IPv6 -- A practical guide to Implementationfacweb.cs.depaul.edu/brewster/ipv6/Full Course...

Revised 2010 August 17 Hurricane Electric

IPv6 -- A practical guide to Implementation

Owen [email protected]

2010 August 17 Hurricane Electric Page

Acknowledgements

Special thanks for: Content and graphics:

Mukom Akong Tamon (AfriNIC) Nishal Goburdhan (AfriNIC)

Research, Data, and graphics Geoff Huston (APNIC)

Inviting me to present this Srinivas Chendi (APNIC)

Attending All of you

2


Logistics

Location of rest rooms Please turn off your mobile phone(s) Please ask questions

Please don’t be afraid to speak up For any non-native English speakers: No matter

your English skills, I assure you they are better than my skills at your native language.

3


History (August 17, 2010)

4

Now


Why is this important? - Today

5

Today

1/31/2010 Hurricane Electric Page

RIR Free Pool ProjectionsGeoff Huston’s math:

6


Why do we need IPv6?(1. NAT breaks IPSec)

This works fine until you want to secure the connection with IPSec

The NAT device modifies the packet header, breaking IPSec

7

Backend SQL Server

Private Network Public Network

Web Server

Client to Web Server

Web Server to SQL database

NAT Gateway


Why do we need IPv6?(2. NAT Complicates Communications)

Making this work (through NAT) is a nightmare.

It’s can be even worse for VOIP

8


Why do we need IPv6(3. NAT breaks remote management)

Branch offices behind NAT are not easily managed from remote locations

9

Kaduna Office

Bamenda Office

InternetRemote Management

Station

Tokyo Office

Adelaide Office


Why do we need IPv6(4. Other IPv4 Limitations) Only 3.2 billion global unicast addresses Figure at least 5 IP addresses per person World Population 6.5 Billion Also need addresses for servers, provider

infrastructure, etc. IPSec implemented as an afterthought mostly

at L4

10


Why do we need IPv6?(5. Other Implications of NAT) Single points of failure -- NAT Gateway keeps state Additional hardware resources to maintain state

tables/translation tables Breaks end-to-end model [p2p, voip, etc.] and hinders

incoming connections to inside hosts Significant overhead/application bloat dedicated to

working around NAT Causes problems for audit and abuse identification Complicates network troubleshooting and event

correlation

11


Why do we need IPv6?(6 -- The final answer) Even with NAT, we’re still rapidly running out of IPv4

addresses. IANA ran out in February. APNIC may be out as early as June. The largest three RIRs (APNIC, ARIN, RIPE NCC) will

likely be out* in less than a year, probably before the end of 2011.

* The definition of “out” is subjective and depends on the size block being requested.

12


Features of IPv6?

2^96 times as much address space (3.4x1038 addresses total)

No NAT IPSec built into the layer 3 protocol Path MTU discovery built in and required to work

(don’t indiscriminately block ICMP6) Multiple addresses per interface, easier and less

disruptive renumbering Very large subnets -- no more need to count

hosts13


Why a new protocol?

There simply aren’t enough addresses in IPv4 Restore the end-to-end model of communication enabling

significant innovation Smart grids IP Telephony & IPTV Smart devices (TVs, refrigerators, etc.) “Internet of Things” Internet access on planes, trains, and automobiles

Growing demand for addresses to reach more people While we’re at it, fix some (not all) of the issues with IPv4

14


Applications that require IPv6(not possible in IPv4) Green Tech - Give all energy consuming devices

an address and manage/monitor remotely Global IP Telephony - No intermediate servers Give all users the ability to host services

Video streams Personal web site or blog Host games (Console or PC games)

Natural Disaster warning systems Improved access to EMS, Medical telepresence

15


The choice to be made:

Which Approach will you take?

16

IPv4/IPv6 Dual Stack NowIPv4 is just fine.

We just need more NAT!!My dual stack

network is runninggreat!


Part 1 - Nuts and Bolts

First, we’ll teach you about all the little pieces that make IPv6 possible (basics)

Addresses Nomenclature Address Structure Address Scopes and Purposes Etc.

17


IPv6 -- The basics1. Address Notation 8 groups of 4 hex digits (16 bits) separated by colons (:) Rules for shortening:

Drop any leading zeroes in a group Replace ONE set of consecutive 0 groups with ::

Example: 2001:0001:0000:0000:00A1:0CC0:01AB:397A

18

2001:0001:0000:0000:00A1:0CC0:01AB:397A

2001:1:0:0:A1:CC0:1AB:397A

2001:1::A1:CC0:1AB:397A


IPv6 -- The Basics2. Types of IPv6 Addresses

19

Type Sub-Types Notes

Unicast

Global Unicast Currently 2000::/3

Unicast

Protocol Use Uses such as 6to4 , Teredo

Unicast Unspecified Default route or unknown address (::/0)Unicast

Loopback ::1/128

Unicast

Link Local fe80::/16 for use only on local link

Multicast Used to implement all ‘broadcast-like’ behaviorUsed to implement all ‘broadcast-like’ behavior

Anycast Globally Unique address shared by multiple hostsGlobally Unique address shared by multiple hosts


IPv6 -- The Basics3. Address Scopes

20

Type Notes

Global Routed throughout the entire IPv6 Internet

Link Local

•Can be used only by nodes on same link

•Never forwarded by routers•Prefix fe80::/10•IPv6 hosts automatically generate one per interface•Can also be manually configured•Requires ZoneID (%interface) for disambiguation

Unique Local

•Can be used with any site or group of sites on agreement•ULA Random (fd00::/8) High probability of uniqueness•fc00::/8 Reserved for future use (coordinated ULA?)


IPv6 -- The basicsAnatomy of a Global Unicast address

Every end site gets a /48 Global Unicast currently being allocated from 2000::/3

Top: Provider assigned Bottom: Provider Independent

21

3 bits 9 bits 20 bits 16 bits 16 bits 64 bits

001 IANA to RIR

RIR to ISP

ISP to End Site

Net Interface ID

001 IANA to RIR RIR to End SiteRIR to End Site Net Interface ID

3 bits 9 bits 36 bits36 bits 16 bits 64 bits


IPv6 -- The basicsAnatomy of a Link Local address

Always fe80::/64, re-used on every link Never forwarded off-link (link scope) Must be present for interface to participate in

IPv6, Automatically configured ZoneID used to disambiguate different links

22

16 bits 48 bits 64 bits

fe80 0 Interface ID


IPv6 -- The BasicsResolving Link Local Scope Ambiguity with Zone ID

Recall: every link has link local address in fe80::/64So out which interface should the router send out a packet to fe80/64?ZoneIDs (or scopeIDs) disambiguate by specifying the interface to which the address belongs.Specified as [RFC4007]: address%zoneIDZoneID could be the interface number or other identifier.e.g ping fe80::245:bcff:fe47:1530%fxp0 [on a FreeBSD system]

