Contents

Abstract ......................................................................................................................................................... 2 Introduction to IPv4 IPv6 Protocol ............................................................................................................. 2 Lack of IP addresses .................................................................................................................................. 2 Performance-handling .............................................................................................................................. 2 Automatic address assignment ................................................................................................................. 2 Technical Procedure/ Discussion .................................................................................................................. 3 Dual stack mechanisms (DSM) .................................................................................................................. 3 Tunneling mechanisms ............................................................................................................................. 3 I. II. Direct configuration ...................................................................................................................... 4 Coding configuration..................................................................................................................... 4

Translation mechanisms ........................................................................................................................... 5 I. II. III. IV. Header conversion ........................................................................................................................ 5 NAT-PT .......................................................................................................................................... 5 Address mapping ...................................................................................................................... 5 Socks.......................................................................................................................................... 5

The IPv6 to IPv4 Threat overview ................................................................................................................. 6 IPv6 and IPv4 Threat Issues and Observations ......................................................................................... 7 The security issues in IPv6 tunneling ........................................................................................................ 8 Recommendations for a network administrator when deploying an IPv6 in IPv4 network..................... 8 Current and future innovations from research on the IPv6 threats. ........................................................ 9 References .................................................................................................................................................. 10

Abstract
There have been statements around the technological world that the new version of the IP protocol, the world known IPv6, is the answer to the numerous problems that raised due to the mass expansion of the internet and the computers around the world. Despite the above statement, there is a mandatory co-existence of the IPv4 and IPv6 protocols, till all the internet is transformed to work with IPv6 in total. Up to that point of time, where IPv6 will take place globally, there are being deployed many techniques, methods, and technologies that allow the existence and cooperation between the two protocols. The purpose of these is to make the transition between IPv4 data packets to IPv6 more manageable and feasible by the infrastructure of the internet, and the ITs around the world.

Introduction to IPv4 IPv6 Protocol

This projects aim is to apply our research skills on finding information on technical sections for the topic of IPv4 to IPv6 Protocol and Tunnel Discovery. IPv4 protocol is a wide ranged word in all the world and known almost from every person that uses an internet connection. It is the first protocol that was used to define IP addresses to hosts with the technical aid of subnet masks. Every machine networked nowadays uses IPv4 protocol but that was not enough. Since technology has been evolving day by day our society has applied network connectivity to almost every circuit-based machine that uses an operating system. Below there are some reasons why IPv4 is fading out and why there is a need to build a new and improved protocol.

Lack of IP addresses
The rise of technology created home devices like smart phones, tablets and etc that can connect to the internet through IP addresses. That means that more IP addresses have to be given to each of those devices but simultaneously they are being dropped off. Space is decreasing because of the limited sub netting there is in order for the IPv4 protocol to work.

Performance-handling
Due to applications that demand higher quality in transmission over the IP addresses and the higher layers, the IPv4 protocol cannot sync to and therefore it gives unexpected results.

Automatic address assignment

In the past and even now, in order to get full connectivity to the internet via IPv4, an expert or someone that had knowledge on computers should come into someones home/office to set the parameters. As a new technological era has come people want to connect every computer and electronic device they have and can achieve this by following simplified steps, as easy as they connect their mobile phones.

The new and improved protocol the IPv6, has filled all the gaps that IPv4 created such as lack of addresses because sub netting is not required any more. It is only matter of time that this protocol will be deployed all over the world as it is more powerful, more secure and more synchronized to our age.

Technical Procedure/ Discussion

The most widely known transition mechanisms for co-operation between IPv4 and IPv6 are: dual stack mechanisms tunneling mechanisms, and translation mechanisms.

