Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPv6 Network Security.

Similar presentations

Presentation on theme: "IPv6 Network Security."— Presentation transcript:

1 IPv6 Network Security

2 Topics Introduction Comparison with IPv4 Header format
Extension headers Neighbour discovery Transition from IPv4 to IPv6 ICMPv6 IPv6 addresses Address Autoconfiguration IP Security Network Security

3 About IPv6 Internetworking Protocol version 6, IPng
IPv6 was developed because about 1992 it became clear that at the rate that the Internet was growing the world would soon be out of IPv4 numbers The experimental deployment of IPv6 started in 1995 IPv6 was designed to work alongside IPv4 on all network devices. This is often called the “Dual Stack” because devices have both an IPv4 Protocol Stack and an IPv6 Protocol Stack 128-bit address written in 8 hex quads It supports 2128 (about 3.4×1038) addresses Network Security

4 IPv4 deficiencies Address depletion
No support for real-time audio and video transmission No encryption and authentication of data Network Security

5 IPv6 advantages over IPv4
Large address space Better header format Stateless and stateful address auto-configuration Built-in security New options Extensibility Support for real-time audio and video

6 IPv4 Vs IPv6 Network Security

7 Reasons for delay in adoption
Classless addressing Use of DHCP Network Address Translation Network Security

8 IPv6 datagram Base Header
Network Security

9 IPV4 and IPV6 Header Network Security

10 IPV4 Vs IPV6 Packet Header
Network Security

11 IPv6 Extension Headers Network Security

12 IPv6 Extension Headers Hop-by-Hop Options header Source routing
When the source needs to pass info to all routers visited by the datagram. Source routing Combines the concepts of strict and loose source route options of IPv4. Fragmentation Source is required to fragment if size of datagram is larger that the MTU of network. Only original source can fragment. Network Security

13 Extension Headers contd…
Authentication header (AH) Validates the message sender and ensures integrity of data. Encrypted security payload (ESP) Provides confidentiality and guards against eavesdropping. Destination Options Used when source needs to pass info to the destination only. Intermediate routers are not permitted access. Network Security

14 IPv4 options and IPv6 extension headers
Network Security

15 Transition from IPv4 to IPv6
Network Security

16 Dual Stack A station must run IPv4 and IPv6 simultaneously until all the Internet uses IPv6 To determine which version to use when sending a packet to a destination, the source host queries the DNS If the DNS returns an IPv4 address, the source host sends an IPv4 packet If the DNS returns an IPv6 address, the source host sends an IPv6 packet Network Security

17 Tunneling a strategy used when two computers using IPv6 want to communicate with each other and the packet must pass through a region that uses IPv4 So the IPv6 packet is encapsulated in an IPv4 packet when it enters the region, and it leaves its capsule when it exits the region. Network Security

18 Header Translation necessary when the majority of the Internet has moved to IPv6 but some systems still use IPv4 the sender wants to use IPv6, but the receiver does not understand IPv6 the header format must be totally changed through header translation header of the IPv6 packet is converted to an IPv4 header uses the mapped address and some rules to translate an IPv6 address to an IPv4 address Network Security

19 ICMPv6 Internet Control Message Protocol Combines ICMPv4, ARP and IGMP
Message – oriented It uses messages to report errors Like version 4, ICMPv6 reports errors, handles group memberships, updates specific router and host tables, and checks the viability of a host. ICMPv6 forms an error packet which is then encapsulated in an IP datagram Network Security

20 ICMPv6 messages Error messages Informational messages
Destination unreachable, packet too big, time exceeded, parameter problems Informational messages Echo request & reply message Neighbour discovery messages Route solicitation & advertisement message Neighbour solicitation & advertisement message Group membership messages Membership query & report message Network Security

21 ND messages Mainly used by: Router-solicitation message
Hosts to find routers in the neighbourhood Nodes to find the link layer addresses of neighbours Nodes to find IPv6 addresses of the neighbour Router-solicitation message Router-advertisement message Neighbour-solicitation message Neighbour-advertisement message Network Security

22 IPv6 addressing Unicast address Anycast address Multicast address
IPv6 doesn’t implement broadcast address Broadcasts are replaced by multicasts and anycasts However, a multicast to address ff02::1 would result in a transmission to all nodes within the same local link, which is similar to IPv4 multicast to address  Network Security

23 Unicast & Anycast Address format
Unicast (one-to-one) and anycast (one-to-one-of-many) addresses are typically composed of two logical parts: a 64-bit network prefix used for routing, and a 64-bit host part used to identify a host within the network. The network prefix is /1 followed by a 40-bit random number. The 16 bits of the subnet identifier field are available to the network administrator to define subnets within the given network. The 64-bit interface identifier is either automatically generated from the interface's MAC address obtained from a DHCPv6 server randomly, or assigned manually. Network Security

24 Multicast Address format
The prefix holds the binary value   for any multicast address. Flag field defines the group address as either permanent or transient. Scope field defines the scope of the group address. Network Security

25 IPv6 notation An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets). The groups are separated by a colon (:). A typical example of an IPv6 address follows: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 The hexadecimal digits are case-insensitive. Network Security

26 Compressing Zeros A contiguous sequence of 16-bit blocks set to 0 in the colon hexadecimal format can be compressed to “::”, known as double-colon For example, the link-local address of FE80:0:0:0:2AA:FF:FE9A:4CA2 can be compressed to FE80::2AA:FF:FE9A:4CA2 Zero compression can only be used once in a given address Network Security

27 Address Autoconfiguration
Host has an ability to automatically configure itself, even without the use of a stateful configuration protocol such as DHCPv6 Types of Autoconfiguration: Stateless: Configuration of addresses is based on the receipt of Router Advertisement messages Stateful: Configuration is based on DHCPv6 to obtain addresses and other configuration options. A host will use a stateful address configuration protocol when there are no routers present on the local link. Network Security

28 Autoconfiguration process
Host first creates a link local address for itself The host then tests to see if this link local address is unique and not used by other hosts If the uniqueness of the link local address is passed, the host stores this address as its link-local address, but it still needs a global unicast address Network Security

29 IP Security IPSec is a collection of protocols designed by IETF to provide security for a packet at the network layer It helps create authenticated and confidential packets for the IP layer Two modes: Transport does not protect the IP header; it only protects the information coming from the transport layer Tunnel protects the original IP header Network Security

30 IPSec modes Network Security

31 IPSec Protocols AH and ESP Authentication Header
designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet uses a hash function and a symmetric key to create a message digest; the digest is inserted in the authentication header Network Security

32 AH Protocol in transport mode
Network Security

33 What is Message Digest? The electronic equivalent of the document and fingerprint pair is the message and message digest pair To preserve the integrity of a message, the message is passed through an algorithm called a hash function. The hash function creates a compressed image of the message that can be used as a fingerprint. The message digest needs to be kept secret. SHA-1 (Secure Hash Algorithm 1) Network Security

34 Encapsulating Security Payload (ESP)
The AH Protocol does not provide privacy, only source authentication and data integrity ESP adds a header and trailer ESP's authentication data are added at the end of the packet ESP does whatever AH does with additional functionality (privacy) Network Security

35 ESP Protocol in transport mode
Network Security

36 IPSec services Network Security

37 Things to study IPv4 packet, ICMPv4 DHCPv6, ICMPv6 IPv6 Routing
Internet Key Exchange for IPSec QoS support for IPv6 API for IPv6 Network Security

Download ppt "IPv6 Network Security."

Similar presentations

Ads by Google