23

fe80::212:6bff:fe54:f99a

R

N1

Fe 0/0Fe 0/1

N2

M2 M1

fe80::212:6bff:fe3a:9e9a

fe80::212:6bff:fe17:fc0f fe80::245:bcff:fe47:1530

2010 August 17 Hurricane Electric

IPv6 -- The basicsAnatomy of Unique Local Addresses [RFC4193]

Like RFC1918 but lower chance of collision Prefix fc00::/7 + “L flag” (bit 8) indicates whether prefix is locally

assigned [1] or globally assigned [0]. (Global currently deprecated) Scope is global, but, filtered by most routers and ignored by most

eBGP peers fd00::/8 Global IDs generated at random (RFC4198) Uniqueness is NOT guaranteed but highly likely

17

8 bits 40 bits 16 bits 64 bits

fdXX Global ID SubnetID Interface ID


IPv6 -- The basicsAnatomy of a 6to4 Transition Address

WWXX:YYZZ is the hex form of a public IPv4 address Used to create global prefixes and hosts for v6 capable sites on the

IPv4 internet Better in theory than practice Example address: 192.159.10.200/32 (IPv4) becomes

2002:c09f:0ac8::/48 (65,536 IPv6 subnets for every IPv4 host)

17

48 bits48 bits 16 bits 64 bits

2002WWXX:YYZZIPv4 Address

SubnetID Interface ID


IPv6 -- The basicsAnatomy of an IPv4-Mapped Transition Address

Usually represented as ::ffff:w.x.y.z where w.x.y.z is a normal address Internally represents an IPv4 node to an IPv6 node Never used on the wire Simplifies software development for dual-stack (treat all connections as

IPv6)

17


0 ffff IPv4 Address


IPv6 -- The basicsISATAP Transition Addresses

64 bit prefix (fe80:: for link local, others depend on ISATAP server being used)

Patented by SRI, License free Most widespread implementation of ISATAP is Teredo Brittle and hard to troubleshoot A poor substitute for native IPv6 connectivity or better tunnel choices

17


Prefix 0000:5efe Private IPv4 Address


IPv6 -- The basicsAnatomy of a Multicast Address

Flags determine whether the address is transient, based on a unicast prefix, or embeds an RP address

ff00::/8 Permanent groupIDs are independent of scope while transient groupIDs

are only relevant within their scope.

17

8 bits 4 bits 4 bits 112 bits

ff Flags Scope GroupID


Flag and Scope Bits in Multicast Addresses

29

The Flag FieldThe Flag Field

Bit Position Description

Bit 3 Undefined

Bit 2 (R flag) Rendezvous Point address is embedded (1) or not (0)

Bit 1 (P flag) Address is based on a unicast prefix (1) or not (0)

Bit 0 (T flag) Address is IANA defined (0) or transient (1)

The Scope FieldThe Scope FieldThe Scope Field

Binary Hex Scope

0001 1 Interface

0010 2 Link

0100 4 Admin

0101 5 Site

1000 8 Organisation

1110 E Global

Others Unassigned or Reserved


Some Reserved/Well Known Multicast Groups

30

Some Well-Known/Reserved Multicast GroupsSome Well-Known/Reserved Multicast GroupsSome Well-Known/Reserved Multicast Groups

Address Scope Description

FF01::1 1=Interface All nodes on the interface

FF02::1 2=Link All nodes on the link

FF01::2 1=Interface All routers on the interface

FF02::2 2=Link All routers on the link

FF05::2 5=site All routers in the site

FF02::5 2=Link All OSPFv3 routers

FF02::6 2=Link OSPFv3 designated routers

FF02::A 2=Link All EIGRPv6 routers

FF02::D 2=Link All PIM routers

FF02::1:FFXX:XXXX 2=Link Solicited-node address


Solicited-Node Multicast Address

Used as destination for Neighbor Solicitation Constructed from prefix ff02::1:ff00:0/104 and the last

24 bits of the IPv6 address Every node will listen to and respond to its solicited

node address ALlows link-layer address resolution to not disturb

(most) unconcerned nodes.

31

Prefix InterfaceID

FF02:1::FF00: Lower 24 bits

104 bits 24 bits


IPv6 - The BasicsAddress Type Rehash

32

Summary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address Types

TYPESTRUCTURESTRUCTURESTRUCTURESTRUCTURESTRUCTURESTRUCTURESTRUCTURESTRUCTURE

TYPE16 BITS 16 BITS 16 BITS 16 BITS 16 BITS 16 BITS 16 BITS 16 BITS

Global Unicast Global IDGlobal IDGlobal ID Subnet ID Interface IDInterface IDInterface IDInterface ID

ULA-Reserved fcxx 00 Subnet ID Interface IDInterface IDInterface IDInterface ID

ULA-Local fdxx 00 Subnet ID Interface IDInterface IDInterface IDInterface ID

Link-Local fe80 000 Interface IDInterface IDInterface IDInterface ID

IPv4 Mapped 00000 ffff <IPv4 Address><IPv4 Address>

6to4 2002 <IPv4 Address><IPv4 Address> Subnet ID Interface IDInterface IDInterface IDInterface ID

ISATAP <64bit v6 Prefix><64bit v6 Prefix><64bit v6 Prefix><64bit v6 Prefix> 0 5efe <IPv4 Address><IPv4 Address>

Unspecified 00000000

Loopback 0000000 1

Multicast ff<LS> Multicast GroupIDMulticast GroupIDMulticast GroupIDMulticast GroupIDMulticast GroupIDMulticast GroupIDMulticast GroupID


IPv6 - The BasicsAddress Type Rehash

33

Summary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address Types

Type Range Application

Global Unicast 2000::/3 Normal host to host communications

Link-local fe80::/10 Connected-link communications

Anycast 2000::/3 One to Any (Any=topologically closest)

Unique-local fc00::/7 Normal host to host communications within a site

IPv4-mapped Represent an IPv4 address in IPv6 format

6to4 2002::/3 Automatic transition mechanism

ISATAP Intra-site transition mechanism

Unspecified ::/0 When node doesn’t have an address

Loopback ::1/128 Used for intra-node communications

Multicast ff00::/8 One to Many


IPv6 -- The basicsHow Global Unicast is Allocated

34

2000::/3 0::/0 (IETF»IANA)

2610::/12(IANA»RIR)

(RIR»LIR) 261f:1::/32 (204 /32s per Pixel)

261f:1:d405::/48 (409.6 /48s per pixel)(IANA or RIR » End Site)


IPv6 -- The basicsHow Global Unicast is Allocated

30

261f:1:d405::/48 (409.6 /48s per pixel)(IANA or RIR » End Site)

261f:1:d405:e008:/48 (409.6 /64s per pixel)(IANA or RIR » End Site)

The Numbers: 8 /3s, one of which is in use 512 /12 allocations to RIRs in first /3 (6 used so far) 1,048,576 LIR /32s in each RIR /12 65,536 /48 Assignments in each /32


IPv6 -- The BasicsGlobal Unicast in perspective The Numbers (cont.)

The first /12 assigned to each RIR can support 68,719,476,736 /48 End Sites

There are 506 /12s remaining if that’s not enough for any particular region.

