CPEG-561: Network Security. University of Bridgeport, Connecticut, Bridgeport - 06604

Improving Security Over IPv6 Authentication Header Protocol using IP Traceback And TTL (Fall 2014)

Devon Thomas, Alex Isaac, Majdi Alharthi, Ali Albatainah (All: M.S. Computer Engineering)

Abstract - The recent discovery of Internet Protocol Version 6 (IPv6) network attacks has become an interesting topic in the world of network security. Because IPv6 is still in transition to becoming the main internet protocol, a lot of research has been done on it; however, its implementation may take longer than most people thought. Compared to its predecessor IPv4, it has every advantage. The shortage of addresses in IPv4 is the main deciding factor in why IPv6 is better [1, 2]. As long as the internet remains based on the IPv4 protocol, the progression of the internet is hindered. The IPv6 protocol provides the capability to expand addresses for the development of more devices, simplification of address auto-configuration and of the authentication header format, and privacy and authentication extensions. However, as good as IPv6 sounds, there are still security issues involving spoofing attacks, which we address with a combination of algorithms, packet analyzers and simulation tools.

Index Terms - Ant Algorithm, IPv6 spoofing attack, SecureND (Neighbor Discovery), Time-to-Live (TTL).

I. INTRODUCTION

This document describes the use of IPv6 spoofing as a method of attacking a secure network with the purpose of gaining unauthorized access to private packets sent over the network. Because packets (information, private or not) are sent over the internet, this work is based on the premise of improving routing capabilities that are not yet 100% safe. Internet communications between devices are routinely handled by routers which are protected by IPv6. The deployment of IPv6 to all enterprises will be here sooner rather than later.
The security issue of main concern in this paper is SPOOFING. A spoofing attack can be performed in many different ways, such as email spoofing, Neighbor Solicitation (NS)/Neighbor Advertisement (NA) spoofing, Router Solicitation (RS)/Router Advertisement (RA) spoofing and IP spoofing (Denial-of-Service, DOS). In this paper we focus on IP spoofing, in which the attacker fakes the identity of a legitimate user by replicating the user's IP address and obtains, for the attacker's own use, the packets intended for that user. It can be classified by the direction of the attack into three forms (outgoing attack, incoming attack and internal attack) [3]. In principle the attacker is fooling (spoofing) a distant device into believing that they are an authorized member of the network with no malicious intentions. One of the most well-known spoofing attacks is DOS, which is usually launched against DNS servers and the Internet, which are critical infrastructures.

This work was sustained in part by the Network Security course CPEG 561 given at the University of Bridgeport. Course dates: 08-23-2014 to 12-13-2014.

II. IPV6 UPDATE FROM IPV4 – NEW HEADER FORMAT

The first difference seen in the update from IPv4 to IPv6 is the header format. When the IPv6 header was designed, a number of IPv4 header fields were either removed completely or replaced for better functionality. The address size of IPv6 is much larger than that of IPv4: IPv6 uses 128-bit IP addresses and IPv4 uses 32-bit IP addresses. The security “Option Field” in the IPv4 header only addressed DOD-specific requirements, whereas IPv6 security provided more efficient routing. The IPv6 header has been set to a fixed length of 40 bytes. For IPv6:

The “Header Length” was replaced by “Fixed Length”.
The “Total Length” was replaced by “Payload Length”.
The IPv4 “Segmentation Control” fields were moved into the IPv6 “Fragmentation Extension Header”.
The IPv4 “Type of Service” is now known as the IPv6 “Traffic Class”.
The “Time to Live” was replaced by “Hop Limit”.
The “Protocol” was replaced by “Next Header Type”.

IPv4 Header Format:
Fig. 1: IPv4 Header architecture

IPv6 Header Format:
Fig. 2: IPv6 Header architecture

III. IPSEC – INTERNET SECURITY PROTOCOL AND QOS – QUALITY OF SERVICE

A. IPSec: IPsec originated in the IPv6 specification but was adopted for IPv4 as an option [4]. In IPv6 network security IPsec plays a positive role [4]. It utilizes the Authentication Header and the Encapsulating Security Payload header to provide security [9]. In IPv6 it delivers end-to-end security as well as security between the border routers of separate networks.

B. QOS: Quality of Service is a feature used to ensure that certain packets are given high priority when they need to arrive at a destination on time [4]. For example, Voice over IP (VoIP) and video stream packets need to arrive close together, since even a small delay can cause choppy video or voice.

IV. SPOOFING => DENIAL-OF-SERVICE (DOS)

A DOS attack occurs when IPv6 packets are sent back and forth through the same link until its bandwidth is overwhelmed. The resulting service disruption can trigger follow-on attacks that are masked by the DOS. Among the different types of spoofing attacks, DOS has been the most frequent spoofing attack on IPv6 network devices. As a solution to this problem, the method proposed here combines the Secure Neighbor Discovery (SEND) protocol with the Time-To-Live (TTL) method, which uses the hop count.

V. IP TRACEBACK AND TTL

IP traceback is a method in which the source of a packet is found by tracing the path over which the packet was sent.
It is used for identifying the source of attacks when implementing protection procedures over internet networks. Over many years IP traceback has been designed and tailored to the process of preventing DOS attacks, and it has been found consistent in finding the source of IP spoofing [6]. IP traceback by itself is just a tool used to trace paths [7]; however, when it is combined with the use of TTL it can not only trace the location of the DOS spoofing but also detect it with the Time-to-Live algorithm. TTL is embedded in the hop limit field within the IPv6 header, which is used to stop packets that are being routed endlessly. This helps when a fixed number of hops cannot be located by the destination host. TTL counts the number of hops it takes for a packet to reach a destination; the number of hops it takes to return is then counted. Since routes do not change frequently, if the sending and receiving hop counts are not equal, the packet is assumed to have been tampered with (DOS).

Hop Count: Each router decrements the TTL value by one before forwarding a packet to the next hop. This process causes the TTL field within the header to reflect the number of hops a packet takes to reach its destination. A packet's TTL algorithm is applied across networks, which allows the hop count to be calculated from the TTL value. Measuring the hop count from a host can be done by a passive method or an active method. The best method to use is passive measurement, which calculates (initial TTL) - TTL. This equation can only be applied if the initial TTL values are known from the start; however, it is the best method to use because it can be applied in scenarios where many ICMP packets are sent from thousands of hosts. The active measurement method echoes an Internet Control Message Protocol (ICMP) packet, which returns an accurate hop count, but only for a limited number of packets sent.
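The passive measurement just described, applied to a constructed capture, as an added example (not code from the paper): it computes hop count = (initial TTL) - TTL for each packet. Since the packet does not carry the sender's initial TTL, the example assumes the sender used one of the common operating-system defaults 64, 128 or 255 (the kind of per-OS values Fig. 3 refers to) and picks the smallest of these at or above the observed Hop Limit; the addresses and Hop Limit values are constructed sample data.

```python
"""Passive hop-count measurement from the IPv6 Hop Limit (TTL) field.

Added example, not part of the original paper. It applies the formula
hop count = (initial TTL) - TTL to a constructed set of captured packets.
The initial TTL is guessed as the smallest common OS default (64, 128, 255)
that is >= the observed value; that guess is the assumption the passive
method depends on.
"""

# Common initial Hop Limit defaults (assumption: the sender used one of them).
INITIAL_TTLS = (64, 128, 255)

# Constructed sample capture: (source address, observed Hop Limit).
SAMPLE_PACKETS = [
    ("2001:db8:1::10", 57),    # 64-based sender, 7 hops away
    ("2001:db8:2::20", 120),   # 128-based sender, 8 hops away
    ("2001:db8:3::30", 250),   # 255-based sender, 5 hops away
    ("2001:db8:4::40", 64),    # 64-based sender on the same link, 0 hops
]


def infer_initial_ttl(observed_ttl):
    """Return the assumed initial TTL for an observed Hop Limit value."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("Hop Limit must be an 8-bit value")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise AssertionError("unreachable: 255 covers every 8-bit value")


def hop_count(observed_ttl):
    """Passive measurement: (initial TTL) - TTL, returned as (initial, hops)."""
    initial = infer_initial_ttl(observed_ttl)
    return initial, initial - observed_ttl


def measure_capture(packets):
    """Apply the passive method to every packet of a capture.

    Returns a dict: source address -> (assumed initial TTL, hop count).
    """
    return {src: hop_count(ttl) for src, ttl in packets}


if __name__ == "__main__":
    for src, (initial, hops) in measure_capture(SAMPLE_PACKETS).items():
        print(f"{src}: assumed initial TTL {initial}, hop count {hops}")
```

The guess fails silently when a sender uses a non-default initial value or when a path is longer than the gap between two defaults (for instance more than 63 hops from a 64-based sender), which is exactly why the passive method needs the initial TTL values known in advance and why the active ICMP echo method is used when an exact count is required.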
Hop Count = (initial TTL) - TTL

The SEND protocol is suggested as the secure extension of Neighbor Discovery (ND) to solve the security issues faced today [5]. This protocol uses “Digital Signature, Digital Certificate Verification” as well as Cryptographically Generated Addresses (CGA) to deal with security issues such as DOS against ND. However, during the research period we found that the best way to prevent the DOS attack is to implement the IP traceback technique (part of SEND) with the TTL method. This process is easier to understand and implement.

Fig. 3: Hop Count values over different operating systems

Hop count example: Figure 5 shows the IP traceback from Src to Dst using all possible paths to get there. Example:
Path: Src -> 2 -> 5 -> Dst = shortest path = most pheromone
Path: Src -> 1 -> 4 -> 7 -> Dst
Path: Src -> 3 -> 6 -> 8 -> Dst
Fig. 4: Hops across a network

A very popular traceback algorithm is called the “Ant Algorithm” or “ACS Algorithm” [15]. This algorithm is interesting because it represents the behavior of real ants on a trail or path. Each ant follows the others on the same path, and the faster they go, the harder it becomes to notice the separation between individual ants. The behavior of an ant colony is simple. Ants have the ability to find the shortest possible path for the colony to obtain food and return. The way the colony routes its path comes from what is called the “pheromone trail” [6]. This trail is made when a moving ant lays pheromone in varying amounts on the path, making it a trail of importance. While this is happening, other moving ants are randomly creating pheromone trails; however, if an ant crosses another ant's trail, it decides with high probability to continue along that trail, laying more pheromone on it and causing other ants to be attracted to the trail.
This behavior is repeated constantly, which produces a feedback loop: the path on which the pheromone is strongest has the highest probability of being taken by more ants.

Ant Algorithm described: The traceback ant algorithm operates once packets have already been received from the source and the path has been set up to trace back to the attacker. The following figure demonstrates the ant colony creating different paths by laying a pheromone trail to travel from source (Src) to destination (Dst) [6]. The shortest path is found by the mathematical equation along with the random decision rule.

VI. MATH

Equations: Equation (1) is said to be the exploitation policy, whereby the path with the highest visibility and most pheromone intensity is chosen.

j = ---------- (1)

Equation (2) is the random decision rule, whereby any ant situated at node i hops to the next randomly calculated node j.

S = ---------- (2)

Pij(t) = pheromone intensity of the path between node i and node j at time t
Nij(t) = number of routing packets between node i and node j between time (t-1) and t
β = weighting factor of visibility
α = weighting factor of pheromone

Determining all possible paths of the trail is the main purpose of the algorithm. Once this is done, the next step is to find the shortest path. The ant colony calculates the probability density function of all feasible attack paths, and the best one is chosen.

VII. SIMULATION TOOLS

The simulation tools proposed and implemented throughout this project are Cisco Packet Tracer and Wireshark.

Fig. 5: IP Traceback: Ant Algorithm

Cisco Packet Tracer is a simulation tool that allows students to experiment with network tools that can be simulated in any behavioral situation of a network. This tool provides the realistic simulation of functional networks and the
collaboration capability to assess and visualize a network scenario while learning difficult networking concepts. A newer version of Packet Tracer allows practicing different situations covered by the CCNA curriculum. The limitation of Packet Tracer is its minimal support for IPv6 spoofing attack scenarios. It was difficult to simulate a realistic environment for a spoofing attack using Packet Tracer, which in turn caused a huge setback in the simulation timeframe.

Wireshark is mainly a tool used to capture packets on any network and analyze them. It is an open source tool that can be used for network analysis, troubleshooting and, of course, educational purposes. It has been used to analyze the packets sent to other devices over local networks as well as the packets received. Wireshark can be installed on a variety of operating systems and uses “pcap” to capture each packet and “Qt” to implement the user interface.
pcap: API for capturing packets.
Qt: cross-platform framework used for software application development.

Safe simulation design: Packets are sent back and forth to different devices on different networks without interruption.
Packet Tracer PC configuration
Fig. 8: Packet Tracer Router configuration
Packet Tracer spoofed simulation
Fig. 9: Wireshark: Packet Capture/Analyze tool
Fig. 6: Packet Tracer Spoofed Simulation
Spoofed simulation design: The laptop attacker (RED) is intercepting packets sent over the network.
Clean and Safe Network
Fig. 10: Detailed descriptions of packets sent. The output shows the transition of packets over the local network as well as the protocols that are invoked whenever anything happens on the network (e.g. ICMPv6 Neighbor Solicitation, DHCP Solicit, OSPF Hello packet for authentication).
Fig. 7: Packet Tracer Spoofed Simulation
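The ant algorithm of sections V and VI, as an added example (not the paper's code), run over the Src-to-Dst topology of Fig. 4. Because the bodies of equations (1) and (2) did not survive in the text, the example uses the standard Ant Colony System transition rule in their place: with probability Q0 an ant exploits the neighbour with the highest pheromone^alpha * visibility^beta (the exploitation policy), otherwise it chooses randomly in proportion to that product (the random decision rule). The link lengths, the visibility definition 1/length and the parameter values are assumptions of the example, chosen so that Src-2-5-Dst is the shortest path as in Fig. 4.

```python
"""Ant-colony (ACS) shortest-path search over the Fig. 4 topology.

Added example, not code from the paper. The transition rule is the standard
Ant Colony System rule (assumption standing in for the paper's equations
(1) and (2)); link lengths and parameters are constructed.
"""
import random

ALPHA, BETA = 1.0, 2.0   # pheromone and visibility weights (alpha, beta in the paper)
Q0 = 0.9                  # exploitation probability
RHO = 0.1                 # evaporation rate
TAU0 = 0.1                # initial pheromone on every link

# Constructed link lengths for the Fig. 4 topology (undirected links).
LINKS = {
    ("Src", "1"): 2.0, ("1", "4"): 1.0, ("4", "7"): 1.0, ("7", "Dst"): 1.0,
    ("Src", "2"): 1.0, ("2", "5"): 1.0, ("5", "Dst"): 1.0,
    ("Src", "3"): 1.5, ("3", "6"): 1.0, ("6", "8"): 1.5, ("8", "Dst"): 1.0,
}


def build_graph(links):
    """Adjacency map node -> {neighbour: length} from the undirected link list."""
    graph = {}
    for (a, b), length in links.items():
        graph.setdefault(a, {})[b] = length
        graph.setdefault(b, {})[a] = length
    return graph


def choose_next(graph, pheromone, node, visited, rng):
    """ACS state-transition rule: exploit (argmax) or explore (roulette wheel)."""
    candidates = [n for n in graph[node] if n not in visited]
    if not candidates:
        return None  # dead end: the ant is discarded by the caller

    def weight(n):
        visibility = 1.0 / graph[node][n]   # assumption: visibility = 1/length
        return (pheromone[frozenset((node, n))] ** ALPHA) * (visibility ** BETA)

    if rng.random() < Q0:
        return max(candidates, key=weight)          # exploitation policy
    weights = [weight(n) for n in candidates]
    return rng.choices(candidates, weights=weights, k=1)[0]  # random decision rule


def walk(graph, pheromone, src, dst, rng):
    """One ant's walk; returns the node list or None if it hits a dead end."""
    path, visited = [src], {src}
    while path[-1] != dst:
        nxt = choose_next(graph, pheromone, path[-1], visited, rng)
        if nxt is None:
            return None
        path.append(nxt)
        visited.add(nxt)
    return path


def path_length(graph, path):
    """Sum of link lengths along a path."""
    return sum(graph[a][b] for a, b in zip(path, path[1:]))


def ant_colony_shortest_path(links, src, dst, ants=10, iterations=20, seed=1):
    """Run the colony and return (best path found, its length)."""
    graph = build_graph(links)
    pheromone = {frozenset(edge): TAU0 for edge in links}
    rng = random.Random(seed)
    best, best_len = None, float("inf")
    for _ in range(iterations):
        for _ in range(ants):
            path = walk(graph, pheromone, src, dst, rng)
            if path is not None and path_length(graph, path) < best_len:
                best, best_len = path, path_length(graph, path)
        # Global update: evaporate everywhere, then reinforce the best-so-far
        # path in proportion to its quality (the pheromone trail of section V).
        for key in pheromone:
            pheromone[key] *= (1.0 - RHO)
        if best is not None:
            for a, b in zip(best, best[1:]):
                pheromone[frozenset((a, b))] += RHO * (1.0 / best_len)
    return best, best_len


if __name__ == "__main__":
    path, length = ant_colony_shortest_path(LINKS, "Src", "Dst")
    print("most-pheromone (shortest) path:", " -> ".join(path), "length", length)
```

After the run the reinforced path is the one with the most pheromone, which is how section V identifies the legitimate route; with a fixed seed the result is reproducible, which matters when the traceback output is to be compared across captures.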
VIII. SIMPLE ATTACKING SCENE

In the following attacking scene, Node D is a malicious attacker located in a subnet called “N”, with routing capabilities, wishing to intercept the messages from host A (PC A) to host B (PC B). Node D imitates the ND router and sends the specific RA message to host A (PC A).

Attacking Scene: The main parameters of the packet are:
Src MAC: [MAC of D in Subnet N]
Dst MAC: 33:33:00:00:00:01
Src IP: [Link-local IP of D in Subnet N]
Dst IP: ff02::1
Prefix: [Prefix_Illegal::/64]
Fig. 11: Attacking Scenario

The following scenario is a simple experimental network environment consisting of two subnets. From Fig. 11, subnet N is a mix of Secure Neighbor Discovery and Neighbor Discovery. Host A (PC A) acts as the victim in the scenario, with Ubuntu 11.10 and the ND protocol installed. As in section IV, the SEND protocol uses the ND protocol combined with secure tools such as IP traceback (Ant Algorithm) to implement and configure the SEND environment in subnet N.
Fig. 12: Experimental Setup

IX. PROCESS DESCRIPTION

Graphical Description of Proposed Solution:
Fig. 13: Flow chart of sending a packet and detecting IP spoofing with the Ant Algorithm.

The process in Fig. 13 describes the steps in which an IPv6 packet is transmitted over a network using the encapsulation technique tunneling [8]. An IP spoofing attack occurs during the transmission, and therefore the proposed solution, combining the IP traceback technique using the Ant algorithm with the Time-to-Live (TTL) already found in the IPv6 header, is applied. The calculation counts the number of hops from the victim's address back to the IP spoofing attack source in order to analyze whether it is the same path through which the original packet was transmitted. The resulting outcome depends on whether the forward hop count is the same as the reverse hop count.
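The decision step of the flow chart in Fig. 13, as an added example rather than the paper's code: the forward hop count is taken passively from the arriving packet's Hop Limit (initial TTL assumed to be the common default 64, 128 or 255 nearest above the observed value), the reverse hop count comes from a table of measurements from the victim back to the claimed source, and the two are compared. The addresses, Hop Limit values and reverse counts are constructed; the reverse table stands in for the active ICMPv6 echo measurement, and the "probe" outcome for a source with no measurement yet is an addition of the example, not part of the paper's chart.

```python
"""Forward/reverse hop-count check from the Fig. 13 flow chart.

Added example, not code from the paper. Equal forward and reverse hop
counts mean the same path was used and the packet is accepted; a mismatch
marks the request as (partially) spoofed and the packet is dropped.
"""

# Assumption: senders use one of the common OS initial Hop Limit defaults.
INITIAL_TTLS = (64, 128, 255)

# Constructed reverse-path measurements (victim -> claimed source), as an
# active ICMPv6 echo probe would return them.
REVERSE_HOPS = {
    "2001:db8:1::10": 7,
    "2001:db8:2::20": 8,
    "2001:db8:9::99": 3,
}

# Constructed arriving packets: (claimed source, observed Hop Limit).
ARRIVING = [
    ("2001:db8:1::10", 57),   # forward 7 hops, reverse 7 hops: legitimate
    ("2001:db8:2::20", 120),  # forward 8, reverse 8: legitimate
    ("2001:db8:9::99", 241),  # claims a 3-hop neighbour but arrived 14 hops away
    ("2001:db8:7::77", 60),   # no reverse measurement available yet
]


def forward_hops(observed_ttl):
    """Passive hop count: (assumed initial TTL) - observed TTL."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("Hop Limit must be an 8-bit value")
    initial = next(i for i in INITIAL_TTLS if observed_ttl <= i)
    return initial - observed_ttl


def check_packet(src, observed_ttl, reverse_table):
    """Apply the flow chart's decision. Returns (verdict, forward, reverse)."""
    fwd = forward_hops(observed_ttl)
    rev = reverse_table.get(src)
    if rev is None:
        # No reverse measurement yet: the active method (ICMP echo) must
        # probe the claimed source before a decision can be made.
        return "probe", fwd, None
    if fwd == rev:
        return "accept", fwd, rev   # same path forward and back: legitimate
    return "drop", fwd, rev         # hop counts differ: treated as spoofed


def filter_capture(packets, reverse_table):
    """Run the check over a capture; returns a list of (src, verdict)."""
    return [(src, check_packet(src, ttl, reverse_table)[0]) for src, ttl in packets]


if __name__ == "__main__":
    for src, ttl in ARRIVING:
        verdict, fwd, rev = check_packet(src, ttl, REVERSE_HOPS)
        print(f"{src}: forward={fwd} reverse={rev} -> {verdict}")
```

From a defender's view the check has known limits: it only catches a spoofed source whose real path differs in hop count from the claimed source's path, and a wrong initial-TTL guess on the forward side produces a false drop, so the reverse measurements have to be refreshed as routes change.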
Once the hop counts are equal, the request qualifies as legitimate and the packet is received; however, if the hop counts are not equal, the request is said to be partially spoofed and therefore the packet is dropped and discarded.

X. CONCLUSION

The proposed methods used in this research paper combine the IP traceback toolset with the Time-to-Live calculation technique. Because TTL is part of the hop limit field within the IPv6 header, which implements the hop counting process, the analysis of tracing back through paths is successful. The analysis of IP traceback is made possible by the Ant algorithm. The process that takes place throughout the network is inspected by the ant algorithm method, which allows the shortest path to be found; this path is also verified as the path of a legitimate request, because the shortest path carries the highest pheromone intensity. The proposed solution for this paper was developed through thorough research of multiple articles found in the IEEE Xplore Digital Library as well as via other online search engines.

REFERENCES

1. JaeDeok, L. and K. YoungKi. Protection Algorithm against security holes of IPv6 routing header. In Advanced Communication Technology, 2006. ICACT 2006. The 8th International Conference, 2006.
2. Colitti, L., G. Di Battista, and M. Patrignani. IPv6-in-IPv4 Tunnel Discovery: Methods and Experimental Results. IEEE Transactions on Network and Service Management, 2004. 1(1): p. 30-38.
3. Voravud, S. and Y. Permpoontanalarp. A graph-based methodology for analyzing IP spoofing attack. In Advanced Information Networking and Applications, 2004. AINA 2004. 18th International Conference on, 2004.
4. Xinyu, Y. and M. Ting. A Link Signature Based DDoS Attacker Tracing Algorithm under IPv6. In Future Generation Communication and Networking (FGCN 2007), 2007.
5. Hou, Y., et al. Routing Attack in the ND and SEND Mixed Environment. In Multimedia Information Networking and Security (MINES), 2012 Fourth International Conference on, 2012.
6. Jae-Deok, L., K. Young-Ho, and K. Ki-Young. Packet Filter Algorithm to prevent the security hole of routing header in IPv6. In SICE-ICASE, 2006. International Joint Conference, 2006.
7. Qwasmi, N., F. Ahmed, and R. Liscano. Simulation of DDOS Attacks on P2P Networks. In High Performance Computing and Communications (HPCC), 2011 IEEE 13th International Conference on, 2011.
8. Ali, W.N.A.W., et al. IPv6 attack scenarios testbed. In Humanities, Science and Engineering Research (SHUSER), 2012 IEEE Symposium on, 2012.