Dan Qutaishat

View Original

A Look Into IPv6 & IPSEC

Work belongs to Dan Qutaishat, this work can be referenced by using any of the established referencing methods such as Harvard.

1.   IPV6 and IPsec overview

An IP address works by having two portions: a network and a local portion. Once a portion of the address space is allocated to an administrative domain, all addresses in that range are unavailable for allocation in other locations. After IPv4 was introduced, though it had 4,000,000,000 possible addresses, it quickly became insufficient. The rise of TCP/IP usage outside of PC connections increased demand for IP addresses, thus leading to IP address exhaustion. Several different plans were erected to try and combat this issue, such as Classless Inter-Domain Routing and Dynamic Host Configuration Protocol. However, even with CIDR, the routing tables in IP backbone routers grew too large to be manageable. As a result, IETF established IPng, which later developed the spec for IPv6, which was outlined in RFC-2460. (Racherla, S. & Daniel, J. (2012))

 

1.1   IPv6

 

-       Uses 128-bit addresses allowing for 3.4 x 1038 unique IP addresses. (Bajrami, V. (2019))

-       Contains a larger address space.

-       Has unique hierarchical addressing.

-       Supports autoconfiguration of network interfaces and encapsulation of itself with other protocols.

-       Has built-in authentication/encryptions.

-       Boasts compatibility methods that coexist with IPv4.

 

1.2  IPv6 header

 

When the header format is looked at, the length of the header increases to 40-bytes which has two 16-byte addresses preceded by 8-bytes of control information, which is highly different to IPv4 headers because IPv6 reduces the control information and the option data, which optimises the processing time per packet in the router. IPv6 headers can also add more information by adding extension headers; these come after the basic header field and are part of the payload length. Each extension header has an 8-bit following header field, which allows IPv6 to be able to connect multiple extension headers. (Racherla, S. & Daniel, J. (2012))

Figure 1, IPv6 Extension Headers ((Racherla, S. & Daniel, J. (2012))

1.3  IPsec

 

The issue with IP packets is a lack of assurance of data integrity and confidentiality, which is why IPsec is essential. IPsec has many vital aims to help secure the system; it enables connectionless data integrity as it makes it, so it is not possible to modify an IP datagram through transit and provide IP protection. It also ensures confidentiality as it makes it so that it is not possible to eavesdrop on IP datagram contents. Finally, it has a security policy which means that intermediate nodes & receivers drop IP packets that do not meet the security requirements. (Schafer, G. (n.a.))

1.4 IPsec Standardization Overview

 

Schafer, G. (n.a.) also notes that the IPsec standardization model is an essential basis to recognise due to it identifying the basic architecture of IPsec under RFC-2401, this contains:

-       The concepts e.g., security association and policy.

-       Fundamental IPsec protocols e.g., Authentication Header.

-       Protocol modes e.g., transport and tunnel modes.

-       Various cryptographic primitives e.g., DES-CBD encryption.

-       Key management procedures e.g., ISAKMP.

Figure 2, IPsec Standardized Security Architecture Model (Schafer, G. (n.a.))

2.   Comparison with IPv4

 

IPv4 remains the most widely deployed internet layer protocol; it uses 32-bit addresses and permits 4,294,967,296 unique addresses. However, though it is the most common type, it has its limitations, and there is a gradual shift in the world towards IPv6.It is important to note that both protocols are internet-layer for packet-switched internetworking and provide end-to-end datagram transmissions across IP addresses. (Abu Ali, A. (2012))

 

The shift from IPv4 is due to the growth of internet users and internet-dependent technology such as always-on ADSL modems and cable modems- this led to the introduction of CIDR addressing. (Nakajima, M. & Kobayashi, N. (2003)).

 

2.1 Key features of IPv6 compared to IPv4

 

1)    Larger address space, increased from 32-bits to 128-bits meaning the number of potential unique addresses increased from 4,294,967,296 to 340 trillion trillion IP addresses. The benefits of this are:

a)     Enhanced application functionality due to simplified direct peer-to-peer applications via providing a unique address to each device.

b)    End-to-end transparency because increased available addresses reduce the need of address translation technologies.

c)     Header-format-simplification some IPv4 headers were made-optional to reduce common-case processing cost of packet-handling thus keeps the bandwidth cost of the IPv6 header as low-as-possible. Though IPv6 is 4x longer than IPv4 addresses the header is only 2x the size.

d)    Hierarchical Addressing provides address summarization and aggregation which simplify routing and enable routing-table growth.

