- 1. Copyright © 2011, Fred Bovy. All rights reserved .
© 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6—1
Transition To IPv6
October 2011
Fred Bovy
CCIE #3013
fred@fredbovy.com
§ Tunnels for Experimental testing or Enterprises
The experimental 6BONE network was built as an overlay of IPv6 in IPv4 tunnels over the IPv4 Internet.
§ Dual-Stack
§ Overlay IPv6 in IPv4 Tunnels
• Manual 6in4 and automatic 6to4
• And more automatic tunnels
• Again mostly introduced with Windows: Teredo to bypass NAT devices and ISATAP to use IPv4 networks as an NBMA network for IPv6.
§ NAT and Private Addresses (RFC1918)
• In parallel, to make the most of the remaining IPv4 addresses, NAT44 and IPv4 private addresses (RFC1918) were introduced.
1st Generation: The IPv6 Pioneers
§ SPs with MPLS/IPv4 Backbone: 6PE and 6VPE
Most SPs were running IPv4/MPLS.
First phase of the transition: deploy 6PE/6VPE.
§ SPs with IPv4 Backbone: 6RD
Free, a French SP, deployed IPv6 in 5 weeks from a 6to4 stack!
§ Carrier Grade NAT or Large Scale NAT (Testing)
DS-Lite = IPv4 in IPv6 Tunnel + CGN
– SPs who deployed IPv6 chose DS-Lite to support the existing IPv4 customers
– They deploy it as soon as they have migrated from 6PE/6VPE to native IPv6
– Some of them planned to replace DS-Lite with A+P when it becomes available
Other protocols are designed and some of them are tested: CGN, NAT444, NAT464, dIVI, dIVI-pd
§ Network Address Translation Protocols (NAT)
NAT-PT
– First attempt to translate between IPv6 and IPv4. Deprecated!
NAT64/DNS64
2nd Generation: SPs transition 1st Phase, the 2000s
§ Stateful Carrier Grade NAT issues
Because of the known issues of stateful CGN, a lot of work is being done to develop and test stateless protocols that share the remaining IPv4 addresses without a stateful NAT (CGN).
§ A+P Architecture and Stateless NAT solutions Testing
Share the remaining IPv4 addresses using the IPv4 source ports, without any stateful NAT in the SP backbone.
§ Users or CPEs are assigned an IP address and a range of source ports
§ Not a new solution: FT Orange planned A+P in 2009 while they were choosing DS-Lite in the first place
§ The first proposal for A+P at the IETF Taipei 2011 is based on Stateless NAT464 aka dIVI, dIVI-pd and 4RD
3rd Generation: SPs going Stateless, the 2010s
Transition Tools - Deployment
Figure: timeline running from 1996 to IETF Taipei 82 (Nov 2011), with marks at 1996, 2003, 2007 and 2010. Rows: IPv6 in IPv4 Tunnels, Dual-Stack, IPv4 in IPv6 Tunnels, NAT464. Tools placed on the timeline: 6BONE †, 6in4, 6to4, Dual-Stack, NAT-PT, 6PE, 6VPE, 6RD, DS-Lite, NAT64, NAT444, dIVI, dIVI-pd, A+P, each marked as Deployed, Testing or in Standardization.
Network Address Translation
n NAT44 and IPv4 private addresses in the 90s
n IPv6 to IPv4 translations
• NAT-PT †
NAT-PT is NAT64 + NAT46 + DNS ALG
• NAT-PT was replaced by NAT64 and DNS64
n Carrier Grade NAT or Large Scale NAT
• NAT444 or double NAT
• NAT464, dIVI, dIVI-pd
• DS-Lite = IPv4 in IPv6 Tunnels + NAT44 (LSN)
Dual Stack and Tunneling
This was introduced at the very beginning of IPv6, in 1996.
All clients are now configured by default as dual-stack nodes.
It is still the best approach for a smooth transition.
Tunnels are manually, statically configured.
It may be obvious, but for dual-stack you still need IPv4 addresses!
Figure: IPv6 hosts on both sides, each behind a dual-stack router, connected across an IPv4 network; each node runs IPv6 and IPv4. Tunneling: the IPv6 packet (IPv6 Hdr + payload) is carried inside an IPv4 Hdr.
Automatic Tunnels for Enterprises: 6to4
Figure: the 2002:C044:1::/48 prefix comes from 192.68.0.1; the 2002:C046:1::/48 prefix comes from 192.70.0.1.
The tunnel destination IPv4 address is embedded in the IPv6 address!
SPs MPLS Enabled: 6PE and 6VPE
In the very early 2000s, 6PE was introduced to help SPs with an MPLS/IPv4 backbone provide an IPv6 service.
No backbone router upgrade needed!
6RD Automatic Tunnel for SPs
Free, a French SP, customized a 6to4 stack to allow a custom prefix instead of 2002::/16.
Free deployed 6RD in 5 weeks in 2007 and immediately started a user-configurable IPv6 service over the IPv4 backbone.
4RD is IPv4 in IPv6.
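The address arithmetic behind both slides, 6to4 (2002::/16 with the whole IPv4 address embedded) and its 6RD generalisation (the SP's own prefix, with only the variable low bits of the customer IPv4 address embedded), as an added example that is not code from the presentation. The IPv4 addresses 192.68.0.1 and 192.70.0.1 are the ones on the 6to4 figure; the 6RD prefix 2001:db8::/32, the IPv4MaskLen values and the CE addresses are constructed, and the RFC 5969 bit layout is implemented for a single CE address (no multicast or anycast cases):

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# Added example, not code from the slides. The IPv4 addresses are the ones
# drawn on the 6to4 figure; the 6RD prefix, IPv4MaskLen and CE addresses
# below are constructed for illustration.

SIXTO4_TLA = 0x2002  # 2002::/16, RFC 3056


def sixto4_prefix(site_ipv4: str) -> IPv6Network:
    """2002:V4ADDR::/48 - the public IPv4 address fills bits 16..47."""
    v4 = int(IPv4Address(site_ipv4))
    return IPv6Network(((SIXTO4_TLA << 112) | (v4 << 80), 48))


def sixto4_tunnel_destination(ipv6: str) -> IPv4Address:
    """What a 6to4 router does on egress: read the IPv4 endpoint back out of
    the destination IPv6 address instead of looking it up in a table."""
    v6 = int(IPv6Address(ipv6))
    if (v6 >> 112) != SIXTO4_TLA:
        raise ValueError("not a 6to4 address: no embedded IPv4 endpoint")
    return IPv4Address((v6 >> 80) & 0xFFFFFFFF)


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_mask_len: int, ce_ipv4: str) -> IPv6Network:
    """RFC 5969 6RD generalises 6to4: the SP's own 6rdPrefix replaces 2002::/16
    and only the low (32 - IPv4MaskLen) bits of the CE IPv4 address are
    embedded, so the provider can drop the high bits common to all its
    customers. 6to4 is the special case 6rdPrefix=2002::/16, IPv4MaskLen=0."""
    net = IPv6Network(sixrd_prefix)
    suffix_bits = 32 - ipv4_mask_len
    suffix = int(IPv4Address(ce_ipv4)) & ((1 << suffix_bits) - 1)
    delegated_len = net.prefixlen + suffix_bits
    addr = int(net.network_address) | (suffix << (128 - delegated_len))
    return IPv6Network((addr, delegated_len))


def sixrd_tunnel_destination(sixrd_prefix: str, ipv4_mask_len: int,
                             sp_ipv4_prefix: str, ipv6: str) -> IPv4Address:
    """Reverse mapping on the 6RD border relay: embedded low bits plus the
    SP's fixed high IPv4 bits give the CE tunnel endpoint, with no state."""
    net = IPv6Network(sixrd_prefix)
    suffix_bits = 32 - ipv4_mask_len
    v6 = int(IPv6Address(ipv6))
    if IPv6Address(v6) not in net:
        raise ValueError("address is outside the 6RD domain")
    suffix = (v6 >> (128 - net.prefixlen - suffix_bits)) & ((1 << suffix_bits) - 1)
    high_mask = ((1 << ipv4_mask_len) - 1) << suffix_bits
    high = int(IPv4Address(sp_ipv4_prefix)) & high_mask
    return IPv4Address(high | suffix)


if __name__ == "__main__":
    for v4 in ("192.68.0.1", "192.70.0.1"):
        print(v4, "->", sixto4_prefix(v4))          # the two prefixes on the figure
    print(sixto4_tunnel_destination("2002:c046:1::1"))
    print(sixrd_delegated_prefix("2001:db8::/40", 8, "10.1.2.3"))
```

Running it prints 2002:c044:1::/48 and 2002:c046:1::/48 for the two addresses on the figure. The reverse functions are the security-relevant part: because the tunnel endpoint is derived from the address rather than configured, a relay that does not check the embedded address against the outer IPv4 header will accept a packet from anyone, which is the point made later in the security section.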
Dual Stack Lite or DS-Lite
Once SPs have migrated their backbone to IPv6, DS-Lite is used to support RFC1918 IPv4 customers.
§ IPv4 in IPv6 Tunnels + NAT44 (LSN at the SP)
§ The LSN inside mapping uses Source IPv6 + Source IPv4 + Port
§ The LSN allows sharing the remaining IPv4 addresses efficiently
But the LSN must keep a lot of state and is a single point of failure shared by many customers.
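To make the mapping key concrete, here is an added example (not code from the presentation) of a toy AFTR, the LSN of DS-Lite. The Aftr class, the softwire addresses 2001:db8:a::1 and 2001:db8:b::1, the public address 198.51.100.1 and the ports are all constructed. It shows two customers who both use 10.0.0.1 with the same source port receiving distinct public ports because the softwire IPv6 address is part of the key, the reverse lookup an inbound reply needs, and why a plain NAT44 key (IPv4 source + port) would collide:

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv6Address

# Added example, not from the slides: a toy AFTR, the LSN of DS-Lite.
# All addresses and ports are constructed. The point is the table key:
# (softwire IPv6 source, inner IPv4 source, inner port), not just
# (IPv4 source, port) as a plain NAT44 would use.


@dataclass
class Aftr:
    public_ipv4: str                              # shared public address behind the LSN
    first_port: int = 1024
    last_port: int = 65535
    table: dict = field(default_factory=dict)     # key -> public port
    reverse: dict = field(default_factory=dict)   # public port -> key

    def outbound(self, softwire_src: str, inner_src: str, inner_port: int):
        """Packet arriving over the IPv4-in-IPv6 softwire: allocate or reuse a binding."""
        key = (IPv6Address(softwire_src), IPv4Address(inner_src), inner_port)
        if key not in self.table:
            port = self.first_port + len(self.table)
            if port > self.last_port:
                raise RuntimeError("public port pool exhausted")  # the LSN's scaling limit
            self.table[key] = port
            self.reverse[port] = key
        return self.public_ipv4, self.table[key]

    def inbound(self, public_port: int):
        """Reply from the IPv4 Internet: find the softwire to encapsulate into."""
        key = self.reverse.get(public_port)
        if key is None:
            return None  # no state: dropped, which is what every customer sees after an LSN reboot
        softwire, inner, port = key
        return str(softwire), str(inner), port


def nat44_only_collides(flows) -> bool:
    """Why the softwire address must be in the key: two customers using the
    same RFC 1918 address and port are indistinguishable to a plain NAT44."""
    seen = set()
    for _softwire, inner_src, inner_port in flows:
        if (inner_src, inner_port) in seen:
            return True
        seen.add((inner_src, inner_port))
    return False


# Constructed flows: two customers, both numbered 10.0.0.1 inside, same source port.
FLOWS = [
    ("2001:db8:a::1", "10.0.0.1", 40000),
    ("2001:db8:b::1", "10.0.0.1", 40000),
]


def run_demo():
    """Push both flows through one AFTR and return it with the bindings made."""
    aftr = Aftr("198.51.100.1")
    bindings = [aftr.outbound(*flow) for flow in FLOWS]
    return aftr, bindings


if __name__ == "__main__":
    aftr, bindings = run_demo()
    print(bindings)                      # same public address, ports 1024 and 1025
    print(aftr.inbound(1025))            # routed back to customer b's softwire
    print(nat44_only_collides(FLOWS))    # True: NAT44 alone cannot tell them apart
```

The table and the reverse map are the "lot of state" the slide refers to: every binding has to survive for the whole flow, and an inbound packet with no binding can only be dropped, which is why a restart of the AFTR resets every customer's sessions.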
DS-Lite: Help transition to IPv6
Connecting IPv6-only with IPv4-only: AFT64
New IPv6 clients must have access to IPv4 content.
§ AFT64 technology is only applicable where IPv6-only end-points need to talk to IPv4-only end-points (AFT64 for going from IPv6 to IPv4)
§ AFT64 := "stateful v6 to v4 translation" or "stateless translation"; ALGs are still required
§ Key components include NAT64 and DNS64
§ Assumption: the network infrastructure and services have fully transitioned to IPv6 and IPv4 has been phased out
Figure: Access, Aggregation, Edge and Core (IP/MPLS). Residential customers have IPv6-only connectivity; NAT64 and DNS64 at the edge give them access to the IPv4-only public IPv4 Internet and the IPv4 datacenter.
Protocol Translation: NAT64, DNS64
§ The client requests the IPv6 address
§ DNS64 translates the request to an IPv4 address
Figure: the client asks DNS64 "h2.exemple.com ?"; DNS64 asks the DNS "h2.exemple.com ?" and gets "A: 192.0.2.1"; DNS64 answers the client with "AAAA 64:ff9b::c0:201". The NAT64 sits between the IPv6 side and the IPv4 web server.
NAT64 and DNS64
§ The session is initialized by the IPv6 client
§ Traffic to the 64:ff9b::/96 prefix is routed to the NAT64 router
§ NAT64 then converts the headers in both directions
Figure: same DNS64 exchange as above (A: 192.0.2.1 answered as AAAA 64:ff9b::c0:201). The client sends SYN to 64:ff9b::c0:201; NAT64 forwards SYN to 192.0.2.1 on the IPv4 side; the SYN+ACK comes back through NAT64 to the client.
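The two halves of the figure in code, as an added example that is not part of the presentation: the DNS64 synthesis of an AAAA record from the A record and the NAT64's recovery of the IPv4 destination from that synthesized address. The well-known prefix 64:ff9b::/96 and the address 192.0.2.1 are from the figure; written out in full RFC 6052 form the synthesized address is 64:ff9b::c000:201. The UPSTREAM zone, the second name dual.exemple.com, the NAT64's IPv4 address 198.51.100.1 and the allocated port are constructed:

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# Added example, not from the slides. 64:ff9b::/96 and 192.0.2.1 are the
# values on the figure; the upstream zone, the second name and the NAT64's
# own IPv4 address are constructed. With a /96 prefix, RFC 6052 places the
# IPv4 address in the low 32 bits, so 192.0.2.1 becomes 64:ff9b::c000:201.

WKP = IPv6Network("64:ff9b::/96")   # Well-Known Prefix, RFC 6052

# Constructed "real" DNS content that DNS64 sees when it queries upstream.
UPSTREAM = {
    "h2.exemple.com": {"A": ["192.0.2.1"]},                               # IPv4-only host
    "dual.exemple.com": {"A": ["192.0.2.2"], "AAAA": ["2001:db8::2"]},    # has native IPv6
}


def synthesize_aaaa(a_record: str, prefix: IPv6Network = WKP) -> IPv6Address:
    """RFC 6052 embedding for a /96 prefix: prefix || IPv4 address."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    return IPv6Address(int(prefix.network_address) | int(IPv4Address(a_record)))


def extract_ipv4(ipv6: str, prefix: IPv6Network = WKP) -> IPv4Address:
    """What the NAT64 does with the destination of an incoming IPv6 packet."""
    addr = IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError("destination is not behind the NAT64 prefix")
    return IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(name: str) -> list:
    """AAAA resolution as a DNS64 resolver does it (RFC 6147): hand back real
    AAAA records when they exist, otherwise synthesize one per A record, so
    dual-stack destinations are reached natively and never through the NAT64."""
    rr = UPSTREAM.get(name, {})
    if rr.get("AAAA"):
        return rr["AAAA"]
    return [str(synthesize_aaaa(a)) for a in rr.get("A", [])]


def translate_syn(v6_src: str, v6_dst: str, dport: int, nat64_ipv4: str, pub_port: int) -> dict:
    """IPv6 -> IPv4 header rewrite for the client's SYN on the figure: the
    source becomes the NAT64's own IPv4 address plus an allocated port, the
    destination is the IPv4 host recovered from the synthesized address. The
    binding is the state the NAT64 must keep to translate the SYN+ACK back."""
    v4_dst = str(extract_ipv4(v6_dst))
    return {"src": nat64_ipv4, "sport": pub_port, "dst": v4_dst, "dport": dport,
            "binding": (v6_src, v4_dst, dport)}


if __name__ == "__main__":
    aaaa = dns64_answer("h2.exemple.com")
    print(aaaa)                                  # ['64:ff9b::c000:201']
    print(dns64_answer("dual.exemple.com"))      # ['2001:db8::2'], no synthesis
    print(translate_syn("2001:db8::1", aaaa[0], 80, "198.51.100.1", 40000))
```

The dual.exemple.com case is the detail worth remembering when deploying DNS64: synthesis only happens for names with no native AAAA, so the NAT64 carries only the traffic that has no other path.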
NAT444: A second level of NAT44
Solution to share the remaining IPv4 addresses among
multiple customers
NAT444: LSN Scalability Issue
n How many streams will the LSN be able to manage?
n The LSN is a single point of failure
NAT444: Overlapping Private Addresses!
NAT444: 2 customers behind same LSN
NAT444 Network Design Issues
§ Overlapping Addresses
If one of the customer networks uses the same private network number as the NAT CPE to LSN link, we have a severe duplicate network issue!!!
§ Two Customers behind the same LSN want to communicate
Packets with a private source address may be dropped by customer policy (firewall, ACL, host policy). So the LSN must also be used for local traffic.
§ Plus the issues of all the LSN-based solutions:
– Scalability
Behind each CPE NAT there can be many devices. Each device may generate many application streams. How many streams will be supported by the LSN? We do not have enough experience to say???
– Single Point of Failure
The LSN device keeps a lot of state. If it reboots, many users will have to restart their applications.
DS-Lite: Connect the IPv4 users
Another solution to share the remaining IPv4 addresses among multiple customers
Stateful NAT464 or Stateless dIVI, dIVI-pd
dIVI is the stateless version to share IPv4 addresses
among multiple users using source ports
Stateless means NO NAT or LSN!
Address+Port (A+P)
§ Experimental RFC6346
§ Uses some bits of the source port to share an IPv4 address without stateful NAT, CGN or LSN.
§ Can be implemented on hosts or CPEs, which may have to do some translation for the non-upgraded hosts
§ Requires signaling to request which ports are granted
§ IPv4 packets must be encapsulated/decapsulated to be sent into tunnels using the ports allocated to the host or the CPE
§ The first proposal at the IETF in 2011 relies on Stateless NAT464 aka dIVI, dIVI-pd and 4RD and does not require signaling
§ France Telecom-Orange has a software implementation:
http://opensourceaplusp.weebly.com/
dIVI, dIVI-pd or Stateless NAT464
The A+P proposal at the IETF actually relies on dIVI-pd and 4RD.
§ dIVI-pd is Stateless NAT464 and permits translating IPv6 addresses to IPv4 Address+Source Port
It is then possible to share an IPv4 address among many users or CPEs, without requiring any stateful NAT with all its known associated problems.
A very interesting test in large SP domains:
"For port configuration, since there are 65536 TCP/UDP ports for each IP address, and in fact one can use hundreds only for normal applications, so one IPv4 address can be shared by multiple customers. In our experiment, we selected ratio to be 128. That is to say, one IPv4 address is shared by 128 users, and there are 512 available ports per user."
http://tools.ietf.org/html/draft-sunq-v6ops-ivi-sp-02#page-7
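The port-sharing arithmetic of the A+P and dIVI-pd slides, as an added example that is not from the presentation or from any of the drafts: the quoted ratio of 128 users per IPv4 address and 512 ports per user is computed in two port-set layouts (contiguous blocks and interleaved), an IPv6 address layout is assumed (SP /32 prefix, then the IPv4 address, then a 16-bit port-set index) so that the IPv4 address and port set can be recovered statelessly from the IPv6 address, and a stateless egress filter is derived from it. The real dIVI-pd and 4RD encodings differ in detail and are not reproduced; 2001:db8::/32 and 203.0.113.9 are constructed values.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# Added example, not from the slides or any draft. It implements the sharing
# ratio quoted on the slide (128 users per IPv4 address, 512 ports each) in
# two port-set layouts and one assumed IPv6 address layout; real dIVI-pd and
# 4RD/MAP encodings differ in detail.

RATIO = 128
PORTS_PER_USER = 65536 // RATIO   # 512, as in the quoted experiment


def port_set(psid: int, ratio: int = RATIO, interleaved: bool = False) -> range:
    """Ports owned by port-set index psid. Contiguous: one block of 65536/ratio
    ports (psid 0 and 1 get the well-known ports, which is why real schemes
    skip them). Interleaved: every ratio-th port, so each user gets a spread."""
    if not 0 <= psid < ratio:
        raise ValueError("psid out of range")
    if interleaved:
        return range(psid, 65536, ratio)
    block = 65536 // ratio
    return range(psid * block, (psid + 1) * block)


def psid_of_port(port: int, ratio: int = RATIO, interleaved: bool = False) -> int:
    """Stateless reverse lookup: which user owns this source port?"""
    return port % ratio if interleaved else port // (65536 // ratio)


def sets_partition_all_ports(ratio: int = RATIO, interleaved: bool = False) -> bool:
    """Sanity check an operator would run: no port shared, none left out."""
    seen = set()
    for psid in range(ratio):
        ps = set(port_set(psid, ratio, interleaved))
        if seen & ps:
            return False
        seen |= ps
    return seen == set(range(65536))


# Assumed layout: SP prefix /32 || IPv4 address (32 bits) || PSID (16 bits) || 48 zero bits.
def v6_from_v4_psid(sp_prefix: str, ipv4: str, psid: int) -> str:
    """Stateless NAT464: IPv4 address and PSID are recoverable from the IPv6 address alone."""
    net = IPv6Network(sp_prefix)
    if net.prefixlen != 32:
        raise ValueError("example layout assumes a /32 SP prefix")
    a = int(net.network_address) | (int(IPv4Address(ipv4)) << 64) | (psid << 48)
    return str(IPv6Address(a))


def v4_psid_from_v6(ipv6: str):
    a = int(IPv6Address(ipv6))
    return str(IPv4Address((a >> 64) & 0xFFFFFFFF)), (a >> 48) & 0xFFFF


def egress_allowed(ipv4: str, port: int, ipv6: str, ratio: int = RATIO) -> bool:
    """Anti-spoofing filter the border relay can apply without state: the IPv4
    source and port of a translated packet must match what is embedded in the
    customer's IPv6 address; anything else is another customer's port."""
    embedded_v4, psid = v4_psid_from_v6(ipv6)
    return embedded_v4 == ipv4 and psid_of_port(port, ratio) == psid


if __name__ == "__main__":
    print(PORTS_PER_USER, list(port_set(5))[:3])        # 512 ports, starting at 2560
    v6 = v6_from_v4_psid("2001:db8::/32", "203.0.113.9", 5)
    print(v6, v4_psid_from_v6(v6))
    print(egress_allowed("203.0.113.9", 3000, v6), egress_allowed("203.0.113.9", 100, v6))
```

egress_allowed is the property that makes the stateless design attractive beyond scalability: because the port set is a function of the address, a relay can reject a packet whose source port belongs to another customer without keeping any per-flow state.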
Security with the Transition to IPv6
Threats on Transition protocols
n Dual-Stack
IPv4 scanning can be used to discover the node
IPv4 and IPv6 must be at the same security level
n Tunnel
Tunnels are an easy target for many possible attacks
Packet injection
Automatic tunnels are the most dangerous
Automatic tunnel servers can be the target of DoS attacks
Manual tunnels should use IPsec!
n Stateful Translation
Stateful NAT can be the target of DoS attacks
DoS attacks by address pool depletion
DoS attacks by creating a lot of states or requests, which consumes CPU
Dual Stack Issues
Dual-stack nodes may very well be IPv4-protected and poorly IPv6-protected.
Dual-stack nodes can be discovered thanks to an IPv4 scan!
And then attacked using IPv6 tools!
Inability to inspect Tunneled Packet
An IPv4 firewall cannot inspect the IPv6 packet encapsulated in IPv4.
Figure: IPv4 Header | IPv6 Header | IPv6 Payload
Attacks on Tunnels
Tunneled traffic cannot be inspected
§ Access lists and packet inspection cannot inspect the IPv6 packet which is encapsulated in IPv4 packets
§ One solution is to implement multiple firewalls which inspect packets before they get encapsulated
§ Another solution: when the tunnel end point is on a firewall, traffic can be inspected
Easy to inject packets appearing to come from a known tunnel
§ If an attacker has knowledge of the manual tunnel configuration, it can send packets "originated" from a known tunnel head-end
§ With automatic tunnels it is even easier, as packets can be originated from any address in the network
§ IPsec is the protection
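What the "firewall at the tunnel end point" option amounts to in practice, as an added example that is not code from the presentation: a minimal decoder for IPv6-in-IPv4 packets (IPv4 protocol 41) that exposes the inner addresses an IPv4-only ACL never sees, checks the outer source against the list of known tunnel endpoints, and for 6to4 inner sources verifies that the IPv4 address embedded in the address matches the outer IPv4 source, the consistency check an injected packet fails. The packets are constructed with build_6in4(); the 6to4 addresses and 192.68.0.1/192.70.0.1 are from the 6to4 figure, 203.0.113.5 is a constructed unexpected source.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# Added example, not from the slides: a minimal decoder for IPv6-in-IPv4
# (IPv4 protocol 41) packets, the look-inside an IPv4-only ACL cannot do.
# Packets are constructed with build_6in4(); the 6to4 addresses are the ones
# from the 6to4 figure.

IPPROTO_IPV6 = 41


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, next_header=59, payload=b""):
    """Constructed test input: IPv4 header (20 bytes, no options, zero checksum)
    carrying an IPv6 header (40 bytes) and an optional payload."""
    inner = (struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
             + IPv6Address(inner_src).packed + IPv6Address(inner_dst).packed + payload)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0,
                        IPv4Address(outer_src).packed, IPv4Address(outer_dst).packed)
    return outer + inner


def decode(pkt: bytes) -> dict:
    """Outer IPv4 fields plus, for protocol 41, the inner IPv6 addresses."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    info = {"outer_src": str(IPv4Address(pkt[12:16])),
            "outer_dst": str(IPv4Address(pkt[16:20])),
            "proto": pkt[9], "inner": None}
    if info["proto"] != IPPROTO_IPV6:
        return info
    v6 = pkt[ihl:]
    if len(v6) < 40 or v6[0] >> 4 != 6:
        info["inner"] = "malformed"          # truncated or not IPv6 at all
        return info
    info["inner"] = {"src": str(IPv6Address(v6[8:24])),
                     "dst": str(IPv6Address(v6[24:40])),
                     "next_header": v6[6]}
    return info


def sixto4_source_consistent(info: dict):
    """For a 6to4 inner source (2002::/16) the IPv4 address embedded in bits
    16..47 must equal the outer IPv4 source. Returns None when the inner
    source is not 6to4, so the check does not apply."""
    inner = info.get("inner")
    if not isinstance(inner, dict):
        return None
    s = int(IPv6Address(inner["src"]))
    if s >> 112 != 0x2002:
        return None
    return str(IPv4Address((s >> 80) & 0xFFFFFFFF)) == info["outer_src"]


def tunnel_policy(pkt: bytes, known_endpoints) -> str:
    """Decision a firewall that terminates or watches the tunnel can take."""
    info = decode(pkt)
    if info["proto"] != IPPROTO_IPV6:
        return "not-a-tunnel"
    if info["outer_src"] not in known_endpoints:
        return "drop:unknown-tunnel-endpoint"
    if info["inner"] == "malformed":
        return "drop:malformed-inner"
    if sixto4_source_consistent(info) is False:
        return "drop:6to4-embedded-address-mismatch"
    return "inspect-inner:" + info["inner"]["src"] + "->" + info["inner"]["dst"]


if __name__ == "__main__":
    good = build_6in4("192.68.0.1", "192.70.0.1", "2002:c044:1::1", "2002:c046:1::1")
    odd = build_6in4("203.0.113.5", "192.70.0.1", "2002:c044:1::1", "2002:c046:1::1")
    print(tunnel_policy(good, {"192.68.0.1"}))
    print(tunnel_policy(odd, {"192.68.0.1", "203.0.113.5"}))
```

The endpoint list is the manual-tunnel case on the slide (only the configured head-end may send), the embedded-address check is the automatic-tunnel case; neither replaces IPsec, since a packet with a correct outer source is still accepted, but both are checks an IPv4-only ACL placed in front of the tunnel cannot express.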
Attack by packet injection in a manual tunnel
Attacks on Stateful NAT64
Stateful NAT can be the target of DoS attacks
§ The attacker sends many IPv6 packets with different source addresses to the same IPv4 target.
§ Each packet consumes an address and a state which must be managed.
§ When there is no more IPv4 address available, there is no more access to IPv4 hosts.
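A capacity model of the pool depletion described above, as an added example that is not from the presentation, written to show the effect of the usual mitigation: a binding quota per source /64, so that a flood of addresses from one prefix cannot take the whole pool. The StatefulNat64 class, the pool of one address with ten ports, the flood of twenty sources and the quota of four are constructed values sized to make the numbers readable:

```python
from collections import defaultdict
from ipaddress import IPv6Network

# Added example, not from the slides: a capacity model of a stateful NAT64
# pool, used to see the address/state depletion the slide describes and the
# effect of a per-source-prefix (/64) binding quota. Pool size, addresses
# and the load pattern are constructed.


class StatefulNat64:
    def __init__(self, pool_ipv4, ports_per_address, quota_per_64=None):
        # every (IPv4 address, port) pair in the pool is one binding slot
        self.free = [(a, p) for a in pool_ipv4 for p in range(1024, 1024 + ports_per_address)]
        self.bindings = {}                   # (v6 src, v4 dst, dport) -> (pool v4, port)
        self.per_prefix = defaultdict(int)   # /64 -> bindings currently held
        self.quota = quota_per_64
        self.rejected = 0

    def new_flow(self, v6_src: str, v4_dst: str, dport: int):
        key = (v6_src, v4_dst, dport)
        if key in self.bindings:
            return self.bindings[key]
        prefix = IPv6Network(v6_src + "/64", strict=False)
        if self.quota is not None and self.per_prefix[prefix] >= self.quota:
            self.rejected += 1
            return None                      # quota hit: this /64 gets no more state
        if not self.free:
            self.rejected += 1
            return None                      # pool depleted: no more access to IPv4 hosts
        slot = self.free.pop()
        self.bindings[key] = slot
        self.per_prefix[prefix] += 1
        return slot


def flood_from_one_prefix(nat: StatefulNat64, n_sources: int,
                          prefix: str = "2001:db8:bad::", target: str = "192.0.2.1"):
    """Constructed load: n distinct source addresses, all inside one /64, each
    opening one flow to the same IPv4 host (the pattern on the slide)."""
    for i in range(1, n_sources + 1):
        nat.new_flow(f"{prefix}{i:x}", target, 80)
    return nat


def legit_user_served(nat: StatefulNat64) -> bool:
    """Can a client from an unrelated /64 still reach the IPv4 host afterwards?"""
    return nat.new_flow("2001:db8:1::1", "192.0.2.1", 80) is not None


def compare(pool_size: int = 10, n_sources: int = 20, quota: int = 4) -> dict:
    """Same load against a NAT64 without and with the per-/64 quota; returns
    (bindings held by the flood, flows rejected, legitimate user served)."""
    def summary(nat):
        held, rejected = len(nat.bindings), nat.rejected
        return held, rejected, legit_user_served(nat)

    unlimited = flood_from_one_prefix(StatefulNat64(["198.51.100.1"], pool_size), n_sources)
    limited = flood_from_one_prefix(StatefulNat64(["198.51.100.1"], pool_size, quota), n_sources)
    return {"no_quota": summary(unlimited), "quota": summary(limited)}


if __name__ == "__main__":
    print(compare())   # {'no_quota': (10, 10, False), 'quota': (4, 16, True)}
```

Without the quota the flood holds every slot and the legitimate client is refused; with it the flood is capped at four bindings and the client is served. The same accounting generalises to any stateful device on the page, the LSN of NAT444 and the AFTR of DS-Lite included, which is why per-subscriber limits are the first knob to look at when sizing them.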
Thank You!
fred@fredbovy.com