Ipv6 Comparative Project

  • Uploaded by: Bill Cleveland
  • May 2020
Integrative Project

Security Improvements of IPv6 as Compared to IPv4 for Basic Network Administrators

William F. Cleveland
TS5990 Integrative Project
Capella University
Instructor: Dr. Sharon Gagnon
March 8, 2009

Abstract

This project answers the question of why the conversion from IPv4 to IPv6 is important, for both general and security-specific reasons. Two of the major reasons are the increase in devices that can access the Internet and improvements in security. Other reasons will be brought to the attention of the target audience. The guide is written for the basic network administrator and gives reasons why they should embrace IPv6 more quickly. It will not cover how to implement IPv6, other than to explain which software and hardware devices already support IPv6 and which are quickly adopting the protocol. The project is written to expand the author's experience and to provide a guide to the target audience. The topic must be explained in a manner that instructs the user and explores the topic thoroughly, so that no doubt is left as to the importance of converting and upgrading to IPv6 for TCP/IP communications.

Table of Contents

Abstract
Executive Summary
Ethical and Legal Assumptions
Introduction
IPv4 Background
  Limitations of IPv4
  NAT (Network Address Translation)
IPv6 Benefits
  IPv6 and Mobility
  IPv6 Internet Security
  IPv6 Extension headers
    Hop-by-hop extension header
    Destination Options Extension Header
    Routing Extension Header
    Fragment Extension header
    Order matters
IPv6 Security Concerns
  General Security concepts for IPv6
  IPsec Protects Packets
  Direct end-to-end connections
  Forwarding of packets
IPv6 Usage
  So, why so little IPv6 traffic?
  Incentives
Conclusion
References
Appendix A: [Stakeholder Acceptance]
Appendix B: [IPv6 Terminology]

List of Figures

Figure 1: World Population Growth
Figure 2: World Population compared to IPv6 Addresses
Figure 3: IPv4 vs IPv6 (Lane & Hauser, 2002, p412)
Figure 4: NAT Diagram (Davies, 2008. p8)
Figure 5: IPv6 Header diagram (Hogg & Vyncke, 2009. p16)
Figure 6: Internet Traffic (Labovitz, 2008)

Index of Tables

Table 1: IPv4 Private Addresses (Graham, 1997)
Table 2: Extension Header Order (Hogg & Vyncke, 2009)
Table 3: Header Field names and Functions (Hogg & Vyncke, 2009. p16)
Table 4: Risky Message types (Hogg & Vyncke, 2009. p20)
Table 5: Common Security Weaknesses (Hagen, 2006. p101)
Table 6: IPsec Framework Elements (Hagen, 2006. p103)

William Cleveland

Page 5

Appendices

Appendix A: Stakeholder Acceptance
Appendix B: [IPv6 Terminology]


Executive Summary

The project is an analysis of the importance of IPv6, and why it should be implemented on local and global networks. It will give the strengths and weaknesses of the protocol and the details of its makeup. It is written for network administrators who have not looked into the details of IPv6, but should have an understanding of the technology and its benefits. Topics covered include the security improvements of the new protocol, the addressing shortage of IPv4 and the large number of possible IPv6 addresses, security concerns, and the structure of the IPv6 protocol. Many examples and details are presented from several sources to back up the statements and theories. Very little will be discussed on how to implement IPv6; the focus is instead on why it should be implemented. With more administrators pushing for its implementation, more and more networks will start using it, and thus force more and more networks to adapt to it.


Ethical and Legal Assumptions

The ethical and legal impacts of the IPv6 technology on society are broadly described as affecting all the people who use and access the Internet. It is well known in industry that IPv4 addresses are running out, with more and more people and devices depending on the communication opportunities of the Internet. We cannot allow those addresses to run out and cause problems. Failure to convert communication standards to use IPv6, which allows for unique addresses for nearly every grain of sand on all the beaches on the planet, would cause widespread problems in communications that we are becoming more and more dependent upon. As a new technology in a transition period, it will be at its weakest against hackers and those out to exploit the new technology. However, with improved security features over those of IPv4, IPv6 will provide a more secure long-term solution.

Introduction

Written as a persuasive paper on using IPv6, this work will give some background on IPv4 and why it is quickly becoming outdated and obsolete. Next you will read about the improvements that IPv6 has to offer to all Internet users for every purpose. Some of the weak points will be raised, but solutions will be pointed out that should outweigh them.


Topics will be addressed such as the slow pace of adopting IPv6, especially in America, mainly due to other countries trying to remove themselves from the perceived control America has over the Internet addressing system. Also, as many countries are creating new networks and expanding or even creating their communications backbone, it is easy for them to implement IPv6 initially, instead of using IPv4 and then switching over at a later date.

IPv4 Background

The need for moving away from IPv4 and implementing IPv6 can be understood when you keep in mind how many mobile devices are in the world; how many people each day are accessing the Internet for the first time; the creation of huge wireless network grids; and the idea of giving additional electric devices (stoves, refrigerators, washing machines, etc.) access to the Internet. While IPv4 provides about four billion IP addresses — not enough to assign one to every one of Earth's more than six billion inhabitants — IPv6 provides enough address space to assign more than three billion network addresses to every person on the planet (Colitti, L. & Kline, E. 2008). This is significantly lower than the actual number because of the reservation of addresses for special devices and entities. To put the total number into perspective, here is a chart based on data from the U.S. Census Bureau showing world population estimates (see Figure 1).


Figure 1: World Population Growth

Figure 1 shows a curve displaying a constant 1.14% increase in growth from 2009 to 2108. It starts at about 6 billion people on the planet, and by 2108 shows 21 billion people. (This chart does not take into account projected reductions in the growth rate or other variables, but uses a constant growth number to simplify the data, since this chart is only an example of the large numbers involved.) Figure 2 shows the exact same population growth data, but the total number of addresses available in IPv6 is listed as the last data point. Also, the population numbers are represented in scientific notation to save space.


Figure 2: World Population compared to IPv6 Addresses

As the graph depicts, the population growth curve appears to go away because the difference between 7 billion and 21 billion is small when working with numbers that have 38 zeros behind them instead of only 9. Again, all that was done to the data was to add the total addresses available with IPv6. This number uses 128 bits of space, which can be expressed as a real number of 3.4*10^38 total addresses (Davies, 2008. p6).

Limitations of IPv4:

The protocol for IPv4 has not been changed since Request for Comments (RFC) 791 was published in 1981 by the Information Sciences Institute, University of Southern California. The protocol has proven to be robust, easily implemented, and interoperable. It has scaled both as an intra-network and as a global utility the size of today's Internet.


However, the Internet grew very quickly in the 90's and continues to grow very quickly as we approach 2010. IPv4 addressing experienced those growth pains and encountered the following problems, which were not anticipated:

  • Exponential growth of the Internet: IPv4 is based on 32-bit addressing, which allows about 4.2 billion unique addresses, but previous and current allocation practices only allow for a few hundred million public addresses. This is because many companies who initially supported the Internet backbone were allocated Class A network addresses (identified by the first number in the address, e.g. 9.xxx.xxx.xxx). This removed large sections of addresses from being used by other entities. It has forced many organizations to use Network Address Translation (NAT) to map out more addresses for internal networking (more on how this works later). This directly defeats the true peer-to-peer connectivity and fundamental design principle of the original Internet (Davies, 2008).

  • Need for simpler configurations: IPv4 hosts are configured either manually or through a stateful address configuration protocol, the Dynamic Host Configuration Protocol (DHCP). With more and more devices connecting to the Internet, an easier way to configure them is needed. Automatic configuration of addresses and other configuration settings is needed that does not rely on the administration of a DHCP infrastructure (Davies, 2008).

  • Need for security at the Internet layer: More security is needed because of public access. Initially the Internet was limited to universities doing research and the government, so trust was pretty high. An optional security layer called Internet Protocol Security, or IPsec, was added later to IPv4. It is standard in IPv6, and enhances the overall security of each individual packet sent over the network. Many proprietary solutions also exist to provide the needed security when sending private communications over a public medium (Davies, 2008).

  • Need to prioritize and support real-time delivery of data across the Internet: Being able to prioritize the data would greatly help speed up many applications. Email does not need to move at the same speed as a video conference. Gamers may want to pay more for quicker response times. With IPv4 all data is treated the same on the Internet.

There are many differences between the two protocols. Many of the improvements will be detailed later in the paper. Figure 3 goes into detail about the many changes by breaking them down and listing them out. Chapter references in the Figure are from the book by Lane, P. T. & Hauser, R. (2002). CIW Internetworking Professional Study Guide. Alameda, CA. Sybex Inc.


Figure 3: IPv4 vs IPv6 (Lane & Hauser, 2002, p412)


NAT (Network Address Translation):

NAT (Network Address Translation) is widely used to connect many intranets to the Internet. Most home and small business networking solutions use a router that shares one IP address, assigned by the provider, among many hosts or devices on the intranet. This is required because of the limited number of public addresses. By using NAT, one IP address can be used by several hundred hosts. However, the more hosts, the slower the network performance (Davies, 2008).

Using a NAT creates two extra connection steps whenever Internet packets leave the NAT (usually built into the router that connects the intranet to the Internet). The extra steps require processing and changing the data packet's contents, hopefully as fast as the hosts are requesting them. Here is how it works:

The host PC with NAT address (192.168.0.10 port 1025) requests information from an Internet web server (157.60.13.9 port 80). Port 1025 is used by svchost.exe (Microsoft Remote Procedure Call (RPC) service); 80 is a web server listen port. The router takes that request before allowing it to leave the intranet and changes a couple of things: the source address is now the NAT public IP address (the address your Internet provider supplies you), and the source port is changed to 5000 (or some number) and mapped (in an internal table) to 192.168.0.10 port 1025.


Figure 4: NAT Diagram (Davies, 2008. p8)

When the web server sends back the packet of information, the NAT has to read the packet and decide which device requested it. The NAT checks its translation table and determines that the packet addressed to port 5000 was requested by the local system with IP address 192.168.0.10 port 1025. Consequently it modifies the packet and sends it on to the requesting host PC. Routers are getting faster than they were, but traffic on the network is increasing as well. This will lead to a reduction in the performance of the intranet devices accessing the Internet (Davies, 2008).

The use of NAT in coordination with private network addresses allows companies of varied size to maintain internal networks and still connect to the Internet. There are three ranges of IPv4 private addresses (Graham, 1997):

IP address range                 network/mask      number of addresses
10.0.0.0 - 10.255.255.255        10.0.0.0/8        16,777,216 (2^24)
172.16.0.0 - 172.31.255.255      172.16.0.0/12     1,048,576 (2^20)
192.168.0.0 - 192.168.255.255    192.168.0.0/16    65,536 (2^16)

Table 1: IPv4 Private Addresses (Graham, 1997)
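The translation described above, written out as an added Python example (not part of the original paper or of Davies's text). It uses the paper's host, server and port 5000; the class name `Nat`, its methods and the public address 203.0.113.5 (a documentation address) are assumptions made for illustration, and the table is keyed only on the private address and port.

```python
import ipaddress

# The three private ranges from Table 1; only these sources are translated.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls in one of the Table 1 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class Nat:
    """Hypothetical port-translating NAT with one public address."""

    def __init__(self, public_ip, first_port=5000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_private = {}   # (private ip, private port) -> public port
        self.by_public = {}    # public port -> (private ip, private port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite source address and port; create a mapping if needed."""
        if not is_private(src):
            raise ValueError("source is not in a private range")
        key = (src, sport)
        if key not in self.by_private:
            self.by_private[key] = self.next_port
            self.by_public[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.by_private[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Rewrite destination back to the private host, or return None
        when no mapping exists (an unsolicited packet has nowhere to go)."""
        if dst != self.public_ip or dport not in self.by_public:
            return None
        priv_ip, priv_port = self.by_public[dport]
        return (src, sport, priv_ip, priv_port)


if __name__ == "__main__":
    nat = Nat("203.0.113.5")  # constructed public address
    print(nat.outbound("192.168.0.10", 1025, "157.60.13.9", 80))
    print(nat.inbound("157.60.13.9", 80, "203.0.113.5", 5000))
    print(nat.inbound("157.60.13.9", 80, "203.0.113.5", 5001))
```

The last call returns no mapping, which is the loss of end-to-end reachability the paper attributes to NAT.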


IPv6 Benefits

As discussed, the benefits of IPv6 include public addressing for all devices and networks for the foreseeable future. Of course it is hard to imagine what new technology requirements there may be that would require more addresses. One requirement might arise if we had addresses not only for each device, but also for each application or data file on the devices, perhaps as a way to prevent piracy or for some other reason. Another use could be inventory. The military, for instance, could keep track of every bullet in every gun ever fired if they wanted to track this type of information. Mobility features, security, direct end-to-end connections, and more efficient forwarding of packets are all reasons to adopt IPv6 technology.

This section will explore those benefits in more detail.

IPv6 and Mobility

More and more devices are becoming mobile because of demands by companies and individuals who want the power of their desktop computers in their hands. Today's handheld devices have much more processing power than the first mainframe computers. Being mobile means being able to access your e-mail, phone messages, and information on the Internet while moving between wireless networks. Users do not want to experience blackout zones where they cannot stay connected, or delays while switching from one network to another. Wireless network providers are increasing their coverage, and devices need to adapt to switching seamlessly between networks.

IPv6 can be used by many applications with mobility features. These applications can be in cars, bikes, trains, and many other types of transportation that would have substantial connectivity requirements. IPv6 enables sensor-based networks that form roaming ad hoc meshed networks over topologies. The huge numbers required to create a mesh network would make IPv6 the ideal protocol for communications (Hogg & Vyncke, 2009).

IPv6 Internet Security

The Internet is running both IPv4 and IPv6 protocols at the same time because they are independent. IPv6 addresses are different, so addresses are unique and easy to filter. Systems need the IPv6 protocol on nodes to access IPv6 services. There are several risks associated with using IPv6 because each device has its own direct address and is susceptible to flooding traffic, where one computer sends requests to many computers at the same time. “Benefits of using IPv6 are great, but so are the consequences if the communication is not secured properly” (Hogg & Vyncke, 2009. p77).

An example of risk reduction in adopting IPv6 would be that network worms would find it harder to propagate, because it is difficult to guess the IP address of other systems when there are so many IPv6 addresses and the total number used is small. There is a further reduction in the chance of spreading because different types of devices may not be susceptible to the vulnerabilities that are allowing the worm to spread. It cannot be said that worm writers will not figure out how to get around this, but it will take a bit longer. For instance, they could use search engines, scan the host's routing table, or use a combination of IPv4 and IPv6 protocols to spread faster (Hogg & Vyncke, 2008).

IPv6 Extension headers:

Extension headers provide additional options for special-case packets. IPv4 has an options field, but using these options is rare because of the greatly increased processing time required for the packet. IPv6 deals with these extension headers more effectively. The options are located between the IP header and the data payload. There can be more than one extension header in a packet, but they are not required. There are several types of extension headers in IPv6 (Lane & Hauser, 2002).

Hop-by-hop extension header:

This header is used to pass optional information to all nodes along a packet's delivery path. It must be the first header in the packet as it is read by every node along the path. It should also appear only once in the packet. This header has the same structure as the Destination Options header (Hogg & Vyncke, 2009).

Destination Options Extension Header:

Passes additional parameters to the destination system. This header does not need to be processed until the destination is reached. This header has the same structure as the Hop-by-hop header (Lane & Hauser, 2002).

Routing Extension Header:

This header is used for identifying routes for the packet. It lists one or more intermediate relays through which the packet must be routed on its way to the destination node. Standards require that all nodes (routers and hosts) must be able to handle an IPv6 packet that contains a routing header. There are two types of routing headers. Type 0 is similar to the concept of IPv4 source routing headers. Type 2 is for Mobile IPv6. This header can be used to reflect traffic through a middle host before reaching its destination. Skipping hosts can improve speed, but could be used as a means to bypass firewalls that do not check for the presence of the routing extension header (Hogg & Vyncke, 2009).

Fragment Extension header:

Fragmentation is the process of breaking an IP packet into smaller packets so that it can be carried across a data network that would not normally be able to handle the large packets (like a wireless network). When a large packet is received and the outbound interface MTU is too small, the packet is broken up before transmission, and each piece is given a unique identifier (fragment ID). The receiving host reassembles the fragments by putting them all back together in order and then passing the resulting complete IP packet to the protocol stack (Hogg & Vyncke, 2009).


The fragment extension header divides packets that are larger than the MTU (Maximum Transmission Unit). IPv6 does not fragment packets the way IPv4 does: large packets are now handled by the sending systems, not the intermediate routers (Lane & Hauser, 2002).

Order matters:

The IPv6 packet does not need to contain any extension headers, or it can contain just a few. If it does contain more than one extension header, they should be placed in a specific order. The recommended order is shown in Table 2 (Lane & Hauser, 2002) (Hogg & Vyncke, 2009).

Next-Header Number    Header Name
1                     IPv6 Header
2                     Hop-by-Hop Options header
3                     Destination Options header
4                     Routing header
5                     Fragment header
6                     Authentication header
7                     Encrypted Security Payload header
8                     Destination Options header
9                     Upper-layer header, payload

Table 2: Extension Header Order (Hogg & Vyncke, 2009)

The fields within the IPv6 header each have very specific jobs. Table 3 is a list of the fields in the header and what they are used for:


Field Name             Function
Version                Always equal to 6 for IPv6
Traffic Class          Identifies the priority and class of service of this packet
Flow Label             For future use in identifying packets that are part of a unique flow, stream or connection.
Payload Length         Defines the length in octets of the packet that follows the IPv6 header
Next Header            Identifies the type of header that follows the IPv6 header
Hop Limit              Counter for the remaining number of hops that the packet can traverse.
Source Address         The IPv6 address of the node that originated this packet.
Destination Address    The IPv6 address that this packet is destined for.

Table 3: Header Field names and Functions (Hogg & Vyncke, 2009. p16)

Figure 5 shows the standard header diagram, covering the IPv6 header format that is used in the IPv6 protocol. It is based on 32-bit boundaries to make it easy for 32-bit processors to utilize the structure effectively. The protocol and header themselves do not represent any security vulnerabilities. How they are processed and created is what leads to security issues. “Packets do not hack computers, hackers hack computers” (Hogg & Vyncke, 2009. p17).


Figure 5: IPv6 Header diagram (Hogg & Vyncke, 2009. p16)

Hogg & Vyncke (2009) warn that although extensions are a good addition to the protocol, there are several security risks associated with them at this time.

IPv6 Security Concerns:

The Internet Engineering Task Force (IETF) is the organization that defines the specifications of the IPv6 protocol. Implementors must follow these rules to create an interoperable protocol. Some of the specs are not fully defined and are considered ambiguous and incomplete. This allows unforeseen security issues to arise after software is developed and deployed. Most of these vulnerabilities involve fields within the IPv6 packet header. These headers define the protocol and are the primary focus of research into security for IPv6.

There are many elements to an IPv6 packet, and to maximize security you need an extensive ACL (Access Control List). This provides filtering on a network device, which parses the header and skips past several extension headers to reach the upper-layer information and determine whether the protocol should be passed. The ACL filters for IPv6 need to handle fragmentation and determine whether a fragment is part of a multi-part package, or part of a “Multi-packet attack” (Hogg & Vyncke, 2009). The filters need to read the header, extension header, upper-layer information and payload of a packet.

One technique that can be easily implemented is to block all the message packets whose types have not yet been allocated by the IANA. The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. There are 4 types of messages with unallocated message types. They are listed in Table 4.

Risk                                  Types
Unallocated error messages            5-99, and 102-126
Unallocated informational messages    155-199, and 202-254
Experimental messages                 100, 101, 200, and 201
Extension type numbers                127, 255

Table 4: Risky Message types (Hogg & Vyncke, 2009. p20)

Of course if you add these to your filters, they will have to be updated when the types become valid (Hogg & Vyncke, 2009).
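The filtering steps described in this section, combined in one added Python example (not code from the paper or from Hogg & Vyncke): it walks the extension header chain to the upper-layer header, reports the ordering and routing-header conditions the paper mentions, and checks ICMPv6 types against Table 4 as printed here. The function names `inspect`, `icmpv6_risk` and `build`, the 2001:db8:: documentation addresses and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# IANA protocol numbers that appear in the Next Header field.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DEST_OPTS = 0, 43, 44, 50, 51, 58, 60
EXT_NAMES = {
    HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
    ESP: "ESP", AH: "Authentication", DEST_OPTS: "Destination Options",
}


def icmpv6_risk(msg_type):
    """Return the Table 4 class for an ICMPv6 type, or None if not listed.
    The ranges are the ones printed in Table 4 and need updating over time."""
    if msg_type in (100, 101, 200, 201):
        return "experimental message"
    if msg_type in (127, 255):
        return "extension type number"
    if 5 <= msg_type <= 99 or 102 <= msg_type <= 126:
        return "unallocated error message"
    if 155 <= msg_type <= 199 or 202 <= msg_type <= 254:
        return "unallocated informational message"
    return None


def inspect(packet):
    """Walk the header chain. Returns (extension header names in order,
    upper-layer protocol number or None if unreachable, list of findings)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain, findings = packet[6], 40, [], []
    while nxt in EXT_NAMES:
        if nxt == ESP:  # everything after the ESP header is encrypted
            chain.append(EXT_NAMES[nxt])
            findings.append("ESP: upper layer cannot be inspected")
            return chain, None, findings
        if off + 8 > len(packet):
            findings.append("truncated extension header")
            return chain, None, findings
        if nxt == HOP_BY_HOP and chain:  # must be first and appear once
            findings.append("Hop-by-Hop Options header is not first")
        if nxt == ROUTING and packet[off + 2] == 0:
            findings.append("Routing header type 0")
        later_fragment = False
        if nxt == FRAGMENT:
            hlen = 8  # fixed size
            later_fragment = struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3 != 0
        elif nxt == AH:
            hlen = (packet[off + 1] + 2) * 4  # length counted in 4-octet units
        else:
            hlen = (packet[off + 1] + 1) * 8  # length counted in 8-octet units
        chain.append(EXT_NAMES[nxt])
        nxt, off = packet[off], off + hlen
        if later_fragment:
            findings.append("non-first fragment: upper-layer header not in this packet")
            return chain, None, findings
    if nxt == ICMPV6 and off < len(packet):
        risk = icmpv6_risk(packet[off])
        if risk:
            findings.append(f"ICMPv6 type {packet[off]}: {risk}")
    return chain, nxt, findings


def build(chain, upper_proto, upper):
    """Construct a sample packet. chain lists (header type, the 6 octets that
    follow the Next Header and Hdr Ext Len octets), outermost header first."""
    body, nxt = upper, upper_proto
    for htype, rest in reversed(chain):
        body = bytes([nxt, 0]) + rest + body
        nxt = htype
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(body), nxt, 64) + src + dst + body


if __name__ == "__main__":
    samples = {  # constructed packets, not captures
        "echo request": build([], ICMPV6, bytes([128, 0, 0, 0, 0, 0, 0, 0])),
        "type 100 behind DestOpts": build([(DEST_OPTS, bytes(6))], ICMPV6, bytes([100, 0, 0, 0])),
        "routing type 0": build([(ROUTING, bytes(6))], 6, bytes(20)),
        "hop-by-hop second": build([(DEST_OPTS, bytes(6)), (HOP_BY_HOP, bytes(6))], 17, bytes(8)),
    }
    for name, pkt in samples.items():
        chain, upper, findings = inspect(pkt)
        print(name, chain, upper, "DROP" if findings else "PASS", findings)
```

Treating any finding as a drop is this example's policy choice; a real ACL would decide per finding.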

General Security concepts for IPv6

A general security review is always good for a network administrator. A comprehensive security plan needs to consider many aspects, not just attacks from outside the network. The list in Table 5 covers many of the points of weakness that may be encountered in a network plan:

Common Security Weaknesses

  • Insufficient or nonexistent IT security concepts and corresponding provisions
  • Nonobservance or insufficient control of IT security provisions
  • Usurping of rights (password theft)
  • Incorrect use or faulty administration of IT systems
  • Abuse of rights
  • Weaknesses in software (buffer/heap overflows in conjunction with applications running with superuser rights)
  • Manipulation, theft or destruction of IT devices, software or data (physical security)
  • Network eavesdropping (sniffing wired or wireless networks) or replaying of messages
  • Trojan horses, viruses, and worms
  • Security attacks such as masquerading, IP spoofing, Denial of Service (DoS) attacks, or man-in-the-middle attacks
  • Routing misuse

Table 5: Common Security Weaknesses (Hagen, 2006. p101)

IPsec Protects Packets

The IPsec standard uses a combination of algorithmic choices based on symmetric and asymmetric cryptography. Asymmetric cryptography is the use of public and private security keys to communicate. Symmetric cryptography requires both the sender and receiver to possess the same encryption key. Both IPv4 (added later) and IPv6 protocols use IPsec to protect the data in the packets. The framework elements for IPsec are listed in Table 6:

IPsec Framework elements:

  • A general description of security requirements and mechanisms at the network layer
  • A protocol for encryption (Encapsulating Security Payload, ESP)
  • A protocol for authentication (Authentication Header, AH)
  • A definition for the use of cryptographic algorithms for encryption and authentication
  • A definition of security policies and security associations between communication peers
  • Key management

Table 6: IPsec Framework Elements (Hagen, 2006. p103)

The configuration of IPsec creates a protective boundary between the secure and unsecured areas on the network. The boundary can be a single host or a network. The access control rules determine what happens to packets with IPsec information traversing the boundary. Generally, each packet is either protected using security services, discarded, or allowed to bypass the protection based on policies. These policies match traffic to specific criteria defined by an administrator.

The difference between IPsec for IPv4 and IPv6 is that IPsec is optional for IPv4, but is a requirement for IPv6, integrated directly into the protocol and available with any implementation. With IPv6, two headers are included as extension headers: an Authentication Header (AH) and the Encapsulating Security Payload header (ESP).

“The Authentication Header provides integrity and authentication for all end-to-end data transported in an IP Packet.” (Hagen, 2006. p109). The header can be used in both transport and tunnel modes. In transport mode, the entire payload including the fields of the IPv6 header is secured. In tunnel mode, the inner packet contains the IP address of the sender and receiver. The outer IP header contains the IP address of the tunnel endpoints. The rest of the complete packet is secured.

“The Encapsulating Security payload header (ESP) provides Integrity, Confidentiality, Data Origin Authentication, Anti-Replay Service, and limited Traffic Flow Confidentiality for all end-to-end data transported in an IP packet.” (Hagen, 2006. p111). The ESP header is located in front of the transport, network control, or routing protocol header.

To guarantee interoperability, IPsec does include encryption algorithms that all implementations must recognize. However, it also gives the user the freedom to choose a specific encryption or authentication algorithm. IPsec is simply providing a general framework that allows each pair of communicating endpoints to choose algorithms and parameters (like key sizes) (Comer, 2000). Comer (2000) also goes on to state that:

IPsec is not a single security protocol. Instead, IPsec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.

Direct end-to-end connections

When using IPv4 there is a barrier between devices connecting directly to each other. This prevents true peer-to-peer communications because of NATs in the path of the data. With IPv6, NATs are no longer necessary to save addressing space, and the problems with mapping addresses and ports disappear. This true end-to-end communication between hosts on the Internet means addresses are not changed while in transit, so gateways and application programmers do not have to deal with the problems of keeping track of the changes. Restoring this connectivity will become much more important as more and more devices, such as mobile phones, use peer-to-peer connections. Restoring global addressing and end-to-end connectivity removes barriers for applications needing direct communication. This would also remove the need for echo servers on the Internet. For businesses, it means easier development of peer-based applications to share music or media, or collaborate without having to work around NAT barriers. Home users would be able to connect directly to their PCs from anywhere in the world, rather than having to use intermediate hosts on the Internet (Davies, 2008).

Forwarding of packets

IPv6 has fewer fields to process while forwarding and thus fewer decisions to make in forwarding. Unlike IPv4, the IPv6 header is a fixed size of 40 bytes, which allows faster processing by routers, because they do not have to determine the contents of the header. Additionally, the structure of IPv6 global addresses means that there are fewer routes to analyze in the routing tables of organizations and the Internet backbone routers. This means traffic can be forwarded at higher data rates, resulting in higher performance for tomorrow's high-bandwidth applications that use multiple data types (Davies, 2008).

IPv6 Usage:

How much traffic is currently using IPv6 protocols? The graphic below (Figure 6) shows IPv6 traffic, both native and tunneled, as a percentage of all Internet traffic. At its peak, in Dec 2007, IPv6 represented less than one hundredth of 1% of all Internet traffic (Labovitz, 2008). The graph also shows that as Internet traffic increases, IPv6 traffic is not increasing at the same rate as IPv4. Consequently, the percentage decreases over time.

Figure 6: Internet Traffic (Labovitz, 2008)

A disclaimer to Figure 6 is put forward by Labovitz (2008):

….. the above graph may not be completely fair since many of the ISPs do not have infrastructure to monitor native IPv6 (more about this later). But our numbers seem to agree with data from a variety of other sources on IPv6 adoption rates.

So, why so little IPv6 traffic?

With all the benefits and the rapidly approaching end for IPv4, it is a wonder why more ISPs are not switching over to the new protocol and taking advantage of the improved technology. The biggest issue is money. The U.S. Department of Commerce estimates it will cost $25 billion for ISPs to upgrade to native IPv6. Unlike the federal incentive to upgrade to HDTV signals, there is little visual stimulus for customers to demand upgrades from their ISPs (Labovitz, 2008). The protocol is handled behind the scenes, like the kind of paint used on highways. The Internet highway is still here, so do customers care how it all works? Not now, but in the future, when more and more devices are accessible on the Internet, problems will start to occur with speed and connectivity. This will be especially true for users in North America, because other major Internet-using countries are already moving away from IPv4 because of the perceived American control over the protocol. China, Japan, and the European Union are already well on their way to implementing IPv6 backbones within their countries (Labovitz, 2008).

The report, from Arbor Networks, claims to be the most comprehensive study of IPv6 use to date. It includes few surprises for those who follow the area closely, but the results provide a sobering measure of just how slowly the technology has been adopted. "At its peak, IPv6 represented less than one hundredth of 1 percent of Internet traffic" over the past year, Arbor Networks' Craig Labovitz (2008) wrote in a summary of the findings, adding wryly: "This is somewhat equivalent to the allowed parts of contaminants in drinking water."

"We believe this is the largest study of IPv6 and Internet traffic in general to date (by several orders of magnitude)," Labovitz (2008) wrote. IPv6 is the successor to the current version of the Internet's underlying protocol, IPv4. Its adoption is important because IPv4 can support only about 4 billion IP (Internet Protocol) addresses and they are fast running out, while IPv6 will be able to support many trillions more (2 to the 128th power). It also offers advantages in security and network management.

Incentives

With cost being a major deterrent to implementing IPv6, and dwindling IPv4 address space acting as one incentive, the IANA has another incentive for ISPs to switch over. Those that do are offered a minimum number of IP addresses of 2^64, or 1.8 * 10^19 (18,446,744,073,709,551,616) addresses, just for switching over to IPv6. That may seem like a lot given the millions of ISPs and businesses, but we are working with a huge number of total addresses, so the IANA is able to do this without causing the same problems that preallocating IPv4 addresses caused (Labovitz, 2008).

For individual networks there could also be the incentive to be cutting edge and to experiment with the new technologies before they become widespread, giving an advantage to those that implement IPv6 early, before it is required.

Conclusion

IPv6 is a protocol that is several years old. It was created to replace the IPv4 protocol because the number of Internet users is ever increasing and IPv4 will without doubt run out of addresses for those users and devices very soon. IPv6 will have to be implemented and working smoothly before that time comes. It offers the new security features and almost unlimited expansion of nodes that will be required in the future. Details were covered that showed many of the features of IPv6, including the packet header makeup and security features. Some of the weaknesses were covered to illustrate the problems that may be encountered, but when addressed, they are sure to have solutions, just as the problems of IPv4 were addressed and resolved when it grew to widespread use.

There are ways for users to implement IPv6 on their systems, and many good Web sites that explain how to do this for many different platforms. There are also many Web sites already created that support the IPv6 protocol only, so IPv4 users are not able to access them at all. A simple search of the Web will provide many results. If this paper has piqued your interest in implementing IPv6, you should try some of the instructions available on the Internet and begin testing. If your Internet provider does not support IPv6 at all, or you have a router that does not handle IPv6 connections through your NAT, there are sites that allow you to create a direct network tunnel, thus allowing you to get around those kinds of obstacles (you have to sign up for those services, but most appear to be free). There are many ways to begin using IPv6 addressing now, and the more people use it, the more popular it will become.

References

Beijnum, I. (2006). Running IPv6. New York, NY: Apress.
Capella University. (2008). TS5160: Business foundations for IT professional (2nd ed.). Boston, MA: Prentice Hall Custom Publishing.
Colitti, L. & Kline, E. (2008). Looking Towards IPv6. Retrieved Feb. 25th, 2009, from Official Google Blog. Web Site: http://googleblog.blogspot.com/2008/05/looking-towards-ipv6.html
Comer, D. (2000). Internetworking with TCP/IP. Upper Saddle River, NJ: Prentice Hall.
Davies, J. (2008). Understanding IPv6. Redmond, WA: Microsoft Publishing.
Graham, B. (1997). TCP/IP Addressing, Designing and optimizing your IP addressing scheme. San Diego, CA: Academic Press.
Hagen, S. (2006). IPv6 Essentials. Sebastopol, CA: O'Reilly Media.
Hogg, S. & Vyncke, E. (2009). IPv6 Security. Indianapolis, IN: Cisco Press.
Labovitz, C. (2008). The End is near, but is IPv6? Retrieved Feb. 2nd, 2009, from Arbor Networks. Web Site: http://asert.arbornetworks.com/2008/08/the-end-is-near-but-is-ipv6/
Lane, P. T. & Hauser, R. (2002). CIW Internetworking Professional Study Guide. Alameda, CA: Sybex Inc.
Siil, K. (2008). IPv6 Mandates. Indianapolis, IN: Wiley Publishing.

Appendix A: [Stakeholder Acceptance]

Subject: Re:u01d1 Project Topic Cleveland
Author: Sharon Gagnon
Topic: u01d1 Project Topic
Date: January 10, 2009 1:07 PM

Bill,

As I have mentioned the deliverable for this course is the paper that you write. I can be your stakeholder for this course and it is not necessary to find other people to be involved. I have seen this project done several times and a good focus is to compare IPV4 to IPV6. I will be looking for the "why" factor in your paper, not the "how to do it factor". This is a good topic. Best wishes on your job search.

Sharon

Appendix B: [IPv6 Terminology] (Davies, 2008. p9-10)

Address: An identifier that can be used as the source or destination of IPv6 packets and that is assigned at the IPv6 layer to an interface or set of interfaces.

Host: A node that cannot forward IPv6 packets not explicitly addressed to itself (a non-router). A host is typically the source and a destination of IPv6 traffic, and it silently discards traffic received that is not explicitly addressed to itself.

Interface: The representation of a physical or logical attachment of a node to a link. An example of a physical interface is a network adapter. An example of a logical interface is a tunnel interface that is used to send IPv6 packets across an IPv4 network by encapsulating the IPv6 packet inside an IPv4 header.

IANA: The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.

ICANN: Internet Corporation for Assigned Names and Numbers, an international nonprofit corporation set up by the world’s communities to help coordinate Internet-related tasks. ICANN also replaced the U.S. government as the responsible party that oversees the Internet Assigned Numbers Authority (IANA).

ISP: Internet Service Provider. The local provider of Internet access. Usually a company that, for a fee, provides individual households or businesses access to the Internet. Access can be provided through coax cable, phone lines, electrical wires, or wireless.

Link MTU: The maximum transmission unit – the number of bytes in the largest IPv6 packet – that can be sent on a link. This is the same as the maximum payload size of the link-layer technology.

Link: The set of network interfaces that are bounded by routers and that use the same 64-bit IPv6 unicast address prefix. Other terms for “link” are subnet and network segment. Many link-layer technologies are already defined for IPv6, including typical LAN technologies (such as Ethernet and Institute of Electrical and Electronics Engineers [IEEE] 802.11 wireless) and wide area network (WAN) technologies (such as the Point-to-Point Protocol [PPP] and Frame Relay). Additionally, IPv6 packets can be sent over logical links representing an IPv4 or IPv6 network by encapsulating the IPv6 packet within an IPv4 or IPv6 header.

Neighbors: Nodes connected to the same link. Neighbors in IPv6 have special significance because of IPv6 Neighbor Discovery, which has facilities to resolve neighbor link-layer addresses and to detect and monitor neighbor reachability.

Network: Two or more subnets connected by routers. Another term for network is internetwork.

Node: Any device that runs an implementation of IPv6. This includes routers and hosts.

Packet: The protocol data unit (PDU) that exists at the IPv6 layer and is composed of an IPv6 header and payload.

Router: A node that can forward IPv6 packets not explicitly addressed to itself. On an IPv6 network, a router also typically advertises its presence and host configuration information.

Upper-layer protocol: A protocol above IPv6 that uses IPv6 as its transport. Examples include Internet layer protocols such as ICMPv6 and Transport layer protocols such as TCP and UDP (but not Application Layer protocols such as FTP and DNS, which use TCP and UDP as their transport).