e)     Auto-Configuration where users using IPv4-addresses use DHCP server to establish an address each time they log-onto a network – this assignment process is stateful, IPv6 supports a revised DHCPv6 protocol that supports stateful-auto-configuration that does not require DHCP server to obtain addresses. This creates a “plug-and-play” environment which simplifies address-management which allows admins to re-number network addresses without needing-to-access all clients. (Jivika, G. et. al (1982))

Figure 3, Auto Configuration (Jivika, G. et. al ((1982))

2.2 Summary of Key IPv6 Benefits

 

The main benefits are scalability of multicast routing, built-in-security, quality-of-service, improved options support and authentication and privacy capabilities. (Jivika, G. et. al (1982))

3.   IPv6 and IPSEC Security Features

 

IPsec is predominately used to establish private virtual networks for connecting users and remote offices to the business via the internet. The move towards IPv6 is significant as it made NAT unnecessary and increased the use of IPsec in end-to-end communications. In addition, using IPsec enables data transported via a network not to need to be observed or modified or spoofed.

 

IPsec in IPv6 implements the authentication header, which provides integrity of the source via signature-based algorithms. Thus, it protects against replayed packets. An encapsulating security payload is also used, which encrypts and encapsulates the content between the header and trailer fields.

 

IPsec is mandatory in all implemented protocols in IPv6; for IPsec to be used at the best of its ability, there are key-management-frameworks necessary to ensure that end-to-end security is possible; these are the ISAKMP and IKE frameworks. However, due to these being independent of IPv6, public key infrastructures are necessary to ensure mass-scale usage. The PKIs operate as authoritative sources for keys certified by the hosts and internet services. At times, the DNS – present-day implementations of this are static key allocations and often do a manual exchange of keys. Alternatively, cryptographically generated addresses can provide an intermediate level of security between public-key authentication and routing-based methods. (Radwan, A. (2005)).

 

3.1 Does IPsec Improve Security?

 

IPsec allows sender authentication and communication encryption to improve security. IPsec is not used for P2P communications. Thus, IPv6 is used. Currently, SSL/TLS is the main method of authenticating and encrypting due to two main reasons:

1.     Processing completed on the application layer without user configuration.

2.     Easily controlled by the firewall.

 

IPsec, though versatile, can support communication with any destination via security policy/ security settings of the terminal – but the configuration is complicated as it has to be specific to the communication path; this means that IPsec is hard to use if the user has layman knowledge. On the other hand, SSL/TLS can be used regardless of the environment once authentication-related information is configured.

Another problem with IPsec is that the though the firewalls can be programmed to allow IPsec communications with the hosts, it is not realistic, so any packets can pass through even if they are compromised, making it hard to automate security control. (Radwan, A. (2005)).

Additionally, IPv6 is relatively new in growth. Though IPsec might not be used all the time, there is a solution to secure an IPv6 network: implementing IP independent security policies and using BCPs and their features (RIPE NNC (2021)).

Figure 4, Pie Charts Depicting The Extent Of IPv6 Vulnerabilities (RIPE NNC (2021))

3.2 Main Limitations of IPsec Security

 

1.     Lack of traffic analysis for authentication header and encapsulating security payload.

2.     No non-repudiation for authentication header and encapsulating security payload with algorithms e.g., CBC.

3.     Looks into replay attack protection.

4.     Hard to protect against all denial of services attacks.

 

4.   Security Associations

 

Before IPsec protects a packet, an SA is established between two cryptographic endpoints to provide protection. They can be established either manually or dynamically. Manually is through proprietary methods of systems management (mainly used in restricted configurations whereas dynamically refers to standardized authentication and key management protocols

IPsec has a standardized method for SA establishment, which is achieved in two methods:

 

1.     Internet Security Association and Key Management Protocol (ISAKMP): this defines protocol formats and procedures in regard to negotiating security.

2.     Internet Key Exchange (IKE): describes IPsec standard authentication and a key exchange protocol. (Schafer, G. (n.a.))

It is important to note that a security association can be identified through 3 parameters: Security Parameter Index, IP Destination Address and Security Protocol Identifier. (Heidari, M. (n.a.))

