
Tomáš Podermański, tpoder@cis.vutbr.cz
Matěj Grégr, igregr@fit.vutbr.cz

IPv6 - autoconfiguration
Brand new autoconfiguration mechanisms
Router advertisement (M/O flags)
DHCPv6 uses DUID that does not contain MAC address of NIC

Privacy extensions
IPv6 addresses are created randomly by hosts

Different platforms support different techniques
Windows XP - SLAAC
Windows Vista/7 - SLAAC + DHCPv6
MAC OS, iOS - SLAAC only (expect Lion released 06/2011)
Linux, BSD - depends on distribution

You have to use both mechanisms in a real network
DHCPv6 server, advertisements on router + DHCP(v4)

Host identification in IP(v4) and IPv6

How it works in IPv4
DHCP(v4) based on MAC address
Direct relation between MAC address, IP address, host
IP address is pretty stable (one host can lease the same IP address for a long time)
Usually only one IP(v4) address is assigned

Can authentication through 802.1x help?
Not directly, there is no relation between L2 authentication and IPv6 address

Can a DHCPv6-only environment help?
Not at all, there is no relation between DUID and MAC address

A host usually has more IP addresses

Traffic for a single host


Filter definition for nfdump (one host)
nfdump -R -6 . " host 2001:67c:1220:e000:1d90:c54c:7183:2771 or host 2001:67c:1220:e000:1d76:8ea4:1433:3a06 or host 2001:67c:1220:e000:f8c7:b911:607e:ded3 or host 2001:67c:1220:e000:fc24:ab74:10cc:a6b7 or host 2001:67c:1220:e000:b9:bc89:32f3:36b8:e14e or host 2001:67c:1220:e000:8c8b:37f0:9ecc:fc51 or host 2001:67c:1220:e000:61ff:16c0:3d52:366

How to get accounting information for top n hosts?
Who does the address XX:YY::AA:BB belong to?

Extended flow record

Basic flow record
key fields: src/dst address, src/dst port
non-key fields: bytes, pkts

Extended flow record
MAC address: neighbor cache (NC), ARP table
Switch port: forwarding database (FDB)
Login: radius server

[Diagram: IP address, MAC address, Switch port, Login ID, linked by NC/ARP, FDB and radius]

Where to get proper information

Mapping IPv6/IPv4 address <-> MAC address
neighbor cache, ARP table
passive probes at local networks (ndwatch, arpwatch)
SNMP MIB database on routers: ipv6NetToMediaTable, ipNetToPhysicalTable

Mapping MAC address to switch port
SNMP MIB database on switches
RFC 4188: BRIDGE-MIB
RFC 4363: Q-BRIDGE MIB (dot1dTpFdbTable)

Mapping MAC address to user identity
radius server, 802.1x (authentication data)
external source (DB, DHCP server, ...)
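The mapping chain above (IP address to MAC address via NC/ARP, MAC address to switch port via FDB, MAC address to login via radius) applied to basic flow records, as an added example that is not code from the original slides or from nftool. Table layouts, timestamps, function names, addresses in the 2001:db8::/32 and 192.0.2.0/24 documentation ranges and the second MAC address are assumptions made for the illustration. Lookups are time-bounded because an IPv6 privacy address can later appear on a different NIC.

```python
# Added example; every record below is constructed sample data.
from collections import defaultdict
from ipaddress import ip_address

# Neighbor cache / ARP observations: (ip, mac, first_seen, last_seen)
NEIGHBORS = [
    ("2001:db8:e000::1d90:c54c", "58:1f:aa:82:39:6c", 100, 400),
    ("2001:db8:e000::f8c7:b911", "58:1f:aa:82:39:6c", 350, 900),  # new privacy address
    ("192.0.2.10", "58:1f:aa:82:39:6c", 100, 900),
    ("2001:db8:e000::1d90:c54c", "02:00:00:00:00:01", 600, 900),  # same address, other NIC, later
]
# Forwarding database: mac -> (switch, port)
FDB = {"58:1f:aa:82:39:6c": ("sw1", "Gi0/7"), "02:00:00:00:00:01": ("sw2", "Gi0/3")}
# RADIUS / 802.1x sessions: (mac, login_id, start, stop)
RADIUS = [("58:1f:aa:82:39:6c", 183, 90, 950)]
# Basic flow records: (timestamp, src_ip, bytes)
FLOWS = [
    (120, "2001:DB8:E000::1D90:C54C", 5000),
    (500, "2001:db8:e000::f8c7:b911", 700),
    (300, "192.0.2.10", 40),
    (700, "2001:db8:e000::1d90:c54c", 999),
    (800, "2001:db8:e000::dead", 1),
]

def _covering(rows, key, ts):
    """Return the row keyed by `key` whose time window contains ts, else None."""
    return next((r for r in rows if r[0] == key and r[-2] <= ts <= r[-1]), None)

def extend_flow(ts, src_ip, nbytes):
    """Turn a basic flow record into an extended one (MAC, switch port, login)."""
    ip = str(ip_address(src_ip))  # canonical form, so textual variants match
    nb = _covering(NEIGHBORS, ip, ts)
    mac = nb[1] if nb else None
    sess = _covering(RADIUS, mac, ts) if mac else None
    return {"ip": ip, "mac": mac, "port": FDB.get(mac),
            "login": sess[1] if sess else None, "bytes": nbytes}

def bytes_per_login(flows):
    """Aggregate traffic per login ID; unattributed traffic is kept under None."""
    totals = defaultdict(int)
    for ts, src_ip, nbytes in flows:
        totals[extend_flow(ts, src_ip, nbytes)["login"]] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for flow in FLOWS:
        print(extend_flow(*flow))
    print(bytes_per_login(FLOWS))
```

Traffic that cannot be tied to a login stays visible under the `None` key instead of being dropped, which is what an accounting or incident-response query needs.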

Architecture of the system

netflow/ipfix exports
flowmon probes

netflow collector (NetFlow v9)
nfdump toolset http://nfdump.sourceforge.net/

Network Administration Visualized (NAV) http://metanav.uninett.no/
SNMP
collecting NC, ARP, radius data
radius servers

Home made nftool
User ID mapped to mpls tags

Architecture of nftool
Periodical process
Obtain data from NAV database (PostgreSQL)
Update information in nfdump files

[Diagram: NAV DB and flow data (flat files) are inputs to nftool, which outputs flow data (updated flat files)]

Architecture of the DR system
CLI interface: nfdump

A few examples of usage

Traffic belonging to host with MAC 58:1f:aa:82:39:6c
nfdump -R . "mac 58:1f:aa:82:39:6c"

Aggregated traffic for each MAC
nfdump -R . -a -A insrcmac,outsrcmac

Aggregated traffic for each user
nfdump -R . -a -A mpls1,mpls2

All traffic belonging to user with ID 183
nfdump -R . -a -A insrcmac,outsrcmac "(mpls label1 183 or mpls label2 183)"

Problems to solve
Extension of nfdump
Not abusing mpls fields for user identification
Patches for nfdump?

NAV: some parts written in Java
developers are working on moving to Python
