There are more layers than just layer 3 Paul Ebersman, IPv6 NANOG57, Orlando, FL (04-06 Feb 2013)

Similar documents
IPv6: Problems above Layer 3 Paul Ebersman, IPv6 PLNOG10, Warsaw, 28 Feb 2013

IPv6 deployment for Enterprise/Sysadmins Paul NAv6 Summit 2013, Denver, Apr 2013

IPv6: Are we there yet? NANOG 58 New Orleans Paul Ebersman IPv6

But we ve always done it this

Don't have the plaid polyester leisure suit of IPv6 networks! Paul Ebersman, IPv6 Evangelist NANOG56, Dallas, TX (21-24 Oct 2012)

IPv6 and IPv4: Twins or Distant Relatives

IPv6 Security: Oxymoron or Oxycodone? NANOG 60 Atlanta Paul Ebersman IPv6

DHCPv6 OPERATIONAL ISSUES Tom Coffeen 4/7/2016

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

Considerations and Actions of Content Providers in Adopting IPv6

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

Step 2. Manual configuration of global unicast and link-local addresses

It's the economy, stupid: the transition from IPv4 to IPv6

IPv6 Multi-Prefix Environment ~ Concept, Issues, and Solutions ~

Workshop on Scientific Applications for the Internet of Things (IoT) March

IPv6 address configuration and local operation

Recent IPv6 Security Standardization Efforts. Fernando Gont

Multi-requirement Extensions for DHCPv6 (draft-ren-dhc-mredhcpv6-00)

Security in an IPv6 World Myth & Reality

A Practical (and Personal) Perspective on IPv6 for Servers. Geoff Huston June 2011

IPv6 Community Wifi. Unique IPv6 Prefix per Host. IPv6 Enhanced Subscriber Access for WLAN Access Gunter Van de Velde Public.

Setup. Grab a vncviewer like: Or

IPv6: Are we really ready to turn off IPv4?

Experiences in Setting Up Automatic Home Networking. Jari Arkko Ericsson Research

Introduction to IPv6 - II

IPv6: Are we really ready to turn off IPv4? Geoff Huston APNIC

Recent Advances in IPv6 Security. Fernando Gont

The state of IPv6 (and IPv4)

Depreciation of site local address

Internet Protocol, Version 6

IPv6 Protocol & Structure. npnog Dec, 2017 Chitwan, NEPAL

ECE 435 Network Engineering Lecture 14

DHCP and DDNS Services

Enterprise IPv6 Deployment Security and other topics

The Latest Developments in DHCPv6. RIPE66, Dublin, Ireland May Tomek Mrugalski

Rocky Mountain IPv6 Summit April 9, 2008

Configuring DHCP. About DHCP Snooping, page 2 About the DHCPv6 Relay Agent, page 8

IPv6 Next generation IP

Learning/Playing with IPv6 at home. Keith Garner, Gradebook Team Lead

IPv6 Security Course Preview RIPE 76

ipxe Finding Feature Information Information About ipxe

Configuration Examples for DHCP, on page 37 Configuration Examples for DHCP Client, on page 38 Additional References for DHCP, on page 38

Network Management. IPv6 Bootcamp. Zhiyi Huang University of Otago

IPv6 Protocol Architecture

Configure 6in4 Tunnel in pfsense. Lawrence E. Hughes. 18 November 2017

DHCP and DDNS Services for Threat Defense

OSPFv3-Based Home Networking draft-arkko-homenet-prefix-assignment-02.txt. Jari Arkko, Ericsson Acee Lindem, Ericsson Benjamin Paterson, Cisco

Subnet Masks. Address Boundaries. Address Assignment. Host. Net. Host. Subnet Mask. Non-contiguous masks. To Administrator. Outside the network

YANG Data Model for DHCPv6 Configuration

IPv6 CONSORTIUM TEST SUITE Address Architecture Conformance Test Specification

TD#RNG#2# B.Stévant#

DHCP and DDNS Services

Using IPv6. Daniel Hagerty

IPv6 on Campus. The stuff you need to know

IPv6 It starts TODAY!

IPv6 Rapid Deployment (6rd) in broadband networks. Allen Huotari Technical Leader June 14, 2010 NANOG49 San Francisco, CA

IPv6 Security Safe, Secure, and Supported.

Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL Marc Heuse

IETF Update about IPv6

IETF IPv6 Update. Thomas Narten April 19, 2005

IPv6 Deployment at ORNL

Create a Dual Stack Virtual Private Cloud (VPC) in AWS

6 Misconceptions About IPv6. Jen Linkova,

The Netwok Layer IPv4 and IPv6 Part 2

Stacking it Up Experimental Observa6ons on the opera6on of Dual Stack Services

Practical IPv6 for Windows Administrators

IPv6 Network Services

IPV6 SIMPLE SECURITY CAPABILITIES.

IETF Activities Update

Advisory Guidelines for 6to4 Deployment

Introduction to IPv6

Why do we really want an ID/locator split anyway?

