
    Mitigating sampling error when measuring internet client IPv6 capabilities

    Despite the predicted exhaustion of unallocated IPv4 addresses between 2012 and 2014, it remains unclear how many current clients can use its successor, IPv6, to access the Internet. We propose a refinement of previous measurement studies that mitigates intrinsic measurement biases, and demonstrate a novel web-based technique using Google ads to perform IPv6 capability testing on a wider range of clients. After applying our sampling error reduction, we find that 6% of world-wide connections are from IPv6-capable clients, but only 1–2% of connections preferred IPv6 in dual-stack (dual-stack failure rates less than 1%). Except for an uptick around IPv6-day 2011 these proportions were relatively constant, while the percentage of connections with IPv6-capable DNS resolvers has increased to nearly 60%. The percentage of connections from clients with native IPv6 using happy eyeballs has risen to over 20

    Analysis of IPv6 through Implementation of Transition Technologies and Security attacks

    IPv6 provides more address space, improved address design, and greater security than IPv4. Different transition mechanisms can be used to migrate from IPv4 to IPv6, which include dual-stack networks, tunnels and translation technologies. Within all of this, network security is an essential element and therefore requires special attention. This paper analyses two transition technologies, dual stack and tunnelling. Both technologies are implemented using Cisco Packet Tracer and GNS3. This work also analyses the security issues of IPv6 to outline the most common vulnerabilities and security issues during the transition. Finally, the authors design and implement the dual-stack, automatic and manual tunnelling transition mechanisms using the Riverbed Modeler simulation tool to analyse the performance and compare it with native IPv4 and IPv6 networks.

    IPv6 : prospects and problems : a technical and management investigation into the deployment of IPv6

    Master's thesis in information and communication technology, 2003, Høgskolen i Agder, Grimstad.

    IPv4 has been used for over twenty years, and will most likely be used for many years ahead. However, we are now experiencing that the IPv4 address space is running out, resulting in restrictions on who will be able to get these types of addresses assigned to them. Methods such as Network Address Translation (NAT) have been developed and implemented in order to save the IPv4 address space. It is said that this is not a good enough solution, as such techniques introduce new problems while solving some. A new version of the Internet Protocol, IPv6, has been developed and is likely to replace IPv4. IPv6 has been developed to solve the address problem, but new features are also designed to supposedly enhance network traffic. In our thesis we give an overview of the problems with IPv4. This includes the limited address space and the limited quality of service. Further, we present the features of IPv6 that are meant to solve these problems and add new possibilities. These are, to mention some: the new address format, the IPv6 header and Extension headers. Further, we have investigated and here present how the transition from IPv4 to IPv6 is expected to take place, followed by a thorough description of the transition mechanisms. One of the original intentions in the development of IPv6 was that IPv4 and IPv6 have to be able to coexist for a long period of time. Transition mechanisms have therefore been designed to make this possible. There are three main types of mechanisms: Tunnelling, Translation and Dual-stack. Each of these mechanisms requires different configuration and implementations in hosts and network. Technical research on transition mechanisms states that these are not good enough for all IPv6/IPv4 scenarios and need improvements in order to make IPv4 and IPv6 coexist smoothly. There are a lot of transition mechanisms that are agreed upon as being good for general use, and then there are transition mechanisms that are good for certain scenarios and not for others. Some scenarios still lack a good translation mechanism. As a result of this, IPv6 networks are being built separately from IPv4 networks. In Asia commercial IPv6 networks are offered, while the process is slower in other parts of the world. The reasons for not building IPv6 networks are many, and not agreed upon. Some believe it is because of economic restrictions, while others claim there are technical reasons and that there are far too few applications supporting IPv6. The number of IPv6-enabled applications is growing. Large companies such as Microsoft Corporation, Cisco Systems Inc., Apple Computer Inc. and Sun Microsystems Inc., as well as various versions of Linux, include support for IPv6. The deployment of IPv6 is expected to happen at different times in different parts of the world. We have investigated the status of IPv6 globally and in Norway. The main results are that the roll-out has reached the furthest in Asia, where commercial IPv6 networks are already offered. The activity in Norway is still small, but growing. We wanted to run an experiment in order to prove or disprove some of the information we gathered on how IPv6 interoperates with IPv4, but because of limitations in the network at Heriot-Watt University we were not able to do this. Instead we have focused on a project by Telenor R&D: “IPv6 migration of unmanaged networks - The Tromsø IPv6 Pilot”. We also gathered some information from people working at Norwegian ISPs in order to address some of the aspects of the upgrading.

