
“IPv6 Act Now” Launched

Posted May 25, 2009 – 09:45 in: IPv6

An interesting website popped up, called IPv6 Act Now!

Right now, 88% of all IPv4 addresses have been allocated, and it is widely accepted that we will run out entirely by 2011. The technical community has been aware of this address shortage for many years, and has long recognised that a new protocol was required to meet future demand for unique Internet addresses. It was with this in mind that Internet Protocol version six (IPv6) was developed in the mid-90s.

Now is the time to recognise that sustainable growth of the IPv4-based Internet is coming to an end, and that it is time to move on, with IPv6 as the successor.

Definitely worth a check!


What Ever Happened To IPv5?

Posted April 15, 2009 – 20:00 in: IPv6

This blog mainly focuses on the transition from IPv4 to IPv6, but what ever happened to IPv5? This was an experimental Internet Stream Protocol (ST), developed in the 1990s, that never seemed to appeal to a larger public. But because the version number 5 was once assigned to ST, it couldn’t be used for IPv6.

Even though Internet Stream Protocol was abandoned, many of its ideas and techniques can be found in today’s Multiprotocol Label Switching (MPLS).

The original ST protocol was later revised in 1995 to form ST2+, but again was never put to good use.


How IPv6 Headers Are Formed, Compared To IPv4

Posted April 5, 2009 – 20:00 in: IPv6

On the cisco.com website, there is an excellent write-up on IPv6 headers. The author describes in great detail how the IPv6 packets are created, and how they compare to IPv4.

[Figure: IPv4 header]

The IHL - or Internet Header Length - was removed from IPv6, as each IPv6 header will always be 40 bytes in length, regardless of the content. The Time to Live has been renamed to “Hop Limit”, which more accurately describes its purpose. At each hop the packet passes, the counter is reduced by 1. As soon as the counter hits zero, the packet is destroyed. The Header Checksum was removed from IPv6.

[Figure: IPv6 header]

The IPv6 header looks less cluttered, and holds less fragmented data, but more to-the-point information. The Version holds value 6, to indicate IPv6. The Flow Label can be used to label packets belonging to the same stream or session, so they are more easily distinguishable. It could be used by routers to uphold certain Quality of Service settings, without having to analyze the packet entirely.

The Payload Length holds the length of the user data to be transmitted, as well as the length of any additional headers that might be sent along. Since the header has a fixed 40-byte size, the Total Length from IPv4 (which included both the header size and the user data size) is no longer needed.

For a more detailed explanation, I’ll refer you to the post on Cisco’s website titled IPv6 internals.
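
As an added example (not from the original post or the Cisco write-up), the following Python parser reads the fixed 40-byte IPv6 header described above and checks Payload Length against the actual packet size. The sample packet, its addresses (the 2001:db8::/32 documentation range) and the Next Header value are constructed for illustration.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40  # fixed size, which is why IPv6 needs no IHL field


def parse_ipv6_header(packet: bytes) -> dict:
    """Decode the fixed IPv6 header and sanity-check the Payload Length."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated: shorter than the 40-byte fixed header")
    # First 32 bits: Version (4) | Traffic Class (8) | Flow Label (20)
    first_word, payload_len, next_header, hop_limit = struct.unpack(
        "!IHBB", packet[:8]
    )
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version field is {version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,   # excludes the 40-byte header itself
        "next_header": next_header,      # type of what follows, e.g. 17 = UDP
        "hop_limit": hop_limit,          # decremented by each router
        "src": ipaddress.IPv6Address(packet[8:24]),
        "dst": ipaddress.IPv6Address(packet[24:40]),
        # A mismatch means a truncated capture or a malformed/crafted packet.
        "length_ok": len(packet) - IPV6_HEADER_LEN == payload_len,
    }


def build_sample() -> bytes:
    """Constructed packet: flow label 0x12345, 8-byte payload, hop limit 64."""
    first_word = (6 << 28) | (0 << 20) | 0x12345
    header = struct.pack("!IHBB", first_word, 8, 17, 64)
    header += ipaddress.IPv6Address("2001:db8::1").packed
    header += ipaddress.IPv6Address("2001:db8::2").packed
    return header + b"\x00" * 8


if __name__ == "__main__":
    for field, value in parse_ipv6_header(build_sample()).items():
        print(f"{field:15} {value}")
```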


IPv6 Over Social Networks

Posted April 1, 2009 – 22:53 in: IPv6

Today, on Slashdot.org.

“A new RFC has been published this morning to significantly speed the deployment of IPv6. With IPv6 over Social Network (IPoSN), ‘[e]very user is a router with at least one loopback interface,’ and ‘Every friend or connection between users will be used as a point-to-point link.’ It is noted that latency on the network can be very high, though.”


We’ll Still Need DHCP, Despite Stateless Autoconfiguration

Posted April 1, 2009 – 20:00 in: IPv6

We previously explained in detail how Stateless Autoconfiguration works for IPv6, but there’s one aspect that wasn’t discussed: nameservers.

While Stateless Autoconfiguration can be used as a relatively easy way of assigning IP addresses, it does only that (in its current form). It will not send out DNS servers, unlike DHCPv4 and DHCPv6. 

Through Router Advertisements - which are now responsible for sending out the first 64 bits of the Stateless Autoconfiguration IP address - it should be possible to include nameservers as well in the near future, to further eradicate DHCP solutions. 

Until then, any additional information, besides the IP address, should still be entered manually.


IPv6 And Security: What You Probably Don’t Know

Posted March 29, 2009 – 20:00 in: IPv6

For anyone claiming IPv6 is more secure than IPv4, take a deep breath, count to ten, and rethink your arguments again. While IPv6 has some technological advantages over IPv4, I wouldn’t go so far as saying it’s safer.

Scanning ~3.7 billion hosts (IPv4) vs a couple trillion hosts (IPv6)
This is probably the biggest advantage that IPv6 has over IPv4: its sheer number of available IP addresses. A botnet nowadays can scan all of our IPv4 addresses in a relatively timely manner. It will never scan all assigned IPv6 ranges, because the address space is just too big.

Of course, any targeted scan for a specific (smaller) range could yield results, but you’d still only see a fragment of all available addresses. I predict we’ll be seeing fewer computer infections in the first 20 minutes of being online.

IPSec built-in IPv6
For IPv4, IPSec was an extra protocol on top of the IP layer, which added encryption to individual IP packets (versus encrypting specific TCP streams with SSL). 
IPv6 has built-in support for IPSec, which means it can also be applied to UDP streams.

However, having the ability to use IPSec does not necessarily mean it will be used. It requires a number of modifications in the applications themselves to support and implement it. But having IPSec available for all hosts with IPv6 could mean a broader adoption of the technology.

NAT won’t save you this time
Most home networks are relatively safe, as they only have one router in their network, and use NAT for all internal routing. Doing so gives you an advantage to the outside world, as your computer can’t be reached directly (unless through UPnP or port forwarding), but only your router can. Of course, this can be circumvented, but it’s a layer of “security”.

Since NAT was introduced as a means to stop the rapid assignment of IPv4 addresses, it was meant to be deprecated in IPv6. Giving all hosts a publicly routable IP address has more advantages than disadvantages, so IPv6 strives towards this. Your local LAN will probably contain hosts (computers, routers, NAS’s, printers, …) that all have public IPv6 addresses.

So your private LAN will no longer form a barrier; instead, direct access to your hosts will be possible. Which brings us to the next point.

Firewalling IPv4 traffic doesn’t automatically mean firewalling IPv6 traffic
This is something very important to understand. A software firewall designed to filter IPv4 traffic based on IP policies will probably not filter IPv6 addresses (some firewalls will, some won’t). This means that traffic targeted towards your IPv6 address will most likely not be stopped by your IPv4 firewall.

Add to this that whenever you bring up a NIC (Network Interface Card), and attach a cable, an IPv6 address will automatically be assigned to that interface. So whenever you install a new host, and hook it up to your network, it will be reachable over IPv6 (but probably limited to the current network only).
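
One way to check which interfaces have picked up an IPv6 address, as an added example that is not part of the original post: it parses the Linux /proc/net/if_inet6 format and separates link-local addresses from routable ones. The sample lines are constructed; on a Linux host, pass in the contents of the real file instead.

```python
import ipaddress

# Constructed sample in the format of Linux's /proc/net/if_inet6:
# address, interface index, prefix length, scope, flags (all hex), device name.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000020a95fffea44010 02 40 20 80     eth0
20010af200050001020a95fffea44010 02 40 00 00     eth0
"""


def audit_ipv6_addresses(if_inet6_text: str) -> list:
    """Return (device, address/prefixlen, reach) for each non-loopback address."""
    findings = []
    for line in if_inet6_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        addr = ipaddress.IPv6Address(int(fields[0], 16))
        if addr.is_loopback:
            continue
        prefix_len = int(fields[2], 16)
        # fe80::/10 is auto-assigned and only reachable on the local link;
        # anything else is treated here as reachable through a router.
        reach = "link-only" if addr.is_link_local else "routable"
        findings.append((fields[5], f"{addr}/{prefix_len}", reach))
    return findings


def needs_ipv6_rules(findings: list) -> list:
    """Devices holding a routable address: IPv4-only filtering does not cover them."""
    return sorted({dev for dev, _, reach in findings if reach == "routable"})


if __name__ == "__main__":
    results = audit_ipv6_addresses(SAMPLE_IF_INET6)
    for dev, addr, reach in results:
        print(f"{dev:6} {addr:40} {reach}")
    print("review IPv6 firewall rules for:", needs_ipv6_rules(results))
```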


“Google: IPv6 is easy, not expensive”

Posted March 27, 2009 – 00:40 in: IPv6

Interesting read.

Google engineers say it was not expensive and required only a small team of developers to enable all of the company’s applications to support IPv6, a long-anticipated upgrade to the Internet’s main communications protocol.

“We can provide all Google services over IPv6,” said Google network engineer Lorenzo Colitti during a panel discussion held here Tuesday at a meeting of the Internet Engineering Task Force (IETF).

Colitti said a “small, core team” spent 18 months enabling IPv6, from the initial network architecture and software engineering work, through a pilot phase, until Google over IPv6 was made publicly available. Google engineers worked on the IPv6 effort as a 20% project – meaning it was in addition to their regular work – from July 2007 until January 2009. 
[Source: Network World]

The article itself is bundled with interesting links, well worth your time!


IPv6 Test Methods: Description & Validation Proposal

Posted March 25, 2009 – 22:37 in: IPv6

Today, the NIST - or National Institute of Standards and Technology - announced its final proposal for testing & validating IPv6-ready equipment (hosts, routers & network devices). Its purpose is to provide essential documentation for defining when material is “IPv6 ready” (a logo that is bound to become very important in the months to come).

The draft, as well as a Call For Comments, can be downloaded from the following location: http://www.troy-networks.com/NIST/ (mirror).

Beware though, it’s a lengthy read!


Stateless Autoconfiguration To Replace DHCP For Some Systems

Posted March 24, 2009 – 01:34 in: IPv6

Stateless Address Autoconfiguration is a technique where individual nodes in a network can generate their own unique IP address, based on a “network address” which the router will send out, and a unique part generated from the host’s MAC address.

Here’s how it works. The router sends out a “router advertisement” or RA, which contains the first 64 bits of an IPv6 address. This value is defined on the router, by the network administrator. The host itself will use its own MAC address, add some magic, and use it as the last 64 bits of the IPv6 address. Combine those, and you have a unique IPv6 network address.

Take the following example: the router will “advertise” the first 64 bits of the 128bit IPv6 address as 2001:0af2:0005:0001.

The MAC address of the node’s network card is 00:0A:95:A4:40:10, which in turn consists of 2 distinguishable parts. The first 24 bits (or the first 3 ‘blocks’ in the MAC address) are the OUI or Organizationally Unique Identifier. In this example, this would be 000A95. This is the OUI that is assigned by IEEE (Institute of Electrical and Electronics Engineers), and is guaranteed to be unique worldwide. The second part of the MAC address, or A44010, is a unique part that the owner of the OUI can assign.

 

[Figure: MAC Address Layout]

The first part of the MAC address is guaranteed to be unique by IEEE, the second part is guaranteed to be unique by the owner of the OUI (= the company which was assigned that specific OUI; e.g. Apple, Xerox, HP, …).

The MAC address, however, has a so-called “universal / local bit”: a specific bit (0/1) that indicates whether the MAC address is globally unique (provided by the hardware supplier), or not (it might be altered afterwards), and whether the MAC address is a multicast address or a unicast address.

If a MAC address is not available, the “universal / local bit” is set to one, to indicate that the MAC address isn’t globally unique, and can’t be used universally. The end result - a combination of the 64 bit router-supplied prefix, and the MAC address - will form a Modified EUI-64 instead of a regular EUI-64 (because the “u/l bit” was flipped).

For those keeping count, you will have noticed that a MAC address does not contain 64 bits, and in itself would not be sufficient to be used as the last 64 bits of the IPv6 address. The 48-bit MAC address should first be turned into a 64-bit EUI-64, by adding the hexadecimal value FFEE in between the OUI (first 6 bits) and the owner-assigned bits (last 6 bits).

00:0A:95:A4:40:10 is the full MAC address
000A95 is the OUI
A44010 is the organization-assigned value
000A95FFEEA44010 is the 64-bit EUI-64

The end result, 000A95FFEEA44010, is the EUI-64, which can be used as the last 64 bits of an IPv6 address.

In total, our IPv6 address could be as follows.

2001:0af2:0005:0001 are the first 64 bits advertised by our router
000a:95ff:eea4:4010 are the last 64 bits, made from the MAC address into an EUI-64
2001:0af2:0005:0001:000a:95ff:eea4:4010 is the logical combination of both
2001:af2:5:1:a:95ff:eea4:4010 is the shortened version, with leading zeros removed

If there are multiple routers, each handing out different address prefixes, the host will create an IPv6 address for each of those prefixes. A router can even announce a new prefix, and the connected clients will generate a new IP based on this new prefix. To keep existing connections alive, the previous IP address isn’t deleted right away, but marked as “deprecated” first.

Using Stateless Autoconfiguration can be a good way to assign the same IP to the same host, provided the MAC address of that host doesn’t change. Should a NIC (Network Interface Card) be replaced, removed or added, the MAC address will change, and inevitably also its IPv6 address. For this reason, Stateless Autoconfiguration will be used primarily in small to medium sized organizations, and never in datacenter/hosting businesses which rely heavily on fixed IP addresses.

For Windows systems, a random MAC address will be generated to create a random IPv6 address which will be used for outgoing sessions. This will aid privacy, as your IP will never be the same (whereas the default Stateless Autoconfiguration will re-generate the same IP over and over again).
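
The derivation above as an added Python example (not the author's code), including the reverse step that recovers the MAC from an address, which is the privacy concern behind random addresses. It follows RFC 4291 Appendix A, which inserts FFFE and inverts the universal/local bit, so its output differs from the worked values above.

```python
import ipaddress


def mac_to_interface_id(mac: str) -> bytes:
    """48-bit MAC -> 64-bit Modified EUI-64 interface identifier."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02  # invert the universal/local bit
    # OUI (with flipped bit) + FF FE + vendor-assigned part
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the MAC-derived identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this derivation expects a /64 prefix")
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def recover_mac(addr: str):
    """Return the MAC embedded in an EUI-64-style address, or None.

    Anyone who sees such an address can read the hardware address back out,
    which is why a MAC-derived address identifies the host on every network.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # random or manually assigned interface identifier
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    # Prefix and MAC are the ones used in the post's example.
    addr = slaac_address("2001:0af2:0005:0001::/64", "00:0A:95:A4:40:10")
    print(addr, "->", recover_mac(str(addr)))
    # Constructed random-looking address: no MAC can be recovered.
    print(recover_mac("2001:af2:5:1:3c9d:11a2:7b44:90e1"))
```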


Neighbor Discovery (ND) To Replace ARP In IPv6

Posted March 23, 2009 – 22:35 in: IPv6

Neighbor Discovery - or ND - is the protocol used by IPv6 to determine neighboring hosts, and will replace ARP which was used in IPv4. It performs tasks similar to those of the Address Resolution Protocol (ARP) and the ICMP Router Discovery Protocol. Its purpose remains to get the MAC/Link Layer addresses of available hosts, and the connection information of available routers in the network.

Neighbor Discovery operates in the Link Layer (Layer #2 of the OSI model) and uses ICMPv6 (the obvious IPv6 version of ICMP) to discover neighboring nodes. It will provide the translation between the IPv6 address and the Link Layer address.

ND can be used to perform …

  • Address Autoconfiguration: perform stateless configuration of addresses for an interface;
  • Address Resolution: Mapping from IP address to link-layer address;
  • Neighbor Unreachability Detection (NUD): determine that a neighbor is no longer reachable on the link;
  • Duplicate Address Detection (DAD): nodes can check whether an address is already in use;

And many more.
