Security Analysis of IPv6 Transition Technologies

Dr. Lencse Gábor Sándor
Department of Networked Systems and Services

When the first IPv4 RFC was released, engineers did not anticipate that the protocol could become vital to our lives 30-35 years later. As a result, they overlooked a very important characteristic of IPv4: the number of available host addresses. IPv4 also lacks several functions that would be very helpful. IPv6 was released in 1998 with RFC 2460; it is similar to IPv4, but most of IPv4's problems and limitations were removed and some new features were introduced. The most important improvement in IPv6 was clearly the expansion of the address size from 32 bits to 128 bits. There were other improvements as well, such as the simplification and modularity of the header, whose size was defined to be exactly 40 bytes. It would be great to change from IPv4 to IPv6, but there are several problems, on both the provider side and the client side of the network. The problem we face is that most network devices do not support IPv6 by design, so we need technologies that let us change from IPv4 to IPv6 step by step. These are called IPv6 transition technologies; with their help, we can change from IPv4 to IPv6 seamlessly within about 10 years.

I divided this paper into three main parts. First, I will show the possible methods and the most important transition technologies, which might be used in the next few years. Basically, there are three possible methods: tunneling, translation and dual-stack. All of the problems can be divided into two categories: connection problems and transit problems. When two sites or hosts connect using different IP versions, there is a connection problem, which can be solved by using a translator to convert from one protocol to the other. On the other hand, when two or more native networks are separated by a network of another IP version, there is a transit problem, which can be solved by tunneling. The most important protocols are NAT64, DNS64, 6to4, 6rd and 6PE.

Second, the use of these technologies can lead to several security issues, which could be mitigated with proper settings. I analyzed these technologies and looked for the known security issues. Attacks can be launched from both the IPv4 and IPv6 networks, and from both the clients and the native network, so I had to check all the possible sources. I also mentioned some possible solutions to harden the network.

Last but not least, I built a test network with which I checked the security issues of several open and closed implementations, such as Tayga, BIND9 or the built-in services of Cisco and Linux systems.
