IPv6

From Braindump
Revision as of 12:11, 3 June 2025 by Jan (talk | contribs)

OSI

Open Systems Interconnection (OSI) was a joint work group of ISO and the ITU-T (formerly CCITT). OSI consists of a reference model and a set of protocols.

ITU-T publishes the OSI model and protocols in Series X, Data networks and open system communications. The OSI model is defined in X.200.

ISO publishes the same as ISO/IEC 7498:

  • Part 1: The Basic Model
  • Part 2: Security Architecture
  • Part 3: Naming and addressing
  • Part 4: Management framework

The OSI protocols were designed as telecom-grade data networks by the national standardization organizations participating in ISO and by the national telecommunications bodies. The result of the many standardization meetings, created over many years by committee, was cumbersome and complicated. As a movement towards simpler network stacks during the protocol wars, IPv4 was published as RFC 791 in 1981 (before the IETF itself was formed in 1986) and is now IETF STD 5. RFCs, by contrast, are written by a small team of experts with input from IETF members, with much greater emphasis on working implementations than on committee consensus.

Ethernet

Gigabit Ethernet (1 Gbit/s, IEEE 802.3z for fibre and 802.3ab for twisted pair) consists of a MAC that talks to a PHY over the (G)MII interface.

The 1000BASE-T PHY uses all 4 cable pairs, each at a symbol rate of 125 MBaud with PAM-5 modulation, i.e. 5 differential voltage levels per pair, sending and receiving on every pair at the same time. (1000BASE-TX is a different, rarely used 2-pair variant.)

Hardware addresses for Ethernet, Wifi and Bluetooth are 6 byte MAC addresses (EUI-48)

The first 3 bytes (OUI) are the Vendor identifier

https://www.rfc-editor.org/rfc/rfc4291.html#appendix-A

An EUI-48 is expanded to a modified EUI-64 by inserting FF:FE between the OUI and the device part and inverting the universal/local bit, which is the 7th bit from the left of the first byte (value 0x02). The first byte is therefore XORed with 0x02, so 00 becomes 02 and 7E becomes 7C; in modified EUI-64 a 1 in that position means "globally unique".

  |00            15|16            31|32            47|
  +----------------+----------------+----------------+
  |cccccc0gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|
  +----------------+----------------+----------------+
  |00            15|16            31|32            47|48            63|
  +----------------+----------------+----------------+----------------+
  |cccccc1gcccccccc|cccccccc11111111|11111110mmmmmmmm|mmmmmmmmmmmmmmmm|
  +----------------+----------------+----------------+----------------+

A network interface normally accepts only frames sent to its own unicast MAC address, to the broadcast address (ff:ff:ff:ff:ff:ff) and to multicast groups it has joined; everything else is dropped in hardware.

| Preamble | SFD    | MAC destination | MAC source | 802.1Q tag (optional) | Ethertype or length | Payload      | Frame check sequence | Interpacket gap (IPG) |
| 7 byte   | 1 byte | 6 byte          | 6 byte     | 4 byte                | 2 byte              | 46-1500 byte | 4 byte CRC           | 12 byte               |

Most interfaces can also be put into promiscuous mode, in which they pass up every frame that reaches them regardless of destination MAC. This is how a sniffer sees other hosts' traffic; on a switched network it only sees what the switch forwards to that port (broadcast, multicast, flooded unknown-unicast and the port's own traffic) unless a mirror/SPAN port is used.

IPv4

IPv4 uses ARP to map between IP addresses and hardware addresses; learned mappings are cached in the ARP table. IPv6 does the same job with Neighbor Discovery over ICMPv6 multicast instead of ARP broadcast.

IPv4 is a network protocol on layer 3. It runs over a layer 2 link (e.g. Ethernet) and provides its service to a layer 4 transport protocol (e.g. TCP or UDP; ICMP also rides directly on IP but is a control protocol for layer 3 itself).

An IPv4 address is 4 byte long (32 bits) and it is split into a network and a host part. The netmask defines how many bits are used for the network and how many for the hosts.

An IPv4 address can be written in hexadecimal like 0A.00.00.01 or in decimal dot notation like 10.0.0.1

An IPv6 address is 16 bytes long (128 bits).

IPv6 addresses use hexadecimal colon notation: FE80::1, where :: stands for one run of all-zero groups and may appear only once in an address.

IPv4 interfaces traditionally had one address each, with extra addresses configured as aliases (eth0:1); modern stacks simply allow several addresses per interface.

An IPv6 interface always has a link-local address (FE80::/10) and usually several others: a stable global address (SLAAC, DHCPv6 or static) and temporary privacy addresses (RFC 8981) that are rotated regularly and used as the source of outgoing connections.

IP nodes reach other nodes in the same network directly and reach other networks through a gateway, a router that is connected to both networks and has an IP address in each of them.

Hosts are in the same network when the network part of their addresses is identical; the host part must be unique inside that network.

IP routing is hop by hop: an IP packet is forwarded from one router to the next, each one deciding independently where to send it.

Every host has a route table that maps destination networks to an outgoing interface and, for networks that are not directly attached, to a next-hop gateway.

The host may have a default route (0.0.0.0/0 or ::/0) that matches every destination and points at the next hop for "everything else".

Route lookup always picks the route with the longest matching prefix; when several routes have the same prefix length, the one with the lowest metric (priority) wins. The default route has prefix length 0, so it only applies when nothing more specific matches.
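The lookup rule above in code, as an added example that is not from the original page: a toy route table for both address families (constructed entries, modelled on what `ip route` shows) and a lookup that picks the longest matching prefix and breaks ties by metric.

```python
# Added example (not from the page): longest-prefix-match route lookup.
# The route table is constructed for illustration, modelled on `ip route`.
import ipaddress
from typing import List, NamedTuple, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Route(NamedTuple):
    prefix: Network       # destination network this route covers
    via: Optional[str]    # next-hop gateway, None when the network is directly attached
    dev: str              # outgoing interface
    metric: int = 0       # tie-breaker among routes with the same prefix length


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the best route for dst: longest prefix first, lowest metric on ties."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table
                  if r.prefix.version == addr.version and addr in r.prefix]
    if not candidates:
        return None  # no route, not even a default route for this address family
    # max() over (prefixlen, -metric): longer prefix wins, then smaller metric
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def next_hop(table: List[Route], dst: str) -> str:
    """Human-readable forwarding decision, like the output of `ip route get`."""
    r = lookup(table, dst)
    if r is None:
        return "unreachable"
    return f"{r.via or 'on-link'} dev {r.dev}"


def n(s: str) -> Network:
    return ipaddress.ip_network(s)


# Constructed table: a default route, an aggregate /8, two competing /24 routes
# with different metrics, and the IPv6 equivalents.
TABLE = [
    Route(n("0.0.0.0/0"), "10.0.0.1", "eth0", 100),
    Route(n("10.0.0.0/8"), None, "eth0"),
    Route(n("10.0.1.0/24"), "10.0.0.254", "eth0", 0),
    Route(n("10.0.1.0/24"), "10.0.0.253", "eth1", 50),
    Route(n("::/0"), "fe80::1", "eth0", 1024),
    Route(n("2001:db8:1::/64"), None, "eth0"),
    Route(n("fe80::/64"), None, "eth0"),
]

if __name__ == "__main__":
    for dst in ("10.0.1.5", "10.2.3.4", "8.8.8.8", "2001:db8:1::10", "2001:db8:2::10"):
        print(dst, "->", next_hop(TABLE, dst))
```

10.0.1.5 matches the /8, both /24 routes and the default route; the /24 wins on length and the metric 0 entry wins among the two /24s. An address with no matching route at all, such as a 192.168.x.x destination on a table without a default route, is reported unreachable rather than silently sent somewhere.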

IPv4 has to use NAT to share one public address: the NAT gateway tracks each connection in a table and rewrites the IP addresses and the TCP or UDP ports of every packet that belongs to a tracked connection.

NAT is a workaround to use one public IP address for a group of computers. The tradeoff is that every incoming and outgoing TCP/IP and UDP/IP packet needs to be rewritten, protocols that embed addresses in their payload (FTP, SIP) need helpers, and the tracking table is per-connection state that can be exhausted.

NAT behaves like a firewall only as a side effect: there is no table entry for a connection initiated from the outside, so the packet cannot be translated and is dropped. It is no substitute for a stateful firewall.

In IPv6 the same effect needs no address rewriting: a single stateful firewall rule that allows inbound packets only for established or related connections and drops other new inbound connections gives the same protection while every host keeps its own global address.

Binary and Hex

Decimal has 10 digits (0-9). Hexadecimal has 16: the digits 0-9 and then A, B, C, D, E, F. Computers count in binary, where each bit is 0 or 1; a group of 4 bits (a nibble) maps to exactly one hex digit, so every byte is two hex digits.

BIN            DEC   HEX   size
0000           0     0     bit
0001           1     1     bit
0010           2     2
0011           3     3
0100           4     4
0101           5     5
0110           6     6
0111           7     7
1000           8     8
1001           9     9
1010           10    A
1011           11    B
1100           12    C
1101           13    D
1110           14    E
1111           15    F     nibble (4 bits)
0001_0000      16    10
0001_0001      17    11
0111_1111      127   7F
1000_0000      128   80
1111_1111      255   FF    byte (8 bits)
1_0000_0000    256   100
1_1111_1111    511   1FF
10_0000_0000   512   200
11_1111_1111   1023  3FF
100_0000_0000  1024  400   kilo (2^10, 1 KiB when counting bytes)

Two hex characters together make one byte: 1000 0000 is 0x80 (128) and 1111 1111 is 0xFF (255).

IPv6 Addresses

IPv6 addresses are 128 bits long, written as eight groups of 16 bits (4 hex digits each) separated by colons. Leading zeros in a group may be dropped and one run of all-zero groups may be replaced by two colons, so ::1 is the loopback address ("own host"), i.e. 0000:0000:0000:0000:0000:0000:0000:0001.

Mask

The mask says how many bits belong to the network part; routing works on the network part, the rest is the interface identifier (host part).

FE80::/10 is link-local, used for communication on the local link only (including Neighbor Discovery and router advertisements).

FF00::/8 is multicast; the second byte carries flags and scope, e.g. FF01::/16 interface-local and FF02::/16 link-local (FF02::1 all nodes, FF02::2 all routers). A multicast packet is delivered to every member of the group. "The network decides which instance is closest" is anycast, which uses ordinary unicast addresses assigned to several nodes.

2000::/3 is global unicast (everything from 2000:: up to 3FFF:...); 2001::/16 is one block inside it, and 2001:db8::/32 within that is reserved for documentation.

Each interface has one or more addresses. Every interface gets a fe80:: link-local address, which is not routable outside the link scope.

fe80::7c0e:e6ff:fe7b:40f0/64
fe80::/64 is the link-local prefix
7c0e:e6ff:fe7b:40f0 is the interface identifier: an EUI-48 MAC made into a modified EUI-64 by inserting ff:fe in the middle and inverting the u/l bit (here 0x7c, so the MAC started with 0x7e)
RFC 8064 recommends not deriving the identifier from the MAC at all but generating a stable, per-prefix hash (RFC 7217), so a host cannot be tracked across networks by its MAC
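Both the EUI-48 to EUI-64 translation from the Ethernet section and the link-local address above, worked in code. This is an added example and not from the page: it builds the modified EUI-64 interface identifier from a MAC, recovers the MAC from such an address, and generates a stable per-prefix identifier in the style of RFC 7217 as recommended by RFC 8064. The choice of HMAC-SHA256 as the pseudo-random function, the secret key and the interface names are this example's assumptions; the RFCs leave the function to the implementation.

```python
# Added example (not from the page): IPv6 interface identifiers.
# - modified EUI-64 from an EUI-48 MAC (RFC 4291 Appendix A) and back
# - stable, privacy-preserving IID in the style of RFC 7217 (RFC 8064)
# HMAC-SHA256 as the PRF, the secret key and the interface names are this
# example's assumptions; the RFCs leave the PRF to the implementation.
import hashlib
import hmac
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """Insert ff:fe between OUI and device part, invert the u/l bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02   # in modified EUI-64 a 1 here means "globally unique"
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 followed by the EUI-64 interface identifier."""
    iid = mac_to_modified_eui64(mac)
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the IID looks EUI-64 derived (ff:fe in the middle), else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def stable_iid(prefix: str, net_iface: str, secret_key: bytes,
               network_id: bytes = b"", dad_counter: int = 0) -> bytes:
    """RFC 7217: F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key), 64 bits.

    Same host, same prefix -> same address across reboots; different prefix ->
    unrelated address, so the host cannot be correlated between networks.
    dad_counter is bumped by the caller when Duplicate Address Detection fails.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    msg = (net.network_address.packed[:8] + net_iface.encode()
           + network_id + dad_counter.to_bytes(4, "big"))
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def stable_address(prefix: str, net_iface: str, secret_key: bytes,
                   dad_counter: int = 0) -> str:
    """Prefix (first 64 bits) followed by the RFC 7217 style identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = stable_iid(prefix, net_iface, secret_key, dad_counter=dad_counter)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


if __name__ == "__main__":
    # constructed MACs; the second one reproduces the fe80 address from the notes
    for mac in ("00:25:96:12:34:56", "7e:0e:e6:7b:40:f0"):
        print(mac, "->", link_local_from_mac(mac))
    key = b"per-host secret, generated once and kept"   # assumption
    print(stable_address("2001:db8:1::/64", "eth0", key))
    print(stable_address("2001:db8:2::/64", "eth0", key))
```

The reverse mapping is the privacy problem in one function: any EUI-64 derived address reveals the MAC, and with it the vendor and a host identifier that stays the same on every network. The RFC 7217 style address changes with the prefix but is reproducible for the same prefix, which is what you want for DNS entries and firewall rules.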

The gateway gets a prefix from the provider. Global address starts with 2001, the provider is abcd, the subnet is efg0, the

2001:db8:efg0:1234::1/128
bits 0-15 (2001): inside 2000::/3, so global unicast
bits 16-31 (0db8): 2001:db8::/32 is the documentation prefix (RFC 3849); in a real address these bits identify the provider's allocation
bits 32-47 (efg0, a placeholder, g is not a hex digit): the part the provider delegates to the customer site, typically as a /48 or, with fewer bits to subdivide, a /56
bits 48-63 (1234): subnet-id, the bits the end user has left to split the site into /64 networks
bits 64-127 (::1): interface identifier; a single address is written with /128

Scope

%5: a link-local address is only meaningful together with the interface (zone) it belongs to, because every link has its own fe80::/64. The zone is appended after a percent sign: fe80::1%5 (interface index 5, Windows and Linux) or fe80::1%eth0 (interface name, Linux/BSD). Global addresses do not need a zone.

clients

Google Android does not support DHCPv6 for addresses. It must use SLAAC, which requires the advertised prefix to be a /64 so that the host can append a 64-bit interface identifier (EUI-64 based or, more commonly, a random or stable one).

OPNsense - WAN IPv6 DHCP Client: Request Prefix-only - LAN IPv6: Track Interface WAN, Prefix-ID 0x0

IPv6 Prefix ID

Manual configuration V

DUID

The DHCPv6 client identifier is the DUID, not the MAC; the server's leases and reservations are keyed on it, so it has to stay stable across reboots. On Ubuntu with systemd-networkd the DUID is derived from /etc/machine-id by default (DUIDType=vendor), so cloned VMs that share a machine-id collide.

https://askubuntu.com/questions/1198955/how-can-i-change-my-ubuntus-ipv6-duid

https://man7.org/linux/man-pages/man5/machine-id.5.html


DHCPv6 configured, range: a000 - ::f000

/usr/local/sbin/radvd -p /var/run/radvd.pid -C /var/etc/radvd.conf -m syslog

/var/etc/radvd.conf is generated by OPNsense from the tracked prefix; the relevant loop in the generator is:

       foreach ($stanzas as $stanza) {
           $radvdconf .= "#\tprefix {$stanza} {\n";   // original prefix kept as a comment
           $stanza = strtok($stanza, '/');            // drop everything from the '/' on, i.e. the mask
           $stanza = $stanza."/64";                   // and force /64, whatever the mask was
           $radvdconf .= "\tprefix {$stanza} {\n";

The stanza should have had the Prefix-ID applied to make a proper /64. Stripping the mask and appending /64 just truncates a /56 or /48 delegation to its first /64, which is only right when the Prefix-ID is 0x0.


https://github.com/opnsense/docs/blob/master/source/manual/ipv6.rst

https://github.com/opnsense/docs/blob/master/source/manual/radvd.rst

src/etc/inc/plugins.inc.d/dhcpd.inc

   list (, $networkv6) = interfaces_primary_address6($dhcpv6if, $ifconfig_details);
   if (is_subnetv6($networkv6)) {
       $stanzas[] = $networkv6;
   }
   $stanzas[] = "{$subnetv6}/{$vip['subnet_bits']}";

https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/dhcpd.inc#L353

Add If statement to replace prefix to /64
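The fix the note above asks for, as an added example (Python, not OPNsense's PHP): derive the /64 from a delegated prefix and a Prefix-ID, next to the truncation the strtok() code performs. The prefixes are constructed documentation values.

```python
# Added example (not OPNsense code): pick the /64 to advertise from a delegated
# prefix and a Prefix-ID, next to the truncation the strtok() snippet performs.
# Prefixes are constructed documentation values.
import ipaddress


def truncate_to_64(prefix: str) -> str:
    """What strtok($stanza, '/') . '/64' does: drop the mask and force /64.

    Only correct when the Prefix-ID is 0x0: any other subnet of the delegation
    is silently replaced by its first /64.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Network((int(net.network_address), 64)))


def subnet_from_prefix_id(delegated: str, prefix_id: int) -> str:
    """Select subnet number prefix_id inside the delegated prefix as a /64."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    if net.prefixlen > 64:
        raise ValueError(f"{delegated}: delegation longer than /64, SLAAC needs a /64")
    free_bits = 64 - net.prefixlen                    # bits between delegation and /64
    if not 0 <= prefix_id < (1 << free_bits):
        raise ValueError(f"Prefix-ID {prefix_id:#x} does not fit in the "
                         f"{free_bits} subnet bits of {delegated}")
    # the subnet bits sit directly above the 64-bit interface identifier
    base = int(net.network_address) | (prefix_id << 64)
    return str(ipaddress.IPv6Network((base, 64)))


if __name__ == "__main__":
    delegated = "2001:db8:ab00::/56"
    for pid in (0x0, 0x5, 0xff):
        print(f"{delegated} + Prefix-ID {pid:#x}: "
              f"correct {subnet_from_prefix_id(delegated, pid)}, "
              f"truncated {truncate_to_64(delegated)}")
```

With a /56 delegation there are 8 subnet bits, so Prefix-IDs 0x0 to 0xff are valid and 0x100 is rejected instead of silently overflowing into the provider's part of the prefix; the truncating version returns the same /64 for every Prefix-ID.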


IPv6

An IPv6 host needs three things configured: an address, routes (at least a default router) and DNS servers. They come from one of two mechanisms, selected by flags in the Router Advertisement (RA):

DHCPv6: a server hands out addresses and/or other parameters (DNS, NTP, domain search list).

SLAAC: the host builds its own address from an advertised prefix; the default router is learned from the RA itself.

M Managed address configuration flag in the RA header: addresses are available via DHCPv6.

O Other configuration flag in the RA header: use (stateless) DHCPv6 for other parameters such as DNS, but not for addresses.

A Autonomous flag in the Prefix Information option: the host may form addresses from this prefix with SLAAC (EUI-64 based, or stable/privacy interface identifiers).

For SLAAC the advertised prefix must be /64, because the interface identifier is always 64 bits; a host ignores an A-flagged prefix of any other length. Any host on the link can send RAs, so on untrusted segments they should be filtered at the switch (RA Guard, RFC 6105).
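The RA flags above as bytes on the wire. This is an added example and not from the page: it builds an ICMPv6 Router Advertisement with a Prefix Information option and an RDNSS option, including the pseudo-header checksum, and decodes it the way a host does, marking which prefixes SLAAC may use. All addresses are constructed documentation values.

```python
# Added example (not from the page): build and decode an ICMPv6 Router
# Advertisement (RFC 4861) with a Prefix Information option and an RDNSS
# option (RFC 8106). Addresses are constructed documentation values.
import ipaddress
import struct
from typing import Dict, List, Tuple

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
RA_FLAG_M = 0x80    # Managed: addresses via DHCPv6
RA_FLAG_O = 0x40    # Other: DNS etc. via DHCPv6
PIO_FLAG_L = 0x80   # prefix is on-link
PIO_FLAG_A = 0x40   # Autonomous: hosts may form SLAAC addresses from it


def icmpv6_checksum(src: str, dst: str, payload: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header (RFC 8200 8.1) + ICMPv6."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(payload), 58))   # 58 = ICMPv6 next header
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src: str, dst: str, flags: int,
             prefixes: List[Tuple[str, int, int, int]], dns: List[str],
             router_lifetime: int = 1800) -> bytes:
    """prefixes: (network, PIO flags, valid lifetime, preferred lifetime) in seconds."""
    # type, code, checksum (0 for now), cur hop limit, M/O flags, router lifetime,
    # reachable time, retrans timer
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                       router_lifetime, 0, 0)
    for net_str, pflags, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(net_str, strict=False)
        body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                            valid, preferred, 0) + net.network_address.packed
    if dns:
        # option length is in units of 8 bytes: 8-byte header + 16 bytes per address
        body += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, router_lifetime)
        body += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def parse_ra(pkt: bytes) -> Dict:
    """Decode an RA the way a host does, marking prefixes SLAAC may use."""
    typ, code, _csum, _hop, flags, rlt, _reach, _retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & RA_FLAG_M), "other": bool(flags & RA_FLAG_O),
          "router_lifetime": rlt, "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("option length 0, packet must be discarded (RFC 4861 4.6)")
        opt = pkt[off:off + olen * 8]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            prefix = ipaddress.IPv6Network((opt[16:32], plen), strict=False)
            autonomous = bool(pflags & PIO_FLAG_A)
            ra["prefixes"].append({
                "prefix": str(prefix), "on_link": bool(pflags & PIO_FLAG_L),
                "autonomous": autonomous, "valid": valid, "preferred": preferred,
                # RFC 4862 5.5.3: prefix length + 64-bit IID must equal 128
                "slaac_usable": autonomous and plen == 64,
            })
        elif otype == OPT_RDNSS:
            for i in range(8, olen * 8, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(opt[i:i + 16])))
        off += olen * 8   # unknown options are skipped, as RFC 4861 requires
    return ra


# Constructed RA: router fe80::1 to all nodes, O flag set (DNS via stateless
# DHCPv6), one /64 SLAAC can use and one /56 it has to ignore.
SAMPLE_RA = build_ra(
    "fe80::1", "ff02::1", RA_FLAG_O,
    [("2001:db8:ab00:5::/64", PIO_FLAG_L | PIO_FLAG_A, 86400, 14400),
     ("2001:db8:ab00::/56", PIO_FLAG_A, 86400, 14400)],
    ["2001:db8:ab00:5::53"],
)

if __name__ == "__main__":
    print(parse_ra(SAMPLE_RA))
```

The /56 prefix carries the A flag but is not a /64, so a host discards it for address configuration, which is exactly the failure mode of the truncated radvd stanza above seen from the client side. The checksum is computed over the pseudo-header with the source and destination addresses, so the same RA bytes are invalid when replayed from another link-local source.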