
Non-Managed Tunnels Considered Harmful

Are they the future of the Internet?

Gunter Van de Velde, Ole Troan, Tim Chown

The Controverse-o-Meter

Highly controversial

Medium controversial (whatever that means)

Not controversial


What are managed tunnels?

What do people say?

Objectives

The noble goal of the IPv6 Internet

Why do Non-managed tunnels exist?

Non-managed tunnel properties

Conclusion

What is a Managed tunnel?
  • The user has a contact “to bark at” when connectivity is not working as expected
  • The tunneling is facilitated by an administrative realm, reachable by the user, for both the tunnel head-end and tail-end
  • Security, performance and integrity of the tunnel are managed
  • The user experience is the same whether IPv4 or IPv6 is used: the network environment feels and smells like true native connectivity
Tunnel Experiences
  • The end-user view
    • My ISP does not provide IPv6, so 6to4/Teredo is my easy way to get IPv6… and I am very happy with the IPv6 quality
    • Oh… I didn’t know I was using IPv6….
  • The enterprise view
    • 6to4 can produce sub-optimal routing; however,
    • 6to4 routing is not always sub-optimal (e.g. when sending packets between two 6to4 sites)
  • The service provider
    • Some ISPs deliberately deploy a 6to4 relay to improve IPv6 quality for their customers, but it costs money and resources to maintain… and the service is not (always) restricted to the ISP’s own customers
    • Content providers observe a measurable difference in RTT and reliability in some cases, and are hence reluctant to bring all services to mainstream IPv6 for all users “just yet”
The noble goal of the IPv6 Internet
  • Provide a platform for content and services to be developed with high quality and performance
  • A simple control plane for end-to-end connectivity
  • The IPv6 Internet connectivity should be as good as (or better than) the perceived quality of the IPv4 Internet
  • All people and devices around the globe have the potential to be connected
  • Allow connectivity to grow without limits

Do non-managed tunnels follow these fundamentals?

Why do non-managed tunnels exist?
  • Early adopters
  • It is not trivial to move a system in lock-step towards IPv6, and tunnels aid in this process
  • Provide decoupling between infrastructure IPv6 readiness and application readiness
Non-managed Tunnel Properties
  • Anycast/well-known address usage
    • Asymmetric connectivity models when relying on a 3rd-party relay
      • Impacts stateful security services (firewalls)
    • Anycast or other well-known addresses may direct traffic towards a badly functioning relay router
      • 6to4 well-known relay addresses: 192.88.99.0/24
      • Teredo MSFT default: teredo.ipv6.microsoft.com

[Figure: IP anycast / well-known address based service]

Non-managed Tunnel Properties
  • Performance
    • There is a logistical decoupling between
      • What the relay router can provide
      • What the user is expecting
    • The impact is that initial deployments have worked really well, but if used for mainstream operation (for millions of customers instead of the technologist), performance may not be stable: there is no motivation for the relay-router providers to upgrade capacity for non-customers

[Figure: IP anycast / well-known address based service. The user typically does not know who owns the relay listening to the well-known address.]

Non-managed Tunnel Properties
  • Realm of control
    • Operational provisioning: good tunnel performance and reliability are often outside the control of the person using the tunnel (3rd-party involvement, unforeseen traffic paths)
    • Sub-optimal flows (increase in RTT and packet loss)
    • If a low-performance relay router is overloaded by non-managed tunnels, how can the user provide feedback on the bad performance?
    • Who is responsible for troubleshooting if connectivity is degraded?
Non-managed Tunnel Properties
  • Security
    • Do you trust the 3rd-party aggregator/de-aggregator?
    • Firewall, IDS and tunneling
    • Lawful Intercept
    • Tunnel security issues documented in “draft-ietf-v6ops-tunnel-security-concerns-02” are amplified by non-managed tunnels due to a lack of trust
      • Tunnels may bypass security inspection
      • IP ingress and egress filtering
      • Source routing after the tunnel client
      • Enterprise NOC managers’ distrust of tunnel security and openness
      • DPI for tunneled packets
      • NAT holes increase the attack surface
      • Tunnel address related risks
    • 6to4 security considerations: RFC 3964 (an RFC from 2004)
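Added example, not from the slides: the address-level checks a defender can apply to the anycast and security properties listed above. It decodes the IPv4 endpoint embedded in 6to4 (2002::/16) and Teredo (2001::/32) addresses so tunneled traffic is visible in logs, flags packets sent to the 6to4 relay anycast prefix 192.88.99.0/24 (an unknown third-party relay), and performs the RFC 3964 consistency check a 6to4 decapsulator uses so that ingress filtering is not bypassed. Function names are my own; it uses only the Python standard library.

```python
import ipaddress

# Prefixes that identify non-managed tunnel endpoints (from the cited RFCs)
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")              # RFC 3056
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")              # RFC 4380
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Network("192.88.99.0/24")  # RFC 3068

def sixto4_embedded_v4(addr):
    """2002:V4ADDR::/48 -> the IPv4 address carried in bits 16..47, else None."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def teredo_endpoints(addr):
    """2001:0:SERVER:FLAGS:~PORT:~CLIENT -> (server, client, port); ~ means bit-inverted."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in TEREDO_PREFIX:
        return None
    raw = int(v6)
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return server, client, port

def classify(addr):
    """Label an IPv6 address from a log or flow record as native, 6to4 or teredo."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 in SIXTO4_PREFIX:
        return "6to4"
    if v6 in TEREDO_PREFIX:
        return "teredo"
    return "native"

def uses_anycast_relay(outer_v4_dst):
    """True when an IPv6-in-IPv4 packet goes to the 6to4 anycast prefix, i.e. an unknown 3rd-party relay."""
    return ipaddress.IPv4Address(outer_v4_dst) in SIXTO4_RELAY_ANYCAST

def check_6to4_decap(outer_v4_src, inner_v6_src):
    """RFC 3964 check on a received protocol-41 packet: a 6to4 inner source must embed
    exactly the outer IPv4 source, and that address must be global unicast."""
    outer = ipaddress.IPv4Address(outer_v4_src)
    embedded = sixto4_embedded_v4(inner_v6_src)
    if embedded is None:
        return True, "inner source is not 6to4; embedded-address check does not apply"
    if embedded != outer:
        return False, f"embedded {embedded} != outer source {outer}: spoofed or misrouted"
    if not embedded.is_global:
        return False, f"embedded {embedded} is not a global unicast address"
    return True, "consistent 6to4 encapsulation"
```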
Conclusion
  • Early adopters have been working fine with non-managed tunnels
  • For mainstream usage:
    • Blackholing
    • Perverse traffic paths
    • Lack of business incentive
    • Difficult security model
    • Hard to have a managed service relying on non-managed infrastructure
  • Consequence:
    • One reason content providers can’t offer universal IPv6 services
    • One reason white-listing complexity is being discussed
Next Steps
  • Adopt as WG item?

draft-vandevelde-v6ops-pref-ps-00