IPv6 Presentation

INTERNET PROTOCOL, VERSION 6 (IPV6)
Presenter: Ngo Duy Kien && Pham Van Ke
Date: 07-05-2014

Transcript of IPv6 Presentation

Page 1: IPv6 Presentation

INTERNET PROTOCOL, VERSION 6 (IPV6)

Presenter: Ngo Duy Kien && Pham Van Ke
Date: 07-05-2014

Page 2: IPv6 Presentation

AGENDA
• Motivation
• IPv6 Address
• Auto-Configuration
• IPv6 packet format - functionalities
• ICMPv6
• Security
• Mobility
• IPv4-IPv6 transition
• Retrospective / QA Session

Page 4: IPv6 Presentation

FAMOUS LAST WORDS

"I think there is a world market for maybe five computers." Thomas Watson, chairman of IBM, 1943

"640K ought to be enough for anybody." Bill Gates, 1981

"32 bits should be enough address space for Internet" Vint Cerf, 1977 (Honorary Chairman of IPv6 Forum 2000)

Page 5: IPv6 Presentation

INTERNET PROTOCOL VERSION 4
Limitation of IPv4:
• Address Shortage issue
• Inconvenient System Management
• No Native Mobility Support
• No QoS guarantee
• Security issue

IPv4 header layout (bit ruler 00 to 32, one row per 32-bit word):
Version | IHL | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options | Padding
Data ...

Page 6: IPv6 Presentation

IPv4 Problems:
• Lack of class B IPv4 address space => CIDR addressing
• Circa 1,800 active Autonomous Systems inject nearly 43,000 Routable Prefixes
• Inadequate address aggregation
• Ballooning BGP databases, and Router memory exhaustion
• Increased forwarding table look up time
• Ubiquitous but simplistic

Page 7: IPv6 Presentation

IPv4 Problems:
• CIDR allowed to survive the first big crisis (92-95), but will it be able to survive the next years' growth (xDSL, mobile terminals, etc.)?
• NAT attempts to translate addresses without changing the application, but it does not really work.

[Figure: NAT diagram. Labels: Global Internet; Private addresses; NAT; hosts A and B; addresses 10.0.1.2, 10.0.1.254, 203.64.88.1, 203.64.105.1]

Page 8: IPv6 Presentation

NAT obstacles
• Breaks the End-to-End Paradigm for Security, QoS
• Kills the performance with intermediate Application Level Gateway (FTP, DNS, H.323, or SIP) and increases the delay
• Hidden Costs (i.e. keep consistency in the DNS, routers, ALG etc., Require network experts)
• Difficult to scale when more hosts are added and when allocating from a DHCP server pool with global addresses breaks the always connected mode
• Operators cannot use the standard off shelf network equipment scalability and performance analysis
• Increased vulnerability to DOS attacks

So, We definitely need IPv6!!!!

Page 9: IPv6 Presentation

IPV6 MOTIVATION

• The enormous growth of Internet.
• The Address space is running out in IPv4 (32 bits).
• Routing tables are exploding.
• The lack of security at the network layer
• Device Control – Smart Homes
• High Performance Networks
• IP Based Cellular Systems
• Connect everything over IP
• Several years of networking with TCP/IP had brought lessons and knowledge
• Lack of Mobility support
• New Applications such as Real Time Multimedia.
• Networked Entertainment - your TV will be an Internet host
• More Scalable Solution is needed

Page 11: IPv6 Presentation

IPV6 ADDRESS
• 128 bits long. Fixed size
• 2^128 = 3.4×10^38 addresses => 6.65×10^23 addresses per m^2 of earth surface
• If assigned at the rate of 10^6/s, it would take 20 years
• Allows multiple interfaces per host
• Allows multiple addresses per interface

Page 12: IPv6 Presentation

IPV6 ADDRESS
• Allows unicast, multicast, anycast
• Allows provider based, site-local, link-local
• 85% of the space is unassigned

Page 13: IPv6 Presentation

COLON-HEX NOTATION
• Dot-Decimal: 203.64.105.100
• Colon-Hex: FEDC:0000:0000:0000:3243:0000:0000:ABCD
• Can skip leading zeros of each word
• Can skip one sequence of zero words, e.g., FEDC::3243:0000:0000:ABCD
• The "::" can only appear once in an address
• The "::" can also be used to compress the leading and/or trailing zeros in an address
• Can leave the last 32 bits in dot-decimal, e.g., ::203.64.105.100
• Can specify a prefix by /length, e.g., 2345:BA23:7::/40

Page 14: IPv6 Presentation

IPV6 PREFIX ALLOCATION

Page 15: IPv6 Presentation

IPV6 ADDRESSING MODEL
• Addresses are assigned to interfaces (no change from IPv4 Model)
• Interface can have multiple addresses
• Addresses have scope: Link Local, Site Local, Global
• Addresses have lifetime: Valid and Preferred lifetime

[Figure: address scopes: Global, Site-Local, Link-Local]

Page 16: IPv6 Presentation

LOCAL-USE ADDRESS

Link Local: Not forwarded outside the link, FE80::xxx
1111 1110 10 (10 bits) | 0 (n bits) | Interface ID (118-n bits)

Site Local: Not forwarded outside the site, FEC0::xxx
1111 1110 11 (10 bits) | 0 (n bits) | Subnet ID (m bits) | Interface ID (118-n-m bits)

Page 17: IPv6 Presentation

MULTICAST ADDRESS

Layout: 1111 1111 (8 bits) | Flags (4 bits) | Scope (4 bits) | Group ID (112 bits)

Flags: 0 0 0 T
T=0 => Permanent (well-known) multicast address, T=1 => Transient

Scope: 1 Node-local, 2 Link-local, 5 Site-local, 8 Organization-local, E Global, F Reserved

Predefined: 1 => All nodes, 2 => Routers, 1:0 => DHCP Servers

Page 18: IPv6 Presentation

MULTICAST ADDRESS

Example: 43 => Network Time Protocol Servers
• FF01::43 => All NTP servers on this node
• FF02::43 => All NTP servers on this link
• FF05::43 => All NTP servers in this site
• FF08::43 => All NTP servers in this organization
• FF0E::43 => All NTP servers in the Internet
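
The multicast layout from the two slides above (8-bit prefix, 4-bit flags, 4-bit scope, 112-bit group ID), decoded in code. This is an added example, not part of the original slides; the function name `decode_multicast` and the extra sample address `ff15::1234` are assumptions made for illustration.

```python
import ipaddress

# Scope values as listed on the slide (hex nibble -> name).
SCOPES = {
    0x1: "node-local",
    0x2: "link-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
    0xF: "reserved",
}

def decode_multicast(text):
    """Split an IPv6 multicast address into flags, scope and group ID."""
    raw = int(ipaddress.IPv6Address(text))
    if raw >> 120 != 0xFF:                  # first 8 bits must be 1111 1111
        raise ValueError(f"{text} is not a multicast address")
    flags = (raw >> 116) & 0xF              # 4 bits: 0 0 0 T
    scope = (raw >> 112) & 0xF              # 4 bits
    return {
        "transient": bool(flags & 0x1),     # T=0 permanent, T=1 transient
        "scope": SCOPES.get(scope, f"unassigned (0x{scope:X})"),
        "group_id": raw & ((1 << 112) - 1), # low 112 bits
    }

if __name__ == "__main__":
    # The slide's NTP examples plus one constructed transient address.
    for sample in ("FF01::43", "FF02::43", "FF05::43", "FF08::43",
                   "FF0E::43", "ff15::1234"):
        info = decode_multicast(sample)
        kind = "transient" if info["transient"] else "permanent"
        print(f"{sample:12} {kind:9} {info['scope']:18} "
              f"group=0x{info['group_id']:X}")
```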

Page 19: IPv6 Presentation

IPV4 HEADER: 20 OCTETS + OPTIONS: 13 FIELDS, INCLUDE 3 FLAG BITS

Bit offsets marked: 0, 4, 8, 16, 24, 31
Ver | IHL | Service Type | Total Length
Identifier | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
32 bit Source Address
32 bit Destination Address
Options and Padding

[Figure legend: Removed, Changed]

Page 20: IPv6 Presentation

IPV6 HEADER: 40 OCTETS, 8 FIELDS

Bit offsets marked: 0, 4, 12, 16, 24, 31
Version | Class | Flow Label
Payload Length | Next Header | Hop Limit
128 bit Source Address
128 bit Destination Address
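
A parser for the 40-octet fixed header shown on this slide, taking the bit marks 4 and 12 as a 4-bit Version, 8-bit Class and 20-bit Flow Label. This is an added example, not part of the original slides; `parse_ipv6_header`, the `truncated` check and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

def parse_ipv6_header(packet: bytes) -> dict:
    """Decode the 40-octet fixed IPv6 header into its 8 fields."""
    if len(packet) < 40:
        raise ValueError("need at least 40 octets for the fixed IPv6 header")
    # First 32-bit word: Version | Class | Flow Label, then three short fields.
    word0, payload_len, next_header, hop_limit = struct.unpack(
        "!IHBB", packet[:8])
    version = word0 >> 28
    if version != 6:
        raise ValueError(f"version field is {version}, not 6")
    return {
        "version": version,
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        # Payload Length counts octets after the fixed header;
        # flag captures that are shorter than the header claims.
        "truncated": len(packet) - 40 < payload_len,
    }

# Constructed sample: flow label 0x12345, 8-octet payload,
# Next Header 58 (ICMPv6), Hop Limit 255.
SAMPLE_PACKET = (
    struct.pack("!IHBB", (6 << 28) | 0x12345, 8, 58, 255)
    + ipaddress.IPv6Address("fe80::1").packed
    + ipaddress.IPv6Address("ff02::1").packed
    + bytes(8)
)

if __name__ == "__main__":
    for field, value in parse_ipv6_header(SAMPLE_PACKET).items():
        print(f"{field:15} {value}")
```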

Page 21: IPv6 Presentation

Simplified IPv6 header format: (Number of fields has been reduced from 12 to 8)

ver | Prio | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address

Page 22: IPv6 Presentation

KEY IPV6 FEATURES
Redundant header options dropped:
• Type of service
• Flags
• Identification
• Fragmentation offset (IPv6 uses path MTU discovery)
• Header Checksum (most encapsulation procedures include this function, e.g. IEEE 802 MAC, PPP Framing, ATM adaptation layer)

Page 23: IPv6 Presentation

INTRODUCING IPV6

Some fields re-named:
• length => payload
• protocol type => next header
• time to live => hop limit

One field revised:
• Option mechanism (variable length field replaced by fixed length extension header)

Two fields added:
• Priority
• Flow Label

Page 25: IPv6 Presentation

BRIEF OVERVIEW
There are two auto-configuration mechanisms in IPv6:
• Stateless: SLAAC (Stateless Address Auto-Configuration), based on ICMPv6 messages (Router Solicitation and Router Advertisement)
• Stateful: DHCPv6

SLAAC is mandatory, while DHCPv6 is optional

In SLAAC, "Router Advertisements" communicate configuration information such as:
• IPv6 prefixes to use for autoconfiguration
• IPv6 routes
• Other configuration parameters (Hop Limit, MTU, etc.)

Page 26: IPv6 Presentation

SECURITY CONSIDERATIONS
By forging Router Advertisements, an attacker can perform:
• Denial of Service (DoS) attacks
• "Man in the Middle" (MITM) attacks

Possible mitigation techniques:
• Deploy SEND (SEcure Neighbor Discovery)
• Monitor Neighbor Discovery traffic (e.g., with NDPMon)
• Deploy Router Advertisement Guard (RA-Guard)
• Restrict access to the local network

Unfortunately,
• SEND is very difficult to deploy (it requires a PKI)
• ND monitoring tools can be trivially evaded
• RA-Guard can be trivially evaded
• It is not always possible to restrict access to the local network

Conclusion: the situation is not that different from that of IPv4 (actually, it's a bit worse)
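
The "monitor Neighbor Discovery traffic" mitigation, sketched as detection logic over observed Router Advertisements. This is an added example, not part of the original slides and not NDPMon's code; the record format, the router and prefix inventory, and all addresses are constructed. The Hop Limit check relies on Neighbor Discovery messages being sent with Hop Limit 255.

```python
import ipaddress

# Assumed site inventory (hypothetical values): the legitimate router's
# link-local address and MAC, and the prefixes it is expected to advertise.
KNOWN_ROUTERS = {("fe80::1", "00:00:5e:00:53:01")}
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

# Constructed sample of observed Router Advertisements, one per line.
SAMPLE_LOG = """\
src=fe80::1 mac=00:00:5e:00:53:01 hlim=255 prefix=2001:db8:1::/64
src=fe80::bad mac=00:00:5e:00:53:99 hlim=255 prefix=2001:db8:1::/64
src=FE80:0::1 mac=00:00:5E:00:53:01 hlim=255 prefix=2001:db8:666::/64
src=fe80::1 mac=00:00:5e:00:53:01 hlim=64 prefix=2001:db8:1::/64
"""

def check_ra(line):
    """Return the list of findings for one observed RA record."""
    fields = dict(item.split("=", 1) for item in line.split())
    # Parse before comparing so different spellings of one address match.
    src = str(ipaddress.IPv6Address(fields["src"]))
    mac = fields["mac"].lower()
    prefix = ipaddress.IPv6Network(fields["prefix"])
    findings = []
    if (src, mac) not in KNOWN_ROUTERS:
        findings.append("unknown-router")
    if prefix not in EXPECTED_PREFIXES:
        findings.append("unexpected-prefix")
    if int(fields["hlim"]) != 255:          # not sent from the local link
        findings.append("hop-limit-not-255")
    return findings

def scan(log):
    """Return (line number, findings) for every record that raised a finding."""
    results = []
    for number, line in enumerate(log.splitlines(), 1):
        findings = check_ra(line)
        if findings:
            results.append((number, findings))
    return results

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"record {number}: {', '.join(findings)}")
```

As the slide says, monitoring of this kind can be evaded, so its output is one signal to combine with RA-Guard and restricted access to the local network.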

Page 27: IPv6 Presentation

KEY IPV6 FEATURES
IPv6 Mandates Auto-Address Configuration:

IPv4 Configuration Process:
1) IPv4 Address
2) Default Gateway
3) Subnet Mask / Prefix Number
4) Domain Name Server and Domain Name
5) Solutions => Bootstrap (Static) & DHCP (Dynamic / Server based)

IPv6 Configuration Process:
1) Neighbor Discovery (stateless configuration)
2) DHCPv6 (stateful configuration)

Page 28: IPv6 Presentation

KEY IPV6 FEATURES
Security:

IPv4 Security Problems:
1) Denial of service attack (BGP / RIP hijacking)
2) Address spoofing
3) Use of source routing defeats address authentication

IPv6 Security:
1) Mandated at the Kernel level => IPSEC
2) Authentication Header (Default to MD5)
3) Encryption (Default to DES-CBC)
4) Security Parameter Index (Defines non-default security association)
5) Repudiation features

Page 29: IPv6 Presentation

KEY IPV6 FEATURES
IPv6 QoS Advantages:

QoS becoming an issue as real time services emerge:
1) Need for lower latency and jitter, but improved tolerance to lost packets
2) Less emphasis on re-transmission of lost data
3) More emphasis on timing relationships (time-stamping)

• 24-bit Flow Label enables identification of traffic flows
• Drop Priority field to manage conflicts
• RSVP used by routers to deal with requests

Page 30: IPv6 Presentation

WHAT IS THE REASON FOR THE LACK OF ADDRESSES
• Mobile phones require IP addresses with GPRS and UMTS technologies (a phone = at least one address)
• Need of addresses in Asia
• Ambient network

Page 31: IPv6 Presentation

Q&A