IPv6 Investigation: Progress to December 2015


IPv6 investigation areas
- Initial questions
- DNS
- Edge switches
- Core switches and routing
- iptables
- Linux routing
- (DHCP is a followup project)

DNS
- Development meeting decided no need to link IPv4 and IPv6 addresses
- New tool written to make forward/reverse zone creation simpler
- rfe dns/inf6
- Simple syntax, described in the file as well as in the final report
- Forward (inf.ed.ac.uk) zone is being populated
- Reverse zones are being created but haven’t been delegated to our NS yet

Edge switches
- RA parameters set per-VLAN
- RA enabled on switches doing IPv6 forwarding
- Disabled everywhere else (though configured where possible)
- RA-guard enabled on all untrusted ports
- Manager-addrs list can now take IPv6 addresses. Set by hand for now to avoid security holes. Will be done through the tools later.
- MLD-snooping to come

Core switches and routing
- core[012], atc[01], cs[01] are all now doing IPv6 routing.
- All have addresses on some carefully-chosen VLANs
- Speaking OSPFv3 (not authenticated)
- Inf-unit instructions written based on the first couple and debugged on the rest

iptables
- Component was mostly already there
- Existing rules audited for IPv6-safety, and new ones created where necessary
- All “generating” files (“g.*”) now test for IPv6 and adjust their output accordingly
- Rules are in. Not running everywhere yet, as turning them on will cause some IPv6 addresses to appear – it’s slightly too early for that yet.

Linux routing
- Using BIRD, as quagga doesn’t appear to do OSPFv3 areas
  - That may not actually be a problem if we speak BGP to the EdLAN routers
- Component written, and running on test routers
- Should support IPv4 too, though not tested yet
- SL6 only for now, with the component starting the daemons
  - But written with init and/or systemd in mind

Still To Do
- EdLAN
  - Routing protocols
  - ABRs
  - Turn it on!
- Extend testing to all managed machines
- Auditing tools
- Another blog article

Follow-on projects
- DHCP for IPv6
  - Too big a job to incorporate into an investigation
  - Not really an investigation any more anyway!
  - Spread the knowledge
- Self-managed machines
  - Depends on DHCP and audit tools

Implications 1
- SL6 machines (mostly) have IPv6 disabled
- SL7 machines have IPv6 enabled
  - So any on a VLAN on which RA has been enabled (32, 33, 202, 216 so far) will acquire global IPv6 addresses
  - They may try to use these to speak to the outside
  - This won’t work until we have external routing going, but should be generally OK after that
  - /etc/gai.conf will need some tweaks to suit

Implications 2
- If you want to advertise your machine over IPv6 then you will need to add a DNS entry for it
  - There is one DNS namespace with both IPv4 and IPv6 addresses merged together
  - Setting a static IPv6 address on a machine is currently inconvenient (MPU?)
- If there’s no IPv6 entry in our DNS then nothing outside will know to speak to an IPv6-enabled machine
  - Including any (SL7) which have autoconfigured as a result of seeing RA multicasts
- Once there is an IPv6 address added for a machine then it’s fair game for any service on that machine
  - You can’t pick and choose
  - Edge filter holes will be automatically created
  - Expect to see about 10% native IPv6

Implications 3
- TEST your services with IPv6!
  - The outside world won’t distinguish between IPv4 and IPv6, and will expect both to Just Work
- Any local access controls should be reviewed to ensure they are IPv6-friendly
  - IPv4 and IPv6 may work independently
  - “ /16 = EdLAN” will be broken
- Beware of “old methods” which undo your IPv6 settings
- Once we enable IPv6 for self-managed machines, they will start to use it to speak to you too
- Once IPv6 is enabled on your machine, IPv4 and IPv6 have equal status so far as everyone else is concerned.
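
The access-control review point above, as an added example that is not part of the original slides: an IPv4-only "/16 = local" test set beside a family-aware check, plus an audit helper that lists the peers on which the two disagree. The prefixes `10.0.0.0/16` and `2001:db8::/32`, the function names and the sample peers are all constructed placeholders; the slides do not give the real values.

```python
import ipaddress

# Constructed placeholders: the slides do not give the real prefixes.
SITE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/16"),    # stands in for the site's IPv4 /16
    ipaddress.ip_network("2001:db8::/32"),  # documentation prefix, stands in for the IPv6 allocation
]

def legacy_is_site(addr: str) -> bool:
    """IPv4-only check of the kind the slide warns about: string match on the /16."""
    return addr.startswith("10.0.")

def normalise(addr: str):
    """Parse a peer address and unwrap the IPv4-mapped form (::ffff:a.b.c.d)
    that a dual-stack listening socket reports for IPv4 clients."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop URL brackets and zone id
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_site(addr: str, networks=SITE_NETWORKS) -> bool:
    """Family-aware check: one allow-list holding both IPv4 and IPv6 prefixes."""
    try:
        ip = normalise(addr)
    except ValueError:
        return False  # unparseable peers are never treated as local
    return any(ip.version == net.version and ip in net for net in networks)

def audit(peers):
    """Return the peers on which the legacy and family-aware checks disagree."""
    return [p for p in peers if legacy_is_site(p) != is_site(p)]

# Constructed sample peers, as a service might log them.
SAMPLE_PEERS = [
    "10.0.1.5",          # site IPv4
    "::ffff:10.0.1.5",   # same client seen through a dual-stack socket
    "2001:db8:1::5",     # site client over native IPv6
    "2001:db9::1",       # off-site IPv6
    "10.1.0.1",          # off-site IPv4
]

if __name__ == "__main__":
    for peer in audit(SAMPLE_PEERS):
        print(f"{peer}: legacy={legacy_is_site(peer)} dual-stack={is_site(peer)}")
```

Running `audit` over a service's real peer log shows which clients would change treatment once the host gains an IPv6 address.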

Bedtime reading … is linked from the project’s index page