Development of IPv6 Capabilities for Next Generation Internet

Release Date:2005-09-21 Author:Ling Miao, Qin Hao

As more machines are added to the Internet, the shortage of IPv4 (IP Version 4) addresses keeps growing. To conserve IPv4 addresses, technologies such as Network Address Translation (NAT), Classless Inter-Domain Routing (CIDR) and hybrid addressing have been called into play. However, these stopgap measures also have side effects; for example, they break the end-to-end model of the network layer.
IPv6 (IP Version 6) fixes a number of problems in IPv4. The changes from IPv4 to IPv6 fall into the following categories: expanded addressing capabilities, header format simplification, improved support for extensions and options, flow labeling capability, authentication and privacy capabilities, enhanced multicast, guaranteed QoS, plug-and-play, and better mobility support.

    So far, some well-known vendors of telecom equipment and software/hardware have included IPv6 support in their routers and operating systems (OS). The open-system platforms FreeBSD and Linux also ship software packages that support IPv6.

    Besides, experimental IPv6 networks such as 6Bone and 6Init have been established in several countries. In China, the experimental network 6TNET has been set up and the brand-new CNGI network (also an IPv6 network) is now under construction. At the same time, IPv6 addresses are being allocated, and some network carriers, such as IIJ and KDDI in Japan, have started delivering commercial IPv6 access services.

    To date, the standards for the basic protocols and routing protocols of IPv6 have matured enough to deliver all the functionality available with IPv4. In May 2000, 3GPP, in its 3G standard (R5), chose IPv6 as the standard IP protocol for the next generation mobile communication system. It is now widely accepted that IPv6 is the successor of IPv4 as the single new-generation inter-network protocol. [1-5]

1 QoS Management
IPv6 does not solve every problem of IPv4, the QoS problem among them. However, IPv6 tries to provide genuine QoS in its architecture and has made significant improvements in this respect, most notably the new Flow Label field in the IPv6 header.
Two QoS-related fields are present in the IPv6 header:

(1) Traffic Class
    The Traffic Class field (8 bits) comes right after the Version field and indicates the kind of "differentiated services" to be provided for the packet. It functions similarly to the Type of Service (ToS) field of IPv4, but sits earlier in the header, and it has been part of IPv6 from the beginning.

(2) Flow Label
    The Flow Label field (20 bits) follows the Traffic Class field and identifies the packets that belong to the same service flow. The Flow Label, in conjunction with the source address, uniquely identifies a service flow, and all packets of a flow carry the same flow label. This mechanism allows fast and consistent processing of a flow that has a single QoS requirement.

    The IPv6 header thus has a Traffic Class field that is similar to ToS in IPv4 and provides differentiated QoS at the IP layer. Moreover, the 20-bit Flow Label field in the IPv6 header supports more comprehensive QoS: it identifies flows directly and enables resource reservation with the help of the Resource Reservation Protocol (RSVP). All of this is designed to enhance the QoS capabilities of IPv6.

    The traffic classifier in IPv4 is determined by the source and destination addresses, the source and destination port numbers and the transport protocol type. Because of packet fragmentation and encryption, some of these upper-layer fields are hard to obtain, and new protocols are hard to introduce.

    In IPv6 with the Flow Label, one flow can be identified uniquely by the source IPv6 address together with a non-zero flow label. The source can set up flow state on the intermediate nodes of the forwarding path through the hop-by-hop extension header or through a control protocol such as RSVP. When an IPv6 node receives a labeled IPv6 packet, it can classify the packet into a flow by its flow label and source address. Special handling is then possible for the packets according to the flow state set up on the series of IPv6 nodes.

    Figure 1 illustrates the differences between IPv6 and IPv4.


    The QoS mechanisms of IPv4 and IPv6 are basically the same except for Multi-Field (MF) classification and Differentiated Services Code Point (DSCP) marking:

    (1) MF classification in IPv4 is based on the source address, destination address, source port, destination port, protocol number and ToS, using 32-bit IP addresses. MF classification in IPv6 is based on the flow label, source address, destination address, source port, destination port, protocol number and traffic class, using 128-bit IPv6 addresses.

    (2) The DSCP of IPv4 is marked in the ToS field. The DSCP of IPv6 is marked in the Traffic Class field.
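The header fields and the classification rules described in this section, worked through as an added example (not code from the original article): decode the Version, Traffic Class (with its DSCP and ECN sub-fields) and Flow Label from the first 32-bit word of an IPv6 header, then key packets by (source address, flow label), falling back to the multi-field tuple when the label is zero. The sample packets are constructed here.

```python
import ipaddress
import struct

def parse_ipv6_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-byte IPv6 fixed header (RFC 2460 layout)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version={version})")
    traffic_class = (first_word >> 20) & 0xFF     # the 8 bits right after Version
    return {
        "traffic_class": traffic_class,
        "dscp": traffic_class >> 2,               # RFC 2474: DSCP is the top 6 bits
        "ecn": traffic_class & 0x3,
        "flow_label": first_word & 0xFFFFF,       # low 20 bits of the first word
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }

def flow_key(hdr: dict):
    """(source address, flow label) identifies a flow. A zero label means the
    packet is not part of any flow (RFC 3697), so it gets no flow key."""
    if hdr["flow_label"] == 0:
        return None
    return (hdr["src"], hdr["flow_label"])

def mf_key(hdr: dict, src_port: int, dst_port: int):
    """Multi-field classifier key for IPv6, in the order the text lists the fields."""
    return (hdr["flow_label"], hdr["src"], hdr["dst"], src_port, dst_port,
            hdr["next_header"], hdr["traffic_class"])

def build_ipv6_header(src: str, dst: str, traffic_class: int = 0, flow_label: int = 0,
                      payload_len: int = 0, next_hdr: int = 59, hop_limit: int = 64) -> bytes:
    """Build a fixed header; next_hdr 59 means 'No Next Header'."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_len, next_hdr, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

# Constructed samples: one packet marked DSCP 46 (Expedited Forwarding, Traffic Class
# 0xB8) with flow label 0x12345, and one carrying no flow label at all.
SAMPLE_EF = build_ipv6_header("2001:db8::1", "2001:db8::2", traffic_class=0xB8, flow_label=0x12345)
SAMPLE_NOFLOW = build_ipv6_header("2001:db8::1", "2001:db8::2")

def bucket_by_flow(packets):
    """Group packets by (src, flow label); unlabeled packets land in the None bucket."""
    buckets = {}
    for pkt in packets:
        buckets.setdefault(flow_key(parse_ipv6_fixed_header(pkt)), []).append(pkt)
    return buckets
```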

2 Integrated Security
IPv6 integrates IP Security (IPSec) as an inherent part of the protocol rather than as a stand-alone add-on.

    (1) Integrated with IPSec, IPv6 provides protocol-level authentication and encryption/encapsulation for the IPv6 network.

    (2) With address resolution handled at the Internet Control Message Protocol (ICMP) layer, the protocol is better decoupled from the underlying medium than ARP is, and standard IP authentication can be applied to it.

    (3) Other security measures remain effective in IPv6 in addition to IPSec.
The strong security of an IPv6 network is reflected in three aspects: protocol security, network security and hardware encryption.

    For protocol security, the Authentication Header (AH) and Encapsulating Security Payload (ESP) extension headers and a range of cryptographic algorithms are adopted. For AH, the authentication algorithms are HMAC-MD5-96 and HMAC-SHA-1-96, while for ESP the encryption algorithms are DES-CBC, 3DES-CBC and Null.
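To show what the AH integrity check actually covers, here is an added example (not code from the article) that computes and verifies an HMAC-SHA-1-96 ICV over a constructed IPv6 packet in transport mode, zeroing the mutable header fields (Traffic Class, Flow Label, Hop Limit) and the ICV field as RFC 2402 requires. The key and addresses are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 12  # HMAC-SHA-1-96: the 160-bit HMAC-SHA-1 output truncated to 96 bits

def ipv6_header(src: str, dst: str, next_hdr: int, payload_len: int, hop_limit: int = 64,
                traffic_class: int = 0, flow_label: int = 0) -> bytes:
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_len, next_hdr, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def ah_fixed_part(next_hdr: int, spi: int, seq: int) -> bytes:
    """AH without its ICV: Next Header, Payload Len, Reserved, SPI, Sequence Number.
    Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4."""
    return struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)

def immutable_view(ipv6_hdr: bytes) -> bytes:
    """Copy of the IPv6 header with the fields that change in transit zeroed
    (Traffic Class, Flow Label, Hop Limit); everything else is covered by the ICV."""
    version_only = struct.unpack("!I", ipv6_hdr[:4])[0] & 0xF0000000
    return struct.pack("!I", version_only) + ipv6_hdr[4:7] + b"\x00" + ipv6_hdr[8:40]

def ah_icv(key: bytes, ipv6_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # The ICV field itself is treated as zero while the ICV is computed.
    data = immutable_view(ipv6_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes, spi: int, seq: int) -> bytes:
    ipv6_hdr = ipv6_header(src, dst, 51, 12 + ICV_LEN + len(payload))  # 51 = AH
    ah_fixed = ah_fixed_part(17, spi, seq)     # 17 = UDP; the payload is a constructed stand-in
    return ipv6_hdr + ah_fixed + ah_icv(key, ipv6_hdr, ah_fixed, payload) + payload

def ah_verify(key: bytes, pkt: bytes) -> bool:
    """Verify a transport-mode IPv6 packet whose Next Header is AH."""
    ipv6_hdr, rest = pkt[:40], pkt[40:]
    if len(ipv6_hdr) < 40 or ipv6_hdr[6] != 51:
        return False
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(key, ipv6_hdr, ah_fixed, payload), icv)

def after_one_hop(pkt: bytes) -> bytes:
    """A router decrements Hop Limit (byte 7); the ICV must still verify."""
    return pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]

def tampered(pkt: bytes) -> bytes:
    """Flip one payload bit; the ICV must reject it."""
    return pkt[:-1] + bytes([pkt[-1] ^ 0x01])

# Constructed sample packet (demo key, documentation addresses)
KEY = b"constructed-demo-key"
PKT = build_ah_packet(KEY, "2001:db8::1", "2001:db8::2", b"constructed udp bytes", spi=0x100, seq=1)
```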

    Combinations of IPSec tunnel mode and transport mode provide network security, including end-to-end security, internal network security, VPNs based on secure tunnels, and a hierarchy of network security built with nested tunnels.

    However, while it improves network security, large-scale use of IPSec inevitably degrades the forwarding and processing performance of routers. To offset this, an Application Specific Integrated Circuit (ASIC) is usually used for encryption, or a network processor is used for both encryption and forwarding.

    IPSec provides authenticity, confidentiality and integrity for network data and information. However, the security risks of a data network can lie at any of several layers: the physical layer, data link layer, network layer, transport layer and application layer.

    In most cases the security risks of the physical layer are attributable to hardware defects, for example card damage, or to deterioration of the electrical characteristics and electromagnetic compatibility environment of the physical interfaces. These risks can be mitigated through redundant devices and lines, safer power supply, protection of the electromagnetic compatibility environment and enhanced security management.

    Beyond hardware, security risks lie in the protocols themselves and in illegal occupation or exhaustion of network resources: for example, the double 802.1Q encapsulation attack, broadcast packet attacks, Media Access Control (MAC) flooding and spanning tree attacks (Layer-2 attacks), or forged ICMP packets, ICMP floods, source address spoofing and route oscillation (Layer-3 attacks). At the application layer, attacks on HTTP, FTP/TFTP and TELNET, and virus spreading through email, are also possible. Against these attacks, the following measures are suggested:

    (1) To control users' network access rights and protect the application layer from attacks, security access control protocols such as Authentication, Authorization and Accounting (AAA), TACACS+ and Remote Authentication Dial In User Service (RADIUS) are used.

    (2) To protect Layer 2 from attacks, the following measures can be taken:

  • Binding MAC addresses to IP addresses
  • Restricting the number of MAC addresses used on each port
  • Setting a broadcast packet traffic threshold on each port
  • Using Access Control Lists (ACL) based on port and VLAN (Virtual LAN)
  • Establishing secure user tunnels

    (3) To enhance Layer 3 security, measures can be taken such as route filtering, routing information encryption and authentication, directional multicast control, speeding up routing convergence, and reducing the effects caused by route oscillation.
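The Layer-2 measures in item (2) above, expressed as a small port-security check run over constructed frame records (an added example, not code from the article or from any vendor's switch): a per-port limit on learned MAC addresses, a MAC/IP binding table, and a per-port broadcast threshold, each reporting a violation when exceeded. Port names, thresholds and bindings are illustrative.

```python
from collections import defaultdict

# Constructed policy mirroring the Layer-2 measures in the text (values are illustrative)
MAX_MACS_PER_PORT = 2          # limit on MAC addresses learned per port
BROADCAST_THRESHOLD = 3        # broadcast frames allowed per port per window
BINDINGS = {                   # (port, MAC) -> the only IP that MAC may use
    ("Gi0/1", "00:11:22:33:44:55"): "2001:db8:1::10",
}

def evaluate(frames):
    """frames: iterable of dicts with keys port, src_mac, src_ip, broadcast (bool).
    Returns a list of (port, rule, detail) tuples, one per violation."""
    macs_seen = defaultdict(set)
    bcast = defaultdict(int)
    violations = []
    for f in frames:
        port, mac, ip = f["port"], f["src_mac"].lower(), f["src_ip"]
        # Rule 1: restrict the number of MAC addresses per port (counters MAC flooding)
        if mac not in macs_seen[port]:
            macs_seen[port].add(mac)
            if len(macs_seen[port]) > MAX_MACS_PER_PORT:
                violations.append((port, "mac-limit", mac))
        # Rule 2: MAC/IP binding (counters source address spoofing)
        bound = BINDINGS.get((port, mac))
        if bound is not None and ip != bound:
            violations.append((port, "mac-ip-binding", f"{mac} used {ip}"))
        # Rule 3: broadcast threshold per port (counters broadcast storms)
        if f.get("broadcast"):
            bcast[port] += 1
            if bcast[port] > BROADCAST_THRESHOLD:
                violations.append((port, "broadcast-threshold", str(bcast[port])))
    return violations

def summarize(violations):
    """Count violations per (port, rule) so an operator sees which port trips which rule."""
    counts = defaultdict(int)
    for port, rule, _ in violations:
        counts[(port, rule)] += 1
    return dict(counts)

# Constructed sample: Gi0/1 behaves apart from one spoofed source IP, Gi0/2 floods
# four different source MACs, Gi0/3 sends five broadcasts within the window.
SAMPLE_FRAMES = (
    [{"port": "Gi0/1", "src_mac": "00:11:22:33:44:55", "src_ip": "2001:db8:1::10", "broadcast": False}] * 3
    + [{"port": "Gi0/1", "src_mac": "00:11:22:33:44:55", "src_ip": "2001:db8:1::99", "broadcast": False}]
    + [{"port": "Gi0/2", "src_mac": f"00:de:ad:be:ef:{i:02x}", "src_ip": f"2001:db8:1::{i:x}",
        "broadcast": False} for i in range(1, 5)]
    + [{"port": "Gi0/3", "src_mac": "00:aa:bb:cc:dd:ee", "src_ip": "2001:db8:1::20", "broadcast": True}] * 5
)
```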

    The IPSec mechanism in IPv6 not only guarantees the authenticity, confidentiality and integrity of network data and information, but also opens approaches to better network security. A safer network also relies on the combined use of AAA authentication, NAT-PT, Multi-Protocol Label Switching (MPLS) VPN at Layer 2 and Layer 3, standard and extended ACL access lists, and fragmented-packet attack prevention. For routing security, measures such as route filtering, static routing, policy routing and routing load sharing can be taken. For process access security and line access security, technologies such as SSHv2, SNMPv3 and EXC can be used. Hierarchical management and customized privilege management can be used for security management. Streamlined alarm, log and auditing functions can be used for network clock safety. Finally, for easier fault analysis, location and accounting, procedures such as access lists, logging of key events, and recording of routing protocol events and errors should be adopted.

3 Address Management
IPv6 extends the length of the IP address from 32 bits to 128 bits to solve the address shortage of the current Internet. Such a comparatively large address space can carry a multi-level hierarchy. Strict hierarchical addressing is conducive to route aggregation, so far fewer routing table entries are needed, network performance is enhanced, and routing efficiency and scalability are improved. This strict route aggregation feature also makes multi-homed access possible for IPv6.

    IPv6 supports automatic address configuration. Thanks to its large address capacity, IPv6 is able to configure addresses for devices automatically while keeping each address globally unique. This address configuration mechanism appends the link-layer address (an Ethernet MAC address, for instance), in EUI-64 format, to the globally unique unicast IPv6 prefix advertised on the subnet. This ensures that the automatically configured 128-bit address is globally unique. IPv6 allows its network nodes to configure their own IPv6 addresses, thus supporting future mobile device access and hot-plugging applications.
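The stateless autoconfiguration step just described, as an added example (not code from the article): form the modified EUI-64 interface identifier from a MAC address (insert ff:fe, flip the universal/local bit) and append it to an advertised /64 prefix; the inverse function recovers the MAC from such an address, which is useful when matching addresses to inventory. The prefix and MAC are constructed sample values.

```python
import ipaddress

def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface identifier (RFC 4291, Appendix A):
    split the MAC in the middle, insert 0xFFFE, and invert the U/L bit (bit 1 of octet 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02
    return bytes(eui64)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global unicast address = advertised /64 prefix + modified EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))

def mac_from_address(addr: str):
    """Inverse mapping. Returns the MAC if the interface identifier looks EUI-64 derived
    (0xFFFE in the middle), otherwise None (e.g. a manually assigned or temporary address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)

# Constructed sample values
SAMPLE_PREFIX = "2001:db8:1:2::/64"
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"
```

Because the identifier embeds the MAC, the same host is recognizable across every prefix it visits; RFC 4941 temporary addresses exist to avoid that tracking, and `mac_from_address` returns None for them.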

    The renumbering mechanism of IPv6 makes inter-provider IPv6 address changes transparent to end users. IPv6 gives each advertised subnet prefix a lifetime. When the lifetime expires, the node is allowed to use the newest prefix. Therefore hosts and servers can automatically select the newest global unicast IPv6 prefix and use a new address.

    IPv6 uses multicast instead of broadcast as used by IPv4. When a packet is being sent with the multicast address of the multicast group through the local link, only the members of this group will process the packet. With different multicast groups used for different functions, network resources are effectively utilized and the broadcast storm in IPv4 is prevented.

4 Mobility Support
The IP core backbone network of the Next Generation Internet (NGI) is built on IPv6, and billions of 3G cellular devices run the IPv6 protocol stack, which makes IPv6 mobility mandatory. In IPv4, mobility is an add-on feature, while in IPv6 this feature is built into the protocol. Therefore, any node that supports IPv6 should be able to support mobility when necessary.

    The goal of mobile IPv6 is to let the mobile node always be addressed through its home address, whether it is connected to its home link or has moved to a foreign network. Because mobile IPv6 is completely transparent to the protocol layers above IP, applications remain available without further modification or configuration on a mobile node that moves between sub-networks.

    While mobile IPv4 uses both a home agent and a foreign agent to provide mobility support, mobile IPv6 only needs a home agent, since every mobile IPv6 node supports mobility itself. Mobile IPv6 uses two IPv6 extension headers: the Destination Options extension header (for registration) and the Routing extension header (for transmitting data packets between a mobile node and a correspondent node).

    Mobile IPv6 makes full use of the inherent support of the IPv6 protocol for mobility. The mobile node registers with a home agent based on router advertisements. The home agent stores a translation table mapping the home address of the mobile node to its care-of address. With this table, the home agent can forward packets to the mobile node. Once the mobile node receives packets sent from other hosts, it uses the care-of address as the source address in its response packets and attaches its home address. When the subsequent packets from the host use the care-of address of the mobile node as the destination address, they must carry a source routing extension header that contains the home address of the mobile node. This mechanism makes sure that no packet is lost while the mobile node is on the move. When the mobile node undergoes a handoff between cells, the new Base Transceiver Station (BTS) should send a redirection packet to the original BTS after the mobile node re-registers successfully, so that packets misrouted during the handoff can find the mobile node again.
However, mobile IPv6 is not a solution to every problem either, for example seamless handoff and AAA.

5 VPN Service
With IPv6 traffic growing fast, MPLS technology, which offers both high performance and scalability, will play a significant role in the backbone network of the NGI. Based on label switching, MPLS avoids route lookups at every network node and thus relieves the hardware burden. MPLS uses the Label Distribution Protocol (LDP) or Resource Reservation Protocol-Traffic Engineering (RSVP-TE) for label distribution, sets up tunnels across the IP backbone network, and uses label forwarding to move data through the tunnels quickly. Together, these approaches give better QoS guarantees and traffic engineering.

    The traditional Layer 2 VPN uses point-to-point direct connection links; L2TP is a typical example. The NGI, however, adopts virtual pseudo wires and multipoint-to-multipoint Layer 2 MPLS VPNs, such as Virtual Private Wire Service (VPWS) and Virtual Private LAN Service (VPLS). VPLS delivers an Ethernet emulation service over the MPLS/IP core transport network. VPWS supports traditional services, such as ATM, Frame Relay (FR), High-Level Data Link Control (HDLC) or Point-to-Point Protocol (PPP), over the MPLS/IP core transport network and provides "Any Transport over MPLS". A Layer 2 MPLS VPN does not need to maintain the routing information of the user network, which greatly relieves the Provider Edge (PE) router (in processing capability) and the Customer Edge (CE) router (in hardware). The Layer 2 MPLS VPN is simple to manage and can reduce operation and maintenance expenses.

    The traditional Layer 3 VPN mainly uses point-to-point Generic Routing Encapsulation (GRE) and IP-in-IP. The Layer 3 VPN of the next generation network mainly uses the Border Gateway Protocol (BGP) MPLS VPN, which allows several user sites to communicate over a public IP network as if all users resided in one private network. The PE router must maintain a Virtual Routing and Forwarding (VRF) instance table for each VPN user; it records the user routing information learned from the CE and is used for VPN data forwarding. The ingress PE router attaches two labels to each data packet: the outer label directs the packet to the peer PE router, while the inner label identifies the CE connection. When the packet reaches the peer egress PE router, that router checks the VPN according to the inner label before forwarding the packet.
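The two-label forwarding model just described, as an added example (not code from the article): parse an MPLS label stack (RFC 3032 entry layout), take the bottom-of-stack entry as the VPN label and resolve it against a constructed egress-PE table; an unknown VPN label yields None so the packet is dropped rather than delivered into another customer's VRF. It also handles the single-label case left after penultimate hop popping, which the text does not mention. Label values, VRF names and CE names are constructed.

```python
import struct

def parse_label_stack(data: bytes):
    """Decode MPLS label stack entries (RFC 3032): 20-bit label, 3-bit TC,
    1-bit bottom-of-stack (S), 8-bit TTL. Returns (entries, offset of the payload)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("label stack has no bottom-of-stack entry")
        (word,) = struct.unpack("!I", data[off:off + 4])
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        off += 4
        if entry["bos"]:
            return entries, off

def encode_entry(label: int, tc: int, bos: int, ttl: int) -> bytes:
    return struct.pack("!I", ((label & 0xFFFFF) << 12) | (tc << 9) | (bos << 8) | ttl)

# Constructed egress-PE table: the inner (VPN) label selects the VRF and the CE attachment.
VPN_LABELS = {
    1001: ("VRF-A", "CE-A1"),
    1002: ("VRF-B", "CE-B1"),
}

def egress_pe_lookup(mpls_pkt: bytes):
    """Resolve the VPN label of a packet arriving at the egress PE.
    Two entries: outer transport label + inner VPN label, as the text describes.
    One entry: the transport label was already removed by penultimate hop popping."""
    entries, off = parse_label_stack(mpls_pkt)
    if len(entries) not in (1, 2):
        raise ValueError(f"unexpected label stack depth {len(entries)}")
    inner = entries[-1]
    target = VPN_LABELS.get(inner["label"])
    if target is None:
        return None   # unknown VPN label: drop, never forward into some other VRF
    vrf, ce = target
    return vrf, ce, mpls_pkt[off:]

# Constructed sample packets (label 16 stands in for a transport label to this PE)
TWO_LABEL_PKT = encode_entry(16, 0, 0, 64) + encode_entry(1001, 0, 1, 64) + b"inner ipv6 packet"
PHP_PKT = encode_entry(1002, 0, 1, 63) + b"inner ipv6 packet"
UNKNOWN_VPN_PKT = encode_entry(16, 0, 0, 64) + encode_entry(1999, 0, 1, 64) + b"x"
```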

    The 6PE function means supporting IPv6 routing on the PE routers of an MPLS network to deliver BGP MPLS VPN for an IPv6 private network. Moreover, it supports IPv6 inter-networking by means of MP-BGP and MPLS. This function requires only additional software configuration on the PE routers to deliver IPv6 service; neither the MPLS backbone devices nor their software configuration needs modification. From the Internet Service Provider (ISP) perspective, the control plane of the whole backbone network remains unchanged and involves no extra operation management overhead or device expense. Therefore, ISPs would be willing to introduce IPv6 services. At the same time, they can share network resources to the greatest extent, saving network operation and management cost while reducing the risk of technical investment.

6 Conclusions
All the technical advantages of IPv6 make it possible for IPv6 networks to support large-scale new applications. This will involve the research and development of much system software and many application programs. The IPv6 technology, with its promising market prospects, can bring large growth opportunities for the software industry of China.
Devices used on the Internet are telecom devices, network devices (routers and switches), hosts and terminals, and network and information security devices (firewalls, for instance). The world's largest IPv6-based Internet market is expected to emerge in China, which presents a great opportunity for vendors of Internet devices. Chinese vendors should take this opportunity to ship more devices built on the most important technologies [6,7]. In addition, the scalability and mobility delivered by IPv6 are opening the market to mobile terminals, streaming information terminals and peripherals, and networked home appliances.

    By experimenting with and verifying the feasibility of IPv6 technology, new service patterns and corresponding operation modes are created for telecom carriers, thus driving traditional telecom operators to adopt IP technology. By supporting various applications and services, the telecom carriers are able to profit from the NGI. The IPv6-powered Internet will cover not only the data communication market, but also the voice-dominated fixed-line and mobile markets. The fresh markets of video communication for recreational and educational purposes and of networked home appliances are also on the horizon. In other words, IPv6 means new revenue sources for telecom carriers.

References
[1] IETF RFC 2401. Security Architecture for the Internet Protocol [S].
[2] IETF RFC 2402. IP Authentication Header [S].
[3] IETF RFC 2406. IP Encapsulating Security Payload [S].
[4] IETF RFC 2474. Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers [S].
[5] IETF RFC 3697. IPv6 Flow Label Specification [S].
[6] ZTE Corporation. Technical White Paper for Broadband Data Network Security [Z].
[7] ZTE Corporation. Technical White Paper for ZXR10 T128/64E QoS [Z].

Manuscript received: 2005-04-07