2. IPv6 - advanced functionalities
PA159: Net-Centric Computing I.
Eva Hladká, Faculty of Informatics, Masaryk University
Autumn 2010
Eva Hladká (FI MU) 2. IPv6 - advanced functionalities Autumn 2010 1 / 47

Lecture Overview
1) Lecture Overview
2) Brief IPv6 Introduction
   - IPv6 Addresses
   - Path MTU discovery
3) IPv6 Neighbor Discovery Protocol in Detail
   - L2 address resolution
   - Duplicate Address Detection
   - Neighbor Unreachability Detection
   - Autoconfiguration
   - Summary
4) IPv6 Mobility Support in Detail
   - Return Routability Procedure

Brief IPv6 Introduction

IP Protocol version 6 (IPv6) - Why a new protocol?
- the main impulse for a new protocol proposal: the relatively fast exhaustion of the IPv4 address space
- further reasons: the issues that arose during IPv4 usage, especially:
   - weak support of real-time applications
   - no support of communication security
   - no support of device autoconfiguration
   - no mobility support
   - etc.
- (many of these features were retroactively implemented into IPv4)
IP Protocol version 6 (IPv6) - Basic Features
- bigger address space - 128-bit IPv6 address, theoretically 2^128 unique addresses
- simpler header format - a basic 40 B header containing just the most necessary information
- possibilities of further extensions - through so-called extension headers
- support of real-time transmissions - tagging of flows and priorities
- support of secure communication - authentication, encryption and integrity verification
- mobility support - using so-called home agents
- device autoconfiguration support - stateful and stateless autoconfiguration

IPv6 Datagram - Basic Header
- fixed basic header size (40 B)
- checksum, options and fragmentation information are not included in the basic header
   - options and fragmentation information have to be carried in extension headers
   - the checksum was removed altogether (integrity is ensured on L2 and L4)

IPv6 Datagram - Extension Headers
- several extension headers have been defined
   - e.g., Hop-By-Hop Options, Routing, Fragment, Encapsulating Security Payload, Authentication Header, etc.

IPv6 Addresses

IPv6 Addresses
- (currently) the final solution to the address space shortage
- an IPv6 address has 128 bits (= 16 bytes):
   - 2^128 unique addresses (~ 3 x 10^38 addresses, i.e. ~ 5 x 10^28 addresses for every human on the Earth)
- written in hexadecimal form instead of decimal (pairs of bytes divided by the ":" character)

IPv6 addresses - Address Abbreviation
- the leading 0s might be omitted in each address group:
   - 0074 might be written as 74, 000F as F, ...
   - 3210 cannot be abbreviated!
- unabbreviated:    FDEC:BA98:0074:3210:000F:BBFF:0000:FFFF
- abbreviated:      FDEC:BA98:74:3210:F:BBFF:0:FFFF
- consecutive groups of zeros might be replaced by the "::" character sequence
   - just a single run of groups might be replaced!
- abbreviated:      fdec:0:0:0:0:bbff:0:ffff
- more abbreviated: fdec::bbff:0:ffff

IPv6 addresses - Hierarchy
- the goal is to simplify routing
- the structure of unicast IPv6 addresses is defined by RFC 3587
- basic structure:
   | n bits                | 64-n bits      | 64 bits           |
   | global routing prefix | subnet address | interface address |
- global routing prefix = the network address
- the subnetwork address is usually 16 bits long, so the global routing prefix has 48 bits
   - the first 16 bits contain the value 2001 (hexadecimal form)
   - the next 16 bits are assigned by a Regional Internet Registry (RIR)
   - the next 16 bits are assigned by a Local Internet Registry (LIR)
   | 16 bits | 16 bits         | 16 bits         | 16 bits        | 64 bits           |
   | 2001    | assigned by RIR | assigned by LIR | subnet address | interface address |

IPv6 Addresses & CIDR
- IPv6 addresses are classless (address classes do not exist)
- IPv6 networks are defined using CIDR notation (similarly to the IPv4 case)
   - e.g., FDEC:0:0:0:0:BBFF:0:FFFF/60
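The abbreviation rules, the RFC 3587 split and the CIDR notation from the slides above, implemented as an added example (not code from the lecture). The two FDEC addresses are the slides' own; the 2001:db8 address and the /60 membership inputs are constructed here. `abbreviate` follows the slides' rules and, for a lone zero group, the RFC 5952 convention of leaving it as "0"; the main block cross-checks it against the standard library's `compressed` form.

```python
"""IPv6 address abbreviation and the RFC 3587 unicast address layout.

Added example (not from the lecture): implements the two abbreviation rules
from the slides (drop leading zeros in each group, replace one run of all-zero
groups with "::"), splits a global unicast address into global routing
prefix / subnet / interface ID, and checks CIDR membership.  The sample
addresses other than the slides' own are constructed.
"""
import ipaddress


def expand(addr):
    """Return the eight 4-hex-digit groups of an address (handles one '::')."""
    if addr.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {addr}")
    if "::" in addr:
        head, _, tail = addr.partition("::")
        h = head.split(":") if head else []
        t = tail.split(":") if tail else []
        groups = h + ["0"] * (8 - len(h) - len(t)) + t
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(0 < len(g) <= 4 for g in groups):
        raise ValueError(f"not an IPv6 address: {addr}")
    return [g.lower().zfill(4) for g in groups]


def abbreviate(addr):
    """Strip leading zeros, then collapse the longest run of zero groups.

    Only one run may become "::"; the first one wins on a tie, and a single
    zero group is left as "0" (the RFC 5952 text-representation convention)."""
    groups = [g.lstrip("0") or "0" for g in expand(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def decompose(addr, subnet_bits=16):
    """RFC 3587 layout: n-bit global routing prefix, (64-n)-bit subnet ID,
    64-bit interface ID; with a 16-bit subnet ID the prefix is a /48."""
    v = int(ipaddress.IPv6Address(addr))
    prefix_bits = 64 - subnet_bits
    interface_id = v & ((1 << 64) - 1)
    subnet = (v >> 64) & ((1 << subnet_bits) - 1)
    prefix = (v >> (64 + subnet_bits)) << (128 - prefix_bits)
    return {
        "global_routing_prefix": f"{ipaddress.IPv6Address(prefix)}/{prefix_bits}",
        "subnet": f"{subnet:x}",
        "interface_id": f"{interface_id:016x}",
    }


def in_network(addr, cidr):
    """CIDR membership test, e.g. is FDEC:0:0:0:0:BBFF:0:FFFF inside fdec::/60?"""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(cidr, strict=False)


if __name__ == "__main__":
    for a in ("FDEC:BA98:0074:3210:000F:BBFF:0000:FFFF", "FDEC:0:0:0:0:BBFF:0:FFFF"):
        # cross-check the hand-written rules against the standard library
        assert abbreviate(a) == ipaddress.IPv6Address(a).compressed
        print(a, "->", abbreviate(a))
    print(decompose("2001:db8:abcd:1234:211:22ff:fe33:4455"))
```

`expand` rejects a second "::" because an address with two of them is ambiguous; this is also why log parsers and ACL tools should normalise addresses before comparing them, since one address has many valid spellings.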
IPv6 addresses - address types
- unicast addresses - same as in IPv4 (identification of a single network interface)
- multicast addresses - same as in IPv4, used for addressing a group of devices/hosts
   - data is delivered to all the group members
   - prefix ff00::/8
- anycast addresses - new in IPv6
   - identify a group of devices/hosts as well
   - but data is delivered just to a single member of the group (the closest one)
- IPv4 broadcast addresses are not used in IPv6
   - replaced by special multicast addresses (e.g., FF02::1 - all the nodes on the particular LAN)

Path MTU discovery

IPv6 Path MTU discovery
- only source devices decide on the correct size of fragments
   - routers can't fragment datagrams, just end nodes can!
   - if a datagram is too large for a router, it must drop the datagram
   - and send the source feedback about this occurrence (in the form of an ICMPv6 Packet Too Big message)
- Path MTU Discovery
   - a special technique used for determining what size of fragments should be used
   - uses the feedback mechanism provided by ICMPv6 Packet Too Big messages
   - the source node sends a datagram that has the MTU of its local physical link (it represents an upper bound on the MTU)
   - if this goes through without any errors, that value can be used for future datagrams to that destination
   - if it gets back any Packet Too Big message, it tries again using a smaller datagram size (indicated in the Packet Too Big message)

IPv6 Path MTU discovery - The Schema
(figure: Path MTU discovery schema)
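The Path MTU Discovery loop just described, as an added example that is not part of the lecture: the source starts at its own link MTU and shrinks the datagram each time a hop answers with Packet Too Big. The path, its hop names and the `ptb_filtered` switch are constructed; the 1280-octet minimum is the IPv6 minimum link MTU (RFC 2460 / RFC 8200), not a value from the slides.

```python
"""Path MTU Discovery, simulated end to end.

Added example, not from the lecture: a source starts with its own link MTU
and lowers the datagram size each time a router on a constructed path answers
with an ICMPv6 Packet Too Big carrying its next-hop MTU.  The path, the hop
names and the `ptb_filtered` switch (a firewall dropping all ICMPv6) are
constructed for the example.
"""
IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this (RFC 2460 / RFC 8200)


class PacketTooBig(Exception):
    """Stand-in for the ICMPv6 Packet Too Big message (type 2) a router sends
    back to the source when it has to drop a datagram it cannot fragment."""

    def __init__(self, hop, mtu):
        super().__init__(f"{hop}: packet too big, next-hop MTU {mtu}")
        self.hop, self.mtu = hop, mtu


def forward(path, size):
    """Routers never fragment in IPv6: the first hop whose link is smaller than
    the datagram drops it and reports that link's MTU."""
    for hop, link_mtu in path:
        if size > link_mtu:
            raise PacketTooBig(hop, link_mtu)
    return True


def discover_pmtu(path, local_mtu, ptb_filtered=False):
    """Return (path_mtu, attempts). path_mtu is None when the datagram was
    dropped but the feedback never arrived (a PMTUD black hole)."""
    size = local_mtu                      # the local link is the upper bound
    attempts = []
    while True:
        try:
            forward(path, size)
            attempts.append((size, "delivered"))
            return size, attempts
        except PacketTooBig as e:
            if ptb_filtered:
                attempts.append((size, "dropped silently: Packet Too Big filtered"))
                return None, attempts
            attempts.append((size, f"too big at {e.hop}, next-hop MTU {e.mtu}"))
            if e.mtu >= size:
                # a PTB that does not shrink the size would loop forever; treat as bogus
                raise ValueError("Packet Too Big reports an MTU that is not smaller")
            if e.mtu < IPV6_MIN_MTU:
                # a node never sends less than 1280 octets; such a link is not a valid
                # IPv6 link, so stop instead of chasing the reported value
                raise ValueError(f"{e.hop} reports {e.mtu}, below the IPv6 minimum MTU")
            size = e.mtu


def demo_path():
    """Constructed path: each hop's outgoing link MTU."""
    return [("r1", 1500), ("r2", 1400), ("r3", 1280), ("dst", 1500)]


if __name__ == "__main__":
    mtu, log = discover_pmtu(demo_path(), 1500)
    for size, what in log:
        print(size, what)
    print("path MTU:", mtu)
```

The `ptb_filtered=True` run is the failure mode a defender should know: a firewall that drops all ICMPv6 also drops Packet Too Big, and the source then never learns why large datagrams vanish. The two `ValueError` branches guard against feedback that cannot be trusted: a reported MTU that does not shrink the size, or one below the IPv6 minimum.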
IPv6 Neighbor Discovery Protocol in Detail

Neighbor Discovery Protocol I.
- how can we obtain the link (e.g., Ethernet) address of a node when we have its IP address?
   - IPv4: the ARP protocol
   - IPv6: a new mechanism called Neighbor Discovery Protocol was proposed
- Neighbor Discovery for IP version 6 (RFC 2461)
   - a part of ICMPv6
   - in comparison with IPv4's ARP, new functionalities have been added
- IPv6 nodes use Neighbor Discovery for/to:
   - autoconfiguration of IPv6 addresses (stateful/stateless autoconfiguration)
   - determine network prefixes, routers and other configuration information
   - duplicate IP address detection (DAD)
   - determine layer two addresses of nodes on the same link
   - find neighboring routers that can forward their packets
   - keep track of which neighbors are reachable and which are not (NUD)
   - detect a changed link-layer address

Neighbor Discovery Protocol II.
- consists of five ICMP messages:
   - Router Solicitation (RS)
   - Router Advertisement (RA)
   - Neighbor Solicitation (NS)
   - Neighbor Advertisement (NA)
   - ICMP Redirect
- Inverse Neighbor Discovery is also possible
   - see the literature for details

L2 address resolution

Neighbor Discovery - L2 address resolution I.
- very similar to ARP in IPv4
- based on Neighbor Solicitation and Neighbor Advertisement messages
- a common multicast prefix is defined (FF02:0:0:0:0:1:FF00::/104)
   - the node looking for an L2 address takes the last 24 bits of the IP address whose L2 address it is looking for, and concatenates them with the prefix
   - e.g., looking for the L2 address of 2AC0:56:A319:15:022A:FFF:FE32:5ED1 it gets FF02:0:0:0:0:1:FF32:5ED1
   - i.e., the destination address is a multicast address
   - the 24 bits ensure that the multicast group will contain just a few nodes (typically 1 or 0)
- a Neighbor Solicitation message is sent to such a multicast address
   - the message contains the IPv6 address being resolved and the L2 address of the sending node
   - the neighbor has to listen for such messages in its multicast group(s) (based on its IPv6 address(es))

Neighbor Discovery - L2 address resolution II.
- once a node belonging to the particular multicast group receives an NS message, it answers with a Neighbor Advertisement message
   - note: there might be several nodes in the particular multicast group - just the one having the IPv6 address being resolved answers
- the answer contains:
   - all the IPv6 and L2 addresses the node has
   - attributes:
      - R (Router) - the sender is a router
      - S (Solicited) - indicates whether the NA has been solicited or not (unsolicited NAs are possible)
      - O (Override) - indicates whether the new information should override the old information previously saved on the node(s)
- unsolicited Neighbor Advertisement
   - used in situations when the node knows that its L2 address has changed
   - these messages are sent to the multicast address containing all the nodes (FF02::1)

Neighbor Discovery - L2 address resolution II.
The mechanism
- A -> B: ICMPv6 Type = 135 (Neighbor Solicitation), Src = A, Dst = solicited-node multicast of B, Data = link-layer address of A; query: "what is your link address?"
- B -> A: ICMPv6 Type = 136 (Neighbor Advertisement), Src = B, Dst = A, Data = link-layer address of B
- A and B can now exchange packets on this link

The mechanism - Neighbor Solicitation message format (bit offsets 0 4 8 12 16 20 24 28 32)
- Type = 135 (8 bits) | Code = 0 (8 bits) | Checksum (16 bits)
- Reserved (32 bits)
- Target Address (128 bits)
- ICMPv6 Options

Duplicate Address Detection

Neighbor Discovery - Duplicate Address Detection (DAD)
- Duplicate Address Detection (DAD)
   - used during the autoconfiguration process (see later)
- the host sends an NS message with its own address as the target address
   - the destination address in the IPv6 header is set to the solicited-node multicast address
   - the source address is set to the unspecified address (::, i.e. all zeros)
- if there is another node on the link that is using the same address as the host's address, it will reply with an NA message (sent to the all-nodes multicast address), thus exposing the duplicated address to the host
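The solicited-node group derivation, the NS/NA exchange and the DAD probe from the preceding slides, as an added example that is not part of the lecture. The 2AC0:... address is the slides' own; the link of three nodes, their MACs and their 2001:db8 addresses are constructed, and B and C are deliberately given addresses with the same low 24 bits so that they share one solicited-node group. The 33:33 Ethernet mapping is the RFC 2464 rule, not something the slides state.

```python
"""Solicited-node multicast, Neighbor Solicitation and Duplicate Address Detection.

Added example, not from the lecture: derives the solicited-node group
(FF02:0:0:0:0:1:FF00::/104 + low-order 24 bits) and its Ethernet group address
(33:33 + low 32 bits, RFC 2464), then simulates a link of constructed nodes to
show which of them answer an NS for address resolution and a DAD probe sent
from the unspecified address.  Node names, MACs and addresses are constructed.
"""
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
UNSPECIFIED = ipaddress.IPv6Address("::")
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def solicited_node(addr):
    """FF02::1:FFxx:xxxx where xx:xxxx are the last 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def multicast_mac(group):
    """Ethernet address an IPv6 multicast group maps to: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


class Node:
    def __init__(self, name, mac, addrs):
        self.name, self.mac = name, mac
        self.addrs = {ipaddress.IPv6Address(a) for a in addrs}
        # a node joins the solicited-node group of every address it owns
        self.groups = {solicited_node(a) for a in self.addrs} | {ALL_NODES}

    def receive_ns(self, dst, src, target):
        """Return the NA this node would send in reply to an NS, or None."""
        target = ipaddress.IPv6Address(target)
        if dst not in self.groups or target not in self.addrs:
            return None                     # not my group, or the target is not mine
        if src == UNSPECIFIED:
            # a DAD probe: the prober has no address yet, so answer all nodes
            return {"type": 136, "dst": ALL_NODES, "target": target,
                    "lladdr": self.mac, "S": 0}
        return {"type": 136, "dst": src, "target": target, "lladdr": self.mac, "S": 1}


def resolve(link, src, target):
    """Address resolution: NS to the target's solicited-node group, collect NAs."""
    group = solicited_node(target)
    return [na for node in link
            if (na := node.receive_ns(group, ipaddress.IPv6Address(src), target))]


def dad(link, tentative):
    """DAD: NS from :: for our own tentative address; any NA means it is taken."""
    group = solicited_node(tentative)
    return any(node.receive_ns(group, UNSPECIFIED, tentative) for node in link)


def demo_link():
    """Constructed link. B and C share the low 24 bits of an address, so they sit
    in the same solicited-node group, but only the real owner answers."""
    return [Node("A", "02:00:00:00:00:0a", ["2001:db8::a"]),
            Node("B", "02:00:00:00:00:0b", ["2001:db8::1:b"]),
            Node("C", "02:00:00:00:00:0c", ["2001:db8:1::1:b"])]


if __name__ == "__main__":
    print(solicited_node("2AC0:56:A319:15:022A:FFF:FE32:5ED1"))   # slide example
    link = demo_link()
    print(resolve(link, "2001:db8::a", "2001:db8::1:b"))
    print("2001:db8::1:b in use:", dad(link, "2001:db8::1:b"))
```

Because the NA answering a DAD probe goes to the all-nodes group rather than to a unicast source, any node on the link sees it; a monitoring probe that records such NAs together with the advertised link-layer address has a record of which MAC claimed which IPv6 address and when.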
Neighbor Unreachability Detection

Neighbor Discovery - Neighbor Unreachability Detection
- a node periodically checks the reachability of its neighbors (just the ones it is communicating with)
- this can be achieved in two ways:
   - a higher-level protocol (e.g., TCP) informs IPv6 that the communication proceeds and thus the host is alive
   - otherwise, IPv6 has to perform such a detection on its own
- a cached address might be in one of the following states:
   - incomplete - address resolution is currently being performed and awaiting either a response or a timeout (an NS has been sent, but the corresponding NA has not been received yet)
   - reachable - this neighbor is currently reachable (a positive confirmation has been received within the last ReachableTime)
   - stale - more than ReachableTime milliseconds have elapsed since the last positive confirmation was received
   - delay - the neighbor's reachable time has expired; an upper layer protocol might confirm the reachability within a specific time
   - probe - a reachability confirmation is being actively attempted

Neighbor Discovery - Neighbor Unreachability Detection - The schema
(figure: NUD state transitions)

Autoconfiguration

Neighbor Discovery - Autoconfiguration
- designed to ensure that manually configuring hosts before connecting them to the network is not required
- even larger sites should not need a DHCP server to configure hosts
- a key feature when all sorts of devices (TVs, refrigerators, DVD players, etc.)
  will use IP addresses
- IPv6 supports two types of autoconfiguration:
   - Stateful autoconfiguration - like DHCP in the IPv4 world (here called DHCPv6)
   - Stateless autoconfiguration - a new type of autoconfiguration
- they might be combined
   - stateless configuration can be used to generate the IPv6 address and stateful autoconfiguration for additional parameters (e.g., DNS servers)

Neighbor Discovery - Stateless autoconfiguration
- RFC 2462
- assumes that there are clever wise men (routers) in the network, who know everything necessary
   - from time to time, they inform all the nodes about the current configuration (Router Advertisements)
   - a new node just waits for an RA or asks for it (Router Solicitation)
- router advertisements:
   - periodically sent by every router
      - at random intervals to all the connected networks (via multicast to all connected hosts), or
      - as an answer to a router solicitation message (via unicast to the host that has sent the RS)
   - contain specific information about the router
      - MTU
      - prefixes
      - L2 address of the router's interface through which the RA has been sent
      - etc.
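The five neighbor cache states listed under Neighbor Unreachability Detection above, driven through one complete lifecycle, as an added example that is not part of the lecture. The timer values are the RFC 4861 defaults (ReachableTime 30 s, DelayFirstProbeTime 5 s, RetransTimer 1 s, MaxUnicastSolicit 3), which the slides do not give; the neighbor address, MAC and timeline are constructed.

```python
"""Neighbor Unreachability Detection: the neighbor cache entry state machine.

Added example, not from the lecture: one cache entry moves through the five
states on the slide (incomplete, reachable, stale, delay, probe) driven by
explicit timestamps, so the transitions can be traced offline.  The timer
constants are the RFC 4861 defaults (ReachableTime 30 s, DelayFirstProbeTime
5 s, RetransTimer 1 s, MaxUnicastSolicit 3); NA arrival and upper-layer
confirmation are modelled as method calls rather than real packets.
"""
INCOMPLETE, REACHABLE, STALE, DELAY, PROBE, DELETED = (
    "incomplete", "reachable", "stale", "delay", "probe", "deleted")
REACHABLE_TIME = 30.0          # seconds; real stacks randomise around this base value
DELAY_FIRST_PROBE_TIME = 5.0
RETRANS_TIMER = 1.0
MAX_UNICAST_SOLICIT = 3


class NeighborEntry:
    def __init__(self, ip, now):
        self.ip, self.lladdr = ip, None
        self.state, self.since = INCOMPLETE, now
        self.probes = 0
        self.sent = ["NS to solicited-node multicast"]   # resolution starts at once

    def _probe(self, now):
        """Unicast NS straight to the cached link-layer address."""
        self.sent.append("NS unicast")
        self.probes += 1
        self.since = now

    def tick(self, now):
        """Advance the timers: REACHABLE->STALE, DELAY->PROBE, PROBE->retry/give up."""
        age = now - self.since
        if self.state == REACHABLE and age > REACHABLE_TIME:
            self.state, self.since = STALE, now
        elif self.state == DELAY and age > DELAY_FIRST_PROBE_TIME:
            self.state, self.probes = PROBE, 0     # no upper-layer hint arrived: probe
            self._probe(now)
        elif self.state == PROBE and age > RETRANS_TIMER:
            if self.probes >= MAX_UNICAST_SOLICIT:
                self.state = DELETED      # neighbor unreachable: entry is discarded
            else:
                self._probe(now)
        return self.state

    def send_packet(self, now):
        """The host is about to send to this neighbor."""
        if self.state == STALE:
            self.state, self.since = DELAY, now   # give upper layers a chance to confirm
        elif self.state == DELETED:
            self.__init__(self.ip, now)           # resolve from scratch
        return self.state

    def neighbor_advertisement(self, now, lladdr, solicited):
        """NA received; only a solicited NA counts as reachability confirmation."""
        self.lladdr = lladdr
        if solicited:
            self.state, self.since, self.probes = REACHABLE, now, 0
        elif self.state == INCOMPLETE:
            self.state, self.since = STALE, now   # address learned, reachability unproven
        return self.state

    def upper_layer_confirmation(self, now):
        """e.g. TCP saw an ACK for new data: confirmation without any NS/NA."""
        if self.state not in (INCOMPLETE, DELETED):
            self.state, self.since, self.probes = REACHABLE, now, 0
        return self.state


def trace():
    """Constructed timeline; returns the list of states observed."""
    e = NeighborEntry("2001:db8::b", now=0.0)
    seen = [e.state]
    seen.append(e.neighbor_advertisement(1.0, "02:00:00:00:00:0b", solicited=True))
    seen.append(e.tick(40.0))          # ReachableTime expired
    seen.append(e.send_packet(41.0))   # first use after going stale
    seen.append(e.tick(47.0))          # nothing confirmed it: start probing
    for t in (48.5, 50.0, 51.5):       # three unicast NS go unanswered
        seen.append(e.tick(t))
    return seen


if __name__ == "__main__":
    print(" -> ".join(trace()))
```

Note the asymmetry in `neighbor_advertisement`: an unsolicited NA only teaches the link-layer address and leaves the entry STALE, so a later packet still triggers the DELAY/PROBE path before the new address is treated as confirmed.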
Neighbor Discovery - Stateless autoconfiguration - The mechanism I.
- to generate its IP address, a host uses a combination of local information (such as its MAC address or a randomly chosen ID) and information received from routers
- steps which a device takes when using stateless autoconfiguration:
   1) Link-Local Address Generation - the device generates a link-local address (the so-called tentative address)
      - link-local addresses have 1111 1110 10 as their first 10 bits (prefix FE80)
      - the generated address uses those ten bits followed by 54 zeroes and then the 64-bit interface identifier (the MAC address or a randomly chosen ID)
   2) Link-Local Address Uniqueness Test - the node tests to ensure that the address it generated isn't for some reason already in use on the local network
      - this is very unlikely to be an issue if the link-local address came from a MAC address, but more likely if it was based on a generated ID
      - it sends an NS message and listens for an NA response (see Duplicate Address Detection mentioned before)

Neighbor Discovery - Stateless autoconfiguration - The mechanism II.
   3) Link-Local Address Assignment - assuming the uniqueness test passes, the device assigns the link-local address to its IP interface
      - this address can be used for communication on the local network, but not on the wider Internet (since link-local addresses are not routed)
   4) Router Contact - the node next attempts to contact a local router for more information on continuing the configuration
      - this is done either by listening for RA messages sent periodically by routers, or by sending a specific RS message to ask a router for information on what to do next (to the all-routers multicast group, i.e. FF02::2)
   5) Router Direction - the router provides direction to the node on how to proceed with the autoconfiguration
      - it may tell the node that on this network the "stateful" autoconfiguration is in use, and tell it the address of a DHCP server to use.
      Alternatively, it may tell the host how to determine its global Internet address.

Neighbor Discovery - Stateless autoconfiguration - The mechanism III.
   6) Global Address Configuration - assuming that stateless autoconfiguration is in use on the network, the host configures itself with its globally-unique Internet address
      - this address is generally formed from a network prefix provided to the host by the router, combined with the device's identifier as generated in the first step

Neighbor Discovery - Stateless autoconfiguration - The schema
(figure: stateless autoconfiguration schema)

Neighbor Discovery - Stateless autoconfiguration - Router Advertisement I.
Router Advertisement message format (bit offsets 0 4 8 12 16 20 24 28 32):
- Type = 134 (8 bits) | Code = 0 (8 bits) | Checksum (16 bits)
- Current Hop Limit (8 bits) | Autoconfig Flags (8 bits) | Router Lifetime (16 bits)
- Reachable Time (32 bits)
- Retransmission Timer (32 bits)
- ICMPv6 Options
Autoconfig Flags (bits 0..8): Managed Address Config Flag (M) | Other Stateful Config Flag (O) | Reserved

Neighbor Discovery - Stateless autoconfiguration - Router Advertisement II.
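The stateless autoconfiguration steps above (tentative link-local address, uniqueness test, assignment, global address from an advertised prefix) carried through in code, as an added example that is not part of the lecture. The slides say the interface identifier comes from the MAC or a random ID but do not give the construction; this example uses modified EUI-64 (RFC 4291 Appendix A: flip the U/L bit, insert FF:FE) for the MAC case and a random 64-bit value with the U/L bit cleared for the temporary case. The MAC, the advertised prefix and the `address_in_use` callback standing in for the DAD exchange are constructed.

```python
"""Stateless autoconfiguration: the addresses a host builds for itself.

Added example, not from the lecture.  Forms the 64-bit interface identifier
either from the MAC address (modified EUI-64, RFC 4291 Appendix A: flip the
U/L bit, insert FF:FE in the middle) or as a random identifier (RFC 4941
temporary addresses), then prepends the link-local prefix FE80::/64 or a
prefix learned from a Router Advertisement.  The MAC, the advertised prefix
and the `address_in_use` callback standing in for the DAD exchange are
constructed for the example.
"""
import ipaddress
import os

LINK_LOCAL_PREFIX = 0xFE80 << 112     # 1111 1110 10 followed by 54 zero bits
UL_BIT = 1 << 57                      # the universal/local bit of the interface ID


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(iid, "big")


def random_interface_id():
    """Temporary identifier: random 64 bits with the U/L bit cleared, so it can
    never collide with a globally unique EUI-64-derived one (RFC 4941 style)."""
    return int.from_bytes(os.urandom(8), "big") & ~UL_BIT


def link_local(iid):
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX | iid)


def global_address(prefix, iid):
    """Prefix from the router's Prefix Information option + interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def autoconfigure(mac, advertised_prefix, address_in_use, temporary=False):
    """The slide's steps: tentative link-local -> uniqueness test (DAD) -> assign
    -> global address from the advertised prefix (also DAD-checked).
    address_in_use(addr) -> bool stands in for the NS/NA exchange."""
    iid = random_interface_id() if temporary else eui64_interface_id(mac)
    tentative = link_local(iid)
    if address_in_use(tentative):
        raise RuntimeError(f"DAD failed: {tentative} is already on the link")
    glob = global_address(advertised_prefix, iid)
    if address_in_use(glob):
        raise RuntimeError(f"DAD failed: {glob} is already on the link")
    return {"link_local": str(tentative), "global": str(glob)}


if __name__ == "__main__":
    print(autoconfigure("00:1A:2B:3C:4D:5E", "2001:db8:1:2::/64", lambda a: False))
```

A MAC-derived identifier is the same in every network the device visits, so the host is trackable across prefixes; that is the reason `temporary=True` exists, and also why the slides note that a generated ID makes the uniqueness test matter more.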
- autoconfiguration flags:
   - M (Managed Address Configuration Flag) - tells hosts to use the stateful method for address configuration (e.g., DHCPv6)
   - O (Other Stateful Configuration Flag) - tells hosts to use the stateful method for information other than addresses
- router lifetime - tells the host receiving this message how long this router should be used as a default router; if set to 0, tells the host this router should not be used as a default router
- reachable time - tells hosts how long they should consider a neighbor to be reachable after they have received a reachability confirmation
- retransmission timer - the amount of time, in milliseconds, that a host should wait before retransmitting
- ICMPv6 options - RA messages may contain three possible options:
   - source L2 address - included when the router sending the RA knows its L2 address
   - MTU - used to tell local hosts the MTU of the local network
   - prefix information - informs what prefix(es) to use for the local network

Neighbor Discovery - Stateless autoconfiguration - Router Solicitation I.
Router Solicitation message format (bit offsets 0 4 8 12 16 20 24 28 32):
- Type = 133 (8 bits) | Code = 0 (8 bits) | Checksum (16 bits)
- Reserved (32 bits)
- ICMPv6 Options
- ICMPv6 options: if the device sending the RS knows its L2 address, it should be included
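A parser for the Router Advertisement layout and the three options described above, as an added example that is not part of the lecture. The option type numbers, the 8-octet length unit and the field offsets are the RFC 4861 wire format, which the slides do not spell out; the sample RA bytes, the router MAC and the 2001:db8 prefix are constructed, and the checksum is left at zero because a real one covers the IPv6 pseudo-header. `check_ra` shows the kind of plausibility check a monitoring probe or RA-guard applies to what it parsed.

```python
"""Parsing an ICMPv6 Router Advertisement and its options.

Added example, not from the lecture: decodes the header fields on the slide
(type 134, current hop limit, M/O flags, router lifetime, reachable time,
retransmission timer) and the three options the slide lists, using the
RFC 4861 wire layout (Source Link-Layer Address = type 1, Prefix Information
= type 3, MTU = type 5; lengths in 8-octet units).  The sample RA bytes, the
MAC and the prefix are constructed here; a real RA also carries a checksum
over the IPv6 pseudo-header, which the sample leaves at zero.
"""
import ipaddress
import struct

# type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
RA_HEADER = struct.Struct("!BBHBBHII")


def parse_ra(data):
    if len(data) < RA_HEADER.size:
        raise ValueError("RA header is 16 bytes")
    typ, code, _csum, hop, flags, lifetime, reach, retrans = RA_HEADER.unpack_from(data)
    if typ != 134 or code != 0:
        raise ValueError(f"not a Router Advertisement: type {typ} code {code}")
    ra = {"cur_hop_limit": hop, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable_time": reach, "retrans_timer": retrans,
          "options": []}
    off = RA_HEADER.size
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("option length 0: RFC 4861 says discard the packet")
        end = off + olen * 8
        if end > len(data):
            raise ValueError("option runs past the end of the packet")
        body = data[off + 2:end]
        if otype == 1:                                    # Source Link-Layer Address
            ra["options"].append({"type": "source_lladdr",
                                  "mac": ":".join(f"{b:02x}" for b in body[:6])})
        elif otype == 5 and olen == 1:                    # MTU: 2 reserved + 4 MTU
            ra["options"].append({"type": "mtu", "mtu": struct.unpack("!I", body[2:6])[0]})
        elif otype == 3 and olen == 4:                    # Prefix Information
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["options"].append({"type": "prefix_info",
                                  "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                                  "L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                                  "valid_lifetime": valid, "preferred_lifetime": preferred})
        else:                                             # unknown options are skipped, not fatal
            ra["options"].append({"type": f"unknown({otype})"})
        off = end
    return ra


def check_ra(ra, trusted_router_macs):
    """Defender-side plausibility checks on a parsed RA (the kind an RA-guard
    or a monitoring probe applies); returns a list of findings."""
    findings = []
    for opt in ra["options"]:
        if opt["type"] == "source_lladdr" and opt["mac"] not in trusted_router_macs:
            findings.append(f"RA from unexpected router MAC {opt['mac']}")
        if opt["type"] == "prefix_info" and opt["preferred_lifetime"] > opt["valid_lifetime"]:
            findings.append(f"prefix {opt['prefix']}: preferred lifetime exceeds valid lifetime")
    return findings


def sample_ra():
    """Constructed RA: O flag set, M clear, lifetime 1800 s, plus the three options."""
    header = RA_HEADER.pack(134, 0, 0, 64, 0x40, 1800, 30000, 1000)
    src_ll = bytes([1, 1]) + bytes.fromhex("02aabbccddee")
    mtu = struct.pack("!BBHI", 5, 1, 0, 1500)
    prefix = (struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
              + ipaddress.IPv6Address("2001:db8:1:2::").packed)
    return header + src_ll + mtu + prefix


if __name__ == "__main__":
    parsed = parse_ra(sample_ra())
    print(parsed)
    print(check_ra(parsed, {"02:aa:bb:cc:dd:ee"}))
```

Hosts accept any RA they hear on the link, which is why the source link-layer check matters: the parsed RA from an unexpected MAC is the signal an RA-guard or a passive monitor alerts on.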
Summary

Neighbor Discovery Protocol Summary
- Neighbor solicitation (NS) message
   - used to acquire the link-layer address of a neighbor
   - used to verify whether the neighbor is reachable
   - used to perform duplicate address detection
- Neighbor advertisement (NA) message
   - used to respond to a neighbor solicitation message
   - when the link layer address changes, the local node initiates a neighbor advertisement message to notify neighbor nodes of the change
- Router solicitation (RS) message
   - once started, a host sends a router solicitation message to request from the router an address prefix and other configuration information (autoconfiguration)
- Router advertisement (RA) message
   - used to respond to a router solicitation message
   - a router regularly sends a router advertisement message containing information such as address prefix and flag bits
- Redirect message
   - the default gateway might send a redirect message to the source host so that the host can reselect a better/correct next hop router to forward its packets

IPv6 Mobility Support in Detail

IPv6 - Mobility Support I.
- main idea: even mobile devices are somewhere "at home"
   - i.e., their home network exists
- used addresses:
   - Home Address - a global unicast persistent address, through which a mobile node is always accessible (even when not in its home network)
   - Care-of Address - a global unicast address for the mobile node while it is in a foreign network (the address is based on the network where the host is currently located)
   - Correspondent Node (CN) - a peer node with which a mobile node is communicating
   - Home Agent (HA) - a router in the home network, through which the mobile node is always accessible
      - receives datagrams destined to the mobile node and forwards them (via a tunnel) to it
- route optimization - direct communication of the mobile and correspondent nodes
   - in order to optimize the communication
   - not necessary (the communication might proceed through the home agent all the time)

IPv6 - Mobility Support II.
How it works
- as long as the mobile node is at home, it receives packets through the regular IP routing mechanism and behaves like any other host
- when the mobile node is away from the home network, it has an additional care-of address (received via a mechanism available in the foreign network)
   - the association of the home address and the care-of address is called a binding
   - the mobile node registers its care-of address with a router on its home link (its Home Agent (HA))
- there are two ways for a correspondent node and a mobile node to communicate:
   - bidirectional tunneling - packets from the correspondent node are sent to the HA, which encapsulates them and sends them to the mobile node's care-of address (and vice versa)
   - route optimization - the communication between the mobile node and the correspondent node can be direct, without the usage of the HA
      - the mobile node has to register its care-of address with the correspondent node, and
      - the binding has to be authorized through the Return Routability Procedure

IPv6 - Mobility Support II. - The schema
Figure: An illustration of the home agent's functionality in IPv6.

Return Routability Procedure

IPv6 - Mobility Support II.
Return Routability Procedure
- the mobile node must prove to the correspondent node that it owns both the home address and the care-of address
   - but the mobile node does not share any secret with the correspondent node
   - initially performed using IPsec
   - however, there is no world-wide Public Key Infrastructure (PKI) available for the nodes
- Return Routability (RR) Procedure
   - RFC 3775
   - enables the correspondent node to obtain some reasonable assurance that the mobile node is in fact addressable at its claimed care-of address as well as at its home address
   - only when successfully proven might the route optimization take place
   - reduces the risk of a security attack (a malicious node posing as the mobile node)

Return Routability Procedure - the steps
1) MN sends a Home Test Init (HoTI) message via the HA to the CN (this message carries a Home Init Cookie)
   - this way the CN learns the home address of the MN
2) MN sends a Care-of Test Init (CoTI) message to the CN (this message carries a Care-of Init Cookie) - this is sent to the CN directly (not through the HA)
   - this way the CN learns the care-of address of the MN
3) CN replies to the Home Test Init message with a Home Test (HoT) message sent via the HA (this message carries the Home Init Cookie and the Home Nonce Index)
   - the MN can now generate a Home Keygen Token
4) CN replies to the Care-of Test Init message with a Care-of Test (CoT) message sent to the MN's care-of address (this message carries the Care-of Init Cookie and the Care-of Nonce Index)
   - the MN can now generate a Care-of Keygen Token
5) both the MN and the CN compute a 20-byte Management Key, which is used to secure the Binding Update messages
   - having the correct Management Key, the MN has proven that it is reachable both via its home and care-of addresses
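Steps 1 to 5 above carried through with the actual key derivations, as an added example that is not part of the lecture. The formulas are those of RFC 3775 (keygen token = first 64 bits of HMAC_SHA1(Kcn, address | nonce | 0 or 1); the 20-byte key the slide calls the Management Key is SHA1(home token | care-of token), named Kbm in the RFC; the Binding Update is authenticated with the first 96 bits of HMAC_SHA1(Kbm, care-of address | CN address | MH data)). The CN secret Kcn, its nonces, the cookies, the addresses and the BU body are constructed, and the HoTI/HoT and CoTI/CoT messages are modelled as function calls rather than Mobility Header packets.

```python
"""Return Routability: keygen tokens and the binding management key.

Added example, not from the lecture: the derivations of RFC 3775 section
5.2.5/5.2.6 that the slides summarise (HoT and CoT carry tokens, both sides
derive a 20-byte key that authenticates the Binding Update; the RFC calls it
Kbm, the slide the Management Key).  The CN secret Kcn, its nonces, the
addresses and the cookies are constructed; the HoTI/HoT and CoTI/CoT exchange
is modelled as function calls, not as real Mobility Header packets.
"""
import hashlib
import hmac
import ipaddress
import os


def keygen_token(kcn, addr, nonce, kind):
    """First(64, HMAC_SHA1(Kcn, address | nonce | kind)); kind 0 = home, 1 = care-of."""
    msg = ipaddress.IPv6Address(addr).packed + nonce + bytes([kind])
    return hmac.new(kcn, msg, hashlib.sha1).digest()[:8]


def binding_key(home_token, care_of_token):
    """Kbm = SHA1(home keygen token | care-of keygen token): 20 bytes."""
    return hashlib.sha1(home_token + care_of_token).digest()


def bu_mac(kbm, care_of, cn_addr, mh_data):
    """First(96, HMAC_SHA1(Kbm, care-of address | correspondent address | MH data))."""
    msg = ipaddress.IPv6Address(care_of).packed + ipaddress.IPv6Address(cn_addr).packed + mh_data
    return hmac.new(kbm, msg, hashlib.sha1).digest()[:12]


class CorrespondentNode:
    """Keeps only Kcn and a nonce list: no per-mobile state before the BU arrives."""

    def __init__(self, addr, kcn=None):
        self.addr = addr
        self.kcn = kcn or os.urandom(20)      # never leaves the CN
        self.nonces = [os.urandom(8)]         # indexed; rotated periodically

    def home_test(self, home_addr, cookie):
        """HoT, routed via the HA to the home address (reaches the MN only if it
        is reachable there)."""
        idx = len(self.nonces) - 1
        return {"cookie": cookie, "nonce_index": idx,
                "token": keygen_token(self.kcn, home_addr, self.nonces[idx], 0)}

    def care_of_test(self, care_of, cookie):
        """CoT, sent directly to the care-of address."""
        idx = len(self.nonces) - 1
        return {"cookie": cookie, "nonce_index": idx,
                "token": keygen_token(self.kcn, care_of, self.nonces[idx], 1)}

    def verify_bu(self, home_addr, care_of, home_idx, coa_idx, mh_data, mac):
        """Recompute both tokens from the nonce indices carried in the BU, derive
        Kbm and compare the MAC in constant time."""
        kbm = binding_key(keygen_token(self.kcn, home_addr, self.nonces[home_idx], 0),
                          keygen_token(self.kcn, care_of, self.nonces[coa_idx], 1))
        return hmac.compare_digest(bu_mac(kbm, care_of, self.addr, mh_data), mac)


def mobile_node_rr(cn, home_addr, care_of):
    """The MN side of steps 1-5: send HoTI and CoTI, receive HoT and CoT, derive
    Kbm and authenticate a Binding Update. Returns what the MN puts in the BU."""
    hoti_cookie, coti_cookie = os.urandom(8), os.urandom(8)
    hot = cn.home_test(home_addr, hoti_cookie)     # only seen if MN is at its home address
    cot = cn.care_of_test(care_of, coti_cookie)    # only seen if MN is at the care-of address
    if hot["cookie"] != hoti_cookie or cot["cookie"] != coti_cookie:
        raise ValueError("HoT/CoT cookie mismatch: not replies to our HoTI/CoTI")
    kbm = binding_key(hot["token"], cot["token"])
    mh_data = b"BU seq=1 lifetime=420"             # constructed stand-in for the BU body
    return {"home_idx": hot["nonce_index"], "coa_idx": cot["nonce_index"],
            "mh_data": mh_data, "mac": bu_mac(kbm, care_of, cn.addr, mh_data)}


if __name__ == "__main__":
    cn = CorrespondentNode("2001:db8:c::1")
    bu = mobile_node_rr(cn, "2001:db8:a::1", "2001:db8:b::1")
    print("BU accepted:", cn.verify_bu("2001:db8:a::1", "2001:db8:b::1",
                                       bu["home_idx"], bu["coa_idx"], bu["mh_data"], bu["mac"]))
```

The assurance is exactly what the slide states and no more: a party that received only the HoT (because it sits on the home path) or only the CoT (because it sits on the care-of path) has one token and cannot form Kbm, so a Binding Update for a different care-of or home address fails verification. The CN keeps no per-mobile state before the BU because it can recompute both tokens from Kcn and the nonce indices the BU carries.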
IPv6 - Mobility Support III. - Home Agent Functionality
Home Agent:
- maintains a binding cache and a list of home agents
   - every router that sits on the same link and provides home agent services must be listed
- processes bindings
   - indicates the primary care-of address
   - processes care-of address changes/removals
- tunnels received packets to the care-of address
- performs Neighbor Advertisements on behalf of the mobile node
- supports Home Agent Address Discovery
   - normally, mobile nodes are configured statically with a home agent's address
   - once a home agent is renumbered (or goes down and is replaced by another HA with a different IP), dynamic discovery of the HA's address takes place
   - Home Agent Address Discovery Request (sent using the home agents' anycast address) and Home Agent Address Discovery Reply messages
   - see details in the literature

Return Routability Procedure - the schema
(figure: Return Routability Procedure schema)