  • IPv6 Summit in SAPPORO 2018

    March 12, 2018

    version 1.0

    Copyright © 2018 Yoshiaki Kitaguchi, All rights reserved.



  • IPv6

    IPv4O R1I IPv6O R1I A 2IPv6O R1I IPv4O R1I 8

    IPv4O R1I0IPv6O R1I0 P IO R1IIPv4 6 O R1I S


    IPv6 ≠ IPv6


  • IPv6


    IPv6• S0 128DoS n• P 8• IPv6 128 0• IPv6 6 6• IPv6 6 t 6• O 0O 6• R 0 SA P 128 v

    IPv6• IR 128• 0 i 128• u 8 6m



  • DoSP R X

    IPv6I X I IPv4 T P R nIPv4 D u v D Dt D BA

    Type 0 I IPO T6 v0 P R X RH06 2007 6

    v P Rmv I I SX




  • DoSx

    RFC 5095ORH0F v RFC 8200E CiA [ Rp F

    iA [ SvP S Type 0 S SORouting TypeOSp F

    Type 2 e[iIPOrm


    Routing Type (IANA registry, as of 2017.11):

    Type    Description                                                               Reference
    0       Source Route (deprecated)                                                 [RFC 5095][RFC 8200]
    1       Nimrod routing system (deprecated 2009-05-06)
    2       Type 2 Routing Header (used by MIPv6)                                     [RFC 6275]
    3       RPL (Routing Protocol for Low-Power and Lossy Networks) Source Route Header  [RFC 6554]
    4-252   Unassigned
    253     RFC3692-style experiment
    254     RFC3692-style experiment
    255     Reserved

    https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#ipv6-parameters-3


  • 2RFC 5722R O A t v OPS n O 2IPv4

    2atomic fragment 2RFC 6946M =0 R =0 2 8

    8 i Aum1 2RFC 7112

    IPv6 v O I OPS n 1


    0 6


  • i mI 8 O n

    ICMP 0 1S IR

    P I 2 8 A nRFC 8200 6


  • IPv6P 0R 1fec0::/102IPv4A i VPN vNAPT 8 → RFC 3879A

    uRDNSS I well-known 0S

    draft-ietf-ipv6-dns-discovery (Expired): Windows 8.1 still uses fec0:0:0:ffff::1, 2, 3 as well-known IPv6 RDNSS addresses

    ULA (Unique Local IPv6 Unicast Address) (RFC 4193): fc00::/7

    m I 1NAPT 2ULA 6ACL 1 0 A bogon O 2


  • IPv6IPv6 PNAT/NAPT

    IPv4 NAPT PNAT66 uA I t PLinux ip6tables t 8 VMware

    NPTv6 u RFC 629686 IS S R1 1u n

    IETF NPTv6 I m

    i6 SI v

    Ingress SPI8NAT O n P I


  • IPv6IPv6 2

    IPv6 vt IIDMAC 1Modified EUI-64 RFC 4861

    R 8 Im v iSMAC v P RiS i RFC 4941v 2 R 8 n

    n P 6iS P 1Semantically Opaque RFC 7217

    R PIID 2 m vR AIID8 O 8 A

    macOS Linux P0

    RFC 8064 IID

    With an n-bit IID, the prefix part of the address is 128 - n bits

    IPv6 normally uses IID = 64 bit, so n = 64


  • IPv6IPv6 Iu

    Leading "0"s in a 16-bit field MAY be omitted: 2001:0db8:cafe:0000:0000:0000:0000:0101 → 2001:db8:cafe:0:0:0:0:101

    A run of consecutive all-"0" fields MAY be replaced by "::": 2001:db8:cafe:0:0:0:0:101 → 2001:db8:cafe::101

    8 R

    I i Pn t


    u I /m II

    One address, several valid text forms:

    2001:db8:0:0:1:0:0:1

    2001:0db8:0:0:1:0:0:1

    2001:db8::1:0:0:1

    2001:db8:0:0:1::1

    2001:db8::0:1:0:0:1

    2001:DB8:0:0:1::1


  • IPv6 address text representation: the recommended form (MUST) (RFC 5952)

