1 © 2012 Cisco and/or its affiliates. All rights reserved. IPv6 WiFi Experiences Andrew Yourtchenko Technical Leader [email protected] Presented at PLNOG 2012

IPv6 WiFi Experiences


Real-world IPv6 WiFi scenarios presented at PLNOG 2012. In addition, information is included around why IPv6 is important and the top drivers for Enterprises to deploy it.


Page 1: IPv6 WiFi Experiences


Page 2: IPv6 WiFi Experiences


IPv6 deployment

Page 3: IPv6 WiFi Experiences


Page 4: IPv6 WiFi Experiences


6lab.cisco.com/stats (chart: IPv6 deployment measured for Internet Transit, Content and Users)

Page 5: IPv6 WiFi Experiences


(diagram: CGN, IPv4, IPv6)

Page 6: IPv6 WiFi Experiences


(charts over 2011 / 2013 / 2015: "CGN Only" versus "6rd + CGN")

Page 7: IPv6 WiFi Experiences


Page 8: IPv6 WiFi Experiences



Your Phone has it!

Page 9: IPv6 WiFi Experiences


Practice: IPv6 devices on wireless

Page 10: IPv6 WiFi Experiences


Page 11: IPv6 WiFi Experiences


Page 12: IPv6 WiFi Experiences


Dualstack-capable: 47.5% -> 77.5%
IPv6-using: 80.6% -> 87.3%

Page 13: IPv6 WiFi Experiences


With this level of support in the clients, you cannot ignore IPv6 even if you do not provide it.

Page 14: IPv6 WiFi Experiences


Page 15: IPv6 WiFi Experiences


Node A sending off-link traffic to C

•  Attacker tricks the victim into accepting him as default router
•  Based on rogue Router Advertisements
•  The most frequent threat, usually caused by a non-malicious user

Diagram (A = victim, B = access router, C = attacker):
  RA from C: Src = C's link-local address, Dst = All-nodes, Data = router lifetime, autoconfig flag, Options = subnet prefix, SLLA
  RA with Src = B's link-local address, Dst = All-nodes, Data = router lifetime = 0

Page 16: IPv6 WiFi Experiences


•  Attacker spoofs a Router Advertisement with a false on-link prefix
•  Victim generates an IP address with this prefix
•  Access router drops outgoing packets from the victim (ingress filtering)
•  Incoming packets can't reach the victim

Node A sourcing off-link traffic to B with BAD::A

Diagram (A = victim, B = access router, C = attacker):
  RA: Src = B's link-local address, Dst = All-nodes, Options = prefix BAD, preferred lifetime
  A computes BAD::A and runs DAD on it
  B filters out BAD::A
  RA: Src = B's link-local address, Dst = All-nodes, Options = prefix X, preferred lifetime = 0
  A deprecates X::A

Page 17: IPv6 WiFi Experiences


•  Attacker can claim the victim's IP address

Diagram (A = victim, C = attacker):
  NS from A: Dst = solicited-node multicast address of B, Query = what is B's link-layer address?
  NA from C: Src = B or any of C's interface addresses, Dst = A, Data = B, Option = link-layer address of C

Page 18: IPv6 WiFi Experiences


•  Attacker hijacks any of the victim's DAD attempts
•  Victim can't configure an IP address and can't communicate

Diagram (A = victim, C = attacker):
  NS from A: Src = UNSPEC, Dst = solicited-node multicast address of A, Data = A, Query = does anybody use A already?
  NA from C: Src = any of C's interface addresses, Dst = A, Data = A, Option = link-layer address of C ("it's mine!")

Page 19: IPv6 WiFi Experiences


Diagram: IPv6 over 802.11 on the client side, CAPWAP tunnel from the access point to the controller, Ethernet / IPv6 VLAN on the wired side.

  Router Advertisement Guard: RA from a client dropped at the access point (Local and FlexConnect modes)
  IPv6 Source Guard: packets with undesired IPv6 addresses/prefix dropped at the controller
  DHCPv6 Server Guard: DHCPv6 Advertisement blocked at the controller
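The rogue-RA cases on the preceding slides are what the Router Advertisement Guard function above is for. The Python below is an added example (not Cisco code and not from the slides) that parses an ICMPv6 Router Advertisement and applies a guard policy in the same spirit: anything arriving on a client port is dropped outright, and RAs from the uplink are checked against an assumed list of legitimate router addresses and advertised prefixes. The packet bytes, the router list and the prefix are constructed for the demo; the ICMPv6 checksum is left at zero because the pseudo-header needed to compute it is not part of the snippet.

```python
"""Parser and drop-policy for ICMPv6 Router Advertisements, modelling the
RA Guard rule on the slide (RA from a client is dropped at the access
point; RA from the uplink is checked against expected routers/prefixes).

Added example, not Cisco code. Packet bytes and policy values are
constructed for the demo; the checksum field is left at zero.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3


@dataclass
class RouterAdvertisement:
    src: ipaddress.IPv6Address
    router_lifetime: int                    # seconds; 0 = "I am not a default router"
    prefixes: List[Tuple[ipaddress.IPv6Network, int, int]] = field(default_factory=list)
    slla: Optional[bytes] = None            # Source Link-Layer Address option


def build_ra(router_lifetime: int, prefix: Optional[str] = None,
             preferred: int = 604800, valid: int = 2592000,
             slla: Optional[bytes] = None) -> bytes:
    """Construct the ICMPv6 payload of an RA (RFC 4861 section 4.2) for the demo."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    opts = b""
    if prefix is not None:
        net = ipaddress.IPv6Network(prefix)
        # Prefix Information option with the L (on-link) and A (autonomous) flags set
        opts += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                            valid, preferred, 0, net.network_address.packed)
    if slla is not None:
        opts += struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1, slla)
    return hdr + opts


def parse_ra(src: str, icmp: bytes) -> RouterAdvertisement:
    """Parse an RA and its Prefix Information / Source Link-Layer Address options."""
    if len(icmp) < 16:
        raise ValueError("RA too short")
    typ, code, _csum, _hop, _flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", icmp[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(ipaddress.IPv6Address(src), lifetime)
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:                       # RFC 4861: zero-length option => discard packet
            raise ValueError("zero-length ND option")
        body = icmp[off:off + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, _pflags, valid, preferred, _res, raw = struct.unpack("!BBIII16s", body[2:32])
            ra.prefixes.append((ipaddress.IPv6Network((raw, plen), strict=False), preferred, valid))
        elif otype == OPT_SOURCE_LLADDR:
            ra.slla = body[2:8]
        off += olen * 8
    return ra


@dataclass
class RaGuardPolicy:
    routers: Set[ipaddress.IPv6Address]     # link-local addresses of the legitimate routers
    prefixes: Set[ipaddress.IPv6Network]    # prefixes they are allowed to advertise


def ra_guard(policy: RaGuardPolicy, ra: RouterAdvertisement, ingress: str) -> List[str]:
    """Return the reasons to drop the RA; an empty list means it is forwarded."""
    if ingress == "client":
        # The slide's rule: wireless clients never get to advertise routers,
        # whatever the packet says (this also covers the lifetime=0 trick).
        return ["RA received on a client port"]
    reasons = []
    if not ra.src.is_link_local:
        reasons.append("RA source is not link-local")
    if ra.src not in policy.routers:
        reasons.append(f"RA from unexpected source {ra.src}")
    for net, preferred, valid in ra.prefixes:
        if net not in policy.prefixes:
            reasons.append(f"unexpected prefix {net}")
        if preferred > valid:
            reasons.append(f"preferred lifetime exceeds valid lifetime for {net}")
    return reasons


# Constructed policy: one access router, one on-link prefix.
POLICY = RaGuardPolicy(routers={ipaddress.IPv6Address("fe80::1")},
                       prefixes={ipaddress.IPv6Network("2001:db8:1::/64")})
```

The port-role check comes first on purpose: source addresses in an RA can be forged, so the only reliable signal the access point has is where the frame came from, which is exactly why the slide drops client-originated RAs at the AP rather than inspecting them.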

Page 20: IPv6 WiFi Experiences


•  Support for many IPv6 addresses per client is necessary because:
   Clients can have multiple address types per interface
   Clients can be assigned addresses via multiple methods such as SLAAC and DHCPv6
   Most clients automatically generate a temporary address in addition to assigned addresses.

Up to 8 IPv6 addresses are tracked per client.

Page 21: IPv6 WiFi Experiences


•  You want them (address/prefix lifetimes) as short as possible: only 8 slots in the table, a new address on each re-association, IPv6 blackhole if not short enough
•  You want them as long as possible: less ND chatter, more temporary address stability

Page 22: IPv6 WiFi Experiences


Factors to balance (diagram): FHS binding table size (8), FHS timeouts, prefix lifetimes, SSID reconnection (volatility), device wakeups. Goals: avoid blackholing versus ND chatter and address stability.

Page 23: IPv6 WiFi Experiences


•  Experimental value for a conference environment: ~30 minutes => 30-minute prefix lifetime. Works, but very, very chatty
•  FHS binding table management logic changes to accommodate the clients' behavior (7.3 should have these changes)
•  With 7.2: use stateful DHCPv6
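A toy simulation of the trade-off just described, added here as an example (it is not Cisco's binding-table logic): 8 bindings per client, one entry per address living as long as the configured lifetime, and a client that forms a fresh temporary address on every re-association. The 5-minute re-association interval, the two stable addresses (link-local plus one SLAAC address) and the address strings are constructed assumptions.

```python
"""Toy model of the per-client IPv6 binding table from the slides: 8 slots
per client, one per address, each entry living for the configured
lifetime. A client that forms a fresh temporary address on every
re-association fills its slots; once they are full, the newest address
is not tracked and its traffic is dropped (blackholed).

Added example, not Cisco's binding-table logic. Assumptions: the client
keeps a link-local and one stable SLAAC address, refreshed on every
association, and gets one new temporary address per association.
"""
from dataclasses import dataclass
from typing import Dict

SLOTS = 8            # "up to 8 IPv6 addresses are tracked per client"


@dataclass
class Binding:
    addr: str
    expires_at: int  # minutes since start of the simulation


class BindingTable:
    def __init__(self, slots: int = SLOTS):
        self.slots = slots
        self.entries: Dict[str, Binding] = {}

    def expire(self, now: int) -> None:
        """Drop bindings whose lifetime (the FHS timeout) has run out."""
        self.entries = {a: b for a, b in self.entries.items() if b.expires_at > now}

    def learn(self, addr: str, now: int, lifetime: int) -> bool:
        """Create or refresh a binding. False = no free slot: the address stays
        unknown to the controller and its packets are dropped."""
        self.expire(now)
        if addr in self.entries:
            self.entries[addr].expires_at = now + lifetime
            return True
        if len(self.entries) >= self.slots:
            return False
        self.entries[addr] = Binding(addr, now + lifetime)
        return True


def simulate(reassoc_interval: int, lifetime: int, associations: int,
             slots: int = SLOTS) -> int:
    """Count the associations whose new temporary address could not be
    tracked, for a client re-associating every `reassoc_interval` minutes
    against bindings that live `lifetime` minutes."""
    table = BindingTable(slots)
    blackholed = 0
    for n in range(associations):
        now = n * reassoc_interval
        table.learn("fe80::1", now, lifetime)                  # stable link-local (constructed)
        table.learn("2001:db8::1", now, lifetime)              # stable SLAAC address (constructed)
        if not table.learn(f"2001:db8::t{n}", now, lifetime):  # fresh temporary address
            blackholed += 1
    return blackholed


def fits(reassoc_interval: int, lifetime: int, stable: int = 2,
         slots: int = SLOTS) -> bool:
    """Closed form of the same question: the number of temporaries alive at
    once is ceil(lifetime / reassoc_interval), and they must fit beside the
    stable addresses in the available slots."""
    alive = -(-lifetime // reassoc_interval)   # ceiling division
    return stable + alive <= slots


if __name__ == "__main__":
    for life in (30, 60):
        print(f"lifetime {life} min, re-association every 5 min: "
              f"{simulate(5, life, 20)} blackholed associations, fits={fits(5, life)}")
```

With the slide's 30-minute lifetime and a client that re-associates every 5 minutes the 8 slots are exactly enough; doubling the lifetime to 60 minutes makes the table overflow and later associations start to be blackholed, which is the "short enough" constraint of the previous slide.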

Page 24: IPv6 WiFi Experiences


Meanwhile, you need to continue to provide IPv4 as well…

Page 25: IPv6 WiFi Experiences


Diagram (dual-stack client fetching a page):
  Type "example.com" and press Enter
  GET / HTTP/1.1, Host: example.com
  A? "example.com" -> connect 192.0.43.10
  AAAA? "example.com" -> connect 2001:500:88:200::10

Page 26: IPv6 WiFi Experiences


Can we go IPv6-only ?

Page 27: IPv6 WiFi Experiences


(diagram: IPv6-only clients -- IPv6 -- Stateful NAT64 (6:4 / 4:6) -- IPv4 -- dualstack + IPv4 servers)

Page 28: IPv6 WiFi Experiences


(diagram: IPv6 Internet -- Stateful NAT64 (6:4 / 4:6) -- IPv4 Internet)

Stateful NAT64 allows hosts on the IPv6 network to connect to the IPv4 network by dedicating an IPv6 prefix that represents the translated IPv4 Internet. This allows a twofold use:
- IPv6-enable the internal IPv4-only services
- allow an internal IPv6-only network to talk to the IPv4 Internet

Page 29: IPv6 WiFi Experiences


Diagram: IPv6-only client on the IPv6 Internet, IPv4-only server 72.163.4.161 on the IPv4 side, stateful NAT64 router with Gig0/0/1 facing IPv6 and Gig0/0/0 facing IPv4.

1. (IPv6 side, Gig0/0/1) s: [2607:f128:42:73::2]:37897, d: [2610:d0:1208:cafe::72.163.4.161]:80
2. Translation entry on the router:
   asr1knat64-xtr#sh nat64 trans tcp 72.163.4.161:80 [2610:d0:1208:cafe::48a3:4a1]:80 153.16.17.82:1056 [2607:f128:42:73::2]:37897
3. (IPv4 side, Gig0/0/0) s: 153.17.16.82:1056, d: 72.163.4.161:80
4. s: 72.163.4.161:80, d: 153.17.16.82:1056
5. s: [2610:d0:1208:cafe::72.163.4.161]:80, d: [2607:f128:42:73::2]:37897

Page 30: IPv6 WiFi Experiences


DNS64

DNS64 creates a synthetic AAAA record for a host from its A record when no real AAAA record exists in DNS. This automatically directs IPv6-only clients to the correct address within the NAT64 prefix. The function is provided by BIND since 9.8.0; CNR's DNS server can also be used to perform the same function.

Diagram (host has a real AAAA record): client -> DNS64 -> authoritative nameserver for example.com
  0. Prefix: 2610:d0:1208:cafe::1/96
  1. AAAA? example.com (client to DNS64)
  2. AAAA? example.com (DNS64 to the authoritative server; (*) DNS hierarchy traversal omitted for brevity)
  3. AAAA = 2001:500:88:200::1
  4. AAAA = 2001:500:88:200::1 (returned to the client unchanged)

Page 31: IPv6 WiFi Experiences


Diagram (host has only an A record): client -> DNS64 -> authoritative nameserver for example.com
  0. Prefix: 2610:d0:1208:cafe::1/96
  1. AAAA? example.com (client to DNS64)
  2. AAAA? example.com (DNS64 to the authoritative server)
  3. No (no AAAA record exists)
  4. A? example.com
  5. A = 192.0.43.10
  6. AAAA = 2610:d0:1208:cafe::192.0.43.10 (synthesized from the A record and the NAT64 prefix)
  7. Synthesized AAAA returned to the client
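The address the NAT64 slides write as 2610:d0:1208:cafe::72.163.4.161 (the show output spells it ::48a3:4a1) is an RFC 6052 IPv4-embedded IPv6 address, and the DNS64 answer in the second diagram is the same construction applied to an A record. The Python below is an added example, not the router's or BIND's code, that builds and reverses that mapping; it goes beyond the slides in handling all six RFC 6052 prefix lengths rather than only the /96 used here, and applies the DNS64 rule to a record set that is constructed for the demo.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses (what the stateful NAT64 on the
slides translates between) and the DNS64 rule: real AAAA records win,
otherwise one AAAA is synthesized per A record inside the NAT64 prefix.

Added example, not the router's or BIND's code. The NAT64 prefix and the
addresses come from the slides; the record sets are constructed.
"""
import ipaddress
from typing import Dict, List

NAT64_PREFIX = ipaddress.IPv6Network("2610:d0:1208:cafe::/96")   # from the slides


def embed_ipv4(prefix, v4: str) -> ipaddress.IPv6Address:
    """Place the IPv4 address into the prefix per RFC 6052 section 2.2: for /96
    it is simply the last 32 bits; for shorter prefixes octet 8 (the 'u' bits)
    must stay zero, so the four IPv4 octets are written around it."""
    prefix = ipaddress.IPv6Network(prefix)
    plen = prefix.prefixlen
    if plen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 prefix length must be 32, 40, 48, 56, 64 or 96")
    out = bytearray(prefix.network_address.packed)
    pos = plen // 8
    for octet in ipaddress.IPv4Address(v4).packed:
        if pos == 8:          # skip the reserved 'u' octet
            pos = 9
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix, v6: str) -> ipaddress.IPv4Address:
    """Inverse of embed_ipv4: recover the IPv4 address from a translated IPv6 one."""
    prefix = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside NAT64 prefix {prefix}")
    raw = addr.packed
    positions = [i for i in range(prefix.prefixlen // 8, 16) if i != 8][:4]
    return ipaddress.IPv4Address(bytes(raw[i] for i in positions))


def dns64_answer(name: str, aaaa: Dict[str, List[str]], a: Dict[str, List[str]],
                 prefix=NAT64_PREFIX) -> List[ipaddress.IPv6Address]:
    """AAAA answer as DNS64 would build it: the real AAAA records if the name
    has any, otherwise synthetic ones derived from its A records."""
    real = aaaa.get(name, [])
    if real:
        return [ipaddress.IPv6Address(r) for r in real]
    return [embed_ipv4(prefix, v4) for v4 in a.get(name, [])]


# Constructed zone data mirroring the two slide scenarios: example.com has a
# real AAAA record; v4only.example.com (made up) has only an A record.
AAAA_RECORDS = {"example.com": ["2001:500:88:200::1"]}
A_RECORDS = {"example.com": ["192.0.43.10"], "v4only.example.com": ["192.0.43.10"]}

if __name__ == "__main__":
    print(embed_ipv4(NAT64_PREFIX, "72.163.4.161"))     # 2610:d0:1208:cafe::48a3:4a1
    print(dns64_answer("v4only.example.com", AAAA_RECORDS, A_RECORDS))
```

The round trip through extract_ipv4 is what the translator does with the destination of every outbound packet (step 1 to step 3 in the packet walk above); the only state it needs beyond that is the IPv4 source port mapping shown in the show output.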

Page 32: IPv6 WiFi Experiences


(diagram: IPv6 hosts -- Gig0/0/1 -- Stateful NAT64 (6:4 / 4:6) -- Gig0/0/0 -- IPv4 hosts)

Router configuration:
  nat64 prefix stateful 2610:d0:1208:cafe::/96
  nat64 v4 pool NAT64GLOBAL 153.16.17.82 153.16.17.82
  nat64 v6v4 list NAT64LIST pool NAT64GLOBAL overload
  nat64 logging translation flow-export v9 udp dest 192.168.0.2 9995
  ipv6 access-list NAT64
   permit ipv6 any 2610:d0:1208:cafe::/96
  interface Gig0/0/1
   nat64 enable
  interface Gig0/0/0
   nat64 enable

Page 33: IPv6 WiFi Experiences


•  Users complained about: Facetime, other video apps, most of the VPNs
•  What worked well: everyday browsing, Facebook

(chart: 85% / 15%)

Page 34: IPv6 WiFi Experiences


•  Proxy-ARP on IPv4 by IPv6-unaware apps: standard behavior. Solved by a "fake" DHCPv4 address (e.g. from 100.64.0.0/16) + an ACL on the first router
•  Mobile clients are tricky: apps need testing in new versions; iOS 6… DHCPv6 support…
•  However, the situation is slowly improving

Page 35: IPv6 WiFi Experiences


If we still need some IPv4, can we minimize the headache ?

Page 36: IPv6 WiFi Experiences


NAT

“NAT” in this presentation means “stateful translation”

Page 37: IPv6 WiFi Experiences


(diagram: 2001:db8::/32 split into customer prefixes 2001:db8:1::/48, 2001:db8:2::/48, 2001:db8:3::/48, 2001:db8:4::/48, 2001:db8:5::/48)

128-bit IPv6 address: Prefix (32) | EA (16) | SN (16) | IID (64)
The EA bits map to: IPv4 public addr = Prefix (24) + (8), and Ports (8) = public port range
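The address layout on this slide (Prefix 32 | EA 16 | SN 16 | IID 64, with the 16 EA bits split into 8 bits of IPv4 suffix and an 8-bit port-set ID) is the MAP scheme of draft-ietf-softwire-map referenced two slides later. The Python below is an added example, not from the slides or the draft, that extracts the EA bits from a customer /48 and derives the shared public IPv4 address and the port ranges that customer may use. The IPv4 rule prefix 192.0.2.0/24, the customer prefixes and the port offset a = 6 (which keeps ports 0-1023 out of every port set) are assumptions.

```python
"""MAP (draft-ietf-softwire-map) address and port derivation for the layout
on the slide: a /32 rule prefix with 16 EA bits, so each customer /48
carries 8 bits of IPv4 suffix (IPv4 rule prefix /24) and an 8-bit PSID
that selects a slice of the public port range.

Added example, not the draft's reference code or a Cisco implementation.
The IPv4 rule prefix, the customer /48s and the offset a = 6 are assumptions.
"""
import ipaddress
from typing import List, Tuple

RULE_V6 = ipaddress.IPv6Network("2001:db8::/32")   # from the slide
RULE_V4 = ipaddress.IPv4Network("192.0.2.0/24")    # constructed: 24-bit IPv4 prefix
EA_LEN = 16                                         # EA (16) on the slide


def ea_bits(user_v6: str, rule_v6=RULE_V6, ea_len: int = EA_LEN) -> int:
    """The EA bits are the bits of the customer prefix that follow the rule prefix."""
    user = ipaddress.IPv6Network(user_v6)
    if user.network_address not in rule_v6:
        raise ValueError(f"{user} is not covered by rule prefix {rule_v6}")
    if user.prefixlen < rule_v6.prefixlen + ea_len:
        raise ValueError("customer prefix too short to carry the EA bits")
    shift = 128 - rule_v6.prefixlen - ea_len
    return (int(user.network_address) >> shift) & ((1 << ea_len) - 1)


def map_ipv4_and_psid(user_v6: str, rule_v6=RULE_V6, rule_v4=RULE_V4,
                      ea_len: int = EA_LEN) -> Tuple[ipaddress.IPv4Address, int, int]:
    """Split the EA bits into IPv4 suffix and PSID; return (public IPv4, PSID, PSID length)."""
    ea = ea_bits(user_v6, rule_v6, ea_len)
    suffix_len = 32 - rule_v4.prefixlen
    psid_len = ea_len - suffix_len
    v4 = ipaddress.IPv4Address(int(rule_v4.network_address) | (ea >> psid_len))
    psid = ea & ((1 << psid_len) - 1)
    return v4, psid, psid_len


def port_ranges(psid: int, psid_len: int, a: int = 6) -> List[Tuple[int, int]]:
    """Port set of a PSID under the draft's generalized modulus algorithm:
    port = A << (16 - a) | PSID << m | M, with m = 16 - a - psid_len,
    A in 1..2^a-1 (A = 0 would be the well-known ports) and M in 0..2^m-1.
    Returned as contiguous (first, last) ranges, one per value of A."""
    m = 16 - a - psid_len
    if m < 0:
        raise ValueError("offset plus PSID length exceeds 16 bits")
    ranges = []
    for A in range(1, 1 << a):
        first = (A << (16 - a)) | (psid << m)
        ranges.append((first, first + (1 << m) - 1))
    return ranges


def ports_per_customer(psid_len: int, a: int = 6) -> int:
    """How many ports one customer gets: the same for every PSID value."""
    return sum(last - first + 1 for first, last in port_ranges(0, psid_len, a))


if __name__ == "__main__":
    v4, psid, k = map_ipv4_and_psid("2001:db8:2a05::/48")
    print(v4, psid, ports_per_customer(k), port_ranges(psid, k)[:3])
```

With an 8-bit PSID the 256 customers that share one public IPv4 address each get 252 ports spread over 63 slices of 4, and the slices of different PSIDs never overlap, which is what lets the mapping stay stateless (the "NAT" boxes on the following slide need no per-flow table for it).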

Page 38: IPv6 WiFi Experiences


(diagram: 2001:db8::/32 split into 2001:db8:1::/48, 2001:db8:2::/48, 2001:db8:3::/48, 2001:db8:4::/48, 2001:db8:5::/48, with NAT instances)

Page 39: IPv6 WiFi Experiences


•  http://6lab.cisco.com/map
•  draft-ietf-softwire-map: http://tools.ietf.org/html/draft-ietf-softwire-map

Page 40: IPv6 WiFi Experiences

Thank you.