IPv6: Why "next year" is now

Watch the full OnDemand Webcast: http://bit.ly/IPv6NextYear

IPv6 has been on almost every IT team's list to implement "next year" for the past 10 years. Two trends have recently converged to make this the year to implement IPv6: vendor support has been getting better, and available IPv4 addresses have been getting rarer. Currently all new PCs ship with IPv6 enabled by default, and the global pool of IPv4 numbers at IANA is empty. Deployment of IPv6 has been getting easier thanks to strategies like dual-stack, NAT, and tunneling, but those strategies will start to get more difficult as allocating IPv4 addresses becomes harder and security concerns increase on IPv6. Right now it’s the easiest it’s ever been to roll out IPv6, and may be the easiest it will ever be. Now is the time to stop deferring IPv6 deployment.

This webinar will focus on how WildPackets OmniPeek network analyzer provides Expert analysis, visibility, and insight for IPv6 as you begin the transition.

What we’ll cover:

IPv6 addressing, address format, SLAAC auto-addressing, and DHCPv6
ICMPv6, including neighbor discovery (previously ARP) and router discovery
Interoperability between IPv4 and IPv6 via tunnels and NAT
DNS over IPv6
What you will learn:

Common deployment pains, how to identify them, how to fix them
Security considerations for IPv6
How to find and control IPv6 on your network


IPv6: Why "next year" is now

  1. IPv6 “Next Year” is Now!
     Jim MacLeod, Product Manager, WildPackets
     jmacleod@wildpackets.com
     Follow me @shewfig
     Show us your tweets! Use today’s webinar hashtag #wp_ipv6 with any questions, comments, or feedback.
     Follow us @wildpackets
     © WildPackets, Inc. www.wildpackets.com
  2. Agenda
     • Primer
       ‒ Address types
       ‒ Address format
       ‒ Address resolution
     • Issues
       ‒ Implementation
       ‒ Interoperability
       ‒ Security
     • WildPackets
  3. Primer: IPv6 Addressing
  4. Address Lexical Conventions
     • 128 bits of hexadecimal
       ‒ IPv4 had 32 bits in dotted-decimal
     • Separated by colons
       ‒ 8 groups of 16 bits
       ‒ 8 bits = “octet”
       ‒ 16 bits = “sedectet” or “hexadectet”
     • Shortcuts
       ‒ Leading zeros in a group can be omitted
         • 2001:0db8::/32 same as 2001:db8::/32
       ‒ One run of consecutive all-zero groups can be written as “::” (at most once per address)
         • 2001:db8:0:0:0:0:0:1 same as 2001:db8::1
       ‒ Localhost is ::1, default route is ::/0
  5. Address Sections
     • Sections
       ‒ Network: RIR-assigned or local
       ‒ Subnet: subnetting within the org/site
       ‒ Host: 64-bit interface identifier
     • Example
       ‒ 2001:db8::/32
         • 32-bit prefix, 32 bits of subnet, 64 bits of interface ID
         • 32 bits of subnet =~ the entire size of IPv4, each with 64 bits of host
       ‒ 2001:db8:de30::/48
         • 48 bits of prefix, 16 bits of subnet, 64 bits of interface ID
         • 16 bits of subnet =~ a class B IPv4 address block
  6. Address Types
     • Unicast
       ‒ “Normal” address
     • Local
       ‒ Link-Local: not routable, subnet only
       ‒ ULA (Unique Local Addresses): private address
     • Multicast
       ‒ Multiple scopes, from host-internal to Internet-wide
     • NO explicit broadcast
       ‒ Implemented as local-scope multicast
       ‒ Several specific multicast addresses defined and used
         • All Routers, All DHCP servers, etc.
  7. Local Addresses
     • Link-Local: non-routable, subnet only
       ‒ Defined as fe80::/10; in practice, fe80::/64
       ‒ Nodes auto-generate an address for each interface
       ‒ On-box, the interface ID is appended to the address (e.g. %eth0)
     • Similar in concept to 169.254.0.0/16
       ‒ Auto-defined, unique per subnet
     • Why?
       ‒ Bootstrap addressing: no “naked” protocols like ARP
       ‒ Used by ICMPv6 Neighbor Discovery (“ARPv6”)
       ‒ Used by DHCPv6; no need for broadcast
     • Impact
       ‒ Every IPv6 interface will have at least 2 addresses
  8. Unique Local Addresses (ULA)
     • Routable private address space
       ‒ fd00::/8, plus 40 “random” bits -> fdxx:xxxx:xxxx::/48
       ‒ Like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
     • Can be used to create isolated networks
       ‒ Potentially routable among connected systems
       ‒ Non-routable across the Internet
     • Potential uses
       ‒ Lab networks
       ‒ Air-gapped networks
       ‒ Pilot projects
     • NOT intended for use with NAT
       ‒ NAT was a work-around on IP; IPv6 is the solution
  9. Subnetting Review
     • Q: Does 2001::/32 contain 2001:db8::/32?
       ‒ 2001::/32
         • 2001:0:0:0:0:0:0:0 – 2001:0:ffff:ffff:ffff:ffff:ffff:ffff
       ‒ 2001:db8::/32
         • 2001:db8:0:0:0:0:0:0 – 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
       ‒ A: No, the 2nd sedectet is different
     • Q: How large is fe80::/10?
       ‒ fe80::/16 – febf::/16
       ‒ 64 /16 blocks, 4B /32 blocks, 18 quadrillion /64 blocks
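The address conventions of slides 4 and 5 and the subnetting questions of slide 9, worked with Python's standard `ipaddress` module. This is an added example, not code from the webinar or from WildPackets: it uses the slides' own 2001:db8 documentation prefixes, and `sections()` assumes the /64 host part the slides describe. Containment is a bitwise prefix test, which is why 2001::/32 does not contain 2001:db8::/32 even though the strings look related.

```python
import ipaddress


def compress(text):
    """Shortest textual form: leading zeros dropped, longest run of zero groups written as '::'."""
    return ipaddress.IPv6Address(text).compressed


def expand(text):
    """Full eight-group form with every leading zero restored."""
    return ipaddress.IPv6Address(text).exploded


def address_range(prefix):
    """First and last address covered by a prefix, e.g. the two ends of 2001:db8::/32."""
    net = ipaddress.IPv6Network(prefix)
    return net[0].compressed, net[-1].compressed


def contains(outer, inner):
    """True when every address of `inner` lies inside `outer` (bitwise prefix test, not a string test)."""
    return ipaddress.IPv6Network(inner).subnet_of(ipaddress.IPv6Network(outer))


def count_blocks(prefix, block_len):
    """Number of /block_len blocks that fit in `prefix`: 2 ** (block_len - prefixlen)."""
    net = ipaddress.IPv6Network(prefix)
    if block_len < net.prefixlen or block_len > 128:
        raise ValueError("block length must lie between the prefix length and 128")
    return 2 ** (block_len - net.prefixlen)


def sections(addr, prefixlen):
    """Split a global unicast address into (routing prefix, subnet ID, 64-bit interface ID).
    `prefixlen` is the allocation size (32 or 48 on the slides); the host part is assumed to be /64."""
    a = ipaddress.IPv6Address(addr)
    if not 0 < prefixlen <= 64:
        raise ValueError("allocation prefix must be between /1 and /64")
    routing = ipaddress.IPv6Network((int(a), prefixlen), strict=False)
    bits = int(a)
    subnet_id = (bits >> 64) & ((1 << (64 - prefixlen)) - 1)
    interface_id = bits & ((1 << 64) - 1)
    return routing.compressed, subnet_id, interface_id


if __name__ == "__main__":
    print(compress("2001:0db8:0000:0000:0000:0000:0000:0001"))
    print(address_range("fe80::/10"))
    print(contains("2001::/32", "2001:db8::/32"), contains("2001:db8::/32", "2001:db8:de30::/48"))
    print(count_blocks("fe80::/10", 16), count_blocks("fe80::/10", 64))
    print(sections("2001:db8:de30:1234::1", 48))
```

`count_blocks("fe80::/10", 64)` is 2 ** 54, the "18 quadrillion" /64s on the slide; `sections()` returns the subnet ID as an integer so that the 16-bit subnet field of a /48 and the 32-bit field of a /32 fall out of the same function.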
  10. Address “Magic Numbers”
     • Node
       ‒ ::1/128 – localhost
       ‒ ::/0 – default route (like 0.0.0.0/0)
     • Local
       ‒ fe80::/10 – Link-local
       ‒ fc00::/7 – ULA
         • Likely deployment: fd00::/8
     • Global
       ‒ 2001:db8::/32 – “Example” addresses
       ‒ 2001::/32 – Teredo
       ‒ 2001:678::/29 – Provider-independent (multihomed end-users)
       ‒ 2001:7f8::/29 – Internet Exchange Points (ISP interconnect)
  11. IP to IPv6 “Magic Numbers”
     • ::ffff:0:0/96 – IPv4-mapped IPv6
       ‒ Server socket-level compliance for application compatibility
       ‒ Can be written ::ffff:a.b.c.d
     • ::ffff:0:0:0/96 – Stateless IP/ICMP Translation (SIIT)
       ‒ To allow an IPv6 client to connect to IPv4 hosts
     • 64:ff9b::/96 – “Well-Known” Prefix
       ‒ NAT64 address translation; connects an IPv6 island to IPv4
     • 2002::/16 – 6to4 translation
       ‒ To connect IPv6 islands via IPv4
     • Over time, these should all go away
       ‒ Dual stack makes all of these unnecessary
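The transition prefixes on slide 11, plus the Teredo addresses that slide 33 singles out as a way around the firewall, handled in Python's `ipaddress`. This is an added example, not code from the webinar or from WildPackets. It assumes the RFC 4380 Teredo layout (server IPv4 in bits 32-63, flags in 64-79, then the client's UDP port and public IPv4 stored XORed with all-ones); the sample addresses are the documentation ranges and the Teredo example address from that RFC. `classify()` is the defender's use: tag every address seen in a capture by mechanism so tunnelled and translated traffic stands out in an inventory.

```python
import ipaddress

# Transition prefixes from the slide, as network objects so membership checks are bitwise.
IPV4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")
SIIT = ipaddress.IPv6Network("::ffff:0:0:0/96")
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")


def embed_ipv4(prefix, v4):
    """Put an IPv4 address in the low 32 bits of a /96 prefix (IPv4-mapped, SIIT or NAT64 well-known prefix)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("IPv4 embedding needs a /96 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(v6):
    """Inverse of embed_ipv4: the dotted-quad held in the low 32 bits."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(v6)) & 0xFFFFFFFF))


def six_to_four_prefix(site_v4):
    """6to4 site prefix 2002:AABB:CCDD::/48 built from the site's public IPv4 address AA.BB.CC.DD."""
    v4 = int(ipaddress.IPv4Address(site_v4))
    return ipaddress.IPv6Network((int(SIX_TO_FOUR.network_address) | (v4 << 80), 48))


def decode_teredo(v6):
    """Fields of a Teredo address (RFC 4380 layout): the Teredo server's IPv4, the flags word,
    and the client's public UDP port and IPv4, both of which are stored XORed with all-ones."""
    a = ipaddress.IPv6Address(v6)
    if a not in TEREDO:
        raise ValueError("not a Teredo address")
    bits = int(a)
    return {
        "server": str(ipaddress.IPv4Address((bits >> 64) & 0xFFFFFFFF)),
        "flags": (bits >> 48) & 0xFFFF,
        "client_port": ((bits >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((bits & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def classify(v6):
    """Label an address by transition mechanism; 'native' means none of the slide's prefixes match."""
    a = ipaddress.IPv6Address(v6)
    for name, net in (("ipv4-mapped", IPV4_MAPPED), ("siit", SIIT), ("nat64", NAT64_WKP),
                      ("6to4", SIX_TO_FOUR), ("teredo", TEREDO)):
        if a in net:
            return name
    return "native"


if __name__ == "__main__":
    print(embed_ipv4("64:ff9b::/96", "192.0.2.1").exploded)
    print(six_to_four_prefix("192.0.2.1"))
    # RFC 4380 sample address: server 65.54.227.120, client 192.0.2.45 behind port 40000
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    for addr in ("2001:db8::1", "2002:c000:201::1", "64:ff9b::c000:201", "::ffff:c000:201"):
        print(addr, classify(addr))
```

Because the port and client address are only XOR-obfuscated, a Teredo address in a capture reveals the client's public IPv4 and the UDP port its tunnel uses; that is what makes these addresses easy to spot and account for in an inventory.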
  12. Address Resolution
  13. Resolving Addresses
     • ICMPv6 Neighbor Discovery Protocol (NDP)
       ‒ Replaces ARP
       ‒ Runs over IPv6, not directly over DLC/Ethernet
       ‒ Uses link-local addresses
     • Neighbor Solicitation
       ‒ Unicast fe80::/10 source (unique to the interface)
       ‒ Link-local multicast destination at both L2 and L3
       ‒ Last 24 bits of the multicast address are the last 24 bits of the target address
         • Allows quick validation on the receiving node: keep/discard
     • Neighbor Advertisement
       ‒ Response is unicast-to-unicast
  14. NDP in Action
     Search for 2001:db8:2::4
     • L2 address (MAC)
       • OUI is the IPv6 multicast prefix (33:33:FF)
       • Least significant 24 bits of the target address (00:00:04)
     • L3 address – targeted multicast
       • Local-scope IPv6 multicast (ff02)
       • Least significant 48 bits
         • Header is ::1:ff
         • Same least-significant bits (00:00:04)
     Implication: IPv6 is optimized to reduce broadcast at both L2 and L3
     • Frame is delivered to all nodes in the broadcast domain
     • Frame is quickly rejected by the NIC except on the target node
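The solicited-node lookup of slides 13 and 14, as an added example that is not part of the webinar or of any WildPackets code. It derives the L3 multicast group and the L2 destination for the slide's target 2001:db8:2::4, builds the multicast filter a NIC programs for its own addresses, and models the two-stage rejection the slide describes (NIC drops on MAC, then the stack compares the full target). The candidate address lists are constructed sample data.

```python
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))   # ff02::1:ff00:0/104
ALL_NODES = "ff02::1"
ALL_ROUTERS = "ff02::2"


def solicited_node_multicast(target):
    """Neighbor Solicitation destination for `target`: ff02::1:ff followed by the target's low 24 bits."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def multicast_mac(group):
    """Ethernet destination for an IPv6 multicast group: 33:33 followed by the group's low 32 bits."""
    a = ipaddress.IPv6Address(group)
    if not a.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = int(a) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


def nic_multicast_filter(my_addresses):
    """MACs a NIC must accept to hear NDP for its own addresses: all-nodes plus one solicited-node group each."""
    macs = {multicast_mac(ALL_NODES)}
    for addr in my_addresses:
        macs.add(multicast_mac(str(solicited_node_multicast(addr))))
    return macs


def ns_reaches_stack(frame_dst_mac, ns_target, my_addresses):
    """The slide's two-stage check. Returns 'dropped-by-nic' when the frame's destination MAC is not in
    the NIC filter, 'dropped-by-stack' when the MAC matched but the full target is not ours (two addresses
    sharing the same low 24 bits), and 'accepted' otherwise."""
    if frame_dst_mac.lower() not in nic_multicast_filter(my_addresses):
        return "dropped-by-nic"
    if ipaddress.IPv6Address(ns_target) not in {ipaddress.IPv6Address(a) for a in my_addresses}:
        return "dropped-by-stack"
    return "accepted"


if __name__ == "__main__":
    target = "2001:db8:2::4"
    group = solicited_node_multicast(target)
    print(target, "->", group, "->", multicast_mac(str(group)))
    print(nic_multicast_filter([target, "fe80::1"]))
    print(ns_reaches_stack("33:33:ff:00:00:04", target, [target]))
```

The all-routers group ff02::2 maps to 33:33:00:00:00:02 by the same rule, which is the frame a booting node sends for Router Discovery on slide 15.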
  15. Getting an Address
     • Static
       ‒ All parameters configured by hand
     • Dynamic
       ‒ Node bootstrap includes Router Discovery
       ‒ Similar to Neighbor Discovery
       ‒ Destination is the link-local “all routers” address
     • Router Advertisement includes flags to use either:
       ‒ Stateless Address Autoconfiguration (SLAAC)
       ‒ DHCPv6
  16. SLAAC
     • Network info from the Router
     • Node portion of the address
       ‒ Use the MAC, insert “ff:fe” in the middle
       ‒ Alternatively use Privacy Extensions
         • Pseudo-random instead of the extended MAC
     • Implications
       ‒ Track IPv6 nodes by MAC
         • Good for network management, bad for privacy
       ‒ Addresses distributed nearly randomly in the subnet
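The interface-ID construction of slide 16 and its inverse, the "track nodes by MAC" point, as an added example that is not from the webinar or from WildPackets. It implements modified EUI-64 (MAC split, ff:fe inserted, universal/local bit flipped) to build the link-local and SLAAC addresses, and `mac_from_address()` recovers the MAC only when the ff:fe marker is present, returning None for privacy-extension, DHCPv6 or manual addresses. The MAC and prefix are constructed sample values.

```python
import ipaddress
import re

_MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)


def modified_eui64(mac):
    """64-bit interface ID from a 48-bit MAC: insert ff:fe between the OUI and the device half,
    then flip the universal/local bit (0x02 of the first octet)."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"bad MAC {mac!r}")
    octets = bytearray(int(x, 16) for x in re.split("[:-]", mac))
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """Address a node builds for itself from the /64 in a Router Advertisement and its own MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(modified_eui64(mac), "big"))


def link_local(mac):
    """The fe80:: address every interface configures before it has heard any router."""
    return slaac_address("fe80::/64", mac)


def mac_from_address(addr):
    """Network-management view from the slide: if the interface ID carries the ff:fe marker,
    return the MAC it was derived from; otherwise None (privacy extension, DHCPv6 or manual)."""
    iid = bytearray((int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"          # constructed sample MAC
    print(link_local(mac))
    print(slaac_address("2001:db8:de30:1::/64", mac))
    print(mac_from_address("2001:db8:de30:1:21b:21ff:fe3c:4d5e"))
    print(mac_from_address("2001:db8:de30:1:1c2a:7b9e:5d3f:9a10"))   # privacy-style ID: None
```

A recovered MAC ties an IPv6 address to the same OUI and switch-port data that IPv4 inventories already use; an address for which the function returns None is the case where the slide's "nearly random" distribution applies.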
  17. DHCPv6
     • Controlled by the Router Advertisement
       ‒ Managed Address flag – get the address from DHCPv6
       ‒ Other Stateful Config flag
         • Generate the address using SLAAC
         • Get other configuration from DHCP
     • Similar to DHCP in IPv4
     • Multicast for DHCP
       ‒ ff02::1:2 – all DHCP relay agents and servers (link-local scope)
       ‒ ff05::1:3 – all DHCP servers (site-local scope)
     • Implications
       ‒ Managed IPv6 addresses
       ‒ Potential point of failure
  18. IPv6 Issues
  19. Implementation Issues
     • Two address scopes
     • Packet size issues
     • DNS
     • Global routing
  20. Two Address Scopes
     • Every interface on a node has at least 2 addresses
       ‒ Link-local (fe80::)
       ‒ Unicast
     • Data uses the unicast address
       ‒ Just like an IPv4 address
     • Network administrative protocols may use link-local
       ‒ NDP
       ‒ DHCP
       ‒ Sometimes other ICMPv6
  21. What’s Going On Here?
     How many data frames are there? What protocol?
       3 data frames: 1, 6, 10. HTTP.
     What’s going on in packets 2-3? 4-5? 8-9?
       NDP for 2001:db8:2::4, ::253, and ::253 again
  22. Tracking What’s Going On
     Use Horizontal Split to show Nodes on the left, Packets on the right
  23. Packet Size
     • Minimum MTU raised from 576 to 1280
       ‒ Not a problem for anything modern
     • Longer header, less room for data
       ‒ IPv6 header 20+ bytes longer than IP
       ‒ TCP MSS reduced by 20 bytes
       ‒ Some applications may be hard-coded to 1460
     • No router fragmentation allowed in IPv6
       ‒ Node must fragment its own datagrams
     • Overhead in transit = oversized packet
       ‒ MPLS and similar OK: internal to the network, use Jumbo frames
       ‒ IPsec across the Internet: no Jumbos allowed
       ‒ Oversized packets will be discarded
  24. Packet Size – How to fix
     • Path MTU Discovery
       ‒ Inline during transmission
     • MTU violation reported by ICMPv6
       ‒ “Packet Too Big” from the router, e.g. VPN ingress
     • ICMPv6 MUST be allowed
       ‒ ICMP in IPv4 is sometimes blocked for security reasons
       ‒ Blocking ICMPv6 will cause black holes in IPv6
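An added example, not part of the webinar or of any WildPackets code, covering slides 23 and 24: it builds and validates the ICMPv6 “Packet Too Big” message that Path MTU Discovery depends on, and computes the MSS arithmetic behind the 1460-versus-1440 point. It assumes the RFC 4443 message layout (type 2, code 0, a 32-bit MTU, then as much of the offending packet as fits in the 1280-byte minimum MTU) and the RFC 8200 pseudo-header checksum; the addresses and the 1500-byte offending packet are constructed sample data.

```python
import ipaddress
import struct

ICMPV6_PACKET_TOO_BIG = 2
IPV6_MIN_MTU = 1280
NEXT_HEADER_ICMPV6 = 58


def icmpv6_checksum(src, dst, message):
    """One's-complement checksum over the IPv6 pseudo-header (src, dst, length, next header) plus the message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(message), NEXT_HEADER_ICMPV6))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet_too_big(src, dst, mtu, offending_packet):
    """What a router emits when it cannot forward a datagram: type 2, code 0, the next-hop MTU,
    then as much of the offending packet as fits inside the minimum MTU (1280 - 40 - 8 bytes)."""
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + offending_packet[:IPV6_MIN_MTU - 48]
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def parse_packet_too_big(src, dst, message):
    """Return the reported MTU, or None if the message is some other ICMPv6 type.
    Raises ValueError when the checksum fails or the MTU is below the IPv6 minimum,
    a value no real link produces and a sender should not honour."""
    if len(message) < 8:
        raise ValueError("truncated ICMPv6 message")
    msg_type, code, csum, mtu = struct.unpack("!BBHI", message[:8])
    if msg_type != ICMPV6_PACKET_TOO_BIG:
        return None
    if icmpv6_checksum(src, dst, message[:2] + b"\x00\x00" + message[4:]) != csum:
        raise ValueError("ICMPv6 checksum mismatch")
    if mtu < IPV6_MIN_MTU:
        raise ValueError(f"reported MTU {mtu} is below the IPv6 minimum of {IPV6_MIN_MTU}")
    return mtu


def is_valid_packet_too_big(src, dst, message):
    """True only for a well-formed Packet Too Big with a plausible MTU."""
    try:
        return parse_packet_too_big(src, dst, message) is not None
    except ValueError:
        return False


def max_tcp_payload(path_mtu, ipv6=True):
    """Largest TCP payload per segment at a path MTU: minus the 40-byte IPv6 (20-byte IPv4) header and 20-byte TCP header."""
    return path_mtu - (40 if ipv6 else 20) - 20


# Constructed sample: a router reports a 1400-byte next hop for a 1500-byte packet between two 2001:db8:: hosts.
SRC = "2001:db8::1"
DST = "2001:db8::2"
OFFENDING = bytes.fromhex("60000000") + bytes(1496)
SAMPLE_PTB = build_packet_too_big(SRC, DST, 1400, OFFENDING)

if __name__ == "__main__":
    print("reported MTU:", parse_packet_too_big(SRC, DST, SAMPLE_PTB))
    print("MSS at 1500 on IPv4/IPv6:", max_tcp_payload(1500, ipv6=False), max_tcp_payload(1500))
    print("MSS at the 1280 minimum:", max_tcp_payload(1280))
```

If a firewall drops type 2 messages, `parse_packet_too_big()` never runs on the sender, the sender keeps emitting 1500-byte datagrams, and the router keeps discarding them: that is the black hole slide 24 warns about, and the reason an IPv6 ruleset has to permit ICMPv6 Packet Too Big even where IPv4 ICMP is filtered.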
  25. DNS
     • Same protocol, new record type: AAAA
       ‒ Can resolve IPv6 addresses over IPv4
       ‒ Default behavior on Windows: DNS over IPv4, even for AAAA
     • Host-driven choice:
       ‒ Explicit resolution of IPv4 A or IPv6 AAAA
       ‒ Multiple packets each way
     • Server-driven choice:
       ‒ Single generic query from the client
       ‒ DNS responses vary by implementation
       ‒ Google does a reverse lookup on the client
       ‒ Many DNS servers return both A and AAAA
     • Single query, dual response most common
  26. Routing
     • BGP tables are huge on IPv4; what about IPv6?
     • Solution: aggregation via allocation
       ‒ Fully hierarchical
         • IANA (global) → RIR (regional) → LIR (local)
         • LIR can be an ISP, university, large company, etc.
         • Allows much better aggregation
       ‒ Special allocation for small multihomed blocks
         • 2001:678::/29
         • Minimum allocation /48
     • Hardware-based forwarding
       ‒ Anecdotal evidence that IPv6 is slow on current equipment
       ‒ Future devices will be optimized for IPv6, not IPv4
       ‒ IPv6: no checksum, no router fragmentation → faster routing
  27. Interoperability Issues
     • Network versus Application
     • 6-4 fallback
  28. Network versus Application
     • Different protocols
       ‒ IPv4 and IPv6 don’t interact on the wire
       ‒ Lots of transition mechanisms
         • Unclear whether they will ever be used
     • Applications may have issues
       ‒ Socket-level APIs “should” be compatible
       ‒ Greatest challenges:
         • Legacy applications
         • Custom / homegrown applications
     • Solution: keep using IPv4 for incompatible apps
       ‒ Enabling IPv6 doesn’t disable IPv4
  29. 6-4 Fallback
     • Most visible IPv6 issue when using the Web!
     • Primary issue: 6 or 4?
       ‒ DNS AAAA or A record?
       ‒ Old method: try IPv6 first, wait for timeout
         • Windows: 20s. MacOS: 75s. Linux: 75-180s.
     • Impact on the Web
       ‒ Web pages cross-link locations (average of 8 sites/page!)
       ‒ Will IPv6 pages contain IPv4 content?
         • Pages already load slowly; add MULTIPLE 20s+ delays…
     • Great research
       ‒ Geoff Huston at APNIC, “Bemused Eyeballs”
       ‒ Prior research from NTT, presented at NANOG39, 2007
  30. 6-4 Fallback Solution
     • “Happy Eyeballs” – dual stack, fastest first
       ‒ Proposed by Dan Wing, Andrew Yourtchenko at Cisco
       ‒ Resolve both IPv4 and IPv6 addresses
       ‒ TCP SYN connect to both at once
       ‒ Use the first to connect, RST the other socket
     • Solution: switch browsers!
       ‒ Chrome: 300ms (aggressive IPv6 timeout)
       ‒ Firefox: instant (Happy Eyeballs)
       ‒ Safari on MacOS: 270ms (aggressive RTT-based timer)
     • Potential work-arounds on enterprise networks
       ‒ Local DNS server tweaks – but probably insufficient
       ‒ Gateway proxy – but maybe not fast enough
  31. Security Issues
     • Addresses
     • Enforcement
  32. IPv6 Address Security Issues
     • All routable addresses are global
       ‒ Can we feel safe without NAT?
       ‒ Remember: NAT is a security placebo (with side-effects)
     • Address spacing
       ‒ 64 bits dedicated to the host = 18 x 10^18 nodes per network
         • “Impossible” to scan that range; can nodes “hide”?
       ‒ Enterprise network management
         • Cross-layer view: MAC, IP/IPv6, name, etc.
         • Even “stealth” hosts must use switches
     • Secure Neighbor Discovery (SEND)
       ‒ Uses public/private keys to validate ND (“ARPv6”)
       ‒ Doesn’t need PKI, but there is no standard method to list public keys
  33. IPv6 Security Enforcement Issues
     • DPI / layer 7 application security scanning
       ‒ IPv6 header different from IPv4
       ‒ IPv6 header longer than IPv4
         • Changes the offset for upper layers
         • Biggest impact on hardware-based devices
       ‒ Transition and interoperability issues
         • Multiple different tunnel standards
         • Multiple different translation standards
     • Teredo – IPv6 over IPv4 with NAT traversal
       ‒ Node gets an IPv6 address directly on the Internet
       ‒ Bypasses network firewall controls
     • There have already been IPv6 DoS attacks
  34. Company Overview
  35. Corporate Background
     • Experts in network monitoring, analysis, and troubleshooting
       ‒ Founded: 1990 / Headquarters: Walnut Creek, CA
       ‒ Offices throughout the US, EMEA, and APAC
     • Our customers are leading-edge organizations
       ‒ Mid-market and enterprise lines of business
       ‒ Financial, manufacturing, ISPs, major federal agencies, state and local governments, and universities
       ‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000
     • Award-winning solutions that improve network performance
       ‒ Internet Telephony, Network Magazine, Network Computing Awards
       ‒ United States Patent 5,787,253 issued July 28, 1998
         • Different approach to maintaining availability of network services
  36. Real-World Deployments
     Education, Financial, Government, Health Care / Retail, Telecom, Technology
  37. Product Line Overview
  38. Product Line Overview
     • OmniPeek/Compass – Enterprise Packet Capture, Decode and Analysis
       ‒ 10/100/1000 Ethernet, Wireless, WAN, 10G
       ‒ Portable capture and OmniEngine console
       ‒ VoIP analysis and call playback
     • Omnipliance / TimeLine – Distributed Enterprise Network Forensics
       ‒ Packet capture and real-time analysis
       ‒ Stream-to-disk for forensics analysis
       ‒ Integrated OmniAdapter network analysis cards
     • WatchPoint – Centralized Enterprise Network Monitoring Appliance
       ‒ Aggregation and graphical display of network data
       ‒ WildPackets OmniEngines
       ‒ NetFlow and sFlow
  39. OmniPeek Network Analyzer
     • OmniEngine Manager
       – Connect and configure distributed OmniEngines/Omnipliances
     • Comprehensive dashboards present network traffic in real time
       – Vital statistics and graphs display trends on network and application performance
       – Visual peer-map shows conversations and protocols
       – Intuitive drill-down for root-cause analysis of performance bottlenecks
     • Visual Expert diagnosis speeds problem resolution
       – Packet and Payload visualizers provide business-centric views
     • Automated analytics and problem detection 24/7
       – Easily create filters, triggers, scripting, advanced alarms and alerts
  40. Omnipliance Network Recorders
     • Captures and analyzes all network traffic 24x7
       – Runs our OmniEngine software probe
       – Generates vital statistics on network and application performance
       – Intuitive root-cause analysis of performance bottlenecks
     • Expert analysis speeds problem resolution
       – Fault analysis, statistical analysis, and independent notification
     • Multiple Issue Digital Forensics
       – Real-time and post-capture data mining for compliance and troubleshooting
     • Intelligent data transport
       – Network data analyzed locally
       – Detailed analysis passed to OmniPeek on demand
       – Summary statistics sent to WatchPoint for long-term trending and reporting
       – Efficient use of network bandwidth
     • User-Extensible Platform
       – Plug-in architecture and SDK
  41. Omnipliance Network Recorders
     Price/performance solutions for every application
     • Portable – Ruggedized Troubleshooting
       – Aluminum chassis / 17” LCD
       – Quad-Core Xeon 2.5GHz
       – 4GB RAM
       – 2 PCI-E Slots
       – 2 Built-in Ethernet Ports
       – 500GB and 2.5TB SATA storage capacity
     • Edge – Small Networks, Remote Offices
       – 1U rack mountable chassis
       – Quad-Core Intel Xeon X3460 2.80GHz
       – 4GB RAM
       – 2 PCI-E Slots
       – 2 Built-in Ethernet Ports
       – 1TB SATA storage capacity
     • Core – Datacenter Workhorse, Easily Expandable
       – 3U rack mountable chassis
       – Two Quad-Core Intel Xeon E5530 2.4GHz
       – 6GB RAM
       – 4 PCI-E Slots
       – 2 Built-in Ethernet Ports
       – 2TB SATA storage capacity
  42. TimeLine
     • Fastest network recording and real-time statistical display — simultaneously
       ‒ 11.7Gbps sustained capture with zero packet loss
       ‒ Network statistics display in TimeLine visualization format
     • Rapid, intuitive forensics search and retrieval
       ‒ Historical network traffic analysis and quick data rewinding
       ‒ Several pre-defined forensics search templates make searches easy and fast
     • A natural extension to the WildPackets product line
     • Turnkey bundled solution
       ‒ Appliance + OmniEngine, OmniAdapter, OmniPeek Connect
  43. TimeLine
     For the most demanding network analysis tasks
     • TimeLine 10g Network Forensics
       – 3U rack mountable chassis
       – Two Quad-Core Intel Xeon 5560 2.8GHz
       – 18GB RAM
       – 4 PCI-E Slots
       – 2 Built-in Ethernet Ports
       – 8/16/32TB SATA storage capacity
  44. WatchPoint
     Centralized Monitoring for Distributed Enterprise Networks
     • High-level, aggregated view of all network segments
       – Monitor per campus, per region, per country
     • Wide range of network data
       – NetFlow, sFlow, OmniFlow
     • Web-based, customizable network dashboards
     • Flexible detailed reports
     • Omnipliances must be configured for continuous capture
  45. WildPackets Key Differentiators
     • Visual Expert Intelligence with Intuitive Drill-down
       – Let the computer do the hard work and return results, real-time
       – Packet / Payload Visualizers are faster than packet-per-packet diagnostics
       – Experts and analytics can be memorized and automated
     • Automated Capture Analytics
       – Filters, triggers, scripting and advanced alarming system combine to provide automated network problem detection 24x7
     • Multiple Issue Network Forensics
       – Can be tracked by one or more people simultaneously
       – Real-time or post capture
     • User-Extensible Platform
       – Plug-in architecture and SDK
     • Aggregated Network Views and Reporting
       – NetFlow, sFlow, and OmniFlow
  46. Q&A
     Show us your tweets! Use today’s webinar hashtag #wp_ipv6 with any questions, comments, or feedback.
     Follow us on SlideShare! Check out today’s slides on SlideShare: www.slideshare.net/wildpackets
     Follow us @wildpackets
  47. Thank You!
     WildPackets, Inc.
     1340 Treat Boulevard, Suite 500
     Walnut Creek, CA 94597
     (925) 937-3200
     www.wildpackets.com
