Comprehensive Survey of IPv6 Transition Technologies: A Subjective Classification for Security Analysis
IEICE TRANS. COMMUN., VOL.E102–B, NO.10 OCTOBER 2019

The usage of this PDF file must comply with the IEICE Provisions on Copyright. The author(s) can distribute this PDF file for research and educational (nonprofit) purposes only. Distribution by anyone other than the author(s) is prohibited.

SURVEY PAPER

Gábor LENCSE†a) and Youki KADOBAYASHI††b), Members

SUMMARY Due to the depletion of the public IPv4 address pool, the transition to IPv6 became inevitable. However, this ongoing transition is taking a long time, and the two incompatible versions of the Internet Protocol must coexist. Different IPv6 transition technologies were developed, which can be used to enable communication in various scenarios, but they also involve additional security issues. In this paper, first, we introduce our methodology for analyzing the security of IPv6 transition technologies in a nutshell. Then, we develop a priority classification method for the ranking of different IPv6 transition technologies and their most important implementations, so that the vulnerabilities of the most crucial ones may be examined first. Next, we conduct a comprehensive survey of the existing IPv6 transition technologies by describing their application scenarios and the basics of their operation, and we also determine the priorities of their security analysis according to our ranking system. Finally, we show that those IPv6 transition technologies that we gave high priorities cover the most relevant scenarios.

key words: IPv6 transition technologies, network security, survey

Manuscript received September 11, 2018.
Manuscript revised February 2, 2019.
Manuscript publicized April 8, 2019.
† The author is with the Department of Networked Systems and Services, Budapest University of Technology and Economics, Magyar tudósok körútja 2, H-1117 Budapest, Hungary.
†† The author is with Laboratory for Cyber Resilience, Nara Institute of Science and Technology, Ikoma-shi, 630-0192 Japan.
a) E-mail: [email protected]
b) E-mail: [email protected]
DOI: 10.1587/transcom.2018EBR0002
Copyright © 2019 The Institute of Electronics, Information and Communication Engineers

1. Introduction

Although IPv6, the new version of the Internet Protocol, was defined in 1998 (by a Draft Standard state RFC [1]), it became an Internet Standard only in 2017 [2]. Similarly, the deployment of IPv6 was very slow at the beginning, and it started to accelerate only in recent years for several reasons [3]. Unfortunately, the old version, IPv4, and the new version, IPv6, are incompatible with each other. To resolve this issue, several IPv6 transition technologies [4] have been developed, which address various communication scenarios. (By communication scenario, we mean the problem to be solved, e.g. a client, which can use only IPv6, needs to communicate with a server, which can use only IPv4.)

In our workshop paper [5], we surveyed the IPv6 transition technologies to get a general picture of what kinds of solutions exist. Our results helped us to develop a methodology for the identification of potential security issues of the various IPv6 transition technologies [6].

In this paper, we extend our workshop paper [5] by conducting a comprehensive survey of the IPv6 transition technologies (including any protocols that can be used to enable communication in any scenario despite the incompatibility of IPv4 and IPv6) and identifying those of them which would be worth submitting to a detailed security analysis. To achieve this goal, first, we give a short introduction to our methodology for the security analysis of IPv6 transition technologies [6], then we develop a priority classification method for both the technologies and their most important implementations, and after that, we present an exhaustive overview of the existing IPv6 transition technologies together with their priority classification.

The aim of this paper is twofold:

• Its primary goal is to serve as a reference for all IPv6 transition technologies defined up to now.
• Its secondary goal is to select those technologies that will play the most important role in the transition to IPv6, which we will be facing for several years or perhaps decades.

In this way, our current paper is the next step of the research that aims to identify and mitigate the security vulnerabilities of the most important IPv6 transition technologies.

