
IPv6: A larger, more secure Net

With many new technologies on the horizon, you need to prepare for the new version of the IP protocol. IPv6 is coming. Debra Shinder offers an informative look at this new version of the Net's most fundamental protocol.


Microsoft’s newest OSs, the Windows XP client and the .Net server family, include a number of improvements that take advantage of current and future technologies in order to make life easier for users and administrators.

One such improvement available in both OSs is built-in support for Internet Protocol version 6 (IPv6), also referred to as the next generation IP or IPng. This version of IP provides several advancements over the most-used IP version, IPv4. In this article, I'll give a brief overview of IPv6, discuss the features of Microsoft’s implementation, and show you how to install and configure the protocol as supported by XP and .Net.

What is it and why is it needed?
The global Internet and most medium-to-large private networks run on the TCP/IP protocol stack. The half of that team that works at the network layer is the Internet Protocol (IP).

The currently most-used version of IP, IPv4, is based on the assignment to each network interface of a 32-bit address, usually denoted in “dotted quad” decimal format; for example: 192.168.1.1.

The binary address
The decimal number 192.168.1.1 actually represents the binary address 11000000.10101000.00000001.00000001, but the decimal equivalent is generally easier for people to work with. Computers, of course, process all data in binary format.

As more and more nodes have joined the global network over the years, a flaw in IPv4 has become apparent. For IP addressing to work, every network device must have a unique address. When IPv4 was developed, the 32-bit address space provided more than enough unique addresses. However, today, the world is running out of available IP addresses.

Workaround for the address shortage
One way of dealing with this shortage of IP addresses is for private networks that connect to the Internet to use Network Address Translation (NAT). With NAT, one or a few public IP addresses that are visible to the Internet can be used to connect a large number of computers to the Internet.

NAT has some drawbacks, though. One of the most serious in today’s security-conscious environment is the fact that the IP Security protocol (IPSec) does not work through an address translator. Also, there are a number of application programs that will not work with NAT.
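One reason for the IPSec problem, shown as an added example that is not part of the original article: the IPsec Authentication Header computes its integrity check over the packet's source and destination addresses, so a translator that rewrites an address without holding the key invalidates the check. This is a simplified model; the key, the public and destination addresses, and the packet layout are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed value; stands in for the key negotiated for the security association.
KEY = b"constructed-shared-key"

def icv(src, dst, payload, key=KEY):
    """Integrity check value over both addresses plus payload (simplified AH model)."""
    msg = (ipaddress.ip_address(src).packed
           + ipaddress.ip_address(dst).packed
           + payload)
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]  # HMAC-SHA1, truncated to 96 bits

def send(src, dst, payload):
    """Sender builds the packet and signs it with the shared key."""
    return {"src": src, "dst": dst, "payload": payload,
            "icv": icv(src, dst, payload)}

def nat_translate(packet, public_src):
    """The translator rewrites the source address; it has no key, so the ICV stays as sent."""
    translated = dict(packet)
    translated["src"] = public_src
    return translated

def receive(packet):
    """Receiver recomputes the ICV from the addresses it actually sees."""
    expected = icv(packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(expected, packet["icv"])

if __name__ == "__main__":
    pkt = send("192.168.1.1", "198.51.100.20", b"hello")
    print("direct path accepted:", receive(pkt))
    print("through NAT accepted:", receive(nat_translate(pkt, "203.0.113.10")))
```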

NAT is a stopgap solution, not a permanent one. The number of computers and other devices connected to the Internet continues to grow at an amazing rate. Larger address space—which will allow for more addresses—is needed. That’s where IPv6 comes in.

What about IPv5?
IPv5 never existed. The version number "5" in the IP header was assigned to identify packets carrying an experimental, non-IP, real-time stream protocol called ST. ST was never widely used, but since the version number five had already been allocated, the new version of IP was given the number six. ST is described in RFC 1819.

Advantages of IPv6
IPv6 provides for a 128-bit address space, which will exponentially increase the number of available public IP addresses. However, IPv6 offers other improvements over IPv4:
  • It supports IPSec, for better security when sending data across a TCP/IP network.
  • It supports Quality of Service (QoS), for better transmission of real time, high-bandwidth applications such as videoconferencing and voice over IP.
  • It is more efficient; header overhead is minimized, and backbone routers require smaller routing tables.
  • Configuration is easier; both stateful addressing (where addresses are automatically assigned by a DHCP server) and stateless addressing (use of local-link autoconfiguration without DHCP) are supported.

Denoting IPv6 addresses
While IPv4 addresses are traditionally denoted in decimal format, the longer and more complex IPv6 addresses are expressed in hexadecimal format. A sample IPv6 address looks like this: 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A.

Each hexadecimal number, separated by colons, represents 16 bits (binary digits). Zeros at the beginning of a block can be omitted to simplify the address.
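Because leading zeros are optional, one address has several valid spellings, and a plain string comparison between a log entry and a filter rule can miss a match. The following added example (not from the original article) parses the notation and compares addresses by their 128-bit value; it goes beyond the text by also accepting the "::" shorthand for a run of zero blocks, and its function names are illustrative.

```python
import string

# Sample address from the article; other spellings used with it are constructed.
SAMPLE = "21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A"
HEX = set(string.hexdigits)

def parse_blocks(text):
    """Return the eight 16-bit blocks as integers.

    Accepts the '::' zero-run shorthand; does not handle embedded
    dotted-quad IPv4 or '%zone' suffixes.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        head = head.split(":") if head else []
        tail = tail.split(":") if tail else []
        if len(head) + len(tail) > 7:
            raise ValueError("'::' must stand for at least one block")
        blocks = head + ["0"] * (8 - len(head) - len(tail)) + tail
    else:
        blocks = text.split(":")
    if len(blocks) != 8:
        raise ValueError("expected 8 blocks, got %d" % len(blocks))
    for b in blocks:
        # Reject empty, over-long or non-hex blocks (int() alone would accept "0x3").
        if not (1 <= len(b) <= 4 and set(b) <= HEX):
            raise ValueError("bad block %r" % b)
    return [int(b, 16) for b in blocks]

def strip_leading_zeros(text):
    """The simplification the article describes, applied to every block."""
    return ":".join("%X" % g for g in parse_blocks(text))

def full_form(text):
    """Fixed-width spelling: four hex digits per block."""
    return ":".join("%04X" % g for g in parse_blocks(text))

def to_int(text):
    """128-bit value of the address, independent of how it was spelled."""
    value = 0
    for g in parse_blocks(text):
        value = (value << 16) | g
    return value

def same_address(a, b):
    """True when two spellings (e.g. a log entry and an ACL rule) match."""
    return to_int(a) == to_int(b)
```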

Characteristics of IPv6 addressing
Unlike those on IPv4 networks, computers on IPv6 networks generally have more than one IP address assigned to a single network interface. This is called logical multihoming.

IPv6 addresses fall into the following categories:
  • Unicast addresses, which are used to identify an individual network interface
  • Multicast addresses, which identify a group of network interfaces for simultaneously sending to many interfaces
  • Anycast addresses, which identify multiple interfaces but send the packet only to the nearest interface

Features of Microsoft's IPv6
IPv6 is an Internet standard, developed by the Internet Engineering Task Force (IETF). Microsoft’s implementation of IPv6 is based on these standards. Various aspects of IPv6 are laid out in a number of Request for Comment pages (RFCs), which are available on the IETF Web site. The IPv6 specification is contained in RFC 2460.

Microsoft’s IPv6 for Windows XP and .NET Server includes many useful features. Some of these include:
  • 4to6 and 4over6 tunneling for interoperability between IPv4 and IPv6 networks.
  • Anonymous global addresses for privacy when connected to the Internet.
  • Support for DNS name resolution using IPv4 DNS servers.
  • The ability to act as a static IPv6 router to forward IPv6 packets between two installed network interfaces.
  • Internet Explorer version 6 (included in Windows XP and .NET Server) and the telnet and FTP client programs included with the new Microsoft operating systems support IPv6 for connection to IPv6-enabled FTP, telnet, and Web servers.

IPv6 and IE 6 proxy servers
If IE 6 is configured to use a proxy server, you will not be able to access IPv6 Web sites unless the proxy server is IPv6 enabled.

For the most up-to-date information about IPv6, see Microsoft’s IPv6 support site.

IPv6 name resolution
For users to use “friendly names” (for example, URLs such as www.microsoft.com) instead of IP addresses for communicating on a network, there must be a mechanism by which the names are resolved (or matched) to their corresponding IP addresses, because computers process information in numerical form.

Hosts on the IPv6 network can be identified by nicknames (host names that use a flat namespace) or by hierarchical domain names. Name resolution is performed by the same methods used to resolve the name of IPv4 hosts. It can be either:
  • A HOSTS file stored in the systemroot\System32\Drivers\Etc directory on each computer’s hard disk with the addresses expressed in hexadecimal notation, as described previously.
  • A DNS server that has mapping records for IPv6 addresses. Because the DNS queries are sent using IPv4, the address of the DNS server entered in the computer’s TCP/IP properties configuration must be an IPv4 address.

How to install IPv6
IPv6 is installed as a networking protocol. The IPv6 command-line utility is used to install the protocol on an XP or .Net computer.

Follow this procedure to install IPv6:
  1. Click Start | Run.
  2. In the Run box, type ipv6 install.

Note that you cannot tell if IPv6 has been installed by checking the networking protocols on the properties sheet for the network interface because it will not be listed there.

To find out whether IPv6 is installed, use the ipv6 if command. If IPv6 is installed, this will display a list of IPv6 addresses assigned to each interface. To uninstall IPv6, use the ipv6 uninstall command.

How to configure IPv6
To configure an IPv6 address manually, you must first know the interface index for the interface you want to configure. This is a number that represents the interface. You can find this out using the ipv6 if command as described above.

At the command line, enter the following:
ipv6 adu <interface index number>/<address you want to assign>

There are a number of attributes you can configure for each interface, using various switches with the ipv6 command.

For example, if you want the packets received on the interface to be forwarded, use the /forwards switch. To turn off forwarding, use the /-forwards switch.

You can also set the maximum transmission unit (MTU) size (with the /mtu switch), enable or disable router advertisements on the interface (the /advertises or /-advertises switches), or configure a site identifier (the /site switch).

IPv6 diagnostic utilities
Most TCP/IP network administrators are familiar with the use of the ping utility to test connectivity on an IPv4 network. You can perform the same type of test on an IPv6 network with the ping6 utility.

The familiar tracert command also has an IPv6 counterpart, appropriately named tracert6, which is used to trace the routes of IPv6 packets.

Currently supported applications
The majority of applications supporting IPv6 belong to the Linux/UNIX space. As of this writing, that list looks like:

Chat software
  • UNIX IRC chat application—This is the first IPv6 version of this popular IRC client.
  • RAT and SDR—These two utilities—the audio tool, RAT, and session directory tool, SDR—are used in conferencing for an IPv6 network.

DNS
  • BIND 9.2.0—The new version of BIND uses A6 records to map a domain name to an IPv6 address and offers IPv6 transport of packets.
  • Totd—This lightweight DNS proxy nameserver supports IPv6.
  • IPv6 transport for BIND 8—A patch for BIND 8.2.3 that helps resolvers talk to nameservers using IPv6.

Firewalls
  • IPFilter—Download this software package that supports IPv6 filtering.
  • IPFW—This IPv6-aware IPFW tool is included within the FreeBSD 4.0 release.

FTP
  • LFTP—This FTP client supports IPv6.
  • NcFTP (Windows)—This is a robust IPv6 FTP client for Windows.
  • NcFTP (BSD)—This is a robust IPv6 FTP client for BSD.

Games
  • Quakeforge—A FreeBSD port of Quakeforge is available that's IPv6-aware.

IPsec
  • IPv6 FreeS/WAN for Linux—Download this prototype IPsec implementation that was developed by IABG as part of the 6INIT project.
  • IPv6 IPsec in KAME—KAME IPv6 supports IPsec with Racoon.

Mail
  • Exim—This mail transfer agent offers built-in IPv6 support.
  • Qmail—IPv6 support is available through the v1.03 patch by Kazunori Fujiwara.
  • Public Sendmail—Version 8.10 of this mail product officially supports IPv6.
  • WIDE Sendmail—Version 8.9.1 of this popular Sendmail tool supports IPv6.
  • Fetchmail—This mail utility supports both IPv6 and IPsec.

Mobile IPv6
  • MIPL Mobile IPv6 for Linux—Developed at HUT software project in Finland, it's freely available under GPL.

Monitoring tools
  • ASpath-tree—Use this tool on an IPv6 site to monitor BGP4+ routing.
  • COLD—Download this free IPv6-aware packet sniffer.

News
  • INN v2.3.2—Download this IPv6 patch from the Japanese NORTH site.
  • IPv6 socket 1.1—Here's a simple and useful example of Advanced Socket API programming that's IPv6 aware.

Web servers and clients
  • Apache (Linux)—This release of the Apache Web server for Linux has built-in IPv6 support.
  • Apache (BSD)—The Apache Web server for BSD offers built-in IPv6 support.
  • Apache 2.0.x—This beta code of Apache 2.0 supports IPv6.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...
