- »Lectures and Classes
- Diskrete Strukturen und Logik (WS 2011/12)
- Internet Security (WS2011/2012)
- Semantic Web Technologien (WS2011/2012)
- Large Scale Processing for Multimedia Analysis (WS2011/2012)
- Webprogrammierung und Web 2.0-Technologien (WS2011/12)
- Der neue Personalausweis: Konzept und Umsetzung (WS2011/2012)
- Web Service Security (WS2011/2012)
- Network Security in Practice (WS2011/2012)
- Archive
- »Tele-Lectures
- »Master-Projekte
- Master Theses
- »Bachelor Projects
- PhD Students
- D-School teaching
- Research Seminars
- »Lectures and Classes
Contact
Prof. Dr. Christoph Meinel
Hasso-Plattner-Institut
an der Universität Potsdam
Tel: +49 0331/5509-222
Fax: +49 0331/5509-325
Mobil: +49 176 10010727
meinel"at"hpi.uni-potsdam.de
Blogs
Books
Introduction
Internet Protocol version 6 (IPv6) has been developed to boost the future of the Internet. It is intended to replace IPv4 as the main communication protocol. In addition to the large address space (128-bit), IPv6 comes with new features and mechanisms such as StateLess Address Auto-Configuration (SLAAC), Neighbor Discovery (ND), header extension, enhanced mobility, etc.
Despite the fact that IPv6 still maintains much of IPv4's semantics and the two protocols have similar functionalities, IPv6 is incompatible with IPv4. IPv6 has its own addressing scheme, so it poses new challenges to routers concerning, for instance, the growth of the forwarding table or the integration with routing algorithms. Moreover, IPv6 and IPv4 headers do not inter-operate since some fields have been removed, changed, added or expanded. Therefore, among others, the Internet Engineering Task Force (IETF) have been working on several transition mechanisms in order to ensure a smooth migration to IPv6.
Because security is one of the top priorities in today's networks, our focus is the identification, mitigation and protection against possible risks caused by IPv6 deployments. In this way, we hope to contribute to a more reliable and trustworthy networking environment.
IPv6 Security Concerns
In IPv6 networks, vulnerabilities may arise due to two main reasons: new protocol features and coexistence with IPv4 protocol. IPv6 introduces new functionalities in order to facilitate network configuration and management. However, they have also exposed the network to new security threats. For instance, the Neighbor Discovery (ND) and Stateless Address Autoconfiguration (SLAAC) are vulnerable to spoofing and Denial of Service (DoS) attacks. Another example is the randomly generated addresses, which keep changing over time to enhance the users' privacy. This implies, however, new challenges for network administrators, as it also complicates the management of user identities. Finally, although IPv6 and IPv4 are incompatible protocols, they compete for the same computing resources. Therefore, running these two protocols in parallel poses new deployment and security challenges.
Research topics:
Securing IPv6 Addressing Mechanism
IPv6 Stateless Address Auto-Configuration (SLAAC) and Neighbor Discovery (ND) are used for autoconfiguring addresses (without a server) and discover other nodes on IPv6 link. Although the autoconfiguration mechanism greatly improves the efficiency and network managements, it has security and privacy implications. SEcure Neighbor Discovery (SEND) was designed as a first line of defense against spoof and Denial of Service (DoS) attacks. It assures the integrity and authenticity of ND messages. SEND is based on the usage of RSA Key pair, Cryptographically Generated Addresses (CGA), digital signature and X.509 certificates. Unfortunately, SEND deployment is still a challenge for several reasons. First, SEND is compute-intensive. Second, its deployment is not trivial, and the SEND Authorization Delegation Discovery (ADD) is mostly so far theoretical rather than practical. Third, operating systems lack the sophisticated implementations for SEND. The objective of this research topic is to find and develop an efficient and easy model to optimize CGA and SEND to make it applicable in different IPv6 networks, mainly in limited recourses devices.
