Upload
hanums1
View
217
Download
0
Embed Size (px)
Citation preview
8/14/2019 A Study on IPv6 in IPv4 Static
1/5
8/14/2019 A Study on IPv6 in IPv4 Static
2/5
encapsulated inside the packet of protocolarchitecture,thus enabling the original data to be carried
over the second protocol.This mechanism can be used
when two nodes that use same protocol wants to
communicate over a network that uses another network
protocol.The tunneling process involves threesteps:encapsulation,decapsulation,and tunnel
management.It also requires two tunnel end-points,which
in general case are dual-stack IPv4/IPv6 nodes,to handlethe encapsulation and decapsulation.Tunneling is one of
the key deployment strategies for both service providersand enterprises during the period of IPv4 and IPv6
coexistence.
Tunneling allows service providers to offer an end-to-end
IPv6 service without major upgrades to the infrastructure
and without impacting current IPv4 services.Tunneling
allows enterprises to interconnect isolated IPv6 domains
over their existing IPv4 infrastructures,or to connect to
remote IPv6 networks such as the 6bone.The IETF has
made a great contribution on this topic.
(2)Research on analyzing the typical tunnelingscenarios and how to provide relevant tunneling
schemes:As there are a variety of different scenarios
during IPv6 tunneling the typical scenarios need to be
emphasized about IPv6 deployment and applying suitable
transition mechanisms.
This paper presents a comprehensive explanation about the
current status of research on IPv6 in IPv4 Static Tunneling
mechanisms with Automatic 6 to 4 Tunneling.This paper isorganized as follows:We briefly described Introduction to
tunnels in 4G networks,Preliminary Definitions of
Tunneling Techniques,General Working procedure for the
operation of Tunnels,Research on IPv6 tunneling issues in
Section 2.We described,4G and IPv6 networks,desirable
characteristics of 4G networks,the characteristics of IPv6
4G,Initiatives on the 4G in section 3.Basic IPv6 Tunneling
Mechanisms,Role of IPv6 tunnels in 4G,Types of tunnelingin 4G networks,representation of IPv6 Tunneling types in
4G Networks with Class-Diagrams and Instance Diagrams
and a Static tunneling in 4G networks,limitations of IPv6
static tunneling.in section 4.The prototype,threat analysis
due to transition mechanism,IPv6 tunneling,IPv6
threats,Security issues in IPv6 tunneling has explained in
section 5,The future innovative challenges of IPv6 threats
has covered in section 6.Finally we concluded the whole
paper in section 7.
I. IPv6 Tunneling Methods in 4G networks.This section presents a number of tunneling techniques we
have studied and analyzed to tackle the tunneling
mechanisms/strategies.Depending on their objective tunneling
types are broadly divided into different types depending upon
the IPv6 specifications.The IPv6 specification defines several
types of IPv6-in-IPv4 tunnels,including Manually configured
tunneling,Automatic tunneling,Generic routing encapsulation(GRE), Semiautomatic tunneling mechanisms such as tunnel
brokers,6-to-4[12],ISATAP[13]and Teredo[14].IPv6 alsosupports for GRE tunnels over IPv4,our results suggest that
tunnels are very common in the todays internet and the
transition to IPv6 occurs smoothly and slowly.So tunnels to
continue to play an important role in IPv6 networks,as IPv4
network infrastructure will remain widely deployed for many
years.
a.Types of Tunneling in 4G Networks.
Tunneling techniques are broadly divided into two types,firstone is an automatic tunneling and second one is configuration
tunneling.The tunneling technique we can use the compatible
addresses discussed as shown in the below figure-6.A
compatible address is an address of 96 bits of zero followed by
32 bits of IPv4 address.It is used when a computer using IPv6
wants to send a message to another computer using
IPv6.However suppose the packet passes through a region
where the networks are still using IPv4.The sender must use
the IPv4-compatible address to facilitate the passage of the
packet through the IPv4 region.For example the IPv4 address
2.13.17.14 becomes 0::020D:110E.The IPv4 is pre pended
with 96 zeros to create a 128bit address(See figure-3)[10].
Fig3.The IPv6 Compatible Address.
b.Representation of IPv6 Tunneling types in 4G Networks
with Class-Diagrams and Instance Diagrams.
Fig 4.The Tunneling types with Class-Diagram.