Many ISPs will require more than a /32, but, even if we figure a /28 for every ISP on average, that’s still enough addresses for 65,536 ISPs in each RIR region without exhausting their first /12. (There are currently fewer than 30,000 BGP speaking ISPs worldwide)

In short... There is more than enough address space for liberal assignments under current and any likely policy.

36


IPv6 -- The BasicsSimple IPv6 Header

37

0....3 4...7 8...11 12...15 16...19 20...23 24...27 28...31Version Class of TrafficClass of Traffic Flow LabelFlow LabelFlow LabelFlow LabelFlow Label

Payload LengthPayload LengthPayload LengthPayload Length Next HeaderNext Header Hop LimitHop Limit

Source AddressSource AddressSource AddressSource AddressSource AddressSource AddressSource AddressSource Address

Destination AddressDestination AddressDestination AddressDestination AddressDestination AddressDestination AddressDestination AddressDestination Address

Total length: 40 octetsTotal length: 40 octetsTotal length: 40 octetsTotal length: 40 octetsTotal length: 40 octetsTotal length: 40 octetsTotal length: 40 octetsTotal length: 40 octets


IPv6 -- The BasicsExtension Headers

38

Hop-by-Hop Options Header(s)

Destination Options Header(s) (Intermediate)

Routing Header(s)

Fragmentation Header

Authentication Header

Encapsulation Secure Payload Header

Destination Options Header (final)


IPv6 -- The BasicsPutting Headers Together

39

40404040

242424

242424

88

Version Traffic ClassTraffic Class Flow LabelFlow LabelFlow LabelFlow LabelFlow LabelPayload LengthPayload LengthPayload LengthPayload Length Next Header=43 (Routing)Next Header=43 (Routing) H. LimitH. Limit

Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)

NH=60 (Dest.)NH=60 (Dest.) HdrExtLen=2HdrExtLen=2 Rout.Type=2 Seg.Left=1Seg.Left=1Seg.Left=1Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)

Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)NH=44 (Fragment)NH=44 (Fragment) HdrExtLen=2HdrExtLen=2 Opt.Type=1 Opt.Len=2Opt.Len=2Opt.Len=2

0000 Opt.Type=201 Opt.Len=16Opt.Len=16Opt.Len=16Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)

NH=6 (TCP) Rsvd. Fragment OffsetFragment OffsetFragment OffsetFragment Offset Res. MIdentificationIdentificationIdentificationIdentificationIdentificationIdentificationIdentificationIdentification

UL Header (TCP)UL Header (TCP) PayloadPayloadPayloadPayloadPayloadPayload


User Lab 1 -- IPv6 Newbie

Go to http://tunnelbroker.net Create an account Begin your training Take the Newbie Test

40


IPv6 -- Not your father’s IP

41


IPv6 -- Address PlanningDon’t oversimplify too much! There are lots of people saying “ISPs get

/32s, end sites get /48s.” That’s an unfortunate oversimplification. ISPs get AT LEAST a /32 and can get

whatever larger allocation they can justify. End sites should get at least a /48 and should

be given whatever larger assignment they can justify.

42


IPv6 -- Address PlanningMethodology Don’t start with a /32 and figure out how to

make your needs fit within it. Start by analyzing your needs and apply for a

prefix that will meet those needs. In your analysis, it’s worth while to try and

align allocation units to nibble boundaries. A nibble boundary is a single hex digit, or, a number 2^n such that n is a multiple of 4. (e.g. 16, 256, 4096, 16384, 65536...)

43


IPv6 Address PlanningAnalysis Start with the number of end sites served by

your largest POP. Figure a /48 for each. Round up to the a nibble boundary. (if it’s 3,000 end sites, round up to 4096, for example... a /36 per POP.

Next, calculate the number of POPs you will have. Include existing POPs and likely expansion for several years. Round that up to a nibble boundary, too. (140 POPs, round up to 256).

44


IPv6 Address PlanningAnalysis Now that you have an address size for each

POP (4096 = 12 bits in our example) and a number of POPs (256 = 8 bits in our example), you know that you need a total of POP*nPOPs /48s for your network (4096*256=1,048,576 or 12+8=20 bits).

48 bits - 20 bits is 28 bits, so, you actually need a /28 to properly number your network.

You probably could squeeze this into a /32, but, why complicate your life unnecessarily?

45


IPv6 Address PlanningApply for your addresses Now that you know what size block you need,

the next step is to contact your friendly neighborhood RIR (Regional Internet Registry) and apply.

Most RIRs provide either an email-based template or a web-based template for you to fill out to get addresses.

If you are a single-homed end-user, you usually should get your addresses from your upstream rather than an RIR.

46


IPv6 Address PlanningThe bad news The addressing methodology I described above

may not be consistent with RIR policy in all regions (yet)*.

This means you might have to negotiate to a smaller block.

All RIRs have an open policy process, so, you can submit a proposal to enable this kind of allocation, but, that may not help you immediately.

* Adopted 2011-3 in ARIN, mostly permitted in RIPE, not yet discussed in AfriNIC or LACNIC.

47


IPv6 Address PlanningThe good news Having things on nibble boundaries is

convenient, but, not necessary. ip6.arpa DNS delegations Human Factors Routing Table management Prefix lists

The techniques that follow should work either way.

48


IP Address PlanningCarving it up For the most part, you’ve already done this. Take the number you came up with for the

nPOPs round-up and convert that to a number of bits (256 = 8 bits in our example).

Now, take what the RIR gave you (/28 in our example) and add that number to the above number (28+8 = 36) and that’s what you need for each POP (a /36 in our example).

49


IPv6 Address PlanningCarving it up Now let’s give address segments to our POPs. First, let’s reserve the first /48 for our

infrastructure. Let’s use 2000:db80 - 2000:db8f as our example /28.

Since each POP gets a /36, that means we have 2 hex digits that designate a particular POP.

Unfortunately, in our example, that will be the last digit of the second group and the first digit of the third group.

50


IPv6 AddressingCarving it up Strategy

Sequential Allocation Advantage: Simple, easy to follow Advantage: POP Numbers correspond to addresses DisAdvantage: Complicates unexpected growth

Allocation by Bisection Advantage: Simplifies growth Advantage: Greatest probability of Aggregation Disadvantage: “Math is hard. Let’s go shopping!”

51


IPv6 AddressingAllocation by Bisection Bisection? What does THAT mean? Simple... It means to cut up the pieces by

taking the largest remaining piece and cutting in half until you have the number of pieces you need.

Imagine cutting up a pie into 8 pieces...

52

First, we cut it in half...Then we cut it in half againThen AgainAnd finally a fourth cut


IPv6 AddressingAllocation by Bisection It’s a similar process for IPv6 addresses.

Let’s start with our 2001:db80::/28 prefix. We’ve already allocated 2001:db80:0000::/48 Our available space is now 2001:db80:0001:: to

2001:db8f:ffff:ffff:ffff:ffff:ffff:ffff. Cutting that in half we get 2001:db88:0000::/36 as our first POP address.