Research Project Implementation: “WinSEND: Windows SEcure Neighbor Discovery”. It is an implementation of the following RFCs:
- RFC 3971: SEcure Neighbor Discovery (SEND)
- RFC 3972: Cryptographically Generated Addresses (CGA)
- RFC3779: X.509 Extensions for IP Addresses and AS Identifiers
Spam Filter in IPv6 Networks
The widespread usage of emails as means of formal and informal correspondence have originated an unfortunate side effect: the spammers. Spammers are organizations, individuals or even criminals that profit from the security vulnerabilities of the email system. In IPv6, new challenges arise. Due to huge address space, existing spam mitigation techniques, such as the Domain Name Service Blackhole List (DNSBL) are not feasible. Another problem are the randomly created IPv6 addresses. In this case, because host addresses are constantly changing, we are still not sure how to integrate them into the DNS System. As an example, when a spammer find a way to send email via a university domain, this domain is added to a DNS gray list database. This may hinder or even completely block external email delivery. Finally, in order to tackle these and similar issues, we research on email filtering, spam source identification and on new concepts and mechanisms for DNSBL and white listing. Our target is to have a more reliable and trustworthy email system for IPv6 networks.
IPv6 Integration
The future of the Internet depends on how well we are able to migrate to IPv6. Unfortunately, this process cannot be finished overnight, so we need to work towards integrating this new protocol into the existing networks. In fact, the deployment of IPv6 has being started more than a decade ago and multiple transition mechanisms have been proposed so far. Nevertheless, at World IPv6 Day in 2011, we have been confronted with two alarming facts: the coverage of IPv6 is still very small and the only viable transition mechanism is dual-stacking. Dual-stacking means that we will need to operate two Internets fully in parallel. This is an intricate task, because two incompatible but interacting protocols must provide the same crucial service: the global reachability. As a conclusion, the future of the Internet depends on how well we will be able to run two global networks in parallel. This is a long and hard process, but it is needed to safeguard the future of Internet.
IPv6 Security Team
- Prof. Dr. Christoph Meinel
- Ahmad AlSa'deh : Ahmad.AlSadeh(at)hpi.uni-potsdam.de
- Hosnieh Rafiee : Hosnieh.Rafiee(at)hpi.uni-potsdam.de
- Tacio Santos : Tacio.Santos(at)hpi.uni-potsdam.de
Events
Publications
Ahmad AlSa'deh and Christoph Meinel, "SEcure Neighbor Discovery: Review, Challenges, Perspectives and Recommendations", Security & Privacy, IEEE Computer Society, Volume: ??, Issue:99, 2012. (to appear)
Ahmad AlSa'deh, Hosnieh Rafiee and Christoph Meinel, “Stopping Time Condition for Practical IPv6 Cryptographically Generated Addresses”, 26th IEEE International Conference on Information Networking (ICOIN), Bali, Indonesia, February 1 - 3, 2012.
Hosnieh Rafiee, Ahmad AlSa'deh and Christoph Meinel “Multicore-Based Auto-Scaling SEcure Neighbor Discovery for Windows Operating Systems” , 26th IEEE International Conference on Information Networking (ICOIN), Bali, Indonesia, February 1 - 3, 2012.
Ahmad AlSa'deh, Feng Cheng, and Christoph Meinel,"CS-CGA: Compact and More Secure CGA", 17th IEEE International Conference on Networks (ICON2011), Singapore, pages: 299-304, December 14 - 16, 2011.
Hosnieh Rafiee, Ahmad AlSa’deh, and Christoph Meinel, “WinSEND: Windows SEcure Neighbor Discovery”, 4th International Conference on Security of Information and Networks (SIN 2011), 14-19 November 2011, Sydney, Australia, pages: 243-246, November 2011.
Ahmad AlSa'deh, Feng Cheng, Sebastian Roschke, and Christoph Meinel, "IPv4/IPv6 Handoff on Lock-Keeper for High Flexibility and Security", in Proceedings of 4th IFIP/IEEE International Conference on Network Technologies, Mobility and Security (NTMS'11), IEEE Press, Paris, France, pages: 1-6, February 7-10, 2011.