IPv6 Source Addresses

IPv6 Deployment at the University of Pennsylvania

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

Implementing DHCP for IPv6

Best Current Operational Practice for operators: choose. Jordi Palet

SLAACers. IPv6 Accountability without DHCPv6. Library and Information Services School of Oriental and African Studies London. Networkshop 39, 2011

DNS, DHCP and Auto- Configuration. IPv6 Training Day 18 th September 2012 Philip Smith APNIC

Configuring IPv6 for Gigabit Ethernet Interfaces

ETSF05/ETSF10 Internet Protocols Network Layer Protocols

DHCPv6 Individual Address Assignment

IPv6. (Internet Protocol version 6)

DHCPv6 (RFC3315 RFC4361)

IPv6 Standards Update. Steve Deering June 5, 2002

IPv6 Bootcamp Course (5 Days)

TCP/IP Protocol Suite

ETSF10 Internet Protocols Network Layer Protocols

Campus Networking Workshop CIS 399. Core Network Design

Elmic Systems: From IPv4 to MoonV6. The most fluent way to speak Internet

IPv6 Specifications to Internet Standard

A Characterization of IPv6 Network Security Policy

Implementing DHCP for IPv6

ODL Summit Bangalore - Nov 2016 IPv6 Design in OpenDaylight

IETF 101, London March 19, Jaehoon (Paul) Jeong [Presenter] and Yiwen (Chris) Shen

Host Scanning in IPv6 Networks

A Sampling of Internetwork Security Issues Involving IPv6

IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC

Transcription:

There are more layers than just layer 3 Paul Ebersman, IPv6 Evangelist pebersman@infoblox.com, @paul_ipv6 NANOG57, Orlando, FL (04-06 Feb 2013) 1

Lots of Changes 2

Cause the IETF likes change SLAAC vs DHCP Identifying users/machines Interface magic Org/political challenges 3

Cause the IETF likes change App changes (esp. browsers) Policy changes (PTR) Security and broadcast domain changes IPSEC Continually evolving ecosystem 4

I m a Mac 5

DUID > Mac address Mac address as ID is flawed: Not always unique Can be altered Multi-interface hosts confuse things But it s what most of the eyeballs on the Internet are ID ed by currently DUID (DHCP Unique Identifier) is the replacement in IPv6 6

What DUIDs do right One DUID per DHCP server or client One Identity Association (IA) per network interface on a host A host can DHCP for all interfaces via DUID/ IA as unique key 7

Where DUIDs don t work Anyone using mac address for identification or filtering Anyone trying to correlate IPv4 and IPv6 to the same machine/user Persistent storage of DUID may cause surprises 8

But I do dual stack How to correlate all addrs to same client: draft in ietf: draft-ietf-dhc-dhcpv6-clientlink-layer-addr-opt (headed to IESG) circuit-id/remote-id work as with DHCPv4 9

Happy Eyeballs 10

IPv6. Yes. Have some. Original plan: Always use IPv6/AAAA if available Result: poor user experience (long timeouts, use of slower links, etc.) 11

Err We meant Happy Next attempt was to specify draft/rfc But that doubles DNS traffic And OS and browser folks both dived on it 12

Hence Hampering Eyeballs Testing by Geoff Huston Problems with browsers Lots of problems with OS X Windows trying to fix at network layer 13

How do it know? 14

Source/Destination Address Multiple interfaces w/ multiple addrs Multiple prefixes Dual stack How to choose RFC 6724 (formerly RFC 3484) 15

RFC 6724 Types of addrs: IPv6: GUA, ULA, Link Local, privacy IPv4: public, APIPA, 1918 Some better than others Consider scope, type, prefix length Avoid deprecated Allow local policy overrides 16

Debugging will be fun Decisions time/context sensitive How to train staff and users Local tools to dump all info Packet sniffers? 17

And what don t we know yet 18

Default route Multiple default routes from RAs No more HSRP/VRRP! Maybe But does this actually work? Not all Oss did the right thing (Fedora,???) 19

What else will we find AIX makes multiple AAAA/ip6.arpa queries with no working IPv6 stack And there will be more 20

RAs (Why can t we get along?) 21

IPv4 routing Static default route DHCP server gives default route Changing network might miss changing DHCP def route 22

IPv6 routing Static default route (link local). Ick. DHCP server can t give default route Folks changing routers probably own RA configs 23

Layer 9 (political) Different groups for DNS, DHCP, routers, RAs, IP addr assignment? Can t just change DHCPv6 or RA, need to coordinate with systems, network, maybe security 24

Reverse/PTR goo 25

How did this all start? ftp (ftp.uu.net, ftp.wustl.edu) SMTP Security devices Silly web things 26

How did we do it IPv4 By hand (ow) Scripts $GENERATE IPAM 27

How would that work for IPv6 A single subnet is a /64 A /64 has 18 quintillion (4 bil x 4 bil) addrs A PTR record has 34 labels in IPv6 Anyone got a computer with enough disk or RAM to hold one /64 zone file? 28

So what are we left with? Admit that PTRs are pointless Pre-populate (assuming FTL travel ) Pre-populate statics for routers & big servers As above plus DHCP server adding clients Lie on the fly (if not doing DNSSEC) 29

ICMPv6 30

ICMPv6 Required for: DAD Finding routers (RA/SLAAC) Finding servers (DHCP) PMTUD Connectivity (echo request/response) Network errors 31

ICMPv6 Filtering Filter it all and you don t have a useful network ICMPv6 much more detailed/precise in types and functions RFC 4890 has excellent filtering practices 32

IPSEC Myth vs Reality 33

The Myth IPSEC in IPv6 is better than IPv4 because it was designed in and mandated. 34

And the reality RFCs said MUST support IPSEC (but softening to SHOULD ) Didn t define support, let vendors do it Vendors shipped, didn t enable No PKI 35

IETF Blue Light Special 36

The more things change the more they keep changing DHC: 19 drafts, 73 RFCs IPv6: 12 drafts, 52 RFCs More every IETF meeting 37

What to do? Join the WG mailing lists Come to IETF if you can Coordinate with other operators (BOF) Beat on vendors 38

Q&A 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback