Analysis of security impact of making mShield an IPv4 to IPv6 converter box

info:eu-repo/semantics/acceptedVersio

Device discovery and context registration in static context header compression networks

Due to the limited bandwidth of Low-Power Wide-Area Networks (LPWAN), the application layer is currently often tied straight above the link layer, limiting the evolution of sensor networks distributed over a large area. Consequently, the highly efficient Static Context Header Compression (SCHC) standard was introduced, where devices can compress the IPv6 and upper layer protocols down to a single byte. This approach, however, assumes that every compression context is distributed before deployment, again limiting the evolution of such networks. Therefore, this paper presents two context registration mechanisms leveraging on the SCHC adaptation layer. This is done by analyzing current registration solutions in order to find limitations and optimizations with regard to very constrained networks. Both solutions and the current State-of-The-Art (SoTA) are evaluated in a Lightweight Machine to Machine (LwM2M) environment. In such situation, both developed solutions decrease the energy consumption already after 25 transmissions, compared with the current SoTA. Furthermore, simulations show that Long Range (LoRa) devices still have a 80% chance to successfully complete the registration flow in a network with a 50% Packet Error Ratio. Briefly, the work presented in this paper delivers bootstrapping tools to constrained, SCHC-enabled networks while still being able to reduce energy consumption

Operating System Response to Router Advertisement Packet in IPv6.

With growth of internet IPv4 address will run out soon. So the need of new IP protocol is indispensable. IPv6 with 128-bit address space is developed and maintain the support of IPv4 protocols with some upgrades such as BGP, OSPF and ICMP. ICMP protocol used for error reporting, neighbor discovering and other functions for diagnosis, ICMP version 6 has new types of packets to perform function similar to address resolution protocol ARP called Neighbor Discovery Protocol NDP. NDP is responsible for address auto configuration of nodes and neighbor discovery. It define new packets for the purposes of router solicitation, router advertisement and others discovery functions

IETF standardization in the field of the Internet of Things (IoT): a survey

Smart embedded objects will become an important part of what is called the Internet of Things. However, the integration of embedded devices into the Internet introduces several challenges, since many of the existing Internet technologies and protocols were not designed for this class of devices. In the past few years, there have been many efforts to enable the extension of Internet technologies to constrained devices. Initially, this resulted in proprietary protocols and architectures. Later, the integration of constrained devices into the Internet was embraced by IETF, moving towards standardized IP-based protocols. In this paper, we will briefly review the history of integrating constrained devices into the Internet, followed by an extensive overview of IETF standardization work in the 6LoWPAN, ROLL and CoRE working groups. This is complemented with a broad overview of related research results that illustrate how this work can be extended or used to tackle other problems and with a discussion on open issues and challenges. As such the aim of this paper is twofold: apart from giving readers solid insights in IETF standardization work on the Internet of Things, it also aims to encourage readers to further explore the world of Internet-connected objects, pointing to future research opportunities

In the IP of the Beholder: Strategies for Active IPv6 Topology Discovery

Existing methods for active topology discovery within the IPv6 Internet largely mirror those of IPv4. In light of the large and sparsely populated address space, in conjunction with aggressive ICMPv6 rate limiting by routers, this work develops a different approach to Internet-wide IPv6 topology mapping. We adopt randomized probing techniques in order to distribute probing load, minimize the effects of rate limiting, and probe at higher rates. Second, we extensively analyze the efficiency and efficacy of various IPv6 hitlists and target generation methods when used for topology discovery, and synthesize new target lists based on our empirical results to provide both breadth (coverage across networks) and depth (to find potential subnetting). Employing our probing strategy, we discover more than 1.3M IPv6 router interface addresses from a single vantage point. Finally, we share our prober implementation, synthesized target lists, and discovered IPv6 topology results

