Automatic Tunnels and Relays - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Automatic Tunnels and Relays
  • Bill Cerveny

2
Outline
  • Reasons for IPv6 in IPv4 Tunnels
  • General IPv6 Tunnel Types
  • 6to4 Tunnel Implementation Scenarios
  • 6to4 Security Issues

3
Possible Reasons for IPv6 in IPv4 Tunnels
  • Networks in the path between an IPv6-capable host
    and the WAN don't support an IPv4/IPv6 dual-stack
    environment
  • Local network support organizations don't support
    a dual-stack environment

4
Configured Tunnels
  • Configured tunnels connect IPv4/IPv6 dual-stack
    hosts or networks to larger IPv6 networks.
  • Local network administrators arrange for a tunnel
    between IPv6 networks across IPv4-only networks.
  • This was the default dual-stack architecture on
    Abilene until 2002, and there are still some
    configured tunnels supported by the Abilene NOC.

5
Automatic IPv6 in IPv4 Tunnels
  • A dual-stack host or network automatically
    creates a tunnel across an IPv4-only network
  • Tunnel Types
  • 6to4: Most commonly deployed automatic tunnel
    format.
  • ISATAP: Intranet automatic tunnel format not
    designed for public networks
  • Teredo: Promising, but still in early discussions
    in the IETF

6
6to4 Tunnel IPv4 Packet Format

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live | Protocol = 41 |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   /                   IPv6 header and payload ...                 /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  • Source: RFC 3056, Connection of IPv6 Domains via
    IPv4 Clouds

7
IPv6 Address Format in 6to4
For example, a Windows XP system with IPv4
address 207.75.164.119 would have a 6to4 IPv6
address of 2002:cf4b:a477::cf4b:a477
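As an added worked example (editor's code, not from the slides), the 6to4 address arithmetic from RFC 3056 in Python's standard ipaddress module: the /48 block an IPv4 address maps to, the Windows XP host form shown above, the ::1 host form the scenario slides use, and the outer IPv4 destination a 6to4 host selects for a packet (the embedded address for a 2002:: target, the relay anycast address for anything else). The relay anycast default of 192.88.99.1, and the subnet and interface-ID parameters, are assumptions of this example.

```python
import ipaddress

# 6to4 (RFC 3056) embeds the IPv4 address WW.XX.YY.ZZ into the prefix 2002:WWXX:YYZZ::/48.
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # assumed default relay (the deck's address)


def sixtofour_prefix(ipv4):
    """Return the 2002:WWXX:YYZZ::/48 block derived from an IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    # Hextet 1 = 0x2002, hextets 2-3 = the 32-bit IPv4 address, remaining 80 bits zero.
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def host_6to4_address(ipv4, subnet=0, interface_id=1):
    """Host address inside that /48; the scenario slides use subnet 0 and interface ID ::1."""
    net = sixtofour_prefix(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | (subnet << 64) | interface_id)


def windows_xp_6to4_address(ipv4):
    """Windows XP repeats the IPv4 address as the interface ID: 2002:WWXX:YYZZ::WWXX:YYZZ."""
    net = sixtofour_prefix(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def tunnel_endpoint(ipv6_dst, relay=RELAY_ANYCAST):
    """Outer IPv4 destination for an encapsulated packet.

    For a 2002:: destination the IPv4 address is read straight out of the
    IPv6 address (no relay needed); native IPv6 destinations go to the relay.
    """
    dst = ipaddress.IPv6Address(ipv6_dst)
    embedded = dst.sixtofour          # IPv4Address for 2002::/16, None otherwise
    return embedded if embedded is not None else relay
```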
8
6to4 Implementation Scenarios (1 of 2)
  • Both host A and host B are on IPv4-only networks
    and both are capable of IPv6 6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet (IPv4 and IPv6 clouds) connecting two IPv4-only LANs]
Host A: 192.168.15.1/24, 2002:c0a8:0f01::1
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
9
6to4 Implementation Scenarios (1 of 2)
  • Both host A and host B are on IPv4-only networks
    and both are capable of IPv6 6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet (IPv4 and IPv6 clouds) connecting two IPv4-only LANs]
Host A creates IPv6 packet with destination
address 2002:c0a8:1101::1 and encapsulates it in
IPv4 packet with destination address 192.168.17.1
Host A: 192.168.15.1/24, 2002:c0a8:0f01::1
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
14
6to4 Implementation Scenarios (1 of 2)
  • Both host A and host B are on IPv4-only networks
    and both are capable of IPv6 6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet (IPv4 and IPv6 clouds) connecting two IPv4-only LANs]
Host B decapsulates IPv6 packet from IPv4 packet
and processes IPv6 packet
Host A: 192.168.15.1/24, 2002:c0a8:0f01::1
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
15
6to4 Implementation Scenarios (1 of 2): Observations
  • Encapsulated IPv6 packets travel the IPv4 routing
    path.
  • No tunneling equipment or IPv6 infrastructure is
    required between the hosts

16
6to4 Implementation Scenarios (2 of 2)
  • Host A is on a native IPv6 network and host B is
    on an IPv4-only network, but is itself capable of
    IPv6 6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet with a 6to4 relay router; host A on an IPv4/IPv6 dual-stack LAN, host B on an IPv4-only LAN]
Host A: 192.168.15.1/24, 2001:468:1420:25::/64
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
17
6to4 Implementation Scenarios (2 of 2)
  • Host A is on native IPv6 network, host B is on
    IPv4-only network, but is itself capable of IPv6
    6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet with a 6to4 relay router; host A on an IPv4/IPv6 dual-stack LAN, host B on an IPv4-only LAN]
Host A creates IPv6 packet to 2002:c0a8:1101::1
Host A: 192.168.15.1/24, 2001:468:1420:25::/64
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
18
6to4 Implementation Scenarios (2 of 2)
  • Host A is on native IPv6 network, host B is on
    IPv4-only network, but is itself capable of IPv6
    6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet with a 6to4 relay router; host A on an IPv4/IPv6 dual-stack LAN, host B on an IPv4-only LAN]
Relay router advertises IPv6 route 2002::/16
Host A: 192.168.15.1/24, 2001:468:1420:25::/64
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
22
6to4 Implementation Scenarios (2 of 2)
  • Host A is on native IPv6 network, host B is on
    IPv4-only network, but is itself capable of IPv6
    6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet with a 6to4 relay router; host A on an IPv4/IPv6 dual-stack LAN, host B on an IPv4-only LAN]
Relay router encapsulates IPv6 packet in IPv4
packet and sends IPv4 packet to dest. address
192.168.17.1
Host A: 192.168.15.1/24, 2001:468:1420:25::/64
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
26
6to4 Implementation Scenarios (2 of 2)
  • Host A is on native IPv6 network, host B is on
    IPv4-only network, but is itself capable of IPv6
    6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet with a 6to4 relay router; host A on an IPv4/IPv6 dual-stack LAN, host B on an IPv4-only LAN]
Host B decapsulates IPv6 packet from IPv4 packet
and processes IPv6 packet
Host A: 192.168.15.1/24, 2001:468:1420:25::/64
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
27
6to4 Implementation Scenarios (2 of 2): Reverse Direction
  • Host A is on native IPv6 network, host B is on
    IPv4-only network, but is itself capable of IPv6
    6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet with a 6to4 relay router; host A on an IPv4/IPv6 dual-stack LAN, host B on an IPv4-only LAN]
Host A: 192.168.15.1/24, 2001:468:1420:25::/64
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
28
6to4 Implementation Scenarios (2 of 2): Reverse Direction
  • Host A is on native IPv6 network, host B is on
    IPv4-only network, but is itself capable of IPv6
    6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet with a 6to4 relay router; host A on an IPv4/IPv6 dual-stack LAN, host B on an IPv4-only LAN]
Host B creates IPv6 packet with dest. addr.
2001:468:1420:25:: and encapsulates it in IPv4
packet with dest. addr. 192.88.99.1
Host A: 192.168.15.1/24, 2001:468:1420:25::/64
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
29
6to4 Implementation Scenarios (2 of 2): Reverse Direction
  • Host A is on native IPv6 network, host B is on
    IPv4-only network, but is itself capable of IPv6
    6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet with a 6to4 relay router; host A on an IPv4/IPv6 dual-stack LAN, host B on an IPv4-only LAN]
Relay router advertises anycast IPv4 route
192.88.99.0/24
Host A: 192.168.15.1/24, 2001:468:1420:25::/64
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
33
6to4 Implementation Scenarios (2 of 2): Reverse Direction
  • Host A is on native IPv6 network, host B is on
    IPv4-only network, but is itself capable of IPv6
    6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet with a 6to4 relay router; host A on an IPv4/IPv6 dual-stack LAN, host B on an IPv4-only LAN]
Relay router decapsulates IPv6 packet and
forwards packet to IPv6 destination address
Host A: 192.168.15.1/24, 2001:468:1420:25::/64
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
37
6to4 Implementation Scenarios (2 of 2): Reverse Direction
  • Host A is on native IPv6 network, host B is on
    IPv4-only network, but is itself capable of IPv6
    6to4 tunneling

[Diagram: IPv4/IPv6 dual-stack Internet with a 6to4 relay router; host A on an IPv4/IPv6 dual-stack LAN, host B on an IPv4-only LAN]
Host A processes IPv6 packet
Host A: 192.168.15.1/24, 2001:468:1420:25::/64
Host B: 192.168.17.1/24, 2002:c0a8:1101::1
38
6to4 Implementation Scenarios (2 of 2): Observations
  • Asymmetric routes are common
  • Placement of 6to4 relay routers can have a
    significant impact on 6to4 tunnel performance

39
Alternate 6to4 Scenario
  • An edge router could be utilized instead of a
    host computer for any of the 6to4 tunnel endpoints.
  • An edge router can provide a /48 IPv6 subnet for
    each IPv4 address

40
Alternate 6to4 Scenario
[Diagram: IPv4/IPv6 dual-stack WAN; an edge router with a 6to4 tunnel (IPv4 interface address 192.168.17.1, IPv6 address block 2002C0A811011/48) fronts a LAN; hosts sit on IPv4/IPv6 dual-stack LANs]
Host A 192.168.15.1 200146814201500
Host B 192.168.17.5 2002c0a8110115
41
Supported 6to4 Environments
  • Client
  • Windows XP: automatically enabled if IPv6 is
    enabled
  • Linux, FreeBSD, Mac OS X: supported but not
    enabled by default
  • Server
  • Cisco IOS releases that support IPv6
  • Linux
  • FreeBSD

42
6to4 Security Issues
  • See
    http://www.ietf.org/internet-drafts/draft-savola-v6ops-6to4-security-02.txt
  • Recommends access lists
  • Relays use process-switching, which impacts
    performance and limits potential DoS attacks
  • A conclusion can be made that although 6to4
    relays have security issues, they are not
    significant. DoS attacks would appear to be as
    easy using other network devices.
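The access-list style check a 6to4 endpoint applies when it decapsulates, as an added example that is not part of the deck: it parses the slide-6 format (IPv4 header with protocol 41 followed by the IPv6 header) and enforces the RFC 3056 rule that a 2002:: inner source must embed the IPv4 address the outer packet actually came from, so a spoofed tunnel packet is dropped before IPv6 processing. The packet builder and the scenario addresses it is fed are constructed here for illustration; the draft cited above was later published as RFC 3964.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41                           # "Protocol 41" field of the slide-6 IPv4 header
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def build_6to4_packet(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Constructed sample: 20-byte IPv4 header (no options, checksum left 0) + IPv6 header."""
    v6 = struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,  # next header 59 = none
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed) + payload
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0x4000, 64,
                     PROTO_IPV6_IN_IPV4, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


def check_decapsulation(packet):
    """Decide (accept, reason) for an IPv4 packet arriving at a 6to4 host or relay."""
    if len(packet) < 60:
        return False, "truncated"
    vihl, _, _, _, _, _, proto, _, src4, dst4 = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if vihl >> 4 != 4 or proto != PROTO_IPV6_IN_IPV4:
        return False, "not IPv6-in-IPv4"
    inner = packet[(vihl & 0x0F) * 4:]            # skip the IPv4 header including any options
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "inner packet is not IPv6"
    outer_src, outer_dst = ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4)
    src6, dst6 = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    # RFC 3056: a 2002:: inner source must embed the IPv4 address the packet came from;
    # a mismatch means the tunnel source was forged, so the packet is dropped.
    if src6 in SIX_TO_FOUR and src6.sixtofour != outer_src:
        return False, f"inner src {src6} does not match outer src {outer_src}"
    # Symmetric check when a 2002:: destination is delivered directly to a 6to4 host.
    if dst6 in SIX_TO_FOUR and dst6.sixtofour != outer_dst:
        return False, f"inner dst {dst6} does not match outer dst {outer_dst}"
    # RFC 3964 additionally rejects embedded private/loopback/multicast IPv4 addresses;
    # that check is omitted here because the deck's lab scenarios use 192.168.x.x hosts.
    return True, "ok"
```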