IPV6 and IPSec
IPv6 is short for “Internet Protocol Version 6”. IPv6 has the assigned task of being the Internet’s next-generation protocol, it was initially created to replace the most used Internet Protocol, which is IP version 4 (IPv4).
Whenever it is necessary to communicate over the Internet, must have a designated sender and receiver addresses. These numeric addresses that allow communication are known as Internet Protocol addresses. As the Internet and the the need of interconnectivity between devices grows exponentially, so does the need for IP addresses for each particular device that is connected to the world wide web.
One of the weaknesses of the original Internet Protocol (IP) is that it lacks any
system that can be used to ensure the privacy and authenticity of data as
it is traversing over the internetwork. Since IP datagrams must usually be routed between two devices over unknown and normally unsecured networks, any information in them is subject to being intercepted and even possibly modified.
IPv6 is a standard developed by the Internet Engineering Task Force, an organisation created to develop Internet technologies, in particular the standards that comprise the Internet protocol suite. It is an open standards organisation, with no formal membership or membership requirements. All participants and/or managers are volunteers, although their contribution is usually funded by their employers or sponsors. The IETF, anticipating the need for more IP addresses, created IPv6 to accommodate the ever growing number of users and devices accessing the Internet.
The IPv6 comes accompanied of IPSec which is a set of services and protocols that provide a complete security solution for an IP network. These services and protocols are combined to provide various forms of protection. Since IPsec works at the IP layer, it provides these protections for any higher-layer TCP/IP application or protocol without the need for additional security methods, which is a major advantage over the lack of security in IPv4.
IPv4
IPv6
Address
32 bits (4 bytes) 12:34:56:78
128 bits (16 bytes)
1234:5678:9abc:def0:
1234:5678:9abc:def0
Packet size
576 bytes required, fragmentation optional
1280 bytes required without fragmentation
Packet fragmentation
Routers and sending hosts
Sending hosts only
Packet header
Does not identify packet flow for QoS handling
Contains Flow Label field that specifies packet flow for QoS handling
Includes a checksum
Does not include a checksum
Includes options up to 40 bytes
Extension headers used for optional data
DNS records
Address (A) records, maps host names
Address (AAAA) records, maps host names
Pointer (PTR) records, IN-ADDR.ARPA DNS domain
Pointer (PTR) records, IP6.ARPA DNS domain
Address configuration
Manual or via DHCP
Stateless address autoconfiguration (SLAAC) using Internet Control Message Protocol version 6 (ICMPv6) or DHCPv6
IP to MAC resolution
broadcast ARP
Multicast Neighbor Solicitation
Local subnet group management
Internet Group Management Protocol (IGMP)
Multicast Listener Discovery (MLD)
Broadcast
Yes
No
Multicast
Yes
Yes
IPSec
optional, external
required
Comparison with IPv4
As it can be seen in the table above, the address space is one of the key features of IPv6, which enables a multitude of clients and devices to share data using the internet by utilizing greater numbers to generate IP addresses. Under IPv4, each IP address is 32 bits in length, which permits the creation of 4.3 billion unique addresses. This is a simple IPv4 address: 192.168.1.5
In contrast, IPv6 addresses are 128 bits, which taking into account it is around three hundred and forty trillion, trillion special IP addresses. An example of an IPv6 address is: 2003:db7:ffff:2:203:03ff:fe08:0504
According to Harkins (2002), packets destined for both IPv4 and IPv6 vary and can be up to 64 Kb. The main issue is that the protocols have many options regarding the number of transports that can be used and that itself can have other limits. Normally, this is specified by the “MTU” which stand for Maximum Transmission Unit. These protocols have to obey to a minimum MTU requirement, that being 1280 bytes for IPv6 and 576 bytes for IPv4.
Larger amount of data can be sent through the network by splitting and sending them one by one. Normally, this task is done by the host but in IPv4 it can be done by the router. The hosts in IPv6 need to determine the MTU for a path in order to reach its destination. This method greatly simplifies routers but at the same time adds another level of complexity at the host end. Normally, this is not an issue and the IPv6 minimum MTU can always be used with any path.
These are some of the main key differences amongst IPv4 and IPv6 are:
• The 128-bits in the IPv6 address are eight 16-bit hexadecimal blocks separated by colons. For instance, 2dfc:0:0:0:0217:cbff:fe8c:0.
• IPv4 addresses are partitioned into “classes” with Class A networks for a couple of greater networks, Class C systems for thousands of small networks, and Class B networks that are in the middle. Conversely, IPv6 utilizes subnetting to change sizes with a given address space assignment.
• IPv4 utilizes class-type address space for multicast (224.0.0.0/4). IPv6 utilizes an integrated address space for multicast, at FF00::/8.
• IPv4 utilizes “broadcast” addresses that constrained every gadget to stop and take a gander at bundles. IPv6 utilizes multicast gatherings.
• IPv4 uses 0.0.0.0 as an unspecified address, and class-type address (127.0.0.1) for loopback. IPv6 uses :: and ::1 as unspecified and loopback address respectively.
• IPv4 makes use of global unique public addresses for traffic and private addresses. While, IPv6 uses global unique unicast addresses and local addresses (FD00::/8).
IPv6 and IPSec Security features
IPSec is a framework of open standards that establishes the policies that are necessary for secure communication on a network. The standards also define how can these policies be enforced. In IPv4, IPSec is an optional component, whereas, in IPv6 is compulsory to have in all of its implementations.
Computers taking part in the process of communication can successfully achieve:
data authentication – The IPSec sender can encrypt packets before transmitting them across a network.
Integrity – The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
Data origin authentication—The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.
Antireplay—The IPSec receiver can detect and reject replayed packets.
The RFC 2401 is used to specify the base architecture for IPsec compliant systems. This specific RFC mentions that “the goal of the architecture is to provide various security services for traffic at the IP layer, in both the IPv4 and IPv6 environments.”
For this particular purpose it uses the AH authentication header and the ESP extension header. At the moment, all operating systems (including client and servers) support IPSec, it is just needed to be integrated by IT administrators in both IPv4 and IPv6, it can be adapted without changing current infrastructure.
According to the Department for Business Innovation and Skills (2010), the government is mandating to acquire IPv6 ready equipment and prepare the transition of having IPv6 networks in the upcoming years.
Providing high quality, interoperable and cryptographic security in IPv4 and IPv6 is one of the main purposes of IPsec. Many security components involves connectionless integrity, data origin authentication, access control, protection against replays and limited traffic control confidentiality.
Environments where it’s used in conjunction with L2TP tunneling
Certificate authorities and Internet Key Exchange (IKE) negotiation. IKE is defined in RFC 2409.
Encryption that can be deployed in standalone environments between clients, routers, and firewalls
Data Encryption Standard (DES) 56-bit and Triple DES (3DES) 168-bit symmetric key encryption algorithms in IPSec client software.
Supporting Features
In more details:
AH (Authentication Header) – provides authenticity guarantee for transported packets. This is done by check-summing the packages using a cryptographic algorithm.
IPcomp (IP payload compression) – provides a form of compression before a packet is encrypted.
ESP (Encapsulating Security Payload) – provides encryption of network packets.
IKE (Internet Key Exchange) – provides the means of exchanging keys before a communication is able to start.
When using an IPSec, the user will not notice any major difference. Normally, noticeable aspects and advantages are the support for a great number of operating systems, best option for VPN solutions were true confidentially is paramount, and the ease of setting up the interoperability of devices.
Security Associations
In IPv6, security associations can be considered as relationships between two or more entities that describes how the entities will use security services to communicate securely between them. In agreement with Doraswamy and Harkins (2003), IPSec provides many forms of performing network encryption and authentication. Before establishing a connection, the IPSec peers must decide which type of algorithm they will use for their communication, for example, DES or 3DES for encryption, MD5 or SHA for integrity, after making this decision, the peers must exchange the keys of the session.
As it can be seen by the necessary steps, the security association is the method IPSec utilizes to track all devices involved in a particular IPSec communication session.
The Internet Key Exchange (IKE, RFC 2409) describes a protocol that allows parties in a communication to obtain authenticated keys and manage Security Associations for the use of the AH and ESP services within IPSEC. IKE is considered an application-layer protocol from an IPSEC point of view, and it runs on port 500/UDP. Thus, other key management frameworks besides the default IKE could be provided.
IPSec Security Association example
IPSec Transport and Tunnel modes
When using IPSec there are two configuration options that can be used, called Tunnel and Transport mode. The use cases of each mode are dependent on the requirements and implementations.
Tunnel Mode:
Tunnel mode is considered the default mode of IPSec, when using this mode the IP packet is protected by IPSec, meaning that IPSec will hide the original packet, encrypt it, then it will create a new IP header and afterwards send through the VPN tunnel to the other IPSec peer.
It is mostly used between IP gateways or at the end station to a gateway that acts as a proxy for the hosts behind it. This mode is often used to encrypt all the traffic being passed between IPSec gateways. After the contents are passed through the encrypted tunnel, it will then be decrypted by the firewall appliance and the original IP packet is sent the receivers local network.
IPSec Tunnel Mode
The IPSec header, specifically AH and ESP Header are inserted between the IP header and upper layer protocol. ESP is mostly used to configure the VPN Tunnel.
Tunnel with ESP header
Transport Mode:
In IPSec, transport mode was created specifically for end-to-end communications. For example, if a client/workstation needs to establish a connection to a server/gateway this mode would be suitable. Or in the case of Remote Desktop’s that establishes a connection to a workstation that in turn connects to a server.
This mode provides a level of protection to data, called IP payload, which contains TCP/UDP header and data that is passed using AH or ESP header which is encapsulated by the IPSec header and its trailer. Apart from that, all headers will remain intact, only the IP protocol is replaced with AH or ESP. All values of the original protocol is saved for when it is decrypted from the receivers side.
connection between Server and client
In the below example, it can be seen that the original IP header is placed in the front, by doing this it can be seen that there is no protection nor encrypts the original IP header. This shows why transport is not the most secure method between the two.
The authentication header (AH) can be used in conjunction with ESP or on its own when IPSec is being used in transport mode because the main job of the AH is to protect the entire packet, however, in this mode it does not create a new header but instead it will duplicate the original copy and only perform minor changes to the protocol ID, as a result, not giving essential protection the inner data of the contained in the IP header.
Conclusion
The results of the above discussion is that IPv6 has numerous advantages over the archaic IPv4, such as overcoming the exhaustion of IPv4 addresses and the IPv4 restriction in regards to real-time delivery of data, security and routing performance and its synergy with IPv4 reduces the time in configuring and managing systems. But it has been seen that we are migrating our networks to IPv6 to gain all the advantage of IPv6, even though it is not a one-day job, it will take years.
References
Harkins, D.R (2002). IPSec (2nd Edition) . (2nd ed.). New Jersey: Prentice-Hall.
Department for business innovation and skills. (2010). IP rollout in the UK. Retrieved 1 March, 2018, from https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/78236/10-1229-ipv6-rollout-in-the-uk.pdf
Doraswamy, N. and Harkins, D. (2003). IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, Second Edition. 2nd ed. New Jersey: Prentice Hall.
Bibliography
AlaHamarsheh and MarnixGoossens (2011). Exploiting Local IPv4-only Access Networks to Deliver IPv6 Service to End-users.International Journal of Computers and Communications, volume 5
AmerNizar Abu Ali (2012). Comparison study between IPV4 & IPV6. Philadelphia University, Jordan, CIS department.International Journal of Computer Science Issues, Vol. 9
JivikaGovi, Jivesh Govil, Navkeerat Kaur and Harkeerat Kaur(2008). An Examination of IPv4 and IPv6 Networks: Constraints and Various Transition Mechanisms. IEEE Journal.
ShilpaVerma and KunalMeher (2012). Interoperability between IPv4 and IPv6 Clients and Servers International Journal of Information and Electronics Engineering, Vol. 2, No. 4
Apple.com. (2018). Apple Support. Retrieved 27 February, 2018, from https://support.apple.com/en-us/HT202236
Electronicdesigncom. (2012). Electronic Design. [Online]. [27 February 2018]. Available from: http://www.electronicdesign.com/embedded/whats-difference-between-ipv4-and-ipv6