CCIE - EI: IPv6 📝

2022-04-29 · Topic: CCIE-EI

This is a summary of the notes I’ve made in preparation for the IPv6 parts of the exam. In other words, this only contains the stuff I felt the need to take note of. Please see study resources for the resources I’ve used.

IPv6

  • Fixed header size of 40B, compared to the minimum of 20B and maximum of 60B for IPv4.
    • IPv6 uses extension headers instead of IPv4 options (the variable part of the IPv4 header that the IHL field sizes).
    • IPv4 header lengths are multiples of 32b (IHL counts 32-bit words); IPv6 extension headers are multiples of 64b (8 octets).
  • The Traffic Class field is the same 8b DSCP/ECN field as the IPv4 TOS field.
  • Flow labels are included in IPv6 to label all packets in a flow so they receive equal treatment.
    • Very few applications actually use this though…
  • The total length field includes the header in IPv4, while the IPv6 payload length field excludes the 40B fixed header.
    • Jumbograms (RFC 2675) are packets with payloads larger than the 16b length field allows: the payload length is set to 0 and a Jumbo Payload hop-by-hop option carries a 32b length. Only possible in IPv6, and only useful on links with an MTU above 65,575B.
    • IPv6 requires a minimum link MTU of 1280B, while IPv4 only requires 68B.
  • The “protocol” field is replaced with the “next-header” field in IPv6.
    • The protocol numbers used in IPv4 are reused in the IPv6 next-header field.
    • The next-header field either points to a type of payload or to an extension header (which again contains a next-header field).
  • The TTL field has been renamed to hop-limit in IPv6.
  • The checksum field is removed from IPv6 headers; link-layer and transport checksums cover the header instead.
    • UDP checksum is hence mandatory in IPv6 (the transport pseudo-header covers the addresses).

Extension headers

There are six extension headers defined in RFC 8200, identified by their next-header value:

  • 0 Hop-by-Hop Options, information to be processed by every node along the path. Must directly follow the fixed header when present. Jumbograms are enabled by this header.
  • 43 Routing, source can specify the path to the destination. Routing Header Type 0 is deprecated (RFC 5095) because it allowed traffic amplification and filter bypass; nodes should drop it.
  • 44 Fragment, allows fragmentation (by the source only).
  • 50 ESP, provides encryption, integrity and authentication.
  • 51 AH, provides authentication and integrity.
  • 60 Destination Options, extra information only to be processed by the destination.

Fragmentation

IPv4: Fragmentation is achieved through the “more fragments” flag and the fragment offset field. Packets can be fragmented by intermediate routers when forwarded. The 3b IPv4 flags field contains: reserved, don’t fragment (DF) and more fragments (MF).

IPv6: Fragmentation is only done by the source, using Path MTU discovery and the Fragment extension header (offset in 8-octet units, M flag, 32b identification). Whenever a packet exceeds the MTU along the path, the router drops it and sends an ICMPv6 Packet Too Big (type 2) message carrying the link MTU back to the source. Filtering ICMPv6 Packet Too Big therefore black-holes large flows instead of failing them loudly.

Addressing

  • Unicast
    • FE80::/10 - Link-local
    • 2000::/3 - Global unicast addressing
    • FC00::/7 - Unique-local (L bit set gives FD00::/8, the only half currently defined; FC00::/8 is reserved)
    • ::FFFF:0:0/96 - IPv4-mapped {80b of 0}{16b of 1}{32b IPv4 address}
  • Multicast - ff00::/8 {8b of 1}{4b flags 0RPT}{4b scope}{112b group ID}
    • ff00::/12 Well-known (T=0)
    • ff10::/12 Transient (T=1)
    • ff02:0:0:0:0:1:ff00::/104 Solicited-node multicast
  • Anycast - a unicast address assigned to more than one interface; no dedicated range
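Added example (mine, not from the notes) for the ranges above: instead of only matching prefixes it decodes the multicast flag nibble (0RPT), the scope nibble, the 112b group ID and the unique-local L bit from the address bits, so it also shows why two groups with different scopes are “the same group”. The sample addresses are constructed.

```python
"""Classify IPv6 addresses by the ranges above (added example, not from the original notes).

Decodes the multicast flag nibble (0RPT), the scope nibble, the 112b group ID
and the unique-local L bit from the address bits instead of only matching
prefixes; same_group() shows why ff02::2 and ff05::2 are one group at two scopes.
"""
import ipaddress

MCAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def classify(address):
    """Return a dict describing the address type and, for multicast, its decoded fields."""
    a = ipaddress.IPv6Address(address)
    n = int(a)
    if a.is_multicast:
        flags = (n >> 116) & 0xF            # address bits 8..11 (from the MSB): 0 R P T
        scope = (n >> 112) & 0xF            # address bits 12..15
        return {"kind": "multicast",
                "transient": bool(flags & 0x1),      # T: 0 = well-known (ff0X::), 1 = transient (ff1X::)
                "prefix_based": bool(flags & 0x2),   # P: unicast-prefix-based group (RFC 3306)
                "embedded_rp": bool(flags & 0x4),    # R: rendezvous point embedded (RFC 3956)
                "scope": MCAST_SCOPES.get(scope, "unassigned(%x)" % scope),
                "group_id": n & ((1 << 112) - 1),
                "solicited_node": a in SOLICITED_NODE}
    if a.is_unspecified:
        return {"kind": "unicast", "type": "unspecified"}
    if a.is_loopback:
        return {"kind": "unicast", "type": "loopback"}
    if a in ipaddress.IPv6Network("fe80::/10"):
        return {"kind": "unicast", "type": "link-local"}
    if a in ipaddress.IPv6Network("fc00::/7"):
        # L bit is the 8th address bit: 1 = locally assigned (fd00::/8); fc00::/8 is undefined
        return {"kind": "unicast", "type": "unique-local", "locally_assigned": bool((n >> 120) & 1)}
    if a.ipv4_mapped is not None:
        return {"kind": "unicast", "type": "ipv4-mapped", "ipv4": str(a.ipv4_mapped)}
    if a in ipaddress.IPv6Network("2000::/3"):
        return {"kind": "unicast", "type": "global"}
    return {"kind": "unicast", "type": "other"}


def same_group(x, y):
    """True if two multicast addresses share the 112b group ID, whatever their scope."""
    cx, cy = classify(x), classify(y)
    return cx["kind"] == cy["kind"] == "multicast" and cx["group_id"] == cy["group_id"]


if __name__ == "__main__":
    for addr in ("fe80::1", "2001:db8::1", "fd12:3456::1", "::ffff:192.0.2.1",
                 "ff02::2", "ff05::2", "ff12::1", "ff02::1:ff12:3456"):
        print(addr, classify(addr))
    print("ff02::2 and ff05::2 same group:", same_group("ff02::2", "ff05::2"))
```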

Interface ID == “Host bits” in IPv4. For SLAAC on Ethernet it is 64b and, per RFC 4291, in modified EUI-64 format; RFC 8064 now recommends stable, opaque IDs (RFC 7217) instead, since an EUI-64 ID exposes the MAC address in every packet. All IPv6 enabled interfaces must have at least one link-local address.

314 rule:

  • 3 16b chunks (48b) for the global routing prefix
  • 1 16b chunk for the subnet ID
  • 4 16b chunks (64b) for the interface ID

/127 links:
Used on point-to-point router links (RFC 6164) to limit NDP exhaustion attacks: on a /64 a remote attacker can send packets to thousands of unused addresses and fill the router’s neighbor cache with INCOMPLETE entries; a /127 leaves exactly one other address to resolve.

The U/L bit flip

Cisco devices will flip the U/L bit (bit 7 of the first MAC octet) regardless of its original value when building the modified EUI-64 interface ID.

Address-selection (RFC 6724 source address selection, in rule order):

  1. Prefer same address - Pinging a local address with the same local address
  2. Prefer appropriate scope - Link-local -> link-local, Global -> Global
  3. Avoid deprecated addresses - Only use deprecated addresses for existing sessions
  4. Prefer home addresses - Prefer the home address over the care-of address (Mobile IPv6 roaming)
  5. Prefer outgoing interface - Prefer addresses assigned to the outgoing interface
  6. Prefer matching label - Use the source whose policy-table label matches the destination’s (e.g. ULA source for a ULA destination)
  7. Prefer temporary addresses - Prefer privacy extension addresses
  8. Prefer longest prefix - If everything else is equal, use the address sharing the longest prefix with the destination.
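Added example (mine, not from the notes or any OS implementation) running the rules above as pairwise comparisons the way RFC 6724 specifies them. It implements rules 1-3 and 5-8 with the RFC 6724 default policy table; rule 4 (home vs care-of address) and rule 5.5 (prefix advertised by the next-hop) are left out because the constructed host has neither. The candidate addresses and interface names are made up.

```python
"""RFC 6724 source address selection, rules 1-3 and 5-8 (added example, not from the notes).

Candidates are constructed; the policy table is the RFC 6724 default. Rule 4
(home vs care-of address, Mobile IPv6) and rule 5.5 (prefix advertised by the
next-hop router) are omitted because the constructed hosts have neither.
"""
import ipaddress
from dataclasses import dataclass

# RFC 6724 default policy table: (prefix, precedence, label)
POLICY_TABLE = [("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
                ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
                ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12)]
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass
class Candidate:
    address: str
    iface: str = "eth0"
    deprecated: bool = False      # preferred lifetime expired
    temporary: bool = False       # RFC 4941 privacy address

    def __post_init__(self):
        self.addr = ipaddress.IPv6Address(self.address)


def label(addr):
    """Label of the longest-matching policy table entry."""
    best_len, best_label = -1, None
    for prefix, _precedence, lab in POLICY_TABLE:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_label = net.prefixlen, lab
    return best_label


def scope(addr):
    """Scope as the multicast scope numbers: link-local 0x2, everything else global 0xe."""
    if addr.is_multicast:
        return (int(addr) >> 112) & 0xF
    if addr.is_loopback or addr in LINK_LOCAL:
        return 0x2
    return 0xE   # unique-local addresses have global scope (RFC 4193)


def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()


def prefer(sa, sb, dst, out_iface):
    """Pairwise comparison; returns the preferred candidate or None if undecided."""
    if sa.addr == dst or sb.addr == dst:                              # rule 1: same address
        return sa if sa.addr == dst else sb
    s_a, s_b, s_d = scope(sa.addr), scope(sb.addr), scope(dst)
    if s_a != s_b:                                                    # rule 2: appropriate scope
        if s_a < s_b:
            return sb if s_a < s_d else sa
        return sa if s_b < s_d else sb
    if sa.deprecated != sb.deprecated:                                # rule 3: avoid deprecated
        return sb if sa.deprecated else sa
    on_a, on_b = sa.iface == out_iface, sb.iface == out_iface
    if on_a != on_b:                                                  # rule 5: outgoing interface
        return sa if on_a else sb
    l_d = label(dst)
    m_a, m_b = label(sa.addr) == l_d, label(sb.addr) == l_d
    if m_a != m_b:                                                    # rule 6: matching label
        return sa if m_a else sb
    if sa.temporary != sb.temporary:                                  # rule 7: temporary address
        return sa if sa.temporary else sb
    c_a, c_b = common_prefix_len(sa.addr, dst), common_prefix_len(sb.addr, dst)
    if c_a != c_b:                                                    # rule 8: longest match
        return sa if c_a > c_b else sb
    return None


def select_source(candidates, destination, out_iface="eth0"):
    """Run the pairwise rules over all candidates and return the chosen source as a string."""
    dst = ipaddress.IPv6Address(destination)
    best = candidates[0]
    for cand in candidates[1:]:
        winner = prefer(best, cand, dst, out_iface)
        if winner is not None:
            best = winner
    return str(best.addr)


if __name__ == "__main__":
    host = [Candidate("fe80::1"), Candidate("2001:db8:1::10"),
            Candidate("2001:db8:1:0:a1b2:c3d4:e5f6:1", temporary=True), Candidate("fd00:1::10")]
    for dest in ("fe80::99", "2001:db8:1::5", "fd00:2::7"):
        print(dest, "->", select_source(host, dest))
```

The order of the rules is the point: a global destination picks the temporary address over the stable one (rule 7 beats rule 8), and a ULA destination picks the ULA source because the label match (rule 6) is evaluated before temporary-ness.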

Dynamic address allocation

There are three methods used for dynamic address allocation in IPv6:

  • SLAAC, using RA information only
  • SLAAC + Stateless DHCPv6, addressing through SLAAC but additional information (DNS, domain) from DHCPv6
  • Stateful DHCPv6, addresses and other information fetched from DHCPv6

Notably the gateway information is always learned through RA messages.

SLAAC

The RA includes prefix and gateway information. The end device then chooses its interface ID by itself.

The two common methods of generating the interface ID are:

  • Random 64b string, default in Windows
  • EUI-64, the traditional default in most other OSes and on Cisco IOS: 48b MAC address with FFFE inserted in the middle and the 7th bit (U/L) flipped. This exposes the MAC, and with it the hardware vendor and a stable tracking identifier, in every packet; RFC 8064 recommends stable opaque IDs (RFC 7217) instead.

Privacy extension: Uses temporary IPv6 addresses with randomized interface IDs that are regenerated periodically to avoid tracking. RFC 4941 - Privacy extensions for SLAAC (obsoleted by RFC 8981).

Stateless DHCPv6

  1. Host sends a DHCPv6 INFORMATION-REQUEST to ff02::1:2 (All_DHCP_Relay_Agents_and_Servers), listing the wanted options (DNS, domain search list) in an Option Request option
  2. DHCPv6 servers respond with a DHCPv6 REPLY containing said information

No SOLICIT/ADVERTISE takes place: the host already has its address from SLAAC and the server keeps no state (RFC 3736).

DHCPv6 server

ipv6 dhcp pool {name}
dhcp> dns-server {ipv6 addr}
dhcp> domain-name {name}
int> ipv6 dhcp server {pool} [rapid-commit]

DHCPv6 gateway

int> ipv6 nd other-config-flag

Rapid-commit

Reduces the exchange from SOLICIT, ADVERTISE, REQUEST and REPLY to SOLICIT and REPLY.

This works best when a single DHCPv6 server is in use: every server that answers a rapid-commit SOLICIT with a REPLY commits an address without knowing that the client chose another server, so address space is wasted.

When a client sends a SOLICIT with the Rapid Commit option it will prefer any received REPLY carrying Rapid Commit over ADVERTISE messages, even if the ADVERTISE arrives first.

Relay agent

The DHCPv6 relay agent forwards SOLICIT (and other client) messages inside RELAY-FORWARD messages, sent as unicasts to the DHCPv6 server, which answers with RELAY-REPLY.

Multicast addresses can be used instead of the unicast address. The accepted addresses are ff02::1:2 (All_DHCP_Relay_Agents_and_Servers, link-local scope) and ff05::1:3 (All_DHCP_Servers, site-local scope). ipv6 multicast-routing must be enabled if the site-local multicast address is used.

int> ipv6 dhcp relay destination {addr}

Stateful DHCPv6

  1. DHCPv6 SOLICIT is sent to ff02::1:2 (All_DHCP_Relay_Agents_and_Servers)
  2. DHCPv6 servers respond with DHCPv6 ADVERTISE, each offering an address
  3. Host sends a REQUEST to the chosen server (highest server preference), asking for the offered address and the “other configuration”
  4. That server responds with a DHCPv6 REPLY containing the committed address and said information

The difference between stateful and stateless in terms of messages is that stateful uses the four-message SOLICIT/ADVERTISE/REQUEST/REPLY exchange while stateless only uses INFORMATION-REQUEST/REPLY.
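Added example (mine, not from the notes or any DHCPv6 implementation) that runs the three exchanges above in memory with real DHCPv6 message encodings (msg-type, 3-byte transaction ID, TLV options, IA_NA with an IA_ADDR sub-option): stateless INFORMATION-REQUEST/REPLY, the stateful four-message exchange, and rapid commit collapsing it to two messages. The DUIDs, pool and DNS server address are constructed.

```python
"""DHCPv6 exchanges: stateless, stateful four-message and rapid commit (added example, not from the notes).

A toy client and server exchange real DHCPv6 message encodings (RFC 8415
msg-type + 3-byte transaction-id + TLV options) in memory; DUIDs, the pool and
the DNS server are constructed. Shows why stateless uses INFORMATION-REQUEST
while stateful uses REQUEST, and how Rapid Commit collapses the exchange.
"""
import ipaddress
import struct

SOLICIT, ADVERTISE, REQUEST, REPLY, INFORMATION_REQUEST = 1, 2, 3, 7, 11
NAMES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY", 11: "INFORMATION-REQUEST"}
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_ORO, OPT_RAPID_COMMIT, OPT_DNS = 1, 2, 3, 5, 6, 14, 23


def encode(msg_type, xid, options):
    body = b"".join(struct.pack("!HH", code, len(value)) + value for code, value in options)
    return struct.pack("!B", msg_type) + xid.to_bytes(3, "big") + body


def decode(msg):
    msg_type, xid, options, off = msg[0], int.from_bytes(msg[1:4], "big"), [], 4
    while off + 4 <= len(msg):
        code, length = struct.unpack("!HH", msg[off:off + 4])
        options.append((code, msg[off + 4:off + 4 + length]))
        off += 4 + length
    return msg_type, xid, options


def option(options, code):
    return next((v for c, v in options if c == code), None)


class Server:
    """Toy server: one pool, addresses committed only on REQUEST or on a rapid-commit SOLICIT."""

    def __init__(self, duid, pool, dns):
        self.duid, self.leases = duid, {}
        base = int(ipaddress.IPv6Network(pool).network_address)
        self.free = [ipaddress.IPv6Address(base + i) for i in range(1, 5)]   # constructed 4-address pool
        self.dns = b"".join(ipaddress.IPv6Address(d).packed for d in dns)

    def ia_na(self, client, commit):
        addr = self.leases[client] if client in self.leases else self.free[0]
        if commit and client not in self.leases:
            self.leases[client] = self.free.pop(0)
        ia_addr = addr.packed + struct.pack("!II", 604800, 2592000)          # preferred, valid lifetime
        return struct.pack("!III", 1, 3600, 5400) + struct.pack("!HH", OPT_IAADDR, len(ia_addr)) + ia_addr

    def handle(self, msg):
        msg_type, xid, opts = decode(msg)
        client = option(opts, OPT_CLIENTID)
        common = [(OPT_CLIENTID, client), (OPT_SERVERID, self.duid), (OPT_DNS, self.dns)]
        if msg_type == INFORMATION_REQUEST:                                # stateless: no address, no state
            return encode(REPLY, xid, common)
        if msg_type == SOLICIT and option(opts, OPT_RAPID_COMMIT) is not None:
            return encode(REPLY, xid, common + [(OPT_RAPID_COMMIT, b""), (OPT_IA_NA, self.ia_na(client, True))])
        if msg_type == SOLICIT:                                            # offer, nothing committed yet
            return encode(ADVERTISE, xid, common + [(OPT_IA_NA, self.ia_na(client, False))])
        if msg_type == REQUEST and option(opts, OPT_SERVERID) == self.duid:
            return encode(REPLY, xid, common + [(OPT_IA_NA, self.ia_na(client, True))])
        return None                                                        # REQUEST for another server


def assigned_address(opts):
    ia = option(opts, OPT_IA_NA)
    if ia is None:
        return None
    code, _length = struct.unpack("!HH", ia[12:16])                        # first sub-option after IAID/T1/T2
    return str(ipaddress.IPv6Address(ia[16:32])) if code == OPT_IAADDR else None


def run_client(server, duid, mode):
    """mode is 'stateless', 'stateful' or 'rapid'. Returns (message names, address, DNS servers)."""
    xid, trace = 0xABCDEF, []
    if mode == "stateless":
        first = encode(INFORMATION_REQUEST, xid, [(OPT_CLIENTID, duid), (OPT_ORO, struct.pack("!H", OPT_DNS))])
    else:
        opts = [(OPT_CLIENTID, duid), (OPT_ORO, struct.pack("!H", OPT_DNS)), (OPT_IA_NA, struct.pack("!III", 1, 0, 0))]
        if mode == "rapid":
            opts.append((OPT_RAPID_COMMIT, b""))
        first = encode(SOLICIT, xid, opts)
    trace.append(NAMES[first[0]])
    reply = server.handle(first)
    trace.append(NAMES[reply[0]])
    if reply[0] == ADVERTISE:                                              # four-message exchange continues
        _t, _x, adv = decode(reply)
        req = encode(REQUEST, xid, [(OPT_CLIENTID, duid), (OPT_SERVERID, option(adv, OPT_SERVERID)),
                                     (OPT_IA_NA, option(adv, OPT_IA_NA))])
        trace.append(NAMES[REQUEST])
        reply = server.handle(req)
        trace.append(NAMES[reply[0]])
    _t, _x, final = decode(reply)
    raw_dns = option(final, OPT_DNS) or b""
    dns = [str(ipaddress.IPv6Address(raw_dns[i:i + 16])) for i in range(0, len(raw_dns), 16)]
    return trace, assigned_address(final), dns


if __name__ == "__main__":
    srv = Server(b"\x00\x01srv", "2001:db8:1::/64", ["2001:db8::53"])
    for mode in ("stateless", "stateful", "rapid"):
        print(mode, run_client(srv, b"\x00\x01" + mode.encode(), mode))
```

Note what the server does on a plain SOLICIT: it offers the next free address but does not commit it until the REQUEST names this server. With rapid commit it commits on the SOLICIT, which is exactly the wasted-address problem with several servers.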

DHCPv6 server

ipv6 dhcp pool {name}
dhcp> dns-server {ipv6 addr}
dhcp> domain-name {name}
dhcp> address prefix {prefix/len} [lifetime {valid} {preferred} | infinite]
int> ipv6 dhcp server {pool}

DHCPv6 gateway

int> ipv6 nd managed-config-flag
int> ipv6 nd prefix {prefix} no-autoconfig

If the A flag is left set together with M, Linux and Windows both generate a SLAAC address and receive an address from DHCPv6; no-autoconfig clears A so only the DHCPv6 address is used.

Prefix Delegation

The DHCPv6-PD extension (IA_PD option) can be used to delegate globally routable prefixes to a requesting router, in addition to a “regular” global address (IA_NA).

ICMPv6

Address resolution

NDP

Messages:

  • Router solicitation (ICMPv6 type 133)
  • Router advertisement (type 134)
  • Neighbor solicitation (type 135)
  • Neighbor advertisement (type 136)
  • Redirect (type 137)

RS/RA

RA flags: AOM

  • Address autoconfiguration (A, per prefix in the Prefix Information option) - Use SLAAC for this prefix?
  • Other configuration (O) - Fetch other information (DNS, domain) from stateless DHCPv6?
  • Managed address (M) - Fetch addresses from stateful DHCPv6?

Default flags: A1 O0 M0

ipv6 nd other-config-flag
ipv6 nd managed-config-flag

Additional flags:

  • L / On-link - Whether the prefix can be reached directly without being routed. Independent of A: a prefix can be used for SLAAC (A=1) while being off-link (L=0), in which case all traffic, including to neighbours in the same prefix, is sent to the default gateway.

The show ipv6 interface {} command includes most information sent in RA messages. The sending of RA messages is triggered with ipv6 unicast-routing

Router preference (RFC 4191): Which gateway to use when several routers advertise. Encoded as a 2b signed value in the RA flags byte: 01 = High (+1), 00 = Medium (0), 11 = Low (-1); 10 is reserved and treated as Medium. So “High” is 01 while “Low” is 11, which only looks inverted if you read the bits as unsigned.

ipv6 nd router-preference {high | medium | low}

Timers:

  • Advertisement interval, random value between max and min to avoid synchronisation (IOS default max 200s)
  • Router lifetime, maximum time the router should be considered usable as a default gateway (IOS default 1800s); 0 means “do not use me as a gateway” while the prefixes are still advertised
  • Valid lifetime, maximum time an address remains valid (30d)
  • Preferred lifetime, length of time an address is preferred (7d)

ipv6 nd ra interval {max [min]} | msec {max [min]}
ipv6 nd ra lifetime {seconds}

ipv6 nd prefix {prefix/len} {valid-lifetime} [preferred-lifetime]

!Other options...
ipv6 nd prefix {prefix | default} [no-advertise] [off-link | no-rtr-address | no-autoconfig | no-onlink]

RA DNS advertisement: Defined in RFC 6106 (updated by RFC 8106), includes RDNSS (option 25) and DNS Search List (option 31).

ipv6 nd ra dns server {address} {lifetime}

Solicited unicast RA: Used to reduce amount of RA traffic seen by devices, when enabled the RA will be sent unicast to whoever sends an RS.

ipv6 nd ra solicited unicast

RA suppression: RAs are sent by default on all IPv6 enabled Ethernet interfaces. Can be suppressed with ipv6 nd ra suppress [all]; without the all keyword only periodic RAs are suppressed and solicited RAs are still answered.

Gateway failover with RA: lower the RA interval and the router lifetime so hosts drop a dead gateway quickly.

int> ipv6 nd ra interval msec {}
int> ipv6 nd ra lifetime {}

Multicast

Routers do not automatically filter forwarding based on the scope field in the IPv6 group address, with the exception of link-local (ff02::/16), which is never forwarded; other scopes need an explicit multicast boundary configured on the interface. It is also worth noting that the scope field can differ and still be “the same group”: ff02::2 and ff05::2 are both all IPv6 routers, at link-local and site-local scope respectively.

MLD

MLD is IPv6’s equivalent of IGMP and is carried in ICMPv6 (types 130 Query, 131 Report, 132 Done for MLDv1; 143 for the MLDv2 Report).

Solicited node multicast

L3: ff02:0:0:0:0:1:ffXX:XXXX/104 + the last 24b (1.5 hextets) of the unicast address.
L2: 33-33-FF-{last 24b}, since any IPv6 multicast group maps to 33-33 plus the low 32b of the group address.
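Added example (mine, not from the notes or Cisco) covering the EUI-64 and U/L bit notes above and the solicited-node mapping here in one place: from a constructed MAC it derives the modified EUI-64 interface ID, the link-local and a global SLAAC address, the solicited-node group for either, and the 33:33 L2 address. The MAC and the 2001:db8 prefix are made up.

```python
"""Modified EUI-64, link-local and solicited-node derivation (added example, not from the notes).

Covers the U/L bit flip, the EUI-64 SLAAC interface ID and the solicited-node
multicast group with its 33:33 L2 mapping. The MAC and prefix are constructed.
"""
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def modified_eui64(mac):
    """48b MAC -> 64b interface ID: insert ff:fe in the middle and invert the U/L bit (bit 7 of octet 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Inverted unconditionally (as Cisco IOS does): 00 -> 02, but an already "local" 02 becomes 00
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local(mac):
    return slaac_address("fe80::/64", mac)


def solicited_node(address):
    """ff02::1:ffXX:XXXX with the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def multicast_mac(group):
    """L2 destination for any IPv6 multicast group: 33:33 + low 32 bits of the group address."""
    low32 = ipaddress.IPv6Address(group).packed[12:]
    return "33:33:" + ":".join("%02x" % b for b in low32)


if __name__ == "__main__":
    mac = "00:1c:2f:3a:4b:5c"                        # constructed MAC, U/L bit clear
    glob = slaac_address("2001:db8:1::/64", mac)
    print("EUI-64 IID     :", modified_eui64(mac).hex())
    print("link-local     :", link_local(mac))
    print("global         :", glob)
    print("solicited-node :", solicited_node(glob), "->", multicast_mac(solicited_node(glob)))
    print("all-nodes ff02::1 ->", multicast_mac("ff02::1"))
```

Because the solicited-node group depends only on the low 24 bits, the link-local and the global address of the same EUI-64 host join the same group; an attacker who knows a host’s MAC can compute both its addresses and the exact group to target with a spoofed NA.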

First-hop Security features

RA Guard

Similar to ip dhcp snooping trust, but with the option to define a policy.

ipv6 nd raguard policy {name}
policy> device-role {host | router | monitor | switch}
policy> [additional filters] ! match ipv6 access-list, match ra prefix-list, hop-limit, managed-config-flag, other-config-flag, router-preference maximum
policy> trusted-port ! Bypasses all checks on the port

int> ipv6 nd raguard attach-policy {name}
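Added example (mine, not from the notes and not the IOS implementation) that covers the RA section above and RA Guard together: a parser for an ICMPv6 Router Advertisement (M/O flags, the 2-bit router preference, lifetimes, Prefix Information, MTU and RDNSS options) and a policy check in the spirit of the match options listed above, run over a constructed legitimate RA and a constructed rogue one. The policy keys, link-local router addresses and prefixes are assumptions for the sample.

```python
"""ICMPv6 RA parser with an RA Guard style policy check (added example, not from the notes or IOS).

Covers the M/O flags, the 2-bit router preference encoding, lifetimes, the
Prefix Information (3), MTU (5) and RDNSS (25) options, and a policy in the
spirit of the IOS match options. Messages, addresses and policy are constructed.
"""
import ipaddress
import struct

RA_TYPE = 134
PREF_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}                    # 2-bit signed: +1, 0, -1
PREF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}   # 10 is reserved -> medium
PREF_RANK = {"low": -1, "medium": 0, "high": 1}
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def build_ra(hop_limit, managed, other, preference, lifetime, prefixes, rdnss=(), mtu=None):
    """Constructed RA from (prefix, L, A, valid, preferred) tuples; ICMPv6 checksum left as 0."""
    flags = (managed << 7) | (other << 6) | (PREF_BITS[preference] << 3)
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, hop_limit, flags, lifetime, 0, 0)
    if mtu is not None:
        msg += struct.pack("!BBHI", 5, 1, 0, mtu)
    for prefix, on_link, autonomous, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        msg += struct.pack("!BBBBIII", 3, 4, net.prefixlen, (on_link << 7) | (autonomous << 6),
                           valid, preferred, 0) + net.network_address.packed
    if rdnss:
        msg += struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, lifetime)
        msg += b"".join(ipaddress.IPv6Address(s).packed for s in rdnss)
    return msg


def parse_ra(msg):
    typ, _code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "preference": PREF_NAMES[(flags >> 3) & 0b11], "router_lifetime": lifetime,
          "prefixes": [], "rdnss": [], "mtu": None}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")        # RFC 4861: discard the packet
        opt = msg[off:off + olen * 8]
        if otype == 3:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", opt[2:16])
            ra["prefixes"].append({"prefix": ipaddress.IPv6Network((opt[16:32], plen), strict=False),
                                   "L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == 5:
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        elif otype == 25:
            ra["rdnss"] = [str(ipaddress.IPv6Address(opt[i:i + 16])) for i in range(8, len(opt), 16)]
        off += olen * 8
    return ra


def ra_guard(policy, src, ra):
    """Return (permit, reasons). Emulates RA Guard match logic; it is not the IOS implementation."""
    reasons = []
    if policy.get("device_role", "host") == "host":
        return False, ["device-role host: RAs are never accepted from this port"]
    if ipaddress.IPv6Address(src) not in LINK_LOCAL:
        reasons.append("RA source %s is not link-local" % src)
    if "routers" in policy and src not in policy["routers"]:
        reasons.append("router %s not in access-list" % src)
    if "prefixes" in policy:
        allowed = [ipaddress.IPv6Network(p) for p in policy["prefixes"]]
        for p in ra["prefixes"]:
            if not any(p["prefix"].subnet_of(n) for n in allowed):
                reasons.append("prefix %s not in prefix-list" % p["prefix"])
    if "hop_limit_min" in policy and 0 < ra["hop_limit"] < policy["hop_limit_min"]:   # 0 = unspecified
        reasons.append("hop limit %d below minimum" % ra["hop_limit"])
    for flag, key in (("M", "managed_flag"), ("O", "other_flag")):
        if key in policy and ra[flag] != policy[key]:
            reasons.append("%s flag is %s, policy wants %s" % (flag, ra[flag], policy[key]))
    if "max_preference" in policy and PREF_RANK[ra["preference"]] > PREF_RANK[policy["max_preference"]]:
        reasons.append("router preference %s above maximum" % ra["preference"])
    return not reasons, reasons


POLICY = {"device_role": "router", "routers": {"fe80::1"}, "prefixes": ["2001:db8:1::/48"],
          "hop_limit_min": 64, "managed_flag": False, "other_flag": True, "max_preference": "medium"}
LEGIT_RA = build_ra(64, 0, 1, "medium", 1800, [("2001:db8:1::/64", 1, 1, 2592000, 604800)], rdnss=["2001:db8::53"])
ROGUE_RA = build_ra(64, 0, 0, "high", 1800, [("2001:db8:dead::/64", 1, 1, 2592000, 604800)], mtu=1280)

if __name__ == "__main__":
    for name, src, raw in (("legit", "fe80::1", LEGIT_RA), ("rogue", "fe80::bad", ROGUE_RA)):
        print(name, parse_ra(raw)["preference"], ra_guard(POLICY, src, parse_ra(raw)))
```

The rogue RA is the classic one: a new prefix, “high” router preference to win the default router selection, and the O flag cleared so hosts stop asking the legitimate DHCPv6 server for DNS. A device-role host policy never gets as far as the match options, which is why that is the right role for access ports.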

ND Inspection

Neighbor Discovery inspection creates a binding table of IPv6-to-MAC mappings per port and VLAN and drops ND messages that don’t match the binding for the port.

ND inspection does not drop spoofed data traffic, only spoofed ND messages; IPv6 source guard is needed for the data plane.

ipv6 nd inspection policy {name}
policy> drop-unsecure
policy> sec-level minimum {} ! For CGA/SEND addresses
policy> device-role {host | monitor | router}
policy> tracking ! Override default tracking
policy> trusted-port ! Bypasses all checks on the port

int> ipv6 nd inspection [attach-policy {name}] [vlan {add | except | none | remove | all} {vlan-list}]

! Static binding
ipv6 neighbor binding vlan {vlan} {ipv6 addr} interface {int} {mac}

show ipv6 snooping ...
show ipv6 neighbor binding

Binding table

Common binding table used by the IPv6 first-hop security (FHS) features.

The table contains:

  • Interface (port)
  • MAC addr
  • VLAN
  • IPv6 addr

The binding table can be populated with:

  • ND Inspection
  • RA Guard
  • DHCPv6 guard
  • Static bindings

ipv6 snooping policy {}
policy> security-level glean

show ipv6 snooping
show ipv6 neighbor binding

IPv6 glean is used when information is missing in the binding table, by querying DHCP or using ND.

DHCPv6 guard

Very similar to IPv4 DHCP snooping.

Only “server” type messages (ADVERTISE, REPLY, RELAY-REPLY) are inspected, all client messages are allowed. Not supported on EtherChannel interfaces.

ipv6 dhcp guard policy {name}
policy> device-role {server | client}
policy> match server access-list {} ! Whitelist servers and relays
policy> match reply prefix-list {} ! Whitelist prefixes in replies
policy> preference {min | max} {}

int> ipv6 dhcp guard attach-policy {}

Device tracking

Tracks whether a device is active or not for the purpose of immediately updating the binding table. Device tracking relies on other first-hop security features to populate the binding table.

ipv6 neighbor tracking [retry-interval value]

Source guard

Denies traffic based on information in the IPv6 binding table: a frame is only forwarded if its source address is bound to the ingress port, so the spoofed data traffic that ND inspection lets through is dropped here.

ipv6 source-guard policy {name}
policy> permit link-local
policy> deny global-autoconfig

int> ipv6 source-guard attach-policy {name}

Prefix guard

A part of source guard that validates that the source prefixes used make sense topologically (the prefix has been seen on this VLAN). Prefix guard gets its information from:

  1. Glean in RA
  2. Glean in DHCP (prefix delegation)
  3. Static config

ipv6 source-guard policy {name}
policy> validate-prefix

int> ipv6 source-guard attach-policy {name}
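Added example (mine, not Cisco’s implementation) that emulates the binding table, ND inspection, source guard and prefix guard notes above on constructed events and frames. Bindings are gleaned from a DHCPv6 reply and from NAs, a prefix from an RA; then the same spoofed frames are judged by ND inspection and by source guard with the permit link-local, deny global-autoconfig and validate-prefix knobs. Port names, MACs, VLAN and addresses are made up.

```python
"""Binding table, ND inspection and source/prefix guard emulation (added example, not IOS code).

Constructed first-hop events populate one binding table; nd_inspection() and
source_guard() then judge constructed frames, showing that ND inspection only
polices ND messages while source guard polices data, and what permit
link-local, deny global-autoconfig and validate-prefix change.
"""
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass(frozen=True)
class Binding:
    vlan: int
    port: str
    mac: str
    ip: ipaddress.IPv6Address
    origin: str            # "dhcp", "nd" or "static": how the entry was learned


class BindingTable:
    def __init__(self):
        self.entries = set()
        self.prefixes = {}   # vlan -> prefixes gleaned from RA, DHCP-PD or static config (prefix guard)

    def learn(self, event):
        """Glean from constructed FHS events: RA/PD/static prefix -> prefix; DHCP reply, NA or static -> binding."""
        if event["kind"] in ("ra", "dhcp_pd", "static_prefix"):
            self.prefixes.setdefault(event["vlan"], set()).add(ipaddress.IPv6Network(event["prefix"]))
            return
        origin = {"dhcp_reply": "dhcp", "na": "nd", "static": "static"}[event["kind"]]
        self.entries.add(Binding(event["vlan"], event["port"], event["mac"].lower(),
                                 ipaddress.IPv6Address(event["ip"]), origin))

    def lookup(self, vlan, port, ip):
        return next((b for b in self.entries if (b.vlan, b.port, b.ip) == (vlan, port, ip)), None)


def nd_inspection(table, frame):
    """Drop ND messages whose (source IP, MAC) is not bound to the ingress port; data frames are not examined."""
    if frame["kind"] != "nd":
        return "permit"
    b = table.lookup(frame["vlan"], frame["port"], ipaddress.IPv6Address(frame["src_ip"]))
    return "permit" if b and b.mac == frame["src_mac"].lower() else "drop"


def source_guard(table, frame, permit_link_local=False, deny_global_autoconfig=False, validate_prefix=False):
    """Forward data only from sources bound to the ingress port, with the three policy knobs from the notes."""
    ip = ipaddress.IPv6Address(frame["src_ip"])
    if ip in LINK_LOCAL and permit_link_local:
        return "permit"                                  # link-local allowed without a binding
    if validate_prefix and ip not in LINK_LOCAL:
        if not any(ip in net for net in table.prefixes.get(frame["vlan"], ())):
            return "drop"                                # prefix never seen on this VLAN: topologically wrong
    b = table.lookup(frame["vlan"], frame["port"], ip)
    if b is None or b.mac != frame["src_mac"].lower():
        return "drop"                                    # unbound or MAC mismatch: spoofed
    if deny_global_autoconfig and b.origin == "nd" and ip not in LINK_LOCAL:
        return "drop"                                    # SLAAC global address; only DHCP-assigned allowed
    return "permit"


def build_table():
    """Constructed events on VLAN 10: one DHCP client, one SLAAC host that also claims a foreign prefix via NA."""
    table = BindingTable()
    for ev in (
        {"kind": "ra", "vlan": 10, "prefix": "2001:db8:10::/64"},
        {"kind": "dhcp_reply", "vlan": 10, "port": "Gi1/0/1", "mac": "aa:bb:cc:00:00:01", "ip": "2001:db8:10::100"},
        {"kind": "na", "vlan": 10, "port": "Gi1/0/2", "mac": "aa:bb:cc:00:00:02", "ip": "fe80::a8bb:ccff:fe00:2"},
        {"kind": "na", "vlan": 10, "port": "Gi1/0/2", "mac": "aa:bb:cc:00:00:02", "ip": "2001:db8:10:0:a8bb:ccff:fe00:2"},
        {"kind": "na", "vlan": 10, "port": "Gi1/0/2", "mac": "aa:bb:cc:00:00:02", "ip": "2001:db8:99::5"},
    ):
        table.learn(ev)
    return table


# Constructed frames; spoofed_* steal host 1's address from another port, wrong_prefix is ND-gleaned but not on-VLAN
FRAMES = {
    "legit_data": {"kind": "data", "vlan": 10, "port": "Gi1/0/1", "src_mac": "aa:bb:cc:00:00:01", "src_ip": "2001:db8:10::100"},
    "spoofed_data": {"kind": "data", "vlan": 10, "port": "Gi1/0/3", "src_mac": "aa:bb:cc:00:00:03", "src_ip": "2001:db8:10::100"},
    "spoofed_na": {"kind": "nd", "vlan": 10, "port": "Gi1/0/3", "src_mac": "aa:bb:cc:00:00:03", "src_ip": "2001:db8:10::100"},
    "slaac_data": {"kind": "data", "vlan": 10, "port": "Gi1/0/2", "src_mac": "aa:bb:cc:00:00:02", "src_ip": "2001:db8:10:0:a8bb:ccff:fe00:2"},
    "wrong_prefix": {"kind": "data", "vlan": 10, "port": "Gi1/0/2", "src_mac": "aa:bb:cc:00:00:02", "src_ip": "2001:db8:99::5"},
    "unbound_ll": {"kind": "data", "vlan": 10, "port": "Gi1/0/4", "src_mac": "aa:bb:cc:00:00:04", "src_ip": "fe80::4"},
}

if __name__ == "__main__":
    t = build_table()
    for name, fr in FRAMES.items():
        strict = source_guard(t, fr, permit_link_local=True, deny_global_autoconfig=True, validate_prefix=True)
        print("%-13s nd-inspection=%-6s source-guard=%-6s strict-policy=%s"
              % (name, nd_inspection(t, fr), source_guard(t, fr), strict))
```

The wrong_prefix case is why prefix guard exists: ND snooping dutifully learns whatever a host claims in an NA, so a binding alone would let 2001:db8:99::5 through; validate-prefix rejects it because no RA, PD or static config ever put that prefix on VLAN 10.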

Study resources

Books used, ranked by most value for time spent:

I have also used the IOS XE 16.2.x configuration guide extensively.

Various links I’ve found useful:


Got feedback or a question?
Feel free to contact me at hello@torbjorn.dev