IPv6 Neighbor Discovery
An IXP Perspective
Russell Heilling
Senior Network Engineer
russell@linx.net
@xchewtoyx
Or
We all understand ARP, right?
• Messages carried directly on Ethernet
EtherType 0x806
• Device sends broadcast request
Who has x.x.x.x?
• Receivers check target against local addresses
• If it matches they send a unicast reply
• Result is cached
All nodes on the network need to process all ARP Requests.
High levels of ARP and you are going to have a bad day.
IPv6 Neighbor Discovery
• Defined in http://tools.ietf.org/html/rfc4861
• Messages are carried within ICMPv6
• Includes:
• Router and prefix discovery
• Address resolution and neighbor unreachability detection
• Redirect function
• Address resolution is most relevant from IXP perspective
Router and prefix discovery
• The main point on RD: “Don’t do it on the exchange”
• We have seen an increase in the number of members sending RAs
• Please check your config and make sure you have it disabled
• We are improving our instrumentation and will be getting more proactive
• This is an MoU violation, and will result in a chase
Neighbor Solicitation
• Analogous to ARP query message
“I know your IP, what’s your MAC?”
• ICMPv6 Type 135, Code 0.
• Can be sent unicast to refresh neighbor cache
• Can be multicast to discover uncached neighbors
• Uses last 24-bits of target address to construct multicast destination
Target: 2001:7f8:4::1553:2
Destination: ff02::1:ff53:2
Group MAC: 33:33:ff:53:00:02
• RFC recommends no more than 1 solicitation per second per target
• Unicast solicitation used to refresh stale entry before removing
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Reserved                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                       Target Address                          +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Options ...
+-+-+-+-+-+-+-+-+-+-+-+-
Neighbor Advertisement
• Analogous to ARP reply message
• ICMPv6 Type 136, Code 0.
• R, S & O flags to indicate advertisement type
R & O flags outside scope here
• Can be sent unsolicited [S=0] (like gratuitous ARP)
In which case uses all nodes multicast address
• IP source can be any address on same interface as target
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|R|S|O|                     Reserved                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                       Target Address                          +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Options ...
+-+-+-+-+-+-+-+-+-+-+-+-
Broadcast, Unknown, Multicast
Unknown unicast
• VPLS is just a virtual switch – still needs to learn MAC addresses
• Ports going down immediately flush database entries causing short bursts of flooding while MAC is relearnt
• Unidirectional flows can result in longer term flooding if the destination ages out of the database
• Stale routes can direct traffic to unknown MACs leading to extended flooding
• ARP can flush fdb entries on XOS (bug)
• We are investigating ways to better mitigate.
So why use multicast if it goes everywhere?
• A well designed NIC will filter in hardware
• ARP queries go to a single (broadcast) destination and will always need to be punted up the stack
• Neighbor solicitations are distributed over a large number of multicast groups. Most of them can be filtered out in hardware
More on NIC Filtering
• Ideally a NIC would have enough filter space for all subscribed groups
• Reality is that space is limited
• Different cards take different approaches
• Fallback to promiscuous mode
• Promiscuous for all multicast
• Hash the group address, accept any groups that hash to same value
• Caveat emptor. Know your hardware limits.
[linx-ops] LINX London Juniper LAN weirdness
• Nov 19th 2014 22:28 – Massive increase in non-unicast traffic
• Investigation shows member with fibre issue
• 2x10GE LAG, one link bouncing
• Member router not happy, sending massive numbers of neighbor solicitations
• Maxed out at around 3kp/s
• Caused instability for a number of other members
[linx-ops] LINX London Juniper LAN weirdness
• “IXPWatch” is good at spotting this for ARP
• Turns out not so good for IPv6 NS
• IPv6 NS stats were added to report easily
• Detection and alerting still has room for improvement
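A sketch of the kind of NS monitoring these two slides call for, added here as an example and not LINX or IXPWatch code: it parses the Neighbor Solicitation layout shown earlier and reports, per sender, the peak NS rate and how often a target was re-solicited in under one second. The record format, function names, sample addresses (private-use ASNs) and the pps limit are all assumptions.

```python
import ipaddress
import struct
from collections import defaultdict

NS_TYPE, SLLA_OPT = 135, 1  # ICMPv6 type 135; option 1 = source link-layer address


def build_ns(target, lladdr):
    """Build a constructed NS body for the sample data (checksum left at 0)."""
    opt = bytes([SLLA_OPT, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    header = struct.pack("!BBHI", NS_TYPE, 0, 0, 0)
    return header + ipaddress.IPv6Address(target).packed + opt


def parse_ns(icmp):
    """Return (target, source_lladdr_or_None), or None if not a valid NS."""
    if len(icmp) < 24:
        return None
    typ, code, _checksum, _reserved = struct.unpack("!BBHI", icmp[:8])
    if typ != NS_TYPE or code != 0:
        return None
    target = ipaddress.IPv6Address(icmp[8:24])
    lladdr, off = None, 24
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        end = off + opt_len * 8          # option length is in units of 8 octets
        if opt_len == 0 or end > len(icmp):
            return None                  # RFC 4861: discard zero-length options
        if opt_type == SLLA_OPT and opt_len == 1:
            lladdr = ":".join(f"{b:02x}" for b in icmp[off + 2:end])
        off = end
    return (target, lladdr) if off == len(icmp) else None


def ns_rate_report(records):
    """records: iterable of (timestamp_seconds, ipv6_source, icmpv6_bytes)."""
    per_target = defaultdict(list)                      # (sender, target) -> times
    per_second = defaultdict(lambda: defaultdict(int))  # sender -> second -> count
    report = defaultdict(lambda: {"peak_pps": 0, "fast_repeats": 0, "rejected": 0})
    for ts, sender, icmp in records:
        parsed = parse_ns(icmp)
        if parsed is None:
            report[sender]["rejected"] += 1
            continue
        per_target[(sender, parsed[0])].append(ts)
        per_second[sender][int(ts)] += 1
    for sender, buckets in per_second.items():
        report[sender]["peak_pps"] = max(buckets.values())
    for (sender, _target), stamps in per_target.items():
        stamps.sort()
        # The slides quote the RFC: no more than 1 solicitation/second/target.
        report[sender]["fast_repeats"] += sum(
            1 for a, b in zip(stamps, stamps[1:]) if b - a < 1.0)
    return dict(report)


def flagged(report, pps_limit=5):
    """Senders breaking the per-target rate or an assumed per-sender pps limit."""
    return sorted(s for s, r in report.items()
                  if r["fast_repeats"] > 0 or r["peak_pps"] > pps_limit)


# Constructed sample: one well-behaved sender, one retrying every 200 ms.
WELL_BEHAVED = "2001:7f8:4::fc01:1"
NOISY = "2001:7f8:4::fc53:1"


def sample_records():
    recs = [(t, WELL_BEHAVED, build_ns("2001:7f8:4::fc02:1", "02:00:00:00:00:01"))
            for t in (0.0, 1.0, 2.0)]
    for i in range(5):
        for tgt in ("2001:7f8:4::fc03:1", "2001:7f8:4::fc04:1"):
            recs.append((i * 0.2, NOISY, build_ns(tgt, "02:00:00:00:00:02")))
    # Truncated NS followed by a zero-length option: must be rejected.
    bad = build_ns("2001:7f8:4::fc03:1", "02:00:00:00:00:02")[:24] + bytes([1, 0])
    recs.append((0.9, NOISY, bad))
    return recs


if __name__ == "__main__":
    report = ns_rate_report(sample_records())
    for sender in flagged(report):
        print(sender, report[sender])
```
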
A note on addressing on LINX peering LANs
• LINX recommended IPv6 Address:
2001:7f8:4:{LAN}::{ASN}:1/64
• LAN administered by LINX
• ASN converted to hex, not BCD
• Examples:
LINX (5459) on Juniper LAN
2001:7f8:4::1553:1
LINX (8714) on IXCardiff
2001:7f8:4:4::220a:1
So how does that work with Neighbor Solicitations?
• LINX recommended IPv6 Address
2001:7f8:4:{LAN}::{ASN}:1/64
• Solicited nodes multicast address
33:33:ff:{A}:00:01
• A is the low order octet of the ASN
• 5th byte is almost always zero
• 550+ unique member ASNs share 229 last octets
• Most group addresses match at least 2 members
• Some as high as 7
• Still much better than ARP
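The mapping from member ASN to peering address, solicited-node group and group MAC, worked through in code. This is an added example, not LINX tooling; it covers both the Neighbor Solicitation slide's Target/Destination/Group MAC values and the ASN sharing described here. The function names are assumptions, the member list is constructed (the two LINX ASNs from the slides plus private-use ASNs), and only 16-bit ASNs are handled.

```python
import ipaddress
from collections import defaultdict

LINX_BASE = int(ipaddress.IPv6Address("2001:7f8:4::"))         # prefix from the slides
SOLICITED_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # solicited-node prefix


def linx_address(asn, lan=0, host=1):
    """2001:7f8:4:{LAN}::{ASN}:{host}, with the ASN written in hex, not BCD."""
    if not 0 < asn <= 0xFFFF:
        # Assumption: the slides do not show how a 32-bit ASN is laid out.
        raise ValueError("example handles 16-bit ASNs only")
    if not 0 <= lan <= 0xFFFF or not 0 <= host <= 0xFFFF:
        raise ValueError("lan and host must each fit in one 16-bit group")
    return ipaddress.IPv6Address(LINX_BASE | (lan << 64) | (asn << 16) | host)


def solicited_node(target):
    """ff02::1:ffXX:XXXX built from the last 24 bits of the target address."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_BASE | low24)


def group_mac(mcast):
    """Ethernet group address: 33:33 followed by the last 32 bits of the group."""
    tail = ipaddress.IPv6Address(mcast).packed[-4:]
    return "33:33:" + ":".join(f"{b:02x}" for b in tail)


def shared_groups(asns, lan=0):
    """Group MACs that more than one member's recommended address maps to."""
    groups = defaultdict(list)
    for asn in asns:
        groups[group_mac(solicited_node(linx_address(asn, lan)))].append(asn)
    return {mac: sorted(members) for mac, members in groups.items()
            if len(members) > 1}


# Constructed member list: 5459 and 8714 are the LINX ASNs on the slides,
# the rest are private-use ASNs picked so that some low octets coincide.
SAMPLE_ASNS = [5459, 8714, 64595, 64851, 64522, 64513]

if __name__ == "__main__":
    for asn in SAMPLE_ASNS:
        addr = linx_address(asn)
        group = solicited_node(addr)
        print(f"AS{asn:<6} {addr}  {group}  {group_mac(group)}")
    for mac, members in shared_groups(SAMPLE_ASNS).items():
        print(f"{mac} is shared by ASNs {members}")
```

Only the low-order octet of the ASN survives into the group MAC, so any two members whose ASNs agree in that octet receive each other's multicast solicitations even with perfect hardware filtering.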
How busy is IPv6?
Hmmm. Wrong scale.
How busy is IPv6?
• Around 0.7% of traffic on Juniper LAN
• Follows very similar diurnal pattern to IPv4
• Not just BGP and monitoring – real traffic
How does ARP vs NS look?
wat?
There are more neighbor solicitations than ARP requests on the Juniper LAN
How do the distributions compare?
• Median interval between repeated ARP requests is 8s
• Median for NS is only 4s
• ARP intervals more distributed
• NS has strong peaks at 1s, 3-5s
• Smaller peak at approx 60s
ND may attempt to be more efficient than ARP, but it sure seems chatty
What is causing the difference?
• Repeat offenders? Maybe…
Top 5% of senders account for 34% of requests*
• Down neighbors?
strong peak at 1s suggests retries
about 80% of destinations down
• I think we have a winner…
* Based on analysis of peak hour flooded traffic
Could we / Should we do something?
• Obvious reaction might be to suggest higher RETRANS_TIMER value
• Before jumping to that conclusion we should ask
“Does it matter that there is more ND than ARP?”
• NS Addressing makes it easier for nodes to cope
• Extending timer also makes unreachability detection slower
An IXP Perspective on IPv6 Neighbor Discovery

Mais conteúdo relacionado

Mais procurados

IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73APNIC
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKIAPNIC
 
OARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server SystemOARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server SystemAPNIC
 
RIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollRIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollAPNIC
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practiceJimmy Lim
 
Network interview questions
Network interview questionsNetwork interview questions
Network interview questionsrajasekar1712
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsBangladesh Network Operators Group
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end userAPNIC
 
Campus networking
Campus networkingCampus networking
Campus networkingJisc
 
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision ProblemUsing ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision ProblemAPNIC
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNICAPNIC
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityAPNIC
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNSAPNIC
 

Mais procurados (20)

I Pv6 Enabling Menog 0.4
I Pv6 Enabling Menog 0.4I Pv6 Enabling Menog 0.4
I Pv6 Enabling Menog 0.4
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental Website
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
OARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server SystemOARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server System
 
Scripting on Routers - NANOG 47
Scripting on Routers - NANOG 47Scripting on Routers - NANOG 47
Scripting on Routers - NANOG 47
 
RIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollRIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK Roll
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practice
 
Network interview questions
Network interview questionsNetwork interview questions
Network interview questions
 
Route Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for OperatorsRoute Origin Validation With Routinator - A MANRS Approach for Operators
Route Origin Validation With Routinator - A MANRS Approach for Operators
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end user
 
Campus networking
Campus networkingCampus networking
Campus networking
 
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision ProblemUsing ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNIC
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)Security
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNS
 

Destaque

Neighbor discoverydhcp
Neighbor discoverydhcpNeighbor discoverydhcp
Neighbor discoverydhcpFred Bovy
 
IPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryIPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryHeba_a
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatDigicomp Academy AG
 
2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShareSlideShare
 
What to Upload to SlideShare
What to Upload to SlideShareWhat to Upload to SlideShare
What to Upload to SlideShareSlideShare
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksSlideShare
 
Getting Started With SlideShare
Getting Started With SlideShareGetting Started With SlideShare
Getting Started With SlideShareSlideShare
 

Destaque (11)

I Pv6 Nd
I Pv6 NdI Pv6 Nd
I Pv6 Nd
 
Neighbor discoverydhcp
Neighbor discoverydhcpNeighbor discoverydhcp
Neighbor discoverydhcp
 
IPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryIPv6 - Neighbour Discovery
IPv6 - Neighbour Discovery
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
 
10 ipv6
10 ipv610 ipv6
10 ipv6
 
cours DHCP IPv4 et IPv6
cours DHCP IPv4 et IPv6cours DHCP IPv4 et IPv6
cours DHCP IPv4 et IPv6
 
IPv6
IPv6IPv6
IPv6
 
2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare
 
What to Upload to SlideShare
What to Upload to SlideShareWhat to Upload to SlideShare
What to Upload to SlideShare
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & Tricks
 
Getting Started With SlideShare
Getting Started With SlideShareGetting Started With SlideShare
Getting Started With SlideShare
 

Semelhante a An IXP Perspective on IPv6 Neighbor Discovery

How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Nowjulievreeland
 
Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73APNIC
 
Building day 2 upload Building the Internet of Things with Thingsquare and ...
Building day 2   upload Building the Internet of Things with Thingsquare and ...Building day 2   upload Building the Internet of Things with Thingsquare and ...
Building day 2 upload Building the Internet of Things with Thingsquare and ...Adam Dunkels
 
Part 10 : Routing in IP networks and interdomain routing with BGP
Part 10 : Routing in IP networks and interdomain routing with BGPPart 10 : Routing in IP networks and interdomain routing with BGP
Part 10 : Routing in IP networks and interdomain routing with BGPOlivier Bonaventure
 
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn FortinetDigicomp Academy AG
 
IPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoIPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoDigicomp Academy AG
 
A very good introduction to IPv6
A very good introduction to IPv6A very good introduction to IPv6
A very good introduction to IPv6Syed Arshad
 
Apnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshopApnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshopNguyen Minh Thu
 
Traffic locality
Traffic localityTraffic locality
Traffic localityAPNIC
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferenceCengage Learning
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
5. transistion mechanisum 1
5. transistion mechanisum 15. transistion mechanisum 1
5. transistion mechanisum 1rajataro
 
IPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onIPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onAPNIC
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesDon Anto
 

Semelhante a An IXP Perspective on IPv6 Neighbor Discovery (20)

How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Now
 
Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73
 
Wrou01
Wrou01Wrou01
Wrou01
 
Building day 2 upload Building the Internet of Things with Thingsquare and ...
Building day 2   upload Building the Internet of Things with Thingsquare and ...Building day 2   upload Building the Internet of Things with Thingsquare and ...
Building day 2 upload Building the Internet of Things with Thingsquare and ...
 
Part 10 : Routing in IP networks and interdomain routing with BGP
Part 10 : Routing in IP networks and interdomain routing with BGPPart 10 : Routing in IP networks and interdomain routing with BGP
Part 10 : Routing in IP networks and interdomain routing with BGP
 
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
 
IPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoIPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live Demo
 
Day 20.i pv6 lab
Day 20.i pv6 labDay 20.i pv6 lab
Day 20.i pv6 lab
 
A very good introduction to IPv6
A very good introduction to IPv6A very good introduction to IPv6
A very good introduction to IPv6
 
6421 b Module-04
6421 b Module-046421 b Module-04
6421 b Module-04
 
10 routing-bgp
10 routing-bgp10 routing-bgp
10 routing-bgp
 
Apnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshopApnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshop
 
Traffic locality
Traffic localityTraffic locality
Traffic locality
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
An IPv6 Primer
An IPv6 PrimerAn IPv6 Primer
An IPv6 Primer
 
5. transistion mechanisum 1
5. transistion mechanisum 15. transistion mechanisum 1
5. transistion mechanisum 1
 
Ipv6
Ipv6Ipv6
Ipv6
 
IPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onIPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-on
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & Securities
 

Último

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Último (20)

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

An IXP Perspective on IPv6 Neighbor Discovery

  • 1. IPv6 Neighbor Discovery An IXP Perspective Russell Heilling Senior Network Engineer russell@linx.net @xchewtoyx
  • 2. Or
  • 3. We all understand ARP, right? • Messages carried directly on Ethernet EtherType 0x806 • Device sends broadcast request Who has x.x.x.x? • Receivers check target against local addresses • If it matches they send a unicast reply • Result is cached All nodes on the network need to process all ARP Requests. High levels of ARP and you are going to have a bad day.
  • 4. • Defined in http://tools.ietf.org/html/rfc4861 • Messages are carried within ICMPv6 • Includes: • Router and prefix discovery • Address resolution and neighbor unreachability detection • Redirect function • Address resolution is most relevant from IXP perspective IPv6 Neighbor Discovery
  • 5. Router and prefix discovery • The main point on RD: “Don’t do it on the exchange” • We have seen an increase in the number of members sending RAs • Please check your config and make sure you have it disabled • We are improving our instrumentation and will be getting more proactive • This is an MoU violation, and will result in a chase
  • 6. • Analogous to ARP query message “I know your IP, what’s your MAC?” • ICMPv6 Type 135, Code 0. • Can be sent unicast to refresh neighbor cache • Can be multicast to discover uncached neighbors • Uses last 24-bits of target address to construct multicast destination Target: 2001:7f8:4::1553:2 Destination: ff02::1:ff53:2 Group MAC: 33:33:ff:53:00:02 • RFC recommends no more than 1 solicitation per second per target • Unicast solicitation used to refresh stale entry before removing 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + Target Address + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options ... +-+-+-+-+-+-+-+-+-+-+-+- Neighbor Solicitation
  • 7. Neighbor Advertisement • Analogous to ARP reply message • ICMPv6 Type 136, Code 0. • R, S & O flags to indicate advertisement type R & O flags outside scope here • Can be sent unsolicited [S=0] (like gratuitous ARP) In which case uses all nodes multicast address • IP source can be any address on same interface as target

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |R|S|O|                     Reserved                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      +                                                               +
      |                                                               |
      +                       Target Address                          +
      |                                                               |
      +                                                               +
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Options ...
      +-+-+-+-+-+-+-+-+-+-+-+-
  • 9. Unknown unicast • VPLS is just a virtual switch – still needs to learn MAC addresses • Ports going down immediately flush database entries, causing short bursts of flooding while the MAC is relearnt • Unidirectional flows can result in longer term flooding if the destination ages out of the database • Stale routes can direct traffic to unknown MACs, leading to extended flooding • ARP can flush FDB entries on XOS (bug) • We are investigating ways to better mitigate.
  • 10. So why use multicast if it goes everywhere? • A well designed NIC will filter in hardware • ARP queries go to a single (broadcast) destination and will always need to be punted up the stack • Neighbor solicitations are distributed over a large number of multicast groups. Most of them can be filtered out in hardware
  • 11. More on NIC Filtering • Ideally a NIC would have enough filter space for all subscribed groups • Reality is that space is limited • Different cards take different approaches • Fallback to promiscuous mode • Promiscuous for all multicast • Hash the group address, accept any groups that hash to same value • Caveat emptor. Know your hardware limits.
  • 12. [linx-ops] LINX London Juniper LAN weirdness • Nov 19th 2014 22:28 – Massive increase in non-unicast traffic • Investigation shows member with fibre issue • 2x10GE LAG, one link bouncing • Member router not happy, sending massive numbers of neighbor solicitations • Maxed out at around 3kp/s • Caused instability for a number of other members
  • 13. [linx-ops] LINX London Juniper LAN weirdness • “IXPWatch” is good at spotting this for ARP • Turns out not so good for IPv6 NS • IPv6 NS stats were added to report easily • Detection and alerting still has room for improvement
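
The checks implied by slides 5, 6, 12 and 13 (no RAs on the exchange, no more than one solicitation per second per target, and spotting a member flooding NS), written out as an added example that is not LINX or IXPWatch code. The record layout, the `pps_limit` threshold, the MAC addresses and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

RA, NS = 134, 135            # ICMPv6 types per RFC 4861 (134 = Router Advertisement)
MIN_NS_INTERVAL_MS = 1000    # "no more than 1 solicitation per second per target"

def analyse(records, window_ms=1000, pps_limit=100):
    """records: (ts_ms, src_mac, icmp_type, target) tuples seen in flooded traffic.

    pps_limit is a hypothetical alert threshold, counted per window_ms.
    """
    ra_senders, peak = set(), defaultdict(int)
    recent = defaultdict(deque)      # per-sender NS timestamps inside the window
    last_seen, fast_repeats = {}, defaultdict(int)
    for ts, src, icmp_type, target in sorted(records):
        if icmp_type == RA:          # RAs should never be seen on the peering LAN
            ra_senders.add(src)
            continue
        if icmp_type != NS:
            continue
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window_ms:    # drop solicitations older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
        key = (src, target)
        if key in last_seen and ts - last_seen[key] < MIN_NS_INTERVAL_MS:
            fast_repeats[src] += 1       # same target re-solicited too quickly
        last_seen[key] = ts
    return {
        "ra_senders": ra_senders,
        "peak_per_window": dict(peak),
        "fast_repeats": dict(fast_repeats),
        "storm_senders": {s for s, n in peak.items() if n > pps_limit},
    }

# Constructed sample, not captured traffic: member ...:0a cycles through 20
# targets every 5 ms, member ...:0b solicits one target once per second,
# member ...:0c sends a single RA.
SAMPLE = (
    [(i * 5, "02:00:00:00:00:0a", NS, f"2001:db8::{i % 20:x}") for i in range(400)]
    + [(t, "02:00:00:00:00:0b", NS, "2001:db8::99") for t in (0, 1000, 2000)]
    + [(500, "02:00:00:00:00:0c", RA, "")]
)

if __name__ == "__main__":
    for name, value in analyse(SAMPLE).items():
        print(name, value)
```

Timestamps are integer milliseconds so the window and interval comparisons are exact.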
  • 14. A note on addressing on LINX peering LANs • LINX recommended IPv6 Address: 2001:7f8:4:{LAN}::{ASN}:1/64 • LAN administered by LINX • ASN converted to hex, not BCD • Examples: LINX (5459) on Juniper LAN 2001:7f8:4::1553:1 LINX (8714) on IXCardiff 2001:7f8:4:4::220a:1
  • 15. So how does that work with Neighbor Solicitations? • LINX recommended IPv6 Address 2001:7f8:4:{LAN}::{ASN}:1/64 • Solicited-node multicast group MAC 33:33:ff:{A}:00:01 • A is the low order octet of the ASN • 5th byte is almost always zero • 550+ unique member ASNs share 229 last octets • Most group addresses match at least 2 members • Some as high as 7 • Still much better than ARP
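
The mapping from slides 6, 14 and 15 worked through in code, as an added example that is not part of the original slides: recommended address from LAN and ASN, solicited-node multicast destination, Ethernet group MAC, and how many members end up sharing a group. The function names and the sample member list are assumptions; only 16-bit ASNs are handled because the slides show no larger ones.

```python
import ipaddress
from collections import defaultdict

LINX_BASE = int(ipaddress.IPv6Address("2001:7f8:4::"))            # prefix from the slides
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # RFC 4291

def linx_address(asn, lan=0, host=1):
    """Recommended address 2001:7f8:4:{LAN}::{ASN}:{host}, ASN in hex (not BCD)."""
    if not 0 < asn <= 0xFFFF:
        # The slides only show 16-bit ASNs; larger ones are out of scope here.
        raise ValueError("only 16-bit ASNs are covered by this example")
    if not (0 <= lan <= 0xFFFF and 0 <= host <= 0xFFFF):
        raise ValueError("LAN and host must each fit in one 16-bit group")
    return ipaddress.IPv6Address(LINX_BASE | (lan << 64) | (asn << 16) | host)

def solicited_node(target):
    """Multicast destination of an NS: ff02::1:ff00:0 plus the target's low 24 bits."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)

def group_mac(mcast):
    """Ethernet group MAC: 33:33 followed by the low 32 bits of the IPv6 group."""
    low32 = (int(ipaddress.IPv6Address(mcast)) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)

def members_per_group(asns, lan=0):
    """Map each group MAC to the ASNs whose ::{ASN}:1 address lands in it."""
    groups = defaultdict(list)
    for asn in sorted(set(asns)):
        groups[group_mac(solicited_node(linx_address(asn, lan)))].append(asn)
    return dict(groups)

# Constructed member list: 5459 is from the slides, the others are private-use
# ASNs chosen so that three of them share the low octet 0x53.
SAMPLE_ASNS = [5459, 64595, 64851, 64512, 64522]

if __name__ == "__main__":
    for mac, asns in sorted(members_per_group(SAMPLE_ASNS).items()):
        print(mac, asns)
```

Members that land in the same group MAC receive each other's solicitations even when the NIC filters exactly, which is the sharing slide 15 counts.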
  • 16. How busy is IPv6? Hmmm. Wrong scale.
  • 17. How busy is IPv6? • Around 0.7% of traffic on Juniper LAN • Follows very similar diurnal pattern to IPv4 • Not just BGP and monitoring – real traffic
  • 18. How does ARP vs NS look? wat? There are more neighbor solicitations than ARP requests on the Juniper LAN
  • 19. How do the distributions compare? • Median interval between repeated ARP requests is 8s • Median for NS is only 4s • ARP intervals more distributed • NS has strong peaks at 1s, 3-5s • Smaller peak at approx 60s
  • 20. What is causing the difference? ND may attempt to be more efficient than ARP, but it sure seems chatty • Repeat offenders? Maybe… Top 5% of senders account for 34% of requests* • Down neighbors? Strong peak at 1s suggests retries; about 80% of destinations down • I think we have a winner… * Based on analysis of peak hour flooded traffic
  • 21. Could we / Should we do something? • Obvious reaction might be to suggest higher RETRANS_TIMER value • Before jumping to that conclusion we should ask “Does it matter that there is more ND than ARP?” • NS Addressing makes it easier for nodes to cope • Extending timer also makes unreachability detection slower