Report from IETF 89 in London - DNS, DHCP and IPv6

The IETF (Internet Engineering Task Force), the body that develops new Internet standards, met in London in March 2014.

In this webinar, Carsten Strotmann from the Men & Mice Services team reports fresh from the IETF meeting. This session distills interesting developments from the DNS, DHCP and IPv6 working groups.

What can be expected:

DNS

- DNS transport encryption
- Special Names in DNS
- Simplifying DNSSEC key trust anchor exchange between child and parent
- EDNS option updates
- Passive DNS
- DNSSEC Validator Requirements
- DNS cookies

DNSSEC/DANE

- Using DANE to Associate OpenPGP public keys with email addresses
- IPsec and DNSSEC/DANE
- DANE Security for MX and SRV records
- DANE and SMTP

IPv6

- Reducing Multicast in IPv6 Neighbor Discovery
- IPv6 Operational Guidelines for Data centers
- Recommendations of Using Unique Local Addresses
- DHCPv6/SLAAC Interaction Operational Guidance
- Sunsetting IPv4

DHCP

- DHCPv6 Load Balancing and Failover
- DHCP stateless reconfiguration
- Dynamic Allocation of Shared IPv4 Addresses
- Customizing DHCP Configuration on the Basis of Network Topology


Report from IETF 89 in London - DNS, DHCP and IPv6

  1. © Men & Mice  http://menandmice.com
     IETF 89 Review
     12. March 2014
     Monday 17 March 14
  2. IETF
     • The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. The IETF Mission Statement is documented in RFC 3935.
     • http://www.ietf.org/about/
  3. Agenda
     • IETF 89 in London
     • DNS
     • DNSSEC / DANE
     • DHCP
     • IPv6
     • the following information is an excerpt of the IETF working group activities
     • for a full overview of all activities at IETF 89, see https://datatracker.ietf.org/meeting/89/materials.html
  4. DNS
  5. Published new RFCs since last IETF
     RFC 6950  Architectural Considerations on Application Features in the DNS   (Informational)
     RFC 7043  Resource Records for EUI-48 and EUI-64 Addresses in the DNS        (Informational)
     RFC 7050  Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis        (Standards Track)
     RFC 7129  Authenticated Denial of Existence in the DNS                        (Informational)
  6. DNSE BoF
     • Confidentiality and Privacy in DNS
     • DNS traffic reveals a lot of information about a user
     • IETF has a plan to harden all Internet protocols against pervasive monitoring
     • DNS is no exception
  7. DNSE BoF
     • the problem statement has been presented and discussed
     • some proposed solutions have been presented
       - DTLS (TLS for UDP, RFC 6347)
       - DNScrypt/DNScurve
       - CGA-TSIG
       - Confidential DNS
       - t-DNS (StartTLS for TCP DNS)
     • discussion continues on the mailing lists (DNSOP) about possible solutions and their operational impact
  8. DNSOP
     • Revived documents:
     • Initializing a DNS Resolver with Priming Queries (draft-ietf-dnsop-resolver-priming)
       - the initial queries a DNS resolver is supposed to emit to initialize its cache with a current NS RRSet for the root zone as well as the necessary address information
       - the "root-hints" file and how DNS caching servers use it
       - how long-running DNS servers update the root-hint information
  9. DNSOP
     • Revived documents:
     • DNSSEC Key Timing Considerations (draft-ietf-dnsop-dnssec-key-timing)
       - explains the relationships between the parameters used in a DNSSEC key rollover
       - important for implementers of DNSSEC key-rollover automation software
       - and for DNS administrators that plan manual DNSSEC key rollovers
  10. Special Names
     • RFC 6761 "Special-Use Domain Names" defines a registry of domain names that are "special-use" domain names
     • ".local" for multicast-DNS and local service discovery
  11. Special Names
     • "Special-Use Domain Names of Peer-to-Peer Systems" (draft-grothoff-iesg-special-use-p2p-names)
       - proposes to add new names to the special-names registry: ".gnu", ".zkey", ".onion", ".exit", ".i2p", and ".bit"
       - TOR, GNUnet, i2p, Namecoin
  12. Special Names
     • "The ALT Special Use Top Level Domain" (draft-wkumari-dnsop-alt-tld-00)
     • proposes a single ".ALT" (alternate) TLD for special names
     • this TLD can be "blacklisted" in DNS caching server software to prevent leakage of these names into the "normal" Internet DNS (Root-Name Server System)
  13. DNS cookies
     • Domain Name System (DNS) Cookies (draft-eastlake-dnsext-cookies)
     • DNS cookies are intended to provide significant but limited protection against certain attacks by off-path attackers.
     • These attacks include denial-of-service, cache poisoning and answer forgery.
     • cookies are some random data identifying a DNS server, sent inside the EDNS0 "OPT" record
  14. DNS cookies (diagram)
     • a caching/resolving DNS server asks an authoritative DNS server "www.example.com IN A?"; an attacker sits off-path
  15. DNS cookies (diagram)
     • the query "www.example.com IN A?" is sent with a resolver cookie in the OPT record
     • the authoritative DNS server stores the resolver cookie
  16. DNS cookies (diagram)
     • the authoritative server answers "www.example.com IN A 192.0.2.1" with its server cookie in the OPT record
     • the caching DNS server stores the auth-server cookie
  17. DNS cookies (diagram)
     • the caching server returns "www.example.com IN A 192.0.2.1" to the original client
  18. DNS cookies (diagram)
     • a later query "www.example.com IN AAAA?" carries the resolver cookie in OPT; the authoritative server already has the resolver cookie
     • the answer "www.example.com IN AAAA 2001:db8::1" is returned; the caching server already has the server cookie
     • attacker sends forged DNS data
  20. DNS cookies
     • a prototype of DNS cookies (Source Identity Token) has been implemented in BIND 9.10
       - not the same, but similar to the IETF draft
     • Beta 1 of BIND 9.10 is now available
     • as there is no RFC standard, it uses an experimental private EDNS0 OPT option code (65001)
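The exchange of slides 14-18 as an added example (not code from the slides, from BIND 9.10 or from draft-eastlake-dnsext-cookies): a simplified model in which the resolver derives a per-server client cookie from a local secret, the authoritative server answers with an HMAC-based server cookie, and each side checks the cookie it expects, so a forged reply from an off-path attacker who never saw the cookies fails the check. Cookie sizes, the HMAC construction and the IP addresses are assumptions of the model, not the draft's wire format.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class DnsMessage:
    qname: str
    qtype: str
    answer: Optional[str] = None
    client_cookie: Optional[bytes] = None  # 8 bytes chosen by the resolver, carried in OPT
    server_cookie: Optional[bytes] = None  # 16 bytes chosen by the auth server, carried in OPT

class AuthServer:
    def __init__(self, secret: bytes, zone: Dict[Tuple[str, str], str]) -> None:
        self.secret, self.zone = secret, zone

    def server_cookie(self, client_cookie: bytes, client_ip: str) -> bytes:
        # Bound to the resolver's cookie and address; only this server can mint it (model assumption).
        data = client_cookie + client_ip.encode()
        return hmac.new(self.secret, data, hashlib.sha256).digest()[:16]

    def has_valid_server_cookie(self, q: DnsMessage, client_ip: str) -> bool:
        """Lets the server give cookie-less or forged queries less trust."""
        if q.client_cookie is None or q.server_cookie is None:
            return False
        return hmac.compare_digest(q.server_cookie, self.server_cookie(q.client_cookie, client_ip))

    def respond(self, q: DnsMessage, client_ip: str) -> DnsMessage:
        r = DnsMessage(q.qname, q.qtype, self.zone.get((q.qname, q.qtype)))
        if q.client_cookie is not None:  # echo the resolver cookie and add ours (slide 16)
            r.client_cookie = q.client_cookie
            r.server_cookie = self.server_cookie(q.client_cookie, client_ip)
        return r

class Resolver:
    def __init__(self, ip: str) -> None:
        self.ip, self.secret = ip, secrets.token_bytes(16)
        self.server_cookies: Dict[str, bytes] = {}  # learned per auth server (slide 16)

    def client_cookie(self, server_ip: str) -> bytes:
        # Per-server cookie from a local secret; an off-path attacker never sees it.
        return hmac.new(self.secret, server_ip.encode(), hashlib.sha256).digest()[:8]

    def build_query(self, server_ip: str, qname: str, qtype: str) -> DnsMessage:
        return DnsMessage(qname, qtype, client_cookie=self.client_cookie(server_ip),
                          server_cookie=self.server_cookies.get(server_ip))

    def accept(self, server_ip: str, reply: DnsMessage) -> bool:
        """A reply passes only if it echoes this resolver's own cookie for that server."""
        mine = self.client_cookie(server_ip)
        if reply.client_cookie is None or not hmac.compare_digest(reply.client_cookie, mine):
            return False
        if reply.server_cookie is not None:
            self.server_cookies[server_ip] = reply.server_cookie
        return True

def demo() -> Dict[str, bool]:
    """Replay the exchange of slides 14-18 and return the outcome of each cookie check."""
    zone = {("www.example.com", "A"): "192.0.2.1", ("www.example.com", "AAAA"): "2001:db8::1"}
    auth, auth_ip = AuthServer(secrets.token_bytes(32), zone), "198.51.100.53"  # constructed IPs
    resolver, out = Resolver("203.0.113.10"), {}
    q1 = resolver.build_query(auth_ip, "www.example.com", "A")          # slide 15
    out["genuine A reply accepted"] = resolver.accept(auth_ip, auth.respond(q1, resolver.ip))
    q2 = resolver.build_query(auth_ip, "www.example.com", "AAAA")       # slide 18
    out["second query has valid server cookie"] = auth.has_valid_server_cookie(q2, resolver.ip)
    out["genuine AAAA reply accepted"] = resolver.accept(auth_ip, auth.respond(q2, resolver.ip))
    # Off-path attacker (slide 18) saw neither cookie: forge without one, then guess one
    forged = DnsMessage("www.example.com", "AAAA", "2001:db8::bad")
    out["forged reply without cookie accepted"] = resolver.accept(auth_ip, forged)
    forged.client_cookie = secrets.token_bytes(8)
    out["forged reply with guessed cookie accepted"] = resolver.accept(auth_ip, forged)
    return out
```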
  21. getdnsapi
     • NLnetLabs, Verisign and No Mountain Software released a new client DNS resolver library under an open source BSD license
     • based on an original specification from Paul Hoffman (vpnc.org)
     • Download and information: https://getdnsapi.net
     • Support for DNSSEC, DANE (TLSA), new record types, SRV record handling
  22. getdnsapi
     • Platforms as of IETF 89: RHEL/CentOS, MacOS
     • Soon to be available: FreeBSD, iOS (now rough but usable)
     • In view: Windows, Android
  23. getdnsapi
     • Language bindings: Python, Objective-C, Java, JavaScript (NodeJS)
  24. DANE
  25. Published new RFCs since last IETF
     No DANE related RFC documents have been published since the last IETF
  26. DANE
     • DANE utilizes DNSSEC to provide opportunistic (without manual configuration) encryption with or without Certification Authorities (CAs)
     • there is much interest in the DANE work from other IETF working groups and application developers
  27. DANE in Web-Browsers
     • RFC 6698 - The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
     • Plugin for Firefox, Opera, Chrome and Internet Explorer available: https://www.dnssec-validator.cz/
     • Internet sites start using TLSA, for example https://packages.debian.org
  28. SMTP TLSA in Postfix
     • using TLS (Transport Layer Security, formerly known as SSL) with SMTP (E-Mail delivery) has many issues
     • certificate validation is not mandatory (and often not possible)
     • plaintext is the default, TLS is optional
       - a "Man in the Middle" attacker can force plain-text connections through a downgrade attack (remove the "STARTTLS" command from the conversation)
  29. SMTP TLSA
     • DANE specifies the use of the TLSA resource record for SMTP
     • can make TLS connections mandatory between servers that support TLS
     • the TLSA resource record holds a hash of the server certificate

       shell> dig mx tidelock.de +short
       10 ns3.tidelock.de.
       shell> dig _25._tcp.ns3.tidelock.de. tlsa +short
       3 0 1 76AD75E4F300C2BACBDC9363A337A533F3B3C15CAAFED4E0010D5DD3 52B83935
  30. TLSA in Postfix
     • the Postfix Mail-Server 2.11 implements DANE TLSA for SMTP
       - Viktor Dukhovni from the Postfix team presented on the challenges of implementing TLSA checking in applications
       - DANE implementation in software can be very complicated (easy to get wrong)
       - should be handled by a toolkit (OpenSSL, GnuTLS, NSS ...)
     • Postfix author Wietse Venema presented the Postfix TLSA implementation during FOSDEM 2014 (1 February 2014)
  31. more DANE work
     • DANE for SIP (VoIP)
     • DANE for SRV records (for Jabber/XMPP and other protocols using SRV records)
       - as of March 2014, 58 Jabber servers already use DANE and DNSSEC (https://xmpp.net/reports.php#dnssecdane)
  32. more DANE work
     • OpenPGP keys in DNS
       - today, OpenPGP keys are stored in central "key-servers", such as hks://pgp.mit.edu
       - "Using DANE to Associate OpenPGP public keys with email addresses" (draft-wouters-dane-openpgp) proposes to store OpenPGP keys in DNS (DNSSEC secured)
  33. more DANE work
     • OpenPGP keys in DNS
       - the owner-name of the OPENPGPKEY record is the SHA224 hash of the user portion of an E-Mail address
       - the user part of an E-Mail address can contain characters illegal in DNS names
       - Example (for paul@nohats.ca):

       shell> echo -n "paul" | openssl dgst -sha224
       ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66        (SHA224 hash of the username)
  34. more DANE work
     • OpenPGP keys in DNS
       - Example (for paul@nohats.ca):

       shell> dig -t TYPE65280 ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66._openpgpkey.nohats.ca +m
       ; <<>> DiG 9.9.4-P2 <<>> -t TYPE65280 ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66._openpgpkey.nohats.ca +m
       ;; global options: +cmd
       ;; Got answer:
       ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24851
       ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
       ;; OPT PSEUDOSECTION:
       ; EDNS: version: 0, flags:; udp: 4096
       ;; QUESTION SECTION:
       ;ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66._openpgpkey.nohats.ca. IN TYPE65280
       ;; ANSWER SECTION:
       ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66._openpgpkey.nohats.ca. 2822 IN TYPE65280 # 2527 (
               99010D033F7B0C3D00000107FF686BB69E18ACD31C38
               0005F186CCF2BC9697CB87FDD4C5CD5DA994CB7E0958
               7B57910637B89C9BC9FE697509798FA9BDFB638978F4
               92F10999C3A595F6EF1BEE01BACE1C9F636D33B632D2
               [...]
               4356D7E7E6DF1AAF09075505380D20C3164276 )
       ;; Query time: 6 msec
       ;; SERVER: 127.0.0.1#53(127.0.0.1)
       ;; WHEN: Tue Mar 11 17:22:21 CET 2014
       ;; MSG SIZE rcvd: 2646

       Annotations on the slide: "OpenPGP Key (Base64)" on the record data, "DNSSEC secured", and "private record type for experimental new protocols" on TYPE65280.
  35. more DANE work
     • OpenPGP keys in DNS
       - "milter" plugin for postfix and sendmail: https://github.com/letoams/openpgpkey-milter/
       - "hash-slinger" tool to create and verify "openpgpkey" records: https://github.com/letoams/hash-slinger
       - also available in Fedora Linux:

       shell> yum install hash-slinger
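An added example (not the slides' own code, hash-slinger or Postfix) of the DANE naming and matching rules used on slides 29 and 33: computing the OPENPGPKEY owner name and the TLSA owner name shown there, parsing the TLSA record from the dig output, and checking a certificate against a TLSA association. The usage/selector/matching-type semantics follow RFC 6698; CERT_DER and SPKI_DER are constructed byte strings standing in for a real certificate.

```python
import hashlib
from typing import Dict, NamedTuple

def openpgpkey_owner_name(email: str) -> str:
    """Owner name of the OPENPGPKEY record: SHA224 of the user part under _openpgpkey.<domain>."""
    user, domain = email.rsplit("@", 1)
    return hashlib.sha224(user.encode("utf-8")).hexdigest() + "._openpgpkey." + domain

def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA record for a service, e.g. _25._tcp.<mx host>."""
    return f"_{port}._{proto}.{host.rstrip('.')}"

class TlsaRecord(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

def parse_tlsa_presentation(text: str) -> TlsaRecord:
    """Parse dig's presentation format ('3 0 1 76AD...'); the hex may be split by spaces."""
    fields = text.split()
    usage, selector, matching = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    if (matching == 1 and len(data) != 32) or (matching == 2 and len(data) != 64):
        raise ValueError("association data length does not fit the matching type")
    return TlsaRecord(usage, selector, matching, data)

def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented end-entity certificate match this TLSA association?"""
    if record.selector == 0:
        selected = cert_der
    elif record.selector == 1:
        selected = spki_der
    else:
        return False                      # unknown selector: unusable record
    if record.matching == 0:
        return selected == record.data
    if record.matching == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False                          # unknown matching type: unusable record

# Constructed stand-ins for a server certificate (DER) and its SubjectPublicKeyInfo
CERT_DER = b"\x30\x82\x01\x2a" + b"constructed certificate body for a mail server" * 4
SPKI_DER = b"\x30\x59\x30\x13" + b"constructed subject public key info" * 2

def demo() -> Dict[str, object]:
    """Names from the slides plus TLSA checks against the constructed certificate."""
    good = TlsaRecord(3, 0, 1, hashlib.sha256(CERT_DER).digest())
    stale = hashlib.sha256(CERT_DER + b"x").digest()  # certificate changed, record not updated
    return {
        "openpgpkey owner": openpgpkey_owner_name("paul@nohats.ca"),
        "tlsa owner": tlsa_owner_name("ns3.tidelock.de", 25),
        "slide record": parse_tlsa_presentation(
            "3 0 1 76AD75E4F300C2BACBDC9363A337A533F3B3C15CAAFED4E0010D5DD3 52B83935"),
        "matches current cert": tlsa_matches(good, CERT_DER, SPKI_DER),
        "matches after cert change": tlsa_matches(TlsaRecord(3, 0, 1, stale), CERT_DER, SPKI_DER),
        "spki record matches": tlsa_matches(
            TlsaRecord(3, 1, 1, hashlib.sha256(SPKI_DER).digest()), CERT_DER, SPKI_DER),
        "unknown matching type": tlsa_matches(TlsaRecord(3, 0, 9, b""), CERT_DER, SPKI_DER),
    }
```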
  36. IPSEC in DNS
     • opportunistic (automatic and authenticated) IPSec VPN tunnel between client and server
     • the client looks up the server public key in DNS

       shell> dig ipseckey nohats.ca +m
       ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31467
       ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
       ;; QUESTION SECTION:
       ;nohats.ca. IN IPSECKEY
       ;; ANSWER SECTION:
       nohats.ca. 3591 IN IPSECKEY ( 10 0 2 .
               AQPl2UGDJvDff4BiJWFZoSuYrerisFXZdD6M+QPDtpuH
               i4rNmW+jqNGzF7k4orsggHyaglXSN2llTb0dTCwBamX8
               [...]
               dVbEHKz2sWdESIA2YNVqtPirkdYA0MeyO8SwYgMvlmg3
               E8JcNBbcndEZidrlfINzFs2GmugvNHHHX6a7CPACNU0o
               E2mzXeDY3FUW2F2XvERTnQPpU9zl )
       ;; AUTHORITY SECTION:
       [....]
       ;; ADDITIONAL SECTION:
       [....]
       ;; Query time: 1 msec
       ;; SERVER: 127.0.0.1#53(127.0.0.1)
       ;; WHEN: Tue Mar 11 17:41:17 CET 2014
       ;; MSG SIZE rcvd: 590
  37. IPSEC Keys in DNS
     • implemented in "libreswan" (Linux): https://github.com/libreswan
     • the IPSECKEY record type is specified in RFC 4025 "A Method for Storing IPsec Keying Material in DNS"
     • IPSECKEYs for IP-address initiated connections can be stored in reverse (in-addr.arpa and ip6.arpa) zones
  38. dbounds BoF
     • dbounds = Domain Boundaries
     • browsers and other software (e.g. DMARC) rely on knowledge of administrative delegation boundaries in DNS
     • the public-suffix list provides this information: http://www.publicsuffix.org/
  39. dbounds BoF
     • Example from the public suffix list:

       *.uk
       *.sch.uk
       !bl.uk
       !british-library.uk
       !mod.uk
       !national-library-scotland.uk
       !nic.uk
       !parliament.uk
       ...

     • Discussion in the BoF: is DNS better suited to hold this information than a plain list?
       - the plain list needs to "guess" administrative boundaries, whereas domain owners can specify these boundaries in their DNS zone
       - no decisions so far, discussion will continue on the mailing-list(s)
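To show what the plain list on slide 39 encodes and how software such as DMARC applies it, here is an added example (not code from the BoF or from publicsuffix.org) implementing the list's matching rules over a constructed excerpt: the `*.uk` wildcard, its `!` exception rules and a plain `com` entry standing in for the rest of the list. It returns the public suffix and the registrable domain, which is exactly the boundary the list has to "guess".

```python
from typing import List, Optional

# Constructed excerpt in the list's own syntax: plain rules, wildcard rules and
# exception rules, including the uk entries quoted on slide 39.
RULES = ["com", "*.uk", "*.sch.uk", "!bl.uk", "!british-library.uk", "!mod.uk",
         "!national-library-scotland.uk", "!nic.uk", "!parliament.uk"]

def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")

def rule_matches(rule: str, labels: List[str]) -> bool:
    """A rule matches when its labels equal the domain's rightmost labels; '*' matches any one label."""
    rule_labels = _labels(rule.lstrip("!"))
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == d for r, d in zip(reversed(rule_labels), reversed(labels)))

def public_suffix(domain: str, rules: List[str] = RULES) -> str:
    """Algorithm published with the list: an exception rule wins, else the longest match, else '*'."""
    labels = _labels(domain)
    matches = [r for r in rules if rule_matches(r, labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        # the exception's public suffix is the rule with its leftmost label removed
        count = len(_labels(exceptions[0])) - 1
    elif matches:
        count = max(len(_labels(r)) for r in matches)
    else:
        count = 1                                  # implicit "*" rule: the TLD alone
    return ".".join(labels[-count:])

def registrable_domain(domain: str, rules: List[str] = RULES) -> Optional[str]:
    """Public suffix plus one label; None when the name is itself a public suffix."""
    labels = _labels(domain)
    count = len(_labels(public_suffix(domain, rules)))
    if len(labels) <= count:
        return None
    return ".".join(labels[-(count + 1):])
```

Under these rules `co.uk` is a public suffix with no registrable domain, while `bl.uk` is itself a registrable domain because the exception rule overrides `*.uk`.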
  40. DHCP
  41. Published new RFCs since last IETF
     RFC 7031  DHCPv6 Failover Requirements                                  (Informational)
     RFC 7037  RADIUS Option for the DHCPv6 Relay Agent                      (Standards Track)
     RFC 7078  Distributing Address Selection Policy Using DHCPv6            (Standards Track)
     RFC 7083  Modification to Default Values of SOL_MAX_RT and INF_MAX_RT   (Standards Track)
  42. Customizing DHCP Configuration on the Basis of Network Topology
     • BCP document "draft-ietf-dhc-topo-conf"
     • documents how DHCP clients, DHCP relay-agents and DHCP servers interact
       - the DHCP server can select options to send to the client based on the network location of the client
       - covers both IPv4 and IPv6
  43. RFC 3315bis
     • the original DHCPv6 RFC 3315 is now over 10 years old
     • more operational experience exists in the IETF since the time the RFC was written
     • some parts of the RFC need clarification
     • merge in references and updates from other RFCs since 3315
  44. dhcpv6bis
     • Bug tracker and mailing list: http://wiki.tools.ietf.org/group/dhcpv6bis/
     • github repository with the new document: https://github.com/dhcwg/rfc3315bis
     • if you have feedback or questions on DHCPv6bis, please contribute
  45. DHCPv6 failover design
     • the DHCPv6 failover design document has been submitted to the IESG after the last IETF meeting
     • it came back and will now be split into two documents
       - failover design
       - failover protocol specification
  46. DHC Load Balancing Algorithm for DHCPv6
     • "draft-ietf-dhc-dhcpv6-load-balancing" describes a load-balancing algorithm for DHCPv6 servers, where the servers do not need to exchange information
     • this algorithm is an extension of an already defined and proven algorithm used for DHCPv4, as described in RFC 3074
  47. Registering self-generated IPv6 Addresses in DNS using DHCPv6
     • Document "draft-ietf-dhc-addr-registration"
     • clients that use self-generated IPv6 addresses (SLAAC, CGA, privacy addresses) send a request to the DHCP server to add their AAAA forward mapping and PTR reverse mapping into DNS
     • only the DHCPv6 server is required to have update permissions on the DNS server, not all clients
  48. DHCPv4 over DHCPv6 Transport
     • running two network protocols side-by-side (IPv4 and IPv6) is expensive (double work)
     • network operators try to remove IPv4 as much as possible (access networks, backbone networks, datacenter networks)
     • client machines often still require IPv4
     • draft-ietf-dhc-dhcpv4-over-dhcpv6 defines options so that DHCPv4 requests can be sent inside DHCPv6 messages
  49. DHCPv4 over DHCPv6 Transport
     • Tsinghua University has implemented DHCPv4 over DHCPv6 on top of BIND 10 1.1.0 DHCP: https://github.com/gnocuil/DHCPv4oDHCPv6
       - Side note: BIND 10 1.2.0 beta 1 has been released last week: http://ftp.isc.org/isc/bind10/1.2.0beta1/
     • "Provisioning IPv4 Configuration Over IPv6 Only Networks" (draft-ietf-dhc-v4configuration) discusses the various options available to send IPv4 configuration over IPv6-only networks
  50. Secure DHCPv6 with Public Key
     • DHCPv6 is more powerful than DHCPv4
     • for some functions, authentication and integrity checks are requested (like the server-reconfigure message to clients)
     • "draft-jiang-dhc-sedhcpv6" specifies a protocol extension to secure the DHCPv6 communication between client, relay-agent and server via public/private key pairs
     • the authority of the sender may depend on either a pre-configuration mechanism or a Public Key Infrastructure
  51. 51. ©!Men!&!Mice!!http://menandmice,com! IPv6 50Monday 17 March 14
  52. 52. ©!Men!&!Mice!!http://menandmice,com! published!new!RFCs!since!last!IETF RFC Title Category 7045 Transmission and Processing of IPv6 Extension Headers Standards Track 7048 Neighbor Unreachability Detection Is Too Impatient Standards Track 7050 Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis Standards Track 7059 A Comparison of IPv6-over-IPv4 Tunnel Mechanisms Informational 7094 Architectural Considerations of IP Anycast Informational 7136 Significance of IPv6 Interface Identifiers Standards Track 7112 Implications of Oversized IPv6 Header Chains Standards Track 7123 Security Implications of IPv6 on IPv4 Networks Informational 51Monday 17 March 14
  53. 53. ©!Men!&!Mice!!http://menandmice,com! Stable!IPv6!Interface!Identifiers •the!current!IPv6!standards!mandate!that!Interface-ID!of! Statless-Address-Auto-Configuration!(SLAAC)! addresses!are!generated!from!the!hardware-address! (MAC-Address)!of!the!Interface 2001:db8:100:0:28c:f5ff:fe05:4235 Prefix Interface-ID 52Monday 17 March 14
  54. 54. ©!Men!&!Mice!!http://menandmice,com! Stable!IPv6!Interface!Identifiers • the!draft!“Privacy!Considerations!for!IPv6!Address!Generation! Mechanisms” (draft-ietf-6man-ipv6-address-generation-privacy)!discusses!privacy! and!security!considerations!for!several!IPv6!address!generation! mechanisms • correlation!of!activities!over!time • location!tracking • address!scanning • device-specific!vulnerability!exploitation 53Monday 17 March 14
  55. 55. ©!Men!&!Mice!!http://menandmice,com! Stable!IPv6!Interface!Identifiers •The!IETF!draft!“A!Method!for!Generating!Semantically! Opaque!Interface!Identifiers!with!IPv6!Stateless! Address!Auto-Configuration!(SLAAC)” (draft-ietf-6man-stable-privacy-addresses)!describes!a! way!to!generate!Interface!IDs!for!IPv6!addresses!that! are •unique!and!stable!for!each!network •but!change!for!every!network!the!host!visits 54Monday 17 March 14
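An added example (not from the slides or the drafts' authors) contrasting the two interface identifier constructions of slides 53-55: the modified EUI-64 form, from which an observer recovers the hardware address, and a stable-privacy identifier computed as F(prefix, interface, network id, DAD counter, secret key) in the manner of draft-ietf-6man-stable-privacy-addresses. SHA-256 as F, the host secret, the network names and the MAC address (derived here from the slide's own address) are assumptions.

```python
import hashlib
import ipaddress
from typing import Dict

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 Appendix A)."""
    octets = bytes(int(o, 16) for o in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    first = bytes([octets[0] ^ 0x02])          # invert the universal/local bit
    return first + octets[1:3] + b"\xff\xfe" + octets[3:]

def mac_from_eui64_iid(iid: bytes) -> str:
    """What an observer recovers from an EUI-64 based address: the hardware address."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        raise ValueError("not a modified EUI-64 interface identifier")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{o:02x}" for o in octets)

def stable_privacy_iid(prefix: str, iface: str, net_id: str, dad_counter: int, secret: bytes) -> bytes:
    """IID in the manner of the stable-privacy draft: F(prefix, iface, network id, DAD counter, key).

    Same inputs give the same IID (stable on one network); a different prefix or
    network id gives an unrelated IID, and no MAC address is embedded.
    SHA-256 stands in for the draft's PRF F (assumption of this example).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("construction assumes a /64 prefix (slide 56)")
    h = hashlib.sha256(net.network_address.packed[:8])
    for part in (iface.encode(), net_id.encode(), dad_counter.to_bytes(1, "big"), secret):
        h.update(part)
    return h.digest()[:8]

def address(prefix: str, iid: bytes) -> str:
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))

def iid_of(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed[8:]

def demo() -> Dict[str, object]:
    secret = b"constructed 128-bit host secret!"            # constructed; a real host keeps it private
    home, cafe = "2001:db8:100::/64", "2001:db8:200::/64"  # constructed networks
    slide_addr = "2001:db8:100:0:28c:f5ff:fe05:4235"        # the address from slide 53
    mac = mac_from_eui64_iid(iid_of(slide_addr))
    at_home = stable_privacy_iid(home, "eth0", "home-ssid", 0, secret)
    stable_addr = address(home, at_home)
    return {
        "mac in slide address": mac,
        "eui64 round trip": address(home, eui64_iid(mac)),
        "stable at home": at_home == stable_privacy_iid(home, "eth0", "home-ssid", 0, secret),
        "changes with network": at_home != stable_privacy_iid(cafe, "eth0", "cafe-ssid", 0, secret),
        "changes on DAD collision": at_home != stable_privacy_iid(home, "eth0", "home-ssid", 1, secret),
        "stable address in home prefix":
            ipaddress.IPv6Address(stable_addr) in ipaddress.IPv6Network(home),
    }
```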
  56. Why "/64"?
     • IPv6 subnets are, with the exception of loopback and point-to-point connections, of size /64
       - RFC 7136 states that "For all unicast addresses, except those that start with the binary value 000, Interface IDs are required to be 64 bits long."
     • "Analysis of the 64-bit Boundary in IPv6 Addressing" (draft-carpenter-6man-why64) discusses
       - why the "/64" size was chosen
       - why network administrators ask for other subnet sizes (prefixes longer than /64)
       - what will break if IPv6 is configured with subnet sizes other than "/64"
  57. Unknown IPv6 Extension header
     • "middle-boxes" (firewalls, intrusion detection systems, specialized routers) cannot parse the extension header chain, as they cannot "jump over" unknown extensions
     • this was on purpose in the original IPv6 specifications, as the core of the network should be "dumb", just forwarding packets, not inspecting them
       - however, in reality today IPv6 traffic is often dropped because of middle-boxes that cannot check the header chain
  58. Unknown IPv6 Extension header (diagram)
     Header chain of the example packet:
       IPv6 header (next=43, routing)
       -> Routing header (next=123, ??)
       -> Unknown header (next=60, dest option), unknown size
       -> Destination Option header (next=6, tcp)
       -> TCP payload
     Middle-box cannot find the TCP port information.
  59. Unknown IPv6 Extension header
     • the draft "IPv6 Universal Extension Header" (draft-gont-6man-ipv6-universal-extension-header) proposes a universal extension header containing just one header-type identifier and an 8-bit sub-type field, which allows for 256 extension header sub-types
     • it proposes to close the registry for new IPv6 extension headers
       - new header functions would be implemented as sub-types of the "universal extension header"
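An added example (not code from the slides or from draft-gont-6man-ipv6-universal-extension-header) of the failure mode drawn on slide 58: a minimal header-chain walker of the kind a middle-box runs to find the TCP ports, applied to two constructed packets, the slide's chain with an unknown header type 123 in the middle and the same chain without it. Header numbers and the generic extension header layout are those of the IPv6 base specification; the ports and zeroed addresses are constructed.

```python
import struct
from typing import Optional, Tuple

ROUTING, DEST_OPTS, TCP = 43, 60, 6
UNKNOWN = 123                          # the "??" header type from slide 58
# Extension headers a middle-box knows how to step over: Hdr Ext Len is in
# 8-octet units not including the first 8 octets.
SKIPPABLE = {0, ROUTING, DEST_OPTS}    # hop-by-hop, routing, destination options

def ipv6_header(next_header: int, payload_len: int) -> bytes:
    """40-byte fixed header: version 6, zero traffic class/flow label, hop limit 64, zero addresses."""
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + bytes(32)

def ext_header(next_header: int, body: bytes) -> bytes:
    """Generic extension header: Next Header, Hdr Ext Len, body padded to a multiple of 8 octets."""
    total = 2 + len(body)
    padded = total + (-total % 8)
    return bytes([next_header, padded // 8 - 1]) + body + bytes(padded - total)

def tcp_header(sport: int, dport: int) -> bytes:
    return struct.pack("!HH", sport, dport) + bytes(16)   # ports plus a zeroed remainder

def build_packet(with_unknown: bool) -> bytes:
    """The chain of slide 58; with_unknown=False drops the unknown header in the middle."""
    dest_opts = ext_header(TCP, bytes(6))                  # Destination Option header, next=6
    routing = ext_header(UNKNOWN if with_unknown else DEST_OPTS, bytes(6))
    unknown = ext_header(DEST_OPTS, bytes(6)) if with_unknown else b""   # the middle-box cannot know this layout
    payload = routing + unknown + dest_opts + tcp_header(49152, 443)     # constructed ports
    return ipv6_header(ROUTING, len(payload)) + payload

def find_tcp_ports(pkt: bytes) -> Tuple[str, Optional[Tuple[int, int]]]:
    """Walk the header chain as a middle-box would; stop where it cannot continue."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "not IPv6", None
    next_header, offset = pkt[6], 40
    while offset + 8 <= len(pkt):
        if next_header == TCP:
            sport, dport = struct.unpack_from("!HH", pkt, offset)
            return "ok", (sport, dport)
        if next_header not in SKIPPABLE:
            # Unknown type: where its length field sits, and its size, are undefined (slide 58)
            return f"unknown header {next_header}", None
        next_header, offset = pkt[offset], offset + (pkt[offset + 1] + 1) * 8
    return "truncated", None
```

A filter that drops everything it cannot classify turns the first result into the silent packet loss slide 57 describes; one that passes it forfeits inspection, which is the trade-off the universal extension header proposal of slide 59 tries to remove.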
  60. SLAAC and DHCPv6
     • DHCPv6/SLAAC Address Configuration Interaction Problem Statement (draft-ietf-v6ops-dhcpv6-slaac-problem)
     • DHCPv6/SLAAC Interaction Operational Guidance Considerations (draft-liu-v6ops-dhcpv6-slaac-guidance)
       - Guidance for DHCPv6-only Deployment
       - Guidance for SLAAC-only Deployment
       - Guidance for DHCPv6/SLAAC Co-exist Deployment
     • DHCPv6/SLAAC Interaction Implementation Guidance (draft-liu-6man-dhcpv6-slaac-implementation-guide)
  61. Unique Local Addresses (ULA)
     • "Recommendations of Using Unique Local Addresses" (draft-ietf-v6ops-ula-usage-recommendations)
     • lists use-cases of ULA and documents possible drawbacks
       - use of ULA in isolated networks
       - use of ULA together with Globally Unique Addresses (GUA)
  62. Design Choices for IPv6 Networks
     • "draft-ietf-v6ops-design-choices"
     • Mix IPv4 and IPv6 on the Same Link?
     • Links with Only Link-Local Addresses?
     • Link-Local Next-Hop in a Static Route?
     • Choice of IGP (OSPF vs. IS-IS)
  63. Reducing multicast in IPv6
     • multicast can be expensive in terms of energy consumption on certain link-layer technologies (e.g. W-LAN)
       - IPv6 neighbor discovery relies heavily on link-local multicast
       - other protocols like multicast-DNS can create as much or more multicast traffic
     • the IETF v6ops and 6man working groups discuss options to replace the use of multicast in these networks with alternatives (unicast)
  64. Q/A
     ?
     Slides, Links, Recording and errata will be posted @ https://www.menandmice.com/resources/educational-resources/webinars/