    Leading "0"s in each field MUST be suppressed, and "::" MUST be used to shorten a run of zero fields as much as possible

    "::" MUST NOT be used to shorten a single 16-bit zero field (hextet)

    2001:db8::1:1:1:1:1 → NG (only one zero field); correct form: 2001:db8:0:1:1:1:1:1

    Hexadecimal digits MUST be lowercase

    v v m 6IO O IP S P

    PostgreSQL I R 0 S P A


    hextet ( / 16 I-D RFC


  • i 0 i i DoSR i i mn A I 0

    NDP P DoSIPv4 v 6 /30 t AIPv6 /127 t v 1RFC 36272

    S 0 O 0P 8

    /127 S 0 O 0P 1RFC 61642i 0 i /127 t A


    IPv4 /30        IPv6 /127
    192.168.0.0     2001:db8::0
    192.168.0.1     2001:db8::1
    192.168.0.2     -
    192.168.0.3     -

    2001:db8::/64

    2001:db8::1

    2001:db8::2

    2001:db8::3 ~ 2001:db8::ffff:ffff:ffff:ffff

    u


  • NDP 6NDP

    NDP 5 S


    "ARP" equivalent: resolving the link-layer (MAC) address for an IP address

    "SLAAC": stateless address autoconfiguration

    "DAD": duplicate IP address detection ("RFC 5227" is the IPv4 counterpart)

    IP

    n I P

    "RS" (Router Solicitation)    ICMPv6 type 133

    "RA" (Router Advertisement)   ICMPv6 type 134

    "NS" (Neighbor Solicitation)  ICMPv6 type 135

    "NA" (Neighbor Advertisement) ICMPv6 type 136


  • NDP0 I A

    I u 1SLAAC2A


    0 A

    0 B

    MACI 1NS2v AMACI 1 S 2

    6

    1NA2R0P I 0 6i

    8A

    v

    0 A

    0R

    0I

    O 0I

    DAD DAD

    1NS26 I A m6

    The host sends a Router Solicitation (RS) to ff02::2 (all routers)

    The router sends a Router Advertisement (RA) to ff02::1 (all nodes)

    O 0 I t

    1NS26 I A m6

    1 6 I t2

    u


  • RAuO 1 6 NDP

    6 6 S S R8t 0 8 v R

    IPv4 ARPA R 0S R IRA RFC 6104

    6 O2S i Im 0 n 8 vRAI n A P1O 8 v


    RA1 1


  • RAu RA S 1

    SEND SEcure Neighbor DiscoveryNDP vn DoS n 2 A 8A 2 m A8 8

    IEEE802.1XS 8

    NDP R NDPMon

    2 O P 22 I 2

    A 2 mu RA rafixd

    u RA i RA 6Router Lifetime=0 2 t


  • 6 0 6 8 9RA8 m

    t RFC 41916AmAt high” iA 6

    RA-Guard RFC 61056 AmL2 ION RAAIngressRR S Pm D RA-Guard nA

    R S P OPAm u 6RD-GuardA A RFC 71136


    v

    RFC 6980 RA-Guard m


  • NDP 6 DoSm n 1NA2 Am R I 1ARP 2

    IP O uDAD 6 8 IP O t

    S O 6 0 v

    DHCP 0 iNDP i


    (figure: NA / DAD exchange on the IPv6 prefix 2001:db8:0:1::/64, host address 2001:db8:0:1::1)


  • NA 1 RAm A 2

    NDP S

    DHCPv6-shield1RFC 76102DHCPv6 0 6 v

    RA-GuardA L2 P I

    u ND/RA 0 1RFC 658320

    IPv6 8 nNDP R

    I i OO t





  • IPv6 over IPv4P RIPv6 vIPv6n IPv4 1R P 8 t

    P R AIPv4 A 6 u

    IPv6 I A 2 RAP R A 8 um

    6to40Teredo


    (figure: IPv6 traffic such as HTTP, SMTP carried over an IPv4 tunnel, e.g. Teredo)


