Title: Secure IPv6 Communications across Multiple Untrusted Networks
Abstract: IPv6 is the emerging addressing system to replace IPv4, and its vast address space will have major implications on Internet and network security. The Research stage of this report analyses currently deployed interception, packet inspection, and traffic filtering technologies, and also their countermeasures. The Development stage proposes the design for a secure communications system that is highly resistant to Internet surveillance and traffic filtering measures, leveraging the address space of IPv6, data encryption and IPsec. The Evaluation stage assesses the feasability of a real-world implementation of the secure communications system.
The initial aim of the dissertation project was to develop a next generation communications system that’s highly resistant against Internet traffic filtering and surveillance, or at least a method for creating such a system.
The project had three stages:
* Research: By far the most extensive part of the report, the Research stage included analyses of current traffic filtering methods, interception and surveillance, and existing countermeasures. It also covered IPv6 itself, and the features of IPv6 that could be utilised for improving communications security.
* Development: The development stage resulted in the design and the main components for an IPv6-based system capable of tunneling traffic through Deep Packet Inspection and several layers of filtering between networks.
* Evaluation: An assessment of the system’s effectiveness, deployability and areas for improvement. I’ve decided to continue building on the dissertation work.
The dissertation report was recently submitted at the University of Wales, Newport (now the University of South Wales). The outcome was a fairly detailed design for a point-to-point and multicast communications system, the core component being a software client that manages the encryption, IPsec tunneling, address management, group messaging and other features.
The main component of the system (which is still under development) is a software client for P2P/point-to-point communication that manages application-layer encryption, IPsec tunneling and IPv6 address management. It uses a PRNG to select an address from within an assigned IPv6 block, and an asymmetric cipher to update the application databases of the other clients within a closed group. This system should meet the criteria of being highly resilient to discovery, traffic filtering and interception.
When fully developed, the software can be modified for a range of other applications, such as distributed hosting, social networking and even online banking.
The Simulated Internetwork
In order to test the software client, an internetwork consisting of two Local Area Networks and traffic filtering layers must be constructed. This could be built with standard routers powered by the DD-WRT software (as most standard firmware still doesn’t support IPv6).
For those with access to carrier-grade equipment, the system can be tested with two Cisco 2600/2800 routers and an Integrated Access Device (such as the ADTRAN 550).
The dissertation has been completed and published, along with the main components for the software client, and I intend to use it as the basis for developing the communications system further.