book

IPv6 Essentials, 2nd Edition

Name: IPv6 Essentials, 2nd Edition
Author: Silvia Hagen
ISBN: 9780596100582

by Silvia Hagen

May 2006

Beginner to intermediate

436 pages

14h 48m

English

O'Reilly Media, Inc.

Read now

Unlock full access

A Note Regarding Supplemental Files
Preface
AudienceAbout This BookOrganizationConventions Used in This BookUsing Code ExamplesSafari® EnabledComments and QuestionsAcknowledgments
1. Why IPv6?
1.1. The History of IPv61.2. What’s New in IPv6?1.3. Why Do We Need IPv6?1.4. Common Misconceptions1.5. When Is It Time for IPv6?1.6. IPv6 Around the World1.6.1. Asia1.6.2. Europe1.6.3. The United States1.7. IPv6 Status and Vendor Support1.8. References1.8.1. RFCs
2. The Structure of the IPv6 Protocol
2.1. General Header Structure2.2. The Fields in the IPv6 Header2.2.1. Version (4 Bits)2.2.2. Traffic Class (1 Byte)2.2.3. Flow Label (20 Bits)2.2.4. Payload Length (2 Bytes)2.2.5. Next Header (1 Byte)2.2.6. Hop Limit (1 Byte)2.2.7. Source Address (16 Bytes)2.2.8. Destination Address (16 Bytes)2.3. Extension Headers2.3.1. Hop-by-Hop Options Header2.3.1.1. Option Type Jumbogram2.3.1.2. Option Router Alert2.3.2. Routing Header2.3.3. Fragment Header2.3.4. Destination Options Header2.4. References
3. IPv6 Addressing
3.1. The IPv6 Address Space3.2. Address Types3.2.1. Unicast, Multicast, and Anycast Addresses3.2.2. Some General Rules3.3. Address Notation3.4. Prefix Notation3.5. Global Routing Prefixes3.6. Global Unicast Address3.6.1. International Registry Services and Current Address Allocations3.6.2. Prefixes3.6.3. The Interface ID3.6.4. Address Privacy3.7. Special Addresses3.7.1. IPv6 Addresses with Embedded IPv4 Addresses3.7.2. 6to4 Addresses3.7.3. ISATAP addresses3.7.4. Teredo Addresses3.8. Link- and Site-Local Addresses3.9. Anycast Address3.10. Multicast Address3.10.1. Well-Known Multicast Addresses3.10.2. Solicited-Node Multicast Address3.10.3. Dynamic Allocation of Multicast Addresses3.11. Required Addresses3.12. Default Address Selection3.13. References3.13.1. RFCs3.13.2. Drafts
4. ICMPv6
4.1. General Message Format4.1.1. Type (1 Byte)4.1.2. Code (1 Byte)4.1.3. Checksum (2 Bytes)4.1.4. Message Body (Variable Size)4.2. ICMP Error Messages4.2.1. Destination Unreachable4.2.2. Packet Too Big4.2.3. Time Exceeded4.2.4. Parameter Problem4.3. ICMP Informational Messages4.3.1. Echo Request Message4.3.2. Echo Reply4.4. Processing Rules4.5. The ICMPv6 Header in a Trace File4.6. Neighbor Discovery (ND)4.6.1. Router Solicitation and Router Advertisement4.6.2. Neighbor Solicitation and Neighbor Advertisement4.6.3. The ICMP Redirect Message4.6.4. Inverse Neighbor Discovery4.6.5. Neighbor Discovery Options4.6.6. Secure Neighbor Discovery4.6.7. ND in the Trace File4.6.8. Link-Layer Address Resolution4.6.9. Neighbor Unreachability Detection (NUD)4.6.10. Neighbor Cache and Destination Cache4.7. Autoconfiguration4.8. Network Renumbering4.9. Path MTU Discovery4.10. Multicast Listener Discovery (MLD)4.10.1. MLDv14.10.2. MLDv24.11. Multicast Router Discovery (MRD)4.12. References4.12.1. RFCs4.12.2. Drafts
5. Security with IPv6
5.1. General Security Concepts5.2. General Security Practices5.3. IPsec Basics5.3.1. Security Associations5.3.2. Key Management5.3.2.1. IKEv15.3.2.2. IKEv25.3.3. IPsec Databases5.3.4. IPsec Performance5.4. IPv6 Security Elements5.4.1. Authentication Header5.4.2. Encapsulating Security Payload Header5.4.3. Combination of AH and ESP5.5. Overview of New IPsec RFCs5.6. Interaction of IPsec with IPv6 Elements5.7. IPv6 Security “Gotchas”5.7.1. Native IPv65.7.1.1. Public Key Infrastructure (PKI)5.7.1.2. Firewalls and intrusion detection/prevention systems5.7.1.3. Implementation issues5.7.1.4. Neighbor Discovery issues5.7.1.5. Port scanning5.7.1.6. Multicast issues5.7.2. Transition and Tunneling Mechanisms5.8. Enterprise Security Models for IPv65.8.1. The New Model5.8.2. IPv6 Firewall Filter Rules5.9. References5.9.1. RFCs5.9.2. Drafts
