ipv6 router

8/19/2019 IPv6 Router

1/30

Linux as an IPv6 dual stack FirewallLinux as an IPv6 dual stack Firewall

Presented By: Stuart [email protected]

http://www.actusa.nethttp://www.stuartsheldon.org

mailto:[email protected]://www.actusa.net/http://www.stuartsheldon.org/http://www.stuartsheldon.org/http://www.actusa.net/mailto:[email protected]


2/30

IPv6IPv6

2001:0DB8:0000:0000:021C:C0FF:FEE2:888A

● Address forat: !ight "6 #it hexadecial groups separated #$ %:%s

● &otal of "'( #its of address space availa#le

● ')"'( or *+, -illion -illion -illion -illion addresses

● iniu network si0e /6+ 1"( -illion -illion devices2

● 3upports

● 4nicast Addresses

●

ulticast Addresses● An$cast Addresses


3/30

ore IPv6ore IPv6

● Also 3upports● Auto 5lient 5onfiguration 1etwork 7iscover$2

● 8outer 7iscover$ / Advertising

●

7uplicate Address 7etection● 7oes ot 3upport

● etwork -roadcasts

●

etwork Address &ranslation● Longer netasks then /6+

● Packet Fragentation


4/30

A#out AddressesA#out Addresses

● Address 3hortcuts

● ',,":,7-(:,,,,:,,,,:,,,,:,,,,:,,,,:,,,"

● 8eoving groups of %,% 9 ',,":,7-(::,,,"

● 8eoving leading %,% 9 ',,":7-(::"


5/30


● Link Local Addresses

● !ver$ IPv6 interface ust have one

● nl$ used on local LA.

● ever routed

● ultiple interfaces can have the sae link9local

address● ;hen attaching to a link9local address $ou ust

specif$ the interface $ou want to go out on


6/30


● Autoatic Address Forat 1!4I96+2

●


7/30

IPv6 Address &$pesIPv6 Address &$pes

● Link9local unicast: F!(,::/",

● Blo#al unicast: ',,,::/*

● Local IPv6 Addresses: F5,,::/?

● ulticast: FF,,::/(

● Loop#ack Address: ::"/"'(

●

IPv+ apped: ::FFFF:"C'."6(.".",,● 8outer An$cast:


8/30

IPv6 Privac$IPv6 Privac$

● 8F5 +C+" 9 8andoi0es client IPv6 Blo#aladdresses to aintain client privac$.

● n #$ default in ;indows

● ff #$ default in Linux

● ;indows uses rando addresses for auto

configuration.


9/30

IPv6 &unneling !tc...IPv6 &unneling !tc...

● &oredo E Autoatic IPv6 &unneling 1',,"::/*'2● n #$ default in older ;indows releases

● Allows for glo#al routing #ehind A& 1-A72

● 6in+ &unneling E Point9to9point IPv6 &unneling.● Allows point9to9point tunneling of IPv6 data #etween

network endpoints via IPv+

● 6to+ &unneling E etwork &unneling 1',,'::/"62● Allows for auto tunneling #etween IPv6 networks

