IPv6 delivery model to end customers

Mikael Abrahamsson swmike at swm.pp.se
Sat Feb 7 07:45:00 UTC 2009

I didn't know where to jump in in the current discussion and what I wanted 
to discuss was quite general, so I thought I'd create a new thread 

So, anyone saying IPv6 is ready for prime-time whereever IPv4 is used, has 
a very simplified view of the world. Yes, IPv6 works in the classic routed 
network model where everything is statically set up (often manually), for 
example with an ISP run CPE and static/dynamic routing and a fixed /48 
issued for that customer and SWIPed. Then it's easy to delegate 
reverse-DNS etc to the customer DNS.

Now, take for instance the residential LAN case. There are several models 
on how to do this, but they all (that I know of) reside around the fact 
that each customer gets one or more globally routed IP address via DHCP, 
and security against spoofing and "man in the middle"-attacks is either 
done via forced-forwarding in the L2 device the customer connects to, or 
it's done via setting L3 accesslists learnt via DHCP snooping that inspect 
L2-packets in that same device. Often both is done, and also things like 
"ARP inspection", rogue dhcp server protection, MAC-rewrite etc is used. 
These are essential security mechanisms because customers should be 
protected from each other when it comes to these types of L2 attacks. 
Tracability (who had what IP at what time) is done via DHCP option82 and 
logging of this information. So, the L2 devices closest to the customer 
does a lot of "magic". All of these mechanisms were developed in the first 
half of the last decade.

Now, with IPv6 this model changes drastically. The proposed mechanisms for 
IP number handout etc, is RA and DHCPv6. How does that fit into the model 
above? It doesn't, and the L2 devices surely won't "sniff" it and enforce 
security measures mentioned above.

My ideal model would be to replace the above mentioned L2 device with a 
small and simple L3 device (L3 switch) with very small TCAM (TCAM size 6-8 
times port number should be enough), where this device uses link-local 
with the CPEs (would require all customers to actually have a router at 
home), hands out prefixes via DHCPv6-PD, inserts route towards customer 
link-local address, provisions anti-spoofing ACLs on that port, logs what 
prefix was given out to each port at what time, and off we go. (Rationale 
for link-local only is to have only customer devices in "Customer IP 
space" and only ISP infrastructure in that IP-space. This is equivalent to 
"ip unnumbered" in IPv4 in my view.) I have pitched this idea in the IETF 
v6ops list and it's now included in a draft that lists different models of 
IPv6 delivery.

As far as I know, this IPv6 L3 device doesn't exist (in the pricerange 
needed for massive residential roll-out anyhow).

So, in the meantime, to get IPv6 to the end customers I see two ways 
(because they need to fit into the IPv4 security model mentioned above). 
We have either 6to4 tunneling (Cisco 7600 does this very well and code for 
Linux CPEs exist already), or we try to fit IPv6 into the IPv4 security 
model. Current recommendation from the swedish "city networks association" 
(they consists mostly of entities running LANs to residential, I believe 
there are approx 400-500k ports of that in Sweden at this time) is that if 
you don't know if your network is secure against IPv6, block it at the 
ethertype level (I'll come back to the security risks later).

So, how can we fit current IPv6 into the IPv4 security model? We can't. 
Current L2 devices won't do any of the IPv6 security stuff needed, and 
just turning on RA/DHCPv6 would make it work from a "let's move 
packets"-aspect, but it wouldn't be secure (perhaps in some 
forced-forwarding cases there might be a possibility of doing it securely, 
but what devices will log what customer had what IP at what time when it's 
done via RA?).

So, what is the security problem with IPv6 in an IPv4 network? Well, 
imagine an IPv4 network where security is done via ARP inspection, DHCP 
snooping and L3 ACLs. Now, insert rogue customer who announces itself via 
RA/DHCPv6 and says it's also DNS. Vista machines will get itself an IPv6 
address via RA, ask for DNS-server via DHCPv6, so if the rogue customer 
can do some NAT-PT like functionality, they are now man in the middle for 
all the IPv4 traffic (because between the customers it's IPv6 and the L2 
device doesn't know anything about that). I don't know if this has 
actually been done, but I see no theoretical problem with it, if someone 
can come up with something, please do tell.

So, my view on IPv6 is that I would love to roll it out to all residential 
customers, but unfortunately all the development done for IPv4 security 
has gone unnoticed by the people developing IPv6 and now it's behind and 
needs to catch up, or pitch a different model and then get vendors to 
develop products that do this.

In the mean time, we do (and I encourage everybody else to do the same) 
support 6to4 and Teredo, plus we do IPv6 native in the core and peering 
where possible plus we give IPv6 to customers where we're able to securely 
(mostly transit customers and corporate customers with IPv6 capable CPEs).

Mikael Abrahamsson    email: swmike at swm.pp.se

More information about the NANOG mailing list