IPv6 Transition Mechanisms, their Security and Management - Georgios Koutepas, National Technical University of Athens - 6DISS Workshop - 5 March 2006

Presentation transcript:

IPv6 Transition Mechanisms, their Security and Management
Georgios Koutepas, National Technical University of Athens, Greece
6DISS Workshop, 5 March 2006

Transition to IPv6
Not an afterthought, but designed to be part of the new protocol from the beginning.
Overview of transition requirements:
– Gradual site transition: a site may have only some of its systems supporting IPv6
– Minimum transition requirements: a site can support IPv6 just by offering DNS services, without any upgrade to the rest of the infrastructure
– IP address compatibility: v4 addresses can be converted to "corresponding" v6 addresses, allowing the system to operate in both environments
– Ease of installation: operating systems should support IPv6 straightforwardly, without the need for software upgrades
The answer: SIT (Simple Internet Transition) mechanisms, included in IPv6

IPv6 Transition Mechanisms
SIT offers a scheme for:
– The conversion of IPv4 addresses to IPv6
– Dual stack OS operation
– Tunnelling mechanisms via the encapsulation of v6 packets within v4 when passing over v4 clouds (and vice versa)
The result:
– Dual stack mechanisms
– Translation mechanisms
– Tunnelling mechanisms

Dual Stack mechanisms

Translation Mechanisms
NAT-PT (Network Address Translation - Protocol Translation)
– Potential problems:
  Services based on protocol-specific header information cannot be supported end-to-end
  "Classic" NAT security issues
Others:
– BIS (Bump in the Stack) - at the transport layer
– BIA (Bump in the API) - at the application layer

Tunnelling Mechanisms
How they work:
– Encapsulation of IPv6 packets within IPv4 packets, and vice versa ... which means it can also be used for IPv4 connections over native IPv6 networks
– Protocol number in the IPv4 header: 41
– The tunnel's end point performs the necessary operations on the protocol 41 IPv4 packets:
  Reassembly of fragmented packets
  Packet forwarding in the IPv6 network
  Hop limit (the equivalent of the IPv4 TTL) reduced by 1: the tunnel is "transparent" to IPv6
– Nodes performing the (en/de)capsulation operation have to be dual stack
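The protocol 41 handling described above, as an added example that is not part of the original slides: a minimal Python decapsulator that checks the IPv4 protocol field, refuses fragments that have not been reassembled, verifies that an IPv6 packet is really inside and charges the tunnel as one hop. The header builders and the sample addresses are constructed for this demonstration.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41  # "protocol 41": an IPv6 packet carried directly inside IPv4

def build_ipv4_header(src, dst, payload_len, proto=IPPROTO_IPV6, ttl=64):
    """Minimal 20-byte IPv4 header for a constructed sample (checksum left as 0)."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_ipv6_header(src, dst, payload_len, next_header=59, hop_limit=64):
    """Minimal 40-byte IPv6 header; next header 59 means "no next header"."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def decapsulate(packet):
    """What a tunnel end point does with a protocol 41 IPv4 packet: strip the outer
    header, check that an IPv6 packet is really inside, and charge the whole tunnel
    as one IPv6 hop. Returns (outer_src, outer_dst, inner_ipv6_packet) or raises
    ValueError for anything that must not be forwarded."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _, total_len, _, flags_frag, _, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    if proto != IPPROTO_IPV6:
        raise ValueError(f"not a protocol 41 packet (protocol {proto})")
    # MF flag (0x2000) or a non-zero fragment offset: reassemble first, never forward a piece
    if flags_frag & 0x3FFF:
        raise ValueError("IPv4 fragment: reassemble before decapsulating")
    ihl = (ver_ihl & 0x0F) * 4
    inner = bytearray(packet[ihl:total_len])
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("encapsulated payload is not an IPv6 packet")
    if inner[7] <= 1:  # byte 7 of the IPv6 header is the hop limit
        raise ValueError("inner hop limit exhausted (would answer ICMPv6 Time Exceeded)")
    inner[7] -= 1      # the tunnel is transparent: it counts as a single IPv6 hop
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), bytes(inner))
```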

Types of tunnelling
Based on the way we find the tunnel's other end:
– (Pre)configured tunnel end-points
– Automatic: the tunnel end-point may be derived from
  a 6to4 address
  an IPv4-compatible IPv6 destination address

Automatic Tunneling Mechanisms: Tunnel Brokers
The simplest way to IPv6 for single users (i.e. using dialup, ADSL, etc.)
May create security problems, or, oppositely, protocol 41 may be banned by the sys-admins for security reasons
Operation:
– The user connects to a special web server (in the IPv4 network) and applies for a tunnel
– The server assigns an IPv6 address, creates a DNS entry, informs the Tunnel Server, and sends a configuration script to the user
– The user runs the script, which installs the IPv6-over-IPv4 tunnel and connects to the Tunnel Server, which routes the packets to the native IPv6 network

Automatic Tunneling Mechanisms: 6over4
Deprecated... "Multicast tunnelling"
Single IPv6 hosts use the IPv4 multicast network to connect to each other, or to the native IPv6 network via a 6over4 router (usually a 6to4 router)
The result is IPv6 hosts directly connected, even using IPv6 link-local addresses (derived from their IPv4 addresses)! Also supports IPv6 multicast, etc.
6over4 requires IPv4 multicast support, which is not widely available.

Automatic Tunneling Mechanisms: ISATAP
Intra-Site Automatic Tunnel Addressing Protocol
Also uses the IPv4 infrastructure, but without the need for multicast
Can operate under v4 NAT
Operation:
– The node with v4 address A.B.C.D gets the v6 link-local address FE80::5EFE:A.B.C.D (the IPv4 address embedded in the last 32 bits)
– Using DNS v4 queries for the name ISATAP, a Potential Router List (PRL) is created (the router is usually a 6to4 system)
– A Router Solicitation message is sent; the answer (Router Advertisement message) gives the prefix for creating the universal IPv6 address
ISATAP router-to-node communication: using the last 4 bytes of the destination address
Node to the IPv6 network: via the ISATAP router

Automatic Tunneling Mechanisms: Teredo
Useful for hosts behind NAT
Encapsulates the IPv6 packets within UDP IPv4 packets, to bypass the problem that NATs in many cases restrict protocol 41 (IP-encapsulated) packets
The encapsulation takes place at the communicating node itself rather than at a border router (as happens in 6to4)
The Teredo relay then forwards the packets to the native IPv6 network
Issues:
– Complex implementation
– Can operate only with specific NAT types
– Limited number of Teredo relays available in the Internet
Used only when there is no other available solution...

Automatic Tunneling Mechanisms: 6to4 Overview
Connects isolated IPv6 "clouds"
Only the border routers need to implement the 6to4 functionality (and need to be dual stack too...)
Any site with a single unicast IPv4 address can transmit to the IPv6 network using the 2002::/16 prefix
Many available relays to the IPv6 network, easy to find by (IPv4) anycast addressing (from RFC 3068)
The most widely used mechanism: thanks to its minimum requirements and ease of implementation, it is preferred to other automatic tunnelling methods and to configured tunnels
However, it cannot be used behind NAT, because it requires an available universal IPv4 address

6to4 Architecture and Components

6to4 usage scenarios (1): 6to4 host to 6to4 host
Native v6 communication and routing (RIPng)

6to4 usage scenarios (2): Between two 6to4 sites
Useful for sites without native IPv6 ISP support
Within the 6to4 sites the hosts use IPv6 natively:
– Router advertisements and stateless address autoconfiguration
– DNS v6 host records: the other site can learn about the hosts it needs to communicate with
Packets for non-local IPv6 addresses are sent to the default (6to4) router
The IPv4 address within the 6to4 destination IPv6 address is used as the tunnel termination point

6to4 usage scenarios (3): Between a 6to4 site and a native IPv6 network
– Connection to the native IPv6 network through a 6to4 Relay Router (an IPv6 router with a 6to4 "pseudo-interface")
– Use of the Relay Router's IPv4 address or the anycast address
6to4 host to a native IPv6 host:
1. The 6to4 host uses DNS to find the destination host
2. The 6to4 router forwards (via IPv4) the packet to the "next hop", the closest 6to4 relay router
3. The IPv6 router forwards the packet to its final destination
Native IPv6 host to a 6to4 host:
1. The 6to4 relay router advertises the 2002::/16 prefix within the IPv6 network
2. A v6 host uses this information to send its packet to the corresponding IPv6 router, and further to the 6to4 "pseudo-interface" via which (over the IPv4 network) the packet reaches the 6to4 network and its final destination

6to4 Security, or what can go wrong...
Vulnerabilities:
– 6to4 routers must accept packets from ALL 6to4 relay routers: it is not possible to know whether the relay router is "trusted", or even whether it exists
– 6to4 relay routers have to accept packets from 6to4 routers and native IPv6 hosts without any checks
Threats:
– DoS/DDoS against 6to4 components may result in unavailability
– 6to4 routers/relay routers may be used for "reflected" DDoS attacks
– "Service theft": unauthorized usage of relay router services
– Local IPv4 broadcast attacks
– Neighbor Discovery attacks
"Sanity checks" are necessary!

6to4 Security... an attack scenario
Reflected DoS attack
It is supposed that bandwidth and processing power limitations can prevent a large-scale attack...

Securing 6to4 components
6to4 routers:
– Check for correspondence between the IPv4 part of the packet and the 2002::/16 IPv6 encapsulated part
– Implement "sanity checks":
  IPv4: do not allow strange (e.g. loopback), private, multicast, etc. addresses to be encapsulated
  IPv6: reject "wrong" addresses, like link-local, multicast, etc.
– Prevent routing of packets to other 6to4 sites via 6to4 relay routers
– Reject packets coming from another 6to4 site via a relay router

Securing 6to4 components (2)
6to4 relay routers:
– Reject IPv4 packets from 6to4 routers whose IPv4 source address (V4ADDR) does not match the 6to4 source address (2002:V4ADDR::/48) in the encapsulated IPv6 packet
– Reject protocol 41 (IPv4) packets without a destination address
– Deny packets to the IPv6 network without a universal IPv6 address
– Reject packets from 6to4 routers to 6to4 addresses
– Ingress filtering and access control lists for the IPv6 part!
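The router and relay checks of these two slides, as an added example (not code from the original presentation): a Python filter that derives the 2002:V4ADDR::/48 prefix from a site's IPv4 address, extracts the embedded IPv4 address from a 6to4 address and applies the correspondence and sanity checks to the outer and inner addresses of a decapsulated packet. The role names, the function names and the sample addresses are this example's own assumptions.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # 6to4 relay anycast address (RFC 3068)
ULA = ipaddress.IPv6Network("fc00::/7")

def six_to_four_prefix(v4addr):
    """The 2002:V4ADDR::/48 prefix a site derives from its single public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(v4addr))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def embedded_v4(v6addr):
    """V4ADDR carried in bits 16..47 of a 2002::/16 address; None for non-6to4 addresses."""
    v6 = ipaddress.IPv6Address(v6addr)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def v4_ok(a):
    """IPv4 sanity check: loopback, private, multicast, etc. must never be tunnel end points."""
    if a == RELAY_ANYCAST:
        return True
    return not (a.is_loopback or a.is_private or a.is_multicast or a.is_link_local
                or a.is_reserved or a.is_unspecified)

def v6_ok(a):
    """IPv6 sanity check: inner addresses must be universal unicast (no link-local, multicast, ...)."""
    return not (a.is_link_local or a.is_site_local or a.is_multicast or a.is_loopback
                or a.is_unspecified or a in ULA)

def check_6to4_packet(role, site_v4, outer_src, outer_dst, inner_src, inner_dst):
    """Decide whether a decapsulated protocol 41 packet may be forwarded.
    role is "router" (border router of the 6to4 site whose public address is site_v4)
    or "relay" (6to4 relay router; site_v4 is then ignored). Returns (accept, reason)."""
    o_src, o_dst = ipaddress.IPv4Address(outer_src), ipaddress.IPv4Address(outer_dst)
    i_src, i_dst = ipaddress.IPv6Address(inner_src), ipaddress.IPv6Address(inner_dst)
    if not (v4_ok(o_src) and v4_ok(o_dst)):
        return False, "outer IPv4 address fails the sanity check"
    if not (v6_ok(i_src) and v6_ok(i_dst)):
        return False, "inner IPv6 address is not universal unicast"
    src_v4 = embedded_v4(i_src)
    # Correspondence check: a 2002:V4ADDR source must arrive from exactly that IPv4 address.
    # This also drops traffic from another 6to4 site that was bounced through a relay.
    if src_v4 is not None and src_v4 != o_src:
        return False, f"6to4 source {i_src} does not match outer IPv4 source {o_src}"
    if role == "relay":
        if src_v4 is None:
            return False, "relay accepts only 6to4 sources on its IPv4 side"
        if i_dst in SIX_TO_FOUR:
            return False, "6to4-to-6to4 traffic goes direct, never via a relay"
    else:  # "router": packets from native IPv6 arrive via a relay we cannot verify,
        if i_dst not in six_to_four_prefix(site_v4):  # so at least insist they are for our site
            return False, "packet is not addressed to this 6to4 site"
    return True, "ok"
```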

A General Transition Roadmap for an enterprise or educational network
Phase 1: Network design
– Define wide-area and local network segments
– Define "special" areas (due to requirements and operations): VLANs, DMZs, etc.
– Define management entities and their areas of responsibility
– Network management information flow
– Security requirements:
  For users and applications
  For the network itself (protection of the management information, protection of network devices, security of management procedures)
– Plan the steps of the transition to the new protocol. Examine the possibility of deploying transition mechanisms (for communications between IPv6 areas within an IPv4 network and vice versa)

A General Transition Roadmap (2)
Phase 2: Implementation of a mixed IPv4/IPv6 environment
Gradual transition of non-critical systems to IPv6:
– Allows the evaluation of the operation and stability of the network devices and non-critical systems under IPv6
– Develops the transition procedures
– Spreads the use of transition mechanisms (tunnels, gateways, etc.) for communications between IPv6-only areas
Phase 3: Transition of all systems to IPv6
Exclusive use of IPv6 in the network:
– Maintaining transition mechanisms for legacy systems and contacts with IPv4 networks

Any Questions?