That leaves the largest chunk at 2001:db88:1000:: to 2001:db8f:ffff:ffff:ffff:ffff:ffff:ffff. Cutting that in half, we get 2001:db8c:0000::/36 as our next POP

53


IPv6 Address PlanningAllocation by Bisection After repeating this for 19 POP allocations,

we have a table that looks like this:

54

Infrsastructure 2001:db80:0000:/48 POP1 2001:db88:0000::/36

POP12 2001:db80:8000::/36 POP13 2001:db88:8000::/36

POP8 2001:db81:0000::/36 POP9 2001:db89:0000::/36

POP4 2001:db82:0000::/36 POP5 2001:db8a:0000::/36

POP14 2001:db83:0000::/36 POP15 2001:db8b:0000::/36

POP2 2001:db84:0000::/36 POP3 2001:db8c:0000::/36

POP16 2001:db84:8000::/36 POP17 2001:db8c:8000::/36

POP10 2001:db85:0000::/36 POP11 2001:db8d:0000::/36

POP6 2001:db86:0000::/36 POP7 2001:db8e:0000::/36

POP18 2001:db87:0000::/36 POP19 2001:db8f:0000::/36


IPv6 Address PlanningAllocation by Bisection Notice how by doing that, most of the /36s we

created have 15 more /36s before they run into allocated space and all have at least 7.

Notice also that if any POPs get larger than we expect, we can expand them to /35s, /34s, /33s, and most all the way to a /32 without having to renumber.

By default, at /36, each pop has room for 4096 /48 customers. End sites that need more than a /48 should be extremely rare*.

55


IPv6 Address PlanningAllocation by Bisection* End Site means a single customer location,

not a single customer. Many customers may need more than a /48, but, with 65,536 /64 subnets available, even the largest building should be addressable within a /48.

56


TAKE A BREAK

It’s come time to accommodate that basic reality... Humans don’t do well sitting in one place for extended periods of time listening to the same person blather on and on no matter how interesting the topic.

EVERYONE stand up. EVERYONE leave the room for at least the

next 10 minutes. EVERYONE try to be back within 20 minutes,

please. There’s still lots to cover.57


LoL Kitteh sez:

58

More IPv4 NATAre you fscking kidding me?


Part 2 - Making it work

Now that we’ve covered the nuts and bolts, let’s talk about how they go together into subassemblies and assemblies to make a working network.

59


IPv6 Host Administration

Configuring IPv6 on Linux /etc/network/interfaces How to configure SLAAC How to configure a Static Address

60


IPv6 Host Administration

How to manually configure an interface Depends on your OS

MacOS -- System Preferences Linux

Debi-oid -- /etc[/network]/interfaces (depending on version) Red Hat-oids -- /etc/sysconfig/network-scripts/ifcfg-<iface>

Windows -- Control Panel Setting an interface up to get an address from

SLAAC Usually no configuration required Linux may require one-two line text config.

61


IPv6 and DNS

Forward IPv6 resolution AAAA Records

Mostly the same as A records Right Hand side is an IPv6 Address in standard

abbreviated form (e.g. 2620:0:930::200:2) 96 more bits, no magic.

Reverse IPv6 resolution PTR Records, just like IPv4

ip6.arpa instead of in-addr.arpa No abbreviating Each nibble is a zone boundary

62


IPv6 DNS Examples

Forward:dualhost.example.com. IN AAAA 2001:db8::5 IN A 192.9.200.5

Reverse:5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR ipv6host.example.com

or:$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.5.0.0.0.0.0.0.0.0.0.0.0 IN PTR dualhost.example.com.

Note: in-addr.arpa and ip6.arpa are separate zones maintained in separate files.

63


IPv6 DeploymentNative connectivity Native connectivity is, by far, the simplest and

cleanest way to deploy IPv6. Just like IPv4 (mostly) but with bigger

addresses that look different. Example:

64

DEVICE=eth0ONBOOT=yesMTU=1280IPADDR=192.159.10.2NETMASK=255.255.255.0GATEWAY=192.159.10.254

IPV6INIT=yesIPV6ADDR=2620:0:930::0200:1/64IPV6_DEFAULTGW=2620:0:930::1IPV6_AUTOCONF=no


IPv6 DeploymentUsing Tunnels Slightly more complicated than native

connectivity MTU problems Lower MTU reduces performance on some

platforms. (Significantly on some versions of Windows)

Harder to Configure or harder to Troubleshoot (depending on tunnel solution chosen)

65


IPv6 Tunneling6in4 or GRE Tunnels Require manual configuration Direct point to point tunnel

between two known (and configured) IPv4 nodes

6in4 is very similar to GRE, but, only IPv6 inside IPv4 payload, protocol 41.

GRE can support both IPv6 and IPv4 in an IPv4 payload, protocol 47.

66

Example:gr-0/0/0 { unit 2 { description "HE Tunnel Broker"; point-to-point; tunnel { source 24.4.178.41; destination 64.71.128.83; path-mtu-discovery; } family inet6 { mtu 1280; address 2001:470:1f03:9c::2/64; } }

}


IPv6 Tunneling6to4 Autotunneling

67

Also uses protocol 41 like 6in4 tunneling, but, uses IPv4 anycast and automatic IPv6 address construction based on IPv4 address.

Nothing to configure, per se, just turn it on. Non-deterministic. Changes can occur anywhere in the network. No control over which 6to4 gateway you use. Hard to troubleshoot Easy to deploy (when it works)


IPv6 tunnelingTeredo

68

Developed by Microsoft. Automatically on by default in Windows since

Vista Present in Windows since XP SP1 Works through NAT Even Microsoft calls it a “Last Resort” for

IPv6 connectivity. Unless you absolutely need it, disable it and block it at your firewall.


Routing LAB 1

Design the Network Plan the addressing for the lab network Assign addresses to various hosts Configure your host with the following information

IPv4 Address IPv6 Address DNS Forward Zone

Add your host to the appropriate ip6.arpa zone

69


AS65201 AS65202

AS65203 AS65204

Team 1Machine 1

Team 1Machine 2

Team 1Machine 3

Team 1Machine 4

Team 2Machine 1

Team 2Machine 2

Team 2Machine 3

Team 2Machine 4

Team 3Machine 1

Team 3Machine 2

Team 3Machine 3

Team 3Machine 4

Team 3Machine 1

Team 3Machine 2

Team 3Machine 3

Team 3Machine 4

IXP

Routing Lab 1 Design Criteria

70

Divide into 4 teams Each team has 4 systems See Diagram Exercise Goals:

Numbering Plan Number all interfaces Ping all adjacent machines


IPv6 RoutingRIPng Just like RIPv2 for IPv4 Don’t do this Same reasons as RIPv2. Don’t do this It’s just a bad idea. Really, Don’t use RIP.

71


IPv6 RoutingOSPF OSPF3 can handle both IPv6 and IPv4 (most

vendors) OSPF2 (common version) is only IPv4. OSPF3 available on most routers, but,

requires configuration as OSPF3, not just “OSPF”.

