Page 1: DAY 6 - IPV6, VPN

© 2009, Velocis Systems

Introducing IPv6 (RFC) 2460

Page 2: DAY 6 - IPV6, VPN

WHAT IS IPV6 AND WHY WE NEED IT

• It is the next generation of the protocol that will run the Internet.

• IPv6 is designed to improve upon IPv4's scalability and ease of configuration, and to reintroduce the original TCP/IP benefits for global networking.

• Devices are continuing to develop and every device needs to connect to the internet.

• Microwave ovens, refrigerators, PDAs, cell phones, police cars and fire brigades all need to become more mobile, with constant monitoring and recording.

Page 3: DAY 6 - IPV6, VPN

ADVANTAGES OF USING IPV6

• Address space: it has a very large address space compared to IPv4.

• No need for NAT/PAT: using publicly registered unique addresses on all devices removes the need for NAT/PAT, which also avoids some of the application-layer and VPN-tunneling issues caused by NAT.

• Aggregation: IPv6’s huge address space makes for much easier aggregation of blocks of addresses in the Internet.

• Header improvements: no header checksum, thereby reducing per-packet overhead.

Page 4: DAY 6 - IPV6, VPN

Why Do We Need a Larger Address Space?

• Internet population
– Approximately 973 million users in November 2005
– Emerging population, geopolitical and address-space considerations

• Mobile users
– PDAs, notepads and so on: approximately 20 million in 2004

• Mobile phones
– Already 1 billion mobile phones delivered by the industry

• Transportation
– 1 billion automobiles forecast for 2008
– Internet access in planes (example: Lufthansa)

• Consumer devices
– Sony mandated that all its products be IPv6-enabled by 2005
– Billions of home and industrial appliances

Page 5: DAY 6 - IPV6, VPN

IPv6 Advanced Features

1) Larger address space
• Global reachability and flexibility
• End to end without NAT

2) Simpler header
• Routing efficiency
• Performance
• No checksums
• Extension headers
• Flow labels

Page 6: DAY 6 - IPV6, VPN

IPv6 Advanced Features

3) Support for security
• Inbuilt IPsec, which is not in IPv4

4) Transition richness
• Many methods to transition from IPv4 to IPv6: dual stack, tunneling (6to4)

Page 7: DAY 6 - IPV6, VPN

Larger Address Space

IPv4
• 32 bits or 4 bytes long
– 4,200,000,000 possible addressable nodes

IPv6
• 128 bits or 16 bytes: four times the bits of IPv4
– 3.4 × 10^38 possible addressable nodes
– 340,282,366,920,938,463,374,607,432,768,211,456
– 5 × 10^28 addresses per person

Page 8: DAY 6 - IPV6, VPN

IPv4 and IPv6 Header Comparison

Page 9: DAY 6 - IPV6, VPN

Header Fields

• Version: A 4-bit field, the same as in IPv4. For IPv6, this field contains the number 6; for IPv4, this field contains the number 4.

• Traffic class: An 8-bit field similar to the type of service (ToS) field in IPv4. This field tags the packet with a traffic class that is used in differentiated services (DiffServ) QoS. These functionalities are the same for IPv6 and IPv4.

• Flow label: This 20-bit field is new in IPv6. It can be used by the source of the packet to tag the packet as being part of a specific flow.

• Payload length: This 16-bit field is similar to the IPv4 total length field.

• Next header: The value of this 8-bit field determines the type of information that follows the basic IPv6 header. It can be a transport-layer packet, TCP or UDP, or it can be an extension header.

Page 10: DAY 6 - IPV6, VPN

Header Fields (continued)

• Hop limit: This 8-bit field specifies the maximum number of hops that an IP packet can traverse, similar to the TTL field in IPv4.

• Source address: This field has 16 octets or 128 bits. It identifies the source of the packet.

• Destination address: This field has 16 octets or 128 bits. It identifies the destination of the packet.

• Extension headers: The extension headers, if any, and the data portion of the packet follow the other eight fields. The number of extension headers is not fixed, so the total length of the extension header chain is variable.

Note: There is no header checksum field in IPv6.

Page 11: DAY 6 - IPV6, VPN

IPv6 Extension Headers

Simpler and more efficient header means:

1. IPv6 has extension headers.
2. It handles the options more efficiently.
3. It enables a faster forwarding rate and faster end-node processing.

Page 12: DAY 6 - IPV6, VPN

IPv6 Address Representation

Format:
• x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field
– Case-insensitive for hexadecimal A, B, C, D, E, and F
• Leading zeros in a field are optional:
– 2031:0:130F:0:0:9C0:876A:130B
• Successive fields of 0 can be represented as ::, but only once per address.

Examples:
– 2031:0000:130F:0000:0000:09C0:876A:130B
– 2031:0:130f::9c0:876a:130b
– 2031::130f::9c0:876a:130b (incorrect)
– FF01:0:0:0:0:0:0:1 = FF01::1
– 0:0:0:0:0:0:0:1 = ::1
– 0:0:0:0:0:0:0:0 = ::
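The representation rules on this slide (16-bit hex fields, optional leading zeros, a single :: run) are exactly what an address validator has to enforce; the "incorrect" example with two :: runs is the case that naive string handling gets wrong. The following is an added example, not code from the slides or from Velocis Systems, that expands any textual IPv6 address to its full 8-field form and compresses it back. For compression it assumes the RFC 5952 canonical rules (lowercase hex, :: replaces the longest run of two or more zero fields, leftmost run on a tie), which go slightly beyond what the slide states.

```python
import re

# One 16-bit field: one to four hex digits, case-insensitive (A-F or a-f)
HEX_FIELD = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(addr: str) -> str:
    """Return the full eight-field, zero-padded, lowercase form of an IPv6 address.

    Raises ValueError for malformed input, including more than one '::'.
    """
    if addr.count("::") > 1:
        raise ValueError(f"'::' may appear only once per address: {addr}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one zero field: {addr}")
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {addr}")
    for field in fields:
        if not HEX_FIELD.match(field):
            raise ValueError(f"bad field {field!r} in {addr}")
    return ":".join(f"{int(field, 16):04x}" for field in fields)


def compress_ipv6(addr: str) -> str:
    """Canonical compressed form (RFC 5952 rules, assumed here): leading zeros dropped,
    longest run of two or more zero fields replaced by '::', leftmost run wins ties."""
    fields = [f"{int(field, 16):x}" for field in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    run_start = None
    for i, field in enumerate(fields + ["end"]):  # sentinel closes a trailing run
        if field == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            run_len = i - run_start
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_start = None
    if best_len < 2:
        return ":".join(fields)
    head = fields[:best_start]
    tail = fields[best_start + best_len:]
    return ":".join(head) + "::" + ":".join(tail)


def is_valid_ipv6(addr: str) -> bool:
    """True when the address parses under the rules above."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The slide's own examples, including the one marked incorrect
    for sample in ["2031:0000:130F:0000:0000:09C0:876A:130B", "FF01:0:0:0:0:0:0:1",
                   "0:0:0:0:0:0:0:1", "0:0:0:0:0:0:0:0", "2031::130f::9c0:876a:130b"]:
        if is_valid_ipv6(sample):
            print(f"{sample} -> {expand_ipv6(sample)} -> {compress_ipv6(sample)}")
        else:
            print(f"{sample} -> rejected")
```

In production code the standard library's ipaddress.IPv6Address applies the same rules; the hand-written version is here so that each rule from the slide is visible as a check, and so that a rejected address is a ValueError rather than a silently mangled string.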

Page 13: DAY 6 - IPV6, VPN

IPv4-to-IPv6 Transition

Transition richness means:
– No fixed day to convert; no need to convert all at once.
– Different transition mechanisms are available:
• Smooth integration of IPv4 and IPv6.
• Use of dual stack.
– Different compatibility mechanisms:
• IPv4 and IPv6 nodes can communicate.

Page 14: DAY 6 - IPV6, VPN

Cisco IOS Software Is IPV6-Ready: Cisco IOS Dual Stack

• If both IPv4 and IPv6 are configured on an interface, this interface is dual-stacked.

Page 15: DAY 6 - IPV6, VPN

Dual Stack

• Dual stack is an integration method where a node has an implementation of, and connectivity to, both an IPv4 and an IPv6 network.

Page 16: DAY 6 - IPV6, VPN

Cisco IOS Software Is IPv6-Ready: Overlay Tunnels

• Tunneling encapsulates the IPv6 packet in the IPv4 packet.

Page 17: DAY 6 - IPV6, VPN

Tunneling

Tunneling is an integration method where an IPv6 packet is encapsulated within another protocol, such as IPv4. This method of encapsulation is IPv4 protocol 41:
• This method includes a 20-byte IPv4 header with no options and an IPv6 header and payload.
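To make the layering concrete, the following added example (not code from the slides or from Velocis Systems) builds a constructed 6in4 packet, strips the outer IPv4 header after checking that its protocol field is 41, decodes the fixed IPv6 header fields described on the Header Fields slides (version, traffic class, flow label, payload length, next header, hop limit, addresses), and then follows the Next Header chain through any extension headers to the upper-layer protocol. The extension-header length rules (8-octet units for most types, a fixed 8 bytes for Fragment, 32-bit words for AH) are taken from the RFCs rather than from the slides; the sample addresses, flow label and UDP stub are constructed values.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPPROTO_IPV6 = 41  # IPv4 protocol number for an encapsulated IPv6 packet (6in4)
# Extension headers whose first two bytes are Next Header and a length byte.
# ESP (50) is deliberately absent: the chain cannot be followed past it without the key.
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Destination Options"}


@dataclass
class IPv6Header:
    version: int
    traffic_class: int
    flow_label: int
    payload_length: int
    next_header: int
    hop_limit: int
    src: str
    dst: str


def parse_ipv6_header(buf: bytes) -> IPv6Header:
    """Decode the 40-byte fixed IPv6 header. Note there is no checksum field to verify."""
    if len(buf) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", buf[:8])  # version/class/flow, length, next, hops
    version = vtf >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    return IPv6Header(version, (vtf >> 20) & 0xFF, vtf & 0xFFFFF, plen, nh, hlim,
                      str(ipaddress.IPv6Address(buf[8:24])), str(ipaddress.IPv6Address(buf[24:40])))


def walk_extension_headers(next_header: int, payload: bytes) -> Tuple[List[str], int, bytes]:
    """Follow the Next Header chain; return (extension names, upper-layer protocol, its bytes)."""
    chain: List[str] = []
    offset = 0
    while next_header in EXT_HEADERS:
        if offset + 2 > len(payload):
            raise ValueError("truncated extension header")
        following, ext_len = payload[offset], payload[offset + 1]
        if next_header == 44:
            length = 8                    # Fragment header is always 8 octets
        elif next_header == 51:
            length = (ext_len + 2) * 4    # AH: length in 32-bit words, minus 2
        else:
            length = (ext_len + 1) * 8    # others: 8-octet units, not counting the first
        if offset + length > len(payload):
            raise ValueError("extension header overruns the payload")
        chain.append(EXT_HEADERS[next_header])
        next_header, offset = following, offset + length
    return chain, next_header, payload[offset:]


def decapsulate_6in4(frame: bytes) -> bytes:
    """Return the inner IPv6 packet of a 6in4 frame, refusing anything that is not protocol 41."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = frame[0], frame[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    if proto != IPPROTO_IPV6:
        raise ValueError(f"outer protocol {proto} is not 41 (IPv6-in-IPv4)")
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    return frame[ihl:total_len]


def analyze(frame: bytes) -> Dict[str, object]:
    """Decapsulate, parse the fixed header and walk the extension chain in one call."""
    inner = decapsulate_6in4(frame)
    hdr = parse_ipv6_header(inner)
    payload = inner[40:40 + hdr.payload_length]
    if len(payload) < hdr.payload_length:
        raise ValueError("IPv6 payload shorter than Payload Length claims")
    chain, upper, data = walk_extension_headers(hdr.next_header, payload)
    return {"src": hdr.src, "dst": hdr.dst, "flow_label": hdr.flow_label, "hop_limit": hdr.hop_limit,
            "extension_headers": chain, "upper_layer_protocol": upper, "upper_layer_bytes": len(data)}


def build_sample_packet() -> bytes:
    """Constructed sample (not captured traffic): IPv4 | IPv6 | Hop-by-Hop | 8-byte UDP stub."""
    udp_stub = bytes(8)
    hop_by_hop = bytes([17, 0]) + bytes(6)  # Next Header 17 (UDP), Hdr Ext Len 0 -> 8 octets
    payload = hop_by_hop + udp_stub
    src = ipaddress.IPv6Address("2031:0:130f::9c0:876a:130b").packed  # address from the slide
    dst = ipaddress.IPv6Address("2001:db8::1").packed                  # documentation prefix
    ipv6 = struct.pack("!IHBB", (6 << 28) | 0x12345, len(payload), 0, 64) + src + dst + payload
    # Outer header: version 4, IHL 5 (20 bytes, no options), protocol 41; checksum left as 0
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64, IPPROTO_IPV6, 0,
                       ipaddress.IPv4Address("192.0.2.1").packed, ipaddress.IPv4Address("198.51.100.1").packed)
    return ipv4 + ipv6


if __name__ == "__main__":
    print(analyze(build_sample_packet()))
```

The length checks matter on a tunnel endpoint: the outer packet is accepted from an untrusted network, so a Payload Length or extension-header length that overruns the buffer has to be rejected before the inner packet is forwarded.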

Page 18: DAY 6 - IPV6, VPN

© 2009, Velocis Systems

VPN TECHNOLOGY

Page 19: DAY 6 - IPV6, VPN

Types of VPN

1) Remote Access VPN
2) Site-to-Site VPN
3) Extranet VPN

Page 20: DAY 6 - IPV6, VPN

Authentication and Authorization

• Authentication – the process of determining the identity of a user, a network host or an application process

• Authorization – the act of recognizing an authenticated user, network host or process defined on a particular host or authentication system

Page 21: DAY 6 - IPV6, VPN

Encryption

• A security technique designed to prevent access to information by converting it into a scrambled (unreadable) form of text

• Three encryption models:
– Symmetric-key
– Asymmetric-key
– Hash

Page 22: DAY 6 - IPV6, VPN

Symmetric-Key (Single-Key) Encryption

• One key is used to encrypt and decrypt messages

• All parties must know and trust one another completely, and have confidential copies of the key

• Three most common symmetric algorithms:
– Data Encryption Standard (DES)
– Triple DES
– Advanced Encryption Standard (AES)

Page 23: DAY 6 - IPV6, VPN

Asymmetric-Key (Public-Key) Encryption

• Uses a key pair in the encryption process

• Key pair – a mathematically matched key set in which one key encrypts and the other key decrypts

• One of these keys is made public, whereas the other is kept private

• Two most common asymmetric-key algorithms:
– Rivest, Shamir, Adleman (RSA)
– Digital Signature Algorithm (DSA)

Page 24: DAY 6 - IPV6, VPN

Hash (One-Way) Encryption

• Uses an algorithm to convert information into a fixed, scrambled bit of code

• Any data that has been run through a hash algorithm cannot be decrypted

• Two most common hash algorithm families:
1) Message Digest (MD)
– MD2
– MD4
– MD5
2) Secure Hash Algorithm (SHA)

Page 25: DAY 6 - IPV6, VPN

Services Provided by Encryption

Service              | Explanation                                                               | Method
Data confidentiality | Ensures that only the intended recipients of information can view it      | Symmetric-key, asymmetric-key
Data integrity       | Applies digital signatures to ensure that data is not illicitly decrypted | Hash
Authentication       | Proves identity                                                           | Asymmetric-key, in conjunction with hash
Non-repudiation      | Proves that a transaction has, in fact, occurred                          | Asymmetric-key, hash

Page 26: DAY 6 - IPV6, VPN

Digital Certificates and Digital Signatures

• Digital certificates are small files that provide authoritative identification

• A certificate authority (CA) verifies the legitimacy of a digital certificate

• Digital certificates contain digital signatures, which are unique identifiers that authenticate messages

• Digital signatures provide the following services:
1) Authentication
2) Non-repudiation
3) Data integrity

Note: Digital signatures do not provide data confidentiality

Page 27: DAY 6 - IPV6, VPN

Virtual Private Networks (VPNs)

• VPN is an encrypted tunnel that provides secure, dedicated access between two hosts across an unsecured network

• Three types of VPNs:
1) Workstation-to-server
2) Firewall-to-firewall
3) Workstation-to-workstation

Page 28: DAY 6 - IPV6, VPN

IP Security (IPsec)

• An IETF standard that provides packet-level encryption, authentication and integrity between firewalls or between hosts in a LAN

• Contains two elements:
1) Authentication Header (AH) – signs the packets to ensure authentication and data integrity
2) Encapsulating Security Payload (ESP) – encrypts the data payload

• Two connection modes:
1) Tunnel mode – the header and the data packet are encrypted
2) Transport mode – only data is encrypted

Page 29: DAY 6 - IPV6, VPN

VPN Benefits

• Expand connectivity – VPNs allow you to use the Internet to log on to an internal network

• Save money – Companies can implement VPNs between their remote offices and eliminate the use of expensive private leased lines

• Improve security – VPN transmissions are usually encrypted

• Support telecommuting – Users can securely log on to the corporate network from home

Page 30: DAY 6 - IPV6, VPN

Security Associations

Security Associations (SAs) establish trust between two devices in a peer-to-peer relationship and enable VPN endpoints to agree on a set of transmission rules by negotiating policies with a potential peer.

Page 31: DAY 6 - IPV6, VPN

Types of SAs

Internet Key Exchange (IKE)
• Provides negotiation, peer authentication, key management and key exchange, as a bidirectional protocol.

IPsec Security Association (IPsec SA)
• An IPsec SA is unidirectional and thus requires that separate IPsec SAs are established in each direction.

Page 32: DAY 6 - IPV6, VPN

Internet Key Exchange

In Phase I, the sender and receiver negotiate the following:

Parameter             | Site-I      | Site-II
Encryption algorithm  | 3DES        | 3DES
Hash algorithm        | SHA         | SHA
Authentication method | Pre-share   | Pre-share
Key exchange          | 1024 D-H    | 1024 D-H
IKE SA lifetime       | 86,400 secs | 86,400 secs
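The table shows the happy path: both sites offer the same Phase I parameters, so the negotiation succeeds. What the slide does not show is how a peer chooses when each side has several policies, or what happens when nothing matches. The following is an added example, not code from the slides or from Velocis Systems, that models Phase I policy selection in a simplified way: the initiator's policies are tried in priority order and the first one whose encryption, hash, authentication method and DH group the responder also offers is chosen, with the shorter of the two lifetimes applied. This is a model of the matching logic rather than an implementation of the IKE protocol, and the policy values, including the table's 3DES/SHA/pre-share/1024-bit DH set, are represented as plain strings and numbers (DH group 2 is the 1024-bit MODP group). The weak_parameters check is an added, defender-side caveat: the 2009-era parameters in the table are below what current guidance recommends.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class IkePolicy:
    """One IKE Phase I policy entry, as a site would configure it (simplified model)."""
    encryption: str   # e.g. "3des", "aes-256"
    hash_alg: str     # e.g. "sha" (SHA-1), "sha256", "md5"
    auth: str         # "pre-share" or "rsa-sig"
    dh_group: int     # Diffie-Hellman group; 2 = 1024-bit MODP, 14 = 2048-bit MODP
    lifetime: int     # IKE SA lifetime in seconds

    def match_key(self):
        # Lifetime is deliberately excluded: it is reconciled, not required to be equal
        return (self.encryption, self.hash_alg, self.auth, self.dh_group)


def negotiate_phase1(initiator: List[IkePolicy], responder: List[IkePolicy]) -> Optional[IkePolicy]:
    """Return the agreed Phase I policy, or None when the two sites share no acceptable set.

    Policies are tried in the initiator's priority order; the first one the responder also
    offers wins, and the shorter of the two configured lifetimes is used (assumed rule).
    """
    for mine in initiator:
        for theirs in responder:
            if mine.match_key() == theirs.match_key():
                return replace(mine, lifetime=min(mine.lifetime, theirs.lifetime))
    return None


def weak_parameters(policy: IkePolicy) -> List[str]:
    """Flag agreed parameters that fall below current guidance (added caveat, not from the slide)."""
    findings = []
    if policy.encryption in ("des", "3des"):
        findings.append(f"{policy.encryption}: 64-bit block cipher, deprecated; prefer AES")
    if policy.hash_alg in ("md5", "sha"):
        findings.append(f"{policy.hash_alg}: legacy hash; prefer SHA-2 (sha256 or stronger)")
    if policy.dh_group in (1, 2, 5):
        findings.append(f"DH group {policy.dh_group}: below 2048-bit modulus; prefer group 14 or higher")
    return findings


# Constructed configurations. SITE_I and SITE_II reproduce the slide's table.
SITE_I = [IkePolicy("3des", "sha", "pre-share", 2, 86400)]
SITE_II = [IkePolicy("3des", "sha", "pre-share", 2, 86400)]
# A hardened site that still keeps the legacy policy as a lower-priority fallback
SITE_HARDENED = [IkePolicy("aes-256", "sha256", "pre-share", 14, 3600),
                 IkePolicy("3des", "sha", "pre-share", 2, 28800)]
# A site offering only a modern policy, so the table's parameters cannot match it
SITE_MODERN_ONLY = [IkePolicy("aes-256", "sha256", "pre-share", 14, 3600)]


if __name__ == "__main__":
    agreed = negotiate_phase1(SITE_I, SITE_II)
    print("Site-I <-> Site-II:", agreed)
    for finding in weak_parameters(agreed):
        print("  caveat:", finding)
    print("Site-I <-> hardened:", negotiate_phase1(SITE_I, SITE_HARDENED))
    print("Site-I <-> modern-only:", negotiate_phase1(SITE_I, SITE_MODERN_ONLY))
```

The mismatch case is the one to look for when a tunnel will not come up: the negotiation returns None, and on a real device the corresponding symptom is a Phase I failure in the IKE debug output rather than a partially working tunnel.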

Page 33: DAY 6 - IPV6, VPN

Internet Key Exchange

Phase II

• One selects IPsec algorithms and parameters for optimal security and performance.

• Identify IPsec peer details.

• Determine IP addresses and applications of hosts to be protected at local peer and remote peer.