27,128 research outputs found

    Secured communication through NAT-PT

    This thesis deals with the study of Network Address Translation-Protocol Translation (NAT-PT), its limitations, and ways of avoiding the drawbacks of the protocol. NAT-PT is a transition mechanism for establishing communication between an IPv6 network and legacy systems. RFC 2766 describes the semantics of this mechanism. However, the mechanism as described by RFC 2766 has a number of serious drawbacks that are of primary concern to its users. Due to these limitations, this mechanism is not widely accepted by the Internet community. Some of the most critical limitations of the proposed NAT-PT have been identified as end-to-end security, scalability, DoS attacks, etc. NAT-PT does not allow network-layer and, in some cases, application-layer end-to-end security. As a result, the use of NAT-PT increases the threats to the existing vulnerable network security. The current study addresses the security-related drawbacks of the existing NAT-PT model, and proposes a modified NAT-PT model. The modified model is able to establish secured communication between IPv6 and IPv4 as well as to correct other problems that may arise from the use of the existing NAT-PT. In addition, the current study also outlines a formal validation of the NAT-PT model with a model checker tool SPIN, which is a very powerful validation tool for distributed system

    Secure SIP between IPv4 endpoints and IPv6 endpoints

    The Internet Protocol version 6 (IPv6) is designed to replace the current version IPv4. However, there will continue to be a demand for IPv4-based end users to access IPv6-based services, and vice versa. Some transition mechanisms are necessary to make IPv6 and IPv4 compatible. Network Address Translation--Protocol Translation (NAT-PT) can provide protocol translation at the network layer. The Session Initiation Protocol (SIP) is an application layer control protocol that can initiate, modify and terminate interactive communication sessions between end users. When SIP is used with NAT-PT, a special Application Level Gateway (ALG) is required to handle the translation of the addresses inside the SIP messages. This thesis introduces an implementation of a SIP-ALG. The SIP-ALG is responsible for translating IPv6 addresses in a SIP packet into the corresponding IPv4 addresses, and vice versa, relying on the functionalities of NAT-PT as the packet traverses across the boundary between IPv6 and IPv4. In addition, this thesis describes and models a SIP end-to-end security solution between IPv4 end points and IPv6 end points, given that involvement of the SIP-ALG seems to be in conflict with the primary requirements of the end-to-end security. The proposed mechanism lets a SIP endpoint authorize a security proxy server to encrypt the SIP bodies on behalf of the end point. The security proxy will discover the capabilities of the receiving party and encrypt the SIP bodies for the other SIP security proxy server in the receiving domain. IP address translation must be done before the encryption at the sending security proxy or after the decryption at the receiving security proxy

    IMPLEMENTATION OF IPV6 AND IPV4 SIP USER AGENT INTERCONNECTION USING THE PROTOCOL TRANSLATION METHOD ON A VOIP NETWORK

    ABSTRACT: As IP version 6 (IPv6) has gained wide support, there will be a transition period during which hosts using IP version 4 (IPv4) will want to establish sessions with hosts using IPv6, or vice versa. The same applies to VoIP (Voice over Internet Protocol) applications, which can already run on both IP versions. Of the many possible transition methods between IPv6 and IPv4, the efficient method recommended for this purpose is Protocol Translation. This recommendation is based on the strengths and weaknesses of each protocol and on the reality of the networks deployed today. This final project designs a translator system called "Border Router" for VoIP applications using the SIP (Session Initiation Protocol) standard, comprising the NAT-PT (Network Address Translation - Protocol Translation) and ALG (Application Layer Gateway) subsystems, so that an IPv6 SIP User Agent can call an IPv4 SIP User Agent and vice versa, and explains the process that allows the two hosts with different protocols to communicate with each other. The SIP interconnection system is built without modifying the software on either endpoint, so the investment already made in existing equipment and systems (the SIPv4 network) can continue to be used as intended.

    THE IPv6 PROTOCOL - CHARACTERISTICS AND PROPOSED METHODS OF DEPLOYMENT IN EXISTING IPv4 NETWORKS USING CISCO ROUTERS

    The article is an introduction to the IPv6 protocol and a review of existing approaches to ensuring the coexistence of IPv6 and IPv4, using a homogeneous Cisco network infrastructure as the example. The first section characterizes the IPv6 protocol and compares it with IPv4. Next, concepts related to IPv6 addressing are described. The main part discusses methods for providing coexistence of the two IP protocols: the primary option, dual stack; two types each of point-to-point and multipoint tunnels; and finally NAT-PT address translation.

    An IPv6 pilot on a Wi-Fi network

    The large-scale deployment of the IPv6 protocol in computer networks has been repeatedly postponed, owing to several factors. Chief among them is the fact that services continue to be offered almost exclusively over IPv4, depriving the end user of the main advantages of running the IPv6 protocol stack natively on workstations. Most current strategies for migrating to the IPv6 protocol rely on the coexistence of both protocol stacks. An alternative approach is protocol conversion, which lets users run native IPv6 even when contacting IPv4 services. For this purpose, NAT-PT (Network Address Translation - Protocol Translation) is used, which, besides translating addresses, also performs protocol adaptation between the IPv6 (downstream) and IPv4 (upstream) protocol stacks. This work describes the results of connectivity tests carried out to assess the feasibility of using only the IPv6 protocol stack for client addressing in a Wi-Fi network scenario.

    Case Study - IPv6 based building automation solution integration into an IPv4 Network Service Provider infrastructure

    This case study describes the introduction of Internet Protocol version 6 (IPv6) into an IPv4 Internet Service Provider (ISP) network infrastructure. The case study driver is an ISP willing to introduce a new “killer” service related to Internet of Things (IoT) style building automation. The service will be provided by the ISP in cooperation with third-party companies specialized in building automation. The ISP has to deliver the network access layer and to accommodate the building automation solution traffic throughout its network infrastructure. The third-party companies are system integrators and building automation solution vendors. IPv6 is suitable for such solutions for the following reasons. The operator cannot accommodate a large number of IPv4 embedded devices in its current network due to the lack of address space and the fact that many of those devices will need a clear two-way IP communication channel. The authors propose a strategy for IPv6 introduction into the operator infrastructure based on the current network architecture, the present service portfolio, and several transition mechanisms. The strategy has been applied in a laboratory with a setup close enough to the current operator’s network. The criterion for a successful experiment is full two-way IPv6 application layer connectivity between the IPv6 server and the IPv6 Internet of Things (IoT) cloud

    Peer-to-Peer Communication Across Network Address Translators

    Network Address Translation (NAT) causes well-known difficulties for peer-to-peer (P2P) communication, since the peers involved may not be reachable at any globally valid IP address. Several NAT traversal techniques are known, but their documentation is slim, and data about their robustness or relative merits is slimmer. This paper documents and analyzes one of the simplest but most robust and practical NAT traversal techniques, commonly known as "hole punching." Hole punching is moderately well-understood for UDP communication, but we show how it can be reliably used to set up peer-to-peer TCP streams as well. After gathering data on the reliability of this technique on a wide variety of deployed NATs, we find that about 82% of the NATs tested support hole punching for UDP, and about 64% support hole punching for TCP streams. As NAT vendors become increasingly conscious of the needs of important P2P applications such as Voice over IP and online gaming protocols, support for hole punching is likely to increase in the future. Comment: 8 figures, 1 tabl