  • mISATAP1 t 6 IPv6 2

    86to41IPv4 i2 IPv6

    6to4 2 2 S O A 8IPv4 i2 m I

    6rd16to4 ISPt IPv6 nv6to4 2 ISPt

    Teredo1IPv4 NAT 2 IPv6AWindowsA R A 8m 8Windows 10 6 IP 2

    6 RFC 7123O Teredo 3544/udp

    IPv6u 80

  • 2RFC 6724 IIPv4 86to4 I 6

    u OS RFC 6724 α A I6to4 2RFC 7526

    IPv6 O 8v S t6to4 1 1

    UDP S P R 2RFC 6935n m n i


    Default policy table (RFC 3484):

    Prefix          Precedence  Label
    ::1/128         50          0
    ::/0            40          1
    2002::/16       30          2
    ::/96           20          3
    ::ffff:0:0/96   10          4

    Default policy table (RFC 6724):

    Prefix          Precedence  Label   Note
    ::1/128         50          0
    ::/0            40          1
    ::ffff:0:0/96   35          4       IPv4 (IPv4-mapped)
    2002::/16       30          2       6to4
    2001::/32        5          5       Teredo
    fc00::/7         3         13       ULA
    ::/96            1          3       IPv4-compatible
    fec0::/10        1         11       site-local
    3ffe::/16        1         12       6bone


  • IPv4 IPv6 I IPv6 mv 2DNS64/NAT64 RFC 6146, RFC 6147IPv6P I i

    NAT64 tIPv4 NAPT IPsec A 6TCP SYN R64 O un8 S

    IPv4

    DNS64 NAT64mA 64 ODoS 1 O O R 1


  • DNS64/NAT64IPv6 2 8 6IPv4 IP

    DNS64: at the DNS level, maps an IPv4 address to a synthesized IPv6 address; NAT64: translates the IPv6 packets sent to that address into IPv4 packets

    DNS64/NAT64 IPv4 2 8


    (figure: DNS64/NAT64 flow between an IPv6-only client and an IPv4-only server)

    DNS64: the DNS answer for the IPv4 server is synthesized as 192.0.2.1 ⇒ 64:ff9b::c000:201

    NAT64: IPv6 packets to 64:ff9b::c000:201 ⇒ 192.0.2.1, with the client's IPv6 source address replaced by an IPv4 address

    64:ff9b::/96 is the well-known prefix for DNS64/NAT64 (IPv4 address embedded in the low 32 bits of the IPv6 address)


  • IPv6 nSLAAC2 IPv6 nDHCPv62 IPv6 n

    n n iA

    RA RDNSS (Recursive DNS Server) option: RFC 8106


    SLAAC DHCPv6 DHCP

    1 (1) 66 (2) 6 6

    S 1 (1) 6O RDNSS 6 (3) 6

    R RFC 4191 6 1 (1)

    (1) IETF draft-ietf-mif-dhcpv6-route-option (expired)

    (2) S I m

    (3) RDNSS option: RFC 6106 -> RFC 8106


  • SLAAC DHCPv6 RFC 4861

    A (autonomous address-configuration) flag: =1 means hosts configure an address from the advertised prefix by SLAAC

    O (other configuration) flag: =1 means other configuration information (not addresses) is available via stateless DHCPv6

    M (managed address configuration) flag: =1 means addresses are available via stateful DHCPv6 (the O flag is then redundant)


                                A flag  O flag  M flag  Note
    SLAAC only                  1       0       0       DNS via RDNSS (Windows 10 Creators Update)
    SLAAC + stateless DHCPv6    1       1       0       Android
    stateful DHCPv6 only        0       N/A     1
    SLAAC + stateful DHCPv6     1       N/A     1


