IPv6: Why "next year" is now
Transcript of IPv6: Why "next year" is now
www.wildpackets.com © WildPackets, Inc.
Jim MacLeod
Product Manager
WildPackets
Follow me @shewfig
IPv6
“Next Year” is Now!
Show us your tweets! Use today’s webinar hashtag:
#wp_ipv6 with any questions, comments, or feedback.
Follow us @wildpackets
Agenda
• Primer
  ‒ Address types
  ‒ Address format
  ‒ Address resolution
• Issues
  ‒ Implementation
  ‒ Interoperability
  ‒ Security
• WildPackets
Primer: IPv6 Addressing
Address Lexical Conventions
• 128 bits of hexadecimal
  ‒ IPv4 had 32 bits in dotted-decimal
• Separated by colons
  ‒ 8 groups of 16 bits
  ‒ 8 bits = “octet”
  ‒ 16 bits = “sedectet” or “hexadectet”
• Shortcuts
  ‒ Leading zeros can be omitted
    • 2001:0db8::/32 is the same as 2001:db8::/32
  ‒ Multiple consecutive zero groups are written as “::”
    • 2001:db8:0:0:0:0:0:1 is the same as 2001:db8::1
  ‒ Localhost is ::1, the default route is ::/0
Address Sections
• Sections
  ‒ Network
    • RIR-assigned or local
  ‒ Subnet
    • Subnetting within the org/site
  ‒ Host
    • 64-bit interface identifier
• Example
  ‒ 2001:db8::/32
    • 32-bit prefix, 32 bits of subnet, 64 bits of interface ID
    • 32 bits of subnet ≈ the entire size of IPv4, each with 64 bits of host
  ‒ 2001:db8:de30::/48
    • 48 bits of prefix, 16 bits of subnet, 64 bits of interface ID
    • 16 bits of subnet ≈ a class B IPv4 address block
Address Types
• Unicast
  ‒ “Normal” address
• Local
  ‒ Link-Local: non-routable, subnet only
  ‒ ULA (Unique Local Addresses): private address
• Multicast
  ‒ Multiple scopes, from host-internal to Internet-wide
• NO explicit Broadcast
  ‒ Implemented as local-scope multicast
  ‒ Several specific multicast addresses are defined and used
    • All Routers, All DHCP servers, etc.
Local Addresses
• Link-Local: non-routable, subnet only
  ‒ Defined as fe80::/10; in practice, fe80::/64
  ‒ Nodes auto-generate an address for each interface
  ‒ On-box, append the interface ID to the address (e.g. %eth0)
• Similar in concept to 169.254.0.0/16
  ‒ Auto-defined, unique per subnet
• Why?
  ‒ Bootstrap addressing: no “naked” protocols like ARP
  ‒ Used by ICMPv6 Neighbor Discovery (“ARPv6”)
  ‒ Used by DHCPv6; no need for broadcast
• Impact
  ‒ Every IPv6 interface will have at least 2 addresses
Unique Local Addresses (ULA)
• Routable private address space
  ‒ fd00::/8 plus 40 “random” bits -> fdxx:xxxx:xxxx::/48
  ‒ Like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
• Can be used to create isolated networks
  ‒ Potentially routable among connected systems
  ‒ Non-routable across the Internet
• Potential uses
  ‒ Lab networks
  ‒ Air-gapped networks
  ‒ Pilot projects
• NOT intended for use with NAT
  ‒ NAT was a work-around on IP; IPv6 is the solution
Subnetting Review
• Q: Does 2001::/32 contain 2001:db8::/32?
  ‒ 2001::/32
    • 2001:0:0:0:0:0:0:0 – 2001:0:ffff:ffff:ffff:ffff:ffff:ffff
  ‒ 2001:db8::/32
    • 2001:db8:0:0:0:0:0:0 – 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
  ‒ A: No, the 2nd sedectet is different
• Q: How large is fe80::/10?
  ‒ fe80::/16 – febf::/16
  ‒ 64 /16 blocks, 4B /32 blocks, 18 quadrillion /64 blocks
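Added example, not from the WildPackets deck: the two shortcut rules from the lexical-conventions slide implemented by hand in the canonical RFC 5952 form (with the caveat the slide leaves implicit, that “::” may appear only once), cross-checked against Python's standard library, plus the two subnetting questions above answered in code. The block counts come out as powers of two: 2^6 /16s, 2^22 /32s and 2^54 /64s inside fe80::/10.

```python
import ipaddress

def expand(addr: str) -> list:
    """Split an IPv6 address into its 8 sedectets (16-bit groups) as ints.
    Accepts both shortcuts from the slide: dropped leading zeros and one '::'."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        head, tail = addr.split("::")
        left = [int(g, 16) for g in head.split(":") if g]
        right = [int(g, 16) for g in tail.split(":") if g]
        fill = 8 - len(left) - len(right)
        if fill < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + [0] * fill + right
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"not a valid IPv6 address: {addr!r}")
    return groups

def compress(addr: str) -> str:
    """Canonical text form (RFC 5952): lowercase hex, no leading zeros, and the
    longest run of two or more zero groups replaced by '::' (the first such run wins)."""
    groups = expand(addr)
    best_start, best_len, i = -1, 1, 0      # a lone zero group is never compressed
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:     # measure the zero run starting at i
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    hexs = [format(g, "x") for g in groups]
    if best_start < 0:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

def matches_stdlib(addr: str) -> bool:
    """Cross-check compress() against the standard library's canonical form."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))

def contains(prefix: str, other: str) -> bool:
    """Does prefix (e.g. 2001::/32) contain the block other (e.g. 2001:db8::/32)?"""
    return ipaddress.IPv6Network(other).subnet_of(ipaddress.IPv6Network(prefix))

def count_blocks(prefix: str, new_len: int) -> int:
    """How many /new_len blocks fit inside prefix, e.g. /64s inside fe80::/10."""
    net = ipaddress.IPv6Network(prefix)
    if new_len < net.prefixlen:
        raise ValueError("new prefix length must not be shorter than the block's")
    return 2 ** (new_len - net.prefixlen)
```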
Address “Magic Numbers”
• Node
  ‒ ::1/128 – localhost
  ‒ ::/0 – default route (like 0.0.0.0/0)
• Local
  ‒ fe80::/10 – Link-local
  ‒ fc00::/7 – ULA
    • Likely deployment: fd00::/8
• Global
  ‒ 2001:db8::/32 – “Example” addresses
  ‒ 2001::/32 – Teredo
  ‒ 2001:678::/29 – Provider-independent (multihomed end-users)
  ‒ 2001:7f8::/29 – Internet Exchange Points (ISP interconnect)
IP to IPv6 “Magic Numbers”
• ::ffff:0:0/96 – IPv4-mapped IPv6
  ‒ Server socket-level compliance for application compatibility
  ‒ Can be written ::ffff:a.b.c.d
• ::ffff:0:0:0/96 – Stateless IP/ICMP Translation (SIIT)
  ‒ To allow an IPv6 client to connect to IPv4 hosts
• 64:ff9b::/96 – “Well-Known” Prefix
  ‒ NAT64 address translation; connects an IPv6 island to IPv4
• 2002::/16 – 6to4 translation
  ‒ To connect IPv6 islands via IPv4
• Over time, these should all go away
  ‒ Dual stack makes all of these unnecessary
Address Resolution
Resolving Addresses
• ICMPv6 Neighbor Discovery Protocol (NDP)
  ‒ Replaces ARP
  ‒ Runs over IPv6, not directly over DLC/Ethernet
  ‒ Uses link-local addresses
• Neighbor Solicitation
  ‒ Unicast fe80::/10 source (unique to the interface)
  ‒ Link-local multicast destination at both L2 and L3
  ‒ The last 24 bits of the multicast address are the last 24 bits of the target address
    • Allows quick validation on the receiving node: keep/discard
• Neighbor Announcement
  ‒ Response is unicast-to-unicast
NDP in Action
Search for 2001:db8:2::4
• L2 address (MAC)
  ‒ OUI is the IPv6 multicast prefix (33:33:FF)
  ‒ Least significant 24 bits of the target address (00:00:04)
• L3 address – targeted multicast
  ‒ Local-scope IPv6 multicast (ff02)
  ‒ Least significant 48 bits
    • Header is ::1:ff
    • Same least-significant bits (00:00:04)
Implication: IPv6 is optimized to reduce broadcast at both L2 and L3
• The frame is delivered to all nodes in the broadcast domain
• The frame is quickly rejected by the NIC except on the target node
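Added example, not from the deck: the address arithmetic behind the capture above, in Python. It derives the solicited-node multicast group and the 33:33 Ethernet destination for a target such as 2001:db8:2::4, models the NIC-side keep/discard filter the slide describes, and shows the caveat that two addresses with the same low 24 bits land in the same group, so the receiver still has to compare the full target in the solicitation.

```python
import ipaddress

def solicited_node_address(target: str) -> str:
    """Solicited-node multicast group for a target (RFC 4291): ff02::1:ffXX:XXXX,
    where XX:XXXX are the low 24 bits of the target address."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))

def multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group (RFC 2464): 33:33 followed
    by the low 32 bits of the group address."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))

def neighbor_solicitation_addresses(target: str) -> dict:
    """The L2 and L3 destinations a node uses when it searches for `target`."""
    group = solicited_node_address(target)
    return {"target": target, "dst_ip": group, "dst_mac": multicast_mac(group)}

def nic_keeps_frame(dst_mac: str, my_addresses) -> bool:
    """The hardware filter on the receiving side: a NIC only accepts the multicast
    MACs derived from the node's own addresses; every other solicitation is dropped
    before it reaches the IPv6 stack."""
    accepted = {multicast_mac(solicited_node_address(a)) for a in my_addresses}
    return dst_mac.lower() in accepted

def same_solicited_group(addr_a: str, addr_b: str) -> bool:
    """Two addresses share a group whenever their low 24 bits match, so passing the
    NIC filter is not proof that the solicitation is for this node."""
    return solicited_node_address(addr_a) == solicited_node_address(addr_b)
```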
Getting an Address
• Static
  ‒ All parameters configured by hand
• Dynamic
  ‒ Node bootstrap includes Router Discovery
  ‒ Similar to Neighbor Discovery
  ‒ Destination is the link-local “all routers” address
• The Router Advertisement includes flags to use either:
  ‒ Stateless Address Autoconfiguration (SLAAC)
  ‒ DHCPv6
SLAAC
• Network info from the Router
• Node portion of the address
  ‒ Use the MAC, insert “ff:fe” in the middle
  ‒ Alternatively use Privacy Extensions
    • Pseudo-random instead of the extended MAC
• Implications
  ‒ Track IPv6 nodes by MAC
    • Good for network management, bad for privacy
  ‒ Addresses distributed nearly randomly in the subnet
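Added example, not from the deck: the “insert ff:fe in the middle” rule as code (modified EUI-64, including the universal/local bit flip the slide does not mention), a Privacy Extensions address built from random bits, and the inverse mapping a network-management tool uses to track a node by MAC from its SLAAC address. The MAC and prefix are constructed sample values.

```python
import ipaddress
import secrets

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 Appendix A): split the 48-bit MAC in half, insert
    ff:fe between the halves and flip the universal/local bit (0x02 of byte 0)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> str:
    """Address a host autoconfigures from the advertised /64 plus its own MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix from the Router Advertisement")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))

def privacy_address(prefix: str) -> str:
    """Privacy Extensions (RFC 4941): a random interface ID instead of the MAC.
    The u bit (0x02 of byte 0) is cleared so it cannot pose as a global EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    iid = secrets.randbits(64) & ~(0x02 << 56)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def mac_from_address(addr: str):
    """Inverse of eui64_interface_id, for inventory and monitoring: if the interface
    ID carries the ff:fe marker, recover the MAC; otherwise (privacy, DHCPv6 or
    static IDs) return None. A random ID shows the marker by chance 1 time in 65536."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])
```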
DHCPv6
• Controlled by the Router Advertisement
  ‒ Managed Address flag – get the address from DHCPv6
  ‒ Other Stateful Config flag
    • Generate the address using SLAAC
    • Get other configs from DHCP
• Similar to DHCP in IPv4
• Link-local multicast for DHCP
  ‒ ff02::1:2 – all DHCP servers and relays
  ‒ ff02::1:3 – all DHCP servers
• Implications
  ‒ Managed IPv6 addresses
  ‒ Potential point of failure
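Added example, not from the deck: a constructed Router Advertisement with one Prefix Information option, a parser that pulls out the M and O flags the two slides above describe, and the resulting host decision (DHCPv6 address, or SLAAC address plus DHCPv6 for the rest). The parser rejects zero-length and truncated options as RFC 4861 requires, and the last helper is the source sanity check a host applies before trusting any RA. The prefix, lifetimes and hop limit are constructed sample values.

```python
import ipaddress
import struct

ND_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3

def build_router_advertisement(managed: bool, other: bool, prefix: str = "2001:db8:2::/64",
                               autonomous: bool = True) -> bytes:
    """Constructed sample RA body (RFC 4861 section 4.2) with one Prefix Information
    option (section 4.6.2); the checksum stays 0 because this never goes on the wire."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if managed else 0) | (0x40 if other else 0)          # M and O bits
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)                        # L and A bits
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, pflags,
                         2592000, 604800, 0) + net.network_address.packed
    return header + option

def parse_router_advertisement(msg: bytes) -> dict:
    """Extract the M/O flags, router lifetime and advertised prefixes (with A flag)."""
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERTISEMENT or msg[1] != 0:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = msg[5], struct.unpack("!H", msg[6:8])[0]
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:                               # section 4.6: must be discarded
            raise ValueError("zero-length ND option")
        end = off + olen * 8
        if end > len(msg):
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
            ra["prefixes"].append((f"{prefix}/{msg[off + 2]}", bool(msg[off + 3] & 0x40)))
        off = end
    return ra

def address_method(ra: dict) -> str:
    """What the host does with the RA: M set means DHCPv6 for the address; O set
    means SLAAC for the address and DHCPv6 only for the other configuration."""
    slaac = any(autonomous for _, autonomous in ra["prefixes"])
    if ra["managed"]:
        return "DHCPv6 address"
    if ra["other"]:
        return "SLAAC address + DHCPv6 other config" if slaac else "DHCPv6 other config only"
    return "SLAAC" if slaac else "no autoconfiguration"

def ra_source_acceptable(src: str, hop_limit: int) -> bool:
    """Section 6.1.2 checks before trusting an RA: link-local source and hop limit 255
    (so it cannot have crossed a router). A rogue RA from any host on the link still
    passes this, which is what RA Guard on the switch is for."""
    return ipaddress.IPv6Address(src) in ipaddress.IPv6Network("fe80::/10") and hop_limit == 255
```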
IPv6 Issues
Implementation Issues
• Two address scopes
• Packet size issues
• DNS
• Global routing
Two Address Scopes
• Every interface on a node has at least 2 addresses
  ‒ Link-local (fe80::)
  ‒ Unicast
• Data uses the unicast address
  ‒ Just like the IPv4 address
• Network administrative protocols may use link-local
  ‒ NDP
  ‒ DHCP
  ‒ Sometimes other ICMPv6
What’s Going On Here?
How many data frames are there? What protocol?
What’s going on in packets 2-3? 4-5? 8-9?
• NDP for 2001:db8:2::4, ::253, and ::253 again
• 3 data frames: 1, 6, 10. HTTP.
Tracking What’s Going On
• Use Horizontal Split to show Nodes on the left, Packets on the right
Packet Size
• Minimum MTU raised from 576 to 1280
  ‒ Not a problem for anything modern
• Longer header, less room for data
  ‒ IPv6 header 20+ bytes longer than IPv4
  ‒ TCP MSS reduced by 20 bytes
  ‒ Some applications may be hard-coded to 1460
• No router fragmentation allowed in IPv6
  ‒ Node must fragment its own datagrams
• Overhead in transit = oversized packet
  ‒ MPLS and similar are OK: internal to the network, use Jumbo frames
  ‒ IPsec across the Internet: no Jumbos allowed
  ‒ Oversized packets will be discarded
Packet Size – How to Fix
• Path MTU Discovery
  ‒ Inline during transmission
• MTU violation reported by ICMPv6
  ‒ “Packet Too Big” from the router, e.g. VPN ingress
• ICMPv6 MUST be allowed
  ‒ ICMP in IPv4 is sometimes blocked for security reasons
  ‒ Will cause black holes in IPv6 if blocked
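Added example, not from the deck: what a sending host does with the “Packet Too Big” message from the slide above, in Python. It builds a constructed ICMPv6 Packet Too Big (as a VPN ingress router would send for a 1500-byte packet that does not fit a 1400-byte tunnel), and a per-destination path MTU cache that accepts it only if the quoted dropped packet was really ours, never estimates below the 1280-byte minimum from the Packet Size slide, and only ever shrinks. The addresses and MTUs are constructed sample values.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280
ICMPV6_PACKET_TOO_BIG = 2

def build_ipv6_header(src: str, dst: str, payload_len: int, next_header: int = 6) -> bytes:
    """Constructed 40-byte IPv6 header: version 6, zero traffic class and flow label."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def build_packet_too_big(mtu: int, dropped_packet: bytes) -> bytes:
    """Constructed ICMPv6 Packet Too Big (RFC 4443 section 3.2): type 2, code 0,
    checksum (left 0 here), the MTU of the link that dropped the packet, then as
    much of that packet as fits in a minimum-MTU reply."""
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + dropped_packet[:IPV6_MIN_MTU - 48]

class PathMtuCache:
    """Per-destination path MTU state a sending host keeps (RFC 8201)."""

    def __init__(self, my_addresses, link_mtu: int = 1500):
        self.my_addresses = {str(ipaddress.IPv6Address(a)) for a in my_addresses}
        self.link_mtu = link_mtu
        self.pmtu = {}

    def mtu_for(self, dst: str) -> int:
        return self.pmtu.get(str(ipaddress.IPv6Address(dst)), self.link_mtu)

    def handle_packet_too_big(self, msg: bytes) -> str:
        """Apply one received message; the returned string says what happened."""
        if len(msg) < 48 or msg[0] != ICMPV6_PACKET_TOO_BIG or msg[1] != 0:
            return "ignored: not a well-formed Packet Too Big"
        mtu = struct.unpack("!I", msg[4:8])[0]
        inner = msg[8:48]                         # IPv6 header of the dropped packet
        if inner[0] >> 4 != 6:
            return "ignored: invoking packet is not IPv6"
        src = str(ipaddress.IPv6Address(inner[8:24]))
        dst = str(ipaddress.IPv6Address(inner[24:40]))
        if src not in self.my_addresses:          # refers to a packet we never sent
            return f"ignored: invoking packet was not sent by us (src {src})"
        if mtu < IPV6_MIN_MTU:                    # RFC 8201 section 4: never estimate below 1280
            return f"ignored: MTU {mtu} is below the IPv6 minimum of {IPV6_MIN_MTU}"
        if mtu >= self.mtu_for(dst):              # the estimate may only shrink
            return f"ignored: MTU {mtu} does not reduce the path MTU to {dst}"
        self.pmtu[dst] = mtu
        return f"path MTU to {dst} reduced to {mtu}"
```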
DNS
• Same protocol, new record type: AAAA
  ‒ Can resolve IPv6 addresses over IPv4
  ‒ Default behavior on Windows: DNS over IPv4, even for AAAA
• Host-driven choice:
  ‒ Explicit resolution of IPv4 A or IPv6 AAAA
  ‒ Multiple packets each way
• Server-driven choice:
  ‒ Single generic query from the client
  ‒ DNS responses vary by implementation
  ‒ Google does a reverse lookup on the client
  ‒ Many DNS servers return both A and AAAA
• Single query, dual response is most common
Routing
• BGP tables are huge on IPv4; what about IPv6?
• Solution: aggregation via allocation
  ‒ Fully hierarchical
    • IANA (global) → RIR (regional) → LIR (local)
    • The LIR can be an ISP, university, large company, etc.
    • Allows much better aggregation
  ‒ Special allocation for small multihomed blocks
    • 2001:678::/29
    • Minimum allocation /48
• Hardware-based forwarding
  ‒ Anecdotal evidence that IPv6 is slow on current equipment
  ‒ Future devices will be optimized for IPv6, not IPv4
  ‒ IPv6: no checksum, no router fragmentation → faster routing
Interoperability Issues
• Network versus Application
• 6-4 fallback
Network versus Application
• Different protocols
  ‒ IPv4 and IPv6 don’t interact on the wire
  ‒ Lots of transition mechanisms
    • Unclear whether they will ever be used
• Applications may have issues
  ‒ Socket-level APIs “should” be compatible
  ‒ Greatest challenges:
    • Legacy applications
    • Custom / homegrown applications
• Solution: keep using IPv4 for incompatible apps
  ‒ Enabling IPv6 doesn’t disable IPv4
6-4 Fallback
• Most visible IPv6 issue when using the Web!
• Primary issue: 6 or 4?
  ‒ DNS AAAA or A record?
  ‒ Old method: try IPv6 first, wait for the timeout
    • Windows: 20s. MacOS: 75s. Linux: 75-180s.
• Impact on the Web
  ‒ Web pages cross-link locations (average of 8 sites/page!)
  ‒ Will IPv6 pages contain IPv4 content?
    • Pages already load slowly; add MULTIPLE 20s+ delays…
• Great research
  ‒ Geoff Huston at APNIC, “Bemused Eyeballs”
  ‒ Prior research from NTT, presented at NANOG39, 2007
6-4 Fallback Solution
• “Happy Eyeballs” – dual stack, fastest first
  ‒ Proposed by Dan Wing and Andrew Yourtchenko at Cisco
  ‒ Resolve both IPv4 and IPv6 addresses
  ‒ TCP SYN connect to both at once
  ‒ Use the first to connect, RST the other socket
• Solution: Switch browsers!
  ‒ Chrome: 300ms (aggressive IPv6 timeout)
  ‒ Firefox: instant (Happy Eyeballs)
  ‒ Safari on MacOS: 270ms (aggressive RTT-based timer)
• Potential work-arounds on Enterprise networks
  ‒ Local DNS server tweaks – but probably insufficient
  ‒ Gateway proxy – but maybe not fast enough
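Added example, not from the deck: the Happy Eyeballs race described above, written with asyncio. Every candidate is connected at once, the first success is kept and the others are closed or cancelled (the “RST the other socket” step); an optional head start lets IPv6 win when it is healthy, as the browser timers on the slide do. The connectors are constructed fakes that succeed or fail after a delay, so the block runs offline; a real client would pass a coroutine that opens the TCP connection.

```python
import asyncio

class FakeConnection:
    """Stand-in for a connected socket; real code would hold the TCP stream."""
    def __init__(self, name):
        self.name, self.closed = name, False
    def close(self):
        self.closed = True

def fake_connector(name, delay, fail=False):
    """Constructed connect() coroutine that 'connects' after `delay` seconds."""
    async def connect():
        await asyncio.sleep(delay)
        if fail:
            raise OSError(f"{name}: connection refused")
        return FakeConnection(name)
    return connect

async def _attempt(label, connect, head_start):
    await asyncio.sleep(head_start)          # e.g. hold the IPv4 attempt back briefly
    return label, await connect()

async def happy_eyeballs(candidates, timeout=5.0):
    """candidates: (label, connect, head_start). Fire every attempt concurrently,
    keep the first that succeeds, close or cancel the rest. Raises ConnectionError
    when none succeeds within timeout."""
    pending = {asyncio.ensure_future(_attempt(*c)) for c in candidates}
    winner, errors = None, []
    try:
        while pending and winner is None:
            done, pending = await asyncio.wait(pending, timeout=timeout,
                                               return_when=asyncio.FIRST_COMPLETED)
            if not done:
                errors.append(TimeoutError(f"no connection within {timeout}s"))
                break
            for task in done:
                if task.exception() is not None:
                    errors.append(task.exception())
                elif winner is None:
                    winner = task.result()
                else:
                    task.result()[1].close()      # a simultaneous second success
    finally:
        for task in pending:
            task.cancel()                         # abort the losers' half-open attempts
        await asyncio.gather(*pending, return_exceptions=True)
    if winner is None:
        raise ConnectionError("; ".join(str(e) for e in errors))
    return winner

def connect_first(candidates, timeout=5.0):
    """Synchronous wrapper: returns (label, connection) of the fastest candidate."""
    return asyncio.run(happy_eyeballs(candidates, timeout))
```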
Security Issues
• Addresses
• Enforcement
IPv6 Address Security Issues
• All routable addresses are global
  ‒ Can we feel safe without NAT?
  ‒ Remember: NAT is a security placebo (with side-effects)
• Address spacing
  ‒ 64 bits dedicated to host = 18 x 10^18 nodes per network
    • “Impossible” to scan that range; can nodes “hide”?
  ‒ Enterprise network management
    • Cross-layer view: MAC, IP/IPv6, name, etc.
    • Even “stealth” hosts must use switches
• Secure Neighbor Discovery (SEND)
  ‒ Uses public/private keys to validate ND (“ARPv6”)
  ‒ Doesn’t need a PKI, but there is no standard method to list public keys
IPv6 Security Enforcement Issues
• DPI / layer 7 application security scanning
  ‒ IPv6 header different than IPv4
  ‒ IPv6 header longer than IPv4
    • Changes the offset for upper layers
    • Biggest impact on hardware-based devices
  ‒ Transition and interoperability issues
    • Multiple different tunnel standards
    • Multiple different translation standards
• Teredo – IPv6 over IPv4 w/ NAT traversal
  ‒ Node gets an IPv6 address directly on the Internet
  ‒ Bypasses network firewall controls
• There have already been IPv6 DoS attacks
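Added example, not from the deck: a defender-side classifier for the address “magic numbers” listed earlier, run over constructed firewall log lines. Besides tagging each source as link-local, ULA, Teredo, 6to4 and so on, it recovers the IPv4 endpoint embedded in tunnel and translation addresses, which is what lets an IPv4-only policy or IDS see which NAT'd host is behind a Teredo or 6to4 address. The log lines and addresses are constructed samples.

```python
import ipaddress
import re

ADDRESS_CLASSES = [  # most specific first; prefixes from the deck's "magic numbers" slides
    ("::ffff:0:0/96", "IPv4-mapped"),
    ("64:ff9b::/96", "NAT64 well-known prefix"),
    ("2001::/32", "Teredo tunnel"),
    ("2002::/16", "6to4 tunnel"),
    ("2001:db8::/32", "documentation"),
    ("fe80::/10", "link-local"),
    ("fc00::/7", "ULA"),
    ("ff00::/8", "multicast"),
    ("2000::/3", "global unicast"),
]

def classify(addr: str) -> str:
    a = ipaddress.IPv6Address(addr)
    return next((label for net, label in ADDRESS_CLASSES
                 if a in ipaddress.IPv6Network(net)), "other")

def embedded_ipv4(addr: str):
    """For tunnel and translation addresses, recover the IPv4 endpoint the traffic
    really uses: the address an IPv4-only firewall policy or IDS would match on."""
    a = ipaddress.IPv6Address(addr)
    raw = int(a)
    if a in ipaddress.IPv6Network("2002::/16"):            # 2002:AABB:CCDD::/48 embeds A.B.C.D
        return str(ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF))
    if a in ipaddress.IPv6Network("2001::/32"):            # Teredo layout (RFC 4380 section 4)
        server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
        port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF             # client's NAT port, XOR-obfuscated
        client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return f"{client}:{port} via Teredo server {server}"
    if any(a in ipaddress.IPv6Network(n) for n in ("::ffff:0:0/96", "64:ff9b::/96")):
        return str(ipaddress.IPv4Address(raw & 0xFFFFFFFF))  # IPv4 in the low 32 bits
    return None

def audit_log(lines) -> list:
    """Tag the source address of each firewall-style log line with its class and any
    embedded IPv4 endpoint, so tunnelled hosts stand out from native ones."""
    rows = []
    for line in lines:
        m = re.search(r"src=\[?([0-9a-fA-F:.]+)\]?", line)
        if m:
            addr = m.group(1)
            rows.append((addr, classify(addr), embedded_ipv4(addr)))
    return rows

SAMPLE_LOG = [  # constructed lines, not real traffic
    "ACCEPT src=[2001:db8:2::4] dst=[2001:db8:9::1] proto=tcp dport=80",
    "ACCEPT src=[2001:0:4136:e378:8000:63bf:3fff:fdd2] dst=[2001:db8:9::1] proto=tcp dport=443",
    "ACCEPT src=[2002:c000:204::1] dst=[2001:db8:9::1] proto=tcp dport=22",
    "ACCEPT src=[fe80::21b:21ff:fe3c:4d5e] dst=[ff02::1:2] proto=udp dport=547",
    "ACCEPT src=[64:ff9b::c000:221] dst=[2001:db8:9::1] proto=tcp dport=25",
]
```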
Company Overview
Corporate Background
• Experts in network monitoring, analysis, and troubleshooting
‒ Founded: 1990 / Headquarters: Walnut Creek, CA
‒ Offices throughout the US, EMEA, and APAC
• Our customers are leading edge organizations
‒ Mid-market, and enterprise lines of business
‒ Financial, manufacturing, ISPs, major federal agencies,
state and local governments, and universities
‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000
• Award-winning solutions that improve network performance
‒ Internet Telephony, Network Magazine, Network Computing Awards
‒ United States Patent 5,787,253 issued July 28, 1998
  • Different approach to maintaining availability of network services
Real-World Deployments
Education
Health Care / Retail
Financial
Telecom
Government
Technology
Product Line Overview
OmniPeek/Compass Enterprise Packet Capture, Decode and Analysis
• 10/100/1000 Ethernet, Wireless, WAN, 10G
• Portable capture and OmniEngine console
• VoIP analysis and call playback
Omnipliance / TimeLine Distributed Enterprise Network Forensics
• Packet capture and real-time analysis
• Stream-to-disk for forensics analysis
• Integrated OmniAdapter network analysis cards
WatchPoint Centralized Enterprise Network Monitoring Appliance
• Aggregation and graphical display of network data
• WildPackets OmniEngines
• NetFlow and sFlow
OmniPeek Network Analyzer
• OmniEngine Manager
– Connect and configure distributed OmniEngines/Omnipliances
• Comprehensive dashboards present network traffic in real-time
– Vital statistics and graphs display trends on network and application
performance
– Visual peer-map shows conversations and protocols
– Intuitive drill-down for root-cause analysis of performance bottlenecks
• Visual Expert diagnosis speeds problem resolution
– Packet and Payload visualizers provide business-centric views
• Automated analytics and problem detection 24/7
– Easily create filters, triggers, scripting, advanced alarms and alerts
Omnipliance Network Recorders
• Captures and analyzes all network traffic 24x7
– Runs our OmniEngine software probe
– Generates vital statistics on network and application performance
– Intuitive root-cause analysis of performance bottlenecks
• Expert analysis speeds problem resolution
– Fault analysis, statistical analysis, and independent notification
• Multiple Issue Digital Forensics
– Real-time and post capture data mining for compliance and troubleshooting
• Intelligent data transport
– Network data analyzed locally
– Detailed analysis passed to OmniPeek on demand
– Summary statistics sent to WatchPoint for long term trending and reporting
– Efficient use of network bandwidth
• User-Extensible Platform
– Plug-in architecture and SDK
Omnipliance Network Recorders: price/performance solutions for every application
• Portable ‒ Ruggedized, Troubleshooting
  ‒ Aluminum chassis / 17” LCD
  ‒ Quad-Core Xeon 2.5GHz
  ‒ 4GB RAM
  ‒ 2 PCI-E slots
  ‒ 2 built-in Ethernet ports
  ‒ 500GB and 2.5TB SATA storage capacity
• Edge ‒ Small Networks, Remote Offices
  ‒ 1U rack mountable chassis
  ‒ Quad-Core Intel Xeon X3460 2.80GHz
  ‒ 4GB RAM
  ‒ 2 PCI-E slots
  ‒ 2 built-in Ethernet ports
  ‒ 1TB SATA storage capacity
• Core ‒ Datacenter Workhorse, Easily Expandable
  ‒ 3U rack mountable chassis
  ‒ Two Quad-Core Intel Xeon E5530 2.4GHz
  ‒ 6GB RAM
  ‒ 4 PCI-E slots
  ‒ 2 built-in Ethernet ports
  ‒ 2TB SATA storage capacity
TimeLine
• Fastest network recording and real-time statistical display, simultaneously
  ‒ 11.7Gbps sustained capture with zero packet loss
  ‒ Network statistics display in the TimeLine visualization format
• Rapid, intuitive forensics search and retrieval
  ‒ Historical network traffic analysis and quick data rewinding
  ‒ Several pre-defined forensics search templates make searches easy and fast
• A natural extension to the WildPackets product line
• Turnkey bundled solution
  ‒ Appliance + OmniEngine, OmniAdapter, OmniPeek Connect
TimeLine: for the most demanding network analysis tasks
• TimeLine ‒ 10G Network Forensics
  ‒ 3U rack mountable chassis
  ‒ Two Quad-Core Intel Xeon 5560 2.8GHz
  ‒ 18GB RAM
  ‒ 4 PCI-E slots
  ‒ 2 built-in Ethernet ports
  ‒ 8/16/32TB SATA storage capacity
WatchPoint: Centralized Monitoring for Distributed Enterprise Networks
• High-level, aggregated view of all network segments
  – Monitor per campus, per region, per country
• Wide range of network data
  – NetFlow, sFlow, OmniFlow
• Web-based, customizable network dashboards
• Flexible detailed reports
• Omnipliances must be configured for continuous capture
WildPackets Key Differentiators
• Visual Expert Intelligence with Intuitive Drill-down
  – Let the computer do the hard work, and return results in real time
  – Packet / Payload Visualizers are faster than packet-per-packet diagnostics
  – Experts and analytics can be memorized and automated
• Automated Capture Analytics
  – Filters, triggers, scripting and an advanced alarming system combine to provide automated network problem detection 24x7
• Multiple Issue Network Forensics
  – Can be tracked by one or more people simultaneously
  – Real-time or post capture
• User-Extensible Platform
  – Plug-in architecture and SDK
• Aggregated Network Views and Reporting
  – NetFlow, sFlow, and OmniFlow
Q&A
Follow us on SlideShare! Check out today’s slides on SlideShare
www.slideshare.net/wildpackets
Thank You!
WildPackets, Inc.
1340 Treat Boulevard, Suite 500
Walnut Creek, CA 94597
(925) 937-3200