IPv6: Thanks for stopping by
Bill Cheswick
ches@lumeta.com
http://www.lumeta.com
Pondering Perimeters: DOE
The Internet was engineered in the early 1980s, and before
• A research project, with a lot of flaws
• Nobody thought it would succeed as it has
• Astonishing that the engineering choices have lasted so long, through so many orders of magnitude of growth
• Relatively little tweaking:
  • DNS, BGP, CIDR addressing, TCP slow start, a few new ICMP messages
One of the choices: address size
• 4 billion addresses (2^32) seemed like enough in 1982
• At the time of the Morris worm (Nov 1988), estimated to be 6,000 hosts on the Internet (SWAG)
• In Bell Labs, I counted 1,330
• AT&T acquired a class A network (12.0.0.0/8) when Mark Horton just asked for it
Fun with a class A (/8) network
• We couldn’t figure out how to use it
• Sub- and sub-sub-netmasking not well supported
• The Cray had no trouble using it
• IP-opaque firewall wouldn’t allow us to use it internally and externally
• Steve Bellovin and I wondered how this empty address space was faring on the Internet
• We built the first packet telescope
Packet telescopes
How do you make a packet telescope?
• Announce the network on the Internet
• Tell the router to forward all packets of that net to a non-existent Ethernet address (01:02:03:04:05:06)
• The router doesn’t care that no-one is listening to the packets
• Then listen with tcpdump, ethereal, etc.
What we found
• Backscatter from dying hosts
• Misconfigured routers, etc.
• 15 – 25 MB per day of traffic
• Steve wrote the paper “There Be Dragons” based on the results.
Backscatter
• Some attacks on hosts require that tables be full, or the host be too busy to respond
• Flood it with spoofed packets having random return addresses
• Or chosen to be AT&T, because the phone company is evil
• The (dying) host will emit some responses to the spoofed address, and we can see some of them
Packet telescopes are used by a number of researchers today
• They cover a lot of address space
• The address spaces covered are kept secret
• Some are large, obvious spaces
• Others are mixed in with normal space
• More on this later
Brief history of Internet addressing: 1993
• Careless allocation seemed to be dooming us
• My ASCII floor number in our class B network 135.104.x.0/16
• Address space was filling up
• Routers were limited by the memory needed to hold all the routes on the Internet
Simple solution in 1993: more address bits
• Painful, but not too bad
• Would have gone into Microsoft… Win 95 was in the future
• IETF had several proposals to change the IP packet format to add more address space
• … and do a lot of other stuff, too, unfortunately
• As long as you are going to change every IP stack, let’s get something done
• Politics!
[Diagram: the IPv4 address space from 0.0.0.0 to 255.255.255.255, marking Class D and E networks (multicast), 10.0.0.0/8 (RFC 1918 space) and 127.0.0.0/8]
In 1993, IPv6 was 3 years away (C2 in ’92?)
But the emergency hasn’t come yet, at least in the US
• RFC 1918, private address space, is used extensively
• Companies were using IP-blocking firewalls, making their own address space
• At one bank: 50 states -> 50 class A networks
• Class A/B/C network sizes replaced with CIDR blocks: 209.123.16.96/28
• ARIN/RIPE/APNIC became very restrictive about handing out addresses
[Figure slides titled 1999, 2000, 2001, 2002, 2005]
IPv6: still 3 years away? Depends
ipv6.research.microsoft.com. 15M IN AAAA ::131.107.65.121
ipv6.research.microsoft.com. 15M IN AAAA 2002:836b:4179::836b:4179
IPv6 deployment
• Widely deployed in the Far East, and in the new cell phones
• Europe is getting on board
• US Government mandate for 2005
• But what does “IPv6 capable” really mean?
• None of the three ISPs I am connected to at home or work offer raw IPv6 feeds
IPv6 transition
• 6bone: deprecated
• IPv6 is available through IPv4/IPv6 tunnel brokers
• www.hexago.com, formerly freenet6.net
• Easy to set up on Unix hosts, then it Just Works
• In Windows XP for developers
• IPv4/IPv6 NAT boxes?
• Lumeta? We are working on it
IPv6: Some details
IPv4 vs. IPv6 address space
  /8   Class A
  /16  Class B (street value, $1MM?)
  /24  Class C
  /32  China
  /48  soldier
  /64  link
IPv6 address space
• /48s seem to be freely available:
  • Each US soldier will have one
  • One for each home
• Easy to hide hosts in that space
• Hard to administer hosts in that space
• Some interesting cryptographic and “IP hopping” applications come to mind.
soldier /48
• Host portion is 80 bits
• Enough for four whole Internets-worth of addresses for each cell in the soldier’s body
• Future nanotech really-intranet?
• Roughly enough to assign an IP address to each molecule in one of the soldier’s bullets
IPv6 technical aspects
• Addresses aren’t as bad as you might think:
  • 2001:5bfe:16::1 (easy to grep!)
• Address format changes logfile processing
• Math not easy for processing IPv6 addresses
• The “socket dance” must be rewritten
  • It’s much cleaner now
• Not a big deal, but requires changes to every legacy Internet program
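As an added illustration of the logfile-processing and address-math points (this is not code from the talk), the Python below canonicalises IPv6 spellings so they can be grepped consistently, tests prefix membership without string matching, and pulls the embedded IPv4 address out of 6to4 and IPv4-compatible/mapped forms, using the two microsoft.com AAAA records shown earlier as the worked case; the log lines are constructed for the example.

```python
import ipaddress

# Constructed sample log lines (not from the deck): the same host seen over
# IPv4, as an IPv4-compatible IPv6 address (::a.b.c.d) and via 6to4 (2002::/16),
# plus a native IPv6 host written two different ways.
SAMPLE_LOG = """\
2005-03-01T07:04:28 connect from 131.107.65.121 port 4908
2005-03-01T07:07:34 connect from ::131.107.65.121 port 4470
2005-03-01T07:15:17 connect from 2002:836b:4179::836b:4179 port 2681
2005-03-01T07:17:48 connect from 2001:5bfe:16::1 port 1825
2005-03-01T07:18:51 connect from 2001:5BFE:0016:0000:0000:0000:0000:0001 port 3178
"""

def canonical(addr: str) -> str:
    """One spelling per address: case and leading zeros squashed, '::'
    compression applied the same way every time. Raises ValueError on garbage."""
    return str(ipaddress.ip_address(addr))

def in_prefix(addr: str, cidr: str) -> bool:
    """Prefix test done on the 128-bit value, not on the text (grep would miss
    2001:5BFE:0016::1 when looking for 2001:5bfe:)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def embedded_ipv4(addr: str):
    """Recover the IPv4 address carried inside the IPv6 forms that have one:
    6to4 (2002:AABB:CCDD::/48) keeps it in bits 80..111 of the 128-bit value,
    IPv4-compatible (::a.b.c.d) and IPv4-mapped (::ffff:a.b.c.d) in the low 32.
    Returns None for plain IPv4 or native IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return None
    n = int(ip)
    if ip in ipaddress.ip_network("2002::/16"):
        return str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if ip.ipv4_mapped is not None or ((n >> 32) == 0 and n not in (0, 1)):
        return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))
    return None

def fold_sources(log: str) -> dict:
    """Count log lines per source, folding every IPv6 wrapper of an IPv4
    address onto that IPv4 address so one host shows up once."""
    counts = {}
    for line in log.splitlines():
        raw = line.split("connect from ")[1].split()[0]
        key = embedded_ipv4(raw) or canonical(raw)
        counts[key] = counts.get(key, 0) + 1
    return counts
```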
IPv6 dead ends
• Google-based research will lead you down recently abandoned dead ends
• A6 came and went, AAAA is what to use
• Link level addressing is deprecated
• The 6bone is dying, don’t go there
• Use of bottom 128 – 48 = 80 bits not really settled
Conversion issues
• IPv4-only hardware
  • Not available in some routers, wireless base stations, hubs, etc.
• Programmers have to relearn the “socket dance”
• Address format changes logfile processing
• Have to replicate a whole new set of firewall rules
IPv6 pending problems
• Chicken-and-egg startup
• DNS entries too small to hold all the root AAAA records
• Asset management?
Reasons to go to IPv6
• Address space stops being a problem
• Because the government policy says so
• There could be useful IPv6-only sites
• Early adopters (i.e. China) can restrict access to the IPv4 world
• Perhaps worm spreads might be slowed
  • See below
Reasons not to go to IPv6
• Unnecessary expense for corporations using private address space
• Unsupported by most cheap devices
  • Cable modems, base stations, etc.
• Not really there yet: some standards unsettled
Who are the early adopters?
• China and Japan
  • Didn’t receive very large initial IPv4 allocations
• Nascent industries
  • IP for cell phones
• US government, supposedly
IPv6 is still three years away
• From general acceptance
• There are more than a thousand out there right now
• IPv4 has nearly 200,000
Some IPv6 web sites
• www.ipv6.org
• www.ipv6forum.com
  • vendors
• www.hexago.com
  • Free IPv6 brokering
More on the Telescopes: Watching today’s evil
How do you make a packet telescope? Part 2.
• Choose some unused IP addresses
  • Near other address spaces is more likely to get hit
• Have a host publish permanent arp entries for each address:
  arp 209.123.16.100 01:02:03:04:05:06 pub
• The router doesn’t care that nobody is listening
• Then listen with tcpdump, ethereal, etc.
Internet background radiation
• 209.123.16.100/30: a packet telescope with four addresses
• 6 probes per hour per address
• Results vary depending on who is “next door” to you in Internet addressing (i.e. shares an ISP)
[Chart: first half of Thursday, 4 addresses, residential/commercial network (nac.net)]
• Nothing in DNS or web about these addresses
• No Windows PCs here
Traffic by hour

  b:/var/tmp$ cut -d: -f1 x | sort | uniq -c | awk '{x = ""; for (i=1; i<=$1; i++) {x = x "="}; print $2, $1, x}'
  00 67 ===================================================================
  01 30 ==============================
  02 37 =====================================
  03 47 ===============================================
  04 42 ==========================================
  05 42 ==========================================
  06 54 ======================================================
  07 28 ============================
  08 46 ==============================================
  09 37 =====================================
  10 18 ==================
Attack distribution by address
  209.123.16.100  111
  209.123.16.101   95
  209.123.16.102  114
  209.123.16.103  127
  07:04:28.194878 IP 209.137.140.29.4908 > 209.123.16.103.135: S 3234716732:3234716732(0) win 16
  07:07:34.165401 IP 209.11.240.115.4470 > 209.123.16.103.445: S 2381400493:2381400493(0) win 16
  07:15:17.085918 IP 209.7.49.222.2681 > 209.123.16.101.135: S 2806496091:2806496091(0) win 1638
  07:17:48.786333 IP 209.137.231.71.1825 > 209.123.16.103.135: S 1479393988:1479393988(0) win 87
  07:18:51.474861 IP 219.145.170.26.3178 > 209.123.16.103.1434: UDP, length: 376
  07:23:32.286715 IP 209.239.14.76.3293 > 209.123.16.100.135: S 269840468:269840468(0) win 64240
  07:24:50.831650 IP 200.27.150.160.1078 > 209.123.16.100.1434: UDP, length: 376
  07:25:04.705014 IP 209.77.237.109.1977 > 209.123.16.103.135: S 2766732623:2766732623(0) win 64
  07:26:57.976816 IP 211.175.182.185.6000 > 209.123.16.100.1433: S 1132396544:1132396544(0) win
  07:26:57.980013 IP 211.175.182.185.6000 > 209.123.16.103.1433: S 974782464:974782464(0) win 16
  07:26:57.984673 IP 211.175.182.185.6000 > 209.123.16.102.1433: S 2010251264:2010251264(0) win
  07:26:57.988127 IP 211.175.182.185.6000 > 209.123.16.101.1433: S 148832256:148832256(0) win 16
  07:31:12.193510 IP 209.116.102.97.4415 > 209.123.16.102.135: S 2243180210:2243180210(0) win 64
  07:37:01.279847 IP 61.147.119.92.80 > 209.123.16.103.15439: S 1394506562:1394506562(0) ack 157
  07:38:23.276307 IP 209.11.240.139.3691 > 209.123.16.103.135: S 208658438:208658438(0) win 6553
  07:39:33.883035 IP 209.11.240.139.4643 > 209.123.16.102.135: S 2559356627:2559356627(0) win 65
  07:41:33.970959 IP 209.11.240.139.1053 > 209.123.16.100.135: S 1218141503:1218141503(0) win 65
  07:46:19.098466 IP 209.123.117.250.3700 > 209.123.16.101.445: S 2483889535:2483889535(0) win 1
  07:46:22.092386 IP 209.123.117.250.3700 > 209.123.16.101.445: S 2483889535:2483889535(0) win 1
  07:46:48.374438 IP 209.123.117.250.4325 > 209.123.16.103.445: S 2521576092:2521576092(0) win 1
  07:46:51.363928 IP 209.123.117.250.4325 > 209.123.16.103.445: S 2521576092:2521576092(0) win 1
  07:51:45.253869 IP 209.7.49.222.4655 > 209.123.16.101.135: S 140404696:140404696(0) win 16384
  07:52:11.682851 IP 209.123.117.250.3593 > 209.123.16.102.445: S 2944460873:2944460873(0) win 1
  07:52:14.653648 IP 209.123.117.250.3593 > 209.123.16.102.445: S 2944460873:2944460873(0) win 1
  07:53:01.116268 IP 209.123.117.250.4668 > 209.123.16.100.445: S 3009370338:3009370338(0) win 1
  07:53:04.042178 IP 209.123.117.250.4668 > 209.123.16.100.445: S 3009370338:3009370338(0) win 1
  07:54:14.805373 IP 209.123.117.250.2398 > 209.123.16.102.445: S 3105685114:3105685114(0) win 1
  07:54:17.772847 IP 209.123.117.250.2398 > 209.123.16.102.445: S 3105685114:3105685114(0) win 1
IP source address count
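An added example (not the speaker's code) that does in Python what the cut/sort/uniq/awk pipeline and the per-address and per-source tallies above do, over a constructed capture in tcpdump's format; it additionally collapses retransmitted SYNs (same source port, same target) into one probe, which a raw packet count, such as the per-address totals above, does not.

```python
import re
from collections import Counter

# Constructed sample capture in tcpdump's output format, shaped like the
# telescope capture on the slides: targets are the deck's 209.123.16.100/30,
# sources/times/ports are invented (198.51.100.0/24 is a documentation range).
CAPTURE = """\
07:04:28.194878 IP 198.51.100.29.4908 > 209.123.16.103.135: S 10:10(0) win 16384
07:18:51.474861 IP 198.51.100.26.3178 > 209.123.16.103.1434: UDP, length: 376
07:26:57.976816 IP 198.51.100.185.6000 > 209.123.16.100.1433: S 20:20(0) win 16384
07:26:57.980013 IP 198.51.100.185.6000 > 209.123.16.103.1433: S 21:21(0) win 16384
07:46:19.098466 IP 198.51.100.250.3700 > 209.123.16.101.445: S 30:30(0) win 16384
07:46:22.092386 IP 198.51.100.250.3700 > 209.123.16.101.445: S 30:30(0) win 16384
08:02:10.000001 IP 198.51.100.29.4910 > 209.123.16.102.135: S 40:40(0) win 16384
"""

LINE = re.compile(r"^(\d\d):\d\d:\d\d\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")

def parse(capture):
    """Turn tcpdump lines into (hour, src, sport, dst, dport, kind) tuples;
    anything that is not a packet line is skipped."""
    out = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            h, src, sp, dst, dp, kind = m.groups()
            out.append((h, src, int(sp), dst, int(dp), kind.rstrip(",")))
    return out

def summarize(packets):
    """Tally probes per hour, per telescope address, per source and per port,
    counting each (src, sport, dst, dport) flow once at the hour it was first
    seen, so a retransmitted SYN is one probe rather than two."""
    first = {}
    for h, src, sp, dst, dp, _ in packets:
        first.setdefault((src, sp, dst, dp), h)
    flows = [(h,) + key for key, h in first.items()]
    return {
        "raw_packets": len(packets),
        "by_hour": Counter(f[0] for f in flows),
        "by_source": Counter(f[1] for f in flows),
        "by_target": Counter(f[3] for f in flows),
        "by_port": Counter(f[4] for f in flows),
    }

def bar_chart(counts):
    """ASCII histogram in the style of the awk one-liner on the slide."""
    return "\n".join(f"{k} {v} {'=' * v}" for k, v in sorted(counts.items()))
```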
Attack sources