Using Transport Layer Multihoming to enhance Network Layer Moving Target Defenses
Related papers
Implementing an IPv6 Moving Target Defense on a Live Network
2012
The goal of our research is to protect sensitive communications, which are commonly used by government agencies, from eavesdroppers or social engineers. In prior work, we investigated the privacy implications of stateless and stateful address autoconfiguration in the Internet Protocol version 6 (IPv6). Autoconfigured addresses, the default addressing system in IPv6, provide a third party a means to track and monitor targeted users globally using simple tools such as ping and traceroute. Dynamic Host Configuration Protocol for IPv6 (DHCPv6) addresses contain a static DHCP Unique Identifier (DUID) that can be used to track and tie a stateless address to a host identity. Our research focuses on preventing the issue of IPv6 address tracking as well as creating a “moving target defense.” The Moving Target IPv6 Defense (MT6D) dynamically hides network and transport layer addresses of packets in IPv6 to achieve anonymity and protect against certain classes of network attacks. Packets are e...
A Survey of Moving Target Defenses for Network Security
IEEE Communications Surveys & Tutorials, 2020
Network defenses based on traditional tools, techniques, and procedures (TTP) fail to account for the attacker's inherent advantage present due to the static nature of network services and configurations. To take away this asymmetric advantage, Moving Target Defense (MTD) continuously shifts the configuration of the underlying system, in turn reducing the success rate of cyberattacks. In this survey, we analyze the recent advancements made in the development of MTDs and highlight (1) how these defenses can be defined using common terminology, (2) can be made more effective with the use of artificial intelligence techniques for decision making, (3) be implemented in practice and (4) evaluated. We first define an MTD using a simple and yet general notation that captures the key aspects of such defenses. We then categorize these defenses into different sub-classes depending on what they move, when they move and how they move. In trying to answer the latter question, we showcase the use of domain knowledge and game-theoretic modeling can help the defender come up with effective and efficient movement strategies. Second, to understand the practicality of these defense methods, we discuss how various MTDs have been implemented and find that networking technologies such as Software Defined Networking and Network Function Virtualization act as key enablers for implementing these dynamic defenses. We then briefly highlight MTD testbeds and case-studies to aid readers who want to examine or deploy existing MTD techniques. Third, our survey categorizes proposed MTDs based on the qualitative and quantitative metrics they utilize to evaluate their effectiveness in terms of security and performance. We use well-defined metrics such as risk analysis and performance costs for qualitative evaluation and metrics based on Confidentiality, Integrity, Availability (CIA), attack representation, QoS impact, and targeted threat models for quantitative evaluation.
Finally, we show that our categorization of MTDs is effective in identifying novel research areas and highlight directions for future research.
International Journal of Advanced Computer Science and Applications, 2015
IPv4 address pool is already exhausted; therefore, the change to use IPv6 is eventually necessary to give us a massive address pool. Although IPv6 was built with security in mind, extensive research must be done before deploying IPv6 to ensure the protection of security and privacy. This paper firstly presents the differences between the old and new IP versions (IPv4 and IPv6), and how these differences will affect the attacks, then the paper will show how the attacks on IPv4 and IPv6 will remain mostly the same; furthermore, the use of IPv6 will give rise to new types of attacks and change other types' behavior.
IPv6 and IPv4 Security challenge Analysis and Best-Practice Scenario
2010
Sharing of information and resources among different devices require networking. As networks are expanding day by day, Internet Protocols are gaining more and more popularity. Different transition mechanisms have been established and yet a lot of research is to be carried out. Internet Protocol version 6 (IPv6) is the next generation Internet Protocol proposed by the Internet Engineering Task Force (IETF) to supersede the current Internet Protocol version 4 (IPv4). To enable the integration of IPv6 into current networks, several transition mechanisms have been proposed by the IETF IPng Transition Working Group. This work examines and empirically evaluates two transition mechanisms, namely 6-over-4, and IPv6 in IPv4 tunneling, as they relate to the performance of IPv6. This paper outlines many of the common known threats against IPv4 and then compares and contrasts how these threats, or similar ones, might affect an IPv6 network. Some new threats specific to IPv6 are also considered. The current capabilities of available products are evaluated, as is how any inherent protocol characteristics of IPv6 affect the nature of the threat. This is prefaced by a brief overview of current best practices around the design of an IPv4 Internet edge network and then followed by a review of how that IPv4 edge network needs to evolve in order to secure the addition of IPv6.
A comparison of migration and multihoming support in IPv6 and XIA
2017
Mobility and multihoming have become the norm in Internet access, e.g. smartphones with Wi-Fi and LTE, and connected vehicles with LTE and DSRC links that change rapidly. Mobility creates challenges for active session continuity when provider-aggregatable locators are used, while multihoming brings opportunities for improving resiliency and allocative efficiency. This paper proposes a novel migration protocol, in the context of the eXpressive Internet Architecture (XIA), the XIA Migration Protocol. We compare it with Mobile IPv6, with respect to handoff latency and overhead, flow migration support, and defense against spoofing and replay of protocol messages. Handoff latencies of the XIA Migration Protocol and Mobile IPv6 Enhanced Route Optimization are comparable and neither protocol opens up avenues for spoofing or replay attacks. However, XIA requires no mobility anchor point to support client mobility while Mobile IPv6 always depends on a home agent. We show that XIA has signifi...
