Core network / Backbone
• Existing network
  • Capabilities
  • Size of network
  • Routing architecture
• Future design
  • Simple
  • Manageable
btnog5 [email protected] 4
Label switching Backbone
• Segment Routing
• MPLS
• Single stack in the core to carry payloads
• Dual stack PE
(Figure: Label Core)
Dual Stack Backbone
• IPv4 and IPv6
• Each router has both routing information
• Simple model
(Figure: IP Core)
Access Network
• Leased line
  • Dual stack
• PPPoE
  • IPCP for IPv4
  • RA/IPv6CP and DHCP-PD for IPv6
• Mobile
  • IPV4V6
  • NAT64
Leased line
• Usually use a static route
  • Be careful about routing loops
• Or BGP
• Point-to-point link addressing
  • Link-local only
  • Global /64
  • Global /127
(Figure: ISP Edge Router; prefixes 2001:db8::/48 and 2001:db8:100::/64; routes: default, 2001:db8::/48 to null0)
Leased line: customer router
• Someone needs to configure it
  • Managed or customer-owned
• Internal needs
  • Dynamic routing
  • RA
  • DHCPv6 PD
  • Packet filtering
PPPoE WAN address
• CPE generates an IPv6 link-local address during IPV6CP negotiation
• BRAS might send RA, then the CPE can have an IPv6 global address on its WAN interface
(Figure: BRAS/CPE exchange: IPCP (IPv4 address); IPv6CP (IPv6 link-local address); RA (WAN IPv6 global address))
PPPoE DHCP-PD
• CPE requests a prefix by DHCP with the IA-PD option
• BRAS sends back the prefix information
(Figure: BRAS/CPE exchange: DHCPv6 request with IA-PD; DHCP-PD reply (e.g. 2001:db8:100::/56))
PPPoE LAN
• CPE uses the prefix on its LAN
  • Usually the first /64 of the prefix
  • RA and/or DHCPv6 stateful / stateless
(Figure: BRAS/CPE exchange: DHCP-PD (e.g. 2001:db8:100::/56); RA / DHCPv6 on the LAN (e.g. 2001:db8:100::/64))
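The two slides above (the DHCP-PD request/reply and the LAN /64) can be put together in code. The following is an added example, not code from the deck or from any BRAS/CPE vendor. Option codes and field layouts follow RFC 8415 (IA_PD = 25, IAPREFIX = 26); the IAID, T1/T2, lifetimes and the 2001:db8:100::/56 delegation are constructed sample values. The parser checks option lengths and rejects a prefix with host bits set or a valid lifetime shorter than the preferred one, which is what a CPE should do before installing anything a BRAS hands it.

```python
"""DHCPv6 prefix delegation helpers (added example, not the deck's code).

Builds the IA_PD a CPE sends, parses the IA_PD a BRAS returns, and derives the
first /64 the CPE announces on its LAN. Field layouts per RFC 8415.
"""
import ipaddress
import struct
from typing import Any, Dict, List, Tuple, Union

OPTION_IA_PD = 25      # RFC 8415 section 21.21
OPTION_IAPREFIX = 26   # RFC 8415 section 21.22
IA_PD_HEADER = struct.Struct("!III")     # IAID, T1, T2
IAPREFIX_HEADER = struct.Struct("!IIB")  # preferred-lifetime, valid-lifetime, prefix-length


def encode_option(code: int, payload: bytes) -> bytes:
    """Wrap a payload in the generic DHCPv6 option header (code, length)."""
    return struct.pack("!HH", code, len(payload)) + payload


def build_iaprefix(prefix: Union[str, ipaddress.IPv6Network], preferred: int, valid: int) -> bytes:
    net = ipaddress.IPv6Network(prefix)
    payload = IAPREFIX_HEADER.pack(preferred, valid, net.prefixlen) + net.network_address.packed
    return encode_option(OPTION_IAPREFIX, payload)


def build_ia_pd(iaid: int, t1: int = 0, t2: int = 0, sub_options: bytes = b"") -> bytes:
    """IA_PD as sent by a CPE (empty, or with a zero-lifetime IAPREFIX hint)
    or as returned by the BRAS (carrying the delegated IAPREFIX)."""
    return encode_option(OPTION_IA_PD, IA_PD_HEADER.pack(iaid, t1, t2) + sub_options)


def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a DHCPv6 option list into (code, payload) pairs, refusing truncated input."""
    opts, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("option length exceeds buffer")
        opts.append((code, data[off:off + length]))
        off += length
    return opts


def parse_ia_pd(option: bytes) -> Dict[str, Any]:
    """Decode one IA_PD option (header included) into IAID, T1, T2 and its prefixes."""
    opts = parse_options(option)
    if len(opts) != 1 or opts[0][0] != OPTION_IA_PD:
        raise ValueError("expected exactly one IA_PD option")
    payload = opts[0][1]
    if len(payload) < IA_PD_HEADER.size:
        raise ValueError("IA_PD too short")
    iaid, t1, t2 = IA_PD_HEADER.unpack_from(payload, 0)
    prefixes = []
    for code, sub in parse_options(payload[IA_PD_HEADER.size:]):
        if code != OPTION_IAPREFIX:
            continue  # other sub-options (e.g. Status Code) are not handled here
        if len(sub) < IAPREFIX_HEADER.size + 16:
            raise ValueError("IAPREFIX too short")
        preferred, valid, plen = IAPREFIX_HEADER.unpack_from(sub, 0)
        if valid < preferred:
            raise ValueError("valid lifetime shorter than preferred lifetime")
        addr = int.from_bytes(sub[IAPREFIX_HEADER.size:IAPREFIX_HEADER.size + 16], "big")
        try:
            net = ipaddress.IPv6Network((addr, plen))  # strict: host bits must be zero
        except ValueError as exc:
            raise ValueError("malformed IAPREFIX: %s" % exc) from exc
        prefixes.append({"prefix": str(net), "preferred": preferred, "valid": valid})
    return {"iaid": iaid, "t1": t1, "t2": t2, "prefixes": prefixes}


def first_lan_subnet(delegated: str, new_prefixlen: int = 64) -> str:
    """First /64 of the delegated prefix: what the CPE announces on its LAN via RA/DHCPv6."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > new_prefixlen:
        raise ValueError("a /%d cannot be carved out of %s" % (new_prefixlen, net))
    return str(next(net.subnets(new_prefix=new_prefixlen)))


def demo() -> Dict[str, Any]:
    """Constructed exchange: CPE hints for a /56, BRAS delegates 2001:db8:100::/56."""
    request = build_ia_pd(iaid=1, sub_options=build_iaprefix("::/56", preferred=0, valid=0))
    reply = build_ia_pd(iaid=1, t1=1800, t2=2880,
                        sub_options=build_iaprefix("2001:db8:100::/56", preferred=3600, valid=7200))
    parsed = parse_ia_pd(reply)
    delegated = parsed["prefixes"][0]["prefix"]
    return {"request_len": len(request), "reply_len": len(reply),
            "delegated": delegated, "lan": first_lan_subnet(delegated), "t1": parsed["t1"]}
```

`demo()` returns the delegated `2001:db8:100::/56` and the LAN subnet `2001:db8:100::/64`; both messages are 45 bytes (4-byte option header, 12-byte IA_PD body, 29-byte IAPREFIX).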
PPPoE: Customer router
• IPv6 PPPoE support
  • Replace / upgrade issue
• Internal needs
  • RA
  • DHCPv6
  • Packet filtering
Care for default
• Broadband user has no expertise whatsoever in Internet engineering
  • Typical residential / small-office network administrator
• Extra care should be used in the design of baseline operation modes for unconfigured devices
  • Most people never change the default configuration
RFC6092: Simple Security
• Simple Security mode
  • total 50 recommendations
  • It's not that simple :(
• Transparent mode
  • forwards all unsolicited flows
  • no filtering is applied
I-D: Balanced Security
• An example of a security model which Swisscom has deployed
• Threat model
  • denial of service by packet flooding
  • denial of service by ND cache exhaustion
  • denial of service by service request
  • unauthorized use of services
  • exploiting a vulnerability in the host
  • trojanized host can communicate via a covert channel
Balanced Security Policy
• Reject bogons
  • uRPF check for all traffic
• Protect weak services
  • filtering a limited set of layer-4 destinations
• Openness
  • allow all unsolicited packets with rate limiting
• All requirements of [RFC6092] except REC-11, REC-18 and REC-33 must be supported
Drop inbound
Transport  Port  Description
tcp        22    SSH
tcp        23    Telnet
tcp        80    HTTP
tcp        3389  Microsoft RDP
tcp        5900  VNC RDP

Drop inbound and outbound
Transport  Port  Description
tcp/udp    88    Kerberos
tcp        111   SUN RPC
tcp        135   MS RPC
tcp        139   NetBIOS
tcp        445   SMB Domain Server
tcp        513   Remote Login
tcp        514   Remote Shell
tcp        548   Apple Filing Protocol over TCP
tcp        631   Internet Printing Protocol
udp        1900  Simple Service Discovery Protocol
tcp        2869  Simple Service Discovery Protocol
udp        3702  Web Services Dynamic Discovery
udp        5353  Multicast DNS
udp        5355  Link-Local Multicast Name Resolution (LLMNR)
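The three policy elements (uRPF, weak-service filtering, rate-limited openness) and the two port tables can be expressed as a small CPE filter and run against sample traffic. This is an added example, not Swisscom's implementation or text from the draft. The port sets are exactly the two tables above; the delegated LAN prefix 2001:db8:100::/56, the sample addresses, and the token-bucket parameters (10 unsolicited inbound packets per second, burst 20) are constructed values of mine, since the slides name no rate.

```python
"""Balanced Security CPE filter model (added example, not the deck's or Swisscom's code).

Order of evaluation, following the policy slide: reject bogons via uRPF, drop the
listed weak services, then let everything else through with unsolicited inbound
traffic rate limited. Port sets are the two tables from the slides.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

DROP_INBOUND = {("tcp", 22), ("tcp", 23), ("tcp", 80), ("tcp", 3389), ("tcp", 5900)}
DROP_BOTH = {
    ("tcp", 88), ("udp", 88), ("tcp", 111), ("tcp", 135), ("tcp", 139),
    ("tcp", 445), ("tcp", 513), ("tcp", 514), ("tcp", 548), ("tcp", 631),
    ("udp", 1900), ("tcp", 2869), ("udp", 3702), ("udp", 5353), ("udp", 5355),
}


@dataclass
class Flow:
    direction: str          # "in" = Internet toward LAN, "out" = LAN toward Internet
    proto: str              # "tcp" or "udp"
    dport: int
    src: str                # source address as seen by the CPE
    solicited: bool = False  # True when it matches state created by an earlier outbound flow


class TokenBucket:
    """Constructed rate limiter for unsolicited inbound packets (parameters are assumptions)."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class BalancedFilter:
    def __init__(self, lan_prefix: str, rate: float = 10.0, burst: float = 20.0):
        self.lan = ipaddress.IPv6Network(lan_prefix)
        self.bucket = TokenBucket(rate, burst)
        self.counters: Dict[str, int] = {
            k: 0 for k in ("allow", "drop_urpf", "drop_weak_service", "drop_rate_limit")}

    def decide(self, flow: Flow, now: float) -> str:
        verdict = self._decide(flow, now)
        self.counters[verdict] += 1
        return verdict

    def _decide(self, flow: Flow, now: float) -> str:
        src = ipaddress.IPv6Address(flow.src)
        # 1. Reject bogons (uRPF): outbound traffic must carry a source from the delegated
        #    prefix; inbound traffic must not claim a source inside it.
        if (flow.direction == "out") != (src in self.lan):
            return "drop_urpf"
        # 2. Protect weak services: the limited set of layer-4 destinations from the tables.
        key = (flow.proto, flow.dport)
        if key in DROP_BOTH or (flow.direction == "in" and key in DROP_INBOUND):
            return "drop_weak_service"
        # 3. Openness: outbound and solicited inbound pass; unsolicited inbound is rate limited.
        if flow.direction == "out" or flow.solicited:
            return "allow"
        return "allow" if self.bucket.allow(now) else "drop_rate_limit"


def run_samples() -> Dict[str, int]:
    """Constructed flows through a CPE that was delegated 2001:db8:100::/56."""
    f = BalancedFilter("2001:db8:100::/56")
    remote, lan_host, foreign = "2001:db8:abcd::1", "2001:db8:100:1::10", "2001:db8:ffff::1"
    samples: List[Flow] = [
        Flow("in", "tcp", 22, remote),                    # inbound SSH: weak service
        Flow("out", "tcp", 445, lan_host),                # outbound SMB: dropped both ways
        Flow("out", "tcp", 443, lan_host),                # ordinary web traffic: allowed
        Flow("out", "tcp", 443, foreign),                 # LAN host with a non-LAN source: uRPF
        Flow("in", "udp", 5355, remote),                  # LLMNR from the Internet: dropped
        Flow("in", "tcp", 443, lan_host),                 # Internet packet claiming a LAN source: uRPF
        Flow("in", "tcp", 8080, remote, solicited=True),  # reply to an outbound connection: allowed
    ]
    # 25 unsolicited inbound packets to an unlisted port, all at t=0: the first 20 fit
    # the bucket's burst, the remaining 5 are rate limited rather than blocked outright.
    samples += [Flow("in", "tcp", 12345, remote) for _ in range(25)]
    for flow in samples:
        f.decide(flow, now=0.0)
    return dict(f.counters)
```

Running `run_samples()` gives 22 allowed, 3 weak-service drops, 2 uRPF drops and 5 rate-limit drops. Note that port 80 is dropped only inbound (a LAN host browsing the web is unaffected), while port 445 is dropped in both directions, which is the difference between the two tables.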
Packet Filtering is not Perfect
• This filtering probably stops several unauthorized accesses
  • by port blocking
• Other infection sources that can't be stopped
  • malware fetched by inside hosts
  • e-mail attachments
• We need to convince consumers to use up-to-date patches and anti-virus
LTE / Mobile network
• PDP/PDN type
  • Dual stack: IPv4v6
  • IPv6 only: IPv6
  • IPv4 only: IPv4
(Figure: PGW)
Smartphones (iOS)
• Carrier profile
  • Includes APN settings
  • Need to ask Apple to make a change
• A configuration profile can override the carrier profile
  • https://support.apple.com/apple-configurator
<key>DefaultProtocolMask</key>
<integer>3</integer>
<key>AllowedProtocolMask</key>
<integer>3</integer>
Android
• Default APN profiles are shipped within the OS
  • apns-full-conf.xml
  • Based on developers' knowledge
  • Sometimes it's not configurable
    • Mobile operators intentionally hide the setting
• Android developers can update it
  • It takes time to roll out
Other Scenario
• IPv4 over IPv6
  • ISP provides IPv6 connectivity, and provides IPv4 as an additional service over IPv6. A client is dual stacked
  • 464XLAT
  • DS-Lite
• Translation
  • ISP provides IPv6 connectivity, and has an IPv4-IPv6 translation service to provide access to the IPv4 world. A client is IPv6 only
  • NAT64