307 research outputs found

    IPv6: a new security challenge

    Master's thesis in Information Security, presented to the Universidade de Lisboa, through the Faculdade de Ciências, 2011. Internet Protocol version 6 (IPv6) was developed to solve some of the problems not addressed by its predecessor, Internet Protocol version 4 (IPv4), namely issues related to security and to the available address space. Over the last decade, many have studied the investments needed for its adoption and the right moment for it to be adopted by all players in the market. Recently, the problem of the exhaustion of the public address space made available by the various Regional Internet Registries (RIRs) prompted the entities involved to speed up the migration from IPv4 to IPv6. Unlike IPv4, this new version treats security as a fundamental goal in its implementation; accordingly, the use of the IPsec protocol at the network layer is recommended. However, due to the immaturity of the protocol and the complexity of this transition period, there are numerous security implications that must be considered during this migration period. The main objective of this work is to define a set of security best practices for IPv6 deployment that can be used by data network administrators and by the security teams of the various players in the market. In this transition phase, it is useful and convenient to contribute efficiently to the interpretation of the strengths of this new protocol as well as of the vulnerabilities associated with it.
    IPv6 was developed to address the exhaustion of IPv4 addresses, but has not yet seen global deployment. Recent trends are now finally changing this picture and IPv6 is expected to take off soon. Contrary to the original, this new version of the Internet Protocol has security as a design goal, for example with its mandatory support for network layer security. However, due to the immaturity of the protocol and the complexity of the transition period, there are several security implications that have to be considered when deploying IPv6. In this project, our goal is to define a set of best practices for IPv6 Security that could be used by IT staff and network administrators within an Internet Service Provider. To this end, an assessment of some of the available security techniques for IPv6 will be made by means of a set of laboratory experiments using real equipment from an Internet Service Provider in Portugal. As the transition to IPv6 seems inevitable, this work can help ISPs in understanding the threats that exist in IPv6 networks and some of the prophylactic measures available, by offering recommendations to protect internal as well as customers’ networks.

    Traffic engineering in multihomed sites

    It is expected that IPv6 multihomed sites will obtain as many global prefixes as direct providers they have, so traffic engineering techniques currently used in IPv4 multihomed sites are no longer suitable. However, traffic engineering is required for several reasons, and in particular, for being able to properly support multimedia communications. In this paper we present a framework for traffic engineering in IPv6 multihomed sites with multiple global prefixes. Within this framework, we have included several tools such as DNS record manipulation and proper configuration of the policy table defined in RFC 3484. To provide automation in the management of traffic engineering, we analyzed the usage of two mechanisms to configure the policy table. This work has been partly supported by the European Union under the E-Next Project FP6-506869 and by the OPTINET6 project TIC-2003-09042-C03-01. Publicad

    STATEFUL METHOD FOR ACCESS POINT DISCOVERY OF WIRELESS LOCAL AREA NETWORK CONTROLLER

    Access points (APs) for a wireless local area network (WLAN) can discover a wireless LAN controller (WLC) address (in order to establish a management session with the WLC) through a variety of mechanisms, such as Dynamic Host Configuration Protocol (DHCP) option 43 mechanisms, Domain Name System (DNS) server mechanisms, and Layer 2 (L2) broadcast discovery mechanisms. The DHCP discovery mechanism is the most commonly used mechanism for WLC discovery but is a laborious and manual task that may be prone to errors. Techniques proposed herein provide an easy to use, stateful, and reliable mechanism through which an AP can discover a WLC by leveraging a DHCP relay agent that can forward DHCP packets between clients and servers. The techniques involve various functionalities including, but not limited to, a stateful process that can be used to measure reachability and latency to each configured WLC Internet Protocol (IP) address, the creation of an updated priority list of WLC IP addresses based on network latency, and the inline insertion of the list of WLC IP addresses in the DHCP exchange between a server and AP

    Mobile Access to the Internet

    In this paper various aspects of mobile access to the Internet are discussed. We mention general Internet protocols and mobile enhancements and also future models that will be used in the near future.

    Access-independent service discovery for heterogeneous networks

    Master's in Computer and Telematics Engineering. The recent proliferation of mobile nodes with multiple wireless interfaces and the emergence of heterogeneous environments have enabled complex scenarios in which network operators need to provide connectivity for different types of access networks. The IEEE 802.21 standard was therefore specified to facilitate and optimize handover procedures between different access technologies without loss of connectivity. To fulfil its purpose, the standard provides services called Media Independent Handover, which allow the control of different links and the gathering of information from them. Static configuration of these services by the mobile node becomes inefficient because of the many possible scenarios. The mobile node must therefore dynamically discover the network nodes that provide mobility services, together with their capabilities. In this dissertation, a set of mechanisms for discovering access-independent handover services is analyzed, implemented and evaluated in terms of duration and amount of information exchanged. A new mechanism for discovering local entities is also proposed and evaluated, demonstrating that its use increases performance and requires less information to be exchanged.
    The recent proliferation of mobile nodes with multiple wireless interfaces, in addition to the creation of heterogeneous environments, created complex scenarios where network operators need to provide connectivity for different kinds of access networks. Therefore, the IEEE 802.21 standard has been specified to facilitate and optimize handover procedures between different access technologies in a seamless way. To fulfil its purpose, it provides Media Independent Handover services which allow the control and gathering of information from different links. The static configuration of these services by the MN becomes inefficient due to the amount of possible scenarios. Thus, the MN must discover the network-supporting nodes and their capabilities in a dynamic way. In this work, a series of proposed Media Independent Handover discovery procedures are analyzed, implemented and evaluated in terms of duration and amount of exchanged information. In addition, a novel discovery procedure for local entities is proposed and evaluated, showing that its deployment increases the performance and requires less information exchanged.

    Implementation of IPv6

    On 14 September 2012 the last block of IPv4 was allocated from the Regional Internet Register (RIR) across Europe, the Middle East and Asia. In addition, the demand for further addresses, security and efficient routing across the Internet has been increasing every day. Hence, to provide abundant IP addresses and also to overcome the shortcomings of IPv4, the IETF developed a new protocol, IPv6. IPv6 overcomes the limitations of IPv4 and integrates advanced features. These advanced improvements include larger address space, more efficient addressing and routing, auto-configuration, security, and QoS. The main objective of this project was to implement an IPv6 network in the Cisco laboratory of Rovaniemi University of Applied Sciences (RAMK). Cisco 2800 and 1700 Series routers, 3500 series Cisco Catalyst Switches, Microsoft Server 2012, Windows 7, Windows 8 and finally Mac OS X were used during the implementation process. This project covers the implementation of IPv6, DHCPv6, DNS, Routing Protocols EIGRP, and Security. The goal of the project was to implement IPv6 on the existing IPv4 network without affecting the running services. Furthermore, this project was implemented in a Local Area Network (LAN) only.

    Renumbering Still Needs Work
