ipv6-+781)/7=38(9...ipv6 9 ipv6 google 2018 3 5
TRANSCRIPT
IPv6-+781)/7=38(9
������*<.=403�� IPv62)5:*6<3���
NTT 403;=,�������
�
��'��!&##"%�"$�!���� ������
IPv6������ ���������
Copyright©2017 NTT corp. All Rights Reserved. 1
IPv6�� �
�
• �����IPv4��������������IPv6������������
IPv4� "�����
http://www.potaroo.net/tools/ipv4/��#�����%2018.3.5&
��'���������!#�
IPv63�� �
��
• �!"2FIPv437>C:��$+���FIPv6��2�%+**./)5G
• 2017�4F��"2IPv6"2�,1A8B:=ED01.-�
• IPv6����+(8D;E?<=��(015G• ������#+FIPv69E@:6��"2' • ���ISP3IPv6��+&�
Internet Draft
Proposed Standard
Internet Standard
Informational
Best Current Practice
Experimental
Historic
IPv6���������������
RFC��
Standard Track
IETF�� �������
Internet Standard RFC��RFC(8,169)�112��
IPv6���� ����������
• IPv6 ������ ���
• STD0086: Internet Protocol, Version 6 (IPv6) Specification (RFC 8200)
• STD0087: Path MTU Discovery for IP version 6 (RFC 8201)
• STD0088: DNS Extensions to Support IP Version 6 (RFC 3596)
• STD0089: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification (RFC 4443)
��#()!�IPv6��
�����36�IPv6�� "*$+'%&��������� ���������
�����ISP�IPv6�������� ��
http://v6pc.jp/jp/spread/ipv6spread_03.phtml��������2018.3.5�
IPv6����� �
������������
IPv6���https://stats.labs.apnic.net/ipv6/
Google ����������https://www.google.com/intl/ja/ipv6/statistics.html
2018�3�5��
����
• ������-IPv6���• �&*#%�)-PC• $!#(*���+'* �,
• "�%�'#�IPv6������ �����������
IPv6����������
IPv6518:6/��'��
• ��(IPv6���)• ��(A9@3?�����+%��!&IPv6$���#�,
• :>2=@0;.7<4(���&��
• IPv6�����-,*�&%"#
Windows XP'�
����#��������!*����#����&%()'$����
�� &%()'$��������"*������ ���
IPv6���������������
�����������CVE ������2017.11 13��
[Chart: bars for IPv6 and IPv4 for each year from 2001 to 2017; vertical axis 0 to 70; legend: LOW, MEDIUM, HIGH]
IPv6������ -���-
IPv6��� %#)*&!
• IPv6���� ����� -• � ��("+'�,�������,IPv4���• ��,�%#)*&!(*$��,IPv4�IPv6�������
���')����$%��
#�� ��)& �)"�����$%������
LAN��
�) (�)"���
� &)�
��)��!���#�&�
IPv6� IPv4
• � �%��"$A�2.784)�!���#��AIPv6�IPv4!��• ICMPv6� ICMP �6'*(+,>9!���• ND ?Neighbor Discovery@ � ARP �LAN���• (5:1��A�� �IPv6(5:1���
• 8</;>-9(5:1!��• � �%(5:1!��
• 9>3=9>4)<0 �&%2.784)�9>3���
��������
IPv61#%5C7:8;<HG2��
• IPv4/���0�"�3�'*$KICMPv62���1��• IPv6.3K��1��0�6�)(B>MTU��IPMTUD:
Path MTU DiscoveryJ 1 ICMPv66��&-!5L• IPv4.2ICMP2C9G?EF=14+-3K���
• IPv62�2�,. 5K���DA@�2 !
IP�+"&(��5,0!.3'4$/36
• IP��7��� ��7�����+"&(���5MTU: Maximum Transmission Unit6�� ������• IPv4��7 ����+"&(�����
MTU 1500 MTU 1500MTU 1492 (1454)
-24)*3)14%
PPPoE
�� WWW#4*
IPv4����+"&(��
IPv6���"+%MTU�
• IPv6�������������.���-&,%*,)���.• +$'(�-�� � ��MTU����.+%MTU�������#�!".
