Network Layer Protocol & Internet Protocol (IP)
Suguru Yamaguchi Nara Institute of Science and Technology
Department of Information Science
Reading Assignment
Information Network 1 / 2012 2
Network Layer Features
– Basic model
– Node identification
– Node aggregation
– End-to-end packet delivery
– Broadcast / Multicast
– Failure isolation and failure recovery
– Connecting heterogeneous datalinks
OSI 7 Layer Reference Model
Layers (top to bottom), with the example protocol shown for each in the figure:
– Application: NFS
– Presentation: XDR
– Session: Sun RPC
– Transport: TCP
– Network: IP
– Data Link: IEEE802.3
– Physical: Ethernet Coax
Figure: two ES (End Systems) running the upper layer protocols communicate through an IS (Intermediate System); each ES has a physical connection to the IS.
Connecting Heterogeneous Data Link
Figure: two networks joined by a gateway.
The gateway forwards IP packets as an intermediate system according to the routing structure. It connects directly with the datalink in the same network.
TCP/IP as a Layered Protocol Architecture
Figure: two end hosts, each with the stack Physical / Network Interface / IP / TCP / Application, connected through an intermediate node that implements only Physical / Network Interface / IP.
IP realizes the end-to-end communication.
TCP/IP as a Layered Protocol Architecture
(1) The service relationship is defined by the service provider.
(2) The layer above IP defines the service; thereby, it does not matter what comes below, at the data link layer and beneath.
Node Identification
– Globally unique address space
– Address space and delegation of authority
– Network identification and host identification
– Address class
Address class: the address space delegates authority to the layers (identifying the network, then identifying the host).
Ex. IPv4 address: 163.221.74.127/24
– Octets: 163 221 74 127 (in hex: 0xA3 0xDD 0x4A 0x7F)
– Prefix length /24: the network area is 24 bits; the remaining bits identify the host
Node Aggregation: 163.221/16 aggregates 163.221.52/24, 163.221.127.0/21, ...
– Prefix length = binary tree level
– Simple expression → fast and memory-saving lookup, especially in relay nodes
Address Aggregation: aggregating contiguous network blocks
Figure: four class C networks (prefix length 24) whose network numbers differ only in their last two bits (00, 01, 10, 11) are aggregated into a single block with prefix length 22 ("4C": four class C networks).
Address Aggregation (example)
Bit columns: octet 0 (bits 1-8), octet 1 (bits 9-16), octet 2 (bits 17-24), octet 3 (bits 25-32); '-' marks host bits.
Before aggregation:
[1] 192.32. 0.0/20 : 11000000.00100000.0000----.--------
[2] 192.24.34.0/23 : 11000000.00011000.0010001-.--------
[3] 192.24.32.0/23 : 11000000.00011000.0010000-.--------
[4] 192.24.16.0/20 : 11000000.00011000.0001----.--------
[5] 192.24. 0.0/21 : 11000000.00011000.00000---.--------
[6] 192.24. 8.0/22 : 11000000.00011000.000010--.--------
[7] 192.24.12.0/22 : 11000000.00011000.000011--.--------
After aggregation:
[1] 192.32. 0.0/20 : 11000000.00100000.0000----.--------
[8] 192.24.32.0/22 : 11000000.00011000.001000--.--------
[4] 192.24.16.0/20 : 11000000.00011000.0001----.--------
[5] 192.24. 0.0/21 : 11000000.00011000.00000---.--------
[9] 192.24. 8.0/21 : 11000000.00011000.00001---.--------
Aggregate: [2] + [3] = [8] (.34/23 + .32/23 → .32/22); [6] + [7] = [9] (.8/22 + .12/22 → .8/21)
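The aggregation step above is a merge of sibling nodes in the binary prefix tree. The following Python is an added example, not part of the lecture slides: it renders prefixes in the slide's bit-pattern notation, merges a sibling pair, and repeats the merge over the slide's seven-entry table. With rounds=1 it reproduces the slide's single step; with no round limit it goes further than the slide and collapses everything that can be summarised (the same result `ipaddress.collapse_addresses` would give). The SLIDE_TABLE list is the slide's figure transcribed; the function names are this example's own.

```python
import ipaddress

# The seven prefixes from the slide's "before aggregation" figure (constructed list).
SLIDE_TABLE = [
    "192.32.0.0/20",   # [1]
    "192.24.34.0/23",  # [2]
    "192.24.32.0/23",  # [3]
    "192.24.16.0/20",  # [4]
    "192.24.0.0/21",   # [5]
    "192.24.8.0/22",   # [6]
    "192.24.12.0/22",  # [7]
]


def bit_pattern(prefix: str) -> str:
    """Render a prefix as the slide does: network bits shown, host bits as '-',
    dotted every 8 bits. strict=True rejects a prefix with host bits set."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    bits = format(int(net.network_address), "032b")
    shown = bits[:net.prefixlen] + "-" * (32 - net.prefixlen)
    return ".".join(shown[i:i + 8] for i in range(0, 32, 8))


def aggregate_pair(a: str, b: str):
    """Supernet of two sibling prefixes (same length, same parent in the tree),
    e.g. .32/23 + .34/23 -> .32/22. Returns None when they are not siblings:
    contiguous blocks that straddle an alignment boundary have no single prefix."""
    na, nb = ipaddress.IPv4Network(a), ipaddress.IPv4Network(b)
    if na == nb or na.prefixlen != nb.prefixlen or na.prefixlen == 0:
        return None
    parent = na.supernet(prefixlen_diff=1)
    if nb.supernet(prefixlen_diff=1) != parent:
        return None
    return str(parent)


def aggregate_table(prefixes, rounds=None):
    """Merge sibling pairs, one tree level per round. rounds=1 is the slide's
    single step; rounds=None keeps going until nothing more merges."""
    nets = sorted({ipaddress.IPv4Network(p) for p in prefixes})
    done = 0
    while rounds is None or done < rounds:
        merged_any = False
        out, i = [], 0
        while i < len(nets):
            sibling = aggregate_pair(str(nets[i]), str(nets[i + 1])) if i + 1 < len(nets) else None
            if sibling:
                out.append(ipaddress.IPv4Network(sibling))
                i += 2
                merged_any = True
            else:
                out.append(nets[i])
                i += 1
        nets = sorted(set(out))
        done += 1
        if not merged_any:
            break
    return [str(n) for n in nets]


if __name__ == "__main__":
    for p in SLIDE_TABLE:
        print(f"{p:>16} : {bit_pattern(p)}")
    print("one round:", aggregate_table(SLIDE_TABLE, rounds=1))
    print("fully    :", aggregate_table(SLIDE_TABLE))
```

Sorting the table first is what makes a single linear pass find every sibling pair: siblings are adjacent in address order, and a non-sibling neighbour (different length, or different parent) is simply carried over.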
End-to-End Packet Delivery
Network Layer "Cloud": hosts are present at the cloud edge, each identified uniquely by an IPv4 address (figure: 163.221.5.5, 163.221.4.4, 163.221.3.3).
Graph Representation of Networks (figure)
Hierarchy Perspective: who carries the ladder?
– From data link layer to network layer: native to the data link layer. Ex: LLC/SNAP, NLPID
– From network layer to datalink layer: native to the network layer. Ex: ARP (IPv4), ND (IPv6)
Network to Data Link (1) – ARP
Address Resolution Protocol (ARP) – RFC 826
Figure: hosts A, B, C (network layer) with data-link addresses a, b, c on one data link.
A → B: "M"
– a → all stations: "where is B"
– b → a: "B is at b"
– a → b: "A → B: "M""
Network to Data Link (2) – ARP: the case of routed networks
Figure: A, B (a, b) on one data link and C, D (c, d) on another, joined by router R (data-link address r on each side).
A → C: "M"
– a → all stations: "where is R"
– r → a: "R is at r"
– a → r: "A → C: "M""
– r → all stations: "where is C"
– c → r: "C is at c"
– r → c: "A → C: "M""
Network to Data Link (3) – ARP: the case of bridged networks
Figure: A, B (a, b) and C, D (c, d) on two data links joined by bridge T (t); the bridge is transparent at the network layer, so A resolves C directly.
A → C: "M"
– a → all stations: "where is C"
– c → a: "C is at c"
– a → c: "A → C: "M""
Data Link to Network
Several network layer protocols (IPv4, IPv6, ...) are multiplexed onto a single data link layer (Ethernet): multiplexing and de-multiplexing. Figure: which network-layer protocol does a received Ethernet frame belong to?
Ethernet: IEEE802.3, 802.2 LLC, ...
Frame formats (field widths in bytes):
– Ethernet2: Dst addr (6) | Src addr (6) | Type (2) | DATA (variable) | FCS
– IEEE802.3 (Length < 0x05DC): Dst addr (6) | Src addr (6) | Length (2) | DATA (variable) | FCS
– IEEE802.3 Raw: Dst addr (6) | Src addr (6) | Length (2) | DATA (variable, starts with 0xFFFF) | FCS
– IEEE802.2 LLC: Dst addr (6) | Src addr (6) | Length (2) | DSAP (1) | SSAP (1) | CTL (1) | DATA (variable) | FCS
– SNAP: Dst addr (6) | Src addr (6) | Length (2) | DSAP (1) | SSAP (1) | CTL (1) | Protocol ID (3) | Type (2) | DATA (variable) | FCS
Data Link to Network: de-multiplexing with LLC
LLC header: Destination SAP Address (1 byte) | Source SAP Address (1 byte) | Control (1 or 2 bytes) | Information
– Destination SAP Address: 7-bit address + I/G bit (I/G = individual or group address)
– Source SAP Address: 7-bit address + C/R bit (C/R = command or response frame)
SAP address examples:
– 06: IP packet
– E0: Novell IPX
– FE: OSI packet
– AA: SubNetwork Access Protocol (SNAP)
De-multiplexing with LLC/SNAP
MAC Header | LLC PDU: DSAP = AA (1) | SSAP = AA (1) | CTL = 03 (1) | SNAP header: ORG (3) | Type (2) | Information (SNAP PDU) | FCS
Implementing the Communication Model
Unicast
– Peer to peer communication
• Source and destination address allocation
• The examples on pp. 16, 17, 18 (ARP) are unicast
Broadcast
Multicast
Broadcast
Sending to all hosts running on the same transmission medium (data link).
– Broadcast communication availability depends on the datalink.
– Many data links do not support broadcast communication.
Does not guarantee a perfect broadcast.
– Passive hosts will not receive the broadcast.
– Processing of received data depends on the processes run by the receiving hosts.
IP broadcast vs. link-layer broadcast
Bootstrapping with Broadcast
Broadcast communication in a multi-access network:
– It is absolutely necessary to resolve addresses from the network layer to the data link layer.
– Automatic configuration is absolutely necessary.
Bootstrap A (figure: hosts A, B, C with data-link addresses a, b, c and router R at r):
– a → all stations: "who is router"
– r → a: "router R is at r"
Selective Broadcasting: Multicast
– Multi-point to multi-point communication
– Selective broadcasting
– Membership
• If a host is not a member, it won't be able to listen to communications within the group.
– Membership management
– Group management
IP multicast vs. link-layer multicast
What if...?
→ Failure isolation and failure recovery
Figure: two full OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) joined by a physical connection.
Failure Isolation: ICMP (1) – RFC 792
A failure occurs below the data link layer → dropping a packet.
In the case a packet did not reach its destination:
– Destination Unreachable
– Returned to the source address.
Figure: a failure on the path; an ICMP Destination Unreachable message goes back to the source.
Failure Isolation: ICMP (2)
End-to-end reachability verification and judgement of the faulty section:
– Echo Request, Echo Reply
Figure: two full OSI stacks exchanging Echo Request / Echo Reply end to end.
Connecting Heterogeneous Data Links (1)
Because of heterogeneity...
– Address architecture is different → resolved with ARP.
– Multiplexing method is different → resolved with LLC/SNAP.
– Transmission speed is different → resolved with buffers.
– Maximum Transmission Unit (MTU) size is different → fragmentation.
Connecting Heterogeneous Data Links (2): fragmentation and reassembly
Fragmentation: fragmenting a packet and keeping the fragments within the maximum frame length.
Reassembly: reconstructing the fragmented packet at the destination node.
Figure: a packet crossing between links with MTU = 1520 and MTU = 9128.
Fragmentation and Reassembly: IPv4 header
– Flags = {0, MF, DF}
– Fragment offset: 13 bits
IPv4 header layout (bit positions 0, 4, 8, 16, 31):
Ver. | IHL | Type of Service | Total Length (in octets)
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Option (if any)
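To make the offset arithmetic concrete, here is an added Python example (not from the slides) that fragments a payload for a given link MTU and reassembles the fragments at the receiver. It keeps the slide's rules: fragment data is a multiple of 8 octets except in the last fragment, because the 13-bit Fragment Offset field counts 8-octet units; MF is set on every fragment but the last; DF forbids fragmentation. The receiver side also refuses gaps, overlaps and a missing final fragment instead of silently stitching them, which is the failure mode a robust reassembler has to handle. The Fragment class and the 20-byte header constant are this example's assumptions.

```python
from dataclasses import dataclass

IHL_BYTES = 20            # IPv4 header without options (assumed for this example)
MAX_OFFSET_UNITS = 2**13  # Fragment Offset is a 13-bit field of 8-octet units


@dataclass
class Fragment:
    identification: int   # identical for all fragments of one datagram
    offset: int           # Fragment Offset field value (8-octet units)
    mf: bool              # More Fragments flag
    data: bytes


def fragment(payload: bytes, mtu: int, identification: int, df: bool = False):
    """Split a payload into fragments whose header + data fit the link MTU.
    Every fragment but the last carries a multiple of 8 octets."""
    if df:
        raise ValueError("DF set: the packet must be dropped and reported, not fragmented")
    max_data = (mtu - IHL_BYTES) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small to carry any data")
    frags, pos = [], 0
    while pos < len(payload):
        if pos // 8 >= MAX_OFFSET_UNITS:
            raise ValueError("payload exceeds what the 13-bit offset can address")
        chunk = payload[pos:pos + max_data]
        more = pos + len(chunk) < len(payload)
        frags.append(Fragment(identification, pos // 8, more, chunk))
        pos += len(chunk)
    return frags


def reassemble(fragments) -> bytes:
    """Rebuild the payload from fragments arriving in any order. Gaps, overlaps
    and a missing final fragment are rejected rather than papered over."""
    if not fragments:
        raise ValueError("no fragments")
    if len({f.identification for f in fragments}) != 1:
        raise ValueError("fragments belong to different datagrams")
    ordered = sorted(fragments, key=lambda f: f.offset)
    out, expected = bytearray(), 0
    for f in ordered:
        start = f.offset * 8
        if start != expected:
            raise ValueError(f"gap or overlap at octet {expected}")
        out += f.data
        expected = start + len(f.data)
    if ordered[-1].mf:
        raise ValueError("final fragment (MF=0) has not arrived")
    if any(not f.mf for f in ordered[:-1]):
        raise ValueError("MF clear on a non-final fragment")
    return bytes(out)


if __name__ == "__main__":
    # Constructed: a 9108-octet payload leaving a 9128-byte-MTU link for a 1520-byte-MTU link.
    for f in fragment(bytes(9108), mtu=1520, identification=7):
        print(f"offset={f.offset:5d} ({f.offset * 8:5d} octets) MF={int(f.mf)} len={len(f.data)}")
```

With the slide's MTUs, a full-size packet from the 9128-octet link becomes seven fragments on the 1520-octet link: six of 1496 octets (offsets stepping by 187 units) and a final one of 132 octets.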
BOOTP & DHCP
Dynamic Assignment of IP addresses
It is desirable for several reasons:
– IP addresses are assigned on demand
– Avoid manual IP configuration
– Support mobility of laptops / handheld WiFi devices
– etc.
RARP: Reverse Address Resolution Protocol (RFC 903)
– Works similarly to ARP
– Broadcast a request for the IP address associated with a given MAC address
– The RARP server responds with an IP address
– Only assigns the IP address (not the default router and subnet mask)
– Obsolete!
Figure: ARP maps an IP address (32 bit) to an Ethernet MAC address (48 bit); RARP maps the Ethernet MAC address (48 bit) back to an IP address (32 bit).
BOOTP: Bootstrap Protocol (RFC 951)
– Predecessor of DHCP
– A host can configure its IP parameters at boot time
– It was designed for a static environment
– Three services:
• IP address assignment.
• Detection of the IP address of a serving machine.
• The name of a file to be loaded and executed by the client machine (boot file name)
– Not only assigns the IP address, but also the default router, network mask, etc.
– Sent as UDP messages (UDP port 67 (server) and 68 (host))
– Uses the limited broadcast address (255.255.255.255):
• These addresses are never forwarded
DHCP (1): Dynamic Host Configuration Protocol
– It was developed in 1993 to improve on and resolve specific limitations of BOOTP
– It was devised to automate the configuration
– DHCP is the preferred mechanism for dynamic assignment of IP addresses
– It uses plug-and-play networking to join a new network and obtain an IP address
– A DHCP server can be configured to have two types of addresses:
• Permanent addresses: assigned to server computers
• Pool of addresses: these are to be allocated on demand
– DHCP issues a lease on the address for a finite period of time
• If the lease expires, the computer must renegotiate with the DHCP server
DHCP (2) (figure only)
BOOTP/DHCP Message Format
OpCode | Hardware Type | Hardware Address Length | Hop Count
Transaction ID
Number of Seconds | Unused (in BOOTP) / Flags (in DHCP)
Client IP address
Your IP address
Server IP address
Gateway IP address
Client hardware address (16 bytes)
Server host name (64 bytes)
Boot file name (128 bytes)
Options
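The message format above is fixed-width and easy to build and parse with `struct`. The following Python is an added example, not part of the slides: it assembles a DHCPDISCOVER (and, with other arguments, a DHCPOFFER) for the client MAC used in the next slides, and parses a received message back into its fields, validating lengths so a short or malformed packet is rejected rather than misread. The option-area magic cookie, the option 53 message-type codes and the DHCP flags bit come from RFC 2132 and RFC 2131 and are not on the slide; the function names are this example's own.

```python
import struct
import ipaddress

BOOTP_FIXED = "!BBBBIHH4s4s4s4s16s64s128s"   # the 236-byte fixed part shown on the slide
MAGIC_COOKIE = bytes([99, 130, 83, 99])      # RFC 2132: marks the start of the options area
BOOTREQUEST, BOOTREPLY = 1, 2                # OpCode values (RFC 951)
# DHCP message type option (53) values from RFC 2132; only those named in the lecture.
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 7: "DHCPRELEASE"}


def build_message(op, msg_type, xid, client_mac, yiaddr="0.0.0.0", siaddr="0.0.0.0", broadcast=False):
    """Assemble a BOOTP/DHCP message for an Ethernet client (htype 1, hlen 6)."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    fixed = struct.pack(BOOTP_FIXED,
                        op, 1, 6, 0,                             # opcode, hw type, hw addr len, hops
                        xid, 0, 0x8000 if broadcast else 0,      # transaction id, seconds, flags
                        zero4,                                   # client IP address (ciaddr)
                        ipaddress.IPv4Address(yiaddr).packed,    # your IP address: filled in by the server
                        ipaddress.IPv4Address(siaddr).packed,    # server IP address
                        zero4,                                   # gateway IP address (relay agent)
                        chaddr, b"\x00" * 64, b"\x00" * 128)     # chaddr, sname, file
    options = bytes([53, 1, msg_type, 255])                      # option 53 (len 1), then End
    return fixed + MAGIC_COOKIE + options


def parse_message(msg: bytes) -> dict:
    """Decode the fixed header and the TLV options, refusing truncated input."""
    if len(msg) < 236:
        raise ValueError("shorter than the BOOTP fixed header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
     siaddr, giaddr, chaddr, sname, fname) = struct.unpack(BOOTP_FIXED, msg[:236])
    if hlen > 16:
        raise ValueError("hardware address length exceeds the 16-byte chaddr field")
    out = {
        "op": op, "htype": htype, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)), "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)), "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "sname": sname.rstrip(b"\x00").decode(errors="replace"),
        "file": fname.rstrip(b"\x00").decode(errors="replace"),
        "options": {},
    }
    rest = msg[236:]
    if rest[:4] == MAGIC_COOKIE:
        i = 4
        while i < len(rest):
            code = rest[i]
            if code == 255:           # End option
                break
            if code == 0:             # Pad option has no length byte
                i += 1
                continue
            if i + 1 >= len(rest):
                raise ValueError("truncated option")
            length = rest[i + 1]
            value = rest[i + 2:i + 2 + length]
            if len(value) != length:
                raise ValueError("option runs past the end of the message")
            out["options"][code] = value
            i += 2 + length
    mt = out["options"].get(53)
    out["message_type"] = MSG_TYPES.get(mt[0], f"type {mt[0]}") if mt else "BOOTP"
    return out


if __name__ == "__main__":
    # Constructed transaction id; the client MAC is the one used in the lecture's DHCP figures.
    disc = build_message(BOOTREQUEST, 1, 0x3903F326, "00:a0:24:71:e4:44", broadcast=True)
    print(parse_message(disc))
```

The broadcast flag is what lets a client that does not yet have an address receive the server's reply, and the 16-byte chaddr field is why the parser must bound hlen before slicing it.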
DHCP Operations (1)
Figure: DHCP client 00:a0:24:71:e4:44 and several DHCP servers.
– DHCP DISCOVER: the client sends DHCPDISCOVER to 255.255.255.255; every DHCP server receives it.
– DHCP OFFER: each DHCP server answers the client with a DHCPOFFER.
DHCP Operations (2)
– DHCP REQUEST: the client sends DHCPREQUEST for the chosen offer; the selected server replies with DHCPACK. At this time, the DHCP client can start to use the IP address.
– Renewing a lease (sent when 50% of the lease has expired): the client sends DHCPREQUEST to its server, which replies with DHCPACK.
DHCP Operations (3)
– DHCP RELEASE: the client sends DHCPRELEASE to the server. At this time, the DHCP client has released the IP address.
Lecture Archive
Lecture Archive (2011), Network Layer Protocols & Internet Protocol (IP): http://library.naist.jp/Real/9b2cf40300e4f2f41bcbe9166ff8b430/index.html
Whole class: http://library.naist.jp/mylimedio/search/av2.do?target=local&bibid=135469
IPv6
The End of IPv4: 50 billion individual elements on the Internet in 2014
IPv4 Address Allocation (figure). Report Date: 27-Apr-2012, http://labs.apnic.net/ipv4/report.html
Internet Protocol version 6 (IPv6)
Developed in the early 90s
– Deployed since the late 90s / early 2000
Designed to overcome limitations in IPv4. The first issue was to deal with addressing:
– From 2^32 to 2^128 addresses (4.3 x 10^9 to 3.4 x 10^38)
Enhance the security
– IPsec is built in to IPv6 from the start
IPv6 global addressing enables you to
– minimize devices,
– minimize delay, and
– simplify development
Headers allow the development of new quality and streaming services
IPv4 vs IPv6 (1)
Address architecture
– Hierarchic structure
– Introduction of the concept of scope
– Clear definition of address classes
Multicast
– Standardization
– Discontinuation of broadcast
Able to deal with high-speed networks
– Simplified header format
• Suppression of unused fields
• Static length
• Discontinuation of checksums
• Discontinuation of IP header options
– Discontinuation of en-route packet fragmentation
IPv4 vs IPv6 (2)
Link layer and network layer address resolution
– ARP -> NDP (Neighbor Discovery Protocol)
– Unreachability detection
Security
– IPsec as a standard
Flexibility
– IP extension header
• MobileIPv6
• IPsec
IPv6 Address Format
IPv6 Address (1)
IPv4 address:
– 32 bits (4 bytes)
– 4 decimal numbers separated by a dot
– 192.168.1.240
IPv6 address:
– 128 bits (16 bytes)
– 8 groups separated by colons ( : )
– Each group represents 4 hexadecimal digits
– 2001:0db8:85a3:0000:0000:8a2e:0370:7334
– Leading zeros may be removed and one consecutive sequence of zero groups may be skipped:
• 2001:0db8:85a3:0000:0000:8a2e:0370:7334
• 2001:db8:85a3:0:0:8a2e:370:7334
• 2001:db8:85a3::8a2e:370:7334
IPv6 Address (2)
IPv4-compatible address
– ::IPv4 address
– ::203.178.142.1
– Address used for auto-tunneling
IPv4-mapped address
– ::ffff:IPv4 address
– ::ffff:203.178.142.1
– Address expression to show that a node implements IPv4 only
Scope (1)
Link-Local
– To be used for
• auto-address configuration
• neighbor discovery
– Valid in the scope of the given link, not routable
– fe80::/10 prefix
Global
– Global/universal address
– Routable
– Connects to any global scope address anywhere
Scope (2)
Figure: hosts within an organization use link-local addresses on their own link; global addresses are used through the router between organizations.
IPv4 Header
Layout (bit positions 0, 4, 8, 16, 20, 32):
version | HL | ToS | Total Length
Identification | Flag | Fragment Offset
TTL | Protocol | Header Checksum
Source address (32 bits)
Destination address (32 bits)
Options | Padding
Total length: 20 bytes + options. Fields in red on the slide (HL, ToS, Identification, Flag, Fragment Offset, Header Checksum, Options, Padding) are suppressed or renamed in IPv6.
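The header checksum is the field whose removal in IPv6 matters most to routers: because every hop rewrites TTL, every IPv4 router must also recompute the checksum. The following Python is an added example, not from the slides. It builds a 20-byte IPv4 header, computes the RFC 791 checksum, verifies it the way a receiver does (the sum over a correct header, checksum included, is all ones), and performs the per-hop TTL decrement with recomputation. The field layout follows the slide; the function names are this example's own.

```python
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte header without options: the layout on the slide


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: one's complement of the one's-complement sum of the 16-bit words.
    The sender computes it with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto, ttl=64, ident=0, df=False, mf=False, offset=0):
    """version 4, IHL 5, ToS 0; flags/offset packed as on the slide."""
    flags = (int(df) << 1) | int(mf)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, (flags << 13) | offset,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def checksum_field(header: bytes) -> int:
    return int.from_bytes(header[10:12], "big")


def header_is_valid(header: bytes) -> bool:
    """Receiver's check: summing a correct header including its checksum gives
    0xFFFF, so the complement is zero."""
    return ipv4_checksum(header) == 0


def forward_hop(header: bytes) -> bytes:
    """What each IPv4 router does: verify, decrement TTL, recompute the checksum.
    IPv6 has no header checksum, so its routers skip the recomputation."""
    if not header_is_valid(header):
        raise ValueError("corrupted header: drop")
    ttl = header[8]
    if ttl <= 1:
        raise ValueError("TTL expired: drop and send ICMP Time Exceeded")
    patched = header[:8] + bytes([ttl - 1]) + header[9:10] + b"\x00\x00" + header[12:]
    return patched[:10] + struct.pack("!H", ipv4_checksum(patched)) + patched[12:]


if __name__ == "__main__":
    # Constructed header: 95-byte UDP payload from 192.168.0.1 to 192.168.0.199, DF set.
    h = build_ipv4_header("192.168.0.1", "192.168.0.199", 95, 17, ttl=64, df=True)
    print(h.hex(), "checksum=0x%04x valid=%s" % (checksum_field(h), header_is_valid(h)))
    print("after one hop:", forward_hop(h).hex())
```

The constructed header matches a commonly cited worked example of the RFC 791 checksum (value 0xB861), so the output can be checked by hand.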
IPv6 Header
Layout (bit positions 0, 4, 12, 16, 24, 32):
version | Traffic class | Flow label
Payload length | Next header | Hop limit
Source address (128 bits)
Destination address (128 bits)
Fixed length: 40 bytes. All optional/additional information is encoded in extension headers. The header is not protected by a checksum.
Address Structure (1)
Separating the network prefix and the interface ID:
– Network prefix (upper 64 bits)
– Interface ID (lower 64 bits): derived from the MAC address (EUI-64)
• E.g. 00:e0:18:98:93:6d (MAC address) → 2001:200:16a:e320:2e0:18ff:fe98:936d
Figure: Network Prefix (64 bits) | Interface ID (64 bits); the prefix breaks down as 001 (3 bits) | global routing prefix (45 bits) | subnet id (16 bits), followed by the interface id (64 bits).
Delegation: IANA → RIR, RIR → LIR, /48 block for the end user.
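The EUI-64 mapping in the example above is mechanical, and so is its inverse. The following Python is an added example, not part of the slides: it derives the modified EUI-64 interface ID from a MAC address (insert ff:fe, flip the universal/local bit, per RFC 4291 Appendix A), combines it with a /64 prefix, forms the link-local address and the solicited-node multicast group the later NDP slides use, and recovers the MAC from such an address, which is why privacy extensions (RFC 4941) replace EUI-64 with random interface IDs. The MAC and prefix are the slide's; the function names are this example's own.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): split the 48-bit MAC, insert
    ff:fe in the middle and flip the universal/local bit (0x02 of octet 0)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Network prefix (upper 64 bits) + EUI-64 interface ID (lower 64 bits)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("the interface ID needs exactly 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 + interface ID, the address a node forms before any router is known."""
    return slaac_address("fe80::/64", mac)


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX built from the low 24 bits of the unicast address: the
    group a Neighbor Solicitation for addr is sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def mac_from_eui64(addr: str):
    """Inverse mapping: recover the MAC when the interface ID carries the ff:fe
    marker, otherwise None. This leak of hardware identity is what RFC 4941
    privacy extensions avoid by using random interface IDs."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    mac = "00:e0:18:98:93:6d"                       # the MAC from the slide
    g = slaac_address("2001:200:16a:e320::/64", mac)
    print("global     ", g)
    print("link-local ", link_local_address(mac))
    print("solicited  ", solicited_node_multicast(str(g)))
    print("MAC again  ", mac_from_eui64(str(g)))
```

Note that a host's global and link-local addresses share the same low 24 bits, so one solicited-node group serves Neighbor Solicitations for both.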
Address Structure (2)
Address assignment follows the network topology.
Aggregatable global unicast format (field widths in bits):
– RFC2374: FP (3) | TLA ID (13) | RE (8) | NLA ID (24) | SLA ID (16) | Interface ID (64)
– RFC2450 (with sub-TLA): FP (3) | TLA ID (13) | sub-TLA (13) | RE (6) | NLA ID (13) | SLA ID (16) | Interface ID (64)
FP: Format Prefix; RE: Reserved; TLA ID: Top-Level Aggregation Identifier; NLA ID: Next-Level Aggregation Identifier; SLA ID: Site-Level Aggregation Identifier
Address Assignment
Figure (labels: TLA ID, sub-TLA, NLA ID):
– APNIC: 2001:200::/29 - 2001:3f8::/29
– WIDE: 2001:200::/35
– NAIST: 2001:200:16a::/48; USM: 2001:200:703::/48
Top Level Aggregator (TLA)
Assigned from RIRs (ARIN, RIPE, APNIC); /29 address space.
Figure (widths in bits):
– Previous assignment: FP (3) | TLA ID (13) | RE (8) | NLA ID (24)
– Current assignment: FP (3) | TLA ID (13) | SubTLA ID (13) | NLA ID (19)
Next Level Aggregator (NLA)
ISPs and organizations acquire addresses from a TLA, enabling them to set up subnets: from /35 to /48 address spaces.
Figure (widths in bits):
– Previous assignment: FP (3) | TLA ID (13) | RE (8) | NLA ID (24)
– Current assignment: FP (3) | TLA ID (13) | SubTLA ID (13) | NLA ID (19)
Site Level Aggregator (SLA)
Organizations acquire addresses from an NLA: from /49 to /64 address spaces.
Figure (widths in bits): FP (3) | TLA ID (13) | SubTLA ID (13) | NLA ID (19) | SLA ID (16)
Unicast Address
– Assigned to a single interface
– Address valid at the link scope
– fe80::2e0:18ff:fe98:936d
Link-local format (figure): 1111111010 (10 bits) | 0000 ......... 0000 (56 bits) | interface Id (64 bits)
Multicast Address
– Assigned to several interfaces and delivered to all these interfaces
Format (figure): 11111111 (8 bits) | flgs (4 bits) | scope (4 bits) | group ID (112 bits)
Scope values:
– 0 reserved
– 1 node-local scope
– 2 link-local scope
– 5 site-local scope
– 8 organization-local scope
– E global scope
– F reserved
Flags:
– 0000 permanent (defined) address
– 0001 temporary address
Format Prefix (1)
Usage                                 Prefix          Occupation
Reserved                              0000 0000       1/256
Unassigned                            0000 0001       1/256
Reserved for NSAP Allocation          0000 001        1/128
Reserved for IPX Allocation           0000 010        1/128
Unassigned                            0000 011        1/128
Unassigned                            0000 1          1/32
Unassigned                            0001            1/16
Aggregatable Global Unicast Address   001             1/8
Unassigned                            010             1/8
Unassigned                            011             1/8
Unassigned                            100             1/8
Unassigned                            101             1/8
Format Prefix (2)
Usage                                 Prefix          Occupation
Unassigned                            110             1/8
Unassigned                            1110            1/16
Unassigned                            1111 0          1/32
Unassigned                            1111 10         1/64
Unassigned                            1111 110        1/128
Unassigned                            1111 1110 0     1/512
Link-Local Unicast Address            1111 1110 10    1/1024
Multicast Address                     1111 1111       1/256
Unassigned prefixes are dealt with as unicast from now on.
Defined Multicast Addresses
– FF00:0:0:0:0:0:0:0 reserved
– FF01:0:0:0:0:0:0:0 reserved
– : (through)
– FF0F:0:0:0:0:0:0:0 reserved
– FF01:0:0:0:0:0:0:1 All IPv6 nodes address (node-local)
– FF02:0:0:0:0:0:0:1 All IPv6 nodes address (link-local)
– FF01:0:0:0:0:0:0:2 All IPv6 routers address (node-local)
– FF02:0:0:0:0:0:0:2 All IPv6 routers address (link-local)
– FF02:0:0:0:0:0:0:C DHCP servers / relay agents
– FF02:0:0:0:0:1:x:x Solicited-Node address
ICMPv6 & NDP
Control Protocols
IPv4 control protocols:
– ICMP
– ARP
– IGMP
IPv6 control protocol:
– Internet Control Message Protocol version 6 (ICMPv6)
ICMPv6
Many messages are the same as their IPv4 counterparts:
– Type 1: Destination Unreachable
– Type 2: Packet Too Big (MTU)
– Type 3: Time Exceeded
– Type 4: Parameter Problem
– Type 128/129: Echo Request / Echo Reply
Must not be fragmented. Must not be originated in response to
– ICMPv6 error or redirect messages
– packets sent to multicast/broadcast addresses
Message format (figure): Type (8 bits) | Code (8 bits) | Checksum (16 bits) | Message body
Neighbor Discovery Protocol (NDP)
Uses ICMPv6 messages. Used to:
– Neighbor Solicitation (NS)
• determine the link-layer address of a neighbor
– Neighbor Advertisement (NA)
• actively keep track of neighbor reachability
– Router Solicitation (RS)
• determine on-link routers and the default route
– Router Advertisement (RA)
• send network information from routers to hosts
– Redirect
• a router can inform a node about better first-hop routers
Protocol used for host auto-configuration. All ND messages must have hop limit = 255:
– they must originate and terminate on the same link
Neighbor Solicitation (NS)
Sent by a node to determine the link-layer address of a neighbor. Similar to an IPv4 ARP request.
Packet description:
– Source address: link-local address
– Destination: solicited-node multicast address or all-nodes multicast (FF02::1)
– Data contains the link-layer address of the source
– Query: "please send me your link-layer address"
– ICMP type 135
Neighbor Advertisement (NA)
Response to a Neighbor Solicitation. Similar to an IPv4 ARP response: "includes my MAC address, so you can send me information".
Packet description:
– Source address: link-local address of the source
– Destination: destination address of the NS request
– Data contains the link-layer address of the source
– ICMP type 136
Router Solicitation (RS)
Nodes request routers to send a Router Advertisement immediately.
Packet description:
– Source: link-local address
– Destination: all-routers multicast address (FF02::2)
– ICMP type 133
Router Advertisement (RA)
Routers advertise periodically:
– Max time between advertisements: ~4 to 8,000 sec.
– The advertisement has a lifetime
Specifies whether stateful or stateless auto-configuration is to be used.
Packet description:
– Source: router link-local address
– Destination: all-nodes multicast address (FF02::1)
– Data: prefix, lifetimes, default router, options
– ICMP type 134
Duplicate Address Detection (DAD)
Similar to an IPv4 ARP probe for one's own address:
– nodes can check whether an address is already in use
Packet description:
– Source: unspecified
– Destination: solicited-node multicast address
– Data: link-layer address of the source
– Query: "please send me your link-layer address"
– ICMP type 135
If no NA is received, the address is OK.
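The packet descriptions on the NS, NA, RS, RA and DAD slides, plus the hop-limit rule, together make a small set of sanity checks a host (or a monitoring tool) can apply to every ND message before acting on it. The following Python is an added example, not part of the slides: it encodes those descriptions as a validator and returns a reason for each rejection. It follows the slides' field rules; the one addition, marked in the code, is that RFC 4861 also allows a unicast destination for an RA sent in answer to an RS. The function and constant names are this example's own; the test addresses reuse the lecture's MAC-derived addresses plus the documentation prefix 2001:db8::/32.

```python
import ipaddress

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}   # ICMPv6 types from the slides
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
UNSPECIFIED = ipaddress.IPv6Address("::")


def solicited_node(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX built from the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def check_nd(src, dst, hop_limit, icmp_type, target=None):
    """Apply the slides' packet descriptions to one received ICMPv6 message.
    Returns (ok, reason). A message failing these checks was forwarded by a
    router (hop limit decremented), malformed, or not from an on-link node,
    and a host should ignore it rather than update its neighbor/router caches."""
    if icmp_type not in ND_TYPES:
        return False, f"ICMPv6 type {icmp_type} is not an ND message"
    kind = ND_TYPES[icmp_type]
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if hop_limit != 255:
        return False, f"{kind}: hop limit {hop_limit}, must be 255 (same-link origin)"
    if kind == "NS":
        if target is None:
            return False, "NS: target address missing"
        sol = solicited_node(target)
        if src == UNSPECIFIED:                       # Duplicate Address Detection probe
            if dst != sol:
                return False, "DAD NS: destination must be the target's solicited-node group"
        elif not src.is_link_local:
            return False, "NS: source must be link-local (or :: for DAD)"
        elif dst not in (sol, ALL_NODES):
            return False, "NS: destination must be solicited-node or all-nodes"
        return True, "ok"
    if kind == "RS":
        if not src.is_link_local:
            return False, "RS: source must be link-local"
        if dst != ALL_ROUTERS:
            return False, "RS: destination must be ff02::2"
        return True, "ok"
    if kind == "RA":
        if not src.is_link_local:
            return False, "RA: source must be the router's link-local address"
        # Slide: all-nodes multicast. RFC 4861 additionally allows unicast when answering an RS.
        if dst != ALL_NODES and dst.is_multicast:
            return False, "RA: destination must be ff02::1 (or unicast in reply to an RS)"
        return True, "ok"
    # NA and Redirect: the slides require a link-local source, as for the others.
    if not src.is_link_local:
        return False, f"{kind}: source must be link-local"
    return True, "ok"


if __name__ == "__main__":
    # Constructed messages using the lecture's EUI-64 addresses.
    ll = "fe80::2e0:18ff:fe98:936d"
    print(check_nd(ll, "ff02::1:ff98:936d", 255, 135, target="2001:200:16a:e320:2e0:18ff:fe98:936d"))
    print(check_nd(ll, "ff02::1:ff98:936d", 64, 135, target="2001:200:16a:e320:2e0:18ff:fe98:936d"))
    print(check_nd("2001:db8::1", "ff02::1", 255, 134))
```

The hop-limit test is the cheapest and most useful of these: any ND message that crossed a router arrives with a smaller value, so it cannot have come from a neighbor on the same link.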
Auto-configuration States
Stateful
– Manual IP configuration
– DHCPv6 configuration
Stateless
– Applies to hosts only (not to routers)
– No manual configuration required
• The RA specifies the prefix, default route, and lifetime
• The RA doesn't specify the DNS servers
– Assumes the interface has a unique identifier
– Assumes a multicast-capable link
– Uses Duplicate Address Detection
Auto-configuration Example (two figure-only slides)
Internet Protocol Security (IPsec)
IP Security Overview
IPSec is not a single protocol
– IPSec provides a set of security algorithms
IPSec provides a general security framework for a pair of communicating entities
– Across LANs, private & public WANs
– Across the Internet
Applications of IPSec
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet connectivity with partners
– Enhancing electronic commerce security
IPsec Scenario (figure only)
IPsec Services
– Access control
– Connectionless integrity
– Data origin authentication
– Rejection of replayed packets
– Confidentiality (encryption)
– Limited traffic flow confidentiality
IPsec Protocols
Authentication Header (AH)
– provides connectionless integrity and data origin authentication for IP datagrams
Encapsulating Security Payload (ESP)
– provides confidentiality services
– ESP with authentication
Security Associations (SA)
– provide the bundle of algorithms and data that supply the parameters necessary to operate the AH and ESP operations
Protocols & Services
Service                                AH    ESP (encryption only)   ESP (encryption & authentication)
Access control                         yes   yes                     yes
Connectionless integrity               yes                           yes
Data origin authentication             yes                           yes
Rejection of replay attacks            yes   yes                     yes
Confidentiality                        no    yes                     yes
Limited traffic flow confidentiality   no    yes                     yes
IPsec Modes of Operation
Transport
– IPSec protects the IP payload
– IPSec headers are added before the IP payload
– No change in the IP header
Tunnel
– IPSec protects the total IP packet
– IPSec headers encapsulate the IP packet
– A new IP header is created
Security Services
Protocol | Transport Mode SA | Tunnel Mode SA
– AH | Authenticates the IP payload and selected portions of the IP header and IPv6 extension headers | Authenticates the entire inner IP packet plus selected portions of the outer IP header
– ESP | Encrypts the IP payload and any IPv6 extension header | Encrypts the inner IP packet
– ESP with authentication | Encrypts the IP payload and any IPv6 extension header; authenticates the IP payload but not the IP header | Encrypts the inner IP packet; authenticates the inner IP packet
Authentication Header (1)
It uses a hashing operation over the packet information. It provides
– connectionless integrity,
– data authentication, and
– replay protection
Guards against replay attacks.
Figure: the header before applying AH.
Authentication Header (2)
Figures: Tunnel Mode (AH authentication) and Transport Mode (AH authentication).
Encapsulating Security Payload (1)
It encrypts the packet's payload with a symmetric key. It provides
– confidentiality,
– data integrity,
– data origin authentication, and
– an anti-replay service
Encryption
– Three-key triple DES
– RC5
– IDEA
– Three-key triple IDEA
– CAST
– Blowfish
Authentication
– HMAC-MD5-96
– HMAC-SHA-1-96
Encapsulating Security Payload (2)
Figures: Transport Mode and Tunnel Mode.
RFCs
IPSec documents:
– RFC 2401: An overview of the security architecture
– RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
– RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
– RFC 2408: Specification of key management capabilities
IPv6 Transition
Dual Stack
A dual stack host can speak both IPv4 and IPv6
– Most workstations are IPv6-enabled
Figure: Application Layer | Transport Layer (TCP/UDP) | IPv4 and IPv6 side by side | Network Interface Layer
Tunneling
Connection of IPv6 domains via IPv4 clouds
6to4
– the most common IPv6 over IPv4 tunneling protocol
– Tunnel endpoints must have public IPv4 addresses
Teredo
– encapsulating IPv6 inside IPv4/UDP
Figure: an IPv6/dual network's 6to4 router adds the v4 header; IPv4 routers in the IPv4 core forward as usual; the destination 6to4 router removes the IPv4 header and delivers into the other IPv6/dual network.
Address Translation: NAT64
– Packet headers are translated according to the Stateless IP/ICMP Translation Algorithm (SIIT)
– IPv6 (address + port) is mapped to IPv4 (address + port)
– IPv4 is mapped into IPv6 as Pref64::IPv4
• Pref64 is a /96 IPv6 address pool
More Details
Many resources are available:
– ARIN
• http://www.getipv6.info/index.php/Main_Page
– APNIC
• http://www.apnic.net/community/ipv6-program
– RIPE
• http://www.ripe.net/lir-services/resource-management/number-resources/ipv6
– AfriNIC
• http://www.afrinic.net/IPv6/index.htm
– LACNIC
• http://portalipv6.lacnic.net/en
IPv6 Advantages
– More efficient address space allocation
– End-to-end addressing; no NAT anymore
– Fragmentation only by the source host
– Routers don't calculate a header checksum (speed-up)
– Multicasting instead of broadcasting
– Built-in security mechanisms
– Single control protocol (ICMPv6)
– Auto-configuration
– etc.
Assignment 2
Network Configuration (1)
Goal: To understand the dynamics of IPv6 and to be able to troubleshoot connectivity in an IPv6 network.
What to do:
– Download the provided network topology from the link below:
• http://iplab.naist.jp/class/infoN/2012/materials/sample.pkt
– Configure the IPv6 addresses on the routers in the topology
– Enable IPv6 Auto Config on the PCs in the network
– Test network connectivity by using the Neighbor Discovery Protocol
– Configure RIPng in the routers
– Disconnect one link between two routers and test network connectivity again. Observe the communication between the two disconnected routers.
Network Configuration (2)
Essay
– Briefly explain the following:
• IPv6 (i.e., addressing and subnetting)
• Neighbor Discovery Protocol
• Routing
• RIPng
– For the last step in the instructions, can the routers still communicate? Answer yes or no, then explain why.
Submission
Deadline: May 16, 2012 (Wed) at 17:00 JST
Compress your Packet Tracer file and essay in one folder with your name and student ID (e.g., DoudouFall1234567.zip) then send it to:
– [email protected]
For questions and concerns about the assignment, you may contact the TAs by email ([email protected]) or meet them in A307, Internet Engineering Laboratory.