Architecture for Secure IPv4/IPv6 Address Translation

An Integrated Architecture for Secure IPv4/IPv6 Address Translation between IPv4 and IPv6 Networks

  • Amutha J, Meenakshi Sundaram R, Albert Rabara S3

 

Abstract. An all-IP network is probably becoming highly feasible, since applications and services in telecommunications are already becoming IP enabled. Internet Protocol version 6 (IPv6) is the later version of the IP suite, designed to handle the increasing number of Internet applications. Security has become a major concern for the next-generation IP network architecture and is considered one of the most fundamental requirements for business continuity and service delivery. Researchers have made several attempts to integrate secure IPv4/IPv6 address translation between IPv4 and IPv6 networks, but not much progress has been reported in the recent past. Hence, this research proposes an Integrated Architecture for Secure IPv4/IPv6 Address Translation between IPv4 and IPv6 Networks, with an IPv4/IPv6 Enabled Gateway Translator (IP46EGT), to achieve MAC-level, VPN-IPSec and certificate-level security. Network performance is evaluated, and the results are tabulated and presented graphically.

Keywords: IPv4, IPv6, Address Translation, Security, IPSec.

1 Introduction

The next-generation Internet Protocol, IPv6, is intended to replace IPv4; it is gaining popularity nowadays but is still sparsely deployed. Though IPv6 contains the built-in IPSec security protocol, the introduction of IPv6 changes the security field, and the transition from IPv4 creates new risks and weakens the security strategies of an organization. IPv6 is enmeshed with various issues: its global interoperability is limited due to the weakness of the encryption algorithm, IPSec has not yet been fully standardized, and there is no protection against Denial of Service/flooding attacks [1]. One of the core issues with IP security today is that it is an “add-on” and was not built in from the start: the core functionality is developed first, and the security requirements are satisfied afterwards. This tends to create a problem because IP is becoming a ubiquitous form of communication that affects the entire enterprise [2].

The IPSec protocol suite, as an extension to the basic IP protocol, provides confidentiality and authentication services and overcomes the security problems caused by the mobility between the mobile node and the home agent [3]. IPSec is compatible with current Internet standards in IPv4. In IPv6, however, IPSec is defined as a mandatory feature, and the objective of improved security is to create routing changes that provide both mobility in the network and safety against various security threats [4].

To prevent an attacker from establishing false connections and to ensure the integrity of the mobile node and its peers, security in the proposed architecture guarantees data origin authentication of IP packets through a Cryptographically Generated Address (CGA), while securing the binding update messages between the mobile node, the home agent and the correspondent node. Hence, in this research, an Integrated Architecture for Secure IPv4/IPv6 Address Translation between IPv4 and IPv6 Networks, with an IPv4/IPv6 Enabled Gateway Translator (IP46EGT), is proposed to achieve three levels of security, namely MAC-level security, VPN-IPSec security and certificate-level security. Network performance is evaluated, and the results are tabulated and presented graphically.

2 Review of Literature

Frederic et al. [5] advocated various algorithms and tools that ensure the security configuration of the firewalls and generate the IPv6 addressing scheme in and for an IPv4 enterprise network in which the deployed firewalls are stateful. A new model was suggested by Nazrul et al. [6] in the form of a new Internet Key Exchange (IKE) authentication to ensure end-to-end IPSec interoperability across a translation gateway. This model uses Address Based Keys (ABK) with a certificateless signature to secure the communication channel between end nodes, using their end IP addresses as public/secret keys for authentication, which eliminates the notification of revoked keys. Seewald [7] proposed an architecture for NGN which provided flexibility, interoperability and built-in security technologies (IPSec). Serap et al. [8] proposed an autonomic and self-adaptive system which integrates the NGN architecture with the ITU-T security model for assuring the security of NGNs, with additional features enabling it to dynamically detect vulnerabilities and threats and perform risk analyses. Mahdi et al. [9] presented an integrated-security open architecture model for NGN based on the concepts of an Integrated Security Module (ISM) to protect data and Targeted Security Models (TSMs) to protect entities, users, servers and resources. The protocol used in this model provides only network-level security, and the functionality of this set of protocols relates only to the infrastructure layer of the X.805 standard, which is concerned with the security of network links and elements.

3 Proposed Architecture

The proposed architecture is designed to integrate the two independent IP versions, IPv4 and IPv6, by permitting mobile nodes of one IP version to communicate with networks of the other version. IPv4 networks therefore communicate with IPv6 mobile nodes, and IPv6 networks communicate with IPv4 mobile nodes. This is achieved by designing a novel translator, namely an IPv4/IPv6 Enabled Gateway Translator (IP46EGT), which is simulated in the form of a PC-Emulator. The IP46EGT translates an IPv4 address into an IPv6 address and an IPv6 address into an IPv4 address. When an IPv6 node communicates with an IPv4 host in the IPv4 network, the translated IPv6 source prefix is configured in the IP46EGT, which inspects the destination address of the IPv6 packet. If its prefix is the same as the configured prefix, the address mapping takes place and converts the IPv6 address to an IPv4 address. Fig. 1 represents the proposed Secure Architecture for IPv4/IPv6 Address Translation between IPv4 and IPv6 Networks.

Fig. 1. Proposed architecture for secure IPv4/IPv6 Address Translation between IPv4 and IPv6 Networks

Three levels of security, namely MAC-level security, VPN-IPSec security and certificate-level security, are incorporated in the proposed architecture, which provides data integrity, data confidentiality, data origin authentication and protection against replay attacks. A Virtual Private Network (VPN) is incorporated in the proposed architecture to provide secure data transmission between the VPN mobile node and the network. These systems ensure that only authenticated users can access the network and that the data cannot be intercepted. The PC-Emulator in the architecture generates a New Secret Key (NSKG), which is the Cryptographically Generated Address (CGA), for every communication. A load balancer balances traffic over multiple connections, which ensures the availability of the network and improves the overall performance and availability of the applications.

Level 1: MAC-Level Security

MAC (Media Access Control) level security is used in the proposed architecture because of its unique identifier assigned to a network interface for communications on the physical network. The source node used for communication consists of a MAC address as the source public key (SPuk), which generates a New Secret Private Key (NSKG) as the Cryptographically Generated Private Address (CGPrA) for every communication. The NSKG is a combination of the four-digit random number (SKG) and the last two bit positions of the source client node MAC address (MSKG) that is, NSKG = SKG + MSKG. The NSKG is sent to the source and destination to establish an authentication between the mobile node and the server which provides the end-to-end security.

Level 2: VPN-IPSec Security

Virtual Private Network (VPN) is incorporated in the proposed architecture to provide secure data transmission between the VPN mobile node and the network. These systems ensure that only authenticated users can access the network and the data cannot be intercepted. VPN-IPSec permits highly secure site-to-site connectivity and protects IPv4 and IPv6 traffic as it communicates between end hosts or security gateways. Packets sent by an attacker are dropped by VPN-IPSec enabled hosts which provides connectionless integrity and authentication.

Level 3: Certificate Level Security

To obtain a certificate, a private secret key (NSKG) based on the public key (SPuK) is generated by the Level-1 security. A certificate is created by binding the public and the private key, and the payload is passed to the Certificate Server to verify whether the information is valid. If it is valid, a secured connection is established between the end users and the translation between the source and the destination takes place. If not, the connection is not established and the translation process fails.

3.1 Proposed Addressing Concept

IPv4 addresses use 32-bit identifiers and IPv6 addresses use 128‐bit identifiers. The type of an IPv6 address is identified by the high-order bits of the address. The IPv4‐compatible IPv6 address and IPv4‐mapped IPv6 address concepts are used in the proposed architecture to represent the IPv6 address and the IPv4 address respectively. Hence, in the proposed addressing architecture, in order to promote IPv4 and IPv6 translation, the IPv6 global unicast address is modified and used. For the IPv4-mapped IPv6 address, the most significant 16 bits, from the 1st to the 16th bit, are assigned the format prefix 2001. The address format for IPv6 in an IPv4 visited network represents the IPv4-mapped IPv6 address, in which the 17th to 32nd bits are assigned FFFF. The next 32 bits, from the 33rd to the 64th, represent the 32-bit IPv4 router address. The least significant 64 bits, from the 65th to the 128th, are assigned the Interface Identifier (ID) by the cryptographically generated address. For the IPv4-compatible IPv6 address, the IP46EGT extracts the 32 bits from the 33rd to the 64th bit position of the network part of the IPv6 address and converts them to the corresponding IPv4 address. The remaining bit positions are assigned zeroes, representing the IPv4-compatible IPv6 address.

3.2 Proposed Interface Design

An Interface is designed for the proposed secure architecture for IPv4/IPv6 Address Translation between IPv4 and IPv6 Networks and is presented below.

Procedure PCEmulator
Begin
{
    If Request_from_MNv6_IPv4RouterAddr_Solicitation_(Rv4_Addr) then
    {
        Response_Request_from_MNv6_IPv4RouterAddr_Solicitation_(Rv4_Addr);
    } // End of If

    // Key Generation
    Secret_Key_Gen()
    {
        SKG = Random_No_Gen();              // 4-digit Random Number Generation
        MSKG = Get_MAC_ID(PE_MAC, 15, 17);
        NSKG = SKG + MSKG;                  // Generation of key
    }

    Key_Exchange(SRC, DST, NSKG)
    {
        PE = NSKG;
        NSKG -> Send_to_SRC;
        NSKG -> Send_to_DST;
    }

    { // Formation of the IPv6 address
        V6Bdd(1-16) <- FP(2001);
        V6Bdd(17-32) <- MA(FFFF);
        V6Bdd(33-64) <- Decimal_to_Hexadecimal(46);
        V6Bdd(65-128) <- MAC address;
        V6CGBdd = V6Bdd + NSKG;
        IPv6AP <- V6CGBdd + HAv6;
    }

    If Request_from_MNv4_IPv6RouterAddr_Solicitation_(Rv6_Addr) then
    {
        Response_Request_from_MNv4_IPv6RouterAddr_Solicitation_(Rv6_Addr);
    } // End of If

    { // Formation of the IPv4 address
        V4Bdd(1-32) <- CA(0000);
        V4Bdd(33-64) <- Hexadecimal_to_Decimal(64);
        V4CGBdd = V4Bdd + NSKG;
        IPv4AP <- V4CGBdd + HAv4;
    }

    If (Successful(DAD)) then
    {
        // Performs Registration_process and communication
        // between IPv4 and IPv6 nodes takes place
    } // End of If
}
End; // End of Begin
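
The address layout of section 3.1 and the key generation step of the PCEmulator procedure, as an added Python example (not the authors' code). It assumes that MSKG is the last two hex digits of the MAC address, that SKG and MSKG are joined as text, and that the MAC is right-aligned in the 64-bit interface field; how NSKG is combined with the address is not specified on the page, so it is kept out of the address here.

```python
import ipaddress
import re
import secrets

FP = 0x2001  # bits 1-16: format prefix (section 3.1)
MA = 0xFFFF  # bits 17-32: IPv4-mapped marker (section 3.1)


def mac_digits(mac):
    """Return the 12 hex digits of a 48-bit MAC address, lower-cased."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def make_nskg(mac, skg=None):
    """NSKG = SKG + MSKG: four random decimal digits, then the MAC tail."""
    if skg is None:
        skg = secrets.randbelow(10_000)  # CSPRNG draw in 0000-9999
    if not 0 <= skg <= 9999:
        raise ValueError("SKG must fit in four decimal digits")
    # Assumption: MSKG is the last two hex digits of the MAC. The MAC is
    # visible on the local link, so only the 10**4 SKG values are secret.
    return f"{skg:04d}{mac_digits(mac)[-2:]}"


def build_v6(router_v4, mac):
    """Pack 2001 | FFFF | IPv4 router address | 64-bit interface ID."""
    v4 = int(ipaddress.IPv4Address(router_v4))
    iid = int(mac_digits(mac), 16)  # assumption: MAC right-aligned in 64 bits
    return ipaddress.IPv6Address((FP << 112) | (MA << 96) | (v4 << 64) | iid)


def extract_v4(addr):
    """Translator side: check the configured prefix, return bits 33-64."""
    value = int(ipaddress.IPv6Address(addr))
    if value >> 96 != (FP << 16) | MA:
        raise ValueError("destination prefix is not the configured 2001:ffff")
    return ipaddress.IPv4Address((value >> 64) & 0xFFFFFFFF)


if __name__ == "__main__":
    # Constructed sample values (documentation address range, made-up MAC).
    mac = "00:11:22:33:44:55"
    v6 = build_v6("192.0.2.1", mac)
    print(v6, "->", extract_v4(v6), "NSKG:", make_nskg(mac))
```

The prefix check in `extract_v4` mirrors the translator's rule that mapping happens only when the destination prefix equals the configured one; any other address is rejected rather than translated.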

4 Experimental Study

The main focus of the experimental study is to test the functionality of the IPv4/IPv6 address translation architecture with respect to security between IPv4 and IPv6 nodes and to measure the performance of these mechanisms on a network. The testing process is carried out in a lab environment using a virtual topology. The performance of the proposed system is investigated in terms of packet reachability and round-trip latency of ping packets using a security-enabled translator. The results of the study are tabulated and presented graphically.

5 Performance Analysis

5.1 Packet Reachability of Ping packets

Packet reachability of ping packets is calculated for packet sizes varying from 64 bytes to 1440 bytes (64, 128, 256, 512, 1024, 1440). Table 1 shows the packet reachability of ping packets. The columns labeled PR-T and PR-TS show the packet reachability using the translator and the security-enabled translator respectively.

Table 1. Packet Reachability of ping packets

Packet size (bytes)    PR-TS (microseconds)    PR-T (microseconds)
64                     27                      20
128                    30                      23
256                    32                      25
512                    32                      25
1024                   37                      30
1440                   47                      37

Fig. 2 depicts the packet reachability of ping packets, in which the X-axis of the graph represents the packet size in bytes and the Y-axis represents the time interval in microseconds. From the graph, it is observed that the reachability time of ping packets using the security-enabled translator (PR-TS) is a little higher than the reachability time of packets without security.

5.2 Round-Trip Latency using security enabled translator

The round-trip latency between IPv4 and IPv6 with the security-enabled translator is tabulated in Table 2. The columns labeled IPv4-IPv6 and IPv6-IPv4 show the latency between two machines communicating directly, which is observed to be normal, as expected. The columns labeled RTL-S show the round-trip latency with the security-enabled translator.

Fig. 2. Packet Reachability of ping packets

Fig. 3 represents the communication between the IPv4 and IPv6 nodes with security enabled translator, in which the X-axis in the graph represents the packet size in bytes and Y-axis represents the time interval in microseconds. It is observed that the communication from IPv6 to IPv4 is faster than IPv4 to IPv6 communication with the security enabled translator.

Fig. 3. Round-Trip Latency using security enabled translator

Table 2. Round-Trip Latency using security enabled translator

Packet size (bytes)    IPv4-IPv6 (microseconds)    IPv6-IPv4 (microseconds)    IPv4-IPv6 (RTL-S) (microseconds)    IPv6-IPv4 (RTL-S) (microseconds)
64                     266                         244                         306                                 281
128                    282                         261                         334                                 308
256                    327                         295                         394                                 347
512                    374                         360                         451                                 426
1024                   587                         572                         676                                 651
1440                   708                         676                         808                                 768

6 Conclusion

Security has become a very important issue for communication between IPv4 and IPv6 networks. Hence, three levels of security, namely MAC-level security, VPN-IPSec security and certificate-level security, are incorporated in the proposed architecture, which provides data integrity, data confidentiality and data origin authentication, and thereby end-to-end secure communication is achieved. Packets sent by an attacker are dropped by VPN-IPSec enabled hosts, which provides connectionless integrity and authentication. The proposed architecture is tested, and the results are tabulated and presented graphically.

References

[1] Abu Taha Zamani, Syed Zubair: Deploying IPv6: Security and Future. International Journal of advanced studies in Computer Science and Engineering (IJASCSE), vol. 3, No. 4 (2014)

[2] Juniper Networks: An IPv6 Security Guide for U.S. Government Agencies. The IPv6 World Report Series, vol. 4 (2008)

[3] Huiping Sun, Junde Song, Zhong Chen: Survey of Authentication in Mobile IPv6 Network. IEEE CCNC proceedings (2010)

[4] Hero Modares, Amirhossein Moravejosharieh, Hassan Keshavarz, Rosli Salleh: Protection of Binding Update Message in Mobile IPv6. IEEE UKSim-AMSS 6th European Modelling Symposium (2012)

[5] Frederic Beck, Olivier Festor, Isabelle Chrisment, Ralph Droms: Automated and Secure IPv6 Configuration in Enterprise Networks. IEEE International Conference on Network and Service Management – CNSM (2010)

[6] Nazrul M. Ahmad and Asrul H. Yaacob: End to End IPSec Support across IPv4/IPv6 Translation Gateway. IEEE Second International Conference on Network Applications, Protocols and Services (2010)

[7] Seewald M. G.: Benefits of end-to-end IP for cyber and physical security. IEEE (2012)

[8] Serap Atay, Marcelo Masera: Challenges for the security analysis of Next Generation Networks. Elsevier (2010)

[9] Mahdi Aiash, Glenford Mapp, Aboubaker, Raphael Phan: Providing Security in 4G Systems: Unveiling the Challenges. IEEE (2010)
