Appendix E
This appendix provides information about how you can use five computers to create a test lab to configure and test the IPv6 protocol for Windows XP and the Windows .NET Server 2003 family. These instructions are designed to guide you through a set of tasks, exposing you to the IPv6 protocol and its associated functionality. Beyond the set of tasks, these instructions allow you to create a functioning IPv6 configuration. You can use this configuration to learn about and experiment with IPv6 features and functionality, and to aid in developing applications for IPv6 or modifying existing IPv4 applications to work over both IPv4 and IPv6.
The infrastructure for the IPv6 test lab network consists of five computers performing the following services:
Figure E-1 shows the configuration of the IPv6 test lab.
Figure E-1. The configuration of the IPv6 test lab
There are three network segments:
All computers on each subnet are connected to a separate common hub or Layer 2 switch. The two router computers, ROUTER1 and ROUTER2, have two network adapters installed.
For the IPv4 configuration, each computer is configured manually with the appropriate IP address, subnet mask, default gateway, and DNS server IP address. DHCP and WINS servers are not used. For the IPv6 configuration, link-local addresses are used initially.
The following sections describe how each of the computers in the test lab is configured. To reconstruct this test lab, please configure the computers in the order presented.
The following instructions are for configuring an IPv6 test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. You can use any member of the Windows .NET Server family for DNS1 and any version of Windows XP or Windows .NET Server for the other computers. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. The configuration, including addresses and all other configuration parameters, is designed to work on a separate test lab network.
DNS1 is a computer running Windows .NET Standard Server. It is providing DNS Server services for the testlab.microsoft.com DNS domain. To configure DNS1 for this service, perform the following steps:
The domain name testlab.microsoft.com is used here for example purposes only. You can use any domain name in your test lab configuration.
CLIENT1 is a computer running Windows XP that is being used as a client. To configure CLIENT1 as a client computer, perform the following steps:
ROUTER1 is a computer running Windows XP that is being used as a router between Subnet 1 and Subnet 2. To configure ROUTER1 as a router, perform the following steps:
ROUTER2 is a computer running Windows XP that is being used as a router between Subnet 2 and Subnet 3. To configure ROUTER2 as a router, perform the following steps:
CLIENT2 is a computer running Windows XP that is being used as a client. To configure CLIENT2 as a client computer, perform the following steps:
ping 10.0.1.3
This tests whether or not IPv4 packets can be forwarded between CLIENT2 on Subnet 3 and CLIENT1 on Subnet 1.
The following tasks are designed to take you through the common IPv6 configurations by using the test lab infrastructure:
To ping a node using link-local addresses and view the entries created in the neighbor and destination caches, complete the following steps:
ping ROUTER1LinkLocalAddress%InterfaceIdentifier
For example, if the link-local address of ROUTER1's interface on Subnet 1 is FE80::2AA:FF:FE9D:10C5, and the interface index for the Local Area Connection interface on CLIENT1 is 3, the command is:
ping FE80::2AA:FF:FE9D:10C5%3
To configure a static routing infrastructure so that all test lab nodes are reachable using IPv6 traffic, complete the following steps:
netsh interface ipv6 set interface Subnet1InterfaceIndex forwarding=enabled advertise=enabled
netsh interface ipv6 set interface Subnet2InterfaceIndex forwarding=enabled advertise=enabled
netsh interface ipv6 add route FEC0:0:0:1::/64 Subnet1InterfaceIndex publish=yes
netsh interface ipv6 add route FEC0:0:0:2::/64 Subnet2InterfaceIndex publish=yes
netsh interface ipv6 add route ::/0 Subnet2InterfaceIndex/ROUTER2AddressOnSubnet2 publish=yes
in which:
