RIPng

RIPng Routing Protocol
RFC 2080 defines Routing Information Protocol next generation (RIPng), a simple routing protocol based on RIPv2. It keeps the same characteristics: it is a distance-vector routing protocol with a maximum of 15 hops, and it uses split horizon and poison reverse. RIPng is neither less nor more powerful than RIP; it supports IPv6 networks without a new routing protocol having to be built.
RIPng has the following features:
  • Based on RIPv2 and similar to it
  • Uses IPv6 as transport
  • Includes the IPv6 prefix and the next-hop IPv6 address
  • Uses the multicast group address FF02::9 (the IPv6 multicast address identifying all RIPng routers on the link) to send updates; this is similar to the broadcast function in RIP
  • Sends updates on UDP port 521

RIPng is supported by Cisco IOS Release 12.2(2)T and later. In dual-stacked deployments, both RIP and RIPng are required.

Configuring IPv6 addresses
First, enable IPv6 traffic forwarding on the Cisco router (disabled by default) by entering the command "ipv6 unicast-routing" at the global configuration level. Then configure the address of the interface, either manually or with the EUI-64 standard (both described below).
  • Manual interface ID assignment. One way to statically define the IPv6 address of a device is to manually configure both the network (prefix) and the interface ID. To assign an IPv6 address to an interface on a Cisco router, enter the following command at the interface configuration level:
ipv6 address ipv6-address/prefix-length
ipv6-address: the address of the interface in IPv6 notation, for example 2001:A58E:9CD:2947::49
prefix-length: the length of the prefix (network) portion, for example /64

  • EUI-64 interface ID assignment. The EUI-64 standard defines how to stretch the 48-bit MAC address of the interface into the 64-bit interface ID used for IPv6. The conversion is done by inserting the four hexadecimal digits "FFFE" after the 24th bit of the MAC address, that is, between the OUI and the vendor-assigned part. For example, the MAC address 00:0c:4F:90:27:FC becomes 00:0c:4F:FF:FE:90:27:FC. To assign an IPv6 address with the EUI-64 scheme to an interface on a Cisco router, enter the following command at the interface configuration level:
ipv6 address ipv6-prefix/prefix-length eui-64
ipv6-prefix: the network (prefix) portion of the address
prefix-length: the length of the prefix (network) portion
Example:

ipv6 address 2001:A58E:9CD:2947::/64 eui-64
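The EUI-64 conversion above, as an added example that is not part of the original notes: it builds the interface ID from the page's sample MAC and combines it with the sample /64 prefix. It goes one step beyond the text by also inverting the universal/local bit as RFC 4291 specifies, which is what produces the "modified EUI-64" the router actually installs.

```python
# Added example, not code from the page: derive an IPv6 interface ID from a
# 48-bit MAC the way the EUI-64 section describes and build the full address
# for a /64 prefix. Beyond the text, RFC 4291 additionally inverts the
# universal/local bit (bit 7 of the first octet), giving the "modified
# EUI-64" that the router actually installs on the interface.
import ipaddress


def mac_to_eui64(mac: str) -> bytes:
    """Insert FF:FE after the first 24 bits (the OUI):
    00:0c:4F:90:27:FC -> 00:0C:4F:FF:FE:90:27:FC (the page's example)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    return octets[:3] + b"\xff\xfe" + octets[3:]


def modified_eui64(mac: str) -> bytes:
    """EUI-64 with the U/L bit flipped (0x00 -> 0x02 in the first octet)."""
    eui = bytearray(mac_to_eui64(mac))
    eui[0] ^= 0x02
    return bytes(eui)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the prefix typed in 'ipv6 address <prefix>/64 eui-64' with
    the modified EUI-64 interface ID as the low 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs require a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def colon_hex(raw: bytes) -> str:
    """Render bytes as colon-separated upper-case hex octets."""
    return ":".join(f"{b:02X}" for b in raw)
```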


Cisco IOS IPv6 Name Resolution
There are two ways to perform name resolution in Cisco IOS:
  • Statically define a name for an IPv6 address. Use the following command at the global configuration level:
ipv6 host name [port] ipv6addr [{ipv6addr}..]
name: the hostname for the ipv6addr
port: Telnet port to be used for the associated host
ipv6addr: the address of the hostname; there can be up to four addresses for a given hostname
Example:
ipv6 host router1 2001:A58E:9CD:2947::1

  • Define a DNS server to query. The hostname database is then not located on the local router but on a particular server. Use the following command at the global configuration level:
ip name-server address

address: the address of the server
Example:
ip name-server 2001:A58E:9CD:2947::1



Configuring RIPng
First use the command "ipv6 unicast-routing" to enable IPv6 traffic forwarding. Then create a RIPng process with the command
ipv6 router rip name
name: name/identifier of the RIPng process
The command is entered at the global configuration level. Next, give each interface that is to join RIPng an IPv6 address. After that, instead of the "network" command used to make an interface participate in the RIP process, RIPng uses the command
ipv6 rip name enable
name: name of the RIPng process the interface is to participate in

Enter the command at the interface configuration level (on each interface required to participate in RIPng). The name must match the name given in the "ipv6 router rip" command. Enabling RIPng on an interface dynamically creates the RIPng routing process if it does not exist yet.


Example:
Enable RIPng on a Cisco router named RIP1. Give FastEthernet0/0 the IPv6 address 2001:9cd:1:3::10 and FastEthernet0/1 the address 2001:9cd:1:2::10, and make both FastEthernet0/0 and FastEthernet0/1 participate in the RIP1 process. The commands are:
ipv6 unicast-routing
ipv6 router rip RIP1
!
interface FastEthernet0/0
 ipv6 address 2001:9cd:1:3::10/64
 ipv6 rip RIP1 enable
!
interface FastEthernet0/1
 ipv6 address 2001:9cd:1:2::10/64
 ipv6 rip RIP1 enable

Do not add the "eui-64" keyword when a complete address such as ::10 is given: with that keyword, IOS derives the interface ID from the interface's MAC address and the host part typed in the command is not used.





Instead of the "show ip" commands, use "show ipv6" to see the IPv6-related configuration and state (there are further options such as "show ipv6 route", "show ipv6 interface" and "show ipv6 traffic"; try "show ipv6 ?").

IPv4 provides approximately 3.7 billion assignable addresses out of 4,294,967,296 available addresses. This is because IPv4 divides the addresses into classes, and some of these classes are used for multicasting, research and testing, and other reserved uses. In 2007 about 2.4 billion IPv4 addresses had already been used. Newer technology requires more addresses, including mobile users (PDAs, new mobile phones), transportation (allowing remote monitoring and maintenance) and electronics (home appliances).


Europe, Japan and the Asia-Pacific region have started the transition from IPv4 to IPv6. Japan officially started to move in 2000 and set a deadline of 2005 to upgrade existing systems in every sector. It was followed by Korea, China and Malaysia. The DoD mandated in early 2003 that all new equipment must be IP-enabled and compatible with IPv6.

IPv5 was used to define an experimental real-time streaming protocol.

Not only does IPv6 provide more addresses than IPv4, it is also easier to use, has a simplified header and is more secure. Devices have been evolving from stationary into mobile devices; in IPv6, mobile devices can roam between network regions without breaking the network connection. The simplified header offers several advantages:
  • Better routing efficiency
  • No broadcasts, which avoids the potential threat of a broadcast storm
  • No checksum processing
  • A flow label field, so there is no need to open the inner packet to identify the various traffic flows


IPv6 Representation
An IPv6 address is 128 bits long. It is represented as a series of eight 16-bit fields, each separated by a colon, for example 1031:40BF:A03C:0000:5031:04DE:0000:0000. The representation can be shortened using the following rules:
  • Leading zeros in a field may be omitted: the field 04DE can be written as 4DE, and the field 0000 can be written as 0.
  • One or more successive all-zero fields can be represented by a double colon "::"; the fields 0000:0000 can be written as ::. This may be done only once in an address, otherwise the number of omitted fields would be ambiguous.

The example above can therefore be shortened to 1031:40BF:A03C:0:5031:4DE::.
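The two shortening rules applied to the page's example, as an added example that is not from the original notes. It goes a little beyond the text by implementing the RFC 5952 tie-break ("::" replaces only the longest run of zero fields, the first one on a tie, and must cover at least two fields) and cross-checks the result with Python's ipaddress module.

```python
# Added example (not part of the original page): apply the two shortening
# rules from the text to a full eight-field IPv6 address. Beyond the page's
# example it also applies the RFC 5952 tie-break: "::" replaces only the
# longest run of zero fields (the first one on a tie) and must cover at
# least two fields.
import ipaddress


def compress_ipv6(full: str) -> str:
    fields = full.split(":")
    if len(fields) != 8:
        raise ValueError("expected the full eight-field form")
    # Rule 1: drop leading zeros in each 16-bit field ("04DE" -> "4DE", "0000" -> "0").
    fields = [f.lstrip("0") or "0" for f in fields]

    # Rule 2: locate the longest run of consecutive "0" fields (length >= 2).
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] == "0":
            j = i
            while j < 8 and fields[j] == "0":
                j += 1
            if j - i > best_len:          # strictly longer: first run wins a tie
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(fields)
    left = ":".join(fields[:best_start])
    right = ":".join(fields[best_start + best_len:])
    return f"{left}::{right}"


def same_address(a: str, b: str) -> bool:
    """True if two textual forms denote the same 128-bit address."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)
```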


Global Unicast Address
IPv6 has a block of global unicast addresses, that is, addresses that are globally unique and routable. Such an address typically consists of a 48-bit global routing prefix followed by a 16-bit subnet ID. An organization can divide a given global unicast address block into subnets, with a maximum of 65,535 subnets for each block. Currently, IANA uses the range of addresses that starts with the binary value 001 (2000::/3), which is 1/8 of the total IPv6 address space. IANA allocates addresses in the range 2001::/16 to the five RIRs (ARIN, RIPE, APNIC, LACNIC, AfriNIC).

Reserved Address
The IETF has reserved 1/256 of the total IPv6 address space for various uses, both present and future.

Private Address
IPv6 has private addresses (just as IPv4 does) for local use only; they are not to be routed outside a particular private network. These addresses start with the first octet value "FE" in hexadecimal notation, with the next hexadecimal digit being a value between 8 and F.
These addresses are further divided into two types:
  • Site-local addresses. These correspond to the private addresses of RFC 1918 for IPv4. The scope of these addresses is an entire site. However, the use of site-local addresses is problematic and is being deprecated, as stated by RFC 3879 in 2003. Site-local addresses begin with the two hexadecimal digits "FE" and a third digit in the range "C" to "F".
  • Link-local addresses. Link-local addresses are a new concept in IP networking. They have a smaller scope than site-local addresses: they refer only to a physical network (physical link), and routers will not forward packets containing these addresses. They are used for link communications such as automatic address configuration, neighbor discovery and router discovery. Many IPv6 routing protocols also use link-local addresses. These addresses begin with the two hexadecimal digits "FE" and a third digit in the range "8" to "B".

Loopback Address
The concept is the same as the loopback address in IPv4. However, in IPv6 there is just one address instead of a whole block for this function. The IPv6 loopback address is 0:0:0:0:0:0:0:1, also written as ::1.

Unspecified Address
In IPv4, a device that does not know its IP address yet sets the source address to all zeros. This is formalized in IPv6: the all-zeros address is named "unspecified" and is typically used in the source field of a datagram sent by a device that is seeking to have its IP address configured. It is also written as ::.
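The address kinds described in the sections above (global unicast 2000::/3, site-local FEC0::/10, link-local FE80::/10, loopback ::1, unspecified ::, plus multicast FF00::/8 which the RIPng group FF02::9 belongs to), put to use as a defender's ingress check, as an added example that is not from the original notes. The sample packets are constructed from the page's addresses.

```python
# Added example (not from the page): classify an IPv6 address into the kinds
# the text describes and use that to sanity-check traffic entering from the
# internet, where only global unicast sources and destinations are legitimate.
import ipaddress

# Prefixes as given in the sections above; most specific first.
_KINDS = [
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),     # FE8x-FEBx
    ("site-local", ipaddress.IPv6Network("fec0::/10")),     # FECx-FEFx (deprecated)
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),  # binary 001...
]


def classify(addr: str) -> str:
    ip = ipaddress.IPv6Address(addr)
    for name, net in _KINDS:
        if ip in net:
            return name
    return "reserved"


def filter_wan_ingress(packets):
    """Packets arriving on the internet-facing interface must carry a global
    unicast source and destination; link-local never leaves the link,
    site-local never leaves the site, and ::/::1 are host-internal. Returns
    (accepted, [(packet, reason), ...])."""
    accepted, rejected = [], []
    for pkt in packets:
        src_kind = classify(pkt["src"])
        dst_kind = classify(pkt["dst"])
        if src_kind != "global unicast":
            rejected.append((pkt, f"source is {src_kind}"))
        elif dst_kind != "global unicast":
            rejected.append((pkt, f"destination is {dst_kind}"))
        else:
            accepted.append(pkt)
    return accepted, rejected


# Constructed sample packets, using addresses from the page's examples.
SAMPLE = [
    {"src": "2001:A58E:9CD:2947::49", "dst": "2001:9cd:1:3::10"},   # legitimate
    {"src": "fe80::20c:4fff:fe90:27fc", "dst": "2001:9cd:1:3::10"}, # leaked link-local
    {"src": "::", "dst": "ff02::1"},                                 # unspecified source
    {"src": "fec0::1", "dst": "2001:9cd:1:2::10"},                   # site-local source
    {"src": "2001:9cd:1:2::10", "dst": "::1"},                       # loopback destination
]
```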


IPv6 addresses have a portion that serves the same function as the host portion of an IPv4 address; it is called the interface identifier. This portion is always 64 bits long and can be dynamically derived from a layer 2 (MAC) address. It can be defined statically or dynamically. The two ways to statically define the interface ID are manual assignment ("ipv6 address ipv6-address/prefix-length") and EUI-64 assignment ("ipv6 address ipv6-prefix/prefix-length eui-64"); both are described with their Cisco IOS commands under "Configuring IPv6 addresses" above.



The two ways to dynamically define the interface ID are:
  • Stateless autoconfiguration. This is the plug-and-play feature of IPv6. It enables devices to connect to the network without any configuration and without any server.
  • DHCPv6 (stateful). This uses a DHCP server to pass address and configuration parameters to IPv6 devices. It provides automatic allocation of reusable addresses and additional configuration flexibility. This feature can be used concurrently with stateless autoconfiguration.


IPv6 Transition
There are many transition mechanisms that enable smooth integration of IPv4 and IPv6. Different situations require different strategies. The common techniques are listed below (recall the advice "dual stack where you can, tunnel where you must"; these two are the most commonly used techniques):
  • Dual stacking. Routers and switches are configured to implement and provide connectivity for both IPv4 and IPv6, with IPv6 being the preferred protocol. This is the recommended option.
  • Tunneling. Several tunneling techniques are available:
    • Manual IPv6-over-IPv4 tunneling. Encapsulates IPv6 packets within the IPv4 protocol. This requires dual-stack routers.
    • Dynamic 6to4 tunneling. Automatically establishes connections between IPv6 networks over an IPv4 network (usually the internet). It dynamically applies a valid IPv6 prefix to each IPv6 network, which enables fast deployment of IPv6 in a corporate network without the need to obtain addresses from ISPs or registries.
    • Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling. This uses the underlying IPv4 network as a link layer for IPv6. It allows IPv4/IPv6 dual-stack hosts within a site to communicate with other such hosts on a virtual link, creating an IPv6 network over the IPv4 infrastructure.
    • Teredo tunneling. This is automatic host-to-host tunneling instead of gateway tunneling. It passes unicast IPv6 traffic when dual-stacked hosts are located behind one or multiple IPv4 NATs.
  • NAT-Protocol Translation (NAT-PT). This allows direct communication between hosts that use different IP protocol versions. The translation is more complex than IPv4 NAT. At this time, this approach is the least favorable and should be used as a last resort (included in Cisco IOS Release 12.3(2)T and later releases with the appropriate feature set).

Cisco IOS Dual Stack
Dual stack is an integration method that allows a node to provide connectivity for both IPv4 and IPv6. Each node has two protocol stacks, configured on the same interface or on multiple interfaces. A dual-stack node should prefer IPv6 when it is available; old IPv4 applications continue to work as before. Cisco IOS Release 12.2(2)T and later (with the appropriate feature set) are IPv6-ready. For a Cisco router to be able to forward IPv6 datagrams, use the global command "ipv6 unicast-routing", then configure every interface that forwards IPv6 traffic with an IPv6 address.

Example: configure interface FastEthernet0/1 to support both IPv4 and IPv6.
ipv6 unicast-routing
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
ipv6 address 2001:A58E:9CD:2947::49/64


When both protocols are configured on the interface, the interface is considered dual-stacked.


IPv6 Tunneling
Tunneling is an integration method that encapsulates IPv6 packets within another protocol, such as IPv4 (when encapsulated in IPv4, protocol type 41 is specified in the IPv4 header). This allows IPv6 networks to be connected without converting any intermediary network to IPv6. Tunneling requires the end routers to be dual-stacked: both border routers must support IPv4 and IPv6 and have their interfaces configured with IPv4 and IPv6 addresses. Tunneling has two drawbacks: it decreases the MTU by 20 octets because of the added IPv4 header, and tunneled networks are often difficult to troubleshoot. Tunneling should not be considered a final solution; a native IPv6 architecture should be the end goal.
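The manual IPv6-over-IPv4 encapsulation just described, done by hand as an added example that is not from the original notes: a constructed IPv6 packet is wrapped in a 20-byte IPv4 header with protocol 41, the header checksum is computed and verified on the way back, and the 20-octet MTU cost is made explicit. The tunnel endpoint addresses are placeholders.

```python
# Added example (not from the original page): 6in4 encapsulation as the text
# describes it. The outer IPv4 header carries Protocol = 41 and costs the
# 20 octets of MTU the page mentions. Endpoint addresses are placeholders.
import ipaddress
import struct

IPPROTO_IPV6 = 41          # "IPv6 encapsulated in IPv4" protocol number
IPV4_HEADER_LEN = 20       # overhead the page attributes to tunneling


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_6in4(inner_ipv6: bytes, src4: str, dst4: str, ttl: int = 64) -> bytes:
    """Prepend an IPv4 header (DF set, protocol 41) to a complete IPv6 packet."""
    total_len = IPV4_HEADER_LEN + len(inner_ipv6)
    ver_ihl = (4 << 4) | (IPV4_HEADER_LEN // 4)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0x4000, ttl,
                      IPPROTO_IPV6, 0, ipaddress.IPv4Address(src4).packed,
                      ipaddress.IPv4Address(dst4).packed)
    csum = ipv4_checksum(hdr)           # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + inner_ipv6


def decapsulate_6in4(outer: bytes) -> bytes:
    """Strip the outer IPv4 header after checking version, checksum and protocol 41."""
    ver, ihl = outer[0] >> 4, (outer[0] & 0x0F) * 4
    if ver != 4 or ihl < IPV4_HEADER_LEN:
        raise ValueError("not an IPv4 packet")
    hdr = outer[:ihl]
    if ipv4_checksum(hdr) != 0:         # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    if hdr[9] != IPPROTO_IPV6:
        raise ValueError(f"protocol {hdr[9]} is not 41 (IPv6-in-IPv4)")
    total_len = struct.unpack("!H", hdr[2:4])[0]
    return outer[ihl:total_len]


def tunnel_mtu(link_mtu: int) -> int:
    """IPv6 MTU across the tunnel: the outer header costs 20 octets."""
    return link_mtu - IPV4_HEADER_LEN


def build_ipv6_packet(src6: str, dst6: str, payload: bytes, next_header: int = 59) -> bytes:
    """Minimal IPv6 header (next header 59 = no next header) for the demo."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src6).packed,
                       ipaddress.IPv6Address(dst6).packed) + payload
```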


Routing Considerations in IPv6
A review of a router's functions in a network:
  • The control plane. Handles the interaction of the router with other network elements, providing the needed information and controlling the overall router operation. This plane runs the routing protocols and the network management processes.
  • The data plane. Forwards packets from a source interface to another interface. This involves switching mechanisms such as Cisco Express Forwarding (CEF) and process switching.
  • Enhanced services. Advanced features such as ACLs, QoS, encryption, etc.

Challenges in IPv6 routing
IPv6 Control Plane
  • IPv6 address size. The address size affects routing performance: with the same CPU, IPv6 takes more time to process source and destination address information. Routers that rely only on software processing are likely to perform slower in an IPv6 environment.
  • IPv6 routing protocols. The larger address size means that messages between routing protocols are larger than in an IPv4 environment.
  • Multiple IPv6 node addresses. IPv6 nodes may have multiple IPv6 unicast addresses, so memory consumption of the Neighbor Discovery cache may be affected.
  • Routing table size. The larger IPv6 address space leads to larger routing tables, which may require more memory.

IPv6 Data Plane
The data plane forwards IP packets based on the decisions made by the control plane.
  • Parsing IPv6 extension headers. IPv6 packets may carry additional headers, which are sometimes used by applications in an IPv6 environment. These additional fields require additional processing. If the length of the extension headers exceeds the hardware register limits, the packet may be handed to software switching or dropped, which affects forwarding performance.
  • IPv6 address lookup. Most routers today perform lookups in an Application Specific Integrated Circuit (ASIC) originally designed for the IPv4 environment. When such an ASIC processes IPv6 packets with their larger addresses, the result may be packets punted to software processing or dropped.


Network Address Translation

RFC 1918 defines private IP addresses. Private IP addresses are a reserved block of numbers that can be used by anyone. These addresses can be used only in private networks and are not to be routed on the internet. This way, anyone can use private IP addresses for internal needs without worrying that the same address is used by someone else, since packets containing private IP addresses are not routed in public networks (the internet). The blocks reserved for private IP addresses are:
  • Class A. 10.0.0.0 - 10.255.255.255, prefix length /8
  • Class B. 172.16.0.0 - 172.31.255.255, prefix length /12
  • Class C. 192.168.0.0 - 192.168.255.255, prefix length /16

Unlike private IP addresses, public IP addresses must be registered with a Regional Internet Registry (RIR). Organizations can lease public addresses from an ISP. The RIRs are:
  • ARIN, America
  • RIPE, Europe
  • APNIC, Asia
  • LACNIC, South America
  • AfriNIC, Africa

In the old days, a device that needed to access the internet had to be assigned a public IP address. Since there are not enough public addresses, there is no way an organization can assign each of its devices a public address. Network Address Translation provides a mechanism that enables devices with private IP addresses to access the internet using only one public address.

A NAT-enabled router has a pool of public IP addresses. These addresses can be used by inside hosts when they want to communicate with a host outside the network (on the internet). The router maintains a translation table containing the inside local address, the inside global address and the outside global address. The router acts as a forwarder for the inside host: it alters the source address of a packet sent to the outside network to one of the public addresses it has. When the router receives a packet destined for a particular public address, it looks the address up in the table and finds the corresponding inside local address. This allows the router to forward the packet to the correct host on the inside network.

Some NAT terminology:
  • Inside local address. The actual address of an inside host, most likely a private address.
  • Inside global address. The public address given to an inside host when it wants to communicate with the outside network.
  • Outside global address. The public address assigned to a host on the internet.
  • Outside local address. A private address assigned to a host on the outside network. In most cases this is the same as the outside global address.

The "inside" of a NAT is not synonymous with private addresses as defined by RFC 1918. "Non-routable" means not routable on the internet.


Types of NAT
Static NAT. A one-to-one mapping: a particular inside host is always given the same public address, and the mapping remains constant. This is useful for hosts that need a consistent public address (for example enterprise servers or networking devices).

Dynamic NAT. Mapping on a first-come, first-served basis. When an inside host wants to communicate with the outside network, it is assigned one of the public addresses from the pool that is still available (not yet used by any other host).

NAT overload, also called Port Address Translation (PAT). Maps multiple private addresses to a single public address or a few addresses. A PAT-enabled router assigns a source port number to each TCP/IP session opened by an inside host and ensures that every host uses a different source port number. When reply messages come from the internet, the router checks the destination port of the message and looks it up in the table to forward the message to the correct host on the inside network.

NAT overload assigns the next available port if the port chosen by an inside host is already used by another host. If an inside host opens a session with the outside network and chooses port 1221 as its source port, the NAT router will try not to alter the source port of the inside local address; however, if 1221 is already in use by another host, the NAT router uses the next available port (in this case 1222, if not yet used) for the inside global address of this session. It chooses a port number from the appropriate port group: 0-511, 512-1023 or 1024-65535. If every port has been used and there is more than one public IP address, the NAT router uses the next public address.
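A small model of the translation table and port choice described above, as an added example that is not from the original notes. It ties together the pieces the NAT sections use: a standard ACL with a wildcard mask deciding which inside local addresses are translated, a pool of inside global addresses, PAT's port choice (keep the host's port if free, else the next free port in the same group, else the next pool address), and the reverse lookup for replies. All addresses and hosts are constructed sample values.

```python
# Added example (not code from the page): a PAT translation table with the
# ACL check, pool and port-selection behaviour the text describes.
# Sample addresses are constructed; 203.0.113.0/24 is documentation space.
import ipaddress

PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def acl_permits(addr: str, source: str, wildcard: str) -> bool:
    """'access-list N permit source wildcard': a wildcard bit of 0 means the
    corresponding address bit must match, a bit of 1 means don't care."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(source))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (s & ~w)


class PatRouter:
    def __init__(self, pool, acl_source, acl_wildcard):
        self.pool = list(pool)                 # inside global addresses
        self.acl = (acl_source, acl_wildcard)
        self.table = {}                        # (local ip, port) -> (global ip, port)
        self.in_use = {g: set() for g in self.pool}

    @staticmethod
    def _port_group(port):
        return next(g for g in PORT_GROUPS if g[0] <= port <= g[1])

    def translate_outbound(self, local_ip, local_port):
        """Return the inside global (ip, port) for a new or existing session."""
        key = (local_ip, local_port)
        if key in self.table:                  # existing session keeps its mapping
            return self.table[key]
        if not acl_permits(local_ip, *self.acl):
            raise PermissionError(f"{local_ip} is not permitted by the NAT ACL")
        _, hi = self._port_group(local_port)
        for g in self.pool:                    # first pool address with room
            for p in range(local_port, hi + 1):   # host's port, then next available
                if p not in self.in_use[g]:
                    self.in_use[g].add(p)
                    self.table[key] = (g, p)
                    return g, p
        raise RuntimeError("no free port in any pool address")

    def translate_inbound(self, global_ip, global_port):
        """Reply from the internet: find the session by destination ip:port."""
        for (lip, lport), (gip, gport) in self.table.items():
            if (gip, gport) == (global_ip, global_port):
                return lip, lport
        return None                            # no matching session: drop
```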


Configuring Static NAT
Static NAT allows connections initiated by external devices to inside hosts. For example, you may want to map an inside global address to the inside local address of your web server. The steps for configuring static NAT are:
  • Step 1. Establish a static translation between an inside local address and an inside global address.
ip nat inside source static local-ip global-ip

local-ip: inside local address of a specific device
global-ip: public address available for the local device

  • Step 2. Specify the inside interface.
interface type number
ip nat inside
type: the type of the interface [FastEthernet | Serial]
number: interface number

  • Step 3. Specify the outside interface.
interface type number
ip nat outside

type: the type of the interface [FastEthernet | Serial]
number: interface number


Configuring Dynamic NAT
Dynamic NAT translates private addresses to public addresses from a pool. The steps are:
  • Step 1. Define a pool of global addresses to be allocated as needed.
ip nat pool name start-ip end-ip {netmask netmask-number|prefix-length pref-length}
name: word, the name of the pool
start-ip: lowest public address available in the pool
end-ip: highest public address available in the pool
netmask-number: subnet mask of the public addresses
pref-length: prefix length of the public addresses


  • Step 2. Create a standard access list permitting the addresses to be translated.
access-list acl-number permit source [ source-wildcard ]
acl-number: a number that identifies the standard ACL
source: private address/network to be permitted
source-wildcard: wildcard mask of the permitted source (see ACL)

  • Step 3. Establish dynamic translation between private addresses and public addresses.
ip nat inside source list acl-number pool name
acl-number: the number of the ACL that permits the private addresses to be translated
name: name of the pool that contains the public addresses

  • Step 4. Specify the inside interface.
interface type number
ip nat inside

type: the type of the interface [FastEthernet | Serial]
number: interface number

  • Step 5. Specify the outside interface.
interface type number
ip nat outside
type: the type of the interface [FastEthernet | Serial]
number: interface number


Configuring NAT overload
There are two ways to configure overloaded NAT, depending on how many public addresses the ISP provides. If only one address is given, the steps are:
  • Step 1. Create a standard access list permitting the addresses to be translated.
access-list acl-number permit source [ source-wildcard ]
acl-number: a number that identifies the standard ACL
source: private address/network to be permitted
source-wildcard: wildcard mask of the permitted source (see ACL)

  • Step 2. Establish the overload translation.
ip nat inside source list acl-number interface interface-type/number overload
acl-number: the number of the ACL that permits the private addresses to be translated
interface-type/number: the interface that is assigned the public address (typically the address given by the ISP)

The "overload" keyword enables the addition of the source port number to the translation.

  • Step 3. Specify the inside interface.
interface type number
ip nat inside

type: the type of the interface [FastEthernet | Serial]
number: interface number

  • Step 4. Specify the outside interface.
interface type number
ip nat outside

type: the type of the interface [FastEthernet | Serial]
number: interface number

To configure overloaded NAT with more than one public IP address:
  • Step 1. Create a standard access list permitting the addresses to be translated.
access-list acl-number permit source [ source-wildcard ]

acl-number: a number that identifies the standard ACL
source: private address/network to be permitted
source-wildcard: wildcard mask of the permitted source (see ACL)

  • Step 2. Specify the global addresses as a pool.
ip nat pool name start-ip end-ip {netmask netmask-number|prefix-length pref-length}
name: word, the name of the pool
start-ip: lowest public address available in the pool
end-ip: highest public address available in the pool
netmask-number: subnet mask of the public addresses
pref-length: prefix length of the public addresses

  • Step 3. Establish the overload translation.
ip nat inside source list acl-number pool name overload
acl-number: the number of the ACL that permits the private addresses to be translated
name: name of the pool that contains the public addresses

  • Step 4. Specify the inside interface.
interface type number
ip nat inside

type: the type of the interface [FastEthernet | Serial]
number: interface number

  • Step 5. Specify the outside interface.
interface type number
ip nat outside

type: the type of the interface [FastEthernet | Serial]
number: interface number


By default a translation times out after 24 hours; you can change the timer with the command "ip nat translation timeout timeout-seconds".

You can see the NAT you have configured with the command "show run". To verify NAT operation, use the command "show ip nat translations [verbose]". The command "show ip nat statistics" displays the total number of active translations, the NAT configuration parameters, the total number of addresses in the pool and the number of addresses allocated from the pool.

You can debug NAT operations with the command "debug ip nat".


Port Forwarding
Port forwarding enables external users (from the outside network) to initiate a connection to inside hosts. It does this by translating received messages destined for a specified port to a particular host and destination port on the inside network.

For example, you have a web server on your inside network with IP address 192.168.1.252. If you want to enable external users to access it, you can configure port forwarding of HTTP traffic from your border router to the web server: traffic received on the WAN interface destined for port 80 (HTTP works on port 80) is forwarded to the inside interface with destination address 192.168.1.252 and destination port 80. In this case the external port and the internal port are the same; you can change either of them to something else. If you change the external port, external users must know the specific port number you use.
