Manoranjan Mohanty
IPv4, IPv6, and IPSec
COMPSCI 316 (Cyber Security)
Source of some slides: Princeton University
Also thanks to J.F. Kurose and K.W. Ross
THE PLAN
This week and next week
Internet layer
– IPv4, IPv6, IPSec, BGP
Wifi security
Software Defined Network (SDN) – If time permits
INTERNET LAYER
Provides service to Transport Layer. Takes service from Link Layer
Host-to-host communication
– Host: An end system (computer) having unique IP (network) address
INTERNET LAYER CONT
Packet delivery, routing, error/information reporting
Source: https://www.tutorialspoint.com/data_communication_computer_network/network_layer_routing.htm
INTERNET PROTOCOL PACKET DELIVERY
Addressing
Encapsulation
Forwarding
Connectionless
Best service
IPv4 and IPv6
[Figure: UDP encapsulation, with the destination IP address labelled. Source: https://en.wikipedia.org/wiki/Encapsulation_(networking)#/media/File:UDP_encapsulation.svg]
IPv4
IPv4 is IP version 4
IP address: A 32-bit address that uniquely and universally identifies a host on the Internet
– 10000000 11000000 11100000 11110000
– Dotted decimal form: 128.192.224.240
The IP address allocation is done as follows
– The “wholesale” approach (ICANN -> ISP -> Organization -> You)
CLASSFUL ADDRESSING VS CLASSLESS ADDRESSING
For easier addressing, a group of similar IP addresses is assigned to an organization
The address is divided into two parts
– netid (every device in the organization has the same netid) and hostid (the hostid changes)
In classful addressing, there are only five possible ways of division
[Figure: address split as netid . hostid. Source: Data Communications and Networking by Behrouz A. Forouzan]
IPv4 : CLASSLESS ADDRESSING
Classful addressing often leads to misuse of IP addresses
Classless addressing: The block size can vary
– x.y.z.t / n – first n bits for the block (prefix)
Classless addressing is also not enough to solve the shortage of IPv4 addresses
– In the best case, more than four billion IP addresses (2^32)
– In 2018 alone, more than 2.3 billion computing devices shipped (Gartner April 2018)
Network Address Translation (NAT)
NAT
Why does NAT replace port numbers?
In an organization, allows a large set of addresses internally (private) but a small set externally (public)
Figure (source: Computer Networking: A Top-Down Approach Book by Jim Kurose):
– Outgoing datagram: S = 10.0.0.3, 3345; D = 128.119.40.0, 90
– Translation table entries (public side | private side):
  138.76.29.7, 3345 | 10.0.0.1, 3345
  138.76.29.7, 3345 | 10.0.0.3, 3345
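An added example (not from the original slides) that works through the port question using the slide's addresses: two internal hosts that both pick source port 3345 become indistinguishable behind 138.76.29.7 unless the NAT also rewrites the port. The class `Napt`, the helper `ambiguous_without_port_rewrite` and the starting port 5001 are hypothetical names and values chosen for illustration.

```python
from itertools import count


def ambiguous_without_port_rewrite(flows, public_ip):
    """Return the public endpoints that several internal flows would share
    if the NAT rewrote only the source address and kept the source port."""
    seen = {}
    for private_ip, private_port in flows:
        seen.setdefault((public_ip, private_port), []).append((private_ip, private_port))
    return {wan: lan for wan, lan in seen.items() if len(lan) > 1}


class Napt:
    """Toy address-and-port translator: one public address, many private hosts."""

    def __init__(self, public_ip, first_port=5001):
        self.public_ip = public_ip
        self._ports = count(first_port)   # constructed allocation policy
        self.out = {}                     # (private_ip, private_port) -> public_port
        self.back = {}                    # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port):
        """Rewrite the source of an outgoing datagram; return the public endpoint."""
        key = (src_ip, src_port)
        if key not in self.out:
            port = next(self._ports)
            self.out[key] = port
            self.back[port] = key
        return self.public_ip, self.out[key]

    def inbound(self, dst_port):
        """Map a reply back to the internal host. Returns None when no mapping
        exists, which is how unsolicited inbound traffic ends up dropped."""
        return self.back.get(dst_port)


# Constructed sample flows, taken from the translation table on the slide.
FLOWS = [("10.0.0.1", 3345), ("10.0.0.3", 3345)]
```

With port rewriting each flow gets its own public port, so a reply can be delivered to exactly one internal host.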
IPv4 PACKET FORMAT
20-byte header, shown as rows of 32 bits:
– 4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)
– 16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
– 8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
– 32-bit Source IP Address
– 32-bit Destination IP Address
Options (if any)
Payload
IP HEADER FIELDS
Version number (4-bit)
– Indicates the version of the IP protocol
– Typically 4 (for IPv4) and sometimes 6 (for IPv6)
Header length (4-bit)
– Number of 32-bit words in the header
– Typically 5 (for a 20-byte IPv4 header)
Type of service (8-bit)
– Used to manage quality of service
– E.g., low delay for audio and high bandwidth for bulk transfer
IP HEADER FIELDS CONT
Total length (16-bit)
– Number of bytes in the packet (header+payload)
– Maximum size can be 64KB
– Underlying links may impose harder limits
Fragmentation information (32-bit)
– Packet identification, flags, and fragmentation offset (see later)
– Supports dividing a large IP packet into fragments when a link cannot handle that (large) packet
Time-to-live (8-bit)
– Lifetime of a packet
– Used to prevent loops
TTL
TTL in packet header (8-bit)
– TTL is decremented as a packet traverses a router
– A packet is discarded when TTL reaches 0
– A ‘time exceeded’ message is sent to the source
IP HEADER FIELDS CONT
Protocol (8-bit)
– A value that specifies the type of payload
– E.g., TCP or UDP
Header checksum (32-bit)
– For IP header only
– Recalculated by each router since TTL changes
Source or destination address (32-bit)
– IP address
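An added example (not from the original slides) that parses the fixed 20-byte header from the packet-format slide and performs one router hop: decrement TTL, then recompute the 16-bit Header Checksum field shown in that layout. All function names are hypothetical, and the header bytes are constructed in the code rather than captured from a network.

```python
import socket
import struct

FMT = "!BBHHHBBH4s4s"   # the five 32-bit rows of the 20-byte header


def checksum16(data: bytes) -> int:
    """One's-complement sum of the 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src, dst, ttl, protocol, payload_len=0, ident=7):
    """Build a 20-byte header (no options) with a valid checksum."""
    hdr = struct.pack(FMT, (4 << 4) | 5, 0, 20 + payload_len, ident, 0,
                      ttl, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]


def parse_header(raw: bytes) -> dict:
    """Decode the fixed fields; reject truncated or non-IPv4 input."""
    if len(raw) < 20:
        raise ValueError("shorter than the minimum 20-byte header")
    vhl, _tos, length, ident, frag, ttl, proto, csum, src, dst = struct.unpack(FMT, raw[:20])
    version, hlen = vhl >> 4, (vhl & 0x0F) * 4   # header length is in 32-bit words
    if version != 4 or hlen < 20 or len(raw) < hlen:
        raise ValueError("bad version or header length")
    return {"header_len": hlen, "total_len": length, "id": ident,
            "flags": frag >> 13, "frag_offset": frag & 0x1FFF, "ttl": ttl,
            "protocol": proto, "checksum": csum,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            # summing a header that includes a correct checksum yields 0
            "checksum_ok": checksum16(raw[:hlen]) == 0}


def forward(raw: bytes):
    """One router hop: decrement TTL and recompute the checksum.
    Returns None when the packet must be discarded (TTL reaches 0)."""
    hlen = parse_header(raw)["header_len"]
    hdr = bytearray(raw[:hlen])
    if hdr[8] <= 1:
        return None            # a router would also send 'time exceeded'
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"   # checksum field is zero while summing
    hdr[10:12] = struct.pack("!H", checksum16(bytes(hdr)))
    return bytes(hdr) + raw[hlen:]
```

A header whose TTL byte is changed without recomputing the checksum fails the `checksum_ok` test, which is why every hop has to redo the sum.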
IP FRAGMENTATION AND REASSEMBLY
Max IP datagram: 64KB
Network links have Maximum Transfer Unit (MTU)
Large IP datagrams can be fragmented
Reassembled at destination (not router, internet layer)
[Figure: fragmentation (in: one large datagram, out: 3 smaller datagrams), followed by reassembly]
IP FRAGMENTATION AND REASSEMBLY CONT
Example
– 4000 bytes datagram
– MTU is 1500 bytes
length=header+payload
One large datagram becomes several smaller datagrams
– Original datagram: length=4000, ID=7, fragflag=0, offset=0
– Fragment 1: length=1500, ID=7, fragflag=1, offset=0
– Fragment 2: length=1500, ID=7, fragflag=1, offset=185
– Fragment 3: length=1040, ID=7, fragflag=0, offset=370
1480 bytes in data field, so offset = 1480/8
ID identifies IP datagram
fragflag=1 means more fragments available
offset points fragment offset (in octet)
ISSUES WITH FRAGMENTATION
Complicates router and end system
Reassembly computation cost
Interferes with TCP control flow
DoS attack
– Final fragment never sent
– Overlapping “offset”
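An added example (not from the original slides) that reproduces the 4000-byte, MTU 1500 fragmentation from the earlier slide and then classifies a received fragment set from the receiver's side, covering the two DoS cases listed above: a final fragment that never arrives and overlapping offsets. Function names, the status strings, the 30-second timeout and the strict policy that treats any overlap (exact duplicates included) as hostile are assumptions made for illustration.

```python
REASSEMBLY_TIMEOUT = 30   # seconds; assumed policy value, not from the slides


def fragment(total_len, mtu, ident, hdr_len=20):
    """Split a datagram of total_len bytes (header included) for a link with
    the given MTU. Offsets are in 8-byte units, as on the slide."""
    payload = total_len - hdr_len
    step = (mtu - hdr_len) // 8 * 8          # data per fragment, multiple of 8
    frags, sent = [], 0
    while sent < payload:
        size = min(step, payload - sent)
        frags.append({"ID": ident, "offset": sent // 8,
                      "fragflag": int(sent + size < payload),
                      "length": hdr_len + size})
        sent += size
    return frags


def check_reassembly(frags, hdr_len=20):
    """Classify fragments that share one ID as 'complete', 'incomplete',
    'overlap' or 'malformed'."""
    spans = sorted((f["offset"] * 8, f["offset"] * 8 + f["length"] - hdr_len, f["fragflag"])
                   for f in frags)
    covered, gap = 0, False
    for start, end, _more in spans:
        if start < covered:
            return "overlap"                 # bytes claimed by two fragments
        gap = gap or start > covered
        covered = max(covered, end)
    if any(more == 0 for _s, _e, more in spans[:-1]):
        return "malformed"                   # data placed after the final fragment
    if not spans or spans[-1][2] == 1 or gap:
        return "incomplete"                  # hole, or final fragment not seen
    return "complete"


def should_drop(status, age_seconds, timeout=REASSEMBLY_TIMEOUT):
    """Receiver policy (assumed): free the buffer at once for overlap or
    malformed sets, and for incomplete sets once the timer expires."""
    if status in ("overlap", "malformed"):
        return True
    return status == "incomplete" and age_seconds > timeout
```

The timer is what bounds the memory an incomplete set can hold: without it, each datagram whose last fragment is withheld keeps a reassembly buffer allocated indefinitely.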
IP SPOOFING
Source IP address should be the sending host
– But, who is checking that?
– One could send packets with any source IP
Why would someone want to do this?
– Launch a DoS attack
– Evade detection
– An attack against the spoofed host
Spoofed host is wrongly blamed
Spoofed host may receive return traffic from the receiver
IPv4 SECURITY
Confidentiality
Integrity
Authenticity
Availability
Replay attack
IPSec
IPv6
The recent version of Internet Protocol (IP)
Designed in the 90s
It offers larger address space
– 128-bit (16-byte) address
– 18 million trillion addresses
IPv6 is intended to replace IPv4
– Likely to co-exist with IPv4 for many years
IPv6 ADDRESS
"colon hex" notation – A colon between two sections (four hex values)
Source: Data Communications and Networking by Behrouz A. Forouzan
ABBREVIATED IPv6 ADDRESSES
Source: Data Communications and Networking by Behrouz A. Forouzan
IPv6 SIMPLIFIED HEADER
IPv6 HEADER: SIMPLIFICATION
Fixed length for the basic header
– IPv4 header of variable length: 20-byte (min)
– IPv6 has the main header: 40-byte (fixed)
Leads to fast header processing
No need of header length (hlen)
Fragmentation only by traffic source
– Source does path MTU discovery
– No burden on routers to do fragmentation
– No need of identification, flag, and fragment offset
IPv6 HEADER: SIMPLIFICATION CONT
Header checksums are eliminated
– IP header checksum is recalculated by every node due to change in TTL
– The idea is to improve performance by saving some resources
– Error detection check can be enforced by upper layers
NEXT HEADER FIELD
IPv6 EXTENSION HEADERS
Separate header(s) between the base header and data to carry optional internet-layer information
TRANSITION FROM IPv4 to IPv6
What’s wrong with dual-stack approach?
Source: Computer Networking: A Top-Down Approach Book by Jim Kurose
MAC ADDRESS TO IPv6 CONVERSION
SUMMARY
IPv4 alone is not sufficient for providing global connectivity
– Combining IPv4 with NAT solves the problem
IPv4 header checksum is recalculated by each router since TTL changes
TTL is decremented as a packet traverses a router
– A packet is discarded when TTL is 0
Source IP address could be spoofed
SUMMARY
IPv6 uses 16-byte addressing scheme
IPv6 made some simplifications
– Fixed length basic header
– Fragmentation only by traffic source
– No header checksum
Flow label is a new field in IPv6 header, which is quite useful
IPv6 is being deployed
Questions?
Thanks for your attention!
ACKNOWLEDGEMENT
Some slides are provided by Muhammad Rizwan Asghar. Thanks to him!