Abstract

A considerable amount of time will be needed before every system on the Internet can convert from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6). The Internet Engineering Task Force (IETF) has proposed three strategies to help the transition from IPv4 to IPv6: dual stack, header translation and tunneling. Tunneling is used when two computers using IPv6 want to communicate with each other and the packet must travel through a region that uses IPv4. To pass through this region, the IPv6 packet must be encapsulated in an IPv4 packet so that it has an IPv4 address and is compatible with IPv4 routing. Internet Protocol security (IPsec) in transport mode carries the payload of the encapsulating packet as plain data without any means of protection. That is, two nodes using IPsec in transport mode to secure the tunnel can spoof the inner payload; the packet will be decapsulated successfully and accepted. The IETF has mentioned this problem in many RFCs. According to RFC 3964, there is no simple way to prevent spoofing attacks in an IPv6 over IPv4 tunnel, and longer-term solutions would have to be deployed in both IPv4 and IPv6 networks to help identify the source of the attack; total prevention is likely impossible. This study proposes a new spoofing defense mechanism based on the IPsec protocol Encapsulating Security Payload (ESP). ESP's padding area is used to carry the IPv6 source address of the encapsulated packet. Simulation was conducted for two scenarios, one with a spoofing attack and one without. The outcome proved that the proposed mechanism managed to eliminate the spoofing threat in the IPv6 over IPv4 tunnel.
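The check described in the abstract, as an added sketch that is not the paper's code: the sender places an IPv6 source address in the ESP padding and the receiver rejects packets whose inner IPv6 source differs. Assumptions made here: the address occupies the first 16 padding bytes, the sender's IPsec layer writes its own configured address, the ICV is HMAC-SHA-256 truncated to 128 bits, encryption is omitted, and all function names are hypothetical.

```python
import hashlib, hmac, ipaddress, struct

IPPROTO_IPV6 = 41   # ESP Next Header value when the payload is an IPv6 packet
ICV_LEN = 16        # HMAC-SHA-256 truncated to 128 bits (assumed integrity algorithm)

def ipv6_packet(src, dst, data=b""):
    """Minimal IPv6 packet: 40-byte header (no next header, hop limit 64) + data."""
    hdr = struct.pack("!IHBB", 6 << 28, len(data), 59, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + data

def esp_seal(key, spi, seq, inner, own_src):
    """Sender: put own_src in the first 16 padding bytes (assumed layout), align, add ICV."""
    pad = ipaddress.IPv6Address(own_src).packed
    pad += bytes(-(len(inner) + len(pad) + 2) % 4)  # trailer must end on a 4-byte boundary
    body = struct.pack("!II", spi, seq) + inner + pad + bytes([len(pad), IPPROTO_IPV6])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def esp_open(key, packet):
    """Receiver: verify the ICV, then compare the padding address with the inner source."""
    if len(packet) < 8 + 40 + 16 + 2 + ICV_LEN:
        return "drop: too short"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "drop: bad ICV"
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != IPPROTO_IPV6 or pad_len < 16 or len(body) < 8 + 40 + pad_len + 2:
        return "drop: malformed trailer"
    pad_start = len(body) - 2 - pad_len
    inner, bound_src = body[8:pad_start], body[pad_start:pad_start + 16]
    if inner[8:24] != bound_src:  # bytes 8..23 of the IPv6 header hold the source address
        return "drop: inner source does not match padding"
    return "accept " + str(ipaddress.IPv6Address(inner[8:24]))

KEY = bytes(32)            # constructed all-zero key, for the demonstration only
NODE = "2001:db8:a::1"     # constructed documentation-prefix addresses
PEER = "2001:db8:b::1"

def scenarios():
    """One packet without spoofing, one with a forged inner source, one altered in transit."""
    honest = esp_seal(KEY, 0x100, 1, ipv6_packet(NODE, PEER), NODE)
    spoofed = esp_seal(KEY, 0x100, 2, ipv6_packet("2001:db8:ffff::bad", PEER), NODE)
    tampered = bytearray(honest)
    tampered[8 + 8] ^= 0xFF  # flip the first byte of the inner source address
    return esp_open(KEY, honest), esp_open(KEY, spoofed), esp_open(KEY, bytes(tampered))

if __name__ == "__main__":
    for result in scenarios():
        print(result)
```

The comparison only has value because the padding sits inside the span covered by the ICV; padding outside the integrity check could be rewritten together with the inner header.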

Highlights

  • A crucial element enabling numerous different types of Internet Protocol (IP) attacks is the ability for an adversary to modify their source IP address and the ports they are communicating on to appear as though traffic initiated from another location or another application

  • When an Internet Protocol version 6 (IPv6) packet is encapsulated in an Internet Protocol version 4 (IPv4) payload, there is no means for administrators to know about IPv6 traffic that has tunneled into their networks (Sabnis and Tech, 2013)

  • In this article we introduce a new spoofing defense mechanism to eliminate the spoofing threat that arises when using Internet Protocol security (IPsec) in transport mode to secure an IPv6 over IPv4 tunnel

Summary

INTRODUCTION

That is, IPv6 packets are encapsulated in IPv4 packets and are transmitted over IPv4 networks like ordinary. The security threats in an IPv6 over IPv4 tunnel are caused by spoofed encapsulated packets sent by attackers in IPv4 networks. When an IPv6 packet is encapsulated in an IPv4 payload, there is no means for administrators to know about IPv6 traffic that has tunneled into their networks (Sabnis and Tech, 2013). In order to do ingress filtering, the network needs to know which IP addresses each of the networks it is connected to may send. A network that has a single connection to the Internet has no way to know whether a packet coming from that connection is spoofed or not.

Spoofing
IPv4 Versus IPv6
End-Host-Based Solutions
Router-Based Solutions
Solutions Requiring the Use of Both Routers and End-Hosts
IP Security
EXPERIMENTAL WORKS
Algorithm
Simulation Results
DISCUSSION
CONCLUSION