Embed Size (px)
Citation preview
Have you tried our v6onlySSID here?
Let’s do some quick checks
More checks• v6-onlyhostcanSSHtov4-onlymachine:
$ ssh awal@64:ff9b::192.168.51.160awal@64:ff9b::192.168.51.160's password:Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-87-generic x86_64)Last login: Thu Apr 11 16:12:24 2019 from 192.168.34.49$
What is anIPv6-Only network?
• Notdual-stack• UsersgetonlyIPv6networkparameters(i.e.Address,Prefix,GatewayandDNS)• localgatewayroutesonlyIPv6,noIPv4• MostroutersandinfrastructurehaveonlyIPv6addresses• IPv4isofferedtousersasaservice,overIPv6• ProtocoltranslationsrequiredforIPv4onlydestinations
Why goingv6-only?
• OperationalSimplicity- Singlestackinfrastructure
• Avoidsdoingredundanttasks:- 2xACLs/firewallrules- 2xmonitoringtargets- 2xplaceswhereerrorscanoccur
• DoingNATthatactuallygetssmallerdaybyday(NAT64)- SolvingcurrentIPv4issues- GettingridofexpensiveCGNAT
• Enhancedsecurity- Reductionofattacksurface
Building blocks
• Addressdistribution- SLAAC/DHCPv6
• NAT64(RFC6144-6146)- SupportedbyOEMs- Serverbasedtools:Jool,Tayga etc.
• DNS64(RFC6147)- IncludedinBind9- GooglepublicDNS64
• SupportofIPv6atend-userdevice- Noadditionalconfigurationisrequired
Topology consideration(It’s not a mandatoryin-line thing) Router
Router
Router(SLAAC)
NAT64+
DNS64NAT64
RouterDHCPv6
DNS64
v6+v4
v6
Internet Internet
v6+v4
v6
v4
v6
v6v6
v6
v6 v6
Tools used for our v6only network
• Oneboxdiditall- UbuntuServer16.04LTS
• Addressdistribution- SLAACwithRADVD
• NAT64- Jool 4.0.0- NAT64prefix:64:ff9b::/96
• DNS64- Bind9
• WirelessAP- MikroTik
v6+v4
v6
Ubuntu Server with radvd, jool
and bind9
Internet
Interface config(Ubuntu 16.04)
• /etc/network/interface
# Dual-stack WAN Interfaceauto enp1s0iface enp1s0 inet static
address 192.168.1.254netmask 255.255.254.0gateway 192.168.0.1
iface enp1s0 inet6 staticautoconf 0accept_ra 0address 2400:ca00:3000:10::2netmask 64gateway 2400:ca00:3000:10::1
# IPv6-only LAN Interfaceauto enp2s0iface enp2s0 inet6 static
address 2400:ca00:3000:15::1netmask 64
GW config(radvd + routing)
• /etc/radvd.conf
interface enp2s0{MinRtrAdvInterval 3;MaxRtrAdvInterval 4;AdvSendAdvert on;AdvManagedFlag off;prefix 2400:ca00:3000:15::/64
{AdvValidLifetime 14300;AdvPreferredLifetime 14200;};
RDNSS 2400:ca00:3000:15::1 {};
};
• Eanble routing
sysctl -w net.ipv4.conf.all.forwarding=1sysctl -w net.ipv6.conf.all.forwarding=1
NAT64 config(jool-4.0.0)
• Startjool:
/sbin/modprobe jool
• MapIPv6poolwithdefinedinstance:jool instance add "nat64" --iptables \--pool6 64:ff9b::/96
• Addmanglerules:ip6tables -t mangle -A PREROUTING \–d 64:ff9b::/96 -j JOOL --instance "nat64"
iptables -t mangle -A PREROUTING \–d 192.168.1.254 -p tcp --dport 1126:65535 \-j JOOL --instance "nat64”
iptables -t mangle -A PREROUTING \-d 192.168.1.254 -p udp --dport 1126:65535 \-j JOOL --instance "nat64”
iptables -t mangle -A PREROUTING \-d 192.168.1.154 -p icmp -j JOOL \--instance "nat64"
DNS64 config(bind9)
• /etc/bind/named.conf.options
options {......listen-on-v6 { any; };allow-query {2400:ca00:3000::/48; };recursion yes;dns64 64:ff9b::/96 {
clients { any; };mapped { any; };exclude {0::/3; 2001:db8::/32;};};
};
NAT64 tuning options
• Limitlocalportrangestoaddmoreportstotranslation:
echo 1025 1125 > /proc/sys/net/ipv4/ip_local_port_range
• MTU,FragmentationandPMTUDissue:
echo 2 > /proc/sys/net/ipv4/tcp_mtu_probing
QUESTIONS?
