IPv6 and DNS. Secure64



Similar documents
IPv6 and DNS. Secure64

Secure64. Use cases for DNS64/NAT64

Use Domain Name System and IP Version 6

Reverse DNS considerations for IPv6

464XLAT: Breaking Free of IPv4. APRICOT 2014

464XLAT: Breaking Free of IPv4. T-Mobile.com NANOG 61 June 2014

IPv6 support in the DNS

About the Technical Reviewers

APNIC IPv6 Deployment

DOMAIN NAME SECURITY EXTENSIONS

464XLAT in mobile networks

IPv6 Support in the DNS. Workshop Name Workshop Location, Date

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

dnsperf DNS Performance Tool Manual

DNS Conformance Test Specification For Client

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

VDE Tagung Mobilkommunikation 2014, Osnabruck

Recommendations for dealing with fragmentation in DNS(SEC)

NANOG DNS BoF. DNS DNSSEC IPv6 Tuesday, February 1, 2011 NATIONAL ENGINEERING & TECHNICAL OPERATIONS

Internet Engineering Task Force. Intended status: Experimental Expires: September 6, 2012 March 5, 2012

DNS at NLnet Labs. Matthijs Mekking

IPV6 SERVICES DEPLOYMENT

Linux as an IPv6 dual stack Firewall

Networking Domain Name System

Enterprise Architecture Office Resource Document Design Note - Domain Name System (DNS)

SIIT-DC: IPv4 Service Continuity for IPv6 Data Centres. Tore Anderson Redpill Linpro AS RIPE69, London, November 2014

SIIT-DC: IPv4 Service Continuity for IPv6 Data Centres. Tore Anderson Redpill Linpro AS 8th Belgian IPv6 Council, Bruxelles, November 2015

SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Centre Environments & SIIT-DC: Dual Translation Mode

Deployment Guide A10 Networks/Infoblox Joint DNS64 and NAT64 Solution

IPV6 FRAGMENTATION. The Case For Deprecation. Ron Bonica NANOG58

IPv6-Only. Now? Sites. Deutscher IPv6 Kongress June 6/7, 2013 Fr ankfur t /Ger many. Holger.Zuleger@hznet.de

How do I get to

Firewalls und IPv6 worauf Sie achten müssen!

Joe Davies. Principal Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group June 1, 2011

Updates to Understanding IPv6

Firewalls. Pehr Söderman KTH-CSC

IPv6-only hosts in a dual stack environnment

Domain Name System (DNS) Fundamentals

IPv6 in Axis Video Products

Status of IPv6 Rollout at Swisscom. Martin Gysi, public

Description: Objective: Attending students will learn:

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.

LAN TCP/IP and DHCP Setup

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Defending against DNS reflection amplification attacks

Ecdysis: Open-Source DNS64 and NAT64

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

Debugging With Netalyzr

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

ISP Systems Design. ISP Workshops. Last updated 24 April 2013

Chapter 4 Customizing Your Network Settings

DEPLOYMENT GUIDE Version 1.4. Configuring IP Address Sharing in a Large Scale Network: DNS64/NAT64

Networking Domain Name System

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

Real World IPv6 Migration Solutions. Asoka De Saram Sr. Director of Systems Engineering, A10 Networks

Firewall Firewall August, 2003

Understand Names Resolution

IPv4/IPv6 Transition Using DNS64/NAT64: Deployment Issues

IPv6 Troubleshooting for Helpdesks

Campus IPv6 connection Campus IPv6 deployment

ZyWALL USG ZLD 3.0 Support Notes

Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015

CSC574 - Computer and Network Security Module: Firewalls

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010


Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

NAT Tutorial. Dan Wing, IETF78, Maastricht July 25, 2010

DNS and DHCP. 14 October 2008 University of Reading

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Technical Support Information Belkin internal use only

Enabling NAT and Routing in DGW v2.0 June 6, 2012

Network Infrastructure Under Siege

Building a Linux IPv6 DNS Server

Multi-Homing Security Gateway

Operational Problems in IPv6: Fallback and DNS issues

Public-Root Name Server Operational Requirements

IPv4 and IPv6: Connecting NAT-PT to Network Address Pool

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

An Architecture View of Softbank

8.2 The Internet Protocol

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

DNS Resolving using nslookup

IPv6.marceln.org.

Basic IPv6 WAN and LAN Configuration

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley

Windows 7 Resource Kit

Discovering IPv6 with Wireshark. presented by Rolf Leutert

Guideline for setting up a functional VPN

Transcription:

IPv6 and DNS Secure64

About me Stephan Lagerholm Director and Founder of TXv6TF. Secure64 Software Corp. Sponsor of the event. Agenda: DNS and IPv6 basics DNS64 (RFC 6147) 464XLAT (RFC 6877) Heuristic discovery of DNS64 prefix (RFC 7050) Reverse Delegation and IPv6 (draft-howard-isp-ip6rdns-06) IPv6 and small packets Denial of Service attacks over IPv6 (a future look into what will come) 1

Before we begin as always Deployment is minimal, Texas Universities: 4/107 (4/107, 1/107) Texas AM Sam Houston State University University of Houston University of Texas of the Permian Basin Texas Corporations: 3/30 (2/30, 0/30) AT&T Texas Instrument Baker Hughes Texas Counties: 3/233 (1/233, 2/233) Brewster, Kerr and Angelina county. 2

DNS and IPv6 LAN Internet Recursive DNS Authority DNS One A and one AAAA query Client prefers IPv6 over IPv4 Twice the load on the DNS 3