Can run OSPF2 for IPv4 and OSPF3 simultaneously on most routers

Largely like IPv4 OSPF2 configuration

72


IPv6 RoutingOSPFv3 differences from OSPFv2 Router and Network LSA don’t carry IP addresses, new

type 9 LSA instead. Relies on AH and ESP instead of having authentication

in OSPF protocol Advertises all prefixes on the interface LSAs now have Flooding Scope Supports multiple instances per link - only routers in the

same instance form adjacencies For all neighbor communications, all packets are

sourced from link-local addresses with the exception of virtual links.

73


IPv6 RoutingOSPFv3 LSA types

74

LSA Type

Common Name

DescriptionDescription Flooding Scope

1 Router LSA Describes a router’s link states and costs of its links to one area.Describes a router’s link states and costs of its links to one area. Area

2 Network LSA Generated by a DR to describe the aggregated link state and costs for all routers attached to an areaGenerated by a DR to describe the aggregated link state and costs for all routers attached to an area

Area

3 Inter-Area Prefix LSA for ABRs

Originated by ABRs to describe interarea networks to routers in other areas.Originated by ABRs to describe interarea networks to routers in other areas.

Area

4 Inter-Area Router LSA for ASBRs

Originated by ASBRs to advertise the ASBR location.Originated by ASBRs to advertise the ASBR location. Area

5 Autonomous System External LSA

Originated by an ASBR to describe networks learned from other protocols (redistributed routes).Originated by an ASBR to describe networks learned from other protocols (redistributed routes).

Autonomous System

8 Link LSA Advertises link-local address and prefix(es) of a router to all other routers on the link as well as option information. Sent only if more than one router is present on a link.

Advertises link-local address and prefix(es) of a router to all other routers on the link as well as option information. Sent only if more than one router is present on a link.

Link

9 Inter-Area Prefix LSA for ABRs

Performs one of two functionsPerforms one of two functions Area9 Inter-Area Prefix LSA for ABRs

Associates a list of IPv6 prefixes with a transit network by pointing to a Network LSAAssociates a list of IPv6 prefixes with a router by pointing to a Router LSA

Area

Still requires a 32 bit Router ID Either configure a loopback interface with an IPv4

address or Set the router-id in the appropriate configuration

block Note: router-id does not require an

IPv4 address and OSPF3 can workwithout IPv4.

Example: Juniper SRX-100


IPv6 RoutingOSPFv3 Configuration

75

ospf3 { export static-to-ospf; area 0.0.0.0 { interface lo0.0 { passive; } interface fe-0/0/0.0; interface gr-0/0/0.20; interface gr-0/0/0.21; }}


Routing Lab 2OSPF within your AS Refer back to the lab diagram Exercise Goals:

Assign routable Loopback addresses to each router

Get Quagga running Configure OSPF for all intra-AS interfaces (do not

configure OSPF for interfaces that connect to the IXP or other AS machines)

Make sure that each router in your AS can ping the loopback of every other router in your AS.

76


IPv6 Security -- IPSEC

What is IPSEC? IPSEC is a mechanism for protecting the

authentication and privacy of IP datagrams. Essentially acts as a tunnel in most cases. IPv4 IPSEC was backported from IPv6

development. IPv4 hacked IPSEC in as an L4 protocol with

some additional UDP/other workarounds. IPv6 IPSEC is implemented entirely in extension

headers.

77


Authentication and Privacy --What they mean Authentication

Who sent this? Is it exactly what the originator sent?

Privacy Only the intended recipient should be able to

know the content. Replies should only be viewable by the original

sender. Others should only see nothing (or meaningless

gibberish).

78


Encryption does both? -- How?

Encryption for Authentication Usually involves digitally signing a digest (hash,

checksum, or CRC) of the protected data. Signing = encrypt with local private key. Recipient then recomputes digest and compares

to decrypted signature (decrypted with remote public key). (Anyone can validate the authentication in this case, not just the recipient).

Technically this is known as “Authentication Header” or AH.

79


Encryption does both? -- Continued. Encrypting for Privacy

Entire payload (and possibly original headers) are encrypted.

This is done using Encapsulated Secure Payload (ESP for short).

Can use either of two forms of encryption: Symmetric (both sides have a known shared secret)

Less resource (processor) intensive algorithms Key distribution issues

Asymmetric (Public Key/Private Keys used) Simpler Key dstribution Higher resource (processor) utilization (lower performance?)

80


Cryptography 101

Shared Secrets -- The Challenge: You don’t yet have a secure channel. A chooses the secret and must tell B. A must tell B without C seeing/hearing. How?

Mail (postal) a CD (some risk) Sneaker-Net a USB-key (high-overhead, low frequency

of key changes, difficulty increases with distance) Telephone (risky) Other suggestions?

81


Why not just use Asymmetric?

Very CPU intensive Need to encrypt high-data-rate flows at wire-

speed. (many of them in some cases). Capable hardware is extremely expensive

(though GPUs may be changing this). Maintaining a Reliable Public Key

Infrastructure is non-trivial Compute time goes up exponentially with key

length.

82


What about the best of both worlds? Known as a Diffie-Hellman-Merkle Key Exchange

83


Diffie-Hellman-Merkle continued Mathematically, this is done with “multiplicative group of

integers modulo P”. Alice and Bob agree on the value of P (the public

modulus, a prime number) and g (the public “base”, an agreed finite cyclic generator). These numbers can be very large prime numbers in the case of 2048 bit keys.

Alice and Bob pick random numbers a and b, respectively.

They each send the other (A)=ga%p and (B)=gb%p. They compute s=Ba%p=Ab%p Alice and Bob now both know s. Eavesdroppers may

know g,p,A,B, but not a, b, or s.

84


Why does that work?

For one and only one simple reason... Factoring large numbers is hard. Determining a,b, or s from A, B, p, and g basically

requires you to determine the original prime factors a and b. (which you can validate using A and B with p and g).

So far, no real improvements over brute force trials of all primes until a and b are “discovered”.

Caveat: GPUs are making brute force faster, cheaper, easier.

85


Getting back to IPSEC

IPSEC already does all the math for you and implements the Diffie-Hellman-Merkle algorithm. It’s often called “Perfect Forward Secrecy” or “PFS” and is part of the Internet Key Exchange or “IKE”.

Understanding the above basics helps when it comes time to troubleshoot IKE.

86


IPSEC -- How it works

Can use AH, ESP, or AH+ESP. Two modes of ESP

Tunnel Mode Entire original packet is encrypted as payload of a new

ESP datagram. Usually used to connect network(s) to network(s) across

public link. Sometimes used for host to network(s) (User VPN) or

host to host (Host VPN). Transport Mode

Only the packet payload is encrypted.

87


IPSECESP Transport Mode In transport mode, routing remains unaltered

and only the payload is encrypted. If AH is used with ESP Transport Mode, the

packet header cannot be modified without invalidating the packet.

Strictly a Host to Host security association.

88


IPSECESP Tunnel Mode The entire original IP datagram is encrypted

as payload of a new datagram. Used to create VPNs for network-to-network

or host-to-network communications. Can be used for host-to-host, but Transport

mode is usually preferred and has less overhead.

