Study and report on the security provisions within the IP version 6 protocol and compare these to IP version 4. Study the relevant RFC standards and the current state of IPv6 implementation. Which security problems of IPv4 is IPv6 likely to resolve? Report on your technical investigation and on the impact of any security issues on the likelihood of IPv6 adoption. Suitable for 2 students willing to collaborate, on condition that they are willing to experiment with the use of IPv6 between 2 different operating systems.
The current Internet protocol, IPv4, is running out of address space and can no longer accommodate the growth in connected nodes or the requirements of newer applications. IPv4 uses 32-bit addresses, which gives 4,294,967,296 (2^32) addresses in total, about 4.3 billion. Internet Protocol version 6 (IPv6) is the new version of the protocol, intended to replace IPv4. It introduces several new features, which are described in the sections below.
Compared with IPv4, IPv6 is the more capable and sophisticated protocol, but the two are not directly compatible: an IPv6-only node cannot exchange packets with an IPv4-only node without a transition mechanism such as dual-stack operation, tunnelling or translation.
IPv4 was the first widely deployed version of the Internet Protocol and predates IPv6. It has been standardised since 1981.
HISTORY OF INTERNET PROTOCOL
IPv4 began operating in the 1970s, roughly thirty years before this report. Initially it was not governed by any formal standard; in 1981 RFC 791 was published and became the standard that defines the functionality of IPv4.
http://ipv6.com/articles/general/timeline-of-ipv6.htm
SECURITY CONCERN WITH INTERNET PROTOCOL 4 (IPV4)
IPv4 needs to be considered before IPv6 is explained in full, because IPv4 has a number of security problems at present. IPv4 is the addressing scheme used to identify devices end to end on the Internet. It has been in use for about thirty years and is still the most widely deployed version of the protocol. Because so many networks use IPv4, problems have appeared in several areas; the most pressing is that the IPv4 address space is running out, which is what motivated the introduction of IPv6. IPv6 was designed to solve most of the issues IPv4 has. With the Internet used by millions of people, it has become hard to provide adequate security in IPv4 in areas such as:
Denial of service
Distribution of malicious code
Man in the middle
Shortage of address space
Fragmentation
Internet protocol spoofing
Connection hijacking
For the reasons above, IPv6 was designed with mechanisms that address the security problems facing IPv4. One of them is IPsec, which provides authentication and encryption of IP traffic between communicating nodes. Network address translation (NAT) and network address port translation (NAPT), by contrast, were introduced to slow the exhaustion of the IPv4 address space; they are not security features, and because they rewrite addresses and ports they interfere with end-to-end IPsec in IPv4.
IPV6
Internet Protocol version 6 (IPv6) is the new version of the protocol and is gradually replacing IPv4. Like IPv4, IPv6 is connectionless: no session is set up before packets are sent, so delivery is best-effort and is not guaranteed. Acknowledging packets and recovering those that are lost is the job of a higher-layer protocol, TCP. TCP/IP is the Internet's communication protocol suite, and it provides a reliable connection between two devices when TCP is used above IP. The IPv6 specification was defined in RFC 2460 (since superseded by RFC 8200). It defines the fixed header format, the extension headers, and the rules by which they are processed. An IPv6 packet consists of the following:
IPv6 header: the fixed 40-byte header, which among other fields carries the destination address, the source address and the hop limit
IPv6 payload: zero or more extension headers followed by the upper-layer data
Below is a brief definition of the components of the header
The destination address is the final destination to which the packet is being sent.
The source address is the originator of the packet.
The hop limit is the maximum number of links (hops) an IPv6 packet may cross. Each router that forwards the packet decrements it by one, and a router that decrements it to zero discards the packet. It replaces the IPv4 time-to-live field.
The fixed header carries only the minimum information needed for two nodes to interact. Extension headers, which follow it, carry additional instructions for the routers along the path or for the receiving host. An IPv6 packet may carry zero, one or several extension headers, chained together by the next-header field, and each is present only when the corresponding processing is needed.
Routers process only the fixed header (and the hop-by-hop options header, when present), which keeps forwarding efficient; the cost is that a firewall has to walk the whole extension-header chain before it finds the transport header it filters on. The extension-header mechanism is also what IPv6 mobility is built on: a mobile node can change its point of attachment, and hence its current address, without losing the sessions it has established, because its home address is carried in an extension header. Below are the header layouts of IPv6 and IPv4 for basic comparison.
IPV6 HEADER (40 bytes, fixed)
Version (4 bits)
Traffic class (8 bits)
Flow label (20 bits)
Payload length (16 bits)
Next header (8 bits)
Hop limit (8 bits)
Source address (128 bits)
Destination address (128 bits)
IPV4 HEADER (20 bytes minimum)
[diagram not reproduced; the IPv4 fields are listed in the table below]
The IPv6 fixed header (40 bytes) is only twice the size of the minimum IPv4 header (20 bytes), even though the addresses are four times as long (128 bits against 32 bits), because several IPv4 fields were removed or moved into extension headers (Blanchet, p. 46).
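As an added example (not part of the original report), the following Python decodes the fixed header described above and walks the extension-header chain by following the next-header field, which is what a router or firewall has to do before it reaches the transport header. The packet bytes are constructed by hand for the demonstration, the addresses are from the 2001:db8::/32 documentation range, and the protocol numbers are the IANA-assigned ones.

```python
"""Parse an IPv6 fixed header and walk its extension-header chain (RFC 2460).

Added example; the sample packet below is constructed, not captured traffic.
"""
import struct
import ipaddress

# Next Header values (IANA protocol numbers)
HOP_BY_HOP = 0
TCP = 6
ROUTING = 43
FRAGMENT = 44
ESP = 50
AH = 51
NO_NEXT_HEADER = 59
DEST_OPTS = 60

# Extension headers whose length is encoded as (hdr_ext_len + 1) * 8 octets
_EXT_WITH_LEN = {HOP_BY_HOP, ROUTING, DEST_OPTS}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-byte IPv6 fixed header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version={version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def walk_headers(pkt: bytes) -> list:
    """Return (protocol_number, offset) for every header in the chain, ending
    with the upper-layer protocol. Stops at AH/ESP: ESP hides the rest of the
    chain and an AH must pass its ICV check before its contents are trusted."""
    hdr = parse_fixed_header(pkt)
    chain = [(41, 0)]  # 41 is the protocol number of IPv6 itself
    nh, off = hdr["next_header"], 40
    end = 40 + hdr["payload_length"]
    while True:
        chain.append((nh, off))
        if nh in _EXT_WITH_LEN:
            if off + 2 > end:
                raise ValueError("truncated extension header")
            nh, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8
        elif nh == FRAGMENT:
            # Fragment header is always 8 octets: next, reserved, offset/flags, id
            nh = pkt[off]
            off += 8
        else:
            return chain  # upper layer, AH/ESP, or No Next Header


def _build_packet() -> bytes:
    """Constructed sample: IPv6 + Hop-by-Hop (one PadN option) + Fragment + TCP stub."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    tcp_stub = bytes(20)
    frag = struct.pack("!BBHI", TCP, 0, 0, 0xDEADBEEF)          # next=TCP, offset 0, M=0
    hbh = struct.pack("!BB", FRAGMENT, 0) + bytes([1, 4, 0, 0, 0, 0])  # hdr_ext_len 0 => 8 octets
    payload = hbh + frag + tcp_stub
    first_word = (6 << 28) | (0 << 20) | 0x12345              # version 6, TC 0, flow label
    fixed = struct.pack("!IHBB", first_word, len(payload), HOP_BY_HOP, 64) + src + dst
    return fixed + payload


SAMPLE = _build_packet()

if __name__ == "__main__":
    print(parse_fixed_header(SAMPLE))
    print(walk_headers(SAMPLE))
```

The chain returned for the sample is IPv6 (41) at offset 0, Hop-by-Hop (0) at 40, Fragment (44) at 48 and TCP (6) at 56; a filter that only looked at the fixed header would see "next header 0" and never reach the TCP ports.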
HEADER FIELDS IN IPV6 AND IPV4

Field               | Size in IPv4 (bits) | IPv4                              | IPv6
--------------------|---------------------|-----------------------------------|------------------------------------------------------------
Version             | 4                   | Value 4                           | Same 4-bit field, value 6
Header length (IHL) | 4                   | Header length in 32-bit words     | Removed; the fixed header is always 40 bytes
Type of service     | 8                   | Available in IPv4                 | Renamed "traffic class" (8 bits)
Flow label          | -                   | Not present                       | New 20-bit field identifying a flow (used for QoS)
Total length        | 16                  | Length of the whole datagram      | Replaced by "payload length", which excludes the 40-byte fixed header
Identification      | 16                  | Fragment ID                       | Moved to the Fragment extension header
Flags               | 3                   | Fragmentation flags               | Moved to the Fragment extension header
Fragment offset     | 13                  | Offset of this fragment           | Moved to the Fragment extension header
Time to live        | 8                   | Decremented by one at each hop    | Renamed "hop limit", same behaviour
Protocol            | 8                   | Identifies the transport protocol | Renamed "next header"; also chains the extension headers
Header checksum     | 16                  | Header checksum                   | Removed; link-layer and transport checksums (over an IPv6 pseudo-header) are relied on instead
Source address      | 32                  | IPv4 address                      | 128-bit IPv6 address
Destination address | 32                  | IPv4 address                      | 128-bit IPv6 address
Options             | variable            | Options after the fixed header    | Replaced by extension headers
Source: Blanchet, M. (2004). Migrating to IPv6: a practical guide for mobile and fixed networks. New York: John Wiley & Sons, p. 45.
IPV6 FEATURES
Being the successor to IPv4, IPv6 keeps the IPv4 functions that worked well and replaces those that did not. RFC 1752 (Blanchet, p. 30) set out the requirements the new protocol had to meet, and new features were added to improve the functionality of the Internet Protocol. Below are some of the features of IPv6.
LARGE ADDRESS SPACE
IPv6 addresses are 128 bits long, against 32 bits in IPv4. Every node can therefore be given a globally reachable address, which removes the need for network address translation.
With 128-bit addresses, 2^128 addresses can be defined, which works out at 655,570,793,348,866,943,898,599 (about 6.6 x 10^23) "addresses for every square metre of the earth's surface" (Davies, p. 9).
EXTENTION HEADER
Options in IPv6 are implemented as extension headers, each of which indicates how it is to be processed. Routers do not have to examine most extension headers (only the hop-by-hop options header is processed by every router on the path), which improves forwarding performance, and new headers can be defined without changing the IPv6 implementation itself (Blanchet, p. 31).
QUALITY OF SERVICE (QOS)
This feature allows certain packets to be given priority so that they reach their destination in time. The flow label field of the IPv6 header was introduced for this purpose: packets belonging to the same flow can be identified by routers without inspecting the transport layer. For example, streaming video and a text transfer need different treatment in the network.
COMPULSORY IP SECURITY
IPsec is a set of security protocols whose implementation is mandatory in IPv6 nodes (RFC 4294), whereas support in IPv4 is optional. It can secure all traffic between two nodes end to end, provided the required keys and security associations are in place. It should be noted that "mandatory" means mandatory to implement, not mandatory to use: IPv6 traffic is neither encrypted nor authenticated unless IPsec has actually been configured, and the later node-requirements document (RFC 6434) relaxed the requirement from MUST to SHOULD. Even so, having IPsec available in every node makes IPv6 better placed than IPv4 when it comes to security.
AUTOMATIC CONFIGURATION
Based on the prefix advertised by a router in a Router Advertisement, a node forms its own IPv6 address by appending an interface identifier, derived from its media access control (MAC) address, to the advertised prefix. This works with or without a Dynamic Host Configuration Protocol (DHCP) server, so any device on the network can configure itself automatically by exchanging Neighbour Discovery messages with the other devices, with no manual intervention.
PRIVACY ADDRESES
Privacy extensions (RFC 3041) let a node generate temporary addresses with random interface identifiers, so that an address derived from the MAC address cannot be used to track the same device, and its traffic, across networks and over time.
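The following Python is an added example (not code from the original report) of the two address-formation methods described in the last two sections: the modified EUI-64 interface identifier derived from a MAC address, and a random temporary identifier in the spirit of RFC 3041. The MAC address and prefixes are constructed sample values, and the random identifier is drawn from the operating system's CSPRNG rather than the MD5-based history RFC 3041 specifies. The mac_from_eui64 helper shows the tracking problem: the same MAC is recoverable from the address under every prefix.

```python
"""Stateless address autoconfiguration (modified EUI-64) beside a privacy address.

Added example; MAC and prefixes are constructed sample values.
"""
import ipaddress
import secrets
from typing import Optional


def modified_eui64(mac: str) -> bytes:
    """Expand a 48-bit MAC to a 64-bit interface identifier: insert FF:FE in
    the middle and flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02                      # toggle the U/L bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as advertised in a Router Advertisement) with a 64-bit IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit interface identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def temporary_iid() -> bytes:
    """Random 64-bit IID with the U/L bit cleared (locally administered), so the
    address cannot be linked back to the hardware address."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= ~0x02 & 0xFF
    return bytes(iid)


def mac_from_eui64(iid: bytes) -> Optional[str]:
    """Recover the MAC from a modified-EUI-64 IID, or None if it is not one.
    This is exactly the inference an observer can make about MAC-derived addresses."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1c:42:9a:7b:01"                     # constructed sample MAC
    iid = modified_eui64(mac)
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):
        addr = slaac_address(prefix, iid)
        print(prefix, addr, "-> MAC", mac_from_eui64(iid))
    print("temporary:", slaac_address("2001:db8:1::/64", temporary_iid()))
```

With the sample MAC the EUI-64 address under 2001:db8:1::/64 is 2001:db8:1:0:21c:42ff:fe9a:7b01, and the same low 64 bits reappear under 2001:db8:2::/64; the temporary address shares nothing with the hardware address.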
IPSEC
IPsec is the security architecture defined in RFC 2401 (now RFC 4301) for both IPv4 and IPv6, and it is commonly used to build virtual private networks (VPNs). It provides its services through two headers, the Authentication Header (AH) and the Encapsulating Security Payload (ESP). IPsec operates at the network layer of the OSI model, so it protects any application traffic above it, such as web browsing or file downloads, without the applications themselves being changed. AH and ESP can be used alone or together, depending on the protection required. Each of the two headers can be used in two modes:
Transport mode
Tunnel mode
http://ipv6.com/articles/general/timeline-of-ipv6.htm
IPV6 SECURITY
The IPv6 specification, RFC 2460, treats the IPsec headers as extension headers of the packet; the security architecture itself is defined in RFC 2401 (now RFC 4301). IPsec consists of the two headers named below:
AUTHENTICATION HEADER (AH)
ENCAPSULATING SECURITY PAYLOAD (ESP)
Other components of the IPsec security framework are:
Security association
Key management
AUTHENTICATION HEADER (AH) (http://docs.hp.com/en/J4255-90011/ch04s03.html)
The Authentication Header provides integrity and data-origin authentication for IP packets, and optionally protection against replays. When it is in use, packet spoofing and any modification of the fields it covers are detected. It does not provide confidentiality: the payload remains readable by anyone on the path.
IPv6 Authentication Header format:
Next header (8 bits)
Payload length (8 bits)
Reserved (16 bits)
Security parameter index (32 bits)
Sequence number (32 bits)
Authentication data / ICV (variable length, a multiple of 32 bits; 96 bits for HMAC-SHA1-96)
The fields of the Authentication Header are:
Next header (8 bits): identifies the header that immediately follows the AH (for example TCP, or an ESP header).
Payload length (8 bits): the length of the AH itself in 32-bit words, minus 2 (so a 24-byte AH carrying a 96-bit ICV has the value 4). Despite the name, it is not the length of the IP payload.
Reserved (16 bits): set to zero.
Security parameter index (32 bits): together with the destination address and the protocol, identifies the security association to use.
Sequence number (32 bits): a monotonically increasing counter used for anti-replay protection.
Authentication data: the integrity check value (ICV), computed over the immutable fields of the IP header, the AH with this field set to zero, and the upper-layer payload.
The Authentication Header sits between the IPv6 header (and any extension headers that precede it) and the upper-layer payload. It has a fixed 12-byte (96-bit) part followed by the variable-length ICV; in IPv6 the whole header must be a multiple of 8 bytes. The fixed part consists of:
Next header (8 bits)
Payload length (8 bits)
Reserved (16 bits)
Security parameter index (32 bits)
Sequence number (32 bits)
ENCAPSULATING SECURITY PAYLOAD (ESP) HEADER
http://www.networksorcery.com/enp/protocol/esp.htm
As already explained, ESP can be used on its own or combined with AH, and it provides the following security services:
Confidentiality
Data integrity
Data-origin authentication
Limited traffic-flow confidentiality (in tunnel mode)
Anti-replay protection
It should be noted that ESP's integrity protection covers only the ESP header and the (encrypted) payload, so the fields of the outer IP header are not protected by ESP authentication. To protect the IP header fields as well, the original packet has to be encapsulated in tunnel mode, where the inner IP header becomes part of the protected payload.
Below are brief explanations of the fields in ESP:
Security parameter index: a 32-bit value that identifies the security association.
Sequence number: as described for the Authentication Header; its main purpose is anti-replay protection.
Payload data: the protected data, which is encrypted. In tunnel mode this is a complete IP packet; in transport mode it is the upper-layer data.
Padding: block ciphers require the plaintext to be a multiple of the block size, so padding is placed immediately after the payload data, before the pad length field.
Pad length: the number of padding bytes immediately preceding this field.
Next header: identifies the type of data in the payload data field, i.e. the first header in the payload; for example TCP, or an IPv6 header in tunnel mode.
Authentication data: a variable-length field containing the integrity check value (ICV), computed over the ESP packet minus the authentication data field itself.
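To make the two layouts concrete, the following Python is an added example (not code from the original report) that builds and verifies an AH packet and an ESP packet in IPv6 transport mode. It uses HMAC-SHA1-96 (RFC 2404) for the ICV and, for ESP, the NULL cipher (RFC 2410) so that everything runs on the standard library; a real ESP SA would encrypt the payload with a cipher such as AES. The key, SPIs, addresses and payload are constructed sample values. The tamper checks at the end show the coverage difference described above: AH detects a change to the destination address but ignores the mutable hop limit, while ESP in transport mode does not notice a change to the outer IP header at all.

```python
"""Build and verify IPsec AH and ESP packets in IPv6 transport mode.

Added example. ICV is HMAC-SHA1-96 (RFC 2404); ESP uses the NULL cipher
(RFC 2410). Key, SPIs, addresses and payload are constructed sample values.
"""
import hmac
import hashlib
import struct
import ipaddress

AH, ESP, TCP = 51, 50, 6
ICV_LEN = 12                       # HMAC-SHA1-96 truncates the 20-byte tag to 96 bits
KEY = bytes.fromhex("0b" * 20)     # constructed sample key
PAYLOAD = b"GET / HTTP/1.1\r\n"    # stands in for the upper-layer (TCP) data


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ipv6_header(next_header: int, payload_len: int, hop_limit: int = 64) -> bytes:
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit) + src + dst


def _ah_immutable_view(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """AH integrity covers the IPv6 header with mutable fields zeroed (traffic
    class, flow label, hop limit), the AH with its ICV zeroed, and the payload."""
    payload_len, next_hdr = struct.unpack("!HB", ip_hdr[4:7])
    fixed = struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, 0)
    return fixed + ip_hdr[8:40] + ah_fixed[:12] + bytes(ICV_LEN) + payload


def build_ah(key: bytes, spi: int, seq: int, payload: bytes, next_header: int = TCP) -> bytes:
    plen_words = (12 + ICV_LEN) // 4 - 2          # AH "payload length" field
    ah_fixed = struct.pack("!BBHII", next_header, plen_words, 0, spi, seq)
    ip_hdr = ipv6_header(AH, len(ah_fixed) + ICV_LEN + len(payload))
    tag = icv(key, _ah_immutable_view(ip_hdr, ah_fixed, payload))
    return ip_hdr + ah_fixed + tag + payload


def verify_ah(key: bytes, pkt: bytes) -> dict:
    ip_hdr = pkt[:40]
    if ip_hdr[6] != AH:
        raise ValueError("next header is not AH")
    ah_fixed = pkt[40:52]
    next_header, plen_words, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_total = (plen_words + 2) * 4
    tag, payload = pkt[52:40 + ah_total], pkt[40 + ah_total:]
    ok = hmac.compare_digest(tag, icv(key, _ah_immutable_view(ip_hdr, ah_fixed, payload)))
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload, "valid": ok}


def build_esp(key: bytes, spi: int, seq: int, payload: bytes, next_header: int = TCP) -> bytes:
    # NULL cipher has no block size, but the trailer must still be 4-byte aligned
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))                      # default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    tag = icv(key, body)                                        # ICV covers SPI .. next header only
    return ipv6_header(ESP, len(body) + ICV_LEN) + body + tag


def verify_esp(key: bytes, pkt: bytes) -> dict:
    if pkt[6] != ESP:
        raise ValueError("next header is not ESP")
    body, tag = pkt[40:-ICV_LEN], pkt[-ICV_LEN:]
    ok = hmac.compare_digest(tag, icv(key, body))
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]                  # NULL cipher: "decryption" is identity
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload, "valid": ok}


def tamper(pkt: bytes, offset: int, value: int) -> bytes:
    """Overwrite one byte, simulating an on-path modification."""
    return pkt[:offset] + bytes([value]) + pkt[offset + 1:]


if __name__ == "__main__":
    ah = build_ah(KEY, 0x100, 1, PAYLOAD)
    esp = build_esp(KEY, 0x200, 1, PAYLOAD)
    print("AH ok:", verify_ah(KEY, ah)["valid"], "dst changed:", verify_ah(KEY, tamper(ah, 39, 0x99))["valid"])
    print("ESP ok:", verify_esp(KEY, esp)["valid"], "dst changed:", verify_esp(KEY, tamper(esp, 39, 0x99))["valid"])
```

Byte 39 is the last byte of the destination address and byte 7 is the hop limit; the AH payload is returned in clear because AH never encrypts.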
SECURITY ASSOCIATION
A security association (SA) is a one-way relationship between a sender and a receiver that defines the security services applied to the traffic carried over it. It is the fundamental concept behind the authentication and confidentiality mechanisms of IPsec. Because an SA is unidirectional, a two-way secure exchange requires two security associations, one in each direction. An SA is identified by the following parameters:
Security parameter index
IP destination address: only unicast addresses are supported for this purpose
Security protocol identifier: indicates whether the association is for the Authentication Header or for the Encapsulating Security Payload
http://www.securitydocs.com/library/2757
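The following Python is an added example (not code from the original report) of what a receiver does with the parameters above: it looks up the inbound SA by (SPI, destination address, protocol) and then applies the anti-replay sliding window that the AH and ESP sequence numbers exist for (RFC 4302/4303 section 3.4.3, minimum window of 64). The SA entries and the arriving sequence numbers are constructed; the ICV check is represented by a flag, since this block is about the replay logic rather than the cryptography.

```python
"""Inbound SA lookup and anti-replay window (RFC 4302/4303 section 3.4.3).

Added example; SAD entries and packet sequence are constructed.
"""
import ipaddress

AH, ESP = 51, 50
WINDOW = 64                      # minimum window size required by RFC 4302/4303


class AntiReplayWindow:
    """Bitmap over the `size` sequence numbers ending at the highest one accepted."""

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0             # highest sequence number accepted so far
        self.bitmap = 0          # bit i set => sequence number (top - i) was received

    def allowed(self, seq: int) -> bool:
        """Pure check, done before the ICV is verified; no state change."""
        if seq == 0:
            return False         # first packet on an SA carries sequence number 1
        if seq > self.top:
            return True          # right of the window: new packet
        diff = self.top - seq
        if diff >= self.size:
            return False         # left of the window: too old
        return not (self.bitmap >> diff) & 1   # inside the window: replay if bit set

    def mark(self, seq: int) -> None:
        """Record `seq`; only called after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & self.mask) | 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class SecurityAssociationDatabase:
    """Inbound SAD keyed on (SPI, destination address, protocol), as the report
    describes for RFC 2401; RFC 4301 permits lookup on the SPI alone."""

    def __init__(self):
        self._sad = {}

    def add(self, spi: int, dst: str, proto: int, key: bytes) -> None:
        entry = {"key": key, "replay": AntiReplayWindow()}
        self._sad[(spi, ipaddress.ip_address(dst), proto)] = entry

    def lookup(self, spi: int, dst: str, proto: int):
        return self._sad.get((spi, ipaddress.ip_address(dst), proto))


def process_inbound(sad: SecurityAssociationDatabase, spi: int, dst: str,
                    proto: int, seq: int, icv_ok: bool = True) -> str:
    """Receiver-side order of checks: SA lookup, replay window, ICV, then update."""
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "drop: no SA"
    if not sa["replay"].allowed(seq):
        return "drop: replay"
    if not icv_ok:               # stands in for verify_ah / verify_esp
        return "drop: bad ICV"
    sa["replay"].mark(seq)
    return "accept"


if __name__ == "__main__":
    sad = SecurityAssociationDatabase()
    sad.add(0x1000, "2001:db8::2", ESP, b"constructed-key")
    for seq in (1, 3, 2, 2, 100, 36, 37):
        print(seq, process_inbound(sad, 0x1000, "2001:db8::2", ESP, seq))
```

Sequence 2 is accepted out of order but rejected when it arrives again; after 100 slides the window, 36 falls outside it (100 - 36 = 64) and is dropped even though it was never seen, while 37 is still inside and accepted.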
KEY MANAGEMENT
APPLICATION OF IPV6
http://www.cu.ipv6tf.org/literatura/chap8.pdf
AH and ESP are strong IPsec tools for protecting communication across local area networks, private networks and the public Internet. The next section explains how AH and ESP are used in VPNs for secure communication.
VIRTUAL PRIVATE NETWORKS (VPN)
Most companies now connect their networks together over the Internet, whereas in the past most organisations kept their networks separate from each other. Organisations base their business on using the Internet to communicate between networks because it is an inexpensive and efficient means of communication. Securing that communication has become a major challenge for individuals and organisations, because packets travelling across the Internet are not protected by default. This is why organisations and individuals became interested in a means of sending data across the Internet so that nobody other than the genuine source and the genuine destination can read it.
To secure such a connection, a VPN is created. A VPN (virtual private network) connects two private networks through a public network, usually the Internet. It provides a secure link in a cost-efficient way, so that anyone sending information over it can be assured that it is protected and genuine. Creating a VPN in IPv6 has become a well-recognised and straightforward practice because the Authentication Header and the Encapsulating Security Payload are available in every IPv6 node, which is not the case in IPv4.
Take TCP as an example. Assume that a TCP connection between two hosts, host 1 and host 2, is to be protected only against manipulation of the data between network 1 (host 1) and network 2 (host 2), and that the privacy of the data is not a consideration. As the diagram shows, there are two routers, R1 and R2, which act as the firewalls of the two networks. In such a case, the Authentication Header alone is insufficient against an eavesdropper. When R1 receives a packet from host 1, it adds an Authentication Header before sending the packet on to R2. When R2 receives the packet, it checks the integrity and authenticity of the packet using the data in the Authentication Header. If the check succeeds, the outer IP header and the Authentication Header are removed and the original packet is delivered to its destination.
The point of the example is that when only the Authentication Header is used to implement a VPN, an attacker on the path cannot modify a packet or inject a forged packet into the TCP connection without being detected, but can still read the contents of every packet, because AH authenticates the data without encrypting it. Note also that only the link between R1 and R2 is protected; inside network 1 and network 2 the packets travel unprotected.
http://www.amaranten.com/support/user%20guide/VPN/VPN_Overview/Overview.htm
http://ipv6.com/articles/security/Virtual-Private-Network.htm
http://my.safaribooksonline.com/book/networking/security/9781587058387/ipsec-and-ssl-virtual-private-networks/ch08lev1sec5#X2ludGVybmFsX0ZsYXNoUmVhZGVyP3htbGlkPTk3ODE1ODcwNTgzODcvMjYy
REQUEST FOR COMMENTS (RFC) IPV6 STANDARDS
There are RFC standards governing IPv6 communication and authentication. Some of the important ones are listed below.
RFC 2460
This standard is the IPv6 specification (since superseded by RFC 8200). The features it covers include:
Large, scalable 128-bit address space, extending the available space for both unicast and multicast addresses (the address architecture itself is in RFC 4291).
Quality of service improvement through the flow label field.
Extension headers, which allow extra protocols to be attached to an IPv6 packet, so that IPsec and Mobile IPv6 headers can be added to the packet easily.
RFC 4301, 4302, 4303 (formerly RFC 2401, 2402, 2406) and others
These standards define the IPsec security architecture, the Authentication Header and the Encapsulating Security Payload.
RFC 2461, 2462 and others
Standards in this range support Neighbour Discovery and stateless address autoconfiguration using link-local addresses.
RFC 2463
This standard defines the Internet Control Message Protocol for IPv6 (ICMPv6).
RFC 3041, 3972
RFC 3041 defines privacy extensions for addresses, and RFC 3972 defines cryptographically generated addresses, which bind an address to a public key so that messages can be signed and authenticated.
http://ipv6.com/articles/general/timeline-of-ipv6.htm
Below are some other important IPv6 RFCs:
RFC 2401: overview of the IPsec security architecture (obsoleted by RFC 4301)
RFC 2402: describes the Authentication Header for both IPv4 and IPv6 packets (obsoleted by RFC 4302)
RFC 2403: specifies the use of HMAC-MD5-96 as an authentication algorithm within ESP and AH (key management itself is handled by IKE, RFC 2409)
RFC 4294: IPv6 node requirements, published in 2006
References
1. Rivkin, A. (2007). IPv6 Security. http://e-articles.info/e/a/title/IPv6-Security/
2. Rivkin, A. (2007). General IPv6 Security Concepts. http://e-articles.info/e/a/title/General-IPv6-Security-Concepts/
3. Microsoft. Security features for IPv6. http://technet.microsoft.com/en-us/library/cc775898(WS.10).aspx
4. http://www.6net.org/events/workshop-2003/marin.pdf
5. Sotillo, S. IPv6 Security Issues. http://www.infosecwriters.com/text_resources/pdf/IPv6_SSotillo.pdf
6. Security features of IPv6. http://www.cu.ipv6tf.org/literatura/chap8.pdf
7. http://en.wikipedia.org/wiki/IPv6
8. http://tools.ietf.org/html/rfc2460
9. http://www.answers.com/topic/list-of-ipv4-protocol-numbers
10. http://www.isoc.org/briefings/004/isocbriefing04.pdf
11. http://www.networkdictionary.com/networking/IPv6vsIPv4.php
12. http://mirrors.bieringer.de/www.deepspace6.net/docs/overview.html
13. http://www.networksorcery.com/enp/protocol/ah.htm
14. http://www.broadband-forum.org/technical/download/TR-187.pdf
15. http://media.techtarget.com/searchNetworking/downloads/IPv4_or_IPv6.pdf
16. http://www.cs.princeton.edu/~mef/research/napt/reports/usenix98/index.html
17. http://mirrors.bieringer.de/www.deepspace6.net/docs/overview.html#id2865600
18. http://technet.microsoft.com/en-us/library/bb726956.aspx#EGAA
19. http://technet.microsoft.com/en-us/network/bb530961
20. http://www.sans.org/reading_room/whitepapers/protocols/security-features-ipv6_380
21. http://www.securitydocs.com/library/2757