IPv6 Adressing and Deployment in

a common WISP Network

Carlos Cárdenas Cebrián

April 2018
About me
Education Experience
Advanced Vocational certificate in Electronics 5 years as field engineer installing Wireless networks,
security systems and repairing RF equipment
Degree in Computer Science, Cádiz
University, Spain (in progress) 8 years as test bench engineer in Aeronautics field,
especially in RF comms and navigation aids devices
Networking enthusiast, self taught.
(VHF/UHF, RADAR, VOR/ILS, RADALT, TACAN, etc.)
Technical certifications in other manufacturers
4 years as Chief Network Engineer in WISPs and ISPs.
Mikrotik certifications:
Currently working in AUNNAIT as network admin.
MTCNA, MTCRE, MTCTCE, MTCWE,
MTCINE, MTCIPv6E

2
Course objectives:
 Understand the basics of IPv6

 Prepare an addressing plan

 Configure an OSPFv3 environment

 Understand security considerations

 Assign the IPv6 prefixes to the final customer

3
Learning objectives:
The students will be able to:

 Make their own IPv6 addressing plan

 Configure, manage and troubleshoot a RouterOS IPv6

network

 Give IPv6 service to the final customer

 Implement a minimal IPv6 security policy

4
 1.
IPv6
Introduction
IPv6 Highlights
▷ Development began in 1996
▷ First IPv6 specs in RFC2460 (1998)
▷ Huge addressing space: 2128 addresses
▷ No NAT, real point to point connectivity
▷ Fragmentation occurs on origin host, not on routers
▷ No more broadcast. Multicast is used instead.

6
 IPv6 address notation
▷ 8 fields of 16 bits length each one.
▷ Uses hexadecimal notation
▷ Each 4 digits are separated by colons “:”

▷ 2001:0db8:0001:0002:0003:0004:0005:0006

▷ It can be abbreviated by removing the leading

zeroes:
▷ 2001:db8:1:2:3:4:5:6

7
 IPv6 address notation
▷ If there is two or more consecutive quartets of zeroes,
replace them with double colon “::”
▷ Only once in a single address, otherwise might not be
clear. Pick the longest group

▷ 2001:0db8:0000:0000:0003:0000:0000:0006
▷ Can be abbreviated in two ways:
▷ 2001:db8::3:0:0:6 ←
Recommended
▷ 2001:db8:0:0:3::6
More Info: RFC5952

8
IPv6 address notation
▷ Abbreviate the following Ips:

▷ 2001:0db8:cafe:0000:d452:0000:0000:009e
▷ 2001:0db8:0000:0000:0000:3400:0dba:1200

▷ Expand the following ips:

▷ 2001:db8::1
▷ 2001:db8:45e2:56:301::3

More Info: RFC5952

9
EUI-64
▷ 64 bit extended unique identifier (EUI)
▷ Calculated from interface MAC address:

1. Split the MAC address in two halves (6 hex digits each)

1. 00:13:12 34:AB:CD
2. Insert FFFE between the two halves
 00:13:12:FF:FE:34:AB:CD

3. Invert the seventh bit of interface ID

 02:13:12:FF:FE:34:AB:CD

10
EUI-64
▷ IPv6 Prefix:
▷ 2001:db8:1111:2222::/64
▷ Interface ID:
▷ 0213:12FF:FE34:ABCD
▷ IPv6 address:
▷ 2001:db8:1111:2222:0213:12FF:FE34:ABCD

11
 IPv6 addresses
 Address types  Special Addresses

Type Range Type Range

Link local fe80::/10 Loopback ::1/128

Documentation 2001:db8::/32
Global Unicast 2000::/3
6to4 2002::/16

Multicast ff00::/8 Unespecified address ::/128

Teredo 2001::/32
Unique local fc00::/7
Anycast Any unicast (enable “no DAD”)

12
 2.
IPv6
Addressing plan
How we can do it?
IPv6 Prefixes (/48 taken from a /32)

