switchport Security


Wednesday, December 26, 2007

The Extended Universal Identifier

Given a network address and prefix, how would you know the network address of a host in IPv6?

What's in here?
-IEEE 802 address conversion example
-Randomly generated Interface IDs

Interface identifiers in global unicast addresses (and other types of v6 addresses) must be 64 bits long and follow a particular format, defined by EUI-64.

This format is derived from the 48-bit link-layer address of the interface card (the MAC address): the hex value FFFE is inserted between the upper 3 bytes, the OUI, and the lower 3 bytes of the link-layer address.
But it doesn't stop there. The other issue is making the IPv6 address you've just conjured up (or your machine, for that matter) universally unique. This is done by flagging the seventh (7th) bit of the highest-order, most significant byte as either 0, meaning locally administered, or 1, meaning globally administered. This is what marks the address as unique.
The 7th bit is known as the U/L (universal/local) bit. The 8th bit of that same most significant byte is known as the G (group) bit.

The G-bit is used to manage groups, signifying a group or a single host. In plain terms, it indicates whether the address is unicast (set to 0) or multicast (set to 1).

IEEE 802 address conversion example (From http://www.microsoft.com)
In this example, Host A has an IEEE 802 address (Ethernet MAC) of 00-AA-00-3F-2A-1C. The following steps occur when converting this address to IPv6:

To convert the MAC address to EUI-64 format, FF-FE is inserted between the third and fourth bytes. This yields 00-AA-00-FF-FE-3F-2A-1C.

The U/L bit, which is the seventh bit in the first byte, is complemented. The first byte in binary form is 00000000. When the seventh bit is complemented, it becomes 00000010 (0x02).

Note: When complementing the U/L bit, perform the following steps:

  • If the EUI-64 address is universally administered, add 0x2 to the first byte.
  • If the EUI-64 address is locally administered, subtract 0x2 from the first byte.

The result, 02-AA-00-FF-FE-3F-2A-1C, is converted to colon-hexadecimal notation, yielding the interface identifier 2AA:FF:FE3F:2A1C.

Thus, in this example, the link-local address that corresponds to the network adapter with the MAC address of 00-AA-00-3F-2A-1C is FE80::2AA:FF:FE3F:2A1C.
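The conversion walked through above, as an added Python example (not code from the original post or from Microsoft's documentation): it turns the example MAC into the modified EUI-64 interface identifier and link-local address, and also recovers the MAC from an EUI-64 identifier, which is the property that lets traffic be tied to one network card.

```python
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC.

    Accepts '00-AA-00-3F-2A-1C' or '00:aa:00:3f:2a:1c' style input.
    """
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit IEEE 802 address")
    # Step 1: insert FF-FE between the OUI (upper 3 bytes) and the lower 3 bytes.
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Step 2: complement the U/L bit, the 0x02 bit of the first byte.
    eui64[0] ^= 0x02
    return bytes(eui64)


def interface_id_text(iid: bytes) -> str:
    """Render the identifier as four colon-hexadecimal groups, leading zeros dropped."""
    return ":".join(f"{int.from_bytes(iid[i:i + 2], 'big'):x}" for i in range(0, 8, 2))


def link_local_address(mac: str) -> str:
    """FE80::/64 prefix followed by the modified EUI-64 identifier, compressed form."""
    packed = b"\xfe\x80" + bytes(6) + mac_to_modified_eui64(mac)
    return str(ipaddress.IPv6Address(packed))


def mac_from_interface_id(iid: bytes) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived identifier.

    Returns None when the FF-FE marker is absent (e.g. a random RFC 3041
    identifier). This reversibility is why EUI-64 identifiers are trackable.
    """
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit flip
    return "-".join(f"{b:02X}" for b in bytes([first]) + iid[1:3] + iid[5:])


if __name__ == "__main__":
    print(link_local_address("00-AA-00-3F-2A-1C"))  # fe80::2aa:ff:fe3f:2a1c
```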

Randomly generated Interface IDs
Because EUI-64-based IPv6 interface identifiers remain static, a method is needed, for security and privacy reasons, to provide temporary addresses. The IPv6 protocol for Windows CE .NET 4.1 and later creates temporary addresses for global address prefixes by default.

In the IPv4-based Internet it is difficult to track a user's traffic on the basis of IP address. A typical user connects to an Internet service provider (ISP) and then obtains an IPv4 address by using the Point-to-Point Protocol (PPP) and the Internet Protocol Control Protocol (IPCP). Each time the user connects to the Internet, a different IPv4 address might be obtained, making it difficult to track their usage.

For IPv6-based dial-up connections, after the connection is made through router discovery and stateless address autoconfiguration, the user is assigned a 64-bit prefix. If the interface identifier is based on an EUI-64 address derived from the static IEEE 802 address, the traffic of a specific node can be identified regardless of the prefix. This makes it easy to track a specific user and their use of the Internet. To address this concern and provide a level of anonymity, an alternative IPv6 interface identifier can be randomly generated and changed over time. This method is described in RFC 3041.

The following list shows how the initial interface identifier is generated by using random numbers:

  • For IPv6 systems that cannot store historical information for generating future interface identifier values, a new random interface identifier is generated each time the IPv6 protocol is initialized.

  • For IPv6 systems that have storage capabilities, a history value is stored. When the IPv6 protocol is initialized, a new interface identifier is created through the following process:
  1. Retrieve the history value from storage and append the interface identifier based on the EUI-64 address of the adapter.
  2. Compute the Message Digest 5 (MD5) one-way hash over the quantity in step 1.
  3. Save the last 64 bits of the MD5 hash computed in step 2 as the history value for the next interface identifier computation.
  4. Take the first 64 bits of the MD5 hash computed in Step 2 and set the seventh bit to zero. The seventh bit corresponds to the U/L bit which, when set to 0, indicates a locally administered interface identifier. The result is the interface identifier.
The IPv6 address based on this random interface identifier is known as a temporary address. Temporary addresses are generated for public address prefixes that use stateless address autoconfiguration, that is, prefixes advertised by routers.
Temporary addresses are used for the lower of the valid and preferred lifetime values shown in the following table.
After the valid lifetime of a temporary address expires, a new interface identifier and temporary address are generated.
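The RFC 3041 procedure listed above, as an added Python example (not code from the original post or from the Windows implementation). It takes the EUI-64 interface identifier from the earlier example as constructed input and assumes a hypothetical router-advertised prefix, 2001:db8:1:2::/64.

```python
import hashlib
import ipaddress
import os
from typing import Optional, Tuple

# Constructed input: the EUI-64 interface identifier from the example above
# (02-AA-00-FF-FE-3F-2A-1C). Any 8-byte modified EUI-64 identifier works.
EUI64_IID = bytes.fromhex("02aa00fffe3f2a1c")


def next_temporary_iid(history: Optional[bytes], eui64_iid: bytes) -> Tuple[bytes, bytes]:
    """One round of the RFC 3041 procedure: returns (interface_id, new_history).

    `history` is the 64-bit value saved from the previous round. A node that
    cannot store history passes None and a fresh random seed is used instead.
    """
    if history is None:
        history = os.urandom(8)
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history and EUI-64 identifier must each be 64 bits")
    # Step 1: history value with the EUI-64 interface identifier appended.
    quantity = history + eui64_iid
    # Step 2: MD5 over that 128-bit quantity (16-byte digest).
    digest = hashlib.md5(quantity).digest()
    # Step 3: the last 64 bits are the history value for the next round.
    new_history = digest[8:]
    # Step 4: the first 64 bits, with the U/L bit (0x02 of byte 0) cleared so the
    # identifier is marked locally administered, become the interface identifier.
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD
    return bytes(iid), new_history


def temporary_address(prefix: str, iid: bytes) -> str:
    """Join a router-advertised /64 prefix with a temporary interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


if __name__ == "__main__":
    # Assumed prefix 2001:db8:1:2::/64 (documentation range, not a real network).
    hist = None
    for _ in range(3):  # each round yields a new identifier that does not embed the MAC
        iid, hist = next_temporary_iid(hist, EUI64_IID)
        print(temporary_address("2001:db8:1:2::/64", iid))
```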
