IPv6 Transition Mechanisms, their Security and Management

Georgios Koutepas

National Technical University of Athens, Greece

6DISS Workshop

March 5 2006

Transition to IPv6
  • Not an after-thought but designed to be part of the new protocol since the beginning
  • Overview of transition requirements:
    • Gradual site transition: a site may have only some of its systems supporting IPv6
    • Minimum transition requirements: a site can support IPv6 just by offering DNS services without any upgrade in the rest of the infrastructure
    • IP address compatibility: an IPv4 address can be embedded in a "corresponding" IPv6 address (the IPv4-compatible ::a.b.c.d form), so the same system can operate in both environments
    • Ease of installation: Operating Systems should support IPv6 straightforwardly, without need for software upgrades.
  • The answer: SIT (Simple Internet Transition) mechanisms included in IPv6
IPv6 Transition Mechanisms
  • SIT offers a scheme for:
    • The conversion of IPv4 addresses to IPv6
    • Dual stack OS operation
    • Tunnelling mechanisms via the encapsulation of v6 packets within v4 when passing over v4 clouds (and vice versa)
  • The Result:
    • Dual Stack mechanisms
    • Translation Mechanisms
    • Tunnelling Mechanisms
Translation Mechanisms
  • NAT-PT (Network Address Translation - Protocol Translation, RFC 2766)
    • Potential problems
      • Services that depend on protocol-specific header information (e.g. addresses carried inside application payloads) cannot be supported end-to-end without an application-level gateway
      • "Classic" NAT security issues
  • Others
    • BIS (Bump in the Stack, RFC 2767): translation inserted in the host between the IPv4 stack and the network-interface driver
    • BIA (Bump in the API, RFC 3338): translation inserted in the host between the socket API and the TCP/IP stack

Tunnelling Mechanisms
  • How they work:
    • Encapsulation of IPv6 packets within IPv4 packets, and vice versa
      • …which means the same approach also serves IPv4 connections over native IPv6 networks
    • Protocol number in the IPv4 header: 41
    • The tunnel's end point performs the necessary operations on the protocol-41 IPv4 packets:
      • Reassembly of fragmented IPv4 packets
      • Decapsulation and forwarding of the inner packet in the IPv6 network
    • The IPv6 hop limit (the equivalent of the IPv4 TTL) is decremented by 1 for the whole tunnel: the tunnel is modelled as a single hop and is "transparent" to IPv6
    • Nodes performing the (en/de)capsulation operation have to be dual stack

Types of tunnelling
  • Based on the way we find the tunnel's other end:
    • (Pre)configured tunnel end-points
    • Automatic: the tunnel end-point is derived from the IPv6 destination address:
      • 6to4 address (2002:V4ADDR::/48; V4ADDR is the end-point)
      • IPv4-compatible IPv6 destination address (::a.b.c.d; deprecated by RFC 4291)
Automatic Tunneling Mechanisms: Tunnel Brokers
  • The simplest way to IPv6 for single users (e.g. on dial-up or ADSL)
  • May create security problems; or, conversely, protocol 41 may be blocked by the sys-admins for security reasons, so the tunnel never comes up
  • Operation
    • The user connects to a special web server (in the IPv4 network) and applies for a tunnel
    • The server assigns an IPv6 address, creates a DNS entry, informs the Tunnel Server, and sends a configuration script to the user
    • The user runs the script, which installs the IPv6-over-IPv4 tunnel and connects to the Tunnel Server; the Tunnel Server routes the packets to the native IPv6 network
Automatic Tunneling Mechanisms: 6over4
  • Deprecated…
  • "Multicast tunnelling" (RFC 2529)
  • Isolated IPv6 hosts use the IPv4 multicast network as a virtual link to reach each other, or the native IPv6 network via a 6over4 router (usually a 6to4 router)
  • The result is IPv6 hosts that appear directly connected, even using IPv6 link-local addresses (derived from their IPv4 addresses)!
  • Also supports IPv6 multicast, Neighbor Discovery, etc. over the IPv4 multicast link
  • 6over4 requires IPv4 multicast support, which is not widely available
Automatic Tunneling Mechanisms: ISATAP
  • Intra-Site Automatic Tunnel Addressing Protocol (RFC 4214)
  • Also uses the IPv4 infrastructure as a virtual link, but without the need for multicast
  • Can operate under IPv4 NAT (within the site)
  • Operation:
    • A node with IPv4 address A.B.C.D forms the link-local address FE80::5EFE:A.B.C.D (interface identifier 0000:5EFE followed by the 32-bit IPv4 address)
    • An IPv4 DNS query for the name "isatap" (in the site's domain) yields the Potential Router List (PRL); the ISATAP router is usually also a 6to4 system
    • A Router Solicitation is sent (over IPv4) to a PRL router; the Router Advertisement returned gives the prefix used to build the global IPv6 address
      • ISATAP router-to-node: the IPv4 tunnel end-point is taken from the last 4 bytes of the IPv6 destination address
      • Node-to-IPv6-network: via the ISATAP router
Automatic Tunneling Mechanisms: Teredo
  • Useful for hosts behind NAT (RFC 4380)
  • Encapsulates the IPv6 packets within IPv4 UDP packets, to get around NATs that in many cases do not pass protocol 41 (IP-in-IP) packets
  • The encapsulation takes place at the communicating host itself rather than at a border router (as happens in 6to4)
  • A Teredo relay then forwards the packets to the native IPv6 network
  • Issues:
    • Complex implementation
    • Works only with specific NAT types (cone and restricted NATs, not symmetric NATs)
    • Limited number of Teredo relays available in the Internet
  • Used only when there is no other solution available…
Automatic Tunneling Mechanisms: 6to4 Overview
  • Connects isolated IPv6 "clouds" (RFC 3056)
  • Only the border routers need to implement the 6to4 functionality (and they need to be dual stack too…)
  • Any site with a single global unicast IPv4 address V4ADDR can reach the IPv6 network using the prefix 2002:V4ADDR::/48 (out of 2002::/16)
  • Many relays to the native IPv6 network, easy to find via the IPv4 anycast address 192.88.99.1 (RFC 3068; both 6to4 and this anycast prefix were later deprecated by RFC 7526)
  • The most widely used mechanism: thanks to its minimal requirements and ease of implementation it is preferred to other automatic tunnelling methods and to configured tunnels
  • However, it cannot be used behind NAT, because it requires a globally routable IPv4 address
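The address forms used by the automatic mechanisms above (6to4's 2002:V4ADDR::/48, ISATAP's ::5EFE:V4ADDR interface identifier, and the IPv4-compatible ::a.b.c.d form from the "Types of tunnelling" slide) are mechanical, so the following added example derives them and reverses them: it computes the prefix a 6to4 site gets, the ISATAP link-local or router-supplied global address, and recovers the IPv4 tunnel end-point from a destination address, which is what "automatic" means. This is editor-added code, not the presenter's or any project's; it uses only the Python standard library. The RFC 1918 check stands in for the slide's "needs a global IPv4 address" rule (a real implementation would check the full IANA special-purpose list), and the sample addresses are constructed from the documentation ranges.

```python
"""Constructed example: address forms used by automatic IPv6-over-IPv4 tunnelling.
Not code from the slides; standard library only.  Sample addresses are taken
from the documentation ranges (192.0.2.0/24, 2001:db8::/32)."""
import ipaddress
from typing import Optional, Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")                       # RFC 3056
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Upper 32 bits of an ISATAP interface identifier: 0000:5EFE (RFC 4214) or
# 0200:5EFE with the u/l bit set for a global IPv4 address (RFC 5214).
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)


def sixto4_prefix(v4: str) -> ipaddress.IPv6Network:
    """The /48 a site derives from its single global IPv4 address: 2002:V4ADDR::/48."""
    a = ipaddress.IPv4Address(v4)
    if any(a in n for n in RFC1918):
        # The slide's limitation: a private address behind NAT cannot be a 6to4 end-point.
        # Assumption: RFC 1918 is used here as a stand-in for the full "not globally routable" test.
        raise ValueError(f"{v4} is an RFC 1918 address; 6to4 is not usable behind NAT")
    return ipaddress.IPv6Network((int(SIXTO4.network_address) | (int(a) << 80), 48))


def isatap_address(v4: str, prefix: str = "fe80::/64") -> ipaddress.IPv6Address:
    """prefix + 0:5EFE:V4ADDR.  The default gives the link-local address a node forms on
    its own; pass the /64 learned from the ISATAP router's RA to get the global address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    iid = (0x5EFE << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def tunnel_endpoint(v6: str) -> Optional[Tuple[str, ipaddress.IPv4Address]]:
    """What 'automatic' means: recover the IPv4 tunnel end-point from the IPv6 destination.
    Returns (mechanism, IPv4 end-point), or None for a native address that needs a configured tunnel."""
    a = ipaddress.IPv6Address(v6)
    n = int(a)
    if a in SIXTO4:
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if n >> 32 == 0 and n > 1:                          # ::a.b.c.d, but not :: or ::1
        return "ipv4-compatible", ipaddress.IPv4Address(n)
    if ((n >> 32) & 0xFFFFFFFF) in ISATAP_IIDS:
        return "isatap", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    return None


if __name__ == "__main__":
    site = "192.0.2.1"
    print("6to4 prefix   :", sixto4_prefix(site))                   # 2002:c000:201::/48
    print("ISATAP LL     :", isatap_address(site))                  # fe80::5efe:c000:201
    print("ISATAP global :", isatap_address(site, "2001:db8:1:2::/64"))
    for dst in ("2002:c000:201:1::10", "::192.0.2.1", "fe80::5efe:c000:201", "2001:db8::1"):
        print(f"{dst:24} -> {tunnel_endpoint(dst)}")
```

Note that the same 32-bit IPv4 address lands in different positions of the 128-bit address: bits 80 to 111 for 6to4, the low 32 bits for ISATAP and IPv4-compatible addresses. That is exactly the correspondence the 6to4 sanity checks later in the talk rely on, since a 2002:V4ADDR source that did not come from V4ADDR is a spoof.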
6to4 usage scenarios (1): 6to4 host to 6to4 host
  • Native v6 communication and routing (RIPng)
6to4 usage scenarios (2): between two 6to4 sites
  • Useful for sites without native IPv6 ISP support
  • Within the 6to4 sites the hosts use IPv6 natively
    • Router advertisements and stateless address autoconfiguration
    • IPv6 (AAAA) DNS host records: the other site can learn the addresses of the hosts it needs to communicate with
  • Packets for non-local IPv6 addresses are sent to the default (6to4) router
  • The IPv4 address embedded in the 6to4 destination IPv6 address is used as the tunnel termination point
6to4 usage scenarios (3): between a 6to4 site and a native IPv6 network
  • Connection to the native IPv6 network through a 6to4 relay router (an IPv6 router with a 6to4 "pseudo-interface")
    • Using either the relay router's IPv4 address or the anycast address
  • 6to4 host to a native IPv6 host
    • The 6to4 host uses DNS to find the destination host
    • The 6to4 router forwards the packet (over IPv4) to the "next hop", the closest 6to4 relay router
    • The relay's IPv6 side forwards the packet to its final destination
  • Native IPv6 host to a 6to4 host
    • The 6to4 relay router advertises the 2002::/16 prefix into the IPv6 network
    • The IPv6 routing system delivers the packet to that relay; its 6to4 "pseudo-interface" encapsulates it and sends it (over the IPv4 network) to the 6to4 router of the destination site, which delivers it to the final destination
6to4 Security, or what can go wrong…
  • Vulnerabilities
    • 6to4 routers must accept protocol-41 packets from ALL 6to4 relay routers
      • There is no way to know whether a relay router is "trusted", or whether it even exists: any IPv4 source can claim to be a relay carrying a native IPv6 source
    • 6to4 relay routers have to accept packets from any 6to4 router (over IPv4) and from any native IPv6 host, without further checks
  • Threats
    • DoS/DDoS against 6to4 components may result in unavailability
    • 6to4 routers and relay routers may be abused as reflectors in "reflected" DDoS attacks
    • "Service theft": unauthorized use of relay router services
    • Local IPv4 broadcast attacks (inner packets tunnelled to an IPv4 broadcast address)
    • Neighbor Discovery attacks
  • "Sanity checks" are necessary!
6to4 Security: an attack scenario
  • Reflected DoS attack
  • It is assumed that the bandwidth and processing-power limits of the relays prevent a large-scale attack…
Securing 6to4 components
  • 6to4 routers
    • Check that the IPv4 addresses of the outer packet correspond to the 2002:V4ADDR::/48 addresses in the encapsulated IPv6 packet
    • Implement "sanity checks"
      • IPv4: do not encapsulate to, or accept from, "strange" addresses (loopback, private, multicast, broadcast, etc.)
      • IPv6: reject "wrong" inner addresses, e.g. link-local, multicast, unspecified
    • Do not route packets to other 6to4 sites via 6to4 relay routers (the end-point is in the destination address; tunnel directly)
    • Reject packets that arrive from another 6to4 site via a relay router (an inner 2002::/16 source whose embedded IPv4 address differs from the outer IPv4 source)
Securing 6to4 components (2)
  • 6to4 relay routers
    • Reject IPv4 packets from 6to4 routers whose IPv4 source address (V4ADDR) does not match the 6to4 source address (2002:V4ADDR::/48) of the encapsulated IPv6 packet
    • Reject protocol 41 (IPv4) packets without a valid destination address
    • Deny packets towards the IPv6 network that do not carry a global (unicast) IPv6 address
    • Reject packets from 6to4 routers addressed to other 6to4 addresses (2002::/16): these should be tunnelled directly, not through a relay
    • Ingress filtering and access control lists for the IPv6 side too!
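As an added example, not the presenter's code nor any 6to4 implementation's, the following decapsulation filter applies the checks from both "Securing 6to4 components" slides, plus the hop-limit handling from the tunnelling slide, to protocol-41 packets arriving at either a 6to4 site router or a 6to4 relay router. It uses only the Python standard library. The packets, the site address, and the bogon list are constructed for the example: the list is an explicit RFC 3964-style subset, not the full IANA special-purpose registry, and the IPv4 checksums of the sample packets are left at zero.

```python
"""Constructed example: decapsulation filter for IPv6-in-IPv4 (protocol 41) packets
implementing the 6to4 router / relay router sanity checks.  Not code from the slides."""
import ipaddress
import struct
from typing import Optional, Tuple, Union

IPPROTO_IPV6 = 41
SIXTO4 = ipaddress.IPv6Network("2002::/16")
ULA = ipaddress.IPv6Network("fc00::/7")
# Outer IPv4 addresses that must never be a tunnel end-point.  Assumption: an explicit
# RFC 3964-style list; a production filter would use the full IANA special-purpose registry.
V4_BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def embedded_v4(a: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """V4ADDR from a 2002:V4ADDR::/48 address; None for a native IPv6 address."""
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF) if a in SIXTO4 else None


def inner_ok(a: ipaddress.IPv6Address) -> bool:
    """Reject 'wrong' inner addresses: link-local, multicast, unspecified, loopback, ::a.b.c.d, ::ffff:a.b.c.d."""
    return not (a.is_link_local or a.is_multicast or a.is_unspecified or a.is_loopback
                or a.ipv4_mapped is not None or int(a) >> 32 == 0)


def decapsulate(pkt: bytes, role: str, my_v4: str) -> Tuple[str, Union[bytes, str]]:
    """role: 'router' (6to4 site border router) or 'relay' (6to4 relay router); my_v4: own end-point.
    Returns ('accept', inner IPv6 packet with hop limit decremented) or ('drop', reason)."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if ihl < 20 or len(pkt) < ihl + 40 or pkt[0] >> 4 != 4:
        return "drop", "not an IPv4 packet with room for an IPv6 header"
    if struct.unpack("!H", pkt[6:8])[0] & 0x3FFF:            # MF flag or non-zero fragment offset
        return "drop", "IPv4 fragment: reassemble first, then filter the whole packet"
    if pkt[9] != IPPROTO_IPV6:
        return "drop", f"IPv4 protocol {pkt[9]} is not 41"
    osrc, odst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    if odst != ipaddress.IPv4Address(my_v4):
        return "drop", "outer destination is not this tunnel end-point"
    if any(osrc in n for n in V4_BOGONS):
        return "drop", f"outer source {osrc} is loopback/private/multicast/reserved"
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        return "drop", "payload is not IPv6"
    hop, isrc, idst = inner[7], ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    if not (inner_ok(isrc) and inner_ok(idst)):
        return "drop", "inner address is link-local/multicast/unspecified/loopback"
    src_v4, dst_v4 = embedded_v4(isrc), embedded_v4(idst)
    # A 2002:V4ADDR source must really come from V4ADDR.  One check covers both slides: a spoofed
    # 6to4 source at a relay, and "another 6to4 site via a relay router" at a site router.
    if src_v4 is not None and src_v4 != osrc:
        return "drop", f"6to4 source {isrc} does not match outer source {osrc}"
    if role == "router":
        if dst_v4 != odst:                                   # must be for this site's 2002:V4ADDR::/48
            return "drop", "inner destination is not in this site's 2002:V4ADDR::/48"
    elif role == "relay":
        if src_v4 is None:                                   # IPv4 side only ever hears from 6to4 routers
            return "drop", "relay accepts only 2002::/16 sources on its IPv4 side"
        if dst_v4 is not None:                               # 6to4 -> 6to4 is tunnelled directly
            return "drop", "6to4-to-6to4 traffic must not transit a relay"
        if idst in ULA:
            return "drop", "destination is not a global IPv6 address"
    else:
        raise ValueError(f"unknown role {role!r}")
    if hop <= 1:
        return "drop", "hop limit exhausted"
    return "accept", inner[:7] + bytes([hop - 1]) + inner[8:]   # the tunnel counts as one IPv6 hop


def build(osrc: str, odst: str, isrc: str, idst: str, hop: int = 64, proto: int = IPPROTO_IPV6) -> bytes:
    """Constructed IPv6-in-IPv4 packet: 20-byte IPv4 header, 40-byte IPv6 header, 8 dummy payload bytes."""
    v6 = struct.pack("!IHBB", 0x60000000, 8, 59, hop)         # next header 59 = no next header
    v6 += ipaddress.IPv6Address(isrc).packed + ipaddress.IPv6Address(idst).packed + bytes(8)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(osrc).packed, ipaddress.IPv4Address(odst).packed)
    return v4 + v6


RELAY_V4 = "192.88.99.1"   # 6to4 relay anycast address (RFC 3068)
SITE_V4 = "192.0.2.1"      # constructed 6to4 site router, i.e. prefix 2002:c000:201::/48
SAMPLES = {
    "relay: site to native":         build(SITE_V4, RELAY_V4, "2002:c000:201::1", "2001:db8::1"),
    "relay: spoofed 6to4 source":    build("203.0.113.7", RELAY_V4, "2002:c000:201::1", "2001:db8::1"),
    "relay: 6to4 to 6to4 via relay": build(SITE_V4, RELAY_V4, "2002:c000:201::1", "2002:cb00:7107::1"),
    "relay: private outer source":   build("10.0.0.5", RELAY_V4, "2002:a00:5::1", "2001:db8::1"),
    "router: native to site":        build(RELAY_V4, SITE_V4, "2001:db8::1", "2002:c000:201::1"),
    "router: other site via relay":  build(RELAY_V4, SITE_V4, "2002:cb00:7107::1", "2002:c000:201::1"),
    "router: wrong site":            build(RELAY_V4, SITE_V4, "2001:db8::1", "2002:cb00:7107::1"),
}


def run_demo() -> dict:
    """Run every sample through the filter in the right role; returns {name: verdict}."""
    verdicts = {}
    for name, pkt in SAMPLES.items():
        role, my_v4 = ("relay", RELAY_V4) if name.startswith("relay") else ("router", SITE_V4)
        verdict, detail = decapsulate(pkt, role, my_v4)
        verdicts[name] = verdict
        print(f"{verdict:6} {name}: {detail if verdict == 'drop' else f'hop limit now {detail[7]}'}")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

Two design points worth noting. First, the fragment check comes before everything else: the sanity checks read the inner IPv6 header, so a first fragment that carries only part of it, or a non-first fragment that carries none of it, cannot be judged until reassembly, which the tunnelling slide assigns to the end-point. Second, the single "2002:V4ADDR source must match outer IPv4 source" comparison is what makes the relay untrusted-by-design tolerable: a relay cannot be authenticated, but a 6to4 source that arrives from any other IPv4 address than its own is provably not legitimate and is dropped before its address can be used as a reflection target.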
A General Transition Roadmap for an enterprise or educational network

Phase 1

  • Network design
    • Define wide-area and local network segments
    • Define "special" areas (due to requirements and operations): VLANs, DMZs, etc.
    • Define management entities and their areas of responsibility
    • Network management information flow
    • Security requirements:
      • For users and applications
      • For the network itself (protection of the management information, protection of network devices, security of management procedures)
    • Plan the steps of the transition to the new protocol. Examine the possibility of deploying transition mechanisms (for communication between IPv6 areas within an IPv4 network and vice versa)
A General Transition Roadmap (2)

Phase 2

  • Implementation of a mixed IPv4/IPv6 environment
  • Gradual transition of non-critical systems to IPv6
    • Allows the evaluation of the operation and stability of the network devices and non-critical systems under IPv6
    • Develops the transition procedures
    • Spreads the use of transition mechanisms (tunnels, gateways, etc.) for communication between IPv6-only areas

Phase 3

  • Transition of all systems to IPv6
  • Exclusive usage of IPv6 in the network
    • Maintaining transition mechanisms for legacy systems and contacts with IPv4 networks