History of DNS and IPv6 Some attempts did not work that very well: A6 records (use AAAA instead) Ip6.int (use ip6.arpa instead) NAT-PT (use NAT64 instead) 4

Independent queries (default config) AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 Recursive DNS AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 A recursive DNS server will typically favor the fastest responding server based on RTT 5

Filter-AAAA-on-v4-transport AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 Recursive DNS AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 Unless the client can prove that he speaks IPv6 we are not going to send him to IPv6 sites. This setup is becoming increasingly rare. 6

DNS64 Moves a network directly to IPv6 without having to deploy dual stack Is one of many transition technologies to IPv6 Allow IPv6 only clients to access IPv4 only content Defined in RFC Requires both DNS64 and NAT64 devices deloyed in the network to work There are issues with IPv4 literals Can be combined with Dual Stack or other standards. 7

NAT64 / DNS64 Under The Hood Client DNS64 Authoritative DNS www.ipv4only.com ` Q AAAA? Q AAAA? EMPTY Q A? R = 2001:db8:101::c000:201 NAT64 R = 192.0.2.1 Webserver 2001:db8:101::c000:201 192.0.2.1 2001:db8:101::c000:201 192.0.2.1 8

DNS64 (RFC 6147) AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 Recursive DNS AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 9

DNS64 Everybody Will Need It 100% Dual stack DNS64 IPv4 10% 0% IPv6 Time 10

DNS64 Design and functionality options Sticky clients Make sure a client goes to the same IPv4 server during the session. Mixed deployments using views The same DNS server must be able to handle different types of networks and different NAT64 gateways. Load balancing via DNS Coarse load balancing of NAT64 gateways High availability Take one NAT64 gateway out of rotation if it becomes unavailable. How to handle broken applications? 1. Stop using the broken applications. Works for Enterprise but not for Service Providers. 2. Continue using IPv6 but dual stack the entire network. Bad because you don t get the benefit of IPv6 only 3. 464XLAT 11

464XLAT (RFC 6877) 464XLAT is a way to handle broken websites. Can be used standalone or with DNS64. CLAT is a stateful translation v4-v6, PLAT is stateless v6-v4 Supported by Android, configured with plat_subnet 2001:db8:1:2:3:4:: ` Dual v6 v4 CLAT PLAT Could be one device 12

Heuristic discovery (RFC 7050) Heuristic discovery of DNS64 prefix (RFC 7050) Instead of having to configure the plat subnet manually, the handset can figure it out with some intelligent queries. Works in Andriod 4.3 using the plat_from_dns64_hostname ipv4only.arpa. domain is created, if you get a AAAA response back you know you are behind a DNS64 and can figure out the prefix. 13

Reverse IPv6 Delegation (draft-howard) Reverse delegation of just a single /64 would require 4 billion disks with 400 G of storage Feature (Service) parity between IPv4 and IPv6 Feature parity is hard for IPv6 reverse delegation. Traditionally they have been pre-generated in IPv4: 1.2.3.4.in-addr.arpa PTR client1.houston.provider.net. 2.2.3.4.in-addr.arpa PTR client2.houston.provider.net. 3.2.3.4.in-addr.arpa PTR client3.houston.provider.net. 4.2.3.4.in-addr.arpa PTR client4.houston.provider.net. Alternatives for IPv6 (draft-howard-isp-ip6rdns-06): Delegate DNS Not all customers can/will run DNS Dynamic DNS Scaling issues Wildcard not a perfect solution Synthetic IPv6 not widely implemented 14

Comparison of IETF draft options (draft-howard) Do Nothing Wildcards Dynamic DNS Synthesize # new servers 0 0 Many 0 Reverse record exists Reverse record matches forward record Works with DNSSEC Difficult Difficult DNS solutions need to evolve to simplify reverse IPv6 DNS 15

Synth Traditional method 1.2.3.4.in-addr.arpa d.b.8.1.0.0.2.ip6.arpa No service parity between v4 and v6 Spam filters, ssh, etc does not work Gigabytes of zone transfers, long startup time, large memory requirements client-1-2-3-4.example.com NXDOMAIN $GENERATE New method 1.2.3.4.in-addr.arpa d.b.8.1.0.0.2.ip6.arpa Service parity between v4 and v6 Minimal zone transfer, quick startup, low memory requirements client-1-2-3-4.example.com Client-d-b-8-1-v6.example.com S64-SYNTH 16

Packet Too Big issue in IPv6 Lack of intermediate fragmentation in IPv6 cause issues Correct processing of PTB packets is complex Packet Too big Response 1500 bytes Recursive resolver Response 1220 + 280 bytes Authoritative server 17

DNS network packets 512 1280 1500 4096 65535 Before EDNS0 Maximum packet size IPv6 minimum MTU Max Ethernet frame Max EDNS0 Bufsize typically supported Theoretical Max UDP DNS Packet size More switching to TCP More retransmissions due to lost packets DNS are small packets. A fancy algorithm does not pay off. Initial advertized bufsize=1440 for IPv4 and 1220 for IPv6 18

DOS attacks over IPv6 IPv4 defense against DOS attacks is to blacklist (block/drop/rate limit) the offending IPv4 address. With IPv6 each client will be given a very large set of IPv6 addresses. A sneaky attacker or Botnet controlled computer could traverse the large address space to avoid getting blacklisted without using the same source in 100+ years. Conclusion: Defenses against DOS attacks must be re-architectured in IPv6 to work on prefixes. DNS Response Rate Limiting defaults to IPv6 Prefix Length /56 19

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information