IPv6 deployment for Enterprise/Sysadmins Paul NAv6 Summit 2013, Denver, Apr 2013

Similar documents
IPv6: Problems above Layer 3 Paul Ebersman, IPv6 PLNOG10, Warsaw, 28 Feb 2013

There are more layers than just layer 3 Paul Ebersman, IPv6 NANOG57, Orlando, FL (04-06 Feb 2013)

IPv6: Are we there yet? NANOG 58 New Orleans Paul Ebersman IPv6

But we ve always done it this

Don't have the plaid polyester leisure suit of IPv6 networks! Paul Ebersman, IPv6 Evangelist NANOG56, Dallas, TX (21-24 Oct 2012)

IPv6 and IPv4: Twins or Distant Relatives

IPv6 Security: Oxymoron or Oxycodone? NANOG 60 Atlanta Paul Ebersman IPv6

DHCPv6 OPERATIONAL ISSUES Tom Coffeen 4/7/2016

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann

Workshop on Scientific Applications for the Internet of Things (IoT) March

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

Considerations and Actions of Content Providers in Adopting IPv6

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

IPv6 Community Wifi. Unique IPv6 Prefix per Host. IPv6 Enhanced Subscriber Access for WLAN Access Gunter Van de Velde Public.

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

IPv6: Are we really ready to turn off IPv4? Geoff Huston APNIC

IPv6 Multi-Prefix Environment ~ Concept, Issues, and Solutions ~

Recent IPv6 Security Standardization Efforts. Fernando Gont

Enterprise IPv6 Deployment Security and other topics

IPv6: Are we really ready to turn off IPv4?

Introduction to IPv6 - II

Multi-requirement Extensions for DHCPv6 (draft-ren-dhc-mredhcpv6-00)

Step 2. Manual configuration of global unicast and link-local addresses

IPv6 address configuration and local operation

Security in an IPv6 World Myth & Reality

A Practical (and Personal) Perspective on IPv6 for Servers. Geoff Huston June 2011

Setup. Grab a vncviewer like: Or

It's the economy, stupid: the transition from IPv4 to IPv6

Learning/Playing with IPv6 at home. Keith Garner, Gradebook Team Lead

IPv6 Next generation IP

Internet Protocol, Version 6

Recent Advances in IPv6 Security. Fernando Gont

Rocky Mountain IPv6 Summit April 9, 2008

IPv6 on Campus. The stuff you need to know

IPv6 It starts TODAY!

Using IPv6. Daniel Hagerty

Network Management. IPv6 Bootcamp. Zhiyi Huang University of Otago

6 Misconceptions About IPv6. Jen Linkova,

DHCP and DDNS Services for Threat Defense

The state of IPv6 (and IPv4)

Measuring IPv6 Deployment

Customer IPv6 Delivery

Advisory Guidelines for 6to4 Deployment

IPv6 Deployment at the University of Pennsylvania

IPv6 Security Course Preview RIPE 76

TD#RNG#2# B.Stévant#

DHCP and DDNS Services

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

IPv6 Security Safe, Secure, and Supported.

Configure 6in4 Tunnel in pfsense. Lawrence E. Hughes. 18 November 2017

Best Current Operational Practice for operators: choose. Jordi Palet

Experiences in Setting Up Automatic Home Networking. Jari Arkko Ericsson Research

IPv6 Specifications to Internet Standard

Depreciation of site local address

Practical IPv6 for Windows Administrators

Configuring DHCP. About DHCP Snooping, page 2 About the DHCPv6 Relay Agent, page 8

Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL Marc Heuse

IPv6 Protocol & Structure. npnog Dec, 2017 Chitwan, NEPAL

Configuration Examples for DHCP, on page 37 Configuration Examples for DHCP Client, on page 38 Additional References for DHCP, on page 38

TCP/IP Protocol Suite

Subnet Masks. Address Boundaries. Address Assignment. Host. Net. Host. Subnet Mask. Non-contiguous masks. To Administrator. Outside the network

IPV6 SIMPLE SECURITY CAPABILITIES.

