Chapter IPv6

History of IP protocol

From the middle of the 1990s the Internet was largely used by universities, high tech industries and the government, but the Internet increasingly interests commercial companies and will be used by a large number of individuals and systems all expressing different needs.

Under these circumstances IPv6 (also called IPng for new generation IP) should offer more flexibility and efficiency, solving a whole range of new problems and never have a lack of addresses.

Objectives of IPv6

Support billions of computers by releasing itself from the inefficiency of space for current IP addresses, Reduce the size of routing tables

Simplify the protocol to enable routers to route datagrams more quickly,

Provide better security (authentication and confidentiality) than the current IP protocol, Pay more attention to the type of service and particularly the services associated to real time traffic,

Objectives of Ipv6 cont...

Facilitate multi-destination broadcasting making it possible to specify the range,

by

Allow a computer to move without changing its address,

Allow future development of the protocol,

Provide the old and new protocol with a peaceful coexistence

IPv6 protocol

IPv6 protocol responds reasonably to the prescribed objectives. It retains the best functions from IPv4, while removing or minimising the worst and adding new ones when necessary. In general, IPv6 is not compatible with IPv4, but is compatible with all other Internet protocols including TCP, UDP, ICMP, IGMP, OSPF, BGP and DNS; sometimes slight modifications are required (in particular when working with long addresses).

The main functions of IPv6

The major innovation in IPv6 is the use of longer addresses than with IPv4. They are coded over 16 bytes. IPv4 makes it possible to address 2^32=4,29.10^9 addresses while IPv6 makes it possible to address 2^128=3,4.10^38 addresses. The major improvement in IPv6 is the simplification of datagram headers. The basic IPv6 datagram header only contains 7 fields (as opposed to 14 for IPv4). This change enables routers to process datagrams faster and improves their overall speed.

The main functions of Ipv6 cont...

The third improvement consists of offering more flexibility with options. This change is essential with the new header, since compulsory fields in the old version have now become optional.

In addition, the way in which options are represented is different; it enables routers to simply ignore options which are not intended for them. This function speeds up datagram processing times.
Furthermore, IPv6 provides greater security.

The main functions of Ipv6 cont...

Authentication and confidentiality constitute the major security functions in the IPv6 protocol. Finally, greater attention than in the past has been paid to the type of services. Although the Type of services field in the IPv4 datagram is only rarely used, the expected increase in multimedia traffic in the future requires that an interest be taken in it.

Datagram headers

The Version field is always equal to 4 bits for IPv6. During the transition period from IPv4 to IPv6, routers must look at this field to know what type of datagram they are routing. The Traffic class field (coded over 8 bits) is used to distinguish the sources which must benefit from the flow control of others

Datagram headers cont...

The Flow label field contains a unique number chosen by the source which aims to facilitate the work of the routers and allow the implementation of quality of service functions such as RSVP (Resource reSerVation setup Protocol). This indicator can be considered as a marker for a context in the router. The router can then conduct particular processing: choice of a route, processing of information in "real time", etc. The Payload length field of two bytes contains only the size of the payload, without taking into account the length of the header. For packets where the data size would be greater than 65,536 this field is worth 0 and the jumbogram option of the "hop by hop" extension is used. The Next header field has a function similar to the protocol field in the IPv4 packet: Quite simply it identifies the next header (in the same IPv6 datagram). It can be a protocol (from a higher layer ICMP, UDP, TCP, etc.) or an extension.

Datagram headers cont...

The Hop limit field replaces the "TTL" (Time-to-Live) field in IPv4. Its value (over 8 bits) is decremented with each node crossed. If this value reaches 0 while the IPv6 packet crosses a router, it will be rejected and an ICMPv6 error message issued. Source address and Destination address fields. After many discussions, it was decided that fixed length addresses equal to 16 bytes was the best compromise. The first bits of the address - the prefix - define the type of address. The addresses beginning with 8 zeros are reserved, in particular for IPv4 addresses

Options and Extensions in headers

The extension header mechanism was developed to satisfy the need to specify options more efficiently than in the past.
IPv6 header

hop by hop option header

destination option header routing header

fragmentation header
authentication header encrypted security payload header

destination option header

upper layer header

Hop by hop option header

The hop by hop option header must be processed by each node crossed by the packet. where it will be noted that the option field can vary in length. Consequently, its length must be specified in hdr ext len. Each option must begin with an 8-bit field which specifies the type, followed by an 8-bit field for length.

