Monday, July 25, 2011

IPv6 Transition Methods and Security Analysis

Summary

 With the ongoing development of Internet infrastructure, a transition of the Internet Protocol has become a necessity. During this transition period, the IPv6 transition methods and the security problems they bring must be examined in depth so that users and service providers are not adversely affected. This work presents observations on the transition methods and their security.

1. Introduction

 IP (Internet Protocol) is the basic communication platform for connected network devices (clients, servers, routers etc.). Today's popular version, IPv4, was designed in 1981. After the 1980s, Internet experts realised that IPv4 had deficits that would hold back the development of the Internet, and they started work on a new protocol. The most important deficit was that the IPv4 address space was running out. IPv6 was proposed in 1998 to resolve these deficits.

 Both protocols will be used during the transition period. Many methods have been proposed so that users and service providers are not adversely affected.

 This article gives short definitions of the proposed transition methods together with related security observations. After the introduction, the second part presents the transition methods and the security observations, and the third part gives the conclusions and future work on this topic.

2. Transition Methods and Security Observations

 The proposed transition methods are dual stack, tunnelling and translation. These methods cannot be applied to every network. Network administrators have to analyse the transition methods, choose the one or more that fit their network best, and then deploy them. They also have to be informed about the vulnerabilities related to these methods and take precautions.

 For this reason, the routers and security devices in the network need support for the transition mechanisms. With that support, monitoring the traffic in the network and checking the tunnels opened in both directions are recognised as necessary for building a safe IPv6 network.

2.1. Dual Stack

 Dual stack means that both protocols are supported. Devices using this method are given both an IPv4 and an IPv6 address. Tunnelling and translation also need support for both protocols at some points in the network, and that need is met with this method.

 Devices using dual stack are exposed to attacks related to both protocols. With this method, the security add-ons and the router configurations have to be revised. In addition, a study named "Performance Analysis of IPv6 Dual-Stack Applications under Attack" found that servers using the dual-stack method were affected more by attacks than servers using IPv6 or IPv4 alone.

 Research covering networks that support both protocols together shows that dual-stack networks are safer than IPv4-only or IPv6-only networks against threats such as worms.
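The point that dual-stack hosts need their security add-ons and filtering rules revised for both protocols can be checked mechanically. The following script is an added example, not code from the original article: it models a host's listening services and a first-match firewall rule set (all names, ports and rules are constructed for the example) and reports every service that is reachable over IPv6 and allowed there while the IPv4 side is closed or absent, which is exactly the exposure an IPv4-only firewall review misses.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory: every service, port and rule below is made up for this example.


@dataclass
class Service:
    name: str
    port: int
    binds: list           # addresses the service listens on, e.g. "0.0.0.0", "::", "127.0.0.1"


@dataclass
class FirewallRule:
    family: int           # 4 or 6
    port: int             # 0 matches any port
    action: str           # "allow" or "deny"


def reachable_over(service, family):
    """True if the service listens on a non-loopback address of the given IP family."""
    for bind in service.binds:
        addr = ipaddress.ip_address(bind)
        if addr.version == family and not addr.is_loopback:
            return True
    return False


def effective_action(rules, family, port, default_action):
    """First-match firewall evaluation for one address family and port."""
    for rule in rules:
        if rule.family == family and rule.port in (port, 0):
            return rule.action
    return default_action


def ipv6_policy_gaps(services, rules, default_action="allow"):
    """Services that are reachable and allowed over IPv6 without an equivalent IPv4 exposure.

    A dual-stack host whose firewall was only ever written for IPv4 shows up here:
    the IPv6 listener falls through to the permissive default."""
    gaps = []
    for svc in services:
        if not reachable_over(svc, 6):
            continue
        if effective_action(rules, 6, svc.port, default_action) != "allow":
            continue
        v4_exposed = (reachable_over(svc, 4)
                      and effective_action(rules, 4, svc.port, default_action) == "allow")
        if not v4_exposed:
            gaps.append((svc.name, svc.port))
    return gaps


SERVICES = [
    Service("sshd", 22, ["0.0.0.0", "::"]),        # dual-stack listener
    Service("httpd", 80, ["0.0.0.0", "::"]),       # dual-stack listener
    Service("mysqld", 3306, ["127.0.0.1", "::1"]), # loopback only, not exposed
    Service("rpcbind", 111, ["::"]),               # IPv6-only listener
]

RULES = [
    FirewallRule(4, 22, "deny"),    # SSH closed on IPv4 ...
    FirewallRule(4, 111, "deny"),   # ... and rpcbind closed on IPv4
    FirewallRule(4, 80, "allow"),
    FirewallRule(6, 80, "allow"),   # the only IPv6 rule the administrator wrote
]

if __name__ == "__main__":
    for name, port in ipv6_policy_gaps(SERVICES, RULES):
        print(f"{name} (port {port}) is reachable over IPv6 with no matching IPv4 exposure")
```

Running the script lists sshd and rpcbind: both are denied on IPv4, but nothing denies them on IPv6, so the dual-stack host is open on the second protocol. The same inventory model can be fed from `ss -ltn` output and the host's real rule set.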

2.2. Tunnelling

 Tunnelling transition methods are a model of transport in which traffic of one protocol is carried inside another. In this way two endpoints using the same protocol can communicate across a network that uses the other protocol. The endpoints that encapsulate and decapsulate the packets are located at the tunnel ends and use the dual-stack method.

 Checking the tunnels that have been created and filtering tunnelled traffic are very important for building a safe network. Clients can set up an IPv6 tunnel even when the network administrators provide no IPv6 support and know nothing about it. Since tunnelled traffic cannot be filtered while it is still encapsulated, the protocol-level filtering rules have to be applied after the packet wrapper has been removed, and this must be planned for in the period when IPv6 support is introduced.

 At the endpoints of tunnelling methods, performing identity verification without verifying the IPv4 addresses creates serious vulnerabilities; users with spoofed IPv4 addresses can enter the network easily for this reason.
 Many tunnelling methods are proposed in the literature: manual tunnelling, tunnel brokers, 6to4, ISATAP and Teredo. The following sections give information about these tunnelling methods.

2.2.1. Manual Tunnelling

 Manual tunnelling configures the endpoint devices with information about the tunnel end points (IPv4 addresses, IPv6 addresses, etc.). Each device has to be configured with this information and updated whenever something changes, so these settings bring problems in installation and administration.

 Because the tunnels are created manually, filtering them is easier, and taking security steps such as keeping the endpoint information fresh and protecting against attacks like denial of service is simpler. This advantage does not exist in the automatically configured methods.

2.2.2. Tunnel Broker

 The tunnel broker method differs from manual tunnelling in that the tunnel endpoint information is set up by a tunnel broker server. The tunnel broker server informs the tunnel server at the network transition point about the tunnel that will be created. The client creates the tunnel to the tunnel server by running a downloaded script.

 In the tunnel broker method, the communication between

 the client and the tunnel broker server,
 the tunnel broker server and the tunnel server, and
 the tunnel broker server and the DNS server has to be secured.

In addition to these protections, attackers may attempt a denial of service by opening a large number of tunnel requests. To block this attack, administrators have to put a per-user limit on the number of tunnels that can be opened.
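The per-user limit recommended above can be enforced at the tunnel broker itself. The class below is an added example, not code from the article or from any tunnel broker product; it is a deliberately small model that caps both the number of active tunnels a user may hold and the number of tunnel requests per sliding time window. The user names and limits are constructed, and the timestamp is passed in rather than read from the clock so the behaviour is reproducible.

```python
from collections import defaultdict, deque


class TunnelQuota:
    """Per-user limits for a tunnel broker (constructed example).

    max_active:    tunnels a single user may hold open at once
    max_requests:  tunnel requests a user may make within one window
    window_seconds: length of the sliding window for the request cap
    """

    def __init__(self, max_active, max_requests, window_seconds):
        self.max_active = max_active
        self.max_requests = max_requests
        self.window = window_seconds
        self.active = defaultdict(int)        # user -> open tunnels
        self.requests = defaultdict(deque)    # user -> timestamps of recent requests

    def request_tunnel(self, user, now):
        """Return (granted, reason). `now` is a timestamp in seconds."""
        recent = self.requests[user]
        while recent and now - recent[0] >= self.window:   # drop timestamps outside the window
            recent.popleft()
        recent.append(now)   # denied requests count too, so hammering retries cannot reset the window
        if len(recent) > self.max_requests:
            return False, "request rate exceeded"
        if self.active[user] >= self.max_active:
            return False, "active tunnel limit reached"
        self.active[user] += 1
        return True, "granted"

    def release_tunnel(self, user):
        """Called when the client tears the tunnel down or it times out."""
        if self.active[user] > 0:
            self.active[user] -= 1


if __name__ == "__main__":
    quota = TunnelQuota(max_active=2, max_requests=3, window_seconds=60)
    for t in (0, 1, 2, 3, 70):
        print(t, quota.request_tunnel("alice", t))
```

A real broker would also expire tunnels that were never torn down, so that `release_tunnel` is eventually called for every grant; otherwise a client that never closes its tunnels locks itself out rather than the broker.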

2.2.3. Automatic Tunnelling

 Automatic tunnelling was one of the first proposed methods. With this method, IPv4-compatible IPv6 addresses create an automatic tunnel to the dual-stack endpoints. These endpoints use IPv6 addresses in which the IPv4 address is embedded. This method has given way to the 6to4 and ISATAP methods.

2.2.4. 6to4

 6to4 is an automatic tunnelling method used between routers. Systems using this method use the 2002::/16 prefix assigned by IANA. Isolated IPv6 networks can use the available IPv4 infrastructure with this method. A client using this method in an isolated IPv6 network uses addresses under the 2002:V4ADDR::/48 prefix.

 Networks using 6to4 can communicate with each other without any settings. A network using 6to4 has to use a relay router to communicate with IPv6 networks that do not use 6to4. The relay router has one 6to4 interface and one native IPv6 interface.

 To block the use of spoofed IPv6 addresses, administrators can filter on a source-address basis. In the same spirit, addresses that do not fit the 2002:V4ADDR::/48 form have to be dropped by the encapsulating and decapsulating endpoints.

2.2.5. 6over4

 6over4 describes IPv6 transmission over an IPv4 network without using explicit tunnels. This method is used to connect isolated IPv6 clients by means of the IPv4 multicast feature. It needs neither manual tunnels nor special IPv6 addresses. Use of 6over4 depends on IPv4 multicast support in the network.

2.2.6. ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)

 ISATAP was proposed as a replacement for 6over4. As in 6over4, the IPv4 infrastructure is used as the link layer of the network. However, the system is called Non-Broadcast Multiple Access because it does not use the IPv4 multicast infrastructure. As in 6over4, the IPv4 address identifies the node on the network and forms the last 32 bits of the IPv6 address. Addresses can be configured manually or automatically.

 Configuring ISATAP properly is important for networks that use it. The literature includes ISATAP routers configured on the Linux operating system.

 In a network using ISATAP, the ISATAP servers should answer only requests from internal clients. This can be achieved with IPv4 firewall rules. In addition, the endpoints at the server have to allow protocol 41 traffic only from known endpoints. In this way not only the ISATAP servers but also the clients in the network are protected. If the ISATAP server list is announced automatically, for example via DNS or DHCP, that list has to be protected as well. The network discovery messages handled at ISATAP servers have to be protected as in native IPv6 networks.
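The manual-tunnel, 6to4 and ISATAP sections all come down to the same rule at a tunnel endpoint: protocol 41 traffic is accepted only when the outer IPv4 source is a known peer, and when the inner IPv6 source embeds an IPv4 address (2002:V4ADDR::/48 for 6to4, the ::5efe:a.b.c.d interface identifier for ISATAP) that address must agree with the outer source. The script below is an added example written for this article, not code from it or from any firewall product. It parses the outer IPv4 header and the inner IPv6 header of a raw packet and returns a policy decision; the peer list, addresses and test packets are constructed, and the IPv4 checksum in the constructed packets is left at zero because only the header fields are inspected.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41                              # IPv6-in-IPv4 encapsulation
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")      # 6to4 prefix assigned by IANA


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from a raw IPv4 packet, or raise ValueError."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    (ver_ihl, _tos, _length, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header")
    return proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), pkt[ihl:]


def parse_ipv6(payload):
    """Return (src, dst) from an IPv6 header, or raise ValueError."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        raise ValueError("bad IPv6 header")
    return ipaddress.IPv6Address(payload[8:24]), ipaddress.IPv6Address(payload[24:40])


def embedded_6to4_ipv4(addr):
    """2002:V4ADDR::/48 carries the IPv4 address in bits 16..47 of the IPv6 address."""
    return ipaddress.IPv4Address(addr.packed[2:6]) if addr in SIX_TO_FOUR else None


def embedded_isatap_ipv4(addr):
    """ISATAP interface identifiers are 0000:5efe:a.b.c.d (0200:5efe:... for global IPv4)."""
    iid = addr.packed[8:16]
    if iid[0] in (0x00, 0x02) and iid[1:4] == b"\x00\x5e\xfe":
        return ipaddress.IPv4Address(iid[4:8])
    return None


def tunnel_policy(pkt, known_peers):
    """Decide ('accept'|'drop'|'pass', reason) for one packet arriving at a tunnel endpoint.

    known_peers: IPv4 networks of manual tunnel peers and of internal ISATAP clients."""
    try:
        proto, osrc, _odst, payload = parse_ipv4(pkt)
    except ValueError:
        return "drop", "malformed IPv4 packet"
    if proto != PROTO_IPV6_IN_IPV4:
        return "pass", "not protocol 41, leave to the ordinary rules"
    try:
        isrc, _idst = parse_ipv6(payload)
    except ValueError:
        return "drop", "malformed encapsulated IPv6 packet"
    trusted = any(osrc in net for net in known_peers)
    v4 = embedded_6to4_ipv4(isrc)
    if v4 is not None:                      # 6to4: inner source must embed the outer source
        if v4 != osrc:
            return "drop", f"6to4 source {isrc} does not embed outer source {osrc}"
        return "accept", "6to4 source consistent with outer IPv4 source"
    v4 = embedded_isatap_ipv4(isrc)
    if v4 is not None:                      # ISATAP: same consistency check, and internal only
        if v4 != osrc or not trusted:
            return "drop", f"ISATAP source {isrc} is not a known internal client"
        return "accept", "ISATAP client from a known internal range"
    if not trusted:                         # manual tunnel: outer source must be a configured peer
        return "drop", f"protocol 41 from unknown endpoint {osrc}"
    return "accept", "manual tunnel peer"


def build_6in4(osrc, odst, isrc, idst, proto=PROTO_IPV6_IN_IPV4):
    """Constructed test packet: an IPv6 header with no payload inside an IPv4 header."""
    inner = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)          # version 6, next header 59 (none)
             + ipaddress.IPv6Address(isrc).packed + ipaddress.IPv6Address(idst).packed)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, proto, 0,
                        ipaddress.IPv4Address(osrc).packed, ipaddress.IPv4Address(odst).packed)
    return outer + inner


# Constructed peer list: an internal range for ISATAP clients and one manual tunnel peer.
KNOWN_PEERS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.9/32")]

if __name__ == "__main__":
    samples = [
        build_6in4("192.0.2.10", "198.51.100.1", "2002:c000:20a::1", "2001:db8::1"),   # honest 6to4
        build_6in4("198.51.100.7", "198.51.100.1", "2002:c000:20a::1", "2001:db8::1"), # spoofed 6to4
        build_6in4("10.1.2.3", "10.0.0.1", "fd00::5efe:a01:203", "fd00::1"),           # internal ISATAP
        build_6in4("203.0.113.5", "10.0.0.1", "fd00::200:5efe:cb00:7105", "fd00::1"),  # external ISATAP
        build_6in4("203.0.113.99", "10.0.0.1", "2001:db8::1", "2001:db8::2"),          # unknown peer
    ]
    for pkt in samples:
        print(tunnel_policy(pkt, KNOWN_PEERS))
```

The decision is taken before decapsulation, so it complements rather than replaces the protocol-level filtering that the tunnelling section says must run on the inner packet after the wrapper is removed.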

2.2.7. Teredo

 Teredo is a tunnelling method for IPv4 clients located behind NAT, and it provides IPv4 clients with connectivity to IPv6 networks. The method works on a client-to-client model: one or more dual-stack clients located behind a NAT send IPv6 packets around it as UDP messages carried over IPv4. The Teredo service consists of two parts, the Teredo server and the Teredo relay. The Teredo server listens on UDP port 3544 for requests from Teredo clients.

 The Teredo server listens for the clients' requests and answers them with IPv6 addresses. The Teredo server forwards the IPv6 packets, encapsulated in IPv4, to the Teredo relay. The Teredo relay is at the same time an IPv6 router: it accepts the IPv6 packets and provides the client's connection over the IPv4 UDP port, so that transmission is possible. The relay acts purely as a forwarding IPv6 router: it transmits packets from the Teredo server to the IPv6 network and from the IPv6 network to the Teredo server.

 The Teredo design allows the use of IPsec (Internet Protocol Security) services such as IKE (Internet Key Exchange), AH (Authentication Header) and ESP (Encapsulating Security Payload). However, some protections are needed while using Teredo services. The problems are listed in RFC 4380 as: the NAT hole-punching structure, man-in-the-middle attacks using the Teredo service, denial-of-service attacks against the Teredo service, and denial-of-service attacks against endpoints using the Teredo service.

 In a network using the Teredo method, IPv6 packets wrapped in UDP packets can pass through the NAT and through the firewall application on the machine. In such a case all the services that are open for local use on the IPv6 network could become a potential target for attackers. For this reason, the IPv6 packets that emerge after decapsulation should be passed through a firewall (for example a firewall application on the client computer) or the exposure should be closed by using IPsec.

 Another attack on users of the Teredo method: an attacker can intercept a Teredo client's router request, forge a new router request and answer it himself. At this point the attacker can either direct the client to an address that cannot be reached, exposing it to a denial of service, or, as the second option, carry out a man-in-the-middle attack. IPsec, the IPv6 security application, cannot protect the server here because it provides verification only for the IPv6 packet, not for the IPv4 part. In this case the Teredo server can do nothing about the IPv6 and IPv4 traffic and is blocked.

2.3. Translation

 Translation methods change packets from one protocol format to the other. However, this approach breaks the end-to-end structure of the Internet. In networks using dual stack or tunnelling, packets are sent end to end, whereas in translation methods the packet headers are changed, so features supported by one protocol and not by the other cannot be used. For example, with this method, end-to-end IPsec encryption and authentication applications run into problems.

2.3.1. SIIT (Stateless IP/ICMP Translation Algorithm)

 Translators located at the network layer of the protocol stack are called "header translators". These translators carry out the translation of IPv4 to IPv6. An example of such a translator is the SIIT (Stateless IP/ICMP Translation Algorithm) method.

 Using SIIT does not cause any additional security warnings. However, in networks that use SIIT, IPsec support for IPv6 meets some limitations. One IPsec feature, AH, covers the area in which IPsec is located, and the Identification field cannot always be converted in a way that keeps that function working. In such a case the endpoint cannot compute the authentication header (AH) over the IPv6 header, so the AH feature is not available in networks that use the translation method. The other IPsec feature, ESP, whose header is not tied to the header information, can be applied in networks using the translation method. Since ESP in tunnel mode adds an IPv4 or IPv6 header to the packet being sent and the receiver has to remove that header again, ESP in transport mode is easier to use.

2.3.2. NAT-PT and NAPT-PT Methods

 NAT-PT (Network Address Translation with Protocol Translation) converts packets exchanged between two different protocols from one format to the other. Like a NAT application in IPv4, the NAT part of NAT-PT converts IPv4 addresses to IPv6 and IPv6 addresses to IPv4. The PT part converts the packet headers between the protocols. In NAT-PT, the assigned addresses are chosen from an address pool.

 NAPT-PT (Network Address Port Translation with Protocol Translation) provides communication by mapping IPv6 endpoints onto IPv4 endpoints. This method assigns a certain number of ports to each NAPT-PT endpoint.

 NAPT-PT cannot provide end-to-end protection. When a single IPv6 endpoint wants to communicate with a single IPv4 endpoint, it sends packets carrying IPsec features such as ESP and AH over TCP/UDP/ICMP. However, NAPT-PT changes the IPv6 endpoint address into an unrelated IPv4 address. Therefore the IPv4 endpoint cannot map the packet back to the real IPv6 address and cannot verify it.

 In the literature, NAT-PT has been reviewed in detail and it was decided that this method should be removed from the set of proposed methods.

3. Conclusion

 Each network needs a different method to transition to the next-generation Internet Protocol. Network administrators should analyse each transition method and its related security settings, then choose the best method for their network. This article aims to explain the proposed and common IPv6 transition methods and the possible security warnings that apply when these methods are in use.