6. Quality of Service
6.1. QoS Basics6.1.1. Integrated Services6.1.2. Differentiated Services6.2. QoS in IPv6 Protocols6.2.1. IPv6 Header6.2.1.1. Traffic Class6.2.1.2. Flow Label6.2.2. IPv6 Extension Headers6.2.3. IPv6 Label Switch Architecture (6LSA)6.3. Using QoS6.4. References6.4.1. RFCs
7. Networking Aspects
7.1. Layer 2 Support for IPv67.1.1. Ethernet (RFC 2464)7.1.2. FDDI (RFC 2467)7.1.3. Token Ring (RFC 2470)7.1.4. Point-to-Point Protocol (RFC 2472)7.1.5. ATM (RFC 2492)7.1.6. Frame Relay (RFC 2590)7.2. Detecting Network Attachment (DNA)7.3. References7.3.1. RFCs7.3.2. Drafts
8. Routing Protocols
8.1. The Routing Table8.1.1. Routing Table Lookup and Content8.1.2. Default Route8.2. RIPng8.2.1. Distance-Vector Algorithm for RIPng8.2.2. Limitations of the Protocol8.2.3. Changes in Topology and Preventing Instability8.2.3.1. Route poisoning and the hold-down timer8.2.3.2. Split horizon, with or without poison reverse8.2.3.3. Triggered updates8.2.4. RIPng Message Format8.2.5. Next Hop Information8.2.6. Timers8.2.7. Packet Processing8.2.7.1. Request message8.2.7.2. Response message8.2.8. Control Functions and Security8.3. OSPF for IPv6 (OSPFv3)8.3.1. Overview of OSPF for IPv68.3.1.1. Differences between OSPF for IPv4 and OSPF for IPv68.3.1.2. Link state-based protocol8.3.1.3. OSPF areas and external routes8.3.2. OSPF Areas and External Routes8.3.2.1. The backbone area8.3.2.2. Nonbackbone areas8.3.2.3. Virtual links8.3.2.4. External routes8.3.2.5. Stub areas8.3.2.6. Not-so-stubby areas8.3.3. Message Format of OSPF for IPv68.3.3.1. Encapsulation in IP datagrams8.3.3.2. OSPF header8.3.3.3. Processing OSPF packets8.3.4. Forming Adjacencies8.3.4.1. The Hello packet8.3.4.2. Interface status and election of DR/BDR8.3.4.3. Processing of Hello packets8.3.4.4. Database description exchange8.3.4.5. The loading phase8.3.5. The Link State Database8.3.5.1. Contents of the LSDB8.3.5.2. LSAs8.3.5.3. LSA header8.3.5.4. Router-LSA (type 0x2001)8.3.5.5. Network-LSA (type 0x2002)8.3.5.6. Inter-Area-Prefix-LSA (type 0x2003)8.3.5.7. Inter-Area-Router-LSA (type 0x2004)8.3.5.8. AS-External-LSA (type 0x4005)8.3.5.9. Link-LSA (type 0x0008)8.3.5.10. Intra-Area-Prefix-LSA (type 0x2009)8.3.6. Calculation of the OSPF Routing Table (Dijkstra Algorithm)8.3.6.1. Step 1: Intra-area routes8.3.6.2. Step 2: Inter-area routes8.3.6.3. Step 3: External routes8.3.7. LSA Flooding8.3.7.1. Aging an LSA8.3.7.2. Self-originating LSAs8.3.7.3. Handling of unknown LSAs8.4. BGP-4 Support for IPv68.4.1. BGP-4 Overview8.4.1.1. Establishing a BGP connection8.4.1.2. Route storage and policies8.4.2. BGP Message Header8.4.3. OPEN Message8.4.4. UPDATE Message8.4.5. BGP Attributes8.4.6. NOTIFICATION and KEEPALIVE Messages8.4.7. BGP Multiprotocol Extension for IPv68.4.7.1. MP_REACH_NLRI path attribute8.4.7.2. MP_UNREACH_NLRI path attribute8.5. Additional Routing Protocols for IPv68.5.1. Routing IPv6 with IS-IS8.5.1.1. Integrated IS-IS8.5.1.2. Routing IPv6 with IS-IS8.5.2. EIGRP for IPv68.5.2.1. Protocol-dependent modules8.5.2.2. EIGRP packet types8.5.2.3. EIGRP neighbors8.5.2.4. The Diffuse Update Algorithm (DUAL)8.5.2.5. EIGRP packet format8.5.2.6. EIGRP support for IPv68.5.3. Multicast Routing for IPv68.6. References8.6.1. Drafts