Routing header

The routing header is used by a source to list the set of nodes that a packet must cross before reaching its destination. It is identified by a next header value of 43 in the immediately preceding header.
The Routing Type field can be used to specify more than one variant for this header. For each type, different data will be entered in the typespecific data field.

Destination option header

Format is the same as that of the hop by hop extension header, This is the only extension header that can appear twice in the same packet, though in two different positions.
If it is placed before the routing header, it will be processed by the first node appearing in the IPv6 header's Destination field. In all other cases, it will be visible only at the ends. For the moment, only two padding options have been specified in order to pad out packets to a multiple of 64 bytes in length

Fragmentation header
If a datagram must be sent whose payload exceeds the size permitted for the link concerned by the MTU value, IPv6 enables the source station to fragment the packet. Using the fragmentation header permits the destination to reassemble the packet correctly. The fragmentable part consists of the rest of the packet, and is divided into blocks, or fragments, each of which is a multiple of 8 octets long. Each fragment is preceded by the updated unfragmentable part

Authentication header

The Authentication Header (AH) is designed to guarantee the authenticity and integrity of the packet in which it is placed, or in other words to check whether this packet was changed en route or was generated by someone who is not authorized to access the resource involved. By contrast, the Encrypted Security Payload header (ESP) provides a mechanism for handling data in such a way that they can be read only at the end of the route.

In both cases, source and destination must agree on the secret key and algorithm to be used, and on the values to be assigned to the latter's parameters. Together, this information forms a Security Association, or SA, identified by the SPI (security parameter index) field along with the source and destination addresses.

Encrypted Security Payload header

There are two possible choices: transport mode and tunnel mode. In the first case, only the IPv6 packet payload is encrypted. If a higher degree of security is required, it is possible to use the tunnel mode, where the entire packet is encrypted and then encapsulated in another packet. In this way, it is visible only at the ends, which makes for higher encryption effectiveness but also increases overhead.

Security in Ipv6

Basic Security Requirements and Techniques

Confidentiality The property that stored or transmitted information cannot be read or altered by an unauthorized party Integrity The property that any alteration of transmitted or stored information can be detected

Solutions

Packet Filters and Firewalls

Filters traffic based on predefined rules

IP address port numbers virus patterns

May determine unusual behavior

The IPSEC framework

Contains 6 distinct elements

Description of security requirements and mechanisms on the network layer Security element for encryption. Security element for authentication. Concrete cryptographic algorithms for encryption and authentication. Definition of Security policy and Security associations between partners. IPSEC key management ISAKMP - Internet Security Association and Key Management Protocol

Authentication in IPv6

Next Header

Length of Payload in x32 bits

Reserved SPI - Indicates which checksum algorithm has been used Sequence Number - Prevents replay attacks

Not to exceed 232 to prevent replay. Re-negotiation should occur It is know that packets may arrive out of order

Authentication Data - variable length

A cryptographically secure checksum over the payload and possibly other fields

Authentication in IPv6

Header and Payload Authentication

Accomplished by creating a tunnel between 2 gateways

Gateway may be a router

May be a VPN implementation Wraps the original packet in a new packet

Applies checksum to entire packet

Encryption in IPv6

Trailer

Contains Optional authentication information to protect the encrypted data and the sequence number Padding (for 64 bit alignment) Next Header value (in the encrypted packet)

IPv6 specification contains one encryption algorithm that must be supported by every implementation

DES-CBC (Data Encryption Standard in Cipher Block Chaining Mode)

Other stronger algorithms may be negotiated using corresponding SA and SPI

Government export controls

Encryption in IPv6

Header and Payload encryption

Accomplished by creating a tunnel between 2 gateways

Gateway may be a router May be a VPN implementation

Wraps the original packet in a new packet

Applies checksum to entire packet

Encryption in IPv6

Combining Authentication and Encryption

It was originally intended to use both But increased IPv6 packet size was not good

Decided to included AH functionality in ESP

IPSEC may solve many issues on the Internet

FTP, Telnet, DNS, and SNMP

IPSEC tunnels break through firewalls or NAT Tunneled IPSEC traffic may contain malicious data QOS doesnt work in IPSEC Mobility issues Dynamic IP addresses cause IPSEC to fail

However other issues exist

IPv6 deployment slowed due to Ipv4 workarounds

NAT and CIDR SSL

SSH
S/MIME, PGP lack of public key infrastructure lack of vendor/IPv6 adoption

IPSEC deployment issues