Measuring IPv6 Deployment

IPv6 Basics. APNIC Training Bali, Indonesia February, Jordi Palet - 1

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

DHCP and DDNS Services

Measuring IPv6 Deployment

IPv6 CONSORTIUM TEST SUITE Address Architecture Conformance Test Specification

IPv6 Implementation Best Practices For Service Providers

ipxe Finding Feature Information Information About ipxe

IPv6 Source Addresses

IPv6 Protocol Architecture

The Latest Developments in DHCPv6. RIPE66, Dublin, Ireland May Tomek Mrugalski

IPv6 Deployment at ORNL

ETSF05/ETSF10 Internet Protocols Network Layer Protocols

DHCPv6 Fingerprinting and BYOD

IPv4/v6 Considerations Ralph Droms Cisco Systems

Stacking it Up Experimental Observa6ons on the opera6on of Dual Stack Services

IPv6 Bootcamp Course (5 Days)

Measuring IPv6 Day. Geoff Huston APNIC

The Netwok Layer IPv4 and IPv6 Part 2

Stacking it Up Experimental Observa6ons on the opera6on of Dual Stack Services

ECE 435 Network Engineering Lecture 14

ODL Summit Bangalore - Nov 2016 IPv6 Design in OpenDaylight

IPv6. (Internet Protocol version 6)

DNS Flag day. A tale of five cctlds. Hugo Salgado,.CL Sebastián Castro,.NZ DNS-OARC 29, Amsterdam

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

ETSF10 Internet Protocols Network Layer Protocols

DHCPv6 (RFC3315 RFC4361)

Campus Networking Workshop CIS 399. Core Network Design

IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC

IPv6 tutorial. RedIRIS Miguel Angel Sotos

Internetworking with WSNs IPv6 Principles and Practice

A Characterization of IPv6 Network Security Policy

6to4 reverse domain delegation ip6.arpa

IPv6 Standards Update. Steve Deering June 5, 2002

Host Scanning in IPv6 Networks

Tik Network Application Frameworks. IPv6. Pekka Nikander Professor (acting) / Chief Scientist HUT/TML / Ericsson Research NomadicLab

INF204x Module 1 Lab 1: Configuring and Troubleshooting Networking Part 1

Reliable & Secure DHCPv6

Transcription:

IPv6 deployment for Enterprise/Sysadmins Paul Ebersman pebersman@infoblox.com, @paul_ipv6 NAv6 Summit 2013, Denver, 17-19 Apr 2013 2013 Infoblox Inc. All Rights Reserved. 1

The only constant is change 2013 Infoblox Inc. All Rights Reserved. 2

Cause the IETF likes change SLAAC vs DHCP Identifying users/machines Interface magic Org/political challenges 2013 Infoblox Inc. All Rights Reserved. 3

Cause the IETF likes change App changes (esp. browsers) Policy changes (PTR) Security and broadcast domain changes IPSEC Continually evolving ecosystem 2013 Infoblox Inc. All Rights Reserved. 4

McDUID 2013 Infoblox Inc. All Rights Reserved. 5

DUID > Mac address Mac address as ID is flawed: Not always unique Can be altered Multi-interface hosts confuse things But it s works for a huge percentage of the internet DUID (DHCP Unique Identifier) is the replacement in IPv6 2013 Infoblox Inc. All Rights Reserved. 6

What DUIDs do right One DUID per DHCP server or client One Identity Association (IA) per network interface on a host A host can DHCP for all interfaces via DUID/ IA as unique key 2013 Infoblox Inc. All Rights Reserved. 7

Where DUIDs don t work Anyone using mac address for identification or filtering Anyone trying to correlate IPv4 and IPv6 to the same machine/user Persistent storage of DUID may cause surprises 2013 Infoblox Inc. All Rights Reserved. 8

But I do dual stack How to correlate all addrs to same client: draft in ietf: draft-ietf-dhc-dhcpv6-clientlink-layer-addr-opt (headed to IESG) circuit-id/remote-id work as with DHCPv4 2013 Infoblox Inc. All Rights Reserved. 9

Happy Eyeballs 2013 Infoblox Inc. All Rights Reserved. 10

IPv6. Yes. Have some. Original plan: Always use IPv6/AAAA if available Result: poor user experience (long timeouts, use of slower links, etc.) 2013 Infoblox Inc. All Rights Reserved. 11