Investigating Security Issues and Preventive Mechanisms in Ipv6 Deployment
International Journal of Advanced Engineering and Nano Technology, 2022
Internet Protocols are utilized to empower the communication between the computing devices in the computer networks. IPv6 offers additional address space and more noteworthy security than IPv4. The progress from IPv4 to IPv6 has been finished through three primary change systems: dual-stack, tunneling, and translation. The IPv6 progress relies upon the similarity with the enormous introduced base of IPv4 nodes and routers just as keeping up with the security of the network from possible threats and vulnerabilities of both Internet protocols. This research identifies potential security issues in the transition mechanisms and proposing prevention mechanisms to the problems identified. Dual-Stack & Tunneling mechanisms were completely implemented in this research work and the security test was based on dual-stack network. A simulation has been designed by using GNS3 and the penetration test by the THC-IPv6 toolkit. After the implementation of simulation, IPv6 in the dual-stack mechanis...
A review of IPv6 security concerns
This study focuses on the security concerns of IPv6. We make a broad introduction to IPv6, then briefly look at the differences between the IPv6 and IPv4 protocols, their known vulnerabilities and identify some security concerns when implementing IPv6. Even after 13 years, IPv6 is still considered a new network protocol. With this in mind not much is known about IPv6. Since the IPv4 address space will be used up within the next few months, IPv6 should finally become more mainstream.
Implementing moving target IPv6 defense to secure 6LoWPAN in the internet of things and smart grid
Proceedings of the 9th Annual Cyber and Information Security Research Conference on - CISR '14, 2014
The growing momentum of the Internet of Things (IoT) has shown an increase in attack vectors within the security research community. We propose adapting a recent new approach of frequently changing IPv6 address assignment to add an additional layer of security to the Internet of Things. We examine implementing Moving Target IPv6 Defense (MT6D) in IPv6 over Low-Powered Wireless Personal Area Networks (6LoWPAN), a protocol that is being used in wireless sensors found in home automation systems and smart meters. 6LoWPAN allows the Internet of Things to extend into the world of wireless sensor networks. We propose adapting Moving-Target IPv6 Defense for use with 6LoWPAN in order to defend against network-side attacks such as Denial-of-Service and Man-In-The-Middle while maintaining anonymity of client-server communications. This research aims at providing a moving-target defense for wireless sensor networks while maintaining power efficiency within the network.
A Survey on Moving Target Defense for Networks: A Practical View
Electronics
The static nature of many of currently used network systems has multiple practical benefits, including cost optimization and ease of deployment, but it makes them vulnerable to attackers who can observe from the shadows to gain insight before launching a devastating attack against the infrastructure. Moving target defense (MTD) is one of the emerging areas that promises to protect against this kind of attack by continuously shifting system parameters and changing the attack surface of protected systems. The emergence of network functions virtualization (NFV) and software-defined networking (SDN) technology allows for the implementation of very sophisticated MTD techniques. Furthermore, the introduction of such solutions as field-programmable gate array (FPGA) programmable acceleration cards makes it possible to take the MTD concept to the next level. Applying hardware acceleration to existing concepts or developing new, dedicated methods will offer more robust, efficient, and secure...
Security Mechanisms for the IPv4 to IPv6 Transition
2007 5th Student Conference on Research and Development, 2007
Transition from IPv4 to IPv6 has been made possible through various transition mechanisms, categorized as dual-stack, tunneling and translation. However, period of transition may take years to complete which both protocols will coexist due to Internet services deployed are widely in IPv4. So, a successful IPv6 transition is depended on the compatibility with the large installed base of IPv4 hosts and routers, as well as maintaining security of the network from potential threats and vulnerabilities of both Internet protocols. This paper classifies potential security issues in the transition period and identifies prevention mechanisms to the problems identified. As dual-stacked host or network is the most simple IPv6 deployment any enterprise can settle for now, this paper focuses on possible implementation of distributed firewall in a dual-stacked environment which involves packet filtering at the edge router as well as the host-based firewall. Index Terms: IPv6 Transition, Dual stack, Tunneling, Security Mechanisms, Distributed Firewalls. I. INTRODUCTION This paper provides an insight on security considerations during the transition from IPv4 to IPv6. Transition to IPv6 will not occur in short time due to wide spread usage of IPv4 networks since it has been introduced more than 25 years ago. For the mean time we will settle for interoperability between IPv4 and IPv6 where both protocols will coexist and support the present Internet requirements. Since the two protocols are used in parallel, appropriate security measures must be installed to secure the network while transition from IPv4 to IPv6 is in progress. Basically, transition mechanisms [1] are categorized as dual-stack, tunneling and translation. Though, the most basic transition mechanisms [2] are dual-stacked and manually configured tunneling of IPv6 over IPv4. These two mechanisms are wise options for initial IPv6 deployment due to their simple management and less security considerations [2],[3],[5].
Nevertheless, translation is still important when communicating between IPv6 and legacy IPv4. This paper will not cover security aspects of translation mechanisms as they are not in our scope of research.