Date post: | 30-Dec-2015 |
Category: |
Documents |
Upload: | richard-rivers |
View: | 30 times |
Download: | 1 times |
Network Security
IPv6
Topics
Introduction Comparison with IPv4 Header format Extension headers Neighbour discovery Transition from IPv4 to IPv6 ICMPv6 IPv6 addresses Address Autoconfiguration IP Security
Network Security
Network Security
About IPv6
Internetworking Protocol version 6, IPng IPv6 was developed because about 1992 it became clear
that at the rate that the Internet was growing the world would soon be out of IPv4 numbers
The experimental deployment of IPv6 started in 1995 IPv6 was designed to work alongside IPv4 on all network
devices. This is often called the “Dual Stack” because devices have both an IPv4 Protocol Stack and an IPv6 Protocol Stack
128-bit address written in 8 hex quads It supports 2128 (about 3.4×1038) addresses
IPv4 deficiencies
Address depletion No support for real-time audio and video
transmission No encryption and authentication of data
Network Security
IPv6 advantages over IPv4
Large address space Better header format Stateless and stateful address auto-
configuration Built-in security New options Extensibility Support for real-time audio and video
IPv4 Vs IPv6
Network Security
Reasons for delay in adoption
Classless addressing Use of DHCP Network Address Translation
Network Security
IPv6 datagram Base Header
Network Security
IPV4 and IPV6 Header
Network Security
IPV4 Vs IPV6 Packet Header
Network Security
IPv6 Extension Headers
Network Security
IPv6 Extension Headers
Hop-by-Hop Options header When the source needs to pass info to all routers
visited by the datagram.
Source routing Combines the concepts of strict and loose source
route options of IPv4.
Fragmentation Source is required to fragment if size of datagram
is larger that the MTU of network. Only original source can fragment.
Network Security
Extension Headers contd…
Authentication header (AH) Validates the message sender and ensures
integrity of data.
Encrypted security payload (ESP) Provides confidentiality and guards against
eavesdropping.
Destination Options Used when source needs to pass info to the
destination only. Intermediate routers are not permitted access.
Network Security
IPv4 options and IPv6 extension headers
Network Security
Transition from IPv4 to IPv6
Network Security
Dual Stack
A station must run IPv4 and IPv6 simultaneously until all the Internet uses IPv6
To determine which version to use when sending a packet to a destination, the source host queries the DNS
If the DNS returns an IPv4 address, the source host sends an IPv4 packet
If the DNS returns an IPv6 address, the source host sends an IPv6 packet
Network Security
Tunneling
a strategy used when two computers using IPv6 want to communicate with each other and the packet must pass through a region that uses IPv4
So the IPv6 packet is encapsulated in an IPv4 packet when it enters the region, and it leaves its capsule when it exits the region.
Network Security
Header Translation
necessary when the majority of the Internet has moved to IPv6 but some systems still use IPv4
the sender wants to use IPv6, but the receiver does not understand IPv6
the header format must be totally changed through header translation
header of the IPv6 packet is converted to an IPv4 header uses the mapped address and some rules to translate an IPv6
address to an IPv4 address
Network Security
ICMPv6
Internet Control Message Protocol Combines ICMPv4, ARP and IGMP Message – oriented
It uses messages to report errors
Like version 4, ICMPv6 reports errors, handles group memberships, updates specific router and host tables, and checks the viability of a host.
ICMPv6 forms an error packet which is then encapsulated in an IP datagram
Network Security
ICMPv6 messages
Error messages Destination unreachable, packet too big, time
exceeded, parameter problems
Informational messages Echo request & reply message
Neighbour discovery messages Route solicitation & advertisement message Neighbour solicitation & advertisement message
Group membership messages Membership query & report message
Network Security
ND messages
Mainly used by: Hosts to find routers in the neighbourhood Nodes to find the link layer addresses of
neighbours Nodes to find IPv6 addresses of the neighbour
Router-solicitation message Router-advertisement message Neighbour-solicitation message Neighbour-advertisement message
Network Security
IPv6 addressing
Unicast address Anycast address Multicast address IPv6 doesn’t implement broadcast address
Broadcasts are replaced by multicasts and anycasts However, a multicast to address ff02::1 would result in a
transmission to all nodes within the same local link, which is similar to IPv4 multicast to address 224.0.0.1.
Network Security
Unicast & Anycast Address format
Unicast (one-to-one) and anycast (one-to-one-of-many) addresses are typically composed of two logical parts: a 64-bit network prefix used for routing, and a 64-bit host part used to identify a host within the network.
The network prefix is 1111 110 0/1 followed by a 40-bit random number. The 16 bits of the subnet identifier field are available to the network administrator to define subnets within the given network. The 64-bit interface identifier is either automatically generated from the interface's MAC address obtained from a DHCPv6 server randomly, or assigned manually.
Network Security
Multicast Address format
The prefix holds the binary value 1111 1111 for any multicast address. Flag field defines the group address as either permanent or transient. Scope field defines the scope of the group address.
Network Security
IPv6 notation
An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets).
The groups are separated by a colon (:). A typical example of an IPv6 address follows:
2001:0db8:85a3:0000:0000:8a2e:0370:7334 The hexadecimal digits are case-insensitive.
Network Security
Compressing Zeros
A contiguous sequence of 16-bit blocks set to 0 in the colon hexadecimal format can be compressed to “::”, known as double-colon
For example, the link-local address of FE80:0:0:0:2AA:FF:FE9A:4CA2 can be compressed to
FE80::2AA:FF:FE9A:4CA2
Zero compression can only be used once in a given address
Network Security
Address Autoconfiguration
Host has an ability to automatically configure itself, even without the use of a stateful configuration protocol such as DHCPv6
Types of Autoconfiguration: Stateless: Configuration of addresses is based on the
receipt of Router Advertisement messages
Stateful: Configuration is based on DHCPv6 to obtain addresses and other configuration options. A host will use a stateful address configuration protocol when there are no routers present on the local link.
Network Security
Autoconfiguration process
Host first creates a link local address for itself The host then tests to see if this link local
address is unique and not used by other hosts If the uniqueness of the link local address is
passed, the host stores this address as its link-local address, but it still needs a global unicast address
Network Security
IP Security
IPSec is a collection of protocols designed by IETF to provide security for a packet at the network layer
It helps create authenticated and confidential packets for the IP layer
Two modes: Transport
does not protect the IP header; it only protects the information coming from the transport layer
Tunnel protects the original IP header
Network Security
IPSec modes
Network Security
IPSec Protocols
AH and ESP Authentication Header
designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet
uses a hash function and a symmetric key to create a message digest; the digest is inserted in the authentication header
Network Security
AH Protocol in transport mode
Network Security
What is Message Digest?
The electronic equivalent of the document and fingerprint pair is the message and message digest pair
To preserve the integrity of a message, the message is passed through an algorithm called a hash function.
The hash function creates a compressed image of the message that can be used as a fingerprint.
The message digest needs to be kept secret. SHA-1 (Secure Hash Algorithm 1)
Network Security
Encapsulating Security Payload (ESP)
The AH Protocol does not provide privacy, only source authentication and data integrity
ESP adds a header and trailer ESP's authentication data are added at the end
of the packet ESP does whatever AH does with additional
functionality (privacy)
Network Security
ESP Protocol in transport mode
Network Security
IPSec services
Network Security
Things to study
IPv4 packet, ICMPv4 DHCPv6, ICMPv6 IPv6 Routing Internet Key Exchange for IPSec QoS support for IPv6 API for IPv6
Network Security