Utilisation d'identifiants cryptographiques pour la sécurisation IPv6 / Use of crypto based identifiers for IPv6 security

Combes, Jean-Michel

28 September 2012

IPv6, protocole succédant à IPv4, est en cours de déploiement dans l’Internet. Il repose fortement sur le mécanisme Neighbor Discovery Protocol (NDP). Celui-ci permet non seulement à deux nœuds IPv6 de pouvoir communiquer, à l’instar du mécanisme Address Resolution Protocol (ARP) en IPv4, mais il apporte aussi de nouvelles fonctionnalités, telles que l’autoconfiguration d’adresse IPv6. Aussi, sa sécurisation pour le bon fonctionnement de l’Internet en IPv6 est critique. Son mécanisme de sécurité standardisée à l’Internet Engineering Task Force (IETF) se nomme Secure Neighbor Discovery (SEND). Il s’appuie à la fois sur l’utilisation d’identifiants cryptographiques, adresses IPv6 appelées Cryptographically Generated Addresses (CGA) et qui sont générées à partir d’une paire de clés publique/privée, et de certificats électroniques X.509. L’objet de cette thèse est l’étude de ces identifiants cryptographiques, les adresses CGA, ainsi que le mécanisme SEND les employant, et leurs réutilisations potentielles pour la sécurisation IPv6. Dans une première partie de cette thèse, tout d’abord, nous posons l’état de l’art. Dans une deuxième partie de cette thèse, nous nous intéressons à la fiabilité du principal mécanisme connu employant les adresses CGA, le mécanisme SEND. Dans une troisième et dernière partie de cette thèse, nous présentons des utilisations des identifiants cryptographiques pour la sécurisation IPv6 / IPv6, next Internet protocol after IPv4, is under deployment in the Internet. It is strongly based on the Neighbor Discovery Protocol (NDP) mechanism. First, it allows two IPv6 nodes to communicate, like the Address Resolution Protocol (ARP) mechanism in IPv4, but it brings new functions too, as IPv6 address autoconfiguration. So, the security of this mechanism is critical for an Internet based on IPv6. The security mechanism standardized by the Internet Engineering Task Force (IETF) is Secure Neighbor Discovery (SEND). It is based on the use of cryptographical identifiers, IPv6 addresses named Cryptographically Generated Addresses (CGA) and generated from a public/private keys pair, and X.509 certificates. The goal of this PhD thesis is the study of such cryptographical identifiers, CGA addresses, as well as SEND using them, and their potential re-use to secure IPv6. In a first part of this thesis, we recall the main features of the IPv6 protocol. In a second part of this thesis, we are interested in the reliability of the main known mechanism using the CGA addresses, SEND. In a third and last part of this thesis, we present different uses of cryptographical identifiers to secure IPv6

IPv6

Sécurité

Cryptographie

CGA

IBC

NDP

DNS

IPv6

Security

Cryptography

CGA

IBC

NDP

DNS

Účtování uživatelů v sítích nové generace / User accounting in next generation networks

Grégr, Matěj

January 2016

Velikost sítě Internet dosáhla takového rozměru, že globálně jednoznačná adresace všech připojených zařízení již není možná při zachování současné architektury TCP/IPv4. Tímto problémem se začalo zabývat již v 90. letech a od té doby bylo představeno několik návrhů nových architektur a síťových protokolů, které mají či měly ambice omezení adresace vyřešit. V současné době, v roce 2016, je jediným globálně nasazovaným řešením problému adresace protokol IPv6. Tento protokol zvětšuje velikosti síťové adresy čímž umožňuje adresovat téměř libovolné množství zařízení, ovšem za cenu nekompatibility se současným protokolem IPv4. Rozdílně se také staví ke způsobu automatické konfigurace koncových zařízení, proměnlivé velikosti síťové hlavičky a omezení nekompatibility řeší různými přechodovými mechanismy. Tato práce diskutuje dopady, které tyto změny mají na oblast monitorování a účtování uživatelů. Zejména změny způsobu konfigurace adresy vyžadují jiný přístup než v současných monitorovacích systémech, které ukládají pouze metadata o síťové komunikace pomocí protokolu NetFlow/IPFIX. Práce je zaměřena primárně na vyřešení problému účtování uživatelů v sítích kde jsou souběžně nasazeny protokoly IPv4 i IPv6, použity tunelovací přechodové mechanismy nebo překlad adres. Část práce je za- měřena na měření globálního vývoje a nasazení protokolu IPv6 mezi koncovými poskytovateli internetového připojení, poskytovateli obsahu a páteřními operátory.

