Aug 082013

The dynamic tunnels are point to multipoint, virtually treating the underlying IPv4 network as NBMA. This is because the destination IPv4 address is dynamically discovered from the destination IPv6 address. Thus if a protocol uses the destination of multicast address, they will get mapped to an IPv4 address which cannot be routed, there by dropped.

Because of this reason we have to trick the protocol to use unicast IPv6 destination addresses. The implementation of this depends on the routing protocol itself. In this blog I will be demonstrating using OSPFv3 over different tunnel types.


In the above topology R2 which will be the hub is configured for following tunneling methods:

  • Automatic 6to4 tunneling towards R1.
  • ISATAP tunneling towards R3, where it acts as a client.
  • ISATAP tunneling towards R4 where both R2 and R4 are servers.

Caveats: The most important point to take into account is the IPv6 address itself. The transport IPv6 destination address will be automatically discovered with help of the IPv6 destination address. So we must make take care that the IPv6 destination could be properly mapped to the IPv4 destination.

Continue reading »

Jul 302013

The automatic tunneling mechanisms like Automatic 6to4 tunnels and ISATAP (Intra Site Automatic Tunnel Addressing Protocol) tunnels are point to multipoint tunnels. The destination IPv4 address is encoded in the IPv6 address itself. These tunneling mechanisms treat the underlying IPv4 network as an NBMA network.

As the destination IPv4 address is found out from the IPv6 address itself, care must be taken when deploying dynamic routing protocols over these tunnels. Care must be taken that the intermediate routers on the path does know the route to the encoded IPv4 address in the IPv6 packet.


Continue reading »

Apr 072013

An IPv6 router does not need a global IP address on its interface like an IPv4 router because it only uses the link local address (LLA) for the convergence of the routing domain. In IPv6 an interface always has a LLA as soon as the interface is enabled for IPv6. The LLA as the name states is not routed across the local link (Broadcast Domain). Routing protocols either of link state nature or distance vector nature exchange updates with their corresponding LLA as source.


The core routers R1 and R2 only have a single global address assigned so that they could be accessed from outside their broadcast domain. This loopback address must also be advertised into the IGP which in our case is OSPF. The global address is also needed on the core routes so that they could send ICMP control messages like packet too big, network unreachable, TTL exceeded etc. to the requester.

The non-core routers R4 and R3 do have also global address assigned from their respective broadcast domains to the appropriate interfaces, so that the prefix could be advertised via OSPF for the network reachability.

Let’s now check the importance for having a global address on the core routers. First with a traceroute from H1 to H4

Continue reading »

Oct 272012

Fragmentation occurs if an IP device wants to send a packet on a link and the maximum transmission unit of the link is lower than the packet size. If do not fragment bit is set in the IP header, the packet will get dropped other vise FRAGMENTED! If any of the fragments gets lost in transit, the receiver has to request for the whole packet again.

Let’s have a look at how a packet is fragmented. There are a couple of control fields in the IP header to accomplish fragmentation. The Flags will indicate if there are more fragments following or if this is the last fragment. The Fragment Offset indicates the position of the fragment in the original datagram. The Identification field is responsible to uniquely identify each fragments of the original datagram.

Let’s work though the scenario where H1 sends an ICMP request to H2. The payload size of the packet is 1600 bytes. All links other than the segment between R2 and R3 support the default IP MTU of 1500 bytes.

Continue reading »

Oct 072012

R1 will be advertising the 123::/64 prefix to the local LAN. R2 and R3 are hosts which will generate IPv6 address from the Router Advertisement (RA).

IPv6 hosts in the same broadcast domain use Neighbor Discovery Protocol (NDP) to find out the data link layer address of others. The functions of NDP are Neighbor Discovery, Router Discovery, Address Auto configuration, Address Resolution, Neighbor Unreachability Detection, Duplicate Address Detection, and Redirection. The NDP same as ARP does not have any mechanism to prevent masquerading attacks.

We can use Secure Neighbor Discovery (SeND) to protect against such attacks. SeND uses a RSA key pair along with other parameters to generate an IPv6 address which is called Cryptographically Generated Address (CGA).

Continue reading »