
TechWise TV episode 23 Viewers Choice: IPv6 Show Notes

Cisco Interaction Network


www.cisco.com/go/interact

Host: Jonas Tichenor
Co-hosts: Robb Boyd, Cisco solutions specialist; Jimmy Ray Purser, Cisco solutions specialist

Jump to:
- Executive Summary
- Segment 1: Why Mess with a Running System?
- Segment 2: IPv6 for Dummies, Layer 2 Deep Dive
- Segment 3: IPv6 Routing and Transitioning
- Segment 4: Security Gotchas and QoS
- Segment 5: Deployment and Conclusion
- Recommended Resources
- Acronym Dictionary
- Host & Co-host Biographies

Executive Summary
What is IPv6? The current Internet Protocol (IP) is version 4. It underpins everything that we do on the Internet, and the vast majority of business network applications also use IP and its associated protocols. IP is over thirty years old and it is showing its age. Designed for networks with thousands of nodes, it has only about 4 billion addresses, of which maybe 500 million can realistically be used. Given that the world has a population of over 6 billion people and everything from cars to phones to televisions to light switches is being IP-enabled, it is not surprising that there is a shortage of addresses. Indeed, had it not been for a number of fixes, the Internet would already have run out of addresses. Additionally, IPv4 has no built-in security, no mobility, limited quality of service and performance issues; there is clear room for improvement.

It is easy to think that the Internet has survived this far and that nothing really needs to be done. Unfortunately, this ignores the stark reality of the situation. The Internet has been living on borrowed time for many years. Without the significant interventions of CIDR (Classless Inter-Domain Routing), NAT (Network Address Translation), dynamic address allocation and proxy services, the Internet would have ceased to operate and grow years ago. Only these techniques have slowed address depletion and constrained the growth of the backbone routing table. The problem is that they can only do so much. NAT is in fact a bottleneck that breaks the end-to-end connectivity of the Internet. NAT, while essential at present, stops you from using very desirable functions and applications (e.g. IPsec, Mobile IP, Voice over IP (VoIP) and IP video on demand), and it adds an extra layer of complexity to the network. Organizations find the growing use of private addresses and NAT increasingly complex to manage.

Even with these techniques, address space is going to run out, and routing tables are again exploding in size. In addition, attractive new applications cannot operate without global IP addresses and some of the features that IPv4 lacks. Enter the solution: IPv6. IPv6 has 128-bit addresses, giving 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 (about 3.4 x 10^38) addresses. With IPv6 there is no need for the address fixes bolted onto IPv4. In addition to the benefits of a larger address space, IPv6 includes significant technical enhancements in the areas of security, mobility, quality of service and performance that simplify network administration, such as:
- Simplified header for routing efficiency
- Deeper hierarchy and policies for network architecture flexibility, enabling efficient support for routing and route aggregation
- Serverless autoconfiguration, easier renumbering, and improved ready-to-use support
- Security with mandatory IP Security (IPsec) support in all IPv6 implementations (the IPv6 node requirements later relaxed this from MUST to SHOULD in RFC 6434; and built-in support is not the same as traffic being protected, which still has to be configured)
- Improved support for Mobile IP and mobile computing devices (direct path)
- Enhanced multicast support with increased addresses and efficient mechanisms

Segment 1 Why mess with a Running System?

The Internet Protocol defines how computers communicate over a network. IP version 4 (IPv4), the currently prevalent version, contains just over four billion unique IP addresses, which is not enough to last indefinitely. IPv6 is the replacement for IPv4, offering far more IP addresses and enhanced security features. ARIN and the other RIRs have distributed IPv6 alongside IPv4 since 1999. So far, ARIN has issued both versions in tandem and has not advocated one over the other, though it has closely monitored distribution trends with the understanding that the available IPv4 resource pool would continue to diminish. With only 19% of the IPv4 address space remaining (at the time of ARIN's advisory), however, ARIN is now compelled to advise the Internet community that migration to IPv6 is necessary for any applications that require ongoing availability of contiguous IP number resources.

Jeff Doyle blog, Address Depletion Much Sooner than Expected: http://edge.networkworld.com/community/?q=node/14969&docid=8648
ARIN Warns of IPv4 Depletion: http://www.arnnet.com.au/index.php/id;1883973296;fp;4194304;fpid;1
China's broadband users only second to US: http://www.chinaknowledge.com/news/news-detail.aspx?id=8340

IPv4 Address Depletion Imminent; ARIN Board Chairman to Recommend Migration to IPv6 at Burton Group Catalyst Conference North America http://new.marketwire.com/2.0/release.do?id=741953&k=arin

Segment 2 IPv6 for Dummies, Layer 2 Deep Dive


IPv6 101:
- Packets/structures
- Address architecture
- Headers (packet sniffer capture): look at the header format and what is actually contained in it: prioritization (traffic class and flow label), addressing structures, anycast addresses (new term!), tunneled packets, extension headers (including the routing header), etc.
- What is missing (the actual improvements over IPv4): the header checksum is gone, and in-network fragmentation is removed (only the source fragments, via an extension header)

Deep Dive L2 (IOS demo on any Cisco router, IOS CLI):
- What does IPv6 do to my Layer 2 network design?
- ICMPv6
- Anycast/autoconfiguration

Cisco IPv6 Config Library: http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_configuration_guide_book09186a00801d65f9.html
Understanding IPv6: http://www.cisco.com/ipv6
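Added example (not from the show notes and not Cisco code): a small Python decoder that does what the sniffer capture in this segment shows by hand. It pulls the traffic class (DSCP/ECN) and flow label out of the first 32-bit word, walks the Next Header chain through the extension headers, and verifies the ICMPv6 checksum, which must be computed over an IPv6 pseudo-header precisely because the IPv6 header itself carries no checksum. The packet (a Hop-by-Hop header with a Router Alert option followed by an ICMPv6 Echo Request, DSCP EF, flow label 0xABCDE) is constructed inside the block, not captured; the function names are mine.

```python
"""Decode an IPv6 packet: fixed header (RFC 8200, formerly RFC 2460), extension-header
chain, and ICMPv6 checksum over the pseudo-header (RFC 4443). Standard library only."""
import ipaddress
import struct

# Extension headers that share the "Next Header, Hdr Ext Len (8-octet units minus 1)" layout.
CHAINED_EXT = {0: "Hop-by-Hop", 43: "Routing", 60: "Destination Options"}
FRAGMENT = 44          # fixed 8 bytes, no length field
ICMPV6 = 58


def parse_fixed_header(pkt):
    """Return the fields of the 40-byte fixed header as a dict."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if 40 + payload_len > len(pkt):
        raise ValueError("payload length exceeds packet")
    return {
        "traffic_class": (word >> 20) & 0xFF,   # DSCP (6 bits) + ECN (2 bits), like the IPv4 ToS byte
        "dscp": (word >> 22) & 0x3F,
        "ecn": (word >> 20) & 0x03,
        "flow_label": word & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def walk_extension_headers(pkt, hdr):
    """Follow the Next Header chain; return (names, upper-layer protocol, offset of upper layer)."""
    nh, off, end, chain = hdr["next_header"], 40, 40 + hdr["payload_len"], []
    while nh in CHAINED_EXT or nh == FRAGMENT:
        if off + 8 > end:
            # A chain that runs past the packet is a classic inspection evasion (RFC 7112).
            raise ValueError("extension header chain truncated")
        chain.append(CHAINED_EXT.get(nh, "Fragment"))
        ext_len = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + ext_len
    if off > end:
        raise ValueError("extension header chain truncated")
    return chain, nh, off


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 checksum: pseudo-header (src, dst, upper-layer length, zeros, 58) + message."""
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(icmp), ICMPV6)
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def inspect(pkt):
    """Decode one packet: header fields, extension chain, and ICMPv6 checksum validity."""
    hdr = parse_fixed_header(pkt)
    chain, proto, off = walk_extension_headers(pkt, hdr)
    result = dict(hdr, ext_chain=chain, upper_layer=proto)
    if proto == ICMPV6:
        icmp = pkt[off:40 + hdr["payload_len"]]
        if len(icmp) < 4:
            raise ValueError("truncated ICMPv6 message")
        result["icmpv6_type"] = icmp[0]
        stored = struct.unpack("!H", icmp[2:4])[0]
        result["checksum_ok"] = stored == icmpv6_checksum(hdr["src"], hdr["dst"], icmp)
    return result


def build_sample_packet():
    """Constructed sample: DSCP EF, Hop-by-Hop header with Router Alert, then ICMPv6 Echo Request."""
    src, dst = ipaddress.IPv6Address("fe80::1"), ipaddress.IPv6Address("ff02::1")
    hop_by_hop = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])   # NH=58, len 0 (8 bytes), Router Alert, PadN
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1) + b"ping"
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    dscp, flow = 46, 0xABCDE
    word = (6 << 28) | (dscp << 22) | flow
    fixed = struct.pack("!IHBB", word, len(hop_by_hop) + len(icmp), 0, 255) + src.packed + dst.packed
    return fixed + hop_by_hop + icmp


if __name__ == "__main__":
    for key, value in inspect(build_sample_packet()).items():
        print(f"{key:>14}: {value}")
```

The two ValueError paths matter more than the happy path: a Next Header chain that runs off the end of the packet (or into a second fragment) is exactly how extension headers are used to slip past stateless filters, so a decoder that silently stops walking is a decoder that can be bypassed.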

Segment 3 Understanding IPv6 Routing and Transitioning


Deep Dive L3 (hardware-based demo/IOS CLI demo):
- OSPFv3
- RIPng
- EIGRP for IPv6
- Routing tables

Transition mechanisms: 6to4 is an IPv4 tunnel-based transition mechanism defined in RFC 3056. It was designed to let separate IPv6 domains communicate with each other across IPv4 clouds without explicitly configured IPv4 tunnels. 6to4 encapsulates IPv6 packets in IPv4 packets (IPv4 protocol 41), as 6in4 tunnels do, but the main difference between the two is that 6in4 requires an explicit tunnel to be configured on both ends: at the host and at the server (router) side. That configuration is usually done with external tools such as the Tunnel Broker defined in RFC 3053, which configures the tunnel on the server side and sends the user a configuration script for the host side. With 6to4 there is no tunnel to set up on the server side; the only configuration is on the host side, because a 2002::/16 address itself encodes the IPv4 address of its tunnel endpoint. The 6to4 router (server side) will therefore accept 6to4-encapsulated packets from any IPv4 host, whereas a 6in4 router (server side) only accepts 6in4-encapsulated packets belonging to active tunnels.
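Added example (not from the show notes and not Cisco code) of the 6to4 mechanics just described: deriving the 2002:V4ADDR::/48 prefix from an IPv4 address, wrapping an IPv6 packet in IPv4 protocol 41, and the checks a 6to4 router has to apply on decapsulation precisely because it accepts protocol-41 packets from anyone: the embedded IPv4 address must match the outer IPv4 endpoint (the consistency check RFC 3056 calls for) and the endpoint must not be a non-routable address (the filtering RFC 3964 adds). The NON_ROUTABLE list is a minimal selection of my own, all addresses are documentation ranges, and the packets are built inside the block.

```python
"""6to4 (RFC 3056): prefix derivation, IPv4 protocol-41 encapsulation, and the
decapsulation checks a 6to4 router must perform (RFC 3056, RFC 3964). Stdlib only."""
import ipaddress
import struct

PROTO_41 = 41
SIXTO4 = ipaddress.IPv6Network("2002::/16")
# IPv4 ranges that must never be a 6to4 tunnel endpoint (minimal list: "this" network,
# RFC 1918 private, loopback, link-local, multicast, limited broadcast).
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def sixto4_prefix(v4):
    """2002:VVVV:VVVV::/48 for IPv4 address V.V.V.V."""
    v4 = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(v6):
    """IPv4 address carried in bits 16..47 of a 6to4 address, or None if not in 2002::/16."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def routable(v4):
    return not any(v4 in net for net in NON_ROUTABLE)


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner(src6, dst6, payload=b""):
    """Minimal IPv6 packet with Next Header 59 (No Next Header) and an optional opaque payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    return hdr + ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed + payload


def encapsulate(outer_src4, outer_dst4, inner):
    """Wrap an IPv6 packet in an IPv4 header with protocol 41 (what a 6to4 router emits)."""
    src, dst = ipaddress.IPv4Address(outer_src4), ipaddress.IPv4Address(outer_dst4)
    fields = [0x45, 0, 20 + len(inner), 0, 0x4000, 64, PROTO_41, 0, src.packed, dst.packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields) + inner


def decapsulate(pkt):
    """Return (inner IPv6 packet, None), or (None, reason) for a packet a 6to4 router must drop."""
    if len(pkt) < 60 or pkt[0] >> 4 != 4:
        return None, "not IPv4 or too short for IPv4 + IPv6 headers"
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_41:
        return None, "outer protocol is not 41"
    if ipv4_checksum(pkt[:ihl]) != 0:
        return None, "bad IPv4 header checksum"
    outer_src, outer_dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None, "inner packet is not a complete IPv6 header"
    inner_src, inner_dst = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    if not routable(outer_src):
        return None, f"outer source {outer_src} is not a routable 6to4 endpoint"
    # A 2002:: source must embed exactly the IPv4 address the packet arrived from; otherwise
    # any host on the IPv4 Internet can inject IPv6 traffic with a spoofed 6to4 source.
    emb_src = embedded_ipv4(inner_src)
    if emb_src is not None and emb_src != outer_src:
        return None, f"inner source embeds {emb_src} but outer source is {outer_src}"
    emb_dst = embedded_ipv4(inner_dst)
    if emb_dst is not None and emb_dst != outer_dst:
        return None, f"inner destination embeds {emb_dst} but outer destination is {outer_dst}"
    return inner, None


if __name__ == "__main__":
    inner = build_inner("2002:c000:201:1::10", "2002:c633:6407::1")   # sites 192.0.2.1 and 198.51.100.7
    print(sixto4_prefix("192.0.2.1"), decapsulate(encapsulate("192.0.2.1", "198.51.100.7", inner))[1])
    print(decapsulate(encapsulate("203.0.113.9", "198.51.100.7", inner))[1])
```

The second print line is the case that matters: the same inner packet arriving from an IPv4 source that does not match the embedded address is dropped with a reason, which is the behaviour to look for when assessing a 6to4 relay or a Cisco `tunnel mode ipv6ip 6to4` interface.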

IPv6: Assessing Transition Technologies http://www.enterprisenetworkingplanet.com/netsp/article.php/3681291

Segment 4 Security Gotchas and QoS


Security in IPv6

Security gotchas: the security advantages assume native (pure) IPv6; any tunneling (encapsulation) undoes them, because IPv4 firewalls, IDS/IPS and ACLs see only the outer IPv4 packets and not the IPv6 traffic carried inside them.
- Encapsulation (tunneling)
- Security models: different types of security strategies for designing your network
- Implementation strategies for migration/deployment
- IPsec and IPv6 interaction
- Vista not playing well with IPv6: http://www.networkworld.com/news/2007/060707-microsoft-vista-ipv6-incompatible.html
- Sean Convery has some great information on his page: http://www.seanconvery.com. Download this paper: IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation

QoS in IPv6
- Traffic class
- Flow labeling
- Extension headers
- RFC 2460/3697 (since obsoleted by RFC 8200 and RFC 6437 respectively)

Currently IPv6 supports QoS marking via a field in the IPv6 header. Similar to the type of service (ToS) field in the IPv4 header, the 8-bit traffic class field is available for use by originating nodes and/or forwarding routers to identify and distinguish between different classes or priorities of IPv6 packets; it carries the 6-bit DSCP and 2-bit ECN fields exactly as the IPv4 ToS byte does today.
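Added example (not from the show notes and not Cisco code) for the tunneling gotcha above: if IPv6 is riding inside IPv4, the evidence is in the IPv4 flow records your existing tools already collect. The block runs simple detection logic over a handful of constructed NetFlow-style records and flags IPv4 protocol 41 (6to4, 6in4, ISATAP), UDP to port 3544 (Teredo) and traffic to the public 6to4 relay anycast address 192.88.99.1 (RFC 3068, deprecated by RFC 7526 but still a strong indicator). The CSV column names and the "internal" range 192.0.2.0/24 are assumptions of this example, not the format of any particular collector.

```python
"""Flag IPv6-over-IPv4 tunnels in IPv4 flow records, i.e. the traffic an IPv4-only
firewall or IPS forwards as opaque protocol-41 or UDP payload. Standard library only."""
import csv
import io
import ipaddress

PROTO_41 = 41                      # 6to4, 6in4, ISATAP all use IP protocol 41
TEREDO_PORT = 3544                 # Teredo server/relay UDP port (RFC 4380)
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068, deprecated by RFC 7526
INTERNAL = ipaddress.IPv4Network("192.0.2.0/24")               # assumed internal range for the sample

# Constructed sample records (not a real capture); columns are this example's own layout.
SAMPLE_FLOWS = """\
ts,src,dst,proto,sport,dport,bytes
2007-06-07T10:00:01,192.0.2.10,198.51.100.20,6,51234,443,8123
2007-06-07T10:00:05,192.0.2.10,192.88.99.1,41,0,0,1400
2007-06-07T10:00:09,192.0.2.11,198.51.100.5,17,54021,3544,620
2007-06-07T10:00:12,198.51.100.20,192.0.2.10,6,443,51234,90211
2007-06-07T10:00:15,203.0.113.7,192.0.2.12,41,0,0,3120
2007-06-07T10:00:20,192.0.2.13,198.51.100.53,17,40000,53,120
"""


def classify(flow):
    """Return a finding name for a tunnel flow, or None for ordinary IPv4 traffic."""
    proto, dport = int(flow["proto"]), int(flow["dport"])
    src, dst = ipaddress.IPv4Address(flow["src"]), ipaddress.IPv4Address(flow["dst"])
    if proto == PROTO_41:
        if SIXTO4_RELAY_ANYCAST in (src, dst):
            return "6to4 via public relay anycast"
        return "IPv6-in-IPv4 (6to4/6in4/ISATAP)"
    if proto == 17 and dport == TEREDO_PORT:
        return "Teredo (IPv6 over UDP)"
    return None


def find_tunnels(csv_text):
    """Parse flow records; return [(ts, src, dst, direction, finding)] for every tunneled flow."""
    findings = []
    for flow in csv.DictReader(io.StringIO(csv_text)):
        finding = classify(flow)
        if finding is None:
            continue
        # Inbound protocol 41 to a host means someone outside is handing it IPv6 packets
        # that its IPv4 filters never looked inside.
        direction = "outbound" if ipaddress.IPv4Address(flow["src"]) in INTERNAL else "inbound"
        findings.append((flow["ts"], flow["src"], flow["dst"], direction, finding))
    return findings


def tunnel_sources(csv_text):
    """Internal hosts originating tunnel traffic: the machines to check for unintended IPv6."""
    return sorted({src for _, src, _, direction, _ in find_tunnels(csv_text) if direction == "outbound"})


if __name__ == "__main__":
    for row in find_tunnels(SAMPLE_FLOWS):
        print(*row)
    print("hosts to review:", tunnel_sources(SAMPLE_FLOWS))
```

The point of the exercise is that none of the flagged flows would trip an IPv6 ACL, because from the IPv4 network's point of view there is no IPv6 there; the practitioner's choices are to block protocol 41 and UDP/3544 at the edge until native IPv6 is deployed, or to terminate the tunnels on a device that can inspect what comes out of them.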

Segment 5 Deployment and Conclusion


Deploying IPv6
- Transition mechanisms
- Network design
- Managing IPv6 and even IPv4

Management tools: Cisco has supported IPv6 in its IOS software since 2001. During the last two years, Cisco has begun developing IPv6 support in the other management tools that its customers will need to move their network architectures to IPv6. Cisco offers a free auditing tool called IPv6 Network Assessor that automates the process of figuring out which Cisco switches and routers on a network are ready for IPv6 and which aren't. Cisco also has upgraded its CiscoWorks campus-management software to manage its IPv6-enabled Layer 2 and Layer 3 devices. The software offers limited support for IPv6: address identification, management of some configurations and limited path tracing. However, CiscoWorks doesn't offer the full set of features available for IPv4. Cisco Network Registrar (CNR), a DNS and DHCP package, supports IPv6, including stateful and stateless configuration. Cable service providers are among the early adopters of the IPv6-enabled Cisco Network Registrar. Cisco also has an IPv6-enabled Network Analysis Module, a blade that sits in its switches and reports back to Cisco's NetFlow traffic-monitoring software.
Full article: http://www.networkworld.com/news/2007/060707-8-mgmt-vendors-ipv6.html

Recommended Resources
*Multiple resources and links referenced above

Cisco's IPv6 Main Page: http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html
Cisco initially announced its three-phase IPv6 roadmap in June 2000, and has since introduced support across a wide range of Cisco solutions. Cisco IOS Software releases deliver a wide spectrum of IPv6 features.

Cisco IPv6 Solutions: http://www.cisco.com/en/US/products/ps6553/products_white_paper09186a00802219bc.shtml

IPv6 Autoconfiguration: Since 1993 the Dynamic Host Configuration Protocol (DHCP) [1] has allowed systems to obtain an IPv4 address as well as other information such as the default router or Domain Name System (DNS) server. A similar protocol called DHCPv6 [2] has been published for IPv6, the next version of the IP protocol. However, IPv6 also has a stateless autoconfiguration protocol [3] (SLAAC, in which a host builds its own addresses from a router-advertised /64 prefix and a locally generated interface identifier), which has no equivalent in IPv4. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-2/ipv6_autoconfig.html
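Added example (not from the show notes, the IPJ article or Cisco code) of the host side of stateless autoconfiguration: forming the modified EUI-64 interface identifier from the MAC address, building the link-local and global addresses from an advertised /64, and deriving the solicited-node multicast group that duplicate address detection and neighbor solicitation use. It also reverses the process, which is the reason EUI-64 addresses are treated as a privacy and tracking leak (the hardware address, vendor OUI included, follows the host across every network) and why RFC 4941 temporary addresses and RFC 7217 stable opaque identifiers exist. The MAC address and prefix are constructed sample values and the function names are mine.

```python
"""SLAAC (RFC 4862) address formation from a MAC address, the solicited-node multicast
group (RFC 4291), the reverse mapping that leaks the MAC, and an RFC 4941-style
temporary address that does not. Standard library only."""
import ipaddress
import secrets

LINK_LOCAL = "fe80::/64"
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def mac_bytes(mac):
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    return raw


def eui64_interface_id(mac):
    """Insert ff:fe in the middle of the MAC and flip the universal/local bit (RFC 4291 app. A)."""
    raw = mac_bytes(mac)
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """Prefix from a Router Advertisement (must be a /64) + EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui64_interface_id(mac), "big"))


def link_local_address(mac):
    return slaac_address(LINK_LOCAL, mac)


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX from the low 24 bits of any unicast address (RFC 4291 section 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)


def mac_from_address(addr):
    """Recover the MAC if the interface identifier is a modified EUI-64, else None."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


def temporary_address(prefix):
    """RFC 4941-style temporary address: random 64-bit identifier with the u/l bit cleared
    and the ff:fe marker avoided, so nothing in the address identifies the hardware."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD
        if iid[3:5] != b"\xff\xfe":
            return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


if __name__ == "__main__":
    mac, prefix = "00:1b:21:3c:4d:5e", "2001:db8:1:2::/64"     # constructed sample values
    addr = slaac_address(prefix, mac)
    print("link-local     :", link_local_address(mac))
    print("global (EUI-64):", addr, "-> MAC", mac_from_address(addr))
    print("solicited-node :", solicited_node_multicast(addr))
    print("temporary      :", temporary_address(prefix))
```

When auditing an IPv6 deployment, running mac_from_address over the addresses seen in logs or DNS tells you immediately which hosts are still using EUI-64 identifiers; the ff:fe in the middle of the address is the giveaway.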

Acronym Dictionary
*Scroll down for IPv6-specific acronyms.
ASA - Adaptive Security Appliance
CSA - Cisco Security Agent
CSC - Content Security and Control Services Module (for use within the ASA)
CSM - Cisco Security Manager
DTM - Distributed Threat Mitigation
ICS - Incident Control System
IPS - Intrusion Prevention System
IDS - Intrusion Detection System
IPSEC VPN - Virtual Private Network technology that leverages a client on the endpoint to establish the private, encrypted connection.
ISR - Integrated Services Router
MARS - Monitoring, Analysis and Response System
NAC - Network Admission Control
NCM - Network Compliance Manager
SDN - Self-Defending Network
NetFlow - open but proprietary network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information. (Wikipedia)
SSL VPN - Often referred to as clientless VPN; in contrast to IPSEC, it uses the encryption built into the browser to set up a secure remote connection.
SSM - Security Services Module located within the ASA that allows the addition of an IPS module or a CSC (Content Security and Control Services Module, Anti-X Edition of the ASA)

IPv6 Acronyms/Glossary
IANA - Internet Assigned Numbers Authority. The entity that oversees global IP address allocation, DNS root zone management, and other Internet protocol assignments. It is operated by ICANN.
APNIC - The Asia Pacific Network Information Centre (APNIC) is the Regional Internet Registry for the Asia-Pacific region.
RIR - Regional Internet Registry. An organization overseeing the allocation and registration of Internet number resources within a particular region of the world. Resources include IP addresses (both IPv4 and IPv6) and autonomous system numbers (for use in BGP routing).
ARIN - American Registry for Internet Numbers (ARIN is an RIR).
LIR - A local Internet registry (LIR) is an organization which has received an IP address allocation from a regional Internet registry (RIR), and which may assign parts of this allocation to its own customers. An LIR is thus typically an Internet service provider. To become an LIR, membership of an RIR is required.
ICANN - Internet Corporation for Assigned Names and Numbers. The tasks of ICANN include managing the assignment of domain names and IP addresses. To date, much of its work has concerned the introduction of new generic top-level domains. The technical work of ICANN is referred to as the IANA function; the rest of ICANN is mostly concerned with defining policy.
CIDR - Classless Inter-Domain Routing (CIDR, pronounced "cider") was introduced in 1993 and is the latest refinement to the way IP addresses are interpreted. It replaced the previous generation of IP address syntax, classful networks. It allowed increased flexibility when dividing ranges of IP addresses into separate networks and thereby promoted: more efficient use of increasingly scarce IPv4 addresses, and greater use of hierarchy in address assignments (prefix aggregation), lowering the overhead of Internet-wide inter-domain routing.

Anycast - A network addressing and routing scheme whereby data is routed to the "nearest" or "best" destination as viewed by the routing topology. The term is intended to echo the terms unicast, broadcast and multicast. In unicast, there is a one-to-one association between network address and network endpoint: each destination address uniquely identifies a single receiver endpoint. In broadcast and multicast, there is a one-to-many association between network addresses and network endpoints: each destination address identifies a set of receiver endpoints, to which all information is replicated. In anycast, there is also a one-to-many association between network addresses and network endpoints: each destination address identifies a set of receiver endpoints, but only one of them is chosen at any given time to receive information from any given sender.

Biographies
Jonas Tichenor, Host of TechWiseTV. Jonas joined the Cisco Interaction Network as host of TechWiseTV in August 2006. His experience as anchor for the show comes from an award-winning career in broadcast journalism. Jonas began as a writer and producer for the FOX affiliate in Tampa Bay in 1996. He quickly became on-air talent and climbed the ranks and markets of news until being signed as an NBC Network news reporter in the highly desirable San Francisco Bay Area. Jonas is the recipient of several Associated Press awards and two Edward R. Murrow Awards for broadcast excellence; he is an Emmy Award winner and a nine-time Emmy Award nominee.

Robb Boyd, Co-host of TechWiseTV and Cisco security specialist. Robb is the security specialist on Cisco's TechWiseTV, part of the Cisco Interaction Network and Cisco's National Speakers Bureau. Robb is certified by (ISC)² as a Certified Information Systems Security Professional (CISSP) and by the SANS Institute with the GIAC (Global Information Assurance Certification) Security Essentials Certification (GSEC). Robb was one of the first field specialists in Cisco's Emerging Technologies group, which was eventually renamed Advanced Technologies. Charged with helping Cisco's field sales people communicate a security message to their customers, Robb was then asked to repeat that success with the Cisco Partner Community. Robb was subsequently recognized for building security partners that won awards for Security Partner of the Year, Global Security Partner of the Year and Most Innovative Partner of the Year. He is consistently requested around the nation as a security speaker and has made numerous contributions to the training of Cisco's commercial field and channel sales and engineering teams.

Jimmy Ray Purser, Co-host of TechWiseTV and Cisco networking specialist. Jimmy Ray conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as NetWorld+Interop, CeBIT, ZoomIT, Comdex, HP World and numerous regional events. His topic of choice is network security and penetration testing. Purser has been an active participant in the information technology (IT) community for more than 15 years, with particular emphasis on local area network (LAN) and wide area network (WAN) infrastructure and security. He is an active member of the IEEE. He has designed, installed and tested numerous networks for Fortune 500 companies, the United States military, Internet-based businesses, universities and other educational institutions around the world. He is a hands-on engineer who loves getting into the thick of it. He also writes articles, white papers and other publications. Before joining Cisco, Jimmy Ray was a master-level field pre-sales solution architect at HP. Jimmy Ray holds a Master of Science degree in Electrical Engineering and is a licensed Professional Engineer in the State of Wisconsin. He holds two U.S. patents on network security algorithms and continues to develop for the IPv6 end-to-end network.
