IPv6 NAT. Open Source Days 9th-10th March 2013 Copenhagen, Denmark. Patrick McHardy

Similar documents
IPtables and Netfilter

Università Ca Foscari Venezia

NAT and Tunnels. Alessandro Barenghi. May 25, Dipartimento di Elettronica e Informazione Politecnico di Milano barenghi - at - elet.polimi.

Worksheet 8. Linux as a router, packet filtering, traffic shaping

Network Security Fundamentals

Linux. Sirindhorn International Institute of Technology Thammasat University. Linux. Firewalls with iptables. Concepts. Examples

Network Address Translation

Network security Exercise 9 How to build a wall of fire Linux Netfilter

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

CSC 474/574 Information Systems Security

Network Address Translation. All you want to know about

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Packet Filtering and NAT

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013

Certification. Securing Networks

Introduction to Firewalls using IPTables

Definition of firewall

ECE 435 Network Engineering Lecture 23

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example

The Research and Application of Firewall based on Netfilter

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

NDN iptables match extension

Network Security. Routing and Firewalls. Radboud University, The Netherlands. Spring 2018

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Network and Filesystem Security

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Linux Firewalls. Frank Kuse, AfNOG / 30

Datagram. Source IP address. Destination IP address. Options. Data

THE INTERNET PROTOCOL INTERFACES

Firewalls. October 13, 2017

FireHOL Manual. Firewalling with FireHOL. FireHOL Team. Release pre3 Built 28 Oct 2013

The Internet Protocol

Design and Performance of the OpenBSD Stateful Packet Filter (pf)

IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker

Networking Potpourri: Plug-n-Play, Next Gen

ECE 435 Network Engineering Lecture 23

IPv6: Are we really ready to turn off IPv4?

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

Grandstream Networks, Inc. GWN Firewall Features Advanced NAT Configuration Guide

NAT Router Performance Evaluation

CS Computer and Network Security: Firewalls

while the LAN interface is in the DMZ. You can control access to the WAN port using either ACLs on the upstream router, or the built-in netfilter

THE INTERNET PROTOCOL/1


Network Interconnection

Mohammad Hossein Manshaei 1393

Laboratory 2 Dynamic routing using RIP. Iptables. Part1. Dynamic Routing

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

sottotitolo A.A. 2016/17 Federico Reghenzani, Alessandro Barenghi

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

netfilter/iptables/conntrack debugging

CSC 4900 Computer Networks: Network Layer

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Politecnico di Milano Scuola di Ingegneria Industriale e dell Informazione. 09 Intranetting. Fundamentals of Communication Networks

Netfilter. Fedora Core 5 setting up firewall for NIS and NFS labs. June 2006

Network Address Translation

python-iptables Documentation

Subnet Masks. Address Boundaries. Address Assignment. Host. Net. Host. Subnet Mask. Non-contiguous masks. To Administrator. Outside the network

netfilters connection tracking subsystem

Network Address Translation

Athanassios Liakopoulos Slovenian IPv6 Training, Ljubljana, May 2010

CSCD58 WINTER 2018 WEEK 6 - NETWORK LAYER PART 1. Brian Harrington. February 13, University of Toronto Scarborough

Use this section to help you quickly locate a command.

COSC 301 Network Management

Implementing NAT-PT for IPv6

iptables and ip6tables An introduction to LINUX firewall

How to use IP Tables

NAT Tutorial. Dan Wing, IETF77, Anaheim March 21, 2010 V2.1

Cisco Network Address Translation (NAT)

History Page. Barracuda NextGen Firewall F

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

IPv6: Are we really ready to turn off IPv4? Geoff Huston APNIC

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

Lecture 17: Network Layer Addressing, Control Plane, and Routing

An Industry view of IPv6 Advantages

cs144 Midterm Review Fall 2010

Remember Extension Headers?

