HP 635n HP Jetdirect Print Servers - Practical IPv6 Deployment for Printing an
HP 635n - JetDirect IPv6/IPsec Print Server Manual
UPC - 882780301016
HP 635n manual content summary:
- HP 635n | HP Jetdirect Print Servers - Practical IPv6 Deployment for Printing an - Page 1: for the Intranet 27 The IPv6 Only Subnets...27 IPv6 Discovery, Attacks, and Mitigations 28 HP Jetdirect Security Options with IPv6 31 Summary ...33 Appendix A: Changing Vista's Preferences 34 Appendix B: IPv6 Service Discovery 37 Introduction The change from IPv4 to IPv6 is coming. There will
- Page 2: This focus is based upon HP's printing and imaging experience with IPv4, IPv6, and IPsec. HP has been working on IPv6 for quite a while and shipping products that support IPv6. For example: • HP introduced the HP Jetdirect 635n EIO print server which supports IPv4, IPv6, and IPsec in October of 2005
- Page 3: whether these devices have an IPv6 upgrade and support plan. As an example, the latest HP printing and imaging products with Jetdirect technology allow for IPv4 and IPv6 to be treated equally in regards to security configurations, such as the negotiation of IPsec or the configuration of packet
- Page 4: operational on new workstations with Vista, servers with Windows Server 2008, and newly deployed printers and MFPs as well as many other network devices targeting the IPv6 market. Customers will be deploying these devices in predominately IPv4 environments. Is your network ready for it? If you don
- Page 5: . An application that can run transparently over IPv4 or IPv6 is called an IP Neutral application. Let's assume that an impromptu meeting is set up in a conference room. A couple of laptops with Microsoft Vista and the latest HP Multi-Function Printer (MFP) are installed on a switch and everything is
- Page 6: values for each network device after boot IPv4 and IPv6 and Vista1 will try IPv6 first. An HP MFP with an Embedded Jetdirect version of V.37.XX and lower does not support LLMNR and the LLMNR packets go unanswered (Note: We will discuss Jetdirect's LLMNR implementation, available in a later firmware
- Page 7: only DNS would be used (Numbers 1 and 2 in Figure 2) because the other name resolution protocols only support single label names. Second, because the network is an ad-hoc network or Link Local network, there is no DNS configuration, no WINS configuration, and the lookup up LAN Manager hosts (LMHOSTS
- Page 8: \Drivers IP Neutral, internally calls getaddrinfo() IPv6 using a destination IPv6 multicast address of FF02::1:3 first, then Vista1 sends an LLMNR Name Query Request packet over IPv4 using a destination IPv4 network environment, and the protocols supported by the network HP MFP would be done using IPv4
- Page 9: any link local name resolution traffic. In short, Link Local Network 1 does not know Link Local Network 2 exists and vice versa. LLMNR Support in HP Jetdirect Just to shake things up a bit, HP Jetdirect introduced LLMNR support based on RFC 4795 in firmware versions V.38.XX and later, which was just
- Page 10: of 224.0.0.252. Jetdirect responds to both requests. Vista1 prefers IPv6 over IPv4. • The ICMP Echo Request/Reply over IPv6 is sent. (3) Vista1 executes the command "ping mfp2", mfp2 does not support LLMNR. • Step 0: The ping application, which on Vista is IP Neutral, internally calls getaddrinfo
- Page 11: on HP Jetdirect. When LLMNR is supported but disabled, NetBIOS name resolution will result in IPv4 being used. IPv6 Link Local Islands When Microsoft began rolling out Windows NT, DHCP was used to automatically assign IPv4 addresses and the Windows Internet Naming Service (WINS) provided a server
- Page 12: ! Essentially, if your HP MFP is on a different network and it is not in a centralized name server such as WINS, name resolution will fail. How can we overcome this failure? Well, we can manually add the entry to the %SystemRoot%\System32\Drivers\Etc\Hosts file. Assuming the IPv4 address of "mfp2
- Page 13: the DHCPv4 server to update DNS on their behalf. A typical network setup would be that the DHCPv4 supplies the DNS server address, server is provided in the DHCPv4 configuration, the HP devices will register their names with the WINS server too. In the DNS database for the zone "example.internal
- Page 14: IPv6 multicast address of FF02::1:3 first, then Vista1 sends an LLMNR Name Query Request packet over IPv4 using a destination IPv4 multicast address of 224.0.0.252. There is no response since the HP MFP doesn't support the DNS server to resolve the name "mfp3.example.internal" to an IPv4 address (an
- Page 15: have failed because "ping mfp2.example.internal" effectively says: "only check the DNS server". Effectively in these last few configurations, although all the Vista machines and HP MFPs have an IPv6 address, communication only goes over IPv4. Can we force IPv6 to be used in these environments? Sure
- Page 16: Figure 8 - Die Roll to Binary Conversion
- Page 17: Once we have this table, we can bring up the Windows calculator to do the rest of the work for us. Figure 9 - Standard View Calculator Change to the Scientific View. Figure 10 - Change to Scientific View
- Page 18: Select Binary. Figure 11 - Scientific View Figure 12 - Select Binary Enter the Binary values from your dice rolls.
