Introduction
IPv4-based networks make up most of today's networks, owing to the protocol's relative resilience in spite of its age. Cracks have, however, been appearing, and a new version of the protocol has been in the works.
All the new techniques introduced to overcome some of IPv4's best-known security deficiencies (SSL, IPSec, etc.) have been judged useful but insufficient. In other words, despite all recent improvements, the supporting Internet infrastructure continues to lack an appropriate security framework.
IPv4 security issues
Security was not a primary concern when designing IPv4. Basically, the idea was to establish an end-to-end pipe with no regard for security. The end nodes were assumed to address security requirements such as encryption and digital signing (e-mail applications would perform their own encryption).
Resilience is needed against the following security threats:
- Denial of service (DoS) attacks: Certain services are flooded with a large number of illegitimate requests that render the targeted system unreachable by legitimate users.
- Malicious code distribution: Worms and viruses use infected hosts to infect remote systems.
- Man-in-the-middle attacks: IPv4's lack of proper authentication mechanisms may facilitate man-in-the-middle attacks.
- Fragmentation attacks: These exploit the handling of large IPv4 packets at the O/S level (e.g. the ping of death attack).
- Port scanning and other reconnaissance attacks: The network is scanned to find potential targets with running services.
- ARP poisoning and ICMP redirect: This occurs when forged ARP responses are broadcast with incorrect mapping information that could force packets to be sent to the wrong destination. ICMP redirect attacks use a similar approach.
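The ARP poisoning item above can be made concrete from the defender's side. The following is an added example, not code from the original article: it parses raw Ethernet ARP replies and flags an IP address whose claimed hardware address changes, or whose ARP sender address disagrees with the Ethernet source. The function names, MAC addresses and documentation-range IP addresses are assumptions, and the sample frames are constructed.

```python
import socket
import struct

ARP_ETHERTYPE, ARP_REPLY = b"\x08\x06", 2

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (opcode, eth_src, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac(frame[6:12]), mac(sha), socket.inet_ntoa(spa)

def check_frames(frames):
    """Track the first IP-to-MAC binding seen in ARP replies; return alert strings."""
    bindings, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, eth_src, sha, spa = parsed
        if eth_src != sha:  # link-layer source and ARP payload disagree
            alerts.append(f"{spa}: Ethernet source {eth_src} differs from ARP sender {sha}")
        known = bindings.setdefault(spa, sha)
        if known != sha:    # same IP now claimed by a different MAC
            alerts.append(f"{spa}: mapping changed from {known} to {sha}")
    return alerts

def build_reply(eth_src, sha, spa, tha, tpa):
    """Assemble a constructed ARP reply frame (sample data only, never sent)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      h(sha), socket.inet_aton(spa), h(tha), socket.inet_aton(tpa))
    return h(tha) + h(eth_src) + ARP_ETHERTYPE + arp

# Constructed sample: the gateway answers, then a second host claims the gateway's IP.
GW, HOST = "192.0.2.1", "192.0.2.10"
SAMPLE = [
    build_reply("02:00:00:00:00:01", "02:00:00:00:00:01", GW, "02:00:00:00:00:10", HOST),
    build_reply("02:00:00:00:00:66", "02:00:00:00:00:66", GW, "02:00:00:00:00:10", HOST),
]

if __name__ == "__main__":
    print("\n".join(check_frames(SAMPLE)))
```

The first binding seen is treated as the baseline, so legitimate changes such as a DHCP reassignment or a failover pair will also raise an alert and need to be allow-listed.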
IPv4 short term remedies
To deal with IPv4 security limitations, certain techniques such as Network Address Translation (NAT) and Network Address Port Translation (NAPT) have been developed. They can offer a certain level of protection against some of the security threats listed above. Also, the introduction of IPSec facilitated the use of encrypted communication, although its implementation is optional and continues to be the sole responsibility of the end nodes.
The Network Working Group of the Internet Engineering Task Force (IETF) proposed in 1998 a new suite of protocols called the Internet Protocol version 6 (IPv6) to deal with the limitations of the current Internet infrastructure. This new suite of protocols aims to deal with a number of the issues that affect IPv4-based networks, including its lack of network-level security.



