IPv6 basics

Authors: Lauri Sormunen, Timo Hämäläinen and Mikhail Zolotukhin

Introduction

What are IPv4 and IPv6?

  • Internet Protocol version 4 or 6
  • Layer 3 (network layer) protocols
  • Responsible only for routing packets to intended destination - and nothing else!
  • IPv4 and IPv6 are entirely separate protocols and do not interact

Address space of IPv4

IPv4 addresses: an identifier consisting of 32 bits, or 4 bytes

  • Usually presented as a tuple of decimal numbers, separated by dots
  • e.g. address 130.234.4.30 in different formats
    Format        Byte 1     Byte 2     Byte 3     Byte 4
    Decimal       130        234        4          30
    Binary        10000010   11101010   00000100   00011110
    Hexadecimal   82         ea         04         1e

Address space of IPv6

IPv6 addresses: an identifier consisting of 128 bits, or 16 bytes

  • Usually presented as a tuple of hexadecimal numbers, separated by colons
  • e.g. address 2001:123:4567:89ab:cdef:0:82ea:041e in different formats
    Block   Hexadecimal   Decimal                     Binary (16 bits)
    1       2001          8193                        00100000 00000001
    2       123           291                         00000001 00100011
    3       4567          17767                       01000101 01100111
    4       89ab          35243                       10001001 10101011
    5       cdef          52719                       11001101 11101111
    6       0             0                           00000000 00000000
    7       82ea          33514 = 130 * 2^8 + 234     10000010 11101010
    8       41e           1054 = 4 * 2^8 + 30         00000100 00011110

    The last four bytes are the IPv4 address 130.234.4.30 from the previous slide, which is why blocks 7 and 8 are written out as 130 * 2^8 + 234 and 4 * 2^8 + 30.


IPv6 address representation

  • 8 blocks of 2 bytes

  • Leading zeroes of each block are omitted

  • One run of consecutive zero blocks can be replaced with "::" (only once per address, otherwise the address would be ambiguous)

  • For example:

    • 2001:0:0:0:aaaa:bbbb:cccc:dddd is shortened to 2001::aaaa:bbbb:cccc:dddd

    • 2001:0:0:0:aaaa:0:0:dddd can be shortened to either 2001::aaaa:0:0:dddd or 2001:0:0:0:aaaa::dddd.

  • First 64 bits represent the network ID, last 64 bits a host ID.
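As an added example (not from the slides), a small Python implementation of these representation rules: expand_ipv6 undoes the shortening, compress_ipv6 produces the shortest form (longest zero run wins, the first one on a tie, a lone zero block is left as "0", as RFC 5952 prescribes), and split_network_host applies the 64/64 split. The function names are my own.

```python
import re

def expand_ipv6(text):
    """Expand an IPv6 address string into a list of eight 16-bit block values,
    undoing the slide's shortening rules (omitted leading zeroes, one '::').
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in text:
        head, tail = text.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = text.split(":")
    if len(blocks) != 8:
        raise ValueError("expected 8 blocks, got %d" % len(blocks))
    if not all(re.fullmatch(r"[0-9a-fA-F]{1,4}", b) for b in blocks):
        raise ValueError("each block must be 1 to 4 hex digits")
    return [int(b, 16) for b in blocks]

def compress_ipv6(values):
    """Shortest text form: drop leading zeroes in every block, then replace the
    longest run of two or more zero blocks (the first on a tie) with '::'.
    A lone zero block stays as '0'; this is the RFC 5952 canonical form.
    """
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if values[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and values[j] == 0:   # measure this run of zero blocks
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexes = ["%x" % v for v in values]    # '%x' drops leading zeroes
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])

def split_network_host(values):
    """Return (network ID, host ID) as 16-digit hex strings: first and last 64 bits."""
    return "".join("%04x" % v for v in values[:4]), "".join("%04x" % v for v in values[4:])
```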


A few notable address types

    Prefix      Use                             Explanation
    2000::/3    Global Unicast                  Global Unicast addresses. The most common address type.
    ff00::/8    Multicast                       Multicast group addresses
    fe80::/10   Link-Local                      Addresses only used on a single link or Ethernet LAN / WLAN
    fc00::/7    Unique Local Addresses (ULAs)   Private network addresses, which are not routed in the WAN. Used in the exercises!

See IPv6 reference card for more details.


How large is IPv6 Internet?

  • Theoretical number of IPv4 addresses: \(2^{32} = 4\,294\,967\,296\)

  • Theoretical number of IPv6 addresses: \(2^{128} \approx 3.4 \cdot 10^{38}\)

    => IPv6 Internet could contain 79 228 162 514 264 337 593 543 950 336 IPv4 Internets!

  • Practically, some addresses are reserved for different uses, e.g. broadcast, multicast, NATed LAN/Link-Local

  • Additionally, netmask length is almost always 64 bits in IPv6 Internet. Therefore the first 64 bits identify the network and last 64 bits the device in the network.

    => There are \(2^{64}\) addresses available for devices in a single LAN!


Why IPv6?

  • Global depletion of IPv4 addresses
    • NAT "solved" this in the 90s
    • Finnish ISPs have not depleted their allocations of IPv4 addresses
  • Restores end-to-end principle of the Internet (broken by NAT)
  • Better support for mobility (Mobile IP)
  • "Mandatory" IPsec (was changed from "must implement" to "should" in RFC6434)
  • Simpler header structure: always 40 bytes + extension headers
    • Includes unused flow label of 20 bits

However:

  • NAT has (so far) extended lifetime of IPv4
  • End-to-end availability not required because of compatibility of client-server model with NAT
    • i.e. servers have public availability, clients do not
  • Mobile IP was also implemented to IPv4 with subtle differences
    • ...and mobile IP has almost no demand
  • Security is not better since it is not required to be implemented
  • No "killer apps" for IPv6 Internet

Differences to IPv4

  • Many Layer 3 protocols have IPv6 versions of them, e.g. ICMPv6
  • Server applications often have to be explicitly configured to accept IPv6 connections
  • No broadcast addresses - instead multicast support is "better"
    • In a LAN, ff02::1 is the Link-Local all-nodes multicast address
  • No ARP, instead Neighbor Discovery Protocol (NDP)
    • Clients send Neighbor Solicitations
    • Routers answer with Neighbor Advertisements

  • IP addresses are acquired using either DHCPv6 or Stateless Address Autoconfiguration (SLAAC)
    • Overview of SLAAC: Clients joining network send Link-Local Multicast ICMPv6 messages to discover routers and other devices
      • Clients send Router Solicitations
      • Routers send Router Advertisements
    • In the exercises, we enable DHCPv6 to make sure each device notices that it is in an IPv6-enabled network
  • Duplicate Address Detection (DAD) is used to check whether the same host ID (last 64 bits) is already in use in the network

Security considerations

  • Restoration of end-to-end Internet => Every device reachable by any device
  • Security of e.g. IoT devices is not convincing
    • DDoS attacks by smurf attacks or using compromised devices
  • The IPv6 header structure is simpler, but allows the use of IPv6 extension headers, which enable DoS attacks.
  • Most modern routers implement dual stack - but not all. If IPv6 is available, it is often preferred.
  • IPv6 may be enabled without the user's knowledge, which offers alternative attack channels bypassing NAT and IPv4 firewalls.
  • Some routers and IDSs are not equipped to handle IPv6 firewalling properly

Effectivity of attacks

  • Scanning for hosts takes forever!

    • E.g. nmap in an IPv4 /24 LAN takes a few seconds (254 hosts)
    • nmap in IPv6 /64 LAN takes ~58 000 years with 10 million pings per second (\(2^{64}\) hosts)
    • Using Link-Local multicast messages, hosts can still be identified from inside the LAN
    • DNS servers (internal and external) must be protected, since they can be used to find alive hosts
  • DoS attacks in LAN:

    • Answer every DAD ("Is anyone using this address...?" - "YES!")
    • RA/NA flooding (increase neighbor database size)
    • Spoof being a router or announce a router to have a lifetime of zero
  • IPv6 protocols support multiple routers in a network

    => Anyone can become a router => MitM or DoS

Security solutions

  • Set up firewalls! Upgrade router software/hardware to support IPv6.
  • Disable IPv6 on routers entirely if enough public IPv4 addresses are usable
  • Do not assign IPv6 address host IDs in numerical order. Use other methods, e.g. host IDs calculated from MAC or cryptographically generated host IDs.
  • "NAT is not a firewall", i.e. the lack of NAT does not make IPv6 less safe
    • Though NAT obscures the view of the network from the outside world, NAT should not be trusted as a protective measure
    • Older implementations of NAT may even route unexpected packets to random hosts
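As an added example (not from the slides), two of the host ID choices mentioned above implemented in Python: a modified EUI-64 host ID calculated from the MAC (RFC 4291), and a hash-based host ID that is stable per network but not guessable without a secret (a simplification of RFC 7217, not its exact algorithm), plus a purely random temporary one (the RFC 4941 idea). The /64 prefix fd00:0:0:1::/64, the interface name and the secret are constructed values; the function names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed ULA /64 prefix for the examples (fd00:0:0:1::/64, the kind used in exercises).
EXAMPLE_PREFIX = bytes.fromhex("fd00000000000001")

def eui64_host_id(mac):
    """Modified EUI-64 host ID from a 48-bit MAC (RFC 4291, Appendix A): split the
    MAC in the middle, insert ff:fe, and flip the universal/local bit (0x02 of the
    first byte). Easy to compute, but it embeds the hardware address in every
    packet, so it is a weak choice for privacy."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    host_id = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    host_id[0] ^= 0x02
    return bytes(host_id)

def stable_opaque_host_id(prefix, iface, secret, dad_counter=0):
    """Keyed-hash host ID in the spirit of RFC 7217 (simplified): stable for a given
    secret, interface and prefix, unpredictable without the secret, and different on
    every network. dad_counter is bumped when DAD reports the address already in use."""
    msg = prefix + iface.encode() + dad_counter.to_bytes(2, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]

def temporary_host_id():
    """Random 64-bit host ID, the idea behind RFC 4941 privacy addresses."""
    return secrets.token_bytes(8)

def address_from(prefix, host_id):
    """Join a 64-bit prefix and 64-bit host ID into text form (no '::' compression)."""
    raw = prefix + host_id
    if len(raw) != 16:
        raise ValueError("prefix and host ID must be 8 bytes each")
    return ":".join("%x" % int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2))

if __name__ == "__main__":
    secret = secrets.token_bytes(16)   # in practice stored persistently on the host
    print("EUI-64:   ", address_from(EXAMPLE_PREFIX, eui64_host_id("00:1a:2b:3c:4d:5e")))
    print("stable:   ", address_from(EXAMPLE_PREFIX, stable_opaque_host_id(EXAMPLE_PREFIX, "eth0", secret)))
    print("temporary:", address_from(EXAMPLE_PREFIX, temporary_host_id()))
```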

When will the transition from IPv4 to IPv6 happen?

  • It is happening! More and more devices globally join the IPv6 network.
  • Accesses to Google over IPv6
  • Notable factors:
    • Customers' demands from ISPs
    • New applications
    • IoT
