Network Security IPv6

Dec 14, 2015

Jena Shaker
Page 1: Network Security IPv6. Topics  Introduction  Comparison with IPv4  Header format  Extension headers  Neighbour discovery  Transition from IPv4 to.

Network Security

IPv6

Page 2

Topics

- Introduction
- Comparison with IPv4
- Header format
- Extension headers
- Neighbour discovery
- Transition from IPv4 to IPv6
- ICMPv6
- IPv6 addresses
- Address Autoconfiguration
- IP Security

Page 3

About IPv6

- Internetworking Protocol version 6 (IPng). IPv6 was developed because around 1992 it became clear that, at the rate the Internet was growing, the world would soon run out of IPv4 numbers.
- Experimental deployment of IPv6 started in 1995.
- IPv6 was designed to work alongside IPv4 on all network devices. This is often called "Dual Stack" because devices have both an IPv4 protocol stack and an IPv6 protocol stack.
- 128-bit address written in 8 hex quads; it supports 2^128 (about 3.4×10^38) addresses.

Page 4

IPv4 deficiencies

- Address depletion
- No support for real-time audio and video transmission
- No encryption and authentication of data

Page 5

IPv6 advantages over IPv4

- Large address space
- Better header format
- Stateless and stateful address autoconfiguration
- Built-in security
- New options
- Extensibility
- Support for real-time audio and video

Page 6

IPv4 vs IPv6

[figure]

Page 7

Reasons for delay in adoption

- Classless addressing
- Use of DHCP
- Network Address Translation

Page 8

IPv6 datagram base header

[figure]

Page 9

IPv4 and IPv6 header

[figure]

Page 10

IPv4 vs IPv6 packet header

[figure]

Page 11

IPv6 extension headers

[figure]

Page 12

IPv6 Extension Headers

- Hop-by-Hop Options header: used when the source needs to pass information to all routers visited by the datagram.
- Source routing: combines the concepts of the strict and loose source route options of IPv4.
- Fragmentation: the source is required to fragment if the size of the datagram is larger than the MTU of the network. Only the original source can fragment.

Page 13

Extension Headers contd.

- Authentication Header (AH): validates the message sender and ensures the integrity of the data.
- Encapsulating Security Payload (ESP): provides confidentiality and guards against eavesdropping.
- Destination Options: used when the source needs to pass information to the destination only. Intermediate routers are not permitted access.
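The base header and the extension-header chain described on pages 8 to 13 are easiest to understand by walking one in code. The following Python is an added example written for this transcript, not code from the slides. The packet it parses is constructed inline (IPv6 / Hop-by-Hop / Fragment / UDP between the documentation addresses 2001:db8::1 and 2001:db8::2), and the checks on every length field are the part a defender cares about: a filter that stops at the first header it does not understand, or trusts a Hdr Ext Len value blindly, misclassifies the traffic behind it.

```python
import struct

# Next Header / protocol numbers used below (IANA assigned values)
HOP_BY_HOP = 0
UDP = 17
ROUTING = 43
FRAGMENT = 44
ESP = 50
AH = 51
NO_NEXT_HEADER = 59
DEST_OPTS = 60

# Extension headers the walker can step over. ESP is deliberately absent:
# everything after an ESP header is encrypted, so the chain ends there.
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}


def parse_base_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 base header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 base header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": pkt[8:24],
        "dst": pkt[24:40],
    }


def walk_extension_headers(pkt: bytes, max_headers: int = 8) -> dict:
    """Follow the Next Header chain from the base header to the upper-layer protocol.

    Every length field is checked against the buffer before it is trusted, and the
    number of headers is capped, so a crafted chain cannot push the parser past the
    end of the packet or keep it looping.
    """
    base = parse_base_header(pkt)
    next_hdr, offset, chain, fragment = base["next_header"], 40, [], None
    while next_hdr in EXTENSION_HEADERS:
        if len(chain) >= max_headers:
            raise ValueError("extension header chain too long")
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(next_hdr)
        if next_hdr == FRAGMENT:
            # Fixed 8 bytes: Next Header, Reserved, Fragment Offset(13)/Res(2)/M(1), Identification
            nh, _reserved, off_flags, ident = struct.unpack("!BBHI", pkt[offset:offset + 8])
            fragment = {"offset": off_flags >> 3, "more": off_flags & 1, "id": ident}
            hdr_len = 8
        elif next_hdr == AH:
            # AH Payload Len counts 32-bit words minus 2 (RFC 4302)
            nh, hdr_len = pkt[offset], (pkt[offset + 1] + 2) * 4
        else:
            # Hop-by-Hop, Routing, Destination Options: Hdr Ext Len in 8-byte units, not counting the first 8
            nh, hdr_len = pkt[offset], (pkt[offset + 1] + 1) * 8
        if offset + hdr_len > len(pkt):
            raise ValueError("extension header runs past end of packet")
        offset += hdr_len
        next_hdr = nh
    return {
        "base": base,
        "chain": chain,
        "upper_layer": next_hdr,
        "upper_offset": offset,
        "fragment": fragment,
    }


def build_sample_packet() -> bytes:
    """Constructed sample (not a capture): IPv6 / Hop-by-Hop / Fragment / UDP."""
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
    udp = struct.pack("!HHHH", 40000, 53, 12, 0) + b"abcd"     # UDP checksum left 0 in this sample
    frag = struct.pack("!BBHI", UDP, 0, (0 << 3) | 1, 0xABCD1234)   # first fragment, M=1
    hbh = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])               # Hdr Ext Len 0, one PadN option
    payload = hbh + frag + udp
    base = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64) + src + dst
    return base + payload
```

The walker stops at ESP on purpose: the Next Header value inside an ESP payload is only known after decryption, so a middlebox can classify a packet at most up to that point.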

Page 14

IPv4 options and IPv6 extension headers

[figure]

Page 15

Transition from IPv4 to IPv6

[figure]

Page 16

Dual Stack

- A station must run IPv4 and IPv6 simultaneously until all of the Internet uses IPv6.
- To determine which version to use when sending a packet to a destination, the source host queries the DNS.
- If the DNS returns an IPv4 address, the source host sends an IPv4 packet.
- If the DNS returns an IPv6 address, the source host sends an IPv6 packet.

Page 17

Tunneling

- A strategy used when two computers using IPv6 want to communicate with each other and the packet must pass through a region that uses IPv4.
- The IPv6 packet is encapsulated in an IPv4 packet when it enters the region, and it leaves its capsule when it exits the region.
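As an added illustration of the encapsulation step (not part of the original slides), the following Python wraps a constructed IPv6 packet in an IPv4 header carrying protocol number 41, the value used for IPv6-in-IPv4 tunnels, and validates it again at the tunnel exit. The outer addresses 192.0.2.1 and 198.51.100.2 are documentation addresses chosen for the example. From a filtering point of view the protocol number is what matters: a firewall that only inspects TCP and UDP never sees the IPv6 traffic inside.

```python
import struct

IPPROTO_IPV6 = 41   # IPv4 protocol number for "IPv6 in IPv4" (6in4, RFC 4213)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header.

    Computed over a header whose checksum field is zero it yields the value to
    insert; computed over a header whose checksum is already correct it yields 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip4(text: str) -> bytes:
    octets = [int(o) for o in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return bytes(octets)


def encapsulate_6in4(ipv6_pkt: bytes, outer_src: str, outer_dst: str, ttl: int = 64) -> bytes:
    """Tunnel entry: wrap an IPv6 packet in an IPv4 header with protocol 41."""
    if len(ipv6_pkt) < 40 or ipv6_pkt[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    total_len = 20 + len(ipv6_pkt)
    if total_len > 0xFFFF:
        raise ValueError("encapsulated packet too large for IPv4")
    # Version/IHL, DSCP/ECN, Total Length, Identification, Flags(DF)/Offset,
    # TTL, Protocol, Header Checksum (0 for now), Source, Destination
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl,
                      IPPROTO_IPV6, 0, _ip4(outer_src), _ip4(outer_dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_pkt


def decapsulate_6in4(ipv4_pkt: bytes) -> bytes:
    """Tunnel exit: validate the outer IPv4 header and return the inner IPv6 packet."""
    if len(ipv4_pkt) < 20 or ipv4_pkt[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (ipv4_pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ipv4_pkt[2:4])[0]
    if ihl < 20 or total_len > len(ipv4_pkt) or ihl > total_len:
        raise ValueError("bad IPv4 lengths")
    if ipv4_checksum(ipv4_pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ipv4_pkt[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol is not 41 (6in4)")
    inner = ipv4_pkt[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner payload is not IPv6")
    if 40 + struct.unpack("!H", inner[4:6])[0] != len(inner):
        raise ValueError("inner IPv6 payload length does not match")
    return inner


def sample_ipv6_packet() -> bytes:
    """Constructed minimal IPv6 packet (No Next Header, empty payload), not a capture."""
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
    return struct.pack("!IHBB", 6 << 28, 0, 59, 64) + src + dst
```

The exit side checks the outer checksum, the protocol number and the inner version and length before handing the packet to the IPv6 stack; anything that fails those checks is dropped rather than forwarded.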

Page 18

Header Translation

- Necessary when the majority of the Internet has moved to IPv6 but some systems still use IPv4.
- The sender wants to use IPv6, but the receiver does not understand IPv6.
- The header format must be totally changed through header translation.
- The header of the IPv6 packet is converted to an IPv4 header; this uses the mapped address and some rules to translate an IPv6 address to an IPv4 address.

Page 19

ICMPv6

- Internet Control Message Protocol; combines ICMPv4, ARP and IGMP.
- Message-oriented: it uses messages to report errors.
- Like version 4, ICMPv6 reports errors, handles group memberships, updates specific router and host tables, and checks the viability of a host.
- ICMPv6 forms an error packet which is then encapsulated in an IP datagram.

Page 20

ICMPv6 messages

- Error messages: destination unreachable, packet too big, time exceeded, parameter problem
- Informational messages: echo request and echo reply
- Neighbour discovery messages: router solicitation and advertisement; neighbour solicitation and advertisement
- Group membership messages: membership query and report

Page 21

ND messages

Mainly used by:
- Hosts to find routers in the neighbourhood
- Nodes to find the link-layer addresses of neighbours
- Nodes to find the IPv6 addresses of neighbours

- Router-solicitation message
- Router-advertisement message
- Neighbour-solicitation message
- Neighbour-advertisement message

Page 22

IPv6 addressing

- Unicast address
- Anycast address
- Multicast address
- IPv6 doesn't implement a broadcast address. Broadcasts are replaced by multicasts and anycasts. However, a multicast to address ff02::1 results in a transmission to all nodes within the same local link, which is similar to an IPv4 multicast to address 224.0.0.1.

Page 23

Unicast & Anycast Address format

Unicast (one-to-one) and anycast (one-to-one-of-many) addresses are typically composed of two logical parts: a 64-bit network prefix used for routing, and a 64-bit host part used to identify a host within the network.

The network prefix shown begins with the bits 1111 110 followed by a 0/1 bit and a 40-bit random number. The 16 bits of the subnet identifier field are available to the network administrator to define subnets within the given network. The 64-bit interface identifier is either automatically generated from the interface's MAC address, obtained from a DHCPv6 server, generated randomly, or assigned manually.

Page 24

Multicast Address format

The prefix holds the binary value 1111 1111 for any multicast address. The flag field defines the group address as either permanent or transient. The scope field defines the scope of the group address.

Page 25

IPv6 notation

- An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets).
- The groups are separated by a colon (:). A typical example of an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
- The hexadecimal digits are case-insensitive.

Page 26

Compressing Zeros

- A contiguous sequence of 16-bit blocks set to 0 in the colon-hexadecimal format can be compressed to "::", known as the double colon.
- For example, the link-local address FE80:0:0:0:2AA:FF:FE9A:4CA2 can be compressed to FE80::2AA:FF:FE9A:4CA2.
- Zero compression can only be used once in a given address.
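Pages 25 and 26 describe the notation and the one-double-colon rule; the following Python, added here and not taken from the slides, implements a parser that enforces that rule, the expanded form, the canonical compressed form, and the address classification from pages 22 to 24 (multicast prefix 1111 1111 with its flag and scope fields, link-local and unique-local unicast). The compression goes slightly beyond the slide: it follows RFC 5952, which also fixes which run of zeros gets the "::" when there are several. The sample addresses are documentation or link-local examples, and the scope names are those of the IPv6 addressing architecture.

```python
import re

GROUP_RE = re.compile(r"[0-9A-Fa-f]{1,4}")
MULTICAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                    5: "site-local", 8: "organization-local", 14: "global"}


def parse_ipv6(text: str) -> bytes:
    """Colon-hexadecimal text (with at most one '::') to the 16-byte binary address."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight 16-bit groups")
    out = bytearray()
    for g in groups:
        if not GROUP_RE.fullmatch(g):
            raise ValueError(f"bad hexadecimal group {g!r}")
        out += int(g, 16).to_bytes(2, "big")
    return bytes(out)


def expand_ipv6(addr: bytes) -> str:
    """Full eight-group form with leading zeros, e.g. 2001:0db8:0000:...:0001."""
    return ":".join(f"{int.from_bytes(addr[i:i + 2], 'big'):04x}" for i in range(0, 16, 2))


def compress_ipv6(addr: bytes) -> str:
    """Canonical text form (RFC 5952): lowercase, no leading zeros, and '::' for the
    longest run of two or more zero groups (the leftmost run on a tie)."""
    groups = [int.from_bytes(addr[i:i + 2], "big") for i in range(0, 16, 2)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    words = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(words)
    return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])


def classify_ipv6(addr: bytes) -> dict:
    """Address type from the leading bits: 1111 1111 is multicast (flags and scope in
    the next byte), 1111 1110 10 is link-local unicast, 1111 110 is unique-local
    unicast. Anycast addresses come from the unicast space and cannot be told
    apart by their format."""
    if addr[0] == 0xFF:
        flags, scope = addr[1] >> 4, addr[1] & 0x0F
        return {"type": "multicast", "transient": bool(flags & 0x1),
                "scope": MULTICAST_SCOPES.get(scope, f"scope-{scope}")}
    if addr == bytes(16):
        return {"type": "unspecified"}
    if addr == bytes(15) + b"\x01":
        return {"type": "loopback"}
    if addr[0] == 0xFE and (addr[1] & 0xC0) == 0x80:
        return {"type": "unicast", "scope": "link-local"}
    if (addr[0] & 0xFE) == 0xFC:
        return {"type": "unicast", "scope": "unique-local"}
    return {"type": "unicast", "scope": "global"}
```

Parsing to bytes first and formatting from bytes is what makes comparisons safe: two spellings of the same address (upper or lower case, with or without leading zeros or "::") compare equal only after normalisation, which matters anywhere an address is used as a key in an allow-list or a log search.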

Page 27

Address Autoconfiguration

- A host has the ability to configure itself automatically, even without the use of a stateful configuration protocol such as DHCPv6.
- Types of autoconfiguration:
  - Stateless: configuration of addresses is based on the receipt of Router Advertisement messages.
  - Stateful: configuration is based on DHCPv6 to obtain addresses and other configuration options. A host will use a stateful address configuration protocol when there are no routers present on the local link.

Page 28

Autoconfiguration process

- The host first creates a link-local address for itself.
- The host then tests to see whether this link-local address is unique and not used by other hosts.
- If the link-local address passes the uniqueness test, the host stores this address as its link-local address, but it still needs a global unicast address.
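The autoconfiguration steps above, together with the MAC-derived interface identifier from page 23 and the neighbour-solicitation message from pages 20 and 21, carried through in code. This is an added Python example, not material from the slides; the MAC address and the advertised prefix 2001:db8:1:2::/64 are constructed inputs. It derives the link-local address, the solicited-node multicast group that the uniqueness test (Duplicate Address Detection) is sent to, the DAD neighbour solicitation itself with its ICMPv6 checksum, and the check a receiver applies to such a message.

```python
import ipaddress
import struct

ICMPV6 = 58
NEIGHBOR_SOLICITATION = 135
UNSPECIFIED = bytes(16)           # "::", the source address used during DAD


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier: split the 48-bit MAC, insert ff:fe in the
    middle and flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_address(iid: bytes) -> ipaddress.IPv6Address:
    """fe80::/64 prefix plus the interface identifier: the first address a host creates."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def global_address(advertised_prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix learned from a Router Advertisement with the interface identifier."""
    net = ipaddress.IPv6Network(advertised_prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, formed from the low 24 bits of the target address."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24)


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """Checksum over the IPv6 pseudo-header (source, destination, upper-layer length,
    next header) followed by the ICMPv6 message. Over a message whose checksum
    field is already correct the result is 0."""
    data = src + dst + struct.pack("!I3xB", len(icmp), ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dad_neighbor_solicitation(tentative) -> bytes:
    """Neighbour Solicitation for Duplicate Address Detection: source ::, destination the
    solicited-node group of the tentative address, hop limit 255, no link-layer option."""
    target = ipaddress.IPv6Address(tentative).packed
    dst = solicited_node_multicast(tentative).packed
    # type, code, checksum (0 for now), reserved, target address
    msg = struct.pack("!BBHI", NEIGHBOR_SOLICITATION, 0, 0, 0) + target
    csum = icmpv6_checksum(UNSPECIFIED, dst, msg)
    msg = msg[:2] + struct.pack("!H", csum) + msg[4:]
    base = struct.pack("!IHBB", 6 << 28, len(msg), ICMPV6, 255) + UNSPECIFIED + dst
    return base + msg


def icmpv6_checksum_ok(pkt: bytes) -> bool:
    """Verify an ICMPv6 message carried directly after the base header (no extension headers)."""
    if len(pkt) < 48 or pkt[6] != ICMPV6:
        return False
    return icmpv6_checksum(pkt[8:24], pkt[24:40], pkt[40:]) == 0
```

A receiver that validates ICMPv6 the way icmpv6_checksum_ok does, and additionally insists on hop limit 255 for neighbour discovery messages, rejects ND traffic that was not sent on the local link, since any router on the path would have decremented the hop limit.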

Page 29

IP Security

- IPSec is a collection of protocols designed by the IETF to provide security for a packet at the network layer.
- It helps create authenticated and confidential packets for the IP layer.
- Two modes:
  - Transport mode does not protect the IP header; it only protects the information coming from the transport layer.
  - Tunnel mode protects the original IP header.

Page 30

IPSec modes

[figure]

Page 31

IPSec Protocols: AH and ESP

Authentication Header
- Designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet.
- Uses a hash function and a symmetric key to create a message digest; the digest is inserted in the authentication header.

Page 32

AH Protocol in transport mode

[figure]

Page 33

What is a Message Digest?

- The electronic equivalent of the document and fingerprint pair is the message and message digest pair.
- To preserve the integrity of a message, the message is passed through an algorithm called a hash function.
- The hash function creates a compressed image of the message that can be used as a fingerprint.
- The message digest needs to be kept secret.
- SHA-1 (Secure Hash Algorithm 1)
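Pages 31 to 33 describe AH as a keyed message digest inserted in the authentication header. The following Python is an added example, not code from the slides, of AH in transport mode on IPv6, using HMAC-SHA-256 truncated to 128 bits as specified for IPsec in RFC 4868. The digest is computed over the whole packet with the mutable fields (Traffic Class, Flow Label, Hop Limit and the ICV field itself) zeroed, so routers may change the hop limit in transit without breaking verification, while any change to the payload or the addresses does break it. In this construction the shared key is the secret that never leaves the two hosts; the digest travels in the clear inside the AH and is recomputed by the receiver. Addresses, key and payload are constructed for the example.

```python
import hashlib
import hmac
import struct

AH = 51
UDP = 17
ICV_LEN = 16          # HMAC-SHA-256-128 (RFC 4868): 256-bit HMAC truncated to 128 bits
ICV_FIELD_LEN = 20    # ICV plus 4 bytes of padding so the AH is a multiple of 8 bytes, as IPv6 requires
AH_LEN = 12 + ICV_FIELD_LEN
AH_OFFSET = 40        # transport mode: AH follows the base header directly
ICV_OFFSET = AH_OFFSET + 12


def _zero_mutable_fields(pkt: bytes) -> bytes:
    """Copy of the packet with the fields that legitimately change in transit zeroed
    before hashing (RFC 4302): Traffic Class, Flow Label and Hop Limit in the base
    header, and the ICV field of the AH itself."""
    p = bytearray(pkt)
    p[0] &= 0xF0                          # keep the version nibble, drop Traffic Class high bits
    p[1] = p[2] = p[3] = 0                # rest of Traffic Class and the Flow Label
    p[7] = 0                              # Hop Limit
    ah_end = AH_OFFSET + (p[AH_OFFSET + 1] + 2) * 4
    for i in range(ICV_OFFSET, ah_end):
        p[i] = 0
    return bytes(p)


def compute_icv(key: bytes, pkt: bytes) -> bytes:
    """Message digest over the immutable parts of the packet, keyed with the shared symmetric key."""
    return hmac.new(key, _zero_mutable_fields(pkt), hashlib.sha256).digest()[:ICV_LEN]


def build_ah_transport(key: bytes, src: bytes, dst: bytes, spi: int, seq: int,
                       upper_proto: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """IPv6 base header / AH / upper-layer payload, with the ICV filled in."""
    # AH: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence Number, ICV field
    ah = struct.pack("!BBHII", upper_proto, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_FIELD_LEN)
    base = struct.pack("!IHBB", 6 << 28, AH_LEN + len(payload), AH, hop_limit) + src + dst
    pkt = base + ah + payload
    icv = compute_icv(key, pkt)
    return pkt[:ICV_OFFSET] + icv + pkt[ICV_OFFSET + ICV_LEN:]


def verify_ah_transport(key: bytes, pkt: bytes) -> bool:
    """Recompute the digest and compare it in constant time with the received ICV."""
    if len(pkt) < AH_OFFSET + AH_LEN or pkt[6] != AH:
        return False
    if (pkt[AH_OFFSET + 1] + 2) * 4 != AH_LEN:
        return False                      # only the algorithm configured above is accepted
    received = pkt[ICV_OFFSET:ICV_OFFSET + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(key, pkt))


def sample_packet(key: bytes) -> bytes:
    """Constructed packet (not a capture): 2001:db8::1 -> 2001:db8::2 with a UDP-like payload."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return build_ah_transport(key, src, dst, spi=0x1000, seq=1,
                              upper_proto=UDP, payload=b"transport-mode payload")
```

The SPI and sequence number are part of what the digest covers, which is what lets a receiver tie the packet to one security association and reject replays of old sequence numbers; the replay window itself is left out of this example.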

Page 34

Encapsulating Security Payload (ESP)

- The AH protocol does not provide privacy, only source authentication and data integrity.
- ESP adds a header and a trailer.
- ESP's authentication data are added at the end of the packet.
- ESP does whatever AH does, with additional functionality (privacy).

Page 35

ESP Protocol in transport mode

[figure]

Page 36

IPSec services

[figure]

Page 37

Things to study

- IPv4 packet, ICMPv4
- DHCPv6, ICMPv6
- IPv6 Routing
- Internet Key Exchange for IPSec
- QoS support for IPv6
- API for IPv6