Technology Updates in IPv6
SUZUKI, Shinsuke
Hitachi, Ltd. / KAME Project
suz@crl.hitachi.co.jp
Copyright(c)2003 All rights reserved, Hitachi, Ltd.
Abstract
IPv6-related issues in IETF:
• Core Protocol issues
• Routing Protocol issues
• DNS-related issues
• Transition Mechanism issues
• Security-related issues
Core Protocol Issues
• Site-Local Address
• Prefix Delegation
• Flow-Label
• Router Renumbering
(Mobile-IPv6 is covered in a later presentation)
Site-local Address (Overview)
• The site-local address spec has two distinct characteristics:
  - Private use is allowed, like 192.168.0.0/16
  - A Site-Border Router has to distinguish addresses in different sites
    e.g. FEC0::1%site1 and FEC0::1%site2 are different
• Issues
  - Site-local addresses are often duplicated among networks
    e.g. when multiple networks are merged together and both networks use fec0:1:2::/48
  - The Site-Border Router is a serious headache for implementors, standardization, and operation.
Site-local Address (Proposal)
• “Deprecate Site-local” and introduce a new solution
  - Remove ‘Site-Border’, but keep localness and uniqueness
• Global-Unique Local Address (FC00::/7)
  - Locally used unique address
    guarantees 40-bit uniqueness
    not allowed to be redistributed to the Internet
  - Split into two parts
    FC00::/8 = centrally assigned by some registries (TBD)
    FD00::/8 = locally assigned without any registries
  - Address format:
    1111 110 (7 bit) | 0/1 (1 bit) | MD5-hash (40 bit) | SLA (16 bit) | Interface-ID (64 bit)
Remaining Issues in FC00::/7
• May it lead to an IPv6-NAT introduction?
  - Simultaneous use of a global address and FC00::/7 is better
• Source address selection
  - The longest-match algorithm (RFC3484) is sufficient
• DNS server
  - A two-faced DNS server is necessary, like in IPv4 private address handling.
• Well-known site-local address?
  - e.g. DNS server address (FEC0:0:0:FFFF::1)
  - A global-unique local address is not suitable, since it varies by network
  - Use of FEC0::/10 needs further consideration, even after site-local address deprecation
• Who manages the ‘registry’?
• Is 40-bit uniqueness enough?
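As an added example (not part of the original slides), the following Python assembles a FC00::/7 address from the field layout shown on the proposal slide and puts a number on the “Is 40-bit uniqueness enough?” question with a birthday-bound calculation. The 40-bit field is the leftmost 40 bits of an MD5 digest, as the slide labels it; what is fed into that digest is this example's assumption.

```python
import hashlib
import ipaddress
import os


def global_id_40(seed: bytes) -> int:
    """Leftmost 40 bits of MD5(seed): the slide's 'MD5-hash' field.
    The choice of seed is an assumption of this example, not the slide's."""
    return int.from_bytes(hashlib.md5(seed).digest()[:5], "big")


def build_ula(global_id: int, sla: int, iid: int, local: bool = True) -> ipaddress.IPv6Address:
    """Layout: 1111110 (7) | L (1) | global ID (40) | SLA (16) | interface ID (64).
    local=True sets L=1 -> FD00::/8 (locally assigned, no registry);
    local=False sets L=0 -> FC00::/8 (centrally assigned, registry TBD)."""
    if not 0 <= global_id < 1 << 40:
        raise ValueError("global ID must fit in 40 bits")
    if not 0 <= sla < 1 << 16:
        raise ValueError("SLA must fit in 16 bits")
    if not 0 <= iid < 1 << 64:
        raise ValueError("interface ID must fit in 64 bits")
    value = (0b1111110 << 121) | (int(local) << 120) | (global_id << 80) | (sla << 64) | iid
    return ipaddress.IPv6Address(value)


def site_prefix(global_id: int, local: bool = True) -> ipaddress.IPv6Network:
    """The /48 a site derives: prefix bits, L and the 40-bit ID; SLA and IID zero."""
    return ipaddress.IPv6Network((int(build_ula(global_id, 0, 0, local)), 48))


def is_unique_local(addr) -> bool:
    """True for anything in FC00::/7, i.e. what a border filter must not let out."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fc00::/7")


def collision_probability(n_sites: int, bits: int = 40) -> float:
    """Exact birthday bound: probability that at least two of n_sites
    independently drawn IDs of the given width are equal."""
    space = 2 ** bits
    p_all_distinct = 1.0
    for k in range(n_sites):
        p_all_distinct *= (space - k) / space
    return 1.0 - p_all_distinct


if __name__ == "__main__":
    # Two organisations that picked local prefixes independently
    # (seeds constructed from os.urandom for this demo).
    a = site_prefix(global_id_40(os.urandom(16)))
    b = site_prefix(global_id_40(os.urandom(16)))
    print("site A:", a, " site B:", b, " same prefix:", a == b)
    gid_a = int(a.network_address) >> 80 & ((1 << 40) - 1)
    host = build_ula(gid_a, sla=0x0001, iid=0x1)
    print("host in site A, subnet 1:", host, " unique-local:", is_unique_local(host))
    for n in (2, 1_000, 100_000):
        print(f"{n:>7} merged sites -> P(collision) = {collision_probability(n):.3e}")
```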
Prefix Delegation (Overview)
• Plug & Play for (esp.) SOHO Routers
• Use some protocol to automatically delegate a prefix from the upstream router to downstream routers
• Figure: ISP Router → SOHO Router: delegates a prefix automatically (normally /48); the SOHO Router chooses a prefix (/64) for the PC segment; SOHO Router → PC: plug and play by RA (/64)
Prefix Delegation (Status)
• Standardization almost finished
  - Concept and requirements are approved in the IPv6 WG.
  - Various protocols are proposed, but the DHCPv6-based one seems to be the winner
    Does not distribute IPv6 addresses in DHCPv6
    Just uses the DHCPv6 protocol framework to distribute IPv6 prefixes
    Distributes other information (e.g. DNS server) as well
• Lots of implementations
  - Gone through lots of interoperability testing
    TAHI, Connectathon, IPv6 Showcase, DHCPv6-Interop
• ISPs have already started PD service in Japan
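The slide's point that DHCPv6-PD reuses the DHCPv6 option framework to carry prefixes rather than addresses, as an added example that is not from the slides or any implementation named on them: the IA_PD (option 25) and IAPREFIX (option 26) options encoded and then parsed with the length and lifetime checks a receiving router should make, plus the /64 selection step from the figure. Option 23 (DNS servers), the sample prefix 2001:db8:1234::/48 and all lifetimes are constructed values; the surrounding Solicit/Advertise/Request/Reply exchange is not modelled.

```python
import ipaddress
import struct

OPTION_DNS_SERVERS = 23  # the same framework carrying 'other information'
OPTION_IA_PD = 25
OPTION_IAPREFIX = 26
IAPREFIX_FIXED_LEN = 4 + 4 + 1 + 16  # preferred, valid, prefix-len, prefix


def encode_iaprefix(prefix, preferred, valid):
    """IAPREFIX: preferred-lifetime, valid-lifetime, prefix-length, 16-byte prefix."""
    body = struct.pack("!IIB", preferred, valid, prefix.prefixlen) + prefix.network_address.packed
    return struct.pack("!HH", OPTION_IAPREFIX, len(body)) + body


def encode_ia_pd(iaid, t1, t2, prefixes):
    """IA_PD: IAID, T1, T2, then one IAPREFIX sub-option per delegated prefix."""
    body = struct.pack("!III", iaid, t1, t2) + b"".join(encode_iaprefix(*p) for p in prefixes)
    return struct.pack("!HH", OPTION_IA_PD, len(body)) + body


def iter_options(data):
    """Yield (code, body) from a DHCPv6 option list, refusing lengths that
    run past the buffer instead of reading whatever happens to follow."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + length > len(data):
            raise ValueError(f"option {code} length {length} exceeds buffer")
        yield code, data[pos:pos + length]
        pos += length


def parse_ia_pd(body):
    """Return one dict per IAPREFIX inside an IA_PD option body."""
    if len(body) < 12:
        raise ValueError("IA_PD shorter than IAID/T1/T2")
    iaid, t1, t2 = struct.unpack_from("!III", body, 0)
    found = []
    for code, sub in iter_options(body[12:]):
        if code != OPTION_IAPREFIX:
            continue  # other sub-options are not interpreted here
        if len(sub) < IAPREFIX_FIXED_LEN:
            raise ValueError("IAPREFIX too short")
        preferred, valid, plen = struct.unpack_from("!IIB", sub, 0)
        if plen > 128 or preferred > valid:
            raise ValueError("bad prefix length or lifetimes")
        net = ipaddress.IPv6Network((sub[9:25], plen), strict=False)
        found.append({"iaid": iaid, "t1": t1, "t2": t2, "prefix": net,
                      "preferred": preferred, "valid": valid})
    return found


def delegated_prefixes(options):
    """Every delegated prefix found in a Reply's option list."""
    found = []
    for code, body in iter_options(options):
        if code == OPTION_IA_PD:
            found.extend(parse_ia_pd(body))
    return found


def is_well_formed(options):
    try:
        delegated_prefixes(options)
        return True
    except ValueError:
        return False


def choose_subnet(delegated, index):
    """The SOHO router's step in the figure: carve the /64 it will announce
    in RAs on one LAN segment out of the delegated prefix."""
    if delegated.prefixlen > 64:
        raise ValueError("delegated prefix too long to split into /64s")
    if not 0 <= index < 1 << (64 - delegated.prefixlen):
        raise ValueError("subnet index out of range")
    return ipaddress.IPv6Network((int(delegated.network_address) + (index << 64), 64))


def sample_reply_options():
    """Constructed Reply option list: one DNS server plus one IA_PD
    delegating 2001:db8:1234::/48 (sample values, not from any ISP)."""
    dns = ipaddress.IPv6Address("2001:db8::53").packed
    dns_opt = struct.pack("!HH", OPTION_DNS_SERVERS, len(dns)) + dns
    pd_opt = encode_ia_pd(1, 3600, 5760,
                          [(ipaddress.IPv6Network("2001:db8:1234::/48"), 7200, 86400)])
    return dns_opt + pd_opt
```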
IPv6 Flow Label
• Issue
  - The IPv6 architecture defines a flow-label field in the IPv6 header, but its usage is not explicitly defined.
• Status
  - Framework is approved in the WG.
    The sender determines the Flow Label by some means
    Intermediate routers don't overwrite the Flow Label
    The receiver handles the packet appropriately according to the Flow Label field value.
  - How to use this framework?
    Up to the controlling protocols, like RSVP etc.
Router Renumbering
• Overview
  - The Router Renumbering protocol is defined, but is it really practical?
  - If not, what is the right procedure for manual renumbering?
• Status
  - Does not seem practical; it cannot change embedded prefixes.
    DNS record
    • Even with A6, you have to reconfigure some records manually.
    • A6 does not work if a prefix is referred to by other DNS domains (e.g. www.tcpdump.org refers to KAME’s IPv6 address)
    Packet Filter, IPv4/v6 Translator
    Server info in Application Installer (e.g. NetBSD), URL
  - Do you really have to ‘renumber’ on some flag-day?
    Unlike IPv4, you can use the old prefix and the new prefix at the same time
Routing Protocol Issues
• General comment
• BGP4+ issue
• IS-ISv6 issues
• Multihome
Routing Protocol Issues (General Comment)
• Almost all routing protocols support IPv6, except for the obsolete ones.
  - RIP → RIPng, OSPF → OSPFv3, (IS-IS), BGP → BGP4+
  - IGMPv2 → MLDv1, IGMPv3 → MLDv2, (PIM-SM/DM)
  - DVMRP, MSDP → (no protocol)
• IPv6-specific issues are rare:
  - Most routing protocol problems are version-independent
    → if there is a problem in XXX for IPv6, it is also a problem in XXX for IPv4.
BGP4+ issue
• Link-local BGP4+ peering
  - IPv6 nexthop in the BGP4+ spec:
    Global Nexthop
    (Optional) link-local Nexthop (if the peers are directly connected)
  - What should be included in the Global Nexthop field in case of link-local BGP4+ peering?
    The unspecified address (::) or the link-local address?
  - BGP4+ implementations should obey the ‘IETF principle’
    • Send in either manner, but accept both cases
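The “send in either manner, but accept both cases” rule above, as an added Python example that is not from the slides or from any BGP implementation: the Next Hop field of the IPv6 MP_REACH_NLRI attribute is either 16 bytes (global next hop only) or 32 bytes (global plus link-local), and the receiver must cope with a global field holding a real global address, the unspecified address, or a link-local address. Preferring the link-local address on a directly connected peering is this example's choice; the addresses used are constructed samples.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNSPECIFIED = ipaddress.IPv6Address("::")


def encode_nexthop(global_nh, link_local=None) -> bytes:
    """Length-of-Next-Hop octet followed by one or two 16-byte addresses.
    global_nh may be a global address, '::' or a link-local address (the
    three sender styles on the slide); a second address must be link-local."""
    data = ipaddress.IPv6Address(global_nh).packed
    if link_local is not None:
        ll = ipaddress.IPv6Address(link_local)
        if ll not in LINK_LOCAL:
            raise ValueError("second next hop must be within fe80::/10")
        data += ll.packed
    return bytes([len(data)]) + data


def decode_nexthop(field: bytes):
    """Return (global, link_local_or_None). Any length other than 16 or 32
    is rejected rather than guessing where the NLRI starts."""
    if not field:
        raise ValueError("missing next hop length")
    length = field[0]
    if length not in (16, 32):
        raise ValueError(f"unsupported IPv6 next hop length {length}")
    if len(field) < 1 + length:
        raise ValueError("next hop field truncated")
    global_nh = ipaddress.IPv6Address(field[1:17])
    link_local = ipaddress.IPv6Address(field[17:33]) if length == 32 else None
    if link_local is not None and link_local not in LINK_LOCAL:
        raise ValueError("second next hop is not link-local")
    return global_nh, link_local


def forwarding_nexthop(field: bytes, directly_connected: bool) -> ipaddress.IPv6Address:
    """Receiver side of the slide's rule: whichever way the peer encoded
    the next hop, derive one address to forward to."""
    global_nh, link_local = decode_nexthop(field)
    if global_nh == UNSPECIFIED:
        if link_local is None:
            raise ValueError("'::' as global next hop with no link-local next hop")
        return link_local
    if global_nh in LINK_LOCAL:
        return global_nh      # peer placed its link-local address in the global field
    if directly_connected and link_local is not None:
        return link_local     # this example's preference for an on-link peer
    return global_nh


def accepts(field: bytes, directly_connected: bool = True) -> bool:
    """True if the field parses and yields a usable forwarding next hop."""
    try:
        forwarding_nexthop(field, directly_connected)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Two peers encoding a link-local peering differently; both are accepted.
    styles = {
        "'::' + link-local": encode_nexthop("::", "fe80::1"),
        "link-local only": encode_nexthop("fe80::2"),
        "global + link-local": encode_nexthop("2001:db8::1", "fe80::3"),
    }
    for name, field in styles.items():
        print(f"{name:<20} len={field[0]:>2} -> forward via {forwarding_nexthop(field, True)}")
    print("bogus length 20 accepted:", accepts(bytes([20]) + bytes(20)))
```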
IS-ISv6 issues
• IPv6-over-IPv4 tunnel in the IS-IS topology database?
  - The IS-IS protocol handshake has to be done in OSI packets (not IPv4 nor IPv6)
    The IS-IS protocol mandates a GRE tunnel
  - Do all IPv6-over-IPv4 tunnels have to shift to GRE tunnels? (at least router-to-router tunnels)
• What if the IPv4 and IPv6 network topologies are different?
  - The IS-IS protocol assumes the network topology is the same among protocols
  - M-ISIS (Multi-topology IS-IS) is proposed
Multihome
• Overview
  - When a site wants to have multiple upstream ISPs, what should it do?
    1. Obtain its own IPv6 prefix and do E-BGP routing
       An AS number & BGP operation are mandatory
    2. Receive a prefix from each ISP, and use the proper prefix according to the destination
       Source address selection on the host
       Nexthop selection based on source address (and destination)
       How to renumber when the upstream ISP changes
• Status
  - Being discussed in the IETF Multi6 WG, but still no consensus...
DNS-related Issues
• DNS Server Discovery
• AAAA vs A6
• ip6.int vs ip6.arpa
• PTR record usage
DNS Server Discovery (Overview)
• The IPv6 address is automatically configured, but other information still needs manual configuration.
  - e.g. DNS server, NTP server, ...
• DNS server autoconfiguration is especially important in IPv6, considering the length of an IPv6 address.
  - (recursive) DNS server address
  - DNS domain search path
  - Hostname registration
DNS Server Discovery (Status)
• Still under discussion in the DNSOP WG
• Roughly three solutions are proposed:
  - Anycast solution: the DNS server has an anycast address (FEC0:0:0:FFFF::1~3); the PC's DNS server addr = the anycast addr(s)
  - RA-based solution: the PC sends an RS; the Router sends an RA with a new NDP option; DNS server addr = addr(s) in the new NDP option
  - (stateless) DHCPv6-based solution: the PC sends a DHCPv6 Information-Request with the Rapid-Commit option; the Router answers with a DHCPv6 Reply carrying the DNS Server option; DNS server addr = addr(s) in the DNS server option
DNS Server Discovery (Issues)
1. How to update the DNS server address when it changes?
2. What happens when a different server advertises a different DNS server address?
3. Should it allow dynamic DNS registration?
4. How about other information? (e.g. NTP server, SIP server …)

How each proposal handles issues 1-4:
• Anycast
  1. Anycast mechanisms solve it (no address change)
  3. Use the Dynamic DNS update
  4. Out of scope (seems like using a special DNS record)
• RA
  1. Use a DNS server lifetime?
  2. Use a DNS server preference?
  3. Use the Dynamic DNS update
  4. Handle within it
• DHCPv6
  1. DHCPv6 Reconfigure message
  2. The DHCPv6 handshake prevents it
  3. Use the Dynamic DNS update
  4. Use the existing DHCPv6 option
AAAA vs A6
• Overview
  - Two kinds of DNS records are defined
    AAAA: a simple extension of the A record
    A6: a DNS record supporting router renumbering
  - But A6 is not deployed, because of its complexity
• Status
  - IETF decision
    AAAA: for normal IPv6 operation
    A6: for further experimental study
ip6.int vs ip6.arpa
• Overview
  - IPv6 PTR records had used “ip6.int” as their domain name.
  - “ip6.int” was later registered as an international TLD.
• Status
  - “ip6.arpa” is proposed
  - 2001::/16 uses ip6.arpa (and ip6.int for the time being)
  - 3ffe::/16 still uses only “ip6.int” (owing to an administrative reason), but “ip6.arpa” introduction is planned.
PTR record usage
• Some protocols (implementations) require a PTR-record lookup for authentication
  - If there is a PTR record for the source address of the client, then it is authenticated
• Is it really practical in the IPv6 world?
  - Not all IPv6 addresses are available from PTR records
    Link-local addresses
    Most IPv6 addresses generated by stateless autoconfiguration
    Privacy address extension
  - If they just want to look up a name from an address, ICMP node-information-query is available.
Transition Mechanism Issues
• Transition Mechanisms
• Transition Mechanism Issues
(A detailed transition scenario is discussed in a later presentation)
Transition Mechanisms
• Many kinds of mechanisms
  - Tunnel-based
    Tunnel Session Protocol (DTCP, Freenet6 etc), 6to4, ISATAP, Teredo, DSTM
  - Translator-based
    NAT-PT, SIIT, FAITH
  - Proxy-based
    Application-level Gateway (HTTP proxy, SMTP gateway etc)
Transition Mechanism Issues
• There is no perfect mechanism
  - Tunnel-based
    The IPv6 network topology is bound to the IPv4 network topology
    An IPv4 address is necessary
    • i.e. the IPv4 address shortage problem remains unsolved
    Cannot go through NAT
    • (Teredo is the only exception, but it’s too complex…)
  - Translator-based
    In general, IPv4-to-IPv6 translation is difficult.
    Does not work for applications embedding IP addresses in their payload (e.g. FTP, SIP)
  - Proxy-based
    Works only for the specific protocol
• Are they really easier than a simple dual-stack network?
Security-related Issues
• Securing Neighbor Discovery
• Privacy Address Extension
• IPv6 Firewall Architecture
Securing Neighbor Discovery
• Overview
  - Plug & Play can lead to improper network use through
    a wrong NDP cache caused by NA spoofing
    a wrong RA announcement caused by RA spoofing
• Status
  - CGA (Cryptographically-Generated Address)
    Use a specially-authenticated link-local address in the NDP-related handshake.
    Discussed in the SEND WG
  - L2 authentication
    PAP/CHAP (for PPP), 802.1x (for Ethernet) etc
  - IPv6 over IPv4 tunnel
    Not a perfect answer
    If IPv4 network use is permitted (politically), IPv6 does not introduce any additional security risk.
Privacy Address Extension
• Overview
  - Normally the IPv6 interface-ID is constructed by EUI-64 using the MAC address
    The source address in an IPv6 packet tells who sent the packet
  - Privacy Address Extension: use a random interface-ID
• Status
  - Standardized and implemented
    RFC3041
    Windows XP enabled it by default
• Issues
  - DNS reverse PTR record?
  - How to accept connections from outside?
    hostname to address mapping?
  - Does it really provide enough “privacy”?
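The two interface-ID flavours this slide contrasts, as an added Python example that is not from the slides: the EUI-64 form embeds the MAC address, so the sender is recoverable from any packet it emits, while the RFC 3041 temporary form is an MD5 chain that changes on every regeneration. The reverse-name helper ties this to the PTR-record slides (22 and 28): the ip6.arpa owner name an operator would have to provision differs for every temporary address. The MAC address and prefix are constructed samples.

```python
import hashlib
import ipaddress

UL_BIT = 1 << 57  # universal/local bit: bit 6 of the 64-bit IID, counted from the left


def eui64_iid(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE, flip the u/l bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big") ^ UL_BIT


def mac_from_eui64_iid(iid: int) -> str:
    """The inverse: what any observer learns from an EUI-64-based source address."""
    raw = (iid ^ UL_BIT).to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        raise ValueError("not an EUI-64 derived from a 48-bit MAC")
    return ":".join(f"{b:02x}" for b in raw[:3] + raw[5:])


def temporary_iid(history: bytes, stable_iid: int) -> tuple:
    """RFC 3041 section 3.2.1: MD5 over history || stable IID. The left 64
    bits (u/l bit cleared) become the new IID, the right 64 bits the
    history value for the next regeneration."""
    if len(history) != 8:
        raise ValueError("history value is 64 bits")
    digest = hashlib.md5(history + stable_iid.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big") & ~UL_BIT, digest[8:]


def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine an RA-advertised /64 with an interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def reverse_name(addr) -> str:
    """Owner name of the PTR record under ip6.arpa (one nibble per label,
    least significant first)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"          # constructed sample MAC
    prefix = "2001:db8:1:2::/64"       # constructed sample prefix from an RA
    stable = eui64_iid(mac)
    print("EUI-64 address :", make_address(prefix, stable))
    print("MAC recovered  :", mac_from_eui64_iid(stable))
    history = bytes(8)                 # first run: no stored history value
    for n in range(3):                 # one regeneration per temporary lifetime
        iid, history = temporary_iid(history, stable)
        addr = make_address(prefix, iid)
        print(f"temporary #{n}   :", addr, " PTR owner:", reverse_name(addr))
```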
IPv6 Firewall Architecture
• An IPv4-like firewall does not coexist with the ‘End-to-End principle’ (esp. IPsec)
  - Layer-3/4 Packet Filter
    How to protect or permit End-to-End IPsec communication?
  - Application-level Gateway
    It terminates End-to-End communication
  - Personal Firewall
    Can it tolerate a DoS attack?
• Firewall architecture needs an update in the IPv6 era.
  - There are some ‘IPv6-firewall’ products or solutions, but most of them just support IPv6 in their legacy firewall.
