Real-world IPv6 WiFi scenarios presented at PLNOG 2012. In addition, information is included around why IPv6 is important and the top drivers for Enterprises to deploy it.

Transcript

  • 1. IPv6 WiFi Experiences. Andrew Yourtchenko, Technical Leader, ayourtch@cisco.com. Presented at PLNOG 2012. © 2012 Cisco and/or its affiliates. All rights reserved.
  • 2. IPv6 deployment
  • 4. 6lab.cisco.com/stats (chart: Internet, Transit, Content, Users)
  • 5. (chart: IPv6, IPv4, CGN)
  • 6. (chart: CGN only vs. 6rd + CGN, for 2011 / 2013 / 2015)
  • 8. Your Phone has it! (chart; remaining labels not recoverable)
  • 9. Practice: IPv6 devices on wireless
  • 12. Dual-stack-capable: 47.5% -> 77.5%; IPv6-using: 80.6% -> 87.3%
  • 13. With such a level of support in clients, you cannot ignore IPv6 even if you do not provide it.
  • 15.
    •  Attacker tricks victim into accepting him as default router
    •  Based on rogue Router Advertisements
    •  The most frequent threat, caused by a non-malicious user
    Diagram (nodes A, B, C): RA, Src = C's link-local address, Dst = All-nodes, Data = router lifetime, autoconfig flag, Options = subnet prefix, slla. RA, Src = B's link-local address, Dst = All-nodes, Data = router lifetime=0. Result: node A sends off-link traffic to C.
  • 16.
    •  Attacker spoofs Router Advertisement with false on-link prefix
    •  Victim generates IP address with this prefix
    •  Access router drops outgoing packets from victim (ingress filtering)
    •  Incoming packets can't reach victim
    Diagram (nodes A, B, C): RA, Src = B's link-local address, Dst = All-nodes, Options = prefix X, Preferred lifetime = 0 (deprecates X::A). RA, Src = B's link-local address, Dst = All-nodes, Options = prefix BAD, Preferred lifetime (A computes BAD::A and DADs it). Node A sources off-link traffic to B with BAD::A; B filters out BAD::A.
  • 17.
    •  Attacker can claim victim's IP address
    Diagram (nodes A, B, C): NS, Dst = Solicited-node multicast address of B, Query = what is B's link-layer address? NA, Src = B or any of C's IF addresses, Dst = A, Data = B, Option = link-layer address of C.
  • 18.
    •  Attacker hacks any victim's DAD attempts
    •  Victim can't configure IP address and can't communicate
    Diagram (nodes A, C): NS, Src = UNSPEC, Dst = Solicited-node multicast address of A, Data = A, Query = Does anybody use A already? NA ("it's mine!"), Src = any of C's IF addresses, Dst = A, Data = A, Option = link-layer address of C.
  • 19. (diagram: IPv6 client, 802.11, Access Point, CAPWAP tunnel, Controller, IPv6 VLAN / Ethernet)
    •  RA Guard at the Access Point (Local and FlexConnect modes): Router Advertisement from a client dropped
    •  DHCPv6 Server Guard: DHCPv6 Advertisement blocked at the Controller
    •  IPv6 Source Guard: undesired IPv6 addresses/prefix dropped at the Controller (drops undesired packets)
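The three guards on slide 19 are all decisions taken on a client-originated frame against a small amount of state. The following is an added example (not code from the slides or from any Cisco product) that applies the same three checks, RA Guard, DHCPv6 Server Guard and Source Guard, to constructed frame summaries; the `Frame` structure, the MAC/IP values and the binding-table layout are assumptions made for the example. It also handles the one edge case a naive source guard gets wrong: a DAD probe is sent from `::` before the address can be in the table, so it must be let through.

```python
import ipaddress
from dataclasses import dataclass

# Constants from RFC 4861 (ICMPv6 types) and RFC 8415 (DHCPv6 message type / server port).
ICMPV6_RA, ICMPV6_NS = 134, 135
DHCPV6_SERVER_PORT = 547
DHCPV6_ADVERTISE = 2


@dataclass
class Frame:
    """Constructed summary of one frame as a controller would see it (not a capture format)."""
    from_client: bool      # True if received from a wireless client over 802.11/CAPWAP
    src_mac: str
    src_ip: str
    proto: str             # "icmpv6", "udp" or anything else for plain data
    msg_type: int = 0      # ICMPv6 type, or DHCPv6 msg-type when proto == "udp"
    udp_sport: int = 0


def fhs_verdict(frame, binding_table):
    """Apply the three client-side guards and return (action, guard).

    binding_table maps a client MAC to the set of IPv6 addresses learned for it
    (the per-client address table described on the next slide)."""
    if not frame.from_client:
        return ("permit", "wired-side")          # guards act on client-originated frames only
    if frame.proto == "icmpv6" and frame.msg_type == ICMPV6_RA:
        return ("drop", "ra-guard")              # a client never legitimately sends an RA
    if (frame.proto == "udp" and frame.udp_sport == DHCPV6_SERVER_PORT
            and frame.msg_type == DHCPV6_ADVERTISE):
        return ("drop", "dhcpv6-guard")          # server-side messages must not come from a client
    src = ipaddress.IPv6Address(frame.src_ip)
    if src.is_unspecified and frame.proto == "icmpv6" and frame.msg_type == ICMPV6_NS:
        return ("permit", "dad")                 # DAD probes use :: and are not in the table yet
    if src not in binding_table.get(frame.src_mac, set()):
        return ("drop", "source-guard")          # address not bound to this client
    return ("permit", "bound")


def run_sample():
    """Run the guards over constructed frames; returns the list of (action, guard)."""
    mac = "00:11:22:33:44:55"                    # constructed client MAC
    table = {mac: {ipaddress.IPv6Address("fe80::1"),
                   ipaddress.IPv6Address("2001:db8:1::a")}}
    frames = [
        Frame(False, "00:aa:bb:cc:dd:ee", "fe80::ff", "icmpv6", ICMPV6_RA),        # real router RA
        Frame(True, mac, "fe80::1", "icmpv6", ICMPV6_RA),                          # RA from a client
        Frame(True, mac, "fe80::1", "udp", DHCPV6_ADVERTISE, DHCPV6_SERVER_PORT),  # rogue DHCPv6 server
        Frame(True, mac, "::", "icmpv6", ICMPV6_NS),                               # DAD probe
        Frame(True, mac, "2001:db8:1::a", "tcp"),                                  # data, bound address
        Frame(True, mac, "2001:db8:bad::a", "tcp"),                                # data, unknown address
    ]
    return [fhs_verdict(f, table) for f in frames]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The Source Guard branch is the one that depends on the binding table being complete; the next slides explain why that table needs room for several addresses per client, and what happens when it runs out.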
  • 20. Up to 8 IPv6 addresses are tracked per client.
    •  Support for many IPv6 addresses per client is necessary because:
       Clients can have multiple address types per interface
       Clients can be assigned addresses via multiple methods such as SLAAC and DHCPv6
       Most clients automatically generate a temporary address in addition to assigned addresses.
  • 21. Prefix lifetimes:
    •  You want them as short as possible: only 8 slots in the table, a new address at each re-association, IPv6 blackhole if not short enough
    •  You want them as long as possible: less ND chatter, more temporary-address stability
  • 22. (diagram of the trade-off: SSID; FHS binding table size (8); FHS reconnection timeouts (volatility); device: avoid wakeups; blackholing; prefix lifetimes; ND chatter, address stability)
  • 23.
    •  Experimental value for conference environment ~ 30 minutes => 30 minutes prefix lifetime … works, but very, very chatty
    •  FHS binding table management logic changes to accommodate clients' behavior (7.3 should have these changes)
    •  With 7.2 – use stateful DHCPv6
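Slides 20 to 23 describe the trade-off in words; the following added example (not from the slides, and not how any controller implements its table) turns it into a small model so the blackholing point can be seen numerically. Its assumptions are labelled in the code: every re-association produces a new temporary address, a tracked address occupies its slot for the whole prefix lifetime, two slots are permanently taken by the link-local and the stable address, and an address that finds no free slot is not tracked (blackholed).

```python
# Assumptions of this model (not from the slides): each re-association creates one new
# temporary address; a tracked address holds its slot for the full prefix lifetime; the
# link-local and the stable SLAAC/DHCPv6 address permanently occupy FIXED_SLOTS slots;
# a new address that finds no free slot is not tracked, so its traffic is blackholed.
TABLE_SLOTS = 8     # from the slide: up to 8 addresses tracked per client
FIXED_SLOTS = 2     # assumption: link-local + one stable global address


def simulate(lifetime_min, reassoc_every_min, duration_min, slots=TABLE_SLOTS):
    """Walk one client through periodic re-associations.

    Returns (blackholed_count, peak_tracked): how many new addresses found no free slot,
    and the largest number of slots in use at any point."""
    expiries = []            # expiry times of the tracked temporary addresses
    blackholed = 0
    peak = 0
    t = 0
    while t <= duration_min:
        expiries = [e for e in expiries if e > t]          # age out entries
        if len(expiries) + FIXED_SLOTS >= slots:
            blackholed += 1                                # no slot for the new address
        else:
            expiries.append(t + lifetime_min)
        peak = max(peak, len(expiries) + FIXED_SLOTS)
        t += reassoc_every_min
    return blackholed, peak


def max_safe_lifetime(reassoc_every_min, slots=TABLE_SLOTS, horizon_min=480):
    """Largest prefix lifetime (a multiple of the re-association interval) that never
    blackholes a new address within the horizon under the model above."""
    best = 0
    lifetime = reassoc_every_min
    while lifetime <= horizon_min:
        if simulate(lifetime, reassoc_every_min, horizon_min, slots)[0] == 0:
            best = lifetime
        lifetime += reassoc_every_min
    return best


if __name__ == "__main__":
    print("30 min lifetime, re-assoc every 5 min:", simulate(30, 5, 120))
    print("60 min lifetime, re-assoc every 5 min:", simulate(60, 5, 120))
    print("max safe lifetime at 5 min re-assoc:", max_safe_lifetime(5))
```

Under these assumptions a client that re-associates every 5 minutes fills the table exactly with a 30-minute lifetime and starts losing addresses beyond that, which is the "short enough" side of slide 21; the cost of a short lifetime, the ND chatter of slide 23, is not modelled here. Changing FIXED_SLOTS (a client with both a SLAAC and a DHCPv6 global address) shrinks the safe lifetime further.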
  • 24. Meanwhile, you need to continue to provide IPv4 as well…
  • 25. Type "example.com" and press Enter → A? "example.com" and AAAA? "example.com" → connect 192.0.43.10 / connect 2001:500:88:200::10 → GET / HTTP/1.1, Host: example.com
  • 26. Can we go IPv6-only?
  • 27. (diagram: IPv6-only and dual-stack clients, IPv6, Stateful NAT64 (6:4 / 4:6), IPv4, IPv4 servers)
  • 28. Stateful NAT64 allows the hosts on the IPv6 network to connect to the IPv4 network by dedicating an IPv6 prefix which represents the translated IPv4 Internet. This allows a twofold use:
    - IPv6-enable the internal IPv4-only services
    - allow the internal IPv6-only network to talk to the IPv4 Internet
    (diagram: IPv6 Internet, Stateful NAT64 (4:6 / 6:4), IPv4 Internet)
  • 29. IPv6-only client to IPv4-only servers through stateful NAT64 (diagram: IPv6 Internet, Gig0/0/1, NAT64, Gig0/0/0, IPv4, server 72.163.4.161)
       asr1knat64-xtr#sh nat64 trans tcp
       72.163.4.161:80  [2610:d0:1208:cafe::48a3:4a1]:80  153.16.17.82:1056  [2607:f128:42:73::2]:37897
    Flow: client → NAT64 (IPv6): s: [2607:f128:42:73::2]:37897, d: [2610:d0:1208:cafe::72.163.4.161]:80. NAT64 → server (IPv4): s: 153.17.16.82:1056, d: 72.163.4.161:80. Server → NAT64: s: 72.163.4.161:80, d: 153.17.16.82:1056. NAT64 → client: s: [2610:d0:1208:cafe::72.163.4.161]:80, d: [2607:f128:42:73::2]:37897.
  • 30. DNS64 creates a synthetic AAAA record for the host based on the A record if no real AAAA record exists in DNS. This automatically directs IPv6-only clients to the correct address within the NAT64 prefix. This functionality is provided by BIND since 9.8.0; CNR's DNS server can also be used to perform the same function.
    Diagram (real AAAA exists; NAT64 prefix 2610:d0:1208:cafe::1/96 (*)): 1. client asks DNS64: AAAA? example.com; 2. DNS64 asks the authoritative nameserver for example.com: AAAA? example.com; 3. answer AAAA=2001:500:88:200::1; 4. DNS64 returns AAAA=2001:500:88:200::1 unchanged. (*) DNS hierarchy traversal omitted for brevity
  • 31. Diagram (no real AAAA; NAT64 prefix 2610:d0:1208:cafe::1/96): 1. client asks DNS64: AAAA? example.com; 2. DNS64 asks the authoritative nameserver: AAAA? example.com; 3. No; 4. DNS64 asks: A? example.com; 5. A=192.0.43.10; 6. DNS64 synthesizes; 7. AAAA = 2610:d0:1208:cafe::192.0.43.10
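The two diagrams above (and the `48a3:4a1` entry in the translation table of slide 29) are all the same /96 embedding of an IPv4 address in the NAT64 prefix. This added example (not from the slides, and not BIND's or CNR's code) implements that synthesis in both directions and the DNS64 decision of slides 30 and 31: a real AAAA is returned untouched, otherwise one is synthesized from each A record. The zone data is constructed stand-in data, not a real DNS lookup; the NAT64 prefix is the one from the slides.

```python
import ipaddress

# NAT64 prefix used throughout the slides (a /96, i.e. the IPv4 address sits in the low 32 bits).
NAT64_PREFIX = ipaddress.IPv6Network("2610:d0:1208:cafe::/96")

# Constructed zone data standing in for the authoritative servers (not real DNS answers).
ZONE = {
    "example.com": {"A": ["192.0.43.10"], "AAAA": ["2001:500:88:200::1"]},
    "ipv4only.example": {"A": ["72.163.4.161"], "AAAA": []},
    "nowhere.example": {"A": [], "AAAA": []},
}


def synthesize_aaaa(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in a /96 NAT64 prefix (the /96 layout of RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=NAT64_PREFIX):
    """Reverse mapping, useful when reading a NAT64 translation table.
    Returns None if the address is not inside the NAT64 prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_resolve(name, zone=ZONE, prefix=NAT64_PREFIX):
    """DNS64 behaviour for an AAAA query: a real AAAA wins, otherwise synthesize from A,
    otherwise answer empty (the client has no address to connect to)."""
    rr = zone.get(name, {"A": [], "AAAA": []})
    if rr["AAAA"]:
        return [ipaddress.IPv6Address(a) for a in rr["AAAA"]]
    return [synthesize_aaaa(a, prefix) for a in rr["A"]]


if __name__ == "__main__":
    for host in ZONE:
        print(host, [str(a) for a in dns64_resolve(host)])
    print(extract_ipv4("2610:d0:1208:cafe::48a3:4a1"))   # the slide-29 table entry
```

Note the consequence of the first rule: a host with a real AAAA record is reached natively and never passes through NAT64, so NAT64 logging (slide 32) only sees traffic to IPv4-only destinations. A DNS64 that synthesizes even when a AAAA exists would silently route native-IPv6-capable traffic through the translator.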
  • 32. Stateful NAT64 configuration (diagram: IPv6 hosts, Gig0/0/1, Stateful NAT64 (4:6 / 6:4), Gig0/0/0, IPv4 hosts)
       nat64 prefix stateful 2610:d0:1208:cafe::/96
       nat64 v4 pool NAT64GLOBAL 153.16.17.82 153.16.17.82
       nat64 v6v4 list NAT64LIST pool NAT64GLOBAL overload
       nat64 logging translation flow-export v9 udp dest 192.168.0.2 9995
       ipv6 access-list NAT64
        permit ipv6 any 2610:d0:1208:cafe::/96
       interface Gig0/0/1
        nat64 enable
       interface Gig0/0/0
        nat64 enable
  • 33. Results (85% / 15%):
    •  What worked well (85%): everyday browsing; Facebook
    •  Users complained about (15%): FaceTime and other video apps; most of the VPNs
  • 34.
    •  Proxy-ARP on IPv4 by IPv6-unaware apps: standards behavior; solved by a "fake" DHCPv4 address (e.g. from 100.64.0.0/16) + ACL on the first router
    •  Mobile clients are tricky: apps need testing in new versions; iOS 6…; DHCPv6 support…
    •  However, the situation is slowly improving
  • 35. If we still need some IPv4, can we minimize the headache?
  • 36. NAT: "NAT" in this presentation means "stateful translation"
  • 37. (diagram: 2001:db8::/32 split into 2001:db8:1::/48 … 2001:db8:5::/48. 128-bit IPv6 address = Prefix (32) | EA (16) | SN (16) | IID (64). IPv4 public address = Prefix (24) | (8). Ports: (8) (8) = public port range)
  • 38. (diagram: each /48 under 2001:db8::/32, 2001:db8:1::/48 … 2001:db8:5::/48, with its own NAT)
  • 39.
    •  http://6lab.cisco.com/map
    •  draft-ietf-softwire-map: http://tools.ietf.org/html/draft-ietf-softwire-map
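Slide 37 shows the MAP address layout (a /32 rule prefix, 16 EA bits, a /24 IPv4 prefix with 8 bits completed from the EA bits, and a port range) but leaves the arithmetic implicit. The following added example (not from the slides or the draft's reference code) carries that derivation through for the end-user prefixes of slide 37, following the algorithm that RFC 7597 later standardised from draft-ietf-softwire-map; the IPv4 rule prefix 192.0.2.0/24 and the PSID offset of 4 are constructed assumptions, since the slide gives neither.

```python
import ipaddress


def map_derive(user_prefix, rule_v6, rule_v4, ea_len):
    """Derive (shared IPv4 address, PSID, PSID length) for a CE from its end-user IPv6
    prefix and a MAP basic mapping rule (RFC 7597 section 5.2). The EA bits directly
    follow the rule IPv6 prefix; their high part completes the IPv4 address and the
    remaining bits are the port-set ID."""
    user = ipaddress.IPv6Network(user_prefix)
    r6 = ipaddress.IPv6Network(rule_v6)
    r4 = ipaddress.IPv4Network(rule_v4)
    if not user.subnet_of(r6) or user.prefixlen != r6.prefixlen + ea_len:
        raise ValueError("end-user prefix does not match the rule")
    ea = (int(user.network_address) >> (128 - user.prefixlen)) & ((1 << ea_len) - 1)
    suffix_len = 32 - r4.prefixlen          # IPv4 bits supplied by the EA bits
    psid_len = ea_len - suffix_len          # leftover EA bits identify the port set
    if psid_len < 0:
        raise ValueError("EA bits are shorter than the IPv4 suffix")
    suffix = ea >> psid_len
    psid = ea & ((1 << psid_len) - 1)
    ipv4 = ipaddress.IPv4Address(int(r4.network_address) | suffix)
    return ipv4, psid, psid_len


def port_ranges(psid, psid_len, psid_offset=4):
    """Contiguous port ranges of a PSID (RFC 7597 section 5.1). A port number is
    A (psid_offset bits) | PSID (psid_len bits) | M (remaining bits); A starts at 1
    when the offset is non-zero so the lowest ports (0-4095 for offset 4) stay unused
    and no subscriber gets the well-known ports. psid_offset=4 is an assumption here."""
    m = 16 - psid_offset - psid_len
    if m < 0:
        raise ValueError("PSID does not fit in a 16-bit port")
    first_a = 1 if psid_offset > 0 else 0
    ranges = []
    for a in range(first_a, 1 << psid_offset):
        base = (a << (16 - psid_offset)) | (psid << m)
        ranges.append((base, base + (1 << m) - 1))
    return ranges


def port_count(psid, psid_len, psid_offset=4):
    """Total number of ports a CE with this PSID may use."""
    return sum(hi - lo + 1 for lo, hi in port_ranges(psid, psid_len, psid_offset))


if __name__ == "__main__":
    # Constructed rule: IPv6 2001:db8::/32, IPv4 192.0.2.0/24, 16 EA bits (layout of slide 37).
    for eup in ("2001:db8:1::/48", "2001:db8:5::/48", "2001:db8:102::/48"):
        v4, psid, k = map_derive(eup, "2001:db8::/32", "192.0.2.0/24", 16)
        print(eup, "->", v4, "PSID", psid, "ports", port_count(psid, k), port_ranges(psid, k)[:2])
```

With this rule each /48 shares its IPv4 address with 255 other subscribers and owns 240 ports spread over 15 ranges of 16; that is the "public port range" box of slide 37 made concrete, and the reason the per-/48 NAT of slide 38 needs no per-session state outside the CE to be reversible: address and port set are a pure function of the prefix.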
  • 40. Thank you.