IPv6 Transition Mechanisms, their Security and Management
Georgios Koutepas, National Technical University of Athens, Greece
6DISS Workshop, March 5 2006
IPv6 Transition Mechanisms - 6DISS Workshop - 5 March 2006

Transition to IPv6
• Not an afterthought, but designed to be part of the new protocol from the beginning
• Overview of transition requirements:
  – Gradual site transition: a site may have only some of its systems supporting IPv6
  – Minimum transition requirements: a site can support IPv6 just by offering DNS services, without any upgrade in the rest of the infrastructure
  – IP address compatibility: v4 addresses can be converted to "corresponding" v6 addresses, allowing a system to operate in both environments
  – Ease of installation: operating systems should support IPv6 straightforwardly, without need for software upgrades
• The answer: SIT (Simple Internet Transition) mechanisms, included in IPv6

IPv6 Transition Mechanisms
• SIT offers a scheme for:
  – The conversion of IPv4 addresses to IPv6
  – Dual stack OS operation
  – Tunnelling mechanisms via the encapsulation of v6 packets within v4 when passing over v4 clouds (and vice versa)
• The result:
  – Dual stack mechanisms
  – Translation mechanisms
  – Tunnelling mechanisms

Dual Stack mechanisms
Figure: a dual stack host. Application Layer (Web, Email, etc.); Transport Layer (TCP/UDP); IP Layer with IPv4 and IPv6 side by side; Data Link Layer (Ethernet, PPP, etc.).

Translation Mechanisms
• NAT-PT (Network Address Translation - Protocol Translation)
  – Potential problems
    • Services based on protocol-specific header info cannot be supported end-to-end
    • "Classic" NAT security issues
  Figure: a dual stack translation router (NAT-PT) holding an IPv6 address pool and an IPv4 address pool, placed between a native IPv6 network and a native IPv4 network.
• Others
  – BIS (Bump in the Stack) - at the Transport Layer
  – BIA (Bump in the API) - at the Application Layer

Tunnelling Mechanisms
• How they work:
  – Encapsulation of IPv6 packets within IPv4 packets and vice versa ... which means it can also be used for IPv4 connections over IPv6 native networks
  – Protocol in the IPv4 header: 41
  – The tunnel's end point performs the necessary operations on the protocol 41 IPv4 packets:
    • Reassembly of fragmented packets
    • Packet forwarding in the IPv6 network
    • Hop limit (equivalent to IPv4 TTL) reduction by 1: the tunnel is "transparent" to IPv6
  – Nodes performing the (en/de)capsulation operation have to be dual stack

Types of tunnelling
Based on the way we find the tunnel's other end:
• (Pre)configured tunnel end-points
• Automatic. The tunnel end-point may be derived from:
  – a 6to4 address
  – an IPv4-compatible IPv6 destination address

Automatic Tunneling Mechanisms: Tunnel Brokers
• The simplest way to IPv6 for single users (i.e. using dialup, ADSL, etc.)
• May create security problems, or conversely protocol 41 may be banned by the sys-admins for security reasons
• Operation
  – The user connects to a special web server (in the IPv4 network) and makes a tunnel application
  – The server assigns an IPv6 address, creates a DNS entry, informs the Tunnel Server, and sends a configuration script to the user
  – The user runs the script, installs the IPv6-over-IPv4 tunnel and connects to the Tunnel Server, which routes the packets to the native IPv6 network

Automatic Tunneling Mechanisms: 6over4
• Deprecated...
• "Multicast tunnelling"
• Single IPv6 hosts use the IPv4 multicast network to connect between them, or to the native IPv6 network via a 6over4 router (usually a 6to4 router)
• The result is IPv6 hosts directly connected, even using IPv6 link-local addresses (derived from their IPv4 addresses)!
• Also supports IPv6 multicast etc.
• 6over4 requires IPv4 multicast support, which does not exist widely.

Automatic Tunneling Mechanisms: ISATAP
• Intra-Site Automatic Tunnel Addressing Protocol
• Also uses the IPv4 infrastructure, but without the need for multicast
• Can operate under v4 NAT
• Operation:
  – The node (A.B.C.D)v4 gets the (FE80::5EFE:AB:CD)v6 link-local address
  – Using DNSv4 queries for the name ISATAP, a Potential Router List (PRL) is created (the router usually is a 6to4 system)
  – A Router Solicitation message is sent; the answer (Router Advertisement message) gives the prefix for creating the global (universal) IPv6 address
• ISATAP router-to-node communication: using the last 4 bytes of the destination address
• Node to router / IPv6 network: via the ISATAP router

Automatic Tunneling Mechanisms: Teredo
• Useful for hosts behind NAT
• Encapsulates the IPv6 packets within UDP v4 packets, to bypass the problem of NATs in many cases restricting protocol 41 (IP encapsulated) packets
• The encapsulation takes place at the communicating node itself rather than at a border router (as happens in 6to4)
• The Teredo relay then forwards the packets to the native IPv6 network
  Figure: packet layout IPv4 Header | UDP Header | Encapsulated IPv6 Packet.
• Issues:
  – Complex implementation
  – Can operate only with specific NAT types
  – Limited number of Teredo relays available in the Internet
• Used only when there is no other available solution...

Automatic Tunneling Mechanisms: 6to4 Overview
• Connects isolated IPv6 "clouds"
• Only the border routers need to implement the 6to4 functionality (and need to be dual stack too...)
• Any site with a single unicast IPv4 address can transmit to the IPv6 network using the 2002::/16 prefix
• Many available relays to the IPv6 network, easy to find by (IPv4) anycast addressing (from 192.88.99.0 - RFC 3068)
• The most widely used mechanism; thanks to its minimum requirements and ease of implementation it is preferred to other automatic tunneling methods and configured tunnels
• However, it cannot be used behind NAT because it requires an available global (universal) IPv4 address

6to4 Architecture and Components
Figure: the IPv6 native network is reached from the IPv4 Internet through a 6to4 relay router at the IPv4 anycast address 192.88.99.1. A site's 6to4 router (gateway) has IPv4 address V4ADDR and IPv6 address 2002:V4ADDR::1 and serves a 6to4 subnet using IPv6 addresses 2002:V4ADDR::/48; 6to4 clients in that subnet, a single 6to4 client attached through IPv4, and an IPv6 host are connected by tunnels over IPv4.

6to4 usage scenarios (1): 6to4 host to 6to4 host
• Native v6 communication and routing (RIPng)
Figure: two 6to4 clients in a 6to4 subnet (IPv6 addresses 2002:V4ADDR::/48) behind a 6to4 router (gateway) with IPv4 address V4ADDR and IPv6 address 2002:V4ADDR::1, attached to the IPv4 Internet.

6to4 usage scenarios (2): Between two 6to4 sites
• Useful for sites without native IPv6 ISP support
• Within the 6to4 sites the hosts use IPv6 natively
  – Router advertisements and stateless address autoconfiguration
  – DNSv6 host records: the other site can know about the hosts it needs to communicate with
• Non-local IPv6 addresses are sent to the default (6to4) router
• The IPv4 address within the 6to4 destination IPv6 address is used as the tunnel termination point
Figure: a 6to4 client sends an IPv6 packet with destination IPv6 address 2002:V4ADDR-B::26. Its 6to4 router (gateway) encapsulates it in an IPv4 header with destination IPv4 address V4ADDR-B and forwards it over the IPv4 Internet. The 6to4 router (gateway) of site B (IPv4 address V4ADDR-B, IPv6 address 2002:V4ADDR-B::1) decapsulates it and delivers it to the 6to4 client 2002:V4ADDR-B::26.

6to4 usage scenarios (3): Between a 6to4 site and a native IPv6 network
– Connection to the native IPv6 network through a 6to4 relay router (an IPv6 router with a 6to4 "pseudo-interface")
– Usage of the relay router's IPv4 address or the anycast address
• 6to4 host to a native IPv6 host
  1. The 6to4 host uses DNS to find the destination host
  2. The 6to4 router forwards (via IPv4) the packet to the "next-hop", the closest 6to4 relay router
  3. The IPv6 router forwards the packet to its final destination
• Native IPv6 host to a 6to4 host
  1. The 6to4 relay router advertises the 2002::/16 prefix within the IPv6 network
  2. A v6 host will use this information to send its packet to the corresponding IPv6 router and further to the 6to4 "pseudo-interface", via which (by the IPv4 network) the packet reaches the 6to4 network and its final destination
Figure: outbound, the 6to4 host 2002:V4ADDR-A::25 sends an IPv6 packet with destination V6ADDR; the 6to4 router (gateway) (IPv4 address V4ADDR-A, IPv6 address 2002:V4ADDR-A::1) encapsulates it with destination IPv4 address 192.88.99.1 (the well-known IPv4 address or the anycast address of the relay); the 6to4 relay router decapsulates it and forwards the IPv6 packet through the IPv6 Internet to the native IPv6 host V6ADDR. Inbound, the native host's IPv6 packet with destination 2002:V4ADDR-A::25 reaches the relay router, which encapsulates it with destination IPv4 address V4ADDR-A; the 6to4 router decapsulates it and delivers the IPv6 packet to the 6to4 host.

6to4 Security, or what can go wrong...
• Vulnerabilities
  – 6to4 routers must accept packets from ALL 6to4 relay routers
    • It's not possible to know if the relay router is "trusted" or even exists
  – 6to4 relay routers have to accept packets from 6to4 routers and native IPv6 hosts without any checks
• Threats
  – DoS/DDoS against 6to4 components may result in unavailability
  – 6to4 routers/relay routers may be used for "reflected" DDoS attacks
  – "Service theft": unauthorized usage of relay router services
  – Local IPv4 broadcast attacks
  – Neighbor Discovery attacks
• "Sanity checks" necessary!

6to4 Security ... an attack scenario
• Reflected DoS attack
Figure: the IPv4 host ATTACKER sends an IPv4 packet (IPv4 src: ATTACKER, IPv4 dst: V4ADDR-A) carrying an encapsulated IPv6 packet (IPv6 src: 2002:VICTIM::1, IPv6 dst: 2002:V4ADDR-A::25) to the 6to4 router (IPv4 address V4ADDR-A, IPv6 address 2002:V4ADDR-A::1). The 6to4 host 2002:V4ADDR-A::25 answers; its reply (IPv6 src: 2002:V4ADDR-A::25, IPv6 dst: 2002:VICTIM::1) is encapsulated by the 6to4 router with IPv4 src: V4ADDR-A, IPv4 dst: VICTIM and delivered over the IPv4 Internet to the IPv4 host VICTIM.
• It is supposed that bandwidth and processing power limitations can prevent a large-scale attack...

Securing 6to4 components
• 6to4 routers
  – Check for correspondence between the IPv4 part of the packets and the 2002::/16 IPv6 encapsulated part
  – Implement "sanity checks"
    • IPv4: do not allow strange (e.g. loopback), private, multicast, etc. addresses to be encapsulated
    • IPv6: reject "wrong" addresses, like link-local, multicast, etc.
  – Prevent routing of packets to other 6to4 sites via 6to4 relay routers
  – Reject packets coming from another 6to4 site via a relay router

Securing 6to4 components (2)
• 6to4 relay routers
  – Reject IPv4 packets from 6to4 routers that don't have a matching IPv4 src address (V4ADDR) and equivalent 6to4 src address (2002:V4ADDR) in the encapsulated IPv6 packet
  – Reject protocol 41 (IPv4) packets without destination address 192.88.99.1
  – Deny packets to the IPv6 network without a global (universal) IPv6 address
  – Reject packets from 6to4 routers to 6to4 addresses
  – Ingress filtering and access control lists for the IPv6 part!

A General Transition Roadmap for an enterprise or educational network
Phase 1
• Network design
  – Define wide and local network segments
  – Define "special" areas (due to requirements and operations): VLANs, DMZs etc.
  – Define management entities and their areas of responsibility
  – Network management information flow
  – Security requirements:
    • For users and applications
    • For the network itself (protection of the management information, protection of network devices, security of management procedures)
  – Plan the steps to transition to the new protocol. Examine the possibility of deploying transition mechanisms (for communications between IPv6 areas within an IPv4 network and vice versa)

A General Transition Roadmap (2)
Phase 2
• Implementation of a mixed IPv4/IPv6 environment
• Gradual transition of non-critical systems to IPv6
  – Allows the evaluation of the operation and stability of the network devices and non-critical systems under IPv6
  – Develops the transition procedures
  – Disseminates the usage of transition mechanisms (tunnels, gateways, etc.) for communications between exclusive IPv6 areas
Phase 3
• Transition of all systems to IPv6
• Exclusive usage of IPv6 in the network
  – Maintaining transition mechanisms for legacy systems and contacts with IPv4 networks
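As an added example (not code from the slides), the address derivations the deck describes (2002:V4ADDR::/48 for 6to4, FE80::5EFE:A.B.C.D for ISATAP) and the sanity checks listed under "Securing 6to4 components", applied to constructed protocol 41 packets as a 6to4 router or a 6to4 relay router would see them; the attack scenario's mismatched IPv4/IPv6 source pair is what the correspondence check rejects. The sample packets use documentation addresses chosen here and leave the IPv4 checksum at zero; the explicit list of IPv4 ranges is my reading of "loopback, private, multicast, etc.".

```python
import ipaddress

PROTO_41 = 41  # "protocol 41": IPv6 encapsulated in IPv4
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # 6to4 relay anycast (RFC 3068)
SIXTO4 = ipaddress.IPv6Network("2002::/16")
# IPv4 ranges (this-net, private, loopback, link-local, multicast, reserved) never valid as tunnel end-points
BAD_V4 = [ipaddress.IPv4Network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
          "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def sixto4_prefix(v4):
    """2002:V4ADDR::/48, the 6to4 prefix of a site whose global IPv4 address is V4ADDR."""
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80), 48))
def embedded_v4(v6):
    """The V4ADDR carried in bits 16-47 of a 2002::/16 address: the tunnel termination point."""
    return ipaddress.IPv4Address((int(ipaddress.IPv6Address(v6)) >> 80) & 0xFFFFFFFF)
def isatap_link_local(v4):
    """FE80::5EFE:A.B.C.D, the ISATAP link-local address derived from IPv4 node A.B.C.D."""
    return ipaddress.IPv6Address((0xFE80 << 112) | (0x5EFE << 32) | int(ipaddress.IPv4Address(v4)))

def build_proto41(v4src, v4dst, v6src, v6dst):
    """Constructed sample: minimal IPv4 header (proto 41, checksum left 0) + IPv6 header, no payload."""
    v4 = bytes([0x45, 0, 0, 60, 0, 0, 0x40, 0, 64, PROTO_41, 0, 0])
    v6 = bytes([0x60, 0, 0, 0, 0, 0, 59, 64])  # version 6, payload length 0, next header 59, hop limit 64
    return (v4 + ipaddress.IPv4Address(v4src).packed + ipaddress.IPv4Address(v4dst).packed
            + v6 + ipaddress.IPv6Address(v6src).packed + ipaddress.IPv6Address(v6dst).packed)

def check_proto41(pkt, role):
    """Sanity checks of the 'Securing 6to4 components' slides; role is "router" or "relay".
    Returns (accept, reason) for one raw IPv4 packet received on the IPv4 side."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != PROTO_41:
        return False, "not an IPv4 protocol-41 packet"
    ihl = (pkt[0] & 0x0F) * 4
    v4src, v4dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    inner = pkt[ihl:ihl + 40]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "no complete IPv6 header inside"
    v6src, v6dst = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    if any(v4src in n for n in BAD_V4):
        return False, "outer IPv4 source is loopback/private/multicast/reserved"
    if any(a.is_link_local or a.is_multicast or a.is_loopback or a.is_unspecified for a in (v6src, v6dst)):
        return False, "inner IPv6 address is link-local/multicast/loopback/unspecified"
    if v6src in SIXTO4 and embedded_v4(v6src) != v4src:
        return False, "IPv4 src does not match 2002:V4ADDR of the IPv6 src (spoofed, as in the reflected DoS)"
    if role == "relay":
        if v4dst != RELAY_ANYCAST or v6src not in SIXTO4:
            return False, "relay expects packets to 192.88.99.1 from a 2002::/16 source"
        if v6dst in SIXTO4:
            return False, "6to4-to-6to4 traffic must not be routed via a relay"
    elif v6dst in SIXTO4 and embedded_v4(v6dst) != v4dst:
        return False, "IPv4 dst does not match 2002:V4ADDR of the IPv6 dst"
    return True, "ok"
```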