Copyright © 2011, Fred Bovy. All rights reserved .
© 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6—1
Transition To IPv6
October 2011
Fred Bovy
CCIE #3013
fred@fredbovy.com
1st Generation: The IPv6 Pioneers

§  Tunnels for experimental testing or enterprises
   The experimental 6BONE network was built as an overlay of IPv6-in-IPv4 tunnels across the IPv4 Internet.
§  Dual-Stack
§  Overlay IPv6-in-IPv4 tunnels
   •  Manual 6in4 and automatic 6to4
   •  More automatic tunnels, again mostly introduced with Windows: Teredo to traverse NAT devices, and ISATAP to use an IPv4 network as an NBMA link for IPv6
§  NAT and private addresses (RFC 1918)
   •  In parallel, to make the most of the remaining IPv4 addresses, NAT44 and IPv4 private addresses (RFC 1918) were introduced
2nd Generation: SPs' Transition, 1st Phase, the 2000s

§  SPs with an MPLS/IPv4 backbone: 6PE and 6VPE
   Most SPs were running IPv4/MPLS. First phase of the transition: deploy 6PE/6VPE.
§  SPs with an IPv4 backbone: 6RD
   Free, a French SP, deployed IPv6 in 5 weeks starting from a 6to4 stack!
§  Carrier Grade NAT or Large Scale NAT (testing)
   DS-Lite = IPv4-in-IPv6 tunnel + CGN
   –  SPs that deployed IPv6 chose DS-Lite to support their existing IPv4 customers
   –  They deploy it as soon as they have migrated from 6PE/6VPE to native IPv6
   –  Some of them planned to replace DS-Lite with A+P once it becomes available
   Other protocols have been designed and some are being tested: CGN, NAT444, NAT464, dIVI, dIVI-pd
§  Network Address Translation protocols (NAT)
   NAT-PT
   –  First attempt at translating between IPv6 and IPv4. Deprecated (RFC 4966)!
   NAT64/DNS64
3rd Generation: SPs Going Stateless, the 2010s

§  Stateful Carrier Grade NAT issues
   Because of the known issues of stateful CGN, a lot of work is being done to develop and test stateless protocols that share the remaining IPv4 addresses without stateful NAT (CGN).
§  A+P architecture and stateless NAT solutions (testing)
   Share the remaining IPv4 addresses by splitting the IPv4 source port space, without any stateful NAT in the SP backbone.
§  Users or CPEs are assigned an IPv4 address plus a set of source ports
§  Not a new idea: France Telecom-Orange planned A+P in 2009 while choosing DS-Lite in the first place
§  The first A+P proposal at IETF 82 (Taipei, 2011) is based on stateless NAT464, aka dIVI, dIVI-pd and 4RD
Transition Tools - Deployment

[Figure: timeline of transition tools from 1996 through 2003, 2007 and 2010 to IETF 82 (Taipei, Nov 2011), with tracks for IPv6-in-IPv4 tunnels, IPv4-in-IPv6 tunnels and NAT464, and each tool marked as Deployed, Testing or in Standardization. Tools shown: Dual-Stack, 6BONE (†), 6in4, 6to4, NAT-PT, 6PE, 6VPE, 6RD, DS-Lite, NAT64, NAT444, dIVI, dIVI-pd, A+P.]
Network Address Translation

§  NAT44 and IPv4 private addresses in the 90s
§  IPv6-to-IPv4 translation
   •  NAT-PT † (NAT64 + NAT46 + DNS ALG)
   •  NAT-PT was deprecated (RFC 4966) and replaced by NAT64 and DNS64
§  Carrier Grade NAT or Large Scale NAT
   •  NAT444, or double NAT
   •  NAT464, dIVI, dIVI-pd
   •  DS-Lite = IPv4-in-IPv6 tunnels + NAT44 (LSN)
Dual Stack and Tunneling

Both were introduced at the very beginning of IPv6, in 1996.
All clients are now configured as dual-stack nodes by default.
Dual-stack is still the best approach for a smooth transition.
Tunnels are manually, statically configured.
It may be obvious, but for dual-stack you still need IPv4 addresses!

[Figure: IPv6 hosts on two sites connected through dual-stack routers across an IPv4 network; the IPv6 packet travels inside an IPv4 header: IPv4 Hdr | IPv6 Hdr | IPv6 packet.]
Automatic Tunnels for Enterprises: 6to4

The tunnel destination IPv4 address is embedded in the IPv6 address!

[Figure: two 6to4 sites; the 2002:C044:1::/48 prefix comes from 192.68.0.1 and the 2002:C046:1::/48 prefix from 192.70.0.1.]
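The embedding the slide describes, worked through in code. This is an added example and not part of the original deck: it derives the /48 from the two site addresses in the figure, recovers the IPv4 tunnel destination from any 6to4 address, and goes one step beyond the slide by picking the relay anycast address (192.88.99.1, RFC 3068) when the IPv6 destination is not itself a 6to4 address and therefore carries no embedded IPv4. The site addresses are the ones from the figure; everything else is constructed.

```python
import ipaddress
from typing import Optional

SIXTO4 = ipaddress.IPv6Network("2002::/16")
# 6to4 relay anycast address (RFC 3068): where a 6to4 site sends traffic for
# native IPv6 destinations, which carry no embedded IPv4 address.
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 a site derives from its public IPv4 address: 2002:AABB:CCDD::/48."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        # RFC 1918 or other non-routable space cannot be reached by a 6to4 peer
        raise ValueError(f"{ipv4} is not a public IPv4 address, 6to4 cannot use it")
    # bits 0-15: 0x2002, bits 16-47: the IPv4 address, remaining bits zero
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 address carried in bits 16-47 of a 6to4 address; None if not 6to4."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def tunnel_destination(ipv6_dst: str) -> ipaddress.IPv4Address:
    """Outer IPv4 destination a 6to4 router puts on the encapsulated packet."""
    v4 = embedded_ipv4(ipv6_dst)
    # a 6to4 destination is reached directly; anything else goes via the relay
    return v4 if v4 is not None else RELAY_ANYCAST


if __name__ == "__main__":
    for site in ("192.68.0.1", "192.70.0.1"):           # the two sites of the figure
        print(site, "->", sixto4_prefix(site))
    print("2002:c046:1::1 is reached via", tunnel_destination("2002:c046:1::1"))
    print("2001:db8::1 is reached via", tunnel_destination("2001:db8::1"))
```

The same arithmetic is what makes 6to4 an attractive injection target: anybody who can send IPv4 packets to a site's address can wrap an IPv6 packet in them, and the receiver has only the embedded address to compare against the outer source.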
SPs MPLS Enabled: 6PE and 6VPE

In the very early 2000s, 6PE was introduced to let SPs with an MPLS/IPv4 backbone provide an IPv6 service.
No backbone router upgrade needed: only the PE routers carry IPv6, the P routers keep switching MPLS labels.
6RD: Automatic Tunnel for SPs

Free, a French SP, customized a 6to4 stack to allow an SP-specific prefix instead of 2002::/16.
Free deployed 6RD in 5 weeks in 2007 and immediately started an IPv6 service over its IPv4 backbone, configurable by the user.
4RD is the reverse: IPv4 in IPv6.
Dual Stack Lite or DS-Lite

Once the SP has migrated its backbone to IPv6, DS-Lite is used to support customers still on RFC 1918 IPv4.
§  IPv4-in-IPv6 tunnels + NAT44 (LSN at the SP)
§  The LSN inside mapping is keyed on source IPv6 (tunnel) + source IPv4 + port, so overlapping customer addresses do not collide
§  The LSN shares the remaining IPv4 addresses efficiently
But the LSN must keep a lot of state and is a single point of failure shared by many customers.

[Figure: customers tunneling IPv4 in IPv6 to the LSN at the SP.]
DS-Lite: Help the Transition to IPv6

[Figure: DS-Lite helping the transition to IPv6.]
Connecting IPv6-only with IPv4-only: AFT64

New IPv6 clients must have access to IPv4 content.
§  AFT64 (address family translation, 6 to 4) only applies where IPv6-only end-points need to talk to IPv4-only end-points
§  AFT64 := "stateful v6-to-v4 translation" or "stateless translation"; ALGs are still required
§  Key components include NAT64 and DNS64
§  Assumption: network infrastructure and services have fully transitioned to IPv6 and IPv4 has been phased out

[Figure: Access / Aggregation / Edge / Core (IP/MPLS); residential users with IPv6-only connectivity reach the public IPv4 Internet and an IPv4 datacenter through NAT64 and DNS64 at the edge.]
Protocol Translation: NAT64, DNS64

§  The client requests an IPv6 address (AAAA) for h2.exemple.com
§  DNS64 queries the A record instead (192.0.2.1) and synthesizes an AAAA answer: 64:ff9b::c000:201

[Figure: IPv6 client -> DNS64 -> DNS -> IPv4 web server; the A answer 192.0.2.1 becomes the AAAA answer 64:ff9b::c000:201, and NAT64 sits between the IPv6 and IPv4 sides.]
NAT64 and DNS64

§  The session is initiated by the IPv6 client
§  The 64:ff9b::/96 prefix is routed to the NAT64 router
§  NAT64 then translates the headers in both directions

[Figure: the client sends SYN to 64:ff9b::c000:201; NAT64 forwards SYN to 192.0.2.1 on the IPv4 side; the SYN+ACK from the web server is translated back to IPv6.]
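The DNS64 step of the two slides above, as an added example that is not part of the original deck. It implements the RFC 6052 /96 embedding with the well-known prefix 64:ff9b::/96, the extraction the NAT64 performs on the packet's destination, and the DNS64 rule that matters operationally: synthesize only when no real AAAA exists. The zone data is constructed; h2.exemple.com and 192.0.2.1 are the names from the slide, the second host is invented to show the non-synthesis case.

```python
import ipaddress
from typing import Dict, List, Optional

# RFC 6052 well-known prefix. A deployment may use a network-specific prefix
# (NSP) from its own space instead; the /96 arithmetic is the same.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed stand-in for the authoritative data a resolver would fetch.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "h2.exemple.com.": {"A": ["192.0.2.1"]},
    "dual.exemple.com.": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}


def synthesize(v4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052, /96 case)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only implements the /96 embedding")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract(v6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """What the NAT64 does with a destination: recover the IPv4 address, or None
    if the packet is native IPv6 and must not be translated at all."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_aaaa(name: str) -> List[str]:
    """Answer an AAAA query the way a DNS64 does (RFC 6147): hand back the real
    AAAA records if any exist, otherwise synthesize one AAAA per A record."""
    rrsets = ZONE.get(name, {})
    if rrsets.get("AAAA"):
        return rrsets["AAAA"]           # native IPv6 reachable: never synthesize
    return [str(synthesize(a)) for a in rrsets.get("A", [])]


if __name__ == "__main__":
    for host in ("h2.exemple.com.", "dual.exemple.com."):
        print(host, "AAAA ->", dns64_aaaa(host))
    print("NAT64 sends 64:ff9b::c000:201 to", extract("64:ff9b::c000:201"))
```

Two caveats a practitioner wants here: the synthesized AAAA is not signed, so a DNSSEC-validating stub behind a DNS64 will reject it unless it knows the prefix and synthesizes locally, and applications that carry IPv4 literals inside the payload (the "ALG still required" point above) bypass DNS64 entirely and need NAT64-side help.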
NAT444: A Second Level of NAT44

A solution to share the remaining IPv4 addresses among multiple customers.
NAT444: LSN Scalability Issue

§  How many streams will the LSN be able to manage?
§  The LSN is a single point of failure
NAT444: Overlapping Private Address!

[Figure: a customer LAN using the same private prefix as the CPE-to-LSN link.]
NAT444: 2 Customers Behind the Same LSN

[Figure: two customers behind the same LSN trying to reach each other.]
NAT444 Network Design Issues

§  Overlapping addresses
   If a customer's network uses the same private network number as the NAT CPE-to-LSN link, we have a severe duplicate network issue!
§  Two customers behind the same LSN want to communicate
   Packets with a private source address may be dropped by customer policy (firewall, ACL, host policy), so the LSN must be used for local traffic as well.
§  Plus the issues of all LSN-based solutions:
   –  Scalability
      Behind each CPE NAT there can be many devices, and each device may generate many application streams. How many streams will the LSN support? We do not have enough experience to say.
   –  Single point of failure
      The LSN keeps a lot of state. If it reboots, many users will have to restart their applications.
DS-Lite: Connect the IPv4 Users

Another solution to share the remaining IPv4 addresses among multiple customers.
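Why the DS-Lite LSN key (source IPv6 + source IPv4 + port) is what sidesteps the NAT444 overlap problem, as an added example not taken from the deck. The same toy NAT44 table is run twice: once keyed the DS-Lite way, once with a plain (source IPv4, port) key. Two customers who both use 192.168.1.10:5000 get distinct public ports in the first case and collide in the second. The LSN address, tunnel addresses and customer addresses are constructed.

```python
import itertools
from typing import Dict, Optional, Tuple

# Constructed: one public address, ports handed out from 1024 upwards.
PUBLIC_IPV4 = "198.51.100.1"

# Inside identity of a flow: (tunnel source IPv6, inner source IPv4, source port)
Inside = Tuple[str, str, int]


class Lsn:
    """Minimal NAT44 table. With softwire_aware=True the key includes the IPv6
    address of the customer's tunnel end-point, as DS-Lite requires; with False
    it is a plain NAT44 key, which is what breaks when customer LANs overlap."""

    def __init__(self, softwire_aware: bool = True, public_ip: str = PUBLIC_IPV4):
        self.softwire_aware = softwire_aware
        self.public_ip = public_ip
        self._ports = itertools.count(1024)
        self.inside_to_ext: Dict[Inside, int] = {}
        self.ext_to_inside: Dict[int, Inside] = {}

    def _key(self, tunnel_src6: str, src4: str, sport: int) -> Inside:
        return (tunnel_src6 if self.softwire_aware else "", src4, sport)

    def outbound(self, tunnel_src6: str, src4: str, sport: int) -> Tuple[str, int]:
        """Translate an outgoing packet; create a mapping on first sight."""
        key = self._key(tunnel_src6, src4, sport)
        if key not in self.inside_to_ext:
            ext = next(self._ports)
            if ext > 65535:
                raise RuntimeError("port pool exhausted")   # the scalability limit in practice
            self.inside_to_ext[key] = ext
            self.ext_to_inside[ext] = key
        return self.public_ip, self.inside_to_ext[key]

    def inbound(self, dport: int) -> Optional[Inside]:
        """Reverse translation: tells the LSN which tunnel to put the reply into."""
        return self.ext_to_inside.get(dport)

    @property
    def state_entries(self) -> int:
        """Every entry here is lost if the LSN reboots (the single point of failure)."""
        return len(self.inside_to_ext)


if __name__ == "__main__":
    for aware in (True, False):
        lsn = Lsn(softwire_aware=aware)
        a = lsn.outbound("2001:db8:a::1", "192.168.1.10", 5000)   # customer A
        b = lsn.outbound("2001:db8:b::1", "192.168.1.10", 5000)   # customer B, same RFC 1918 address
        print("softwire_aware=%s: A -> %s, B -> %s, reply to port %d goes to %s"
              % (aware, a, b, b[1], lsn.inbound(b[1])))
```

With the plain key, customer B silently reuses customer A's binding and the reply to that port cannot be attributed to either tunnel; that is the overlap failure in miniature. The trade-off the slides insist on remains: the softwire-aware table still holds one entry per flow for every customer behind it.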
Stateful NAT464 or Stateless dIVI, dIVI-pd

dIVI is the stateless version: IPv4 addresses are shared among multiple users by splitting the source port space.
Stateless means no per-flow NAT state and no LSN!
Address+Port (A+P)

§  Experimental RFC 6346
§  Uses some bits of the source port to share an IPv4 address without stateful NAT, CGN or LSN
§  Can be implemented on hosts or on CPEs, which may have to do some translation for non-upgraded hosts
§  Requires signaling to request which ports are granted
§  IPv4 packets must be encapsulated/decapsulated to be sent into tunnels, using the ports allocated to the host or the CPE
§  The first proposal at the IETF in 2011 relies on stateless NAT464 (aka dIVI, dIVI-pd) and 4RD and does not require signaling
§  France Telecom-Orange has a software implementation: http://opensourceaplusp.weebly.com/
dIVI, dIVI-pd or Stateless NAT464

The A+P proposal at the IETF actually relies on dIVI-pd and 4RD.
§  dIVI-pd is stateless NAT464 and translates IPv6 addresses to an IPv4 address + a source port range
   It is then possible to share an IPv4 address among many users or CPEs without requiring any stateful NAT, with all the known problems associated with it.

A very interesting test in large SP domains:
"For port configuration, since there are 65536 TCP/UDP ports for each IP address, and in fact one can use hundreds only for normal applications, so one IPv4 address can be shared by multiple customers. In our experiment, we selected ratio to be 128. That is to say, one IPv4 address is shared by 128 users, and there are 512 available ports per user."
http://tools.ietf.org/html/draft-sunq-v6ops-ivi-sp-02#page-7
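The port-set arithmetic behind the A+P and dIVI slides above, as an added example that is not code from the deck, RFC 6346 or the IVI draft. It uses the quoted ratio of 128 users per address (512 ports each), shows that both directions are pure arithmetic with no per-flow table, and adds the check a practitioner will want on the SP side: a customer may only source packets from its own port set, otherwise it can send and receive as a neighbour on the same shared address. Contiguous port blocks, the shared address and the index-to-CPE table are assumptions; real proposals lay the port bits out differently and derive the index from the customer's IPv6 prefix.

```python
from typing import Dict

# Parameters from the IVI test quoted above: 128 users per IPv4 address.
SHARING_RATIO = 128
PORTS_PER_USER = 65536 // SHARING_RATIO   # 512

# Constructed: the shared public address and the CPEs holding port-set indexes
# on it. A real stateless design computes the index from the IPv6 prefix; the
# dict stands in for that derivation here.
SHARED_IPV4 = "203.0.113.5"
CPE_OF_INDEX: Dict[int, str] = {
    0: "2001:db8:0:0::1",     # index 0 also owns the well-known ports 0-1023;
    5: "2001:db8:0:5::1",     # deployments normally exclude those from sharing
    127: "2001:db8:0:7f::1",
}
INDEX_OF_CPE = {cpe: idx for idx, cpe in CPE_OF_INDEX.items()}


def port_set(index: int, ratio: int = SHARING_RATIO) -> range:
    """Ports granted to the customer with port-set index `index`.
    Contiguous blocks are an assumption; proposals differ in how the bits are laid out."""
    if not 0 <= index < ratio:
        raise ValueError("index outside the sharing ratio")
    size = 65536 // ratio
    return range(index * size, (index + 1) * size)


def index_of_port(port: int, ratio: int = SHARING_RATIO) -> int:
    """Inverse of port_set(): pure arithmetic, no lookup table, hence stateless."""
    if not 0 <= port <= 65535:
        raise ValueError("not a TCP/UDP port")
    return port // (65536 // ratio)


def inbound(dst_ip: str, dst_port: int) -> str:
    """Demultiplex a packet from the IPv4 Internet to the customer's IPv6 address."""
    if dst_ip != SHARED_IPV4:
        raise ValueError("not our shared address")
    return CPE_OF_INDEX[index_of_port(dst_port)]   # KeyError: nobody holds that port set


def outbound_allowed(cpe_ipv6: str, src_ip: str, src_port: int) -> bool:
    """Anti-spoofing check on traffic arriving from a customer: the source port must
    be inside that customer's own set, or one customer can impersonate a neighbour
    sharing the same IPv4 address and collect the replies."""
    idx = INDEX_OF_CPE.get(cpe_ipv6)
    return src_ip == SHARED_IPV4 and idx is not None and src_port in port_set(idx)


if __name__ == "__main__":
    print("index 5 owns ports", port_set(5))
    print("packet to %s:3000 goes to %s" % (SHARED_IPV4, inbound(SHARED_IPV4, 3000)))
    print("CPE 5 sourcing port 2600 allowed:", outbound_allowed("2001:db8:0:5::1", SHARED_IPV4, 2600))
    print("CPE 5 sourcing port 40000 allowed:", outbound_allowed("2001:db8:0:5::1", SHARED_IPV4, 40000))
```

The reason the SP side has no table to exhaust is visible in `index_of_port`: the packet's own destination port identifies the customer. The price is that every customer is capped at its 512 ports, which is what the "hundreds only for normal applications" remark in the quoted test is estimating.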
Security of the Transition to IPv6
Threats on Transition Protocols

§  Dual-Stack
   IPv4 scanning can be used to discover the node
   IPv4 and IPv6 must be protected at the same security level
§  Tunnels
   Tunnels are an easy target for many possible attacks, notably packet injection
   Automatic tunnels are the most dangerous
   Automatic tunnel servers and relays can be the target of DoS attacks
   Manual tunnels should use IPsec!
§  Stateful translation
   Stateful NAT can be the target of DoS attacks:
   –  DoS by address pool depletion
   –  DoS by creating a lot of state or requests, which consumes CPU
Dual Stack Issues

Dual-stack nodes may be very well protected on IPv4 and poorly protected on IPv6.
Dual-stack nodes can be discovered with an IPv4 scan!
And then attacked using IPv6 tools!
Inability to Inspect Tunneled Packets

An IPv4 firewall cannot inspect the IPv6 packet encapsulated in IPv4.

[Figure: IPv4 Header | IPv6 Header | IPv6 Payload]
Attacks on Tunnels

Tunneled traffic cannot be inspected
§  Access lists and packet inspection cannot see the IPv6 packet encapsulated in IPv4 packets
§  One solution is to deploy multiple firewalls that inspect packets before they get encapsulated
§  Another is to terminate the tunnel on a firewall, where the decapsulated traffic can be inspected
It is easy to inject packets that appear to come from a known tunnel
§  If an attacker knows the manual tunnel configuration, it can send packets "originating" from a known tunnel head-end, since the outer IPv4 source is not authenticated
§  With automatic tunnels it is even easier, as packets can be originated from any address in the network
§  IPsec is the protection
Attack by Packet Injection in a Manual Tunnel

[Figure: an attacker sends IPv4 packets whose source is the remote tunnel end-point's address, so the head-end decapsulates and forwards the injected IPv6 packets.]
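What "inspecting the tunneled packet" and "checking where it came from" amount to on the wire, as an added example that is not part of the deck. It builds IPv6-in-IPv4 (IP protocol 41) packets with constructed addresses, decapsulates them the way a tunnel end-point or a firewall terminating the tunnel would, and applies two checks: a manual tunnel only accepts its configured peer, and a 6to4 inner source must embed the outer IPv4 source, which is the consistency check RFC 3964 recommends against injected 6to4 traffic. Checksums are left at zero and IPv4 options are not parsed; the peer table and all addresses are assumptions.

```python
import ipaddress
import struct
from typing import Dict

IPPROTO_IPV6 = 41          # IPv6 carried in IPv4: 6in4, 6to4 and ISATAP all use it
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def build_6in4(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
               next_header: int = 6, payload: bytes = b"") -> bytes:
    """Constructed test packet: IPv4 header (no options) + IPv6 header + payload."""
    v6 = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed)
    total = 20 + len(v6) + len(payload)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, IPPROTO_IPV6, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6 + payload


def inspect(packet: bytes, manual_peers: Dict[str, str]) -> Dict[str, object]:
    """Decapsulate one protocol-41 packet and apply the checks a tunnel end-point should.
    manual_peers maps a local tunnel IPv4 address to its configured remote peer."""
    result: Dict[str, object] = {"tunnel": False, "verdict": "pass", "reason": ""}
    if len(packet) < 20:
        return {**result, "verdict": "drop", "reason": "truncated IPv4 header"}
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != IPPROTO_IPV6:
        return result                       # not IPv6-in-IPv4: nothing to unwrap here
    result["tunnel"] = True
    outer_src, outer_dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    inner = packet[ihl:ihl + 40]
    if ihl < 20 or len(inner) < 40:
        return {**result, "verdict": "drop", "reason": "truncated inner IPv6 header"}
    vtcfl, _, next_header, _, isrc, idst = struct.unpack("!IHBB16s16s", inner)
    if vtcfl >> 28 != 6:
        return {**result, "verdict": "drop", "reason": "inner packet is not IPv6"}
    inner_src, inner_dst = ipaddress.IPv6Address(isrc), ipaddress.IPv6Address(idst)
    # This is what an IPv4-only ACL never gets to see:
    result.update(outer_src=str(outer_src), inner_src=str(inner_src),
                  inner_dst=str(inner_dst), next_header=next_header)
    # Check 1: a manually configured tunnel only accepts its configured peer.
    expected = manual_peers.get(str(outer_dst))
    if expected is not None and str(outer_src) != expected:
        return {**result, "verdict": "drop",
                "reason": f"outer source {outer_src} is not the configured peer {expected}"}
    # Check 2 (RFC 3964): a 6to4 inner source must embed the outer IPv4 source.
    if inner_src in SIXTO4:
        embedded = ipaddress.IPv4Address((int(inner_src) >> 80) & 0xFFFFFFFF)
        if embedded != outer_src:
            return {**result, "verdict": "drop",
                    "reason": f"6to4 source embeds {embedded} but outer source is {outer_src}"}
    return result


if __name__ == "__main__":
    peers = {"192.0.2.10": "198.51.100.20"}    # constructed manual tunnel: local -> remote
    for name, pkt in (
        ("legit manual", build_6in4("198.51.100.20", "192.0.2.10", "2001:db8:1::1", "2001:db8:2::1")),
        ("injected manual", build_6in4("203.0.113.99", "192.0.2.10", "2001:db8:1::1", "2001:db8:2::1")),
        ("legit 6to4", build_6in4("192.68.0.1", "192.70.0.1", "2002:c044:1::1", "2002:c046:1::1")),
        ("spoofed 6to4", build_6in4("203.0.113.99", "192.70.0.1", "2002:c044:1::1", "2002:c046:1::1")),
    ):
        r = inspect(pkt, peers)
        print(f"{name:16s} {r['verdict']:4s} {r['reason']}")
```

Check 1 is only as strong as IPv4 source addresses, which anybody off-path can forge; that is exactly why the slides say manual tunnels should run over IPsec. Check 2 catches the lazy 6to4 forgery but not an attacker who picks an inner 2002: source matching its real outer address, so the decapsulated IPv6 packet still needs the same filtering as native IPv6 traffic.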
Attacks on Stateful NAT64

Stateful NAT can be the target of DoS attacks:
§  The attacker sends many IPv6 packets with different source addresses to the same IPv4 target
§  Each packet consumes an address (or a port on it) and a state that must be managed
§  When no IPv4 address or port is left, there is no more access to IPv4 hosts for anybody behind the NAT64
Thank You!
fred@fredbovy.com
