
Phnog - Ipv6 Tutorial: Content

The document provides an overview of IPv6 including: - IPv6 uses a 128-bit address space compared to IPv4's 32-bit addresses. It features simplified header format and stateless autoconfiguration to assign IP addresses. - IPv6 extension headers allow new features to be added without major changes. Fragmentation is done by hosts using Path MTU Discovery. - IPv6 addresses are represented in hexadecimal format and can be abbreviated by omitting leading zeros or replacing contiguous zeros with double colons. IPv6 also supports unicast, multicast, anycast addressing and special addresses like unspecified and loopback.

Uploaded by

Praneet Kaur

7/19/19

PhNOG – IPv6 Tutorial

Makati, Philippines
19 July 2019

Content
• IPv6 Protocol Architecture
• IPv6 Addressing
• IPv6 Deployment


Module 1

IPV6 PROTOCOL ARCHITECTURE

v4/v6 Header Comparison

[Figure: IPv4 and IPv6 header layouts side by side. Legend: fields not kept in IPv6; fields renamed in IPv6; fields with the same name and function; fields new in IPv6]

New Functional Improvement


• Address Space
– Increase from 32-bit to 128-bit address space

• Management
– Stateless autoconfiguration (SLAAC) means no more need to configure IP
addresses for end systems, even via DHCP

• Performance
– Simplified header means efficient packet processing
– No header checksum re-calculation at every hop (when TTL is decremented) =>
left up to the lower and upper layers!

• No hop-by-hop fragmentation - PMTUD

IPv6 Protocol Header Format


• Version (4-bit):
– 4-bit IP version number (6)

• Traffic class (8-bit):


– Similar to DiffServ in IPv4; define
different classes or priorities.

• Flow label (20-bit):


– allows IPv6 packets to be identified
based on flows (multilayer
switching techniques and faster
packet-switching performance)


IPv6 Protocol Header Format


• Payload length (16-bit):
– Defines the length of the IPv6
payload (including extension
headers); Total Length in IPv4
includes the header.

• Next header (8-bit):


– Identifies the type of information
following IPv6 header. Could be
upper layer (TCP/UDP), or an
extension header (similar to Protocol
field in IPv4).
• Hop limit (8-bit):
– Similar to TTL in IPv4

IPv6 Extension Header


• IPv6 allows an optional Extension Header in between the IPv6 header and upper layer header
– Allows adding new features to IPv6 protocol without major re-engineering

Next Header values:
  0   Hop-by-hop option
  6   TCP
  17  UDP
  43  Source routing (RFC5095)
  44  Fragmentation
  50  Encrypted security
  51  Authentication
  58  ICMPv6
  59  Null (No next header)
  60  Destination option

[Figure: two packet layouts. (1) IPv6 Header (Next Header = 6) | TCP header + data. (2) IPv6 Header (Next Header = 44) | Fragment header, the extension header (Next header = 6) | TCP header + data (payload)]

IPv6 Extension Header (contd)


• An IPv6 packet may carry none or many extension headers
– A next header value of 6 or 17 (TCP/UDP) indicates there is no extension header
• the next header field points to TCP/UDP header, which is the payload

• Unless the next header value is 0 (Hop-by-Hop option), extension headers are processed only by the destination node, specified by the destination address.
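The Next Header chain described above, walked in code. This is an added example, not part of the original slides; the function names and the constructed sample packets (documentation-prefix addresses, zero-filled TCP stub) are assumptions made for illustration.

```python
import ipaddress
import struct

# Next Header values and names as listed on the slide.
NEXT_HEADER = {
    0: "Hop-by-hop option", 6: "TCP", 17: "UDP", 43: "Source routing",
    44: "Fragmentation", 50: "Encrypted security", 51: "Authentication",
    58: "ICMPv6", 59: "Null (No next header)", 60: "Destination option",
}
HBH, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60


def walk_ipv6(packet: bytes) -> dict:
    """Decode the fixed header, then follow Next Header to the upper layer."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 fixed header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word0 >> 28 != 6:
        raise ValueError("version field is not 6")
    out = {
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "chain": [],
        "fragment": None,
    }
    offset = 40
    end = min(len(packet), 40 + payload_len)  # never read past the payload
    while True:
        out["chain"].append(NEXT_HEADER.get(next_hdr, "protocol %d" % next_hdr))
        if next_hdr in (HBH, ROUTING, DSTOPTS, AH):
            if offset + 2 > end:
                raise ValueError("truncated extension header")
            following, length = packet[offset], packet[offset + 1]
            # AH counts 4-byte words minus 2; the others count 8-byte units minus 1.
            size = (length + 2) * 4 if next_hdr == AH else (length + 1) * 8
        elif next_hdr == FRAGMENT:
            if offset + 8 > end:
                raise ValueError("truncated fragment header")
            following, _, off_flags, ident = struct.unpack(
                "!BBHI", packet[offset:offset + 8])
            out["fragment"] = {"offset": (off_flags >> 3) * 8,
                               "more": bool(off_flags & 1), "id": ident}
            size = 8
            if off_flags >> 3:
                # Later fragments carry data only; the header named by
                # `following` is in the first fragment.
                out["upper_layer"], out["upper_layer_offset"] = following, None
                return out
        else:
            # Upper layer, ESP (opaque from here), no-next-header or unknown.
            out["upper_layer"], out["upper_layer_offset"] = next_hdr, offset
            return out
        if offset + size > end:
            raise ValueError("extension header overruns the payload")
        offset += size
        next_hdr = following


def build(next_hdr: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Constructed test packet between two documentation-prefix addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop_limit)
    return fixed + src + dst + payload


TCP_STUB = bytes(20)  # zero-filled stand-in for a 20-byte TCP header
FIRST_FRAG = struct.pack("!BBHI", 6, 0, (0 << 3) | 1, 0x1234)    # offset 0, M=1
LATER_FRAG = struct.pack("!BBHI", 6, 0, (185 << 3) | 0, 0x1234)  # offset 1480
HBH_PADN = bytes([6, 0, 1, 4, 0, 0, 0, 0])  # next=TCP, 8 bytes, one PadN option

SAMPLES = {  # all constructed for this example
    "plain": build(6, TCP_STUB),
    "fragmented": build(44, FIRST_FRAG + TCP_STUB),
    "later_fragment": build(44, LATER_FRAG + bytes(32)),
    "hop_by_hop": build(0, HBH_PADN + TCP_STUB),
    "overrun": build(0, bytes([6, 3, 0, 0, 0, 0, 0, 0])),  # claims 32 bytes
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        try:
            r = walk_ipv6(pkt)
            print(name, r["chain"], r["upper_layer_offset"])
        except ValueError as exc:
            print(name, "rejected:", exc)
```

A later fragment exposes no upper-layer header at all, which is why a filter that matches on TCP/UDP ports has to treat non-first fragments as a separate case.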

Fragmentation Handling In IPv6


• In IPv6, fragmentation is only performed by the host/source
nodes, and not the routers along the path (unlike IPv4)

• Each source device tracks the MTU size for each session

• When an IPv6 host has a large amount of data to send, it is sent as a series of IPv6 packets (fragmented)
– IPv6 hosts use Path MTU Discovery (PMTUD) to determine the optimum MTU size along the path

Source: www.cisco.com

Path MTU Discovery


• With PMTUD, the source IPv6 device assumes the initial PMTU
is the MTU of the first hop in the path
– upper layers (Transport/Application) send packets based on the first hop
MTU

– If the device receives an “ICMPv6 packet too big (Type 2)” message, it
informs the upper layer to reduce its packet size, based on the actual
MTU size (contained in the message) of the node that dropped the
packet

[Figure: path whose links have MTUs of 1500, 1420, 1280 and 1500; Path MTU = 1280]

IPv6 Address Representation


• IPv6 address is 128 bits

• Number of IPv6 addresses: 2^128 ~ 3.4 x 10^38

• IPv6 address is represented in hexadecimal


– 4-bits (nibble) represent a hexadecimal digit
– 4 nibbles (16-bits) make a hextet
– represented as eight hextets (4 nibbles or 16 bits each), separated by colons (:)

Example: 2001:ABCD:1234::DC0:A910
– the last hextet, A910, is 1010 1001 0001 0000 in binary (four nibbles)

IPv6 Address Representation (2)


– Full form: 2001:0DB8:0000:0000:0000:036E:1250:2B00

• Abbreviated form
– Leading zeroes (0) in any hextet can be omitted
• 2001:0DB8:0000:0000:0000:036E:1250:2B00 becomes 2001:DB8:0:0:0:36E:1250:2B00
– A double colon (::) can replace contiguous hextet segments of zeroes
• 2001:DB8:0:0:0:36E:1250:2B00 becomes 2001:DB8::36E:1250:2B00
– (::) can only be used once!

IPv6 Address Representation (3)


• Double colons (::) representation
– RFC5952 recommends that the largest set of :0: be replaced with :: for consistency
• 2001:0:0:0:2F:0:0:5
• 2001::2F:0:0:5 instead of 2001:0:0:0:2F::5
– Where there is the same number of :0:, the first set should be replaced with ::
• 2001:DB8:0:0:2F:0:0:5
• 2001:DB8::2F:0:0:5 instead of 2001:DB8:0:0:2F::5

• Prefix Representation
– Representation of a prefix is similar to IPv4 CIDR: prefix/prefix-length
– 2001:DB8:12::/40
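The abbreviation rules from the last two slides, implemented step by step. This is an added example, not part of the original slides; the function name is an assumption. Output is lowercase because RFC 5952 also recommends lowercase hex digits, and a single zero hextet is left as 0 because RFC 5952 does not shorten it to "::".

```python
import ipaddress


def rfc5952(text: str) -> str:
    """Shorten an IPv6 address using the rules from the slides."""
    # Expand to eight hextets, then drop the leading zeros in each one.
    groups = [format(int(g, 16), "x")
              for g in ipaddress.IPv6Address(text).exploded.split(":")]
    # Find the longest run of zero hextets; the first run wins a tie.
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:          # strictly greater: first run wins ties
            best_start, best_len = i, j - i
        i = j
    # A run of one zero hextet is not replaced with "::".
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return head + "::" + tail


# Addresses taken from the slides, in the spellings shown there.
SLIDE_EXAMPLES = [
    "2001:0DB8:0000:0000:0000:036E:1250:2B00",
    "2001:0:0:0:2F:0:0:5",
    "2001:0:0:0:2F::5",          # the spelling the slide says to avoid
    "2001:DB8:0:0:2F:0:0:5",
]

if __name__ == "__main__":
    for addr in SLIDE_EXAMPLES:
        print(addr, "->", rfc5952(addr))
```

Different spellings of one address only compare equal as strings after this step, so logs and ACLs are best stored in the canonical form.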


IPv6 Addressing Model (RFC 4291)

• Unicast Address
– Assigned to a single interface
– Packet sent only to the interface with that address

• Anycast Address
– Same address assigned to more than one interface (on different nodes)
– Packet for an anycast address routed to the nearest interface (routing distance)

• Multicast Address
– group of interfaces (on different nodes) join a multicast group
– A multicast address identifies the interface group
– Packet sent to the multicast address is replicated to all interfaces in the group

Special Unicast Addresses


• Unspecified Address (absence of an address)
– ::/128

• Loopback (test OSI/TCP-IP stack implementation)
– ::1/128

Global Unicast Addresses


• Globally unique and routable IPv6 address

• Currently, only global unicast addresses with the first three bits 001 have been assigned
– 0010 0000 0000 0000 (2000::/3)
– 0011 1111 1111 1111 (3FFF::/3)

• IANA gives a /12 each from 2000-3FFF::/3 to each RIR
– APNIC: 2400::/12
– ARIN: 2600::/12
– LACNIC: 2800::/12
– RIPE NCC: 2A00::/12
– AfriNIC: 2C00::/12

Global Unicast Addresses


• RIRs assign /32 to ISPs

[Figure: Global Unicast Address (128 bits): 001 (3 bits, up to /3) | RIR (9 bits, up to /12) | ISP (20 bits, up to /32) | remainder of the address]

IPv6 Addressing Structure


RFC 6177

| Customer (Site) Prefix | Subnet ID | Interface ID |
+------------------------+-----------+--------------+
| 48 bits                | 16 bits   | 64 bits      |

(Customer (Site) Prefix + Subnet ID = Network Prefix)

• Customer (Site) Prefix: assigned to a customer site
– Group of subnets
– ISPs/RIRs ‘would’ assign /48 (/56 to customers)

• Subnet ID: identifies the subnets (links) within a site

• Interface ID: host portion of the IPv6 address
– how many hosts within a subnet

IPv6 Addressing Structure


[Figure: 128-bit address. Bits 0-63: Network Prefix; bits 64-127: Interface ID. ISP /32 (32 bits), Customer Site /48 (16 more bits), End Site Subnet /64 (16 more bits), Device 128-bit address (64 more bits)]

Link-local Unicast Addresses


• Auto configured address (similar to APIPA)
– Every IPv6 enabled device must have a link-local address
– To communicate with other IPv6 devices on the same link
– FE80::/10

• The link-local address is used by routers as the next-hop address when forwarding IPv6 packets

• All IPv6 hosts on a subnet/link use the router’s link-local as the default gateway
– Routers use the link-local as the source in ND-RA messages

Unique Local Unicast Addresses


• Similar to RFC1918 addresses (but within a “site”)
– Unique within a site
– Routable within site(s)
– Not ‘expected’ to be routed on the internet

FC00::/7
| 7 bits | 1 | 40 bits   | 16 bits   | 64 bits      |
+--------+---+-----------+-----------+--------------+
| Prefix | L | Global ID | Subnet ID | Interface ID |
+--------+---+-----------+-----------+--------------+

L: 1 for local significance

Global ID: 40-bit pseudo-random

Well-known Multicast Addresses


• Multicast addresses can only be destinations and never a source
– FF00::/8
• Pre-defined multicast addresses:
– FF02::1 All nodes multicast
• All IPv6 enabled devices join this multicast group
• Packets sent to this address are received by all nodes

– FF02::2 All routers multicast
• The moment IPv6 is enabled on a router (#ipv6 unicast-routing), the router becomes a member of this group

– FF02::1:FFXX:XXXX/104 Solicited Node multicast
• NS messages (~ARP request) are sent to this address
• Uses the least significant 24-bits of its unicast/anycast address
• Must compute and join for every unicast (link-local & global) on an interface

Well-known Multicast Addresses


• Pre-defined multicast addresses:

– FF02::1:2 All DHCP Servers/Relay Agents
• Clients use this multicast address to discover any DHCPv6 servers/relays on the local link (link-scoped)

– FF05::1:3 All DHCP servers
• Generally used by Relays to talk to servers
• Site-scoped

Modified EUI-64 format


• Allows an IPv6 device to compute a unique 64-bit Interface ID using the interface MAC address (48 bit)

– MAC address is split into two 24-bit halves
• OUI and NIC

– Then 0xFFFE is inserted between the two halves
• 0xFFFE is a reserved value, not assigned to any OEM

– Invert 7th bit (U/L) of the OUI to get the EUI-64 address
• addresses assigned to OEMs have this bit set to 0 to indicate global uniqueness
• Set to 1 (invert 0) to indicate IEEE identifier (MAC) is used, or 0 if otherwise (serials/tunnels).

[Figure: worked example showing a MAC address split into its OUI and NIC halves, FFFE inserted between them, and the first octet changing from 0000 0000 to 0000 0010 when the U/L bit is inverted]

IPv6 Addressing EUI-64


LAN: 2001:db8:213:1::/64
Interface Eth0, MAC address: 0060.3e47.1530

    interface Ethernet0
     ipv6 address 2001:db8:213:1::/64 eui-64

    router# show ipv6 interface Ethernet0
    Ethernet0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::260:3EFF:FE47:1530
      Global unicast address(es):
        2001:db8:213:1:260:3EFF:FE47:1530, subnet is 2001:db8:213:1::/64
      Joined group address(es):
        FF02::1:FF47:1530
        FF02::1
        FF02::2
      MTU is 1500 bytes
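The addresses in the router output above can be derived from the MAC address alone. The following added example (not part of the original slides; function names are assumptions) computes the Modified EUI-64 interface ID, the resulting addresses and the solicited-node group, and also runs the derivation backwards to show that the MAC address is readable from any EUI-64 based address.

```python
import ipaddress


def mac_bytes(mac: str) -> bytes:
    """Accept 0060.3e47.1530, 00:60:3e:47:15:30 or 00-60-3e-47-15-30."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 48 bits")
    return raw


def modified_eui64(mac: str) -> bytes:
    """OUI with the U/L bit inverted + FFFE + NIC half."""
    raw = bytearray(mac_bytes(mac))
    raw[0] ^= 0x02                      # invert the 7th bit of the first octet
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX built from the low 24 bits of a unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 based address, or None if not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02                      # undo the U/L inversion
    return ":".join("%02x" % b for b in raw)


if __name__ == "__main__":
    mac = "0060.3e47.1530"              # MAC address from the slide
    link_local = slaac_address("fe80::/64", mac)
    global_addr = slaac_address("2001:db8:213:1::/64", mac)
    print(link_local, global_addr, solicited_node(global_addr))
    print(mac_from_address(global_addr))
```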


ICMPv6 Neighbor Discovery


RFC 4861

• Router Solicitation (RS):
– sent by an IPv6 host to the "all routers" multicast to request an RA

• Router Advertisement (RA):
– sent by an IPv6 router to the "all nodes" multicast (200 secs)
– IPv6 prefix/prefix length, and default gateway

• Neighbor Solicitation (NS):
– sent by an IPv6 host to the "solicited node" multicast to find the MAC address of a given IPv6 address (~ARP request).

• Neighbor Advertisement (NA):
– sent in response to an NS and informs of its MAC address.

• ICMPv6 Redirect:
– informs the source of a better next-hop

IPv6 Neighbor Discovery (ND)


• Host A would like to communicate with Host B
– Global address 2406:6400::10
– Link-local fe80::226:bbff:fe06:ff81
– MAC address 00:26:bb:06:ff:81

• Host B IPv6 global address 2406:6400::20
– Link-local UNKNOWN (if GW outside the link)
– MAC address UNKNOWN

• How will Host A create L2 frame and send to Host B?

IPv6 Address Resolution

Step 1 (Multicast): ICMPv6 NS, Type 135
– SMAC: 00:26:BB:06:FF:81, DMAC: 33:33:FF:00:00:20 (RFC2464 – 33:33:xx:xx:xx:xx)
– Source IPv6: 2406:6400::0010
– Destination IPv6: FF02:0:0:0:0:1:FF00:0020

Step 2 (Unicast): ICMPv6 NA, Type 136
– SMAC: 00:26:BB:06:FF:82, DMAC: 00:26:BB:06:FF:81
– Source IPv6: 2406:6400::0020
– Dest IPv6: 2406:6400::0010

IPv6 Address Resolution

Step 3 (Unicast): IPv6 Packet
– SMAC: 00:26:BB:06:FF:81, DMAC: 00:26:BB:06:FF:82
– Source IPv6: 2406:6400::0010
– Dest IPv6: 2406:6400::0020
– Payload

Step 4 (Unicast): IPv6 Packet
– SMAC: 00:26:BB:06:FF:82, DMAC: 00:26:BB:06:FF:81
– Source IPv6: 2406:6400::0020
– Dest IPv6: 2406:6400::0010
– Payload

IPv6 Address Auto-configuration


• Stateless address auto-configuration (SLAAC)
– No manual configuration required
– Gets the IPv6 prefix and prefix length through RA (local router)
– EUI-64 for interface ID (pseudo random)

• Stateful - DHCPv6
– To track address assignments


Stateless Address Autoconfig (1)


RFC 2462

When a host joins a link/subnet:
• It auto-generates a link-local using the FE80::/10 prefix and EUI-64:
– Ex: FE80::346A:3BFF:FE76:CAF9

• DAD is performed on the link-local:
– NS message is sent to the “solicited-node” multicast (FF02::1:FF76:CAF9), with ::/128 as the source
– If no NA message is received back, the generated address is unique and can be used

Stateless Address Autoconfig (2)


Once the node has a link-local address (FE80::346A:3BFF:FE76:CAF9):
• sends an RS message to the “all-routers” multicast (FF02::2)
– link-local as the source address

• The router responds with an RA message (2001:DB8::/64)
– IPv6 prefix and prefix length
– link-local as the source
– Auto flag by default (Managed and Other flags are not set!)

• The node generates the IPv6 address
– uses the received prefix (2001:DB8::/64)
– Interface ID (EUI-64)
– 2001:DB8::346A:3BFF:FE76:CAF9
– DAD not necessary (link-local validated for the same interface!)

DHCPv6 (1)
RFC 3315

DHCPv6 is used:
– If there are no router(s) on the subnet/link, OR
– If the RA message specifies to get addressing information via DHCPv6

If the router’s RA message has the:

– O (other) flag set: stateless DHCPv6
• auto-generate IPv6 address using IPv6 prefix & prefix length in the RA
• obtain other information (DNS server, domain) via DHCPv6

– M (managed) flag set:
• obtain all addressing information via DHCPv6
• ‘O’ flag is redundant

Stateful Autoconfig – DHCPv6 (2)


1. Client sends Solicit message to FF02::1:2 to find any available DHCPv6 servers

2. Server responds with an Advertise message
• the tentative IPv6 address/prefix
• Other parameters (DNS, domain, default gateway, lease time)
• could receive multiple Advertise messages

3. Client selects the server, and sends a Request asking to formally request the indicated IPv6 address

4. Server responds with a Reply to confirm the assignment

5. Performs DAD before using!

[Figure: message exchange between IPv6 Client and DHCPv6 Server: Solicit, Advertise, Request, Reply]

IPv6 Interface ID – Privacy


• Overcome the ability to track (interface ID based on MAC address): RFC 4941
– Temporary address (changes): outgoing connections
– Secured address: incoming connection

– Temp > 2001:dc0:a000:4:84a3:49b6:1919:26fb
– Secured> 2001:dc0:a000:4:108b:3690:9335:b7ec
– Temp > 2001:dc0:a000:4:14e6:d4a3:815d:91dd

• Ease network management yet improve privacy: RFC 7217
– Stable interface identifiers for each subnet
– Secured> 2001:dc0:a000:4:cbb:347c:6215:1083

Zone IDs for Link-locals


– Interface en0 - fe80::4e0:37e4:c5d1:c845%en0
– Interface en5 - fe80::aede:48ff:fe00:1122%en5

• Zone IDs help uniquely distinguish which link/subnet an interface is connected to

• To ping a remote IPv6 node, use your interface zone ID (so that the response packet has a path)

Quiz - Zone ID
• Please write down the commands:
– PC-A pings PC-B
– PC-A telnet PC-C

[Figure: PC-A (fe80::a1%11 and fe80::a2%12), PC-B (fe80::b1%1), PC-C (fe80::c1%en0)]

Subnetting (Example)
• Provider A has been allocated 2001:DB8::/32
– will delegate /48 blocks to its customers

• Q. Find the blocks provided to the first 4 customers

Subnetting (Example)
Original block: 2001:0DB8::/32
Rewrite as a /48 block: 2001:0DB8:0000::/48 (this is your network prefix!)

How many /48 blocks are there in a /32?

2^16 = 65K
Find only the first 4 /48 blocks…

Subnetting (Example)
Start by manipulating the LSB of your network prefix – write in bits
2001:0DB8:0000::/48

In bits                                    In hex
2001:0DB8: 0000 0000 0000 0000 ::/48       2001:0DB8:0000::/48
2001:0DB8: 0000 0000 0000 0001 ::/48       2001:0DB8:0001::/48
2001:0DB8: 0000 0000 0000 0010 ::/48       2001:0DB8:0002::/48
2001:0DB8: 0000 0000 0000 0011 ::/48       2001:0DB8:0003::/48

Then write back into hex digits

Exercise 1.1: IPv6 subnetting


• Identify the first four /36 sub-prefixes out of 2406:6400::/32
– _____________________
– _____________________
– _____________________
– _____________________

Exercise 1.2: IPv6 subnetting


Identify the first four /35 blocks out of 2406:6400::/32
1. _____________________
2. _____________________
3. _____________________
4. _____________________


Module 2

IPV6 ADDRESS PLANNING


IPv6 Address Recap


[Figure: 128-bit address. Bits 0-63: Network Prefix; bits 64-127: Interface ID. ISP /32 (32 bits), Customer Site /48 (16 more bits), End Site Subnet /64 (16 more bits), Device 128-bit address (64 more bits)]

IPv6 Address Planning


• Network Operators allocated /32 by RIRs

• Global Routing prefix /48
– /56 (ISPs to end site)
– upstream could filter anything smaller
– Consider the routing table size!

IPv6 Address Planning


• Future traffic engineering needs?
– Contiguous assignment vs Split assignment

• Shift in thought:
– IPv4: number of hosts :(
– IPv6: number of subnets!

IPv6 Address Plan: ISP Infra


• Loopbacks

• Point-to-Point links

• Internal Server LAN
– also called NOC LAN
– not seen from outside

• External Server LAN
– Mail, DNS, etc

IPv6 Address Plan: ISP Infra


• Dedicate a /40 (or /48) for the backbone infra
– Every infrastructure assignment from this block!
– Carried by IGP (NOT iBGP)

• Loopbacks
– Generally one /48 (/60 and /64 also common) for all loopbacks
– /128 as loopback

• Point-to-Point links (Ex: /48 for all P2P links)
– Assign /64 per link (RFC3177); RFC6164/6547 recommends /127
• Reserve /64 per link but use /127

IPv6 Address Plan: ISP Infra


• Internal Server/NOC LAN
– /60 (if different subnets within the NOC), or
– /64

• External Server LAN
– /64 (allows up to 2^64 services to be hosted)

IPv6 Address Plan: Enterprise Customer

• Consider regional delegation
– Aggregation in mind!
– /40 per region?

• One /48 per customer
– Could be transit customers or leased line customers
– Could be given additional /48s as they grow (more than 65K subnets)

• We also see ISPs give:
– /52 or /56 to mid-sized customers ()
– /60 for very small customers
– /64 to end sites NOT recommended!!

IPv6 Address Plan: Customer WAN links

• Dedicate a /48 block for customer WAN links
– Helps to monitor customer links
– Not to be mistaken with the trusted infra PtP block!
– Actual addressing still the same:
• Reserve /64 and use /127

• Carried in iBGP (not IGP)
– Aggregated at the GW router or POP routers

IPv6 Address Plan: Broadband Customer

• Depends on your deployment
– ND-RA for CPE WAN side
• A /64 prefix on BRAS can still support 2^64 CPEs through SLAAC
– DHCPv6-PD for CPE LAN side
• A /48 pool on each BRAS (65k /64s can be delegated)

• Dedicate a /40 (or bigger) for Broadband network
– /48s out of the /40 to each BRAS
– Announced in iBGP by BRAS

IPv6 Address Plan: DC services

• DC infra blocks from your infra block
– Loopbacks
– PtP links

• dedicate /40 for Data Center (hosted) services
– Depends on DC architecture
– Dedicated VLAN/subnet per service?
• /64 per VLAN/subnet (2^64 servers)
– Dedicated subnet per customer (customer buys VMs/hosts services)?
• /64 per customer or subnet (2^64 VMs)
– Announced in iBGP (DC border router)

IPv6 Address Plan: Traffic Shaping

• Borrow from IPv4
– sub-aggregates to shape traffic
– Difficult with contiguous assignment

• Assign customer prefixes (that attract traffic) from both ends of address space
– Infrastructure prefixes do not attract traffic

IPv6 Address Plan: Traffic Shaping

• Customer prefixes assigned from each /33 sub-prefix
– Similar to IPv4 sub-aggregates!
– Allows us to balance incoming traffic

[Figure: ISP /32 split into two /33s, each split into two /34s; Customer 1, Customer 3, Customer 2 and Customer 4 each receive a /48 from a different /34]

IPv6 Address Plan: Routing


• IGP to carry next-hop reachability information
– Infrastructure blocks (PtPs, loopbacks)
– Aggregation desirable in IGP

• Customer prefixes (Enterprise, broadband, DC customers/services)
– Sub-aggregates for traffic shaping (multihoming)
– Consider regional delegation
– iBGP carries all customer prefixes
• Aggregation may interfere with traffic shaping
– Aggregation necessary in eBGP (pull up routes)

Module 3

IPV6 TRANSITION TECHNIQUES


IPv6 in Mobile Networks: Technology

| Carrier          | Economy   | Deployment         |
+------------------+-----------+--------------------+
| Reliance Jio     | India     | Dual stack in 2016 |
| SK Telecom       | Korea     | 464XLAT in 2014    |
| Telstra          | Australia | 464XLAT since 2016 |
| T-Mobile         | USA       | 464XLAT in 2012    |
| Verizon Wireless | USA       | Dual stack in 2011 |

Dual-stack

[Figure: dual-stack network]

Dual-stack
• Does not solve IPv4 (public) depletion issue
– Still need to use CG-NAT to access IPv4-only sites

• But effective, and the only viable/scalable way forward
– IPv6 native access to most of the major content providers
– None of the scalability issues of v4 CG-NAT

Dual-stack in mobile network


• Does not solve IPv4 (public) depletion issue
– Still need to use CG-NAT to access IPv4-only sites

• But effective, and the only viable and scalable way forward
– IPv6 native access to most of the major content providers
– None of the scalability issues of v4 CG-NAT
– And of course, no DNSSEC issues


464XLAT (RFC6877)
[Figure: End host (v4 sockets, private address v4p) with CLAT (NAT64) – IPv6 Core – GGSN – PLAT (NAT64) – IPv4 Internet; native v6 traffic goes to the IPv6 Internet; DNS64 serves the end host]

• CLAT: Stateless NAT64 (RFC6145)
• PLAT: Stateful NAT64 (RFC6146)
• IPv4 embedded IPv6 (RFC6052): IPv6 /96 + 32 bit IPv4
– 64:ff9b::/96

CLAT (Stateless NAT64) (RFC6145)


• When IPv4 connection is required (an IPv4 socket)
– CLAT function provides private IPv4 address (and default route for
applications to bind to)
– a dedicated prefix (/64 or /96) for stateless translation (DHCPv6)
– must know the PLAT side translation prefix
– Route connections to the PLAT (stateful NAT64)
– 1:1 mapping
– 2400:6400::[v4p in HEX] (RFC6052)


DNS64 (RFC6147)
• Generate AAAA records from A records
– Allows IPv6-only client to talk to IPv4 hosts
– If ‘AAAA’ records exist, no synthesis
– If only an ‘A’ record exists for the queried name (after recursive query), synthesize to AAAA record

[Figure: the client sends an AAAA query for test.com to the DNS64 server. DNS64 sends the AAAA query to the authoritative DNS and gets an empty response, then sends an A query for test.com and gets 192.168.2.10. DNS64 answers the client with 2406:6400::C0A8:20A]

DNS64 Example
• DNS64 options statement in BIND9.8

    // rfc1918 is not a built-in acl; it must be defined before this statement
    dns64 2406:6400::/96 {
        clients { any; };
        mapped { !rfc1918; any; };
        exclude { 0::/3; 2001:DB8::/32; };
        break-dnssec yes;
    };

• https://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html

– mapped: which IPv4 addresses are to be mapped (A records)

– exclude: list of IPv6 addresses to ignore if they appear in the domain’s AAAA records (synthesize it from the NAT64 prefix+v4 address)

– break-dnssec yes: by default, DNS64 module does not process secure queries (DO = 1) or responses. The break-dnssec yes overrides this default.
• However, the synthesized response will not have any DNSSEC records added and therefore cannot be verified by the client!
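How the mapped and exclude lists above decide whether an AAAA answer is synthesized, as an added example that is not part of the original slides and is not BIND code. It models the behaviour as the slide describes it; the function names, the first-match ACL model and the sample records other than 192.168.2.10 and 202.69.185.252 are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY4 = ipaddress.ip_network("0.0.0.0/0")

# Values from the slide's dns64 statement.
PREFIX = ipaddress.IPv6Network("2406:6400::/96")
MAPPED = [(True, n) for n in RFC1918] + [(False, ANY4)]   # { !rfc1918; any; }
EXCLUDE = [ipaddress.ip_network("::/3"),                  # 0::/3
           ipaddress.ip_network("2001:db8::/32")]


def embed(prefix, v4):
    """RFC 6052 with a /96 prefix: the IPv4 address fills the last 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(prefix, v6):
    """Reverse of embed(); None when v6 is outside the translation prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def acl_allows(acl, addr):
    """First matching element decides; a negated match means 'do not map'."""
    for negated, net in acl:
        if addr in net:
            return not negated
    return False


def dns64_answer(a_records, aaaa_records,
                 prefix=PREFIX, mapped=MAPPED, exclude=EXCLUDE):
    """Return (AAAA answers, synthesized?) for one queried name."""
    native = [ipaddress.IPv6Address(a) for a in aaaa_records]
    usable = [a for a in native if not any(a in net for net in exclude)]
    if usable:
        return usable, False            # real AAAA exists: no synthesis
    synth = [embed(prefix, a)
             for a in map(ipaddress.IPv4Address, a_records)
             if acl_allows(mapped, a)]
    # Synthesized answers carry no DNSSEC records (see break-dnssec above).
    return synth, bool(synth)


if __name__ == "__main__":
    print(embed(PREFIX, "192.168.2.10"))            # address from the figure
    print(dns64_answer(["192.168.2.10"], []))       # skipped by !rfc1918
    print(dns64_answer(["202.69.185.252"], []))     # public A record: mapped
    print(dns64_answer(["202.69.185.252"], ["2001:db8::1"]))  # AAAA excluded
```

With `mapped { !rfc1918; any; }` an A record such as 192.168.2.10 is not synthesized, so names that resolve only to private IPv4 addresses return no AAAA to IPv6-only clients.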


PLAT (Stateful NAT64) (RFC6146)


• IPv6 to IPv4 translation (public)
– and vice versa
– bindings for every translation maintained
• need a return path
– N:1 mapping (conserves IPv4)
– 2400:6400::[v4p in HEX] to [v4]:port (~PAT)


Stateful NAT64 (v6-only to v4-only ‘Internet’)

[Figure: Mobile phone (v4 sockets, v4p, CLAT) – IPv6 Mobile Core – GGSN – PLAT (NAT64) – IPv4 Internet, with DNS64; the destination is 192.168.2.10 (test.com)]

– IPv4 Pool: 202.70.77.1-30
– Over IPv6: Src: 2406:6400::9, Dst: [2406:6400::C0A8:20A]:80
– Over IPv4: Src: 202.70.77.1:6435, Dst: 192.168.2.10:80

Stateless NAT64 (v4 to v4 – literal IPs)

[Figure: Mobile phone (v4 sockets, v4p, CLAT) – IPv6 Mobile Core – GGSN – PLAT (NAT64) – IPv4 Internet; the destination is 202.69.185.252]

– v4p address (Src): 192.168.12.99, Dst: 202.69.185.252:80
– Stateless XLATE prefix: 2406:6400:EEEE::/96
– PLAT-side XLATE prefix: 2406:6400:AAAA::/96
– IPv4 Pool: 202.70.77.1-30
– Over IPv6: IPv6 Src: 2406:6400:EEEE::C0A8:C63, IPv6 Dst: [2406:6400:AAAA::CA45:B9FC]:80
– Over IPv4: Src: 202.70.77.1:888, Dst: 202.69.185.252:80

NAT64/DNS64 public test


• Go6lab’s NAT64/DNS64 public testing
– https://go6lab.si/current-ipv6-tests/nat64dns64-public-test/

– http://www.internetsociety.org/deploy360/blog/2016/08/new-nat64dns64-implementations-available-for-public-testing-in-go6lab/

IPv6 and Mobile devices


• Android supports 464XLAT (4.4 - KitKat)

• IPv6 supported over mobile interface since iOS 9 (supported IPv6 on WiFi for a long time!)
– All apps submitted to App Store must support IPv6 (only) since June 2016
• https://developer.apple.com/support/ipv6/

IPv6 Tethering
• RFC6653: DHCPv6-PD for Mobile Networks
– 3GPP Rel-10

• RFC7278: Extending IPv6 /64 prefix from Mobile interface to LAN
– “Flaky” support since Android 6.0 (Marshmallow)
– Stop-gap until DHCPv6-PD

References
• IPv6 in Mobile Networks – Telstra
– Sunny Yeung, Senior Technology Specialist
– Presentation @APNIC41 (Feb 2016)
– https://conference.apnic.net/data/41/yeung.-s-tutorial-apricot-2016_1455689286.pdf

• 464XLAT: Breaking free of IPv4 - TMobile
– Cameron Byrne’s presentation at SANOG23 (Jan 2014)
– http://www.sanog.org/resources/sanog23/SANOG23_464XLAT.pdf

Broadband Network (IPv4)

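[Figure: Home LAN – CPE/RG – DSLAM – BRAS/BNG – RADIUS (AAA). PPP runs between the CPE and the BRAS; Access Request & Response (Accept/Reject) runs between the BRAS and RADIUS. End user NAT at the CPE, LSN/CGN in the provider network. DHCP server on the BRAS or centralized]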

IPv6 over PPP (RFC2472)


[Figure: CPE/RG – DSLAM – BRAS/BNG, with IPv6 over PPP between the CPE and the BRAS]

• Link Control Protocol (LCP) same as in IPv4
– Establish the connection, agree packet sizes (MTU/MSS)

• Authentication same as IPv4
– (PAP/CHAP)

• Network Control Protocol (NCP) for IPv6 is IPV6CP
– Choose the network protocol (IPv6)
– Options:
• Interface Identifier (to negotiate the 64-bit int-id for SLAAC)
• Compression Protocol (ability to receive compressed packets)

IPv6 CPE WAN


[Figure: Home LAN – CPE/RG – DSLAM – BRAS/BNG, with a DHCPv6 server; ND-RA over PPP or DHCPv6 over PPP between the CPE and the BRAS]

Configuration shown for ND-RA over PPP:

    ipv6 nd prefix 2400:db8::/64
    no ipv6 nd ra suppress
    ipv6 nd other-config-flag

• CPE IPv6 address
– SLAAC based on the RA (and set ‘O’ flag for DNS), or
– use the link-local, OR
• DHCPv6 over PPP
• How will home devices get IPv6 address?
– Proxy RA?

IPv6 on Home LAN (DHCPv6-PD: RFC 3633)

[Figure: Home LAN – CPE/RG – DSLAM – BRAS/BNG, with a DHCPv6 server; DHCPv6-PD over PPP between the CPE and the BRAS; RA (2001:db8::/64) from the CPE to the home LAN]

    ipv6 local pool PD-POOL 2001:db8::/60 64
    ipv6 dhcp pool DHCPv6-PD-POOL
     prefix-delegation pool PD-POOL
     dns-server 2001:db8::1

• CPE requests prefix from BRAS (delegator)
– DHCPv6 messages over PPP
– BRAS delegates /64 prefix from the pool to CPE

• ND-RA to home devices by CPE
– Auto-configure IPv6 address (SLAAC) using the delegated prefix

DHCPv6 (RFC3315)
• RA message:

– A (auto) flag set by default
• SLAAC

– If O (other) flag set: stateless DHCPv6
• auto-generate IPv6 address (IPv6 prefix, prefix length in the RA)
• obtain other information (DNS server, domain) via DHCPv6

– If M (managed) flag set:
• obtain all addressing information via DHCPv6
• ‘O’ flag is redundant

DHCPv6 (RFC3315)
[Figure: message exchange between IPv6 Client and DHCPv6 Server: Solicit (Client-Id), Advertise, Request, Reply]

• DHCPv6 uses DUID + IAID as Client-Id
– Servers will drop any Solicit message without Client-id

• Be wary of duplicate DUID!
– to uniquely identify & associate (IA) IPv6 addresses with each interface on a host
– IAIDs uniquely identify the interface (one IA per interface)
– Have a look at “The Story of IPv6 at FPT Telecom” @APRICOT2017

• DUID types:
– Link-layer address, Link-layer+Time, Enterprise number (vendor)

RADIUS attributes for IPv6 (RFC6911)

[Figure: exchange between BRAS/BNG and RADIUS (AAA): Access-Request "username, password, NAS" (Framed-Interface-Id); Access-Accept/Reject; Accounting Start/Stop (Framed-IPv6-Prefix) (Framed-Interface-Id)]

• Framed-IPv6-Prefix:
– Which prefix was delegated to the LAN side of the CPE

• Framed-Interface-Id:
– Used for accounting and also indicates what address will be used on WAN side through RA

Putting it together
[Figure: message sequence between CPE, BRAS (DHCPv6) and RADIUS (AAA). Labels as shown: PPPoE; LCP; Access-Request; Access Accept; NCP (IPv6CP); DHCPv6 Solicit, Advertise, Request, Reply; Accounting Start; NCP Open; IPv6 traffic over the session]

Deployment Planning
• Assess your network
– Do the existing network nodes support IPv6?
• What requires updating (hw/sw)?
• What needs upgrading/replacing (hw)?

– Talk to your vendor!


• Clean up your network
– Remove unused configs/interfaces/BCPs/etc
• Mistakes in v4 could get carried over to v6

• Get your IPv6 address – very easy :)

• Address planning – not difficult :)
• Do you have in-house skills or need consulting?
– Talk to the community – many are willing to help!!

Deployment Planning -2
• Start from the backbone – not so complicated
– Transit ready?
• Dual stack or tunnel?

• Deploy for enterprise customers – not difficult

• Deploy in access Network
– Both financial and technical assessment required!!
• Vendors and ”IPv6 consultants” will tell you otherwise :(

– Mobile: IPv6 PDP license :(
• Either IPv6-only or dual-stack (IPv4v6)

– Wired broadband:
• MSANs, DSLAMS, OLTs should carry IPv6 ether-type (do not assume)
• CPEs, wireless routers, APs: https://getipv6.info/display/IPv6/Broadband+CPE

Thank You!
END OF SESSION
