IPv6 and Transition Mechanisms
IPv6 Transition Mechanisms,
their Security and Management
Georgios Koutepas
National Technical University of Athens, Greece
6DISS Workshop
March 5 2006
IPv6 Transition Mechanisms - 6DISS Workshop - 5 March 2006
Transition to IPv6
• Not an after-thought but designed to be part of the new
protocol since the beginning
• Overview of transition requirements:
– Gradual site transition: a site may have only some of its systems
supporting IPv6
– Minimum transition requirements: a site can support IPv6 just by
offering DNS services without any upgrade in the rest of the
infrastructure
– IP address compatibility: the v4 addresses can be converted to
"corresponding" v6 addresses, allowing the system to operate in
both environments
– Ease of installation: Operating Systems should support IPv6
straightforwardly, without need for software upgrades.
• The answer: SIT (Simple Internet Transition) mechanisms included in IPv6
IPv6 Transition Mechanisms
• SIT offers a scheme for:
– The conversion of IPv4 addresses to IPv6
– Dual stack OS operation
– Tunnelling mechanisms via the encapsulation of v6 packets
within v4 when passing over v4 clouds (and vice versa)
• The Result:
– Dual Stack mechanisms
– Translation Mechanisms
– Tunnelling Mechanisms
Dual Stack mechanisms
[Figure: the dual stack. Application Layer (Web, Email, etc.) over Transport Layer (TCP/UDP) over an IP Layer that holds both IPv4 and IPv6, over the Data Link Layer (Ethernet, PPP, etc.)]
Translation Mechanisms
• NAT-PT (Network Address Translation - Protocol Translation)
– Potential problems
• Services based on protocol specific header info cannot be supported end-to-end
• "Classic" NAT security issues
[Figure: a dual stack NAT-PT translation router between a native IPv6 network and a native IPv4 network, holding an IPv6 address pool and an IPv4 address pool]
• Others
– BIS (Bump in the Stack) - At the Transport Layer
– BIA (Bump in the API) - At the Application Layer
Tunnelling Mechanisms
• How they work:
– Encapsulation of IPv6 packets within IPv4 packets and
vice versa
…Which means it can also be used for IPv4 connections over IPv6
native networks
– Protocol in the IPv4 header: 41
– The tunnel's end point performs the necessary operations
on the protocol 41 IPv4 packets:
• Reassembly of fragmented packets
• Packet forwarding in the IPv6 network
• Hop limit (equivalent to IPv4 TTL) reduction by 1: the tunnel is "transparent" to IPv6
– Nodes performing the (en/de)capsulation operation have to be dual stack
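As an added example (not part of the original slides), the protocol 41 encapsulation and the tunnel end-point's decapsulation described above, in Python: the exit point verifies the outer IPv4 header, strips it and charges the whole tunnel as a single IPv6 hop. It assumes unfragmented packets (reassembly is left out), leaves the IPv4 checksum at zero, and uses constructed documentation addresses.

```python
import struct
import ipaddress

PROTO_41 = 41  # IPv4 protocol number meaning "an IPv6 packet follows"

def build_ipv6(src6, dst6, payload, hop_limit=64, next_header=59):
    """Minimal IPv6 packet: 40-byte header (next header 59 = no next header) + payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src6).packed,
                       ipaddress.IPv6Address(dst6).packed) + payload

def encapsulate(src4, dst4, ipv6_packet, ttl=64):
    """Tunnel entry point: prepend a 20-byte IPv4 header carrying protocol 41.
    The IPv4 header checksum is left at zero; it is not what this example is about."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0, ttl,
                       PROTO_41, 0, ipaddress.IPv4Address(src4).packed,
                       ipaddress.IPv4Address(dst4).packed) + ipv6_packet

def decapsulate(ipv4_packet):
    """Tunnel exit point: verify the outer header, strip it, charge the tunnel as one
    IPv6 hop and return (outer_src4, outer_dst4, inner_ipv6_packet)."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ipv4_packet[0] & 0x0F) * 4               # header length, options included
    if ipv4_packet[9] != PROTO_41:
        raise ValueError(f"protocol {ipv4_packet[9]} is not 41: plain IPv4, not a tunnel")
    outer_src = str(ipaddress.IPv4Address(ipv4_packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(ipv4_packet[16:20]))
    inner = bytearray(ipv4_packet[ihl:])
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol-41 payload is not an IPv6 packet")
    if inner[7] <= 1:                                # byte 7 of the IPv6 header is the hop limit
        raise ValueError("hop limit exhausted: drop and send ICMPv6 Time Exceeded")
    inner[7] -= 1                                    # the whole tunnel counts as a single hop
    return outer_src, outer_dst, bytes(inner)

def inner_addresses(ipv6_packet):
    """(src, dst) of an IPv6 packet, for checking the decapsulated result."""
    return (str(ipaddress.IPv6Address(ipv6_packet[8:24])),
            str(ipaddress.IPv6Address(ipv6_packet[24:40])))

if __name__ == "__main__":
    # constructed sample: a 6to4 site host reaching a native host via the anycast relay
    v6 = build_ipv6("2002:c000:201::25", "2001:db8::1", b"constructed payload")
    src, dst, inner = decapsulate(encapsulate("192.0.2.1", "192.88.99.1", v6))
    print(src, dst, inner_addresses(inner), "hop limit", inner[7])
```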
Types of tunnelling
Based on the way we find the tunnel's other end:
• (Pre)configured tunnel end-points
• Automatic. Tunnel end-point may be derived from:
– 6to4 address
– IPv4 compatible IPv6 destination address
Automatic Tunneling Mechanisms:
Tunnel Brokers
• The simplest way to IPv6 for single users (i.e. using dialup,
ADSL, etc.)
• May create security problems; or, conversely, protocol 41 may be banned by the sys-admins for security reasons
• Operation
– The user connects to a special web server (in the IPv4 network) and applies for a tunnel
– The server assigns an IPv6 address, creates a DNS entry, informs the Tunnel Server, and sends a configuration script to the user
– The user runs the script, which installs the IPv6-over-IPv4 tunnel and connects to the Tunnel Server that routes the packets to the native IPv6 network
Automatic Tunneling Mechanisms:
6over4
• Deprecated...
• "Multicast tunnelling"
• Single IPv6 hosts use the IPv4 Multicast Network to connect to each other or to the native IPv6 network via a 6over4 router (usually a 6to4 router)
• The result is IPv6 hosts directly connected, even using IPv6 Link Local addresses (derived from their IPv4 addresses)!
• Also supports IPv6 multicast etc.
• 6over4 requires IPv4 Multicast support, which does not exist
widely.
Automatic Tunneling Mechanisms:
ISATAP
• Intra-Site Automatic Tunnel Addressing Protocol
• Also uses the IPv4 infrastructure but without the need for
Multicast
• Can operate under v4 NAT
• Operation:
– The node (A.B.C.D)v4 gets the (FE80::5EFE:AB:CD)v6 Link Local
address
– Using DNSv4 queries for the name ISATAP, a Potential Router List (PRL) is created (the Router usually is a 6to4 system)
– A Router Solicitation message is sent; the answer (Router Advertisement message) gives the prefix for creating the universal IPv6 address
• ISATAP router-to-node communication: using the last 4 bytes of the destination address
• Node-to-router/IPv6 network: via the ISATAP router
Automatic Tunneling Mechanisms:
Teredo
• Useful for hosts behind NAT
• Encapsulates the IPv6 packets within UDP v4 packets to
bypass the problem of NAT in many cases restricting protocol
41 (IP encapsulated) packets
• The encapsulation takes place at the communicating node
itself rather than at a border router (like it happens in 6to4)
• The Teredo-relay then forwards the packets to the native
IPv6 network
[Figure: Teredo packet layout - IPv4 Header | UDP Header | Encapsulated IPv6 Packet]
• Issues:
– Complex implementation
– Can operate only with specific NAT types
– Limited number of Teredo-relays available in the Internet
• Used only when there is no other available solution…
Automatic Tunneling Mechanisms:
6to4 Overview
• Connects isolated IPv6 "clouds"
• Only the border routers need to implement the 6to4
functionality (and need to be dual stack too…)
• Any site with a single unicast IPv4 address can transmit to the IPv6 network using the 2002::/16 prefix
• Many available relays to the IPv6 network, easy to find by (IPv4) anycast addressing (from 192.88.99.0 - RFC 3068)
• The most widely used mechanism: thanks to its minimal requirements and ease of implementation it is preferred to other automatic tunnelling methods and to configured tunnels
• However, it cannot be used behind NAT because it requires an available universal IPv4 address
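An added example, not from the slides: deriving the addresses the automatic mechanisms above rely on, in Python. It builds the 6to4 site prefix 2002:V4ADDR::/48 and the ISATAP link-local address in the slide's FE80::5EFE:AB:CD form, and derives the IPv4 tunnel end-point a dual stack router would use for a 6to4, ISATAP or IPv4-compatible destination, falling back to the RFC 3068 anycast relay for a native IPv6 destination; all sample addresses are constructed.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
V4_COMPAT = ipaddress.IPv6Network("::/96")       # IPv4-compatible addresses ::a.b.c.d
ISATAP_IID = bytes.fromhex("00005efe")            # ISATAP interface identifier, slide's 0000:5EFE form
RELAY_ANYCAST = "192.88.99.1"                     # RFC 3068 anycast address of the nearest 6to4 relay

def _halves(v4addr):
    """An IPv4 address as the two 16-bit hex groups it occupies inside an IPv6 address."""
    p = ipaddress.IPv4Address(v4addr).packed
    return p[:2].hex(), p[2:].hex()

def sixto4_prefix(v4addr):
    """6to4 site prefix 2002:V4ADDR::/48 for a site whose router has IPv4 address V4ADDR."""
    hi, lo = _halves(v4addr)
    return str(ipaddress.IPv6Network(f"2002:{hi}:{lo}::/48"))

def isatap_link_local(v4addr):
    """ISATAP link-local address FE80::5EFE:a.b.c.d (the slide's FE80::5EFE:AB:CD)."""
    hi, lo = _halves(v4addr)
    return str(ipaddress.IPv6Address(f"fe80::5efe:{hi}:{lo}"))

def tunnel_endpoint(dst6):
    """IPv4 address a dual stack router tunnels to for an IPv6 destination, and why:
    6to4 -> the address embedded in bits 16..47; ISATAP -> the last 4 bytes;
    IPv4-compatible -> the last 4 bytes; anything else -> the anycast 6to4 relay."""
    a = ipaddress.IPv6Address(dst6)
    if a in SIXTO4:
        return str(ipaddress.IPv4Address(a.packed[2:6])), "6to4"
    if a.packed[8:12] == ISATAP_IID:
        return str(ipaddress.IPv4Address(a.packed[12:16])), "isatap"
    if a in V4_COMPAT and int(a) > 1:             # :: and ::1 are not tunnel end-points
        return str(ipaddress.IPv4Address(a.packed[12:16])), "ipv4-compatible"
    return RELAY_ANYCAST, "relay"

if __name__ == "__main__":
    # constructed sample site with IPv4 address 192.0.2.1
    print(sixto4_prefix("192.0.2.1"), isatap_link_local("192.0.2.1"))
    for d in ("2002:cb00:7109::1", "fe80::5efe:c000:201", "::192.0.2.7", "2001:db8::1"):
        print(d, "->", tunnel_endpoint(d))
```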
6to4 Architecture and Components
[Figure: 6to4 architecture. A 6to4 router (gateway) with IPv4 address V4ADDR and IPv6 address 2002:V4ADDR::1 serves a 6to4 subnet whose IPv6 addresses are 2002:V4ADDR::/48; tunnels across the IPv4 Internet connect it to other 6to4 routers (gateways), to 6to4 clients reached through IPv4, and to a 6to4 relay router (IPv4 anycast address 192.88.99.1) that joins the native IPv6 network.]
6to4 usage scenarios (1)
6to4 host to 6to4 host
• Native v6 communication and routing (RIPng)
[Figure: 6to4 host to 6to4 host. Two 6to4 clients, each behind a 6to4 router (gateway) with IPv4 address V4ADDR and IPv6 address 2002:V4ADDR::1, each in a 6to4 subnet using IPv6 addresses 2002:V4ADDR::/48, communicate across the IPv4 Internet.]
6to4 usage scenarios (2)
Between two 6to4 sites
• Useful for sites without native IPv6 ISP support
• Within the 6to4 sites the hosts use IPv6 natively
– Router advertisements and stateless address autoconfiguration
– DNSv6 host records - The other site can know about the hosts it
needs to communicate with
• Non-local IPv6 addresses are sent to the default (6to4)
router
• The IPv4 address within the 6to4 destination IPv6
address is used as the tunnel termination point
[Figure: between two 6to4 sites. A 6to4 client sends an IPv6 packet with destination IPv6 address 2002:V4ADDR-B::26; its 6to4 router (gateway) encapsulates it in an IPv4 header with destination IPv4 address V4ADDR-B and sends it across the IPv4 Internet to site B's 6to4 router (gateway, IPv4 address V4ADDR-B, IPv6 address 2002:V4ADDR-B::1), which delivers the IPv6 packet to the 6to4 client 2002:V4ADDR-B::26.]
6to4 usage scenarios (3)
Between a 6to4 site and a native IPv6 network
– Connection to the native IPv6 network through a 6to4 Relay Router
(an IPv6 router with a 6to4 "Pseudo-interface")
– Usage of the Relay Router's IPv4 address or the Anycast Address
• 6to4 host to a native IPv6 host
1. The 6to4 host uses DNS to find the destination host
2. The 6to4 router forwards (via IPv4) the packet to the "next-hop", the closest 6to4 relay router
3. The IPv6 router forwards the packet to its final destination
• Native IPv6 host to a 6to4 host
1. The 6to4 relay router advertises the 2002::/16 prefix within the IPv6 network
2. A v6 host will use this information to send its packet to the corresponding IPv6 router and further to the 6to4 "pseudo-interface", via which (by the IPv4 network) the packet reaches the 6to4 network and its final destination
[Figure: between a 6to4 site and a native IPv6 network. The 6to4 host 2002:V4ADDR-A::25 sends an IPv6 packet with destination IPv6 address V6ADDR; the 6to4 router (gateway, IPv4 address V4ADDR-A, IPv6 address 2002:V4ADDR-A::1) encapsulates it in an IPv4 header with destination IPv4 address 192.88.99.1 (the relay's well known IPv4 address or the anycast address) and sends it across the IPv4 Internet to the 6to4 relay router, which decapsulates it and forwards the IPv6 packet over the IPv6 Internet to the native IPv6 host V6ADDR. In the reverse direction the native host sends an IPv6 packet to 2002:V4ADDR-A::25; the relay encapsulates it in an IPv4 header with destination IPv4 address V4ADDR-A, and the 6to4 router delivers the decapsulated IPv6 packet to the 6to4 host.]
6to4 Security
or what can go wrong…
• Vulnerabilities
– 6to4 routers must accept packets from ALL 6to4 relay routers
• It's not possible to know if the relay router is "Trusted" or even exists
– 6to4 relay routers have to accept packets from 6to4 routers and native IPv6 hosts without any checks
• Threats
– DoS/DDoS against 6to4 components may result in unavailability
– 6to4 routers/relay routers may be used for "reflected" DDoS attacks
– "Service theft": unauthorized usage of relay router services
– Local IPv4 broadcast attacks
– Neighbor Discovery attacks
• "Sanity Checks" necessary!
6to4 Security
…an attack scenario
• Reflected DoS Attack
[Figure: the IPv4 host ATTACKER sends across the IPv4 Internet an IPv4 packet (IPv4 src: ATTACKER, IPv4 dst: V4ADDR-A) whose encapsulated IPv6 packet has IPv6 src: 2002:VICTIM::1 and IPv6 dst: 2002:V4ADDR-A::25. The 6to4 router (IPv4 address V4ADDR-A, IPv6 address 2002:V4ADDR-A::1) delivers it to the 6to4 host 2002:V4ADDR-A::25, whose reply (IPv6 src: 2002:V4ADDR-A::25, IPv6 dst: 2002:VICTIM::1) is encapsulated by the 6to4 router in an IPv4 packet with IPv4 src: V4ADDR-A and IPv4 dst: VICTIM, which reaches the IPv4 host VICTIM.]
• It is supposed that bandwidth and processing power limitations can prevent a large scale attack…
Securing 6to4 components
• 6to4 routers
– Check for correspondence between the IPv4 part of
the packets and the 2002::/16 IPv6 encapsulated
part
– Implement "Sanity Checks"
• IPv4: Do not allow strange addresses (e.g. loopback, private, multicast, etc.) to be encapsulated
• IPv6: Reject "wrong" addresses, like link local, multicast, etc.
– Prevent routing of packets to other 6to4 sites via 6to4
relay routers
– Reject packets coming from another 6to4 site via a
relay router
Securing 6to4 components (2)
• 6to4 relay routers
– Reject IPv4 packets from 6to4 routers that don't have a matching IPv4 src address (V4ADDR) and equivalent 6to4 src address (2002:V4ADDR) in the encapsulated IPv6 packet
– Reject protocol 41 (IPv4) packets without destination
address 192.88.99.1
– Deny packets to the IPv6 network without a universal
IPv6 address
– Reject packets from 6to4 routers to 6to4 addresses
– Ingress Filtering and Access Control Lists for the IPv6
part!
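An added example, not from the slides: the sanity checks of the two "Securing 6to4 components" slides applied in Python to the addresses of one decapsulated protocol 41 packet, with the role argument selecting the 6to4 router or the 6to4 relay router rule set. It assumes the caller has already parsed the outer IPv4 and inner IPv6 headers; the correspondence check between the outer IPv4 source and the 2002: source is what rejects the spoofed packet of the reflected DoS scenario, and all sample addresses are constructed.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068 anycast relay address
# IPv4 ranges that must never be a tunnel end-point (slide: loopback, private, multicast, etc.)
BAD_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32")]

def embedded_v4(addr6):
    """IPv4 address carried in bits 16..47 of a 2002::/16 address, or None."""
    return ipaddress.IPv4Address(addr6.packed[2:6]) if addr6 in SIXTO4 else None

def check_6to4(outer_src4, outer_dst4, inner_src6, inner_dst6, role):
    """Sanity-check one decapsulated protocol-41 packet as a 6to4 'router' or 'relay'.
    Returns None to accept the packet, otherwise the reason for dropping it."""
    if role not in ("router", "relay"):
        raise ValueError("role must be 'router' or 'relay'")
    src4, dst4 = ipaddress.IPv4Address(outer_src4), ipaddress.IPv4Address(outer_dst4)
    src6, dst6 = ipaddress.IPv6Address(inner_src6), ipaddress.IPv6Address(inner_dst6)
    for a in (src4, dst4):
        if any(a in net for net in BAD_V4):
            return f"IPv4 {a}: loopback/private/multicast/reserved"
    for a in (src6, dst6):
        if a.is_link_local or a.is_multicast or a.is_loopback or a.is_unspecified:
            return f"IPv6 {a}: not a universal (global unicast) address"
    # Correspondence check: a 2002: source must come from the IPv4 host it embeds.
    # This stops the reflected DoS (outer src ATTACKER, inner src 2002:VICTIM::1) and,
    # on a 6to4 router, packets from another 6to4 site that arrive through a relay.
    emb_src, emb_dst = embedded_v4(src6), embedded_v4(dst6)
    if emb_src is not None and emb_src != src4:
        return f"outer IPv4 src {src4} does not match 6to4 src {src6}"
    if role == "router":
        # 6to4-to-6to4 traffic is tunnelled straight to the embedded address, never via a
        # relay; apply the same test to the (outer dst, inner dst) pair the router emits
        if emb_dst is not None and dst4 != emb_dst:
            return f"6to4 dst {dst6} must be tunnelled to {emb_dst}, not {dst4}"
    else:
        if dst4 != RELAY_ANYCAST:
            return f"protocol-41 packet not addressed to {RELAY_ANYCAST}"
        if emb_src is None:
            return "relay accepts only packets from 6to4 routers (2002::/16 source)"
        if emb_dst is not None:
            return "6to4-to-6to4 packets must not transit a relay"
    return None

if __name__ == "__main__":
    # constructed reflected-DoS sample: ATTACKER 198.51.100.7 spoofs VICTIM 203.0.113.9
    print(check_6to4("198.51.100.7", "192.0.2.1", "2002:cb00:7109::1", "2002:c000:201::25", "router"))
```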
A General Transition Roadmap
for an enterprise or educational network
Phase 1
• Network Design
– Define Wide and Local network segments
– Define “special” areas (due to requirements and operations) - VLANs,
DMZs etc.
– Define management entities and their areas of responsibility
– Network management information flow
– Security requirements:
• For users and applications
• For the network itself (protection of the management information,
protection of network devices, security of management procedures)
– Plan the steps of the transition to the new protocol. Examine the possibility of deploying transition mechanisms (for communications between IPv6 areas within an IPv4 network and vice versa)
A General Transition Roadmap (2)
Phase 2
• Implementation of a mixed IPv4/IPv6 environment
• Gradual transition of non-critical systems to IPv6
– Allows the evaluation of the operation and stability of the network
devices and non-critical systems under IPv6
– Develops the transition procedures
– Spreads the use of transition mechanisms (tunnels, gateways, etc.) for communications between IPv6-only areas
Phase 3
• Transition of all systems to IPv6
• Exclusive use of IPv6 in the network
– Maintaining transition mechanisms for legacy systems and for communication with IPv4 networks
Any Questions ?