An Examination of the Design, Development, and Implementation of an Internet Protocol Version 6 Network: The ADTRAN Inc. Case Study

Perigo, Levi

01 January 2013

In this dissertation, the author examined the capabilities of Internet Protocol version 6 (IPv6) in regard to replacing Internet Protocol version 4 (IPv4) as the internetworking technology for Medium-sized Businesses (MBs) in the Information Systems (IS) field. Transition to IPv6 is inevitable, and, thus, organizations are adopting this protocol to be prepared in it becoming the dominant internetworking protocol. The goal of the research was to develop a model for IS specialists to use with MBs in the transition from IPv4 to IPv6. To achieve this goal, the author performed a case study of ADTRAN Inc.'s IPv6 implementation, using the Systems Development Life Cycle (SDLC) framework. The SDLC methodology consists of five phases and was used to support the design, development, and implementation of the ADTRAN Inc. IPv6 solution. For Phase 1, the Research Phase, the author examined business requirements, administered a questionnaire, and recorded participant observation. In Phase 2, the Analysis Phase, the author analyzed the data from Phase 1 and created a functional and nonfunctional requirements list. For Phase 3, the Logical Design Phase, the author developed documentation and diagrams for the IPv6 implementation. In Phase 4, the Physical Design Phase, the author determined what internetworking hardware would be needed and where it should be deployed. For Phase 5, the Implementation Phase, the author completed the IPv6 network implementation. Finally, the author analyzed the data collected from this investigation. The use of the findings, in conjunction with the SDLC methodology, resulted in the ADTRAN Inc. Implementation model, which can be used by MBs of a similar size to ADTRAN Inc., when IPv6 transition initiatives are being considered.

Design

Implementation

Internetwork

IPv4

IPv6

Transition

Computer Sciences

IPv4 to IPv6 transition : security challenges

Duarte, Tomé Araújo

January 2013

Tese de mestrado integrado. Engenharia Informática e Computação. Faculdade de Engenharia. Universidade do Porto. 2013

Endereços IPv4

Adoção de IPv6

Transição de protocolos

Segurança das redes

Improving mobile IP handover latency on end-to -end TCP in UMTS/WCDMA networks

Lau, Chee Kong, Electrical Engineering & Telecommunications, Faculty of Engineering, UNSW

January 2006

Due to terminal mobility and change of service area, efficient IP mobility support is an important aspect in UMTS networks in order to provide mobile users negligible packet loss rate and low handover latency, and thus some level of guaranteed quality-ofservice (QoS) to support real-time applications. 3G/UMTS has been specified and implemented as an end-to-end mobile communications system. The underlying WCDMA access systems manage radio access handover (layer 1) and provide linklayer mobility (layer 2) in terms of connection setup and resource management. For the UMTS nodes to have seamless connectivity with the Internet, the UMTS core networks need to be able to support continuous and no network service session handover (layer 3 and above). A long IP handover latency results in high packet loss rate and severely degrades its end-to-end transport level performance. Network-layer handover latency has therefore been regarded as one of the fundamental limitations in IP-based UMTS networks. Therefore, it is crucial to provide efficient network-layer mobility management in UMTS/WCDMA networks for seamless end-to-end TCP connection with the global Internet. Mobility of UMTS nodes necessitates extra functionalities such as user location tracking, address registration and handover related mechanisms. The challenge to provide seamless mobility in UMTS requires localised location management and efficient IP handover management. Mobile IPv6 protocol offers a better mobility support as the extended IPv6 features with mobility mechanism are integrated to the mobile nodes. To mitigate the effect of lengthy IP handover latency, two well-known handover reducing mechanisms based on Mobile IPv6 support have been proposed in the literature. They are designed with hierarchical network management and address pre-configuration mechanism. Hierarchical management aims to reduce the network registration time, and fast-handover attempts to minimise the address resolution delay. S-MIP (Seamless Mobile IP) integrates the key benefits of the above IP mobility mechanisms coupled with local retransmission scheme to achieve packet lossless and extremely low handover latency, operating in WLAN environments. In this thesis, we explore the possible Mobile IP solutions and various IP handover optimisation schemes in IPv6 to provide seamless mobility in UMTS with the global Internet. It aims at developing an optimised handover scheme that encompasses the packet lossless and extremely low handover latency scheme in S-MIP, and applying it into the UMTS/WCDMA packet data domain. Therefore, the hybrid UMTS-SMIP architecture is able to meet the requirements of delay sensitive real-time applications requiring strict delay bound, packet lossless and low handover latency performance for end-to-end TCP connection during a UMTS IP-based handover. The overall seamless handover architecture in UMTS facilitates integrated, scalable and flexible global IP handover solution enabling new services, assuring service quality and meeting the user???s expectations in future all-IP UMTS deployment. The viability of the seamless mobility scheme in UMTS is reflected through and validated in our design model, network protocol implementation, and service architecture. We illustrate the performance gained in QoS parameters, as a result of converged UMTS-SMIP framework compared to other Mobile IPv6 variants. The simulation results show such a viable and promising seamless handover scheme in UMTS on IP handover latency reduction on its end-to-end TCP connection.

