Stateless Source Address Mapping for ICMPv6 Packets

X. Li, C. Bao, D. Wing, R. Vaithianathan, G. Huston

2012-03-23


Introduction

[Figure: topology H4, R4, XLAT, R6, H6. Addresses shown: 1.1.1.1; 2001:db8:2::2.2.2.2 (IPv4-translatable address); 2001:db8:1::1 (non-IPv4-translatable address).]

Normal traffic:

  • IPv4: dst=1.1.1.1 src=2.2.2.2

  • IPv6: dst=2001:db8:2::1.1.1.1 src=2001:db8:2::2.2.2.2

ICMP (ICMP PTB / ICMPv6 PTB):

  • IPv4: dst=1.1.1.1 src=????

  • IPv6: dst=2001:db8:2::1.1.1.1 src=2001:db8:1::1

RFC6145: The IPv6 addresses in the ICMPv6 header may not be IPv4-translatable addresses. … A mechanism by which the translator can instead do stateless translation is left for future work.


Requirements (1)

  • uRPF → cannot use RFC1918 addresses

  • IPv4 address depletion → hard to use public IPv4 addresses

[Figure: topology H4, R4.1, R4.2, XLAT, R6, H6. Addresses shown: 1.1.1.1; 2001:db8:2::2.2.2.2 (IPv4-translatable address); 2001:db8:1::1 (non-IPv4-translatable address).]

ICMP (ICMP PTB / ICMPv6 PTB):

  • IPv4: dst=1.1.1.1 src=10.0.0.1

  • IPv6: dst=2001:db8:2::1.1.1.1 src=2001:db8:1::1


Requirements (2)

  • IPv4 recipient of the ICMP message should be able to distinguish between different IPv6 ICMPv6 originations → needs a pool

[Figure: H4, IVI and H6, with labels numbered 1 to 12, the address 3.3.3.3 shown six times, and one item marked X.]

Progress

  • IANA reserved prefix 192.70.192.0/24

    • Scope: Addresses from the assigned address prefix are intended to be used as source addresses and not as destination addresses in the context of the public network.

  • Following the comments received on the mailing list and at the Taipei meeting, the major updates are:

    • Add RFC5837 requirements for identifying the source IPv6 address in ICMP.

    • Only propose the hop count mapping algorithm

    • Add filtering and rate-limiting recommendations


RFC5837 issue

  • When the translator is configured to use the IANA-assigned /24 to map non-IPv4-translatable addresses, the translator MUST implement the ICMP extension defined by [RFC5837].

  • The resulting ICMP extension MUST include the IP Address Sub-Objects that specify the source IPv6 addresses in the original ICMPv6.


Filtering and rate-limiting recommendations

  • Filtering Recommendations

    • SHOULD allow ICMP type 3 - Destination Unreachable (inc PTB).

    • SHOULD allow ICMP type 11 - Time Exceeded.

    • MAY allow ICMP type 12 - Parameter Problem.

    • SHOULD NOT allow any of the various ICMP request messages.

  • Rate-limiting Recommendations

    • The rate limiting of traffic from the prefix SHOULD also be enabled as an additional countermeasure against abuse of this prefix.

    • The methods presented in [RFC4443] [RFC5597] [RFC6192] [RFC6398] [RFC6450] can be used.

  • RFC5837 Recommendations

    • Advanced filtering and rate-limiting techniques which can process the ICMP extension defined in [RFC5837] MAY also be used to control the source of the ICMP.


Remarks

  • When the ACL is set up correctly

    • The network only allows ICMP packets using this block as the source address.

    • No responses will be generated from any network device in the network.

  • The original IPv6 address is traceable

    • RFC5837 is a MUST requirement

  • Rate-limiting can be used as an additional protection scheme
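
The filtering and rate-limiting recommendations and the ACL remark above, sketched as a classifier for raw IPv4 packets. This is an added example, not code from the presentation or the draft; the token-bucket design and its parameters, the verdict strings, the helper names, and the reading that the prefix is dropped when it appears as a destination are assumptions of the sketch.

```python
import ipaddress
import struct

# 192.70.192.0/24 is the prefix named on the slides; all names below are this sketch's own.
MAPPED_PREFIX = ipaddress.ip_network("192.70.192.0/24")
ALLOW_TYPES = {3, 11}   # SHOULD allow: Destination Unreachable (inc. PTB), Time Exceeded
OPTIONAL_TYPES = {12}   # MAY allow: Parameter Problem


class TokenBucket:
    """Rate limiter (assumed design): `rate` packets/second, bursts up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


def classify(packet, bucket, now, allow_param_problem=False):
    """Return a verdict string for one raw IPv4 packet given as bytes."""
    if len(packet) < 20 or (packet[0] >> 4) != 4 or (packet[0] & 0x0F) < 5:
        return "drop:malformed"
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    src, dst = (ipaddress.ip_address(packet[i:i + 4]) for i in (12, 16))
    if dst in MAPPED_PREFIX:
        return "drop:prefix-as-destination"  # prefix is for source addresses only
    if src not in MAPPED_PREFIX:
        return "pass:not-from-prefix"        # outside the scope of this policy
    if proto != 1 or len(packet) < ihl + 8:  # only ICMP may use this block as source
        return "drop:non-icmp-or-truncated"
    icmp_type = packet[ihl]
    allowed = ALLOW_TYPES | (OPTIONAL_TYPES if allow_param_problem else set())
    if icmp_type not in allowed:             # covers all ICMP request messages
        return "drop:icmp-type-%d" % icmp_type
    return "allow" if bucket.take(now) else "drop:rate-limit"


def make_packet(src, dst, proto=1, icmp_type=3, icmp_code=4):
    """Build a constructed sample packet (checksums left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
```

Rejected packets return before the bucket is consulted, so disallowed ICMP types and non-ICMP traffic from the prefix do not consume rate-limit tokens.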

