Technology Updates in IPv6

SUZUKI, Shinsuke
Hitachi, Ltd. / KAME Project
[email protected]

Copyright(c)2003 All rights reserved, Hitachi, Ltd.


Abstract

IPv6-related issues in the IETF:
- Core protocol issues
- Routing protocol issues
- DNS-related issues
- Transition mechanism issues
- Security-related issues


Core Protocol Issues

- Site-local address
- Prefix delegation
- Flow label
- Router renumbering
- (Mobile IPv6 is covered in a later presentation)


Site-local Address (Overview)

The site-local address spec has two distinct characteristics:
- Private use is allowed, like 192.168.0.0/16
- A site-border router has to distinguish addresses in different sites, e.g. FEC0::1%site1 and FEC0::1%site2 are different addresses

Issues:
- Site-local addresses are often duplicated among networks, e.g. when multiple networks are merged together and both already use fec0:1:2::/48
- The site-border router is a serious headache for implementors, standardization, and operation


Site-local Address (Proposal)

"Deprecate site-local" and introduce a new solution:
- Remove the 'site border', but keep localness and uniqueness
- Globally-unique local address, FC00::/7
  - Locally used, unique address
  - Uniqueness is provided by a 40-bit global ID
  - Not allowed to be redistributed to the Internet
- Split into two parts:
  - FC00::/8 = centrally assigned by some registry (TBD)
  - FD00::/8 = locally assigned, without any registry

Address format:

  | 1111 110 | L (0/1) | MD5 hash | SLA    | Interface ID |
  | 7 bit    | 1 bit   | 40 bit   | 16 bit | 64 bit       |


Remaining Issues in FC00::/7

- May it lead to the introduction of IPv6 NAT?
  - Simultaneous use of a global address and an FC00::/7 address is better
- Source address selection
  - The longest-match algorithm (RFC3484) is sufficient
- DNS server
  - A two-faced DNS server is necessary, as with IPv4 private address handling
- Well-known site-local addresses? e.g. the DNS server address (FEC0:0:0:FFFF::1)
  - A globally-unique local address is not suitable, since it varies by network
  - Use of FEC0::/10 needs further consideration, even after site-local address deprecation
- Who manages the 'registry'?
- Is 40-bit uniqueness enough?
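An added example (mine, not code from the slides or the KAME project) of the two mechanics above: deriving an FD00::/8 prefix with the slide's 7/1/40/16/64 layout, and RFC 3484 rule-8 longest-match source selection between a global and a local address. The EUI-64, the timestamp and the two sample prefixes are constructed; hashing a timestamp plus an EUI-64 with MD5 follows the slide's draft-era description (the published RFC 4193 uses SHA-1 over the same kind of input and keeps its low 40 bits).

```python
"""Globally-unique local addresses (FC00::/7) and longest-match source selection.

Added example, not code from the original slides or the KAME project.
Layout per the slide: 7-bit prefix 1111110 | L bit | 40-bit hashed global ID
| 16-bit subnet ID | 64-bit interface ID.  Hashing a timestamp plus an EUI-64
with MD5 follows the slide's draft-era text (RFC 4193 later chose SHA-1).
"""
import hashlib
import ipaddress
import struct
from datetime import datetime, timezone


def generate_ula_prefix(eui64: bytes, when: datetime, locally_assigned: bool = True) -> ipaddress.IPv6Network:
    """Return a /48 under FD00::/8 (L=1, locally assigned) or FC00::/8 (L=0, registry)."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    seed = struct.pack(">Q", int(when.timestamp())) + eui64
    global_id = int.from_bytes(hashlib.md5(seed).digest()[-5:], "big")  # low 40 bits of the hash
    first_byte = 0xFD if locally_assigned else 0xFC                     # 1111110 | L
    prefix_int = (first_byte << 120) | (global_id << 80)                 # subnet ID and IID left zero
    return ipaddress.IPv6Network((prefix_int, 48))


def common_prefix_len(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> int:
    """Number of leading bits shared by two addresses (0..128)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(candidates, destination: str) -> ipaddress.IPv6Address:
    """RFC 3484 rule 8 only (longest matching prefix).  The full algorithm runs
    rules 1-7 first (scope, deprecated state, ...); the slide's point is that
    rule 8 alone already keeps local traffic on the FC00::/7 source."""
    dst = ipaddress.IPv6Address(destination)
    return max((ipaddress.IPv6Address(c) for c in candidates),
               key=lambda src: common_prefix_len(src, dst))


def demo():
    # Constructed inputs: a sample EUI-64 and a fixed timestamp for reproducibility.
    eui64 = bytes.fromhex("02005efffe0a0001")
    when = datetime(2003, 6, 1, tzinfo=timezone.utc)
    local = generate_ula_prefix(eui64, when)                     # FD00::/8, no registry
    central = generate_ula_prefix(eui64, when, locally_assigned=False)  # FC00::/8, registry (TBD)
    host_candidates = ["2001:db8:1::1", str(local[1])]            # one global, one local address
    inside = select_source(host_candidates, str(local[0x53]))     # another host in the same local /48
    outside = select_source(host_candidates, "2001:db8:2::1")     # an Internet destination
    return local, central, inside, outside


if __name__ == "__main__":
    local, central, inside, outside = demo()
    print(local, central)
    print("to local peer:", inside, " to Internet:", outside)
```

The local-to-local case picks the FD00::/8 source because it shares at least the 48-bit prefix, while the global destination shares no leading bits with the local address at all, so the global source wins; this is the behaviour the slide relies on when it says longest match is sufficient.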


Prefix Delegation (Overview)

Plug & play for (especially) SOHO routers: use some protocol to automatically delegate a prefix from the upstream router to downstream routers.

[Figure: the ISP router delegates a prefix (normally a /48) to the SOHO router automatically; the SOHO router chooses a /64 out of it for the PC segment, and the PC configures itself by RA (plug and play).]


Prefix Delegation (Status)

Standardization almost finished:
- Concept and requirements are approved in the IPv6 WG
- Various protocols were proposed, but the DHCPv6-based one seems to be the winner
  - Does not distribute IPv6 addresses via DHCPv6
  - Just uses the DHCPv6 protocol framework to distribute IPv6 prefixes
  - Distributes other information (e.g. DNS server) as well
- Lots of implementations have gone through lots of interoperability testing: TAHI, Connectathon, IPv6 Showcase, DHCPv6-Interop
- ISPs have already started PD service in Japan
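An added example (mine, not code from the slides, the KAME project or any DHCPv6 implementation) of what "distributing prefixes, not addresses" looks like on the wire: building and parsing the IA_PD (option 25) and IAPREFIX (option 26) options that RFC 3633 defines for prefix delegation, carried in a DHCPv6 Reply, plus the SOHO router's choice of a /64 out of the delegated /48. The delegated prefix, IAID, lifetimes and transaction ID are constructed sample values; the parser refuses options whose length runs past the end of the message, which is the check a receiver needs before trusting any length field from the network.

```python
"""DHCPv6 prefix delegation: IA_PD / IAPREFIX options (RFC 3633).

Added example; not code from the slides, the KAME project or any DHCPv6
implementation.  All sample values (prefix, IAID, lifetimes, xid) are constructed.
"""
import ipaddress
import struct

MSG_REPLY = 7          # DHCPv6 message type (RFC 3315)
OPTION_IA_PD = 25      # RFC 3633
OPTION_IAPREFIX = 26   # RFC 3633


def encode_iaprefix(prefix: str, preferred: int, valid: int) -> bytes:
    net = ipaddress.IPv6Network(prefix)
    body = struct.pack(">IIB", preferred, valid, net.prefixlen) + net.network_address.packed
    return struct.pack(">HH", OPTION_IAPREFIX, len(body)) + body


def encode_ia_pd(iaid: int, t1: int, t2: int, prefixes) -> bytes:
    """prefixes: iterable of (prefix, preferred_lifetime, valid_lifetime)."""
    body = struct.pack(">III", iaid, t1, t2) + b"".join(encode_iaprefix(*p) for p in prefixes)
    return struct.pack(">HH", OPTION_IA_PD, len(body)) + body


def build_reply(xid: bytes, options: bytes) -> bytes:
    return bytes([MSG_REPLY]) + xid + options      # msg-type (1) | transaction-id (3) | options


def iter_options(buf: bytes):
    """Walk DHCPv6 TLV options, refusing headers or bodies that run off the end."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from(">HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option length runs past end of message")
        yield code, buf[off:off + length]
        off += length


def parse_ia_pd(data: bytes):
    """Return (iaid, t1, t2, [(IPv6Network, preferred, valid), ...]) from an IA_PD body."""
    if len(data) < 12:
        raise ValueError("IA_PD too short")
    iaid, t1, t2 = struct.unpack_from(">III", data)
    prefixes = []
    for code, opt in iter_options(data[12:]):
        if code != OPTION_IAPREFIX:
            continue                       # e.g. a Status Code option; ignored here
        if len(opt) < 25:
            raise ValueError("IAPREFIX too short")
        preferred, valid, plen = struct.unpack_from(">IIB", opt)
        if plen > 128 or preferred > valid:
            raise ValueError("invalid IAPREFIX")
        net = ipaddress.IPv6Network((int.from_bytes(opt[9:25], "big"), plen), strict=False)
        prefixes.append((net, preferred, valid))
    return iaid, t1, t2, prefixes


def delegated_prefixes_from_reply(msg: bytes):
    """Every delegated prefix in a Reply; raises ValueError on malformed input."""
    if len(msg) < 4 or msg[0] != MSG_REPLY:
        raise ValueError("not a DHCPv6 Reply")
    found = []
    for code, opt in iter_options(msg[4:]):
        if code == OPTION_IA_PD:
            found.extend(parse_ia_pd(opt)[3])
    return found


def is_well_formed_reply(msg: bytes) -> bool:
    try:
        delegated_prefixes_from_reply(msg)
        return True
    except ValueError:
        return False


def choose_lan_prefix(delegated: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """Pick the index-th /64 out of a delegated prefix for a downstream segment."""
    if delegated.prefixlen > 64 or index >= 1 << (64 - delegated.prefixlen):
        raise ValueError("index outside delegated prefix")
    return ipaddress.IPv6Network((int(delegated.network_address) | (index << 64), 64))


def demo():
    reply = build_reply(b"\x12\x34\x56", encode_ia_pd(1, 1800, 2880, [("2001:db8:1234::/48", 3600, 7200)]))
    delegated = delegated_prefixes_from_reply(reply)
    lan = choose_lan_prefix(delegated[0][0], 1)     # second /64 of the delegated /48 for the PC segment
    return reply, delegated, lan
```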


IPv6 Flow Label

Issue: the IPv6 architecture defines a flow-label field in the IPv6 header, but its usage is not explicitly defined.

Status: a framework is approved in the WG.
- The sender determines the flow label by some means
- Intermediate routers don't overwrite the flow label
- The receiver handles the packet appropriately according to the flow label field value

How to use this framework? It is up to the controlling protocols, like RSVP etc.


Router Renumbering

Overview: a router renumbering protocol is defined, but is it really practical? If not, what is the right procedure for manual renumbering?

Status: it does not seem practical; it cannot change embedded prefixes.
- DNS records
  - Even with A6, you have to reconfigure some records manually
  - A6 does not work if a prefix is referred to by other DNS domains (e.g. www.tcpdump.org refers to KAME's IPv6 address)
- Packet filters, IPv4/IPv6 translators
- Server info in application installers (e.g. NetBSD), URLs

Do you really have to 'renumber' on some flag day? Unlike IPv4, you can use the old prefix and the new prefix at the same time.


Routing Protocol Issues

- General comment
- BGP4+ issue
- IS-ISv6 issues
- Multihoming


Routing Protocol Issues (General Comment)

Almost all of the routing protocols support IPv6, except for the obsolete ones:
- RIP -> RIPng, OSPF -> OSPFv3, (IS-IS), BGP -> BGP4+
- IGMPv2 -> MLDv1, IGMPv3 -> MLDv2, (PIM-SM/DM)
- DVMRP, MSDP -> no protocol

IPv6-specific issues are rare: most routing protocol problems are version-independent. If there is a problem in XXX for IPv6, it is also a problem in XXX for IPv4.


BGP4+ Issue

Link-local BGP4+ peering: the IPv6 nexthop in the BGP4+ spec.
- What should be included in the global nexthop field in the case of link-local BGP4+ peering? The unspecified address (::) or the link-local address?
- BGP4+ implementations should obey the 'IETF principle': send in either manner, but accept both cases

Nexthop field layout:
- Global nexthop
- (Optional) link-local nexthop, if the peers are directly connected
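An added example (mine, not code from the slides, the KAME project or any BGP implementation) of the 'send either, accept both' principle applied to the MP_REACH_NLRI next hop field of RFC 2545: the field is a length octet followed by a 16-byte global next hop, optionally followed by a 16-byte link-local next hop. The decoder accepts :: or a link-local address in the global slot as long as something usable is present, and rejects the two malformed shapes a peer can send (an illegal length, a second address that is not link-local). All addresses are constructed sample values.

```python
"""BGP4+ (MP_REACH_NLRI, RFC 2545) next hop encoding and liberal acceptance.

Added example; not from the slides, the KAME project or any BGP implementation.
Addresses are constructed sample values.
"""
import ipaddress


def encode_next_hop(global_nh, link_local=None) -> bytes:
    """Length octet + 16-byte global next hop [+ 16-byte link-local next hop]."""
    data = ipaddress.IPv6Address(global_nh).packed
    if link_local is not None:
        ll = ipaddress.IPv6Address(link_local)
        if not ll.is_link_local:
            raise ValueError("second next hop must be link-local (fe80::/10)")
        data += ll.packed
    return bytes([len(data)]) + data


def decode_next_hop(buf: bytes):
    """Return (global, link_local_or_None, bytes_consumed); only lengths 16 and 32 are legal."""
    if not buf:
        raise ValueError("empty next hop field")
    length = buf[0]
    if length not in (16, 32):
        raise ValueError(f"illegal next hop length {length}")
    body = buf[1:1 + length]
    if len(body) != length:
        raise ValueError("truncated next hop")
    glob = ipaddress.IPv6Address(body[:16])
    ll = None
    if length == 32:
        ll = ipaddress.IPv6Address(body[16:])
        if not ll.is_link_local:
            raise ValueError("second next hop is not link-local")
    return glob, ll, 1 + length


def usable_next_hop(glob, ll, directly_connected: bool):
    """'Accept both cases': the peer may have put :: or its link-local address in
    the global slot; resolve to the address we can actually forward to."""
    if directly_connected and ll is not None:
        return ll                     # on a shared link the link-local next hop is preferred
    if glob.is_unspecified:
        if ll is None:
            raise ValueError("unspecified global next hop and no link-local next hop")
        return ll
    return glob


def resolve(buf: bytes, directly_connected: bool) -> str:
    glob, ll, _ = decode_next_hop(buf)
    return str(usable_next_hop(glob, ll, directly_connected))


def is_acceptable(buf: bytes, directly_connected: bool) -> bool:
    try:
        resolve(buf, directly_connected)
        return True
    except ValueError:
        return False
```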


IS-ISv6 Issues

IPv6-over-IPv4 tunnels in the IS-IS topology database?
- The IS-IS protocol handshake has to be done in OSI packets (not IPv4 nor IPv6)
- The IS-IS protocol mandates GRE tunnels. Do all IPv6-over-IPv4 tunnels have to shift to GRE tunnels (at least router-to-router tunnels)?

What if the IPv4 and IPv6 network topologies are different?
- The IS-IS protocol assumes the network topology is the same among protocols
- M-ISIS (Multi-topology IS-IS) is proposed


Multihoming

Overview: when a site wants to have multiple upstream ISPs, what should it do?
1. Obtain its own IPv6 prefix and do E-BGP routing
   - An AS number and BGP operation are mandatory
2. Receive a prefix from each ISP, and use the proper prefix according to the destination
   - Source address selection on the host
   - Nexthop selection based on the source address (and destination)
   - How to renumber when the upstream ISP changes

Status: being discussed in the IETF Multi6 WG, but still no consensus...


DNS-related Issues

- DNS server discovery
- AAAA vs A6
- ip6.int vs ip6.arpa
- PTR record usage


DNS Server Discovery (Overview)

IPv6 addresses are automatically configured, but other information still needs manual configuration, e.g. DNS server, NTP server, ...

DNS server autoconfiguration is especially important in IPv6, considering the length of an IPv6 address:
- (Recursive) DNS server address
- DNS domain search path
- Hostname registration


DNS Server Discovery (Status)

Still under discussion in the DNSOP WG. Roughly three solutions are proposed:
- Anycast solution: the DNS server has a well-known anycast address (FEC0:0:0:FFFF::1~3); the PC uses the anycast address(es) as its DNS server address
- RA-based solution (stateless): the PC sends an RS, the router sends an RA with a new NDP option; the PC uses the address(es) in the new NDP option as its DNS server address
- DHCPv6-based solution: the PC sends a DHCPv6 Information-Request with the Rapid-Commit option, the router answers with a DHCPv6 Reply carrying the DNS Server option; the PC uses the address(es) in that option as its DNS server address

[Figure: three PC/router exchanges, one per solution, as summarized above.]


DNS Server Discovery (Issues)

1. How to update the DNS server address when it changes?
2. What happens when a different server advertises a different DNS server address?
3. Should it allow dynamic DNS registration?
4. How about other information? (e.g. NTP server, SIP server, ...)

       | Anycast                            | RA                            | DHCPv6
  1    | The anycast mechanism solves it    | Use a DNS server lifetime?    | DHCPv6 Reconfigure message
       | (no address change)                |                               |
  2    | -                                  | Use a DNS server preference?  | The DHCPv6 handshake prevents it
  3    | Use Dynamic DNS update             | Use Dynamic DNS update        | Use Dynamic DNS update, or handle within it
  4    | Out of scope (seems like using     | -                             | Use the existing DHCPv6 option
       | a special DNS record)              |                               |


AAAA vs A6

Overview: two kinds of DNS records are defined
- AAAA: a simple extension of the A record
- A6: a DNS record supporting router renumbering, but it is not deployed because of its complexity

Status: IETF decision
- AAAA: for normal IPv6 operation
- A6: for further experimental study


ip6.int vs ip6.arpa

Overview: IPv6 PTR records had used "ip6.int" as their domain name, but "ip6.int" was later judged to sit under the wrong TLD, since ".int" is the TLD for international organizations.

Status:
- "ip6.arpa" is proposed
- 2001::/16 uses ip6.arpa (and ip6.int for the time being)
- 3ffe::/16 still uses only "ip6.int" (owing to an administrative reason), but "ip6.arpa" introduction is planned


PTR Record Usage

Some protocols (implementations) require a PTR record lookup for authentication: if there is a PTR record for the source address of the client, then it is authenticated. Is this really practical in the IPv6 world?

Not all IPv6 addresses are available from PTR records:
- Link-local addresses
- Most IPv6 addresses generated by stateless autoconfiguration
- Privacy address extension

If they just wanted to look up a name from an address, the ICMP node information query is available.
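An added example (mine, not code from the slides or the KAME project) for the two DNS slides above: building the nibble-reversed owner name of an IPv6 address under ip6.arpa and the older ip6.int, and a heuristic that classifies an interface ID before anyone relies on PTR-based authentication, so that link-local, EUI-64 autoconfigured and random (privacy-style) addresses, for which no administrator will have entered a PTR record, are not expected to have one. Sample addresses are constructed; the classification is a heuristic, not part of any RFC.

```python
"""Reverse-DNS names for IPv6 and a sanity check before trusting PTR-based auth.

Added example; not from the slides or the KAME project.  Sample addresses are
constructed.  The interface-ID classification is a heuristic.
"""
import ipaddress


def reverse_name(addr: str, suffix: str = "ip6.arpa") -> str:
    """Nibble-reversed owner name, e.g. under ip6.arpa or the older ip6.int."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")   # 32 hex digits
    return ".".join(reversed(nibbles)) + "." + suffix + "."


def reverse_names(addr: str):
    """Both trees, for the transition period the slide describes."""
    return [reverse_name(addr, "ip6.arpa"), reverse_name(addr, "ip6.int")]


def interface_id_kind(addr: str) -> str:
    """Heuristic: 'link-local', 'eui64-autoconf', 'random' or 'static'."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    iid = int(a) & ((1 << 64) - 1)
    first = iid >> 56
    if (iid >> 24) & 0xFFFF == 0xFFFE and first & 0x02:
        return "eui64-autoconf"        # MAC-derived: 0xFFFE inserted, u/l bit set
    if iid >> 32 == 0:
        return "static"                # small, hand-assigned IID such as ::1 or ::53
    return "random"                    # RFC 3041 style: u/l bit clear, no structure


def ptr_auth_is_plausible(addr: str) -> bool:
    """Would a PTR record plausibly exist for this client address?  Only for
    addresses an administrator is likely to have entered by hand."""
    return interface_id_kind(addr) == "static"
```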


Transition Mechanism Issues

- Transition mechanisms
- Transition mechanism issues
- (A detailed transition scenario is discussed in a later presentation)


Transition Mechanisms

Many kinds of mechanisms:
- Tunnel-based: Tunnel Session Protocol (DTCP, Freenet6 etc.), 6to4, ISATAP, Teredo, DSTM
- Translator-based: NAT-PT, SIIT, FAITH
- Proxy-based: application-level gateways (HTTP proxy, SMTP gateway etc.)


Transition Mechanism Issues

There is no perfect mechanism.
- Tunnel-based
  - The IPv6 network topology is tied to the IPv4 network topology
  - An IPv4 address is necessary, i.e. the IPv4 address shortage problem remains unsolved
  - Cannot go through NAT (Teredo is the only exception, but it's too complex...)
- Translator-based
  - In general, IPv4-to-IPv6 translation is difficult
  - Does not work for applications embedding IP addresses in their payload (e.g. FTP, SIP)
- Proxy-based
  - Works only for the specific protocol

Are they really easier than a simple dual-stack network?


Security-related Issues

- Securing Neighbor Discovery
- Privacy address extension
- IPv6 firewall architecture


Securing Neighbor Discovery

Overview: plug & play can lead to improper network use
- Wrong NDP cache entries via NA spoofing
- Wrong RA announcements via RA spoofing

Status:
- CGA (Cryptographically Generated Address): use a specially-authenticated link-local address in NDP-related handshakes; discussed in the SEND WG
- L2 authentication: PAP/CHAP (for PPP), 802.1X (for Ethernet) etc.
- IPv6 over IPv4 tunnel: not a perfect answer, but if IPv4 network use is permitted (politically), IPv6 does not introduce any additional security risk
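An added example (mine, not code from the slides, the KAME project or the SEND WG drafts) of how a cryptographically generated address binds a link-local address to a public key, following the construction later published as RFC 3972 in its simplest form: the interface ID is the leftmost 64 bits of SHA-1 over modifier, subnet prefix, collision count and public key, with the Sec value in the top three bits and the u/g bits cleared. With Sec=0 the additional Hash2 work requirement is empty, so it is omitted. The receiver re-derives the address from the parameters the sender attaches to its NA or RA; a spoofer who does not hold the key cannot produce parameters that verify for the victim's address. The "public key" here is a constructed byte string standing in for a DER-encoded key, and the signature over the NDP message itself is outside this example.

```python
"""Cryptographically Generated Addresses, reduced to the Sec=0 case.

Added example; not from the slides, the KAME project or the SEND WG drafts.
The 'public key' is a constructed byte string standing in for a DER-encoded key.
"""
import hashlib
import ipaddress
import os


def cga_interface_id(modifier: bytes, prefix8: bytes, collision: int, pubkey: bytes, sec: int = 0) -> bytes:
    if len(modifier) != 16 or len(prefix8) != 8 or not 0 <= collision <= 2 or not 0 <= sec <= 7:
        raise ValueError("bad CGA parameters")
    hash1 = hashlib.sha1(modifier + prefix8 + bytes([collision]) + pubkey).digest()[:8]
    iid = bytearray(hash1)
    iid[0] = ((iid[0] & 0x1F) | (sec << 5)) & 0xFC   # top 3 bits = Sec, u/g bits cleared
    return bytes(iid)


def generate_cga(subnet_prefix: str, pubkey: bytes, sec: int = 0, modifier: bytes = None):
    """Return (address, parameters).  The parameters travel with the NDP message
    so that a receiver can re-derive the address from the sender's public key."""
    prefix8 = ipaddress.IPv6Address(subnet_prefix).packed[:8]
    modifier = os.urandom(16) if modifier is None else modifier
    params = {"modifier": modifier, "prefix": prefix8, "collision": 0, "pubkey": pubkey}
    addr = ipaddress.IPv6Address(prefix8 + cga_interface_id(modifier, prefix8, 0, pubkey, sec))
    return addr, params


def verify_cga(addr: str, params: dict) -> bool:
    """Receiver side: recompute the interface ID from the claimed parameters."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:8] != params["prefix"]:
        return False                     # parameters must carry the address's own prefix
    sec = packed[8] >> 5
    try:
        expected = cga_interface_id(params["modifier"], params["prefix"],
                                    params["collision"], params["pubkey"], sec)
    except ValueError:
        return False
    return packed[8:] == expected


def demo():
    pubkey = b"constructed-stand-in-for-a-DER-encoded-RSA-public-key"
    addr, params = generate_cga("fe80::", pubkey, modifier=bytes(range(16)))
    forged = dict(params, pubkey=b"attacker-key")   # NA/RA spoofer claiming the same address
    return addr, params, forged
```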


Privacy Address Extension

Overview:
- Normally the IPv6 interface ID is constructed by EUI-64 using the MAC address, so the source address in an IPv6 packet tells who sent the packet
- Privacy address extension: use a random interface ID

Status: standardized and implemented
- RFC3041
- Windows XP enables it by default

Issues:
- DNS reverse PTR record?
- How to accept connections from outside? (hostname-to-address mapping?)
- Does it really provide enough "privacy"?
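An added example (mine, not code from the slides, the KAME project or any OS implementation) of the RFC 3041 procedure: the stable modified EUI-64 interface ID is derived from the MAC address, and each temporary interface ID is the left half of MD5(history | EUI-64 IID) with the u/l bit forced to zero, the right half of the digest becoming the history for the next round. The MAC address and the initial history value are constructed; a real host seeds the history randomly and keeps it across reboots. The output shows why the PTR and "who sent this" questions on the slide arise: the temporary addresses share the prefix with the stable address but carry nothing that maps back to the MAC.

```python
"""RFC 3041 temporary (privacy) interface identifiers.

Added example; not from the slides, the KAME project or any OS implementation.
The MAC address and the initial history value are constructed.
"""
import hashlib
import ipaddress

SUBNET_ROUTER_ANYCAST_IID = bytes(8)


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64: flip the u/l bit of the OUI and insert ff:fe."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]


def next_temporary_iid(history: bytes, eui64_iid: bytes):
    """One RFC 3041 step: MD5(history | EUI-64 IID); left 64 bits become the new
    IID with the u/l bit forced to 0 ('local'), right 64 bits the next history."""
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history and IID must be 8 bytes")
    digest = hashlib.md5(history + eui64_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD                                   # clear bit 6 of the first octet (u/l)
    new_history = digest[8:]
    if bytes(iid) == SUBNET_ROUTER_ANYCAST_IID:      # reserved; RFC 3041 says regenerate
        return next_temporary_iid(new_history, eui64_iid)
    return bytes(iid), new_history


def temporary_address(prefix: str, history: bytes, mac: bytes):
    """Form a temporary address on the given /64 and return it with the updated history."""
    iid, history = next_temporary_iid(history, eui64_from_mac(mac))
    prefix8 = ipaddress.IPv6Address(prefix).packed[:8]
    return ipaddress.IPv6Address(prefix8 + iid), history


def demo(rounds: int = 3):
    mac = bytes.fromhex("00005e0a0001")              # constructed sample MAC
    history = bytes.fromhex("0123456789abcdef")      # constructed seed; normally random, saved across reboots
    addrs = []
    for _ in range(rounds):
        addr, history = temporary_address("2001:db8:1:2::", history, mac)
        addrs.append(addr)
    stable = ipaddress.IPv6Address(bytes.fromhex("20010db800010002") + eui64_from_mac(mac))
    return stable, addrs
```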


IPv6 Firewall Architecture

An IPv4-like firewall does not coexist with the 'end-to-end principle' (especially IPsec):
- Layer-3/4 packet filter: how to protect or permit end-to-end IPsec communication?
- Application-level gateway: it terminates end-to-end communication
- Personal firewall: can it tolerate a DoS attack?

Firewall architecture needs an update in the IPv6 era. There are some 'IPv6 firewall' products or solutions, but most of them just support IPv6 in their legacy firewall.