Mat Ford - ISOC

Issues with large scale address sharing - ISOC

Transcript

  • 1. Large-scale address sharing issues
    ‘There must be some way out of here,’ said the joker to the thief. Bob Dylan
    Mat Ford
    Irish IPv6 Summit 2010, Dublin
  • 2. Address sharing
    (diagram: three addresses @ @ @, ISP, Internet)
    2010-05-19 Irish IPv6 Summit 2010
  • 3. Large-scale address sharing
    (diagram: one address @, ISP, Internet)
  • 4. Address Sharing
    • Current practice: give a unique IPv4 public address to each subscriber
      – this address can be shared into the residential/office LAN through a NAPT device (in the CPE)
    • Once the IPv4 free pool is fully allocated this is no longer possible for new subscribers
      – the limited size of RFC 1918 space is also creating problems
    • A possible solution: allocate the same IPv4 public address to several subscribers at the same time
      – this is what we call large-scale address sharing
  • 5. Port multiplexing
    • Q: How is it possible to differentiate between multiple subscribers all sharing a single address?
    • A: Use the transport-layer port field to multiplex
  • 6. Background
    • Long tail of subscribers requiring more than the median number of ports
    • Source: http://www.wand.net.nz/~salcock/someisp/flow_counting/result_page.html
  • 7. 30 ports (figure; slide credit: Shin Miyakawa)
  • 8. 20 ports (figure; slide credit: Shin Miyakawa)
  • 9. 15 ports (figure; slide credit: Shin Miyakawa)
  • 10. 5 ports (figure; slide credit: Shin Miyakawa)
  • 11. It’s your problem now
    • Introduction of large-scale address sharing creates potentially serious issues for third parties:
      – Some applications will fail to operate
      – Reverse DNS will be affected
      – Inbound ICMP will fail in many cases
      – Amplification of security issues
      – Service usage monitoring and abuse logging will be impacted
      – Penalty boxes will no longer work
      – Spam blacklisting will be affected
      – Geo-location and geo-proximity mechanisms will be impacted
      – Load balancing algorithms may be impacted
      – Authentication mechanisms may be impacted
      – Traceability of network usage and abusage will be affected
  • 12. Impact on applications
    • Breaks applications that
      – Establish inbound communications
      – Carry address and/or port information in their payload
      – Use fixed ports
      – Do not use any port (ICMP)
      – Assume uniqueness of source address
      – Explicitly prohibit concurrent connections from identical addresses
  • 13. ICMP
    • ICMP is problematic for address sharing mechanisms as it does not carry any port information
    • Responses to outbound ICMP can be handled relatively easily (the NAT can use the ICMP identifier or the quoted header to find the mapping)
    • Inbound ICMP sourced off-net cannot be mapped to a subscriber and will not be delivered
    • ICMP attacks
      – A malicious user could send Packet Too Big, reducing the MTU down to 68 octets (the IPv4 minimum)
      – The value will be cached by the server for all subscribers sharing the IP address of the malicious user
      – Could lead to a DoS condition for the server and the NAT
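The Packet Too Big attack on slide 13, modelled as an added example (this code is not from the slides or from ISOC): a content server keeps one path-MTU value per destination address, so a value learned from the malicious subscriber applies to every other subscriber behind the same CGN address. The server model, the shared address 203.0.113.1, the 1 MB response and the 552-octet floor (the Linux net.ipv4.route.min_pmtu default, used here as an assumed mitigation) are all constructed for the example.

```python
# Added example (not from the slides): a server's per-destination path-MTU cache
# being driven down by one subscriber's ICMP "Packet Too Big", and a floor on the
# accepted value as the mitigation. Addresses and sizes are constructed.
from typing import Dict, Optional

IPV4_MIN_MTU = 68      # minimum IPv4 MTU (RFC 791); the value quoted on the slide
DEFAULT_MTU = 1500     # Ethernet path assumed until a PTB says otherwise
IP_HDR, TCP_HDR = 20, 20
LINUX_MIN_PMTU = 552   # assumption: a floor like Linux net.ipv4.route.min_pmtu (default 552)

SHARED_IP = "203.0.113.1"   # constructed: one CGN public address shared by many subscribers


class PmtuCache:
    """Path-MTU state of a content server, keyed by destination address only.

    That key is the whole problem: behind a CGN the destination address is
    shared, so a value learned from one subscriber applies to all of them.
    """

    def __init__(self, floor: Optional[int] = None) -> None:
        self.pmtu: Dict[str, int] = {}
        self.floor = floor

    def path_mtu(self, dst: str) -> int:
        return self.pmtu.get(dst, DEFAULT_MTU)

    def on_packet_too_big(self, quoted_dst: str, next_hop_mtu: int) -> int:
        """Handle an ICMPv4 type 3 code 4 (fragmentation needed) message.

        quoted_dst is the destination address of the original datagram quoted
        in the ICMP payload; next_hop_mtu is the value the sender claims.
        """
        if self.floor is not None:
            next_hop_mtu = max(next_hop_mtu, self.floor)
        if next_hop_mtu < self.path_mtu(quoted_dst):
            self.pmtu[quoted_dst] = next_hop_mtu
        return self.path_mtu(quoted_dst)

    def tcp_segments(self, dst: str, payload_bytes: int) -> int:
        """Segments needed to send payload_bytes to dst at the cached PMTU."""
        mss = self.path_mtu(dst) - IP_HDR - TCP_HDR
        return -(-payload_bytes // mss)   # ceiling division


def attack_effect(payload_bytes: int = 1_000_000, floor: Optional[int] = None) -> dict:
    """Segments the server needs for one response before and after the attack."""
    server = PmtuCache(floor=floor)
    before = server.tcp_segments(SHARED_IP, payload_bytes)
    # The malicious subscriber, who shares SHARED_IP with everyone else behind
    # the CGN, claims the path to that address only carries 68-octet packets.
    server.on_packet_too_big(SHARED_IP, IPV4_MIN_MTU)
    after = server.tcp_segments(SHARED_IP, payload_bytes)
    return {
        "pmtu": server.path_mtu(SHARED_IP),
        "segments_before": before,
        "segments_after": after,
    }


if __name__ == "__main__":
    print(attack_effect())                      # every subscriber on 203.0.113.1 now gets a 28-byte MSS
    print(attack_effect(floor=LINUX_MIN_PMTU))  # the floor bounds the damage
```

Checking the quoted inner header against an existing connection, as real stacks do, does not stop this: the attacker has a genuine session through the CGN, so the message looks legitimate. What bounds the damage is refusing to go below a floor, at the price of blackholing any real path whose MTU is lower than that floor.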
  • 14. Geo-proximity, geo-location
    • Conforming with regional content licensing restrictions
    • Targeting advertising
    • Customising content
    • Emergency services
    • Shared addressing may reduce level of confidence and location granularity
    • Application performance may be affected in the presence of highly centralised CGN
  • 15. Tracking service usage
    • Monitoring unique users of a service is no longer possible by simply counting connections from discrete IP addresses
    • CPE NAT complicates this today; large-scale address sharing will make it a more widespread and severe issue
    • In general, all elements that monitor usage or abusage in the chain between a service provider that has deployed address sharing and a content provider will need to be upgraded to take account of the port value in addition to IP addresses
  • 16. Traceability
    • Address sharing solutions must record and store all mappings they create
      – Potentially very large volume of data
      – Pre-allocating groups of ports mitigates this (one log entry per group instead of one per session)
      – Trade-offs between
        • size of pre-allocated groups
        • ratio of public addresses to subscribers
        • impact on logging requirements
        • port randomisation security
    • Need for timestamping and accurate timekeeping
      – Densely populated CGN could mean even small amounts of clock skew result in misidentification of subscribers
      – Alternatively SPs start logging destinations, giving rise to privacy concerns
  • 17. Security-related issues
    • Port randomisation
      – Confining a subscriber to a small group of ports reduces the entropy an off-path attacker has to guess
    • Abuse logging, penalty boxes
      – Need to log source port as well as source address
    • Spam
    • IPsec
    • Authentication
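Slides 5, 15, 16 and 17 together describe one mechanism: ports multiplex subscribers onto a shared address, the CGN must log its mappings, and an abuse report can only be traced back if it carries address, port and an accurate time. The following added example (not code from the slides or from ISOC) puts those pieces in one place: a minimal CGN that hands each subscriber a pre-allocated block of ports, logs one record per block rather than per session, randomises ports only within the block, and resolves reports. The public address 203.0.113.1, the subscriber names, the 64-port block size, the LIFO reuse policy and the timestamps are all constructed for the example.

```python
# Added example (not from the slides): a minimal CGN port-block allocator with the
# mapping log slide 16 asks for, and the lookup an abuse report (slides 15, 17)
# has to go through. Names, addresses, block size and timestamps are constructed.
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PUBLIC_IP = "203.0.113.1"            # constructed: the one address many subscribers share
FIRST_PORT, LAST_PORT = 1024, 65535  # ports the CGN hands out (assumption)


@dataclass
class BlockRecord:
    """One log line: which subscriber held which port block, and when."""
    subscriber: str
    public_ip: str
    first_port: int
    last_port: int
    start: float                     # CGN clock, seconds
    end: Optional[float] = None      # None while the block is still assigned


class CGN:
    def __init__(self, public_ip: str = PUBLIC_IP, block_size: int = 64, seed: int = 0) -> None:
        self.public_ip = public_ip
        self.block_size = block_size
        # Free blocks as a stack: the most recently released block is reused first,
        # which is exactly why timestamp accuracy matters for lookup() below.
        self.free: List[int] = list(range(FIRST_PORT, LAST_PORT - block_size + 2, block_size))
        self.active: Dict[str, BlockRecord] = {}
        self.in_use: Dict[str, Set[int]] = {}
        self.log: List[BlockRecord] = []   # one record per block assignment, not per session
        self.rng = random.Random(seed)

    def allocate(self, subscriber: str, now: float) -> BlockRecord:
        if subscriber in self.active:
            return self.active[subscriber]
        if not self.free:
            raise RuntimeError("public address exhausted")
        first = self.free.pop()
        rec = BlockRecord(subscriber, self.public_ip, first, first + self.block_size - 1, now)
        self.active[subscriber] = rec
        self.in_use[subscriber] = set()
        self.log.append(rec)
        return rec

    def new_session(self, subscriber: str, now: float) -> Tuple[str, int]:
        """Outbound session: pick a public port at random, but only inside the block."""
        rec = self.allocate(subscriber, now)
        free_ports = [p for p in range(rec.first_port, rec.last_port + 1)
                      if p not in self.in_use[subscriber]]
        if not free_ports:
            raise RuntimeError("subscriber's port block exhausted")
        port = self.rng.choice(free_ports)
        self.in_use[subscriber].add(port)
        return self.public_ip, port

    def release(self, subscriber: str, now: float) -> None:
        rec = self.active.pop(subscriber)
        rec.end = now
        del self.in_use[subscriber]
        self.free.append(rec.first_port)

    def lookup(self, public_ip: str, public_port: int, when: float) -> Optional[str]:
        """Abuse report with address, port and time: resolves to one subscriber."""
        for rec in self.log:
            if (rec.public_ip == public_ip and rec.first_port <= public_port <= rec.last_port
                    and rec.start <= when and (rec.end is None or when < rec.end)):
                return rec.subscriber
        return None

    def subscribers_behind(self, public_ip: str, when: float) -> List[str]:
        """Abuse report with address and time only: every subscriber sharing it then."""
        return sorted({rec.subscriber for rec in self.log
                       if rec.public_ip == public_ip and rec.start <= when
                       and (rec.end is None or when < rec.end)})


def port_random_bits(block_size: int) -> float:
    """Source-port entropy left to an off-path attacker: log2(block) instead of ~16 bits."""
    return math.log2(block_size)


if __name__ == "__main__":
    cgn = CGN(block_size=64)
    _, alice_port = cgn.new_session("alice(10.0.0.5)", now=100.0)
    cgn.allocate("bob(10.0.0.9)", now=100.0)
    cgn.release("alice(10.0.0.5)", now=200.0)
    _, carol_port = cgn.new_session("carol(10.0.0.7)", now=200.5)  # reuses Alice's block
    print(cgn.subscribers_behind(PUBLIC_IP, 150.0))  # address alone: Alice and Bob
    print(cgn.lookup(PUBLIC_IP, carol_port, 201.0))  # correct time: Carol
    print(cgn.lookup(PUBLIC_IP, carol_port, 199.0))  # reporter's clock 2 s slow: Alice
    print(port_random_bits(64), "bits of port randomisation")
```

With 64-port blocks one /32 serves about a thousand subscribers and the whole run above produces three log records, whereas per-session logging would produce one per connection. The last two lookups are the clock-skew point from slide 16: the same (address, port) resolves to a different subscriber when the reporter's timestamp is two seconds off, because the released block was reassigned in between.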
  • 18. Load balancing
    • Deterministic algorithms based on IP addresses may see sudden imbalances in load as address sharing is enabled
    • Growth of address sharing will require re-evaluation of load balancing algorithm designs
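The imbalance on slide 18, as an added example (not code from the slides or from ISOC): a balancer that hashes the source address sends every subscriber behind one shared address to the same backend, so a population that hashed evenly before can only ever occupy as many backends as there are public addresses afterwards. Hashing on address and port spreads the load again but loses per-subscriber affinity, since each new session gets a new port. The subscriber count, the 200:1 sharing ratio, the eight backends and the address ranges (198.18.0.0/15 test range, 203.0.113.0/24 documentation range) are constructed.

```python
# Added example (not from the slides): what an address-hashed load balancer sees
# before and after subscribers are put behind shared addresses. The subscriber
# population, address ranges, sharing ratio and backend count are constructed.
import hashlib
from collections import Counter
from typing import Callable, List, Tuple

Client = Tuple[str, int]   # (source address, source port) as seen by the balancer


def backend_for(key: str, n_backends: int) -> int:
    """Deterministic hash: a given key always lands on the same backend."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_backends


def loads(clients: List[Client], n_backends: int, key_fn: Callable[[Client], str]) -> List[int]:
    """Connections per backend when each client is hashed by key_fn."""
    counts = Counter(backend_for(key_fn(c), n_backends) for c in clients)
    return [counts.get(i, 0) for i in range(n_backends)]


def one_address_each(n: int) -> List[Client]:
    """Before sharing: every subscriber has its own public address."""
    return [(f"198.18.{i // 256}.{i % 256}", 50000) for i in range(n)]


def shared_addresses(n: int, ratio: int, block_size: int = 64) -> List[Client]:
    """After sharing: `ratio` subscribers per address, each with its own port block."""
    clients = []
    for i in range(n):
        addr = f"203.0.113.{i // ratio + 1}"
        port = 1024 + (i % ratio) * block_size   # first port of the subscriber's block
        clients.append((addr, port))
    return clients


def by_address(c: Client) -> str:
    return c[0]


def by_address_and_port(c: Client) -> str:
    return f"{c[0]}:{c[1]}"


def imbalance(counts: List[int]) -> float:
    """Busiest backend relative to the mean; 1.0 is perfect balance."""
    return max(counts) / (sum(counts) / len(counts))


if __name__ == "__main__":
    n, ratio, backends = 1000, 200, 8
    print(loads(one_address_each(n), backends, by_address))                  # roughly even
    print(loads(shared_addresses(n, ratio), backends, by_address))           # 5 addresses: at most 5 backends busy
    print(loads(shared_addresses(n, ratio), backends, by_address_and_port))  # even again, affinity lost
```

With five public addresses every backend load under address hashing is a multiple of 200 and at least three backends sit idle, whatever the hash function; that is the "sudden imbalance" the slide refers to, and it appears the moment the ISP turns sharing on, with no change on the content provider's side.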
  • 19. Other issues
    • Fragmentation
    • Multicast
    • Mobile-IP
    • Single Point of Failure
    • Reverse DNS
      – Reverse DNS strings no longer sufficient to identify a discrete subscriber
  • 20. Conclusions
    • Large-scale address sharing will make many existing address sharing issues more severe and more widespread
    • Large-scale address sharing will also create new technical and business issues
    • Third parties (content providers, LEAs, ...) will be impacted
    • IPv6 is the only way to avoid this