marcel.nijenhof@proxy.nl IPv6.marceln.org


(1)

IPv6.marceln.org

marcel.nijenhof@proxy.nl

(2)

RFC 1606

(3)

RFC 1606

A Historical Perspective On The Usage Of IP Version 9

1 April 1994, J. Onions

Introduction

The take-up of the network protocol TCP/IPv9 has been phenomenal over the last few years. Gone are the days when there were just a few million hosts, and the network was understood. As the IP version 9 protocol comes to the end of its useful life, once again due to address space exhaustion, we look back at some of the success of the protocol.

(4)

Introduction

• Marcel Nijenhof

• Why IPv6

• IPv6 Addresses

• IPv6 Configuration

• IPv6 Routing

• DHCP and DNS

• IPv6 Firewall

(5)

Marcel Nijenhof

• Proxy

– Employee

– Unix administrator

• LPI Nederland

– Board member

– Proctor

• NLUUG

– Program committee

(6)

Why IPv6 (1)

• All /8 blocks of the IANA free pool are assigned (1 Feb 2011)

• Expected exhaustion of the RIR pools: 19 April 2011

– RIR        Assigned addresses (/8s)   Remaining addresses (/8s)
– AFRINIC     8.2389                    4.7572 (57%)
– APNIC      53.3649                    1.6351 (3%)
– ARIN       77.7206                    6.2051 (5%)
– LACNIC     15.4684                    4.5316 (29%)
– RIPE NCC   44.6854                    4.3146 (9%)

• LIR and providers still have some IPv4 addresses

http://www.potaroo.net/tools/ipv4/

(7)

Why IPv6 (2)

• We don't have enough IPv4 Addresses!

– Microsoft pays 5.3 million for IPv4 addresses

http://webwereld.nl/nieuws/106148/microsoft-betaalt-5-3-miljoen-voor-ipv4-adressen.html

• Solutions

– NAT

– Reclaiming unused space

– IPv6

• It's time to get some experience with IPv6!

(8)

IPv6 Addresses (writing)

• IPv4: 32 bits

– Written as four decimal numbers separated by dots: 1.2.3.4

• IPv6: 128 bits

– Written as 8 blocks of 4 hex digits, separated by colons

• 1234:5678:9abc:def0:1122:3344:5566:7788

– Leading zeros within a block may be omitted

– One run of all-zero blocks may be replaced by ::

• 0001:0002:0000:0000:0000:0000:0003:0004 = 1:2::3:4

(9)

IPv6 Addresses (network part)

• IPv4

– netmask/CIDR (Classless Inter-Domain Routing)

• 192.0.2.0/24 (host part last byte from 0 to 255)

• 192.0.2.64/26 (host part last byte from 64 to 127)

• IPv6

– 1111:2222:3333:4444:5555:6666:7777:8888/48

• Network type (link local, site local, global)

• Global routing prefix (64 minus the subnet bits)

• Subnet ID (16-48 bits)

• Host part

• CIDR bits

(10)

IPv6 Addresses (important networks)

• ::1/128

– Localhost (IPv4 127.0.0.1)

• fe80::/10

– Link local (IPv4 169.254.0.0/16)

• fc00::/7

– Unique local addresses (IPv4 RFC 1918, e.g. 192.168.0.0/16)

• ff00::/8

– Multicast (IPv4 224.0.0.0/4)

• 2000::/3

– Global unicast addresses

(11)

IPv6 Configuration (Autoconfig)

• Install and activate IPv6!

– Enabled by default on many Linux distros, BSD and OpenSolaris

• Auto configuration

– Client configures a link local address

– Listens for IPv6 router advertisements

• Configures the network part of the address from the advertisement

• Uses the MAC address to calculate the host part

• More than one address per device is normal!

(12)

IPv6 configuration (manual)

• Manual configuration

– ifconfig <dev> add <addr>

– ip addr add <addr> dev <dev>

• Use the distro specific configuration files

– Redhat: /etc/sysconfig/network-scripts/ifcfg-<dev>

• IPV6ADDR=2001:888:165c:101::1/64

– Debian: /etc/network/interfaces

• iface eth0 inet6 static

address 2001:888:165c:ff01::2 ...

(13)

IPv6 configuration (IPv4 tunnels)

• Add the tunnel on both sides

– ip tunnel add sit1 mode sit remote <IPv4 DST>

ip addr add <IPv6 ADDR/MASK> dev sit1

ip link set sit1 up

• RH: /etc/sysconfig/network-scripts/ifcfg-sit1

– DEVICE=sit1

BOOTPROTO=none

ONBOOT=yes

IPV6INIT=yes

IPV6TUNNELIPV4=194.109.5.241

IPV6ADDR=2001:888:10:65c::2

(14)

IPv6 routing (gateway)

• Enable IPv6 forwarding

– Forwarding from IPv6 tunnels to local Ethernet

– Forwarding through multiple tunnels or Ethernet segments

• Default route

– ip route add default via <IPv6 default router>

– Or the OS-dependent config file

• RH: /etc/sysconfig/network

– IPV6_DEFAULTDEV=<dev>

(15)

IPv6 routing (local static routes)

• Static routes work the same as IPv4

– Just add them to the routing table

– ip -6 route add <IPv6 DST> via <IPv6 ADDR>

• Or use the OS-dependent config file

– RH: cat /etc/sysconfig/network-scripts/route-sit2

GATEWAY0=<IPv6 ADDR>

NETMASK0=<IPv6 Mask>

ADDRESS0=<IPv6 Network>

(16)

IPv6 routing (advertisement)

• Automatic configuration of clients

– Router announces network and gateway

– Client chooses the host part of the address

• The host part is calculated from the MAC address

• The host chooses a random host part (Privacy Extensions)

• Run radvd to advertise IPv6 network

– Configuration per network interface needed

(17)

DHCPv6

• Needed for extra parameters?

– DNS

• Servers

• domain-name

– Some services

• NTP

• Log servers

• NetBIOS name server

• Dynamic DNS update

– Register the name of the client in DNS

(18)

DNS (adding IPv6 Record)

• Forwards

– The record type is “AAAA”

• koning100 IN AAAA 2001:888:165c:100::1

• Reverse

– Other zone name

• c.5.6.1.8.8.8.0.1.0.0.2.ip6.arpa

– Normal “PTR” record, but every hex digit of the address (in reverse order) becomes a sub level

• 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0 IN PTR koning100.marceln.org.

(19)

DNS (server)

• The normal bind works

– Just add one configuration option

• listen-on-v6 port 53 { 0::0/0; };

(20)

Firewall (IPv4)

• The IPv6 tunnel over IPv4 sends IPv4 packets

– Create a rule to allow IPv4 protocol number 41 (IPv6 encapsulation)

• iptables -A OUTPUT -p 41 -j ACCEPT

• iptables -A INPUT -p 41 -j ACCEPT

• No other changes needed

• The IPv4 firewall gives no protection for the tunnelled IPv6 traffic

(21)

Firewall (IPv6)

• All your hosts are now directly connected to the internet

– No NAT

– All hosts have routable addresses

• Use a firewall to protect your internal hosts

• ip6tables works the same as “iptables”

(22)

ip6tables example

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A FORWARD -p tcp --dport 22 -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 22 -j ACCEPT
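An added example, not from the slides, of the same policy written as an ip6tables-restore ruleset so it can be reviewed as a file and loaded atomically. The stateful and SSH rules are the slide's; the loopback, ICMPv6 and logging rules are additions: IPv6 depends on ICMPv6 for neighbour discovery, router advertisements and path MTU discovery, so a ruleset that drops it (as the slide's does) loses its neighbours and default route once the caches expire.

```shell
#!/bin/sh
# Emit a complete ip6tables-restore ruleset (filter table) for a host that
# forwards for a LAN and accepts SSH. Load with: ip6_ruleset | ip6tables-restore
ip6_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback must always be allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# stateful: replies to accepted connections (as on the slide)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbour discovery, RAs and PMTU; dropping it breaks IPv6
-A INPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
# SSH in all three directions (as on the slide)
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j ACCEPT
# log what the default DROP policy will discard, so drops are visible
-A INPUT -j LOG --log-prefix "ip6-drop: "
-A FORWARD -j LOG --log-prefix "ip6-fwd-drop: "
COMMIT
EOF
}

# Review helper: number of generated rules matching a fixed string.
ip6_rule_count() { ip6_ruleset | grep -c -F -- "$1"; }

# Review helper: all three chains default to DROP (returns 0 if so).
ip6_default_drop() { [ "$(ip6_ruleset | grep -c '^:[A-Z]* DROP ')" -eq 3 ]; }
```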

(23)

RFC 1607

A VIEW FROM THE 21ST CENTURY

1 April 1994, V. Cerf

A NOTE TO THE READER

The letters below were discovered in September 1993 in a reverse time-capsule apparently sent from 2023. The author of this paper cannot vouch for the accuracy of the letter contents, but spectral and radiation analysis are consistent with origin later than 2020. It is not known what, if any, effect will arise if readers take actions based on the future history contained in these documents. I trust you will be particularly careful with our collective futures!

(24)

Questions

(25)

Presentation

• http://pion.xs4all.nl/lezingen/IPv6-20110410.pdf

• Copyright: CC Some rights reserved

– The following items are not covered by cc

• NLUUG logo

• LPI logo

• Proxy logo
