The Impact of IPv6 and the IoT on Smart Home Technology

Copyright 2016. Icontrol Networks.

Impact of IPv6 on Smart Home TechnologyApril 5, 2016

Copyright 2016. Icontrol Networks. 2

Introduction

Corey GatesCTO

Icontrol Networks, Inc.


RETAIL SOLUTIONS

TOP NORTH AMERICANCABLE PROVIDERS

WORLD’S LARGEST HOMESECURITY PROVIDERS

LEADING INTERNATIONAL SERVICE PROVIDERS

Connected Home Solutions Powered by Icontrol


Doesn’t IPv4 Just Work?

For Sale

iPhone 6 16g cracked screen works fine for sprint willing to trade for another sprint phone also

Source: varagesale.com, March 2016


IPv6 In Context

IPv4 address availability is in decline

Source: APNIC Labs, March 2016


IPv6 In Context

Number of devices dramatically increasing

Source: Business Insider Intelligence, 2015

Smart HomeDevicesIncludedHere


IPv6 In Context

Number of services increasing

Source: Forrester Research Inc., June 2015

Services RequiringInternet

Connectivity


IPv6 In Context

Source: Image from blog.apnic.net

IPv6 is needed to ensure pervasive Internet connectivity


Device Development and IPv6: Top Four Considerations



Education



Education Standards



Education Standards

Security



Education Standards

Security Fallback Plan


Education

Education Plan


Education

Education Plan

IPv6 Protocol


Education

Education Plan

IPv6 Protocol

struct in6_addr addr;

s = socket(AF_INET6, SOCK_STREAM, 0);

IPv6 APIs


IPv6 Protocol: Comparing IPv4 with IPv6

• IPv6 headers are focused on data needed for routing

Source: cisco.com CC-‐BY-‐SA-‐3.0, via Wikimedia Commons


IPv6 Protocol: Comparing IPv4 with IPv6

• IPv6 extension headers add flexibility, but also complexity

IPv6 Header TCP Header Data

Next Header

Ext Header

Next Header

Zero or more extension headers:• Fragments• Routing• Security• Mobility…


IPv6 Protocol: IPv6 vs. IPv4 Address Space

• Different address space means a different network


IPv4 Network

IPv6 Network

Device example.com

DNS: A record

DNS: AAAA record


IPv6 Protocol: Address Assignment

• Stateless Address Auto Configuration (SLAAC) vs. DHCPv6

Network prefix Interface Id

Global prefix Link-‐local prefix MAC-‐based Pseudo-‐random

SLAAC enables a node to obtain an IPv6 address in a decentralized mannerDHCPv6 enables a centralized address assignments

What about Default Router, DNS, NTP, etc.?

☛ Available through DHCPv6 or ICMPv6 Router Announcements


IPv6 Protocol: ICMPv6

• ICMPv6 – Control protocol for IPv6• Must be supported• Replaces ARP with ND over multicast• Assists with configuration, routing -‐more than ICMP did• Reducing fragmentation -‐ Path MTU


checksumtype code

message body

0-‐127 = error message128-‐255 = informational


IPv6 Protocol: Multicast

• Multicast• Must be supported• How to Broadcast? => Link-‐local multicast group• Multicast address format allows multiple scopes:

Source: RFC 7371, September 2014

11111111 flags scope net prefixrsvd plen group id

temporaryor

permanent

1=node-‐local2=link-‐local5=site-‐local8=organization-‐local14=global

0:0:0:0:0:1 = all nodes0:0:0:0:0:2 = all routers…

flgs2


IPv6 Protocol Education Summary

• New addressing scheme means a new network • DNS records are different

• Decentralized way to obtain addresses• Changes to well known protocols:

• ICMPv6 now critical• DHCPv6 less important and often not needed• ARP is not used


IPv6 APIs

IPv6 impacts various APIs• C,C++,C#,Go,Java,JS,Python,Ruby,Swift etc. are affected• New data structures or new interfaces introduced• Error handling may change

IPv6 impacts DNS lookup and processing• Service discovery• Fallback process (more on this later)


IPV4 to IPv6 Porting Example

struct sockaddr_in server;...server.sin_len = sizeof(server);server.sin_family = AF_INET;server.sin_addr.s_addr = INADDR_ANY;server.sin_port = 0;if (bind(sock, (struct sockaddr *) &server, sizeof(server)) <0) {...

struct sockaddr_in6 server;...server.sin6_len = sizeof(server);server.sin6_family = AF_INET6;server.sin6_addr = in6addr_any;server.sin6_port = 0;if (bind(sock, (struct sockaddr *) &server, sizeof(server)) <0) {...

IPv4:

IPv6:


IPv6: Further Education

Learn about IPv6• Tutorials and primers

• Free tutorials on the web• Lots of primers and slideware available

• Technical training• Involve both managers and developers


Standards

Relevant IPv6 standards exist in multiple domains

• IPv6 related standards


Standards


• IPv6 related standards• IPv4 transition standards


Standards


• IPv6 related standards• IPv4 transition standards• Various communication standards related to IPv6

• Example: HTTPS (over TCP over TLS over IPv6)• Example: Thread (mapping IPv6 onto 802.15.4)• …


Security

Security must be considered from the start• New network layer -‐> time to re-‐examine security


Security


• ICMPv6 and multicast• IPv6 depends on ICMPv6 and multicast• Cannot just shut this down (no ARP!)


Security



• Dual stacks• Do not presume IPv6 is “off”• Need to audit and test both connectivity modes


Security



• Dual stacks• Do not presume IPv6 is “off”• Need to audit and test both connectivity modes

• Auto-‐configuration• May expose MAC address• “Privacy” addresses using pseudo-‐random ids


Security

• Multiple addresses• Very common in IPv6


Security

• Multiple addresses• Very common in IPv6

• Some things to watch out for• Buffer overflow issues

• Larger IP addresses• DNS results (glibc had getaddrinfo buffer overflow!)

• Packet Filtering• Fake RA and ND multicasts

• Fallback attacks• Downgrading of security protocols• Forcing IPv4 addresses


Fallback Plan

Is IPv4 alive and well?

By Dhatfield -‐ Own work, CC BY-‐SA 3.0, https://commons.wikimed ia.org/w/ index.php?cur id=4 27988 6


Fallback Plan

Is IPv4 alive and well?

By Dhatfield -‐ Own work, CC BY-‐SA 3.0, https://commons.wikimed ia.org/w/ index.php?cur id=4 27988 6

IPv4


Fallback Plan

Top ten networks by volume only average 39% IPv6

0%10%20%30%40%50%60%70%80%90%

100%

IPv6/Adoption

Source: Internet Society, March 2016


Fallback Plan

Dual Stack IPv4/IPv6• Service discovery

• Can IPv6 be used? Or only IPv4?


Fallback Plan


• Can IPv6 be used? Or only IPv4?• Network discovery

• Can IPv6 route to Internet services?


Fallback Plan



• Can IPv6 route to Internet services?• Security issues

• How to protect a system with multiple interfaces?


Fallback Plan



• Can IPv6 route to Internet services?• Security issues

• How to protect a system with multiple interfaces?• Usability issues

• Does the user need to know which network?• How will the UI expose this duality?


Four Considerations

Education Standards

Security Fallback Plan


Thanks

Questions?

Twitter:@CoreyCoreygates

Copyright 2016. Icontrol Networks.

Documents

The Impact of IPv6 and the IoT on Smart Home Technology