IPv6 Transition Mechanisms, their Security and Management
Georgios Koutepas, National Technical University of Athens, Greece
6DISS Workshop, March 5 2006
Transition to IPv6
• Not an afterthought, but designed to be part of the new protocol since the beginning
• Overview of transition requirements:
  • Gradual site transition: a site may have only some of its systems supporting IPv6
  • Minimum transition requirements: a site can support IPv6 just by offering DNS services, without any upgrade to the rest of the infrastructure
  • IP address compatibility: IPv4 addresses can be converted to "corresponding" IPv6 addresses, allowing a system to operate in both environments
  • Ease of installation: operating systems should support IPv6 straightforwardly, without the need for software upgrades
• The answer: SIT (Simple Internet Transition) mechanisms included in IPv6
IPv6 Transition Mechanisms
• SIT offers a scheme for:
  • The conversion of IPv4 addresses to IPv6
  • Dual-stack OS operation
  • Tunnelling mechanisms via the encapsulation of IPv6 packets within IPv4 when passing over IPv4 clouds (and vice versa)
• The result:
  • Dual-stack mechanisms
  • Translation mechanisms
  • Tunnelling mechanisms
Translation Mechanisms
• NAT-PT (Network Address Translation - Protocol Translation)
  • Potential problems:
    • Services based on protocol-specific header info cannot be supported end-to-end
    • "Classic" NAT security issues
• Others:
  • BIS (Bump in the Stack) - at the transport layer
  • BIA (Bump in the API) - at the application layer
Tunnelling Mechanisms
• How they work:
  • Encapsulation of IPv6 packets within IPv4 packets and vice versa, which means it can also be used for IPv4 connections over native IPv6 networks
  • Protocol number in the IPv4 header: 41
  • The tunnel's end point performs the necessary operations on the protocol 41 IPv4 packets:
    • Reassembly of fragmented packets
    • Packet forwarding in the IPv6 network
    • Hop limit (equivalent to IPv4 TTL) reduction by 1: the tunnel is "transparent" to IPv6
• Nodes performing the (en/de)capsulation operation have to be dual stack
Types of tunnelling
Based on the way we find the tunnel's other end:
• (Pre)configured tunnel end-points
• Automatic: the tunnel end-point may be derived from:
  • a 6to4 address
  • an IPv4-compatible IPv6 destination address
Automatic Tunneling Mechanisms: Tunnel Brokers
• The simplest way to IPv6 for single users (i.e. using dialup, ADSL, etc.)
• May create security problems; or, conversely, protocol 41 may be banned by the sys-admins for security reasons
• Operation:
  • The user connects to a special web server (in the IPv4 network) and makes a tunnel application
  • The server assigns an IPv6 address, creates a DNS entry, informs the Tunnel Server, and sends a configuration script to the user
  • The user runs the script, which installs the IPv6-over-IPv4 tunnel and connects to the Tunnel Server, which routes the packets to the native IPv6 network
Automatic Tunneling Mechanisms: 6over4
• Deprecated...
• "Multicast tunnelling"
• Single IPv6 hosts use the IPv4 multicast network to connect to each other, or to the native IPv6 network via a 6over4 router (usually a 6to4 router)
• The result is IPv6 hosts directly connected, even using IPv6 link-local addresses (derived from their IPv4 addresses)!
• Also supports IPv6 multicast, etc.
• 6over4 requires IPv4 multicast support, which is not widely available
Automatic Tunneling Mechanisms: ISATAP
• Intra-Site Automatic Tunnel Addressing Protocol
• Also uses the IPv4 infrastructure, but without the need for multicast
• Can operate under IPv4 NAT
• Operation:
  • The node with IPv4 address A.B.C.D gets the IPv6 link-local address FE80::5EFE:AB:CD (the IPv4 address is embedded in the last 4 bytes)
  • Using DNSv4 queries for the name ISATAP, a Potential Router List (PRL) is created (the router usually is a 6to4 system)
  • A Router Solicitation message is sent; the answer (Router Advertisement message) gives the prefix for creating the universal (global) IPv6 address
  • ISATAP router-to-node communication: the tunnel end-point is taken from the last 4 bytes of the destination address
  • Node to the IPv6 network: via the ISATAP router
Automatic Tunneling Mechanisms: Teredo
• Useful for hosts behind NAT
• Encapsulates the IPv6 packets within IPv4 UDP packets, to bypass the problem of NATs that in many cases restrict protocol 41 (IP-encapsulated) packets
• The encapsulation takes place at the communicating node itself rather than at a border router (as happens in 6to4)
• The Teredo relay then forwards the packets to the native IPv6 network
• Issues:
  • Complex implementation
  • Can operate only with specific NAT types
  • Limited number of Teredo relays available in the Internet
  • Used only when there is no other available solution...
Automatic Tunneling Mechanisms: 6to4 Overview
• Connects isolated IPv6 "clouds"
• Only the border routers need to implement the 6to4 functionality (and they need to be dual stack too...)
• Any site with a single unicast IPv4 address can transmit to the IPv6 network using the 2002::/16 prefix
• Many available relays to the IPv6 network, easy to find by (IPv4) anycast addressing (from 192.88.99.0 - RFC 3068)
• The most widely used mechanism: thanks to its minimum requirements and ease of implementation it is preferred to other automatic tunneling methods and to configured tunnels
• However, it cannot be used behind NAT because it requires an available universal (global) IPv4 address
6to4 usage scenarios (1): 6to4 host to 6to4 host
• Native IPv6 communication and routing (RIPng)
6to4 usage scenarios (2): Between two 6to4 sites
• Useful for sites without native IPv6 ISP support
• Within the 6to4 sites the hosts use IPv6 natively:
  • Router advertisements and stateless address autoconfiguration
  • DNSv6 host records - the other site can learn about the hosts it needs to communicate with
• Packets to non-local IPv6 addresses are sent to the default (6to4) router
• The IPv4 address within the 6to4 destination IPv6 address is used as the tunnel termination point
6to4 usage scenarios (3): Between a 6to4 site and a native IPv6 network
• Connection to the native IPv6 network through a 6to4 Relay Router (an IPv6 router with a 6to4 "pseudo-interface")
• Usage of the Relay Router's IPv4 address or the anycast address
• 6to4 host to a native IPv6 host:
  • The 6to4 host uses DNS to find the destination host
  • The 6to4 router forwards (via IPv4) the packet to the "next hop", the closest 6to4 relay router
  • The IPv6 router forwards the packet to its final destination
• Native IPv6 host to a 6to4 host:
  • The 6to4 relay router advertises the 2002::/16 prefix within the IPv6 network
  • An IPv6 host will use this information to send its packet to the corresponding IPv6 router and further to the 6to4 "pseudo-interface", via which (over the IPv4 network) the packet reaches the 6to4 network and its final destination
6to4 Security, or what can go wrong...
• Vulnerabilities:
  • 6to4 routers must accept packets from ALL 6to4 relay routers
  • It's not possible to know if a relay router is "trusted" or even exists
  • 6to4 relay routers have to accept packets from 6to4 routers and native IPv6 hosts without any checks
• Threats:
  • DoS/DDoS against 6to4 components may result in unavailability
  • 6to4 routers/relay routers may be used for "reflected" DDoS attacks
  • "Service theft": unauthorized usage of relay router services
  • Local IPv4 broadcast attacks
  • Neighbor Discovery attacks
• "Sanity checks" necessary!
6to4 Security: an attack scenario
• Reflected DoS attack
• It is supposed that bandwidth and processing power limitations can prevent a large-scale attack...
Securing 6to4 components
• 6to4 routers:
  • Check for correspondence between the IPv4 part of the packet and the 2002::/16 IPv6 encapsulated part
  • Implement "sanity checks":
    • IPv4: do not allow strange (e.g. loopback), private, multicast, etc. addresses to be encapsulated
    • IPv6: reject "wrong" addresses, like link-local, multicast, etc.
  • Prevent routing of packets to other 6to4 sites via 6to4 relay routers
  • Reject packets coming from another 6to4 site via a relay router
Securing 6to4 components (2)
• 6to4 relay routers:
  • Reject IPv4 packets from 6to4 routers whose IPv4 source address (V4ADDR) does not match the 6to4 source address (2002:V4ADDR::/48) in the encapsulated IPv6 packet
  • Reject protocol 41 (IPv4) packets without destination address 192.88.99.1
  • Deny packets to the IPv6 network without a universal (global) IPv6 address
  • Reject packets from 6to4 routers to 6to4 addresses
  • Ingress filtering and Access Control Lists for the IPv6 part!
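An added example, not from the slides, that implements the 6to4 router and relay router sanity checks of the two "Securing 6to4 components" slides over constructed protocol 41 packets (outer IPv4 header, inner IPv6 header), using Python's ipaddress module. The packet builder, the role names "router"/"relay", the bogus-IPv4 list and the sample addresses (IPv4/IPv6 documentation ranges) are assumptions for the demonstration.

```python
import ipaddress
import struct
IPPROTO_IPV6 = 41                                    # IPv6-in-IPv4 encapsulation (protocol 41)
SIXTO4 = ipaddress.ip_network("2002::/16")           # each site owns 2002:V4ADDR::/48
RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")  # RFC 3068 6to4 relay anycast address
BOGUS_V4 = [ipaddress.ip_network(n) for n in         # never legitimate tunnel endpoints (assumed list)
            ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
             "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def embedded_v4(v6):
    return ipaddress.ip_address((int(ipaddress.IPv6Address(v6)) >> 80) & 0xFFFFFFFF)  # bits 16..47

def build_pkt(o_src, o_dst, i_src, i_dst):
    """Constructed test packet: outer IPv4 header (protocol 41) + inner IPv6 header, no payload."""
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, IPPROTO_IPV6, 0,
                     ipaddress.IPv4Address(o_src).packed, ipaddress.IPv4Address(o_dst).packed)
    v6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                     ipaddress.IPv6Address(i_src).packed, ipaddress.IPv6Address(i_dst).packed)
    return v4 + v6

def decapsulate(pkt):
    """Return (outer src, outer dst, inner src, inner dst) or None if not an IPv6-in-IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_IPV6 or len(pkt) < ihl + 40 or pkt[ihl] >> 4 != 6:
        return None
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]),
            ipaddress.IPv6Address(pkt[ihl + 8:ihl + 24]), ipaddress.IPv6Address(pkt[ihl + 24:ihl + 40]))

def check_packet(pkt, role):
    """Sanity checks for an inbound protocol-41 packet at a 6to4 'router' or 'relay'."""
    parsed = decapsulate(pkt)
    if parsed is None:
        return "reject: not an IPv6-in-IPv4 packet"
    o_src, o_dst, i_src, i_dst = parsed
    if any(a in n for a in (o_src, o_dst) for n in BOGUS_V4):
        return "reject: loopback/private/multicast IPv4 endpoint"
    if any(a.is_link_local or a.is_multicast or a.is_unspecified or a.is_loopback for a in (i_src, i_dst)):
        return "reject: link-local/multicast IPv6 address inside tunnel"
    # a 6to4 source must embed the sending IPv4 address; this also stops 6to4-sourced packets that
    # arrive indirectly via a relay router, because their outer source is the relay's own address
    if i_src in SIXTO4 and embedded_v4(i_src) != o_src:
        return "reject: 6to4 source does not match outer IPv4 source"
    if role == "relay":
        if o_dst != RELAY_ANYCAST:
            return "reject: relay accepts protocol 41 only on 192.88.99.1"
        if i_src not in SIXTO4 or i_dst in SIXTO4:
            return "reject: relay forwards only 6to4 sources towards native IPv6 destinations"
        return "accept"
    if i_dst not in SIXTO4 or embedded_v4(i_dst) != o_dst:  # must be for this router's own 2002:V4ADDR::/48
        return "reject: inner destination is not this router's 6to4 prefix"
    return "accept"
```

A real deployment would additionally apply the ingress filtering and ACLs on the IPv6 side that the slide calls for; the checks here cover only what can be decided from the two headers.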
A General Transition Roadmap for an enterprise or educational network
Phase 1
• Network design:
  • Define wide-area and local network segments
  • Define "special" areas (due to requirements and operations): VLANs, DMZs, etc.
  • Define management entities and their areas of responsibility
  • Network management information flow
• Security requirements:
  • For users and applications
  • For the network itself (protection of the management information, protection of network devices, security of management procedures)
• Plan the steps of the transition to the new protocol. Examine the possibility of deploying transition mechanisms (for communications between IPv6 areas within an IPv4 network and vice versa)
A General Transition Roadmap (2)
Phase 2
• Implementation of a mixed IPv4/IPv6 environment
• Gradual transition of non-critical systems to IPv6:
  • Allows the evaluation of the operation and stability of the network devices and non-critical systems under IPv6
  • Develops the transition procedures
  • Disseminates the usage of transition mechanisms (tunnels, gateways, etc.) for communications between IPv6-only areas
Phase 3
• Transition of all systems to IPv6
• Exclusive usage of IPv6 in the network
• Maintaining transition mechanisms for legacy systems and contacts with IPv4 networks