Dual stack mechanisms (DSM)

The Dual stack mechanism uses both IPv4 and IPv6 protocol in order to communicate. In order to make it work every host that tries to communicate with the other must keep both stacks on the internet interface. It enables then an end to end communication between the two protocols. It uses dynamic tunnel interfacing combined with temporary IPv4 address from a DHCPv6 server. This mechanism is based on DHCPv6 server because it can transform an IPv4 address temporary to an IPv6 but only for IPv4 host communication. The IPv4 packets are encapsulated to the IPv6 packets of the address and float to the IPv6 network in order to pass the interconnection to the IPv4 network. The only issue that this kind of mechanism has is the demand of a domain name service (DNS). In order to use an IPv4 and IPv6 address the host must request it from the DNS and the DNS has to be fully equipped with libraries that can handle both of this records. It is observed that the DNS conflict affects the network performance. The advantages of this mechanism is that because it is bi-directional (meaning that can initialize from IPv4 to IPv6 and backwards) make it better from other mechanisms that can only run from IPv6 to IPv4. It is recommended for use on small and medium network areas that already use DHCP and share IP addresses from a DNS. The disadvantage is that can only work if the DHCPv6 server is available and a secure process has not been found yet.

Tunneling mechanisms
The tunneling mechanism is the opposite mechanism of the dual stack mechanism but they support each other because in order for this mechanism to work the routers or host must be only dual stack. This mechanism is used for communication of IPv6 protocol over IPv4 network and vice-versa. It is base on the encapsulation of the IPv66 packets of the address that combine into the IPv4 address and are transmitted over the IPv6 network.

The tunneling mechanism is divided in two main categories: I. Direct configuration

II. Coding configuration The Direct configuration is divided also in two subcategories: I. Configured tunneling mechanism. Each endpoint of the tunnel of the IPv4 address refers to the opposite. The IPV6 packets are encapsulated to the IPv4 packets. The destination address of the IPv4 packets has been shown in the creation of the tunnel interface, and the source address is the IPv4 address of the other interface. Routers build point to point connections over the IPv4 network and these are transmitted on the IPv6 packets. It is a cost-effective mechanism without the use of separate physical links. Tunnel broker mechanism. This mechanism provides IPv6 communications that are isolated from any IPv6 network. It provides sharp connection to the IPv6 network with low cost. The functionality is made by assigning and Ipv6 address to the dual stack host and then it returns a client configuration information. Tunnel broker entity and the tunnel broker server are the components of this mechanism. The first one is used for the registration of the user and the activation to the IPv6 network. The latter one is an IPvX router connected to both networks. This mechanisms clients are remote users, and can offer a high scalability and can support larger number of remote users. Users utilizing NAT mechanism also have a limitation in support. At last the tunnel broker mechanism aims more at short-term native IPv6 connectivity. The tunnel broker mechanism supports three types of mechanisms: Automatic tunneling mechanism 6to4 transition mechanism 6over4 mechanism

II.

I. II. III.

Automatic tunneling mechanism This mechanism utilizes a software module to the hosts. It is a pseudo-interface which encapsulates IPv6 packets in IPv4 packets and forwards them over the IPv4 interface. The requirement of the mechanism is the use of globally routable IPv4 addresses. With this type of mechanism we can achieve end-to-end communication with remote hosts and the IPv6 network. 6to4 transition mechanism The 6to4 is an address assignment, router-to-router, host-to-router, and router-to-host automatic tunneling mechanism that is meant to provide connectivity between IPv6 sites and hosts across the IPv4 internet, Figure 1.

Figure 1 6over4 mechanism The 6over4 mechanism allows remote IPv6 hosts, located on a physical link with no directly connected IPv6 router on it, to use IPv4 multicast domain as a virtual local link in order to communicate with other IPv6 hosts, Figure 2.

Figure2

Translation mechanisms
Translation mechanism as its own name says it is a communication way between different protocols such as IPv4/IPv6. It is applied in network infrastructures that use one protocol for example IPv4 and services that use IPv6 and it can get communication between them. The most known translation mechanisms are: I. II. III. IV. Header conversion NAT-PT Address mapping Socks

i.

Header conversion is a converter.It converts IPv4 headers to IPv6 ones and vice-versa. It is similar to the NAT protocol. This is a fast converting mechanism but it is limited due to non usage upon the application layer.

ii.

