Simulation Study of a Many-to-One Mapping for IPv6 Address Owner Identification in an Enterprise Local Area Network
Related papers
One-to-many reversible mapping for IPV6 address generation: Simulation software development
This paper presents the development of a one-to-many reversible mapping mechanism simulation for IPv6 address generation. The aim of this mechanism is to improve IPv6 address generation in terms of privacy and security in an enterprise local area network (LAN). Each time a user accesses the network, a dynamic IPv6 address is assigned via the DHCPv6 server. The dynamic address (one-to-many mapping) protects a user from unwanted behavior analysis attempting to exploit IPv6 addresses, thus protecting user privacy. However, the dynamic address can be uniquely linked to the user (many-to-one mapping) if the need arises. The one-to-many reversible mapping is generated dynamically using the Cipher Feedback (CFB) mode of operation of the Advanced Encryption Standard (AES). The software simulation is developed using the software engineering waterfall model, with a Unified Modeling Language (UML) class diagram as notation. The results show that the mechanism simulates well for IPv6 address generation and IPv6 address owner identification. The one-to-many mapping may be incorporated into DHCPv6 software, and the many-to-one mapping may be implemented as a complement to local area network monitoring software.
User identification in IPV6 network
Users in IPv4 networks typically use only one IP address per interface, configured either statically or dynamically via a DHCPv4 server. Several techniques can be used to detect violations of that policy. However, the IPv6 protocol brings new techniques and possibilities for obtaining an IPv6 address. New concepts (autoconfiguration, multiple IPv6 addresses per interface, or temporary IPv6 addresses providing privacy for end users) introduce new challenges for user identification. Network administrators have to collect additional information for user identification from more sources, e.g. DHCPv6 logs, router neighbor caches, RADIUS logs, syslog, etc. This paper presents an analysis of the IPv6 address assignment used in current networks together with guidelines on how to identify a user in IPv6 networks.
Keywords: IPv6, address assignment, user identification
Ing. Matěj Grégr; Ing. Tomáš Podermański; prof. Ing. Miroslav Švéda, CSc.
Randomness Test of Cryptographic One-to-many Reversible Mapping for IPv6 Address Generation
This paper presents simulation results of a randomness test of a cryptographic one-to-many reversible mapping between the user space and the IPv6 address space. A one-to-many reversible mapping mechanism is developed which may be embedded into a DHCPv6 (Dynamic Host Configuration Protocol for IPv6) server in stateful mode within an enterprise local area network (LAN). Each time a user accesses the network, the DHCPv6 server is able to assign a dynamic IPv6 address. The dynamic address (obtained through the one-to-many mapping) protects the user from unwanted behavior analysis exploiting IPv6 addresses, thus protecting user privacy. However, the dynamic address can be uniquely linked to the user (through the many-to-one reversible mapping) if the need arises. The randomness of the dynamic address (one-to-many mapping) for IPv6 address assignment is evaluated for uniformity using the monobit (frequency) test, and the avalanche effect is evaluated using Hamming distance tests. Simulation resul...
A new approach for detection of host identity in IPv6 networks
2013 International Conference on Data Communication Networking (DCNET), 2013
For security, management and accounting, network administrators benefit from knowledge of IP and MAC address bindings. In IPv6, learning these bindings is not as straightforward as it is in IPv4. This paper presents a new approach to tracking IPv6 address assignments in LANs. The method is based on a study of the implementation of IPv6 (mainly neighbor discovery) in current operating systems. The detection is passive for end devices and does not require any software or hardware modifications. In contrast with current methods, our approach does not poll routers in the network and also works in networks where IPv6 multicast is not broadcast to every port (active Multicast Listener Discovery snooping, MLD snooping). Moreover, our approach detects that an address is no longer used. The approach was successfully tested in a campus network.
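One building block of the passive approach described above is parsing the Neighbor Discovery messages that hosts send anyway. The Go program below is an added example for this page, not the authors' implementation: it extracts address-to-MAC assertions from Neighbor Advertisements (target address plus Target Link-Layer Address option) and from Neighbor Solicitations (source address plus Source Link-Layer Address option), treats a Duplicate Address Detection probe (source ::) as a tentative address rather than a binding, and feeds the results into a binding table. The packets are constructed inside the block with the ICMPv6 checksum left at zero; a deployment would read frames from the wire instead.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

const (
	icmpv6NeighborSolicit = 135
	icmpv6NeighborAdvert  = 136
	optSourceLinkLayer    = 1
	optTargetLinkLayer    = 2
)

// Observation is what one Neighbor Discovery message asserts about an address.
type Observation struct {
	IP        net.IP
	MAC       net.HardwareAddr // nil for a DAD probe
	Tentative bool             // true for a DAD Neighbor Solicitation (source ::)
}

// ParseND inspects an IPv6 packet (no link-layer header) and extracts the address-to-MAC
// assertion carried by a Neighbor Solicitation or Advertisement. The ICMPv6 checksum is
// not verified: this is a passive observer, not the destination host.
func ParseND(pkt []byte) (Observation, bool) {
	if len(pkt) < 40 || pkt[0]>>4 != 6 || pkt[6] != 58 {
		return Observation{}, false // not IPv6, or ICMPv6 not directly after the fixed header
	}
	plen := int(binary.BigEndian.Uint16(pkt[4:6]))
	if plen < 24 || len(pkt) < 40+plen {
		return Observation{}, false // truncated, or too short to carry a target address
	}
	src := net.IP(pkt[8:24])
	icmp := pkt[40 : 40+plen]
	target := net.IP(icmp[8:24])
	opts := icmp[24:]
	switch icmp[0] {
	case icmpv6NeighborAdvert:
		if mac := findOption(opts, optTargetLinkLayer); mac != nil {
			return Observation{IP: target, MAC: mac}, true
		}
	case icmpv6NeighborSolicit:
		if src.IsUnspecified() {
			return Observation{IP: target, Tentative: true}, true // DAD: address not yet bound
		}
		if mac := findOption(opts, optSourceLinkLayer); mac != nil {
			return Observation{IP: src, MAC: mac}, true
		}
	}
	return Observation{}, false
}

// findOption walks the ND option TLVs (length in units of 8 octets) and returns the
// 6-byte link-layer address of the requested option type, if present.
func findOption(opts []byte, want byte) net.HardwareAddr {
	for len(opts) >= 8 {
		l := int(opts[1]) * 8
		if l == 0 || l > len(opts) {
			return nil // zero-length or overrunning option: malformed, stop parsing
		}
		if opts[0] == want && l == 8 {
			return net.HardwareAddr(opts[2:8])
		}
		opts = opts[l:]
	}
	return nil
}

// Table is the passively learned address-to-MAC binding table.
type Table struct{ bindings map[string]string }

func NewTable() *Table { return &Table{bindings: map[string]string{}} }

// Observe feeds one packet into the table; DAD probes are seen but not bound.
func (t *Table) Observe(pkt []byte) {
	if o, ok := ParseND(pkt); ok && !o.Tentative {
		t.bindings[o.IP.String()] = o.MAC.String()
	}
}

func (t *Table) Lookup(ip string) string { return t.bindings[ip] }

// buildND constructs a minimal IPv6+ICMPv6 NS or NA for the demonstration. These are
// constructed packets, not captures, and the checksum is left at zero.
func buildND(typ byte, src, target string, optType byte, mac string) []byte {
	icmp := make([]byte, 24)
	icmp[0] = typ
	copy(icmp[8:24], net.ParseIP(target).To16())
	if mac != "" {
		hw, _ := net.ParseMAC(mac)
		icmp = append(append(icmp, optType, 1), hw...)
	}
	pkt := make([]byte, 40)
	pkt[0] = 0x60
	binary.BigEndian.PutUint16(pkt[4:6], uint16(len(icmp)))
	pkt[6], pkt[7] = 58, 255
	copy(pkt[8:24], net.ParseIP(src).To16())
	copy(pkt[24:40], net.ParseIP("ff02::1").To16())
	return append(pkt, icmp...)
}

func main() {
	t := NewTable()
	t.Observe(buildND(icmpv6NeighborAdvert, "fe80::1", "2001:db8::10", optTargetLinkLayer, "00:11:22:33:44:55"))
	t.Observe(buildND(icmpv6NeighborSolicit, "2001:db8::30", "2001:db8::10", optSourceLinkLayer, "66:77:88:99:aa:bb"))
	t.Observe(buildND(icmpv6NeighborSolicit, "::", "2001:db8::20", 0, "")) // DAD probe, no binding yet
	for _, ip := range []string{"2001:db8::10", "2001:db8::30", "2001:db8::20"} {
		fmt.Printf("%-14s -> %q\n", ip, t.Lookup(ip))
	}
}
```

The option walker stops at a zero-length or overrunning option rather than looping, which is the check a passive parser fed from an untrusted segment needs most; adding aging and the "address no longer used" logic the abstract mentions would sit on top of this table.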
Generation of cryptographic one-to-many mapping IPv6 address using S-AES
2010
The proliferation of enterprise wireless networks raises security concerns in any organization despite the unarguable benefits they bring. At the same time, the initiative to migrate from IPv4 (Internet Protocol version four) to IPv6 (Internet Protocol version six) is gaining momentum across the globe, both to resolve the IP address depletion problem and to reap the other benefits of IPv6. This research proposes a new scheme to manage IPv6 addresses in an enterprise wireless local area network (WLAN) which may be implemented in DHCPv6 (Dynamic Host Configuration Protocol for IPv6) software. Each user is assigned a group of IP addresses that are generated cryptographically from parameters derived from the user's attributes. Each time the user tries to access the network, a different IP address is given, generated with the S-AES (Simplified Advanced Encryption Standard) algorithm from the parameters assigned to that user, so that there is a one-to-many mapping between the user and IP addresses. Therefore, the network administrator is able to identify the user in real time from the IPv6 address, which facilitates tracking network anomalies or policy violations. Through pseudo-random IPv6 address generation, the user's privacy is protected even though the communication is transparent end-to-end.
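The three abstracts above (the CFB-based mapping, its randomness tests, and the S-AES variant) describe one idea: a keyed, invertible map between a user and a changing 64-bit interface identifier, so that the DHCPv6 server can hand out unlinkable addresses while the monitoring side can still recover the owner. The Go program below is an added example written for this page, not code from any of the papers. It uses a four-round Feistel network with AES as the round function instead of the papers' CFB or S-AES: a 64-bit identifier needs a 64-bit bijection, which AES's 128-bit block does not give directly, and CFB under a reused IV degenerates to XOR with a fixed keystream, so changing one input bit changes exactly one output bit, which is exactly what the Hamming-distance test in the second abstract would expose. The key, prefix, user IDs and nonces are assumptions; the same block also implements the monobit and Hamming-distance checks from the randomness-test abstract.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/bits"
	"net"
)

const rounds = 4 // four Feistel rounds over a pseudorandom round function give a strong 64-bit permutation

// Mapper is the DHCPv6 server's state: a secret AES key (assumed; the papers do not describe key handling) and the LAN /64 prefix.
type Mapper struct {
	block  cipher.Block
	prefix [8]byte
}

func NewMapper(key []byte, prefix net.IP) (*Mapper, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	m := &Mapper{block: block}
	copy(m.prefix[:], prefix.To16()[:8])
	return m, nil
}

// roundF: AES-encrypt (round index || 32-bit half || zero padding) and keep 32 output bits.
func (m *Mapper) roundF(round byte, half uint32) uint32 {
	var in, out [aes.BlockSize]byte
	in[0] = round
	binary.BigEndian.PutUint32(in[1:5], half)
	m.block.Encrypt(out[:], in[:])
	return binary.BigEndian.Uint32(out[:4])
}

// permute is the keyed bijection on 64-bit values; inverse=true undoes the rounds in reverse order.
func (m *Mapper) permute(x uint64, inverse bool) uint64 {
	l, r := uint32(x>>32), uint32(x)
	for i := 0; i < rounds; i++ {
		if inverse {
			l, r = r^m.roundF(byte(rounds-1-i), l), l
		} else {
			l, r = r, l^m.roundF(byte(i), r)
		}
	}
	return uint64(l)<<32 | uint64(r)
}

// Assign (one-to-many): the same user with a fresh per-session nonce gets a new identifier.
func (m *Mapper) Assign(userID, nonce uint32) net.IP {
	ip := make(net.IP, 16)
	copy(ip, m.prefix[:])
	binary.BigEndian.PutUint64(ip[8:], m.permute(uint64(userID)<<32|uint64(nonce), false))
	return ip
}

// Identify (many-to-one): invert the permutation; addresses outside our prefix are rejected.
func (m *Mapper) Identify(ip net.IP) (userID, nonce uint32, ok bool) {
	ip = ip.To16()
	if ip == nil || !bytes.Equal(ip[:8], m.prefix[:]) {
		return 0, 0, false
	}
	x := m.permute(binary.BigEndian.Uint64(ip[8:]), true)
	return uint32(x >> 32), uint32(x), true
}

// MonobitProportion: share of one bits over n identifiers issued to one user (ideal 0.5).
func (m *Mapper) MonobitProportion(userID uint32, n int) float64 {
	ones := 0
	for i := 0; i < n; i++ {
		ones += bits.OnesCount64(binary.BigEndian.Uint64(m.Assign(userID, uint32(i))[8:]))
	}
	return float64(ones) / float64(64*n)
}

// MeanAvalanche: flip one input bit, count changed output bits, average over n trials (ideal 32).
func (m *Mapper) MeanAvalanche(n int) float64 {
	total := 0
	for i := 0; i < n; i++ {
		x := uint64(i)*0x9E3779B97F4A7C15 + 1 // constructed, well-spread inputs
		flipped := x ^ (1 << uint(i%64))
		total += bits.OnesCount64(m.permute(x, false) ^ m.permute(flipped, false))
	}
	return float64(total) / float64(n)
}

func main() {
	m, err := NewMapper([]byte("0123456789abcdef"), net.ParseIP("2001:db8:1:2::")) // assumed 128-bit server secret
	if err != nil {
		panic(err)
	}
	ip := m.Assign(4711, 1) // user 4711, first session
	uid, nonce, _ := m.Identify(ip)
	fmt.Printf("%s -> user %d session %d; monobit %.4f (ideal 0.5); avalanche %.2f/64 (ideal 32)\n", ip, uid, nonce, m.MonobitProportion(4711, 512), m.MeanAvalanche(256))
}
```

The whole 64-bit identifier carries ciphertext, so the map stays a bijection and Identify needs no lookup table; anyone holding the key can run it, which is why the key belongs on the DHCPv6 and monitoring hosts only. Because the nonce is part of the plaintext, a user who reconnects with a repeated nonce gets the same address again, so the server must never reuse one.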
Design and Implementation of IPv6 Address Using Cryptographically Generated Address Method
There is always a tradeoff between privacy and the desired level of security for any internet user in the contemporary cyber world. Cyber security, of late, is paramount, and its breach could lead to untoward consequences, at times disastrous. The advent of IPv6 provides hope of resolving this tradeoff satisfactorily. Included in the IPv6 suite is a method for devices to automatically configure their own addresses in a secure manner. This technique is called Cryptographically Generated Addresses (CGAs). CGA provides the ownership proof necessary for an IPv6 address without relying on any trust authority. However, the computation involved in CGAs is very high, especially for a high security level defined by the security parameter (Sec). The sheer cost involved may be an inhibiting factor for any user to continue with this security regime and may tempt her not to change her address on a frequent basis. Thus, the way forward could be to modify the standard CGA to make it more applicable across applications and scenarios while not compromising the optimum security level. We propose to reduce the granularity of the CGA security level from 16 to 8, which makes it more feasible for use in most applications and scenarios. The privacy part is taken care of by changing addresses over time, which protects users from being tracked. Here, we implement and evaluate these extensions to the standard CGA.
ANALYSIS OF IPV6 COMMUNICATION ARCHITECTURE USING SPECIFIC ADDRESSES
Concepts Books Publication, 2017
In the current Internet architecture, the IP address is used as the node identifier; that is, generally a single IP address is assigned to a node and used permanently until the node becomes inactive. The same address is used for all communications from/to the node. However, this communication paradigm has a fundamental security problem: the IP address of the node is exposed not only to nodes that intend to communicate with it, but also to anonymous parties who try to attack the node. To solve this problem, we change the traditional paradigm completely and propose a new solution called the Unified Multiplex Communication Architecture. The main difference from the current Internet is that an IP address is not used as a node identifier, but as a service identifier. In the Unified Multiplex Communication Architecture, we change IP addresses session by session, and the assigned address becomes invalid immediately after the session terminates. This architecture simply changes the way IP addresses are used but enhances security significantly. However, there is a major issue in Unified Multiplex: how to determine the IP address for connecting to the server, since an IP address is assigned to each session one by one. Prior to communication, the client must know the IP address on which the server is awaiting the connection. For this problem, in this thesis we propose a new, non-negotiation type IP address determination mechanism that is feasible by updating the operating system on end hosts only (no modification of applications is needed). In our mechanism, IP address generation is performed on both server and client independently, but the generated addresses are synchronized because time information is used for address generation. We then analyze the interval of address update (i.e., the lifetime of a generated address) for avoiding unexpected failures due to our mechanism.
Our numerical results show that our address update mechanism is extremely robust against brute-force type attacks. Moreover, detailed design and implementation methods are described for realization.
Keywords: Communication Architecture; Secure Communication; IPv6
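The synchronized, time-driven address generation described above can be illustrated with a small Go program. It is an added example for this page, not the thesis's own mechanism, and it assumes a secret shared between client and server (the abstract names time as the synchronizing input and does not say what else the generation keys on). The interface identifier of each interval is derived from HMAC-SHA-256 over the interval number and a service name, and the server listens on the addresses of the current, previous and next intervals so that a client whose clock is off by less than one interval still reaches it. The interval length, prefix, service name and secret are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"net"
	"time"
)

// Service is one server-side service whose address changes every Interval.
type Service struct {
	Secret   []byte        // assumed shared secret; without it anyone could predict the addresses
	Name     string        // service identifier mixed into the derivation
	Prefix   net.IP        // the server's /64 prefix
	Interval time.Duration // address lifetime (the "interval of address update")
}

// slot numbers the intervals since the Unix epoch.
func (s Service) slot(t time.Time) uint64 {
	return uint64(t.Unix()) / uint64(s.Interval/time.Second)
}

// addressForSlot derives prefix || HMAC-SHA-256(secret, slot || name)[0:8].
func (s Service) addressForSlot(slot uint64) net.IP {
	mac := hmac.New(sha256.New, s.Secret)
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], slot)
	mac.Write(b[:])
	mac.Write([]byte(s.Name))
	ip := make(net.IP, 16)
	copy(ip, s.Prefix.To16()[:8])
	copy(ip[8:], mac.Sum(nil)[:8])
	return ip
}

// AddressAt is what the client computes: the address valid in the interval containing t.
func (s Service) AddressAt(t time.Time) net.IP { return s.addressForSlot(s.slot(t)) }

// ListeningSet is what the server binds: the current interval plus one on each side,
// so a client whose clock is skewed by less than one interval still connects.
func (s Service) ListeningSet(t time.Time) []net.IP {
	cur := s.slot(t)
	return []net.IP{s.addressForSlot(cur - 1), s.addressForSlot(cur), s.addressForSlot(cur + 1)}
}

// Accepts reports whether a connection to dst arriving at server time t is for a live address.
func (s Service) Accepts(dst net.IP, t time.Time) bool {
	for _, ip := range s.ListeningSet(t) {
		if ip.Equal(dst) {
			return true
		}
	}
	return false
}

func main() {
	svc := Service{Secret: []byte("constructed shared secret"), Name: "https", Prefix: net.ParseIP("2001:db8:a::"), Interval: 60 * time.Second}
	now := time.Now()
	fmt.Println("client connects to ", svc.AddressAt(now))
	for _, ip := range svc.ListeningSet(now) {
		fmt.Println("server listens on  ", ip)
	}
}
```

The one-interval window on each side is the trade-off the abstract's lifetime analysis is about: a wider window tolerates more clock skew but leaves each address reachable for longer.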
AN EMPIRICAL STUDY ON INTERNET PROTOCOL IPV6 IN NETWORKING
The Internet protocol IPv4 has met requirements for years, but the number of addresses, while huge, is finite. It has several unavoidable shortcomings, such as an exhausted address space, security issues and the non-availability of auto-configuration, which in some cases present an obstacle to the further development of the Internet. The resolution to mitigate this problem was the development of the new IPv6 protocol, which enlarges the address space from 32 bits to 128 bits. IPv6 offers a larger address space, superior address design and better security, among other benefits. IPv6 deployment necessitates deep and careful planning to minimize network disruption and ensure that the benefits of IPv6 are realized. Due to the issues of IPv4, IPv6 is nowadays extremely popular in organizations, corporations and Internet Service Providers (ISPs). In this paper, we aim to provide a literature survey that describes the various techniques for implementing the IPv6 transition and the most optimal method for increasing network performance.
IPv6 Cryptographically Generated Address: Analysis, Optimization and Protection
Computers, Materials & Continua
In networking, one major difficulty that nodes suffer from is the need for their addresses to be generated and verified without relying on a third party or publicly authorized servers. To resolve this issue, the use of self-certifying addresses has become a highly popular and standardized method, of which Cryptographically Generated Addresses (CGA) are a prime example. CGA was primarily designed to deter the theft of IPv6 addresses by binding the generated address to a public key to prove address ownership. Even though the CGA technique is highly effective, this method is still subject to several vulnerabilities with respect to security, in addition to certain limitations in its performance. In this study, the authors present an intensive systematic review of the literature to explore the technical specifications of CGA, its challenges, and existing proposals to enhance the protocol. Given that CGA generation is a time-consuming process, this limitation has hampered the application of CGA in mobile environments where nodes have limited energy and storage. Fulfilling the Hash2 conditions in CGA is the heaviest and most time-consuming part of SEND. To improve the performance of CGA, we replaced the Secure Hash Algorithm (SHA-1) with the Message Digest (MD5) hash function. Furthermore, this study also analyzes the possible methods through which a CGA could be attacked. In conducting this analysis, Denial-of-Service (DoS) attacks were identified as the main method of attack on the CGA verification process, which compromises and threatens the privacy of CGA. Therefore, we propose some modifications to the standard CGA verification algorithm to mitigate DoS attacks and make CGA more security conscious.
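Both CGA abstracts above (the Sec-granularity proposal and the verification analysis) rest on the RFC 3972 generation and verification steps. The Go program below is an added example for this page, not code from either paper: it implements the Hash2 search, the Hash1 derivation with Sec in the three leftmost bits and the u/g bits cleared, and the verification procedure, with the number of zero bits required per Sec level exposed as a granularity parameter so that the standard 16 and the proposed 8 can be run side by side. The public key is a constructed opaque byte string standing in for a DER-encoded key, the starting modifier is fixed for reproducibility (a real node draws it at random), SHA-1 is kept as the RFC specifies, and the MD5 substitution mentioned above is not implemented.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"fmt"
	"net"
)

// CGAParams is the CGA Parameters structure a node publishes with its address
// (RFC 3972 section 3). PublicKey is the DER-encoded SubjectPublicKeyInfo, treated
// here as opaque bytes; extension fields are omitted.
type CGAParams struct {
	Modifier       [16]byte
	SubnetPrefix   [8]byte
	CollisionCount uint8
	PublicKey      []byte
}

// hash2: SHA-1 over modifier || 9 zero octets || public key, leftmost 112 bits.
func hash2(p *CGAParams) []byte {
	h := sha1.New()
	h.Write(p.Modifier[:])
	h.Write(make([]byte, 9)) // subnet prefix and collision count are zero in Hash2
	h.Write(p.PublicKey)
	return h.Sum(nil)[:14]
}

// hash1: SHA-1 over modifier || subnet prefix || collision count || public key, leftmost 64 bits.
func hash1(p *CGAParams) []byte {
	h := sha1.New()
	h.Write(p.Modifier[:])
	h.Write(p.SubnetPrefix[:])
	h.Write([]byte{p.CollisionCount})
	h.Write(p.PublicKey)
	return h.Sum(nil)[:8]
}

// leadingZeroBits reports whether the first n bits of b are all zero (n <= 8*len(b)).
func leadingZeroBits(b []byte, n int) bool {
	for i := 0; i < n; i++ {
		if b[i/8]&(0x80>>uint(i%8)) != 0 {
			return false
		}
	}
	return true
}

// Generate runs the Hash2 search until sec*granularity leading bits are zero and then
// derives the address. granularity 16 is RFC 3972; 8 is the relaxed value proposed
// above (granularity must not exceed 16). seed is the starting modifier. The number
// of Hash2 trials is returned so the two granularities can be compared.
func Generate(prefix net.IP, sec uint8, granularity int, pubKey []byte, seed [16]byte) (net.IP, *CGAParams, int) {
	sec &= 7 // Sec occupies the three leftmost bits of the interface identifier
	p := &CGAParams{Modifier: seed, PublicKey: pubKey}
	copy(p.SubnetPrefix[:], prefix.To16()[:8])
	tries := 1
	for !leadingZeroBits(hash2(p), int(sec)*granularity) {
		for i := 15; i >= 0; i-- { // modifier += 1 as a 128-bit big-endian integer
			p.Modifier[i]++
			if p.Modifier[i] != 0 {
				break
			}
		}
		tries++
	}
	return addressFrom(p, sec), p, tries
}

// addressFrom puts Sec into bits 0-2 of Hash1, clears the u and g bits (6 and 7)
// and appends the result to the subnet prefix (RFC 3972 section 4, steps 4-6).
func addressFrom(p *CGAParams, sec uint8) net.IP {
	iid := hash1(p)
	iid[0] = iid[0]&0x1C | sec<<5
	ip := make(net.IP, 16)
	copy(ip, p.SubnetPrefix[:])
	copy(ip[8:], iid)
	return ip
}

// Verify is the RFC 3972 section 5 procedure: collision count in range, prefix match,
// Hash1 match ignoring the Sec and u/g bits, then the Hash2 condition for the Sec read
// from the address. It costs two SHA-1 computations over whatever parameters the peer
// supplied, regardless of the Sec value claimed.
func Verify(ip net.IP, p *CGAParams, granularity int) bool {
	ip = ip.To16()
	if ip == nil || p.CollisionCount > 2 || !bytes.Equal(ip[:8], p.SubnetPrefix[:]) {
		return false
	}
	h1 := hash1(p)
	if h1[0]&0x1C != ip[8]&0x1C || !bytes.Equal(h1[1:], ip[9:]) {
		return false
	}
	return leadingZeroBits(hash2(p), int(ip[8]>>5)*granularity)
}

func main() {
	prefix := net.ParseIP("2001:db8:1:2::")
	pub := []byte("constructed stand-in for a DER-encoded public key") // not a real key
	var seed [16]byte
	copy(seed[:], "cga-example-seed") // fixed so the run is reproducible
	for _, g := range []int{16, 8} {
		addr, params, tries := Generate(prefix, 1, g, pub, seed)
		fmt.Printf("granularity %2d: %s after %d Hash2 trials, verifies=%v\n", g, addr, tries, Verify(addr, params, g))
	}
}
```

Generation cost grows by a factor of 2^granularity for each Sec level (about 65536 Hash2 trials per level at 16, 256 at 8), while Verify always costs the verifier two hashes over peer-supplied parameters; a flood of bogus parameters therefore costs the verifier the same per message whatever Sec they claim, which is the path the DoS analysis above is concerned with. Generator and verifier must of course agree on the granularity, since an address produced at 8 will in general fail a check at 16.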