Cisco Blogs

IPv6 MTU Gotchas and other ICMP issues

From my home network, I can successfully ping or traceroute some IPv6 hosts, but I cannot then open a web page or use other applications with them.  How can this be?  Maximum Transmission Unit (MTU) gotchas…

HISTORY

There is a subtle difference between IPv4 and IPv6 fragmentation strategies. IPv4 routers fragment traffic in the network when needed and the receiving host reassembles those fragments.  This generally works well, but it has a number of drawbacks: fragmentation and reassembly cost router and host resources, and losing a single fragment discards the whole datagram.  Because of these issues, the IETF developed Path MTU Discovery, a means for higher-layer protocols such as TCP to determine the smallest MTU on a path and send appropriately sized datagrams in order to avoid fragmentation. The IPv6 designers presumed the presence of Path MTU Discovery, so in IPv6 fragmentation no longer happens in the network but only at the sending host, and then only in the cases that absolutely require it.  The catch is that Path MTU Discovery depends on ICMPv6 Packet Too Big messages getting back to the sender: a firewall that drops all ICMPv6 lets a small ping through but turns every full-sized packet into a silent black hole.
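The black hole described above, as an added toy model that is not part of the original post: a sender doing Path MTU Discovery across a constructed path (home gateway, a 1480-byte 6in4 tunnel, transit). Routers never fragment; the hop whose link is too small drops the packet and returns a Packet Too Big (PTB). When the gateway filters all ICMPv6, a 64-byte ping is delivered but a full-sized 1500-byte segment is retransmitted into the void. The hop names and MTUs are assumptions for illustration.

```python
"""Toy model of IPv6 Path MTU Discovery (PMTUD) and the black hole that
appears when ICMPv6 Packet Too Big (PTB) messages are filtered.
Added example; the hops and MTUs below are constructed, not measured."""

from dataclasses import dataclass, field

IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this (RFC 8200)


@dataclass
class Hop:
    name: str
    mtu: int                      # MTU of the link leaving this hop
    filters_icmpv6: bool = False  # hop drops ICMPv6 passing back toward the sender


@dataclass
class Sender:
    """A host doing PMTUD: starts at its own link MTU, shrinks on each PTB."""
    path_mtu: int = 1500
    ptb_log: list = field(default_factory=list)

    def on_packet_too_big(self, reported_mtu: int) -> None:
        self.ptb_log.append(reported_mtu)
        # Shrink, but never below the IPv6 minimum: a PTB advertising less
        # than 1280 must not make the sender use a smaller MTU (RFC 8201).
        self.path_mtu = max(IPV6_MIN_MTU, min(self.path_mtu, reported_mtu))


def forward(path, size):
    """IPv6 routers never fragment: the first hop whose link is too small
    drops the packet and emits a PTB.  Returns ('delivered', None) or
    ('too_big', index_of_dropping_hop)."""
    for i, hop in enumerate(path):
        if size > hop.mtu:
            return "too_big", i
    return "delivered", None


def ptb_reaches_sender(path, dropping_hop):
    """The PTB travels back through every hop before the one that dropped
    the packet; a firewall there that blocks all ICMPv6 eats it."""
    return not any(h.filters_icmpv6 for h in path[:dropping_hop])


def send(sender, path, payload, attempts=4):
    """Deliver `payload` bytes, sizing each packet to the current path MTU
    and retrying after a PTB.  Returns (delivered, final_path_mtu)."""
    for _ in range(attempts):
        status, idx = forward(path, min(payload, sender.path_mtu))
        if status == "delivered":
            return True, sender.path_mtu
        if ptb_reaches_sender(path, idx):
            sender.on_packet_too_big(path[idx].mtu)
        # else: silently black-holed; the sender just retransmits the same size
    return False, sender.path_mtu


def scenario(gateway_filters_icmpv6):
    """Constructed path: home gateway -> ISP 6in4 tunnel (1480) -> transit.
    Returns (ping_ok, web_ok, path_mtu_learned)."""
    path = [Hop("home-gateway", 1500, filters_icmpv6=gateway_filters_icmpv6),
            Hop("isp-6in4-tunnel", 1480),
            Hop("transit", 1500)]
    sender = Sender(path_mtu=1500)
    ping_ok, _ = send(sender, path, 64)       # small echo request fits anywhere
    web_ok, mtu = send(sender, path, 1500)    # full-sized TCP segment of a web page
    return ping_ok, web_ok, mtu


if __name__ == "__main__":
    print("ICMPv6 filtered:", scenario(True))   # (True, False, 1500): ping works, web hangs
    print("ICMPv6 allowed: ", scenario(False))  # (True, True, 1480)
```

The model clamps at 1280 on purpose: a PTB that reports a smaller MTU must not drive the sender below the IPv6 minimum, which is also a useful sanity check against forged PTB messages.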

IPv6 Addressing

In the previous installment of our series of IPv6 posts, we covered some of the ways ICMP has changed in IPv6 compared to IPv4. In this post, we’ll talk about how addressing has changed in IPv6 compared to IPv4.

While IPv4 addresses are 32 bits long, the IPv6 address space has been extended to 128 bits, which makes it virtually impossible to remember the numeric representation of the address for a given host. This will definitely lead to more reliance on DNS. It will be difficult to operate even very simple test networks without relying on DNS to resolve host names to IPv6 addresses. Because of this, more attacks will be targeted against your DNS servers, and making sure your DNS configuration and servers are secure becomes even more important in IPv6. DNS will also be targeted by attackers attempting to locate systems on the network by resolving “common host names,” since exhaustively scanning a remote IPv6 network is impractical: a single /64 subnet holds 2^64 addresses.

Disable IPv6: Don’t do it!

Most people already have IPv6 capability whether they know it or not.  All Microsoft operating systems from Windows Vista onward and all Mac OS X releases since 10.2 have IPv6 installed and enabled by default.  Mobile devices running Android 2.1, Apple iOS 4.0 and Symbian 7.0 are configured likewise, as is nearly every *nix variant you can name.  Even the venerable and ubiquitous Windows XP has a latent IPv6 stack that can be activated with a single command.

Typically, IPv6-enabled systems will prefer IPv6 connections over IPv4, so a misconfigured or malfunctioning IPv6 network will cause connectivity problems.  Many popular troubleshooting regimens simply prescribe disabling IPv6 as the “solution,” which does nothing more than hide the underlying problem with the IPv6 network.  When you have a network problem that is “solved” by disabling IPv6, you have masked the symptom of a bigger problem that warrants further investigation.

IPv6 and DNS – Getting your DNS infrastructure ready for IPv6

You can make your named network services available via IPv6 with a few simple steps.  First, your DNS server or DNS service provider should hand out AAAA records (pronounced “quad-A”) that map hostnames to IPv6 addresses.  Second, you should provide PTR records under ip6.arpa to allow IPv6 reverse DNS (rDNS) lookups.  Finally, you should take steps to make the DNS server itself reachable via IPv6: an AAAA record for the name server and a listener bound to its IPv6 address.

Set up your DNS server to start serving AAAA records

To allow resolution of hostnames to IPv6 addresses, your DNS server must respond to requests for AAAA records.  Adding AAAA records to your forward zones will enable clients with IPv6 connectivity to learn the IPv6 addresses of your resources. Be aware that there is a small risk: if a requesting client is among the minority with broken IPv6 connectivity, its attempts to use the IPv6 address can time out and your website can appear to be down.  Some companies use DNS whitelisting, returning AAAA records only to resolvers known to have working IPv6, to mitigate such issues, but there are concerns around that approach.
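The three steps above (AAAA records, ip6.arpa PTR records, and a record for the name server itself) as an added example that is not part of the original post or of any DNS product: it generates the forward and reverse records for a constructed host inventory. The hostnames, the 2001:db8::/32 documentation prefix and the TTL are assumptions. The reverse name is the fully expanded address written as 32 hex nibbles, reversed and dot-separated, and the reverse zone you create for a delegated prefix cuts on a nibble boundary.

```python
"""Generate AAAA and ip6.arpa PTR records for IPv6 hosts.
Added example; the inventory below is constructed (2001:db8::/32 is the
documentation prefix) and example.com is the reserved example domain."""

import ipaddress

TTL = 3600

# Constructed sample inventory, not real hosts.  ns1 is the name server
# itself, which needs its own AAAA so the server is reachable over IPv6.
HOSTS = {
    "www.example.com.": "2001:db8:1::80",
    "mail.example.com.": "2001:db8:1::25",
    "ns1.example.com.": "2001:db8:1::53",
}


def ip6_arpa_name(addr: str) -> str:
    """Reverse-DNS name for an IPv6 address: all 32 hex nibbles of the
    fully expanded address, reversed and dot-separated, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_for_prefix(prefix: str) -> str:
    """Name of the ip6.arpa zone to create for a delegated prefix (/48, /64, ...).
    The prefix length must be a multiple of 4 so it cuts on a whole nibble."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zones are cut on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def aaaa_records(hosts, ttl=TTL):
    """Forward zone lines, one AAAA per host, in compressed notation."""
    return [f"{name} {ttl} IN AAAA {ipaddress.IPv6Address(addr).compressed}"
            for name, addr in hosts.items()]


def ptr_records(hosts, ttl=TTL):
    """Reverse zone lines, one PTR per host, keyed by the ip6.arpa name."""
    return [f"{ip6_arpa_name(addr)} {ttl} IN PTR {name}"
            for name, addr in hosts.items()]


def forward_reverse_consistent(hosts) -> bool:
    """Check that every AAAA has a PTR that maps straight back to the same
    name, the property mail servers and audit tools typically verify."""
    reverse = {ip6_arpa_name(addr): name for name, addr in hosts.items()}
    return all(reverse.get(ip6_arpa_name(addr)) == name
               for name, addr in hosts.items())


if __name__ == "__main__":
    print("; reverse zone:", reverse_zone_for_prefix("2001:db8:1::/48"))
    for line in aaaa_records(HOSTS) + ptr_records(HOSTS):
        print(line)
    print("; consistent:", forward_reverse_consistent(HOSTS))
```

Note the asymmetry with IPv4 reverse DNS: in-addr.arpa zones are cut on octets, ip6.arpa zones on nibbles, which is why a /48 gives a 12-label zone name and a /64 a 16-label one.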

ICMP and Security in IPv6

In the previous installment of our series of IPv6 posts, we covered some common myths regarding IPv6. In this post, we’ll talk about how the role of ICMP has changed in IPv6 compared to IPv4.

In IPv4, ICMP provides error reporting, flow control and first-hop gateway redirection. This functionality, which is also available in IPv6, is usually not essential to the operation of your network. With IPv6, however, ICMP has gained a much more significant and essential role because of new functionality that is now performed through ICMP. Path MTU Discovery (on which the source-only fragmentation of IPv6 depends), Neighbor Discovery (which replaces ARP) and StateLess Address AutoConfiguration (SLAAC) represent essential functionality that is now performed using ICMPv6 messages. Furthermore, many ICMPv6 messages are designed to be sent to multicast addresses rather than only to unicast addresses. Therefore, ICMP in IPv6 gains a whole new importance along with a new set of security concerns: the IPv4 habit of filtering ICMP wholesale breaks IPv6 outright, so the filtering policy has to be selective.
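The multicast point above, as an added example that is not part of the original post: it builds the ICMPv6 Neighbor Solicitation a host sends to resolve a neighbour's link-layer address (the IPv6 counterpart of an ARP request). The destination is the target's solicited-node multicast group ff02::1:ffXX:XXXX, mapped onto the 33:33:xx:xx:xx:xx Ethernet multicast MAC, and the ICMPv6 checksum covers the IPv6 pseudo-header, so a receiver can only validate it knowing the source and destination addresses. The addresses and MAC are constructed (2001:db8::/32 is the documentation prefix); no packets are sent.

```python
"""Build and validate an ICMPv6 Neighbor Solicitation.
Added example; all addresses are constructed, nothing is put on the wire."""

import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58    # IPv6 next-header value for ICMPv6 (RFC 8200)
ND_NEIGHBOR_SOLICIT = 135  # ICMPv6 type (RFC 4861)
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX with the low 24 bits of the unicast address.
    Every node joins this group for each of its own addresses."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Ethernet mapping for IPv6 multicast: 33:33 + low 32 bits of the group."""
    low32 = int(group) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def icmpv6_checksum(src: bytes, dst: bytes, message: bytes) -> int:
    """Internet checksum over the IPv6 pseudo-header (src, dst, upper-layer
    length, 3 zero bytes, next header) followed by the ICMPv6 message."""
    pseudo = src + dst + struct.pack("!I3xB", len(message), ICMPV6_NEXT_HEADER)
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries (ones' complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def neighbor_solicitation(src: str, target: str, src_mac: bytes):
    """Address-resolution NS from a configured source (for DAD the source
    would be :: and the link-layer option omitted).  Returns
    (destination IPv6, destination MAC, ICMPv6 message bytes)."""
    dst = solicited_node_multicast(target)
    # type, code, checksum placeholder, reserved, target address
    msg = struct.pack("!BBHI", ND_NEIGHBOR_SOLICIT, 0, 0, 0)
    msg += ipaddress.IPv6Address(target).packed
    # Source Link-Layer Address option: type 1, length 1 (8 bytes), 6-byte MAC
    msg += struct.pack("!BB", 1, 1) + src_mac
    csum = icmpv6_checksum(ipaddress.IPv6Address(src).packed, dst.packed, msg)
    msg = msg[:2] + struct.pack("!H", csum) + msg[4:]
    return str(dst), multicast_mac(dst), msg


def checksum_ok(src: str, dst: str, message: bytes) -> bool:
    """Receiver-side check: summing a message that already carries its own
    checksum must give zero."""
    return icmpv6_checksum(ipaddress.IPv6Address(src).packed,
                           ipaddress.IPv6Address(dst).packed, message) == 0


if __name__ == "__main__":
    dst, mac, msg = neighbor_solicitation(
        "2001:db8::2", "2001:db8::1", bytes.fromhex("001122334455"))  # constructed
    print(dst, mac, msg.hex())
    print("checksum ok:", checksum_ok("2001:db8::2", dst, msg))
```

Because the solicitation goes to a multicast group rather than to one host, every node on the link that joined that group sees it, and any node on the link can answer; that, together with the fact that blocking type 135/136 stops address resolution entirely, is why an ICMPv6 filter must be written per message type rather than as a blanket deny.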