
IPv6 Support and Limitations

Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP). It is the result of a study effort by the IETF to address limitations in IPv4 that date back to the 1970s. The "World IPv6 Launch" day occurred on June 6, 2012.

The changes IPv6 makes to IPv4 are confined to the internet layer. The link layer is unchanged, and so are the transport layer and the layers above it.

 

application layer   SSH, TLS/SSL, HTTPS
transport layer     TCP/UDP
internet layer      IP  ← All IPv4 to IPv6 upgrades are in this layer.
link layer          Ethernet

 

In supporting IPv6, not everything in IPv4 was affected; some subsystems in the internet layer like routing protocols remain the same. The major internet layer upgrades to support IPv6 include:

128-bit IP address

Fixed length, 40-byte header with support for new, optional Extension Headers

Native security

Auto-configuration

The most talked about feature in IPv6 is the vastly increased availability of IP addresses due to the IP address size increase from 4 bytes (billions) to 16 bytes (undecillions).

Unlike IPv4, IPv6 doesn't have broadcast addresses; it only has unicast and multicast addresses. A broadcast address is the logical address used for transmission to all network-connected hosts. A multicast address is similar to a broadcast address but its scope is limited to a defined group of network-connected hosts. A unicast address is used for point-to-point transmission.

Global Unicast Address format

For more information on IPv6 addressing, refer to the IP Version 6 Working Group (IPv6) at https://datatracker.ietf.org/wg/ipv6/documents/. Also, try: https://en.wikipedia.org/wiki/IPv6.

IPv6 in the Context of the SafeNet Network HSM

Most software components in the SafeNet Network HSM operate in the application layer. They use TLS/SSL on top of TCP, but nothing uses the internet layer directly.

Likewise, changes in the internet layer shouldn't directly affect the application layer, but there are some utilities in SafeNet Network HSM that use information from the internet layer, particularly the IP address, for authentication purposes; they will be affected by upgrading IPv4 to IPv6.

IPv6 Address Configuration Options

You can configure IPv6 addresses using static, SLAAC, or DHCPv6 addressing.

Static

Use the command network interface static in the LunaSH Command Reference Guide.

SLAAC

Use the command network interface slaac in the LunaSH Command Reference Guide.

Note: To configure a network interface and obtain an IPv6 address using SLAAC, you must have a SLAAC-enabled router in your network that is reachable by the HSM appliance.

DHCPv6

Use the command network interface dhcp in the LunaSH Command Reference Guide.

IPv6 Network Gateway

IPv6 devices must use an IPv6 gateway.

This is how you recognize it from the output of the lunash command network show.

Generally, the next hop from your network appliance is the gateway.

IPv6 Subnet Mask (Network Mask)

IPv6 devices must use CIDR notation for the subnet mask in IPv6 global unicast format.

For example, in IPv6 global unicast format, a subnet mask of /48 means that the 64-bit Network/Routing prefix consists of a 48-bit site prefix, leaving 16 bits for the Subnet Identifier.

Typically, within a site, /64 is used to identify a whole subnet (global routing prefix + subnet ID).

The proper term in IPv6 context is "prefix length". This is how you recognize it from the output of the lunash command network show.  

 

Limitations When Using IPv6 on the SafeNet Network HSM

You should be aware of the following limitations before attempting to use IPv6 on your SafeNet Network HSM.

Client and SafeNet Network HSM must use the same IP version

Clients connecting to the SafeNet Network HSM appliance must use the same IP version that is configured on the appliance port they are connecting to, so that certificates can resolve. Therefore, all clients connecting to an IPv4 port must have an IPv4 address, and all clients connecting to an IPv6 port must have an IPv6 address.

Simultaneous NTLS connections to IPv4 and IPv6 clients are not supported

You can bind the NTLS service using either IPv4 or IPv6. Therefore, all clients connected to the SafeNet Network HSM at one time must use the same type of addressing.

Single global IPv6 address per network interface

You must use a single global IPv6 address for each active network interface: eth0 and/or eth1. You must use a single global IPv6 address for each active Luna Client.

All IPv6 address assignment methods (Static, DHCPv6, or SLAAC) are allowed; however, only one is allowed at a time. For example, avoid configuring your network infrastructure such that the following unsupported condition (scheme #5 in the following table) occurs.

Scheme #  Address assignment scheme  RA M flag (on/off)  RA O flag (on/off)  Has RA prefix info (yes/no)  RA prefix info A flag (on/off)  Supported
1         Static                     either              either              either                       either                          yes
2         DHCPv6 (stateful)          on                  either              either                       off                             yes
3         DHCPv6 (stateless)         off                 on                  yes                          on                              yes
4         SLAAC                      off                 off                 yes                          on                              yes
5         SLAAC + DHCPv6             on                  either              yes                          on                              no

Notes:

1. “RA” stands for Router Advertisement, the critical NDP message used in IPv6 auto-configuration.

2. The above table assumes that a functioning DHCPv6 server is on the network.

3. The configurations shown in this table apply to appliances and not clients.

Example:

The following example for the eth2 interface is not supported because it has both a DHCP global address, 2018:1:2:3::dcd5/128, and a SLAAC global address, 2018:1:2:3:215:b2ff:fea8:fd44/64 (i.e. two entries with “scope global”).

4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:15:b2:a8:fd:44 brd ff:ff:ff:ff:ff:ff
    inet6 2018:1:2:3::dcd5/128 scope global dynamic
       valid_lft 1036733sec preferred_lft 691133sec
    inet6 2018:1:2:3:215:b2ff:fea8:fd44/64 scope global noprefixroute dynamic
       valid_lft 2591923sec preferred_lft 604723sec
    inet6 fe80::215:b2ff:fea8:fd44/64 scope link
       valid_lft forever preferred_lft forever
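
One way to check captured interface output for this unsupported condition, as an added example that is not part of the SafeNet documentation or tooling: it parses output in the format shown above, reports every interface with more than one "scope global" IPv6 address, and guesses each address's origin. The function names and origin labels are assumptions of this example. Treating a /128 as DHCPv6 is a heuristic that matches the eth2 case, and the SLAAC test only recognises interface IDs derived from the MAC address (modified EUI-64).

```python
import ipaddress
import re

# Sample input: the eth2 output shown above, with the valid_lft lines omitted.
SAMPLE = """\
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:15:b2:a8:fd:44 brd ff:ff:ff:ff:ff:ff
    inet6 2018:1:2:3::dcd5/128 scope global dynamic
    inet6 2018:1:2:3:215:b2ff:fea8:fd44/64 scope global noprefixroute dynamic
    inet6 fe80::215:b2ff:fea8:fd44/64 scope link
"""

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) as a 64-bit int."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(b[:3] + b"\xff\xfe" + b[3:], "big")

def parse_global_addrs(text):
    """Return {ifname: {"mac": str or None, "globals": [IPv6Interface, ...]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"\d+:\s+([^:@\s]+)", line)
        mac = re.match(r"\s+link/ether\s+([0-9a-fA-F:]{17})", line)
        addr = re.match(r"\s+inet6\s+(\S+)\s+scope\s+global\b", line)
        if head:
            cur = ifaces.setdefault(head.group(1), {"mac": None, "globals": []})
        elif cur is not None and mac:
            cur["mac"] = mac.group(1)
        elif cur is not None and addr:
            cur["globals"].append(ipaddress.IPv6Interface(addr.group(1)))
    return ifaces

def guess_origin(addr, iid):
    """Heuristic label only; static and privacy addresses come back as 'unknown'."""
    if addr.network.prefixlen == 64 and int(addr.ip) & (2**64 - 1) == iid:
        return "slaac-eui64"
    return "dhcpv6-like" if addr.network.prefixlen == 128 else "unknown"

def audit(text):
    """Return {ifname: [(address, origin guess), ...]} where globals > 1."""
    findings = {}
    for name, info in parse_global_addrs(text).items():
        if len(info["globals"]) > 1:
            iid = eui64_interface_id(info["mac"]) if info["mac"] else None
            findings[name] = [(str(a), guess_origin(a, iid)) for a in info["globals"]]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means every interface in the captured output has at most one global IPv6 address, which is the supported state.
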
Features unsupported for use with IPv6 networks

The following features are currently unsupported on IPv6 networks:

Secure Trusted Channel

Host Trust Link

One-step NTLS (clientconfig deploy command)

Port Bonding

Server-initiated (peer-to-peer) Remote PED

Network Time Protocol

Remote System Logging

Remote Backup Service (RBS)

SNMP Monitoring

IPv6 is not supported for use with UNIX Clients

Configure the IP Address and Network Parameters

To proceed with configuring the IP address and other network parameters for the SafeNet Network HSM, go to Configure the IP Address and Network Parameters.