89


Configuring IPSECThis shouldn’t be this hard! It isn’t so much hard as it is complex. StrongSwan Configuration Files:

strongswan.conf Daemon Parameters Library Parameters

ipsec.conf Overall IPSEC configuration

ipsec.secrets Shared Secrets RSA Private Keys

[daemon_name].conf Daemon specific configuration e.g. xl2tpd.conf for xl2tp (L2TP) daemon.

90


Configuring IPSECConfiguration Files (cont.) Example strongswan.conf

Specifies which plugins to load into charon daemon.

91

# /etc/strongswan.conf - strongSwan configuration file

charon { hash_and_url = yes load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 \

revocation hmac stroke kernel-netlink socket-default updown}


Example ipsec.secrets

Local Private Key file is in moonKey.pem

Configuring IPSECConfiguration Files (cont.)

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA moonKey.pem


Configuring IPSECConfiguration Files (Cont.) Example ipsec.conf file

93

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

ca strongswan! cacert=strongswanCert.pem! certuribase=http://ip6-winnetou.strongswan.org/certs/! crluri=http://ip6-winnetou.strongswan.org/strongswan.crl! auto=add

conn %default! ikelifetime=60m! keylife=20m! rekeymargin=3m! keyingtries=1! keyexchange=ikev2! mobike=no


Configuring IPSECConfiguration Files (Cont.) Example ipsec.conf file (Cont.)

conn net-net! also=host-host! leftsubnet=2001:db8:4000::/36! rightsubnet=2001:db8:c000::/36

conn host-host! left=2001:db8:4000::1! leftcert=moonCert.pem! [email protected]! leftfirewall=yes! right=2001:db8:c000::2! [email protected]! auto=add


Securing OSPF3

OSPF3 does not provide for MD5 or Password authentication the way OSPF2 did.

Instead, to secure OSPF3, you must establish the neighbor relationship across an IPSEC Security Association in transport mode.

95


OSPF3 Security

Juniper Example:

96

security {ipsec {

security-association ospf-neighbor {mode transport;manual {

direction bidirectional {protocol ah;spi 256;authentication {

algorithm hmac-md5-96;key ascii-text “$9$<encrypted key text>”;

}}

}}

}}


OSPF3 Security

Juniper Example (Cont.):

Note: All neighbors on a segment must share a common SA.

97

protocols {ospf3 {

area 0.0.0.0 {interface ge-0/0/0 {

ipsec-sa ospf-neighbor;}

}}

}


IPv6 RoutingeBGP Nearly identical to BGP for IPv4 Different vendors have different ways of

differentiating routing tables Cisco: address-family ipv6

Misconfigurations usually silently ignore your intent Juniper: family inet6

Misconfigurations usually result in an error message

98


IPv6 RoutingeBGP

99

Configuration Example: Juniper SRX-100

bgp { family inet { unicast; } family inet6 { unicast; } local-as 1734; group l42 { family inet { unicast; } family inet6 { unicast; } export to-l42; peer-as 8121; neighbor 192.124.40.129; neighbor 2620:0:930:7fff::1 { family inet6 { unicast; } } }}


IPv6 RoutingiBGP Same set of differences as IPv4 e vs. i BGP. All border routers must peer in a mesh IGP must provide reachable routes to all

routers. Peering best between loopbacks. All the IPv4 lessons and best practices apply.

100


IPv6 RoutingiBGP

101

Configuration Example: Juniper SRX-100

bgp { local-as 1734; group internal { type internal; export ibgp-next-hop-self; peer-as 1734; neighbor 2620:0:930:7000::1 { family inet6 { unicast; } export v6-next-hop-self; } neighbor 192.124.40.193 { local-address 192.124.40.194; import via-cable; family inet { unicast; } } }}


Routing Lab 3iBGP and eBGP Exercise Goals:

Configure iBGP mesh among all intra-AS loopbacks.

When complete, have an instructor or aide validate your team’s iBGP configuration before proceeding to the next step.

Configure eBGP sessions to each ASN at the IXP. Configure eBGP session to the neighboring ASN

via the private peering link.

102


User Lab 2 -- IPv6 Explorer

Go to http://tunnelbroker.net Log in if you aren’t still logged in Make sure you have working IPv6

connectivity Restart your browser, go back to tunnel

broker. Click on the link to get your Explorer

certification.

103


IPv6 -- Much like IPv4 was supposed to be This time with enough Addresses

Basic weight comparison: If IP addresses were a unit of mass, then, if IPv4 weighed the same as 7 liters of water, IPv6 would weigh the same as the entire planet Earth.

104


IPv6 Transition IssuesThings that don’t route packets Software Upgrades

In-house tools Porting to IPv6 network Adding IPv6 address capability to

databases parsers data structures etc.

Vendor Provided Software Start talking to them now if you aren’t already You’re not the only one asking, no matter what they say. Call their bluff.

105


IPv6 Transition IssuesThings that forward packets Hardware Upgrades

Firewalls Really old routers Intrusion Detection systems Load Balancers Printers -- Probably just leave on internal IPv4. Clock sources Other infrastructure Other odd appliances

106


SLAACThe gory Details

107


IPv6 OperationsSLAAC and the need for RA-Guard Stateless Autoconfiguration provides a very

convenient way to number hosts. Unfortunately, all routers are created equal,

including the ones created by someone else. In DHCP, a rogue server tends to break things. With RA, a rogue router can intercept traffic

without breaking anything. RA Guard blocks RA transmissions on

switchports not defined as routers.

108


IPv6 OperationsDHCPv6 Overview Can assign prefix lengths other than /64 Bootstrapped by RS/RA process DHCP-PD -- Potentially very useful feature for

ISPs Can provide DNS, NTP, and other server

locations (RA/SLAAC cannot, but, ND has a process for doing DNS servers).

Limited field deployment/support so far. IETF religious problem (SLAAC vs. DHCP war)

109


DHCPv6 Process and Options

It all begins with Router Solicitation Three ways to get an automatic address:

StateLess Address Auto-Configuration (SLAAC) Stateless DHCP (SLAAC address + DHCP “other info”) Stateful DHCP

All three methods start when the host sends a Router Solicitation Packet

110


DHCPv6 ProcessStep by Step

111

Step # SLAAC Statless DHCPv6

Stateful DHCPv6

1

22

3

Host sends out a Router Solicitation to the “All Routers on Link” multicast addressHost sends out a Router Solicitation to the “All Routers on Link” multicast addressHost sends out a Router Solicitation to the “All Routers on Link” multicast addressRouter(s) send back a Unicast Router AdvertisementRouter(s) send back a Unicast Router AdvertisementRouter(s) send back a Unicast Router AdvertisementM=0,O=0 M=0,O=1 M=1,O=?Host completes auto-configuration

Host requests DHCPv6 Information (if host supports DHCPv6)

Host requests DHCPv6 Information (if host supports DHCPv6)


DHCPv6 ProcessHost that supports SLAAC+DHCPv6

112

M0,O0 M0, O1 M1,O?