Stateful Network Address Translation 64

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco IP Routing (ROUTE v2.0) Version: Demo

LOGICAL ADDRESSING. Faisal Karim Shaikh.

Communication Systems DHCP

Internet Control Message Protocol (ICMP)

Internet Control Message Protocol

Loadbalancer.org Virtual Appliance quick start guide v6.3

Module: Firewalls. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

Quick Note 05. Configuring Port Forwarding to access an IP camera user interface on a TransPort LR54. 7 November 2017

Planning for Information Network

Hashing on broken assumptions

Mapping of Address and Port Using Translation

FireHOL + FireQOS Reference

Mapping of Address and Port (MAP) an ISPs Perspective. E. Jordan Gottlieb Principal Engineer Charter Communications

Computer Network Fundamentals Spring Week 4 Network Layer Andreas Terzis

IPv6: An Introduction

A 10 years journey in Linux firewalling Pass the Salt, summer 2018 Lille, France Pablo Neira Ayuso

4. The transport layer

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security. by Avi Kak

Firewall Management With FireWall Synthesizer

Transcription:

IPv6 NAT Open Source Days 9th-10th March 2013 Copenhagen, Denmark Patrick McHardy <kaber@trash.net>

Netfilter and IPv6 NAT historically http://lists.netfilter.org/pipermail/netfilter/2005-march/059463.html Harald Welte laforge at netfilter.org Wed Mar 30 17:23:16 CEST 2005... > When is support NAT table for Ip6tables? Only over my dead body. We will never implement ipv6-to-ipv6 network address translation as long as I have any say in netfilter/iptables development. NAT is evil and causes horrible breakage of end-to-end on the internet. IPv6 has enough addresses and therefore no justification for NAT.

What s wrong with NAT? Most cases of NAT need statefulness Commonly used scenario breaks end-to-end (masquerading) Network addresses are usually included as "pseudo header" in transport layer checksums New transport layer protocols need support from NAT Network addresses and port numbers may be included in application layer protocol payload Need ALGs (helpers) for every such application layer protocol Need to intercept new connections negotiated through NATed control protocols and direct them to proper destination (FTP data, SIP RTP,...) Fragments, ICMP translation, IPsec,...

Why IPv6 NAT? Security? No. It s a wide spread misconception that NAT provides security. The only reason why the internal hosts of a NATed network are perceived to be "more secure" is because they often use globally unroutable addresses. These addresses are just *globally* unroutable though, anything connected directly to the NAT router on the ouside (next hop router, cable modem neighbours,...) can reach the internal network just fine, unless you use packet filtering.

Why IPv6 NAT? Dynamic IPv6 Prefixes Some ISPs assign dynamic IPv6 prefixes, which means your internal networking addresses change at every prefix change. If you want static internal addresses, you have little choice but to choose a different ISP or use NAT. NAT can be performed bi-directional if desired, so incoming connections can be established to the internal hosts using the assigned prefix.

Why IPv6 NAT? Server Load Balancing A very easy way to implement server load balancing is to perform destination NAT on incoming requests to multiple addresses of a server farm. There are other options, one advantage of using NAT is that the servers don t need any awareness of being load balanced. As long as NAT doesn t interfere with the proxied protocol, there s nothing wrong with it.

Why IPv6 NAT? Proxy redirection Transparent proxy redirection is often implemented using destination NAT to the proxy server/port. There are other options how to implement this, but these are harder to set up. Similar to server load balancing, as long as you know it won t interfere with the proxied protocol, there s nothing wrong with it.

Why IPv6 NAT? Easy test network setup When setting up a test network between virtual hosts that need to reach other networks, its very easy to just masquerade the outgoing traffic instead of requesting your own prefix that has to be known to other routers.