We contend that an up-to-date comprehensive survey of IPv6 technologies is needed, because surveys other than our workshop paper [5] are either too old, like [7], [8] and [9] (published in 2006, 2010 and 2011, thus may not contain the most relevant technologies), or cover only a small number of technologies, like [10] and [11]. The best survey on IPv6 transition technologies we have found includes a thorough classification of the methods [12]; however, it was published in 2013, thus it also omits some important novel technologies defined since then. Another excellent paper [13] also covers several IPv6 transition technologies, but it focuses on the IPv4 address sharing mechanisms. Therefore, we conclude that there is a need for an up-to-date comprehensive survey of IPv6 transition technologies.

The remainder of this paper is organized as follows. In Sect. 2, we give a very brief introduction to our methodology for the identification of potential security issues of different IPv6 transition technologies. In Sect. 3, we disclose our priority classification method. In Sect. 4, we survey all the existing IPv6 technologies and classify the importance of their analysis. In Sect. 5, we discuss our recommendations by reconsidering the most important scenarios from the viewpoints of the users, ISPs and content providers. We check the sufficiency and parsimony of our selections. Section 6 concludes our paper.

2. Our Methodology for the Security Analysis of IPv6 Transition Technologies in a Nutshell

We have developed a methodology for the identification of potential security issues of different IPv6 transition technologies [6]. This methodology is based on STRIDE, which is the abbreviation of Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of privilege. STRIDE was developed for software design, and uses a systematic approach to help uncover potential vulnerabilities [14]. STRIDE operates on the DFD (Data Flow Diagram) model of the system and it examines whether the building blocks of the DFD are susceptible to the above mentioned six vulnerabilities. Marius Georgescu recommended one approach to applying STRIDE to the security analysis of IPv6 transition technologies [15]. That paper used the STRIDE method for examining the possible vulnerabilities of the following four categories of IPv6 transition technologies: dual stack, single translation, double translation, and encapsulation. We found that approach very promising, and we have complemented it in two ways [6]:

• We have pointed out that DNS64 was not covered by the above mentioned four categories, and added a new category for DNS64 [16].
• We have also shown that the general categories, which are useful for a comprehensive analysis at basic level, are worth complementing with deeper analysis at two levels: at the level of the individual IPv6 transition technologies and at the level of their most prominent implementations, see Fig. 1.

Please refer to our paper [6] for an in-depth description of our new methodology and for the demonstration of its operability on the example of DNS64 [16] and Stateful NAT64 [17].

From the point of view of our survey, our methodology results in a few constraints (or consequences). First of all, the operation of the IPv6 transition technologies selected for deeper analysis needs to be public and well-defined so that the STRIDE approach can be applied. Furthermore, we decided in [6] to consider only those implementations that are free software [18] (also called open source [19]) for multiple reasons:

• “Free software comes with source code and free software licenses explicitly allow the study of the source code, which can be essential for security analysis.
• Proprietary software usually does not include source code, and the licenses of certain vendors (e.g. [20] and [21]) do not allow reverse engineering and sometimes even the publication of benchmarking results is prohibited.
• Free software can be used by anyone for any purposes thus our results can be helpful for anyone.
• Free software is available free of charge for us, too.” [6]

3. Our Priority Classification Method

3.1 General Considerations

The IETF has standardized several technologies and taken a neutral position, leaving the selection of the most appropriate ones to the market. Therefore, several IPv6 transition technologies exist even for the same scenarios, and some of them have many implementations, thus the thorough analysis of all of them would require a huge amount of resources. Therefore, we develop a simple method for their priority classification both at IPv6 transition technology level and at implementation level. Our aim is to choose only a small number of technologies into the highest priority classes to be able to start our security analysis with the most important technologies and their most promising implementations. We contend that on the one hand, using only formal criteria would not lead to meaningful results (e.g. too many technologies would satisfy them) but on the other hand, complex expert deliberation always contains arguable elements. We are aware that any such ranking system has its limits. (E.g. considering too few factors, we may oversimplify the problem, whereas considering too many factors, we may make the problem too complex.) The choice of the examined factors and the determination of their relative priority (or the use of a weighting system) are also subjective decisions.