William F. Cleveland
TS5990 Integrative Project
Capella University
Instructor: Dr. Sharon Gagnon
March 8, 2009
Abstract
The Project is written to answer the question of why the conversion of IPv4 to IPv6 is
important for both general and, specifically, security reasons. Two of the major reasons are
the increase in devices that can access the Internet and improvements in security.
The guide is written toward the basic networking administrator and gives reasons why
they should embrace IPv6 more quickly. It will not cover how to implement IPv6, other
than to explain what software and hardware devices support IPv6 already and those that are
The project is written to expand the author's experience and to provide a guide to the
target audience. The topic must be explained in a manner that instructs the user and explores
the topic thoroughly so no doubt may be left as to the importance of converting and upgrading
implemented on local and global networks. It will give the strengths and weaknesses
of the protocol and the details of its makeup. The target audience is
network administrators who have not looked into the details of IPv6, but should have
Topics covered include the security improvements of the new protocol, the
addressing shortage of IPv4 and large number of possible IPv6 addresses, security
concerns, and the structure of IPv6 protocol. Many examples and details are
Very little will be discussed on how to implement IPv6, instead focusing on the
implementation, more and more networks will start using it, and thus force more and
described as affecting all the people who use and access the Internet. It is well
known in industry that IPv4 addresses are running out and with more and more people
not allow those addresses to run out and cause problems. Failure to convert
communication standards to use IPv6, which allows for unique addresses of nearly
every grain of sand on all the beaches on the planet, would cause widespread
dependent upon.
and those out to exploit the new technology. However, with improved security
features over that of IPv4, IPv6 will provide a more secure long term solution.
Introduction
Written as a persuasive paper on using IPv6, this work will give some
background on IPv4 and why it is quickly becoming outdated and obsolete. Next you
will read about the improvements that IPv6 has to offer to all Internet users for every
purpose. Some of the weak points will be raised, but solutions will be pointed out that
America, mainly due to other countries trying to remove themselves from the perceived
control America has over the Internet addressing system. Also, as many countries
are creating new networks and expanding or even creating their communications
backbone, it is easy for them to implement IPv6 initially, instead of using IPv4 then
IPv4 Background
The need for moving away from IPv4 and implementing IPv6 can be
understood when you keep in mind how many mobile devices are in the world; how
many people each day are accessing the Internet for the first time; the creation of
huge wireless network grids; and the idea of giving additional electric devices (stoves,
refrigerators, washing machines, etc.) access to the Internet. While IPv4 provides
about four billion IP addresses — not enough to assign one to every one of Earth's
more than six billion inhabitants — IPv6 provides enough address space to assign
more than three billion network addresses to every person on the planet (Colitti &
Kline, 2008). This is significantly lower than the actual number because of the
reservation of addresses for special devices and entities. To put the total number into
perspective, here is a chart based on data from the U.S. Census Bureau showing
[Figure 1: World Population Growth (chart not reproduced)]
2009 to 2108. It starts at about 6 billion people on the planet, and by 2108 shows 21
billion people. (This chart does not take into account projected reductions in the
growth rate or other variables, but uses a constant growth number to simplify the data.)
Figure 2 shows the exact same population growth data, but the total number of
addresses available in IPv6 is listed as the last data point. Also, the population
[Figure 2: chart not reproduced; logarithmic vertical axis from 1.00E+00 to 1.00E+36]
because the difference between 7 billion and 21 billion is small when working with
numbers that have 38 zeros behind them instead of only 9. Again, all that was done
to the data was to add the total addresses available with IPv6. This number uses 128
bits of space, which can be expressed as a real number of 3.4*10^38 total addresses
Limitations of IPv4:
The protocol for IPv4 has not been changed since Request for Comments
Southern California. The protocol has proven to be robust, easily implemented, and
Internet.
quickly as we approach 2010. IPv4 addressing experienced those growth pains and
allows about 4.2 billion unique addresses, but previous and current allocation
practices only allow for a few hundred million public addresses. This is because
many companies who initially supported the Internet backbone were allocated Class A
network addresses (the first number in the address, e.g. 9.xxx.xxx.xxx). This removed
large sections of addresses from being used by other entities. This has forced many
organizations to use Network Address Translation (NAT) to map out more addresses
for internal networking (more on how this works later). This directly defeats the true
(Davies, 2008).
more and more devices connecting to the Internet, an easier way to configure them is
needed that does not rely on the administration of DHCP infrastructure (Davies, 2008).
Need for security at the Internet layer: More security is needed because of
public access. Initially the Internet was limited to universities doing research and the
government, so trust was pretty high. An optional security layer was added later to
IPv4 called Internet Protocol Security, or IPsec, which provides security. It is standard
in IPv6, and enhances the overall security of each individual packet sent over the
Need to prioritize and support real-time delivery of data across the Internet.
Being able to prioritize the data would greatly help speed up many applications. E-
mail does not need to move at the same speed as a video conference. Gamers may
want to pay more for quicker response times. With IPv4 all data is treated the same
on the Internet.
There are many differences between the two protocols. Many of the
improvements will be detailed later in the paper. Figure 3 goes into detail about the
many changes by breaking them down and listing them out. Chapter
references in the Figure are from the book by Lane, P. T. & Hauser, R. (2002). CIW
the Internet. Most home and small business networking solutions use a router that
splits one IP address assigned by their provider to many hosts or devices on their
using NAT, one IP address can be used by several hundred hosts. However, the more
Using a NAT creates two extra connection steps when all Internet packets leave
the NAT (usually built into the router that connects the Intranet to the Internet). The
extra steps require processing and changing the data packet's contents, hopefully as
The host PC with NAT address (192.168.0.10 port 1025) requests information
from Internet web server: (157.60.13.9 port 80). Port 1025 is used by svchost.exe
(Microsoft Remote Procedure Call (RPC) service), 80 is a web server listen port.
The router takes that request before allowing it to leave the intranet and
changes a couple of things: The source address is now the NAT public IP address (the
address your Internet provider supplies you), and the source port is changed to 5000
(or some number) and mapped (in an internal table) to 192.168.0.10 port 1025.
When the web server sends back the packet of information the NAT has to read
the packet and decide which device requested it. The NAT checks its translation table
and determines that the packet with a port request of 5000 was requested by local
packet and sends it on to the requesting Host PC. Routers are getting faster than
they were, but so is the increase in the traffic on the network. This will lead to a
reduction in the performance of the intranet devices accessing the Internet (Davies,
2008).
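The translation steps above, carried out on packet bytes, as an added example (not code from the paper or its sources). It shows the two rewrites and the checksum recomputation each one forces; the public address 203.0.113.7 and all class and function names are assumptions, since the page gives only the private host, the web server and port 5000.

```python
import socket
import struct

def checksum(data):
    """RFC 1071 Internet checksum of a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def set_checksums(pkt):
    """Recompute IPv4 header and TCP checksums of a bytearray (20-byte IP header)."""
    pkt[10:12] = b"\x00\x00"
    pkt[36:38] = b"\x00\x00"
    pkt[10:12] = struct.pack("!H", checksum(bytes(pkt[:20])))
    pseudo = bytes(pkt[12:20]) + struct.pack("!BBH", 0, 6, len(pkt) - 20)
    pkt[36:38] = struct.pack("!H", checksum(pseudo + bytes(pkt[20:])))
    return bytes(pkt)

def make_packet(src, sport, dst, dport):
    """Constructed 40-byte IPv4/TCP segment with valid checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return set_checksums(bytearray(ip + tcp))

def endpoints(pkt):
    """Return (source IP, source port, destination IP, destination port)."""
    sport, dport = struct.unpack_from("!HH", pkt, 20)
    return socket.inet_ntoa(pkt[12:16]), sport, socket.inet_ntoa(pkt[16:20]), dport

def valid(pkt):
    """True when both checksums verify (checksum over data plus checksum field is 0)."""
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - 20)
    return checksum(pkt[:20]) == 0 and checksum(pseudo + pkt[20:]) == 0

class Napt:
    """Port-translating NAT with the internal table the text describes."""
    def __init__(self, public_ip, first_port=5000):
        self.public_ip, self.next_port = public_ip, first_port
        self.by_private, self.by_public = {}, {}

    def outbound(self, pkt):
        """Step 1: rewrite source address and port, remembering the mapping."""
        src, sport, _, _ = endpoints(pkt)
        if (src, sport) not in self.by_private:
            self.by_private[(src, sport)] = self.next_port
            self.by_public[self.next_port] = (src, sport)
            self.next_port += 1
        out = bytearray(pkt)
        out[12:16] = socket.inet_aton(self.public_ip)
        struct.pack_into("!H", out, 20, self.by_private[(src, sport)])
        return set_checksums(out)

    def inbound(self, pkt):
        """Step 2: look up the destination port and restore the private endpoint."""
        _, _, dst, dport = endpoints(pkt)
        entry = self.by_public.get(dport)
        if dst != self.public_ip or entry is None:
            return None  # no table entry: the packet cannot be delivered to any host
        out = bytearray(pkt)
        out[16:20] = socket.inet_aton(entry[0])
        struct.pack_into("!H", out, 22, entry[1])
        return set_checksums(out)

if __name__ == "__main__":
    nat = Napt("203.0.113.7")  # constructed public address
    request = make_packet("192.168.0.10", 1025, "157.60.13.9", 80)
    print("leaves NAT as ", endpoints(nat.outbound(request)))
    reply = make_packet("157.60.13.9", 80, "203.0.113.7", 5000)
    print("delivered as  ", endpoints(nat.inbound(reply)))
    stray = make_packet("157.60.13.9", 80, "203.0.113.7", 5001)
    print("unmapped port ", nat.inbound(stray))
```

The unmapped case is the barrier to direct peer-to-peer connections that the paper returns to later: a packet arriving for a port with no table entry has nowhere to go.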
The use of NAT in coordination with private network address allows for
companies of varied size to maintain internal networks and still connect to the Internet.
networks for the foreseeable future. Of course it is hard to imagine what new
technology requirements there may be that would require more addresses. One
requirement might be if not only we had addresses for each device, but also for each
application or data file on the devices, perhaps as a way to prevent piracy or some
other reason. Another suggestion could be for inventory reasons. The military for
instance could keep track of every bullet in every gun ever fired if they wanted to track
forwarding of packets are all reasons to adopt IPv6 technology. This section will
companies and individuals who want the power of their desktop computers in their
hands. Today's handheld devices have much more processing power than the first
mainframe computers. Being mobile means being able to access your e-mail, phone
messages, and information on the Internet while moving between wireless networks.
Users do not want to experience zones of blackout areas where they cannot
network providers are increasing their coverage, and devices need to adapt to
switching seamlessly between networks. IPv6 can be used by many applications with
mobility features. These applications can be in cars, bikes, trains, and many other
enables sensor-based networks that form roaming ad hoc meshed networks over
topologies. The huge numbers required to create a mesh network would make IPv6
The Internet is running both IPv4 and IPv6 protocols at the same time because
they are independent. IPv6 addresses are different, so addresses are unique and
easy to filter. Systems need the IPv6 protocol on nodes to access IPv6 services.
There are several risks associated with using IPv6 because each device has its own
direct address and is susceptible to flooding traffic where one computer sends
requests to many computers at the same time. “Benefits of using IPv6 are great, but
so are the consequences if the communication is not secured properly” (Hogg &
would find it harder to propagate because it is difficult to guess the IP address of other
systems since there are so many IPv6 addresses and the total number used is small.
spread. It cannot be said that worm writers will not figure out how to get around this,
but it will take a bit longer. For instance, they could use search engines, scan the
host's routing table, or use a combination of IPv4 and IPv6 protocols to spread faster
Extension headers provide additional options for special case packets. IPv4
has options field after, but using these options is rare because of the greatly increased
processing time required for the packet. IPv6 deals with these extension headers
more effectively. The options are located in the header between the IP header and
the data payload. There can be more than one extension header in a packet, but
they are not required. There are several types of extension headers in IPv6 (Lane &
Hauser, 2002).
This header is used to pass optional information to all nodes along a packet's
delivery path. It must be the first header in the packet as it is read by every node
along the path. It should also appear only once in the packet. This header has the
Passes additional parameters to the destination system. This header does not
This header is used for identifying routes for the packet. It lists one or more
intermediate relays through which the packet must be routed on its way to the
destination node. Standards require that all nodes (routers and hosts) must be able
to handle an IPv6 packet that contains a routing header. There are two types of routing
headers. Type 0 is similar to the concept of IPv4 source routing headers. Type 2 is
This header can be used to reflect traffic through a middle host before reaching
its destination. Skipping hosts can improve speed, but could be used as a means to
bypass firewalls that do not check for the presence of the routing extension header
be easily carried across a data network that would not normally be able to handle the
large packets (like a wireless network). When the large packet is received, and the
outbound interface MTU size is too small, each packet is broken up before
transmission, and given a unique identifier (fragment ID). The receiving host
reassembles the fragments by putting them all back together in order and then
passing the resulting complete IP packet to the protocol stack (Hogg & Vyncke, 2009)
(Maximum Transmission Unit). The IPv6 header does not fragment packets like IPv4.
Large packets are now handled by the sending systems, not the intermediate routers
Order matters:
The IPv6 packet does not need to contain any extension headers, or it can
contain just a few. If it does contain more than one extension header they should be
placed in a specific order. The recommended order is shown in Table 2 (Lane &
The fields within the IPv6 header each have very specific jobs. Table 3 is a list
of the fields in the header and what they are used for:
Figure 5 shows the header diagram standard. This standard covers the IPv6
header format that is used in the IPv6 protocol. It is based on 32 bit boundaries to
make it easy for 32-bit processors to utilize the structure effectively. The protocol and
header itself do not represent any security vulnerabilities. How they are processed
and created are what lead to security issues. “Packets do not hack computers,
Hogg & Vyncke (2009) warn that although extensions are a good addition to
the protocol, there are several security risks associated with them at this time.
The Internet Engineering Task Force (IETF) is the organization that defines the
specifications of the IPv6 protocol. Implementors must follow these rules to create an
interoperable protocol. Some of the specs are not fully defined and are considered
ambiguous and incomplete. This allows unforeseen security issues to arise after
software is developed and deployed. Most of these vulnerabilities involve fields within
the IPv6 packet header. These headers define the protocol and are the primary focus
There are many elements to an IPv6 packet, and to maximize security you need
to parse the header and skip past several extension headers to reach the upper-layer
information to determine whether the protocol should be passed. The ACL filters for
package, or part of a “Multi-packet attack” (Hogg & Vyncke, 2009). The filters need to
read the header, extension header, upper-layer information and payload of a packet.
One technique that can be easily implemented is to block all the message
packets that have not yet been allocated by the IANA. The Internet Assigned
Numbers Authority (IANA) is responsible for the global coordination of the DNS Root,
IP addressing, and other Internet protocol resources. There are 4 types of messages
Risk Types
Unallocated error messages 5-99, and 102-126
Unallocated informational messages 155-199, and 202-254
Experimental messages 100, 101, 200, and 201
Extension type numbers 127, 255
Table 4: Risky Message types (Hogg & Vyncke, 2009. p20)
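An added example (not code from the paper or from Hogg & Vyncke) of the filtering described above: it walks the extension header chain to the upper-layer header and drops ICMPv6 types listed in Table 4. The sample packets, the 2001:db8:: addresses, the function names, and the extra rules that drop a type 0 routing header or a misplaced hop-by-hop header are assumptions of this example.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, ICMPV6, DEST_OPTS = 0, 43, 44, 51, 58, 60

# ICMPv6 type ranges copied from Table 4 on this page (Hogg & Vyncke, 2009).
RISKY_ICMPV6 = {
    "unallocated error": [(5, 99), (102, 126)],
    "unallocated informational": [(155, 199), (202, 254)],
    "experimental": [(100, 101), (200, 201)],
    "extension type number": [(127, 127), (255, 255)],
}

def classify_icmpv6(msg_type):
    """Return the Table 4 category of an ICMPv6 type, or None if it is not listed."""
    for category, ranges in RISKY_ICMPV6.items():
        if any(lo <= msg_type <= hi for lo, hi in ranges):
            return category
    return None

def walk_headers(packet):
    """Return (chain, upper_proto, upper_offset); chain lists (proto, offset) pairs."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 fixed header")
    proto, offset, chain = packet[6], 40, []
    while proto in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if proto == FRAGMENT:
            length = 8                               # fixed size
        elif proto == AH:
            length = (packet[offset + 1] + 2) * 4    # length field counts 4-byte words
        else:
            length = (packet[offset + 1] + 1) * 8    # length field counts 8-byte units
        if offset + length > len(packet):
            raise ValueError("extension header runs past end of packet")
        chain.append((proto, offset))
        if proto == FRAGMENT and struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
            return chain, None, None                 # later fragment: no upper-layer header
        proto, offset = packet[offset], offset + length
    return chain, proto, offset

def filter_decision(packet):
    """Return (verdict, reason) for one packet; parse failures are dropped."""
    try:
        chain, upper, upper_off = walk_headers(packet)
    except ValueError as exc:
        return "drop", str(exc)
    if HOP_BY_HOP in [proto for proto, _ in chain][1:]:
        return "drop", "hop-by-hop header is not first or is repeated"
    for proto, off in chain:
        if proto == ROUTING and packet[off + 2] == 0:
            return "drop", "type 0 routing header"
    if upper == ICMPV6:
        if upper_off >= len(packet):
            return "drop", "truncated ICMPv6 header"
        category = classify_icmpv6(packet[upper_off])
        if category:
            return "drop", f"ICMPv6 type {packet[upper_off]}: {category}"
    return "permit", "no rule matched"

def build_packet(next_header, body):
    """Constructed sample packet between two documentation-prefix addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(body), next_header, 64) + src + dst + body

PAD_DEST_OPTS = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])   # 8-byte header holding one PadN
RH0 = bytes([ICMPV6, 2, 0, 1]) + bytes(4) + ipaddress.IPv6Address("2001:db8::3").packed
SAMPLES = {  # all constructed for this example
    "echo request": build_packet(DEST_OPTS, PAD_DEST_OPTS + bytes([128, 0, 0, 0, 0, 1, 0, 1])),
    "experimental": build_packet(DEST_OPTS, PAD_DEST_OPTS + bytes([100, 0, 0, 0, 0, 0, 0, 0])),
    "routing type 0": build_packet(ROUTING, RH0 + bytes([128, 0, 0, 0, 0, 1, 0, 1])),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, filter_decision(pkt))
```

A filter that only inspected the Next Header field of the fixed header would see protocol 60 or 43 in all three samples and never reach the ICMPv6 type.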
Of course if you add these to your filters, they will have to be updated when the
comprehensive security plan needs to consider many aspects, not just attacks from
both the sender and receiver to possess the same encryption key. Both IPv4 (added
later) and IPv6 protocols use IPsec to protect the data in the packets. The framework
and unsecured areas on the network. The boundary can be a single host or network.
The access control rules determine what happens to packets with IPsec information
traversing the boundary. Generally, each packet is either protected using security
The difference between IPsec for IPv4 and IPv6 is that IPsec is optional for
IPv4, but is a requirement for IPv6 and integrated directly into the protocol and
available with any implementation. With IPv6 two headers are included as extension
header (ESP).
“The Authentication Header provides integrity and authentication for all end-to-
end data transported in an IP Packet.” (Hagen, 2006. p109). The header can be used
the fields of the IPv6 header is secured. In tunnel mode, the inner packet contains the
IP address of the sender and receiver. The outer IP header contains the IP address of
Flow Confidentiality for all end-to-end data transported in an IP packet.” (Hagen, 2006.
p111). The ESP header is located in the front of the transport, network control, or
implementations must recognize. However, it also gives the user freedom to
choose algorithms and parameters (like key sizes) (Comer, 2000). Comer (2000) also
IPsec is not a single security protocol. Instead, IPsec provides a set of security
communication.
When using IPv4 there is a barrier between devices connecting directly to each
other. This prevents true peer to peer communications because of NATs in the path of
the data. With IPv6, NATs are no longer necessary to save addressing space, and the
problems with mapping addresses and ports disappear. This true end-to-end
communication between hosts on the Internet means addresses are not changed
while in transit, thus gateways, and application programmers do not have to deal with
the problems of keeping track of the changes. Restoring this connectivity will become
much more important as more and more devices use peer-to-peer connections such
as mobile phones.
applications needing the direct communication. This would also remove the need for
echo servers on the Internet. For businesses, it means easier development of peer-
around NAT barriers. For home users, they would be able to connect directly to their
PCs from anywhere in the world, rather than having to use intermediate hosts on the
Forwarding of packets
IPv6 has fewer fields to process while forwarding and thus fewer decisions to
make in forwarding. Unlike IPv4, the IPv6 header is a fixed size of 40 bytes, which
contents of the header. Additionally, the structure of IPv6 global addresses means
that there are fewer routers to analyze in the routing tables of organizations and the
Internet backbone routers. This means traffic can be forwarded at higher data rates,
IPv6 Usage:
How much traffic is currently using IPv6 protocols? The graphic below shows
the percentage of IPv6, both native and tunneled, as a percentage of all Internet
traffic. At its peak, in Dec 2007, IPv6 represented less than one hundredth of 1% of
all Internet traffic (Labovitz, 2008). This graph also shows that as Internet traffic
increases, IPv6 traffic is not increasing at the same rate as IPv4. Consequently, the
….. the above graph may not be completely fair since many of the ISPs
do not have infrastructure to monitor native IPv6 (more about this later). But
our numbers seem to agree with data from a variety of other sources on IPv6
adoption rates.
With all the benefits and rapidly approaching end for IPv4, it is a wonder why
more ISPs are not switching over to the new protocol and taking advantage of the
improved technology. The biggest issue is money. The U.S. Department of Commerce
estimates it will cost $25 billion for ISPs to upgrade to native IPv6. Unlike the federal
incentive to upgrade to HDTV signals, there is little visual stimulus for customers to
The protocol is handled behind the scenes, like what kind of paint is used on
highways. The Internet highway is still here, do customers care how it all works? Not
now, but in the future when more and more devices are accessible on the Internet
problems will start to occur with speed and connectivity. This will be especially true
with users in North America, because other major Internet using countries are already
moving away from IPv4 because of the perceived American control over the protocol.
China, Japan, and the European Union are already well on their way to implementing
The report, from Arbor Networks, claims to be the most comprehensive study of
the results provide a sobering measure of just how slowly the technology has been
adopted. "At its peak, IPv6 represented less than one hundredth of 1 percent of
Internet traffic" over the past year, Arbor Networks' Craig Labovitz (2008) wrote in a
summary of the findings, adding wryly: "This is somewhat equivalent to the allowed
parts of contaminants in drinking water." "We believe this is the largest study of IPv6
and Internet traffic in general to date (by several orders of magnitude)," Labovitz
(2008) wrote.
protocol, IPv4. Its adoption is important because IPv4 can support only about 4 billion
IP (Internet Protocol) addresses and they are fast running out, while IPv6 will be able
to support many trillions more (2 to the 128th power). It also offers advantages in
Incentives
With cost being a major depressor for implementing IPv6, but IPv4 addressing
running very low as an incentive, the IANA has another incentive for ISPs to switch
over. Those that do are offered a minimum number of IP addresses of 2^64, or 1.8 *
may seem like a lot given the millions of ISPs and businesses, but we are working
with a huge number of total addresses, so the IANA is able to do this without causing
the same problems that preallocating IPv4 addresses caused (Labovitz, 2008).
experimenting with the new technologies before they become widespread in their use.
Thus giving an advantage to those that implement IPv6 early, before it is required.
Conclusion
IPv6 is a protocol that is several years old. It was created to replace the IPv4
protocol because the number of Internet users is ever increasing and IPv4 will
without doubt run out of addresses for those users and devices very soon. IPv6 will
have to be implemented and working smoothly before that time comes. It offers the
new security features and almost unlimited expansion of nodes that will be required in
the future.
Details were covered that showed many of the features of IPv6 including the
packet header makeup and security features. Some of the weaknesses were covered
to illustrate the problems that may be encountered, but when addressed, they are sure
to have solutions. Just as the problems of IPv4 were addressed and resolved when it
There are ways for the user to implement IPv6 on their systems, and many
good Web sites that explain how to do this for many different platforms. There are
also many Web sites already created that support the IPv6 protocol only, so IPv4
users are not able to access them at all. A simple search of the web will provide many
results.
If this paper has piqued your interest in implementing IPv6, you should try
provider does not support IPv6 at all or you have a router that does not handle IPv6
connections through your NAT, there are sites that allow you to create a direct network
tunnel, thus allowing you to get around those kinds of obstacles (you have to sign up
for those services, but most appear to be free). There are many ways to begin using
IPv6 addressing now, and when more people use it, the more popular it will become.
Colitti, L. & Kline, E. (2008). Looking Towards IPv6. Retrieved Feb. 25th, 2009 from
towards-ipv6.html
Comer, D. (2000). Internetworking with TCP/IP. Upper Saddle River, NJ. Prentice
Hall.
Hogg, S. & Vyncke, E. (2009). IPv6 Security. Indianapolis, IN. Cisco Press.
Labovitz, C. (2008). The End is near, but is IPv6? Retrieved Feb. 2nd, 2009, from Arbor
but-is-ipv6/
As I have mentioned the deliverable for this course is the paper that you write. I can
be your stakeholder for this course and it is not necessary to find other people to be
involved. I have seen this project done several times and a good focus is to compare
IPV4 to IPV6. I will be looking for the "why" factor in your paper, not the "how to do it
Sharon
Address: An identifier that can be used as the source or destination of the IPv6
Host: A node that cannot forward IPv6 packets not explicitly addressed to itself (a
non-router). A host is typically the source and a destination of IPv6 traffic, and it
interface is a tunnel interface that is used to send IPv6 packets across an IPv4
IANA: The Internet Assigned Numbers Authority (IANA) is responsible for the global
resources
ISP: Internet Service Provider. The local provider of Internet access. Usually a
wires, or wireless.
Link MTU: The maximum transmission unit – the number of bytes in the largest IPv6
packet – that can be sent on a link. This is the same as the maximum payload
Link: The set of network interfaces that are bounded by routers and that use the same
64-bit IPv6 unicast address prefix. Other terms for “link” are subnet and network
segment. Many link-layer technologies are already defined for IPv6, including
Electronics Engineers [IEEE] 802.11 wireless) and a wide area network (WAN)
Additionally, IPv6 packets can be sent over logical links representing an IPv4 or
IPv6 network by encapsulating the IPv6 packet within an IPv4 or IPv6 header.
Neighbors: Nodes connected to the same link. Neighbors in IPv6 have special
reachability.
Network: Two or more subnets connected by routers. Another term for network is
internetwork.
Node: Any device that runs an implementation of IPv6. This includes routers and
hosts.
Router: A node that can forward IPv6 packets not explicitly addressed to itself. On an
IPv6 network, a router also typically advertises its presence and host
configuration information.
Upper-layer protocol: A protocol above IPv6 that uses IPv6 as its transport.
Examples include Internet layer protocols such as ICMPv6 and Transport layer
protocols such as TCP and UDP (but not Application Layer protocols such as FTP