Part I  Getting Started

1  A Quick Overview of IPv6
   1.1  Terminology: IP, IPv4, IPv6 and the Internet
   1.2  The "IPv6 Sales Pitch"
   1.3  IPv6 and the TCP/IP Stack

2  Preparing for IPv6
   2.1  Obtaining Our Own IPv6 Address Prefix
   2.2  Setting Up Our Test Environment
        2.2.1  Choosing the Hardware
        2.2.2  Supplementing the System Installation
        2.2.3  Backup and Disaster Recovery
   2.3  Security Precautions
   2.4  Kernel IPv6 Support
        2.4.1  Enabling IPv6 Within the Kernel
        2.4.2  IPv6-related Kernel Variables
   2.5  Packet Filter Considerations
        2.5.1  Available Implementations
        2.5.2  Basic Configuration

3  IPv6 Address Basics
   3.1  Size Matters
   3.2  Address Notation
   3.3  Scopes
   3.4  Unicast Addresses
        3.4.1  Link-local Unicast Addresses
        3.4.2  Site-local and Unique-local Unicast Addresses
        3.4.3  Global Scope Unicast Addresses
   3.5  Multicast Addresses
   3.6  Anycast Addresses
   3.7  Inside IPv6: The IPv6 Headers
   3.8  Address Allocation Policy and the Routing Table Problem
   3.9  References
   3.10 Packet Filter Considerations

4  Address Configuration
   4.1  Static Address Configuration
        4.1.1  Temporary Configuration
        4.1.2  Persistent Configuration
   4.2  Inside IPv6: Neighbor Discovery (ND)
        4.2.1  Neighbor Solicitations (NS) and Advertisements (NA)
        4.2.2  Neighbor Unreachability Detection (NUD)
        4.2.3  Duplicate Address Detection (DAD)
   4.3  Stateless Address Autoconfiguration (SAC)
        4.3.1  The Problems with DHCP
        4.3.2  Autoconfiguration Concepts
        4.3.3  Router Configuration
        4.3.4  Host Configuration
   4.4  Mixing Static and Automatic Configuration
   4.5  Inside IPv6: Autoconfiguration Details
        4.5.1  Address States
        4.5.2  Router Solicitations (RS) and Advertisements (RA)
        4.5.3  Ethernet Addresses and Interface IDs
   4.6  Testing and Debugging
   4.7  Packet Filter Considerations
        4.7.1  From Stateless Filtering to Rewriting Filters
        4.7.2  Packet Sanitation
        4.7.3  Packet Spoofing (Ingress) Filters
        4.7.4  Essential ICMPv6 Packets
        4.7.5  Sample Filter Configurations
        4.7.6  Testing the Filter Configuration

5  IPv6 and the Domain Name System (DNS)
   5.1  Getting Started
        5.1.1  Naming Conventions
        5.1.2  The DNS Test Setup
        5.1.3  Local Address Management with /etc/hosts
   5.2  IPv6 Addresses in the DNS
        5.2.1  Resolver Configuration
        5.2.2  Enabling IPv6 on the DNS Server
        5.2.3  Forwarder Configuration vs. a Fake Root Zone
        5.2.4  Forward Zones on a Primary Server
        5.2.5  Reverse Zones on a Primary Server
        5.2.6  Secondary Servers
        5.2.7  Testing and Debugging
        5.2.8  Annoying Legacies
   5.3  Open Issues
   5.4  Packet Filter Considerations
        5.4.1  Filter Rules
        5.4.2  DNS Names in Filter Configurations

6  Essential Network Services
   6.1  Levels of IPv6 Support
   6.2  The Inetd Super Daemon
   6.3  Basic Debugging: Tools and Procedures
   6.4  The Secure Shell (OpenSSH)
   6.5  Time Synchronization with the Network Time Protocol (NTP)
   6.6  Event Logging with Syslog
   6.7  E-mail: The Simple Mail Transfer Protocol (SMTP)
   6.8  The World Wide Web: HTTP and HTTPS
        6.8.1  IPv6 Addresses in URLs
        6.8.2  Web Browsers
        6.8.3  The Apache Web Server
        6.8.4  Web Proxies
   6.9  The Network File System (NFS)
   6.10 Other Services
   6.11 Packet Filter Considerations
        6.11.1 TCP Services
        6.11.2 UDP Services
        6.11.3 Performance Tuning

7  Unicast Routing Basics
   7.1  Hosts and ICMPv6 Redirects
   7.2  Inside IPv6: ICMPv6 Redirect Protocol Details
   7.3  Static Routing
   7.4  Dynamic Routing with RIPng
   7.5  Testing and Debugging
   7.6  Inside IPv6: RIPng Protocol Details
   7.7  Routing Architecture Strategies
        7.7.1  Basic Considerations
        7.7.2  Static or Dynamic Routing?
        7.7.3  Network Redundancy
        7.7.4  Router Performance Issues
        7.7.5  Performance Issues with ICMPv6 Redirects
        7.7.6  Inconsistent Prefix Advertisements
        7.7.7  Security Aspects
   7.8  Mixing Static and Dynamic Routing
   7.9  Inside IPv6: Maximum Transmission Unit (MTU) Improvements
   7.10 Packet Filter Considerations
        7.10.1 Source Address Validation (Ingress Filtering)
        7.10.2 Forwarding Filter Rules
        7.10.3 Dealing with ICMPv6 Redirects
        7.10.4 Packet Filters and Dynamic Routing

Part II  IPv4/IPv6 Interoperation

8  Interoperation Concepts
   8.1  Dual Stack Configuration and Operation
   8.2  Interoperation Problems
   8.3  Dual Stack Everything
   8.4  Dual Stack Servers Only
   8.5  Connecting to Foreign IPv4-only Servers
   8.6  Packet Filter Considerations

9  Application Level Gateways
   9.1  Domain Name Service (DNS)
   9.2  Network Time Protocol (NTP)
   9.3  Syslog
   9.4  Simple Mail Transfer Protocol (SMTP)
   9.5  Hypertext Transfer Protocol (HTTP)
   9.6  Packet Filter Considerations

10 Protocol Translation
   10.1 Protocol Translation Concepts
   10.2 Setting Up a Protocol Translator
   10.3 Operational Issues
   10.4 Packet Filter Considerations

Part III  Tunnels and Related Topics

11 Tunnel Basics
   11.1 Concepts and Terminology
   11.2 Tunnel Types
   11.3 Common Scenarios
   11.4 Operational Issues
   11.5 Security Considerations
   11.6 Choosing the Proper Tunnel

12 IP-in-IP Encapsulation
   12.1 Configured and Automatic (6in4) Tunnels
        12.1.1 The Link-local Address Problem
        12.1.2 Configured Tunnels
        12.1.3 Routing Through a Tunnel
        12.1.4 Automatic Tunnels
        12.1.5 Security Considerations
   12.2 6to4 Tunnels
        12.2.1 6to4 Tunnel Hosts
        12.2.2 Tunnels Between 6to4 Sites
        12.2.3 Tunnels Between 6to4 and Native IPv6 Sites
        12.2.4 Connecting to the Internet6: Default Relay Routers
        12.2.5 Public Relay Routers
        12.2.6 Operational Issues
        12.2.7 Security Considerations
   12.3 Tunneling Over IPv6 Networks
        12.3.1 IPv4-in-IPv6 (4in6) Encapsulation
        12.3.2 IPv6 in IPv6 (6in6) Encapsulation
   12.4 6over4 Tunnels
   12.5 The Intra-site Automatic Tunnel Addressing Protocol (ISATAP)
   12.6 Packet Filter Considerations
        12.6.1 Fundamental Problems
        12.6.2 Manageable Special Cases
        12.6.3 Configurations

13 Other Tunneling Methods
   13.1 GRE
   13.2 Teredo
   13.3 OpenVPN
   13.4 Packet Filter Considerations

14 Advanced Tunneling Issues
   14.1 Tunnel Brokers
   14.2 Tunnels and NAT Gateways
        14.2.1 Strategies
        14.2.2 Configurations
   14.3 Nested Tunnels and Tunnel Loops
        14.3.1 Network Meltdown from a Tunnel Loop
        14.3.2 Tunnel Loop Causes
        14.3.3 Preventing Tunnel Loops
   14.4 Tunnel Parameter Tuning
        14.4.1 The Maximum Transmission Unit (MTU)
        14.4.2 Hop Limit and Time to Live (TTL) Parameters
   14.5 Mixing Tunnels and Native Connectivity

15 The Point-to-Point Protocol (PPP)
   15.1 Implementations and Installation
   15.2 Basic Configuration
   15.3 Adding Routable Addresses and Static Routes
   15.4 Dynamic Routing Across PPP Links
   15.5 PPP and Autoconfiguration
   15.6 Beyond a Single Interface: Operational Issues
   15.7 Packet Filter Considerations

Part IV  Additional Base Features

16 More on Addresses
   16.1 Site-local and Unique-local Addresses
        16.1.1 From Site-local to Unique-local Addresses
        16.1.2 What is a "Site"?
        16.1.3 When to Use Unique-local Addresses
        16.1.4 Routing Configuration
        16.1.5 DNS Setups
   16.2 IPv4-mapped IPv6 Addresses
        16.2.1 Making an IPv6 Server Support IPv4
        16.2.2 Operational Aspects
   16.3 Dynamically Changing Interface IDs
        16.3.1 The "Road Warrior" Problem
        16.3.2 Temporary Addresses
        16.3.3 Performance Considerations
        16.3.4 Configuration and Operation
        16.3.5 Using Temporary Addresses
   16.4 Address Selection Algorithms
        16.4.1 The Address Selection Policy Table
        16.4.2 Source Address Selection
        16.4.3 Destination Address Ordering
        16.4.4 Tuning the Policy Table
   16.5 Stateless Autoconfiguration Tuning
        16.5.1 Tuning the Advertising Interval
        16.5.2 Per-interface Information
        16.5.3 Subnet Prefix Information
        16.5.4 Expiring a Prefix From a Subnet
   16.6 The Router Renumbering Protocol

17 Advanced Routing with Quagga
   17.1 The Quagga Routing Framework
        17.1.1 Features and Peculiarities
        17.1.2 Supported Routing Protocols
        17.1.3 Installing Quagga
        17.1.4 Using the Virtual Terminal Interface
        17.1.5 Interface and Static Route Configurations
        17.1.6 Router Advertisements
        17.1.7 Debugging Capabilities
   17.2 RIPng Revisited
        17.2.1 Enabling RIPng Support with Quagga
        17.2.2 Limited Route Distribution
        17.2.3 Metric Tuning
        17.2.4 Route Aggregation
        17.2.5 Non-standard Timing Parameters
   17.3 Open Shortest Path First (OSPF), version 3
        17.3.1 Features and Limitations
        17.3.2 Basic Concepts
        17.3.3 Essential Configuration
        17.3.4 A Simple Test Setup
        17.3.5 Understanding OSPF Status Information
        17.3.6 Timing Considerations
        17.3.7 Failover Tests
        17.3.8 The Cost Metric
        17.3.9 Scalability, OSPF Areas and Route Aggregation
        17.3.10 Other OSPF Features and Further Reading
        17.3.11 Operational Issues
   17.4 Beyond RIP and OSPF
        17.4.1 The Border Gateway Protocol (BGP)
        17.4.2 Other Routing Protocols
        17.4.3 IPv6-independent Quagga Features
   17.5 Packet Filter Considerations

18 Multicasts Beyond the Link-local Scope
   18.1 A Closer Look at Multicasts
        18.1.1 Terminology
        18.1.2 Multicast Diagnostics
        18.1.3 Inside IPv6: Multicast Listener Discovery (MLD)
   18.2 Protocol Independent Multicast, Dense Mode (PIM-DM)
        18.2.1 Installation
        18.2.2 Essential Configurations: Filters
        18.2.3 Inside IPv6: More on Multicast Listener Discovery
        18.2.4 Inside IPv6: The PIM-DM Protocol
        18.2.5 Advantages and Limitations
   18.3 Protocol Independent Multicast, Sparse Mode (PIM-SM)
        18.3.1 Installation and Basic Configuration
        18.3.2 Bootstrap Routers
        18.3.3 Running PIM-SM
        18.3.4 Inside IPv6: The PIM-SM Protocol
        18.3.5 Source-specific Multicasts (SSM)
        18.3.6 Embedded Rendezvous Point Addresses
   18.4 Multicast Address Allocation
   18.5 Operational Issues
   18.6 Packet Filter Considerations
   18.7 Advanced Topics and Further Reading

19 The Dynamic Host Configuration Protocol (DHCPv6)
   19.1 Installation
   19.2 Stateless DHCPv6
        19.2.1 The First Step: Resolver Configuration
        19.2.2 Adding More Stateless Data
   19.3 Address Management with DHCPv6
   19.4 DHCPv6 Across Subnet Borders
        19.4.1 Setting Up a DHCP Relay
        19.4.2 Multicasts from Relay to Server
   19.5 Interoperation Problems
   19.6 Conceptual Security Aspects
   19.7 Packet Filter Considerations

20 Bridging the DNS Gap
   20.1 From Autoconfiguration to the DNS
   20.2 Solution Strategies
        20.2.1 "But Only Servers Need DNS Entries"
        20.2.2 Manual DNS Entries
        20.2.3 The DHCP Non-solution
        20.2.4 Dynamic DNS (DDNS) Updates
   20.3 A Preliminary Implementation
        20.3.1 Configuring BIND for Dynamic Updates
        20.3.2 Creating and Installing TSIG Keys
        20.3.3 Updating the DNS Forward Zone Records
        20.3.4 Maintaining DNS Reverse Zones
        20.3.5 Security Considerations
   20.4 Operational Issues
   20.5 Future Work

Part V  New Functionalities

21 IP Security (IPsec)
   21.1 Basic Concepts
        21.1.1 Authentication and Encryption
        21.1.2 Transport and Tunnel Mode
        21.1.3 Policy and Key Management Within the Kernel
        21.1.4 The Internet Key Exchange Protocol (IKE)
        21.1.5 References
   21.2 Open Problems
        21.2.1 Inherent Limitations
        21.2.2 Implementation Issues
   21.3 Packet Filter Considerations

22 Mobile IPv6 (MIPv6)
   22.1 Concepts
        22.1.1 Basic Mobile IPv6
        22.1.2 Telling the Home Agent: Binding Updates
        22.1.3 Bidirectional Tunneling and Route Optimization
        22.1.4 Network Mobility (NEMO)
        22.1.5 Fast Handovers
        22.1.6 Hierarchical Mobile IPv6
   22.2 Open Problems
        22.2.1 Available Implementations
        22.2.2 Unanswered Security Questions
   22.3 Further Reading

23 Quality of Service (QoS)
   23.1 Concepts
        23.1.1 Integrated Services (IntServ)
        23.1.2 Differentiated Services (DiffServ)
   23.2 Is It Necessary?
        23.2.1 Technical Considerations
        23.2.2 Political and Economic Aspects
        23.2.3 Common Misunderstandings
   23.3 Further Reading

Part VI  Architectural and Operational Topics

24 Renumbering Procedures
   24.1 Preparations
   24.2 Soft Renumberings with a Grace Period
        24.2.1 Deploying a New Prefix
        24.2.2 Revoking an Old Prefix
   24.3 Emergency Renumberings
   24.4 Changing the Internet Service Provider

25 Multi-homing
   25.1 Multi-homed Networks
        25.1.1 Life Without Provider-independent Addresses
        25.1.2 Redundant Links to a Single Provider
        25.1.3 Non-redundant Links to Multiple Providers
        25.1.4 Redundant Internet Connectivity
   25.2 Multi-homed Hosts

Appendices

A  Crash Course: DNS & BIND
   A.1  Domain Name System (DNS) Basics
   A.2  The BIND Name Server
        A.2.1  Installation
        A.2.2  Base Configuration
        A.2.3  Forwarder Configuration and Fake Root Zones
        A.2.4  Starting the Name Server
        A.2.5  Adding Forward Zones
        A.2.6  Adding Reverse Zones
        A.2.7  Secondary Servers
        A.2.8  Restarting the Server
        A.2.9  Testing and Debugging
        A.2.10 Zone Delegations
   A.3  Common Pitfalls

B  Assigned Numbers and Addresses
   B.1  Addresses and Address Prefixes
        B.1.1  Unicast Addresses
        B.1.2  Multicast Addresses
        B.1.3  Multicast Scopes
        B.1.4  Anycast and Other Special Interface IDs
   B.2  Transport Layer Port Numbers
        B.2.1  TCP
        B.2.2  UDP
   B.3  ICMPv6 Types
   B.4  Protocol Numbers in the Next Header Field
   B.5  Ethernet
        B.5.1  Ethernet Types
        B.5.2  Ethernet Addresses

References

Index