The Advantages of IPv6
IPv6 was designed to overcome the limitations of IPv4. The main advantages that IPv6 has over its predecessor are as follows:
• Increased address space: IPv6 provides sufficient addresses for every device that needs to have a unique public IPv6 address. In addition, the 64-bit host portion (interface ID) of an IPv6 address can be automatically generated from the network adapter hardware.
• Automatic address configuration: Typically, IPv4 is configured either manually or by using DHCP. Automatic configuration (autoconfiguration) through APIPA is available for isolated subnets that are not routed to other networks. IPv6 deals with the need for simpler and more automatic address configuration by supporting both stateful and stateless address configuration.
• Network-level security: Communication over the Internet requires encryption to protect data from being viewed or modified in transit. Internet Protocol Security (IPSec) provides this facility, and IPv6 makes IPSec mandatory.
• Real-time data delivery: Quality of Service (QoS) exists in IPv4, and bandwidth can be guaranteed for real-time traffic over a network, but not when an IPv4 packet's payload is encrypted. Payload identification is included in the Flow Label field of the IPv6 header, so payload encryption does not affect QoS operation.
• Routing table size: On the IPv6 Internet, backbone routers have greatly reduced routing tables that use route aggregation, which permits a number of contiguous address blocks to be combined and summarized as a larger address block.
• Header size and extension headers: IPv4 and IPv6 headers are not compatible, and a host or router must use both IPv4 and IPv6 implementations to recognize and process both header formats. Therefore, the IPv6 header was designed to be as small as was practical. Nonessential and optional fields are moved to extension headers placed after the IPv6 header.
• Removal of broadcast traffic: IPv4 relies on ARP broadcasts to resolve the MAC addresses of the network adapters. The IPv6 Neighbor Discovery (ND) protocol uses a series of ICMPv6 messages. ND replaces ARP broadcasts, ICMPv4 Router Discovery, and ICMPv4 Redirect messages with efficient multicast and unicast ND messages.
Quick Check
1. How many bits are in an IPv4 address?
2. How many bits are in an IPv6 address?
Quick Check Answers
1. 32
Address Resolution in IPv6
The ND protocol resolves IPv6 addresses to MAC addresses. This is typically a straightforward process. For example, in unicast global IPv6 addresses the 64-bit host portion of the IPv6 address is derived from the MAC address of the network adapter in the first place.
The resolution of host names to IPv6 addresses is accomplished through DNS (apart from link-local addresses, which are not stored by DNS and resolve automatically). The procedure is the same as for IPv4 address resolution, with the computer name and IPv6 address pair being stored in a AAAA (quad-A) DNS resource record, which is equivalent to an A or host record for IPv4. Reverse DNS lookup that returns a computer name for an IPv6 address is implemented by a pointer (PTR) DNS resource record that is referred to the IPv6 reverse lookup zone (or tree) ipv6.arpa, which is the equivalent of the in-addr.arpa reverse lookup zone in IPv4. Creating an ipv6.arpa reverse lookup zone is a complex procedure that involves splitting the IPv6 address into 4-bit nibbles and entering these in reverse order. This is beyond the scope of the 70-680 examination.
In peer-to-peer environments where DNS is not available (for example, ad hoc networks), the Peer Name Resolution Protocol (PNRP) provides dynamic name registration and name resolution. PNRP can apply peer names to the machine or to individual applications and services on the machine. A peer name resolution includes an address, port, and possibly an extended payload. Peer names can be published as secured (protected) or unsecured (unprotected). PNRP uses public key cryptography to protect secure peer names against spoofing.
More Info: Peer Name Resolution Protocol
For more information about PNRP, see http://msdn.microsoft.com/en-us/library/bb968779.aspx.
Implementing IPv4-to-IPv6 Compatibility
In addition to the various types of addresses described earlier in this lesson, IPv6 provides the following types of compatibility addresses to aid migration from IPv4 to IPv6 and to implement transition technologies.
IPv4-Compatible Address
The IPv4-compatible address 0:0:0:0:0:0:w.x.y.z (or ::w.x.y.z) is used by dual-stack nodes that are communicating with IPv6 over an IPv4 infrastructure. The last four octets (w.x.y.z) represent the dotted decimal representation of an IPv4 address. When the IPv4-compatible address is used as an IPv6 destination, the IPv6 traffic is automatically encapsulated with an IPv4 header and sent to the destination using the IPv4 infrastructure.
IPv4-Mapped Address
The mapped address 0:0:0:0:0:ffff:w.x.y.z (or ::ffff:w.x.y.z) is used to represent an IPv4-only node to an IPv6 node, and hence to map IPv4 devices that are not compatible with IPv6 into the IPv6 address space.
6to4 Address
A 6to4 address enables IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. 6to4 hosts can communicate with hosts on the IPv6 Internet. A 6to4 address is typically used when a user wants to connect to the IPv6 Internet using their existing IPv4 connection. It takes the form 2002:<first two bytes of the IPv4 address>:<second two bytes of the IPv4 address>::/16.
To use a 6to4 address, you do not need to configure or support IPv6 on any nearby networking devices relative to the host. As a result, 6to4 is relevant during the initial phases of deployment to full, native IPv6 connectivity. It is intended only as a transition mechanism and is not meant to be used permanently. It does not facilitate interoperation between IPv4-only hosts and IPv6-only hosts.
Teredo Address
A Teredo address consists of a 32-bit Teredo prefix. In Windows 7 (and in Windows Vista and Windows Server 2008), this is 2001::/32. The prefix is followed by the IPv4 (32-bit) public address of the Teredo server that assisted in the configuration of the address. The next 16 bits are reserved for Teredo flags. Currently, only the highest-ordered flag bit is defined. This is the cone flag and is set when the NAT connected to the Internet is a cone NAT.
Note: Teredo in Windows XP and Windows Server 2003
In Windows XP and Windows Server 2003, the Teredo prefix was originally 3ffe:831f::/32. Computers running Windows XP and Windows Server 2003 use the 2001::/32 Teredo prefix when updated with Microsoft Security Bulletin MS06-064.
The next 16 bits store an obscured version of the external UDP port that corresponds to all Teredo traffic for the Teredo client interface. When a Teredo client sends its initial packet to a Teredo server, NAT maps the source UDP port of the packet to a different, external UDP port. All Teredo traffic for the host interface uses the same external, mapped UDP port. The value representing this external port is masked or obscured by exclusive ORing (XORing) it with 0xffff. Obscuring the external port prevents NATs from translating it within the payload of packets that are being forwarded.
The final 32 bits store an obscured version of the external IPv4 address that corresponds to all Teredo traffic for the Teredo client interface. The external address is obscured by XORing the external address with 0xffffffff. For example, the obscured version of the public IPv4 address 131.107.0.1 in colon-hexadecimal format is 7c94:fffe (131.107.0.1 equals 0x836b0001, and 0x836b0001 XOR 0xffffffff equals 0x7c94fffe). As with the UDP port, obscuring the external address prevents NATs from translating it within the payload of the packets that are being forwarded.
For example, Northwind Traders currently implements the following IPv4 private networks at its headquarters and branch offices:
• Headquarters: 10.0.100.0/24
• Branch1: 10.0.0.0/24
• Branch2: 10.0.10.0/24
• Branch3: 10.0.20.0/24
The company wants to establish IPv6 communication between Teredo clients and other Teredo clients, and between Teredo clients and IPv6-only hosts. The presence of Teredo servers on the IPv4 Internet enables this communication to take place. A Teredo server is an IPv6/IPv4 node connected to both the IPv4 Internet and the IPv6 Internet that supports a Teredo tunneling interface. The Teredo addresses of the Northwind Traders networks depend on a number of factors, such as the port and type of NAT server used, but they could, for example, be the following:
• Headquarters: 2001::ce49:7601:e866:efff:f5ff:9bfe through 2001::0a0a:64fe:e866:efff:f5ff:9b01
• Branch 1: 2001::ce49:7601:e866:efff:f5ff:fffe through 2001::0a0a:0afe:e866:efff:f5ff:ff01
• Branch 2: 2001::ce49:7601:e866:efff:f5ff:f5fe through 2001::0a0a:14fe:e866:efff:f5ff:f501
• Branch 3: 2001::ce49:7601:e866:efff:f5ff:ebfe through 2001::0a0a:1efe:e866:efff:f5ff:ebfe
Note that, for example, 10.0.100.1 is the equivalent of 0a00:6401, and 0a00:6401 XORed with ffff:ffff is f5ff:9bfe.
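The following Python script is an added example, not code from the book or from Microsoft. It builds and decodes Teredo addresses field by field exactly as the text lays them out (32-bit prefix, server IPv4, 16 flag bits, XOR-obscured port, XOR-obscured client IPv4) and cross-checks the result against the standard library's own Teredo decoder. The server address 192.0.2.1 and the UDP port 40000 in the sample are constructed values; the client addresses 131.107.0.1 and 10.0.100.1 and the headquarters address are the ones used in the text.

```python
import ipaddress

# Teredo prefixes named in the text: 2001::/32 (Windows 7, Vista, Server 2008)
# and the legacy 3ffe:831f::/32 prefix (XP / Server 2003 before MS06-064).
TEREDO_PREFIXES = (
    ipaddress.IPv6Network("2001::/32"),
    ipaddress.IPv6Network("3ffe:831f::/32"),
)
CONE_FLAG = 0x8000  # highest-order bit of the 16-bit flags field


def obscure_port(port: int) -> int:
    """The external UDP port is stored XORed with 0xffff (XOR is its own inverse)."""
    return port ^ 0xFFFF


def obscure_ipv4(dotted: str) -> int:
    """The external IPv4 address is stored XORed with 0xffffffff."""
    return int(ipaddress.IPv4Address(dotted)) ^ 0xFFFFFFFF


def encode_teredo(server: str, cone: bool, external_port: int, external_ipv4: str,
                  prefix: ipaddress.IPv6Network = TEREDO_PREFIXES[0]) -> str:
    """Assemble a Teredo address from prefix, server, flags, port and client address."""
    raw = (
        prefix.network_address.packed[:4]                      # 32-bit Teredo prefix
        + ipaddress.IPv4Address(server).packed                 # Teredo server IPv4
        + (CONE_FLAG if cone else 0).to_bytes(2, "big")        # flags (cone bit only)
        + obscure_port(external_port).to_bytes(2, "big")       # obscured external port
        + obscure_ipv4(external_ipv4).to_bytes(4, "big")       # obscured external IPv4
    )
    return str(ipaddress.IPv6Address(raw))


def decode_teredo(addr: str) -> dict:
    """Split a Teredo address into its components, undoing the XOR obscuring."""
    ip = ipaddress.IPv6Address(addr)
    if not any(ip in p for p in TEREDO_PREFIXES):
        raise ValueError(f"{addr} does not carry a Teredo prefix")
    raw = ip.packed
    flags = int.from_bytes(raw[8:10], "big")
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone": bool(flags & CONE_FLAG),
        "external_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "external_ipv4": str(ipaddress.IPv4Address(
            int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)),
    }


def stdlib_teredo(addr: str):
    """Cross-check: the standard library decodes (server, client) for 2001::/32 only."""
    pair = ipaddress.IPv6Address(addr).teredo
    return None if pair is None else (str(pair[0]), str(pair[1]))


if __name__ == "__main__":
    # Constructed sample: server 192.0.2.1, cone NAT, external port 40000,
    # external client address 131.107.0.1 (the address used in the text).
    sample = encode_teredo("192.0.2.1", True, 40000, "131.107.0.1")
    print(sample, decode_teredo(sample), stdlib_teredo(sample))
    # The book's headquarters address decodes to client 10.0.100.1.
    print(decode_teredo("2001::ce49:7601:e866:efff:f5ff:9bfe"))
```

Decoding the headquarters address from the text recovers the client address 10.0.100.1 and a server address of 206.73.118.1; the flags field there (e866) has its cone bit set but also carries bits that are undefined in the text, which the decoder simply ignores.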
Exam Tip
The 70-680 examination objectives specifically mention Teredo addresses, which are supported by Microsoft. However, the examination is unlikely to ask you to generate a Teredo address. You might, however, be asked to identify such an address and work out its included IPv4 address. Fortunately, you have access to a scientific calculator during the examination. You are more likely to be asked to identify a Teredo or a 6to4 address. Both are public addresses. A Teredo address starts with 2001; a 6to4 address starts with 2002.
Note: Teredo
For more information about Teredo, see http://www.ietf.org/rfc/rfc4380.txt and http://www.microsoft.com/technet/network/ipv6/teredo.mspx.
Cone NATs
Cone NATs can be full cone, restricted cone, or port-restricted cone. In a full-cone NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port, and any external host can send a packet to the internal host by sending a packet to the mapped external address.
In a restricted-cone NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port, but an external host can send a packet to the internal host only if the internal host had previously sent a packet to the external host.
In a port-restricted-cone NAT, the restriction includes port numbers. An external host with a specified IP address and source port can send a packet to an internal host only if the internal host had previously sent a packet to that IP address and port.
Intra-Site Automatic Tunneling Addressing Protocol (ISATAP) Address
IPv6 can use an Intra-Site Automatic Tunneling Addressing Protocol (ISATAP) address to communicate between two nodes over an IPv4 intranet. An ISATAP address starts with a 64-bit unicast link-local, site-local, global, or 6to4 global prefix. The next 32 bits are the ISATAP identifier 0:5efe. The final 32 bits hold the IPv4 address in either dotted decimal or hexadecimal notation. An ISATAP address can incorporate either a public or a private IPv4 address. To identify an ISATAP address, look for 5efe followed by an IP address in either dotted decimal or hexadecimal format.
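The exam tip above asks you to recognize a compatibility address and recover the IPv4 address inside it. The following Python function is an added example, not from the book, that does this for the five address types described in this section (IPv4-compatible, IPv4-mapped, 6to4, Teredo, ISATAP) by inspecting the packed 128-bit value, which is the same procedure you would follow by hand with a calculator. All sample addresses in it are constructed except the book's headquarters Teredo address. One assumption beyond the text: besides the 0:5efe identifier the text describes, the function also accepts 200:5efe, the form RFC 5214 uses for ISATAP identifiers built from public IPv4 addresses. For a Teredo address it reports the server address from bits 32 to 63; the client address is XOR-obscured and needs the separate Teredo decode.

```python
import ipaddress


def _ipv4_at(raw: bytes, offset: int) -> str:
    """Read a dotted-decimal IPv4 address from four bytes of a packed IPv6 address."""
    return str(ipaddress.IPv4Address(raw[offset:offset + 4]))


def classify_transition_address(addr: str):
    """Return (kind, embedded_ipv4) for the compatibility address types in the
    text, or ("other", None) for an ordinary IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    raw = ip.packed  # 16 bytes, network byte order

    # IPv4-mapped ::ffff:w.x.y.z -> first 80 bits zero, then 16 one-bits.
    if raw[:10] == bytes(10) and raw[10:12] == b"\xff\xff":
        return "ipv4-mapped", _ipv4_at(raw, 12)

    # IPv4-compatible ::w.x.y.z -> first 96 bits zero (:: and ::1 are not addresses
    # of this kind, so exclude them).
    if raw[:12] == bytes(12) and int(ip) > 1:
        return "ipv4-compatible", _ipv4_at(raw, 12)

    # ISATAP: any 64-bit prefix, then the 0:5efe identifier (or RFC 5214's 200:5efe
    # for public IPv4), then the IPv4 address. Checked before 6to4 because the
    # text allows an ISATAP address to start with a 6to4 global prefix.
    if raw[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return "isatap", _ipv4_at(raw, 12)

    # 6to4: 2002:<IPv4 as two hextets>:: -> IPv4 sits in bits 16 to 47.
    if raw[:2] == b"\x20\x02":
        return "6to4", _ipv4_at(raw, 2)

    # Teredo: 2001::/32 prefix, Teredo server IPv4 in bits 32 to 63.
    if raw[:4] == b"\x20\x01\x00\x00":
        return "teredo", _ipv4_at(raw, 4)

    return "other", None


if __name__ == "__main__":
    # Constructed samples plus the headquarters Teredo address from the text.
    for sample in ("::ffff:10.0.0.11", "::10.0.0.11", "2002:836b:1::1",
                   "fe80::5efe:192.168.1.10", "2001:db8::5efe:10.0.0.11",
                   "2001::ce49:7601:e866:efff:f5ff:9bfe", "2001:db8::1"):
        kind, embedded = classify_transition_address(sample)
        print(f"{sample:40} {kind:16} {embedded}")
```

Note that 2001:db8::1 is classified as "other": only the exact 2001:0000::/32 prefix is Teredo, so the check compares all 32 prefix bits rather than just the leading 2001.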
Implementing IPv6-to-IPv4 Compatibility
You can implement IPv6-to-IPv4 compatibility by using the IPv6 tools Netsh interface ipv6 6to4, Netsh interface ipv6 isatap, and Netsh interface ipv6 add v6v4tunnel. For example, to create an IPv6-in-IPv4 tunnel between the local address 10.0.0.11 and the remote address 192.168.123.116 on an interface named Remote, you would enter netsh interface ipv6 add v6v4tunnel "remote" 10.0.0.11 192.168.123.116.
Note: Transition Technologies
The various methods of implementing IPv6-to-IPv4 compatibility are known as transition technologies.
Note: 6TO4CFG
Configuring IPv6 Connectivity
Windows Server 2008 provides tools that let you configure IPv6 interfaces and check IPv6 connectivity and routing. Tools also exist that implement and check IPv4-to-IPv6 compatibility.
In Windows 7, the standard command-line tools such as Ping, Ipconfig, Pathping, Tracert, Netstat, and Route have full IPv6 functionality. For example, Figure 6-22 shows the Ping command used to check a link-local IPv6 address on the Canberra computer. The IPv6 address on your computer is different. Note that if you were pinging from one host to another using link-local addresses, you would also need to include the interface ID (for example, ping fe80::d1ff:d166:7888:2fd6%12). Interface IDs are discussed later in this lesson. Note also that this command works because you are pinging a link-local address in the same computer. To ping between computers, you need to allow ICMPv6 traffic through each computer's firewall.
Note: Ping6
The Ping6 command-line tool is not supported in Windows 7.
Tools specific to IPv6 are provided in the Netsh command structure. For example, the netsh interface ipv6 show neighbors command shows the IPv6 interfaces of all hosts on the local subnet. You use this command in the practice later in this lesson, after you have configured IPv6 connectivity on a subnet.
Verifying IPv6 Configuration and Connectivity
If you are troubleshooting connectivity problems or merely want to check your configuration, arguably the most useful tool—and certainly one of the most used—is Ipconfig. If you enter ipconfig /all, this displays both IPv4 and IPv6 configuration. The output from this tool was shown in Figure 6-6.
If you want to display the configuration of only the IPv6 interfaces on the local computer, you can enter netsh interface ipv6 show address. Figure 6-23 shows the output of this command run on the Canberra computer. Note the % character followed by a number after
Figure 6-23 Displaying IPv6 addresses and interface IDs
Note: Network Connection Details Information Box
You can also find the IPv6 address of an interface by accessing the Network Connection Details information box. The procedure to do this is described in Lesson 3, and the information box is shown in Figure 6-38 in that lesson. However, the Network Connection Details information box does not show the interface ID.
If you are administering an enterprise network with a number of sites, you also need to know site IDs. You can obtain a site ID by entering the command netsh interface ipv6 show address level=verbose. Part of the output from this command is shown in Figure 6-24.
Configuring IPv6 Interfaces
Typically, most IPv6 addresses are configured through autoconfiguration or DHCPv6. However, if you need to manually configure an IPv6 address, you can use the Netsh interface ipv6 set address command, as in this example: netsh interface ipv6 set address "local area connection" fec0:0:0:ffee::2. You need to run the command prompt as an administrator to use this command. In Windows 7, you can also manually configure IPv6 addresses from the properties of the Internet Protocol Version 6 (TCP/IPv6) GUI. Figure 6-25 shows this configuration.
The advantage of using the TCP/IPv6 GUI is that you can specify the IPv6 addresses of one or more DNS servers in addition to specifying the interface address. If, however, you choose to use Command Line Interface (CLI) commands, the command to add IPv6 addresses of DNS servers is Netsh interface ipv6 add dnsserver, as in this example: netsh interface ipv6 add dnsserver "local area connection" fec0:0:0:ffee::ff. The command to add a default gateway is Netsh interface ipv6 add route followed by the metric (the order of preference if there are multiple routes), as in this example: netsh interface ipv6 add route ::/0 "local area connection" fec0:0:0:ffee::1.
To change the properties of IPv6 interfaces (but not their configuration), use the Netsh interface ipv6 set interface command, as in this example: netsh interface ipv6 set interface "local area connection" forwarding=enabled. You need to run the command prompt as an administrator to use any Netsh configuration commands.
More Info: Netsh
Netsh is an exceptionally powerful and versatile utility that enables you to carry out a very large number of configuration tasks through a command-line interface. For more information, see http://technet.microsoft.com/en-us/library/cc785383.aspx.
Quick Check
• What Netsh command lists site IDs?
Quick Check Answer
• netsh interface ipv6 show address level=verbose
Verifying IPv6 Connectivity
To verify connectivity on a local network, your first step should be to flush the neighbor cache, which stores recently resolved link-layer addresses and might give a false result if you are checking changes that involve address resolution. You can check the contents of the neighbor cache by entering netsh interface ipv6 show neighbors. Entering netsh interface ipv6 delete neighbors flushes the cache. You need to run the command prompt as an administrator to use these commands.
You can test connectivity to a local host on your subnet and to your default gateway by using the Ping command. Note that Windows Firewall blocks Ping commands by default, and you need to allow ICMPv6 packets through the firewalls of both computers before one can ping the other by its IPv4 address. You can add the interface ID to the IPv6 interface address to ensure that the address is configured on the correct interface. Figure 6-22 shows a Ping command using an IPv6 address and an interface ID.
To check connectivity to a host on a remote network, your first task should be to check and clear the destination cache, which stores next-hop IPv6 addresses for destinations. You can display the current contents of the destination cache by entering netsh interface ipv6 show destinationcache. To flush the destination cache, enter netsh interface ipv6 delete destinationcache. As before, these commands need administrator credentials.
Your next step is to check connectivity to the default router interface on your local subnet. This is your default gateway. You can identify the IPv6 address of your default router interface by using the Ipconfig, Netsh interface ipv6 show routes, or Route print command. You can also specify the zone ID, which is the interface ID for the default gateway on the interface on which you want the ICMPv6 Echo Request messages to be sent. When you have ensured that you can reach the default gateway on your local subnet, ping the remote host by its IPv6 address. Note that you cannot ping a remote host (or a router interface) by its link-local IPv6 address because link-local addresses are not routable.
If you can connect to the default gateway but cannot reach the remote destination address, trace the route to the remote destination by using the Tracert -d command followed by the destination IPv6 address. The -d command-line switch prevents the Tracert tool from performing a DNS reverse query on router interfaces in the routing path. This speeds up the display of the routing path. If you want more information about the routers in the path, and particularly if you want to verify router reliability, use the Pathping -d command, again followed by the destination IPv6 address.
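The verification steps above form one procedure: flush the neighbor and destination caches, confirm the default route, ping the gateway (with a zone ID if it is link-local), then ping the remote host and fall back to Tracert -d and Pathping -d when only the last step fails. The following Python script is an added example, not from the book, that encodes that order and its branching so the same sequence is run every time. It assumes a Windows 7 computer with the netsh, ping, tracert and pathping tools on the path and an elevated command prompt (the delete commands need it); the two addresses in the usage sample are constructed. The plan and the pre-checks are pure functions, so they can be inspected without running anything.

```python
import ipaddress
import platform
import subprocess


def validate_targets(gateway: str, remote: str) -> list:
    """Pre-checks drawn from the text: a link-local gateway needs a zone ID, and a
    remote host cannot be pinged by a link-local address (not routable)."""
    warnings = []
    gw_addr, _, gw_zone = gateway.partition("%")
    if ipaddress.IPv6Address(gw_addr).is_link_local and not gw_zone:
        warnings.append("gateway is link-local; append the interface (zone) ID, e.g. fe80::1%12")
    if ipaddress.IPv6Address(remote.partition("%")[0]).is_link_local:
        warnings.append("remote host given by a link-local address; link-local addresses are not routable")
    return warnings


def connectivity_plan(gateway: str, remote: str) -> list:
    """Ordered steps: (label, command, must_succeed). Only the pings can fail the run;
    the netsh steps are informational and their output is shown for inspection."""
    netsh = ["netsh", "interface", "ipv6"]
    return [
        ("flush neighbor cache",    netsh + ["delete", "neighbors"], False),
        ("show neighbor cache",     netsh + ["show", "neighbors"], False),
        ("flush destination cache", netsh + ["delete", "destinationcache"], False),
        ("show routes",             netsh + ["show", "route"], False),
        ("ping default gateway",    ["ping", "-n", "2", gateway], True),
        ("ping remote host",        ["ping", "-n", "2", remote], True),
    ]


def follow_up(failed_label: str, remote: str) -> list:
    """What the text prescribes after a failure: trace the path (without reverse DNS)
    only when the gateway answers but the remote host does not."""
    if failed_label == "ping remote host":
        return [["tracert", "-d", remote], ["pathping", "-d", remote]]
    return []  # gateway unreachable: a local link / firewall / zone-ID problem, tracing adds nothing


def run_plan(gateway: str, remote: str):
    """Execute the plan on Windows; returns the label of the failed step, or None."""
    if platform.system() != "Windows":
        raise RuntimeError("this procedure uses Windows netsh/ping/tracert/pathping")
    for warning in validate_targets(gateway, remote):
        print("warning:", warning)
    for label, cmd, must_succeed in connectivity_plan(gateway, remote):
        print(f"== {label}: {' '.join(cmd)}")
        rc = subprocess.run(cmd).returncode
        if must_succeed and rc != 0:
            print(f"{label} failed (exit code {rc})")
            for cmd in follow_up(label, remote):
                subprocess.run(cmd)
            return label
    return None


if __name__ == "__main__":
    # Constructed sample targets: a link-local gateway on interface 12 and a global remote host.
    run_plan("fe80::1%12", "2001:db8::10")
```

The exit-code check is deliberately conservative: Windows Ping returns a non-zero exit code when every echo request times out, but some unreachable replies still exit with 0, so read the printed Ping output as well as the script's verdict.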
Quick Check
• What Netsh command could you use to identify the IPv6 address of your default router interface?
Quick Check Answer
• netsh interface ipv6 show route
Troubleshooting Connectivity
If you cannot connect to a remote host, you first need to check the various hardware connections (wired and wireless) in your organization and ensure that all network devices are up and running. If these basic checks do not find the problem, the Internet Protocol Security (IPSec) configuration might not be properly configured, or firewall problems (such as incorrectly configured packet filters) might exist.
You can use the IP Security Policies Management console, shown in Figure 6-26, to check and configure IPSec policies, and the Windows Firewall With Advanced Security console (shown previously in Figures 6-11 and 6-12 in Lesson 1) to check and configure IPv6-based packet filters.