Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPv6 NAP: There is no need for NAT in IPv6 Note: Based on IETF draft standard Local Network Protection for IPv6 www.ietf.org/internet-drafts/draft-ietf-v6ops-nap-06.txt.

Published byJustin Greenfield Modified over 9 years ago

Similar presentations

Presentation on theme: "IPv6 NAP: There is no need for NAT in IPv6 Note: Based on IETF draft standard Local Network Protection for IPv6 www.ietf.org/internet-drafts/draft-ietf-v6ops-nap-06.txt."— Presentation transcript:

1 IPv6 NAP: There is no need for NAT in IPv6 Note: Based on IETF draft standard Local Network Protection for IPv6 www.ietf.org/internet-drafts/draft-ietf-v6ops-nap-06.txt Eric Klein, MSc. Leon Recanati Graduate School of Business Administration and the Netvision Institute for Internet Studies, Tel Aviv University

2 Background IPv6 - NAPSummary Address Translation Addresses Allocation IP Allocation IPv4 - NAT Originally IP addresses were allocated in a “classful” method Class A 126 Class As Class B16,384 Class Bs Class C2,097,152 Class Cs Class DMulticast addresses Class EReserved for experimental use Hosts per server:.................................... 16,777,214........................................... 65,532............................................... 254 For more on: IP Classes see RFC 791 Class D Addresses see RFC 1112

3 IPv4 Address Allocation History 1981 – IPv4 protocol published – IP addresses used to uniquely identify and locate IP devices 1985 – 1/16 of total space 1990 – 1/8 of total space 1995 – 1/3 of total space 2000 – 1/2 of total space 2002.5 – 2/3 of total space This consumption despite increasingly intense conservation efforts Source: Neil Lovering, Cisco Systems “IPv6 and Semantic Interoperability” (http://colab.cim3.net/file/work/SICoP/2006-04-2728/NLovering04272006.ppt )http://colab.cim3.net/file/work/SICoP/2006-04-2728/NLovering04272006.ppt Current estimates predict that all IPv4 addresses will be used between 2008 and 2015, the most common prediction is sometime in 2010. Background IPv6 - NAPSummary Address Translation Addresses Allocation IP Allocation IPv4 - NAT

4 RFC 1918 opened up the reserved spaces for private networks with the following private address spaces: Class A: 10.*.*.* Class B: 172.16.*.* - 172.31.*.* Class C: 192.168.*.* This was not based on a planned action, but was the reaction to common practice codified in order to prevent future problems Most NAT implementations use one of these 3 ranges rather than a registered address range, or as was the practice prior to these utilizing any address space that the network administrator wanted to use. This enabled the deepening shortage to be offset by thousands of sites utilizing these addresses behind NAT routers. Then in 1993 came Classless Inter-Domain Routing (CIDR) which allowed those large blocks of addresses to be opened up as they became available. Effectively increasing the pool of available addresses. So each time a Class A address was returned to the pool, instead of one company benefiting, hundreds benefited. - For more on CIDR See RFCs 1517, 1519, and 1817 Background IPv6 - NAPSummary Address Translation Addresses Allocation IP Allocation IPv4 - NAT

5 In the early 1990’s the two most compelling problems facing the IP Internet are IP address depletion and scaling in routing. Long-term and short-term solutions to these problems are being developed. The short-term solution is CIDR (Classless Inter-Domain Routing). The long-term solutions consist of various proposals for new internet protocols with larger addresses (IPv6). Until the long-term solutions are ready an easy way to hold down the demand for IP addresses is through address reuse. This solution takes advantage of the fact that a very small percentage of hosts in a stub domain are communicating outside of the domain at any given time. Thus it was possible to use fewer addresses publicly while using Network Address Translation to support a large pool of numbers inside an organization. For Example: In most home networks there is only one IP address assigned that is publicly announced, and thus addressable by outside services. This does not stop you from having more than one computer on a home LAN. This is done via NAT in the broadband router that connects the home to the public internet. Internet IP Address Without NAT = 5 public addresses With-NAT = 1 public address 1 2 3 4 5 Background IPv6 - NAPSummary Address Translation Addresses Allocation IP Allocation IPv4 - NAT

