2. Introduction
What is wrong with IPv4?
The address issue:
IPv6: 128 bit address = 2^96 (7.92282 × 10^28)
  Unicast
  Anycast
  Multicast
IPv4: 32 bit address = 2^32 (4 294 967 296)
  Class A between 1 and 126
  Class B between 128 and 191
  Class C between 192 and 223
3. The header problem:
IPv4 Header:
  Version no | IHL | Type of Service | Total Length
  Identification | Flags | Fragment offset
  Time-to-live | Protocol | Header Checksum
  Source Address (32 bits)
  Destination Address (32 bits)
  Options | Padding
IPv6 Header:
  Version no | Class (priority) | Flow label
  Payload Length | Next Header | Hop Limit
  Source Address (128 bits)
  Destination Address (128 bits)
Headers
4. Major changes from IPv4 to IPv6:
Expanded addressing capabilities
New type of addresses (unicast)
Header format simplification
Improved support for options (extension headers)
Authentication and privacy capabilities
Improvements
6. Architecture
IPv6 addresses are 128 bits long
There are 3 types of IPv6 addresses:
Unicast: An identifier for a single interface
Anycast: An identifier for a set of interfaces
(typically belonging to different nodes)
Multicast: An identifier for a set of interfaces
(typically belonging to different nodes)
7. Address Notation
8 * (16 bit field) = 128 bits
The designers of the protocol chose to write the 128 bits as eight 16-bit integers separated by colons; each integer is represented by 4 hex digits, e.g.:
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
8. Address Assignments
The first field of any IPv6 address is a variable-length format prefix, which identifies various categories of addresses. Some current allocations of addresses based on the format prefix are:
Provider-Based Unicast Address: 010
Link Local Use Addresses: 1111 1110 10
Site Local Use Addresses: 1111 1110 11
Multicast Addresses: 1111 1111
9. Unicast
Format of an IPv6 Provider-based global Unicast address:
TLA: Top level aggregate (provider ID)
NLA: Next level aggregate (subscriber ID)
SLA: Site local aggregate (subnet ID)
IPv6:  010 | TLA | NLA | SLA | Interface ID
bits:   3  | 13  | 32  | 16  | 64
IPv4:  Network | Subnet | Interface ID   (32 bits)
10. Special Unicast Addresses.
In addition to provider based addresses, there
are 5 other unicast addresses:
Unspecified addresses
Loopback addresses
IPv4 -based addresses
Site local addresses
Link local addresses
E.g. IPv4-Compatible IPv6 addresses consist of a 32-bit IPv4 address prefixed by 96 zeroes.
Bits:   96                 | 32
        0.0 ......... 0.0  | IPv4 Address
11. Anycast Address
An anycast address enables a source to specify
that it wants to contact any one node from a group
of nodes via a single address. A packet with such
an address will be routed to the nearest interface
in the group, according to the router's measure of
distance (hop count, cost, etc.).
One particular form of anycast address is the
subnet-router anycast address
Bits:   n             | 128-n
        Subnet prefix | 000 .......... 000
12. Multicast Address
IPv6 includes the capability to address a predefined
group of interfaces with a single multicast address.
A multicast address consists of an 8-bit prefix of ones, a
4-bit flag field, a 4-bit scope field and a 112-bit group ID.
Flags:
T = 0: Indicates a permanently assigned or well-known multicast
address, assigned by the global internet numbering authority
T = 1: Indicates a nonpermanently-assigned, or transient, multicast
address
Bits:   8        | 4     | 4     | 112
        11111111 | Flags | Scope | Group ID
Flags:  000T
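As an added example (not part of the slides), the following Python decodes and builds addresses in the forms described on slides 7 to 12: the eight-field colon-hex notation, the format-prefix categories of slide 8, the unspecified, loopback and IPv4-compatible forms of slide 10, the subnet-router anycast of slide 11 and the flags/scope/group ID split of slide 12. The standard library's ipaddress module does the textual parsing; every sample address is constructed (2001:DB8::/32 is the documentation prefix). The slide-8 prefixes are the early allocation the deck describes, since superseded (provider-based and site-local addresses are no longer used), so the classifier reflects that plan, not today's unicast allocation.

```python
import ipaddress

def to_int(text):
    """Parse the colon-hex textual form into a 128-bit integer (stdlib does the parsing)."""
    return int(ipaddress.IPv6Address(text))

def to_text(value):
    """Slide 7: write a 128-bit integer as eight 16-bit fields of four hex digits, colon-separated."""
    if not 0 <= value < (1 << 128):
        raise ValueError("not a 128-bit value")
    fields = [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]
    return ":".join(f"{f:04X}" for f in fields)

# Format prefixes exactly as listed on slide 8 (the early allocation, since superseded).
FORMAT_PREFIXES = [
    ("Provider-Based Unicast", "010"),
    ("Link Local Use", "1111111010"),
    ("Site Local Use", "1111111011"),
    ("Multicast", "11111111"),
]

def classify(text):
    """Name the slide-8 category whose format prefix matches the leading bits, else None."""
    bits = f"{to_int(text):0128b}"
    for name, prefix in FORMAT_PREFIXES:
        if bits.startswith(prefix):
            return name
    return None

def special_unicast(text):
    """Recognise three of the special unicast forms of slide 10."""
    value = to_int(text)
    if value == 0:
        return "Unspecified"
    if value == 1:
        return "Loopback"
    if value >> 32 == 0:            # 96 zero bits followed by a 32-bit IPv4 address
        return "IPv4-compatible"
    return None

def ipv4_compatible(dotted):
    """Build the IPv4-compatible IPv6 address: 96 zero bits, then the 32-bit IPv4 address."""
    return to_text(int(ipaddress.IPv4Address(dotted)))

def subnet_router_anycast(prefix_text, n):
    """Slide 11: the subnet prefix in the top n bits, the remaining 128-n bits all zero."""
    if not 0 < n <= 128:
        raise ValueError("prefix length out of range")
    mask = ((1 << n) - 1) << (128 - n)
    return to_text(to_int(prefix_text) & mask)

def multicast_fields(text):
    """Slide 12: split 11111111 | flags (4) | scope (4) | group ID (112); T is the low flag bit."""
    value = to_int(text)
    if value >> 120 != 0xFF:
        raise ValueError("not a multicast address")
    flags = (value >> 116) & 0xF
    return {
        "transient": bool(flags & 0x1),     # T = 1 transient, T = 0 permanently assigned
        "scope": (value >> 112) & 0xF,
        "group_id": value & ((1 << 112) - 1),
    }

if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ("FEDC:BA98:7654:3210:FEDC:BA98:7654:3210", "FE80::1", "FEC0::1", "FF02::1", "::1"):
        print(to_text(to_int(addr)), classify(addr), special_unicast(addr))
    print(ipv4_compatible("192.0.2.1"))
    print(subnet_router_anycast("2001:DB8:1234:5678:ABCD::", 64))
    print(multicast_fields("FF02::1"))
```

The classifier works on the binary string of the full address so the prefixes can be written exactly as the slide gives them; a production implementation would compare masked integers instead, but the bit-string form makes the correspondence with slide 8 obvious.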
13. The IPv6 protocol consists of two headers:
The Basic IP Header
The Extension Header.
Basic IP Header | Extension Header (Routing) | Data
14. Basic IP header
Version no | Class (priority) | Flow label
Payload Length | Next Header | Hop Limit
Source Address 128 bits
Destination Address 128 bits
Field widths:
4 bit Version No | 4 bit Priority No | Flow Label | Payload Length | Next Header | Hop Limit | 128 bit Source | 128 bit Destination
15. Basic IP header (continued)
Four bit version number: the Internet Protocol version number. In this case it is 6.
Four bit Priority number: Identifies the desired delivery priority of the packet. The priority values are divided into two sets. Values 0 through 7 are used to specify the priority of traffic for which the source is providing congestion control, that is, traffic that “backs off” in case of congestion (for example TCP traffic). Values 8 through 15 are used to specify the priority of traffic that does not back off in response to congestion (for example real-time packets being sent at a constant rate).
For congestion-controlled traffic, the following priority values are recommended for particular application categories:
0 Uncharacterized Traffic
1 Filler Traffic (Netnews)
2 Unattended data transfer (e-mail)
3 (Reserved)
4 Attended bulk transfer (FTP, HTTP, NFS)
5 (Reserved)
6 Interactive Traffic (Telnet)
7 Internet Control Traffic (SNMP)
Flow Label: A flow is a sequence of packets sent from a particular source to a particular destination for which the source desires special handling by the routers. The 24 bit flow label field in the IPv6 header may be used by a source to label those packets for which it requests special handling by the IPv6 routers. This includes non-default quality of service or “real-time” service. All packets belonging to the same flow must be sent with the same source address, same destination address and same non-zero flow label.
Payload Length: 16 bit field. The payload length gives the exact length of the payload (i.e. the rest of the packet following the IPv6 header) in bytes.
Next Header: An 8 bit selector. The next header identifies the type of header (Extension Header) immediately following the basic IP Header. It uses the same values as the IPv4 Protocol field.
Hop Limit: The Hop Limit is used to prevent a misrouted packet from travelling around the network forever without being discarded. It is a counter decremented by one each time the packet passes through a node. The packet is discarded when the Hop Limit reaches zero.
Source Address: 128 bit address of the originator of the packet.
Destination address: 128 bit address of the
intended recipient of the packet.
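The field descriptions above, as an added example that is not part of the slides: a Python encoder and parser for the 40-byte basic header with the version/priority/flow label split the slides use (4 + 4 + 24 bits), plus the hop-limit step a router performs. The sample packet, addresses and payload are constructed. One caveat for anyone parsing live traffic: the layout on these slides is the original one; the current specification (RFC 8200) splits the same 32-bit word as version (4), Traffic Class (8) and Flow Label (20), so a real-world parser must use that split instead.

```python
import ipaddress
import struct
from dataclasses import dataclass

HEADER_LEN = 40
FMT = "!IHBB16s16s"   # first 32-bit word | payload length | next header | hop limit | src | dst

@dataclass
class BasicHeader:
    version: int
    priority: int        # 4 bits on the slides (an 8-bit Traffic Class in RFC 8200)
    flow_label: int      # 24 bits on the slides (20 bits in RFC 8200)
    payload_length: int
    next_header: int
    hop_limit: int
    src: bytes
    dst: bytes

    def pack(self):
        if not (0 <= self.priority < 16 and 0 <= self.flow_label < (1 << 24)):
            raise ValueError("priority is 4 bits, flow label is 24 bits")
        word = (self.version << 28) | (self.priority << 24) | self.flow_label
        return struct.pack(FMT, word, self.payload_length, self.next_header,
                           self.hop_limit, self.src, self.dst)

def parse_basic_header(data):
    """Decode the fixed 40-byte header, refusing anything the length fields do not support."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet")
    word, plen, nh, hop, src, dst = struct.unpack(FMT, data[:HEADER_LEN])
    version = word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    if len(data) < HEADER_LEN + plen:
        raise ValueError("payload length exceeds buffer")   # never trust the length field
    return BasicHeader(version, (word >> 24) & 0xF, word & 0xFFFFFF, plen, nh, hop, src, dst)

def backs_off(hdr):
    """Slide 15: priorities 0-7 are congestion-controlled traffic, 8-15 do not back off."""
    return hdr.priority <= 7

def forward(data):
    """One router hop: decrement Hop Limit and return the packet, or None once it would reach zero."""
    hdr = parse_basic_header(data)
    if hdr.hop_limit <= 1:
        return None                      # discarded rather than circulating forever
    hdr.hop_limit -= 1
    return hdr.pack() + data[HEADER_LEN:HEADER_LEN + hdr.payload_length]

SAMPLE_PAYLOAD = b"constructed TCP segment"

def build_sample():
    """Constructed packet: priority 4 (attended bulk transfer), Next Header 6 (TCP), 64 hops."""
    hdr = BasicHeader(6, 4, 0xABCDE, len(SAMPLE_PAYLOAD), 6, 64,
                      ipaddress.IPv6Address("2001:db8::1").packed,
                      ipaddress.IPv6Address("2001:db8::2").packed)
    return hdr.pack() + SAMPLE_PAYLOAD

if __name__ == "__main__":
    pkt = build_sample()
    print(parse_basic_header(pkt))
    print(parse_basic_header(forward(pkt)).hop_limit)
```

The parser checks the version nibble and the payload length against the buffer before returning anything; both are common places for a hand-written decoder to read past the end of a short or crafted packet.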
16. Basic IP Header
Basic IP Header (Next Header value = TCP) | TCP Header + Data
Basic IP Header (Next Header value = Routing) | Extension Header = Routing (Next Header value = TCP) | TCP Header + Data
In IPv6, optional information is encoded in one or more separate headers that are placed between the Basic IP Header and the Payload. There are multiple Extension headers. Each one is identified by a unique value in the Next Header field of the Basic IP Header or of the preceding Extension header. The improvement compared to IPv4 is that Extension Headers can be of arbitrary length. The total amount of options carried in a packet is not limited and can even be fragmented. IPv6 packets may carry zero, one or multiple Extension headers.
17. Extension header
There are six different Extension headers:
Hop by Hop header
Routing header
Fragment header
Destination header
Authentication header
Encapsulating Security (ESP) header
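Slides 16 and 17 describe a chain of headers linked by Next Header values; the following Python, added here and not part of the slides, walks such a chain defensively. The Next Header values are the IANA ones (0 Hop-by-Hop, 43 Routing, 44 Fragment, 50 ESP, 51 AH, 60 Destination; the slides themselves give 43 and 60), and the sample packet, its all-zero addresses and its PadN filler options are constructed. Since each header type encodes its length differently, the walker computes the size per type, bounds every read against the buffer, stops at ESP (the inner Next Header is inside the encrypted trailer) and refuses chains longer than a fixed cap, because arbitrarily long chains are exactly what a filter-evasion or resource-exhaustion packet relies on.

```python
import struct

HOP_BY_HOP, TCP, ROUTING, FRAGMENT, ESP, AH, DESTINATION = 0, 6, 43, 44, 50, 51, 60
EXTENSION = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DESTINATION}
MAX_EXTENSION_HEADERS = 8     # constructed limit: very long chains are a known DoS/evasion pattern

def basic_header(next_header, payload_len, hop_limit=64):
    """Constructed 40-byte basic header (version 6, zero priority/flow label and addresses)."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit, bytes(16), bytes(16))

def extension_length(kind, first_two):
    """Octets occupied by the extension header whose first two bytes are given; formats differ."""
    if kind in (HOP_BY_HOP, ROUTING, DESTINATION):
        return (first_two[1] + 1) * 8       # Hdr Ext Len: 8-octet units, not counting the first 8
    if kind == FRAGMENT:
        return 8                             # fixed size
    if kind == AH:
        return (first_two[1] + 2) * 4        # Payload Len: 4-octet units minus 2
    raise ValueError("not a sized extension header")

def walk_chain(packet):
    """Follow Next Header from the basic header; return [(value, offset), ...] ending with the
    upper-layer header, or with ESP, whose inner Next Header sits in its encrypted trailer."""
    if len(packet) < 40:
        raise ValueError("short packet")
    kind, offset, chain = packet[6], 40, []
    while kind in EXTENSION:
        if len(chain) >= MAX_EXTENSION_HEADERS:
            raise ValueError("extension header chain too long")
        chain.append((kind, offset))
        if kind == ESP:
            return chain
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        length = extension_length(kind, packet[offset:offset + 2])
        if offset + length > len(packet):
            raise ValueError("extension header runs past the end of the packet")
        kind, offset = packet[offset], offset + length
    chain.append((kind, offset))
    return chain

def build_sample():
    """Constructed chain: Hop-by-Hop (with a PadN option) -> Fragment -> Destination -> TCP."""
    hop_by_hop = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])      # next=44, len 0; option type 1 (PadN), 4 bytes
    fragment = bytes([DESTINATION, 0]) + struct.pack("!HI", 0, 0x1234)   # next=60, offset 0, M=0, id
    destination = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])           # next=6, len 0, PadN again
    payload = b"constructed TCP segment"
    ext = hop_by_hop + fragment + destination
    return basic_header(HOP_BY_HOP, len(ext) + len(payload)) + ext + payload

if __name__ == "__main__":
    for value, offset in walk_chain(build_sample()):
        print(value, offset)
```

A packet filter that needs the transport header (to match a port, say) has to do exactly this walk, and the two failure modes worth testing are a chain that is cut off by the end of the packet and one that is simply too long to be reasonable.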
18. Hop by Hop header
The hop-by-hop option handles every special option which requires hop-by-hop processing.
For example, the PadN option is inserted in the Hop-by-Hop header when needed. The PadN option is used to insert two or more bytes of padding; padding a packet means adding one or two bits to it so that its final bit count is 8 or a multiple of 8.
19. Routing header
Identified by a Next Header value of 43, the Routing Header is used by IPv6 to list one or more intermediate nodes to “go through” on the way to the packet’s destination. This new technique is called address sequencing.
Suppose that address sequences are shown as a list of individual addresses separated by commas, like the one below.
SRC, I1, I2, I3, DST
The first Address is the source, the last is the destination
and the middle addresses are intermediate nodes.
20. Address Sequencing
Assume that H1 and H2’s sites are both connected to providers P1 and P2. A third wireless provider, PR, is connected to both.
        P1
H1      PR      H2
        P2
The simplest case (no use of address sequences) is when H1 wants to
send a packet to H2 containing the addresses:
H1, H2
When H2 replies it reverses the addresses and constructs a packet containing the addresses:
H2, H1
In this example either provider could be used, and H1 and H2 would not be able to select which provider traffic would be sent and received through. If H1 decides that it wants to enforce a policy that all communications from/to H2 can only use provider P1, it would construct a packet containing the address sequence:
H1, P1, H2
This ensures that when H2 replies to H1, it will reverse the route and
the reply would also travel over P1. The addresses in H2’s reply
would look like:
H2, P1, H1
If H1 became mobile and moved to provider PR, it could maintain
(not breaking any transport connections) communication with H2, by
sending packets that contain the address sequence:
H1, PR, P1, H2
This would ensure that when H2 replies, it would enforce H1’s policy of exclusive use of provider P1 and send the packet to H1’s new location on provider PR. The reversed address sequence would be:
H2, P1, PR, H1
21. Fragment Header
The Fragment option is used by an IPv6 source to send a packet larger than would fit in the path to its destination. In order to send a packet that is too large, a source node may divide the packet into fragments and send each fragment as a separate packet, to be reassembled at the receiver.
22. Fragment Header
The initial packet is referred to as the original packet and consists of two parts: the unfragmentable part and the fragmentable part.
The unfragmentable part consists of the IPv6 header plus any extension headers that must be processed by nodes along the path to the destination.
The fragmentable part is made up of the rest of the packet, that is, any extension header that only needs to be processed by the final destination.
Original packet:   Unfragmentable Part | Fragmentable Part
Fragment packets:  Unfragmentable Part | Fragment Header | First Fragment
                   Unfragmentable Part | Fragment Header | Second Fragment
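Slides 21 and 22 and the reassembly note at the end of the deck describe the fragment packet layout; the following Python, added here and not part of the slides, fragments a constructed 500-byte fragmentable part and reassembles it keyed by (source, destination, identification). The unfragmentable part is taken to be just the 40-byte basic header (an assumption; a real sender would also carry Hop-by-Hop and Routing headers there), the fragment header format is next header (8) | reserved (8) | fragment offset (13, in 8-octet units) | reserved (2) | M flag (1) | identification (32), and addresses and identification are constructed. On the receiving side the reassembler rejects overlapping fragments outright, as RFC 5722 requires, since overlap is the basis of the classic fragment-based evasion tricks, and bounds the reassembled size.

```python
import struct

FRAGMENT, TCP = 44, 6
FRAGMENT_HDR_LEN = 8
MAX_REASSEMBLED = 65535          # largest payload a 16-bit Payload Length can describe

def make_basic_header(next_header, payload_len, hop_limit=64):
    """Constructed 40-byte basic header (version 6, zero priority/flow label, documentation addresses)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit, src, dst)

def fragment(basic_header, next_header, fragmentable, max_payload, ident):
    """Slide 22 / notes: each fragment packet = unfragmentable part (here just the basic header,
    with Payload Length rewritten and Next Header set to 44) + fragment header + one piece."""
    step = (max_payload - FRAGMENT_HDR_LEN) // 8 * 8     # every piece but the last is a multiple of 8
    if step <= 0:
        raise ValueError("max_payload leaves no room for data")
    packets = []
    for offset in range(0, len(fragmentable), step):
        piece = fragmentable[offset:offset + step]
        more = 1 if offset + step < len(fragmentable) else 0
        fhdr = struct.pack("!BBHI", next_header, 0, ((offset // 8) << 3) | more, ident)
        hdr = bytearray(basic_header)
        hdr[4:6] = struct.pack("!H", FRAGMENT_HDR_LEN + len(piece))
        hdr[6] = FRAGMENT
        packets.append(bytes(hdr) + fhdr + piece)
    return packets

class Reassembler:
    """Reassembles by (source, destination, identification), as the notes describe."""

    def __init__(self):
        self.buffers = {}

    def add(self, packet):
        """Consume one fragment packet; return the reassembled packet once complete, else None."""
        if len(packet) < 48 or packet[6] != FRAGMENT:
            raise ValueError("not a fragment packet with the fragment header first")
        src, dst = packet[8:24], packet[24:40]
        nh, _, off_flags, ident = struct.unpack("!BBHI", packet[40:48])
        offset, more, piece = (off_flags >> 3) * 8, off_flags & 1, packet[48:]
        key = (src, dst, ident)
        state = self.buffers.setdefault(key, {"pieces": {}, "total": None, "next": nh})
        # Overlapping fragments are a classic evasion trick: drop the whole datagram (RFC 5722).
        for o, p in state["pieces"].items():
            if offset < o + len(p) and o < offset + len(piece):
                del self.buffers[key]
                raise ValueError("overlapping fragment; reassembly abandoned")
        if offset + len(piece) > MAX_REASSEMBLED:
            del self.buffers[key]
            raise ValueError("reassembled packet would exceed 65535 bytes")
        state["pieces"][offset] = piece
        if not more:
            state["total"] = offset + len(piece)
        if state["total"] is None:
            return None
        pos = 0                                   # complete only when the pieces tile [0, total)
        for o in sorted(state["pieces"]):
            if o != pos:
                return None
            pos += len(state["pieces"][o])
        if pos != state["total"]:
            return None
        data = b"".join(state["pieces"][o] for o in sorted(state["pieces"]))
        del self.buffers[key]
        out = bytearray(packet[:40])
        out[4:6] = struct.pack("!H", len(data))     # restore the original Payload Length
        out[6] = state["next"]                      # and the first header of the fragmentable part
        return bytes(out) + data

SAMPLE_DATA = bytes(range(100)) * 5                  # constructed 500-byte fragmentable part

if __name__ == "__main__":
    header = make_basic_header(TCP, len(SAMPLE_DATA))
    r = Reassembler()
    for p in reversed(fragment(header, TCP, SAMPLE_DATA, 128, 0xBEEF)):
        done = r.add(p)
    print(done == header + SAMPLE_DATA)
```

Fragments are fed back in reverse order on purpose: reassembly must not depend on arrival order, and the buffer for a datagram should disappear as soon as it completes (or is abandoned) so that a flood of never-completed fragments cannot hold memory indefinitely; a production implementation would add a timer for that.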
23. Destination Header
The destination option is used to carry optional information that needs to be examined only by a packet’s destination node. This header is identified by a Next Header value of 60.
Different actions will be available in the destination header
but have yet to be defined.
25. Security
Application-specific security mechanisms, e.g.:
secure HTTP and Secure Socket Layer for web access,
SNMPv2 security for network management,
Privacy Enhanced Mail and PGP for electronic mail.
However, the security concern that cuts across protocol layers still has to be addressed.
Solution: By implementing security at the IP level,
an organization can ensure secure networking not
only for applications that have security mechanisms
but for the many security-ignorant applications.
26. IETF standards
RFC 1825: An overview of a security architecture
RFC 1826: Description of a packet authentication extension to IP
RFC 1828: A specific authentication mechanism
RFC 1827: Description of a packet encryption extension to IP
RFC 1829: A specific encryption mechanism
27. IP level security
Authentication: The authentication mechanism
ensures that a received packet was in fact
transmitted by the party identified as the source
in the packet header.
Privacy: The privacy facility enables
communicating nodes to encrypt messages to
prevent eavesdropping by third parties.
The security features are implemented as extension
headers that follow the main IP header. The
extension header for authentication is known as
the authentication header; that for privacy, the
encapsulating security payload (ESP) header.
28. Security Association
A security association is uniquely identified by an
internet destination address and a security
parameter index (SPI). Hence, in any IP packet,
the security association is uniquely identified by
the destination address in the IPv4 or IPv6 header
and the SPI in the enclosed extension header
(authentication header, AH, or ESP header).
Ex. Authenticated & Encrypted packet:
IPv6 Header | Routing Header | AH | ESP Header | TCP Header + Data
30. ESP
The AH header does not transform data. When
confidentiality is desired, the ESP header should be
used. This Header is always the last one in the
chain of IPv6 extension headers.
Format of the ESP header:
32-bit SPI
32-bit Sequence number
Encrypted Data & Parameters
Authentication Data
31. ESP
The use of ESP provides support for privacy and
data integrity for IP packets.
ESP can operate in two different modes:
Transport-mode ESP encrypts either a TCP, UDP or ICMP segment
Tunnel-mode ESP encrypts an entire IP packet
32. ESP
Transport-mode operation provides privacy for
any application that uses it, thus avoiding the
need to implement privacy in every individual
application.
Tunnel-mode ESP is used to encrypt an entire IP packet. For this
mode, the ESP is prefixed to the packet and
then the packet plus a trailing portion of the
ESP header is encrypted. This method can be
used to counter traffic analysis.
33. Authentication plus Privacy
The two IP security mechanisms can be
combined in order to transmit an IP packet that
has both privacy and authentication.
Encryption Before Authentication: The entire
transmitted IP packet is authenticated, including
both encrypted & unencrypted parts.
Authentication Before Encryption: The AH is placed inside the inner IP packet; this inner packet is both authenticated and protected by the privacy mechanism.
Unicast: An identifier for a single interface. A packet sent to a unicast address is delivered to the interface identified by that address. Anycast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the "nearest" according to the routing protocols' measure of distance). Multicast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address.
These standards are mandatory for IPv6 and optional for IPv4.
Longer IPv6 addresses allow for aggregating addresses by hierarchies of network, access provider, geography, corporation, and so on. Such aggregation should make for smaller routing tables and faster table look-ups.
Transition Process: During the transition from IPv4 to IPv6, there will be a lengthy period when IPv6 and IPv4 must coexist. IPv4-compatible IPv6 addresses accommodate this coexistence period. Such an address consists of a 32-bit IPv4 address prefixed by 96 zeroes.
An anycast address enables a source to specify that it wants to contact any one node from a group of nodes via a single address. A packet with such an address will be routed to the nearest interface in the group, according to the router's measure of distance. An example of the use of an anycast address is within a routing header to specify an intermediate address along a route. The anycast address could refer to the group of routers associated with a particular provider or particular subnet, thus dictating that the packet be routed through that provider or internet in the most efficient manner.
Multicasting is a useful capability in a number of contexts. For example, it allows hosts and routers to send neighbor discovery messages only to those machines that are registered to receive them, removing the necessity for all other machines to examine and discard irrelevant packets. As another example, most LANs provide a natural broadcast capability. A multicast address can be assigned that has a scope of link-local with a group ID configured on all nodes on the LAN to be a subnet broadcast address.
Address sequencing gives a lot of QoS capabilities to IPv6. For example, it could be used for provider selection (based on policy, performance, cost, etc.), mobility (best route to a current location) or re-addressing (route to a new address).
Each fragment packet is composed of: the unfragmentable part of the original packet, with the Payload Length of the original IPv6 header changed to contain the length of this fragment packet; a fragment header containing the header value that identifies the first header of the fragmentable part of the original packet; and finally, the fragment itself. At the destination, fragment packets are reassembled into their original, unfragmented form. An original packet is reassembled only from fragment packets that have the same source address, destination address and fragment identification.
Until now, the internet community has only developed application-specific security mechanisms.
These standards are mandatory for IPv6 and optional for IPv4.
IP-level security encompasses two functional areas: authentication and privacy. In addition, the authentication mechanism ensures that the packet has not been altered in transit.
Security Parameters Index (32 bits): Identifies a security association. The contents of the authentication data field depend on the authentication algorithm specified. Authentication Using Keyed MD5 -- RFC 1828 specifies the use of MD5 for authentication. The MD5 algorithm is performed over the IP packet plus a secret key by the source, and the resulting value is inserted into the IP packet. At the destination, the same calculation is performed on the IP packet plus the secret key and compared to the received value. This procedure provides both authentication and data integrity.
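Slide 28 and the note above describe the two halves of packet authentication: finding the security association by (destination address, SPI) and recomputing the keyed digest over the packet. The following Python, added here and not part of the slides, implements both halves for an AH placed directly after the basic header. It departs from the note in two labelled ways: the keyed function is HMAC-SHA-256 truncated to 128 bits rather than the keyed MD5 of RFC 1828 (MD5 is no longer acceptable for this purpose), and the AH carries a sequence number with a simple strictly-increasing replay check, which the later AH format added and the RFC 1826 header on these slides did not have. The key, SPI, addresses and payload are all constructed. Fields that legitimately change in transit (priority, flow label, hop limit and the authentication data itself) are zeroed before the MAC is computed, which is why a router decrementing the hop limit does not break verification.

```python
import hashlib
import hmac
import struct

AH, TCP = 51, 6
ICV_LEN = 16    # HMAC-SHA-256 truncated to 128 bits (assumption; the slides' RFC 1828 used keyed MD5)
KEY = b"constructed shared secret, never hard-code one for real"
SPI = 0x00001000
DST = bytes.fromhex("20010db8000000000000000000000002")
SAMPLE_HEADER = struct.pack("!IHBB16s16s", 6 << 28, 0, TCP, 64,
                            bytes.fromhex("20010db8000000000000000000000001"), DST)

class SecurityAssociation:
    def __init__(self, key):
        self.key = key
        self.last_seq = 0          # highest sequence number accepted so far (simplified anti-replay)

def make_sa_table():
    """Slide 28: an SA is identified by (destination address, SPI)."""
    return {(DST, SPI): SecurityAssociation(KEY)}

def authenticated_view(packet, ah_offset):
    """Copy of the packet with fields that change in transit zeroed: priority and flow label,
    hop limit, and AH's own authentication data. Everything else is covered by the MAC."""
    buf = bytearray(packet)
    buf[0] &= 0xF0                     # keep the version nibble, zero the priority nibble
    buf[1:4] = bytes(3)                # flow label
    buf[7] = 0                         # hop limit: decremented by every router
    icv_start = ah_offset + 12
    buf[icv_start:icv_start + ICV_LEN] = bytes(ICV_LEN)
    return bytes(buf)

def build_ah_packet(basic_header, spi, seq, key, upper_next, payload):
    """Insert an AH directly after the basic header; AH leaves the payload untransformed."""
    ah_len = 12 + ICV_LEN              # the Payload Len field counts 4-octet units minus 2
    hdr = bytearray(basic_header)
    hdr[6] = AH
    hdr[4:6] = struct.pack("!H", ah_len + len(payload))
    ah = struct.pack("!BBHII", upper_next, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    packet = bytes(hdr) + ah + payload
    tag = hmac.new(key, authenticated_view(packet, 40), hashlib.sha256).digest()[:ICV_LEN]
    return packet[:52] + tag + packet[52 + ICV_LEN:]

def verify_ah_packet(packet, sa_table):
    """Receiver side: look up the SA, recompute the MAC, then apply the replay check."""
    if len(packet) < 40 + 12 + ICV_LEN or packet[6] != AH:
        return False, "no AH directly after the basic header"
    dst = packet[24:40]
    _, plen, _, spi, seq = struct.unpack("!BBHII", packet[40:52])
    sa = sa_table.get((dst, spi))
    if sa is None:
        return False, "no security association for (destination, SPI)"
    if (plen + 2) * 4 != 12 + ICV_LEN:
        return False, "unexpected AH length"
    received = packet[52:52 + ICV_LEN]
    expected = hmac.new(sa.key, authenticated_view(packet, 40), hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(received, expected):
        return False, "authentication data mismatch"
    if seq <= sa.last_seq:
        return False, "replayed or out-of-order sequence number"
    sa.last_seq = seq
    return True, "authenticated"

if __name__ == "__main__":
    table = make_sa_table()
    pkt = build_ah_packet(SAMPLE_HEADER, SPI, 1, KEY, TCP, b"constructed TCP segment")
    print(verify_ah_packet(pkt, table))
    print(verify_ah_packet(pkt, table))     # second delivery of the same packet is a replay
```

The comparison uses hmac.compare_digest so that verification time does not leak how many leading bytes of a forged tag were right, and the replay state is only advanced after the MAC has been checked, so an attacker cannot burn sequence numbers with unauthenticated packets.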
One drawback to this mode is that it is possible to do traffic analysis on the transmitted packets. Because the IP header contains the destination address and possibly source routing directives and hop-by-hop option information, it is not possible to simply transmit the encrypted IP packet prefixed by the ESP header: intermediate routers would be unable to process such a packet. Therefore, it is necessary to encapsulate the entire block (ESP header plus encrypted IP packet) with a new IP header that contains sufficient information for routing but not for traffic analysis. Whereas the transport mode is suitable for protecting connections between hosts that support the ESP feature, the tunnel mode is useful in a configuration that includes a firewall or other sort of security gateway which protects a trusted network from external networks.
Two approaches: encryption before authentication, and authentication before encryption.