The IETF (Internet Engineering Task Force), the body that works on new Internet Standards, met in London in March 2014. In this webinar, Carsten Strotmann from the Men & Mice Services team reports fresh from the IETF meeting. This session distills interesting developments from the DNS, DHCP and IPv6 working groups. What can be expected:

DNS
 - DNS transport encryption
 - Special Names in DNS
 - Simplifying DNSSEC key trust anchor exchange between child and parent
 - EDNS option updates
 - Passive DNS
 - DNSSEC Validator Requirements
 - DNS cookies

DNSSEC/DANE
 - Using DANE to Associate OpenPGP public keys with email addresses
 - IPSec and DNSSEC/DANE
 - DANE Security for MX and SRV records
 - DANE and smtp

IPv6
 - Reducing Multicast in IPv6 Neighbor Discovery
 - IPv6 Operational Guidelines for Data centers
 - Recommendations of Using Unique Local Addresses
 - DHCPv6/SLAAC Interaction Operational Guidance
 - Sunsetting IPv4 DHCP
 - DHCPv6 Load Balancing and Failover
 - DHCP stateless reconfiguration
 - Dynamic Allocation of Shared IPv4 Addresses
 - Customizing DHCP Configuration on the Basis of Network Topology
© Men & Mice http://menandmice.com
IETF 89 Review
12 March 2014
Monday 17 March 14
IETF
• The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. The IETF Mission Statement is documented in RFC 3935.
• http://www.ietf.org/about/
Agenda
• IETF 89 in London
• DNS
• DNSSEC / DANE
• DHCP
• IPv6
• the following information is an excerpt of the IETF working group activities
• for a full overview of all activities at IETF 89, see https://datatracker.ietf.org/meeting/89/materials.html
DNS
Published new RFCs since last IETF
RFC   Title                                                              Category
6950  Architectural Considerations on Application Features in the DNS   Informational
7043  Resource Records for EUI-48 and EUI-64 Addresses in the DNS       Informational
7050  Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis      Standards Track
7129  Authenticated Denial of Existence in the DNS                      Informational
DNSE BoF
• Confidentiality and Privacy in DNS
• DNS traffic reveals a lot of information about a user
• the IETF has a plan to harden all Internet protocols against pervasive monitoring
• DNS is no exception
DNSE BoF
• the problem statement has been presented and discussed
• some proposed solutions have been presented
  • DTLS (TLS for UDP, RFC 6347)
  • DNScrypt/DNScurve
  • CGA-TSIG
  • Confidential DNS
  • t-DNS (StartTLS for TCP DNS)
• discussion continues on the mailing lists (DNSOP) about possible solutions and their operational impact
DNSOP
• Revived documents:
  • Initializing a DNS Resolver with Priming Queries (draft-ietf-dnsop-resolver-priming)
    • the initial queries a DNS resolver is supposed to emit to initialize its cache with a current NS RRSet for the root zone as well as the necessary address information
    • the "root-hints" file and how DNS caching servers use it
    • how long-running DNS servers update the root-hint information
DNSOP
• Revived documents:
  • DNSSEC Key Timing Considerations (draft-ietf-dnsop-dnssec-key-timing)
    • explains the relationships between the parameters used in a DNSSEC key rollover
    • important for implementers of DNSSEC key-rollover automation software
    • and for DNS administrators that plan manual DNSSEC key rollovers
Special Names
• RFC 6761 "Special-Use Domain Names" defines a registry of domain names that are "special-use" domain names
• ".local" for multicast-DNS and local service discovery
Special Names
• "Special-Use Domain Names of Peer-to-Peer Systems" (draft-grothoff-iesg-special-use-p2p-names)
  • proposes to add new names to the special-names registry: ".gnu", ".zkey", ".onion", ".exit", ".i2p", and ".bit"
    • TOR
    • GNUnet
    • i2p
    • Namecoin
Special Names
• "The ALT Special Use Top Level Domain" (draft-wkumari-dnsop-alt-tld-00)
• proposes a single ".ALT" (alternate) TLD for special names
• this TLD can be "blacklisted" in DNS caching server software to prevent leakage of these names into the "normal" Internet DNS (Root-Name Server System)
DNS cookies
• Domain Name System (DNS) Cookies (draft-eastlake-dnsext-cookies)
• DNS cookies are intended to provide significant but limited protection against certain attacks by off-path attackers.
• These attacks include denial-of-service, cache poisoning and answer forgery.
• cookies are some random data identifying a DNS server, sent inside the EDNS0 "OPT" record
DNS cookies
(diagram: message flow between a client, the Caching/Resolving DNS server, the Authoritative DNS server and an off-path Attacker)
  1. Client -> Caching/Resolving DNS: www.example.com IN A?
  2. Caching/Resolving DNS -> Authoritative DNS: www.example.com IN A? + Resolver cookie in OPT
     Auth DNS server stores resolver cookie
  3. Authoritative DNS -> Caching/Resolving DNS: www.example.com IN A 192.0.2.1 + server cookie in OPT
     Cache DNS server stores server cookie
  4. Caching/Resolving DNS -> Client: www.example.com IN A 192.0.2.1
  5. Later query: Caching/Resolving DNS -> Authoritative DNS: www.example.com IN AAAA? + Resolver cookie in OPT
     Auth DNS server has resolver cookie; Cache DNS server has server cookie
     Authoritative DNS -> Caching/Resolving DNS: www.example.com IN AAAA 2001:db8::1
  6. Attacker sends forged DNS data
DNS cookies
• a prototype of DNS cookies (Source Identity Token) has been implemented in BIND 9.10
  • not the same, but similar to the IETF draft
• Beta 1 of BIND 9.10 is now available
• as there is no RFC standard, it uses an experimental private EDNS0 OPT option code (65001)
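The cookie exchange from the diagram slides, as an added example (not code from the Men & Mice slides, from BIND or from the draft): a small Python model in which the resolver presents its client cookie, the authoritative server answers with a server cookie bound to that client cookie and the resolver's address, and a forged answer from an off-path party (who never saw either cookie) is rejected. Messages are plain dicts rather than DNS wire format; the cookie sizes and the keyed-hash server cookie follow the general design of draft-eastlake-dnsext-cookies, and the zone data and addresses are constructed.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Authoritative server: issues a server cookie bound to the asking resolver."""

    def __init__(self, zone):
        self.zone = zone                       # (qname, qtype) -> rdata, constructed
        self.secret = secrets.token_bytes(32)  # server secret, never sent on the wire

    def server_cookie(self, client_cookie, client_ip):
        mac = hmac.new(self.secret, client_cookie + client_ip.encode(), hashlib.sha256)
        return mac.digest()[:8]

    def answer(self, query, client_ip):
        opt = query["opt"]
        sc = self.server_cookie(opt["client_cookie"], client_ip)
        rdata = self.zone.get((query["qname"], query["qtype"]))
        # A wrong server cookie cannot come from the resolver we issued it to:
        # return no data rather than a full (amplifying) answer.
        if opt.get("server_cookie") not in (None, sc):
            rdata = None
        return {"qname": query["qname"], "qtype": query["qtype"], "rdata": rdata,
                "opt": {"client_cookie": opt["client_cookie"], "server_cookie": sc}}


class Resolver:
    """Caching resolver: sends its cookie, learns the server cookie and re-checks it."""

    def __init__(self):
        self.client_cookie = secrets.token_bytes(8)
        self.server_cookies = {}               # server address -> learned server cookie

    def build_query(self, server_ip, qname, qtype):
        return {"qname": qname, "qtype": qtype,
                "opt": {"client_cookie": self.client_cookie,
                        "server_cookie": self.server_cookies.get(server_ip)}}

    def accept(self, server_ip, response):
        """True only if the response carries cookies an off-path party cannot know."""
        opt = response.get("opt") or {}
        if not hmac.compare_digest(opt.get("client_cookie") or b"", self.client_cookie):
            return False
        known = self.server_cookies.get(server_ip)
        if known is not None and not hmac.compare_digest(opt.get("server_cookie") or b"", known):
            return False
        self.server_cookies[server_ip] = opt["server_cookie"]
        return True


def run_exchange():
    """Replays the slides: A query, AAAA query, then a forged answer from off-path."""
    auth = AuthServer({("www.example.com", "A"): "192.0.2.1",
                       ("www.example.com", "AAAA"): "2001:db8::1"})
    resolver, resolver_ip, auth_ip = Resolver(), "198.51.100.53", "203.0.113.1"

    q1 = resolver.build_query(auth_ip, "www.example.com", "A")
    first_ok = resolver.accept(auth_ip, auth.answer(q1, resolver_ip))

    q2 = resolver.build_query(auth_ip, "www.example.com", "AAAA")   # now carries the server cookie
    second_ok = resolver.accept(auth_ip, auth.answer(q2, resolver_ip))

    # Off-path attacker: never saw either cookie, so can only guess them.
    forged = {"qname": "www.example.com", "qtype": "AAAA", "rdata": "2001:db8::bad",
              "opt": {"client_cookie": secrets.token_bytes(8),
                      "server_cookie": secrets.token_bytes(8)}}
    forged_ok = resolver.accept(auth_ip, forged)
    return first_ok, second_ok, forged_ok
```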
getdnsapi
• NLnetLabs, Verisign and No Mountain Software released a new client DNS resolver library under an open source BSD license
• based on an original specification from Paul Hoffman (vpnc.org)
• Download and information: https://getdnsapi.net
• Support for DNSSEC, DANE (TLSA), new record types, SRV record handling
getdnsapi
• Platforms as of IETF 89
  • RHEL/CentOS
  • MacOS
• Soon to be available:
  • FreeBSD
  • iOS (now rough but usable)
• In view:
  • Windows, Android
getdnsapi
• Language bindings
  • Python
  • Objective-C
  • Java
  • JavaScript (NodeJS)
DANE
Published new RFCs since last IETF
No DANE related RFC documents have been published since the last IETF
DANE
• DANE utilizes DNSSEC to provide opportunistic (without manual configuration) encryption with or without Certification Authorities (CAs)
• there is much interest in the DANE work from other IETF working groups and application developers
DANE in Web-Browser
• RFC 6698 - The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
• Plugin for Firefox, Opera, Chrome and Internet Explorer available: https://www.dnssec-validator.cz/
• Internet sites start using TLSA, for example https://packages.debian.org
SMTP TLSA in Postfix
• using TLS (Transport Layer Security, formerly known as SSL) with SMTP (E-Mail delivery) has many issues
  • certificate validation is not mandatory (and often not possible)
  • plaintext is the default, TLS is optional
  • a "Man in the Middle" attacker can force plain-text connections through a downgrade attack (remove the "STARTTLS" command from the conversation)
SMTP TLSA
• DANE specifies the use of the TLSA resource record for SMTP
• can make TLS connections mandatory between servers that support TLS
• the TLSA resource record holds a hash of the server certificate

    shell> dig mx tidelock.de +short
    10 ns3.tidelock.de.
    shell> dig _25._tcp.ns3.tidelock.de. tlsa +short
    3 0 1 76AD75E4F300C2BACBDC9363A337A533F3B3C15CAAFED4E0010D5DD3 52B83935
TLSA in Postfix
• the Postfix Mail-Server 2.11 implements DANE TLSA for SMTP
  • Viktor Dukhovni from the Postfix team presented on the challenges of implementing TLSA checking in applications
  • DANE implementation in software can be very complicated (easy to get wrong)
  • should be handled by a toolkit (OpenSSL, GnuTLS, NSS ...)
• Postfix author Wietse Venema presented the Postfix TLSA implementation during FOSDEM 2014 (1 February 2014)
more DANE work
• DANE for SIP (VoIP)
• DANE for SRV records (for Jabber/XMPP and other protocols using SRV records)
• as of March 2014, 58 Jabber servers already use DANE and DNSSEC (https://xmpp.net/reports.php#dnssecdane)
more DANE work
• OpenPGP keys in DNS
  • today, OpenPGP keys are stored in central "key-servers", such as hks://pgp.mit.edu
  • "Using DANE to Associate OpenPGP public keys with email addresses" (draft-wouters-dane-openpgp) proposes to store OpenPGP keys in DNS (DNSSEC secured)
more DANE work
• OpenPGP keys in DNS
  • the owner-name of the OPENPGPKEY record is the SHA224 hash of the user portion of an E-Mail address
  • the user part of an E-Mail address can contain characters illegal in DNS names
  • Example ([email protected])

    shell> echo -n "paul" | openssl dgst -sha224
    ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66

    (SHA224 hash of the username)
more DANE work
• OpenPGP keys in DNS
  • Example ([email protected])

    shell> dig -t TYPE65280 ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66._openpgpkey.nohats.ca +m
    ; <<>> DiG 9.9.4-P2 <<>> -t TYPE65280 ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66._openpgpkey.nohats.ca +m
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24851
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66._openpgpkey.nohats.ca. IN TYPE65280

    ;; ANSWER SECTION:
    ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66._openpgpkey.nohats.ca. 2822 IN TYPE65280 \# 2527 ( 99010D033F7B0C3D00000107FF686BB69E18ACD31C38 0005F186CCF2BC9697CB87FDD4C5CD5DA994CB7E0958 7B57910637B89C9BC9FE697509798FA9BDFB638978F4 92F10999C3A595F6EF1BEE01BACE1C9F636D33B632D2 [...] 4356D7E7E6DF1AAF09075505380D20C3164276 )

    ;; Query time: 6 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Mar 11 17:22:21 CET 2014
    ;; MSG SIZE rcvd: 2646

  Annotations on the slide: the RDATA is the OpenPGP Key (Base64); the answer is DNSSEC secured (flag "ad"); TYPE65280 is a private record type for experimental new protocols
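The two DANE naming rules from the slides (the `_25._tcp.<host>` TLSA owner name and the SHA-224 OPENPGPKEY owner name) together with the certificate check a TLSA "3 0 1" record implies, as an added example that is not code from the slides, from hash-slinger or from Postfix. The e-mail `paul@nohats.ca` is assumed from the local part "paul" and the `_openpgpkey.nohats.ca` owner name shown on the slides; the certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real DER; selector and matching-type semantics follow RFC 6698.

```python
import hashlib


def openpgpkey_owner_name(email):
    """OPENPGPKEY owner name: SHA-224 of the local part, under _openpgpkey.<domain>."""
    local, domain = email.rsplit("@", 1)
    # hashing sidesteps local-part characters that are not legal in DNS labels
    return f"{hashlib.sha224(local.encode()).hexdigest()}._openpgpkey.{domain}"


def tlsa_owner_name(port, proto, host):
    """TLSA owner name for a service, e.g. _25._tcp.ns3.tidelock.de."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def tlsa_assoc_data(selector, matching_type, cert_der, spki_der):
    """Certificate association data for the given selector and matching type."""
    if selector == 0:
        data = cert_der           # full certificate
    elif selector == 1:
        data = spki_der           # SubjectPublicKeyInfo only
    else:
        raise ValueError("unknown selector")
    if matching_type == 0:
        return data               # exact match on the raw bytes
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")


def tlsa_matches(record, cert_der, spki_der):
    """Check one TLSA record text ('3 0 1 <hex>') against the presented certificate.

    Only usage 3 (DANE-EE) is decided here, because it matches the end-entity
    certificate on its own; the other usages also need PKIX or chain handling
    and are reported as None (not decided) rather than guessed.
    """
    usage, selector, mtype, assoc = record.split(None, 3)
    if int(usage) != 3:
        return None
    expected = bytes.fromhex(assoc.replace(" ", ""))   # dig may wrap the hex with spaces
    return tlsa_assoc_data(int(selector), int(mtype), cert_der, spki_der) == expected


# Constructed stand-ins for DER-encoded certificate and SPKI bytes (not real DER).
CERT_DER = b"\x30\x82\x01\x00constructed-end-entity-certificate"
SPKI_DER = b"\x30\x59constructed-subject-public-key-info"


def example_record():
    """The '3 0 1' record an operator would publish for CERT_DER, in dig's +short layout."""
    return "3 0 1 " + hashlib.sha256(CERT_DER).hexdigest().upper()
```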
more DANE work
• OpenPGP keys in DNS
  • "milter" plugin for postfix and sendmail: https://github.com/letoams/openpgpkey-milter/
  • "hash-slinger" tool to create and verify "openpgpkey" records: https://github.com/letoams/hash-slinger
  • also available in Fedora Linux:

    shell> yum install hash-slinger
IPSEC in DNS
• opportunistic (automatic and authenticated) IPSec VPN tunnel between client and server
• the client looks up the server public key in DNS

    shell> dig ipseckey nohats.ca +m
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31467
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

    ;; QUESTION SECTION:
    ;nohats.ca. IN IPSECKEY

    ;; ANSWER SECTION:
    nohats.ca. 3591 IN IPSECKEY ( 10 0 2 . AQPl2UGDJvDff4BiJWFZoSuYrerisFXZdD6M+QPDtpuH i4rNmW+jqNGzF7k4orsggHyaglXSN2llTb0dTCwBamX8 [...] dVbEHKz2sWdESIA2YNVqtPirkdYA0MeyO8SwYgMvlmg3 E8JcNBbcndEZidrlfINzFs2GmugvNHHHX6a7CPACNU0o E2mzXeDY3FUW2F2XvERTnQPpU9zl )

    ;; AUTHORITY SECTION:
    [....]
    ;; ADDITIONAL SECTION:
    [....]

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Mar 11 17:41:17 CET 2014
    ;; MSG SIZE rcvd: 590
IPSEC Keys in DNS
• implemented in "libreswan" (Linux): https://github.com/libreswan
• the IPSECKEY record type is specified in RFC 4025 "A Method for Storing IPsec Keying Material in DNS"
• IPSECKEYs for IP-address initiated connections can be stored in reverse (in-addr.arpa and ip6.arpa) zones.
dbounds BoF
• dbounds = Domain Boundaries
• Browsers and other software (e.g. DMARC) rely on knowledge of administrative delegation boundaries in DNS
• the public-suffix list provides this information: http://www.publicsuffix.org/
dbounds BoF
• Example from the public suffix list:

    *.uk
    *.sch.uk
    !bl.uk
    !british-library.uk
    !mod.uk
    !national-library-scotland.uk
    !nic.uk
    !parliament.uk
    ...

• Discussion in the BoF: is DNS better suited to hold this information than a plain list?
  • the plain list needs to "guess" administrative boundaries, whereas domain owners can specify these boundaries in their DNS zone
• no decisions so far, discussion will continue on the mailing-list(s)
DHCP
Published new RFCs since last IETF
RFC   Title                                                          Category
7031  DHCPv6 Failover Requirements                                   Informational
7037  RADIUS Option for the DHCPv6 Relay Agent                       Standards Track
7078  Distributing Address Selection Policy Using DHCPv6             Standards Track
7083  Modification to Default Values of SOL_MAX_RT and INF_MAX_RT    Standards Track
Customizing DHCP Configuration on the Basis of Network Topology
• BCP document "draft-ietf-dhc-topo-conf"
• documents how DHCP clients, DHCP relay agents and DHCP servers interact
  • the DHCP server can select options to send to the client based on the network location of the client
  • covers both IPv4 and IPv6
RFC 3315bis
• the original DHCPv6 RFC 3315 is now over 10 years old
• more operational experience exists in the IETF since the time the RFC was written
• some parts of the RFC need clarification
• merge in references and updates from other RFCs since 3315
dhcpv6bis
• Bug tracker and mailing list: http://wiki.tools.ietf.org/group/dhcpv6bis/
• github repository with the new document: https://github.com/dhcwg/rfc3315bis
• if you have feedback or questions on DHCPv6bis, please contribute
DHCPv6 failover design
• The DHCPv6 failover design document has been submitted to the IESG after the last IETF meeting
• it came back and will now be split into two documents
  • failover design
  • failover protocol specification
DHC Load Balancing Algorithm for DHCPv6
• "draft-ietf-dhc-dhcpv6-load-balancing" describes a load-balancing algorithm for DHCPv6 servers, where the servers do not need to exchange information
• This algorithm is an extension of an already defined and proven algorithm used for DHCPv4, as described in RFC 3074.
Registering self-generated IPv6 Addresses in DNS using DHCPv6
• Document "draft-ietf-dhc-addr-registration"
• clients that use self-generated IPv6 addresses (SLAAC, CGA, privacy addresses) send a request to the DHCP server to add their AAAA forward mapping and PTR reverse mapping into DNS
• only the DHCPv6 server requires update permissions on the DNS server, not all clients
DHCPv4 over DHCPv6 Transport
• running two network protocols side by side (IPv4 and IPv6) is expensive (double work)
• network operators try to remove IPv4 as much as possible (access networks, backbone networks, datacenter networks)
• client machines often still require IPv4
• draft-ietf-dhc-dhcpv4-over-dhcpv6 defines options so that DHCPv4 requests can be sent inside DHCPv6 messages
DHCPv4 over DHCPv6 Transport
• Tsinghua University has implemented DHCPv4 over DHCPv6 on top of BIND 10 1.1.0 DHCP
  • https://github.com/gnocuil/DHCPv4oDHCPv6
  • Side note: BIND 10 1.2.0 beta 1 has been released last week: http://ftp.isc.org/isc/bind10/1.2.0beta1/
• "Provisioning IPv4 Configuration Over IPv6 Only Networks" (draft-ietf-dhc-v4configuration) discusses the various options available to send IPv4 configuration over IPv6-only networks
Secure DHCPv6 with Public Key
• DHCPv6 is more powerful than DHCPv4
  • for some functions, authentication and integrity checks are requested (like the server-reconfigure message to clients)
• "draft-jiang-dhc-sedhcpv6" specifies a protocol extension to secure the DHCPv6 communication between client, relay agent and server via public/private key pairs.
• The authority of the sender may depend on either a pre-configuration mechanism or a Public Key Infrastructure.
IPv6
Published new RFCs since last IETF
RFC   Title                                                          Category
7045  Transmission and Processing of IPv6 Extension Headers         Standards Track
7048  Neighbor Unreachability Detection Is Too Impatient            Standards Track
7050  Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis  Standards Track
7059  A Comparison of IPv6-over-IPv4 Tunnel Mechanisms              Informational
7094  Architectural Considerations of IP Anycast                    Informational
7136  Significance of IPv6 Interface Identifiers                    Standards Track
7112  Implications of Oversized IPv6 Header Chains                  Standards Track
7123  Security Implications of IPv6 on IPv4 Networks                Informational
Stable IPv6 Interface Identifiers
• the current IPv6 standards mandate that the Interface ID of Stateless Address Auto-Configuration (SLAAC) addresses is generated from the hardware address (MAC address) of the interface

    2001:db8:100:0:28c:f5ff:fe05:4235
    |-- Prefix --| |-- Interface-ID --|
Stable IPv6 Interface Identifiers
• the draft "Privacy Considerations for IPv6 Address Generation Mechanisms" (draft-ietf-6man-ipv6-address-generation-privacy) discusses privacy and security considerations for several IPv6 address generation mechanisms
  • correlation of activities over time
  • location tracking
  • address scanning
  • device-specific vulnerability exploitation
Stable IPv6 Interface Identifiers
• The IETF draft "A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Auto-Configuration (SLAAC)" (draft-ietf-6man-stable-privacy-addresses) describes a way to generate Interface IDs for IPv6 addresses that are
  • unique and stable for each network
  • but change for every network the host visits
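The three previous slides in code, as an added example (not from the slides or the drafts): the modified EUI-64 interface identifier is derived from a MAC address, the MAC is recovered back out of the slide's SLAAC address (which is exactly the tracking problem the privacy draft describes), and an opaque interface identifier in the style of draft-ietf-6man-stable-privacy-addresses is generated so that it is stable for one prefix and interface but differs on every other network. The hash inputs (prefix, interface name, DAD counter, host secret) follow that draft's function; SHA-256 as the hash and the host secret are my choices here.

```python
import hashlib
import ipaddress


def mac_to_iid(mac):
    """MAC address -> modified EUI-64 interface identifier (8 bytes)."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02                     # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def iid_to_mac(addr):
    """Recover the MAC from a SLAAC address, or None if the IID is not EUI-64 shaped."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                  # privacy/opaque IIDs do not carry the ff:fe marker
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02                     # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in b)


def slaac_address(prefix, iid):
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def stable_opaque_iid(prefix, iface, secret, dad_counter=0):
    """Opaque IID: same value whenever this host returns to this prefix on this
    interface, a different value on every other prefix, and nothing derived
    from the MAC, so the address cannot be correlated across networks."""
    net = ipaddress.IPv6Network(prefix)
    material = (net.network_address.packed[:8] + iface.encode()
                + bytes([dad_counter]) + secret)
    return hashlib.sha256(material).digest()[:8]
```

With the slide's address, `iid_to_mac("2001:db8:100:0:28c:f5ff:fe05:4235")` returns `00:8c:f5:05:42:35`, the MAC the host would carry into every network it joins.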
Why "/64"?
• IPv6 subnets are, with the exception of loopback and point-to-point connections, of size /64
• RFC 7136 states that "For all unicast addresses, except those that start with the binary value 000, Interface IDs are required to be 64 bits long."
• "Analysis of the 64-bit Boundary in IPv6 Addressing" (draft-carpenter-6man-why64) discusses
  • why the "/64" size was chosen
  • why network administrators ask for other subnet sizes (prefixes longer than /64)
  • what will break if IPv6 is configured with subnet sizes other than "/64"
Unknown IPv6 Extension header
• "middle-boxes" (firewalls, intrusion detection systems, specialized routers) cannot parse the extension header chain, as they cannot "jump over" unknown extensions
• this was on purpose in the original IPv6 specifications, as the core of the network should be "dumb", just forwarding packets, not inspecting them
  • however in reality today, IPv6 traffic often is dropped because of middle-boxes that cannot check the header chain
Unknown IPv6 Extension header
(diagram: an extension header chain)
    IPv6 header, next=43 (routing)
    -> Routing header, next=60 (dest option)
    -> Destination Option header, next=123 (??)
    -> Unknown header, unknown size, next=6 (tcp)
    -> TCP payload
  Middle-box cannot find TCP port information
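The diagram's failure mode as an added example (not code from the slides or from draft-gont): a minimal middle-box style walker that follows an IPv6 header chain using the length fields of the extension headers it knows, and gives up when it meets an unknown Next Header value, because it cannot know how long that header is. The header layouts are from RFC 2460 (8 * (Hdr Ext Len + 1) octets for hop-by-hop, routing and destination options; 8 octets for fragment); the packet bytes are constructed, with 123 standing in for the unknown header on the slide.

```python
import struct

EXT_VARIABLE = {0: "hop-by-hop", 43: "routing", 60: "dest option"}  # 8 * (len + 1) octets
EXT_FIXED = {44: "fragment"}                                         # always 8 octets
UPPER = {6: "tcp", 17: "udp", 58: "icmpv6"}


def walk_chain(pkt):
    """Return (chain, transport, offset) or (chain, None, None) when the walk fails."""
    nxt = pkt[6]                      # Next Header field of the fixed IPv6 header
    off = 40                          # the fixed header is 40 octets
    chain = []
    while True:
        if nxt in UPPER:
            return chain, UPPER[nxt], off
        if nxt in EXT_VARIABLE:
            chain.append(EXT_VARIABLE[nxt])
            nxt, hlen = pkt[off], 8 * (pkt[off + 1] + 1)
        elif nxt in EXT_FIXED:
            chain.append(EXT_FIXED[nxt])
            nxt, hlen = pkt[off], 8
        else:
            # No length field we can trust for an unknown header: the box
            # cannot skip it, so it never reaches the transport header.
            chain.append(f"unknown({nxt})")
            return chain, None, None
        off += hlen
        if off + 4 > len(pkt):        # truncated chain, e.g. a fragmented first packet
            return chain, None, None


def tcp_ports(pkt):
    """(source port, destination port) if the chain leads to TCP, else None."""
    _, proto, off = walk_chain(pkt)
    if proto != "tcp":
        return None
    return struct.unpack("!HH", pkt[off:off + 4])


def build_packet(with_unknown):
    """Constructed packet: IPv6 -> routing -> dest option [-> unknown 123] -> TCP."""
    tcp = struct.pack("!HH", 40000, 25) + b"\x00" * 16         # TCP header, ports 40000 -> 25
    ext = bytearray(bytes([60, 0]) + b"\x00" * 6)               # routing header, next=60 (dest option)
    if with_unknown:
        ext += bytes([123, 0]) + b"\x00" * 6                    # dest option header, next=123 (??)
        ext += bytes([6, 0]) + b"\x00" * 6                      # the unknown header itself, next=6 (tcp)
    else:
        ext += bytes([6, 0]) + b"\x00" * 6                      # dest option header, next=6 (tcp)
    payload = bytes(ext) + tcp
    # version 6, payload length, next=43 (routing), hop limit 64, zeroed src/dst addresses
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), 43, 64) + b"\x00" * 32
    return fixed + payload
```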
Unknown IPv6 Extension header
• the draft "IPv6 Universal Extension Header" (draft-gont-6man-ipv6-universal-extension-header) proposes a universal extension header containing just one header-type identifier and an 8-bit sub-type field, which allows for 256 extension header sub-types
  • it proposes to close the registry for new IPv6 extension headers
• new header functions would be implemented as sub-types of the "universal extension header"
SLAAC and DHCPv6
• DHCPv6/SLAAC Address Configuration Interaction Problem Statement (draft-ietf-v6ops-dhcpv6-slaac-problem)
• DHCPv6/SLAAC Interaction Operational Guidance Considerations (draft-liu-v6ops-dhcpv6-slaac-guidance)
  • Guidance for DHCPv6-only Deployment
  • Guidance for SLAAC-only Deployment
  • Guidance for DHCPv6/SLAAC Co-exist Deployment
• DHCPv6/SLAAC Interaction Implementation Guidance (draft-liu-6man-dhcpv6-slaac-implementation-guide)
Unique Local Addresses (ULA)
• "Recommendations of Using Unique Local Addresses" (draft-ietf-v6ops-ula-usage-recommendations)
  • lists use-cases of ULA and documents possible drawbacks
  • use of ULA in isolated networks
  • use of ULA together with Globally Unique Addresses (GUA)
Design Choices for IPv6 Networks
• "draft-ietf-v6ops-design-choices"
• Mix IPv4 and IPv6 on the Same Link?
• Links with Only Link-Local Addresses?
• Link-Local Next-Hop in a Static Route?
• Choice of IGP (OSPF vs. IS-IS)
Reducing multicast in IPv6
• Multicast can be expensive in terms of energy consumption on certain link-layer technologies (e.g. W-LAN)
  • IPv6 neighbor discovery relies heavily on link-local multicast
  • other protocols like multicast-DNS can create as much or more multicast traffic
  • the IETF v6ops and 6man working groups discuss options to replace the use of multicast in these networks with alternatives (unicast)
Q/A
• Slides, Links, Recording and errata will be posted @ https://www.menandmice.com/resources/educational-resources/webinars/