IPv6 Network Security.

IPv6 Network Security

Topics
- Introduction
- Comparison with IPv4
- Header format
- Extension headers
- Neighbour discovery
- Transition from IPv4 to IPv6
- ICMPv6
- IPv6 addresses
- Address Autoconfiguration
- IP Security

About IPv6
- Internetworking Protocol version 6, IPng
- IPv6 was developed because around 1992 it became clear that, at the rate the Internet was growing, the world would soon run out of IPv4 numbers.
- The experimental deployment of IPv6 started in 1995.
- IPv6 was designed to work alongside IPv4 on all network devices. This is often called the "Dual Stack" because devices have both an IPv4 protocol stack and an IPv6 protocol stack.
- 128-bit address written in 8 hex quads
- It supports 2^128 (about 3.4×10^38) addresses.

IPv4 deficiencies
- Address depletion
- No support for real-time audio and video transmission
- No encryption and authentication of data

IPv6 advantages over IPv4
- Large address space
- Better header format
- Stateless and stateful address auto-configuration
- Built-in security
- New options
- Extensibility
- Support for real-time audio and video

IPv4 Vs IPv6

Reasons for delay in adoption
- Classless addressing
- Use of DHCP
- Network Address Translation

IPv6 datagram Base Header

IPv4 and IPv6 Header

IPv4 Vs IPv6 Packet Header

IPv6 Extension Headers

IPv6 Extension Headers
- Hop-by-Hop Options header: used when the source needs to pass info to all routers visited by the datagram.
- Source routing: combines the concepts of the strict and loose source route options of IPv4.
- Fragmentation: the source is required to fragment if the size of the datagram is larger than the MTU of the network. Only the original source can fragment.

Extension Headers contd…
- Authentication header (AH): validates the message sender and ensures integrity of data.
- Encapsulating security payload (ESP): provides confidentiality and guards against eavesdropping.
- Destination Options: used when the source needs to pass info to the destination only. Intermediate routers are not permitted access.
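
A filtering device has to walk this chain of extension headers to find the upper-layer protocol it wants to apply policy to. The following is an added example, not part of the original slides: the function name, the helper `build` and the sample packet are constructed for illustration, and the Next Header values are the IANA protocol numbers for the headers listed above.

```python
import struct

# IANA protocol numbers of the extension headers named on the slides.
EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment",
       50: "esp", 51: "ah", 60: "dest-opts"}

def walk_chain(packet: bytes):
    """Return (extension headers in order, upper-layer protocol or None)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, seen = packet[6], 40, []
    while nxt in EXT:
        seen.append(EXT[nxt])
        if nxt == 50:                      # ESP: everything after it is encrypted
            return seen, None
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == 44:                      # fragment header is always 8 octets
            length = 8
            frag_off = struct.unpack_from("!H", packet, off + 2)[0] >> 3
            if frag_off:                   # non-first fragment: no upper-layer header here
                return seen, None
        elif nxt == 51:                    # AH length field: 32-bit words, minus 2
            length = (packet[off + 1] + 2) * 4
        else:                              # others: 8-octet units, minus 1
            length = (packet[off + 1] + 1) * 8
        if off + length > len(packet):
            raise ValueError("extension header overruns packet")
        nxt, off = packet[off], off + length
    return seen, nxt

def build(first_next_header: int, body: bytes) -> bytes:
    """Constructed sample: 40-byte base header (2001:db8::/32 addresses) + body."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return (struct.pack("!IHBB", 6 << 28, len(body), first_next_header, 64)
            + src + dst + body)

PADN = bytes([1, 4, 0, 0, 0, 0])           # PadN option filling out an 8-octet header
TCP_STUB = bytes(20)                       # placeholder for a TCP header
SAMPLE = build(0, bytes([60, 0]) + PADN + bytes([6, 0]) + PADN + TCP_STUB)

if __name__ == "__main__":
    print(walk_chain(SAMPLE))
```

A result of `None` for the upper-layer protocol (ESP, or a non-first fragment) means the port-level decision cannot be made from this packet alone.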

IPv4 options and IPv6 extension headers

Transition from IPv4 to IPv6

Dual Stack
- A station must run IPv4 and IPv6 simultaneously until all the Internet uses IPv6.
- To determine which version to use when sending a packet to a destination, the source host queries the DNS.
- If the DNS returns an IPv4 address, the source host sends an IPv4 packet.
- If the DNS returns an IPv6 address, the source host sends an IPv6 packet.

Tunneling
- A strategy used when two computers using IPv6 want to communicate with each other and the packet must pass through a region that uses IPv4.
- The IPv6 packet is encapsulated in an IPv4 packet when it enters the region, and it leaves its capsule when it exits the region.

Header Translation
- Necessary when the majority of the Internet has moved to IPv6 but some systems still use IPv4.
- The sender wants to use IPv6, but the receiver does not understand IPv6.
- The header format must be totally changed through header translation.
- The header of the IPv6 packet is converted to an IPv4 header.
- Uses the mapped address and some rules to translate an IPv6 address to an IPv4 address.

ICMPv6
- Internet Control Message Protocol
- Combines ICMPv4, ARP and IGMP
- Message-oriented: it uses messages to report errors.
- Like version 4, ICMPv6 reports errors, handles group memberships, updates specific router and host tables, and checks the viability of a host.
- ICMPv6 forms an error packet, which is then encapsulated in an IP datagram.

ICMPv6 messages
- Error messages
  - Destination unreachable, packet too big, time exceeded, parameter problems
- Informational messages
  - Echo request & reply message
- Neighbour discovery messages
  - Router solicitation & advertisement message
  - Neighbour solicitation & advertisement message
- Group membership messages
  - Membership query & report message

ND messages
- Mainly used by:
  - Hosts to find routers in the neighbourhood
  - Nodes to find the link-layer addresses of neighbours
  - Nodes to find IPv6 addresses of the neighbour
- Router-solicitation message
- Router-advertisement message
- Neighbour-solicitation message
- Neighbour-advertisement message

IPv6 addressing
- Unicast address
- Anycast address
- Multicast address
- IPv6 doesn't implement broadcast addresses.
- Broadcasts are replaced by multicasts and anycasts.
- However, a multicast to address ff02::1 would result in a transmission to all nodes within the same local link, which is similar to IPv4 multicast to address 224.0.0.1.

Unicast & Anycast Address format
- Unicast (one-to-one) and anycast (one-to-one-of-many) addresses are typically composed of two logical parts: a 64-bit network prefix used for routing, and a 64-bit host part used to identify a host within the network.
- The network prefix is 1111 110 0/1 followed by a 40-bit random number.
- The 16 bits of the subnet identifier field are available to the network administrator to define subnets within the given network.
- The 64-bit interface identifier is automatically generated from the interface's MAC address, obtained from a DHCPv6 server, generated randomly, or assigned manually.

Multicast Address format
- The prefix holds the binary value 1111 1111 for any multicast address.
- The flag field defines the group address as either permanent or transient.
- The scope field defines the scope of the group address.

IPv6 notation
- An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets).
- The groups are separated by a colon (:).
- A typical example of an IPv6 address follows: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
- The hexadecimal digits are case-insensitive.

Compressing Zeros
- A contiguous sequence of 16-bit blocks set to 0 in the colon hexadecimal format can be compressed to "::", known as double-colon.
- For example, the link-local address FE80:0:0:0:2AA:FF:FE9A:4CA2 can be compressed to FE80::2AA:FF:FE9A:4CA2.
- Zero compression can only be used once in a given address.

Address Autoconfiguration
- A host has the ability to automatically configure itself, even without the use of a stateful configuration protocol such as DHCPv6.
- Types of autoconfiguration:
  - Stateless: configuration of addresses is based on the receipt of Router Advertisement messages.
  - Stateful: configuration is based on DHCPv6 to obtain addresses and other configuration options. A host will use a stateful address configuration protocol when there are no routers present on the local link.

Autoconfiguration process
- The host first creates a link-local address for itself.
- The host then tests whether this link-local address is unique and not used by other hosts.
- If the uniqueness test passes, the host stores this address as its link-local address, but it still needs a global unicast address.
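
The first two steps above, together with the MAC-derived interface identifier and the multicast flag and scope fields from the addressing slides, as an added example that is not part of the original slides. It assumes the modified EUI-64 method for deriving the identifier from the MAC and the solicited-node multicast group for the uniqueness test; the function names are hypothetical, and the MAC `00-AA-00-9A-4C-A2` is the one implied by the slides' sample address FE80::2AA:FF:FE9A:4CA2.

```python
from ipaddress import IPv6Address

def link_local_from_mac(mac: str) -> IPv6Address:
    """fe80::/64 prefix + modified EUI-64 interface identifier built from a MAC."""
    b = bytearray(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02                                      # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])   # insert ff:fe in the middle
    return IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def mac_from_address(addr: str):
    """Recover the MAC if the identifier looks EUI-64 derived, else None.

    A random identifier can contain ff:fe by chance, so treat a hit as a hint.
    """
    iid = bytearray(IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in iid[:3] + iid[5:])

def solicited_node(addr: str) -> IPv6Address:
    """Multicast group ff02::1:ffXX:XXXX that the uniqueness probe is sent to."""
    low24 = IPv6Address(addr).packed[-3:]
    return IPv6Address(bytes.fromhex("ff02" + "00" * 9 + "01ff") + low24)

def multicast_fields(addr: str) -> dict:
    """Split the second octet of a multicast address into flag and scope."""
    p = IPv6Address(addr).packed
    if p[0] != 0xFF:
        raise ValueError("not a multicast address")
    return {"transient": bool((p[1] >> 4) & 1), "scope": p[1] & 0x0F}

if __name__ == "__main__":
    ll = link_local_from_mac("00-AA-00-9A-4C-A2")
    print(ll, solicited_node(str(ll)), mac_from_address(str(ll)))
    print(multicast_fields("ff02::1"))
```

Because the MAC can be read back out of such an address, hosts using this method carry a stable hardware identifier in every address they form, which is why randomly generated identifiers exist as an alternative.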

IP Security
- IPSec is a collection of protocols designed by the IETF to provide security for a packet at the network layer.
- It helps create authenticated and confidential packets for the IP layer.
- Two modes:
  - Transport: does not protect the IP header; it only protects the information coming from the transport layer.
  - Tunnel: protects the original IP header.

IPSec modes

IPSec Protocols
- AH and ESP
- Authentication Header:
  - designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet
  - uses a hash function and a symmetric key to create a message digest; the digest is inserted in the authentication header

AH Protocol in transport mode
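
How the keyed digest is computed and checked for an IPv6 packet in transport mode, as an added example that is not part of the original slides. It assumes HMAC-SHA1 truncated to 96 bits as the "hash function and symmetric key" combination; the key, addresses, SPI and payload are constructed, and the function names are hypothetical. Fields that routers legitimately change in transit are zeroed before hashing, so only tampering with protected fields breaks verification.

```python
import hashlib, hmac, struct
from ipaddress import IPv6Address

ICV_OFF, ICV_LEN = 52, 12   # 40-byte base header + 12 fixed AH bytes; 96-bit digest

def icv(key: bytes, packet: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits over the packet, mutable fields zeroed."""
    buf = bytearray(packet)
    buf[0:4] = b"\x60\x00\x00\x00"          # keep version; zero traffic class, flow label
    buf[7] = 0                               # hop limit changes at every router
    buf[ICV_OFF:ICV_OFF + ICV_LEN] = bytes(ICV_LEN)   # the digest field itself
    return hmac.new(key, bytes(buf), hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, src, dst, payload, spi=0x1000, seq=1, upper=6) -> bytes:
    """Transport mode layout: base header | AH | upper-layer payload."""
    ah = struct.pack("!BBHII", upper, 4, 0, spi, seq) + bytes(ICV_LEN)
    base = struct.pack("!IHBB", 6 << 28, len(ah) + len(payload), 51, 64)
    pkt = bytearray(base + IPv6Address(src).packed + IPv6Address(dst).packed
                    + ah + payload)
    pkt[ICV_OFF:ICV_OFF + ICV_LEN] = icv(key, bytes(pkt))
    return bytes(pkt)

def ah_verify(key: bytes, packet: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    received = packet[ICV_OFF:ICV_OFF + ICV_LEN]
    return hmac.compare_digest(icv(key, packet), received)

def with_byte(packet: bytes, offset: int, value: int) -> bytes:
    """Copy of packet with one byte replaced (simulates an in-transit change)."""
    out = bytearray(packet)
    out[offset] = value
    return bytes(out)

KEY = b"constructed-demo-key"   # constructed; real keys come from the security association
PKT = ah_protect(KEY, "2001:db8::1", "2001:db8::2", b"constructed payload")

if __name__ == "__main__":
    print(ah_verify(KEY, PKT))                             # untouched packet
    print(ah_verify(KEY, with_byte(PKT, 7, 63)))           # hop limit decremented
    print(ah_verify(KEY, with_byte(PKT, len(PKT) - 1, 0))) # payload altered
```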

What is Message Digest?
- The electronic equivalent of the document and fingerprint pair is the message and message digest pair.
- To preserve the integrity of a message, the message is passed through an algorithm called a hash function.
- The hash function creates a compressed image of the message that can be used as a fingerprint.
- The message digest needs to be kept secret.
- SHA-1 (Secure Hash Algorithm 1)

Encapsulating Security Payload (ESP)
- The AH Protocol does not provide privacy, only source authentication and data integrity.
- ESP adds a header and trailer.
- ESP's authentication data are added at the end of the packet.
- ESP does whatever AH does, with additional functionality (privacy).

ESP Protocol in transport mode

IPSec services

Things to study
- IPv4 packet, ICMPv4
- DHCPv6, ICMPv6
- IPv6 Routing
- Internet Key Exchange for IPSec
- QoS support for IPv6
- API for IPv6