Reverse Proxies as Enterprise IPv6 Entry Points by Patrick Chang at gogoNET LIVE! 3 IPv6 Conference

gogo6 IPv6 Video Series. Event, presentation and speaker details below:

EVENT
gogoNET LIVE! 3: Enterprise wide Migration. http://gogonetlive.com
November 12 – 14, 2012 at San Jose State University, California
Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp

PRESENTATION
Reverse Proxies as Enterprise IPv6 Entry Points
Abstract: http://www.gogo6.com/profiles/blogs/my-presentation-at-gogonet-live-3?xg_source=activity
Presentation video: http://www.gogo6.com/video/reverse-proxies-as-enterprise-ipv6-entry-points-by-patrick-chang
Interview video: http://www.gogo6.com/video/interview-with-patrick-chang-at-gogonet-live-3-ipv6-conference

SPEAKER
Patrick Chang - Senior Regional Architect, F5
Bio/Profile: http://www.gogo6.com/profile/PatrickChang

MORE
Learn more about IPv6 on the gogoNET social network
http://www.gogo6.com
Get free IPv6 connectivity with Freenet6
http://www.gogo6.com/Freenet6
Subscribe to the gogo6 IPv6 Channel on YouTube
http://www.youtube.com/subscription_center?add_user=gogo6videos
Follow gogo6 on Twitter
http://twitter.com/gogo6inc
Like gogo6 on Facebook
http://www.facebook.com/pages/IPv6-products-community-and-services-gogo6/161626696777

Reverse Proxies as Enterprise IPv6 Entry Points by Patrick Chang at gogoNET LIVE! 3 IPv6 Conference Presentation Transcript

  • 1. Implementing IPv6 Services with a Reverse Proxy
    Presented by: Patrick Chang
    November 2012
    APPLE RUNS BETTER WITH F5
  • 2. Existing IPv4 Service
    [Diagram labels: IPv4 Clients, IPv4 Proxy Load Balancer, IPv4 App Servers, IPv4 DB Servers]
  • 3. IPv4 Data Flow
      • Load balancer is a reverse proxy
          – Presents external facing IPv4 Service
          – Connects to internal IPv4 resources
      • Incoming traffic
          – Target is IPv4 address on reverse proxy
          – Reverse proxy terminates connection
          – Reverse proxy opens new connection to back end IPv4 resources
      • Return traffic
          – Server responses go back to reverse proxy
          – Reverse proxy manipulates IP headers of response
          – Reverse proxy sends response back to IPv4 clients
  • 4. Adding IPv6
    [Diagram labels: IPv6 Clients, IPv6 Proxy, IPv6 App Servers, IPv6 DB Servers, IPv4 Clients, IPv4 Proxy Load Balancer, IPv4 App Servers, IPv4 DB Servers]
  • 5. IPv6 Data Flow
      • Load balancer is a reverse proxy
          – Presents external facing IPv6 Service
          – Connects to existing internal IPv4 resources
          – Capable of connecting to new internal IPv6 resources
      • Incoming traffic
          – Target is IPv6 address on reverse proxy
          – Reverse proxy terminates connection
          – Reverse proxy opens new connection to existing IPv4 resources
      • Return traffic
          – Server responses go back to reverse proxy
          – Reverse proxy manipulates IP headers of response
          – Reverse proxy sends response back to IPv6 clients
  • 6. Single and Dual Stack
      • Separate IPv6 FQDN (Single Stack)
          – IPv4 FQDN -> A query = IP, AAAA record = NXDomain
          – IPv6 FQDN -> A query = NXDomain, AAAA record = IP
      • Same IPv6 and IPv4 FQDN (Dual Stack)
          – A query = IPv4 address
          – AAAA Query = IPv6 address
      • Recent OSs send AAAA query, then A query
          – Client on IPv6 only -> IPv6 response = it works
          – Client on IPv4 and IPv6 -> IPv6 response = it works
          – Client on IPv4 only -> IPv6 response = broken
      • Possible Fixes
          – LDNS Whitelist
          – AAAA from IPv4 LDNS = NXDomain
  • 7.
  • 8. OSI Implications
      • IP (v4 and v6) = Network Layer
      • TCP, UDP = Transport Layer
          – 4 > 3
          – Unaffected by IPv6
      • SSL = Presentation Layer
          – 6 > 3
          – Unaffected by IPv6
      • Compression = Presentation Layer
          – 6 > 3
          – Unaffected by IPv6
  • 9. Application Layer
      • HTTP, SMTP, Client – Server = Application Layer
          – 7 > 3
          – Unaffected by IPv6????
      • IPv6 client -> IPv4 service
          – Reverse proxy must open connection to IPv4 service from IPv4 address
          – Does application require real client IP?
      • HTTP over IPv6 -> IPv4 service
          – X-Forwarded-For
              • Web server configuration logs X-Forwarded-For
              • Can log analyzer parse IPv6 addresses?
  • 10. Possible Workarounds
      • Change application
          – Custom IP stack in reverse proxy
          – 4X IPinIP encapsulation
          – Mapped source IP
          – Router with static routes
          – Custom IP stack in app servers
          – 4X IPinIP unencapsulation
      • Log separately
          – Reverse proxy inserts custom request ID
          – Reverse proxy logs IPv6 and custom request ID
          – Reverse proxy opens IPv4 connection from “magic” IP
          – Application logs “magic” IP and custom request ID
          – Log analyzer maps real IP via custom request ID
      • Upgrade log analysis system
  • 11. EVERYTHING RUNS BETTER WITH F5
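Slide 9 asks whether a log analyzer can parse IPv6 addresses in X-Forwarded-For. The following is an added example, not part of the original slides: it accepts the address forms a proxy may write (plain, bracketed with port, IPv4-mapped), rejects anything else, and picks the client by walking the header right to left past trusted proxy networks. The function names, the trusted-proxy list and the sample header are assumptions constructed for illustration.

```python
import ipaddress

def parse_xff_entry(raw):
    """Return a normalized address for one X-Forwarded-For element, or None."""
    token = raw.strip()
    if token.startswith("["):              # bracketed IPv6, optionally with :port
        end = token.find("]")
        if end == -1:
            return None
        token = token[1:end]
    elif token.count(":") == 1:            # IPv4 with :port (IPv6 has >= 2 colons)
        token = token.split(":", 1)[0]
    token = token.split("%", 1)[0]         # drop an IPv6 zone id such as %eth0
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None                        # free text never reaches the log store
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped            # report ::ffff:a.b.c.d as plain IPv4
    return addr

def client_from_xff(header, trusted_proxies):
    """Walk right to left, skipping trusted proxies; return the first other address.

    Elements to the left of that address are client-supplied and are ignored.
    A malformed element ends the walk with None instead of being skipped.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    for raw in reversed(header.split(",")):
        addr = parse_xff_entry(raw)
        if addr is None:
            return None
        if not any(addr.version == n.version and addr in n for n in nets):
            return addr
    return None

# Constructed sample header: spoofable left entry, IPv6 client, internal proxy hop.
SAMPLE_XFF = "203.0.113.9, [2001:DB8:CAFE:0:0:0:0:25]:51234, 10.0.0.5"
SAMPLE_TRUSTED = ["10.0.0.0/8"]            # assumed internal proxy network

if __name__ == "__main__":
    print(client_from_xff(SAMPLE_XFF, SAMPLE_TRUSTED))
```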
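The "log separately" workaround on slide 10, as an added example that is not from the original slides: the analyzer indexes the reverse proxy log by request ID and substitutes the real IPv6 address wherever the application logged the "magic" IPv4 address. The log line formats, the `req=` field, the 8-hex-digit ID and the magic address 192.0.2.254 are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed "magic" IPv4 source address the proxy uses for IPv6 clients.
MAGIC_IP = ipaddress.ip_address("192.0.2.254")

# Assumed log formats (constructed for this example).
PROXY_RE = re.compile(r"req=(?P<rid>[0-9a-f]{8}) client=(?P<ip>\S+)")
APP_RE = re.compile(r"^(?P<ip>\S+) .* req=(?P<rid>[0-9a-f]{8})$")

PROXY_LOG = [  # constructed sample: written by the reverse proxy
    "2012-11-12T10:00:01Z req=0a1b2c3d client=2001:db8:cafe::25",
    "2012-11-12T10:00:02Z req=0a1b2c3e client=2001:DB8:0:0:0:0:0:99",
]
APP_LOG = [  # constructed sample: written by the IPv4-only application
    '192.0.2.254 "GET /a HTTP/1.1" 200 req=0a1b2c3d',
    '198.51.100.7 "GET /b HTTP/1.1" 200 req=0a1b2c3f',
    '192.0.2.254 "GET /c HTTP/1.1" 200 req=0a1b2c3e',
    '192.0.2.254 "GET /d HTTP/1.1" 200 req=ffffffff',
]

def build_index(proxy_lines):
    """Map request ID -> validated client address from the proxy log."""
    index = {}
    for line in proxy_lines:
        m = PROXY_RE.search(line)
        if m:
            try:
                index[m["rid"]] = ipaddress.ip_address(m["ip"])
            except ValueError:
                pass  # not an address: leave the ID unresolved
    return index

def resolve_clients(app_lines, index):
    """Return (request ID, real client address or None) per application line."""
    out = []
    for line in app_lines:
        m = APP_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        # Only the magic address is rewritten; native IPv4 clients keep theirs.
        real = index.get(m["rid"]) if src == MAGIC_IP else src
        out.append((m["rid"], real))
    return out
```

The request ID is only a sound join key if the reverse proxy generates it and overwrites any value the client sends; an unresolved ID (`None`) is worth alerting on rather than dropping.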