9. Upper-Layer Protocols
9.1. UDP/TCP9.2. DHCP9.2.1. DHCP Terms9.2.2. DHCPv6 Header Format9.2.2.1. Client-Server messages9.2.3. Relay Agent—Server Message Format9.2.4. DHCP Unique Identifier9.2.5. Identity Association9.2.6. DHCP Communication9.2.6.1. Client and server communication9.2.6.2. Renew/Rebind9.2.6.3. Information Request9.2.6.4. Reconfigure process9.2.6.5. Relay Agent communication9.2.7. Security Considerations9.2.7.1. Security for messages between Relay Agents and DHCP servers9.2.7.2. DHCP Authentication9.2.8. Dynamic Updates to DNS9.2.9. Stateless DHCP9.3. DNS9.3.1. AAAA Records (RFC 3596)9.3.2. DNS Servers9.3.3. DNS Resolvers9.3.4. DNS Lookup9.3.5. Issues with DNS Lookups9.4. SLP9.5. FTP9.6. Telnet9.7. Web Servers9.7.1. Browser Support9.7.2. Proxy Support and Scenarios9.8. References9.8.1. RFCs9.8.2. Drafts
10. Interoperability
10.1. Dual-Stack Techniques10.2. Tunneling Techniques10.2.1. How Tunneling Works10.2.2. Automatic Tunneling10.2.3. Configured Tunneling (RFC 4213)10.2.4. Encapsulation in IPv6 (RFC 2473)10.2.5. Transition Mechanisms10.2.5.1. 6to4 (RFC 3056)10.2.5.2. ISATAP10.2.5.3. Teredo10.2.5.4. Silkroad10.2.5.5. Proto 41 Forwarding10.2.5.6. Tunnel Broker10.2.5.7. Dual-Stack IPv6 Dominant Transition Mechanism (DSTM)10.2.5.8. IPv4/IPv6 coexistence by using VLANs10.2.5.9. IPv6 in MPLS networks10.2.5.10. Cisco’s 6PE10.2.5.11. Generic Routing Encapsulation (GRE)10.2.5.12. SSH (Secure SHell) Tunnels10.3. Network Address and Protocol Translation10.3.1. Stateless IP/ICMP Translation10.3.1.1. Translating IPv4 to IPv610.3.1.2. Translating ICMPv4 to ICMPv6 and vice versa10.3.1.3. Translating IPv6 to IPv410.3.2. NAT-PT10.3.3. Limitations10.3.4. Other Translation Techniques10.3.4.1. Bump-in-the-Stack10.3.4.2. Bump-in-the-API10.3.4.3. Transport Relay Translator10.4. Comparison10.4.1. Dual Stack10.4.2. Tunneling10.4.3. NAT-PT10.4.4. When to Choose IPv6?10.5. Integration Scenarios10.5.1. Organizations10.5.2. ISPs10.6. Case Studies10.6.1. NTT Communications—An ISP Case Study10.6.2. University of Porto10.6.2.1. Access/perimeter technology10.6.2.2. Core and vertical distribution10.6.2.3. Network services10.6.2.4. Security10.6.2.5. Cost of introduction10.6.2.6. Conclusions10.6.3. University of Strasbourg10.6.4. This Book Has Been Reviewed over IPv610.6.5. Moonv6—The Largest IPv6 Test Network10.6.5.1. Phase I10.6.5.2. Phase II10.6.5.3. Phase III10.7. What Is Missing?10.7.1. IPv6 Routing10.7.2. Protocol Selection on Dual-Stack Nodes10.7.3. Multihoming with IPv610.7.4. DNS10.7.5. Network Management10.7.6. IPv4 Dependencies10.8. Security Aspects10.9. Applications10.10. Cost of Introduction10.10.1. Hardware and Operating Systems10.10.2. Software10.10.3. Education10.10.4. Planning10.10.5. Other Costs10.11. Vendor Support10.11.1. Operating Systems10.11.2. Router Support10.11.3. IP Address Management10.11.4. Firewalls10.12. References10.12.1. RFCs10.12.2. Drafts
11. Mobile IPv6
11.1. Overview11.1.1. Mobile IPv6 Terms11.1.2. How Mobile IPv6 Works11.2. The Mobile IPv6 Protocol11.2.1. Mobility Header and Mobility Messages11.2.2. The Binding Update Message11.2.3. The Binding Acknowledgement11.2.4. Mobility Options11.2.5. Routing Header Type 211.3. ICMPv6 and Mobile IPv611.3.1. Home Agent Address Discovery11.3.1.1. ICMPv6 Home Agent Address Discovery messages11.3.1.2. Home agents list11.3.2. Mobile Prefix Solicitation11.3.3. Changes in Neighbor Discovery (ND)11.3.3.1. Modified Router Advertisement format11.3.3.2. Modified Prefix option11.3.3.3. New Advertisement Interval option11.3.3.4. New Home Agent Information option11.3.3.5. Changes in the Router Advertisement Interval11.4. Mobile IPv6 Communication11.4.1. Binding Cache11.4.2. Binding Update List11.4.3. Return Routability Procedure11.4.4. Home Agent Operation11.4.4.1. Proxy Neighbor Discovery11.4.4.2. Bidirectional Tunneling11.4.5. Mobile Node Operation11.4.5.1. Route Optimization in detail11.4.5.2. Communication with Bidirectional Tunneling11.4.5.3. Movement Detection11.4.5.4. Returning home11.5. Security11.6. Extensions to Mobile IPv611.6.1. NEMO11.6.2. Hierarchical Mobile IPv611.6.3. Fast Handover11.7. References11.7.1. RFCs11.7.2. Drafts
12. Get Your Hands Dirty
12.1. Linux12.1.1. Where to Get Linux12.1.2. Installation12.1.3. Utilities12.2. BSD12.2.1. Installation12.2.2. Utilities12.2.3. KAME Project12.3. Sun Solaris12.3.1. Enable IPv6 and Get Started12.3.2. Utilities12.4. Macintosh12.5. Microsoft12.5.1. Windows .NET Server 200312.5.2. Windows XP12.5.2.1. Installation and configuration12.5.2.2. Utilities12.5.3. Microsoft’s Roadmap12.6. Cisco Router12.7. Applications12.8. Description of the Tests12.8.1. Pinging with IPv612.8.2. Pinging the 6Bone over the IPv4 Infrastructure12.8.3. Traceroute with IPv612.8.4. Browsing with IPv6
A. RFCs
A.1. General RFC InformationA.2. DraftsA.3. RFC Index for IPv6A.3.1. General IPv6 RFCsA.3.2. RFCs Referring to Topologies
B. IPv6 Resources
B.1. Ethertype FieldB.2. Next Header Field Values (Chapter 2)B.3. Reserved Anycast IDs (Chapter 3, RFC 2526)B.4. Values for the Multicast Scope Field (Chapter 3, RFC 4291)B.5. Well-Known Multicast Group Addresses (Chapter 3, RFC 2375)B.6. ICMPv6 Message Types and Code Values (Chapter 4, RFC 2463)B.7. QoS in IPv6 (Chapter 6)B.8. Multicast Group Addresses and Token Ring Functional Addresses (Chapter 7)B.9. OSPFv3 Messages and the Link State Database (Chapter 8)B.10. BGP-4 Message Types and Parameters (Chapter 8)B.11. DHCPv6 and Multicast Addresses for SLP over IPv6 (Chapter 9)B.12. Mobile IPv6 (Chapter 11, RFC 3775)
C. Recommended Reading
Index
About the Author
Colophon
Copyright

