IPv6 and DNS. Secure64

IPv6 and DNS Secure64

About me Stephan Lagerholm Director and Founder of TXv6TF. Secure64 Software Corp. Sponsor of the event. AGENDA DNS and IPv6 basics IETF progress: DNS64 (RFC 6147) 464XLAT (RFC 6877) draft-savolainen-heuristic-nat64-discovery Reverse Delegation and IPv6 IPv6 and small packets Useful tools for IPv6 testing 1

Before we begin Deployment is minimal, Texas Universities: 4/107 (up from 1/107) Texas AM Sam Houston State University University of Houston University of Texas of the Permian Basin Texas Corporations: 2/30 (up from 0/30) AT&T Texas Instrument Texas Counties: 1/233 (down from 1/233) www.angelinacounty.net. 2620:0:50e0:3::31 www.co.kerr.tx.us 2001:470:1f11:bcd:21e:c9ff:feaf:68c8 2

DNS and IPv6 LAN Internet Recursive DNS Authority DNS One A and one AAAA query Client prefers IPv6 over IPv4 Twice the load on the DNS 3

Independent queries (default config) AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 Recursive DNS AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 A recursive DNS server will typically favor the fastest responding server based on RTT 4

Filter-AAAA-on-v4-transport AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 Recursive DNS AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 Unless the client can prove that he speaks IPv6 we are not going to send him to IPv6 sites. 5

DNS64 Moves a network directly to IPv6 without having to deploy dual stack Is one of many transition technologies to IPv6 Allow IPv6 only clients to access IPv4 only content Defined in RFC Requires both DNS64 and NAT64 devices deloyed in the network to work There are issues with IPv4 literals Can be combined with Dual Stack or other standards. 6

NAT64 / DNS64 Under The Hood Client DNS64 Authoritative DNS www.ipv4only.com ` Q AAAA? Q AAAA? EMPTY Q A? R = 2001:db8:101::c000:201 NAT64 R = 192.0.2.1 Webserver 2001:db8:101::c000:201 192.0.2.1 2001:db8:101::c000:201 192.0.2.1 7

DNS64 AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 Recursive DNS AAAA query over IPv4 A query over IPv4 AAAA query over IPv6 A query over IPv6 8

DNS64 Everybody Will Need It 100% Dual stack DNS64 IPv4 10% 0% IPv6 Time 9

DNS64 Functionality Options Sticky clients Make sure a client goes to the same IPv4 server during the session. Mixed deployments using views The same DNS server must be able to handle different types of networks and different NAT64 gateways. Load balancing via DNS Coarse load balancing of NAT64 gateways High availability Take one NAT64 gateway out of rotation if it becomes unavailable. 10

Use case 1.5 The Future of NAT64/DNS64 How do we handle broken applications and websites? draft-ietf-behave-nat64-discovery-heuristic 464XLAT (RFC 6877) ` Dual v6 v4 CLAT PLAT 11

Packet Too Big issue in IPv6 (selecting an appropriate bufsize) Lack of fragmentation in IPv6 cause issues Correct processing of PTB packets is complex Query bufsize=1600 FW drop Response 1500 bytes Recursive resolver Packet Too big Response 1500 bytes Authoritative server 12

DNS network packets 512 1280 1500 4096 65535 Before EDNS0 Maximum packet size IPv6 minimum MTU Max Ethernet frame Max EDNS0 Bufsize typically supported Theoretical Max UDP DNS Packet size More switching to TCP More retransmissions due to lost packets DNS are small packets. A fancy algorithm does not pay off. Initial advertized bufsize=1440 for IPv4 and 1220 for IPv6 13

Reverse Delegation Issue All hosts on internet should have a reverse delegation (RFC) In reality, not always as easy as previous slide suggests In IPv4 service providers pre populate the entire reverse tree: adsl-70-250-178-4.dsl.rcsntx.swbell.net. IEFT draft lays out 4 alternatives: Do nothing Use wildcards Use dynamic DNS Synthesize records on the fly 14

Reverse IPv6 Delegation Reverse delegation of just a single /64 would require 4 billion disks with 400 G of storage Feature (Service) parity between IPv4 and IPv6 Feature parity is hard for IPv6 reverse delegation. Traditionally they have been pre-generated in IPv4: 1.2.3.4.in-addr.arpa PTR client1.houston.provider.net. 2.2.3.4.in-addr.arpa PTR client2.houston.provider.net. 3.2.3.4.in-addr.arpa PTR client3.houston.provider.net. 4.2.3.4.in-addr.arpa PTR client4.houston.provider.net. Alternatives for IPv6 (draft-howard-isp-ip6rdns-06): Delegate DNS Not all customers can/will run DNS Dynamic DNS Scaling issues Wildcard not a perfect solution Synthetic IPv6 not widely implemented 15

Comparison of IETF draft options Do Nothing Wildcard s Dynamic DNS Synthesize # new servers 0 0 Hundreds 0 Reverse record exists Reverse record matches forward record Works with DNSSEC Difficult Difficult DNS solutions need to evolve to simplify reverse IPv6 DNS 16

Synth Traditional method 1.2.3.4.in-addr.arpa d.b.8.1.0.0.2.ip6.arpa No service parity between v4 and v6 Spam filters, ssh, etc does not work Gigabytes of zone transfers, long startup time, large memory requirements client-1-2-3-4.example.com NXDOMAIN $GENERATE New method 1.2.3.4.in-addr.arpa d.b.8.1.0.0.2.ip6.arpa Service parity between v4 and v6 Minimal zone transfer, quick startup, low memory requirements client-1-2-3-4.example.com Client-d-b-8-1-v6.example.com S64-SYNTH 17

Testing IPv6, useful tools ISIC6 Stack Integrity Checker http://isic.sourceforge.net/ The standard DNS testing tools (Dig, Resperf, etc) All work over Ipv6 Scapy Packet Manipulation http://www.secdev.org/projects/scapy/ THC The Hackers Choice attack tools. http://thc.org/thc 18