IPv6
Learning Objectives
- Understand why IPv6 is needed and where IPv4 falls short
- Master IPv6 address formats, notation, and types
- Learn the IPv6 header structure and its improvements over IPv4
- Understand address autoconfiguration mechanisms (SLAAC, DHCPv6)
- Learn the Neighbor Discovery Protocol (NDP) and its role
- Explore IPv4-to-IPv6 transition mechanisms
- Understand IPv6 routing protocols
- Learn IPv6 security considerations
- Configure and troubleshoot IPv6 networks
Table of Contents
- Why IPv6?
- IPv6 Address Format
- IPv6 Address Types
- IPv6 Header
- Address Autoconfiguration
- Neighbor Discovery Protocol
- Transition Mechanisms
- IPv6 Routing
- IPv6 Security
- Practical Configuration
- Practice Problems
1. Why IPv6?
IPv4 Exhaustion
IPv4 uses 32-bit addresses, which provides about 4.3 billion addresses:
Total IPv4 addresses = 2^32 = 4,294,967,296
Exhaustion timeline:
- 2011: IANA central pool exhausted
- 2015: ARIN (North America) exhausted
- 2019: RIPE NCC (Europe) exhausted
- 2021: All Regional Internet Registries (RIRs) exhausted
Limitations of NAT
Network Address Translation (NAT) was a temporary workaround:
Drawbacks of NAT:
- Breaks end-to-end connectivity
- Complicates P2P applications
- Adds processing overhead
- Makes troubleshooting harder
- Incompatible with some protocols (IPsec, SIP)
Advantages of IPv6
Massive address space:
IPv6 addresses = 2^128 ≈ 3.4 × 10^38 addresses
Other benefits:
- No NAT required (end-to-end connectivity restored)
- Simplified header for faster processing
- Built-in IPsec support
- Improved multicast support
- Autoconfiguration (SLAAC)
- No broadcast (replaced by multicast)
- Improved QoS through the flow label
2. IPv6 Address Format
128-bit Address Structure
An IPv6 address is 128 bits long and is written as eight groups of four hexadecimal digits:
IPv6 Address Structure:
┌──────────┬──────────┬──────────┬──────────┬─────┬──────────┐
│ 16 bits  │ 16 bits  │ 16 bits  │ 16 bits  │ ... │ 16 bits  │
│ (0-FFFF) │ (0-FFFF) │ (0-FFFF) │ (0-FFFF) │ ... │ (0-FFFF) │
└──────────┴──────────┴──────────┴──────────┴─────┴──────────┘
  Group 1    Group 2    Group 3    Group 4    ...   Group 8
Example:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
Notation Rules
Full notation:
2001:0db8:0000:0042:0000:8a2e:0370:7334
Rule 1: Leading zeros in a group may be omitted
2001:db8:0:42:0:8a2e:370:7334
Rule 2: Consecutive all-zero groups may be replaced with ::
2001:db8:0:42::8a2e:370:7334
Important: :: may be used only once per address
# Valid
2001:db8::1
ff02::1
::1 (loopback)
# Invalid (multiple ::)
2001::25de::cade # ✗ Ambiguous
Address Shortening Examples
Original: 2001:0db8:0000:0000:0000:0000:0000:0001
Shortened: 2001:db8::1
Original: fe80:0000:0000:0000:0202:b3ff:fe1e:8329
Shortened: fe80::202:b3ff:fe1e:8329
Original: 0000:0000:0000:0000:0000:0000:0000:0001
Shortest: ::1 (loopback)
Original: 0000:0000:0000:0000:0000:0000:0000:0000
Shortest: :: (unspecified address)
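Because one address has many valid spellings, access lists and log searches should compare the 128-bit value, never the text. The following added example (not part of the original page) parses the notation rules above by hand, rejects a second `::`, and shows a string comparison missing a blocklisted address; the function names and the blocklist are constructed for illustration.

```python
import string

HEX_DIGITS = set(string.hexdigits)

def parse_ipv6(text: str) -> int:
    """Return the 128-bit value of an IPv6 address in full or shortened notation.

    Raises ValueError on malformed input. Dotted-quad tails such as
    ::ffff:192.0.2.1 and zone IDs (%eth0) are outside this example's scope.
    """
    if text.count("::") > 1:
        raise ValueError(f"'::' used more than once (ambiguous): {text}")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one group: {text}")
        groups = left + ["0"] * missing + right
    else:
        groups = text.split(":")
        if len(groups) != 8:
            raise ValueError(f"expected 8 groups, got {len(groups)}: {text}")
    value = 0
    for group in groups:
        if not 1 <= len(group) <= 4 or not set(group) <= HEX_DIGITS:
            raise ValueError(f"bad group {group!r} in {text}")
        value = (value << 16) | int(group, 16)
    return value

def full_form(value: int) -> str:
    """Render a 128-bit value in full notation (eight 4-digit groups)."""
    return ":".join(f"{(value >> shift) & 0xFFFF:04x}" for shift in range(112, -1, -16))

def in_blocklist(address: str, blocklist: list) -> bool:
    """Match on the numeric value, so every spelling of an address is caught."""
    blocked = {parse_ipv6(entry) for entry in blocklist}
    return parse_ipv6(address) in blocked

# The three spellings used in the notation rules above.
PAGE_FORMS = [
    "2001:0db8:0000:0042:0000:8a2e:0370:7334",
    "2001:db8:0:42:0:8a2e:370:7334",
    "2001:db8:0:42::8a2e:370:7334",
]

if __name__ == "__main__":
    print({full_form(parse_ipv6(form)) for form in PAGE_FORMS})
    blocklist = ["2001:db8::1"]                               # constructed
    log_entry = "2001:0DB8:0000:0000:0000:0000:0000:0001"     # constructed
    print(log_entry in blocklist, in_blocklist(log_entry, blocklist))
    try:
        parse_ipv6("2001::25de::cade")
    except ValueError as err:
        print("rejected:", err)
```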
Prefix Notation
Similar to CIDR in IPv4:
2001:db8:abcd:0012::/64
└────────────────┘
Network prefix (64 bits)
3. IPv6 Address Types
Unicast Addresses
Global Unicast (GUA)
Routable on the Internet (equivalent to a public IPv4 address):
Address Range: 2000::/3 (currently 2000:: to 3fff::)
Structure:
┌──────────────┬──────────────┬──────────────┐
│ Global       │ Subnet ID    │ Interface    │
│ Routing      │              │ Identifier   │
│ Prefix       │              │ (IID)        │
│ (48 bits)    │ (16 bits)    │ (64 bits)    │
└──────────────┴──────────────┴──────────────┘
Example:
2001:db8:1234:5678::1/64
└───────────┘ └──┘ └┘
     ISP     Subnet Host
Link-Local Addresses (LLA)
Valid only on the local link (similar to 169.254.x.x in IPv4):
Address Range: fe80::/10
Structure:
┌───────┬────────┬────────────────────────────┐
│ fe80  │ 0000   │ Interface ID (64 bits)     │
└───────┴────────┴────────────────────────────┘
Example:
fe80::1
fe80::202:b3ff:fe1e:8329
Required on every IPv6 interface!
Unique Local Addresses (ULA)
Private addresses (similar to 10.x.x.x and 192.168.x.x in IPv4):
Address Range: fc00::/7 (fd00::/8 in practice)
Structure:
┌────┬───┬────────────┬────────┬──────────────┐
│ fd │ 0 │ Global ID  │ Subnet │ Interface ID │
│    │   │ (40 bits)  │(16 bit)│ (64 bits)    │
└────┴───┴────────────┴────────┴──────────────┘
Example:
fd00:1234:5678:1::1/64
Multicast Addresses
Address Range: ff00::/8
Structure:
┌────┬───────┬──────────────────────┐
│ ff │ Flags │ Group ID             │
│    │ Scope │                      │
└────┴───────┴──────────────────────┘
Common multicast addresses:
ff02::1 All nodes on link
ff02::2 All routers on link
ff02::1:ff00:0/104 Solicited-node multicast
Scopes:
- 1 - Interface-local
- 2 - Link-local
- 5 - Site-local
- 8 - Organization-local
- e - Global
Anycast Addresses
Same format as unicast, but assigned to multiple interfaces. Packets are delivered to the nearest interface.
Example use case: DNS root servers
2001:db8::1 assigned to multiple servers
Special Addresses
::1/128 Loopback (localhost)
::/128 Unspecified address (like 0.0.0.0)
::ffff:0:0/96 IPv4-mapped IPv6 (::ffff:192.0.2.1)
2001:db8::/32 Documentation prefix
4. IPv6 Header
Simplified Header Structure
The IPv6 header is simpler and has a fixed length (40 bytes):
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| Traffic Class |           Flow Label                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Payload Length        |  Next Header  |   Hop Limit   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                         Source Address                        +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                      Destination Address                      +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Field Descriptions
| Field | Size | Description |
|---|---|---|
| Version | 4 bits | Always 6 |
| Traffic Class | 8 bits | QoS priority (similar to DSCP in IPv4) |
| Flow Label | 20 bits | QoS flow identification |
| Payload Length | 16 bits | Payload length (excluding the header) |
| Next Header | 8 bits | Type of the next header (TCP=6, UDP=17, etc.) |
| Hop Limit | 8 bits | Decremented at each router (similar to TTL) |
| Source Address | 128 bits | Source IPv6 address |
| Destination Address | 128 bits | Destination IPv6 address |
Improvements over IPv4
Removed fields:
- Header Length (fixed at 40 bytes)
- Identification, Flags, Fragment Offset (moved to an extension header)
- Header Checksum (handled by the link layer and the transport layer)
Benefits:
- Faster processing (no checksum calculation)
- Fixed header size (easier to implement in hardware)
- Optional features live in extension headers
Extension Headers
Extension headers provide flexibility:
IPv6 Header → Ext Header 1 → Ext Header 2 → TCP/UDP Header → Data
Common extension headers:
1. Hop-by-Hop Options (0) - processed by every node
2. Routing (43) - source routing
3. Fragment (44) - fragmentation information
4. Destination Options (60) - options for the destination
5. Authentication (51) - IPsec AH
6. Encapsulating Security Payload (50) - IPsec ESP
Fragmentation example:
┌─────────────┬──────────────┬──────────┬──────┐
│ IPv6 Header │ Fragment     │ TCP Hdr  │ Data │
│ Next=44     │ Header       │          │      │
│             │ Next=6       │          │      │
└─────────────┴──────────────┴──────────┴──────┘
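A filter that reads only the Next Header field of the fixed header sees 44 in the fragmentation example above, not TCP, so any rule keyed on the upper-layer protocol has to walk the chain. The following added example (not part of the original page) does that walk; the sample packet, its addresses and the helper names are constructed for illustration.

```python
import struct

# Extension headers from the list above that can be skipped by their length.
# ESP (50) is left out: everything after it is encrypted.
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
               51: "Authentication", 60: "Destination Options"}

def walk_chain(packet: bytes):
    """Follow Next Header values from the fixed header to the upper layer.

    Returns (chain, protocol, offset): extension header names in order, the
    upper-layer protocol number, and the byte offset of its header, or None
    when this packet is a non-first fragment that does not carry that header.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain, visible = packet[6], 40, [], True
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("extension header runs past the end of the packet")
        following, length_field = packet[offset], packet[offset + 1]
        if next_header == 44:        # Fragment header: always 8 bytes
            size = 8
            frag_field = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
            visible = visible and (frag_field >> 3) == 0   # fragment offset 0?
        elif next_header == 51:      # AH: length in 4-byte words, minus 2
            size = (length_field + 2) * 4
        else:                        # others: 8-byte units beyond the first 8
            size = (length_field + 1) * 8
        if offset + size > len(packet):
            raise ValueError("extension header runs past the end of the packet")
        chain.append(EXT_HEADERS[next_header])
        next_header, offset = following, offset + size
    return chain, next_header, (offset if visible else None)

def build_packet(first_next_header: int, payload: bytes) -> bytes:
    """Constructed sample: fixed header (2001:db8::1 -> 2001:db8::2) + payload."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_next_header, 64)
    return fixed + src + dst + payload

# Constructed TCP SYN to port 22 behind a first-fragment header (Next=6, M=1).
TCP_SYN_TO_22 = struct.pack("!HHIIBBHHH", 49152, 22, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
FRAGMENT_HDR = struct.pack("!BBHI", 6, 0, 0x0001, 0x1234)
SAMPLE = build_packet(44, FRAGMENT_HDR + TCP_SYN_TO_22)

def tcp_dest_port(packet: bytes):
    """Destination port if the packet carries a visible TCP header, else None."""
    chain, protocol, offset = walk_chain(packet)
    if protocol != 6 or offset is None or offset + 4 > len(packet):
        return None
    return struct.unpack("!H", packet[offset + 2:offset + 4])[0]

if __name__ == "__main__":
    print("fixed header says:", SAMPLE[6])
    print("chain walk says:  ", walk_chain(SAMPLE), "port", tcp_dest_port(SAMPLE))
```

A non-first fragment returns `None` for the offset, which is the case where a stateless filter cannot see ports at all and must either reassemble or apply a fragment policy.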
5. Address Autoconfiguration
SLAAC (Stateless Address Autoconfiguration)
IPv6 devices can configure themselves without DHCP:
Process:
┌──────────┐                            ┌──────────┐
│   Host   │                            │  Router  │
└────┬─────┘                            └────┬─────┘
     │                                       │
     │ 1. Generate link-local address        │
     │    (fe80::IID)                        │
     │                                       │
     │ 2. Router Solicitation (RS)           │
     │──────────────────────────────────────▶│
     │    (ICMPv6 type 133)                  │
     │                                       │
     │ 3. Router Advertisement (RA)          │
     │◀──────────────────────────────────────│
     │    (prefix, gateway, flags)           │
     │    (ICMPv6 type 134)                  │
     │                                       │
     │ 4. Generate global address            │
     │    (prefix + IID)                     │
     │                                       │
     │ 5. Duplicate Address Detection (DAD)  │
     │    (Neighbor Solicitation)            │
     │──────────────────────────────────────▶│
     │                                       │
Interface Identifier (IID) Generation
Method 1: EUI-64 (derived from the MAC address)
MAC address: 00:1A:2B:3C:4D:5E
Steps:
1. Split MAC: 001A2B | 3C4D5E
2. Insert FFFE: 001A2B | FFFE | 3C4D5E
3. Flip U/L bit: 021A2B | FFFE | 3C4D5E
(7th bit of first byte: 00 → 02)
Result IID: 021a:2bff:fe3c:4d5e
Method 2: Privacy Extensions (RFC 4941)
A random IID that is regenerated periodically for privacy:
Temporary IID: 1234:5678:9abc:def0 (random)
Lifetime: 1 day (configurable)
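The EUI-64 steps are reversible, which is why a MAC-derived IID identifies the same interface on every network it joins. The following added example (not part of the original page) builds the IID from a MAC, recovers the MAC from an address, and audits a list of addresses for that exposure; the function names and the second observed address are constructed for illustration.

```python
import ipaddress

def eui64_iid(mac: str) -> bytes:
    """Build the 64-bit EUI-64 interface identifier from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    # Split in the middle, insert ff:fe, flip the U/L bit (0x02) of byte 0.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 IID (SLAAC step 4 above)."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC expects a /64 prefix")
    iid = int.from_bytes(eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(network.network_address) | iid)

def embedded_mac(address: str):
    """Return the MAC an EUI-64 IID reveals, or None without the ff:fe marker.

    Heuristic: a random IID shows ff:fe in that position with probability 2^-16.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in mac)

def audit(addresses):
    """Group addresses by the MAC they expose. Several addresses under one MAC
    mean the same interface can be followed from network to network."""
    exposed = {}
    for address in addresses:
        mac = embedded_mac(address)
        if mac is not None:
            exposed.setdefault(mac, []).append(address)
    return exposed

OBSERVED = [
    "2001:db8::21a:2bff:fe3c:4d5e",        # EUI-64 address built from the MAC above
    "2001:db8:beef:7:21a:2bff:fe3c:4d5e",  # same NIC on another /64 (constructed)
    "2001:db8::1234:5678:9abc:def0",       # temporary (random) IID from above
]

if __name__ == "__main__":
    print(slaac_address("2001:db8::/64", "00:1A:2B:3C:4D:5E"))
    for mac, seen in audit(OBSERVED).items():
        print(mac, "exposed by", seen)
```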
DHCPv6
Stateless DHCPv6:
- Address from SLAAC
- DNS and NTP from DHCPv6
Stateful DHCPv6:
- Full address from the DHCPv6 server
- Similar to traditional DHCP
DHCPv6 process:
Client                              Server
  │                                   │
  │ SOLICIT (multicast ff02::1:2)     │
  │──────────────────────────────────▶│
  │                                   │
  │ ADVERTISE                         │
  │◀──────────────────────────────────│
  │                                   │
  │ REQUEST                           │
  │──────────────────────────────────▶│
  │                                   │
  │ REPLY (address, DNS, etc.)        │
  │◀──────────────────────────────────│
Router Advertisement Flags
M flag (Managed): 1 = Use DHCPv6 for address
O flag (Other): 1 = Use DHCPv6 for other config (DNS)
Combinations:
M=0, O=0 → SLAAC only
M=0, O=1 → SLAAC + stateless DHCPv6
M=1, O=0 → Stateful DHCPv6
M=1, O=1 → Stateful DHCPv6
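Since whatever an RA says decides how every host on the link configures itself, it is worth seeing where the M and O bits and the advertised prefix sit in the message and what a host-side sanity check can look at. The following added example (not part of the original page) decodes a constructed RA and reports findings against an expected-router list; the sample message, the allowlists and the function names are assumptions, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

MODES = {(0, 0): "SLAAC only", (0, 1): "SLAAC + stateless DHCPv6",
         (1, 0): "Stateful DHCPv6", (1, 1): "Stateful DHCPv6"}

def parse_ra(icmp: bytes) -> dict:
    """Decode the M/O flags and Prefix Information options of an RA (type 134)."""
    if len(icmp) < 16 or icmp[0] != 134 or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    managed, other = (icmp[5] >> 7) & 1, (icmp[5] >> 6) & 1
    prefixes, pos = [], 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8   # length in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:                # Prefix Information
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(f"{prefix}/{icmp[pos + 2]}")
        pos += opt_len
    return {"M": managed, "O": other, "mode": MODES[(managed, other)],
            "prefixes": prefixes}

def ra_findings(source, hop_limit, icmp, known_routers, known_prefixes):
    """Host-side checks on a received RA; returns a list of findings."""
    findings = []
    src = ipaddress.IPv6Address(source)
    if hop_limit != 255:
        findings.append("hop limit is not 255: RA did not originate on this link")
    if not src.is_link_local:
        findings.append("source is not a link-local address")
    if src not in {ipaddress.IPv6Address(r) for r in known_routers}:
        findings.append(f"unknown router {src}")
    expected = {ipaddress.IPv6Network(p) for p in known_prefixes}
    for prefix in parse_ra(icmp)["prefixes"]:
        if ipaddress.IPv6Network(prefix, strict=False) not in expected:
            findings.append(f"unexpected prefix {prefix}")
    return findings

def build_ra(managed: int, other: int, prefix="2001:db8:1::", plen=64) -> bytes:
    """Constructed RA: 16-byte header plus one Prefix Information option."""
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64,
                         (managed << 7) | (other << 6), 1800, 0, 0)
    option = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 2592000, 604800, 0)
    return header + option + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    print(parse_ra(build_ra(0, 1)))
    print(ra_findings("fe80::bad:1", 255, build_ra(0, 0, "2001:db8:666::"),
                      ["fe80::1"], ["2001:db8:1::/64"]))
```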
6. Neighbor Discovery Protocol
NDP vs ARP
The Neighbor Discovery Protocol (NDP) replaces ARP in IPv6:
| Function | IPv4 | IPv6 |
|---|---|---|
| Address resolution | ARP | NDP (NS/NA) |
| Router discovery | ICMP Router Discovery | NDP (RS/RA) |
| Redirect | ICMP Redirect | NDP Redirect |
| MTU discovery | - | NDP (RA) |
NDP Message Types
All NDP messages use ICMPv6:
- Router Solicitation (RS) - Type 133
- Router Advertisement (RA) - Type 134
- Neighbor Solicitation (NS) - Type 135
- Neighbor Advertisement (NA) - Type 136
- Redirect - Type 137
Neighbor Solicitation/Advertisement (NS/NA)
Address resolution example:
Host A wants to communicate with Host B (2001:db8::2)
1. Host A sends NS to solicited-node multicast:
Src: 2001:db8::1
Dst: ff02::1:ff00:2 (solicited-node for ::2)
"Who has 2001:db8::2?"
2. Host B sends NA:
Src: 2001:db8::2
Dst: 2001:db8::1
"I am 2001:db8::2, my MAC is 00:1A:2B:3C:4D:5E"
Solicited-Node Multicast
Efficient address resolution:
Target address: 2001:db8::1234:5678
Solicited-node multicast:
ff02::1:ff34:5678
└────────┘└─────┘
prefix    last 24 bits
Duplicate Address Detection (DAD)
Before using an address:
1. Host sends NS for its own address:
Src: :: (unspecified)
Dst: ff02::1:ff00:1 (solicited-node)
Target: 2001:db8::1 (tentative address)
2. If NA received → address conflict!
3. If no response → address is unique
Neighbor Unreachability Detection (NUD)
Verify that a neighbor is still reachable:
States:
INCOMPLETE → REACHABLE → STALE → DELAY → PROBE → UNREACHABLE
Transitions:
- REACHABLE: confirmation received within 30s
- STALE: no recent confirmation
- PROBE: sending NS to verify
7. Transition Mechanisms
Dual-Stack
Run IPv4 and IPv6 at the same time:
┌─────────────────────────────┐
│        Applications         │
└──────────────┬──────────────┘
               │
     ┌─────────┴─────────┐
     │                   │
 ┌───▼────┐         ┌────▼────┐
 │  IPv4  │         │  IPv6   │
 │ Stack  │         │  Stack  │
 └───┬────┘         └────┬────┘
     │                   │
     └─────────┬─────────┘
               │
        ┌──────▼──────┐
        │   Network   │
        └─────────────┘
Configuration example:
# Linux interface with dual-stack
ip addr show eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP>
inet 192.0.2.1/24
inet6 2001:db8::1/64
inet6 fe80::1/64 scope link
Tunneling Mechanisms
6to4 Tunnel
Automatic tunneling over existing IPv4 infrastructure:
IPv6 Packet
     │
     ▼
┌───────────────┐
│ IPv4 Header   │
├───────────────┤
│ IPv6 Packet   │
└───────────────┘
6to4 address format:
2002:WWXX:YYZZ::/48
     └───────┘
IPv4 address in hex
Example:
IPv4: 192.0.2.1 → C000:0201
6to4: 2002:c000:0201::/48
6to4: 2002:c000:0201::/48
Teredo Tunnel
NAT traversal for IPv6:
Structure:
┌────────┬─────────┬────────┬────────┬──────────┐
│ 2001   │ 0       │ IPv4   │ Flags  │ Obscured │
│        │         │ Server │        │ Client   │
└────────┴─────────┴────────┴────────┴──────────┘
Example:
2001:0000:4136:e378:8000:63bf:3fff:fdd2
          └───────┘      └────────────┘
          Server IP      Client info
ISATAP
Intra-Site Automatic Tunnel Addressing Protocol:
Address format:
[prefix]:0:5efe:[IPv4 address]
Example:
2001:db8:1:2:0:5efe:192.0.2.1
                    └───────┘
                    IPv4 address
Translation Mechanisms
NAT64/DNS64
Lets IPv6-only clients reach IPv4 servers:
IPv6 Client                          IPv4 Server
2001:db8::1                          192.0.2.1
     │                                    │
     │ 1. DNS query (AAAA)                │
     │─────────────▶DNS64                 │
     │                │                   │
     │                │ 2. No AAAA,       │
     │                │    query A        │
     │                │──────────────────▶│
     │                │                   │
     │                │ 3. A=192.0.2.1    │
     │                │◀──────────────────│
     │                │                   │
     │ 4. AAAA=       │                   │
     │    64:ff9b::   │                   │
     │    c000:0201   │                   │
     │◀───────────────│                   │
     │                                    │
     │ 5. Packet to                       │
     │    64:ff9b::c000:0201              │
     │──────────▶NAT64───────────────────▶│
     │           Translates to            │
     │           192.0.2.1                │
Well-Known Prefix: 64:ff9b::/96
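The 6to4, Teredo, ISATAP and NAT64 formats above all carry IPv4 addresses inside an IPv6 address, so IPv4-based policy and log correlation need to look inside them. The following added example (not part of the original page) builds the 6to4 and NAT64 forms and extracts the embedded IPv4 addresses from all four; the function names and the blocklist check are constructed for illustration, and only the ISATAP layout shown above (0:5efe) is matched.

```python
import ipaddress

V4, V6, NET6 = ipaddress.IPv4Address, ipaddress.IPv6Address, ipaddress.IPv6Network

def to_6to4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48 for the given IPv4 address."""
    return NET6(((0x2002 << 112) | (int(V4(ipv4)) << 80), 48))

def nat64_synthesize(ipv4: str) -> ipaddress.IPv6Address:
    """The AAAA answer DNS64 returns in step 4: Well-Known Prefix + IPv4."""
    return V6(int(V6("64:ff9b::")) | int(V4(ipv4)))

def embedded_ipv4(address: str):
    """Name the transition mechanism behind an IPv6 address and the IPv4
    addresses it carries. Returns None for addresses that carry none."""
    addr = V6(address)
    raw = addr.packed
    if addr in NET6("2002::/16"):
        return {"mechanism": "6to4", "ipv4": str(V4(raw[2:6]))}
    if addr in NET6("2001::/32"):
        client = bytes(b ^ 0xFF for b in raw[12:16])        # stored bit-inverted
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF   # stored bit-inverted
        return {"mechanism": "Teredo", "server": str(V4(raw[4:8])),
                "client": str(V4(client)), "client_port": port}
    if addr in NET6("64:ff9b::/96"):
        return {"mechanism": "NAT64", "ipv4": str(V4(raw[12:16]))}
    if raw[8:12] == bytes.fromhex("00005efe"):
        return {"mechanism": "ISATAP", "ipv4": str(V4(raw[12:16]))}
    return None

def hits_ipv4_blocklist(address: str, blocked_networks) -> bool:
    """True if any IPv4 address carried inside `address` falls in a blocked
    IPv4 network (constructed policy check for log review)."""
    info = embedded_ipv4(address)
    if info is None:
        return False
    carried = [info[key] for key in ("ipv4", "server", "client") if key in info]
    nets = [ipaddress.IPv4Network(n) for n in blocked_networks]
    return any(V4(ip) in net for ip in carried for net in nets)

if __name__ == "__main__":
    print(to_6to4_prefix("192.0.2.1"), nat64_synthesize("192.0.2.1"))
    for sample in ["2001:0000:4136:e378:8000:63bf:3fff:fdd2",
                   "2001:db8:1:2:0:5efe:192.0.2.1", "2001:db8::1"]:
        print(sample, "->", embedded_ipv4(sample))
```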
8. IPv6 Routing
OSPFv3
OSPF for IPv6:
Differences from OSPFv2:
- Runs directly over IPv6
- Link-local addresses for neighbor discovery
- Multiple instances per link
- Authentication via IPsec (not built-in)
Configuration example (Cisco):
ipv6 router ospf 1
 router-id 1.1.1.1
interface GigabitEthernet0/0
 ipv6 ospf 1 area 0
 ipv6 address 2001:db8:1::1/64
BGP for IPv6
Multiprotocol BGP (MP-BGP):
router bgp 65001
 neighbor 2001:db8::2 remote-as 65002
 address-family ipv6 unicast
  neighbor 2001:db8::2 activate
  network 2001:db8:1::/48
 exit-address-family
Route Aggregation
IPv6's large address space allows better aggregation:
ISP allocation: 2001:db8::/32
Customer subnets:
2001:db8:0001::/48
2001:db8:0002::/48
2001:db8:0003::/48
...
2001:db8:ffff::/48
Advertise only: 2001:db8::/32
Routing Table Example
# Linux routing table
ip -6 route show
2001:db8:1::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 metric 1024
9. IPv6 Security
Built-in IPsec
IPv6 was designed with IPsec in mind:
┌────────────┬─────────┬─────────┬─────────────┬──────┐
│ IPv6 Hdr   │ ESP Hdr │ TCP Hdr │ Data        │ ESP  │
│            │         │         │             │ Auth │
│ Next=50    │ Next=6  │         │ (Encrypted) │      │
└────────────┴─────────┴─────────┴─────────────┴──────┘
Note: In practice IPsec is optional, but it is easier to deploy.
Privacy Extensions
Prevent tracking through a stable IID:
# Enable privacy extensions (Linux)
sysctl net.ipv6.conf.all.use_tempaddr=2
# Temporary address
2001:db8::1234:5678:9abc:def0 (changes daily)
# Stable address (for incoming connections)
2001:db8::21a:2bff:fe3c:4d5e (EUI-64)
Firewall Considerations
Important: Do not block all ICMPv6!
Required ICMPv6 types:
- Type 1: Destination Unreachable
- Type 2: Packet Too Big (for PMTUD)
- Type 3: Time Exceeded
- Type 4: Parameter Problem
- Type 133-137: NDP messages
Example iptables:
# Allow essential ICMPv6
ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# Allow NDP
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
보μ μν¶
μ μμ μΈ λΌμ°ν° κ΄κ³ (Rogue Router Advertisements): - 곡격μκ° κ°μ§ RA μ μ‘ - μν: RA Guard
NDP μ€νΈν(NDP Spoofing): - ARP μ€νΈνκ³Ό μ μ¬ - μν: SEcure Neighbor Discovery (SEND)
μ£Όμ μ€μΊλ(Address Scanning): - λκ·λͺ¨ μλΈλ·μΌλ‘ λ¬΄μ°¨λ³ λμ 곡격 μ΄λ €μ - νμ§λ§ μμΈ‘ κ°λ₯ν IID(EUI-64)λ νμ μ΄ λ μ μμ - μν: νλΌμ΄λ²μ νμ₯ μ¬μ©
10. μ€μ ꡬ챶
Linux ꡬ챶
IPv6 μ°κ²°μ± νμΈ:
# Show IPv6 addresses
ip -6 addr show
# Show IPv6 routes
ip -6 route show
# Ping IPv6 address
ping6 2001:4860:4860::8888
# Traceroute
traceroute6 google.com
Manual address configuration:
# Add IPv6 address
sudo ip -6 addr add 2001:db8::1/64 dev eth0
# Add default route
sudo ip -6 route add default via fe80::1 dev eth0
# Enable IPv6 forwarding
sudo sysctl -w net.ipv6.conf.all.forwarding=1
Static configuration (Ubuntu/Debian):
# /etc/netplan/01-netcfg.yaml
network:
  version: 2
  ethernets:
    eth0:
      dhcp6: no
      addresses:
        - 2001:db8::1/64
      gateway6: fe80::1
      nameservers:
        addresses:
          - 2001:4860:4860::8888
          - 2001:4860:4860::8844
Enable SLAAC:
# Accept Router Advertisements
sudo sysctl -w net.ipv6.conf.eth0.accept_ra=1
# Autoconf
sudo sysctl -w net.ipv6.conf.eth0.autoconf=1
Windows Configuration
Command line:
REM Show IPv6 configuration
ipconfig
REM Show IPv6 routing table
netsh interface ipv6 show route
REM Add static IPv6 address
netsh interface ipv6 add address "Ethernet" 2001:db8::1/64
REM Add default route
netsh interface ipv6 add route ::/0 "Ethernet" fe80::1
REM Test connectivity
ping 2001:4860:4860::8888
tracert google.com
PowerShell:
# Get IPv6 configuration
Get-NetIPAddress -AddressFamily IPv6
# Add IPv6 address
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress "2001:db8::1" -PrefixLength 64
# Add default route
New-NetRoute -DestinationPrefix "::/0" -InterfaceAlias "Ethernet" -NextHop "fe80::1"
Connectivity Testing
Dual-stack test:
# IPv4 connectivity
ping google.com
# IPv6 connectivity
ping6 google.com
# Check which protocol is used
curl -v https://google.com
# Look for "Trying 2001:..." (IPv6) or "Trying 192..." (IPv4)
# Force IPv6
curl -6 https://google.com
# Force IPv4
curl -4 https://google.com
Online tests:
- https://test-ipv6.com/
- https://ipv6-test.com/
- https://www.whatismyipv6.com/
Common Problems and Solutions
No IPv6 connectivity:
# 1. Check if IPv6 is enabled
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
# Should be 0 (enabled)
# 2. Check for IPv6 addresses
ip -6 addr show
# Should see link-local (fe80::) and possibly global
# 3. Check for default route
ip -6 route show
# Should see default via fe80::...
# 4. Check Router Advertisements
sudo rdisc6 eth0
# Should see RA from router
# 5. Test local connectivity
ping6 fe80::1%eth0 # Ping link-local gateway
MTU problems:
# IPv6 minimum MTU is 1280 bytes
# Check current MTU
ip link show eth0
# Test PMTUD
ping6 -s 1500 2001:4860:4860::8888
11. Practice Problems
Problem 1: Address Shortening
Shorten the following IPv6 addresses to their shortest form:
a) 2001:0db8:0000:0000:0000:0000:0000:0001
b) fe80:0000:0000:0000:0202:b3ff:fe1e:8329
c) 2001:0db8:0001:0000:0000:0000:0000:0000
d) 0000:0000:0000:0000:0000:0000:0000:0000
Answer:
a) 2001:db8::1
b) fe80::202:b3ff:fe1e:8329
c) 2001:db8:1::
d) ::
Problem 2: EUI-64 Conversion
Given the MAC address 00:50:56:A1:B2:C3, compute:
- The EUI-64 interface identifier
- The full link-local address
- The full global address with the prefix 2001:db8:1::/64
Answer:
MAC: 00:50:56:A1:B2:C3
1. Split: 005056 | A1B2C3
2. Insert FFFE: 005056FFFE | A1B2C3
3. Flip 7th bit: 025056FFFE | A1B2C3
IID: 0250:56ff:fea1:b2c3
Link-local: fe80::250:56ff:fea1:b2c3
Global: 2001:db8:1::250:56ff:fea1:b2c3
Problem 3: Subnetting
You have been allocated 2001:db8:abcd::/48. Design a subnetting plan for the following:
- 4 regional offices (each needing 256 subnets)
- Each subnet supports a /64 for end users
Answer:
/48 prefix: 2001:db8:abcd::/48
Use bits 49-52 for regions (4 bits = 16 regions):
Region 0: 2001:db8:abcd:0000::/52
Region 1: 2001:db8:abcd:1000::/52
Region 2: 2001:db8:abcd:2000::/52
Region 3: 2001:db8:abcd:3000::/52
Each /52 contains 4096 /64 subnets (2^12).
Region 0 examples:
2001:db8:abcd:0000::/64
2001:db8:abcd:0001::/64
2001:db8:abcd:0002::/64
...
2001:db8:abcd:0fff::/64
Problem 4: NDP Analysis
Describe the NDP message sequence in the following cases:
1. When a host boots and obtains IPv6 connectivity
2. When Host A wants to send a packet to Host B on the same link
Answer:
1. Host boot sequence:
a. Generate link-local address (fe80::IID)
b. DAD: Send NS for own address
c. If no NA, address is valid
d. Send RS to ff02::2
e. Receive RA with prefix, M/O flags
f. Generate global address (prefix + IID)
g. DAD for global address
h. Optional: DHCPv6 if M=1 or O=1
2. Host A → Host B communication:
a. Check neighbor cache for B's MAC
b. If not found, send NS to B's solicited-node multicast
c. Receive NA from B with MAC address
d. Cache entry created (REACHABLE state)
e. Send packet to B
Problem 5: Choosing a Transition Mechanism
Recommend the most suitable IPv6 transition mechanism for each scenario:
a) An enterprise with dual-stack routers that needs to connect IPv6 islands across an IPv4 backbone
b) A home user behind NAT who uses an IPv6-only service
c) An ISP that wants to deliver IPv4 content to IPv6-only customers
d) A small office whose ISP offers only IPv4 but that wants IPv6
Answer:
a) 6to4 or manual tunnels (GRE/IPsec)
- Controlled environment, static config acceptable
b) Teredo
- NAT traversal required
- Automatic, no config needed
c) NAT64/DNS64
- Translates IPv6 requests to IPv4
- ISP-level deployment
d) 6to4 or Tunnel Broker (Hurricane Electric)
- Automatic or semi-automatic
- Works over any IPv4 connection
Problem 6: Security Configuration
Write ip6tables rules that do the following:
- Allow established connections
- Allow essential ICMPv6
- Allow SSH from a specific prefix
- Block all other inbound traffic
Answer:
#!/bin/bash
# Flush existing rules
ip6tables -F
# Default policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Allow loopback
ip6tables -A INPUT -i lo -j ACCEPT
# Allow established/related
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow essential ICMPv6
ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# Allow NDP
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# Allow SSH from 2001:db8::/32
ip6tables -A INPUT -p tcp --dport 22 -s 2001:db8::/32 -j ACCEPT
# Log dropped packets (optional)
ip6tables -A INPUT -j LOG --log-prefix "IPv6-DROP: "
# Drop everything else (already default policy)
Summary
IPv6 is the future of Internet addressing:
Key points:
1. 128-bit addresses provide a virtually unlimited address space
2. The simplified header improves routing efficiency
3. Autoconfiguration (SLAAC) reduces configuration overhead
4. NDP replaces ARP with improved functionality
5. Transition mechanisms allow gradual migration
6. Built-in security supports IPsec
7. Removing the need for NAT restores end-to-end connectivity
Migration strategy:
- Start with dual-stack
- Verify that every service supports IPv6
- Use transition mechanisms where needed
- Monitor the growth of IPv6 traffic
- Eventually phase out IPv4
IPv6 adoption is growing, and understanding it is essential to modern network engineering.
Difficulty: ⭐⭐⭐
Further reading:
- RFC 8200: IPv6 Specification
- RFC 4862: IPv6 Stateless Address Autoconfiguration
- RFC 4861: Neighbor Discovery for IPv6
- RFC 7084: Basic Requirements for IPv6 Customer Edge Routers