Sonicwall IPV6 SONICOS FEATURE MODULE

IPv6 in SonicOS
Document Scope
This document provides an overview of SonicWALL’s implementation of IPv6, how IPv6 operates, and how to configure IPv6 for your network.
This document contains the following sections:
“Feature Overview”
“IPv6 Technology Overview”
“IPv6 Benefits”
“IPv6 Feature Support”
“Configuring IPv6”
“IPv6 Interface Configuration”
“Configuring IPv6 Tunnel Interfaces”
“Accessing the SonicWALL User Interface Using IPv6”
“IPv6 Network Configuration”
“IPv6 Access Rules Configuration”
“IPv6 IPSec VPN Configuration”
“SSL VPN Configuration for IPv6”
“IPv6 Diagnostics and Monitoring”
“Packet Capture”
“IPv6 Ping”
“IPv6 DNS Lookup and Reverse Name Lookup”
“Connection Monitor”

Feature Overview

The following sections provide an overview of IPv6:
“IPv6 Technology Overview”
“IPv6 Benefits”
“IPv6 Feature Support”
SonicOS 5.5 - IPv6

IPv6 Technology Overview

Around 1992, the IETF became aware of a global shortage of IPv4 addresses and of technical obstacles to deploying new protocols caused by limitations of IPv4. The IPv6 base specification is defined in RFC 2460. IPv6 dramatically increases the number of available addresses.
IPv4’s 32-bit addresses = 4,294,967,296 possible devices
IPv6’s 128-bit addresses = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible devices!
(or approximately 5 x 10^28 addresses per person on the planet)
Address Allocations
2001::/16 is allocated for the IPv6 Internet
IANA has subdivided the 2001::/16 address space among the following RIRs:
APNIC - 2001:02xx::/23, 2001:0cxx::/23
ARIN - 2001:04xx::/23
RIPE NCC - 2001:06xx::/23
ISPs allocate a /48 to individual customers
Customers allocate /64s to their multiple sites/subnets
ICMP Extension
ICMP packets in IPv6 are used in the IPv6 neighbor discovery process, path MTU discovery, and the Multicast Listener Discovery (MLD) protocol for IPv6.
Transition Mechanisms
To coexist with an IPv4 infrastructure and to provide an eventual transition to an IPv6-only infrastructure, the following mechanisms are used:
IPv6 over IPv4 tunneling
Translation
SonicWALL will provide IPv6 support, via an IPv6 Internet gateway, to networks where no prior IPv6 connectivity exists.
Note: Networks must have IPv4 Internet connectivity in order to connect to the IPv6 Internet.
Note: The IPv6 stack must be enabled on PCs at SMB sites.
Here is a simplified picture showing the connectivity model for a typical IPv6 deployment.
[Figure: connectivity model for a typical IPv6 deployment. Labels: SonicWALL IPv6 Internet Gateway, SonicWALL FW, IPv4 Internet, IPv6 Internet, IPv6 Public Servers (S1, S2), sites SMB1 and SMB2, hosts PC1, PC2, PC3. IPv6 communication: PC1 to PC2; PC2 to PC3; PC1 to S1, S2; PC2 to S1, S2; PC3 to S1, S2.]
The following diagram shows a comparison of the header elements between IPv4 and IPv6.

IPv6 Benefits

IPv6 brings some key features that address the limitations exposed by IPv4. The new IP standard extends IPv4 in a number of important aspects:
New header format
Simplified IPv6 header - 40 Bytes with options removed from header
Large address space - 128 bit IP address (6 x 10^23 addresses per square meter of land on earth)
Efficient and hierarchical addressing and routing infrastructure
Auto address assignment to hosts/routers - NDP, DHCPv6
Stateless and stateful address configuration
Built-in security - AH and ESP strongly recommended
Better support for QoS - Flow label in the header
New protocol for neighboring node interaction
Extensibility for new features using extension headers

IPv6 Feature Support

The following IPv6 services and features are supported:
Site to site IPv6 connectivity
Site to site IPv6 tunnel with IPSec for security.
Access to hosted IPv4 services via IPv6 from outside
Access to IPv4 website from inside via IPv6
DNS Proxy.
Security Services for IPv6 traffic with DPI
Support for a stateful inspection of IPv6 traffic.
Support for HTTP/HTTPS management and ping via IPv6.
Support of logging IPv6 Events.
Support for debugging tools for IPv6 like packet capture, connection monitor, etc.
Configuring IPv6
“IPv6 Interface Configuration”
“Configuring IPv6 Tunnel Interfaces”
“Accessing the SonicWALL User Interface Using IPv6”
“IPv6 Network Configuration”
“IPv6 Access Rules Configuration”
“IPv6 User Authentication Configuration”
“IPv6 IPSec VPN Configuration”
“SSL VPN Configuration for IPv6”

IPv6 Interface Configuration

IPv6 interfaces are configured on the Network > Interfaces page by clicking the IPv6 option for the View IP Version radio button at the top right corner of the page.
By default, all IPv6 interfaces appear as routed with no IP address. Multiple IPv6 addresses can be added on the same interface. Auto IP assignment can only be configured on a WAN interface.
Each interface can be configured to receive Router Advertisements or not. IPv6 can be enabled or disabled on each interface.
Note: A zone must be configured on the IPv4 interface page before configuring IPv6 interfaces.
IPv6 Interface Configuration Constraints:
The HA interface cannot be configured for IPv6.
Only the parent interface of a SwitchPort group can be configured as an IPv6 interface; all children of a switch port group are therefore excluded from this list.
The IPv6 and IPv4 interfaces must remain in the same zone.
Zone and L2Bridge settings are shared by IPv4 and IPv6. Once they are configured on the IPv4 side, IPv6 uses the same configuration.
Default Gateway and DNS Server 1/2/3 are only available for WAN zone interfaces.
VLAN interfaces are not currently supported.
An interface with an IPv6 address assigned cannot be configured as a non-parent switch port interface.
Configuring an Interface for IPv6 Static Mode
Static mode lets the user assign a static IPv6 address in addition to any auto-assigned address. In this mode, the IPv6 interface can still listen to Router Advertisements and learn an autonomous address from the appropriate prefix option. Static mode does not interfere with Stateless Address Autoconfiguration on the IPv6 interface unless the user manually disables it.
The following diagram shows a sample topology with IPv6 configured in static mode.
Three types of IPv6 address can be assigned in this mode:
Automatic Address
Autonomous Address
Static Address
In Static Mode, the Primary Static Address is specified on the General tab. The Default Gateway and DNS Servers can also be set if it is a WAN zone interface.
Select Enable Router Advertisement to make this an advertising interface that distributes network and prefix information.
Select Advertise Subnet Prefix of IPv6 Primary Static Address to add a default prefix to the interface's advertising prefix list. This prefix is the subnet prefix of the interface's IPv6 primary static address. This option helps all hosts on the link stay in the same subnet.
If multiple static IPv6 addresses are needed, the Advanced tab provides a GUI for configuring additional static addresses.
Click the Add Address button to configure multiple static IPv6 addresses for the interface.
The following options can be configured on the Advanced tab:
Select Disable all IPv6 Traffic on the Interface to stop the interface from handling all IPv6 traffic.
Disabling IPv6 traffic can improve firewall performance for non-IPv6 traffic. If the firewall is deployed in a pure IPv4 environment, SonicWALL recommends enabling this option.
Select Enable Listening to Router Advertisement to have the firewall receive Router Advertisements.
If disabled, the interface filters all incoming Router Advertisement messages, which can enhance security by eliminating the possibility of receiving malicious network parameters (e.g. prefix information or default gateway). This option is not visible for Auto mode. In Auto mode, it is always enabled.
Select Enable Stateless Address Autoconfiguration to allow autonomous IPv6 addresses to be assigned to this interface. If unchecked, all assigned autonomous IPv6 addresses will be removed from this interface. This option is not visible for Auto mode. In Auto mode, it is always enabled.
Enter a numeric value for Duplicate Address Detection Transmits to specify the number of consecutive Neighbor Solicitation messages sent while performing Duplicate Address Detection (DAD) before assigning a tentative address to the interface. A value of 0 indicates that DAD is not performed on the interface.
Similar to IPv4 gratuitous ARP, an IPv6 node uses Neighbor Solicitation messages to detect duplicate IPv6 addresses on the same link. DAD must be performed on any Unicast address (except Anycast addresses) before a tentative address is assigned to an IPv6 interface.
Configuring Router Advertisement Settings
SonicWALL IPv6 fully conforms to RFC 4861 for Router and Prefix Discovery.
Note: Router Advertisement can only be enabled when the interface is in Static mode.
The following options can be configured on the Router Advertisement tab:
Enable Router Advertisement - If enabled, this interface becomes an advertising interface and starts to distribute network and prefix information.
Router Adv Interval Range - The time interval allowed between sending unsolicited multicast Router Advertisements from the interface, in seconds.
Link MTU - The recommended MTU for the interface link. A value of 0 means the firewall will not advertise a link MTU for the link.
Reachable Time - The time that a node assumes a neighbor is reachable after having received a reachability confirmation. A value of 0 means this parameter is unspecified by this firewall.
Retrans Time - The time between retransmitted Neighbor Solicitation messages. A value of 0 means this parameter is unspecified by this firewall.
Current Hop Limit - The default value that should be placed in the Hop Count field of the IP header for outgoing IP packets. A value of 0 means this parameter is unspecified by this firewall.
Router Lifetime - The length of time for which the firewall is accepted as a default router. A value of 0 means that the router is not a default router.
Managed - Sets the managed address configuration flag in the Router Advertisement message. If set, it indicates that IPv6 addresses are available via Dynamic Host Configuration Protocol.
Other Configuration - Sets the Other configuration flag in the Router Advertisement message. If set, it indicates that other configuration information is available via Dynamic Host Configuration Protocol.
Add Prefix - Adds an advertising prefix.
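The settings on the Router Advertisement tab correspond to fields of the RFC 4861 Router Advertisement message, and the Enable Listening to Router Advertisement option described earlier exists because a receiver takes these values from whoever sends them on the link. The following added example (not SonicWALL code) parses a captured RA and checks it against the expected router and prefixes. The function names, the `ROUTERS`/`PREFIXES` policy and all addresses are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct

def parse_ra(msg: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134); checksum not verified."""
    if len(msg) < 16 or msg[0] != 134 or msg[1] != 0:
        raise ValueError("not a complete Router Advertisement")
    # The first 4 octets (type, code, checksum) are skipped; the fixed RA fields follow.
    _, hop, flags, lifetime, reachable, retrans = struct.unpack("!IBBHII", msg[:16])
    ra = {"cur_hop_limit": hop, "managed": bool(flags & 0x80),
          "other_config": bool(flags & 0x40), "router_lifetime": lifetime,
          "reachable_time": reachable, "retrans_time": retrans, "link_mtu": 0, "prefixes": []}
    off = 16
    while off < len(msg):
        opt_len = msg[off + 1] * 8 if off + 2 <= len(msg) else 0  # units of 8 octets
        if opt_len == 0 or off + opt_len > len(msg):
            raise ValueError("malformed option")
        body = msg[off:off + opt_len]
        if body[0] == 5 and opt_len == 8:        # MTU option ("Link MTU")
            ra["link_mtu"] = struct.unpack("!I", body[4:8])[0]
        elif body[0] == 3 and opt_len == 32:     # Prefix Information ("Add Prefix")
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append({"prefix": net, "autonomous": bool(body[3] & 0x40)})
        off += opt_len
    return ra

def audit_ra(ra: dict, src: str, routers: set, prefixes: set) -> list:
    """List deviations from the site's expected routers and advertised prefixes."""
    findings = []
    if src not in routers:
        findings.append(f"RA from unexpected source {src}")
        if ra["router_lifetime"] > 0:
            findings.append("unexpected source advertises itself as default router")
    for p in ra["prefixes"]:
        if p["prefix"] not in prefixes:
            findings.append(f"unexpected prefix {p['prefix']}")
    return findings

def sample_ra(prefix: str, lifetime: int) -> bytes:
    """Constructed sample RA: hop limit 64, O flag set, MTU 1500, one /64 prefix."""
    return (struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, lifetime, 0, 0)
            + struct.pack("!BBHI", 5, 1, 0, 1500)
            + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
            + ipaddress.IPv6Address(prefix).packed)

ROUTERS = {"fe80::1"}                                  # constructed policy (assumption)
PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}  # documentation prefix
good = audit_ra(parse_ra(sample_ra("2001:db8:1::", 1800)), "fe80::1", ROUTERS, PREFIXES)
rogue = audit_ra(parse_ra(sample_ra("2001:db8:bad::", 9000)), "fe80::666", ROUTERS, PREFIXES)
```

An empty list for `good` and three findings for `rogue` show the kind of advertisement an interface with listening disabled would never act on.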