
Transition To IPv6


This is a short history of the solutions for Transition to IPv6


Copyright © 2011, Fred Bovy. All rights reserved .

© 2011 Fred Bovy [email protected]. Transition to IPv6—1

Transition To IPv6 October 2011

Fred Bovy

ccie #3013 [email protected]


1st Generation: The IPv6 Pioneers

§  Tunnels for Experimental testing or Enterprises
•  The experimental 6BONE network was created from overlay IPv6 in IPv4 Tunnels over the IPv4 Internet.
§  Dual-Stack
§  Overlay IPv6 in IPv4 Tunnels
•  Manual 6in4 and automatic 6to4
•  And more automatic tunnels
•  Again mostly introduced with Windows: TEREDO to bypass NAT devices and ISATAP to use IPv4 networks as an NBMA network for IPv6.
§  NAT and Private Addresses (RFC1918)
•  In parallel, to make the most of the remaining IPv4 addresses, NAT44 and IPv4 private addresses (RFC1918) were introduced


2nd Generation: SPs transition 1st Phase, the 2000s

§  SPs with MPLS/IPv4 Backbone: 6PE and 6VPE
•  Most SPs were running IPv4/MPLS
•  First Phase of the transition: deploy 6PE/6VPE
§  SPs with IPv4 Backbone: 6RD
•  FREE, a French SP, deployed IPv6 in 5 weeks from a 6to4 stack!
§  Carrier Grade NAT or Large Scale NAT (Testing)
•  DS-Lite = IPv4 in IPv6 Tunnel + CGN
–  SPs who deployed IPv6 chose DS-Lite to support the existing IPv4 customers
–  They deploy it as soon as they have migrated from 6PE/6VPE to native IPv6
–  Some of them planned to replace DS-Lite with A+P when it becomes available
•  Other protocols are designed, some of them are tested: CGN, NAT444, NAT464, dIVI, dIVI-pd
§  Network Address Translation Protocols (NAT)
•  NAT-PT
–  First attempt to translate IPv6 to IPv4 protocols. Deprecated!
•  NAT64/DNS64


3rd Generation: SPs going Stateless, the 2010s

§  Stateful Carrier Grade NAT issues
•  Because of the known issues of stateful CGN, a lot of work is being done to develop and test stateless protocols to share the remaining IPv4 addresses without stateful NAT (CGN).
§  A+P Architecture and Stateless NAT solutions (Testing)
•  To share the remaining IPv4 addresses using the IPv4 source ports, without any stateful NAT in the SP backbone.
§  Users or CPEs have some IP addresses and source ports assigned
§  Not a new solution: FT ORANGE planned A+P in 2009 while they were choosing DS-Lite in the first place
§  The first proposal for A+P at the IETF Taipei 2011 is based on Stateless NAT464 aka dIVI, dIVI-pd and 4RD


Transition Tools - Deployment

[Timeline figure. Time axis: 1996, 2003, 2007, 2010, IETF Taipei 82 – Nov 2011. Rows: Standardization, Deployed, Testing. Tools placed on it: 6BONE †, Dual-Stack, 6in4, 6to4, NAT-PT, 6PE, 6VPE, 6RD, DS-Lite, NAT64, NAT444, NAT464, dIVI, dIVI-pd, A+P; groups labelled IPv6 in IPv4 Tunnels, IPv4 in IPv6 Tunnels and NAT464.]


Network Address Translation

§  NAT44 and IPv4 private addresses in the 90s
§  IPv6 to IPv4 translations
•  NAT-PT † NAT-PT is NAT64 + NAT46 + DNS ALG
•  NAT-PT was replaced by NAT64 and DNS64
§  Carrier Grade NAT or Large Scale NAT
•  NAT444 or double NAT
•  NAT464, dIVI, dIVI-pd
•  DS-Lite = IPv4 in IPv6 Tunnels + NAT44 (LSN)


Dual Stack and Tunneling

§  This was introduced at the very beginning of IPv6 in 1996
§  All clients are now configured by default as dual-stack nodes
§  It is still the best approach for a smooth transition
§  Tunnels are manually, statically configured
§  It may be obvious but for dual-stack you still need IPv4 addresses!

[Figure: IPv6 Hosts on each side, Dual Stack Routers at the edges of an IPv4 network; the IPv6 Packet (IPv6 Hdr) is carried inside an IPv4 Hdr: Tunneling]


Automatic Tunnels for Enterprises: 6to4

Tunnel destination IPv4 address is embedded in the IPv6 address!

[Figure: two 6to4 sites over the IPv4 Internet; the 2002:C044:1::/48 prefix comes from 192.68.0.1, the 2002:C046:1::/48 prefix comes from 192.70.0.1]


SPs MPLS Enabled: 6PE and 6VPE

In the very early 2000s, 6PE was introduced to help the SPs with an MPLS/IPv4 Backbone to provide an IPv6 Service
No Backbone Router upgrade needed!


6RD Automatic Tunnel for SPs

Free, a French SP, customized a 6to4 stack to allow a custom prefix instead of 2002::/16
Free deployed 6RD in 5 weeks in 2007 and immediately started an IPv6 service over the IPv4 backbone, user configurable
4RD is IPv4 in IPv6
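The 6to4 slide shows the site prefix being derived from the tunnel endpoint's IPv4 address, and 6RD keeps the same mechanism with an SP-chosen prefix. The following is an added example, not code from the slides: it treats 6to4 (RFC 3056) as the special case of 6RD (RFC 5969) where the prefix is 2002::/16 and all 32 IPv4 bits are embedded. The 6RD prefix 2001:db8::/32 and the domain address 192.0.0.0/8 used in the usage are constructed values, not Free's parameters. The last function is the decapsulation check described in RFC 3964 for 6to4 traffic: the outer IPv4 source must be the address embedded in the inner IPv6 source, which is one of the few filters available on a tunnel that accepts packets from any IPv4 address.

```python
"""6to4 / 6RD prefix derivation and tunnel endpoint recovery.

Added example; not code from the original slides. 6to4 (RFC 3056) is handled
as the special case of 6RD (RFC 5969) with prefix 2002::/16 and all 32 IPv4
bits embedded.
"""
import ipaddress
from typing import Optional


def delegated_prefix(ipv4: str, rd_prefix: str = "2002::/16",
                     ipv4_mask_len: int = 0) -> ipaddress.IPv6Network:
    """IPv6 prefix a site gets from its tunnel endpoint address `ipv4`.

    rd_prefix:     the SP 6RD prefix (2002::/16 for plain 6to4).
    ipv4_mask_len: leading IPv4 bits common to the whole 6RD domain, which
                   are therefore not embedded (0 for 6to4).
    """
    net = ipaddress.IPv6Network(rd_prefix)
    embedded_bits = 32 - ipv4_mask_len
    # keep only the site-specific low-order IPv4 bits ...
    suffix = int(ipaddress.IPv4Address(ipv4)) & ((1 << embedded_bits) - 1)
    # ... and place them immediately after the 6RD prefix
    shift = 128 - net.prefixlen - embedded_bits
    addr = int(net.network_address) | (suffix << shift)
    return ipaddress.IPv6Network((addr, net.prefixlen + embedded_bits))


def tunnel_endpoint(ipv6: str, rd_prefix: str = "2002::/16", ipv4_mask_len: int = 0,
                    domain_ipv4: str = "0.0.0.0") -> ipaddress.IPv4Address:
    """IPv4 tunnel destination embedded in `ipv6`: the lookup a 6to4/6RD
    router performs for every packet it encapsulates. `domain_ipv4` supplies
    the high-order IPv4 bits 6RD left out (ignored for 6to4).
    Raises ValueError when the address is outside the prefix, i.e. when the
    packet must be routed natively instead of tunnelled."""
    net = ipaddress.IPv6Network(rd_prefix)
    a = ipaddress.IPv6Address(ipv6)
    if a not in net:
        raise ValueError(f"{ipv6} is not inside {rd_prefix}; nothing embedded")
    embedded_bits = 32 - ipv4_mask_len
    shift = 128 - net.prefixlen - embedded_bits
    low = (int(a) >> shift) & ((1 << embedded_bits) - 1)
    high = int(ipaddress.IPv4Address(domain_ipv4)) & (0xFFFFFFFF ^ ((1 << embedded_bits) - 1))
    return ipaddress.IPv4Address(high | low)


def site_source_consistent(outer_ipv4_src: str, inner_ipv6_src: str) -> Optional[bool]:
    """Decapsulation check for packets whose inner source is a 6to4 address:
    the outer IPv4 source must equal the address embedded in it (RFC 3964).
    Returns None when the inner source is not a 6to4 address (e.g. traffic
    from a relay), where this particular check does not apply."""
    try:
        embedded = tunnel_endpoint(inner_ipv6_src)
    except ValueError:
        return None
    return embedded == ipaddress.IPv4Address(outer_ipv4_src)


if __name__ == "__main__":
    print(delegated_prefix("192.68.0.1"))                               # 6to4 site from the slide
    print(delegated_prefix("192.0.2.1", "2001:db8::/32", 8))           # constructed 6RD domain
    print(tunnel_endpoint("2001:db8:2:100::1", "2001:db8::/32", 8, "192.0.0.0"))
    print(site_source_consistent("198.51.100.7", "2002:c044:1::1"))   # spoofed outer source
```

With the constructed 6RD parameters a 32-bit SP prefix plus 24 embedded bits gives each customer a /56, which is the point of 6RD over 6to4: the SP controls both the prefix and the prefix length.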


Dual Stack Lite or DS-Lite

Once the SP has migrated its backbone to IPv6, DS-Lite is used to support RFC1918 IPv4 customers
§  IPv4 in IPv6 Tunnels + NAT44 (LSN at the SP)
§  LSN inside mapping uses Source IPv6 + Source IPv4 + Port
§  LSN allows to share the remaining IPv4 addresses efficiently

But the LSN must keep a lot of state and is a Single Point of Failure shared by many customers

[Figure: DS-Lite topology with the LSN at the SP]


DS-Lite: Help transition to IPv6


Connecting IPv6-only with IPv4-only: AFT64

New IPv6 clients must have access to IPv4 content
§  AFT64 technology is only applicable in the case where there are IPv6-only end-points that need to talk to IPv4-only end-points (AFT64 for going from IPv6 to IPv4)
§  AFT64 := "stateful v6 to v4 translation" or "stateless translation"; ALG still required
§  Key components include NAT64 and DNS64
§  Assumption: network infrastructure and services have fully transitioned to IPv6 and IPv4 has been phased out

[Figure: Residential users with IPv6 ONLY connectivity across Access, Aggregation, Edge and Core (IP/MPLS); NAT64 and DNS64 at the edge toward the IPv4 ONLY Public IPv4 Internet and IPv4 Datacenter]


Protocol Translation: NAT64, DNS64

§  Client requests the IPv6 Address
§  DNS64 translates the request to an IPv4 Address

[Figure: the IPv6 client asks DNS64 "h2.exemple.com ?"; DNS64 asks the DNS "h2.exemple.com ?"; the DNS answers A: 192.0.2.1; DNS64 answers AAAA 64:ff9b::c0:201; the NAT64 sits between the IPv6 side and the Web Server IPv4]


NAT64 and DNS64

§  The session is initialized by the IPv6 client
§  Traffic for the 64:ff9b::/96 prefix is routed to the NAT64 Router
§  NAT64 then converts headers in both directions

[Sequence figure: the client asks DNS64 "h2.exemple.com ?", DNS64 asks the DNS, the DNS answers A: 192.0.2.1 and DNS64 returns AAAA 64:ff9b::c0:201; the client sends SYN to 64:ff9b::c0:201, NAT64 sends SYN to 192.0.2.1 on the IPv4 side (Web Server IPv4), and the SYN+ACK is translated back the same way]
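The two slides above (DNS64 synthesis, then NAT64 translation of the SYN and SYN+ACK) as an added example, not code from the original deck. It uses the well-known prefix 64:ff9b::/96; under RFC 6052 the IPv4 address occupies the low-order 32 bits, so 192.0.2.1 embeds as 64:ff9b::c000:201. FAKE_DNS is a constructed stand-in for the IPv4-side DNS, the client and translator addresses are constructed, nothing touches the network, and NAT64 port state is left out so that the address logic stays visible. Two behaviours matter for correctness: DNS64 synthesizes only when the name has no real AAAA, and the translator leaves packets outside its prefix alone.

```python
"""DNS64 AAAA synthesis and NAT64 address mapping with the well-known
prefix 64:ff9b::/96 (RFC 6052, RFC 6146, RFC 6147).

Added example, not code from the original slides. FAKE_DNS is a constructed
stand-in for the IPv4-side DNS; nothing touches the network.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

WKP = ipaddress.IPv6Network("64:ff9b::/96")   # NAT64 well-known prefix

# name -> (A records, AAAA records): constructed sample zone data
FAKE_DNS: Dict[str, Tuple[List[str], List[str]]] = {
    "h2.example.com": (["192.0.2.1"], []),                  # IPv4-only server
    "dual.example.com": (["192.0.2.2"], ["2001:db8::2"]),   # already reachable over IPv6
}


def embed_ipv4(ipv4: str, prefix: ipaddress.IPv6Network = WKP) -> ipaddress.IPv6Address:
    """RFC 6052 embedding for a /96 prefix: the IPv4 address fills the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WKP) -> Optional[ipaddress.IPv4Address]:
    """Inverse of embed_ipv4. None when the address is outside the NAT64 prefix,
    i.e. native IPv6 traffic the translator must not touch."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in prefix:
        return None
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)


def dns64_resolve(name: str) -> List[str]:
    """AAAA answer a DNS64 gives the IPv6-only client: the real AAAA records if the
    name has any, otherwise one synthesized address per A record ([] if unknown)."""
    a_records, aaaa_records = FAKE_DNS.get(name, ([], []))
    if aaaa_records:
        return list(aaaa_records)
    return [str(embed_ipv4(a)) for a in a_records]


def nat64_forward(ipv6_dst: str, nat64_ipv4: str) -> Optional[Tuple[str, str]]:
    """IPv6 -> IPv4 direction: (IPv4 src, IPv4 dst) of the translated header, where
    nat64_ipv4 is the translator's public address used for this session.
    None means the packet is not for the NAT64 prefix and is routed natively."""
    v4_dst = extract_ipv4(ipv6_dst)
    if v4_dst is None:
        return None
    return (nat64_ipv4, str(v4_dst))


def nat64_reverse(ipv4_src: str, ipv6_client: str) -> Tuple[str, str]:
    """IPv4 -> IPv6 direction for the reply: the IPv4 server becomes the embedded
    address and the packet is sent back to the IPv6 client."""
    return (str(embed_ipv4(ipv4_src)), ipv6_client)


def demo_session() -> List[str]:
    """The exchange on the slide: DNS64 answer, SYN in both directions, SYN+ACK back.
    Addresses are constructed. Returns the header summaries as strings."""
    client, server_name, nat64_ipv4 = "2001:db8:1::10", "h2.example.com", "198.51.100.1"
    aaaa = dns64_resolve(server_name)[0]
    syn_v4 = nat64_forward(aaaa, nat64_ipv4)
    synack_v6 = nat64_reverse(syn_v4[1], client)
    return [f"AAAA {aaaa}", f"SYN {client} -> {aaaa}", f"SYN {syn_v4[0]} -> {syn_v4[1]}",
            f"SYN+ACK {synack_v6[0]} -> {synack_v6[1]}"]


if __name__ == "__main__":
    for line in demo_session():
        print(line)
```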


NAT444: A second level of NAT44

Solution to share the remaining IPv4 addresses among multiple customers


NAT444: LSN Scalability Issue

§  How many streams will the LSN be able to manage?
§  LSN is a Single Point of Failure


NAT444: Overlapping Private Address!


NAT444: 2 customers behind same LSN


NAT444 Network Design Issues

§  Overlapping Addresses
If one of the customer networks uses the same private network number as the NAT CPE to LSN link, we have a severe duplicate network issue!!!
§  Two Customers behind the same LSN want to communicate
Packets with a private source address may be dropped by customer policy (Firewall, ACL, host policy). So the LSN must be used also for local traffic
§  Plus the issues of all LSN-based solutions:
–  Scalability
Behind each CPE NAT there can be many devices. Each device may generate many application streams. How many streams will be supported by the LSN? We do not have enough experience to say ???
–  Single Point of Failure
The LSN device keeps many states. If it reboots, many users will have to restart their applications.


DS-Lite: Connect the IPv4 users

Another solution to share the remaining IPv4 addresses among multiple customers


Stateful NAT464 or Stateless dIVI, dIVI-pd

dIVI is the stateless version to share IPv4 addresses among multiple users using source ports
Stateless means NO NAT or LSN!


Address+Port (A+P)

§  Experimental RFC6346
§  Use some bits of the source port to share an IPv4 address without Stateful NAT, CGN or LSN.
§  Can be implemented on hosts or CPEs, which may have to do some translation for the non-upgraded hosts
§  Requires signaling to request which ports are granted
§  IPv4 Packets must be encapsulated/decapsulated to get sent into tunnels using the ports which are allocated for the host or the CPE
§  The first proposal at the IETF in 2011 relies on Stateless NAT464 aka dIVI, dIVI-pd and 4RD and does not require signaling
§  France Telecom-Orange has a software implementation: http://opensourceaplusp.weebly.com/


dIVI, dIVI-pd or Stateless NAT464

The A+P proposal at the IETF actually relies on dIVI-pd and 4RD.
§  dIVI-pd is Stateless NAT464 and permits translating IPv6 addresses to IPv4 Address+Source Port. It is then possible to share an IPv4 address among many users or CPEs, without requiring any Stateful NAT with all the known problems associated with it.

A very interesting test in large SP domains: "For port configuration, since there are 65536 TCP/UDP ports for each IP address, and in fact one can use hundreds only for normal applications, so one IPv4 address can be shared by multiple customers. In our experiment, we selected ratio to be 128. That is to say, one IPv4 address is shared by 128 users, and there are 512 available ports per user." http://tools.ietf.org/html/draft-sunq-v6ops-ivi-sp-02#page-7
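The port-sharing arithmetic behind A+P and stateless NAT464, as an added example that is not code from the slides or from the cited draft. With the ratio 128 quoted above each subscriber gets 512 ports, and both the CPE and the BR can compute, with no per-flow state, who owns a given (address, port). The contiguous port-set layout, the SP prefix 2001:db8::/32 and the IPv6 address layout in subscriber_ipv6 (SP prefix, then the shared IPv4 address, then a 16-bit subscriber index) are constructed for illustration; each real protocol defines its own bit layout. source_port_allowed is the check a stateless scheme cannot do without: a packet whose source port lies outside the sender's set would have its replies delivered to whichever subscriber owns that port.

```python
"""Port-set arithmetic for stateless IPv4 address sharing (A+P, dIVI/dIVI-pd).

Added example, not code from the slides or from draft-sunq. The contiguous
port-set layout and the IPv6 layout in subscriber_ipv6() are constructed for
illustration; each real protocol defines its own bit layout.
"""
import ipaddress
from typing import Tuple

PORT_SPACE = 65536


def ports_per_user(sharing_ratio: int) -> int:
    """Ports each subscriber receives when sharing_ratio subscribers share one address."""
    if sharing_ratio < 1 or PORT_SPACE % sharing_ratio:
        raise ValueError("sharing ratio must be a power of two up to 65536")
    return PORT_SPACE // sharing_ratio


def port_set(user_index: int, sharing_ratio: int) -> Tuple[int, int]:
    """Inclusive (low, high) port range of subscriber user_index (0-based)."""
    n = ports_per_user(sharing_ratio)
    if not 0 <= user_index < sharing_ratio:
        raise ValueError("user index out of range for this sharing ratio")
    return user_index * n, (user_index + 1) * n - 1


def user_of_port(port: int, sharing_ratio: int) -> int:
    """Subscriber owning `port` on the shared address: the lookup the BR does for
    inbound IPv4 packets, with no per-flow state."""
    if not 0 <= port < PORT_SPACE:
        raise ValueError("port out of range")
    return port // ports_per_user(sharing_ratio)


def source_port_allowed(user_index: int, port: int, sharing_ratio: int) -> bool:
    """Check a CPE or BR applies to outbound packets: the source port must be in
    the sender's own set, otherwise the replies would reach another subscriber."""
    low, high = port_set(user_index, sharing_ratio)
    return low <= port <= high


def subscriber_ipv6(shared_ipv4: str, user_index: int,
                    sp_prefix: str = "2001:db8::/32") -> ipaddress.IPv6Network:
    """Constructed stateless mapping: SP /32 | shared IPv4 (32 bits) | user index (16 bits) -> /80."""
    net = ipaddress.IPv6Network(sp_prefix)
    if net.prefixlen != 32 or not 0 <= user_index < PORT_SPACE:
        raise ValueError("example expects a /32 SP prefix and a 16-bit user index")
    addr = (int(net.network_address)
            | (int(ipaddress.IPv4Address(shared_ipv4)) << 64)
            | (user_index << 48))
    return ipaddress.IPv6Network((addr, 80))


def route_inbound(dst_ipv4: str, dst_port: int, sharing_ratio: int,
                  sp_prefix: str = "2001:db8::/32") -> ipaddress.IPv6Network:
    """BR behaviour for an inbound IPv4 packet: derive the subscriber's IPv6 prefix
    from (destination address, destination port) alone."""
    return subscriber_ipv6(dst_ipv4, user_of_port(dst_port, sharing_ratio), sp_prefix)


if __name__ == "__main__":
    ratio = 128                                        # the ratio quoted from draft-sunq
    print(ports_per_user(ratio), "ports per user")     # 512
    print(port_set(3, ratio))                          # subscriber 3's ports
    print(route_inbound("192.0.2.1", 2047, ratio))     # who gets port 2047
    print(source_port_allowed(3, 2048, ratio))         # a neighbour's port: rejected
```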


Security with the Transition to IPv6


Threats on Transition protocols

§  Dual-Stack
IPv4 scanning can be used to discover the node
IPv4 and IPv6 must be at the same security level
§  Tunnel
Tunnels are an easy target for many possible attacks
Packet Injection
Automatic Tunnels are the most dangerous
Automatic Servers can be the target of DoS attacks
Manual Tunnels should use IPsec!
§  Stateful Translation
Stateful NAT can be the target of DoS attacks
DoS Attacks by address pool depletion
DoS Attack by creating a lot of states or requests which consume CPU


Dual Stack Issues

Dual Stack Nodes may be very well IPv4-protected and poorly IPv6-protected
Dual Stack Nodes can be discovered thanks to an IPv4 scan! And then attacked using IPv6 tools!
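A check for the "same security level" rule stated on the two slides above, as an added example that is not from the deck: it compares the inbound policy of each host's IPv4 and IPv6 stacks and reports the services reachable over IPv6 that IPv4 filters, i.e. exactly what an IPv4 scan of a dual-stack node will not show. The rule syntax ("allow|deny <proto> <port>", last match wins, default deny, "#" comments), the host inventory and the service names are constructed.

```python
"""Dual-stack policy audit: services exposed over IPv6 but filtered over IPv4.

Added example, not from the original slides. Rule syntax and inventory are
constructed: one rule per line, "allow|deny <proto> <port>", last match wins,
default deny, "#" starts a comment.
"""
from typing import Dict, Iterable, List, Set


def effective_allow(rules: Iterable[str]) -> Set[str]:
    """Services (as "tcp/22") left open after applying the rule list in order."""
    allowed: Set[str] = set()
    for raw in rules:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, port = line.split()
        service = f"{proto.lower()}/{int(port)}"
        if action == "allow":
            allowed.add(service)
        elif action == "deny":
            allowed.discard(service)
        else:
            raise ValueError(f"unknown action in rule {raw!r}")
    return allowed


def dual_stack_gaps(inventory: Dict[str, Dict[str, List[str]]]) -> Dict[str, Set[str]]:
    """Per host, services open on the IPv6 stack but closed on the IPv4 stack.
    Hosts without such a gap are omitted, so an empty result means the two
    families are at the same level everywhere."""
    gaps: Dict[str, Set[str]] = {}
    for host, policies in inventory.items():
        v4 = effective_allow(policies.get("ipv4", []))
        v6 = effective_allow(policies.get("ipv6", []))
        if v6 - v4:
            gaps[host] = v6 - v4
    return gaps


# constructed inventory: ssh was closed on IPv4 after a review but forgotten on IPv6
SAMPLE_INVENTORY: Dict[str, Dict[str, List[str]]] = {
    "web1": {"ipv4": ["allow tcp 80", "allow tcp 443", "allow tcp 22",
                      "deny tcp 22  # ssh only via jump host"],
             "ipv6": ["allow tcp 80", "allow tcp 443", "allow tcp 22"]},
    "db1":  {"ipv4": ["allow tcp 5432"], "ipv6": []},          # IPv6 default deny: fine
    "mon1": {"ipv4": ["allow udp 161"], "ipv6": ["allow udp 161"]},
}


if __name__ == "__main__":
    for host, services in dual_stack_gaps(SAMPLE_INVENTORY).items():
        print(f"{host}: reachable over IPv6 only: {sorted(services)}")
```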


Inability to inspect Tunneled Packets

An IPv4 Firewall cannot inspect the IPv6 packet encapsulated in IPv4

[Figure: IPv4 Header | IPv6 Header | IPv6 Payload]


Attacks on Tunnels

Tunneled traffic cannot be inspected
§  Access-Lists and packet inspection cannot inspect the IPv6 packet which is encapsulated in IPv4 packets
§  A solution is to implement multiple Firewalls which inspect packets before they get encapsulated
§  Another solution: when the Tunnel end point is on a Firewall, traffic can be inspected

Easy to inject packets coming from a known Tunnel
§  If an attacker has knowledge of the manual tunnel configuration, it can send packets "originated" from a known tunnel head-end
§  With automatic tunnels it is even easier, as packets can be originated from any address in the network
§  IPsec is the protection
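What a firewall that terminates the tunnel can do and an IPv4-only firewall cannot, as an added example that is not code from the slides: parse the outer IPv4 header of a protocol-41 packet, then the inner IPv6 header, and apply policy to the inner addresses and protocol. The packets are constructed by build_6in4 (checksums are neither computed nor verified), and the tunnel peer, local address and expected inner prefixes are constructed values. The outer-source check only rejects packets from an unknown endpoint; an IPv4 source can be spoofed, which is why the slide names IPsec, not this filter, as the protection against injection.

```python
"""Inspection of 6in4 (IP protocol 41) packets at a tunnel endpoint.

Added example, not from the original slides. Packets are constructed by
build_6in4(); header checksums are not computed or verified.
"""
import ipaddress
import struct
from typing import Dict, Iterable, Optional

IPPROTO_IPV6 = 41   # IPv6 carried directly in IPv4 (6in4, 6to4, 6RD)


def build_6in4(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
               inner_next_header: int = 6, payload: bytes = b"") -> bytes:
    """Constructed 6in4 packet: 20-byte IPv4 header + 40-byte IPv6 header + payload."""
    inner = (struct.pack("!IHBB", 0x60000000, len(payload), inner_next_header, 64)
             + ipaddress.IPv6Address(inner_src).packed
             + ipaddress.IPv6Address(inner_dst).packed + payload)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        IPPROTO_IPV6, 0, ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


def parse_6in4(pkt: bytes) -> Optional[Dict[str, object]]:
    """Outer and inner header fields, or None if this is not a well-formed 6in4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                   # IPv4 options are skipped, not parsed
    if ihl < 20 or len(pkt) < ihl + 40 or pkt[9] != IPPROTO_IPV6:
        return None
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        return None
    payload_len, next_header, _hop_limit = struct.unpack("!HBB", inner[4:8])
    return {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "inner_next_header": next_header,
        "inner_payload_len": payload_len,
    }


def endpoint_verdict(pkt: bytes, tunnel_peer: str, local_addr: str,
                     expected_inner_src: Iterable[str],
                     denied_next_headers: Iterable[int] = ()) -> str:
    """Decision of a firewall terminating a manual tunnel with `tunnel_peer`:
    "accept" or "drop:<reason>". The outer-source test only filters packets from
    endpoints that are not configured; it is no defence against a spoofed source."""
    h = parse_6in4(pkt)
    if h is None:
        return "drop:not-6in4"
    if h["outer_src"] != tunnel_peer or h["outer_dst"] != local_addr:
        return "drop:unknown-tunnel-endpoint"
    inner_src = ipaddress.IPv6Address(h["inner_src"])
    if not any(inner_src in ipaddress.IPv6Network(p) for p in expected_inner_src):
        return "drop:inner-source-not-behind-peer"   # policy on the decapsulated header
    if h["inner_next_header"] in set(denied_next_headers):
        return "drop:inner-protocol-denied"
    return "accept"


if __name__ == "__main__":
    peer, me, behind_peer = "203.0.113.2", "203.0.113.1", ["2001:db8:1::/48"]
    good = build_6in4(peer, me, "2001:db8:1::10", "2001:db8:2::20", payload=b"\x00" * 4)
    injected = build_6in4(peer, me, "2001:db8:9::1", "2001:db8:2::20")
    print(endpoint_verdict(good, peer, me, behind_peer))
    print(endpoint_verdict(injected, peer, me, behind_peer))
```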


Attack by Packet injection in a manual tunnel


Attacks on Stateful NAT64

Stateful NAT can be the target of DoS attacks
§  The attacker sends many IPv6 packets with different source addresses to the same IPv4 target.
§  Each packet consumes an address and a state which must be managed.
§  When there is no more IPv4 address available, there is no more access to IPv4 hosts
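An added example, not code from the slides, serving both the DS-Lite slide ("LSN inside mapping uses Source IPv6 + Source IPv4 + Port", and the NAT444 overlapping-address problem it avoids) and the pool-depletion attack described just above. A toy stateful translator hands out (public address, port) pairs from a deliberately tiny pool so that exhaustion is visible: without a limit, one source burning through addresses inside its /64 takes every entry and a legitimate subscriber gets nothing. The per-subscriber quota keyed on the source /64 is the usual mitigation and is an assumption of this example, not something the slides prescribe; all addresses, the pool and the traffic are constructed.

```python
"""Toy stateful translator (LSN/CGN as used by DS-Lite, or a stateful NAT64)
showing pool depletion and a per-subscriber quota.

Added example, not from the original slides; addresses, pool and traffic are
constructed. Binding key = (tunnel/IPv6 source, inner IPv4 source, port): for
DS-Lite the softwire IPv6 address plus the RFC1918 source, so two customers
reusing the same private address never collide; for NAT64 the inner IPv4
source is absent and passed as "-".
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Binding = Tuple[str, str, int]


class StatefulTranslator:
    def __init__(self, pool: List[str], ports_per_addr: int,
                 max_per_subscriber: Optional[int] = None, subscriber_prefixlen: int = 64):
        # free (public address, public port) pairs: the resource an attacker exhausts
        self.free: List[Tuple[str, int]] = [(a, p) for a in pool for p in range(ports_per_addr)]
        self.bindings: Dict[Binding, Tuple[str, int]] = {}
        self.usage: Dict[str, int] = {}            # state count per subscriber
        self.max_per_subscriber = max_per_subscriber
        self.subscriber_prefixlen = subscriber_prefixlen
        self.dropped = 0

    def subscriber_of(self, ipv6_src: str) -> str:
        """Quota is charged to the source prefix (default /64), not the /128, so
        varying the low 64 bits of the source does not reset the count."""
        return str(ipaddress.IPv6Interface(f"{ipv6_src}/{self.subscriber_prefixlen}").network)

    def translate(self, ipv6_src: str, inner_ipv4_src: str, port: int) -> Optional[Tuple[str, int]]:
        """Public (address, port) for this flow, creating state if needed; None = dropped."""
        key = (ipv6_src, inner_ipv4_src, port)
        if key in self.bindings:                   # existing flow: no new state
            return self.bindings[key]
        sub = self.subscriber_of(ipv6_src)
        if self.max_per_subscriber is not None and self.usage.get(sub, 0) >= self.max_per_subscriber:
            self.dropped += 1                      # quota hit: only this subscriber is affected
            return None
        if not self.free:
            self.dropped += 1                      # pool exhausted: every subscriber loses IPv4
            return None
        public = self.free.pop(0)
        self.bindings[key] = public
        self.usage[sub] = self.usage.get(sub, 0) + 1
        return public


def depletion_scenario(max_per_subscriber: Optional[int]) -> Tuple[int, bool]:
    """Constructed attack: 100 flows from 100 different addresses inside one /64,
    then one flow from a legitimate subscriber.
    Returns (attacker flows admitted, legitimate flow admitted)."""
    nat = StatefulTranslator(pool=["198.51.100.1", "198.51.100.2"], ports_per_addr=8,
                             max_per_subscriber=max_per_subscriber)
    admitted = sum(nat.translate(f"2001:db8:bad::{i:x}", "-", 1024 + i) is not None
                   for i in range(1, 101))
    legit = nat.translate("2001:db8:1::1", "192.168.1.10", 40000) is not None
    return admitted, legit


def overlapping_private_addresses() -> bool:
    """Two DS-Lite customers using the same RFC1918 source and port get distinct
    public bindings because the softwire address is part of the key."""
    nat = StatefulTranslator(pool=["198.51.100.1"], ports_per_addr=8)
    a = nat.translate("2001:db8:a::1", "192.168.1.10", 5000)
    b = nat.translate("2001:db8:b::1", "192.168.1.10", 5000)
    return a is not None and b is not None and a != b


if __name__ == "__main__":
    print("no quota   :", depletion_scenario(None))   # attacker takes the whole pool
    print("quota of 4 :", depletion_scenario(4))      # attacker capped, others unaffected
    print("overlap ok :", overlapping_private_addresses())
```

The pool here is 2 addresses times 8 ports; a real LSN has thousands of ports per address, but the arithmetic is the same, and a quota only helps when the attacker cannot spread across many subscriber prefixes, which is why ingress filtering on the IPv6 side matters as much as the translator's own limits.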


Thank You! [email protected]