84 research outputs found

    Development of a communication environment between IPv6 and IPv4

    The aim of this paper is to present the design, specification, implementation and testing of a demonstration environment for examining a genuinely new communication technique. This technique ensures that 3G mobile networks can communicate with legacy Internet phones. More than one level of the TCP/IP protocol family is necessary for the communication, so we had to develop device drivers and user-level applications too. The different levels require various development techniques and tools, whose efficiently combined usage is emphasized.

    ENAT-PT: An Enhanced NAT-PT Model

    NAT-PT would allow IPv4 nodes to communicate with IPv6 nodes transparently by translating the IPv6 address into a registered V4 address. However, NAT-PT would fall flat when the pool of V4 addresses is exhausted. NAPT-PT multiplexes the registered address’ ports and will allow for a maximum of 63K outbound TCP and 63K UDP sessions per IPv4 address, but it is unidirectional. We present in this paper a novel solution, ENAT-PT (an enhanced NAT-PT), which will allow for a great number of inbound sessions by using a single V4 address. By using ENAT-PT, we can visit V6 networks from a V4 network with a small address pool.

    Extending the Functionality of the Realm Gateway

    The promise of 5G and Internet of Things (IoT) expects the coming years to witness substantial growth of connected devices. This increase in the number of connected devices further aggravates the IPv4 address exhaustion problem. Network Address Translation (NAT) is a widely known solution to cater to the issue of IPv4 address depletion but it poses an issue of reachability. Since Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) application layer protocols play a vital role in the communication of the mobile devices and IoT devices, the NAT reachability problem needs to be addressed particularly for these protocols. Realm Gateway (RGW) is a solution proposed to overcome the NAT traversal issue. It acts as a Destination NAT (DNAT) for inbound connections initiated towards the private hosts while acting as a Source NAT (SNAT) for the connections in the outbound direction. The DNAT functionality of RGW is based on a circular pool algorithm that relies on the Domain Name System (DNS) queries sent by the client to maintain the correct connection state. However, an additional reverse proxy is needed with RGW for dealing with HTTP and HTTPS connections. In this thesis, a custom Application Layer Gateway (ALG) is designed to enable end-to-end communication between the public clients and private web servers over HTTP and HTTPS. The ALG replaces the reverse proxy used in the original RGW software. Our solution uses a custom parser-lexer for the hostname detection and routing of the traffic to the correct back-end web server. Furthermore, we integrated the RGW with a policy management system called Security Policy Management (SPM) for storing and retrieving the policies of RGW. We analyzed the impact of the new extensions on the performance of RGW in terms of scalability and computational overhead. Our analysis shows that ALG's performance is directly dependent on the hardware specification of the system. 
ALG has an advantage over the reverse proxy as it does not require the private keys of the back-end servers for forwarding the encrypted HTTPS traffic. Therefore, using a system with powerful processing capabilities improves the performance of RGW as ALG outperforms the NGINX reverse proxy used in the original RGW solution.

    Private Realm Gateway

    The IPv4 address exhaustion has been a global concern for the last two decades. The increased number of connected users and services has depleted almost entirely the addresses available. There have been several attempts to solve this problem. Chronologically they are Classless Inter-Domain Routing (CIDR), Network Address Translation (NAT) and a new version of the IP protocol, IPv6. The adoption of NAT introduced the separation of private and public realms. NAT devices allow the hosts located in the private realm to connect with hosts or services in the public realm by sharing a public IP address. NAT also provides the foremost kind of firewall blocking incoming connections towards the private realms and introducing the reachability problem. Although several alternatives have been developed to overcome this issue, none of them are exempt from drawbacks. This thesis introduces a new concept that solves the reachability problem introduced by NAT. The solution is called Private Realm Gateway (PRGW). The main component is called Circular Pool and it uses a limited number of public IP addresses to enable end-to-end communication to most applications. Other applications require the use of Application Layer Gateway (ALG) or proxy servers to grant connectivity. The evaluation of the prototype proves the concept and the implementation highly successful. The Private Realm Gateway provides mechanisms to overcome the reachability problem and also contributes to the solution of the address exhaustion problem.

    Junos OS Security Configuration Guide

    This preface provides the following guidelines for using the Junos OS Security Configuration Guide: J Series and SRX Series Documentation and Release Notes; Objectives; Audience; Supported Routing Platforms; Document Conventions; Documentation Feedback; Requesting Technical Support. Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books. Junos OS for SRX Series Services Gateways integrates the world-class network security and routing capabilities of Juniper Networks. Junos OS includes a wide range of packet-based filtering, class-of-service (CoS) classifiers, and traffic-shaping features as well as a rich, extensive set of flow-based security features including policies, screens, network address translation (NAT), and other flow-based services. Traffic that enters and exits the services gateway is processed according to features you configure, such as packet filters, security policies, and screens. For example, the software can determine: whether the packet is allowed into the device; which firewall screens to apply to the packet; the route the packet takes to reach its destination; which CoS to apply to the packet, if any; whether to apply NAT to translate the packet’s IP address; whether the packet requires an Application Layer Gateway (ALG

