ipv6-+781)/7=38(9 · • ipv6 • std0086: internet protocol, version 6 (ipv6) specification (rfc...

Post on 07-Jul-2020

TRANSCRIPT

IPv6-+781)/7=38(9

������*<.=403�� IPv62)5:*6<3���

NTT 403;=,�������

��'��!&##"%�"$�!���� ������

IPv6������ ���������

Copyright©2017 NTT corp. All Rights Reserved. 1

IPv6�� �

• �����IPv4��������������IPv6������������

IPv4� "�����

�����������$

�����������$

��'�

�����������$

�����������$

http://www.potaroo.net/tools/ipv4/��#�����%2018.3.5&

��'���������!#�

IPv63�� �

��

• �!"2FIPv437>C:��$+���FIPv6��2�%+**./)5G

• 2017�4F��"2IPv6"2�,1A8B:=ED01.-�

• IPv6����+(8D;E?<=��(015G• ������#+FIPv69E@:6��"2' • ���ISP3IPv6��+&�

Internet Draft

Proposed Standard

Internet Standard

Informational

Best Current Practice

Experimental

Historic

IPv6���������������

RFC��

Standard Track

IETF�� �������

Internet Standard RFC��RFC(8,169)�112��

IPv6���� ����������

• IPv6 ������ ���

• STD0086: Internet Protocol, Version 6 (IPv6) Specification (RFC 8200)

• STD0087: Path MTU Discovery for IP version 6 (RFC 8201)

• STD0088: DNS Extensions to Support IP Version 6 (RFC 3596)

• STD0089: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification (RFC 4443)

��#()!�IPv6��

�����36�IPv6�� "*$+'%&��������� ���������

�����ISP�IPv6�������� ��

1K

http://v6pc.jp/jp/spread/ipv6spread_03.phtml��������2018.3.5�

IPv6����� �

������������

IPv6���https://stats.labs.apnic.net/ipv6/

Google ����������https://www.google.com/intl/ja/ipv6/statistics.html

2018�3�5��

����

• ������-IPv6���• �&*#%�)-PC• $!#(*���+'* �,

• "�%�'#�IPv6������ �����������

IPv6����������

IPv6518:6/��'��

• ��(IPv6���)• ��(A9@3?�����+%��!&IPv6$���#�,

• :>2=@0;.7<4(���&��

• IPv6�����-,*�&%"#

Windows XP'�

����#��������!*����#����&%()'$����

�� &%()'$��������"*������ ���

IPv6���������������

�����������CVE ������2017.11 13��

[Figure: bar chart, IPv6 vs. IPv4 for each year 2001-2017, broken down by severity LOW / MEDIUM / HIGH; vertical axis 0-70]

IPv6������ -���-

IPv6��� %#)*&!

• IPv6���� ����� -• � ��("+'�,�������,IPv4���• ��,�%#)*&!(*$��,IPv4�IPv6�������

���')����$%��

#�� ��)& �)"�����$%������

LAN��

�) (�)"���

� &)�

��)��!���#�&�

IPv6� IPv4

• � �%��"$A�2.784)�!���#��AIPv6�IPv4!��• ICMPv6� ICMP �6'*(+,>9!���• ND ?Neighbor Discovery@ � ARP �LAN���• (5:1��A�� �IPv6(5:1���

• 8</;>-9(5:1!��• � �%(5:1!��

• 9>3=9>4)<0 �&%2.784)�9>3���

��������

IPv61#%5C7:8;<HG2��

• IPv4/���0�"�3�'*$KICMPv62���1��• IPv6.3K��1��0�6�)(B>MTU��IPMTUD:

Path MTU DiscoveryJ 1 ICMPv66��&-!5L• IPv4.2ICMP2C9G?EF=14+-3K���

• IPv62�2�,. 5K���DA@�2 !

IP�+"&(��5,0!.3'4$/36

• IP��7��� ��7�����+"&(���5MTU: Maximum Transmission Unit6�� ������• IPv4��7 ����+"&(�����

MTU 1500 MTU 1500MTU 1492 (1454)

-24)*3)14%

PPPoE

�� WWW#4*

IPv4����+"&(��

IPv6���"+%MTU�

• IPv6�������������.���-&,%*,)���.• +$'(�-�� � ��MTU����.+%MTU�������#�!".