- Page 19: Figure 53 - Enter Binary Value Select Hex, which will automatically convert the Binary value to Hexadecimal, to get the Global ID. Figure 64 - Convert to Hexadecimal The format of the unique-local address would be as follows: FD [insert random string here] [subnet]::/64 Assuming a subnet of zero and
- Page 20: HP printers and MFPs) is to look for IPv6 routers so that they may provide IPv6 automatic address configuration information. Suddenly, every IPv6 enabled device now has at least two IPv6 addresses: A link local IPv6 address and a non link local IPv6 address. Refer to Figure 16 - IPv4/IPv6 Network
- Page 21: In our example, the DNS server only has an IPv4 address which Vista1 will use to ask the DNS server name resolution questions. Therefore, Vista1 is asking for IPv6 information over the IPv4 protocol. This network behavior is perfectly valid. DNS resolvers and servers are not supposed to make any
- Page 22: because there is no DHCPv6 server operating on the network, it doesn't appear as though the same name registration can happen automatically with IPv6. Therefore, only the A record is available for mfp1 and mfp2 in DNS. In short, "ping mfp2.example.internal" will result in IPv4 being used based upon
- Page 23: on it. What happens when a given protocol is supported over IPv4 but not IPv6? What would the behavior be? Let's look at a trace where we are trying to open a telnet connection to mfp3.remote.example.internal. HP Jetdirect does not support telnet on IPv6. Here we can see that the DNS query behaves
- Page 24: to the user, the second command switches to use IPv4 after the IPv6 connection fails. This leads us to a second important point about IP Neutral services - there should be no difference in the service capability when accessed over IPv6 as compared to IPv4. Why? In most cases, users will be using
- Page 25: add IPv6 capability to internal routers. When IPv6 is fully network where we've separated out our Public Servers from our Internal Servers. The public servers remain IPv4 and the components that provide security to our network from the Internet remain IPv4 of network appliances, not just printers and
- Page 26: there is no need for DHCPv6 to provide anything but those "Other" parameters, such as IPv6 addresses for DNS servers. What DHCPv6 and stateful IPv6 address management does provide is the following: • Centralized IPv6 Address Management • DNS Update via the FQDN option First and foremost, if one has
- Page 27: used, the application could utilize "mfp2.ipv6.example.internal" and not have to type in an IPv6 address. Although this initially sounds like a good idea, the main problem is that a device may only be able to handle one domain name for both IPv4 and IPv6. HP Jetdirect handle separate domain names if
- Page 28: some concerns over IPv6-only network deployments is to first talk about an IPv4 only network. Here is a scenario Web Jetadmin administrator working on an IPv4 only network: I am a Web Jetadmin administrator responsible for a network of 100 subnets. Anytime someone installs a printer or MFP on
- Page 29: everything in about a week. Here is the same Web Jetadmin administrator in an IPv6 only environment. I am a Web Jetadmin administrator responsible for a network of 100 subnets. Anytime someone installs a printer or MFP on the network, I want to find this device in a reasonable amount of time and put
- Page 30: , but were the ACLs updated for IPv6 when IPv6 was deployed? This is true of any management protocol, not just SNMP. • Check if the DNS servers support unsecured DNS updates. If so, modify entries or populate new service records. • Check for IPv6 web servers - they may not have the same security as