    Developing an Advanced IPv6 Evasion Attack Detection Framework

    Internet Protocol Version 6 (IPv6) is the most recent generation of the Internet protocol. The transition from the current Internet Protocol Version 4 (IPv4) to IPv6 raised new issues, and the most crucial issue is security vulnerabilities. Most vulnerabilities are common between IPv4 and IPv6, e.g. evasion attacks, Distributed Denial of Service (DDoS) and fragmentation attacks. According to the IPv6 RFC (Request for Comments) recommendations, there are potential attacks against various operating systems. Discrepancies between the behaviour of several operating systems can lead to Intrusion Detection System (IDS) evasion, firewall evasion, operating system fingerprinting, network mapping, DoS/DDoS attacks and remote code execution attacks. We investigated some of the security issues of IPv6 by reviewing existing solutions and methods, and performed tests on two open source Network Intrusion Detection Systems (NIDSs), Snort and Suricata, against some of the IPv6 evasion and attack methods. The results show that both NIDSs are unable to detect most of the methods that are used to evade detection. This thesis presents a detection framework specifically developed for IPv6 networks to detect evasion, insertion and DoS attacks that use IPv6 Extension Headers and Fragmentation. We implemented the proposed theoretical solution in a framework for evaluation tests. To develop the framework, the “dpkt” module is employed to capture and decode packets. During the development phase, a bug in the module used to parse/decode packets was found and a patch was provided for the module to decode IPv6 packets correctly. The standard unpack function included in the “ip6” section of the “dpkt” package follows extension headers, which means that after its parsing one has no access to all the extension headers in their original order. Defining a new field called all_extension_headers and adding each header to it before it is moved along allows us to have access to all the extension headers while keeping the original parse speed of the framework virtually untouched. The extra memory footprint from this is also negligible, as it is a linear fraction of the size of the whole set of packets. By decoding the packet, extracting data from the packet and evaluating the data against user-defined values, the proposed framework is able to detect IPv6 evasion, insertion and DoS attacks. The proposed framework consists of four layers. The first layer captures the network traffic and passes it to the second layer for packet decoding, which is the most important part of the detection process: if the NIDS cannot decode and extract the packet content, it cannot pass correct information to the Detection Engine for detection. Once the packet has been decoded, it is sent to the third layer, the brain of the proposed solution, which makes a decision by evaluating the information against the defined values to see whether the packet is a threat or not. This layer is called the Detection Engine. Once the packet(s) have been examined by the detection processes, the result is sent to the output layer. If the packet matches a type or signature that the system administrator chose, it raises an alarm and automatically logs all details of the packet and saves them for the system administrator for further investigation. We evaluated the proposed framework and its constituent processes via numerous experiments. The results conclude that the proposed framework, called the NOPO framework, is able to offer better detection in terms of accuracy, with a more accurate packet decoding process, and reduced resource usage compared to both existing NIDSs.

    IP Mobility in Wireless Operator Networks

    Wireless network access is gaining increased heterogeneity in terms of the types of IP-capable access technologies. The access network heterogeneity is an outcome of the incremental and evolutionary approach to building new infrastructure. The recent success of multi-radio terminals drives both the building of new infrastructure and the implicit deployment of heterogeneous access networks. Typically there is no economic reason to replace the existing infrastructure when building a new one. The gradual migration phase usually takes several years. IP-based mobility across different access networks may involve both horizontal and vertical handovers. Depending on the networking environment, the mobile terminal may be attached to the network through multiple access technologies. Consequently, the terminal may send and receive packets through multiple networks simultaneously. This dissertation addresses the introduction of the IP Mobility paradigm into existing mobile operator network infrastructures that were not originally designed for multi-access and IP Mobility. We propose a model for the future wireless networking and roaming architecture that does not require revolutionary technology changes and can be deployed without unnecessary complexity. The model proposes a clear separation of operator roles: (i) access operator, (ii) service operator, and (iii) inter-connection and roaming provider. The separation allows each type of operator to have its own development path and business models without artificial bindings to each other. We also propose minimum requirements for the new model. We present the state of the art of IP Mobility. We also present results of standardization efforts in IP-based wireless architectures. Finally, we present experimentation results of IP-level mobility in various wireless operator deployments.

