IPv6: The Ins and Outs

Chris Buechler [email protected]

About Me

•  Co-founder and CTO of BSD Perimeter LLC
   – Corporate arm of pfSense project
•  15 years’ IT experience
•  Former IT Manager at public accounting firm

Overview

•  IPv6 Overview
•  The need for IPv6
•  IPv6-Enabled Technologies
•  Migration concerns and paths
•  Configuring IPv6 on routers
•  Configuring IPv6 on Windows
•  Configuring IPv6 on firewalls
•  Questions & Answers

Credits

Thanks to the following for sharing ideas and real world experience.

•  Seth Mos
•  Bjoern Zeeb

IPv6 Overview

•  Next generation of the Internet Protocol - IPng
•  First standard in 1995 – RFC 1883
•  What happened to IPv5?

New Terminology

•  Stateless autoconfiguration
•  Dual stack
•  Neighbor Discovery Protocol
•  Native IPv6

IPv6 Overview

•  “IPv6 is expected to replace the current … IPv4 for nearly all Internet traffic by 2008.” – PC World July 1, 2003

•  August 2011 – less than 0.01% of all Internet traffic is IPv6

•  But – the time has really come now

IPv6 Overview – Current Usage

http://asert.arbornetworks.com/2011/04/six-months-six-providers-and-ipv6/

IPv6 Overview – Current Usage

IPv6 – 2.1 GB/day 1.3% of traffic

IPv4 – 151 GB/day 98.7% of traffic

IPv6 Overview – Current Usage

IPv6 – ~10 GB/month 8.3% of traffic

IPv4 – ~110 GB/month 91.7% of traffic

The Need for IPv6

•  Larger address space
   – IPv4 has 2^32 addresses – ~4.3 billion
   – IPv6 has 2^128 addresses – ~340 undecillion
      •  340,282,366,920,938,463,463,374,607,431,768,211,456
   – Final IPv4 space assigned by IANA to RIRs in February 2011
   – Complete IPv4 exhaustion worldwide by 2014-2015 at latest

The Need for IPv6

http://www.potaroo.net/tools/ipv4/plotend.png

IPv6 IP assignments

•  Most common IPv4 subnet /24 (255.255.255.0) – 254 hosts

•  Typical recommended IPv6 subnet a /64 – 18,446,744,073,709,551,616 IPs

•  Recommended assignment for business a /48 – 65536 /64 subnets

IPv6 IP assignments

•  Private addressing
   – RFC 1918 in IPv4
   – Unique Local Addresses (ULA) in IPv6
      •  RFC 4193
      •  fc00::/7
      •  Must randomly generate subnet
   – Not necessary
•  NAT a thing of the past (to some extent)
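
An added example (not from the original slides) for the ULA and /48 points above: it builds a random RFC 4193 /48 under fd00::/8 and carves numbered /64 LAN subnets from it. The function names are hypothetical, and timestamp plus OS randomness is an assumed stand-in for the time-plus-EUI-64 input in RFC 4193's sample algorithm.

```python
import hashlib
import ipaddress
import os
import time


def generate_ula_prefix(entropy=None):
    """Return a random RFC 4193 ULA /48 as an ipaddress.IPv6Network.

    Layout: 8 bits 0xfd (fc00::/7 with the L bit set) + 40-bit Global ID.
    """
    if entropy is None:
        # Assumption: timestamp + OS randomness replaces the time + EUI-64
        # input suggested by the sample algorithm in RFC 4193 section 3.2.2.
        entropy = time.time_ns().to_bytes(8, "big") + os.urandom(8)
    global_id = hashlib.sha1(entropy).digest()[-5:]  # least significant 40 bits
    packed = bytes([0xFD]) + global_id + bytes(10)   # 1 + 5 + 10 = 16 bytes
    return ipaddress.IPv6Network((packed, 48))


def lan_subnet(prefix48, subnet_id):
    """Return the /64 with the given 16-bit subnet ID inside a /48."""
    if prefix48.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits (65536 /64s per /48)")
    base = int(prefix48.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


if __name__ == "__main__":
    site = generate_ula_prefix()
    print("site prefix:", site)
    for name, sid in (("LAN", 0x0), ("DMZ", 0x10), ("VPN", 0xFF)):
        print(f"{name:4} {lan_subnet(site, sid)}")
```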

Barriers to Adoption

•  Lack of ISP support
•  Lack of CPE support
•  Problems with broken clients
•  Lacking knowledge

Connectivity Options

•  Native IPv6 connectivity
•  Tunneling
   – Tunnelbroker.net, many others
   – Performance considerations

Google – 35-40 ms IPv4, 90 ms tunneled IPv6
Facebook – 50 ms IPv4, 120 ms tunneled IPv6

IPv6 and Firewalls

•  Understand the capabilities of your firewall
   – Lesser security than IPv4?
•  Don’t necessarily trust your vendor’s answer
•  Upgrade as needed
•  Understand the vendor-specific configuration for IPv6
•  Configure interconnect with ISP (usually /64, may be /120)
•  Subnet LAN-side addresses and configure LAN-side IP

IPv6 and Routers

•  WAN-focused
•  Router support
   – All features you’re using covered?
   – Performance equivalent or close?
•  Provider support

Interoperability Concerns

•  Large number of proposed interoperability solutions
   – 14 current, 3 drafts, several deprecated
   – Mostly applicable at the carrier/ISP level
•  Dual stack typical for business networks
•  Proxy servers

Fun with hexadecimal addressing

www.v6.facebook.com [2620:0:1cfe:face:b00c::3]

9 128 ms 129 ms 131 ms 2620:0:1cff:dead:beef::85

10 129 ms 129 ms 128 ms 2620:0:1cff:dead:beef::10

IPv6 and Windows XP/2003

•  Supported, not installed by default
•  No DHCPv6 support
•  Install and enable IPv6
•  Statically address servers

IPv6 and Windows 7/2008

•  Enabled by default
•  Bring up a router/firewall issuing router advertisements and *poof* - you have IPv6
•  Statically address servers
•  Configure and enable a DHCPv6 server

IPv6 Security Challenges

•  Same stuff, different layer 3 protocol
•  Same attacks, new methods
   – NDP exhaustion attacks
   – Router Advertisement spoofing
•  Lesser or absent support in existing security products
   – Firewalls, IDS/IPS, SIM/SIEM, vulnerability scanners, switches
•  Commonly used “IP blacklists” as we know them and similar IP-based controls impossible with IPv6
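
An added example (not from the original slides) of why per-address lists stop working: a single IPv6 LAN is a /64, so one source can show up under many addresses. The code keys entries on the /64 instead; the log events, function names and threshold are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: (source address, result) pairs from an auth log.
# 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.
EVENTS = [
    ("192.0.2.10", "fail"), ("192.0.2.10", "fail"), ("192.0.2.10", "fail"),
    ("2001:db8:aa:1:3c1f:9d02:77ab:1", "fail"),
    ("2001:db8:aa:1:a4e0:11ff:fe22:9", "fail"),
    ("2001:db8:aa:1::beef", "fail"),
    ("2001:db8:bb:7::25", "fail"),
    ("2001:db8:bb:7::25", "ok"),
]


def block_key(addr, v6_prefix=64):
    """Map a source address to the network a block entry should cover."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is an IPv4 client on a dual-stack socket
    if ip.version == 4:
        return ipaddress.IPv4Network((ip, 32))
    return ipaddress.IPv6Network((ip, v6_prefix), strict=False)


def offenders(events, threshold=3, v6_prefix=64):
    """Return networks with at least `threshold` failures, sorted by text form."""
    counts = Counter(block_key(a, v6_prefix) for a, result in events
                     if result == "fail")
    return sorted((n for n, c in counts.items() if c >= threshold), key=str)


if __name__ == "__main__":
    print("per-address (/128):", [str(n) for n in offenders(EVENTS, v6_prefix=128)])
    print("per-LAN (/64):     ", [str(n) for n in offenders(EVENTS)])
```

A /64 entry also covers every other host on that LAN, so expiry and allowlisting matter more than with IPv4 /32 entries.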

IPv6 Security Challenges

•  Changes in vulnerability assessment techniques
•  Changes in black hat techniques for compromising hosts

Preparing for IPv6 Deployment

•  Update/create network inventory
   – Client and server operating systems
   – Firewalls, VPNs, switches, routers, NAS, etc.
   – Outside hosted solutions
      •  Web hosting
      •  Email hosting
      •  Anti-spam

Biggest “Gotchas” Encountered

•  Adding AAAA records causing connectivity failures for some hosts.

•  Adding AAAA records causing some applications to break

Immediate Action Items

•  Staff training
•  Evaluate current hardware and software compatibility
•  Contact ISP(s) and WAN providers regarding support
•  Contact outsourced providers (web hosting, SaaS, etc.) regarding support
•  Set up test environment

When to Deploy IPv6

•  Native or equivalent connectivity available
•  All services, applications and hardware tested and validated
•  Staff up to speed

When will IPv4 go away?

•  Ideally want to get back to one protocol
•  IPv4 will live on for a very long time
•  Impossible to say

Questions


Thank you for attending!

Contact: [email protected]