Building IPv6 into your school's network
AIS ICT Management and Leadership Conference, Canberra, 2015-05-06
Glen Turner, AARNet (Australia's Academic and Research Network)

This workshop
1) The technology of IPv6
2) The process of IPv6 deployment
3) A discussion about managing the building of IPv6 in schools
4) Q&A
The technology of IPv6: IPv4

IPv4 format (diagram)
Longest-match forwarding
● Take the destination address from the packet
● Look up the address in a forwarding table of (prefix, prefix length, next hop address, next hop interface)
● Take the matching prefix with the longest prefix length
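The lookup above, as an added example that is not from the workshop: a small forwarding table of the form (prefix, next hop address, next hop interface) and a longest-prefix-match lookup that works for IPv4 and IPv6 alike. The prefixes, next hops and interface names are constructed for the example.

```python
import ipaddress

# Constructed forwarding table (not from the workshop):
# (prefix, next hop address or None if directly connected, next hop interface).
FORWARDING_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1", "eth0"),        # IPv4 default route
    (ipaddress.ip_network("10.0.0.0/8"), "10.255.255.254", "eth1"),
    (ipaddress.ip_network("10.1.0.0/16"), "10.1.255.254", "eth2"),
    (ipaddress.ip_network("10.1.1.0/24"), None, "eth3"),             # directly connected
    (ipaddress.ip_network("::/0"), "2001:db8::1", "eth0"),           # IPv6 default route
    (ipaddress.ip_network("2001:db8:1::/48"), None, "eth1"),
    (ipaddress.ip_network("2001:db8:1:1::/64"), None, "eth3"),
]

def matches(prefix, addr):
    """True when the top prefix-length bits of addr equal the prefix."""
    if prefix.version != addr.version:
        return False
    width = prefix.max_prefixlen                      # 32 for IPv4, 128 for IPv6
    mask = ((1 << prefix.prefixlen) - 1) << (width - prefix.prefixlen)
    return int(addr) & mask == int(prefix.network_address)

def lookup(dst):
    """Return (next hop address, interface) for the longest matching prefix, or None.

    Table order is irrelevant: only the prefix length of a matching entry decides.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in FORWARDING_TABLE:
        if matches(prefix, addr) and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    if best is None:
        return None                                   # no route, not even a default
    prefix, next_hop, iface = best
    # Directly connected: the next hop is the destination itself, and the
    # link layer (ARP, or neighbour discovery for IPv6) resolves it.
    return (next_hop if next_hop is not None else str(addr), iface)

if __name__ == "__main__":
    for dst in ("10.1.1.7", "10.1.2.7", "198.51.100.4", "2001:db8:1:1::5", "2001:db8:9::1"):
        print(dst, "->", lookup(dst))
```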
IP forwarding (diagram)

Let's look at the forwarding table
● Router> show ip route
  Router> show ip cef
  linux$ route -n
  linux$ ip route show
  C:\> route print
  C:\> netsh interface ipv6 show route
  PS C:\> Get-NetRoute
● Windows has three families of networking commands
  – BSD commands
  – netsh commands
  – PowerShell cmdlets in Windows 2012R2, 8.1
● No one command works on all platforms
Link-layer also has a next-hop
● ARP request
  Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
  Source: e0:f8:47:42:79:c2 (e0:f8:47:42:79:c2)
  Type: ARP (0x0806)
  Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: e0:f8:47:42:79:c2
    Sender IP address: 192.168.255.69
    Target MAC address: 00:00:00:00:00:00
    Target IP address: 192.168.255.254
● ARP reply
  Destination: e0:f8:47:42:79:c2 (e0:f8:47:42:79:c2)
  Source: b8:27:eb:f1:71:fc (b8:27:eb:f1:71:fc)
  Type: ARP (0x0806)
  Address Resolution Protocol (reply)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    Sender MAC address: b8:27:eb:f1:71:fc
    Sender IP address: 192.168.255.254
    Target MAC address: e0:f8:47:42:79:c2
    Target IP address: 192.168.255.69

Let's look at the ARP table
● Router> show arp
  linux$ arp -a
  linux$ ip neigh show
  C:\> arp -a
  C:\> netsh interface ipv4 show neighbors
  PS C:\> Get-NetNeighbor
Why this design?
● Stateless
  – No records are kept: whether we forward one packet or one million packets, the same amount of memory is used for forwarding: one record per route
● ARP is soft-state: we can re-do it at any time
● The forwarding table allows forwarding and routing to be done independently
  – Forwarding is moving packets from an ingress to an egress interface
  – Routing is placing entries in the forwarding table
  – In IP, routing protocols are just ordinary user-space programs
  – Compare with Ethernet transparent bridging

The technology of IPv6: IPv4 in 2015
NAT – outgoing traffic
● Inspect outgoing traffic
  – Collect (src_addr, src_port, dst_addr, dst_port)
● Re-write src_addr to my exterior interface, find an unused source port on my exterior interface and re-write src_port to that
● Record these addresses and ports in the expectation table
  Outgoing packet before NAT:  (10.1.1.1, 10000, 202.158.201.38, 80)
  Outgoing packet after NAT:   (150.101.30.33, 20000, 202.158.201.38, 80)
  Expectation table entry:     (150.101.30.33, 20000, 10.1.1.1, 10000, 202.158.201.38, 80)

NAT – incoming traffic
● Inspect incoming traffic
● Is the incoming (src_addr, src_port, dst_addr, dst_port) in the expectation table?
● Re-write the dst_addr and dst_port to the original values in the table
  Incoming packet before NAT:  (202.158.201.38, 80, 150.101.30.33, 20000)
  Incoming packet after NAT:   (202.158.201.38, 80, 10.1.1.1, 10000)
  Expectation table entry:     (150.101.30.33, 20000, 10.1.1.1, 10000, 202.158.201.38, 80)
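The two NAT procedures above, as an added example that is not from the workshop: a toy stateful NAT holding the expectation table, with the outgoing rewrite, the incoming lookup, and the drop of an incoming packet that has no entry. The addresses and ports are the ones on the slides; the class, its port allocator and the reboot() method are this example's own.

```python
import itertools

class Nat:
    """Toy stateful NAT keeping the expectation table from the slides."""

    def __init__(self, exterior_addr, first_port=20000):
        self.exterior_addr = exterior_addr
        self._free_ports = itertools.count(first_port)  # "find an unused source port"
        # (ext_addr, ext_port, dst_addr, dst_port) -> (interior src_addr, src_port)
        self.expectations = {}

    def outgoing(self, src_addr, src_port, dst_addr, dst_port):
        """Rewrite an outgoing packet's source; return the packet as sent outside."""
        # An existing flow keeps its exterior port rather than consuming a new one.
        for (ea, ep, da, dp), (sa, sp) in self.expectations.items():
            if (sa, sp, da, dp) == (src_addr, src_port, dst_addr, dst_port):
                return (ea, ep, da, dp)
        ext_port = next(self._free_ports)
        self.expectations[(self.exterior_addr, ext_port, dst_addr, dst_port)] = (src_addr, src_port)
        return (self.exterior_addr, ext_port, dst_addr, dst_port)

    def incoming(self, src_addr, src_port, dst_addr, dst_port):
        """Rewrite an incoming packet's destination, or return None to drop it.

        Only packets whose (dst, dst_port, src, src_port) were recorded by an
        earlier outgoing packet have state; anything else has no entry and is
        dropped, which is why nothing inside can be reached unless it spoke first.
        """
        key = (dst_addr, dst_port, src_addr, src_port)
        if key not in self.expectations:
            return None
        interior_addr, interior_port = self.expectations[key]
        return (src_addr, src_port, interior_addr, interior_port)

    def reboot(self):
        """Losing the table is what breaks every open session when a NAT restarts."""
        self.expectations.clear()

if __name__ == "__main__":
    nat = Nat("150.101.30.33")
    print("out:", nat.outgoing("10.1.1.1", 10000, "202.158.201.38", 80))
    print("in: ", nat.incoming("202.158.201.38", 80, "150.101.30.33", 20000))
    print("unsolicited:", nat.incoming("203.0.113.9", 443, "150.101.30.33", 20000))
```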
NAT has benefits
● Deep packet inspection
  – A necessary part of NAT
  – But a DPI firewall can also work without altering the data passing through it, and is more robust when doing so
● Address re-numbering
  – The disconnect between exterior and interior addresses allows easy change of the exterior address

NAT is stateful
● One record per connection, aka "state"
  – Router memory is proportional to usage
    ● about 6,000 flows per gigabit
  – Except when the traffic has lots of flows
    ● Port scanning
    ● DNS
● "Unused" records are timed out
  – An Internet of Things device has to turn on the WLAN interface to send a "keepalive packet"
  – Over 50% of battery use for small embedded devices
● Rebooting the device flushes all state
  – Arrgh, all my web banking just broke

NAT routes can't be asymmetric (diagram marked FAIL)
● Fully redundant network, but no traffic :-(
Whoever controls the NAT, wins
● Carrier-grade NAT is NAT by an ISP
● This can lead to an anti-competitive market
  – The ISP chooses who can run a server
  – The ISP can choose not to take action, and thus block some traffic which might disadvantage the ISP, such as SIP
● How do new services get developed in the first place?
● How do we teach students how to write services?

NAT is insanely complex
● (diagram) From Introduction to iptables

Let's look at the NAT table
● Router> show nat translation
  linux$ conntrack -L
  C:\> netsh routing ip nat show
  PS C:\> Get-NetNATSession
● conntrack is in the conntrack-tools package
● NAT is often bundled only in "value-added" product lines

The technology of IPv6
IPv6 returns IP to the 1980's
● Plenty of addressing
  – Cheap, easy
● End-to-end visibility of addresses
  – No address shortage, so let's IP forward rather than NAT
('80s hair optional)

In the '80s hair IP had problems
● Not enough addresses
  – 252 hosts a subnet
  – 255 subnets per university
  – One address per interface
● No automatic configuration
  – Even Novell's IPX and Apple's EtherTalk had that!
● No privacy
● No QoS model which scaled
● No resource discovery
  – Even Banyan VINES and EtherTalk...

IPv6 = IPv4 + bug fixes
● Lots of addressing
  – Address more networks and hosts
    ● Can address every host ever made
    ● A school can have 64000 subnets, a home 16.
  – But also to trade off address space for features
● Stateless automatic address configuration
● IPsec for secure communication
● DiffServ for QoS
● Link-local addresses and mDNS for local resource discovery
Thinking about protocols
● Formats
  – On the wire: drawings are best
  – Textual representations
● Procedures
  – State diagrams
● Look at real traffic using a sniffing and pretty-printing tool like Wireshark
● Look at the data structures your computer has from this real traffic
  – Interfaces, tables, log messages

The technology of IPv6: Formats of addresses

Formats – addresses are larger
● 128 bits
● Divided into network, subnet and host portions, via a prefix-length, exactly as for IPv4
● Schools will most commonly be allocated a /48

Address format – textual
● IPv6 addresses are written in hexadecimal, base 16 (0, 1, …, 9, a, b, …, f)
  20010388000100000000000000000003
● Add a colon between each 16-bit word
  2001:0388:0001:0000:0000:0000:0000:0003
● Remove leading zeros from each word
  2001:0388:1:0:0:0:0:3
● Replace longest run of zero words with ::
  2001:388:1::3
● It is conventional to add the prefix length
  2001:388:1::3/128
● For link-local addresses, add the related interface so they become unique
  fe80::e2f8:47ff:fe42:79c2%eth0
That's impressive, sort of
● A lot of work has been done to make the addresses convenient to type
● Especially for lots of zeros, so there's a hint for numbering your network infrastructure
● The cost is that IPv6 addresses are not regular
  – Write a regular expression which captures all IPv6 addresses. Compare with [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
● Modifying programs isn't just a matter of increasing sizes
  – IPv6 addresses are unique in not being regular, so lots of programs won't handle them

Applications and textual addresses
● URLs containing IPv6 addresses
  http://[2001:388:4000:4001:ba27:ebff:fed3:9fa1]/
● Some commands have a -6 flag
  ssh -6 2001:388:4000:4001:ba27:ebff:fed3:9fa1
● Some commands have 6 variants
  ping6 2001:388:4000:4001:ba27:ebff:fed3:9fa1
● Sometimes you just can't win - URLs containing IPv6 addresses
  [http://\[2001\:388\:4000\:4001\:ba27\:ebff\:fed3\:9fa1\]/]
● And your phone's autocorrect will helpfully change ba27 to back