Content preview from IPv6 Essentials, 2nd Edition

Chapter 5. Security with IPv6

The developers of IPv4 did not rack their brains about security. The “Internet” in those early days connected a few trusted networks of some visionary researchers. The individuals who controlled these networks, as well as those who were allowed to use the networked resources, were implicitly trusted to not cause any malicious or destructive behavior. This is the reason why the original IP architecture does not include a security framework that can be used by all applications. If security was needed, it was usually rudimentary authentication/authorization and was included in the application code (e.g., the password for Telnet and FTP). Many years later, IPsec was introduced when IPv4 had already been widely deployed. Therefore, it needed to be retrofitted into existing deployments. Due to many interoperability and performance issues, IPsec is not widely deployed in many IPv4 scenarios. This is in contrast to IPv6, which from the beginning had the notion that fundamental security functionality had to be included in the base protocol in order to be used on any Internet platform. A standards-conforming IPv6 implementation must include IPsec to allow more secured communication once it is appropriately configured. Before we dive into the technical details, I want to talk about some general security concepts and practices.

General Security Concepts

In order to protect data, one has to be aware of the possible threats. People often focus solely on malicious ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0596100582Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

IPv6 Essentials, 2nd Edition

by Silvia Hagen

Chapter 5. Security with IPv6

General Security Concepts

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.