Err We meant Happy Next attempt was to specify draft/rfc But that doubles DNS traffic And OS and browser folks both dived on it 2013 Infoblox Inc. All Rights Reserved. 12

Hence Hampering Eyeballs Testing by Geoff Huston (https://labs.ripe.net/ Members/emileaben/hampered-eyeballs) Problems with browsers Lots of problems with OS X Windows trying to fix at network layer 2013 Infoblox Inc. All Rights Reserved. 13

How do it know? 2013 Infoblox Inc. All Rights Reserved. 14

Source/Destination Address Multiple interfaces w/ multiple addrs Multiple prefixes Dual stack How to choose RFC 6724 (formerly RFC 3484) 2013 Infoblox Inc. All Rights Reserved. 15

RFC 6724 (was 3484) Types of addrs: IPv6: GUA, ULA, Link Local, privacy IPv4: public, APIPA, 1918 Some better than others Consider scope, type, prefix length Avoid deprecated Allow local policy overrides 2013 Infoblox Inc. All Rights Reserved. 16

Debugging will be fun Decisions time/context sensitive How to train staff and users Local tools to dump all info Packet sniffers? 2013 Infoblox Inc. All Rights Reserved. 17

Who owns what 2013 Infoblox Inc. All Rights Reserved. 18

Turf wars Who assigns IP addrs Who owns DHCP servers Who owns DNS Who owns routers/ras Who supports OS/apps 2013 Infoblox Inc. All Rights Reserved. 19

Apps 2013 Infoblox Inc. All Rights Reserved. 20

We ll make up our own darned minds OS makes decisions on DNS lookups and using v4 vs v6 Browsers and other apps do own DNS lookups and picking of v4 vs v6 How to debug 2013 Infoblox Inc. All Rights Reserved. 21

Reverse/PTR goo 2013 Infoblox Inc. All Rights Reserved. 22

How did we do it IPv4 By hand (ow) Scripts $GENERATE IPAM 2013 Infoblox Inc. All Rights Reserved. 23

How would that work for IPv6 A single subnet is a /64 A /64 has 18 quintillion (4 bil x 4 bil) addrs A PTR record has 34 labels in IPv6 Anyone got a computer with enough disk or RAM to hold one /64 zone file? 2013 Infoblox Inc. All Rights Reserved. 24

So what are we left with? Admit that PTRs are pointless Pre-populate (assuming FTL travel ) Pre-populate statics for routers & big servers As above plus DHCP server adding clients Lie on the fly (if not doing DNSSEC) 2013 Infoblox Inc. All Rights Reserved. 25

Security 2013 Infoblox Inc. All Rights Reserved. 26

The Myth IPSEC in IPv6 is better than IPv4 because it was designed in and mandated. 2013 Infoblox Inc. All Rights Reserved. 27

And the reality RFCs said MUST support IPSEC (but softening to SHOULD ) Didn t define support, let vendors do it Vendors shipped, didn t enable No PKI 2013 Infoblox Inc. All Rights Reserved. 28

ICMPv6 Required for: DAD Finding routers (RA/SLAAC) Finding servers (DHCP) PMTUD Connectivity (echo request/response) Network errors 2013 Infoblox Inc. All Rights Reserved. 29

ICMPv6 Filtering Filter it all and you don t have a useful network ICMPv6 much more detailed/precise in types and functions RFC 4890 has excellent filtering practices 2013 Infoblox Inc. All Rights Reserved. 30

And what don t we know yet 2013 Infoblox Inc. All Rights Reserved. 31

Default route Multiple default routes from RAs No more HSRP/VRRP! Maybe But does this actually work? Not all OSs did the right thing (Fedora,???) 2013 Infoblox Inc. All Rights Reserved. 32

What else will we find AIX makes multiple AAAA/ip6.arpa queries with no working IPv6 stack Changing A/O/M bits Interesting (see draftliu-bonica-dhcpv6-slaac-problem) And there will be more 2013 Infoblox Inc. All Rights Reserved. 33

Questions? 2013 Infoblox Inc. All Rights Reserved. 34

Thank you! 2013 Infoblox Inc. All Rights Reserved. 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback