IPv6 WiFi Experiences
DESCRIPTION
Real-world IPv6 WiFi scenarios presented at PLNOG 2012. In addition, information is included around why IPv6 is important and the top drivers for Enterprises to deploy it.
TRANSCRIPT
© 2012 Cisco and/or its affiliates. All rights reserved.
IPv6 WiFi Experiences
Andrew Yourtchenko, Technical Leader
Presented at PLNOG 2012
IPv6 deployment
Chart (6lab.cisco.com/stats): IPv6 deployment measured across Internet transit, content and users.
Diagram: CGN between the IPv4 and IPv6 sides.
Chart: 2011 / 2013 / 2015 projections for two transition scenarios, CGN only versus 6rd + CGN.
Your Phone has it!
Practice: IPv6 devices on wireless
Dualstack-capable: 47.5% -> 77.5%
IPv6-using: 80.6% -> 87.3%
With this level of client support, you cannot ignore IPv6 even if you do not provide it.
Node A sending off-link traffic to C
• Attacker tricks the victim into accepting it as the default router
• Based on rogue Router Advertisements
• The most frequent threat, typically caused by a non-malicious user
Diagram (A = victim, B = legitimate router, C = attacker):
  RA from C: Src = C's link-local address, Dst = All-nodes, Data = router lifetime, autoconfig flag, Options = subnet prefix, slla
  RA spoofing B: Src = B's link-local address, Dst = All-nodes, Data = router lifetime = 0
• Attacker spoofs Router Advertisement with false on-link prefix
• Victim generates IP address with this prefix
• Access router drops outgoing packets from victim (ingress filtering)
• Incoming packets can't reach victim
Node A sourcing off-link traffic to B with BAD::A
Diagram (A = victim, B = access router, C = attacker):
  RA from C spoofing B: Src = B's link-local address, Dst = All-nodes, Options = prefix BAD, Preferred lifetime
  A computes BAD::A and performs DAD on it
  B filters out BAD::A
  RA from C spoofing B: Src = B's link-local address, Dst = All-nodes, Options = prefix X, Preferred lifetime = 0
  A deprecates X::A
• Attacker can claim victim's IP address
Diagram (A = victim, B = node whose address A resolves, C = attacker):
  NS from A: Dst = Solicited-node multicast address of B, Query = what is B's link-layer address?
  NA from C: Src = B or any C's IF address, Dst = A, Data = B, Option = link-layer address of C
• Attacker answers every DAD attempt of the victim
• Victim can't configure an IP address and can't communicate
Diagram (A = victim, C = attacker):
  NS from A: Src = UNSPEC, Dst = Solicited-node multicast address of A, Data = A, Query = Does anybody use A already?
  NA from C ("it's mine!"): Src = any C's IF address, Dst = A, Data = A, Option = link-layer address of C
Diagram: wireless client (IPv6 over 802.11) <-> Access Point <-> CAPWAP tunnel <-> controller <-> Ethernet IPv6 VLAN, with these protections:
• Router Advertisement Guard: RA from client dropped at the Access Point (Local and FlexConnect modes)
• IPv6 Source Guard: packets with undesired IPv6 addresses/prefixes dropped at the controller
• DHCPv6 Server Guard: DHCPv6 Advertisement from a client blocked at the controller
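The rogue RA scenarios above (a host advertising itself as default router, a lifetime-0 RA spoofing the real router's link-local address, a bogus on-link prefix) are exactly what RA Guard on the access point is meant to stop. The following Python is an added example, not code from the presentation or from any Cisco product: it parses ICMPv6 Router Advertisements and applies an RA Guard style verdict that drops any RA arriving on a client-facing port and, on the uplink, only admits RAs from a known router advertising known prefixes. The trusted router fe80::1, the prefix 2001:db8:100::/64, the port roles and the sample packets are constructed assumptions.

```python
"""Parse ICMPv6 Router Advertisements and apply an RA Guard style verdict.

Added example, not code from the presentation. The trusted-router list,
port roles and sample packets are constructed for illustration.
"""
import ipaddress
import struct

ICMPV6_RA = 134        # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_SLLA = 1           # Source Link-Layer Address option
OPT_PREFIX_INFO = 3    # Prefix Information option

# Constructed policy: the one legitimate router (B) and the prefix it serves.
TRUSTED_ROUTERS = {"fe80::1"}
ALLOWED_PREFIXES = {"2001:db8:100::/64"}


def build_ra(router_lifetime, prefixes=(), slla=None, flags=0):
    """Build an RA message body (checksum left zero; used only as sample input)."""
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags,
                      router_lifetime, 0, 0)
    if slla is not None:
        msg += struct.pack("!BB", OPT_SLLA, 1) + bytes.fromhex(slla.replace(":", ""))
    for prefix, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        # L and A flags set: on-link and usable for SLAAC
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           preferred, preferred, 0) + net.network_address.packed
    return msg


def parse_ra(msg):
    """Decode the RA header and its Prefix Information / SLLA options."""
    if len(msg) < 16:
        raise ValueError("truncated RA header")
    typ, _code, _csum, _hops, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", msg[:16])
    if typ != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": lifetime, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "prefixes": [], "slla": None}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861: discard the packet
        end = off + olen * 8
        if end > len(msg):
            raise ValueError("option runs past end of message")
        body = msg[off + 2:end]
        if otype == OPT_SLLA and len(body) >= 6:
            ra["slla"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _res = struct.unpack("!BBIII", body[:14])
            addr = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({"prefix": f"{addr}/{plen}", "valid": valid,
                                   "preferred": preferred,
                                   "autonomous": bool(pflags & 0x40)})
        off = end
    return ra


def ra_guard(ingress_role, src_ll, ra):
    """Return (verdict, reason). As on the slide, any RA arriving from a
    client-facing 802.11 port is dropped, so both the rogue-router RA and the
    lifetime=0 RA spoofing B's link-local address never reach the VLAN."""
    if ingress_role == "client":
        return "drop", "RA received on client-facing port"
    if src_ll not in TRUSTED_ROUTERS:
        return "drop", f"untrusted router source {src_ll}"
    bad = [p["prefix"] for p in ra["prefixes"] if p["prefix"] not in ALLOWED_PREFIXES]
    if bad:
        return "drop", "unexpected prefix " + ", ".join(bad)
    return "permit", "trusted router, known prefixes"


# Constructed sample frames: (name, ingress role, IPv6 source, RA bytes)
SAMPLE_FRAMES = [
    ("legit RA from B on uplink", "uplink", "fe80::1",
     build_ra(1800, [("2001:db8:100::/64", 600)], slla="00:11:22:33:44:55")),
    ("rogue router RA from C on 802.11", "client", "fe80::c",
     build_ra(1800, [("2001:db8:100::/64", 600)], slla="de:ad:be:ef:00:0c")),
    ("lifetime=0 RA spoofing B on 802.11", "client", "fe80::1", build_ra(0)),
    ("bogus prefix RA claiming B on uplink", "uplink", "fe80::1",
     build_ra(1800, [("2001:db8:bad::/64", 600)])),
]


def evaluate_samples():
    """Run every sample frame through the parser and the guard."""
    return [(name, ra_guard(role, src, parse_ra(pkt))[0])
            for name, role, src, pkt in SAMPLE_FRAMES]


if __name__ == "__main__":
    for name, verdict in evaluate_samples():
        print(f"{verdict:6} {name}")
```

The port-role check comes first on purpose: on a WLAN no client should ever originate an RA, so the guard does not need to trust the IPv6 source address (which the lifetime-0 scenario spoofs) to make its decision.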
• Support for many IPv6 addresses per client is necessary because:
  - Clients can have multiple address types per interface
  - Clients can be assigned addresses via multiple methods such as SLAAC and DHCPv6
  - Most clients automatically generate a temporary address in addition to assigned addresses
• Up to 8 IPv6 addresses are tracked per client.
• You want prefix lifetimes as short as possible: only 8 slots in the table, a new address on each re-association, IPv6 blackhole if they are not short enough
• You want them as long as possible: less ND chatter, more temporary-address stability
Diagram: factors that interact when choosing prefix lifetimes: FHS binding table size (8), FHS timeouts, prefix lifetimes, SSID reconnection (volatility), device wakeups; goals pulling in opposite directions: avoid blackholing versus ND chatter and address stability.
• Experimental value for a conference environment: ~30 minutes => 30-minute prefix lifetime ... works, but very, very chatty
• FHS binding table management logic changes to accommodate clients' behavior (7.3 should have these changes)
• With 7.2, use stateful DHCPv6
Meanwhile, you need to continue to provide IPv4 as well…
Type "example.com" and press Enter:
  A? "example.com" -> connect 192.0.43.10
  AAAA? "example.com" -> connect 2001:500:88:200::10
  GET / HTTP/1.1
  Host: example.com
Can we go IPv6-only ?
Diagram: IPv6-only clients (IPv6) <-> Stateful NAT64 (6:4 / 4:6) <-> Dualstack + IPv4 servers (IPv4)
Diagram: IPv6 Internet <-> Stateful NAT64 (6:4 / 4:6) <-> IPv4 Internet
Stateful NAT64 allows hosts on the IPv6 network to connect to the IPv4 network by dedicating an IPv6 prefix that represents the translated IPv4 Internet. This allows a twofold use:
- IPv6-enable the internal IPv4-only services
- allow the internal IPv6-only network to talk to the IPv4 Internet
Stateful NAT64 in action: IPv6-only client on the IPv6 Internet -> IPv4-only server 72.163.4.161 (NAT64 router asr1knat64-xtr, IPv6 side Gig0/0/1, IPv4 side Gig0/0/0)
1. Client -> Gig0/0/1 (IPv6):
   s: [2607:f128:42:73::2]:37897
   d: [2610:d0:1208:cafe::72.163.4.161]:80
2. Translation state on the NAT64:
   asr1knat64-xtr#sh nat64 trans tcp
   72.163.4.161:80  [2610:d0:1208:cafe::48a3:4a1]:80  153.16.17.82:1056  [2607:f128:42:73::2]:37897
3. Gig0/0/0 -> server (IPv4):
   s: 153.17.16.82:1056
   d: 72.163.4.161:80
4. Server -> Gig0/0/0 (IPv4):
   s: 72.163.4.161:80
   d: 153.17.16.82:1056
5. Gig0/0/1 -> client (IPv6):
   s: [2610:d0:1208:cafe::72.163.4.161]:80
   d: [2607:f128:42:73::2]:37897
DNS64
DNS64 creates a synthetic AAAA record for a host from its A record when no real AAAA record exists in DNS. This automatically directs IPv6-only clients to the corresponding address inside the NAT64 prefix. BIND provides this functionality since 9.8.0; CNR's DNS server can also perform the same function.
Flow 1: a real AAAA record exists (0: DNS64 configured with prefix 2610:d0:1208:cafe::1/96)
1. Client -> DNS64: AAAA? example.com
2. DNS64 -> authoritative nameserver for example.com: AAAA? example.com (*)
3. Authoritative nameserver -> DNS64: AAAA = 2001:500:88:200::1
4. DNS64 -> client: AAAA = 2001:500:88:200::1
(*) DNS hierarchy traversal omitted for brevity
Flow 2: no AAAA record exists (0: DNS64 configured with prefix 2610:d0:1208:cafe::1/96)
1. Client -> DNS64: AAAA? example.com
2. DNS64 -> authoritative nameserver for example.com: AAAA? example.com
3. Authoritative nameserver -> DNS64: No (no AAAA record)
4. DNS64 -> authoritative nameserver: A? example.com
5. Authoritative nameserver -> DNS64: A = 192.0.43.10
6. DNS64 synthesizes AAAA = 2610:d0:1208:cafe::192.0.43.10
7. DNS64 -> client: the synthesized AAAA
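The two DNS64 flows and the NAT64 packet walk-through above share one mechanism: the IPv4 address is carried in the low 32 bits of the /96 NAT64 prefix (2610:d0:1208:cafe::192.0.43.10 is the same address as 2610:d0:1208:cafe::c000:2b0a). The Python below is an added example, not code from the presentation or from the BIND, CNR or ASR1k implementations: it synthesises AAAA records the way DNS64 step 6 does, recovers the embedded IPv4 destination on the NAT64 side, and keeps a minimal stateful 6:4 / 4:6 binding table so that only replies to IPv6-initiated flows are let back in. The prefix, client, server and pool addresses and the port numbers are the ones on the slides; the zone data (example.com with an A record only, a constructed v6.example.com with a real AAAA) and the sequential port allocation are assumptions for illustration.

```python
"""DNS64 AAAA synthesis and a stateful NAT64 translation table.

Added example, not code from the presentation or any vendor implementation.
Prefix, addresses and ports come from the slides; the binding-table logic
and the DNS record set are constructed for illustration.
"""
import ipaddress

# From the slides: the /96 dedicated to represent the IPv4 Internet
NAT64_PREFIX = ipaddress.IPv6Network("2610:d0:1208:cafe::/96")


def synthesize_aaaa(ipv4, prefix=NAT64_PREFIX):
    """DNS64 step 6: embed the A record in the low 32 bits of the /96 (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(str(ipv4))
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=NAT64_PREFIX):
    """NAT64 side: recover the embedded IPv4 destination, or None when the
    destination is outside the NAT64 prefix (then it is routed natively)."""
    addr = ipaddress.IPv6Address(str(ipv6))
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_resolve(name, records, prefix=NAT64_PREFIX):
    """Resolver behaviour of the two DNS64 flows: a real AAAA answer is returned
    unchanged (flow 1); otherwise every A record is synthesised (flow 2)."""
    real = records.get((name, "AAAA"))
    if real:
        return [ipaddress.IPv6Address(a) for a in real]
    return [synthesize_aaaa(a, prefix) for a in records.get((name, "A"), [])]


class StatefulNat64:
    """Minimal 6:4 / 4:6 binding table: one pool address, ports handed out
    sequentially, reverse bindings only for flows the IPv6 side initiated."""

    def __init__(self, prefix, pool_ipv4, first_port=1024):
        self.prefix = prefix
        self.pool = str(ipaddress.IPv4Address(pool_ipv4))
        self.next_port = first_port
        self.v6_to_v4 = {}   # (v6 src, sport, v6 dst, dport) -> (pool, port, v4 dst, dport)
        self.v4_to_v6 = {}   # (v4 src, sport, pool, port)   -> (v6 src, sport, v6 dst, dport)

    def outbound(self, v6_src, sport, v6_dst, dport):
        """IPv6 -> IPv4 direction (slide steps 1 to 3)."""
        v4_dst = extract_ipv4(v6_dst, self.prefix)
        if v4_dst is None:
            return None  # not for the NAT64 prefix: plain IPv6 forwarding
        key = (str(ipaddress.IPv6Address(v6_src)), sport,
               str(ipaddress.IPv6Address(v6_dst)), dport)
        if key not in self.v6_to_v4:
            port = self.next_port
            self.next_port += 1
            self.v6_to_v4[key] = (self.pool, port, str(v4_dst), dport)
            self.v4_to_v6[(str(v4_dst), dport, self.pool, port)] = (
                str(synthesize_aaaa(v4_dst, self.prefix)), dport, key[0], sport)
        return self.v6_to_v4[key]

    def inbound(self, v4_src, sport, v4_dst, dport):
        """IPv4 -> IPv6 direction (slide steps 4 and 5). None means no binding
        exists, so an unsolicited IPv4 packet is dropped."""
        return self.v4_to_v6.get((str(ipaddress.IPv4Address(v4_src)), sport,
                                  str(ipaddress.IPv4Address(v4_dst)), dport))


# Constructed zone data: example.com has an A record only; v6.example.com has a real AAAA
RECORDS = {
    ("example.com", "A"): ["192.0.43.10"],
    ("v6.example.com", "A"): ["192.0.43.11"],
    ("v6.example.com", "AAAA"): ["2001:500:88:200::1"],
}


def demo():
    """Reproduce the slide's session: client [2607:f128:42:73::2]:37897 to
    72.163.4.161:80 through pool address 153.16.17.82, port 1056."""
    nat = StatefulNat64(NAT64_PREFIX, "153.16.17.82", first_port=1056)
    out = nat.outbound("2607:f128:42:73::2", 37897, "2610:d0:1208:cafe::72.163.4.161", 80)
    back = nat.inbound("72.163.4.161", 80, "153.16.17.82", 1056)
    return {"synth": [str(a) for a in dns64_resolve("example.com", RECORDS)],
            "real": [str(a) for a in dns64_resolve("v6.example.com", RECORDS)],
            "outbound": out, "inbound": back}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Because the binding is created only on the IPv6-to-IPv4 path, an IPv4 packet that matches no entry returns None from inbound() and is dropped; this is the behaviour that makes stateful NAT64 a one-way door for the IPv4 Internet, and it is also why the IPv4-only services in the "twofold use" case have to be reached through the NAT64 prefix rather than addressed directly.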
Diagram: IPv6 hosts (Gig0/0/1) <-> Stateful NAT64 (6:4 / 4:6) <-> IPv4 hosts (Gig0/0/0)
NAT64 configuration:
  nat64 prefix stateful 2610:d0:1208:cafe::/96
  nat64 v4 pool NAT64GLOBAL 153.16.17.82 153.16.17.82
  nat64 v6v4 list NAT64LIST pool NAT64GLOBAL overload
  nat64 logging translation flow-export v9 udp dest 192.168.0.2 9995
  ipv6 access-list NAT64
   permit ipv6 any 2610:d0:1208:cafe::/96
  interface Gig0/0/1
   nat64 enable
  interface Gig0/0/0
   nat64 enable
• Users complained about: Facetime, other video apps, most of the VPNs
• What worked well: everyday browsing, Facebook
Chart: 85% / 15%
• Proxy-ARP on IPv4 by IPv6-unaware apps: standards behavior; solved by a "fake" DHCPv4 address (e.g. from 100.64.0.0/16) + ACL on the first router
• Mobile clients are tricky: apps need testing in new versions (iOS 6...), DHCPv6 support...
• However, the situation is slowly improving
If we still need some IPv4, can we minimize the headache ?
NAT
“NAT” in this presentation means “stateful translation”
Diagram: 2001:db8::/32 delegated as 2001:db8:1::/48, 2001:db8:2::/48, 2001:db8:3::/48, 2001:db8:4::/48, 2001:db8:5::/48
128-bit IPv6 address: Prefix (32) | EA (16) | SN (16) | IID (64)
The EA bits map to: IPv4 public addr = Prefix (24) + (8) EA bits; Public port range = Ports (8) EA bits
Diagram: 2001:db8::/32 with 2001:db8:1::/48, 2001:db8:2::/48, 2001:db8:3::/48, 2001:db8:4::/48, 2001:db8:5::/48; each /48 runs its own NAT.
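The two MAP diagrams above show how the 16 EA bits of a subscriber's /48 are split into 8 bits of IPv4 address suffix and 8 bits of port range, so that many /48s share one public IPv4 address while each keeps its own NAT and a disjoint port set. The Python below is an added example, not code from the presentation or from any MAP implementation: it derives the shared IPv4 address and the port set from an end-user prefix, and shows the reverse lookup (port to PSID) a border relay performs on inbound IPv4 packets. The IPv6 rule prefix 2001:db8::/32 and the 8/8 EA split come from the slide; the IPv4 rule prefix 192.0.2.0/24, the end-user prefixes 2001:db8:1234::/48 and 2001:db8:1235::/48, and the PSID offset of 6 (the RFC 7597 default, which keeps ports 0 to 1023 out of every set) are assumptions for the example.

```python
"""MAP address derivation: end-user IPv6 prefix -> shared IPv4 address + port set.

Added example, not from the presentation. The IPv6 rule prefix and the 16 EA
bits split 8/8 follow the slide; the IPv4 rule prefix, the end-user prefixes
and the PSID offset of 6 (RFC 7597 default) are assumptions.
"""
import ipaddress


def map_derive(user_prefix, rule_v6="2001:db8::/32", rule_v4="192.0.2.0/24",
               ea_len=16, psid_offset=6):
    """Split the EA bits of an end-user prefix into the IPv4 suffix and the PSID,
    then expand the PSID into the public port set this subscriber may use."""
    v6 = ipaddress.IPv6Network(user_prefix)
    r6 = ipaddress.IPv6Network(rule_v6)
    r4 = ipaddress.IPv4Network(rule_v4)
    if v6.prefixlen != r6.prefixlen + ea_len or not v6.subnet_of(r6):
        raise ValueError("end-user prefix does not match the MAP rule")
    v4_suffix_len = 32 - r4.prefixlen           # 8 on the slide
    psid_len = ea_len - v4_suffix_len           # 8 on the slide
    # EA bits sit right after the rule prefix: bits 32..47 of the address
    ea = (int(v6.network_address) >> (128 - v6.prefixlen)) & ((1 << ea_len) - 1)
    v4_suffix = ea >> psid_len
    psid = ea & ((1 << psid_len) - 1)
    ipv4 = ipaddress.IPv4Address(int(r4.network_address) | v4_suffix)
    # Port layout: A (psid_offset bits) | PSID (psid_len bits) | M (remaining bits).
    m_bits = 16 - psid_offset - psid_len
    ports = [(a << (16 - psid_offset)) | (psid << m_bits) | m
             for a in range(1, 1 << psid_offset)   # a = 0 excluded: system ports
             for m in range(1 << m_bits)]
    return {"ipv4": str(ipv4), "psid": psid, "ports": ports}


def port_to_psid(port, psid_offset=6, psid_len=8):
    """Reverse step for inbound IPv4 traffic: which subscriber (PSID) owns this port?"""
    return (port >> (16 - psid_offset - psid_len)) & ((1 << psid_len) - 1)


def demo():
    """Two constructed /48s under 2001:db8::/32 that share one IPv4 address."""
    a = map_derive("2001:db8:1234::/48")
    b = map_derive("2001:db8:1235::/48")
    return a, b, set(a["ports"]).isdisjoint(b["ports"])


if __name__ == "__main__":
    a, b, disjoint = demo()
    for sub in (a, b):
        print(sub["ipv4"], "PSID", sub["psid"], "ports", sub["ports"][0], "..",
              sub["ports"][-1], f"({len(sub['ports'])} ports)")
    print("port sets disjoint:", disjoint)
```

With an 8-bit PSID and a 6-bit offset each subscriber gets 63 blocks of 4 ports (252 ports in total), and because the PSID occupies the same bit positions in every port, the relay can map any inbound port back to its /48 without a state table; that statelessness is the property that distinguishes MAP from the stateful NAT64 and CGN shown earlier.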
• http://6lab.cisco.com/map
• draft-ietf-softwire-map: http://tools.ietf.org/html/draft-ietf-softwire-map
Thank you.