
IPv6: Thanks for stopping by



  1. IPv6: Thanks for stopping by
  Bill Cheswick, ches@lumeta.com, http://www.lumeta.com
  Pondering Perimeters: DOE

  2. Pondering Perimeters: DOE

  3. The Internet was engineered in the early 1980s, and before
  • A research project, with a lot of flaws
  • Nobody thought it would succeed as it has
  • Astonishing that the engineering choices have lasted so long, through so many orders of magnitude of growth
  • Relatively little tweaking: DNS, BGP, CIDR addressing, TCP slow start, a few new ICMP messages

  4. One of the choices: address size
  • 4 billion addresses (2^32) seemed like enough in 1982
  • At the time of the Morris worm (Nov 1988), there were an estimated 6,000 hosts on the Internet (SWAG)
  • In Bell Labs, I counted 1,330
  • AT&T acquired a class A network (12.0.0.0/8) when Mark Horton just asked for it

  5. Fun with a class A (/8) network
  • We couldn’t figure out how to use it
  • Sub- and sub-sub-netmasking were not well supported
  • The Cray had no trouble using it
  • The IP-opaque firewall wouldn’t allow us to use it internally and externally
  • Steve Bellovin and I wondered how this empty address space was faring on the Internet
  • We built the first packet telescope

  6. Packet telescopes

  7. How do you make a packet telescope?
  • Announce the network on the Internet
  • Tell the router to forward all packets for that net to a non-existent Ethernet address (01:02:03:04:05:06)
  • The router doesn’t care that no one is listening for the packets
  • Then listen with tcpdump, ethereal, etc.

  8. What we found
  • Backscatter from dying hosts
  • Misconfigured routers, etc.
  • 15 to 25 MB per day of traffic
  • Steve wrote the paper “There Be Dragons” based on the results

  9. Backscatter
  • Some attacks on hosts require that tables be full, or that the host be too busy to respond
  • Flood it with spoofed packets having random return addresses
  • Or return addresses chosen to be AT&T’s, because the phone company is evil
  • The (dying) host will emit some responses to the spoofed addresses, and we can see some of them

  10. Packet telescopes are used by a number of researchers today
  • They cover a lot of address space
  • The address spaces covered are kept secret
  • Some are large, obvious spaces
  • Others are mixed in with normal space
  • More on this later

  11. Brief history of Internet addressing: 1993
  • Careless allocation seemed to be dooming us
  • My ASCII floor number in our class B network: 135.104.x.0/16
  • Address space was filling up
  • Routers were limited by the memory needed to hold all the routes on the Internet

  12. Simple solution in 1993: more address bits
  • Painful, but not too bad
  • Would have gone into Microsoft’s stack… Windows 95 was in the future
  • IETF had several proposals to change the IP packet format to add more address space
  • … and to do a lot of other stuff, too, unfortunately
  • As long as you are going to change every IP stack, let’s get something done
  • Politics!

  13. 0.0.0.0 to 255.255.255.255

  14. Class D (multicast) and class E (reserved) networks

  15. 10.0.0.0/8: RFC 1918 space

  16. 127.0.0.0/8

  17. In 1993, IPv6 was 3 years away (C2 in ’92?)

  18. But the emergency hasn’t come yet, at least in the US
  • RFC 1918 private address space is used extensively
  • Companies were using IP-blocking firewalls, making their own address space
  • At one bank: 50 states -> 50 class A networks
  • Class A/B/C network sizes were replaced with CIDR blocks, e.g. 209.123.16.96/28
  • ARIN/RIPE/APNIC became very restrictive about handing out addresses

  19. 1999

  20. 2000

  21. 2001

  22. 2002

  23. 2005

  24. IPv6: still 3 years away? Depends

  25. ipv6.research.microsoft.com. 15M IN AAAA ::131.107.65.121
  ipv6.research.microsoft.com. 15M IN AAAA 2002:836b:4179::836b:4179
  (Both records embed the same IPv4 address, 131.107.65.121: the first in the since-deprecated IPv4-compatible form ::a.b.c.d, the second as a 6to4 address, where 836b:4179 is 131.107.65.121 in hex.)
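The two AAAA records above are the same IPv4 host dressed up two ways. The following is an added example, my code and not from the talk, that decodes the transition address forms with Python's ipaddress module and shows how a site's public IPv4 address fixes its 6to4 /48. The record strings are copied from the slide; the function names are mine.

```python
import ipaddress

# The two AAAA records from the slide, used here as plain input strings.
RECORDS = [
    "ipv6.research.microsoft.com. 15M IN AAAA ::131.107.65.121",
    "ipv6.research.microsoft.com. 15M IN AAAA 2002:836b:4179::836b:4179",
]


def embedded_ipv4(text):
    """Classify an IPv6 address that carries an IPv4 address inside it.

    Returns (kind, dotted_quad) or (None, None).  The kinds are the transition
    forms of the era: 6to4 (2002::/16, RFC 3056), IPv4-mapped (::ffff:0:0/96,
    what a dual-stack socket reports) and the since-deprecated IPv4-compatible
    form (::a.b.c.d, RFC 4291 section 2.5.5.1).
    """
    addr = ipaddress.IPv6Address(text)
    if addr.sixtofour is not None:          # bits 16..47 hold the site's public IPv4 address
        return "6to4", str(addr.sixtofour)
    if addr.ipv4_mapped is not None:        # ::ffff:a.b.c.d
        return "ipv4-mapped", str(addr.ipv4_mapped)
    as_int = int(addr)
    if as_int >> 32 == 0 and as_int > 1:    # top 96 bits zero, but not :: or ::1
        return "ipv4-compatible", str(ipaddress.IPv4Address(as_int & 0xFFFFFFFF))
    return None, None


def sixtofour_prefix(v4_text):
    """The /48 a site with public address v4_text owns under 6to4 (131.107.65.121 -> 2002:836b:4179::/48)."""
    v4 = int(ipaddress.IPv4Address(v4_text))
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48)))


def decode_records(records):
    """Map each AAAA record's address to the IPv4 address it encodes."""
    out = {}
    for rec in records:
        fields = rec.split()
        if len(fields) >= 5 and fields[3] == "AAAA":
            out[fields[4]] = embedded_ipv4(fields[4])
    return out


if __name__ == "__main__":
    for v6, (kind, v4) in decode_records(RECORDS).items():
        print(f"{v6:28} {kind:16} {v4}")
    print(sixtofour_prefix("131.107.65.121"))
```

The practical use is asset inventory: a 6to4 address in a log or a DNS zone tells you which IPv4 endpoint (and therefore which site) it really belongs to, and a firewall rule written for the IPv4 address alone will not see the same host arriving over the tunnel.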


  27. IPv6 deployment
  • Widely deployed in the Far East, and in the new cell phones
  • Europe is getting on board
  • US Government mandate for 2005
  • But what does “IPv6 capable” really mean?
  • None of the three ISPs I am connected to at home or work offer raw IPv6 feeds

  28. IPv6 transition
  • 6bone: deprecated
  • IPv6 is available through IPv4/IPv6 tunnel brokers
  • www.hexago.com, formerly freenet6.net
  • Easy to set up on Unix hosts, then it Just Works
  • In Windows XP, for developers
  • IPv4/IPv6 NAT boxes?
  • Lumeta? We are working on it

  29. IPv6: some details

  30. IPv4 vs. IPv6 address space
  • /8: class A
  • /16: class B (street value, $1MM?)
  • /24: class C
  • /32: China
  • /48: a soldier
  • /64: a link

  31. IPv6 address space
  • /48s seem to be freely available:
  • Each US soldier will have one
  • One for each home
  • Easy to hide hosts in that space
  • Hard to administer hosts in that space
  • Some interesting cryptographic and “IP hopping” applications come to mind

  32. Soldier /48
  • Host portion is 80 bits
  • Enough for four whole Internets-worth of addresses for each cell in the soldier’s body
  • Future nanotech really-intranet?
  • Roughly enough to assign an IP address to each molecule in one of the soldier’s bullets

  33. IPv6 technical aspects
  • Addresses aren’t as bad as you might think: 2001:5bfe:16::1 (easy to grep!)
  • Address format changes logfile processing
  • Math is not easy for processing IPv6 addresses
  • The “socket dance” must be rewritten
  • It’s much cleaner now
  • Not a big deal, but requires changes to every legacy Internet program
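An added example, my code rather than anything from the talk, of the three points above: a getaddrinfo-based connect that replaces the IPv4-only socket dance, prefix membership done with 128-bit integers instead of by hand, and log processing that survives the fact that one IPv6 address has many spellings, so a literal grep for 2001:5bfe:16::1 undercounts. The log lines are constructed for the example and the function names are mine.

```python
import ipaddress
import re
import socket

# Constructed log lines (not from the talk): one IPv6 peer written three ways, and one IPv4
# peer written twice, once as a dual-stack socket reports it (::ffff:a.b.c.d) and once plain.
SAMPLE_LOG = """\
2005-05-12T07:04:28Z accept from [2001:5bfe:16::1]:4908 to port 135
2005-05-12T07:07:34Z accept from [2001:5BFE:0016:0000:0000:0000:0000:0001]:4470 to port 445
2005-05-12T07:09:02Z accept from [2001:5bfe:16:0:0:0:0:1]:4471 to port 445
2005-05-12T07:15:17Z accept from [::ffff:209.7.49.222]:2681 to port 135
2005-05-12T07:17:48Z accept from 209.7.49.222:1825 to port 135
"""

# IPv6 literals are bracketed so the port separator is unambiguous (RFC 3986 host syntax).
PEER_RE = re.compile(
    r"from (?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3})):(?P<port>\d+)")


def canonical(text):
    """RFC 5952 canonical text: lowercase, longest zero run compressed, mapped IPv4 unwrapped."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def count_sources(log):
    """Packets per source, keyed by canonical address rather than by the spelling in the log."""
    counts = {}
    for m in PEER_RE.finditer(log):
        key = canonical(m.group("v6") or m.group("v4"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def naive_grep_count(log, needle):
    """What 'grep -c' of a literal address sees: only the lines spelled exactly that way."""
    return sum(1 for line in log.splitlines() if needle in line)


def in_prefix(addr_text, prefix_text):
    """Prefix membership on a 128-bit address, via ipaddress instead of hand-rolled masking."""
    return ipaddress.ip_address(canonical(addr_text)) in ipaddress.ip_network(prefix_text, strict=False)


def connect_any(host, port, timeout=5.0):
    """The rewritten socket dance (RFC 3493): let getaddrinfo pick the family, try each answer in turn."""
    last_error = None
    for family, socktype, proto, _, sockaddr in socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return sock
        except OSError as err:
            last_error = err
            sock.close()
    raise last_error or OSError(f"no addresses for {host}")


if __name__ == "__main__":
    print(count_sources(SAMPLE_LOG))
    print(naive_grep_count(SAMPLE_LOG, "2001:5bfe:16::1"), "hit(s) for the literal string")
    print(in_prefix("2001:5BFE:0016::1", "2001:5bfe:16::/48"))
```

The same canonicalisation has to go into firewall and blocklist handling: a rule matched against the raw log spelling lets the upper-case or uncompressed form through, and a dual-stack listener sees every IPv4 client as an IPv6 peer in ::ffff:0:0/96.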

  34. IPv6 dead ends
  • Google-based research will lead you down recently abandoned dead ends
  • A6 came and went; AAAA is what to use
  • Link level addressing is deprecated
  • The 6bone is dying, don’t go there
  • Use of the bottom 128 - 48 = 80 bits is not really settled

  35. Conversion issues
  • IPv4-only hardware: IPv6 is not available in some routers, wireless base stations, hubs, etc.
  • Programmers have to relearn the “socket dance”
  • Address format changes logfile processing
  • Have to replicate a whole new set of firewall rules

  36. IPv6 pending problems
  • Chicken-and-egg startup
  • DNS replies too small to hold all the root AAAA records (without EDNS0, a 512-byte UDP answer cannot carry both the A and the AAAA records for every root server)
  • Asset management?

  37. Reasons to go to IPv6
  • Address space stops being a problem
  • Because government policy says so
  • There could be useful IPv6-only sites
  • Early adopters (e.g. China) can restrict access to the IPv4 world
  • Perhaps worm spreads might be slowed (see below)

  38. Reasons not to go to IPv6
  • Unnecessary expense for corporations using private address space
  • Unsupported by most cheap devices: cable modems, base stations, etc.
  • Not really there yet: some standards unsettled

  39. Who are the early adopters?
  • China and Japan: didn’t receive very large initial IPv4 allocations
  • Nascent industries: IP for cell phones
  • US government, supposedly

  40. IPv6 is still three years away
  • From general acceptance
  • There are more than a thousand IPv6 networks out there right now
  • IPv4 has nearly 200,000

  41. Some IPv6 web sites
  • www.ipv6.org
  • www.ipv6forum.com
  • Vendors
  • www.hexago.com: free IPv6 brokering

  42. More on the telescopes: watching today’s evil

  43. How do you make a packet telescope? Part 2
  • Choose some unused IP addresses
  • Near other address spaces is more likely to get hit
  • Have a host publish permanent ARP entries for each address:
    arp -s 209.123.16.100 01:02:03:04:05:06 pub
    (-s creates the static entry; pub makes this host answer ARP requests for the address, so the router has somewhere to send the packets even though no host owns that MAC)
  • The router doesn’t care that nobody is listening
  • Then listen with tcpdump, ethereal, etc.

  44. Internet background radiation
  • 209.123.16.100/30: a packet telescope with four addresses
  • 6 probes per hour per address
  • Results vary depending on who is “next door” to you in Internet addressing (e.g. shares an ISP)

  45. First half of Thursday: 4 addresses, residential/commercial network (nac.net)
  • Nothing in DNS or on the web about these addresses
  • No Windows PCs here

  46. Traffic by hour
  b:/var/tmp$ cut -d: -f1 x | sort | uniq -c | awk '{x = ""; for (i=1; i<=$1; i++) {x = x "="}; print $2, $1, x}'
  (x holds the saved tcpdump output; cut takes the hour field from each timestamp, uniq -c counts packets per hour, and awk draws one = per packet)
  00 67 ===================================================================
  01 30 ==============================
  02 37 =====================================
  03 47 ===============================================
  04 42 ==========================================
  05 42 ==========================================
  06 54 ======================================================
  07 28 ============================
  08 46 ==============================================
  09 37 =====================================
  10 18 ==================

  47. Attack distribution by address
  209.123.16.100: 111
  209.123.16.101: 95
  209.123.16.102: 114
  209.123.16.103: 127

  48. tcpdump output from the telescope (lines are truncated at the right edge of the slide)
  07:04:28.194878 IP 209.137.140.29.4908 > 209.123.16.103.135: S 3234716732:3234716732(0) win 16
  07:07:34.165401 IP 209.11.240.115.4470 > 209.123.16.103.445: S 2381400493:2381400493(0) win 16
  07:15:17.085918 IP 209.7.49.222.2681 > 209.123.16.101.135: S 2806496091:2806496091(0) win 1638
  07:17:48.786333 IP 209.137.231.71.1825 > 209.123.16.103.135: S 1479393988:1479393988(0) win 87
  07:18:51.474861 IP 219.145.170.26.3178 > 209.123.16.103.1434: UDP, length: 376
  07:23:32.286715 IP 209.239.14.76.3293 > 209.123.16.100.135: S 269840468:269840468(0) win 64240
  07:24:50.831650 IP 200.27.150.160.1078 > 209.123.16.100.1434: UDP, length: 376
  07:25:04.705014 IP 209.77.237.109.1977 > 209.123.16.103.135: S 2766732623:2766732623(0) win 64
  07:26:57.976816 IP 211.175.182.185.6000 > 209.123.16.100.1433: S 1132396544:1132396544(0) win
  07:26:57.980013 IP 211.175.182.185.6000 > 209.123.16.103.1433: S 974782464:974782464(0) win 16
  07:26:57.984673 IP 211.175.182.185.6000 > 209.123.16.102.1433: S 2010251264:2010251264(0) win
  07:26:57.988127 IP 211.175.182.185.6000 > 209.123.16.101.1433: S 148832256:148832256(0) win 16
  07:31:12.193510 IP 209.116.102.97.4415 > 209.123.16.102.135: S 2243180210:2243180210(0) win 64
  07:37:01.279847 IP 61.147.119.92.80 > 209.123.16.103.15439: S 1394506562:1394506562(0) ack 157
  07:38:23.276307 IP 209.11.240.139.3691 > 209.123.16.103.135: S 208658438:208658438(0) win 6553
  07:39:33.883035 IP 209.11.240.139.4643 > 209.123.16.102.135: S 2559356627:2559356627(0) win 65
  07:41:33.970959 IP 209.11.240.139.1053 > 209.123.16.100.135: S 1218141503:1218141503(0) win 65
  07:46:19.098466 IP 209.123.117.250.3700 > 209.123.16.101.445: S 2483889535:2483889535(0) win 1
  07:46:22.092386 IP 209.123.117.250.3700 > 209.123.16.101.445: S 2483889535:2483889535(0) win 1
  07:46:48.374438 IP 209.123.117.250.4325 > 209.123.16.103.445: S 2521576092:2521576092(0) win 1
  07:46:51.363928 IP 209.123.117.250.4325 > 209.123.16.103.445: S 2521576092:2521576092(0) win 1
  07:51:45.253869 IP 209.7.49.222.4655 > 209.123.16.101.135: S 140404696:140404696(0) win 16384
  07:52:11.682851 IP 209.123.117.250.3593 > 209.123.16.102.445: S 2944460873:2944460873(0) win 1
  07:52:14.653648 IP 209.123.117.250.3593 > 209.123.16.102.445: S 2944460873:2944460873(0) win 1
  07:53:01.116268 IP 209.123.117.250.4668 > 209.123.16.100.445: S 3009370338:3009370338(0) win 1
  07:53:04.042178 IP 209.123.117.250.4668 > 209.123.16.100.445: S 3009370338:3009370338(0) win 1
  07:54:14.805373 IP 209.123.117.250.2398 > 209.123.16.102.445: S 3105685114:3105685114(0) win 1
  07:54:17.772847 IP 209.123.117.250.2398 > 209.123.16.102.445: S 3105685114:3105685114(0) win 1

  49. IP source address count (packets per source)
  98 209.123.117.250
  31 222.88.173.5
  26 209.11.240.139
  21 195.92.95.61
  13 220.179.123.85
  11 222.248.96.249
  9 209.116.102.97
  9 209.11.240.115
  8 61.152.239.150
  8 211.185.208.65
  8 209.82.176.43
  8 209.215.20.79
  8 209.161.170.208
  8 209.12.135.83
  8 204.141.115.75
  6 61.235.154.104
  6 222.88.60.22
  5 209.7.49.222
  4 84.56.28.102
  4 67.10.6.128
  4 218.172.117.90
  4 218.108.175.109
  4 212.194.206.163
  4 211.175.182.185
  4 209.90.146.22
  4 209.82.169.44
  4 209.122.226.106
  4 192.168.1.45
  3 61.152.252.235
  3 221.214.42.125
  3 218.83.154.115
  3 209.99.225.79
  3 209.77.237.109
  3 209.215.59.208
  3 209.175.204.220
  3 209.137.140.29
  2 84.156.85.78
  2 81.130.123.202
  2 80.228.91.231
  2 70.60.120.185
  2 61.186.250.42
  2 222.149.180.50
  2 218.75.231.165
  2 218.204.84.211
  2 211.140.254.58
  2 209.82.168.29
  2 209.47.91.210
  2 209.42.36.2
  2 209.39.34.83
  2 209.30.250.158
  2 209.249.28.107
  2 209.239.5.6
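An added example, my code and not from the talk, that reproduces the analysis of slides 46 to 49 over tcpdump output and adds the classification the backscatter slide implies: the telescope never transmits, so a SYN/ACK or RST arriving at it (slide 48 has one, from 61.147.119.92 port 80, marked with ack) is a reply to a packet someone else sent with a spoofed source in our block, and its source names the flood's real victim. The capture lines below are constructed in the format of slide 48, with the talk's four telescope addresses as destinations and RFC 5737 documentation addresses as sources; every name is mine.

```python
import re
from collections import Counter

# Constructed tcpdump lines (not the slide's own capture), same format as slide 48.
SAMPLE_CAPTURE = """\
07:04:28.194878 IP 198.51.100.7.4908 > 209.123.16.103.135: S 3234716732:3234716732(0) win 16384
07:18:51.474861 IP 203.0.113.9.3178 > 209.123.16.103.1434: UDP, length: 376
07:26:57.976816 IP 192.0.2.44.6000 > 209.123.16.100.1433: S 1132396544:1132396544(0) win 16384
07:26:57.980013 IP 192.0.2.44.6000 > 209.123.16.103.1433: S 974782464:974782464(0) win 16384
07:37:01.279847 IP 198.51.100.200.80 > 209.123.16.103.15439: S 1394506562:1394506562(0) ack 1571 win 5840
08:46:19.098466 IP 203.0.113.250.3700 > 209.123.16.101.445: S 2483889535:2483889535(0) win 16384
08:46:22.092386 IP 203.0.113.250.3700 > 209.123.16.101.445: S 2483889535:2483889535(0) win 16384
08:51:10.000123 IP 192.0.2.120.1433 > 209.123.16.102.40001: R 0:0(0) ack 1 win 0
"""

LINE_RE = re.compile(
    r"^(?P<hour>\d\d):\d\d:\d\d\.\d+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$")


def parse_line(line):
    """One tcpdump line -> dict, accepting the old 'S ... ack N' and the newer 'Flags [S.]' spellings."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"hour": m.group("hour"), "src": m.group("src"), "sport": int(m.group("sport")),
           "dst": m.group("dst"), "dport": int(m.group("dport")),
           "flags": "", "ack": False, "length": None}
    if rest.upper().startswith("UDP"):
        rec["proto"] = "udp"
        n = re.search(r"length:? (\d+)", rest)
        rec["length"] = int(n.group(1)) if n else None
    else:
        rec["proto"] = "tcp"
        new_style = re.match(r"Flags \[([^\]]*)\]", rest)
        if new_style:
            rec["flags"] = new_style.group(1)
            rec["ack"] = "." in new_style.group(1)
        else:
            rec["flags"] = rest.split(" ", 1)[0]
            rec["ack"] = re.search(r"\back \d", rest) is not None
    return rec


def classify(rec):
    """Nothing here ever sends, so a reply-shaped packet (SYN/ACK, RST) is backscatter from a
    spoofed-source flood aimed at rec['src']; a bare SYN or a UDP datagram is a probe or worm."""
    if rec["proto"] == "udp":
        return "udp-probe"      # e.g. the 376-byte UDP/1434 datagrams on slide 48, SQL Slammer's payload size
    if rec["ack"] or "R" in rec["flags"]:
        return "backscatter"
    if "S" in rec["flags"]:
        return "tcp-scan"
    return "other"


def summarize(capture):
    recs = [r for r in map(parse_line, capture.splitlines()) if r]
    return {
        "by_hour": Counter(r["hour"] for r in recs),
        "by_dst": Counter(r["dst"] for r in recs),
        "by_src": Counter(r["src"] for r in recs),
        "by_class": Counter(classify(r) for r in recs),
        # (victim address, victim port) pairs implied by the backscatter
        "flood_victims": sorted({(r["src"], r["sport"]) for r in recs if classify(r) == "backscatter"}),
    }


def hour_histogram(by_hour):
    """Same picture as the cut | sort | uniq -c | awk one-liner on slide 46."""
    return "\n".join(f"{hour} {n} {'=' * n}" for hour, n in sorted(by_hour.items()))


if __name__ == "__main__":
    s = summarize(SAMPLE_CAPTURE)
    print(hour_histogram(s["by_hour"]))
    for name in ("by_dst", "by_src", "by_class"):
        print(name, dict(s[name].most_common()))
    print("flood victims", s["flood_victims"])
```

Feed it `tcpdump -n -l` output captured on the telescope host. The per-source table is what slide 49 shows; the flood_victims list is the extra the telescope gives you for free, and it is what makes a telescope useful to someone who is not the one being flooded.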

  50. Attack sources
  36.dsli.com
  43-176-82-209.g-net.net
  56k.execulink.com
  a.dns.kr
  adsl.alicedsl.de
  ariston.netcraft.com
  biz.rr.com
  bumttx.swbell.net
  customer.vpls.net
  cydc.com.br
  d4.club-internet.fr
  dhcp.transact.bm
  dialup.rcn.com
  dip.t-dialin.net
  dns1.ntli.net
  dns1.xspedius.net
  dsl-xxx.arcor-ip.net
  dynamic.hinet.net
  ev1s-xxx.ev1servers.net
  fbx.proxad.net
  guangzhou.gd.cn
  hosfio.org.ar
  hsia.telus.net
  in-addr.btopenworld.com
  jan.bellsouth.net
  jax.bellsouth.net
  jukebox.e-migrate.com
  k12.il.us
  kinc.cablerocket.net
  mesh.ad.jp
  nosp3-xxx.i-55.com
  ns.cnmobile.net
  ns.uunet.ca
  ns01.unicom-alaska.com
  ns1.apnic.net
  ns1.hzman.net
  ns1.nac.net
  ns1.telehouse.com
  ns1.yipes.com
  nsf.algx.net
  ocn.ne.jp
  odo.warpspeed.com
  online.ln.cn
  prisoner.iana.org
  ptt.js.cn
  pubnet.ne.kr
  res.rr.com
  rev.gaoland.net
  sdjnptt.net.cn
  snfc21.pacbell.net
  sta.net.cn
  sunprairie.visionsystems.tv
  tj.unn.no
  tor.primus.ca
  us.xo.net
  zjhzptt.net.cn
