Page 1: IPv6 Transition (2018. 6. 8.)
Matsuzaki ‘maz’ Yoshinobu <[email protected]>
btnog5 [email protected] 1


Page 2: Transition

• Deploy
• Co-exist
• Transition
• IPv4 sunset

(Figure: IPv4 vs. IPv6 across these phases)

Page 3: Networks

(Figure: two networks, AS/ISP 1 and AS/ISP 2, each with its own Backbone)

Page 4: Core network / Backbone

• Existing network
  • Capabilities
  • Size of network
  • Routing architecture
• Future design
  • Simple
  • Manageable

Page 5: Label switching Backbone

• Segment Routing
• MPLS
• Single stack in the core to carry payloads
• Dual stack PE (provider edge)

(Figure: label core)

Page 6: Dual Stack Backbone

• IPv4 and IPv6
• Each router carries both IPv4 and IPv6 routing information
• Simple model

(Figure: IP core)

Page 7: Access Network

• Leased line
  • Dual stack
• PPPoE
  • IPCP for IPv4
  • IPv6CP plus RA, and DHCPv6-PD, for IPv6
• Mobile
  • IPV4V6 (dual stack PDP/PDN type)
  • NAT64

Page 8: Leased line

• Usually uses static routes
  • Be careful about routing loops: if the ISP statically routes the whole customer prefix to the customer router and the customer router only has a default route back, packets for unused parts of the prefix bounce between the two routers until the hop limit expires. The customer router needs a discard (null0) route for its aggregate.
• Or BGP
• Point-to-point link addressing
  • Link-local only
  • Global /64
  • Global /127

(Figure: ISP edge router; point-to-point link 2001:db8:100::/64; customer prefix 2001:db8::/48; customer router routes: default towards the ISP, 2001:db8::/48 to null0)
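The loop on this slide is easy to see with a small forwarding simulation. This is an added example, not from the slides: two routing tables, longest-prefix-match lookups, and a packet walked between the routers. The addresses are the slide's documentation prefixes; the router names, the "lan1" LAN and the hop-limit bookkeeping are assumptions of the simulation.

```python
# Added example (not from the slides): simulate longest-prefix-match forwarding
# between an ISP edge router and a leased-line customer router to show why a
# statically routed customer prefix needs a discard (null0) route for its
# aggregate. Router names, the "lan1" LAN and the hop-limit handling are
# assumptions of this simulation.
import ipaddress

ISP = "isp-edge"
CPE = "customer-router"
DISCARD = "null0"

def lpm(fib, dst):
    """Return the next hop of the longest matching prefix, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in fib:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]

def forward(fibs, start, dst, hop_limit=64):
    """Walk the packet from router to router; return (outcome, hops).

    outcome is 'delivered' (left the modelled routers towards the upstream
    or a connected LAN), 'discarded' (null route / no route) or 'loop'
    (hop limit exhausted while ping-ponging between the two routers).
    """
    here, hops = start, 0
    while hops < hop_limit:
        nexthop = lpm(fibs[here], dst)
        hops += 1
        if nexthop is None or nexthop == DISCARD:
            return "discarded", hops
        if nexthop not in fibs:          # upstream Internet or a customer LAN
            return "delivered", hops
        here = nexthop
    return "loop", hops

# ISP side: default towards the upstream, customer /48 statically routed to the CPE
ISP_FIB = [("::/0", "upstream"), ("2001:db8::/48", CPE), ("2001:db8:100::/64", "connected")]

# Customer side without the aggregate discard route: only the /64 actually in use
CPE_FIB_BAD = [("::/0", ISP), ("2001:db8:0:1::/64", "lan1")]

# Customer side with the aggregate pointed at null0 (the slide's "2001:db8::/48 to null0")
CPE_FIB_GOOD = CPE_FIB_BAD + [("2001:db8::/48", DISCARD)]

def demo(dst):
    """Forward one packet arriving at the ISP edge, with and without the null0 route."""
    bad = forward({ISP: ISP_FIB, CPE: CPE_FIB_BAD}, ISP, dst)
    good = forward({ISP: ISP_FIB, CPE: CPE_FIB_GOOD}, ISP, dst)
    return bad, good

if __name__ == "__main__":
    for dst in ("2001:db8:0:1::10", "2001:db8:0:ffff::1"):
        bad, good = demo(dst)
        print(dst, "without null0:", bad, "with null0:", good)
```

A packet to the in-use /64 is delivered either way; a packet to an unused part of the /48 ping-pongs until the hop limit runs out unless the customer router discards its own aggregate. The same applies to any more specific route the ISP points at a customer, including the BGP case when the customer originates the aggregate.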

Page 9: Leased line: customer router

• Someone needs to configure it
  • Managed, or customer-owned
• Internal needs
  • Dynamic routing
  • RA
  • DHCPv6 PD
  • Packet filtering

Page 10: PPPoE WAN address

• The CPE generates an IPv6 link-local address during IPV6CP negotiation
• The BRAS may send an RA, in which case the CPE can also configure an IPv6 global address on its WAN interface

(Figure: BRAS <-> CPE exchange: IPCP (IPv4 address); IPv6CP (IPv6 link-local address); RA (WAN IPv6 global address))

Page 11: PPPoE DHCP-PD

• The CPE requests a prefix with DHCPv6, using the IA_PD option
• The BRAS replies with the delegated prefix

(Figure: BRAS <-> CPE: DHCPv6 request with IA_PD; DHCP-PD reply, e.g. 2001:db8:100::/56)

Page 12: PPPoE LAN

• The CPE uses the delegated prefix on its LAN
  • Usually the first /64 of the prefix
  • Advertised by RA and/or DHCPv6 (stateful or stateless)

(Figure: BRAS <-> CPE: DHCP-PD, e.g. 2001:db8:100::/56; CPE <-> LAN: RA / DHCPv6, e.g. 2001:db8:100::/64)
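The three PPPoE slides above (WAN address, DHCP-PD, LAN prefix) describe one procedure on the CPE side. The following is an added example, not code from the slides: it parses the IA_PD option of a DHCPv6 Reply using the option layouts of RFC 8415 (IA_PD is option 25, IA_PREFIX option 26) and then picks the first /64 of the delegated /56 for the LAN. The Reply bytes are constructed inline; the IAID, the T1/T2 and lifetime values and the DUIDs are arbitrary.

```python
# Added example (not from the slides): parse the IA_PD option of a DHCPv6 Reply
# (RFC 8415 option formats) the way a CPE would, and derive the first /64 of the
# delegated prefix for its LAN. The message bytes are constructed here for the
# example; IAID, timers, lifetimes and the DUID values are arbitrary.
import ipaddress
import struct

OPTION_CLIENTID = 1
OPTION_SERVERID = 2
OPTION_IA_PD = 25
OPTION_IAPREFIX = 26
MSG_REPLY = 7

def iter_options(data):
    """Yield (code, value) for the sequence of DHCPv6 options in data."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("truncated option %d" % code)
        yield code, data[off:off + length]
        off += length

def parse_ia_pd(value):
    """Return (iaid, t1, t2, [prefixes]) from an IA_PD option value."""
    iaid, t1, t2 = struct.unpack_from("!III", value, 0)
    prefixes = []
    for code, sub in iter_options(value[12:]):
        if code == OPTION_IAPREFIX:
            # preferred-lifetime, valid-lifetime, prefix-length, then 16-byte prefix
            pref, valid, plen = struct.unpack_from("!IIB", sub, 0)
            net = ipaddress.IPv6Network((sub[9:25], plen), strict=False)
            prefixes.append({"prefix": net, "preferred": pref, "valid": valid})
    return iaid, t1, t2, prefixes

def delegated_prefixes(msg):
    """Parse a DHCPv6 message and return the delegated prefixes (Reply only)."""
    if msg[0] != MSG_REPLY:
        return []
    result = []
    for code, value in iter_options(msg[4:]):        # skip msg-type + transaction-id
        if code == OPTION_IA_PD:
            result.extend(parse_ia_pd(value)[3])
    return result

def lan_prefix(delegated, index=0):
    """The slide's 'usually the first /64 of the prefix': pick /64 number index."""
    return list(delegated.subnets(new_prefix=64))[index]

def build_option(code, value):
    return struct.pack("!HH", code, len(value)) + value

def sample_reply():
    """Constructed BRAS Reply: CLIENTID, SERVERID and one IA_PD carrying 2001:db8:100::/56."""
    ia_prefix = build_option(
        OPTION_IAPREFIX,
        struct.pack("!IIB", 3600, 7200, 56) + ipaddress.IPv6Address("2001:db8:100::").packed)
    ia_pd = build_option(OPTION_IA_PD, struct.pack("!III", 1, 1800, 2880) + ia_prefix)
    return (bytes([MSG_REPLY]) + b"\x12\x34\x56"
            + build_option(OPTION_CLIENTID, b"\x00\x03\x00\x01\x00\x11\x22\x33\x44\x55")
            + build_option(OPTION_SERVERID, b"\x00\x03\x00\x01\x00\xaa\xbb\xcc\xdd\xee")
            + ia_pd)

if __name__ == "__main__":
    for p in delegated_prefixes(sample_reply()):
        print("delegated", p["prefix"], "valid", p["valid"], "s -> LAN", lan_prefix(p["prefix"]))
```

A real CPE also has to honour the lifetimes (renew at T1, stop advertising the LAN prefix when the valid lifetime expires) and must not advertise anything from a /56 it no longer holds; the parser above only extracts the values it would need for that.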

Page 13: PPPoE: Customer router

• IPv6 PPPoE support
  • Replace / upgrade issue
• Internal needs
  • RA
  • DHCPv6
  • Packet filtering

Page 14: Care for default

• Broadband users have no expertise whatsoever in Internet engineering
  • Typical residential or small-office network administrator
• Extra care should be used in the design of baseline operation modes for unconfigured devices
  • Most people never change the default configuration

Page 15: RFC 6092: Simple Security

• Simple Security mode
  • 50 recommendations in total
  • It's not that simple
• Transparent mode
  • Forwards all unsolicited flows
  • No filtering is applied

Page 16: I-D: Balanced Security

• An example of a security model that Swisscom has deployed
• Threat model
  • Denial of service by packet flooding
  • Denial of service by ND cache exhaustion
  • Denial of service by service request
  • Unauthorized use of services
  • Exploiting a vulnerability in the host
  • A trojanized host communicating via a covert channel

Page 17: Balanced Security Policy

• Reject bogons
  • uRPF check for all traffic
• Protect weak services
  • Filter a limited set of layer-4 destinations
• Openness
  • Allow all unsolicited packets, with rate limiting
• All requirements of [RFC6092] except REC-11, REC-18 and REC-33 must be supported

Page 18: Drop inbound

Transport  Port  Description
tcp        22    SSH
tcp        23    Telnet
tcp        80    HTTP
tcp        3389  Microsoft RDP
tcp        5900  VNC (remote desktop)

Page 19: Drop inbound and outbound

Transport  Port  Description
tcp/udp    88    Kerberos
tcp        111   Sun RPC (portmapper)
tcp        135   MS RPC
tcp        139   NetBIOS
tcp        445   SMB Domain Server
tcp        513   Remote login (rlogin)
tcp        514   Remote shell (rsh)
tcp        548   Apple Filing Protocol over TCP
tcp        631   Internet Printing Protocol
udp        1900  Simple Service Discovery Protocol
tcp        2869  Simple Service Discovery Protocol
udp        3702  Web Services Dynamic Discovery
udp        5353  Multicast DNS
udp        5355  Link-Local Multicast Name Resolution
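Slides 17 to 19 together define one CPE policy: bogon/uRPF rejection, a fixed set of blocked layer-4 destinations (some inbound only, some in both directions), and rate-limited acceptance of everything else unsolicited. The following is an added example, not code from the slides or from the Balanced Security draft: a small model of that policy run over constructed packets. The customer prefix, the (deliberately incomplete) bogon list, the token-bucket parameters, the flow-tracking key and the packet representation are assumptions of this example; the port lists are the ones tabulated on the slides.

```python
# Added example (not from the slides or the Balanced Security draft): a model of
# the CPE policy on slides 17-19 applied to constructed packets. The customer
# prefix, the bogon list, the rate-limit parameters, the flow key and the packet
# representation are assumptions; the port lists are the slides' tables.
import ipaddress
from dataclasses import dataclass

CUSTOMER_PREFIX = ipaddress.ip_network("2001:db8:100::/56")   # delegated prefix (assumed)

# Not a complete bogon list; enough for the example
BOGONS = [ipaddress.ip_network(p) for p in ("::/8", "fc00::/7", "fe80::/10", "ff00::/8")]

# Slide "Drop inbound": weak services that must not be reachable from the Internet
DROP_INBOUND = {("tcp", 22), ("tcp", 23), ("tcp", 80), ("tcp", 3389), ("tcp", 5900)}

# Slide "Drop inbound and outbound": LAN protocols that should never cross the WAN
DROP_BOTH = {("tcp", 88), ("udp", 88), ("tcp", 111), ("tcp", 135), ("tcp", 139),
             ("tcp", 445), ("tcp", 513), ("tcp", 514), ("tcp", 548), ("tcp", 631),
             ("udp", 1900), ("tcp", 2869), ("udp", 3702), ("udp", 5353), ("udp", 5355)}

@dataclass
class Packet:
    direction: str      # "in" (WAN -> LAN) or "out" (LAN -> WAN)
    proto: str          # "tcp" / "udp" / "icmpv6"
    src: str
    dst: str
    dport: int = 0

class UnsolicitedLimiter:
    """Token bucket for the 'openness' rule: unsolicited inbound is allowed,
    but no faster than rate packets/second with a burst of capacity."""
    def __init__(self, rate=10.0, capacity=20.0):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class Policy:
    def __init__(self):
        self.limiter = UnsolicitedLimiter()
        self.flows = set()   # (proto, lan_addr, wan_addr) opened from inside (simplified key)

    def decide(self, pkt, now=0.0):
        src = ipaddress.ip_address(pkt.src)
        # 1. Reject bogons / uRPF: outbound must come from our prefix,
        #    inbound must not claim our prefix or a bogon source
        if pkt.direction == "out" and src not in CUSTOMER_PREFIX:
            return "drop:urpf-out"
        if pkt.direction == "in" and (src in CUSTOMER_PREFIX or any(src in b for b in BOGONS)):
            return "drop:bogon"
        # 2. Protect weak services: a fixed set of layer-4 destinations
        key = (pkt.proto, pkt.dport)
        if key in DROP_BOTH:
            return "drop:lan-protocol"
        if pkt.direction == "in" and key in DROP_INBOUND:
            return "drop:weak-service"
        # 3. Openness: replies to flows opened from inside always pass;
        #    everything else unsolicited is accepted subject to the rate limit
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.dst))
            return "accept"
        if (pkt.proto, pkt.dst, pkt.src) in self.flows:
            return "accept:solicited"
        return "accept:unsolicited" if self.limiter.allow(now) else "drop:rate-limit"

def run_samples():
    """Constructed traffic samples; returns the verdict for each in order."""
    p = Policy()
    lan, wan, other = "2001:db8:100:1::10", "2001:db8:1234::1", "2001:db8:5678::1"
    return [
        p.decide(Packet("out", "tcp", lan, wan, 443)),                # normal outbound
        p.decide(Packet("in", "tcp", wan, lan, 443)),                 # reply, solicited
        p.decide(Packet("in", "tcp", wan, lan, 3389)),                # RDP from outside
        p.decide(Packet("out", "udp", lan, wan, 5353)),               # mDNS leaking out
        p.decide(Packet("out", "tcp", "2001:db8:9999::1", wan, 80)),  # spoofed source
        p.decide(Packet("in", "tcp", "fc00::1", lan, 8080)),          # ULA source from the WAN
        p.decide(Packet("in", "tcp", other, lan, 8080)),              # unsolicited, allowed
    ]

def burst_accepted(n, now=0.0):
    """Send n unsolicited inbound packets at the same instant; return how many pass."""
    p = Policy()
    ok = 0
    for i in range(n):
        pkt = Packet("in", "udp", "2001:db8:1234::%x" % (i + 1), "2001:db8:100:1::10", 9000)
        ok += p.decide(pkt, now) == "accept:unsolicited"
    return ok

if __name__ == "__main__":
    print(run_samples())
    print("burst of 25 unsolicited packets, accepted:", burst_accepted(25))
```

The ordering matters: the uRPF/bogon check comes first so that a spoofed packet never reaches the port tables or the flow state, and the "drop inbound and outbound" set is applied before the solicited check so that an inside host cannot open a flow that lets SMB or mDNS back in.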

Page 20: Packet Filtering is not Perfect

• These filters probably stop several kinds of unauthorized access
  • By port blocking
• Other infection sources that they can't stop
  • Malware fetched by inside hosts
  • E-mail attachments
• We need to convince consumers to keep up to date with patches and anti-virus

Page 21: LTE / Mobile network

• PDP/PDN type
  • Dual stack: IPv4v6
  • IPv6 only: IPv6
  • IPv4 only: IPv4

(Figure: PGW)

Page 22: Smartphones (iOS)

• Carrier profile
  • Includes APN settings
  • Need to ask Apple to make a change
• A configuration profile can override the carrier profile
  • https://support.apple.com/apple-configurator

APN payload keys (protocol mask values: 1 = IPv4, 2 = IPv6, 3 = both):

  <key>DefaultProtocolMask</key>
  <integer>3</integer>
  <key>AllowedProtocolMask</key>
  <integer>3</integer>

Page 23: Android

• Default APN profiles are shipped within the OS
  • apns-full-conf.xml (each <apn> entry carries protocol and roaming_protocol attributes, e.g. IP, IPV6 or IPV4V6)
  • Based on developers' knowledge
  • Sometimes it's not configurable
• Mobile operators intentionally hide the setting
• Android developers can update it
  • It takes time to roll out

Page 24: Other Scenario

• IPv4 over IPv6
  • The ISP provides IPv6 connectivity, and provides IPv4 as an additional service over IPv6. The client is dual stacked.
  • 464XLAT
  • DS-Lite
• Translation
  • The ISP provides IPv6 connectivity, and runs an IPv4-IPv6 translation service to give access to the IPv4 world. The client is IPv6 only.
  • NAT64
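NAT64 and the CLAT side of 464XLAT both rely on the same address mapping: an IPv4 address embedded in an IPv6 prefix as specified in RFC 6052. The following is an added example, not code from the slides: synthesis and extraction for all six permitted Pref64 lengths (32, 40, 48, 56, 64 and 96 bits), including the rule that byte 8 (the "u" octet) is skipped and must be zero. The prefixes and IPv4 addresses are constructed samples; 64:ff9b::/96 is the RFC 6052 well-known prefix.

```python
# Added example (not from the slides): RFC 6052 IPv4-embedded IPv6 address
# synthesis and extraction, the mapping a NAT64 translator (and the CLAT side
# of 464XLAT) uses. Sample prefixes and IPv4 addresses are constructed;
# 64:ff9b::/96 is the RFC 6052 well-known prefix.
import ipaddress

WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)

def _v4_byte_positions(plen):
    """Byte offsets of the four embedded IPv4 octets: they follow the prefix,
    skipping byte 8 (the 'u' octet, which must be zero)."""
    positions = []
    pos = plen // 8
    for _ in range(4):
        if pos == 8:
            pos += 1
        positions.append(pos)
        pos += 1
    return positions

def synthesize(pref64, ipv4):
    """Embed an IPv4 address into a Pref64::/n prefix (RFC 6052 section 2.2)."""
    net = ipaddress.ip_network(pref64)
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError("Pref64 length must be one of %s" % (VALID_LENGTHS,))
    out = bytearray(net.network_address.packed)
    v4 = ipaddress.IPv4Address(ipv4).packed
    for pos, octet in zip(_v4_byte_positions(net.prefixlen), v4):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))

def extract(pref64, ipv6):
    """Recover the IPv4 address from an IPv4-embedded IPv6 address,
    or None if the address is not inside the prefix or is malformed."""
    net = ipaddress.ip_network(pref64)
    addr = ipaddress.ip_address(ipv6)
    if addr not in net:
        return None
    raw = addr.packed
    if net.prefixlen < 96 and raw[8] != 0:
        return None   # 'u' octet must be zero in a well-formed embedded address
    return ipaddress.IPv4Address(bytes(raw[p] for p in _v4_byte_positions(net.prefixlen)))

if __name__ == "__main__":
    # What an IPv6-only handset sees from DNS64 for an IPv4-only server,
    # and what the NAT64 recovers as the real IPv4 destination
    mapped = synthesize(WELL_KNOWN, "192.0.2.33")
    print("DNS64 synthesises", mapped, "-> NAT64 forwards to", extract(WELL_KNOWN, mapped))
    for pref in ("2001:db8::/32", "2001:db8:1:2::/64"):
        print(pref, "->", synthesize(pref, "198.51.100.7"))
```

The /96 case is the one most deployments use, but network-specific prefixes (RFC 7050 discovery) can have any of the other lengths, and a translator that only handles the /96 layout will mis-parse those: the IPv4 octets are no longer the last four bytes once the prefix is shorter than 64 bits.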