  • OS m n1I-D ietf-v6ops-dhcpv6-slaac-problem2Windows 7

    A=0, O=1, M=0 0 DHCPv6SS0

    Windows 8.1, 10 DHCPv6A=0, O=0, M=0 DHCPv6 R 62017 P0 BUG6 IPv6I S0 i

    Windows 10 Fall Creators Update (2017) BUG

    Linux/macOS/iOSM=1 M=0 8 DHCPv6 OA=1, M=0 A=0, M=1 8 SLAAC A


  • Android DHCPv6 tIPv6 i 1 n

    Google 2RFC 7934DHCPv6 v 1 IPv6 1 n

    1 1 IPv61 NAPT v

    u 8 Android DHCPv6 t A 6

    S 11S A

    R P S m

    /64 vO RA I/64 I 2RFC 8273


  • IPv4 A OR v8 uIPv42 R S 1/241DHCPIPv62 P R or P R 1 S or OI

    OI or IPv6 only + NAT64/DNS64IPv6 R P

    DHCPv6IPv6 S UDID DHCPv4 m6UDID 3 AOS A

    NDP OIPv6 S MAC S

    NDP O or NDP MDPMon 6

    P ni v 8 t


  • IPv6 mIPv4 n m 8

    RFC8 t8 AIPv6 2 6 S I-D ietf-opsec-v6

    R 2RFC 82000RFC 8201 RFC8 2

    Ov 81 u

    P P2S u8 8

    vP i I v

    v u 8


  • RFC/I-D references

    RFC 3627 Use of /127 Prefix Length Between Routers Considered Harmful (→ RFC 6164)

    RFC 3879 Deprecating Site Local Addresses

    RFC 4191 Default Router Preferences and More-Specific Routes

    RFC 4193 Unique Local IPv6 Unicast Addresses (ULA)

    RFC 4861 Neighbor Discovery for IP version 6 (IPv6) (NDP)

    RFC 4941 Privacy Extensions for Stateless Address Autoconfiguration in IPv6

    RFC 5095 Deprecation of Type 0 Routing Headers in IPv6 (RFC 8200)

    RFC 5722 Handling of Overlapping IPv6 Fragments (RFC 8200)

    RFC 5952 A Recommendation for IPv6 Address Text Representation

    RFC 6104 Rogue IPv6 Router Advertisement Problem Statement

    RFC 6105 IPv6 Router Advertisement Guard (RA-Guard)

    RFC 6146 Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (NAT64)

    RFC 6147 DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers (DNS64)

    RFC 6164 Using 127-Bit IPv6 Prefixes on Inter-Router Links

    RFC 6296 IPv6-to-IPv6 Network Prefix Translation (NPTv6)

    RFC 6583 Operational Neighbor Discovery Problems

    RFC 6724 Default Address Selection for Internet Protocol Version 6 (IPv6)

    RFC 6946 Processing of IPv6 "Atomic" Fragments (RFC 8200)

    RFC 6935 IPv6 and UDP Checksums for Tunneled Packets (RFC 8200)

    RFC 6980 Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery

    RFC 7112 Implications of Oversized IPv6 Header Chains (RFC 8200)

    RFC 7113 Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)

    RFC 7123 Security Implications of IPv6 on IPv4 Networks

    RFC 7217 A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration

    RFC 7526 Deprecating the Anycast Prefix for 6to4 Relay Routers

    RFC 7610 DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers

    RFC 7934 Host Address Availability Recommendations

    RFC 8064 Recommendation on Stable IPv6 Interface Identifiers

    RFC 8106 IPv6 Router Advertisement Options for DNS Configuration (RA RDNSS)

    RFC 8200 Internet Protocol, Version 6 (IPv6) Specification (Internet Standard)

    RFC 8201 Path MTU Discovery for IP version 6 (Internet Standard)

    RFC 8273 Unique IPv6 Prefix Per Host

    I-D ietf-v6ops-dhcpv6-slaac-problem: DHCPv6/SLAAC Interaction Problems on Address and DNS Configuration (expired)

    I-D ietf-opsec-v6: Operational Security Considerations for IPv6 Networks (ver. 13)