    Asiakasreunakytkennän testausalustan kehitys

    Customer Edge Switching (CES) and Realm Gateway (RGW) are technologies designed to solve core challenges of the modern Internet. Challenges include the ever increasing amount of devices connected to the Internet and risks created by malicious parties. CES and RGW leverage existing technologies like Domain Name System (DNS). Software testing is critical for ensuring correctness of software. It aims to ensure that products and protocols operate correctly. Testing also aims to find any critical vulnerabilities in the products. Fuzz testing is a field of software testing allowing automatic iteration of unexpected inputs. In this thesis work we evaluate two CES versions in performance, in susceptibility of Denial of Service (DoS) and in weaknesses related to use of DNS. Performance is an important metric for switches. Denial of Service is a very common attack vector and use of DNS in new ways requires critical evaluation. The performance of the old version was sufficient. Some clear issues were found. The version was vulnerable against DoS. Oversights in DNS operation were found. The new version shows improvement over the old one. We also evaluated suitability of expanding Robot Framework for fuzz testing Customer Edge Traversal Protocol (CETP). We conclude that the use of the Framework was not the best approach. We also developed a new testing framework using Robot Framework for the new version of CES.

    IPv6 : prospects and problems : a technical and management investigation into the deployment of IPv6

    Master's thesis in information and communication technology 2003 - Høgskolen i Agder, Grimstad. IPv4 has been used for over twenty years, and will most likely be used in many years ahead. However, we are now experiencing that the IPv4 address space is running out, resulting in restrictions on who will be able to get these types of addresses assigned to them. Methods such as Network Address Translator (NAT) have been developed and implemented in order to save the IPv4 address space. It is said that this is not a good enough solution, as such techniques introduce new problems at the same time solving some. A new version of the Internet Protocol, IPv6, has been developed and is likely to replace IPv4. IPv6 has been developed to solve the address problem, but also new features are designed to supposedly enhance network traffic. In our thesis we give an overview of the problems with IPv4. This includes the limited address space and the limited quality of service. Further we present the features of IPv6 that are meant to solve these problems and add new possibilities. These are: New address format, the IPv6 header and Extension headers to mention some. Further we have investigated and here present how the transition from IPv4 to IPv6 is expected to take place, followed by a thorough description of the transition mechanisms. One of the original intentions on the development of IPv6 was that IPv4 and IPv6 have to be able to coexist for a long period of time. Transition mechanisms have therefore been designed to make this possible. There are three main types of mechanisms: tunnelling, translation and dual-stack. Each of these mechanisms requires different configuration and implementations in hosts and network. Technical research on transition mechanisms states that these are not good enough for all IPv6/IPv4 scenarios and need improvements in order to make IPv4 and IPv6 coexist smoothly. There are a lot of transition mechanisms that are agreed upon as being good for general use and then there are transition mechanisms that are good for certain scenarios and not for others. Some scenarios still lack a good translation mechanism. As a result of this, IPv6 networks are being built separately from IPv4 networks. In Asia commercial IPv6 networks are offered, while the process is slower in other parts of the world. The reasons for not building IPv6 networks are many, and not agreed upon. Some believe it is because of economical restrictions, while others claim it is technical reasons and that there exist far too few applications supporting IPv6. The number of IPv6 enabled applications is growing. Large companies like Microsoft Corporation, Cisco Systems Inc, Apple Computers Inc., Sun Microsystems Inc and various versions of Linux include support for IPv6. The deployment of IPv6 is expected to happen at different times in different parts of the world. We have investigated the status of IPv6 globally and in Norway. The main results are that the roll-out has reached the furthest in Asia where commercial IPv6 networks already are offered. The activity in Norway is still small, but growing. It was desired to run an experiment in order to prove or disprove some of the information we gathered on how IPv6 interoperates with IPv4, but because of limitations in the network at Heriot-Watt University we were not able to do this. Instead we have focused on a project by Telenor R&D; “IPv6 migration of unmanaged networks-The Tromsø IPv6 Pilot”. We also gathered some information from people working at Norwegian ISPs in order to address some of the aspects of the upgrading.

    Implementação de mecanismos de transição e coexistência dos protocolos IPV4-IPV6 nos centros de computação de alto desempenho suportados pelas redes acadêmicas

    This document aims to contextualize the reader about some of the mechanisms that currently exist for IPv4-IPv6 transition and evidence some aspects that must be taken into account when evaluating and implementing some of them, specifically in centers of high performance computing and academic networks to support research projects. It also aims to show the implementation and support of IPv6 in e-learning technology platforms.

    RPX – a system for extending the IPv4 address range
