Transition To IPv6


October 2011, Fred Bovy

CCIE #3013, [email protected]

© 2011 Fred Bovy [email protected].


1st Generation: The IPv6 Pioneers
§ Tunnels for experimental testing or for enterprises
  • The experimental 6BONE network was built as an overlay of IPv6-in-IPv4 tunnels across the IPv4 Internet.
§ Dual-Stack
§ Overlay IPv6-in-IPv4 tunnels
  • Manual 6in4 and automatic 6to4
  • More automatic tunnels, mostly introduced with Windows: Teredo to cross NAT devices, and ISATAP to use an IPv4 network as an NBMA link for IPv6.
§ NAT and private addresses (RFC 1918)
  • In parallel, to make the most of the remaining IPv4 addresses, NAT44 and IPv4 private addresses (RFC 1918) were introduced.


2nd Generation: SP transition, 1st phase, the 2000s
§ SPs with an MPLS/IPv4 backbone: 6PE and 6VPE
  • Most SPs were running IPv4/MPLS; the first phase of the transition was to deploy 6PE/6VPE.
§ SPs with an IPv4 backbone: 6RD
  • Free, a French SP, deployed IPv6 in 5 weeks starting from a 6to4 stack!
§ Carrier Grade NAT or Large Scale NAT (testing)
  • DS-Lite = IPv4-in-IPv6 tunnel + CGN
    – SPs who deployed IPv6 chose DS-Lite to support their existing IPv4 customers
    – They deploy it as soon as they have migrated from 6PE/6VPE to native IPv6
    – Some of them planned to replace DS-Lite with A+P when it becomes available
  • Other protocols are designed, some of them are being tested: CGN, NAT444, NAT464, dIVI, dIVI-pd
§ Network Address Translation protocols (NAT)
  • NAT-PT: the first attempt to translate between IPv6 and IPv4. Deprecated!
  • NAT64/DNS64

Copyright © 2011, Fred Bovy. All rights reserved


3rd Generation: SPs going stateless, the 2010s
§ Stateful Carrier Grade NAT issues
  • Because of the known issues of stateful CGN, a lot of work is being done to develop and test stateless protocols that share the remaining IPv4 addresses without any stateful NAT (CGN).
§ A+P architecture and stateless NAT solutions (testing)
  • Share the remaining IPv4 addresses by splitting the IPv4 source port range, without any stateful NAT in the SP backbone.
  • Users or CPEs are assigned an IPv4 address and a range of source ports.
  • Not a new solution: FT Orange planned A+P in 2009 while choosing DS-Lite in the first place.
  • The first A+P proposal at the IETF in Taipei (2011) is based on stateless NAT464, aka dIVI, dIVI-pd and 4RD.


Transition Tools - Deployment (IETF Taipei 82, Nov 2011)

[Figure: timeline of the transition tools from 1996 to 2010 with three rows, Standardization, Testing and Deployed. Marked on the time axis: 6BONE (†) in 1996, 6PE/6VPE and the IPv6-in-IPv4 tunnels around 2003, 6RD and NAT464 around 2007, NAT64, DS-Lite and the IPv4-in-IPv6 tunnels around 2010. Standardized: Dual-Stack, 6in4, NAT-PT, 6to4, 6RD, 6VPE, 6PE, NAT64, dIVI-pd, NAT444, DS-Lite, A+P. Still in testing: NAT444, DS-Lite, dIVI-pd, dIVI, A+P.]

Network Address Translation
§ NAT44 and IPv4 private addresses in the 90s
§ IPv6 to IPv4 translation
  • NAT-PT (†): NAT-PT is NAT64 + NAT46 + DNS ALG
  • NAT-PT was replaced by NAT64 and DNS64
§ Carrier Grade NAT or Large Scale NAT
  • NAT444 or double NAT
  • NAT464, dIVI, dIVI-pd
  • DS-Lite = IPv4-in-IPv6 tunnels + NAT44 (LSN)


Dual Stack and Tunneling
§ Both were introduced at the very beginning of IPv6, in 1996
§ All clients are now configured as dual-stack nodes by default
§ Dual stack is still the best approach for a smooth transition
§ Manual tunnels are statically configured
§ It may be obvious, but for dual stack you still need IPv4 addresses!

[Figure: Tunneling. Two IPv6 hosts on separate IPv6 islands communicate through dual-stack routers; between the routers the IPv6 packet (IPv6 header + payload) is carried inside an IPv4 header across the IPv4 network.]

Automatic Tunnels for Enterprises: 6to4
§ The tunnel destination IPv4 address is embedded in the IPv6 address!
§ The 2002:C044:1::/48 prefix comes from 192.68.0.1 (C0.44.00.01)
§ The 2002:C046:1::/48 prefix comes from 192.70.0.1 (C0.46.00.01)
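As an added example (not code from the original slides), the following Python derives a 6to4 prefix from a router's public IPv4 address, extracts the tunnel endpoint back out of a 6to4 address, and applies the sanity check a 6to4 relay or firewall should perform (RFC 3964): an embedded IPv4 address that is private, loopback, multicast or otherwise not globally routable can never be a legitimate tunnel endpoint. Function names and the test addresses are this example's own.

```python
import ipaddress

# RFC 3056: a 6to4 site prefix is 2002:<32-bit IPv4 address>::/48.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 a 6to4 router with public address `ipv4` gets for its site."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(f"2002:{v4 >> 16:x}:{v4 & 0xFFFF:x}::/48")


def tunnel_endpoint(ipv6: str) -> ipaddress.IPv4Address:
    """Reverse operation a 6to4 router or relay does for every packet: the IPv4
    tunnel destination is bits 16..47 of the 6to4 destination address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def endpoint_is_acceptable(ipv6: str) -> bool:
    """RFC 3964 sanity check for relays and firewalls: a 6to4 address is only
    plausible if the embedded IPv4 address could be a public tunnel endpoint.
    Private (RFC 1918), loopback, link-local, multicast, reserved or unspecified
    embedded addresses cannot belong to a real 6to4 router; drop such packets
    instead of tunnelling them wherever the attacker chose."""
    try:
        v4 = tunnel_endpoint(ipv6)
    except ValueError:
        return False
    return not (v4.is_private or v4.is_loopback or v4.is_link_local
                or v4.is_multicast or v4.is_reserved or v4.is_unspecified)
```

The same bit positions are what a 6to4 relay uses to pick the outer IPv4 destination, which is why the check matters: without it, a crafted 2002:c0a8:…:: destination makes the relay send traffic into an RFC 1918 address on its own side.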


SPs MPLS Enabled: 6PE and 6VPE
§ In the very early 2000s, 6PE was introduced to help SPs with an MPLS/IPv4 background provide an IPv6 service
§ No backbone router upgrade needed: only the PE routers need IPv6, the P routers keep switching MPLS labels


6RD: Automatic Tunnel for SPs
§ Free, a French SP, customized a 6to4 stack to allow an SP-specific prefix instead of 2002::/16
§ Free deployed 6RD in 5 weeks in 2007 and immediately started an IPv6 service over its IPv4 backbone, which each user can enable
§ 4RD is the mirror image: IPv4 in IPv6


Dual Stack Lite or DS-Lite
Once SPs have migrated their backbone to IPv6, DS-Lite is used to support customers with RFC 1918 IPv4 addresses
§ IPv4-in-IPv6 tunnels + NAT44 (LSN at the SP)
§ The LSN inside mapping uses Source IPv6 + Source IPv4 + Port
§ The LSN allows the remaining IPv4 addresses to be shared efficiently
But the LSN must keep a lot of state and is a single point of failure shared by many customers
[Figure: the customers' IPv4-in-IPv6 tunnels terminate on the LSN]


DS-Lite: Help transition to IPv6


Connecting IPv6-only with IPv4-only: AFT64

[Figure: residential users with IPv6-only connectivity go through Access, Aggregation, Edge and an IP/MPLS Core; DNS64 and NAT64 at the edge give them access to the IPv4-only public Internet and IPv4 datacenter.]

New IPv6 clients must have access to IPv4 content
§ AFT64 technology is only applicable where IPv6-only end-points need to talk to IPv4-only end-points (AFT64 for going from IPv6 to IPv4)
§ AFT64 := "stateful v6 to v4 translation" or "stateless translation"; ALGs are still required
§ Key components include NAT64 and DNS64
§ Assumption: network infrastructure and services have fully transitioned to IPv6 and IPv4 has been phased out


Protocol Translation: NAT64, DNS64
§ The client requests the IPv6 address (AAAA) of the IPv4-only server
§ DNS64 queries the IPv4 DNS for the A record and synthesizes an AAAA from the answer

[Figure: the IPv6 client asks DNS64 "h2.exemple.com ?"; DNS64 asks the IPv4 DNS and receives A: 192.0.2.1; DNS64 returns AAAA 64:ff9b::c000:201 to the client (192.0.2.1 = C0.00.02.01 placed in the low 32 bits of the 64:ff9b::/96 prefix). The IPv4 web server sits behind the NAT64.]


NAT64 and DNS64
§ The session is initiated by the IPv6 client
§ Routing sends the 64:ff9b::/96 prefix to the NAT64 router
§ NAT64 then translates the headers in both directions

[Figure: after the DNS64 exchange (h2.exemple.com ? / A: 192.0.2.1 / AAAA 64:ff9b::c000:201), the IPv6 client sends SYN to 64:ff9b::c000:201; the NAT64 forwards SYN to 192.0.2.1 on the IPv4 side and translates the SYN+ACK back to the IPv6 client.]
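As an added example for the two slides above (not code from the original), the following Python implements DNS64 synthesis with the RFC 6052 well-known prefix 64:ff9b::/96 and the reverse extraction a NAT64 performs on the IPv6-to-IPv4 path. The zone data is a constructed stand-in for the IPv4 DNS. Note that the full 32-bit IPv4 address occupies the low 32 bits: 192.0.2.1 becomes 64:ff9b::c000:201, whereas 64:ff9b::c0:201 would decode to 0.192.2.1. The resolver also shows the rule that keeps DNS64 harmless for dual-stack servers: a name that already has an AAAA record is never synthesized, so such servers are reached natively and never through the NAT64.

```python
import ipaddress

# RFC 6052 well-known prefix for IPv4-embedded IPv6 addresses (NAT64/DNS64).
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WKP) -> ipaddress.IPv6Address:
    """DNS64 synthesis for a /96 NAT64 prefix: the IPv4 address is the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def embedded_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WKP) -> ipaddress.IPv4Address:
    """What the NAT64 does on the IPv6->IPv4 path: recover the real IPv4 destination."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{ipv6} is not inside the NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


# Constructed stand-in for the authoritative IPv4 DNS (not real records).
FAKE_DNS = {
    "h2.exemple.com": {"A": ["192.0.2.1"]},
    "dual.exemple.com": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}


def dns64_resolve_aaaa(name: str, zone: dict = FAKE_DNS, prefix: ipaddress.IPv6Network = WKP) -> list:
    """RFC 6147 behaviour: return genuine AAAA records when they exist, otherwise
    synthesize one AAAA per A record. Names with no records at all get nothing."""
    rrs = zone.get(name, {})
    if rrs.get("AAAA"):
        return list(rrs["AAAA"])
    return [str(synthesize_aaaa(a, prefix)) for a in rrs.get("A", [])]
```

A real deployment uses a DNSSEC-aware resolver for the upstream query, because a synthesized AAAA cannot validate; that detail is outside this model.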


NAT444: A second level of NAT44
A solution to share the remaining IPv4 addresses among multiple customers


NAT444: LSN Scalability Issue
§ How many streams will the LSN be able to manage?
§ The LSN is a single point of failure


NAT444: Overlapping Private Addresses!


NAT444: two customers behind the same LSN


NAT444 Network Design Issues
§ Overlapping addresses
  If one customer's network uses the same private network number as the CPE-NAT-to-LSN link, we have a severe duplicate network issue!
§ Two customers behind the same LSN want to communicate
  Packets with a private source address may be dropped by customer policy (firewall, ACL, host policy). So the LSN must also be used for local traffic.
§ Plus all the issues of LSN-based solutions:
  – Scalability: behind each CPE NAT there can be many devices, and each device may generate many application streams. How many streams will the LSN support? We do not have enough experience to say.
  – Single point of failure: the LSN device keeps a lot of state. If it reboots, many users will have to restart their applications.


DS-Lite: Connect the IPv4 users
Another solution to share the remaining IPv4 addresses among multiple customers


Stateful NAT464 or Stateless dIVI, dIVI-pd
dIVI is the stateless version: it shares IPv4 addresses among multiple users by splitting the source port range. Stateless means no NAT state table and no LSN!


Address+Port (A+P)
§ Experimental RFC 6346
§ Uses some bits of the source port to share an IPv4 address without stateful NAT, CGN or LSN
§ Can be implemented on hosts or on CPEs, which may have to do some translation for the non-upgraded hosts
§ Requires signaling to request which ports are granted
§ IPv4 packets must be encapsulated/decapsulated to be sent into tunnels, using the ports allocated to the host or the CPE
§ The first proposal at the IETF in 2011 relies on stateless NAT464 aka dIVI, dIVI-pd and 4RD and does not require signaling
§ France Telecom-Orange has a software implementation: http://opensourceaplusp.weebly.com/


dIVI, dIVI-pd or Stateless NAT464
The A+P proposal at the IETF actually relies on dIVI-pd and 4RD.

§ dIVI-pd is stateless NAT464 and translates IPv6 addresses to an IPv4 address + source port range. It is then possible to share an IPv4 address among many users or CPEs without requiring any stateful NAT, with all the known problems associated with it.

A very interesting test in large SP domains: "For port configuration, since there are 65536 TCP/UDP ports for each IP address, and in fact one can use hundreds only for normal applications, so one IPv4 address can be shared by multiple customers. In our experiment, we selected ratio to be 128. That is to say, one IPv4 address is shared by 128 users, and there are 512 available ports per user." http://tools.ietf.org/html/draft-sunq-v6ops-ivi-sp-02#page-7
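The sharing-ratio arithmetic of the quote above, worked as an added example (not from the slides, and not the quoted draft's own port layout, which is not given here). The code uses the generalized modulus algorithm later standardized for MAP-E in RFC 7597: an IPv4 address's 16-bit port space is carved into 2^k stateless port sets identified by a PSID, with an `a`-bit offset that keeps the system ports (0..1023 when a = 6) out of every set; `a = 0` gives the plain contiguous 512-port blocks of the quoted 1:128 experiment. `psid_of_port` is the stateless reverse lookup an A+P border router performs on inbound IPv4 packets, and `check_partition` verifies the property that makes the scheme work without any state: every assignable port has exactly one owner. Function names are this example's own.

```python
def port_set(psid: int, k: int, a: int = 6) -> list:
    """Ports owned by `psid` under the generalized modulus algorithm (RFC 7597).
    A 16-bit port is split into: a-bit offset i | k-bit PSID | (16-a-k)-bit m.
    When a > 0, offset i == 0 is excluded, so the lowest 2^(16-a) ports (the
    system ports 0..1023 for a = 6) are never assigned to any subscriber."""
    if not (0 <= a and 0 <= k and a + k <= 16):
        raise ValueError("need a >= 0, k >= 0 and a + k <= 16")
    if not 0 <= psid < 2 ** k:
        raise ValueError(f"psid must be in [0, {2 ** k})")
    m_bits = 16 - a - k
    first_offset = 1 if a > 0 else 0
    ports = []
    for i in range(first_offset, 2 ** a):
        base = (i << (16 - a)) | (psid << m_bits)
        ports.extend(range(base, base + 2 ** m_bits))
    return ports


def psid_of_port(port: int, k: int, a: int = 6):
    """Stateless reverse lookup done by the A+P/MAP border router on inbound
    IPv4 packets: which subscriber owns this destination port? Returns None for
    the excluded system ports, which belong to nobody."""
    if not 0 <= port < 65536:
        raise ValueError("port out of range")
    if a > 0 and (port >> (16 - a)) == 0:
        return None
    m_bits = 16 - a - k
    return (port >> m_bits) & ((1 << k) - 1)


def check_partition(k: int, a: int = 6) -> bool:
    """Every assignable port belongs to exactly one PSID, and the reverse
    lookup agrees with the forward mapping: no collisions, no orphans."""
    owner = {}
    for psid in range(2 ** k):
        for p in port_set(psid, k, a):
            if p in owner:
                return False          # two subscribers would share a port
            owner[p] = psid
    excluded = 2 ** (16 - a) if a > 0 else 0
    if len(owner) != 65536 - excluded:
        return False                  # some assignable port has no owner
    return all(psid_of_port(p, k, a) == psid for p, psid in owner.items())


def ports_per_user(k: int, a: int = 6) -> int:
    """Size of each subscriber's port set: 512 for k = 7, a = 0 (the quoted
    1:128 experiment), 504 for k = 7, a = 6 once the system ports are excluded."""
    return len(port_set(0, k, a))
```

The `a = 0` layout is the simplest but hands the well-known ports 0..1023 to the subscriber with PSID 0, which is why the offset exists.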


Security of the Transition to IPv6


Threats on Transition Protocols
§ Dual-Stack
  • An IPv4 scan can be used to discover the node, which is then attacked over IPv6
  • IPv4 and IPv6 must be at the same security level
§ Tunnels
  • Tunnels are an easy target for many possible attacks, notably packet injection
  • Automatic tunnels are the most dangerous: anyone can source packets toward the tunnel end-point
  • Automatic tunnel servers (relays) can be the target of DoS attacks
  • Manual tunnels should use IPsec!
§ Stateful Translation
  • Stateful NAT can be the target of DoS attacks
  • DoS attacks by address pool depletion
  • DoS attacks by creating a lot of state or requests, which consumes CPU


Dual Stack Issues
§ Dual-stack nodes may be very well protected on IPv4 and poorly protected on IPv6
§ Dual-stack nodes can be discovered thanks to an IPv4 scan, and then attacked using IPv6 tools!


Inability to inspect tunneled packets
An IPv4 firewall cannot inspect the IPv6 packet encapsulated in IPv4.
[Figure: IPv4 header | IPv6 header | IPv6 payload; the IPv4 firewall only sees the outer IPv4 header (protocol 41)]


Attacks on Tunnels
Tunneled traffic cannot be inspected
§ Access-lists and packet inspection cannot inspect the IPv6 packet encapsulated in IPv4 packets
§ One solution is to deploy multiple firewalls that inspect the packets before they get encapsulated
§ Another solution is to terminate the tunnel on a firewall, so the traffic can be inspected after decapsulation

Easy to inject packets that appear to come from a known tunnel
§ If an attacker knows the manual tunnel configuration, he can send packets "originating" from a known tunnel head-end: the outer IPv4 source is trivially spoofed
§ With automatic tunnels it is even easier, as packets can be originated from any address in the network
§ IPsec is the protection
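As an added example (not code from the original slides), the following Python shows the difference between what an IPv4-only ACL sees on a 6in4/6to4 packet and what a decapsulation-aware inspector can check. It builds constructed protocol-41 packets, parses the outer IPv4 and inner IPv6 headers, and applies the consistency check RFC 3964 asks of 6to4 routers and relays: the IPv4 address embedded in a 2002::/16 inner source (or destination) must equal the outer IPv4 source (or destination), otherwise the packet was injected with a spoofed outer header. It then applies a policy on the inner IPv6 destination, which is exactly what the IPv4 firewall of the previous slide cannot do. Packet bytes, addresses and the policy prefix are constructed for the example; checksums are left at zero since the packets are only inspected, never transmitted.

```python
import struct
import ipaddress

PROTO_IPV6_IN_IPV4 = 41          # IANA protocol number for 6in4 / 6to4 encapsulation (RFC 4213)
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Constructed minimal IPv4 header (IHL 5, no options). Checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_6in4(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
               next_header: int = 58, payload: bytes = b"") -> bytes:
    """Constructed test packet: IPv4 header (proto 41) + IPv6 header + payload."""
    inner = (struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
             + ipaddress.IPv6Address(inner_src).packed
             + ipaddress.IPv6Address(inner_dst).packed + payload)
    return build_ipv4_header(outer_src, outer_dst, PROTO_IPV6_IN_IPV4, 20 + len(inner)) + inner


def parse_outer(pkt: bytes) -> dict:
    """What an IPv4-only ACL sees: addresses and protocol number, nothing inside."""
    ver_ihl, _tos, _tl, _id, _frag, _ttl, proto, _cks, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ihl": (ver_ihl & 0x0F) * 4, "proto": proto,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}


def parse_inner_ipv6(pkt: bytes, ihl: int) -> dict:
    """Decapsulate: the IPv6 header starts right after the IPv4 header."""
    hdr = pkt[ihl:ihl + 40]
    if len(hdr) < 40:
        raise ValueError("truncated inner IPv6 header")
    vtf, _plen, next_header, _hlim = struct.unpack("!IHBB", hdr[:8])
    if vtf >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    return {"src": ipaddress.IPv6Address(hdr[8:24]),
            "dst": ipaddress.IPv6Address(hdr[24:40]), "next_header": next_header}


def embedded_v4(v6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """IPv4 address carried in bits 16..47 of a 6to4 address (RFC 3056)."""
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def inspect(pkt: bytes, allowed_inner_dst: str) -> tuple:
    """Decapsulation-aware verdict: ('pass' or 'drop', reason)."""
    outer = parse_outer(pkt)
    if outer["proto"] != PROTO_IPV6_IN_IPV4:
        return ("pass", "not a 6in4 tunnel packet")
    inner = parse_inner_ipv6(pkt, outer["ihl"])
    # RFC 3964 consistency check: a 6to4 inner address must agree with the outer
    # IPv4 header, otherwise someone injected the packet with a spoofed outer source.
    if inner["src"] in SIX_TO_FOUR and embedded_v4(inner["src"]) != outer["src"]:
        return ("drop", "inner 6to4 source does not match outer IPv4 source")
    if inner["dst"] in SIX_TO_FOUR and embedded_v4(inner["dst"]) != outer["dst"]:
        return ("drop", "inner 6to4 destination does not match outer IPv4 destination")
    # The policy an IPv4-only firewall can never apply: filter on the inner IPv6 header.
    if inner["dst"] not in ipaddress.IPv6Network(allowed_inner_dst):
        return ("drop", "inner IPv6 destination not permitted")
    return ("pass", "inner packet permitted")
```

For a manual 6in4 tunnel the equivalent check is that the outer source equals the configured remote endpoint, which an attacker who knows the configuration can spoof; that is why the slide ends with IPsec.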


Attack by packet injection in a manual tunnel
[Figure: the attacker spoofs the outer IPv4 source of a known tunnel head-end to inject IPv6 packets into the tunnel]


Attacks on Stateful NAT64
Stateful NAT can be the target of DoS attacks
§ The attacker sends many IPv6 packets with different source addresses to the same IPv4 target
§ Each packet consumes an address (or a port on a shared address) and a state entry that must be managed
§ When no IPv4 address or port is available any more, there is no more access to IPv4 hosts
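A toy model of the pool-depletion attack above, added here as an example and not taken from the slides. A real NAT64 (RFC 6146) hands out (IPv4 address, port) pairs rather than whole addresses, so the model allocates ports from a small pool; an attacker rotating through source addresses inside a single /64 opens a binding per packet until the pool is empty and a legitimate client in another prefix can no longer reach IPv4. The hardened variant applies the per-subscriber limit that the CGN requirements of RFC 6888 call for, here keyed on the /64 of the IPv6 source: the attacker's prefix is throttled and everyone else keeps working. Pool addresses, prefixes, quotas and the class name are constructed for the example.

```python
from collections import defaultdict
import ipaddress


class Nat64Pool:
    """Toy stateful NAT64 binding table (constructed model, not a real NAT64).
    Each new (IPv6 source, source port) pair gets an (IPv4 address, port) from
    the pool, which is exactly the per-flow state a stateful translator keeps."""

    def __init__(self, pool_v4, ports_per_address=1000, quota_per_prefix=None, prefix_len=64):
        self.pool = [ipaddress.IPv4Address(a) for a in pool_v4]
        self.ports_per_address = ports_per_address
        self.quota = quota_per_prefix          # None = unprotected NAT64
        self.prefix_len = prefix_len           # quota granularity: one /64 per subscriber
        self.bindings = {}                     # (v6 src, v6 port) -> (v4 addr, v4 port)
        self.used_per_prefix = defaultdict(int)
        self.next_slot = 0                     # pool slots handed out so far

    def capacity(self) -> int:
        return len(self.pool) * self.ports_per_address

    def _subscriber(self, v6_src: str) -> int:
        return int(ipaddress.IPv6Address(v6_src)) >> (128 - self.prefix_len)

    def bind(self, v6_src: str, v6_port: int):
        """Return the IPv4 side of the binding, or None if the packet is refused."""
        key = (v6_src, v6_port)
        if key in self.bindings:
            return self.bindings[key]
        sub = self._subscriber(v6_src)
        if self.quota is not None and self.used_per_prefix[sub] >= self.quota:
            return None                        # only this subscriber prefix is throttled
        if self.next_slot >= self.capacity():
            return None                        # pool exhausted: every IPv6 client loses IPv4
        addr = self.pool[self.next_slot // self.ports_per_address]
        port = 1024 + self.next_slot % self.ports_per_address
        self.next_slot += 1
        self.used_per_prefix[sub] += 1
        self.bindings[key] = (addr, port)
        return self.bindings[key]


def flood(nat: Nat64Pool, attacker_prefix: str = "2001:db8:bad::", packets: int = 5000) -> int:
    """The attack from the slide: many packets, each from a different IPv6 source
    inside one /64 (trivial, a /64 holds 2^64 addresses), to the same IPv4 target.
    Returns how many bindings the attacker managed to open."""
    opened = 0
    for i in range(packets):
        if nat.bind(f"{attacker_prefix}{i:x}", 40000) is not None:
            opened += 1
    return opened


def victim_can_reach_ipv4(nat: Nat64Pool) -> bool:
    """A legitimate client in another /64 tries to open one flow after the flood."""
    return nat.bind("2001:db8:1::10", 5555) is not None
```

The model has no binding timeouts; in a real translator idle bindings expire, which slows the attack down but does not stop it, since the attacker simply sends faster than the timeout.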


Thank You! [email protected]
