Mat Ford - ISOC

Large-scale address sharing issues ‘There must be some way out of here,’ said the joker to the thief. Bob Dylan Mat Ford Irish IPv6 Summit 2010, Dublin 1

Address sharing @ @ @ ISP Internet 2010-05-19 Irish IPv6 Summit 2010 2

Large-scale address sharing @ ISP Internet 2010-05-19 Irish IPv6 Summit 2010 3

Address Sharing • Current practice: give a unique IPv4 public address to each subscriber – this address can be shared into the residential/office LAN through a NAPT device (in the CPE) • With IPv4 free-pool allocation completion this is no longer possible for new subscribers – Scalability of RFC1918 space also creating problems • A possible solution: allocate the same IPv4 public address to several subscribers at the same time – this is what we call large-scale address sharing 2010-05-19 Irish IPv6 Summit 2010 4

Port multiplexing • Q: How is it possible to differentiate between multiple subscribers all sharing a single address? • A: Use the transport layer port field to multiplex 2010-05-19 Irish IPv6 Summit 2010 5

Background • Long-tail of subscribers requiring >median number of ports Source: http://www.wand.net.nz/~salcock/someisp/flow_counting/result_page.html 2010-05-19 Irish IPv6 Summit 2010 6

30 ports Slide credit: Shin Miyakawa 2010-05-19 Irish IPv6 Summit 2010 7

It’s your problem now • Introduction of large-scale address sharing creates potentially serious issues for third parties: – Some applications will fail to operate – Reverse DNS will be affected – Inbound ICMP will fail in many cases – Amplification of security issues – Service usage monitoring and abuse logging will be impacted – Penalty boxes will no longer work – Spam blacklisting will be affected – Geo-location and geo-proximity mechanisms will be impacted – Load balancing algorithms may be impacted – Authentication mechanisms may be impacted – Traceability of network usage and abusage will be affected 2010-05-19 Irish IPv6 Summit 2010 11

Impact on applications • Breaks applications that – Establish inbound communications – Carry address and/or port information in their payload – Use fixed ports – Do not use any port (ICMP) – Assume uniqueness of source address – Explicitly prohibit concurrent connections from identical addresses 2010-05-19 Irish IPv6 Summit 2010 12

ICMP • ICMP is problematic for address sharing mechanisms as it does not carry any port information • Responses to outbound ICMP can be handled relatively easily • Inbound ICMP sourced off-net will not be routable • ICMP attacks – Malicious user could send Packet Too Big reducing the MTU down to 68 octets – Value will be cached by server for all subscribers sharing the IP of the malicious user – Could lead to a DoS condition for the server and the NAT 2010-05-19 Irish IPv6 Summit 2010 13

Geo-proximity, geo-location • Conforming with regional content licensing restrictions • Targeting advertising • Customising content • Emergency services • Shared addressing may reduce level of confidence and location granularity • Application performance may be affected in the presence of highly centralised CGN 2010-05-19 Irish IPv6 Summit 2010 14

Tracking service usage • Monitoring unique users of a service no longer possible by simply counting connections from discrete IP addresses • CPE NAT complicates this today, large-scale address sharing will make it a more widespread and severe issue • In general, all elements that monitor usage or abusage in the chain between a service provider that has deployed address sharing and a content provider will need to be upgraded to take account of the port value in addition to IP addresses 2010-05-19 Irish IPv6 Summit 2010 15

Traceability • Address sharing solutions must record and store all mappings they create – Potentially very large volume of data – Pre-allocating groups of ports mitigates – Trade-offs between • size of pre-allocated groups • ratio of public addresses to subscribers • Impact on logging requirements • Port randomisation security • Need for timestamping and accurate timekeeping – Densely populated CGN could mean even small amounts of clock skew result in misidentification of subscribers – Alternatively SPs start logging destinations, giving rise to privacy concerns, 2010-05-19 Irish IPv6 Summit 2010 16

Security-related issues • Port randomisation • Abuse logging, penalty boxes – Need to log source port as well as source address • Spam • IPsec • Authentication 2010-05-19 Irish IPv6 Summit 2010 17

Load balancing • Deterministic algorithms based on IP addresses may see sudden imbalances in load as address sharing is enabled • Growth of address sharing will require re-evaluation of load balancing algorithm designs 2010-05-19 Irish IPv6 Summit 2010 18

Other issues • Fragmentation • Multicast • Mobile-IP • Single Point of Failure • Reverse DNS – Reverse DNS strings no longer sufficient to identify a discrete subscriber 2010-05-19 Irish IPv6 Summit 2010 19

Conclusions • Large-scale address sharing will make many existing address sharing issues more severe and more widespread • Large-scale address sharing will also create new technical and business issues • Third-parties, content providers, LEAs, will be impacted • IPv6 is the only way to avoid this 2010-05-19 Irish IPv6 Summit 2010 20

Mat Ford - ISOC

by IPv6 Summit 2010 on May 21, 2010

Accessibility

Upload Details

Usage Rights

1 Embed 13

Statistics

Mat Ford - ISOC — Presentation Transcript