© 2003-2005 Monash CTIE Introduction to IPv6 Protocols Australian Telecommunications CRC Next Generation Internet Program @ Centre for Telecommunications and Information Engineering Monash University http://ctieware.eng.monash.edu.au/twiki/bin/view/Applprog


© 2003-2005 Monash CTIE

Slide 1: Introduction to IPv6 Protocols

Australian Telecommunications CRC, Next Generation Internet Program
Centre for Telecommunications and Information Engineering, Monash University
http://ctieware.eng.monash.edu.au/twiki/bin/view/Applprog

Slide 2: Hello, who are we?

Centre for Telecommunications and Information Engineering (CTIE):
- Research centre within Monash University
- Part of ATcrc Next Generation Internet Program
- Have an IPv6 testbed running
- Developers of IPv6 multimedia applications
- Implementers of IPv6 mobility protocols
- Contributors to IETF Working Groups and standards on Mobile-IP and IPv6
- Diverse research and commercial experience

Slide 3: What we will present

- Basics
- Addressing
- Routing
- Domain Name System
- IPv4 to IPv6 transition
- Security
- State of the Art
- Mobile IPv6

Slide 4: IPv6

- Network layer protocol
- Node-to-node information delivery across multiple links
- Layer 3 in the OSI reference model

(Figure: OSI Reference Model, top to bottom: Application, Presentation, Session, Transport, Network, Link, Physical layers; IPv6 sits at the Network layer.)

Slide 5: IPv6 Header

- Simplified header compared to IPv4

(Figure: the IPv4 and IPv6 headers drawn 32 bits wide.)
IPv4 header fields: Version, Header Length, Type of Service, Length, Identification, Flags, Fragment Offset, Time To Live, Protocol, Header Checksum, Source Address (32 bits), Destination Address (32 bits)
IPv6 header fields: Version, Class of Service, Flow Label, Payload Length, Next Header, Hop Limit, Source Address (128 bits), Destination Address (128 bits)

Slide 6: Extension Headers

- Basic header simplified for ease of processing
- Additional information carried in extension headers:
  - Hop-by-hop options
  - Routing header
  - Fragment header
  - Destination options header
  - Authentication header (AH)
  - Encrypted security payload (ESP) header
- Next Header field says what type of header follows, e.g. Fragment Header, TCP, ICMP, etc.

(Figure: Basic Header [Next Hdr] -> Extension Header [Next Hdr, Length] -> Extension Header [Next Hdr, Length] -> Payload)
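The Next Header chain these two slides describe, walked in code. This is an added example, not from the CTIE slides: it decodes the 40-byte fixed header, follows the extension-header chain to the upper-layer protocol, and applies the length checks a receiver needs so that a malformed chain is rejected instead of being parsed off the end of the buffer. The packet it parses is constructed inside the example; the header type numbers are the IANA protocol numbers.

```python
import ipaddress
import struct

# IANA protocol numbers for the extension headers listed on the slide.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
ICMPV6 = 58
MAX_EXTENSION_HEADERS = 8  # defensive bound: a legitimate chain is short


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-byte IPv6 fixed header (RFC 2460 section 3)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,  # "Class of Service" on the slide
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def walk_header_chain(pkt: bytes):
    """Follow Next Header fields through the extension headers.

    Returns (fixed_header, [extension header types in order], upper-layer
    protocol number, byte offset of the upper-layer header).
    """
    hdr = parse_fixed_header(pkt)
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("Payload Length runs past the end of the packet")
    next_hdr, offset, chain = hdr["next_header"], 40, []
    while next_hdr in EXTENSION_HEADERS:
        if len(chain) >= MAX_EXTENSION_HEADERS:
            raise ValueError("extension header chain too long")
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        if next_hdr == FRAGMENT:
            length = 8                           # Fragment header is fixed size
        elif next_hdr == AH:
            length = (pkt[offset + 1] + 2) * 4   # AH Payload Len: 32-bit words minus 2
        else:
            length = (pkt[offset + 1] + 1) * 8   # Hdr Ext Len: 8-octet units, excluding the first 8
        if offset + length > end:
            raise ValueError("extension header overruns Payload Length")
        chain.append(next_hdr)
        next_hdr = pkt[offset]  # each extension header starts with its own Next Header
        offset += length
    return hdr, chain, next_hdr, offset


def build_sample_packet() -> bytes:
    """Constructed packet (not a capture): IPv6 + Hop-by-Hop + Fragment + ICMPv6 echo request."""
    src = ipaddress.IPv6Address("3ffe:db8::1").packed   # constructed source address
    dst = ipaddress.IPv6Address("ff02::1").packed       # all-nodes link-local multicast
    hop_by_hop = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])  # Next=Fragment, Len 0, PadN(4) option
    fragment = bytes([ICMPV6, 0]) + struct.pack("!HI", 0, 1)  # Next=ICMPv6, offset 0, ID 1
    icmp_echo = bytes([128, 0, 0, 0, 0, 1, 0, 1])       # type 128 echo request, checksum left 0
    payload = hop_by_hop + fragment + icmp_echo
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64) + src + dst
    return fixed + payload
```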

Slide 7: ICMPv6

- Same basic concept as ICMP (for IPv4)
- Error messages, e.g.:
  - Destination unreachable
  - Packet too big
  - Time exceeded
  - Parameter problem
- Information messages, e.g.:
  - Echo request/reply
  - Router solicitation/advertisement
  - Multicast Listener Discovery (like IGMP for IPv4)

Slide 8: Progress: Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6

Slide 9: Address space

- 128 bit addresses
- Massive address space to last for the foreseeable future
- Default allocation is for all sites to receive 2^16 = 65536 subnets
- Ensures that it is possible to allocate a globally unique address to every host so that end-to-end applications are possible

Slide 10: Address types

- Unicast
- Anycast
- Multicast
- No more broadcast!

Slide 11: Representing IPv6 addresses

- x:x:x:x:x:x:x:x, e.g. 1234:5678:9abc:def0:1234:5678:9abc:def0
- One string of zeros may be represented by “::”, e.g. ff02:0:0:0:0:0:0:1 = ff02::1
- Last 2 fields may be represented in IPv4 “dotted decimal” form, e.g. 0:0:0:0:0:ffff:192.168.0.1 or ::ffff:192.168.0.1
- “[]” are used around the address for representation in URLs: http://[3ffe:a:b:c::1]:port/dir

Slide 12: Representing IPv6 addresses (cont)

- No more netmasks
- Represented by a “/prefixlen” appended to the end of an address, where prefixlen indicates the number of bits in the address that make up the network address
- Similar to classless address representation in IPv4, e.g. 3ffe:a:b:1::1/64
  - Network part: 3ffe:a:b:1::
  - Host part (interface identifier): ::1

Slide 13: Address allocation

- fe80::/10 - link-local
- fec0::/10 - site-local (now deprecated)
- fc00::/8 - ULA central
- fd00::/8 - ULA local
- ff00::/8 - multicast
- 2000::/3 - globally aggregatable unicast
- 3ffe::/16 - 6bone
- 0000::/8 is reserved and contains addresses like:
  - Unspecified address - ::
  - Loopback address - ::1
  - IPv6 addresses with IPv4 addresses embedded in them

Slide 14: Unicast addressing

- Associated with an interface rather than a node
- Several types of unicast addresses:
  - Limited scope - link-local, ULA
  - Globally aggregatable
  - Transition - IPv4 compatible, IPv4 mapped

Slide 15: Multicast addressing

- ffxy:: prefix
- x = flags
  - One flag currently defined
  - Indicates whether the address is one assigned by the IANA or a transient address
- y = scope
  - 1 - host scope
  - 2 - link scope
  - 5 - site scope
  - 8 - organization scope
  - e - global scope

Slide 16: Multicast addressing (cont.)

- Suffix indicates group
- IANA has registered groups for particular uses
  - ::1 - all hosts
  - ::2 - all routers
  - etc.
- Using an example from RFC 3513: if the “NTP servers group” is assigned a permanent group ID of 0x101 then
  - ff01::101 means “all NTP servers on the same node as the sender”
  - ff02::101 means “all NTP servers on the same link as the sender”
  - ff05::101 means “all NTP servers on the same site as the sender”
  - ff0e::101 means “all NTP servers on the Internet”

Slide 17: Solicited Nodes Multicast Address

- FF02:0:0:0:0:1:FFXX:XXXX where XX:XXXX is the low order 24 bits of the Interface Identifier of a unicast address
- Nodes MUST join the solicited nodes multicast address group for each unicast address configured
- Facilitates location of nodes
- Example:
  - Unicast: 3ffe:0db8::fedc:ba98:7654:3210
  - Solicited nodes multicast: ff02::1:ff54:3210

Slide 18: Interface Identifiers

- Manually configured
- EUI-64
  - Formed from MAC address of interface
- RFC-3041 temporary addresses
  - Randomly generated interface identifiers
  - Provides some level of privacy

(Figure: Address = Prefix | Interface Identifier)

Slide 19: Address configuration

- Stateful
  - DHCPv6 - RFC 3315
  - Clients use scoped multicast to reach servers and relays
  - May provide information in addition to addresses, e.g. DNS address
- Stateless
  - Routers send periodic advertisements
  - May also be solicited
  - Hosts use information in advertisements to create valid addresses

Slide 20: Router Advertisement

- RAs are sent periodically and in response to Router Solicitations
- Contains link prefix, lifetime, MTU, etc.
- Hosts construct addresses by appending their interface identifier to the prefix advertised by the router
- This address then needs to be tested to ensure uniqueness
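Address formation as slides 17, 18 and 20 describe it, in an added example that is not part of the CTIE slides: an EUI-64 interface identifier from a MAC address, a randomized RFC 3041 style identifier, the stateless address formed from an advertised /64, and the solicited-node group that address must join (the slide 17 example is used as a check). The MAC address and prefix are constructed inputs; `dad_listeners` shows why a Duplicate Address Detection probe reaches only the hosts whose low 24 bits collide.

```python
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 Appendix A).

    0xFFFE is inserted between the OUI and the NIC-specific part and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def temporary_interface_id() -> int:
    """Random interface identifier in the spirit of RFC 3041: 64 random bits with the
    universal/local bit cleared so it cannot be mistaken for a globally unique EUI-64."""
    return secrets.randbits(64) & ~(1 << 57)


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Stateless autoconfiguration: advertised /64 prefix + 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a 64-bit prefix")
    if iid >> 64:
        raise ValueError("interface identifier must fit in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX from the low-order 24 bits of a unicast address (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def dad_listeners(candidate, configured):
    """Which already-configured addresses share the candidate's solicited-node group,
    i.e. which hosts would even receive a Duplicate Address Detection probe for it."""
    group = solicited_node(candidate)
    return [a for a in configured if solicited_node(a) == group]
```

An EUI-64 identifier carries the hardware address into every network the host visits, which is the exposure the RFC 3041 temporary identifiers on slide 18 are meant to limit.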

Slide 21: Duplicate Address Detection

- Multicast is used to assist in detection of conflicting addresses
- Packets are sent to the solicited nodes multicast address
- The packet essentially asks if anyone is already using this address
- If another node responds, the interface either shuts down or tries another address
- The nature of the multicast address ensures that a host that is using the tested address must be listening, but most other hosts won't be.

Slide 22: Duplicate Address Detection

(Figure: the probing host asks “Is anyone using address “X”?”; a host already holding the address answers “I am.”)

Slide 23: Link Address Resolution

- Uses the same packet types as DAD
- Equivalent of ARP in IPv4
- Neighbour Solicitation message is sent to the solicited nodes multicast address (rather than broadcast as in IPv4).
- Host with the destination IP address responds with a Neighbour Advertisement that includes its link layer address.

Slide 24: Link Address Resolution

(Figure: the resolving host asks “Who’s using address “X”?”; the owner answers “I am. My link layer address is “xxx””.)

Slide 25: Neighbour Unreachability Detection

- Hosts maintain a cache of devices they have communicated with recently.
- The table indicates the reachability state of each host.
- Neighbour solicitation/advertisement messages are used to probe devices to confirm reachability
  - Not done when it can be confirmed by other information such as a TCP three-way handshake
  - Also not initiated just because a device hasn't been heard from for some time.
- Old entries removed

Slide 26: IPv6 MTU & PATH MTU Discovery

- Maximum Transmission Unit (MTU)
- IPv6 MTU minimum 1280 bytes (vs. IPv4 68 bytes)
- IPv6 fragmentation end-to-end
  - Routers don’t fragment IPv6 packets - end nodes do it.
- Path MTU discovery not mandatory
- Routers may reply with ICMPv6 ‘Packet too big’ and drop if packet exceeds router/link MTU.

Slide 27: IPv6 MTU & PATH MTU Discovery

(Figure: a path of three links with MTU 1500, MTU 1480 and MTU 1280.)
- Sender transmits a 1500 byte packet
- Reply: Packet too big - MTU = 1480
- Sender transmits a 1480 byte packet
- Reply: ICMPv6 Packet too big - MTU = 1280
- Sender transmits a 1280 byte packet
- Successful packet delivery
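The exchange on this slide as an added simulation, not code from the CTIE slides: a list of link MTUs stands in for the path, each too-small link answers Packet Too Big with its own MTU, and the sender shrinks the packet and retries. It also carries through the two points of the previous slide: the sender never goes below the 1280-byte minimum, and fragmentation, when needed, is done by the end node. All sizes are constructed inputs.

```python
IPV6_MIN_MTU = 1280      # every IPv6 link must carry at least this
IPV6_HEADER = 40         # fixed header size
FRAGMENT_HEADER = 8      # Fragment extension header size


def path_mtu_discovery(link_mtus, packet_size, max_rounds=16):
    """Simulate a sender probing a path whose links have the given MTUs, in order.

    Routers do not fragment: the first link too small for the packet answers with
    ICMPv6 Packet Too Big carrying its MTU and drops the packet; the sender shrinks
    and retries. Returns (delivered_size or None, [(reported_mtu, packet_size), ...]).
    """
    size, events = packet_size, []
    for _ in range(max_rounds):
        too_small = next((mtu for mtu in link_mtus if size > mtu), None)
        if too_small is None:
            return size, events                 # whole path accepted the packet
        events.append((too_small, size))
        if too_small < IPV6_MIN_MTU:
            # A host must not lower its path MTU estimate below the IPv6 minimum,
            # so a link (or a message) reporting less than 1280 cannot be honoured.
            return None, events
        size = too_small
    return None, events


def fragment_sizes(upper_layer_len, path_mtu):
    """End-node fragmentation: split upper-layer data so each fragment fits the path MTU.

    Every fragment except the last must carry a multiple of 8 octets of data,
    and each fragment carries its own IPv6 header plus a Fragment header.
    """
    per_fragment = (path_mtu - IPV6_HEADER - FRAGMENT_HEADER) // 8 * 8
    if per_fragment <= 0:
        raise ValueError("path MTU too small for any fragment")
    sizes, remaining = [], upper_layer_len
    while remaining > 0:
        chunk = min(per_fragment, remaining)
        sizes.append(chunk)
        remaining -= chunk
    return sizes
```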

Slide 28: Summary

- Huge address space
- Hosts can autoconfigure their own addresses
- Scoping allows for some clever use of multicast
- Neighbour Discovery replaces ARP for address resolution
  - Also introduces new functionality of Stateless address autoconfiguration, DAD, NUD, PMTU discovery

Slide 29: Progress: Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6

Slide 30: Packet switched networks

- Internet is a packet switched network
- Each packet contains full addressing information
  - Simple headers for IPv6
- Routing is the process of working out how to send a packet to its destination

Slide 31: Routing

- All nodes examine the destination address of arriving packets
  - Hosts either accept or discard
  - Routers may also forward packets to another node
- Packets for “on-link” destinations may be delivered directly
- Other packets must be forwarded to a “next-hop” router
- Packet travels hop-by-hop until it reaches its destination

Slide 32: Routing (cont)

Example (IPv6):

traceroute to munnari.oz.au (2001:388:c02:4000::1:21) from 3ffe:8001:12:fc:203:47ff:fe31:51b1, 30 hops max, 16 byte packets
 1  3ffe:8001:12:fc::3 (3ffe:8001:12:fc::3)  0.396 ms  0.305 ms  0.307 ms
 2  3ffe:8000:ffff:1012::100 (3ffe:8000:ffff:1012::100)  51.953 ms  *  39.798 ms
 3  vbns-trumpet.hay.vbns.net (3ffe:28ff:ffff:3::100)  251.758 ms  245.323 ms  251.982 ms
 4  cs-v6-atm0-2.dng.vbns.net (3ffe:28ff:ffff:3::)  299.732 ms  314.289 ms  *
 5  iplsng-vbns.abilene.ucaid.edu (2001:468:ff:12c1::1)  404.823 ms  365.734 ms  372.79 ms
 6  6plains-iplsng.abilene.ucaid.edu (2001:468:ff:121d::2)  393.285 ms  346.691 ms  359.758 ms
 7  sit1.ipv6.broadway.aarnet.net.au (2001:388::1)  559.186 ms  550.964 ms  622.729 ms
 8  2001:388:0:11::2 (2001:388:0:11::2)  670.786 ms  542.702 ms  542.287 ms
 9  2001:388:c02:4000::1:21 (2001:388:c02:4000::1:21)  560.391 ms  530.628 ms  559.938 ms

Slide 33: Routing (cont)

- A router may have many interfaces and/or neighbours
- How does the router know where to send a packet?
  - Routing table

Slide 34: Routing tables

- Contains information about how to get a packet “closer” to its destination:
  - Destination prefix
  - Next hop router
  - Outgoing interface
  - Metric
- Routing table is consulted for longest matching prefix
- Packet is forwarded using the information in the routing table entry with the longest matching prefix

Slide 35: Prefix matching

Example: simplified routing table

Prefix                 Next Hop             Interface
3ffe:0db8:5000::/36    3ffe:0db8:1000::2    eth0
3ffe:0db8:5400::/40    3ffe:0db8:1001::2    eth1

- Packet arrives with destination address: 3ffe:0db8:5401::1
- Matches both routing table entries, but the second entry is a longer match (40 bits), so the packet is forwarded out interface eth1

Slide 36: Static vs. Dynamic

- How is the routing table constructed?
- Routing table entries may be made by hand
  - Static routes
  - Not scalable
- Most routing table entries calculated automatically
  - Dynamic routes
  - Routers exchange information with one another
  - Routing protocols

Slide 37: The Internet

- “Network of networks”
- Not practical for every host (or even router) to have a routing table entry for every other host/router in the Internet
- To make routing tables practical, we need entries that refer to multiple hosts
- E.g. Default route:  0::/0  3ffe:0db8:1000::2  eth0
  - “0::/0” will always match and will always be the shortest match
  - This single entry covers every host that we don’t already have another entry for
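The longest-match lookup of slides 34, 35 and 37 as an added example (not code from the CTIE slides), using Python's ipaddress module on the slide's table plus the default route. A more-specific entry always beats the aggregate, which is why an unexpected more-specific prefix matters when filtering the routing information a router accepts. `covered_by_aggregate` is the check behind the aggregation slides that follow: every site prefix must sit inside the single prefix announced outside the AS.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    next_hop: ipaddress.IPv6Address
    interface: str


class RoutingTable:
    """Forwarding table consulted by longest matching prefix."""

    def __init__(self):
        self._routes = []

    def add(self, prefix: str, next_hop: str, interface: str) -> None:
        self._routes.append(Route(ipaddress.IPv6Network(prefix, strict=False),
                                  ipaddress.IPv6Address(next_hop), interface))

    def lookup(self, destination: str) -> Optional[Route]:
        """Return the matching entry with the longest prefix, or None if nothing matches."""
        addr = ipaddress.IPv6Address(destination)
        best = None
        for route in self._routes:
            if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        return best


def slide_table() -> RoutingTable:
    """The simplified table from the prefix-matching slide plus the default route."""
    table = RoutingTable()
    table.add("3ffe:0db8:5000::/36", "3ffe:0db8:1000::2", "eth0")
    table.add("3ffe:0db8:5400::/40", "3ffe:0db8:1001::2", "eth1")
    table.add("::/0", "3ffe:0db8:1000::2", "eth0")   # written 0::/0 on the slide
    return table


def covered_by_aggregate(aggregate: str, prefixes) -> bool:
    """Aggregation check: every site prefix must fall inside the one prefix announced outside the AS."""
    agg = ipaddress.IPv6Network(aggregate)
    return all(ipaddress.IPv6Network(p).subnet_of(agg) for p in prefixes)
```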

Slide 38: Aggregation

- As a network of networks, the Internet is divided into administrative regions called “Autonomous Systems” (AS)
- Generally all of the routing information from within an AS can be summarized into a single routing table entry
- E.g. Acme Computers have many networks: 3ffe:0db8:1001:(a,b,c,etc.)::/64
- Devices outside the Acme Computer AS only need to know how to reach: 3ffe:0db8:1001::/48

(Figure: the Internet drawn as several interconnected ASs.)

Slide 39: Aggregation (cont)

- Devices outside of Acme have a single routing entry for all Acme networks

(Figure: inside the Acme AS: 3ffe:0db8:1001:a::/64, 3ffe:0db8:1001:b::/64, 3ffe:0db8:1001:c::/64, 3ffe:0db8:1001:d::/64. Each other AS in the Internet holds one entry: 3ffe:0db8:1001::/48 via route X, 3ffe:0db8:1001::/48 via route Y, 3ffe:0db8:1001::/48 via route Z.)

Slide 40: Aggregation (cont)

- So far same as IPv4
- IPv6 takes aggregation further
  - Strict hierarchy for address allocation
  - IP address allocation is always a subset of the provider's address space
- E.g. The entire set of hosts beneath the top level provider can be summarized with a single routing table entry

(Figure: allocation hierarchy)
Large provider:    3ffe:0db8::/32
Small providers:   3ffe:0db8:2500::/40, 3ffe:0db8:2600::/40
Individual sites:  3ffe:0db8:2501::/48, 3ffe:0db8:2502::/48, 3ffe:0db8:2601::/48, 3ffe:0db8:2602::/48

Slide 41: Threats to Aggregation

- Provider independent addressing
- Multihoming
  - Connecting to the Internet through multiple providers
  - Not yet standardized
  - One of the big hurdles in the way of IPv6 deployment

Slide 42: Routing Protocols

- Two types of routing protocols: Interior, Exterior
- Exterior routing protocols are used to exchange information between ASs
  - BGP-4+
- Interior routing protocols exchange information with other routers under the same administrative control
  - RIPng, OSPFv3

Slide 43: Exterior Protocols

- Communicate with other systems
- Control routing table sizes
- Manage policy
- Use bandwidth efficiently

Slide 44: Interior Protocols

- Independent of protocols used in other ASs
- Convey complete routing information within an AS
- Some protocols allow summarization within an AS
  - OSPF areas
- Propagate change rapidly

Slide 45: Routing Information Protocol – Next Generation (RIPng)

- Interior gateway protocol
- Based on RIP (IPv4)
- Distance vector algorithm
- Limited to networks with no more than 15 hops
- Routing decisions take into account fixed metrics (usually 1)

Slide 46: Route table

- Each router maintains a route table
- Each entry in the table contains:
  - prefix of destination
  - metric, equal to the sum of metrics along each hop to the destination network
  - IPv6 address of next hop
  - a flag to indicate recent changes have taken place
  - various timers associated with the route

Slide 47: Request/response packets

- UDP used to carry messages
- Packet format
  - route tag used to separate RIPng routes for the network being managed from those of an external RIPng process that have been imported into the network
- Responses may be in response to a request packet or may be sent periodically without solicitation
- Responses contain lists of route table entries for the sender
  - May contain complete or partial tables

Slide 48: Split horizon

- Don't advertise routes learned from an interface out that interface
- Poisoned-reverse
  - Do advertise routes learned from an interface out that interface, but set metric to infinity so that they appear to be unreachable
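Split horizon and poisoned reverse applied to a small RIPng route table (slides 45 to 48), in an added example that is not code from the CTIE slides. `build_response` produces the route table entries advertised on one interface under each rule; `process_response` is the receiving side, adding the link cost and treating metric 16 as unreachable. Prefixes and metrics are constructed inputs, and tracking the interface a route was learned on instead of the neighbour's address is this example's own simplification.

```python
INFINITY = 16  # RIPng metric meaning "unreachable" (15 hops is the maximum)


def build_response(routes, out_interface, poisoned_reverse=False):
    """Route table entries (prefix, metric) a router advertises on out_interface.

    routes: list of (prefix, metric, learned_on), where learned_on is the interface
    the route arrived on (None for directly connected networks).
    Split horizon omits routes learned on out_interface; poisoned reverse keeps
    them but advertises them at metric INFINITY.
    """
    rtes = []
    for prefix, metric, learned_on in routes:
        if learned_on == out_interface:
            if poisoned_reverse:
                rtes.append((prefix, INFINITY))
            continue
        rtes.append((prefix, min(metric, INFINITY)))
    return rtes


def process_response(routes, rtes, in_interface):
    """Apply a neighbour's response received on in_interface; returns the new table.

    The receiver adds the link cost (1) and installs a route if it is new and
    reachable, strictly better, or comes from the interface the current route
    already uses (so a poisoned route from that neighbour is honoured).
    """
    table = {prefix: (metric, learned_on) for prefix, metric, learned_on in routes}
    for prefix, advertised in rtes:
        metric = min(advertised + 1, INFINITY)
        current = table.get(prefix)
        if current is None:
            if metric < INFINITY:                 # never install an unreachable route
                table[prefix] = (metric, in_interface)
        elif metric < current[0] or current[1] == in_interface:
            table[prefix] = (metric, in_interface)
    return [(prefix, metric, iface) for prefix, (metric, iface) in table.items()]
```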

Slide 49: Major Differences from RIP

- RIP includes a "next hop" entry in each routing table entry (RTE)
- Due to the length of IPv6 addresses, RIPng defines a special RTE that contains a next-hop address that applies to all following RTEs until another next-hop RTE is included

Slide 50: Open Shortest Path First (OSPF)

- Another interior gateway protocol
- Link state algorithm
- Version 3 supports IPv6

Slide 51: Areas

- Large ASs may be broken up into “Areas”
- Helps control the amount of traffic used to propagate information

Slide 52: Designated routers

- Uses an election process to pick one router on each link to be “in charge”

Slide 53: Flooding

- Link state information is propagated by flooding the entire network
- Contrast with RIP, where information about the entire network is passed only to neighbours
- Link State Advertisements (LSAs) are stored by routers in a “link-state database”
- Dijkstra’s algorithm used on this database to calculate the shortest path tree and populate the routing table

Slide 54: Differences from OSPFv2 (IPv4)

- Protocol processing done per-link rather than per-subnet
  - Single links may have multiple IPv6 subnets, and devices on the same link that don't share a subnet may still communicate directly
- IP addresses are no longer used in OSPF packets
  - Packets carry topology information in the form of router IDs (which are 32-bit values like IPv4 addresses and are sometimes represented that way)
- Flooding scope added to LSAs
  - Link, Area and AS scope

Slide 55: Differences from OSPFv2 (IPv4) (cont)

- Support for multiple instances of OSPF per link
- Link-local addresses used for communication between routers where possible
- Special multicast addresses
  - AllSPFRouters: ff02::5
  - AllDRouters: ff02::6
- Authentication removed from protocol specification
  - OSPF now relies on the IP Authentication Header and IP Encapsulating Security Payload features of IPv6 to secure the integrity of routing exchanges

Slide 56: Border Gateway Protocol (BGP)

- Exterior gateway protocol that allows routing information to be exchanged between autonomous systems (ASs), sufficient to determine reachability and eliminate routing loops.

Slide 57: BGP Peers

- Information is exchanged between pairs of routers called BGP peers
- Information carried using TCP
  - Small “keep alive” packets keep the TCP session from timing out.

Slide 58: BGP routes

- Contains “Network Layer Reachability Information” (NLRI) plus “path attributes”
  - Next Hop
  - AS path
- Routing decisions may be based on the attributes
- Policies are used to determine which routes are sent to a peer and which routes will be accepted

Slide 59: Updates

- Entire routing table exchanged when peering first established
- Because TCP is used, only changes need to be transmitted after that
  - Efficient use of bandwidth (compared to IGPs)
- Routes may be added, deleted or modified
- Routing loops are avoided by examining the AS path

Slide 60: Supporting IPv6

- BGP-4+ contains extensions for supporting network protocols other than IPv4
- Very little required in order to support IPv6
- BGP Identifier is still an IPv4 address
  - IPv6-only routers still need an IPv4 address to run BGP
- New attribute defined that carries both the IPv6 NLRI as well as the next hop
  - Next hop attribute is not used (v4 only)

Slide 61: Progress: Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6

Slide 62: DNS - Domain Name System

- DNS translates “fully qualified domain names” like www.ctie.monash.edu.au into IP addresses like 130.194.137.141 or 2001:388:608c:fc:205:5dff:fe00:9e3a
- DNS servers hold records associating names to IP numbers
- Applications use a DNS client (resolver) to access the records
- Each DNS entry contains multiple record types (RR) and information
- No modification required to support IPv6 addresses in the DNS system
- Newer DNS software supports both IPv4 and IPv6 access

Slide 63: DNS: Resource Records (RR)

- RR: A records for IPv4 address
- AAAA record for IPv6 address
- A6, not used much anymore = alternative IPv6 address record
- Example DNS record lookup:

dig helen.ctie.monash.edu.au any
;; QUERY SECTION:
        helen.ctie.monash.edu.au, type = ANY, class = IN
;; ANSWER SECTION:
helen.ctie.monash.edu.au.  12H IN A     130.194.252.35
helen.ctie.monash.edu.au.  12H IN AAAA  2001:388:608c:fc:205:5dff:fe00:9d30
;; AUTHORITY SECTION:
monash.edu.au.  12H IN NS  netslave1.cc.monash.edu.au.

Slide 64: DNS: IPv6 & Software Support

- DNS name server software
  - IPv4 queries can get IPv6 addresses from existing name servers
  - BIND v9 (on unix/linux/MacOSX) has native IPv6 access
  - MS Windows DNS (winNT, 2K, XP) - IPv4 query only!
- Client (resolver) apps:
  - Nslookup (MS Windows, Unix, MacOSX) - IPv4 queries
  - DIG - IPv4 and IPv6 versions
  - Proxy software exists for native IPv6 DNS lookup to IPv4 name servers

Slide 65: DNS: Reverse lookup

- NOT all DNS name servers support reverse lookup of IPv6 addresses
- dig -x <IP address> automatically queries under in-addr.arpa (IPv4) or ip6.arpa (IPv6)

Examples:
- dig -x 10.1.1.10 looks up 10.1.1.10.in-addr.arpa.
- dig -x 3ffe:4567:12:fc:205:5dff:defd:abc looks up \[x3FFE4567001200FC02055DFFDEFD0ABC/128].ip6.arpa.

The bracketed owner name in the second example is the bit-string label syntax (RFC 2673) that the BIND 9 dig of the day emitted. It was deprecated together with A6 (RFC 3363); current resolvers query the nibble format instead (RFC 3596): one hexadecimal digit per label, in reverse order, under ip6.arpa.
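The two reverse-mapping name forms on this slide, as an added Python example (not from the original deck): reverse_name() builds the owner name a current resolver queries (in-addr.arpa, or nibble-format ip6.arpa), bitstring_name() reproduces the deprecated bit-string label shown above, and address_from_reverse_name() inverts the first so a PTR owner name in a zone file can be checked against the address it is meant for. The addresses are the slide's own; nothing here sends a query.

```python
import ipaddress


def reverse_name(addr: str) -> str:
    """Owner name that dig -x queries today: in-addr.arpa for IPv4, nibble-format ip6.arpa for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def bitstring_name(addr: str) -> str:
    """The deprecated RFC 2673 bit-string label form shown on the slide (one 128-bit label under ip6.arpa)."""
    ip = ipaddress.IPv6Address(addr)
    return "\\[x%s/128].ip6.arpa." % ip.exploded.replace(":", "").upper()


def address_from_reverse_name(name: str):
    """Inverse of reverse_name(): the address a full in-addr.arpa / nibble ip6.arpa owner name stands for."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return ipaddress.IPv4Address(".".join(reversed(labels[:-2])))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        return ipaddress.IPv6Address(int("".join(reversed(labels[:-2])), 16))
    raise ValueError("not a full reverse-mapping name: " + name)


if __name__ == "__main__":
    for a in ("10.1.1.10", "3ffe:4567:12:fc:205:5dff:defd:abc"):
        print(a, "->", reverse_name(a))
    print(bitstring_name("3ffe:4567:12:fc:205:5dff:defd:abc"))
```

A PTR record whose owner name does not round-trip through address_from_reverse_name() back to the address in the matching AAAA record is the usual cause of "forward and reverse do not match" failures in mail and SSH logging.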

Slide 66: Progress

Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6

Slide 67: IPv4 to IPv6 Transition

Strategies and mechanisms.

The problem:
- The IPv4 to IPv6 transition is gradual
- IPv6 devices need to communicate with IPv4 devices
- IPv6 needs to communicate over IPv4 links

The solutions:
- Dual stack (IPv4 and IPv6) routers and workstations
- Tunnels
- Protocol translation and application-specific gateways
- RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers (since superseded by RFC 4213)

Slide 68: Dual Stack

- Dual stack (IPv4, IPv6) routers and workstations
- The application does not really need to know what the transport is
- Can communicate with both IPv4 and IPv6 peers

Stack diagram: Application over TCP/UDP over two parallel network layers, IPv6 (Ethertype 0x86DD) and IPv4 (Ethertype 0x0800), over Ethernet.

Slide 69: Dual Stack (cont)

Applications on dual stack hosts:
- For applications that only support IPv4: use IPv4 only
- For applications that support IPv6:
  - If the DNS lookup of the destination resolves to an IPv4 address, use IPv4
  - If DNS resolves to an IPv6 address, use IPv6
  - If both are returned, the host's default address selection (RFC 3484) normally tries IPv6 first and falls back to IPv4
- Routers forward traffic based on the IP version and their routing rules for that version

Slide 70: IPv4-mapped addresses

- IPv4-mapped addresses: IPv6 node to IPv4 node
- Used by IPv6 applications for the internal representation of IPv4 addresses (an AF_INET6 socket sees an IPv4 peer as ::ffff:a.b.c.d)
- The IPv6 node communicates directly (via its dual stack) with the IPv4 address; the mapped address never appears on the wire
- Format: 80 bits of 0, 16 bits of 1, then the 32-bit IPv4 address

  0:0:0:0:0:FFFF:192.17.1.42  =  ::FFFF:192.17.1.42  =  ::ffff:c011:12a

Slide 71: IPv4-compatible addresses

- IPv4-compatible addresses represent an IPv6 node without it having a "real" IPv6 address
- The IPv6 node communicates directly (via dual stack) with IPv4 addresses
- Format: 96 bits of 0, then the 32-bit IPv4 address

  0:0:0:0:0:0:192.17.1.42  =  ::192.17.1.42  =  ::c011:12a

- Used by the automatic tunnelling mechanism of RFC 2893 (not by 6to4, which has its own 2002::/16 prefix, see slide 76)
- Cannot use IPv6 stateless address autoconfiguration: requires a preconfigured IPv4 address for the node
- Deprecated by RFC 4291, since current transition mechanisms no longer use them

Slide 72: Tunnels

- Tunnels: encapsulation of IPv6 over IPv4
- Manual (configured) point-to-point tunnels: RFC 2893
- Automatic tunnels: 6to4 (RFC 3056), Teredo, ISATAP; the tunnel endpoint is derived from the IPv6 address itself, so IPv6 hosts or networks communicate over IPv4 without explicit tunnel setup
- 6bone: the tunnel-connected IPv6 test network (3ffe::/16); tunnel brokers provide temporary links

Diagram: two IPv6 routers, 3ffe:0db8::1/64 and 3ffe:0db8::2/64, whose IPv4 addresses are 192.168.1.10 and 192.168.10.2, joined by an "IPv6 in IPv4" tunnel across the IPv4 network.

Slide 73: Tunnels - IPv6 in IPv4

The IPv6 packet is encapsulated in an IPv4 packet:

  | IPv4 header | IPv4 payload                      |
                | IPv6 header | IPv6 payload        |

The IPv4 Protocol field is 41 (IPv6), and the whole IPv6 packet, header included, is the IPv4 payload.

Slide 74: Tunnels - IPv6 in IPv4

- The IPv4 tunnel appears as a single hop to the IPv6 nodes
- The MTU decreases by the IPv4 header size (20 bytes): a 1500-byte IPv4 link carries 1480-byte IPv6 packets, and since IPv6 requires a minimum link MTU of 1280 bytes the IPv4 path must carry at least 1300 bytes
- Tunnel types: router-router, node-node, node-router
- Tunnel configuration: manual (mainly for point-to-point), automatic, tunnel broker (as per 6bone, for occasional use)
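The encapsulation of slides 73 and 74 as an added Python example (not from the original deck): build_ipv6() and encapsulate() produce the IPv4-in-front-of-IPv6 layout with protocol 41 and a correct IPv4 header checksum, tunnel_mtu() applies the 20-byte reduction together with the 1280-byte IPv6 floor, and check_tunnel_frame() is the tunnel exit check a configured tunnel endpoint should run before decapsulating: protocol 41 packets from any IPv4 source would otherwise be a way to inject arbitrary IPv6 into the tunnel. The IPv4 and IPv6 addresses are the ones on the slide 72 diagram; the IPv6 payload is constructed for the example.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41        # IPv4 protocol number carrying an encapsulated IPv6 packet (RFC 2893 / RFC 4213)
IPV4_HEADER_LEN = 20     # outer header without options: the overhead the slide describes
IPV6_MIN_MTU = 1280


def inet_checksum(data: bytes) -> int:
    """One's-complement sum used by the IPv4 header checksum; 0 when run over a header that already carries it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Minimal IPv6 header (version 6, no traffic class or flow label) in front of payload."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def encapsulate(v4_src: str, v4_dst: str, ipv6_packet: bytes, ttl: int = 64) -> bytes:
    """Tunnel entry point: prepend an IPv4 header with protocol 41 and DF set."""
    total_len = IPV4_HEADER_LEN + len(ipv6_packet)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(v4_src).packed, ipaddress.IPv4Address(v4_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]   # checksum lives in bytes 10-11
    return hdr + ipv6_packet


def check_tunnel_frame(frame: bytes, expected_v4_src: str) -> str:
    """Tunnel exit checks for a configured tunnel; returns "ok" or the reason the frame must be dropped."""
    if len(frame) < IPV4_HEADER_LEN or frame[0] >> 4 != 4:
        return "not IPv4"
    ihl = (frame[0] & 0x0F) * 4
    if ihl < IPV4_HEADER_LEN or len(frame) < ihl:
        return "bad IPv4 header length"
    if inet_checksum(frame[:ihl]) != 0:
        return "bad IPv4 header checksum"
    if frame[9] != IPPROTO_IPV6:
        return "not protocol 41"
    # Accept only the configured remote endpoint: otherwise any IPv4 host can inject IPv6 packets
    # into the tunnel with a spoofed-looking origin (RFC 4213 section 3.6 requires this check).
    if ipaddress.IPv4Address(frame[12:16]) != ipaddress.IPv4Address(expected_v4_src):
        return "IPv4 source is not the tunnel endpoint"
    if struct.unpack("!H", frame[2:4])[0] != len(frame):
        return "IPv4 total length does not match frame"
    inner = frame[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "payload is not IPv6"
    return "ok"


def decapsulate(frame: bytes, expected_v4_src: str) -> bytes:
    """Strip the outer IPv4 header after the checks pass; the result is the IPv6 packet as sent."""
    verdict = check_tunnel_frame(frame, expected_v4_src)
    if verdict != "ok":
        raise ValueError(verdict)
    return frame[(frame[0] & 0x0F) * 4:]


def tunnel_mtu(ipv4_link_mtu: int) -> int:
    """IPv6 MTU presented by the tunnel: the IPv4 link MTU minus the outer header."""
    mtu = ipv4_link_mtu - IPV4_HEADER_LEN
    if mtu < IPV6_MIN_MTU:
        raise ValueError("IPv4 path must carry at least %d bytes" % (IPV6_MIN_MTU + IPV4_HEADER_LEN))
    return mtu


if __name__ == "__main__":
    inner = build_ipv6("3ffe:db8::1", "3ffe:db8::2", 59, b"")          # 59 = No Next Header (constructed)
    frame = encapsulate("192.168.1.10", "192.168.10.2", inner)
    print(len(frame), "bytes on the IPv4 link,", check_tunnel_frame(frame, "192.168.1.10"))
    print("IPv6 MTU over a 1500-byte IPv4 link:", tunnel_mtu(1500))
```

The source check is what distinguishes a configured tunnel from 6to4: a 6to4 relay necessarily accepts protocol 41 from any IPv4 address, and has to fall back to checking that the embedded IPv4 address in the inner 2002:: source matches the outer IPv4 source instead.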

Slide 75: Automatic configuration of tunnels

Automatic tunnel configuration with IPv4-compatible addresses:
- A dual stack host connected to an IPv4 network may use an IPv4-compatible address (here ::192.168.1.1) to talk to IPv6 hosts through a gateway
- The dual stack router at the edge of the IPv6 network terminates the IPv6-in-IPv4 tunnel; the IPv4 tunnel endpoint is taken from the low 32 bits of the IPv6 address, so nothing has to be configured
- This technique is no longer favoured

Diagram: dual stack host (::192.168.1.1) on the IPv4 network, an IPv6-in-IPv4 tunnel to the dual stack router, and the IPv6 hosts on the IPv6 network behind it.

Slide 76: Automatic configuration of tunnels - 6to4

- 6to4: RFC 3056, Connection of IPv6 Domains via IPv4 Clouds
- Supported by the Microsoft implementation, with a Microsoft-provided 6to4 relay endpoint
- Site prefix 2002:V4ADDR::/48, made up of the 6to4 prefix 2002::/16 (IANA assigned) and the IPv4 address of the site's external interface
  E.g. 192.1.2.3 = c001:0203, giving the 6to4 prefix 2002:c001:203::/48
- 6to4 relay routers, such as the one provided by Microsoft, provide transit between 6to4 domains and the native IPv6 Internet
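The address forms of slides 70, 71 and 76 (and the Teredo form named on slide 72) as one added Python example, not code from the original deck: embedded_ipv4() recognises each IPv6 form that carries an IPv4 address and extracts it, which is what a firewall or log parser needs in order to apply IPv4 policy to tunnelled and mapped traffic, and sixtofour_prefix() derives the 2002:V4ADDR::/48 site prefix, refusing private IPv4 addresses because 6to4 relays derive the tunnel endpoint from it. It relies only on the standard ipaddress module; the addresses are the slides' own, with 192.17.1.42 corrected to its hexadecimal form c011:012a.

```python
import ipaddress


def embedded_ipv4(addr: str):
    """Return (kind, IPv4Address) for an IPv6 address that embeds an IPv4 address, or (None, None)."""
    ip = ipaddress.IPv6Address(addr)
    if ip.ipv4_mapped is not None:             # ::ffff:a.b.c.d: dual-stack API view of an IPv4 peer (slide 70)
        return "ipv4-mapped", ip.ipv4_mapped
    if ip.sixtofour is not None:               # 2002:V4ADDR::/48: the IPv4 tunnel endpoint of a 6to4 site (slide 76)
        return "6to4", ip.sixtofour
    if ip.teredo is not None:                  # 2001::/32: (server, client); the client address is stored inverted
        return "teredo", ip.teredo[1]
    packed = ip.packed
    if packed[:12] == bytes(12) and int.from_bytes(packed[12:], "big") > 1:
        return "ipv4-compatible", ipaddress.IPv4Address(packed[12:])   # ::a.b.c.d (slide 71), deprecated; skips :: and ::1
    return None, None


def ipv4_mapped(v4: str) -> ipaddress.IPv6Address:
    """80 zero bits, 16 one bits, then the IPv4 address."""
    return ipaddress.IPv6Address(bytes(10) + b"\xff\xff" + ipaddress.IPv4Address(v4).packed)


def sixtofour_prefix(v4: str, require_global: bool = True) -> ipaddress.IPv6Network:
    """2002:V4ADDR::/48 for a 6to4 site whose external IPv4 address is v4 (RFC 3056)."""
    v4addr = ipaddress.IPv4Address(v4)
    if require_global and (v4addr.is_private or v4addr.is_loopback or v4addr.is_multicast):
        # Relays and other 6to4 sites send the return traffic to V4ADDR, so it must be globally reachable.
        raise ValueError("6to4 requires a globally unique IPv4 address, got %s" % v4addr)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4addr) << 80), 48))


if __name__ == "__main__":
    for a in ("::ffff:192.17.1.42", "::192.17.1.42", "2002:c001:203::1",
              "2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:388:608c:fc:205:5dff:fe00:9e3a"):
        print(a, "->", embedded_ipv4(a))
    print(sixtofour_prefix("192.1.2.3"))
```

The point for a filter is that all four forms reach an IPv6 interface with an IPv4 address hidden inside: an IPv6 ACL that blocks 10.0.0.0/8 only on the IPv4 side does nothing for 2002:0a00::/24 or ::ffff:10.0.0.0/104.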

Slide 77: Automatic configuration of tunnels - 6to4

Diagram: two 6to4 sites joined by an IPv6-in-IPv4 tunnel across the IPv4 network. The site whose external IPv4 address is 192.168.1.1 uses the prefix 2002:c0a8:0101::/48; the site at 192.168.100.1 uses 2002:c0a8:6401::/48. Each side derives the other's tunnel endpoint from bits 16-47 of the destination address, so no tunnel is configured. (Private addresses are used here for illustration only; RFC 3056 requires the embedded IPv4 address to be globally unique.)

Slide 78: IPv4 to IPv6 Transition - Protocol Translation

- NAT updated for IPv6: NAT-PT (Network Address Translation - Protocol Translation)
- Protocol translation additions for the IPv6 variations: header fields change, and the meaning of fields changes
- Application-specific gateways
- SIIT (Stateless IP/ICMP Translation)
- The DNS and FTP protocols have addresses embedded in their messages, which need translation at the gateway device (NAT-PT specifies this)

Slide 79: NAT-PT and ALGs

- NAT-PT and NAPT-PT: Network Address Translation updated for IPv6 (RFC 2766)
- NAT-PT and NAPT-PT translate protocols (e.g. ICMP) as well as addresses
- They define Application Layer Gateways as well (NAT-PT specifies FTP and DNS ALGs in addition to the protocol translations)
- E.g. NAT-PT translates an ICMPv6 Packet Too Big message into its IPv4 ICMP equivalent (Destination Unreachable, fragmentation needed), adjusting the reported MTU for the 20-byte header difference
- Introduces a single point of failure device in the network
- May not be possible for all ICMPv6 packets (Neighbor Discovery and MLD have no IPv4 equivalent)
- RFC 4966 later moved NAT-PT to Historic status because of these and other problems, among them the DNS ALG and the loss of end-to-end IPsec

Slide 80: NAT-PT and ALGs

Diagram: an IPv6 host reaches an IPv4 host on the IPv4 Internet through a NAT-PT router. ICMPv6 messages on the IPv6 side are translated into IPv4 ICMP on the IPv4 side, and vice versa.

Slide 81: NAT-PT and NAPT-PT

- NAT-PT: Network Address Translation - Protocol Translation
- NAPT-PT: Network Address Port Translation - Protocol Translation
- NAT-PT uses a pool of IPv4 addresses, allocating one per IPv6 address
- NAPT-PT translates ports as well as addresses, which allows a single IPv4 address to represent multiple IPv6 addresses
- Both keep per-session state for the address (and port) mappings; the header translation itself follows SIIT

Slide 82: SIIT

- RFC 2765, Stateless IP/ICMP Translation Algorithm (SIIT), since revised as RFC 6145 and then RFC 7915
- Allows IPv6-only nodes to communicate with IPv4 nodes
- Uses boxes on the network to do stateless translation of IP and ICMP headers
- Translates packet headers between IPv4 and IPv6 using IPv4-mapped (::ffff:a.b.c.d) and IPv4-translated (::ffff:0:a.b.c.d) addresses
- Must generate appropriate header entries (e.g. checksums) for the protocol: the ICMPv6 checksum covers an IPv6 pseudo-header while ICMPv4's does not, and TCP/UDP checksums cover the addresses, so all of them change
- Rewrites ICMP error messages, as they contain the embedded IP header and addresses of the packet that caused them
- Requires an IPv4 address allocation mechanism for the IPv6 node, and tunnel/routing configuration
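The header and ICMP translation of slides 78 to 82 as an added Python example (not from the original deck): the two SIIT address forms, the IPv6-to-IPv4 header field mapping of RFC 2765 section 4 for a packet without a Fragment header, and the ICMPv6-to-ICMPv4 type/code mapping including the Packet Too Big MTU adjustment and the messages a translator must drop. Checksums are deliberately left to the caller, as the comments note; the field names and the sample header values are this example's own.

```python
import ipaddress

IPV4_HDR_LEN, IPV6_HDR_LEN = 20, 40
HDR_DIFF = IPV6_HDR_LEN - IPV4_HDR_LEN     # the 20 bytes that MTU values shift by in each direction


def to_translated(v4: str) -> ipaddress.IPv6Address:
    """IPv4-translated address ::ffff:0:a.b.c.d (RFC 2765 section 2): the IPv6-only node's own address as seen from IPv4."""
    return ipaddress.IPv6Address(bytes(8) + b"\xff\xff\x00\x00" + ipaddress.IPv4Address(v4).packed)


def to_mapped(v4: str) -> ipaddress.IPv6Address:
    """IPv4-mapped address ::ffff:a.b.c.d: how the IPv6-only node names an IPv4 peer."""
    return ipaddress.IPv6Address(bytes(10) + b"\xff\xff" + ipaddress.IPv4Address(v4).packed)


def extract_ipv4(v6) -> ipaddress.IPv4Address:
    """The IPv4 address inside either SIIT form; anything else cannot be translated."""
    packed = ipaddress.IPv6Address(v6).packed
    if packed[:8] == bytes(8) and packed[8:12] in (b"\xff\xff\x00\x00", b"\x00\x00\xff\xff"):
        return ipaddress.IPv4Address(packed[12:])
    raise ValueError("%s is neither IPv4-mapped nor IPv4-translated" % v6)


# ICMPv6 Destination Unreachable codes -> ICMPv4 type 3 codes (RFC 2765 section 4.2)
DEST_UNREACH_V6_TO_V4 = {0: 1, 1: 10, 2: 1, 3: 1, 4: 3}


def icmpv6_to_icmpv4(typ: int, code: int, mtu: int = None,
                     v4_nexthop_mtu: int = 1500, v6_nexthop_mtu: int = 1500):
    """(type, code, mtu) of the ICMPv4 message, or None when the translator has to drop the packet.

    The ICMPv4 checksum must then be computed afresh: ICMPv6's covered a pseudo-header, ICMPv4's does not.
    """
    if typ == 128:
        return (8, 0, None)                                   # Echo Request
    if typ == 129:
        return (0, 0, None)                                   # Echo Reply
    if typ == 1:                                              # Destination Unreachable
        return (3, DEST_UNREACH_V6_TO_V4[code], None) if code in DEST_UNREACH_V6_TO_V4 else None
    if typ == 2:                                              # Packet Too Big -> fragmentation needed, MTU shrinks by 20
        return (3, 4, min(mtu - HDR_DIFF, v4_nexthop_mtu, v6_nexthop_mtu - HDR_DIFF))
    if typ == 3:
        return (11, code, None)                               # Time Exceeded: codes keep their meaning
    if typ == 4:                                              # Parameter Problem
        if code == 1:
            return (3, 2, None)                               # unrecognised Next Header -> Protocol Unreachable
        if code == 0:
            return (12, 0, None)                              # erroneous header field (pointer must be remapped by the caller)
        return None                                           # unrecognised IPv6 option: silently drop
    return None   # Neighbor Discovery (133-137), MLD (130-132) and the rest are IPv6-local: no IPv4 equivalent


def translate_header(v6_hdr: dict) -> dict:
    """IPv6 -> IPv4 header fields for a packet without a Fragment header (RFC 2765 section 4).

    The returned dict still needs its header checksum, and the transport checksum inside the
    payload must be updated for the new addresses (pseudo-header) before the packet is sent.
    """
    next_header = v6_hdr["next_header"]
    return {
        "version": 4, "ihl": 5,
        "tos": v6_hdr["traffic_class"],
        "total_length": v6_hdr["payload_length"] + IPV4_HDR_LEN,
        "identification": 0, "df": 1, "mf": 0, "fragment_offset": 0,   # no Fragment header: DF set
        "ttl": v6_hdr["hop_limit"],
        "protocol": 1 if next_header == 58 else next_header,          # ICMPv6 (58) becomes ICMP (1)
        "src": extract_ipv4(v6_hdr["src"]),
        "dst": extract_ipv4(v6_hdr["dst"]),
    }
```

The asymmetry in icmpv6_to_icmpv4() is what the slide's "may not be possible for all ICMPv6 packets" means in practice: the translator cannot invent IPv4 meaning for link-local signalling, so it drops it, and an IPv6 host behind a translator simply never sees those errors from IPv4 peers.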

Slide 83: Progress

Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6

Slide 84: Contents

- IPv4 and IPv6 Security
- Attacks against Internetworks
- IPv6 Security Issues
- IPv6 Security Features

Slide 85: IPv4 and IPv6 Security

Weaknesses of IPv4 security:
- Trust of received packet information (spoofing)
- Host-to-host security not widely available

IPv6 security inherits from IPv4:
- Packet service: anyone can insert packets
- Ingress filtering will be incomplete
- Many of the IPv4 applications will be in IPv6 (email, web), with the same application-level flaws

IPv6 built with security in mind:
- IPv6 aims to be "no worse than IPv4"
- IP security protocols (all hosts support IPsec; see slide 94 for the caveat)
- New Internet applications specified with security in mind

Slide 86: Attacks against Internetworks

- DoS attacks: attacks against resources (server, link, QoS)
- Hijack attacks: theft of service/QoS
- Impersonation: packet forgery
- Man in the middle: snooping, data insertion/deletion
- Host intrusion: worms and viruses (an application issue!); this may not get better under IPv6

Slide 87: Attacks: Denial of Service

The attacker causes congestion on the victim's computer or network.

Diagram: attacker on the Internet flooding a victim on the local network.

Slide 88: Attacks: Service Theft

The attacker gains unauthorized access to a network.

Diagram: attacker on the Internet using the victim's local network as its own.

Slide 89: Attacks: Impersonation

The attacker disguises itself as another host to gain unauthorized access to services.

Diagram: attacker on the Internet posing as one victim towards a second victim on the local network.

Slide 90: Attacks: Man-in-the-Middle

A man-in-the-middle attacker can block, modify, replay or otherwise make use of intercepted packets.

Diagram: attacker placed between two victims, one on the local network and one across the Internet, relaying their traffic.

Slide 91: Attacks: Host Intrusion

The attacker gains unauthorized access to a remote host.

Diagram: attacker on the Internet taking control of a victim host on the local network.

Slide 92: IPv6 Security Issues

- Data confidentiality/integrity
- Neighbour Discovery / autoconfiguration
- Network access control
- Mobile IPv6
- Key distribution
- Transition mechanisms

Slide 93: IPv6 Security Features

- IPsec
- SEND (SEcuring Neighbour Discovery)
- AAAv6
- Mobile IPv6 Return Routability

Slide 94: Security Features: IPsec (v6)

IPsec:
- End-to-end security
- Authentication (AH, ESP)
- Encryption (ESP)
- Available in some IPv4 nodes; at the time of the deck required in ALL IPv6 nodes (RFC 2460, RFC 4294). RFC 6434 later relaxed that to a SHOULD, and a mandatory implementation does not mean it is configured or used: key management (slide 98) remains the obstacle.

Slide 95: Security Features: SEND

SEcuring Neighbor Discovery (RFC 3971):
- Secures Neighbor Discovery without relying on IPsec: IPsec security associations need addresses and keys that are only available after ND has run (chicken and egg), so SEND carries its own CGA, RSA Signature, Timestamp and Nonce options inside the ND messages instead
- Protects autoconfiguration messages from attackers on the same link
- Proves address ownership locally, using Cryptographically Generated Addresses (CGA, RFC 3972); Address Based Keys (ABK) were an earlier proposal for the same purpose
- In early stages of development at the time of the deck
- Key technology
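The CGA mechanism behind the "proves address ownership" point, as an added Python example of RFC 3972 (not code from the deck, and not a SEND implementation): generate_cga() derives the interface identifier from the node's public key, the subnet prefix, a random modifier and the collision count, with the optional hash extension (Sec) that makes brute-forcing a matching key exponentially harder; verify_cga() is the check a receiver runs on the CGA Parameters a neighbour sends. The public key is a constructed byte string standing in for the DER-encoded key SEND would carry, and the ownership proof proper (the RSA signature over the ND message) is out of scope here.

```python
import hashlib
import ipaddress
import os


def hash1(modifier: bytes, subnet_prefix: bytes, collision_count: int, public_key: bytes) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1 over the CGA Parameters (RFC 3972 section 4)."""
    return hashlib.sha1(modifier + subnet_prefix + bytes([collision_count]) + public_key).digest()[:8]


def hash2_ok(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """Hash extension: the leftmost 16*Sec bits of Hash2 (prefix and collision count zeroed) must be zero."""
    h2 = hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]      # leftmost 112 bits
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def interface_id(h1: bytes, sec: int) -> bytes:
    """Form the IID: three leftmost bits carry Sec, the u and g bits (0x02 and 0x01 of the first octet) are cleared."""
    iid = bytearray(h1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def generate_cga(prefix: str, public_key: bytes, sec: int = 0, collision_count: int = 0,
                 modifier: bytes = None):
    """Return (address, modifier); the modifier is part of the CGA Parameters the node later publishes."""
    subnet_prefix = ipaddress.IPv6Network(prefix).network_address.packed[:8]   # the /64 the node sits on
    modifier = os.urandom(16) if modifier is None else modifier
    if sec > 0:   # steps 2-3: search modifiers until Hash2 has 16*Sec leading zero bits (cost ~ 2^(16*Sec))
        while not hash2_ok(modifier, public_key, sec):
            modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    iid = interface_id(hash1(modifier, subnet_prefix, collision_count, public_key), sec)
    return ipaddress.IPv6Address(subnet_prefix + iid), modifier


def verify_cga(address: str, modifier: bytes, public_key: bytes, collision_count: int) -> bool:
    """RFC 3972 section 5: recompute the address from the parameters a neighbour supplied.

    The subnet prefix is taken from the address itself, which is the same as checking that
    the prefix in the parameters equals the address prefix.
    """
    if collision_count > 2:                       # more than three DAD collisions is not allowed
        return False
    packed = ipaddress.IPv6Address(address).packed
    subnet_prefix, iid = packed[:8], packed[8:]
    sec = iid[0] >> 5
    if interface_id(hash1(modifier, subnet_prefix, collision_count, public_key), sec) != iid:
        return False
    return sec == 0 or hash2_ok(modifier, public_key, sec)


if __name__ == "__main__":
    key = b"constructed stand-in for a DER-encoded RSA public key"   # not a real key
    addr, mod = generate_cga("2001:db8:1:2::/64", key, sec=1)
    print(addr, "verifies:", verify_cga(str(addr), mod, key, 0))
```

Sec=1 costs about 65,536 SHA-1 evaluations to generate and one to verify: verification stays cheap (hash2_ok is checked once) while an attacker has to repeat the search for every key they try, which is how the 59 hash bits in the identifier are stretched without any PKI.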

Slide 96: Security Features: AAAv6

AAAv6 protocols:
- Provide Authentication, Authorization and Accounting
- Used on access networks
- Work with NAS, wireless LAN (EAP), PANA, PPP and Mobile IPv6
- DIAMETER protocol (RFC 3588) supersedes RADIUS
- Authorization policy can be specified through Attribute-Value Pairs (AVPs)

Slide 97: Security Features: AAAv6

Diagram: a roaming host attaches to the local network through an 802.11b access point (802.1X) or an access router (PANA, PPP); the foreign AAA server relays the authentication across the Internet to the host's home AAA server.

Slide 98: Security Issues: Key Distribution

- The Public Key Infrastructure (PKI) has been around for a long time
- Not many nodes have public keys (poor adoption)
- Many key exchange systems rely upon public key availability
- Shared keys don't work for generic peer-to-peer communication
- SEND's router authorization relies on certificate paths (Authorization Delegation Discovery) that establish trust between hosts and routers using digital signatures
- Cryptographically generated addresses take the pessimistic approach (no widely adopted PKI): the address itself is bound to the node's public key, so no third party is needed to prove ownership of it
- If keys are distributed, they still need to be replaced/updated securely

Slide 99: Security Issues: Transition Mechanisms

- Most IPv6 hosts will be dual stack
- IPv4 systems will not have the same security feature set as IPv6
- Double handling of security policy (mistakes easier): every firewall rule and host policy has to exist for both protocols, otherwise the IPv6 path becomes the unfiltered one
- Small chance of attacks through protocol translation systems (IPsec may not work well through them, though, since translation rewrites the headers it protects)

Slide 100: Progress

Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6

Slide 101: Advocacy and Forums

More info: http://www.ipv6-taskforce.org/

- International Task Forces (in the EC, Korea, India, North America, Taiwan) have been set up to run summits and seminars promoting adoption and understanding of IPv6
- The IETF (Internet Engineering Task Force) is finalizing standards for IPv6 extensions such as Mobility and Secure Neighbour Discovery
- The IPv6 Forum has released the "IPv6 Ready" logo, which can be used to indicate a product's compliance with IPv6 standards

Slide 102: World-wide connectivity

Advocacy won't help if the packets don't get through!

- Academic networks: Internet2 (US), GrangeNet (AU), 6NET (EU), CERNET2 (China), etc.
- Commercial networks:
  - NTT in Japan and elsewhere
  - Telia and NTT have commercial offerings in Europe
  - Uptake in the USA is slow but gaining momentum: Sprint, MCI, etc.

Slide 103: IPv6 Implementations

More info: http://www.ipv6.org/impl/

Looking at three classes of implementations:
- Host implementations
- Mobile IPv6
- Router implementations

Slide 104: Host Implementations

- Most vendor Unix: Solaris 8+, AIX 4.3+, etc.
- Linux: kernels 2.2+ include IPv6 (2.5+ full IPsec for IPv6)
- FreeBSD: includes KAME from 4.0
- OpenBSD: includes KAME from 2.7
- MS Windows: supported from XP onwards (some API issues)
- Mac OS X: 10.2 Jaguar onwards (some API issues)
- Embedded implementations from Wind River, Elmic, etc.

Slide 105: Router Implementations

Available from major vendors including:
- Cisco IOS 12.2T+
- Juniper JUNOS 5.1+
- Nortel

Slide 106: Network Applications

Server applications:
- Apache web server supports IPv6
- Many other services do too, due to the "dual stack" approach

Desktop applications:
- Microsoft Internet Explorer
- Secure Shell (ssh)
- FTP, Telnet

Slide 107: Progress

Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6

Slide 108: Contents

- IP mobility problem statement
- Simple solutions
- Mobile IPv4 limitations
- Mobile IPv6 motivation
- Mobile IPv6 handovers

Slide 109: Mobile Packets the Future?

- Trend towards packetisation of everything
- Easier to incorporate different data streams
- User control of usage models
- We don't know what the applications will be (but we can take some guesses)
- Once we have IP connectivity, anything goes...

Slide 110: The Internet Mobility Challenge

- An IP address is not only a unique identifier but is tied to the network topology
- Movement of an IP device between networks relies on Layer 2 or Layer 3 context transfer
- When a Layer 3 transfer occurs, the IP address changes
- Higher layer protocols cannot handle IP address changes (e.g. TCP identifies a connection by its address pair)
- IP mobility must hide or prevent IP address changes from the higher protocol layers

Slide 111: Layer 2 mobility limitations

- Single Layer 3 broadcast domain: all broadcasts go over the wireless medium
- Handovers between networks are problematic (service provider to enterprise or to another service provider; heterogeneous handovers)
- Mobility has to be re-implemented for every Layer 2 technology

Slide 112: Using DHCP for roaming

Dynamic Host Configuration Protocol:
- Allows devices to get an address when visiting a network
- Available for IPv4 and IPv6 (DHCPv6)
- Existing sessions do not survive movement across link boundaries
- Address management is not required in IPv6 (stateless address autoconfiguration)
- Provides additional information (DNS etc.)

Slide 113: Mobile IP

Goals:
- No geographic limitations
- No physical connection
- No modifications to other hosts or routers
- No modifications to IP addressing
- Secure
- Transparent to the transport layer

Assumptions:
- Fewer than one change of attachment per second
- Routing based only on the destination address

Slide 114: Mobile IPv4

Diagram: the mobile node keeps its home address while on the foreign network. It registers with the home agent through the foreign agent (address registration); data from the correspondent node is routed to the home network, where the home agent intercepts it and tunnels it to the foreign agent, which delivers it to the mobile node.

Slide 115: Mobile IPv6

- Address autoconfiguration; no foreign agents
- Optional headers:
  - Routing header (type 2) for correspondent-to-mobile traffic, replacing tunnelling
  - Home Address destination option for mobile-to-correspondent traffic, which overcomes ingress filtering of the home address
- Binding update and binding request messages
- Binding caches in hosts
- Route optimisation
- IPsec: a separate security specification (RFC 3776) protects the mobile node to home agent signalling
- Supports privacy

Slide 116: Mobile IPv6 System

Diagram: on the foreign network the mobile node learns the prefix from a Router Advertisement and autoconfigures a care-of address. It registers the care-of address with the home agent (address registration); data from the correspondent node to the home address is tunnelled by the home agent to the care-of address. Once the mobile node has also sent an address binding to the correspondent node, data flows directly between the two (route optimisation).

Slide 117: Mobile IPv6 Handover

Diagram: the mobile node moves from foreign network 1 (care-of address 1) to foreign network 2 (care-of address 2) while keeping its home address. Messages on the new link and to the home agent and correspondent node, in order:

1. Router Advertisement (new prefix detected)
2. Duplicate Address Detection on care-of address 2
3. Home Binding Update / Acknowledgment with the home agent
4. Home Test and Care-of Test with the correspondent node (return routability)
5. Correspondent Binding Update
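Steps 4 and 5 above (the Return Routability procedure of slide 93, RFC 3775 sections 5.2.5 and 5.2.6) as an added Python example with both sides of the exchange; it is not code from the deck or from any Mobile IPv6 implementation. The correspondent node keeps only a secret Kcn and a nonce table, derives the home and care-of keygen tokens with HMAC-SHA1, and later recomputes them from the nonce indices in the Binding Update, so it stores nothing per mobile node until a valid binding arrives. The message dicts and the four-byte mh_data stand in for the Mobility Header encodings; the addresses are constructed documentation addresses.

```python
import hashlib
import hmac
import ipaddress
import os


def packed_address(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed


def authenticator(kbm: bytes, coa: bytes, cn: bytes, mh_data: bytes) -> bytes:
    """Binding Authorization Data = First(96, HMAC_SHA1(Kbm, care-of address | CN address | MH data))."""
    return hmac.new(kbm, coa + cn + mh_data, hashlib.sha1).digest()[:12]


class CorrespondentNode:
    """CN side: a node secret Kcn and a short nonce table, no per-mobile state before the BU."""

    def __init__(self, address: str):
        self.address = packed_address(address)
        self.kcn = os.urandom(20)                  # Kcn: 160-bit secret known only to the CN
        self.nonces = {0: os.urandom(8)}           # indexed, so a BU can name the nonce its tokens used
        self.binding_cache = {}

    def keygen_token(self, addr: bytes, nonce_index: int, tag: int) -> bytes:
        """First(64, HMAC_SHA1(Kcn, address | nonce | tag)); tag 0 = home token, 1 = care-of token."""
        mac = hmac.new(self.kcn, addr + self.nonces[nonce_index] + bytes([tag]), hashlib.sha1)
        return mac.digest()[:8]

    def home_test(self, hoti: dict) -> dict:
        """HoT in reply to a Home Test Init; it travels back via the home agent's tunnel."""
        return {"cookie": hoti["cookie"], "nonce_index": 0, "token": self.keygen_token(hoti["home"], 0, 0)}

    def care_of_test(self, coti: dict) -> dict:
        """CoT in reply to a Care-of Test Init; sent directly to the care-of address."""
        return {"cookie": coti["cookie"], "nonce_index": 0, "token": self.keygen_token(coti["coa"], 0, 1)}

    def binding_update(self, bu: dict) -> bool:
        """Recompute both tokens from Kcn, derive Kbm, check the authenticator, then cache the binding."""
        if bu["home_nonce_index"] not in self.nonces or bu["coa_nonce_index"] not in self.nonces:
            return False                            # nonce expired: MN must redo return routability
        kbm = hashlib.sha1(self.keygen_token(bu["home"], bu["home_nonce_index"], 0)
                           + self.keygen_token(bu["coa"], bu["coa_nonce_index"], 1)).digest()
        expected = authenticator(kbm, bu["coa"], self.address, bu["mh_data"])
        if not hmac.compare_digest(expected, bu["authenticator"]):
            return False
        self.binding_cache[bu["home"]] = bu["coa"]
        return True


class MobileNode:
    def __init__(self, home: str, care_of: str):
        self.home, self.coa = packed_address(home), packed_address(care_of)
        self.kbm = None

    def return_routability(self, cn: CorrespondentNode) -> None:
        """HoTI/HoT through the home agent and CoTI/CoT directly; a real MN runs the two in parallel."""
        home_cookie, coa_cookie = os.urandom(8), os.urandom(8)
        hot = cn.home_test({"home": self.home, "cookie": home_cookie})
        cot = cn.care_of_test({"coa": self.coa, "cookie": coa_cookie})
        if hot["cookie"] != home_cookie or cot["cookie"] != coa_cookie:
            raise ValueError("cookie mismatch: reply does not belong to our Init message")
        # Kbm = SHA1(home keygen token | care-of keygen token): needs both paths to have been traversed
        self.kbm = hashlib.sha1(hot["token"] + cot["token"]).digest()
        self.nonce_indices = (hot["nonce_index"], cot["nonce_index"])

    def binding_update(self, cn: CorrespondentNode, sequence: int, lifetime: int) -> dict:
        """Binding Update to the CN; mh_data stands in for the Mobility Header content being signed."""
        mh_data = sequence.to_bytes(2, "big") + lifetime.to_bytes(2, "big")
        return {"home": self.home, "coa": self.coa,
                "home_nonce_index": self.nonce_indices[0], "coa_nonce_index": self.nonce_indices[1],
                "mh_data": mh_data,
                "authenticator": authenticator(self.kbm, self.coa, cn.address, mh_data)}


if __name__ == "__main__":
    cn = CorrespondentNode("2001:db8:cafe::1")
    mn = MobileNode("2001:db8:1::10", "2001:db8:2::10")
    mn.return_routability(cn)
    print("binding accepted:", cn.binding_update(mn.binding_update(cn, sequence=1, lifetime=100)))
```

What this buys, and no more: Kbm can only be derived by a node that received both the HoT (via the home agent, over the IPsec-protected MN-HA tunnel) and the CoT (at the care-of address), so an off-path attacker cannot redirect a correspondent's traffic. An attacker sitting on both paths, or on the CN-HA path, still can; return routability is the "no worse than IPv4" bar of slide 85, not a strong authentication of the mobile node.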

Slide 118: Mobile IPv6

Benefits:
1. Uses IPv6 Router Discovery to detect movement
2. Uses IPv6 address autoconfiguration
3. Route optimisation
4. Limited support required in the access network

Complexities:
1. Movement detection granularity is low
2. Dead time related to the distance from the home agent
3. Security for CN/HA bindings
4. Duplicate Address Detection is slow

Slide 119

Thank you