Securing tunnel endpoints for IPv6 transition in enterprise networks

IPv6-in-IPv4 tunneling has become common in the early stage of IPv6 deployment. Unfortunately, tunneling introduces security threats: intruders may spoof the source address of a packet and potentially inject the packet at the tunnel endpoint. Additionally, while IPv4 and IPv6 coexist in the network, one protocol may evade the firewall by being encapsulated in the other. The issue can be mitigated by using IPsec to authenticate incoming packets. Nevertheless, to thoroughly secure the tunnel endpoints, this paper puts forward the importance of having separate firewalls that filter IPv4 as well as IPv6 packets, so that no packet can escape the filtering process. Our preliminary results show that applying separate firewalls at the tunnel endpoints does not cause noticeable delay or significantly affect the filtering time.
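
The two-stage filtering described above can be illustrated as follows. This is an added example, not code from the paper: an IPv4 stage checks the outer header of a protocol-41 packet, and an IPv6 stage checks the decapsulated inner header. The function names, the peer address, the IPv6 prefix and the nested-tunnel rule are assumptions chosen for illustration, and IPsec authentication is not modelled.

```python
import ipaddress
import struct

# Constructed policy values (documentation address ranges), not from the paper.
TUNNEL_PEERS = {ipaddress.ip_address("192.0.2.1")}        # allowed remote tunnel endpoints
PEER_V6_PREFIX = ipaddress.ip_network("2001:db8:a::/48")  # IPv6 prefix routed behind that peer
PROTO_41 = 41                                             # IPv6-in-IPv4 encapsulation

def ipv4_stage(pkt: bytes):
    """IPv4 firewall: returns (verdict, inner_bytes); inner is set only for tunnel packets."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop:not-ipv4", None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "drop:bad-ipv4-header", None
    if pkt[9] != PROTO_41:
        return "ipv4-policy", None            # native IPv4, left to the ordinary rule set
    if ipaddress.ip_address(pkt[12:16]) not in TUNNEL_PEERS:
        return "drop:unknown-tunnel-peer", None
    return "decapsulate", pkt[ihl:]

def ipv6_stage(inner: bytes) -> str:
    """IPv6 firewall applied to the decapsulated packet."""
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop:bad-inner-ipv6"
    if inner[6] in (4, PROTO_41):             # assumed policy: no tunnel inside the tunnel
        return "drop:nested-tunnel"
    if ipaddress.ip_address(inner[8:24]) not in PEER_V6_PREFIX:
        return "drop:inner-source-spoofed"
    return "accept"

def filter_at_endpoint(pkt: bytes) -> str:
    """Run both stages so neither header escapes filtering."""
    verdict, inner = ipv4_stage(pkt)
    return ipv6_stage(inner) if verdict == "decapsulate" else verdict

def build(outer_src: str, inner_src: str, proto: int = PROTO_41) -> bytes:
    """Construct a sample packet (checksum left at 0; this sketch does not verify it)."""
    v6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
          + ipaddress.ip_address(inner_src).packed
          + ipaddress.ip_address("2001:db8:b::1").packed)
    v4 = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, proto, 0)
          + ipaddress.ip_address(outer_src).packed
          + ipaddress.ip_address("198.51.100.1").packed)
    return v4 + v6

if __name__ == "__main__":
    for o, i in [("192.0.2.1", "2001:db8:a::5"), ("203.0.113.9", "2001:db8:a::5"),
                 ("192.0.2.1", "2001:db8:ffff::5")]:
        print(o, i, "->", filter_at_endpoint(build(o, i)))
```

A packet from the configured peer whose inner source lies outside the peer's prefix passes the IPv4 stage and is dropped only by the IPv6 stage, which is the case a single IPv4-only firewall would miss.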
