AntiOnline Spotlight Tutorial - August 2008: IPv6
Results 1 to 8 of 8

Thread: AntiOnline Spotlight Tutorial - August 2008: IPv6

  1. #1
    Senior Member phernandez's Avatar
    Join Date
    Aug 2003
    Location
    NYC
    Posts
    246

    Exclamation AntiOnline Spotlight Tutorial - August 2008: IPv6

    Congrats to Negative, our first (of hopefully many) contributed spotlight tutorials. Read his tutorial below and discuss!

    Introduction

    While IPv4 addressing is basic knowledge for most of us, the same may not be true for IPv6 addressing.
    Below is a quick overview of some IPv4 key points, followed by a primer on IPv6.

    IPv4 Addresses

    An IPv4 address is expressed in either dotted-decimal notation (e.g. 200.125.248.12) or binary notation (11001000.01111101.11111000.00001100 in this case).

    An IPv4 address is divided into two parts: the network ID and the host ID.

    The network ID is used to determine what network a packet to send to, while the host ID is used to determine the host within that network. The only constant is that the network ID is always the first part, and the host ID is always the last part, and that both combined are always 32 bits long; how long each part is depends on the subnet mask.

    The Subnet Mask

    To indicate what part of the 200.125.248.12 address is the network ID and what part is the host ID, we use a subnet mask. Two main notational conventions exist for the subnet mask: the traditional dotted-decimal notation (255.255.255.0, for example, indicates that the first three octets of the IP are the network ID, while the last octet is the host ID), or the newer slash notation (“Classless Inter Domain Routing” (CIDR) notation): /24, for example, indicates that the first 24 bits, or 3 octets, make up the network ID.
    Similarly, 255.255.0.0 is /16, 255.0.0.0 is /8, and so on.

    Note: while the terms “Class A”, “Class B”, and “Class C” (for /8, /16, and /24, respectively) are still commonly used, they are obsolete.

    The /24, /16, and /8 examples are simple, as they happen to coincide with complete octets. Subnet masks, though, are not limited to these values, and it’s important to know how to convert between them. Worth remembering here is that the number behind the slash indicates the number of one-bits in the address: /21, for example, is a subnet mask with 21 one-bits, or 11111111.11111111.11111000.00000000, which converts to 255.255.248.0.

    IPv4 Routing

    When a computer needs to send an IP packet, it will first determine whether or not the packet needs to be sent locally, or remotely. To determine this, the computer looks at its own subnet mask, and compares the network ID of its own subnet mask to that of the packet’s. If the two match, the computer knows the packet is to be sent locally, and the packet is broadcast on the local network. If the two don’t match, however, the computer knows that the packet is destined for a remote network, and the computer sends the packet to the default gateway (a router on the local network, determined by the default gateway setting on the local computer). That router, upon receiving the packet, checks the network ID, and forwards it to the correct network, where it is broadcast.

    IPv4 Address Ranges

    - Automatic Private IP Address (APIPA): this address, in the 169.254.0.1 – 169.254.255.254 range, is used by the computer if it is configured to obtain an address automatically, but when no DHCP server is available.

    - Private Address: private addresses aren’t used on the Internet; rather, they are used within private networks. Ranges: 10.0.0.0 – 10.255.255.254, 172.16.0.0 – 172.16.255.254, and 192.168.0.0 – 192.168.255.254

    - Public Address: all the rest

    IPv6

    General

    Where IPv4 addresses consist of 32 bits, IPv6 addresses consist of eight blocks of 4 hexadecimal digits each. Four hexadecimal digits equals 16 bits, so an IPv6 address has 8*16 = 128 bits.
    An example of an IPv6 address is 2001:4CEA:8D8C:0000:0000:0000:00D2:7A4B

    IPv6 addresses can be shortened as follows:
    - First, you can get rid of all leading zero’s, and our address becomes 2001:4CEA:8D8C:0:0:0:D2:7A4B
    - Next, you can replace all consecutive zero’s with a single double colon: 2001:4CEA:8D8C::D2:7A4B

    Types of IPv6 addresses

    Remember how there are three main types of IPv4 addresses (APIPA, Private, and Public)? The same is true for IPv6, only they have different names:

    - Global Address (GA): this is the equivalent of IPv4’s public address. These addresses start with a first block in the 2000-3FFF range (so the address in the “General” paragraph above is an IPv6 GA, as it starts with 2000)

    - Link-Local Address (LLA): this is the equivalent of the IPv4 APIPA address. These addresses always start with “fe80”.

