Improving Security Over IPv6 Authentication Header Protocol using IP Traceback and TTL
Devon Thomas, Alex Isaac, Majdi Alharthi, Ali Albatainah & Abdelshakour Abuzneid.
Department of Computer Engineering, University of Bridgeport, CT.

Abstract
Conclusion:
Introduction

Proposed Solution:
The method proposed in this research paper combines the IP traceback toolset with a Time-to-Live (TTL) calculation technique. Because TTL is carried in the Hop Limit field of the IPv6 header, which implements the hop counting process, paths can be traced back and analyzed successfully. The IP traceback analysis is made possible by the Ant algorithm. The ant algorithm inspects the process that takes place throughout the network and finds the shortest path, which is also verified as the path of a legitimate request because the shortest path carries the highest pheromone intensity.

IP Traceback and Time-to-Live
IP traceback is a method in which the source of a packet is found by tracing the path along which the packet was sent. It is used to identify the source of attacks when implementing protection procedures over internet networks. Over many years IP traceback has been designed and tailored to suit the process of preventing DoS attacks, and it has been found to be consistent in finding the source of IP spoofing. IP traceback by itself is just a tool used to trace paths; however, when it is combined with TTL it can not only trace the DoS spoofing location but also detect it with the Time-to-Live algorithm.

IP Traceback example:

The recent discovery of Internet Protocol Version 6 (IPv6) network attacks has been an interesting topic in the world of network security. Because IPv6 is still in transition to being the main internet protocol, a lot of research has been done; however, its implementation may take longer than most people thought.
Compared with its predecessor IPv4, IPv6 has all of the advantages. The lack of addresses in IPv4 is the main deciding factor in why IPv6 is better. While the internet is currently based on the IPv4 protocol, this can hinder the progression of the internet. The IPv6 protocol provides the capability to expand addresses for the development of more devices, simplification of address auto-configuration and of the authentication header format, and privacy and authentication extensions. However, as good as IPv6 sounds, there are still security issues involving spoofing attacks, which we resolve with a combination of algorithms, packet analyzers and simulation tools.

IPV6 UPDATE FROM IPV4 – NEW HEADER FORMAT
The first difference seen in the update from IPv4 to IPv6 is the header format. When the IPv6 header was designed, a number of IPv4 header fields were either removed completely or replaced for better functionality. The address size of IPv6 is much larger than that of IPv4: IPv6 uses 128-bit IP addresses, whereas IPv4 uses 32-bit IP addresses. The security “Option Field” in the IPv4 header only addressed DoD-specific requirements, whereas IPv6 security provided more efficient routing. The IPv6 header has been set to a fixed length of 40 bytes.

For IPv6:
The “Header Length” was replaced by “Fixed Length”.
The “Total Length” was replaced by “Payload Length”.
IPv4 “Segmentation Control” fields were moved into the IPv6 “Fragmentation Extension Header”.
IPv4 “Type of Service” is now known as IPv6 “Traffic Class”.
The “Time to Live” was replaced by “Hop Limit”.
The “Protocol” was replaced by “Next Header Type”.

This document describes the use of IPv6 spoofing as a method of attacking a secure network with the purpose of gaining unauthorized access to private packets sent over the network. Internet communications between devices are routinely handled by routers which are protected by IPv6.
The deployment of IPv6 to all enterprises will be here sooner rather than later. The security issue of main concern in this paper is spoofing. A spoofing attack can be performed in many different ways, such as Neighbor Solicitation (NS)/Neighbor Advertisement (NA) spoofing, Router Solicitation (RS)/Router Advertisement (RA) spoofing, and IP spoofing – Denial-of-Service (DoS). In this paper we focus on IP spoofing, in which an attacker fakes the identity of a legitimate user by replicating the user's IP address and obtains for themselves the packets intended for that user. It can be classified by the direction of the attack into three forms (outgoing attack, incoming attack and internal attack). In principle the attacker is fooling (spoofing) a distant device into believing that they are an authorized member of the network with no malicious intentions. One of the most well-known spoofing attacks is DoS, which is usually launched on DNS servers and the Internet, which are critical infrastructures.

Hop count
Fig. 1 Hop count across a network.

Mathematics: Ant Algorithm
j = exploitation policy whereby the path with the highest visibility and most pheromone intensity.
Random decision rule whereby any ant situated at node i will hop to the next randomly calculated node j.
S =

Fig. 2 IP Traceback: Ant Algorithm
Figure 2 shows the IP traceback from Source to Destination using all possible paths to get there.

Example:
Path: Src → 2 → 5 → Dst = shortest path = most pheromone
Path: Src → 1 → 4 → 7 → Dst
Path: Src → 3 → 6 → 8 → Dst

The shortest path is found by the mathematical equation along with the random decision rule. An IP spoofing attack occurs during the transmission, and therefore the proposed solution is implemented: the IP traceback technique, using the Ant algorithm, is combined with Time-to-Live (TTL), which is already found in the IPv6 header.
The calculation counts the number of hops from the victim's address back to the IP spoofing attack source in order to analyze whether it was the same path that the original was transmitted through. The outcome depends on whether the forward hop count is the same as the reverse hop count. If the hop counts are equal, the request qualifies as legitimate and the packet is received; however, if the hop counts are not equal, the request is said to be partially spoofed and the packet is dropped and discarded.

Graphical Description of Proposed Solution:
The process in Fig. 3 describes the steps in which an IPv6 packet is transmitted over a network using the encapsulation technique of tunneling.

Fig. 3 Flow Table
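
The accept/drop decision described above, as an added example that is not from the poster: the three paths are the ones listed for Fig. 2, and the pheromone update uses a deterministic expected-value form in place of random ant walks. The function names, parameters and the default initial Hop Limit values (64, 128, 255) are assumptions made for illustration.

```python
# Added example: topology constructed from the three paths listed for Fig. 2.
PATHS = [
    ["Src", "2", "5", "Dst"],
    ["Src", "1", "4", "7", "Dst"],
    ["Src", "3", "6", "8", "Dst"],
]
# Assumption (not from the poster): senders start from a common default.
COMMON_INITIAL_HOP_LIMITS = (64, 128, 255)


def router_hops(path):
    """Forwarding nodes between the end points; each decrements Hop Limit by 1."""
    return len(path) - 2


def traceback_path(paths, rounds=20, rho=0.5, q=1.0):
    """Expected-value ant update: every round the ants split across the paths
    in proportion to pheromone, and a path gains q / (number of links)."""
    tau = [1.0] * len(paths)
    for _ in range(rounds):
        total = sum(tau)
        tau = [(1 - rho) * t + (t / total) * q / (len(p) - 1)
               for t, p in zip(tau, paths)]
    best = max(range(len(paths)), key=tau.__getitem__)
    return paths[best], tau


def forward_hop_count(observed_hop_limit):
    """Hops travelled, inferred from the Hop Limit seen at the receiver."""
    if not 0 <= observed_hop_limit <= 255:
        raise ValueError("Hop Limit is an 8-bit field")
    initial = min(v for v in COMMON_INITIAL_HOP_LIMITS if v >= observed_hop_limit)
    return initial - observed_hop_limit


def verdict(observed_hop_limit, paths=PATHS):
    """Accept only when forward and reverse (traceback) hop counts match."""
    path, _ = traceback_path(paths)
    forward = forward_hop_count(observed_hop_limit)
    return "accept" if forward == router_hops(path) else "drop"


if __name__ == "__main__":
    for hop_limit in (62, 126, 61, 64):  # constructed sample values
        print(hop_limit, forward_hop_count(hop_limit), verdict(hop_limit))
```

The initial Hop Limit is chosen by the sender, so the inferred forward count depends on the assumed defaults, and a route that differs between the two directions will also produce a mismatch.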