IPv6 Addressing and the PCNSE

Introduction to IPv6

IPv6, the successor to IPv4, addresses the limitations of its predecessor by providing a vastly larger address space, simplified autoconfiguration, and improved security features. Understanding IPv6 is crucial for the PCNSE exam, as Palo Alto Networks firewalls extensively support and manage IPv6 networks. You will be expected to configure, troubleshoot, and secure IPv6 deployments.

IPv6 Address Types

IPv6 addresses are 128-bit, represented in hexadecimal notation and separated by colons. There are three main types:

PCNSE Exam Note: Be familiar with how each address type is used in network deployments and how Palo Alto Networks firewalls handle them.

IPv6 Address Structure and Representation

IPv6 addresses are 128 bits long and are typically written in hexadecimal notation, grouped into eight 16-bit blocks separated by colons. For example:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

To simplify representation, leading zeros within a block can be omitted, and one run of consecutive all-zero blocks can be replaced with a double colon (::). The double colon can appear only once in an address. For instance:

2001:db8:85a3::8a2e:370:7334

PCNSE Exam Note: Understand address abbreviation and be able to interpret compressed IPv6 addresses.

Global Unicast Addresses (GUA)

GUAs are globally routable and equivalent to public IPv4 addresses. They are essential for internet connectivity. The structure includes a Global Routing Prefix, Subnet ID, and Interface Identifier.

Structure of a Global Unicast Address

PCNSE Exam Note: Understand the hierarchy and allocation of GUA prefixes by IANA and Regional Internet Registries (RIRs).

Unique Local Addresses (ULA)

ULAs are private addresses, not routable on the public internet, similar to IPv4 private addresses (RFC 1918). They use the prefix fc00::/7.

PCNSE Exam Note: ULAs are important for internal networks and are often used in scenarios where global routing is not required. Configure security policies appropriately for ULA traffic.
Gotcha! Be aware of the potential for overlapping ULAs if not generated properly. Use a reliable method for ULA generation.
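
One way to act on the overlap warning above, as an added example that is not part of the original guide: generate each site's /48 with a random 40-bit Global ID under fd00::/8 (the locally assigned half of fc00::/7 defined in RFC 4193) and check an inventory for collisions. It uses the OS random generator rather than the hash-based procedure RFC 4193 suggests; the site names and prefixes are constructed.

```python
import ipaddress
import secrets
from itertools import combinations

ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")  # locally assigned half of fc00::/7

def generate_ula_prefix() -> ipaddress.IPv6Network:
    """Return a /48 ULA prefix with a random 40-bit Global ID."""
    # 0xfd, then 5 random bytes (Global ID), then 80 zero bits.
    packed = b"\xfd" + secrets.token_bytes(5) + bytes(10)
    return ipaddress.IPv6Network((packed, 48))

def subnet(site: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve the /64 for a 16-bit Subnet ID out of a site's /48."""
    if site.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 site prefix and a 16-bit subnet ID")
    base = int(site.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))

def find_overlaps(site_prefixes: dict) -> list:
    """Return pairs of site names whose ULA prefixes overlap."""
    nets = {s: ipaddress.IPv6Network(p) for s, p in site_prefixes.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

# Constructed inventory: two sites hand-picked the "easy" prefix, one was generated.
SITES = {"hq": "fd00::/48", "branch": "fd00::/48", "lab": "fd12:3456:789a::/48"}

if __name__ == "__main__":
    print("overlapping sites:", find_overlaps(SITES))
    new_site = generate_ula_prefix()
    print("new site prefix:", new_site, "first subnet:", subnet(new_site, 1))
```

Hand-picked prefixes such as fd00::/48 are the ones that collide when two networks are later joined, which is why the inventory check flags hq and branch.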

Link-Local Addresses (LLA)

LLAs are automatically configured on interfaces and are used for communication within the same link or subnet. They use the prefix fe80::/10 and are not routable beyond the local link.

PCNSE Exam Note: LLAs are crucial for neighbor discovery and are used during the initial stages of IPv6 configuration.

EUI-64

EUI-64 is a method for generating the 64-bit Interface Identifier part of an IPv6 address. This is usually derived from the device's 48-bit MAC address. A key step in the process is inverting the 7th bit (U/L bit) of the MAC address. This format is very common, but embedding a MAC address in a public IPv6 address carries an inherent privacy risk.

EUI-64 Process

Gotcha! Remember to invert the 7th bit! This is a common mistake.

Stateless Address Autoconfiguration (SLAAC)

SLAAC enables automatic IPv6 address configuration without a DHCPv6 server. Devices solicit routers for network prefixes via Router Solicitation (RS) messages. Routers respond with Router Advertisements (RA) containing prefixes. Devices then combine the prefix with an Interface Identifier (often using EUI-64) to create a unique address.

SLAAC Process

PCNSE Exam Note: Be prepared to troubleshoot SLAAC issues. Understand the role of RA messages and how to customize their parameters on a Palo Alto Networks firewall.

DHCPv6

DHCPv6 can be used in stateful (address assignment) or stateless (other configuration parameters) mode. It provides more control than SLAAC, allowing for centralized address management and distribution of additional network information (DNS servers, domain names, etc.).

DHCPv6 Stateful Address Assignment

PCNSE Exam Note: Understand the different DHCPv6 message types and how they are used in different configuration modes. Be able to configure DHCPv6 relay and server functionality on a Palo Alto Networks firewall.

DHCPv6 Prefix Delegation (DHCPv6-PD)

DHCPv6-PD allows a client router to request an IPv6 prefix from a DHCPv6 server, typically an ISP. The client router then uses this delegated prefix to assign addresses to its downstream devices, enabling automated subnet management.

DHCPv6-PD Example

PCNSE Exam Note: Understand the role of DHCPv6-PD in ISP deployments and how it integrates with SLAAC and DHCPv6 for address assignment within customer networks. You might need to configure this on the external interface of a Palo Alto Networks firewall.

PCNSE Quiz

1. Which IPv6 address type is used for one-to-many communication within a limited scope, typically a single subnet?

2. What is the purpose of Duplicate Address Detection (DAD) in IPv6?

3. Which IPv6 address type is similar to private IP addresses in IPv4?

4. What is the prefix used for Link-Local addresses in IPv6?

5. Which method is commonly used to automatically generate the Interface Identifier portion of an IPv6 address from a device’s MAC address?

6. What is the seventh bit from the left in a MAC address called within the context of EUI-64?

7. Which of the following is a privacy concern associated with EUI-64?

8. What does SLAAC stand for in IPv6?

9. What message does a host send to discover routers on an IPv6 network when using SLAAC?

10. Which of these is NOT a benefit of DHCPv6 compared to SLAAC?

11. What does DHCPv6-PD stand for?

12. What is a typical prefix length delegated by an ISP using DHCPv6-PD?

13. Which address type is used to send IPv6 packets to all devices on a link?

14. Which method is not commonly used for IPv6 autoconfiguration?

15. What is the IANA's role in IPv6 addressing?

16. What is the default gateway of a host configured to use IPv6?

17. What type of IPv6 address would you use for a web server that needs to be highly available?

18. How many bits are in an IPv6 address?

19. Which protocol is primarily used for resolving IPv6 addresses to MAC addresses?

20. In a Palo Alto Networks firewall, where would you typically configure DHCPv6-PD?