RA contains On-Link Prefixes

SLAAC SLAAC Address, DHCP other information

DHCP Address, SLAAC Address?, DHCP other information

RA does not contain On-Link Prefixes

No Automatic Global AddressNo Automatic Global Address

DHCP Address, DHCP other information


DHCPv6 ProcessSLAAC Only Host

113

M0,O0 M0, O1 M1,O?

RA contains On-Link Prefixes

SLAAC SLAAC Address

SLAAC Address?

RA does not contain On-Link Prefixes

No Automatic Global AddressNo Automatic Global AddressNo Automatic Global Address


Some caveats about RA contents Lots of knobs

It is important to understand what the nobs do before you turn them.

Example: No Advertise vs. No Autoconfig No Advertise removes the prefix from the issued RAs No Autoconfig leaves the prefix in the RA, but turns off

the A flag for that prefix which will prevent the host from using that prefix to configure a local address, but will still treat the prefix as local for Neighbor Solicitation rather than using the default router to reach hosts with that prefix.

114


Adding IPv6 to a Web Server

Start with a working IPv4 web server:

115

Listen 192.159.10.7:80<VirtualHost 192.159.10.7:80> Handler cgi-script .cgi .pl ServerName www.delong.com SuexecUserGroup owen nogroup Options +FollowSymLinks ServerAdmin [email protected] DocumentRoot /var/www/sites/delong.com/pages</VirtualHost>


Adding IPv6 to a Web Server

Add the configuration for IPv6:

Restart Apache Test!

116

Listen 192.159.10.7:80Listen [2620:0:930::400:7]:80<VirtualHost 192.159.10.7:80 [2620:0:930::400:7]:80> Handler cgi-script .cgi .pl ServerName www.delong.com SuexecUserGroup owen nogroup Options +FollowSymLinks ServerAdmin [email protected] DocumentRoot /var/www/sites/delong.com/pages</VirtualHost>


User Lab 3 -- IPv6 Enthusiast

Go to http://tunnelbroker.net Log in if you aren’t still logged in Get a user code If you need a domain, bring me your web server

IP address and I will create one for you. Configure your web server on your machine. Create a file named <usercode>.txt in your

document root. Test Take quiz, get Enthusiast Certification

117


Packet Filtersip6tables

118

ip6tables much like iptables Excerpt from my ip6tables configuration

-A RH-Firewall-1-INPUT -d 2620:0:930::200:2/128 -m state --state NEW -m tcp -p tcp --dport 3784 -j ACCEPT-A RH-Firewall-1-INPUT -d 2620:0:930::200:1/128 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT-A RH-Firewall-1-INPUT -d 2001:470:1f00:3142::200:1/128 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT-A RH-Firewall-1-INPUT -d 2620:0:930::200:2/128 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT


Packet FiltersCisco ACL Cisco ACLs for IPv6 just like IPv4 (mostly):

Reflexive Temporary ACL (REFLECTOUT) OUTBOUND creates state table entries using reflect

keyword INBOUND evaluates packets against state table.

119

ipv6 access-list OUTBOUND permit tcp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT permit udp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT deny fec0:0:0:0201::/64 any

ipv6 access-list INBOUND evaluate REFLECTOUT

interface ethernet 0 ipv6 traffic-filter OUTBOUND out ipv6 traffic-filter INBOUND in


Packet FiltersJuniper Filter Very similar to Juniper IPv4 filters

120

interfaces {ge-0/0/0 {

unit 0 {family inet6 {

filter {input tcp_filter;

}}

}}

}firewall {

family inet6 {filter tcp_filter {

term 1 {from {

next-header tcp;tcp-flags syn;

}then {

count tcp_syn_pkt;log;accept;

}}

}}

}


Security Concerns in IPv6

Mostly the same as IPv4 Buffer Overruns Misconfigured Firewalls Errant Route Filters Social Engineering Attacks Malware/Trojans/Adware DoS

Some new attacks unique to IPv6 Neighbor Table Overflow/Scanning Extension Headers

121


IPv6 Unique AttacksNeighbor/Router Discovery Unlikely, but possible

Most require Link Local acces High Risk, Low Value for attacker

Mostly DoS oriented Scanning Attack -- NT Exhaustion Fake ND Responses

Possible Traffic Snooping Rogue RA

122


IPv6 Unique AttacksExtension Headers Primarily used to facilitate other forms of

attack In some cases, extension headers can be used to

evade attack mitigation by pushing the relevant information into the second fragment.

Very low value proposition for most attackers Some hosts have Ext. Header vulnerabilities

due to bugs in the header parsing code. Most of these have been resolved in current software.

123


IPv6 Security Best Practices

Some good IPv6 Security resources: http://www.sans.org/reading_room/whitepapers/

detection/complete-guide-ipv6-attack-defense_33904

http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf

http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/IPv6.shtml

http://www.cisco.com/web/about/security/security_services/ciag/documents/v6-v4-threats.pdf

124


IPv6 Security Best Practices

IPv6 Security Toolkit Fernando Gont has released these tools:

http://twitter.com/teamcymru/status/234908090766589952

nmap 6 now supports IPv6 No host enumeration capabilities as yet.

125


Lazy IPv6 deployments = insecurity Many people add IPv6 to hosts without

applying the same diligence as the IPv4 configuration. If you have iptables rules, remember to add

comparable ip6tables rules. If your web server has rewrite rules for v4, make

sure they apply equally to v6. If your application has different v4 and v6 code

paths, make sure all the security patches, etc. get incorporated into the v6 code.

126


IPv6 SecurityExploitable Vulnerabilities From the SANS paper:

What is it about the IPv6 application vulnerability which may be exploited to gain access to the target machine? There is no difference with an IPv4 application vulnerability like stack-based buffer overflow, heap-based buffer overflow, format string vulnerability, off-by-one vulnerability, null pointer dereference, and others which may be used to execute the command remotely and to gain access to the vulnerable machine.

In other words... 96 more bits, no magic. All the same problems still have all the same solutions.

127


IPv6 SecurityMan in the Middle Various forms of MITM attacks possible in

IPv6 Spoofed ICMPv6 Neighbor Advertisement

Same as ARP spoofing in IPv4 Solution: Secure Neighbor Discovery (SEND)

Spoofed ICMPv6 Router Advertisement Similar to rogue DHCP server, but injects default router

only, so less visible. Solution: RA-Guard

128


IPv6 Smurf Attack

Similar principal to IPv4 smurf Must have local access to amplification network

(bigger challenge and easier to trace than IPv4 Smurf)

Send All-Hosts multicast packets with target as source address

129

Gargamel just turned on IPv6!!!


IPv6 SecurityDAD DOS DOH!

130

Duplicate Address Detection A denial of service attack is possible by making all

new nodes think any address they try is a duplicate Simply reply with an ICMPv6 Neighbor

Advertisement in response to any ICMPv6 Neighbor Solicitation.

Only disables new nodes trying to join network. Requires link local access Easily identified and mitigated, minimal benefit to

attacker


IPv6 SecurityFragmentation Attack Stick important headers in subsequent

fragments to avoid IDS Unique to IPv6 in that IPv6 extension headers

make this easier to do.

