IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet - - PowerPoint PPT Presentation



slide-1
SLIDE 1

aarnet

Australia's Academic and Research Network

Glen Turner

2008-12-09 AARNet staff meeting

IPv4 address exhaustion and IPv6

slide-2
SLIDE 2

IPv6 policy

Going forward, we seek to support IPv6 to the same extent as we support IPv4. Exceptions require the approval of the CEO.

Rationale: Projects should make the extra effort to implement IPv6 now, at our own pace, rather than leave AARNet with an overhang of work to be done in 2010, at the pace of our most demanding customer.

slide-3
SLIDE 3

Where is AARNet?

  • Native IPv6 service to our customers
    – Not-for-profit education and research, health, cultural institutions
  • IPv6 broker
    – A best effort service to the greater community, especially developers
  • Low deployment by customers
    – Didn't used to matter: by definition research has low initial usage
    – Slowly becoming a strategic issue, and we're trying various approaches to see what will fix that

slide-4
SLIDE 4

What next?

  • Promote IPv6 to management
  • Educate technologists
  • Move IPv6 broker to a production service
  • Move most of our public services to IPv6
slide-5
SLIDE 5

When will IPv4 be exhausted?

See ipv4.potaroo.net

slide-6
SLIDE 6

When will IPv6 be deployed?

  • No country has more than 1% of its hosts running IPv6
  • So, some considerable time after 2012
  • Conclusion: IPv6 ― the Plan A for IPv4 address exhaustion ― has already failed

slide-7
SLIDE 7

Why did IPv6 fail?

  • Laying blame
    – Vendors: no product, they say no demand from ISPs
    – ISPs: no service, they saw no product and no demand from users
    – Users: no demand, bit hard to demand a non-existent service
  • Lying vendors: “IPv6 support” isn't
  • The emergence of ineffective lobbyists from ITU committees
  • Government with severely burned fingers
slide-8
SLIDE 8

Why is IPv6 still failing?

  • 36% Cost, time, business case
  • 23% Vendor support, back-office
  • 18% Knowledge, education
  • 17% User demand
  • 17% Upstream transit
  • 14% Dual-stack interoperability
  • 4% Multihoming
  • 2% Allocation policy
  • 2% Performance

slide-9
SLIDE 9

So what is Plan B?

There is no Plan B

slide-10
SLIDE 10

Uh oh, so what is likely?

  • B.1 Under-utilised addresses will be sold
  • B.2 ISPs will run network address translation
  • B.3 Some ISPs will offer IPv6

slide-11
SLIDE 11

aarnet

Australia's Academic and Research Network

Internet in 2012

slide-12
SLIDE 12

Typical ISP's customer

  • Carrier-class NAT for IPv4
    – Potential for services lock-in and other “walled garden” anti-competitive practices
  • IPv6 with global addressing available from enlightened ISPs
    – Allowing the customer to escape any walled garden

slide-13
SLIDE 13

Typical AARNet customer

  • AARNet has a small number of large customers
  • So we can provide one IPv4 address per customer
    – Use that address for globally-accessible services
    – And use that address to NAT traffic into their network
    – No need to ask AARNet for support of peculiar protocols: the NAT module is the customer's concern

slide-14
SLIDE 14

aarnet

Australia's Academic and Research Network

  • B1. Market for IPv4 addresses

slide-15
SLIDE 15

Who owns addresses?

  • In the beginning they were allocated to sites
    – Unsustainable routing table growth, as one entry per site in core routers
    – “Portable” between ISPs
  • Regional Internet registries allocate to ISPs, who allocate to customers' sites
    – One entry per ISP in core routers
    – “Non-portable” between ISPs

slide-16
SLIDE 16

Checking address allocation

$ whois 129.127.0.0/16
inetnum:      129.127.0.0 - 129.127.255.255
netname:      ADELAIDE
descr:        University of Adelaide
country:      AU
admin-c:      LC457-AP
tech-c:       LC457-AP
tech-c:       SB248-AP
status:       ALLOCATED PORTABLE
remarks:      This object was transferred from ARIN database
remarks:      on 11 December 2002
mnt-by:       APNIC-HM
changed:      hm-changed@apnic.net 20021211
changed:      hm-changed@apnic.net 20040926
changed:      hm-changed@apnic.net 20041214
source:       APNIC

slide-17
SLIDE 17

mnt-by and portable addresses

  • Who can make changes?
  • The people in the mnt-by field
  • A lot of our members have insecure records
slide-18
SLIDE 18

Contracts and non-portable

  • Non-portable addresses do not belong to the site
  • But sites have a significant investment in their allocated addressing
  • The ISP could remove this allocation and assign it to another use
    – No need for the ISP to do this
    – Until they run out of addresses themselves
  • Future contracts with ISPs need to spell out addressing more specifically

slide-19
SLIDE 19

Trading addresses

  • When originally allocated, the regional routing registries explicitly said that IP addresses would not be tradeable
  • They're changing their mind, and the routing registries will eventually act as a registry for address ownership rather than address allocation
  • Addresses will be worth money
    – Some of our customers will sell
    – We may need to buy addresses
    – Our contracts need to be more explicit on this issue

slide-20
SLIDE 20

aarnet

Australia's Academic and Research Network

  • B2. Network address translation technology

slide-21
SLIDE 21

How does NAT work?

  • Inspect outgoing traffic
    – Collect (src_addr, src_port, dst_addr, dst_port)
  • Re-write src_addr to my exterior interface, find an unused source port on my exterior interface and re-write src_port to that
  • Record these addresses and ports in the expectation table

  Outgoing packet:           (10.1.1.1, 10000, 202.158.201.38, 80)
  After re-writing:          (150.101.30.33, 20000, 202.158.201.38, 80)
  Expectation table entry:   (150.101.30.33, 20000, 10.1.1.1, 10000, 202.158.201.38, 80)

slide-22
SLIDE 22

How does NAT work?

  • Inspect incoming traffic
  • Is the incoming (src_addr, src_port, dst_addr, dst_port) in the expectation table?
  • Re-write the dst_addr and dst_port to the original values in the table

  (202.158.201.38, 80, 10.1.1.1, 10000)
  (202.158.201.33, 80, 150.101.30.33, 20000)
  Expectation table entry:   (150.101.30.33, 20000, 10.1.1.1, 10000, 202.158.201.38, 80)
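A minimal model of the expectation table described on the two "How does NAT work?" slides, as an added example (not from the presentation). The exterior address 150.101.30.33 and first port 20000 follow the slide's worked values; the table size limit is an assumption added so the resource-exhaustion failure mode is visible.

```python
# Added example: outbound 4-tuple rewrite plus inbound lookup against the
# expectation table. Port assignment and the table limit are assumptions.
import itertools

EXTERIOR_ADDR = "150.101.30.33"   # the NAT's exterior interface (slide value)


class Nat:
    """Rewrite outbound (src_addr, src_port, dst_addr, dst_port), map the
    matching inbound reply back, and drop anything not in the table."""

    def __init__(self, exterior_addr=EXTERIOR_ADDR, first_port=20000,
                 max_entries=65535 - 20000):
        self.exterior = exterior_addr
        self.ports = itertools.count(first_port)   # "an unused source port"
        self.max_entries = max_entries
        self.out_map = {}   # (src_addr, src_port, dst_addr, dst_port) -> ext_port
        self.in_map = {}    # (dst_addr, dst_port, exterior, ext_port) -> (src_addr, src_port)

    def outbound(self, src_addr, src_port, dst_addr, dst_port):
        """Return the rewritten 4-tuple, or None if the table is full."""
        key = (src_addr, src_port, dst_addr, dst_port)
        ext_port = self.out_map.get(key)
        if ext_port is None:
            if len(self.out_map) >= self.max_entries:
                return None   # state exhausted: the packet is dropped
            ext_port = next(self.ports)
            self.out_map[key] = ext_port
            # Expectation: a reply from dst to (exterior, ext_port) maps back.
            self.in_map[(dst_addr, dst_port, self.exterior, ext_port)] = (src_addr, src_port)
        return (self.exterior, ext_port, dst_addr, dst_port)

    def inbound(self, src_addr, src_port, dst_addr, dst_port):
        """Return the 4-tuple with dst rewritten, or None for unsolicited traffic."""
        orig = self.in_map.get((src_addr, src_port, dst_addr, dst_port))
        if orig is None:
            return None   # no expectation: drop
        return (src_addr, src_port, orig[0], orig[1])


if __name__ == "__main__":
    nat = Nat()
    print(nat.outbound("10.1.1.1", 10000, "202.158.201.38", 80))
    print(nat.inbound("202.158.201.38", 80, "150.101.30.33", 20000))
    print(nat.inbound("202.158.201.38", 80, "150.101.30.33", 20001))
```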

slide-23
SLIDE 23

Wrinkles with NAT

  • Some protocols embed IPv4 addresses
    – These need to be rewritten too
    – May be complex (and thus dangerous) to do in the forwarding plane
      • eg: SNMP uses ASN.1 encoding
  • Some protocols embed forthcoming connection information
    – FTP, Cisco Skinny, a lot of multimedia
    – These wrinkles are handled by “NAT modules”
      • inspect the traffic, add entries to the expectation table
  • Result: non-standard protocols have poor NAT support

slide-24
SLIDE 24

Benefits of NAT

  • Has led to the widespread deployment of stateful, deep packet inspection firewalls
    – Although coding inspection for NAT and firewall can require choices, so NAT is not the best choice of DPI firewall
      • Which is why defence runs real addresses
      • NAT requires DPI, DPI doesn't require NAT
  • Reduced the rate of IPv4 address exhaustion, delaying the crisis until now

slide-25
SLIDE 25

Problems with NAT

  • Complex
    – Forwarding plane moves from ASIC to CPU
  • Jitter and complexity attacks
    – Some packets need a lot more work than others
  • Exploits of code with errors
    – Complex code, so errors certain
  • Huge amounts of state
    – Abundant opportunity for resource exhaustion
  • Timeouts
    – Some traffic simply isn't suitable: low-power devices, sensors, episodic multimedia

slide-26
SLIDE 26

Implications

  • The edge of the customer is no longer globally reachable
    – as it is no longer a globally-unique address
  • The customer cannot run web servers, e-mail, etc

slide-27
SLIDE 27

Implications

  • So to continue as things are, ISPs will need to allocate an increasingly-scarce IPv4 address to the customer's network edge
  • The ISP will charge for this
    – Since the ISPs themselves will need to pay for addresses
  • The worst-case figure I've seen from an educated industry participant is $1,000pa
    – But no one really knows

slide-28
SLIDE 28

Security implications

  • Globally-reachable IPv4 addresses will become increasingly scarce
  • But in demand by the “finding each other” applications
  • Our customers have a lot of these addresses
  • Our customers become a hot spot of network abuse
  • ISPs don't run intrusion detection, opportunity for AARNet here

slide-29
SLIDE 29

Design implications

  • Increased complexity and storage of NAT is exploitable
    – A less robust Internet
  • Latency will increase
    – These will be expensive boxes, so there will be only a few in an ISP's network
    – Gamers will love IPv6
  • There is no end-to-end visibility
slide-30
SLIDE 30

No end-to-end visibility

  • We're sort of used to that: sharing photos on Flickr rather than on a home router
  • Real IPv4 addresses are already special
    – Skype supernode
    – Who wants to volunteer to run a real IPv4 address in a NAT world?
  • Some applications work better when all participants are reachable
    – peer-to-peer protocols
    – large videoconferencing

slide-31
SLIDE 31

The “walled garden”

  • Telcos maximise profits by charging users the value of the service, not the cost of provision
    – This is why ISD phone calls used to be charged for at outrageous rates, even though costs are <$0.01/min
    – It's why telcos try to do exclusive content deals
  • In interests of other vendors to team with the telco rather than with the customer
  • The customer-built Internet broke this
    – Telco customers built it, so their interests ruled
    – Telcos reduced to being low-rent packet shifters

slide-32
SLIDE 32

The return of the walled garden?

  • Potential for Evil ISPs to move the Internet from a low-rent transport to a walled garden where the only services available are those selected by the ISP
  • eg:
    – SIP is the protocol used for phone calls
    – Let's not run the NAT module for SIP and friends
    – Customers will need to use our voice service
    – No other voice service can be easily accessed (and doing so is arguably “hacking”)
    – Evil ISP charges VoIP packets at a higher rate than other packets
slide-33
SLIDE 33

aarnet

Australia's Academic and Research Network

  • B3. IPv6
slide-34
SLIDE 34

What is IPv6?

  • A new protocol which fixes the problems with IPv4, so:
    – Larger addresses
    – Automated configuration
      • No manual configuration or central servers
    – Secure communications
    – Removal of poor ideas
slide-35
SLIDE 35

So why deploy?

  • “Finding each other” applications
    – Peer-to-peer networks
    – Videoconferencing
  • Simple old-fashioned Internet
    – Why does the web server on my laptop stop working when I use the home network?
    – Why can't I directly ssh to my laptop when on my home network?
  • Avoiding latency of NAT gateways
    – Gamers

slide-36
SLIDE 36

So why deploy?

  • Some countries will move to IPv6
    – IPv4 addresses will be expensive
    – Language groups tend to pass traffic within themselves
  • Risk mitigation
    – When you decide you want one of the above, that is not the time to be starting the work
    – A risk mitigation rollout has a different nature
    – Opportunistic: IPv6 purchasing requirements to build a foundation; done when installing new equipment, contracting ISPs, etc

slide-37
SLIDE 37

Larger addresses

  • Larger, 128 bits
  • Plenty of addressing allowed a waste/simplicity trade-off
  • So fixed network, subnet, and host boundaries are seen by sites
    – 48 bits: Network
    – 16 bits: Subnetwork, maybe 4 bits for campus and 12 bits for subnet
    – 64 bits: Host

slide-38
SLIDE 38

Textual representation

  • Each 16 bits is in hexadecimal and separated from the next using “:”
    – 2001:388:1:2020:200:e2ff:fea5:80ff
    – Unlike most hex, leading zeroes are dropped
  • The left-most run of zero-valued groups can be abbreviated as “::”
    – Makes sense for describing
      • Subnets: 2001:388:1:2020:200::/64
      • Router addresses: 2001:388:1:2020:200::1/64
  • Subnets described using prefix-length rather than a subnet bitmask

slide-39
SLIDE 39

Automated configuration

  • The router advertises the subnet address (the top 64 bits) into the subnet
  • The host takes the interface MAC address and uses it in the bottom 64 bits
    – If the link layer uses more or less than 64 bits then there is a link layer-specific formula
    – In particular, Ethernet addresses have some bytes inserted into the middle of its 48 bit MAC address
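An added example (not from the presentation) covering both the textual representation and the automated configuration slides: it formats eight 16-bit groups as IPv6 text and derives the host's bottom 64 bits from an Ethernet MAC using the modified EUI-64 formula (split the MAC, insert ff:fe, flip the universal/local bit). The "::" compression follows RFC 5952, which compresses the longest run of zero groups (the left-most on a tie), a generalisation of the rule on the slide. The MAC 00:00:e2:a5:80:ff is a constructed value chosen so that it reproduces the slide's own example address.

```python
# Added example: IPv6 text formatting (RFC 5952 style) and the modified
# EUI-64 interface identifier used by stateless address autoconfiguration.

def compress(groups):
    """Render eight 16-bit groups: drop leading zeroes, replace the longest
    run (at least two) of all-zero groups with '::', left-most run on a tie."""
    if len(groups) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit groups")
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:          # strictly longer keeps the left-most run
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in groups]   # no leading zeroes
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def eui64_interface_id(mac):
    """Bottom 64 bits from a 48-bit MAC: oui | ff:fe | nic, with the
    universal/local bit (0x02 of the first byte) inverted."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return [int.from_bytes(iid[k:k + 2], "big") for k in range(0, 8, 2)]


def slaac_address(prefix_groups, mac):
    """prefix_groups: the four 16-bit groups the router advertises (top 64 bits)."""
    if len(prefix_groups) != 4:
        raise ValueError("the advertised prefix is the top 64 bits")
    return compress(list(prefix_groups) + eui64_interface_id(mac))


if __name__ == "__main__":
    # Constructed MAC; with the slide's prefix it yields the slide's example address.
    print(slaac_address([0x2001, 0x388, 0x1, 0x2020], "00:00:e2:a5:80:ff"))
    print(compress([0x2001, 0x388, 0x1, 0x2020, 0x200, 0, 0, 1]))   # router address
```

Because the interface identifier is a fixed function of the MAC, an autoconfigured address reveals the hardware address and follows the host from subnet to subnet, which is why hosts today usually prefer randomised identifiers.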

slide-40
SLIDE 40

Stateless DHCP

  • How are DNS and NTP servers found?
  • Use DHCP
  • But this DHCP doesn't need to record address allocations, it simply needs to hand out information based upon the requestor's address
    – Technically, state is information which changes between current and future events, thus “stateless DHCP”
  • Simple and fast
slide-41
SLIDE 41

Secure communications

  • IPsec
  • Like most good ideas in IPv6, it has been backported to IPv4
  • An authentication header to provide integrity and prevent address spoofing
  • An encapsulating security payload to provide privacy and prevent replay
  • Like most encryption, the key handling is more complex than the protocol itself

slide-42
SLIDE 42

Remove poor ideas

  • IPv4 packet fragmentation
    – Could be totally removed if links simply sent back the size of packets they support
      • Routers don't need to fragment
      • Hosts don't need to guess, thus using a smaller packet size than needed
    – Blocking ICMP6 packets is a really poor idea
  • Identifier
    – Doesn't do anything of value
  • Small packets
    – 64KB is looking too small for fast links

slide-43
SLIDE 43

Remove poor ideas

  • Simplify option handling
  • Single default route
    – The host listens to Router Advertisements and can select the best of them, but use the next best upon a failure
    – IPv4 hack is VRRP
  • Assumption of a single IP address per interface
    – Interfaces hold multiple IPv6 addresses

slide-44
SLIDE 44

Domain name service

  • IPv4 addresses have an A record

      www.example.edu.au. IN A 203.21.37.18

  • IPv6 addresses have an AAAA record

      www.example.edu.au. IN AAAA 2001:388:1:2020:200:0:0:ff01

  • These are only records, so
    – an IPv4-speaking DNS server can deliver AAAA records
    – an IPv6-speaking DNS server can deliver A records
  • Windows XP can also talk to IPv4-speaking DNS servers

slide-45
SLIDE 45

DNS and typing

  • I don't want to type all of those addresses, I'll never get them right, and they change when MAC addresses change
    – When Ethernet cards are changed
  • Use dynamic DNS for the average machine
slide-46
SLIDE 46

DNS zone design

  • Have a top-level zone, put all and only public services into here, secure it with DNSSEC
    – ….example.edu.au
    – All of the entries can be walked, but that's fine since they are public
  • Have a zone for other fixed records
  • Have a zone for dynamic records, site-based zones make a lot of reliability sense
    – ….rhodes.example.edu.au
    – the name follows the host, even if the host moves to another site

slide-47
SLIDE 47

aarnet

Australia's Academic and Research Network

A few things we've learned

slide-48
SLIDE 48

Security

  • Hosts
    – Not all firewall products understand IPv6, even when the host is running IPv6. You can guess the OS.
  • Routers
    – It's a second protocol, so every IPv4 control-plane protection needs an IPv6 twin (Cisco IOS syntax; vty lines take access-class, not ip access-group):

      ipv6 unicast-routing
      !
      line vty 0 4
       access-class VTY-LIST in
       ipv6 access-class VTY-LIST6 in

  • The real problem is support in corporate firewalls
    – And upgrade plans for those firewalls

slide-49
SLIDE 49

Monitoring

  • How a connection works:
    – Do I have a global address on the default route interface?
      • Yes, look up the DNS name using AAAA
        – Present, use that IPv6 address
        – Absent, try to look up the A record
      • No, try to look up the A record
    – Got a AAAA, try for an IPv6 connection; got an A, try for an IPv4 connection
  • What happens if we have a black hole on IPv6?
    – IPv6 traffic dies, IPv4-based monitoring system says all well
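A monitor that probes each address family separately, so the IPv6 black hole described above raises an alarm instead of being masked by the fall back to the A record. This is an added example, not from the presentation; the record values reuse the slide's www.example.edu.au entries, and the offline simulation is constructed.

```python
# Added example: per-family reachability check. The client fallback that hides
# a dead IPv6 path is exactly what a monitoring system must not do.
import socket


def resolve_real(name, family):
    """AAAA records for AF_INET6, A records for AF_INET (needs the network)."""
    try:
        infos = socket.getaddrinfo(name, 443, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({sockaddr[0] for _, _, _, _, sockaddr in infos})


def connect_real(addr, port=443, timeout=3.0):
    """True only if a TCP connection to this particular address succeeds."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            return True
        except OSError:
            return False


def probe(name, resolve=resolve_real, connect=connect_real):
    """Per-family status: 'ok', 'unreachable' (records exist, nothing answers)
    or 'no-record'. Each family is judged on its own, never by the other."""
    result = {}
    for label, family in (("ipv6", socket.AF_INET6), ("ipv4", socket.AF_INET)):
        addrs = resolve(name, family)
        if not addrs:
            result[label] = "no-record"
        elif any(connect(a) for a in addrs):
            result[label] = "ok"
        else:
            result[label] = "unreachable"
    return result


def verdict(result):
    """Alarm when any family that is published in DNS does not answer."""
    return "ALERT" if "unreachable" in result.values() else "OK"


def simulate_black_hole():
    """Constructed offline scenario from the slide: both records published,
    the IPv4 path works, nothing answers on IPv6."""
    records = {socket.AF_INET6: ["2001:388:1:2020:200:0:0:ff01"],
               socket.AF_INET: ["203.21.37.18"]}
    return probe("www.example.edu.au",
                 resolve=lambda name, fam: records[fam],
                 connect=lambda addr, port=443, timeout=3.0: ":" not in addr)
```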

slide-50
SLIDE 50

Reality of corporate networks

  • Inadequate
    – Configuration control
    – Monitoring
    – Change control
    – Lab scenarios
  • Firewalls are the new voodoo
    – Configuration changes induce fear
    – IPv6 changes the sense of firewall rules: match against the lower /64
      • ::1 to ::ff                  Network
      • ::ff00 to ::ffff             Servers
      • ::1234:1234:1243:1234        Autoconfed MAC
slide-51
SLIDE 51

Training

  • University computer science courses rarely show students an IPv6 address
  • TAFE ditto
  • Vendor training (MCSE, RHCE) ditto
slide-52
SLIDE 52

aarnet

Australia's Academic and Research Network

Glen Turner

glen.turner@aarnet.edu.au

IPv4 address exhaustion and IPv6

www.gdt.id.au/~gdt/presentations