Stateless Source Address Mapping for ICMPv6 Packets


X. Li, C. Bao, D. Wing,

R. Vaithianathan, G. Huston

2012-03-23

Introduction

[Figure: topology H4 -- R4 -- XLAT -- R6 -- H6, labelled with the addresses below]

  • 1.1.1.1
  • 2001:db8:2::2.2.2.2 (IPv4-translatable address)
  • 2001:db8:1::1 (non-IPv4-translatable address)

Normal traffic:
  • IPv4 side: dst=1.1.1.1 src=2.2.2.2
  • IPv6 side: dst=2001:db8:2::1.1.1.1 src=2001:db8:2::2.2.2.2

ICMP (ICMPv6 PTB translated to ICMP PTB):
  • IPv6 side: dst=2001:db8:2::1.1.1.1 src=2001:db8:1::1
  • IPv4 side: dst=1.1.1.1 src=????

RFC6145: The IPv6 addresses in the ICMPv6 header may not be IPv4-translatable addresses. … A mechanism by which the translator can instead do stateless translation is left for future work.

Requirements (1)

[Figure: topology H4 -- R4.1 -- R4.2 -- XLAT -- R6 -- H6, labelled with 1.1.1.1, the IPv4-translatable address 2001:db8:2::2.2.2.2 and the non-IPv4-translatable address 2001:db8:1::1]

ICMP (ICMPv6 PTB translated to ICMP PTB):
  • IPv6 side: dst=2001:db8:2::1.1.1.1 src=2001:db8:1::1
  • IPv4 side: dst=1.1.1.1 src=10.0.0.1

  • uRPF → cannot use RFC1918 addresses
  • IPv4 address depletion → hard to use public IPv4 addresses

Requirements (2)

[Figure: path between H4 and H6 through the IVI translator, hops numbered 1 to 5 and 7 to 12, with the address 3.3.3.3 shown six times and an X mark]

  • The IPv4 recipient of the ICMP message should be able to distinguish between different IPv6 ICMPv6 originators → needs a pool

Progress
  • IANA reserved prefix 192.70.192.0/24
    • Scope: Addresses from the assigned address prefix are intended to be used as source addresses and not as destination addresses in the context of the public network.
  • Based on the comments received on the mailing list and at the Taipei meeting, the major updates are:
    • Add RFC5837 requirements for identifying the source IPv6 address in ICMP.
    • Propose only the hop count mapping algorithm
    • Add filtering and rate-limiting recommendations
RFC5837 issue
  • When the translator is configured to use the IANA-assigned /24 to map non-IPv4-translatable addresses, the translator MUST implement the ICMP extension defined by [RFC5837].
  • The resulting ICMP extension MUST include the IP address Sub-Objects that specify the source IPv6 addresses in the original ICMPv6.
Filtering and rate-limiting recommendations
  • Filtering Recommendations
    • SHOULD allow ICMP type 3 - Destination Unreachable (inc PTB).
    • SHOULD allow ICMP type 11 - Time Exceeded.
    • MAY allow ICMP type 12 - Parameter Problem.
    • SHOULD NOT allow any of the various ICMP request messages.
  • Rate-limiting Recommendations
    • The rate limiting of traffic from the prefix SHOULD also be enabled as an additional countermeasure against abuse of this prefix.
    • The methods presented in [RFC4443] [RFC5597] [RFC6192] [RFC6398] [RFC6450] can be used.
  • RFC5837 Recommendations
    • Advanced filtering and rate-limiting techniques which can process the ICMP extension defined in [RFC5837] MAY also be used to control the source of the ICMP.
Remarks
  • When the ACL is set up correctly
    • The network only allows ICMP packets using this block as the source address.
    • No responses will be generated from any network device in the network.
  • The original IPv6 address is traceable
    • RFC5837 is a MUST requirement
  • Rate-limiting can be used as an additional protection scheme