6 IPv4 Problems NAT RequirementsWhy Nat? Originally NAT was designed because there were not enough addresses available from the different ISPs. “Our ISP will only give me one address and I need to support many computers.” Over time other uses of NAT were found and became the “reason” for its implementation: “It offers security by hiding the network topology.” “It is easier to configure DCHP on a NAT pool when setting up the network.” “When we merge sites, manage multiple sites, it is easier to renumber.” For more on DHCP see RFCs 2131 and 2132 Background IPv6 - NAPSummary IPv4 - NAT

7 DescriptionGoal Connect a private network with addresses allocated from any part of the space (registered & unregistered address) towards the Internet Simple Gateway as default router and address pool manager Through its session-oriented operation, NAT puts in an extra barrier to keep the private network protected from outside influences. Simple Security One usage of NAT is for the local network administrator to track user and application traffic. Local usage tracking One goal of 'topology hiding' is to prevent external entities from making a correlation between the topological location of devices on the local network. NAT hides the end device behind a wall of other devices that use the same address but are not on the same network. Thus giving some privacy to the host and hiding the real topology of the LAN. End-system privacy Topology hiding Many private IPv4 networks make use of the address space defined in RFC 1918 to enlarge the available addressing space for their private network, and at the same time reduce their need for globally routable addresses. Addressing Autonomy Use of IPv4+NAT has reduced the potential consumption rateGlobal Address Pool Conservation Often sited as examples where NAT helps enterprises.Renumbering and Multi-homing IPv4 Problems NAT RequirementsWhy Nat? IPv6 - NAPSummary Background IPv4 - NAT

8 IPv4 ProblemsIPv4 SolutionGoal Extra effort is needed when the same range exists on both sides of the NAT. NAT works well in the client/server model. For peer-to- peer, multi- party, or servers deployed on the private side of the NAT, helper technologies must also be deployed DHCP - single address upstream DHCP - limited number of individual devices downstream Simple Gateway as default router and address pool manager Experienced hackers are well aware of NAT devices and are very familiar with private address space, and have devised methods of attack that readily penetrate NAT boundaries. Filtering side effect due to lack of translation state Simple Security Checking of this database is not always a simple task, especially if Port Address Translation is used. NAT state tableLocal usage tracking Scanning is a particular concern because the subnet size is small enough that once the topology is known it is easy to find all the hosts, then start scanning them for vulnerable ports. NAT transforms device ID bits in the address End-system privacy NAT transforms subnet bits in the address Topology hiding Can cause problems when merging networks or moving between ISPs. RFC 1918Addressing Autonomy Over use leads to cascading NATs, or multiple LAN using the same address spaces, and many do not filter properly. RFC 1918 << 2 48 application end points topology restricted Global Address Pool Conservation IPv4 was not designed to facilitate either of these maneuvers. However, only the NAT boxes need to deal with multi-homing and renumbering issues. Address translation at borderRenumbering and Multi-homing IPv4 Problems NAT RequirementsWhy Nat? IPv6 - NAPSummary Background IPv4 - NAT

9 Private Addresses IPv6 SolutionsHistory Untraceable Addresses Started in 1994 IPv6 was originally conceived of as the evolution of the IP address pool and an update of the protocol architecture. IPv6 has been heralded as the savior of the Internet by offering all sorts of catch phrases: “An IP address for everyone alive today born in the next 100 years.” “It is more secure than IPv4 because it has IPSec built in.” And others. As you have heard in the other presentations in this panel, IPv6 is coming, some would say that it is already here as services are available from many different ISPs while software and hardware vendors are including support for the protocol for up to the past 4 years. Background IPv6 - NAPSummary IPv4 - NAT There is a reality that you need to understand: IPv6 is being resisted by companies that don’t want to spend money to upgrade but it is mandated by many governments starting in 2008.

