Transcript
Page 1: IPv6: Why "next year" is now

www.wildpackets.com © WildPackets, Inc.

Jim MacLeod

Product Manager

WildPackets

[email protected]

Follow me @shewfig

IPv6

“Next Year” is Now!

Show us your tweets! Use today’s webinar hashtag:

#wp_ipv6 with any questions, comments, or feedback.

Follow us @wildpackets

Page 2

Agenda

• Primer
  ‒ Address types
  ‒ Address format
  ‒ Address resolution
• Issues
  ‒ Implementation
  ‒ Interoperability
  ‒ Security
• WildPackets

Page 3

Primer: IPv6 Addressing

Page 4

Address Lexical Conventions

• 128 bits of hexadecimal
  ‒ IPv4 had 32 bits in dotted-decimal
• Separated by colons
  ‒ 8 groups of 16 bits
  ‒ 8 bits = “octet”
  ‒ 16 bits = “sedectet” or “hexadectet”
• Shortcuts
  ‒ Leading zeros can be omitted
    • 2001:0db8::/32 same as 2001:db8::/32
  ‒ Multiple consecutive zero groups written as “::”
    • 2001:db8:0:0:0:0:0:1 same as 2001:db8::1
  ‒ Localhost is ::1, default route is ::/0

Page 5

Address Sections

• Sections
  ‒ Network
    • RIR-assigned or local
  ‒ Subnet
    • Subnetting within org/site
  ‒ Host
    • 64-bit interface identifier
• Example
  ‒ 2001:db8::/32
    • 32 bits of prefix, 32 bits of subnet, 64 bits of interface ID
    • 32 bits of subnet =~ entire size of IPv4, each subnet with 64 bits of host
  ‒ 2001:db8:de30::/48
    • 48 bits of prefix, 16 bits of subnet, 64 bits of interface ID
    • 16 bits of subnet =~ class B IPv4 address block

Page 6

Address Types

• Unicast
  ‒ “Normal” address
• Local
  ‒ Link-Local: not routable, subnet only
  ‒ ULA (Unique Local Addresses): private address
• Multicast
  ‒ Multiple scopes from host-internal to Internet-wide
• NO explicit Broadcast
  ‒ Implemented as local-scope multicast
  ‒ Several specific multicast addresses defined and used
    • All Routers, All DHCP servers, etc…

Page 7

Local Addresses

• Link-Local: non-routable, subnet only
  ‒ Defined as fe80::/10. In practice, fe80::/64
  ‒ Nodes auto-generate an address for each interface
  ‒ On-box, append the interface ID to the address (e.g. %eth0)
• Similar in concept to 169.254.0.0/16
  ‒ Auto-defined, unique per subnet
• Why?
  ‒ Bootstrap addressing: no “naked” protocols like ARP
  ‒ Used by ICMPv6 Neighbor Discovery (“ARPv6”)
  ‒ Used by DHCPv6, no need for broadcast
• Impact
  ‒ Every IPv6 interface will have at least 2 addresses

Page 8

Unique Local Addresses (ULA)

• Routable private address space
  ‒ fd00::/8, plus 40 “random” bits -> fdxx:xxxx:xxxx::/48
  ‒ Like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
• Can be used to create isolated networks
  ‒ Potentially routable among connected systems
  ‒ Non-routable across the Internet
• Potential uses
  ‒ Lab networks
  ‒ Air-gapped networks
  ‒ Pilot projects
• NOT intended for use with NAT
  ‒ NAT was a work-around on IPv4; IPv6 is the solution

Page 9

Subnetting Review

• Q: Does 2001::/32 contain 2001:db8::/32?
  ‒ 2001::/32
    • 2001:0:0:0:0:0:0:0 – 2001:0:ffff:ffff:ffff:ffff:ffff:ffff
  ‒ 2001:db8::/32
    • 2001:db8:0:0:0:0:0:0 – 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
  ‒ A: no, the 2nd sedectet is different
• Q: How large is fe80::/10?
  ‒ fe80::/16 – febf::/16
  ‒ 64 /16 blocks, 4B /32 blocks, 18 quadrillion /64 blocks
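Added example, not code from the deck: the shortcut rules from the "Address Lexical Conventions" slide and the containment question from this slide, implemented by hand in Python so the rules are visible (production code should use the standard library's ipaddress module). The function names are my own; the one rule it states beyond the slides is that "::" may appear only once per address.

```python
# Added example, not from the WildPackets deck: the shortcut rules from slide 4
# and the containment question from slide 9, written out by hand so the rules
# are visible. Production code should use the standard library's ipaddress module.
def expand(addr: str) -> list:
    """Return the eight 16-bit groups of an IPv6 address written as text.
    '::' may appear only once: otherwise the number of zero groups it stands
    for would be ambiguous, which is why the shortcut works at all."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 4 and g.isalnum() for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return [int(g, 16) for g in groups]  # int() rejects non-hex digits

def compress(groups: list) -> str:
    """Canonical text form: lowercase hex, no leading zeros, and only the
    longest run of two or more zero groups collapsed to '::' (RFC 5952)."""
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [1]):  # sentinel closes a trailing run
        if g == 0 and run_start is None:
            run_start = i
        elif g != 0 and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    text = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(text)
    return ":".join(text[:best_start]) + "::" + ":".join(text[best_start + best_len:])

def to_int(addr: str) -> int:
    n = 0
    for g in expand(addr):
        n = (n << 16) | g
    return n

def prefix_contains(outer: str, inner: str) -> bool:
    """True when every address of the inner prefix lies inside the outer one."""
    o_addr, o_len = outer.split("/")
    i_addr, i_len = inner.split("/")
    o_len, i_len = int(o_len), int(i_len)
    if i_len < o_len:  # a shorter prefix is a bigger block, so not contained
        return False
    mask = ((1 << o_len) - 1) << (128 - o_len)
    return (to_int(o_addr) & mask) == (to_int(i_addr) & mask)

def subblocks(prefix_len: int, block_len: int) -> int:
    """Number of /block_len networks inside one /prefix_len, e.g. /64s in fe80::/10."""
    return 1 << (block_len - prefix_len)
```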

Page 10

Address “Magic Numbers”

• Node
  ‒ ::1/128 – localhost
  ‒ ::/0 – default route (like 0.0.0.0/0)
• Local
  ‒ fe80::/10 – Link-local
  ‒ fc00::/7 – ULA
    • Likely deployment: fd00::/8
• Global
  ‒ 2001:db8::/32 – “Example” addresses
  ‒ 2001::/32 – Teredo
  ‒ 2001:678::/29 – Provider-independent (multihomed end-users)
  ‒ 2001:7f8::/29 – Internet Exchange Points (ISP interconnect)

Page 11

IPv4 to IPv6 “Magic Numbers”

• ::ffff:0:0/96 – IPv4-mapped IPv6
  ‒ Server socket-level compliance for application compatibility
  ‒ Can be written ::ffff:a.b.c.d
• ::ffff:0:0:0/96 – Stateless IP/ICMP Translation (SIIT)
  ‒ To allow an IPv6 client to connect to IPv4 hosts
• 64:ff9b::/96 – “Well-Known” Prefix
  ‒ NAT64 address translation, connects an IPv6 island to IPv4
• 2002::/16 – 6to4 (tunneling)
  ‒ To connect IPv6 islands via IPv4
• Over time, these should all go away
  ‒ Dual stack makes all of these unnecessary

Page 12

Address Resolution

Page 13

Resolving Addresses

• ICMPv6 Neighbor Discovery Protocol (NDP)
  ‒ Replaces ARP
  ‒ Runs over IPv6, not directly over DLC/Ethernet
  ‒ Uses link-local addresses
• Neighbor Solicitation
  ‒ Unicast fe80::/10 source (unique to the interface)
  ‒ Link-local multicast destination at both L2 and L3
  ‒ Last 24 bits of the multicast address are the last 24 bits of the target address
    • Allows quick validation on the receiving node: keep/discard
• Neighbor Advertisement
  ‒ Response is unicast-to-unicast

Page 14

NDP in Action

Search for 2001:db8:2::4

• L2 address (MAC)
  ‒ OUI is the IPv6 multicast prefix (33:33:ff)
  ‒ Least significant 24 bits of the target address (00:00:04)
• L3 address – targeted multicast
  ‒ Local-scope IPv6 multicast (ff02)
  ‒ Least significant 48 bits
    • Header is ::1:ff
    • Same least-significant bits (00:00:04)

Implication: IPv6 is optimized to reduce broadcast at both L2 and L3

• Frame is delivered to all nodes in the broadcast domain
• Frame is quickly rejected by the NIC except on the target node
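Added example, not code from the deck: deriving the solicited-node multicast group and its Ethernet MAC from a target address, as the two NDP slides above walk through for 2001:db8:2::4, plus the receiver-side keep/discard check. Only Python's standard library is used; the function names are my own.

```python
# Added example, not from the WildPackets deck: the addresses slides 13 and 14
# describe, derived from the target being resolved. Only the standard library
# is used; the target 2001:db8:2::4 is the slide's own example.
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
IPV6_MCAST_MAC_PREFIX = bytes.fromhex("3333")  # every IPv6 multicast MAC starts 33:33

def solicited_node_address(target: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)

def multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 followed by
    the group's low 32 bits (RFC 2464), so the low 24 bits of the target
    end up in the MAC as well."""
    low32 = int(ipaddress.IPv6Address(group)).to_bytes(16, "big")[-4:]
    return ":".join(f"{b:02x}" for b in IPV6_MCAST_MAC_PREFIX + low32)

def ns_destinations(target: str) -> tuple:
    """(L3 group, L2 MAC) that a Neighbor Solicitation for target is sent to."""
    group = str(solicited_node_address(target))
    return group, multicast_mac(group)

def groups_joined_by(addresses: list) -> list:
    """Every node joins all-nodes plus one solicited-node group per address."""
    groups = {"ff02::1"}
    groups.update(str(solicited_node_address(a)) for a in addresses)
    return sorted(groups)

def nic_keeps_frame(dst_mac: str, joined_groups: list) -> bool:
    """The receiver-side filter from slide 14: a NIC only passes a frame up
    when its destination MAC belongs to a multicast group the node joined."""
    accepted = {multicast_mac(g) for g in joined_groups}
    return dst_mac.lower() in accepted
```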

Page 15

Getting an Address

• Static
  ‒ All parameters configured by hand
• Dynamic
  ‒ Node bootstrap includes Router Discovery
  ‒ Similar to Neighbor Discovery
  ‒ Destination is the link-local “all routers” address
  ‒ Router Advertisement includes flags to use either:
    • Stateless Address Autoconfiguration (SLAAC)
    • DHCPv6

Page 16

SLAAC

• Network info from Router
• Node portion of address
  ‒ Use the MAC, insert “ff:fe” in the middle
  ‒ Alternatively use Privacy Extensions
    • Pseudo-random instead of extended MAC
• Implications
  ‒ Track IPv6 nodes by MAC
    • Good for network management, bad for privacy
  ‒ Addresses distributed nearly randomly in the subnet
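Added example, not code from the deck: building the SLAAC interface identifier from a MAC and recovering the MAC from such an address, which is the tracking implication the slide raises. Besides inserting ff:fe, the modified EUI-64 procedure also flips the universal/local bit of the first octet, which the slide does not mention; the prefix and MAC values used are constructed.

```python
# Added example, not from the WildPackets deck: the SLAAC interface identifier
# derived from a MAC (modified EUI-64). Besides inserting ff:fe, RFC 4291 also
# flips the universal/local bit (bit 0x02 of the first octet), which the slide
# omits. The reverse function shows why such addresses track the hardware.
import ipaddress
from typing import Optional

def eui64_interface_id(mac: str) -> bytes:
    """64-bit interface identifier from a 48-bit MAC written as hex octets."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # split, insert ff:fe
    iid[0] ^= 0x02                                          # flip the U/L bit
    return bytes(iid)

def slaac_address(prefix: str, mac: str) -> str:
    """Combine the /64 prefix from a Router Advertisement with the MAC-derived ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the interface ID looks EUI-64 derived, else None.
    Privacy-extension addresses carry no ff:fe marker in the middle, so this
    check is also a rough way to tell the two kinds apart in an inventory."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the U/L flip
    return ":".join(f"{b:02x}" for b in octets)
```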

Page 17

DHCPv6

• Controlled by Router Advertisement flags
  ‒ Managed Address flag – get address from DHCPv6
  ‒ Other Stateful Config flag
    • Generate address using SLAAC
    • Get other configs from DHCPv6
• Similar to DHCP in IPv4
• Multicast addresses for DHCPv6
  ‒ ff02::1:2 – all DHCP relay agents and servers (link-local scope)
  ‒ ff05::1:3 – all DHCP servers (site-local scope)
• Implications
  ‒ Managed IPv6 addresses
  ‒ Potential point of failure

Page 18

IPv6 Issues

Page 19

Implementation Issues

• Two address scopes

• Packet size issues

• DNS

• Global routing

Page 20

Two Address Scopes

• Every interface on a node has at least 2 addresses
  ‒ Link-local (fe80::)
  ‒ Unicast
• Data uses the unicast address
  ‒ Just like an IPv4 address
• Network administrative protocols may use link-local
  ‒ NDP
  ‒ DHCPv6
  ‒ Sometimes other ICMPv6

Page 21

What’s Going On Here?

How many data frames are there? What protocol?
What’s going on in packets 2-3? 4-5? 8-9?

NDP for 2001:db8:2::4, ::253, and ::253 again
3 data frames: 1, 6, 10. HTTP.

Page 22

Tracking What’s Going On

Use Horizontal Split to show Nodes on the left, Packets on the right

Page 23

Packet Size

• Minimum MTU raised from 576 to 1280
  ‒ Not a problem for anything modern
• Longer header, less room for data
  ‒ IPv6 header 20+ bytes longer than IPv4
  ‒ TCP MSS reduced by 20 bytes
  ‒ Some applications may be hard-coded to 1460
• No router fragmentation allowed in IPv6
  ‒ Node must fragment its own datagrams
• Overhead in transit = oversized packet
  ‒ MPLS and similar OK: internal to the network, use Jumbo frames
  ‒ IPsec across the Internet: no Jumbos allowed
  ‒ Oversized packets will be discarded

Page 24

Packet Size – How to Fix

• Path MTU Discovery
  ‒ Inline during transmission
• MTU violation reported by ICMPv6
  ‒ “Packet Too Big” from the router, e.g. VPN ingress
• ICMPv6 MUST be allowed
  ‒ ICMP in IPv4 is sometimes blocked for security reasons
  ‒ Blocking ICMPv6 will cause black holes in IPv6
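Added example, not code from the deck: the sending host's side of Path MTU Discovery in Python, parsing an ICMPv6 Packet Too Big message and lowering a per-destination path MTU that never drops below the 1280-byte IPv6 minimum. The message bytes are constructed here rather than captured, and the class and function names are my own.

```python
# Added example, not from the WildPackets deck: the sending host's side of Path
# MTU Discovery. Parses an ICMPv6 "Packet Too Big" message (type 2, code 0) and
# lowers a per-destination path MTU, never below the IPv6 minimum of 1280.
# The sample message bytes are constructed here, not captured.
import ipaddress
import struct

IPV6_MIN_MTU = 1280
ICMPV6_PACKET_TOO_BIG = 2

def parse_packet_too_big(icmp: bytes) -> tuple:
    """Return (original destination, advertised MTU) from a PTB message.
    Layout: type(1) code(1) checksum(2) MTU(4), followed by as much of the
    offending packet as fits; its IPv6 header carries the destination."""
    if len(icmp) < 8 + 40:
        raise ValueError("truncated ICMPv6 message")
    mtype, code, _csum, mtu = struct.unpack("!BBHI", icmp[:8])
    if mtype != ICMPV6_PACKET_TOO_BIG or code != 0:
        raise ValueError(f"not a Packet Too Big message (type {mtype}, code {code})")
    inner = icmp[8:]
    if inner[0] >> 4 != 6:
        raise ValueError("invoking packet is not IPv6")
    return str(ipaddress.IPv6Address(inner[24:40])), mtu

class PathMtuTable:
    """Per-destination path MTU estimate, starting at the first-hop link MTU."""
    def __init__(self, link_mtu: int = 1500):
        self.link_mtu = link_mtu
        self.pmtu = {}

    def mtu_for(self, dst: str) -> int:
        return self.pmtu.get(dst, self.link_mtu)

    def on_packet_too_big(self, icmp: bytes) -> int:
        """Apply a PTB message and return the new path MTU for its destination."""
        dst, mtu = parse_packet_too_big(icmp)
        # a bogus or spoofed PTB can neither push the estimate below the IPv6
        # minimum nor raise it; only a value smaller than the current one counts
        mtu = max(mtu, IPV6_MIN_MTU)
        self.pmtu[dst] = min(self.mtu_for(dst), mtu)
        return self.pmtu[dst]

    def tcp_mss(self, dst: str) -> int:
        """MSS = path MTU minus the 40-byte IPv6 header and 20-byte TCP header."""
        return self.mtu_for(dst) - 40 - 20

def packet_too_big_message(dst: str, mtu: int) -> bytes:
    """Construct a PTB sample (checksum left zero) whose invoking packet is a
    minimal IPv6 header addressed to dst; used here in place of a capture."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64) + src + ipaddress.IPv6Address(dst).packed
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + inner
```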

Page 25

DNS

• Same protocol, new record type: AAAA
  ‒ Can resolve IPv6 addresses over IPv4
  ‒ Default behavior on Windows: DNS over IPv4, even for AAAA
• Host-driven choice:
  ‒ Explicit resolution of IPv4 A or IPv6 AAAA
  ‒ Multiple packets each way
• Server-driven choice:
  ‒ Single generic query from client
  ‒ DNS responses vary by implementation
  ‒ Google does reverse lookup on client
  ‒ Many DNS servers return both A and AAAA
• Single query, dual response most common

Page 26

Routing

• BGP tables are huge on IPv4, what about IPv6?
• Solution: aggregation via allocation
  ‒ Fully hierarchical
    • IANA (global) -> RIR (regional) -> LIR (local)
    • LIR can be an ISP, university, large company, etc.
    • Allows much better aggregation
  ‒ Special allocation for small multihomed blocks
    • 2001:678::/29
    • Minimum allocation /48
• Hardware-based forwarding
  ‒ Anecdotal evidence that IPv6 is slow on current equipment
  ‒ Future devices will be optimized for IPv6, not IPv4
  ‒ IPv6: no header checksum, no router fragmentation -> faster routing

Page 27

Interoperability Issues

• Network versus Application

• 6-4 fallback

Page 28

Network versus Application

• Different protocols
  ‒ IPv4 and IPv6 don’t interact on the wire
  ‒ Lots of transition mechanisms
    • Unclear whether they will ever be used
• Applications may have issues
  ‒ Socket-level APIs “should” be compatible
  ‒ Greatest challenges:
    • Legacy applications
    • Custom / homegrown applications
• Solution: keep using IPv4 for incompatible apps
  ‒ Enabling IPv6 doesn’t disable IPv4

Page 29

6-4 Fallback

• Most visible IPv6 issue when using the Web!
• Primary issue: 6 or 4?
  ‒ DNS AAAA or A record?
  ‒ Old method: try IPv6 first, wait for timeout
    • Windows: 20s. MacOS: 75s. Linux: 75-180s.
• Impact on the Web
  ‒ Web pages cross-link locations (average of 8 sites/page!)
  ‒ Will IPv6 pages contain IPv4 content?
    • Pages already load slowly; add MULTIPLE 20s+ delays…
• Great research
  ‒ Geoff Huston at APNIC, “Bemused Eyeballs”
  ‒ Prior research from NTT, presented at NANOG39, 2007

Page 30

6-4 Fallback Solution

• “Happy Eyeballs” – dual stack, fastest first
  ‒ Proposed by Dan Wing and Andrew Yourtchenko at Cisco
  ‒ Resolve both IPv4 and IPv6 addresses
  ‒ TCP SYN connect to both at once
  ‒ Use the first to connect, RST the other socket
• Solution: switch browsers!
  ‒ Chrome: 300ms (aggressive IPv6 timeout)
  ‒ Firefox: instant (Happy Eyeballs)
  ‒ Safari on MacOS: 270ms (aggressive RTT-based timer)
• Potential work-arounds on enterprise networks
  ‒ Local DNS server tweaks – but probably insufficient
  ‒ Gateway proxy – but maybe not fast enough

Page 31

Security Issues

• Addresses

• Enforcement

Page 32

IPv6 Address Security Issues

• All routable addresses are global
  ‒ Can we feel safe without NAT?
  ‒ Remember: NAT is a security placebo (with side-effects)
• Address spacing
  ‒ 64 bits dedicated to host = 18 x 10^18 nodes per network
    • “Impossible” to scan that range, but can nodes “hide”?
  ‒ Enterprise network management
    • Cross-layer view: MAC, IP/IPv6, name, etc.
    • Even “stealth” hosts must use switches
• Secure Neighbor Discovery (SEND)
  ‒ Uses public/private keys to validate ND (“ARPv6”)
  ‒ Doesn’t need PKI, but no standard method to list public keys

Page 33

IPv6 Security Enforcement Issues

• DPI / layer-7 application security scanning
  ‒ IPv6 header differs from IPv4
  ‒ IPv6 header is longer than IPv4
    • Changes the offset for upper layers
    • Biggest impact on hardware-based devices
  ‒ Transition and interoperability issues
    • Multiple different tunnel standards
    • Multiple different translation standards
• Teredo – IPv6 over IPv4 with NAT traversal
  ‒ Node gets an IPv6 address directly on the Internet
  ‒ Bypasses network firewall controls
• There have already been IPv6 DoS attacks
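Added example, not code from the deck: a Python walk of the IPv6 extension header chain to find where the transport header actually begins, which is the offset problem the slide raises for inspection devices that assume a fixed header length; it also handles the non-first-fragment case, where no transport header is present at all. The packets are constructed inline and the function names are my own.

```python
# Added example, not from the WildPackets deck: why the fixed header offsets an
# IPv4-era inspection engine relies on break on IPv6. The upper-layer header
# is found only by walking the extension header chain. Sample packets are
# constructed inline; addresses are left as zeros since only offsets matter.
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 60, 59
TCP, UDP = 6, 17
# these carry a length field counting 8-byte units beyond the first eight bytes
VARIABLE_LENGTH = {HOP_BY_HOP, ROUTING, DEST_OPTS}

def find_transport_header(pkt: bytes):
    """Return (protocol number, byte offset) of the upper-layer header, or
    (protocol, None) when no transport header is present in this packet
    (a non-first fragment, or a chain ending in No Next Header)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = pkt[6], 40  # the IPv6 base header is always 40 bytes
    while True:
        if next_hdr == NO_NEXT_HEADER:
            return next_hdr, None
        if next_hdr not in VARIABLE_LENGTH and next_hdr != FRAGMENT:
            return next_hdr, offset  # TCP, UDP, ICMPv6, ...
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if next_hdr == FRAGMENT:
            next_hdr = pkt[offset]
            frag_field = struct.unpack("!H", pkt[offset + 2:offset + 4])[0]
            offset += 8  # the fragment header is a fixed 8 bytes
            if frag_field >> 3:  # offset != 0: transport header is in the first fragment
                return next_hdr, None
        else:
            next_hdr, ext_len = pkt[offset], pkt[offset + 1]
            offset += (ext_len + 1) * 8

def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 base header (zero addresses) in front of the given chain."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload

def ext_header(next_header: int, units: int) -> bytes:
    """Hop-by-Hop / Destination Options header of (units + 1) * 8 bytes, zero-padded."""
    return bytes([next_header, units]) + bytes((units + 1) * 8 - 2)

def fragment_header(next_header: int, frag_offset: int, more: bool) -> bytes:
    return bytes([next_header, 0]) + struct.pack("!HI", (frag_offset << 3) | int(more), 1)
```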

Page 34

Company Overview

Page 35

Corporate Background

• Experts in network monitoring, analysis, and troubleshooting
  ‒ Founded: 1990 / Headquarters: Walnut Creek, CA
  ‒ Offices throughout the US, EMEA, and APAC
• Our customers are leading-edge organizations
  ‒ Mid-market and enterprise lines of business
  ‒ Financial, manufacturing, ISPs, major federal agencies, state and local governments, and universities
  ‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000
• Award-winning solutions that improve network performance
  ‒ Internet Telephony, Network Magazine, Network Computing Awards
  ‒ United States Patent 5,787,253 issued July 28, 1998
    • Different approach to maintaining availability of network services

Page 36

Real-World Deployments

Education

Health Care / Retail

Financial

Telecom

Government

Technology

Page 37

Product Line Overview

Page 38

OmniPeek/Compass Enterprise Packet Capture, Decode and Analysis

• 10/100/1000 Ethernet, Wireless, WAN, 10G

• Portable capture and OmniEngine console

• VoIP analysis and call playback

Omnipliance / TimeLine Distributed Enterprise Network Forensics

• Packet capture and real-time analysis

• Stream-to-disk for forensics analysis

• Integrated OmniAdapter network analysis cards

WatchPoint Centralized Enterprise Network Monitoring Appliance

• Aggregation and graphical display of network data

• WildPackets OmniEngines

• NetFlow and sFlow

Page 39

OmniPeek Network Analyzer

• OmniEngine Manager

– Connect and configure distributed OmniEngines/Omnipliances

• Comprehensive dashboards present network traffic in real-time

– Vital statistics and graphs display trends on network and application performance

– Visual peer-map shows conversations and protocols

– Intuitive drill-down for root-cause analysis of performance bottlenecks

• Visual Expert diagnosis speeds problem resolution

– Packet and Payload visualizers provide business-centric views

• Automated analytics and problem detection 24/7

– Easily create filters, triggers, scripting, advanced alarms and alerts

Page 40

Omnipliance Network Recorders

• Captures and analyzes all network traffic 24x7

– Runs our OmniEngine software probe

– Generates vital statistics on network and application performance

– Intuitive root-cause analysis of performance bottlenecks

• Expert analysis speeds problem resolution

– Fault analysis, statistical analysis, and independent notification

• Multiple Issue Digital Forensics

– Real-time and post capture data mining for compliance and troubleshooting

• Intelligent data transport

– Network data analyzed locally

– Detailed analysis passed to OmniPeek on demand

– Summary statistics sent to WatchPoint for long term trending and reporting

– Efficient use of network bandwidth

• User-Extensible Platform

– Plug-in architecture and SDK

Page 41

Omnipliance Network Recorders – Price/performance solutions for every application

• Portable
  ‒ Ruggedized, troubleshooting
  ‒ Aluminum chassis / 17” LCD
  ‒ Quad-Core Xeon 2.5GHz
  ‒ 4GB RAM
  ‒ 2 PCI-E slots
  ‒ 2 built-in Ethernet ports
  ‒ 500GB and 2.5TB SATA storage capacity
• Edge
  ‒ Small networks, remote offices
  ‒ 1U rack mountable chassis
  ‒ Quad-Core Intel Xeon X3460 2.80GHz
  ‒ 4GB RAM
  ‒ 2 PCI-E slots
  ‒ 2 built-in Ethernet ports
  ‒ 1TB SATA storage capacity
• Core
  ‒ Datacenter workhorse, easily expandable
  ‒ 3U rack mountable chassis
  ‒ Two Quad-Core Intel Xeon E5530 2.4GHz
  ‒ 6GB RAM
  ‒ 4 PCI-E slots
  ‒ 2 built-in Ethernet ports
  ‒ 2TB SATA storage capacity

Page 42

TimeLine

• Fastest network recording and real-time statistical display, simultaneously
  ‒ 11.7Gbps sustained capture with zero packet loss
  ‒ Network statistics display in TimeLine visualization format
• Rapid, intuitive forensics search and retrieval
  ‒ Historical network traffic analysis and quick data rewinding
  ‒ Several pre-defined forensics search templates make searches easy and fast
• A natural extension to the WildPackets product line
• Turnkey bundled solution
  ‒ Appliance + OmniEngine, OmniAdapter, OmniPeek Connect

Page 43

TimeLine – For the most demanding network analysis tasks

• 10G network forensics
• 3U rack mountable chassis
• Two Quad-Core Intel Xeon 5560 2.8GHz
• 18GB RAM
• 4 PCI-E slots
• 2 built-in Ethernet ports
• 8/16/32TB SATA storage capacity

Page 44

WatchPoint – Centralized Monitoring for Distributed Enterprise Networks

• High-level, aggregated view of all network segments
  – Monitor per campus, per region, per country
• Wide range of network data
  – NetFlow, sFlow, OmniFlow
• Web-based, customizable network dashboards
• Flexible detailed reports
• Omnipliances must be configured for continuous capture

Page 45

WildPackets Key Differentiators

• Visual Expert Intelligence with Intuitive Drill-down

– Let computer do the hard work, and return results, real-time

– Packet / Payload Visualizers are faster than packet-per-packet diagnostics

– Experts and analytics can be memorized and automated

• Automated Capture Analytics

– Filters, triggers, scripting and advanced alarming system combine to provide automated network problem detection 24x7

• Multiple Issue Network Forensics

– Can be tracked by one or more people simultaneously

– Real-time or post capture

• User-Extensible Platform

– Plug-in architecture and SDK

• Aggregated Network Views and Reporting

– NetFlow, sFlow, and OmniFlow

Page 46

Q&A


Follow us on SlideShare! Check out today’s slides on SlideShare

www.slideshare.net/wildpackets

Page 47

Thank You!

WildPackets, Inc.

1340 Treat Boulevard, Suite 500

Walnut Creek, CA 94597

(925) 937-3200

