Tlcm513 ipv6
IPv6 project
IPv6 integration

  • Unicast: An identifier for a single interface. A packet sent to a unicast address is delivered to the interface identified by that address. Anycast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the "nearest" according to the routing protocols' measure of distance). Multicast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address.
  • These standards are mandatory for IPv6 and optional for IPv4.
  • Longer IPv6 addresses allow for aggregating addresses by hierarchies of network, access provider, geography, corporation, and so on. Such aggregation should make for smaller routing tables and faster table look-ups.
  • Transition Process: During the transition from IPv4 to IPv6, there will be a lengthy period when IPv6 and IPv4 must coexist. IPv4-compatible IPv6 addresses accommodate this coexistence period. Such an address consists of a 32-bit IPv4 address prefixed by 96 zeros.
  • An anycast address enables a source to specify that it wants to contact any one node from a group of nodes via a single address. A packet with such an address will be routed to the nearest interface in the group, according to the router's measure of distance. An example of the use of an anycast address is within a routing header to specify an intermediate address along a route. The anycast address could refer to the group of routers associated with a particular provider or particular subnet, thus dictating that the packet be routed through that provider or internet in the most efficient manner.
  • Multicasting is a useful capability in a number of contexts. For example, it allows hosts and routers to send neighbor discovery messages only to those machines that are registered to receive them, removing the necessity for all other machines to examine and discard irrelevant packets. As another example, most LANs provide a natural broadcast capability. A multicast address can be assigned that has a scope of link-local with a group ID configured on all nodes on the LAN to be a subnet broadcast address.
  • Address sequencing gives a lot of QoS capabilities to IPv6. For example, it could be used for provider selection (based on policy, performance, cost, etc.), mobility (best route to a current location) or re-addressing (route to a new address).
  • Each fragment packet is composed of: the unfragmentable part of the original packet, with the Payload Length of the original IPv6 header changed to contain the length of this fragment packet; a fragment header containing the header value that identifies the first header of the fragmentable part of the original packet; and finally, the fragment itself. At the destination, fragment packets are reassembled into their original, unfragmented form. An original packet is reassembled only from fragment packets that have the same source address, destination address and fragment identification.
  • Until now, the internet community has only developed application-specific security mechanisms.
  • These standards are mandatory for IPv6 and optional for IPv4.
  • IP-level security encompasses two functional areas: Authentication and Privacy. In addition, this mechanism ensures that the packet has not been altered in transit.
  • Security parameters index (32 bits): Identifies a security association. The authentication data field contents will depend on the authentication algorithm specified. Authentication using keyed MD5: RFC 1828 specifies the use of MD5 for authentication. The MD5 algorithm is performed over the IP packet plus a secret key by the source, and the result is then inserted into the IP packet. At the destination, the same calculation is performed on the IP packet plus the secret key and compared to the received value. This procedure provides both authentication and data integrity.
  • One drawback to this mode is that it is possible to do traffic analysis on the transmitted packets. Because the IP header contains the destination address and possibly source routing directives and hop-by-hop option information, it is not possible to simply transmit the encrypted IP packet prefixed by the ESP header: intermediate routers would be unable to process such a packet. Therefore, it is necessary to encapsulate the entire block (ESP header plus encrypted IP packet) with a new IP header that contains sufficient information for routing but not for traffic analysis. Whereas the transport mode is suitable for protecting connections between hosts that support the ESP feature, the tunnel mode is useful in a configuration that includes a firewall or other sort of security gateway which protects a trusted network from external networks.
  • Two approaches: Encryption before Authentication; Authentication before Encryption.

Presentation Transcript

  • Internet Protocol Version 6 (Parvin Beekharry, Pascal Chrispeels)
  • Introduction. What is wrong with IPv4? The address issue:
    - IPv6: 128-bit address = 2^96 (7.92282 × 10^28); address types: Unicast, Anycast, Multicast
    - IPv4: 32-bit address = 2^32 (4 294 967 296); Class A between 1 and 126, Class B between 128 and 191, Class C between 192 and 223
  • The header problem:
    - IPv4 Header: Version no | IHL | Type of Service | Total Length | Identification | Flags | Fragment offset | Time-to-live | Protocol | Header Checksum | Source Address (32 bits) | Destination Address (32 bits) | Options | Padding
    - IPv6 Header: Version no | Class (priority) | Flow label | Payload Length | Next Header | Hop Limit | Source Address (128 bits) | Destination Address (128 bits)
  • Major changes from IPv4 to IPv6 (improvements):
    - Expanded addressing capabilities
    - New type of addresses (unicast)
    - Header format simplification
    - Improved support of options (extension headers)
    - Authentication and privacy capabilities
  • Addressing
  • Architecture. IPv6 addresses are 128 bits long. There are 3 types of IPv6 addresses:
    - Unicast: An identifier for a single interface
    - Anycast: An identifier for a set of interfaces (typically belonging to different nodes)
    - Multicast: An identifier for a set of interfaces (typically belonging to different nodes)
  • Address Notation. 8 × (16-bit field) = 128 bits. The designers of the protocol chose to write the 128 bits as eight 16-bit integers separated by colons, each integer represented by 4 hex digits, e.g. FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
  • Address Assignments. The first field of any IPv6 address is a variable-length format prefix, which identifies various categories of addresses. Some current allocations of addresses based on the format prefix are:
    - Provider-Based Unicast Addresses: 010
    - Link Local Use Addresses: 1111 1110 10
    - Site Local Use Addresses: 1111 1110 11
    - Multicast Addresses: 1111 1111
  • Unicast. Format of an IPv6 provider-based global unicast address (TLA: Top level aggregate (provider ID); NLA: Next level aggregate (subscriber ID); SLA: Site local aggregate (subnet ID)):
    - IPv6: 010 (3 bits) | TLA (13 bits) | NLA (32 bits) | SLA (16 bits) | Interface ID (64 bits)
    - For comparison, IPv4: Network | Subnet | Interface ID (32 bits in total)
  • Special Unicast Addresses. In addition to provider-based addresses, there are 5 other kinds of unicast addresses: Unspecified addresses, Loopback addresses, IPv4-based addresses, Site local addresses, Link local addresses. E.g. IPv4-compatible IPv6 addresses consist of a 32-bit IPv4 address prefixed by 96 zeros:
    - 0.0…0.0 (96 bits) | IPv4 Address (32 bits)
  • Anycast Address. An anycast address enables a source to specify that it wants to contact any one node from a group of nodes via a single address. A packet with such an address will be routed to the nearest interface in the group, according to the router's measure of distance (hop count, cost, etc.). One particular form of anycast address is the subnet-router anycast address:
    - Subnet prefix (n bits) | 000…000 (128-n bits)
  • Multicast Address. IPv6 includes the capability to address a predefined group of interfaces with a single multicast address. A multicast address consists of an 8-bit prefix of ones, a 4-bit flag field, a 4-bit scope field and a 112-bit group ID:
    - 11111111 (8 bits) | Flgs (4 bits) | Scope (4 bits) | Group ID (112 bits)
    - Flags field = 000T. T = 0: Indicates a permanently assigned or well-known multicast address, assigned by the global internet numbering authority. T = 1: Indicates a non-permanently assigned, or transient, multicast address.
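As an added example (not from the slides), the format prefixes and field layouts above applied in Python: classify_ipv6 reads an address's category from its leading bits and pulls out the embedded IPv4 address or the multicast T flag, scope and group ID, which is what you need when sorting the addresses seen in a log. The addresses in the __main__ block are constructed samples.

```python
import ipaddress


def classify_ipv6(addr: str) -> dict:
    """Classify an IPv6 address by the format prefixes listed on the slides.

    Returns the category plus the sub-fields that matter for that category
    (embedded IPv4 address, or multicast T flag / scope / group ID).
    """
    value = int(ipaddress.IPv6Address(addr))     # 128-bit integer
    bits = format(value, "0128b")                # binary string, leading zeros kept
    if value == 0:
        return {"type": "unspecified"}
    if value == 1:
        return {"type": "loopback"}
    if bits.startswith("0" * 96):                # 96 zero bits + 32-bit IPv4 address
        return {"type": "ipv4-compatible",
                "ipv4": str(ipaddress.IPv4Address(value & 0xFFFFFFFF))}
    if bits.startswith("11111111"):              # 8 ones | flags (4) | scope (4) | group ID (112)
        flags = bits[8:12]                       # 000T: T is the low-order flag bit
        return {"type": "multicast",
                "transient": flags[3] == "1",
                "scope": int(bits[12:16], 2),
                "group_id": value & ((1 << 112) - 1)}
    if bits.startswith("1111111010"):            # link local use: 1111 1110 10
        return {"type": "link-local"}
    if bits.startswith("1111111011"):            # site local use: 1111 1110 11
        return {"type": "site-local"}
    if bits.startswith("010"):                   # provider-based unicast: 010
        return {"type": "provider-based unicast"}
    return {"type": "other/unassigned prefix"}


if __name__ == "__main__":
    # Constructed sample addresses, one per category.
    for a in ["::", "::1", "::192.0.2.1", "FE80::1", "FEC0::1", "FF02::1", "FF15::1234", "4000::1"]:
        print(a, classify_ipv6(a))
```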
  • The IPv6 protocol consists of two kinds of headers: the Basic IP Header and the Extension Header. Packet layout: Basic IP Header | Extension Header (e.g. Routing) | Data
  • Basic IP header: 4-bit Version No | 4-bit Priority No | Flow Label | Payload Length | Next Header | Hop Limit | 128-bit Source Address | 128-bit Destination Address
  • Basic IP header fields:
    - Four-bit version number: Four-bit Internet Protocol version number; in this case, 6.
    - Four-bit Priority number: Identifies the desired delivery priority of the packet. The priority values are divided into two sets. Values 0 through 7 are used to specify the priority of traffic for which the source is providing congestion control, that is, traffic that “backs off” in case of congestion (for example TCP traffic). Values 8 through 15 are used to specify the priority of traffic that does not back off in response to congestion (for example real-time packets being sent at a constant rate). For congestion-controlled traffic, the following priority values are recommended for particular application categories: 0 Uncharacterized Traffic; 1 Filler Traffic (Netnews); 2 Unattended data transfer (e-mail); 3 (Reserved); 4 Attended bulk transfer (FTP, HTTP, NFS); 5 (Reserved); 6 Interactive Traffic (Telnet); 7 Internet Control Traffic (SNMP).
    - Flow Label: A flow is a sequence of packets sent from a particular source to a particular destination for which the source desires special handling by the routers. The 24-bit flow label field in the IPv6 header may be used by a source to label those packets for which it requests special handling by the IPv6 routers. This includes non-default quality of service or “real-time” service. All packets belonging to the same flow must be sent with the same source address, same destination address and same non-zero flow label.
    - Payload Length: 16-bit field. The payload length does exactly what it says: it gives the exact length of the payload (i.e., the rest of the packet following the IPv6 header) in bytes.
    - Next Header: An 8-bit selector. The next header identifies the type of header (Extension Header) immediately following the basic IP header. It uses the same values as the IPv4 Protocol field.
    - Hop Limit: The Hop Limit is used to prevent a misrouted packet from travelling around the network forever without being discarded. It is a counter decremented by one each time the packet reaches a node. The packet is discarded when the Hop Limit reaches zero.
    - Source Address: 128-bit address of the originator of the packet.
    - Destination Address: 128-bit address of the intended recipient of the packet.
  • Example header chains:
    - Basic IP Header (Next Header value = TCP) | TCP Header + Data
    - Basic IP Header (Next Header value = Routing) | Routing Extension Header (Next Header value = TCP) | TCP Header + Data
    In IPv6, optional information is encoded in one or more separate headers that are placed between the Basic IP Header and the payload. There are multiple Extension headers. Each one is identified by a unique value in the Next Header field of the Basic IP Header or of the preceding Extension header. The improvement compared with IPv4 is that Extension Headers can be of arbitrary length. The total amount of options carried in a packet is not limited and can even be fragmented. IPv6 packets may carry zero, one or multiple Extension headers.
  • Extension header. There are six different Extension headers:
    - Hop-by-Hop header
    - Routing header
    - Fragment header
    - Destination header
    - Authentication header
    - Encapsulating Security Payload header
  • Hop-by-Hop header. The hop-by-hop option handles every special option which requires hop-by-hop processing. For example, the PadN option will be inserted in the Hop-by-Hop header when needed (the PadN option is used to insert two or more bytes of padding; padding a packet consists of adding one or two bits to it so that the final bit count is 8 or a multiple of 8).
  • Routing header. Identified by a Next Header value of 43, the Routing Header is used by IPv6 to list one or more intermediate nodes to “go through” on the way to the packet's destination. This new technique is called address sequencing. Suppose that address sequences are written as a list of individual addresses separated by commas, like the one below:
    - SRC, I1, I2, I3, DST
    The first address is the source, the last is the destination and the middle addresses are intermediate nodes.
  • Address Sequencing. Assume that H1's and H2's sites are both connected to providers P1 and P2. A third, wireless provider, PR, is connected to both. The simplest case (no use of address sequences) is when H1 wants to send a packet to H2 containing the addresses:
    - H1, H2
    When H2 replies it reverses the addresses and constructs a packet containing the addresses:
    - H2, H1
    In this example either provider could be used, and H1 and H2 would not be able to select which provider traffic would be sent to and received from. If H1 decides that it wants to enforce a policy that all communications from/to H2 can only use provider P1, it would construct a packet containing the address sequence:
    - H1, P1, H2
    This ensures that when H2 replies to H1, it will reverse the route and the reply would also travel over P1. The addresses in H2's reply would look like:
    - H2, P1, H1
    If H1 became mobile and moved to provider PR, it could maintain communication with H2 (without breaking any transport connections) by sending packets that contain the address sequence:
    - H1, PR, P1, H2
    This would ensure that when H2 replies, it would enforce H1's policy of exclusive use of provider P1 and send the packet to H1's new location on provider PR. The reversed address sequence would be:
    - H2, P1, PR, H1
  • Fragment Header. The fragment option is used by an IPv6 source to send a packet larger than would fit in the path to its destination. In order to send a packet that is too large, a source node may divide the packet into fragments and send each fragment as a separate packet, to be reassembled at the receiver's end.
  • Fragment Header. The initial packet is referred to as the original packet and consists of two parts: the unfragmentable part and the fragmentable part. The unfragmentable part consists of the IPv6 header plus any extension headers that must be processed by nodes along the path to the destination. The fragmentable part is made of the rest of the packet, that is, any extension header that only needs to be processed by the final destination.
    - Original packet: Unfragmentable Part | Fragmentable Part
    - Fragment packets: Unfragmentable Part | Fragment Header | First Fragment; Unfragmentable Part | Fragment Header | Second Fragment; ...
  • Destination Header. The destination option is used to carry optional information that needs to be examined only by a packet's destination node. This header is identified by a Next Header value of 60. Different actions will be available in the destination header but have yet to be defined.
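As an added example (not from the slides), a Python walker for the header chain described in the sections above: it decodes the basic header, follows the Next Header values through the Routing (43), Fragment (44), Destination (60), Hop-by-Hop (0), AH (51) and ESP (50) headers, and stops at the upper-layer protocol, which is exactly the walk a firewall or IDS must do before it can see the TCP header. It uses the slides' RFC 1883 bit layout for the first 32 bits (current RFC 8200 splits them as version(4) / traffic class(8) / flow label(20)); the packet it parses is constructed in build_sample_packet, not captured.

```python
import struct
import ipaddress

EXT = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH", 60: "Destination"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}

def parse_basic_header(pkt: bytes) -> dict:
    """Decode the 40-byte basic header: version(4) | priority(4) | flow label(24) per the
    slides (RFC 1883); RFC 8200 uses version(4) | traffic class(8) | flow label(20)."""
    if len(pkt) < 40:
        raise ValueError("packet shorter than the basic IPv6 header")
    first, plen, nxt, hop = struct.unpack("!IHBB", pkt[:8])
    return {"version": first >> 28, "priority": (first >> 24) & 0xF,
            "flow_label": first & 0xFFFFFF, "payload_length": plen,
            "next_header": nxt, "hop_limit": hop,
            "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40]))}

def walk_extension_headers(pkt: bytes):
    """Follow the Next Header chain to the upper-layer protocol.
    Returns (basic header, extension header list, upper-layer name, offset of that header)."""
    base = parse_basic_header(pkt)
    nxt, off, chain = base["next_header"], 40, []
    while nxt in EXT:
        name = EXT[nxt]
        if off + 8 > len(pkt):
            raise ValueError(f"truncated {name} header at offset {off}")
        if name == "ESP":                        # the rest of the packet is encrypted: stop here
            chain.append({"type": name, "spi": struct.unpack("!I", pkt[off:off + 4])[0]})
            return base, chain, "ESP", off
        if name == "Fragment":                   # fixed 8 bytes
            size = 8
        elif name == "AH":                       # length field counts 32-bit words, minus 2
            size = (pkt[off + 1] + 2) * 4
        else:                                    # length field counts 8-byte units, minus the first
            size = (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):                # reject rather than read past the buffer
            raise ValueError(f"truncated {name} header at offset {off}")
        entry = {"type": name}
        if name == "Fragment":                   # offset(13) | reserved(2) | M(1), then identification
            frag, ident = struct.unpack("!HI", pkt[off + 2:off + 8])
            entry.update(offset=frag >> 3, more=bool(frag & 1), id=ident)
        elif name == "AH":
            entry["spi"] = struct.unpack("!I", pkt[off + 4:off + 8])[0]
        elif name == "Routing":                  # type 0: segments left, then 16-byte addresses
            entry["segments_left"] = pkt[off + 3]
            entry["addresses"] = [str(ipaddress.IPv6Address(pkt[i:i + 16]))
                                  for i in range(off + 8, off + size, 16)]
        chain.append(entry)
        nxt, off = pkt[off], off + size
    return base, chain, UPPER.get(nxt, str(nxt)), off

def build_sample_packet() -> bytes:
    """Constructed sample (not a capture): IPv6 | Routing (one hop) | Fragment | TCP."""
    src, dst, hop = (ipaddress.IPv6Address(a).packed for a in ("2001:db8::1", "2001:db8::2", "2001:db8::aa"))
    frag = struct.pack("!BBHI", 6, 0, 1, 0xABCD)            # next=TCP, offset 0, M=1, identification
    routing = struct.pack("!BBBBI", 44, 2, 0, 1, 0) + hop   # next=Fragment, len=2, type 0, 1 segment left
    payload = routing + frag + b"\x00" * 20                 # 20 zero bytes stand in for a TCP header
    first = (6 << 28) | 1                                   # version 6, priority 0, flow label 1
    return struct.pack("!IHBB", first, len(payload), 43, 64) + src + dst + payload
```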
  • IPv6 Security
  • Security. Application-specific security mechanisms exist, e.g.: Secure HTTP and Secure Socket Layer for web access; SNMPv2 security for network management; Privacy Enhanced Mail and PGP for electronic mail. However, the security concerns that cut across protocol layers still have to be addressed. Solution: by implementing security at the IP level, an organization can ensure secure networking not only for applications that have security mechanisms but also for the many security-ignorant applications.
  • IETF standards:
    - RFC 1825: An overview of a security architecture
    - RFC 1826: Description of a packet authentication extension to IP
    - RFC 1828: A specific authentication mechanism
    - RFC 1827: Description of a packet encryption extension to IP
    - RFC 1829: A specific encryption mechanism
  • IP-level security. Authentication: The authentication mechanism ensures that a received packet was in fact transmitted by the party identified as the source in the packet header. Privacy: The privacy facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties. The security features are implemented as extension headers that follow the main IP header. The extension header for authentication is known as the authentication header; that for privacy, the encapsulating security payload (ESP) header.
  • Security Association. A security association is uniquely identified by an internet destination address and a security parameter index (SPI). Hence, in any IP packet, the security association is uniquely identified by the destination address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (authentication header, AH, or ESP header). Example of an authenticated and encrypted packet:
    - IPv6 Header | Routing Header | AH | ESP Header | TCP Header + Data
  • Authentication. The authentication header provides support for data integrity and authentication of IP packets. The AH consists of the following fields:
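As an added example (not from the slides), the keyed-hash procedure behind the authentication header, built and verified in Python. It assumes the RFC 1826 AH field layout (Next Header, Length, Reserved, SPI, Authentication Data) placed directly after the basic header, substitutes HMAC-SHA256 for the obsolete keyed MD5 of RFC 1828 (the sender/receiver procedure is the same), and zeroes the Hop Limit before hashing because every router changes it; the key, addresses and payload are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

AH = 51          # Next Header value of the authentication header
ICV_LEN = 16     # bytes of authentication data carried (RFC 1828 keyed MD5 also carried 16)

def basic_header(next_header: int, payload_len: int, hop_limit: int, src: str, dst: str) -> bytes:
    """40-byte basic header in the slides' (RFC 1883) layout: version 6, priority 0, flow label 0."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def ah_icv(key: bytes, pkt: bytes) -> bytes:
    """Authentication data over the whole packet, with the field that legitimately changes
    in transit (Hop Limit) and the authentication data field itself set to zero.
    HMAC-SHA256 stands in here for the RFC 1828 keyed MD5 the slides describe."""
    buf = bytearray(pkt)
    buf[7] = 0                                        # Hop Limit: every router decrements it
    buf[48:48 + ICV_LEN] = b"\x00" * ICV_LEN          # AH starts at offset 40; its data field at 48
    return hmac.new(key, bytes(buf), hashlib.sha256).digest()[:ICV_LEN]

def build_authenticated_packet(key: bytes, spi: int, src: str, dst: str, upper: bytes, proto: int = 6) -> bytes:
    """Sender side: IPv6 | AH (next header, length in 32-bit words, reserved, SPI, auth data) | upper data."""
    ah = struct.pack("!BBHI", proto, ICV_LEN // 4, 0, spi) + b"\x00" * ICV_LEN
    pkt = basic_header(AH, len(ah) + len(upper), 64, src, dst) + ah + upper
    return pkt[:48] + ah_icv(key, pkt) + pkt[48 + ICV_LEN:]

def verify_authenticated_packet(key: bytes, pkt: bytes) -> bool:
    """Receiver side: recompute over the received packet and compare in constant time."""
    if len(pkt) < 48 + ICV_LEN or pkt[6] != AH:
        return False
    return hmac.compare_digest(pkt[48:48 + ICV_LEN], ah_icv(key, pkt))

def forward_one_hop(pkt: bytes) -> bytes:
    """Simulate a router on the path: decrement Hop Limit and touch nothing else."""
    b = bytearray(pkt)
    b[7] -= 1
    return bytes(b)

def corrupt_byte(pkt: bytes, index: int) -> bytes:
    """Flip one byte, to show that any in-transit modification fails verification."""
    b = bytearray(pkt)
    b[index] ^= 0xFF
    return bytes(b)
```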
  • ESP. The AH does not transform data. When confidentiality is desired, the ESP header should be used. This header is always the last one in the chain of IPv6 extension headers. Format of the ESP header:
    - 32-bit SPI | 32-bit Sequence number | Encrypted Data & Parameters | Authentication Data
  • ESP. The use of ESP provides support for privacy and data integrity for IP packets. ESP can operate in two different modes:
    - Transport-mode ESP encrypts either a TCP, UDP or ICMP segment
    - Tunnel-mode ESP encrypts an entire IP packet
  • ESP. Transport-mode operation provides privacy for any application that uses it, thus avoiding the need to implement privacy in every individual application. Tunnel-mode ESP: Tunnel-mode ESP is used to encrypt an entire IP packet. For this mode, the ESP header is prefixed to the packet, and then the packet plus a trailing portion of the ESP header is encrypted. This method can be used to counter traffic analysis.
  • Authentication plus Privacy. The two IP security mechanisms can be combined in order to transmit an IP packet that has both privacy and authentication. Encryption before Authentication: The entire transmitted IP packet is authenticated, including both encrypted and unencrypted parts. Authentication before Encryption: The AH is placed inside the inner IP packet; this inner packet is both authenticated and protected by the privacy mechanism.
  • Authentication plus Privacy