Slide 1: Technology Updates in IPv6
SUZUKI, Shinsuke
Hitachi, Ltd. / KAME Project
suz@crl.hitachi.co.jp
Copyright(c)2003 All rights reserved, Hitachi, Ltd.

Slide 2: Abstract
- IPv6-related issues in IETF
  - Core Protocol issues
  - Routing Protocol issues
  - DNS-related issues
  - Transition Mechanism issues
  - Security-related issues
Slide 3: Core Protocol Issues
- Site-Local Address
- Prefix Delegation
- Flow-Label
- Router Renumbering
- (Mobile-IPv6 is covered in a later presentation)
Slide 4: Site-local Address (Overview)
- The site-local address spec. has two distinct characteristics
  - Private use is allowed, like 192.168.0.0/16
  - A Site-Border Router has to distinguish addresses in different sites
    - e.g. FEC0::1%site1 and FEC0::1%site2 are different
- Issues
  - Site-local addresses are often duplicated among networks
    - e.g. when multiple networks are merged together and both networks use fec0:1:2::/48
  - The Site-Border Router is a serious headache
    - for implementors, standardization, and operation
Slide 5: Site-local Address (Proposal)
- "Deprecate Site-local" and introduce a new solution
  - Remove 'Site-Border', but keep localness and uniqueness
- Globally-Unique Local Address (FC00::/7): a locally used unique address
  - guarantees 40-bit uniqueness
  - not allowed to be redistributed to the Internet
  - Split into two parts
    - FC00::/8 = centrally assigned by some registries (TBD)
    - FD00::/8 = locally assigned without any registries
  - Address format:
    | 1111 110 (7 bit) | 0/1 (1 bit) | MD5-hash (40 bit) | SLA (16 bit) | Interface-ID (64 bit) |
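The address layout above, worked through in code. This is an added example in Python (my own, not code from the presentation or the KAME project): it derives the 40-bit field from a timestamp and an EUI-64 as the slide describes, assembles a /64 in either the FC00::/8 or FD00::/8 half, and shows the border-router check the slide implies, filtering FC00::/7 out of what may be exported to the Internet. The slide labels the hash field "MD5-hash"; the RFC that was eventually published for this proposal (RFC 4193) uses SHA-1 and keeps the low 40 bits of the digest, so the digest name is a parameter here. The timestamp and EUI-64 values in the block are constructed sample inputs.

```python
import hashlib
import ipaddress
import struct

# Layout from the slide: 1111110 (7 bit) | L (1 bit) | 40-bit hash | 16-bit SLA | 64-bit interface ID
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")


def global_id_40bit(ntp_time: int, eui64: bytes, digest: str = "md5") -> int:
    """Derive the 40-bit Global ID from a 64-bit NTP-format timestamp and the
    interface's 8-byte EUI-64.  The slide calls this field 'MD5-hash'; RFC 4193
    uses SHA-1, so the digest is a parameter (assumption of this example)."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    material = struct.pack(">Q", ntp_time) + eui64
    h = hashlib.new(digest, material).digest()
    return int.from_bytes(h[-5:], "big")  # least-significant 40 bits of the digest


def make_ula_prefix(global_id: int, sla: int, locally_assigned: bool = True) -> ipaddress.IPv6Network:
    """Assemble a /64 from the slide's fields.  L=1 gives fd00::/8 (locally
    assigned, no registry); L=0 gives fc00::/8 (the registry-assigned half)."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("global_id must fit in 40 bits")
    if not 0 <= sla < (1 << 16):
        raise ValueError("SLA (subnet id) must fit in 16 bits")
    first_byte = 0xFD if locally_assigned else 0xFC
    value = (first_byte << 120) | (global_id << 80) | (sla << 64)
    return ipaddress.IPv6Network((value, 64))


def ula_from_interface(ntp_time: int, eui64: bytes, sla: int) -> ipaddress.IPv6Network:
    """Whole procedure: hash -> 40-bit Global ID -> fd00::/8 prefix with the given subnet."""
    return make_ula_prefix(global_id_40bit(ntp_time, eui64), sla)


def is_ula(addr) -> bool:
    """True inside fc00::/7 (both halves).  Site-local fec0::/10 is NOT a ULA."""
    return ipaddress.ip_address(addr) in ULA_BLOCK


def internet_exportable(prefixes):
    """Border-router export filter: drop anything overlapping fc00::/7, since the
    slide says these prefixes must not be redistributed to the Internet."""
    keep = []
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        if not net.overlaps(ULA_BLOCK):
            keep.append(net)
    return keep


if __name__ == "__main__":
    # Constructed sample inputs (not real interface data).
    sample_eui64 = bytes.fromhex("021122fffe334455")
    prefix = ula_from_interface(0xC5B1E2A000000000, sample_eui64, sla=1)
    print("generated ULA /64:", prefix)
    site = str(prefix.supernet(new_prefix=48))
    print("export filter keeps:", internet_exportable(["2001:db8::/32", site]))
```

The export filter is the check that replaces the Site-Border Router the slide wants to remove: nothing about the address itself is ambiguous across sites any more, so a plain prefix match at the border is enough.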
Slide 6: Remaining Issues in FC00::/7
- May it lead to the introduction of IPv6 NAT?
  - Simultaneous use of a global address and FC00::/7 is better
- Source address selection
  - The longest-match algorithm (RFC3484) is sufficient
- DNS server
  - A two-faced DNS server is necessary, like IPv4 private address handling
- Well-known site-local address?
  - e.g. DNS server address (FEC0:0:0:FFFF::1)
  - A globally-unique local address is not suitable
    - since it varies by network
  - Use of FEC0::/10 needs further consideration, even after site-local address deprecation
- Who manages the 'registry'?
- Is 40-bit uniqueness enough?
Slide 7: Prefix Delegation (Overview)
- Plug & Play for (esp.) SOHO routers
- Use some protocol to automatically delegate a prefix from the upstream router to downstream routers
- Figure: ISP Router -> SOHO Router -> PC
  - ISP Router: delegates a prefix automatically (normally /48)
  - SOHO Router: chooses a prefix (/64) for the PC segment
  - PC: Plug and Play by RA (/64)
Slide 8: Prefix Delegation (Status)
- Standardization almost finished
  - Concept and requirements are approved in the IPv6 WG
  - Various protocols were proposed, but the DHCPv6-based one seems to be the winner
    - Does not distribute IPv6 addresses in DHCPv6
    - Just uses the DHCPv6 protocol framework to distribute IPv6 prefixes
    - Distributes other information (e.g. DNS server) as well
- Lots of implementations
  - gone through lots of interoperability testing
    - TAHI, Connectathon, IPv6 Showcase, DHCPv6-Interop
- ISPs have already started PD service in Japan
Slide 9: IPv6 Flow Label
- Issue
  - The IPv6 architecture defines a flow-label field in the IPv6 header, but its usage is not explicitly defined.
- Status
  - Framework is approved in the WG:
    - The sender determines the Flow Label by some means
    - Intermediate routers don't overwrite the Flow Label
    - The receiver handles the packet appropriately according to the Flow Label field value
  - How to use this framework? Up to the controlling protocols, like RSVP etc.
Slide 10: Router Renumbering
- Overview
  - The Router Renumbering protocol is defined, but is it really practical?
    - If not, what is the right procedure for manual renumbering?
- Status
  - Does not seem practical; it cannot change embedded prefixes:
    - DNS records: even with A6, you have to reconfigure some records manually. A6 does not work if a prefix is referred to by other DNS domains (e.g. www.tcpdump.org refers to KAME's IPv6 address)
    - Packet filters, IPv4/v6 translators
    - Server info in application installers (e.g. NetBSD), URLs
  - Do you really have to 'renumber' on some flag-day?
    - Unlike IPv4, you can use the old prefix and the new prefix at the same time
Slide 11: Routing Protocol Issues
- General comment
- BGP4+ issue
- IS-ISv6 issues
- Multihome
Slide 12: Routing Protocol Issues (General Comment)
- Almost all of the routing protocols support IPv6, except for the obsolete ones:
  - RIP -> RIPng
  - OSPF -> OSPFv3
  - (IS-IS)
  - BGP -> BGP4+
  - IGMPv2 -> MLDv1
  - IGMPv3 -> MLDv2
  - (PIM-SM/DM)
  - DVMRP, MSDP -> no protocol
- IPv6-specific issues are rare:
  - Most routing protocol problems are version-independent
    - if there is a problem in XXX for IPv6, it is also a problem in XXX for IPv4.
Slide 13: BGP4+ issue
- Link-local BGP4+ peering
  - IPv6 nexthop in the BGP4+ spec: Global Nexthop (optional) and link-local Nexthop (if the peers are directly connected)
  - What should be included in the Global Nexthop field in the case of link-local BGP4+ peering?
    - The unspecified address (::) or the link-local address
    - BGP4+ implementations should obey the 'IETF principle': send in either manner, but accept both cases
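The "send in either manner, accept both" rule, as an added Python example (mine, not code from the presentation or any BGP implementation). It encodes the MP_REACH_NLRI next-hop field in the two shapes RFC 2545 defines (16 bytes: global only; 32 bytes: global followed by link-local), builds it either way a link-local peer might (:: or its link-local address in the global slot), and on the receiving side picks a usable next hop instead of rejecting the route. The addresses are constructed sample values.

```python
import ipaddress


def parse_mp_reach_nexthop(field: bytes):
    """Split the MP_REACH_NLRI next-hop field of BGP4+ (RFC 2545): 16 bytes carry only
    a global next hop; 32 bytes carry the global next hop followed by a link-local one."""
    if len(field) == 16:
        return ipaddress.IPv6Address(field), None
    if len(field) == 32:
        return ipaddress.IPv6Address(field[:16]), ipaddress.IPv6Address(field[16:])
    raise ValueError(f"next-hop length {len(field)} is neither 16 nor 32")


def encode_mp_reach_nexthop(global_nh=None, link_local_nh=None) -> bytes:
    """Build the field in either manner the slide mentions: a link-local peering may
    put '::' (global_nh=None) or its own link-local address in the global slot."""
    g = ipaddress.IPv6Address(global_nh) if global_nh is not None else ipaddress.IPv6Address("::")
    out = g.packed
    if link_local_nh is not None:
        out += ipaddress.IPv6Address(link_local_nh).packed
    return out


def choose_nexthop(global_nh, link_local_nh, peer_directly_connected: bool):
    """Receiver side of 'accept both cases': do not reject the route because the global
    slot holds '::' or a link-local address; return the usable next hop, or None."""
    if peer_directly_connected and link_local_nh is not None and link_local_nh.is_link_local:
        return link_local_nh                      # preferred on a shared link
    if global_nh.is_unspecified:                  # '::' in the global slot
        return None
    if global_nh.is_link_local:                   # link-local in the global slot
        return global_nh if peer_directly_connected else None
    return global_nh


def resolve_from_wire(field: bytes, peer_directly_connected: bool):
    """Parse + choose; returns the next hop as a string or None when nothing is usable."""
    g, ll = parse_mp_reach_nexthop(field)
    nh = choose_nexthop(g, ll, peer_directly_connected)
    return None if nh is None else str(nh)


if __name__ == "__main__":
    # Both encodings a directly connected link-local peer might send resolve the same way.
    for wire in (encode_mp_reach_nexthop(None, "fe80::1"),
                 encode_mp_reach_nexthop("fe80::1", "fe80::1")):
        print(len(wire), "bytes ->", resolve_from_wire(wire, peer_directly_connected=True))
```

Note the multi-hop case: a 32-byte field whose global slot is :: leaves no usable next hop, so the receiver returns None rather than installing a route through an unreachable address.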
Slide 14: IS-ISv6 issues
- IPv6-over-IPv4 tunnel in the IS-IS topology database?
  - The IS-IS protocol handshake has to be done in OSI packets (not IPv4 nor IPv6)
    - The IS-IS protocol mandates a GRE tunnel
  - Do all IPv6-over-IPv4 tunnels have to shift to GRE tunnels? (at least router-to-router tunnels)
- What if the IPv4 and IPv6 network topologies are different?
  - The IS-IS protocol assumes the network topology is the same among protocols
  - M-ISIS (Multi-topology IS-IS) is proposed
Slide 15: Multihome
- Overview
  - When a site wants to have multiple upstream ISPs, what should it do?
  - 1. Obtain its own IPv6 prefix and do E-BGP routing
    - An AS number & BGP operation are mandatory
  - 2. Receive a prefix from each ISP, and use the proper prefix according to the destination
    - Source address selection on the host
    - Nexthop selection based on the source address (and destination)
    - How to renumber when the upstream ISP changes
- Status
  - Being discussed in the IETF Multi6 WG, but still no consensus...
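Option 2 above, and the longest-match source selection slide 6 says is sufficient, worked through together in one added Python example (mine, not code from the presentation, KAME or the Multi6 WG). The host picks its source address by the RFC 3484 longest-matching-prefix rule among the prefixes the two ISPs delegated; the site router then picks the nexthop from the source prefix, so the packet leaves through the ISP that owns that prefix (and is not dropped by that ISP's ingress filter); and an ISP change is shown as swapping one prefix entry. The two ISPs, their prefixes and link-local nexthops are constructed sample values from documentation address space.

```python
import ipaddress

# Constructed site: two upstream ISPs, each delegating a /48 (sample prefixes, not real ISPs).
UPSTREAMS = {
    "ISP-A": {"prefix": ipaddress.IPv6Network("2001:db8:a::/48"), "nexthop": "fe80::a"},
    "ISP-B": {"prefix": ipaddress.IPv6Network("2001:db8:b::/48"), "nexthop": "fe80::b"},
}


def common_prefix_len(a, b) -> int:
    """Number of leading bits two IPv6 addresses share."""
    x = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - x.bit_length()


def select_source(candidates, destination):
    """Host side: RFC 3484 rule 8, longest matching prefix, after keeping link-local and
    non-link-local candidates apart (the scope rule that precedes it).  Only these two
    rules are modelled here; a full RFC 3484 implementation has more."""
    dst = ipaddress.IPv6Address(destination)
    pool = [ipaddress.IPv6Address(c) for c in candidates]
    same_scope = [c for c in pool if c.is_link_local == dst.is_link_local]
    if not same_scope:
        raise ValueError("no candidate source in the destination's scope")
    return max(same_scope, key=lambda c: common_prefix_len(c, dst))


def select_egress(source, upstreams=UPSTREAMS):
    """Router side: nexthop chosen by the SOURCE prefix, so traffic sourced from an ISP's
    delegated prefix leaves through that ISP.  (None, None) means no upstream applies
    (e.g. a ULA source that should stay inside the site)."""
    src = ipaddress.IPv6Address(source)
    for name, u in upstreams.items():
        if src in u["prefix"]:
            return name, u["nexthop"]
    return None, None


def renumber_upstream(upstreams, isp, new_prefix):
    """Changing an upstream ISP: only that ISP's delegated prefix entry is replaced.
    Hosts learn the new prefix from RA; the old prefix simply stops matching."""
    updated = {name: dict(entry) for name, entry in upstreams.items()}
    updated[isp]["prefix"] = ipaddress.IPv6Network(new_prefix)
    return updated


def route_packet(candidates, destination, upstreams=UPSTREAMS):
    """End to end: (chosen source, ISP name, nexthop) for one destination."""
    src = select_source(candidates, destination)
    isp, nexthop = select_egress(src, upstreams)
    return str(src), isp, nexthop


if __name__ == "__main__":
    host_addrs = ["2001:db8:a:1::10", "2001:db8:b:1::10", "fe80::10"]
    for dst in ("2001:db8:a:ff::1", "2001:db8:b:ff::1"):
        print(dst, "->", route_packet(host_addrs, dst))
```

For a destination that is equally distant from both delegated prefixes the longest-match rule ties, and whichever candidate comes first wins; that arbitrariness is exactly the part the slide lists as unresolved.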
Slide 16: DNS-related Issues
- DNS Server Discovery
- AAAA vs A6
- ip6.int vs ip6.arpa
- PTR record usage
Slide 17: DNS Server Discovery (Overview)
- IPv6 addresses are automatically configured, but other information still needs manual configuration.
  - e.g. DNS server, NTP server, ...
- DNS server autoconfiguration is especially important in IPv6, considering the length of IPv6 addresses.
  - (recursive) DNS server address
  - DNS domain search path
  - Hostname registration
Slide 18: DNS Server Discovery (Status)
- Still under discussion in the DNSOP WG
- Roughly three solutions are proposed:
  - Anycast solution: the DNS servers have an anycast address (FEC0:0:0:FFFF::1~3); the PC's DNS server address = the anycast address(es)
  - RA-based solution: the PC sends an RS; the router sends an RA with a new NDP option; the PC's DNS server address = the address(es) in the new NDP option
  - (stateless) DHCPv6-based solution: the PC sends a DHCPv6 Information-Request with the Rapid-Commit option; the router sends a DHCPv6 Reply with the DNS Server option; the PC's DNS server address = the address(es) in the DNS server option
Slide 19: DNS Server Discovery (Issues)
- Issues:
  1. How to update the DNS server address when it changes?
  2. What happens when a different server advertises a different DNS server address?
  3. Should it allow dynamic DNS registration?
  4. How about other information? (e.g. NTP server, SIP server ...)
- How each proposal answers them (table reconstructed from the slide):

  Issue | Anycast                                               | RA                            | DHCPv6
  1     | Anycast mechanism solves it (no address change)       | Use a DNS server lifetime?    | DHCPv6 Reconfig message
  2     | Anycast mechanism solves it (no address change)       | Use a DNS server preference?  | DHCPv6 handshake prevents it
  3     | Use the Dynamic DNS update                            | Use the Dynamic DNS update    | Use the Dynamic DNS update
  4     | (out of scope; seems like using a special DNS record) | Handle within it              | Use the existing DHCPv6 option
Slide 20: AAAA vs A6
- Overview
  - Two kinds of DNS records are defined:
    - AAAA: a simple extension of the A record
    - A6: a DNS record supporting router renumbering
  - But A6 is not deployed, because of its complexity
- Status
  - IETF decision:
    - AAAA: for normal IPv6 operation
    - A6: for further experimental study
Slide 21: ip6.int vs ip6.arpa
- Overview
  - IPv6 PTR records had used "ip6.int" as their domain name.
  - "ip6.int" was later registered as an international TLD.
- Status
  - "ip6.arpa" is proposed
    - 2001::/16 uses ip6.arpa (and ip6.int for the time being)
    - 3ffe::/16 still uses only "ip6.int" (owing to an administrative reason), but "ip6.arpa" introduction is planned.
Slide 22: PTR record usage
- Some protocols (implementations) require a PTR-record lookup for authentication
  - If there is a PTR record for the source address of the client, then it is authenticated
- Is it really practical in the IPv6 world?
  - Not all IPv6 addresses are available from PTR records:
    - Link-local addresses
    - Most IPv6 addresses generated by stateless autoconfiguration
    - Privacy address extension
  - If they just want to look up the name from the address, the ICMP node-information query is available.
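The two DNS slides above (ip6.arpa naming and PTR-based "authentication"), worked through in one added Python example (mine, not code from the presentation or any resolver). It builds the nibble-reversed PTR owner name under ip6.arpa or the legacy ip6.int, derives the reverse zone name for a prefix, classifies why a given address is unlikely to have a PTR at all (the slide's three cases), and contrasts the weak "a PTR exists" check with a forward-confirmed check, in which the PTR target's AAAA record must contain the original address. The PTR and AAAA tables are constructed sample zone data, not a real zone.

```python
import ipaddress


def reverse_name(addr, zone="ip6.arpa") -> str:
    """PTR owner name: all 32 nibbles of the address reversed and dotted, under the zone
    (ip6.arpa, or ip6.int for the legacy tree the slide mentions)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


def reverse_zone(network, zone="ip6.arpa") -> str:
    """Name of the reverse zone that would be delegated for a prefix (nibble-aligned only)."""
    net = ipaddress.IPv6Network(network)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + "." + zone


def ptr_coverage_caveat(addr) -> str:
    """Why the slide says a PTR may not exist: link-local, EUI-64 autoconf (ff:fe in the
    interface ID), or an interface ID that is manually set or a temporary one."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local: never published in DNS"
    iid = int(a) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "EUI-64 autoconfigured interface ID: rarely has a PTR"
    return "manual or temporary (RFC 3041) interface ID: PTR not guaranteed"


# Constructed zone data: ::2 has a PTR but its forward record does not confirm it.
PTR_RECORDS = {
    reverse_name("2001:db8::1"): "srv.example.net.",
    reverse_name("2001:db8::2"): "srv.example.net.",
}
AAAA_RECORDS = {"srv.example.net.": {"2001:db8::1"}}


def ptr_exists(addr, ptr=PTR_RECORDS) -> bool:
    """The check the slide describes: authenticated iff a PTR exists."""
    return reverse_name(addr) in ptr


def fcrdns(addr, ptr=PTR_RECORDS, aaaa=AAAA_RECORDS) -> bool:
    """Forward-confirmed reverse DNS: PTR -> name, then the name's AAAA set must contain
    the address.  Anyone controlling a reverse zone can publish a PTR; they cannot
    make someone else's forward zone agree with it."""
    name = ptr.get(reverse_name(addr))
    if name is None:
        return False
    forward = {ipaddress.IPv6Address(x) for x in aaaa.get(name, ())}
    return ipaddress.IPv6Address(addr) in forward


if __name__ == "__main__":
    for a in ("2001:db8::1", "2001:db8::2", "fe80::1", "2001:db8::211:22ff:fe33:4455"):
        print(a, "| PTR exists:", ptr_exists(a), "| FCrDNS:", fcrdns(a), "|", ptr_coverage_caveat(a))
```

Neither check identifies a client in the sense the slide questions: a legitimate host with an autoconfigured or temporary address fails both, which is the point made about practicality.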
Slide 23: Transition Mechanism Issues
- Transition Mechanisms
- Transition Mechanism Issues
- (A detailed transition scenario is discussed in a later presentation)
Slide 24: Transition Mechanisms
- Many kinds of mechanisms
  - Tunnel-based
    - Tunnel Session Protocol (DTCP, Freenet6 etc), 6to4, ISATAP, Teredo, DSTM
  - Translator-based
    - NAT-PT, SIIT, FAITH
  - Proxy-based
    - Application-level Gateway (HTTP proxy, SMTP gateway etc)
Slide 25: Transition Mechanism Issues
- There is no perfect mechanism
  - Tunnel-based
    - IPv6 network topology ≠ IPv4 network topology
    - An IPv4 address is necessary, i.e. the IPv4 address shortage problem remains unsolved
    - Cannot go through NAT (Teredo is the only exception, but it's too complex...)
  - Translator-based
    - In general, IPv4-to-IPv6 translation is difficult.
    - Does not work for applications embedding an IP address in their payload (e.g. FTP, SIP)
  - Proxy-based
    - Works only for the specific protocol
- Are they really easier than a simple dual-stack network?
Slide 26: Security-related Issues
- Securing Neighbor Discovery
- Privacy Address Extension
- IPv6 Firewall Architecture
Slide 27: Securing Neighbor Discovery
- Overview
  - Plug & Play can lead to improper network use through
    - a wrong NDP cache entry caused by NA spoofing
    - a wrong RA announcement caused by RA spoofing
- Status
  - CGA (Cryptographically Generated Address)
    - Use a specially-authenticated link-local address in the NDP-related handshake.
    - discussed in the SEND WG
  - L2 authentication
    - PAP/CHAP (for PPP), 802.1x (for Ethernet) etc
  - IPv6 over IPv4 tunnel
    - Not a perfect answer
    - If IPv4 network use is permitted (politically), IPv6 does not introduce any additional security risk.
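Until SEND/CGA is deployed, the two problems in the Overview are usually caught by monitoring the link rather than by the protocol. The following added Python example (mine, not code from the presentation, the SEND WG or KAME) shows that detection side: an RA audit against a per-link policy (which router link-local/MAC pair may send RAs, which prefix it may announce, and whether a lifetime of 0 would withdraw the real default router), and an NA consistency check that flags an address being rebound to a different MAC, which is what a poisoned neighbor cache looks like from the wire. The policy, the RA records and the NA stream are all constructed sample data; real deployments would feed this from captured ICMPv6.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class RouterAdvert:
    """One observed RA reduced to the fields the audit needs (constructed record, not a packet parser)."""
    src_ll: str            # link-local source address of the RA
    src_mac: str           # Ethernet source of the frame
    prefixes: tuple        # prefixes from the Prefix Information options
    router_lifetime: int   # seconds; 0 means "do not use me as a default router"


# Constructed link policy: the single legitimate router and the prefix it should announce.
AUTHORIZED_ROUTERS = {"fe80::1": "00:11:22:33:44:01"}
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}


def audit_ra(ra, authorized=AUTHORIZED_ROUTERS, expected=EXPECTED_PREFIXES):
    """Findings for one RA; an empty list means it matches the link policy."""
    findings = []
    if ra.src_ll not in authorized:
        findings.append(f"RA from unauthorized router {ra.src_ll} ({ra.src_mac})")
    elif authorized[ra.src_ll] != ra.src_mac:
        findings.append(f"RA from {ra.src_ll} carries unexpected MAC {ra.src_mac}")
    for p in ra.prefixes:
        if ipaddress.IPv6Network(p) not in expected:
            findings.append(f"unexpected prefix {p} advertised by {ra.src_ll}")
    if ra.router_lifetime == 0 and ra.src_ll in authorized:
        findings.append(f"lifetime 0 from {ra.src_ll} withdraws the default router")
    return findings


def audit_na_stream(neighbor_adverts, bindings=None):
    """NA side: keep an address->MAC table and flag any NA that rebinds a known address
    to another MAC.  Returns (findings, table) so the table can be carried forward."""
    table = {} if bindings is None else dict(bindings)
    findings = []
    for target, mac in neighbor_adverts:
        key = str(ipaddress.IPv6Address(target))
        previous = table.get(key)
        if previous is not None and previous != mac:
            findings.append(f"{key} rebound from {previous} to {mac}")
        table[key] = mac
    return findings, table


# Constructed observations: a legitimate RA, then one from an unknown router with a foreign prefix,
# and an NA stream in which the router's address is re-announced from a second MAC.
SAMPLE_RAS = [
    RouterAdvert("fe80::1", "00:11:22:33:44:01", ("2001:db8:1::/64",), 1800),
    RouterAdvert("fe80::dead", "00:11:22:33:44:99", ("2001:db8:bad::/64",), 1800),
]
SAMPLE_NAS = [
    ("2001:db8:1::1", "00:11:22:33:44:01"),
    ("2001:db8:1::1", "00:11:22:33:44:99"),
]


def run_audit(ras=SAMPLE_RAS, nas=SAMPLE_NAS):
    """Audit both streams; returns ({ra source: findings}, [na findings])."""
    ra_findings = {ra.src_ll: audit_ra(ra) for ra in ras}
    na_findings, _ = audit_na_stream(nas)
    return ra_findings, na_findings


if __name__ == "__main__":
    ra_report, na_report = run_audit()
    for src, items in ra_report.items():
        print(src, "->", items or "ok")
    print("NA:", na_report or "ok")
```

The MAC comparison is the weak link on a link without 802.1x: it catches misconfiguration and the casual case, but the slide's L2-authentication bullet is what actually binds a port to a sender.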
Slide 28: Privacy Address Extension
- Overview
  - Normally the IPv6 interface ID is constructed by EUI-64 using the MAC address
    - The source address in an IPv6 packet tells who sends the packet
  - Privacy Address Extension
    - uses a random interface ID
- Status
  - Standardized and implemented
    - RFC3041
    - Windows XP enables it by default
- Issues
  - DNS reverse PTR record?
  - How to accept connections from outside?
    - hostname-to-address mapping?
  - Does it really provide enough "privacy"?
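Both interface-ID constructions named on the slide, as an added Python example (mine, not code from the presentation, KAME or any host stack). It builds the modified EUI-64 interface ID from a MAC (insert ff:fe, flip the u/l bit), which is what lets an address be tied to a device, and then runs the RFC 3041 generation loop: MD5 over the history value concatenated with the EUI-64 interface ID, the leftmost 64 bits with the u/l bit cleared become the temporary interface ID, the rightmost 64 bits become the next history value. The MAC and prefix are constructed sample values, and the initial history value is taken as all zeros for reproducibility (RFC 3041 has a node pick a random one).

```python
import hashlib
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> modified EUI-64 interface ID: insert ff:fe in the middle and
    flip the universal/local bit (0x02 of the first byte)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = raw[:3] + b"\xff\xfe" + raw[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def temporary_iid(history: bytes, eui64_iid: bytes):
    """RFC 3041 section 3.2.1 (constructed here from the RFC's description):
    MD5(history || EUI-64 IID); left 64 bits with the u/l bit cleared are the temporary
    interface ID, right 64 bits are the next history value."""
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history and interface ID are 64-bit values")
    digest = hashlib.md5(history + eui64_iid).digest()
    temp = bytearray(digest[:8])
    temp[0] &= 0xFD                   # clear the u/l bit: not globally unique
    return bytes(temp), digest[8:]


def address_from_iid(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Append a 64-bit interface ID to a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface IDs are appended to a /64")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def looks_like_eui64(addr) -> bool:
    """The fingerprint the slide worries about: ff:fe in the middle of the interface ID."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def temporary_addresses(prefix: str, mac: str, count: int, seed_history: bytes = bytes(8)):
    """Regenerate `count` successive temporary addresses the way a host rotates them;
    the history value chains one generation to the next."""
    base = mac_to_modified_eui64(mac)
    history = seed_history
    out = []
    for _ in range(count):
        iid, history = temporary_iid(history, base)
        out.append(address_from_iid(prefix, iid))
    return out


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"        # constructed sample MAC
    stable = address_from_iid("2001:db8:1::/64", mac_to_modified_eui64(mac))
    print("EUI-64 address:", stable, "| identifiable:", looks_like_eui64(stable))
    for a in temporary_addresses("2001:db8:1::/64", mac, 3):
        print("temporary     :", a, "| identifiable:", looks_like_eui64(a))
```

The "enough privacy?" question on the slide is visible in the code: the prefix half of every address is unchanged, so the rotation hides the device, not the network it sits in.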
Slide 29: IPv6 Firewall Architecture
- An IPv4-like firewall does not coexist with the 'End-to-End principle' (esp. IPsec)
  - Layer-3/4 Packet Filter
    - How to protect or permit End-to-End IPsec communication?
  - Application-level Gateway
    - It terminates End-to-End communication
  - Personal Firewall
    - Can it tolerate a DoS attack?
- Firewall architecture needs an update in the IPv6 era.
  - There are some 'IPv6-firewall' products or solutions, but most of them just support IPv6 in their legacy firewall.