    - Unique Local Address (ULA): this is the equivalent of IPv4’s private address. Where IPv4 private addresses fall within three ranges, ULA’s always start with “fd”

    If you’re on Windows Vista or Server 2008, you’ll have built-in IPv6 support, and you can see your IPv6 address by opening a command prompt and typing “ipconfig /all”. Here’s actual output from my (Vista) machine:

    Code:
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : tx.rr.com
       Description . . . . . . . . . . . : Intel(R) 82562V 10/100 Platform LAN Connect
       Physical Address. . . . . . . . . : 00-19-D1-08-1B-6D
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::4cea:2560:8d8c:289d%8(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, July 28, 2008 6:19:30 PM
       Lease Expires . . . . . . . . . . : Thursday, August 07, 2008 7:24:53 AM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 24.93.41.127
                                           24.93.41.128
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Note how the machine has a private IPv4 address (192.168.1.102). It also has an IPv6 address (fe80::4cea:2560:8d8c:289d%8).
    First note the double colon in the IPv6 address; the actual address is fe80:0000:0000:0000:4cea:2560:8d8c:289d (per the rules above on IPv6 address shortening).

    Secondly, note how the IPv6 address is an LLA (starts with “fe80”), and not a ULA as one would expect (since a ULA is the IPv6 equivalent of the private IPv4 address): the reason is simply that my router doesn’t support IPv6, so it can’t assign my computer an ULA IPv6 address.

    Important to note about the LLA is that IPv6 will assign this address –and the computer will keep it – even after the computer has been assigned a routable address (in my case, that would be a ULA). This is not the case with IPv4: if a computer is assigned a routable address, the secondary APIPA address is dropped.

    Something else you may have noticed: the “%8” behind the IPv6 address. See “Zone ID’s” below for an explanation.

    Below is the complete output from my “ipconfig /all” command:

    Code:
    C:\Users\Dries>ipconfig /all
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : Dries-Dell
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : tx.rr.com
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . : tx.rr.com
       Description . . . . . . . . . . . : Intel(R) 82562V 10/100 Platform LAN Connect
       Physical Address. . . . . . . . . : 00-19-D1-08-1B-6D
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::4cea:2560:8d8c:289d%8(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, July 28, 2008 6:19:30 PM
       Lease Expires . . . . . . . . . . : Thursday, August 07, 2008 7:24:53 AM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 24.93.41.127
                                           24.93.41.128
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter Local Area Connection* 11:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Local Area Connection* 18:
    
       Connection-specific DNS Suffix  . : tx.rr.com
       Description . . . . . . . . . . . : isatap.tx.rr.com
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.102%20(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 24.93.41.127
                                           24.93.41.128
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Note how there are three local area connections (Ethernet adapter Local Area Connection, Tunnel adapter Local Area Connection* 11, and Tunnel adapter Local Area Connection* 18). The first adapter is our regular network adapter, as covered above. The second and third adapters are interesting, as they signify transitioning technologies (implemented to make IPv4 and IPv6 coexist). The second is a “Teredo Tunneling Pseudo-Interface” – Teredo is a protocol that allows computers to use IPv6 over the Internet, even if those computers are behind routers that only support IPv4 (such as in my case). The third is an ISATAP connection, with ISATAP standing for Intra-Site Automatic Tunnel Addressing Protocol. This, like Teredo, is an intermediary protocol (to facilitate communication between IPv4 and IPv6).

    The ISATAP address (fe80::5efe:192.168.1.102) is interesting, as you can clearly see in it the private IPv4 address of my computer (192.168.1.102); this is because ISATAP encapsulates the IPv4 address within an IPv6 address.