IPv6� ��MTU��

• ��MTU����ICMPv6���

MTU 1500MTU 1454

PPPoE

WWW���1500

MTU 1500

ICMP ������ (MTU=1454)

MTU 1280 MTU 1500

�� ����������

1454

ICMP ������ (MTU=1280) 1280

<6MTU�

• <6MTU���(���%�$J���<6MTU>C71?IE��� • BI4'J���#�!*J�%�"!*$����&%+• 568@�&)J

• ��%�AIE��+K3I;'Jping&�� +K• 3I;&'Jssh�#'G20H#�+• =.0E�!��-�+9/F1:D# ls +$�(+�$�"!J���,�*&����$%+K

ICMPv63&/0��

2B)<A 0=4!/%%=* 4@B=7>

8"@B1� �6/-��C58D 9/5��

� 1?*

� 1?*

1 8 16 24 31

,"5 'B1 .#/%(:

;/+B)�

IPv66/-

ICMPv66/-

,"5�8bit• 0�127�$=B��• 128�255�����'B1�8bit�EType���������

#�����&%���ICMPv6#�% �

• ICMP Error Message (type 0-127)
  • Destination Unreachable (type 1)
  • Packet Too Big (type 2)
  • Time Exceeded (type 3)
  • Parameter Problem (type 4)

• ICMP Informational Message (type 128-255)
  • Echo Request (type 128)
  • Echo Reply (type 129)
  • Router Solicitation (type 133)
  • Router Advertisement (type 134)
  • Neighbor Solicitation (type 135)
  • Neighbor Advertisement (type 136)
  • Redirect Message (type 137)

"�MTU����������)Type 2�ICMPv6$!�&������ ����

L;><?ATR�-1ICMPv6L=RF��

• ,9�06W��1ICMPv62��)+84&• Destination Unreachable(Type 1)

• TCP�%F>O<?I*85-��-&/#(.%:$7/#

• IPv431LATRKHC%�'/8

• Time ExceededUtype 3V• TCP�%F>O<?I*85-��-&/#(.%:$7/#

• Traceroute6 %����

• Parameter ProblemUtype 4V• ����%�0/8U@QT1��%:$7/#V• JCEINHGF>M� U�!� �V.��"�BMDPS� U�!� �V �

ICMPv6�ICMP

�� ICMP �� ICMP6

0   Echo Reply                 129  Echo Reply
3   Destination Unreachable    1    Destination Unreachable
4   Source Quench              -    -
5   Redirect                   137  Redirect
8   Echo Request               128  Echo Request
9   Router Advertisement       134  Router Advertisement
10  Router Solicitation        133  Router Solicitation
11  Time Exceed                3    Time Exceed
12  Parameter Problem          4    Parameter Problem
13  Timestamp                  -    -
-   -                          2    Packet too Big

��� ICMP�ICMPv6���

*$MTU����3#0)���

• #0)�*$MTU�� �• #0) ������1���-0%�+!-%������������2

MTU 1454

PPPoE

WWW#0)1500

MTU 1500

ICMP *"&'�� (MTU=1454)

MTU 1500

,.0()/(-0%

1454

1#%$&(96��<��3,+���

• IPv6�:27-)6������"�������:���3,+��� �!�� ;

• 40%6IP�:IPsec���3,+"��

Hop-by-Hop Options header
Destination Options header (*1)
Routing header
Fragment header
Authentication header
Encapsulating Security Payload header
Destination Options header (*2)
Upper-layer header

IPv6�3,+

IPv6��3,+

Payload

*1 Routing header �5*-�!�/9.���*2 '8./9.����

��������%$

��"�%� $�%�� ����

�����

� ����

�����

#%��$����

��"�%� $�%�

� ����

�!��$����

#%��$����

��"�%� $�%�

��!��$�������

��������#%��$�

���������!��$�

����������

����������

��������#%��$�

����������

2%(&)*86��2'6-���

• IPv6��;���#����;2'6-��$���#����#<

• �=• IPsec$���#�"� ;AH, ESP���• 25+4701,/0$���"�;��3/. ��!�9DNS ���:

��'"!���%�"#������

• �'"!������%�"#�+�) *$"#��&�( ��������,

               Destination Option   Hop-by-hop option   Fragment
Web servers    10.91%               39.03%              28.26%
Mail servers   11.54%               45.45%              35.68%
Name servers   21.33%               54.12%              55.23%

RFC7872 ��

Alexa's Top 1M Sites Dataset: Packet Drop Rate for Different Destination Types That Were Dropped in a Different AS

�� �5:� NHG:�=�(

• �� �5S� NHG@7)�)<-+:��,"A5(>T&Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers&

