IP version 6 (IPv6) is a new IP protocol developed to fix the shortcomings of the current IPv4 implementations. When IPv4 was standardized in 1981, the current challenges were not anticipated. The challenges include:
IPv6 not only fixes these problems but also provides improvements to IPv4 in areas such as IP security and network auto-configuration.
With the increased use of IP-enabled wireless phones and PDAs, the IPv4 address space is running out. Although network techniques such as Network Address Translation (NAT) and short-term DHCP leases have helped to conserve these addresses, more and more home users are demanding always-on Internet connections.
To accommodate the growing global demand for IP addresses, IPv6 quadruples the number of bits in an address, from the 32 bits of IPv4 to 128 bits. This provides 2^128 (roughly 3.4 × 10^38) addresses, enough to assign on the order of 10^28 addresses to every person on this planet.
IPv6 Header
The IPv6 specification, defined in RFC 2460 (since obsoleted by RFC 8200, which keeps the same fixed header), describes the IPv6 header shown in Figure 4-6. Table 4-4 lists and describes the fields in an IPv6 header.
Figure 4-6. IPv6 Header
Table 4-4. IPv6 Header Fields

| Field | Description |
|---|---|
| Version | A 4-bit Internet Protocol version number, always 6 |
| Traffic Class | An 8-bit field that enables the source (and forwarding nodes) to mark packets for a desired delivery priority relative to other packets |
| Flow Label | A 20-bit field that a source may set to request the same special handling, by IPv6 routers, for all packets belonging to one flow |
| Payload Length | A 16-bit unsigned integer giving the length, in octets, of everything that follows the 40-byte fixed header, including any extension headers |
| Next Header | An 8-bit field that identifies the type of header immediately following the IPv6 header, either an extension header or an upper-layer protocol (same values as the IPv4 Protocol field) |
| Hop Limit | An 8-bit integer that is decremented by 1 by each node that forwards the packet; the packet is discarded when it reaches 0 |
| Source Address | A 128-bit address that identifies the source of the packet |
| Destination Address | A 128-bit address that identifies the destination of the packet |
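The fields in Table 4-4 are easiest to understand by decoding a packet. The following Python program is an added example, not code from the book or from the security appliance: it assembles a constructed IPv6 packet (sample addresses from the 2001:db8::/32 documentation range), parses the fixed header, and then follows the Next Header chain through any extension headers to find the upper-layer protocol. The chain walk matters for a firewall, because the transport header a packet filter wants to inspect is only reachable after every extension header has been skipped, and a Fragment header may mean it is not in this packet at all. The flagging thresholds in suspicious_chain are an assumption for illustration, not a product setting.

```python
"""Decode a constructed IPv6 packet: fixed header plus extension-header chain.
Added example; not from the book or the security appliance software."""
import struct
import ipaddress

# Next Header (protocol) numbers that denote IPv6 extension headers.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}


def parse_ipv6(pkt: bytes) -> dict:
    """Parse the 40-byte fixed header, then walk the extension-header chain.
    Returns the header fields, the (type, length) of each extension header,
    the upper-layer protocol number and the offset where its header starts."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtcfl, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    version = vtcfl >> 28
    if version != 6:
        raise ValueError(f"not IPv6: version {version}")
    hdr = {
        "version": version,
        "traffic_class": (vtcfl >> 20) & 0xFF,   # 8 bits
        "flow_label": vtcfl & 0xFFFFF,           # 20 bits
        "payload_length": plen,
        "next_header": nxt,
        "hop_limit": hlim,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }
    if len(pkt) < 40 + plen:
        raise ValueError("payload shorter than Payload Length")
    off, chain = 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:
            ext_len = 8                  # Fragment header is fixed at 8 octets
        else:
            # Generic format: Next Header (1 octet), Hdr Ext Len (1 octet) in
            # 8-octet units not counting the first 8 octets, then options.
            ext_len = (pkt[off + 1] + 1) * 8
        chain.append((nxt, ext_len))
        nxt, off = pkt[off], off + ext_len   # Next Header is always octet 0
    hdr["ext_headers"] = chain
    hdr["upper_proto"] = nxt
    hdr["upper_offset"] = off
    return hdr


def build_packet(src: str, dst: str, ext_types: list, upper: int,
                 payload: bytes, hop_limit: int = 64, flow_label: int = 0) -> bytes:
    """Constructed sample packet: fixed header, a chain of minimal 8-octet
    extension headers of the given types, then the upper-layer payload."""
    types = list(ext_types) + [upper]
    body = b""
    for i, t in enumerate(ext_types):
        nxt = types[i + 1]
        if t == FRAGMENT:
            # Next Header, Reserved, Fragment Offset/Res/M flag, Identification
            body += struct.pack("!BBHI", nxt, 0, 0, 0x1234)
        else:
            # Next Header, Hdr Ext Len = 0 (8 octets total), one PadN option
            body += struct.pack("!BB", nxt, 0) + b"\x01\x04\x00\x00\x00\x00"
    body += payload
    vtcfl = (6 << 28) | (flow_label & 0xFFFFF)
    fixed = struct.pack("!IHBB", vtcfl, len(body), types[0], hop_limit)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)


def suspicious_chain(hdr: dict, max_ext: int = 2) -> list:
    """Flag chains a packet filter should scrutinise (thresholds are assumed):
    long chains, a Fragment header (the transport header may be in a later
    fragment), and repeated extension headers."""
    findings = []
    types = [t for t, _ in hdr["ext_headers"]]
    if len(types) > max_ext:
        findings.append(f"{len(types)} extension headers")
    if FRAGMENT in types:
        findings.append("fragment header present")
    if len(types) != len(set(types)):
        findings.append("repeated extension header")
    return findings


# Constructed sample: Hop-by-Hop, Destination Options, Fragment, then 20 bytes
# of TCP (protocol 6) carrying nothing meaningful.
SAMPLE = build_packet("2001:db8::1", "2001:db8::2",
                      [HOP_BY_HOP, DEST_OPTS, FRAGMENT], 6,
                      b"\x00\x50\x00\x16" + b"\x00" * 16, flow_label=0xABCDE)

if __name__ == "__main__":
    decoded = parse_ipv6(SAMPLE)
    print(decoded, suspicious_chain(decoded))
```

Note that Payload Length counts the extension headers as well as the transport data, so a parser must bound every step of the chain walk by the packet length rather than trust the length fields alone.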
In the case of IPv4, an address is written as four decimal octets separated by dots (.). A 128-bit IPv6 address is instead divided into 8 blocks of 16 bits each, each block written in hexadecimal and the blocks separated by colons (:). This representation is therefore referred to as colon-hexadecimal notation.
The following are a few examples of IPv6 addresses:
FEDC:BA98:0001:3210:FEDC:BA98:0001:3210
1080:0000:0000:0000:0008:0800:200C:417A
0000:0000:0000:0000:0000:0000:0000:0001
In an IPv6 address, the leading zeros within each 16-bit block may be omitted (a block of all zeros is written as a single 0). Thus the preceding addresses can be rewritten as follows:
FEDC:BA98:1:3210:FEDC:BA98:1:3210
1080:0:0:0:8:800:200C:417A
0:0:0:0:0:0:0:1
As you can see from the preceding addresses, an IPv6 address may contain long runs of zero blocks. For ease of representation, one run of contiguous zero blocks can be compressed and replaced with ::. This notation, also known as the double colon, may appear only once in an address; if it appeared twice there would be no way to tell how many zero blocks each instance stands for. Because an address can still be written in several equivalent ways, compare addresses in access lists, logs, and allowlists only after converting them to one canonical form (RFC 5952 recommends lowercase hexadecimal, no leading zeros, and :: applied to the longest zero run), never by comparing the raw strings. The preceding addresses, with zero compression, can be written as follows:
FEDC:BA98:1:3210:FEDC:BA98:1:3210
1080::8:800:200C:417A
::1
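The following Python program is an added example, not code from the book: it expands any legal colon-hexadecimal form into eight 16-bit blocks, rejects forms that are ambiguous or malformed (a second ::, a :: that stands for no blocks, a block longer than four hex digits), and produces the RFC 5952 canonical text, compressing the longest zero run (the leftmost on a tie) and never a single zero block. Comparing the expanded blocks rather than the strings is what an access-list or allowlist check should do. Zone identifiers (fe80::1%eth0) and the embedded dotted-quad form (::ffff:192.0.2.1) are deliberately not accepted.

```python
"""Expand, validate and canonicalise colon-hexadecimal IPv6 text (RFC 4291 / RFC 5952).
Added example; not code from the book."""
import re

BLOCK = re.compile(r"[0-9A-Fa-f]{1,4}")


def expand(addr: str) -> list:
    """Parse colon-hex text (optional leading-zero suppression, at most one '::')
    into eight 16-bit integers; raise ValueError for ambiguous or malformed input."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: ambiguous zero run")

    def parse_side(s: str) -> list:
        if s == "":
            return []
        blocks = []
        for b in s.split(":"):
            if not BLOCK.fullmatch(b):       # also rejects zone ids and dotted quads
                raise ValueError(f"bad block {b!r}")
            blocks.append(int(b, 16))
        return blocks

    if "::" in addr:
        left, right = addr.split("::")
        l, r = parse_side(left), parse_side(right)
        missing = 8 - len(l) - len(r)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        return l + [0] * missing + r
    blocks = parse_side(addr)
    if len(blocks) != 8:
        raise ValueError(f"expected 8 blocks, got {len(blocks)}")
    return blocks


def compress(blocks: list) -> str:
    """RFC 5952 text: lowercase, no leading zeros, '::' over the longest run of
    zero blocks (leftmost on a tie), and never used for a single zero block."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if blocks[i] == 0:
            j = i
            while j < 8 and blocks[j] == 0:
                j += 1
            if j - i > best_len:             # strict '>' keeps the leftmost run on ties
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = [format(b, "x") for b in blocks]
    if best_len >= 2:
        left = ":".join(hexes[:best_start])
        right = ":".join(hexes[best_start + best_len:])
        return f"{left}::{right}"
    return ":".join(hexes)


def canonical(addr: str) -> str:
    """One text form per address, suitable for string comparison and logging."""
    return compress(expand(addr))


def same_address(a: str, b: str) -> bool:
    """Compare two addresses by value, whatever notation each was written in."""
    return expand(a) == expand(b)


if __name__ == "__main__":
    for text in ["FEDC:BA98:0001:3210:FEDC:BA98:0001:3210",
                 "1080:0000:0000:0000:0008:0800:200C:417A",
                 "0000:0000:0000:0000:0000:0000:0000:0001"]:
        print(text, "->", canonical(text))
```

Python's standard ipaddress module applies the same rules; the hand-written version shows why a single :: is the most a parser can accept and where each rejection happens.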
Configuring IPv6
The security appliance supports a limited set of IPv6 features, which includes IP address assignment, packet filtering, and basic routing using static routes. This section discusses IP address assignment, whereas packet filtering and basic routing using static routes are discussed in subsequent chapters.
IP Address Assignment
The security appliance supports simultaneous IPv4 and IPv6 addresses on an interface. An IPv6 address can be configured on an interface by using the ipv6 address command. The syntax for the ipv6 address command is as follows:
ipv6 address {autoconfig | ipv6-prefix/prefix-length [eui-64] | ipv6-address link-local}
Table 4-5 lists the arguments of the ipv6 address command.
Table 4-5. ipv6 address Command Arguments

| Syntax | Syntax Description |
|---|---|
| autoconfig | Configures the assignment of IPv6 addresses using Router Advertisement messages. These messages are used to announce the network prefix. |
| ipv6-prefix | Specifies the IPv6 network address. |
| prefix-length | Specifies the number of high-order contiguous bits in the IPv6 prefix that form the network part of the IPv6 address. |
| eui-64 | Uses the EUI-64 format interface ID as the host part of the IPv6 address. |
| ipv6-address | Overrides the auto-generated IPv6 link-local address. |
| link-local | Identifies that the IPv6 address is a link-local address. |
The security appliance supports four types of interface address assignment, described in the following sections: global, site-local, link-local, and auto-configuration.
Note
For detailed information about these address types, consult RFC 3513 (since obsoleted by RFC 4291, which keeps the same address architecture).
Global Address
A global IPv6 address, similar to an IPv4 public routable address, is used for Internet connectivity. Global unicast addresses are allocated from the prefix 2000::/3, and the security appliance forms the host part as a 64-bit interface identifier in the Extended Unique Identifier (EUI-64) format.
Each physical interface has an embedded 48-bit MAC address that specifies a unique link-layer address. The EUI-64 format interface ID is derived from the interface MAC address by splitting the MAC address into its two 24-bit halves, inserting the 16-bit value FFFE between them, and inverting the universal/local bit (bit 7 of the first octet, value 0x02), which for a manufacturer-assigned MAC address changes a leading 00 to 02. Because the interface ID embeds the MAC address, an EUI-64 address reveals the hardware vendor and stays constant wherever the device is connected; keep that in mind before exposing such an address on an untrusted network.
Example 4-18 shows how to set up a global IPv6 address of 2001:1ae2:123f with a mask of /48 followed by the EUI-64 format identifier.
Example 4-18. Assigning a Global IPv6 Address
Chicago(config-if)# ipv6 address 2001:1ae2:123f::/48 eui-64
Note
You can set up multiple IPv6 addresses on an interface.
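The following Python program is an added example, not code from the book or from the security appliance: it performs the EUI-64 derivation described above for a MAC address, combines the result with a prefix of /64 or shorter the way the eui-64 keyword does (subnet bits beyond the prefix length are zero), and also reverses the derivation, which is exactly what an observer on the network can do to recover the MAC address from an EUI-64 address. The MAC address 00:0f:f7:75:4b:58 is an assumption chosen so that the result matches the link-local address used later in Example 4-20.

```python
"""Modified EUI-64 interface IDs (RFC 4291 Appendix A): derive, apply, and reverse.
Added example; not code from the book or the security appliance software."""
import ipaddress

IID_MASK = (1 << 64) - 1


def mac_to_modified_eui64(mac: str) -> bytes:
    """Split the 48-bit MAC in half, insert FFFE, and invert the U/L bit (0x02)
    of the first octet. Accepts 00:0f:..., 00-0f-... or 000f.f775.4b58 forms."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                      # universal/local bit flipped
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Form the address 'ipv6 address <prefix>/<len> eui-64' would produce:
    the top 64 bits come from the prefix (remaining subnet bits zero), the low
    64 bits are the modified EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("EUI-64 needs a 64-bit interface ID; prefix must be /64 or shorter")
    upper = int(net.network_address) & ~IID_MASK
    return ipaddress.IPv6Address(upper | int.from_bytes(mac_to_modified_eui64(mac), "big"))


def mac_from_eui64_address(addr: str):
    """Reverse the derivation. If the interface ID carries the FFFE marker the
    embedded MAC address is returned, otherwise None. This is why EUI-64
    addresses expose the hardware identity (RFC 4941 and RFC 7217 describe
    alternatives that do not)."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    mac = "00:0f:f7:75:4b:58"           # assumed interface MAC address
    print(eui64_address("2001:1ae2:123f::/48", mac))
    print(eui64_address("fe80::/10", mac))
    print(mac_from_eui64_address("fe80::20f:f7ff:fe75:4b58"))
```

Run against the book's Example 4-18 prefix the program yields 2001:1ae2:123f:0:20f:f7ff:fe75:4b58, with bits 48 to 63 zero because the configured prefix is only 48 bits long.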
Site-Local Address
A site-local IPv6 address, similar to an IPv4 private address, is used for hosts on trusted networks that do not require Internet connectivity. It uses the prefix range FEC0::/10 together with the EUI-64 format interface ID to form a complete IPv6 address. Note that site-local addresses were deprecated by RFC 3879 in 2004; for new deployments, unique local addresses from FC00::/7 (RFC 4193) serve the same purpose, and a firewall should treat FEC0::/10 as legacy. Example 4-19 shows how to set up a site-local IPv6 address of fec0:1ae2:123f with a mask of /48 using the EUI-64 format identifier.
Example 4-19. Assigning a Site-Local IPv6 Address
Chicago(config-if)# ipv6 address fec0:1ae2:123f::/48 eui-64
Link-Local Address
A link-local IPv6 address allows IPv6-enabled hosts on the same link to communicate with each other, using the Neighbor Discovery protocol, without a global or site-local address being configured. The Neighbor Discovery protocol provides the messaging channel (ICMPv6) over which neighboring IPv6 devices interact, so a packet filter on the interface must permit that traffic even when no global address is in use. A link-local address uses the prefix FE80::/10 together with the EUI-64 format interface ID, is valid only on its own link, and is never forwarded by routers. The link-local address is auto-assigned to an interface when IPv6 is enabled. To manually assign a different link-local address, use the ipv6 address command with the link-local keyword, as shown in Example 4-20, where an IPv6 address of fe80::20f:f7ff:fe75:4b58 is being assigned.
Example 4-20. Assigning a Static Link-Local IPv6 Address
Chicago(config-if)# ipv6 address fe80::20f:f7ff:fe75:4b58 link-local
Auto-Configuration Address
The ipv6 address autoconfig command enables stateless address auto-configuration on the interface, as shown in Example 4-21. Enabling IPv6 gives the interface its link-local address; the security appliance then listens for Router Advertisement messages to learn the network prefix and forms a global IPv6 address from that prefix and the EUI-64 format interface ID. Because the prefix is accepted from whatever router advertises on the link, a rogue Router Advertisement can dictate the address the interface forms; use autoconfig only on links where the advertising routers are trusted, and prefer a statically configured address on a firewall interface.
Example 4-21. Assigning an Auto-Configuration Address
Chicago(config-if)# ipv6 address autoconfig
Note
The current implementation of IPv6 on the security appliances does not support anycast addresses.