For example, if ROUTER1's Subnet 1 Connection interface index is 4 and Subnet 2 Connection interface index is 5, and the link-local address of the ROUTER2's Subnet 2 Connection interface is FE80::2AA:FF:FE87:4D5C, the commands should be typed as follows:
netsh int ipv6 set int 4 forw=enabled adv=enabled
netsh int ipv6 set int 5 forw=enabled adv=enabled
netsh int ipv6 add rou FEC0:0:0:1::/64 4 pub=yes
netsh int ipv6 add rou FEC0:0:0:2::/64 5 pub=yes
netsh int ipv6 add rou ::/0 5 FE80::2AA:FF:FE87:4D5C pub=yes
netsh interface ipv6 set interface Subnet2InterfaceIndex forwarding=enabled advertise=enabled
netsh interface ipv6 set interface Subnet3InterfaceIndex forwarding=enabled advertise=enabled
netsh interface ipv6 add route FEC0:0:0:2::/64 Subnet2InterfaceIndex publish=yes
netsh interface ipv6 add route FEC0:0:0:3::/64 Subnet3InterfaceIndex publish=yes
netsh interface ipv6 add route ::/0 Subnet2InterfaceIndex/ROUTER1AddressOnSubnet2 publish=yes
For example, if the Subnet 2 interface index is 4, the Subnet 3 interface index is 5, and the link-local address of the ROUTER1 Subnet 2 interface is FE80::2AA:FF:FE9A:203F, the commands should be typed as follows:
netsh int ipv6 set int 4 forw=enabled adv=enabled
netsh int ipv6 set int 5 forw=enabled adv=enabled
netsh int ipv6 add rou FEC0:0:0:2::/64 4 pub=yes
netsh int ipv6 add rou FEC0:0:0:3::/64 5 pub=yes
netsh int ipv6 add rou ::/0 4 FE80::2AA:FF:FE9A:203F pub=yes
ping CLIENT2SiteLocalAddress
On CLIENT1, type the following tracert command with the -d option to trace the route between CLIENT1 and CLIENT2:
tracert -d CLIENT2SiteLocalAddress
In the tracert display, you can view the address of the Subnet 1 Connection for ROUTER1 and the address of the Subnet 2 Connection for ROUTER2.
netsh interface ipv6 show neighbors
to view the entries in the ROUTER1 neighbor cache for CLIENT1 and ROUTER2.
netsh interface ipv6 show destinationcache
to view the entries in the ROUTER1 destination cache for CLIENT1 and ROUTER2.
As described in Chapter 10 "IPv6 Routing," the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP advertises off-link prefixes using the Route Information option in Router Advertisement messages. These prefixes become routes in the routing table of the receiving host.
To configure DNS and the local Hosts file to resolve names to IPv6 addresses, complete the following steps:
For example, if CLIENT2's site-local address is FEC0::3:260:8FF:FE52: F9D8, the AAAA resource record is configured as follows:
Host: client2
IP version 6 host address: FEC0:0:0:3:260:8FF:FE52:F9D8
ping client2.testlab.microsoft.com
The name client2.testlab.microsoft.com is resolved to its site-local address by sending a DNS query to DNS1.
Client1SiteLocalAddress cl1
For example, if CLIENT1's site-local address is FEC0::1:260:8FF:FE2A: 15F2, the entry in the Hosts file is:
fec0::1:260:8ff:fe2a:15f2 cl1
ping cl1
The name cl1 is resolved to its site-local address by using the local Hosts file.
To use IPSec between two computers running the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP, complete the following steps:
Table E-1 shows the security policy entry that is added to the .spd file before the first entry (the first entry in Test.spd is not modified):
Table E-1. The Security Policy Entry for Traffic to and from CLIENT2
.spd File Field Name | Value |
---|---|
Policy | 2 |
RemoteIPAddr | - Client2SiteLocalAddress |
LocalIPAddr | - * |
Protocol | - * |
RemotePort | - * |
LocalPort | - * |
IPSecProtocol | AH |
IPSecMode | TRANSPORT |
RemoteGWIPAddr | * |
SABundleIndex | NONE |
Direction | BIDIRECT |
Action | APPLY |
InterfaceIndex | 0 |
Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.
Table E-2 shows the first SA entry that is added to the .sad file (for traffic to CLIENT2):
Table E-2. The Security Association Entry for Traffic to CLIENT2
.sad File Field Name | Value |
---|---|
SAEntry | 2 |
SPI | 3001 |
SADestIPAddr | Client2SiteLocalAddress |
DestIPAddr | POLICY |
SrcIPAddr | POLICY |
Protocol | POLICY |
DestPort | POLICY |
SrcPort | POLICY |
AuthAlg | HMAC-MD5 |
KeyFile | KeyFileName |
Direction | OUTBOUND |
SecPolicyIndex | 2 |
Type a semicolon at the end of the entry configuring this SA. For the KeyFile column, KeyFileName is the file name of a file that contains the IPSec key. This file is created in Step 4.
The following table shows the second SA entry that is added to the .sad file (for traffic from CLIENT2):
Table E-3. The Security Association Entry for Traffic from CLIENT2
.sad File Field Name | Value |
---|---|
SAEntry | 1 |
SPI | 3000 |
SADestIPAddr | Client2SiteLocalAddress |
DestIPAddr | POLICY |
SrcIPAddr | POLICY |
Protocol | POLICY |
DestPort | POLICY |
SrcPort | POLICY |
AuthAlg | HMAC-MD5 |
KeyFile | KeyFileName |
Direction | INBOUND |
SecPolicyIndex | 2 |
Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.
The IPv6 protocol for the Windows .NET Server 2003 family and Windows XP supports only manually configured keys for quick mode SAs (also known as IPSec or Phase II SAs), because main mode negotiation using IKE is not performed. Manual keys are configured by creating files that contain either the text or binary data of the manual key. In this example, the same key for the SAs is used in both directions. You can use different keys for inbound and outbound SAs by creating different key files and referencing them with the KeyFile field in the .sad file.
Table E-4 shows the security policy entry that is added to the .spd file before the first entry (The first entry in Test.spd is not modified.):
Table E-4. The Security Policy Entry for Traffic to and from CLIENT1
.spd File Field Name | Value |
---|---|
Policy | 2 |
RemoteIPAddr | - Client1SiteLocalAddress |
LocalIPAddr | - * |
Protocol | - * |
RemotePort | - * |
LocalPort | - * |
IPSecProtocol | AH |
IPSecMode | TRANSPORT |
RemoteGWIPAddr | * |
SABundleIndex | NONE |
Direction | BIDIRECT |
Action | APPLY |
InterfaceIndex | 0 |
Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.
Table E-5 shows the first SA entry that is added to the .sad file (for traffic to CLIENT1):
Table E-5. The Security Association Entry for Traffic to CLIENT1
.sad File Field Name | Value |
---|---|
SAEntry | 2 |
SPI | 3000 |
SADestIPAddr | Client1SiteLocalAddress |
DestIPAddr | POLICY |
SrcIPAddr | POLICY |
Protocol | POLICY |
DestPort | POLICY |
SrcPort | POLICY |
AuthAlg | HMAC-MD5 |
KeyFile | KeyFileName |
Direction | OUTBOUND |
SecPolicyIndex | 2 |
Type a semicolon at the end of the entry configuring this SA. For the KeyFile column, KeyFileName is the name of a file that contains the IPSec key. This file is created in Step 8.
The following table shows the second SA entry that is added to the .sad file (for traffic from CLIENT1):
Table E-6. The Security Association Entry for Traffic from CLIENT1
.sad File Field Name | Value |
---|---|
SAEntry | 1 |
SPI | 3001 |
SADestIPAddr | Client1SiteLocalAddress |
DestIPAddr | POLICY |
SrcIPAddr | POLICY |
Protocol | POLICY |
DestPort | POLICY |
SrcPort | POLICY |
AuthAlg | HMAC-MD5 |
KeyFile | KeyFileName |
Direction | INBOUND |
SecPolicyIndex | 2 |
Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.
If you use Network Monitor to capture the traffic, you should see the exchange of ICMPv6 Echo Request and Echo Reply messages, with an Authentication header (AH) between the IPv6 header and the ICMPv6 header.
ipsec6 d sp 2
ipsec6 d sa 1
ipsec6 d sa 2
To view the configuration temporary addresses (also known as anonymous addresses) for global address prefixes, complete the following steps:
netsh int ipv6 add rou 3FFE:FFFF:0:1::/64 Subnet1InterfaceIndex pub=yes
in which Subnet1InterfaceIndex is the interface index of ROUTER1's Subnet 1 Connection.
For example, if ROUTER1's Subnet 1 Connection interface index is 4, the command is:
netsh int ipv6 add rou 3FFE:FFFF:0:1::/64 4 pub=yes
There should be two addresses that are based on the 3FFE:FFFF:0:1::/64 prefix. One address uses an interface identifier that is based on the EUI-64 address of the interface. The other address is a temporary address for which the interface identifier is derived randomly.