Copyright 2016. Icontrol Networks.
Impact of IPv6 on Smart Home Technology
April 5, 2016
Introduction
Corey Gates, CTO
Icontrol Networks, Inc.
Connected Home Solutions Powered by Icontrol
• RETAIL SOLUTIONS
• TOP NORTH AMERICAN CABLE PROVIDERS
• WORLD’S LARGEST HOME SECURITY PROVIDERS
• LEADING INTERNATIONAL SERVICE PROVIDERS
Doesn’t IPv4 Just Work?
For Sale
iPhone 6 16g cracked screen works fine for sprint willing to trade for another sprint phone also
Source: varagesale.com, March 2016
IPv6 In Context
IPv4 address availability is in decline
Source: APNIC Labs, March 2016
IPv6 In Context
Number of devices dramatically increasing
Source: Business Insider Intelligence, 2015
Chart annotation: Smart Home Devices Included Here
IPv6 In Context
Number of services increasing
Source: Forrester Research Inc., June 2015
Chart annotation: Services Requiring Internet Connectivity
IPv6 In Context
Source: Image from blog.apnic.net
IPv6 is needed to ensure pervasive Internet connectivity
Device Development and IPv6: Top Four Considerations
• Education
• Standards
• Security
• Fallback Plan
Education
Education Plan
• IPv6 Protocol
• IPv6 APIs
    struct in6_addr addr;
    s = socket(AF_INET6, SOCK_STREAM, 0);
IPv6 Protocol: Comparing IPv4 with IPv6
• IPv6 headers are focused on data needed for routing
Source: cisco.com CC-BY-SA-3.0, via Wikimedia Commons
IPv6 Protocol: Comparing IPv4 with IPv6
• IPv6 extension headers add flexibility, but also complexity
Packet layout: IPv6 Header (Next Header) | Ext Header (Next Header) | TCP Header | Data
Zero or more extension headers:
• Fragments
• Routing
• Security
• Mobility
• …
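Added example (not from the original slides): a bounds-checked walk of the Next Header chain, which a packet filter has to perform before it can see the TCP header behind any extension headers. Header lengths follow RFC 8200; the cap of 8 headers and the sample packet are assumptions, and headers other than Hop-by-Hop, Routing, Destination Options and Fragment are returned as the upper layer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_EXT_HEADERS 8   /* assumption: local policy cap, not from the slides */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_DSTOPTS = 60 };
/* Returns the upper-layer protocol number and stores its offset in *off, or -1
 * if the packet is truncated, is a non-first fragment, or exceeds the cap. */
int ipv6_upper_layer(const uint8_t *pkt, size_t len, size_t *off)
{
    if (len < 40 || (pkt[0] >> 4) != 6) return -1;
    uint8_t next = pkt[6];              /* Next Header field of the fixed header */
    size_t pos = 40;                    /* the fixed header is always 40 bytes */
    for (int n = 0; n <= MAX_EXT_HEADERS; n++) {
        size_t hlen = 8;                /* Fragment header: fixed 8 bytes */
        switch (next) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if (len - pos < 2) return -1;
            hlen = ((size_t)pkt[pos + 1] + 1) * 8;   /* Hdr Ext Len, 8-octet units */
            break;
        case NH_FRAGMENT:               /* offset != 0: upper layer is not in this packet */
            if (len - pos < 8 || pkt[pos + 2] != 0 || (pkt[pos + 3] & 0xF8) != 0)
                return -1;
            break;
        default:                        /* not an extension header handled here */
            *off = pos; return next;
        }
        if (len - pos < hlen) return -1;
        next = pkt[pos];                /* each header names the one that follows */
        pos += hlen;
    }
    return -1;
}

/* Constructed sample: fixed header -> Hop-by-Hop -> Fragment -> 8 bytes of TCP. */
size_t build_sample(uint8_t buf[64])
{
    memset(buf, 0, 64);
    buf[0] = 0x60; buf[6] = NH_HOPOPTS; buf[40] = NH_FRAGMENT; buf[48] = NH_TCP;
    return 64;
}

int main(void)
{
    uint8_t buf[64]; size_t off = 0;
    printf("upper-layer protocol %d\n", ipv6_upper_layer(buf, build_sample(buf), &off));
    return 0;
}
```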
IPv6 Protocol: IPv6 vs. IPv4 Address Space
• Different address space means a different network
Diagram: Device to example.com over two separate networks
• IPv4 Network, DNS: A record
• IPv6 Network, DNS: AAAA record
Source: cisco.com CC-BY-SA-3.0, via Wikimedia Commons
IPv6 Protocol: Address Assignment
• Stateless Address Auto Configuration (SLAAC) vs. DHCPv6
Address layout: Network prefix | Interface Id
• Network prefix: Global prefix or Link-local prefix
• Interface Id: MAC-based or Pseudo-random
SLAAC enables a node to obtain an IPv6 address in a decentralized manner
DHCPv6 enables centralized address assignment
What about Default Router, DNS, NTP, etc.?
☛ Available through DHCPv6 or ICMPv6 Router Advertisements
IPv6 Protocol: ICMPv6
• ICMPv6 – Control protocol for IPv6
  • Must be supported
  • Replaces ARP with ND over multicast
  • Assists with configuration, routing - more than ICMP did
  • Reducing fragmentation - Path MTU
Message format: type | code | checksum, followed by the message body
Type: 0-127 = error message, 128-255 = informational
Source: cisco.com CC-BY-SA-3.0, via Wikimedia Commons
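Added example (not from the original slides): ICMPv6 carries Neighbor Discovery and so cannot simply be blocked, but a receiver or filter can still apply the RFC 4861 on-link checks to it. The function and verdict names are hypothetical, the packet is constructed, and extension headers and checksum verification are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NH_ICMPV6 = 58, ND_RS = 133, ND_RA = 134, ND_REDIRECT = 137 };
typedef enum { V_MALFORMED, V_ERROR, V_INFO, V_ND_OK, V_ND_REJECT } verdict;

/* Classify an IPv6 packet that carries ICMPv6 directly after the fixed header
 * (assumption: no extension headers; the checksum is not verified here).
 * Neighbor Discovery types 133-137 must pass the on-link checks of RFC 4861:
 * Hop Limit 255 and code 0, plus a link-local source and a 16-byte minimum
 * ICMPv6 length for Router Advertisements. */
verdict classify_icmp6(const uint8_t *pkt, size_t len)
{
    if (len < 44 || (pkt[0] >> 4) != 6 || pkt[6] != NH_ICMPV6)
        return V_MALFORMED;
    uint8_t hop_limit = pkt[7], type = pkt[40], code = pkt[41];
    const uint8_t *src = pkt + 8;

    if (type < ND_RS || type > ND_REDIRECT)
        return type < 128 ? V_ERROR : V_INFO;  /* 0-127 error, 128-255 informational */
    if (hop_limit != 255 || code != 0)
        return V_ND_REJECT;                    /* a forwarded packet cannot arrive with 255 */
    if (type == ND_RA && (len < 56 || src[0] != 0xfe || (src[1] & 0xc0) != 0x80))
        return V_ND_REJECT;                    /* RA source must be in fe80::/10 */
    return V_ND_OK;
}

/* Constructed sample: Router Advertisement from fe80::1 to ff02::1 (all nodes). */
size_t build_ra(uint8_t buf[56], uint8_t hop_limit)
{
    memset(buf, 0, 56);
    buf[0] = 0x60; buf[5] = 16; buf[6] = NH_ICMPV6; buf[7] = hop_limit;
    buf[8] = 0xfe; buf[9] = 0x80; buf[23] = 1;      /* source fe80::1 */
    buf[24] = 0xff; buf[25] = 0x02; buf[39] = 1;    /* destination ff02::1 */
    buf[40] = ND_RA;
    return 56;
}

int main(void)
{
    uint8_t buf[56];
    printf("hop limit 255: verdict %d\n", classify_icmp6(buf, build_ra(buf, 255)));
    printf("hop limit 64:  verdict %d\n", classify_icmp6(buf, build_ra(buf, 64)));
    return 0;
}
```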
IPv6 Protocol: Multicast
• Multicast
  • Must be supported
  • How to Broadcast? => Link-local multicast group
  • Multicast address format allows multiple scopes:
Address fields: 11111111 | flags | scope | flgs2 | rsvd | plen | net prefix | group id
flags: temporary or permanent
scope: 1=node-local, 2=link-local, 5=site-local, 8=organization-local, 14=global
group id: 0:0:0:0:0:1 = all nodes, 0:0:0:0:0:2 = all routers, …
Source: RFC 7371, September 2014
IPv6 Protocol Education Summary
• New addressing scheme means a new network
  • DNS records are different
• Decentralized way to obtain addresses
• Changes to well known protocols:
  • ICMPv6 now critical
  • DHCPv6 less important and often not needed
  • ARP is not used
IPv6 APIs
IPv6 impacts various APIs
• C, C++, C#, Go, Java, JS, Python, Ruby, Swift etc. are affected
• New data structures or new interfaces introduced
• Error handling may change
IPv6 impacts DNS lookup and processing
• Service discovery
• Fallback process (more on this later)
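IPv4 to IPv6 Porting Example
IPv4:
    struct sockaddr_in server;
    ...
    server.sin_len = sizeof(server);      /* sin_len exists on BSD-derived stacks only */
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = INADDR_ANY;  /* wildcard address */
    server.sin_port = 0;                  /* let the stack pick a port */
    if (bind(sock, (struct sockaddr *) &server, sizeof(server)) < 0) {
    ...
IPv6:
    struct sockaddr_in6 server;
    ...
    server.sin6_len = sizeof(server);     /* sin6_len exists on BSD-derived stacks only */
    server.sin6_family = AF_INET6;
    server.sin6_addr = in6addr_any;       /* wildcard address, a struct rather than an integer */
    server.sin6_port = 0;                 /* let the stack pick a port */
    if (bind(sock, (struct sockaddr *) &server, sizeof(server)) < 0) {
    ...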
IPv6: Further Education
Learn about IPv6
• Tutorials and primers
  • Free tutorials on the web
  • Lots of primers and slideware available
• Technical training
  • Involve both managers and developers
Standards
Relevant IPv6 standards exist in multiple domains
• IPv6 related standards
• IPv4 transition standards
• Various communication standards related to IPv6
  • Example: HTTPS (over TCP over TLS over IPv6)
  • Example: Thread (mapping IPv6 onto 802.15.4)
  • …
Security
Security must be considered from the start
• New network layer -> time to re-examine security
• ICMPv6 and multicast
  • IPv6 depends on ICMPv6 and multicast
  • Cannot just shut this down (no ARP!)
• Dual stacks
  • Do not presume IPv6 is “off”
  • Need to audit and test both connectivity modes
• Auto-configuration
  • May expose MAC address
  • “Privacy” addresses using pseudo-random ids
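Added example (not from the original slides) for the MAC-based interface id shown under Address Assignment and the MAC exposure noted above: it derives the modified EUI-64 id from a MAC and audits a textual address for one. Function names, the MAC and the sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modified EUI-64 (RFC 4291, Appendix A): split the MAC, insert ff:fe,
 * and invert the universal/local bit of the first octet. */
void eui64_from_mac(const uint8_t mac[6], uint8_t iid[8])
{
    memcpy(iid, mac, 3);
    iid[3] = 0xff;
    iid[4] = 0xfe;
    memcpy(iid + 5, mac + 3, 3);
    iid[0] ^= 0x02;
}

/* Audit check: returns 1 and recovers the MAC if the interface id of the
 * textual address looks MAC-derived, 0 if not, -1 if the text is not IPv6.
 * Heuristic: a random id matches the ff:fe pattern with probability 2^-16. */
int addr_exposes_mac(const char *text, uint8_t mac[6])
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1)
        return -1;
    const uint8_t *iid = a.s6_addr + 8;     /* low 64 bits = interface id */
    if (iid[3] != 0xff || iid[4] != 0xfe)
        return 0;
    memcpy(mac, iid, 3);
    memcpy(mac + 3, iid + 5, 3);
    mac[0] ^= 0x02;                         /* undo the universal/local flip */
    return 1;
}

int main(void)
{
    /* Constructed samples: documentation prefix 2001:db8::/32, made-up MAC. */
    const char *samples[] = { "2001:db8::211:22ff:fe33:4455",
                              "2001:db8::5c1e:93a7:0b42:d6f0" };
    for (int i = 0; i < 2; i++) {
        uint8_t m[6] = {0};
        if (addr_exposes_mac(samples[i], m) == 1)
            printf("%s embeds MAC %02x:%02x:%02x:%02x:%02x:%02x\n", samples[i],
                   m[0], m[1], m[2], m[3], m[4], m[5]);
        else
            printf("%s has no MAC-derived interface id\n", samples[i]);
    }
    return 0;
}
```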
Security
• Multiple addresses
  • Very common in IPv6
• Some things to watch out for
  • Buffer overflow issues
    • Larger IP addresses
    • DNS results (glibc had getaddrinfo buffer overflow!)
  • Packet Filtering
    • Fake RA and ND multicasts
  • Fallback attacks
    • Downgrading of security protocols
    • Forcing IPv4 addresses
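Added example (not from the original slides) for the "larger IP addresses" point and the porting slide: storage and text buffers sized for IPv4 are too small for IPv6, and inet_ntop() rejects a short buffer rather than overrunning it. parse_addr and format_addr are hypothetical helper names; the sample addresses come from documentation ranges.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Parse a numeric address of either family. sockaddr_storage is large enough
 * for both sockaddr_in and sockaddr_in6, unlike a bare struct sockaddr_in. */
int parse_addr(const char *text, struct sockaddr_storage *ss)
{
    struct sockaddr_in  *v4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *v6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof *ss);
    if (inet_pton(AF_INET6, text, &v6->sin6_addr) == 1) {
        v6->sin6_family = AF_INET6;
        return 0;
    }
    memset(ss, 0, sizeof *ss);
    if (inet_pton(AF_INET, text, &v4->sin_addr) == 1) {
        v4->sin_family = AF_INET;
        return 0;
    }
    return -1;
}

/* Format into a caller-supplied buffer. inet_ntop() checks the size and
 * returns NULL (errno ENOSPC) instead of writing past the end. */
const char *format_addr(const struct sockaddr_storage *ss, char *buf, socklen_t len)
{
    const void *src = ss->ss_family == AF_INET6
        ? (const void *)&((const struct sockaddr_in6 *)ss)->sin6_addr
        : (const void *)&((const struct sockaddr_in *)ss)->sin_addr;
    return inet_ntop(ss->ss_family, src, buf, len);
}

int main(void)
{
    /* Constructed sample from the 2001:db8::/32 documentation prefix. */
    struct sockaddr_storage ss;
    char legacy[INET_ADDRSTRLEN];    /* sized for "255.255.255.255" only */
    char sized[INET6_ADDRSTRLEN];    /* fits any IPv4 or IPv6 text form */
    parse_addr("2001:db8:1111:2222:3333:4444:5555:6666", &ss);
    printf("IPv4-sized buffer: %s\n", format_addr(&ss, legacy, sizeof legacy) ? "ok" : "rejected");
    printf("IPv6-sized buffer: %s\n", format_addr(&ss, sized, sizeof sized));
    return 0;
}
```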
Fallback Plan
Is IPv4 alive and well?
By Dhatfield - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=4279886
IPv4
Fallback Plan
Top ten networks by volume only average 39% IPv6
[Chart: IPv6 adoption per network, axis 0% to 100%]
Source: Internet Society, March 2016
Fallback Plan
Dual Stack IPv4/IPv6
• Service discovery
  • Can IPv6 be used? Or only IPv4?
• Network discovery
  • Can IPv6 route to Internet services?
• Security issues
  • How to protect a system with multiple interfaces?
• Usability issues
  • Does the user need to know which network?
  • How will the UI expose this duality?
Four Considerations
• Education
• Standards
• Security
• Fallback Plan
Thanks
Questions?
Twitter: @CoreyCoreygates