1 IPv6 Transition Mechanisms - 6DISS Workshop - 5 March 2006
IPv6 Transition Mechanisms, their Security and Management
Georgios Koutepas, National Technical University of Athens, Greece
6DISS Workshop, March 5 2006

2 Transition to IPv6
Not an afterthought, but designed to be part of the new protocol from the beginning.
Overview of transition requirements:
– Gradual site transition: a site may have only some of its systems supporting IPv6
– Minimum transition requirements: a site can support IPv6 just by offering DNS services, without any upgrade to the rest of the infrastructure
– IP address compatibility: v4 addresses can be converted to "corresponding" v6 addresses, allowing a system to operate in both environments
– Ease of installation: operating systems should support IPv6 straightforwardly, without the need for software upgrades
The answer: SIT (Simple Internet Transition) mechanisms included in IPv6

3 IPv6 Transition Mechanisms
SIT offers a scheme for:
– The conversion of IPv4 addresses to IPv6
– Dual stack OS operation
– Tunnelling mechanisms via the encapsulation of v6 packets within v4 when passing over v4 clouds (and vice versa)
The result:
– Dual Stack mechanisms
– Translation mechanisms
– Tunnelling mechanisms

4 Dual Stack mechanisms

5 Translation Mechanisms
NAT-PT (Network Address Translation - Protocol Translation)
– Potential problems:
Services based on protocol-specific header info cannot be supported end-to-end
"Classic" NAT security issues
Others:
– BIS (Bump in the Stack) - at the Transport Layer
– BIA (Bump in the API) - at the Application Layer

6 Tunnelling Mechanisms
How they work:
– Encapsulation of IPv6 packets within IPv4 packets and vice versa, which means it can also be used for IPv4 connections over native IPv6 networks
– Protocol number in the IPv4 header: 41
– The tunnel's end point performs the necessary operations on the protocol 41 IPv4 packets:
Reassembly of fragmented packets
Packet forwarding in the IPv6 network
Hop limit (equivalent to the IPv4 TTL) reduction by 1: the tunnel is "transparent" to IPv6
– Nodes performing the (en/de)capsulation operation have to be dual stack

7 Types of tunnelling
Based on the way we find the tunnel's other end:
(Pre)configured tunnel end-points
Automatic: the tunnel end-point may be derived from:
– a 6to4 address
– an IPv4-compatible IPv6 destination address

8 Automatic Tunneling Mechanisms: Tunnel Brokers
The simplest way to IPv6 for single users (i.e. using dialup, ADSL, etc.)
May create security problems, or conversely protocol 41 may be banned by the sys-admins for security reasons
Operation:
– The user connects to a special web server (in the IPv4 network) and applies for a tunnel
– The server assigns an IPv6 address, creates a DNS entry, informs the Tunnel Server, and sends a configuration script to the user
– The user runs the script, which installs the IPv6-over-IPv4 tunnel and connects to the Tunnel Server that routes the packets to the native IPv6 network

9 Automatic Tunneling Mechanisms: 6over4
Deprecated... "Multicast tunnelling"
Single IPv6 hosts use the IPv4 Multicast network to connect among themselves or to the native IPv6 network via a 6over4 router (usually a 6to4 router)
The result is IPv6 hosts directly connected, even using IPv6 Link Local addresses (derived from their IPv4 addresses)! Also supports IPv6 multicast etc.
6over4 requires IPv4 Multicast support, which does not exist widely.

10 Automatic Tunneling Mechanisms: ISATAP
Intra-Site Automatic Tunnel Addressing Protocol
Also uses the IPv4 infrastructure, but without the need for Multicast
Can operate under v4 NAT
Operation:
– The node ( A.B.C.D ) v4 gets the ( FE80::5EFE:AB:CD ) v6 Link Local address
– Using DNS v4 queries for the name ISATAP, a Potential Router List (PRL) is created (the router usually is a 6to4 system)
– A Router Solicitation message is sent; the answer (Router Advertisement message) gives the prefix for creating the universal IPv6 address
ISATAP router-to-node communication: using the last 4 bytes of the destination address
Node-to-router IPv6 network: via the ISATAP router

11 Automatic Tunneling Mechanisms: Teredo
Useful for hosts behind NAT
Encapsulates the IPv6 packets within UDP v4 packets, to bypass the problem of NATs that in many cases restrict protocol 41 (IP encapsulated) packets
The encapsulation takes place at the communicating node itself rather than at a border router (as happens in 6to4)
The Teredo relay then forwards the packets to the native IPv6 network
Issues:
– Complex implementation
– Can operate only with specific NAT types
– Limited number of Teredo relays available in the Internet
Used only when there is no other available solution…

12 Automatic Tunneling Mechanisms: 6to4 Overview
Connects isolated IPv6 "clouds"
Only the border routers need to implement the 6to4 functionality (and need to be dual stack too…)
Any site with a single unicast IPv4 address can transmit to the IPv6 network using the 2002::/16 prefix
Many available relays to the IPv6 network, easy to find by (IPv4) anycast addressing (from 192.88.99.0 - RFC 3068)
The most widely used mechanism; thanks to its minimal requirements and ease of implementation it is preferred to other automatic tunneling methods and to configured tunnels
However, it cannot be used behind NAT, because it requires an available universal IPv4 address

13 6to4 Architecture and Components

14 6to4 usage scenarios (1): 6to4 host to 6to4 host
Native v6 communication and routing (RIPng)

15 6to4 usage scenarios (2): Between two 6to4 sites
Useful for sites without native IPv6 ISP support
Within the 6to4 sites the hosts use IPv6 natively:
– Router advertisements and stateless address autoconfiguration
– DNS v6 host records - the other site can learn about the hosts it needs to communicate with
Packets to non-local IPv6 addresses are sent to the default (6to4) router
The IPv4 address within the 6to4 destination IPv6 address is used as the tunnel termination point

16 6to4 usage scenarios (2): Between two 6to4 sites

17 6to4 usage scenarios (3): Between a 6to4 site and a native IPv6 network
– Connection to the native IPv6 network through a 6to4 Relay Router (an IPv6 router with a 6to4 "pseudo-interface")
– Usage of the Relay Router's IPv4 address or the Anycast Address
6to4 host to a native IPv6 host:
1. The 6to4 host uses DNS to find the destination host
2. The 6to4 router forwards (via IPv4) the packet to the "next hop", the closest 6to4 relay router
3. The IPv6 router forwards the packet to its final destination
Native IPv6 host to a 6to4 host:
1. The 6to4 relay router advertises the 2002::/16 prefix within the IPv6 network
2. A v6 host uses this information to send its packet to the corresponding IPv6 router and further to the 6to4 "pseudo-interface", via which (over the IPv4 network) the packet reaches the 6to4 network and its final destination

18 6to4 usage scenarios (3): Between a 6to4 site and a native IPv6 network

19 6to4 Security, or what can go wrong…
Vulnerabilities:
– 6to4 routers must accept packets from ALL 6to4 relay routers; it is not possible to know whether the relay router is "trusted", or even whether it exists
– 6to4 relay routers have to accept packets from 6to4 routers and native IPv6 hosts without any checks
Threats:
– DoS/DDoS against 6to4 components may result in unavailability
– 6to4 routers/relay routers may be used for "reflected" DDoS attacks
– "Service theft": unauthorized usage of relay router services
– Local IPv4 broadcast attacks
– Neighbor Discovery attacks
"Sanity checks" are necessary!

20 6to4 Security …an attack scenario
Reflected DoS Attack
It is supposed that bandwidth and processing power limitations can prevent a large-scale attack…

21 Securing 6to4 components
6to4 routers:
– Check for correspondence between the IPv4 part of the packet and the 2002::/16 IPv6 encapsulated part
– Implement "sanity checks":
IPv4: do not allow strange (e.g. loopback, private, multicast, etc.) addresses to be encapsulated
IPv6: reject "wrong" addresses, like link local, multicast, etc.
– Prevent routing of packets to other 6to4 sites via 6to4 relay routers
– Reject packets coming from another 6to4 site via a relay router

22 Securing 6to4 components (2)
6to4 relay routers:
– Reject IPv4 packets from 6to4 routers that don't have a matching IPv4 src address ( V4ADDR ) and equivalent 6to4 src address ( 2002:V4ADDR ) in the encapsulated IPv6 packet
– Reject protocol 41 (IPv4) packets without the destination address 192.88.99.1
– Deny packets to the IPv6 network without a universal IPv6 address
– Reject packets from 6to4 routers to 6to4 addresses
– Ingress filtering and Access Control Lists for the IPv6 part!
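The 6to4 address mapping from slide 12 and the router and relay checks from slides 21 and 22, carried through as an added example (not code from the workshop slides): a Python model of the ingress sanity checks applied to one protocol 41 packet. The function and role names and the sample endpoints 81.2.3.4 and 82.5.6.7 are constructed for the example; the relay rule follows the slide literally and accepts only the anycast destination.

```python
"""Sanity checks for IPv6-in-IPv4 (protocol 41) packets at 6to4 routers and relays."""
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
ULA = ipaddress.IPv6Network("fc00::/7")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068 relay anycast address
PROTO41 = 41                                          # IPv6 encapsulated in IPv4

def sixto4_prefix(v4):
    """Public IPv4 A.B.C.D -> the site's 6to4 prefix 2002:AABB:CCDD::/48 (slide 12)."""
    bits = int(SIXTO4.network_address) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((bits, 48))

def embedded_v4(v6):
    """IPv4 tunnel termination point carried in a 6to4 address, or None if not 6to4."""
    v6 = ipaddress.IPv6Address(v6)
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF) if v6 in SIXTO4 else None

def bad_v4(a):
    """IPv4 addresses that must never be tunnel endpoints: loopback, private, multicast..."""
    return a != RELAY_ANYCAST and (a.is_private or a.is_loopback or a.is_multicast
                                   or a.is_link_local or a.is_reserved or a.is_unspecified)

def bad_v6(a):
    """Non-universal IPv6 addresses (link local, multicast, ULA...) that must not cross the tunnel."""
    return (a.is_link_local or a.is_multicast or a.is_loopback or a.is_unspecified
            or a.is_site_local or a in ULA)

def check_packet(role, outer_src, outer_dst, proto, inner_src, inner_dst):
    """Decide whether a 'router' or 'relay' accepts an encapsulated packet: (accept, reason)."""
    osrc, odst = ipaddress.IPv4Address(outer_src), ipaddress.IPv4Address(outer_dst)
    isrc, idst = ipaddress.IPv6Address(inner_src), ipaddress.IPv6Address(inner_dst)
    if proto != PROTO41:
        return False, "not protocol 41"
    if bad_v4(osrc) or bad_v4(odst):
        return False, "bogus IPv4 tunnel endpoint"
    if bad_v6(isrc) or bad_v6(idst):
        return False, "non-universal IPv6 address inside tunnel"
    # A 6to4 source must be encapsulated by the IPv4 host it embeds. The same rule rejects
    # traffic from another 6to4 site that arrives via a relay (outer src is then the relay).
    if embedded_v4(isrc) is not None and embedded_v4(isrc) != osrc:
        return False, "IPv4 src does not match 2002: src"
    if role == "router" and embedded_v4(idst) != odst:
        return False, "IPv6 dst is not this site's 6to4 prefix"
    if role == "relay":
        if odst != RELAY_ANYCAST:
            return False, "relay only serves the anycast address"
        if embedded_v4(idst) is not None:
            return False, "relay will not forward 6to4 to 6to4"
    return True, "accepted"
```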

23 A General Transition Roadmap for an enterprise or educational network
Phase 1: Network Design
– Define wide-area and local network segments
– Define "special" areas (due to requirements and operations): VLANs, DMZs etc.
– Define management entities and their areas of responsibility
– Network management information flow
– Security requirements:
For users and applications
For the network itself (protection of the management information, protection of network devices, security of management procedures)
– Plan the steps of the transition to the new protocol. Examine the possibility of deploying transition mechanisms (for communications between IPv6 areas within an IPv4 network and vice versa)

24 A General Transition Roadmap (2)
Phase 2: Implementation of a mixed IPv4/IPv6 environment
Gradual transition of non-critical systems to IPv6:
– Allows the evaluation of the operation and stability of the network devices and non-critical systems under IPv6
– Develops the transition procedures
– Disseminates the usage of transition mechanisms (tunnels, gateways, etc.) for communications between exclusive IPv6 areas
Phase 3: Transition of all systems to IPv6
Exclusive usage of IPv6 in the network:
– Maintaining transition mechanisms for legacy systems and contacts with IPv4 networks

25 Any Questions?