10 IPv6 SolutionIPv4 ProblemGoal IPv6 routers should have a default configuration to advertise inside the site a locally generated random Unique Local Address (ULA) prefix, independently from the state of any external connectivity Extra effort is needed when the same range exists on both sides of the NAT. For peer-to-peer, multi- party, or servers deployed on the private side of the NAT, helper technologies must also be deployed Simple Gateway as default router and address pool manager Short lifetimes on privacy extension suffixes. IPsec is often cited as the reason for improved security because it is a mandatory service for IPv6 implementations. The size of a typical subnet makes a complete subnet ping sweep usually significantly harder and more expensive Experienced hackers are well aware of NAT devices and are very familiar with private address space, and have devised methods of attack that readily penetrate NAT boundaries. Simple Security IPv6 enables the collection of information about data flows.Checking of this database is not always a simple task, especially if Port Address Translation is used. Local usage tracking Temporary use privacy addresses based on RFC 3041 pseudo- random privacy addresses which are generated as required Scanning is a particular concern because the subnet size is small enough that once the topology is known it is easy to find all the hosts, then start scanning them for vulnerable ports. End-system privacy Untraceable addresses using IGP host routes /or MIPv6 tunnels Topology hiding IPv6 provides for autonomy in local use addresses through ULAs and simplifies simultaneous use of multiple addresses per interface Can cause problems when merging networks or moving between ISPs. Addressing Autonomy 17*10 18 subnets 3.4*10 38 addresses full port list giving an unrestricted topology Over use leads to cascading NATs, or multiple LAN using the same address spaces, and many do not filter properly. Global Address Pool Conservation Preferred lifetime per prefix & Multiple addresses per interface IPv4 was not designed to facilitate either of these maneuvers. Renumbering and Multi-homing Private Addresses IPv6 SolutionsHistory Untraceable Addresses Background IPv6 - NAPSummary IPv4 - NAT

11 In IPv4 there was no way to officially have private addresses, so Network Admins would randomly choose a set of addresses and use them internally. Initially this was fine as LANs were local only. This became a problem when the addresses chosen were registered to other companies and then the various LANs were connected to the Internet. To solve this NAT and the private address spaces were assigned. In IPv6, learning from the past, Unique Local Addresses (ULAs) were defined with the following characteristics: For all practical purposes a globally unique prefix. Allows networks to be combined or privately interconnected without creating address conflicts or requiring renumbering. If accidentally leaked outside of a network via routing or DNS, it is highly unlikely that there will be a conflict with any other addresses. ISP independent and can be used for communications inside of a network. Well-known prefix to allow for easy filtering at network boundaries. In practice, applications may treat these addresses like global scoped addresses. Private Addresses IPv6 SolutionsHistory Untraceable Addresses Background IPv6 - NAPSummary IPv4 - NAT

12 The main goal of untraceable IPv6 addresses is to create an apparently amorphous network infrastructure, as seen from external networks, to protect the local infrastructure from malicious outside influences and from mapping of any correlation between the network activities of multiple devices from external networks. When using untraceable IPv6 addresses, it could be that two apparently sequential addresses are allocated to devices on very different parts of the local network instead of belonging to devices adjacent to each other on the same subnet. Since IPv6 addresses will not be in short supply even within a single /64 (or shorter) prefix, it is possible to generate them effectively at random when untraceability is required. They will be globally routable IPv6 addresses under the site's prefix, which can be randomly and independently assigned to IPv6 devices. The random assignment is intended to mislead the outside world about the structure of the local network. Private Addresses IPv6 SolutionsHistory Untraceable Addresses Background IPv6 - NAPSummary IPv4 - NAT As the DHCP algorithm can include a random seed, two hosts connecting one after the other can have addresses that are non-sequential.

13 Acknowledgements Status of the DraftConclusions Companies that have traditionally relied on NAT for security and ease of numbering will no longer need it under IPv6. For companies where multiple networks/segments exist, but must maintain independence between them like Service Providers with both public ISP and private management networks Large corporations with special security requirements for some subnets (finance dept., legal dept., Development vs. Live networks, etc.) It is possible to assign specific ULAs to those special areas, filter them at the router while maintaining global connectivity. Background IPv6 - NAPSummary IPv4 - NAT

14 Status of the draft standard Local Network Protection for IPv6 Detail Info Draft Name: draft-ietf-v6ops-nap-06.txt (WG submission)draft-ietf-v6ops-nap-06.txt Version:06 Intended Status:Informational Current State:Approved-announcement to be sent (14-02-2007) Approved-announcement to be sent: The IESG has approved the document for publication, but the Secretariat has not yet sent out on official approval message. A RFC number should be assigned within 2 months due to the backlog in the RFC editor. Latest version can be found at: www.ietf.org/internet-drafts/draft-ietf-v6ops-nap-06.txt Acknowledgements Status of the DraftConclusions Background IPv6 - NAPSummary IPv4 - NAT

