Documente Academic
Documente Profesional
Documente Cultură
History of IP protocol
From the middle of the 1990s the Internet was largely used by universities, high tech industries and the government, but the Internet increasingly interests commercial companies and will be used by a large number of individuals and systems all expressing different needs.
Under these circumstances IPv6 (also called IPng for new generation IP) should offer more flexibility and efficiency, solving a whole range of new problems and never have a lack of addresses.
Objectives of IPv6
Support billions of computers by releasing itself from the inefficiency of space for current IP addresses, Reduce the size of routing tables
by
IPv6 protocol
IPv6 protocol responds reasonably to the prescribed objectives. It retains the best functions from IPv4, while removing or minimising the worst and adding new ones when necessary. In general, IPv6 is not compatible with IPv4, but is compatible with all other Internet protocols including TCP, UDP, ICMP, IGMP, OSPF, BGP and DNS; sometimes slight modifications are required (in particular when working with long addresses).
The major innovation in IPv6 is the use of longer addresses than with IPv4. They are coded over 16 bytes. IPv4 makes it possible to address 2^32=4,29.10^9 addresses while IPv6 makes it possible to address 2^128=3,4.10^38 addresses. The major improvement in IPv6 is the simplification of datagram headers. The basic IPv6 datagram header only contains 7 fields (as opposed to 14 for IPv4). This change enables routers to process datagrams faster and improves their overall speed.
The third improvement consists of offering more flexibility with options. This change is essential with the new header, since compulsory fields in the old version have now become optional.
In addition, the way in which options are represented is different; it enables routers to simply ignore options which are not intended for them. This function speeds up datagram processing times.
Furthermore, IPv6 provides greater security.
Authentication and confidentiality constitute the major security functions in the IPv6 protocol. Finally, greater attention than in the past has been paid to the type of services. Although the Type of services field in the IPv4 datagram is only rarely used, the expected increase in multimedia traffic in the future requires that an interest be taken in it.
Datagram headers
The Version field is always equal to 4 bits for IPv6. During the transition period from IPv4 to IPv6, routers must look at this field to know what type of datagram they are routing. The Traffic class field (coded over 8 bits) is used to distinguish the sources which must benefit from the flow control of others
The Flow label field contains a unique number chosen by the source which aims to facilitate the work of the routers and allow the implementation of quality of service functions such as RSVP (Resource reSerVation setup Protocol). This indicator can be considered as a marker for a context in the router. The router can then conduct particular processing: choice of a route, processing of information in "real time", etc. The Payload length field of two bytes contains only the size of the payload, without taking into account the length of the header. For packets where the data size would be greater than 65,536 this field is worth 0 and the jumbogram option of the "hop by hop" extension is used. The Next header field has a function similar to the protocol field in the IPv4 packet: Quite simply it identifies the next header (in the same IPv6 datagram). It can be a protocol (from a higher layer ICMP, UDP, TCP, etc.) or an extension.
The Hop limit field replaces the "TTL" (Time-to-Live) field in IPv4. Its value (over 8 bits) is decremented with each node crossed. If this value reaches 0 while the IPv6 packet crosses a router, it will be rejected and an ICMPv6 error message issued. Source address and Destination address fields. After many discussions, it was decided that fixed length addresses equal to 16 bytes was the best compromise. The first bits of the address - the prefix - define the type of address. The addresses beginning with 8 zeros are reserved, in particular for IPv4 addresses
The extension header mechanism was developed to satisfy the need to specify options more efficiently than in the past.
IPv6 header
fragmentation header
authentication header encrypted security payload header
The hop by hop option header must be processed by each node crossed by the packet. where it will be noted that the option field can vary in length. Consequently, its length must be specified in hdr ext len. Each option must begin with an 8-bit field which specifies the type, followed by an 8-bit field for length.
Routing header
The routing header is used by a source to list the set of nodes that a packet must cross before reaching its destination. It is identified by a next header value of 43 in the immediately preceding header.
The Routing Type field can be used to specify more than one variant for this header. For each type, different data will be entered in the typespecific data field.
Format is the same as that of the hop by hop extension header, This is the only extension header that can appear twice in the same packet, though in two different positions.
If it is placed before the routing header, it will be processed by the first node appearing in the IPv6 header's Destination field. In all other cases, it will be visible only at the ends. For the moment, only two padding options have been specified in order to pad out packets to a multiple of 64 bytes in length
Fragmentation header
If a datagram must be sent whose payload exceeds the size permitted for the link concerned by the MTU value, IPv6 enables the source station to fragment the packet. Using the fragmentation header permits the destination to reassemble the packet correctly. The fragmentable part consists of the rest of the packet, and is divided into blocks, or fragments, each of which is a multiple of 8 octets long. Each fragment is preceded by the updated unfragmentable part
Authentication header
The Authentication Header (AH) is designed to guarantee the authenticity and integrity of the packet in which it is placed, or in other words to check whether this packet was changed en route or was generated by someone who is not authorized to access the resource involved. By contrast, the Encrypted Security Payload header (ESP) provides a mechanism for handling data in such a way that they can be read only at the end of the route.
In both cases, source and destination must agree on the secret key and algorithm to be used, and on the values to be assigned to the latter's parameters. Together, this information forms a Security Association, or SA, identified by the SPI (security parameter index) field along with the source and destination addresses.
There are two possible choices: transport mode and tunnel mode. In the first case, only the IPv6 packet payload is encrypted. If a higher degree of security is required, it is possible to use the tunnel mode, where the entire packet is encrypted and then encapsulated in another packet. In this way, it is visible only at the ends, which makes for higher encryption effectiveness but also increases overhead.
Security in Ipv6
Confidentiality The property that stored or transmitted information cannot be read or altered by an unauthorized party Integrity The property that any alteration of transmitted or stored information can be detected
Solutions
Description of security requirements and mechanisms on the network layer Security element for encryption. Security element for authentication. Concrete cryptographic algorithms for encryption and authentication. Definition of Security policy and Security associations between partners. IPSEC key management ISAKMP - Internet Security Association and Key Management Protocol
Authentication in IPv6
Next Header
Not to exceed 232 to prevent replay. Re-negotiation should occur It is know that packets may arrive out of order
A cryptographically secure checksum over the payload and possibly other fields
Authentication in IPv6
Encryption in IPv6
Trailer
Contains Optional authentication information to protect the encrypted data and the sequence number Padding (for 64 bit alignment) Next Header value (in the encrypted packet)
IPv6 specification contains one encryption algorithm that must be supported by every implementation
Encryption in IPv6
Encryption in IPv6
SSH
S/MIME, PGP lack of public key infrastructure lack of vendor/IPv6 adoption