- Page 31: server for a decision. Some fun work needs to be done! HP Jetdirect Security Options with IPv6 In terms of IPv4, IPv6 and IPsec, there are three types of HP Jetdirect products: • IPv4 Support, no IPv6 support, no IPsec support • IPv4 Support, IPv6 Support, no IPsec support • IPv4 Support, IPv6
- Page 32: to have IPv6 capability for certain services and have other services disabled, HP Jetdirect provides a Firewall configuration which can be used to control access to the printer/MFP (NOTE: Please follow normal security precautions by setting passwords and controlling access to the Networking tab. See
- Page 33: used to force IPsec to be used for certain services, like management services. All in all, the Firewall provided by HP Jetdirect allows for a variety of configurations and a lot of flexibility for the administrator. Summary Microsoft's Vista, Windows Server 2008, and the new HP Printing and Imaging
- Page 34: having a device that supports IPv6. In the hosts file located in SystemRoot\System32\Drivers\Etc, there are two network itself. Because there are two records for the name "localhost", one IPv4 and IPv6 address, and Microsoft's Vista will prefer IPv6 addresses in the default configuration, IPv6
- Page 35: ::1". Since there are two localhost entries, we know that IPv6 must be preferred. We can change Vista's preferences by modifying We can see that the key resides here: • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters The key needs to be called DisabledComponents and should be
- Page 36: Refer to Figure 24. Figure 12 - Ping Now the reply is coming from 127.0.0.1, the IPv4 loopback address. Therefore, we have made Vista prefer IPv4 over IPv6. To disable all tunneling technologies, but not IPv6, use 0x01 for this key. This setting would be recommended for those customers committed to
- Page 37: , HP's Universal Print Driver uses the service discovery technology of Bonjour as one of its methods to find printers and MFPs. An alternative way of discovering services on the network is called Web Services Discovery or WS-Discovery. HP printers and MFPs that support IPv6 support WS-Discovery
Practical IPv6 Deployment for Printing and Imaging Devices
May 2008
Table of Contents:
Introduction (p. 1)
IPv6 – Truths, Myths, and Practical Considerations (p. 2)
The Importance of Names and Name Resolution (p. 4)
The Isolated Dual-Stack (p. 5)
LLMNR Support in HP Jetdirect (p. 9)
IPv6 Link Local Islands (p. 11)
What IPv6 Address Range Should We Use? (p. 15)
IPv6 Stateless Automatic Address Configuration (SLAAC) (p. 20)
Preparing the Intranet for IPv6 (p. 24)
DNS Zone Options for the Intranet (p. 27)
The IPv6 Only Subnets (p. 27)
IPv6 Discovery, Attacks, and Mitigations (p. 28)
HP Jetdirect Security Options with IPv6 (p. 31)
Summary (p. 33)
Appendix A: Changing Vista’s Preferences (p. 34)
Appendix B: IPv6 Service Discovery (p. 37)
Introduction
The change from IPv4 to IPv6 is coming. There will be deployment difficulties, security concerns, and potentially a whole new peer-to-peer connectivity model ushered in by the transition to IPv6. The benefits could be tremendous, but they could also be risky due to lack of IPv6 experience. Although the transition to IPv6 has been slow, there are many signs it is increasing. The recent resolution of the American Registry for Internet Numbers (ARIN) has tried to encourage IPv6 adoption due to IPv4 address space being depleted and prompted additional interest in IPv6. Lockheed Martin has also announced an IPv6 pilot as they plan on moving towards an IPv6 infrastructure. Microsoft shipped Vista in 2007 and included IPv4, IPv6, and IPsec as fully supported connectivity solutions for applications that run on Vista. Windows Server 2008 follows in Vista’s footsteps with a server platform and fully supported IPv4, IPv6, and IPsec solutions.
whitepaper