From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- 2005/ipv6-astaro2005/astaro-topics | 41 ++++ 2005/ipv6-astaro2005/ipv6-astaro2005.mgp | 345 +++++++++++++++++++++++++++++++ 2005/ipv6-astaro2005/ipv6-astaro2005.pdf | Bin 0 -> 28539 bytes 2005/ipv6-astaro2005/topics | 114 ++++++++++ 4 files changed, 500 insertions(+) create mode 100644 2005/ipv6-astaro2005/astaro-topics create mode 100644 2005/ipv6-astaro2005/ipv6-astaro2005.mgp create mode 100644 2005/ipv6-astaro2005/ipv6-astaro2005.pdf create mode 100644 2005/ipv6-astaro2005/topics (limited to '2005/ipv6-astaro2005') diff --git a/2005/ipv6-astaro2005/astaro-topics b/2005/ipv6-astaro2005/astaro-topics new file mode 100644 index 0000000..310deca --- /dev/null +++ b/2005/ipv6-astaro2005/astaro-topics 
@@ -0,0 +1,41 @@ +Details of stateless autoconfiguration + address space is split in two 64bit halves + upper 64bit are used to specify a particular network segment + lower 64bit are used for individual nodes in one segment + lower 64bit are generated from 48bit mac address with 'fffe' in the middle + potential problem: privacy + +DNS and IPv6 + forward resolval (hostname -> address) + ipv4 uses 'IN A' record + ipv6 uses 'IN AAAA' record + a particular hostname can have A and AAAA records + reverse resolval + uses .ip6.arpa. suffix + uses hexadecimal instead of decimal notation: + 4.4.0.0.0.0.0.0.0.8.7.0.1.0.0.2.ip6.arpa. + portable applications under *BSD/Linux do round-robin between all records, with a preference of ipv6 for the first try. + +BSD Sockets API and IPv6 + struct in_addr has become in6_addr + new API's like getaddrinfo() instead of gethostbyname() support _both_ ipv4 and ipv6 + apart from that, everything is the same. + +configuration under linux + router/gateway + runs radvd or zebra for sending router advertisements + client + just has to load 'ipv6' module and configure an interface up + recevies prefix-advertisement(s) and auto-configures address accordingly + +IPv6 specific security issues + packet filter has to explicitly allow neighbour discovery, since it's inside ipv6/icmpv6 + special attention to option headers + most sites won't want routing or hop-by-hop options + neighbour cache DoS: + compare with existing neighbour cache issues in large (/16) networks + in ipv6, the standard is /64 for every segment (!) + + one advantage: port scanning of whole networks way more difficult :) + + diff --git a/2005/ipv6-astaro2005/ipv6-astaro2005.mgp b/2005/ipv6-astaro2005/ipv6-astaro2005.mgp new file mode 100644 index 0000000..50654d6 --- /dev/null +++ b/2005/ipv6-astaro2005/ipv6-astaro2005.mgp 
@@ -0,0 +1,345 @@ +%include "default.mgp" +%default 1 bgrad +%deffont "typewriter" tfont "MONOTYPE.TTF" +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +%nodefault +%back "blue" + +%center +%size 8 + + + +IPv6 Introduction + + +%center +%size 4 +by + +Harald Welte + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +What? Why? + + What is IPv6? + + Successor of currently used IP Version 4 + Specified 1995 in RFC 2460 + + Why? + + Address space in IPv4 too small + Routing tables too large + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +Advantages + + Advantages + stateless autoconfiguration + multicast obligatory + IPsec obligatory + Mobile IP + + Address renumbering + Multihoming + Multiple address scopes + smaller routing tables through aggregatable allocation + + simplified l3 header + 64bit aligned + no checksum (l4 or l2) + no fragmentation at router + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +Disadvantages + + Disadvantages + Not widely deployed yet + In most cases access only possible using manual tunnel + OS support not ideal in most cases + W2k: IPv6 available from MS + Windows XP: IPv6 included + Linux has support, but not 100% RFC compliant + *BSD: full support (KAME) + Solaris 8/9/10: full support + Application support not ideal in most cases + Biggest problem: squid + supported: bind8/9, apache, openssh, xinetd, rsync, exim, zmailer, sendmail, qmail, inn-2.4(CVS), zebra, mozilla + Conclusion: Circular dependencies + no application support without OS support + no good OS support without applications + no wide deployment without applications + no applications without deployment + no deployment without applications + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +Deployment + + Experimental (6bone) + Experimental 6bone 
(3ffe::) has been active since 1995. + Uses slightly different Addressing Architecture (RFC2471) + Phased out on 06/06/2006 + No new pTLA assignments starting from 2005 + + Production (2001::) + Initial TLA's and sub-TLA's assigned in Sept 2000 + Mostly used in education+research + Some commercial ISP's in .de are offering production prefixes + + Why isn't IPv6 widely used yet? + No immediate need in Europe / North America + Big deployment cost at ISP's (Training, Routers, ..) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +Technical: Address Space + + IP Version 6 Addressing Architecture (RFC2373) + Format prefix, variable length + 001: RFC2374 addresses, 1/8 of address space + 0000 001: Reserved for NSAP (1/128) + 0000 010: Reserved for IPX (1/128) + 1111 1110 10: link-local unicast addresses (1/1024) + 1111 1110 11: site-local unicast addresses (1/1024) + 1111 1111 flgs scop: multicast addresses + flgs (0: well-known, 1:transient) + scop (0: reserved, 1: node-local, 2: link-local, 5: site-local, 8: organization-local, e: global scope, f: reserved) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +Technical: Address Space + + Aggregatable Global Unicast Address Format (RFC2374) + 3bit FP (format prefix = 001) + 13bit TLA ID - Top-Level Aggregation ID + 13bit Sub-TLA - Sub-TLA Aggergation ID + 19bit NLA - Next-Level Aggregation ID + 16bit SLA - Site-Level Aggregation ID + 64bit Interface ID - derived from 48bit ethernet MAC + Initial subTLA-Assignments + 2001:0000::/29 - 2001:01f8::/29 IANA + 2001:0200::/29 - 2001:03f8::/29 APNIC + 2001:0400::/29 - 2001:05f8::/29 ARIN + 2001:0600::/29 - 2001:07f8::/29 RIPE + loopback ::1 + unspecified: ::0 + embedded ipv4 + IPv4-compatible address: 0::xxxx:xxxx + IPv6-mapped IPv4 (IPv4 only node): 0::ffff:xxxx:xxxx + anycast + allocated from unicast addresses + only subnet-router anycast address predefined (prefix::0000) + + 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +Technical: Header + +%font "typewriter" +%size 3 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Version| Traffic Class | Flow Label | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Payload Length | Next Header | Hop Limit | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Source Address + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Destination Address + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +%font "standard" + 4bit Version: 6 + 8bit Traffic Class + 20bit Flow Label + 16bit Payload Length (incl. extension hdrs) + 8bit next header (same values like IPv4, RFC1700 et seq.) + 8bit hop limit (TTL) + 128bit source address + 128bit dest address + extension headers: + hop-by-hop options + routing + fragment + destination options + IPsec (AH/ESP) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +Technical: Layer 2 <-> Address mapping + + + Ethernet: No more ARP, everything within ICMPv6 + No Broadcast, everything built using multicast. 
+ + all-nodes multicast address ff02::1 + all-routers multicast address ff02::2 + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +Technical: Address Configuration + + + router discovery + routers periodically send router advertisements + hosts can send router solicitation to explicitly request RADV + + prefix discovery + router includes prefix(es) in ICMPv6 router advertisements + other nodes receive prefix advertisements and derive their final address from prefix + EUI64 of MAC address + + neighbour discovery + machines can discover it's neighbours without advertising router + + +%page +IPv6 Introduction +How to get connected + + In case of static IPv4 address + SIT (ipv6-in-ipv4) tunnel possible + http://www.join.uni-muenster.de/ + + In case of dynamic IPv4 address + ppp (ipv6 over ppp) tunnel (pptp, l2tp) possible + sitctrl (linux <-> linux) + atncp (*NIX), http://www.dhis.org/atncp/ + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +Stateless Autoconfiguration + + + Address space is split in two 64bit halves + Upper 64bit '2001:780:44:1100:' used to specify a network segment (/64) + Lower 64bit '204:61ff:fe5c:74b9' used to specify node within segment + Lower 64bit are generated from 48bit mac address with 'fffe' in the middle + Potential Problem: Privacy + IETF Solution: RFC3041 "Privacy Extension" + uses additional 'alias' IPv6 adresses that are created randomly and only valid for hours/days + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +DNS and IPv6 + + Forward resolval (hostname->address) + IPv4 uses "IN A" record + IPv6 uses "IN AAAA" record + A particular hostname can have both A and AAAA + + Reverse resolval (address->hostname) + Uses ".ip6.arpa." suffix + Uses hexadecimal instead of decimal notation + 4.4.0.0.0.0.0.0.0.8.7.0.1.0.0.2.ip6.arpa. 
+ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +BSD Sockets API and IPv6 + + new structures + in_addr has become in6_addr + sockaddr_in has become sockaddr_in6 + new API's like getaddrinfo are compatible with ipv6 and ipv4 + portable applications use sockaddrr_storage and don't make assumptions about it's size + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +Configuration under Linux + + Router/Gateway + Runs radvd or zebra for for sending router advertisements + + Client + Just has to load "ipv6" module and configure interface up + Receives prefix-advertisements(s) and autoconfigures address + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +IPv6 option headers + + New concept of option header + Any number of option headers between l3 and l4 header + With one exception only processed ad sender and receiver + + Defined option headers + Hop-by-hop options (processed by every node) + Destination options + Routing header + Fragment header + Authentication (AH) + Encapsulating Security Payload (ESP) + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +IPv6 specific security issues + + hop-by-hop options header + should be filtered out at typical internet gateway + routing header + should be filtered out like IPv4 loose source / record route + ICMPv6 + has to be allowed for neighbour discovery to work + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +IPv6 specific security issues + +iptables -> ip6tables changes + matching of ah/esp + not by -p ! + matching of fragments + not by -f ! 
+ no connection tracking in mainline kernel yet + existing ip6_conntrack patchces (deprecated) + code duplication + no interaction between ip_conntrack/ip6_conntrack + existing nf_conntrack patches + one code base to rule them all + ipv4 and ipv6 plugins + l3 independent tcp and udp modules independent + l3 independent helpers + BUT: no NAT as of now :( + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +IPv6 Introduction +Further Reading + + http://www.ipv6-net.org/ (deutsches IPv6 forum) + http://www.6bone.net/ (ipv6 testing backbone) + http://www.freenet6.net/ (free tunnel broker) + http://hs247.com/ (list of tunnel brokers) + + http://www.bieringer.de/ (ipv6 for linux) + http://www.linux-ipv6.org/ (improved ipv6 for linux) + http://www.kame.net/ (ipv6 for *BSD) + http://www.join.uni-muenster.de/ (ipv6 at DFN/WiN) + + http://www.gnumonks.org/ (slides of this presentation) + + And of course, all relevant RFC's + diff --git a/2005/ipv6-astaro2005/ipv6-astaro2005.pdf b/2005/ipv6-astaro2005/ipv6-astaro2005.pdf new file mode 100644 index 0000000..f663f99 Binary files /dev/null and b/2005/ipv6-astaro2005/ipv6-astaro2005.pdf differ diff --git a/2005/ipv6-astaro2005/topics b/2005/ipv6-astaro2005/topics new file mode 100644 index 0000000..da33a44 --- /dev/null +++ b/2005/ipv6-astaro2005/topics 
@@ -0,0 +1,114 @@ +What is IPv6? + Successor of currently used IP Version 4 + Specified 1995 in RFC? 2460 +Why? + Address space in IPv4 too small + +Advantages? + stateless autoconfiguration + multicast obligatorisch + IPsec obligatorisch + Mobile IP + QoS ? + + Address Renumbering? + Multihoming? + AddressScopes? + smaller routing tables through G + + simplified l3 header + 64bit aligned + no checksum (l4 or l2) + no fragmentation at router + +Disadvantages + Not widely deployed yet + In most cases access only possible using manual tunnel + OS support not ideal in most cases + W2k? + Linux has support, but no IPsec in official tree -> USAGI + *BSD: full support (KAME + Application support not ideal in most cases + not supported: + supported: bind8/9, apache + +Deployment + Experimental 6bone (3ffe::) has been active since 199x. + Uses slightly different Addressing Architecture (RFC2471) + +Why isn't it widely used yet? + No immediate need in Europe / North America + Big deployment cost at ISP's (Training, Routers, ..) 
+ +Technical: Address Space + IP Version 6 Addressing Architecture (RFC2373) + Format prefix, variable length + 001: RFC2374 addresses, 1/8 of address space + 0000 001: Reserved for NSAP (1/128) + 0000 010: Reserved for IPX (1/128) + 1111 1110 10: link-local unicast addresses (1/1024) + 1111 1110 11: site-local unicast addresses (1/1024) + 1111 1111: multicast addresses + 1111 1111 flgs scop + flgs (0: well-known, 1:transient) + scop (0: reserved, 1: node-local, 2: link-local, 5: site-local, 8: organization-local, e: global scope, f: reserved) + Aggregatable Global Unicast Address Format (RFC2374) + 3bit FP (format prefix = 001) + 13bit TLA ID - Top-Level Aggregation ID + 13bit Sub-TLA - Sub-TLA Aggergation ID + 19bit NLA - Next-Level Aggregation ID + 16bit SLA - Site-Level Aggregation ID + 64bit Interface ID - derived from 48bit ethernet MAC + + 2001:0000::/29 - 2001:01f8::/29 IANA + 2001:0200::/29 - 2001:03f8::/29 APNIC + 2001:0400::/29 - 2001:05f8::/29 ARIN + 2001:0600::/29 - 2001:07f8::/29 RIPE + loopback + ::1 + unspecified: + ::0 + embedded ipv4 + IPv4-compatible address: 0::xxxx:xxxx + IPv4-mapped IPv4 (IPv4 only node): 0::ffff:xxxx:xxxx + anycast + allocated from unicast addresses + only subnet-router anycast address predefined (prefix::0000) + + +Technical: Header + + 4bit Version: 6 + 8bit Traffic Class + 20bit Flow Label + 16bit Payload Length (incl. extension hdrs) + 8bit next header (same values like IPv4, RF1700 et seq.) + 8bit hop limit (TTL) + 128bit source address + 128bit dest address + + extension headers: + hop-by-hop options + routing + fragment + destination options + authentication + encapsulating security payload + +Technical: Layer 2 <-> Address mapping + Ethernet: No more ARP, everything within ICMPv6 + No Broadcast, everything built using multicast. 
+ + all-nodes multicast address ff02::1 + all-routers multicast address ff02::2 + + +Technical: Address Configuration + router discovery + routers periodically send router advertisements + hosts can send router solicitation to explicitly request RADV + prefix discovery + router includes prefix(es) in ICMPv6 router advertisements + other nodes receive prefix advertisements and derive their final address from prefix + EUI64 of MAC address + + -- cgit v1.2.3
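Review bot: in the astaro-topics hunk, the line "lower 64bit are generated from 48bit mac address with 'fffe' in the middle" omits the other step of the EUI-64 derivation, inverting the universal/local bit (0x02 of the first MAC octet); the example '204:61ff:fe5c:74b9' in the .mgp hunk shows exactly that flip (first octet 02 from a MAC starting 00), so adding a line such as "universal/local bit (0x02) of the first byte is inverted" keeps the two files consistent. Spelling: 'resolval' (twice) should be 'resolution' and 'recevies' should be 'receives'.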
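Review bot: in the ipv6-astaro2005.mgp hunk, "Specified 1995 in RFC 2460" mixes two documents: RFC 2460 dates from December 1998, and the 1995 specification it obsoleted is RFC 1883 (the same line recurs in the topics hunk). On the second "IPv6 specific security issues" page, "matching of ah/esp / not by -p !" and "matching of fragments / not by -f !" say what does not work without saying what does; naming the ip6tables match extensions (-m ah, -m esp, -m frag) would make the slide actionable. Under "simplified l3 header", "no checksum (l4 or l2)" reads as if transport checksums were dropped too; it is the IPv6 header itself that carries no checksum, and RFC 2460 makes the UDP checksum mandatory, so "no l3 checksum (left to l2 and l4)" is clearer. The "site-local unicast addresses" entry on the Address Space page predates RFC 3879 (September 2004), which deprecated them, and deserves a "(deprecated)" marker. Spelling: 'Aggergation' (also in topics), 'adresses', 'sockaddrr_storage', "it's size", 'for for', 'ad sender', 'patchces', and 'IPv6-mapped IPv4' should read 'IPv4-mapped IPv6'.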
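Review bot: in the topics hunk, this file is an earlier draft of the same outline as astaro-topics and the .mgp deck and still carries unresolved markers ('RFC? 2460', 'W2k?', 'QoS ?', 'since 199x', 'not supported:' with no entries, 'smaller routing tables through G') and mixed-language wording ('obligatorisch' for 'obligatory'); if it is kept next to the finished files, a one-line header marking it as a draft would stop readers taking it as current. Small fixes: 'RF1700' should be 'RFC1700', '(KAME' is missing its closing parenthesis, and 'IPv4-mapped IPv4' should read 'IPv4-mapped IPv6'.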