class: center, middle, inverse # IPv6 --- # Content 1. Why we need IPv6 (or why IPv4 sucks) 2. New Features 3. Implementation of IPv6 --- class: middle, center, inverse ## Why do we need IPv6 --- .left-column[ ## Why we need IPv6 ### - IPv4 Basics ] .right-column[ * 32-bit address range * 2^32 addresses => 4 billion * 1.2 billion active devices * 10 years ago everybody got a class C or B net * Less available nets => smaller allocation * 595,385 BGP entries in full table * Several router fail at 524288 entries (512 * 1024) ] --- background-image: url(ASxml.svg) --- background-image: url(routing.svg) --- background-image: url(routing2.svg) --- class: middle, center, inverse ## Features --- .left-column[ ## Features ### - Moar!! Addresses ] .right-column[ * 128-bit length * 2^128 addresses * 7.9*10^28 times bigger than IPv4 space * 29-bit prefix for each LIR (Local Internet Registry) * LIR can get even one per location * Even 19-bit prefix if you blame the RIR (Regional Internet Registry) * For example DTAG got 2003::/19 * Every site should get their own 64-bit prefix * 48-bit minimal PI space * 2a00::/12 for RIPE * IANA currently uses 2000::/3 ] --- .left-column[ ## Features ### - Moar!! Addresses ### - New notation ] .right-column[ * New hex notation: 2a01:4f8:11a:b1f::4/64 * Full notation: 2a01:04f8:011a:0b1f:0000:0000:0000:0004 * 8 groups of 16-bit in hex * Ignore leading 0s in groups * Replace the biggest successive group of zeros with :: * /64 indicates the prefix length * 64-bit is default, can be omitted ] --- .left-column[ ## Features ### - Moar!! Addresses ### - New notation ### - Improvement ] .right-column[ * No broadcast * Multicast is mandatory * Neighbor Discovery Protocol (NDP) as ARP replacement * Always assign 64bit prefixes to devices, no single IP-Addresses * Privacy extension for host part of addresses ] --- .left-column[ ## Features ### - Moar!! Addresses ### - New notation ### - Improvement ### - Multicast ] .right-column[ Excursion about Multicast * Own address space, prefix is ff::/8 * used for communication in groups * different groups and scopes available * Simply assign an address from a group to you to be part of the group * ff0X::1 : every device with IPv6 (like IPv4 broadcast) * ff0X::2 : all router * ff0X::f : UPnP devices * ff0X::101 : NTP server * ff0X::1:2 : DHCPv6 server * Where X is: 1 = Interface-Local; 2 Link-Local, 8 Organization-Local ] --- .left-column[ ## Features ### - Moar!! Addresses ### - New notation ### - Improvement ### - Multicast ### - Useless stuff ] .right-column[ * Mobile IPv6 * SLAAC - StateLess Address AutoConfiguration * DAD - Duplicate Address Detection * Fake RA - Router Advertisment * RA Flooding * Fake DAD ] --- .left-column[ ## Features ### - Moar!! Addresses ### - New notation ### - Improvement ### - Multicast ### - Useless stuff ### - Good to know ] .right-column[ * IPv6 is always prefered over IPv4 * IPv4 and IPv6 are seperate networks, awesome for breaking stuff * BIOS PXE boot will never support IPv6 * UEFI PXE boot supports IPv6 + IPv4 * Link local address now contains MAC address fe80::52e5:49ff:fe41:c204 * Route your prefix to server, no bridging * STOP SHITTY NAT! ] --- class: middle, center, inverse ##Implementation --- .left-column[ ##Implementation ### - Global Routing ] .right-column[ * IPv6 addresses are 4 times bigger than IPv4 * Requires 4 times more space for each BGP entry * Routers are already full ... * Bigger prefixes for each AS -> less prefixes -> less BGP entries * Hierarchical routing * Renumber a server if he changes the location, don't route his prefix * DO NOT ROUTE A 64bit PREFIX ] --- class: middle, center, inverse ## SERIOUSLY, DO NOT ROUTE A SINGLE PREFIX --- background-image: url(bgprouter.svg) --- .left-column[ ##Implementation ### - Global Routing ### - System configuration ] .right-column[ * Static for servers * Always try to use link local gateway fe80::1 * SLAAC for clients in trusted networks * DHCP6 or static for clients in untrusted networks ] --- .left-column[ ##Implementation ### - Global Routing ### - System configuration ### - Debugging ] .right-column[ * Do you run a firewall? Does it care about IPv6? * You killed IPv4/IPv6 Routing/Firewalling? The other protocol will still work * Never forget that IPv6 is always preferred over IPv4 * Local issues? Check the cache size of your switch * Routing issues? Check the cache size of your routers * Initial connection is slow? Src + Dest have IPv6 configured but it is broken => fallback to IPv4 ] --- class: middle, center, inverse ## Summary ### Plan your hierarchy wisely ### Honor your hierarchy ### Be careful with SLAAC .footnote[© Tim Meusel]