
    The Security Flag in the IPv4 Header


    The Impact of IPv6 on Penetration Testing

    In this paper we discuss the impact the use of IPv6 has on remote penetration testing of servers and web applications. Several modifications to the penetration testing process are proposed to accommodate IPv6. Among these modifications are ways of performing fragmentation attacks, host discovery and brute-force protection. We also propose new checks for IPv6-specific vulnerabilities, such as bypassing firewalls using extension headers and reaching internal hosts through available transition mechanisms. The changes to the penetration testing process proposed in this paper can be used by security companies to make their penetration testing process applicable to IPv6 targets.

    FAIR: Forwarding Accountability for Internet Reputability

    This paper presents FAIR, a forwarding accountability mechanism that incentivizes ISPs to apply stricter security policies to their customers. The Autonomous System (AS) of the receiver specifies a traffic profile that the sender AS must adhere to. Transit ASes on the path mark packets. In case of traffic profile violations, the marked packets are used as a proof of misbehavior. FAIR introduces low bandwidth overhead and requires no per-packet and no per-flow state for forwarding. We describe integration with IP and demonstrate a software switch running on commodity hardware that can switch packets at a line rate of 120 Gbps, and can forward 140M minimum-sized packets per second, limited by the hardware I/O subsystem. Moreover, this paper proposes a "suspicious bit" for packet headers - an application that builds on top of FAIR's proofs of misbehavior and flags packets to warn other entities in the network.

    Comment: 16 pages, 12 figures.

    Analysis of the Use of IPSec on IPv6 over IPv4 Tunnels against IP Spoofing Attacks (original title: Analisis Penggunaan IPSec pada Tunnel IPv6 over IPv4 terhadap Serangan IP Spoofing)

    ABSTRACT: Spoofing can still occur on an IPv6 over IPv4 tunnel. An attacker sends packets to a given address with a forged source address, either passing through the system or targeting one of the system's own nodes. The IPv4 address used for spoofing is one of the tunnel endpoints. An IPv6 over IPv4 tunnel uses two kinds of IP, IPv4 and IPv6: the IPv6 header together with its payload is encapsulated in an IPv4 header so that it can traverse IPv4 infrastructure. To reduce the impact of such spoofing attacks, the use of a security protocol operating at the IP layer, IP Security (IPSec), is recommended. Two protocols can be used: Authentication Header (AH) and Encapsulating Security Payload (ESP). Each protocol can operate in transport mode or tunnel mode. According to RFC4891, transport mode protects packets defined by (source IPv4 address, destination IPv4 address, protocol=41), whereas tunnel mode protects packets defined by (source IPv6 address, destination IPv6 address). Transport mode is recommended because protocol 41 is still present; that protocol marks the carried packet as an IPv6 packet. The tunneling scenario used is host-to-host. Two main systems were built: a tunnel without IPSec and a tunnel with IPSec. Each system is sent a number of spoofed packets, and the number of packets processed by the victim and by another affected node (the suspect) is then observed. The CPU utilisation caused by the spoofed packets on both hosts is also observed. On the system with IPSec, the effect of the IPSec lifetime on the packets processed by both hosts and on their utilisation is tested as well. The results of the system without IPSec are then compared with those of the system with IPSec, leading to the conclusion that far fewer packets are processed on the system with IPSec than on the system without it. Before IPSec is applied, the victim processes three times as many packets as the number of spoofed packets sent (packets with the SYN, SYN/ACK and RST flags), while the suspect processes twice as many (packets with the SYN/ACK and RST flags). After IPSec is applied, only the victim receives the SYN packets from the attacker, and those packets are not processed further by sending a SYN/ACK to the suspect, because the incoming spoofed packets are rejected at the IPSec level. The utilisation caused by the spoofed packets also drops, since no packets are processed. The IPSec lifetime has little effect on either the packets processed or the utilisation caused by the spoofed packets, again because the spoofed packets are rejected at the IPSec level so that no further packets are processed.

    Keywords: IPv6-over-IPv4, tunnel, spoofing, IPv4, IPv6, IP layer, IPSec, AH

    LAMP: Prompt Layer 7 Attack Mitigation with Programmable Data Planes

    While there are various methods to detect application layer attacks or intrusion attempts on an individual end host, it is not efficient to provide all end hosts in the network with heavy-duty defense systems or software firewalls. In this work, we leverage a new concept of programmable data planes, to directly react on alerts raised by a victim and prevent further attacks on the whole network by blocking the attack at the network edge. We call our design LAMP, Layer 7 Attack Mitigation with Programmable data planes. We implemented LAMP using the P4 data plane programming language and evaluated its effectiveness and efficiency in the Behavioral Model (bmv2) environment.

    High-speed, in-band performance measurement instrumentation for next generation IP networks

    Facilitating always-on instrumentation of Internet traffic for the purposes of performance measurement is crucial in order to enable accountability of resource usage and automated network control, management and optimisation. This has proven infeasible to date due to the lack of native measurement mechanisms that can form an integral part of the network's main forwarding operation. However, the Internet Protocol version 6 (IPv6) specification enables the efficient encoding and processing of optional per-packet information as a native part of the network layer, and this constitutes a strong reason for IPv6 to be adopted as the ubiquitous next generation Internet transport. In this paper we present a very high-speed hardware implementation of in-line measurement, a truly native traffic instrumentation mechanism for the next generation Internet, which facilitates performance measurement of the actual data-carrying traffic at small timescales between two points in the network. This system is designed to operate as part of the routers' fast path and to incur an absolutely minimal impact on the network operation even while instrumenting traffic between the edges of very high capacity links. Our results show that the implementation can be easily accommodated by current FPGA technology, and real Internet traffic traces verify that the overhead incurred by instrumenting every packet over a 10 Gb/s operational backbone link carrying a typical workload is indeed negligible.

    Analysis of security impact of making mShield an IPv4 to IPv6 converter box


    Operating System Response to Router Advertisement Packet in IPv6.

    With the growth of the internet, IPv4 addresses will run out soon, so a new IP protocol is indispensable. IPv6, with a 128-bit address space, was developed and maintains support for IPv4 protocols with some upgrades, such as BGP, OSPF and ICMP. The ICMP protocol is used for error reporting, neighbor discovery and other diagnostic functions; ICMP version 6 has new packet types that perform a function similar to the Address Resolution Protocol (ARP), called the Neighbor Discovery Protocol (NDP). NDP is responsible for address autoconfiguration of nodes and neighbor discovery. It defines new packets for the purposes of router solicitation, router advertisement and other discovery functions.