IPv6 Address Configuration and Name Resolution - SITPUG
Joe Davies<br />
Principal Writer<br />
Windows Server Information Experience<br />
Presented at:<br />
Seattle Windows Networking User Group<br />
June 1, 2011<br />
© 2011 Microsoft Corporation
IPv6 addressing and DNS review<br />
IPv6 subnetting and address allocation<br />
Stateful vs. stateless address autoconfiguration<br />
◦ Routers vs. DHCPv6 servers<br />
DNS servers and name resolution<br />
◦ Registration of AAAA records<br />
◦ DNS traffic over IPv6<br />
◦ Source and destination address selection
What are IPv6 addresses again?
IPv6 address in binary form<br />
0010000000000001000011011011100000000000000000000010111100111011<br />
0000001010101010000000001111111111111110001010001001110001011010<br />
Divide along 16-bit boundaries<br />
0010000000000001 0000110110111000 0000000000000000 0010111100111011<br />
0000001010101010 0000000011111111 1111111000101000 1001110001011010<br />
Convert each 16-bit block to hexadecimal and delimit with colons<br />
◦ 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A<br />
Suppress leading zeros within each block<br />
◦ 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
A single contiguous sequence of 16-bit<br />
blocks set to 0 can be compressed to “::”<br />
(double-colon)<br />
Example:<br />
◦ FE80:0:0:0:2AA:FF:FE9A:4CA2 becomes<br />
FE80::2AA:FF:FE9A:4CA2<br />
◦ FF02:0:0:0:0:0:0:2 becomes FF02::2<br />
◦ 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A becomes<br />
2001:DB8::2F3B:2AA:FF:FE28:9C5A
Express routes, address spaces, or address ranges<br />
IPv6 always uses address/prefix-length notation<br />
◦ Similar to CIDR notation<br />
Examples<br />
◦ 2001:DB8:0:2F3B::/64 for a subnet prefix<br />
◦ 2001:DB8:3F::/48 for a route prefix
Link-local addresses<br />
Global addresses<br />
Unique local addresses
Address scope is a single link<br />
◦ Equivalent to APIPA IPv4 addresses (169.254/16)<br />
FE80::/64 prefix<br />
Used for:<br />
◦ Single subnet, routerless configurations<br />
◦ Neighbor Discovery processes<br />
Address layout: 1111 1110 1000 0000 . . . 0000 (64-bit FE80::/64 prefix) | Interface ID (64 bits)
Address scope is the entire IPv6 Internet<br />
◦ Equivalent to public IPv4 addresses<br />
Structure<br />
◦ Global Routing Prefix<br />
◦ Subnet ID<br />
◦ Interface ID<br />
Address layout: 001 + Global Routing Prefix (45 bits) | Subnet ID (16 bits) | Interface ID (64 bits)
Private to an organization, yet unique per site and per organization<br />
FD00::/8 prefix<br />
40-bit Global ID randomly assigned<br />
◦ Unique 48-bit prefix between sites of an organization and between organizations<br />
Address layout: 1111 1101 (8 bits) | Global ID (40 bits) | Subnet ID (16 bits) | Interface ID (64 bits)
RFC 1886<br />
◦ DNS extensions to support IP version 6<br />
Name to address records<br />
◦ AAAA record type (equivalent to IPv4 A record)<br />
◦ Example record<br />
host1.example.com IN AAAA 2001:db8::1:dd48:ab34:d07c:3914<br />
Address to name records<br />
◦ New reverse domain called IP6.ARPA.<br />
◦ Example record<br />
4.1.9.3.c.7.0.d.4.3.b.a.8.4.d.d.1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR host1.example.com
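As an added example (not from the presentation), the address-notation rules above and the AAAA/PTR records, implemented in Python on the slides' own values; the function names and the inline sanity check are this example's own choices.

```python
import ipaddress

# Constructed input: the 128-bit binary address from the slides' worked example.
BINARY_EXAMPLE = (
    "0010000000000001000011011011100000000000000000000010111100111011"
    "0000001010101010000000001111111111111110001010001001110001011010"
)

def binary_to_blocks(bits: str) -> list[int]:
    """Divide a 128-bit string along 16-bit boundaries into eight integers."""
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 128-character binary string")
    return [int(bits[i:i + 16], 2) for i in range(0, 128, 16)]

def text_to_blocks(text: str) -> list[int]:
    """Parse any valid IPv6 text form (including '::') into eight 16-bit blocks."""
    return [int(h, 16) for h in ipaddress.IPv6Address(text).exploded.split(":")]

def full_form(blocks: list[int]) -> str:
    return ":".join(f"{b:04X}" for b in blocks)      # four hex digits per block

def suppress_leading_zeros(blocks: list[int]) -> str:
    return ":".join(f"{b:X}" for b in blocks)

def compress(blocks: list[int]) -> str:
    """Replace the first longest run of zero blocks with '::'.

    The slide compresses a run of one or more zero blocks (RFC 4291); RFC 5952
    and Python's ipaddress leave a single zero block alone, so the two differ
    for 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A.
    """
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, b in enumerate(blocks + [None]):     # sentinel closes the final run
        if b == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:              # '>' keeps the first of equal runs
                best_start, best_len = run_start, run_len
            run_len = 0
    if best_len == 0:
        return suppress_leading_zeros(blocks)
    left = ":".join(f"{b:X}" for b in blocks[:best_start])
    right = ":".join(f"{b:X}" for b in blocks[best_start + best_len:])
    compressed = f"{left}::{right}"
    # The compressed text must still parse back to the same address.
    assert ipaddress.IPv6Address(compressed) == ipaddress.IPv6Address(full_form(blocks))
    return compressed

def aaaa_record(name: str, addr: str) -> str:
    """Forward record; RFC 5952 recommends lowercase hex in text form."""
    return f"{name} IN AAAA {compress(text_to_blocks(addr)).lower()}"

def ptr_name(addr: str) -> str:
    """Reverse-mapping owner name: all 32 nibbles reversed under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."
```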
DNS clients only register global and unique local addresses<br />
Windows dynamic update behavior<br />
◦ DNS client<br />
• On the DNS tab of advanced TCP/IP settings<br />
◦ DNS server<br />
• On the General tab of the properties of a zone<br />
• None<br />
• Secure only (default)<br />
• Nonsecure and secure
Domain members<br />
◦ No problem<br />
Non-domain members<br />
◦ Use DHCP service to register on the DNS client’s behalf<br />
◦ DNS tab of the properties of a DHCP scope
How do I divide up an IPv6 address prefix?
Using the 16 bits in the Subnet ID portion of the global or unique local address prefix<br />
Step 1: Determining the number of bits to subnet<br />
◦ Subnetting on nibble (hex digit) boundaries<br />
• 4 hex digits<br />
• Example: Region-Location-Building-Floor<br />
• 2001:DB8:1719:2A3E::/64<br />
• 2 – Region<br />
• A – Location<br />
• 3 – Building<br />
• E – Floor<br />
◦ Subnetting on bit boundaries<br />
Step 2: Enumerating the subnetted address prefixes
f = number of fixed bits<br />
s = number of bits for subnetting<br />
r = remaining bits<br />
f + s + r = 16<br />
Subnet ID layout: [48-bit prefix]:[f fixed bits | s subnetting bits | r remaining bits]::
Binary<br />
◦ Use binary representations of the subnet ID and convert to hexadecimal<br />
Hexadecimal<br />
◦ Use hexadecimal representations of the subnet ID and a calculated increment<br />
Decimal<br />
◦ Use decimal representations of the subnet ID and increment
1. Calculate the hexadecimal increment<br />
between subnetted address prefixes<br />
2. Create 2-column table:<br />
◦ Network prefix number<br />
◦ Subnetted address prefix<br />
3. First entry is starting prefix with new prefix<br />
length<br />
4. Next entry is starting prefix plus increment<br />
with new prefix length<br />
5. Repeat step 4 until table is complete
Step 1<br />
◦ Starting prefix: 2001:DB8:0:C000::/51<br />
• f = 51 – 48 = 3<br />
◦ Number of bits to subnet: 3<br />
• s = 3<br />
◦ New prefix length is 51 + 3 = 54<br />
• l = 51 + s<br />
◦ Increment between subnets:<br />
• i = 2^(16 – (f + s)) = 2^(16 – (3 + 3)) = 1024 = 0x400<br />
C000 is 1100 0000 0000 0000 (first 3 bits fixed, next 3 bits for subnetting)
Steps 2 and 3<br />
Network Prefix Number<br />
Subnetted Address Prefix<br />
1 2001:DB8:0:C000::/54<br />
C000 is 1100 0000 0000 0000
Step 4<br />
Network Prefix Number<br />
Subnetted Address Prefix<br />
1 2001:DB8:0:C000::/54<br />
2 2001:DB8:0:C400::/54<br />
add 0x400<br />
C400 is 1100 0100 0000 0000
Step 5<br />
Network Prefix Number<br />
Subnetted Address Prefix<br />
1 2001:DB8:0:C000::/54<br />
2 2001:DB8:0:C400::/54<br />
3 2001:DB8:0:C800::/54<br />
add 0x400<br />
C800 is 1100 1000 0000 0000
Step 5 (repeated until the table is complete)<br />
Network Prefix Number<br />
Subnetted Address Prefix<br />
1 2001:DB8:0:C000::/54<br />
2 2001:DB8:0:C400::/54<br />
3 2001:DB8:0:C800::/54<br />
4 2001:DB8:0:CC00::/54<br />
5 2001:DB8:0:D000::/54<br />
6 2001:DB8:0:D400::/54<br />
7 2001:DB8:0:D800::/54<br />
8 2001:DB8:0:DC00::/54<br />
each entry adds 0x400 to the previous one<br />
DC00 is 1101 1100 0000 0000
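An added example, not from the presentation: the nibble-boundary plan and the hexadecimal-increment enumeration (Steps 1 to 5) in Python, cross-checked against the standard library; `decode_subnet_id`, `subnet_plan` and `matches_stdlib` are names chosen here.

```python
import ipaddress

NIBBLE_FIELDS = ["Region", "Location", "Building", "Floor"]   # the slide's 4-hex-digit plan

def decode_subnet_id(prefix: str, fields=NIBBLE_FIELDS) -> dict[str, str]:
    """Read the 16-bit Subnet ID (fourth block) as one hex digit per named field."""
    net = ipaddress.IPv6Network(prefix)
    subnet_id = net.network_address.exploded.split(":")[3].upper()
    return dict(zip(fields, subnet_id))

def subnet_plan(start_prefix: str, s: int):
    """Enumerate subnetted prefixes by the slides' hexadecimal-increment method.

    start_prefix: the prefix being divided, e.g. '2001:DB8:0:C000::/51'
    s: number of Subnet ID bits to use for subnetting
    Returns (increment, new_prefix_length, [(number, prefix), ...]).
    """
    net = ipaddress.IPv6Network(start_prefix)   # strict: raises if host bits are set
    f = net.prefixlen - 48                      # fixed bits already used in the Subnet ID
    if f < 0 or f + s > 16:
        raise ValueError("need prefix length >= 48 and f + s <= 16 (f + s + r = 16)")
    new_len = net.prefixlen + s                 # l = 51 + s on the slide
    increment = 1 << (16 - (f + s))             # i = 2^(16 - (f + s)), in Subnet ID units
    step = increment << 64                      # Subnet ID is bits 48..63, above the 64-bit Interface ID
    base = int(net.network_address)
    table = []
    for n in range(1 << s):                     # 2^s subnetted prefixes
        addr = ipaddress.IPv6Address(base + n * step)
        table.append((n + 1, f"{addr.compressed.upper()}/{new_len}"))
    return increment, new_len, table

def matches_stdlib(start_prefix: str, s: int) -> bool:
    """Cross-check the increment method against ipaddress' own enumeration."""
    _, _, table = subnet_plan(start_prefix, s)
    stdlib = ipaddress.IPv6Network(start_prefix).subnets(prefixlen_diff=s)
    return [p for _, p in table] == [str(n).upper() for n in stdlib]

if __name__ == "__main__":
    inc, length, rows = subnet_plan("2001:DB8:0:C000::/51", 3)
    print(f"increment 0x{inc:X}, new prefix length /{length}")
    for number, prefix in rows:
        print(number, prefix)
```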
How does the host know where to get its configuration settings?
Nodes discover the set of routers on the local link<br />
IPv6 router discovery also provides:<br />
◦ Default value of Hop Limit field<br />
◦ Use of stateful address protocol for addresses or other settings<br />
◦ Reachability and retransmission timers<br />
◦ Network prefixes for the link<br />
◦ MTU of the local link<br />
◦ How long the advertising router is the default router<br />
◦ Specific routes<br />
Exchange of Router Solicitation/Router Advertisement (RA) messages
Host A (MAC: 00-B0-D0-E9-41-43, IP: none) sends a multicast Router Solicitation; the Router has MAC 00-10-FF-D6-58-C0 and IP FE80::210:FFFF:FED6:58C0<br />
Ethernet Header<br />
• Destination MAC is 33-33-00-00-00-02<br />
IPv6 Header<br />
• Source Address is ::<br />
• Destination Address is FF02::2<br />
• Hop limit is 255<br />
Router Solicitation Header
The Router (MAC: 00-10-FF-D6-58-C0, IP: FE80::210:FFFF:FED6:58C0) sends a multicast Router Advertisement; Host A (MAC: 00-B0-D0-E9-41-43, IP: none) receives it<br />
Ethernet Header<br />
• Destination MAC is 33-33-00-00-00-01<br />
IPv6 Header<br />
• Source Address is FE80::210:FFFF:FED6:58C0<br />
• Destination Address is FF02::1<br />
• Hop limit is 255<br />
Router Advertisement Header<br />
• Current Hop Limit, Flags, Router Lifetime, Reachable and Retransmission Timers<br />
Neighbor Discovery Options<br />
• Source Link-Layer Address<br />
• MTU<br />
• Prefix Information
1. Stateless<br />
◦ Receipt of Router Advertisement messages with one or more Prefix Information options<br />
2. Stateful<br />
◦ Use of a stateful address configuration protocol such as DHCPv6<br />
3. Both<br />
◦ Receipt of Router Advertisement messages and stateful configuration protocol<br />
For all types, a link-local address is always configured
Configure link-local address<br />
◦ Perform duplicate address detection<br />
Perform router discovery<br />
◦ Use Router Advertisements to determine<br />
• Configuration parameters<br />
• Stateless addresses and on-link prefixes<br />
• For stateless addresses, perform duplicate address detection<br />
• Whether to use DHCPv6<br />
• Request address prefixes via Managed Address Configuration flag<br />
• Request options via Other Stateful Address Configuration flag<br />
◦ If no responses, use DHCPv6
Address autoconfiguration flowchart:<br />
1. Send Router Solicitation.<br />
2. Router Advertisement response received? No: use DHCPv6. Yes: set Hop Limit, Reachable Time, Retrans Timer, MTU.<br />
3. Are Prefix Information options present? Yes: configure stateless addresses.<br />
4. Is Managed Address Configuration flag set to 1? Yes: use DHCPv6.<br />
5. No: is Other Stateful Configuration flag set to 1? Yes: use DHCPv6. No: stop address autoconfiguration.
Managed Address Configuration flag<br />
◦ netsh interface ipv6 set interface managedaddress=enabled<br />
Other Stateful Address Configuration flag<br />
◦ netsh interface ipv6 set interface otherstateful=enabled
DHCPv6 clients<br />
◦ Windows Vista and higher, Windows Server 2008 and higher<br />
DHCPv6 servers<br />
◦ Windows Server 2008/R2 DHCP Server service<br />
DHCPv6 relay agents<br />
◦ Windows Server 2008/R2 Routing and Remote Access service
User Datagram Protocol (UDP) messages<br />
◦ DHCPv6 clients listen on UDP port 546<br />
◦ DHCPv6 servers and relay agents listen on UDP port 547<br />
Solicit<br />
◦ Sent by a client to locate servers<br />
Advertise<br />
◦ Sent by a server in response to a Solicit message to indicate availability<br />
Request<br />
◦ Sent by a client to request addresses or configuration settings from a specific server<br />
Reply<br />
◦ Sent by a specific server and contains addresses and configuration settings<br />
Renew<br />
◦ Sent by a client to a specific server to extend the lifetimes of assigned addresses and obtain updated configuration settings
1. A Solicit message sent by the client to locate the<br />
servers.<br />
2. An Advertise message sent by a server to indicate<br />
that it can provide addresses <strong>and</strong> configuration<br />
settings.<br />
3. A Request message sent by the client to request<br />
addresses <strong>and</strong> configuration settings from a<br />
specific server.<br />
4. A Reply message sent by the requested server that<br />
contains addresses <strong>and</strong> configuration settings.
1. An Information-Request message sent by<br />
the client to request configuration settings<br />
from a server.<br />
2. A Reply message sent by a server that<br />
contains the requested configuration<br />
settings.
Built-in to DHCP Server service<br />
IPv6 node in the console tree<br />
Must configure a static IPv6 address on each interface<br />
IPv6 node properties<br />
Creating a scope<br />
Configuring scope options<br />
Configuring reservations
Component of Routing and Remote Access service<br />
1. Add DHCPv6 Relay Agent routing protocol from the IPv6\General node<br />
2. Add interfaces<br />
3. Configure the IPv6 addresses (global or unique local) of DHCPv6 servers<br />
DEMO
Most like IPv4<br />
◦ Routers advertise themselves as default routers only<br />
◦ DHCPv6 servers assign address prefixes and options<br />
• Managed Address Configuration flag set to 1<br />
• Other Stateful Address Configuration flag set to 1<br />
Stateless addresses with DHCPv6-based options<br />
◦ Routers advertise address prefixes and themselves as default routers<br />
◦ DHCPv6 servers assign address prefixes and options<br />
• Managed Address Configuration flag set to 0<br />
• Other Stateful Address Configuration flag set to 1
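An added example, not from the presentation: the autoconfiguration flowchart and the two deployment patterns (M and O flags) as Python, with the link-local address derived from the MAC by modified EUI-64, which is how the router's FE80::210:FFFF:FED6:58C0 on the slides relates to its MAC; `RouterAdvertisement`, `autoconfigure` and the /64 check are this example's own choices.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RouterAdvertisement:
    prefixes: list[str] = field(default_factory=list)  # Prefix Information options
    managed: bool = False         # Managed Address Configuration (M) flag
    other_stateful: bool = False  # Other Stateful Configuration (O) flag

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the U/L bit of the first octet, insert FF-FE in the middle."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def fmt(value: int) -> str:
    return ipaddress.IPv6Address(value).compressed.upper()

def link_local_address(mac: str) -> str:
    """FE80::/64 prefix plus the 64-bit interface ID (always configured first)."""
    return fmt((0xFE80 << 112) | eui64_interface_id(mac))

def autoconfigure(mac: str, advertisements: list[RouterAdvertisement]) -> dict:
    """Walk the slide's flowchart for a host that has sent a Router Solicitation."""
    iid = eui64_interface_id(mac)
    result = {"link_local": link_local_address(mac), "stateless": [],
              "dhcpv6_addresses": False, "dhcpv6_options": False}
    if not advertisements:            # no Router Advertisement response: use DHCPv6
        result["dhcpv6_addresses"] = result["dhcpv6_options"] = True
        return result
    for ra in advertisements:
        for prefix in ra.prefixes:    # Prefix Information options present
            net = ipaddress.IPv6Network(prefix)
            if net.prefixlen != 64:
                raise ValueError(f"{prefix}: stateless autoconfiguration needs a /64")
            result["stateless"].append(fmt(int(net.network_address) | iid))
        if ra.managed:                # M = 1: DHCPv6 for addresses and options
            result["dhcpv6_addresses"] = result["dhcpv6_options"] = True
        elif ra.other_stateful:       # M = 0, O = 1: DHCPv6 for options only
            result["dhcpv6_options"] = True
    return result                     # neither flag set: stop address autoconfiguration

if __name__ == "__main__":
    host_a = "00-B0-D0-E9-41-43"      # Host A from the slides' RS/RA exchange
    print(autoconfigure(host_a, [RouterAdvertisement(managed=True, other_stateful=True)]))
    print(autoconfigure(host_a, [RouterAdvertisement(["2001:DB8:0:2F3B::/64"], other_stateful=True)]))
```

Windows Vista and later generate random interface IDs by default (`netsh interface ipv6 set global randomizeidentifiers=disabled` restores EUI-64), so a Windows host's stateless address will not normally look like the EUI-64 one computed here.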
How does the host know what to request and where to send it and what to do with the results?
Special handling for DNS queries<br />
◦ DirectAccess<br />
◦ DNS Security Extensions (DNSSEC)<br />
For DirectAccess, acts as a client-side conditional forwarder<br />
◦ Determines which names should be directed to which DNS servers<br />
Diagram: a DirectAccess client on the Internet consults the NRPT for "IPv6 addresses for s1.corp.contoso.com?"; the query is sent through the DirectAccess server to the intranet DNS server rather than the Internet DNS server, and the answer is AAAA = 2002:836b:1:1:0:5efe:10.0.21.117
Example NRPT entries: .corp.contoso.com with DNS server 2002:836b:2:1:0:5efe:10.0.0.1; nls.corp.contoso.com<br />
Namespace rules<br />
◦ Namespace or name with address of DNS server<br />
• Result: Use the specified DNS server<br />
Exemption rules<br />
◦ Namespace or name with no DNS server<br />
• Result: Use interface-configured DNS server<br />
Name does not match an NRPT rule: use interface-configured DNS server
1. Check DNS resolver cache<br />
2. Check NRPT<br />
◦ Determine the set of DNS servers to use<br />
3. Resolve name<br />
◦ FQDNs<br />
• DNS<br />
◦ Single-label, unqualified names<br />
• DNS (with suffixes and name devolution)<br />
• Link-Local Multicast Name Resolution (LLMNR)
DNS messages sent over IPv6 or over IPv4?<br />
◦ Based on IP addresses of determined DNS servers<br />
All records or AAAA-only query?<br />
◦ Most queries are for all records<br />
◦ DirectAccess clients perform AAAA-only queries<br />
DNS query results<br />
◦ Set of A records (IPv4 addresses)<br />
◦ Set of AAAA records (IPv6 addresses)<br />
Now what?<br />
◦ How does the node determine the set of source-destination address pairs with which to initiate communication?
By default, IPv6 addresses are preferred<br />
◦ To prefer IPv4 addresses<br />
• Set DisabledComponents=0x20<br />
• Modify prefix policy table<br />
Address selection process<br />
◦ A source address selection algorithm to choose the best source address to use with a destination address<br />
◦ A destination address selection algorithm to sort the list of possible destination addresses in order of preference<br />
Local prefix policy table to customize preference of source and destination addresses
netsh interface ipv6 show prefixpolicies<br />
Precedence Label Prefix<br />
---------- ----- ---------------<br />
50 0 ::1/128 (loopback)<br />
40 1 ::/0 (IPv6 addresses)<br />
30 2 2002::/16 (6to4 addresses)<br />
20 3 ::/96 (IPv4-compatible addresses)<br />
10 4 ::ffff:0:0/96 (IPv4 addresses)<br />
5 5 2001::/32 (Teredo addresses)<br />
Modify with netsh interface ipv6 add|set|delete prefixpolicy
Application or Winsock obtains the set of destination addresses (name resolution) and calls the stack for destination address sorting:<br />
1. For each destination address, perform a route lookup to determine the sending interface and source address candidates (strong host send)<br />
2. For each destination address, select the best source address and create source-destination pairs (source address selection)<br />
3. Sort source-destination address pairs (destination address selection)
To determine the best source for each<br />
destination:<br />
◦ Prefer the source address that has a scope<br />
appropriate for the destination address<br />
◦ Prefer a non-deprecated address<br />
◦ Prefer the source address that has the same label in<br />
the prefix policy table as the destination address<br />
◦ Prefer a temporary address over a public address<br />
◦ Prefer the source address that has the longest<br />
matching prefix with the destination
To sort the list of destinations:<br />
◦ Prefer the destination address that matches the scope of the source address<br />
◦ Prefer destination addresses with source addresses that are not deprecated<br />
◦ Prefer the destination address that has the same label from the prefix policy table as its source address<br />
◦ Prefer the destination address that has the highest precedence from the prefix policy table<br />
◦ Prefer a native IPv6 destination address to an IPv6 transition technology destination address<br />
◦ Prefer the destination address with the smallest scope
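An added example (not the presentation's code): the default prefix policy table above as data with longest-match lookup, a reduced source/destination selection that applies only the label, precedence and native-versus-transition rules, and the "prefer IPv4" change modelled as raising the ::ffff:0:0/96 precedence; the sample sources and destinations are constructed.

```python
import ipaddress

# Default table from 'netsh interface ipv6 show prefixpolicies': (precedence, label, prefix).
DEFAULT_PREFIX_POLICIES = [
    (50, 0, "::1/128"),        # loopback
    (40, 1, "::/0"),           # IPv6 addresses
    (30, 2, "2002::/16"),      # 6to4 addresses
    (20, 3, "::/96"),          # IPv4-compatible addresses
    (10, 4, "::ffff:0:0/96"),  # IPv4 addresses (IPv4-mapped)
    (5, 5, "2001::/32"),       # Teredo addresses
]
TRANSITION_LABELS = {2, 5}     # 6to4 and Teredo: IPv6 transition technologies

def as_ipv6(text: str) -> ipaddress.IPv6Address:
    """IPv4 addresses are matched against the table in IPv4-mapped form."""
    addr = ipaddress.ip_address(text)
    return addr if addr.version == 6 else ipaddress.IPv6Address((0xFFFF << 32) | int(addr))

def policy_for(addr, table=DEFAULT_PREFIX_POLICIES):
    """Longest-matching-prefix lookup; returns (precedence, label)."""
    best = None
    for precedence, label, prefix in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    return best[1], best[2]

def with_precedence(table, prefix, precedence):
    """Copy of the table with one entry's precedence changed (as 'netsh ... set prefixpolicy' does)."""
    return [(precedence if p == prefix else prec, label, p) for prec, label, p in table]

def select_source(dest, sources, table):
    """Source rules modelled here: same label as the destination, then longest matching prefix."""
    dest_label = policy_for(dest, table)[1]
    def rank(src):
        common_bits = 128 - (int(src) ^ int(dest)).bit_length()
        return (policy_for(src, table)[1] == dest_label, common_bits)
    return max(sources, key=rank)

def sort_destinations(dest_names, source_names, table=DEFAULT_PREFIX_POLICIES):
    """Destination rules modelled here: label match, higher precedence, native over transition."""
    sources = [as_ipv6(s) for s in source_names]
    ranked = []
    for name in dest_names:
        dest = as_ipv6(name)
        src = select_source(dest, sources, table)
        precedence, label = policy_for(dest, table)
        key = (policy_for(src, table)[1] == label, precedence, label not in TRANSITION_LABELS)
        ranked.append((key, name, str(src)))
    ranked.sort(key=lambda r: r[0], reverse=True)   # best source-destination pair first
    return [(name, src) for _, name, src in ranked]

# Constructed sample: one native, one 6to4 and one IPv4 source; four resolved destinations.
SOURCES = ["2001:db8:0:2f3b:2aa:ff:fe28:9c5a", "2002:836b:2::1", "10.0.0.9"]
DESTINATIONS = ["2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo (constructed)
                "10.0.21.117", "2002:836b:1:1:0:5efe:10.0.21.117", "2001:db8:3f::10"]
```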
Domain members<br />
◦ No problem<br />
Non-domain members using DHCPv6<br />
◦ DNS tab on the DHCPv6 scope<br />
GOTCHA: Non-domain members using only RAs (stateless) can’t register
Who is assigning IPv6 prefixes/addresses?<br />
◦ Router (stateless)<br />
◦ DHCPv6 server (stateful)<br />
Is DNS traffic to be sent over IPv6?<br />
◦ If yes, assign DNS server and domain name via DHCPv6<br />
How are nodes registering their AAAA records?<br />
◦ If via stateless, watch out for requiring secure updates<br />
• Non-domain joined computers can’t register stateless (RA) addresses
Portal page<br />
Demonstrate IPv6<br />
DHCPv6 test lab extension<br />
IPv6-only test lab extension
Windows Server Networking on TechNet<br />
Windows Server Networking on MSDN<br />
Windows Networking Writing Team blog<br />
Windows Server Documentation Twitter feed