IPv6 Transition Mechanisms, their Security and Management - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
IPv6 Transition Mechanisms, their Security and
Management
  • Georgios Koutepas
  • National Technical University of Athens, Greece
  • 6DISS Workshop
  • March 5 2006

2
Transition to IPv6
  • Not an after-thought but designed to be part of
    the new protocol since the beginning
  • Overview of transition requirements
  • Gradual site transition: a site may have only
    some of its systems supporting IPv6
  • Minimum transition requirements: a site can
    support IPv6 just by offering DNS services
    without any upgrade in the rest of the
    infrastructure
  • IP address compatibility: the v4 addresses can be
    converted to "corresponding" v6 addresses,
    allowing the system to operate in both
    environments
  • Ease of installation: Operating Systems should
    support IPv6 straightforwardly, without need for
    software upgrades.
  • The answer: SIT (Simple Internet Transition)
    mechanisms included in IPv6

3
IPv6 Transition Mechanisms
  • SIT offers a scheme for
  • The conversion of IPv4 addresses to IPv6
  • Dual stack OS operation
  • Tunnelling mechanisms via the encapsulation of v6
    packets within v4 when passing over v4 clouds
    (and vice versa)
  • The Result
  • Dual Stack mechanisms
  • Translation Mechanisms
  • Tunnelling Mechanisms

4
Dual Stack mechanisms
5
Translation Mechanisms
  • NAT-PT (Network Address Translation - Protocol
    Translation)
  • Potential problems
  • Services based on protocol specific header info
    cannot be supported end-to-end
  • "Classic" NAT security issues
  • Others
  • BIS (Bump in the Stack) - At the Transport Layer
  • BIA (Bump in the API) - At the Application Layer

6
Tunnelling Mechanisms
  • How they work
  • Encapsulation of IPv6 packets within IPv4 packets
    and vice versa
  • Which means it can also be used for IPv4
    connections over IPv6 native networks
  • Protocol field in the IPv4 header: 41
  • The tunnel's end point performs the necessary
    operations on the protocol 41 IPv4 packets
  • Reassembly of fragmented packets
  • Packet forwarding in the IPv6 network
  • Hop limit (equivalent to IPv4 TTL) reduction by
    1: the tunnel is "transparent" to IPv6
  • Nodes performing the (en/de)capsulation operation
    have to be dual stack

7
Types of tunnelling
  • Based on the way we find the tunnel's other end
  • (Pre)configured tunnel end-points
  • Automatic. Tunnel end-point may be derived from
  • 6to4 address
  • IPv4 compatible IPv6 destination address

8
Automatic Tunneling Mechanisms Tunnel Brokers
  • The simplest way to IPv6 for single users (i.e.
    using dialup, ADSL, etc.)
  • May create security problems OR, conversely,
    protocol 41 may be banned by the sys-admins for
    security reasons
  • Operation
  • The user connects to a special web server (in the
    IPv4 network) and applies for a tunnel
  • The server assigns an IPv6 address, creates a DNS
    entry, informs the Tunnel Server, and sends a
    configuration script to the user
  • The user runs the script, installs the
    IPv6-over-IPv4 tunnel and connects to the Tunnel
    Server that routes the packets to the native IPv6
    network

9
Automatic Tunneling Mechanisms 6over4
  • Deprecated...
  • "Multicast tunnelling"
  • Single IPv6 hosts use the IPv4 Multicast Network
    to connect to each other or to the native IPv6
    network via a 6over4 router (usually a 6to4
    router)
  • The result is IPv6 hosts directly connected, even
    using IPv6 Link Local addresses (derived
    from their IPv4 addresses)!
  • Also supports IPv6 multicast etc.
  • 6over4 requires IPv4 Multicast support, which
    does not exist widely.

10
Automatic Tunneling Mechanisms ISATAP
  • Intra Site automatic Tunnel Addressing Protocol
  • Also uses the IPv4 infrastructure but without the
    need for Multicast
  • Can operate under v4 NAT
  • Operation
  • The node with IPv4 address A.B.C.D gets the
    Link Local address FE80::5EFE:A.B.C.D
  • Using DNSv4 queries for the name ISATAP a
    Potential Router List (PRL) is created (the
    Router usually is a 6to4 system)
  • A Router Solicitation message is sent; the answer
    (Router-Advertisement message) gives the prefix
    for creating the universal IPv6 address
  • ISATAP router-to-node: the router tunnels to the
    node using the last 4 bytes of the destination
    address as the IPv4 end-point
  • Node-to-router: the node reaches the IPv6 network
    via the ISATAP router

11
Automatic Tunneling Mechanisms Teredo
  • Useful for hosts behind NAT
  • Encapsulates the IPv6 packets within UDP v4
    packets to bypass the problem of NAT in many
    cases restricting protocol 41 (IP encapsulated)
    packets
  • The encapsulation takes place at the
    communicating node itself rather than at a border
    router (as happens in 6to4)
  • The Teredo-relay then forwards the packets to the
    native IPv6 network
  • Issues
  • Complex implementation
  • Can operate only with specific NAT types
  • Limited number of Teredo-relays available in the
    Internet
  • Used only when there is no other available solution

12
Automatic Tunneling Mechanisms 6to4 Overview
  • Connects isolated IPv6 "clouds"
  • Only the border routers need to implement the
    6to4 functionality (and need to be dual stack
    too)
  • Any site with a single unicast IPv4 address can
    transmit to the IPv6 network using the 2002::/16
    prefix
  • Many available relays to the IPv6 network, easy
    to find by (IPv4) anycast addressing (from
    192.88.99.0 - RFC 3068)
  • The most widely used mechanism: thanks to its
    minimal requirements and ease of implementation
    it is preferred to other automatic tunnelling
    methods and to configured tunnels
  • However, it cannot be used behind NAT because it
    requires an available universal IPv4 address

13
6to4 Architecture and Components
14
6to4 usage scenarios (1) 6to4 host to 6to4 host
  • Native v6 communication and routing (RIPng)

15
6to4 usage scenarios (2) Between two 6to4 sites
  • Useful for sites without native IPv6 ISP support
  • Within the 6to4 sites the hosts use IPv6 natively
  • Router advertisements and stateless address
    autoconfiguration
  • DNSv6 host records - The other site can know
    about the hosts it needs to communicate with
  • Non-local IPv6 addresses are sent to the default
    (6to4) router
  • The IPv4 address within the 6to4 destination IPv6
    address is used as the tunnel termination point

16
6to4 usage scenarios (2) Between two 6to4 sites
17
6to4 usage scenarios (3) Between a 6to4 site and
a native IPv6 network
  • Connection to the native IPv6 network through a
    6to4 Relay Router (an IPv6 router with a 6to4
    "Pseudo-interface")
  • Usage of the Relay Router's IPv4 address or the
    Anycast Address
  • 6to4 host to a native IPv6 host
  • The 6to4 host uses DNS to find the destination
    host
  • The 6to4 router forwards (via IPv4) the packet to
    the "next-hop", the closest 6to4 relay router
  • The IPv6 router forwards the packet to its final
    destination
  • Native IPv6 host to a 6to4 host
  • The 6to4 relay router advertises the 2002::/16
    prefix within the IPv6 network
  • A v6 host will use this information to send its
    packet to the corresponding IPv6 router and
    further to the 6to4 "pseudo-interface" via which
    (by the IPv4 network) the packet reaches the 6to4
    network and its final destination
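The address embedding that slides 10, 12, 15 and 17 describe, as an added Python example that is not part of the original presentation: deriving the ISATAP link-local address and the 2002:V4ADDR::/48 site prefix, recovering the IPv4 tunnel end-point from an IPv6 destination, and choosing between a direct 6to4 tunnel and the relay anycast address. Sample addresses in the comments and tests are constructed from documentation ranges.

```python
import ipaddress
from typing import Optional

# Added example, not code from the slides: how ISATAP (slide 10) and 6to4 (slides 12,
# 15, 17) embed an IPv4 address in an IPv6 address and how a router recovers the
# IPv4 tunnel end-point from the IPv6 destination.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # 6to4 relay anycast, slide 22
# Slide 10 uses the 0000:5EFE interface-id form; RFC 5214 also defines 0200:5EFE
# for public IPv4 addresses, which this check does not accept.
ISATAP_IID = 0x0000_5EFE

def isatap_link_local(v4: str) -> ipaddress.IPv6Address:
    """FE80::5EFE:A.B.C.D for the node whose IPv4 address is A.B.C.D."""
    iid = (ISATAP_IID << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address((0xFE80 << 112) | iid)

def isatap_endpoint(v6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address in the last 4 bytes of an ISATAP address (router-to-node, slide 10)."""
    addr = int(ipaddress.IPv6Address(v6))
    if ((addr >> 32) & 0xFFFF_FFFF) != ISATAP_IID:       # bytes 9-12 must be 0000:5EFE
        return None
    return ipaddress.IPv4Address(addr & 0xFFFF_FFFF)

def site_prefix_6to4(v4: str) -> ipaddress.IPv6Network:
    """2002:V4ADDR::/48, the prefix one public IPv4 address gives a 6to4 site (slide 12)."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))

def tunnel_endpoint(v6: str) -> Optional[ipaddress.IPv4Address]:
    """V4ADDR embedded in a 2002::/16 address (slide 15), or None for any other address.
    The standard library exposes the same value as IPv6Address(v6).sixtofour."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFF_FFFF)

def next_hop_v4(v6_dst: str) -> ipaddress.IPv4Address:
    """IPv4 tunnel end-point for a non-local destination (slide 17): another 6to4
    site is reached directly, everything else through the closest relay (anycast)."""
    endpoint = tunnel_endpoint(v6_dst)
    return endpoint if endpoint is not None else RELAY_ANYCAST
```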

18
6to4 usage scenarios (3) Between a 6to4 site and
a native IPv6 network
19
6to4 Security, or what can go wrong
  • Vulnerabilities
  • 6to4 routers must accept packets from ALL 6to4
    relay routers
  • It's not possible to know if the relay router is
    "Trusted" or even existent
  • 6to4 relay routers have to accept packets from
    6to4 routers and native IPv6 hosts without any
    checks
  • Threats
  • DoS/DDoS against 6to4 components may result in
    unavailability
  • 6to4 routers/relay routers may be used for
    "reflected" DDoS attacks
  • "Service theft": unauthorized usage of relay
    router services
  • Local IPv4 broadcast attacks
  • Neighbor Discovery attacks
  • "Sanity Checks" necessary!

20
6to4 Security: an attack scenario
  • Reflected DoS Attack
  • It is supposed that bandwidth and processing
    power limitations can prevent a large scale
    attack

21
Securing 6to4 components
  • 6to4 routers
  • Check for correspondence between the IPv4 part of
    the packets and the 2002::/16 IPv6 encapsulated
    part
  • Implement "Sanity Checks"
  • IPv4: do not allow strange addresses (e.g.
    loopback, private, multicast, etc.) to be
    encapsulated
  • IPv6: reject "wrong" addresses, like link local,
    multicast, etc.
  • Prevent routing of packets to other 6to4 sites
    via 6to4 relay routers
  • Reject packets coming from another 6to4 site via
    a relay router

22
Securing 6to4 components (2)
  • 6to4 relay routers
  • Reject IPv4 packets from 6to4 routers that don't
    have a matching IPv4 src address (V4ADDR) and
    equivalent 6to4 src address (2002:V4ADDR::) in
    the encapsulated IPv6 packet
  • Reject protocol 41 (IPv4) packets without
    destination address 192.88.99.1
  • Deny packets to the IPv6 network without a
    universal IPv6 address
  • Reject packets from 6to4 routers to 6to4
    addresses
  • Ingress Filtering and Access Control Lists for
    the IPv6 part!
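The sanity checks of slides 21 and 22 as an added Python example (not code from the presentation): one function that reports which rules an incoming protocol 41 packet breaks at a site's 6to4 router or at a 6to4 relay router. It assumes the relay is reached only through the 192.88.99.1 anycast address, treats 2000::/3 as the "universal" (global unicast) IPv6 range, and uses constructed sample addresses.

```python
import ipaddress
from collections import namedtuple
from typing import List

# Added example, not code from the slides: the "sanity checks" of slides 21 and 22
# applied to one protocol-41 packet at a site's 6to4 router or at a relay router
# (assumption: the relay is reached only via its anycast address).
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")       # "universal" IPv6 addresses
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")     # relay anycast address, slide 22
# IPv4 addresses that must never be a tunnel end-point (slide 21): "this" network,
# RFC 1918 private, loopback, link-local, multicast and limited broadcast.
BAD_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]
# Outer IPv4 header fields plus the addresses of the encapsulated IPv6 packet.
Encap = namedtuple("Encap", "proto v4_src v4_dst v6_src v6_dst")

def embedded_v4(addr: ipaddress.IPv6Address):
    """V4ADDR of a 2002:V4ADDR::/48 address, or None if addr is not a 6to4 address."""
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFF_FFFF) if addr in SIX_TO_FOUR else None

def sanity_check(pkt: Encap, role: str) -> List[str]:
    """Rules an incoming packet violates at a 6to4 'router' or 'relay'; [] means accept."""
    if pkt.proto != 41:
        return ["not an IPv6-in-IPv4 (protocol 41) packet"]
    v4s, v4d = ipaddress.IPv4Address(pkt.v4_src), ipaddress.IPv4Address(pkt.v4_dst)
    v6s, v6d = ipaddress.IPv6Address(pkt.v6_src), ipaddress.IPv6Address(pkt.v6_dst)
    bad = []
    if any(a in n for a in (v4s, v4d) for n in BAD_V4):
        bad.append("outer IPv4 address is loopback/private/multicast")
    if any(a.is_link_local or a.is_multicast for a in (v6s, v6d)):
        bad.append("encapsulated IPv6 address is link-local or multicast")
    src_v4 = embedded_v4(v6s)
    # Both roles: a 2002:V4ADDR:: source must arrive directly from V4ADDR. This also
    # drops traffic from another 6to4 site that was bounced through a relay (slide 21).
    if src_v4 is not None and src_v4 != v4s:
        bad.append("6to4 source does not match outer IPv4 source")
    if role == "router" and embedded_v4(v6d) != v4d:
        bad.append("encapsulated destination is not this 6to4 site")
    if role == "relay":
        if v4d != RELAY_ANYCAST:
            bad.append("protocol 41 packet not addressed to 192.88.99.1")
        if v6s not in GLOBAL_UNICAST:
            bad.append("source is not a universal IPv6 address")
        if v6d in SIX_TO_FOUR:
            bad.append("6to4-to-6to4 traffic must not transit the relay")
    return bad
```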

23
A General Transition Roadmap for an enterprise or
educational network
  • Phase 1
  • Network Design
  • Define Wide and Local network segments
  • Define special areas (due to requirements and
    operations) - VLANs, DMZs etc.
  • Define management entities and their areas of
    responsibility
  • Network management information flow
  • Security requirements
  • For users and applications
  • For the network itself (protection of the
    management information, protection of network
    devices, security of management procedures)
  • Plan the steps to transition to the new protocol.
    Examine the possibility of deploying transition
    mechanisms (for communications between IPv6 areas
    within an IPv4 network and vice versa)

24
A General Transition Roadmap (2)
  • Phase 2
  • Implementation of a mixed IPv4/IPv6 environment
  • Gradual transition of non-critical systems to
    IPv6
  • Allows the evaluation of the operation and
    stability of the network devices and non-critical
    systems under IPv6
  • Develops the transition procedures
  • Disseminates the usage of transition mechanisms
    (tunnels, gateways, etc.) for communications
    between IPv6-only areas
  • Phase 3
  • Transition of all systems to IPv6
  • Exclusive usage of IPv6 in the network
  • Maintaining transition mechanisms for legacy
    systems and contacts with IPv4 networks

25
Any Questions ?