Stateless Source Address Mapping for ICMPv6 Packets

Slides:

Advertisements

Similar presentations

TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.

Advertisements

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.

1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Introduction to IPv4 Introduction to Networks.

Addressing the Network IPv4

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

IPv6 Network Security.

2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

思科网络技术学院理事会. 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.

IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker

1 Chapter Overview IP (v4) Address IPv6. 2 IPv4 Addresses Internet Protocol (IP) is the only network layer protocol with its own addressing system and.

Types of Addresses in IPv4 Network Range

1 26-Aug-15 Addressing the network using IPv4 Lecture # 2 Engr. Orland G. Basas Prepared by: Engr. Orland G. Basas IT Lecturer.

1 26-Aug-15 S Ward Abingdon and Witney College CCNA Exploration Semester 1 Addressing the network IPv4 CCNA Exploration Semester 1 Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

Guide to TCP/IP, Third Edition

7 IPv6: transition and security challenges Selected Topics in Information Security – Bazara Barry.

1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 IPv6 Introduction to Networks & Routing and Switching Essentials.

Fall 2005Computer Networks20-1 Chapter 20. Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv ARP 20.2 IP 20.3 ICMP 20.4 IPv6.

Addressing IP v4 W.Lilakiatsakun. Anatomy of IPv4 (1) Dotted Decimal Address Network Address Host Address.

Internet Protocols (chapter 18) CSE 3213 Fall 2011.

19.1 Chapter 19 Network Layer: Logical Addressing Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

RFC 3964 Security Considerations for 6to4 Speaker: Chungyi Wang Adviser: Quincy Wu Date:

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Network Address Translation for IPv4 Routing And Switching.

ICMPv6 Error Message Types Informational Message Types.

Chapter 27 IPv6 Protocol.

CSE5803 Advanced Internet Protocols and Applications (13) Introduction Existing IP (v4) was developed in late 1970’s, when computer memory was about.

Chapter 8: IP Addressing

+ Lecture#4 IPV6 Addressing Asma AlOsaimi. + Topics IPv4 Issues IPv6 Address Representation IPv6 Types.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the network IPv4 CCNA Exploration Semester 1 – Chapter 6.

Submitted to: Submitted by: Mrs. Kavita Taneja Jasleen kaur (lect.) Hitaishi verma MMICT & BM MCA 4 th sem.

IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.

Network Layer IP Address.

CCNA4-1 Chapter 7-1 NAT Chapter 11 Routing and Switching (CCNA2)

Presentation on ip spoofing BY

1 CMPT 471 Networking II Multicasting © Janice Regan,

Chapter 05 Exam Review CCNA Discovery 01 – Computer and Network Fundamentals Presented by: Phillip Place Cisco Academy Instructor Lake Michigan College.

IP: Addressing, ARP, Routing

IPv6 101 pre-GDB - IPv6 workshop 7th of June 2016 edoardo

CIS 116 IPv6 Fundamentals 2 – Primer Rick Graziani Cabrillo College

Next Generation: Internet Protocol, Version 6 (IPv6) RFC 2460

Computer Communication and Networking

Instructor Materials Chapter 9: NAT for IPv4

Routing and Switching Essentials v6.0

Introduction to Networking

NET302 Lecture#3 IPV4 Addressing Asma AlOsaimi.

Byungchul Park ICMP & ICMPv DPNM Lab. Byungchul Park

Lecture#5 IPV6 Addressing

Chapter 7: IP Addressing

Chapter 5 Working with IP Addresses

Management Issues in ICMP (Internet Control Message Protocol)

Instructor Materials Chapter 9: NAT for IPv4

Lecture#3 IPV4 Addressing Net 302- Asma AlOsaimi.

Lecture#5 :IPV6 Adressing

Chapter 15. Internet Protocol

Delivering the Data.

Chapter 11: Network Address Translation for IPv4

Lecture#3-IPV4 Addressing

Presentation transcript:

Stateless Source Address Mapping for ICMPv6 Packets X. Li, C. Bao, D. Wing, R. Vaithianathan, G. Huston 2011-11-12

Introduction Normal traffic: ICMP: XLAT H4 H6 R6 R4 Non-IPv4-translatable address 1.1.1.1 2001:db8::2.2.2.2 2001:db8::1 IPv4-translatable address Normal traffic: dst=1.1.1.1 srct=2.2.2.2 dst=2001:db8::1.1.1.1 src=2001:db8::2.2.2.2 ICMPv6 PTB ICMP PTB ICMP: dst=2001:db8::1.1.1.1 src=2001:db8::1 dst=1.1.1.1 srct=???? RFC6145: The IPv6 addresses in the ICMPv6 header may not be IPv4-translatable addresses. … A mechanism by which the translator can instead do stateless translation is left for future work.

