Title: 1 of 57
Slide 1: IPv6
Thanks for stopping by
- Bill Cheswick
- ches_at_lumeta.com
- http://www.lumeta.com
Slide 2: (No Transcript)
Slide 3: The Internet was engineered in the early 1980s, and before
- A research project, with a lot of flaws
- Nobody thought it would succeed as it has
- Astonishing that the engineering choices have lasted so long, through so many orders of magnitude of growth
- Relatively little tweaking
  - DNS, BGP, CIDR addressing, TCP slow start, a few new ICMP messages
Slide 4: One of the choices: address size
- 4 billion addresses (2^32) seemed like enough in 1982
- At the Morris worm (Nov 1988), estimated to be 6,000 hosts on the Internet (SWAG)
  - In Bell Labs, I counted 1,330
- AT&T acquired a class A network (12.0.0.0/8) when Mark Horton just asked for it
Slide 5: Fun with a class A (/8) network
- We couldn't figure out how to use it
  - Sub- and sub-sub-netmasking not well supported
  - The Cray had no trouble using it
- IP-opaque firewall wouldn't allow us to use it internally and externally
- Steve Bellovin and I wondered how this empty address space was faring on the Internet
- We built the first packet telescope
Slide 6: Packet telescopes
Slide 7: How do you make a packet telescope?
- Announce the network on the Internet
- Tell the router to forward all packets of that net to a non-existent Ethernet address (01:02:03:04:05:06)
- The router doesn't care that no-one is listening to the packets
- Then listen with tcpdump, ethereal, etc.
Slide 8: What we found
- Backscatter from dying hosts
- Misconfigured routers, etc.
- 15-25 MB per day of traffic
- Steve wrote the paper "There Be Dragons" based on the results.
Slide 9: Backscatter
- Some attacks on hosts require that tables be full, or the host be too busy to respond
- Flood it with spoofed packets having random return addresses
  - Or chosen to be AT&T, because the phone company is evil
- The (dying) host will emit some responses to the spoofed address, and we can see some of them
Slide 10: Packet telescopes are used by a number of researchers today
- They cover a lot of address space
- The address spaces covered are kept secret
  - Some are large, obvious spaces
  - Others are mixed in with normal space
- More on this later
Slide 11: Brief history of Internet addressing: 1993
- Careless allocation seemed to be dooming us
  - My ASCII floor number in our class B network: 135.104.x.0/16
- Address space was filling up
- Routers were limited by the memory holding all the routes on the Internet
Slide 12: Simple solution in 1993: more address bits
- Painful, but not too bad
- Would have gone into Microsoft (Win 95 was in the future)
- IETF had several proposals to change the IP packet format to add more address space
  - and do a lot of other stuff, too, unfortunately
  - As long as you are going to change every IP stack, let's get something done
- Politics!
Slide 13: IPv4 address space diagram, 0.0.0.0 to 255.255.255.255
Slide 14: Class D and E networks: multicast
Slide 15: 10.0.0.0/8, RFC 1918 space
Slide 16: 127.0.0.0/8
Slide 17: In 1993, IPv6 was 3 years away
Slide 18: But the emergency hasn't come yet, at least in the US
- RFC 1918, private address space, is used extensively
- Companies were using IP-blocking firewalls, making their own address space
  - At one bank: 50 states -> 50 class A networks
- Class A/B/C network sizes replaced with CIDR blocks: 209.123.16.96/28
- ARIN/RIPE/APNIC became very restrictive about handing out addresses
Slides 19-23: (charts only) 1999, 2000, 2001, 2002, 2005
Slide 24: IPv6 still 3 years away?
Slide 25: DNS lookup of ipv6.research.microsoft.com
    ipv6.research.microsoft.com. 15M IN AAAA 131.107.65.121
    ipv6.research.microsoft.com. 15M IN AAAA 2002:836b:4179::836b:4179
Slide 26: (No Transcript)
Slide 27: IPv6 deployment
- Widely deployed in the Far East, and in the new cell phones
- Europe is getting on board
- US Government mandate for 2005
  - But what does "IPv6 capable" really mean?
- None of the three ISPs I am connected to at home or work offer raw IPv6 feeds
Slide 28: IPv6 transition
- 6bone deprecated
- IPv6 is available through IPv4/IPv6 tunnel brokers
  - www.hexago.com, formerly freenet6.net
  - Easy to set up on Unix hosts, then it Just Works
  - In Windows XP for developers
- IPv4/IPv6 NAT boxes?
- Lumeta? We are working on it
Slide 29: IPv6
Slide 30: IPv4 vs. IPv6 address space (diagram comparing prefix lengths)
- IPv4
  - Class A: /8
  - Class B: /16 (street value, 1MM?)
  - Class C: /24
- IPv6
  - China: /32
  - soldier: /48
  - link: /64
Slide 31: IPv6 address space
- /48s seem to be freely available
  - Each US soldier will have one
  - One for each home
- Easy to hide hosts in that space
- Hard to administer hosts in that space
- Some interesting cryptographic and IP hopping applications come to mind.
Slide 32: soldier /48
- Host portion is 80 bits
- Enough for four whole Internets-worth of addresses for each cell in the soldier's body
  - Future nanotech really-intranet?
- Roughly enough to assign an IP address to each molecule in one of the soldier's bullets
Slide 33: IPv6 technical aspects
- Addresses aren't as bad as you might think
  - 20015bfe161 (easy to grep!)
- Address format changes logfile processing
- Math not easy for processing IPv6 addresses
- The socket dance must be rewritten
  - It's much cleaner now
- Not a big deal, but requires changes to every Internet legacy program
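As an added example (not from the talk or from Lumeta), the address chores slides 30 through 33 say change with IPv6, worked in Python with the standard ipaddress module: host bits below a prefix, decoding the 6to4 AAAA record quoted on slide 25, and pulling canonical IPv6 literals out of log lines. The function names, the IPV6_CANDIDATE pattern and the sample log line are constructed for this example.

```python
import ipaddress
import re

def host_bits(prefix: str) -> int:
    """Bits left below the prefix: 128 - 48 = 80 for the 'soldier /48' of slide 32."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.max_prefixlen - net.prefixlen

def addresses_in(prefix: str) -> int:
    """Addresses inside a prefix: 2**80 for a /48, 4 for the slide-44 IPv4 /30."""
    return 2 ** host_bits(prefix)

def embedded_ipv4(addr: str):
    """A 6to4 address (2002::/16, RFC 3056) carries its IPv4 endpoint in bits 16-47,
    so the slide-25 AAAA 2002:836b:4179::836b:4179 decodes to 131.107.65.121."""
    v4 = ipaddress.IPv6Address(addr).sixtofour
    return None if v4 is None else str(v4)

def canonical(addr: str) -> str:
    """One spelling per address, so grep/uniq counts over logs are not split between
    upper-case, fully exploded and '::' forms of the same host."""
    return ipaddress.IPv6Address(addr).compressed

# Loose candidate pattern (constructed); ipaddress does the real validation, which is
# what keeps clock stamps such as 12:30:00 from being counted as hosts.
IPV6_CANDIDATE = re.compile(r"[0-9A-Fa-f:]*:[0-9A-Fa-f:]+")

def ipv6_in_log(line: str) -> list:
    """Every valid IPv6 literal in one log line, canonicalised."""
    found = []
    for tok in IPV6_CANDIDATE.findall(line):
        try:
            found.append(canonical(tok))
        except ValueError:       # not an address: a timestamp, a ':port' suffix, etc.
            pass
    return found

if __name__ == "__main__":
    print(host_bits("2001:db8::/48"), embedded_ipv4("2002:836b:4179::836b:4179"))
    # constructed log line: a clock stamp, a bracketed literal and a port suffix
    print(ipv6_in_log("12:30:00 connect from [2002:836B:4179:0:0:0:836B:4179]:443"))
```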
Slide 34: IPv6 dead ends
- Google-based research will lead you down recently abandoned dead ends
  - A6 came and went, AAAA is what to use
  - Link level addressing is deprecated
  - The 6bone is dying, don't go there
  - Use of the bottom 128 - 48 = 80 bits is not really settled
Slide 35: Conversion issues
- IPv4-only hardware
  - IPv6 not available in some routers, wireless base stations, hubs, etc.
- Programmers have to relearn the socket dance
- Address format changes logfile processing
- Have to replicate a whole new set of firewall rules
Slide 36: IPv6 pending problems
- Chicken-and-egg startup
- DNS entries too small to hold all the root AAAA records
- Asset management?
Slide 37: Reasons to go to IPv6
- Address space stops being a problem
- Because the government policy says so
- There could be useful IPv6-only sites
  - Early adopters (i.e. China) can restrict access to the IPv4 world
- Perhaps worm spreads might be slowed
  - See below
Slide 38: Reasons not to go to IPv6
- Unnecessary expense for corporations using private address space
- Unsupported by most cheap devices
  - Cable modems, base stations, etc.
- Not really there yet: some standards unsettled
Slide 39: Who are the early adopters?
- China and Japan
  - Didn't receive very large initial IPv4 allocations
- Nascent industries
  - IP for cell phones
- US government, supposedly
Slide 40: IPv6 is still three years away
- From general acceptance
- There are more than a thousand out there right now
  - IPv4 has nearly 200,000
Slide 41: Some IPv6 web sites
- www.ipv6.org
- www.ipv6forum.com
- vendors
- www.hexago.com
  - Free IPv6 brokering
Slide 42: More on the Telescopes
Slide 43: How do you make a packet telescope? Part 2.
- Choose some unused IP addresses
  - Near other address spaces is more likely to get hit
- Have a host publish permanent arp entries for each address
  - arp 209.123.16.100 01:02:03:04:05:06 pub
- The router doesn't care that nobody is listening
- Then listen with tcpdump, ethereal, etc.
Slide 44: Internet background radiation
- 209.123.16.100/30: a packet telescope with four addresses
- 6 probes per hour per address
- Results vary depending on who is next door to you in Internet addressing (i.e. shares an ISP)
Slide 45: Thursday, 4 addresses, res./com. network (nac.net)
- first half of Thursday
- 4 addresses
- residential/commercial network (nac.net)
- Nothing in DNS or web about these addresses
- No Windows PCs here
Slide 46: Traffic by hour
The file x holds the tcpdump output; the first colon-separated field of each line is the hour, so counting it gives packets per hour:
    b/var/tmp$ cut -d: -f1 x | sort | uniq -c |
        awk '{x = ""; for (i = 1; i <= $1; i++) x = x "*"; print $2, $1, x}'
(The bar character in the awk string was lost in extraction; "*" stands in for it here.) Output, hour and packet count:
    00 67
    01 30
    02 37
    03 47
    04 42
    05 42
    06 54
    07 28
    08 46
    09 37
    10 18
Slide 47: Attack distribution by address
- 209.123.16.100: 111
- 209.123.16.101: 95
- 209.123.16.102: 114
- 209.123.16.103: 127
Slide 48: tcpdump listing of the probes arriving at the four telescope addresses (raw packet listing not reproduced)
Slide 49: IP source address count (list of source addresses and per-source counts not reproduced)
Slide 50: Attack sources (list of reverse-DNS domains of the sources not reproduced)
Slide 51: What are these packets, and where do they come from?
- Infection packets from worms and viruses
- Bot nets searching for new potential victims
- Backscatter from hosts attacked with random spoofed source addresses
  - The last cry of dying hosts
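The analysis slides 46, 47, 49 and 51 do by hand (packets per hour, per target address, per source, and which packets are probes versus backscatter), as an added Python example that is not part of the talk. The tcpdump lines in SAMPLE are constructed: the targets are the slide-44 telescope 209.123.16.100/30, the sources are RFC 5737 documentation addresses, and all function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's default text format (example data, not the talk's
# capture): targets are the slide-44 telescope /30, sources are documentation addresses.
SAMPLE = """\
07:04:28.194878 IP 192.0.2.29.4908 > 209.123.16.103.135: S 3234716732:3234716732(0) win 16384
07:18:51.474861 IP 198.51.100.26.3178 > 209.123.16.103.1434: UDP, length 376
07:37:01.279847 IP 203.0.113.92.80 > 209.123.16.103.15439: S 1394506562:1394506562(0) ack 1570 win 5840
07:46:19.098466 IP 192.0.2.250.3700 > 209.123.16.101.445: S 2483889535:2483889535(0) win 16384
08:26:57.976816 IP 198.51.100.185.6000 > 209.123.16.100.1433: S 1132396544:1132396544(0) win 16384
08:26:57.980013 IP 198.51.100.185.6000 > 209.123.16.102.1433: S 974782464:974782464(0) win 16384
08:40:02.113355 IP 203.0.113.7.443 > 209.123.16.100.40211: R 0:0(0) ack 81 win 0
"""
LINE = re.compile(r"^(\d\d):\d\d:\d\d\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")

def classify(payload: str) -> str:
    """Slide 51's kinds: a bare SYN or a UDP datagram to an unused address is a probe
    (worm or bot scanning); a SYN/ACK or RST that carries an ack number is backscatter,
    the answer of a host that was hit with a SYN spoofed from our address (slide 9)."""
    if payload.startswith("UDP"):
        return "udp-probe"
    if " ack " in payload:
        return "backscatter"
    if payload.startswith("S "):
        return "syn-probe"
    return "other"

def parse(text: str) -> list:
    recs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m is None:
            continue                     # tcpdump output that is not an IP packet line
        hour, src, _sport, dst, dport, payload = m.groups()
        recs.append({"hour": hour, "src": src, "dst": dst,
                     "dport": int(dport), "kind": classify(payload)})
    return recs

def by_hour(recs):   return Counter(r["hour"] for r in recs)   # slide 46
def by_target(recs): return Counter(r["dst"] for r in recs)    # slide 47
def by_source(recs): return Counter(r["src"] for r in recs)    # slide 49
def by_kind(recs):   return Counter(r["kind"] for r in recs)   # slide 51

def histogram(counts) -> list:
    """Same layout as the awk on slide 46: hour, count, one star per packet."""
    return [f"{k} {n} {'*' * n}" for k, n in sorted(counts.items())]
```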
Slide 52: Can IPv6 stop these kinds of attacks?
Slide 53: Will this protect us from probing malware?
- A little, but the short answer is no
  - Sniffing
  - Routing tables
Slide 54: Dangerous idea
- IP-address hopping as SOP
Slide 55: link /64
- We are supposed to do special, host-specific things with the bottom 64 bits
  - 12 bits Ethernet
- Nonsense! How about a separate IP address for each conversation with the host
  - Every host is a network
  - Spread-spectrum, or frequency-hopping
Slide 56: This would break a lot of things
- Flows
- DHCP assumptions
- Arp tables in the local router. Oops.
  - Dynamic ethernet address processing, no arp tables
- Corporate asset management is an unaddressed problem, and an important need
  - Spooks care too: where has that laptop connected before?
Slide 57: (No Transcript)