15 I would like to thank my fellow authors: Gunter Van de Velde of Cisco Systems Diegem, Belgium Tony Hain of Cisco Systems Bellevue, WA. USA Ralph Droms of Cisco Systems Boxborough, MA USA Brian Carpenter of IBM Vernier, Switzerland Acknowledgements Status of the DraftConclusions Background IPv6 - NAPSummary IPv4 - NAT

16 Thank You Eric Klein EricLKlein@Softhome.net This Presentation can be found at: http://www.tau.ac.il/~ericklei/ISOC-IL-2007-No-Need -For-NAT.pdf http://www.tau.ac.il/~ericklei/ISOC-IL-2007-No-Need -For-NAT.pdf

Download ppt "IPv6 NAP: There is no need for NAT in IPv6 Note: Based on IETF draft standard Local Network Protection for IPv6 www.ietf.org/internet-drafts/draft-ietf-v6ops-nap-06.txt."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
Marla Azinger, Frontier Communications

Marla Azinger, Frontier Communications
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Introduction to IPv4 Introduction to Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Introduction to IPv4 Introduction to Networks.
Enabling IPv6 in Corporate Intranet Networks

Enabling IPv6 in Corporate Intranet Networks
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Information Networking Security and Assurance Lab National Chung Cheng University Private IP(RFC1918) The Internet Assigned Numbers Authority (IANA) has.

Information Networking Security and Assurance Lab National Chung Cheng University Private IP(RFC1918) The Internet Assigned Numbers Authority (IANA) has.
CSE5803 Advanced Internet Protocols and Applications (7) 1 7.1 Introduction The IP addressing scheme discussed in Chapter 2 are classful and can be summarised.

CSE5803 Advanced Internet Protocols and Applications (7) Introduction The IP addressing scheme discussed in Chapter 2 are classful and can be summarised.
CCNA Guide to Cisco Networking Fundamentals Fourth Edition Chapter 9 Network Services.

CCNA Guide to Cisco Networking Fundamentals Fourth Edition Chapter 9 Network Services.
TDC365 Spring 2001John Kristoff - DePaul University1 Interconnection Technologies Routing I.

TDC365 Spring 2001John Kristoff - DePaul University1 Interconnection Technologies Routing I.
Sybex CCENT 100-101 Chapter 13: Network Address Translation Instructor & Todd Lammle.

Sybex CCENT Chapter 13: Network Address Translation Instructor & Todd Lammle.
Andrew Smith 1 NAT and DHCP ( Network Address Translation and Dynamic Host Configuration Protocol )

Andrew Smith 1 NAT and DHCP ( Network Address Translation and Dynamic Host Configuration Protocol )
Network Addressing Issues in 1994 94/err_con/crc.htm.

Network Addressing Issues in /err_con/crc.htm.
1 Chapter Overview Subnet. What is a subnet When you break a network into a few smaller networks, you have created several subnets Like IP address where.

1 Chapter Overview Subnet. What is a subnet When you break a network into a few smaller networks, you have created several subnets Like IP address where.
Spring 20031 Ch 18 IP Addresses. 2 Internet Protocol  Only protocol at Layer 3  Defines Internet addressing Internet packet format Internet routing.

Spring Ch 18 IP Addresses. 2 Internet Protocol  Only protocol at Layer 3  Defines Internet addressing Internet packet format Internet routing.
1 26-Aug-15 Addressing the network using IPv4 Lecture # 2 Engr. Orland G. Basas Prepared by: Engr. Orland G. Basas IT Lecturer.

1 26-Aug-15 Addressing the network using IPv4 Lecture # 2 Engr. Orland G. Basas Prepared by: Engr. Orland G. Basas IT Lecturer.
Day15 IP Space/Setup. IP Suite of protocols –TCP –UDP –ICMP –GRE… Gives us many benefits –Routing of packets over internet –Fragmentation/Reassembly of.

Day15 IP Space/Setup. IP Suite of protocols –TCP –UDP –ICMP –GRE… Gives us many benefits –Routing of packets over internet –Fragmentation/Reassembly of.
4: Addressing Working At A Small-to-Medium Business or ISP.

4: Addressing Working At A Small-to-Medium Business or ISP.

Similar presentations

Ads by Google