
IPv6 Deployment Series Part 9: Understanding IPv6 Specific Concepts and the Associated Addressing

Networking

RYAN HARRIS | Sr. Network Engineer 


This blog post is part of a series detailing the various parts of planning and deploying IPv6 for enterprise networks. It is meant as a primer for the network engineer or architect to understand the various concepts they may be unaware of when developing their IPv6 production design.    

If you have not read the previous posts, I would highly recommend that you start at the beginning:     

 

Multicast Groups 

IPv6 deprecates the idea of a broadcast address for a network segment and instead moves this functionality to use a multicast address. 

For a full explanation of the various multicast address scopes, please refer to RFC 7346 as well as the IANA Multicast Address list for registered addresses. 

All IPv6 multicast addresses begin with the FF00::/8 prefix.  

Link-Local Scope Multicast Addresses 

The link-local multicast scope (FF02::) is where the bulk of network services’ well-known multicast addresses are registered. This includes addresses for routing protocols, neighbor discovery, FHRP protocols, and more. 

All-Nodes 

The All-Nodes multicast address is analogous to the legacy broadcast address in IPv4. This multicast address should be registered to all hosts in a network segment. The All-Nodes address is FF02::1. 

In the context of neighbor discovery, the All-Nodes multicast address is the destination to which unsolicited router advertisement packets are sent. It is also the destination of the Neighbor Advertisement that answers a DAD (Duplicate Address Detection) probe, because the probe itself is sent from the unspecified address and cannot be answered by unicast.

All-Routers 

The All-Routers multicast address is a concept new to IPv6 that has no direct equivalent in IPv4. It is meant to optimize communication between hosts on the network segment and only the routers, and it is primarily used as the destination of the ICMPv6 Neighbor Discovery router solicitation message. The All-Routers address is FF02::2.

By using the All-Routers address, router solicitations sent by hosts reach only the routers, so the other hosts on the segment do not have to receive and process them.

Link-local IP addresses 

One of the more unique changes introduced with IPv6 is the concept of a link-local IP address. The link-local address is a dynamically created address used by a device to communicate solely with other devices on the same link.

With IPv4, the bootstrap process that lets a device dynamically learn its IP address information happens using the layer 2 address, the MAC address. However, because the neighbor discovery protocol runs above the link layer (as ICMPv6 carried inside IPv6 packets), an IPv6 device has to create a link-local address of its own so that it can communicate with other devices on the link before it obtains a globally unique address.

The well-known link-local prefix is FE80::/10, and the link-local address is formed using the same process as creating a SLAAC address. By definition the link-local prefix is FE80::/10; in practice, however, because the middle 54 bits are intended to be all zeros and only the last 64 bits are unique, the link-local prefix can also be thought of as FE80::/64. Before a device can use its created link-local address, it must perform a Duplicate Address Detection (DAD) check to verify uniqueness on the network segment. Assuming the address is not in use on another machine, the device can use its link-local address to send a router solicitation message and hopefully receive prefix information back.

Because every IPv6-enabled interface uses the same link-local prefix, you'll see route information include the outgoing interface alongside the IP address. For example, on my Mac, I see routes in the output of the netstat command appended with the outgoing interface "%en0", as in "fe80::36e5:ecff:fe8f:3811%en0".

On routers, you can manually configure a link-local address with "ipv6 address [ipv6 address]/[network mask] link-local"; however, this is not necessary, because a link-local address is created automatically from the EUI-64 of the interface's MAC address when a globally unique IPv6 address is configured on the router's interface.

ICMP Neighbor Discovery 

The ICMPv6 Neighbor Discovery Protocol (NDP) was introduced to replace much of the functionality of the Address Resolution Protocol (ARP) and the Dynamic Host Configuration Protocol (DHCP). NDP uses IPv6 link-local addresses for source and destination addresses and consists of five message types: Neighbor Advertisement, Neighbor Solicitation, Router Advertisement, Router Solicitation, and Redirect.

  • Neighbor Advertisement: The neighbor advertisement message is sent by a host advertising to its neighbors that it is the owner of a particular address. This is sent either gratuitously or in response to a neighbor solicitation request. 
  • Neighbor Solicitation: The neighbor solicitation message is sent as a request from a neighbor looking to resolve an IP address to a link-layer address (MAC address). 
  • Router Advertisement: Router Advertisement messages are sent either periodically or in response to a router solicitation message to inform neighbors on a segment of the existence of a router. Prefix information is included in RA messages and other information such as configuration flags and other configurable options. Router advertisement messages are meant to replace much of the functionality of DHCP messages in IPv4. 
  • Router Solicitation: Router Solicitation messages are sent by hosts on a network segment that are looking for network host configuration information. These messages are most similar to the DHCP discover messages in IPv4. 
  • Redirects:  The redirect message exists to tell hosts on a network segment that there is a better route for a specific traffic flow. 

Router Advertisement  

The router advertisement (RA) packets are the most important and complex variation of the Neighbor Discovery packets. As the name suggests, the RA packet announces that a router is on the subnet and can be used as a default gateway for a LAN segment. 

The RA packet contains information needed by the clients on the segment to obtain an IP address. The RA packet will have either the Managed config flag, the Other config flag, or the Address config flag enabled to indicate whether the client should use stateful DHCP, stateless DHCP, or SLAAC for an IP address. 

Prefix information is carried as an option of the RA packet, alongside lifetime information, router preference, hop limit, and an MTU announcement. Note that the router's link-local address is used as the source address of the RA packet, and that address is what the client uses as its default gateway. The RA packet is sent periodically to the All-Nodes multicast address and in response to a router solicitation message from a client.

Duplicate Address Detection 

Duplicate Address Detection (DAD) is a key piece to the creation and assignment of IPv6 addresses and is used to prevent endpoints that are acting independently of each other from accidentally assigning the same address as another endpoint on the same subnet. 

Neither SLAAC nor stateless DHCPv6 has a centralized server that can coordinate unique IP addresses within a subnet, which necessitates an additional mechanism to avoid duplicates. While it is extremely unlikely that two randomly created addresses in a /64 subnet would conflict with each other, the process by which IPv6 addresses are created is not always random, which greatly increases the likelihood of overlap. SLAAC was originally intended to use the MAC address of the endpoint's NIC to form an IPv6 address, which in theory should be unique; in practice, however, some manufacturers have erroneously assigned the same MAC address to multiple devices, which could cause a conflict.

Functionally, the DAD process uses a special Neighbor Solicitation packet to perform the check. This DAD NS packet differs from a normal NS packet in that its source address is the unspecified address (::) and its destination is the solicited-node multicast address of the tentative address being tested.

The Solicited-Node multicast address is created from the unicast address of the client by appending the last 24 bits of that address to the well-known prefix FF02:0:0:0:0:1:FF00::/104. This may seem unnecessary, but the thinking behind it is to reduce the number of multicast groups a client needs to join when it has multiple prefixes assigned: every address formed from the same interface identifier maps to the same solicited-node group.
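As an added example that is not part of the original post, the address arithmetic from the Link-local and DAD sections in Python: forming a link-local address from a MAC via modified EUI-64, deriving the solicited-node multicast group, and the addresses that appear on a DAD probe. The MAC address is a constructed value chosen to reproduce the link-local address quoted earlier in the post.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) derived from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet, then insert FF:FE in the middle.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Link-local address as SLAAC forms it: FE80::/64 plus the modified EUI-64."""
    prefix = ipaddress.IPv6Address("fe80::").packed[:8]
    return ipaddress.IPv6Address(prefix + eui64_interface_id(mac))


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """FF02:0:0:0:0:1:FF00::/104 with the low 24 bits of the unicast address appended."""
    unicast = ipaddress.IPv6Address(addr)
    prefix = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return ipaddress.IPv6Address(prefix + unicast.packed[13:])


def dad_probe(tentative) -> dict:
    """Addresses carried by the DAD Neighbor Solicitation: unspecified source,
    solicited-node destination, and the tentative address as the NS target."""
    target = ipaddress.IPv6Address(tentative)
    return {"src": ipaddress.IPv6Address("::"),
            "dst": solicited_node_multicast(target),
            "target": target}


def solicited_node_groups(addrs) -> set:
    """Solicited-node groups an interface must join for its addresses; addresses
    that share one interface identifier collapse onto a single group."""
    return {solicited_node_multicast(a) for a in addrs}


if __name__ == "__main__":
    # Constructed MAC: it yields the link-local address quoted in the post.
    ll = link_local_from_mac("34:e5:ec:8f:38:11")
    print("link-local     ", ll)                            # fe80::36e5:ecff:fe8f:3811
    print("solicited-node ", solicited_node_multicast(ll))  # ff02::1:ff8f:3811
    print("DAD probe      ", dad_probe(ll))
    # Two prefixes, same interface identifier: only one solicited-node group to join.
    print("groups joined  ", solicited_node_groups([ll, "2001:db8:1::36e5:ecff:fe8f:3811"]))
```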

Anycast Addresses 

An anycast message is a one-to-one-of-many network communication, in contrast with unicast (one-to-one), broadcast (one-to-all), and multicast (one-to-many). It is a unicast communication whose destination is not unique: the response could come from any of several sources. Anycast differs from the other communication formats in that it relies on routing protocols to determine the nearest anycast host.

For example, you may have multiple DNS servers in disparate geographic locations that are all configured with the same address. To the routing protocol, this looks no different than having multiple paths to the same network, and the metric of the routing protocol is the determining factor behind which path through the network is chosen. In the case of anycast, if one of these paths were to fail, traffic will simply be routed through the next nearest path. 

This architecture was developed for IPv4 networks and is in wide use for the global Internet root nameservers.  

With IPv6 the architecture was written to explicitly allow for distinctive anycast addresses. 
