IPv6 Introduction and Implications on Network Security
Keith O’Brien, Distinguished Engineer, Cisco
kobrien@cisco.com
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
1
• Keith O’Brien, Distinguished Engineer, Cisco, kobrien@cisco.com
• Specializes in large scale IP routing, network security and incident response within ISP and enterprise networks.
• Working with major US-based ISPs on their transition to an IPv6 network
• Adjunct professor of Computer Science at NYU’s Polytechnic Institute - Graduate Studies
• Visiting Professor of Electrical and Computer Engineering at the United States Coast Guard Academy
• BSEE Lafayette College, MS Stevens Institute of Technology
• CCIE, CISSP, SANS GIAC
• http://keithobrien.org
• Twitter: @keitheobrien
• IPv6 – Why Now?
• Technology Intro
  Comparison to IPv4
  Addressing
  ICMPv6 and Neighbor Discovery
  DHCPv6 and DNS
• IPv4/IPv6 Transition and Coexistence
• IPv6 Security
Key Growth Factors (figure):
• More Devices: nearly 15B connections
• More Internet Users: 3 billion Internet users
• Faster Broadband Speeds: 4-fold speed increase
• More Rich Media Content: 1M video minutes per second
Source: Cisco Visual Networking Index (VNI) Global IP Traffic Forecast, 2010–2015
• IETF IPv6 WG began in the early 90s to solve addressing growth issues, but CIDR, NAT, … were developed
• IPv4 32-bit address = 4 billion hosts
  IANA recently issued their last /8 blocks to the regional registries
• IP is everywhere
  Data, voice, audio and video integration is a reality
• Main compelling reason: more IP addresses
Probability of when each RIR reaches the “last /8 threshold” (figure)
http://www.bgpexpert.com/ianaglobalpool2.php
http://www.potaroo.net/tools/ipv4/rir.jpg
Service Segment | When do you run out of IPv4 addresses? | When is most of the content available on IPv6 network? | What is the device/CPE refresh frequency?
Mobile | Now: devices are already being actively deployed with IPv6 addresses | Growing rapidly | Short refresh cycle
Enterprise | Varies, due to enterprise-specific applications and longer development cycles | Slower ramp | Longer refresh cycle
Wireline | Now: a combination of NAT and IPv6-enabled CPE are being deployed; NAT is already being used at peering points where run-out has occurred | Growing rapidly | Longer refresh cycle
June 6, 2012
• Network equipment vendors, ISPs and content providers are coming together on June 6 to permanently enable IPv6 on the Internet.
• Last June 6th “World IPv6 Day” was a 24-hour “soak” period
• Current players: Akamai, Comcast, AT&T, Cisco, D-Link, Facebook, Free Telecom, Google, Internode, KDDI, Limelight, Bing, Time Warner Cable, Yahoo, Netflix, AOL, NASA, Sprint
• http://www.worldipv6launch.org/
Service | IPv4 | IPv6
Addressing Range | 32-bit, Network Address Translation | 128-bit, Multiple Scopes
IP Provisioning | DHCP | SLAAC, Renumbering, DHCP
Security | IPSec | IPSec Mandated, Works End-to-End
Mobility | Mobile IP | Mobile IP with Direct Routing
Quality-of-Service | Differentiated Service, Integrated Service | Differentiated Service, Integrated Service
Multicast | IGMP/PIM/MBGP | MLD/PIM/MBGP, Scope Identifier
IPv4 Header fields (figure): Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 Header fields (figure): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
Legend: Field’s name kept from IPv4 to IPv6; Fields not kept in IPv6; Name and position changed in IPv6; New field in IPv6
Extension header chaining (figure), each header’s Next Header value naming the header that follows:
  IPv6 header (V, Class, Flow, Len, Next Header = 6, Hop, Source, Destination) → Upper Layer TCP Header → Payload
  IPv6 header (Next Header = 43) → Routing Header (Next Header = 17) → Upper Layer UDP Header → Payload
  IPv6 header (Next Header = 60) → Destination Options (Next Header = 43) → Routing Header (Next Header = 6) → Upper Layer TCP Header → Payload
• Extension Headers Are Daisy Chained
Order | Header Type | Header Code
1 | Basic IPv6 Header | -
2 | Hop-by-Hop Options | 0
3 | Dest Options (with Routing options) | 60
4 | Routing Header | 43
5 | Fragment Header | 44
6 | Authentication Header | 51
7 | ESP Header | 50
8 | Destination Options | 60
9 | Mobility Header | 135
- | No Next Header | 59
Upper Layer | TCP | 6
Upper Layer | UDP | 17
Upper Layer | ICMPv6 | 58
IPv4: 32 bits, IPv6: 128 bits
2^32 = 4,294,967,296
2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
2^128 = 2^32 * 2^96
2^96 = 79,228,162,514,264,337,593,543,950,336 times the number of possible IPv4 addresses (79 trillion trillion)
• IPv6 addresses are 128 bits long
  Segmented into 8 groups of four hex characters (called hextets)
  Separated by a colon (:)
  Default is 50% for network ID, 50% for interface ID
  Network portion is allocated by Internet registries: 2^64 (1.8 x 10^19)
Global Unicast Identifier Example
  gggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  Network portion: Global Routing Prefix (gggg, n <= 48 bits) and Subnet ID (ssss, 64 – n bits); Interface ID: Host (xxxx)
  Full format: 2001:0000:0000:00A1:0000:0000:0000:1E2A
  Abbreviated format: 2001:0:0:A1::1E2A
• Hex numbers are not case sensitive
• Abbreviations are possible
  Leading zeros in a contiguous block of zero groups can be represented by (::)
  2001:0db8:0000:130F:0000:0000:087C:140B
  2001:db8:0:130F::87C:140B
  The double colon can only appear once in the address
• IPv6 uses CIDR representation
  An IPv4 address looks like 98.10.0.0/16
  An IPv6 address is represented the same way: 2001:db8:12::/48
• Only leading zeros are omitted; trailing zeros cannot be omitted
  2001:0db8:0012::/48 = 2001:db8:12::/48
  2001:db80:1200::/48 ≠ 2001:db8:12::/48
• Loopback address representation
  0:0:0:0:0:0:0:1 == ::1
  Same as 127.0.0.1 in IPv4
  Identifies self
• Unspecified address representation
  0:0:0:0:0:0:0:0 == ::
  Used as a placeholder when no address is available (initial DHCP request, Duplicate Address Detection (DAD))
  NOT the default route
• Default route representation
  ::/0
IPv6 allocation hierarchy (figure): IANA (2001::/3) → RIRs (AfriNIC, APNIC, ARIN, LACNIC, RIPE NCC), each holding ::/12 to ::/23 → ISPs (/32 each) → Sites (/48 each)
Partition of Allocated IPv6 Address Space
Partition of Allocated IPv6 Address Space (Cont.)
• The lowest-order 64-bit field of a unicast address may be assigned in several different ways:
  Auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., Ethernet address)
  Auto-generated pseudo-random number (to address privacy concerns)
  Assigned via DHCP
  Manually configured
• This format expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle 16 bits
• To make sure that the chosen address is from a unique Ethernet MAC address, the universal/local (“u”) bit is set to 1 for global scope and 0 for local scope
EUI-64 construction (figure): MAC address 00:90:27:17:FC:0F → 00:90:27:FF:FE:17:FC:0F → first octet 00 = 000000U0, with U = 1 → 02:90:27:FF:FE:17:FC:0F
  Where U = 1 = Unique, 0 = Not Unique
• Addresses are assigned to interfaces
  Change from IPv4 mode:
• An interface is “expected” to have multiple addresses
• Addresses have scope
  Link Local
  Unique Local
  Global
• Addresses have lifetime
  Global, Unique Local, Link Local
  Valid and preferred lifetime
• Three types of unicast address scopes
  Link-Local – Non-routable, exists on a single layer 2 domain (FE80::/64)
    FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
  Unique-Local – Routable within an administrative domain (FC00::/7)
    FCgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
    FDgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  Global – Routable across the Internet (2000::/3)
    2ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
    3ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
• Multicast addresses (FF00::/8)
  FFfs:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
  Flags (f) in the 3rd nibble (4 bits), Scope (s) in the 4th nibble
• Unicast
  Address of a single interface. One-to-one delivery to a single interface
• Multicast
  Address of a set of interfaces. One-to-many delivery to all interfaces in the set
• Anycast
  Address of a set of interfaces. One-to-one-of-many delivery to the single interface in the set that is closest
• No more broadcast addresses
• An interface can have many addresses allocated to it
Address Type | Requirement | Comment
Link Local | Required | Required on all interfaces
Unique Local | Optional | Valid only within an Administrative Domain
Global Unicast | Optional | Globally routed prefix
Auto-Config 6to4 | Optional | Used for 2002:: 6to4 tunnelling
Solicited Node Multicast | Required | Neighbour Discovery and Duplicate Address Detection (DAD)
All Nodes Multicast | Required | For ICMPv6 messages
Address | Scope | Meaning
FF01::1 | Node-Local | All Nodes
FF01::2 | Node-Local | All Routers
FF02::1 | Link-Local | All Nodes
FF02::2 | Link-Local | All Routers
FF02::5 | Link-Local | OSPFv3 Routers
FF02::6 | Link-Local | OSPFv3 DR Routers
FF02::1:FFXX:XXXX | Link-Local | Solicited-Node
http://www.iana.org/assignments/ipv6-multicast-addresses
R1#show ipv6 interface e0
Ethernet0 is up, line protocol is up
IPv6 is enabled, link-local address is
FE80::200:CFF:FE3A:8B18
No global unicast address is configured
Joined group address(es):
All Nodes
FF02::1
All Routers
FF02::2
Solicited Node Multicast Address
FF02::1:FF3A:8B18
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
R1#
Function | IPv4 | IPv6
Address Assignment | DHCPv4 | DHCPv6, SLAAC, Reconfiguration
Address Resolution | ARP, RARP | NS, NA
Router Discovery | ICMP Router Discovery | RS, RA
Name Resolution | DNSv4 | DNSv6
• Internet Control Message Protocol version 6
• RFC 2463
• Modification of ICMP from IPv4
• Message types are similar (but different types/codes)
  Destination unreachable (type 1)
  Packet too big (type 2)
  Time exceeded (type 3)
  Parameter problem (type 4)
  Echo request/reply (type 128 and 129)
• Replaces ARP, ICMP (redirects, router discovery)
• Reachability of neighbors
• Hosts use it to discover routers and to auto-configure addresses
• Duplicate Address Detection (DAD)
• Neighbor discovery uses ICMPv6 messages, originated from a node on the link-local address with a hop limit of 255
• Consists of IPv6 header, ICMPv6 header, neighbor discovery header, and neighbor discovery options
• Five neighbor discovery messages
  Router solicitation (ICMPv6 type 133)
  Router advertisement (ICMPv6 type 134)
  Neighbor solicitation (ICMPv6 type 135)
  Neighbor advertisement (ICMPv6 type 136)
  Redirect (ICMPv6 type 137)
Neighbour Solicitation / Neighbour Advertisement exchange between A and B (figure):
  Neighbour Solicitation (NS): ICMP Type 135; IPv6 Source: A unicast; IPv6 Destination: B solicited-node multicast; Data: FE80:: address of A; Query: What is B’s link-layer address?
  Neighbour Advertisement (NA): ICMP Type 136; IPv6 Source: B unicast; IPv6 Destination: A unicast; Data: FE80:: address of B, MAC address
Router Solicitation / Router Advertisement exchange (figure):
  Router Solicitation (RS): ICMP Type 133; IPv6 Source: A link-local (FE80::1); IPv6 Destination: All Routers Multicast (FF02::2); Query: Please send RA
  Router Advertisement (RA): ICMP Type 134; IPv6 Source: A link-local (FE80::2); IPv6 Destination: All Nodes Multicast (FF02::1); Data: options, subnet prefix, lifetime, autoconfig flag
• Router solicitations (RS) are sent by booting nodes to request RAs for configuring the interfaces
• Routers send periodic Router Advertisements (RA) to the all-nodes multicast address
• Autoconfiguration is used to automatically assign an address to a host (“plug and play”)
  Generating a link-local address
  Generating global addresses via stateless address autoconfiguration
  Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link
Stateless autoconfiguration sequence (figure): host A with MAC 00:2c:04:00:fe:56, router R1 advertising 2001:db8:face::/64
  1. RS from A
  2. Router Advertisement (RA): Ethernet DA/SA = Router R2 / Host A; Prefix Information = 2001:db8:face::/64; Default Router = Router R1
  3. DAD
  Host autoconfigured address comprises prefix received + link-layer address, if the DAD check passes: 2001:db8:face::22c:4ff:fe00:fe56
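Added example (not from the deck) tying the EUI-64 slide, the SLAAC sequence above and the solicited-node entry of the multicast table together: the interface ID derived from a MAC, the link-local and global addresses built from it, the solicited-node group the host joins for DAD, and the reverse mapping back to the MAC, which is what makes EUI-64 addresses trackable. The MAC and prefix are the slides’ own values; only the standard library is used.

```python
import ipaddress
from typing import Optional

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier: insert FF:FE in the middle of
    the 48-bit MAC and flip the universal/local (u) bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    first = octets[0] ^ 0x02          # u bit: 1 = globally unique in EUI-64 terms
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID, which is what SLAAC
    does with an RA prefix whose A flag is set, once DAD succeeds."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local_address(mac: str) -> str:
    """Link-local address the host forms before it has heard any RA."""
    return eui64_address("fe80::/64", mac)


def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx, from the low 24 bits of the unicast address. The host
    joins this group so DAD probes and neighbour solicitations for it arrive."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 based address, or None when the interface
    ID lacks the FF:FE marker (e.g. a privacy/temporary address). This reverse
    mapping is exactly why EUI-64 addresses allow device tracking."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def exploded(addr: str) -> str:
    """Full eight-group form, for comparing addresses written differently."""
    return ipaddress.IPv6Address(addr).exploded


if __name__ == "__main__":
    host_mac = "00:2c:04:00:fe:56"                 # host A on the SLAAC slide
    print(link_local_address(host_mac))
    print(eui64_address("2001:db8:face::/64", host_mac))
    print(solicited_node("FE80::200:CFF:FE3A:8B18"))   # R1's link-local from the show output
    print(mac_from_eui64("FE80::200:CFF:FE3A:8B18"))
```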
DNS records for IPv4 and IPv6 (figure):
  Hostname to IP address – IPv4 A record: www.abc.test. A 192.168.30.1; IPv6 AAAA record: www.abc.test. AAAA 2001:db8:C18:1::2
  IP address to hostname – IPv4 PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.; IPv6 PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.
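Added example (not from the deck) covering the abbreviation rules of the addressing slides and the ip6.arpa owner name of the DNS slide above, written by hand rather than with the ipaddress module so the rules are visible. `same_prefix` shows why only leading zeros may be dropped (2001:db80:1200::/48 is not 2001:db8:12::/48); the compressor follows RFC 5952 and only replaces a run of two or more zero groups.

```python
import re
from typing import List, Tuple

_HEXTET = re.compile(r"[0-9A-Fa-f]{1,4}")


def _hextet(text: str) -> int:
    """One colon-separated group: 1 to 4 hex digits and nothing else."""
    if not _HEXTET.fullmatch(text):
        raise ValueError(f"bad hextet {text!r}")
    return int(text, 16)


def expand(addr: str) -> List[int]:
    """The eight 16-bit groups of an address in text form, handling the '::'
    abbreviation (allowed once) and omitted leading zeros."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        front = [_hextet(h) for h in head.split(":")] if head else []
        back = [_hextet(t) for t in tail.split(":")] if tail else []
        missing = 8 - len(front) - len(back)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        return front + [0] * missing + back
    groups = [_hextet(g) for g in addr.split(":")]
    if len(groups) != 8:
        raise ValueError("address must have exactly eight groups")
    return groups


def compress(addr: str) -> str:
    """Short form: leading zeros dropped, lower-case hex, and the longest run
    of two or more consecutive zero groups replaced by '::'."""
    groups = expand(addr)
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, g in enumerate(groups):
        if g == 0:
            if run_start < 0:
                run_start, run_len = i, 0
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_start, run_len = -1, 0
    text = [f"{g:x}" for g in groups]
    if best_len >= 2:
        left = ":".join(text[:best_start])
        right = ":".join(text[best_start + best_len:])
        return f"{left}::{right}"
    return ":".join(text)


def same_prefix(a: str, b: str) -> bool:
    """True when two CIDR prefixes denote the same block."""
    def key(cidr: str) -> Tuple[int, int]:
        addr, plen_text = cidr.split("/")
        plen = int(plen_text)
        if not 0 <= plen <= 128:
            raise ValueError("prefix length out of range")
        value = 0
        for g in expand(addr):
            value = (value << 16) | g
        mask = ((1 << plen) - 1) << (128 - plen)
        return value & mask, plen
    return key(a) == key(b)


def reverse_name(addr: str) -> str:
    """ip6.arpa ow­ner name for a PTR record: all 32 nibbles, reversed and
    dot-separated, as in the DNS slide."""
    nibbles = "".join(f"{g:04x}" for g in expand(addr))
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    print(compress("2001:0db8:0000:130F:0000:0000:087C:140B"))
    print(same_prefix("2001:0db8:0012::/48", "2001:db8:12::/48"))
    print(same_prefix("2001:db80:1200::/48", "2001:db8:12::/48"))
    print(reverse_name("2001:db8:C18:1::2"))
```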
Dual-stack name lookup (figure): the host asks the DNS server “www.example.org = * ?”; the zone holds www IN A 192.168.0.3 and www IN AAAA 2001:db8:1::1, so the host can reach 192.168.0.3 over IPv4 or 2001:db8:1::1 over IPv6
In a dual stack case an application that:
  Is IPv4 and IPv6-enabled
  Can query the DNS for IPv4 (A) and/or IPv6 (AAAA) records
  Chooses one address and, for example, connects to the IPv6 address
Domain name with IPv6 address only
mSecs | Source | Destination | Prot | Info
0.000 | 64.104.197.141 | 64.104.200.248 | DNS | Standard query A ipv6.google.com (initial query over IPv4 for IPv4 A record)
0.158 | 64.104.200.248 | 64.104.197.141 | DNS | Standard query response CNAME ipv6.l.google.com (DNS response refers to an alias/canonical address)
0.000 | 64.104.197.141 | 64.104.200.248 | DNS | Standard query AAAA ipv6.google.com (host immediately sends a request for the AAAA record of the original FQDN)
0.135 | 64.104.200.248 | 64.104.197.141 | DNS | Standard query response CNAME ipv6.l.google.com AAAA 2404:6800:8004::68 (IPv6 address of canonical name returned)
Domain name with both addresses
mSecs | Source | Destination | Prot | Info
0.000 | 64.104.197.141 | 64.104.200.248 | DNS | Standard query A www.apnic.net (initial query over IPv4 for IPv4 A record)
0.017 | 64.104.200.248 | 64.104.197.141 | DNS | Standard query response A 202.12.29.211 (IPv4 address returned)
0.000 | 64.104.197.141 | 64.104.200.248 | DNS | Standard query AAAA www.apnic.net (host immediately sends a request for AAAA record)
0.017 | 64.104.200.248 | 64.104.197.141 | DNS | Standard query response AAAA 2001:dc0:2001:11::211 (IPv6 address of FQDN returned)
0.001 | 2001:420:1:fff::2 | 2001:dc0:2001:11::211 | ICMPv6 | Echo request (Unknown (0x00)) (host prefers the IPv6 address; configurable)
0.023 | 2001:dc0:2001:11::211 | 2001:420:1:fff::2 | ICMPv6 | Echo reply (Unknown (0x00))
• Manual Assignment
  Statically configured by a human operator
• Stateless Address Autoconfiguration (SLAAC, RFC 4862)
  Allows auto assignment of an address through Router Advertisements
• Stateful DHCPv6 (RFC 3315)
  Allows DHCPv6 to allocate the IPv6 address plus other configuration parameters (DNS, NTP etc…)
• DHCPv6-PD (RFC 3633)
  Allows DHCPv6 to allocate entire subnets to a router/CPE device for further allocation
• Stateless DHCPv6 (RFC 3736)
  Combination of SLAAC for host address allocation and DHCPv6 for additional parameters such as DNS servers and NTP
• Updated version of DHCP for IPv4
• Supports the new addressing
• Can be used for renumbering
• The DHCP process is the same as in IPv4, but:
• The client first detects the presence of routers on the link
• If one is found, it then examines the router advertisements to determine if DHCP can be used
• If no router is found, or if DHCP can be used, then a DHCP Solicit message is sent to the All-DHCP-Agents multicast address, using the link-local address as the source address
• Multicast addresses used:
  FF02::1:2 = All DHCP Agents (servers or relays, link-local scope)
  FF05::1:3 = All DHCP Servers (site-local scope)
  DHCP messages: clients listen on UDP port 546; servers and relay agents listen on UDP port 547
• The RA message contains flags that indicate the address allocation combination (A, M and O bits)
  Use SLAAC only, use stateful DHCPv6, or use SLAAC and DHCPv6 for other options
Stateful DHCPv6 sequence (figure): host A on 2001:db8:face::/64, Router 1 (DHCPv6 relay), DHCP server
  1. Router Advertisement (RA) from Router 1: A bit (Address config flag) set to 0 - do not use SLAAC for host config; M bit (Managed address configuration flag) set to 1 - use DHCPv6 for the host IPv6 address; O bit (Other configuration flag) set to 1 - use DHCPv6 for additional info (DNS, NTP)
  2. Host sends DHCP Solicit to FF02::1:2 (All DHCP Relays)
  3. DHCP server returns 2001:db8:face::1/64, DNS1, DNS2, NTP
• The RA message contains flags that indicate the address allocation combination (A, M and O bits)
  Use SLAAC only, use stateful DHCPv6, or use SLAAC and DHCPv6 for other options
Stateless DHCPv6 sequence (figure): host A, Router 1 (DHCPv6 relay), DHCP server
  1. Router Advertisement (RA) from Router 1: on-link prefix 2001:db8:face::/64; A bit (Address config flag) set to 1 - use SLAAC for host address config; M bit (Managed address configuration flag) set to 0 - do not use DHCPv6 for the IPv6 address; O bit (Other configuration flag) set to 1 - use DHCPv6 for additional info (DNS, NTP)
  2. Host autoconfigures 2001:db8:face::22c:4ff:fe00:fe56
  3. Host sends DHCP Solicit to FF02::1:2 for options only
  4. DHCP server returns DNS1, DNS2, NTP
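Added example (not from the deck): an RA decoder that reports which of the A/M/O combinations of the two sequences above a host would act on, and applies the receiver-side validity checks from RFC 4861 (hop limit 255, link-local source, checksum, option lengths) that an RA monitor on the first hop needs as well. `build_ra` constructs the sample messages it is tested against; the router MAC and prefix are the deck’s own values, and the packets are not captured traffic.

```python
import ipaddress
import struct

ICMPV6 = 58
RA_TYPE = 134                           # ND Router Advertisement
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO = 1, 3
RA_HDR = "!BBHBBHII"                    # type, code, csum, cur hop limit, flags, lifetime, reachable, retrans


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """Checksum over the IPv6 pseudo-header (src, dst, length, next header 58)
    followed by the ICMPv6 message with its checksum field zeroed."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(message), ICMPV6))
    return (~_ones_complement_sum(pseudo + message)) & 0xFFFF


def build_ra(src: str, dst: str, managed: bool, other: bool, prefix: str,
             autonomous: bool, router_mac: str, lifetime: int = 1800) -> bytes:
    """Constructed RA (source link-layer + prefix information options) for the parser below."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if managed else 0) | (0x40 if other else 0)        # M, O
    pio_flags = 0x80 | (0x40 if autonomous else 0)                    # L (on-link), A
    opts = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + bytes.fromhex(router_mac.replace(":", ""))
    opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pio_flags,
                        2592000, 604800, 0) + net.network_address.packed
    body = struct.pack(RA_HDR, RA_TYPE, 0, 0, 64, flags, lifetime, 0, 0) + opts
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def parse_ra(src: str, dst: str, hop_limit: int, message: bytes) -> dict:
    """Decode an RA, classify the host behaviour its A/M/O bits request, and
    collect the RFC 4861 validity checks a receiver or an RA monitor applies."""
    if len(message) < 16 or message[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    problems = []
    if hop_limit != 255:
        problems.append("hop limit is not 255")       # an RA must not have crossed a router
    if not ipaddress.IPv6Address(src).is_link_local:
        problems.append("source is not link-local")
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    if icmpv6_checksum(src, dst, zeroed) != struct.unpack("!H", message[2:4])[0]:
        problems.append("bad ICMPv6 checksum")
    _, code, _, cur_hop, flags, lifetime, _, _ = struct.unpack(RA_HDR, message[:16])
    if code != 0:
        problems.append("ICMP code is not 0")
    managed, other = bool(flags & 0x80), bool(flags & 0x40)
    prefixes, router_mac, pos = [], None, 16
    while pos < len(message):
        olen = message[pos + 1] * 8 if pos + 1 < len(message) else 0
        if olen == 0 or pos + olen > len(message):
            problems.append("malformed option (zero length or truncated)")
            break
        opt, otype = message[pos:pos + olen], message[pos]
        if otype == OPT_SOURCE_LLADDR and olen == 8:
            router_mac = ":".join(f"{b:02x}" for b in opt[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 32:
            valid, preferred = struct.unpack("!II", opt[4:12])
            prefixes.append({"prefix": f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}",
                             "on_link": bool(opt[3] & 0x80), "autonomous": bool(opt[3] & 0x40),
                             "valid": valid, "preferred": preferred})
        pos += olen
    autonomous = any(p["autonomous"] for p in prefixes)
    if managed:                          # slide 54: A=0, M=1, O=1
        mode = "stateful DHCPv6" + (" + SLAAC" if autonomous else "")
    elif autonomous and other:           # slide 55: A=1, M=0, O=1
        mode = "SLAAC + stateless DHCPv6"
    elif autonomous:
        mode = "SLAAC only"
    else:
        mode = "no autoconfiguration"
    return {"mode": mode, "managed": managed, "other": other, "cur_hop_limit": cur_hop,
            "router_lifetime": lifetime, "router_mac": router_mac, "prefixes": prefixes,
            "problems": problems}
```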
• A wide range of techniques have been identified and implemented, basically falling into three categories:
  Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
  Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
  Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
• Expect all of these to be used, in combination
Dual-stack core (figure): dual stack app; IPv6 + IPv4 core with IPv4 + IPv6 edge (IPv4 and/or IPv6 edge); CE – PE – P – P – PE – CE; IPv4 configured interfaces, IPv6 configured interfaces, some or all interfaces in the cloud dual configured
• All P + PE routers are capable of IPv4+IPv6 support
• Two IGPs supporting IPv4 and IPv6
• Memory considerations for larger routing tables
• Native IPv6 multicast support
• All IPv6 traffic routed in global space
• Good for content distribution and global services (Internet)
Dual-stack CE/PE topology (figure: dual stack app, IPv6 + IPv4 core, IPv4 + IPv6 edge, CE – PE – P – P – PE – CE) with the IOS configuration of a dual-stack interface:
ipv6 unicast-routing
interface Ethernet0
 ip address 192.168.99.1 255.255.255.0
 ipv6 address 2001:db8:213:1::1/64
Dual-stack node (figure): IPv6-enabled application over TCP/UDP, over both IPv4 (Ethernet frame protocol ID 0x0800) and IPv6 (frame protocol ID 0x86dd), over Data Link (Ethernet). Preferred method on the application’s servers.
Dual Stack Node Means:
• Both IPv4 and IPv6 stacks enabled
• Applications can talk to both
• Choice of the IP version is based on name lookup and application preference
• GRE
• Manual
• 6to4
• DMVPN
• ISATAP
• MPLS Manual
• MPLS 6PE
GRE tunnel between dual-stack routers (figure): Router1 (IPv4: 192.168.99.1, IPv6: 2001:db8:800:1::3) and Router2 (IPv4: 192.168.30.1, IPv6: 2001:db8:800:1::2), each attached to an IPv6 network, tunnelling across an IPv4 network
router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/128
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode gre ipv6
router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/128
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode gre ipv6
Manual IPv6-in-IPv4 tunnel between dual-stack routers (figure): Router1 (IPv4: 192.168.99.1, IPv6: 2001:db8:800:1::3) and Router2 (IPv4: 192.168.30.1, IPv6: 2001:db8:800:1::2), each attached to an IPv6 network, tunnelling across an IPv4 network
router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/127
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode ipv6ip
router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/127
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode ipv6ip
6to4 tunnel (figure): IPv6 network (CE 2002:c80f:0f01:100::1) – PE 200.15.15.1 (e0/0) with 6to4 prefix 2002:c80f:0f01 – IPv4 backbone network (P, P), where the IPv6 packet travels inside an IPv4 header – PE 200.11.11.1 (e0/0) with 6to4 prefix 2002:c80b:0b01 – IPv6 network (CE 2002:c80b:0b01:100::1)
• Automatic tunnel method using the 2002:IPv4::/48 IPv6 range
  IPv4 embedded in IPv6 format, e.g. 2002:c80f:0f01:: = 200.15.15.1
• No impact on existing IPv4 or MPLS core (IPv6 unaware)
• Tunnel endpoints have to be IPv6 and IPv4 aware (dual stack)
• Transition technology – not for long term use
• No multicast support, static routing
• Intrinsic linkage between destination IPv6 subnet and IPv4 gateway interface
  IPv4 Gateway = Tunnel End point
6to4 relay (figure): IPv6 network (CE 2002:c80f:0f01:100::1) – PE 200.15.15.1 (e0/0) with 6to4 prefix 2002:c80f:0f01 – IPv4 backbone network (P, P), IPv6 packet inside an IPv4 header – PE acting as IPv6 relay, 192.88.99.1 (lo0) / 2002:c058:6301::1 (lo0) – IPv6 Internet 2000::/3
• 6to4 relay allows access to the IPv6 global network
• Can use tunnel anycast address 192.88.99.1
  6to4 router finds the closest 6to4 relay router
  Return path could be asymmetric
• Default route to IPv6 Internet
  BGP can also be used to select a particular 6to4 relay based on prefix
  Allows more granular routing policy
• Additional and increased focus on IPv6 at security conferences such as Blackhat, CanSecWest and others.
• Companies putting additional effort into IPv6 vulnerability research – Stonesoft released 163 new “Advanced Evasion Techniques” – 12 of those are IPv6-specific
• Private security researchers are also putting additional focus on IPv6. Chinese “researchers”, Marc Heuse, Fernando Gont – to name a few
• UK’s CPNI – The Centre for the Protection of National Infrastructure – 220 page report “Security Assessment of the Internet Protocol version 6 (IPv6)”
• The Hacker’s Choice – http://thc.org/thc-ipv6/
• Over 30 tools – included in BackTrack
• “Private” version available
• A sampling
  Parasite6: ICMP neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP MITM (and parasite)
  dnsdict6: parallelized DNS IPv6 dictionary bruteforcer
  fake_router6: announce yourself as a router on the network, with the highest priority
  flood_router6: flood a target with random router advertisements
• Industry as a whole has far less experience with IPv6 vs IPv4
• IPv6 implementations have not been proven over time
• Security tools such as firewalls and IDS have varying levels of IPv6 support. Even when it is claimed to be supported, that level of support varies widely
• IPv6 brings added complexity, which is the enemy of security
• Network engineers and security operations staff are not fully trained on IPv6
• Default subnets in IPv6 have 2^64 addresses
  Sweeping one at 10 Mpps takes more than 50 000 years
• NMAP doesn’t even support ping sweeps on IPv6 networks
2^128 / 6.5 billion = 52 trillion trillion IPv6 addresses per person
  World’s population is approximately 6.5 billion
• Public servers will still need to be DNS reachable
• Increased deployment and reliance on Dynamic DNS – more info in DNS
• Admins might adopt easy-to-remember addresses such as: ::20, ::F00D, ::CAFE, or the last IPv4 octet
• Transition technologies derive IPv6 addresses from IPv4 addresses
• Brute force IPv6 scanning assumes that the addresses are randomly distributed. This has been shown not to be the case*:
  SLAAC – IP based on MAC
  IPv4 based – (2001:0db8::192.168.100.1)
  Low number – (2001:0db8:1:1::1)
(*) Malone, D. 2008. Observations of IPv6 Addresses. Passive and Active Measurement Conference (PAM 2008, LNCS 4979), 29–30 April 2008.
• 3 site-local multicast addresses
  FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers
• Several link-local multicast addresses
  FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, ...
• Some deprecated (RFC 3879) site-local addresses but still used
  FEC0:0:0:FFFF::1 DNS server
• Not feasible from remote
Site-local multicast reach (figure, labelled “DHCP Attack”): a packet with Source = Attacker and Destination = FF05::1:3 reaches the DHCP servers 2001:db8:1::60, 2001:db8:2::50 and 2001:db8:3::70
http://www.iana.org/assignments/ipv6-multicast-addresses/
• Bittorrent will expose IPv6 peers
• Look in web server log files for IPv6 address. Convince the target
to browse to web server
• Email headers from target
• Mailing list archives
• ICMPv6 echo/response
• Send invalid ICMPv6 options and nodes will be forced to reply
• Use Traceroute6
• Look for well-known IPv4 addresses which are linked to IPv6 (e.g. Teredo)
• Neighbor discovery cache of already compromised hosts
root@bt:~# alive6 -s 1 eth1
Alive: 2001:470:67b9:1:234:36ff:fe9c:3132
Alive: 2001:470:67b9:1:21d:29ff:fef9:bc06
Alive: 2001:470:67b9:1:22f:29ff:fe61:1ea1
Alive: 2001:470:67b9:1:259:29ff:fe40:e19a
Alive: 2001:470:67b9:1:231:ebff:fef7:f140
Alive: fe80::ebff:d4ff:fedd:c572
Alive: 2001:470:67b9:1:b917:c2ff:fed9:6b1b
Alive: 2001:470:67b9:1:993:cbff:fea3:1733
Alive: 2001:470:67b9:1:675:dfff:fede:4875
Alive: 2001:470:67b9:1:b67d:caff:fe1b:c7a7
Alive: 2001:470:67b9:1:b78f:cbff:fee9:fd7f
Found 11 systems alive
root@bt:~# ip -6 neigh show
2001:470:67b9:1:7273:cbff:fee9:ddf3 dev eth1 lladdr 70:73:cb:e9:dd:f3 DELAY
2001:470:67b9:1:224:36ff:fe9c:ff56 dev eth1 lladdr 00:24:36:9c:ff:56 DELAY
2001:470:67b9:1:216:cbff:fea3:dd44 dev eth1 lladdr 00:16:cb:a3:dd:44 DELAY
2001:470:67b9:1:223:dfff:fede:1122 dev eth1 lladdr 00:23:df:de:11:22 DELAY
fe80::223:ebff:fedd:1298 dev eth1 lladdr 00:23:eb:dd:12:98 DELAY
2001:470:67b9:1:ba17:c2ff:fed9:11ed dev eth1 lladdr b8:17:c2:d9:11:ed DELAY
2001:470:67b9:1:5a55:caff:fe1b:dfee dev eth1 lladdr 58:55:ca:1b:df:ee DELAY
Address structure (figure): 2001 | /23 | /32 | /48 | /64 | Interface ID
• Temporary addresses for IPv6 host client applications, e.g. a web browser
  Inhibit device/user tracking
  Random 64-bit interface ID, then run Duplicate Address Detection before using it
  Rate of change based on local policy
  Can have this address in addition to the EUI-64 address (based on the MAC address) on an interface
Recommendation: Use Privacy Extensions for external communication but not for internal networks (troubleshooting and attack trace back)
• Google – Many sites use ipv6.example.com or ip6.example.com during the transition phase.
  Search for “site: ipv6*” or “site: ip6*”
• Do an AXFR if DNS is misconfigured
• If DNSSEC is being used try an NSEC walk*. NSEC3 records make this more difficult.
• Try a “brute force”. Perform automated AAAA lookups based on a preconfigured dictionary (i.e. lookup firewall.example.com, server1.example.com, mail.example.com)
• Your host:
  IPv4 is protected by your favorite personal firewall...
  IPv6 is enabled by default (Vista, Linux, Mac OS X, ...)
• Your network:
  Does not run IPv6
• Your assumption:
  I’m safe
• Reality:
  You are not safe
  Attacker sends Router Advertisements
  Your host silently configures IPv6
  You are now under IPv6 attack
• => Probably time to think about IPv6 in your network
• Easy to check!
• Look inside NetFlow records
  Protocol 41: IPv6 over IPv4 or 6to4 tunnels
  IPv4 address: 192.88.99.1 (6to4 anycast server)
  UDP 3544, the public part of Teredo, yet another tunnel
• Look into the DNS server log for resolution of ISATAP
• Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW
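Added example (not from the deck): the three NetFlow checks and the ISATAP DNS check of this slide as code, run over constructed sample records. For protocol-41 flows it also derives the 2002::/48 prefix each IPv4 endpoint would use, following the 6to4 slide’s mapping (2002:c80f:0f01:: = 200.15.15.1), so the analyst knows which IPv6 prefix to search for next. The five-field CSV flow format and the DNS log format are assumptions, not a real NetFlow or resolver export.

```python
import csv
import io
import ipaddress
from typing import List, Tuple

IPV6_IN_IPV4 = 41                                    # IP protocol number
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")
TEREDO_UDP_PORT = 3544

# Constructed sample of exported flows (src, dst, proto, sport, dport); not real data
SAMPLE_FLOWS = """\
192.0.2.5,203.0.113.10,6,51234,443
192.0.2.7,192.88.99.1,41,0,0
192.0.2.9,198.51.100.20,41,0,0
192.0.2.12,203.0.113.77,17,54321,3544
192.0.2.5,192.0.2.1,17,53456,53
"""

# Constructed DNS query-log lines (client, qname, qtype); not real data
SAMPLE_DNS_LOG = """\
192.0.2.5 www.example.net A
192.0.2.8 isatap.corp.example A
192.0.2.9 ipv6.example.net AAAA
192.0.2.8 ISATAP.corp.example A
"""


def sixto4_prefix(ipv4: str) -> str:
    """2002:VVWW:XXYY::/48 for IPv4 VV.WW.XX.YY, e.g. 200.15.15.1 -> 2002:c80f:0f01::/48."""
    o = ipaddress.IPv4Address(ipv4).packed
    return f"2002:{o[0]:02x}{o[1]:02x}:{o[2]:02x}{o[3]:02x}::/48"


def ipv4_from_sixto4(addr: str) -> str:
    """Inverse mapping: the IPv4 tunnel endpoint embedded in a 2002::/16 address."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:2] != b"\x20\x02":
        raise ValueError("not a 6to4 address")
    return str(ipaddress.IPv4Address(packed[2:6]))


def classify_flow(src: str, dst: str, proto: int, sport: int, dport: int) -> List[str]:
    """Reasons a flow points at IPv6 tunnelled across a supposedly IPv4-only network."""
    hits = []
    if proto == IPV6_IN_IPV4:
        hits.append(f"protocol 41 (IPv6 over IPv4); 6to4 prefixes would be "
                    f"{sixto4_prefix(src)} and {sixto4_prefix(dst)}")
    if SIXTO4_RELAY_ANYCAST in (ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)):
        hits.append("6to4 relay anycast 192.88.99.1")
    if proto == 17 and TEREDO_UDP_PORT in (sport, dport):
        hits.append("UDP 3544 (Teredo)")
    return hits


def scan_flows(text: str) -> List[Tuple[str, List[str]]]:
    """[("src -> dst", [reasons]), ...] for every flow that deserves a closer look."""
    findings = []
    for src, dst, proto, sport, dport in csv.reader(io.StringIO(text)):
        hits = classify_flow(src, dst, int(proto), int(sport), int(dport))
        if hits:
            findings.append((f"{src} -> {dst}", hits))
    return findings


def isatap_clients(text: str) -> List[str]:
    """Clients that resolved isatap.<domain>: such a host will build an ISATAP
    tunnel to whatever answers, so the lookup itself is worth an alert."""
    clients = set()
    for line in text.splitlines():
        client, qname, _qtype = line.split()
        if qname.lower().startswith("isatap."):
            clients.add(client)
    return sorted(clients)


if __name__ == "__main__":
    for flow, reasons in scan_flows(SAMPLE_FLOWS):
        print(flow, "->", "; ".join(reasons))
    print("ISATAP lookups from:", isatap_clients(SAMPLE_DNS_LOG))
```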
Router Advertisements contain:
-Prefix to be used by hosts
-Data-link layer address of the router
-Miscellaneous options: MTU, DHCPv6 use, …
RA without any authentication gives exactly the same level of security as DHCPv4 (none)
Rogue RA (figure): 1. RS, Data = Query: please send RA; 2. RA, Data = options, prefix, lifetime, A+M+O flags; outcomes: MITM, DoS
• Devastating:
Denial of service: all traffic sent to a black hole
Man in the Middle attack: attacker can intercept, listen to and modify unprotected data
• Also affects legacy IPv4-only networks with IPv6-enabled hosts
• Most of the time from non-malicious users
• Requires layer-2 adjacency (some relief…)
• The major blocking factor for enterprise IPv6 deployment
Where: What
Routers: increase “legal” router preference
Hosts: disable Stateless Address Autoconfiguration
Routers & Hosts: SeND “Router Authorization”
Switch (first hop): host isolation
Switch (first hop): Port Access List (PACL)
Switch (first hop): RA Guard
• RFC 3972 Cryptographically Generated Addresses (CGA)
IPv6 addresses whose interface identifiers are cryptographically generated from the node’s public key
• SeND adds a signature option to the Neighbor Discovery Protocol
Signed with the node’s private key
The node’s public key is sent in the clear (and linked to the CGA)
• Very powerful
If MAC spoofing is prevented
But not a lot of implementations: Cisco IOS, Linux, some H3C, third party for Windows
• Each device has an RSA key pair (no need for a certificate)
• Ultra light check for validity
• Prevents spoofing of a valid CGA address
Figure: the RSA public key, a modifier and the subnet prefix form the CGA parameters; SHA-1 over them yields the interface identifier, which is appended to the subnet prefix to form the Cryptographically Generated Address; the RSA private key produces the signature carried in SeND messages
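An added worked example of the CGA derivation the figure sketches (example code, not Cisco's or any SeND implementation): RFC 3972 Hash1 is SHA-1 over the CGA parameters, truncated to 64 bits with the Sec bits and the u/g bits set, and verification recomputes it from the parameters that travel with the SeND message. The public key is a constructed placeholder standing in for the DER-encoded RSA key; Sec is fixed at 0 so no Hash2 proof-of-work is needed, and the Duplicate Address Detection retry on the collision count is left out.

```python
"""Cryptographically Generated Addresses (RFC 3972): derive an interface identifier
from a public key, subnet prefix and modifier, and verify an address against its
CGA parameters the way a SeND receiver does. Added example, not Cisco code."""
import hashlib
import ipaddress
import os

SEC = 0  # Sec parameter fixed at 0: no Hash2 proof-of-work is required (RFC 3972 section 4)


def cga_params(modifier, prefix, collision_count, pubkey):
    """Serialize CGA Parameters: modifier(16) | subnet prefix(8) | collision count(1) | public key."""
    if len(modifier) != 16 or len(prefix) != 8 or not 0 <= collision_count <= 2:
        raise ValueError("malformed CGA parameters")
    return modifier + prefix + bytes([collision_count]) + pubkey


def interface_identifier(params, sec=SEC):
    """Hash1 = leftmost 64 bits of SHA-1(params); bits 0-2 carry Sec, bits 6-7 (u/g) are cleared."""
    hash1 = bytearray(hashlib.sha1(params).digest()[:8])
    hash1[0] = (hash1[0] & 0x1C) | (sec << 5)
    return bytes(hash1)


def generate_cga(prefix_str, pubkey, modifier=None, collision_count=0, sec=SEC):
    """Return (IPv6Address, params). A real node bumps collision_count (max 2) when
    Duplicate Address Detection fails; that retry loop is omitted here."""
    prefix = ipaddress.IPv6Network(prefix_str).network_address.packed[:8]
    modifier = modifier if modifier is not None else os.urandom(16)
    params = cga_params(modifier, prefix, collision_count, pubkey)
    return ipaddress.IPv6Address(prefix + interface_identifier(params, sec)), params


def verify_cga(addr_str, params, sec=SEC):
    """True only if the address was built from exactly these params: the prefix inside
    params must match the address and the recomputed Hash1 must match the interface
    identifier, ignoring the Sec and u/g bits that are overwritten by construction."""
    addr = ipaddress.IPv6Address(addr_str).packed
    if len(params) < 25 or params[24] > 2 or params[16:24] != addr[:8]:
        return False
    if (addr[8] >> 5) != sec:
        return False
    mask = bytes([0x1C]) + b"\xff" * 7
    expected = interface_identifier(params, sec)
    return all(a & m == e & m for a, e, m in zip(addr[8:], expected, mask))


# constructed placeholder standing in for a DER-encoded RSA public key
DEMO_PUBKEY = b"constructed-rsa-public-key-placeholder"

if __name__ == "__main__":
    addr, params = generate_cga("2001:db8:1::/64", DEMO_PUBKEY)
    print("CGA:", addr, "verifies:", verify_cga(str(addr), params))
    # a node presenting a different key for the same address fails the ultra-light check
    print("other key verifies:", verify_cga(str(addr), params[:25] + b"other-key"))
```

The "ultra light check" on the slide is exactly verify_cga: one SHA-1 over the parameters the sender already ships, no certificate lookup. Because the interface identifier depends on the key, an impersonator can reuse the address only by reusing the parameters, and then cannot produce the RSA signature that SeND puts on the message.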
• Adding an X.509 certificate to the RA
• The Subject Name contains the list of authorized IPv6 prefixes
Figure: a trust anchor issues the router’s X.509 certificate; the Router Advertisement has source address = CGA, carries the CGA parameter block (including the public key), is signed, and includes the X.509 certificate
• Prevent node-to-node Layer-2 communication by using:
1 VLAN per host (SP access network with a Broadband Network Gateway)
Private VLANs (PVLAN) where a node can only contact the official router
• Link-local scope multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm
• Can also be used on wireless in ‘AP Isolation Mode’
Figure: PCs (public v6) behind their CPEs, each isolated in a PVLAN toward the BNG; an RA is shown on the PVLAN
• Port ACL blocks all ICMPv6 Router Advertisements from hosts
interface FastEthernet3/13
 ipv6 traffic-filter ACCESS_PORT in
 switchport mode access
 access-group mode prefer port
Figure: RAs sent by hosts on the access ports are dropped by the PACL
Figure: a host sends a Router Advertisement (“I am the default gateway”, option: prefix(es)) toward the switch; the switch verifies it (configuration-based, learning-based or challenge-based) and bridges the RA only if verification succeeded
• Switch selectively accepts or rejects RAs based on various criteria
• Can be ACL based, learning based or challenge (SeND) based
• Hosts see only allowed RAs, and RAs with allowed content
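An added example of the RA Guard decision, not Cisco IOS code: a policy with configuration-based criteria (router-facing ports, legal router link-local addresses, allowed prefixes, maximum router preference) plus a learning-based mode, applied to an RA the switch has already parsed. The RA dict layout, the policy field names and the port names are assumptions of this example; the challenge-based (SeND) path is not modelled.

```python
"""RA Guard decision logic at the access switch: bridge or drop a Router Advertisement
using configuration-based criteria or a list of routers learned during a learning
window. Added example; field names and port names are constructed."""
import ipaddress
from dataclasses import dataclass, field

PREF_ORDER = {"low": 0, "medium": 1, "high": 2}   # RFC 4191 router preference values


@dataclass
class RaGuardPolicy:
    router_ports: set = field(default_factory=set)        # ports where routers are expected
    allowed_sources: set = field(default_factory=set)     # link-local addresses of legal routers
    allowed_prefixes: list = field(default_factory=list)  # prefixes hosts may autoconfigure from
    max_router_preference: str = "high"
    learning: bool = False                                # True while the switch records routers
    learned: set = field(default_factory=set)             # (port, source) pairs seen while learning


def evaluate_ra(policy, port, ra):
    """Return ('bridge' | 'drop', reason) for a parsed RA:
    {'src': link-local source, 'prefixes': [...], 'router_preference': 'low'|'medium'|'high'}."""
    src = ipaddress.IPv6Address(ra["src"])
    key = (port, str(src))
    if not src.is_link_local:
        return "drop", "RA source must be link-local (RFC 4861)"
    if policy.learning:
        policy.learned.add(key)
        return "bridge", "learning window: router recorded"
    if policy.learned and key not in policy.learned:
        return "drop", "router not seen during the learning window"
    if policy.router_ports and port not in policy.router_ports:
        return "drop", f"RA received on host-facing port {port}"
    if policy.allowed_sources and str(src) not in policy.allowed_sources:
        return "drop", f"unknown router source {src}"
    pref = ra.get("router_preference", "medium")
    if PREF_ORDER[pref] > PREF_ORDER[policy.max_router_preference]:
        return "drop", f"router preference {pref} above policy maximum"
    allowed = [ipaddress.IPv6Network(p) for p in policy.allowed_prefixes]
    for p in ra.get("prefixes", []):
        net = ipaddress.IPv6Network(p)
        if allowed and not any(net.subnet_of(a) for a in allowed):
            return "drop", f"prefix {p} not in the allowed list"
    return "bridge", "RA passed all checks"


if __name__ == "__main__":
    policy = RaGuardPolicy(router_ports={"Gi1/0/1"}, allowed_sources={"fe80::1"},
                           allowed_prefixes=["2001:db8:1::/64"])
    legit = {"src": "fe80::1", "prefixes": ["2001:db8:1::/64"], "router_preference": "medium"}
    rogue = {"src": "fe80::c0ff:ee", "prefixes": ["2001:db8:1::/64"], "router_preference": "high"}
    print(evaluate_ra(policy, "Gi1/0/1", legit))   # bridge
    print(evaluate_ra(policy, "Gi1/0/7", rogue))   # drop: host-facing port
```

The order of the checks matters: the port test runs before the content tests so that a host port never bridges an RA even if its content happens to be acceptable, which is the "hosts see only allowed RAs" property on the slide.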
• Pretty much like RA: no authentication
Any node can ‘steal’ the IP address of any other node
Impersonation leading to denial of service or MITM
• Requires layer-2 adjacency
Where: What
Routers & Hosts: configure static neighbor cache entries
Routers & Hosts: use Cryptographically Generated Addresses (SeND CGA)
Switch (first hop): host isolation
Switch (first hop): address watch
• Glean addresses in NDP and DHCP
• Establish and enforce rules for address ownership
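An added example of the "address watch" row, not Cisco's IPv6 snooping or device-tracking code: a binding table that gleans (address, MAC, port) from DAD Neighbor Solicitations, Neighbor Advertisements and DHCPv6 replies, and enforces that only the first claimant may use an address until its binding ages out; a DHCPv6-assigned binding overrides one gleaned from NDP. The message field names, MAC addresses and timing values are constructed for the example.

```python
"""Address watch at the first hop: glean IPv6 address bindings from NDP and DHCPv6
and enforce an address-ownership rule. Added example; message layouts are constructed."""
from dataclasses import dataclass


@dataclass
class Binding:
    addr: str
    mac: str
    port: str
    source: str        # 'ndp' or 'dhcp'
    last_seen: float   # seconds


class AddressWatch:
    def __init__(self, lifetime=300.0):
        self.table = {}          # addr -> Binding
        self.lifetime = lifetime
        self.violations = []     # (time, addr, claimant mac, claimant port, current owner)

    def _expire(self, now):
        for addr, b in list(self.table.items()):
            if now - b.last_seen > self.lifetime:
                del self.table[addr]

    def claim(self, addr, mac, port, source, now):
        """Apply the ownership rule; True means the message may be forwarded."""
        self._expire(now)
        owner = self.table.get(addr)
        if owner is None:
            self.table[addr] = Binding(addr, mac, port, source, now)
            return True
        if (owner.mac, owner.port) == (mac, port):
            owner.last_seen = now
            if source == "dhcp":
                owner.source = "dhcp"     # a lease is stronger evidence than a gleaned NDP claim
            return True
        if source == "dhcp" and owner.source == "ndp":
            self.table[addr] = Binding(addr, mac, port, source, now)
            return True
        self.violations.append((now, addr, mac, port, f"{owner.mac}@{owner.port}"))
        return False

    def on_ndp(self, msg, now):
        """msg: {'type': 'NS'|'NA', 'src_ip', 'src_mac', 'port', 'target'} (constructed layout)."""
        if msg["type"] == "NS" and msg["src_ip"] == "::":
            claimed = msg["target"]          # DAD: the host proposes to own the target
        elif msg["type"] == "NA":
            claimed = msg["target"]          # the sender asserts it owns the target
        else:
            claimed = msg["src_ip"]          # an ordinary NS asserts ownership of its source
        return self.claim(claimed, msg["src_mac"], msg["port"], "ndp", now)

    def on_dhcp_reply(self, msg, now):
        """msg: {'client_mac', 'port', 'addr'} from a DHCPv6 REPLY assigning addr (constructed layout)."""
        return self.claim(msg["addr"], msg["client_mac"], msg["port"], "dhcp", now)


if __name__ == "__main__":
    watch = AddressWatch()
    watch.on_ndp({"type": "NS", "src_ip": "::", "src_mac": "00:11:22:33:44:55",
                  "port": "Gi1/0/2", "target": "2001:db8::10"}, now=1.0)
    # another host on another port advertises the same address: blocked and logged
    ok = watch.on_ndp({"type": "NA", "src_ip": "2001:db8::10", "src_mac": "de:ad:be:ef:00:01",
                       "port": "Gi1/0/7", "target": "2001:db8::10"}, now=3.0)
    print("spoofed NA forwarded:", ok, "violations:", watch.violations)
```

A switch that drops the NA (the False return) stops the neighbor cache poisoning; logging the violation tuple gives the operator the port and MAC to look at, which is what the slide means by enforcing address ownership.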
Remote
• Remote router CPU/memory DoS attack if aggressively scanned
The router will do Neighbor Discovery for every address probed... and waste CPU and memory
• Local router DoS with NS/RS/…
Figure: a stream of NS for 2001:db8::1, 2001:db8::2, 2001:db8::3, … toward the router on the 2001:db8::/64 link
• Mainly an implementation issue
Rate limiter, global and per interface
Prioritize renewal (PROBE) rather than new resolution
Maximum neighbor cache entries per interface and per MAC address
• Internet edge/presence: a target of choice
Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
=> Allocate and configure a /64 but use addresses fitting in a /120 in order to have a simple ingress ACL
• Built-in rate limiter but no option to tune it
Since 15.1(3)T: ipv6 nd cache interface-limit
Or IOS-XE 2.6: ipv6 nd resolution data limit
Destination-guard is coming with First Hop Security phase 3
• Using a /64 on point-to-point links => a lot of addresses to scan!
Using /127 could help (RFC 6164)
• Internet edge/presence: a target of choice
Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
• Using an infrastructure ACL prevents this scanning
iACL: edge ACL denying packets addressed to your routers
Easy with IPv6 because a new addressing scheme can be done
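The implementation measures named on these two slides (a rate limiter, PROBE priority over new resolution, per-interface and per-MAC caps), as an added example rather than Cisco IOS code: a toy neighbor cache whose new resolutions are bounded by a token bucket and a per-interface cap on INCOMPLETE entries, whose learned entries are capped per MAC, and whose renewals bypass those limits. simulate_scan() shows a remote sweep of a /64 being cut off while an existing neighbor is still served. All limits, interface names and addresses are constructed.

```python
"""Neighbor cache hardening: caps and rate limits on new resolutions, priority for
renewals. Added example, not Cisco IOS code; all numbers are constructed."""


class NeighborCache:
    def __init__(self, max_incomplete_per_iface=64, max_per_mac=8, rate_per_tick=10):
        self.entries = {}                   # (iface, addr) -> {'state': ..., 'mac': ...}
        self.max_incomplete = max_incomplete_per_iface
        self.max_per_mac = max_per_mac
        self.rate = rate_per_tick
        self.tokens = rate_per_tick         # global token bucket for new resolutions
        self.dropped = 0

    def tick(self):
        """Refill the global token bucket once per time interval."""
        self.tokens = self.rate

    def _incomplete_on(self, iface):
        return sum(1 for (i, _), e in self.entries.items()
                   if i == iface and e["state"] == "INCOMPLETE")

    def _resolved_for_mac(self, mac):
        return sum(1 for e in self.entries.values()
                   if e["mac"] == mac and e["state"] != "INCOMPLETE")

    def resolve(self, iface, addr):
        """Forwarding plane needs a link-layer address: 'cached', 'resolving' or 'dropped'."""
        key = (iface, addr)
        entry = self.entries.get(key)
        if entry is not None and entry["state"] != "INCOMPLETE":
            return "cached"
        if entry is None:
            if self.tokens == 0 or self._incomplete_on(iface) >= self.max_incomplete:
                self.dropped += 1           # packet dropped, no NS sent, no state created
                return "dropped"
            self.tokens -= 1
            self.entries[key] = {"state": "INCOMPLETE", "mac": None}
        return "resolving"

    def learn(self, iface, addr, mac):
        """NA received: complete the entry unless this MAC already owns too many addresses."""
        if self._resolved_for_mac(mac) >= self.max_per_mac:
            self.entries.pop((iface, addr), None)
            return False
        self.entries[(iface, addr)] = {"state": "REACHABLE", "mac": mac}
        return True

    def probe(self, iface, addr):
        """Renewal (PROBE) of an existing entry: never subject to the new-resolution limits."""
        entry = self.entries.get((iface, addr))
        if entry is None or entry["state"] == "INCOMPLETE":
            return False
        entry["state"] = "PROBE"
        return True


def simulate_scan(n=200, iface="Gi0/0"):
    """Constructed scenario: a remote scanner sweeps n addresses of the /64 behind iface.
    Returns (resolutions started, packets dropped, whether a known host could still be renewed)."""
    nc = NeighborCache(max_incomplete_per_iface=64, rate_per_tick=1000)
    nc.learn(iface, "2001:db8::1", "00:00:5e:00:53:01")          # a real, already known host
    results = [nc.resolve(iface, f"2001:db8::{i:x}") for i in range(0x100, 0x100 + n)]
    renewal_ok = nc.probe(iface, "2001:db8::1")
    return results.count("resolving"), results.count("dropped"), renewal_ok


if __name__ == "__main__":
    print("scan of 200 addresses -> (resolving, dropped, renewal still works):", simulate_scan())
```

The /120 trick on the slide attacks the same problem from the other side: if only a /120 worth of addresses can ever be valid behind the edge, the ingress ACL drops the sweep before the router's cache is asked to resolve anything.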
• The RFC allows for multiple and repeating extension headers.
• RFC 3128 is not applicable to IPv6; the extension header chain can be fragmented
• Packets get increasingly complex to parse
Figure:
Original packet: IPv6 hdr | Dest Option | Dest Option | TCP | data
First fragment: IPv6 hdr | Frag Header | Dest Option
Second fragment: IPv6 hdr | Frag Header | Dest Option | TCP | data
• Unlimited size of the header chain (spec-wise) can make filtering difficult
• Potential DoS with poor IPv6 stack implementations
More boundary conditions to exploit
Can I overrun buffers with a lot of extension headers?
Figure: sniffer capture of a “perfectly valid IPv6 packet according to the sniffer”, annotated: a header that should only appear once, a Destination header which should occur at most twice, and a Destination Options header that should be the last
See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html
• Use a stateful firewall which reassembles all of the fragments and then applies the filtering rules
• This only has limited usefulness, as the attacker can keep adding headers and increasing the number of fragments to a point where the firewall can no longer reassemble
• Filter out packets with specific combinations of Extension Headers or number of Extension Headers
• Filter out packets that combine fragmentation with additional Extension Headers
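An added example that applies the filtering rules above to raw packets (example code, not a Cisco or firewall implementation): walk_chain() parses the extension header chain from the bytes, and audit() reports a Hop-by-Hop header out of place or repeated, Destination Options appearing more than twice, repeated Routing/Fragment/AH headers, extension headers following a Fragment header, non-first fragments whose upper layer is invisible without reassembly, over-long chains and chains that run past the end of the packet. build_packet() constructs the test packets; the chain-length threshold and the sample addresses are assumptions.

```python
"""Audit an IPv6 extension header chain before a packet reaches the firewall rule base
or a host stack. Added example; packets and thresholds are constructed."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
               AH: "AH", DEST_OPTS: "Destination Options", 135: "Mobility"}
# ESP (50) is deliberately absent: nothing after it can be parsed without the SA


def walk_chain(pkt):
    """Return (chain, next_header, truncated, frag_offset) for a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain, frag_offset = pkt[6], 40, [], 0
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            return chain, nh, True, frag_offset
        chain.append(nh)
        if nh == FRAGMENT:                       # fixed 8 bytes
            hlen = 8
            frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
        elif nh == AH:                           # HdrExtLen in 32-bit words minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                                    # HdrExtLen in 8-octet units, first unit not counted
            hlen = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hlen
        if chain[-1] == FRAGMENT and frag_offset:
            break                                # not the first fragment: the rest lives elsewhere
    return chain, nh, False, frag_offset


def audit(pkt, max_headers=4):
    """Return a list of policy findings; an empty list means the chain is acceptable."""
    chain, _nh, truncated, frag_offset = walk_chain(pkt)
    findings = []
    counts = {h: chain.count(h) for h in set(chain)}
    if HOP_BY_HOP in chain and (chain[0] != HOP_BY_HOP or counts[HOP_BY_HOP] > 1):
        findings.append("Hop-by-Hop must appear once, directly after the IPv6 header")
    if counts.get(DEST_OPTS, 0) > 2:
        findings.append("Destination Options appears more than twice")
    for h in (ROUTING, FRAGMENT, AH):
        if counts.get(h, 0) > 1:
            findings.append(f"{EXT_HEADERS[h]} header repeated")
    if FRAGMENT in chain and chain.index(FRAGMENT) < len(chain) - 1:
        findings.append("extension headers follow the Fragment header (fragmented header chain)")
    if frag_offset:
        findings.append("non-first fragment: upper layer invisible, reassemble before filtering")
    if len(chain) > max_headers:
        findings.append(f"header chain longer than {max_headers}")
    if truncated:
        findings.append("header chain runs past the end of the packet")
    return findings


def build_packet(ext_headers, upper=6, payload=b"\x00" * 20, frag_offset=0):
    """Constructed test packet: IPv6 header, then ext_headers in order, then an upper-layer stub."""
    chain = list(ext_headers) + [upper]
    body = b""
    for this, nxt in zip(ext_headers, chain[1:]):
        if this == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, frag_offset << 3, 0x1234)
        elif this == AH:
            body += bytes([nxt, 2]) + b"\x00" * 14               # (2 + 2) * 4 = 16 bytes
        else:
            body += bytes([nxt, 0]) + b"\x01\x04" + b"\x00" * 4   # 8 bytes, one PadN option
    body += payload
    src = bytes.fromhex("20010db8000000000000000000000001")        # documentation prefix
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(body), chain[0], 64) + src + dst + body


if __name__ == "__main__":
    print("two Dest Options:", audit(build_packet([DEST_OPTS, DEST_OPTS])))
    print("fragment then Dest Options:", audit(build_packet([FRAGMENT, DEST_OPTS])))
    print("second fragment:", audit(build_packet([FRAGMENT, DEST_OPTS], frag_offset=5)))
```

The two fragment cases correspond to the first and second fragments in the figure: the first carries a Destination Options header after the Fragment header and trips the "fragmentation with additional extension headers" rule; the second cannot be judged at all without reassembly, which is the limitation the first bullet describes.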
• Most IPv4/IPv6 transition mechanisms have no authentication built in
• => an IPv4 attacker can inject traffic if spoofing both IPv4 and IPv6 addresses
Figure: Server A on an IPv6 network, tunnel termination, the public IPv4 Internet (IPv6 in IPv4 tunnel), tunnel termination, Server B on another IPv6 network; the tunnel termination forwards the inner IPv6 packet, and IPv6 ACLs are ineffective since both IPv4 and IPv6 addresses are spoofed
• Unauthorized tunnels—firewall bypass (protocol 41)
• The IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise
This has implications on network segmentation and network discovery
• No authentication in ISATAP—rogue routers are possible
Windows defaults to isatap.example.com
• IPv6 addresses can be guessed based on the IPv4 prefix
Figure: ISATAP router with ISATAP tunnels over the IPv4 network (~ Layer 2 for the IPv6 service); any host can talk to the router, and hosts communicate directly with each other
Figure: a 6to4 relay on the IPv6 Internet with an ACL on its tunnel; 6to4 routers on the IPv4 side; direct tunneled traffic between 6to4 routers ignores the hub ACL
• Teredo navalis
A shipworm drilling holes
in boat hulls
• Teredo Microsoftis
IPv6 in IPv4 punching holes
in NAT devices
Source: United States Geological Survey
• All outbound traffic inspected: e.g., P2P is blocked
• All inbound traffic blocked by the firewall
Figure: IPv4 intranet behind an IPv4 firewall toward the IPv4 Internet; a Teredo relay connects the IPv4 Internet to the IPv6 Internet
Teredo threats—IPv6 over UDP (port 3544)
• Internal users want to get P2P over IPv6
• Configure the Teredo tunnel (already enabled by default!)
• FW just sees IPv4 UDP traffic (may be on port 53)
• No more outbound control by the FW
Figure: same topology; the Teredo tunnel from the intranet host crosses the IPv4 firewall to the Teredo relay and on to the IPv6 Internet
Once Teredo is configured
• Inbound connections are allowed
• The IPv4 firewall is unable to control them
• IPv6 hackers can penetrate
• Host security needs IPv6 support now
Figure: same topology; inbound IPv6 traffic from the IPv6 Internet reaches the intranet host through the Teredo relay and across the IPv4 firewall
Residential Broadband Service Case: CPE based, Scenarios 1 thru 5 and future (red: new or changed function in the network)
Figure: CPE types IPv4-only, 6rd CE, dual-stack and IPv6-only; network functions CGN, CGN + 6rd BR, and stateful [DS Lite] or stateless 46 IPv4 address sharing; private IPv4 vs public IPv4 toward the subscriber; IPv4 Internet access and IPv6 Internet access over an IP NGN backbone (1. running 6PE/6vPE, 2. running dual-stack) to the IPv4 Internet and the IPv6 Internet
• Use of Carrier Grade NAT will require more information to be gathered in order to accurately identify a subscriber.
• Currently a simple IPv4 address and a time frame are normally sufficient
• With the advent of IPv6 and IPv4 address exhaustion you will need more.
• The following should be gathered:
IPv4 address (source and destination)
IPv6 address if in use
TCP/UDP ports (source and destination)
Time
Figure: subscriber network (IPv4 host, IPv6 host, IPv4+IPv6 host) behind a customer router; dual-stack SP network using RFC1918 addresses; SP NAT sharing IPv4 address(es) toward the IPv4 Internet; IPv6 routed natively to the IPv6 Internet
• More likely scenario:
IPv6 being available all the way to the consumer
SP core and customer have to use IPv4 NAT due to v4 depletion
• Every IPv4 address has a reputation
Either blacklist or more sophisticated (senderbase.org)
Used to detect spam, botnet members, …
• It is fine as long as:
One IPv4 == One legal entity (subscriber)
• What if
One IPv4 == 10.000 entities/subscribers through SP NAT?
• Usual way to block a Denial of Service (DoS) against a server is to block
the source IPv4 address(es)
Before SP NAT: ok because it blocks only the attacker
With SP NAT: will block the attacker but also 9.999 potential users/customers
• Servers currently keep only the remote IPv4 address in their logs
• Law Enforcement Agencies (LEA) can request any ISP to get the subscriber ID of this IPv4 address at a specific time
• With SP NAT, there will be 10,000 subscribers using this IPv4 address
• The SP will have to keep all the translation logs (data retention)
<time, subscriber internal IP, subscriber internal TCP/UDP port, subscriber external TCP/UDP port, Internet IP, Internet TCP/UDP port>
<10:23:02 UTC, 10.1.2.3, 6543, 23944, 91.121.200.122, 80>
• AND the server will have to extend its log to include the TCP/UDP port
• “At 10:23:02 who was using the shared port 23944?”
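An added example (not from the deck or any CGN product) of answering that question from retained translation records: the slide's tuple is prefixed with a START/STOP event so each session has a duration, and two lookups show why the server's log needs the port once a shared external port is reused. The log lines, the day, the addresses and the ports are constructed.

```python
"""Answer "at 10:23:02 who was using shared port 23944?" from a CGN translation log.
Added example; the START/STOP log format and all sample values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Translation:
    start: datetime
    end: Optional[datetime]      # None while the session is still open
    internal_ip: str
    internal_port: int
    external_port: int
    remote_ip: str
    remote_port: int


def parse_time(hms, day):
    """'10:23:02 UTC' plus an ISO day -> timezone-aware datetime."""
    return datetime.strptime(f"{day} {hms}", "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_cgn_log(lines, day):
    """Lines are the slide's tuple prefixed with an event (constructed format):
    '<START|STOP>, <time>, <internal IP>, <internal port>, <external port>, <Internet IP>, <Internet port>'."""
    open_sessions, closed = {}, []
    for line in lines:
        event, hms, iip, iport, eport, rip, rport = [f.strip() for f in line.split(",")]
        key = (iip, int(iport), int(eport), rip, int(rport))
        when = parse_time(hms, day)
        if event == "START":
            open_sessions[key] = Translation(when, None, iip, int(iport), int(eport), rip, int(rport))
        elif event == "STOP" and key in open_sessions:
            session = open_sessions.pop(key)
            session.end = when
            closed.append(session)
    return closed + list(open_sessions.values())


def _active(t, when):
    return t.start <= when and (t.end is None or when <= t.end)


def find_subscriber(translations, when, external_port, remote_ip=None, remote_port=None):
    """Internal IPs whose session owned external_port (toward the remote endpoint, if given) at time when."""
    return sorted({t.internal_ip for t in translations
                   if t.external_port == external_port
                   and (remote_ip is None or t.remote_ip == remote_ip)
                   and (remote_port is None or t.remote_port == remote_port)
                   and _active(t, when)})


def subscribers_at(translations, when):
    """Everyone behind the shared address at time when: what a request by IP and time alone yields."""
    return sorted({t.internal_ip for t in translations if _active(t, when)})


# constructed sample: the slide's entry plus neighbours; external port 23944 is reused after 10:22:30
SAMPLE_LOG = [
    "START, 10:20:00 UTC, 10.1.2.3, 6543, 23944, 91.121.200.122, 80",
    "START, 10:21:15 UTC, 10.1.7.9, 40112, 23945, 198.51.100.7, 443",
    "STOP,  10:22:30 UTC, 10.1.2.3, 6543, 23944, 91.121.200.122, 80",
    "START, 10:22:45 UTC, 10.1.9.4, 51000, 23944, 91.121.200.122, 80",
    "STOP,  10:30:00 UTC, 10.1.9.4, 51000, 23944, 91.121.200.122, 80",
]
DAY = "2010-01-10"

if __name__ == "__main__":
    sessions = parse_cgn_log(SAMPLE_LOG, DAY)
    t = parse_time("10:23:02 UTC", DAY)
    print("by shared address and time only:", subscribers_at(sessions, t))
    print("by address, time and port 23944:", find_subscriber(sessions, t, 23944, "91.121.200.122", 80))
```

With only the address and the time, the answer is every subscriber active at that second; with the port from the server's log it narrows to one, and the reuse of port 23944 at 10:22:45 shows why the server's timestamp must be trustworthy to the second as well.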
The operator has an expanding customer base, but does not have enough IPv4 addresses to service new customers.
The business need is to be able to assign new users an IP address and give those new subscribers access to IPv4 Internet content as well as IPv6 Internet content.
Possible Scenarios
1.1 IPv6 address to subscriber with Carrier Grade NAT
1.2 Carrier Grade NAT with private v4 address
1.3 Dual stack: private v4 and public v6 at customer
1.4 Dual stack: public v4 and public v6 at customer
Thank you.