IP Version 6

IP version 6 (IPv6) is the successor to IPv4, developed to fix shortcomings that were not anticipated when IPv4 was standardized in 1981. The challenges include:

  • Exponential growth of Internet usage
  • Scalability of large routing tables on the Internet backbone routers
  • Supportability of real-time data delivery

IPv6 not only addresses these problems but also improves on IPv4 in areas such as IP-layer security (IPsec support is part of the base specification) and network auto-configuration.

With the increased use of IP-enabled wireless phones and PDAs, the IPv4 address space is running out. Although network techniques such as Network Address Translation (NAT) and short-term DHCP leases have helped to conserve these addresses, more and more home users are demanding always-on Internet connections.

To accommodate the growing global demand for IP addresses, IPv6 quadruples the number of bits in an address, from 32 bits to 128 bits. That provides 2^128 addresses, enough to assign far more than a thousand addresses to every person on the planet.

IPv6 Header

IPv6 specifications, defined in RFC 2460, describe an IPv6 header, as shown in Figure 4-6. Table 4-4 lists and describes the fields in an IPv6 header.

Figure 4-6. IPv6 Header

Table 4-4. IPv6 Header Fields

Field: Description

Version: A 4-bit Internet Protocol version number, always 6.

Traffic Class: An 8-bit field that enables the source to specify the desired delivery priority of its packets relative to other packets (the IPv6 counterpart of the IPv4 ToS/DSCP byte).

Flow Label: A 20-bit field that may be set to request special handling of a sequence of packets by IPv6 routers. Version, Traffic Class, and Flow Label together fill the first 32-bit word of the header.

Payload Length: A 16-bit integer giving the length, in octets, of everything that follows the 40-byte fixed header, extension headers included.

Next Header: An 8-bit field that identifies the type of header immediately following the IPv6 header, either an extension header or an upper-layer protocol such as TCP (6), UDP (17), or ICMPv6 (58). It uses the same values as the IPv4 Protocol field.

Hop Limit: An 8-bit integer that is decremented by 1 by each node that forwards the packet; a packet whose Hop Limit would reach 0 is discarded. It replaces the IPv4 TTL.

Source Address: The 128-bit address of the originator of the packet.

Destination Address: The 128-bit address of the intended recipient of the packet.
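The fixed header in Table 4-4 is easy to get wrong because its first three fields share one 32-bit word (4 + 8 + 20 bits, since Flow Label is 20 bits wide per RFC 2460). The following parser and builder are an added example, not code from the book or from Cisco; the sample packet is constructed by hand for the demonstration (an ICMPv6 echo request stub from a link-local source to the all-nodes multicast group), not captured traffic. It also models the Hop Limit rule from the table: decrement on forwarding, discard when the limit is exhausted.

```python
"""Parse and build the 40-byte fixed IPv6 header (RFC 2460, Table 4-4)."""
import ipaddress
import struct

IPV6_HEADER_LEN = 40


def parse_ipv6_header(data: bytes) -> dict:
    """Return the fixed-header fields of an IPv6 packet as a dict.

    Version, Traffic Class and Flow Label are packed into the first 32-bit
    word, so they are separated with shifts and masks rather than fixed-width
    struct codes.  Malformed input raises ValueError.
    """
    if len(data) < IPV6_HEADER_LEN:
        raise ValueError("truncated: need %d bytes, got %d" % (IPV6_HEADER_LEN, len(data)))
    word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    version = word >> 28
    if version != 6:
        raise ValueError("not an IPv6 packet (version %d)" % version)
    # Payload Length counts everything after the fixed header, extension
    # headers included; a packet shorter than it claims is malformed.
    if len(data) - IPV6_HEADER_LEN < payload_len:
        raise ValueError("payload shorter than Payload Length field")
    return {
        "version": version,
        "traffic_class": (word >> 20) & 0xFF,   # 8 bits
        "flow_label": word & 0xFFFFF,           # 20 bits
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(data[8:24]),
        "dst": ipaddress.IPv6Address(data[24:40]),
    }


def build_ipv6_header(src, dst, payload, next_header=58, hop_limit=64,
                      traffic_class=0, flow_label=0) -> bytes:
    """Build a complete IPv6 packet (fixed header + payload, no extension headers)."""
    word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    header = struct.pack("!IHBB", word, len(payload), next_header, hop_limit)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def forward(data: bytes):
    """Model a router's Hop Limit handling: decrement, or drop when exhausted.

    Returns the packet with Hop Limit reduced by 1, or None if the packet
    must be discarded (a real router would also send ICMPv6 Time Exceeded).
    """
    hop = data[7]  # Hop Limit is the last byte of the first 8-byte word group
    if hop <= 1:
        return None
    return data[:7] + bytes([hop - 1]) + data[8:]


# Constructed sample: ICMPv6 (next header 58) echo-request stub, 8-byte payload.
SAMPLE_PAYLOAD = bytes.fromhex("8000000012340001")
SAMPLE_PACKET = build_ipv6_header("fe80::20f:f7ff:fe75:4b58", "ff02::1",
                                  SAMPLE_PAYLOAD, next_header=58,
                                  hop_limit=255, flow_label=0xABCDE)

if __name__ == "__main__":
    for k, v in parse_ipv6_header(SAMPLE_PACKET).items():
        print("%-15s %s" % (k, v))
```

Note the two length checks: a packet shorter than 40 bytes, or one whose Payload Length exceeds the bytes actually present, is rejected rather than parsed, which is the check any filter or IDS has to make before trusting any field past the fixed header.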

In IPv4, an address is written as four decimal octets separated by dots (.). A 128-bit IPv6 address is instead divided into 8 blocks of 16 bits each, written in hexadecimal and separated by colons (:). This representation is referred to as colon-hexadecimal notation.

The following are a few examples of IPv6 addresses:


    FEDC:BA98:0001:3210:FEDC:BA98:0001:3210
    1080:0000:0000:0000:0008:0800:200C:417A
    0000:0000:0000:0000:0000:0000:0000:0001

In an IPv6 address, the leading zeros within an individual block need not be written. Thus the preceding addresses can be rewritten as follows:


    FEDC:BA98:1:3210:FEDC:BA98:1:3210
    1080:0:0:0:8:800:200C:417A
    0:0:0:0:0:0:0:1

As you can see from the preceding addresses, an IPv6 address may have long strings of zero bits. For the ease of representation, an IPv6 address with long sequences of zeros can be compressed and replaced with ::. This notation, also known as double colon, can compress contiguous blocks of zeros. However, the :: notation can only appear once in an address, to avoid confusion on how many zeros should go to which instance of ::. The preceding addresses, with zero compression, can be written as follows:


    FEDC:BA98:1:3210:FEDC:BA98:1:3210
    1080::8:800:200C:417A
    ::1
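The three rules just described (eight 16-bit hexadecimal blocks, optional leading zeros per block, and a single :: standing for a run of zero blocks) are exactly what an address parser has to enforce, and the "only once" rule is the one most often skipped. The code below is an added example, not from the book; it expands an address to its full form, rejects malformed input such as a second ::, and compresses to the shortest form. Two choices beyond what the text states are labelled in the comments: output is lowercase and a lone zero block is never replaced by ::, both per RFC 5952, and on a tie the leftmost run of zeros is compressed.

```python
"""Expand and compress IPv6 colon-hexadecimal notation (RFC 4291 / RFC 5952)."""
import re

_BLOCK = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand(addr: str) -> str:
    """Return the full 8-block, zero-padded, lowercase form of an address.

    Raises ValueError for malformed input, including more than one '::',
    which would make the number of elided blocks ambiguous.
    """
    addr = addr.strip()
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError("expected 8 blocks, got %d" % len(blocks))
    for b in blocks:
        if not _BLOCK.match(b):
            raise ValueError("bad block %r" % b)
    return ":".join(b.lower().zfill(4) for b in blocks)


def is_valid(addr: str) -> bool:
    """True if addr is syntactically valid colon-hexadecimal notation."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def compress(addr: str) -> str:
    """Return the shortest form: leading zeros dropped and the longest run of
    two or more zero blocks replaced by '::' (leftmost run wins a tie).
    A single zero block is left as '0', following RFC 5952."""
    blocks = [b.lstrip("0") or "0" for b in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] == "0":
            j = i
            while j < 8 and blocks[j] == "0":
                j += 1
            if j - i > best_len:          # strictly greater: keep leftmost on tie
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(blocks)
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return head + "::" + tail


if __name__ == "__main__":
    for a in ("FEDC:BA98:0001:3210:FEDC:BA98:0001:3210",
              "1080:0000:0000:0000:0008:0800:200C:417A",
              "0000:0000:0000:0000:0000:0000:0000:0001"):
        print(compress(a), "<-", expand(a))
```

Canonicalising with expand() before comparing addresses matters in practice: "2001:DB8::1", "2001:db8:0:0:0:0:0:1" and "2001:0db8::0001" are one address, and a filter that compares the strings will miss two of them.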

Configuring IPv6

The security appliance supports a limited set of IPv6 features, which includes IP address assignment, packet filtering, and basic routing using static routes. This section discusses IP address assignment, whereas packet filtering and basic routing using static routes are discussed in subsequent chapters.

IP Address Assignment

The security appliance supports simultaneous IPv4 and IPv6 addresses on an interface. An IPv6 address can be configured on an interface by using the ipv6 address command. The syntax for the ipv6 address command is as follows:

ipv6 address {autoconfig | ipv6-prefix/prefix-length [eui-64] | ipv6-address link-local}

Table 4-5 lists the arguments of the ipv6 address command.

Table 4-5. The ipv6 address Command Arguments

Syntax: Description

autoconfig: Configures stateless address autoconfiguration; the appliance learns the network prefix from Router Advertisement messages received on the interface.

ipv6-prefix: Specifies the IPv6 network address.

prefix-length: Specifies the number of high-order contiguous bits of the address that form the network part (the prefix).

eui-64: Uses the EUI-64 format interface ID, derived from the interface MAC address, as the host part of the IPv6 address.

ipv6-address: Overrides the auto-generated IPv6 link-local address.

link-local: Identifies that the IPv6 address being configured is a link-local address.

The security appliance supports four types of interface address assignments:

  • Global address
  • Site-local address
  • Link-local address
  • Auto-configuration address

Note

For detailed information about these types, consult RFC 3513.

 

Global Address

A global IPv6 address, similar to an IPv4 public routable address, is used for Internet connectivity. Global unicast addresses are currently allocated from the 2000::/3 prefix, and when configured with the eui-64 keyword the address uses a 64-bit interface identifier in the extended unique identifier 64 (EUI-64) format.

Each physical interface has a burned-in 48-bit MAC address that serves as its unique link-layer address. The EUI-64 format interface ID is derived from the MAC address by the following rules:

  1. Insert FFFE between the upper 24 bits (the vendor OUI) and the lower 24 bits. For example, if the interface's MAC address is 000F.F775.4B57, the modified address becomes 000F.F7FF.FE75.4B57.
  2. Invert the universal/local (U/L) bit, which is the 7th bit from the left in the leftmost byte. A manufacturer-assigned MAC has this bit cleared, so inverting it sets it to 1: 000F.F7FF.FE75.4B57 (from the previous step) becomes 020F.F7FF.FE75.4B57. This is the EUI-64 format interface ID.

Because the interface ID is a function of the MAC address, it is identical under every prefix and identifies the hardware wherever the interface is addressed; RFC 4941 privacy extensions exist for hosts, but the eui-64 keyword always derives the ID from the MAC.

Example 4-18 shows how to set up a global IPv6 address of 2001:1ae2:123f with a mask of /48 followed by the EUI-64 format identifier.

Example 4-18. Assigning a Global IPv6 Address

Chicago(config-if)# ipv6 address 2001:1ae2:123f::/48 eui-64
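The two EUI-64 rules above, carried through to the address that Example 4-18 produces, as an added example that is not code from the book or from Cisco. It accepts a MAC in the dotted Cisco notation used in the text or in colon or hyphen form, applies the FFFE insertion and the U/L bit flip, and uses the standard-library ipaddress module to combine the result with the prefix. The assumption made here is that, as the text states, the appliance zero-fills the bits between a shorter prefix such as /48 and the 64-bit interface ID.

```python
"""Modified EUI-64 interface ID from a MAC, and the address 'ipv6 address
<prefix> eui-64' forms from it."""
import ipaddress
import re


def mac_to_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 for a 48-bit MAC address given as
    000F.F775.4B57, 00:0f:f7:75:4b:57 or 00-0f-f7-75-4b-57."""
    hexdigits = re.sub(r"[.:\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError("expected a 48-bit MAC address, got %r" % mac)
    mac_bytes = bytes.fromhex(hexdigits)
    # Rule 1: split the 24-bit OUI from the 24-bit device part, insert FF:FE.
    eui = bytearray(mac_bytes[:3] + b"\xff\xfe" + mac_bytes[3:])
    # Rule 2: invert the universal/local bit, the 7th bit from the left of
    # the first byte (value 0x02).  A vendor-assigned MAC has it clear, so
    # the flip sets it, which is why 00 becomes 02 in the text's example.
    eui[0] ^= 0x02
    return bytes(eui)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Form the address an interface gets from 'ipv6 address PREFIX eui-64'.

    The interface ID occupies the low 64 bits.  Prefixes shorter than /64
    (such as the /48 in Example 4-18) are assumed to be zero-filled up to
    bit 64; a prefix longer than /64 leaves no room for the ID and is rejected.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("EUI-64 needs a 64-bit interface ID; /%d is too long" % net.prefixlen)
    upper = (int(net.network_address) >> 64) << 64   # keep the top 64 bits only
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(upper | iid)


if __name__ == "__main__":
    mac = "000F.F775.4B57"  # MAC from the text's worked example
    print("EUI-64 ID  :", mac_to_eui64(mac).hex())
    print("global     :", eui64_address("2001:1ae2:123f::/48", mac))
    print("link-local :", eui64_address("fe80::/10", mac))
```

The same function with the fe80::/10 prefix reproduces the shape of the link-local address in Example 4-20, which is why a global and a link-local address on the same interface end in the same 64 bits.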

Note

You can set up multiple IPv6 addresses on an interface.

 

Site-Local Address

A site-local IPv6 address, similar to an IPv4 private address, is used for hosts on trusted networks that do not require Internet connectivity. It uses the FEC0::/10 prefix and the EUI-64 format interface ID to form a complete IPv6 address. Note that RFC 3879 (2004) deprecated site-local addresses; unique local addresses from FC00::/7 (RFC 4193) are their replacement, so avoid FEC0::/10 in new designs even where the appliance still accepts it. Example 4-19 shows how to set up a site-local IPv6 address of fec0:1ae2:123f with a prefix length of /48 and the EUI-64 format identifier.

Example 4-19. Assigning a Site-Local IPv6 Address

Chicago(config-if)# ipv6 address fec0:1ae2:123f::/48 eui-64

 

Link-Local Address

A link-local IPv6 address allows IPv6-enabled hosts on the same link to communicate with each other using the Neighbor Discovery protocol without needing a global or site-local address. Neighbor Discovery provides the messaging channel over which neighboring IPv6 devices interact (address resolution, router discovery, and duplicate address detection). A link-local address uses the FE80::/10 prefix combined with the EUI-64 format interface ID, is valid only on the local link, and is auto-assigned to an interface when IPv6 is enabled on it. To manually assign a different link-local address, use the ipv6 address command with the link-local keyword, as shown in Example 4-20, where the address fe80::20f:f7ff:fe75:4b58 is assigned.

Example 4-20. Assigning a Static Link-Local IPv6 Address

Chicago(config-if)# ipv6 address fe80::20f:f7ff:fe75:4b58 link-local

 

Auto-Configuration Address

The auto-configuration method, enabled with the ipv6 address autoconfig command shown in Example 4-21, enables IPv6 on the interface (so a link-local address is generated) and then listens for Router Advertisement messages to learn the network prefix, from which it generates a global address using the EUI-64 format interface ID. Because the prefix is taken from whatever Router Advertisement arrives on the link, use autoconfig only on interfaces where the attached router is trusted; on untrusted segments assign addresses statically instead.

Example 4-21. Assigning an Auto-Configuration Address

Chicago(config-if)# ipv6 address autoconfig

Note

The current implementation of IPv6 on the security appliances does not support anycast addresses.


Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231