    Different kinds of wireless network connections are increasing in the form of Internet-capable technologies. The overlapping use of numerous different technologies results from network infrastructure that has been built gradually and as needed. The recent commercial success of terminals containing several radio technologies (such as WLAN, GSM and UMTS), such as smartphones and laptop computers, promotes the building of new network infrastructure and may also lead to a wider range of network technologies. For commercial reasons it is not worthwhile to replace the existing network infrastructure with new technology all at once; instead, the gradual migration phase typically takes several years. Internet-capable terminals can move either within the same network technology or between different network technologies. Depending on the network environment, mobile terminals can attach to the network through several network connections. Consequently, a terminal can send and receive packets simultaneously over numerous networks. This dissertation deals with the mobility of Internet technologies and the introduction of these technologies into the existing network infrastructures of wireless network operators. The network infrastructures in question were not originally designed with Internet-technology mobility and many simultaneous connections in mind. This work proposes an architectural model for future wireless networks and solutions for implementing roaming. The proposed architecture can be implemented without major technological upheavals. In the proposal, the network operator's roles are clearly divided into (i) the network operator, (ii) the service operator and (iii) the interconnection and roaming operator. The division of roles allows each type of operator to develop independently and removes artificial dependencies on network technology in the provision of services. The work also presents a preliminary list of requirements for the proposed model, for example quality requirements for connectivity operators. The dissertation also presents the latest developments in mobile Internet technologies. In addition, the work shows standardization results in Internet-capable wireless architectures.

    Middleware de comunicações para a internet móvel futura

    Doctorate in Informatics (MAP-I).

    The constant evolution of new technologies that support the way our devices connect, as well as the way we use different on-line capabilities and services, has created an unprecedented set of new challenges that motivate the development of a recent research area called the Future Internet. In this new research area, new architectural aspects are being developed which, through the restructuring of the underlying core components that make up the Internet, advance it in a way capable not only of facing these new challenges but also of preparing it for the challenges of tomorrow. Key aspects belonging to this set of challenges are heterogeneous network environments composed of different types of access networks, the ever-greater change regarding peer-to-peer (P2P) traffic as the most used type of traffic on the Internet, the orchestration of Internet of Things (IoT) scenarios that exploit Machine-to-Machine (M2M) interaction mechanisms, and the use of Information-Centric Networking (ICN) mechanisms. This thesis presents a new architecture capable of simultaneously facing these challenges, evolving the connectivity procedures and the entities involved through the addition of a middleware layer that acts as an advanced control management mechanism. This control management mechanism brings the high-level entities (such as services, applications, mobility management entities, routing operations, etc.) together with the components of the lower layers (for example, link layers, sensors and actuators), allowing a joint optimization of the underlying connectivity procedures. The results obtained not only underline the flexibility of the mechanisms that make up the architecture, but also their ability to provide performance increases when compared with other special-purpose solutions, while allowing a wider range of scenarios and applications.

    The constant evolution in new technologies that support the way our devices are able to connect, as well as the way we use available on-line services and capabilities, has created a set of unprecedented new challenges that motivated the development of a recent research trend known as the Future Internet. In this research trend, new architectural aspects are being developed which, through the restructuring of the underlying core aspects composing the Internet, reshape it in a way capable of not only facing these new challenges, but also preparing it to tackle tomorrow’s new set of complex issues. Key aspects belonging to this set of challenges are heterogeneous networking environments composed of different kinds of wireless access networks, the ever-growing change from peer-to-peer (P2P) to video as the most used kind of traffic in the Internet, the orchestration of Internet of Things (IoT) scenarios exploiting Machine-to-Machine (M2M) interactions, and the usage of Information-Centric Networking (ICN). This thesis presents a novel framework able to simultaneously tackle these challenges, empowering connectivity procedures and entities with a middleware acting as an advanced control management mechanism. This control management mechanism brings together high-level entities (such as application services, mobility management entities, routing operations, etc.) with the lower-layer components (e.g., link layers, sensor devices, actuators), allowing for a joint optimization of the underlying connectivity and operational procedures. Results highlight not only the flexibility of the mechanisms composing the framework, but also their ability to provide performance increases when compared with other specific-purpose solutions, while allowing a wider range of scenarios and deployment possibilities.