IPv6� ��MTU��
• ��MTU����ICMPv6���
MTU 1500MTU 1454
PPPoE
WWW���1500
MTU 1500
ICMP ������ (MTU=1454)
MTU 1280 MTU 1500
�� ����������
1454
ICMP ������ (MTU=1280) 1280
<6MTU�
• <6MTU���(���%�$J���<6MTU>C71?IE��� • BI4'J���#�!*J�%�"!*$����&%+• 568@�&)J
• ��%�AIE��+K3I;'Jping&�� +K• 3I;&'Jssh�#'G20H#�+• =.0E�!��-�+9/F1:D# ls +$�(+�$�"!J���,�*&����$%+K
ICMPv63&/0��
2B)<A 0=4!/%%=* 4@B=7>
8"@B1� �6/-��C58D 9/5��
� 1?*
� 1?*
1 8 16 24 31
,"5 'B1 .#/%(:
;/+B)�
IPv66/-
ICMPv66/-
,"5�8bit• 0�127�$=B��• 128�255�����'B1�8bit�EType���������
#�����&%���ICMPv6#�% �
• ICMP Error Message (type 0-127)
  • Destination Unreachable (type 1)
  • Packet Too Big (type 2)
  • Time Exceeded (type 3)
  • Parameter Problem (type 4)
• ICMP Informational Message (type 128-255)
  • Echo Request (type 128)
  • Echo Reply (type 129)
  • Router Solicitation (type 133)
  • Router Advertisement (type 134)
  • Neighbor Solicitation (type 135)
  • Neighbor Advertisement (type 136)
  • Redirect Message (type 137)
"�MTU����������)Type 2�ICMPv6$!�&������ ����
L;><?ATR�-1ICMPv6L=RF��
• ,9�06W��1ICMPv62��)+84&• Destination Unreachable(Type 1)
• TCP�%F>O<?I*85-��-&/#(.%:$7/#
• IPv431LATRKHC%�'/8
• Time ExceededUtype 3V• TCP�%F>O<?I*85-��-&/#(.%:$7/#
• Traceroute6 %����
• Parameter ProblemUtype 4V• ����%�0/8U@QT1��%:$7/#V• JCEINHGF>M� U�!� �V.��"�BMDPS� U�!� �V �
ICMPv6�ICMP
Type  ICMP                      Type  ICMPv6
0     Echo Reply                129   Echo Reply
3     Destination Unreachable   1     Destination Unreachable
4     Source Quench             -     -
5     Redirect                  137   Redirect
8     Echo Request              128   Echo Request
9     Router Advertisement      134   Router Advertisement
10    Router Solicitation       133   Router Solicitation
11    Time Exceeded             3     Time Exceeded
12    Parameter Problem         4     Parameter Problem
13    Timestamp                 -     -
-     -                         2     Packet Too Big
��� ICMP�ICMPv6���
*$MTU����3#0)���
• #0)�*$MTU�� �• #0) ������1���-0%�+!-%������������2
MTU 1454
PPPoE
WWW#0)1500
MTU 1500
ICMP *"&'�� (MTU=1454)
MTU 1500
,.0()/(-0%
1454
1#%$&(96��<��3,+���
• IPv6�:27-)6������"�������:���3,+��� �!�� ;
• 40%6IP�:IPsec���3,+"��
Hop-by-Hop Options header
Destination Options header (*1)
Routing header
Fragment header
Authentication header
Encapsulating Security Payload header
Destination Options header (*2)
Upper-layer header
IPv6�3,+
IPv6��3,+
Payload
*1 Routing header �5*-�!�/9.���*2 '8./9.����
��������%$
2%(&)*86��2'6-���
