
Configuring Windows 7 (Training Kit) - Part 37 pps


Document information

Pages: 10
Size: 270.47 KB

Contents

Lesson 2: Configuring IPv6

The Advantages of IPv6

IPv6 was designed to overcome the limitations of IPv4. The main advantages that IPv6 has over its predecessor are as follows:

- Increased address space. IPv6 provides sufficient addresses for every device that needs to have a unique public IPv6 address. In addition, the 64-bit host portion (interface ID) of an IPv6 address can be automatically generated from the network adapter hardware.
- Automatic address configuration. Typically, IPv4 is configured either manually or by using DHCP. Automatic configuration (autoconfiguration) through APIPA is available for isolated subnets that are not routed to other networks. IPv6 deals with the need for simpler and more automatic address configuration by supporting both stateful and stateless address configuration.
- Network-level security. Communication over the Internet requires encryption to protect data from being viewed or modified in transit. Internet Protocol Security (IPSec) provides this facility, and IPv6 makes IPSec mandatory.
- Real-time data delivery. Quality of Service (QoS) exists in IPv4, and bandwidth can be guaranteed for real-time traffic over a network, but not when an IPv4 packet's payload is encrypted. Payload identification is included in the Flow Label field of the IPv6 header, so payload encryption does not affect QoS operation.
- Routing table size. On the IPv6 Internet, backbone routers have greatly reduced routing tables that use route aggregation, which permits a number of contiguous address blocks to be combined and summarized as a larger address block.
- Header size and extension headers. IPv4 and IPv6 headers are not compatible, and a host or router must use both IPv4 and IPv6 implementations to recognize and process both header formats. Therefore, the IPv6 header was designed to be as small as was practical. Nonessential and optional fields are moved to extension headers placed after the IPv6 header.
- Removal of broadcast traffic. IPv4 relies on ARP broadcasts to resolve the MAC addresses of network adapters. The IPv6 Neighbor Discovery (ND) protocol uses a series of ICMPv6 messages. ND replaces ARP broadcasts, ICMPv4 Router Discovery, and ICMPv4 Redirect messages with efficient multicast and unicast ND messages.

Quick Check
1. How many bits are in an IPv4 address?
2. How many bits are in an IPv6 address?

Quick Check Answers
1. 32
2. 128

Address Resolution in IPv6

The ND protocol resolves IPv6 addresses to MAC addresses. This is typically a straightforward process; for example, in unicast global IPv6 addresses the 64-bit host portion of the IPv6 address is derived from the MAC address of the network adapter in the first place.

The resolution of host names to IPv6 addresses is accomplished through DNS (apart from link-local addresses, which are not stored by DNS and resolve automatically). The procedure is the same as for IPv4 address resolution, with the computer name and IPv6 address pair being stored in an AAAA (quad-A) DNS resource record, which is equivalent to an A (host) record for IPv4. Reverse DNS lookup, which returns a computer name for an IPv6 address, is implemented by a pointer (PTR) DNS resource record that refers to the IPv6 reverse lookup zone (or tree) ipv6.arpa, the equivalent of the in-addr.arpa reverse lookup zone in IPv4. Creating an ipv6.arpa reverse lookup zone is a complex procedure that involves splitting the IPv6 address into 4-bit nibbles and entering these in reverse order. This is beyond the scope of the 70-680 examination.

In peer-to-peer environments where DNS is not available (for example, ad hoc networks), the Peer Name Resolution Protocol (PNRP) provides dynamic name registration and name resolution. PNRP can apply peer names to the machine or to individual applications and services on the machine. A peer name resolution includes an address, port, and possibly an extended payload.
Peer names can be published as secured (protected) or unsecured (unprotected). PNRP uses public key cryptography to protect secure peer names against spoofing.

More Info: Peer Name Resolution Protocol
For more information about PNRP, see http://msdn.microsoft.com/en-us/library/bb968779.aspx.

Implementing IPv4-to-IPv6 Compatibility

In addition to the various types of addresses described earlier in this lesson, IPv6 provides the following types of compatibility addresses to aid migration from IPv4 to IPv6 and to implement transition technologies.

IPv4-Compatible Address

The IPv4-compatible address 0:0:0:0:0:0:w.x.y.z (or ::w.x.y.z) is used by dual-stack nodes that are communicating with IPv6 over an IPv4 infrastructure. The last four octets (w.x.y.z) represent the dotted decimal representation of an IPv4 address. When the IPv4-compatible address is used as an IPv6 destination, the IPv6 traffic is automatically encapsulated with an IPv4 header and sent to the destination using the IPv4 infrastructure.

IPv4-Mapped Address

The IPv4-mapped address 0:0:0:0:0:ffff:w.x.y.z (or ::ffff:w.x.y.z) is used to represent an IPv4-only node to an IPv6 node and hence to map IPv4 devices that are not compatible with IPv6 into the IPv6 address space.

6to4 Address

A 6to4 address enables IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. 6to4 hosts can communicate with hosts on the IPv6 Internet. A 6to4 address is typically used when a user wants to connect to the IPv6 Internet using an existing IPv4 connection. It takes the form 2002:<first two bytes of the IPv4 address>:<second two bytes of the IPv4 address>::/16. To use a 6to4 address, you do not need to configure or support IPv6 on any networking devices near the host. As a result, 6to4 is relevant during the initial phases of deployment to full, native IPv6 connectivity.
It is intended only as a transition mechanism and is not meant to be used permanently. It does not facilitate interoperation between IPv4-only hosts and IPv6-only hosts.

Teredo Address

A Teredo address consists of a 32-bit Teredo prefix. In Windows 7 (and in Windows Vista and Windows Server 2008), this is 2001::/32. The prefix is followed by the IPv4 (32-bit) public address of the Teredo server that assisted in the configuration of the address. The next 16 bits are reserved for Teredo flags. Currently, only the highest-order flag bit is defined. This is the cone flag, and it is set when the NAT connected to the Internet is a cone NAT.

Note: Teredo in Windows XP and Windows Server 2003
In Windows XP and Windows Server 2003, the Teredo prefix was originally 3ffe:831f::/32. Computers running Windows XP and Windows Server 2003 use the 2001::/32 Teredo prefix when updated with Microsoft Security Bulletin MS06-064.

The next 16 bits store an obscured version of the external UDP port that corresponds to all Teredo traffic for the Teredo client interface. When a Teredo client sends its initial packet to a Teredo server, the NAT maps the source UDP port of the packet to a different, external UDP port. All Teredo traffic for the host interface uses the same external, mapped UDP port. The value representing this external port is masked or obscured by exclusive ORing (XORing) it with 0xffff. Obscuring the external port prevents NATs from translating it within the payload of packets that are being forwarded.

The final 32 bits store an obscured version of the external IPv4 address that corresponds to all Teredo traffic for the Teredo client interface. The external address is obscured by XORing it with 0xffffffff. As with the UDP port, this prevents NATs from translating the external IPv4 address within the payload of packets that are being forwarded.
For example, the obscured version of the public IPv4 address 131.107.0.1 in colon-hexadecimal format is 7c94:fffe (131.107.0.1 equals 0x836b0001, and 0x836b0001 XOR 0xffffffff equals 0x7c94fffe). Obscuring the external address prevents NATs from translating it within the payload of the packets that are being forwarded.

For example, Northwind Traders currently implements the following IPv4 private networks at its headquarters and branch offices:

- Headquarters: 10.0.100.0/24
- Branch1: 10.0.0.0/24
- Branch2: 10.0.10.0/24
- Branch3: 10.0.20.0/24

The company wants to establish IPv6 communication between Teredo clients and other Teredo clients, and between Teredo clients and IPv6-only hosts. The presence of Teredo servers on the IPv4 Internet enables this communication to take place. A Teredo server is an IPv6/IPv4 node connected to both the IPv4 Internet and the IPv6 Internet that supports a Teredo tunneling interface. The Teredo addresses of the Northwind Traders networks depend on a number of factors, such as the port and type of NAT server used, but they could, for example, be the following:

- Headquarters: 2001::ce49:7601:e866:efff:f5ff:9bfe through 2001::0a0a:64fe:e866:efff:f5ff:9b01
- Branch 1: 2001::ce49:7601:e866:efff:f5ff:fffe through 2001::0a0a:0afe:e866:efff:f5ff:ff01
- Branch 2: 2001::ce49:7601:e866:efff:f5ff:f5fe through 2001::0a0a:14fe:e866:efff:f5ff:f501
- Branch 3: 2001::ce49:7601:e866:efff:f5ff:ebfe through 2001::0a0a:1efe:e866:efff:f5ff:ebfe

Note that, for example, 10.0.100.1 is the equivalent of 0a00:6401, and 0a00:6401 XORed with ffff:ffff is f5ff:9bfe.

Exam Tip
The 70-680 examination objectives specifically mention Teredo addresses, which are supported by Microsoft. However, the examination is unlikely to ask you to generate a Teredo address. You might, however, be asked to identify such an address and work out its included IPv4 address. Fortunately, you have access to a scientific calculator during the examination.
You are more likely to be asked to identify a Teredo or a 6to4 address. Both are public addresses. A Teredo address starts with 2001; a 6to4 address starts with 2002.

Note: Teredo
For more information about Teredo, see http://www.ietf.org/rfc/rfc4380.txt and http://www.microsoft.com/technet/network/ipv6/teredo.mspx.

Cone NATs

Cone NATs can be full cone, restricted cone, or port-restricted cone. In a full-cone NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port, and any external host can send a packet to the internal host by sending a packet to the mapped external address. In a restricted-cone NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port, but an external host can send a packet to the internal host only if the internal host had previously sent a packet to the external host. In a port-restricted-cone NAT, the restriction includes port numbers: an external host with a specified IP address and source port can send a packet to an internal host only if the internal host had previously sent a packet to that IP address and port.

Intra-Site Automatic Tunneling Addressing Protocol (ISATAP) Address

IPv6 can use an Intra-Site Automatic Tunneling Addressing Protocol (ISATAP) address to communicate between two nodes over an IPv4 intranet. An ISATAP address starts with a 64-bit unicast link-local, site-local, global, or 6to4 global prefix. The next 32 bits are the ISATAP identifier 0:5efe. The final 32 bits hold the IPv4 address in either dotted decimal or hexadecimal notation. An ISATAP address can incorporate either a public or a private IPv4 address. To identify an ISATAP address, look for 5efe followed by an IP address in either dotted decimal or hexadecimal format.
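The following Python script is an added example, not part of the Training Kit: it applies the address layouts described in the Teredo, 6to4, ISATAP and IPv4-compatible/mapped sections above, classifying a transition address and recovering the IPv4 data it embeds, including de-obscuring the Teredo port and client address by XOR with 0xffff and 0xffffffff. The values 131.107.0.1 and the Northwind headquarters Teredo address are the lesson's own; the 6to4, ISATAP and mapped samples in the script are constructed.

```python
"""Classify IPv6 transition addresses and recover the embedded IPv4 data.

Added example (not from the Training Kit); standard library only. Prefixes
2001::/32 (Teredo), 2002::/16 (6to4) and the ISATAP identifier 0:5efe are
taken from the lesson text.
"""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def _v4(value: int) -> str:
    """Render a 32-bit integer as dotted decimal."""
    return str(ipaddress.IPv4Address(value))


def classify(text: str) -> dict:
    """Return the transition-address type and any embedded IPv4 information."""
    addr = ipaddress.IPv6Address(text)
    n = int(addr)  # 128-bit integer; bit 127 is the first bit of the prefix
    if addr in TEREDO_PREFIX:
        # After the 32-bit prefix: server IPv4 (32 bits), flags (16),
        # obscured external UDP port (16), obscured external IPv4 (32).
        server = (n >> 64) & 0xFFFFFFFF
        flags = (n >> 48) & 0xFFFF
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF            # undo the XOR mask
        client = (n & 0xFFFFFFFF) ^ 0xFFFFFFFF          # undo the XOR mask
        return {
            "type": "Teredo",
            "server": _v4(server),
            "cone_flag": bool(flags & 0x8000),           # highest-order flag bit
            "external_port": port,
            "external_ipv4": _v4(client),
        }
    if ((n >> 32) & 0xFFFFFFFF) == 0x00005EFE:
        # <64-bit prefix>:0:5efe:<IPv4>; checked before 6to4 because the
        # text allows an ISATAP address to carry a 6to4 global prefix.
        return {"type": "ISATAP", "ipv4": _v4(n & 0xFFFFFFFF)}
    if addr in SIXTO4_PREFIX:
        # 2002:WWXX:YYZZ::/48 -- the IPv4 address occupies bits 16..47.
        return {"type": "6to4", "ipv4": _v4((n >> 80) & 0xFFFFFFFF)}
    if addr.ipv4_mapped is not None:                     # ::ffff:w.x.y.z
        return {"type": "IPv4-mapped", "ipv4": str(addr.ipv4_mapped)}
    if (n >> 32) == 0 and n not in (0, 1):               # ::w.x.y.z (not :: or ::1)
        return {"type": "IPv4-compatible", "ipv4": _v4(n)}
    return {"type": "other"}


def obscure_ipv4(dotted: str) -> str:
    """Teredo-obscure an IPv4 address (XOR 0xffffffff) as two colon-hex groups."""
    v = int(ipaddress.IPv4Address(dotted)) ^ 0xFFFFFFFF
    return f"{v >> 16:04x}:{v & 0xFFFF:04x}"


if __name__ == "__main__":
    print("131.107.0.1 obscured ->", obscure_ipv4("131.107.0.1"))
    samples = (
        "2001::ce49:7601:e866:efff:f5ff:9bfe",  # lesson's Northwind HQ address
        "2002:836b:1::1",                        # constructed 6to4 sample
        "fe80::5efe:10.0.100.1",                 # constructed ISATAP sample
        "::ffff:192.168.1.10",                   # constructed IPv4-mapped sample
    )
    for sample in samples:
        print(sample, "->", classify(sample))
```

Running it on the headquarters address shows that the embedded values decode to a Teredo server of 206.73.118.1, a cone-flag NAT, external UDP port 4096 and the client's external IPv4 address 10.0.100.1, which is the 0a00:6401 value the text derives by hand.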
Implementing IPv6-to-IPv4 Compatibility

You can implement IPv6-to-IPv4 compatibility by using the IPv6 tools Netsh interface ipv6 6to4, Netsh interface ipv6 isatap, and Netsh interface ipv6 add v6v4tunnel. For example, to create an IPv6-in-IPv4 tunnel between the local address 10.0.0.11 and the remote address 192.168.123.116 on an interface named Remote, you would enter netsh interface ipv6 add v6v4tunnel "Remote" 10.0.0.11 192.168.123.116.

Note: Transition Technologies
The various methods of implementing IPv6-to-IPv4 compatibility are known as transition technologies.

Note: 6to4cfg
Windows 7 does not support the 6to4cfg tool.

Configuring IPv6 Connectivity

Windows Server 2008 provides tools that let you configure IPv6 interfaces and check IPv6 connectivity and routing. Tools also exist that implement and check IPv4-to-IPv6 compatibility. In Windows 7, the standard command-line tools such as Ping, Ipconfig, Pathping, Tracert, Netstat, and Route have full IPv6 functionality. For example, Figure 6-22 shows the Ping command used to check a link-local IPv6 address on the Canberra computer. The IPv6 address on your computer is different. Note that if you were pinging from one host to another using link-local addresses, you would also need to include the interface ID (for example, ping fe80::d1ff:d166:7888:2fd6%12). Interface IDs are discussed later in this lesson. Note also that this command works because you are pinging a link-local address on the same computer. To ping between computers, you need to allow ICMPv6 traffic through each computer's firewall.

FIGURE 6-22 Pinging an IPv6 link-local address

Note: Ping6
The Ping6 command-line tool is not supported in Windows 7.

Tools specific to IPv6 are provided in the Netsh command structure. For example, the netsh interface ipv6 show neighbors command shows the IPv6 interfaces of all hosts on the local subnet.
You use this command in the practice later in this lesson, after you have configured IPv6 connectivity on a subnet.

Verifying IPv6 Configuration and Connectivity

If you are troubleshooting connectivity problems or merely want to check your configuration, arguably the most useful tool, and certainly one of the most used, is Ipconfig. If you enter ipconfig /all, this displays both IPv4 and IPv6 configuration. The output from this tool was shown in Figure 6-6. If you want to display the configuration of only the IPv6 interfaces on the local computer, you can enter netsh interface ipv6 show address. Figure 6-23 shows the output of this command run on the Canberra computer. Note the % character followed by a number after each IPv6 address. This is the interface ID, which identifies the interface that is configured with the IPv6 address.

FIGURE 6-23 Displaying IPv6 addresses and interface IDs

Note: Network Connection Details Information Box
You can also find the IPv6 address of an interface by accessing the Network Connection Details information box. The procedure to do this is described in Lesson 3, and the information box is shown in Figure 6-38 in that lesson. However, the Network Connection Details information box does not show the interface ID.

If you are administering an enterprise network with a number of sites, you also need to know site IDs. You can obtain a site ID by entering the command netsh interface ipv6 show address level=verbose. Part of the output from this command is shown in Figure 6-24.

FIGURE 6-24 Displaying IPv6 addresses and site IDs

Configuring IPv6 Interfaces

Typically, most IPv6 addresses are configured through autoconfiguration or DHCPv6. However, if you need to manually configure an IPv6 address, you can use the Netsh interface ipv6 set address command, as in this example: netsh interface ipv6 set address "local area connection" fec0:0:0:ffee::2.
You need to run the command prompt as an administrator to use this command. In Windows 7, you can also manually configure IPv6 addresses from the properties of the Internet Protocol Version 6 (TCP/IPv6) GUI. Figure 6-25 shows this configuration.

FIGURE 6-25 Configuring an IPv6 address through a GUI

The advantage of using the TCP/IPv6 GUI is that you can specify the IPv6 addresses of one or more DNS servers in addition to specifying the interface address. If, however, you choose to use command-line interface (CLI) commands, the command to add IPv6 addresses of DNS servers is Netsh interface ipv6 add dnsserver, as in this example: netsh interface ipv6 add dnsserver "local area connection" fec0:0:0:ffee::ff. The command to add a default gateway is Netsh interface ipv6 add route followed by the metric (the order of preference if there are multiple routes), as in this example: netsh interface ipv6 add route ::/0 "local area connection" fec0:0:0:ffee::1. To change the properties of IPv6 interfaces (but not their configuration), use the Netsh interface ipv6 set interface command, as in this example: netsh interface ipv6 set interface "local area connection" forwarding=enabled. You need to run the command prompt as an administrator to use any Netsh configuration commands.

More Info: Netsh
Netsh is an exceptionally powerful and versatile utility that enables you to carry out a very large number of configuration tasks through a command-line interface. For more information, see http://technet.microsoft.com/en-us/library/cc785383.aspx.

Quick Check
- What Netsh command lists site IDs?

Quick Check Answer
- netsh interface ipv6 show address level=verbose

Verifying IPv6 Connectivity

To verify connectivity on a local network, your first step should be to flush the neighbor cache, which stores recently resolved link-layer addresses and might give a false result if you are checking changes that involve address resolution.
You can check the contents of the neighbor cache by entering netsh interface ipv6 show neighbors. Entering netsh interface ipv6 delete neighbors flushes the cache. You need to run the command prompt as an administrator to use these commands.

You can test connectivity to a local host on your subnet and to your default gateway by using the Ping command. Note that Windows Firewall blocks Ping commands by default, and you need to allow ICMPv6 packets through the firewalls of both computers before one can ping the other by its IPv4 address. You can add the interface ID to the IPv6 interface address to ensure that the address is configured on the correct interface. Figure 6-22 shows a Ping command using an IPv6 address and an interface ID.

To check connectivity to a host on a remote network, your first task should be to check and clear the destination cache, which stores next-hop IPv6 addresses for destinations. You can display the current contents of the destination cache by entering netsh interface ipv6 show destinationcache. To flush the destination cache, enter netsh interface ipv6 delete destinationcache. As before, these commands need administrator credentials.

Your next step is to check connectivity to the default router interface on your local subnet. This is your default gateway. You can identify the IPv6 address of your default router interface by using the Ipconfig, Netsh interface ipv6 show routes, or Route print command. You can also specify the zone ID, which is the interface ID for the default gateway on the interface on which you want the ICMPv6 Echo Request messages to be sent. When you have ensured that you can reach the default gateway on your local subnet, ping the remote host by its IPv6 address. Note that you cannot ping a remote host (or a router interface) by its link-local IPv6 address because link-local addresses are not routable.
If you can connect to the default gateway but cannot reach the remote destination address, trace the route to the remote destination by using the Tracert -d command followed by the destination IPv6 address. The -d command-line switch prevents the Tracert tool from performing a DNS reverse query on router interfaces in the routing path. This speeds up the display of the routing path. If you want more information about the routers in the path, and particularly if you want to verify router reliability, use the Pathping -d command, again followed by the destination IPv6 address.

Quick Check
- What Netsh command could you use to identify the IPv6 address of your default router interface?

Quick Check Answer
- netsh interface ipv6 show route

Troubleshooting Connectivity

If you cannot connect to a remote host, you first need to check the various hardware connections (wired and wireless) in your organization and ensure that all network devices are up and running. If these basic checks do not find the problem, the Internet Protocol Security (IPSec) configuration might not be properly configured, or firewall problems (such as incorrectly configured packet filters) might exist. You can use the IP Security Policies Management console, shown in Figure 6-26, to check and configure IPSec policies, and the Windows Firewall With Advanced Security console (shown previously in Figures 6-11 and 6-12 in Lesson 1) to check and configure IPv6-based packet filters.

FIGURE 6-26 The IP Security Policies Management console

Posted: 02/07/2014, 10:21
