Yi-Hsun Lai
Why do we need IPv6
 Introduction to IPv6
 IPv6/IPv4 Transition
 IPv4/IPv6 Dual Stack Schemes
 IPv4/IPv6 Tunnel Mechanism
 IPv6 Tunnel Broker
 Using Tunnel Broker
Why do we need IPv6
5 percent of the world's population uses 60 percent of the allocable IPv4 address space
 20 percent of the world population wants access to the Internet
 Huge address space
 The IPv6 address space uses a 128-bit address
 340,282,366,920,938,463,463,374,607,431,76
 6.65 x 10^23 addresses in every square meter on
Why do we need IPv6
Header format simplification.
 IPv6 has been designed to be extensible
by introducing a more flexible header
 survive a longer time in current complex
networks than IPv4
 Both cellular and wireless networks have
been further developed.
IPv6 improvement (1)
 Expanded Addressing Capabilities
 IPv6 increases the IP address size from 32 bits to 128 bits, to provide more levels of addressing hierarchy and a much greater number of addresses.
 Header Format Simplification
 The simple IPv6 header makes the IPv6
packet faster at processing and more
IPv6 improvement (2)
 Improved Support for Extensions and
 More efficient forwarding, less stringent limits on
the length of options, and greater flexibility for
introducing new options in the future.
 Flow Labeling Capability
 Some special traffic flows need special handling such as non-default quality of service or real-time
IPv6 improvement (3)
 Authentication and Privacy Capabilities
 Extensions to support authentication, data integrity,
and data confidentiality are specified for IPv6.
 Neighbor Discovery and Address Autoconfiguration
 Address autoconfiguration: one of the most useful features of IPv6
 Plug devices into your network, and each of them will automatically be assigned a valid IPv6 address.
 Neighbor Discovery: find information about the neighbors connected to the device.
IPv6 Security features
 Optional in IPv4, required in IPv6
 SEND (SEcuring Neighbour Discovery)
 Protection against Neighbor
Discovery-based denial of service
(DoS) attacks by nodes
 AAAv6
 Provide Authentication, Authorization
and Accounting
Attacks against IPv6
 DoS attacks
 Attacker causes congestion on victim’s
 Hijack Attacks
 Attacker gains unauthorized access to
 Impersonation
 Packet forgery
 Man In the Middle
 Snooping
 Data Insertion/Deletion
IPv4-to-IPv6 Transition
Today, most of the world is already adopting IPv6
 Develop a well-planned transition
mechanism to ensure IPv6 can coexist
with IPv4.
 IPv4/IPv6 Dual Stack Schemes
 IPv4/IPv6 Tunnel Mechanism
 Translate IPv4 headers to IPv6 headers and
vice versa
IPv4/IPv6 Dual Stack Schemes
Running IPv4 and IPv6 concurrently.
 End-hosts and network devices run both
 Dual-stack device will have to tackle the
vulnerabilities of both protocols
IPv4 (type 0x0800)  IPv6 (type 0x86DD)
IPv4 / IPv6 Tunnel Mechanism
 Configured Tunnel
 6to4 Tunnel (Automatic)
 Tunnel broker
 Defined in RFC3053
 Client must support Dual-stack
6to4 Tunneling (1)
RFC3056 Connection of IPv6 domains via IPv4
clouds (6to4)
 6to4 tunneling is a method used when an end user wants to connect to an IPv6 environment over their own IPv4 connection.
 It encapsulates IPv6 packets inside IPv4 packets for
transmission over an IPv4 network
[Diagram: IPv4 header | IPv4 payload (IPv6 header | IPv6 payload)]
6to4 Tunneling(2)
[Diagram: IPv6 network reached through an IPv6-in-IPv4 tunnel across the IPv4 network]
6to4 prefix: 2002:c0a8:0101::/48
Security Issues (1)
6to4 routers do not check the data that is contained within the packets
 No trust mechanism exists between 6to4 routers and 6to4 relay routers.
 The 6to4 architecture can be used to participate in DoS or reflected DoS, making another attack harder to trace
Security Issues (2)
Address spoofing
 For example, via 6to4 tunneling spoofed
traffic can be injected from IPv4 into IPv6.
– IPv4 Src: Spoofed IPv4 Address
– IPv4 Dst: 6to4 Relay Anycast (
– IPv6 Src: 2002:: Spoofed Source
– IPv6 Dst: Valid Destination
[Diagram: IPv6 net, IPv6 in IPv4 across the IPv4 net, IPv6 net]
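The spoofing case above can be caught at decapsulation by comparing the outer IPv4 source with the IPv4 address embedded in a 2002::/16 source, in line with the checks recommended in RFC 3964. This is an added example, not code from the slides; the function names and the sample packets (documentation addresses) are assumptions.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
# IPv4 ranges that must never appear inside a 6to4 address on the public side.
NON_GLOBAL_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def six_to_four_prefix(v4):
    """Build the 2002:V4ADDR::/48 prefix a site derives from its IPv4 address."""
    value = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((value, 48))

def embedded_ipv4(v6):
    """Return the IPv4 address in bits 16..47 of a 6to4 address, else None."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)

def check_decapsulated(outer_src_v4, inner_src_v6):
    """Verdict for a packet after a 6to4 router strips the IPv4 header."""
    outer = ipaddress.IPv4Address(outer_src_v4)
    inner_v4 = embedded_ipv4(inner_src_v6)
    if inner_v4 is None:
        # Non-6to4 source: it arrived via a relay the router cannot authenticate.
        return "accept-unverified"
    if any(inner_v4 in net for net in NON_GLOBAL_V4):
        return "drop: non-global IPv4 embedded in 6to4 source"
    if inner_v4 != outer:
        return "drop: outer IPv4 source does not match 6to4 source"
    return "accept"

# Constructed samples (outer IPv4 source, inner IPv6 source), not captured traffic.
SAMPLES = [
    ("198.51.100.7", "2002:c633:6407::1"),   # embeds 198.51.100.7: consistent
    ("198.51.100.7", "2002:cb00:7105::1"),   # embeds 203.0.113.5: outer differs
    ("198.51.100.7", "2002:c0a8:0101::1"),   # embeds 192.168.1.1 (RFC 1918)
    ("198.51.100.7", "2001:db8::1"),         # non-6to4 source via a relay
]

if __name__ == "__main__":
    for outer, inner in SAMPLES:
        print(outer, inner, "->", check_decapsulated(outer, inner))
```

The slide's own prefix 2002:c0a8:0101::/48 embeds 192.168.1.1, so a source inside it is dropped by the non-global check when it arrives from the public IPv4 side.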
Security Issues (3)
 Most IPv6 hosts will be 'dual stack'
 IPv4 systems will not have the same security feature set as IPv6
 Double handling of security policy (mistakes are easier).
Tunnel Broker
IPv6 tunneling over the internet requires
heavy manual configuration
 Network administrators are faced with
overwhelming management load
 Getting connected to the IPv6 world is not an easy
task for IPv6 beginners
The Tunnel Broker approach is an opportunity
to solve the problem
 The basic idea is to provide a tunnel broker that automatically manages tunnel requests coming from the users
Tunnel Broker
Main difference between 6to4 and Tunnel
 They serve a different segment of the IPv6
Tunnel Broker fits well for small isolated
IPv6 sites
 6to4: well suited for extranet and VPNs
Tunnel Broker
How does it work?
User registers with the Tunnel Broker first.
 Tunnel Broker will search for a suitable
Tunnel Server to allow the user to enter
the IPv6 network.
 Tunnel Broker sends information regarding
Tunnel Server and the assigned IPv6
address to the User
 User establishes the Tunnel and connects
to the IPv6 network
Security Considerations
Tunnel Broker (1)
Interaction between the client and TB:
 The usage of SSL to encrypt data
 Rely on AAA facilities (RADIUS) to enforce
access control
 Transferring tunnel configuration
parameters in a MIME type over https
 Interaction between the TB and TS
 Use IPSec to secure SNMP messages
Security Considerations
Tunnel Broker (2)
What if a user disconnects from the Internet without tearing down the tunnel?
 Implementing a keep-alive mechanism on every tunnel (assign a lifetime)
 Allowing the TB to stop IPv6 traffic forwarding toward disconnected users
Limiting the number of tunnels that a
single user is allowed to set up at the
same time to prevent DoS.
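The two broker-side controls above, a keep-alive lifetime and a per-user tunnel cap, sketched as an added example that is not part of the original slides. The class name, the limits (2 tunnels, 300 seconds) and the user and address values are assumptions chosen for illustration.

```python
import time

class TunnelTable:
    """Broker-side tunnel state: a per-user cap plus a keep-alive lifetime."""
    def __init__(self, max_per_user=2, lifetime=300.0, clock=time.monotonic):
        self.max_per_user, self.lifetime, self.clock = max_per_user, lifetime, clock
        self.tunnels = {}      # tunnel id -> {"user", "client_v4", "expires"}
        self.next_id = 0

    def _expire(self):
        """Tear down every tunnel whose lifetime ran out without a keep-alive."""
        now = self.clock()
        for tid in [t for t, s in self.tunnels.items() if s["expires"] <= now]:
            del self.tunnels[tid]

    def request(self, user, client_v4):
        """Return a new tunnel id, or None when the user is at the cap."""
        self._expire()
        active = sum(1 for s in self.tunnels.values() if s["user"] == user)
        if active >= self.max_per_user:
            return None
        self.next_id += 1
        self.tunnels[self.next_id] = {"user": user, "client_v4": client_v4,
                                      "expires": self.clock() + self.lifetime}
        return self.next_id

    def keepalive(self, tid):
        """Extend a live tunnel; an expired or unknown id is refused."""
        self._expire()
        if tid not in self.tunnels:
            return False
        self.tunnels[tid]["expires"] = self.clock() + self.lifetime
        return True

    def forwarding_allowed(self, tid):
        """IPv6 is forwarded only for tunnels that are still alive."""
        self._expire()
        return tid in self.tunnels

def demo():
    # Constructed scenario driven by a fake clock; the address is a documentation value.
    now = [0.0]
    table = TunnelTable(max_per_user=2, lifetime=300.0, clock=lambda: now[0])
    a = table.request("alice", "198.51.100.7")
    b = table.request("alice", "198.51.100.7")
    denied = table.request("alice", "198.51.100.7")   # third tunnel: over the cap
    now[0] = 200.0
    table.keepalive(a)                                # a now expires at t=500
    now[0] = 350.0                                    # b expired at t=300
    return (denied, table.forwarding_allowed(a), table.forwarding_allowed(b),
            table.request("alice", "198.51.100.7"))
```

Expiry runs before every decision, so a tunnel abandoned without teardown both stops being forwarded and frees a slot under the cap once its lifetime passes.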
IPv6 will slowly and gradually penetrate
into our networks and develop on the
 The transition from IPv4 to IPv6 presents
even more challenges, we are still facing
lots of challenges in the foreseeable
Thank you!