Keith OBrien
Distinguished Engineer Cisco kobrien@cisco.com
Specializes in large scale IP routing, network security and incident response within ISP and enterprise networks. Working with major US based ISPs on their transition to an IPv6 network.
Adjunct professor of Computer Science at NYU's Polytechnic Institute - Graduate Studies
Visiting Professor of Electrical and Computer Engineering at the United States Coast Guard Academy
BSEE Lafayette College, MS Stevens Institute of Technology
CCIE, CISSP, SANS GIAC
http://keithobrien.org
Twitter: @keitheobrien
Cisco Confidential
Technology Intro
Comparison to IPv4 Addressing ICMPv6 and Neighbor Discovery DHCPv6 and DNS
IPv6 Security
More Devices
Nearly 15B Connections
Source: Cisco Visual Networking Index (VNI) Global IP Traffic Forecast, 20102015
2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6
IETF IPv6 WG began in the early 90s to solve addressing growth issues, but CIDR, NAT, ... were developed
IP is everywhere
Data, voice, audio and video integration is a reality
http://www.bgpexpert.com/ianaglobalpool2.php
http://www.potaroo.net/tools/ipv4/rir.jpg
Service Segment / When do you run out of IPv4 addresses?
Mobile: Now. Devices are already being actively deployed with IPv6 addresses
Enterprise: Varies. NAT is already being used at peering points where run out has occurred
Wireline: Now. A combination of NAT and IPv6 enabled CPE are being deployed
Open questions: When is most of the content available on IPv6 network? What is the device/CPE refresh frequency?
Growing rapidly
June 6, 2012
Network equipment vendors, ISPs and content providers are coming together on
D-Link
Internode Time Warner Cable NASA
Facebook
KDDI Yahoo Sprint
Free Telecom
Limelight Netflix
Google
Bing AOL
http://www.worldipv6launch.org/
Service              IPv4                                          IPv6
Addressing Range     32-bit, Network Address Translation           128-bit, Multiple Scopes
IP Provisioning      DHCP                                          SLAAC, Renumbering, DHCP
Security             IPSec                                         IPSec Mandated, Works End-to-End
Mobility             Mobile IP
Quality-of-Service   Differentiated Service, Integrated Service
Multicast            IGMP/PIM/MBGP
IPv4 Header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address
IPv6 Header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
(Figure: the two header layouts side by side with a legend; the legend is not recoverable from the extracted text)
Figure: Next Header chaining. The Next Header field of the IPv6 header names the first extension header (e.g. 43 = Routing Header, 60 = Destination Options), each extension header's Next Header names the following one, and the last one names the upper-layer protocol (6 = TCP, 17 = UDP).
Recommended extension header order (position, header type, header code):
0  Hop-by-Hop Options                    0
1  Dest Options (with Routing options)   60
2  Routing Header                        43
3  Fragment Header                       44
4  Authentication Header                 51
5  ESP Header                            50
6  Destination Options                   60
7  Mobility Header                       135
8  No Next Header                        59
9  Upper Layer: TCP                      6
   Upper Layer: UDP                      17
   Upper Layer: ICMPv6                   58
IPv6 address space = 79,228,162,514,264,337,593,543,950,336 times the number of possible IPv4 addresses (79 trillion trillion)
Segmented into 8 groups of four HEX characters (called HEXtets), separated by a colon (:)
Network Portion                       Interface ID
gggg:gggg:gggg:ssss                   xxxx:xxxx:xxxx:xxxx
Global Routing Prefix (n <= 48 bits) | Subnet ID (64 - n bits) | Host (64 bits)
Full Format:        2001:0000:0000:00A1:0000:0000:0000:1E2A
Abbreviated Format: 2001:0:0:A1::1E2A
2001:db80:1200::/48 vs. 2001:db8:12::/48 (only leading zeros within a hextet may be dropped; trailing zeros may not, so these are two different prefixes)
IANA 2001::/3
EUI-64: the 48 bit MAC address is expanded to 64 bits by inserting FFFE into the middle 16 bits
To make sure that the chosen address is from a unique Ethernet MAC address, the universal/local (u bit) is set to 1 for global scope and 0 for local scope
Where U = the universal/local bit in the first octet, e.g. MAC 00:90:27:17:FC:0F becomes the interface identifier 02:90:27:FF:FE:17:FC:0F
Unicast address scopes: Global, Unique Local, Link Local
Unicast: address of a single interface. One-to-one delivery to a single interface
Multicast: address of a set of interfaces. One-to-many delivery to all interfaces in the set
Anycast: address of a set of interfaces. One-to-one-of-many delivery to the single interface in the set that is closest
No more broadcast addresses
Address Type               Comment
Link Local                 Required on all interfaces
Unique Local               Valid only within an Administrative Domain
Global Unicast             Globally routed prefix
Auto-Config 6to4           Used for 2002:: 6to4 tunnelling
Solicited Node Multicast   Neighbour Discovery and Duplicate Address Detection (DAD)
All Nodes Multicast        For ICMPv6 messages
Address             Scope        Meaning
FF01::1             Node-Local   All Nodes
FF01::2             Node-Local   All Routers
FF02::1             Link-Local   All Nodes
FF02::2             Link-Local   All Routers
FF02::5             Link-Local   OSPFv3 Routers
FF02::6             Link-Local   OSPFv3 DR Routers
FF02::1:FFXX:XXXX   Link-Local   Solicited-Node
http://www.iana.org/assignments/ipv6-multicast-addresses
R1#show ipv6 interface e0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  No global unicast address is configured
  Joined group address(es):
    All Nodes FF02::1
    All Routers FF02::2
    Solicited Node Multicast Address FF02::1:FF3A:8B18
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
R1#
Function             IPv4                    IPv6
Address Assignment   DHCPv4                  DHCPv6, SLAAC, Reconfiguration
Address Resolution   ARP, RARP               NS, NA
Router Discovery     ICMP Router Discovery   RS, RA
Name Resolution      DNSv4                   DNSv6
Neighbor Discovery:
Replaces ARP and ICMP (redirects, router discovery)
Reachability of neighbors
Hosts use it to discover routers and to auto configure addresses
Duplicate Address Detection (DAD)
Neighbour Solicitation (A -> B): ICMP Type 135; IPv6 Source: A unicast; IPv6 Destination: B's solicited node multicast; Data: FE80:: address of A; Query: what is B's link layer address?
Neighbour Advertisement (B -> A): ICMP Type 136; IPv6 Source: B unicast; IPv6 Destination: A unicast; Data: FE80:: address of B, MAC address
Router Solicitation (RS): ICMP Type 133; IPv6 Source: A link local (FE80::1); IPv6 Destination: All Routers Multicast (FF02::2); Query: please send RA
Router Advertisement (RA): ICMP Type 134; IPv6 Source: router link local (FE80::2); IPv6 Destination: All Nodes Multicast (FF02::1); Data: options, subnet prefix, lifetime, autoconfig flag
Router solicitations (RS) are sent by booting nodes to request RAs for
multicast address
SLAAC: generating a link-local address, generating global addresses via stateless address autoconfiguration, and the Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link
Figure: host A (MAC 00:2c:04:00:fe:56) and router R1 (2001:db8:face::/64)
1. Host A sends RS
2. R1 sends RA (Ethernet DA/SA, Prefix Information 2001:db8:face::/64, Default Router = Router R1)
3. Host A runs DAD
Host autoconfigured address comprises prefix received + link-layer address if the DAD check passes: 2001:db8:face::22c:4ff:fe00:fe56
Hostname to IP address
  IPv4, A record:     www.abc.test. A 192.168.30.1
  IPv6, AAAA record:  www.abc.test. AAAA 2001:db8:C18:1::2
IP address to hostname
  IPv4, PTR record:   1.30.168.192.in-addr.arpa. PTR www.abc.test.
  IPv6, PTR record:   2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.
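The address mechanics on the preceding slides (full and abbreviated formats, the prefix/subnet/interface ID split, EUI-64 interface identifiers, solicited-node multicast groups, SLAAC address formation and ip6.arpa PTR names) as one added Python example. It is not code from the presentation; it uses only the standard library, and the sample values are the ones shown on the slides (2001:0:0:A1::1E2A, MAC 00:2c:04:00:fe:56 with prefix 2001:db8:face::/64, MAC 00:90:27:17:FC:0F, FE80::200:CFF:FE3A:8B18, 2001:db8:C18:1::2).

```python
# Added example (not from the presentation): IPv6 address mechanics from the
# preceding slides, implemented with the Python standard library only.
import ipaddress


def expand(addr: str) -> str:
    """Full format: all 8 hextets, each written with four hex digits."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Abbreviated format: leading zeros dropped and the longest run of zero
    hextets (when longer than one) replaced by '::'."""
    return ipaddress.IPv6Address(addr).compressed


def split_global_unicast(addr: str, prefix_len: int = 48) -> tuple:
    """Split into global routing prefix (prefix_len bits), subnet ID
    (64 - prefix_len bits) and interface ID (64 bits), each as a hex string."""
    if not 0 < prefix_len <= 64 or prefix_len % 4:
        raise ValueError("prefix length must be a multiple of 4, at most 64")
    n = int(ipaddress.IPv6Address(addr))
    iid = n & ((1 << 64) - 1)
    subnet_bits = 64 - prefix_len
    top = n >> 64
    subnet = top & ((1 << subnet_bits) - 1)
    routing = top >> subnet_bits
    return (f"{routing:0{prefix_len // 4}x}",
            f"{subnet:0{subnet_bits // 4}x}" if subnet_bits else "",
            f"{iid:016x}")


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier: insert FF:FE between the OUI and
    the device part of the 48-bit MAC, then flip the universal/local bit
    (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """Autoconfigured address = RA prefix (/64) + modified EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def solicited_node_multicast(addr: str) -> str:
    """FF02::1:FFXX:XXXX with the low 24 bits copied from the unicast address;
    the group a node joins for Neighbor Solicitation and DAD."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def reverse_pointer(addr: str) -> str:
    """Owner name of the PTR record: all 32 nibbles reversed under ip6.arpa."""
    nibbles = expand(addr).replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


if __name__ == "__main__":
    print(expand("2001:0:0:A1::1E2A"))
    print(compress("2001:0000:0000:00A1:0000:0000:0000:1E2A"))
    print(slaac_address("2001:db8:face::/64", "00:2c:04:00:fe:56"))
    print(solicited_node_multicast("FE80::200:CFF:FE3A:8B18"))
    print(reverse_pointer("2001:db8:C18:1::2"))
```

One detail worth knowing: `slaac_address` prints the autoconfigured address as `2001:db8:face:0:22c:4ff:fe00:fe56`, while the slide writes `2001:db8:face::22c:4ff:fe00:fe56`. Both denote the same address; the canonical text form (RFC 5952) does not use `::` for a single zero hextet, so compare addresses by value, not by string, when correlating logs.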
Figure: a dual-stack host (IPv4 192.168.0.3, IPv6 2001:db8:1::1) asks the DNS server "www.example.org = * ?"
The host can query the DNS (over IPv4 or IPv6) for IPv4 (A) and/or IPv6 (AAAA) records
It chooses one address and, for example, connects to the IPv6 address
Capture: Standard query response CNAME ipv6.l.google.com AAAA 2404:6800:8004::68 (IPv6 address of the canonical name returned); the host prefers the IPv6 address (configurable) and sends ICMP Echo request (Unknown (0x00)) over v6
Manual Assignment
Statically configured by human operator
RA messages contain flags that indicate the address allocation combination (A, M and O bits): use SLAAC only, use DHCPv6 stateful, or use SLAAC and DHCPv6 for other options
Stateful DHCPv6 example:
1. Router 1 (DHCPv6 Relay) sends an RA for 2001:db8:face::/64 to host A
2. Host A sends DHCP Solicit to FF02::1:2 (All DHCP Relays)
3. DHCP Server assigns 2001:db8:face::1/64, DNS1, DNS2, NTP
Router Advertisement (RA) flags in this case:
A bit (Address config flag) set to 0 - do not use SLAAC for host config
M bit (Managed address configuration flag) set to 1 - use DHCPv6 for host IPv6 address
O bit (Other configuration flag) set to 1 - use DHCPv6 for additional info (DNS, NTP)
RA messages contain flags that indicate the address allocation combination (A, M and O bits): use SLAAC only, use DHCPv6 stateful, or use SLAAC and DHCPv6 for other options
Stateless DHCPv6 example:
1. Router sends an RA with on-link prefix 2001:db8:face::/64 to host A
2. Host A autoconfigures 2001:db8:face::22c:4ff:fe00:fe56 via SLAAC
3. Host A sends DHCP Solicit to FF02::1:2 for options only
4. DHCP Server returns DNS1, DNS2, NTP
Router Advertisement (RA) flags in this case:
A bit (Address config flag) set to 1 - use SLAAC for host address config (on-link prefix 2001:db8:face::/64)
M bit (Managed address configuration flag) set to 0 - do not use DHCPv6 for IPv6 address
O bit (Other configuration flag) set to 1 - use DHCPv6 for additional info (DNS, NTP)
Dual-stack core (figure: CE - PE - IPv4/IPv6 core - PE - CE)
Some or all interfaces in the cloud are dual configured
All P + PE routers are capable of IPv4+IPv6 support
Two IGPs supporting IPv4 and IPv6
Memory considerations for larger routing tables
Native IPv6 multicast support
All IPv6 traffic routed in global space
Good for content distribution and global services (Internet)
Dual-stack interface configuration (figure: C E - PE - PE - CE, IPv6):
ipv6 unicast-routing
interface Ethernet0
 ip address 192.168.99.1 255.255.255.0
 ipv6 address 2001:db8:213:1::1/64
Figure: dual-stack host. An IPv6-enabled application runs over TCP/UDP on both IPv4 and IPv6; the frame protocol ID selects the stack (0x0800 = IPv4, 0x86dd = IPv6) and the application preference decides which one is used
Tunnelling options: GRE, Manual, 6to4, DMVPN, ISATAP, MPLS (Manual), MPLS 6PE
GRE tunnel between dual-stack routers across an IPv4 network (Dual-Stack Router2: IPv4 192.168.30.1, IPv6 2001:db8:800:1::2)
router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/128
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode gre ipv6

router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/128
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode gre ipv6
Manually configured IPv6-in-IPv4 tunnel (Dual-Stack Router1 - IPv4 - Dual-Stack Router2, an IPv6 network on each side)
router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/127
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode ipv6ip

router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/127
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode ipv6ip
6to4 (figure: an IPv6 packet from the IPv6 network behind CE 200.15.15.1 (e0/0), 6to4 prefix 2002:c80f:0f01, is carried inside an IPv4 header across the PE/P IPv4 core to 200.11.11.1 (e0/0), 6to4 prefix 2002:c80b:0b01; tunnel endpoints 2002:c80f:0f01:100::1 and 2002:c80b:0b01:100::1)
Automatic tunnel method using the 2002:IPv4::/48 IPv6 range
IPv4 embedded in IPv6 format, e.g. 2002:c80f:0f01:: = 200.15.15.1
No impact on existing IPv4 or MPLS Core (IPv6 unaware)
Tunnel endpoints have to be IPv6 and IPv4 aware (Dual stack)
Transition technology, not for long term use
No multicast support, Static Routing
Intrinsic linkage between destination IPv6 Subnet and IPv4 gateway interface: IPv4 Gateway = Tunnel End point
Figure: 6to4 tunnel from CE (IPv6 2002:c80f:0f01, 200.15.15.1 on e0/0) across the PE - PE IPv4 core to an IPv6 relay; the IPv6 packet travels inside an IPv4 header
...research: Stonesoft released 163 new Advanced Evasion Techniques, 12 of those are IPv6-specific
Private security researchers are also putting additional focus on
Infrastructure: 220 page report "Security Assessment of the Internet Protocol version 6 (IPv6)"
Industry as a whole has far less experience with IPv6 vs IPv4
IPv6 implementations have not been proven over time
Security tools such as firewalls and IDS have varying levels of IPv6 support. Even when it is claimed to be supported, that level of support varies widely
IPv6 brings added complexity, which is the enemy of security
Network engineers and security operations staff are not fully trained on IPv6
IPv6 networks: 2^128 addresses
6.5 Billion
Public servers will still need to be DNS reachable
Increased deployment and reliance on Dynamic DNS
Figure: attacker, multicast address FF05::1:3, host 2001:db8:3::70
http://www.iana.org/assignments/ipv6-multicast-addresses/
Bittorrent will expose IPv6 peers
Look in web server log files for IPv6 addresses
Convince the target
ICMPv6 echo/response
Send invalid ICMPv6 options and nodes will be forced to reply
Use Traceroute6
Look for well known IPv4 addresses which are linked to IPv6 (e.g. Teredo)
Neighbor discovery cache for already compromised hosts
root@bt:~# alive6 -s 1 eth1
Alive: 2001:470:67b9:1:234:36ff:fe9c:3132
Alive: 2001:470:67b9:1:21d:29ff:fef9:bc06
Alive: 2001:470:67b9:1:22f:29ff:fe61:1ea1
Alive: 2001:470:67b9:1:259:29ff:fe40:e19a
Alive: 2001:470:67b9:1:231:ebff:fef7:f140
Alive: fe80::ebff:d4ff:fedd:c572
Alive: 2001:470:67b9:1:b917:c2ff:fed9:6b1b
Alive: 2001:470:67b9:1:993:cbff:fea3:1733
Alive: 2001:470:67b9:1:675:dfff:fede:4875
Alive: 2001:470:67b9:1:b67d:caff:fe1b:c7a7
Alive: 2001:470:67b9:1:b78f:cbff:fee9:fd7f
Found 11 systems alive
root@bt:~# ip -6 neigh show
2001:470:67b9:1:7273:cbff:fee9:ddf3 dev eth1 lladdr 70:73:cb:e9:dd:f3 DELAY
2001:470:67b9:1:224:36ff:fe9c:ff56 dev eth1 lladdr 00:24:36:9c:ff:56 DELAY
2001:470:67b9:1:216:cbff:fea3:dd44 dev eth1 lladdr 00:16:cb:a3:dd:44 DELAY
2001:470:67b9:1:223:dfff:fede:1122 dev eth1 lladdr 00:23:df:de:11:22 DELAY
fe80::223:ebff:fedd:1298 dev eth1 lladdr 00:23:eb:dd:12:98 DELAY
2001:470:67b9:1:ba17:c2ff:fed9:11ed dev eth1 lladdr b8:17:c2:d9:11:ed DELAY
2001:470:67b9:1:5a55:caff:fe1b:dfee dev eth1 lladdr 58:55:ca:1b:df:ee DELAY
Address hierarchy: /23 (2001) -> /32 -> /48 -> /64 + Interface ID
Recommendation: use Privacy Extensions for external communication but not for internal networks (troubleshooting and attack trace back)
Do an AXFR if DNS is misconfigured
If DNSSEC is being used try NSEC walk*. NSEC3 records make
Your host: IPv4 is protected by your favorite personal firewall... IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...)
Your network: does not run IPv6
Your assumption: I'm safe
Reality: you are not safe. Attacker sends Router Advertisements
Easy to check! Look inside NetFlow records:
Protocol 41: IPv6 over IPv4 or 6to4 tunnels
IPv4 address 192.88.99.1 (6to4 anycast server)
UDP 3544, the public part of Teredo, yet another tunnel
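The NetFlow check above written as detection logic, added here as an example and not part of the presentation. The CSV layout and the flow records are constructed; real exports (NetFlow v5/v9, IPFIX) name the fields differently, so adapt the column names to the collector in use.

```python
# Added example (not from the presentation): flag flows that carry IPv6 over
# the IPv4-only network, using the three NetFlow indicators from the slide.
import csv
import io

PROTO_IPV6_IN_IPV4 = 41             # IPv6-in-IPv4 and 6to4 encapsulation
PROTO_UDP = 17
SIX_TO_FOUR_ANYCAST = "192.88.99.1"
TEREDO_UDP_PORT = 3544

# Constructed NetFlow-style export (not real data). Four rows carry tunnelled
# IPv6; the UDP/53 flow and the HTTPS flow are decoys that must not match.
SAMPLE_EXPORT = """\
start,srcaddr,dstaddr,proto,srcport,dstport,bytes
10:23:01,10.1.1.15,93.184.216.34,6,51234,443,5120
10:23:02,10.1.1.22,192.88.99.1,41,0,0,1480
10:23:04,10.1.1.40,203.0.113.7,41,0,0,98000
10:23:05,10.1.1.51,198.51.100.9,17,60001,3544,640
10:23:06,10.1.1.51,198.51.100.9,17,60001,53,120
10:23:07,10.1.1.15,10.1.2.5,17,3544,3544,200
"""


def classify_flow(flow: dict) -> list:
    """Return the tunnel indicators one flow record matches (empty if none)."""
    proto = int(flow["proto"])
    reasons = []
    if proto == PROTO_IPV6_IN_IPV4:
        reasons.append("proto-41 IPv6-in-IPv4")
    if SIX_TO_FOUR_ANYCAST in (flow["srcaddr"], flow["dstaddr"]):
        reasons.append("6to4 anycast relay")
    ports = (int(flow["srcport"]), int(flow["dstport"]))
    if proto == PROTO_UDP and TEREDO_UDP_PORT in ports:
        reasons.append("Teredo UDP/3544")
    return reasons


def find_tunnels(export_text: str) -> list:
    """Scan a CSV flow export; return (start, src, dst, reasons) for every hit."""
    hits = []
    for flow in csv.DictReader(io.StringIO(export_text)):
        reasons = classify_flow(flow)
        if reasons:
            hits.append((flow["start"], flow["srcaddr"], flow["dstaddr"], reasons))
    return hits


def hosts_with_tunnels(export_text: str) -> dict:
    """Internal source addresses that tunnel IPv6, with total tunnelled bytes,
    so the hosts with a default-enabled IPv6 stack can be found and fixed."""
    totals = {}
    for flow in csv.DictReader(io.StringIO(export_text)):
        if classify_flow(flow):
            totals[flow["srcaddr"]] = totals.get(flow["srcaddr"], 0) + int(flow["bytes"])
    return totals


if __name__ == "__main__":
    for hit in find_tunnels(SAMPLE_EXPORT):
        print(hit)
    print(hosts_with_tunnels(SAMPLE_EXPORT))
```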
Router Advertisements contain:
-Prefix to be used by hosts
-Data-link layer address of the router
-Miscellaneous options: MTU, DHCPv6 use, ...
RA without any authentication gives exactly the same level of security as DHCPv4 (none)
Figure: rogue RA. 1. The host sends an RS; 2. both the legitimate router and the attacker answer with an RA, which enables MITM or DoS
Devastating:
Denial of service: all traffic sent to a black hole
Man in the Middle attack: attacker can intercept, listen, modify unprotected data
Also affects legacy IPv4-only network with IPv6-enabled hosts
Most of the time from non-malicious users
Requires layer-2 adjacency (some relief)
Rogue RA mitigation (Where / What):
Increase legal router preference
Disable Stateless Address Autoconfiguration
SeND Router Authorization
SeND Cryptographically Generated Addresses (CGA): each device has an RSA key pair (no need for a cert)
Ultra light check for validity; prevents spoofing a valid CGA address
Figure labels: RSA Keys (Priv, Pub), CGA Params (Subnet Prefix, Interface Identifier), SHA-1, Signature, SeND Messages
SeND router authorization: adding an X.509 certificate to the RA; the Subject Name contains the list of authorized IPv6 prefixes
Figure labels: Trust Anchor, X.509 cert (per router), Router Advertisement with Source Addr = CGA, CGA param block (incl. pub key), Signed
Link-local scope multicast (RA, DHCP request, etc) sent only to the local
Figure: BNG sends the RA over a PVLAN to the CPE and the PC (public V6)
Port ACL on access ports (figure: RAs arriving on access ports are filtered):
switchport mode access
ipv6 traffic-filter ACCESS_PORT in
access-group mode prefer port
RA Guard (figure: host - switch (Bridge RA) - router)
Switch selectively accepts or rejects RAs based on various criteria
Can be ACL based, learning based or challenge (SeND) based
Hosts see only allowed RAs, and RAs with allowed content
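An added example (not from the presentation) that ties the RA flags from the DHCPv6 slides to the ACL-based RA guard described here: it builds Router Advertisements in the RFC 4861 wire layout, decodes the M, O and A bits into the three provisioning modes, and accepts or rejects each RA against an allowed-router and allowed-prefix list. The MACs and prefixes are constructed values; the ICMPv6 checksum is left at zero because only the payload is modelled, and the learning-based and SeND-based variants are not implemented.

```python
# Added example (not from the presentation): RA construction, parsing and an
# ACL-based RA guard decision. Checksum is zero (payload only is modelled).
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SRC_LLADDR = 1
OPT_PREFIX_INFO = 3
OPT_MTU = 5


def build_ra(src_mac, prefix, m=False, o=False, a=True, router_lifetime=1800, mtu=1500):
    """RA payload with source link-layer, prefix information and MTU options."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if m else 0) | (0x40 if o else 0)                 # M and O bits
    head = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 30000, 0)
    lladdr = struct.pack("!BB", OPT_SRC_LLADDR, 1) + bytes.fromhex(src_mac.replace(":", ""))
    pflags = 0x80 | (0x40 if a else 0)                                # L (on-link) and A (autonomous)
    pinfo = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags, 2592000, 604800, 0)
             + net.network_address.packed)
    mtu_opt = struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return head + lladdr + pinfo + mtu_opt


def parse_ra(payload: bytes) -> dict:
    """Decode the RA header flags and walk the TLV options (length in 8-octet units)."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "src_mac": None, "mtu": None, "prefixes": []}
    pos = 16
    while pos + 2 <= len(payload):
        otype, olen = payload[pos], payload[pos + 1]
        if olen == 0:
            raise ValueError("zero-length option")                   # RFC 4861: discard the packet
        opt = payload[pos:pos + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated option")
        if otype == OPT_SRC_LLADDR:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif otype == OPT_PREFIX_INFO:
            plen, pflags = opt[2], opt[3]
            prefix = ipaddress.IPv6Network((ipaddress.IPv6Address(opt[16:32]), plen), strict=False)
            ra["prefixes"].append({"prefix": str(prefix), "L": bool(pflags & 0x80), "A": bool(pflags & 0x40)})
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        pos += olen * 8
    return ra


def provisioning_mode(ra: dict) -> str:
    """Map the A, M and O bits to the allocation combinations from the slides."""
    autonomous = any(p["A"] for p in ra["prefixes"])
    if ra["M"]:
        return "DHCPv6 stateful"
    if autonomous and ra["O"]:
        return "SLAAC + DHCPv6 for other options"
    if autonomous:
        return "SLAAC only"
    return "no address autoconfiguration"


class RaGuard:
    """ACL-based RA guard: only listed router MACs may send RAs, and only for
    listed prefixes. Learning-based and SeND-based checks are not modelled."""

    def __init__(self, allowed_macs, allowed_prefixes):
        self.allowed_macs = {m.lower() for m in allowed_macs}
        self.allowed_prefixes = [ipaddress.IPv6Network(p) for p in allowed_prefixes]

    def evaluate(self, frame_src_mac: str, payload: bytes) -> tuple:
        """Return (accept, reason); reason is the provisioning mode when accepted."""
        try:
            ra = parse_ra(payload)
        except ValueError as exc:
            return False, f"malformed RA: {exc}"
        if frame_src_mac.lower() not in self.allowed_macs:
            return False, f"source MAC {frame_src_mac} is not an authorised router"
        if ra["src_mac"] and ra["src_mac"] != frame_src_mac.lower():
            return False, "source link-layer option does not match the frame source"
        for p in ra["prefixes"]:
            net = ipaddress.IPv6Network(p["prefix"])
            if not any(net.subnet_of(allowed) for allowed in self.allowed_prefixes):
                return False, f"prefix {net} not permitted"
        return True, provisioning_mode(ra)


if __name__ == "__main__":
    guard = RaGuard(["00:1a:2b:3c:4d:5e"], ["2001:db8:face::/48"])
    print(guard.evaluate("00:1a:2b:3c:4d:5e", build_ra("00:1a:2b:3c:4d:5e", "2001:db8:face::/64", o=True)))
    print(guard.evaluate("aa:bb:cc:dd:ee:ff", build_ra("aa:bb:cc:dd:ee:ff", "2001:db8:face::/64")))
```

The guard checks the frame source MAC against the link-layer option inside the RA as well as against the allow list, so a rogue that copies a legitimate option but sends from its own port is still rejected; a rogue that also spoofs the legitimate MAC is the case that needs SeND or port-level isolation, which this ACL-based variant does not cover.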
ND spoofing mitigation (Where / What):
Routers & Hosts: configure static neighbor cache entries
Routers & Hosts: use CryptoGraphic Addresses (SeND CGA)
Switch (First Hop): host isolation
Switch (First Hop): address watch - glean addresses in NDP and DHCP, establish and enforce rules for address ownership
Remote neighbor cache exhaustion: remote router CPU/memory DoS attack if aggressive scanning
Router will do Neighbor Discovery for each scanned address... and waste CPU and memory
Local router DoS with NS/RS/...
Figure: a remote scanner walks 2001:db8::/64 and the router sends NS for 2001:db8::1, 2001:db8::2, 2001:db8::3, ... on the LAN
Mainly an implementation issue
Rate limiter on a global and per interface basis
Prioritize renewal (PROBE) rather than new resolution
Maximum Neighbor cache entries per interface and per MAC address
Internet edge/presence: a target of choice
Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
=> Allocate and configure a /64 but use addresses fitting in a /120 in order to have a simple ingress ACL
Built-in rate limiter but no option to tune it
Since 15.1(3)T: ipv6 nd cache interface-limit
Or IOS-XE 2.6: ipv6 nd resolution data limit
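A model of the neighbor cache limits just described, added here as an example and not the presentation's or any vendor's implementation: a cap on unresolved (INCOMPLETE) entries per interface, a cap on addresses per MAC, and renewal of known neighbors (PROBE) that is never refused. The limits and addresses are constructed values.

```python
# Added example (not from the presentation): neighbor cache with the two caps
# from the slides, driven by a simulated remote scan of a /64.
import ipaddress

INCOMPLETE, REACHABLE, STALE, PROBE = "INCOMPLETE", "REACHABLE", "STALE", "PROBE"


class NeighborCache:
    """Per-interface neighbor cache with an INCOMPLETE cap and a per-MAC cap."""

    def __init__(self, interface_limit: int = 64, per_mac_limit: int = 8):
        self.entries = {}                 # address -> {"state": ..., "mac": ...}
        self.interface_limit = interface_limit
        self.per_mac_limit = per_mac_limit
        self.dropped = 0

    def incomplete_count(self) -> int:
        return sum(1 for e in self.entries.values() if e["state"] == INCOMPLETE)

    def resolve(self, addr: str) -> bool:
        """Forwarding needs the neighbor's link-layer address. A known neighbor is
        renewed (PROBE) and never refused; a new resolution creates an INCOMPLETE
        entry (and an NS) only while the interface is under its cap."""
        addr = str(ipaddress.IPv6Address(addr))
        entry = self.entries.get(addr)
        if entry is not None:
            if entry["state"] == STALE:
                entry["state"] = PROBE
            return True
        if self.incomplete_count() >= self.interface_limit:
            self.dropped += 1             # no NS sent: the scan cannot exhaust the cache
            return False
        self.entries[addr] = {"state": INCOMPLETE, "mac": None}
        return True

    def learn(self, addr: str, mac: str) -> bool:
        """A Neighbor Advertisement arrived. Refuse a MAC that already owns
        per_mac_limit addresses (a local host claiming many addresses)."""
        addr = str(ipaddress.IPv6Address(addr))
        existing = self.entries.get(addr)
        owned = sum(1 for e in self.entries.values() if e["mac"] == mac)
        if (existing is None or existing["mac"] != mac) and owned >= self.per_mac_limit:
            self.dropped += 1
            return False
        self.entries[addr] = {"state": REACHABLE, "mac": mac}
        return True

    def age(self) -> None:
        """Reachable-time expiry: REACHABLE entries become STALE."""
        for e in self.entries.values():
            if e["state"] == REACHABLE:
                e["state"] = STALE


def simulate_scan(cache: NeighborCache, prefix: str, count: int) -> int:
    """A remote scanner walks `count` addresses of the prefix; each unknown
    address would trigger an NS. Returns how many resolutions were admitted."""
    net = ipaddress.IPv6Network(prefix)
    return sum(1 for i in range(1, count + 1) if cache.resolve(str(net.network_address + i)))


if __name__ == "__main__":
    cache = NeighborCache(interface_limit=64)
    cache.learn("2001:db8::1", "00:11:22:33:44:55")
    cache.age()
    print("admitted", simulate_scan(cache, "2001:db8::/64", 200), "dropped", cache.dropped)
```

With a limit of 64, a 200-address scan admits the one known neighbor plus 64 new resolutions and drops the remaining 135; the known neighbor's entry moves to PROBE rather than being evicted, which is the "prioritize renewal" property from the slide.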
RFC allows for multiple and repeating extension headers
RFC 3128 is not applicable to IPv6; an extension header can be fragmented
Packets get increasingly complex to parse
Figure: original packet = IPv6 hdr | Dest Option | Dest Option | TCP | data, and the same packet after fragmentation
...filtering difficult
Potential DoS with poor IPv6 stack implementations
More boundary conditions to exploit
...headers and increasing the number of fragments to a point where the firewall can no longer reassemble
Filter out packets with specific combinations of Extension Headers
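The parsing difficulty described on these slides, as an added example (not the presentation's code): a walker over the IPv6 extension header chain using the Next Header codes from the earlier order table, with policy checks for repeated headers, headers out of the recommended order, a chain that does not finish inside the first fragment, and a header count limit. The sample packets are constructed inline with a zero-filled TCP stub; the limit of three extension headers is an assumed local policy.

```python
# Added example (not from the presentation): walk the extension header chain
# and report the conditions a filter would drop on.
import struct
from collections import Counter
import ipaddress

NAMES = {0: "Hop-by-Hop Options", 43: "Routing Header", 44: "Fragment Header",
         50: "ESP Header", 51: "Authentication Header", 59: "No Next Header",
         60: "Destination Options", 135: "Mobility Header", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
RECOMMENDED_ORDER = [0, 60, 43, 44, 51, 50, 60, 135]     # the order table from the slides
UPPER_LAYER = {6, 17, 58}
MAX_EXT_HEADERS = 3                                        # assumed local policy


def in_recommended_order(ext: list) -> bool:
    """True if the extension header codes form a subsequence of RECOMMENDED_ORDER."""
    idx = 0
    for code in ext:
        while idx < len(RECOMMENDED_ORDER) and RECOMMENDED_ORDER[idx] != code:
            idx += 1
        if idx == len(RECOMMENDED_ORDER):
            return False
        idx += 1
    return True


def walk_headers(pkt: bytes) -> tuple:
    """Return (chain, findings): chain is the list of Next Header codes after the
    fixed header, findings the policy violations seen while walking it."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, pos, chain, findings = pkt[6], 40, [], []
    while True:
        chain.append(nh)
        if nh in UPPER_LAYER or nh == 59:
            break
        if nh == 50:
            findings.append("ESP: rest of the chain is encrypted and cannot be inspected")
            break
        if nh not in NAMES:
            findings.append(f"unknown Next Header {nh}")
            break
        if pos + 8 > len(pkt):
            findings.append(f"{NAMES[nh]} (code {nh}) is not inside this fragment")
            break
        if nh == 44:                                         # Fragment header: fixed 8 octets
            next_nh, _, off_m, _ = struct.unpack("!BBHI", pkt[pos:pos + 8])
            if off_m >> 3:                                   # non-zero fragment offset
                findings.append("non-first fragment: upper-layer header cannot be seen")
                break
            hdr_len = 8
        elif nh == 51:                                       # AH: length in 4-octet units minus 2
            next_nh, hdr_len = pkt[pos], (pkt[pos + 1] + 2) * 4
        else:                                                # Hop-by-Hop, Dest Opts, Routing, Mobility
            next_nh, hdr_len = pkt[pos], (pkt[pos + 1] + 1) * 8
        if pos + hdr_len > len(pkt):
            findings.append(f"{NAMES[nh]} (code {nh}) is split across fragments")
            break
        pos, nh = pos + hdr_len, next_nh
    ext = [c for c in chain if c not in UPPER_LAYER and c != 59]
    for code, count in Counter(ext).items():
        if count > 1:
            findings.append(f"repeated {NAMES[code]} (code {code}) x{count}")
    if len(ext) > MAX_EXT_HEADERS:
        findings.append(f"{len(ext)} extension headers exceeds policy limit {MAX_EXT_HEADERS}")
    if not in_recommended_order(ext):
        findings.append("extension headers out of recommended order")
    return chain, findings


def filter_decision(pkt: bytes) -> str:
    """Drop anything the walker could not fully classify or that violates policy."""
    return "drop" if walk_headers(pkt)[1] else "accept"


# --- constructed sample packets -------------------------------------------
def ipv6(next_header: int, payload: bytes) -> bytes:
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def opts_header(next_header: int) -> bytes:
    """Minimal 8-octet options header (Hop-by-Hop or Destination): one PadN option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header: int, offset: int, more: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, 0x1234)


TCP_STUB = bytes(20)
PKT_PLAIN = ipv6(6, TCP_STUB)
PKT_TWO_DEST_OPTS = ipv6(60, opts_header(60) + opts_header(6) + TCP_STUB)      # the slide's figure
PKT_HBH_AFTER_DEST = ipv6(60, opts_header(0) + opts_header(6) + TCP_STUB)
PKT_CHAIN_FRAGMENTED = ipv6(44, fragment_header(60, 0, 1) + bytes([60, 2]))      # Dest Opts continues in fragment 2

if __name__ == "__main__":
    for name, pkt in [("plain", PKT_PLAIN), ("two dest opts", PKT_TWO_DEST_OPTS),
                      ("hbh after dest", PKT_HBH_AFTER_DEST), ("chain fragmented", PKT_CHAIN_FRAGMENTED)]:
        print(name, walk_headers(pkt), filter_decision(pkt))
```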
...built in
=> an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses
IPv6 ACLs are ineffective since IPv4 & IPv6 are spoofed; the tunnel termination forwards the inner IPv6 packet
Figure: IPv6 Network (Server A) - Tunnel Termination - IPv6 in IPv4 Tunnel across the Public IPv4 Internet - Tunnel Termination - IPv6 Network (Server B)
...enterprise
This has implications on network segmentation and network discovery
Figure: 6to4 router inside the enterprise with a tunnel through the ACL to a 6to4 relay on the IPv6 Internet
Teredo navalis
A shipworm drilling holes in boat hulls Teredo Microsoftis
Teredo threats: IPv6 over UDP (port 3544)
Internal users want to get P2P over IPv6
Configure the Teredo tunnel (already enabled by default!)
FW just sees IPv4 UDP traffic (may be on port 53)
No more outbound control by FW
Figure: IPv4 Intranet - IPv4 Firewall - IPv4 Internet - Teredo Relay - IPv6 Internet
Residential Broadband Service Case: CPE based, Scenario 1 thru 5 and future
Figure: per-scenario CPE stacks (IPv4-only, 6RD CE with IPv4-only, Dual-Stack) combining IPv4 Address Sharing (CGN) and IPv6 Internet Access (6rd BR, CGN + 6rd) towards the IPv4 Internet and the IPv6 Internet
Logging today: Public IPv4, Private IPv4 ... sufficient
With the advent of IPv6 and IPv4 address exhaustion you will need more.
The following should be gathered:
IPv4 address (source and destination)
IPv6 address if in use
TCP/UDP ports (source and destination)
Time
Figure: Customer Router connecting a Subscriber Network with an IPv4+IPv6 host to the IPv4 Internet and the IPv6 Internet
Servers currently keep only the remote IPv4 address in their log
Law Enforcement Agencies (LEA) can request any ISP to get the
With SP NAT, there will be 10,000 subscribers using this IPv4 address
...port
At 10:23:02 who was using the shared port 23944?
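The question on the slide, answered from CGN session logs: an added Python example, not from the presentation. The log format, subscriber IDs and addresses are constructed. It also shows why the protocol has to be recorded alongside address, port and time, since the same public port can be held for TCP and for UDP by different subscribers at the same moment.

```python
# Added example (not from the presentation): index CGN session logs and answer
# "who held shared port P on public address A at time T for protocol X?".
from datetime import datetime
import re

# Constructed CGN session log (not real data). Port 23944 on 203.0.113.5 is
# reused over time for TCP and held concurrently by another subscriber for UDP.
CGN_LOG = """\
2012-06-06T10:22:40Z CREATE sub=S1001 inside=10.5.7.21:49152 outside=203.0.113.5:23944 proto=tcp
2012-06-06T10:22:55Z DELETE sub=S1001 inside=10.5.7.21:49152 outside=203.0.113.5:23944 proto=tcp
2012-06-06T10:22:59Z CREATE sub=S2042 inside=10.9.3.8:51000 outside=203.0.113.5:23944 proto=tcp
2012-06-06T10:23:00Z CREATE sub=S3077 inside=10.2.2.2:40000 outside=203.0.113.5:23944 proto=udp
2012-06-06T10:23:30Z DELETE sub=S2042 inside=10.9.3.8:51000 outside=203.0.113.5:23944 proto=tcp
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<event>CREATE|DELETE) sub=(?P<sub>\S+) "
    r"inside=(?P<inside>\S+) outside=(?P<out_ip>[\d.]+):(?P<out_port>\d+) proto=(?P<proto>\w+)")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def build_sessions(log_text: str) -> dict:
    """Index sessions by (outside IP, outside port, protocol) as a list of
    [start, end, subscriber, inside]; end stays None while the mapping is open."""
    sessions = {}
    open_by_key = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # unrelated log lines are ignored
        key = (m["out_ip"], int(m["out_port"]), m["proto"])
        ts = parse_ts(m["ts"])
        if m["event"] == "CREATE":
            entry = [ts, None, m["sub"], m["inside"]]
            sessions.setdefault(key, []).append(entry)
            open_by_key[(key, m["sub"], m["inside"])] = entry
        else:
            entry = open_by_key.pop((key, m["sub"], m["inside"]), None)
            if entry is not None:
                entry[1] = ts
    return sessions


def who_used(sessions: dict, when: str, out_ip: str, out_port: int, proto: str):
    """Return (subscriber, inside address:port) holding the mapping at `when`, or None.
    The interval is half-open: a DELETE at exactly `when` means the port was free."""
    ts = parse_ts(when)
    for start, end, sub, inside in sessions.get((out_ip, out_port, proto), []):
        if start <= ts and (end is None or ts < end):
            return sub, inside
    return None


SESSIONS = build_sessions(CGN_LOG)

if __name__ == "__main__":
    print(who_used(SESSIONS, "2012-06-06T10:23:02Z", "203.0.113.5", 23944, "tcp"))
    print(who_used(SESSIONS, "2012-06-06T10:23:02Z", "203.0.113.5", 23944, "udp"))
```

The server-side log line that triggers the request carries only the public address, port and timestamp; the lookup works only if the CGN log, the server clock and the CGN clock agree, which is why the slides list time among the fields to gather.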
Operator has an expanding customer base, but does not have enough IPv4 addresses to service new customers. Business need is to be able to assign new users an IP address and give those new subscribers access to IPv4 Internet content as well as IPv6 Internet content.
Possible Scenarios:
1.1 IPv6 address to subscriber with Carrier Grade NAT
1.2 Carrier Grade NAT with private v4 address
1.3 Dual stack private v4 and public v6 at customer
1.4 Dual stack public v4 and public v6 at customer
Thank you.