• IPv6��;���#����;2'6-��$���#����#<
• �=• IPsec$���#�"� ;AH, ESP���• 25+4701,/0$���"�;��3/. ��!�9DNS ���:
��'"!���%�"#������
• �'"!������%�"#�+�) *$"#��&�( ��������,
               Destination Option   Hop-by-hop option   Fragment
Web servers    10.91%               39.03%              28.26%
Mail servers   11.54%               45.45%              35.68%
Name servers   21.33%               54.12%              55.23%
RFC7872 ��
Alexa's Top 1M Sites Dataset: Packet Drop Rate for Different Destination Types That Were Dropped in a Different AS
�� �5:� NHG:�=�(
• �� �5S� NHG@7)�)<-+:��,"A5(>T&Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers&
• https://tools.ietf.org/html/draft-ietf-opsec-ipv6-eh-filtering
• � NHG/69S�0?>�(�SMBQF13�:�%�@��• �U IPsec EH (Protocol Number = 50)
• Specific Security Implications• ��9�2>DoS:��614��0?>���'=
• Operational and Interoperability Impact if Blocked• IPsec :��,��8.8>
• Advice• �#DEIO5*'SEHLCHJ;!2<-
KPMJ�$R
LAN��
LAN��
• IPv6�IPv4"�� ��"��#.IPv6"��� (ND: Neighbor Discovery)• ND!��'*),-+(��#��• Insider!%'�����.�������'���&$��
����� �����������
������
@P[I��
• @P[H^Ga36:)5@P[I��?.<*b7cJEWYNA��5#.<,4UB^O• Y^F\`DZ@P[I5:<!�• TXBRH5#.< &
• B^KSC`IIDaIIDb5��.<�• QMO]`FIEV^��• @P[I�"+ (/8cIEV^7�%02�>=<+c����9����5:;c$���
• IPv66@P[H^G@`ENFLV?��-c�_��5'1/@P[I��9c@P[I����?��
�������������� ���
�����
��$?B4+B/7B05>
• DoS�#%')%!�F��=@BA�*�( "���G
������������������ �
�������������������� �
,A4B<.B2X ,A4B<.B2Y
����F���D���$;168*��G �$CPU,3<8-.+#&(�E
;168��#��DASIC#&(��:B9-.+E
�=@BA*�(C
�?CFE/�4�
• �?CFE.0I��-�=8;<6�&-#• ACL�+I>7B:'5
• �?CFE/CPU/��6 �'5)1I�=8;</CF<A@;<�6��• ��-OSPFL6=8;<.34��-����6&(5,#*) �$"5J����/��6�'5%,2��J
• �,-5�=8;</�!1. �?D<9BK���?D<9BGOSPFv3, BGP�H, NDP, ICMP.2. ��?D<9BK SSH, SNMP, IPfix,�3. ��=8;<
�X_TO]�"
�+f#-�VNSTbOSPFv3, BGP!c, NDP, ICMP�X^a`,&.�?8Bd�]aQJ`QWKaP?�WI]Q>��G)�7F5;G��
• \`M_aL]HU^P� 3E?dOSPFg6VNST b�YSR��89cdRIPngVNSTbUDPZaT 521c G';7
• BGP?�$�� 3E?BGPVNSTbTCPZaT179cG';7• 7A9?ICMPVNSTG*�b/07FC?d]aQ?J`QWKaP�?
C?c
�f• IPsec G��68 OSPFg3G';75;@��%bACL:@dIPsec? AHD
ESP��YSRG(1:4=2ce• ��=2VNSTCd^aT\[ST7A4e<? �>7F3@d�X
^a`?CPU?�%>��
"�LSHAQ�!
�(Z SSH, SNMP, syslog, NTP �QUE=TEK>UC4��K<QE3��:&�.9,0:��
• �-/)9LSHAQ�4XQUE�4J@FH:%0.V�ZSSH:�-/)9� 35XTCP4MUH22:'�X�:%0.W
• D?OPG<MPB3 $-2)��;IRC4J@FH:%0.V�ZNOC4;IRC��*84SSH:%0.X W
�Z��2)[email protected]+Y14��3.9*5X�LRUT4CPU4�#3��
��_SZ\��
�,p��aikjEI�"N�+F?M-/aikjl[kWaikjmI_SZ\�p
• _SZ\6 7?8D-/��@nICMP_SZ\0 eZVkTN#�?M• Hop-by-hop��bZXI�"• hkWI�*H��?M!�I�" l��bZXYQkj61?8D^k]PQOE�"E7G4%m
