Ch 6: IPv6 Deployment Last modified 11-7-12

Topics

• 6.3 Transition Mechanisms

• 6.4 Dual Stack IPv4/IPv6 Environments

• 6.5 Tunneling

6.3 Transition Mechanisms

• IPv6 is not backwards-compatible with IPv4
• So while both protocols are in use, we need transition mechanisms to connect them
• Three types of transition mechanisms
  – Dual Stack
  – Tunneling
  – Translation

Early Stages

• Islands of IPv6 Connected via IPv4

Middle Stages

• Core is IPv6 or Dual-Stack
  – Some tunnels are no longer needed
  – Translation mechanisms will be needed to allow legacy IPv4 devices to access IPv6 services

Last Stage

• Most equipment and services are IPv6-only
  – Only isolated islands of IPv4 legacy services remain
  – IPv4 tunnels over IPv6
  – Translation devices allow IPv6-only devices to access IPv4 services

6.4 Dual Stack IPv4/IPv6 Environments

• Each host uses both IPv4 and IPv6

• Reduces need for tunnels

6.4.1 Deployment of a Dual Stack Environment

• Consider the following issues
  – Shared infrastructure
    • Must route and switch both IPv4 & IPv6
  – Need for more resources
    • Details on next slide
  – Application protocol preference

Need for more resources

• Each protocol stack must share the available network bandwidth
• Routers need to:
  – Maintain forwarding tables for both IPv4 and IPv6
  – Run routing protocols for both protocols
  – Implement packet filtering for both protocols
  – Provide for congestion control for both protocols
  – Handle special cases (IPv4 Router Alerts and IPv6 Hop-by-Hop Options) for both
  – Forward packets for both protocols.

• Hosts must devote resources to both protocol stacks (for example, processing, memory, and network infrastructure traffic)

• Administrative and security staff must maintain concurrent environments as well

Applications in a Dual-Stack Environment

• Some applications are IPv4-only

• Some are IPv6-only

• Some are dual-stack

• DNS record order can be used to control preference for A or AAAA records on each resource
  – IPv6 should be first when possible (preferred)

6.4.2 Addressing in a Dual Stack Environment

• If you use static addresses, you must provide both IPv4 and IPv6 addresses

• If you use DHCP, you must provide both a DHCPv4 and DHCPv6 server

6.4.3 Security Implications of a Dual Stack Environment

• Each dual-stack node is exposed to the vulnerabilities of both IPv4 and IPv6

• Security Details
  – Consistent security policy for both IPv4 & IPv6
  – Account for new IPv6 functionality
    • Mobility
    • Stateless address autoconfiguration
    • Neighbor discovery
    • Privacy addresses
    • End-to-end encryption with IPsec

Security Details (continued)

• Unexpected tunneling between hosts may violate security policies

• Organizations must upgrade
  – Intrusion detection or intrusion prevention systems
  – Firewalls
  – Monitoring, logging, and auditing

  to provide IPv6 protection equivalent to what was available for IPv4.

Security Details (continued)

• If tunneled packets are allowed to enter the network, the firewall or IDS/IPS system must be able to perform deep packet inspection.

• The performance of security systems may degrade when handling IPv6 (when using the same resources compared to IPv4)

6.5 Tunneling

Configured v. Automatic Tunnels

• Configured tunnels
  – Require system administrators to configure the endpoints of the tunnel

• Automatic tunnels
  – The nodes configure the endpoints themselves

Configured Tunnels

• SIT = 6in4, uses protocol 41
  – Hurricane Electric Tunnel Broker
  – SixXS

• Freenet6 can use many different tunnel types

Tunnels Bypassing Firewalls

iClicker Questions

Which of these upgrades is not needed to convert a router from IPv4 to dual-stack?

A. Two routing tables

B. Two routing protocols

C. Twice as many network interfaces

D. Two Access Control Lists

E. Two congestion control mechanisms

Which protocol does not need to be changed to move from IPv4 to dual-stack?

A. DHCP

B. DNS

C. RIP

D. Ethernet

E. ICMP

Which devices do not need to be upgraded to convert from IPv4 to dual-stack?

A. Firewalls

B. Intrusion Detection Systems

C. Routers

D. Switches

E. Servers

Which of these features does not create new security risks when moving from IPv4 to dual-stack?

A. Broadcast packets

B. Mobility

C. Neighbor discovery

D. SLAAC

E. Tunnels

Which of these features allows unauthorized traffic to bypass firewalls?

A. Multicast

B. Mobility

C. Neighbor discovery

D. SLAAC

E. Tunnels

Automatic Tunneling Mechanisms

• 6over4 – requires IPv4 multicast, rarely used

• 6to4 and 6rd – requires public IPv4 addresses, widely implemented

• ISATAP – does not work across NAT

• Teredo – UDP encapsulation intended for tunneling through IPv4 NATs

6.5.4 6over4 Protocol

• Old and simple

• Relies on IPv4 multicast

• Has not been widely deployed

• Hosts use their IPv4 address as an Interface ID

6over4 Example

• Network: 2001:5c0:1000:b::/64
• Gateway: 2001:5c0:1000:b::1
• Host Addresses:
  – IPv4 (dotted-decimal): 192.168.1.101
  – IPv4 (hex): c0 a8 1 65
  – Public IPv6: 2001:5c0:1000:b::c0a8:165
  – Link-Local IPv6: fe80::c0a8:165

6.5.5 6to4 and 6rd Protocols

• 6to4
  – Allows IPv6 sites to connect to one another over an IPv4 network
  – IPv4 address is embedded in IPv6 prefix
  – Useful when your ISP does not offer an IPv6 prefix

6rd (Rapid Deployment)

• Allows IPv4 ISPs to offer IPv6 to customers quickly and easily

• Uses the same system as 6to4, but with the provider’s IPv6 prefix

6.5.5.1 Using 6to4 and 6rd

• Each 6to4 border router needs a public IPv4 address: w.x.y.z

• The IPv6 network connected to that router uses the IPv6 prefix 2002:w.x.y.z/48
  – Example: CCSF uses: 147.144.0.1
  – In hexadecimal: 93 90 0 1
  – Our 6to4 IPv6 prefix is: 2002:9390:1::/48

6to4 Relays

• Each 6to4 domain must have at least one relay router

• Relay router has an (IPv4) anycast address: 192.88.99.1

6.5.6 Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

• ISATAP allows isolated IPv6 hosts within a site running IPv4 to construct an automatic IPv6-in-IPv4 tunnel

• Does not use IPv4 multicast, as required with 6over4

• All hosts using ISATAP must be dual stack IPv4/IPv6

• ISATAP hosts communicate by tunneling IPv6 packets over IPv4 using protocol 41

IPv4 Packet Header

Protocol Numbers

• 6 TCP

• 17 UDP

• 41 IPv6 (encapsulation)

Protocol 41 is Blocked by Most Home Routers

ISATAP Addresses

• A host with an IPv4 address w.x.y.z performs autoconfiguration with interface ID = ::0:5EFE:w.x.y.z.

ISATAP Limitations

• All IPv6 hosts run dual stack IPv4/IPv6 with support for ISATAP

• Each ISATAP host must know at least one dual stack IPv4/IPv6 router

• All traffic is constrained to a single administrative domain

• There is no need for IPv4 NAT traversal

6.5.7 Teredo Protocol

• Tunneling IPv6 over UDP through Network Address Translations (NATs)

• Developed by Microsoft

• Has a high overhead

• Detects NAT, then starts with a UDP packet sent from inside the NAT

• A Teredo server listens to UDP port 3544
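
The deep packet inspection the security slides call for, sketched as an added example (not part of the original slides): it classifies a raw IPv4 packet by the protocol numbers and Teredo port given on this page and, for protocol 41, exposes the inner IPv6 addresses so the same policy can be applied to them. The function names, verdict strings and sample packets are assumptions made for this example.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6 = 17, 41      # IPv4 protocol numbers listed on the page
TEREDO_PORT = 3544                  # Teredo server UDP port from the page

def inspect_ipv4(packet):
    """Classify one raw IPv4 packet (bytes) and expose any tunneled IPv6 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return {"verdict": "not-ipv4"}
    ihl = (packet[0] & 0x0F) * 4    # IPv4 options move the payload start
    if ihl < 20 or len(packet) < ihl:
        return {"verdict": "malformed"}
    payload = packet[ihl:]
    out = {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
           "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
           "verdict": "plain-ipv4"}
    if packet[9] == PROTO_IPV6:
        out["verdict"] = "ipv6-in-ipv4"
        # Deep inspection: policy must be applied to the inner addresses too.
        if len(payload) >= 40 and payload[0] >> 4 == 6:
            out["inner_src"] = str(ipaddress.IPv6Address(payload[8:24]))
            out["inner_dst"] = str(ipaddress.IPv6Address(payload[24:40]))
            out["inner_next_header"] = payload[6]
    elif packet[9] == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            out["verdict"] = "teredo-udp"
    return out

def _ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet for the samples (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def _ipv6_header(src, dst, next_header=6):
    """Build a bare 40-byte IPv6 header for the samples."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

# Constructed sample packets using documentation address ranges.
SAMPLE_6IN4 = _ipv4("192.0.2.10", "192.88.99.1", PROTO_IPV6,
                    _ipv6_header("2002:c000:20a::1", "2001:db8::80"))
SAMPLE_TEREDO = _ipv4("192.0.2.10", "198.51.100.7", PROTO_UDP,
                      struct.pack("!HHHH", 51000, TEREDO_PORT, 8, 0))
SAMPLE_TCP = _ipv4("192.0.2.10", "198.51.100.7", 6, b"\x00" * 20)
```

The port match only covers traffic to or from a Teredo server on port 3544; Teredo traffic on other UDP ports needs payload inspection that this example does not attempt.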

Teredo Addresses

• IPv6 addresses for Teredo clients consist of the following five parts:
  – Prefix: the 32-bit Teredo service prefix 2001:0000::/32
  – Server IPv4: the 32-bit IPv4 address of a Teredo server
  – Flags: 16 bits set to 8000 for cone NATs and 0000 otherwise
  – Port: The Teredo client’s 16-bit UDP port number, inverted bit by bit
  – Client IPv4: The Teredo client’s 32-bit IPv4 address (behind the NAT), inverted bit by bit

Figure 6-5. Teredo Address

+-------------+-------------+-------+------+-------------+
| Prefix      | Server IPv4 | Flags | Port | Client IPv4 |
+-------------+-------------+-------+------+-------------+
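
The address formats described in sections 6.5.4 through 6.5.7, turned into a decoder as an added example (not part of the original slides): given an IPv6 address from a log or flow record, it names the tunneling mechanism and recovers the embedded IPv4 address, undoing the Teredo bit inversion. The function name, return shape, the 6over4 heuristic, and the ISATAP and Teredo sample addresses are assumptions made for this example.

```python
import ipaddress

TEREDO = ipaddress.ip_network("2001:0000::/32")   # Teredo service prefix (from the page)
SIXTOFOUR = ipaddress.ip_network("2002::/16")     # 6to4 prefix 2002:w.x.y.z/48

def _v4(value):
    """Low 32 bits of an integer as a dotted-decimal IPv4 string."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def classify(addr):
    """Return (mechanism, fields) for an IPv6 address string.

    The function name and return shape are choices made for this example.
    """
    ip = ipaddress.IPv6Address(addr)
    n = int(ip)
    iid_high = (n >> 32) & 0xFFFFFFFF             # upper half of the interface ID
    if ip in TEREDO:
        return "teredo", {
            "server_ipv4": _v4(n >> 64),
            "cone_nat": ((n >> 48) & 0xFFFF) == 0x8000,
            "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,   # undo bit inversion
            "client_ipv4": _v4(n ^ 0xFFFFFFFF),             # undo bit inversion
        }
    if ip in SIXTOFOUR:
        return "6to4", {"router_ipv4": _v4(n >> 80)}
    # ISATAP interface ID is 0:5EFE:w.x.y.z; some hosts set the universal/local bit (0200:5EFE).
    if (iid_high & ~0x02000000) == 0x00005EFE:
        return "isatap", {"host_ipv4": _v4(n)}
    # 6over4 uses the bare IPv4 address as interface ID. Heuristic only: a manually
    # numbered host such as ::1 has a zero first octet and is not reported.
    if iid_high == 0 and (n & 0xFFFFFFFF) >> 24:
        return "6over4-candidate", {"host_ipv4": _v4(n)}
    return "no-embedded-ipv4", {}

# Addresses from the page plus two constructed samples (ISATAP and Teredo).
SAMPLES = [
    "2002:9390:1::",                              # CCSF 6to4 prefix from the page
    "fe80::c0a8:165",                             # 6over4 link-local from the page
    "fe80::5efe:c0a8:165",                        # constructed ISATAP address
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",       # constructed Teredo address
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample))
```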

To Disable Them

• From http://www.cellstream.com/intranet/networking-and-computing-tips-and-tricks/249-disabling-ipv6-communications.html

iClicker Questions

Which of these techniques works through Network Address Translation?

A. 6over4

B. 6to4 or 6rd

C. ISATAP

D. Teredo

E. More than one of the above

Which of these techniques requires IPv4 multicast?

A. 6over4

B. 6to4 or 6rd

C. ISATAP

D. Teredo

E. More than one of the above

Which of these techniques was developed by Microsoft?

A. 6over4

B. 6to4 or 6rd

C. ISATAP

D. Teredo

E. More than one of the above

Which of these techniques embeds an IPv4 address inside an IPv6 address?

A. 6over4

B. 6to4 or 6rd

C. ISATAP

D. Teredo

E. More than one of the above

Which of these techniques embeds a layer 4 port number inside an IPv6 address?

A. 6over4

B. 6to4 or 6rd

C. ISATAP

D. Teredo

E. More than one of the above

Which of these techniques uses relays at 192.88.99.1?

A. 6over4

B. 6to4 or 6rd

C. ISATAP

D. Teredo

E. More than one of the above