 

4.1 ISKAMP

 

ISKAMP has two adopted RFCs from IETF which are RFC 2408 which defines the base protocol and RFC 2407 which contains IPsec’s domain of interpretation and further detailed message formats. The use of ISKAMP’s base protocol is that it acts as a general protocol which has a variety of uses e.g., specifies procedures for one application in detailed DOI document and Group DOI and MAP DOI. There are two fundamental categories of exchanges:

1.     Phase 1 exchanges, negotiate Master SA.

2.     Phase 2 exchanges, use Master SA to establish other SAs.

 

There are various payloads for RFC 2408:

1.     Generic payloads: signature, hash, vendor ID, nonce, key exchange.

2.     Specific payloads: certificate request, certificate, SA, identification.

 

 There are two payloads which are dependent and encapsulated payloads which are proposal payload which describes SA negotiation proposal or transform payload which illustrates one proposal transformation. There is mainly one generic attribute payload which is not an ISAKMP payload but also appeared inside ISAKMP’s payloads – all attribute payloads have a common structure: Schafer, G. (n.a.),

Figure 5, ISKAMP attribute payload common structure

There are three payloads:

1.     Security association payload, the DOI defines application domain for SA to be negotiated under emergency field.

2.     Proposal payload expresses policy and negotiates proposals based on logical or priority. The use of priority ID of current negotiation e.g., AH and SPI size.

3.     Transform payload, specifies security mechanism for communications channel via unique transform # with different transform IDs e.g., SHA.

 

The SA establishment negotiates security mechanisms and associations for security protocols, that means there is combined protection suite for many protocols under same proposal number in order to run concurrently the results – there are different transformation IDs.

 

The responder sends a Security Association payload sends multiple proposal payloads to associated transform payloads. Each of the proposed payload has a single transform-payload with protocol; this inserts proposal # fields and transform # fields in selected proposal. There has to be retention of proposals to increase initiator’s protocol in speed and values enable initiator to be quicker – the initiator must verify the SA payload received from responders’ proposals.

 

There are four different keys with an authentication exchange:

1.     SKEYID served as a master key for active players in exchange via authentication method.

2.     SKEYID_e is the code used by the code to protect confidentiality of its messages.

3.     SKEYID_a is the code used to authenticate its messages.

4.     SKEYID_d is the code used to derive keys from non-ISAKMP security associations.

 

4.2 IKE

 

The internet key exchange specifies standardized protocols to negotiate IPsec SAs; there are five main exchanges:

1.     Phase 1 exchanges for establishment of IKE SA: there are more than one code such as main code and aggressive code; the main mode exchange as there are six exchanged messages used but also aggressive mode needs three message exchange.

2.     Phase 2 exchange for IPsec SAs; this means quick mode used for three messages.

3.     Other exchanges such as informational exchanges e.g., search for errors or new group exchanges to accept private Diffie-Hellman groups.

 

There are many computation IKE session keys as there are four different types for authentication exchange:

1.     SKEYID is master key exchange in active players.

2.     SKEYID_d derive keys for non-IKE SAs denoting shared Diffie-Hellman secret.

3.     SKEYID_a keying by IKE SA to authenticate messages.

4.     SKEYID_e keyring by IKE SA to protect messages’ confidentiality.

 

IKE contains several methods such as: authentication, main mode exchange with pre-shared key, exchange with signatures, exchange with public key encryption and aggressive mode exchange with pre-shared key and quick mode exchange.

Figure 6, Aggressive Mode Exchange model

For instance, aggressive mode exchange with pre-shared key means that the identities of the initiator or responder have to be made before a session key is established, provides minimal identity protection. The similar aggressive mode variants for authentication such as digital signature as well as public key encryption. (Schafer, G. (n.a.))

4.3 IPsec Issues

 

There are several complications with IPsec and some details, there are mainly two purposes, such as compression and interoperability problems in security:

1.     Compression: the encryption used so the resulting IP packets could not be compressed in the link layer e.g., IP payload compression protocol was defined (PCP). Additionally, the PCP is used with IPsec, so the IPsec increases policy definition to improve the PCP and the IKE SA negotiation allows in PCP proposals.

2.     Interoperability problems of end-to-end security with header processes in intermediate nodes: there are two issues such as interoperability of firewalls where they inspect upper layers protocol headers in IP packets or the use with network address translation (NAT) which is the encrypted packets were not used and authenticated packets would be discarded, or destination changed. (Schafer, G. (n.a.))

 

5.   IPsec Transport and Tunnel Modes

 

Alshamrani, H. (2014) believes that modern-day, there are three types of IPsec modes such as the transport, the tunnel and the nested. There are three main types:

1.     Transport model: ensures the protection of the payload of the packet mainly; its implemented directly between remote systems that support IP security.

2.     Tunnel mode: protects the complete packet and is implemented between intermediate systems for encapsulating vulnerable IP datagram.

