Transition To IPv6 October 2011

Transcription

1 Transition To IPv6 October 2011 Fred Bovy ccie # Fred Bovy Transition to IPv6 1 1st Generation: The IPv6 Pioneers Tunnels for Experimental testing or Enterprises The Experimental 6BONE network was created from overlay IPv6 in Tunnels over the Internet. Dual-Stack Overlay IPv6 in Tunnels Manual 6in4 and automatic 6to4 And more automatic tunnels Again mostly introduced with Windows: TEREDO to bypass NAT devices and ISATAP to use networks as a NBMA network for IPv6. NAT and Private Addresses (RFC1918) In parallel to make the most of the remaining addresses, NAT44 and private addresses (RFC1918) were introduced 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 2 2nd Generation: SPs transition 1st Phase, the 2000s SPs with MPLS/ Backbone: 6PE and 6VPE Most SPs were running /MPLS First Phase of the transition, deploy 6PE/6VPE SPs with Backbone: 6RD FREE a french SP deployed IPv6 in 5 Weeks from a 6to4 stack! Carrier Grade NAT or Large Scale NAT (Testing) DS-Lite = in IPv6 Tunnel + CGN SPs who deployed IPv6 choose DS-Lite to support the existing customers They deploy it as soon as they migrated from 6PE/6VPE to Native IPv6 Some of them planned to replace DS-Lite with A+P when it will be available Other protocols are designed, some of themare tested: CGN, NAT444, NAT464, divi, divi-pd Network Address Translation Protocols (NAT) NAT-PT First attempt to translate IPv6 to protocols. Deprecated! NAT64/DNS Fred Bovy fred@fredbovy.com. Transition to IPv6 3

2 3rd Generation: SPs going Stateless, the 2010s Stateful Carrier Grade NAT issues Because of the Stateful CGN known issues, a lot of work is being done to develop and test some Stateless protocols to share the remaining addresses without stateful NAT, CGN. A+P Architecture and Stateless NAT solutions Testing To share the remaining addresses using the Source Ports Without any Stateful NAT in the SP backbone. Users or CPE have some IP addresses and Source Ports assigned Not a new solution, FT ORANGE planned A+P in 2009 while they were choosing DS-Lite in the first place First proposal for A+P at the IETF Taipei 2011 is based on Stateless NAT464 aka divi, divi-pd and 4RD 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 4 TransitionTools - Deployment Time BONE Deployed 6PE 6VPE IPv6 in Tunnels 6RD IETF Taipei 82 Nov 2011 DS-Lite NAT64 in IPv6 Tunnels divi-pd NAT464 NAT444 DS-Lite divi-pd divi A+P Testing Standardization Dual-Stack 6in4 NAT-PT 6to4 6VPE NAT64 divi-pd NAT444 DS-Lite A+P 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 5 6RD 6PE Network Address Translation n NAT44 and private addresses in the 90s n IPv6 to translations NAT-PT NAT-PT is NAT64 + NAT46 + DNS ALG NAT-PT was replaced by NAT64 and DNS64 n Carrier Grade NAT or Large Scale NAT NAT444 or double NAT NAT464, divi, divi-pd DS-Lite = in IPv6 Tunnels + NAT44 (LSN) Frédéric Bovy Fred Bovy fred@fredbovy.com. Transition to IPv6 6

3 Dual Stack and Tunneling This was introduced at the very beginning of IPv6 in 1996 All clients are now configured by default as dual-stack nodes It is still the best approach for a smooth transition Tunnels are manually, statically configured It may be obvious but for dual-stack you still need addresses! IPv6 Hosts Tunneling IPv6 Packet IPv6 Hdr Hdr Dual Stack Router IPv6 IPv6 Host IPv6 IPv6 Dual Stack Router IPv6 Host 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 7 Automatic Tunnels for Enterprises: 6to4 Tunnel destination address is embedded in the IPv6 address! 2002:C044:1::/48 prefix comes from :C046:1::/48 prefix comes from Fred Bovy fred@fredbovy.com. Transition to IPv6 8 SPs MPLS Enabled: 6PE and 6VPE In the very early 2000s, 6PE was introduced to help the SPs with an MPLS/ Background to provide an IPv6 Service No Backbone Routers Upgrade needed! 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 9