• <IL5G_SZ\H�>DJnik\gdZ\��I�JG4o
�p• ik\gdZ\N?MFn_UMTU�'H�+G�"6)Cn_UMTU`fZRckhN$#=AM(�63Mo
• ik\gdZ\Jn��B;EG9n��lICMP�&%mK�+l��". n_SZ\����N2:mo
�����(&12+%
������(&12+%�#���"�!� 6�� �6��#��"���"
1. ��(Neighbor)/.$#���"2. .$��35+%4'$*0,5-#�"3. ���/%3)#���"
,0/HE>*)
• #+��>.(<("M,0GIFJHEK;>/�� • ,0GIFJHEK>*)• MD5A HMACD��7L#+��D��8C�=��D*)• OSPFv3M IPsecD��%95LIPsec>�'?OSPFv3�=?�1:?<2
• IPsec5�4<2OSPFv3�'>��=?�-��5�(• ��#$=BC�'>�=��JAH>�2!K• ESPD�36;:L#+� &�@���%
-!��03("1%!'/)3*���
• OSPFv3��4IPsec ����� 5• IPv6��4IPsec �����6• ���4 �����4,3+#$!2&.*#$!����������������5
�$8K?OG
• �$K?OGMND9W��:#���U�&+<8�$=K?OG/1(8+W�&8�$68+V7;23%),W ��7IPv45�*�9��X�Y• �&�$:WCQTJO7�$���!6IPv6>IPF��=@HE4"50X
• ��6�$WIANA�48���$9-<6(S�.6(• JPIRR, RADB�=��/W�/(�$ANERWLPK?HBF�� ��8�$="50W�
• IPv648��K?OGY
• 'IPv6 Router Setting Reference'
• http://www.team-cymru.org/templates/all-templates.html#ipv6-router-reference
����� �����������(IETF�����)
"�!)*���%���&' �����
���3��"�!)*�����IPv6��&' ������ �
1. ��"�!)*�2. �*$�%(#��"�!)*�3. ��"�!)*�
��c_aqsTB69I[Slm`N+�
• �0@C�*#B69I[Slm`N• fLOMPRsnB69IfNn\imXDvIPv4CimX7H���,• ��v�B"�<E8#w
• 0? &;>4IIPv6MboZK�0B�:A4• �!A IPv6MboZv�):J>4A4IPv6MboZ7HCdU_aK0B�JA4
• ICMPv6k_[sYK/�B%tPMTUDv ND(u• ��h_]K/�B% tESP, AHK.<v(u
• "w 2 h_]'�3?CfNn\C1v��gpaVnKfNn\;A4G5"�tTCP,UDP(u
• �!AIPv6h_]^QsrKF=dU_aKfNn\t��u• �-C$4WseZKfNn\
• Anti-spoofing ��vosamj_av��gosr����K��
��RNP[]H8*,>LGWYOC�
• �$8*,>LGWYOC• IPv450VYJ@#���• ��`IPv459��b
• �&��^ND: Neighbor Discovery)9�(• IPv6 in IPv4 P\RZ9�(• UKP9TADBEF]Z^S]MQZTADBEF]Z_9��
• IPv45IPv6@�8�23*=VYJ+")`IPv6IV]P7/`76
• �b• UKP4:`���9PX\KV]P8IPv4@�23(>-5+�(^RADIUS, TACACS+, SYSLOG76_aIPv68%!1>�;-?<��4 �.?>-5+'>a
�8+!-5*�$)%'68�����"�02&��
• BGP• BGP����"�02&��/�7'�;IPv4���<
• TCP"% 17��• TTL"�02&�9IPv6��.%-��:• -4,�%�!,�3#
• RTBH (Remote Triggered Black Hole Filtering)�IPv6��(4!������ �<
• 100::/64 (RFC6666)
947DF1%��*30>@5,��
• ���%I947DF1'�����• IPv6' %��&6:-2GPC,2=F7;.EI+<?-+E2�H#��%$!"�*
• IPv6����$�"(ITeredo�&IPv47E9A#�� *����)
• �'I@E1CF/A+8B2#����
"&� $#�����&$���)�� ��'�� �%!$������(�������������*
�QMOY[H6),?KGVWNB�!
• IPv6CZL[QMO97���*%>_ ��I[ODEC\RG: Residential Gateway]*%?�• RG2KGVWNB7��*��
• ��_=+��.@1&?UWJa• ��,"�7: �a IPv47 NAT3��`IPv67��2%? end-to-end"�*��5&
• In/Out SXF[TZ_$�8�R[P2_3&'�(�;%?`• Swisscom5428_SXF[TZ^αA��/1&?37-3
• �_In/OutF[TZ_TCP/UDP 7 well-knownU[O<_��.@?U[OA#0?
������������������������ �����
�,)$
• �������(%AIPv6%2/:<5-$�� ��• ��%.?3@746&A
• IPv6/IPv4����!#*• QUIC#"%�#6;?19@68>60=����+*• IoT#"A�#��� ���*
�'ATPO$�,��2/:<5-����!#*B