    Zone ID’s

    The only thing left to explain is the “%8” behind the first adapter’s LLA, and the “%20” behind the third adapter’s LLA. All LLA’s have the same network ID (fe80), so it’s impossible to tell from the network ID what interface is connected to it (in my case, it could be the Ethernet adapter Local Area Connection, or it could be the Tunnel Adapter Local Area Connection* 18 – both have an LLA). To specify what interface you are referring to, the zone ID is used (8 and 20 in my case, respectively).

    To get an overview of assigned zone ID’s, issue the following command:

    Code:
    C:\Users\Dries>netsh interface ipv6 show interface
    
    Idx  Met   MTU   State        Name
    ---  ---  -----  -----------  -------------------
      1   50 4294967295  connected    Loopback Pseudo-Interface 1
     12   10   1280  disconnected  Local Area Connection* 11
      8   20   1500  connected    Local Area Connection
     20   25   1280  connected    Local Area Connection* 18
    As a last note: IPv6’s loopback address. Where IPv4’ is 127.0.0.1, IPv6’s is ::1 (and by now, you should know that that’s actually 0000:0000:0000:0000:0000:0000:0000:0001).

    Code:
    C:\Users\Dries>ping ::1
    
    Pinging ::1 from ::1 with 32 bytes of data:
    Reply from ::1: time<1ms
    Reply from ::1: time<1ms
    Reply from ::1: time<1ms
    Reply from ::1: time<1ms
    
    Ping statistics for ::1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    Further Reading

    Microsoft - IPv6
    Last edited by phernandez; September 9th, 2008 at 03:36 PM. Reason: Unwelcome smilies. All praise the noparse tag!

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Neg,

    I'm curious as what OS you're running...

    There's a general method on most computers to determine the link local address:
    1. Take the MAC address. - 00-0C-F1-EB-F0-43
    2. Insert FF-FE between the third and fourth bytes. - 00-0C-F1-FF-FE-EB-F0-43
    3. Complement the second low order bit of the first byte. - 02-0C-F1-FF-FE-EB-F0-43 (known at this point as the Interface Identifier)
    4. Combine the prefix (FE80::/64) with the interface identifier. - FE80::20C:F1FF:FEEB:F043

    Your box doesn't seem to follow that.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    Heya,

    This is on Vista. By default, both Vista and Server 2008 use a random identifier rather than adhering to the EUI-64 scheme. You can change this default behavior:

    Code:
    netsh interface ipv6 set global randomizeidentifiers=disabled

  4. #4
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Quote Originally Posted by Negative
    Heya,

    This is on Vista. By default, both Vista and Server 2008 use a random identifier rather than adhering to the EUI-64 scheme. You can change this default behavior:

    Code:
    netsh interface ipv6 set global randomizeidentifiers=disabled
    Very interesting... I didn't know that (sad that I have a Vista box in front of my and have never noticed that).
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  5. #5
    Senior Member
    Join Date
    Oct 2007
    Location
    do a whois search on my ip...
    Posts
    268
    Great Job Negative good stuff!
    http://i47.photobucket.com/albums/f1...naturecopy.jpg

    You Haven't Lived Until You Have Died...

  6. #6
    Junior Member Wite Hachie's Avatar
    Join Date
    Oct 2002
    Location
    Sweden
    Posts
    14
    Well written even for a nub like me. Thanks!
    )))therearenolimitsnothingisimpossible(((

  7. #7
    Banned
    Join Date
    Nov 2002
    Posts
    677
    Excellent tutorial. This is definitely worth a bookmark and even a printout. Thanks.

  8. #8
    Junior Member
    Join Date
    Jan 2011
    Posts
    3
    Well written even for a noob like me and english is not my native language....lol

Similar Threads

  1. Read Me First
    By Negative in forum The Security Tutorials Forum
    Replies: 12
    Last Post: June 2nd, 2004, 02:09 AM
  2. NEWS: This weeks security news
    By xmaddness in forum Miscellaneous Security Discussions
    Replies: 1
    Last Post: September 7th, 2002, 12:48 AM
  3. NEWS: This weeks security news
    By xmaddness in forum AntiOnline's General Chit Chat
    Replies: 1
    Last Post: August 28th, 2002, 09:55 PM
  4. NEWS: This weeks security news.
    By xmaddness in forum Security News
    Replies: 1
    Last Post: August 15th, 2002, 04:07 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •