Slides
Transcription
Slides
IPv6 Extension Headers on the Public Internet Study Mehdi Kouhen, Ecole Polytechnique (Paris), [email protected] February 2016 Introduction Extension Headers are not only for “extensions” to IPv6 EHs are important for core IPv6 functionality, like fragmentation According to the specifications (RFCs 2460 and 7045), “extension headers are not examined or processed by any node along a packet's delivery path” (with the exception of Hop-by-Hop Header) However, experience and preliminary research show that packets containing Extension Headers are often dropped before reaching their destination How much ? Where ? Why ? © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Introduction draft-gont-v6ops-ipv6-ehs-in-real-world About 20-40% of packets with Ext Hdr are dropped over the Internet Packets are dropped by the destination AS: ➜ An organization is free to firewall its own network ➜ May be OK Packets are dropped in transit ➜ Against spec : legitimate packets may not reach destination Source: Paul Townsend, Flickr ➜ Problem © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Previous Extension Headers Research by Others IETF-88, Nov-2013, fgont-iepg-ietf88-ipv6-frag-and-eh.pdf “Fragmentation and Extension Header Support in the IPv6 Internet” Single origin, destination = Alexa top web sites (883 unique addr) Ext header size: 8 bytes and 1024 bytes Failure rate: 45% IETF-89, with Tim Chown: 60% packet drops IETF-90, Jul-2014, iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf “IPv6 Extension Headers in the Real World v2.0” Origin: RIPE Atlas probes, destination = Alexa again Ext header size: 8, 256, 512 and 1024 bytes Failure rate: between 60% and 90% © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Issues with Previous Experiments Destination: big web sites (Alexa) It is expected that destination drops what is unexpected Outdated by 9 months in early 2015 Not testing about Routing Header (for segment routing) Not matching other empirical tests © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 Methodology of our study 1. 2. Determine a set of IPv6 addresses to test : From Alexa’s Top 1 Million list From IPv6 BGP-advertised prefixes TCP Traceroute without EHs : 3. TCP Traceroute with EHs: 4. Send v6 packets with TCP payload to port 80 of the destination with varying TTL => Routers in the path answer with ICMPv6 Time Exceeded Same thing but adding an Extension Header before the TCP payload Analysing the traceroutes © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Methodology of our research : Step 1) Determining a set of IPv6 addresses to test From Alexa’s Top 1 Million list : Take those that have a AAAA record … with a reachable IPv6 address in the AAAA record From BGP-advertised IPv6 prefixes Address = [prefix]::1 Doesn’t exist ? No problem, we are supposed to reach the AS -> Enough © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 Methodology of our research May 2015 : 2) TCP Traceroute without EHs Send v6 packets with TCP payload to port 80 of the destination, using scapy With varying TTL : from 2 to 30 (enough) At the same time (performance reasons) Routers in the path answer with ICMPv6 Time Exceeded when TTL=0 We have the path ! Thanks to Sander Steffann for providing the VM © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 8 Methodology of our research May 2015 : 3) TCP Traceroute with EHs Exactly the same methodology, But with Extension Headers between IPv6 Header and TCP payload EH set : EHs blocked by our ISP (so no result) : Destination Option Header 16, 256, 512 bytes Hop-by-Hop Header 256, 512 bytes Hop-by-Hop Header 16 bytes Routing Header type 0 (deprecated) DO 16B + HbH 16B Routing Header type 4 (expected for SR) Fragment Header Normal and Atomic © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 Methodology of our study : Analysing the traceroutes Alexa’s : Success if packet reaches the address in the AAAA record BGP : Success if normal traceroute reaches destination AS traceroute with EH reaches last responding router in normal traceroute Last responding router : M => Dropping router : M+1 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 Methodology of our study : Analysing the traceroutes Is it a problem ? Depends where it was dropped ! If dropped by the destination organization (host or same AS): Not a problem ! If dropped in transit: not cool… Where is the dropping node ? If IP corresponds to some major IXPs, we look up the corresponding ASN by knowing the addressing logic, or in a database Otherwise, MaxMind ASN lookup © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 11 Results and analysis Drop rates depend on the Extension Header D.O. 16B © 2016 Cisco and/or its affiliates. All rights reserved. HbH 16B For Alexa Cisco Public 12 Transit Drop rates 60 50 40 30 20 10 Alexa BGP 0 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 13 Things Keeps Improving Though • Current research by Polytechnique Paris and Cisco (Eric Vyncke) • More encouraging results • But still (lots of) room for improvement • Still work on how routers should handle Ehs : [draft-baker-6man-hbh-header-handling] • http://btv6.vyncke.org/exthdr/index.php?ds=bgp&t=fh © 2016 Cisco and/or its affiliates. All rights reserved. (work in progress!) Cisco Public 14 Thank you. Best of DNS AAAA records : Hall of Shame 192:192:168:168:1:1:1:1 1:1:1:1:1:1:1:1 a03:6f00:1::bce1:108c ::ffff:205.217.188.3 ::ce98:c108:0:0:d598:c108 6:2001:67c:2070::112 6718:5c99:: 64:ff9c::36fe:8e4a 64:ff9b::ca98:e052 6489:d5ae:656c:6c75:74:61:2800:0 616e:6261:6e6b:2e6e:6574:2e69:6e00:100 3ffe:3218:6::ca76:42d7 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 16