Why IPv6 NAT? People are doing it anyway Users are asking for IPv6 NAT Linux based router vendors have implemented it Various out of tree patches for netfilter exist Other operating systems have implemented it Providing a single, well debugged implementation for Linux is better than having many different implementations. Users have less bugs Users already know how it works Application developers can predict the behaviour of the NAT

Why IPv6 NAT? End-to-end is not always negatively affected End-to-end is not always required or desired Many protocols are not negatively affected by NAT The address space is large enough not to need NAT, that doesn t solve administrative problems Sometimes no other choice It seems unavoidable since users want it

Netfilter IPv6 NAT overview Implementation started at the end of 2011, merged in 2.6.37. Largely based on the old IPv4-only implementation Address family independant core based on old IPv4-only NAT Address family specific layer 3 protocol modules Address family independant layer 4 protocol modules Address family specific NAT tables Address family independant SNAT/DNAT/NETMAP/REDIRECT targets New MASQUERADE target for IPv6 NAT helpers adjusted to support IPv6 Small improvements to conntrack fragmentation handling

Netfilter IPv6 NAT Address family independant core Protocol book keeping NAT mapping setup Address/Port selection core Packet mangling dispatch IPsec session decoding dispatch IPsec policy recomputation Address family specific layer 3 protocol modules (IPv4, IPv6) Address selection Address replacement in packets Checksum updates IPsec session decoding ICMP/ICMPv6 error translations

Netfilter IPv6 NAT Address family independant layer 4 protocol modules (TCP, UDP,...) Port selection Port replacement in packets Checksum updates Address family specific NAT tables (iptable_nat, ip6table_nat) Provide user-visible NAT table and chains Bind NAT code to packet processing Invoke IPsec policy recomputation after NAT NAT targets (MASQUERADE, SNAT, DNAT,...) Set up NAT mappings

Netfilter IPv6 NAT NAT helpers (FTP, SIP,...) Mangle addresses in application layer protocols Redirect negotiated connections to the proper destination (FTP data, SIP RTP,...)

Netfilter IPv6 User perspective User perspective similar to IPv4 NAT IPv6 NAT table PREROUTING/INPUT/OUTPUT/POSTROUTING chains All IPv4 NAT targets supported NAT rules invoked for NEW connections Behaviour wrt. routing and IPsec similar to IPv4

Netfilter IPv6 User perspective Chain PREROUTING (policy ACCEPT 13 packets, 3782 bytes) pkts bytes target prot opt in out source destination 0 0 REDIRECT tcp eth0 * ::/0 ::/0 tcp dpt:80 redir ports 3128 Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all * wlan0 ::/0 ::/0

Stateless Network Prefix Translation (RFC 6296) Stateless method of doing IPv6 NAT Only capable of mapping prefixes Performs checksum neutral address updates Preserves end-to-end reachability Transport agnostic Implemented as ip6tables target (SNPT/DNPT) Setup more complicated than stateful NAT

Stateless Network Prefix Translation (RFC 6296) Example of prefix translation for packets from eth0 to eth1: If connection tracking is used, packets using NPT must be exempt ip6tables -t raw -A PREROUTING -i eth0 -s 2001:db8::/64 -j NOTRACK ip6tables -t raw -A PREROUTING -i eth1 -d 2001:f00f::/64 -j NOTRACK Prefix translation needs to be configured for both directions ip6tables -t mangle -A POSTROUTING -o eth1 -s 2001:db8::/64 -j SNPT --src-pfx 2001:db8::/64 --dst-pfx 2001:f00f::/64 ip6tables -t mangle -A PREROUTING -i eth1 -d 2001:f00f::/64 -j DNPT --src-pfx 2001:f00f::/64 --dst-pfx 2001:db8::/64

Future plans Current work in progress is NAT64, which allows to translate between IPv6 and IPv4. This allows you to run your network using IPv6 only while still being able to reach IPv4 only hosts. Bulk work of the implementation is complete, some tricky parts remain to be done. Hope to finish the implementation during the hacking days of next weeks Netfilter Workshop.

Questions? http://goo.gl/mhv7m (YouTube) will answer all your quesions :)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback