IPv6 Support and Limitations
Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP). It is the result of a study effort from IETF to address limitations in IPv4 that date back to the 1970s. The "World IPv6 Launch" day occurred on June 6, 2012.
IPv6 upgrades to IPv4 are in the internet layer. The link layer remains unchanged. Transport layer and above are unchanged.
application layer | SSH, TLS/SSL, HTTPS |
transport layer | TCP/UPD |
internet layer | IP ← All IPv4 to IPv6 upgrades are in this layer. |
link layer | Ethernet |
In supporting IPv6, not everything in IPv4 was affected; some subsystems in the internet layer like routing protocols remain the same. The major internet layer upgrades to support IPv6 include:
>128-bit IP address
>Fixed length, 40-byte header with support for new, optional Extension Headers
>Native security
>Auto-configuration
The most talked about feature in IPv6 is the vastly increased availability of IP addresses due to the IP address size increase from 4 bytes (billions) to 16 bytes (undecillions).
Unlike IPv4, IPv6 doesn't have broadcast addresses; it only has unicast and multicast addresses. A broadcast address is the logical address used for transmission to all network-connected hosts. A multicast address is similar to a broadcast address but its scope is limited to a defined group of network-connected hosts. A unicast address is used for point-to-point transmission.
Global Unicast Address format
For more information on IPv6 addressing, refer to the IP Version 6 Working Group (IPv6) at https://datatracker.ietf.org/wg/ipv6/documents/. Also, try: https://en.wikipedia.org/wiki/IPv6.
IPv6 in the Context of the SafeNet Luna Network HSM
Most software components in the SafeNet Luna Network HSM operate in the application layer. They use TLS/SSL on top of TCP, but nothing uses the internet layer directly.
Likewise, changes in the internet layer shouldn't directly affect the application layer, but there are some utilities in SafeNet Luna Network HSM that use information from the internet layer, particularly the IP address, for authentication purposes; they will be affected by upgrading IPv4 to IPv6.
IPv6 Address Configuration Options
You can configure IPv6 addresses using static, SLAAC, or DHCPv6 addressing.
Static |
Use the command network interface static in the LunaSH Command Reference Guide. |
SLAAC |
Use the command network interface slaac in the LunaSH Command Reference Guide Note: You must have a SLAAC-enabled router in your network that is reachable by the HSM appliance to configure a network interface and obtain an IPv6 address using SLAAC protocol. |
DHCPv6 |
Use the command network interface dhcp in the LunaSH Command Reference Guide |
IPv6 Network Gateway
IPv6 devices must use an IPv6 gateway.
IPv6 Subnet Mask (Network Mask)
IPv6 devices must use CIDR notation for the subnet mask in IPv6 global unicast format.
For example, in IPv6 global unicast format, a subnet mask of /48 means that the 64-bit Network/Routing prefix will consists of a 48-bit site prefix, leaving 16 bits for the Subnet Identifier.
Typically, within a site, /64 is used to identify a whole subnet; global routing prefix + subnet ID.
Limitations When Using IPv6 on the SafeNet Luna Network HSM
You should be aware of the following limitations before attempting to use IPv6 on your SafeNet Luna Network HSM.
Client and SafeNet Luna Network HSM must use the same IP version
Clients connecting to the SafeNet Luna Network HSM appliance must use the same IP version that is configured on the appliance port they are connecting to, so certificates can resolve. Therefore, all clients connecting to an IPv4 port must have an IPv4 address, and all clients connecting to an IPv6 port must have an IPv6 address.
Secure Trusted Channel (STC) links not available via IPv6
STC links are not supported over an IPv6 network. You must use NTLS to make partition-client connections via IPv6.
Single global IPv6 address per network interface
You must use a single global IPv6 address for each active network interface: eth0, eth1, eth2, and/or eth3. You must use a single global IPv6 address for each active Luna Client.
IPv6 address assignment methods (Static, DHCPv6, or SLAAC) are all allowed, however only one is allowed at a time. For example, avoid configuring your network infrastructure such that the following unsupported condition (scheme # 5 in the following table) occurs.
Scheme # |
Address assignment scheme | RA M flag (on/off) | RA O flag (on/off) | Has RA prefix info (yes/no) | RA prefix info A flag(on/off) | Supported |
---|---|---|---|---|---|---|
1 | Static | either | either | either | either | yes |
2 | DHCPv6 (stateful) | on | either | either | off | yes |
3 | DHCPv6 (stateless) | off | on | yes | on | yes |
4 | SLAAC | off | off | yes | on | yes |
5 | SLAAC + DHCPv6 | on |
either |
yes | on | no |
Notes:
1.“RA” stands for Router Advertisement, the critical NDP message used in IPv6 auto-configuration.
2.The above table assumes that a functioning DHCPv6 server is on the network.
3.Scheme #3 (“Stateless” DHCPv6) is configured on SafeNet Luna Network HSM 7.x using SLAAC for address assignment, but DHCPv6 is still used to configure network services like DNS.
Example:
The following example for the eth2 interface is not supported since it has both DHCP, 2018:1:2:3::dcd5/128
, and SLAAC, 2018:1:2:3:215:b2ff:fea8:fd44/64
, global addresses (i.e. entries with “scope global”).
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 00:15:b2:a8:fd:44 brd ff:ff:ff:ff:ff:ff inet6 2018:1:2:3::dcd5/128 scope global dynamic valid_lft 1036733sec preferred_lft 691133sec inet6 2018:1:2:3:215:b2ff:fea8:fd44/64 scope global noprefixroute dynamic valid_lft 2591923sec preferred_lft 604723sec inet6 fe80::215:b2ff:fea8:fd44/64 scope link valid_lft forever preferred_lft forever
Configure the IP Address and Network Parameters
To proceed with configuring the IP address and other network parameters for the SafeNet Luna Network HSM, go to Network Configuration.