through IPv+ networks 1Liited Adoption2


10/30

Auto 5onfiguration vs. 75Pv6Auto 5onfiguration vs. 75Pv6

75Pv675Pv6

● Pros

● Address &racking

● Fixed Address Assignent

● 73 3erver Assignent

● 7$naic P&8 / AAAA 4pdates

● 5ons

●

5oplicated to ipleent● 5lient copati#ilit$ is ixed at

#est

Auto 5onfigurationAuto 5onfiguration

● Pros

● 3etup is less coplicated

●

Alost all clients supportedout of the #ox

● Less s$ste overhead

● 5ons

● o Address &racking


11/30

Address 7aeon PackagesAddress 7aeon Packages

● 75Pv6

● I35 75P93erver / 5lient

● ;ide 75P93erver /5lient

● Auto 5onfiguration

● Guagga

● 8outer Advertiseent 7aeon 18a7v72

● 873s7 15lient2


12/30

ur &arget 3etupur &arget 3etup

● 7e#ian 3Huee0e B4 Linux

●

6in+ &unnel fro &unnel -roker routing a /6+● Auto configuration using Guagga

● Firewall supplied #$ IP&a#les and IP6&a#les


13/30

ardwareardware


14/30


15/30


16/30


17/30

;hat ;ill -e odified;hat ;ill -e odified

● Add IPv6 &unnel to /etc/network/interfaces

● Add IPv6 8outed etwork to

/etc/network/interfaces● 5hange net.ipv6.conf.all.forwarding to %"%

● 5onfigure Guagga 7aeon for auto

configuration and change vt$sh %pager% settings


18/30


19/30


20/30

Guagga 3etupGuagga 3etup

touch /etc/quagga/zebra.conf

chown quagga: /etc/quagga/zebra.conf

echo 'export VTYSH_PAG!"#ore' $$ /etc/ba%h.ba%hrc

& /etc/quagga/(ae#on%


21/30

Guagga 3etup

reboot

&t)%hconfg ter#na*

nterface eth+no p&, n( %uppre%%-rap&, n( prefx +:01:(:2bc::/,0

ext

wrteext


22/30

;arning ;ill 8o#inson;arning ;ill 8o#inson

● Jou now have a full$functional IPv6 gatewa$

● &here is no firewall installed

what so ever

● All devices on $our networkthat can take advantage of

IPv6 auto configuration aresitting on the open Internet


23/30

345 6e ha&e an 7P&0 / 7P&, !outer5345 6e ha&e an 7P&0 / 7P&, !outer5

8ow 6hat98ow 6hat9


24/30

3iple IPv+ Firewall 3cript3iple IPv+ Firewall 3criptptab*e% -

ptab*e% - -t natptab*e% - -t #ang*eptab*e% -;ptab*e% -; -t natpta*be% -; -t #ang*e

ptab*e% -A 78P>PT

ptab*e% -A 78P>PTptab*e% -A 3!6A!? -p c#p -= A>>PTptab*e% -A 78P>PTptab*e% -A 78P>PT

ptab*e% -A 78P>PTptab*e% -A 78PPTptab*e% -A 3!6A!? -= ?!3P


25/30

Adding &o Jour FirewallAdding &o Jour Firewall

# IPv4 Clear Rules

ptab*e% -ptab*e% - -t natptab*e% - -t #ang*eptab*e% -;

ptab*e% -; -t natpta*be% -; -t #ang*e

# IPv6 Clear Rules

p,tab*e% -p,tab*e% - -t #ang*e

p,tab*e% -;p,tab*e% -; -t #ang*e


26/30


# Loopback and ICMP IPv4

ptab*e% -A 78P>PTptab*e% -A 78P>PTptab*e% -A 3!6A!? -p c#p -= A>>PT

# Loopback and ICMP IPv6

p,tab*e% -A 78P>PTp,tab*e% -A 78P>PTp,tab*e% -A 3!6A!? -p c#p&, - *o -= A>>PTp,tab*e% -A 78P>PTp,tab*e% -A 3!6A!? -p c#p&, - eth+ -= A>>PT

p,tab*e% -A 78P>PTp,tab*e% -A 3!6A!? -p c#p&, - tb,n0 -= A>>PT


27/30


# IPv4 Input Rulesptab*e% -A 78P>PTptab*e% -A 78P>PTptab*e% -A 78P>PT

ptab*e% -A 78PPTp,tab*e% -A 78P>PTp,tab*e% -A 78P>PTp,tab*e% -A 78P>PT

p,tab*e% -A 78P


28/30


# IPv4 Forwarding Rulesptab*e% -A 3!6A!? - eth+ -= A>>PTptab*e% -A 3!6A!? - eth -# %tate %tate STABC7SH?D!CAT? -= A>>PTptab*e% -A 3!6A!? -= ?!3P

# IPv6 Forwarding Rulesp,tab*e% -A 3!6A!? - eth+ -= A>>PTp,tab*e% -A 3!6A!? - tb,n0 -# %tate %tate STABC7SH?D!CAT? -= A>>PTp,tab*e% -A 3!6A!? -= ?!3P


29/30

8unning Pu#lic 3ervers8unning Pu#lic 3ervers

# IPv4 Web Services

ptab*e% -A P!!3>PT

ptab*e% -A P!!3>PT

# IPv6 Web Services

p,tab*e% -A 3!6A!? - tb,n0 -( +:01:c:2bc::,0/+2 I

-p tcp (port 2 -= A>>PTp,tab*e% -A 3!6A!? - tb,n0 -( +:01:c:2bc::,0/+2 I

-p tcp (port 00@ -= A>>PT


30/30

ue%ton%999ue%ton%999

ipv6 router

Documents