Embedded Connectivity for the Internet of Things: the Necessity of IPv6? DSP Valley VeroTech Seminar, Leuven Wouter Cloetens, SoftAtHome

Transcription

1 Embedded Connectivity for the Internet of Things: the Necessity of IPv6? DSP Valley VeroTech Seminar, Leuven Wouter Cloetens, SoftAtHome 19/11/2013

2 SoftAtHome Provides an open, ubiquitous, carrier class software platform for the digital home; currently running on CPE residential gateways and set-top boxes Helps service providers to deliver advanced services in the digital home Considers IPv6 as strategic on its roadmap Shareholders: Orange, Etisalat, Sagemcom Sites: France: Nanterre Belgium: Wijgmaal UAE: Dubai

3 Embedded Software Development This is what a Livebox looks like to you:

4 Embedded Software Development This is what a Livebox looks like to me:

5 Development Environment All Linux: gateways, set-top boxes, build servers, developer PC's,... Mostly C, some C++, some scripting, HTML5, JavaScript A lot of open source software. Everything from low-level kernel programming to high-level logic An embedded programmer knows that sometimes the hardware may not yet be reliable...

6 IPv4 Address Exhaustion

7 IPv4 Address Exhaustion

8 What is wrong with IPv4? 232 addresses is not enough NAT (Network Address and Port Translation) breaks end-to-end design of Internet Carrier Grade NAT is coming and will break it even more things

9 IPv6: a new protocol Designed in 1998 TCP, UDP, are still the same 2128 addresses. 264 per link Multiple types of addresses: Link-Local Address always present, but not usable for everything Globally Unique Address better, more standard address assignment than IPv4 Unique Local Address usable when there is no route to the Internet DNS: AAAA records DHCP is dead. Long live DHCP!

10 IPv6 addresses IPv4 size 32 bits notation dotted-decimal prefix IPv6 128 bits hexadecimal 2001:0db8:0000:0000: 0000:0000:0000:0001 CIDR: / :0db8:1234::/64 smallest prefix /64

11 IPv6 protocol header Cisco

12 IPv6 notable improvements over IPv4 a lot of junk removed from header extension headers for optional features routers do not fragment; only endpoints minimum network MTU: 1280

13 IPv4 and IPv6 in your network IPv4 and IPv6 are different protocols In your network: Dual Stack Both IPv4 and IPv6 addresses IPv4 and IPv6 DNS hostnames Address assignment: SLAAC for hosts (EUI-64 and/or Privacy Extensions) Static addresses for a servers and routers Extra information: DHCPv6 Information-Request Or both: DHCPv6 address assignment (IA_NA)

14 Porting a network application to IPv6 Storing an address: 32 bits is not enough DNS lookup: getaddrinfo(), getnameinfo() Fall-back from IPv6 to IPv4 Text representation of IP addresses: Colon-separated hexadecimal instead of dotted decimal For comparison, sorting: normalise! These addresses are the same: 2001:5ABE:3609:34E6:0000:0000:0000: :5ABE:3609:34E6:: :5abe:3609:34e6::30 URL format:

15 IPv6 address types ::1/128 fe80::/64 loopback Link-Local Address EUI-64: fe80::120b:a8ff:fe5c:6017/64 MAC: 12:0b:a8: 5c:60:17 fc00::/7 ff00::/8 ::ffff:0:0/96 Unique Local Address multicast v4-mapped ::ffff: other Globally Unique Address 2a02:1800:100::44:2

16 IPv6: new complexities Multiple routers can coexist multiple GUA's Multiple addresses on the host Multiple addresses, IPv6 and IPv4 try them all, in which order? Firewall: Port forwarding is replaced by pinholing Education of firewall administrators: do not drop ICMP What happens if I put a router behind another router? How do I use get to my service at home by hostname? Homenet working group of IETF

17 Myth #1: IPv6 has security built in IPv6 automatically does IPSec No it doesn't. The RFC recommends that an IPv6 implementation should implement IPSec. Same configuration complexity for IPSec as IPv4: authentication, key exchange, rekeying,...

18 Myth #2: IPv6 is less secure than NAT Any IPv6 host can be addressed from the Internet. Inbound connections to NATed hosts are impossible because devices behind the NAT router cannot be addressed. unless if the attacker is in the middle of the connection unless if the attacker can spoof the IP address of a host on the Internet and guess a source port, maybe TCP sequence number Actually: inbound connections to LAN hosts are blocked by the router because it performs stateful packet inspection (SPI), and this works just as well for IPv6.

19 Xbox One P2P gaming demands end to end connectivity, and low latency Current solution: port forwarding (UPnP IGD) or STUN port forwarding no longer work with CGN's performing double NAT CGN's add latency Xbox One solution: IPv6 prefer native IPv6 (with IPSec) if all players have IPv6 - IPv6 firewalls should allow unsolicited inbound IPSec traffic use Teredo if there are players without native IPv6: - IPv4 UDP encapsulated IPv6 packet Microsoft

20 IPv6 and multicast There is no broadcast in IPv6! Multicast is extensively used: IPv4 IPv6 IP MAC ARP broadcast ND/NA multicast ICMPv6 router address, MTU, DNS DHCP broadcast RS/RA multicast ICMPv6 DNS, NTP,... DHCP broadcast DHCPv6 multicast UDP Network hardware/drivers must support many multicast link-layer addresses efficiently Layer 2 network protocols must handle multicast reliably. Wireless LAN (802.11): multicast from access points to clients is unreliable...

21 IPv4 and IPv6 in the access network Dual Stack Prefix delegation via DHCPv6 (IA_PD) Router management WAN address: numbered: - SLAAC - DHCPv6 address assignment or unnumbered: - no GUA needed on the WAN! Router LAN address is public But: Not all links support IPv6. Old ADSL DSLAM's, most 3G links...

22 IPv6 Rapid Deployment (6rd) IPv6 tunnelled in IPv4, configured via DHCPv4 IPv6 address contains IPv4 address 2012 Cisco

23 DS-Lite IPv4 tunnelled in IPv6 to CGN No more IPv4 address! 2012 Cisco

24 Mapping of Address and Port Encapsulation Mode (MAP-E) IPv4 tunnelled in IPv6, configured via DHCPv4 IPv6 address contains IPv4 address and port range 2012 Cisco

25 Address Family Translation NAT64: IPv6 translated to IPv4 by router DNS64: DNS returns AAAA records for A host 2012 Cisco

26 Internet Of Things M2M: the machines are taking over!

27

28

29 IPv6 and M2M IETF standard 6LowPAN for use on top of IEEE wireless protocol/radios IPv6 optimised for low power devices, and lossy, low-bitrate networks protocol header compression (IEEE MTU is 127 bytes!) automatic address assignment from IPv6 reduce use of multicast, support sleeping nodes support meshed network topology

30 IPv4 and IPv6 in the NOC Reverse proxies translating IPv6 to IPv4 Redpill Linpro

31 IPv4 and IPv6 in the NOC Reverse proxies translating IPv4 to IPv6: Stateless IP/ICMP Translation IPv6 only servers! IPv4 addresses translated to a small network subnet Redpill Linpro

32 The Future is Forever

33 81, avenue françois arago nanterre france This page intentionally left green.