108 research outputs found

    IPv6: a new security challenge

    Master's thesis in Information Security, presented to the University of Lisbon through the Faculty of Sciences, 2011.

    Internet Protocol version 6 (IPv6) was developed with the aim of solving some of the problems not addressed by its predecessor, Internet Protocol version 4 (IPv4), namely issues related to security and to the available address space. Over the last decade many have studied the investment required for its adoption and the right moment for it to be adopted by all players in the market. Recently, the problem of the exhaustion of the public addresses made available by the various Regional Internet Registries (RIRs) prompted the entities involved to speed up the process of migrating from IPv4 to IPv6. Unlike IPv4, this new version treats security as a fundamental goal of its implementation, and to that end the use of the IPsec protocol at the network layer is recommended. However, owing to the immaturity of the protocol and the complexity that this transition period entails, there are numerous security implications that must be considered during the migration period. The main objective of this work is to define a set of good practices for security in the implementation of IPv6 that can be used by data network administrators and by the security teams of the various players in the market. In this transition phase, it is useful and appropriate to contribute effectively to the interpretation of the strengths of this new protocol as well as of the vulnerabilities associated with it.

    IPv6 was developed to address the exhaustion of IPv4 addresses, but has not yet seen global deployment. Recent trends are now finally changing this picture and IPv6 is expected to take off soon. Contrary to the original, this new version of the Internet Protocol has security as a design goal, for example with its mandatory support for network layer security. However, due to the immaturity of the protocol and the complexity of the transition period, there are several security implications that have to be considered when deploying IPv6. In this project, our goal is to define a set of best practices for IPv6 security that could be used by IT staff and network administrators within an Internet Service Provider. To this end, an assessment of some of the available security techniques for IPv6 will be made by means of a set of laboratory experiments using real equipment from an Internet Service Provider in Portugal. As the transition to IPv6 seems inevitable, this work can help ISPs in understanding the threats that exist in IPv6 networks and some of the prophylactic measures available, by offering recommendations to protect internal as well as customers' networks.

    ARE SUITABLE FOR ANY PURPOSE, EVEN IF THAT PURPOSE IS KNOWN TO

    The Broadband Forum is a non-profit corporation organized to create guidelines for broadband network system development and deployment. This Broadband Forum Technical Report has been approved by members of the Forum. This Broadband Forum Technical Report is not binding on the Broadband Forum, any of its members, or any developer or service provider. Thi

    Efficient IPv6 Neighbor Discovery in Wireless Environment

    As the address space of IPv4 is being depleted with the development of the IoT (Internet of Things), there is an increasing need for a permanent transition to the IPv6 protocol as soon as possible. Nowadays, many 3GPP (3rd Generation Partnership Project) networks have implemented or will implement IPv6 in the near future for Internet access. These networks will also use NDP (Neighbor Discovery Protocol), which is the IPv6-tailored version of ARP (Address Resolution Protocol). The protocol is responsible for address auto-configuration, maintaining lists of all neighbors connected to a network, verifying whether they are still reachable, managing prefixes, and duplicate address detection. The protocol is defined in RFC 4861 and, although it works fine for wired devices, it has proven highly inefficient in terms of battery-life saving once wireless networks came to market and their use increased tremendously. This thesis work is a continuation of a previous master thesis and complements the work done previously by showing how the solutions suggested in the new draft can be implemented on the router and host side, and practically confirms the previous results of the theoretical analysis through simulation scenarios of sleep and wake-up of the nodes, performed in OMNeT++. Subsequently, the scalability of the system as a whole was analyzed with a simulation model containing a range of hosts from 1 to 100, which shows it can operate efficiently on a larger scale, reducing multicast messaging by almost 100% and presumably saving battery power.

