Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stateless Source Address Mapping for ICMPv6 Packets

Published byMagdalen Lee Modified over 6 years ago

Similar presentations

Presentation on theme: "Stateless Source Address Mapping for ICMPv6 Packets"— Presentation transcript:

1 Stateless Source Address Mapping for ICMPv6 Packets
X. Li, C. Bao, D. Wing, R. Vaithianathan, G. Huston

2 Introduction Normal traffic: ICMP:
XLAT H4 H6 R6 R4 Non-IPv4-translatable address 2001:db8:: 2001:db8::1 IPv4-translatable address Normal traffic: dst= srct= dst=2001:db8:: src=2001:db8:: ICMPv6 PTB ICMP PTB ICMP: dst=2001:db8:: src=2001:db8::1 dst= srct=???? RFC6145: The IPv6 addresses in the ICMPv6 header may not be IPv4-translatable addresses. … A mechanism by which the translator can instead do stateless translation is left for future work.

3 Requirements (1) uRPF  cannot use RFC1918 addresses
Non-IPv4-translatable address 2001:db8::1 IPv4-translatable address 2001:db8:: H4 R4.1 R4 .2 XLAT R6 H6 ICMPv6 PTB ICMP PTB ICMP: dst=2001:db8:: src=2001:db8::1 dst= srct= uRPF  cannot use RFC1918 addresses IPv4 address depletion  hard to use public IPv4 addresses

4 Requirements (2) 7 IVI H4 H6 8 9 10 11 12 5 4 3 2 1 X IPv4 recipient of the ICMP message should be able to distinguish between different IPv6 ICMPv6 origination  needs a pool

5 Recommendation Recommend to drawing an IPv4 /24 prefix from the IANA Special Purpose Address Registry as a "Well-Known Prefix" for use by IPv4/IPv6 translators for the purpose of mapping otherwise untranslatable IPv6 source addresses of ICMPv6 messages to IPv4 ICMP messages. These addresses are for use As the source address of ICMP packets Not as a destination address for any packets

6 Mapping Algorithms When an IPv4 /24 prefix is allocated to represent the source address of ICMP, the least-significant byte can be generated using one of the following algorithms. Randomly Copy the "Hop Count" in the IPv6 header of the ICMPv6 Hashing of the IPv6 address The selection of the algorithm SHOULD be a configuration function in the IPv4/IPv6 translator. May not generate subnet identifier or broadcast addresses

7 Routing Considerations
As packets passing through the public network need to pass through conventional packet filters, including uRPF filters [RFC3704] The assigned address may be used in routing advertisements Such routing advertisements are non-exclusive and should be accepted from any originating AS in an anycast fashion

8 Security Considerations
The use of an address for source addresses in ICMP error packets is considered "safe" in so far as ICMP packets are not intended to generate responses directed to the source address. However it is possible to use this address as a means of gaining anonymity when launching a denial of service attacks by using this address as the source address for other forms of malicious traffic. Packet firewall filters should be configured discarding All non-ICMP packets that use the IANA-assigned /24 network as a source address All packets that use the IANA-assigned /24 network as a destination address.

9 IANA Considerations Prefix 192.70.192.0/24
Description: To be used in the context of generating an IPv4 source address for mapped ICMPv6 packets being passed through a stateless IPv4/IPv6 translator. Begin: End: Never Purpose: Stateless ICMPv6/ICMP translation Scope: Addresses from the assigned address prefix are intended to be used as source addresses and not as destination addresses in the context of the public network.

10 Additional discussions

11 Why not use RFC1918? draft-kirkham-private-ip-sp-cores-07 (Issues with Private IP Addressing in the Internet) discussed a similar situation Conservation of Address Space Effects on Traceroute Effects on Path MTU Discovery Unexpected interactions with some NAT implementations Interactions with edge anti-spoofing techniques Peering using loopbacks DNS Interaction Operational and Troubleshooting issues Security Considerations Which shows that RFC1918 will results in difficulties.

12 How to handle the DDOS? When setting up the ACL correctly,
The network only allows ICMP packets using this block as the source address. No responses will be generated from any network device in the network. However, the ICMP packets using this block as the source address may target some hosts for DDOS attack. Does the anycast root server’s addresses have similar problem? The rate-limit configuration should be used.

13 It is not traceable Two cases:
The attacker is in IPv6 and behind a real IPv4/IPv6 translator Handled in the translator by rate-limiting The attacker is in IPv4 generating ICMP packets using the special block as the source

14 ISPs need to update their ACLs
This methods provides more control for the network administrator. We believe it is worth the effort for the transition If we can move forward, there will be enough time for ISPs to update the filters. No updating is required for “non-default-free” network. The operators still lack the experience of handling a "one-way" special purpose packet that is allowed to leave the link, never mind the AS. We should try.

15 Alternatives A privately assigned block of public IPv4 addresses from existing space, which can be shared between operators Similar to this Why not use a “global IPv4 unicast address” bound to the translator IPv4 address depletion problem makes it difficult

16 NAT and looking-glass Is the last hop on this side of the event horizon. just like if there were a firewall or a non-stateful icmp filter. The difference is it happens close to the end host in IPv4 firewall schema, but in stateless IPv4-IPv6 Schema, it maybe happen in somewhere IPv4-IPv6 edge of ISP ( in middle of end hosts). Adding publicly-accessible out-of-band "looking glass" web-server to the IPv6/IPv4 translator May not be easy.

17 To do Add recommendation for filtering to an appropriate list of ICMP types Allow ICMP type 3 - Destination Unreachable (inc PTB) Allow ICMP type 11 - Time Exceeded My Allow ICMP type 12 - Parameter Problem SHOULD NOT allow any of the various ICMP request messages Add recommendation for rate limiting of traffic from the prefix as additional countermeasure against abuse of this prefix Reverse DNS considerations Help mortal Internet users when they traceroute through an IPv6/v4 translator. 

Download ppt "Stateless Source Address Mapping for ICMPv6 Packets"

Similar presentations

TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.

TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.

IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by 2008. Solution: Design a new IP with a larger address space, called the IP version.

1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Introduction to IPv4 Introduction to Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Introduction to IPv4 Introduction to Networks.
Addressing the Network IPv4

Addressing the Network IPv4
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
IPv6 Network Security.

IPv6 Network Security.
2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College

2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
思科网络技术学院理事会. 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

思科网络技术学院理事会. 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.

Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.
IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker 2008-11-17.

IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker
1 Chapter Overview IP (v4) Address IPv6. 2 IPv4 Addresses Internet Protocol (IP) is the only network layer protocol with its own addressing system and.

1 Chapter Overview IP (v4) Address IPv6. 2 IPv4 Addresses Internet Protocol (IP) is the only network layer protocol with its own addressing system and.
Types of Addresses in IPv4 Network Range

Types of Addresses in IPv4 Network Range

Similar presentations

Ads by Google