Post on 28-Apr-2023
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
Find this session in the Cisco Events Mobile App
Click “Join the Discussion”
Install Webex Teams or go directly to the team space
Enter messages/questions in the team space
cs.co/ciscolivebot#BRKRST-3304
Nicole Wajer, Technical Solutions Architect (@vlinder_nl)
The Hitchhiker's Guide to the Galaxy
“Space,” it says, “is big. Really big. You just won’t believe how vastly, hugely, mind-bogglingly big it is. I mean, you may think it’s a long way down the road to the chemist, but that’s just peanuts to space. Listen …” and so on.
Encyclopaedia Galactica (agenda)
• Easy to miss – Warm up your brain
• Neighbor And Router Discovery
• Addressing
• IPv4 Coexistence And Transition
• IPv6-centric Deployments

Easy to miss – Warm up your brain
EIGRP IPv6 needs “no shutdown”
ipv6 router eigrp 1
 router-id 192.0.2.1
 no shutdown
VRRPv3: default is VRRPv2 => no IPv6 support
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int e0/1
R1(config-if)# ipv6 address 2001:DB8:CAFE::1/64
R1(config-if)#vrrp 101 ?
  authentication  Authentication
  description     Group specific description
  ip              Enable Virtual Router Redundancy Protocol (VRRP) for IP
  preempt         Enable preemption of lower priority Master
  priority        Priority of this VRRP group
  shutdown        Disable VRRP Configuration
  timers          Set the VRRP timers
  track           Event Tracking
R1(config-if)#vrrp 101
With the default (VRRPv2) there is no address-family keyword under the group, so the IPv6 address cannot be added to VRRP until version 3 is enabled globally.
VRRPv3: enabling it + successful configuration
fhrp version vrrp v3
!
interface Ethernet0/1
 no ip address
 ipv6 address 2001:DB8:CAFE::1/64
 vrrp 101 address-family ipv6
  address FE80::1 primary
  exit-vrrp
Neighbor And Router Discovery
Neighbor Discovery: Solicited-Node Multicast
Solicited-node multicast groups: FF02::1:FF00:0000/104. The low-order 24 bits of the unicast address are appended to the /104 prefix, so every host listens on a group derived from its own address:
2001:db8::0000:0001 -> FF02::1:FF00:0001
2001:db8::0000:0002 -> FF02::1:FF00:0002
(Figure: three hosts on one link, joined to FF02::1:FFAA:AAAA, FF02::1:FFBB:BBBB and FF02::1:FFCC:CCCC respectively.)
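Added example (Python, not from the slides): deriving the solicited-node group and the Ethernet group MAC a host must listen on from a unicast address, and checking whether two addresses land in the same group (only the low 24 bits matter, so hosts in different prefixes can still receive each other's Neighbor Solicitations). The addresses are the documentation addresses used on the slide; the helper names are this example's own.

```python
# Added example (not from the slides): derive the solicited-node multicast group
# and the Ethernet group MAC a host must listen on for a given IPv6 address.
import ipaddress

# FF02::1:FF00:0/104 (RFC 4291 section 2.7.1)
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node_group(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node group = prefix + low-order 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Ethernet destination for an IPv6 group: 33:33 + low 32 bits (RFC 2464)."""
    low32 = (int(group) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def share_group(addr_a: str, addr_b: str) -> bool:
    """True when both addresses map to the same group, so each host also receives
    (and must process) the other's Neighbor Solicitations."""
    return solicited_node_group(addr_a) == solicited_node_group(addr_b)


if __name__ == "__main__":
    for a in ("2001:db8::1", "2001:db8::2", "fe80::6a5b:35ff:fed0:8d7c"):
        g = solicited_node_group(a)
        print(f"{a:32} -> {g}  ({multicast_mac(g)})")
```

The group depends only on the last 24 bits, which is why a scanner that knows one address's suffix can elicit NS traffic from every host sharing it, and why ACLs must let the whole FF02::1:FF00:0/104 range through.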
Beware the ACL “tightening”
ipv6 access-list ingress
 permit tcp host 2001:db8::1 eq 80 any
 deny ipv6 any any log
The implicit entries are evaluated after the configured ones, so the explicit “deny ipv6 any any log” matches first and the implicit ND permits below are never consulted: Neighbor Discovery on that interface breaks.
 permit icmp any any nd-ns   (implicit)
 permit icmp any any nd-na   (implicit)
 deny ipv6 any any           (implicit)
IPv6 ACL Implicit Rules
• IPv6 ACLs configure like “extended named”: matching on SRC, DST, next header
• Applying the ACL uses the ipv6 traffic-filter command
• IPv6 ACLs have multiple implicit rules, similar to the IPv4 implicit deny ip any any
• IOS has 3 implicit IPv6 ACL rules
• NX-OS has 5 implicit IPv6 ACL rules
• IOS-XE has no implicit IPv6 ACL rules
ipv6 access-list NXOS
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-advertise
 permit icmp any any router-solicitation
 deny ipv6 any any
ipv6 access-list IOS
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any
interface GigabitEthernet 0/2
 ipv6 address 2001:db8:50:31::1/64
 ipv6 traffic-filter BLOCK-BAD in
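Added example (Python, not Cisco code): an evaluator that appends the platform's implicit entries after the configured ones, as the two slides above describe, and runs constructed NS/NA packets through the “tightened” ACL, the original ACL and a hardened ACL on each platform. The NX-OS keyword spellings for RA/RS (router-advertisement, router-solicitation) and the IOS-XE behaviour of dropping everything unmatched are assumptions of this example.

```python
# Added example (not Cisco code): evaluate an IPv6 ACL with the platform's implicit
# entries appended after the configured ones, to see which ACLs break Neighbor
# Discovery. NX-OS keyword spellings for RA/RS are an assumption of this example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMPLICIT_RULES = {
    "ios": ["permit icmp any any nd-na",
            "permit icmp any any nd-ns",
            "deny ipv6 any any"],
    "nxos": ["permit icmp any any nd-na",
             "permit icmp any any nd-ns",
             "permit icmp any any router-advertisement",
             "permit icmp any any router-solicitation",
             "deny ipv6 any any"],
    "iosxe": [],   # slide: no implicit entries; unmatched traffic falls to the end-of-list drop
}


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # ACL keyword: nd-ns, nd-na, router-solicitation, ...


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[ipaddress.IPv6Network]
    sport: Optional[int]
    dst: Optional[ipaddress.IPv6Network]
    dport: Optional[int]
    icmp_type: Optional[str]

    def matches(self, p: Packet) -> bool:
        if self.proto != "ipv6" and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.IPv6Address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.IPv6Address(p.dst) not in self.dst:
            return False
        pairs = [(self.sport, p.sport), (self.dport, p.dport), (self.icmp_type, p.icmp_type)]
        return all(want is None or want == got for want, got in pairs)


def parse_rule(text: str) -> Rule:
    """Parse the ACE subset used on the slides:
    <permit|deny> <proto> <any|host A|A/len> [eq P] <any|host A|A/len> [eq P] [icmp-type] [log]"""
    tok = text.split()
    pos = 2

    def addr() -> Optional[ipaddress.IPv6Network]:
        nonlocal pos
        word = tok[pos]
        pos += 1
        if word == "any":
            return None
        if word == "host":
            pos += 1
            return ipaddress.IPv6Network(tok[pos - 1] + "/128")
        return ipaddress.IPv6Network(word, strict=False)

    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1])
        return None

    src, sport, dst, dport = addr(), port(), addr(), port()
    icmp_type = None
    if tok[1] == "icmp" and pos < len(tok) and tok[pos] != "log":
        icmp_type = tok[pos]
    return Rule(tok[0], tok[1], src, sport, dst, dport, icmp_type)


def evaluate(acl: List[str], platform: str, pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; the implicit entries follow the configured ones."""
    for text in list(acl) + IMPLICIT_RULES[platform]:
        rule = parse_rule(text)
        if rule.matches(pkt):
            return rule.action, text
    return "deny", "<end of list>"   # nothing matched: dropped on every platform


# Constructed ND packets: a multicast NS to a solicited-node group and a unicast NA.
ND_PACKETS = [
    Packet("icmp", "fe80::1", "ff02::1:ff00:1", icmp_type="nd-ns"),
    Packet("icmp", "fe80::2", "fe80::1", icmp_type="nd-na"),
]


def nd_survives(acl: List[str], platform: str) -> bool:
    return all(evaluate(acl, platform, p)[0] == "permit" for p in ND_PACKETS)


ORIGINAL = ["permit tcp host 2001:db8::1 eq 80 any"]
TIGHTENED = ORIGINAL + ["deny ipv6 any any log"]
HARDENED = ["permit icmp any any nd-ns", "permit icmp any any nd-na"] + TIGHTENED
```

HARDENED is the portable form: it keeps the logging deny but permits ND explicitly, so it behaves the same on IOS, NX-OS and IOS-XE instead of depending on which implicit entries the platform happens to add.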
NIST guidelines for secure IPv6 deployment (SP 800-119); RFC4890 (filtering ICMPv6 in firewalls)
http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
http://www.ietf.org/rfc/rfc4890.txt
See BRKSEC-2003
Ducks in a Row
• Code paths of requests/replies may differ
• Multicast and unicast processing can differ
• Neighbor Solicitation contains the link-layer address
• May populate the cache without an explicit request
• Beware of defaults
Neighbor Cache State Machine
• Incomplete – pending address resolution, NS message outstanding
• Reachable – recently used mapping; can be refreshed by upper-layer protocol (ULP) confirmation
• Stale – not currently communicating, waiting for the next queued packet
• Delay – using the stale binding, awaiting (ULP) return traffic
• Probe – sending unicast NS to the node (after the Delay timer, 3 x 1 sec)
(Figure: No Entry -> send packet -> Incomplete -> NA -> Reachable -> time expired -> Stale -> send packet -> Delay -> Probe -> NA -> Reachable. A ULP confirmation moves any populated state back to Reachable.)
ReachableTime: How Long Is It?
• BASE_REACHABLE_TIME: sent in the RA, or taken from the default (30000 msec)
• Value in milliseconds
• ReachableTime = Random(0.5 .. 1.5) * BASE_REACHABLE_TIME
• Chosen every few hours or when BASE_REACHABLE_TIME changes
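Added example (Python, not router code): a minimal neighbor-cache entry that follows the state diagram and the ReachableTime rule from the two slides above, so the effect of BASE_REACHABLE_TIME on the Reachable-to-Stale transition can be traced deterministically. Timer constants are the RFC 4861 defaults; the class and function names are this example's own.

```python
# Added example (not router code): neighbor-cache entry following the RFC 4861
# section 7.3 state machine drawn on the slide, with ReachableTime chosen as
# Random(0.5..1.5) * BASE_REACHABLE_TIME. Timer values are the RFC defaults.
import random
from typing import Callable, List, Optional, Tuple

BASE_REACHABLE_TIME_MS = 30_000     # default when no value is advertised in the RA
DELAY_FIRST_PROBE_MS = 5_000        # DELAY_FIRST_PROBE_TIME
RETRANS_TIMER_MS = 1_000            # RETRANS_TIMER ("3 x 1 sec" on the slide)
MAX_SOLICIT = 3                     # MAX_MULTICAST_SOLICIT / MAX_UNICAST_SOLICIT


def reachable_time_ms(base_ms: int, rng: Callable[[], float] = random.random) -> int:
    """ReachableTime = uniform(0.5, 1.5) * BASE_REACHABLE_TIME (milliseconds)."""
    return int((0.5 + rng()) * base_ms)


class NeighborEntry:
    def __init__(self, base_ms: int = BASE_REACHABLE_TIME_MS,
                 rng: Callable[[], float] = random.random) -> None:
        self.state = "NONE"
        self.base_ms, self.rng = base_ms, rng
        self.expires_at: Optional[int] = None     # when the current timer fires (ms)
        self.solicits = 0                         # NS sent while INCOMPLETE/PROBE
        self.history: List[Tuple[int, str]] = []  # (time, state entered)

    def _enter(self, state: str, now: int, timeout: Optional[int] = None) -> None:
        if state != self.state:
            self.history.append((now, state))
        self.state = state
        self.expires_at = None if timeout is None else now + timeout

    def send_packet(self, now: int) -> None:
        """Upper layer transmits to this neighbor."""
        if self.state == "NONE":            # start address resolution (multicast NS)
            self.solicits = 1
            self._enter("INCOMPLETE", now, RETRANS_TIMER_MS)
        elif self.state == "STALE":         # use the stale link-layer address, but verify it
            self._enter("DELAY", now, DELAY_FIRST_PROBE_MS)

    def receive_na(self, now: int, solicited: bool = True) -> None:
        """Neighbor Advertisement from the neighbor."""
        if solicited:
            self._enter("REACHABLE", now, reachable_time_ms(self.base_ms, self.rng))
        elif self.state in ("NONE", "INCOMPLETE"):   # unsolicited NA glean: STALE entry
            self._enter("STALE", now)

    def ulp_confirmation(self, now: int) -> None:
        """Upper-layer proof of forward progress (for example a TCP ACK)."""
        if self.state != "NONE":
            self._enter("REACHABLE", now, reachable_time_ms(self.base_ms, self.rng))

    def tick(self, now: int) -> None:
        """Advance the clock and apply every timer-driven transition up to `now`."""
        while self.expires_at is not None and now >= self.expires_at:
            t = self.expires_at
            if self.state == "REACHABLE":
                self._enter("STALE", t)                 # ReachableTime expired
            elif self.state == "DELAY":
                self.solicits = 1                       # first unicast NS goes out
                self._enter("PROBE", t, RETRANS_TIMER_MS)
            elif self.solicits >= MAX_SOLICIT:          # INCOMPLETE/PROBE gave up
                self._enter("NONE", t)
            else:                                       # retransmit the NS
                self.solicits += 1
                self._enter(self.state, t, RETRANS_TIMER_MS)


def walk_through(base_ms: int = BASE_REACHABLE_TIME_MS) -> List[Tuple[int, str]]:
    """Deterministic trace of the slide's diagram (rng pinned to 0.0 => 0.5 x base)."""
    e = NeighborEntry(base_ms, rng=lambda: 0.0)
    e.send_packet(0)                                    # NONE -> INCOMPLETE, NS sent
    e.receive_na(10)                                    # solicited NA -> REACHABLE
    e.tick(base_ms)                                     # ReachableTime expired -> STALE
    e.send_packet(base_ms)                              # STALE -> DELAY, packet sent anyway
    e.tick(base_ms + DELAY_FIRST_PROBE_MS + 100)        # no ULP confirmation -> PROBE
    e.receive_na(base_ms + DELAY_FIRST_PROBE_MS + 500)  # NA answers the probe -> REACHABLE
    return e.history


def unanswered() -> List[Tuple[int, str]]:
    """Address resolution that nobody answers: three NS, then the entry is removed."""
    e = NeighborEntry(rng=lambda: 0.0)
    e.send_packet(0)
    e.tick(10_000)
    return e.history
```

Raising BASE_REACHABLE_TIME (the slide's 600000 ms) only stretches the Reachable phase; the Stale, Delay and Probe steps still happen on the next packet, which is why the slide pairs it with cache refresh and NA glean rather than relying on it alone.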
Neighbor Table Maintenance
(Figure: active and standby gateways; the active gateway maintains the neighbor table.)
Neighbor Table Maintenance Can Burden The CPU
(Figure: after a failover the newly active gateway has to resolve every neighbor it did not have cached.)
DC ND Tuning
• If FHRP is present or single gateway: increase reachable time
• Pre-populate and maintain the neighbor table
• Rate-limit the address resolution traffic
• Start with this configuration and adjust depending on the site
• Wrong values can impact the neighbor resolution times! TEST!
ipv6 nd reachable-time 600000        ! BASE_REACHABLE_TIME, 10 minutes
ipv6 nd cache expire 14400 refresh   ! expiry
ipv6 nd na glean
mls rate-limit unicast cef glean 1000 10   ! PPS, burst size
Ducks in a Row
• ND has more states than ARP
• Having a “STALE” neighbor entry is OK! Even in a connected Nespresso machine
• The Reachable interval is in milliseconds; remember this when adjusting
• Adjust the Reachable timer up
The model of measurements
• Three levels:
  • Device-level behavior
  • Network-wide behavior
  • Traffic on the network
• Power consumption ~ F(number of hosts on segment, network volatility)
• Two main sources of multicast traffic:
  • IPv6 Neighbor Discovery protocol
  • Service advertisements
• More information on the power consumption model from the author directly: http://tools.ietf.org/html/draft-desmouceaux-ipv6-mcast-wifi-power-usage-01
• Disclaimer: use this model as guidance/basis only; verify your network telemetry!
Power Consumption On A Smartphone
(Figure: current draw I(t) over time: sleeping ~10 mA, awake ~40 mA, CPU awake ~150 mA.)
Experimental Measurements: Per Device
• When joining the network: at least 4 multicast packets issued (RS + 3 DAD); possibly more than 20 (MLD, mDNS)
• Once connected: ~0.021 packets/device/second
Data Analysis From A Real Network (~600 nodes)
• Arrival rates: exponential(λ)
• Connection durations: ?
• Model: power multiplier is K = 1 + (0.03 + 28/Tc) * N
• 27 nodes, 1 hour average connection time: K = 2 (!)
• Here 600 hosts: 1/λ = 6 s (small)! Average connection time = 55 min
Why Multicast Solicited RAs?
RFC4861, 6.2.6. Processing Router Solicitations:
“In addition to sending periodic, unsolicited advertisements, a router sends advertisements in response to valid solicitations received on an advertising interface. A router MAY choose to unicast the response directly to the soliciting host's address (if the solicitation's source address is not the unspecified address), but the usual case is to multicast the response to the all-nodes group.”
Tcpdump On A Host In A Large WiFi Network
(Figure: packet capture screenshot.)
WLC Sends RAs Reliably: Can Reduce Frequency!
APc47a.fe34.1cc9#show capwap mcast mgid all | begin RA MGID
RA MGID Information
MGID = 8341  IPv6 mc2uc Clients = 1
MGID = 8343  IPv6 mc2uc Clients = 1
APc47a.fe34.1cc9#show capwap mcast mgid id 8343
Normal Mcast Clients:
Reliable Mcast Clients:
Client: 14cf.929d.740c --- Qos User Priority: 3 State: ADMITTED
History - Retry Pct: 0 0 0 0 Rate (500Kbps): 0 65535 65535
APc47a.fe34.1cc9#
IOS vs. NX-OS Default Solicited RA Behavior
• NX-OS sends solicited RA packets as unicast
• Periodic RAs are still sent as multicast, as expected
• Easy (less need for RA throttling), but may be harder to debug (unicast vs. multicast)
IOS IPv6 ND RA suppress
• Periodic Router Advertisements: suppressed
• Solicited Router Advertisements: unicast
• Problem: maximum connection time limited by the 9000 sec router lifetime
interface Vlan100
 ipv6 nd ra suppress
IOS Solicited RA Unicast: CSCul29450
• Periodic Router Advertisements sent as multicast
• Solicited Router Advertisements sent as unicast
• Available from 15.4(03)S, 15.4(02)T01
interface Vlan100
 ipv6 nd ra solicited unicast
RFC7772: Do Not Send RAs Too Frequently!
Ducks in a Row
• Router Advertisements require processing; do not blindly send them too frequently
• A Router Solicitation triggers a Router Advertisement, so adjusting the interval alone is not enough
• There are many tools to control the RAs: send solicited RAs unicast, RA throttler
• Work in progress in the IETF to further improve this area
Addressing
DAD (Duplicate Address Detection)
• Neighbor Solicitation from the unspecified ( :: ) address
• At least 1 second delay
• RFC4429 - Optimistic DAD: no delay
• RFC7527 - Enhanced DAD: improved loopback detection, self-healing
IPv6 Host Attachment Procedure
(Figure: message sequence between host and router, reconstructed as a numbered list)
1. Host sends a DAD NS for its link-local address (“Anyone with this addr?”)
2. Host sends a Router Solicitation
3. Router answers with a Router Advertisement carrying the “M”, “O” and “A” flags and the router preference
4. Host sends a DAD NS for its SLAAC global address (A flag)
5. Host sends a DHCPv6 information request; router replies with DNS information (O flag)
6. Host sends a DHCPv6 request; router replies with an address (M flag)
7. Host sends a DAD NS for the DHCPv6 global address
Host State Post-Attachment
M-, O-, A- flags: (Too) Many To Choose From? (For Your Reference)
https://tools.ietf.org/html/draft-ietf-v6ops-dhcpv6-slaac-problem
Host State | Input | Behavior
Host has not acquired any addresses | No RA | Some OS perform DHCPv6, some do not
Host has not acquired any addresses | RA with M=0, O=1 | Some OS acquire info only if A=1
Host has acquired DHCPv6 addresses (M=1, A=0) | RA with M=0 | Some OS release DHCPv6 addresses immediately, some do not
Host has acquired SLAAC-only addresses (A=1, M=0) | RA with M=1 | Some OS acquire a DHCPv6 address immediately, some do not
To SLAAC or not to SLAAC?
• Pros of using SLAAC
  • No need to do stateful DHCP
  • Wide device support (Android!)
  • “IPv6 way”
• Cons of using SLAAC
  • Some stacks (iOS) are very aggressive with temporary addresses
  • More volatility in the binding table/ND
  • Address tracing is harder
Question: Would you run both SLAAC and DHCPv6, and why?
SLAAC, Stationary Hosts, and Temporary Addresses
ayourtch@mcnano:~$ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:1f13:62e:90f8:5341:15d:e733/64 scope global temporary dynamic
       valid_lft 601936sec preferred_lft 82936sec
    inet6 2001:470:1f13:62e:1d4d:4d2b:129e:13b8/64 scope global temporary deprecated dynamic
       valid_lft 516139sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:bc4e:defa:819f:fb40/64 scope global temporary deprecated dynamic
       valid_lft 430342sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:517:5a87:6d1c:618e/64 scope global temporary deprecated dynamic
       valid_lft 344544sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:1cd:10de:7ec0:889e/64 scope global temporary deprecated dynamic
       valid_lft 258747sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:11c9:c1a4:952c:d327/64 scope global temporary deprecated dynamic
       valid_lft 172949sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:59f5:704b:a59a:4f13/64 scope global temporary deprecated dynamic
       valid_lft 87151sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:6a5b:35ff:fed0:8d7c/64 scope global dynamic
       valid_lft forever preferred_lft 86307sec
    inet6 fe80::6a5b:35ff:fed0:8d7c/64 scope link
       valid_lft forever preferred_lft forever
ayourtch@mcnano:~$
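Added example (Python, not from the slides): a parser for `ip -6 addr` output that counts the temporary (RFC 4941) and deprecated addresses a stationary host accumulates, picks out the stable address, and recovers the MAC address that a modified-EUI-64 interface identifier leaks, which is the “address tracing” trade-off from the previous slide seen from the other side. SAMPLE is the slide's own output reflowed; the function names are this example's own.

```python
# Added example (not from the slides): parse `ip -6 addr` output, count temporary
# (RFC 4941) addresses, and recover the MAC that a modified-EUI-64 interface
# identifier leaks. SAMPLE is the slide's output, reflowed one field per line.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:1f13:62e:90f8:5341:15d:e733/64 scope global temporary dynamic
       valid_lft 601936sec preferred_lft 82936sec
    inet6 2001:470:1f13:62e:1d4d:4d2b:129e:13b8/64 scope global temporary deprecated dynamic
       valid_lft 516139sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:bc4e:defa:819f:fb40/64 scope global temporary deprecated dynamic
       valid_lft 430342sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:517:5a87:6d1c:618e/64 scope global temporary deprecated dynamic
       valid_lft 344544sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:1cd:10de:7ec0:889e/64 scope global temporary deprecated dynamic
       valid_lft 258747sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:11c9:c1a4:952c:d327/64 scope global temporary deprecated dynamic
       valid_lft 172949sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:59f5:704b:a59a:4f13/64 scope global temporary deprecated dynamic
       valid_lft 87151sec preferred_lft 0sec
    inet6 2001:470:1f13:62e:6a5b:35ff:fed0:8d7c/64 scope global dynamic
       valid_lft forever preferred_lft 86307sec
    inet6 fe80::6a5b:35ff:fed0:8d7c/64 scope link
       valid_lft forever preferred_lft forever
"""

ADDR_RE = re.compile(
    r"inet6\s+(\S+)/(\d+)\s+scope\s+(\w+)([^\n]*)\n\s*valid_lft\s+(\S+)\s+preferred_lft\s+(\S+)")


@dataclass
class Addr:
    address: ipaddress.IPv6Address
    scope: str
    temporary: bool
    deprecated: bool
    preferred_lft: str


def parse_ip6_addr(text: str) -> List[Addr]:
    out = []
    for m in ADDR_RE.finditer(text):
        flags = m.group(4).split()
        out.append(Addr(ipaddress.IPv6Address(m.group(1)), m.group(3),
                        "temporary" in flags, "deprecated" in flags, m.group(6)))
    return out


def eui64_mac(addr: ipaddress.IPv6Address) -> Optional[str]:
    """MAC embedded in a modified EUI-64 IID (ff:fe in the middle, U/L bit flipped), else None."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def summarize(text: str) -> Dict[str, object]:
    addrs = parse_ip6_addr(text)
    glob = [a for a in addrs if a.scope == "global"]
    return {
        "temporary": sum(a.temporary for a in glob),
        "deprecated": sum(a.deprecated for a in glob),
        "stable": [str(a.address) for a in glob if not a.temporary],
        "leaked_macs": sorted({m for m in (eui64_mac(a.address) for a in addrs) if m}),
    }
```

On this host seven temporary addresses are still valid (six of them already deprecated), each of which may still be held in a gateway's binding table, while the one stable address and the link-local address both embed the same MAC, so the host is trackable across networks whatever the temporary addresses do.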
To SLAAC or not to SLAAC? (DHCPv6 with autoconfiguration disabled)
interface Vlan102
 ip address 10.2.1.1 255.255.255.0
 ipv6 address FE80::1 link-local
 ipv6 address 2001:db8::1/64
 ipv6 nd prefix default 86400 3600 no-autoconfig
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 nd router-preference High
 ipv6 nd ra mtu suppress
 ipv6 nd ra interval 300
 ipv6 dhcp server DUALSTACK
end
MAC Address Randomization in Windows 10
https://www.ietf.org/proceedings/93/slides/slides-93-intarea-5.pdf
Quiz: “No valid route for destination” – why?
R1#show run interface Gig0/1
Interface GigabitEthernet1/0
 no ip address
 negotiation auto
 ipv6 address FE80::1 link-local
 ipv6 address 2001:DB8::1/64
R1#
R1#ping 2001:db8::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8::2, timeout is 2 seconds:
% No valid route for destination
Success rate is 0 percent (0/1)
What’s the problem?
Ducks in a Row
• Modern hosts implement optimizations
  • Optimistic DAD
  • Attempt to use the old IPv6 address
• DHCPv6 – more “traditional”
  • Allows control of addresses (the DUID may not be known in advance)
  • DHCPv6-PD allows prefix allocation
• SLAAC
  • Device-centric model
  • Decentralized
  • No influence over the Interface ID used by a host
IPv4 Coexistence And Transition
Dualstack: Always remember both protocols
(Figure) Type “example.com” and press Enter:
A? “example.com” -> connect 192.0.43.10
AAAA? “example.com” -> connect 2001:500:88:200::10
GET / HTTP/1.1
Host: example.com
The problem: RFC3484, if the IPv6 connection fails
(Figure, time running downwards) User: “example.com” -> getaddrinfo(“example.com”) -> attempt IPv6 connect -> … connection failure, only after the connect timeout -> attempt IPv4 connect -> retrieve and display
RFC6555: Happy Eyeballs: Success with Dual-Stack Hosts
Internet Engineering Task Force (IETF)   D. Wing, A. Yourtchenko (Cisco)
Request for Comments: 6555, Category: Standards Track, ISSN: 2070-1721, April 2012
Happy Eyeballs: Success with Dual-Stack Hosts
Abstract
“When a server's IPv4 path and protocol are working, but the server's IPv6 path and protocol are not working, a dual-stack client application experiences significant connection delay compared to an IPv4-only client. This is undesirable because it causes the dual-stack client to have a worse user experience. This document specifies requirements for algorithms that reduce this user-visible delay and provides an algorithm.”
RFC6555 in a nutshell
(Figure) User: “example.com” -> attempt IPv6 lookup and connect; ~300 ms later, in parallel, attempt IPv4 lookup and connect -> retrieve and display over whichever connects first
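Added example (Python, not the RFC's or any vendor's code) covering the RFC3484-style sequential fallback and the RFC6555 race from the slides above: IPv6 is started first, IPv4 is started ~300 ms later only if IPv6 has neither succeeded nor failed, and the loser is cancelled. The connectors are simulated coroutines with constructed delays so the scenarios run offline; the function names and the 300 ms head start are this example's choices.

```python
# Added example (not the RFC's or any vendor's code): the RFC 6555 race versus the
# RFC 3484-era sequential fallback, with simulated connectors so it runs offline.
import asyncio
from typing import Awaitable, Callable, Tuple

Connector = Callable[[], Awaitable[str]]


def simulated(label: str, delay: float, fail: bool = False) -> Connector:
    """Constructed connector: 'connects' after `delay` seconds, or fails at that point."""
    async def connect() -> str:
        await asyncio.sleep(delay)
        if fail:
            raise ConnectionRefusedError(label)
        return label
    return connect


async def sequential(connect_v6: Connector, connect_v4: Connector, timeout: float) -> str:
    """Pre-Happy-Eyeballs behaviour: try IPv6, fall back to IPv4 only after it fails or times out."""
    try:
        return await asyncio.wait_for(connect_v6(), timeout)
    except (OSError, asyncio.TimeoutError):
        return await connect_v4()


async def happy_eyeballs(connect_v6: Connector, connect_v4: Connector,
                         head_start: float = 0.3) -> str:
    """Start IPv6 first; if it has neither succeeded nor failed within head_start,
    start IPv4 in parallel and use whichever connects first, cancelling the loser."""
    v6 = asyncio.create_task(connect_v6())
    await asyncio.wait({v6}, timeout=head_start)
    if v6.done() and v6.exception() is None:
        return v6.result()
    v4 = asyncio.create_task(connect_v4())
    pending = {v4} if v6.done() else {v6, v4}
    while pending:
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for loser in pending:
                    loser.cancel()
                return task.result()
    raise OSError("both address families failed")


def race(v6_delay: float, v6_fails: bool, v4_delay: float,
         legacy: bool = False, timeout: float = 0.5) -> Tuple[str, float]:
    """Run one scenario; return (winning family, seconds the user waited)."""
    async def run() -> Tuple[str, float]:
        loop = asyncio.get_running_loop()
        start = loop.time()
        v6, v4 = simulated("v6", v6_delay, v6_fails), simulated("v4", v4_delay)
        winner = await (sequential(v6, v4, timeout) if legacy else happy_eyeballs(v6, v4))
        return winner, loop.time() - start
    return asyncio.run(run())


if __name__ == "__main__":
    print("IPv6 path black-holed, legacy client:", race(10.0, False, 0.05, legacy=True, timeout=2.0))
    print("IPv6 path black-holed, Happy Eyeballs:", race(10.0, False, 0.05))
    print("IPv6 refused quickly, Happy Eyeballs:", race(0.1, True, 0.05))
    print("IPv6 healthy, Happy Eyeballs:", race(0.05, False, 0.05))
```

The black-holed case is the one that hurts: a legacy client waits for the full connect timeout before trying IPv4, while the race costs at most the head start. Note the consequence for the network side: the dual-stack choice is made by the client's timing, which is why the next slide tests with IPv4-only and IPv6-only hostnames.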
Happy eyeballs - happy admin?
• Dualstack selection may not be deterministic
• Add two hostnames, one IPv4-only and one IPv6-only; retest with them if in doubt.
dhcp-10-149-4-30:~ ayourtch$ host stdio.be
stdio.be has address 188.40.136.148
stdio.be has IPv6 address 2a01:4f8:101:3245::cafe
stdio.be mail is handled by 10 mail.stdio.be.
dhcp-10-149-4-30:~ ayourtch$ host ipv6.stdio.be
ipv6.stdio.be has IPv6 address 2a01:4f8:101:3245::cafe
dhcp-10-149-4-30:~ ayourtch$ host ipv4.stdio.be
ipv4.stdio.be has address 188.40.136.148
dhcp-10-149-4-30:~ ayourtch$
IPv6 troubleshooting for Helpdesks
http://isp.testipv6.com
https://www.ripe.net/ripe/groups/tf/bcop/ipv6-troubleshooting-for-residential-isp-helpdesks
Ducks in a Row
• Instrument for monitoring of both address families
• The good tooling and education are there
• There are established procedures for first-level troubleshooting. Use them!
IPv6-centric Deployments
Do they exist, IPv6-only clients?
Picture: http://en.wikipedia.org/wiki/File:Oftheunicorn.jpg
Unicorns in the wild
Ron Broersma, Sander Steffann
IPv6-only clients: yes, they do exist!
Picture source: http://en.wikipedia.org/wiki/Rhinoceros
Search: “deploy360 t-mobile case study”
http://www.internetsociety.org/deploy360/resources/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/
Sebastien Marineau, VP of Core OS, Apple (June 2015):
“Because IPv6 support is so critical to ensuring your applications work across the world for every customer, we are making it an AppStore submission requirement, starting with iOS 9.”
Mobile Provider Using IPv6 Only
• Legacy applications use embedded IPv4 literals in their code
• RFC6877 464XLAT “fixes” the broken code for now
(Figure: on the handset a legacy application speaks IPv4 to the CLAT, which translates 4 to 6; the IPv6-only carrier network carries it to the PLAT, which translates 6 to 4 towards the IPv4 Internet and edge services. An intelligent application uses IPv6 natively to the IPv6 Internet.)
464XLAT: legacy apps "just work"
(Figure: IPv4 traffic from the legacy application is carried as IPv6 traffic across the IPv6-only network.)
https://developer.apple.com/support/ipv6/
“Starting June 1, 2016 all apps submitted to the App Store must support IPv6-only networking.”
Ducks in a Row
• Different OS use different approaches for legacy apps
• Higher-level APIs provide better coexistence support
• Any new applications MUST be designed with IPv6-only/NAT64 in mind
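Added example (Python, not T-Mobile's, Apple's or any CLAT implementation) for the 464XLAT and NAT64 slides above: the RFC 6052 embedding of an IPv4 address into a NAT64 prefix, which is what a CLAT or PLAT applies to carry an IPv4 literal across an IPv6-only network, its inverse, and a helper showing what an IPv6-only host has to do when an application hands it a literal. The prefix values are from RFC 6052 section 2.4; the function names are this example's own.

```python
# Added example (not T-Mobile's, Apple's or any CLAT implementation): the RFC 6052
# embedding a CLAT/PLAT (464XLAT) or DNS64 applies so an IPv4 literal can be carried
# across an IPv6-only network. Prefix values follow RFC 6052 section 2.4.
import ipaddress
from typing import Optional, Union

WKP = ipaddress.IPv6Network("64:ff9b::/96")     # Well-Known Prefix
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
Prefix = Union[str, ipaddress.IPv6Network]


def _net(prefix: Prefix) -> ipaddress.IPv6Network:
    return prefix if isinstance(prefix, ipaddress.IPv6Network) else ipaddress.IPv6Network(prefix)


def synthesize(ipv4: Union[str, ipaddress.IPv4Address], prefix: Prefix = WKP) -> ipaddress.IPv6Address:
    """Embed an IPv4 address after the prefix; octet 8 (bits 64-71, 'u') stays zero."""
    net = _net(prefix)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"NAT64 prefix length must be one of {RFC6052_PREFIX_LENGTHS}")
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:
            pos += 1                  # skip the reserved 'u' octet
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract(ipv6: Union[str, ipaddress.IPv6Address], prefix: Prefix = WKP) -> Optional[ipaddress.IPv4Address]:
    """Inverse of synthesize(); None when the address is not inside the NAT64 prefix."""
    net, addr = _net(prefix), ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    packed, pos, octets = addr.packed, net.prefixlen // 8, bytearray()
    while len(octets) < 4:
        if pos == 8:
            pos += 1
        octets.append(packed[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(octets))


def clat_destination(literal: str, prefix: Optional[Prefix]) -> ipaddress.IPv6Address:
    """What an IPv6-only host must actually connect to when an application hands it a literal.
    IPv6 literals pass through; IPv4 literals only work when the NAT64 prefix is known
    (on a 464XLAT handset the CLAT does this; without it the legacy app simply fails)."""
    addr = ipaddress.ip_address(literal)
    if isinstance(addr, ipaddress.IPv6Address):
        return addr
    if prefix is None:
        raise OSError(f"IPv4 literal {literal} is unreachable from an IPv6-only host without NAT64")
    return synthesize(addr, prefix)


if __name__ == "__main__":
    for plen, pfx in ((32, "2001:db8::/32"), (48, "2001:db8:122::/48"), (96, str(WKP))):
        v6 = synthesize("192.0.2.33", pfx)
        print(f"/{plen}: 192.0.2.33 -> {v6} -> {extract(v6, pfx)}")
```

Applications that resolve names get this for free from DNS64; the ones that break are exactly those with IPv4 literals hard-coded, which is the gap the CLAT closes on the handset and the reason the Apple requirement on the next slide matters.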
IPv6-only deployments: it's a reality
• IPv6-only clients
  • T-Mobile USA: http://www.internetsociety.org/deploy360/resources/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/
  • Orange Poland: https://www.youtube.com/watch?v=Y0G5PTtZjTM (Polish language)
  • Telenor Norway (opt-in): http://blog.toreanderson.no/2015/09/20/ipv6-mobile-roaming-possible-or-not.html
• IPv6-only servers
  • Redpill Linpro: http://blog.ipspace.net/2012/05/ipv6-only-data-center-built-by-tore.html
Conclusions and Takeaways
• Main changes are at the first hop
• Prolonged use of dualstack introduces complexity
• Keep sunsetting IPv4 in mind from the start: IPv6-only is your goal
• IPv6-only requirements from endpoint vendors pave the way to future single-stack deployments
• Don’t panic!
Shameless self-promotion of my own quotes - Nicole Wajer
"IPv6 is Internet broccoli. Good for us in the long run but no immediate sugar rush from deploying it"
Future IPv6 this week in Barcelona (CLEUR)
More IPv6 Sessions
When | Session | Title
29 Jan 2019 / 14:15 | LABSPG-3122 | Advanced IPv6 Routing and services lab
29 Jan 2019 / 14:30 | BRKIP6-2616 | Beyond Dual-Stack: Using IPv6 like you’ve never imagined
30 Jan 2019 / 11:00 | BRKSPG-2602 | IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers
30 Jan 2019 / 14:30 | BRKIP6-2301 | Intermediate - Enterprise IPv6 Deployment
31 Jan 2019 / 08:30 | BRKRST-3304 | Hitchhiker's Guide to Troubleshooting IPv6 - Advanced
31 Jan 2019 / 11:00 | BRKRST-2619 | IPv6 Deployment: Developing an IPv6 Addressing Plan and Deploying IPv6
31 Jan 2019 / 11:00 | BRKSEC-3200 | Advanced IPv6 Security Threats and Mitigation
31 Jan 2019 / 14:00 | LTRIPV-2494 | IPv6 Transformation Lab
31 Jan 2019 / 14:00 | LABSPG-3122 | Advanced IPv6 Routing and services lab
(self-paced) | LABIPV-2261 | IPv6 planning, deployment and transition
(self-paced) | LABCRS-1000 | Intro IPv6 Addressing and Routing Lab
Key Take Away
• Gain operational experience now
• IPv6: the time is now.
• Control IPv6 traffic as you would IPv4
Nexus7000 not passing IPv6 traffic
• On M1, M2 and M3 modules, you must disable IGMP optimized multicast flooding (OMF) on all VLANs that require IPv6 multicast packet forwarding.
• On F2 modules, you must disable IGMP optimized multicast flooding (OMF) on all VLANs that require IPv6 packet forwarding (unicast or multicast). IPv6 neighbor discovery only functions in a VLAN with the OMF feature disabled.
no ip igmp snooping optimise-multicast-flood
• http://tinyurl.com/mld-nexus7K
• http://www.cisco.com/en/US/docs/switches/datacenter/sw/nx-os/multicast/configuration/guide/b_multicast_chapter_0100.html#concept_4401AA5D7477469E9208FCE766906395
NDP Scaling Techniques (For Your Reference. WARNING: MUST USE WITH CAUTION)
• ND cache sizing: ipv6 nd cache interface-limit. Need to account for link-local addresses
• NUD Reachable Time: ipv6 nd reachable-time. Using a FHRP, move from 30 sec (default) to 10 minutes
• Scavenge and refresh timer: ipv6 nd cache expire. Using a FHRP, use refresh in conjunction with NA glean
• Unsolicited NA glean: ipv6 nd na glean. Creates neighbor entries from unsolicited NAs received
• Router Advertisements: ipv6 nd ra interval. IOS = 200 sec, NX-OS = 600 sec; router lifetime = 3x RA interval
Enhancements to Router Discovery/Maintenance
• draft-ietf-6man-maxra: increase max router lifetime from 9000 to 65535
• draft-ietf-6man-rs-refresh-01: client-initiated RA refresh
• RFC7559: resilient (re)transmission of the initial RS
ND: Router Maintenance
(Figure: the router sends an RA every 200 sec +/- jitter; each IPv6 host holds a router lifetime that counts down and is reset by every RA it receives.)
Multicast multicast mode
(Figure: WLC multicast-multicast mode screenshot.)
Multicast CAPWAP packet
(Figure: capture of a multicast CAPWAP packet.)
PIM SSM configuration
ip pim rp-address 172.16.10.50
ip pim ssm default
!
interface GigabitEthernet1
 ip address 172.17.1.1 255.255.255.0
 ip pim sparse-mode
 ip igmp version 3
Output “show ip mroute” on the router
Outgoing interface flags: H - Hardware switched, A - Assert
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(172.17.1.20, 232.1.1.2), 00:12:36/00:02:23, flags: sTI
  Incoming interface: GigabitEthernet1, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet1.118, Forward/Sparse, 00:12:36/00:02:23

(*, 224.0.1.40), 00:24:39/00:02:53, RP 172.16.10.50, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet1, Forward/Sparse, 00:24:39/00:02:53
Multicast at a glance on the AP
APc47a.fe34.1cc9#show capwap mcast
CAPWAP MULTICAST
Multicast Group: 232.1.1.2, Source: 172.17.1.20
V1 Rpt Sent: 0;   V2 Rpt Sent: 2
V3 Rpt Sent: 189; Leave Sent: 1
V1 Query Rcvd: 0; V2 Query Rcvd: 0
V3 Query Rcvd: 188; V1 Rpt Rcvd: 0
V2 Rpt Rcvd: 0;   V3 Rpt Rcvd: 0
APc47a.fe34.1cc9#
Check Clients in Reliable Multicast Groups
APc47a.fe34.1cc9#show capwap mcast mgid all | begin RA MGID
RA MGID Information
MGID = 8341  IPv6 mc2uc Clients = 1
MGID = 8343  IPv6 mc2uc Clients = 1
APc47a.fe34.1cc9#show capwap mcast mgid id 8343
Normal Mcast Clients:
Reliable Mcast Clients:
Client: 14cf.929d.740c --- Qos User Priority: 3 State: ADMITTED
History - Retry Pct: 0 0 0 0 Rate (500Kbps): 0 65535 65535
APc47a.fe34.1cc9#
Since WLC 8.0: Multicast Packet Counters
APc471.fe34.1cc9#show capwap mcast mgid id 8343
rx pkts = 4
tx packets:
wlan  : 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
slots0: 0 8 0 0 0 0 0 0 0 0 0  0  0  0  0  0
slots1: 0 0 0 0 0 0 0 0 0 0 0  0  0  0  0  0
Normal Mcast Clients:
Reliable Mcast Clients:
Client: 14cf.929d.740c --- SlotId: 0 WlanId: 1 --- Qos User Priority: 3 State: ADMITTED
History - Retry Pct: 0 0 0 0 Rate (500 Kbps): 0 65535 65535 65535
Client: 14cf.923c.117c --- SlotId: 0 WlanId: 1 --- Qos User Priority: 3 State: ADMITTED
History - Retry Pct: 0 0 0 0 Rate (500 Kbps): 0 65535 65535 65535
APc471.fe34.1cc9#
C6500/C7600 SUP720 TCAM Customization
7600# show mls cef summary
Total routes:            513525
IPv4 unicast routes:     513507
  IPv4 non-vrf routes:   513507
  IPv4 vrf routes:       0
IPv4 Multicast routes:   3
MPLS routes:             1
IPv6 unicast routes:     5
  IPv6 non-vrf routes:   5
  IPv6 vrf routes:       0
IPv6 multicast routes:   3
EoM routes:              1
7600#
Default is 512K IPv4 routes
C6500/C7600 SUP720 TCAM Customization
7600# show mls cef max
FIB TCAM maximum routes :
=======================
Current :
--------
IPv4 + MPLS         - 512k (default)
IPv6 + IP Multicast - 256k (default)
7600#
https://supportforums.cisco.com/discussion/11333356/cisco-7609-rsp720-3cxl-ge-mls-cef-maximum-routes
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html
• Changing the TCAM layout requires a reboot
• Sup2T has a shared pool of TCAM for IPv4 and IPv6: no customization needed
mls cef maximum-routes ip 768
Not 1000! Leave some space for IPv6 routes!
NetScaler: Need IPv6 Protocol Translation “on”
(Screenshot)
Backend services configuration: as usual
(Screenshot)
NetScaler VIP configuration
(Screenshot)
NetScaler: “Use Source IP” needs to be unchecked
(Screenshot)
Service Properties: “Use Source IP” Must Be Unchecked
(Screenshot)
Working captures from client side and server side
(Screenshot)
VIP statistics services
(Screenshot)
Nexus 1000V flow vPath
cdn-nexus1k-4# show vservice connection
Actions(Act):
d - drop             s - reset
p - permit           t - passthrough
r - redirect         e - error
n - not processed    upper case - offloaded
Flags:
A - seen ack for syn/fin from src    a - seen ack for syn/fin from dst
E - tcp conn established (SasA done)
F - seen fin from src                f - seen fin from dst
R - seen rst from src                r - seen rst from dst
S - seen syn from src                s - seen syn from dst
T - tcp conn torn down (FafA done)   x - IP-fragment connection

#Port-Profile:Access_vlan1353 Node:ns1000v
#Module 3
Proto SrcIP[:Port]        SAct DstIP[:Port]       DAct Flags Bytes
icmp  192.168.37.1             192.168.37.32      p          546
icmp  192.168.37.1             192.168.37.31      p          546
tcp   192.168.37.1:1805        192.168.37.32:80   p    E     1255
cdn-nexus1k-4#
NetScaler CLI outputs
129BRKRST-3304
> show ipIpaddress TD Type Mode Arp Icmp Vserver State--------- -- ---- ---- --- ---- ------- ------
1) 10.48.62.6 0 NetScaler IP Active Enabled Enabled NA Enabled2) 10.48.62.8 0 SNIP Active Enabled Enabled NA Enabled3) 192.168.37.1 0 SNIP Active Enabled Enabled NA Enabled4) 192.168.35.2 0 SNIP Active Enabled Enabled NA Enabled5) 192.168.35.20 0 VIP Active Enabled Enabled Enabled Enabled>
NetScaler CLI outputs
> show ip6
IPv6 Address                    TD  Vlan  Type  Scope       State
------------                    --  ----  ----  -----       -----
1) fe80::202:3dff:fe70:6605/64  0   1     NSIP  link-local  ACTIVE
2) 2001:db8:1::1/64             0   NA    SNIP  global      ACTIVE
3) 2001:db8:1::10/128           0   NA    VIP   global      ACTIVE
 Done
>
NetScaler CLI outputs
> show nd6
Neighbor                     MAC-Address(Vlan, Interface)   TD  State      TIME
--------                     ----------------------------   --  -----      --------
1) ::1                       00:02:3d:70:66:05( 1, LO/1)    0   REACHABLE  PERMANENT
2) fe80::202:3dff:fe70:6605  00:02:3d:70:66:05( 1, LO/1)    0   REACHABLE  PERMANENT
3) 2001:db8:1::1000          00:50:56:b8:9d:4d(1351, 1/1)   0   REACHABLE  00:00:21
4) fe80::38b8:1c9:2338:e677  00:50:56:b8:9d:4d(1351, 1/1)   0   STALE      00:04:39
 Done
>
NetScaler CLI outputs
> show lb vserver static_VIP_vlan_1351_v6
static_VIP_vlan_1351_v6 (2001:db8:1::10.80) - HTTP  Type: ADDRESS
State: UP
Last state change was at Thu Jan 16 08:52:56 2014
Time since last state change: 0 days, 00:04:11.900
Effective State: UP
Client Idle Timeout: 180 sec
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
Appflow logging: ENABLED
Port Rewrite : DISABLED
No. of Bound Services : 2 (Total) 2 (Active)
Configured Method: LEASTCONNECTION
Current Method: Round Robin, Reason: Bound service's state changed to UP
Mode: IP
Persistence: NONE
Vserver IP and Port insertion: OFF
Push: DISABLED  Push VServer:
Push Multi Clients: NO
Push Label Rule: none
L2Conn: OFF
Skip Persistency: None
IcmpResponse: PASSIVE
New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0
TD: 0
Mac mode Retain Vlan: DISABLED
DBS_LB: DISABLED
DNS64 Synth: DISABLED
Bypass AAAA: NO

1) HTTP_vm-31 (192.168.37.31: 80) - HTTP  State: UP  Weight: 1
2) HTTP_vm-32 (192.168.37.32: 80) - HTTP  State: UP  Weight: 1
DHCPv6
• Defined in RFC3315
• Multiple enhancements/additions
• DHCPv6-PD, Stateless DHCPv6…
• Work In Progress: “draft-3315-bis”
• DHCPv6-PD (RFC3633)
• Stateless DHCPv6 extensions (RFC3736)
• Interaction between the mechanisms (RFC7550)
• https://tools.ietf.org/html/draft-ietf-dhc-rfc3315bis
Capture Packets on iOS Devices
SLB setup
[Figure: SLB setup. Client leg: IPv6, towards the IPv6 Internet. Server leg: IPv4, towards the IPv4 back-end (IPv4 Internet).]
MTU “impedance mismatch”
[Figure: the same TCP payload behind an IPv6 header and behind an IPv4 header]

IPv6 hdr (40 bytes) | TCP hdr (20 bytes) | Data (N bytes)   -> MTU6
IPv4 hdr (20 bytes) | TCP hdr (20 bytes) | Data (N bytes)   -> MTU4

MTU4 = 20 + 20 + N
MTU6 = 40 + 20 + N
MTU6 = MTU4 + 20
SSL/TLS Offload and MTU
[Figure: SSL/TLS offload between the IPv6 client leg and the IPv4 server leg]

Client leg (IPv6, with TLS):  IPv6 (40) | TCP (20) | TLS (21..35) | Data (N bytes)   -> MTU
Server leg (IPv4, with TLS):  IPv4 (20) | TCP (20) | TLS (21..35) | Data (N bytes)   -> MTU
Server leg (IPv4, plaintext): IPv4 (20) | TCP (20) | Data (N bytes)                  -> MTU
Client leg (IPv6, plaintext): IPv6 (40) | TCP (20) | Data (N bytes)                  -> MTU

MTU6tls = MTU4 + (41..55)
MTU4tls = MTU4 + (21..35)
RFC2460
“IPv6 requires that every link in the internet have an MTU of 1280 octets or greater. On any link that cannot convey a 1280-octet packet in one piece, link-specific fragmentation and reassembly must be provided at a layer below IPv6.”
PMTUD: review of the mechanism
[Figure: PMTUD mechanism. 1: Data is sent. 2: the router on the smaller link returns ICMP PTB (MTU=1280). 3: Data is re-sent at the reduced size. 4: Data is delivered.]
“Naïve” PMTUD with SSL offload
[Figure: "naïve" PMTUD with SSL offload. 1: client Data (TLS) to the offload device. 2: Data forwarded on the server leg. 3: ICMP PTB from the server leg ("MTU here: 1280"). 4: ICMP PTB relayed to the client. 5: Data re-sent. 6: TLS Data forwarded.]

Spot the problem!
IPv4 has min MTU of 68, IPv6 has min MTU of 1280
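An added example (not from the slides) that turns the header arithmetic above into code: MTU6 = MTU4 + 20, MTU6tls = MTU4 + (41..55), and what a relayed IPv4 PTB implies for the IPv6 client leg when the result falls under the 1280-byte IPv6 minimum. The TLS record overhead range 21..35 comes from the slide; the function names are my own.

```python
# Added example: MTU "impedance mismatch" arithmetic for a load balancer with an
# IPv6 client leg and an IPv4 server leg, following the slide's formulas
# MTU6 = MTU4 + 20 and MTU6tls = MTU4 + (41..55), plus the RFC2460 minimum.
from dataclasses import dataclass

IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20
TLS_MIN, TLS_MAX = 21, 35            # per-record TLS overhead range (from the slide)
IPV6_MIN_MTU, IPV4_MIN_MTU = 1280, 68


def mtu6_for_same_payload(mtu4: int) -> int:
    """Plain SLB: same TCP payload, 20 more bytes of IP header (MTU6 = MTU4 + 20)."""
    return mtu4 + (IPV6_HDR - IPV4_HDR)


def mtu6_tls_range(mtu4: int) -> tuple[int, int]:
    """TLS offload: the client-leg segment also carries TLS record overhead."""
    base = mtu6_for_same_payload(mtu4)
    return base + TLS_MIN, base + TLS_MAX      # MTU6tls = MTU4 + (41..55)


@dataclass
class RelayedPtb:
    client_mtu6: int           # largest IPv6 packet the client may keep sending
    below_ipv6_minimum: bool   # True: IPv6 cannot go lower, the IPv4 side must fragment


def relay_ptb(ptb_mtu4: int, tls_offload: bool) -> RelayedPtb:
    """Translate an IPv4 ICMP PTB from the server leg into the IPv6 client leg.

    The safe client-leg size is the one whose plaintext still fits ptb_mtu4 on
    IPv4; with TLS offload that means assuming the smallest TLS overhead.
    IPv4 allows PTB values down to 68 bytes, but IPv6 never goes below 1280, so
    an implied size under 1280 cannot be signalled to the client at all (the
    "spot the problem" case on the slide).
    """
    if ptb_mtu4 < IPV4_MIN_MTU:
        raise ValueError(f"invalid IPv4 MTU {ptb_mtu4}")
    fit = mtu6_for_same_payload(ptb_mtu4) + (TLS_MIN if tls_offload else 0)
    if fit < IPV6_MIN_MTU:
        return RelayedPtb(IPV6_MIN_MTU, True)
    return RelayedPtb(fit, False)


if __name__ == "__main__":
    print(mtu6_for_same_payload(1480))          # 1500 (IPv6-in-IPv4 tunnel case)
    print(mtu6_tls_range(1480))                 # (1521, 1535)
    print(relay_ptb(1280, tls_offload=True))    # client_mtu6=1321, honoured
    print(relay_ptb(1200, tls_offload=True))    # 1241 < 1280: clamped and flagged
```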
PMTUD: Not New, But Well Forgotten
• Test with different client MTUs
• 1280 (Minimal IPv6 MTU, set on some tunnels)
• 1480 (IPv6-in-IPv4)
• 1500 (standard Ethernet)
• Keep ICMPv6 in mind when designing the network
NAT64 Setup
[Figure: NAT64 setup. Client leg: IPv6, towards the IPv6 Internet. Server leg: IPv4, towards the IPv4 back-end (IPv4 Internet).]

1  s: [2607:f128:42:73::2]:37897
   d: [2610:d0:1208:cafe::72.163.4.161]:80
2  asr1knat64-xtr#sh nat64 trans
   tcp    72.163.4.161:80                     153.16.17.82:1056
          [2610:d0:1208:cafe::48a3:4a1]:80    [2607:f128:42:73::2]:37897
3  s: 153.17.16.82:1056
   d: 72.163.4.161:80
4  s: 72.163.4.161:80
   d: 153.17.16.82:1056
5  s: [2610:d0:1208:cafe::72.163.4.161]:80
   d: [2607:f128:42:73::2]:37897
Symptom: IPv6 clients cannot connect
%NAT64-6-ADDR_ALLOC_FAILURE: Address allocation failed; pool 1 may be exhausted

asr1knat64-xtr#show nat64 stat | beg Dynamic
Dynamic Mapping Statistics
 v6v4
  access-list NAT64 pool TEST refcount 2
   pool TEST:
    start 153.16.17.84 end 153.16.17.84
    total addresses 1, allocated 1 (100%)
    address exhaustion packet count 0
Limit Statistics
asr1knat64-xtr#
Verify the translation table
asr1knat64-xtr#show nat64 trans
Proto  Original IPv4                        Translated IPv4
       Translated IPv6                      Original IPv6
----------------------------------------------------------------
---    ---                                  153.16.17.84
                                            2a01:4f8:101:3245::fafa
---    192.0.2.2                            153.16.17.84
       2610:d0:1208:cafe::c000:202          2a01:4f8:101:3245::fafa
Total number of translations: 2
asr1knat64-xtr#
Problem: Address pool exhausted due to 1:1 NAT
[Figure: IPv6 hosts on Gig0/0/0, IPv4 hosts on Gig0/0/1]

nat64 prefix stateful 2610:D0:1208:CAFE::/96
nat64 v4 pool TEST 153.16.17.84 153.16.17.84
nat64 v6v4 list NAT64 pool TEST overload
ipv6 access-list NAT64
 permit ipv6 any 2610:D0:1208:CAFE::/96
Solution: be more specific on the NAT[46]4 ACLs!
[Figure: IPv6 hosts on Gig0/0/0, IPv4 hosts on Gig0/0/1]

ipv6 access-list NAT64
 no permit ipv6 any 2610:D0:1208:CAFE::/96
 permit tcp any 2610:D0:1208:CAFE::/96
 permit udp any 2610:D0:1208:CAFE::/96
 permit icmp any 2610:D0:1208:CAFE::/96
Verify the translation table
asr1knat64-xtr#clear nat64 trans all
asr1knat64-xtr#sh nat64 trans
Proto  Original IPv4                        Translated IPv4
       Translated IPv6                      Original IPv6
----------------------------------------------------------------
tcp    192.0.2.2:80                         153.16.17.84:1024
       [2610:d0:1208:cafe::c000:202]:80     [2a01:4f8:101:3245::cafe]:12345
udp    192.0.2.2:53                         153.16.17.84:512
       [2610:d0:1208:cafe::c000:202]:53     [2a01:4f8:101:3245::cafe]:53
Total number of translations: 2
asr1knat64-xtr#
Happy Eyeballs (RFC6555)
• Chrome/Firefox: use the “backup thread” mechanism, 300ms delay
• iOS / MacOS X: 25ms preference for IPv6; connect-by-name proprietary API; re-sorting by the order of received replies if using getaddrinfo()
• Windows 8: perform a connectivity check and, if it does not work, change the sorting order in the RFC3484 getaddrinfo() call to prefer IPv4, then cache the result.
• http://support.microsoft.com/kb/2750841
Testing NAT64 client applications
http://docwiki.cisco.com/wiki/IPv6_only_setup_with_NAT64
ipv6 access-list NAT64
 permit tcp 2001:DB8::/64 64:FF9B::/64
 permit udp 2001:DB8::/64 64:FF9B::/64
 permit icmp 2001:DB8::/64 64:FF9B::/64
!
!
nat64 v4 pool NAT64-IPv4 192.0.2.1 192.0.2.1
nat64 v6v4 list NAT64 pool NAT64-IPv4 overload
!
Have A Mac (with 10.11)? Have IPv6-Only Network!
Alt-Click
OS X El Capitan (10.11) as access gateway
IPv6-only deployments: it's a reality
• IPv6-only clients
• T-Mobile USA
• http://www.internetsociety.org/deploy360/resources/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/
• Orange Poland
• https://www.youtube.com/watch?v=Y0G5PTtZjTM (Polish language)
• Telenor Norway (opt-in)
• http://blog.toreanderson.no/2015/09/20/ipv6-mobile-roaming-possible-or-not.html
• IPv6-only servers
• Redpill Linpro
• http://blog.ipspace.net/2012/05/ipv6-only-data-center-built-by-tore.html
IPv6-only: Not Just For Networking Geeks!
http://www.slideshare.net/yuyarin/janog37-ltcedecnet2015-en-57359924
NAT64 for an IPv6-only client
[Figure: NAT64 for an IPv6-only client. IPv6 traffic on the client side, IPv4 traffic on the server side; the IPv4 side uses an address from the IPv4 pool, the IPv6 side maps IPv4 addresses into an IPv6 /96.]
IPv4-embedded syntax for IPv6
• 2001:db8:aaaa:aaaa::192.0.2.1
• 2001:db8:aaaa:aaaa::c000:201
DNS64 – Synthesize the addresses
[Figure: DNS64. Resolving Host (IPv6) -> Recursive Resolver (with DNS64) -> Authoritative Name Server (IPv4); the resolver returns IPv6 to the host and speaks IPv4 towards the authoritative server.]
IPv4-only Site Is Broken For NAT64+DNS64 Clients
• Beware IPv4 Literals!

Andrews-MacBook-Air:~ ayourtch$ curl -v http://cs.co/6011pZiX
* About to connect() to cs.co port 80 (#0)
*   Trying 67.192.93.178...
* connected
* Connected to cs.co (67.192.93.178) port 80 (#0)
> GET /6011pZiX HTTP/1.1
> User-Agent: curl/7.28.1
> Host: cs.co
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 07 Dec 2012 01:59:02 GMT
< Server: Apache/2.2.3 (Red Hat)
< Location: http://184.72.243.192//6011pZiX
< Keep-Alive: timeout=15, max=99
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 310
< Via: 1.1 ams3-dmz-wsa-1.cisco.com:80 (WSA/x)
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>301 Moved Permanently</title></head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://184.72.243.192//6011pZiX">here</a>.</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at cs.co Port 80</address>
</body></html>
* Connection #0 to host cs.co left intact
Location: http://184.72.243.192//6011pZiX
FQDN in Redirect NAT64+DNS64 Works!
Andrews-MacBook-Air:~ ayourtch$ curl -v http://cs.co/6011pZiX
* About to connect() to cs.co port 80 (#0)
*   Trying 67.192.93.178...
* connected
* Connected to cs.co (67.192.93.178) port 80 (#0)
> GET /6011pZiX HTTP/1.1
> User-Agent: curl/7.28.1
> Host: cs.co
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 08 Jan 2013 00:54:25 GMT
< Server: Apache/2.2.3 (Red Hat)
< Location: http://ec2-184-72-243-192.compute-1.amazonaws.com//6011pZiX
< Keep-Alive: timeout=15, max=99
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 338
< Via: 1.1 ams3-dmz-wsa-4.cisco.com:80 (WSA/x)
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>301 Moved Permanently</title></head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://ec2-184-72-243-192.compute-1.amazonaws.com//6011pZiX">here</a>.</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at cs.co Port 80</address>
</body></html>
* Connection #0 to host cs.co left intact
* Closing connection #0
Andrews-MacBook-Air:~ ayourtch$
Location: http://ec2-184-72-243-192.compute-1.amazonaws.com//6011pZiX
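An added example (not from the slides) covering the IPv4-embedded syntax, DNS64 synthesis and the redirect failure shown above: it embeds and extracts an IPv4 address in a /96 NAT64 prefix, synthesises AAAA answers the way DNS64 does, and flags a Location header whose host is an IPv4 literal, which the client never resolves and DNS64 therefore never rewrites. The prefix 2001:db8:aaaa:aaaa::/96 is the slide's; the A-record table is a constructed stand-in for a resolver and the regex is my own.

```python
# Added example: NAT64 /96 address embedding, DNS64-style AAAA synthesis, and a
# check for IPv4 literals in HTTP redirects (which break NAT64+DNS64 clients).
import ipaddress
import re
from typing import Optional

NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:aaaa:aaaa::/96")   # from the slide


def embed_ipv4(prefix: ipaddress.IPv6Network, v4: str) -> ipaddress.IPv6Address:
    """Place an IPv4 address in the low 32 bits of a /96 NAT64 prefix, e.g.
    192.0.2.1 -> 2001:db8:aaaa:aaaa::c000:201 (the slide's two spellings)."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 NAT64 prefixes")
    v4_bits = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(prefix.network_address) | v4_bits)


def extract_ipv4(prefix: ipaddress.IPv6Network, v6: str) -> ipaddress.IPv4Address:
    """Reverse mapping, as the NAT64 does when it builds the IPv4 packet."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{v6} is not inside the NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


# Constructed stand-in for what a recursive resolver learns: name -> A records.
FAKE_A_RECORDS = {"cs.co": ["67.192.93.178"]}


def dns64_lookup(name: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> list[str]:
    """DNS64: a name with only A records gets AAAA answers synthesised from them."""
    return [str(embed_ipv4(prefix, a)) for a in FAKE_A_RECORDS.get(name, [])]


# scheme://<dotted quad>[:port]/... ; hostnames never match this.
IPV4_LITERAL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)", re.I)


def redirect_breaks_nat64(location: str) -> Optional[str]:
    """Return the IPv4 literal if a Location header points at one (no DNS query
    happens, so DNS64 cannot synthesise an AAAA and the IPv6-only client is
    stuck), otherwise None."""
    m = IPV4_LITERAL_HOST.match(location.strip())
    return m.group(1) if m else None
```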
If IPv6 is broken: 4... 21... 75... 189... seconds delay...
http://www.ietf.org/proceedings/80/slides/v6ops-11.pdf
Browser extensions: browser may cache documents
Free eBook: IPv6 for IPv4 Experts
• https://sites.google.com/site/yartikhiy/home/ipv6book