1 / 25

IPv6 Transition Mechanisms, their Security and Management

IPv6 Transition Mechanisms, their Security and Management. Georgios Koutepas National Technical University of Athens, Greece 6DISS Workshop March 5 2006 . Transition to IPv6. Not an after-thought but designed to be part of the new protocol since the beginning

isi
Download Presentation

IPv6 Transition Mechanisms, their Security and Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IPv6 Transition Mechanisms,their Security and Management Georgios Koutepas National Technical University of Athens, Greece 6DISS Workshop March 5 2006

  2. Transition to IPv6 • Not an after-thought but designed to be part of the new protocol since the beginning • Overview of transition requirements: • Gradual site transition: a site may have only some of its systems supporting IPv6 • Minimum transition requirements: a site can support IPv6 just by offering DNS services without any upgrade in the rest of the infrastructure • IP address compatibility: the v4 addresses can be converted to "corresponding" v6 addresses, allowing the system to operate in both environments • Ease of installation: Operating Systems should support IPv6 straightforwardly, without need for software upgrades. • The answer: SIT (Simple Internet Transition) mechanisms included in IPv6

  3. IPv6 Transition Mechanisms • SIT offers a scheme for: • The conversion of IPv4 addresses to IPv6 • Dual stack OS operation • Tunnelling mechanisms via the encapsulation of v6 packets within v4 when passing over v4 clouds (and vise-versa) • The Result: • Dual Stack mechanisms • Translation Mechanisms • Tunnelling Mechanisms

  4. Dual Stack mechanisms

  5. Translation Mechanisms • NAT-PT (Network Address Translation - Protocol Translation) • Potential problems • Services based on protocol specific header info cannot be supported end-to-end • "Classic" NAT security issues • Others • BIS (Bump in the Stack) - At the Transport Layer • BIA (Bump in the API) - At the Application Layer

  6. Tunnelling Mechanisms • How they work: • Encapsulation of IPv6 packets within IPv4 packets and vice versa …Which means it can also be used for IPv4 connections over IPv6 native networks • Protocol in the IPv4 header: 41 • The tunnel's end point performs the necessary operations on the protocol 41 IPv4 packets: • Reconnection of fragmented packets • Packet forwarding in the IPv6 network • Hop limit (equivalent to IPv4 TTL) reduction by 1: The tunnel is "transparent" to IPv6 • Nodes performing the (en/de)capsulation operation have to be dual stack

  7. Types of tunnelling Based on the way we find the tunnel's other end: • (Pre)configured tunnel end-points • Automatic. Tunnel end-point may be derived from: • 6to4 address • IPv4 compatible IPv6 destination address

  8. Automatic Tunneling Mechanisms:Tunnel Brokers • The simplest way to IPv6 for single users (i.e. using dialup, ADSL, etc.) • May create security problems OR opositely protocol 41 may be banned by the sys-admins for security reasons • Operation • The user connects to a special web server (in the IPv4 network); makes tunnel application • The server assigns an IPv6 address, creates a DNS entry, informs the Tunnel Server, and sends a configuration script to the user • The user runs the script, installs the IPv6-over-IPv4 tunnel and onnects to the Tunnel Server that routs the packets to the native IPv6 network

  9. Automatic Tunneling Mechanisms:6over4 • Deprecated... • "Multicast tunnelling" • Single IPv6 hosts use the IPv4 Multicast Network to connect between them or the native IPv6 network via a 6over4 router (usually a 6to4 router) • The result is IPv6 hosts directly connected, even using IPv6 Link Local addresses (derived fromtheir IPv4 addresses)! • Also supports IPv6 multicast etc. • 6over4 requires IPv4 Multicast support, which does not exist widely.

  10. Automatic Tunneling Mechanisms:ISATAP • Intra Site automatic Tunnel Addressing Protocol • Also uses the IPv4 infrastructure but without the need for Multicast • Can operate under v4 NAT • Operation: • The node (A.B.C.D)v4 gets the (FE80::5EFE:AB:CD)v6 Link Local address • Using DNSv4 queries for the name ISATAP a Potential Router List (PRL) is created (the Router usually is a 6to4 system) • A Router Solicitation message is sent; the answer (Router-Advertisement message) gives the prefix for creating the universal IPv6 address • ISATAP router-to-node communication: using the last 4 bytes of the destination address • Node-to-router IPv6 network: via the ISATAP router

  11. Automatic Tunneling Mechanisms:Teredo • Useful for hosts behind NAT • Encapsulates the IPv6 packets within UDP v4 packets to bypass the problem of NAT in many cases restricting protocol 41 (IP encapsulated) packets • The encapsulation takes place at the communicating node itself rather than at a border router (like it happens in 6to4) • The Teredo-relay then forwards the packets to the native IPv6 network • Issues: • Complex implementation • Can operate only with specific NAT types • Limited number of Teredo-relays available in the Internet • Used only there is no other available solution…

