IPv6 Series - 10 Common Problems for Beginners

This article, "Common Problems", is the second in the "IPv6 Series". It follows the "Getting Started" guide and answers 10 common IPv6 problems.

Original article by Xiaomange; reprints are welcome.


Table of Contents

▪ Why this article
▪ Problem 1. Do IPv4 and IPv6 differ only in address format?
▪ Problem 2. Is the move from IPv4 to IPv6 transparent to applications?
▪ Problem 3. To provide a web service, does every server need an IPv6 address?
▪ Problem 4. Can IPv4 and IPv6 be on the same NIC?
▪ Problem 5. My NIC has an address starting with fe80; can it be used on the public network?
▪ Problem 6. How are IPv6 addresses configured?
▪ Problem 7. Without ARP, how are MAC addresses resolved?
▪ Problem 8. IPv6 uses multicast instead of broadcast; what needs to change?
▪ Problem 9. Is IPv6 really secure?
▪ Problem 10. How to learn IPv6
▪ Follow-up notes


Why this article

My previous article, "IPv6 Series - Getting Started", briefly covered the following:

▷ the necessity of mastering IPv6
▷ three common concerns about IPv6
▷ IPv6 basics
▷ commonly used test methods

In further study and practice you will run into many confusing points. Drawing on the problems met by peers and colleagues around him, the author has carefully selected 10 of them to answer in this article.

If you have not read "IPv6 Series - Getting Started", please read it before continuing, so that the material stays coherent.


Problem 1. Do IPv4 and IPv6 differ only in address format?

Besides the different address format, the IPv4 and IPv6 protocol stacks are different; logically they are two different worlds.

In practice you will often run into the following four differences:

▷ Basic communication process: ND replaces ARP, multicast replaces broadcast, an fe80 address is standard on every NIC, and ICMP becomes central to communication
▷ IP configuration: stateless auto-configuration becomes the mainstream for clients, and DHCP plays a smaller role
▷ DNS name resolution: AAAA records take the place of IPv4's A records, and applications face a priority question (resolve A or AAAA first)
▷ Application-layer adaptation: in socket programming AF_INET supports only IPv4; IPv6 requires AF_INET6


Problem 2. Is the move from IPv4 to IPv6 transparent to applications?

No. The change is visible to applications, and upper-layer applications need to be adapted.

For example, when accessing fzxiaomange.com, should the client first resolve the IPv6 address (AAAA) or the IPv4 address (A)? It has to pick one of the two paths to send the request. Many frameworks prefer IPv6.

Note: if an AAAA record is resolved, the client may still attempt the request over IPv6 even when the local machine has no routable IPv6 address, and the request fails.

Another typical example is a program that exchanges underlying IP addresses at the application layer. FTP active mode, for instance, exchanges an IPv4 address in the application layer; if the connection actually uses an IPv6 address, subsequent connections may fail.

That full transparency cannot be achieved is one of the reasons some of the IPv4-to-IPv6 transition schemes exist.
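The A/AAAA priority and failure case described above, as an added example (not code from the original article): a client that resolves both record types, tries IPv6 first with a bounded timeout, and falls back to IPv4 instead of failing the request. The function names are illustrative, and the demo uses a constructed loopback listener.

```python
import socket

def order_candidates(infos, prefer_ipv6=True):
    """Stable-sort getaddrinfo() tuples so the preferred family comes first."""
    preferred = socket.AF_INET6 if prefer_ipv6 else socket.AF_INET
    return sorted(infos, key=lambda info: info[0] != preferred)

def connect_first_reachable(infos, timeout=2.0):
    """Try each candidate in order; return (connected socket, attempt log)."""
    attempts = []
    for family, socktype, proto, _canon, sockaddr in infos:
        sock = None
        try:
            sock = socket.socket(family, socktype, proto)
            sock.settimeout(timeout)  # bound the wait on an unroutable path
            sock.connect(sockaddr)
        except OSError as exc:
            # No IPv6 route, refused, timed out: record it and try the next one
            if sock is not None:
                sock.close()
            attempts.append((sockaddr[0], type(exc).__name__))
            continue
        attempts.append((sockaddr[0], "connected"))
        return sock, attempts
    raise OSError(f"no candidate address was reachable: {attempts}")

def connect_dual_stack(host, port, prefer_ipv6=True, timeout=2.0):
    """Resolve A and AAAA together (AF_UNSPEC), then connect with fallback."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return connect_first_reachable(order_candidates(infos, prefer_ipv6), timeout)

if __name__ == "__main__":
    # Constructed demo: an IPv4-only listener on loopback, while the candidate
    # list also holds ::1, standing in for an AAAA record that cannot be reached.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    candidates = order_candidates([
        (socket.AF_INET, socket.SOCK_STREAM, 0, "", ("127.0.0.1", port)),
        (socket.AF_INET6, socket.SOCK_STREAM, 0, "", ("::1", port, 0, 0)),
    ])
    conn, log = connect_first_reachable(candidates, timeout=1.0)
    print(log)
    conn.close()
    server.close()
```

The attempt log makes the fallback visible, which helps when diagnosing a host that resolves AAAA records but has no working IPv6 path.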


Problem 3. To provide a web service, does every server need an IPv6 address?

There is a saying going around: "IPv6 addresses are unlimited, so every server can have its own IP address and NAT is not needed."

This easily misleads people. How IPv6 is used depends on the scenario. Take the author's personal blog fzxiaomange.com: it is built as nginx -> php -> mysql, with the three components on three servers. You only need to configure an IPv6 address on nginx (the L7 front end) and add an AAAA record in DNS pointing to that address. There is absolutely no need to configure IPv6 addresses on the php and mysql servers; once configured, they would be directly exposed to the network.

Giving every device an IPv6 address mainly suits client-side scenarios with very large address demand, such as IoT devices, 4G mobile phones and home broadband.

In addition, IPv6 does have NAT, for scenarios such as office PCs and server rooms that need to access the IPv6 network but do not want others to be able to initiate connections to them.


Problem 4. Can IPv4 and IPv6 be on the same NIC?

Yes. First you need to understand two terms, "single-stack" and "dual-stack":

From the node's point of view (the usual explanation):

▷ single-stack: a node, such as a server or a mobile phone, has only IPv6 addresses or only IPv4 addresses. The former is called "IPv6 single-stack" or "IPv6-Only", the latter "IPv4 single-stack" or "IPv4-Only".
▷ dual-stack: a node has both IPv6 and IPv4 addresses

From the NIC's point of view:

▷ single-stack: a NIC has only an IPv6 address or only an IPv4 address (simplified diagram below)

[Figure: single-stack NIC]

▷ dual-stack: a NIC has both IPv6 and IPv4 addresses

[Figure: dual-stack NIC]

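IPv4 and IPv6 are logically two completely disjoint worlds. If the endpoints sit on the same physical layer, for example the same VLAN, then the NIC has to carry both an IPv6 address and an IPv4 address; otherwise one NIC must be configured with IPv6 and another with IPv4. So the key is how the network architecture is designed, and each approach has pros and cons. Putting both on one NIC lets them share bandwidth, while separate NICs allow bandwidth to be limited and billed separately.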


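Problem 5. My NIC has an address starting with fe80; can it be used on the public network?

[Screenshot: Windows 10]

[Screenshot: CentOS 7]

When a NIC comes up, it automatically generates a "link-local address" (Link-Local Address), a unicast address in fe80::/10. The link-local address is used for IP auto-configuration, neighbor discovery and so on.

Notes

▷ Core: every NIC has a link-local address. It is central to IPv6 communication and should not be deleted
▷ Scope: it only propagates within the same layer-2 domain and is not forwarded by routers
▷ Address: there is no single algorithm for the link-local address; some operating systems derive it from the MAC address (EUI-64), while others generate it randomly or with some other algorithm
▷ Services: although link-local addresses can reach each other within layer 2, they are mainly used for core communication and certain advanced network protocols. They are not suitable for communication between upper-layer applications, so they cannot be used to access the public network or to provide services externally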


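Problem 6. How are IPv6 addresses configured?

Public and private addresses

▷ Public address: "global unicast address" (Global Unicast Address, 2000::/3)
▷ Private address: "unique local address" (Unique-Local Address, fc00::/7)

Careful readers may wonder why one is called "global unicast address" while "unique local address" is not called "unique local unicast address". Both are in fact abbreviations; the RFC defines them as "Global Unicast Addresses" and "Link-Local IPv6 Unicast Addresses". "Global unicast address" could also be called "global address", but that sounds a little awkward.

Auto-generated or fixed IP

In IPv6, any unicast address can be generated automatically or configured manually as a fixed IP, depending on the use case:

▷ Client: if I want to access the IPv6 internet without providing services, automatic generation is enough and no fixed IP address is needed
▷ Server: if services are provided externally, the IP address must be fixed; automatic generation cannot be used

Automatic IP configuration

IPv6 offers two methods: "stateful" and "stateless"

▷ Stateful: addresses are managed centrally by the DHCPv6 server, and the DHCPv6 client obtains an available IP address from it
▷ Stateless (SLAAC for short): the router sends Router Advertisement (RA) messages that contain IPv6 address prefix information. On receiving an RA, the host automatically generates one or more IP addresses from that prefix information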
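The EUI-64 derivation mentioned in Problem 5 and the prefix-based generation in Problem 6, as an added example (not code from the original article): it builds the MAC-derived interface identifier, combines it with fe80::/64 or a /64 prefix from an RA, and classifies an address by the prefixes the article lists. The function names, the MAC address and the 2001:db8 documentation prefix are constructed for illustration.

```python
import ipaddress

# Prefixes as given in the article
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

def eui64_interface_id(mac):
    """Modified EUI-64: insert ff:fe into the MAC and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix, mac):
    """Join a /64 prefix (fe80::/64 or one learned from an RA) with the EUI-64 ID."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("EUI-64 auto-configuration needs an IPv6 /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def classify(addr):
    """Return (scope, globally routable?) for an address as printed by the OS."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone ID such as %eth0
    if ip.version != 6:
        return ("ipv4", False)
    if ip in LINK_LOCAL:
        return ("link-local", False)   # never forwarded by routers
    if ip in UNIQUE_LOCAL:
        return ("unique-local", False)  # private addressing
    if ip in GLOBAL_UNICAST:
        return ("global-unicast", True)
    return ("other", False)

if __name__ == "__main__":
    mac = "00:16:3e:12:34:56"  # constructed sample MAC
    for prefix in ("fe80::/64", "2001:db8:1:2::/64"):  # link-local, constructed RA prefix
        addr = slaac_address(prefix, mac)
        print(addr, classify(str(addr)))
```

Operating systems that generate random interface identifiers will not match the EUI-64 result, as Problem 5 notes.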


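Problem 7. Without ARP, how are MAC addresses resolved?

ARP is the protocol IPv4 uses to resolve a target MAC address. In IPv6, address resolution uses neighbor discovery (Neighbor Discovery Protocol, NDP or ND for short).

ND is not one specific protocol but an abstract collection of protocols describing several related functions, all of which are based on ICMPv6. Two of its message types are involved in resolving MAC addresses:

▷ Neighbor Solicitation (NS): requests resolution
▷ Neighbor Advertisement (NA): answers the request

This is very similar to ping:

▷ ping: send an ICMP echo request message, and the peer responds with an ICMP echo reply message
▷ address resolution: send an ICMP NS message, and the peer responds with an ICMP NA message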


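Problem 8. IPv6 uses multicast instead of broadcast; what needs to change?

IPv6 replaces broadcast with multicast. Unlike broadcast, multicast does not flood everywhere; packets are sent only to the machines that have joined the multicast group.

There is a precondition, however: the switch must be able to recognize and maintain multicast group information. Mainstream switches all have this capability, but it is not always enabled by default. On a layer-2 switch, MLDv2 Snooping needs to be enabled.

As the name suggests, the switch identifies which port each "MLDv2 membership report" message arrived on and records it. Later, when the switch receives a multicast packet, it first checks whether the multicast address matches an entry in its cache:

▷ Match: the packet is sent out only through the corresponding ports
▷ No match: the packet is flooded, which is no different from broadcast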


Problem 9. Is IPv6 really secure?

The ideal is attractive: IPv6 was designed with a great deal of security in mind from the start. A "complete" IPv6 has at least the following 3 security advantages:

▷ Natively supported end-to-end encryption
▷ Secure Neighbor Discovery (SEND for short)
▷ A larger address space

Reality is harsh: only the third point, the larger address space, actually helps, by reducing the probability of being illegally scanned. The first and second points never became widespread, because the protocols themselves are complex, hard to learn and not easy to implement. So, to speed up IPv6 adoption, the IETF no longer made security mandatory. As a result, IPv6 is not actually as secure as expected: the address spoofing, fake gateways and similar problems found in IPv4 still exist in IPv6.
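A defensive check for the fake-gateway problem mentioned above, as an added example (not code from the original article): in IPv6 hosts learn their gateway from Router Advertisements, so a monitor can compare each observed RA with what the legitimate router is expected to send. The record fields, router identity, prefixes and observations are all constructed; the link-local source and hop limit 255 checks follow the RA validation rules of RFC 4861.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Constructed policy: the one legitimate router and the prefix it advertises
TRUSTED_ROUTERS = {("fe80::1", "00:16:3e:00:00:01")}
ALLOWED_PREFIXES = {ipaddress.ip_network("2001:db8:1:2::/64")}

# Constructed observations, e.g. fields taken from a packet capture
OBSERVED = [
    {"src": "fe80::1", "mac": "00:16:3e:00:00:01", "hop_limit": 255,
     "prefixes": ["2001:db8:1:2::/64"]},                      # legitimate
    {"src": "fe80::dead:beef", "mac": "00:16:3e:aa:bb:cc", "hop_limit": 255,
     "prefixes": ["2001:db8:bad::/64"]},                      # unknown sender
    {"src": "fe80::1", "mac": "00:16:3e:aa:bb:cc", "hop_limit": 255,
     "prefixes": ["2001:db8:1:2::/64"]},                      # router IP, wrong MAC
    {"src": "fe80::1", "mac": "00:16:3e:00:00:01", "hop_limit": 64,
     "prefixes": ["2001:db8:1:2::/64"]},                      # did not originate on-link
]

def check_ra(ra, trusted_routers, allowed_prefixes):
    """Return the reasons an observed Router Advertisement looks illegitimate."""
    findings = []
    src = ipaddress.ip_address(ra["src"])
    if src not in LINK_LOCAL:
        findings.append("source is not a link-local address")
    if ra["hop_limit"] != 255:
        findings.append("hop limit is not 255")
    if (str(src), ra["mac"].lower()) not in trusted_routers:
        findings.append("sender is not a known router")
    for prefix in ra["prefixes"]:
        if ipaddress.ip_network(prefix) not in allowed_prefixes:
            findings.append(f"unexpected prefix {prefix}")
    return findings

def audit(observations, trusted_routers, allowed_prefixes):
    """Map the index of each suspicious RA to its list of findings."""
    results = {}
    for index, ra in enumerate(observations):
        findings = check_ra(ra, trusted_routers, allowed_prefixes)
        if findings:
            results[index] = findings
    return results

if __name__ == "__main__":
    for index, findings in audit(OBSERVED, TRUSTED_ROUTERS, ALLOWED_PREFIXES).items():
        print(index, OBSERVED[index]["src"], findings)
```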


Problem 10. How to learn IPv6

Many IPv6 tutorials can be found online, and many of them spend the entire tutorial on IPv6 address formats, IP packet formats and ICMP packet formats, which easily scares beginners away. Although the author is not a professional network engineer, I recommend that beginners study in the following order:

1️⃣ IPv6 history and design
2️⃣ IPv6 address format, classification, prefix calculation, and comparison with IPv4
3️⃣ configuring and viewing IP addresses, gateways and routes
4️⃣ server practice: try adding IPv6 to your website
5️⃣ client practice: get your PC to access the IPv6 internet
6️⃣ application-layer practice: write a C/S program pair that supports both IPv4 and IPv6
7️⃣ IPv6 communication principles: capture and analyze each kind of packet, and become familiar with ND, DHCPv6, etc.
8️⃣ IPv4/IPv6 interworking and transition
9️⃣ IPv6 security

Origin blog.51cto.com/cyent/2404035