
THE FOLLOWING PRESENTATION HAS BEEN APPROVED FOR

TOURO COLLEGE
BY THE I.T. ASSOCIATION OF AMERICA

THIS POWERPOINT HAS NOT YET BEEN RATED

June 1, 2011 William C. Lee

For more than three decades, this end-to-end model has sufficiently met the needs of its users. Since the 80s, IPv4 has supported internet growth by accommodating over 4 million unique internet addresses given by Internet Service Providers.

However, the landscape is changing.

Despite its dominance in the industry, it is anticipated that in the near future the usage of IPv4 will yield to the more current IPv6. Although it satisfied the requirements of earlier generations, IPv4 is no longer considered sufficient for the needs of the users of today due to its limited capacity for addressing as well as its susceptibility to security threats. IPv6 presents certain advantages to those users and companies who know how to utilize this protocol.

IPv4 : History & Features

IPv4 was the first major version of a standardized Internet Protocol.

Initiative begun by ARPA in 1973 to advance functionality of existing protocols

By 1981 a final version was published in RFC as a standardized Internet Protocol

32 bit addressing - designers of IPv4 created a two-level structure for addressing that would utilize network number and host number each a 32 bit field. This would allow for the possibility of generating over 4 million unique addresses. Initially many considered that this volume would suit the needs of internet users; however, it has proven to be a crippling limitation. Today the internet and its users have grown so large that it has run out of IP addresses. Network administrators were able to take precautions to combat this difficulty by implementing NAT, or Network Address Translation.

Limited security features

Today, the internet has grown to be a million-network network, which has startling consequences. Security and addressing become more prevalent issues.

IPv6 : History & Features

IPv6 was developed in response to the evolving needs of users and businesses in a more current environment

The Internet Engineering Task Force began work on the ENTIRELY NEW IPv6 in 1991

In 1998 the basic standards were agreed upon and implemented.

128 bit hierarchical addressing - IPv6, with its 128-bit addresses, provides globally unique and hierarchical addressing based on prefixes rather than address classes, which keeps routing tables small and backbone routing efficient.

Built-in security features

The importance of Security

At the time of its design, and in keeping with the original end-to-end model, the Internet was thought of as a friendly environment. Therefore, no security was embedded in the original architecture.

Today, it has become a very hostile environment. Although certain techniques have been introduced to overcome some of the Internet's best known security deficiencies (SSL, IPSec, etc.), they seem to be insufficient.

IPv4 : Potential Threats

Denial of service (DoS) attacks - An attempt to make a computer resource unavailable to users. A common method is flooding the target hosts with requests, thus preventing valid network traffic from reaching the host.

Malicious code distribution - These can propagate themselves from one infected host to another.

Man-in-the-middle attacks - An attacker is able to read, insert and modify at will messages between two hosts without either host knowing that their communication has been compromised.

Fragmentation attacks - Different operating systems have their own method of handling large IPv4 packets, and this attack exploits that method. An example is the ping of death attack. This attack uses many small fragmented ICMP packets which, when reassembled at the destination, exceed the maximum allowable size for an IP datagram, which can cause the victim host to crash, hang or even reboot.

Port scanning and other reconnaissance attacks - This is used to scan for multiple listening ports on a single host, multiple hosts or an entire network. Open ports can be used to exploit the specific hosts further. Because of the small address space, port scanning is easy in the IPv4 architecture.

ARP poisoning and ICMP redirect - An ARP poisoning attack sends fake, or spoofed, ARP messages to a network. The aim is to associate the attacker's MAC address with the IP address of another node. Any traffic meant for that IP address would be mistakenly sent to the attacker instead.
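
The ping of death case comes down to one check a receiver or filter can make on every fragment: header length plus fragment offset plus fragment data must not exceed 65,535 bytes. The following Python check is an added example, not part of the original slides; the function names are hypothetical and the sample headers are constructed with documentation addresses.

```python
import socket
import struct

MAX_DATAGRAM = 65535  # largest size the 16-bit IPv4 Total Length field can express


def reassembled_size(header: bytes) -> int:
    """Size the full datagram must have for this fragment to fit inside it."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_off = struct.unpack_from("!BBHHH", header)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    offset = (flags_off & 0x1FFF) * 8        # fragment offset is in 8-byte units
    return ihl + offset + (total_len - ihl)  # header + data before + data in this fragment


def is_oversized(header: bytes) -> bool:
    """True when reassembly would exceed the maximum legal datagram size."""
    return reassembled_size(header) > MAX_DATAGRAM


def make_fragment(offset_units: int, data_len: int, more: bool) -> bytes:
    """Constructed ICMP fragment header (checksum left at 0, documentation addresses)."""
    flags_off = (0x2000 if more else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, 0x1234, flags_off,
                       64, 1, 0, socket.inet_aton("192.0.2.1"),
                       socket.inet_aton("198.51.100.7"))


# Constructed samples: an ordinary middle fragment, and a final fragment placed
# so close to the 64 KiB limit that its data runs past it.
NORMAL = make_fragment(offset_units=185, data_len=1480, more=True)
OVERSIZED = make_fragment(offset_units=8189, data_len=100, more=False)
```

Applying the check per fragment means the oversized datagram is rejected before any reassembly buffer is written.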

IPv6: Security Improvements

Large address space

Built-in IPSec

Authentication Header

Encapsulating Security Payload

Transport and Tunnel Modes

Protocol Negotiation and Key Exchange Management

Neighbor Discovery and Address Autoconfiguration

IPv6: Security Improvements

Large address space

Port scanning is used today to listen for specific services that could be linked to known weaknesses. Scanning ports on IPv4 is very simple because in most addresses only 8 bits are allocated for host addressing. Scanning a larger address space such as that of IPv6, with its 128-bit addresses, becomes more difficult.

IPv6: Security Improvements

Built-in IPSec

IPSec was an optional feature in IPv4. IPSec is required in the IPv6 protocol, mandated by RFC 4301. IPSec consists of cryptographic protocols that provide safe communication and key exchange.

IPv6: Security Improvements

Authentication Header

Authentication header (AH) provides the authentication confidentiality and data integrity. The Authentication Header protocol prevents packets from being changed or tampered with.

IPv6: Security Improvements

Encapsulating Security Payload

Encapsulating Security Payload (ESP) does the same as the Authentication Header, but also provides confidentiality. This header contains a field that identifies which group of security parameters the sender is using to secure communications; this is called the Security Parameter Index (SPI).
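
To make the AH and ESP slides concrete, the following Python parser walks an IPv6 extension header chain and pulls the SPI and sequence number out of each IPsec header it meets. It is an added example, not part of the original slides; the function names are hypothetical, the sample packet is constructed, and the chain limit MAX_CHAIN is an assumed local policy value rather than a protocol constant.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXTENSION = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
MAX_CHAIN = 8  # assumed local policy limit, not a protocol constant

def walk_ipv6(packet: bytes):
    """Return (chain, spis): Next Header values in order, and (name, SPI, seq) per IPsec header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, pos, chain, spis = packet[6], 40, [], []
    while nxt in EXTENSION:
        chain.append(nxt)
        if len(chain) > MAX_CHAIN:
            raise ValueError("extension header chain too long")
        if pos + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == ESP:
            # ESP starts with SPI and sequence number; the rest is ciphertext.
            spis.append(("ESP", *struct.unpack_from("!II", packet, pos)))
            return chain, spis
        following, length = packet[pos], packet[pos + 1]
        if nxt == AH:
            size = (length + 2) * 4   # AH length field: 4-byte units, minus 2
        elif nxt == FRAGMENT:
            size = 8                  # Fragment header has a fixed size
        else:
            size = (length + 1) * 8   # others: 8-byte units, first 8 not counted
        if size < (12 if nxt == AH else 8) or pos + size > len(packet):
            raise ValueError("bad extension header length")
        if nxt == AH:
            spis.append(("AH", *struct.unpack_from("!II", packet, pos + 4)))
        nxt, pos = following, pos + size
    chain.append(nxt)  # first non-extension value: the upper-layer protocol
    return chain, spis

def build_ipv6(first_next: int, body: bytes) -> bytes:
    """Constructed test packet using documentation addresses (2001:db8::/32)."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), first_next, 64, src, dst) + body

# Constructed sample: Hop-by-Hop (PadN only) -> AH -> ESP with 16 opaque bytes.
SAMPLE = build_ipv6(HOP_BY_HOP,
                    bytes([AH, 0, 1, 4, 0, 0, 0, 0])
                    + struct.pack("!BBHII12s", ESP, 4, 0, 0x1001, 1, bytes(12))
                    + struct.pack("!II", 0x2002, 7) + bytes(16))
```

The walk stops at ESP because everything after its SPI and sequence number is encrypted, which is why a monitoring point can see which security association a packet belongs to but not what it carries.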

IPv6: Security Improvements

Transport and Tunnel Modes

IPSec provides two modes of securing traffic: Transport and Tunnel Mode. Transport mode is intended to provide secure communication between endpoints by securing only the packet's payload. Tunnel mode is intended to protect the entire IPv4 packet. However, in IPv6 networks, there is no need for a tunnel mode.

IPv6: Security Improvements

Protocol Negotiation and Key Exchange Management

Key exchange management provides much of the functionality needed for parties to communicate. It negotiates protocols, encryption algorithms and keys with other parties. It can simply exchange keys as well as change them. Additionally, it keeps track of all agreements.

IPv6: Security Improvements

Neighbor Discovery and Address Autoconfiguration

IPv6 Neighbor Discovery is a way to give nodes the ability to discover other nodes' link-layer addresses on the local link. It can also find routers on the local link; this assists in detecting when a local node becomes unreachable, resolving duplicate IP addresses, and allowing routers to alert other nodes when another router is needed.

IPv6

Though IPv6 addresses many of the deficiencies present in IPv4, it is by no means a perfected system.

Source trouble through processing all stacks by extension header

Potential for security breaches during transitioning between IPv4 and IPv6
