IPv6

 

IPv6 is designed to address a number of problems present in IPv4. Most notably, IPv4 has a serious shortage of IP addresses, created by the explosion of the Internet and by the waste of addresses due to multicast and loopback address reservation. IPv4 allows for 4 billion possible addresses, but large numbers of these are reserved (all of 127.x.x.x, for example, is taken up by the loopback address), and network addresses and broadcast addresses also waste possible IP addresses.

 

 Other problems IPv6 solves are those of duplicate IP addresses, network traffic from ARP and RARP, and the growth of routing tables.

 

Fundamentally, IPv6 bases the IP address of the host on its MAC address. This allows IPv6 to autoconfigure, that is, to create its own IP address at boot time. It also expands the IP address from 32 to 128 bits (in eight 16-bit sets), allowing 340,282,366,920,938,463,463,374,607,431,768,211,456 (three hundred forty undecillion) nodes, or about 10^24 IP addresses per square meter of the earth's surface (land and ocean!).

IPv6 also has a simpler header than IPv4, which will improve its performance, since less bandwidth will be devoted to headers, and more to data. The IPv6 header contains 8 fields, as opposed to 10 in IPv4: its version (IPv6; 4 bits), a priority field (used to be traffic class; 8 bits), a flow label that identifies packets in a single flow (20 bits), a payload length field which identifies the size of the datagram payload (16 bits), TCP/UDP header information (8 bits), hop limit (8 bits) and source and destination IP address (128 bits each). The data payload follows. Additional optional headers, called "extension headers", may be added after the IP addresses. The extension headers include such things as security and routing information. The priority field will specify the priority for transmission and delivery of each datagram, which will help with high congestion networks.

 

IPv6 will (eventually) support IPsec fully, which has not generally been adopted in IPv4.

IPsec is the IP level security protocol. In IPv6 it allows two headers, an Authentication Header (AH) and an Encapsulating Security Payload (ESP) to be added to the IP header to provide authentication. The Authentication Header may contain data origin authentication, using MD5 and SHA-1.   In IPv6 these are added as extension headers - so they are not required and can be turned on and off as desired (you might want to turn them off to improve throughput for example.) Extension headers, supported in IPv6, are headers added after the main header.
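
The header layout and the extension-header chain described above, as an added example that is not part of the original page: it decodes the eight fixed-header fields and follows the chain to report whether AH or ESP is present. The `next_header` key is the 8-bit field the page calls "TCP/UDP header information"; the packet bytes are constructed.

```python
# Added example (not from the original page): decode the fixed IPv6 header
# and walk the extension-header chain to see whether AH or ESP is present.
import ipaddress
import struct

# IANA protocol numbers used in the Next Header field.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
NAMES = {0: "hop-by-hop", 43: "routing", 44: "fragment", 50: "ESP",
         51: "AH", 60: "dest-opts", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

def parse_fixed_header(pkt):
    """Decode the 40-byte fixed IPv6 header into its eight fields."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"version": word >> 28,
            "traffic_class": (word >> 20) & 0xFF,
            "flow_label": word & 0xFFFFF,
            "payload_length": payload_len,
            "next_header": next_hdr,
            "hop_limit": hop_limit,
            "src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40])}

def header_chain(pkt):
    """Name each header after the fixed one, stopping at ESP or the payload."""
    nxt, off, chain = parse_fixed_header(pkt)["next_header"], 40, []
    while True:
        chain.append(NAMES.get(nxt, str(nxt)))
        if nxt not in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS):
            return chain  # upper-layer protocol, or ESP (the rest is encrypted)
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        following, length_field = pkt[off], pkt[off + 1]
        if nxt == FRAGMENT:
            size = 8                          # fragment header is fixed-size
        elif nxt == AH:
            size = (length_field + 2) * 4     # AH counts 32-bit words, minus 2
        else:
            size = (length_field + 1) * 8     # others count 8-byte units, minus 1
        nxt, off = following, off + size

def constructed_packet():
    """Constructed sample: fixed header, a 24-byte AH, then a UDP header."""
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    ah = bytes([17, 4, 0, 0]) + bytes(20)     # next header UDP, length field 4
    udp = struct.pack("!HHHH", 1024, 1025, 8, 0)
    fixed = struct.pack("!IHBB", (6 << 28) | 0x12345, len(ah) + len(udp), AH, 64)
    return fixed + src + dst + ah + udp
```

Calling `header_chain(constructed_packet())` returns `["AH", "UDP"]`; a packet sent without the optional security headers would show only the upper-layer protocol.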

 

IPv6 address types: There are just three address types in IPv6: unicast, multicast and anycast. These addresses, like IPv4 addresses, are assigned to interfaces, not to nodes, though all interfaces on a node may have the same unicast addresses. The multicast addresses replace both broadcast and multicast in IPv4. Packets sent to a multicast address are potentially picked up by multiple systems. Unicast addresses go to a specified host. Each host might have up to three unicast addresses.

Finally, packets bearing anycast addresses are sent only to the nearest host supplying a particular service ("nearest" as defined by the routing protocol). These are addresses assigned to a group of interfaces, generally those providing some service such as routers. They have the same format as a unicast address.

 

IPv6 addressing: IPv6 allows for the creation of a set of 3 "stateless" addresses for each system. Stateless addresses are those autoconfigured from the system's MAC address.

The first is the "link-local" address, also called the "link local unicast" address, which contains no information about the network and is created solely from the MAC address. These 64 bits are in an IEEE format called End Unit Identifier-64, or EUI-64. This address works only on the link-local area, and allows an IPv6 system to be "plug and play." Such an address begins with FE8 (1111 1110 10), uses the last 64 bits of the IP address and is not routable. If a system has more than one interface on different networks, they will be configured with the same link-local address.

The second, the "site-local" address, or "site local unicast" address, allows the system to configure network information into its IP address, which it obtains from router advertisements. It adds 16 bits (the SLA or site-level aggregator) to the front of the site-local address and begins with FEC (1111 1110 11). Such an address can be routed within an organization. Also see /etc/inet/ndpd.conf.

The third type of unicast address is the "aggregatable global unicast" address, in which a prefix is assigned to a corporation, which prepends this value to all IP addresses it uses. This address begins with 2 (001) and includes 45 bits, the Next Level Aggregator to identify the organization, and the Top Level Aggregator, to identify the IANA top level authority. These are prepended to the site-local address. The format of an aggregatable global unicast address is:

3 bits    13 bits    32 bits    16 bits    64 bits
001       TLA        NLA        SLA        EUI

The information necessary to set up an aggregatable global address is also obtained from router advertisements when the system autoconfigures its IP address. Global aggregatable addresses are routable world-wide. The portion of the IP address configured from the MAC address is called the interface identifier and is 64 bits. The portion which identifies the network is called the format prefix or subnet prefix, and varies in length. These are analogous to the host number and network number in IPv4 format. The portion of each is identified by the /x suffix to the IP address, where x is the number of bits in the subnet prefix. In each case, when a system autoconfigures, it checks to see if the local network has a duplicate address by sending out a neighbor solicitation for a system with that address.
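
How the MAC address ends up in the interface identifier, as an added example that is not part of the original page: it applies the standard modified EUI-64 rule (flip the universal/local bit, insert ff:fe), which the page does not spell out, and shows that the identifier stays the same under every prefix and maps straight back to the MAC. The MAC and the 2001:db8:0:1::/64 prefix are constructed sample values.

```python
# Added example (not from the original page). The MAC and the 2001:db8:0:1::/64
# prefix are constructed sample values.
import ipaddress

def mac_to_interface_id(mac):
    """Turn a 48-bit MAC into the 64-bit EUI-64 style interface identifier."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected six colon-separated octets")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def autoconfigured_address(prefix, mac):
    """Join a 64-bit subnet prefix with the MAC-derived interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration expects a /64 prefix")
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def recover_mac(address):
    """Return the MAC embedded in an address, or None if none is embedded."""
    iid = ipaddress.IPv6Address(str(address)).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)

SAMPLE_MAC = "08:00:20:aa:bb:cc"   # constructed
LINK_LOCAL = autoconfigured_address("fe80::/64", SAMPLE_MAC)
GLOBAL = autoconfigured_address("2001:db8:0:1::/64", SAMPLE_MAC)
```

Because the low 64 bits are identical in `LINK_LOCAL` and `GLOBAL`, anyone who sees the global address can identify the interface hardware and recognise the same host on another network.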

 

Stateful addresses also exist, which would be typical of  those downloaded by a DHCP router. In that case, an address is autoconfigured by the system based on an address downloaded to it, rather than on its own MAC address.

 

Calculation of the IP address can be seen in the book. A single set of contiguous zeros may be compressed and dropped out of the address, leaving the two colons behind. A set of all zeros between two colons may be compressed into a single zero any time, leaving all colons in place.

 

There are also special addresses: the unspecified address, 0:0:0:0:0:0:0:0 (compressed ::), which identifies a system without an IP address, and the loopback address, thriftily composed mostly of zeros: 0:0:0:0:0:0:0:1 (compressed ::1). The unspecified address is used by systems which do not yet have an IP address, for example, those sending packets to a DHCP server. IPv4 addresses can be supported in IPv6 by casting the IPv4 address in an IPv6 format. The IPv4 address is appended on to the first six 16-bit sections of the address. For an IPv4 system that supports IPv6, such as Solaris 9, 223.45.34.5 becomes 0:0:0:0:0:0:223.45.34.5 or ::223.45.34.5. In contrast, for an IPv4 system that does not support IPv6, the IPv6 address becomes ::FFFF:yyyy:yyyy, where yyyy:yyyy is the IP address in hexadecimal. This address can be used to tunnel IPv6 packets through IPv4 routers that don't support IPv6. The yyyy:yyyy portion of the address is translated into an IPv4 address, and then back to an IPv6 address.

 

Multicast in IPv6: IPv6 uses multicast in place of both broadcast and multicast in IPv4. An address that begins with 11111111 (ff) is a multicast address. The next 4 bits are always 000 followed by 0 if a well known multicast address is being used, or by 1 if a special, temporary multicast address follows (such an address might be used for a videoconference, for example). The next 4 bits identify the scope of the multicast. If the scope bits are 0001, the multicast is limited to the node itself. If the scope bits are 0010, the multicast is limited to the link-local area. If they are 0101, the multicast is limited to the site, and if they are 0111, the multicast is limited to the organization. When the scope bits are 1111, the multicast goes to the entire Internet. The last 32 bits of the multicast address specify the multicast group: 1 is all nodes, 2 is routers, 9 is RIP routers, 101 is NTP servers, etc. All intervening bits are zero. A node decides if it wants to belong to a multicast group, and can configure itself out of a group. Routers can forward multicasts in IPv6. Hosts joining or leaving a multicast group use IGMP (Internet Group Management Protocol) to report this information to routers.

 

The in.ndpd daemon: The in.ndpd daemon implements the Neighbor Discovery Protocol on Solaris systems. This protocol performs autoconfiguration, and multicasts onto the local link to solicit the link-local unicast address of neighboring systems, which can then be translated back into a MAC address for inclusion in the neighbor cache, which replaces the ARP table.  This is a neighbor solicitation message. It also routinely sends out messages to discover new neighbors and discover routers. Routers also send out regular messages about their availability.

 

Routing in IPv6: In Solaris, routing in IPv6 is done by the daemons in.ripngd and in.ndpd.  Routing is started when /etc/inet/ndpd.conf is created and the system rebooted.  This file contains the prefixes assigned to each interface on the router; these prefixes are generally one site-local and one global-aggregatable.

 

To start routing without a reboot, you must perform the following steps. Turn on IPv6 routing:

 

ndd -set /dev/ip ip6_forwarding 1

 

Start in.ndpd

 

/usr/lib/inet/in.ndpd

 

Start in.ripngd in speaking mode:

 

/usr/lib/inet/in.ripngd -s

 

 Each prefix will be associated with a logical interface. For example, on a system where the interface qfe0 has a site-local and global aggregatable address associated with it in the ndpd.conf file, the link-local address will usually be assigned qfe0, the site-local address will be qfe0:1, and the global address will be qfe0:2.  That information is then advertised to hosts on the router's network, which use it to autoconfigure their IPv6 addresses. IPv6 routing is hierarchical. The 3 different portions of the subnet addresses, the Site Level Aggregator (SLA), the Next Level Aggregator (NLA) and the Top Level Aggregator (TLA) each indicate the route a packet should take to its destination. This greatly simplifies routing. 

 

When a system has two interfaces it does not act as an IPv6 router by default. This is totally different from the IPv4 behavior.

With only the local, auto-configured IPv6 address you won't be able to get off the local segment of the network, no matter how many networks the system is connected to. You must apply for a site address that is routable (or make one up for test reasons, as done in the lab).
 

Effect on protocols: Protocols other than IP addressing are also affected by IPv6 changes. There is a new set of ICMP messages, and a new protocol called IGMP or Internet Group Management Protocol. This is the protocol that allows hosts to report their multicast groups to routers. ARP and RARP no longer exist, and instead the protocols Neighbor Discovery and Router Discovery are used. These new protocols allow systems to discover routers and other systems attached to the link local area, as well as to find out about the address prefixes for the link. Nodes can also discover the link MTU so they can fragment their own packets before they are sent, reducing the load on routers. These functions are carried out by ICMP messages.

 

Enabling IPv6 on Solaris 9: Adding the file /etc/hostname6.<interface> and rebooting (or using ifconfig) will bring up the interface supporting both IPv6 and IPv4. There are no entries in this file as a rule. Any IP address or hostname will disable autoconfiguration and generate a stateful IP address. IPv6 can also be configured on an interface using the command ifconfig, as you would for an IPv4 configured interface, but using the keyword "inet6" described below.

 

The hosts file for IPv6 is /etc/inet/ipnodes, and this file is supported in NIS with ipnodes.byname and ipnodes.byaddr.  It is consulted prior to /etc/hosts, so an incorrect, forgotten entry in this table can cause major problems for your IPv4 address resolution. One table is added to NIS+, ipnodes.org_dir.  An ipnodes line must also be added to nsswitch.conf, with DNS and other name service info appended as:

ipnodes: files nisplus dns

The DNS files add a value of AAAA type used to point to IPv6 addresses.

 

Commands: The utilities netstat and ifconfig are also used in managing IPv6 interfaces. The option -f inet6 can be appended to netstat commands to give only IPv6 information. For example, netstat -f inet6 displays usage information for IPv6, and the state of all interfaces configured with IPv6 can be displayed with netstat -ia. netstat -f inet6 -g shows multicast group membership for all interfaces. netstat -rn -f inet6 will display routing table information for IPv6 only. ifconfig <interface> inet6 displays IPv6 specific information about the interface named. These interfaces can also be managed with ifconfig just as IPv4 interfaces are, as long as the inet6 keyword is used. For example, to bring up and plumb an IPv6 interface, you can use ifconfig hme1:2 inet6 plumb up. Snoop can also capture IPv6 packets with snoop ip6 or snoop icmp6, or with snoop inet6 hostname. Systems can be pinged with ping -a hostname ipv6.

 

Acronyms:

AH – Authentication Headers

ESP – Encapsulating Security Payload

EUI – End Unit Identifier.

FP – Format Prefix – the leading bits, such as FEC for a site-local address.

IAB - Internet Architecture Board - group responsible for development of IPv6

IGMP – Internet Group Management Protocol – used by hosts belonging to multicast groups to report their memberships to routers.

NDP – Neighbor Discovery Protocol

NLA – Next Level Aggregator – address assigned to the company or organization by its ISP.

SLA – Site Level Aggregator – subnet number assigned to networks within a company.

TLA – Top Level Aggregator – the identification number of the IANA authority at the top of an IP hierarchy.

 

Definitions:

link local address – an address which cannot pass through a router. It is configured by a system from its MAC address.

stateful autoconfiguration – a configuration server (DHCP) provides the address, rather than systems using their own MAC addresses.

stateless autoconfiguration – the MAC address and router information are used by a system to generate its own IP address.

Neighbor Discovery Protocol – router solicitation protocol which replaces rdisc in IPv6.

unspecified address: 0:0:0:0:0:0:0:0  = ::

loopback address  0:0:0:0:0:0:0:1  = ::1

aggregatable global unicast – an address with the FP of 2, along with the TLA, SLA, NLA and EUI – it is routable anywhere. 

link-local unicast – an address with the FP of FE8  = FP + 0s  + EUI – used only on the local link.

site-local unicast  - an address with the FP of FEC  = FP  +  0s  + subnet  + EUI – used to route at the site.

IPv4 addressing – if system supports IPv6:   ::x.x.x.x (where x.x.x.x is the IPv4 address).

if the system does not support IPv6:  ::FFFF:x.x.x.x.

multicast addresses = prefix ff0000 (if well known) or ff0001 (if temporary).

 

Files:

/etc/inet/ipnodes – equivalent of hosts file for IPv6.

/etc/inet/ndpd.conf – file which configures routing in IPv6. Format:

 

prefix fec0:0:0:<site local prefix>::0/64                                    <interface>

prefix 2<rest of global aggregatable prefix>:<site local prefix>::0/64       <interface>

/etc/hostname6.hme0 – this file must exist for every interface to be configured with IPv6.

 

Commands:

netstat -f inet6  - displays IPv6 information

netstat -ia  - displays all interfaces

netstat -f inet6 -g  - displays multicast group membership for IPv6 interfaces.

netstat -rn -f inet6  - gives IPv6 routing information

ndd -set /dev/ip ip6_forwarding 1|0  - turn IPv6 routing on|off

ndd -set /dev/ip ip6_send_redirects 1|0 - turn on|off  routing redirects. You may wish to disable this (it is normally enabled) as a security feature.

ndd -set /dev/ip ip6_ignore_redirect 1|0 - turn on|off  ignoring routing redirects

ifconfig  hme0 inet6   - same as ifconfig hme0 for IPv4

ifconfig  -a  inet6   - same as ifconfig -a for IPv4

ifconfig hme0:1 inet6  plumb up  - same as ifconfig hme0:1 plumb  up for IPv4

snoop ip6  - snoops IPv6 packets

snoop icmp6  - snoops IPv6 ICMP packets

snoop inet6  <hostname> - snoops IPv6 packets from a particular host.

ping  -a <hostname|IP address> ipv6  - pings an IPv6 configured host.

/usr/lib/inet/in.ndpd - start in.ndpd

/usr/lib/inet/in.ripngd -s - start in.ripngd in speaking mode, so it advertises its routes.

 

Misc:

How to configure IPv6:

 

Touch /etc/hostname6.<interface> and reboot.

Populate  /etc/inet/ipnodes.

 

NIS/NIS+ with IPv6

NIS maps:

ipnodes.byaddr

ipnodes.byname

NIS+ tables

ipnodes.org_dir

 

New DNS entry type: quad A:  AAAA  for IPv6 IP addresses, in place of A  records.

 

Changes in scripts from Solaris 7:

Essentially, Solaris 8 "lifted" the network related configuration steps (dhcp, configuring and plumbing interfaces) out of rootusr.sh and made them a separate script called "S30network.sh". (It also added in appropriate steps related to IPv6.) However, the original "rootusr" script remains and still serves the purpose of establishing proper mounts for '/' and '/usr' during the building of Single-User mode.