• https://tools.ietf.org/html/draft-ietf-opsec-ipv6-eh-filtering

• � NHG/69S�0?>�(�SMBQF13�:�%�@��• �U IPsec EH (Protocol Number = 50)

• Specific Security Implications• ��9�2>DoS:��614��0?>���'=

• Operational and Interoperability Impact if Blocked• IPsec :��,��8.8>

• Advice• �#DEIO5*'SEHLCHJ;!2<-

KPMJ�$R

LAN��

LAN��

• IPv6�IPv4"�� ��"��#.IPv6"��� (ND: Neighbor Discovery)• ND!��'*),-+(��#��• Insider!%'�����.�������'���&$��

����� �����������

������

@P[I��

• @P[H^Ga36:)5@P[I��?.<*b7cJEWYNA��5#.<,4UB^O• Y^F\`DZ@P[I5:<!�• TXBRH5#.< &

• B^KSC`IIDaIIDb5��.<�• QMO]`FIEV^��• @P[I�"+ (/8cIEV^7�%02�>=<+c����9����5:;c$���

• IPv66@P[H^G@`ENFLV?��-c�_��5'1/@P[I��9c@P[I����?��

�������������� ���

�����

��$?B4+B/7B05>

• DoS�#%')%!�F��=@BA�*�( "���G

������������������ �

�������������������� �

,A4B<.B2X ,A4B<.B2Y

����F���D���$;168*��G �$CPU,3<8-.+#&(�E

;168��#��DASIC#&(��:B9-.+E

�=@BA*�(C

�?CFE/�4�

• �?CFE.0I��-�=8;<6�&-#• ACL�+I>7B:'5

• �?CFE/CPU/��6 �'5)1I�=8;</CF<A@;<�6��• ��-OSPFL6=8;<.34��-����6&(5,#*) �$"5J����/��6�'5%,2��J

• �,-5�=8;</�!1. �?D<9BK���?D<9BGOSPFv3, BGP�H, NDP, ICMP.2. ��?D<9BK SSH, SNMP, IPfix,�3. ��=8;<

�X_TO]�"

�+f#-�VNSTbOSPFv3, BGP!c, NDP, ICMP�X^a`,&.�?8Bd�]aQJ`QWKaP?�WI]Q>��G)�7F5;G��

• \`M_aL]HU^P� 3E?dOSPFg6VNST b�YSR��89cdRIPngVNSTbUDPZaT 521c G';7

• BGP?�$�� 3E?BGPVNSTbTCPZaT179cG';7• 7A9?ICMPVNSTG*�b/07FC?d]aQ?J`QWKaP�?

C?c

�f• IPsec G��68 OSPFg3G';75;@��%bACL:@dIPsec? AHD

ESP��YSRG(1:4=2ce• ��=2VNSTCd^aT\[ST7A4e<? �>7F3@d�X

^a`?CPU?�%>��

"�LSHAQ�!

�(Z SSH, SNMP, syslog, NTP �QUE=TEK>UC4��K<QE3��:&�.9,0:��

• �-/)9LSHAQ�4XQUE�4J@FH:%0.V�ZSSH:�-/)9� 35XTCP4MUH22:'�X�:%0.W

• D?OPG<MPB3 $-2)��;IRC4J@FH:%0.V�ZNOC4;IRC��*84SSH:%0.X W

�Z��2)J@FH7XRUHPNFH.6+Y14��3.9*5X�LRUT4CPU4�#3��

��_SZ\��

�,p��aikjEI�"N�+F?M-/aikjl[kWaikjmI_SZ\�p

• _SZ\6 7?8D-/��@nICMP_SZ\0 eZVkTN#�?M• Hop-by-hop��bZXI�"• hkWI�*H��?M!�I�" l��bZXYQkj61?8D^k]PQOE�"E7G4%m

• <IL5G_SZ\H�>DJnik\gdZ\��I�JG4o

�p• ik\gdZ\N?MFn_UMTU�'H�+G�"6)Cn_UMTU`fZRckhN$#=AM(�63Mo

• ik\gdZ\Jn��B;EG9n��lICMP�&%mK�+l��". n_SZ\����N2:mo

�����(&12+%

������(&12+%�#���"�!� 6�� �6��#��"���"

1. ��(Neighbor)/.$#���"2. .$��35+%4'$*0,5-#�"3. ���/%3)#���"

,0/HE>*)

