Which network technologies make IPv6 unnecessary?

The Network Insider January 2011

Systematic training for network and IT professionals

Entry into IPv6 - (not only) using the example of address planning and "Direct Access"

by Dipl.-Inform. Dietlind Hübner, Dipl.-Inform. Oliver Flüs

Various articles in the Network Insider have already pointed out that it is time to get to grips with IPv6 as soon as possible, so as not to be overrun suddenly. Why the hurry, one reader may ask. Let the other colleagues in the IT department do that first, I have enough other things to do this year, another may think. This is not how it will work in the case of IPv6: this time (even more than usual) coordinated and agreed planning and introduction are called for, and on the basis of detailed knowledge built up in good time, at least for the fundamental decisions. The alternative: the entry becomes a stumbling tour, first attempts become considerably more laborious than necessary, first quick shots clearly miss the desired goal or contain errors that can only be corrected laboriously. In particular, IPv6 (almost) cannot be done without involving the operators of the network infrastructure and the firewalls, and without the decisions that go with that. This will be demonstrated with two current examples: address planning on the one hand, and the possible introduction of Direct Access, a Microsoft solution offering that cannot be used at all without IPv6, on the other.

ComConsult Research The Network Insider January 2011

The IPv6 router as a pilot on the way to a working configuration

If you deal with the introduction of IPv6, at least for the end-device area you can hardly avoid the keyword "autoconfiguration". A typical choice here is to

• let the devices connected in the access area (end devices, printers etc.) generate their addresses automatically (anyone who wants to read this up in more detail in previous Insider articles or other literature on IPv6 can start by searching for the term "autoconfiguration"), and

• fetch the remaining parameters needed for full operation (e.g. name servers, NTP servers, ...) via DHCP, as is customary under IPv4. The keyword here is of course DHCP in general, or, more precisely, "stateless DHCP" in RFCs and in literature phrased close to RFC vocabulary.

Dipl.-Inform. Dietlind Hübner has worked for more than 20 years as a specialist in network structuring, network protocols, connectivity and network applications. As a senior consultant she regularly works in projects on these main topics and has developed essential standard concepts for office and industrial environments as well as their implementation. In addition, the design and deployment planning of IT security and of innovations in network protocols, in particular IPv6, are among her thematic focal points.

All right, so perhaps one simply decides on this path. So what is the problem, why is teamwork, i.e. a coordinated approach and overall planning, called for?

Configuration management for the end-device area is clearly regulated, full stop: as soon as IPv6 is transported in the network at all, the end-device operator and the DHCP server operator decide what they set and how!? OK, autoconfiguration needs a "prefix list", i.e. a list of "front parts" of the IPv6 address that belong to a given IP subnet: the automatically generated address is then formed by appending to this "network preamble" an "interface identifier" that is unique for the network interface of the end device. Since the prefix of a globally unique address is split into a globally unique part and the part that identifies the "subnet" within one's own network (subnet identifier), one can structure one's own network flexibly, as usual.

The interface identifier, on the other hand, can for example be derived from the Ethernet address of the device according to a fixed rule (keyword: modified EUI-64 representation), or one follows the security ideas of RFC 4941 ("privacy extensions") and has the identifier generated so that the end device can be recognised less easily by its IPv6 address. As long as one keeps to the convention of splitting the IPv6 address half and half for this purpose (64-bit prefix, 64-bit interface identifier), any RFC-compliant variant of identifier generation can be used. The choice of identifier form will certainly be made on the end device as part of setting up IPv6 (see figure 1).
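The split described above, in an example added here (not code from the Network Insider article): a small Python script that derives a modified EUI-64 identifier from a MAC address, generates a random identifier in the spirit of RFC 4941, splits a /64 prefix into global identifier and subnet identifier as in figure 1, and refuses to compose an address from anything other than a /64 prefix. The MAC address and the 2001:db8::/32 documentation prefix are constructed sample values.

```python
import ipaddress
import secrets

# Added example (not from the Network Insider article): composing an IPv6 address
# from a 64-bit prefix and a 64-bit interface identifier, the split figure 1 shows.
# The MAC address and the 2001:db8::/32 documentation prefix used below are
# constructed sample values, not data from the article.

def modified_eui64(mac: str) -> bytes:
    """Derive the 64-bit interface identifier from a 48-bit MAC address in
    modified EUI-64 form (RFC 4291, appendix A): insert 0xFFFE in the middle
    and invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]

def temporary_iid() -> bytes:
    """Random 64-bit identifier in the spirit of the RFC 4941 privacy extensions.
    RFC 4941 derives the value from a hashed history; plain randomness is used
    here as a simplification. The u/l bit is cleared because the value is
    locally generated and not globally unique."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)

def split_prefix(prefix: str) -> tuple[str, int]:
    """Split a /64 subnet prefix into the 48-bit global identifier and the
    16-bit subnet identifier (the structure shown in figure 1)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"expected a /64 subnet prefix, got /{net.prefixlen}")
    global_id = net.supernet(new_prefix=48)
    subnet_id = (int(net.network_address) >> 64) & 0xFFFF
    return str(global_id), subnet_id

def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Append the interface identifier to the prefix. Every RFC-defined
    identifier form needs the lower 64 bits, so anything other than a /64
    prefix is refused: this is the constraint the address-planning part of
    the article discusses."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"autoconfiguration needs a /64 prefix, got /{net.prefixlen}")
    if len(iid) != 8:
        raise ValueError("interface identifier must be 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"        # constructed sample MAC address
    prefix = "2001:db8:1:2::/64"      # constructed sample subnet prefix
    print(split_prefix(prefix))
    print(slaac_address(prefix, modified_eui64(mac)))
    print(slaac_address(prefix, temporary_iid()))
```

Running the script with a /112 instead of the /64 raises the ValueError from slaac_address, which is the same situation a real end device faces when the network operator has chosen a longer prefix on a subnet where autoconfiguration is later expected.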

Dipl.-Inform. Oliver Flüs has many years of experience in the operation of IT infrastructures. As head of the Competence Center IT Service at ComConsult Beratung und Planung GmbH he has been working in projects in the field of IT services for years. On these topics he is regularly active as a speaker at the ComConsult Akademie, among other things as a speaker on TCP/IP aspects, in the trouble-shooter seminar series and within the security seminars.

Anyone who has already read a little about IPv6 will think "I have already had this explained in more detail". Everyone will think: and where is the special feature, the tripping hazard? The first peculiarity compared with IPv4 arises from the question of where, having decided on the pair "automatically configured address + stateless DHCP", this decision is configured. Answer: on the subnet router:

• the typical source for a list of the prefixes in use in a subnet is the subnet router,

• the typical source for the specification "DHCP provides additional (other) parameters apart from the IP address" is also the subnet router.

Figure 1: Composition of IPv6 addresses from prefix and interface identifier. Labels in the figure: global identifier (48 bit), subnet identifier (16 bit), interface identifier (64 bit); link-local prefix (64 bit); routing prefix allocated by the router; interface identifier of the workstation (64 bit), generated automatically from the MAC address.

If the router is configured accordingly, it distributes (periodically or on explicit request; search term to read up on: "router solicitation") the corresponding instructions in the form of special packets, so-called router advertisements (see figure 2). All that remains is to set on the end device that it is to listen to such input from the router; the rest is configured on the router (see the screenshot example for the "testrouterbp"). The network operator, however, is responsible for the router configuration, i.e. the operational decision taken by the end-device operator must be implemented by the network operator: teamwork, point 1.

Figure 2: Instructions for automatic configuration of end devices and the like via router advertisement

"By the way", the router advertisement can also convey, via optional elements ("prefix information"), which prefixes may be used for automatic address generation.

Having opted, because of the flags shown in the figure, for listening to advertisements, it is an obvious step to have the prefix information delivered by the router as well, especially since the prefixes have to be entered on the router anyway so that it can connect the subnet correctly (so why do the work twice unnecessarily?) (see figure 3).

Depending on the operating system, it is also possible to simulate such router functionality as a "service" on another device. Linux, for example, has a router advertisement daemon, radvd, that could be used for this. One could even set the parameters to be sent in the advertisement on the very device that is to be networked, which then supplies itself via the IPv6 loopback interface. But honestly: instead of storing a working, finished configuration locally, deciding on automatic configuration of the device including the use of DHCP, and then laboriously building such crutch solutions, which can look different for every device type, sounds not only contradictory ... So if one dispenses with involving the router, and thus the network operator, in the end-device configuration for IPv6, then only as an exception, because one is forced to.

Those who have read up on IPv6 in more detail will know it, the others may have guessed it: the subnet router can supply further details and thus control important mechanisms. This of course harbours the danger of new forms of attack in which an attacker "pretends to hold the router role". Accordingly, those responsible for IT security and those responsible for a functioning network must also work together on the basis of a shared level of knowledge. (But the surprise will not be that big?!)
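As an added example (not the article's own code) of the defensive side of this point: the Python script below parses ICMPv6 router advertisements, including prefix information options, and compares each advertisement with the configuration the end-device operator and the network operator agreed on, so that an advertisement from an unexpected source, with unexpected M/O flags or with an unexpected prefix is reported. The policy, the router addresses and the sample packets are constructed assumptions; in practice the packets would come from a capture on the access segment.

```python
import ipaddress
import struct

# Added example, not code from the article: parse ICMPv6 Router Advertisements
# (RFC 4861, type 134) and flag ones that deviate from the agreed configuration.
# All packets, router addresses and prefixes below are constructed sample data.

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3

# Agreed configuration (assumed policy): which link-local addresses may act as
# router, which prefixes they may announce, and the M/O flags the end-device
# operator and the network operator settled on ("stateless DHCP": M=0, O=1).
POLICY = {
    "routers": {ipaddress.IPv6Address("fe80::1")},
    "prefixes": {ipaddress.IPv6Network("2001:db8:1:2::/64")},
    "managed": False,
    "other": True,
}

def build_ra(managed, other, router_lifetime, prefixes):
    """Build the ICMPv6 payload of a Router Advertisement carrying Prefix
    Information options (checksum left at 0; used only to construct samples)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    for prefix in prefixes:
        net = ipaddress.IPv6Network(prefix)
        # type 3, length 4 (32 bytes), prefix length, L|A flags, valid, preferred, reserved
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        pkt += net.network_address.packed
    return pkt

def parse_ra(payload):
    """Return the flags and the announced prefixes of a Router Advertisement."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a router advertisement")
    _, _, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    pos = 16
    while pos + 2 <= len(payload):
        opt_type, opt_len = payload[pos], payload[pos + 1]
        if opt_len == 0:
            raise ValueError("option with zero length (RFC 4861 requires discarding the packet)")
        end = pos + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags = payload[pos + 2], payload[pos + 3]
            prefix = ipaddress.IPv6Address(payload[pos + 16:pos + 32])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network(f"{prefix}/{plen}", strict=False),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),
            })
        pos = end
    return ra

def audit_ra(source, payload, policy=POLICY):
    """Compare one RA against the policy; an empty list means nothing suspicious."""
    ra = parse_ra(payload)
    findings = []
    src = ipaddress.IPv6Address(source)
    if src not in policy["routers"]:
        findings.append(f"RA from unexpected source {src}")
    if ra["managed"] != policy["managed"] or ra["other"] != policy["other"]:
        findings.append("M/O flags differ from the agreed configuration")
    for p in ra["prefixes"]:
        if p["prefix"] not in policy["prefixes"]:
            findings.append(f"unexpected prefix {p['prefix']} announced by {src}")
    return findings

# Constructed samples: the legitimate subnet router and a host posing as router.
SAMPLE_LEGIT = build_ra(False, True, 1800, ["2001:db8:1:2::/64"])
SAMPLE_ROGUE = build_ra(False, False, 9000, ["2001:db8:bad::/64"])

if __name__ == "__main__":
    print(audit_ra("fe80::1", SAMPLE_LEGIT))
    print(audit_ra("fe80::c0ff:ee", SAMPLE_ROGUE))
```

The policy is exactly the information that only exists if the network operator, the end-device operator and IT security have agreed on it beforehand: which device is the router, which prefixes it announces, and whether stateless DHCP is in use. Without that shared knowledge the check has nothing to compare against.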

Waste of addresses on pure transport routes due to autoconfiguration?

Of course, when introducing IPv6 one must and will also have to draw up an IPv6 address concept. Responsibility for this will probably stay where it already lay for IPv4 in the environment under consideration. Fundamentals on this have already been said in previous Insider articles,

• in connection with the idea of the address types available under IPv6 (keywords to search for / read up on, e.g.: global addresses, unique local addresses / ULA) and

• with references to possible advantages of the significantly larger set of addresses.

No worries for regular Insider readers: the rough outline of the configuration automatisms given above was needed as background for new members of the readership, but the fundamental statements on an address concept will not be repeated as well.

Figure 3: Example of prefix information via router advertisement

Figure 4: RFC 4291 regarding (the length of) the interface identifier

However, questions and discussions on IPv6 address design, in customer projects as well as in events of the ComConsult Akademie, show that the points on the autoconfiguration idea warmed up in the brief outline also have an impact on the address concept.

The original idea of the "EUI-64"-like interface identifier has led to all variants defined by RFC for automatic address configuration always claiming the rear 64 bits of the IPv6 address for the identifier. Anyone who also wants to be able to fall back on automatic configuration later without mishaps must, when structuring the network in the address concept, initially limit the prefix design to 64 bits. In principle this does not matter, if one compares this room for manoeuvre with the current situation under IPv4. Common subnet sizes such as 256 addresses (4th octet for the host ID) or 64 addresses (for 48-port switches with the idea "one switch = one subnet") lead under IPv4, for example when using a class A address, to a number of possible subnets that one also reaches under IPv6 with 64-bit prefixes, even if a larger part of the prefix is taken for a globally unique "global identifier".

However, there will be cases in practice in which one still winces on principle when, because of a blanket stipulation "the lower 64 bits are taboo for the address concept", addresses have to be wasted massively. Probably the most typical example of this kind are "transport networks", for example for the direct connection of two sites or direct connections between layer 3 switches of different structuring levels (e.g. "core and distribution switch" or similar conceptual role distinctions in network concepts with stronger layer 3 structuring).

With such transport networks, even with pure point-to-point connections between routers / layer 3 switches, should one really let the prefix end at bit 64? If one slavishly follows RFC 4291 "IP Version 6 Addressing Architecture", one has to, as described in figure 4. RFC 4291 is not "informational" but belongs to the "standards track", and the rules of the game of standardisation should be kept if one wants to avoid trouble, if only to avoid compatibility problems between the products deployed in the network. Or simply in order to be able to choose between different options that have a minimum in common; here the EUI-64-like interface IDs and the seemingly arbitrary-looking alternatives according to the "privacy extensions" mentioned above for automatically configured addresses: all such address forms have a prefix length of no more than 64 bits, precisely as a uniform basis for automatic address configuration.

So the bottom line: the possibility of easing operations for the end-device side via automatic address configuration leads to an obligation to waste for the address planner working in compliance with the RFC, and the person responsible for the end devices must stubbornly demand this as well?! Fortunately not, but only those who read very carefully will notice:

• If one took the quoted passage from RFC 4291 literally as a must, the RFC for "privacy extensions" would also be pointless. Reading a little more closely, one finds that the "modified EUI-64 format" and the implementation of ideas from the privacy extensions RFC can contradict each other. Microsoft, for example, with the "temporary addresses" available under Windows 7, introduces a far-reaching implementation of the privacy extensions ideas for an address format that has nothing in common with modified EUI-64 either.

• In another (informational) RFC, RFC 5375 "IPv6 Unicast Address Assignment Considerations", a prefix length of > 64 is discussed for transport connections and the use of a prefix length of /112 is suggested for such cases. That is still "waste", but at least no longer as bad as /64 according to RFC 4291.



The prerequisite for deviating from the half-and-half split of the IPv6 address into prefix and identifier is of course that all mechanisms connected with autoconfiguration can be dispensed with in the subnets concerned. Consequence: while such an exception is possible for permanently pure transport networks, it would be a possible stumbling block for subnets to which devices not administered by the network operator could later be connected (e.g. for monitoring purposes, as proxies or the like). So before a device operator brings a first device into a subnet that he wants to operate with autoconfiguration (no matter which address format), he should, if necessary, ask the network operator about the prefix length(s) in this subnet.

That would still be simple, but reading RFC 5375 more closely, and also RFC 3627 referenced in it, one finds that the /112 proposal is actually not really justified. Only the more obvious values from IPv4 practice such as /127 are explained as problematic, and the hope is expressed that no mishaps will happen with /112 prefixes.
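To show how the two requirements above (keep /64 wherever autoconfiguration may ever be needed, use longer prefixes only on permanently pure transport links) can be expressed in an address plan, an example added here that is not from the article: a Python script carving a site /48 (the constructed documentation prefix 2001:db8:1::/48) into /64 end-device subnets and /112 transport links taken from one reserved /64, and reporting per prefix whether autoconfiguration is still possible.

```python
import ipaddress
from itertools import islice

# Added example, not from the article: carving an IPv6 address plan that keeps
# /64 for every subnet where autoconfiguration may ever be needed and cuts
# longer prefixes only from a pool reserved for pure transport links.
# The site prefix 2001:db8:1::/48 is a constructed sample (documentation range).

def plan_site(site_prefix, user_subnets, transport_links, transport_len=112):
    """Return /64 subnets for end-device areas plus transport links cut out of
    the highest /64 of the site. transport_len=112 follows the RFC 5375
    suggestion the article mentions; /64 would be required for strict RFC 4291
    compliance."""
    site = ipaddress.IPv6Network(site_prefix, strict=True)
    if site.prefixlen > 64:
        raise ValueError("site prefix must leave room for /64 subnets")
    if transport_len <= 64:
        raise ValueError("transport links use a prefix longer than /64 in this plan")
    users = list(islice(site.subnets(new_prefix=64), user_subnets))
    if len(users) < user_subnets:
        raise ValueError("site prefix too small for the requested subnets")
    # reserve the highest /64 of the site as the pool for transport links
    pool = ipaddress.IPv6Network((int(site.broadcast_address) & ~((1 << 64) - 1), 64))
    if pool in users:
        raise ValueError("no /64 left to reserve for transport links")
    links = list(islice(pool.subnets(new_prefix=transport_len), transport_links))
    return {"user_subnets": users, "transport_pool": pool, "transport_links": links}

def describe(net):
    """Operational properties of one prefix in the plan."""
    return {
        "prefix": str(net),
        "addresses": net.num_addresses,
        # every RFC-defined identifier form claims the lower 64 bits
        "autoconfiguration_possible": net.prefixlen == 64,
        # RFC 3627 (referenced from RFC 5375) explains why /127 is problematic
        "rfc3627_concern": net.prefixlen == 127,
    }

def check_plan(plan):
    """True if no two prefixes in the plan overlap."""
    nets = plan["user_subnets"] + plan["transport_links"]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

if __name__ == "__main__":
    plan = plan_site("2001:db8:1::/48", user_subnets=3, transport_links=2)
    for net in plan["user_subnets"] + plan["transport_links"]:
        print(describe(net))
    print("plan consistent:", check_plan(plan))
```

The default /112 follows the RFC 5375 suggestion discussed above; passing transport_len=127 marks the link with the RFC 3627 concern. Note that RFC 6164, published in 2011 after this article, later permitted /127 on inter-router links, so the check in describe should follow whichever RFC the organisation has decided to comply with; keeping the transport links inside one clearly reserved /64 is what makes that decision revisable without touching the end-device subnets.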

What can be learned from this excursion into the details of IPv6 address management and IPv6 address planning?

1. In IPv6 practice, the operation of end devices and the operation of network components are more closely linked than under IPv4.

2. Uncoordinated planning by the various IT specialists is more disadvantageous than under IPv4 and can even lead to outages or avoidable mishaps.

3. Coordination between the various specialists requires a suitable common ground of IPv6 knowledge at the time of coordination, and for suitable compromises one has to imagine and know more "beyond one's own plate".

4. A short "IPv6 crash course" in the form of an introductory article or the like is not enough. Anyone who wants to be successful and, in particular, avoid unnecessary clumsiness must also take the "small print" and further information into account (product-specific variants exist on top of that, of course).

A coordinated approach also means: finding a sensible order of entry

So far it has been more about fundamentals, e.g. the interplay of network components and end-device configuration to bring a device into an IPv6-capable state.

The "breakdown situation" that has already occurred many times in operational practice under IPv4, however, is this: a new network-based service offering is to be introduced, and the network operator and "IT security" are the last to hear about it. Transferred to the entry into IPv6 this means: there are concrete plans for introducing an IPv6-based solution, at best already with fixed ideas about dates, and the operator of an infrastructure of network and security components that is not yet (consistently) prepared for IPv6 support is confronted with this at short notice.

The result: an infrastructure conversion to parallel IPv4/IPv6 operation at race pace, and

• breakdowns are likely,

• the effort is unnecessarily increased compared with a coordinated order of introduction (ideal: consistently configured support of IPv6, at least in the internal network including the security transitions),

• the new service offering may initially not be able to develop its full value, and

• the security level may temporarily drop.

Entry into IPv6 and Direct Access - how best?

A first, current example is Direct Access from Microsoft.

Motivation: Direct Access, IPv6 as a necessary prerequisite

Direct Access is a solution offering from Microsoft, available with Windows 7 / Windows Server 2008 R2. It enables mobile clients to establish a connection for communication with the corporate network automatically as soon as the client has Internet connectivity. In this way, internal IT resources of the target environment are made accessible without any action on the part of the user.

Unlike conventional VPN or RAS solutions, the authorisation for the associated access to the internal network is not tied to the authentication of the user (e.g. login) but to a device authentication. This makes it possible to initially restrict the communication of the mobile device to certain internal targets, from which a condition appropriate from the security point of view (e.g. currency of security updates) is checked automatically and established if necessary, before the user can access the actual IT services.

• Direct Access can increase convenience for the user of the mobile device (no manual initiation of the connection setup to the internal network).

• Direct Access can be used to reduce the risk that mobile clients pose to the internal IT installations.

In this respect, Direct Access can be used both as an improved service offering to the user and as a basis for reducing the residual risk from a security point of view. These are two weighty arguments that make the introduction of Direct Access interesting and thus make it understandable if an early introduction is considered.

What does Direct Access have to do with the introduction of IPv6?

Direct Access presupposes IPv6 as the basis for communication, which makes a minimum entry into IPv6 a prerequisite for using Direct Access.

• The Direct Access client sends exclusively IPv6 traffic to the Direct Access server.

• Direct Access can only be used by IPv6-capable client applications.

• Clients must be enabled for IPv6 and given a suitable configuration in order to use Direct Access.

• Direct Access servers must be enabled and configured for IPv6. The operator of Direct Access needs IPv6 know-how and must ensure that a Direct Access client receives a suitable IPv6 configuration in the various guest environments.

• Internal services that are to be used via Direct Access (DA) must be reachable via IPv6, at least indirectly.

• Either the solution in question is IPv6-capable, or a tunnel mechanism such as ISATAP is needed. In that case, know-how regarding the configuration and operation (troubleshooting) of such a tunnel mechanism must be available in the deployment environment, e.g. at the operator of the DA server (which can be deployed as the ISATAP router),

or

• the internal services used are already installed IPv6-based and directly reachable via IPv6. Here, IPv6 know-how is mandatory, in particular at the operator of the server / service / application.

(Alternatives that implement IPv4/IPv6 connectivity via NAT are questionable with regard to future-proofness because of the currently insufficient standardisation basis of NAT for IPv6.)

Optimal use of Direct Access also depends on performance aspects.

Optimum: IPv6 "end to end", at least from the DA server onwards

Optimal performance is achieved when IPv4/IPv6 coupling mechanisms can be dispensed with, so that there is no packet handling at tunnel ends or similar transition points. If the optimum performance is to be offered at least from the point where one's own infrastructure is reached, this presupposes:

• continuous IPv6 support in one's own network from the DA server to the internal servers,

• IPv6 capability of the internal servers and of the services and applications to be used on them.

To create these conditions,

• the hardware and software of network components and servers must be sufficient, or suitable software or firmware versions must be present,

• the network components concerned must be configured for IPv6, with a suitable address concept and operational know-how provided, and

• servers and services / applications must be installed and configured with IPv6 support, with suitable operational know-how available.

Avoidable auxiliary mechanisms for transporting IPv6 over an IPv4 (partial) route are not conducive to performance.

But how significant is this point?

One has to bear in mind that the solution aims at letting the mobile computers "outside" communicate with internal servers and services. The round-trip aspects known from previous VPN and RAS offerings are therefore empirical values that apply here too.

For the communication path from the mobile client to the entry point into the internal network (DMZ with Direct Access server), this can only be assumed to a limited extent; here IPv6 support on externally operated routes cannot be enforced. If continuous IPv6 support by the devices and services / applications relevant for Direct Access, and by the communication paths to them, cannot initially be guaranteed within one's own environment either, this comes at the expense of performance.

On top of the delays that are unavoidable anyway for access from mobile clients, caused by

• the distance to be covered,

• time spent on encryption / decryption of the transmission,

• time spent on checks at packet filters and firewalls, and

• possibly unavoidable bottleneck effects at WAN accesses with a bandwidth gradient between LAN and WAN,

come

• time spent on packing / unpacking the IPv6 packets at the endpoints of the "tunnel" for transporting IPv6 packets across the IPv4 network via a new tunnel mechanism, and

• time spent on security checks by firewalls on the "tunneled" route.
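The prerequisites and the extra delay sources listed above can be turned into a readiness check. The following Python script is an added example, not part of the article, that classifies for each internal service whether a DA client reaches it natively over IPv6, only through an IPv6-over-IPv4 tunnel such as ISATAP (with the two additional delay contributions named above), or not at all, and lists what has to be fixed on which component. The components and services are constructed sample data.

```python
from dataclasses import dataclass

# Added example, not from the article: a readiness check for reaching internal
# services via Direct Access, following the article's prerequisites (IPv6 on the
# DA server, on every network hop and on the server/service) and its list of
# extra delays when an IPv6-over-IPv4 tunnel such as ISATAP has to be used.
# All components and services below are constructed sample data.

@dataclass
class Component:
    name: str
    ipv6_capable: bool     # hardware/software or firmware version supports IPv6
    ipv6_configured: bool  # IPv6 actually configured (address concept applied)

@dataclass
class Service:
    name: str
    server: Component
    path: list                       # network components between DA server and the server
    isatap_available: bool = False   # DA server can act as ISATAP router for this server

# Delay contributions that come on top of the ones any remote access has
# (distance, encryption, packet filters, WAN bottleneck), per the article.
TUNNEL_EXTRA_DELAYS = [
    "packing/unpacking IPv6 packets at the tunnel endpoints",
    "firewall inspection on the tunneled route",
]

def missing_prerequisites(components):
    """What must be fixed on each component before it can carry native IPv6."""
    todo = []
    for c in components:
        if not c.ipv6_capable:
            todo.append(f"{c.name}: hardware/firmware upgrade for IPv6")
        elif not c.ipv6_configured:
            todo.append(f"{c.name}: configure IPv6 (address concept, operations know-how)")
    return todo

def classify(service):
    """Decide how (and whether) a DA client can reach the service."""
    server_ok = service.server.ipv6_capable and service.server.ipv6_configured
    path_todo = missing_prerequisites(service.path)
    if server_ok and not path_todo:
        return {"path": "native IPv6 end to end", "extra_delays": [], "todo": []}
    if server_ok and service.isatap_available:
        # reachable now, but with the tunnel penalties; path_todo lists what
        # remains to be done to get rid of the tunnel
        return {"path": "IPv6 over IPv4 via ISATAP",
                "extra_delays": list(TUNNEL_EXTRA_DELAYS), "todo": path_todo}
    todo = missing_prerequisites([service.server]) + path_todo
    return {"path": "not reachable via Direct Access", "extra_delays": [], "todo": todo}

def report(services):
    """Readiness report for a list of services, keyed by service name."""
    return {s.name: classify(s) for s in services}

# constructed sample inventory
DA_SERVER = Component("da-server (DMZ)", True, True)
CORE = Component("core switch", True, True)
DIST_OLD = Component("distribution switch, old firmware", False, False)
MAIL = Service("mail", Component("mail server", True, True), [DA_SERVER, CORE])
ERP = Service("erp", Component("erp server", True, True),
              [DA_SERVER, CORE, DIST_OLD], isatap_available=True)
LEGACY = Service("legacy app", Component("legacy server", True, False), [DA_SERVER, CORE])

if __name__ == "__main__":
    for name, result in report([MAIL, ERP, LEGACY]).items():
        print(name, result)
```

The todo list of the tunnel case is the coordinated order of entry in miniature: it names the network components whose IPv6 support must be completed before the tunnel, and with it the two extra delay sources, can be removed.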

With response-time-critical applications