Tags

, , , , , , , , , , , , , , ,

It’s only recently I’ve given IPv6 any serious thought, and I’m still going through a mass of literature on the subject and related technologies. As I’ve already pointed out, it’s still TCP/IP, which encapsulates data and routes it exactly as with IPv4, but the colossal address range makes numerous other things possible. Without giving too much away, this is one component of a system I believe will defeat traffic filtering and interception, hence my interest.

Multicast Groups
Without Network Address Translation, hosts located anywhere can form a group sharing a multicast address – one host sends data to that address, and it would be broadcast to the entire group.

IPv6 multicast addresses begin with ff:, so there are 2e+112 possible addresses a group can use, disregarding a handful of reserved addresses. The other bits in the first segment determine the type of multicasting.
A third party trying to intercept the broadcasts for a given group must therefore potentially scan through 2e+112 addresses to determine the correct one. We could say this is comparable to cracking 112-bit encryption. However, there are a couple of problems: the group must be able to select a random multicast address, and that address must somehow be communicated securely. It leaves us with the old key distribution problem, but that might be solveable with some implementation of RSA.

Proxy Servers
Also in my previous post, I pointed out that it’s possible to allocate roughly 6.67e+25 addresses to each square centimetre of the Earth’s surface, assuming my maths is correct. The point here is there’s no practical limit to the number of addresses a proxy server could use and discard, which makes the task of blacklisting them extremely difficult. This could even negate the current need to use proxies to defeat IP-based filtering systems.

IPsec
A few readers might wonder why I haven’t mentioned IPsec yet. IPsec is natively supported by IPv6, and functions at the TCP/IP layer instead of the application layer. This enables secure tunnels to be established between two points, and unlike SSL provides security for both routing and payload. It’s not commonly used at the moment as Network Address Translation re-encapsulates data, making it difficult to preserve the integrity of TCP/IP packets.

Where I’m Going with All This
Recent events proved the concepts of copyright and ‘intellectual property’ have been taken way out of proportion. Increasingly web sites are being arbitrarily blocked and removed without due process, ‘checks and balances’ provide no real protection, and we came dangerously close to allowing the US government to degrade the DNS in the name of copyright. As some of us feared, the United States is following China’s lead in blocking traffic exchanged between the US and other countries.
All this directly contradicts what ‘Cyber Security Strategies’ are supposed to achieve, and in the long run it will ultimately degrade the security of the Internet while aiding criminals. In my view, this is an engineering problem in need of a solution.

Looking at this objectively, the IPv6 Internet should route traffic without interference and regardless of content, especially when it develops into an ‘Internet of things’ that connects all manner of electrical and electronic device. To preserve the reliability and security of the Internet, a new system – perhaps a successor to the Tor network that takes advantage of IPv6 – is needed to render useless whatever methods are used for blocking traffic.

Advertisements