IPv6 Transition Mechanisms, their Security and Management
Georgios Koutepas
National Technical University of Athens, Greece

6DISS Workshop March 5 2006

IPv6 Transition Mechanisms - 6DISS Workshop - 5 March 2006

Transition to IPv6
• Not an after-thought, but designed to be part of the new protocol from the beginning
• Overview of transition requirements:
– Gradual site transition: a site may have only some of its systems supporting IPv6
– Minimum transition requirements: a site can support IPv6 just by offering DNS services, without any upgrade in the rest of the infrastructure
– IP address compatibility: IPv4 addresses can be converted to "corresponding" IPv6 addresses, allowing a system to operate in both environments
– Ease of installation: operating systems should support IPv6 straightforwardly, without the need for software upgrades

• The answer: the SIT (Simple Internet Transition) mechanisms included in IPv6

IPv6 Transition Mechanisms
• SIT offers a scheme for:
– The conversion of IPv4 addresses to IPv6
– Dual stack OS operation
– Tunnelling mechanisms via the encapsulation of IPv6 packets within IPv4 when passing over IPv4 clouds (and vice versa)

• The result:
– Dual stack mechanisms
– Translation mechanisms
– Tunnelling mechanisms


Dual Stack mechanisms
(diagram: a dual stack node, layer by layer)
Application Layer: Web, Email, etc.
Transport Layer: TCP/UDP
IP Layer: IPv4 | IPv6 (both stacks side by side)
Data Link Layer: Ethernet, PPP, etc.


Translation Mechanisms
• NAT-PT (Network Address Translation - Protocol Translation)
(diagram: a dual stack translation router, the NAT-PT, sits between a native IPv6 network and a native IPv4 network, holding an IPv6 address pool and an IPv4 address pool)
– Potential problems
• Services based on protocol-specific header information cannot be supported end-to-end
• "Classic" NAT security issues
• Others
– BIS (Bump in the Stack) - at the transport layer
– BIA (Bump in the API) - at the application layer

Tunnelling Mechanisms
• How they work:
– Encapsulation of IPv6 packets within IPv4 packets, and vice versa
• …which means tunnelling can also be used for IPv4 connections over native IPv6 networks
– Protocol number in the IPv4 header: 41
– The tunnel's end point performs the necessary operations on the protocol 41 IPv4 packets:
• Reassembly of fragmented packets
• Packet forwarding in the IPv6 network
• Hop limit (the equivalent of the IPv4 TTL) reduction by 1: the tunnel is "transparent" to IPv6 and counts as a single hop
– Nodes performing the (en/de)capsulation have to be dual stack

Types of tunnelling
Based on the way we find the tunnel's other end:
• (Pre)configured tunnel end-points
• Automatic: the tunnel end-point may be derived from:
– a 6to4 address
– an IPv4-compatible IPv6 destination address


Automatic Tunneling Mechanisms:
Tunnel Brokers
• The simplest way to IPv6 for single users (i.e. using dialup, ADSL, etc.)
• May create security problems; or, the other way round, protocol 41 may be banned by the sys-admins for security reasons
• Operation:
– The user connects to a special web server (in the IPv4 network) and applies for a tunnel
– The server assigns an IPv6 address, creates a DNS entry, informs the Tunnel Server, and sends a configuration script to the user
– The user runs the script, which installs the IPv6-over-IPv4 tunnel and connects to the Tunnel Server; the Tunnel Server routes the packets to the native IPv6 network


Automatic Tunneling Mechanisms:
6over4
• Deprecated…
• "Multicast tunnelling"
• Single IPv6 hosts use the IPv4 multicast network to connect to each other, or to the native IPv6 network via a 6over4 router (usually a 6to4 router)
• The result is IPv6 hosts directly connected, even using IPv6 link-local addresses (derived from their IPv4 addresses)!
• Also supports IPv6 multicast, etc.
• 6over4 requires IPv4 multicast support, which is not widely available


Automatic Tunneling Mechanisms:
ISATAP
• Intra-Site Automatic Tunnel Addressing Protocol
• Also uses the IPv4 infrastructure, but without the need for multicast
• Can operate under IPv4 NAT
• Operation:
– The node with IPv4 address A.B.C.D gets the link-local address FE80::5EFE:A.B.C.D (the IPv4 address is embedded in the low 32 bits of the interface identifier; RFC 4214 also sets the 0x0200 bit in front of 5EFE when the IPv4 address is globally unique)
– Using DNSv4 queries for the name "ISATAP", a Potential Router List (PRL) is created (the router usually is a 6to4 system)
– A Router Solicitation message is sent; the answer (Router Advertisement) gives the prefix for creating the global IPv6 address
• ISATAP router-to-node communication: the IPv4 tunnel endpoint is taken from the last 4 bytes of the destination IPv6 address
• Node-to-IPv6 network: via the ISATAP router

Automatic Tunneling Mechanisms:
Teredo
• Useful for hosts behind NAT
• Encapsulates the IPv6 packets within IPv4 UDP packets, to bypass the problem of NATs that in many cases block protocol 41 (IP-encapsulated) packets
• The encapsulation takes place at the communicating node itself rather than at a border router (as happens in 6to4)
• The Teredo relay then forwards the packets to the native IPv6 network
• Packet format (diagram): IPv4 header | UDP header | encapsulated IPv6 packet
• Issues:
– Complex implementation
– Can operate only with specific NAT types
– Limited number of Teredo relays available in the Internet
• Used only where there is no other available solution…

Automatic Tunneling Mechanisms:
6to4 Overview
• Connects isolated IPv6 "clouds"
• Only the border routers need to implement the 6to4 functionality (and they need to be dual stack too…)
• Any site with a single global unicast IPv4 address can reach the IPv6 network using the 2002::/16 prefix: the site's prefix is 2002:V4ADDR::/48
• Many available relays to the IPv6 network, easy to find via IPv4 anycast addressing (192.88.99.0/24, RFC 3068)
• The most widely used mechanism: thanks to its minimal requirements and ease of implementation it is preferred to other automatic tunnelling methods and to configured tunnels
• However, it cannot be used behind NAT, because it requires a globally routable IPv4 address
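How the tunnel end-point falls out of the address itself for the automatic mechanisms above: 6to4 (2002:V4ADDR::/48), the IPv4-compatible ::A.B.C.D form, and ISATAP's …:5EFE:A.B.C.D interface identifier. This is an added Python example, not code from the slides. The 0x0200 bit in the ISATAP interface identifier follows RFC 4214 and is not taken from the slides; all sample addresses are constructed from documentation ranges.

```python
"""Tunnel end-point derivation for the automatic tunnelling address forms.

Added example, not code from the 6DISS slides.  Builds 6to4 (2002:V4ADDR::/48) and
ISATAP link-local addresses and recovers the IPv4 tunnel end-point embedded in
6to4, IPv4-compatible (::A.B.C.D) and ISATAP addresses.  Sample addresses are
constructed from documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32).
"""
import ipaddress
from typing import Optional

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
V4_COMPATIBLE = ipaddress.IPv6Network("::/96")   # deprecated ::A.B.C.D form
ISATAP_TAG = 0x5EFE                              # interface ID = [0000|0200]:5EFE:<IPv4>


def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """The /48 a site with public IPv4 address v4 derives from 2002::/16: 2002:V4ADDR::/48."""
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(IPv4(v4)) << 80), 48))


def sixtofour_router_address(v4: str) -> IPv6:
    """The conventional address of the site's 6to4 router, 2002:V4ADDR::1 (as on the slides)."""
    return sixtofour_prefix(v4)[1]


def isatap_link_local(v4: str, public: bool) -> IPv6:
    """ISATAP link-local address of node v4 (RFC 4214): fe80::[0200|0000]:5efe:A.B.C.D.

    The 0x0200 (u/l) bit is set when the embedded IPv4 address is globally unique.
    """
    ugl = 0x0200 if public else 0x0000
    iid = (ugl << 48) | (ISATAP_TAG << 32) | int(IPv4(v4))
    return IPv6((0xFE80 << 112) | iid)


def tunnel_endpoint(v6: str) -> Optional[IPv4]:
    """IPv4 address of the tunnel's far end embedded in v6, or None if v6 is not an
    automatic-tunnel address (a native 2001:db8:: address needs a configured tunnel)."""
    a = IPv6(v6)
    n = int(a)
    if a in SIXTOFOUR:                                  # 2002:WWXX:YYZZ::/48 -> w.x.y.z
        return IPv4((n >> 80) & 0xFFFFFFFF)
    if a in V4_COMPATIBLE and n > 1:                    # ::w.x.y.z, but not :: or ::1
        return IPv4(n & 0xFFFFFFFF)
    iid = n & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) & 0xFFFF == ISATAP_TAG and (iid >> 48) in (0x0000, 0x0200):
        return IPv4(iid & 0xFFFFFFFF)                   # ...:5efe:w.x.y.z (ISATAP, any prefix)
    return None


if __name__ == "__main__":
    site = "192.0.2.1"                                  # constructed V4ADDR
    print(sixtofour_prefix(site), sixtofour_router_address(site))
    print(isatap_link_local("10.0.0.5", public=False))
    for addr in ("2002:c000:201::25", "::198.51.100.7", "fe80::5efe:a00:5", "2001:db8::1"):
        print(addr, "->", tunnel_endpoint(addr))
```

The ISATAP branch deliberately matches the interface identifier under any prefix, not only fe80::/64, because the same 5EFE identifier is kept in the global address the node builds from the Router Advertisement prefix.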

6to4 Architecture and Components
(diagram) The 6to4 subnet, with IPv6 addresses from 2002:V4ADDR::/48, contains 6to4 clients and IPv6 hosts. Its 6to4 router (gateway) has IPv4 address V4ADDR and IPv6 address 2002:V4ADDR::1, and tunnels through the IPv4 Internet to other 6to4 routers (gateways). A 6to4 relay router connects the IPv4 Internet to the IPv6 native network and is reached through the IPv4 anycast address 192.88.99.1.


6to4 usage scenarios (1)
6to4 host to 6to4 host
• Native IPv6 communication and routing (RIPng) inside the 6to4 subnet
(diagram) 6to4 clients in the 6to4 subnet (IPv6 addresses 2002:V4ADDR::/48), behind the 6to4 router (gateway) with IPv4 address V4ADDR and IPv6 address 2002:V4ADDR::1, which connects to the IPv4 Internet.

6to4 usage scenarios (2)
Between two 6to4 sites
• Useful for sites without native IPv6 ISP support
• Within the 6to4 sites the hosts use IPv6 natively
– Router Advertisements and stateless address autoconfiguration
– DNSv6 host records: the other site can learn the addresses of the hosts it needs to communicate with
• Non-local IPv6 destinations are sent to the default (6to4) router
• The IPv4 address embedded in the 6to4 destination IPv6 address is used as the tunnel termination point


6to4 usage scenarios (2)
Between two 6to4 sites
(diagram) A 6to4 client at site A sends an IPv6 packet with destination address 2002:V4ADDR-B::26. Site A's 6to4 router (gateway) encapsulates it: an IPv4 header with destination address V4ADDR-B, followed by the encapsulated IPv6 packet, sent across the IPv4 Internet. Site B's 6to4 router (gateway, IPv4 address V4ADDR-B, IPv6 address 2002:V4ADDR-B::1) decapsulates it and delivers it to the 6to4 client 2002:V4ADDR-B::26.


6to4 usage scenarios (3)
Between a 6to4 site and a native IPv6 network
– Connection to the native IPv6 network through a 6to4 relay router (an IPv6 router with a 6to4 "pseudo-interface")
– Use of the relay router's IPv4 address or of the anycast address
• 6to4 host to a native IPv6 host
1. The 6to4 host uses DNS to find the destination host
2. The 6to4 router forwards (via IPv4) the packet to the "next hop", the closest 6to4 relay router
3. The IPv6 router forwards the packet to its final destination
• Native IPv6 host to a 6to4 host
1. The 6to4 relay router advertises the 2002::/16 prefix within the IPv6 network
2. An IPv6 host uses this route to send its packet to the corresponding IPv6 router and on to the 6to4 "pseudo-interface", via which (over the IPv4 network) the packet reaches the 6to4 network and its final destination

6to4 usage scenarios (3)
Between a 6to4 site and a native IPv6 network
(diagram) Outbound: the 6to4 host 2002:V4ADDR-A::25 sends an IPv6 packet with destination address V6ADDR. Site A's 6to4 router (gateway, IPv4 address V4ADDR-A, IPv6 address 2002:V4ADDR-A::1) encapsulates it in an IPv4 header with destination address 192.88.99.1 (the well-known anycast address, or the relay's own IPv4 address) and sends it over the IPv4 Internet to the 6to4 relay router, which decapsulates it and forwards the IPv6 packet over the IPv6 Internet to the native IPv6 host V6ADDR. Inbound: the native host's IPv6 packet with destination address 2002:V4ADDR-A::25 reaches the 6to4 relay router, which encapsulates it in an IPv4 header with destination address V4ADDR-A; site A's 6to4 router decapsulates it and delivers the IPv6 packet to 2002:V4ADDR-A::25.


6to4 Security
…or what can go wrong
• Vulnerabilities
– 6to4 routers must accept packets from ALL 6to4 relay routers
• It is not possible to know whether a relay router is "trusted", or even whether it exists
– 6to4 relay routers have to accept packets from 6to4 routers and native IPv6 hosts without any checks
• Threats
– DoS/DDoS against 6to4 components may result in unavailability
– 6to4 routers/relay routers may be used for "reflected" DDoS attacks
– "Service theft": unauthorized use of relay router services
– Local IPv4 broadcast attacks
– Neighbor Discovery attacks
• "Sanity checks" necessary!

6to4 Security
…an attack scenario
• Reflected DoS attack (diagram)
– Site A's 6to4 router has IPv4 address V4ADDR-A and IPv6 address 2002:V4ADDR-A::1; a 6to4 host inside the site is 2002:V4ADDR-A::25
– Step 1, from the IPv4 host ATTACKER to the 6to4 router: IPv4 packet with src ATTACKER and dst V4ADDR-A, carrying an encapsulated IPv6 packet with the spoofed src 2002:VICTIM::1 and dst 2002:V4ADDR-A::25
– Step 2, the 6to4 host replies and the router encapsulates towards the address embedded in 2002:VICTIM::1: IPv4 packet with src V4ADDR-A and dst VICTIM, carrying an encapsulated IPv6 packet with src 2002:V4ADDR-A::25 and dst 2002:VICTIM::1
– The IPv4 host VICTIM thus receives traffic it never asked for, apparently from V4ADDR-A
• It is supposed that bandwidth and processing power limitations can prevent a large-scale attack…


Securing 6to4 components
• 6to4 routers
– Check the correspondence between the IPv4 addresses of the outer packet and the 2002::/16 addresses of the encapsulated IPv6 packet
– Implement "sanity checks":
• IPv4: do not allow strange addresses (e.g. loopback, private, multicast, etc.) as tunnel end-points
• IPv6: reject "wrong" addresses, like link-local, multicast, etc., in the encapsulated packet
– Prevent routing of packets to other 6to4 sites via 6to4 relay routers
– Reject packets coming from another 6to4 site via a relay router

Securing 6to4 components (2)
• 6to4 relay routers
– Reject IPv4 packets from 6to4 routers whose IPv4 source address (V4ADDR) does not match the 6to4 source address (2002:V4ADDR::) in the encapsulated IPv6 packet
– Reject protocol 41 IPv4 packets whose destination address is not 192.88.99.1
– Deny packets towards the IPv6 network that do not carry a global IPv6 address
– Reject packets from 6to4 routers to 6to4 addresses (6to4-to-6to4 traffic must not transit a relay)
– Ingress filtering and access control lists for the IPv6 part!

A General Transition Roadmap
for an enterprise or educational network
Phase 1
• Network design
– Define wide-area and local network segments
– Define "special" areas (due to requirements and operations): VLANs, DMZs, etc.
– Define management entities and their areas of responsibility
– Network management information flow
– Security requirements:
• For users and applications
• For the network itself (protection of the management information, protection of network devices, security of management procedures)
– Plan the steps of the transition to the new protocol. Examine the possibility of deploying transition mechanisms (for communications between IPv6 areas within an IPv4 network, and vice versa)

A General Transition Roadmap (2)
Phase 2
• Implementation of a mixed IPv4/IPv6 environment
• Gradual transition of non-critical systems to IPv6
– Allows the evaluation of the operation and stability of the network devices and non-critical systems under IPv6
– Develops the transition procedures
– Spreads the use of transition mechanisms (tunnels, gateways, etc.) for communications between IPv6-only areas
Phase 3
• Transition of all systems to IPv6
• Exclusive use of IPv6 in the network
– Maintaining transition mechanisms for legacy systems and for contacts with IPv4 networks

Any Questions ?



				