IPv4 address exhaustion and IPv6 (Glen Turner, 2008-11-21, AIS IT managers' meeting; PowerPoint presentation)


SLIDE 1

aarnet
Australia's Academic and Research Network

IPv4 address exhaustion and IPv6

Glen Turner
2008-11-21 AIS IT managers' meeting

SLIDE 2

IPv4 address format

  • Internet protocol v4 addresses are 32 bits long
  • They are divided into three parts
  • The parts are of variable length so that none of the scarce 32 bits are wasted

  Network | Sub-network | Hosts

SLIDE 3

IPv4 address exhaustion

  • The pool of new IPv4 network addresses is emptying. It will empty in 2012

See ipv4.potaroo.net

SLIDE 4

What is likely to happen?

  • Underutilised addresses will be sold
  • ISPs will run network address translation
  • Some ISPs will offer IPv6
SLIDE 5

Market for IPv4 addresses

SLIDE 6

Rationale for a market

  • Even after 2011, ISPs need IPv4 addresses
  • Current address allocations are under-used by the sites they have been allocated to
  • So ISPs could encourage assignees who can easily give up their allocations to give those allocations to the ISP, who can use the addresses more efficiently
  • “encourage” = pay cash
SLIDE 7

Who owns addresses?

  • In the beginning they were allocated to sites
    – Unsustainable routing table growth, as one entry per site in core routers
    – “Portable” between ISPs
  • Regional internet registries allocate to ISPs, who allocate to customers' sites
    – One entry per ISP in core routers
    – “Non-portable” between ISPs

SLIDE 8

Checking address allocation

  $ whois 129.127.0.0/16
  inetnum:      129.127.0.0 - 129.127.255.255
  netname:      ADELAIDE
  descr:        University of Adelaide
  country:      AU
  admin-c:      LC457-AP
  tech-c:       LC457-AP
  tech-c:       SB248-AP
  status:       ALLOCATED PORTABLE
  remarks:      This object was transferred from ARIN database
  remarks:      on 11 December 2002
  mnt-by:       APNIC-HM
  changed:      hm-changed@apnic.net 20021211
  changed:      hm-changed@apnic.net 20040926
  changed:      hm-changed@apnic.net 20041214
  source:       APNIC

SLIDE 9

mnt-by and portable addresses

  • Who can make changes?
  • The people in the mnt-by field
  • If this is not correct, or updates using that maintainer are not secure, then your address allocation can be altered without your agreement
  • You can – and should – protect your maintainer record by requiring a password for changes or, better still, requiring a GPG signature

SLIDE 10

Contracts and non-portable

  • Non-portable addresses do not belong to the site
  • But sites have a significant investment in their allocated addressing
  • The ISP could remove this allocation and assign it to another use
    – No need for the ISP to do this
    – Until they run out of addresses themselves
  • Future contracts with ISPs need to spell out addressing more specifically

SLIDE 11

Trading addresses

  • When originally allocated, the regional routing registries explicitly said that IP addresses would not be tradeable
  • They're changing their mind, and the routing registries will eventually act as a registry for address ownership rather than address allocation
  • Addresses will be worth money
    – You may wish to sell all or part of your addresses and move to NAT
    – You may need to buy addresses if you need a public address

SLIDE 12

Network address translation: Technology

SLIDE 13

How does NAT work?

  • Inspect outgoing traffic
    – Collect (src_addr, src_port, dst_addr, dst_port)
  • Re-write src_addr to my exterior interface, find an unused source port on my exterior interface and re-write src_port to that
  • Record these addresses and ports in the expectation table

  Outgoing packet:         (10.1.1.1, 10000, 202.158.201.38, 80)
  Rewritten packet:        (150.101.30.33, 20000, 202.158.201.38, 80)
  Expectation table entry: (150.101.30.33, 20000, 10.1.1.1, 10000, 202.158.201.38, 80)

SLIDE 14

How does NAT work?

  • Inspect incoming traffic
  • Is the incoming (src_addr, src_port, dst_addr, dst_port) in the expectation table?
  • Re-write the dst_addr and dst_port to the original values in the table

  Incoming packet:         (202.158.201.33, 80, 150.101.30.33, 20000)
  Rewritten packet:        (202.158.201.38, 80, 10.1.1.1, 10000)
  Expectation table entry: (150.101.30.33, 20000, 10.1.1.1, 10000, 202.158.201.38, 80)
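The two slides above, as an added example (not code from the presentation): a toy port-restricted NAT that builds the expectation table on the outgoing path and consults it on the incoming path, so that a reply from the expected peer is rewritten and anything unsolicited is dropped. The addresses are the slides' own; the exterior port numbering from 20000 is an assumption.

```python
# Added example, not from the slides: a toy port-restricted NAT keeping the
# "expectation table" of slides 13 and 14.  Interior host 10.1.1.1 sits behind
# exterior address 150.101.30.33 and talks to web server 202.158.201.38.
# Exterior ports are handed out from 20000 (assumed) to match the slides.
from collections import namedtuple

Flow = namedtuple("Flow", "src_addr src_port dst_addr dst_port")


class Nat:
    def __init__(self, exterior_addr, first_port=20000):
        self.exterior_addr = exterior_addr
        self.next_port = first_port
        # exterior port -> (interior addr, interior port, (peer addr, peer port))
        self.expectations = {}

    def outbound(self, pkt):
        """Rewrite an interior->Internet packet and record the expectation."""
        peer = (pkt.dst_addr, pkt.dst_port)
        for ext_port, entry in self.expectations.items():
            if entry == (pkt.src_addr, pkt.src_port, peer):   # existing mapping
                return Flow(self.exterior_addr, ext_port, *peer)
        ext_port = self.next_port                             # an unused exterior port
        self.next_port += 1
        self.expectations[ext_port] = (pkt.src_addr, pkt.src_port, peer)
        return Flow(self.exterior_addr, ext_port, *peer)

    def inbound(self, pkt):
        """Rewrite an Internet->interior packet; None means 'no expectation, drop'."""
        entry = self.expectations.get(pkt.dst_port)
        if entry is None or pkt.dst_addr != self.exterior_addr:
            return None            # unsolicited: nothing inside asked for this
        in_addr, in_port, peer = entry
        if (pkt.src_addr, pkt.src_port) != peer:
            return None            # right exterior port, wrong peer: still dropped
        return Flow(pkt.src_addr, pkt.src_port, in_addr, in_port)

    def table(self):
        """The expectation table as the 6-tuples drawn on the slides."""
        return [(self.exterior_addr, ext_port, in_addr, in_port, peer[0], peer[1])
                for ext_port, (in_addr, in_port, peer) in self.expectations.items()]


if __name__ == "__main__":
    nat = Nat("150.101.30.33")
    print(nat.outbound(Flow("10.1.1.1", 10000, "202.158.201.38", 80)))
    print(nat.inbound(Flow("202.158.201.38", 80, "150.101.30.33", 20000)))
    print(nat.table())
```

Every entry in the table is state the NAT must hold per flow, which is the resource-exhaustion exposure the "Problems with NAT" slide describes.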

SLIDE 15

Wrinkles with NAT

  • Some protocols embed IPv4 addresses
    – These need to be rewritten too
    – May be complex and thus dangerous to do in the forwarding plane
      • eg: SNMP uses ASN.1 encoding
  • Some protocols embed forthcoming connection information
    – FTP, Cisco Skinny, a lot of multimedia
  • These wrinkles are handled by “NAT modules”
    – inspect the traffic, add entries to the expectation table

SLIDE 16

Problems with NAT

  • Complex
    – Forwarding plane moves from ASIC to CPU
  • Jitter and complexity attacks
    – Some packets need a lot more work than others
  • Exploits of code with errors
    – Complex code, so errors certain
  • Huge amounts of state
    – Abundant opportunity for resource exhaustion
  • Timeouts
    – Some traffic simply isn't suitable: low-power devices, sensors, episodic multimedia

SLIDE 17

Benefits of NAT

  • Has led to the widespread deployment of stateful, deep packet inspection firewalls
    – Although coding inspection for NAT and firewall can require choices, so NAT is not the best choice of DPI firewall
      • Which is why defence runs real addresses
  • Reduced the rate of IPv4 address exhaustion, delaying the crisis until now

SLIDE 18

Network address translation: Economics

SLIDE 19

“Carrier-class NAT”

  • If ISPs run out of addresses, they can use network address translation

SLIDE 20

Implications

  • The edge of the customer is no longer globally reachable
    – as it is no longer a globally-unique address
  • The customer cannot run web servers, e-mail, etc
  • But schools like to have their resources hosted on-site
    – That's where the users are
  • But also like to have their resources accessed across the Internet

SLIDE 21

Implications

  • So to continue as things are, ISPs will need to allocate an increasingly-scarce IPv4 address to the school's network edge
  • The ISP will charge the school for this
    – Since the ISP themselves will need to pay for addresses
  • The worst-case figure I've seen from an educated industry participant is $1,000pa
    – But no one really knows

SLIDE 22

Design implications

  • Increased complexity and storage of NAT is exploitable
    – A less robust Internet
  • Latency will increase
    – These will be expensive boxes, so there will be only a few in an ISP's network
    – Gamers will love IPv6
  • There is no end-to-end visibility
SLIDE 23

No end-to-end visibility

  • We're sort of used to that: sharing photos on Flickr rather than on a home router
  • Real IPv4 addresses are already special
    – Skype supernode
    – Who wants to volunteer to run a real IPv4 address in a NAT world?
  • Some applications work better when all participants are reachable
    – peer-to-peer protocols
    – large videoconferencing

SLIDE 24

The “walled garden”

  • Telcos maximise profits by charging users the value of the service, not the cost of provision
    – This is why ISD phone calls used to be charged for at outrageous rates, even though costs are <$0.01/min
    – It's why telcos try to do exclusive content deals
  • In the interests of other vendors to team with the telco rather than with the customer
  • The customer-built Internet broke this
    – Telco customers built it, so their interests ruled
    – Telcos reduced to being low-rent packet shifters

SLIDE 25

The return of the walled garden?

  • Potential for Evil ISPs to move the Internet from a low-rent transport to a walled garden where the only services available are those selected by the ISP
  • eg:
    – SIP is the protocol used for phone calls
    – Let's not run the NAT module for SIP and friends
    – Customers will need to use our voice service
    – No other voice service can be easily accessed (and doing so is arguably “hacking”)
    – Evil ISP charges VoIP packets at a higher rate than other packets
SLIDE 26

IPv6

SLIDE 27

Where is AARNet?

  • Native IPv6 service to our customers
    – Not-for-profit education and research, health, cultural institutions
  • IPv6 broker
    – A best effort service to the greater community, especially developers
  • Low deployment by customers
    – Didn't used to matter: by definition research has low initial usage
    – Slowly becoming a strategic issue, and we're trying various approaches to see what will fix that

SLIDE 28

IPv6: Technology

SLIDE 29

IPv6's design goals

  • In short, fix the problems with IPv4, so:
  • Larger addresses
  • Automated configuration

– No manual configuration or central servers

  • Secure communications
  • Remove poor ideas
SLIDE 30

Larger addresses

  • Larger, 128 bits
  • Plenty of addressing allowed a waste/simplicity trade-off
  • So fixed network, subnet, and host boundaries are seen by sites
    – 48 bits: Network
    – 16 bits: Subnetwork
    – 64 bits: Host

SLIDE 31

Larger addresses, subnetworking

  • 16 bits of subnetwork address
  • Small sites will treat this as 2^16 (~65,000) subnets
  • Complex sites will use about 4 bits to identify campuses and 12 bits for subnets within that campus

SLIDE 32

Textual representation

  • Each 16 bits is in hexadecimal and separated from the next using “:”
    – 2001:388:1:2020:200:e2ff:fea5:80ff
    – Unlike most hex, leading zeroes are dropped
  • The left-most run of zero-valued groups can be abbreviated as “::”
    – Makes sense for describing
      • Subnets: 2001:388:1:2020:200::/64
      • Router addresses: 2001:388:1:2020:200::1/64
  • Subnets described using prefix-length rather than a subnet bitmask
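The textual rules above, as an added example (not from the presentation): a small parser that expands “::” notation into eight groups and a compressor that drops leading zeros and collapses one run of zero groups. The compressor follows RFC 5952, which picks the longest zero run (left-most on a tie) and never compresses a single zero group; the slides' own addresses are used as inputs, and the result is cross-checked against Python's ipaddress module.

```python
# Added example, not from the slides: expand and compress IPv6 text form.
# Compression follows RFC 5952: leading zeros dropped from each 16-bit group,
# the longest run of zero groups (left-most on a tie, never a lone group)
# replaced by "::".  Inputs below are the slides' own addresses.
import ipaddress


def expand(text):
    """Return the eight 16-bit groups of an IPv6 address as integers."""
    if "::" in text:
        left, right = text.split("::", 1)
        lgroups = [int(g, 16) for g in left.split(":") if g]
        rgroups = [int(g, 16) for g in right.split(":") if g]
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1 or text.count("::") > 1:
            raise ValueError("bad '::' usage: " + text)
        groups = lgroups + [0] * missing + rgroups
    else:
        groups = [int(g, 16) for g in text.split(":")]
    if len(groups) != 8 or not all(0 <= g <= 0xFFFF for g in groups):
        raise ValueError("not eight 16-bit groups: " + text)
    return groups


def compress(groups):
    """Shortest RFC 5952 text for eight integer groups."""
    best_start, best_len, start = -1, 1, None      # a run must beat length 1
    for i, g in enumerate(groups + [1]):           # sentinel closes a final run
        if g == 0 and start is None:
            start = i
        elif g != 0 and start is not None:
            if i - start > best_len:
                best_start, best_len = start, i - start
            start = None
    hexes = ["%x" % g for g in groups]             # "%x" drops leading zeros
    if best_start < 0:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def canonical(text):
    """Canonical form of an address, keeping any '/prefixlen' suffix."""
    addr, _, plen = text.partition("/")
    return compress(expand(addr)) + ("/" + plen if plen else "")


def is_valid(text):
    try:
        expand(text.partition("/")[0])
        return True
    except ValueError:
        return False


def matches_stdlib(addr):
    """Cross-check: does our canonical form agree with ipaddress?"""
    return canonical(addr) == str(ipaddress.IPv6Address(addr))
```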

SLIDE 33

Automated configuration

  • The router advertises the subnet address (the top 64 bits) into the subnet
  • The host takes the interface MAC address and uses it in the bottom 64 bits
    – If the link layer uses more or less than 64 bits then there is a link layer-specific formula
    – In particular, ethernet addresses have some bytes inserted into the middle of the 48 bit MAC address
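The ethernet formula above (modified EUI-64), as an added example that is not part of the presentation: split the 48-bit MAC in the middle, insert ff:fe, and flip the universal/local bit. The MAC 00:00:e2:a5:80:ff is constructed so that the result is the host part of the slides' address 2001:388:1:2020:200:e2ff:fea5:80ff; the reverse function shows why an autoconfigured address reveals the NIC's MAC to anyone who sees it.

```python
# Added example, not from the slides: modified EUI-64 interface identifiers.
# Forward: MAC -> 64-bit IID (insert ff:fe in the middle, flip bit 0x02 of the
# first byte).  Reverse: pull the MAC back out of an address that was formed
# this way.  The MAC below is constructed to yield the slides' host address.
import ipaddress


def mac_to_eui64_groups(mac):
    """The four 16-bit groups of the IID derived from a 'xx:xx:xx:xx:xx:xx' MAC."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])   # 3 + 2 + 3 = 8 bytes
    iid[0] ^= 0x02                                           # universal/local bit
    return ["%x" % ((iid[i] << 8) | iid[i + 1]) for i in range(0, 8, 2)]


def eui64_address(prefix, mac):
    """Join a /64 prefix written as its first four groups with the MAC-derived IID."""
    return prefix.rstrip(":") + ":" + ":".join(mac_to_eui64_groups(mac))


def mac_from_eui64_address(addr):
    """Recover the MAC from an autoconfigured address; None if the address is not EUI-64 shaped."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])  # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None                  # fixed or privacy address, not MAC-derived
    iid[0] ^= 0x02
    return ":".join("%02x" % b for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    print(eui64_address("2001:388:1:2020", "00:00:e2:a5:80:ff"))
    print(mac_from_eui64_address("2001:388:1:2020:200:e2ff:fea5:80ff"))
```

Because the address follows the NIC, it changes when the card is swapped and stays constant as the host roams, which is the tension behind the later "Don't use EUI-64" remark.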

SLIDE 34

Stateless DHCP

  • How are DNS and NTP servers found?
  • Use DHCP
  • But this DHCP doesn't need to record address allocations, it simply needs to hand out information based upon the requestor's address
    – Technically, state is information which changes between current and future events, thus “stateless DHCP”
  • Simple and fast
SLIDE 35

Stateful DHCP

  • You can also do an IPv6 version of traditional DHCP
  • But this isn't the best idea
  • The Router Advertisement tells the host which technique to use to obtain an address

SLIDE 36

Secure communications

  • IPsec
  • Like most good ideas in IPv6, it has been backported to IPv4
  • An authentication header to provide integrity and prevent address spoofing
  • An encapsulating security payload to provide privacy and prevent replay
  • Like most encryption, the key handling is more complex than the protocol itself

SLIDE 37

Remove poor ideas

  • IPv4 packet fragmentation
    – Could be totally removed if links simply sent back the size of packets they support
      • Routers don't need to fragment
      • Hosts don't need to guess, thus using a smaller packet size than needed
    – Blocking ICMP6 packets is a really poor idea
  • Identifier
    – Doesn't do anything of value
  • Small packets
    – 64KB is looking too small for fast links

SLIDE 38

Remove poor ideas

  • Simplify option handling
  • Single default route
    – The host listens to Router Advertisements and can select the best of them, but use the next best upon a failure
    – IPv4 hack is VRRP
  • Assumption of a single IP address per interface
    – Interfaces hold multiple IPv6 addresses

SLIDE 39

Well-known addresses

  • Anycast has been a popular technique for delivering DNS forwarding to IPv4 clients
    – Used by all major ISPs
  • Anycast could be used for DNS forwarders listening on IPv6 addresses, and having the same address for all forwarders would reduce configuration (even stateless DHCP isn't needed)
  • When deploying IPv6 services, use the well-known address if one has been defined

SLIDE 40

Service addresses

  • The abundance of IPv6 addresses allows a better distinction between services and the machine they are hosted upon
    – yoyo.example.edu.au   2001:388:1:2020:200:e2ff:fea5:80ff/64
    – www.example.edu.au    2001:388:1:2020:200:0:0:ff01/128
  • So the machine yoyo is the one used for machine-related tasks (such as backups) and the service www is the one used to deliver the service

SLIDE 41

Domain name service

  • IPv4 addresses have an A record
      www.example.edu.au. IN A 203.21.37.18
  • IPv6 addresses have an AAAA record
      www.example.edu.au. IN AAAA 2001:388:1:2020:200:0:0:ff01
  • These are only records, so
    – an IPv4-speaking DNS server can deliver AAAA records
    – an IPv6-speaking DNS server can deliver A records
  • Windows XP can also talk to IPv4-speaking DNS servers

SLIDE 42

DNS and typing

  • I don't want to type all of those addresses, I'll never get them right, and they change when MAC addresses change
    – When ethernet cards are changed
  • Use dynamic DNS for the average machine
SLIDE 43

DNS zone design

  • Have a top-level zone, put all and only public services into here, secure it with DNSSEC
    – ….example.edu.au
    – All of the entries can be walked, but that's fine since they are public
  • Have a zone for other fixed records
  • Have a zone for dynamic records, site-based zones make a lot of reliability sense
    – ….rhodes.example.edu.au
    – the name follows the host, even if the host moves to another site

SLIDE 44

Where is AARNet?

  • Native IPv6 service to our customers
    – Not-for-profit education and research, health, cultural institutions
  • IPv6 broker
    – A best effort service to the greater community, especially developers
  • DNS on IPv6
    – But education.au not ready yet

SLIDE 45

Where is AARNet?

  • Low deployment by customers
    – Didn't used to matter: by definition research has low initial usage
    – Slowly becoming a strategic issue, and we're trying various approaches to see what will fix that

SLIDE 46

IPv6: Status

SLIDE 47

IPv6 deployment has failed

  • It should already be finished: we're running out of IPv4 addresses and IPv6 won't be available everywhere
  • Failure a result of a vicious circle involving ISPs, customers, vendors plus a notorious historical regulatory failure inhibiting a regulatory response
  • So now carrier-class NAT is required for ISPs to provide internet service to new customers

SLIDE 48

So why deploy?

  • “Finding each other” applications
    – Peer-to-peer networks
    – Videoconferencing
  • Simple old-fashioned Internet
    – Why does the web server on my laptop stop working when I use the home network?
    – Why can't I directly ssh to my laptop when on my home network?
  • Avoiding latency of NAT gateways
    – Gamers

SLIDE 49

So why deploy?

  • Some countries will move to IPv6
    – IPv4 addresses will be expensive
    – Language groups tend to pass traffic within themselves
  • Risk mitigation
    – When you decide you want one of the above, that is not the time to be starting the work
    – A risk mitigation rollout has a different nature
    – Opportunistic: IPv6 purchasing requirements to build a foundation; done when installing new equipment, contracting ISPs, etc

SLIDE 50

Practicalities of staged deployment

SLIDE 51

1. Paperwork

  • Allocate IPv6 prefix
  • Develop addressing plan
    – Lay IPv6 design over IPv4 design
    – There are 16 bits for subnetting, use the top 4 or so for site aggregation, leaving about 12 for subnets per site
    – Allocate a /64 per leaf subnet
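The addressing plan in step 1, as an added example that is not from the presentation: a /48 split into a 4-bit campus field and a 12-bit subnet field, with a /64 per leaf subnet. The /48 2001:388:1::/48 is an assumption chosen so that campus 2, subnet 0x020 yields the slides' 2001:388:1:2020::/64, and the plan can also map an observed address back to its campus and subnet.

```python
# Added example, not from the slides: carve a /48 site allocation the way
# step 1 describes (top 4 subnet-ID bits for campus aggregation, low 12 for
# subnets, a /64 per leaf).  The /48 below is assumed; with it, campus 2 /
# subnet 0x020 reproduces the slides' 2001:388:1:2020::/64.
import ipaddress


class AddressPlan:
    def __init__(self, site_prefix, campus_bits=4):
        self.site = ipaddress.IPv6Network(site_prefix)
        if self.site.prefixlen != 48:
            raise ValueError("plan assumes a /48 site allocation")
        self.campus_bits = campus_bits
        self.subnet_bits = 16 - campus_bits          # 12 when campus_bits == 4

    def _network(self, subnet_id, prefixlen):
        base = int(self.site.network_address)
        return ipaddress.IPv6Network((base + (subnet_id << 64), prefixlen))

    def campus_prefix(self, campus):
        """Aggregate route for one campus: a /52 when campus_bits == 4."""
        if not 0 <= campus < (1 << self.campus_bits):
            raise ValueError("campus out of range")
        return self._network(campus << self.subnet_bits, 48 + self.campus_bits)

    def leaf_subnet(self, campus, subnet):
        """The /64 for a leaf subnet inside a campus."""
        if not 0 <= subnet < (1 << self.subnet_bits):
            raise ValueError("subnet out of range")
        return self._network((campus << self.subnet_bits) | subnet, 64)

    def locate(self, addr):
        """(campus, subnet) an address falls in, or None if outside the site."""
        a = ipaddress.IPv6Address(addr)
        if a not in self.site:
            return None
        subnet_id = (int(a) >> 64) & 0xFFFF
        return subnet_id >> self.subnet_bits, subnet_id & ((1 << self.subnet_bits) - 1)


if __name__ == "__main__":
    plan = AddressPlan("2001:388:1::/48")
    print(plan.campus_prefix(2), plan.leaf_subnet(2, 0x20))
    print(plan.locate("2001:388:1:2020:200:e2ff:fea5:80ff"))
```

Per-campus aggregates are what lets a site advertise one /52 per campus internally and a single /48 to the ISP, as the "one entry per ISP" routing argument earlier in the deck requires.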

SLIDE 52

2. Link to ISP

  • Configure an IPv6 address and routing on the existing ISP link
    – copying design from IPv4
  • Static routing or BGP, depending upon site and ISP requirements
  • Create or inject interior default route
SLIDE 53

3. Activate IPv6 on backbone

  • This brings the first problem: the poor quality of IPv6 support on some firewalls and other middleboxes
  • Don't use EUI-64, but be compatible
SLIDE 54

4. Establish networking servers

  • Unless good reason otherwise, use autoconfiguration (EUI-64 addressing) with stateless DHCP
  • Stateless DHCP provides DNS and NTP server addresses
    – These will be IPv4 addresses, because of Windows XP
  • Use Dynamic DNS for the average host
  • If you plan on IPv6-only devices then use an anycast IPv6 server on the well-known addresses

SLIDE 55

5. Find a sucker early adopter

  • Computing hobbyists, ourselves
  • System administrators
SLIDE 56

6. Transition public-facing services

  • Web, e-mail, …
  • Issue: Microsoft Exchange 2003
  • Decision: EUI-64 or fixed address in the /64
SLIDE 57

7. Transition the masses

  • Issue: people who travel to other sites which have IPv6 configured but no connectivity
  • Issue: another round of fighting with middlerubbish such as VPN servers and clients
  • Issue: accounting
SLIDE 58

8. Transition inward-facing services

  • Problem: disconnect between network engineering and applications
    – Upgrade cycle of interior applications
    – Convincing applications programmers that the work is necessary, a hard task since they are being asked to learn something new
    – Package upgrades
      • Disruption
      • Money
SLIDE 59

9. Finish the job

  • Delegation using IPv6 to DNS servers
    – Not available to edu.au
  • Activate equivalent IPv6 features on switches as used on IPv4
    – To prevent address spoofing and so on
  • Be careful not to deploy services which really only make sense for IPv4
    – VRRP
  • Monitoring systems
SLIDE 60

Tunnel broker and opportunistic

  • AARNet runs a tunnel broker: IPv6 connectivity for testing purposes
    – broker.aarnet.edu.au
  • Use it in advance of native IPv6 connectivity to
    – Gain experience with IPv6
    – Test equipment and applications with IPv6

SLIDE 61

A few things we've learned

SLIDE 62

Security

  • Hosts
    – Not all firewall products understand IPv6, even when the host is running IPv6. You can guess the OS.
  • Routers
    – It's a second protocol: every IPv4 access control needs an IPv6 counterpart, eg the vty access lists (IOS syntax)

        ipv6 unicast-routing
        line vty 0 4
         access-class VTY-LIST in
         ipv6 access-class VTY-LIST6 in

  • The real problem is support in corporate firewalls
    – And upgrade plans for those firewalls

SLIDE 63

Monitoring

  • How a connection works:
    – Do I have a global address on the default route interface?
      • Yes, look up the DNS name using AAAA
        – Present, use that IPv6 address
        – Absent, try to look up the A record
      • No, try to look up the A record
    – Got a AAAA, try for an IPv6 connection
    – Got an A, try for an IPv4 connection
  • What happens if we have a black hole on IPv6?
    – IPv6 traffic dies, IPv4-based monitoring system says all well
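The connection logic and the black-hole failure above, as an added example that is not from the presentation: the lookup order is simulated over a constructed DNS table and a constructed set of reachable addresses. The www record values are the slides' own; the legacy host, the IPv4-only monitor and the dual-stack monitor are assumptions added to show why the monitor must probe each address family the DNS publishes.

```python
# Added example, not from the slides: simulate slide 63's connection logic and
# show the IPv6 black hole that an IPv4-only monitor cannot see.
# DNS records and the reachability set are constructed for the example;
# www's A and AAAA values are the ones the deck uses earlier.
DNS = {
    "www.example.edu.au": {"AAAA": "2001:388:1:2020:200:0:0:ff01", "A": "203.21.37.18"},
    "legacy.example.edu.au": {"A": "203.21.37.19"},        # constructed, IPv4-only host
}


def resolve(name, have_global_v6, dns=DNS):
    """Slide 63's order: AAAA only if this host has a global IPv6 address, else A."""
    recs = dns.get(name, {})
    if have_global_v6 and "AAAA" in recs:
        return "IPv6", recs["AAAA"]
    if "A" in recs:
        return "IPv4", recs["A"]
    return None, None


def connect(name, have_global_v6, reachable, dns=DNS):
    """Try only the family the lookup chose, with no fallback, as on the slide.
    Returns (family, address) on success or None when the connection dies."""
    family, addr = resolve(name, have_global_v6, dns)
    if addr is None or addr not in reachable:
        return None
    return family, addr


def monitor(names, have_global_v6, reachable, dns=DNS):
    """What a naive monitor reports: it only sees the family it would use itself."""
    return {n: connect(n, have_global_v6, reachable, dns) is not None for n in names}


def monitor_dual_stack(names, reachable, dns=DNS):
    """Probe every published family separately so an IPv6 black hole shows up."""
    report = {}
    for n in names:
        recs = dns.get(n, {})
        report[n] = {fam: recs[rr] in reachable
                     for fam, rr in (("IPv6", "AAAA"), ("IPv4", "A")) if rr in recs}
    return report


if __name__ == "__main__":
    # Constructed black hole: only the IPv4 addresses answer.
    black_hole = {"203.21.37.18", "203.21.37.19"}
    names = list(DNS)
    print("IPv4-only monitor:", monitor(names, False, black_hole))
    print("dual-stack monitor:", monitor_dual_stack(names, black_hole))
    print("IPv6 user gets:", connect("www.example.edu.au", True, black_hole))
```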

SLIDE 64

Reality of corporate networks

  • Inadequate
    – Configuration control
    – Monitoring
    – Change control
    – Lab scenarios
  • Firewalls are the new voodoo
    – Configuration changes induce fear
    – IPv6 changes the sense of firewall rules: match against the lower /64
      • ::1 to ::ff               Network
      • ::ff00 to ::ffff          Servers
      • ::1234:1234:1243:1234     Autoconfed MAC
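The "match against the lower /64" point above, as an added example that is not from the presentation: a rule evaluator that classifies a destination by its interface identifier using the slide's three ranges and combines that with an ordinary prefix match. The policy, the site prefix 2001:388:1::/48 and the packet addresses are constructed; the point is that a rule such as "permit 443 to servers" cannot be written as a prefix at all.

```python
# Added example, not from the slides: firewall rules that match on the
# interface identifier (low 64 bits) using slide 64's convention:
# ::1-::ff network gear, ::ff00-::ffff servers, larger values autoconfigured
# hosts.  Policy, site prefix and packet addresses are constructed.
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action dst_prefix dst_roles dport")   # dport None = any
Packet = namedtuple("Packet", "dst dport")

IID_MASK = (1 << 64) - 1


def role(addr):
    """Classify an address by its interface identifier, per the slide's ranges."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    if iid == 0:
        return "subnet-router-anycast"       # RFC 4291 reserves the all-zero IID
    if iid <= 0xFF:
        return "network"
    if 0xFF00 <= iid <= 0xFFFF:
        return "server"
    return "autoconf"                        # MAC-derived or privacy address


def rule_matches(rule, pkt):
    """Prefix match on the high bits AND role match on the low 64 bits."""
    if ipaddress.IPv6Address(pkt.dst) not in ipaddress.IPv6Network(rule.dst_prefix):
        return False
    if rule.dst_roles is not None and role(pkt.dst) not in rule.dst_roles:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def decide(rules, pkt, default="deny"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed policy: HTTPS to servers in one subnet, SSH to network gear
# site-wide, nothing inbound to autoconfigured hosts anywhere in the site.
POLICY = [
    Rule("permit", "2001:388:1:2020::/64", {"server"}, 443),
    Rule("permit", "2001:388:1::/48", {"network"}, 22),
    Rule("deny", "2001:388:1::/48", {"autoconf"}, None),
]
```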
SLIDE 65

Training

  • University computer science courses never show students an IPv6 address
  • TAFE ditto
  • Vendor training (MCSE, RHCE) ditto
SLIDE 66

Internet in 2012

SLIDE 67

Typical ISP's customer

  • Carrier-class NAT for IPv4
  • IPv6 with global addressing available from enlightened ISPs

SLIDE 68

Typical AARNet customer

  • AARNet has a small number of large customers
  • So we can provide one IPv4 address per customer
    – Use that address for globally-accessible services
    – And use that address to NAT traffic into their network
    – No need to ask AARNet for support of peculiar protocols: the NAT module is the customer's concern
  • We already provide IPv6
    – Use real IPv6 addresses
    – Protect them with a stateful firewall

SLIDE 69

Glen Turner
glen.turner@aarnet.edu.au

IPv4 address exhaustion and IPv6

www.gdt.id.au/~gdt/presentations