Understanding IPv6

Nicholas A. Hay
Monroe County ISD
nicholas.hay@monroeisd.us
Some of the session materials in the
presentation were from a presentation that
Merit sponsored with a presenter from
NYSERNet. A thank you goes to Jeff
Harrington for his presentation and materials
I used for this presentation.
Why IPv6?
• Address Depletion
– As of 2/2011, the IANA free pool has been depleted.
– APNIC and RIPE are under emergency allocation
policies and ARIN is projected to be depleted in
March 2015.
• Service providers who run out of IPv4 addresses
are planning to implement Carrier Grade NAT
(sometimes referred to as NAT444)
– Services like VPNs, Remote Desktop, Skype, etc.
may stop working from home networks to campuses.
– How will that impact your user community?
Why IPv6?
• Removes the need to NAT since every address is
a public address.
– NAT can break things, especially multimedia.
• The size of the address space is 2^128, versus
2^32 in IPv4.
• Every organization receiving IPv6 address space
will have enough addresses to cover current and
long term needs.
• IPv6 may be the only way to continue to provide
some services.
• IPv4 will probably be phased out over the next 15
years. It is not a matter of if but when.
Why IPv6?
• IPv6-only networks on the internet are
increasing.
– The XBOX network is an IPv6-only network.
• Note: a lot of IP phone systems do not
support IPv6.
Why move to IPv6?
• Worldwide communication. IPv6 is needed for
populated areas such as China and Europe.
• IPv6-only networks will appear sooner rather
than later.
• Networks have grown haphazardly and
organically.
– Subnets have been allocated inefficiently.
– Services have grown past their intended purpose.
– Design changes cannot be made now without
impacting services in production.
• IPv6 gives you the opportunity for a fresh look at
your network design.
Why move to IPv6?
• Adoption has been slow for no particular
reason.
– No deadline like Y2K
– No killer app
– IPv6 compatibility is now a requirement for
government bids.
– People are desensitized: there has been a lot
of buzz about it, but nobody sees any urgency
in implementing it.
Why move to IPv6 now?
• Security
– Most devices are already running IPv6.
– Exploits for IPv6 already exist
• Deployment
– IPv6 requires planning and may take 1-2
years to implement
• Eliminate the need to NAT users and
devices.
IPv4 vs IPv6 Packet Types
• Similarities
– Unicast
– Multicast
– Anycast
• Differences
– No Broadcast in IPv6.
• This feature is taken over by multicast
• Helps mitigate some DDoS attacks
IPv6 Addressing Usage
• 2 distinct components
– 64-bit field designated for the network portion
– 64-bit field designated for the host portion
• There are a few exceptions
IPv6 Address Representation
• All addresses are 128 bits
• Write as sequence of eight groups of four
hex digits (16 bits each) separated by
colons
• E.g.
3ffe:3700:0200:00ff:0000:0000:0000:0001
Types of Unicast Addresses
• Unspecified address
– All zeros (::)
– Used as source address during initialization
– Also used in representing default
• Loopback address
– Low-order one bit (::1)
– Same as 127.0.0.1 in IPv4
• Link-local address
– Unique on a subnet
– Auto configured
– High-order: FE80::/10
– Low-order: interface identifier
– Routers must not forward any packets with link-local source or
destination addresses
Obtaining IPv6 Addresses
• Provider-Independent (PI)
– You can reserve a range from ARIN and you
can move it from one ISP to another.
• Provider-Assigned (PA)
– The minimum you should receive is a /48
– Only usable if you have a single connection.
– You get this from your ISP that is part of their
scope.
IPv6 Addresses Scope
• Sizing
– http://www.howfunky.com/2014/01/gettingyour-first-ipv6-address.html
Number of Sites      Prefix Block Size
1                    /48
2-12                 /44
13-192               /40
193-3,072            /36
3,072-49,152         /32
Representation of IPv6 Address
• All addresses are 128 bits
• Write as sequence of eight groups of four
hex digits (16 bits each) separated by
colons
– Leading zeros in group may be omitted
– A contiguous all-zero group may be replaced
by “::”
• Only one such group can be replaced
IPv6 Notation
• In IPv6 every address is written:
– <ipv6-address> / <prefix length>
• For example:
– 2001:0db8::/36
– 2001:0db8::/32
• At the bit level:
– 0010 0000 0000 0001: 0000 1101 1011 1000::/36
– 0010 0000 0000 0001: 0000 1101 1011 1000::/32
• These look the same, except for the prefix length
IPv6 Addressing Example
• Consider
– 3ffe:3700:0200:00ff:0000:0000:0000:0001
• This can be written as
– 3ffe:3700:200:ff:0:0:0:1 or
– 3ffe:3700:200:ff::1
• Both reduction methods are used here.
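The two reduction rules from this slide and the "Representation of IPv6 Address" slide, implemented as an added example (this code is not from the presentation). It goes slightly beyond the slides by following RFC 5952, which is also what Python's ipaddress module emits: "::" replaces only the longest run of two or more zero groups (the first such run on a tie), and a lone zero group is written as 0.

```python
import ipaddress

HEX = set("0123456789abcdefABCDEF")

def expand(addr):
    """Write an address as eight 4-digit hex groups (the long form on the slides)."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % addr)
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 4 and set(g) <= HEX for g in groups):
        raise ValueError("expected eight groups of 1-4 hex digits: %r" % addr)
    return ":".join("%04x" % int(g, 16) for g in groups)

def compress(addr):
    """Apply both reduction rules: drop leading zeros in each group, then replace the
    longest run of two or more all-zero groups (the first one on a tie) with '::'."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len, run_start = 0, 0, None
    for i, g in enumerate(groups + [1]):  # sentinel closes a trailing zero run
        if g == 0:
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    short = ["%x" % g for g in groups]
    if best_len < 2:  # RFC 5952: a single zero group is written as '0', not '::'
        return ":".join(short)
    return ":".join(short[:best_start]) + "::" + ":".join(short[best_start + best_len:])

def is_canonical(addr):
    """True when compress() agrees with the standard library's canonical text form."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))

if __name__ == "__main__":
    for a in ("3ffe:3700:0200:00ff:0000:0000:0000:0001", "3ffe:3700:200:ff:0:0:0:1", "::1", "fe80::"):
        print(a, "->", compress(a), "->", expand(compress(a)), is_canonical(a))
```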
Assigning IPv6 Addresses
• Static
– Similar to IPv4, but not as easy to configure or
remember as IPv4
– Good for Servers and Printers.
• Stateless Address Autoconfiguration (SLAAC)
– Assumes that each interface can provide a unique
identifier for that interface
• DHCPv6
– Provides DNS info
– Better control and tracking of IPv6 usage
– Doesn’t work on Android devices. SLAAC is needed.
Assigning IPv6 Addresses
• Most organizations will probably need to
implement SLAAC and DHCPv6
IPv6 Security Considerations
• Most of the same threats still exist
– Sniffing
– Rogue devices
– Man-in-the-middle (MITM) attacks
– Flooding
• IPsec is built-in to IPv6 spec
– Could mitigate most of these threats, if used
– IPv4 ESP traffic estimated as low as 0.9%
– IPv6 accounts for <1% of traffic on Internet2,
making IPsec usage largely insignificant
– http://www.uoregon.edu/~joe/ipv6-security/
IPv6 Security Considerations
• Most host OS implementations have IPv6
on by default
– Devices can communicate using the link-local
addresses
– Autoconfiguration means no administrative
involvement necessary to have “live” IPv6
hosts on your network
IPv6 DNS
• Similar to IPv4
• It is impossible to remember IPv6 addresses
and DNS is the only way to remain sane.
• Forward lookups use AAAA records to map names
to addresses.
• Both A and AAAA records can be advertised in
the same domain.
• Host OSes prefer IPv6 responses by default and
will try IPv6 before IPv4.
IPv6 Planning
• IPv6 requires some thoughtful planning to
help address future growth and grouping of
subnets
• Perform an assessment of existing
infrastructure
– Get all switches, software versions and end of
service dates, and validate whether they support IPv6.
Check which features are supported, since
"IPv6 support" can mean many things.
• Assess applications and validate whether they are
IPv6 ready.
IPv6 Planning: Subnetting
• Each “site” should receive a /48. This will leave 16
bits left for subnetting (0000 – FFFF). So what do you
do with it?
Network address (48 bits) | subnet (16 bits) | EUI host address (64 bits)
• Subnets or combinations of nets & subnets, or VLANs,
etc., e.g.
– 192.168.129.0/24  ->  2001:DB8:C0A8:0081::/64
– 172.16.32.0/24    ->  2001:DB8:AC10:0020::/64
– 10.0.164.0/24     ->  2001:DB8:0A00:00A4::/64
• /64 is what a subnet SHOULD BE!!!!! DON'T
CHANGE IT. THIS MAY BREAK SOME SERVICES
IPv6 Planning: Subnetting
• A site is /48
• First-level subnetting (e.g. districts for
ISDs) would be /52 top-level subnets (16
subnets)
• Second level is usually /56 or /60
• Third level usually /60
• /64 is the host/user level.
IPv6 Planning: Subnetting
New Subnet Concepts
• You can use “all 0s” and “all 1s”! (0000, ffff)
• You’re not limited to 254 hosts per subnet!
• Switch-rich LANs allow for larger broadcast domains
(with tiny collision domains), perhaps thousands of
hosts/LAN…
• No “secondary subnets” (though >1 address/interface)
• Every /64 subnet has far more than enough addresses
to contain all of the computers on the planet, and with
a /48 you have 65536 of those subnets - use this
power wisely!
IPv6 Planning
• Develop a rollout plan once your address
space and subnets are worked out
– Will probably run in Dual Stack mode rather than
just IPv4 or IPv6. Both will run side by side.
– Get IPv6 address space
– Work with ISP to advertise IPv6 range
– Set up router/firewall
– Configure other network switches with IPv6
– Configure IPv6 on servers and other devices
– Clients
IPv6 Tools
• UK CPNI Toolkit (SI6 Networks IPv6 Toolkit)
– Provides assessment tools to discover known IPv6
exploits - ICMP, NA/ND, RA/RS, etc.
– http://www.si6networks.com/tools/ipv6toolkit/
• THC-ipv6
– Scans for IPv6 vulnerabilities
– www.thc.org/thc-ipv6
• ipv6mon
– Active probes to discover IP addresses in use.
– http://www.si6networks.com/tools/ipv6mon
• Chrome Plugin to detect IPv4 or IPv6 website
– IPvFoo
Dual Stack
• This is what most organizations will do: run
IPv4 and IPv6 together, which makes migration
painless since clients can use both.
Securing your Current Network
• http://blogs.cisco.com/security/securingipv6/
• RA (Router Advertisement) Guard
– Enabled per switch port with ipv6 nd raguard on Cisco
switches; note that ipv6 nd suppress-ra only stops the
router’s own interface from sending RAs.
– This ensures that a device plugged into your network
can’t hijack traffic by advertising its route, since
IPv6 routes take priority over IPv4.
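An added example (not from the presentation, and not Cisco's RA Guard implementation) of the decision RA Guard makes on a port: decode an ICMPv6 Router Advertisement and accept it only from a known router advertising the expected site prefix. The trusted router address fe80::1 and the site prefix are assumptions, and the RA bytes are constructed inline as test input.

```python
import ipaddress
import struct

# Constructed allowlist: link-local addresses of the legitimate routers on one VLAN,
# and the site prefix those routers are expected to advertise (the /48 from the slides).
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
EXPECTED_SITE = ipaddress.IPv6Network("2620:11b:1000::/48")

ND_ROUTER_ADVERT = 134  # ICMPv6 type for Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3     # ND option: Prefix Information (32 bytes)

def parse_ra(payload):
    """Decode an ICMPv6 Router Advertisement into (router lifetime, [advertised prefixes]).
    Returns None when the payload is not an RA."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        return None
    lifetime = struct.unpack("!H", payload[6:8])[0]  # seconds this router may serve as default
    prefixes, off = [], 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1] * 8  # length is in 8-octet units
        if opt_len == 0 or off + opt_len > len(payload):
            break  # malformed or truncated option: stop rather than loop forever
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen = payload[off + 2]
            prefixes.append(ipaddress.IPv6Network((payload[off + 16:off + 32], plen), strict=False))
        off += opt_len
    return lifetime, prefixes

def classify_ra(src, payload):
    """'trusted' for a known router advertising only expected prefixes, 'unexpected-prefix'
    for a known router leaking something else, 'rogue' for any RA from an unknown source."""
    parsed = parse_ra(payload)
    if parsed is None:
        return "not-an-RA"
    _lifetime, prefixes = parsed
    if ipaddress.IPv6Address(src) not in TRUSTED_ROUTERS:
        return "rogue"
    if all(p.subnet_of(EXPECTED_SITE) for p in prefixes):
        return "trusted"
    return "unexpected-prefix"

def sample_ra(lifetime, prefix, plen):
    """Constructed test input: a minimal RA with one Prefix Information option
    (checksum left at zero; this is only fed to the parser, never sent)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    print(classify_ra("fe80::1", sample_ra(1800, "2620:11b:1000::", 64)))    # trusted
    print(classify_ra("fe80::dead", sample_ra(1800, "2001:db8:bad::", 64)))  # rogue
```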
Sample Network Diagram
Our IPv6 Space
• We have approx. 20 districts and over 100
buildings. We are looking to treat each
district as a “site” that gets a /48.
Our IPv6 Space
• 2620:11B:1000::/48                   District 1
  – 2620:11B:1000:00::/56              Building 1 (up to 256)
    • 2620:11B:1000:0000::/64          network a (up to 256)
    • 2620:11B:1000:0001::/64          network b
  – Could do a /60 and /64 to segment the network rather than /56
    and /64 to further identify equipment
    » Ex: one nibble could be an identifier for whether the network is
      wireless, wired, staff, students, printers, etc.
  – Each /64 network can have up to
    18,446,744,073,709,551,616 IP addresses!
  – 2620:11B:1000:0f::/56              Building 15
• 2620:11B:1001::/48                   District 2
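An added example (not from the presentation) that carves the district /48 above into the /56-per-building and /64-per-network hierarchy of the "Our IPv6 Space" slides, plus the two variants the slides mention: the one-nibble role identifier (/60) and the IPv4-subnet-to-/64 mapping from the "IPv6 Planning: Subnetting" slide. The role codes and the consecutive district numbering are assumptions.

```python
import ipaddress

# From the slides: district 1 owns 2620:11B:1000::/48, one /48 per district,
# a /56 per building (256 per district) and a /64 per network (256 per building).
DISTRICT_1 = ipaddress.IPv6Network("2620:11B:1000::/48")

def district(index):
    """Assumed numbering: district N is the Nth consecutive /48 (1 -> ...:1000::/48, 2 -> ...:1001::/48)."""
    return ipaddress.IPv6Network((int(DISTRICT_1.network_address) + ((index - 1) << 80), 48))

def building(district_48, index):
    """/56 per building: the index fills bits 48-55, the high byte of the fourth group,
    so building 15 is 2620:11b:1000:f00::/56."""
    if not 0 <= index < 256:
        raise ValueError("a /48 holds only 256 /56 buildings")
    return ipaddress.IPv6Network((int(district_48.network_address) + (index << 72), 56))

def network(building_56, index):
    """/64 per network: the index fills bits 56-63, the low byte of the fourth group."""
    if not 0 <= index < 256:
        raise ValueError("a /56 holds only 256 /64 networks")
    return ipaddress.IPv6Network((int(building_56.network_address) + (index << 64), 64))

# Constructed role codes for the slides' alternative: spend one nibble (a /60 per role)
# on wired/wireless/staff/students/printers, leaving 16 /64s per role per building.
ROLES = {"wired": 0x0, "wireless": 0x1, "staff": 0x2, "students": 0x3, "printers": 0x4}

def role_network(building_56, role, index):
    """/64 inside the role's /60: role nibble in bits 56-59, network index in bits 60-63."""
    if not 0 <= index < 16:
        raise ValueError("a /60 holds only 16 /64 networks")
    base = int(building_56.network_address)
    return ipaddress.IPv6Network((base + (ROLES[role] << 68) + (index << 64), 64))

def v4_subnet_to_v64(site_32, v4_cidr):
    """The mapping on the subnetting slide: the first two IPv4 octets become the third
    16-bit group and the third octet the fourth (192.168.129.0/24 -> ...:C0A8:0081::/64)."""
    o1, o2, o3, _ = ipaddress.IPv4Network(v4_cidr).network_address.packed
    base = int(site_32.network_address)
    return ipaddress.IPv6Network((base + (((o1 << 8) | o2) << 80) + (o3 << 64), 64))

if __name__ == "__main__":
    d1 = district(1)
    b1 = building(d1, 0)
    print(d1, b1, network(b1, 1), building(d1, 15), district(2))
    print(role_network(b1, "students", 3),
          v4_subnet_to_v64(ipaddress.IPv6Network("2001:db8::/32"), "10.0.164.0/24"))
```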