
IPv6


Presentation Transcript


  1. IPv6 Network Security

  2. Topics
  • Introduction
  • Comparison with IPv4
  • Header format
  • Extension headers
  • Neighbour discovery
  • Transition from IPv4 to IPv6
  • ICMPv6
  • IPv6 addresses
  • Address Autoconfiguration
  • IP Security

  3. About IPv6
  • Internetworking Protocol version 6, IPng
  • IPv6 was developed because around 1992 it became clear that, at the rate the Internet was growing, the world would soon run out of IPv4 addresses
  • Experimental deployment of IPv6 started in 1995
  • IPv6 was designed to work alongside IPv4 on all network devices. This is often called “Dual Stack” because devices have both an IPv4 protocol stack and an IPv6 protocol stack
  • 128-bit address written as 8 hexadecimal quads
  • It supports 2^128 (about 3.4×10^38) addresses

  4. IPv4 deficiencies
  • Address depletion
  • No support for real-time audio and video transmission
  • No encryption and authentication of data

  5. IPv6 advantages over IPv4
  • Large address space
  • Better header format
  • Stateless and stateful address auto-configuration
  • Built-in security
  • New options
  • Extensibility
  • Support for real-time audio and video

  6. IPv4 vs IPv6

  7. Reasons for delay in adoption
  • Classless addressing
  • Use of DHCP
  • Network Address Translation

  8. IPv6 datagram base header

  9. IPv4 and IPv6 header

  10. IPv4 vs IPv6 packet header

  11. IPv6 Extension Headers

  12. IPv6 Extension Headers
  • Hop-by-Hop Options header
    • Used when the source needs to pass information to all routers visited by the datagram.
  • Source routing
    • Combines the concepts of the strict and loose source route options of IPv4.
  • Fragmentation
    • The source is required to fragment if the size of the datagram is larger than the MTU of the network.
    • Only the original source can fragment.

  13. Extension Headers contd…
  • Authentication Header (AH)
    • Validates the message sender and ensures the integrity of the data.
  • Encapsulating Security Payload (ESP)
    • Provides confidentiality and guards against eavesdropping.
  • Destination Options
    • Used when the source needs to pass information to the destination only.
    • Intermediate routers are not permitted access.

  14. IPv4 options and IPv6 extension headers

  15. Transition from IPv4 to IPv6

  16. Dual Stack
  • A station must run IPv4 and IPv6 simultaneously until the whole Internet uses IPv6
  • To determine which version to use when sending a packet to a destination, the source host queries the DNS
  • If the DNS returns an IPv4 address, the source host sends an IPv4 packet
  • If the DNS returns an IPv6 address, the source host sends an IPv6 packet

  17. Tunneling
  • A strategy used when two computers using IPv6 want to communicate with each other and the packet must pass through a region that uses IPv4
  • The IPv6 packet is encapsulated in an IPv4 packet when it enters the region, and it leaves its capsule when it exits the region.

  18. Header Translation
  • Necessary when the majority of the Internet has moved to IPv6 but some systems still use IPv4
  • The sender wants to use IPv6, but the receiver does not understand IPv6
  • The header format must be totally changed through header translation
  • The header of the IPv6 packet is converted to an IPv4 header
  • Uses the mapped address and some rules to translate an IPv6 address to an IPv4 address

  19. ICMPv6
  • Internet Control Message Protocol
  • Combines ICMPv4, ARP and IGMP
  • Message-oriented
  • It uses messages to report errors
  • Like version 4, ICMPv6 reports errors, handles group memberships, updates specific router and host tables, and checks the viability of a host.
  • ICMPv6 forms an error packet which is then encapsulated in an IP datagram

  20. ICMPv6 messages
  • Error messages
    • Destination unreachable, packet too big, time exceeded, parameter problem
  • Informational messages
    • Echo request & reply messages
  • Neighbour discovery messages
    • Router solicitation & advertisement messages
    • Neighbour solicitation & advertisement messages
  • Group membership messages
    • Membership query & report messages

  21. ND messages
  • Mainly used by:
    • Hosts to find routers in the neighbourhood
    • Nodes to find the link layer addresses of neighbours
    • Nodes to find IPv6 addresses of the neighbour
  • Router-solicitation message
  • Router-advertisement message
  • Neighbour-solicitation message
  • Neighbour-advertisement message

  22. IPv6 addressing
  • Unicast address
  • Anycast address
  • Multicast address
  • IPv6 does not implement a broadcast address
  • Broadcasts are replaced by multicasts and anycasts
  • However, a multicast to address ff02::1 results in a transmission to all nodes within the same local link, which is similar to an IPv4 multicast to address 224.0.0.1.

  23. Unicast & Anycast Address format
  • Unicast (one-to-one) and anycast (one-to-one-of-many) addresses are typically composed of two logical parts: a 64-bit network prefix used for routing, and a 64-bit host part used to identify a host within the network.
  • In the format shown here (the unique local address format), the network prefix is 1111 110, followed by a 1-bit flag (0 or 1) and a 40-bit random number. The 16 bits of the subnet identifier field are available to the network administrator to define subnets within the given network. The 64-bit interface identifier is either generated automatically from the interface's MAC address, obtained from a DHCPv6 server, generated randomly, or assigned manually.

  24. Multicast Address format
  • The prefix holds the binary value 1111 1111 for any multicast address. The flag field defines the group address as either permanent or transient. The scope field defines the scope of the group address.
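To make the field layouts of slides 23 and 24 concrete, here is an added Python example (not part of the original presentation) that decodes the multicast flag and scope fields, the unique local flag bit, global ID and subnet ID, and the 64-bit interface identifier; the result keys and the MULTICAST_SCOPES table are this example's own, with the scope values taken from RFC 4291.

```python
import ipaddress

# Multicast scope values from RFC 4291 section 2.7; anything else is reserved or unassigned
MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                    0x5: "site-local", 0x8: "organization-local", 0xE: "global"}

def classify_ipv6(addr):
    """Decode the address formats described on slides 23 and 24 into their fields."""
    n = int(ipaddress.IPv6Address(addr))  # also validates the textual form
    first_octet = n >> 120
    iid = n & ((1 << 64) - 1)             # low 64 bits: the interface identifier
    if first_octet == 0xFF:
        # Multicast: 8-bit prefix 1111 1111, 4-bit flags, 4-bit scope, 112-bit group id
        flags = (n >> 116) & 0xF
        scope = (n >> 112) & 0xF
        return {"type": "multicast",
                "transient": bool(flags & 0x1),  # T flag: 0 = permanent (well-known), 1 = transient
                "scope": MULTICAST_SCOPES.get(scope, "reserved"),
                "group_id": n & ((1 << 112) - 1)}
    if (first_octet & 0xFE) == 0xFC:
        # Unique local: 7-bit prefix 1111 110, 1-bit L flag, 40-bit global id,
        # 16-bit subnet id, 64-bit interface id (RFC 4193)
        return {"type": "unique-local",
                "locally_assigned": bool(first_octet & 0x1),  # L = 1 is the only defined value
                "global_id": (n >> 80) & ((1 << 40) - 1),
                "subnet_id": (n >> 64) & 0xFFFF,
                "interface_id": iid}
    if (n >> 118) == (0xFE80 >> 6):
        # Link-local: fe80::/10, meaningful only on the attached link
        return {"type": "link-local", "interface_id": iid}
    # Everything else is treated as global unicast here: a 64-bit routing prefix whose
    # low 16 bits are conventionally the subnet id, then the 64-bit interface identifier
    return {"type": "global-unicast",
            "prefix": n >> 64,
            "subnet_id": (n >> 64) & 0xFFFF,
            "interface_id": iid}
```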

  25. IPv6 notation
  • An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets).
  • The groups are separated by a colon (:).
  • A typical example of an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
  • The hexadecimal digits are case-insensitive.

  26. Compressing Zeros
  • A contiguous sequence of 16-bit blocks set to 0 in the colon hexadecimal format can be compressed to “::”, known as the double colon
  • For example, the link-local address FE80:0:0:0:2AA:FF:FE9A:4CA2 can be compressed to FE80::2AA:FF:FE9A:4CA2
  • Zero compression can only be used once in a given address
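The notation rules of slides 25 and 26 as an added Python example (not code from the original presentation): it expands an address to its eight groups, rejects a second "::", and produces the canonical compressed form; the canonical form follows the RFC 5952 rules the slides do not spell out (lowercase digits, only the longest run of two or more zero groups compressed, first run on a tie).

```python
import re

def expand_ipv6(addr):
    """Expand textual IPv6 notation into eight zero-padded 16-bit hex groups."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d" % len(groups))
    expanded = []
    for g in groups:
        if not re.fullmatch(r"[0-9a-fA-F]{1,4}", g):
            raise ValueError("bad hex group %r" % g)
        expanded.append("%04x" % int(g, 16))  # hex digits are case-insensitive
    return ":".join(expanded)

def is_valid_ipv6(addr):
    """True if the text is a valid IPv6 address in plain notation (no zone id, no embedded IPv4)."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False

def compress_ipv6(addr):
    """Canonical RFC 5952 form: leading zeros dropped, longest zero run (>= 2 groups) becomes '::'."""
    groups = [int(g, 16) for g in expand_ipv6(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:   # measure the zero run starting at i (may be empty)
            j += 1
        if j - i > best_len:              # strictly longer, so the first run wins a tie
            best_start, best_len = i, j - i
        i = j + 1
    hexg = ["%x" % g for g in groups]
    if best_len < 2:                      # a single zero group is written as "0", not "::"
        return ":".join(hexg)
    return ":".join(hexg[:best_start]) + "::" + ":".join(hexg[best_start + best_len:])
```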

  27. Address Autoconfiguration
  • A host is able to configure itself automatically, even without a stateful configuration protocol such as DHCPv6
  • Types of Autoconfiguration:
    • Stateless: configuration of addresses is based on the receipt of Router Advertisement messages
    • Stateful: configuration is based on DHCPv6 to obtain addresses and other configuration options. A host will use a stateful address configuration protocol when there are no routers present on the local link.

  28. Autoconfiguration process
  • The host first creates a link-local address for itself
  • The host then tests whether this link-local address is unique and not used by other hosts
  • If the uniqueness test passes, the host stores this address as its link-local address, but it still needs a global unicast address
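The three steps of slide 28 as an added Python example, not from the original presentation: the interface identifier is derived from the MAC address in modified EUI-64 form (the slide's FE80::2AA:FF:FE9A:4CA2 is exactly what MAC 00-AA-00-9A-4C-A2 yields), the /64 prefix for the global address is assumed to have been learned from a Router Advertisement, and the solicited-node multicast group is the one the uniqueness test (Duplicate Address Detection) sends its Neighbour Solicitation to. The MAC and prefix values are constructed samples.

```python
import ipaddress

def modified_eui64(mac):
    """Derive the 64-bit interface identifier from a 48-bit MAC (RFC 4291 Appendix A)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have 6 octets")
    # Insert ff:fe between the OUI and the device part, and invert the
    # universal/local bit (0x02 of the first octet).
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]

def join_prefix_iid(prefix, iid):
    """Place a 64-bit interface identifier after a /64 prefix; return canonical text."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a 64-bit prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))

def link_local_from_mac(mac):
    """Step 1 of slide 28: fe80::/64 plus the interface identifier."""
    return join_prefix_iid("fe80::/64", modified_eui64(mac))

def global_from_ra_prefix(prefix, mac):
    """Step 3 of slide 28: a prefix from a Router Advertisement plus the same identifier."""
    return join_prefix_iid(prefix, modified_eui64(mac))

def solicited_node_multicast(addr):
    """Group the node listens on so the uniqueness test (step 2, Duplicate Address
    Detection) can reach it: ff02::1:ffXX:XXXX with the low 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))

if __name__ == "__main__":
    sample_mac = "00-AA-00-9A-4C-A2"            # constructed sample, matches the slide 26 address
    ll = link_local_from_mac(sample_mac)
    print(ll, global_from_ra_prefix("2001:db8:1:2::/64", sample_mac), solicited_node_multicast(ll))
```

An identifier derived from the MAC exposes the hardware address in every packet and lets a host be tracked across networks, which is why current stacks default to random (RFC 4941) or stable per-network (RFC 7217) identifiers instead.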

  29. IP Security
  • IPSec is a collection of protocols designed by the IETF to provide security for a packet at the network layer
  • It helps create authenticated and confidential packets for the IP layer
  • Two modes:
    • Transport
      • does not protect the IP header; it only protects the information coming from the transport layer
    • Tunnel
      • protects the original IP header

  30. IPSec modes

  31. IPSec Protocols
  • AH and ESP
  • Authentication Header
    • designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet
    • uses a hash function and a symmetric key to create a message digest; the digest is inserted in the authentication header

  32. AH Protocol in transport mode

  33. What is a Message Digest?
  • The electronic equivalent of the document and fingerprint pair is the message and message digest pair
  • To preserve the integrity of a message, the message is passed through an algorithm called a hash function.
  • The hash function creates a compressed image of the message that can be used as a fingerprint.
  • The message digest needs to be kept secret.
  • SHA-1 (Secure Hash Algorithm 1)
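Slides 31 to 33 in code: an added Python example, not from the presentation, that builds and verifies a transport-mode AH packet with HMAC-SHA1-96 (RFC 2404), the keyed SHA-1 digest AH uses; the key, addresses and payload are constructed sample values. Because the digest covers the IPv6 header, AH zeroes the fields routers legitimately change in transit (traffic class, flow label, hop limit) before hashing, which is what lets a forwarded packet still verify.

```python
import hashlib
import hmac
import ipaddress
import struct

AH = 51        # IPv6 Next Header value for the Authentication Header
ICV_LEN = 12   # HMAC-SHA1-96: the 160-bit digest truncated to 96 bits

def ipv6_base_header(src, dst, payload_len, next_header, hop_limit):
    """40-byte IPv6 base header with traffic class and flow label set to zero."""
    first_word = 6 << 28  # version 6
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def zero_mutable_fields(hdr):
    """Traffic class, flow label and hop limit may change in transit, so the digest is
    computed with them zeroed (RFC 4302 section 3.3.3.1)."""
    version_only = struct.unpack("!I", hdr[:4])[0] & 0xF0000000
    return struct.pack("!I", version_only) + hdr[4:7] + b"\x00" + hdr[8:]

def compute_icv(key, hdr, ah_fixed, payload):
    """Keyed digest over the immutable header fields, the AH with a zeroed ICV, and the payload."""
    data = zero_mutable_fields(hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, payload, spi, seq, hop_limit=64, next_header=58):
    """Sender side (transport mode): base header, AH, then the unchanged upper-layer payload."""
    # AH fields: next header, payload len, reserved, SPI, sequence number, ICV.
    # Payload len = AH length in 32-bit words minus 2 = (12 + 12) / 4 - 2 = 4.
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)
    hdr = ipv6_base_header(src, dst, len(ah_fixed) + ICV_LEN + len(payload), AH, hop_limit)
    return hdr + ah_fixed + compute_icv(key, hdr, ah_fixed, payload) + payload

def verify_ah_packet(key, pkt):
    """Receiver side: recompute the digest and compare it in constant time."""
    hdr, rest = pkt[:40], pkt[40:]
    if len(hdr) < 40 or hdr[6] != AH or len(rest) < 12 + ICV_LEN:
        return False
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(compute_icv(key, hdr, ah_fixed, payload), icv)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # sample value; real keys come from IKE or manual keying
    pkt = build_ah_packet(key, "2001:db8::1", "2001:db8::2", b"hello", spi=0x100, seq=1)
    print(len(pkt), verify_ah_packet(key, pkt))
```

A packet whose hop limit was decremented by routers still verifies, while any change to the addresses, the AH fields or the payload, or a digest made with a different key, fails the compare_digest check.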

  34. Encapsulating Security Payload (ESP)
  • The AH protocol does not provide privacy, only source authentication and data integrity
  • ESP adds a header and a trailer
  • ESP's authentication data are added at the end of the packet
  • ESP does whatever AH does, with additional functionality (privacy)

  35. ESP Protocol in transport mode

  36. IPSec services

  37. Things to study
  • IPv4 packet, ICMPv4
  • DHCPv6, ICMPv6
  • IPv6 Routing
  • Internet Key Exchange for IPSec
  • QoS support for IPv6
  • API for IPv6