NAT-PT (Network Address Translation-Protocol Translation) engages communication between IPv6 hosts and applications and IPv4 ones. The host that makes the translation keeps a group of addresses that are dynamically assigned to IPv6 hosts and a session is modified for two hosts that support different protocol. It supports header and address translation. Its implementation is simple but it does not support end-to-end security procedures and demands extra IPv4 space. Address mapping refers to one-to-one communication between IPv6 destination and IPv4 source addresses and vice-versa. Socks is a gateway mechanism created to specified socks server that relays TCP or UDP sessions between two different hosts with different protocols. It is a unidirectional mechanism and used for connection of IPv4 to Ipv6 networks and vice-versa. Its disadvantage is that connections must lie behind the Sock server.

iii.

iv.

The IPv6 to IPv4 Threat overview

Networks threats are mainly divided into two types. On the first scale we have the passive threats type and on the second scale we have the active threats type. In analysis of passive threats it can be indicated that the attacker is not orientated to modify any data, which situation makes it more difficult to detect the source of the attacker, whereas the active threats tend to modify any data or even create a false message, as seen in Figure 3.

Figure 3

Threat modeling is crucial to be carried on by a Network designer in order to develop an efficient security model which protects our network against certain threats and manage the related assumptions

related to where the threat came from, what was the cause of intrusion, how the threat reached our internal network, etc.

IPv6 and IPv4 Threat Issues and Observations

Regarding to the IPv6 tunneling technologies and firewalls, a network designer shall take into deep consideration IPv6 tunneling when defining security policies, due to the fact that unauthorized data may traverse the firewall in tunnels. The most common issue of this threat type is when using instant messaging (IM) and file sharing through TCP port 80 out of organizations with IPv4.

Figure 4 General Threat categories for IPv6 tunneling. Due to some transition issues automatic tunneling is susceptible to packet forgery and DOS attacks. These two types of threats mentioned above are the same as in IPv4, but the IPv6 tunneling technologies increase the number of paths of exploitation. When a network designer deploys automatic tunneling or Configured tunneling, the tunneling overlays are considered non broadcast multi-access networks to IPv6, so as a result this deployment should be considered in the network security design. Defense trace back efforts of an attack can be defeated by using non secure IPv6 to IPv4 and translation and relay techniques. One methodology to discover and list all the attacks on a system is known as attack tree. The attacks are represented in a tree structure, the attack goals as root nodes and the different sub goals as their leaf nodes. The problems are identified when IPv6 is tunneled over IPv4 encapsulated in UDP as UDP is mostly allowed to pass through NAT and Firewalls. As a result of this, an attacker is allowed by the security design itself to punch holes within the security infrastructure. In order to avoid such 7

exploitation the tunneled traffic should be used with caution or even completely blocked. Perimeter firewalls should block all inbound and outbound IPv4 protocol 41 traffic, in order to provide ingress and egress filtering of IPv6 tunneled traffic. Specific of IPv6 Tunneling Deployment All traffic from the internet should be split up into its corresponding protocols. By this it is meant that all traffic from an ISP router and Edge Router splits up into IPv4 protocol and IPv6 protocol which get filtered by the corresponding in turn stateful firewalls, and then can be injected in the internal network. Any network designer shall be aware of the fact that 6to4 mechanism does not support source address filtering, that TEREDO punches holes into a NAT device and finally that any tunneling mechanism is prone to spoofing.

The security issues in IPv6 tunneling

1. IPv4 networking code can make an attack on IPv6 node (network): The attackers in IPv4 networks can attack a 6to4 router end point by forwarding a spoofed encapsulated packet, therefore this makes it difficult to trace back the attack. 2. An attack can be made also by an IPv6 node to an IPv6 node(network) using a 6to4 relay end point and 6to4 router by sending an encapsulated spoofed packet. 3. We may have a reflect-DOS attack on a Destination Host. This can be achieved through the 6to4 (tunnel) router end point by sending encapsulated packets with the spoofed IPv6 address as the specific IPv6 node. 4. By sending an encapsulated IPv6 neighbor discovery message with a spoofed IPv6 link local address, the tunnel end point may be cheated and DOS attacked. 5. Spoofing in IPv4 with 6 to 4. Spoofed traffic can be injected into IPv6 from IPv4. The spoofed IPv4 address acts like an IPv4 source address, 6to4 any cast (192.88.99.1) acts like an IPv4 destination. The 2002::spoofed address acts like an IPv4 destination. 6. In the 6to4 mechanism, some packets with spoofed destination addresses and mapped to broadcast addresses of 6to4 or relay routers are sent directly to targets by the attackers in the IPv6 network. This also means that the 6to4 or relay routers can be attacked by these broadcast addresses. These six situations are some Security issues relating to IPv6 tunneling techniques.