    The introduction and rise of the Internet of Things (IoT), and the use of more and more wireless devices in the communication between users, has depleted the available addresses of IPv4. The introduction of the new IPv6 protocol solves the address depletion problem, but on the other hand, many of the existing protocols have to be redesigned. This thesis is based on RFC 4861's NDP (Neighbor Discovery Protocol for IPv6 networks), the equivalent protocol of ARP (Address Resolution Protocol) for IPv4 networks. Like ARP, NDP is used in all networks, wired or wireless, and its main feature is to check and periodically update the state of the network, provide L2 addresses to hosts in the same network and verify their reachability. While wired devices experience no issues regarding power supply, as they are constantly hooked to a power source and rarely experience network failures, wireless devices have limited power, as they rely on battery lifetime. This is also the case for machines running NDP: the protocol relies on periodic exchange of multicast ICMPv6 (Internet Control Message Protocol version 6) control messages, creating unnecessary traffic overhead in the network, as all hosts in a network receive those messages regardless of whether they are meant for them or not. As a general working mode, a battery-operated device enters predefined sleeping cycles (stand-by), which are designed by each manufacturer in different ways. Multicast signaling inside networks therefore disrupts those sleeping cycles, causing increased battery consumption as a result of more required processing power and more consumed bandwidth. RFC 6775, together with [3], proposes updates to NDP which would solve the problems mentioned above. The major update is that each host can update the router about its state by sending unicast messages, without involving the other hosts in the network. The router, instead of sending periodic control messages to every host, sends control messages to each host separately in specific time intervals. Only when a major change occurs in the network, for instance the addition of a new host or a host leaving the network, are multicast messages sent to every host to update their state.

    Together with the establishment of unicast signaling, a new method of address registration is introduced in the documents cited above, called the Address Registration Option. This registration method is fully compatible with the two standard mechanisms which provide L3 addresses to hosts: Stateless Address Autoconfiguration (SLAAC) and Dynamic Host Configuration Protocol (DHCP). The previous thesis work took the first steps in implementing the proposed protocol changes by investigating functions inside RADVD, the Router Advertisement Daemon, which runs on all routers and is responsible for sending the periodic multicast control messages (Router Advertisements) to the hosts. A full implementation of the proposed changes requires covering both sides of the network, i.e. host and router. While RADVD handles the router side, the implementation on the host side needs to be done inside the Linux kernel. In this thesis work, the RADVD implementation was completed and possible implementation methods inside the Linux kernel were shown. Due to the overall complexity of the Linux kernel, while the proposed code could cover most aspects of RFC 6775, it was not possible to test it in order to conclude how much workload is left. Simulations took place to compare the two protocols and verify to what extent these proposed changes can potentially improve battery lifetime. A sleep and wake-up scenario was tested over the same time intervals in order to observe network traffic. The goal was to obtain a decrease in control messages in the case where the suggested changes were applied. Different numbers of hosts were selected to see if these changes can be applied to larger networks. In both cases, the best-case scenario was tested and parameters which would normally hinder network performance were neglected. This decision was also made to reduce the complexity of the network.

    The results of the simulations indicated that there could be a decrease in control messages, and the network seems stable and scalable as the number of hosts increases.

    Analysis of security impact of making mShield an IPv4 to IPv6 converter box


    So you've got IPv6 address space. Can you defend it?

    Internet Protocol version 6 (IPv6) is the successor of Internet Protocol version 4 (IPv4). IPv6 will become the next standard networking protocol on the Internet. It brings with it a great increase in address space, changes to network operations, and new network security concerns. In this thesis we examine IPv6 from a security perspective. The security of IPv6 is important to all protocols that use IPv6 on the Internet. The goal of this thesis is to introduce the reader to existing IPv6 security challenges, demonstrate how IPv6 changes network security and show how IPv6 is being improved.

    Master in Informatics, MAMN-INFINF39

    Analysis of IPv6 through Implementation of Transition Technologies and Security attacks

    IPv6 provides more address space, improved address design, and greater security than IPv4. Different transition mechanisms can be used to migrate from IPv4 to IPv6, including dual-stack networks, tunnels and translation technologies. Within all of this, network security is an essential element and therefore requires special attention. This paper analyses two transition technologies, dual stack and tunnelling. Both technologies are implemented using Cisco Packet Tracer and GNS3. This work will also analyse the security issues of IPv6 to outline the most common vulnerabilities and security issues during the transition. Finally, the authors will design and implement the dual-stack, automatic and manual tunnelling transition mechanisms using the Riverbed Modeler simulation tool to analyse their performance and compare them with native IPv4 and IPv6 networks.

    Enhancing The Quality Of Service In Mobile Networks Based On Nemo Basic Support Protocol

    To fulfil the need for uninterrupted Internet access while on the move, and with network mobility as an alternative to end-host mobility, the IETF NEMO working group was created to extend the basic end-host mobility support in Mobile IPv6 (MIPv6). This group standardized the NEMO Basic Support Protocol (NEMO BS) to support network mobility. However, the handover latency in NEMO BS is high, and the nested-tunnels problem in nested NEMO networks is not considered in the main specification of this protocol. Issues affecting the provision of QoS guarantees during the handoff process in NEMO BS are the handover latency, the disruption time, handoff failure and packet loss.

    A network mobility management architecture for a heterogeneous network environment

    Network mobility management enables mobility of personal area networks and vehicular networks across heterogeneous access networks using a Mobile Router. This dissertation presents a network mobility management architecture for minimizing the impact of handoffs on the communications of nodes in the mobile network. The architecture addresses mobility in legacy networks without infrastructure support, but can also exploit infrastructure support for improved handoff performance. Further, the proposed architecture increases the efficiency of communications of nodes in the mobile network with counterparts in the fixed network through the use of caching and route optimization. The performance and costs of the proposed architecture are evaluated through empirical and numerical analysis. The analysis shows the feasibility of the architecture in the networks of today and in those of the near future.

    Network mobility management enables the mobility of personal and vehicle-mounted networks in a heterogeneous network environment using a mobile router. This dissertation presents a new architecture for network mobility management that minimizes the impact of a handoff on the connections of terminal devices. In legacy networks whose infrastructure does not support network mobility, the handoff must be managed in the mobile router. The standardized network mobility management protocol NEMO makes this possible by using an anchor node in the fixed network to deliver packets from the terminals' correspondent nodes to the mobile router. In NEMO, a handoff interrupts ongoing connections for more than a second, causing significant disruption to communication applications. In the proposed architecture, the impact of a handoff is minimized by equipping the mobile router with two radios. Using two radios, the mobile router can perform the handoff without interrupting the terminals' connections, provided there is sufficient time for the handoff. The available time depends on the speed of the mobile router and the structure of the radio network. The architecture can also exploit infrastructure support for seamless handoff. Network infrastructure support speeds up the handoff process, increasing the maximum handoff rate. The mobile router can then use short-range radio networks with a cell radius of over 80 m at driving speeds of up to 90 m/s without the handoff interrupting the terminals' connections. In addition, the proposed architecture makes communication more efficient by using cache servers in the mobile and fixed networks and optimized routing between mobile terminals and correspondent nodes in the fixed network. The cache server architecture uses free radio resources to update the cache of the mobile network's cache server. In a heterogeneous network environment, the cache server is updated over short-range broadband radio networks. When the mobile router moves outside the coverage area of the broadband radio network, content such as web pages or video is served to the terminals from the cache server, saving the more limited resources of the longer-range radio network. The architecture uses optimized routing between terminals and their correspondent nodes. The optimized routing mechanism reduces the wireless network resources consumed by the mobility management protocols. In addition, the optimized routing mechanism makes packet routing more efficient by using the most direct route between communicating nodes. The performance of the proposed architecture is evaluated by means of empirical and numerical analysis. The analysis assesses the performance of the architecture, compares it with previously proposed solutions, and shows that the architecture is suitable for current and near-future wireless networks.

    Connecting an IPv6 home network to the Internet name service

    Current home networks are very simple, containing only a few devices. As the number of devices connected to the home network increases, there is no reasonable way for a user to access devices using only IP addresses. Due to the exponential growth of devices connected to the Internet, the addresses of the current IP version are, however, soon to be depleted. A new IP version has already been implemented in the Internet, containing a very large number of addresses compared to the current IP version. Addresses in the new IP version are also much longer and more complicated. Therefore it is no longer reasonable to try to use IP addresses alone to access devices. These facts make it necessary to implement a name service in the home network. The name service is quite similar to that used in the Internet, although the home network version should be much more automatic and user friendly. This means that users no longer have to type IP addresses to be able to access services, but can use meaningful names as in the Internet. The first objective of the thesis is to examine methods to implement as automated a name service as possible in the home network. The second objective is to examine connecting the home network name service to the Internet name service. Accomplishing this allows users to access services at home from the Internet. This has to be done in a secure manner to protect the integrity and authenticity of the user information. A live experiment of the thesis concentrates on the second objective by establishing the connection and transferring the name service information between the home network and the Internet name service. The study and the live experiments indicate that there is still work to be done before the two objectives can be fully accomplished. At the moment there is no convenient way to automatically name devices at home. Connecting to the Internet name service also involves quite a lot of effort, thus requiring more than basic computing skills from the user.