6. Things we had to calculate
The global Internet is not ready for IPv6-only
Cisco supports NAT64 on the ASR series and above
User bandwidth management is far too complex
464XLAT is not supported by ordinary consumer WiFi routers
Existing server system support
Operation & security policy
We have almost 50k active customers and are planning for 500k
Overhead cost of deployment (NAT64 & DNS64)
7. Things that we came up with
Existing bandwidth manager & spam firewall support dual-stack
Linux and Windows based systems support IPv6 by default
Host-based IDS and firewall support IPv6
As an ISP we need to go with NAT64 & DNS64
Dual-stack for infrastructure & IPv6-only for end users
DNS64 will be managed by BIND on CentOS 6
11. Myth – My network is IPv4 only
Reality – All operating systems have IPv6 enabled by default
12. Myth – IPv6 is too new to be attacked
Reality – The same attacks, with different names and tactics.
Attack                            Tools
Reconnaissance                    Alive6, Nmap
Amplification                     Smurf6, Rsmurf6
DHCPv6 spoofing                   flood_dhcpc6, fake_dhcps6
DAD spoofing, redirect spoofing   Dos-new-ipv6, redir6
13. Outcome of the myths
IPv6 is neither more nor less secure than IPv4
Knowledge of the associated protocols is the best security measure
A change of mindset is required
15. Protocols to be considered before deployment
ICMPv6
NDP
DNS64
DHCPv6
16. DNS Server – What we had
Authoritative and recursive DNS on one server
Software resources:
  CentOS 5 32 bit
  bind-utils-9.3.4-10.P1.el5
  ypbind-1.19-11.el5
  bind-libs-9.3.4-10.P1.el5
Hardware resources:
  Core – 2
  RAM – 4 GB
  HDD – SATA 7.2k RPM
17. DNS Server – What we have faced
The OS version was about to become obsolete
Resource utilization was about to reach its limit
Log searching was not administrator friendly
18. DNS Server – What we have done
Upgraded the OS to CentOS 6 64-bit
Divided the authoritative & recursive roles onto TWO servers
Deployed the DNS system in a CHROOT
Calculated the session load of the recursive DNS system
Deployed the recursive server with IP anycast
Configured recursive query logging based on our search criteria
19. DNS Server – What we have done
Software resources:
  CentOS 6.9 64 bit
  bind-libs-9.8.2-0.62.rc1.el6_9.5.x86_64
  bind-sdb-9.8.2-0.62.rc1.el6_9.5.x86_64
  rpcbind-0.2.0-13.el6_9.1.x86_64
  bind-dyndb-ldap-2.3-8.el6.x86_64
  bind-9.8.2-0.62.rc1.el6_9.5.x86_64
  bind-devel-9.8.2-0.62.rc1.el6_9.5.x86_64
  bind-chroot-9.8.2-0.62.rc1.el6_9.5.x86_64
  bind-utils-9.8.2-0.62.rc1.el6_9.5.x86_64
  iptables-1.4.7-16.el6.x86_64
  iptables-ipv6-1.4.7-16.el6.x86_64
Hardware resources:
  CPU – 4 cores across 2 sockets
  RAM – 8 GB DDR4
  HDD – SATA/SAS 15k RPM
21. DNS64 Server
With the new system – what we have
We configured DNS64 on the recursive system
Forgot to tune the kernel and iptables
Forgot to calculate the log volume
22. DNS64 Server
What we have faced
Sessions per second were 4k/second
Increased to 5k/second
Query responses became slower / some users were not getting responses
The hard disk was about to fill up with the stored logs
For every query there are 2 separate log lines, one for IPv4 & one for IPv6
24. DNS64 Server
Actions that we have taken
We were getting almost 4 GB of log files in one hour
Configured log rotation based on file size
Then we decided to move all the logs to a central server every hour
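The log growth and query rate on the last two slides are the numbers a resolver operator wants to measure rather than discover after the disk fills. Below is an added example (not from the slides): a small BIND query-log analyser that counts log lines per second, shows how many lines each lookup produces, and converts a sustained query rate into bytes of log per hour. The log lines are constructed samples in the BIND 9 query-log format with print-time enabled; addresses and names are documentation values, and the per-line byte size passed to the estimator is an assumption.

```python
"""Added example (not from the slides): size DNS64 query logging from the log itself."""
import re
from collections import Counter

# Constructed sample: a DNS64 resolver logging one AAAA and one A line per
# lookup from 464XLAT clients, which is why the log volume doubles.
SAMPLE_LOG = """\
12-Mar-2018 10:15:01.101 client 2001:db8:64::10#51234: query: www.example.com IN AAAA + (2001:db8::53)
12-Mar-2018 10:15:01.102 client 2001:db8:64::10#51234: query: www.example.com IN A + (2001:db8::53)
12-Mar-2018 10:15:01.350 client 2001:db8:64::11#40001: query: mail.example.net IN AAAA + (2001:db8::53)
12-Mar-2018 10:15:01.351 client 2001:db8:64::11#40001: query: mail.example.net IN A + (2001:db8::53)
12-Mar-2018 10:15:02.004 client 2001:db8:64::12#53001: query: cdn.example.org IN AAAA + (2001:db8::53)
12-Mar-2018 10:15:02.005 client 2001:db8:64::12#53001: query: cdn.example.org IN A + (2001:db8::53)
12-Mar-2018 10:15:02.900 client 2001:db8:64::10#51300: query: api.example.com IN AAAA + (2001:db8::53)
"""

# BIND 9 query-log line: "<date> <time>.<ms> client <addr>#<port>: query: <name> IN <type> <flags> (<server>)"
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\w{3}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?P<client>\S+?)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)


def parse_query_log(text):
    """Return one dict per parseable line: wall-clock second, client, qname, qtype."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({
                "second": m["date"] + " " + m["time"],
                "client": m["client"],
                "qname": m["qname"],
                "qtype": m["qtype"],
            })
    return records


def queries_per_second(records):
    """Log lines per wall-clock second; max() of the values is the peak rate."""
    return Counter(r["second"] for r in records)


def lines_per_lookup(records):
    """Average log lines per (client, name) pair: close to 2.0 means each
    lookup is logged twice (A + AAAA), the effect described on the slides."""
    pairs = Counter((r["client"], r["qname"]) for r in records)
    return len(records) / len(pairs)


def bytes_per_hour(avg_line_bytes, lines_per_second):
    """Log growth per hour, in bytes, at a sustained logging rate."""
    return avg_line_bytes * lines_per_second * 3600


def hours_until_full(free_bytes, avg_line_bytes, lines_per_second):
    """How long the free disk space lasts; the value to rotate and ship logs against."""
    return free_bytes / bytes_per_hour(avg_line_bytes, lines_per_second)
```

On the sample, the peak is 4 lines in one second and each lookup averages 1.75 lines because the last AAAA query has no paired A line yet. Working the slide's own figures backwards, 4 GB per hour at 5k lines per second is roughly 220 to 240 bytes per logged line, so a size-based rotation threshold can be derived from the measured rate instead of guessed.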
25. DNS64 Server
Performance tuning
Checked the system – the connection tracking table count:
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 262144
Changed it – raised the table limit (sysctl -w does not survive a reboot; add the same setting to /etc/sysctl.conf as well):
# sysctl -w net.netfilter.nf_conntrack_max=524288
26. DNS64 Server
Security tuning
Configuration is for the sysctl.conf file
1. To stop accepting IPv6 router advertisements –
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
2. To stop accepting ICMPv6 redirects –
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
27. DNS64 Server
3. To stop DAD related attacks –
net.ipv6.conf.all.accept_dad=0
net.ipv6.conf.default.accept_dad=0
net.ipv6.conf.enp0s8.accept_dad=0
net.ipv6.conf.all.dad_transmits=0
net.ipv6.conf.default.dad_transmits=0
net.ipv6.conf.enp0s8.dad_transmits=0
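Settings in sysctl.conf drift: a kernel upgrade, a new interface name, or a config management run can silently put a value back. The following is an added example (not from the slides) that audits the hardening keys from slides 26 and 27 together with the conntrack head-room from slide 25. It parses the "key = value" text that `sysctl -a` prints; a constructed excerpt is embedded so it runs offline, and on a real host the same text comes from `subprocess.check_output(["sysctl", "-a"])`. The interface name enp0s8 is taken from the slides, and the 80% warning threshold is an assumption.

```python
"""Added example (not from the slides): audit IPv6 sysctl hardening and conntrack usage."""

IFACE = "enp0s8"  # interface name as used on the slides; change to match the host

# Expected values from slides 26 and 27; the per-interface keys are expanded here.
EXPECTED = {
    "net.ipv6.conf.all.accept_ra": "0",
    "net.ipv6.conf.default.accept_ra": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv6.conf.default.accept_redirects": "0",
    "net.ipv6.conf.all.accept_dad": "0",
    "net.ipv6.conf.default.accept_dad": "0",
    f"net.ipv6.conf.{IFACE}.accept_dad": "0",
    "net.ipv6.conf.all.dad_transmits": "0",
    "net.ipv6.conf.default.dad_transmits": "0",
    f"net.ipv6.conf.{IFACE}.dad_transmits": "0",
}

# Constructed `sysctl -a` excerpt: redirects are still accepted on the default
# interface template, one per-interface key is missing, and the conntrack
# table sits exactly at its limit (the state slide 25 describes).
SAMPLE_SYSCTL = """\
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 1
net.ipv6.conf.all.accept_dad = 0
net.ipv6.conf.default.accept_dad = 0
net.ipv6.conf.enp0s8.accept_dad = 0
net.ipv6.conf.all.dad_transmits = 0
net.ipv6.conf.default.dad_transmits = 0
net.netfilter.nf_conntrack_count = 262144
net.netfilter.nf_conntrack_max = 262144
"""


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict; lines without '=' are ignored."""
    values = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def audit_ipv6_hardening(values):
    """Return (key, expected, actual) for every expected key that is missing or wrong."""
    findings = []
    for key, want in EXPECTED.items():
        got = values.get(key)
        if got != want:
            findings.append((key, want, got))
    return findings


def conntrack_utilization(values):
    """Fraction of the conntrack table in use; 1.0 means new flows are dropped."""
    count = int(values.get("net.netfilter.nf_conntrack_count", 0))
    maximum = int(values.get("net.netfilter.nf_conntrack_max", 0))
    return count / maximum if maximum else 0.0


def report(text, threshold=0.8):
    """Human-readable findings: one line per bad key, plus a conntrack warning."""
    values = parse_sysctl(text)
    lines = [
        f"{key}: expected {want}, found {got}"
        for key, want, got in audit_ipv6_hardening(values)
    ]
    util = conntrack_utilization(values)
    if util >= threshold:
        lines.append(f"conntrack table at {util:.0%} of nf_conntrack_max; "
                     "the kernel drops new flows when it reaches 100%")
    return lines
```

Run against the sample, the report flags `net.ipv6.conf.default.accept_redirects` (set to 1), the absent `net.ipv6.conf.enp0s8.dad_transmits`, and a full conntrack table. Comparing against `sysctl -a` rather than against sysctl.conf is deliberate: it checks what the kernel is actually doing, not what the file asks for.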
28. DNS64 Server
Security tuning
Configuration is for IP6TABLES
#!/bin/bash
# Default-deny: everything not explicitly accepted on INPUT/FORWARD is dropped.
# Note: with INPUT policy DROP, ACCEPT rules for the traffic the resolver must
# answer (DNS on port 53 and ICMPv6 neighbour discovery) are still required;
# they are not shown on this slide.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Drop packets addressed to the all-nodes multicast group (router advertisements
# and multicast probes arrive here).
ip6tables -I INPUT 1 -d ff02::1 -j DROP
# Drop packets carrying IPv6 extension headers on the external interface eth1:
# destination options, hop-by-hop, routing, fragment, AH, ESP and "no next header".
# --soft matches when the header is present anywhere in the chain.
ip6tables -I INPUT 2 -i eth1 -m ipv6header --header dst --soft -j DROP
ip6tables -I INPUT 3 -i eth1 -m ipv6header --header hop --soft -j DROP
ip6tables -I INPUT 4 -i eth1 -m ipv6header --header route --soft -j DROP
ip6tables -I INPUT 5 -i eth1 -m ipv6header --header frag --soft -j DROP
ip6tables -I INPUT 6 -i eth1 -m ipv6header --header auth --soft -j DROP
ip6tables -I INPUT 7 -i eth1 -m ipv6header --header esp --soft -j DROP
ip6tables -I INPUT 8 -i eth1 -m ipv6header --header none --soft -j DROP
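A default-deny chain is only as good as the ACCEPT rules placed in front of the policy and their order relative to the extension-header drops. The following is an added example (not from the slides): a small first-match evaluator for the IPv6 INPUT chain that takes rules in `ip6tables -S` syntax and reports the verdict for a few constructed packets, so the rule set can be checked before it is loaded on a resolver. The slide's rules are rewritten here in `-S` form, the `RESOLVER_ACCEPTS` rules, the interface name eth1 and the packets are all constructed, and the evaluator only understands the matches used on the slide plus `-p`, `--dport` and `--icmpv6-type` (destination addresses are compared as single hosts, not prefixes).

```python
"""Added example (not from the slides): first-match evaluation of an ip6tables INPUT chain."""
import shlex

# The slide's rule set as `ip6tables -S` would print it (constructed).
SLIDE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -d ff02::1/128 -j DROP
-A INPUT -i eth1 -m ipv6header --header dst --soft -j DROP
-A INPUT -i eth1 -m ipv6header --header hop --soft -j DROP
-A INPUT -i eth1 -m ipv6header --header route --soft -j DROP
-A INPUT -i eth1 -m ipv6header --header frag --soft -j DROP
-A INPUT -i eth1 -m ipv6header --header auth --soft -j DROP
-A INPUT -i eth1 -m ipv6header --header esp --soft -j DROP
-A INPUT -i eth1 -m ipv6header --header none --soft -j DROP
"""

# ACCEPT rules a DNS64 resolver needs (constructed, not from the slides):
# neighbour discovery so the host stays reachable, and DNS on 53/udp and 53/tcp.
RESOLVER_ACCEPTS = """\
-A INPUT -p ipv6-icmp --icmpv6-type neighbor-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbor-advertisement -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
"""


def parse_rules(text):
    """Return ({chain: policy}, [INPUT rule dicts in order]) from -S style lines."""
    policies, rules = {}, []
    for line in text.splitlines():
        t = shlex.split(line)
        if not t:
            continue
        if t[0] == "-P":
            policies[t[1]] = t[2]
            continue
        if t[0] != "-A" or t[1] != "INPUT":
            continue
        rule, i = {"target": None}, 2
        while i < len(t):
            opt = t[i]
            if opt == "--soft":           # flag without a value
                i += 1
                continue
            if opt == "-m":               # match module name; its options follow
                i += 2
                continue
            if opt == "-j":
                rule["target"] = t[i + 1]
            elif opt == "-i":
                rule["iface"] = t[i + 1]
            elif opt == "-d":
                rule["dst"] = t[i + 1].split("/")[0]
            elif opt == "-p":
                rule["proto"] = t[i + 1]
            elif opt == "--dport":
                rule["dport"] = int(t[i + 1])
            elif opt == "--icmpv6-type":
                rule["icmpv6_type"] = t[i + 1]
            elif opt == "--header":
                rule["header"] = t[i + 1]
            i += 2
        rules.append(rule)
    return policies, rules


def matches(rule, pkt):
    """A rule matches when every criterion it carries holds for the packet."""
    for key in ("iface", "dst", "proto", "dport", "icmpv6_type"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "header" in rule and rule["header"] not in pkt.get("ext_headers", ()):
        return False
    return True


def verdict(rules_text, pkt):
    """First matching INPUT rule decides; otherwise the chain policy applies."""
    policies, rules = parse_rules(rules_text)
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policies.get("INPUT", "ACCEPT")


# Constructed packets as the resolver would see them arriving on eth1.
DNS_QUERY = {"iface": "eth1", "dst": "2001:db8::53", "proto": "udp", "dport": 53}
NEIGHBOR_SOL = {"iface": "eth1", "dst": "ff02::1:ff00:53", "proto": "ipv6-icmp",
                "icmpv6_type": "neighbor-solicitation"}
ROUTED_QUERY = dict(DNS_QUERY, ext_headers=("route",))
```

With the slide's rules alone every packet above ends in the INPUT policy and is dropped, including the DNS query and the neighbour solicitation, so the resolver would be unreachable over IPv6. Appending `RESOLVER_ACCEPTS` after the extension-header drops fixes that while a query carrying a routing header is still dropped; placing the ACCEPT rules before the drops instead lets that packet through, which is why the order of the two groups matters.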
29. Do's and Don'ts
IPv6 is moving fast; you can't walk slowly
Keep your knowledge up to date
No IPv6-only thinking for infrastructure
Make an inventory of existing systems
List the necessities that you need, not what you want