Abstract (p. 2)
Introduction to IPv4 IPv6 Protocol (p. 2)
    Lack of IP addresses (p. 2)
    Performance-handling (p. 2)
    Automatic address assignment (p. 2)
Technical Procedure/Discussion (p. 3)
    Dual stack mechanisms (DSM) (p. 3)
    Tunneling mechanisms (p. 3)
        I. Direct configuration (p. 4)
        II. Coding configuration (p. 4)
    Translation mechanisms (p. 5)
        I. Header conversion (p. 5)
        II. NAT-PT (p. 5)
        III. Address mapping (p. 5)
        IV. Socks (p. 5)
The IPv6 to IPv4 Threat overview (p. 6)
    IPv6 and IPv4 Threat Issues and Observations (p. 7)
    The security issues in IPv6 tunneling (p. 8)
    Recommendations for a network administrator when deploying an IPv6 in IPv4 network (p. 8)
    Current and future innovations from research on the IPv6 threats (p. 9)
References (p. 10)
Abstract
There have been statements around the technological world that the new version of the IP protocol, the well-known IPv6, is the answer to the numerous problems that arose from the mass expansion of the internet and of computers around the world. Despite this, the IPv4 and IPv6 protocols must co-exist until the whole internet has been transformed to work entirely with IPv6. Until IPv6 is deployed globally, many techniques, methods and technologies are being deployed that allow the two protocols to exist together and cooperate. Their purpose is to make the transition from IPv4 data packets to IPv6 more manageable and feasible for the infrastructure of the internet and for IT departments around the world.
Lack of IP addresses
The rise of technology created home devices such as smartphones and tablets that connect to the internet through IP addresses. This means that more IP addresses have to be given to each of those devices, while at the same time addresses are being used up. The available space is shrinking because of the limited subnetting that the IPv4 protocol allows.
Performance-handling
Applications demand higher quality of transmission over IP addresses and the higher layers; the IPv4 protocol cannot keep up with them and therefore gives unexpected results.

The new and improved protocol, IPv6, has filled all the gaps that IPv4 left, such as the lack of addresses, because subnetting is no longer required. It is only a matter of time before this protocol is deployed all over the world, as it is more powerful, more secure and better suited to our age.
Tunneling mechanisms
The tunneling mechanism is the opposite of the dual stack mechanism, but the two support each other, because for tunneling to work the routers or hosts must be dual stack. This mechanism is used for communication of the IPv6 protocol over an IPv4 network and vice-versa. It is based on the encapsulation of IPv6 packets inside IPv4 packets, which are then transmitted over the IPv4 network.
I. Direct configuration

The Direct configuration is also divided into two subcategories:

I. Configured tunneling mechanism. Each endpoint of the tunnel refers to the IPv4 address of the opposite endpoint. The IPv6 packets are encapsulated in IPv4 packets. The destination address of the IPv4 packets is the one given when the tunnel interface was created, and the source address is the IPv4 address of the other interface. Routers build point-to-point connections over the IPv4 network, and the IPv6 packets are transmitted over these. It is a cost-effective mechanism that needs no separate physical links.

II. Tunnel broker mechanism. This mechanism provides IPv6 communications that are isolated from any IPv6 network. It provides a fast connection to the IPv6 network at low cost. It works by assigning an IPv6 address to the dual stack host and then returning client configuration information. The tunnel broker entity and the tunnel broker server are the components of this mechanism. The first is used for the registration of the user and the activation on the IPv6 network. The second is an IPvX router connected to both networks. The clients of this mechanism are remote users; it offers high scalability and can support a large number of remote users. Users behind a NAT mechanism are supported only with limitations. Finally, the tunnel broker mechanism aims more at short-term native IPv6 connectivity.

II. Coding configuration

The tunnel broker mechanism supports three types of mechanisms:

I. Automatic tunneling mechanism
II. 6to4 transition mechanism
III. 6over4 mechanism

I. Automatic tunneling mechanism. This mechanism adds a software module to the hosts: a pseudo-interface which encapsulates IPv6 packets in IPv4 packets and forwards them over the IPv4 interface. The mechanism requires globally routable IPv4 addresses. With this type of mechanism we can achieve end-to-end communication with remote hosts and the IPv6 network.

II. 6to4 transition mechanism. 6to4 is an address assignment and router-to-router, host-to-router and router-to-host automatic tunneling mechanism that is meant to provide connectivity between IPv6 sites and hosts across the IPv4 internet (Figure 1).

Figure 1

III. 6over4 mechanism. The 6over4 mechanism allows remote IPv6 hosts, located on a physical link with no directly connected IPv6 router, to use an IPv4 multicast domain as a virtual local link in order to communicate with other IPv6 hosts (Figure 2).

Figure 2
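As an added example (not code from the paper), the following Python models the 6to4 endpoint behaviour described above: the site's /48 derived from its IPv4 address, and the pseudo-interface that picks the IPv4 tunnel destination from the IPv6 destination and encapsulates with IPv4 protocol 41. The helper names and the relay address are assumptions; all addresses are documentation ranges.

```python
import ipaddress
import struct

# Added example, not from the paper: a 6to4 tunnel endpoint as the text describes it.
# A site with public IPv4 address W.X.Y.Z owns the IPv6 prefix 2002:WWXX:YYZZ::/48 (RFC 3056),
# and the pseudo-interface derives the IPv4 tunnel destination from the IPv6 destination
# instead of from a configured tunnel peer. Addresses used below are documentation ranges.
IPPROTO_IPV6 = 41                                  # IPv4 protocol number for IPv6-in-IPv4
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    # 2002::/16 followed by the 32-bit IPv4 address gives the site's /48
    site = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (site << 80), 48))

def _checksum(data: bytes) -> int:
    # standard Internet checksum over the IPv4 header
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = _checksum(hdr)                     # fill in the header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields)

def ipv6_packet(src6: str, dst6: str, payload: bytes = b"", next_header: int = 59) -> bytes:
    # minimal IPv6 header: version 6, payload length, next header (59 = none), hop limit 64
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed) + payload

def encapsulate_6to4(ipv6_pkt: bytes, local_ipv4: str, relay_ipv4: str) -> bytes:
    # automatic tunneling: if the IPv6 destination is a 6to4 address, the IPv4 endpoint is
    # bits 16..47 of that address; any other destination is handed to the 6to4 relay router
    dst6 = ipaddress.IPv6Address(ipv6_pkt[24:40])
    outer_dst = str(ipaddress.IPv4Address(ipv6_pkt[26:30])) if dst6 in SIX_TO_FOUR else relay_ipv4
    return ipv4_header(local_ipv4, outer_dst, IPPROTO_IPV6, len(ipv6_pkt)) + ipv6_pkt

def decapsulate(ipv4_pkt: bytes) -> bytes:
    # the receiving endpoint strips the IPv4 header when the protocol field is 41
    ihl = (ipv4_pkt[0] & 0x0F) * 4
    if ipv4_pkt[9] != IPPROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    return ipv4_pkt[ihl:]
```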
Translation mechanisms
A translation mechanism, as its name says, is a way of communication between different protocols such as IPv4 and IPv6. It is applied in network infrastructures that use one protocol, for example IPv4, together with services that use IPv6, and it enables communication between them. The best known translation mechanisms are:

I. Header conversion
II. NAT-PT
III. Address mapping
IV. Socks

i. Header conversion is a converter: it converts IPv4 headers to IPv6 ones and vice-versa. It is similar to the NAT protocol. It is a fast converting mechanism, but it is limited because it does not operate at the application layer.

ii. NAT-PT (Network Address Translation-Protocol Translation) enables communication between IPv6 hosts and applications and IPv4 ones. The host that performs the translation keeps a pool of addresses that are dynamically assigned to IPv6 hosts, and a session is modified for two hosts that support different protocols. It supports header and address translation. Its implementation is simple, but it does not support end-to-end security procedures and demands extra IPv4 address space.

iii. Address mapping refers to one-to-one communication between IPv6 destination and IPv4 source addresses and vice-versa.

iv. Socks is a gateway mechanism built around a dedicated Socks server that relays TCP or UDP sessions between two hosts using different protocols. It is a unidirectional mechanism used to connect IPv4 networks to IPv6 networks and vice-versa. Its disadvantage is that connections must lie behind the Socks server.
Figure 3
Threat modeling must be carried out by a network designer in order to develop an efficient security model which protects our network against certain threats and manages the related assumptions about where the threat came from, what caused the intrusion, how the threat reached our internal network, etc.
Figure 4 General Threat categories for IPv6 tunneling.

Due to some transition issues, automatic tunneling is susceptible to packet forgery and DoS attacks. These two types of threat are the same as in IPv4, but the IPv6 tunneling technologies increase the number of exploitation paths. When a network designer deploys automatic tunneling or configured tunneling, the tunneling overlays are non-broadcast multi-access networks from the point of view of IPv6, so this deployment should be taken into account in the network security design. Trace-back efforts against an attack can be defeated by the use of non-secure IPv6 to IPv4 translation and relay techniques. One methodology to discover and list all the attacks on a system is known as an attack tree: the attacks are represented in a tree structure, with the attack goals as root nodes and the different sub-goals as their leaf nodes. Problems arise when IPv6 is tunneled over IPv4 encapsulated in UDP, because UDP is usually allowed to pass through NAT devices and firewalls. As a result, the security design itself allows an attacker to punch holes in the security infrastructure. To avoid such exploitation, tunneled traffic should be used with caution or even completely blocked. Perimeter firewalls should block all inbound and outbound IPv4 protocol 41 traffic in order to provide ingress and egress filtering of IPv6 tunneled traffic.

Specifics of IPv6 Tunneling Deployment

All traffic from the internet should be split up into its corresponding protocols. By this it is meant that all traffic from an ISP router and edge router is split into IPv4 and IPv6 traffic, each filtered in turn by the corresponding stateful firewall, and only then injected into the internal network. Any network designer should be aware that the 6to4 mechanism does not support source address filtering, that Teredo punches holes into a NAT device, and that any tunneling mechanism is prone to spoofing.

Broker traffic is IPv6 tunneled in an IPv4 header with the IP protocol field set to 41; it is suggested to filter all this traffic, as this prevents IPv6 traffic from being tunneled within IPv4. However, tunnels can also be set up over UDP, the HTTP port and so on, so all traffic should be carefully monitored for instances of IPv6 traffic using an IDS. Another point a network administrator should take care of through each stage of the deployment of an IPv6 network is the use of 6to4 static tunneling, as it is a tunneling technology used to provide IPv6 connectivity between IPv6 sites and hosts across the IPv4 internet.
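As an added example (not code from the paper), the following Python is a small inspector for the cases the recommendations above name: IPv4 protocol 41 traffic that the perimeter firewall should drop, 6to4 sources that cannot be ingress-filtered (checked by comparing the IPv4 address embedded in the 6to4 source with the outer IPv4 source), and Teredo riding UDP port 3544 through NAT. Finding labels and the sample packets are constructed; addresses are documentation ranges.

```python
import ipaddress
import struct

# Added example, not from the paper: detector for the tunnel cases the text names
# (protocol 41 at the perimeter, unfilterable 6to4 sources, Teredo over UDP through NAT).
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056 6to4 prefix
TEREDO = ipaddress.IPv6Network("2001::/32")       # RFC 4380 Teredo prefix
IPPROTO_IPV6, IPPROTO_UDP, TEREDO_PORT = 41, 17, 3544

def inspect_inner_ipv6(inner: bytes, outer_src: ipaddress.IPv4Address) -> list:
    # checks on the encapsulated IPv6 header; the 6to4 consistency check follows RFC 3964
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return ["payload-not-ipv6"]
    src6, dst6 = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    findings = []
    # 6to4 embeds the site IPv4 address in bits 16..47 of the source; it must equal the outer source
    if src6 in SIX_TO_FOUR and ipaddress.IPv4Address(inner[10:14]) != outer_src:
        findings.append("6to4-source-mismatch")
    if src6 in TEREDO or dst6 in TEREDO:
        findings.append("teredo-inner-address")
    return findings

def inspect_ipv4(pkt: bytes) -> list:
    # returns tunnel-related findings for one raw IPv4 packet; an empty list means none
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    outer_src, payload = ipaddress.IPv4Address(pkt[12:16]), pkt[ihl:]
    if proto == IPPROTO_IPV6:  # what the perimeter firewall should drop in both directions
        return ["proto41-ipv6-in-ipv4"] + inspect_inner_ipv6(payload, outer_src)
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        inner = payload[8:]
        if TEREDO_PORT in (sport, dport):
            return ["teredo-udp-3544"] + inspect_inner_ipv6(inner, outer_src)
        if len(inner) >= 40 and inner[0] >> 4 == 6:  # heuristic only; confirm with an IDS rule
            return ["possible-ipv6-in-udp"]
    return []

# constructed sample packets (documentation addresses, checksums left at zero)
def _ip4(src, dst, proto, body):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + body
def _ip6(src, dst):
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
def _udp(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body
SAMPLES = {
    "honest-6to4": _ip4("192.0.2.1", "203.0.113.5", 41, _ip6("2002:c000:201::1", "2002:cb00:7105::1")),
    "spoofed-6to4": _ip4("198.51.100.9", "203.0.113.5", 41, _ip6("2002:c000:201::1", "2002:cb00:7105::1")),
    "teredo": _ip4("198.51.100.9", "203.0.113.7", 17, _udp(40000, 3544, _ip6("2001:0:cb00:7107::1", "2001:db8::1"))),
}
```

Run `inspect_ipv4` over each entry of `SAMPLES`: the honest 6to4 packet is reported only as protocol 41, the spoofed one additionally gets the source mismatch, and the Teredo packet is flagged by port and by inner prefix.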