4 6RD Automatic Tunnel for SPs Free, a french SP customized a 6to4 stack to allow a custom prefix instead of 2002::/16 Free deployed 6RD in 5 weeks in 2007 and immediately started an IPv6 service over the backbone, user configurable 4RD is in IPv Fred Bovy fred@fredbovy.com. Transition to IPv6 10 Dual Stack Lite or DS-Lite Once the SP have migrated their backbone to IPv6, DS-Lite is used to support RFC1918 Customers in IPv6 Tunnels + NAT44 (LSN at the SP) LSN inside mapping uses Source IPv6 + Source + Port LSN allows to share the remaining addresses efficienciently But LSN must keep a lot of states and is a Single Point of failure shared by Many Customers LSN 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 11 DS-Lite: Help transition to IPv Fred Bovy fred@fredbovy.com. Transition to IPv6 12

5 Connecting IPv6-only with -only: AFT64 Residential Access Aggregation Edge Core IP/MPLS NAT64 DNS64 Public Internet Datacenter IPv6 ONLY connectivity ONLY New IPv6 clients must have access to content AFT64 technology is only applicable in case where there are IPv6 only end-points that need to talk to only end-points (AFT64 for going from IPv6 to ) AFT64:= stateful v6 to v4 translation or stateless translation, ALG still required Key components includes NAT64 and DNS64 Assumption: Network infrastructure and services have fully transitioned to IPv6 and has been phased out 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 13 Protocol Translation: NAT64, DNS64 Client requests the IPv6 Address DNS64 translates the request to an Address NAT64 Web Server IPv6 h2.exemple.com? DNS64 h2.exemple.com? DNS AAAA 64:ff9b::c0:201 A: Fred Bovy fred@fredbovy.com. Transition to IPv6 14 NAT64 and DNS64 The session is initialized by IPv6 client Traffic route the 64:ff9b::/96 prefix to the NAT64 Router Web Server NAT64 then convert headers in both directions NAT64 SYN IPv6 SYN 64:ff9b::c0:201 SYN+ACK h2.exemple.com? DNS64 SYN+ACK h2.exemple.com? DNS A: AAAA 64:ff9b::c0:201 Frédéric Bovy Fred Bovy fred@fredbovy.com. Transition to IPv6 15

6 NAT444: A second level of NAT44 Solution to share the remaining addresses among multiple customers 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 16 NAT444: LSN Scalability Issue n How many streams LSN will be able to manage? n LSN is a Single Point of failure Frédéric Bovy Fred Bovy fred@fredbovy.com. Transition to IPv6 17 NAT444: Overlapping Private Address! Frédéric Bovy Fred Bovy fred@fredbovy.com. Transition to IPv6 18

7 NAT444: 2 customers behind same LSN Frédéric Bovy Fred Bovy fred@fredbovy.com. Transition to IPv6 19 NAT444 Network Design Issues Overlapping Addresses If one of the customers network uses the same private network number than the NAT CPE to LSN link we have a sever duplicate network issue!!! Two Customers behind the same LSN want to communicate Packets with a private source address may be dropped by customer policy (Firewall, ACL, host policy). So LSN must be used also for local traffic Plus all the LSN Based solutions: Scalability Behind each CPE NAT there can be many devices. Each device may generate many application streams. How mansy stream will be supported by LSN? We have not enough experience to say??? Single Point of Failure The LSN device keeps many states. If it reboot, many users will have to restart their Frédéric Bovy 20 applications Fred Bovy fred@fredbovy.com. Transition to IPv6 20 DS-Lite: Connect the users Another solution to share the remaining addresses among multiple customers 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 21

