IPv6 and deep packet inspection

Journal of Technology Research

Thomas B. Martin
Holy Family University

ABSTRACT

The current version of the Internet, IPv4, was depleted of addresses on February 3, 2011 [1]. The shortage of addresses has led to the introduction of IPv6, which has 128-bit (16-byte) source and destination IP addresses. Many organizations do not see a reason to convert to IPv6, and believe they are not running IPv6 [2]. Whether an organization knows it or not, any laptop/PC running Vista or Windows 7 is a vulnerability from which attacks can come that will be invisible to IPv4 networks.

Since the Internet today uses IPv4 for 99% of the traffic [3], it will be a slow migration to IPv6. Three transition strategies are being employed: header translation, dual stack and tunneling of IPv6 inside IPv4 [4]. Tunneling is the most precarious method for today's IPv4 networks. The IPv6 packet is included inside the message field of an IPv4 packet. The contents of the IPv6 packet will not be noticed by an IPv4 firewall or intrusion detection system. Hidden IPv6 traffic running across an organization's network can wreak havoc, allow malware to enter the network, and be the basis for a denial of service attack [5]. The only defense against such attacks is deep packet inspection (DPI).

The widespread use of DPI is inevitable. The first serious security breach caused by tunneled IPv6 inside an IPv4 packet is certain to come in the near future. This event will be a stimulus to organizations to defend against such attacks.

Keywords: IPv4, IPv6, deep packet inspection, cyber terrorism, security







IPv6 and deep packet, Page 1

1. THE IMPENDING WORLD OF IPV6

a. Additional Addresses

The current version of the Internet, IPv4, was depleted of addresses on February 3, 2011 [1]. The shortage of addresses has led to the introduction of IPv6 which has 128-bit (16-byte) source and destination IP addresses. This address space is: 2^128 or about 3.4×10^38 (340 trillion trillion trillion).

IPv6 will create an era of "throw-away" IP addresses. Every light bulb, door lock, package of lunch meat, quart of milk, jar of mustard could be given an IPv6 address and an RFID chip that communicates the status. The lunch meat could indicate it is going stale, the mustard jar could transmit that it is past the recommended use period, the battery in our flashlight could send a "replace me" message to an RFID reader, the light bulb could indicate it is near end of life, the fire detector could transmit "my battery needs to be replaced," etc.

With every new technology, there are new security threats and vulnerabilities. Inequality of IPv4 distribution of addresses has caused other countries to embrace IPv6 before the United States. China is the world leader in IPv6 because of the need for more IP addresses, which cannot be supplied by IPv4, the current version of the Internet. The implications of the USA being behind in this field are ominous for security of organizations.

b. IPv4 & IPv6 Will Coexist for a Long Time

Since the Internet today uses IPv4 for 99% of the traffic [6], it will be a slow migration to IPv6. Many organizations do not see a reason to convert to IPv6, and believe they are not running IPv6. However, Microsoft Vista and Windows 7 have IPv6 compatibility enabled as the default setting. Whether an organization knows it or not, any laptop running Vista or Windows 7 is a vulnerability from which attacks can come that will be invisible to IPv4 networks.

2. MIGRATION STRATEGIES FROM IPV4 TO IPV6

There are three techniques being used in the transition period from IPv4 to IPv6 [4]. Each of these is shown in the graphics below.

a. Header Translation




Header translation can be used when sending IPv6 traffic to an IPv4 network as the end destination. This transition strategy is not likely to become a preferred transition method, because the advantages of both protocols can be lost.

b. Dual Stack



Dual stack can be used when a network handles both kinds of traffic. Although dual stack is the transition method most likely to be widely deployed, it essentially doubles the network security problem [5]. On June 8, 2011 a "World IPv6 Day" will be conducted for 24 hours to test major organizations' capability to operate successfully using dual stack methodology [7]. Dual stack is expected to be the preferred method of transitioning to IPv6.

c. Tunneling



Tunneling is the most precarious method for today's IPv4 networks. The IPv6 packet is tunneled inside the message field of an IPv4 packet. The contents of the IPv6 packet will not be noticed by an IPv4 firewall or intrusion detection system. Cyber terrorists can use this vulnerability to deliver malware, penetrate databases, plant bots, etc.

3. WHY CAN IPV6 BE DANGEROUS?

Tunneling of IPv6 inside an IPv4 packet will be invisible to an organization using only IPv4. Hidden IPv6 traffic running across an organization's network can wreak havoc, allow malware to enter the network, and be the basis for a denial of service attack.


4. WHAT ACTIONS CAN BE TAKEN TO REDUCE THE THREAT OF INVISIBLE IPV6 TRAFFIC?

a. Upgrade Today to IPv6

This is a costly but effective solution, and the best of the choices. Very few organizations, however, have chosen this path because of the financial implications of upgrading their entire network in a short period of time.

b. Block all IPv6 Traffic

This solution is only temporary and difficult to administer. Furthermore, it is ineffective
against tunneled IPv6 traffic, unless a technique known as Deep Packet Inspection (DPI) is
employed. We shall address DPI shortly.

5. DEEP PACKET INSPECTION – FRIEND OR FOE?

Internet communications employ packets with headers containing routing information, including source and destination addresses. Historically, only the header was examined by network routers. This is inadequate for the detection of tunneled IPv6 inside an IPv4 packet. Since we are in a world dominated by IPv4, the only way to detect tunneled IPv6 is to use Deep Packet Inspection.

Deep Packet Inspection (DPI) is the act of any packet network equipment which is not an endpoint of a communication using non-header content (typically the actual payload) for some purpose. This is performed as the packet passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions or predefined criteria to decide what actions to take on the packet, including collecting statistical information. This is in contrast to shallow packet inspection (usually called Stateful Packet Inspection) which just checks the header portion of a packet [8].
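The shallow-versus-deep contrast above, and the tunneling case from section 2c, as an added example that is not part of the paper: a header-only view of an IPv4 packet reports nothing but protocol number 41 (the IANA number for IPv6 carried directly in IPv4), while a deep inspection of the payload recovers the inner IPv6 addresses and next header that an IPv4-only filter never sees. The packet bytes are constructed inline; the addresses and port numbers are documentation values chosen for the example.

```python
import struct
import ipaddress
from typing import Optional

IPPROTO_IPV6 = 41  # IANA protocol number: IPv6 encapsulated in IPv4


def parse_ipv4(pkt: bytes) -> dict:
    """Outer header only: this is all a shallow (header) inspection sees."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                  # header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"ihl": ihl, "total_len": total_len, "proto": pkt[9],
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20]))}


def inspect_tunneled_ipv6(pkt: bytes) -> Optional[dict]:
    """Deep inspection: when the outer protocol is 41, parse the IPv6 header
    hidden in the IPv4 payload and return its fields; None if not a tunnel."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPV6:
        return None
    inner = pkt[outer["ihl"]:outer["total_len"]]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None  # protocol 41 without a well-formed IPv6 header: malformed
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", inner[4:8])
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
            "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
            "next_header": next_hdr, "hop_limit": hop_limit,
            "payload_len": payload_len}


def build_sample() -> bytes:
    """Constructed sample: IPv4 (proto 41) wrapping an IPv6 packet whose own
    payload is a bare 8-byte UDP header (IPv6 next header 17)."""
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)            # src, dst, len, csum
    ipv6 = struct.pack("!IHBB", 0x60000000, len(udp), 17, 64)
    ipv6 += ipaddress.IPv6Address("2001:db8::1").packed
    ipv6 += ipaddress.IPv6Address("2001:db8::2").packed
    ipv6 += udp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64,
                       IPPROTO_IPV6, 0,
                       ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address("198.51.100.7").packed)
    return ipv4 + ipv6


if __name__ == "__main__":
    sample = build_sample()
    print("shallow view:", parse_ipv4(sample))
    print("deep view:   ", inspect_tunneled_ipv6(sample))
```

The checksum fields are left zero because the parser never validates them; a production inspector would also need to handle the UDP-based tunnel forms, which this example deliberately leaves out.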
Deep Packet Inspection operates at all layers of a network above the physical layer. Each
packet is examined for the information in the entire packet, not just the headers. DPI places a
processing burden on the device performing this task, and can be a source of latency in a
network. In an ideal world, processing speed requirements of DPI would be met by increases in
device technology in accordance with Moore’s Law. The current situation is that delays in
networks are mostly caused by processing delays.
DPI can also be used for commercial gain by classifying Internet traffic by type, with charging policies flowing therefrom. This would seem to violate the concept of Internet neutrality, but it is a direction that various ISPs have been favoring and lobbying to achieve.
The widespread use of DPI is inevitable. The first serious security breach caused by
tunneled IPv6 inside an IPv4 packet is certain to come in the near future. This event will be a
stimulus to organizations to defend against such attacks. It has already been a major source of
attacks against the US Government.


6. LEGAL, SOCIAL, AND SECURITY IMPLICATIONS

It is inevitable that DPI will be widely employed out of necessity since organizations cannot switch overnight to IPv6. Another aspect is that DPI is a rich source of information for intelligence agencies and government surveillance. DPI is opposed by advocates of network neutrality and the ACLU [9, 10].

7. ENCRYPTION AND IPV6

An issue that must be resolved by a security policy for an organization is encryption. Headers are never encrypted since they need to be read for routing purposes. Messages, however, can be encrypted. The reason that the United Arab Emirates and Saudi Arabia recently banned Blackberry was because Blackberry uses encryption and message content cannot be monitored. Government surveillance is not possible with encrypted traffic. RIM capitulated under pressure by the Saudis and agreed to place a server in Saudi Arabia, thereby providing the means for government surveillance of Blackberry traffic [11]. Skype also uses encryption; do not look for widespread acceptance of Skype in countries using total surveillance of citizens' electronic communications.
The access control policies for an organization should be determined by the message content that is found by DPI. Presumably, for unencrypted messages of tunneled IPv6 inside an IPv4 packet it would be easy to decide whether to forward to the addressee. If the message is encrypted, a policy must be established. The simplest solution is to block all tunneled traffic that has the message encrypted. This policy may have secondary negative effects on an organization's ability to communicate. If the encrypted message is allowed to enter the enterprise, a greater risk is taken, since inside the organization there may be an individual who is trying to avoid the internal security policies.

8. OBSERVATIONS AND RECOMMENDATIONS

The transition period between IPv4 and IPv6 is full of future unknowns. Unanticipated
security vulnerabilities are certain. Legal issues on the rights to privacy, surveillance, and
Internet neutrality will all come into play. It will be an interesting next stage in the growth of the
Internet. The threats caused by the advent of IPv6 must not be ignored by an organization. It is
imperative to begin guarding against a major catastrophe caused by inattention to the
forthcoming world of IPv6.



9. REFERENCES

1. http://www.icann.org/en/news/releases/release-03feb11-en.pdf
2. S. Bradner and A. Mankin, "The Recommendation for the Next Generation IP Protocol", RFC 1752, Jan. 1995
3. https://www.arin.net/knowledge/about_resources/ceo_letter.pdf
4. Bihrouzan A. Forouzan, "TCP/IP Protocol Suite", 4th Edition, McGraw Hill, ISBN: 978-0-07-337604-2, 2010
5. C. Caicedo, J. Joshi, and S. Tuladhar, "IPv6 Security Challenges", Computer, IEEE Computer Society, February 2009
6. https://www.arin.net/knowledge/about_resources/ceo_letter.pdf
7. http://isoc.org/wp/worldipv6day
8. http://www.symantec.com/connect/articles/perils-deep-packet-inspection
9. http://www.aclu.org/technology-and-liberty/aclu-warns-against-intrusive-deep-packet-inspection
10. http://www.aclu.org/net-neutrality
11. http://www.msnbc.msn.com/id/38594687/ns/technology_and_science-tech_and_gadgets/
