The Future of TCP/IP - IP Next Generation
As you may have gathered, TCP/IP is an ever-evolving family of protocols. With the explosion of the Internet, we are seeing some of the limitations of this protocol suite. One problem in particular is that we will soon run out of usable IP addresses under the current specification, with so many new connections to the Internet being built and installed every day. Another major issue is security. Both of these serious problems are being addressed by various consortia that are quickly finding the answers. Let’s look at one of the foremost proposed solutions because it is likely to become an integral part of the protocol suite in the very near future.
The current version of the IP protocol is version 4, or IPv4, and the next generation, IPv6 or IPng (IP next generation), is set to become formally adopted. IPng was recommended by the IPng Area Directors of the Internet Engineering Task Force (IETF) at the Toronto IETF meeting held on July 25, 1994, as documented in RFC 1752, "The Recommendation for the IP Next Generation Protocol." (Request for Comments (RFCs) are a standard way to propose and debate the merits of any significant change or modification to a standard involving TCP/IP and the Internet in an open forum.) IPng was approved by the Internet Engineering Steering Group and made a Proposed Standard on November 17, 1994. The core set of IPng protocols was made an official IETF Proposed Standard on September 18, 1995.
IPng can be installed as a normal software upgrade to Internet devices and is interoperable with the current version of IPv4 found in today’s TCP/IP protocol. IPng is designed to run well on high performance networks, such as Asynchronous Transfer Mode (ATM), and at the same time is still efficient for low-bandwidth networks, such as wireless networks. In addition, IPng provides a platform for new Internet functions that will be required in the near future.
IPng was designed to be an evolutionary step up from IPv4 but not to be a radical step away from it. Functions that work in IPv4 were kept in the IPng specification, and likewise, the functions that didn’t work were removed. The changes from IPv4 to IPng fall primarily into the following categories:
• Expanded routing and addressing capabilities.
• IPng increases the IP address size from 32 bits to 128 bits, which obviously supports more levels of addressing and a much greater number of addressable nodes. IPng also facilitates a simpler means of automatically configuring IP addresses.
• A new type of address, the anycast address, is defined in IPng. An anycast address identifies a set of nodes; a packet sent to an anycast address is delivered to one of the nodes in that set. Using anycast addresses in the IPng source route lets nodes control the path along which their traffic flows. IPng address types are discussed further later in this section.
• Header format simplification - Some IPv4 header fields have been dropped or made optional to reduce the common processing cost of packet handling and to keep the bandwidth cost of the IPng header as low as possible despite the increased size of the addresses. Even though the IPng addresses are four times longer than the IPv4 addresses, the IPng header is only twice the size of the IPv4 header.
• Improved support for options - Changes in the way IP header options are encoded allow for more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options.
• Quality-of-service capabilities - A new capability enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as nondefault quality of service or real-time service.
• Authentication and privacy capabilities - IPng defines extensions that provide support for authentication, data integrity, and confidentiality. These definitions are included as a basic element of IPng and will be included in all implementations.
There are three basic types of IPng addresses: unicast, anycast, and multicast. Unicast addresses identify a single interface. Anycast addresses identify a set of interfaces so that a packet sent to an anycast address is delivered to one member of the set. Multicast addresses identify groups of interfaces, so that a packet sent to a multicast address is delivered to all the interfaces in the group. Multicast addresses in IPng supersede broadcast addresses.
IPng supports 128-bit addresses, four times the number of bits in the 32-bit IPv4 address. The resulting address space is far more than several times the size of the current one: where 32 bits allow roughly 4 billion addresses, 128 bits allow 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456, distinct addresses.
The Internet has a number of major security problems and lacks effective privacy and authentication mechanisms below the application layer. IPng corrects these shortcomings with two integrated options that provide security services. These two options may be used separately or together to provide different levels of security to different users. This feature is very important because different user communities have different security requirements.
The first security mechanism, the IPng Authentication Header, is an extension header that gives IPng datagrams authentication and integrity without confidentiality. Although the extension is algorithm independent and will support many different authentication techniques, the use of an MD5 security system has been proposed to help ensure this feature’s interoperability within the Internet.
The IPng Authentication Header can eliminate a significant class of network attacks, including host-masquerading attacks. Using the IPng Authentication Header is particularly important when source routing is used with IPng because of the known risks in IP source routing. Its placement at the Internet layer can help provide host origin authentication to those upper-layer protocols and services that currently lack meaningful protection schemes.
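As an added example (not from the original text), the following Python builds a minimal IPv6 fixed header, classifies the destination by the three address types above, and computes and verifies an Authentication-Header-style keyed integrity check, showing that a hop-limit change in transit still verifies while a rewritten source address (host masquerading) does not. It assumes HMAC-MD5 from the standard library as a stand-in for the keyed-MD5 proposal, constructed sample addresses and key, and the hop limit as the only mutable field zeroed before hashing.

```python
"""Added example: IPv6 fixed header + AH-style keyed integrity check.
Assumptions: HMAC-MD5 stands in for the keyed-MD5 proposal; addresses,
key and payload are constructed sample values; the hop limit is the only
mutable field and is zeroed before the check value is computed."""
import hashlib
import hmac
import ipaddress
import struct

NEXT_HEADER_UDP = 17  # IANA protocol number carried in the Next Header field


def address_type(addr: str) -> str:
    """Classify per the page's three types. Multicast is ff00::/8; anycast is
    syntactically identical to unicast, so it cannot be told apart here."""
    ip = ipaddress.IPv6Address(addr)
    return "multicast" if ip.is_multicast else "unicast (or anycast)"


def ipv6_header(src: str, dst: str, payload_len: int, hop_limit: int = 64) -> bytes:
    """40-byte IPv6 fixed header: version 6, traffic class 0, flow label 0."""
    first_word = 6 << 28  # version occupies the top 4 bits; class/flow are zero
    return struct.pack("!IHBB16s16s", first_word, payload_len, NEXT_HEADER_UDP,
                       hop_limit, ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Integrity check value over the invariant header fields plus payload.
    Byte 7 is the hop limit, which routers decrement, so it is zeroed."""
    invariant = header[:7] + b"\x00" + header[8:]
    return hmac.new(key, invariant + payload, hashlib.md5).digest()


def verify(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


SRC = "2001:db8::10"   # constructed documentation-range sample addresses
DST = "2001:db8::20"
KEY = b"constructed-sample-key"
PAYLOAD = b"hello over IPng"


def demo() -> tuple:
    hdr = ipv6_header(SRC, DST, len(PAYLOAD))
    icv = ah_icv(KEY, hdr, PAYLOAD)
    # A router decrementing the hop limit must not break the check...
    forwarded = hdr[:7] + bytes([hdr[7] - 1]) + hdr[8:]
    # ...but a masquerading host rewriting the source address must.
    spoofed = ipv6_header("2001:db8::bad", DST, len(PAYLOAD))
    return verify(KEY, forwarded, PAYLOAD, icv), verify(KEY, spoofed, PAYLOAD, icv)
```

Current IPsec AH deployments use HMAC-SHA2 integrity algorithms; MD5 appears here only to mirror the proposal the text describes.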
The second security extension header provided with IPng is the IPng Encapsulating Security Header. This particular mechanism provides integrity and confidentiality to IPng datagrams. It’s simpler than similar security protocols, such as the Network Layer Security Protocol (ISO NLSP), but it remains flexible and algorithm independent. To ensure this header’s interoperability over the Internet, the Data Encryption Standard (DES) algorithm in the Cipher Block Chaining (CBC) mode (DES CBC) is being used as the standard algorithm. The DES CBC encryption process employs a 64-bit cryptographic key system.
Overall, IPng appears to be a very promising way of minimizing, if not eliminating, a few of the major problems in TCP/IP networking, especially the address-space and security problems discussed here. You can expect every major vendor on the planet to adopt and implement this new protocol version in its hardware and software.