8 Stateful NAT464 or Stateless divi, divi-pd divi is the stateless version to share addresses among multiple users using source ports Stateless means NO NAT or LSN! Frédéric Bovy Fred Bovy Transition to IPv6 22 Address+Port (A+P) Experimental RFC6346 Use some bits of the source port to share an address without Stateful NAT, CGN or LSN. Can be implemented on hosts or CPEs which may have to do some translation for the non upgraded hosts Requires signaling to request which ports are granted Packets must be encapsulated/decapsulated to get sent into tunnels using the ports which are allocated for the host or the CPE The first proposal at the IETF in 2011 relies on Stateless NAT464 aka divi, divi-pd and 4RD and does not require signaling France Telecom-Orange has a software implementation: Frédéric Bovy Fred Bovy fred@fredbovy.com. Transition to IPv6 23 divi, divi-pd or Stateless NAT464 A+P proposal at the IETF actually relies on divi-pd and 4RD. divi-pd is Stateless NAT464 and permit to translate IPv6 addresses to Address+Source Port It is then possible to share an address among many users or CPEs. Without requiring any Stateful NAT with all the known problems associated A very interesting test in large SP domains : " For port configuration, since there are TCP/UDP ports for each IP address, and in fact one can use hundreds only for normal applications, so one address can be shared by multiple customers. In our experiment, we selected ratio to be 128. That is to say, one address is shared by 128 users, and there are 512 available ports per user." Frédéric Bovy Fred Bovy fred@fredbovy.com. Transition to IPv6 24

9 Security with to Transition to IPv Fred Bovy Transition to IPv6 25 Threats on Transition protocols n Dual-Stack scanning can be used to discover the node and IPv6 must be at the same security level n Tunnel Tunnels are an easy target for many possible attacks Packet Injection Automatic Tunnels are the most dangerous Automatic Servers can be the target of DoS attacks Manual Tunnel should use IPSec! n Stateful Translation Stateful NAT can be the target of DoS attacks DoS Attacks by address pool depletion DoS Attack by creating a lot of states or request which consumes CPU Frédéric Bovy Fred Bovy fred@fredbovy.com. Transition to IPv6 26 Dual Stack Issues Dual Stack Nodes may be very well protected and poorly IPv6 protected Dual Stack Nodes can be discovered thanks to an scan! And then attacked using IPv6 tools! Frédéric Bovy Fred Bovy fred@fredbovy.com. Transition to IPv6 27

10 Inability to inspect Tunneled Packet Firewall cannot inspect the IPv6 paquet encapsulated in Header IPv6 Header IPv6 Payload Frédéric Bovy Fred Bovy Transition to IPv6 28 Attacks on Tunnels Traffic tunneled cannot be inspected Access-List and paquet inspection cannot inspect the IPv6 paquet which is encapsulated in paquets Solution is to implement multiple Firewall which inspect paquets before they get encapsulated Other solution is when the Tunnel end point is on a Firewall, traffic can be inspected Easy to inject paquets coming from a known Tunnel If an attacker has the knowledge of manual tunnel configuration, it can sends paquet «originiated» from a known tunnel head-end With automatic tunnels it is even easier as paquet can be originated from any address in the network IPSec is the protection Frédéric Bovy Fred Bovy fred@fredbovy.com. Transition to IPv6 29 Attack by Paquet injection in a manual tunnel Frédéric Bovy Fred Bovy fred@fredbovy.com. Transition to IPv6 30

11 Attacks on Stateful NAT64 Stateful NAT can be the target of DoS attacks The attacker sends many IPv6 paquets with different source addresses to the same target. Each paquet consumes an address and a state which must be managed. When there is no more address available, there is no more access to hosts 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 31 Thank You! fred@fredbovy.com 2011 Fred Bovy fred@fredbovy.com. Transition to IPv6 32