Internet Protocol Version 6

Parvin Beekharry, Pascal Chrispeels

Post on 20-Aug-2015


Introduction: What is wrong with IPv4?

The address issue:

  IPv6: 128 bit address = 2^96 (7.92282 x 10^28); address types: Unicast, Anycast, Multicast

  IPv4: 32 bit address = 2^32 (4 294 967 296); Class A between 1 and 126, Class B between 128 and 191, Class C between 192 and 223

The header problem:

IPv4 header fields:
  Version no | IHL | Type of Service | Total Length
  Identification | Flags | Fragment offset
  Time-to-live | Protocol | Header Checksum
  Source Address (32 bits)
  Destination Address (32 bits)
  Options | Padding

IPv6 header fields:
  Version no | Class (priority) | Flow label
  Payload Length | Next Header | Hop Limit
  Source Address (128 bits)
  Destination Address (128 bits)

Headers

Major changes from IPv4 to IPv6:

Expanded addressing capabilities

New type of addresses (unicast)

Header format simplification

Improved support of option (extension headers)

Authentication and privacy capabilities

Addressing Architecture

IPv6 addresses are 128 bits long.

There are 3 types of IPv6 addresses:
  Unicast: an identifier for a single interface
  Anycast: an identifier for a set of interfaces (typically belonging to different nodes)
  Multicast: an identifier for a set of interfaces (typically belonging to different nodes)

Address Notation

8 * (16 bit field) = 128 bits

The designers of the protocol chose to write the 128 bits as eight 16-bit integers separated by colons; each integer is represented by 4 hex digits, e.g.:

FEDC:BA98:7654:3210:FEDC:BA98:7654:3210

Address Assignments

The first field of any IPv6 address is a variable-length format prefix, which identifies various categories of addresses. Some current allocations of addresses based on the format prefix are:

  Provider-Based Unicast Address: 010
  Link Local Use Addresses: 1111 1110 10
  Site Local Use Addresses: 1111 1110 11
  Multicast Addresses: 1111 1111

Unicast

Format of an IPv6 provider-based global unicast address:

  010 (3 bits) | TLA (13 bits) | NLA (32 bits) | SLA (16 bits) | Interface ID (64 bits)

TLA: Top level aggregate (provider ID)
NLA: Next level aggregate (subscriber ID)
SLA: Site local aggregate (subnet ID)

For comparison, an IPv4 address (32 bits): Network | Subnet | Interface ID

Special Unicast Addresses

In addition to provider-based addresses, there are 5 other kinds of unicast address:
  Unspecified addresses
  Loopback addresses
  IPv4-based addresses
  Site local addresses
  Link local addresses

E.g. IPv4-Compatible IPv6 addresses consist of a 32-bit IPv4 address prefixed by 96 zeroes:

  0.0 ... 0.0 (96 bits) | IPv4 Address (32 bits)

Anycast Address

An anycast address enables a source to specify that it wants to contact any one node from a group of nodes via a single address. A packet with such an address will be routed to the nearest interface in the group, according to the router's measure of distance (hop count, cost, etc.).

One particular form of anycast address is the subnet-router anycast address:

  Subnet prefix (n bits) | 000 ... 000 (128-n bits)

Multicast Address

IPv6 includes the capability to address a predefined group of interfaces with a single multicast address. A multicast address consists of an 8-bit prefix of ones, a 4-bit flag field, a 4-bit scope field and a 112-bit group ID.

Flags (000T):
  T = 0: indicates a permanently assigned or well-known multicast address, assigned by the global internet numbering authority
  T = 1: indicates a non-permanently-assigned, or transient, multicast address

Format (bits):  8         | 4            | 4     | 112
                1111 1111 | Flags (000T) | Scope | Group ID
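As an added Python example (not code from the slides), the parser below splits an address into the eight 16-bit fields described above, writes it back in the slides' notation, and classifies it using the format-prefix table, the special unicast addresses (unspecified, loopback, IPv4-compatible) and the multicast flag/scope layout; the "::" shorthand for a run of zero fields is an assumption added for convenience.

```python
def parse_ipv6(text: str) -> list:
    """Return the eight 16-bit fields as integers, rejecting malformed input.
    The '::' shorthand for one run of zero fields is accepted (assumption)."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        left = [int(h, 16) for h in head.split(":") if h]
        right = [int(h, 16) for h in tail.split(":") if h]
        fields = left + [0] * (8 - len(left) - len(right)) + right
    else:
        fields = [int(h, 16) for h in text.split(":")]
    if len(fields) != 8 or any(not 0 <= f <= 0xFFFF for f in fields):
        raise ValueError("an IPv6 address is exactly eight 16-bit fields")
    return fields

def format_ipv6(fields: list) -> str:
    """Write the fields the way the slides do: eight 4-hex-digit groups."""
    return ":".join("%04X" % f for f in fields)

def classify(text: str) -> str:
    """Map the leading bits onto the slides' format-prefix table, the special
    unicast addresses and the multicast flags/scope layout."""
    n = 0
    for f in parse_ipv6(text):
        n = (n << 16) | f                          # 128-bit integer, first field on top
    if n >> 120 == 0xFF:                           # 1111 1111: multicast
        flags, scope = (n >> 116) & 0xF, (n >> 112) & 0xF
        kind = "transient" if flags & 1 else "well-known"   # T is the lowest flag bit
        return "multicast (%s, scope %X, group ID %X)" % (kind, scope, n & ((1 << 112) - 1))
    if n >> 118 == 0b1111111010:                   # 1111 1110 10
        return "link local"
    if n >> 118 == 0b1111111011:                   # 1111 1110 11
        return "site local"
    if n >> 125 == 0b010:
        return "provider-based unicast"
    if n == 0:
        return "unspecified"
    if n == 1:
        return "loopback"
    if n >> 32 == 0:                               # 96 zero bits followed by an IPv4 address
        return "IPv4-compatible (%d.%d.%d.%d)" % tuple((n >> s) & 0xFF for s in (24, 16, 8, 0))
    return "not in the slides' prefix table"
```

Note that the slides' own example address FEDC:BA98:7654:3210:... starts with the bits 1111 1110 11, so this table files it under site local.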

The IPv6 protocol consists of two headers: the Basic IP Header and the Extension Header.

Packet layout:  Basic IP Header | Extension Header | Data

Basic IP header

  Version no | Class (priority) | Flow label
  Payload Length | Next Header | Hop Limit
  Source Address (128 bits)
  Destination Address (128 bits)

Fields: 4 bit Version No, 4 bit Priority No, Flow Label, Payload Length, Next Header, Hop Limit, 128 bit Source, 128 bit Destination.

Four bit version number: the Internet Protocol version number, in this case 6.

Four bit Priority number: identifies the desired delivery priority of the packet. The priority values are divided into two sets. Values 0 through 7 are used to specify the priority of traffic for which the source is providing congestion control, that is, traffic that "backs off" in case of congestion (for example TCP traffic). Values 8 through 15 are used to specify the priority of traffic that does not back off in response to congestion (for example real-time packets being sent at a constant rate).

For congestion-controlled traffic, the following priority values are recommended for particular application categories:

  0  Uncharacterized traffic
  1  Filler traffic (Netnews)
  2  Unattended data transfer (e-mail)
  3  (Reserved)
  4  Attended bulk transfer (FTP, HTTP, NFS)
  5  (Reserved)
  6  Interactive traffic (Telnet)
  7  Internet control traffic (SNMP)

Flow Label: A flow is a sequence of packets sent from a particular source to a particular destination for which the source desires special handling by the routers. The 24 bit flow label field in the IPv6 header may be used by a source to label those packets for which it requests special handling by the IPv6 routers. This includes non-default quality of service or "real-time" service. All packets belonging to the same flow must be sent with the same source address, the same destination address and the same non-zero flow label.

Payload Length: 16 bit field. The payload length does exactly what it says: it gives the exact length of the payload (i.e., the rest of the packet following the IPv6 header) in bytes.

Next Header: An 8 bit selector. The next header identifies the type of header (Extension Header) immediately following the basic IP header. It uses the same values as the IPv4 Protocol field.

Hop Limit: The hop limit is used to prevent a misrouted packet from travelling around the network forever without being discarded. It is a counter decremented by one each time the packet reaches a node. The packet is discarded when the Hop Limit reaches zero.

Source Address: 128 bit address of the packet's originator.

Destination Address: 128 bit address of the intended recipient of the packet.

Example without an extension header:

  Basic IP Header (Next Header value = TCP) | TCP header | Data

Example with one extension header:

  Basic IP Header (Next Header value = Routing) | Extension Header = Routing (Next Header value = TCP) | TCP header | Data

Extension header

In IPv6, optional information is encoded in one or multiple separate headers that are placed between the Basic IP Header and the payload. There are multiple Extension headers. Each one is identified by a unique value in the Next Header field of the Basic IP Header or of the preceding Extension header. The improvement compared to IPv4 is that Extension Headers can be of arbitrary length. The total amount of options carried in a packet is not limited, and the options can even be fragmented. IPv6 packets may carry zero, one or multiple Extension headers.

There are six different Extension headers:

  Hop by Hop header
  Routing header
  Fragment header
  Destination header
  Authentication header
  Encapsulation header
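The basic header fields and the Next Header chain described above, as an added Python example that is not code from the slides: parse_basic_header() decodes the 40-byte header with the slides' field widths, and walk_headers() follows the chain of extension headers while checking every length against Payload Length. The Next Header values 43 (Routing) and 60 (Destination) come from the slides; the remaining protocol numbers, the per-header length rules and the sample packet are assumptions.

```python
import struct
# Next Header values 43 (Routing) and 60 (Destination) are given on the slides; the
# rest are the standard IANA numbers for the other extension headers (assumed here).
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment",
               50: "ESP", 51: "Authentication", 60: "Destination"}

def parse_basic_header(pkt: bytes) -> dict:
    """Decode the 40-byte basic header with the slides' widths (4-bit priority, 24-bit flow label)."""
    if len(pkt) < 40:
        raise ValueError("truncated basic header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    return {"version": word0 >> 28, "priority": (word0 >> 24) & 0xF,
            "flow_label": word0 & 0xFFFFFF, "payload_length": payload_len,
            "next_header": next_hdr, "hop_limit": hop_limit,
            "src": pkt[8:24].hex(), "dst": pkt[24:40].hex()}

def walk_headers(pkt: bytes) -> list:
    """Return the header names along the Next Header chain, stopping at ESP
    (encrypted, always last) or at the upper-layer protocol. Every length is
    checked against Payload Length so a malformed chain cannot read past it."""
    hdr = parse_basic_header(pkt)
    if hdr["version"] != 6:
        raise ValueError("not an IPv6 packet")
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("Payload Length exceeds the captured bytes")
    chain, next_hdr, off = [], hdr["next_header"], 40
    while next_hdr in EXT_HEADERS:
        chain.append(EXT_HEADERS[next_hdr])
        if next_hdr == 50:
            return chain
        if off + 8 > end:
            raise ValueError("extension header runs past Payload Length")
        # Fragment: fixed 8 octets; AH: 4-octet units (+2); others: 8-octet units past the first 8
        size = (8 if next_hdr == 44 else (pkt[off + 1] + 2) * 4 if next_hdr == 51
                else (pkt[off + 1] + 1) * 8)
        if off + size > end:
            raise ValueError("extension header runs past Payload Length")
        next_hdr, off = pkt[off], off + size
    chain.append("upper-layer protocol %d" % next_hdr)
    return chain

# Constructed sample for the slides' second diagram: basic header (Next Header =
# Routing) -> Routing header (Next Header = TCP) -> placeholder TCP header.
SAMPLE_PACKET = (
    struct.pack("!IHBB", (6 << 28) | (4 << 24) | 0xABCDE, 8 + 20, 43, 64)
    + bytes.fromhex("20010db8" + "0" * 23 + "1") + bytes.fromhex("20010db8" + "0" * 23 + "2")
    + bytes([6, 0, 0, 0, 0, 0, 0, 0])             # Routing header: Next Header = 6 (TCP), length 0
    + bytes(20))                                   # placeholder TCP header
```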

Hop by Hop header

The Hop-by-Hop option header handles every special option which requires hop-by-hop processing.

For example, the PadN option will be inserted in the Hop-by-Hop header when needed (the PadN option is used to insert two or more bytes of padding; padding out a packet consists of adding one or two bits to a packet to obtain a final bit count of 8 or a multiple of 8).

Routing header

Identified by a Next Header label of 43, the Routing Header is used by IPV6 to list one or more intermediate nodes to “go through” on the way to the packet’s destination. This new technique is called address sequencing.

Suppose that address sequences are written as a list of individual addresses separated by commas, like the one below:

SRC, I1, I2, I3, DST

The first Address is the source, the last is the destination and the middle addresses are intermediate nodes.

Address Sequencing

Assume that H1's and H2's sites are both connected to providers P1 and P2. A third, wireless provider PR is connected to both.

        P1
  H1    PR    H2
        P2

The simplest case (no use of address sequences) is when H1 wants to send a packet to H2 containing the addresses:

H1, H2

When H2 replies it reverses the addresses and constructs a packet containing the addresses:

H2, H1

In this example either provider could be used, and H1 and H2 would not be able to select which provider traffic would be sent and received over. If H1 decides that it wants to enforce a policy that all communications from/to H2 can only use provider P1, it would construct a packet containing the address sequence:

H1, P1, H2

This ensures that when H2 replies to H1, it will reverse the route and the reply would also travel over P1. The addresses in H2’s reply would look like:

H2, P1, H1

If H1 became mobile and moved to provider PR, it could maintain (not breaking any transport connections) communication with H2, by sending packets that contain the address sequence:

H1, PR, P1, H2

This would ensure that when H2 replies, it would enforce H1's policy of exclusive use of provider P1 and send the packet to H1's new location on provider PR. The reversed address sequence would be:

H2, P1, PR, H1

Fragment Header

The Fragment header is used by an IPv6 source to send a packet larger than would fit in the path to its destination.

In order to send a packet that is too large, a source node may divide the packet into fragments and send each fragment as a separate packet, to be reassembled at the receiver.

The initial packet is referred to as the original packet and consists of two parts: the unfragmentable part and the fragmentable part.

The unfragmentable part consists of the IPv6 header plus any extension headers that must be processed by nodes along the path to the destination.

The fragmentable part is made up of the rest of the packet, that is, any extension header that only needs to be processed by the final destination.

Original packet:   Unfragmentable Part | Fragmentable Part

Fragment packets:  Unfragmentable Part | Fragment Header | First Fragment
                   Unfragmentable Part | Fragment Header | Second Fragment
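The split described above, as an added Python example (not code from the slides): fragment() copies the unfragmentable part in front of each fragment and inserts a Fragment header, and reassemble() rebuilds the fragmentable part from fragments that may arrive in any order, refusing sets with holes or mixed identifications. The Fragment header layout (Next Header, reserved, 13-bit offset in 8-octet units, M flag, 32-bit identification) and the Next Header value 44 are taken from the standard, not from the slides; the sample packet is constructed.

```python
import struct

FRAGMENT_HEADER = 44   # standard Next Header value for the Fragment header (assumed; not on the slides)

def fragment(unfrag: bytes, next_header: int, fragmentable: bytes, mtu: int, ident: int) -> list:
    """Split the fragmentable part into packets of at most `mtu` bytes.
    `unfrag` is the unfragmentable part (basic header plus path-processed
    extension headers) whose last Next Header field already reads 44;
    `next_header` is the value that followed it in the original packet."""
    room = mtu - len(unfrag) - 8                  # bytes left after the 8-byte Fragment header
    room -= room % 8                              # fragment offsets are in 8-octet units
    if room <= 0:
        raise ValueError("MTU too small to carry any fragment data")
    packets = []
    for off in range(0, max(len(fragmentable), 1), room):
        chunk = fragmentable[off:off + room]
        more = 1 if off + room < len(fragmentable) else 0
        frag_hdr = struct.pack("!BBHI", next_header, 0, ((off // 8) << 3) | more, ident)
        payload_len = len(unfrag) - 40 + 8 + len(chunk)   # Payload Length also counts the extension headers
        head = unfrag[:4] + struct.pack("!H", payload_len) + unfrag[6:]
        packets.append(head + frag_hdr + chunk)
    return packets

def reassemble(packets: list, unfrag_len: int) -> tuple:
    """Rebuild (next_header, fragmentable) from fragments sharing one
    unfragmentable part of `unfrag_len` bytes; arrival order does not matter."""
    pieces, total, ids, nh = {}, None, set(), None
    for p in packets:
        nh, _, offm, ident = struct.unpack("!BBHI", p[unfrag_len:unfrag_len + 8])
        off = (offm >> 3) * 8
        pieces[off], ids = p[unfrag_len + 8:], ids | {ident}
        if not offm & 1:                          # M = 0: this is the last fragment
            total = off + len(pieces[off])
    if len(ids) != 1 or total is None:
        raise ValueError("incomplete fragment set or mixed identifications")
    out, off = b"", 0
    while off < total:                            # walk the byte offsets; any hole is an error
        if not pieces.get(off):
            raise ValueError("missing or empty fragment at byte offset %d" % off)
        out, off = out + pieces[off], off + len(pieces[off])
    return nh, out[:total]

# Constructed sample: a bare 40-byte basic header (Next Header = 44, Hop Limit 64,
# placeholder addresses) as the unfragmentable part and 60 bytes of data.
UNFRAG = struct.pack("!IHBB", 6 << 28, 0, FRAGMENT_HEADER, 64) + bytes(15) + b"\x01" + bytes(15) + b"\x02"
DATA = bytes(range(60))
```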

Destination Header

The Destination option header is used to carry optional information that needs to be examined only by a packet's destination node. This header is identified by a Next Header value of 60. Different actions will be available in the destination header but have yet to be defined.

IPv6 Security

Application-specific security mechanisms exist, e.g.:
  secure HTTP and Secure Socket Layer for web access
  SNMPv2 security for network management
  Privacy Enhanced Mail and PGP for electronic mail

However, the security concerns that cut across protocol layers still have to be addressed.

Solution: by implementing security at the IP level, an organization can ensure secure networking not only for applications that have their own security mechanisms but also for the many security-ignorant applications.

IETF standards:
  RFC 1825: An overview of a security architecture
  RFC 1826: Description of a packet authentication extension to IP
  RFC 1828: A specific authentication mechanism
  RFC 1827: Description of a packet encryption extension to IP
  RFC 1829: A specific encryption mechanism

IP level security

Authentication: the authentication mechanism ensures that a received packet was in fact transmitted by the party identified as the source in the packet header.

Privacy: The privacy facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.

The security features are implemented as extension headers that follow the main IP header. The extension header for authentication is known as the authentication header; that for privacy, the encapsulating security payload (ESP) header.

Security Association

A security association is uniquely identified by an internet destination address and a security parameter index (SPI). Hence, in any IP packet, the security association is uniquely identified by the destination address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (authentication header, AH, or ESP header).

Example of an authenticated and encrypted packet:

  IPv6 Header | Routing Header | AH | ESP Header | TCP Header + Data

Authentication

The authentication header provides support for data integrity and authentication of IP packets. The AH consists of the following fields:

ESP

The AH header does not transform data. When confidentiality is desired, the ESP header should be used. This header is always the last one in the chain of IPv6 extension headers.

Format of the ESP header:

  32-bit SPI
  32-bit Sequence number
  Encrypted Data & Parameters
  Authentication Data

The use of ESP provides support for privacy and data integrity for IP packets.

ESP can operate in two different modes:
  Transport-mode ESP encrypts either a TCP, UDP or ICMP segment.
  Tunnel-mode ESP encrypts an entire IP packet.

Transport-mode operation provides privacy for any application that uses it, thus avoiding the need to implement privacy in every individual application.

Tunnel-Mode ESP -- Tunnel-mode ESP is used to encrypt an entire IP packet. For this mode, the ESP is prefixed to the packet and then the packet plus a trailing portion of the ESP header is encrypted. This method can be used to counter traffic analysis.

Authentication plus Privacy

The two IP security mechanisms can be combined in order to transmit an IP packet that has both privacy and authentication.

Encryption Before Authentication: the entire transmitted IP packet is authenticated, including both encrypted and unencrypted parts.

Authentication Before Encryption: the AH is placed inside the inner IP packet; this inner packet is both authenticated and protected by the privacy mechanism.