Need computer science help with a background paper on IPv6

qraavfuhore

Computer Science

Description

Review the NIST document Guidelines for the Secure Deployment of IPv6. Find and use at least one other qualified source on IPv6 security.

For this assignment, Tom Pierce from Harry & Mae's has asked that you provide him with a background paper on IPv6. He wants to understand what it's about, how it's different from IPv4, and how it's more secure than its predecessors. Include an explanation of 2-3 risks associated with IPv6 and its deployment.

Save your description to a Microsoft Word document. Your paper should be about 1500 words (±10%) using standard APA formatting, citations, and references.


Unformatted Attachment Preview

Special Publication 800-119
Guidelines for the Secure Deployment of IPv6
Recommendations of the National Institute of Standards and Technology
Sheila Frankel, Richard Graveman, John Pearce, Mark Rooks

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

December 2010

U.S. Department of Commerce, Gary Locke, Secretary
National Institute of Standards and Technology, Dr. Patrick D. Gallagher, Director

GUIDELINES FOR THE SECURE DEPLOYMENT OF IPV6

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-119
Natl. Inst. Stand. Technol. Spec. Publ. 800-119, 188 pages (Dec. 2010)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgments

The authors, Sheila Frankel of the National Institute of Standards and Technology (NIST), Richard Graveman of RFG Security, John Pearce of Booz Allen Hamilton and Mark Rooks of L-1 Identity Solutions (formerly of Booz Allen Hamilton) wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors would like to acknowledge Tim Grance of NIST for his keen and insightful assistance and encouragement throughout the development of the document. The authors particularly want to thank Mark Carson, Doug Montgomery and Stephen Nightingale of NIST and Scott Hogg for their careful review and valuable contributions to improving the quality of this publication. The authors also appreciate the efforts of those individuals, agencies, and other organizations that contributed input during the public comment period, including John Baird, DREN; Alistair de B Clarkson, nCipher; Vint Cerf, Google; John Curran, ARIN; Terry Davis, Boeing; Francois Donze and Michael Scott Pontillo, HP; Jeffrey Dunn, Chern Liou, and Jeffrey Finke, Mitre; Fernando Gont, the UK Centre for the Protection of National Infrastructure (UK CPNI); Bob Grillo, US Army; Cecilia Hall, Don Radeke and Joseph Bertrand, USMC; J. Holland, David Leach, Sam Nguyen, M. Roed, Beth Scruggs, D. Wellington and Joe Williams, Aerospace Corp.; Ed Jankiewicz, SRI International; Ralph Kenyon, Caida; Lovell King II, Dept. of State; Joe Klein, IPv6 Security Researcher; Dan Luu, VA; Trung Nguyen, FAA; Carroll Perkins, Serco-NA; and Martin Radford, University of Bristol.
Table of Contents

Executive Summary
1. Introduction
  1.1 Authority
  1.2 Purpose and Scope
  1.3 Audience
  1.4 Document Structure
2. Introduction to IPv6
  2.1 Early History of IPv6
  2.2 Limitations of IPv4
  2.3 Major Features of the IPv6 Specification
    2.3.1 Extended Address Space
    2.3.2 Autoconfiguration
    2.3.3 Header Structure
    2.3.4 Extension Headers
    2.3.5 Mandatory Internet Protocol Security (IPsec) Support
    2.3.6 Mobility
    2.3.7 Quality of Service (QoS)
    2.3.8 Route Aggregation
    2.3.9 Efficient Transmission
  2.4 IPv4 and IPv6 Threat Comparison
  2.5 Motivations for Deploying IPv6
3. IPv6 Overview
  3.1 IPv6 Addressing
    3.1.1 Shorthand for Writing IPv6 Addresses
    3.1.2 IPv6 Address Space Usage
    3.1.3 IPv6 Address Types
    3.1.4 IPv6 Address Scope
    3.1.5 IPv4 Addressing
    3.1.6 IPv4 Classless Inter-Domain Routing (CIDR) Addressing
    3.1.7 Comparing IPv6 and IPv4 Addressing
  3.2 IPv6 Address Allocations
    3.2.1 IPv6 Address Assignments
    3.2.2 Obtaining Globally Routable IPv6 Address Space
  3.3 IPv6 Header Types, Formats, and Fields
  3.4 IPv6 Extension Headers
  3.5 Internet Control Message Protocol for IPv6 (ICMPv6)
    3.5.1 ICMPv6 Specification Overview
    3.5.2 Differences between IPv6 and IPv4 ICMP
    3.5.3 Neighbor Discovery
    3.5.4 Autoconfiguration
    3.5.5 Path Maximum Transmission Unit (PMTU) Discovery
    3.5.6 Security Ramifications
  3.6 IPv6 and Routing
    3.6.1 Specification Overview
    3.6.2 Security for Routing Protocols
    3.6.3 Unknown Aspects
  3.7 IPv6 and the Domain Name System (DNS)
    3.7.1 DNS Transport Protocol
    3.7.2 DNS Specification Overview
    3.7.3 Security Impact and Recommendations
4. IPv6 Advanced Topics
  4.1 Multihoming
    4.1.1 Differences between IPv4 and IPv6 Multihoming
    4.1.2 Site Multihoming by IPv6 Intermediation (SHIM6) Specification Overview
    4.1.3 Security Ramifications for Multihoming
  4.2 IPv6 Multicast
    4.2.1 IPv6 Multicast Specifications
    4.2.2 Differences between IPv4 and IPv6 Multicast
    4.2.3 Multicast Security Ramifications
    4.2.4 Unresolved Aspects of IPv6 Multicast
  4.3 IPv6 Quality of Service (QoS)
    4.3.1 IPv6 QoS Specifications
    4.3.2 Differences between IPv4 and IPv6 QoS
    4.3.3 Security Ramifications
    4.3.4 Unresolved Aspects of IPv6 QoS
  4.4 Mobile IPv6 (MIPv6)
    4.4.1 MIPv6 Specification Overview
    4.4.2 Differences from IPv4 Standards
    4.4.3 Security Ramifications
    4.4.4 Unknown Aspects
  4.5 Jumbograms
    4.5.1 Specification Overview
    4.5.2 Security Ramifications
  4.6 Address Selection
    4.6.1 Specification Overview
    4.6.2 Differences from IPv4 Standards
    4.6.3 Security Ramifications
    4.6.4 Unknown Aspects
  4.7 Dynamic Host Configuration Protocol (DHCP) for IPv6
    4.7.1 Specification Overview
    4.7.2 Differences from IPv4 Standards
    4.7.3 Security Ramifications
    4.7.4 Unknown Aspects
  4.8 IPv6 Prefix Renumbering
    4.8.1 Specification Overview
    4.8.2 Differences from IPv4 Standards
    4.8.3 Security Ramifications
    4.8.4 Unknown Aspects
5. IPv6 Security Advanced Topics
  5.1 Privacy Addresses
  5.2 Cryptographically Generated Addresses
  5.3 IPsec in IPv6
    5.3.1 Specification Overview
    5.3.2 Differences from IPv4 Standards
    5.3.3 Support for Multicast
    5.3.4 Status of IPsec and On-Going Work
    5.3.5 Security Ramifications
    5.3.6 Unknown Aspects
  5.4 Secure Stateless Address Autoconfiguration and Neighbor Discovery
    5.4.1 Using IPsec to Secure Autoconfiguration and ND
    5.4.2 Using SEND to Secure Autoconfiguration and ND
    5.4.3 Current Status and Unknown Aspects
6. IPv6 Deployment
  6.1 Security Risks
    6.1.1 Attacker Community
    6.1.2 Unauthorized IPv6 Clients
    6.1.3 Vulnerabilities in IPv6
    6.1.4 Dual Operations
    6.1.5 Perceived Risk
    6.1.6 Vendor Support
  6.2 Addressing Security
    6.2.1 Numbering Plan
    6.2.2 Hierarchical Addressing to Support Security Segmentation
    6.2.3 Problems with EUI-64 Addresses
    6.2.4 Address Management
    6.2.5 Privacy Extensions
  6.3 Transition Mechanisms
  6.4 Dual Stack IPv4/IPv6 Environments
    6.4.1 Deployment of a Dual Stack Environment
    6.4.2 Addressing in a Dual Stack Environment
    6.4.3 Security Implications of a Dual Stack Environment
  6.5 Tunneling
    6.5.1 General Security Considerations for Tunneling
    6.5.2 Configured Tunneling
    6.5.3 Automatic Tunneling
    6.5.4 6over4 Protocol
    6.5.5 6to4 and 6rd Protocols
    6.5.6 Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
    6.5.7 Teredo Protocol
    6.5.8 Tunnel Brokers
    6.5.9 Automatic Tunneling of IPv4 over IPv6 (Dual Stack Transition Mechanism [DSTM])
    6.5.10 Carrier-Grade NAT and Dual-Stack Lite
  6.6 Translation
    6.6.1 SIIT
    6.6.2 NAT-PT
    6.6.3 Replacing NAT-PT
    6.6.4 TRT
    6.6.5 Application Layer Translation
  6.7 Other Transition Mechanisms
  6.8 The IPv6 Deployment Planning Process for Security
  6.9 IPv6 Deployment
    6.9.1 Initiation Phase
    6.9.2 Acquisition / Development Phase
    6.9.3 Implementation Phase
    6.9.4 Operations / Maintenance Phase
    6.9.5 Disposition Phase
  6.10 Summary

List of Appendices
  Appendix A: Acronyms and Abbreviations
  Appendix B: References and Other IPv6 Resources

List of Figures
  Figure 2-1. The IPv6 Packet Header Format (Field Sizes in Bits)
  Figure 3-1. IPv6 Address Format
  Figure 3-2. 32-Bit Network Prefix
  Figure 3-3. 48-Bit Network Prefix
  Figure 3-4. 64-Bit Network Prefix
  Figure 3-5. A Comparison of IPv4 and IPv6 Addressing
  Figure 3-6. The IPv6 Packet Header Format (Field Sizes in Bits) (RFC 2460)
  Figure 3-7. Example IPv6 Packet Header
  Figure 3-8. Next Header Fields in IPv6 and Extension Headers
  Figure 3-9. IPv6 Extension Header Chaining
  Figure 3-10. ICMPv6 Message Format
  Figure 3-11. Example of Neighbor Discovery
  Figure 3-12. Example of Stateless Address Autoconfiguration (SLAAC)
  Figure 3-13. Significance of MTU under IPv6
  Figure 4-1. SHIM6 Protocol Stack
  Figure 4-2. The Main MIPv6 Components
  Figure 4-3. IKEv1 Identifiers used between a MN and its HA
  Figure 4-4. IKEv2 identifiers used between a MN and its HA
  Figure 4-5. Return Routability—Init Messages
  Figure 4-6. Return Routability—Keygen Replies
  Figure 4-7. Reverse Routability—BU and BUA Protected with Kbm
  Figure 5-1. Example of IPv6 Privacy Addressing
  Figure 5-2. Generating Cryptographic Addresses from Public-Private Key Pairs
  Figure 5-3. IPsec in the TCP/IP Protocol Stack
  Figure 5-4. Encryption and Authentication Algorithms for the IPsec Protocol
  Figure 5-5. Cryptographic Algorithms for Use in IKEv2
  Figure 6-1. Example of Tunneling IPv6 over IPv4 Networks
  Figure 6-2. IPv6 over IPv4 Tunnels Transparent to the IPv4 Infrastructure
  Figure 6-3. Example - Tunneling IPv6 over IPv4 Networks with ISATAP
  Figure 6-4. Example - Tunneling IPv6 over IPv4 Networks with Teredo
  Figure 6-5. Teredo Address

List of Tables
  Table 3-1. Differences between IPv4 and IPv6
  Table 3-2. IPv6 Address Types
  Table 3-3. Assignment of Leftmost, Centermost, and Rightmost Bits
  Table 3-4. IPv6 Extension Headers and Upper Layer Protocols
  Table 3-5. ICMPv6 Error Messages and Code Type
  Table 3-6. ICMPv6 Informational Messages
  Table 3-7. ICMPv6 Recommended Filtering Actions – Must Not Drop & Should Not Drop
  Table 4-1. IPv6 Scoped Multicast Values (from RFC 4291)

Executive Summary

Due to the exhaustion of IPv4 (Internet Protocol version 4) address space, and the Office of Management and Budget (OMB)[1] mandate that U.S. federal agencies begin to use the IPv6 (Internet Protocol version 6) protocol, NIST undertook the development of a guide to help educate federal agencies about the possible security risks during their initial IPv6 deployment. This document provides guidelines for organizations to aid in securely deploying IPv6. Since the majority of organizations will most likely run both IPv6 and IPv4 on their networks for the foreseeable future, this document speaks about the deployment of IPv6 rather than the transition to IPv6.[2] The deployment of IPv6 can lead to new challenges and types of threats facing an organization. The goals of this document are:

- To educate the reader about IPv6 features and the security impacts of those features
- To provide a comprehensive survey of mechanisms that can be used for the deployment of IPv6
- To provide a suggested deployment strategy for moving to an IPv6 environment

The migration to IPv6 services is inevitable as the IPv4 address space is almost exhausted.
IPv6 is not backwards compatible with IPv4, which means organizations will have to change their network infrastructure and systems to deploy IPv6. Organizations should begin now to understand the risks of deploying IPv6, as well as strategies to mitigate such risks. Detailed planning will enable an organization to navigate the process smoothly and securely.

Federal agencies will most likely face security challenges throughout the deployment process, including:

- An attacker community that most likely has more experience and comfort with IPv6 than an organization in the early stages of deployment
- Difficulty in detecting unknown or unauthorized IPv6 assets on existing IPv4 production networks
- Added complexity while operating IPv4 and IPv6 in parallel
- Lack of IPv6 maturity in security products when compared to IPv4 capabilities
- Proliferation of transition-driven IPv6 (or IPv4) tunnels, which complicate defenses at network boundaries even if properly authorized, and can completely circumvent those defenses if unauthorized (e.g. host-based tunnels initiated by end users)

Organizations planning the deployment of IPv6 should consider the following during the planning process:

- IPv6 is a new protocol that is not backward compatible with IPv4
- In most cases IPv4 will still be a component of IT (Information Technology) infrastructure. As such, even after the deployment of IPv6, organizations will require mechanisms for IPv6 and IPv4 co-existence.
- IPv6 can be deployed just as securely as IPv4, although it should be expected that vulnerabilities within the protocol, as well as with implementation errors, will lead to an initial increase in IPv6-based vulnerabilities. As a successor to IPv4, IPv6 does incorporate many of the lessons learned by the Internet Engineering Task Force (IETF) for IPv4.
- IPv6 has already been deployed and is currently in operation in large networks globally.

To overcome possible obstacles associated with deploying IPv6, organizations should consider the following recommendations:

- Encourage staff to increase their knowledge of IPv6 to a level comparable with their current understanding of IPv4
- Plan a phased IPv6 deployment utilizing appropriate transition mechanisms to support business needs; don't deploy more transition mechanisms than necessary
- Plan for a long transition period with dual IPv4/IPv6 co-existence

Organizations that are not yet deploying IPv6 globally should implement the following recommendations:

- Block all IPv6 traffic, native and tunneled, at the organization's firewall. Both incoming and outgoing traffic should be blocked.
- Disable all IPv6-compatible ports, protocols and services on all software and hardware.
- Begin to acquire familiarity and expertise with IPv6, through laboratory experimentation and/or limited pilot deployments.
- Make organization web servers, located outside of the organizational firewall, accessible via IPv6 connections. This will enable IPv6-only users to access the servers and aid the organization in acquiring familiarity with some aspects of IPv6 deployment.

Organizations that are deploying IPv6 should implement the following recommendations to mitigate IPv6 threats:

- Apply an appropriate mix of different types of IPv6 addressing (privacy addressing, unique local addressing, sparse allocation, etc.) to limit access and knowledge of IPv6-addressed environments.
- Use automated address management tools to avoid manual entry of IPv6 addresses, which is prone to error because of their length.
- Develop a granular ICMPv6 (Internet Control Message Protocol for IPv6) filtering policy for the enterprise. Ensure that ICMPv6 messages that are essential to IPv6 operation are allowed, but others are blocked.[3]
- Use IPsec (Internet Protocol Security) to authenticate and provide confidentiality to assets that can be tied to a scalable trust model (an example is access to Human Resources assets by internal employees that make use of an organization's Public Key Infrastructure (PKI) to establish trust).
- Identify capabilities and weaknesses of network protection devices in an IPv6 environment.
- Enable controls that might not have been used in IPv4 due to a lower threat level during initial deployment (implementing default deny access control policies, implementing routing protocol security, etc.).
- Pay close attention to the security aspects of transition mechanisms such as tunneling protocols.
- Ensure that IPv6 routers, packet filters, firewalls, and tunnel endpoints enforce multicast scope boundaries and make sure that Multicast Listener Discovery (MLD) packets are not inappropriately routable.
- Be aware that switching from an environment in which NAT (Network Address Translation) provides IP (Internet Protocol) addresses to unique global IPv6 addresses could trigger a change in the FISMA (Federal Information Security Management Act) system boundaries.

Footnotes:
[1] OMB Memo M-05-22, Transition Planning for Internet Protocol Version 6 (IPv6), August 2005; OMB Memo, Transition to IPv6, September 2010
[2] Since many of the IPv6-related protocols, tools and mechanisms are typically referred to as transition mechanisms, this document does use the word transition in that context.
[3] NIST SP 500-267, A Profile for IPv6 in the US Government, specifies the capability to perform selective ICMPv6 filtering as a mandatory function. However, currently, that capability is not available in all products.
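The executive summary above names three risks that a deployment team can actually measure on the wire: unknown or unauthorized IPv6 assets on an IPv4 production network, transition-driven tunnels (6to4, Teredo, ISATAP) that bypass boundary defenses, and the choice between MAC-derived EUI-64 and privacy addressing. The following Python script is an added example for this page; it is not code from NIST SP 800-119 or from the assignment. It classifies every IPv6 address seen in a flow log, flags tunnel addresses and recovers the IPv4 endpoint each one embeds, and marks non-link-local addresses whose interface identifier is MAC-derived. The prefix and interface-identifier formats come from RFC 3056 (6to4), RFC 4380 (Teredo), RFC 5214 (ISATAP) and RFC 4291 (modified EUI-64); the log format and all addresses in it are assumptions constructed for the example.

```python
"""Inventory helper for an early IPv6 deployment: classify the IPv6 addresses
seen in a flow log and flag those that need review.

Added example; not code from NIST SP 800-119. Address-format facts used:
  - 6to4:   2002::/16, the IPv4 endpoint sits in bits 16-47 (RFC 3056)
  - Teredo: 2001::/32, server IPv4 in bits 32-63, client IPv4 stored
            bit-inverted in the last 32 bits (RFC 4380)
  - ISATAP: interface identifier 0000:5efe:w.x.y.z or 0200:5efe:w.x.y.z (RFC 5214)
  - Modified EUI-64 IIDs carry 0xff 0xfe in bytes 3-4 of the IID (RFC 4291)
The flow-log format and every address below are constructed for this example.
"""
import ipaddress
import re

ULA = ipaddress.IPv6Network("fc00::/7")          # unique local addresses (RFC 4193)
ADDR_RE = re.compile(r"\b(?:src|dst)=(\S+)")      # assumed log format: key=value pairs


def parse(addr_str):
    """Parse one address, dropping any %zone suffix (e.g. fe80::1%eth0)."""
    return ipaddress.IPv6Address(addr_str.split("%", 1)[0])


def _iid(addr):
    """The interface identifier: the low 64 bits of the address."""
    return int(addr) & ((1 << 64) - 1)


def is_eui64(addr):
    """True if the IID looks MAC-derived: bytes 3-4 of the IID are 0xfffe."""
    return ((_iid(addr) >> 24) & 0xFFFF) == 0xFFFE


def is_isatap(addr):
    """True for ISATAP IIDs; the 0x0200 universal/local bit may be set or clear."""
    top32 = _iid(addr) >> 32
    return (top32 & ~0x02000000) == 0x00005EFE


def classify(addr_str):
    """Label an address by the transition mechanism or scope it belongs to."""
    addr = parse(addr_str)
    if addr.is_multicast:
        return "multicast"
    if addr.is_unspecified or addr.is_loopback:
        return "special"
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped"
    if addr.sixtofour is not None:                # 2002::/16
        return "6to4-tunnel"
    if addr.teredo is not None:                   # 2001::/32
        return "teredo-tunnel"
    if is_isatap(addr):
        return "isatap-tunnel"
    if addr.is_link_local:
        scope = "link-local"
    elif addr in ULA:
        scope = "unique-local"
    else:
        scope = "global"
    iid_kind = "eui64" if is_eui64(addr) else "random-or-static"
    return f"{scope}/{iid_kind}"


def embedded_ipv4(addr_str):
    """The IPv4 endpoint a tunnel address encodes, or None for non-tunnel addresses."""
    addr = parse(addr_str)
    if addr.sixtofour is not None:
        return addr.sixtofour
    if addr.teredo is not None:
        return addr.teredo[1]                     # (server, client): client is the tunneling host
    if is_isatap(addr):
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def audit_flow_log(text):
    """Return (classification of every address, subset flagged for review)."""
    seen = {}
    for line in text.splitlines():
        for raw in ADDR_RE.findall(line):
            seen.setdefault(raw, classify(raw))
    flagged = {}
    for a, cat in seen.items():
        if cat.endswith("-tunnel"):
            flagged[a] = f"{cat} via IPv4 {embedded_ipv4(a)}"
        elif cat.endswith("/eui64") and not cat.startswith("link-local"):
            flagged[a] = f"{cat} (MAC-derived IID exposes the hardware address)"
    return seen, flagged


# Constructed sample log: one EUI-64 host, one privacy-address host, one host
# each behind 6to4, Teredo and ISATAP, and one unique-local address.
SAMPLE_FLOW_LOG = """\
t=1 src=2001:db8:1:2:211:22ff:fe33:4455 dst=2001:db8::10 proto=6
t=2 src=2001:db8:1:2:b4d6:9f2a:7c31:e05d dst=2001:db8::10 proto=6
t=3 src=2002:c000:204::1 dst=2001:db8::10 proto=6
t=4 src=2001:0:c000:201::39cc:9bf8 dst=2001:db8::10 proto=17
t=5 src=fe80::5efe:c000:20a dst=ff02::1 proto=58
t=6 src=fd12:3456:789a::1 dst=2001:db8::10 proto=6
"""

if __name__ == "__main__":
    seen, flagged = audit_flow_log(SAMPLE_FLOW_LOG)
    for a, c in seen.items():
        print(f"{a:40} {c}")
    print("flagged for review:")
    for a, why in flagged.items():
        print(f"  {a:40} {why}")
```

Run against a real export, the flagged set is the list to reconcile with the tunnel and addressing policy: 6to4, Teredo and ISATAP entries on a network where tunnels are not authorized are the "unauthorized IPv6 assets" the summary warns about, and the embedded IPv4 endpoint tells you which host to look at. The EUI-64 check only says the interface identifier has the MAC-derived shape; a host that uses privacy extensions (RFC 4941) shows up as "random-or-static" and cannot be positively identified from the address alone.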
After reviewing this document, the reader should have a reasonable understanding of IPv6 and how it compares to IPv4, as well as the security impacts of IPv6 features and capabilities, and increased knowledge and awareness of the range of IPv4-to-IPv6 transition mechanisms.

1. Introduction

1.1 Authority

The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets; but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), "Securing Agency Information Systems," as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III. This guideline has been prepared for use by Federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, though attribution is desired. Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official.

1.2 Purpose and Scope

The purpose of Guidelines for the Secure Deployment of IPv6 is to provide information security guidance to organizations that are planning to deploy IPv6 technologies or are simply seeking a better understanding of IPv6.
The scope of this document encompasses the IPv6 protocol and related protocol specifications. IPv6-related security considerations are discussed with emphasis on deployment-related security concerns. The document also includes general guidance on secure IPv6 deployment and integration planning.

1.3 Audience

This document is intended primarily for network engineers and administrators who are responsible for planning, building, and operating IP networks, as well as security engineers and administrators who are responsible for providing Information Assurance support. Anyone interested in deploying IPv6 technologies and their security implications may also find the document useful. It includes a discussion of the major features and protocols that constitute IPv6. For each of these, the description consists of an introductory section, a more in-depth description, and three analytical sections: differences between the IPv4 and IPv6 versions, security ramifications, and unknown aspects. Managers or users who are trying to understand IPv6 might want to skip the in-depth descriptions but read the other sections (Introduction, Differences, Security Ramifications, and Unknown Aspects). They should also read Section 1 (Introduction) and Sections 6.8-6.9 (IPv6 Deployment). It is assumed that readers are already familiar with basic IPv4, data networking, and network security concepts.

1.4 Document Structure

The remainder of this document is composed of the following sections and appendices:

• Section 2 provides an introduction to IPv6, including its history, features, and comparisons with IPv4.
• Section 3 discusses in more detail IPv6 addressing, allocation, packet organization, and ICMPv6.
• Section 4 examines some of the more advanced features of IPv6 and their security implications, including multihoming, multicast, QoS (Quality of Service), Mobile IPv6, Jumbograms and address selection.
• Section 5 provides an introduction to some of the advanced security features included in IPv6, including privacy addresses; IPsec; and secure stateless address autoconfiguration and neighbor discovery.
• Section 6 covers the process of securely deploying IPv6 and discusses the risks, addressing security, various transition mechanisms and the deployment process.

Appendix A provides a list of acronyms and abbreviations used in this document. Appendix B lists references and other resources related to IPv6.

2. Introduction to IPv6

Internet Protocol version 6 (IPv6) is a new network layer protocol. It is an enhancement to Internet Protocol version 4 (IPv4), the protocol in use since the 1980s. There are numerous upgrades in IPv6. Most significantly, in comparison with IPv4, IPv6 has increased its network address size from 32 bits to 128. This provides more than enough addresses to satisfy the global demand for unique IP addresses.

This chapter provides an overview of IPv6 as a foundation for later sections. The section starts with the early history of IPv6 and the limitations of IPv4, followed by descriptions of the major features of the IPv6 specifications. This is followed by a threat comparison between IPv4 and IPv6 and concludes with motivations for deploying IPv6.

2.1 Early History of IPv6

IPv4 was developed in the 1970s and early 1980s for use in government and academic communities in the United States to facilitate communication and information sharing. Today’s networking demand, in particular web pages, email, peer-to-peer services, and the use of mobile devices, has grown well beyond its originators’ expectations. Widespread deployment and growth of networking technologies and mobile communications have surpassed IPv4’s ability to provide adequate globally unique address space.[4] Efforts to develop a successor to IPv4 started in the early 1990s within the Internet Engineering Task Force (IETF).[5] The objective was to solve the address space limitations as well as provide additional functionality. The IETF started the Internet Protocol Next Generation (IPng) work in 1993 to investigate different proposals and to make recommendations for further actions. The IETF recommended IPv6 in 1994. (The name IPv5 had previously been allocated to an experimental stream protocol.) Their recommendation is specified in RFC 1752, The Recommendation for IP Next Generation Protocol. Several proposals followed; the Internet Engineering Steering Group approved the IPv6 recommendation and drafted a Proposed Standard on November 17, 1994. RFC 1883, Internet Protocol, Version 6 (IPv6) Specification, was published in 1995. The core set of IPv6 protocols[6] became an IETF Draft Standard on August 10, 1998. This included RFC 2460, which replaced RFC 1883.

IPv6 is a protocol designed to handle the growth rate of the Internet and to cope with the demanding requirements of services, mobility, and end-to-end security. The following sections describe the limitations of IPv4, the major features of IPv6, and motivations for deploying IPv6.

[4] Hagen, IPv6 Essentials, 2nd Edition.
[5] The IETF is an open international community charged with the evolution of the Internet architectures and standards.
[6] An Internet standard begins as an Internet Draft, which generally evolves during the publication of successive versions. It may then be published as a Request for Comments (RFC) document. Some RFCs define IETF standards; others are informational documents or describe experimental protocols. Two current IETF working groups that concentrate on IPv6 operations and protocols are the IPv6 Operations (v6ops) Working Group and the IPv6 Maintenance (6man) Working Group.

2.2 Limitations of IPv4

IPv4 (RFC 791) was designed over 30 years ago for a relatively small number of users. At that time, it seemed unlikely that personal computing technology would become as widespread as it is today in the United States and worldwide. The rapid, universal adoption and growth of personal computing technologies, including IP networking, were unforeseen in 1981. At that time, the Internet was used almost exclusively by scholars and researchers, and IPv4’s 4.3 billion theoretically available addresses were considered to be more than sufficient.

As a result of growing Internet use, IPv4’s address capacity could not meet the demand. In practice, the supply of available IPv4 addresses has been limited since the early 1990s. Previously, an organization could apply for and receive an order of magnitude more IPv4 addresses than it could actually justify. However, as a result of regulatory advances, IP address allocations are now bound by strict policies that include formal justification to a Regional Internet Registry (RIR). During the 1990s, address allocation policies, along with address reuse and restriction technologies, were put into place to conserve IPv4 addresses. Technologies widely adopted in response to the constrained supply of IPv4 addresses are network address translation (NAT [RFC 3022]) and classless inter-domain routing (CIDR [RFC 4632]); both are discussed in detail in Chapter 3.

NAT essentially makes private IPv4 addresses (also known as non-routable addresses) at least partially functional on the global Internet. Despite their adaptation to other uses, private IPv4 addresses were designed for testing and other non-production purposes and never intended to be usable on the Internet. Nevertheless, a NAT-capable router positioned at an organization’s boundary has the ability to connect an entire network of privately addressed nodes within the organization to the Internet via a single routable IP address. This technology saves IPv4 address space because nodes bearing private addresses are essentially "on" the Internet but do not have globally unique IP addresses.
Nevertheless, this address conservation technology can actually defeat certain aspects of the design intent of IPv4: network layer end-to-end security, peer-to-peer (host-to-host) connectivity, and interoperability. A host using private addressing behind a NAT device cannot have a full peer-to-peer relationship with another host via the Internet or backbone enterprise network using globally unique addressing. This is because NAT does not allow communication sessions to be initiated from globally addressed nodes to the privately addressed nodes.

NAT traversal technologies are available to work around some of these barriers. They typically work in one of two ways: (1) by maintaining stateful address lookup tables and redirecting inbound traffic to appropriate private addresses; (2) by employing application layer gateways that listen for specific port numbers and redirect traffic according to pre-configured parameters. Neither approach to NAT traversal scales well or guarantees compatibility with all forms of NAT, and each requires considerable effort to implement. In addition, neither approach lends itself to dynamic configuration when, for example, hosts move or networks are renumbered.

Another limitation of IPv4 is that its design favored interoperability over security and did not contain features that protected the confidentiality, integrity, or availability of communications. For example, IPv4 could not cryptographically protect data from eavesdropping or manipulation, and IPv4 did not provide a method for endpoints to authenticate each other. Over time, the open nature of IPv4 was increasingly a target of exploitation. The multi-path nature of the Internet, which was designed for high availability, also allows multiple attack vectors for a variety of threats. As a response, new technologies were added to IPv4 to provide needed security functionality.
With IPv6, these features were designed into the new protocol as mandatory components.

2.3 Major Features of the IPv6 Specification

IPv6 has many new or improved features that make it significantly different from its predecessor. These features include extended address space, autoconfiguration, header structure, extension headers, IPsec, mobility, quality of service, route aggregation, and efficient transmission. This section discusses these features and compares specific aspects of IPv4 and IPv6 to help establish an understanding of the protocols’ similarities and differences.

2.3.1 Extended Address Space

Each IPv4 address is typically 32 bits long and is written as four decimal numbers representing 8-bit octets and separated by decimal points or periods. An example address is 172.30.128.97. Each IPv6 address is 128 bits long (as defined in RFC 4291) and is written as eight 16-bit fields in colon-delimited hexadecimal notation (an example is fe80:43e3:9095:02e5:0216:cbff:feb2:7474). This new 128-bit address space provides an enormous number of unique addresses, 2^128 (or 3.4 x 10^38) addresses, compared with IPv4’s 2^32 (or 4.3 x 10^9) addresses. That is enough for many trillions of addresses to be assigned to every human being on the planet. Moreover, these address bits are divided between the network prefix and the host identifier portions of the address. The network prefix designates the network upon which the host bearing the address resides. The host identifier identifies the node or interface within the network upon which it resides. The network prefix may change while the host identifier can remain static. The static host identifier allows a device to maintain a consistent identity despite its location in a network.
This enormous number of addresses allows for end-to-end communication between devices with globally unique IP addresses and can better support the delivery of peer-to-peer services with data-rich content such as voice and video. Chapter 3 describes IPv6 addressing in detail.

2.3.2 Autoconfiguration

Essentially plug-and-play networking, autoconfiguration, defined in RFC 4862, IPv6 Stateless Address Autoconfiguration, is one of the most interesting and potentially valuable addressing features in IPv6. This feature allows devices on an IPv6 network to configure themselves independently using a stateless protocol. In IPv4, hosts are configured manually or with host configuration protocols like Dynamic Host Configuration Protocol (DHCP); with IPv6, autoconfiguration takes this a step further by defining a method for some devices to configure their IP addresses and other parameters without the need for a server. Moreover, it also defines a method, renumbering, whereby the time and effort required to renumber a network by replacing an old prefix with a new prefix are vastly reduced. Section 3.5.4 describes autoconfiguration in detail.

2.3.3 Header Structure

The IPv6 header is much simpler than the IPv4 header and has a fixed length of 40 bytes (as defined in RFC 2460). Even though this header is almost twice as long as the minimum IPv4 header, much of the header is taken up by two 16-byte IPv6 addresses, leaving only 8 bytes for other header information. This allows for improved fast processing of packets and protocol flexibility. IPv6 datagrams use a structure that always includes a 40-byte base header and, optionally, one or more extension headers. This base header is like the header of IPv4 datagrams, though it has a different format. Five IPv4 header fields have been removed: IP header length, identification, flags, fragment offset, and header checksum.
The IPv6 header fields are as follows: version (IP version 6), traffic class (replacing IPv4’s type of service field), flow label (a new field for Quality of Service (QoS) management), payload length (length of data following the fixed part of the IPv6 header), next header (replacing IPv4’s protocol field), hop limit (number of hops, replacing IPv4’s time to live field), and source and destination addresses. The IPv6 header format is illustrated in Figure 2-1. The payload can be up to 64KB in size in standard mode, or larger with a jumbo payload option. Section 3.3 describes these headers in detail.

Figure 2-1. The IPv6 Packet Header Format (Field Sizes in Bits)[7]

  Version (4) | Traffic Class (8) | Flow Label (20)
  Payload Length (16) | Next Header (8) | Hop Limit (8)
  Source Address (128)
  Destination Address (128)

2.3.4 Extension Headers

An IPv4 header can be extended from 20 bytes to a maximum of 60 bytes, but this option is rarely used because it impedes performance and is often administratively prohibited for security reasons. IPv6 has a new method to handle options, which allows substantially improved processing and avoids some of the security problems that IPv4 options generated. IPv6 RFC 2460 defines six extension headers: hop-by-hop options header, routing header, fragment header, destination options header, authentication header (AH), and encapsulating security payload (ESP) header. Each extension header is identified by the Next Header field in the preceding header. Section 3.4 describes extension headers in detail.

2.3.5 Mandatory Internet Protocol Security (IPsec) Support

IP security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating the sender and providing integrity protection plus, optionally, confidentiality for the transmitted data.
This is accomplished through the use of two extension headers: the Encapsulating Security Payload (ESP) and the Authentication Header (AH). The negotiation and management of IPsec security protections and the associated secret keys is handled by the Internet Key Exchange (IKE) protocol. IPsec is a mandatory part of an IPv6 implementation; however, its use is not required. IPsec is also specified for securing particular IPv6 protocols (e.g., Mobile IPv6 and OSPFv3 [Open Shortest Path First version 3]). Section 5.3 describes IPsec in detail.

2.3.6 Mobility

Mobile IPv6 (MIPv6) is an enhanced protocol supporting roaming for a mobile node, so that it can move from one network to another without losing IP-layer connectivity (as defined in RFC 3775). RFC 3344, IP Mobility Support for IPv4, describes Mobile IP concepts and specifications for IPv4. Nevertheless, using Mobile IP with IPv4 has various limitations, such as limited address space, dependence on the address resolution protocol (ARP), and challenges with handover when a device moves from one access point to another. Mobile IPv6 uses IPv6’s vast address space and Neighbor Discovery (RFC 4861) to solve the handover problem at the network layer and maintain connections to applications and services if a device changes its temporary IP address. Mobile IPv6 also introduces new security concerns such as route optimization (RFC 4449), where data flow between the home agent and mobile node will need to be appropriately secured. Section 4.4 describes Mobile IPv6 in detail.

[7] Additional illustration and explanation of the major differences between the IPv6 and IPv4 headers can be found in the GAO report, Internet Protocol Version 6: Federal Agencies Need to Plan for Transition and Manage Security Risks.

2.3.7 Quality of Service (QoS)

IP (for the most part) treats all packets alike, as they are forwarded with best effort treatment and no guarantee of delivery through the network.
TCP (Transmission Control Protocol) adds delivery confirmations but has no options to control parameters such as delay or bandwidth allocation. QoS offers enhanced policy-based networking options to prioritize the delivery of information. Existing IPv4 and IPv6 implementations use similar QoS capabilities, such as Differentiated Services and Integrated Services, to identify and prioritize IP-based communications during periods of network congestion. Within the IPv6 header, two fields can be used for QoS: the Traffic Class and Flow Label fields. The new Flow Label field and enlarged Traffic Class field in the main IPv6 header allow more efficient and finer grained differentiation of various types of traffic. The new Flow Label field can contain a label identifying or prioritizing a certain packet flow such as voice over IP (VoIP) or videoconferencing, both of which are sensitive to timely delivery. IPv6 QoS is still a work in progress, and security should be given increased consideration in this stage of development. Section 4.3 describes QoS in detail.

2.3.8 Route Aggregation

IPv6 incorporates a hierarchical addressing structure and has a simplified header allowing for improved routing of information from a source to a destination. The large amount of address space allows organizations with large numbers of connections to obtain blocks of contiguous address space. Contiguous address space allows organizations to aggregate addresses under one prefix for identification on the Internet. This structured approach to addressing reduces the amount of information Internet routers must maintain and store and promotes faster routing of data. Additionally, it is envisioned that IPv6 addresses will primarily be allocated only from Internet Service Providers (ISPs) to customers. This will allow ISPs to summarize route advertisements to minimize the size of the IPv6 Internet routing tables. This is covered in more detail in Section 3.2.
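As an added example that is not part of SP 800-119, the following Python code decodes the 40-byte base header of Section 2.3.3, follows the Next Header chain through the extension headers of Section 2.3.4, and applies the kind of granular ICMPv6 filtering policy the guideline recommends. The list of "essential" ICMPv6 types is borrowed from RFC 4890 and simplified (an assumption of this example, not a list given in the guideline); the sample packets are constructed, and all function names are the example's own.

```python
import ipaddress
import struct
from typing import Any, Dict

# IANA protocol numbers for the six RFC 2460 extension headers, plus TCP.
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DEST_OPTS = (
    0, 6, 43, 44, 50, 51, 58, 60)
EXT_NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
             ESP: "ESP", AH: "AH", DEST_OPTS: "destination-options"}

# Minimal transit policy modelled on RFC 4890 (an assumption of this example;
# SP 800-119 asks for a granular policy but does not list types): the error
# messages a firewall must not drop plus echo, which is normally allowed.
ICMPV6_ESSENTIAL = {1: "destination unreachable", 2: "packet too big",
                    3: "time exceeded", 4: "parameter problem"}
ICMPV6_NORMAL = {128: "echo request", 129: "echo reply"}


def parse_fixed_header(pkt: bytes) -> Dict[str, Any]:
    """Decode the 40-byte IPv6 base header described in Section 2.3.3."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version={version})")
    return {"version": version,
            "traffic_class": (first_word >> 20) & 0xFF,
            "flow_label": first_word & 0xFFFFF,
            "payload_length": payload_len,
            "next_header": next_hdr,
            "hop_limit": hop_limit,
            "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40]))}


def walk_extension_headers(pkt: bytes) -> Dict[str, Any]:
    """Follow the Next Header chain (Section 2.3.4) to the upper-layer protocol,
    recording each extension header. ESP ends the walk: its own Next Header
    field is inside the encrypted trailer."""
    info = parse_fixed_header(pkt)
    offset, nh, chain = 40, info["next_header"], []
    while nh in EXT_NAMES:
        chain.append(EXT_NAMES[nh])
        if nh == ESP:
            return {**info, "chain": chain, "upper_layer": ESP, "upper_offset": None}
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nxt, length_field = pkt[offset], pkt[offset + 1]
        if nh == FRAGMENT:       # always 8 octets
            hdr_len = 8
        elif nh == AH:           # Payload Len counts 4-octet units, minus 2
            hdr_len = (length_field + 2) * 4
        else:                    # Hdr Ext Len counts 8-octet units after the first 8
            hdr_len = (length_field + 1) * 8
        offset, nh = offset + hdr_len, nxt
    return {**info, "chain": chain, "upper_layer": nh, "upper_offset": offset}


def filter_decision(pkt: bytes) -> Dict[str, Any]:
    """Essential ICMPv6 is allowed, other ICMPv6 dropped; non-ICMPv6 traffic is
    passed on with its extension-header chain reported for further filtering."""
    info = walk_extension_headers(pkt)
    if info["upper_layer"] != ICMPV6:
        return {"verdict": "pass", "reason": "not ICMPv6", **info}
    off = info["upper_offset"]
    if off + 4 > len(pkt):
        return {"verdict": "drop", "reason": "ICMPv6 header truncated", **info}
    icmp_type, icmp_code = pkt[off], pkt[off + 1]
    if icmp_type in ICMPV6_ESSENTIAL:
        verdict, reason = "allow", "essential: " + ICMPV6_ESSENTIAL[icmp_type]
    elif icmp_type in ICMPV6_NORMAL:
        verdict, reason = "allow", ICMPV6_NORMAL[icmp_type]
    else:
        verdict, reason = "drop", f"ICMPv6 type {icmp_type} not in allow list"
    return {"verdict": verdict, "reason": reason,
            "icmpv6_type": icmp_type, "icmpv6_code": icmp_code, **info}


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes,
               hop_limit: int = 64) -> bytes:
    """Assemble a constructed IPv6 packet for testing (checksums left zero)."""
    base = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return (base + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


# Constructed sample packets, not captured traffic.
HBH_THEN_ICMPV6 = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # hop-by-hop with PadN option
ECHO_REQUEST = bytes([128, 0, 0, 0, 0x12, 0x34, 0, 1])   # type 128, code 0
NODE_INFO_QUERY = bytes([139, 0, 0, 0, 0, 0, 0, 0])      # type 139, dropped by default
FRAG_THEN_TCP = bytes([TCP, 0, 0, 0, 0, 0, 0, 1]) + bytes(20)  # fragment header, TCP
SRC, DST = "2001:db8::1", "2001:db8::2"
SAMPLE_PACKETS = {
    "echo via hop-by-hop": build_ipv6(SRC, DST, HOP_BY_HOP, HBH_THEN_ICMPV6 + ECHO_REQUEST),
    "node information query": build_ipv6(SRC, DST, ICMPV6, NODE_INFO_QUERY),
    "fragmented TCP": build_ipv6(SRC, DST, FRAGMENT, FRAG_THEN_TCP),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        d = filter_decision(pkt)
        print(f"{name:23} chain={d['chain']} verdict={d['verdict']} ({d['reason']})")
```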
2.3.9 Efficient Transmission

IPv6 packet fragmentation control occurs at the IPv6 source host, not at an intermediate IPv6 router. With IPv4, a router can fragment a packet when the Maximum Transmission Unit (MTU) of the next link is smaller than the packet it has to send. The router does this by slicing a packet to fit into the smaller MTU and sending it out as a set of fragments. The destination host collects the fragments and reassembles them. All fragments must arrive for the higher level protocol to get the packet. Therefore, when one fragment is missing or an error occurs, the entire transmission has to be redone. In IPv6, a host uses a procedure called Path Maximum Transmission Unit (PMTU) Discovery to learn the path MTU size and eliminate the need for routers to perform fragmentation. The IPv6 Fragment Extension Header is used when an IPv6 host wants to fragment a packet, so fragmentation occurs at the source host, not the router, which allows efficient transmission. PMTU is discussed in Section 3.5.5, and Section 4.5 describes efficient transmission in detail.

2.4 IPv4 and IPv6 Threat Comparison

The deployment of IPv6 can lead to new challenges with respect to the types of threats facing an organization. This section provides a high-level overview of how threats differ between an IPv4 environment, an IPv6 environment, and a combined IPv4-IPv6 environment. The following chapters provide additional details on these threats as required. It should be noted that many IPv6 threat discussions rely on IPsec to provide protection against attack. Due to issues with key management and overall configuration complexity (including applications), it is possible that IPsec will not be deployed much more than it is with IPv4 today for initial IPv6 use. IPsec is covered in detail in Section 5.3.
Network reconnaissance is typically the first step taken by an attacker to identify assets for exploitation (RFC 5157).[8] Reconnaissance attacks in an IPv6 environment differ dramatically from those in current IPv4 environments. Due to the size of IPv6 subnets (2^64 addresses in a typical IPv6 environment compared to 2^8 in a typical IPv4 environment), traditional IPv4 scanning techniques that would normally take seconds could take years on a properly designed IPv6 network. This does not mean that reconnaissance attacks will go away in an IPv6 environment; it is more likely that the tactics used for network reconnaissance will be modified. Attackers will still be able to use passive techniques, such as Domain Name System (DNS) name server resolution, to identify victim networks for more targeted exploitation. Additionally, if an attacker is able to obtain access to one system on an IPv6 subnet, the attacker will be able to leverage IPv6 neighbor discovery to identify hosts on the local subnet for exploitation. Neighbor discovery-based attacks will also replace their IPv4 counterparts such as ARP spoofing.

Prevention of unauthorized access to IPv6 networks will likely be more difficult in the early years of IPv6 deployments. IPv6 adds more components to be filtered than IPv4, such as extension headers, multicast addressing, and increased use of ICMP. These extended capabilities of IPv6, as well as the possibility of an IPv6 host having a number of global IPv6 addresses, potentially provide an environment that will make network-level access easier for attackers due to improper deployment of IPv6 access controls. Moreover, security-related tools and accepted best practices have been slow to accommodate IPv6. Either these items do not exist, or they have not been stress tested in an IPv6 environment. Nevertheless, global aggregation of IPv6 addresses by ISPs should allow enhanced anti-spoofing filtering across the Internet where implemented.
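As an added example (not from SP 800-119), this Python audit puts numbers on the scanning argument in the paragraphs above and checks a constructed address inventory for interface identifiers that undercut the recommendations on privacy addressing and randomly assigned identifiers. The ff:fe signature it looks for is the modified EUI-64 form of RFC 4291, the 16-bit threshold for "low" identifiers is this example's own heuristic, and every address shown is a constructed value from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from typing import Dict, List

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def scan_space(network: str) -> int:
    """Number of addresses an exhaustive scan of `network` has to probe."""
    return ipaddress.ip_network(network, strict=False).num_addresses


def exhaustive_scan_years(network: str, probes_per_second: float) -> float:
    """Years needed to probe every address in `network` at a fixed probe rate."""
    return scan_space(network) / probes_per_second / SECONDS_PER_YEAR


def classify_interface_id(addr: str) -> str:
    """Classify the interface identifier (low 64 bits) of an IPv6 address.

    'eui64'  - modified EUI-64 form (RFC 4291, Appendix A): the identifier
               carries ff:fe in its middle and is derived from the interface's
               hardware address, so it is stable and far from random.
    'low'    - identifier fits in 16 bits (::1, ::2, ...), the pattern of manual
               or sequential assignment that is trivial to enumerate
               (heuristic threshold chosen for this example).
    'random' - anything else, consistent with privacy (RFC 4941) or randomly
               assigned identifiers the guideline recommends.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] == b"\xff\xfe":
        return "eui64"
    if int.from_bytes(iid, "big") < 2 ** 16:
        return "low"
    return "random"


def audit_addresses(addrs: List[str]) -> Dict[str, List[str]]:
    """Group an address inventory by interface-identifier class so the
    predictable ones can be moved to privacy or random identifiers."""
    report: Dict[str, List[str]] = {"eui64": [], "low": [], "random": []}
    for addr in addrs:
        report[classify_interface_id(addr)].append(addr)
    return report


# Constructed inventory (documentation prefix), not a real network.
SAMPLE_INVENTORY = [
    "2001:db8:1::1",                      # router, manually numbered
    "2001:db8:1::250:56ff:fe8a:1c42",     # SLAAC identifier in modified EUI-64 form
    "2001:db8:1:0:3c7a:91e2:8b04:d6f1",   # privacy/random identifier
    "2001:db8:2::a",                      # server, manually numbered
]

if __name__ == "__main__":
    rate = 1_000_000  # probes per second, an assumed scanner rate
    print("IPv4 /24 scan:", exhaustive_scan_years("192.0.2.0/24", rate), "years")
    print("IPv6 /64 scan:", exhaustive_scan_years("2001:db8::/64", rate), "years")
    for cls, addrs in audit_addresses(SAMPLE_INVENTORY).items():
        print(f"{cls:7}: {addrs}")
```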
Attacks that focus on exploitation above the IP layer, such as application-based attacks and viruses, will not see a difference in the types of threats faced in an IPv6 environment. Most likely, some worms will use modified IPv6 reconnaissance techniques for exploitation. Additionally, because many IPv4 broadcast capabilities have been replaced with IPv6 multicast functionality, broadcast amplification attacks will no longer exist in an IPv6 environment.

From this comparison of IPv4 and IPv6 threats, one can surmise that IPv6 will not inherently be either more or less secure than IPv4. While organizations are in the process of deploying IPv6, the lack of robust IPv6 security controls (described in Section 6) and a lack of overall understanding of IPv6 by security staff may allow attackers to exploit IPv6 assets or leverage IPv6 access to further exploit IPv4 assets. There is a very likely possibility that many IPv6 services will rely on tunneling IPv6 traffic in IPv4 for infrastructures that do not support the protocol, which will also increase the complexity for security staff. Additionally, since IPv6 systems and capabilities are not yet widely used in production environments, there is a distinct possibility that the number of vulnerabilities in software from implementing IPv6 capabilities could rise as IPv6 networks are increasingly deployed.

Based on the threat comparison between IPv4 and IPv6, the following actions are recommended to mitigate IPv6 threats during the deployment process:

• Apply different types of IPv6 addressing (privacy addressing, unique local addressing, sparse allocation, etc.) to limit access to and knowledge of IPv6-addressed environments.
• Assign subnet and interface identifiers randomly to increase the difficulty of network scanning.
• Develop a granular ICMPv6 filtering policy for the enterprise. Ensure that ICMPv6 messages that are essential to IPv6 operation are allowed, but others are blocked.
• Use IPsec to authenticate and provide confidentiality to assets that can be tied to a scalable trust model (an example is access to Human Resources assets by internal employees that make use of an organization’s Public Key Infrastructure (PKI) to establish trust).
• Identify capabilities and weaknesses of network protection devices in an IPv6 environment.
• Enable controls that might not have been used in IPv4 due to a lower threat level during initial deployment (implementing default deny access control policies, implementing routing protocol security, etc.).
• Pay close attention to the security aspects of transition mechanisms such as tunneling protocols.
• On networks that are IPv4-only, block all IPv6 traffic.

[8] Bellovin, Cheswick and Keromytis, Worm Propagation Strategies in an IPv6 Internet.

2.5 Motivations for Deploying IPv6

IP technologies were invented in the United States, and the early adoption of those technologies occurred predominantly in the United States. As mentioned in Section 2.2, early address allocation policies were relatively relaxed and large quantities of IPv4 addresses were assigned upon request, even when those allocations were not thoroughly justified. This resulted in a high concentration of IPv4 address allocations in the United States, with more than half of all routable IPv4 addresses assigned to U.S.-based organizations. Some large U.S.-based Internet backbone service providers have more IPv4 addresses than all of the nations that comprise the Asian region of the world. These circumstances have left most of the world, especially Asia, with little choice other than to adopt the IPv6 specification if they are to become pervasive participants in IP technologies or the global Internet at large. Nations such as Japan have built IPv6-capable Internet infrastructures to support their growing demand for Internet connectivity.
Further, the advanced state of wireless telecommunications in Asia produced an environment where globally unique IP addresses are required to enable the features of Third Generation (3G) wireless technologies. In essence, every mobile 3G device becomes a mobile personal computing platform, and each of those devices requires true end-to-end connectivity to realize its full potential.

All organizations making use of IP networking should study and consider IPv6’s feature set when designing and managing their networks. Even with no intent to replace IPv4, the IPv6 security controls discussed later in this document should be planned and deployed to detect unauthorized use of IPv6. Fundamental knowledge of IPv6—what it is, what its attributes are, and how it operates—is critical to any organization. As the IPv6 protocol becomes increasingly ubiquitous, all enterprise and Internet-connected networks need to be prepared for specific threats and vulnerabilities that the new protocol will bring. For example, an IPv4-only network segment may contain several newly installed hosts that are both IPv4- and IPv6-capable, as well as hosts that have IPv6 enabled by default. This circumstance can come about simply as a result of normal systems life cycles. Additionally, IPv6 could be enabled on a host by an attacker to circumvent security controls that may not be IPv6-aware; these hosts can then be leveraged to create covert or backdoor channels. Taken further, IPv6 traffic could be encapsulated within IPv4 packets using readily available tools and services and exchanged with malicious hosts via the Internet.

Interoperability of geographically dispersed Internet-connected nodes may become a profit motivation for some organizations to deploy IPv6. For instance, content providers are making more multimedia features available via a diverse set of customer platforms.
Mobile phones, handheld personal computers, notebook computers, desktop PCs, and home multimedia and gaming centers are all IPv4-capable today. Delivering multimedia content to those platforms is increasingly viable given the broadband network bandwidths available. Nevertheless, IPv4 clearly cannot address all of these devices without using an address conservation technology like NAT, and NAT by its nature denies true end-to-end IP connectivity. Multimedia service offerings, and ultimately the market for those offerings, are likely always to be constrained by IPv4, while IPv6 may prove to be an enabling technology.

If an organization is not constrained by IPv4 address availability or the disruption that NAT causes to true end-to-end connectivity between nodes, it should still plan for a world in which IPv6 will eventually be ubiquitous. All major vendors of IT products are shipping IPv6-capable products. Wholesale replacement of computing platforms and network infrastructure as a deployment requirement is less likely now than only five years ago, since many operating systems and networking products contain a native IPv6 protocol stack. Also, tunneling IPv6 over the existing IPv4 Internet is possible today by using free, readily available tunnel clients. An end user may download client software, obtain a routable IPv6 address, and begin tunneling IPv6 over IPv4 networks with few technical or administrative barriers. Many open source IP networking tools are IPv6-capable, as are many consumer-oriented wireless access points. Much consumer personal computing and home networking equipment is IPv6-capable, even if the features are not used.
Because of the increasing availability and use of IPv6, as well as many years of coexistence between IPv6 and IPv4, management and technical experts within any organization should understand IPv6 technology—its background, basis, and capabilities, and how they can mitigate risks associated with running dual stack IPv4 and IPv6 networks. In the context of this document, dual stack means that nodes are running both IPv4 and IPv6 protocols concurrently. The remainder of this document examines certain aspects of the IPv6 specification in detail, and discusses threats, vulnerabilities, and the mitigation of risks, in detail.

3. IPv6 Overview

From the standpoint of header design, IPv6 is both more powerful and more flexible than its IPv4 predecessor. Section 2.3 introduced a number of enhancements and features in IPv6. Most significant is the vast amount of address space, along with support for orderly address assignment and efficient network address aggregation on the Internet. Illustrated in Table 3-1 are some of the major differences between IPv4 and IPv6, followed by basic IPv6 terminology used later in this guide. These differences can have implications for IPv6 security and are discussed throughout this and subsequent sections.

Table 3-1. Differences between IPv4 and IPv6 [9]

  Property                  | IPv4                                                  | IPv6
  --------------------------+-------------------------------------------------------+--------------------------------------------------------------
  Address size and          | 32 bits,                                              | 128 bits,
  network size              | network size 8-30 bits                                | network size 64 bits
  Packet header size        | 20-60 bytes                                           | 40 bytes
  Header-level extension    | limited number of small IP options                    | unlimited number of IPv6 extension headers
  Fragmentation             | sender or any intermediate router allowed to fragment | only sender may fragment
  Control protocols         | mixture of non-IP (ARP), ICMP, and other protocols    | all control protocols based on ICMPv6
  Minimum allowed MTU       | 576 bytes                                             | 1280 bytes
  Path MTU discovery        | optional, not widely used                             | strongly recommended
  Address assignment        | usually one address per host                          | usually multiple addresses per interface
  Address types             | use of unicast, multicast, and broadcast address types| broadcast addressing no longer used; use of unicast,
                            |                                                       | multicast and anycast address types
  Address configuration     | devices configured manually or with host              | devices configure themselves independently using stateless
                            | configuration protocols like DHCP                     | address autoconfiguration (SLAAC) or use DHCP

[9] NSA Report, Router Security Configuration Guide Supplement – Security for IPv6 Routers.

Basic Terms (RFC 2460, RFC 4862)

The following basic IPv6 definitions are important for any IPv6 discussion.

- Address. An IPv6-layer identifier for an interface or a set of interfaces.
- Node. A device on the network that sends and receives IPv6 packets.
- Deprecated address. An address, assigned to an interface, whose use is discouraged, but not forbidden (e.g., site-local addresses such as FEC0::/10). A deprecated address should no longer be used as a source address in new communications, but packets sent from or to deprecated addresses are delivered as expected.
- Router. A node that sends and receives packets, and also accepts packets and forwards them on behalf of other nodes.
- Host. A node that may send and receive packets but does not forward packets for other nodes.
- Link. A communication facility or medium over which nodes can communicate at the link layer, i.e., the layer immediately below IPv6. Examples are Ethernets (simple or bridged); Point-to-Point Protocol (PPP); X.25, Frame Relay, or Asynchronous Transfer Mode (ATM) networks; and layer three (or higher) tunnels, such as tunnels over IPv4 or IPv6 itself.
- Link MTU. The maximum transmission unit (MTU), i.e., maximum packet size in octets, which can be conveyed over a link.
- Path MTU. The minimum link MTU of all the links in a path between a source node and a destination node.
- Upper Layer. A protocol layer immediately above IPv6. Examples are transport protocols such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), control protocols such as Internet Control Message Protocol (ICMP), routing protocols such as Open Shortest Path First (OSPF), and internet or lower-layer protocols being tunneled over (i.e., encapsulated in) IPv6 such as Internetwork Packet Exchange (IPX), AppleTalk, or IPv6 itself.
- Interface. The point at which a node connects to a link. Unicast IPv6 addresses are always associated with interfaces.
- Packet. An IPv6 header plus payload.
- Neighbors. Nodes attached to the same link.

This section provides general information about IPv6 as a foundation for later sections. The rest of this section is a resource for understanding the similarities and differences between IPv4 and IPv6, with a focus on addressing (RFC 4291). Section 3.1 discusses IPv6 addresses, how the IPv6 address space is used, and IPv6 address types and scope. This is followed by a review of IPv4 addressing and IPv4 Classless Inter-Domain Routing (CIDR) addressing. Then IPv4 and IPv6 addressing are summarized and compared. Section 3.2 covers IPv6 address allocation. IPv6 headers, their formats, and fields are discussed in Section 3.3. Sections 3.4 through 3.7 cover extension headers, ICMPv6, IPv6 routing, and IPv6 Domain Name System (DNS) respectively.
3.1 IPv6 Addressing

Described in RFC 4291, IPv6 addresses are 128 bits long and are written in what is called colon-delimited hexadecimal notation. An IPv6 address is composed of eight distinct numbers representing 16 bits each and written in base-16 (hexadecimal or hex) notation. The valid hex digits are 0 through 9 and A through F, and together with the colon separator they are the only characters that can be used for writing an IPv6 address. A comparison of IPv4 and IPv6 addressing conventions is illustrated in Figure 3-5 and discussed in more detail in Section 3.1.7. An example of an IPv6 address is:

  2001:0db8:9095:02e5:0216:cbff:feb2:7474

Note that the address contains eight distinct four-place hex values, separated by colons. Each of these values represents 16 bits, for a total of 128 bits in the entire address.

IPv6 addresses are divided among the network prefix, the subnet identifier and the host identifier portions of the address. The network prefix is the high-order bits of an IP address, used to identify a specific network and, in some cases, a specific type of address (see Table 3-2). The subnet identifier (ID) identifies a link within a site. The subnet ID is assigned by the local administrator of the site; a single site can have multiple subnet IDs. This is used as a designator for the network upon which the host bearing the address is resident. The host identifier (host ID) of the address is a unique identifier for the node within the network upon which it resides. It is identified with a specific interface of the host. Figure 3-1 depicts the IPv6 address format with the network prefix, subnet identifier and host identifier.

  |<----------------------------------- 128 bits ----------------------------------->|
  |<------- n bits -------->|<------ 64 - n bits ------>|<---------- 64 bits -------->|
  | Network Prefix          | Subnet ID                 | Host ID                     |
  | Identifies the address  | Identifies a link within  | Interface ID, 64 bits       |
  | range assigned to a site| a site                    |                             |

  Figure 3-1. IPv6 Address Format

RFC 4291 also describes the notation for prefixes.
The network prefix is analogous, but not equivalent, to the subnet mask in IPv4. IPv4 addresses are written in Classless Inter-domain Routing (CIDR) notation, with a subnet mask that contains "1"s in the bit positions that identify the network ID (see Section 3.1.6). There is no subnet mask in IPv6, although the slash notation used to identify the network address bits is similar to IPv4's subnet mask notation. The IPv6 notation appends the prefix length and is written as a number of bits with a slash, which leads to the following format:

  IPv6 address/prefix length

The prefix length specifies how many of the address's left-most bits comprise the network prefix. An example address with a 32-bit network prefix is:

  2001:0db8:9095:02e5:0216:cbff:feb2:7474/32

Quantities of IPv6 addresses are assigned by the international registry services and Internet service providers (ISP) (see Section 3.2.2) based in part upon the size of the entity receiving the addresses. Large, top-tier networks may receive address allocations with a network prefix of 32 bits as long as the need is justified. In this case, the first two groupings of hex values, separated by colons, comprise the network prefix for the assignee of the addresses. The remaining 96 bits are available to the local administrator primarily for reallocation of the subnet ID and the host ID. The subnet ID identifies a link within a site, which can have multiple subnet IDs. The host ID within a network must be unique and identifies an interface on a subnet for the organization, similar to an assigned IPv4 address. Figure 3-2 depicts an IPv6 address with 32 bits allocated to the network prefix.

  |<-- 32 bits -->|<------------------ 96 bits ------------------>|
  | 2001:0db8:    | 9095:02e5:    | 0216:cbff:feb2:7474           |
  | Network Prefix| Subnet ID     | Host ID                       |

  Figure 3-2. 32-Bit Network Prefix

Government, educational, commercial, and other networks typically receive address allocations from top-tier providers (ISPs) with a network prefix of 48 bits (/48), leaving 80 bits for the subnet identifier and host identifier. Figure 3-3 depicts an IPv6 address with 48 bits allocated to the network prefix.

  |<---- 48 bits ---->|<-------------- 80 bits -------------->|
  | 2001:0db8:9095:   | 02e5:     | 0216:cbff:feb2:7474       |
  | Network Prefix    | Subnet ID | Host ID                   |

  Figure 3-3. 48-Bit Network Prefix

Subnets within an organization often have network prefixes of 64 bits (/64), leaving 64 bits for allocation to hosts' interfaces. The host ID should use a 64-bit interface identifier that follows EUI-64 (Extended Unique Identifier) format when a global network prefix is used (001 to 111), except in the case when multicast addresses (1111 1111) are used [10]. Figure 3-4 depicts an IPv6 address with 64 bits allocated to the network prefix.

  |<-------- 64 bits ------->|<-------- 64 bits -------->|
  | 2001:0db8:9095: | 02e5:  | 0216:cbff:feb2:7474       |
  | Network Prefix  | Subnet | Host ID                   |
  |                 | ID     |                           |

  Figure 3-4. 64-Bit Network Prefix

[10] IEEE EUI-64, Guidelines for 64-Bit Global Identifier (EUI-64) Registration Authority.

3.1.1 Shorthand for Writing IPv6 Addresses

Due to their length, IPv6 addresses do not lend themselves to human memorization. Administrators of IPv4 networks typically can recall multiple IPv4 network and host addresses; remembering multiple IPv6 network and host addresses is more challenging. The notation for IPv6 addresses may be compressed and simplified under specific circumstances. One to three zeroes that appear as the leading digits in any colon-delimited hexadecimal grouping may be dropped. This simplifies the address and makes it easier to read and to write. For example:

  2001:0db8:0aba:02e5:0000:0ee9:0000:0444/48

becomes

  2001:db8:aba:2e5:0:ee9:0:444/48

It is important to note that trailing zeroes may not be dropped, because they have intrinsic place value in the address format.
Further efficiency is gained by combining all-zero portions of the address. Any colon-delimited portion of an address containing all zeros may be compressed so that nothing appears between the leading and trailing colons. For example:

  2001:0db8:0055:0000:cd23:0000:0000:0205/48

becomes

  2001:db8:55:0:cd23::205/48

In this example, the sixth and seventh 16-bit groupings contain all zeroes; they were compressed by eliminating the zeroes completely, as well as the colon that divided the two groupings. Nevertheless, compressing an address by removing one or more consecutive colons between groups of zeroes may only be done once per address. The fourth 16-bit grouping in the example also contains all zeroes, but in the condensed form of the address, it is represented with a single zero. A choice had to be made as to which group of zeroes was to be compressed. The example address could be written 2001:db8:55::cd23:0:0:205/48, but this is not as efficient as 2001:db8:55:0:cd23::205/48. It is important to note that both of the addresses in the preceding paragraph are properly formatted, but the latter address is shorter. Compression is just a convention for writing addresses; it does not affect how an address is used, and it makes no difference whether compression falls within the network prefix, host identifier, or across both portions of the address.

3.1.2 IPv6 Address Space Usage

This section introduces the different types of IPv6 addresses, their scope, and use. It introduces IPv6 addressing as basic information needed for secure adoption and deployment of the protocol. RFC 4291, IP Version 6 Addressing Architecture, is the authoritative source for information on IPv6 addressing, and it should be referenced for comprehensive details. Mechanisms for generating and assigning IPv6 addresses are discussed in detail in subsequent sections of this document.

Table 3-2. IPv6 Address Types

  Address Type           | Binary Prefix                                  | IPv6 notation     | Uses
  -----------------------+------------------------------------------------+-------------------+------------------------------------------------------------
  Embedded IPv4 address  | 00…1111 1111 1111 1111 (96 bits)               | ::FFFF/96         | Prefix for embedding IPv4 address in an IPv6 address
  Loopback               | 00…1 (128 bits)                                | ::1/128           | Loopback address on every interface [RFC 2460]
  Global unicast         | 001                                            | 2000::/3          | Global unicast and anycast (allocated) [RFC 4291]
  Global unicast         | 01 – 1111 1100 0                               | 4000::/2 – FC00::/9 | Global unicast and anycast (unallocated)
  Teredo                 | 0010 0000 0000 0001 0000 0000 0000 0000        | 2001:0000::/32    | Teredo [RFC 4380]
  Nonroutable            | 0010 0000 0000 0001 0000 1101 1011 1000        | 2001:DB8::/32     | Nonroutable. Documentation purposes only [RFC 3849]
  6to4                   | 0010 0000 0000 0010                            | 2002::/16         | 6to4 [RFC 3056]
  6Bone                  | 0011 1111 1111 1110                            | 3FFE::/16         | Deprecated. 6Bone testing assignment, 1996 through mid-2006 [RFC 3701]
  Link-local unicast     | 1111 1110 10                                   | FE80::/10         | Link local unicast
  Reserved               | 1111 1110 11                                   | FEC0::/10         | Deprecated. Formerly Site-local address space, unicast and anycast [RFC 3879]
  Local IPv6 address     | 1111 110                                       | FC00::/7          | Unique local address space, unicast and anycast [RFC 4193]
  Multicast              | 1111 1111                                      | FF00::/8          | Multicast address space [RFC 4291]

IPv6 addressing differs from IPv4 in several ways aside from the address size. In both IPv4 and IPv6, addresses specifically belong to interfaces, not to nodes. However, because IPv6 addresses are not in short supply, interfaces often have multiple addresses. As discussed in Section 3.1, IPv6 addresses consist of a network prefix in the higher order bits and an interface identifier in the lower order bits. Moreover, the prefix indicates a subnet or link within a site, and a link can be assigned multiple subnet IDs. Many IPv6 address ranges are reserved or defined for special purposes by the IETF's IPv6 standards and by the Internet Assigned Numbers Authority (IANA). Table 3-2 lists the major assignments and how to identify the different types of IPv6 address from the high-order bits.
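The address anatomy of Sections 3.1 and 3.1.1, as an added worked example (this is not code from SP 800-119 or from NIST; it uses only the Python standard library and the document's own example addresses). It expands any textual form to its eight 16-bit groups, produces the shortest form (leading zeros dropped, the longest run of all-zero groups replaced by "::" once, a lone zero group kept as "0"), splits an address into the network prefix, subnet ID and host ID of Figures 3-2 to 3-4, and, because the example host ID 0216:cbff:feb2:7474 has the EUI-64 layout, recovers the hardware address it embeds. The field and function names are the example's own.

```python
"""Added example (not code from NIST SP 800-119): IPv6 address anatomy.

expand()       -> the eight 16-bit groups of any textual form
compress()     -> shortest textual form (Section 3.1.1 rules)
split_fields() -> network prefix / subnet ID / interface ID (Figure 3-1)
eui64_to_mac() -> the MAC address embedded in an EUI-64 interface ID
"""
from typing import Dict, List, Optional


def expand(addr: str) -> List[int]:
    """Return the eight 16-bit groups of a textual IPv6 address.

    Accepts leading-zero-dropped and '::'-compressed forms.  A second '::'
    is rejected: compression may only be done once per address.
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in addr:
        head, tail = addr.split("::")
        left = [int(g, 16) for g in head.split(":")] if head else []
        right = [int(g, 16) for g in tail.split(":")] if tail else []
        groups = left + [0] * (8 - len(left) - len(right)) + right
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError("not a valid IPv6 address: %s" % addr)
    return groups


def compress(addr: str) -> str:
    """Write an address in its shortest form: leading zeros dropped from every
    group and the longest run of two or more all-zero groups (leftmost on a
    tie) replaced by '::'.  A single zero group stays as '0', which is why
    2001:db8:aba:2e5:0:ee9:0:444 cannot be shortened any further."""
    groups = expand(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:            # strictly longer: leftmost wins ties
            best_start, best_len = i, j - i
        i = j
    hexs = [format(g, "x") for g in groups]   # drops leading zeros only
    if best_len < 2:
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return left + "::" + right


def split_fields(addr: str, prefix_len: int) -> Dict[str, int]:
    """Split an address into the fields of Figure 3-1, as integers: the
    network prefix (first prefix_len bits), the subnet ID (bits prefix_len..63)
    and the 64-bit interface (host) ID."""
    if not 0 <= prefix_len <= 64:
        raise ValueError("this split assumes a network prefix of at most 64 bits")
    value = 0
    for g in expand(addr):
        value = (value << 16) | g
    high = value >> 64                          # prefix + subnet ID
    return {
        "network_prefix": high >> (64 - prefix_len),
        "subnet_id": high & ((1 << (64 - prefix_len)) - 1),
        "interface_id": value & ((1 << 64) - 1),
    }


def eui64_to_mac(interface_id: int) -> Optional[str]:
    """If the interface ID has the modified EUI-64 layout (RFC 4291 Appendix A:
    the 48-bit MAC split around 0xFFFE, universal/local bit of the first octet
    inverted), return the MAC it was built from, else None.  Such a host ID is
    stable and reveals the NIC's hardware address, which is worth knowing when
    deciding how host IDs are allocated."""
    b = interface_id.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join("%02x" % x for x in mac)


if __name__ == "__main__":
    for a in ("2001:0db8:0055:0000:cd23:0000:0000:0205",
              "2001:db8:55::cd23:0:0:205",
              "2001:0db8:0aba:02e5:0000:0ee9:0000:0444"):
        print(a, "->", compress(a))
    fields = split_fields("2001:0db8:9095:02e5:0216:cbff:feb2:7474", 48)
    print({k: "%x" % v for k, v in fields.items()})
    print(eui64_to_mac(fields["interface_id"]))
```

Both spellings of the document's example (2001:db8:55::cd23:0:0:205 and 2001:db8:55:0:cd23::205) expand to the same groups, and compress() always picks the second because the two-group run is longer than the one-group run.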
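Table 3-2 used as a classifier, as an added example (not code from SP 800-119 or NIST): each address is matched against the table's prefixes and the most specific match wins, so 2001:db8::1 is reported as documentation-only rather than as generic global unicast. The IPv4-mapped prefix is written in full (::ffff:0:0/96) because that is the form the standard library parses; the unallocated global unicast range (4000::/2 through FC00::/9) is not encoded and falls through to "not listed". The allowed_as_source() policy is the example's own illustration of how the table feeds a filter: multicast addresses are valid only as destinations, and deprecated, documentation-only or unassigned prefixes should not appear as sources on a production link.

```python
"""Added example (not from NIST SP 800-119): classify an IPv6 address by the
rows of Table 3-2, longest prefix first, and derive a simple source-address
policy from the result."""
import ipaddress
from typing import Tuple

# Rows of Table 3-2 as (prefix, address type, note).  The unallocated global
# unicast range (4000::/2 - FC00::/9) is not encoded; see classify().
ADDRESS_TYPES = [
    ("::ffff:0:0/96", "Embedded IPv4 address", "IPv4-mapped IPv6 address"),
    ("::1/128", "Loopback", "loopback address on every interface [RFC 2460]"),
    ("2000::/3", "Global unicast", "allocated global unicast and anycast [RFC 4291]"),
    ("2001::/32", "Teredo", "Teredo [RFC 4380]"),
    ("2001:db8::/32", "Nonroutable", "documentation purposes only [RFC 3849]"),
    ("2002::/16", "6to4", "6to4 [RFC 3056]"),
    ("3ffe::/16", "6Bone", "deprecated 6Bone test allocation [RFC 3701]"),
    ("fe80::/10", "Link-local unicast", "never forwarded off the local link"),
    ("fec0::/10", "Reserved", "deprecated site-local space [RFC 3879]"),
    ("fc00::/7", "Local IPv6 address", "unique local addresses [RFC 4193]"),
    ("ff00::/8", "Multicast", "multicast address space [RFC 4291]"),
]
NETWORKS = [(ipaddress.IPv6Network(p), t, note) for p, t, note in ADDRESS_TYPES]

UNSPECIFIED = ipaddress.IPv6Address("::")


def classify(addr: str) -> Tuple[str, str]:
    """Return (address type, note) for the most specific Table 3-2 row that
    contains addr.  The all-zero unspecified address is reported separately;
    anything else not listed is reserved, unassigned or unallocated."""
    a = ipaddress.IPv6Address(addr)
    if a == UNSPECIFIED:
        return ("Unspecified", "all zeros; used as a source only while a node "
                               "solicits its own address")
    best = None
    for net, atype, note in NETWORKS:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, atype, note)
    if best is None:
        return ("Reserved/unassigned", "not listed in Table 3-2")
    return (best[1], best[2])


# Example policy (this example's own, not a NIST recommendation as written):
# types that should not appear as the source address of a forwarded packet.
NOT_VALID_SOURCE = {"Multicast", "Nonroutable", "6Bone", "Reserved",
                    "Reserved/unassigned"}


def allowed_as_source(addr: str) -> bool:
    """True if the address type may legitimately be a packet source."""
    return classify(addr)[0] not in NOT_VALID_SOURCE


if __name__ == "__main__":
    for a in ("::1", "fe80::1", "2001:db8::1", "2001::1", "3000::1",
              "2002:c000:204::1", "3ffe::1", "fec0::1", "fd00::1",
              "ff02::1", "::ffff:192.0.2.1", "::", "4000::1"):
        atype, note = classify(a)
        print("%-22s %-22s source ok: %-5s %s" % (a, atype, allowed_as_source(a), note))
```

Because classify() compares prefix lengths rather than relying on row order, the table can be extended (for example with an organization's own assigned /48) without re-sorting it.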
All address ranges not listed in Table 3-2 are reserved or unassigned. IANA currently assigns only out of the binary range starting with 001 [11].

3.1.3 IPv6 Address Types

IPv6 uses the notion of address types for different situations. These different address types are defined below:

- Unicast Addresses. Addresses that identify one interface on a single node; a packet with a unicast destination address is delivered to that interface.
- Multicast Addresses. RFC 4291 defines a multicast address as, "An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address." Although multicast addresses are common in both IPv4 and IPv6, in IPv6 multicasting has new applications. The single most important aspect of multicast addressing under IPv6 is that it enables fundamental IPv6 functionality, including neighbor discovery (ND) and router discovery. Multicast addresses begin with FF00::/8. They are intended for efficient one-to-many and many-to-many communication. The IPv6 standards prohibit sending packets from a multicast address; multicast addresses are valid only as destinations. Multicast addressing is discussed in Section 4.2.
- Anycast Addresses. Addresses that can identify several interfaces on one or more nodes; a packet with an anycast destination address is delivered to one of the interfaces bearing the address, usually the closest one as determined by routing protocols. Anycast addressing was introduced as an add-on for IPv4, but it was designed as a basic component of IPv6. The format of anycast addresses is indistinguishable from unicast addresses.

    |<---- n bits ---->|<------- 128 - n bits ------->|
    | subnet prefix    | 00000000000000               |

  The subnet prefix in an anycast address is the prefix that identifies a specific link.
  Anycast addresses are intended for efficiently providing services that any one of a number of nodes can perform (e.g., a Home Agent for a Mobile IP node). Anycast addresses may not be used as source addresses and, as of the writing of this guide, may only be assigned to routers. It should be noted that there are no defined mechanisms for security or registration for anycast, nor is there a way to verify that a response to a packet sent to an anycast address was sent by an interface authorized to do so. This leaves open the possibility of impersonating anycast servers.
- Broadcast Addresses. Broadcast addressing is a common attribute of IPv4, but is not defined or implemented in IPv6. Multicast addressing in IPv6 meets the requirements that broadcast addressing formerly fulfilled.

[11] IANA, Internet Protocol Version 6 Address Space.

3.1.4 IPv6 Address Scope

The shortage of IPv4 addresses led to the designation of non-routable addresses in RFC 1918 and the widespread use of Network Address Translation (NAT) to share globally routable addresses (with certain limits placed on the hosts using so-called RFC 1918 addresses). IPv6 has no such shortage, so the use of NAT is unnecessary; nevertheless, the usefulness of addresses with limited scope was identified and maintained in IPv6. IPv6 addresses with different scopes were defined. In the original design for IPv6, link local, site local, and global addresses were defined; later, it was realized that site local addresses were not well enough defined to be useful. Site local addresses were abandoned and replaced with unique local addresses. Older implementations of IPv6 may still use site local addresses, so IPv6 firewalls need to recognize and handle site local addresses correctly. The IPv6 standards define several scopes for meaningful IPv6 addresses:

- Interface-local. This applies only to a single interface; the loopback address has this scope.
- Link-local. This applies to a particular LAN (Local Area Network) or network link; every IPv6 interface on a LAN must have an address with this scope. Link-local addresses start with FE80::/10. Packets with link-local destination addresses are not routable and must not be forwarded off the local link.

  Link-local address:

    |<-- 10 bits -->|<------- 54 bits ------->|<---- 64 bits ---->|
    | 1111 1110 10  | 0000………………0000          | Interface ID      |
    | FE80/10       | 0000………………0000          | Interface ID      |

  Link-local addresses are used for administrative purposes such as neighbor and router discovery.
- Site-local. This scope was intended to apply to all IPv6 networks or a single logical entity such as the network within an organization. Addresses with this scope start with FEC0::/10. They were intended not to be globally routable but potentially routed between subnets within an organization. Site local addresses have been deprecated and replaced with unique local addresses.
- Unique local unicast. This scope is meant for a site, campus, or enterprise's internal addressing. It replaces the deprecated site-local concept. Unique local addresses (ULAs) may be routable within an enterprise. Use of unique local addresses is not yet widespread; see RFC 4193, Unique Local IPv6 Unicast Addresses, for more information.
- Global. The global scope applies to the entire Internet. These are globally unique addresses that are routable across all publicly connected networks.
- Embedded IPv4 Unicast. The IPv6 specification has the ability to leverage existing IPv4 addressing schemes. The transition to IPv6 will be gradual, so two special types of addresses have been defined for backward compatibility with IPv4: IPv4-compatible IPv6 addresses (rarely used and deprecated in RFC 4291) and IPv4-mapped IPv6 addresses. Both allow the protocol to derive addresses by embedding IPv4 addresses in the body of an IPv6 address.
  An IPv4-mapped IPv6 address is used to represent the addresses of IPv4-only nodes as an IPv6 address, which allows an IPv6 node to use this address to send a packet to an IPv4-only node.

  IPv4-compatible IPv6 address:

    |<------------- 80 bits ------------->|<- 16 bits ->|<- 32 bits -->|
    | 0000………………………….……..0000              | 0000        | IPv4 address |

  IPv4-mapped IPv6 address:

    |<------------- 80 bits ------------->|<- 16 bits ->|<- 32 bits -->|
    | 0000………………………….……..0000              | FFFF        | IPv4 address |

  The two IPv4 embedded address types are similar. The only difference is the sixth group of 16 bits: IPv4-compatible addresses set these bits to all zeros (0000); IPv4-mapped addresses set them to all ones (FFFF). A more generalized form of IPv4-embedded IPv6 addresses has been defined (RFC 6052), to aid the process of automated translation from one type of address to the other. Two new variants of IPv4-embedded IPv6 addresses are:

  - IPv4-converted IPv6 addresses: "IPv6 addresses used to represent IPv4 nodes in an IPv6 network"
  - IPv4-translatable IPv6 addresses: "IPv6 addresses assigned to IPv6 nodes for use with stateless transition"

  It is quite likely that additional special-use variants will be defined in the future.
- Other address or Special Address types. IPv6 makes use of addresses other than those shown above. The unspecified address consists of all zeros (0:0:0:0:0:0:0:0 or simply ::) and may be the source address of a node soliciting its own IP address from an address assignment authority (such as a DHCPv6 [DHCP for IPv6] server). IPv6-compliant routers never forward a packet with an unspecified address. The loopback address is used by a node to send a packet to itself. The loopback address, 0:0:0:0:0:0:0:1 (or simply ::1), is defined as being interface-local. IPv6-compliant hosts and routers never forward packets with a loopback destination.

An essential design consideration for IPv6 is to simplify routing in enterprise and global networks. One of the intents of the IPv6 address schema is to facilitate hierarchical routing.
Hierarchical routing in turn accelerates the end-to-end routing function, and routing table convergence and maintenance are vastly simplified.

A typical IPv6 interface is configured to receive packets sent to several addresses. In addition to its link local and global unicast addresses, it may have a unique local address. It can also receive multicast messages sent to the all hosts and solicited node multicast addresses, as well as possibly to other multicast addresses. Finally, because of renumbering, multiple instances of some of these addresses may be active at once. How these addresses are selected is covered in Sections 4.6, Address Selection, and 4.2, Multicast.

3.1.5 IPv4 Addressing

Each IPv4 address is 32 bits long and is typically written as four decimal numbers (0-255) representing eight bits each and separated by decimal points or periods. This is called dotted decimal. An example of an IPv4 address is 172.30.128.97. Each IPv4 address is associated with an additional component called a subnet mask, which denotes how many high-order bits of the address are assigned to the network address (RFC 950). The remaining lower-order bits are used to identify the node.

Three primary subnet types or network classifications were designed for IPv4: Class A, Class B, and Class C (RFC 791). Typically, Class A networks were assigned to the early pioneers of the Internet. Class B networks typically were assigned to larger enterprises and service providers, and Class C network addresses usually were allocated to smaller organizations and treated as subnets of larger networks. The following are examples of IPv4 network addresses and their related subnet masks:

- Class A: 10.0.0.0 netmask 255.0.0.0
  The first octet denotes the network and the remaining three octets (24 bits) are available to identify a node on that network. This means that over 16 million host addresses are available on this single Class A network.
  Class A allocations were often made to organizations that could never put 16 million distinct host addresses to use.
- Class B: 172.30.0.0 netmask 255.255.0.0
  The first two octets denote the network and the remaining two octets (16 bits) are available to identify a node on that network. More than 65,000 distinct addresses are available to network nodes in each Class B network. As with Class A allocations, this also produced a wasteful situation, because many recipients of Class B address allocations did not need to employ more than a small fraction of the addresses.
- Class C: 192.168.1.0 netmask 255.255.255.0
  The first three octets denote the network and the final octet (8 bits) is available to identify a node on that network. This provides 254 addresses for allocation to network nodes (the all-ones and all-zeros addresses are reserved for other uses). More than two million Class C networks were available. Class C was the smallest, most granular network and host address allocation possible until the introduction of CIDR in 1993.

3.1.6 IPv4 Classless Inter-Domain Routing (CIDR) Addressing

CIDR addresses do not follow the Class A/B/C model. Netmasks in CIDR addresses are not confined to the octet boundaries of an IPv4 address. For example, the CIDR address 192.168.1.1/27 indicates that the IP address is 192.168.1.1 and the netmask splits the address after the 27th bit [12]. The first 27 bits are designated for the network address, and the final five bits are available to provide 30 node or host addresses within that network. This allows for a much more granular approach to address allocation because ranges of addresses can be sized appropriately to the organization receiving them.

Of equal importance to address conservation is the related mechanism for routing efficiency that CIDR brings. CIDR addressing allows multiple subnets, defined by common netmasks and having adjacent addresses, to be supernetted together.
This means that multiple networks are aggregated and reachable under one routing table entry. The Internet and many large enterprise networks are comprised of core routers (also known as backbone routers) that move vast amounts of data between networks. These routers connect disparate networks and thus make the Internet what it truly is: a network of networks. This same concept applies to large, geographically dispersed enterprise networks. Core routers maintain large, complex routing tables that contain accurate and timely information about how to reach nearly every network that is a part of the global Internet. The number of entries in these backbone routing tables has increased dramatically since CIDR addressing was introduced in 1993 (RFC 4632), despite the best intentions of supernetting CIDR address space together. As a result, core routers are burdened with ever increasing demands on their memory and processing capacities. In short, IPv4 does not lend itself to a highly scalable and efficient Internet backbone infrastructure.

[12] If written in the classful notation described previously, it would be represented as 192.168.1.1 netmask 255.255.255.224.

Routing prefix aggregation allows contiguous groupings of CIDR addresses to be advertised to the global Internet as a single network rather than as multiple, distinct networks. Separate routing table entries no longer need to be made for each allocation of address space. Much like the concept of supernetting, this means that two distinct organizations sharing only one common attribute, their Internet Service Provider (ISP), can be attached to the Internet with unique IP addresses from an appropriately sized allocation. Yet those two distinct entities are reachable through the global Internet using only one globally unique network route.
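The IPv4 arithmetic of Sections 3.1.5 and 3.1.6, as an added example (not code from SP 800-119 or NIST; it uses only the Python standard library). It recovers the historical class of an address from its first octet, turns a CIDR block such as 192.168.1.1/27 into its netmask and usable host count, and aggregates adjacent prefixes into a supernet the way a provider would before advertising one route. The last function also shows the condition the text leaves implicit: adjacent blocks can only be merged when the combined block is aligned on its own boundary, so 192.168.1.0/24 and 192.168.2.0/24 stay separate while 192.168.0.0/24 and 192.168.1.0/24 become 192.168.0.0/23. Function names are the example's own.

```python
"""Added example (not from NIST SP 800-119): IPv4 classful and CIDR
arithmetic, plus CIDR prefix aggregation (supernetting)."""
import ipaddress
from typing import Dict, List


def classful_class(addr: str) -> str:
    """Historical class of an IPv4 address from its first octet (RFC 791):
    A = 0xxxxxxx, B = 10xxxxxx, C = 110xxxxx; D (multicast) or E otherwise."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"


def cidr_summary(cidr: str) -> Dict[str, object]:
    """Network address, dotted netmask and usable host count of a CIDR block.
    The all-zeros (network) and all-ones (broadcast) addresses are reserved,
    except that a /31 point-to-point link (RFC 3021) and a /32 host route use
    every address."""
    net = ipaddress.IPv4Network(cidr, strict=False)   # 192.168.1.1/27 -> .0/27
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "usable_hosts": usable,
    }


def aggregate(prefixes: List[str]) -> List[str]:
    """Collapse adjacent, boundary-aligned prefixes into the fewest supernets
    that cover exactly the same addresses (one routing table entry each)."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


if __name__ == "__main__":
    for a in ("10.0.0.0", "172.30.0.0", "192.168.1.0"):
        print(a, "is class", classful_class(a))
    print(cidr_summary("192.168.1.1/27"))
    print(aggregate(["192.168.0.0/24", "192.168.1.0/24"]))   # one /23
    print(aggregate(["192.168.1.0/24", "192.168.2.0/24"]))   # not aligned: two routes
    print(aggregate(["192.168.%d.0/24" % i for i in range(4)]))  # one /22
```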
The two concepts discussed here, scalability of address allocations and routing efficiency through prefix aggregation, are integral aspects of the design of IPv6.

3.1.7 Comparing IPv6 and IPv4 Addressing

IPv6 was designed to provide sufficient numbers of globally unique IP addresses to enable true peer-to-peer communication between nodes on interconnected networks. It was also designed to provide a simplified hierarchical routing architecture across the Internet backbone—one that does not suffer from inefficiencies and increasing demands for memory and processing capacities on backbone Internet routers. Several accommodations have been made to retrofit these concepts onto IPv4, while these same concepts are native to the IPv6 specification.

IPv6 provides an enormous number of unique addresses, about 3.4 x 10^38 compared with IPv4's roughly 4.3 x 10^9 addresses. The number of possible IPv6 addresses is so large that many analogies and metaphors have been created that attempt to convey its magnitude. For example, if each IPv6 address weighed one gram, the sum total weight of all IPv6 addresses would be greater than the weight of 56 Earths. The available address space under IPv6 is generally considered to be sufficient for the foreseeable future, even considering the historical growth of the Internet and the devices expected to connect to it in the future. See Figure 3-5 for a comparison of IPv4 and IPv6 addressing conventions.

  Figure 3-5. A Comparison of IPv4 and IPv6 Addressing [7]

The constraints of IPv4 addressing were major considerations when IPv6 addressing was designed. The IPv6 addressing architecture is different not only in terms of address length, but also in terms of address types, address notation, and address aggregation. As discussed in Section 2, as well as later in Sections 3 and 4, each of these differences enables new features in IPv6.
In both IPv4 and IPv6, Dynamic Host Configuration Protocol (DHCP) and the Domain Name System (DNS) can be used to assign, monitor, administer, and change IP addresses. IPv6 also includes an autoconfiguration capability for assigning IP addresses to hosts. Due to the smaller amount of address space available with IPv4, address management was often not complex, with some organizations manually tracking address assignments. The longer, more complex IPv6 addresses, as well as the much larger amount of address space, will most likely require the use of address management tools to avoid errors. In IPv4, it is customary to allocate addresses sequentially, whether they are allocated manually or using DHCP. In IPv6, with an address space large enough to defeat attackers' scanning attempts, addresses should be allocated non-sequentially (e.g., randomly), to preserve that advantage.

3.2 IPv6 Address Allocations

IPv6 addresses have a flexible structure for address assignments. This enables registries, ISPs, network designers, and others to assign address ranges to organizations and networks based on different criteria, such as size of networks and estimated growth rate. Often, an initial assignment does not scale well if a small network becomes larger than expected and hence needs more addresses. The assignment authority may not be able to allocate contiguous addresses if they were already assigned to another network. Section 3.2.1 describes address assignments using leftmost, rightmost, and centermost strategies. With these methods, organizations have the flexibility to aggregate their IPv6 address allocations efficiently. Section 3.2.2 explains how organizations can obtain IPv6 address allocations globally through several regional registry services.

3.2.1 IPv6 Address Assignments

IPv6 network prefix assignment is the first step in network deployment.
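Non-sequential host allocation within a /64, as recommended in Section 3.1.7, as an added example (not code from SP 800-119 or NIST; the HostAllocator class and its interface are the example's own). The 64-bit interface ID is drawn from the operating system's cryptographic random source rather than from a counter, the all-zero interface ID is skipped because RFC 4291 reserves it as the subnet-router anycast address, and already-issued IDs are tracked so that the allocator can double as the address management record the text says such deployments need. The random source is injectable so the behaviour can be checked deterministically.

```python
"""Added example (not from NIST SP 800-119): allocate host IDs inside a /64
non-sequentially from a CSPRNG, keeping a record of what has been issued."""
import ipaddress
import secrets
from typing import Callable, Set

# The all-zero interface ID is the subnet-router anycast address (RFC 4291)
# and must never be handed to a host.
SUBNET_ROUTER_ANYCAST_IID = 0


class HostAllocator:
    """Hands out random, unique addresses within one /64 subnet."""

    def __init__(self, prefix: str, rng: Callable[[int], int] = secrets.randbits):
        self.net = ipaddress.IPv6Network(prefix)
        if self.net.prefixlen != 64:
            raise ValueError("host allocation assumes a /64 subnet prefix")
        self.rng = rng                  # rng(bits) -> random int of that width
        self.used: Set[int] = set()     # interface IDs already issued

    def allocate(self) -> ipaddress.IPv6Address:
        """Return a fresh address: random 64-bit interface ID, not reserved,
        not previously issued.  With 2^64 candidates a collision is
        astronomically unlikely, so a small retry bound is enough."""
        for _ in range(64):
            iid = self.rng(64)
            if iid == SUBNET_ROUTER_ANYCAST_IID or iid in self.used:
                continue
            self.used.add(iid)
            return ipaddress.IPv6Address(int(self.net.network_address) | iid)
        raise RuntimeError("random source keeps returning used or reserved IDs")

    def release(self, addr: str) -> None:
        """Return an address to the pool (e.g. when a host is decommissioned)."""
        a = ipaddress.IPv6Address(addr)
        if a not in self.net:
            raise ValueError("%s is not inside %s" % (a, self.net))
        self.used.discard(int(a) & ((1 << 64) - 1))

    def contains(self, addr: str) -> bool:
        """True if addr lies inside this allocator's /64."""
        return ipaddress.IPv6Address(addr) in self.net

    def issued(self, addr: str) -> bool:
        """True if addr is currently recorded as issued by this allocator."""
        a = ipaddress.IPv6Address(addr)
        return a in self.net and (int(a) & ((1 << 64) - 1)) in self.used


if __name__ == "__main__":
    pool = HostAllocator("2001:db8:9095:2e5::/64")   # documentation prefix
    for _ in range(3):
        print(pool.allocate())
```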
Understanding several methods, such as leftmost, rightmost, and centermost, helps provide flexibility and efficient aggregation of an assigned IPv6 block, as described in RFC 3531, A Flexible Method for Managing the Assignment of Bits of an IPv6 Address Block. If assignments are made without foresight, the boundaries between sub-allocations become difficult to move, and future growth in address use cannot be kept contiguous.

The easiest but least flexible solution is to make block address assignments in order from the beginning of the organization's allocated IPv6 block. For example, if an organization is assigned the prefix 2001:0db8:9095::/48, prefixes can be distributed in simple sequential order:

2001:0db8:9095:0001::/64
2001:0db8:9095:0002::/64
2001:0db8:9095:0003::/64

This is the simplest way to distribute address assignments, but it ignores future needs and does not group networks by site for clean routing aggregation. Additionally, this method makes it impossible to enlarge an existing network assignment while keeping its address space contiguous.

RFC 3531 proposes a method to manage the assignment of bits of an IPv6 address block or range. First, the scheme defines parts of the IP address as p1, p2, p3, ..., pN in order, so that an IP address is composed of these parts contiguously. The boundaries between parts are set by the prefix assigned by the next-level authority. Part p1 is the leftmost part, probably assigned to a registry; part p2 can be allocated to a large ISP or national registry; part p3 can be allocated to a large customer or a smaller provider; and so on. Each part can be of a different length.

Figure: an IPv6 address shown as contiguous parts  p1 | p2 | p3 | p4 | ... | pN

The algorithm for allocating addresses is as follows: for the leftmost part (p1), assign addresses using the leftmost bits first; for the rightmost part (pN), assign addresses using the rightmost bits first; and for all other (center) parts, predefine an arbitrary boundary (prefix) and then assign addresses using the center bits of the part first. This algorithm grows the assigned bits in such a way that the unassigned bits stay near the boundaries between the parts. This means that the boundary between any two parts can later be moved forward or backward, up to the bits already assigned. ...