5 research outputs found
Temporal and Spatial Classification of Active IPv6 Addresses
There is a striking volume of World-Wide Web activity on IPv6 today. In early
2015, one large Content Distribution Network handles 50 billion IPv6 requests
per day from hundreds of millions of IPv6 client addresses; billions of unique
client addresses are observed per month. Address counts, however, obscure the
number of hosts with IPv6 connectivity to the global Internet. There are
numerous address assignment and subnetting options in use; privacy addresses
and dynamic subnet pools significantly inflate the number of active IPv6
addresses. As the IPv6 address space is vast, it is infeasible to
comprehensively probe every possible unicast IPv6 address. Thus, to survey the
characteristics of IPv6 addressing, we perform a year-long passive measurement
study, analyzing the IPv6 addresses gleaned from activity logs for all clients
accessing a global CDN.
The goal of our work is to develop flexible classification and measurement
methods for IPv6, motivated by the fact that its addresses are not merely more
numerous; they are different in kind. We introduce the notion of classifying
addresses and prefixes in two ways: (1) temporally, according to their
instances of activity to discern which addresses can be considered stable; (2)
spatially, according to the density or sparsity of aggregates in which active
addresses reside. We present measurement and classification results numerically
and visually that: provide details on IPv6 address use and structure in global
operation across the past year; establish the efficacy of our classification
methods; and demonstrate that such classification can clarify dimensions of the
Internet that otherwise appear quite blurred by current IPv6 addressing
practices.
Addressless: A New Internet Server Model to Prevent Network Scanning
Eliminating unnecessary exposure is a principle of server security. The huge
IPv6 address space enhances security by making scanning infeasible; however,
with recent advances in IPv6 scanning technologies, network scanning is again
threatening server security. In this paper, we propose a new model named
addressless server, which separates the server into an entrance module and a
main service module, and assigns an IPv6 prefix instead of an IPv6 address to
the main service module. The entrance module generates a legitimate IPv6
address under this prefix by encrypting the client address, so that the client
can access the main server on a destination address that is different in each
connection. In this way, the model provides isolation to the main server,
prevents network scanning, and minimizes exposure. Moreover, it provides a novel
framework that supports flexible load balancing, high-availability, and other
desirable features. The model is simple and does not require any modification
to the client or the network. We implement a prototype and experiments show
that our model can prevent the main server from being scanned at a slight
performance cost.
Light Weight Cryptographic Address Generation Using System State Entropy Gathering for IPv6 Based MANETs
In IPv6 based MANETs, the neighbor discovery enables nodes to self-configure
and communicate with neighbor nodes through autoconfiguration. Stateless
Address Autoconfiguration (SLAAC) has proven to face several security issues.
Even though the Secure Neighbor Discovery (SeND) uses Cryptographically
Generated Addresses (CGA) to address these issues, it creates other concerns
such as the need for a CA to authenticate hosts, exposure to CPU exhaustion attacks,
and high computational intensity. These issues are a major concern for MANETs, as
they possess limited bandwidth and processing power. The paper proposes an
empirically strong Light Weight Cryptographic Address Generation (LW-CGA) using
entropy gathered from system states. Even the system users cannot monitor these
system states; hence LW-CGA provides high security with minimal computational
complexity and proves to be more suitable for MANETs. LW-CGA and SeND are
implemented and tested to study their performance. The evaluation shows that
LW-CGA, with good runtime throughput, incurs minimal address generation latency.
Comment: 13 pages
An investigation into Off-Link IPv6 host enumeration search methods
This research investigated search methods for enumerating networked devices on off-link 64 bit Internet Protocol version 6 (IPv6) subnetworks. IPv6 host enumeration is an emerging research area involving strategies to enable detection of networked devices on IPv6 networks. Host enumeration is an integral component in vulnerability assessments (VAs), and can be used to strengthen the security profile of a system. Recently, host enumeration has been applied to Internet-wide VAs in an effort to detect devices that are vulnerable to specific threats. These host enumeration exercises rely on the fact that the existing Internet Protocol version 4 (IPv4) address space can be exhaustively enumerated in less than an hour. The same is not true for IPv6, where exhaustively enumerating a single network would take over 584,940 years. As such, research is required to determine appropriate host enumeration search methods for IPv6, given that the protocol is seeing increased global usage.
For this study, a survey of Internet resources was conducted to gather information about the nature of IPv6 usage in real-world scenarios. The collected survey data revealed patterns in the usage of IPv6 that influenced search techniques. The research tested the efficacy of various searching algorithms against IPv6 datasets through the use of simulation.
Multiple algorithms were devised to test different approaches to host enumeration against 64 bit IPv6 subnetworks. Of these, a novel adaptive heuristic search algorithm, a genetic algorithm and a stripe search algorithm were chosen to conduct off-link IPv6 host enumeration. A linear algorithm, a Monte Carlo algorithm and a pattern heuristics algorithm were also tested for their suitability in searching off-link IPv6 networks. These algorithms were applied to two test IPv6 address datasets, one comprised of unique IPv6 data observed during the survey phase, and one comprised of unique IPv6 data generated using pseudorandom number generators. Searching against the two datasets was performed in order to determine appropriate strategies for off-link host enumeration under circumstances where networked devices were configured with addresses that represented real-world IPv6 addresses, and where device addresses were configured through some randomisation function.
Whilst the outcomes of this research support the conclusion that an exhaustive enumeration of an IPv6 network is infeasible, it has been demonstrated that devices on IPv6 networks can be enumerated. In particular, it was identified that the linear search technique and the variants tested in this study (pattern search and stripe search) remained the most consistent means of enumerating an IPv6 network. Machine learning methods were also successfully applied to the problem. It was determined that the novel adaptive heuristic search algorithm was an appropriate candidate for search operations. The adaptive heuristic search algorithm successfully enumerated over 24% of the available devices on the dataset that was crafted from surveyed IPv6 address data. Moreover, it was confirmed that stochastic address generation can reduce the effectiveness of enumeration strategies, as all of the algorithms failed to enumerate more than 1% of hosts against a pseudorandomly generated dataset.
This research highlights a requirement for effective IPv6 host enumeration algorithms, and presents and validates appropriate methods. The methods presented in this thesis can help to influence the tools and utilities that are used to conduct host enumeration exercises.
Independent Submission                                           F. Gont
Request for Comments: 7943                         SI6 Networks / UTN-FRH
Category: Informational
A Method for Generating Semantically Opaque Interface Identifiers (IIDs) with the Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
Abstract
This document describes a method for selecting IPv6 Interface Identifiers that can be employed by Dynamic Host Configuration Protocol for IPv6 (DHCPv6) servers when leasing non-temporary IPv6 addresses to DHCPv6 clients. This method is a DHCPv6 server-side algorithm that does not require any updates to the existing DHCPv6 specifications. The aforementioned method results in stable addresses within each subnet, even in the presence of multiple DHCPv6 servers or DHCPv6 server reinstallments. It is a DHCPv6 variant of the method specified in RFC 7217 for IPv6 Stateless Address Autoconfiguration.