131


IPv6 SecurityOther attacks

Routing Loop attack against auto-tunnels Teredo can bypass IPv4 IDS and/or Firewall

132


Email over IPv6

Now that we have our web server running on IPv6, our next step is to get email working.

IPv4 only sendmail.mc fragment:

Same fragment for dual-stack:

133

dnl # The following causes sendmail to listen for both protocolsdnl #DAEMON_OPTIONS(`port=smtp, Name=MTA, Family=inet6')dnldnl #dnl # If IPv6_V6ONLY doesn’t work correctly you might also need:dnl #dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')

dnl # IPv4 only Listener configurationDAEMON_OPTIONS(`Name=MTA-v4, Family=inet')


Postfix on Mac

Command Line launchctl unload /System/Library/LaunchDaemons/

org.postfix.master.plist defaults write /System/Library/LaunchDaemons/

org.postfix.master RunAtLoad -bool true defaults write /System/Library/LaunchDaemons/

org.postfix.master KeepAlive -bool true launchctl load /System/Library/LaunchDaemons/

org.postfix.master.plist; launchctl start org.postfix.master /etc/postfix/main.cf

inet_protocols = all myhostname = [yourname].training.delong.com

134


User Lab 4 -- Administrator

Use the same domain you used for the web site. Create a user account.

Set up your SMTP server to work with IPv6 Update sendmail.mc to listen on both protocols. “make sendmail.cf” Restart sendmail

Go back to Tunnelbroker. Generate new user code and put in email address. Receive email and put usercode from email into web

form. Take quiz

135


IPv6 DNS

DNS is very similar to IPv4 DNS. Forward:

IPv4: foo.com. IN A 192.0.2.123 IPv6: foo.com. IN AAAA 2001:db8::2:123

Reverse: IPv4: 123.2.0.192.in-addr.arpa. IN PTR foo.com. IPv6:3.2.1.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR foo.com.

(See, identical except the font size) ;-)

136


User lab 5 -- IPv6 Professional

This one is a gimme. Your RDNS for your mail server should already be set up.

Go to Tunnelbroker. Test the RDNS for your mail server. If it

reports a problem, come to me, we’ll look at it together.

Take the quiz.

137


IPv6 Glue Records

What is a glue record? DNS Hierarchy has a bootstrapping problem. If ns.he.net serves he.net, you need to have the

address of ns.he.net in order to ask ns.he.net about he.net (or ns.he.net).

Glue records are address records in the parent domain that point give “hints” to reach nameservers inside the child domain.

A records for IPv4 AAAA records for IPv6

138


IPv6 Glue Records

Example:

Note each of these nameservers are inside the he.net zone. All 5 require glue to be resolvable in order to query the he.net zone.

139

$ORIGIN NET.he IN NS ns1.he.net. IN NS ns2.he.net. IN NS ns3.he.net. IN NS ns4.he.net. IN NS ns5.he.net.


IPv6 Glue Records

IPv4 Only glue record set:

For dual-stack, we added these:

140

ns1.he.net. IN A 216.218.130.2ns2.he.net. IN A 216.218.131.2ns3.he.net. IN A 216.218.132.2ns4.he.net. IN A 216.66.1.2ns5.he.net. IN A 216.66.80.18

ns2.he.net. IN AAAA 2001:470:200::2ns3.he.net. IN AAAA 2001:470:300::2ns4.he.net. IN AAAA 2001:470:400::2 ns5.he.net. IN AAAA 2001:470:500::2


User lab 6 -- IPv6 Sage

This one is also a gimme as your zone should already have glue records.

Browse Tunnelbroker Test the glue records Take the quiz Don’t forget to specify your T-Shirt size

141


Congratulations

You are all IPv6 Sage Certified now.

142


IPv6 Anycast

Two Kinds of Anycast Both essentially provide a common service from

multiple hosts. Both deliver a packet to at least one of a group of

hosts sharing a common IP address. IPv6 RFCs define certain types of subnet local

anycast addresses (prefix:fdff:ffff:ffff:ffxx where xx is in the range 80-ff)

More general anycast is implemented identical to IPv4 Anycast and is in much more common use.

143


IPv6 Deployment -- Next Steps This was just an introduction. Hopefully you have enough knowledge to build

an IPv6 test lab and start gaining experience. Use a tunnel at first if you need to. Don’t forget to pressure your vendors so that

they are ready when you need them to be (or only a little late) Network Equipment

144


IPv6 Deployment -- Next Steps part 2 Build your test lab Try it out Try different scenarios Get to know what works and doesn’t work in

your particular environment Help is available

ARIN IPv6 wiki: http://www.getipv6.info Hurricane Electric: http://www.tunnelbroker.net “Rent” me: [email protected]

145


Parting Thoughts: What if IP Addresses were M&Ms -- IPv4 IPv4: Standard network size: /24

Number of usable addresses: 254

Number of /24s: Aprox. 14.5 Mililon

146

One IPv4 /24 -- 254 M&Ms

Full Address Space, One M&M per/24 covers 70% of a football* field

*An American Football field


Parting Thoughts: IP Addresses as M&Ms -- IPv6 How many M&Ms in IPv6? Standard Network size: /64

Host addresses: 18,446,744,073,709,551,616 Number of Networks:

18,446,744,073,709,551,616 In short, Enough M&Ms to fill the great lakes

in either measure*

147

*Warning: Do not eat 18,446,744,073,709,551,616 M&Ms as adverse health consequences are likely.


If IP addresses were M&MsFinal thought:

They’d taste better.

148


OK.. The real conclusion

You’ve learned a lot about the structure of IPv6 and IPv6 addressing

You’ve learned how to plan your addressing strategy.

You’ve learned a little about deploying IPv6. Mostly, deployment is a lot like IPv4, but,

without the address scarcity.

149


Similarities

Same routing protocols (mostly) Same issues Same solutions (mostly) Similar security models and tactics

Note: NAT isn’t security in IPv4. Stateful ispection provides security, NAT just depends on stateful inspection.

Similar host configuration methods

150


Differences

Much bigger address space Restoration of the End-to-End model of

networking (Really, this is a good thing, even if you find it a little scary at first)

Stateless Autoconfiguration (Slightly) Crippled DHCP DHCP Prefix Delegation Hex Notation No more writing out netmasks (YAY!)

151


Q&A

Contact: Owen DeLong IPv6 Evangelist Hurricane Electric 760 Mission Court Fremont, CA 94539, USA http://he.net/ owend at he dot net +1 (408) 890 7992

?

152


The end

153

Contact: Owen DeLong IPv6 Evangelist Hurricane Electric 760 Mission Court Fremont, CA 94539, USA http://he.net/ owend at he dot net +1 (408) 890 7992

Thank you

78

IPv6 -- A practical guide to Implementationfacweb.cs.depaul.edu/brewster/ipv6/Full Course...

Documents

Transcript of IPv6 -- A practical guide to Implementationfacweb.cs.depaul.edu/brewster/ipv6/Full Course...