Requirements (1) uRPF  cannot use RFC1918 addresses Non-IPv4-translatable address 2001:db8::1 IPv4-translatable address 1.1.1.1 2001:db8::2.2.2.2 H4 R4.1 R4 .2 XLAT R6 H6 ICMPv6 PTB ICMP PTB ICMP: dst=2001:db8::1.1.1.1 src=2001:db8::1 dst=1.1.1.1 srct=10.0.0.1 uRPF  cannot use RFC1918 addresses IPv4 address depletion  hard to use public IPv4 addresses

Requirements (2) 7 IVI H4 H6 8 9 10 11 12 5 4 3 2 1 3.3.3.3 3.3.3.3 X 3.3.3.3 3.3.3.3 3.3.3.3 3.3.3.3 IPv4 recipient of the ICMP message should be able to distinguish between different IPv6 ICMPv6 origination  needs a pool

Recommendation Recommend to drawing an IPv4 /24 prefix from the IANA Special Purpose Address Registry as a "Well-Known Prefix" for use by IPv4/IPv6 translators for the purpose of mapping otherwise untranslatable IPv6 source addresses of ICMPv6 messages to IPv4 ICMP messages. These addresses are for use As the source address of ICMP packets Not as a destination address for any packets

Mapping Algorithms When an IPv4 /24 prefix is allocated to represent the source address of ICMP, the least-significant byte can be generated using one of the following algorithms. Randomly Copy the "Hop Count" in the IPv6 header of the ICMPv6 Hashing of the IPv6 address The selection of the algorithm SHOULD be a configuration function in the IPv4/IPv6 translator. May not generate subnet identifier or broadcast addresses

Routing Considerations As packets passing through the public network need to pass through conventional packet filters, including uRPF filters [RFC3704] The assigned address may be used in routing advertisements Such routing advertisements are non-exclusive and should be accepted from any originating AS in an anycast fashion

Security Considerations The use of an address for source addresses in ICMP error packets is considered "safe" in so far as ICMP packets are not intended to generate responses directed to the source address. However it is possible to use this address as a means of gaining anonymity when launching a denial of service attacks by using this address as the source address for other forms of malicious traffic. Packet firewall filters should be configured discarding All non-ICMP packets that use the IANA-assigned /24 network as a source address All packets that use the IANA-assigned /24 network as a destination address.

IANA Considerations Prefix 192.70.192.0/24 Description: To be used in the context of generating an IPv4 source address for mapped ICMPv6 packets being passed through a stateless IPv4/IPv6 translator. Begin: 2011-06-01 End: Never Purpose: Stateless ICMPv6/ICMP translation Scope: Addresses from the assigned address prefix are intended to be used as source addresses and not as destination addresses in the context of the public network.

Additional discussions

Why not use RFC1918? draft-kirkham-private-ip-sp-cores-07 (Issues with Private IP Addressing in the Internet) discussed a similar situation Conservation of Address Space Effects on Traceroute Effects on Path MTU Discovery Unexpected interactions with some NAT implementations Interactions with edge anti-spoofing techniques Peering using loopbacks DNS Interaction Operational and Troubleshooting issues Security Considerations Which shows that RFC1918 will results in difficulties.

How to handle the DDOS? When setting up the ACL correctly, The network only allows ICMP packets using this block as the source address. No responses will be generated from any network device in the network. However, the ICMP packets using this block as the source address may target some hosts for DDOS attack. Does the anycast root server’s addresses have similar problem? The rate-limit configuration should be used.

It is not traceable Two cases: The attacker is in IPv6 and behind a real IPv4/IPv6 translator Handled in the translator by rate-limiting The attacker is in IPv4 generating ICMP packets using the special block as the source

ISPs need to update their ACLs This methods provides more control for the network administrator. We believe it is worth the effort for the transition If we can move forward, there will be enough time for ISPs to update the filters. No updating is required for “non-default-free” network. The operators still lack the experience of handling a "one-way" special purpose packet that is allowed to leave the link, never mind the AS. We should try.

Alternatives A privately assigned block of public IPv4 addresses from existing space, which can be shared between operators Similar to this Why not use a “global IPv4 unicast address” bound to the translator IPv4 address depletion problem makes it difficult

NAT and looking-glass Is the last hop on this side of the event horizon. just like if there were a firewall or a non-stateful icmp filter. The difference is it happens close to the end host in IPv4 firewall schema, but in stateless IPv4-IPv6 Schema, it maybe happen in somewhere IPv4-IPv6 edge of ISP ( in middle of end hosts). Adding publicly-accessible out-of-band "looking glass" web-server to the IPv6/IPv4 translator May not be easy.

To do Add recommendation for filtering to an appropriate list of ICMP types Allow ICMP type 3 - Destination Unreachable (inc PTB) Allow ICMP type 11 - Time Exceeded My Allow ICMP type 12 - Parameter Problem SHOULD NOT allow any of the various ICMP request messages Add recommendation for rate limiting of traffic from the prefix as additional countermeasure against abuse of this prefix Reverse DNS considerations Help mortal Internet users when they traceroute through an IPv6/v4 translator.