Advisory Guidelines for 6to4 Deployment

Similar documents
Internet Engineering Task Force (IETF) Category: Informational August 2011 ISSN:

Intended status: Informational March 12, 2011 Expires: September 13, 2011

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice May 2015 ISSN:

Considerations and Actions of Content Providers in Adopting IPv6

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

Request for Comments: 5569 Category: Informational January 2010 ISSN:

IPv6 implementation in a multi-vendor network.

World IPv6 Day: Enterprise Sites (and some IETF stuff)

Measuring IPv6 Deployment

draft-ietf-v6ops-tunnel-loops - Update and Status

IPv6 Prefix Delegation for Hosts. Fred L. Templin IETF100 v6ops Working Group November 16, 2017

Security Concerns With Tunneling draft-ietf-v6ops-tunnel-security-concerns-00

IPV6 SIMPLE SECURITY CAPABILITIES.

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

IPv6 Multi-Prefix Environment ~ Concept, Issues, and Solutions ~

6to4 Reverse DNS Delegation

A Practical (and Personal) Perspective on IPv6 for Servers. Geoff Huston June 2011

IPv6: Are we really ready to turn off IPv4?

IPv6. Copyright 2017 NTT corp. All Rights Reserved. 1

Measuring IPv6 Deployment

CCNA Questions/Answers IPv6. Select the valid IPv6 address from given ones. (Choose two) A. FE63::0043::11:21 B :2:11.1 C.

Control Plane Protection

B. Carpenter. Oct Connection of IPv6 Domains via IPv4 Clouds without Explicit Tunnels. Copyright Notice. Placeholder for ISOC copyright.

Akamai's V6 Rollout Plan and Experience from a CDN Point of View. Christian Kaufmann Director Network Architecture Akamai Technologies, Inc.

Transition To IPv6 October 2011

B. Carpenter. January Connection of IPv6 Domains via IPv4 Clouds without Explicit Tunnels. Copyright Notice

IPv6 Rapid Deployment (6rd) in broadband networks. Allen Huotari Technical Leader June 14, 2010 NANOG49 San Francisco, CA

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

Comcast IPv6 Trials NANOG50 John Jason Brzozowski

<draft-huitema-v6ops-teredo-04.txt> Expires July 17, 2005 January 17, Teredo: Tunneling IPv6 over UDP through NATs. Status of this memo

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

In Defence of NATs. Geoff Huston APNIC. IEEE Global Internet Symposium, May 2017

A Sampling of Internetwork Security Issues Involving IPv6

Transition Strategies from IPv4 to IPv6: The case of GRNET

IPv6 Transitioning. An overview of what s around. Marco Hogewoning Trainer, RIPE NCC

IPv6 Packet Truncation

Remember Extension Headers?

CSCI-1680 Network Layer:

Measuring IPv6 Deployment

IPv6 Transition Mechanisms

Problem space matrix based on the guideline* Crossing IPv4 Island

B. Carpenter. March Connection of IPv6 Domains via IPv4 Clouds without Explicit Tunnels. Copyright Notice. Placeholder for ISOC copyright.

IPv6: Are we really ready to turn off IPv4? Geoff Huston APNIC

IPv6 Implementation Best Practices For Service Providers

Akamai's V6 Rollout Plan and Experience from a CDN Point of View. Christian Kaufmann Director Network Architecture Akamai Technologies, Inc.

IPv6 Addressing. There are three types of IPV6 Addresses. Unicast:Multicast:Anycast

Internet Engineering Task Force (IETF) C. Byrne T-Mobile USA April XLAT: Combination of Stateful and Stateless Translation

Help I need more IPv6 addresses!

The ISP Column A monthly column on things Internet. IPv6 Transition Tools and Tui. February Geoff Huston

IPv6 Transition Mechanisms

APT: A Practical Transit-Mapping Service Overview and Comparisons

IPv4/v6 Considerations Ralph Droms Cisco Systems

Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01

B. Carpenter. June Connection of IPv6 Domains via IPv4 Clouds without Explicit Tunnels. Copyright Notice. Placeholder for ISOC copyright.

IPv6 Transition Technologies (TechRef)

Advanced BGP using Route Reflectors

Welcome to your IPv6 enabled transit network.

Request for Comments: 3904 Category: Informational ISC S. Satapati Cisco Systems, Inc. R. van der Pol NLnet Labs September 2004

Six Years of Six: Perspectives since the IPv6 Launch 2012

PRACTICAL IPV6 DEPLOYMENT FOR THE MASS MARKET

For the free video please see

IPv6 at Google. Lorenzo Colitti

Host Scanning in IPv6 Networks

Network Working Group Request for Comments: 5158 Category: Informational March 2008

Internet Engineering Task Force (IETF) Request for Comments: 5969 Category: Standards Track ISSN: August 2010

Mapping of Address and Port using Translation (MAP-T) E. Jordan Gottlieb Network Engineering and Architecture

IPv6 Security Safe, Secure, and Supported.

Campus Network: IPv6 and Firewalling

Dual-Stack lite. Alain Durand. May 28th, 2009

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

Migration Technologies. Dual Stack and Tunneling Using GRE, 6to4, and 6in4.