Routing prefix Subnet Subnet Interface identifier

2001:db8:0001:0000:0000:0000:0000:0001/48
2001:db8:0002:0000:0000:0000:0000:0001/48
2001:db8:0003:0000:0000:0000:0000:0001/48

2001:db8:001a:0000:0000:0000:0000:0001/48

▷ Longest prefix to be assigned: /64

▷ Usual assignation to customers: /48 - /64

14
IPv6 Subnetting

2001:0db8:0000:0000:0000:0000:0000:0000

/64

/56 (256 x /64)

/48 (65536 x /64)

/32 (65536 x /48)

15
IPv6 Subnetting exercise

Identify prefix and/or subnet boundaries:

2a00:6081:0017:0000:6e3b:6bff:fe40:1559/64

2a0b:0db9:0056:4089:0000:87dc:a3e4:1569/56

2b01:beef:1257:3e21:ff56:32a7:cafe:face/48

16
IPv6 Address plan
Common questions:
 How many addresses do we have available?
 How do I will distribute them?
 How much address space should I give to my customers?

Caveats:
 Don’t be stingy, there is a lot of addresses
 No space reservation for future growth
 Aggregation is desirable in some scenarios
 Use an easy system for you. Keep it simple

17
IPv6 BCOP Ripe-690
▷ Don’t be concerned about exhausting IPv6 space
▷ Allocate at least a /48 for each customer. /56 is also acceptable
▷ Prefixes longer than /56 strongly discouraged
▷ Use persistent prefixes. If not possible, highest lease time.
▷ Reserve for each PtP a single /64 and use /112, /126 or /127 to
address it.
▷ Number the WAN links (Use GUAs): Eases troubleshoot and monitor
▷ Tip: Link-local addresses does not appear in a traceroute. WAN pingable

Source: BCOP ripe-690

18
IPv6 Address plan
▷ We receive a /56 from Mikrotik:

▷ 20a2:16d8:107:900::/56
▷ Divide it in subnets. In our lab, we’ll use /60 for each node
▷ First /60 prefix reserved for infraestructure. Divide it in /64
▷ One /64 for Loopback addressing, another for network services
▷ One or more /64 for PtP addresssing. I will use /112 for addressing
▷ Customer’s address pool: one /60 per node. /64 will be delegated
▷ Reserve space for future growth

19
IPv6 Address plan
Infraestructure
addressing
Prefix Use Location

2a02:16d8:107:900::/60 Infraestructure

2a02:16d8:107:900::/64 Loopbacks

2a02:16d8:107:901::/64 Services Datacenter

2a02:16d8:107:902::/64 PtP Addressing

2a02:16d8:107:903::/64 Reserved

2a02:16d8:107:904::/64 Reserved

20
IPv6 Address plan
Customers blocks

Prefixs Use Location

2a02:16d8:107:910::/60 Customers R1

2a02:16d8:107:920::/60 Customers R2

2a02:16d8:107:930::/60 Customer R3

2a02:16d8:107:940::/60 Customers R4

2a02:16d8:107:950::/60 Customers R5

2a02:16d8:107:960::/60 Customers R6

2a02:16d8:107:970::/60 Reserved

2a02:16d8:107:980::/60 Reserved

2a02:16d8:107:990::/60 Reserved

2a02:16d8:107:9a0::/60 Reserved

21
 3.
IPv6
Routing
OSPFv3
Adding IPv6 Addresses
▷ Manual:

▷ Dynamic: SLAAC, DHCPv6-PD

23
Adding IPv6 DNS

24
IPv6 routes
▷ Gateway will be the remote end interface’s link local addres
 %etherXX to specify the interface connected to the gateway
 ::/0 is the default route

▷ Actually there is no support for IPv6 policy routing in RouterOS

25
 Lab
Connection setup
Lab - Connection setup

27
Enabling IPv6 package

▷ Reboot
▷ Keep your device updated always (Check for updates)

28
Configuring OSPFv3
Where to find OSPFv3

▷ Tab “Interfaces”: Add the interfaces used in OSPFv3 process

▷ Tab “Instance”: Configure router ID and select what you want to redistribute

29
Configuring OSPFv3
Step 1 - Add local IPv6 addresses
▷ Loopback R1: 2a01:16d8:107:900::1
▷ TIP: Add an admin MAC address to your loopback interface
▷ TIP: Add one second ip from last prefix of the pool to loopback
▷ 2a02:16d8:107:900:ffff:ffff:ffff:ffff

30
Configuring OSPFv3
Step 2 - Configure OSPFv3 interfaces

▷ Click on “+” and add only the interfaces that will be used
▷ In our example, all interfaces belong to backbone area
▷ Use point to point when possible
▷ Good practice to set up the unused interfaces as passive

31
Configuring OSPFv3
Step 3 - Configure OSPFv3 instance
▷ Router ID is 32 bit number, same as OSPFv2
▷ Set “redistribute default route” only in R1

32
Configuring OSPFv3
Verify OSPFv3 configuration

33
Configuring OSPFv3
Verify OSPFv3 configuration (R2 routing table)

34
 4.
IPv6
Prefix Delegation
Giving addresses to others...
IPv6 Prefix Delegation

▷ Assign networks prefixes, not single addresses

▷ Only SLAAC and DHCPv6-PD supported in RouterOS
▷ Requires the use of address pools
▷ SLAAC used to give single addresses for end users/hosts
▷ DHCPv6-PD used to give a prefix to network hosts (routers)

36
IPv6 Pool

 Prefix: Prefix assigned to the router

 Prefix Length: Prefix that is assigned to the customer

37
Neighbor Discovery (ND)
▷ Menu: IPv6 → ND
▷ Tab “Interfaces”→ Select “all”
▷ Enable ”Advertise DNS”
 “Other Configuration”

38
DHCPv6-PD
▷ Menu: IPv6 → DHCP Server→ +
 Add a new DHCP server on the interface
 Set the address pool and the prefix size you want to give to your
customers

39
DHCPv6-PD Client Config
▷ Menu → IPv6 → DHCP Client → +

 Add a new DHCP client listening on a interface

 Uncheck “address”, check “Prefix”
 Configure Pool Name
 Configure Pool size (If you want to delegate must be > 64)

40
DHCPv6-PD Client Addressing
▷ Menu → IPv6 → Address → +

 Add a new Address from Delegated Prefix (Pool)

 Check “EUI-64” if you want to use interface’s MAC for the calculation
 Check “Advertise” if you want to use ND on that interface to give addresses to
another hosts

41
DHCPv6-PD Client Config
▷ Checking configuration from a host connected to a DHCPv6-PD client device (router):

42
 5.
IPv6
Security
A first step...
IPv6 Security considerations
▷ Allow ICMPv6 and Multicast. In IPv4 we used to block ICMP
▷ Key point: Use global addresses in the user’s device (Public IPs)
▷ Dual stack = Dual security

▷ We are going to block all inbound connections from the Internet to

our network if we don’t originate them.
▷ This is very basic, you must know your network and protect it.

44
 IPv6 basic firewall
▷ Tip: Add your interfaces to WAN and LAN interface list
/interface list
add name=LAN
add name=WAN

/ interface list
member add interface=wlan1 list=WAN
member add interface=ether2 list=LAN

/ipv6 firewall filter

#CHAIN INPUT
add action=accept chain=input comment="Allow established,related" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow ICMPv6" protocol=icmpv6
add action=accept chain=input comment="Allow DHCPv6Client" dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="Allow DHCPv6Server" dst-port=547 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="Allow traceroute" port=33434-33534 protocol=udp
add action=drop chain=input comment="Drop all except from LAN" in-interface-list=!LAN

#CHAIN FORWARD
add action=accept chain=forward comment="Allow established,related" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="Drop all except from LAN" in-interface-list=!LAN

45
Thanks!
Any questions?
You can find me at:
[email protected]