New IPv6 Identification Paradigm: Spreading of Addresses Over Time

The identification of packet flows is a very important feature for providing security on the Internet. Flow identification is traditionally done with the well-known five-tuple: source IP address, destination IP address, transport layer protocol number, and the two source/destination identifiers of the transport layer protocol (called ports in UDP and TCP). Unfortunately, the IP source address is not reliable at all. However, we can use new security paradigms based on new IPv6 properties. In particular, IPv6 introduces a large address space. Our solution takes advantage of this space with a high-frequency rotation of IP addresses, which we call spreading. This spreading improves security since only the sender and the receiver are able to generate and follow this temporal sequence. An attacker will not be able to successfully insert malicious packets into a flow or to initialize a flow. It protects against session initialization flooding and against attacks on established connections. In this paper, we describe the architecture of our solution and the protocol to initiate a connection, and we also present a performance evaluation of our spreading.
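To make the spreading idea concrete, here is an added illustration that is not the paper's code and not its actual address-derivation scheme (the abstract does not specify one): a sender and receiver sharing a secret derive one IPv6 address per time epoch from that secret, and the receiver accepts a packet only if its source address belongs to the current rotation window. The shared key, the /64 prefix, the epoch length, the skew tolerance and the HMAC-based derivation are all assumptions made for this example.

```python
import hmac
import hashlib
import ipaddress

# Constructed parameters for this illustration (assumptions, not values from the paper).
SHARED_KEY = b"example-shared-secret-between-sender-and-receiver"
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")  # documentation prefix
EPOCH_SECONDS = 1   # how often the address rotates
SKEW_EPOCHS = 1     # neighbouring epochs still accepted, to tolerate clock skew


def epoch_for(timestamp: float) -> int:
    """Map a wall-clock time to the rotation epoch it falls in."""
    return int(timestamp // EPOCH_SECONDS)


def address_for_epoch(key: bytes, prefix: ipaddress.IPv6Network, epoch: int) -> ipaddress.IPv6Address:
    """Address used during one epoch: the /64 prefix plus a keyed-hash interface identifier.

    Only parties holding `key` can compute it, so only they can follow the sequence.
    """
    tag = hmac.new(key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    iid = int.from_bytes(tag[:8], "big")  # 64-bit interface identifier
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def rotation_schedule(key: bytes, prefix: ipaddress.IPv6Network, start: float, epochs: int) -> list:
    """The temporal sequence a sender walks through, starting at `start`, for `epochs` epochs."""
    first = epoch_for(start)
    return [address_for_epoch(key, prefix, e) for e in range(first, first + epochs)]


def expected_addresses(key: bytes, prefix: ipaddress.IPv6Network, timestamp: float) -> set:
    """Addresses a receiver accepts at `timestamp`: the current epoch plus +/- SKEW_EPOCHS."""
    e = epoch_for(timestamp)
    return {address_for_epoch(key, prefix, i) for i in range(e - SKEW_EPOCHS, e + SKEW_EPOCHS + 1)}


def accept_packet(key: bytes, prefix: ipaddress.IPv6Network, src: str, timestamp: float) -> bool:
    """Receiver-side filter: keep a packet only if its source is an address of the live window."""
    return ipaddress.IPv6Address(src) in expected_addresses(key, prefix, timestamp)
```

A packet carrying a stale address, or an address computed without the shared key, is dropped by `accept_packet`, which is the property the abstract relies on against injection and session-flooding attempts.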