Multihoming Complex Cases & Caveats

Request for Comments: 5156 Category: Informational April 2008

MIPv6: New Capabilities for Seamless Roaming Among Wired, Wireless, and Cellular Networks

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

IPv6 in Campus Networks

Juniper Netscreen Security Device. How to Enable IPv6 Page-51

Internet Engineering Task Force (IETF) Request for Comments: Obsoletes: 4773, 5156, 5735, JHU April 2013

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

Implications of Global IPv4/v6 Routing Table Growth

IPv6 Deployment & Strategy

A QoS-Driven ISP Selection Mechanism for IPv6 Multi-Homed Sites

Introduction to IPv6 - II

TR-242 IPv6 Transition Mechanisms for Broadband Networks

Internet Engineering Task Force (IETF) Request for Comments: 7040 Category: Informational. O. Vautrin Juniper Networks Y. Lee Comcast November 2013

IPv6 Deployment - Security Issues Thinking outside the NAT box

Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line

COE IPv6 Roadmap Planning. ZyXEL

IPv6 maintenance Working Group (6man) Updates: 3971, 4861 (if approved) January 12, 2012 Intended status: Standards Track Expires: July 15, 2012

Guide to TCP/IP Fourth Edition. Chapter 2: IP Addressing and Related Topics

IETF Activities Update

Operational Security Capabilities for IP Network Infrastructure

Introduction to IP Routing. Geoff Huston

Blockers to IPv6 Adoption

Performance Implications of Unilateral Enabling of IPv6

Carl Harris Chief Technology Officer Virginia Tech IT

Illegitimate Source IP Addresses At Internet Exchange Points

Introduction to Network Address Translation

Yasuo Kashimura Senior Manager, Japan, APAC IPCC Alcatel-lucent

IPv6 migration challenges and Security

Transcription:

Advisory Guidelines for 6to4 Deployment draft-carpenter-v6ops-6to4[-teredo]-advisory-03 Brian Carpenter March 2011 1

Acknowledgements Very useful and practical input from at least 20 people: Emile Aben, Tore Anderson, Jack Bates, Cameron Byrne, Remi Despres, Jason Fesler, Wes George, Geoff Huston, Eric Kline, Victor Kuarsingh, Martin Levy, David Malone, Martin Millnert, Keith Moore, Gabi Nakibly, Michael Newbery, Pekka Savola, Mark Smith, Nathan Ward, James Woodyatt 2

Why? Because there is quite a lot of 6to4 out there. Because it is responsible for quite a lot of operational issues, and in some cases for help desk advice to just switch IPv6 off. Because advising operators how to mitigate these issues is a lot more use than moaning. 3

Background Router 6to4 (RFC 3056) was not designed as an unmanaged solution. routing and relays need to be well managed Anycast 6to4 (RFC 3068) was aimed at unmanaged hosts but still needs well-managed relays. Empirically, 10-20% of connection attempts received from 6to4 clients at IPv6 servers fail [Aben, Huston] translates into a fraction of 1% of lost sessions for content providers. indirect evidence suggests that filtering of protocol 41 (IPv6-in-IPv4) is the major reason. 4

Summary of issues Outbound Black Hole: 192.88.99.1 unreachable Inbound Black Hole: protocol 41 filtered No Return Relay: content server has no 2002::/16 route, or the relay it reaches drops its traffic Large RTT: 6to4 path exists but is far too slow PMTUD Failure: and actual PMTU is 1280 Reverse DNS Failure Bogus Address: ISP assigns bogons to subscribers Faulty 6to4 Implementations Difficult Fault Diagnosis (given all of the above) 6to4 observed to be implicated in rogue RA 5

Advice to vendors Do not enable 6to4 by default Do not activate 6to4 for RFC 1918 addresses Adopt draft-ietf-6man-rfc3484-revise Do not emit rogue RAs for 6to4 prefix 6

Advice to consumer ISPs & enterprise networks that do not support IPv6 Find a transit provider willing to offer your users a route to a working 6to4 relay at 192.88.99.1 Be aware that 6to4 cannot work behind CGN If impossible, arrange to return destination unreachable for 192.88.99.1 In any case, allow inbound protocol 41 through firewalls. Necessary for 6to4, and allows users to use a configured IPv6 tunnel service if they want Never use "bogon" address space such as 1.1.1.0/24 Consider operating a 6to4 relay as a first baby step towards IPv6 7

Advice to consumer ISPs & enterprise networks that do support IPv6 Advise users to disable 6to4; do not create DNS records for any 6to4 addresses. Ensure that no routers are unintentionally or by default set up as active 6to4 relays. Defend against rogue RA messages (RFC 6105). 8

Advice to transit ISPs and IXPs that support IPv6 Run an Anycast 6to4 relay service for users 192.88.99.0/24 announced only towards IPv4 nets whose outbound 6to4 packets will be accepted 2002::/16 announced towards native IPv6. The relay must accept all traffic to 2002::/16 that reaches it when the relay sends 6to4 packets back to a 6to4 user, use 192.88.99.1 as the IPv4 source address ICMPv6 echo request and packet too big must work IPv4 Protocol 41 not filtered Performance must be adequate No NAT in sight 9

Advice to IPv6 content providers and their ISPs Run a 6to4 relay service announcing 2002::/16 towards the content servers dedicated to return traffic, not offering 192.88.99.1 scope advertisements for 2002::/16 so that content servers have a short path to the relay if ingress filtering allows, relay should use 192.88.99.1 as the IPv4 source address may embed a relay directly in the content server. Done by enabling a local 6to4 interface and using it to route 2002::/16 for outbound packets other recommendations as above Don t rely on reverse DNS. 10

Security considerations draft-ietf-v6ops-tunnel-security-concerns draft-ietf-v6ops-tunnel-loops RFC3964 However, if an operator provides well managed 6to4 relays, non-encapsulated IPv6 packets will pass through well defined points (the native IPv6 interfaces of the relays) at which IPv6 security mechanisms may be applied. A blanket recommendation to block Protocol 41 is not compatible with mitigating the 6to4 problems. 11

Discussion? Adopt the draft? Push to finish it by IPv6 Day? 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback