BELGAUM
A SEMINAR REPORT
on
2016
(Signature)
Asst.Prof. Saraswathi Joshi
ABSTRACT
In response to the emerging deployment of IPv6 on network devices, this paper proposes the
integration of IPv6 on Lock-Keeper, an implementation of a high level security system for
preventing online attacks. It is designed to permit the secure data exchange over physically
separated networks in an IPv4-based environment. A new intercommunication module is
added to manage IPv4/IPv6 handoff inside the Lock-Keeper, which provides several
benefits.
First, the Lock-Keeper gains the flexibility to work in IPv4/IPv6 environments. Second, an
application layer gateway to bridge IPv4 and IPv6 networks is achieved. Third, the IP-layer
protocol isolation is realized inside the Lock-Keeper to enhance the security of the protected
network by exchanging data between physically separated networks using different IP
protocols.
IPv6 is extremely popular with companies, organizations and Internet service providers (ISP)
due to the limitations of IPv4. In order to prevent an abrupt change from IPv4 to IPv6, three
mechanisms will be used to provide a smooth transition from IPv4 to IPv6 with minimum
effect on the network. These mechanisms are Dual-Stack, Tunnel and Translation. This
research will shed light on IPv4 and IPv6 and assess the automatic and manual transition
strategies of IPv6 by comparing their performance in order to show how the transition
strategy affects network behaviour.
The motivation for this method is to allow isolated IPv6 hosts, located on a physical link
which has no directly connected IPv6 router, to become fully functional IPv6 hosts by using
an IPv4 domain that supports IPv4 multicast as their virtual local link. It uses IPv4 multicast
as a "virtual Ethernet".
TABLE OF CONTENTS
1. INTRODUCTION
1.1 IPV4
1.2 IPV6
1.3 LOCK-KEEPER
1.4 LOCK-KEEPER ARCHITECTURE
2. TRANSITION STRATEGIES
2.1 DUAL STACK
2.2 TUNNELING
2.3 TRANSLATION
2.4 PROTOCOL ISOLATION FOR SECURITY
3. IPV4/IPV6 HANDOFF INSIDE THE LOCK-KEEPER
3.1 IP CONFIGURATION ON LOCK-KEEPER
4. RESULT AND CONCLUSIONS
4.1 EXPERIMENTAL RESULT
4.2 CONCLUSION
5. REFERENCES
LIST OF FIGURES
1.1 IPV4 HEADER
1.2 FIVE CLASSES OF IPV4 ADDRESS
1.3 IPV6 HEADER
1.4 LOCK-KEEPER COMPONENTS
1.5 THE STATES OF SWITCH INTERVAL IN THE SINGLE GATE LOCK-KEEPER SYSTEM
2.1 DUAL STACK
2.2 TUNNELING
2.3 HEADER TRANSLATION
2.4 PROTOCOL ISOLATION FOR SECURITY
3.1 ENABLING IPV4/IPV6 ON ALL NETWORK INTERFACES OF LOCK-KEEPER
3.2 IP CONFIGURATIONS ON LOCK-KEEPER
3.3 IP-BASE EXCHANGE MODULE FUNCTIONALITY
4.1 PERCENTAGE INCREASE IN TRANSFER TIME FOR DIFFERENT FILE SIZES
CHAPTER 1
INTRODUCTION
The depletion of IPv4 addresses was the main motivation behind designing IPv6. It provides
a 128-bit address space instead of a 32-bit address space in IPv4. So, IPv6 will have enough
unique addresses for variable types of products, such as smart phones, IP TV, automobiles,
etc. Moreover, IPv6 expands and optimizes some features of IPv4 to make it more powerful.
IPv6 was designed with stateless address auto-configuration, mandatory IPSec for security,
enhanced mobility, simple header structure, Quality of Service (QoS) provisioning, and more.
IPv6 is a next-generation Internet layer protocol designed by the Internet Engineering
Task Force (IETF) to overcome the limitations of IPv4 networks. IPv4 addresses, being 32 bits
in size, provide approximately 4.3 billion addresses, whereas an IPv6 address is 128
bits in size and provides approximately 3.4*10^38 addresses. Security attacks have been
common across the Internet. Therefore, in order to protect IPv6 networks from security attacks,
IPSec is made an inbuilt component of IPv6, and it ensures the integrity, authenticity and
confidentiality of data transmitted across the networks. IPSec is a network layer protocol
which is used to protect the data between two devices. IPSec encrypts and authenticates the
packets before sending them across the Internet. Using IPSec in IPv6 further enhances the
security and protects the data sent in IPv6 networks.
The communication evaluation identifies IPv4 as being limited in not only the addresses
available for customers but also in the services that consumers need to access the
applications. The new version (IPv6) is found to have solved these issues of IPv4 by
extending the size of the network in order to accommodate more customers; it is also easier to
reconfigure addresses.
IPv6 also provides a higher performance, particularly during real time traffic, which requires
quality of service (QoS), and the overall processing time is reduced.
IPv4
The Internet depends on a protocol known as Internet Protocol version 4 (IPv4), which
uses Classless Interdomain Routing (CIDR) and 32-bit addresses; this protocol can cover 4.3 billion
nodes around the world. Because the technology is developing, and many different services
and devices use 3G and 4G, IPv4 is approaching its limit: there are not enough IPs available
from Internet service providers (ISPs) to meet customer demand.
IPv4 is considered the core of internet addressing, as it allows transmission of data using
TCP/IP. In previous years, this protocol proved its stability and reliability in working in the
internet environment in order to provide a connection for millions of nodes.
In general, IPv4 contains five classes. Each class provides different limits to the address
numbers for networks and hosts; Figure 2 shows the types of addresses and their range.
Class A addresses were designed for large organizations with a large number of attached hosts
or routers. Class B addresses were designed for midsize organizations with tens of thousands
of attached hosts or routers. Class C addresses were designed for small organizations with a
small number of attached hosts or routers.
IPv6
IPv6 is also known as IP next generation. It is considered an evolution of IPv4, as it does
not make a radical change to IPv4 and the basic concept remains the same, but some features
have been added, which help to improve performance and provide a good service for
customers. In IPv6, NAT was eliminated, which is considered an advantage.
The IP address is a combination of the MAC address for the interface and the prefix from the
router. The IPv6 address size is 128 bits, written as hexadecimal digits, which are able to provide
3.8X10^38 addresses, enough to give a unique address to each device for today and
the future. Each group of four digits is separated by a colon, which gives eight parts; the zeroes
can be omitted to make the address shorter, as shown in figure 3.
IPv6 provides solutions for weaknesses in IPv4, such as address exhaustion: IPv6 provides
128-bit addresses, there are no private addresses, and the transmission of data is end to
end. IPv4 depends on manual or dynamic host configuration for addressing, whereas IPv6
uses auto-configuration: the configuration is done automatically without the need to send a
query and wait for a response from the DHCP server. Security in IPv4 is optional, so
data transferred over the Internet could be hacked; IPv6, however, has IPsec built in so that
data is encrypted.
IPSEC
IPSec is an Internet layer protocol designed for providing security at the network layer. It is
used to provide authenticity, integrity and confidentiality between two peers communicating
over the network. It ensures safe transmission of data across networking devices.
The objective of IPSec is to provide:
Authentication: It ensures data has been sent by an identified sender.
Data Confidentiality: It provides protection to data by encrypting the information being
transmitted.
Data Integrity: Specifies that there are no changes while transmitting data across the
networks and packets are sent to the receiver intact.
Avoid replay attacks: The transmitted packets do not get altered by any of the attacks
deployed by any attacker.
LOCK-KEEPER
VIII SEM ,B.E [ECE] ,RNSIT
Page | 9
Fig. 4 shows the abstract principle of the Lock-Keeper's operation. The Lock-Keeper system
consists of four components: INNER, OUTER, GATE, and a switch module. To support IPv6
on Lock-Keeper, a new IPv4/IPv6 handoff transformation mechanism is implemented for
managing the IPv4/IPv6 intercommunication process inside the Lock-Keeper.
Features of Lock-keeper
Fig 1.5 The states of switch interval in the Single Gate Lock-Keeper System
The Single Gate Lock-Keeper system, which consists of three active Single Board Computers
(SBCs): INNER, OUTER and GATE, is a simple implementation of the Lock-Keeper
technology. Each Lock-Keeper SBC has its own physical components (CPU, RAM, hard
disk, network cards, etc.). INNER is connected to the internal network with high-level
security requirements, for example a company intranet, while the OUTER computer
on the opposite side is connected to the less secure network, e.g., the Internet. The third
Lock-Keeper SBC, GATE, is set up to perform a detailed analysis of the traffic passing through. All
three components are connected to a patented switching unit that restricts their
communication.
CHAPTER 2
TRANSITION STRATEGIES
Transition strategies are methods that provide a means of connection between IPv4 and IPv6,
as these two protocols cannot understand each other. Therefore, in order to transfer data, a
special method is needed.
The three strategies are:
Dual-Stack: This method allows a node to understand IPv4 and IPv6 simultaneously: regardless of
which protocol is used, when the traffic is received the node is able to respond.
Tunnel: This strategy is employed when there are two networks that are using the same IP
version but are separated by another network that uses a different IP version. The tunnel method
establishes a virtual link through the networks by providing a connection in the middle of
them.
Translation: This method is similar to NAT, as it changes the IP packet from IPv4 to IPv6 and
vice versa, depending on the source and the destination.
Dual-Stack
The Dual Stack technique uses IPv4 and IPv6 within the same stack in parallel. The choice of
protocol is decided by the administrator policies, along with what kind of service is required
and which type of network is used. This technology does not make any change to the packet
header and at the same time does not make encapsulation between IPv4 and IPv6. This
technology is known as native dual stack or Dual IP layer.
Tunneling
Tunneling is a strategy used when two computers using IPv6 want to communicate with each
other and the packet must pass through a region that uses IPv4. To pass through this region,
the packet must have an IPv4 address. So the IPv6 packet is encapsulated in an IPv4 packet
when it enters the region, and it leaves its capsule when it exits the region. It seems as if the
IPv6 packet goes through a tunnel at one end and emerges at the other end. To make it clear
that the IPv4 packet is carrying an IPv6 packet as data, the protocol value is set to 41.
Tunneling is shown in Figure
Header Translation
The resources on the server are accessible from both directions, but the data cannot be passed
through, i.e., Internet users can reach the server, but cannot access the Intranet because it
requires IPX. The advantage of the protocol isolation model is that the LAN users can share
information with Internet users without exposing the LAN to unauthorized users. On the
other hand, one limitation of this model is that the LAN users cannot directly access the
Internet.
CHAPTER 3
IPV4/IPV6 HANDOFF INSIDE THE
LOCK-KEEPER
On each component of the Lock-Keeper, there is a separate network card. These three network
cards are connected by the LK-Switch Module and are responsible for the data transmission
inside the Lock-Keeper system. In addition, INNER and OUTER each have an additional
network interface, exposing services to internal and external users respectively. Each
interface could have IPv4, IPv6, or both. So, there are many possibilities for IP combinations
on the Lock-Keeper to support IP protocol isolation and to achieve the IPv4/IPv6 handoff. By
properly configuring the Lock-Keeper network interfaces, the packets could pass through the
Lock-Keeper using different IP protocols. The most flexible one is to enable both IPv4 and
IPv6 on all interfaces as shown in Fig.10. In this case, the Lock-Keeper will gain high
flexibility to work in IPv4/IPv6 networks at both sides, OUTER and INNER.
IP configurations on Lock-Keeper
The X in Fig.11 means that the protocol is not supported at the corresponding network
interface. The most interesting configuration cases are shown in Case 1 and Case 2. In these
cases, the Lock-Keeper can communicate with IPv4 and IPv6 at both sides, INNER and
OUTER. Besides achieving high flexibility, a virtual barrier is created on the GATE. So,
messages will be carried through the Lock-Keeper parts using two different IP protocols.
In Case 1, IPv4 is used for GATE-OUTER communication, while IPv6 is used for
GATE-INNER communication. In Case 2, GATE/OUTER communicate by using IPv6 while
GATE/INNER communicate by IPv4. Accordingly, an isolation protocol region will be
created at the GATE to enhance the Lock-Keeper security. However, these cases require a small
modification to the GATE's Lock-Keeper Secure Data Exchange (LK-SDE) software modules to
support IPv6.
Cases 3 and 5 do not need modifications to the GATE's LK-SDE software modules. These
cases provide the flexibility to communicate with IPv4 or IPv6 at the external side of the
OUTER. At the same time, IPv6 traffic is stopped at the OUTER, and IPv4 is used for the
communication between GATE-OUTER and GATE-INNER.
Case 5 allows the INNER to communicate only by IPv6. Cases 4 and 6 mainly depend
on the IPv6 protocol for the Lock-Keeper internal communication, and these cases need
modifications to the GATE's LK-SDE software modules to support IPv6.
To mitigate this vulnerability, a new IP-Based eXchange (IP-BX) module is added on the
OUTER of the Lock-Keeper. This module manages the intercommunication process between
IPv4 and IPv6. The functionality of this module is to receive the IPv4/IPv6 packets and then
check the Version field value in the IP header. Based on the Version field value, IP-BX
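The Version-field check described for IP-BX, combined with the protocol-41 encapsulation from the Tunneling section, as an added example (not Lock-Keeper code and not from the original report). The function names, the returned labels and the documentation-range addresses are assumptions made for illustration.

```python
import struct
import ipaddress

PROTO_IPV6_IN_IPV4 = 41  # IPv4 Protocol value marking an encapsulated IPv6 packet

def checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv6_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header plus payload (Next Header 59 = none)."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first_word, len(payload), 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def encapsulate_6in4(inner: bytes, src4: str, dst4: str) -> bytes:
    """Tunnel entry: wrap an IPv6 packet in an IPv4 header with Protocol = 41."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                      PROTO_IPV6_IN_IPV4, 0,
                      ipaddress.IPv4Address(src4).packed,
                      ipaddress.IPv4Address(dst4).packed)
    # Fill in the header checksum (bytes 10-11), computed with the field zeroed
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + inner

def classify(packet: bytes) -> str:
    """Dispatch on the Version field (high nibble of the first byte)."""
    if not packet:
        return "drop"
    version = packet[0] >> 4
    if version == 6:
        return "ipv6" if len(packet) >= 40 else "drop"
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4  # header length in bytes
        if ihl < 20 or len(packet) < ihl or checksum(packet[:ihl]) != 0:
            return "drop"  # truncated or corrupted IPv4 header
        if packet[9] == PROTO_IPV6_IN_IPV4:
            # Tunnel exit: the IPv4 payload must itself be a valid IPv6 packet
            return "6in4" if classify(packet[ihl:]) == "ipv6" else "drop"
        return "ipv4"
    return "drop"  # unknown Version value

if __name__ == "__main__":
    # Constructed sample packets using documentation address ranges
    inner = ipv6_packet("2001:db8::1", "2001:db8::2", b"hello")
    outer = encapsulate_6in4(inner, "192.0.2.1", "198.51.100.1")
    print(classify(inner), classify(outer))
```

Reading only the outer Version field would label the tunnelled packet as IPv4; checking the Protocol value as well lets a gateway see that IPv6 is being carried inside it.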
CHAPTER 4
RESULTS AND
CONCLUSION
EXPERIMENTAL RESULT
Even though the IPv6 header is twice as long as the IPv4 header, implying that IPv6
has a higher overhead than IPv4, the time delay through the Lock-Keeper is almost identical
in both cases, i.e., with the original IPv4-only system and with IPv6 integrated. By experiment, we
found that the Lock-Keeper has about a 0.08% increase in transfer time compared with
IPv4-only when an external user uses IPv6 to get a 1GB file from an IPv6 internal server. IPv4
outperforms IPv6 by only about 0.001% for transferring a 10KB file. For smaller file sizes, the
transfer times are roughly equal. Fig. 8 shows the percentage increase in transfer time through
the Dual Gate Lock-Keeper by integrating IPv6 compared to the original IPv4-only
Lock-Keeper when transferring different file sizes.
Fig 4.1 Percentage increase in transfer time for different file sizes due to
integrating IPv6 on Lock-Keeper compared to the original Lock-Keeper.
The above results are possible because the IPv6 header structure is designed as a
simplified standard format which can be processed faster than IPv4 headers. Moreover, the
switching mechanism, queuing delay, and scanning time inside the Lock-Keeper form the
significant portion of the total transfer time rather than the processing time.
CONCLUSION
IPv6 is a viable solution to IPv4 addressing space depletion problem. Accordingly, IPv6 is
being integrated into more and more new products. However, the migration to IPv6 may
take many years and new products should be able to communicate with both IPv4 and
IPv6 during the coexistence period.
Increasing the usability of the Lock-Keeper to work with both IPv4 and IPv6.