IPv4 versus IPv6
Supervised by: Prof. Dr. Nabil Hamdy
Presented by: Ahmed Abdel Hafeez
Contents
• Introduction
• IP
• Addressing
• Distinction of IPv4 vs IPv6
• Transition strategies from IPv4 to IPv6
• Conclusion
• References
IP: The waist of the hourglass
Applications (HTTP, FTP, SMTP)
TCP, UDP
IP (IPv4 or IPv6)
Data link layer protocols
Physical layer protocols
[Figure: two hosts communicating through two routers. Each host runs Application, TCP, IP and Data Link; each router runs only IP and Data Link. The application protocol and the TCP protocol run end to end between the hosts, while the IP protocol runs between each pair of neighbouring nodes over its own data link.]
IP Service
• IP supports the following services:
– one-to-one (unicast)
– one-to-all (broadcast; only in v4)
– one-to-several (multicast)
– one-to-nearest of a group (anycast; only in v6)
• IP multicast requires support of other protocols (IGMP, multicast routing)
[Figure: unicast, broadcast, multicast and anycast delivery]
IP Service
• IP provides an unreliable, connectionless, best-effort service (also called a "datagram service").
– Unreliable: no attempt is made to recover lost packets.
– Connectionless: each packet ("datagram") is handled independently.
– Best effort: IP makes no guarantees about the service (no throughput guarantee, no delay guarantee, ...).
• Consequences:
– Higher-layer protocols have to deal with losses and with duplicate packets.
– Packets may be delivered out of sequence.
IPv4 Example
• IPv4 address range: 0.0.0.0 to 255.255.255.255 = 4,294,967,296 possible addresses
• An IPv4 address: "173.194.35.104"
IPv4 address
• IPv4 address = [Network Prefix] + [Host Number]
• The address 11000000 11100100 00010001 00111001 is written as 192.228.17.57.
IPv4 address classes (classless addressing is used today)
Unicast classes (range, network/host bytes, default mask, notes):
• Class A: 0.x.x.x to 126.x.x.x, N.H.H.H, default mask 255.0.0.0 or /8. 127.x.x.x is used for loopback; 10.x.x.x is the private range.
• Class B: 128.x.x.x to 191.x.x.x, N.N.H.H, default mask 255.255.0.0 or /16. 172.16.x.x up to 172.31.x.x is the private range.
• Class C: 192.x.x.x to 223.x.x.x, N.N.N.H, default mask 255.255.255.0 or /24. 192.168.x.x is the private range.
Multicast:
• Class D: 224.x.x.x to 239.x.x.x
Network, Host, Broadcast addresses
[Figure: the network address, subnet mask and broadcast address of a subnet; the broadcast address has all host bits set, e.g. 198.150.11.255 and 198.150.12.255.]
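The addressing material above (prefix + host number, the classful default masks, and the network/broadcast addresses) as working code. This is an added example, not from the slides; it uses the slides' own 192.228.17.57 and 198.150.11.x addresses as inputs.

```python
"""IPv4 address arithmetic: network prefix, host number, broadcast and classful default mask.

Added example (not from the slides). Input addresses are the slides' own
192.228.17.57 and the 198.150.11.x / 198.150.12.x broadcast examples.
"""


def dotted_to_int(addr: str) -> int:
    """Parse dotted decimal into a 32-bit integer, rejecting malformed octets."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {addr!r}")
    value = 0
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"bad octet {p!r} in {addr!r}")
        value = (value << 8) | int(p)
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_default_prefix(addr: str) -> int:
    """Default prefix length from the leading bits of the first octet (the classful table).

    Class A starts 0xxx (/8), B 10xx (/16), C 110x (/24). Class D (1110, multicast)
    and the reserved 1111 range have no network/host split and are reported as 0.
    """
    first = dotted_to_int(addr) >> 24
    if first & 0x80 == 0:
        return 8
    if first & 0xC0 == 0x80:
        return 16
    if first & 0xE0 == 0xC0:
        return 24
    return 0


def subnet_info(addr: str, prefix: int) -> dict:
    """Split an address into network prefix and host number and derive the broadcast address."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    value = dotted_to_int(addr)
    network = value & mask
    return {
        "binary": format(value, "032b"),           # the 32 bits, as written on the slide
        "mask": int_to_dotted(mask),
        "network": int_to_dotted(network),         # network address: host bits all zero
        "host_number": str(value & ~mask & 0xFFFFFFFF),
        "broadcast": int_to_dotted(network | (~mask & 0xFFFFFFFF)),  # host bits all one
    }
```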
What is IPv6?
• IPv6 is a revised IP protocol intended to supplement and replace IPv4.
• IPv6 was ratified in 1998 as RFC 2460.
• IPv6 addresses use a 128-bit value, vs. IPv4's 32 bits. This provides an address space on the order of 3.4x10^38 addresses (nearly a "duodecillion"!).
What is IPv6 for?
• IPv6's large address space is a necessary enhancement over IPv4's much more limited 4.29x10^9 (4.29 billion) possible addresses.
• The Internet Engineering Task Force (IETF) foresaw an eventual depletion of available IPv4 addresses, and IPv6 was designed in response.
Where is IPv6?
• IPv6 has had difficulty gaining momentum as a commonly accepted protocol. Almost the entire IT industry is perfectly happy with IPv4, and converting an established network to use IPv6 addresses is a monumental task.
• Most use of IPv6 today is found in research, dedicated networks, and by an inquisitive few.
Where is IPv6... Really?
• Since 2008, the US Government has mandated that new purchases of computer and network equipment must support certain minimum standards for IPv6. See NIST Special Publication 500-267.
• IPv6 is becoming generally supported in network devices, operating systems, remote management protocols, and other networked applications.
• Microsoft Windows XP/Server 2003 offered optional support for IPv6. Microsoft Windows Vista/Server 2008 and beyond have nearly complete IPv6 support, and the protocol is enabled by default. Linux and Cisco also support IPv6.
• Recent versions of Microsoft Windows also include utilities which will encapsulate IPv6 traffic within an IPv4 tunnel.
So I might be running IPv6 now?
• Yes! And this new IPv6 capability in contemporary systems represents an unknown security risk.
• The IT industry's propensity to ignore IPv6 in favor of IPv4 means that local administrators might be unaware of the IPv6 traffic traversing their network and interacting with their information systems.
• Furthermore, support for IPv6 on contemporary network security devices seems to be lagging behind IPv6 support in operating systems and routers. Network-based content inspection, intrusion prevention, and antivirus may be ineffective at scanning native or encapsulated IPv6 traffic.
[Figure: IPv6 interfaces in Windows Vista]
IPv6 Address Representation
• 128-bit IPv6 addresses are represented by breaking them up into eight 16-bit segments.
• Each segment is written in hexadecimal between 0x0000 and 0xFFFF, separated by colons.
• An example of a written IPv6 address is 3ffe:1944:0100:000a:0000:00bc:2500:0d0b
Rule 1: Leading 0's
• There are two rules for reducing the size of written IPv6 addresses.
• The first rule is: the leading zeroes in any 16-bit segment do not have to be written; if any 16-bit segment has fewer than four hexadecimal digits, it is assumed that the missing digits are leading zeroes.
• Example: 3ffe:1944:0100:000a:0000:00bc:2500:0d0b becomes 3ffe:1944:100:a:0:bc:2500:d0b
Rule 1: Leading 0's - Practice
• 3ffe:0404:0001:1000:0000:0000:0ef0:bc00 becomes 3ffe:404:1:1000:0:0:ef0:bc00
• 3ffe:0000:010d:000a:00dd:c000:e000:0001 becomes 3ffe:0:10d:a:dd:c000:e000:1
• ff02:0000:0000:0000:0000:0000:0000:0005 becomes ff02:0:0:0:0:0:0:5
Rule 1: Leading 0's
• Notice that only leading zeroes can be omitted; trailing zeroes cannot, because doing so would make the segment ambiguous.
• You would not be able to tell whether the missing zeroes belonged before or after the written digits.
Written address: 3ffe:1944:100:a:0:bc:2500:d0b
Correct original address: 3ffe:1944:0100:000a:0000:00bc:2500:0d0b
OR wrong, ambiguous original address: 3ffe:1944:1000:a000:0000:bc00:2500:d0b0
Rule 2: Double colon :: equals 0000...0000
• The second rule can reduce this address even further:
• Any single, contiguous string of one or more 16-bit segments consisting of all zeroes can be represented with a double colon.
ff02:0000:0000:0000:0000:0000:0000:0005 becomes ff02:0:0:0:0:0:0:5, which becomes ff02::5
Rule 2: Double colon :: equals 0000...0000
• Only a single contiguous string of all-zero segments can be represented with a double colon.
• Example: both of these are correct for 2001:0d02:0000:0000:0014:0000:0000:0095:
2001:d02::14:0:0:95
OR 2001:d02:0:0:14::95
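Both rules as working code, added here and not taken from the slides: compress applies Rule 1 and then Rule 2, expand reverses them and rejects text that breaks the single-"::" rule, and same_address cross-checks the result against Python's ipaddress module. It follows RFC 5952 in collapsing the longest zero run (the first one on a tie) and leaving a lone zero segment written as 0, which matches the slides' 3ffe:1944:100:a:0:bc:2500:d0b example.

```python
"""IPv6 textual representation: Rule 1 (drop leading zeros) and Rule 2 (one '::').
Added example, not from the slides. Collapses the longest all-zero run (first on a tie)
and leaves a single zero segment as '0', as RFC 5952 recommends."""
import ipaddress
from typing import List

HEXDIGITS = set("0123456789abcdefABCDEF")


def expand(text: str) -> List[str]:
    """Inverse of both rules: return the eight 4-digit segments of a written address."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero segment")
        segs = left + ["0"] * missing + right
    else:
        segs = text.split(":")
    if len(segs) != 8 or not all(1 <= len(s) <= 4 and set(s) <= HEXDIGITS for s in segs):
        raise ValueError(f"not a valid IPv6 address: {text!r}")
    # Rule 1 in reverse: any missing digits are leading zeros.
    return [s.lower().zfill(4) for s in segs]


def compress(text: str) -> str:
    """Apply Rule 1 and Rule 2 to any written form and return the short canonical text."""
    segs = [s.lstrip("0") or "0" for s in expand(text)]      # Rule 1
    # Rule 2: locate the longest run of consecutive zero segments (first run wins a tie).
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        j = i
        while j < 8 and segs[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1
    if best_len < 2:                                        # a lone 0 stays written as 0
        return ":".join(segs)
    left = ":".join(segs[:best_start])
    right = ":".join(segs[best_start + best_len:])
    return f"{left}::{right}"


def same_address(a: str, b: str) -> bool:
    """Cross-check two written forms with the standard-library parser."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)
```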
Network Prefixes
• In IPv4, the prefix (the network portion of the address) can be identified by a dotted-decimal mask or a bit count: 255.255.255.0 or /24
• IPv6 prefixes are always identified by bit count: 3ffe:1944:100:a::/64
IP Header
• The IPv4 header contains 12 basic header fields, followed by an options field and a data portion (usually the transport layer segment).
• The basic IPv4 header has a fixed size of 20 octets.
• The variable-length options field increases the size of the total IP header.
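An added example (not from the slides) that builds and parses the header just described: the 20-octet fixed part, the IHL field that grows the header when options are present, and the header checksum. The header bytes, addresses and the 4-octet option are constructed for illustration.

```python
"""IPv4 header: 20-octet fixed part, IHL-sized options field, header checksum.
Added example, not from the slides. Sample headers are constructed
(192.228.17.57 -> 198.150.11.7, protocol 6 = TCP, a 4-octet option)."""
import struct

# Fixed part: version/IHL, DSCP/ECN, total length, identification, flags+fragment
# offset, TTL, protocol, header checksum, source, destination = 20 octets.
FIXED_HEADER = struct.Struct("!BBHHHBBH4s4s")
assert FIXED_HEADER.size == 20


def checksum(data: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, payload_len: int, options: bytes = b"") -> bytes:
    """Construct a header; options are padded to a 32-bit boundary and IHL is set to match."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4                 # header length in 32-bit words
    total_len = ihl * 4 + payload_len
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    fixed = FIXED_HEADER.pack((4 << 4) | ihl, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    csum = checksum(fixed + options)            # computed with the checksum field zeroed
    return fixed[:10] + struct.pack("!H", csum) + fixed[12:] + options


def parse_header(packet: bytes) -> dict:
    """Parse the fixed fields, validate IHL against the packet, verify the checksum, return options."""
    if len(packet) < 20:
        raise ValueError("truncated: fewer than 20 octets")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = FIXED_HEADER.unpack(packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4                        # IHL 5 = 20 octets = no options
    if version != 4 or ihl < 5:
        raise ValueError(f"not a valid IPv4 header (version {version}, IHL {ihl})")
    if header_len > len(packet) or total_len < header_len:
        raise ValueError("header length exceeds packet or total length")
    return {
        "header_len": header_len, "options": packet[20:header_len],
        "checksum_ok": checksum(packet[:header_len]) == 0,   # a valid header sums to zero
        "total_len": total_len, "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "dont_fragment": bool(flags_frag & 0x4000), "frag_offset": flags_frag & 0x1FFF,
    }
```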
IPv6 address
The three types of IPv6 address are:
1. Unicast
2. Anycast
3. Multicast
• There is no IPv6 broadcast address.
Address type table (type, IPv6 prefix, note):
• Unspecified: ::/128
• Loopback: ::1/128
• Multicast: FF00::/8, identifies not one device but a set of devices (a multicast group)
• Link-local unicast: FE80::/10, an address whose scope is confined to a single link
• Site-local unicast: FEC0::/10
• Global unicast: 2000::/3
• Reserved
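The address-type table as detection logic, added here (not from the slides) and also serving the earlier point that administrators may be unaware of IPv6 traffic that IPv4-only inspection misses: classify_ipv6 maps an address to its row in the table, and audit_flows walks constructed flow records, reporting native IPv6 by scope and IPv4 packets carrying IP protocol 41 (IPv6 encapsulated in IPv4). The log line layout is an assumption, and the sample records are constructed.

```python
"""Classify IPv6 addresses by the slides' address-type table and flag IPv6 that an
IPv4-only view would miss, including IPv6-in-IPv4 encapsulation (IP protocol 41).
Added example, not from the slides; flow-record layout and samples are constructed."""
import ipaddress
from typing import Dict, List

# The address-type table as networks. Global unicast is 2000::/3 (RFC 4291);
# site-local fec0::/10 is deprecated but still worth naming when it is seen.
IPV6_TYPES = [
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("link-local unicast", ipaddress.IPv6Network("fe80::/10")),
    ("site-local unicast", ipaddress.IPv6Network("fec0::/10")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
]


def classify_ipv6(text: str) -> str:
    """Return the table row for a written IPv6 address, or 'reserved' if no row matches."""
    addr = ipaddress.IPv6Address(text)
    for name, net in IPV6_TYPES:
        if addr in net:
            return name
    return "reserved"


def audit_flows(lines: List[str]) -> List[Dict[str, str]]:
    """Walk space-separated flow records and report what an IPv4-only view would miss."""
    findings = []
    for line in lines:
        ts, version, proto, src, dst = line.split()   # assumed record layout
        if version == "6":
            kind = classify_ipv6(dst)
            # Link-local and multicast are normal neighbour/router discovery noise; global
            # unicast means IPv6 is carrying real traffic on a network believed to be IPv4-only.
            sev = "high" if kind == "global unicast" else "info"
            findings.append({"ts": ts, "issue": f"native IPv6 to {kind} {dst}", "severity": sev})
        elif version == "4" and proto == "41":
            # Protocol 41 is IPv6 inside IPv4 (6in4/6to4); IPv4-only inspection sees an opaque payload.
            findings.append({"ts": ts, "issue": f"IPv6-in-IPv4 tunnel {src} -> {dst}", "severity": "high"})
    return findings


# Constructed sample flow records: timestamp, IP version, protocol number, source, destination.
SAMPLE_FLOWS = [
    "10:00:01 4 6 198.150.11.7 173.194.35.104",
    "10:00:02 6 58 fe80::1 ff02::1",
    "10:00:03 6 6 2001:db8::10 2001:db8:1::80",
    "10:00:04 4 41 198.150.11.7 198.150.12.1",
]
```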
Anycast Addresses
• An anycast address represents a service rather than a device. The same address can reside on one or more devices providing the same service.
• The advantage of anycast addresses is that a router always routes to the "closest" or "lowest-cost" server. If one server becomes unavailable, the router routes to the next nearest server.
• Example: a service is offered by three servers, all advertising the service at the IPv6 address 3ffe:205:1100::15. The router, receiving advertisements for the address, does not know that it is being advertised by three different devices; instead, the router assumes that it has three routes to the same destination and chooses the lowest-cost route. In the example figure, this is the route to server C, with a cost of 20.
Conclusion (continued)
• IPv6 can no longer be ignored.
• IPv6 isn't "bad", and may represent the future for a lot of networks. Some say that IPv4 will never go away, but in the meantime, IPv6 is here.
• IT administrators need to be aware of IPv6 as a protocol which is gaining legitimacy and is actually supported on a wide number of systems.
• IPv4-to-IPv6 encapsulation mechanisms exist as a tool to aid in the migration from a predominantly IPv4 environment to an IPv6 environment.
• With this awareness comes the requirement to control IPv6 with the same attention to detail that administrators would apply to controlling the more commonplace IPv4 traffic.
References - Transitional Security Issues
• Security Concerns With IP Tunneling: http://tools.ietf.org/html/draft-ietf-v6ops-tunnel-security-concerns-02
• Support for IPv6 in Windows Server 2008 R2 and Windows 7: http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
• IPv6 Security Considerations and Recommendations: http://technet.microsoft.com/en-us/library/bb726956.aspx
References - Threat Mitigation
• How to prevent IPv6 tunneling across firewalls and routers: http://www.howfunky.com/2010/02/how-to-prevent-ipv6-tunneling-across.html
• Disable all IPv6 in Windows: http://tutorials-tips-tricks.info/disable-and-turn-off-ipv6-in-windows
• Wiki - IPv6 Firewalls: http://www.getipv6.info/index.php/IPv6_Firewalls
• IPv6 firewalling knows no middle ground: http://arstechnica.com/hardware/news/2007/05/ipv6-firewall-mixed-blessing.ars
References - Guidelines for IPv6 Adoption
• An Internet Transition Plan: http://tools.ietf.org/html/rfc5211
• Hurricane Electric IPv6 Certification Project: http://ipv6.he.net/certification/
• NIST Special Publication 800-119 - Guidelines for the Secure Deployment of IPv6 (Draft): http://csrc.nist.gov/publications/drafts/800-119/draft-sp800-119_feb2010.pdf
• Microsoft Windows Server 2008 Whitepaper - IPv6 Transition Technologies: http://download.microsoft.com/download/1/2/4/124331bf-7970-4315-ad18-0c3948bdd2c4/IPv6Trans.doc
References - Guidelines for IPv6 Adoption (continued)
• Tier 1 for IPv4 != Tier 1 for IPv6: http://www.networkworld.com/community/blog/tier-1-ipv4-tier-1-ipv6
• BT Diamond IP IPv6 Address Management Guide: http://btdiamondip.com/software/offers/confirm_ipv6.aspx
• Google, Microsoft, Netflix in talks to create shared list of IPv6 users: http://www.networkworld.com/news/2010/032610-dns-ipv6-whitelist.html