IPv6: a new security challenge

Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2011O Protocolo de Internet versão 6 (IPv6) foi desenvolvido com o intuito de resolver alguns dos problemas não endereçados pelo seu antecessor, o Protocolo de Internet versão 4 (IPv4), nomeadamente questões relacionadas com segurança e com o espaço de endereçamento disponível. São muitos os que na última década têm desenvolvido estudos sobre os investimentos necessários à sua adoção e sobre qual o momento certo para que o mesmo seja adotado por todos os players no mercado. Recentemente, o problema da extinção de endereçamentos públicos a ser disponibilizado pelas diversas Region Internet registry – RIRs - despertou o conjunto de entidades envolvidas para que se agilizasse o processo de migração do IPv4 para o IPv6. Ao contrário do IPv4, esta nova versão considera a segurança como um objetivo fundamental na sua implementação, nesse sentido é recomendado o uso do protocolo IPsec ao nível da camada de rede. No entanto, e devido à imaturidade do protocolo e à complexidade que este período de transição comporta, existem inúmeras implicações de segurança que devem ser consideradas neste período de migração. O objetivo principal deste trabalho é definir um conjunto de boas práticas no âmbito da segurança na implementação do IPv6 que possa ser utilizado pelos administradores de redes de dados e pelas equipas de segurança dos diversos players no mercado. Nesta fase de transição, é de todo útil e conveniente contribuir de forma eficiente na interpretação dos pontos fortes deste novo protocolo assim como nas vulnerabilidades a ele associadas.IPv6 was developed to address the exhaustion of IPv4 addresses, but has not yet seen global deployment. Recent trends are now finally changing this picture and IPv6 is expected to take off soon. Contrary to the original, this new version of the Internet Protocol has security as a design goal, for example with its mandatory support for network layer security. However, due to the immaturity of the protocol and the complexity of the transition period, there are several security implications that have to be considered when deploying IPv6. In this project, our goal is to define a set of best practices for IPv6 Security that could be used by IT staff and network administrators within an Internet Service Provider. To this end, an assessment of some of the available security techniques for IPv6 will be made by means of a set of laboratory experiments using real equipment from an Internet Service Provider in Portugal. As the transition for IPv6 seems inevitable this work can help ISPs in understanding the threats that exist in IPv6 networks and some of the prophylactic measures available, by offering recommendations to protect internal as well as customers’ networks

A New Model for Testing IPv6 Fragment Handling

Since the origins of the Internet, various vulnerabilities exploiting the IP fragmentation process have plagued IPv4 protocol, many leading to a wide range of attacks. IPv6 modified the handling of fragmentations and introduced a specific extension header, not solving the related problems, as proved by extensive literature. One of the primary sources of problems has been the overlapping fragments, which result in unexpected or malicious packets when reassembled. To overcome the problem related to fragmentation, the authors of RFC 5722 decided that IPv6 hosts MUST silently drop overlapping fragments. Since then, several studies have proposed methodologies to check if IPv6 hosts accept overlapping fragments and are still vulnerable to related attacks. However, some of the above methodologies have not been proven complete or need to be more accurate. In this paper we propose a novel model to check IPv6 fragmentation handling specifically suited for the reassembling strategies of modern operating systems. Previous models, indeed, considered OS reassembly policy as byte-based. However, nowadays, reassembly policies are fragment-based, making previous models inadequate. Our model leverages the commutative property of the checksum, simplifying the whole assessing process. Starting with this new model, we were able to better evaluate the RFC-5722 and RFC-9099 compliance of modern operating systems against fragmentation handling. Our results suggest that IPv6 fragmentation can still be considered a threat and that more effort is needed to solve related security issues

Testing and Evaluation of a DNS64/NAT64 System

Internet on kasvanut huimasti yli sen alkuperäisten kehittäjien villien unelmien. Aikoinaan, kun IP-protokollaa oltiin kehittämässä, ei kukaan voinut ennalta nähdä tilannetta, jossa globaali osoiteavaruus loppuisi jonakin päivänä. Kuitenkin tällä hetkellä ollaan saavuttamassa tilannetta, jossa osoitteet loppuvat ja koko maailma on ison haasteen edessä. Uusi versio IP:stä, versio 6, täytyy ottaa käyttöön ympäri maailman. Tässä uudessa versiossa on niin suuri globaali osoiteavaruus, että sen pitäisi riittää ihmiskunnan loppuun asti. Siirtyminen IPv4:stä IPv6:een on alkanut monta vuotta sitten, mutta vasta nyt se alkaa nopeutua. Tässä siirtymävaiheessa on monia ongelmia. Yksi suurimmista ongelmista on se, kuinka IPv4 ja IPv6 -laitteet saadaan muodostamaan yhteyksiä keskenään tämän tärkeän ja monivuotisen siirtymävaiheen aikana. Eräs ratkaisu tähän kysymykseen on DNS64/NAT64, joka on tutkimuksen ja testauksen kohteena tässä diplomityössä. Ilman DNS64/NAT64 -järjestelmää ja muita siirtymävaiheen tekniikoita ei uuteen IPv6:een voitaisi järkevästi siirtyä. Tässä diplomityössä on tutkittu DNS64/NAT64 -järjestelmän soveltuvuutta siirtymävaiheen teknologiaksi. Työ pitää sisällään kyseisen järjestelmän testausta, ongelmakohtien kartoitusta sekä parannusehdotuksia ja yleistä analysointia. Sivutuotteena varsinaisen järjestelmän testauksen lisäksi myös testauksessa käytetyn ohjelmiston laatu parani löydettyjen virheiden ja toteutettujen parannusehdotusten seurauksena. /Kir1