draft-vandevelde-v6ops-harmful-tunnels-01.txt: Are they the future of the Internet? Non-Managed Tunnels Considered Harmful. Gunter Van de Velde, Ole Troan,


draft-vandevelde-v6ops-harmful-tunnels-01.txt
Are they the future of the Internet? Non-Managed Tunnels Considered Harmful
Gunter Van de Velde, Ole Troan, Tim Chown

The Controverse-o-Meter
- Highly controversial
- Medium controversial (whatever that means)
- Not controversial

Objectives
- The noble goal of the IPv6 Internet
- What do people say?
- What are managed tunnels?
- Why do non-managed tunnels exist?
- Non-managed tunnel properties
- Conclusion

What is a Managed tunnel?
- The user has a contact "to bark at" when connectivity is not working as expected
- The tunneling is facilitated by a contactable administration
- Realm for the tunnel head-end and tail-end
- Security, performance and integrity of the tunnel are managed
- The user experience for using either IPv4 or IPv6 is invisible, so that the network environment feels and smells like true native connectivity

Tunnel Experiences
The end-user view
- My ISP does not provide IPv6, so 6to4/Teredo is my easy way to get IPv6... and I am very happy with the IPv6 quality
- Oh... I didn't know I was using IPv6...
The enterprise view
- 6to4 has the capability for sub-optimal routing; however, 6to4 does not always have sub-optimal routing (e.g. when sending packets between two 6to4 sites)
The service provider view
- Some ISPs deliver a 6to4 relay on purpose to increase the quality of IPv6 for their customers, but it costs money and resources to maintain... and the service is not (always) restricted to the ISP's own customers
The content provider view
- Content providers observe a measurable difference in RTT and reliability in some cases, and are hence reluctant to bring all services to mainstream IPv6 for all users "just yet"

The noble goal of the IPv6 Internet
- Provide a platform for content and services to be developed with high quality and performance
- A simple control plane for end-to-end connectivity
- The IPv6 Internet connectivity should be as good as (or better than) the perceived quality of the IPv4 Internet
- All people and devices around the globe have the potential to be connected
- Allow connectivity to grow without limits
Do non-managed tunnels follow these fundamentals?


Why do non-managed tunnels exist?
- Early adopters
- It is not trivial to move a system in lock-step towards IPv6, and tunnels aid in this process
- They provide de-coupling between infrastructure IPv6 readiness and application readiness

Non-managed Tunnel Properties: IP Anycast/well-known based service
- Anycast/well-known address usage
  - Asymmetric connectivity models when relying on a 3rd party relay
  - Impacts stateful security services (firewalls)
  - Anycast or other well-known addresses may direct traffic towards a badly functioning relay-router
- 6to4 well-known relay addresses: /24
- Teredo MSFT default: teredo.ipv6.microsoft.com

Non-managed Tunnel Properties: Performance
- There is a logistic decoupling of performance between (1) what the relay router can provide and (2) what the user is expecting
- The impact is that initial deployments have been working really well, but if used for mainstream operation (for millions of customers, instead of the technologist), then performance expectations may not be stable (there is no motivation for the relay-router providers to upgrade capacity for non-customers)
IP Anycast/well-known based service
- The user typically does not know who owns the relay listening to the well-known address

Non-managed Tunnel Properties: Realm of control
- Operational provisioning: good tunnel performance and reliability is often outside the control of the person using the tunnel (3rd party involvement, unforeseen traffic paths)
- Sub-optimal flows (increase in RTT and packet loss)
- If a low-performance relay-router is overloaded due to non-managed tunnels, then how can the user provide feedback on the bad performance?
- Who is responsible for troubleshooting if connectivity is degraded?

Non-managed Tunnel Properties: Security
- Do you trust the 3rd party aggregator/de-aggregator?
- Firewall, IDS and tunneling
- Lawful Intercept
- Tunnel security issues documented in draft-ietf-v6ops-tunnel-security-concerns-02 are amplified by un-managed tunnels due to a lack of trust
- Tunnels may bypass security inspection:
  - IP ingress and egress filtering
  - Source routing after the tunnel client
  - Non-trust of the enterprise NOC manager towards tunnel security and openness
  - DPI for tunneled packets
- NAT holes increase the attack surface
- Tunnel address related risks
- 6to4 security considerations: RFC 3964 (an RFC from 2004)
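The slides above note that 6to4 and Teredo traffic can slip past inspection and that tunnel addresses carry their own risks. As an added example (not from the slide deck or its authors), the following Python decodes the IPv4 endpoints embedded in 6to4 (2002::/16) and Teredo (2001::/32) addresses, so a NOC can recognise non-managed tunnel peers in its own logs; the log lines are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056 6to4 prefix
TEREDO = ipaddress.IPv6Network("2001::/32")      # RFC 4380 Teredo prefix


@dataclass
class TunnelInfo:
    kind: str                              # "6to4", "teredo" or "native"
    embedded_ipv4: Optional[str] = None    # 6to4 router / Teredo client public IPv4
    teredo_server: Optional[str] = None    # Teredo server the client registered with
    teredo_port: Optional[int] = None      # client's mapped UDP port (de-obfuscated)


def classify(addr: str) -> TunnelInfo:
    """Decode the IPv4 endpoints embedded in a 6to4 or Teredo IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    raw = ip.packed                        # 16 bytes, network byte order
    if ip in SIXTOFOUR:
        # 2002:V4ADDR::/48 - the 32 bits after the prefix are the 6to4 router's IPv4
        return TunnelInfo("6to4", embedded_ipv4=str(ipaddress.IPv4Address(raw[2:6])))
    if ip in TEREDO:
        # 2001:0:SERVER:FLAGS:PORT:CLIENT - port and client IPv4 are stored XOR 0xFF.. (RFC 4380)
        server = str(ipaddress.IPv4Address(raw[4:8]))
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16])))
        return TunnelInfo("teredo", embedded_ipv4=client, teredo_server=server, teredo_port=port)
    return TunnelInfo("native")


# Constructed sample firewall log (not from the slides): one 6to4 peer, one Teredo peer, one native.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z fw allow src=2002:c000:204::1 dst=2001:db8::80 dport=443
2024-01-01T10:00:01Z fw allow src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8::80 dport=443
2024-01-01T10:00:02Z fw allow src=2001:db8:1::42 dst=2001:db8::80 dport=443
"""


def tunneled_sources(log: str) -> list:
    """Return (src, TunnelInfo) for each log line whose source is a non-managed tunnel address."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"src=([0-9a-fA-F:]+)", line)
        if not m:
            continue
        info = classify(m.group(1))
        if info.kind != "native":
            hits.append((m.group(1), info))
    return hits
```

On the IPv4 side the same peers show up as IP protocol 41 (6to4) and UDP traffic to port 3544 (Teredo), which is where an ingress/egress filter would act.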

Conclusion
- Early adopters have been working fine with non-managed tunnels
- For mainstream usage:
  - Blackholing
  - Perverse traffic paths
  - Lack of business incentive
  - Difficult security model
  - Hard to have a managed service relying on non-managed infrastructure
- Consequence:
  - Reason that content providers can't offer universal IPv6 services
  - Reason that white-listing complexity is being discussed

Next Steps
- Adopt as WG item?
- draft-vandevelde-v6ops-pref-ps-00

draft-vandevelde-v6ops-harmful-tunnels-01.txt THANK YOU!