IPv6 Introduction and Implications on Network Security


  1. IPv6 Introduction and Implications on Network Security
  Keith O’Brien, Cisco Distinguished Engineer, kobrien@cisco.com

  2. Speaker
  • Keith O’Brien
  • Distinguished Engineer, Cisco, kobrien@cisco.com
  • Specializes in large scale IP routing, network security and incident response within ISP and enterprise networks
  • Working with major US based ISPs on their transition to an IPv6 network
  • Adjunct professor of Computer Science at NYU’s Polytechnic Institute - Graduate Studies
  • Visiting Professor of Electrical and Computer Engineering at the United States Coast Guard Academy
  • BSEE Lafayette College, MS Stevens Institute of Technology
  • CCIE, CISSP, SANS GIAC
  • http://keithobrien.org
  • Twitter: @keitheobrien

  3. Agenda
  • IPv6 – Why Now?
  • Technology Intro
  • Comparison to IPv4
  • Addressing
  • ICMPv6 and Neighbor Discovery
  • DHCPv6 and DNS
  • IPv4/IPv6 Transition and Coexistence
  • IPv6 Security

  4. IPv6 – Why Now?

  5. Global IP Traffic Drivers, 2010–2015
  [Figure: key growth factors: more devices (nearly 15B connections), faster broadband speeds (4-fold speed increase), more Internet users (3 billion Internet users), more rich media content (1M video minutes per second). Source: Cisco Visual Networking Index (VNI) Global IP Traffic Forecast, 2010–2015]

  6. The Need for IPv6
  • IETF IPv6 WG began in the early 90s to solve addressing growth issues, but CIDR, NAT, … were developed
  • IPv4 32 bit address = 4 billion hosts
  • IANA recently issued their last /8 blocks to the regional registries
  • IP is everywhere
  • Data, voice, audio and video integration is a reality
  • Main compelling reason: more IP addresses

  7. Address Run Out is Here!
  [Figure: probability of when each RIR reaches its “last /8 threshold”]
  http://www.bgpexpert.com/ianaglobalpool2.php
  http://www.potaroo.net/tools/ipv4/rir.jpg

  8. Adoption Rate by Service Segment

  9. World IPv6 Launch June 6, 2012
  • Network equipment vendors, ISPs and content providers are coming together on June 6 to permanently enable IPv6 on the Internet
  • Last June 6th “World IPv6 Day” was a 24 hour “soak” period
  • Current players: Akamai, Comcast, AT&T, Cisco, D-Link, Facebook, Free Telecom, Google, Internode, KDDI, Limelight, Bing, Time Warner Cable, Yahoo, Netflix, AOL, NASA, Sprint
  • http://www.worldipv6launch.org/

  10. What Does it Mean?

  11. IPv6 – Technology Introduction

  12. IPv4/IPv6 Technology Comparison

  13. IPv4 and IPv6 Header Comparison
  [Figure: IPv4 header fields (Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding) beside IPv6 header fields (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address). Legend: field name kept from IPv4 to IPv6; field not kept in IPv6; name and position changed in IPv6; new field in IPv6]

  14. Extension Headers
  [Figure: three packets showing the Next Header chain: (a) Next Header 6: IPv6 header, then upper layer TCP header and payload; (b) Next Header 43: IPv6 header, Routing Header (Next Header 17), upper layer UDP header, payload; (c) Next Header 43: IPv6 header, Routing Header (Next Header 60), Destination Options (Next Header 6), upper layer TCP header, payload]
  • Extension Headers Are Daisy Chained

  15. Extension Header Order

  16. Addressing

  17. IPv6 Addressing

  18. IPv6 Addresses
  • IPv6 addresses are 128 bits long
  • Segmented into 8 groups of four HEX characters (called HEXtets)
  • Separated by a colon (:)
  • Default is 50% for network ID, 50% for interface ID
  • Network portion is allocated by Internet registries
  [Figure: Global Unicast Identifier example. Network portion gggg:gggg:gggg:ssss = global routing prefix (n <= 48 bits) plus subnet ID (64 – n bits); interface ID xxxx:xxxx:xxxx:xxxx = host (2^64 = 1.8 x 10^19 values). Full format 2001:0000:0000:00A1:0000:0000:0000:1E2A; abbreviated format 2001:0:0:A1::1E2A]

  19. Addressing Format Details
  • Hex numbers are not case sensitive
  • Abbreviations are possible
  • Leading zeros in a contiguous block could be represented by (::)
    • 2001:0db8:0000:130F:0000:0000:087C:140B
    • 2001:db8:0:130F::87C:140B
  • Double colon can only appear once in the address
  • IPv6 uses CIDR representation
    • IPv4 address looks like 98.10.0.0/16
    • IPv6 address is represented the same way: 2001:db8:12::/48
  • Only leading zeros are omitted, trailing zeros cannot be omitted
    • 2001:0db8:0012::/48 = 2001:db8:12::/48
    • 2001:db80:1200::/48 ≠ 2001:db8:12::/48

  20. IPv6 Address Representation
  • Loopback address representation
    • 0:0:0:0:0:0:0:1 == ::1
    • Same as 127.0.0.1 in IPv4
    • Identifies self
  • Unspecified address representation
    • 0:0:0:0:0:0:0:0 == ::
    • Used as a placeholder when no address is available (initial DHCP request, Duplicate Address Detection DAD)
    • NOT the default route
  • Default route representation
    • ::/0

  21. IPv6 Prefix Allocation Hierarchy and Policy Example
  [Figure: IANA (2001::/3) allocates ::/12 to ::/23 blocks to the RIRs (AfriNIC, APNIC, ARIN, LACNIC, RIPE NCC); each RIR allocates a /32 to each ISP; each ISP allocates a /48 to each site]

  22. IPv6 Address Allocation Process: Partition of Allocated IPv6 Address Space

  23. IPv6 Address Allocation Process: Partition of Allocated IPv6 Address Space (Cont.)
  • Lowest-order 64-bit field of a unicast address may be assigned in several different ways:
    • Auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., Ethernet address)
    • Auto-generated pseudo-random number (to address privacy concerns)
    • Assigned via DHCP
    • Manually configured

  24. IPv6 Interface Identifier (EUI-64 format)
  • This format expands the 48 bit MAC address to 64 bits by inserting FFFE into the middle 16 bits
  • To make sure that the chosen address is from a unique Ethernet MAC address, the universal/local (“u” bit) is set to 1 for global scope and 0 for local scope
  [Figure: MAC address 00 90 27 17 FC 0F is split into 00 90 27 | 17 FC 0F and FF FE is inserted, giving 00 90 27 FF FE 17 FC 0F; the first octet has the form 000000U0, where U = 1 means unique and U = 0 means not unique; with U = 1 the result is 02 90 27 FF FE 17 FC 0F]

  25. IPv6—Addressing Model
  • Addresses are assigned to interfaces
  • Change from the IPv4 model: an interface is “expected” to have multiple addresses
  • Addresses have scope: Link Local, Unique Local, Global
  • Addresses have lifetime: valid and preferred lifetime
  [Figure: one interface holding a Link Local, a Unique Local and a Global address]

  26. IPv6—Addressing Model
  • Three types of unicast address scopes
    • Link-Local: non routable, exists on a single layer 2 domain (FE80::/64): FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
    • Unique-Local: routable within an administrative domain (FC00::/7): FCgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx or FDgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
    • Global: routable across the Internet (2000::/3): 2ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx or 3ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  • Multicast addresses (FF00::/8): FFfs:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, with flags (f) in the 3rd nibble (4 bits) and scope (s) in the 4th nibble

  27. Types of IPv6 Addresses – RFC 4291
  • Unicast: address of a single interface. One-to-one delivery to a single interface
  • Multicast: address of a set of interfaces. One-to-many delivery to all interfaces in the set
  • Anycast: address of a set of interfaces. One-to-one-of-many delivery to the single interface in the set that is closest
  • No more broadcast addresses

  28. Interface Address Set
  • An interface can have many addresses allocated to it

  29. Some Well Known Multicast Addresses
  • http://www.iana.org/assignments/ipv6-multicast-addresses

  30. Interface Example
    R1#show ipv6 interface e0
    Ethernet0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
      No global unicast address is configured
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::1:FF3A:8B18
      MTU is 1500 bytes
      ICMP error messages limited to one every 100 milliseconds
      ICMP redirects are enabled
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds
      ND advertised reachable time is 0 milliseconds
      ND advertised retransmit interval is 0 milliseconds
      ND router advertisements are sent every 200 seconds
      ND router advertisements live for 1800 seconds
      Hosts use stateless autoconfig for addresses.
    R1#
  Callouts: FF02::1 = all nodes, FF02::2 = all routers, FF02::1:FF3A:8B18 = solicited-node multicast address

  31. ICMPv6 and Neighbor Discovery

  32. IPv4/IPv6 Provisioning Comparison

  33. ICMPv6
  • Internet Control Message Protocol version 6
  • RFC 2463
  • Modification of ICMP from IPv4
  • Message types are similar (but different types/codes)
    • Destination unreachable (type 1)
    • Packet too big (type 2)
    • Time exceeded (type 3)
    • Parameter problem (type 4)
    • Echo request/reply (type 128 and 129)

  34. Neighbor Discovery
  • Replaces ARP, ICMP (redirects, router discovery)
  • Reachability of neighbors
  • Hosts use it to discover routers, auto configuration of addresses
  • Duplicate Address Detection (DAD)

  35. Neighbor Discovery
  • Neighbor discovery uses ICMPv6 messages, originated from a node on link local with a hop limit of 255
  • Consists of IPv6 header, ICMPv6 header, neighbor discovery header, and neighbor discovery options
  • Five neighbor discovery messages
    • Router solicitation (ICMPv6 type 133)
    • Router advertisement (ICMPv6 type 134)
    • Neighbor solicitation (ICMPv6 type 135)
    • Neighbor advertisement (ICMPv6 type 136)
    • Redirect (ICMPv6 type 137)

  36. Neighbor Solicitation & Advertisement
  [Figure: node A sends a Neighbor Solicitation (NS) to node B, which answers with a Neighbor Advertisement (NA)]

  37. Router Solicitation and Advertisement
  • Router solicitations (RS) are sent by booting nodes to request RAs for configuring the interfaces
  • Routers send periodic Router Advertisements (RA) to the all-nodes multicast address
  [Figure: host sends an RS, router answers with an RA]

  38. Stateless Address Autoconfiguration (RFC 4862)
  • Autoconfiguration is used to automatically assign an address to a host: “plug and play”
  • Generating a link-local address
  • Generating global addresses via stateless address autoconfiguration
  • Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link
  [Figure: host A (MAC 00:2c:04:00:fe:56) and router R1 on prefix 2001:db8:face::/64; step 1 RS, step 2 RA, step 3 DAD. The host’s autoconfigured address comprises the received prefix plus the link-layer address, if the DAD check passes: 2001:db8:face::22c:4ff:fe00:fe56]
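As an added example that is not part of the original slides, the following Python derives the addresses a SLAAC host forms from its MAC (slides 24 and 38) and the solicited-node group it joins (slide 30), and flags EUI-64 derived interface IDs, which embed the NIC's MAC and so reveal the vendor and follow the host across networks (the privacy concern slide 23 refers to). Only the standard ipaddress module is used; the function names are my own, and note that ipaddress writes a single zero hextet out in full rather than as "::" as the slide does.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID: split the 48-bit MAC, insert FF:FE in the
    middle and invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits: " + mac)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                      # 00 90 27 ... becomes 02 90 27 ...
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Prefix from an RA (or fe80::/64 for the link-local address) + EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix, got " + prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def solicited_node(addr: str) -> str:
    """ff02::1:ffxx:xxxx from the low 24 bits of a unicast address; a node joins
    this group so that NS messages for DAD and address resolution reach it."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))


def looks_eui64(addr: str) -> bool:
    """True when bytes 3-4 of the interface ID are ff:fe, i.e. the address was
    built from a MAC: it then reveals the NIC vendor and stays constant across
    networks, which is why the pseudo-random IDs of slide 23 exist."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(addr: str) -> str:
    """Inverse mapping, used when correlating an IPv6 log entry with an asset inventory."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    octets = bytearray(iid[:3] + iid[5:])  # drop the inserted ff:fe
    octets[0] ^= 0x02                      # restore the universal/local bit
    return ":".join(f"{b:02x}" for b in octets)
```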

  39. DHCPv6 and DNS

  40. IPv6 and DNS
  Hostname to IP address
  • IPv4 – A record: www.abc.test. A 192.168.30.1
  • IPv6 – AAAA record: www.abc.test AAAA 2001:db8:C18:1::2
  IP address to hostname
  • IPv4 – PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.
  • IPv6 – PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.
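As an added example that is not part of the original slides, the following Python implements by hand the representation rules of slides 19 and 20 (leading-zero suppression, a single "::" for the longest run of zero hextets, prefix comparison on the leading bits only, so that omitted trailing zeros change the prefix) and the ip6.arpa reverse name of slide 40; the function names are my own.

```python
def expand(addr: str) -> list[str]:
    """Return the 8 hextets, each padded to 4 lower-case hex digits.
    '::' stands for one run of zero hextets and may appear only once."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: " + addr)
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one hextet: " + addr)
        parts = left + ["0"] * missing + right
    else:
        parts = addr.split(":")
    if len(parts) != 8 or not all(0 < len(p) <= 4 for p in parts):
        raise ValueError("malformed IPv6 address: " + addr)
    return [f"{int(p, 16):04x}" for p in parts]  # int() rejects non-hex text


def compress(addr: str) -> str:
    """Drop leading zeros of every hextet; replace the first longest run of
    two or more zero hextets with '::'."""
    hextets = [h.lstrip("0") or "0" for h in expand(addr)]
    best_start, best_len, run_start = -1, 0, -1
    for i, h in enumerate(hextets + ["end"]):  # sentinel closes a trailing run
        if h == "0":
            run_start = i if run_start < 0 else run_start
            continue
        if run_start >= 0 and i - run_start > best_len:
            best_start, best_len = run_start, i - run_start
        run_start = -1
    if best_len < 2:
        return ":".join(hextets)
    return ":".join(hextets[:best_start]) + "::" + ":".join(hextets[best_start + best_len:])


def same_prefix(a: str, b: str) -> bool:
    """Compare two 'address/length' prefixes on their leading <length> bits only."""
    (pa, la), (pb, lb) = a.split("/"), b.split("/")
    shift = 128 - int(la)
    as_int = lambda p: int("".join(expand(p)), 16)
    return la == lb and as_int(pa) >> shift == as_int(pb) >> shift


def ptr_name(addr: str) -> str:
    """Reverse-DNS owner name: all 32 nibbles reversed and dot-separated."""
    return ".".join(reversed("".join(expand(addr)))) + ".ip6.arpa"
```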

  41. Dual Stack Approach & DNS
  In a dual stack case an application that:
  • Is IPv4 and IPv6-enabled
  • Can query the DNS for IPv4 and/or IPv6 records (A) or (AAAA) records
  • Chooses one address and, for example, connects to the IPv6 address
  [Figure: a dual-stack host asks the DNS server “www.example.org = * ?” over IPv4; the server holds “www IN A 192.168.0.3” and “www IN AAAA 2001:db8:1::1”; the host connects to 2001:db8:1::1 over IPv6]

  42. DNS Query on Windows 7 (Dual Stack)
  Domain name with IPv6 address only:
  • Initial query over IPv4 for IPv4 A record
  • DNS response refers to an alias/canonical address
  • Host immediately sends a request for AAAA record (original FQDN)
  • IPv6 address of canonical name returned
  Domain name with both addresses:
  • Initial query over IPv4 for IPv4 A record
  • IPv4 address returned
  • Host immediately sends a request for AAAA record
  • IPv6 address of FQDN returned
  • Host prefers IPv6 address (configurable)

  43. IPv6 Host Address Assignment Methods
  • Manual Assignment
    • Statically configured by human operator
  • Stateless Address Autoconfiguration (SLAAC, RFC 4862)
    • Allows auto assignment of address through Router Advertisements
  • Stateful DHCPv6 (RFC 3315)
    • Allows DHCPv6 to allocate IPv6 address plus other configuration parameters (DNS, NTP etc.)
  • DHCPv6-PD (RFC 3633)
    • Allows DHCPv6 to allocate entire subnets to a router/CPE device for further allocation
  • Stateless DHCPv6 (RFC 3736)
    • Combination of SLAAC for host address allocation and DHCPv6 for additional parameters such as DNS servers and NTP

  44. DHCPv6
  • Updated version of DHCP for IPv4
  • Supports new addressing
  • Can be used for renumbering
  • DHCP process is the same as in IPv4, but:
    • Client first detects the presence of routers on the link
    • If found, it examines router advertisements to determine if DHCP can be used
    • If no router is found, or if DHCP can be used, a DHCP Solicit message is sent to the All-DHCP-Agents multicast address, using the link-local address as the source address
  • Multicast addresses used:
    • FF02::1:2 = All DHCP Agents (servers or relays, link-local scope)
    • FF05::1:3 = All DHCP Servers (site-local scope)
  • DHCP messages: clients listen on UDP port 546; servers and relay agents listen on UDP port 547

  45. Router Advertisement for Stateful DHCPv6
  • RA messages contain flags that indicate the address allocation combination (A, M and O bits)
  • Use SLAAC only, use DHCPv6 stateful, or use SLAAC and DHCPv6 for other options
  [Figure: host A, Router 1 (DHCPv6 Relay) on 2001:db8:face::/64, and a DHCP server; step 1 RA, step 2 the host sends a DHCP Solicit to FF02::1:2 (All DHCP Relays), step 3 the server returns 2001:db8:face::1/64, DNS1, DNS2, NTP]

  46. Router Advertisement for Stateless DHCPv6
  • RA messages contain flags that indicate the address allocation combination (A, M and O bits)
  • Use SLAAC only, use DHCPv6 stateful, or use SLAAC and DHCPv6 for other options
  [Figure: host A, Router 1 (DHCPv6 Relay) and a DHCP server; step 1 RA carrying 2001:db8:face::/64, step 2 the host forms 2001:db8:face::22c:4ff:fe00:fe56 by SLAAC, step 3 the host sends a DHCP Solicit to FF02::1:2 for options only, step 4 the server returns DNS1, DNS2, NTP]
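As an added example that is not part of the original slides, the following Python builds a constructed Router Advertisement and decodes it the way a host or a monitoring tool should: it checks that the RA arrived from a link-local source with hop limit 255 (slide 35) before reading the M and O flags and the Prefix Information option's A and L flags (slides 45 and 46), and maps the flags to the three assignment modes. The ICMPv6 checksum is left at zero and is not verified; function and field names are my own.

```python
import ipaddress
import struct

ICMPV6, RA_TYPE, PREFIX_INFO = 58, 134, 3


def build_ra(src: str, dst: str, m: bool, o: bool, prefix: str, a_flag=True, hops=255) -> bytes:
    """Constructed sample: IPv6 header + ICMPv6 RA + one Prefix Information option.
    The ICMPv6 checksum is left as zero; parse_ra() does not verify it."""
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", PREFIX_INFO, 4, net.prefixlen,
                      0x80 | (0x40 if a_flag else 0), 2592000, 604800, 0) + net.network_address.packed
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64,
                     (0x80 if m else 0) | (0x40 if o else 0), 1800, 0, 0) + pio
    hdr = struct.pack("!IHBB", 0x60000000, len(ra), ICMPV6, hops)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ra


def parse_ra(pkt: bytes) -> dict:
    """Decode an RA; raises ValueError on anything a host must discard (RFC 4861 validation)."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet carrying a full RA")
    plen, nh, hops = struct.unpack("!HBB", pkt[4:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    if nh != ICMPV6 or pkt[40] != RA_TYPE or pkt[41] != 0:
        raise ValueError("not an ICMPv6 Router Advertisement")
    if hops != 255:          # a forwarded packet can never arrive with 255
        raise ValueError(f"hop limit {hops}: RA did not originate on this link")
    if not src.is_link_local:
        raise ValueError(f"source {src} is not link-local")
    if len(pkt) != 40 + plen:
        raise ValueError("payload length mismatch")
    flags = pkt[45]          # byte after Cur Hop Limit: M=0x80, O=0x40
    info = {"src": str(src), "M": bool(flags & 0x80), "O": bool(flags & 0x40), "prefixes": []}
    pos = 56                 # ND options start after the 16-byte RA body
    while pos < len(pkt):
        otype, olen = pkt[pos], pkt[pos + 1] * 8   # option length is in 8-octet units
        if olen == 0 or pos + olen > len(pkt):
            raise ValueError("malformed ND option")
        if otype == PREFIX_INFO and olen == 32:
            pfx = ipaddress.IPv6Address(pkt[pos + 16:pos + 32])
            info["prefixes"].append({"prefix": f"{pfx}/{pkt[pos + 2]}",
                                     "L": bool(pkt[pos + 3] & 0x80), "A": bool(pkt[pos + 3] & 0x40)})
        pos += olen
    info["mode"] = ("stateful DHCPv6" if info["M"]
                    else "SLAAC + DHCPv6 for other options" if info["O"] else "SLAAC only")
    return info
```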

  47. IPv4/IPv6 Transition and Coexistence

  48. IPv4-IPv6 Transition/Coexistence
  • A wide range of techniques have been identified and implemented, basically falling into three categories:
    • Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
    • Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
    • Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
  • Expect all of these to be used, in combination

  49. IPv6 Using Dual Stack Backbone
  • All P + PE routers are capable of IPv4+IPv6 support
  • Two IGPs supporting IPv4 and IPv6
  • Memory considerations for larger routing tables
  • Native IPv6 multicast support
  • All IPv6 traffic routed in global space
  • Good for content distribution and global services (Internet)
  [Figure: dual stack app, IPv4 + IPv6 edge, IPv6 + IPv4 core, IPv4 and/or IPv6 edge; CE routers attach over IPv4 configured and IPv6 configured interfaces to the PE routers of an IPv4/IPv6 core (P routers), with some or all interfaces in the cloud dual configured]