    Junos Pulse Secure Access Service Administration Guide

    This guide describes basic configuration procedures for the Juniper Networks Secure Access Service. This document was formerly titled Secure Access Administration Guide. This document is now part of the Junos Pulse documentation set. This guide is designed for network administrators who are configuring and maintaining a Juniper Networks Secure Access Service device. To use this guide, you need a broad understanding of networks in general and the Internet in particular, networking principles, and network configuration. Any detailed discussion of these concepts is beyond the scope of this guide.

    The Juniper Networks Secure Access Service enables you to give employees, partners, and customers secure and controlled access to your corporate data and applications, including file servers, Web servers, native messaging and e-mail clients, hosted servers, and more, from outside your trusted network using just a Web browser. Secure Access Service provides robust security by intermediating the data that flows between external users and your company’s internal resources. Users gain authenticated access to authorized resources through an extranet session hosted by the appliance. During intermediation, Secure Access Service receives secure requests from the external, authenticated users and then makes requests to the internal resources on behalf of those users. By intermediating content in this way, Secure Access Service eliminates the need to deploy extranet toolkits in a traditional DMZ or provision a remote access VPN for employees. To access the intuitive Secure Access Service home page, your employees, partners, and customers need only a Web browser that supports SSL and an Internet connection. This page provides the window from which your users can securely browse Web or file servers, use HTML-enabled enterprise applications, start the client/server application proxy, begin a Windows, Citrix, or Telnet/SSH terminal session, access corporate e-mail servers, start a secured layer 3 tunnel, or schedule or attend a secure online meeting.

    Investigating the IPv6 teredo tunnelling capability and performance of internet clients

    The Teredo auto-tunnelling protocol allows IPv6 hosts behind IPv4 NATs to communicate with other IPv6 hosts. It is enabled by default on Windows Vista and Windows 7. But Windows clients are self-constrained: if their only IPv6 access is Teredo, they are unable to resolve host names to IPv6 addresses. We use web-based measurements to investigate the (latent) Teredo capability of Internet clients, and the delay introduced by Teredo. We compare this with native IPv6 and 6to4 tunnelling capability and delay. We find that only 6–7% of connections are from fully IPv6-capable clients, but an additional 15–16% of connections are from clients that would be IPv6-capable if Windows Teredo were not constrained. However, Teredo increases the median latency to fetch objects by 1–1.5 seconds compared to IPv4 or native IPv6, even with an optimally located Teredo relay. Furthermore, in many cases Teredo fails to establish a tunnel.

    Assessment criteria for information security in public administration (Julkri) : Recommendation and criteria

    The Act on Information Management in Public Administration (906/2019) lays down obligations relating to information security measures that apply to information management units and authorities as well as to private individuals or corporations or to corporations subject to public law other than those serving as authorities insofar as they perform public administrative tasks. The Act also lays down provisions on a minimum level for information security measures and on an obligation for organisations to monitor the state of the data security of their operating environment and ensure the data security of their datasets and information systems over their entire lifecycle. Organisations shall determine the material risks related to data processing and scale their data security measures in accordance with a risk assessment. With respect to procurement, organisations shall ensure that appropriate data security measures have been implemented in the information system to be acquired. The recommendation issued by the Information Management Board describes the assessment criteria for information security in public administration (Julkri) and provides instructions for using them. The assessment criteria support the development and assessment of information security in public administration as a whole. The criteria can be used to assess the fulfilment of the information security requirements laid down in the Information Management Act, Security Classification Decree and partly also in the General Data Protection Regulation. The Information Management Board approved the collection of recommendations on 11 May 2022