ICMPv6 Echo Replies for Teredo Clients. draft-denis-icmpv6-generation-for-teredo-00, behave, IETF#75 Stockholm, Teemu Savolainen.

Presentation transcript:

1 ICMPv6 Echo Replies for Teredo Clients
draft-denis-icmpv6-generation-for-teredo-00
behave, IETF#75 Stockholm
Teemu Savolainen / Nokia, Rémi Denis-Courmont / Nokia

2 Teredo and ICMPv6
- Teredo, as per RFC4380, uses return routing and ICMPv6 to discover the closest Teredo relay corresponding to any given peer
- Unanswered ICMPv6 Echo Requests make connection creation fail as Teredo client assumes peer is unreachable
- ICMPv6 Echo Request/Reply is assumed to work through Internet, if a peer is reachable

3 When ICMPv6 Echo Reply may be missing
Two scenarios are identified in which ICMPv6 Echo Replies may be missing:
1. Protocol translation
   - ICMPv4 is routinely firewalled, even if the host (server) is otherwise reachable. It is assumed that ICMPv6 is firewalled less, especially between Teredo client and protocol translator
   - A protocol translator translates ICMPv6 into ICMPv4, from a less firewalled into a more firewalled domain, and by so doing contributes to the problem
2. IPv6 Firewall
   - An IPv6 firewall may be configured to block ICMPv6 messages, thus blocking reachability tests and making the Teredo client assume the peer is unreachable
   - This can be the case even if the IPv6 firewall would let UDP/TCP through

4 Illustration of related network setups
[Diagram; element labels as they appear on the slide]
1. Protocol translator translating between two domains: IPv6 Internet or network; Teredo relay; NAT64; IPv4 Internet or network; Host using Teredo over IPv4; Peer not replying to ICMPv4
2. IPv6 firewall blocking ICMPv6: IPv6 Internet or network; Teredo relay; IPv6 Firewall; IPv6 Internet or network; Host using Teredo over IPv4; Peer; FW blocking ICMPv6

5 Possible remedies
- Host address selection rule: If destination has both A and AAAA records (and especially if AAAA is synthesized!), prefer (private) IPv4 source addresses over Teredo
- Host Teredo implementation change: Modify Teredo host to continue connecting even in case of missing ICMPv6 Echo Reply, but a new route discovery mechanism would be needed
- Middlebox change:
  1. Protocol Translator: Generate ICMPv6 Echo Replies if it is detected that ICMPv6 Echo Replies are not received for Teredo-originated (2001:0000::/32) ICMPv6 Echo Requests
  2. IPv6 firewall: Generate ICMPv6 Echo Replies for Teredo-originated requests, if by policy the firewall would allow other (TCP/UDP) traffic to flow through, or simply let ICMPv6 pass
- Note! Assuming middlebox is on the reverse path as well
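
The IPv6 firewall remedy above, sketched as an added example (not code from the draft or its authors): a decision function that answers an Echo Request on the peer's behalf only when the source is in 2001:0000::/32 and policy would pass TCP/UDP to that peer. The function names, the policy flag and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001:0000::/32")  # Teredo prefix as given on the slide
ECHO_REQUEST, ECHO_REPLY, NEXT_HEADER_ICMPV6 = 128, 129, 58  # RFC 4443 / IANA values

def icmpv6_checksum(src, dst, msg):
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(msg), NEXT_HEADER_ICMPV6))
    data = pseudo + msg + (b"\x00" if len(msg) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(msg_type, src, dst, ident, seq, payload):
    """Build an ICMPv6 echo message (hypothetical helper) with a valid checksum."""
    head = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmpv6_checksum(src, dst, head + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload

def firewall_echo_reply(src, dst, msg, policy_allows_tcp_udp):
    """Return (reply_src, reply_dst, reply_bytes), or None when no reply is generated."""
    if len(msg) < 8 or msg[0] != ECHO_REQUEST or msg[1] != 0:
        return None                      # not an Echo Request
    if ipaddress.IPv6Address(src) not in TEREDO_PREFIX:
        return None                      # only Teredo-originated requests qualify
    if not policy_allows_tcp_udp:
        return None                      # peer is not reachable by policy: stay silent
    if icmpv6_checksum(src, dst, msg) != 0:
        return None                      # a valid message sums to zero; drop corrupt ones
    ident, seq = struct.unpack("!HH", msg[4:8])
    # Reply on the peer's behalf: addresses swapped, identifier/sequence/data echoed back.
    return dst, src, build_echo(ECHO_REPLY, dst, src, ident, seq, msg[8:])

# Constructed sample: a Teredo client probing a peer behind the firewall.
CLIENT, PEER = "2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::10"
REQUEST = build_echo(ECHO_REQUEST, CLIENT, PEER, 0x1234, 1, b"teredo-probe")

if __name__ == "__main__":
    print(firewall_echo_reply(CLIENT, PEER, REQUEST, True))
    print(firewall_echo_reply(CLIENT, PEER, REQUEST, False))
```

Tying the reply to the TCP/UDP policy decision keeps the generated Echo Reply from advertising reachability for peers the firewall would not otherwise expose.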

6 Questions
- Are the assumptions made valid?
- Is the problem real (even if corner-case)?
- Should there be a fix specified?
- How to proceed with I-D (Informational, PS, include in NAT64 work, in behave WG, individual submission)?