From the course: CompTIA Network+ (N10-009) Cert Prep

IPv6 in action

We've talked about the basics of IPv6, but let's go ahead and actually watch IPv6 in action. Now, before we get started, there's one thing I want to stress to you, and that is the idea of the EUI-64 addressing used for IPv6 addresses. Take a look right now on my screen. What I want to show you is, I'm on a Windows system and I'm running ipconfig /all. There it is. So what I want you to do is look very closely here. Do you see my MAC address? Let's just look at the last digits here. So it says 5A-50. Now, according to the rules of EUI-64, we should be able to see that 5A-50 in the IPv6 addresses. But if you look, we don't see that. Well, what's going on here? Well, the answer is simple. If you're generating the last half of your IPv6 address from your MAC address using EUI-64, there is a traceability to your system from any data you're sending out the door. Remember, there are no private IP addresses in the world of IPv6. All IPv6 addresses are public. NAT is dead. 192.168 stuff, it's gone. So unless your firewall's properly configured, people will be able to ping your system. And of course we just configure our firewalls properly and everything's great. However, when you're sending data out, that means that some of your IPv6 address could be literally tracked back to your MAC address. Yeah, they're spoofing and all that, but there could be a situation where you're losing privacy. And what we're seeing, and you saw it right there on my screen, is all operating systems have an alternative way to generate the last half of your IPv6 address that instead of using EUI-64, they have a randomizer. And this randomizer makes you more anonymous and it allows you to be more comfortable. We don't think there's any problems, but that's gone ahead and been built in anyway.
Pretty much all operating systems, all the Linuxes, Windows of course, Macs of course, all have this feature, but administrators if they want to, could turn that off and force these systems to go back into EUI-64 mode. Okay, well, understanding that, what I want to do is run over to the whiteboard right now, and I want to watch our network get populated with IPv6 addresses using the Neighbor Discovery Protocol. So here's my pretty basic setup. I've got four desktop systems, I've got a generic server, doesn't really matter. It could be a webcam for all I care in this particular situation. I have an internet service provider who is sending IPv6 information out and I have an IPv6 capable router. Now, with all this in hand, let's watch the process. Remember, the first thing that's going to happen is all of these computers are going to generate their own link-local. They don't need anything to make their own link-local. So, instead of writing out FE80:: can I just type 1234? Is that okay? And then we'll just remember that these are link-local addresses. So that would be, you know, FE80::1234:4567: You get the idea, all right. So all of these computers automatically, as soon as they boot up, have link-local addresses. Now that they have link-local addresses, they can begin something called neighbor solicitation and neighbor advertisement. So, this is a neighbor solicitation message. So this goes out, comes into the switch, and is propagated not as a broadcast, but as a multicast. Neighbor solicitation messages, in fact, all of these messages use a very specific protocol called ICMPv6. These are multicast. So this message is only going to be sent out on the switch to any of these that are designed to accept multicast messages. They're all IPv6 systems, therefore, this multicast looks an awful lot like a broadcast. But as this goes out, he is saying, "Here is my MAC address, here is my link-local address. Is there anybody else out there?" 
So this gets sent out on multicast, and then all of these devices will then begin sending neighbor advertisements. A neighbor advertisement simply says, "This is who I am, this is my MAC address, it's built into the Ethernet frame, and this is my link-local address." And these systems can then begin to build up a way to resolve IPv6 addresses to MAC addresses so that they can send out Ethernet. So, neighborhood solicitation and neighbor advertisement are important tools, not neighborhood neighbor, but they're really only used for the local stuff. Because there's another really, really important neighbor here, and that is the router. Now, keep in mind this is going to be a two-port router, it just has a four-port switch built into it. Now, the router itself will respond to neighbor solicitations with a neighbor advertisement, but he has a whole other level of stuff to send out. If these computers want to get on the internet, they have to have an internet address. It's not the one that starts with FE80. Right now with IPv6 most internet addresses start with 2000 something. So 2002, 2600, that is just because the fathers of the internet have decided to start arbitrarily at that value. There's nothing secret about that. So, what's going to happen here is if these guys want to get out, they've got their link-local address, so they can send out IPv6 packets, but they send out a very specific packet called a router solicitation. The router solicitation does a lot of stuff. Keep in mind that he needs an IPv6 address. He needs to know what his default gateway is. He needs a DNS server. Think of all the things that you need to get onto the internet. So, individual computers will send out router solicitations. When routers hear this, they will respond back with a router advertisement. The router advertisement is the cornerstone of what makes IPv6 work.
In a perfect world, what we have are routers that are properly configured and they use what's known as stateless autoconfiguration to provide all the information that these computers need to get on the internet. There is no DHCP, it doesn't exist. It's because of good aggregation and routers that are properly configured, and really there's not that much to configure, these individual systems will get their IPv6 address, the one that starts with a two. They don't need a subnet mask 'cause everything's /64. That's not even hard. They'll get their default gateway, he'll report that he is the gateway. And if they're properly configured, they'll get their DNS information. It can do a lot more than that, but those are the core ones that IPv6 is ready to do for us, and it takes care of it and sends it all out. And these machines are now suddenly and magically on the internet. Now, when we were looking at ipconfig a moment ago, one of the things you probably noticed is that there were lots of IPv6 internet addresses. There was one address and a bunch of other addresses that said temporary. IPv6 is really security conscious and depending on the operating system, Windows is notorious for this, is that the operating system can spin up multiple instances that use different IPv6 addresses every time. So it's not uncommon for a particular application to tell Windows, "Hey, not only do I want to make a connection, but could you generate a new temporary IPv6 address for me?" And that's all just done for security. It can be a bit of a challenge in terms of running this stuff with Wireshark, for example, because sometimes you're running with a lot of IPv6 addresses, but that's what it's there for and it does work. Okay, so that's a perfect world where we use router advertisements and router solicitations using stateless autoconfiguration and everything's set up. Now, there's a few things we have to do in these routers to make this happen.
For example, what will take place is keep in mind we're going to have to have a network ID in here, and then obviously upstream there's going to be a network ID. So usually what will take place is that the internet service provider also sends router advertisements down to our individual routers. And those routers will actually use DHCPv6 and they will generate what we call router prefixes, which basically allow our router to determine what is our little network ID going to be for this guy. So just for funsies I'll say this is 2600:1:2:3 and that's for my internal network. Remember, this is a public network, okay? That number comes from your ISP. Remember, it's all aggregation. So your upstream router is probably going to be 2600:1:2 kind of cool, huh? And then the aggregation concept comes into play. There is a little bit more variable length subnet mask to this. So for example, this is going to be a 64-bit prefix, and then the next one down is going to be a 48-bit prefix. There are actually ways to chop up individual groups. You can do things like 52-bit prefixes and stuff like that, but it's not done too terribly much because you got lots of colons, so why don't we just split 'em at the colons. Okay, so that has to be handled either from the ISP or you can type this stuff in here. Now, that's a perfect world. Unfortunately, there are imperfect worlds. For example, you're getting DNS information from the ISP. That ISP is going to give you the best DNS server that it thinks is there, and it's just going to keep propagating that down. And you've got a box over here and he thinks his DNS server is somewhere out on the internet. Well, let's make it complicated. What if I turn this box? What if I have an internal DNS server? Well, that's where IPv6 tends to be a bit of a problem. In this particular case, what we'll probably have is built into this guy.
Or we could have a dedicated DHCP box that's not running the DHCP you and I know and love, it's running DHCP version six. In this particular case, if you need to, you can run a DHCPv6 and it acts a lot like a regular DHCP server. You can use a pool of IPv6 addresses if you want to, that can be done. But the reason DHCPv6 exists more than anything else, well, other than propagating down prefixes for downstream routers is DNS. Because so many people have a little in-house DNS server, a lot of times we'll set up DHCPv6 not to give these guys IP addresses, not to set up their default gateway, not even to define the network, just to go, "Hey, wait a minute, instead of using the DNS server that's coming down via aggregation from the ISP, just use that one." The beautiful part about IPv6 is that especially for simple networks, for home networks, you literally have nothing to do to make it work. The routers themselves handle everything. There's nothing for you to touch whatsoever. The only time we have to do any form of configuration is if we're an upstream router and we're passing out to a bunch of network IDs, or if you want to use DNS. Other than that, IPv6 using stateless autoconfiguration is so easy to use that there's nothing to do.
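The EUI-64 traceability point and the SLAAC prefix-plus-identifier assembly from the video, worked through in code. This is an added example, not material from the course: it builds the modified EUI-64 interface identifier from a constructed MAC (00:1A:2B:3C:5A:50, only the 5A-50 tail is from the video), attaches it to fe80::/64 and to the whiteboard prefix 2600:1:2:3::/64, shows how an auditor can recover the MAC from such an address, and contrasts that with a simplified randomized identifier of the kind the privacy extensions use.

```python
import ipaddress
import secrets
from typing import Optional

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC in half, insert FF:FE, flip the U/L bit (0x02) of octet 0."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # in the modified format a 1 here means 'universally administered'
    return bytes(iid)

def random_interface_id() -> bytes:
    """Privacy-style identifier: 64 random bits with the U/L bit cleared.
    Simplified from RFC 4941; real stacks also manage lifetimes and regeneration."""
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD  # clear 0x02: locally generated, not derived from hardware
        if iid[3:5] != b"\xff\xfe":  # never look like an EUI-64 identifier
            return bytes(iid)

def address_from_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (from a router advertisement, or fe80::/64) with an IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def mac_from_address(addr: str) -> Optional[str]:
    """Audit helper: if the low 64 bits carry the FF:FE marker, recover the MAC the
    address was derived from; None means the host is using a randomized identifier."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)

if __name__ == "__main__":
    mac = "00:1A:2B:3C:5A:50"  # constructed; only the 5A-50 tail comes from the video
    eui = eui64_interface_id(mac)
    print(address_from_prefix("fe80::/64", eui))              # fe80::21a:2bff:fe3c:5a50
    glob = address_from_prefix("2600:1:2:3::/64", eui)
    print(glob, "->", mac_from_address(str(glob)))            # traceable back to 00-1A-2B-3C-5A-50
    tmp = address_from_prefix("2600:1:2:3::/64", random_interface_id())
    print(tmp, "->", mac_from_address(str(tmp)))              # None: nothing to trace
```

Run the audit helper over the addresses in your own ipconfig /all output to confirm the randomizer is on; an address it can map back to a MAC is one that EUI-64 mode would expose.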