ski monitoring ipv6 toku
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 1/31
Tomáš Podermański, Matěj Grégr
IPv6 - autoconfiguration
• Brand new autoconfiguration mechanisms
– Router advertisement (M/O flags)
– DHCPv6 uses DUID that does not contain MAC address of NIC
• Privacy extensions
– IPv6 addresses are created randomly by hosts
• Different platforms support different techniques
– Windows XP – SLAAC
– Windows Vista/7 – SLAAC + DHCPv6
– Mac OS, iOS – SLAAC only (except Lion – released 06/2011)
– Linux, BSD, … – depends on distribution
• You have to use both mechanisms in a real network
– DHCPv6 server, advertisements on router
– + DHCP(v4)
Host identification in IP(v4) and IPv6
• How it works in IPv4
– DHCP(v4) – based on MAC address
– Direct relation between MAC address, IP address, host
– IP address is pretty stable (one host can lease the same IP address for a long time)
– Usually only one IP(v4) address is assigned
• Can authentication through 802.1x help?
– Not directly, there is no relation between L2 authentication and IPv6 address
• Can a DHCPv6-only environment help?
– Not at all, there is no relation between DUID and MAC address
• A host usually has more IP addresses
Traffic for a single host
• Filter definition for nfdump (one host)
nfdump -6 -R . "
host 2001:67c:1220:e000:1d90:c54c:7183:2771 or
host 2001:67c:1220:e000:1d76:8ea4:1433:3a06 or
host 2001:67c:1220:e000:f8c7:b911:607e:ded3 or
host 2001:67c:1220:e000:fc24:ab74:10cc:a6b7 or
host 2001:67c:1220:e000:b9:bc89:32f3:36b8:e14e or
host 2001:67c:1220:e000:8c8b:37f0:9ecc:fc51 or
host 2001:67c:1220:e000:61ff:16c0:3d52:366"
• How to get accounting information for top n hosts?
• Who does the address XX:YY::AA:BB belong to?
Extended flow record
• Basic flow record
– key fields: src/dst address, src/dst port
– non-key fields: bytes, pkts
• Extended flow record
– MAC address: neighbor cache (NC), ARP table
– Switch port: forwarding database (FDB)
– Login: radius server
[Diagram: IP address → MAC address (via NC, ARP) → Switch port (via FDB) → Login ID (via radius)]
Where to get proper information
• Mapping IPv6/IPv4 address <-> MAC address
– neighbor cache, ARP table
– passive probes at local networks (ndwatch, arpwatch)
– SNMP MIB database on routers
• ipv6NetToMediaTable, ipNetToPhysicalTable
• Mapping MAC address – switch port
– SNMP MIB database on switches
• RFC 4188: BRIDGE-MIB
• RFC 4363: Q-BRIDGE MIB (dot1dTpFdbTable)
• Mapping MAC address – user identity
– radius server – 802.1x (authentication data)
– external source (DB, DHCP server, … )
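The three mappings above can be joined into an extended flow record. The following is an added example, not the authors' nftool code; the record layouts, sample addresses, MACs, logins and function names are assumptions, and plain dictionaries stand in for the NAV database. It resolves each flow's source address to the MAC seen in the neighbor cache at the flow's timestamp, then to switch port and login, so that several privacy addresses of one host are accounted to one user.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample data (documentation prefixes, made-up MACs and logins).
# Neighbor-cache / ARP sightings: (ip, mac, first_seen, last_seen) in UNIX seconds.
NEIGHBORS = [
    ("2001:db8:e000::1d90:c54c", "02:00:00:00:00:01", 1000, 2000),
    ("2001:db8:e000::f8c7:b911", "02:00:00:00:00:01", 1500, 4000),  # new privacy address, same NIC
    ("2001:db8:e000::8c8b:37f0", "02:00:00:00:00:02", 1000, 4000),
    ("2001:db8:e000::1d90:c54c", "02:00:00:00:00:03", 3000, 4000),  # address reused by another NIC
    ("192.0.2.10",               "02:00:00:00:00:01", 1000, 4000),  # same host over IPv4 (ARP)
]
FDB = {"02:00:00:00:00:01": "sw1:Gi0/5", "02:00:00:00:00:02": "sw1:Gi0/7"}  # MAC -> switch port
RADIUS = {"02:00:00:00:00:01": "alice", "02:00:00:00:00:02": "bob"}        # MAC -> 802.1x login
# Basic flow records: (timestamp, src address, bytes)
FLOWS = [
    (1200, "2001:db8:e000:0:0:0:1d90:c54c", 500),  # non-canonical spelling of a known address
    (1800, "2001:db8:e000::f8c7:b911", 700),
    (1900, "192.0.2.10", 100),
    (2500, "2001:db8:e000::8c8b:37f0", 300),
    (3500, "2001:db8:e000::1d90:c54c", 900),       # after reuse: must not be charged to alice
    (3600, "2001:db8:e000::dead:beef", 50),        # never seen in the neighbor cache
]

def build_index(neighbors):
    """Index sightings by parsed address so textual variants compare equal."""
    index = defaultdict(list)
    for ip, mac, first, last in neighbors:
        index[ip_address(ip)].append((first, last, mac))
    return index

def extend_flow(flow, index, fdb=FDB, radius=RADIUS):
    """Return the flow plus MAC, switch port and login valid at the flow's timestamp."""
    ts, src, nbytes = flow
    mac = next((m for first, last, m in index.get(ip_address(src), [])
                if first <= ts <= last), None)
    return {"ts": ts, "src": src, "bytes": nbytes, "mac": mac,
            "port": fdb.get(mac), "login": radius.get(mac)}

def bytes_per_login(flows, neighbors):
    """Sum bytes per login; flows that cannot be attributed are collected under None."""
    index = build_index(neighbors)
    totals = defaultdict(int)
    for flow in flows:
        totals[extend_flow(flow, index)["login"]] += flow[2]
    return dict(totals)

if __name__ == "__main__":
    print(bytes_per_login(FLOWS, NEIGHBORS))
```

The `None` bucket is worth watching: it holds traffic from addresses that were never seen in the neighbor cache or whose MAC has no authentication record.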
Architecture of the system
• netflow/ipfix exports
• flowmon probes
• nfdump toolset http://nfdump.sourceforge.net/
[Diagram labels: netflow collector, NetFlow v9]
• Network Administration Visualized (NAV) http://metanav.uninett.no/
[Diagram labels: collecting NC, ARP; radius data; radius servers; SNMP]
• Home made nftool
• User ID mapped to mpls tags
Architecture of nftool
• Periodic process
– Obtain data from NAV database (PostgreSQL)
– Update information in nfdump files
[Diagram: flow data (flat files) → nftool → flow data (updated flat files); NAV DB → nftool]
Architecture of the DR system
• CLI interface – nfdump
A few examples of usage
• Traffic belonging to host with MAC 58:1f:aa:82:39:6c
nfdump -R . "mac 58:1f:aa:82:39:6c"
• Aggregated traffic for each MAC
nfdump -R . -a -A insrcmac,outsrcmac
• Aggregated traffic for each user
nfdump -R . -a -A mpls1,mpls2
• All traffic belonging to user with ID 183
nfdump -R . -a -A insrcmac,outsrcmac "(mpls label1 183 or mpls label2 183)"
Problems to solve
• Extension of nfdump
– Not misusing mpls fields for user identification
– Patches for nfdump?
• NAV: some parts written in Java
– developers are working on moving to Python