ipv6: the ins and outs -...
About Me
• Co-founder and CTO of BSD Perimeter LLC – Corporate arm of pfSense project
• 15 years’ IT experience • Former IT Manager at public accounting firm
Overview
• IPv6 Overview • The need for IPv6 • IPv6-Enabled Technologies • Migration concerns and paths • Configuring IPv6 on routers • Configuring IPv6 on Windows • Configuring IPv6 on firewalls • Questions & Answers
Credits
Thanks to the following for sharing ideas and real world experience.
• Seth Mos • Bjoern Zeeb
IPv6 Overview
• Next generation of the Internet Protocol - IPng • First standard in 1995 – RFC 1883 • What happened to IPv5?
New Terminology
• Stateless autoconfiguration • Dual stack • Neighbor Discovery Protocol • Native IPv6
IPv6 Overview
• “IPv6 is expected to replace the current … IPv4 for nearly all Internet traffic by 2008.” – PC World July 1, 2003
• August 2011 – less than 0.01% of all Internet traffic is IPv6
• But – the time has really come now
IPv6 Overview – Current Usage
http://asert.arbornetworks.com/2011/04/six-months-six-providers-and-ipv6/
IPv6 Overview – Current Usage
IPv6 – ~10 GB/month 8.3% of traffic
IPv4 – ~110 GB/month 91.7% of traffic
The Need for IPv6
• Larger address space – IPv4 has 2^32 addresses – ~4.3 billion – IPv6 has 2^128 addresses – ~340 undecillion
• 340,282,366,920,938,463,463,374,607,431,768,211,456
– Final IPv4 space assigned by IANA to RIRs in February 2011
– Complete IPv4 exhaustion worldwide by 2014-2015 at latest
IPv6 IP assignments
• Most common IPv4 subnet /24 (255.255.255.0) – 254 hosts
• Typical recommended IPv6 subnet a /64 – 18,446,744,073,709,551,616 IPs
• Recommended assignment for business a /48 – 65536 /64 subnets
IPv6 IP assignments
• Private addressing – RFC 1918 in IPv4 – Unique Local Addresses (ULA) in IPv6
– RFC 4193, fc00::/7 (in practice fd00::/8, since the L bit must currently be 1)
– The 40-bit Global ID must be pseudo-randomly generated as RFC 4193 describes, not picked by hand, so that two sites’ ULA ranges are unlikely to collide when they are later merged or connected by VPN
– Generally not necessary: with a /48 per site there is enough global space to number every host
• NAT a thing of the past (to some extent)
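The RFC 4193 Global ID algorithm referred to above, as an added example (not from these slides, and not pfSense code): SHA-1 over a 64-bit NTP timestamp concatenated with the machine’s EUI-64, low 40 bits kept, prepended with fd to form the site’s /48. The MAC address and timestamp used in the demo are made up; 2001:db8::/32 in the test address is documentation space.

```python
import hashlib
import ipaddress
import struct
import time
from typing import Optional

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 Unique Local Addresses
NTP_EPOCH_OFFSET = 2208988800                  # seconds from 1900-01-01 to 1970-01-01


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 App. A): flip the
    universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * 2 ** 32)
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def ula_global_id(mac: str, unix_time: float) -> int:
    """RFC 4193 3.2.2: SHA-1 over (NTP time || EUI-64); the low 40 bits are the Global ID."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """The site's /48: fc00::/7 with the L bit set (so fd00::/8), then the 40-bit Global ID."""
    if unix_time is None:
        unix_time = time.time()
    gid = ula_global_id(mac, unix_time)
    return ipaddress.IPv6Network(((0xFD << 120) | (gid << 80), 48))


def ula_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65536 /64s inside the site's /48 (bits 48..63 carry the subnet ID)."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 2 ** 16:
        raise ValueError("need a /48 ULA prefix and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def is_ula(text: str) -> bool:
    """True if the address falls inside fc00::/7."""
    return ipaddress.IPv6Address(text) in ULA_BLOCK


if __name__ == "__main__":
    # constructed inputs: a made-up MAC and a fixed timestamp so the run is reproducible
    site = ula_prefix("00:11:22:33:44:55", 1313000000.0)
    print("site prefix:", site)
    for sid in (0x0001, 0x0010, 0xFFFF):
        print("  subnet", hex(sid), "->", ula_subnet(site, sid))
```

The digest is what keeps two independently numbered sites apart; picking fd00::/48 or fd00:1::/48 by hand, as is common, throws that property away and makes a later merger or site-to-site VPN a renumbering exercise.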
Barriers to Adoption
• Lack of ISP support • Lack of CPE support • Problems with broken clients • Lacking knowledge
Connectivity Options
• Native IPv6 connectivity • Tunneling – Tunnelbroker.net, many others – Performance considerations
Google – 35-40 ms IPv4, 90 ms tunneled IPv6
Facebook – 50 ms IPv4, 120 ms tunneled IPv6
IPv6 and Firewalls
• Understand the capabilities of your firewall – Lesser security than IPv4?
• Don’t necessarily trust your vendor’s answer
• Upgrade as needed
• Understand the vendor-specific configuration for IPv6
• Configure interconnect with ISP (usually /64, may be /120)
• Subnet LAN-side addresses and configure LAN-side IP
IPv6 and Routers
• WAN-focused • Router support – All features you’re using covered? – Performance equivalent or close?
• Provider support
Interoperability Concerns
• Large number of proposed interoperability solutions – 14 current, 3 drafts, several deprecated – Mostly applicable at the carrier/ISP level
• Dual stack typical for business networks • Proxy servers
Fun with hexadecimal addressing
www.v6.facebook.com [2620:0:1cfe:face:b00c::3]
9 128 ms 129 ms 131 ms 2620:0:1cff:dead:beef::85
10 129 ms 129 ms 128 ms 2620:0:1cff:dead:beef::10
IPv6 and Windows XP/2003
• Supported, not installed by default • No DHCPv6 support • Install and enable IPv6 • Statically address servers
IPv6 and Windows 7/2008
• Enabled by default
• Bring up a router/firewall issuing router advertisements and *poof* - you have IPv6
• Statically address servers
• Configure and enable a DHCPv6 server
IPv6 Security Challenges
• Same stuff, different layer 3 protocol • Same attacks, new methods – NDP exhaustion attacks – Router Advertisement spoofing
• Lesser or absent support in existing security products – Firewalls, IDS/IPS, SIM/SIEM, vulnerability scanners, switches
• Commonly used “IP blacklists” as we know them, and similar per-address controls, don’t carry over to IPv6 as-is: one host can use any of the 2^64 addresses in its /64 (and privacy addresses change daily), so address-based controls have to work on prefixes, typically the /64 or /48, rather than individual addresses
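Two points from the slides above, the many textual spellings of one IPv6 address (the hexadecimal addressing slide) and the failure of per-address blacklists, are demonstrated together in this added example (not from the slides or pfSense): a parser that reduces addresses to RFC 5952 canonical form, and a blocklist that stores prefixes instead of addresses, aggregating each observed IPv6 host to its /64. The sample addresses are constructed; 2001:db8::/32 is documentation space. Python’s `ipaddress` module does the compression and containment checks.

```python
import ipaddress
from typing import Iterable, Set, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_addr(text: str) -> Addr:
    """Parse an address literal as it shows up in logs and traceroutes:
    strips surrounding brackets ([2620:0:1cfe:face:b00c::3]) and a zone index
    (fe80::1%em0), and folds an IPv4-mapped IPv6 address (::ffff:192.0.2.1),
    which is how a dual-stack daemon sees IPv4 clients, back to plain IPv4."""
    text = text.strip().strip("[]").split("%", 1)[0]
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def canonical(text: str) -> str:
    """RFC 5952 text form: lowercase hex, no leading zeros, the longest run of
    zero groups (and only a run of two or more) collapsed to '::'."""
    return str(parse_addr(text))


def naive_match(blocklist: Set[str], text: str) -> bool:
    """The IPv4-era approach: exact string compare. Fails for IPv6 because the
    same address has many valid spellings (case, leading zeros, where '::' goes)."""
    return text in blocklist


class PrefixBlocklist:
    """Block by prefix, not by address. With IPv6 the unit of attribution is the
    /64 a host lives in: it can use any of 2^64 addresses there, and SLAAC
    privacy addresses (RFC 4941) rotate daily, so a per-address entry would
    never match the same host twice."""
    V6_AGGREGATE = 64

    def __init__(self, entries: Iterable[str] = ()):
        self.nets = {ipaddress.ip_network(e, strict=False) for e in entries}

    def block(self, text: str):
        """Add the network containing this host; returns the entry actually added."""
        addr = parse_addr(text)
        if addr.version == 6:
            net = ipaddress.IPv6Network((int(addr), self.V6_AGGREGATE), strict=False)
        else:
            net = ipaddress.IPv4Network((int(addr), 32))  # IPv4 stays per-host
        self.nets.add(net)
        return net

    def is_blocked(self, text: str) -> bool:
        addr = parse_addr(text)
        return any(addr.version == net.version and addr in net for net in self.nets)


if __name__ == "__main__":
    # constructed sample log entries: one offending host under two spellings, and a
    # rotated privacy address in the same /64
    seen = ["2001:DB8:BAD:0:0:0:0:1", "2001:db8:bad::1", "[2001:db8:bad:0:1234:5678:9abc:def0]"]
    strings = {"2001:db8:bad::1"}
    print([naive_match(strings, s) for s in seen])  # only the exact spelling hits
    bl = PrefixBlocklist()
    bl.block(seen[0])
    print([bl.is_blocked(s) for s in seen])         # the whole /64 hits
```

Aggregating at /64 is the conservative default for a single LAN segment; for hosting providers that hand each customer a /48, escalate to /48 when several /64s inside it misbehave, since the customer, not the segment, is the actor.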
IPv6 Security Challenges
• Changes in vulnerability assessment techniques
• Changes in black hat techniques for compromising hosts
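Router Advertisement spoofing, named on the previous slide as one of the new methods, is detectable with a small amount of logic on a host or sensor that listens for ICMPv6 type 134. The following is an added example (not from the slides or pfSense): it parses an RA per RFC 4861 and compares the sending router and advertised SLAAC prefixes against what is expected on the segment. The packets, MACs and the fe80::1 / 2001:db8:1:10::/64 expectations are constructed for the demo; 2001:db8::/32 is documentation space.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ICMPv6 Neighbor Discovery constants (RFC 4861)
ND_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3
OPT_MTU = 5


@dataclass
class RouterAdvert:
    cur_hop_limit: int
    managed: bool          # M flag: hosts should use DHCPv6 for addresses
    other_config: bool     # O flag: hosts should use DHCPv6 for other config (DNS etc.)
    router_lifetime: int   # seconds usable as default router; 0 = not a default router
    prefixes: List[Tuple[ipaddress.IPv6Network, bool, bool]] = field(default_factory=list)  # (prefix, on-link, autonomous)
    source_mac: Optional[str] = None
    mtu: Optional[int] = None


def parse_ra(payload: bytes) -> RouterAdvert:
    """Parse an RA from the ICMPv6 payload (the bytes after the IPv6 header)."""
    if len(payload) < 16:
        raise ValueError("truncated ICMPv6 RA header")
    typ, code, _cksum, hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvert(hop, bool(flags & 0x80), bool(flags & 0x40), lifetime)
    off = 16
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated ND option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861 4.6: packet MUST be discarded
        body = payload[off + 2:off + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated ND option body")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, _valid, _preferred, _reserved = struct.unpack("!BBIII", body[:14])
            net = ipaddress.IPv6Network((body[14:30], plen), strict=False)
            ra.prefixes.append((net, bool(pflags & 0x80), bool(pflags & 0x40)))
        elif otype == OPT_SOURCE_LLADDR and olen == 1:
            ra.source_mac = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_MTU and olen == 1:
            ra.mtu = struct.unpack("!I", body[2:6])[0]
        off += olen * 8  # unknown option types are skipped, as RFC 4861 4.6 requires
    return ra


def check_ra(src: str, ra: RouterAdvert, trusted_routers, trusted_prefixes) -> List[str]:
    """Compare one RA against the routers and SLAAC prefixes expected on this segment."""
    src_addr = ipaddress.IPv6Address(src)
    routers = {ipaddress.IPv6Address(a) for a in trusted_routers}
    prefixes = {ipaddress.IPv6Network(p) for p in trusted_prefixes}
    findings = []
    if not src_addr.is_link_local:
        findings.append(f"RA source {src_addr} is not link-local; RFC 4861 requires fe80::/10")
    if src_addr not in routers:
        findings.append(f"RA from unknown router {src_addr} (MAC {ra.source_mac})")
    for net, _on_link, autonomous in ra.prefixes:
        if autonomous and net not in prefixes:
            findings.append(f"rogue SLAAC prefix {net} advertised by {src_addr}")
        if autonomous and net.prefixlen != 64:
            findings.append(f"SLAAC prefix {net} is not a /64; hosts cannot autoconfigure from it")
    if ra.router_lifetime == 0 and src_addr in routers:
        # legitimate on shutdown, but also how a spoofed RA removes everyone's default route
        findings.append(f"trusted router {src_addr} withdrew itself as default router (lifetime 0)")
    return findings


def build_ra(prefix: str, plen: int = 64, lifetime: int = 1800, mac: str = "00:11:22:33:44:55") -> bytes:
    """Construct an RA payload for testing (checksum left 0; the kernel fills it on send)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0)
    sll = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + bytes.fromhex(mac.replace(":", ""))
    # prefix option: L and A flags set, valid 30 days, preferred 7 days
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    return hdr + sll + pio


# constructed sample: fe80::1 advertising 2001:db8:1:10::/64 is the expected router,
# fe80::dead:beef advertising 2001:db8:dead:beef::/64 is a rogue
TRUSTED_ROUTERS = {"fe80::1"}
TRUSTED_PREFIXES = {"2001:db8:1:10::/64"}
LEGIT_RA = build_ra("2001:db8:1:10::")
ROGUE_RA = build_ra("2001:db8:dead:beef::", mac="de:ad:be:ef:00:01")

if __name__ == "__main__":
    for src, pkt in (("fe80::1", LEGIT_RA), ("fe80::dead:beef", ROGUE_RA)):
        for f in check_ra(src, parse_ra(pkt), TRUSTED_ROUTERS, TRUSTED_PREFIXES):
            print("ALERT:", f)
```

On a live host, feed `parse_ra` from a raw ICMPv6 socket filtered to type 134 and take `src` from the sender address; the hop limit of 255 that RFC 4861 also requires lives in the IPv6 header, so check it there before calling `check_ra`. A lifetime-0 RA that spoofs the real router’s address looks identical to a graceful shutdown, which is why the example reports it rather than deciding.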
Preparing for IPv6 Deployment
• Update/create network inventory – Client and server operating systems – Firewalls, VPNs, switches, routers, NAS, etc. – Outside hosted solutions • Web hosting • Email hosting • Anti-spam
Biggest “Gotchas” Encountered
• Adding AAAA records causing connectivity failures for some hosts – dual-stack clients whose IPv6 path is broken prefer the AAAA and time out before falling back to IPv4
• Adding AAAA records causing some applications to break
Immediate Action Items
• Staff training
• Evaluate current hardware and software compatibility
• Contact ISP(s) and WAN providers regarding support
• Contact outsourced providers (web hosting, SaaS, etc.) regarding support
• Set up a test environment
When to Deploy IPv6
• Native or equivalent connectivity available
• All services, applications and hardware tested and validated
• Staff up to speed
When will IPv4 go away?
• Ideally want to get back to one protocol • IPv4 will live on for a very long time • Impossible to say