Recommendations for a network administrator when deploying an IPv6 in IPv4 network.

A network designer can easily limit these issues by investigating the source/destination addresses in the packets at each end point. In tunneling techniques is easier to avoid ingress packet filtering checks. An easy way to avoid the spoofed packets is to have the tunnel end points of the configuration tunnels fixed, so the IPsec takes control and exterminates the attacks. The deployment of Configuration tunneling is much more secure than the automatic tunneling mechanisms. A network administrator can use an IPv4 Header. To protect from 6to4, ISATAP, Tunnel 8

Broker traffic, which is IPv6 tunneled using IPv4 Header having IP protocol set to 41, it is suggested to filter all this traffic as this will prevent IPv6 traffic from being tunneled within the IPv4. However, tunnels can be set up over UDP, HTTP port and so on, to carefully detect and monitor all the traffic for instances of IPv6 traffic, using an IDS. Another step for a network administrator to take care of through each stage of deployment of an IPv6 network is the use of a 6 to 4 static tunneling, as it is a tunneling technology that is used to provide IPv6 connectivity between IPv6 sites and hosts across the IPv4 internet.

Current and future innovations from research on the IPv6 threats.

There are also being conducted many innovative researches to challenge the IPv6 threat issues. The first field of research is about improving the notion of the system identification within an organization. The second field of research focuses on transition mechanisms. Due to advanced deployment of IPv6, the IPv4 networks may also be separated by IPv6 ones. We are using now only few kinds of method like IPv4 configuration tunnel and DSTM, more research on IPv4 over IPv6 transition methods is necessary. The third field is the increased dependence on multicast addresses would raise some interesting implications with flooding attacks. The neighbor discovery is a new addition to IPv6 to replace ARP and RARP of IPv4 and also It is an essential component of a well-run IPv6 network. But it should be tested from a security point, as a question about whether a CPU of a device would be exhausted by processing information of IPv6 neighbor discovery.

References
[1] Dr.Manjaiah.D.H. Hanumanthappa.J.,2009, IPv6 an IPv4 Threat reviews with Automatic Tunneling and Configuration Tunneling Considerations Transitional Model: -A case Study for University of Mysore Network-, (IJCSIS) International journal of Computer Science and Information Security,Vol.3,No.1. [2] C.Bouras,A.Karaliotas,P.Ganos,(2003),The deployment of IPv6 in an IPv4 world and transition strategies,Internet Research, Vol.13 ISS:2 pp.86-93. [3] L.Colliti,Giuseppe Di Battista, M.Patrignani, IEEE Transactions on network and service management, No.1, April 2004. [4] E.Nordmark,R.Gilligan,Transition Mechanisms for IPv6 Hosts and Routers, RFC 2893,August 2000. [5] P.Savola,C.Patel,Security Considerations for 6to4,RFC 3964, December 2004. [6] R.Graveman,M.Parthasarathy,P.Savola,H.Tschofenig, Using IPsec to Secure IPv6-in-IPv4 Tunnels, RFC 4891,May 2007. [7] S.Krishnan,D.Thaler,J.Hoagland,Security Concerns with IP Tunneling, RFC 6169,April 2011. [8] E.Davies,S.Krishnan,P.Savola,IPv6 Transition/Coexistence Security Considerations,RFC 4942,September 2007. [9] R.Graveman,M.Parthasarathy,P.Savola,H.Tschofenig,Using IPsec to Secure IPv6-in-IPv4 Tunnels,RFC 4891, May 2007. [10]A.Durand,P.Fasano,I.Guardini,D.Lento,IPv6 Tunnel Broker,RFC 3053, January 2001. [11]S.Deering,R.Hinden,Internet Protocol, Version 6(IPv6), http://tools.ietf.org/html/draft-ietfipngwg-ipv6-spec-v2-01.txt, November 21,1997.

10

11