Chapter 15 – IPv6
The origins of Internet Protocol Version 6 (IPv6) date back to December 1998 with the publication of RFC 2460, which describes IPv6 as the successor to IPv4, the standard communications protocol still in use by the majority of users today. The transition away from IPv4 was a direct response to the foreseeable exhaustion of 32-bit IPv4 addresses, of which virtually all 4.3 billion have now been assigned.
IPv4 uses 32-bit addresses, which means that there is a theoretical address limit of 2 to the power of 32. The IPv6 address scheme is based on a 128-bit address, resulting in a theoretical address limit of 2 to the power of 128.
IPv4 = Roughly 4.3 billion
IPv6 = Over 340 undecillion (340 followed by 36 digits)
Assuming a world population of approximately 8 billion people, IPv6 would allow each individual to have approximately 42,535,295,865,117,200,000,000,000,000 devices with an IP address. That's 42 quintillion devices, so it is unlikely that we will ever need to worry about the availability of IPv6 addresses.
Aside from the difference of possible addresses, there is also the different formatting of the addresses. A computer would view an IPv4 address as a 32-bit string of binary digits made up of 1s and 0s, broken up into 4 octets of 8 digits separated by a period: 10101100.00010000.11111110.00000001
To make the number more user-friendly, we translate the address into decimal, again 4 octets separated by a period: 172.16.254.1
A computer would view an IPv6 address as a 128-bit string of binary digits made up of 1s and 0s, broken up into 8 groups of 16 digits separated by a colon: 0010000000000001:0000110110111000:0000000000000000:0000000000000010:0000000000000000:0000000000000000:0000000000000000:0000000000100000
To make this number a little more user-friendly, we translate it into hexadecimal, again 8 groups separated by a colon, for example: 2001:0db8:0000:0002:0000:0000:0000:0020
We can further simplify the above address. Leading zeros within any group may be dropped (so 0000 becomes 0 and 0db8 becomes db8), and one contiguous run of all-zero groups may be replaced by a double colon, which may appear only once in an address. The above address can therefore be reduced to: 2001:0db8:0000:0002:0:0:0:20 or 2001:db8:0:2::20
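The expansion and compression rules just described, as an added Python example that is not part of the original chapter: it expands an address (including one written with "::") back to its eight 16-bit groups, shows the binary view, and compresses it by dropping leading zeros and replacing only the longest run of zero groups with "::".

```python
def expand_ipv6(addr: str) -> list[int]:
    """Return the eight 16-bit groups of an IPv6 address, handling '::'."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in addr:
        head, tail = addr.split("::")
        left = [int(g, 16) for g in head.split(":") if g]
        right = [int(g, 16) for g in tail.split(":") if g]
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = left + [0] * missing + right
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"invalid IPv6 address: {addr}")
    return groups


def full_form(addr: str) -> str:
    """Eight groups of four hex digits, e.g. 2001:0db8:0000:0002:0000:0000:0000:0020."""
    return ":".join(f"{g:04x}" for g in expand_ipv6(addr))


def binary_form(addr: str) -> str:
    """The 128-bit view: eight groups of 16 binary digits."""
    return ":".join(f"{g:016b}" for g in expand_ipv6(addr))


def compress_ipv6(addr: str) -> str:
    """Drop leading zeros in each group and replace the longest run of two or
    more consecutive zero groups with '::' (the first run wins a tie)."""
    groups = expand_ipv6(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
```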
IPv6 packet structure
Each IPv6 packet consists of a mandatory fixed header and optional extension headers, and carries a payload, which is typically a datagram or Transport Layer information. The payload could also contain data for the Internet Layer or Link Layer. Unlike IPv4, IPv6 packets are not fragmented by routers, so hosts must implement Path Maximum Transmission Unit (MTU) Discovery in order to send packets larger than the minimum link MTU of 1280 octets.
Jumbograms and jumbo payloads
In IPv6, packets whose payload exceeds the 65,535-octet limit of the fixed header's Payload Length field are called jumbograms, and carry a jumbo payload. A jumbogram uses the Jumbo Payload option defined in RFC 2675, which allows up to nearly 4 GiB of payload data. When a packet is too large for the MTU of the path, the node that receives the oversized packet sends a 'Packet Too Big' ICMPv6 type 2 message to the sender.
Fragmentation and reassembly
As noted, packets that are too large for the path MTU require hosts to perform Path MTU Discovery to determine the maximum size of packets to send. Packets that are still too large require a 'Fragment' extension header, which divides the payload into segments whose length is a multiple of 8 octets (except for the last fragment, which may be smaller). Packets are reassembled according to the identification and fragment offset carried in the extension header.
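To make the packet structure concrete, here is an added Python example (not code from the original chapter) that decodes the 40-octet fixed header, walks the extension-header chain and returns the Fragment header fields; note that the fragment offset is carried in 8-octet units. The packet bytes are constructed for illustration, with the offset chosen so that the first fragment fit the 1280-octet minimum MTU.

```python
import struct

# Constructed sample, not a captured packet: fixed header, then a Fragment
# extension header, then the first 8 octets of a UDP fragment payload.
HDR_NAMES = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 60: "Dest-Opts",
             6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}
EXT_HEADERS = (0, 43, 44, 60)


def parse_ipv6(pkt: bytes) -> dict:
    """Decode the fixed header, walk the extension chain and return the
    Fragment header fields (offset converted from 8-octet units to octets)."""
    if len(pkt) < 40:
        raise ValueError("truncated: the IPv6 fixed header is 40 octets")
    vtf, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("version field is not 6")
    info = {"payload_length": plen, "hop_limit": hlim,
            "src": pkt[8:24].hex(), "dst": pkt[24:40].hex(),
            "chain": [], "fragment": None}
    off = 40
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        info["chain"].append(HDR_NAMES[nxt])
        if nxt == 44:
            # Fragment header: next, reserved, [offset:13 | res:2 | M:1], identification
            fnxt, _, off_m, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            info["fragment"] = {"offset_octets": (off_m >> 3) * 8,
                                "more_fragments": bool(off_m & 1),
                                "identification": ident}
            nxt, off = fnxt, off + 8
        else:
            # Other extension headers: Hdr Ext Len counts 8-octet units
            # beyond the first 8 octets
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    info["chain"].append(HDR_NAMES.get(nxt, str(nxt)))
    info["upper_layer_offset"] = off
    return info


SAMPLE = (
    bytes.fromhex("60000000" "0010" "2c" "40")           # v6, payload 16, next 44, hop 64
    + bytes.fromhex("20010db8000000020000000000000020")  # src 2001:db8:0:2::20
    + bytes.fromhex("20010db8000000010000000000000001")  # dst 2001:db8:0:1::1
    + struct.pack("!BBHI", 17, 0, (1232 // 8) << 3, 0xdeadbeef)  # last fragment at 1232
    + bytes(8)                                           # 8 octets of fragment data
)
```

A defender can use the same walk to flag chains that hide the transport header behind a Fragment header with a zero offset, a pattern many IPv6 filtering rules treat with suspicion.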
Benefits of IPv6
Some of the benefits of IPv6 include:
- More efficient routing
- Reduced management requirement
- Stateless autoconfiguration of hosts
- Improved methods to change Internet Service Providers
- Better mobility support
- Scoped address: link-local, site-local, and global address space
What's new in FortiOS 5.4
DHCPv6 server is configurable in delegated mode (295007)
Downstream IPv6 interfaces can receive address assignments on delegated subnets from a DHCP server that serves an upstream interface.
Enable DHCPv6 Prefix Delegation on upstream interface (port10):
config system interface
    edit "port10"
        config ipv6
            set dhcp6-prefix-delegation enable
        end
    next
end
Assign delegated prefix on downstream interface (port1). Optionally, specific delegated prefixes can be specified:
config system interface
    edit "port1"
        config ipv6
            set ip6-mode delegated
            set ip6-upstream-interface "port10"
            set ip6-subnet ::1:0:0:0:1/64
            set ip6-send-adv enable
            config ipv6-delegated-prefix-list
                edit 1
                    set upstream-interface "port10"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet 0:0:0:100::/64
                next
            end
        end
    next
end
DHCPv6 Server configuration
Configuring a server that uses delegated prefix and DNS from upstream:
config system dhcp6 server
    edit 1
        set dns-service delegated
        set interface "wan2"
        set upstream-interface "wan1"
        set ip-mode delegated
        set subnet 0:0:0:102::/64
    next
end
FortiGate can connect to FortiAnalyzer using IPv6 addresses (245620)
When configuring your FortiGate to send logs to a FortiAnalyzer you can specify an IPv4 or an IPv6 address.
IPv6 neighbor discovery limits changes (248076)
You can use the following command to configure the maximum number of IPv6 neighbors that can be discovered by the IPv6 Neighbor Discovery Protocol (NDP) and added to the IPv6 neighbor database.
config system global
    set ndp-max-entry <integer>
end
The number of entries can be in the range 65,536 to 2,147,483,647. The default value of 0 means 65,536 entries.
Support IPv6 blackhole routing (220101)
Similar to IPv4 blackhole routing, IPv6 blackhole routing is now supported. Use the following command to enable IPv6 blackhole routing:
config router static6
    edit 1
        set blackhole {enable | disable}
    next
end
TFTP session helper for IPv6 (263127)
TFTP is supported over NAT66 and NAT46.
FTP, PPTP and RTSP session helper enhancements for IPv6 (244986)
The FTP, PPTP and RTSP session helpers support NAT-64 customer-side translator (CLAT) sessions.
Central Management ratings and update servers can use IPv6 addresses (297144)
You can configure servers for Central Management using either IPv4 or IPv6 addresses. The addr-type field sets the address type. The address is entered in the server-address or server-address6 field as appropriate.
config system central-management
    set type fortimanager
    set fmg "2000:172:16:200::207"
    set vdom "vdom1"
    config server-list
        edit 1
            set server-type rating update
            set addr-type ipv6
            set server-address6 2000:172:16:200::207
        next
    end
end
Allow asymmetric routing for ICMP (258734)
Where the network topology requires asymmetric routing for ICMP traffic, you can configure the FortiGate to permit asymmetric ICMP traffic. This is done in the CLI, with separate fields for the IPv4 and IPv6 versions of ICMP.
config system settings
    set asymroute-icmp enable
    set asymroute-icmp6 enable
end