22-IPv6-BF - EECS People Web Server

IPv6 Overview
Brent Frye
EECS710
Overview
• Google Drive
• Microsoft Cloud Drive
• Dropbox
• Paid-for alternatives
2
Larger Address Space
• IPv4 has 4.3 billion unique addresses
• IPv6 has 340 trillion trillion trillion
(undecillion) addresses or 3.4 x 10^38.
• That is enough for a billion billion IP addresses
for every person in the world for every second
of their life.
• No Network Address Translation (NAT)
required.
3
New Header Format
• Header overhead is minimized: even though the address is 4
times as long as in IPv4, the header is only twice as long.
• Not backward compatible with IPv4
• Header information contains Source Address, Destination
Address, and Hop Limit.
4
Hierarchical Addressing and Routing Infrastructure
• IPv6 uses unicast address routing topology to make a simple hierarchical
infrastructure that is more efficient and requires smaller routing tables on
backbone routers.
• Aggregatable global unicast addresses (highest level, public facing)
• Link-local addresses (communicate with neighboring nodes on the same link,
FP 1111 1110 10, auto configured)
• Site-local addresses (similar to IPv4 private addresses, assigned through
stateless or stateful configuration)
• Special addresses (Unspecified address 0:0:0:0:0:0:0:0 or ::, Loopback address
0:0:0:0:0:0:0:1 or ::1)
• Compatibility addresses (6to4 addresses, IPv4-mapped address)
• NSAP addresses (Network Service Access Point)
5
Stateless and stateful address configuration
• Stateful address configuration is with a DHCP
server
• Stateless configuration is without a DHCP
server. Link-local auto configuration.
• Combined: configuration based on Router
Advertisement messages. Stateless prefixes
that host stateful address protocol.
6
Built-in security
• Confidentiality – IPSec encryption of all traffic
• Authentication – IPSec traffic digitally signed for sender
verification
• Data integrity – IPSec traffic includes crypto checksum to
validate integrity.
• IPSec is not enabled by default but requires configuration by
the network administrator
7
Built-in security cont.
• The optional security feature Moving Target IPv6 Defense (MT6D)
allows dynamic obscuring of the sender and receiver
addresses
• MT6D is possible because of the large address space that
IPv6 provides and because of stateless address
configuration (SLAAC)
• Packets are encrypted and tunneled end-to-end so that
source and destination address can be changed without
breaking the session.
8
Better Quality of Service (QoS)
• IPv6 can use “flows” to provide special
handling to a packet.
• The new Flow Label field in the IPv6 header
means that QoS works even when the
payload of the packet is encrypted.
9
Neighboring node interaction
• IPv6 Neighbor Discovery (ND) replaces ARP and ICMP
• Hosts use ND to discover neighboring routers and to discover
addresses, address prefixes, and other parameters.
• Routers use ND to advertise their presence, configure host
parameters, inform hosts of next-hop address and on-link
prefixes.
• Nodes use ND to resolve link-layer address of a neighboring
node to see if it has changed and to determine if IPv6 packets
can be sent to or received from the neighbor.
10
Extensibility
• Added support for extension headers, limited
only by the size of the packet instead of
40 bytes like IPv4
• Currently defined extension headers: Hop-by-Hop
options, routing, fragmentation,
authentication, encapsulation, destination
options.
11
Threats
• Many new operating systems have IPv6 enabled by default,
leaving it uncontrolled when the network is using IPv4
• IPSec is not mandatory and requires configuration
• IPv6 using ND is vulnerable to man-in-the-middle attacks
(route advertisement can expose all local assets to the global
IPv6 network)
12
Conclusions
• IPv6 is more than just extended address
space.
• Potential for more security challenges as well
as improved security features.
13
Links
• Microsoft overview - http://technet.microsoft.com/en-us/library/cc738636(v=ws.10).aspx
• IPv6 white paper - http://140.116.82.38/members/html/ms03/dclin/technique_paper/IPv6/IPv6%20Features%20and%20Benefiits.pdf
• IPv6 Security Fallacies - http://www.networkcomputing.com/ipv6/4-ipv6-security-fallacies/240159771
14