Reverse Proxies as Enterprise IPv6 Entry Points by Patrick Chang at gogoNET LIVE! 3 IPv6 Conference

Uploaded by gogo6 on 17-Dec-2014

DESCRIPTION

gogo6 IPv6 Video Series. Event, presentation and speaker details below:

EVENT
gogoNET LIVE! 3: Enterprise wide Migration. http://gogonetlive.com
November 12 – 14, 2012 at San Jose State University, California
Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp

PRESENTATION
Reverse Proxies as Enterprise IPv6 Entry Points
Abstract: http://www.gogo6.com/profiles/blogs/my-presentation-at-gogonet-live-3?xg_source=activity
Presentation video: http://www.gogo6.com/video/reverse-proxies-as-enterprise-ipv6-entry-points-by-patrick-chang
Interview video: http://www.gogo6.com/video/interview-with-patrick-chang-at-gogonet-live-3-ipv6-conference

SPEAKER
Patrick Chang - Senior Regional Architect, F5
Bio/Profile: http://www.gogo6.com/profile/PatrickChang

MORE
Learn more about IPv6 on the gogoNET social network http://www.gogo6.com
Get free IPv6 connectivity with Freenet6 http://www.gogo6.com/Freenet6
Subscribe to the gogo6 IPv6 Channel on YouTube http://www.youtube.com/subscription_center?add_user=gogo6videos
Follow gogo6 on Twitter http://twitter.com/gogo6inc
Like gogo6 on Facebook http://www.facebook.com/pages/IPv6-products-community-and-services-gogo6/161626696777

TRANSCRIPT

Page 1: Reverse Proxies as Enterprise IPv6 Entry Points by Patrick Chang at gogoNET LIVE! 3 IPv6 Conference

Implementing IPv6 Services with a Reverse Proxy
Presented by: Patrick Chang
November 2012

APPLE RUNS BETTER WITH F5

Page 2

Existing IPv4 Service

Diagram: IPv4 clients -> load balancer (IPv4 proxy) -> IPv4 app servers -> IPv4 DB servers

Page 3

IPv4 Data Flow

- Load balancer is a reverse proxy
  - Presents external-facing IPv4 service
  - Connects to internal IPv4 resources
- Incoming traffic
  - Target is the IPv4 address on the reverse proxy
  - Reverse proxy terminates the connection
  - Reverse proxy opens a new connection to back-end IPv4 resources
- Return traffic
  - Server responses go back to the reverse proxy
  - Reverse proxy manipulates the IP headers of the response
  - Reverse proxy sends the response back to IPv4 clients

Page 4

Adding IPv6

Diagram: IPv4 clients -> load balancer (IPv4 proxy) -> IPv4 app servers -> IPv4 DB servers; IPv6 clients -> load balancer (IPv6 proxy) -> existing IPv4 app servers, or new IPv6 app servers -> IPv6 DB servers

Page 5

IPv6 Data Flow

- Load balancer is a reverse proxy
  - Presents external-facing IPv6 service
  - Connects to existing internal IPv4 resources
  - Capable of connecting to new internal IPv6 resources
- Incoming traffic
  - Target is the IPv6 address on the reverse proxy
  - Reverse proxy terminates the connection
  - Reverse proxy opens a new connection to existing IPv4 resources
- Return traffic
  - Server responses go back to the reverse proxy
  - Reverse proxy manipulates the IP headers of the response
  - Reverse proxy sends the response back to IPv6 clients

Page 6

Single and Dual Stack

- Separate IPv6 FQDN (single stack)
  - IPv4 FQDN -> A query = IP, AAAA query = NXDomain
  - IPv6 FQDN -> A query = NXDomain, AAAA query = IP
- Same IPv6 and IPv4 FQDN (dual stack)
  - A query = IPv4 address
  - AAAA query = IPv6 address
- Recent OSs send the AAAA query, then the A query
  - Client on IPv6 only -> IPv6 response = it works
  - Client on IPv4 and IPv6 -> IPv6 response = it works
  - Client on IPv4 only -> IPv6 response = broken
- Possible fixes
  - LDNS whitelist
  - AAAA from IPv4 LDNS = NXDomain
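The LDNS-whitelist fix from this slide, worked through as an added example (not code from the presentation or from F5): an authoritative-side policy that answers AAAA queries only to resolvers on a whitelist or reaching it over IPv6, plus a model of the "AAAA first, then A" client behaviour the slide describes. The zone names, documentation-range addresses and the whitelist are constructed; the slide's "= NXDomain" is modelled as an empty NOERROR (NODATA) answer, which is what a name that still has an A record should actually return.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone data using documentation prefixes (hypothetical names/addresses).
ZONE = {
    "www.example.com":  {"A": "192.0.2.10", "AAAA": "2001:db8::10"},  # dual stack, one FQDN
    "www6.example.com": {"AAAA": "2001:db8::10"},                      # separate IPv6-only FQDN
    "www4.example.com": {"A": "192.0.2.10"},                           # IPv4-only FQDN
}

# Constructed LDNS whitelist: recursive resolvers whose clients are known to have
# working IPv6. Any other IPv4 resolver gets the "AAAA from IPv4 LDNS = no answer" rule.
LDNS_WHITELIST = [ipaddress.ip_network("2001:db8:100::/48"),
                  ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Answer:
    rcode: str                    # "NOERROR" or "NXDOMAIN"
    rdata: Optional[str] = None   # None together with NOERROR is an empty (NODATA) answer


def ldns_is_whitelisted(resolver_ip: str) -> bool:
    addr = ipaddress.ip_address(resolver_ip)
    return any(addr in net for net in LDNS_WHITELIST)


def answer(qname: str, qtype: str, resolver_ip: str) -> Answer:
    """Authoritative-side policy for A/AAAA queries, keyed on the querying LDNS."""
    rrs = ZONE.get(qname.lower().rstrip("."))
    if rrs is None:
        return Answer("NXDOMAIN")          # the name does not exist at all
    if qtype == "AAAA":
        resolver = ipaddress.ip_address(resolver_ip)
        # The slide's fix: an IPv4 LDNS that is not whitelisted never sees the AAAA,
        # so IPv4-only clients behind it fall straight through to the A record.
        if resolver.version == 4 and not ldns_is_whitelisted(resolver_ip):
            return Answer("NOERROR")       # empty answer (NODATA), the name still exists
    return Answer("NOERROR", rrs.get(qtype))


def client_connect(qname: str, resolver_ip: str, client_ipv6: bool, client_ipv4: bool = True):
    """Model the client behaviour the slide describes: send AAAA first, then A.

    Returns (outcome, address). An IPv6 answer handed to a client that only has IPv4
    is the 'broken' case from the slide."""
    aaaa = answer(qname, "AAAA", resolver_ip)
    if aaaa.rdata is not None:
        return ("ipv6", aaaa.rdata) if client_ipv6 else ("broken", aaaa.rdata)
    a = answer(qname, "A", resolver_ip)
    if a.rdata is not None and client_ipv4:
        return ("ipv4", a.rdata)
    return ("unreachable", None)


if __name__ == "__main__":
    for resolver in ("203.0.113.53", "198.51.100.53"):
        for v6 in (False, True):
            print(resolver, "client_ipv6=%s" % v6, client_connect("www.example.com", resolver, v6))
```

Run it and the two resolvers show the trade-off: behind the non-whitelisted IPv4 resolver 203.0.113.53 an IPv4-only client lands on the A record and works, while behind the whitelisted 198.51.100.53 the same client receives the AAAA and hits the slide's "broken" case. The cost of the fix is also visible: an IPv4-only client behind a non-whitelisted resolver can never reach the IPv6-only FQDN at all.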

Page 7

Page 8

OSI Implications

- IP (v4 and v6) = Network Layer
- TCP, UDP = Transport Layer
  - Layer 4 sits above layer 3
  - Unaffected by IPv6
- SSL = Presentation Layer
  - Layer 6 sits above layer 3
  - Unaffected by IPv6
- Compression = Presentation Layer
  - Layer 6 sits above layer 3
  - Unaffected by IPv6

Page 9

Application Layer

- HTTP, SMTP, client-server = Application Layer
  - Layer 7 sits above layer 3
  - Unaffected by IPv6????
- IPv6 client -> IPv4 service
  - Reverse proxy must open the connection to the IPv4 service from an IPv4 address
  - Does the application require the real client IP?
- HTTP over IPv6 -> IPv4 service
  - X-Forwarded-For
    - Web server configuration logs X-Forwarded-For
    - Can the log analyzer parse IPv6 addresses?

Page 10

Possible Workarounds

- Change application
  - Custom IP stack in reverse proxy
  - 4X IPinIP encapsulation
  - Mapped source IP
  - Router with static routes
  - Custom IP stack in app servers
  - 4X IPinIP unencapsulation
- Log separately
  - Reverse proxy inserts a custom request ID
  - Reverse proxy logs the IPv6 address and the custom request ID
  - Reverse proxy opens the IPv4 connection from a "magic" IP
  - Application logs the "magic" IP and the custom request ID
  - Log analyzer maps the real IP via the custom request ID
- Upgrade log analysis system
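The two logging questions from slides 9 and 10, worked through together as an added example (not code from the presentation or from F5): an X-Forwarded-For parser that copes with IPv6 hops (bare, bracketed, with ports) and only trusts the hop added by your own proxies, and the "log separately" correlation that maps the application log's "magic" IP back to the real IPv6 client through the proxy-inserted request ID. The log formats, the `reqid=` field, the `MAGIC_IP` value and all addresses are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed "magic" IPv4 source address the reverse proxy uses for connections that
# originated from IPv6 clients (placeholder value, not from the slides).
MAGIC_IP = "10.255.255.254"

# Constructed sample logs. Proxy log: one line per request with the real client
# address and the request ID the proxy inserted. App log: Apache-style line whose
# client column is the magic IP for IPv6 clients, carrying the same request ID.
PROXY_LOG = """\
2012-11-13T10:00:00Z client=2001:db8:1::42 reqid=7f3a9c method=GET path=/
2012-11-13T10:00:01Z client=198.51.100.7 reqid=b81e22 method=GET path=/login
"""
APP_LOG = """\
10.255.255.254 - - [13/Nov/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 512 reqid=7f3a9c
198.51.100.7 - - [13/Nov/2012:10:00:01 +0000] "GET /login HTTP/1.1" 200 2048 reqid=b81e22
"""


def parse_xff(header: str) -> List[Optional[str]]:
    """Split an X-Forwarded-For value into normalised addresses.

    Accepts IPv4, IPv4:port, bare IPv6 and [IPv6]:port. Unparseable hops become
    None rather than being dropped, so the chain keeps its length and positions."""
    hops: List[Optional[str]] = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        bracketed = re.fullmatch(r"\[([^\]]+)\](?::\d+)?", item)
        if bracketed:
            item = bracketed.group(1)
        elif item.count(":") == 1:            # IPv4 with a port; IPv6 has two or more colons
            item = item.split(":")[0]
        try:
            hops.append(str(ipaddress.ip_address(item)))   # canonical form (lower-case, compressed)
        except ValueError:
            hops.append(None)
    return hops


def trusted_client_ip(chain: List[Optional[str]], trusted_proxies: List[str]) -> Optional[str]:
    """Walk the chain from the right, skipping hops that are our own proxies; the first
    other hop is the client. Everything left of it was supplied by the client and is
    only useful for logging, never for access decisions."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    for hop in reversed(chain):
        if hop is None:
            return None
        if not any(ipaddress.ip_address(hop) in net for net in nets):
            return hop
    return None


def index_proxy_log(text: str) -> Dict[str, str]:
    """Map request ID -> real client address from the proxy's own log."""
    index: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.search(r"client=(\S+) reqid=(\S+)", line)
        if m:
            index[m.group(2)] = str(ipaddress.ip_address(m.group(1)))
    return index


def resolve_app_log(text: str, index: Dict[str, str]) -> List[Dict[str, object]]:
    """Replace the magic IP in application log lines with the real client address."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        logged_ip = line.split()[0]
        m = re.search(r"reqid=(\S+)", line)
        reqid = m.group(1) if m else None
        via_magic = logged_ip == MAGIC_IP
        # Unknown request IDs keep the magic IP so the gap is visible, not silently hidden.
        client = index.get(reqid, logged_ip) if via_magic else logged_ip
        rows.append({"reqid": reqid, "client": client, "via_magic": via_magic, "line": line})
    return rows


if __name__ == "__main__":
    for row in resolve_app_log(APP_LOG, index_proxy_log(PROXY_LOG)):
        print(row["client"], row["reqid"], "via magic IP" if row["via_magic"] else "direct")
    print(parse_xff("[2001:db8::1]:443, 203.0.113.9, 10.0.0.1:8080"))
```

Two points a log pipeline built this way should keep in mind: `ipaddress.ip_address` gives a single canonical spelling for IPv6, so `2001:DB8::1` and `2001:0db8:0000::1` collapse to one key when you aggregate; and only the rightmost non-proxy hop in X-Forwarded-For was observed by your own infrastructure, so anything further left is client-controlled text and should be stored but never used to make decisions.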

Page 11

EVERYTHING RUNS BETTER WITH F5