• #+��>.(<("M,0GIFJHEK;>/�� • ,0GIFJHEK>*)• MD5A HMACD��7L#+��D��8C�=��D*)• OSPFv3M IPsecD��%95LIPsec>�'?OSPFv3�=?�1:?<2

• IPsec5�4<2OSPFv3�'>��=?�-��5�(• ��#$=BC�'>�=��JAH>�2!K• ESPD�36;:L#+� &�@���%

-!��03("1%!'/)3*���

• OSPFv3��4IPsec ����� 5• IPv6��4IPsec �����6• ���4 �����4,3+#$!2&.*#$!����������������5

�$8K?OG

• �$K?OGMND9W��:#���U�&+<8�$=K?OG/1(8+W�&8�$68+V7;23%),W ��7IPv45�*�9��X�Y• �&�$:WCQTJO7�$���!6IPv6>IPF��=@HE4"50X

• ��6�$WIANA�48���$9-<6(S�.6(• JPIRR, RADB�=��/W�/(�$ANERWLPK?HBF�� ��8�$="50W�

• IPv648��K?OGY
• 'IPv6 Router Setting Reference'
• http://www.team-cymru.org/templates/all-templates.html#ipv6-router-reference

����� �����������(IETF�����)

"�!)*���%���&' �����

���3��"�!)*�����IPv6��&' ������ �

1. ��"�!)*�2. �*$�%(#��"�!)*�3. ��"�!)*�

��c_aqsTB69I[Slm`N+�

• �0@C�*#B69I[Slm`N• fLOMPRsnB69IfNn\imXDvIPv4CimX7H���,• ��v�B"�<E8#w

• 0? &;>4IIPv6MboZK�0B�:A4• �!A IPv6MboZv�):J>4A4IPv6MboZ7HCdU_aK0B�JA4

• ICMPv6k_[sYK/�B%tPMTUDv ND(u• ��h_]K/�B% tESP, AHK.<v(u

• "w 2 h_]'�3?CfNn\C1v��gpaVnKfNn\;A4G5"�tTCP,UDP(u

• �!AIPv6h_]^QsrKF=dU_aKfNn\t��u• �-C$4WseZKfNn\

• Anti-spoofing ��vosamj_av��gosr����K��

��RNP[]H8*,>LGWYOC�

• �$8*,>LGWYOC• IPv450VYJ@#���• ��`IPv459��b

• �&��^ND: Neighbor Discovery)9�(• IPv6 in IPv4 P\RZ9�(• UKP9TADBEF]Z^S]MQZTADBEF]Z_9��

• IPv45IPv6@�8�23*=VYJ+")`IPv6IV]P7/`76

• �b• UKP4:`���9PX\KV]P8IPv4@�23(>-5+�(^RADIUS, TACACS+, SYSLOG76_aIPv68%!1>�;-?<��4 �.?>-5+'>a

�8+!-5*�$)%'68�����"�02&��

• BGP• BGP����"�02&��/�7'�;IPv4���<

• TCP"% 17��• TTL"�02&�9IPv6��.%-��:• -4,�%�!,�3#

• RTBH (Remote Triggered Black Hole Filtering)�IPv6��(4!������ �<

• 100::/64 (RFC6666)

947DF1%��*30>@5,��

• ���%I947DF1'�����• IPv6' %��&6:-2GPC,2=F7;.EI+<?-+E2�H#��%$!"�*

• IPv6����$�"(ITeredo�&IPv47E9A#�� *����)

• �'I@E1CF/A+8B2#����

"&� $#�����&$���)�� ��'�� �%!$������(�������������*

�QMOY[H6),?KGVWNB�!

• IPv6CZL[QMO97���*%>_ ��I[ODEC\RG: Residential Gateway]*%?�• RG2KGVWNB7��*��

• ��_=+��.@1&?UWJa• ��,"�7: �a IPv47 NAT3��`IPv67��2%? end-to-end"�*��5&

• In/Out SXF[TZ_$�8�R[P2_3&'�(�;%?`• Swisscom5428_SXF[TZ^αA��/1&?37-3

• �_In/OutF[TZ_TCP/UDP 7 well-knownU[O<_��.@?U[OA#0?

������������������������ �����

�,)$

• �������(%AIPv6%2/:<5-$�� ��• ��%.?3@746&A

• IPv6/IPv4����!#*• QUIC#"%�#6;?19@68>60=����+*• IoT#"A�#��� ���*

�'ATPO$�,��2/:<5-����!#*B
