Thursday, October 24, 2013

Windows Server 2012 - IPv6 (only)

My objective was to continue my exploration of DHCP functionality in Windows Server 2012 and attempt to configure DHCPv6. I had studied IPv6 somewhat superficially for previous Microsoft certification (Windows 2008) and in some detail for my CCNA. As it is not something I use often, I thought it would be preferable to review some concepts and begin by configuring what will be my DHCPv6 server.
I'm going to concentrate on static IPv6 addressing - not a general overview of IPv6, a vast subject in itself and amply discussed elsewhere on the Internet.
 
In IPv6, these are the most common types of IP addresses to be found on a host:
  • Global Unicast addresses - more or less the equivalent of routable IPv4 addresses
  • Unique Local addresses  (ULA) - comparable to "private" IPv4 addresses like 10.0.0.1 or 192.168.0.1
  • Link Local addresses - similar to the "APIPA" or autoconfigured 169.254.x.x addresses.
Note: since I will only use Unique Local addresses here, I will not provide additional details on each type of address. Once again, there is already ample information on this subject on the Internet. 
 
Ideally, we would obtain a range of Global Unicast addresses from our ISP. One of the objectives of IPv6 is to provide end-to-end connections without having to resort to NAT (or PAT), which became necessary because of the shortage of IPv4 addresses.
However, not all ISPs offer IPv6 addresses.
So, for the time being, most of us, if we really want to use IPv6 internally, will have to use Unique Local addresses on our internal network with some sort of IPv6 to IPv4 translation at the perimeter (or simply run both IPv4 and IPv6 on all devices).
I'm going to attempt to use IPv6 only for internal network connectivity and examine possible translation options later. So let's start with the LAN first.
An IPv6 address is 128 bits long, separated into three parts:
  • the first 48 bits (three octets) form the network part. In the case of a global unicast address, this part would be assigned by an ISP.
  • the next 16 bits form the subnet part - for a total of over 65,000 possible subnets.
  • the last 64 bits are used for devices - with a total of 18 quintillion addresses to choose from.
So even with a single network address, we would have enough subnet and device addresses for even the most massive networks.
Unique Local addresses, in practice, start with fd00:0000:0000:0000 for the network and subnet.
So it looks like my first subnet could be...
fd00:0000:0000:0000
and my second...
fd00:0000:0000:0001
and my third...
fd00:0000:0000:0002
I'm assuming that I can count from zero.
Otherwise, I could label my first network and first subnet, respectively, from 1
fd00:0000:0001:0001
Or I could skip the first 10 hexadecimal characters (0-9) and start with "a" for each:
fd00:0000:000a:000a
We can also shorten the IPv6 address from...

fd00:0000:0000:0001

to...

fd00:0:0:1
 
and even...

 
fd00::1
 


Since Unique Local addresses are not routable (like IPv4 "private" addresses), I can configure them as I like. However...
According to RFC 4193, Unique Local addresses must be randomly generated (or more precisely, the "Global ID", more on that in the next lines).
But why, since they cannot be routed on the "global Internet"?
Because like private IPv4 addresses, they can be routed within a site and between various sites of a particular organization. There is a risk that if two administrators both decide to configure their first subnet...
fd00:0000:0000:0001
Routing between sites will become impossible - how would the router know where to send packets destined for the fd00:0000:0000:0001 subnet when there are two of them?
One could hope that proper coordination within a single organization would avoid such a scenario. However, in the case of a merger, which is impossible to predict beforehand, the respective network administrators have no way to coordinate the numbering of their networks in advance.
 
So RFC 4193 stipulates that the 40 bit Global ID "MUST BE" randomly generated. This is the part of the 48 bit Network address that follows the prefix:
| 7 bits |1|  40 bits   |  16 bits  |          64 bits           |
+--------+-+------------+-----------+----------------------------+
| Prefix |L| Global ID  | Subnet ID |        Interface ID        |
+--------+-+------------+-----------+----------------------------+
 
Diagram from:
 
But... how do I generate a random Global ID?
 
We can go to a site like...
or
to generate such a random address.
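As an added example (not code from the original post), the following Python script carries out the RFC 4193 section 3.2.2 procedure itself rather than relying on a web site: it builds a key from a 64-bit NTP timestamp and the modified EUI-64 derived from a MAC address, hashes it with SHA-1, keeps the least significant 40 bits as the Global ID, and also splits any Unique Local address into the fields of the diagram above. The MAC address is a sample value (the one shown later in this post's ipconfig output); in practice you would use the MAC of the machine generating the prefix.

```python
import hashlib
import ipaddress
import time

def mac_to_eui64(mac):
    """Modified EUI-64 from a 48-bit MAC (RFC 4291, appendix A): insert
    ff:fe in the middle and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)

def ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    secs = int(unix_seconds) + 2208988800          # seconds between 1900 and 1970
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (secs & 0xFFFFFFFF).to_bytes(4, "big") + (frac & 0xFFFFFFFF).to_bytes(4, "big")

def ula_prefix(mac, unix_seconds=None):
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64),
    placed behind the fc00::/7 prefix with L=1, giving an fdxx:xxxx:xxxx::/48."""
    if unix_seconds is None:
        unix_seconds = time.time()
    key = ntp_timestamp(unix_seconds) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]     # least significant 40 bits
    # 0xfd = 1111110 (prefix) + 1 (L bit); Subnet ID and Interface ID left at zero
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))

def ula_fields(addr):
    """Split a Unique Local address into the fields of the RFC 4193 diagram."""
    n = int(ipaddress.IPv6Address(addr))
    return {
        "prefix": n >> 121,                       # 7 bits, 1111110 = 0x7e
        "L": (n >> 120) & 1,                      # 1 = locally assigned
        "global_id": (n >> 80) & ((1 << 40) - 1),
        "subnet_id": (n >> 64) & 0xFFFF,
        "interface_id": n & ((1 << 64) - 1),
    }

if __name__ == "__main__":
    net = ula_prefix("00-0C-29-5A-C2-C0")           # sample MAC; normally the local NIC
    print("random ULA /48:", net)                   # printed in compressed form
    subnets = net.subnets(new_prefix=64)
    next(subnets)                                   # Subnet ID 0000
    print("second subnet :", next(subnets))         # Subnet ID 0001
```

Because the timestamp is part of the key, each run yields a different /48; the test below fixes the timestamp only to check that the construction is deterministic and well-formed.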

 
For this exercise however, I'll adopt the addressing schema that follows, to improve readability if nothing else.
fd00:0000:0000:0000:0000:0000:0000:0010 - for the server named DC-001
fd00:0000:0000:0000:0000:0000:0000:0015 - for the client named PC1
And for concision... I will abbreviate as allowed, and as follows, by eliminating leading and consecutive zeros.
fd00::10 - for the server named DC-001
fd00::15 - for the client named PC1



IPv6 only - will it work?
 

First, I disabled (unchecked) IPv4 in the properties of the network card.
Second, using the command line, I'll configure the domain controller as follows:
 
netsh interface ipv6 set address "Ethernet" FD00::10
netsh interface ipv6 add dnsserver "Ethernet" FD00::10

Some remarks...

Note the change in syntax from ipv4: we no longer add "static"

PS C:\> netsh int ipv6 set address "Ethernet" static fd00::12
Invalid address parameter (static). It should be a valid IPv6 address.

PS C:\> netsh int ipv6 set dnsserver "Ethernet" static fd00::10

set dnsserver worked... but we should apparently use "add dnsserver"

And here again, with add dnsserver, we must omit "static":

PS C:\> netsh int ipv6 add dnsserver "Ethernet" static fd00::10
The parameter is incorrect.


For information, this is how the address would be configured in the GUI (network interface properties).


 


According to ipconfig /all, this gives us...

[snip]
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-0C-29-5A-C2-C0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : fd00::10(Preferred)
Link-local IPv6 Address . . . . . : fe80::20a2:f095:4940:cae%12(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 251661353
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-3F-1F-EF-00-0C-29-5A-C2-C0
DNS Servers . . . . . . . . . . . : fd00::10
NetBIOS over Tcpip. . . . . . . . : Disabled

 
Some quick remarks:
 
  • There is no IPv4 address.
  • The Unique Local address is displayed in its abbreviated form.
  • Even when a Global Unicast or Unique Local address is assigned, there will also be a Link Local IPv6 address.
  • NetBIOS over TCP/IP is disabled by default in Windows Server 2012.


We'll see DHCPv6 later. For now, I'll simply provide our client, PC1, with this address:
netsh interface ipv6 set address "Local Area Connection" FD00::15

So we are using IPv6 only. Let's see what happens.
 
*
First, Local Area Connection Status shows that there is "No network access" for either IPv4 or IPv6.

 


 
 
Yet packets are both sent and received (status may be due to lack of Internet connectivity).

Moreover, PC1 can ping DC-001

C:\>ping fd00::10
Pinging fd00::10 with 32 bytes of data:
Reply from fd00::10: time=2ms
Reply from fd00::10: time<1ms
Reply from fd00::10: time<1ms
Reply from fd00::10: time=1ms
Ping statistics for fd00::10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
and (if we disable the firewall) vice versa...
PS C:\> ping fd00::15

Pinging fd00::15 with 32 bytes of data:
Reply from fd00::15: time=1ms
Reply from fd00::15: time<1ms
Reply from fd00::15: time=1ms
Reply from fd00::15: time<1ms
Ping statistics for fd00::15:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


If we run DCDIAG on the domain controller, the output seems to indicate a failure in network connectivity (other tests are successful however):

PS C:\> dcdiag
Directory Server Diagnosis
Performing initial setup:
  Trying to find home server...
  Home Server = DC-001
  * Identified AD Forest.
  Done gathering initial info.
Doing initial required tests
  Testing server: Default-First-Site-Name\DC-001
     Starting test: Connectivity
        Both IPV4 and IPV6 channels are disabled on all adapter cards of the local server. Hence no connectivity to the server.
        Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
        ......................... DC-001 failed test Connectivity
Doing primary tests
  Testing server: Default-First-Site-Name\DC-001
     Skipping all tests, because server DC-001 is not responding to directory service requests.

Is it the firewall rules? Apparently not, since the error occurs even with the firewall disabled.
 
Despite these warnings in the DCDIAG output, PC1 can register its IPv6 address in DNS and establishes a secure channel with DC-001.
 
 
 
C:\Windows\system32>nltest /sc_query:machlinkit
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DC-001.machlinkit.biz
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\Windows\system32>nltest /sc_verify:machlinkit
Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DC-001.machlinkit.biz
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
C:\Windows\system32>

*

In conclusion, it appears that an IPv6 only network is functional despite some error messages.
 

That's for a start. I'm aiming to do more with IPv6 in future posts.
 

 

 
 
