Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical IPv6 Filtering

Published byΤηθύς Μαγγίνας Modified over 5 years ago

Similar presentations

Presentation on theme: "Practical IPv6 Filtering"— Presentation transcript:

1 Practical IPv6 Filtering
Ben Eater

2 IPv4/IPv6 Feature Parity
Features and tools will lag Vendors need to figure out what will be useful before committing engineering resources Not everything published in an RFC will get implemented Early adopters like DREN are instrumental in guiding this process Once basic IPv6 forwarding is implemented, most other features can be easily added Filtering (and features that rely on it) presents additional challenges

3 Filtering IPv6 Filtering is required to implement many security mechanisms Simple accept/discard actions Selecting traffic to monitor/log/count/mirror Rate limiting Policy route, QoS handling, others… Filtering IPv6 traffic presents some challenges.

4 Filtering IPv6 in Software
Pros Very easy to do Cons Lack of predictable performance Impossible to use in high-bandwidth applications Lack of headroom can allow attacks to exhaust limited CPU resources even in lower bandwidth applications

5 Filtering IPv6 in Hardware
Pros Predictable performance Performance under load (or during an attack) Cons Most (but not all) existing equipment will need totally new hardware to support IPv6 State of the art in hardware-based filtering evolved with IPv4 in mind.

6 IPv4 Filtering Assumptions
To filter on any field in the L3/L4 header: Look at a fixed offset into the packet Match based on the bits you find at that offset This model breaks in the presence of IP options Most (all?) network operators drop all IP-option packets anyway

7 IPv6 Filtering IPv6 uses extension headers
An arbitrary number of extension headers can be chained together Header fields are no longer always in the same place Hardware filtering technology designed for IPv4 can’t cope

8 So what can current HW do?
The IP header is always in the same place Source address Destination address Class of service Flow label Packet length Next header

9 So what can current HW do?
If there are no other extension headers TCP, UDP, ICMP, ESP, AH, etc. header will be next These headers are now in a predictable location If there are other extension headers There is no way to find the TCP, UDP, or ICMP header. What do we do? Permit the packet Drop the packet

10 Extension Headers Hop-by-Hop Options Header Routing Header
Used for router alert. Specified as an IP option in IPv4 Not widely used in IPv4 Routing Header Used for source routing

11 Extension Headers Fragment Header Destination Options Header
IPv6 fragmentation is only done by the sending node Sender really should use PMTU discovery Effective PMTU discovery obviates fragmentation Destination Options Header Only defined option is padding the packet to a 64-bit boundary

12 Drop packets with Extension Headers?
IPv4 IP-Options packets Require extra processing by routers Can’t be filtered in hardware None of the defined options are widely used Most network operators simply drop them IPv6 Extension headers Doomed to a similar fate?

13 Practical filtering of IPv6
Near Term Network operators will drop all packets with extension headers Normal filtering is possible Longer Term A “killer app” would be required to rejuvenate interest in using extension headers Barring this, I don’t see how extensive effort would be expended to support extension headers

14 Thank you! eater@juniper.net

Download ppt "Practical IPv6 Filtering"

Similar presentations

1 Features of IPv6 Larger Address Extended Address Hierarchy Flexible Header Format Improved Options Provision For Protocol Extension Support for Auto-configuration.

1 Features of IPv6 Larger Address Extended Address Hierarchy Flexible Header Format Improved Options Provision For Protocol Extension Support for Auto-configuration.
Netprog: IPv61 IPv6 Refs: Chapter 10, Appendix A.

Netprog: IPv61 IPv6 Refs: Chapter 10, Appendix A.
The Future of TCP/IP Always evolving: –New computer and communication technologies More powerful PCs, portables, PDAs ATM, packet-radio, fiber optic, satellite,

The Future of TCP/IP Always evolving: –New computer and communication technologies More powerful PCs, portables, PDAs ATM, packet-radio, fiber optic, satellite,
EE 545 – BOGAZICI UNIVERSITY. Agenda Introduction to IP What happened IPv5 Disadvantages of IPv4 IPv6 Overview Benefits of IPv6 over IPv4 Questions -

EE 545 – BOGAZICI UNIVERSITY. Agenda Introduction to IP What happened IPv5 Disadvantages of IPv4 IPv6 Overview Benefits of IPv6 over IPv4 Questions -
IPv6. Major goals 1.support billions of hosts, even with inefficient address space allocation. 2.reduce the size of the routing tables. 3.simplify the.

IPv6. Major goals 1.support billions of hosts, even with inefficient address space allocation. 2.reduce the size of the routing tables. 3.simplify the.
Socket Programming with IPv6. Why IPv6? Addressing and routing scalability Address space exhaustion Host autoconfiguration QoS of flow using flowlabel.

Socket Programming with IPv6. Why IPv6? Addressing and routing scalability Address space exhaustion Host autoconfiguration QoS of flow using flowlabel.
IPv6 Tutorial Module 1: IPv6 Protocol Structure Dan Campbell, President Millennia Systems, Inc.

IPv6 Tutorial Module 1: IPv6 Protocol Structure Dan Campbell, President Millennia Systems, Inc.
IPv4 - The Internet Protocol Version 4

IPv4 - The Internet Protocol Version 4
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College

2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College
OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.

OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.
1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.

1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.
1 IPv6 Packet Format. 2 Objectives IPv6 vs IPv4 IPv6 Packet Format IPv6 fields IPv6 and data-link technologies.

1 IPv6 Packet Format. 2 Objectives IPv6 vs IPv4 IPv6 Packet Format IPv6 fields IPv6 and data-link technologies.
IPv6 Header & Extensions Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.

IPv6 Header & Extensions Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.
Lesson 4 The IPv6 Header.

Lesson 4 The IPv6 Header.
IP-UDP-RTP Computer Networking (In Chap 3, 4, 7) 건국대학교 인터넷미디어공학부 임 창 훈.

IP-UDP-RTP Computer Networking (In Chap 3, 4, 7) 건국대학교 인터넷미디어공학부 임 창 훈.
IPv6 Fundamentals Chapter 2: IPv6 Protocol

IPv6 Fundamentals Chapter 2: IPv6 Protocol
1 IPv6 Refs: Chapter 10, Appendix A. 2 IPv6 availability Generally not part of O.S. Available in beta for many operating systems. 6-Bone is experimental.

1 IPv6 Refs: Chapter 10, Appendix A. 2 IPv6 availability Generally not part of O.S. Available in beta for many operating systems. 6-Bone is experimental.
Summary of Certification Process (part 1). IPv6 Client IPv6 packets inside IPv4 packets.

Summary of Certification Process (part 1). IPv6 Client IPv6 packets inside IPv4 packets.
MENU Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell

MENU Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell

Similar presentations

Ads by Google