Master Thesis Supporting IPv6 host-based multihoming ... · Master Thesis Supporting IPv6...

Theoretic overviewShim6 and Firewalls: Problem statement

ImplementationPerformance evaluation

Configuring a shim6-firewallConclusion

Master Thesis

Supporting IPv6 host-based multihoming (shim6)in Linux Firewalls

Christoph Paasch

December 20, 2010

Christoph Paasch Master Thesis - Shim6-firewall

1 Theoretic overview

2 Shim6 and Firewalls: Problem statement

3 Implementation

4 Performance evaluation

5 Configuring a shim6-firewall

6 Conclusion

MultihomingShim6Statefull firewall

1 Theoretic overviewMultihomingShim6Statefull firewall

2 Shim6 and Firewalls: Problem statementDesign of the shim6 firewall

3 ImplementationShim6-firewall architecture

6 Conclusion

Multihoming

Supporting IPv6 host-based multihoming (shim6) in Linux Firewalls

Multihoming

Separate Locators from Identifiers.

Identifier Identifies a connection and is passed to the upper layerprotocols.

Locators Used inside the packet.

Shim6 control messagesEstablish the shim6 sessionAssure connectivitySwitch locators

Shim6 payload messagesTransport payload-data, tagged with the context tag

Statefull firewall

Supporting IPv6 host-based multihoming(shim6) in Linux Firewalls

Statefull firewall

Design of the shim6 firewall

6 Conclusion

Shim6 vs. Stateful Firewalls

Solution

Associate the new flow to the original state

Track shim6 context establishment

Map Context Tag to the pair of identifiers

ProblemsShim6 does not allow support of each feature in stateful firewalls.Shim6 needs to be changed.

Shim6-firewall architecture

6 Conclusion

Shim6-Firewall architecture

6 Conclusion

Test Setup

Creation of a huge number of firewall-states

Delay measured that the firewall introduces

Session Initiation messages

0 50000 100000 150000 200000 250000 300000

Number of states created

Delay introduced by the firewall for shim6/TCP state initiation messages

TCP-syn on shim6-firewallI1-message on shim6-firewall

TCP-syn on clean Kernel

6 Conclusion

Express consistent rules

Filter on identifiers rather than on locators.

Avoid locator-specific rules.

Avoid per-locators rate-limiting rules.

6 Conclusion

Conclusion

Most parts of shim6 are supported in the Linux firewall.

Performs very well even with a huge number of states.

Configuring the firewall needs to be done carfully.

Future WorkMinor modifications to the shim6 protocol.

Adapt firewall to these changes.

Tweak the firewall to achieve best performance.

Questions?

Master Thesis Supporting IPv6 host-based multihoming ... · Master Thesis Supporting IPv6...

Documents

Transcript of Master Thesis Supporting IPv6 host-based multihoming ... · Master Thesis Supporting IPv6...

IPv6 DNS, Routing, and Multihoming - · PDF fileIPv6 DNS, Routing, and Multihoming Jeff Doyle IPv6 Solutions Manager jeff@juniper.net. Agenda

BGP Multihoming Techniques - MENOG · MENOG 1 3 BGP Multihoming Techniques •Why Multihome? •Definition & Options •Preparing the Network •Basic Multihoming •Service Provider

BGP Multihoming Techniquesarchive.apnic.net/meetings/16/...multihoming-smith.pdf · BGP Multihoming Techniques ... • Preparing the Network • Connecting to the same ISP • Connecting

Multihoming Using Juniper MX80

Management Changes in IPv6 - share.confex.com · 23.02.2011 · 3178 IPv6 Multihoming Support at Site Exit Routers . 3226 DNNSSEC and IPv6 A6 aware server/resolver messages . 3266

Supporting IPv6 host-based multihoming (shim6) in … · Supporting IPv6 host-based multihoming (shim6) in Linux ﬁrewalls ... 6.1.3 Firewall blocking the new locator pairs ... This

Multihoming Techniques

BGP Multihoming - NSRC

Scaling the Internet for our Next Generations · The multihoming approaches currently used in IPv4 can of course be used in IPv6, but IPv6 represents an opportunity for more scalable

D - Enterprise Multihoming

BGP Multihoming Techniques

RFC 8678: Enterprise Multihoming Using Provider-Assigned ...describes a translation solution speciﬁcally tailored to meet the requirements of multihoming with provider-assigned IPv6

Internet Multihoming Techniques · Internet Multihoming Techniques. 2 ISP Hierarchy • Default free zone ... Multihoming • More than one upstream ISP – Multi-homed ISP2 ISP1

Multihoming in IPv6 Mobile Networks - · PDF fileMultihoming in IPv6 Mobile Networks Internship Report realized in WIDE Project Master of Network Computer Engineering September 2003

The Paths Towards IPv6 Multihoming - UCLouvain...the BGP routing tables in the Internet, the way to get multi-homed in IPv6 is required to allow route aggregation in order to preserve

AARNet BGP multihoming

Novel results on SCTP multihoming performance in native ...huszak/publ/Novel Results on SCTP Multihoming... · Novel results on SCTP multihoming performance in native IPv6 ... ‘Novel

1 An Update on Multihoming in IPv6 Report on IETF Activity IPv6 Technical SIG 1 Sept 2004 APNIC18, Nadi, Fiji Geoff Huston.

Multihoming in IPV6 Habib Naderi Department of Computer Science University of Auckland.

Implementation and evaluation of the Shim6 protocol in the ... · multihoming techniques such as shim6. Keywords: Shim6, IPv6, Multihoming 1. Introduction The current IPv4 Internet