Saturday, November 18, 2017

IPv6

Address Privacy

The privacy of autoconfigured IPv6 addresses using the interface identifier was a major issue in the IETF. If an IPv6 address is built using the MAC identifier, your Internet access could be traced because this identifier is unique to your interface. Part of the concern is the result of a misunderstanding. An IPv6 node can have an address based on the interface identifier, but this is not a requirement. As an alternative, the IPv6 device can have an address like the ones currently used with IPv4, either static and manually configured or dynamically assigned by a DHCP server. In early 2001, RFC 3041, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6," was published, introducing a new kind of address available only in IPv6 that contains a random number in place of the factory-assigned serial number. This address can also change over time. An Internet device that is a target for IP communication—for instance, a web or FTP server—needs a unique and stable IP address. But a host running a browser or an FTP client does not need to have the same address every time it connects to the Internet. Some organizations have modified their DHCPv6 server to generate random interface identifiers according to RFC 3041, rotate those identifiers regularly, and maintain audit tables of the address assignments. This way, they use DHCPv6 to manage their address space but prevent anyone from topology mapping their network or tracking their nodes. With the address architecture in IPv6, you can choose between two types of addresses:

Unique stable IP addresses: Assigned through manual configuration, a DHCP server, or autoconfiguration using the interface identifier.
Temporary transient IP addresses: Assigned using a random number in place of the interface identifier.

The Interface ID

Addresses in the prefix range 001 to 111 should use a 64-bit interface identifier that follows the EUI-64 (Extended Unique Identifier) format (except for multicast addresses with the prefix 1111 1111). The EUI-64 is a unique identifier defined by the Institute of Electrical and Electronics Engineers (IEEE); for more information, refer to http://standards.ieee.org/regauth/oui/tutorials/EUI64.html. Appendix A of RFC 4291 explains how to create EUI-64 identifiers, and more details can be found in the link-specific RFCs, such as "IPv6 over Ethernet" or "IPv6 over FDDI." Chapter 7 and Appendix A of this book contain a short discussion and a complete list of these RFCs, respectively.

A host uses an identifier following the EUI-64 format during autoconfiguration. For example, when our host Marvin autoconfigures for a link-local address on an Ethernet interface using its MAC address, the 64-bit interface identifier has to be created from the 48-bit (6-byte) Ethernet MAC address. First, the hex digits 0xff-fe are inserted between the third and fourth bytes of the MAC address. Then the universal/local bit, the second low-order bit of 0x00 (the first byte) of the MAC address, is complemented. The second low-order bit of 0x00 is 0, which, when complemented, becomes 1; as a result, the first byte of the MAC address becomes 0x02. Therefore, the IPv6 interface identifier corresponding to the Ethernet MAC address 00-02-b3-1e-83-29 is 02-02-b3-ff-fe-1e-83-29. This example discusses only the EUI-64 creation process. Many other steps occur during autoconfiguration.

The link-local address of a node is the combination of the prefix fe80::/64 and a 64-bit interface identifier expressed in IPv6 colon-hexadecimal notation. Therefore, the MAC-based link-local address of the previous example node, with prefix fe80::/64 and interface identifier 02-02-b3-ff-fe-1e-83-29, is fe80::202:b3ff:fe1e:8329. This process is described in RFC 2464, "Transmission of IPv6 Packets over Ethernet Networks."
Hagen, S. (2014). IPv6 essentials. O'Reilly.
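
The EUI-64 construction quoted above, together with the reverse check that shows why the privacy concern exists, as an added example (not code from Hagen's book or from this post). The function names are hypothetical, and the sample addresses under 2001:db8::/32 are constructed.

```python
import ipaddress

def mac_to_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit (6-byte) MAC address")
    # Complement the universal/local bit (0x02) of the first byte and
    # insert ff-fe between the third and fourth bytes.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def link_local(mac: str) -> ipaddress.IPv6Address:
    """Combine the prefix fe80::/64 with the MAC-derived identifier."""
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("fe80::")) | iid)

def embedded_mac(addr: str):
    """Return the MAC an address reveals, or None if none is recoverable.

    Heuristic: ff-fe in the middle of the interface identifier marks the
    EUI-64 construction; a random identifier matches by chance 1 in 65536.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02x}" for b in mac)

# Constructed sample addresses (2001:db8::/32 is the documentation prefix).
SAMPLE = [
    "fe80::202:b3ff:fe1e:8329",        # the link-local address from the text
    "2001:db8::202:b3ff:fe1e:8329",    # same interface, global prefix
    "2001:db8::5c3a:91d2:7e04:b6f1",   # random (temporary) identifier
]

def audit(addresses):
    """Map each address to the MAC it leaks, or None."""
    return {a: embedded_mac(a) for a in addresses}

if __name__ == "__main__":
    print(link_local("00-02-b3-1e-83-29"))
    for addr, mac in audit(SAMPLE).items():
        print(f"{addr:32} {mac or 'no MAC recoverable'}")
```

The same MAC is recovered from the link-local and the global address, which is what lets an observer follow one interface across prefixes; the random identifier yields nothing.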




Given that the IPv6 class has so many IP addresses available, could we get rid of MAC address assignments and ARP? If every device in the world had a unique IPv6 address, wouldn't this be sufficient to route traffic globally? Wouldn't this be a lot like having a public phone number, in that you could easily identify a single device globally? We could get rid of switches altogether and just have a world of routers.

The first point I would like to make is that each company has to plan whether it wants a total transition from IPv4 to IPv6. Many articles and books conclude that it is worthwhile if done with full approval from the organization, while pointing out that the process can be very complex and is not sure to succeed. Let's check some information.
Transition methods such as dual-stack protocols, tunneling IPv6 through IPv4 and vice versa, and/or translating addresses using NAT-PT could handle most incompatibility problems, as Angelescu (2010) summarizes in the IPv6 chapter. Here we can see that we could get rid of MAC addresses and ARP by using ICMPv6 and encapsulation, at the cost, of course, of a little overhead in the IP header. Another author, Clafani (2017), summarizes these issues in 5 main situations (negative and positive) where IPv6 could handle the organization's data flow better:
1) Concern 1 – Selling the Migration Internally to CIO/CFO
2) Concern 2 – The Cost
3) Concern 3 – Complexity
4) Concern 4 – Dealing with Legacy System Issues
5) Concern 5 – Cleaning Current IPv4 Inventory
Working through those 5 concerns, I found that ProVision's IP Address Management (IPAM) can show which devices will have problems with the transition, thus saving time and managing the problem of legacy devices. Of course, neither the TechNet article nor Clafani says that this is flawless, but it is being used successfully by many companies.
IPv6 doesn't use broadcast as IPv4 does (here we have an incredible evolution), so it uses NDP and ICMPv6, avoiding overhead in the IP header at the beginning but incurring overhead for network security, for example IPsec. Still, even when using encapsulation programs to resolve some incompatibilities, we will face the fact that IPv4 does not support the quality-of-service provisions of IPv6, so the quality benefits will not be fully obtained, and few results will be seen until a large number of others also upgrade their equipment (Irvine, 2002).
When I read Clafani's article, my conclusion was that the majority of the problems have more than one solution, and that most transitions haven't occurred yet because many companies don't see the cost benefit of the transition and the timeline for a transition in a big company is not clear to everybody.
Sure, some articles and forums say that we have CIDR, NAT and PAT, and that they have helped to postpone the inevitable lack of addresses, but we will run out of them (Lammle, 2013).
This article from ISOC points out again that NAT will not resolve this issue forever, so the implementation of IPv6, or another new protocol that tackles this problem, is inevitable.
So why has it taken so long for IPv6 to be implemented? ISOC (n.d.)
“The imminent need to migrate systems to the IPv6 protocol does not exist the way we saw with Y2K (Millennium bug). As a result, enterprises have frequently decided to postpone investment in the transition. One of the reasons is that IPv6 deployment is a necessary upgrade procedure that requires the investment of human and capital resources, but does not offer clear short-term return. There are also workarounds, such as the introduction of Network Address Translation (NAT) that allows organizations to extend their addresses to more devices.  These workarounds are costly and not viable in the long-term. The only way forward is to adopt IPv6. The time to adopt is now - and many organizations have already initiated, and even completed the transition process. This is why many organizations have recently joined World IPv6 Day.”

Since we have ICMPv6 to substitute for ARP, we can use a dual-stack protocol, 6to4, or tunneling to transmit the data. I found it useful to read this question (Stack). As we can read in Tamera (2017):
“For example, the ICMP protocol described next works on both IPv4 and IPv6 networks, but the IGMP and ARP protocols are used only on IPv4 networks. Let’s see how these three protocols work. IPv6 relies on ICMPv6 (Internet Control Message Protocol for use with IPv6) to perform the functions that ICMPv4, IGMP, and ARP perform in IPv4. In other words, ICMPv6 on IPv6 networks performs the functions of IGMP and ARP on IPv4 networks to detect and report data transmission errors, discover other nodes on a network, and manage multicasting.”
But remember that, even with the dual-stack protocol, not all devices will be compatible without MAC and ARP (Layer 2) as the main transport and discovery protocol. This requires some management programs to resolve it and more investment in new equipment with the new protocols.

References:
Angelescu, S. (2010). CCNA Certification. Hoboken: For Dummies. Imprint.
Clafani. (2017, August 25). Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018. Retrieved from https://www.6connect.com/resources/top-5-concerns-of-network-admins-about-migrating-to-ipv6/
Dean, T. (2013). Network+ guide to networks. Australia: Course Technology, Cengage.
can IPv6 eliminate mac address. (2012, December). Retrieved from https://stackoverflow.com/questions/13834515/can-ipv6-eliminate-mac-address
Hagen, S. (2014). IPv6 essentials. O'Reilly.
IP Address Management (IPAM) Overview. (2014, April 15). Retrieved from https://technet.microsoft.com/en-us/library/hh831353(v=ws.11).aspx
Irvine, J., & Harle, D. (2002). Data communications and networks: An engineering approach. Chichester, West Sussex: Wiley.
Internet Society. (n.d.). IPv6 - Frequently Asked Questions on IPv6 adoption and IPv4 exhaustion. Retrieved from https://www.isoc.org/internet/issues/ipv6_faq.shtml#q12
Lammle, T., & Swartz, J. (2013). CCNA data center: Introducing Cisco data center networking.





