Appendix E -- Setting Up an IPv6 Test Lab

This appendix provides information about how you can use five computers to create a test lab to configure and test the IPv6 protocol for Windows XP and the Windows .NET Server 2003 family. These instructions are designed to guide you through a set of tasks, exposing you to the IPv6 protocol and its associated functionality. Beyond the set of tasks, these instructions allow you to create a functioning IPv6 configuration. You can use this configuration to learn about and experiment with IPv6 features and functionality, and to aid in developing applications for IPv6 or modifying existing IPv4 applications to work over both IPv4 and IPv6.

Setting Up the Infrastructure

The infrastructure for the IPv6 test lab network consists of five computers performing the following services:

  • A computer running Windows .NET Standard Server that is used as a DNS server. This computer is named DNS1.
  • A computer running Windows XP that is used as a client. This computer is named CLIENT1.
  • A computer running Windows XP that is used as a router. This computer is named ROUTER1.
  • A computer running Windows XP that is used as a router. This computer is named ROUTER2.
  • A computer running Windows XP that is used as a client. This computer is named CLIENT2.

Figure E-1 shows the configuration of the IPv6 test lab.

Figure E-1. The configuration of the IPv6 test lab

There are three network segments:

  • A network segment known as Subnet 1 that uses the private IP network ID of 10.0.1.0/24 and site-local subnet ID of FEC0:0:0:1::/64
  • A network segment known as Subnet 2 that uses the private IP network ID of 10.0.2.0/24 and site-local subnet ID of FEC0:0:0:2::/64
  • A network segment known as Subnet 3 that uses the private IP network ID of 10.0.3.0/24 and site-local subnet ID of FEC0:0:0:3::/64

All computers on each subnet are connected to a separate common hub or Layer 2 switch. The two router computers, ROUTER1 and ROUTER2, have two network adapters installed.

For the IPv4 configuration, each computer is configured manually with the appropriate IP address, subnet mask, default gateway, and DNS server IP address. DHCP and WINS servers are not used. For the IPv6 configuration, link-local addresses are used initially.

The following sections describe how each of the computers in the test lab is configured. To reconstruct this test lab, please configure the computers in the order presented.

The following instructions are for configuring an IPv6 test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. You can use any member of the Windows .NET Server family for DNS1 and any version of Windows XP or Windows .NET Server for the other computers. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. The configuration, including addresses and all other configuration parameters, is designed to work on a separate test lab network.

DNS1

DNS1 is a computer running Windows .NET Standard Server. It is providing DNS Server services for the testlab.microsoft.com DNS domain. To configure DNS1 for this service, perform the following steps:

  1. Install Windows .NET Standard Server as a stand-alone server. Set the Administrator password.
  2. After restarting, log on as Administrator.
  3. Configure the TCP/IP protocol with the IP address of 10.0.1.2, the subnet mask of 255.255.255.0, and the default gateway of 10.0.1.1.
  4. Install the DNS Server service.
  5. Create a forward lookup zone named "testlab.microsoft.com" as a primary zone that allows dynamic updates.
  6. Install the IPv6 protocol.

The domain name testlab.microsoft.com is used here for example purposes only. You can use any domain name in your test lab configuration.

CLIENT1

CLIENT1 is a computer running Windows XP that is being used as a client. To configure CLIENT1 as a client computer, perform the following steps:

  1. On CLIENT1, install Windows XP as a workgroup computer. Set the Administrator password.
  2. After restarting, log on as Administrator.
  3. Configure the TCP/IP protocol with the IP address of 10.0.1.3, the subnet mask of 255.255.255.0, a default gateway of 10.0.1.1, and the DNS server IP address of 10.0.1.2. Configure DNS properties so that the connection-specific suffix for the LAN connection is "testlab.microsoft.com" and specify to use the connection's DNS suffix in DNS registration.
  4. Install the IPv6 protocol.

ROUTER1

ROUTER1 is a computer running Windows XP that is being used as a router between Subnet 1 and Subnet 2. To configure ROUTER1 as a router, perform the following steps:

  1. On ROUTER1, install Windows XP as a workgroup computer. Set the Administrator password.
  2. After restarting, log on as Administrator.
  3. Install the IPv6 protocol.
  4. In Control Panel-Network Connections, rename the LAN connection connected to Subnet 1 to "Subnet 1 Connection" and rename the LAN connection connected to Subnet 2 to "Subnet 2 Connection."
  5. For Subnet 1 Connection, configure the TCP/IP protocol with the IP address of 10.0.1.1, the subnet mask of 255.255.255.0, and the DNS server IP address of 10.0.1.2. Configure DNS properties so that the connection-specific suffix for the connection is "testlab.microsoft.com" and specify to use the connection's DNS suffix in DNS registration.
  6. For Subnet 2 Connection, configure the TCP/IP protocol with the IP address of 10.0.2.1, the subnet mask of 255.255.255.0, and a default gateway of 10.0.2.2. Configure DNS properties so that the connection-specific suffix for the connection is "testlab.microsoft.com" and specify to use the connection's DNS suffix in DNS registration.
  7. Run the registry editor (Regedit.exe) and set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter to 1. This enables IPv4 routing between Subnet 1 and Subnet 2.
  8. Restart ROUTER1.

ROUTER2

ROUTER2 is a computer running Windows XP that is being used as a router between Subnet 2 and Subnet 3. To configure ROUTER2 as a router, perform the following steps:

  1. On ROUTER2, install Windows XP as a workgroup computer. Set the Administrator password.
  2. After restarting, log on as Administrator.
  3. Install the IPv6 protocol.
  4. In Control Panel-Network Connections, rename the LAN connection connected to Subnet 2 to "Subnet 2 Connection" and rename the LAN connection connected to Subnet 3 to "Subnet 3 Connection."
  5. For Subnet 2 Connection, configure the TCP/IP protocol with the IP address of 10.0.2.2, the subnet mask of 255.255.255.0, a default gateway of 10.0.2.1, and the DNS server IP address of 10.0.1.2. Configure DNS properties so that the connection-specific suffix for the connection is "testlab.microsoft.com" and specify to use the connection's DNS suffix in DNS registration.
  6. For Subnet 3 Connection, configure the TCP/IP protocol with the IP address of 10.0.3.1, and the subnet mask of 255.255.255.0. Configure DNS properties so that the connection-specific suffix for the connection is "testlab.microsoft.com" and specify to use the connection's DNS suffix in DNS registration.
  7. Run the registry editor (Regedit.exe) and set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter to 1. This enables IPv4 routing between Subnet 2 and Subnet 3.
  8. Restart ROUTER2.

CLIENT2

CLIENT2 is a computer running Windows XP that is being used as a client. To configure CLIENT2 as a client computer, perform the following steps:

  1. On CLIENT2, install Windows XP as a workgroup computer. Set the Administrator password.
  2. After restarting, log on as Administrator.
  3. Configure the TCP/IP protocol with the IP address of 10.0.3.2, the subnet mask of 255.255.255.0, a default gateway of 10.0.3.1, and the DNS server IP address of 10.0.1.2. Configure DNS properties so that the connection-specific suffix for the connection is "testlab.microsoft.com" and specify to use the connection's DNS suffix in DNS registration.
  4. Verify the integrity of the IPv4 routing infrastructure with the following command:

    ping 10.0.1.3

    This tests whether or not IPv4 packets can be forwarded between CLIENT2 on Subnet 3 and CLIENT1 on Subnet 1.

  5. Install the IPv6 protocol.

IPv6 Test Lab Tasks

The following tasks are designed to take you through the common IPv6 configurations by using the test lab infrastructure:

  • Link-local ping
  • Creating an IPv6 static routing infrastructure
  • Using name resolution
  • Using IPSec
  • Using temporary addresses

Link-Local Ping

To ping a node using link-local addresses and view the entries created in the neighbor and destination caches, complete the following steps:

  1. On ROUTER1, type the netsh interface ipv6 show address command to obtain the link-local address of the interface named Subnet 1 Connection.
  2. On CLIENT1, type the netsh interface ipv6 show address command to obtain the link-local address and interface index of the interface named Local Area Connection.
  3. On CLIENT1, type the following command to ping the link-local address of ROUTER1's interface on Subnet 1:

    ping ROUTER1LinkLocalAddress%InterfaceIndex

    For example, if the link-local address of ROUTER1's interface on Subnet 1 is FE80::2AA:FF:FE9D:10C5, and the interface index for the Local Area Connection interface on CLIENT1 is 3, the command is:

    ping FE80::2AA:FF:FE9D:10C5%3

  4. On CLIENT1, type the netsh interface ipv6 show neighbors command to view the entry in the CLIENT1 neighbor cache for ROUTER1. You should see an entry for ROUTER1's link-local address.
  5. On CLIENT1, type the netsh interface ipv6 show destinationcache command to view the entry in the CLIENT1 destination cache for ROUTER1.
  6. On CLIENT1, type the netsh interface ipv6 show routes command to view the entries in the CLIENT1 routing table.

Creating an IPv6 Static Routing Infrastructure

To configure a static routing infrastructure so that all test lab nodes are reachable using IPv6 traffic, complete the following steps:

  1. On ROUTER1, type the netsh interface ipv6 show address command to obtain the link-local addresses and interface index numbers of interfaces named Subnet 1 Connection and Subnet 2 Connection.
  2. On ROUTER1, type the following commands:

    netsh interface ipv6 set interface Subnet1InterfaceIndex forwarding=enabled advertise=enabled

    netsh interface ipv6 set interface Subnet2InterfaceIndex forwarding=enabled advertise=enabled

    netsh interface ipv6 add route FEC0:0:0:1::/64 Subnet1InterfaceIndex publish=yes

    netsh interface ipv6 add route FEC0:0:0:2::/64 Subnet2InterfaceIndex publish=yes

    netsh interface ipv6 add route ::/0 Subnet2InterfaceIndex ROUTER2AddressOnSubnet2 publish=yes

    in which:

    • Subnet1InterfaceIndex is the interface index of ROUTER1's Subnet 1 Connection.
    • Subnet2InterfaceIndex is the interface index of ROUTER1's Subnet 2 Connection.
    • ROUTER2AddressOnSubnet2 is the link-local address assigned to ROUTER2's Subnet 2 Connection.

    For example, if ROUTER1's Subnet 1 Connection interface index is 4 and Subnet 2 Connection interface index is 5, and the link-local address of ROUTER2's Subnet 2 Connection interface is FE80::2AA:FF:FE87:4D5C, the commands should be typed as follows:

    netsh int ipv6 set int 4 forw=enabled adv=enabled

    netsh int ipv6 set int 5 forw=enabled adv=enabled

    netsh int ipv6 add rou FEC0:0:0:1::/64 4 pub=yes

    netsh int ipv6 add rou FEC0:0:0:2::/64 5 pub=yes

    netsh int ipv6 add rou ::/0 5 FE80::2AA:FF:FE87:4D5C pub=yes

  3. On ROUTER2, type the netsh interface ipv6 show address command to obtain the link-local addresses and interface index numbers of the Subnet 2 and Subnet 3 interfaces.
  4. On ROUTER2, type the following commands:

    netsh interface ipv6 set interface Subnet2InterfaceIndex forwarding=enabled advertise=enabled

    netsh interface ipv6 set interface Subnet3InterfaceIndex forwarding=enabled advertise=enabled

    netsh interface ipv6 add route FEC0:0:0:2::/64 Subnet2InterfaceIndex publish=yes

    netsh interface ipv6 add route FEC0:0:0:3::/64 Subnet3InterfaceIndex publish=yes

    netsh interface ipv6 add route ::/0 Subnet2InterfaceIndex ROUTER1AddressOnSubnet2 publish=yes

    For example, if the Subnet 2 interface index is 4, the Subnet 3 interface index is 5, and the link-local address of the ROUTER1 Subnet 2 interface is FE80::2AA:FF:FE9A:203F, the commands should be typed as follows:

    netsh int ipv6 set int 4 forw=enabled adv=enabled

    netsh int ipv6 set int 5 forw=enabled adv=enabled

    netsh int ipv6 add rou FEC0:0:0:2::/64 4 pub=yes

    netsh int ipv6 add rou FEC0:0:0:3::/64 5 pub=yes

    netsh int ipv6 add rou ::/0 4 FE80::2AA:FF:FE9A:203F pub=yes

  5. On CLIENT1, type the netsh interface ipv6 show address command to view a new address on the LAN interface that is based on the site-local prefix of FEC0:0:0:1::/64.
  6. On CLIENT1, type the netsh interface ipv6 show routes command to view new routes for FEC0:0:0:1::/64, FEC0:0:0:2::/64, and ::/0.
  7. On CLIENT2, type the netsh interface ipv6 show address command to view a new address on the LAN interface that is based on the site-local prefix of FEC0:0:0:3::/64.
  8. On CLIENT2, type the netsh interface ipv6 show routes command to view new routes for FEC0:0:0:2::/64, FEC0:0:0:3::/64, and ::/0.
  9. On CLIENT1, type the following ping command to ping CLIENT2's site-local address:

    ping CLIENT2SiteLocalAddress

    On CLIENT1, type the following tracert command with the -d option to trace the route between CLIENT1 and CLIENT2:

    tracert -d CLIENT2SiteLocalAddress

    In the tracert display, you can view the address of the Subnet 1 Connection for ROUTER1 and the address of the Subnet 2 Connection for ROUTER2.

  10. On ROUTER1, type the following command to view the entries in the ROUTER1 neighbor cache for CLIENT1 and ROUTER2:

    netsh interface ipv6 show neighbors

    Then type the following command to view the entries in the ROUTER1 destination cache for CLIENT1 and ROUTER2:

    netsh interface ipv6 show destinationcache

As described in Chapter 10 "IPv6 Routing," the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP advertises off-link prefixes using the Route Information option in Router Advertisement messages. These prefixes become routes in the routing table of the receiving host.
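The following Python script is an added example, not part of the book or of the Windows IPv6 stack. It parses the three "add route" commands typed on ROUTER1 in step 2 (it accepts both the long keyword form and the abbreviated form shown above), builds a routing table from them, and resolves destinations by longest prefix match. That is the selection rule behind what step 9 shows: ROUTER1 treats FEC0:0:0:2::/64 as on-link but forwards CLIENT2's site-local address through the default route toward ROUTER2's link-local address. The Route class and the function names are the example's own; the command lines and addresses are the ones from step 2.

```python
"""Added example: parse the 'netsh ... add route' lines typed on ROUTER1 and
resolve destinations by longest-prefix match.  Not part of the book."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv6Network
    interface: int                              # interface index
    next_hop: Optional[ipaddress.IPv6Address]   # None means on-link
    publish: bool                               # advertised in Router Advertisements


def parse_add_route(line: str) -> Route:
    """Accepts 'interface ipv6 add route ... publish=yes' as well as the
    abbreviated 'int ipv6 add rou ... pub=yes' form."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.lower() in ("route", "rou"):
            args = tokens[i + 1:]
            break
    else:
        raise ValueError(f"not an 'add route' command: {line!r}")
    positional = [a for a in args if "=" not in a]
    options = {k.lower(): v.lower()
               for k, v in (a.split("=", 1) for a in args if "=" in a)}
    if len(positional) < 2:
        raise ValueError(f"prefix and interface index are required: {line!r}")
    prefix = ipaddress.IPv6Network(positional[0], strict=True)  # rejects host bits set
    interface = int(positional[1])
    next_hop = ipaddress.IPv6Address(positional[2]) if len(positional) > 2 else None
    publish = options.get("publish", options.get("pub", "no")) == "yes"
    return Route(prefix, interface, next_hop, publish)


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route that contains the destination."""
    dest = ipaddress.IPv6Address(destination)
    matches = [r for r in routes if dest in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def describe(routes: List[Route], destination: str) -> str:
    route = lookup(routes, destination)
    if route is None:
        return "no route"
    if route.next_hop is None:
        return f"on-link via interface {route.interface}"
    return f"via interface {route.interface}, next hop {route.next_hop}"


# The three routes from step 2 (abbreviated form): ROUTER1's view of the lab.
ROUTER1_COMMANDS = [
    "netsh int ipv6 add rou FEC0:0:0:1::/64 4 pub=yes",
    "netsh int ipv6 add rou FEC0:0:0:2::/64 5 pub=yes",
    "netsh int ipv6 add rou ::/0 5 FE80::2AA:FF:FE87:4D5C pub=yes",
]
ROUTER1_ROUTES = [parse_add_route(c) for c in ROUTER1_COMMANDS]

if __name__ == "__main__":
    for dest in ("FEC0:0:0:1::3", "FEC0:0:0:2::2", "FEC0:0:0:3:260:8FF:FE52:F9D8"):
        print(f"{dest:32} -> {describe(ROUTER1_ROUTES, dest)}")
```

Running the script prints one line per destination; the CLIENT2 site-local address resolves to the default route with ROUTER2 as next hop, which is the path tracert -d displays in step 9.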

Using Name Resolution

To configure DNS and the local Hosts file to resolve names to IPv6 addresses, complete the following steps:

  1. On DNS1, use the DNS snap-in to view the A and AAAA records in the testlab.microsoft.com forward lookup zone that were dynamically registered by the computers in the test lab. Verify that an AAAA, or "quad A," record for CLIENT2 exists.
  2. If an AAAA record for CLIENT2 does not exist, create an AAAA resource record for CLIENT2 with the DNS name client2.testlab.microsoft.com for its site-local IPv6 address using the IPv6 Host resource record type.

    For example, if CLIENT2's site-local address is FEC0::3:260:8FF:FE52:F9D8, the AAAA resource record is configured as follows:

    Host: client2

    IP version 6 host address: FEC0:0:0:3:260:8FF:FE52:F9D8

  3. On CLIENT1, type the following command:

    ping client2.testlab.microsoft.com

    The name client2.testlab.microsoft.com is resolved to its site-local address by sending a DNS query to DNS1.

  4. On CLIENT2, create the following entry in the Hosts file (located in the SystemRoot\System32\Drivers\Etc folder):

    Client1SiteLocalAddress cl1

    For example, if CLIENT1's site-local address is FEC0::1:260:8FF:FE2A:15F2, the entry in the Hosts file is:

    fec0::1:260:8ff:fe2a:15f2 cl1

  5. On CLIENT2, type the following command:

    ping cl1

    The name cl1 is resolved to its site-local address by using the local Hosts file.
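As an added example (not code from the book), the following Python parses Hosts file entries of the kind created in step 4 and resolves a name the way the file is consulted: top down, case-insensitively, with "#" comments ignored. The sample file contents are constructed for the example; the cl1 line is the one from step 4. The audit function compares the parsed table against an expected baseline, a worthwhile check because a Hosts entry takes precedence over DNS for that name, so a silently edited entry redirects the name without any DNS query being made.

```python
"""Added example: parse Hosts file entries (the format used in step 4) and
resolve names the way the file is consulted.  Not code from the book."""
import ipaddress
from typing import Dict, List, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample file contents; the cl1 line is the entry from step 4.
SAMPLE_HOSTS = """\
# Constructed Hosts file for the test lab (sample, not from the book)
127.0.0.1       localhost
fec0::1:260:8ff:fe2a:15f2 cl1
FEC0::3:260:8FF:FE52:F9D8   client2.testlab.microsoft.com  client2   # alias
"""


def parse_hosts(text: str) -> Dict[str, List[Address]]:
    """Map lower-cased host names to their addresses in file order.  Comments
    start with '#'; a line with an unparsable address is reported, not skipped."""
    table: Dict[str, List[Address]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: address without a host name")
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def resolve(table: Dict[str, List[Address]], name: str,
            version: Optional[int] = None) -> Optional[Address]:
    """First matching entry wins, optionally restricted to IPv4 (4) or IPv6 (6)."""
    for addr in table.get(name.lower(), []):
        if version is None or addr.version == version:
            return addr
    return None


def audit(table: Dict[str, List[Address]], baseline: Dict[str, str]) -> List[str]:
    """Report names whose first address differs from the expected baseline."""
    findings = []
    for name, expected in baseline.items():
        actual = resolve(table, name)
        if actual is None or actual != ipaddress.ip_address(expected):
            findings.append(f"{name}: expected {expected}, found {actual}")
    return findings


HOSTS = parse_hosts(SAMPLE_HOSTS)

if __name__ == "__main__":
    print("cl1 ->", resolve(HOSTS, "cl1"))
    print("audit:", audit(HOSTS, {"cl1": "FEC0::1:260:8FF:FE2A:15F2"}) or "clean")
```

Addresses are compared as parsed values rather than as text, so the upper-case form used in the appendix and the lower-case form in the file compare equal.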

Using IPSec

To use IPSec between two computers running the IPv6 protocol for the Windows .NET Server 2003 family and Windows XP, complete the following steps:

  1. On CLIENT1, create blank security association (.sad) and security policy (.spd) files by using the ipsec6 s command. For example, the command ipsec6 s test creates two files that have blank entries for manually configuring security associations (Test.sad) and security policies (Test.spd).
  2. On CLIENT1, edit the .spd file, adding a security policy that secures all traffic between CLIENT1 and CLIENT2.

    Table E-1 shows the security policy entry that is added to the .spd file before the first entry (the first entry in Test.spd is not modified):

    Table E-1. The Security Policy Entry for Traffic to and from CLIENT2

    .spd File Field Name    Value
    Policy                  2
    RemoteIPAddr            - Client2SiteLocalAddress
    LocalIPAddr             - *
    Protocol                - *
    RemotePort              - *
    LocalPort               - *
    IPSecProtocol           AH
    IPSecMode               TRANSPORT
    RemoteGWIPAddr          *
    SABundleIndex           NONE
    Direction               BIDIRECT
    Action                  APPLY
    InterfaceIndex          0

    Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.

  3. On CLIENT1, edit the .sad file, adding SA entries to secure all traffic between CLIENT1 and CLIENT2. Two security associations must be created, one for traffic to CLIENT2 and one for traffic from CLIENT2.

    Table E-2 shows the first SA entry that is added to the .sad file (for traffic to CLIENT2):

    Table E-2. The Security Association Entry for Traffic to CLIENT2

    .sad File Field Name    Value
    SAEntry                 2
    SPI                     3001
    SADestIPAddr            Client2SiteLocalAddress
    DestIPAddr              POLICY
    SrcIPAddr               POLICY
    Protocol                POLICY
    DestPort                POLICY
    SrcPort                 POLICY
    AuthAlg                 HMAC-MD5
    KeyFile                 KeyFileName
    Direction               OUTBOUND
    SecPolicyIndex          2

    Type a semicolon at the end of the entry configuring this SA. For the KeyFile column, KeyFileName is the file name of a file that contains the IPSec key. This file is created in Step 4.

    The following table shows the second SA entry that is added to the .sad file (for traffic from CLIENT2):

    Table E-3. The Security Association Entry for Traffic from CLIENT2

    .sad File Field Name    Value
    SAEntry                 1
    SPI                     3000
    SADestIPAddr            Client2SiteLocalAddress
    DestIPAddr              POLICY
    SrcIPAddr               POLICY
    Protocol                POLICY
    DestPort                POLICY
    SrcPort                 POLICY
    AuthAlg                 HMAC-MD5
    KeyFile                 KeyFileName
    Direction               INBOUND
    SecPolicyIndex          2

    Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.

  4. On CLIENT1, create a file that contains data used to create and validate the Message Digest 5 (MD5) keyed hash on each IPSec-protected packet that is exchanged with CLIENT2. For example, create the file Test.key with the contents "This is a test." and no extra characters, spaces, or lines.

    The IPv6 protocol for the Windows .NET Server 2003 family and Windows XP supports only manually configured keys for quick mode SAs (also known as IPSec or Phase II SAs), because main mode negotiation using IKE is not performed. Manual keys are configured by creating files that contain either the text or binary data of the manual key. In this example, the same key for the SAs is used in both directions. You can use different keys for inbound and outbound SAs by creating different key files and referencing them with the KeyFile field in the .sad file.

  5. On CLIENT2, use the ipsec6 s command to create blank security association (.sad) and security policy (.spd) files. For example, the ipsec6 s test command creates two files that have blank entries for manually configuring security associations (Test.sad) and security policies (Test.spd). In this example, the same file names for the .sad and .spd files are used on CLIENT2. You can choose to use different file names on each host.
  6. On CLIENT2, edit the .spd file, adding a security policy that secures all traffic between CLIENT2 and CLIENT1.

    Table E-4 shows the security policy entry that is added to the .spd file before the first entry (the first entry in Test.spd is not modified):

    Table E-4. The Security Policy Entry for Traffic to and from CLIENT1

    .spd File Field Name    Value
    Policy                  2
    RemoteIPAddr            - Client1SiteLocalAddress
    LocalIPAddr             - *
    Protocol                - *
    RemotePort              - *
    LocalPort               - *
    IPSecProtocol           AH
    IPSecMode               TRANSPORT
    RemoteGWIPAddr          *
    SABundleIndex           NONE
    Direction               BIDIRECT
    Action                  APPLY
    InterfaceIndex          0

    Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.

  7. On CLIENT2, edit the .sad file, adding SA entries to secure all traffic between CLIENT2 and CLIENT1. Two security associations must be created: one for traffic to CLIENT1 and one for traffic from CLIENT1.

    Table E-5 shows the first SA entry that is added to the .sad file (for traffic to CLIENT1):

    Table E-5. The Security Association Entry for Traffic to CLIENT1

    .sad File Field Name    Value
    SAEntry                 2
    SPI                     3000
    SADestIPAddr            Client1SiteLocalAddress
    DestIPAddr              POLICY
    SrcIPAddr               POLICY
    Protocol                POLICY
    DestPort                POLICY
    SrcPort                 POLICY
    AuthAlg                 HMAC-MD5
    KeyFile                 KeyFileName
    Direction               OUTBOUND
    SecPolicyIndex          2

    Type a semicolon at the end of the entry configuring this SA. For the KeyFile column, KeyFileName is the name of a file that contains the IPSec key. This file is created in Step 8.

    The following table shows the second SA entry that is added to the .sad file (for traffic from CLIENT1):

    Table E-6. The Security Association Entry for Traffic from CLIENT1

    .sad File Field Name    Value
    SAEntry                 1
    SPI                     3001
    SADestIPAddr            Client1SiteLocalAddress
    DestIPAddr              POLICY
    SrcIPAddr               POLICY
    Protocol                POLICY
    DestPort                POLICY
    SrcPort                 POLICY
    AuthAlg                 HMAC-MD5
    KeyFile                 KeyFileName
    Direction               INBOUND
    SecPolicyIndex          2

    Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.

  8. On CLIENT2, create a file that contains data used to create and validate the Message Digest 5 (MD5) keyed hash on each IPSec-protected packet that is exchanged with CLIENT1. This must be the same data that is configured for the key file on CLIENT1. For example, create the file Test.key with the contents "This is a test." and no extra characters, spaces, or lines.
  9. On CLIENT1, use the ipsec6 l command to add the configured security policies and SAs from the .spd and .sad files. For example, the ipsec6 l test command is run on CLIENT1 to load the Test.spd and Test.sad files stored on CLIENT1.
  10. On CLIENT2, use the ipsec6 l command to add the configured security policies and SAs from the .spd and .sad files. For example, the ipsec6 l test command is run on CLIENT2 to load the Test.spd and Test.sad files stored on CLIENT2.
  11. On CLIENT2, use the ping command to ping CLIENT1.

    If you use Network Monitor to capture the traffic, you should see the exchange of ICMPv6 Echo Request and Echo Reply messages, with an Authentication header (AH) between the IPv6 header and the ICMPv6 header.

  12. On CLIENT1 and CLIENT2, type the following command lines:

    ipsec6 d sp 2

    ipsec6 d sa 1

    ipsec6 d sa 2
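Both hosts must hold byte-for-byte identical key files because the Authentication header's integrity check value (ICV) is an HMAC-MD5 computed with that key and truncated to 96 bits, and the receiver recomputes it independently. The following Python is an added example, not part of the book or of ipsec6: it computes a 96-bit HMAC-MD5 ICV over a constructed byte string standing in for one Echo Request (a real AH ICV also covers the immutable IPv6 header fields with the mutable ones zeroed, which this simplified example omits), then shows verification succeeding with the matching key, failing when the "same" key file was saved with a trailing line break, and failing when the protected bytes change. The key_file_problems check flags exactly the stray characters steps 4 and 8 warn about. HMAC-MD5 appears here only because it is the algorithm the lab's SA entries specify.

```python
"""Added example: why both key files must be byte-for-byte identical.  AH with
HMAC-MD5 carries a 96-bit ICV; this is an illustration, not the ipsec6 code."""
import hashlib
import hmac
from typing import Dict, List

ICV_LEN = 12   # HMAC-MD5-96: the 128-bit HMAC truncated to 96 bits (12 bytes)


def compute_icv(key: bytes, authenticated: bytes) -> bytes:
    """ICV over the authenticated bytes.  A real AH ICV also covers the
    immutable IPv6 header fields with mutable ones zeroed; omitted here."""
    return hmac.new(key, authenticated, hashlib.md5).digest()[:ICV_LEN]


def verify_icv(key: bytes, authenticated: bytes, icv: bytes) -> bool:
    """Constant-time comparison, as a receiver should do."""
    return hmac.compare_digest(compute_icv(key, authenticated), icv)


def key_file_problems(contents: bytes) -> List[str]:
    """Flag the stray bytes the steps warn about: the key is used exactly as
    stored, so a trailing line break silently becomes part of the key."""
    problems = []
    if not contents:
        problems.append("empty key file")
    if contents != contents.rstrip(b" \t\r\n"):
        problems.append("trailing whitespace or line break")
    if contents != contents.lstrip(b" \t\r\n"):
        problems.append("leading whitespace")
    return problems


# Constructed stand-in for the bytes AH would authenticate in one Echo Request
# (ICMPv6 type 128, zeroed checksum, identifier 1, sequence 7, sample data).
SAMPLE_ECHO_REQUEST = bytes.fromhex("80000000 00010007") + b"abcdefghijklmnopqrstuvwxyz"
KEY_CLIENT1 = b"This is a test."             # exact contents of Test.key
KEY_WITH_NEWLINE = b"This is a test.\r\n"    # same text saved with a line break


def demo() -> Dict[str, bool]:
    """Sender computes the ICV once; three receivers try to verify it."""
    icv = compute_icv(KEY_CLIENT1, SAMPLE_ECHO_REQUEST)
    return {
        "matching_key": verify_icv(KEY_CLIENT1, SAMPLE_ECHO_REQUEST, icv),
        "key_with_newline": verify_icv(KEY_WITH_NEWLINE, SAMPLE_ECHO_REQUEST, icv),
        "tampered_payload": verify_icv(KEY_CLIENT1, SAMPLE_ECHO_REQUEST[:-1] + b"!", icv),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} verified={ok}")
    print("Test.key with CRLF:", key_file_problems(KEY_WITH_NEWLINE))
```

Only the first case verifies; a key file that differs by a single line-break byte produces an unrelated ICV, and the receiving host then drops every AH-protected packet, which in the lab shows up as the ping in step 11 failing although the SAs loaded without error.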

Using Temporary Addresses

To view the configuration of temporary addresses (also known as anonymous addresses) for global address prefixes, complete the following steps:

  1. On ROUTER1, type the following command:

    netsh int ipv6 add rou 3FFE:FFFF:0:1::/64 Subnet1InterfaceIndex pub=yes

    in which Subnet1InterfaceIndex is the interface index of ROUTER1's Subnet 1 Connection.

    For example, if ROUTER1's Subnet 1 Connection interface index is 4, the command is:

    netsh int ipv6 add rou 3FFE:FFFF:0:1::/64 4 pub=yes

  2. On CLIENT1, type the netsh interface ipv6 show address command to view the new addresses on the interface named Local Area Connection that are based on the global prefix of 3FFE:FFFF:0:1::/64.

    There should be two addresses that are based on the 3FFE:FFFF:0:1::/64 prefix. One address uses an interface identifier that is based on the EUI-64 address of the interface. The other address is a temporary address for which the interface identifier is derived randomly.
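The following Python is an added example (not the book's code) that ties the link-local ping earlier in this appendix to the two kinds of addresses seen in step 2. It splits the %zone suffix off a link-local address, classifies an address as link-local, site-local or global, and inspects the 64-bit interface identifier: an EUI-64 identifier carries the FF-FE marker and the flipped universal/local bit, so the MAC address can be recovered from it, which is the trackability that temporary addresses are designed to avoid. The addresses FE80::2AA:FF:FE9D:10C5 and FEC0::3:260:8FF:FE52:F9D8 are the ones used earlier in this appendix; the temporary address 3FFE:FFFF:0:1:1C3A:9F0B:7D2E:4A61 is constructed for illustration, and the function names are the example's own.

```python
"""Added example: split a zone ID off a link-local address, classify the
address, and tell an EUI-64 interface identifier from a randomized one.
Not the book's code."""
import ipaddress
from typing import Dict, Optional, Tuple

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")    # range the lab uses
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
IID_MASK = (1 << 64) - 1


def split_zone(text: str) -> Tuple[ipaddress.IPv6Address, Optional[int]]:
    """'FE80::...%3' -> (address, 3).  The zone (interface index) tells the
    stack which link to send on; it matters for link-local targets."""
    addr_text, _, zone = text.partition("%")
    return ipaddress.IPv6Address(addr_text), (int(zone) if zone else None)


def scope(addr: ipaddress.IPv6Address) -> str:
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in SITE_LOCAL:
        return "site-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the stateless autoconfigured address a /64 prefix and a MAC
    yield: flip the u/l bit and insert FF-FE in the middle of the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    octets = bytes(int(x, 16) for x in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Recover the MAC when the interface identifier is modified EUI-64 from a
    globally unique MAC (FF-FE marker present, u/l bit set).  Temporary
    identifiers clear the u/l bit, so they return None."""
    iid = (int(addr) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe" or not iid[0] & 0x02:
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in octets)


def classify(text: str) -> Dict[str, object]:
    addr, zone = split_zone(text)
    mac = mac_from_address(addr)
    return {
        "scope": scope(addr),
        "zone": zone,
        "mac": mac,
        "identifier": "EUI-64 (hardware address exposed)" if mac else "randomized or manual",
    }


if __name__ == "__main__":
    for a in ("FE80::2AA:FF:FE9D:10C5%3",            # ROUTER1 link-local, from the link-local ping
              "FEC0::3:260:8FF:FE52:F9D8",           # CLIENT2 site-local, from name resolution
              "3FFE:FFFF:0:1:1C3A:9F0B:7D2E:4A61"):  # constructed temporary address
        print(a, classify(a))
```

The first two addresses yield MAC addresses; the constructed temporary address yields none, which is what a capture of CLIENT1's outbound traffic should show once temporary addresses are in use. The heuristic is a heuristic: a manually assigned identifier that happens to contain FF-FE would also be reported as EUI-64.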



Understanding IPv6
ISBN: 0735612455
Year: 2005
Pages: 124
Authors: Joseph Davies