ski Monitoring Ipv6 Toku
31
Transcript of ski Monitoring Ipv6 Toku
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 1/31
Tomáš Podermański, [email protected] Matěj Grégr , [email protected]
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 2/31
• Brand new autoconfiguration mechanisms
– Router advertisement (M/O flags) – DHCPv6 uses DUID that does not contain MAC address of NIC
• Privacy extensions
– IPv6 addresses are created randomly by hosts
• Different platforms support different techniques – Windows XP - SLAAC
– Windows Vista/7 – SLAAC + DHCPv6
– MAC OS, iOS - SLAAC only (expect Lion – released 06/2011)
– Linux, BSD, … – depends on distribution
• You have to use both mechanisms in real network
– DHCPv6 server, Advertises on router
– + DHCP(v4)
IPv6 - autoconfiguration
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 3/31
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 4/31
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 5/31
Host identification in IP(v4) and IPv6
• How it works in IPv4
– DHCP(v4) – based on MAC address
– Direct relation between MAC address, IP address, host
– IP address is pretty stable (one host can lease same IPaddress for long time)
– Usually only one IP(v4) is assigned
• Can authentication through 802.1x help ?
– Not directly, there is no relation between L2
authentication and IPv6 address• Can DHCPv6 only environment help ?
– Not at all there is no relation between DUID and MACaddress
• An host has usually more IP address
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 6/31
Traffic for a single host
• Filter definition for nfdump (one host)
• Ho to get accounting information for top n hosts ?• Who the address XX:YY::AA:BB belongs to ?
nfdump -R -6 . "
host 2001:67c:1220:e000:1d90:c54c:7183:2771 or
host 2001:67c:1220:e000:1d76:8ea4:1433:3a06 or
host 2001:67c:1220:e000:f8c7:b911:607e:ded3 or
host 2001:67c:1220:e000:fc24:ab74:10cc:a6b7 or
host 2001:67c:1220:e000:b9:bc89:32f3:36b8:e14e orhost 2001:67c:1220:e000:8c8b:37f0:9ecc:fc51 or
host 2001:67c:1220:e000:61ff:16c0:3d52:366”
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 7/31
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 8/31
Extended flow record
• Basic flow record
– key fields: src/dst addess, src/dst port
– non-key fields: bytes, pkts
• Extended flow record
– MAC address : neighbor cache (NC), arp table
IP address MAC address
NC, ARP
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 9/31
Extended flow record
• Basic flow record
– key fields: src/dst addess, src/dst port
– non-key fields: bytes, pkts
• Extended flow record
– MAC address : neighbor cache (NC), arp table – Switch port: forwarding database (FDB)
IP address MAC address Switch port
NC, ARPFDB
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 10/31
Extended flow record
• Basic flow record
– key fields: src/dst addess, src/dst port
– non-key fields: bytes, pkts
• Extended flow record
– MAC address : neighbor cache (NC), arp table – Switch port: forwarding database (FDB)
– Login : radius server
IP address MAC address Switch port Login ID
NC, ARPFDB
radius
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 11/31
Where to get proper information
• Mapping IPv6/IPv4 address <-> MAC address
– neighbor cache, ARP table
– passive probes at local networks (ndwatch, arpwatch)
– SNMP MIB database on routers
• ipv6NetToMediaTable, ipNetToPhysicalTable
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 12/31
Where to get proper information
• Mapping IPv6/IPv4 address <-> MAC address
– neighbor cache, ARP table
– passive probes at local networks (ndwatch, arpwatch)
– SNMP MIB database on routers
• ipv6NetToMediaTable, ipNetToPhysicalTable
• Mapping MAC address – switch port
– SNMP MIB database on switches
• RFC 4188: BRIDGE-MIB
• RFC 4363: Q-BRIDGE MIB (dot1dTpFdbTable)
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 13/31
Where to get proper information
• Mapping IPv6/IPv4 address <-> MAC address
– neighbor cache, ARP table
– passive probes at local networks (ndwatch, arpwatch)
– SNMP MIB database on routers
• ipv6NetToMediaTable, ipNetToPhysicalTable
• Mapping MAC address – switch port
– SNMP MIB database on switches
• RFC 4188: BRIDGE-MIB
• RFC 4363: Q-BRIDGE MIB (dot1dTpFdbTable)
• Mapping MAC address – user identity
– radius server – 802.1x (authentication data)
– external source (DB, DHCP server, … )
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 14/31
Architecture of the system
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 15/31
Architecture of the system
• netflow/ipfix exports• flowmon probes
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 16/31
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 17/31
Architecture of the system
• nfdump toolsethttp://nfdump.sourceforge.net/
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 18/31
netflow collector
NetFlov9
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 19/31
Architecture of the system
• Network AdministrationVisualized (NAV)http://metanav.uninett.no/
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 20/31
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 21/31
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 22/31
Architecture of the system
• Network AdministrationVisualized (NAV)http://metanav.uninett.no/
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 23/31
collecting NC, ARPradius data
radius servers
SNMP
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 24/31
Architecture of the system
• Home made nftool• User ID mapped to mplstags
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 25/31
Architecture of nftool
• Periodical process
– Obtain data from NAV database (PostgreSQL)
– Update information in nfdump files
flow data(flat files)
nftoolflow data
(updated flat files)
NAV DB
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 26/31
Architektura DR systému
• CLI interface – nfdump
A f l f
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 27/31
A few examples of usage
• Traffic belonging to host with MAC 58:1f:aa:82:39:6c
• Aggregated traffic for each MAC
• Aggregated traffic for each user
• All traffic belonging to user with ID 183
nfdump -R . "mac 58:1f:aa:82:39:6c"
nfdump -R . -a -A insrcmac,outsrcmac "(mpls label1
183 or mpls label2 183 )”
nfdump -R . -a -A insrcmac,outsrcmac
nfdump -R . -a -A mpls1,mpls2
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 28/31
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 29/31
P bl t l
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 30/31
Problems to solve
• Extension of nfdump
– Not “raping” mpls fields for user identification – Pathes for nfdump ?
• NAV : some parts written in java
–developers are working on moving to python
8/3/2019 ski Monitoring Ipv6 Toku
http://slidepdf.com/reader/full/ski-monitoring-ipv6-toku 31/31
![[3] rpp ski vii 1 & 2](https://static.fdocuments.pl/doc/165x107/5872f2f41a28ab8c718b4eaf/3-rpp-ski-vii-1-2.jpg)