  12. Automatic Tunneling Mechanisms:6to4 Overview • Connects isolated IPv6 "clouds" • Only the border routers need to implement the 6to4 functionality (and need to be dual stack too…) • Any site with single unicast IPv4 address can transmit to the IPv6 network using the 2002::/16 prefix • Many available relays to the IPv6 network, easy to find by (IPv4) anycast addressing (from 192.88.99.0 - RFC 3068) • The most widely used mechanism, thanks to its minimum requirements and ease of implementation it is preferred to other automatic tunneling methods and configured tunnels • However cannot be used behind NAT because it requires an available universal IPv4 address

  13. 6to4 Architecture and Components

  14. 6to4 usage scenaria (1)6to4 host to 6to4 host • Native v6 communication and routing (RIPng)

  15. 6to4 usage scenaria (2)Between two 6to4 sites • Useful for sites without native IPv6 ISP support • Within the 6to4 sites the hosts use IPv6 natively • Router advertisements and stateless address autoconfiguration • DNSv6 host records - The other site can know about the hosts it needs to communicate with • Non-local IPv6 addresses are sent to the default (6to4) router • The IPv4 address within the 6to4 destination IPv6 address is used as the tunnel termination point

  16. 6to4 usage scenaria (2)Between two 6to4 sites

  17. 6to4 usage scenaria (3)Between a 6to4 site and a native IPv6 network • Connection to the native IPv6 network through a 6to4 Relay Router (an IPv6 router with a 6to4 "Pseudo-interface") • Usage of the Relay Router's IPv4 address or the Anycast Address • 6to4 host to a native IPv6 host • The 6to4 host uses DNS to find the destination host • The 6to4 router forwards (via IPv4) the packet to the "next-hop", the closest 6to4 relay router • The IPv6 router forward the packet to its final destination • Native IPv6 host to a 6to4 host • The 6to4 relay router advertises the 2002::/16 prefix within the IPv6 network • A v6 host will use this information to send its packet to the corresponding IPv6 router and further to the 6to4 "pseudo-interface" via which (by the IPv4 network) the packet reaches the 6to4 network and its final destination

  18. 6to4 usage scenaria (3)Between a 6to4 site and a native IPv6 network

  19. 6to4 Securityor what can go wrong… • Vulnerabilities • 6to4 routers must accept packets from ALL 6to4 relay routers • It's not possible to know if the relay router is "Trusted" or even existent • 6to4 relay routershave to accept packets from 6to4 routers and native IPv6 hosts without any checks • Threats • DoS/DDoS against 6to4 components may result in unavailability • 6to4 routers/relay routers may be used or "reflected" DDoS attacks • "Service theft": unauthorized usage of relay router services • Local IPv4 broadcast attacks • Neighbor Discovery attacks • "Sanity Checks" necessary!

  20. 6to4 Security …an attack scenario • Reflected DoS Attack • It is supposed that bandwidth and processing power limitations can prevent a large scale attack…

  21. Securing 6to4 components • 6to4 routers • Check for correspondence between the IPv4 part of the packets and the 2002::/16 IPv6 encapsulated part • Implement "Sanity Checks" • IPv4: Do not allow strange (e.g. loopback) private, multicast, etc. addresses to be encapsulated • IPv6: Reject "wrong" addresses, like link local, multicast, etc. • Prevent routing of packets to other 6to4 sites via 6to4 relay routers • Reject packets coming from another 6to4 site via a relay router

  22. Securing 6to4 components (2) • 6to4 relay routers • Reject IPv4 packets from 6to4 routers that don't have matching IPv4 src address (V4ADDR) and equivalent 6to4 src address (2002:V4ADR) in the encapsulated IPv6 packet • Reject protocol 41 (IPv4) packets without destination address 192.88.99.1 • Deny packets to the IPv6 network without a universal IPv6 address • Reject packets from 6to4 routers to 6to4 addresses • Ingress Filtering and Access Control Lists for the IPv6 part!

  23. A General Transition Roadmapfor an enterprise or educational network Phase 1 • Network Design • Define Wide and Local network segments • Define “special” areas (due to requirements and operations)- VLANs, DMZs etc. • Define management entities and their areas of responsibility • Network management information flow • Security requirements: • For users and applications • For the network itself (protection of the management information, protection of network devices, security of management procedures) • Plan the steps to transition to the new protocol. Examine the possibility of deploying transition mechanisms (for communications between IPv6 areas within anIPv4network and vise-versa)

  24. A General Transition Roadmap (2) Phase 2 • Implementation of a mixedIPv4/IPv6 environment • Gradual transition of non-critical systems to IPv6 • Allows the evaluation of the operation and stability of the network devices and non-critical systems under IPv6 • Develops the transition procedures • Disseminates the usages of transition mechanisms(tunnels, gateways, etc.)for communications between exclusiveIPv6 areas Phase 3 • Transition of all systems to IPv6 • Exclusive usage of IPv6 in the network • Maintaining transition mechanisms for legacy systems and contacts with IPv4 networks

  25. Any Questions ?

More Related