
INTERNET PROTOCOL, VERSION 6

(IPV6)

Presenter: Ngo Duy Kien && Pham Van Ke
Date: 07-05-2014
AGENDA
Motivation
IPv6 Address
Auto-Configuration
IPv6 packet format - functionalities
ICMPv6
Security
Mobility
IPv4-IPv6 transition
Retrospective/ QA Session
FAMOUS LAST WORDS
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943
"640K ought to be enough for anybody."
Bill Gates, 1981
"32 bits should be enough address space for
Internet"
Vint Cerf, 1977 (Honorary Chairman of IPv6 Forum 2000)
INTERNET PROTOCOL VERSION 4
Limitation of IPv4
Address Shortage issue
Inconvenient System Management
No Native Mobility Support
No QoS guarantee
Security issue
IPv4 header layout (32-bit rows, one row per line):
Version | IHL | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options | Padding
Data ...
IPv4 Problems:
Lack of class B IPv4 address space => CIDR addressing
Circa 1,800 active Autonomous Systems
Inject nearly 43,000 Routable Prefixes
Inadequate address aggregation
Ballooning BGP databases, and Router memory exhaustion
Increased forwarding table look up time
Ubiquitous but simplistic

IPv4 Problems:
CIDR allowed IPv4 to survive the first big crisis (92-95), but will it be able to survive the next years' growth (xDSL, mobile terminals, etc.)?
NAT attempts to translate addresses without changing the application, but it does not really work.

[Figure: NAT between private addresses and the global Internet. Labels: A 10.0.1.2, B 203.64.88.1, 203.64.105.1, 10.0.1.254]
NAT obstacles
Breaks the End-to-End Paradigm for Security, QoS
Kills the performance with intermediate Application Level Gateway (FTP, DNS, H.323, or SIP) and increases the delay
Hidden Costs (i.e. keeping consistency in the DNS, routers, ALG etc.; requires network experts)
Difficult to scale when more hosts are added, and allocating from a DHCP server pool with global addresses breaks the always connected mode
Operators cannot use the standard off-the-shelf network equipment scalability and performance analysis
Increased vulnerability to DoS attacks

So, We definitely need IPv6!!!!
IPV6 MOTIVATION
The enormous growth of Internet.
The Address space is running out in IPv4 (32 bits).
Routing tables are exploding.
The lack of security at the network layer
Device Control Smart Homes
High Performance Networks
IP Based Cellular Systems
Connect everything over IP
Several years of networking with TCP/IP had brought lessons and knowledge
Lack of Mobility support
New Applications such as Real Time Multimedia.
Networked Entertainment - your TV will be an Internet host
More Scalable Solution is needed
IPV6 ADDRESS
128 bits long. Fixed size
$2^{128} = 3.4 \times 10^{38}$ addresses => $6.65 \times 10^{23}$ addresses per m$^2$ of earth surface
If assigned at the rate of $10^{6}$/s, it would take 20 years
Allows multiple interfaces per host
Allows multiple addresses per interface


IPV6 ADDRESS
Allows unicast, multicast, anycast
Allows provider based, site-local, link-local
85% of the space is unassigned

COLON-HEX NOTATION
Dot-Decimal: 203.64.105.100
Colon-Hex: FEDC:0000:0000:0000:3243:0000:0000:ABCD
Can skip leading zeros of each word
Can skip one sequence of zero words, e.g., FEDC::3243:0000:0000:ABCD
The "::" can only appear once in an address
The "::" can also be used to compress the leading and/or trailing zeros in an address
Can leave the last 32 bits in dot-decimal, e.g., ::203.64.105.100
Can specify a prefix by /length, e.g., 2345:BA23:7::/40

IPV6 PREFIX ALLOCATION
Global
IPV6 ADDRESSING MODEL
Addresses are assigned to interfaces
No change from IPv4 Model
Interface can have multiple addresses

Addresses have scope
Link Local
Site Local
Global

Addresses have lifetime
Valid and Preferred lifetime
Site-Local Link-Local
LOCAL-USE ADDRESS
Link Local: Not forwarded outside the link, FE80::xxx

10 bits      | n bits | 118-n bits
1111 1110 10 | 0      | Interface ID

Site Local: Not forwarded outside the site, FEC0::xxx

10 bits      | n bits | m bits    | 118-n-m bits
1111 1110 11 | 0      | Subnet ID | Interface ID
MULTICAST ADDRESS



8 bits    | 4 bits | 4 bits | 112 bits
1111 1111 | Flags  | Scope  | Group ID

Flags: 0 0 0 T
T=0 => Permanent (well-known) multicast address, T=1 => Transient
Scope: 1 Node-local, 2 Link-local, 5 Site-local, 8 Organization-local, E Global, F Reserved
Predefined: 1 => All nodes, 2 => Routers, 1:0 => DHCP Servers
MULTICAST ADDRESS
Example: 43 => Network Time Protocol Servers
FF01::43 => All NTP servers on this node
FF02::43 => All NTP servers on this link
FF05::43 => All NTP servers in this site
FF08::43 => All NTP servers in this organization
FF0E::43 => All NTP servers in the Internet
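
The notation and prefix rules above matter when matching addresses in ACLs or logs, because one address has many textual spellings. The following is an added example (not from the presentation) that compares addresses by value and decodes the local-use and multicast bit fields shown above; the function names `classify` and `same_address` are assumptions.

```python
import ipaddress

# Scope values as listed on the slide (hex digit -> name).
SCOPES = {0x1: "node-local", 0x2: "link-local", 0x5: "site-local",
          0x8: "organization-local", 0xE: "global", 0xF: "reserved"}

def classify(text):
    """Parse any colon-hex spelling and decode the prefix bits described above."""
    addr = ipaddress.IPv6Address(text)      # accepts "::" and a dot-decimal tail
    value = int(addr)
    info = {"canonical": addr.exploded.upper()}
    top10 = value >> 118                    # first 10 bits select local-use ranges
    if value >> 120 == 0xFF:                # 1111 1111 -> multicast
        flags = (value >> 116) & 0xF
        scope = (value >> 112) & 0xF
        info.update(kind="multicast",
                    transient=bool(flags & 0x1),      # T bit
                    scope=SCOPES.get(scope, "unassigned"),
                    group_id=value & ((1 << 112) - 1))
    elif top10 == 0b1111111010:             # FE80::/10
        info["kind"] = "link-local"
    elif top10 == 0b1111111011:             # FEC0::/10
        info["kind"] = "site-local"
    else:
        info["kind"] = "other"
    return info

def same_address(a, b):
    """Compare two textual spellings by value, never by string."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)
```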

IPV4 HEADER
20 OCTETS + OPTIONS: 13 FIELDS, INCLUDING 3 FLAG BITS
(32-bit rows, bits 0-31; in the original slide fields are marked as Removed or Changed)
Ver | IHL | Service Type | Total Length
Identifier | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
32 bit Source Address
32 bit Destination Address
Options and Padding

IPV6 HEADER
40 OCTETS, 8 FIELDS
(32-bit rows; bit positions marked at 0, 4, 12, 16, 24, 31)
Version | Class | Flow Label
Payload Length | Next Header | Hop Limit
128 bit Source Address
128 bit Destination Address

Simplified IPv6 header format:
(Number of fields has been reduced from 12 to 8)
ver | Prio | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address
KEY IPV6 FEATURES
Redundant header options dropped:
Type of service
Flags
Identification
Fragmentation offset (IPv6 uses path MTU discovery)
Header Checksum (most encapsulation procedures include this function, e.g. IEEE 802 MAC, PPP Framing, ATM adaptation layer)
INTRODUCING IPV6
Some fields re-named:
length => payload
protocol type => next header
time to live => hop limit
One field revised:
Option mechanism (variable length field replaced by fixed length extension header)
Two fields added:
Priority
Flow Label
BRIEF OVERVIEW
There are two auto-configuration mechanisms in IPv6:
Stateless: SLAAC (Stateless Address Auto-Configuration), based on ICMPv6 messages (Router Solicitation and Router Advertisement)
Stateful: DHCPv6
SLAAC is mandatory, while DHCPv6 is optional
In SLAAC, Router Advertisements communicate configuration information such as:
IPv6 prefixes to use for autoconfiguration
IPv6 routes
Other configuration parameters (Hop Limit, MTU, etc.)
SECURITY CONSIDERATIONS
By forging Router Advertisements, an attacker can perform:
Denial of Service (DoS) attacks
Man in the Middle (MITM) attacks
Possible mitigation techniques:
Deploy SEND (SEcure Neighbor Discovery)
Monitor Neighbor Discovery traffic (e.g., with NDPMon)
Deploy Router Advertisement Guard (RA-Guard)
Restrict access to the local network
Unfortunately,
SEND is very difficult to deploy (it requires a PKI)
ND monitoring tools can be trivially evaded
RA-Guard can be trivially evaded
It is not always possible to restrict access to the local network
Conclusion: the situation is not that different from that of IPv4 (actually, it's a bit worse)
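
A minimal sketch of the "monitor Neighbor Discovery traffic" mitigation listed above, added here as an example (it is not code from the presentation or from NDPMon). It checks a raw IPv6 packet carrying a Router Advertisement against an allowlist; the router address, the prefix, and the names `check_ra` and `build_ra` are assumptions, and the sample packets are constructed. Packets it cannot parse are reported rather than silently passed.

```python
import ipaddress
import struct

# Assumed site policy (constructed values): legitimate routers and prefixes.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
KNOWN_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

def check_ra(packet):
    """Return findings for one raw IPv6 packet; [] means nothing suspicious."""
    if len(packet) < 40:
        return ["truncated IPv6 header"]
    _, _, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    body = packet[40:]
    if next_header != 58:                      # not ICMPv6 right after the fixed header
        return ["not inspected: next header %d" % next_header]
    if len(body) < 16 or body[0] != 134:       # 134 = Router Advertisement
        return []
    findings = []
    if hop_limit != 255:                       # RFC 4861: an RA must arrive with hop limit 255
        findings.append("hop limit %d, expected 255" % hop_limit)
    if not src.is_link_local:
        findings.append("source %s is not link-local" % src)
    if src not in KNOWN_ROUTERS:
        findings.append("unknown router %s" % src)
    opts = body[16:]                           # options follow the 16-byte RA header
    while len(opts) >= 8:
        opt_type, opt_len = opts[0], opts[1] * 8   # length is in 8-octet units
        bad_pio = opt_type == 3 and (opt_len != 32 or opts[2] > 128)
        if opt_len == 0 or opt_len > len(opts) or bad_pio:
            findings.append("malformed option")
            break
        if opt_type == 3:                      # Prefix Information option
            net = ipaddress.IPv6Network((opts[16:32], opts[2]), strict=False)
            if net not in KNOWN_PREFIXES:
                findings.append("unexpected prefix %s" % net)
        opts = opts[opt_len:]
    return findings

def build_ra(src, prefix, hop_limit=255):
    """Construct a sample RA (checksum left zero; this monitor does not verify it)."""
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    pio += net.network_address.packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + pio
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), 58, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + icmp
```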
KEY IPV6 FEATURES
IPv6 Mandates Auto-Address Configuration:

IPv4 Configuration Process:
1) IPv4 Address
2) Default Gateway
3) Subnet Mask / Prefix Number
4) Domain Name Server and Domain Name
5) Solutions => Bootstrap (Static) & DHCP (Dynamic / Server based)
IPv6 Configuration Process:
1) Neighbor Discovery (stateless configuration)
2) DHCPv6 (stateful configuration)
KEY IPV6 FEATURES
Security:
IPv4 Security Problems:
1) Denial of service attack (BGP / RIP hijacking)
2) Address spoofing
3) Use of source routing defeats address authentication
IPv6 Security:
1) Mandated at the Kernel level => IPsec
2) Authentication Header (Default to MD5)
3) Encryption (Default to DES-CBC)
4) Security Parameter Index (Defines non-default security association)
5) Repudiation features
KEY IPV6 FEATURES
IPv6 QoS Advantages:
QoS becoming an issue as real time services emerge:
1) Need for lower latency and jitter, but improved tolerance to lost packets
2) Less emphasis on re-transmission of lost data
3) More emphasis on timing relationships (time-stamping)
24-bit Flow Label enables identification of traffic flows
Drop Priority field to manage conflicts
RSVP used by routers to deal with requests
WHAT IS THE REASON FOR THE LACK OF ADDRESSES?
Mobile phones require IP addresses with GPRS and UMTS technologies (a phone = at least one address)
Need of addresses in Asia
Ambient network
Q&A
