day 6 - ipv6, vpn
© 2009, Velocis Systems
Introducing IPv6 (RFC 2460)
WHAT IS IPV6 AND WHY WE NEED IT
• It is the next-generation protocol that will run the Internet.
• IPv6 is designed to improve upon IPv4's scalability and ease of configuration and to reintroduce the original TCP/IP benefits for global networking.
• Devices continue to develop, and every device needs to connect to the Internet.
• Microwave ovens, refrigerators, PDAs, cell phones, police cars and fire brigades are becoming more mobile and need constant monitoring and recording.
ADVANTAGES OF USING IPV6
• Address space: It has a very large address space compared to IPv4.
• No need for NAT/PAT: Using publicly registered unique addresses on all devices removes the need for NAT/PAT, which also avoids some of the application-layer and VPN-tunneling issues caused by NAT.
• Aggregation: IPv6's huge address space makes for much easier aggregation of blocks of addresses in the Internet.
• Header improvements: No header checksum, thereby reducing per-packet overhead.
Why Do We Need a Larger Address Space?
• Internet population
  – Approximately 973 million users in November 2005
  – Emerging population, geopolitics and address space
• Mobile users
  – PDAs, notepads, and so on: approximately 20 million in 2004
• Mobile phones
  – Already 1 billion mobile phones delivered by the industry
• Transportation
  – 1 billion automobiles forecast for 2008
  – Internet access in planes, for example Lufthansa
• Consumer devices
  – Sony mandated that all its products be IPv6-enabled by 2005
  – Billions of home and industrial appliances
IPv6 Advanced Features
1) Larger address space
   • Global reachability and flexibility
   • End to end without NAT
2) Simpler header
   • Routing efficiency
   • Performance
   • No checksums
   • Extension headers
   • Flow labels
3) Support for security
   • Built-in IPsec, which is not built into IPv4
4) Transition richness
   • Many methods to transition from IPv4 to IPv6: dual stack, tunneling (6to4)
Larger Address Space
IPv4
• 32 bits or 4 bytes long
  – 4,200,000,000 possible addressable nodes
IPv6
• 128 bits or 16 bytes: four times the bits of IPv4
  – 3.4 × 10^38 possible addressable nodes
  – 340,282,366,920,938,463,374,607,432,768,211,456
  – 5 × 10^28 addresses per person
IPv4 and IPv6 Header Comparison
Header Fields
• Version: A 4-bit field, the same as in IPv4. For IPv6, this field contains the number 6; for IPv4, this field contains the number 4.
• Traffic class: An 8-bit field similar to the type of service (ToS) field in IPv4. This field tags the packet with a traffic class that it uses in differentiated services (DiffServ) QoS. These functionalities are the same for IPv6 and IPv4.
• Flow label: This 20-bit field is new in IPv6. It can be used by the source of the packet to tag the packet as being part of a specific flow.
• Payload length: This 16-bit field is similar to the IPv4 total length field.
• Next header: The value of this 8-bit field determines the type of information that follows the basic IPv6 header. It can be a transport-layer packet, TCP or UDP, or it can be an extension header.
Header Fields Continued
• Hop limit: This 8-bit field specifies the maximum number of hops that an IP packet can traverse. Similar to the TTL field in IPv4.
• Source address: This field has 16 octets or 128 bits. It identifies the source of the packet.
• Destination address: This field has 16 octets or 128 bits. It identifies the destination of the packet.
• Extension headers: The extension headers, if any, and the data portion of the packet follow the other eight fields. The number of extension headers is not fixed, so the total length of the extension header chain is variable.
Note: The IPv6 header has no checksum field.
IPv6 Extension Headers
Simpler and more efficient header means:
1. IPv6 has extension headers.
2. It handles the options more efficiently.
3. It enables a faster forwarding rate and faster end-node processing.
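The eight fixed fields and the Next Header chain described above can be seen directly by building and parsing a packet. The following is an added example (Python, written for this page; it is not code from the slides or from Cisco): it packs the 40-byte fixed header with struct, parses it back, and walks the extension-header chain until it reaches the upper-layer protocol. Every step is bounds-checked because, as the slide notes, the IPv6 header carries no checksum, so a corrupted Next Header or Hdr Ext Len field is only caught by such checks. The sample packet (one Hop-by-Hop header containing a PadN option, followed by a 20-byte placeholder segment) and all function names are constructed for the example.

```python
import ipaddress
import struct

IPV6_FIXED_LEN = 40
# IANA protocol numbers used in this example
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, NO_NEXT, DST_OPTS = 0, 6, 17, 43, 44, 59, 60
VARIABLE_EXT = {HOPOPT, ROUTING, DST_OPTS}   # length = (Hdr Ext Len + 1) * 8 octets
FIXED_EXT = {FRAGMENT: 8}                     # the Fragment header is always 8 octets


def build_ipv6_packet(src, dst, next_header, payload,
                      traffic_class=0, flow_label=0, hop_limit=64):
    """Pack the 40-byte fixed header (Version = 6, no checksum) in front of payload."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    header = struct.pack("!IHBB16s16s", first_word, len(payload), next_header,
                         hop_limit, ipaddress.IPv6Address(src).packed,
                         ipaddress.IPv6Address(dst).packed)
    return header + payload


def parse_ipv6_header(packet):
    """Return the eight fixed fields as a dict; raises on truncation or a bad version."""
    if len(packet) < IPV6_FIXED_LEN:
        raise ValueError("truncated: the fixed IPv6 header is 40 octets")
    first_word, plen, nh, hop, src, dst = struct.unpack("!IHBB16s16s",
                                                        packet[:IPV6_FIXED_LEN])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"version field is {version}, expected 6")
    if len(packet) - IPV6_FIXED_LEN < plen:
        raise ValueError("payload length exceeds the captured bytes")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": plen,
        "next_header": nh,
        "hop_limit": hop,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }


def walk_extension_headers(packet):
    """Follow the Next Header chain past the extension headers.

    Returns (chain, upper_layer_protocol, upper_layer_offset), where chain is a
    list of (header_type, offset) tuples.  Each hop is bounds-checked against the
    declared payload length, since nothing in the header itself detects corruption.
    """
    hdr = parse_ipv6_header(packet)
    end = IPV6_FIXED_LEN + hdr["payload_length"]
    nh, offset, chain = hdr["next_header"], IPV6_FIXED_LEN, []
    while nh in VARIABLE_EXT or nh in FIXED_EXT:
        if offset + 2 > end:
            raise ValueError(f"extension header {nh} at offset {offset} is truncated")
        chain.append((nh, offset))
        length = FIXED_EXT.get(nh) or (packet[offset + 1] + 1) * 8
        if offset + length > end:
            raise ValueError(f"extension header {nh} claims {length} octets past the end")
        nh, offset = packet[offset], offset + length
    return chain, nh, offset


# Constructed sample: a Hop-by-Hop header (8 octets: Next Header = TCP, Hdr Ext Len = 0,
# PadN option type 1 with length 4 and four zero bytes) followed by a 20-byte
# placeholder standing in for a TCP segment.
HOP_BY_HOP = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])
FAKE_TCP = bytes(20)
SAMPLE = build_ipv6_packet("2031:0:130f::9c0:876a:130b", "ff01::1", HOPOPT,
                           HOP_BY_HOP + FAKE_TCP, flow_label=0xABCDE)

if __name__ == "__main__":
    print(parse_ipv6_header(SAMPLE))
    print(walk_extension_headers(SAMPLE))
```

Corrupting the Hdr Ext Len byte of the sample (offset 41) makes walk_extension_headers raise instead of reading past the packet; a parser without that check is the kind of code a malformed extension-header chain is aimed at.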
IPv6 Address Representation
Format:
• x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field
  – Case-insensitive for hexadecimal A, B, C, D, E, and F
• Leading zeros in a field are optional:
  – 2031:0:130F:0:0:9C0:876A:130B
• Successive fields of 0 can be represented as ::, but only once per address.
Examples:
  – 2031:0000:130F:0000:0000:09C0:876A:130B
  – 2031:0:130f::9c0:876a:130b
  – 2031::130f::9c0:876a:130b (incorrect: :: appears twice)
  – FF01:0:0:0:0:0:0:1 = FF01::1
  – 0:0:0:0:0:0:0:1 = ::1
  – 0:0:0:0:0:0:0:0 = ::
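The three representation rules above (case-insensitive hex, optional leading zeros, a single ::) are easy to get wrong in hand-written parsers, and an address that is written two different ways must still compare equal in an ACL or log search. The following added example (Python, not code from the slides) implements the rules by hand: expand_ipv6 rejects the malformed forms, compress_ipv6 produces the shortest form (longest run of zero fields becomes ::, the first one on a tie, and a single zero field is left alone), and matches_stdlib cross-checks the result against the standard library's formatter. All function names are this example's own.

```python
import ipaddress
import re

HEXTET = re.compile(r"^[0-9A-Fa-f]{1,4}$")   # case-insensitive; leading zeros optional


def expand_ipv6(text):
    """Return the eight 4-digit lowercase hextets of a textual IPv6 address.

    Raises ValueError for the forms the rules forbid: more than one '::',
    a '::' that stands for no field, or a field count other than eight.
    """
    if text.count("::") > 1:
        raise ValueError(f"{text!r}: '::' may appear only once per address")
    if "::" in text:
        left, right = text.split("::")
        left_parts = left.split(":") if left else []
        right_parts = right.split(":") if right else []
        missing = 8 - len(left_parts) - len(right_parts)
        if missing < 1:
            raise ValueError(f"{text!r}: '::' must stand for at least one zero field")
        parts = left_parts + ["0"] * missing + right_parts
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError(f"{text!r}: expected 8 fields, got {len(parts)}")
    for p in parts:
        if not HEXTET.match(p):
            raise ValueError(f"{text!r}: bad field {p!r}")
    return [p.lower().zfill(4) for p in parts]


def compress_ipv6(text):
    """Shortest textual form: strip leading zeros, replace the longest run of two or
    more zero fields with '::' (the first such run wins a tie)."""
    fields = [h.lstrip("0") or "0" for h in expand_ipv6(text)]
    best_start, best_len, run_start = -1, 0, None
    for i, f in enumerate(fields + ["end"]):          # "end" sentinel closes a final run
        if f == "0":
            run_start = i if run_start is None else run_start
            continue
        if run_start is not None and i - run_start > best_len:
            best_start, best_len = run_start, i - run_start
        run_start = None
    if best_len < 2:
        return ":".join(fields)
    head = ":".join(fields[:best_start])
    tail = ":".join(fields[best_start + best_len:])
    return f"{head}::{tail}"


def same_address(a, b):
    """True when two differently written strings denote the same 128-bit address."""
    return expand_ipv6(a) == expand_ipv6(b)


def matches_stdlib(text):
    """Cross-check against ipaddress, which implements the same compression rules."""
    return compress_ipv6(text) == ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    for addr in ("2031:0000:130F:0000:0000:09C0:876A:130B", "FF01:0:0:0:0:0:0:1",
                 "0:0:0:0:0:0:0:1", "0:0:0:0:0:0:0:0"):
        print(f"{addr:42} -> {compress_ipv6(addr)}")
    try:
        expand_ipv6("2031::130f::9c0:876a:130b")
    except ValueError as err:
        print("rejected:", err)
```

Comparing addresses only after expansion (same_address) is the habit worth taking away: a string match on "2031:0:130F::9C0:876A:130B" will miss the lowercase, zero-padded or differently compressed spellings of the same host.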
IPv4-to-IPv6 Transition
Transition richness means:
– No fixed day to convert; no need to convert all at once.
– Different transition mechanisms are available:
  • Smooth integration of IPv4 and IPv6.
  • Use of dual stack.
– Different compatibility mechanisms:
  • IPv4 and IPv6 nodes can communicate.
Cisco IOS Software Is IPv6-Ready: Cisco IOS Dual Stack
• If both IPv4 and IPv6 are configured on an interface, this interface is dual-stacked.
• Dual stack is an integration method where a node has an implementation of, and connectivity to, both an IPv4 and an IPv6 network.
Dual Stack
Cisco IOS Software Is IPv6-Ready: Overlay Tunnels
• Tunneling encapsulates the IPv6 packet in an IPv4 packet.
Tunneling
Tunneling is an integration method where an IPv6 packet is encapsulated within another protocol, such as IPv4. This method of encapsulation is IPv4 protocol 41:
• This method includes a 20-byte IPv4 header with no options, followed by the IPv6 header and payload.
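The protocol-41 encapsulation just described is small enough to write out in full. The following added example (Python, written for this page and not code from the slides or from Cisco IOS) wraps a constructed IPv6 packet in a 20-byte option-less IPv4 header with Protocol = 41, computes the IPv4 header checksum that IPv6 itself does not have, and decapsulates on the other side. The decapsulator does the checks a tunnel endpoint should do: it verifies the checksum, insists on protocol 41 and a 20-byte header, confirms the inner packet really is IPv6, and, when given the configured peer, drops tunnel packets from any other outer source, since an endpoint that decapsulates protocol 41 from anywhere lets arbitrary IPv6 traffic into the network behind it. The addresses are from the documentation ranges and the function names are this example's own.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IANA: IPv6 encapsulated in IPv4 (overlay tunnel, "6in4")
IPV4_HDR_LEN = 20   # minimal IPv4 header, no options


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over an IPv4 header (IPv6 has no such field)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_6in4(ipv6_packet, outer_src, outer_dst, ttl=64, ident=0):
    """Prepend a 20-byte IPv4 header with Protocol = 41 to an IPv6 packet."""
    if len(ipv6_packet) < 40 or ipv6_packet[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    total_len = IPV4_HDR_LEN + len(ipv6_packet)
    src = ipaddress.IPv4Address(outer_src).packed
    dst = ipaddress.IPv4Address(outer_dst).packed
    # Version 4 / IHL 5 (0x45), DSCP 0, total length, ident, DF flag set, TTL,
    # protocol 41, checksum placeholder 0, outer addresses
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000,
                      ttl, IPPROTO_IPV6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate_6in4(ipv4_packet, expected_peer=None):
    """Validate the outer IPv4 header and return the inner IPv6 packet.

    Raises ValueError on truncation, options, a bad checksum, a protocol other
    than 41, a non-IPv6 payload, or (if expected_peer is set) an outer source
    address that is not the configured tunnel peer.
    """
    if len(ipv4_packet) < IPV4_HDR_LEN:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _, total_len, _, _, _, proto, _csum,
     src, _dst) = struct.unpack("!BBHHHBBH4s4s", ipv4_packet[:IPV4_HDR_LEN])
    if ver_ihl != 0x45:
        raise ValueError("expected IPv4 with a 20-byte header and no options")
    if ipv4_checksum(ipv4_packet[:IPV4_HDR_LEN]) != 0:   # a valid header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    if proto != IPPROTO_IPV6:
        raise ValueError(f"outer protocol {proto} is not 41")
    peer = str(ipaddress.IPv4Address(src))
    if expected_peer is not None and peer != expected_peer:
        raise ValueError(f"tunnel packet from unexpected peer {peer}")
    inner = ipv4_packet[IPV4_HDR_LEN:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


# Constructed inner IPv6 packet: Version 6, 8-byte payload, Next Header 59
# (No Next Header), hop limit 64, documentation-prefix addresses.
INNER = struct.pack("!IHBB16s16s", 6 << 28, 8, 59, 64,
                    ipaddress.IPv6Address("2001:db8::1").packed,
                    ipaddress.IPv6Address("2001:db8::2").packed) + bytes(8)

if __name__ == "__main__":
    tunneled = encapsulate_6in4(INNER, "192.0.2.1", "198.51.100.1")
    print(f"outer protocol byte: {tunneled[9]}, total length: {len(tunneled)}")
    print("round trip ok:", decapsulate_6in4(tunneled, expected_peer="192.0.2.1") == INNER)
```

On real equipment the same peer check is what a tunnel interface's configured destination gives you; a packet filter on the outer interface that allows protocol 41 only from that peer is the matching control.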
VPN TECHNOLOGY
Types of VPN
1) Remote Access VPN
2) Site-to-Site VPN
3) Extranet VPN
Authentication and Authorization
• Authentication – the process of determining the identity of a user, a network host or an application process
• Authorization – the act of granting an authenticated user, network host or process the access rights defined for it on a particular host or authentication system
Encryption
• A security technique designed to prevent access to information by converting it into a scrambled (unreadable) form of text
• Three encryption models:
  • Symmetric-key
  • Asymmetric-key
  • Hash
Symmetric-Key (Single-Key) Encryption
• One key is used to encrypt and decrypt messages
• All parties must know and trust one another completely, and have confidential copies of the key
• Three most common symmetric algorithms:
  • Data Encryption Standard (DES)
  • Triple DES
  • Advanced Encryption Standard (AES)
Asymmetric-Key (Public-Key) Encryption
• Uses a key pair in the encryption process
• Key pair – a mathematically matched key set in which one key encrypts and the other key decrypts
• One of these keys is made public, whereas the other is kept private
• Two most common asymmetric-key algorithms:
  • Rivest, Shamir, Adleman (RSA)
  • Digital Signature Algorithm (DSA)
Hash (One-Way) Encryption
• Uses an algorithm to convert information into a fixed-length, scrambled bit string
• Data that has been run through a hash algorithm cannot be recovered from the result; hashing is one-way, so there is nothing to decrypt
• Two most common hash algorithm families:
  1) Message Digest (MD)
     – MD2
     – MD4
     – MD5
  2) Secure Hash Algorithm (SHA)
Services Provided by Encryption
Service | Explanation | Method
Data confidentiality | Ensures that only the intended recipients of information can view it | Symmetric-key, asymmetric-key
Data integrity | Applies digital signatures to ensure that data is not illicitly decrypted | Hash
Authentication | Proves identity | Asymmetric-key, in conjunction with hash
Non-repudiation | Proves that a transaction has, in fact, occurred | Asymmetric-key, hash
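The hash properties from the previous slide and the "integrity via hash" row of the table can be exercised with the standard library. The following added example (Python, written for this page and not code from the slides) shows the fixed output length regardless of input size, that a modified message fails a digest comparison, and the caveat behind the table's pairing of hash with a key: a bare digest travelling with the data can be recomputed by whoever altered the data, so integrity against an active attacker needs a hash combined with a key (HMAC with a shared key here; a signature with a private key is the asymmetric version in the authentication row). The message, key and function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample message, a tampered copy, and a shared key.
MESSAGE = b"Transfer 100 to account 12345"
ALTERED = b"Transfer 900 to account 12345"
KEY = b"shared-secret-known-only-to-the-two-vpn-peers"


def digest(data, algorithm="sha256"):
    """Fixed-length one-way digest of arbitrary-length data; there is no inverse."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithms=("sha1", "sha256", "sha512")):
    """Output size in bits per algorithm: the digest length never depends on the input."""
    return {a: hashlib.new(a).digest_size * 8 for a in algorithms}


def integrity_ok(data, expected_digest, algorithm="sha256"):
    """Plain-hash integrity check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(digest(data, algorithm), expected_digest)


def keyed_tag(key, data):
    """HMAC-SHA256: the hash combined with a shared key, so only a key holder can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_integrity_ok(key, data, tag):
    """Keyed integrity check: fails for a modified message or a wrong key."""
    return hmac.compare_digest(keyed_tag(key, data), tag)


if __name__ == "__main__":
    print("digest sizes:", digest_bits())
    d = digest(MESSAGE)
    print("original passes plain check:", integrity_ok(MESSAGE, d))
    print("altered passes plain check: ", integrity_ok(ALTERED, d))
    # The weakness of a bare digest: the attacker who changed the message can
    # also replace the digest, and the plain check passes again.
    print("altered with recomputed digest:", integrity_ok(ALTERED, digest(ALTERED)))
    tag = keyed_tag(KEY, MESSAGE)
    print("altered passes keyed check:", keyed_integrity_ok(KEY, ALTERED, tag))
```

hmac.compare_digest is used for every comparison so that a mismatch takes the same time wherever the first differing byte is; ordinary == on digests leaks that position through timing.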
Digital Certificates and Digital Signatures
• Digital certificates are small files that provide authoritative identification
• A certificate authority (CA) verifies the legitimacy of a digital certificate
• Digital certificates contain digital signatures, which are unique identifiers that authenticate messages
• Digital signatures provide the following services:
  1) Authentication
  2) Non-repudiation
  3) Data integrity
Note: Digital signatures do not provide data confidentiality
Virtual Private Networks (VPNs)
• A VPN is an encrypted tunnel that provides secure, dedicated access between two hosts across an unsecured network
• Three types of VPNs:
  1) Workstation-to-server
  2) Firewall-to-firewall
  3) Workstation-to-workstation
IP Security (IPsec)
• An IETF standard that provides packet-level encryption, authentication and integrity between firewalls or between hosts in a LAN
• Contains two elements:
  1) Authentication Header (AH) – signs the packets to ensure authentication and data integrity
  2) Encapsulating Security Payload (ESP) – encrypts the data payload
• Two connection modes:
  1) Tunnel mode – the header and the data packet are encrypted
  2) Transport mode – only the data is encrypted
VPN Benefits
• Expand connectivity – VPNs allow you to use the Internet to log on to an internal network
• Save money – Companies can implement VPNs between their remote offices and eliminate the use of expensive private leased lines
• Improve security – VPN transmissions are usually encrypted
• Support telecommuting – Users can securely log on to the corporate network from home
Security Associations
Security Associations (SAs) establish trust between two devices in a peer-to-peer relationship and enable VPN endpoints to agree on a set of transmission rules by negotiating policies with a potential peer.
Types of SAs
Internet Key Exchange (IKE)
• Provides negotiation, peer authentication, key management and key exchange. The IKE SA is bidirectional.
IPsec Security Association (IPsec SA)
• An IPsec SA is unidirectional and thus requires that separate IPsec SAs be established in each direction.
Internet Key Exchange
In Phase I, the sender and receiver negotiate the following:
Parameter | Site-I | Site-II
Encryption Algorithm | 3DES | 3DES
Hash Algorithm | SHA | SHA
Authentication Method | Pre-share | Pre-share
Key Exchange | 1024 D-H | 1024 D-H
IKE SA Lifetime | 86,400 Secs | 86,400 Secs
Internet Key Exchange
Phase II
• Select IPsec algorithms and parameters for optimal security and performance.
• Identify IPsec peer details.
• Determine the IP addresses and applications of the hosts to be protected at the local peer and the remote peer.
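What "negotiate" means in Phase I, and why the SA slide insists that IPsec SAs are unidirectional, can both be shown in a few lines. The following added example (Python, written for this page; it is not code from the slides, and it models the negotiation rather than implementing IKE) walks each side's policy list in priority order and accepts the first pair whose encryption, hash, authentication method and DH group all match, as in the table above (group 2 is the 1024-bit Diffie-Hellman group). Taking the shorter of the two lifetimes is this example's assumption, not something the slide states. A mismatch reports which parameters differ, which is what you want when a tunnel will not come up. After a successful Phase I it creates the two unidirectional IPsec SAs, each with its own SPI. The Site-II policy list, the addresses and all names are constructed for the example.

```python
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class IkePolicy:
    encryption: str      # e.g. "3des", "aes-256"
    hash_alg: str        # "sha" or "md5"
    authentication: str  # "pre-share" or "rsa-sig"
    dh_group: int        # Diffie-Hellman group; group 2 is the 1024-bit MODP group
    lifetime: int        # IKE SA lifetime in seconds


# Site-I as in the table above; Site-II's first entry is a constructed
# non-matching proposal placed ahead of the matching one.
SITE_I = [IkePolicy("3des", "sha", "pre-share", 2, 86400)]
SITE_II = [
    IkePolicy("aes-256", "sha", "pre-share", 14, 28800),   # constructed: no match at Site-I
    IkePolicy("3des", "sha", "pre-share", 2, 86400),       # matches the table
]

MATCHED_FIELDS = ("encryption", "hash_alg", "authentication", "dh_group")


def mismatches(local, remote):
    """Names of the negotiated parameters (lifetime excluded) on which two policies differ."""
    return [f for f in MATCHED_FIELDS if getattr(local, f) != getattr(remote, f)]


def negotiate_phase1(local_policies, remote_policies):
    """Return the first local policy, in priority order, that some remote policy matches.

    Encryption, hash, authentication method and DH group must all be equal.  The
    lifetime of the agreed SA is the shorter of the two (this example's assumption).
    Returns None when no pair matches, i.e. Phase I fails.
    """
    for local in local_policies:
        for remote in remote_policies:
            if not mismatches(local, remote):
                return IkePolicy(local.encryption, local.hash_alg, local.authentication,
                                 local.dh_group, min(local.lifetime, remote.lifetime))
    return None


@dataclass(frozen=True)
class IpsecSA:
    spi: int        # Security Parameter Index; values 0-255 are reserved, so start at 256
    src: str
    dst: str
    protocol: str   # "esp" or "ah"
    transform: str


def _new_spi(avoid=()):
    """Random 32-bit SPI outside the reserved range and not already in use."""
    while True:
        spi = 256 + secrets.randbelow(2**32 - 256)
        if spi not in avoid:
            return spi


def establish_ipsec_sas(local_ip, remote_ip, protocol="esp",
                        transform="esp-3des esp-sha-hmac"):
    """IPsec SAs are unidirectional: Phase II yields one inbound and one outbound SA,
    each identified by its own SPI, although both protect the same traffic."""
    inbound_spi = _new_spi()
    outbound_spi = _new_spi(avoid={inbound_spi})
    inbound = IpsecSA(inbound_spi, remote_ip, local_ip, protocol, transform)
    outbound = IpsecSA(outbound_spi, local_ip, remote_ip, protocol, transform)
    return inbound, outbound


if __name__ == "__main__":
    chosen = negotiate_phase1(SITE_I, SITE_II)
    print("Phase I result:", chosen)
    print("why Site-II's first proposal failed:", mismatches(SITE_I[0], SITE_II[0]))
    if chosen is not None:
        for sa in establish_ipsec_sas("192.0.2.1", "198.51.100.1"):
            print("Phase II SA:", sa)
```

When Phase I fails on real gear the log line rarely says more than "no proposal chosen"; comparing the two policy sets attribute by attribute, as mismatches does, is the troubleshooting step the log omits.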