3.     Nested model: combination of two or more tunnel modes; router can use only tunnel mode.

5.1 Transport Mode

 

IP security adds a new header in the IP datagram between the payload and the original header whilst in ESP data is encrypted and a new datagram trailer is added.

This means that there are four main functionalities:

1.     Security Associations.

2.     Authentication.

3.     Encryption.

4.     Key management

Figure 7, IPv6 Security Datagram – Transport Mode (Alshamrani, H. (2014))

In this mode, IP addresses in the outer header which aids in determining which policy should be administered for the packet, this policy is best for existing gateways when IPsec is applied on behalf of another host. Though the ESP encrypts data, the IP header information is still visible. The main advantages of using tunnel mode is that provides end-to-end security and has a lower overhead than tunnel mode while having a larger MTU. However, it requires IPsec to implement IPS entities and struggles with NAT transversal. (Alshamrani, H. (2014))

  

5.2 Tunnel Mode

 

Has several layers similar to the transport mode. The authentication header is significant as it authenticates all the inner packets and selected areas of the outer IP header and outer IPv6 extension header and its ESP encrypts inner IP packets.

Figure 8, IPv6 Security Datagram – Tunnel Mode (Alshamrani, H. (2014))

In the use of a mode for business or for user security, this mode would be more secure due to it creating a secure connection between the two-endpoints by encapsulating packets in an additional IP header and it encrypts the entire packet – thus more secure than transport mode. (Perimeter 81. (n.a.))

6.   References

 

Abu Ali, A. (2012). “Comparison Study Between IPv4 & IPv6”. Philadelphia University. IJCSI International Journal of Computer Science issues, Vol.9, Issue 3, No 1. https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.402.3655&rep=rep1&type=pdf. pages 314-317. (Viewed on 22nd, March 2022)

 

Alshamrani, H. (2014). “Internet Protocol Security (IPsec) Mechanisms”. International Journal of Scientific & Engineering Research, Volume 5, Issue 1. https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.679.7620&rep=rep1&type=pdf#:~:text=IPSec%20supports%20two%20security%20services,encryption%20modes%3A%20Transport%20and%20Tunnel. (Viewed on 26th, March 2022)

 

Bajrami, V. (2019) “What you need to know about IPv6. RedHat. https://www.redhat.com/sysadmin/what-you-need-know-about-ipv6#:~:text=IPv6%20uses%20128%2Dbit%20(2,%3D%20128)%20bits%20in%20total. (Viewed on 21st, March 2022)

 

Heidari, M. (n.a.). “IPv6 Security Considerations”. Infosecwriters. http://www.infosecwriters.com/text_resources/pdf/ipv6.pdf. (Viewed on 24th, March 2022)

 

Jivika, G. et. al (1982). “An examination of IPv4 and IPv6 networks: Constraints and various transition mechanisms”. IEEE. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4494282 . (Viewed on 23rd, March 2022)

 

Nakajima, M. & Kobayashi, N. (2003).” IPv4/IPv6 Translation Technology”. Fujitsu. https://www.fujitsu.com/global/documents/about/resources/publications/fstj/archives/vol40-1/paper21.pdf. pages 159-169. (Viewed on 22nd, March 2022)

 

Perimeter 81. (n.a.) “IPsec Tunnel Mode vs. Transport Mode”. Perimeter 81. https://www.perimeter81.com/glossary/ipsec-tunnel-mode-vs-transport-mode#:~:text=The%20main%20advantage%20of%20IPsec%20tunnel%20mode%20is%20that%20it,entire%20original%20packet%20is%20encrypted. (Viewed on 28th, March 2022)

 

Racherla, S. & Daniel, J. (2012) “IPv6 Introduction and Configuration”. IBM. https://www.redbooks.ibm.com/abstracts/redp4776.html?Open&pdfbookmark . pages 1-22 (Viewed on 20th, March 2022)

 

Radwan, A. (2005). “Using IPsec in IPv6 Security”. Community College of Applied Science and Technology. https://www.academia.edu/2261401/Using_IPSec_in_IPv6_Security. (Viewed on 23rd, March 2022)

 

RIPE NNC, (2021). “IPv6 Security Training Course”. RIPE NNC. https://www.ripe.net/support/training/material/ipv6-security/ipv6security-slides.pdf. (Viewed on 3rd April 2022)

Schafer, G. (n.a.), “Network Security: The IPsec Security Architecture for the Internet Protocol”. Telematik. https://www.tu-ilmenau.de/fileadmin/Bereiche/IA/telematik/Buch_Security_in_Fixed_and_Wireless_Networks/12_IPsec.pdf. (Viewed on 21st, March 2022)