As we know that tunneling types are broadly divided intoAutomatic,Manually configured tunneling,GRE
tunneling,Tunnel brokers etc.In Fig.4.we have represented the
tunneling types by using Class-Diagrams.A Class digram is a
type of Object diagram.A Class diagram is a
Schema,pattern,or template for describing many possible
instances of data.A Class diagram describes Classes[16].AClass diagram represents either bidirectional or ternary
relationship.In Fig.4.a Class Diagram may be traversed either
from Left to Right or from Right to Left.In the Fig.4.5+
represents the value of multiplicity(Multiplicity specifies how
many instances of one class may relate to a single instance of
an associated class.Or Multiplicity constrains the number of
related objects.) i.e.IPv6 Tunneling has broadly divided intomore than 5 types.A Solid ball is the OMT symbol for manymeaning zero or more.A hollow ball indicates optional
meaning zero or more[16].has-divided represents the Binary
association between IPv6-Tunneling and Tunneling
type.Instance Diagram is also another type of Object diagram
which represents objects or instances.The Fig.5.specifies an
Instance diagram for Tunneling types[16][17][18].The lines
between the objects or instances represents the links[16][17].
8/14/2019 A Study on IPv6 in IPv4 Static
3/5
Fig.5.The Tunneling types with Instance-Diagram.
d. Static Tunneling in 4G Networks.
Static tunneling is also called as Configured tunneling.Static
tunneling can be used to link isolated islands of IPv6, in which
the network domains are well known and unlikely to change
without notice.A static configured tunneling is equal to a
permanent link of two IPv6 domains with the permanent
connectivity provided over an IPv4 backbone.Static tunneling
assigned IPv4 addresses are manually configured to the tunnel
source and the tunnel destination.The identification of which
packets has to send through a tunnel via a routing table in the
tunnel end points,the table direct packets based on their
destination address using prefix mask and match technique.In
a static tunneling the host or router at each end of a static
configured tunnel must support both IPv4 and IPv6 protocol
stacks.The static tunneling in 4G networks was mostpreferred when the necessary of a few tunnels to forward a
packets from source host to the destination host via tunnel end
points.The below figure-6.shows the IPv6 static tunneling in
4G networks.The requirements of IPv6 Static tunneling are
R1,R2 are dual stack.R1 has a reachable address from R2 and
vice versa.In IPv6 static tunneling static configuration is
possible on both the ends.The IPv6 static tunneling has
dependency on the 4 pararmeters like IPv6,IPv4,R1,R2.
Fig.6.IPv6 Static tunneling in 4G networks.The below Table-1 shows the configuration of IPv6 Static tunneling in 4G
networks.
Configuration Parameter Router R2 Router R1
IPv6 Source address 3ffe:b00:1:1::
1
3ffe:b00:1:1::2
IPV6 Destination
address
3ffe:b00:1:1::
2
3ffe:b00:1:1:1
IPv4 Source address 192.0.2.1 192.0.3.1
IPv4 Destination address 192.0.3.1 192.0.2.1
4.4.1.Limitations of IPv6 static tunneling.
Manual configuration is not manageable,ifthe number of tunnels are increasing.
If the IP addresses change,then changes in
manual configuration is also possible.
IP protocol 41 might be filtered in the path.
Does not traverse NAT.
IV.Related Work.
a.Threat Analysis due to Transition Mechanisms.
Threat modeling (or analysis) is essential in order to help us todevelop a security model than can focus or protecting against
certain threats and manage the related assumptions. One
methodology to discover and list all possible security attacks
against a system is known as attack trees.To create an attack
tree we represent attacks against a system in a tree structure,
the attack goals as root nodes and the different sub goals
necessary to achieve them as their leaf nodes.Figure-7
represents the general threat categories we have identifiedagainst network convergence architectures namely attack on
the network processes are responsible for IPv6 transition,Dualstack,Automatic tunneling and Configuration tunneling
threats.Dual Stack threats are totally different from the IPv6
Tunneling techniques like an automatic tunneling and
Configuration tunneling,manually configured tunneling,Static
tunneling etc.As we have discussed there are large number of
transition mechanisms to deploy IPv6 but broadly be
categorized into,Dual Stack,Tunneling(Automatic,Manual
Configuration),and Translation Header.The problems areidentified when IPv6 is tunneled over IPv4 encapsulated in
UDP as UDP is usually allowed to pass through NATS and
Firewalls [59].Consequently allowing an attacker to punchholes with in the security infrastructure.The First and Second
authors of this paper recommends that if the necessary security
measures cannot be taken ,tunneled traffic should be used with
caution if not completely blocked.To provide ingress and
egress filtering of known IPv6 tunneled traffic, perimeterfirewalls should block all inbound and outbound IPv4 protocol
41 traffic.For circumstances where Protocol 41 is not blocked
it can easily be detected and monitored by the open-source
IPv4 IDS Snort.During the development of the IP6-to-IPv4
threat model we have identified that several attacks lead to
other attacks which we have previously included and
analyzed.These are represented in the tree as identical nodes in
different locations.
b. IPv6-Tunneling-IPv6 Threats.
In Tunneling based methods,when a tunnel end point receives
an encapsulated data packet,it decapsulates the packet and
sends it to the other local forwarding scheme.The security
threats in tunneling mechanisms,take IPv6 over IPv4 tunnel
are mostly caused by the spoofed encapsulated packet sent by
the attackers in an IPv4 networks.(Refer-Fig.7).As shown in
Fig.7.the target of attacks can be either a normal IPv6 node, or
the tunnel end point.
Fig.9.Spoofing in an IPv4 with 6 to 4.
Fig.7.Security issues of various tunneling types.
c.The Security issues in IPv6 tunneling are as follows.
1. The hard to trace back :
8/14/2019 A Study on IPv6 in IPv4 Static
4/5
Case-1:IPv4 networking node can make an attack on IPv6
node(network):The attackers(hackers) in IPv4 networks can
make an attack on the IPv6 nodes through the 6to4
router(tunnel)end point by forwarding a spoofed encapsulated
messages(Packets).Therefore here in this situation it is very
difficult to trace back.
Case-2:IPv6 networking node can make an attack on IPv6
network (node):In this type the hacker in IPv6 networks can
make an attack on the IPv6 network through 6-to4 relay endpoint and 6-to4 router by sending a spoofed encapsulated
packets.In this case also its very difficult to trace back.(ReferFig-7)
2.Potential reflect- DoS attack on Destination Host
(Refer-Fig-7):The hackers in the IPv4 networks can make a
reflectDoS attack to a normal IPv6 network (node) through
the 6-to-4 router (tunnel) end point by sending the
encapsulated packets with the spoofed IPv6 source address as
the specific IPv6 node.
3.Cheat by a Hacker with the IPv6 Neighbor Discovery
(ND) message:Whenever IPv4 network is treated as the link
layer in tunneling technology,the hackers in the IPv4 networks
can cheat and DoS attack the tunnel end point by sendingencapsulated IPv6 neighbor discovery (ND)messages with aspoofed IPv6 link local address.The automatic tunneling
techniques like 6-to 4 and Teredo get the information ofremote tunnel end point from the certain IPv6 packets.
Distributed Reflection DoS:This type of attack can be
performed if the very large number of nodes whenever
involved in the sending spoofed traffic with same source IPv6
addresses.
1. If the Destination host generates replies by using TCPSYN ACK,TCP RST,ICMPv6 Echo reply,ICMPv6
Destination unreachable etc):In this case of attack the
victim host is used as a reflector for attacking another
victim connected to the network by using a spoofed
source(Refer Fig-7).
2.Spoofing in IPv4 with 6 to 4:In this type of attack 6 to 4
tunneling spoofed traffic can be injected from IPv4 intoIPv6.The IPv4 spoofed address acts like an IPv4 source,6 to 4
relay any cast (192.88.99.1)acts like an IPv4 destination.The
2002::spoofed source address acts like an IPv4 destination.
[Refer-Fig-9]
7.Theft of Service:During the IPv6 transition period, many
sites will use IPv6 tunnels over IPv4 infrastructure. Sometimes
we will use static or automatic tunnels.The 6 to 4 relay
administrators will often want to use some policy limit the use
of the relay to specific 6 to 4 sites or specific IPv6sites.However some users may be able to use the service
regardless of these controls by configuring the address of the
relay using its IPv4 address instead of 192.88.99.1 or using the
router header to route the IPv6 packets to reach specific 6 to 4
relays.
8.Attack with IPv4 broadcast address:In the 6 to 4
mechanisms,some packets with the destination addresses
spoofed and mapped to their broadcast addresses of the 6to4
or relay routers are sent to the target routers by the attackers inthe IPv6 network.In this case also 6 to 4 or relay routers are
attacked by the broadcast addresses.
The security issues in tunneling mechanisms can generally
limited by investigating the validness of the source/destination
address at each tunnel end point.Usually in tunneling
techniques it is easier to avoid ingress filtering
checks.Sometime it is possible to send packets having link-
local addresses and hop-limit=255,which can be used to attacksubnet hosts from the remote node,but it is very difficult to
deal with attacks with legal IP addresses now[26].Since thetunnel end points of configuration tunnels are fixed,so IPSec
can be used to avoid spoofed attacks[29].IPv6 Security issues
even though it has provided lot off features but its known that
automatic tunneling are dangerous as other end points are
unspecified because its very difficult to prevent automatic
tunneling mechanisms DoS/reflect-DoS attacks by the
attackers in IPv4 network.
V.Simulation and Results.
The following are the assumptions made in the ns-2 simulation
model.It consists of IPv6 automatic tunneling ,IPv6 manuallyconfigured tunneling,GRE tunneling,Tunnel broker etc.The
Graph shown In figure-10 is the combined graph of number ofthreats v/s tunneling types.we can observe that if we are using
static tunneling then number of threats were verysmall,otherwise if we are preferring Automatic tunneling or
manually configured tunneling then threats also increases.So
this paper shows how static tunneling is a best technique to
avoid threat issues.The Static tunneling reduces the number of
threats as compared to other IPv6 tunneling types etc.Hence
more number of threats to be avoided by using a static IPv6 to
IPv4 tunneling.The below figure-10 shows the graph of IPv6
threat v/s static tunneling in IPv6.
Fig.10.Threat V/s Tunneling types.
VI.The Current and future Innovative research
challenges of IPv6 threat issues for Researchers.
This paper has not considered the overall threat review of IPv6
for all the aspects like,IPv6 Static tunneling
mechanisms,which is a large and complex topic.To provide a
complete overview of IPv6 security this paper should be in
conjunction with the IPv6 to IPv4 threat review with IPv6
Static and Automatic tunneling considerations.The most
important area to move forward with in IPv6 security is theextension of current IPv6 Firewalls and Network tools to testthem(IPv6 packet constructors,IDSs and so on).This will
allow more users to adopt IPv6 without being paranoid about
their openness to attack.
Before formulating analysis,we have proposed(formulated)
several innovative research challenges.Presently there have
been plenty of studies done on the research about basic
security issues of IPv6, threat issues of IPv6,however there are
still so many problems not yet resolved yet,calling for great
8/14/2019 A Study on IPv6 in IPv4 Static
5/5
challenges ahead.The innovative research challenges of IPv6threat issues are as follows.
1.Notion of the system identification within an
organization:With the advent of privacy extensions and the
size of IPv6 ranges in use,identifying systems within an
organization and in particular identifying mis behaving.
2.Transition mechanisms from IPv4 to IPv6:The current
research on the basic transition mechanisms mostly focus on
the situation of IPv6 over IPv4.Due to advanced deploymentof IPv6,the IPv4 networks may also be separated by IPv6
ones.We are using only few kinds of method in this situationlike IPv4 configuration tunnel and DSTM,more research on
IPv4 over IPv6 transition methods is necessary.
3.Increased dependence on multicast addresses in IPv6 could
have some interesting implications with flooding attacks.For
example all routers and NTP servers have site specific
multicast addresses.Can we use site specific multicast
addresses to create an amplification attacks as similar as to the
smurf attacks in IPv4 4.We know that neighbor discovery is anew addition to the IPv6 to replace ARP and RARP of IPv4
and also it is an essential component of a well-run IPv6
network it should be tested from a security point like aneighbor-discovery cache fall victim to a resource starvation
attack in any of the currently deployed neighbor discovery
implementations.Can the CPU of a device be exhausted by
processing information of IPv6 neighbor discovery?
5.IPv6 is new and security information on the protocol is notwidespread,it is the opinion of all the authors that a large
number of dual stack hosts may be more exposed to attack
with IPv6 than in IPv4.6.With a new IPv6 header
configuration, new extension headers, and ICMP message
types there may be a several novel ways to deal with flooding
attacks.
7.Scenario Analysis:Typical Scenario analysis is still in
progress. Some of them are in draft mode, such as enterprisenetwork analysis along with this other possible scenarios
should also be analyzed to support for next coming future
wireless technologies.
Conclusion.
In this paper,we presented DTMIPv6 a Design tool for mobile
IPv6 to support IPv6 tunneling,IPv6 to IPv4 Static tunneling ,
Mobile IPv6 etc.Motion behind DTMIPv6 stems from the fact
that how mobility,tunneling, threats issues,as well as security
plays an important role in 4G networks.We demonstrated how
DTMIPv6 can address several issues for the future networking,research(innovation)and how it cope with complexity and
dynamic intrinsic to future environments.As for as we know
DTMIPv6 is also a system tool that offers mobility support
like other tools named such as proton for 4G mobile users.We
have also demonstrated concepts from IPv6 in IPv4 static
tunneling,threats issues,and its security issues to avoid threats
can be applied to the design of novel solutions that brings us
one more threat model and security model in open networking
challenges.This project consolidates the idea of building a
threat issues for IPv6 in IPv4 static tunneling.
References[1].Dr.Manjaiah.D.H.,Hanumanthappa.J,2009,:IPv6 and IPv4 Threat reviews
with Automatic Tunneling and Configuration Tunneling Considerations
Transitional Model:A Case Study for Universi ty of MysoreNetwork,International Journal of Computer Science and Information Security
(IJCSIS),Vol-3,Number-01,July-2009.
[2].Dr.Manjaiah.D.H.,Hanumanthappa.J,2008,:A Study on Comparison and
Contrast between IPv4 and IPv6 Feature sets.,Proceedings of
ICCNS08,2008,Pune.,pp.297-302.[3].Dr.Manjaiah.D.H.,Hanumanthappa.J.2008,:Transition of IPv4 Network
Applications to IPv6 Applications,Proceedings of ICETiC-09,2009,S.P.G.C.Nagar,VirudhaNagar-626001,TamilNadu,INDIA.,pp.35-40.
[4].Dr.Manjaiah.D.H.,Hanumanthappa.J.2009,:IPv6 over Bluetooth:Security
Aspects,Issues and its Challenges,Proceedings of NCWNT-09,2009,Nitte-574110,Karnataka,INDIA.,pp.18-22.
[5].Dr.Manjaiah.D.H.,Hanumanthappa.J.2009,:Economical and Technical costs
for the Transition of IPv4to-IPv6 Mechanisms[ETCTIPv4 to
ETCTIPv6],Proceedings of NCWNT-09,2009,Nitte-
574110,Karnataka,INDA.,pp.12-17.[6].Dr.Manjaiah.D.H.Hanumanthappa.J.2009,:An Overview of Study on
Smooth Porting process scenario during IPv6 Transition(TIPv6),Proceedings of
IEEE IACC-09,2009,Patiala,Punjab,INDIA-6-7,March-2009.,pp.2217-2222.
[7].Dr.Manjaiah.D.H.Hanumanthappa.J.2009,:IPv6 over IPv4 QoS metrics in
4GNetworks:Delay,Jitter,Packet Loss Performance,Throughput and TunnelDiscovery mechanisms.Proceedings of NCOWN-2009,RLJIT,Doddaballapur,
Bangalore,Karnataka,INDIA,August-21-22-pp.122-137.
[8].S.Deering and R.Hinden,:Internet Protocol Version 6(IPv6)Specification,RFC 2460,December 1998.
[9].S.Tanenbaum,Computer Networks,Third Edition,Prentice Hall
Inc.,1996,pp.686,413-436,437-449.
[10].Behrouz A.Forouzan,Third Edition,:TCP/IP Protocol Suite.
[11].Atul Kahate,Cryptography and Network Security,Tata McGraw-
Hill,2003,pp-8-10.
[12].R.Gilligan and E.Nordmark ,Transition mechanisms for IPv6 Hosts and
Routers,RFC 2893,Aug 2000.
[13].R.Woodburn and D.Miills,RFC1241:Scheme for an Internet
encapsulation protocol:Version 1,July 1991.
[14].R.Atkinson and S.Kent,Security architecture for the internet
protocol,RFC 2401,Nov.1998.
[15].D.Provan,RFC1234:Tunneling IPX traffic through IP networks,June
1991.
[16].Ali bahrami,Object Oriented systems development using UML,Mc-Graw-Hill Intl editions,1999.
[17].James Rumbaugh,Michael Blaha,William Premeralini,Object-Oriented
Modeling and Design,PHI,2001.
[18].Grady Booch,:Object oriented Design.
M r.Hanumanthappa.J. is Lecturer at the DoS inCS,University of Mysore,Manasagangothri,Mysore-06
and current ly pursuing Ph.D in Computer Science and
Engineering, from Mangalore University under the supervision of
Dr.Manjaiah.D.H on entitled Design and Implementation of IPv4to- IPv6 Transition
Scenarios for 4G-Networks.
Dr. Manjaiah.D.H is currently Reader and Chairman, Department
of Computer Science Mangalore University, Mangalore. He received
PhD degree from University of Mangalore, M.Tech. From NITK, Surathkal and B.E.,
from Mysore University. Dr.Manjaiah D.H has an extensive academic, Industry and
Research experience. He has worked at many technical bodies like IAENG, WASET,
ISOC, CSI, ISTE, and ACS. He has authored more than - 45 research papers in
international conferences and reputed journals. He is the recipient of the several talks for
his area of interest in many public occasions and International and National conferences.
He is an expert committee member of an AICTE and various technical bodies. Dr
.Manjaiah. D.Hs areas interest are Computer Networking & Sensor Networks, Mobile
Communication, Operations Research, E-commerce, Internet Technology and Web
Programming.