Improving mobile IP handover latency on end-to -end TCP in UMTS/WCDMA networks

Lau, Chee Kong, Electrical Engineering & Telecommunications, Faculty of Engineering, UNSW

January 2006

Due to terminal mobility and change of service area, efficient IP mobility support is an important aspect in UMTS networks in order to provide mobile users negligible packet loss rate and low handover latency, and thus some level of guaranteed quality-ofservice (QoS) to support real-time applications. 3G/UMTS has been specified and implemented as an end-to-end mobile communications system. The underlying WCDMA access systems manage radio access handover (layer 1) and provide linklayer mobility (layer 2) in terms of connection setup and resource management. For the UMTS nodes to have seamless connectivity with the Internet, the UMTS core networks need to be able to support continuous and no network service session handover (layer 3 and above). A long IP handover latency results in high packet loss rate and severely degrades its end-to-end transport level performance. Network-layer handover latency has therefore been regarded as one of the fundamental limitations in IP-based UMTS networks. Therefore, it is crucial to provide efficient network-layer mobility management in UMTS/WCDMA networks for seamless end-to-end TCP connection with the global Internet. Mobility of UMTS nodes necessitates extra functionalities such as user location tracking, address registration and handover related mechanisms. The challenge to provide seamless mobility in UMTS requires localised location management and efficient IP handover management. Mobile IPv6 protocol offers a better mobility support as the extended IPv6 features with mobility mechanism are integrated to the mobile nodes. To mitigate the effect of lengthy IP handover latency, two well-known handover reducing mechanisms based on Mobile IPv6 support have been proposed in the literature. They are designed with hierarchical network management and address pre-configuration mechanism. Hierarchical management aims to reduce the network registration time, and fast-handover attempts to minimise the address resolution delay. S-MIP (Seamless Mobile IP) integrates the key benefits of the above IP mobility mechanisms coupled with local retransmission scheme to achieve packet lossless and extremely low handover latency, operating in WLAN environments. In this thesis, we explore the possible Mobile IP solutions and various IP handover optimisation schemes in IPv6 to provide seamless mobility in UMTS with the global Internet. It aims at developing an optimised handover scheme that encompasses the packet lossless and extremely low handover latency scheme in S-MIP, and applying it into the UMTS/WCDMA packet data domain. Therefore, the hybrid UMTS-SMIP architecture is able to meet the requirements of delay sensitive real-time applications requiring strict delay bound, packet lossless and low handover latency performance for end-to-end TCP connection during a UMTS IP-based handover. The overall seamless handover architecture in UMTS facilitates integrated, scalable and flexible global IP handover solution enabling new services, assuring service quality and meeting the user???s expectations in future all-IP UMTS deployment. The viability of the seamless mobility scheme in UMTS is reflected through and validated in our design model, network protocol implementation, and service architecture. We illustrate the performance gained in QoS parameters, as a result of converged UMTS-SMIP framework compared to other Mobile IPv6 variants. The simulation results show such a viable and promising seamless handover scheme in UMTS on IP handover latency reduction on its end-to-end TCP connection.

Independent Local Locator Substrate Indirection Transport / ILLSIT

Svensson, Mikael, Santibañez Jara, Pablo

January 2009

<p>Interoperation between IPv4 and IPv6 on a global scale is largely an unsolved problem, and in principle a problem without a proper solution. The 32-bit IPv4 address can simply not express all possible IPv6 hosts. Today, IP plays a double role. It is both a topological locator as well as a host identity. By decoupling the two roles a communication could also span over incompatible locator domains (e.g. IPv4 and IPv6). The Host Identity Protocol (HIP) [W16] uses this decoupling by providing two discrete data structures, one for the host identity and one for the interfaces locator.  By extending HIP to allow differently formatted locators, and with the help of an Identity Router, one could cross past differing locator domains without the individual hosts needing to be configured for any particular domain other than their own.</p><p>The goal of this thesis is to investigate possible methods and architectures to allow this kind of locator domain interoperability and to implement a proof of concept gateway. The first part of the thesis consists of the exploration of the problem domain. Collecting the requirements of HIP enabled hosts, and to define a method for the interoperability of two HIP-hosts residing in two differing locator domains (IPv4/IPv6 will be assumed for scope limiting purposes). The output of this part will be a set of requirements, a suggested solution and a rationale for the chosen solution. The second part consists of the design and implementation of the required components for the interoperation. At the time of writing, the foreseen components will be: a parameter to HIP and a gateway, however, this is subject to change depending on the output of part one. The expected output of part two is a design specification, an implementation plan for the components and finally the implementation of the defined components.</p> / NordicHIP

