Copyright(c)2003 All rights reserved, Hitachi, Ltd.
Abstract
IPv6-related issues in IETF:
- Core Protocol issues
- Routing Protocol issues
- DNS-related issues
- Transition Mechanism issues
- Security-related issues
Core Protocol Issues
- Site-Local Address
- Prefix Delegation
- Flow-Label
- Router Renumbering
(Mobile-IPv6 is covered in a later presentation)
Site-local Address (Overview)
Site-local address spec. has two distinct characteristics:
- Private use is allowed, like 192.168.0.0/16
- Site-Border Router has to distinguish addresses in different sites, e.g. FEC0::1%site1 and FEC0::1%site2 are different
Issues:
- Site-local addresses are often duplicated among networks, e.g. when multiple networks are merged together and both networks use fec0:1:2::/48
- Site-Border-Router is a serious headache for implementors, standardization, and operation.
Site-local Address (Proposal)
“Deprecate Site-local” and introduce a new solution:
- Remove ‘Site-Border’, but keep localness and uniqueness
Global-Unique Local Address (FC00::/7):
- Locally used unique address
- guarantees 40-bit uniqueness
- not allowed to redistribute to the Internet
- Split into two parts: FC00::/8 = Centrally assigned by some registries (TBD); FD00::/8 = Locally assigned without any registries
Address format:
  | 1111 110 | 0/1   | MD5-hash | SLA    | Interface-ID |
  | 7 bit    | 1 bit | 40 bit   | 16 bit | 64 bit       |
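The address layout above, worked through as an added example (not code from the slides or from Hitachi): the 8-bit prefix with its L bit, the 40-bit MD5-derived global ID, the 16-bit SLA, and the border filter the "not allowed to redistribute" rule implies. Hashing a 64-bit timestamp together with an EUI-64 is this example's own choice of hash input; the slide only says the field is an MD5 hash.

```python
import hashlib
import ipaddress
import struct

ULA_BLOCK = ipaddress.ip_network("fc00::/7")


def global_id(eui64: bytes, ntp_time: int) -> int:
    """40-bit pseudo-random global ID: least significant 40 bits of an MD5 digest.
    Hashing (64-bit time || EUI-64) is this example's assumption; the slide only
    says the field is an MD5 hash that guarantees 40-bit uniqueness."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    digest = hashlib.md5(struct.pack(">Q", ntp_time) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def site_prefix(eui64: bytes, ntp_time: int, local: bool = True) -> ipaddress.IPv6Network:
    """1111110 + L bit (1 = FD00::/8 locally assigned, 0 = FC00::/8 centrally
    assigned) + 40-bit global ID = the /48 a site gets."""
    first_byte = 0xFD if local else 0xFC
    top48 = (first_byte << 40) | global_id(eui64, ntp_time)
    return ipaddress.IPv6Network((top48 << 80, 48))


def subnet(site: ipaddress.IPv6Network, sla: int) -> ipaddress.IPv6Network:
    """Fill the 16-bit SLA field to get one /64 link prefix inside the site."""
    if site.prefixlen != 48 or not 0 <= sla <= 0xFFFF:
        raise ValueError("need a /48 site prefix and a 16-bit SLA")
    return ipaddress.IPv6Network((int(site.network_address) | (sla << 64), 64))


def classify(addr: str):
    """'local' (FD00::/8), 'central' (FC00::/8) or None for anything outside FC00::/7."""
    a = ipaddress.ip_address(addr)
    if a.version != 6 or a not in ULA_BLOCK:
        return None
    return "local" if a.packed[0] & 0x01 else "central"


def border_router_should_drop(prefix: str) -> bool:
    """FC00::/7 must not be redistributed to the Internet, so a site border
    router filters it in routing announcements and forwarded traffic."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == 6 and net.overlaps(ULA_BLOCK)
```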
Remaining Issues in FC00::/7
- It may lead to an IPv6-NAT introduction?
  - Simultaneous use of global address and FC00::/7 is better
- Source address selection
  - Longest-match algorithm (RFC3484) is sufficient
- DNS server
  - Two-face DNS server is necessary, like IPv4 private address handling.
- Well-known site-local address? e.g. DNS server address (FEC0:0:0:FFFF::1)
  - Global-unique local address is not suitable, since it varies by network
  - Use of FEC0::/10 needs further consideration, even after site-local address deprecation
- Who manages the ‘registry’?
- 40-bit uniqueness is enough?
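The "longest-match is sufficient" claim for a host holding both a global and an FC00::/7 address, as an added example (not from the slides): only the RFC 3484 longest-matching-prefix rule is implemented; the candidate addresses are constructed sample values.

```python
import ipaddress


def common_prefix_len(a: str, b: str) -> int:
    """CommonPrefixLen from RFC 3484: number of leading bits two addresses share."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - diff.bit_length()


def select_source(candidates, destination: str) -> str:
    """Longest-matching-prefix rule (RFC 3484 rule 8) over the host's own
    addresses. The earlier rules (scope, deprecated addresses, ...) are left
    out on purpose: the slide's point concerns this rule alone."""
    return max(candidates, key=lambda c: common_prefix_len(c, destination))


def demo():
    """A dual-addressed host: a global address and an FC00::/7 one (constructed).
    Local destinations get the FC00::/7 source, Internet destinations the global one."""
    host = ["2001:db8:1::10", "fd12:3456:789a:2::10"]
    return (select_source(host, "fd12:3456:789a:1::5"),
            select_source(host, "2001:db8:99::1"))
```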
Prefix Delegation (Overview)
Plug & Play for (esp.) SOHO Routers: use some protocol to automatically delegate a prefix from the upstream router to downstream routers.
Figure (ISP Router, SOHO Router, PC):
- ISP Router delegates a prefix to the SOHO Router automatically (normally /48)
- SOHO Router chooses a prefix (/64) for the PC segment
- PC is configured by Plug and Play by RA (/64)
Prefix Delegation (Status)
Standardization almost finished
- Concept and requirement are approved in IPv6 WG.
- Various protocols are proposed, but the DHCPv6-based one seems to be the winner
  - Does not distribute IPv6 addresses in DHCPv6
  - Just uses the DHCPv6 protocol framework to distribute IPv6 prefixes
  - Distributes other information (e.g. DNS server) as well
- Lots of implementations have gone through lots of interoperability testing: TAHI, Connectathon, IPv6 Showcase, DHCPv6-Interop
- ISPs have already started PD service in Japan
IPv6 Flow Label
Issue
- IPv6 architecture defines a flow-label field in the IPv6 header, but its usage is not explicitly defined.
Status
- Framework is approved in WG.
  - Sender determines Flow Label by some means
  - Intermediate routers don't overwrite Flow Label
  - Receiver handles the packet appropriately according to the Flow Label field value.
- How to use this framework? Up to the controlling protocols, like RSVP etc.
Router Renumbering
Overview
- Router Renumbering protocol is defined, but is it really practical?
- If not so, what is the right procedure for manual renumbering?
Status
- Does not seem practical; it cannot change embedded prefixes.
  - DNS record
    • Even with A6, you have to reconfigure some records manually.
    • A6 does not work if a prefix is referred to by other DNS domains (e.g. www.tcpdump.org refers to KAME’s IPv6 address)
  - Packet Filter, IPv4/v6 Translator
  - Server info in Application Installer (e.g. NetBSD), URL
- Do you really have to ‘renumber’ on some flag-day? Unlike IPv4, you can use the old prefix and the new prefix at the same time
Routing Protocol Issues
- General comment
- BGP4+ issue
- IS-ISv6 issues
- Multihome
Routing Protocol Issues (General Comment)
Almost all of the routing protocols support IPv6, except for the obsolete ones:
- RIP → RIPng, OSPF → OSPFv3, (ISIS), BGP → BGP4+
- IGMPv2 → MLDv1, IGMPv3 → MLDv2, (PIM-SM/DM)
- DVMRP, MSDP → no protocol
IPv6-specific issues are rare: most routing protocol problems are version-independent; if there is a problem in XXX for IPv6, it is also a problem in XXX for IPv4.
BGP4+ issue
Link-local BGP4+ peering: IPv6 nexthop in BGP4+ spec
- What should be included in the Global Nexthop field in case of link-local BGP4+ peering? Unspecified address (::) or link-local address
- BGP4+ implementations should obey the ‘IETF principle’
  • Send in either manner, but accept both cases
Figure (Next Hop field): Global Nexthop | (Optional) link-local Nexthop (if the peer is directly connected together)
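The "send in either manner, accept both" principle applied to the next hop field, as an added example (not code from the slides or from any BGP implementation): the parser takes the RFC 2545 encoding (16 bytes = global next hop, 32 bytes = global + link-local) and treats either :: or a link-local address in the global slot as "no global next hop", while the encoder can produce both sending styles for interoperability testing. The addresses are constructed sample values.

```python
import ipaddress

UNSPECIFIED = ipaddress.IPv6Address("::")


class NextHopError(ValueError):
    pass


def parse_nexthop(nh_len: int, nh_bytes: bytes):
    """Next hop field of MP_REACH_NLRI for IPv6 (RFC 2545): 16 bytes = global
    slot only, 32 bytes = global slot followed by a link-local next hop.
    Returns (global_or_None, linklocal_or_None). A sender that put :: or its
    link-local address into the global slot is accepted either way."""
    if nh_len != len(nh_bytes) or nh_len not in (16, 32):
        raise NextHopError(f"bad next hop length {nh_len}")
    first = ipaddress.IPv6Address(nh_bytes[:16])
    second = ipaddress.IPv6Address(nh_bytes[16:]) if nh_len == 32 else None
    if second is not None and not second.is_link_local:
        raise NextHopError(f"second next hop {second} is not link-local")
    if first == UNSPECIFIED:
        glob, link = None, second            # style 1: :: in the global slot
    elif first.is_link_local:
        glob, link = None, second or first   # style 2: link-local in the global slot
    else:
        glob, link = first, second           # real global next hop
    if glob is None and link is None:
        raise NextHopError("no usable next hop in the field")
    return glob, link


def encode_nexthop(global_slot: str, linklocal_nh: str = None):
    """Build the field for either sending style: put a global address, :: or a
    link-local address in the global slot, optionally followed by a link-local one."""
    data = ipaddress.IPv6Address(global_slot).packed
    if linklocal_nh:
        data += ipaddress.IPv6Address(linklocal_nh).packed
    return len(data), data


def accepts(nh_len: int, nh_bytes: bytes) -> bool:
    """True if a receiver obeying the principle takes this field."""
    try:
        parse_nexthop(nh_len, nh_bytes)
        return True
    except NextHopError:
        return False
```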
IS-ISv6 issues
- IPv6-over-IPv4 tunnel in the IS-IS topology database?
  - IS-IS protocol handshake has to be done in OSI packets (not IPv4 nor IPv6)
  - IS-IS protocol mandates GRE tunnel
  - All the IPv6-over-IPv4 tunnels have to shift to GRE tunnel? (at least router-router tunnel)
- What if IPv4 and IPv6 network topologies are different?
  - IS-IS protocol assumes network topology is the same among protocols
  - M-ISIS (Multi-topology ISIS) is proposed
Multihome
Overview
When a site wants to have multiple upstream ISPs, what should it do?
1. Obtain their own IPv6 prefix and do E-BGP routing: AS number & BGP operation is mandatory
2. Receive a prefix from each ISP, and use the proper prefix according to destination
  - Source address selection on Host
  - Nexthop selection based on source address (and destination)
  - How to renumber when the upstream ISP changes
Status
Being discussed in IETF Multi6 WG, but still no consensus...
DNS-related Issues
- DNS Server Discovery
- AAAA vs A6
- ip6.int vs ip6.arpa
- PTR record usage
DNS Server Discovery (Overview)
- IPv6 address is automatically configured, but other information still needs manual configuration, e.g. DNS server, NTP server, ...
- Especially DNS server autoconfiguration is important in IPv6, considering the length of IPv6 addresses:
  - (recursive) DNS server address
  - DNS domain search path
  - Hostname registration
DNS Server Discovery (Status)
Still under discussion in DNSOP WG. Roughly three solutions are proposed:
- Anycast solution
- RA-based solution (stateless)
- DHCPv6-based solution
Figures (PC, Router, DNS-Server):
- Anycast: the DNS servers have an anycast address (FEC0:0:0:FFFF::1~3); DNS server addr = the anycast addr(s)
- RA-based: PC sends RS; Router sends RA with a new NDP option; DNS server addr = addr(s) in the new NDP option
- DHCPv6-based: PC sends DHCPv6 Information-Request with Rapid-Commit option; Router sends DHCPv6 Reply with DNS Server option; DNS server addr = addr(s) in the DNS server option
DNS Server Discovery (Issues)
1. How to update the DNS server address when it changes?
2. What happens when a different server advertises a different DNS server address?
3. Should it allow dynamic DNS registration?
4. How about other information? (e.g. NTP server, SIP server …)

  Issue | Anycast                                          | RA                           | DHCPv6
  ------+--------------------------------------------------+------------------------------+---------------------------------------------
  1     | Anycast mechanism solves it (no address change)  | Use a DNS server lifetime?   | DHCPv6 Reconfig message
  2     | -                                                | Use a DNS server preference? | DHCPv6 handshake prevents it
  3     | Use the Dynamic DNS update (out of scope, seems  | Use the Dynamic DNS update   | Use the Dynamic DNS update, or handle within it
        | like using a special DNS record)                 |                              |
  4     | -                                                | -                            | Use the existing DHCPv6 option
AAAA vs A6
Overview
- Two kinds of DNS records are configured
  - AAAA: a simple extension of the A-record
  - A6: DNS record supporting router-renumbering
- But A6 is not deployed, because of its complexity
Status
- IETF decision
  - AAAA: for normal IPv6 operation
  - A6: for further experimental study
ip6.int vs ip6.arpa
Overview
- IPv6 PTR records had used “ip6.int” as their domain name.
- “ip6.int” was registered later as an international TLD.
Status
- “ip6.arpa” is proposed
- 2001::/16 uses ip6.arpa (and ip6.int for the time being)
- 3ffe::/16 still uses only “ip6.int” (owing to an administrative reason), but “ip6.arpa” introduction is planned.
PTR record usage
- Some protocol (implementation) requires PTR-record lookup for authentication: if there is a PTR record for the source address of the client, then it is authenticated
- Is it really practical in the IPv6 world? Not all the IPv6 addresses are available from PTR records:
  - Link-local address
  - Most of the IPv6 addresses generated by stateless autoconfiguration
  - Privacy address extension
- If they just wanted to look up a name from an address, ICMP-node-information-query is available.
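The reverse-tree naming from the ip6.int/ip6.arpa slide and the "is PTR-based authentication practical" question from this one, as an added example (not code from the slides): `reverse_name` builds the nibble-reversed owner name under either domain, `reverse_names` follows the 2003 split the slide describes (2001::/16 under both trees, 3ffe::/16 under ip6.int only; treating every other prefix as ip6.arpa-only is this example's assumption), and `ptr_auth_plausible` flags the address classes the slide says have no PTR record. Sample addresses are constructed.

```python
import ipaddress


def reverse_name(addr: str, domain: str = "ip6.arpa") -> str:
    """PTR owner name: the 32 hex nibbles of the address, reversed and dotted,
    under the given reverse domain (ip6.arpa or the legacy ip6.int)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + domain + "."


def reverse_names(addr: str):
    """Names to query for this address in the situation the slide describes."""
    a = ipaddress.IPv6Address(addr)
    if a in ipaddress.ip_network("2001::/16"):
        return [reverse_name(addr, "ip6.arpa"), reverse_name(addr, "ip6.int")]
    if a in ipaddress.ip_network("3ffe::/16"):
        return [reverse_name(addr, "ip6.int")]
    return [reverse_name(addr, "ip6.arpa")]   # assumption for other prefixes


def ptr_auth_plausible(addr: str) -> bool:
    """False for the classes the slide lists as lacking PTR records: link-local
    addresses and EUI-64 autoconfigured ones (FF:FE in the middle of the
    interface ID). Privacy (random) interface IDs cannot be told apart from
    manually assigned ones at the address level, so they pass this check, which
    is exactly why a missing-or-present PTR record is a poor authenticator."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return False
    return a.packed[11:13] != b"\xff\xfe"
```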
Transition Mechanism Issues
- Transition Mechanisms
- Transition Mechanism Issues
(Detailed transition scenario is discussed in a later presentation)
Transition Mechanisms
Many kinds of Mechanisms
- Tunnel-based: Tunnel Session Protocol (DTCP, Freenet6 etc), 6to4, ISATAP, Teredo, DSTM
- Translator-based: NAT-PT, SIIT, FAITH
- Proxy-based: Application-level Gateway (HTTP proxy, SMTP gateway etc)
Transition Mechanism Issues
There is no perfect mechanism
- Tunnel-based
  - IPv6 network topology is bound to the IPv4 network topology
  - IPv4 address is necessary
    • i.e. the IPv4 address shortage problem remains unsolved
  - Cannot go through NAT
    • (Teredo is the only exception, but it’s too complex…)
- Translator-based
  - In general, IPv4 to IPv6 translation is difficult.
  - Does not work for the applications embedding an IP address in their payload. (e.g. FTP, SIP)
- Proxy-based
  - Works only on the specific protocol
Are they really easier than a simple dual-stack network?
Security-related Issues
- Securing Neighbor Discovery
- Privacy Address Extension
- IPv6 Firewall Architecture
Securing Neighbor Discovery
Overview
- Plug & Play can lead to improper network use:
  - wrong NDP cache by NA spoofing
  - wrong RA announcement by RA spoofing
Status
- CGA (Cryptographically-Generated Address)
  - Use a specially-authenticated link-local address in the NDP-related handshake.
  - discussed in SEND WG
- L2 authentication
  - PAP/CHAP (for PPP), 802.1x (for Ethernet) etc
- IPv6 over IPv4 tunnel
  - Not a perfect answer
  - If IPv4 network use is permitted (politically), IPv6 does not introduce any additional security-risk.
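The idea behind a cryptographically-generated address, as an added example (not code from the slides and not the SEND working group's format): the interface ID is derived from a hash over a public key, a random modifier and the link prefix, so a receiver can check that whoever advertises an address in NA/RA also holds the key it was generated from. The hash layout and the placeholder public-key bytes are this example's own; signing the ND message with the matching private key is the other half of the scheme and is not shown.

```python
import hashlib
import ipaddress
import os


def cga_interface_id(prefix64: bytes, pubkey: bytes, modifier: bytes) -> bytes:
    """Interface ID = leftmost 64 bits of SHA-1(modifier || prefix || public key)
    with the u and g bits cleared, so it cannot pass as a real EUI-64.
    Example construction only; SEND defines its own parameter encoding."""
    digest = hashlib.sha1(modifier + prefix64 + pubkey).digest()[:8]
    return bytes([digest[0] & 0xFC]) + digest[1:]


def generate_cga(prefix: str, pubkey: bytes, modifier: bytes = None):
    """Address for a /64 (e.g. fe80::/64) bound to pubkey; the modifier is random
    so one key can yield different addresses on different links."""
    prefix64 = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    modifier = modifier if modifier is not None else os.urandom(16)
    iid = cga_interface_id(prefix64, pubkey, modifier)
    return str(ipaddress.IPv6Address(prefix64 + iid)), modifier


def verify_cga(addr: str, pubkey: bytes, modifier: bytes) -> bool:
    """Receiver-side check on an NA/RA that carries (pubkey, modifier): the
    advertised address must derive from that key. A node advertising another
    node's address with its own key fails here, before any cache update."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[8:] == cga_interface_id(packed[:8], pubkey, modifier)
```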
Privacy Address Extension
Overview
- Normally the IPv6 interface-ID is constructed by EUI-64 using the MAC address
- The source address in an IPv6 packet tells who sends the packet
- Privacy Address Extension: use a random interface-ID
Status
- Standardized and implemented: RFC3041
- Windows-XP enabled it by default
Issues
- DNS reverse PTR record?
- How to accept connections from outside? hostname to address mapping?
- Does it really provide enough “privacy”?
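Why the EUI-64 source address "tells who sends the packet", and what the privacy extension changes, as an added example (not code from the slides): the MAC is recoverable from an EUI-64 interface ID, while a temporary interface ID generated the RFC 3041 way (MD5 over a history value and the EUI-64, as this example reads that RFC) carries no such link. The MAC and history values are constructed.

```python
import hashlib
import ipaddress


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface ID from a 48-bit MAC: flip the U/L bit of the
    first octet and insert FF:FE between the OUI and the device part."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def mac_from_iid(iid: bytes):
    """Undo eui64_iid: the MAC, and so the device, is readable straight from the
    source address. Returns None when the ID is not EUI-64 shaped."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def temporary_iid(history: bytes, eui64: bytes):
    """RFC 3041 style temporary ID as this example understands it: MD5 over
    (history || EUI-64); the left 64 bits, with the U/L bit cleared so it cannot
    pass as a globally unique EUI-64, become the new ID and the right 64 bits
    the history value for the next regeneration."""
    digest = hashlib.md5(history + eui64).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD
    return bytes(iid), digest[8:]


def address(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix (from RA) and an interface ID into a textual address."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))
```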
IPv6 Firewall Architecture
- IPv4-like firewall does not coexist with the ‘End-to-End principle’ (esp. IPsec)
  - Layer-3/4 Packet Filter: How to protect or permit End-to-End IPsec communication?
  - Application-level Gateway: It terminates End-to-End communication
  - Personal Firewall: Can it tolerate a DoS attack?
- Firewall architecture needs an update in the IPv6 era. There are some ‘IPv6-firewall’ products or solutions, but most of them just support IPv6 in their legacy firewall.