- IPv6
- IPv6 addresses
- IPv6 migration
- IPv6 ACL implicit
- Solicited-node mcast
- Extension headers
- ICMPv6
- EUI-64
- SLAAC
- Neighbour cache
- On-link prefix
- Temporary address
- Source address selection
- LIR prefix allocation
- QoS
IPv6
- Ethertype = 0x86dd
- no fragmentation by intermediate nodes; a router that cannot forward the packet sends ICMPv6 Packet Too Big
- min MTU = 1280 bytes
- traceroute
- uses Hop Limit like IPv4 TTL (ICMPv6 Time Exceeded when Hop Limit reaches 0)
- traceroute IPv6 option: every hop along the path replies
IPv6 addresses
- ::ffff:IPv4 – mapped IPv4
- 64:ff9b::/96 – well-known NAT64 (not globally unique!)
- 2000::/3 – global unicast
- fc00::/7 – unique local (fd00::/8, L bit = 1)
- fe80::/64 – link-local
- ::/128 – unspecified; used as source when no address is available yet (DHCPv6 packets, DAD for the link-local address)
- ::1/128 – loopback
- 2001::/32 – Teredo
- 2001:0002::/48 – benchmark
- 2002::/16 – 6to4
- 2001:db8::/32 – documentation
- ::/80 – embedded IPv4 (::0:1921:6800:1001 ≡ 192.168.1.1)
- fec0::/10 – site-local (deprecated)
(config)# ipv6 unicast-routing
(config)# ipv6 cef
IPv4-embedded IPv6
- RFC 6052
- suffix = 0
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|PL| 0-------------32--40--48--56--64--72--80--88--96--104---------|
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|32|     prefix    |v4(32)         | u | suffix                    |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|40|     prefix        |v4(24)     | u |(8)| suffix                |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|48|     prefix            |v4(16) | u | (16)  | suffix            |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|56|     prefix                |(8)| u |  v4(24)   | suffix        |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|64|     prefix                    | u |   v4(32)      | suffix    |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|96|     prefix                                    |    v4(32)     |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
PL = prefix length; u = bits 64–71, always 0; (n) = the remaining n bits of the IPv4 address
IPv6 migration
- dual stack
- NAT64 (IPv6 → IPv4)
- NAT-PT (IPv4 → IPv6)
- NPTv6: network prefix translation (IPv6 → IPv6); for ACL bypass
- tunnels
- 464XLAT
IPv6 ACL implicit
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
Solicited-node mcast
- global: 2001:db8:cafe:1::1
- IPv6 mcast: ff02::1:ff00:0001 – last 6 hex digits
- Ethernet: 3333.ff00.0001
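Added example, not part of the original notes: the derivation chain above (unicast address, solicited-node group, Ethernet multicast MAC) as code, plus a check that shows why only the low 24 bits matter. Addresses used are sample values.

```python
# Added example (not from the original notes): derive the solicited-node
# multicast group and its Ethernet MAC from a unicast IPv6 address, as in
# the 2001:db8:cafe:1::1 -> ff02::1:ff00:1 -> 3333.ff00.0001 chain above.
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(unicast: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    a = ipaddress.IPv6Address(unicast)
    if a.is_multicast:
        raise ValueError("solicited-node groups are derived from unicast/anycast addresses only")
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(a) & 0xFF_FFFF)))


def ethernet_multicast(group: str) -> str:
    """33-33 followed by the low 32 bits of the IPv6 multicast group (Cisco dotted format)."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = format(int(g) & 0xFFFF_FFFF, "08x")
    return f"3333.{low32[:4]}.{low32[4:]}"


def share_solicited_node_group(a: str, b: str) -> bool:
    """True when two unicast addresses land in the same solicited-node group.
    Only the low 24 bits matter, so a host's link-local and global addresses
    built from the same interface ID share one group and one MAC filter."""
    return solicited_node(a) == solicited_node(b)


if __name__ == "__main__":
    g = solicited_node("2001:db8:cafe:1::1")
    print(g, ethernet_multicast(g))
```

The sharing property is the reason a NIC normally programs just one extra multicast filter per interface ID: NS for the link-local and the global address of the same host arrive on the same group.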
Extension headers
- types:
- hop-by-hop (0)
- always the first
- processed by each hop
- router alert, jumbo payload
- process switching
- destination options (60)
- for destination only
- routing (43)
- for mobile IPv6
- source routing
- fragment (44)
- only endpoints do fragmentation
- ESP (50)
- AH (51)
- ICMP (58)
- No Next Header (59)
- if the extension header chain exceeds the hardware limit (platform constant), the packet is process-switched
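Added example, not part of the original notes: a walker for the extension header chain described above. It lists the headers in order, reports the upper-layer protocol, and flags two of the conditions from the notes (hop-by-hop not first, chain longer than a platform limit). `MAX_CHAIN_BYTES` is a constructed placeholder rather than a real device constant, and the sample packets are built inline.

```python
# Added example (not from the original notes): walk the IPv6 extension
# header chain of a raw packet, report the chain in order, the upper-layer
# protocol, and two conditions from the notes above: hop-by-hop not first,
# and a chain longer than a platform limit. MAX_CHAIN_BYTES is a constructed
# placeholder, not a real device constant.
import struct

EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 50: "ESP",
               51: "AH", 60: "destination options", 59: "no next header"}
MAX_CHAIN_BYTES = 64  # placeholder for the hardware limit mentioned in the notes


def walk_extension_headers(pkt: bytes, max_chain_bytes: int = MAX_CHAIN_BYTES) -> dict:
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40                    # Next Header of the base header, end of base header
    chain, findings, upper_layer = [], [], None
    while True:
        if nh not in EXT_HEADERS:
            upper_layer = nh                # e.g. 6 = TCP, 17 = UDP, 58 = ICMPv6
            break
        chain.append(EXT_HEADERS[nh])
        if nh in (50, 59):                  # ESP hides what follows; 59 ends the chain
            break
        if len(pkt) < off + 8:
            findings.append("truncated extension header")
            break
        if nh == 0 and len(chain) > 1:
            findings.append("hop-by-hop header is not first in the chain")
        # AH length is in 4-octet units minus 2; all others in 8-octet units minus 1
        size = (pkt[off + 1] + 2) * 4 if nh == 51 else (pkt[off + 1] + 1) * 8
        if nh == 44 and struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
            findings.append("non-first fragment: upper-layer header is in another packet")
            break
        nh, off = pkt[off], off + size
    chain_bytes = off - 40
    if chain_bytes > max_chain_bytes:
        findings.append(f"extension chain of {chain_bytes} bytes exceeds limit of {max_chain_bytes}")
    return {"chain": chain, "upper_layer": upper_layer,
            "chain_bytes": chain_bytes, "findings": findings}


# --- constructed sample packets (addresses from the documentation prefix) ---
def _ipv6_header(first_nh: int, payload: bytes) -> bytes:
    src = ipaddress_packed("2001:db8:cafe:1::1")
    dst = ipaddress_packed("2001:db8:cafe:1::2")
    return struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64) + src + dst + payload


def ipaddress_packed(addr: str) -> bytes:
    import ipaddress
    return ipaddress.IPv6Address(addr).packed


HBH_TO_DSTOPTS = bytes([60, 0, 1, 4, 0, 0, 0, 0])            # next=60, len=0, PadN(4)
DSTOPTS_TO_FRAG = bytes([44, 0, 1, 4, 0, 0, 0, 0])           # next=44, len=0, PadN(4)
FRAG_TO_TCP = bytes([6, 0]) + struct.pack("!HI", 0, 0xDEADBEEF)  # offset 0, M=0, id
TCP_STUB = bytes(20)


def sample_well_formed() -> bytes:
    return _ipv6_header(0, HBH_TO_DSTOPTS + DSTOPTS_TO_FRAG + FRAG_TO_TCP + TCP_STUB)


def sample_hbh_out_of_order() -> bytes:
    # constructed: destination options first, then hop-by-hop (a violation)
    dstopts = bytes([0, 0, 1, 4, 0, 0, 0, 0])
    hbh = bytes([6, 0, 1, 4, 0, 0, 0, 0])
    return _ipv6_header(60, dstopts + hbh + TCP_STUB)


if __name__ == "__main__":
    print(walk_extension_headers(sample_well_formed()))
    print(walk_extension_headers(sample_hbh_out_of_order()))
```

The same walk is what an ACL or filtering engine has to perform before it can see the transport header, which is why a long or malformed chain pushes the packet off the hardware path.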
ICMPv6
- RFC 2463
- types:
- error: < 128
- 1: destination unreachable
- 2: packet too big (contains MTU)
- 3: time exceeded
- 4: parameter problem
- control: ≥ 128
- 128: echo request
- 129: echo reply
- 130: group membership query
- 131: group membership report
- 132: group membership reduction
- 133: NDP RS
- 134: NDP RA
- 135: NDP NS
- 136: NDP NA
- 137: NDP Redirect
- error messages include the packet that caused the error (as much of it as possible while keeping the ICMPv6 packet within 1280 bytes, the minimal IPv6 MTU)
Neighbour discovery protocol (NDP)
- ARP alternative in IPv6
- duplicate address detection (DAD):
- for unicast addresses, including link-local
- NS + NA
- not performed for anycast addresses
- on receiving unsolicited message, entry in neighbour cache → STALE
- a host may create a neighbour cache entry (in STALE state) from an unsolicited message, without having sent a request; ARP only allows refreshing an existing entry
- messages
- router solicitation (RS)
- mcast ff02::2
- router advertisement (RA)
- unsolicited:
- mcast ff02::1
- randomly between min < t < max
- max ∈ [4; 1800], 600s default
- min ∈ [3; 0.75 × max], default = max ≥ 9 ? 0.33 × max : max
- solicited: mcast/unicast (implementation-dependent), usually mcast
- contains options, no MAC
- host uses link-local address (adds to default router list)
- interval between RAs is at least 3s (in case there are several RS)
- invalid timer for RA on host = router lifetime from RA
- disabled in tunnel interfaces by default
- flags
- address autoconfiguration (A)
- permits SLAAC
- within prefix option
- 1 by default
- other configuration (O)
- request information, absent from RA, from DHCP
- 0 by default
- managed configuration (M)
- address and information are to be requested from DHCP
- 0 by default
- on-link (L)
- whether the prefix is on-link (direct connection) or not (reachable via router)
- replaces IPv4 mask check
- 1 by default
- neighbour solicitation (NS)
- solicited-node mcast
- neighbour advertisement (NA)
- solicited:
- unicast
- routers set Router flag
- unsolicited:
- mcast ff02::1
- could be used on MAC change
- flags
- router flag (R)
- solicited (S)
- override (O): if received, receiver must update cache entry
- redirect
- Hop Limit = 255 (not routed beyond L2 segment), NDP AD = 2
Host-level load balancing
- if 2 routers in L2 segment announce different prefixes, 2 addresses are assigned
- if announced prefixes match, default gateway is selected based on priority
- if priority and prefixes match, first received RA is used to select default gateway
- no load-balancing for traffic
- RA interval = 200s (Cisco default)
- RA router lifetime = 1800s: validity as default gateway
- FHRP advantages:
- faster switchover
- tracking
- no dependency on OS implementation
IOS XE CLI
; router priority, medium – default
; 2 bits: medium = 0, low = 3, high = 1 (2 – reserved)
; if priority matches, host selects first RA
(config-if)# ipv6 nd router-preference low|medium|high
; valid and preferred lifetimes, seconds
(config-if)# ipv6 nd prefix default|<prefix> <valid> <preferred>
; A = 0, by default A = 1
(config-if)# ipv6 nd prefix default|<prefix> no-autoconfig
; set L-bit to 0, off-link ≡ not inserted into RIB as connected
(config-if)# ipv6 nd prefix default|<prefix> no-onlink|off-link
; 200s default, periodic RA transmission interval
; min_sec = 75% default, min_sec < t < sec
(config-if)# ipv6 nd ra interval <sec> [<min_sec>]
; RA lifetime for default gateway role, included in RA
; 1800s default
; sec = 0 – must not be used as default gateway
(config-if)# ipv6 nd ra lifetime <sec>
; up to 8 servers
(config-if)# ipv6 nd ra dns server <IPv6> <lifetime>
; solicited RA unicast, useful to decrease load (e.g., power usage on mobile/IoT)
(config-if)# ipv6 nd ra solicited unicast
; suppress periodic RA transmission, all – suppress replies to RS as well
(config-if)# ipv6 nd ra suppress [all]
; default: 0s for self-RA, 30s for ingress RA
; neighbour validity after receiving NA
(config-if)# ipv6 nd reachable-time <ms>
; default: B = 1, I = 1000ms, C = 3
; NUD retransmissions after the PROBE state, sending interval: Bⁱ × I, i ∈ {0, …, C−1}
(config-if)# ipv6 nd nud retry <base> <interval> <count>
; default: 0 (unspecified) in the RA, 1000ms for the router's own NS
; DAD and address resolution (≠ NUD!)
(config-if)# ipv6 nd ns-interval <ms>
(config-if)# ipv6 nd other-config-flag
(config-if)# ipv6 nd managed-config-flag
NDP RS format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Reserved (0x00)                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
\                            Options                            \
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Options:
- unknown options are ignored
- TLV: type and length are 1 byte
- types:
- 1: source L2 address
NDP RA format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Hop limit   |     Flags     |      Router lifetime (s)      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Reachable time (ms)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Retransmit time (ms)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
\                            Options                            \
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Options:
- types:
- 1: source L2 address
- 3: prefix info for SLAAC
- 5: MTU
Flags:
- 0x80: managed
- 0x40: other
- 0x20: home agent
- 0x18: default router preference
- 0x04: proxy
- 0x03: reserved
Prefix info option
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      | Length (0x04) | Prefix length |     Flags     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Valid lifetime (s)                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Preferred lifetime (s)                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Reserved                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                            Prefix                             +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Flags:
- 0x80: on-link (0 ≡ nothing is said about whether the prefix is on-link or off-link)
- 0x40: SLAAC
- 0x20: router address
NDP NS format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Reserved (0x00)                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                        Target address                         +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
\                            Options                            \
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Options:
- types
- 1: source L2 address
NDP NA format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|R|S|O|                        Reserved                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                        Target address                         +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
\                            Options                            \
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R: router flag (used by NUD to detect that a router has become a host)
S: solicited
O: override (0 in solicited NA for anycast and proxy)
Options:
- types
- 1: source L2 address (mandatory)
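Added example, not part of the original notes: a parser for the ICMPv6 and NDP formats in the sections above (RA, prefix info option, NS, NA, and the Packet Too Big error message with its embedded MTU). It assumes the RFC 4861 TLV rule that the option length is counted in 8-byte units including the type and length bytes, and it also decodes option type 2 (target link-layer address), which the notes do not list. The sample messages are constructed inline; the ICMPv6 checksum needs the IPv6 pseudo-header, which a bare message does not carry, so it is not verified here.

```python
# Added example (not from the original notes): a parser for the ICMPv6
# messages and NDP option formats above (RS 133, RA 134, NS 135, NA 136,
# Packet Too Big 2). Sample messages are constructed here for illustration.
# Option type 2 (target link-layer address, RFC 4861) is decoded although the
# notes list only type 1. The ICMPv6 checksum needs the IPv6 pseudo-header,
# which is not available here, so it is not verified.
import ipaddress
import struct

ICMPV6_NAMES = {1: "destination unreachable", 2: "packet too big", 3: "time exceeded",
                4: "parameter problem", 128: "echo request", 129: "echo reply",
                133: "router solicitation", 134: "router advertisement",
                135: "neighbour solicitation", 136: "neighbour advertisement", 137: "redirect"}
RA_FLAGS = ((0x80, "M"), (0x40, "O"), (0x20, "H"), (0x04, "P"))
NA_FLAGS = ((0x80, "R"), (0x40, "S"), (0x20, "O"))
PIO_FLAGS = ((0x80, "L"), (0x40, "A"), (0x20, "R"))
ROUTER_PREFERENCE = {0: "medium", 1: "high", 3: "low"}  # 2 is reserved


def _flags(value: int, table) -> list:
    return [name for bit, name in table if value & bit]


def parse_options(data: bytes) -> list:
    """Walk NDP TLV options: type (1 byte), length (1 byte, in 8-byte units, header included)."""
    opts, off = [], 0
    while off < len(data):
        if len(data) - off < 2 or data[off + 1] == 0:
            raise ValueError("malformed option: truncated or zero length (RFC 4861: discard)")
        typ, size = data[off], data[off + 1] * 8
        body = data[off + 2:off + size]
        if len(body) != size - 2:
            raise ValueError("truncated option")
        if typ in (1, 2):
            opts.append({"type": typ, "name": "source L2 address" if typ == 1 else "target L2 address",
                         "mac": body[:6].hex(":")})
        elif typ == 3:  # prefix info: plen, flags, valid, preferred, reserved, prefix
            valid, preferred = struct.unpack("!II", body[2:10])
            opts.append({"type": 3, "name": "prefix info",
                         "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}",
                         "flags": _flags(body[1], PIO_FLAGS), "valid": valid, "preferred": preferred})
        elif typ == 5:  # MTU: 2 reserved bytes, then the MTU
            opts.append({"type": 5, "name": "MTU", "mtu": struct.unpack("!I", body[2:6])[0]})
        else:
            opts.append({"type": typ, "name": "unknown (ignored)"})
        off += size
    return opts


def parse_icmpv6(pkt: bytes) -> dict:
    if len(pkt) < 8:
        raise ValueError("ICMPv6 message shorter than 8 bytes")
    typ = pkt[0]
    msg = {"type": typ, "name": ICMPV6_NAMES.get(typ, "unknown"),
           "class": "error" if typ < 128 else "informational"}
    body = pkt[4:]  # after type, code, checksum
    if typ == 2:
        msg["mtu"] = struct.unpack("!I", body[:4])[0]
        msg["invoking_packet"] = body[4:]          # as much of the original packet as fit
    elif typ == 133:
        msg["options"] = parse_options(body[4:])   # 4 reserved bytes, then options
    elif typ == 134:
        hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", body[:12])
        msg.update(cur_hop_limit=hop, flags=_flags(flags, RA_FLAGS),
                   router_preference=ROUTER_PREFERENCE.get((flags >> 3) & 0x3, "reserved"),
                   router_lifetime=lifetime, reachable_time_ms=reachable,
                   retrans_timer_ms=retrans, options=parse_options(body[12:]))
    elif typ in (135, 136):
        if typ == 136:
            msg["flags"] = _flags(body[0], NA_FLAGS)
        msg["target"] = str(ipaddress.IPv6Address(body[4:20]))
        msg["options"] = parse_options(body[20:])
    return msg


# --- constructed sample messages (checksum left as 0) ---
SAMPLE_MAC = bytes.fromhex("001a2b3c4d5e")


def sample_ra() -> bytes:
    hdr = struct.pack("!BBH", 134, 0, 0)
    body = struct.pack("!BBHII", 64, 0x40 | 0x08, 1800, 0, 0)  # O=1, Prf=high, lifetime 1800s
    src_l2 = bytes([1, 1]) + SAMPLE_MAC
    mtu = struct.pack("!BBHI", 5, 1, 0, 1500)
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0x80 | 0x40, 2592000, 604800, 0) \
        + ipaddress.IPv6Address("2001:db8:cafe:1::").packed      # L=1, A=1, 30 days / 7 days
    return hdr + body + src_l2 + mtu + pio


def sample_na() -> bytes:
    hdr = struct.pack("!BBH", 136, 0, 0)
    body = bytes([0xE0, 0, 0, 0]) + ipaddress.IPv6Address("fe80::21a:2bff:fe3c:4d5e").packed  # R,S,O
    return hdr + body + bytes([2, 1]) + SAMPLE_MAC


def sample_packet_too_big() -> bytes:
    return struct.pack("!BBHI", 2, 0, 0, 1280) + bytes([0x60]) + bytes(39)  # MTU 1280 + 40-byte stub
```

Decoding the router preference bits and the per-prefix L/A flags is the part a monitoring tool needs in order to tell a legitimate RA from one announcing an unexpected prefix or an unusually high preference on a segment.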
EUI-64
- extended unique identifier: create interface ID
- process
- split MAC in halves
- insert FFFE in between
- flip the 7th bit from the MSB (mask 0x02):
- universal/local bit
- 0 ≡ burnt-in (globally unique) MAC
- must be 1 in the interface ID according to the RFC (Cisco flips it)
- if interface has no MAC (serial), lowest numbered interface provides MAC
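Added example, not part of the original notes: the EUI-64 procedure above in code, with the reverse step that recovers the burnt-in MAC (and therefore the vendor OUI) from an EUI-64 address, which is the exposure that privacy and temporary addresses avoid. The MAC `00:1a:2b:3c:4d:5e` is a sample value.

```python
# Added example (not from the original notes): build an EUI-64 interface ID
# from a MAC, derive link-local and global addresses, and reverse the
# process, which is why an EUI-64 address exposes the NIC (and vendor OUI).
import ipaddress
import re


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Split the MAC, insert FF:FE, and flip the universal/local bit (bit 7 from the MSB, mask 0x02)."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID; fe80::/64 gives the link-local address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def is_eui64(addr: str) -> bool:
    """Heuristic: bytes 11-12 of the address are FF:FE."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


def mac_from_eui64(addr: str) -> str:
    """Recover the burnt-in MAC from an EUI-64 address (the step that privacy extensions prevent)."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[11:13] != b"\xff\xfe":
        raise ValueError("interface ID does not contain FF:FE")
    iid = bytearray(packed[8:])
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    ll = eui64_address("fe80::/64", "00:1a:2b:3c:4d:5e")
    print(ll, "->", mac_from_eui64(ll))
```

Because the interface ID is the same under every prefix, an EUI-64 host keeps one stable identifier across networks; `is_eui64` is a cheap way to spot such addresses in logs when checking whether privacy extensions are actually in use.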
SLAAC
- process:
- generate link-local address L; L state = tentative
- DAD(L): if success, L state = preferred
- generate global address G; G state = tentative
- DAD(G); if success, G state = preferred
- preferred lifetime → G to deprecated
- valid lifetime → G invalid
- valid: 30 days, refreshed by receiving RA
- preferred: 7 days; new connections can be created and existing ones used
- deprecated: no new connections are allowed
- invalid: cannot be used
- link-local
- EUI-64, privacy/security extension
Interface ID
- EUI-64
- privacy extension
- cryptographically generated addresses (CGA)
Neighbour cache
- states:
- INCOMPLETE: NS sent (if 3×NS fail – remove entry)
- REACHABLE: NA or data packets received (e.g., TCP session)
- STALE: from REACHABLE after Reachable time or receiving unsolicited NA
- DELAY: re-resolution, waiting for response (reply received → REACHABLE, otherwise → PROBE)
- PROBE: ≈ INCOMPLETE, re-resolution
- NS transmission interval in PROBE and INCOMPLETE – 1s
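Added example, not part of the original notes: the neighbour cache entry state machine listed above, driven by events (packet to send, NA received, unsolicited message, upper-layer confirmation) and a simulated clock. The constants are the defaults named in the notes (1s NS interval, 3 probes, 30s reachable time) plus RFC 4861's 5s delay before the first probe; the transition rules for NA handling follow RFC 4861 section 7.2.5.

```python
# Added example (not from the original notes): a neighbour cache entry state
# machine with the transitions listed above. Timers are simulated by calling
# tick(); the constants are the defaults named in the notes (1s NS interval,
# 3 probes, 30s reachable time) plus RFC 4861's 5s DELAY_FIRST_PROBE_TIME.
from dataclasses import dataclass
from typing import Dict, Optional

RETRANS_TIMER = 1.0          # NS interval in INCOMPLETE and PROBE
MAX_PROBES = 3               # give up (remove entry) after this many unanswered NS
REACHABLE_TIME = 30.0        # REACHABLE -> STALE after this long without confirmation
DELAY_FIRST_PROBE = 5.0      # DELAY -> PROBE


@dataclass
class Entry:
    state: str
    mac: Optional[str] = None
    is_router: bool = False
    probes: int = 0
    timer: float = 0.0       # seconds until the next timer-driven transition
    ns_sent: int = 0         # constructed counter so the NS traffic is observable


class NeighbourCache:
    def __init__(self):
        self.entries: Dict[str, Entry] = {}

    def _send_ns(self, e: Entry) -> None:
        e.probes += 1
        e.ns_sent += 1
        e.timer = RETRANS_TIMER

    def send_to(self, ip: str) -> str:
        """A packet is queued for `ip`: start resolution, or re-verify a STALE entry."""
        e = self.entries.get(ip)
        if e is None:
            e = self.entries[ip] = Entry("INCOMPLETE")
            self._send_ns(e)           # multicast NS to the solicited-node group
        elif e.state == "STALE":
            e.state, e.timer = "DELAY", DELAY_FIRST_PROBE
        return e.state

    def on_na(self, ip: str, mac: str, solicited: bool, override: bool, router: bool = False) -> str:
        e = self.entries.get(ip)
        if e is None:
            return "ignored"           # no entry: NA is discarded (RFC 4861 7.2.5)
        if e.state == "INCOMPLETE":
            e.mac = mac
            e.state = "REACHABLE" if solicited else "STALE"
        else:
            changed = mac != e.mac
            if changed and not override:
                if e.state == "REACHABLE":
                    e.state = "STALE"  # conflicting MAC without O: distrust, re-verify later
            else:
                e.mac = mac
                if solicited:
                    e.state = "REACHABLE"
                elif changed:
                    e.state = "STALE"
        e.is_router = router
        if e.state == "REACHABLE":
            e.timer, e.probes = REACHABLE_TIME, 0
        return e.state

    def on_unsolicited(self, ip: str, mac: str) -> str:
        """NS/RS/RA carrying a source L2 option: create or update an entry in STALE
        (the point above: unlike ARP, an entry may be learned without a prior request)."""
        e = self.entries.get(ip)
        if e is None:
            self.entries[ip] = Entry("STALE", mac=mac)
        elif mac != e.mac:
            e.mac, e.state = mac, "STALE"
        return self.entries[ip].state

    def on_upper_layer_confirmation(self, ip: str) -> str:
        """e.g. a TCP ACK for data sent to ip: forward progress confirms reachability."""
        e = self.entries.get(ip)
        if e is None:
            return "absent"
        e.state, e.timer, e.probes = "REACHABLE", REACHABLE_TIME, 0
        return e.state

    def tick(self, ip: str, elapsed: float) -> str:
        """Advance the entry's timer by `elapsed` seconds and apply the timeout transition."""
        e = self.entries.get(ip)
        if e is None:
            return "absent"
        e.timer -= elapsed
        if e.timer > 0:
            return e.state
        if e.state in ("INCOMPLETE", "PROBE"):
            if e.probes >= MAX_PROBES:
                del self.entries[ip]
                return "removed"
            self._send_ns(e)
        elif e.state == "REACHABLE":
            e.state = "STALE"
        elif e.state == "DELAY":
            e.state, e.probes = "PROBE", 0
            self._send_ns(e)           # unicast NS to the cached MAC
        return e.state
```

The `override` handling is the detail worth noticing: an NA that disagrees with the cached MAC but has O = 0 never replaces the stored MAC, it only demotes a REACHABLE entry to STALE so that the next packet triggers a fresh unicast probe.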
On-link prefix
- howto:
- L flag in RA (if not set, not clear if it is on-link or off-link)
- redirect
- received NA from address (≈ ARP reply)
- received NS from address (≈ ARP request)
- link-local address (lifetime = ∞)
- static, SLAAC and DHCP prefix on interface are not considered on-link by default
- destination is off-link by default
Temporary address
- privacy extension
- used for egress connections
- interface ID – random only
- lifetime is not refreshed on receiving RA
- lifetime is shorter than the one for public address
- default lifetime is different between OS
Source address selection
- if a candidate source equals the destination, select it (host talking to itself)
- match scope: for a link-local destination select a link-local source
- do not use deprecated if preferred is available
- home address is preferred over care-of
- mobility
- home ≡ permanent (normal)
- care-of – after moving to another subnet
- outgoing interface to destination
- match label
- address group might have one label
- if dst has label N – prefer src address from label N
- allows using native addresses (e.g., 6to4)
- temporary over public
- longest prefix match
- dst = 2001:db8:cafe:0001:0000:0000:0000:0000
- src A = 2001:db8:cafe:0001:0000:0000:0000:0001 – wins
- src B = 2001:db8:cafe:0001:1111:1111:1111:1111
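Added example, not part of the original notes: the selection rules listed above applied in order to a candidate list, in the style of RFC 6724, including the worked longest-prefix case with addresses A and B. The mobility rule (home over care-of) is left out; the label table is the RFC 6724 default policy table, and candidate attributes (deprecated, temporary, interface) are constructed.

```python
# Added example (not from the original notes): the source address selection
# rules listed above, in order, applied to a candidate list (RFC 6724 style).
# The mobility rule (home over care-of) is left out; the label table is the
# RFC 6724 default policy table. Candidate attributes are constructed.
from dataclasses import dataclass
from typing import List
import ipaddress

# RFC 6724 default policy table: (prefix, label)
POLICY_TABLE = [("::1/128", 0), ("::/0", 1), ("::ffff:0:0/96", 4), ("2002::/16", 2),
                ("2001::/32", 5), ("fc00::/7", 13), ("::/96", 3), ("fec0::/10", 11), ("3ffe::/16", 12)]
POLICY = [(ipaddress.IPv6Network(p), lbl) for p, lbl in POLICY_TABLE]


@dataclass
class Candidate:
    address: str
    interface: str = "eth0"
    deprecated: bool = False
    temporary: bool = False


def label(addr: ipaddress.IPv6Address) -> int:
    """Label of the longest matching prefix in the policy table."""
    return max((n.prefixlen, lbl) for n, lbl in POLICY if addr in n)[1]


def scope(addr: ipaddress.IPv6Address) -> int:
    if addr.is_multicast:
        return (int(addr) >> 112) & 0xF
    if addr.is_link_local or addr.is_loopback:
        return 0x2
    return 0xE  # global; unique-local is treated as global scope (RFC 6724 3.1)


def common_prefix_len(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(dst: str, candidates: List[Candidate], out_iface: str = "eth0") -> str:
    d = ipaddress.IPv6Address(dst)
    ds = scope(d)

    def key(c: Candidate):
        a = ipaddress.IPv6Address(c.address)
        s = scope(a)
        # Tuple comparison applies the rules in order; a later rule only
        # decides when every earlier one is a tie.
        return (
            a == d,                                   # rule 1: same address
            (s >= ds, -s if s >= ds else s),          # rule 2: smallest sufficient scope
            not c.deprecated,                         # rule 3: avoid deprecated
            c.interface == out_iface,                 # rule 5: outgoing interface
            label(a) == label(d),                     # rule 6: matching label
            c.temporary,                              # rule 7: temporary over public
            common_prefix_len(a, d),                  # rule 8: longest matching prefix
        )

    return max(candidates, key=key).address


if __name__ == "__main__":
    cands = [Candidate("2001:db8:cafe:1::1"), Candidate("2001:db8:cafe:1:1111:1111:1111:1111")]
    print(select_source("2001:db8:cafe:1::", cands))
```

Rule 7 sitting above rule 8 is what makes a temporary address win over the public EUI-64 address of the same prefix, even though the public one usually shares more leading bits with destinations on the same link.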
LIR prefix allocation
- /40: large enterprise
- /48: default
- /56: medium/small company, consumer service
QoS
- Traffic class
- 8 bit, DSCP + ECN
- can be changed along packet’s path
- not covered by IPsec integrity protection (mutable field)
- Flow Label
- 20 bit
- non-default QoS
- cannot be changed along packet’s path
- can be used for QoS on fragments, L4-based session marking or IPsec marking