HIP

Gateway

ILLSIT

IPv4

IPv6

Computer engineering

Datorteknik

Privacy in the next generation Internet. Data proection in the context of European Union policy

Escudero-Pascual, Alberto

January 2002

With the growth in social, political and economic importanceof the Internet, it has been recognized that the underlyingtechnology of the next generation Internet must not only meetthe many technical challenges but must also meet the socialexpectations of such a pervasive technology. As evidence ofthe strategic importance of the development of the Internet,the European Union has adopted a communication to the Counciland the European Parliament focusing on the next generationInternet and the priorities for action in migrating to the newInternet protocol IPv6 andalso a new Directive (2002/58/EC) on'processing of personal data and protection of privacy in theelectronic communication sector'. The Data Protection Directiveis part of a package of proposals for initiatives which willform the future regulatory framework for electroniccommunications networks and services. The new Directive aims toadapt and update the existing Data ProtectionTelecommunications Directive (97/66/EC) to take account oftechnological developments. However, it is not well undersoodhow this policy and the underlying Internet technology can bebrought into alignment. This dissertation builds upon the results of my earlierlicentiate thesis by identifying three specific, timely, andimportant privacy areas in the next generation Internet: uniqueidentifiers and observability, privacy enhanced location basedservices, and legal aspects of data traffic. Each of the three areas identified are explored in the eightpublished papers that form this dissertation. The paperspresent recommendations to technical standarization bodies andregulators concerning the next generation Internet so that thistechnology and its deployment can meet the specific legalobligations of the new European Union data protectiondirective.

location privacy

IPv6

data protection

mobile internet

PUL

Implementation & Analysis of Application Layer Multicast over Mobile IPv6 Network

Chang, Wan-Yu

06 July 2005

¡@¡@In recent years, the trends in network communication towards mobile network .Traditional network cannot meet the need of new communication challenge. The 802.11 outperforms other new wireless network technique ¡@¡@In this paper, we assume user have wireless NIC devices with Mobile IPv6 protocol module. We use this model to build an environment and use this environment to design our Mobile IPv6 multicast simulation. We do these for two reasons, (1)To analyze how to use multicast over Mobile IPv6 wireless network. (2)To design an experimentation for multicast over wireless LAN. After we get results of the experimentation, we could know why wireless network does not have better quality than wired LAN. ¡@¡@During our implementation, we have a high latency problem and try to solve it by our program. After our improvement, average latency reduces to 27.77% and miss rate reduces to 33.07%. ¡@¡@Our implementation not only provide some useful information when some one need to build Mobile IPv6 environment but also give a solution for solving handover latency problem.

IPv6

Bi-directional Tunneling

Multicast

Measure

Handover

Mobility

A Jitter Minimization Mechanism with Credit/Deficit Adjustment in IPv6-Based DiffServ Networks

Shiu, Yi-Min

13 August 2003

In a DiffServ networks, edge and core router classify traffic flows into different PHBs and provide different QoS for the classified flows. In order to achieve satisfactory QoS guarantee, many packet schedulers were proposed. However IETF have not formally standardized an appropriate and effective packet scheduler to minimize the jitter for real-time traffic. In RFC, EF flows are characterized with low-latency, low packet loss rate, and low jitter. Therefore, real-time traffic is often classified into EF flow. By considering the characteristics of real-time traffic, it is not appropriate to forward packets either too fast or too slow. Hence, in this Thesis, we propose a mechanism in which each packet is attached with its own per-hop queuing delay. If a packet is forwarded within its own per-hop queuing delay, we say the packet may arrive too early (credit accumulation). If a packet is forwarded beyond its own per-hop queuing delay, we say the packet has late arrival (deficit accumulation). The Credit/Deficit information can be stored in the IPv6 optional header so that it can pass through the whole networks. If we can minimize the Credit/Deficit, the jitter can be minimized too. Our design is based on a modified WFQ by adding functions such as estimated queuing delay and dynamic class changes. The dynamic class changes allow EF packets to switch among queues to achieve lower jitter and constant delay. We first implement the traditional WFQ scheduler on Linux platform and then followed by the implementation of the Credit/Deficit WFQ (CDWFQ). The experimental results have shown that CDWFQ can provide nearly constant queuing delay, lower packet loss rate, and lower jitter for EF traffic flows.

Jitter

IPv6

DiffServ

Packet Scheduling

WFQ

DSCP Adjustment

Linux