Developing Better Applications with IPv6
Andrew Yourtchenko
Technical Leader
@ayourtch
Agenda
• IPv6 is the new normal
• IPv6 in your apps
• IPv6-only: now what?
• Curse And Blessing Of Many Addresses
• Conclusion
100% YoY growth – now 10% worldwide
• Jan 2012: 0.5%
• Jan 2013: 1%
• Jan 2014: 2.5%
• Jan 2015: 5%
• Jan 2016: 10%
Per-Country Users: 6lab.cisco.com
Which country is leading?
Worldipv6launch.org: IPv6 Is The New Normal
IPv6 In Your Apps
C and POSIX
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
int
getaddrinfo(const char *hostname, const char *servname,
const struct addrinfo *hints, struct addrinfo **res);
void
freeaddrinfo(struct addrinfo *ai);
The getaddrinfo() function is defined by the IEEE Std 1003.1-2004 ("POSIX.1") specification and documented in RFC 3493, "Basic Socket Interface Extensions for IPv6".
Hints For Name Resolution
struct addrinfo {
    int              ai_flags;      /* input flags */
    int              ai_family;     /* protocol family for socket */
    int              ai_socktype;   /* socket type */
    int              ai_protocol;   /* protocol for socket */
    socklen_t        ai_addrlen;    /* length of socket-address */
    struct sockaddr *ai_addr;       /* socket-address for socket */
    char            *ai_canonname;  /* canonical name for service location */
    struct addrinfo *ai_next;       /* pointer to next in list */
};
Some Interesting Values of ai_flags
• AI_ADDRCONFIG
  • Only return IPv4 addresses if IPv4 is present on an interface
• AI_NUMERICHOST
  • The argument is a numeric address; do not attempt DNS resolution
• AI_PASSIVE
  • Allow for a listening socket: the wildcard address (INADDR_ANY / in6addr_any) if hostname is NULL
• AI_V4MAPPED
  • Return IPv4 addresses as IPv4-mapped IPv6 addresses
IPv4-mapped addresses: ::ffff:x.x.x.x
• Described in RFC4038.
• Includes application examples!
• Never seen on the wire !!!
• Represent IPv4 space in IPv6
• IPv4 on the wire, IPv6 in the socket API calls
• Convenient mechanism of collapsing IPv4+IPv6
• Logging, etc.
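The collapsing trick described on this slide, as an added example that is not part of the original deck: a logging helper that writes every peer address in IPv6 text form, mapping IPv4 peers to ::ffff:x.x.x.x, plus the reverse check for a log consumer that needs to know which entries are really IPv4. The function names and the sample peers (192.0.2.1 from TEST-NET-1 and 2001:db8::1 from the documentation prefix) are constructed for the example.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>

/* Turn any peer address (AF_INET or AF_INET6) into one canonical text key.
 * IPv4 peers are written as IPv4-mapped IPv6 (::ffff:a.b.c.d), the same form a
 * dual-stack AF_INET6 listener hands you from accept(), so log parsers, rate
 * limiters and allow-lists only ever have to deal with one address family. */
int peer_log_key(const struct sockaddr *sa, char *out, size_t outlen) {
    struct in6_addr a6;
    if (sa->sa_family == AF_INET6) {
        a6 = ((const struct sockaddr_in6 *)sa)->sin6_addr;
    } else if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
        memset(&a6, 0, sizeof a6);
        a6.s6_addr[10] = 0xff;                 /* ::ffff:0:0/96 prefix */
        a6.s6_addr[11] = 0xff;
        memcpy(&a6.s6_addr[12], &s4->sin_addr, 4);
    } else {
        return -1;                             /* not an IP socket */
    }
    return inet_ntop(AF_INET6, &a6, out, outlen) ? 0 : -1;
}

/* The question a log consumer asks later: is this key really an IPv4 peer?
 * Returns 1 (and fills v4out) for an IPv4-mapped key, 0 for native IPv6,
 * -1 if the key does not parse at all. */
int log_key_ipv4(const char *key, char *v4out, size_t v4len) {
    struct in6_addr a6;
    struct in_addr a4;
    if (inet_pton(AF_INET6, key, &a6) != 1) return -1;
    if (!IN6_IS_ADDR_V4MAPPED(&a6)) return 0;
    memcpy(&a4, &a6.s6_addr[12], 4);
    return inet_ntop(AF_INET, &a4, v4out, v4len) ? 1 : -1;
}

/* Constructed sample peers (TEST-NET-1 and the IPv6 documentation prefix),
 * filled in the way accept() or getpeername() would. */
int sample_v4_peer_key(char *out, size_t outlen) {
    struct sockaddr_in s4;
    memset(&s4, 0, sizeof s4);
    s4.sin_family = AF_INET;
    s4.sin_port = htons(443);
    inet_pton(AF_INET, "192.0.2.1", &s4.sin_addr);
    return peer_log_key((struct sockaddr *)&s4, out, outlen);
}

int sample_v6_peer_key(char *out, size_t outlen) {
    struct sockaddr_in6 s6;
    memset(&s6, 0, sizeof s6);
    s6.sin6_family = AF_INET6;
    s6.sin6_port = htons(443);
    inet_pton(AF_INET6, "2001:db8::1", &s6.sin6_addr);
    return peer_log_key((struct sockaddr *)&s6, out, outlen);
}

int main(void) {
    char key[INET6_ADDRSTRLEN], v4[INET_ADDRSTRLEN];
    sample_v4_peer_key(key, sizeof key);
    printf("IPv4 peer logged as %s", key);
    if (log_key_ipv4(key, v4, sizeof v4) == 1) printf(" (really IPv4 %s)", v4);
    sample_v6_peer_key(key, sizeof key);
    printf("\nIPv6 peer logged as %s\n", key);
    return 0;
}
```

Because the mapped form never appears on the wire, this is purely an in-process convention: any filter or allow-list keyed on these strings must be written in the mapped form too, or it will silently miss IPv4 peers.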
Tight Coupling of Addrinfo With Socket Open
getaddrinfo("www.kame.net", "http", &hints, &res0);
for (res = res0; res; res = res->ai_next) {
    s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (s < 0) { cause = "socket"; continue; }
    if (connect(s, res->ai_addr, res->ai_addrlen) < 0) {
        cause = "connect"; close(s); s = -1;
        continue;
    }
    break; /* okay we got one */
}
If "lookup" and "connect" are separate => problem
Sequential Connect
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#include <err.h>

int main(void) {
    struct addrinfo hints, *res, *res0;
    int error;
    int s;
    const char *cause = NULL;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = PF_UNSPEC;        /* accept IPv4 and IPv6 results */
    hints.ai_socktype = SOCK_STREAM;
    error = getaddrinfo("www.kame.net", "http", &hints, &res0);
    if (error) {
        errx(1, "%s", gai_strerror(error));
        /*NOTREACHED*/
    }
    s = -1;
    /* Walk the resolver's list in order; the first successful connect() wins. */
    for (res = res0; res; res = res->ai_next) {
        s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
        if (s < 0) {
            cause = "socket";
            continue;
        }
        if (connect(s, res->ai_addr, res->ai_addrlen) < 0) {
            cause = "connect";
            close(s);
            s = -1;
            continue;
        }
        break; /* okay we got one */
    }
    if (s < 0) {
        err(1, "%s", cause);
        /*NOTREACHED*/
    }
    freeaddrinfo(res0);
    close(s);
    return 0;
}
Questions Unanswered With Basic API
• Near-simultaneous open ? (RFC6555)
• Might need your own higher-layer library
• Source address selection (if different prefixes)
• Might need to bind sockets explicitly
• More discussion at BRKIP6-2100 tomorrow at 14:30 .. 16:00
• M303 room, CityCube Level 3
iOS Networking Frameworks
iOS: Supporting NAT64+DNS64
https://developer.apple.com/library/prerelease/ios/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/UnderstandingandPreparingfortheIPv6Transition/UnderstandingandPreparingfortheIPv6Transition.html
Mandatory for new apps in the App Store!
Have A Mac OS X El Capitan? Have IPv6-Only Network!
Alt-Click
OS X El Capitan as access gateway
CiscoLive IPv6-only network
• Why?
  • Test how your app/network will work when the sun has set on IPv4!
• SSID: "CL-NAT64"
  • WPA2-PSK
  • Key: "cl-nat64"
• Stateless DHCPv6 + RDNSS
• Feedback/questions:
  • Twitter #CLNAT64
  • Or direct @ayourtch
IPv6-only… Now What ?
Security: Rogue NTP Servers
http://netpatterns.blogspot.be/2016/01/the-rising-sophistication-of-network.html?m=1
[Diagram: IPv6, x.pool.ntp.org, "You", Shodan scanner, NTP scan]
What about temporary addresses ?
• No use since all services listen on them
• Stay around for "too long"
Can we avoid needing a firewall for this case?
• Use per-application IPv6 addresses
  • Needs changes
• Route a /64 to the physical device
  • Needs changes
• Discard addresses at short intervals
  • Needs changes
• Run the application in a container with a different address
  • Possible today, but needs manual provisioning!
Curse And Blessing Of Many Addresses
Source Address Selection: RFC6724 (née RFC3484)
• Candidate set of addresses
  • From egress interface
• Sorted list
• 7 rules
  • Prefer same address
  • Prefer appropriate scope
  • Avoid deprecated addresses
  • Prefer outgoing interface
  • Prefer matching label
  • Prefer temporary addresses
  • Use longest matching prefix
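The rules on this slide worked through in code, as an added example that is not from the deck: a comparator that applies RFC 6724's rules in the order listed (using the default policy table's labels and the RFC's scope classification) and picks a source for a destination from a constructed candidate set. The cand structure, its flags and the five sample addresses are assumptions made for the demo; a real stack takes these attributes from its interface configuration. Rule 4 (home address) and rule 5.5 (next hop) are not modelled.

```c
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>

/* One candidate source address plus the attributes RFC 6724 consults.
 * Everything except the address itself is constructed for the demo. */
struct cand {
    const char *text;
    struct in6_addr addr;
    int deprecated;        /* rule 3: avoid deprecated addresses */
    int on_egress_iface;   /* rule 5: prefer outgoing interface */
    int temporary;         /* rule 7: prefer temporary (RFC 4941) addresses */
};

/* Address scope per RFC 6724 section 3.1: loopback and fe80::/10 count as link-local. */
static int scope_of(const struct in6_addr *a) {
    if (IN6_IS_ADDR_MULTICAST(a)) return a->s6_addr[1] & 0x0f;
    if (IN6_IS_ADDR_LOOPBACK(a) || IN6_IS_ADDR_LINKLOCAL(a)) return 0x2;
    if (IN6_IS_ADDR_SITELOCAL(a)) return 0x5;
    return 0xe;                                            /* global, including ULA fc00::/7 */
}

/* Label from the RFC 6724 default policy table, longest prefix first. */
static int label_of(const struct in6_addr *a) {
    const unsigned char *b = a->s6_addr;
    if (IN6_IS_ADDR_LOOPBACK(a)) return 0;                 /* ::1/128 */
    if (IN6_IS_ADDR_V4MAPPED(a)) return 4;                 /* ::ffff:0:0/96 */
    if (IN6_IS_ADDR_V4COMPAT(a)) return 3;                 /* ::/96 */
    if (b[0] == 0x20 && b[1] == 0x01 && b[2] == 0 && b[3] == 0) return 5;  /* 2001::/32 Teredo */
    if (b[0] == 0x20 && b[1] == 0x02) return 2;            /* 2002::/16 6to4 */
    if (b[0] == 0x3f && b[1] == 0xfe) return 12;           /* 3ffe::/16 */
    if (IN6_IS_ADDR_SITELOCAL(a)) return 11;               /* fec0::/10 */
    if ((b[0] & 0xfe) == 0xfc) return 13;                  /* fc00::/7 ULA */
    return 1;                                              /* ::/0 */
}

static int common_prefix_len(const struct in6_addr *x, const struct in6_addr *y) {
    int bits = 0, i;
    for (i = 0; i < 16; i++) {
        unsigned char d = x->s6_addr[i] ^ y->s6_addr[i];
        if (d == 0) { bits += 8; continue; }
        while (!(d & 0x80)) { bits++; d <<= 1; }
        return bits;
    }
    return bits;
}

/* <0 if a is the better source for dst, >0 if b is, 0 if every rule ties. */
int better_source(const struct cand *a, const struct cand *b, const struct in6_addr *dst) {
    int sa = scope_of(&a->addr), sb = scope_of(&b->addr), sd = scope_of(dst);
    int la = label_of(&a->addr), lb = label_of(&b->addr), ld = label_of(dst);
    int ma = memcmp(&a->addr, dst, 16) == 0, mb = memcmp(&b->addr, dst, 16) == 0;
    int pa, pb;
    if (ma != mb) return ma ? -1 : 1;                                   /* rule 1: same address */
    if (sa < sb) return sa < sd ? 1 : -1;                               /* rule 2: appropriate scope */
    if (sb < sa) return sb < sd ? -1 : 1;
    if (a->deprecated != b->deprecated) return a->deprecated ? 1 : -1;  /* rule 3: avoid deprecated */
    if (a->on_egress_iface != b->on_egress_iface) return a->on_egress_iface ? -1 : 1; /* rule 5 */
    if ((la == ld) != (lb == ld)) return la == ld ? -1 : 1;             /* rule 6: matching label */
    if (a->temporary != b->temporary) return a->temporary ? -1 : 1;     /* rule 7: temporary */
    pa = common_prefix_len(&a->addr, dst); pb = common_prefix_len(&b->addr, dst);
    return pa == pb ? 0 : (pa > pb ? -1 : 1);                           /* rule 8: longest prefix */
}

const struct cand *select_source(const struct cand *c, int n, const struct in6_addr *dst) {
    const struct cand *best = &c[0];
    int i;
    for (i = 1; i < n; i++)
        if (better_source(&c[i], best, dst) < 0) best = &c[i];
    return best;
}

static struct cand mk(const char *text, int dep, int egress, int temp) {
    struct cand c;
    memset(&c, 0, sizeof c);
    c.text = text; c.deprecated = dep; c.on_egress_iface = egress; c.temporary = temp;
    inet_pton(AF_INET6, text, &c.addr);
    return c;
}

/* Constructed demo: a host holding five addresses sends to 2001:db8:ffff::1. */
const char *demo_select(void) {
    struct in6_addr dst;
    struct cand c[5];
    inet_pton(AF_INET6, "2001:db8:ffff::1", &dst);
    c[0] = mk("fe80::1",       0, 1, 0);   /* link-local: too small a scope (rule 2) */
    c[1] = mk("2001:db8:1::a", 0, 1, 0);   /* stable global address */
    c[2] = mk("2001:db8:1::b", 0, 1, 1);   /* temporary global address (rule 7 picks it) */
    c[3] = mk("2001:db8:1::c", 1, 1, 1);   /* temporary but deprecated (rule 3) */
    c[4] = mk("fd00::1",       0, 1, 0);   /* ULA: label 13 vs destination label 1 (rule 6) */
    return select_source(c, 5, &dst)->text;
}

int main(void) {
    printf("selected source: %s\n", demo_select());
    return 0;
}
```

The demo shows why the slide calls many addresses both a curse and a blessing: with the default table the kernel quietly picks the temporary address, which is what you want for privacy but not for an application whose peer allow-lists a stable address. That is the case where an explicit bind() before connect() overrides the rules.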
Network Administration: push vs. pull approach
• IPv4: "1 device = 1 address"
  • Address first, hostname second
  • "Push" model: assign and control
  • Requirement for DHCPv6
• IPv6: "1 device = many addresses"
  • Hostname first, address second
  • "Pull" model: call home
  • Independent of address assignment
A /64 per host…
• Allows an "IPv4-style" approach: one prefix per device
• Gives applications freedom over the lower 64 bits
• Similar to 3GPP
• Already used for Comcast Community WiFi
• Internet Draft
  • https://tools.ietf.org/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-00
Conclusion
Takeaways
• IPv6 is the new normal
• Use high-level APIs
  • When you can't, treat IPv4 as part of the IPv6 address space
• An IPv6-centric approach enables new possibilities
• Want to discuss more? Let's meet at BRKIP6-2100!
Thank you