Reverse Proxies as Enterprise IPv6 Entry Points by Patrick Chang at gogoNET LIVE! 3 IPv6 Conference
DESCRIPTION
gogo6 IPv6 Video Series. Event, presentation and speaker details below:

EVENT
gogoNET LIVE! 3: Enterprise wide Migration. http://gogonetlive.com
November 12 – 14, 2012 at San Jose State University, California
Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp

PRESENTATION
Reverse Proxies as Enterprise IPv6 Entry Points
Abstract: http://www.gogo6.com/profiles/blogs/my-presentation-at-gogonet-live-3?xg_source=activity
Presentation video: http://www.gogo6.com/video/reverse-proxies-as-enterprise-ipv6-entry-points-by-patrick-chang
Interview video: http://www.gogo6.com/video/interview-with-patrick-chang-at-gogonet-live-3-ipv6-conference

SPEAKER
Patrick Chang - Senior Regional Architect, F5
Bio/Profile: http://www.gogo6.com/profile/PatrickChang

MORE
Learn more about IPv6 on the gogoNET social network http://www.gogo6.com
Get free IPv6 connectivity with Freenet6 http://www.gogo6.com/Freenet6
Subscribe to the gogo6 IPv6 Channel on YouTube http://www.youtube.com/subscription_center?add_user=gogo6videos
Follow gogo6 on Twitter http://twitter.com/gogo6inc
Like gogo6 on Facebook http://www.facebook.com/pages/IPv6-products-community-and-services-gogo6/161626696777

TRANSCRIPT
Slide 1: Implementing IPv6 Services with a Reverse Proxy
Presented by: Patrick Chang, November 2012
APPLE RUNS BETTER WITH F5
Slide 2: Existing IPv4 Service
Diagram labels: IPv4 Clients, Load Balancer (IPv4 Proxy), IPv4 App Servers, IPv4 DB Servers
Slide 3: IPv4 Data Flow
- Load balancer is a reverse proxy
  - Presents an external-facing IPv4 service
  - Connects to internal IPv4 resources
- Incoming traffic
  - Target is the IPv4 address on the reverse proxy
  - Reverse proxy terminates the connection
  - Reverse proxy opens a new connection to the back-end IPv4 resources
- Return traffic
  - Server responses go back to the reverse proxy
  - Reverse proxy manipulates the IP headers of the response
  - Reverse proxy sends the response back to the IPv4 clients
Slide 4: Adding IPv6
Diagram labels: IPv4 Clients, IPv6 Clients, Load Balancer (IPv4 Proxy, IPv6 Proxy), IPv4 App Servers, IPv6 App Servers, IPv4 DB Servers, IPv6 DB Servers
Slide 5: IPv6 Data Flow
- Load balancer is a reverse proxy
  - Presents an external-facing IPv6 service
  - Connects to existing internal IPv4 resources
  - Capable of connecting to new internal IPv6 resources
- Incoming traffic
  - Target is the IPv6 address on the reverse proxy
  - Reverse proxy terminates the connection
  - Reverse proxy opens a new connection to the existing IPv4 resources
- Return traffic
  - Server responses go back to the reverse proxy
  - Reverse proxy manipulates the IP headers of the response
  - Reverse proxy sends the response back to the IPv6 clients
Slide 6: Single and Dual Stack
- Separate IPv6 FQDN (Single Stack)
  - IPv4 FQDN -> A query = IP, AAAA record = NXDomain
  - IPv6 FQDN -> A query = NXDomain, AAAA record = IP
- Same IPv6 and IPv4 FQDN (Dual Stack)
  - A query = IPv4 address
  - AAAA query = IPv6 address
- Recent OSs send an AAAA query, then an A query
  - Client on IPv6 only -> IPv6 response = it works
  - Client on IPv4 and IPv6 -> IPv6 response = it works
  - Client on IPv4 only -> IPv6 response = broken
- Possible Fixes
  - LDNS whitelist
  - AAAA from an IPv4 LDNS = NXDomain
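The single-stack, dual-stack and LDNS-whitelist behaviour on this slide, modelled as an authoritative answer function plus a client that asks AAAA before A. This is example code added to the transcript, not code from the presentation or from F5; the zone contents, resolver addresses and whitelist prefixes are constructed. It goes slightly beyond the slide in one respect: a name that exists but lacks the requested type is returned as NODATA (an empty NOERROR answer), which is what a real authoritative server sends, while a name that does not exist at all is NXDOMAIN.

```python
"""Model of slide 6: single/dual-stack names and an LDNS whitelist for AAAA answers.

Example code added to this transcript; not from the presentation or from F5.
Zone contents, resolver addresses and whitelist prefixes are constructed."""
import ipaddress

# Constructed zone: one IPv4-only name, one IPv6-only name, one dual-stack name.
ZONE = {
    "www4.example.com.": {"A": ["192.0.2.10"]},
    "www6.example.com.": {"AAAA": ["2001:db8::10"]},
    "www.example.com.": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
}

# Constructed LDNS whitelist: only recursive resolvers in these prefixes are
# known to serve clients with working IPv6, so only they receive AAAA answers.
AAAA_WHITELIST = [
    ipaddress.ip_network("2001:db8:1::/48"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def _ldns_whitelisted(ldns_ip):
    addr = ipaddress.ip_address(ldns_ip)
    # 'in' returns False for a version mismatch, so mixing v4/v6 here is safe.
    return any(addr in net for net in AAAA_WHITELIST)


def answer(qname, qtype, ldns_ip):
    """Return (rcode, records) as the authoritative server would answer."""
    rrsets = ZONE.get(qname)
    if rrsets is None:
        return "NXDOMAIN", []
    if qtype == "AAAA" and not _ldns_whitelisted(ldns_ip):
        # Slide 6 fix: a non-whitelisted LDNS is answered as if no AAAA existed.
        return "NODATA", []
    records = rrsets.get(qtype)
    if not records:
        return "NODATA", []  # name exists, but not with this record type
    return "NOERROR", list(records)


def client_connect(qname, ldns_ip, ipv6_works):
    """Model the slide's 'recent OS': ask AAAA first and use it if present,
    with no fallback to A (the slide's 'broken' case); otherwise try A."""
    _, aaaa = answer(qname, "AAAA", ldns_ip)
    if aaaa:
        return "ok" if ipv6_works else "broken"
    _, a = answer(qname, "A", ldns_ip)
    return "ok" if a else "unreachable"


if __name__ == "__main__":
    for ldns in ("198.51.100.5", "203.0.113.9"):
        for works in (True, False):
            print(ldns, "ipv6_works=%s" % works,
                  client_connect("www.example.com.", ldns, works))
```

The last assertion-worthy case is the whitelist's side effect: an IPv6-only name queried through a resolver that is not on the whitelist gets neither an AAAA nor an A answer, so the fix only works for dual-stack names.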
Slide 7 (no text extracted)

Slide 8: OSI Implications
- IP (v4 and v6) = Network Layer
- TCP, UDP = Transport Layer
  - Layer 4 > Layer 3
  - Unaffected by IPv6
- SSL = Presentation Layer
  - Layer 6 > Layer 3
  - Unaffected by IPv6
- Compression = Presentation Layer
  - Layer 6 > Layer 3
  - Unaffected by IPv6
Slide 9: Application Layer
- HTTP, SMTP, client-server = Application Layer
  - Layer 7 > Layer 3
  - Unaffected by IPv6????
- IPv6 client -> IPv4 service
  - Reverse proxy must open the connection to the IPv4 service from an IPv4 address
  - Does the application require the real client IP?
- HTTP over IPv6 -> IPv4 service: X-Forwarded-For
  - Web server configuration logs X-Forwarded-For
  - Can the log analyzer parse IPv6 addresses?
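The X-Forwarded-For question on this slide, worked through as a log parser that handles IPv4 and IPv6 hops. This is example code added to the transcript, not code from the presentation or from F5; the trusted-proxy prefixes, the log format and the sample log lines are constructed. Two things the slide only hints at are made explicit: X-Forwarded-For is a comma-separated chain and the client can put anything it likes at the front, so the trustworthy client address is the rightmost entry that was not appended by one of our own proxies; and IPv6 entries may show up bracketed with a port, which a naive split on ":" mangles.

```python
"""Recover the real client address from X-Forwarded-For in IPv4 app-server logs.

Example code added to this transcript; not from the presentation or from F5.
Trusted-proxy prefixes, log format and sample lines are constructed."""
import ipaddress
import re

# Constructed: our reverse proxies. Only XFF entries appended by these hosts
# are trustworthy; anything further left in the chain came from the client.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("2001:db8:ff::/48"),
]


def parse_hop(token):
    """Normalise one XFF element to an ip_address, or None if it is not one.
    Accepts bare IPv4/IPv6, '[v6]:port' and 'v4:port' forms."""
    token = token.strip().strip('"')
    if token.startswith("["):            # [2001:db8::1]:443
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:          # 192.0.2.1:5432 (an IPv6 literal has >= 2 colons)
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def client_ip(xff, peer):
    """Walk the chain right to left past our own proxies. The first hop that is
    not ours is the client address. Returns a string, or None if the chain is
    not parseable at the point where we would have to trust it."""
    hops = [parse_hop(t) for t in xff.split(",")] if xff else []
    hops.append(ipaddress.ip_address(peer))   # the TCP peer is the rightmost hop
    for hop in reversed(hops):
        if hop is None:
            return None                       # junk where a proxy should be: do not guess
        if not any(hop in net for net in TRUSTED_PROXIES):
            return str(hop)
    return str(hops[0])                       # every hop was one of our proxies


# Constructed combined-log-style lines from an IPv4 app server; the peer is the
# proxy's IPv4 address and the last quoted field is the X-Forwarded-For value.
SAMPLE_LOGS = [
    '10.1.2.3 - - [12/Nov/2012:10:00:00 -0800] "GET /index.html HTTP/1.1" 200 512 "2001:db8:abcd::42"',
    '10.1.2.3 - - [12/Nov/2012:10:00:01 -0800] "GET /login HTTP/1.1" 200 128 "198.51.100.7, 2001:db8:abcd::42"',
    '10.1.2.3 - - [12/Nov/2012:10:00:02 -0800] "POST /api HTTP/1.1" 403 64 "[2001:db8:abcd::42]:51000"',
]

LOG_RE = re.compile(
    r'^(?P<peer>\S+) .*? "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$'
)


def parse_log_line(line):
    """Parse one constructed log line and attach the resolved client address."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client"] = client_ip(rec["xff"], rec["peer"])
    return rec


def clients_from_logs(lines):
    """Resolved client address for every parseable line, in order."""
    return [rec["client"] for rec in map(parse_log_line, lines) if rec]


if __name__ == "__main__":
    for rec in map(parse_log_line, SAMPLE_LOGS):
        print(rec["status"], rec["method"], rec["path"], "client=%s" % rec["client"])
```

The second sample line is the case that matters for detection work: the client sent its own X-Forwarded-For of 198.51.100.7 and the proxy appended the true IPv6 source, so a parser that takes the leftmost entry logs the spoofed IPv4 address. Keep the trusted-proxy list in step with the proxy fleet; an address that is wrongly listed there lets its peers be skipped over.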
Slide 10: Possible Workarounds
- Change application
  - Custom IP stack in reverse proxy: 4X IPinIP encapsulation
  - Mapped source IP
  - Router with static routes
  - Custom IP stack in app servers: 4X IPinIP unencapsulation
- Log separately
  - Reverse proxy inserts a custom request ID
  - Reverse proxy logs the IPv6 address and the custom request ID
  - Reverse proxy opens the IPv4 connection from a "magic" IP
  - Application logs the "magic" IP and the custom request ID
  - Log analyzer maps the real IP via the custom request ID
- Upgrade log analysis system
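The "log separately" workaround from this slide, carried through as the log-analyzer join it calls for. This is example code added to the transcript, not code from the presentation or from F5; the magic IP, the request-ID field name, both log formats and all sample lines are constructed. The proxy log carries the real (IPv6) client and the request ID; the application log carries only the magic IPv4 source and the same ID; the analyzer rebuilds the client column from the ID and refuses to guess when an ID is missing or ambiguous.

```python
"""Map the proxy's 'magic' source IP back to the real client via a request ID.

Example code added to this transcript; not from the presentation or from F5.
Magic IP, field names, log formats and sample lines are constructed."""
import re

MAGIC_IP = "10.255.255.1"   # constructed: the IPv4 address the proxy connects from

# Constructed proxy log: real client (IPv6 or IPv4) plus the inserted request ID.
PROXY_LOG = [
    "2012-11-12T10:00:00Z client=2001:db8:abcd::42 rid=7f3a9c01 GET /index.html",
    "2012-11-12T10:00:01Z client=198.51.100.7 rid=7f3a9c02 GET /login",
    "2012-11-12T10:00:02Z client=2001:db8:abcd::42 rid=7f3a9c03 POST /api",
]

# Constructed application log: the app sees only the magic IP, plus the same ID.
# The last line has an ID the proxy never issued (e.g. a direct health check).
APP_LOG = [
    '10.255.255.1 - - [12/Nov/2012:10:00:00 -0800] "GET /index.html HTTP/1.1" 200 rid=7f3a9c01',
    '10.255.255.1 - - [12/Nov/2012:10:00:01 -0800] "GET /login HTTP/1.1" 200 rid=7f3a9c02',
    '10.255.255.1 - - [12/Nov/2012:10:00:02 -0800] "POST /api HTTP/1.1" 403 rid=7f3a9c03',
    '10.255.255.1 - - [12/Nov/2012:10:00:03 -0800] "GET /health HTTP/1.1" 200 rid=deadbeef',
]

PROXY_RE = re.compile(r"client=(?P<client>\S+) rid=(?P<rid>[0-9a-f]+)")
APP_RE = re.compile(
    r'^(?P<src>\S+) .*? "(?P<req>[^"]*)" (?P<status>\d{3}) rid=(?P<rid>[0-9a-f]+)$'
)


def build_rid_map(proxy_lines):
    """rid -> real client address. An ID seen with two different clients is
    ambiguous and is dropped rather than mapped to whichever came first."""
    seen, ambiguous = {}, set()
    for line in proxy_lines:
        m = PROXY_RE.search(line)
        if not m:
            continue
        rid, client = m["rid"], m["client"]
        if rid in seen and seen[rid] != client:
            ambiguous.add(rid)
        seen.setdefault(rid, client)
    return {rid: c for rid, c in seen.items() if rid not in ambiguous}


def resolve_app_log(app_lines, rid_map):
    """Parse app log lines and fill in 'client': the proxy-recorded address when
    the source is the magic IP and the rid maps, the raw source for direct
    connections, and None when the magic IP carries an unknown rid."""
    rows = []
    for line in app_lines:
        m = APP_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if rec["src"] == MAGIC_IP:
            rec["client"] = rid_map.get(rec["rid"])
        else:
            rec["client"] = rec["src"]
        rows.append(rec)
    return rows


if __name__ == "__main__":
    for rec in resolve_app_log(APP_LOG, build_rid_map(PROXY_LOG)):
        print(rec["status"], rec["req"], "client=%s" % rec["client"])
```

Two points for anyone deploying this: the request ID must be generated by the proxy and any client-supplied header of the same name stripped, otherwise a client can make its requests collide with someone else's in the analyzer; and because every proxied request reaches the application from the magic IP, any per-source control in the application (rate limiting, lockout, allow-lists) is blind until it is moved to the proxy or keyed on the ID.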
Slide 11
EVERYTHING RUNS BETTER WITH F5