Issues with large scale address sharing - ISOC

Transcript

  • 1. Large-scale address sharing issues
    ‘There must be some way out of here,’ said the joker to the thief. (Bob Dylan)
    Mat Ford, Irish IPv6 Summit 2010, Dublin
  • 2. Address sharing
    (diagram: subscribers, ISP, Internet)
    2010-05-19 Irish IPv6 Summit 2010
  • 3. Large-scale address sharing
    (diagram: subscribers, ISP, Internet)
  • 4. Address Sharing
    • Current practice: give a unique IPv4 public address to each subscriber
      – this address can be shared into the residential/office LAN through a NAPT device (in the CPE)
    • With IPv4 free-pool allocation completion this is no longer possible for new subscribers
      – Scalability of RFC1918 space is also creating problems
    • A possible solution: allocate the same IPv4 public address to several subscribers at the same time
      – this is what we call large-scale address sharing
  • 5. Port multiplexing
    • Q: How is it possible to differentiate between multiple subscribers all sharing a single address?
    • A: Use the transport layer port field to multiplex
  • 6. Background
    • Long tail of subscribers requiring more than the median number of ports
    Source: http://www.wand.net.nz/~salcock/someisp/flow_counting/result_page.html
  • 7. 30 ports (slide credit: Shin Miyakawa)
  • 8. 20 ports (slide credit: Shin Miyakawa)
  • 9. 15 ports (slide credit: Shin Miyakawa)
  • 10. 5 ports (slide credit: Shin Miyakawa)
  • 11. It’s your problem now
    • Introduction of large-scale address sharing creates potentially serious issues for third parties:
      – Some applications will fail to operate
      – Reverse DNS will be affected
      – Inbound ICMP will fail in many cases
      – Amplification of security issues
      – Service usage monitoring and abuse logging will be impacted
      – Penalty boxes will no longer work
      – Spam blacklisting will be affected
      – Geo-location and geo-proximity mechanisms will be impacted
      – Load balancing algorithms may be impacted
      – Authentication mechanisms may be impacted
      – Traceability of network usage and abusage will be affected
  • 12. Impact on applications
    • Breaks applications that
      – Establish inbound communications
      – Carry address and/or port information in their payload
      – Use fixed ports
      – Do not use any port (ICMP)
      – Assume uniqueness of source address
      – Explicitly prohibit concurrent connections from identical addresses
  • 13. ICMP
    • ICMP is problematic for address sharing mechanisms as it does not carry any port information
    • Responses to outbound ICMP can be handled relatively easily
    • Inbound ICMP sourced off-net will not be routable
    • ICMP attacks
      – Malicious user could send Packet Too Big reducing the MTU down to 68 octets
      – Value will be cached by the server for all subscribers sharing the IP of the malicious user
      – Could lead to a DoS condition for the server and the NAT
  • 14. Geo-proximity, geo-location
    • Conforming with regional content licensing restrictions
    • Targeting advertising
    • Customising content
    • Emergency services
    • Shared addressing may reduce level of confidence and location granularity
    • Application performance may be affected in the presence of highly centralised CGN
  • 15. Tracking service usage
    • Monitoring unique users of a service is no longer possible by simply counting connections from discrete IP addresses
    • CPE NAT complicates this today; large-scale address sharing will make it a more widespread and severe issue
    • In general, all elements that monitor usage or abusage in the chain between a service provider that has deployed address sharing and a content provider will need to be upgraded to take account of the port value in addition to IP addresses
  • 16. Traceability
    • Address sharing solutions must record and store all mappings they create
      – Potentially very large volume of data
      – Pre-allocating groups of ports mitigates
      – Trade-offs between
        • size of pre-allocated groups
        • ratio of public addresses to subscribers
        • impact on logging requirements
        • port randomisation security
      • Need for timestamping and accurate timekeeping
      – Densely populated CGN could mean even small amounts of clock skew result in misidentification of subscribers
      – Alternatively SPs start logging destinations, giving rise to privacy concerns
  • 17. Security-related issues
    • Port randomisation
    • Abuse logging, penalty boxes
      – Need to log source port as well as source address
    • Spam
    • IPsec
    • Authentication
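To make the traceability and abuse-logging points of slides 16 and 17 concrete, here is an added example (not from the talk) of a CGN mapping log with pre-allocated port blocks and a lookup that resolves an abuse report (public address, source port, timestamp) to a subscriber. The addresses, subscriber IDs, block size and timestamps are constructed; the `skew` parameter shows how clock uncertainty between the reporter and the CGN turns a unique answer into an ambiguous one when a port block is reused.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set

@dataclass(frozen=True)
class Mapping:
    """One CGN log entry: a subscriber held public_ip:[port_lo..port_hi] from start to end."""
    subscriber: str
    public_ip: str
    port_lo: int
    port_hi: int
    start: datetime
    end: Optional[datetime]  # None means the block is still allocated

# Constructed sample log: one public address, ports pre-allocated in blocks of 64.
# Logging one entry per block (not per connection) is what keeps the volume manageable.
LOG = [
    Mapping("sub-A", "198.51.100.7", 1024, 1087,
            datetime(2010, 5, 19, 9, 0, 0), datetime(2010, 5, 19, 9, 30, 0)),
    Mapping("sub-B", "198.51.100.7", 1088, 1151,
            datetime(2010, 5, 19, 9, 0, 0), None),
    # sub-A released its block at 09:30 and it was immediately reassigned to sub-C.
    Mapping("sub-C", "198.51.100.7", 1024, 1087,
            datetime(2010, 5, 19, 9, 30, 0), None),
]

def lookup(public_ip: str, port: Optional[int], when: datetime,
           skew: timedelta = timedelta(0)) -> Set[str]:
    """Return every subscriber who could have owned (public_ip, port) at time `when`.

    `port=None` models an abuse report that recorded only the address, which is
    why it returns all subscribers behind that address at the time.
    `skew` widens each mapping's lifetime by the clock uncertainty between the
    reporter and the CGN; a result with more than one entry is a misidentification risk.
    """
    hits: Set[str] = set()
    for m in LOG:
        if m.public_ip != public_ip:
            continue
        if port is not None and not (m.port_lo <= port <= m.port_hi):
            continue
        if when < m.start - skew:
            continue
        if m.end is not None and when > m.end + skew:
            continue
        hits.add(m.subscriber)
    return hits
```

With exact clocks a report of 198.51.100.7:1050 at 09:29:58 names sub-A alone; allow 5 seconds of skew and sub-C becomes a candidate too, while a report without a source port can never distinguish sub-A from sub-B.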
  • 18. Load balancing
    • Deterministic algorithms based on IP addresses may see sudden imbalances in load as address sharing is enabled
    • Growth of address sharing will require re-evaluation of load balancing algorithm designs
  • 19. Other issues
    • Fragmentation
    • Multicast
    • Mobile-IP
    • Single Point of Failure
    • Reverse DNS
      – Reverse DNS strings no longer sufficient to identify a discrete subscriber
  • 20. Conclusions
    • Large-scale address sharing will make many existing address sharing issues more severe and more widespread
    • Large-scale address sharing will also create new technical and business issues
    • Third parties, content providers and LEAs will be impacted
    • IPv6 is the only way to avoid this