BASIL_NETWORKS


BASIL Networks BN'B

The BASIL Networks Public Blog contains information on Product Designs, New Technologies, Manufacturing, Technology Law, Trade Secrets & IP, Cyber Security, LAN Security and Product Development Security.

Internet of Things (IoT) -Security, Privacy, Safety-Platform Development Project Part-3

saltuzzo | 24 November, 2016 09:26

Part 3: IPv4, IPv6, DHCP, SLAAC and Private Networks:
The Automatic Assignment of IP Internet Addressing

In all chaos there is a cosmos, in all disorder a secret order - Carl Jung

Part 1 Introduction - Setting the Atmosphere for the Series (September 26, 2016) 
Part 2 IPv4 & IPv6 - The Ins and Outs of IP Internet Addressing (November 11, 2016)
Part 4 Network Protocols - Network, Transport & Application (January 10, 2017)
Part 5 Network Protocols - Network, Transport & Application -Continued (Aug 17, 2017)
Part 6 Network Protocols - Network, Transport & Application -Continued -Ethernet Protocol (Sept 21, 2017)
Part 7 Network Protocols - Network, Transport & Application -Continued -The CRC-32 and Checksums (Nov 23, 2017)
Part 8 IoT Core Platform - SoC Core Processor of Embedded Systems (Jan 12, 2018)
Part 9 IoT Core Platform - SoC Core Processor of Embedded Systems -Vulnerabilities (Mar 16, 2018)
Part 10 IoT Core Platform - SoC Core Processor of Embedded Systems -Documentation Management (Apr 5, 2018)
Part 11 IoT Core Platform - SoC Core Processor of Embedded Systems -Documentation Management Processes (June 27, 2018)
Part 12 IoT Core Platform - IoT Core Platform - Product Design -Creating Conceptual Design Documentation (July 29, 2018)
Part 13 IoT Core Platform - Peripheral Interface Devices - Peripheral Design From the Beginning (Oct 7, 2018)
Part 14 IoT Core Platform - Peripheral I/O Development - Analog Input Peripheral Device Design (Oct 29, 2018)
Part 15 IoT Core Platform - Peripheral I/O Development - Analog Input Peripheral Device Design (Dec 7, 2018)

Let's Get Started: Quick Review to Set the Atmosphere for Part 3
In Part-2 we discussed the simple side of the two IP addressing schemes that are easily understood in this "Information Highway" era.  It is easy to see how we can trace a route from point A to point B with a simple numerical addressing scheme.  Also in Part-2, for simplicity, we used Class A, B, C, D for the point to point directions.  In reality the IPv4 class system was retired by CIDR (Classless Inter-Domain Routing, RFC 1519, 1993), which replaced the fixed class boundaries with a prefix length, and IPv6 was designed classless from the start.  Instead of classes an IPv6 address is built from a Global Routing Prefix and a Subnet ID followed by an Interface ID, which is commonly derived from the device's EUI.  In this part of the series we go one step further to characterize the IP address and associate it with a unique physical identifier for the source and destination.  Before we get deeper into network technology it is easier to look at the IP address as a point to point direction with the ability, once the packet arrives, to funnel data through one of 65,536 doors, rooms, or better yet ports (numbered 0 to 65535), as shown in Figure 3.0.  Strictly speaking the port numbers belong to the transport protocols TCP and UDP that ride on top of IP, not to the IP address itself, and each transport protocol has its own set of 65,536 ports.  Ports have been categorized for specific types of data transfer; for example port 80 is the well-known port for HTTP, so your Internet browser sends and receives web pages through TCP port 80 at the server's IP address.  We presented ports lightly in Part-2; the complete list of assignments is the IANA Service Name and Transport Protocol Port Number Registry.  Ports will be addressed in more detail in the security and hardware design parts of the series.


  Figure 3.0   IP Address Available Ports

When we look at a network with all the different types of devices connected and all the different software applications that transport data over it, it is reasonable to categorize devices and applications by protocol, with the IP scheme acting as the transport agent for those communication protocols; this is true for both IPv4 and IPv6.  To get a better understanding of how hardware and software coincide we will briefly introduce the three delivery modes a packet can have: Unicast, Multicast and Broadcast.  These are not protocols in their own right but ways of addressing a packet.  Unicast, as the name implies, is a single host sending to a single receiving host.  Multicast lets a single sender reach a selected group of hosts that have joined a group address, so one to many selected, or many selected to many selected.  Broadcast sends a packet from a single device to every host on the local subnet.  IPv6 drops broadcast entirely and uses multicast groups for the same purposes, which we will meet again when we get to Neighbor Discovery.  This will be covered further in the security and software design sections of this series.  There are many other request types built on top of these and some of them we will cover in this part.  The intent is to accumulate the network understanding required for the design of the core platform IoT hardware, firmware and software.

So, now that we are able to get from point A to point B and we are standing in front of the house, it would be nice to identify the actual house uniquely, something that makes it different from all the other houses.  Relating this to the IP address, the house is given another identifying characteristic, say the builder's name, the builder's type of house and the number built to date.  In network terms this is called the MAC (Media Access Control) address, great, another acronym.  The IPv4 or IPv6 address is a scheme or direction to get from point A to point B while the MAC address is the PII (Personally Identifiable Information) of the house.  In computer terms the MAC is the hardware ID of the network interface, and every network interface on a device (wired Ethernet, WiFi, Bluetooth) has its own.  To start with the right terminology, the IEEE now calls the 48 bit identifier the EUI-48 (Extended Unique Identifier); the older name MAC-48 is obsolete, although "MAC address" is still the everyday term and most routers still label it that way.  OK, yet another acronym to keep track of.  In this series MAC, MAC-48 and EUI-48 all refer to the same 48 bit address.

Some basic IP masking terminology to keep in mind.  Many times in the networking environment you will notice an IP address written as 192.168.1.0/24 where the /24 is the number of bits, counted from the left, that form the network part of the address.  This relates to the IP address 192.168.1.0 and a mask of 255.255.255.0.  So the 32 bit address would be 192.168.1.xxx where xxx is the device's address within the subnet, 0 to 255, of which .0 (the network address) and .255 (the broadcast address) cannot be assigned to a device, leaving 254 usable addresses.  In bit form the mask would be 11111111.11111111.11111111.00000000.  The 1's indicate the fixed network part of the address, 192.168.1, and the 0's the host part.  A /8 by comparison is a mask of 255.0.0.0 and leaves 24 host bits.  The /bits count always starts at the high end (left to right) of the address for both IPv4 and IPv6.  Let's summarize some of the acronyms we have; Table 3.0 lists the new acronyms used with the IP schemes so far.  By the way, the Internet technology arena has an acronym for everything as we will see.

Acronym   Name / Description                                                Protocol
WAN       Wide Area Network                                                 IPv4 and IPv6
LAN       Local Area Network                                                IPv4 and IPv6
ULA       Unique Local Address - Private Network (FC00::/7)                 IPv6
NAT       Network Address Translation                                       IPv4
P2P       Peer to Peer or Point to Point                                    IPv4 and IPv6
MAC       Media Access Control address (48 bit hardware address)            IPv4 and IPv6
EUI       Extended Unique Identifier (IEEE name for the MAC; EUI-48, EUI-64) IPv4 and IPv6
Port      TCP and UDP each have 65,536 ports (0 - 65535)                    IPv4 and IPv6

Table 3.0   Review of Some Basic IP Acronyms

MAC (Media Access Control), EUI (Extended Unique Identifier) address:
Ins & Outs of a Device/Access Control Identifiers

Before we get into the IPv6 technical details we have to cover some information about all devices attached to the Internet.  We discussed IPv4 and IPv6 addressing, which are just two addressing schemes, directions from point to point only.  The MAC address is a "hardware identification" address, which the IEEE now formally names EUI-48 (Extended Unique Identifier); the same numbering scheme is what IPv6 builds its interface identifiers on, as we will see.  The EUI is not a direction between two points but a unique hardware ID that separates one interface from all others.  Every network interface connected to an Ethernet or WiFi network must have a MAC/EUI address.  The MAC-48/EUI-48 address is a 48 bit physical hardware address (2^48 = 281,474,976,710,656 possible values) that is part of the NIC (Network Interface Controller), is assigned by the manufacturer of the controller and is supposed to be unique.  All smart phones, computers, tablets, any device that connects to a network has one per interface.  NIC manufacturers request a block of addresses from the IEEE Registration Authority and each address in the block is used only once.  The 48 bit EUI-48 format shown in Figure 3.1 is split into two 24 bit blocks: the first 24 bits are the OUI (Organizationally Unique Identifier), the company/manufacturer ID, and the second 24 bits are the hardware ID the manufacturer assigns.  Two bits of the first octet are reserved as flags (the I/G bit for individual vs. group addresses and the U/L bit for universally vs. locally administered addresses), so there are 2^22 = 4,194,304 possible OUIs, each good for 2^24 = 16,777,216 controllers.  The EUI-48 is considered a permanent burned in address for the hardware and is handled differently by the two IP schemes as we will see.  IPv6 has 2^128, roughly 340 x 10^36, addresses available and its interface identifiers are 64 bits wide, so the 48 bit EUI space is the constraint, not the IP space; we will run out of EUI-48 addresses at some future date, and considering IoT devices and the huge market it may be sooner than later, which is why the IEEE introduced the 64 bit EUI-64 for new designs.  Granted many NICs are now in the trash and out of circulation, but that only prolongs the inevitable.
We will see why this is important when we discuss IPv6 and the EUI-48 and EUI-64.  Although the EUI-48 is considered permanent, with today's technology the address a NIC actually uses can be changed in software, but for now let's consider it permanent.  We will get into changing EUI-48 and EUI-64 in the security part of the series; at this point we are still addressing the characteristics or modes of the IP schemes.


Figure 3.1 MAC-48 Now Called EUI-48 Address Format

In IPv4 the EUI-48 address stays on the local network.  It lives in the Ethernet (layer 2) frame, and every router along the path strips that frame and builds a new one for the next hop with its own MAC addresses, so a device's EUI is never carried across the WAN to the far end.  That is why it is possible to have duplicate EUI addresses on two different LANs without a conflict: they never meet.  A server application may collect the client's EUI in a few special cases, but a duplicate EUI-48 in a point to point application is not likely to happen.  The EUI-48 of any device on an IPv4 LAN can be obtained locally by the device's OS (Operating System) issuing an ARP (Address Resolution Protocol) request: the OS broadcasts "who has 192.168.2.100?" to the whole LAN and the owner of that IP address replies with its EUI-48.  The command arp -a 192.168.2.100 then shows the IP to EUI-48 association the OS has cached for that target.  Each device's OS keeps an internal cache (the ARP table) of the EUI and IP associations for the devices it has talked to on the LAN.  Regardless of the operating system being used, Windows, Unix or Linux, they all implement ARP as specified in RFC 826.  The IP and EUI combined identify one interface on one network.  There is also a 64 bit form of the identifier, EUI-64, which IPv6 uses and which will be covered in the IPv6 section.  We will cover more on EUI in the security parts of the series.

IPv4 Routers: The Ins, Outs and Limitations
We have all used the IPv4 Internet for a long time now, so it is easier to relate to IPv6 by securing our understanding of IPv4 and identifying its limits first, then moving to IPv6.  Our intent in this section is to understand the IPv4 network configuration limitations and how these limitations are addressed in IPv6 networks.  Figure 3.2 shows a typical IPv4 router, which includes features to handle NAT, DHCPv4, a firewall and of course MAC-48 (EUI-48) address filtering, allowing programmable control of the devices connected to the Internet.  NAT in the IPv4 router takes a packet from a LAN device like 192.168.2.20, rewrites the source to the single ISP WAN address and a chosen source port, remembers the mapping in a translation table and reverses it for the replies, connecting that single device to the Internet.  Simple, right?  OK, what about say 10 devices on the LAN all wanting to browse the web or upload/download files at the same time?  Every one of those flows goes through the NAT table first, then through the firewall rules to see if that LAN address and port are allowed passage, then out a single WAN address over a single WAN link.  All the traffic from a 10 lane highway narrows down to one lane to get to the WAN.  Obviously this creates a bottleneck or funnel effect, since the Internet service provider sets the throughput (DownLink/UpLink) of that one link, as shown in Figure 3.3.  For a home or small home office environment this is generally not a problem simply because home users adapt to the speed of the Internet connection and accept the delays.  However, for a small office with say 10 or more people working on the Internet daily this starts to become a problem and business efficiency is affected.  For larger companies that have many people on-line constantly this becomes a serious throughput issue.

IPv4 Routers and DHCP:
DHCP (Dynamic Host Configuration Protocol) servers perform the useful task of adding devices to the LAN automatically.  As we stated earlier, for a LAN every device must have a unique IP address as well as a unique MAC (EUI) address in order to communicate with the other devices on the network.  Without DHCP the individual responsible for the network would have to manually keep track of and assign the IP address for each device and ensure its uniqueness.  The DHCP server eliminates that manual effort.  The DHCP server is generally configured with a block of available addresses, say 192.168.2.10 - 192.168.2.40, a pool of 31 addresses (10 through 40 inclusive) that it hands out automatically, each with a lease time.  After the 31 addresses are used up the DHCP server cannot serve any more devices until a lease expires or is released, for example when a device on the LAN is turned off and its lease runs out, and that address becomes available to assign to another device.  From this we see that a device may receive different IP addresses from the DHCP server over time.  This is fine for devices like a smart phone or tablet that are not always in the LAN area.  However, for a web server or e-mail server this becomes a problem, since fixed servers require port forwarding from WAN↔NAT↔LAN-Server to a known address.  Once the range of addresses allotted to the DHCP server is used up, the user has to select an address outside the DHCP range and manually configure the device's NIC with it.  On an IPv4 LAN there should be only one DHCP server, which keeps this an easy task and avoids conflicts.  DHCP and manually assigned static IP addresses work the same whether the device is hard wired through the RJ45 or connected through WiFi.  However, if a second DHCP server appears on the network, intentionally or not, devices can be handed conflicting addresses, gateways and DNS servers, and troubleshooting becomes difficult.
It can also be hard to get a system to keep the same address across reboots with DHCP, since allocation is first come first served; the usual fix is a static reservation in the router that ties a MAC (EUI) address to one IP address in the pool.
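To make the lease behaviour above concrete, here is an added example (not code from the original article) of a minimal DHCPv4-style address pool in Python: an inclusive range, leases keyed by the client's MAC (EUI-48) with an expiry time, pool exhaustion when the range is used up, and a static reservation that gives a server the same address every time.  The 192.168.2.10 - 192.168.2.40 range is the article's example; the MAC addresses are constructed test values, and the DhcpPool class and its methods are this example's own names, not a real DHCP server's API.

```python
from dataclasses import dataclass
import ipaddress
from typing import Dict, Optional

# Added example, not from the original article: a toy lease pool that models
# the behaviour described in the text.  Addresses come from a fixed inclusive
# range, each lease is keyed by the client's EUI-48 and expires, and a static
# reservation pins a server to one address across reboots.


@dataclass
class Lease:
    ip: str
    expires_at: float   # seconds, on the same clock as the `now` passed to request()


class DhcpPool:
    def __init__(self, first: str, last: str, lease_time: float = 3600.0):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if hi < lo:
            raise ValueError("pool end is below pool start")
        # Inclusive range: 192.168.2.10 - 192.168.2.40 holds 31 addresses, not 30.
        self.free = [str(ipaddress.IPv4Address(int(lo) + i)) for i in range(int(hi) - int(lo) + 1)]
        self.lease_time = lease_time
        self.leases: Dict[str, Lease] = {}        # normalized mac -> lease
        self.reservations: Dict[str, str] = {}    # normalized mac -> fixed ip

    @staticmethod
    def norm(mac: str) -> str:
        """Accept aa:bb:cc:dd:ee:ff or aa-bb-... in any case; reject anything else."""
        digits = mac.replace(":", "").replace("-", "").lower()
        if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
            raise ValueError(f"bad EUI-48: {mac}")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

    def reserve(self, mac: str, ip: str) -> None:
        """Static reservation: this MAC always gets `ip`, the way a server needs."""
        ip = str(ipaddress.IPv4Address(ip))
        self.reservations[self.norm(mac)] = ip
        if ip in self.free:
            self.free.remove(ip)          # never hand a reserved address to someone else

    def expire(self, now: float) -> None:
        """Return expired leases to the pool (expiry, not only 'device turned off')."""
        for mac, lease in list(self.leases.items()):
            if lease.expires_at <= now:
                del self.leases[mac]
                if mac not in self.reservations:
                    self.free.append(lease.ip)

    def request(self, mac: str, now: float) -> Optional[str]:
        """DISCOVER/REQUEST collapsed into one call: the address leased, or None if exhausted."""
        mac = self.norm(mac)
        self.expire(now)
        if mac in self.reservations:
            ip = self.reservations[mac]
        elif mac in self.leases:
            ip = self.leases[mac].ip      # renewal inside the lease keeps the address
        elif self.free:
            ip = self.free.pop(0)         # first come, first served
        else:
            return None                   # pool exhausted: this client gets nothing
        self.leases[mac] = Lease(ip, now + self.lease_time)
        return ip


if __name__ == "__main__":
    pool = DhcpPool("192.168.2.10", "192.168.2.40", lease_time=100.0)
    pool.reserve("00:11:22:33:44:55", "192.168.2.10")          # the office web server
    for i in range(31):                                         # one more client than the pool can hold
        print(f"02:00:00:00:00:{i:02x}", pool.request(f"02:00:00:00:00:{i:02x}", now=0.0))
    print("server", pool.request("00:11:22:33:44:55", now=0.0))
```

Note how a laptop whose lease has expired is not guaranteed its old address on the next request: it goes to the back of the free list, and a new client may take it first.  That is the "hard to keep the same address across reboots" point; the reservation path sidesteps it.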

IPv4 Routers and MAC(EUI) Addresses:
For IPv4 the hardware EUI-48 address and IP stay on the private LAN behind NAT and may only be looked up on the private LAN side, through the device's OS (Operating System) issuing an ARP request.  Many IPv4 routers still label the EUI-48 as the MAC ID, so in this section we will use both names together to get used to EUI.  The MAC (EUI-48) is also used in the IPv4 router for MAC (EUI) filtering, which allows only selected devices access to the LAN.  When MAC (EUI) filtering is enabled the router only allows devices whose MAC (EUI) addresses are on its list to use the LAN, and that includes Internet access.  In IPv4 routers just the MAC-48 (EUI-48) addresses are entered in a list in the router's non-volatile memory; no IP addresses are associated with them, since the IP may be any address assigned by the DHCP server or a manually assigned static address.  MAC filtering is only effective on the private LAN of an IPv4 router and, as stated, the MAC is not routed to the Internet WAN.  Keep in mind that because the address a NIC uses can be changed in software, MAC filtering is a convenience control, not a strong one.  The addresses of the NICs on the LAN are learned via the ARP protocol and stored locally in each computer by the operating system running on that device.  This is one of the differences between the IPv4 and IPv6 schemes as we will see in the following sections.

Figure 3.2  Typical IPv4 Router Functional Block Diagram

IPv4 LAN Capabilities: Overview
An IPv4 LAN has three blocks of private IP addresses, set aside by IANA in RFC 1918, that the user may choose from as stated in Part-2.  A LAN behind NAT is a private network and the ranges reserved for that purpose are 10.0.0.0 - 10.255.255.255 (10.0.0.0/8), 172.16.0.0 - 172.31.255.255 (172.16.0.0/12) and 192.168.0.0 - 192.168.255.255 (192.168.0.0/16).  Packets with these addresses are not routed on the public Internet; ISP routers drop them.  Table 3.1 shows the subnet mask settings and the number of addresses for those settings.  An IPv4 private LAN has the ability to handle a huge number of connected devices.  Let's see what happens in the IPv4 network under NAT when many users access the Internet at the same time.  As we see, adding devices to the LAN, especially if they are to communicate on the WAN globally, can easily end up as the traffic bottleneck shown in Figure 3.3 below.

Starting IPv4 Address   Ending IPv4 Address   Prefix   IPv4 Subnet Mask   LAN Host Bits   Number of Addresses
192.168.0.0             192.168.0.255         /24      255.255.255.0      8               256
192.168.0.0             192.168.1.255         /23      255.255.254.0      9               512
192.168.0.0             192.168.3.255         /22      255.255.252.0      10              1,024
192.168.0.0             192.168.7.255         /21      255.255.248.0      11              2,048
192.168.0.0             192.168.15.255        /20      255.255.240.0      12              4,096
192.168.0.0             192.168.31.255        /19      255.255.224.0      13              8,192
172.16.0.0              172.31.255.255        /12      255.240.0.0        20              1,048,576
10.0.0.0                10.255.255.255        /8       255.0.0.0          24              16,777,216

Table 3.1  Typical IPv4 LAN Addressing Capabilities (in each block the first address is the network address and the last is the broadcast address, so the number of devices is two less than the number of addresses)
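The /prefix arithmetic from the masking discussion above and the rows of Table 3.1 can be checked with a few lines of code.  The following is an added example, not part of the original article: it derives the netmask, broadcast address, host bit count and address counts from a CIDR string with Python's standard ipaddress module and tests an address against the three RFC 1918 private ranges.  The sample addresses passed in at the bottom are made up for the example.

```python
import ipaddress

# Added example, not from the original article: subnet parameters from a
# prefix length, and an RFC 1918 private-range check.

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def prefix_to_mask(prefix: int) -> str:
    """/prefix -> dotted netmask: the top `prefix` bits set, counted from the left."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def is_rfc1918(addr) -> bool:
    """True if the address falls in 10/8, 172.16/12 or 192.168/16."""
    a = ipaddress.IPv4Address(str(addr))
    return any(a in block for block in RFC1918)


def subnet_summary(cidr: str) -> dict:
    """Network, broadcast, mask, host bits and address counts for a CIDR block.

    strict=False lets a host address such as 192.168.1.20/24 stand in for its network.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = 32 - net.prefixlen
    total = 2 ** host_bits
    # The all-zeros (network) and all-ones (broadcast) host values are not
    # assignable to devices; /31 and /32 are the point-to-point exceptions (RFC 3021).
    usable = total - 2 if net.prefixlen <= 30 else total
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "host_bits": host_bits,
        "total_addresses": total,
        "usable_addresses": usable,
        "private": is_rfc1918(net.network_address),
    }


if __name__ == "__main__":
    # Reproduces the rows of Table 3.1 plus one public address for contrast (sample values).
    for cidr in ("192.168.1.0/24", "192.168.0.0/19", "172.16.0.0/12", "10.0.0.0/8", "8.8.8.8/32"):
        print(cidr, subnet_summary(cidr))
    print("/8 mask is", prefix_to_mask(8), "and /24 mask is", prefix_to_mask(24))
```

The last line is the check behind the masking paragraph: a /8 is 255.0.0.0, and a 192.168.x.0 LAN with mask 255.255.255.0 is a /24.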

Consider each arrow as a single packet of information (about 1500 bytes, the Ethernet maximum) trying to get to the global Internet on its way to the destination.  The load doubles when many devices are also trying to receive data at the same time.  This is one of the main issues with IPv4 NAT setups, especially for sites hosting web servers that have to handle large amounts of data in both directions with many users.  For ISP connections like DSL with 1 Megabit/sec (1 Mbps) for both Downlink/Uplink the response can be very slow.  Many cable ISP connections average 5 Mbps for both Downlink/Uplink, which is a bit better.  As an example, a typical home/SOHO connection is something like 10 Mbps/3 Mbps Down/Up.  For an average family of four, two children and two adults, we would have four smart phones, four desktops or laptops, two game stations and a connected home theater.  Say two are on game stations, two are on laptops or desktops browsing the Internet, and the home theater is streaming video: that is five active devices sharing the link at the same time.  The link is shared, so the throughput per device is roughly 10 Mbps / 5 = 2 Mbps down and 3 Mbps / 5 = 600 kbps up.  For DSL it would be about 200 kbps down and up per device.  For streaming video this is right at the critical speed, and if there is any large transfer on the network you will see the picture freeze intermittently.

      
Figure 3.3  Typical IPv4 Router Traffic Bottle Neck

IPv6 EUI-48, EUI-64 addresses
Now that we understand how the MAC-48 (EUI-48) address interacts with IPv4 we will cover how the EUI-48 address interacts with the IPv6 addressing scheme.  We will take a short refresher from Part-2 on the IPv6 address format.  IPv6 is a 128 bit address scheme, shown in Figure 3.4, grouped into eight 16 bit blocks (two octets each) written in hexadecimal (0000-FFFF) and separated by colons.  This gives eight groups of 16 bits in hex, for example FD76:938C:03FF:51D3:0000:0000:00D3:000E.  This does get cumbersome at times, so IPv6 has format shortcuts for displaying the address: one run of consecutive all-zero groups may be replaced by a double colon, so 0000:0000:0000:0000:0000:0000:0408:0833 may be written as ::408:833.  Leading 0s in each group are also dropped, so the address 00EF:0938:00FF:0513:0000:0000:000D:000E may be written as EF:938:FF:513:0:0:D:E or, using the double colon once, EF:938:FF:513::D:E.  The size of IPv6 is huge: 2^128, or about 340 x 10^36 (340 billion, billion, billion, billion, or 340 undecillion) addresses.

Figure 3.4  IPv6 Address Scheme 128 bit Format

OK, what does this have to do with the MAC address?  Everything.  The IEEE name for the MAC address is EUI (Extended Unique Identifier), and it comes in two widths: EUI-48, the 48 bit address burned into today's Ethernet and WiFi controllers regardless of IP version, and EUI-64, the 64 bit form that IPv6 uses as the size of its Interface Identifier, the lower half of the 128 bit address.  The EUI-64 format in Figure 3.5 adds 16 bits: the OUI (Organizationally Unique Identifier) is still 24 bits and the hardware Interface ID is extended by 16 bits to yield a 40 bit Hardware Interface Identifier.


Figure 3.5 EUI-64 Extended Unique Identifier Format

Since EUI-48 hardware will be around for a long time, a conversion was defined so the two EUI widths work together seamlessly.  To convert an EUI-48 to the 64 bit Interface Identifier that IPv6 uses (RFC 4291 calls it the Modified EUI-64 format) we split the EUI-48 into two 24 bit blocks, insert the two octets FF FE between them, and invert the U/L bit, which is bit 1 (value 0x02, the second least significant bit) of the most significant octet, as shown in Figure 3.6; then we write the result in IPv6 hex format as shown in Figure 3.7.  The EUI-48 AC:DE:49:23:45:67 maps to the Interface Identifier AEDE:49FF:FE23:4567.  The inverted bit is what makes the format "modified": in the IEEE EUI a 0 in that position means universally administered (burned in by the manufacturer), while in the IPv6 Interface Identifier a 1 means universally administered.  So the 1 in AE identifies this as a real burned in hardware ID, and an identifier chosen locally or at random carries a 0 there.  At this time it is important to realize that a device's EUI-64 identifier can become the lower 64 bits of its IPv6 address, combined with the prefix the router advertises, and that is how the device gets a working IPv6 address without anyone assigning one.  The remaining control bits shown in Figure 3.6 are used to identify specific addressing functions, which we will address in the security and hardware communications section of the series.


Figure 3.6 Mapping EUI  Locally Administered ID  b1=1

So the Ethernet EUI-48 address AC:DE:49:23:45:67 converts to AEDE:49FF:FE23:4567 for the lower 64 bits of an IPv6 address, shown in Figure 3.7, called the Interface Identifier, which the device combines with the prefix it learns from the router.  On the link-local prefix FE80::/64, which every IPv6 interface uses on its own segment, it would become FE80::AEDE:49FF:FE23:4567.  (FE80::/10 is the link-local range; the ULA private range discussed in Part-2 is FC00::/7, in practice FD00::/8, and the same Interface Identifier follows a ULA prefix in the same way.)


Figure 3.7 Mapping EUI-48 To EUI-64 Locally Fixed Hardware ID

When a smart phone or any other device builds its Interface Identifier from its hardware EUI-48 this way, that identifier is carried in the source address of every packet it sends, on every network it joins, and may be tracked easily with IP tracking software; another discussion for the security part of the series.  Here is the difference between the two addressing schemes: in IPv4 the EUI-48 stays on the private LAN and is not routed out by the router to the Internet.  In IPv6 an EUI-64 derived identifier becomes part of the global address itself, so it leaves the end user's local router and is visible to the ISP and to every destination the device talks to.  This means that devices on an IPv6 point to point connection can be identified outside the private network, and the user has less control over what identifies the device than behind an IPv4 NAT.  As we progress through the series we will identify these differences and create a methodology for our core platform that gives the user more control.
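The EUI-48 to Interface Identifier conversion above, and the tracking concern that follows from it, as an added Python example that is not part of the original article.  It performs the RFC 4291 conversion (insert FF FE, invert the U/L bit), places the result under a link-local, ULA or global /64 prefix, generates a random privacy-style identifier for comparison, and recovers the hardware address from any IPv6 address whose identifier was derived this way, which is exactly the check an observer performs to track a device.  AC:DE:49:23:45:67 is the article's example address; the ULA and 2001:db8 prefixes are made-up documentation values.

```python
import ipaddress
import secrets

# Added example, not from the original article: EUI-48 -> Modified EUI-64
# Interface Identifier (RFC 4291 Appendix A), address formation under a /64,
# and the reverse lookup an observer uses to pull the hardware address back
# out of an IPv6 address.


def parse_eui48(mac: str) -> bytes:
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"bad EUI-48: {mac}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """Split the EUI-48, insert FF FE, invert the U/L bit (0x02 of the first octet)."""
    m = parse_eui48(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02   # in the modified form, U/L = 1 means universally administered (burned in)
    return bytes(iid)


def random_iid() -> bytes:
    """Privacy-style identifier (RFC 4941): 64 random bits with U/L cleared, so it
    claims only local scope and carries no manufacturer or serial information."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD   # clear the U/L bit (0x02)
    return bytes(iid)


def address_from(prefix: str, iid: bytes) -> str:
    """Place a 64 bit identifier into the low half of a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 identifiers need a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def iid_to_text(iid: bytes) -> str:
    """Four hex groups, the way the article writes AEDE:49FF:FE23:4567 (lower case here)."""
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))


def recover_mac(addr: str):
    """If the Interface Identifier looks EUI-48 derived (FF FE in the middle and the
    universal bit set), return the burned-in MAC; otherwise None."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe" or not (iid[0] & 0x02):
        return None
    m = bytearray(iid[:3] + iid[5:])
    m[0] ^= 0x02     # undo the inversion to get the original first octet back
    return ":".join(f"{b:02x}" for b in m)


if __name__ == "__main__":
    iid = modified_eui64("AC:DE:49:23:45:67")
    print("interface id   ", iid_to_text(iid))
    print("link-local     ", address_from("fe80::/64", iid))
    print("ULA (made up)  ", address_from("fd12:3456:789a:1::/64", iid))
    glob = address_from("2001:db8:1:2::/64", iid)           # documentation prefix
    print("global         ", glob, "->", recover_mac(glob))  # the tracker's view
    priv = address_from("2001:db8:1:2::/64", random_iid())
    print("privacy address", priv, "->", recover_mac(priv))  # None: nothing to recover
```

The last two lines are the security point in one place: the same device under the same prefix is either identifiable by its NIC serial from anywhere on the Internet, or not, depending only on how the low 64 bits were generated.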

OK, let's summarize at this point, because IPv6 tends to become more difficult to keep in perspective from here on.  We have covered in this part the terminology change from MAC (Media Access Control) to EUI (Extended Unique Identifier), how EUI-48 and EUI-64 are formatted, the IPv4 router capabilities and how they relate to the EUI-48 on the LAN behind NAT.  We covered the depth of IPv4 device control and the IPv4 firewall, again using NAT.  We also created a table of the addressing capabilities of an IPv4 private LAN, a scheme that has handled company sizes from a single employee to Fortune 500 companies with a very large number of network devices.  We showed that every device identifier, regardless of the IP scheme, has an associated IP address when connected to a network.  In IPv6 we use the EUI-64 as part of the full 128 bit address; if this device were attached to the link-local prefix FE80::/64 its address would be FE80::AEDE:49FF:FE23:4567, and on a ULA or global /64 prefix the same Interface Identifier follows that prefix.  The new item here is that the EUI is now part of the full IPv6 address regardless of whether the network is private or global.

IPv6 DHCPv6, SLAAC vs Stateful (Manual Device Assignments):
Handling Devices on the Private & Global Internet Bus

This section is where IPv6 separates itself from IPv4; we lose some features and gain some.  The main feature we lose is NAT.  IPv6 has way too many addresses (about 3.4 x 10^38) to need address sharing, and the IETF position is that NAT is not needed any more.  We will get back to that later in the series.  The elimination of NAT creates another concern.  The ULA (Unique Local Address) discussed in Part-2 is a "real private network" range, FC00::/7, that is not routed to the global Internet; in practice ULA prefixes are FD00::/8 followed by a random 40 bit Global ID, giving a /48 per site, for example FDxx:xxxx:xxxx::/48.  Do not confuse ULA with FE80::/10, the link-local range that every IPv6 interface configures on its own segment and that never leaves that segment.  The majority of routers that incorporate IPv6 are dual-stack routers that run IPv4 and IPv6 side by side on the same links, and each protocol is set up separately; since NAT is not designed into IPv6, NAT is only in use on the IPv4 side.  Dual-stack is different from translation mechanisms such as NAT64, which translate between the two schemes so that an IPv6-only device can reach the IPv4 Internet during the transition.  We have created a couple of block diagrams to show the functional differences of IPv4 (Figure 3.8) and IPv6 (Figure 3.9) routers.  It becomes clear that the IPv6 router is more complex when attaching devices to the Internet; however the IPv6 ULA private network functions similar to the IPv4 LAN except for the fact that there is no NAT between a device and the Internet.  This does create an issue about device control and we will be addressing that in detail as we design the core IoT platform as the series progresses.

We see that the IPv6 ULA function is separate and is not routed to the global Internet.  In our diagram the WiFi for the ULA is separate from the WiFi for the global Internet and an eight port managed switch ensures that ULA traffic is not forwarded to the global Internet.  The router configuration allows the user to select the ULA and global configurations.  Routers usually have four or eight RJ45 ports for hard wire and may feed other external switches to increase the number of wired connections.  The EUI-64 identifiers of devices connected to the ULA are maintained in a cache by each connected device's operating system, the IPv6 neighbor cache.  Where IPv4 uses ARP (Address Resolution Protocol), IPv6 uses NDP (Neighbor Discovery Protocol), which is very similar in nature and is carried in ICMPv6 messages that operate only on the local link and are never routed to other networks.  The IPv6 DHCPv6 server works similar to the DHCPv4 server in IPv4 routers, with the difference that ULA addresses it hands out are not routable to other networks or the Internet.


Figure 3.8  Typical IPv4 Router Functional Block Diagram

 

Figure 3.9  Typical IPv6 Router Functional Block Diagram

IPv6 DHCPv6 and Manual Device Assignments:
From the router functional block diagrams above we see that both the IPv4 LAN and the IPv6 ULA network allow a DHCP server and manually assigned static IP addresses on the private network.  This allows the private network to communicate with a huge number of attached devices.  The ULA becomes a truly protected private network in a development environment: local private servers are only reachable from devices on the ULA network, and outside Internet networks are completely isolated.  The DHCPv6 server is very helpful for connecting new devices over WiFi.  Static and dynamic addresses may share the same network by limiting the DHCPv6 server to a range.  Static IPs on the ULA are useful for network servers in client/server applications and are easier to manage.  To see the IP to EUI associations for each device on the link we read the operating system's neighbor cache, which NDP fills in through Neighbor Solicitation/Neighbor Advertisement exchanges (the IPv6 equivalent of ARP); on Linux the command is ip -6 neigh and on Windows it is netsh interface ipv6 show neighbors.  Router Advertisements are sent by routers, not requested by hosts, and carry the prefixes, not a device list.  Devices may be added to the ULA private network without any communication with the ISP.  An IPv6 interface carries several addresses at once, so what we need is a network control switch that presents the EUI-64 to the global side only when we want it to: the device then has one address on the isolated private ULA network and one, formed by SLAAC, on the global Internet.  This will be addressed in the platform design section of the series.

IPv6 SLAAC Device Assignments:
Here is where everything changes: the global Internet address configuration function called SLAAC (StateLess Address AutoConfiguration).  To make it as simple as possible, think of DHCP as the stateful function, where a server keeps a table of who has what, and SLAAC as the stateless function, where nobody keeps such a table.  SLAAC needs a 64 bit Interface Identifier, traditionally the EUI-64 derived from the device's EUI-48, and a /64 prefix: the router advertises the prefix and the device appends its own identifier to form the address itself, so no server assigns it.  The prefix comes down the chain from the ISP, which delegates a block to the end user's router, which in turn advertises /64s from that block on the LAN.  The local router at the end user's site lets the ULA network user keep complete control over the devices connected to the ULA network.  However, on the global side the usable prefixes are the ISP's and the address is formed automatically from whatever identifier the device presents, which is much different from the IPv4 router where the user controlled access through the MAC (EUI) address and NAT.  With IPv6 part of that control has moved to the ISP's prefix and to the devices themselves, which means the end user has less control over devices unless the router filters them.  For those who run a SOHO business and have on-line servers this becomes more difficult, since we need a fixed IPv6 address with firewall rules to control access to the server, and the end user's router would have to have EUI filtering to ensure the server is accessed only through the end user's router and not by any unknown router.  It would make sense for the ISP to also assign a block of static IPv6 addresses from their subnet router for this function.  That would allow the local end user's router to control the EUI to IP mapping locally as well as the rules that expose say a web server, e-mail server or security device; this is a stateful or manual function.  It would not be good practice for a larger group of desktops or laptops to run on static IPs, since as we have seen the number of devices grows easily in a short period of time; a small block of static IPv6 addresses, say fewer than 24, is easy to handle manually.
The ISPs that I have worked with all charge a nominal monthly fee for a block of static IP addresses; considering the addressing capability of IPv6, fixed IPs should not be an issue.  This will be an important topic when we get to the security and firewall section of the series.

The process for SLAAC is straightforward: the routers on the link send out an RA (Router Advertisement), which is a message type in NDP (Neighbor Discovery Protocol).  RAs go out periodically, and also on demand when a host that has just connected sends an RS (Router Solicitation), so that devices always have a current prefix and a current default router.  This resembles DHCP servers renewing and dropping leases depending on who is connected, with the difference that nothing is recorded on the router side, and the prefix in question is the global one, not a small private network.  What has to happen here is the device needs a 64 bit Interface Identifier to complete the full IPv6 address.  The Interface Identifier should be unique on the link, and traditionally the bottom 64 bits of the IPv6 address are generated from the EUI-64 ID; the device then checks for duplicates with a Neighbor Solicitation for the new address (DAD, Duplicate Address Detection) before using it.

This section gets to be a bit more technical, so to bring it down a notch or two before diving into the pond, look at all IPv6 commands, requests are stimuli and of course the is a response to these stimuli.  There are two sources for the stimuli, the devices operating system and the ISP router, just like clicking on say a file explorer application, the response are a listing of attributes about the storage, directories and files.  Same for the IPv6 network requests, stimulus and response, with that in mind lets move forward.  With IPv6, a DHCP server is not necessary because the ISP global subnet router handles the assignments and automatic configuration.  The process for this IPv6 function is called SLAAC (StateLess Address AutoConfiguration).  As we lightly mentioned in Part-2 it is a mechanism that when a device is connected to IPv6 it is auto configured by the host router and is able to start communicating immediately.  This is accomplished by the IPv6 routers sending out a RA (Router Advertisements) that mask bottom 64 bits (all 0s) of an IPv6 address, and hosts (ISP) router generates the bottom 64 bits themselves in order to form a complete address.  This relates an IPv6 address with a Interface Hardware ID and is used to insure the P2P data transfer completed.  Alternatively, a host may also generate its IPv6 address using a random number so its MAC(EUI) address remains hidden from the rest of the Internet.  Creating EUI-64 addresses randomly and hide the hardware EUI-64 from the Internet.  This is part of the EUI-64 control bits which we will cover this in the security and firewall section of the series. So far only the very expensive routers like Cisco® and other in that category have the more advanced capabilities and are way out of the price margin for home/or SOHO use.  
The payoff is that an application such as VoIP that starts on the home network can continue over a wireless carrier to any destination away from the home, because the device is addressed directly by its global IPv6 address rather than through a NAT.  Carriers such as Verizon, Sprint and many others are already moving voice to IP as a step toward multihoming (a device reachable through more than one network at once).  As we are experiencing, network technology is full of acronyms and this is just the beginning.  This is why we are starting with the very basics to get the concepts in perspective; then a new acronym will be easier to handle, just as in programming there are groups of common commands under different names that all perform the same function.

We will cover SOHO servers under IPv6, such as web, e-mail and database servers.  Servers are relatively straightforward with IPv4: a static IP and port forwarding through NAT.  Whoever hosts the DNS (Domain Name System) zone for the domain, whether the registrar, the ISP or a separate DNS provider, supplies a dashboard to create an A record for the IPv4 address and an AAAA record for the IPv6 address, so the entire Internet can reach the server by domain name; the name itself is registered through an ICANN-accredited registrar and the address blocks trace back to IANA.  This lets the SOHO run its own server and control the access to it, which also fits into the security and control sections of the series.

 

Summary:
The IPv6 specification is now 20 years old, so any major changes are not likely to happen any time soon.  As for NAT, after 20 years of discussion without a standard equivalent to IPv4 NAT, it is not going to happen.  That does not mean address translation will not be featured in devices some other way for convenience, control and security; the IETF did publish prefix translation, NPTv6, as experimental RFC 6296.  We have presented a basic entry level introduction to both Internet Protocol schemes in use today.  As we stated, network technology is full of acronyms to categorize network operations and we have just touched the surface, Table-3.  I talked with my ISP the other day and discussed the IPv6 fixed IP block of addresses and the number of devices I can attach to the Internet with SLAAC.  The ISP offers a /56 block of addresses using SLAAC.  The /56 means the bottom 8 bits of the subnet ID (256 /64 subnets) and the 64 bits of the Interface ID are the end user's to assign.  The ISP also offers a block of IPv6 static IP addresses for a nominal fee in blocks of 5, 12 and 24 addresses.  The static IP addresses allow port forwarding for on-line servers at the end user's site.

From this discussion we begin to see that the IPv4 firewall model is no longer sufficient for IPv6, and that a new interface approach is required in order to maintain device control, along with a more advanced firewall topology for the connected IoT devices.  What is inevitable is that IPv6 will change the security policies that exist for IPv4.

 

Acronym    Name / Description                                                Protocol
WAN        Wide Area Network                                                 IPv4 and IPv6
LAN        Local Area Network                                                IPv4 and IPv6
ULA        Unique Local Address (private network, fc00::/7)                  IPv6
NAT        Network Address Translation                                       IPv4
P2P        Peer to Peer, or Point to Point as used in this series            IPv4 and IPv6
DHCPv4     Dynamic Host Configuration Protocol                               IPv4
DHCPv6     Dynamic Host Configuration Protocol                               IPv6
SLAAC      StateLess Address AutoConfiguration                               IPv6
Stateful   Stateful address configuration (a DHCPv6 server keeps the leases) IPv6
MAC        Media Access Control address (48-bit hardware address)            IPv4 and IPv6
EUI-64     Extended Unique Identifier, the MAC expanded to 64 bits           IPv6
ARP        Address Resolution Protocol                                       IPv4
NDP        Neighbor Discovery Protocol (replaces ARP)                        IPv6
Unicast    Single end-to-end data packet transfer                            IPv4 and IPv6
Broadcast  One to all on the local network (IPv6 uses multicast instead)     IPv4
Multicast  One to many, by group membership                                  IPv4 and IPv6

Table 3.3  Update of Table 1.0 Basic IP Acronyms

In the next part of the series we will address the global and ULA private networks and the protocols used to configure and control devices on IPv6.  This will bring us another step forward in characterizing our IoT core platform as a dual mode IPv4 or IPv6 network device.




Publishing this series on a website or reprinting is authorized by displaying the following, including the hyperlink to BASIL Networks, PLLC either at the beginning or end of each part.
BASIL Networks, PLLC - Internet of Things (IoT) - Security, Privacy, Safety - The Information Playground Part-3: IPv4,IPv6 DHCP, SLAAC and Private Networks: (November 25, 2016)

For Website Link: cut and paste this code:

<p><a href="https://basilnetworks.com/Blog/index.php?op=ViewArticle&articleId=4&blogId=1" target="_blank">BASIL Networks, PLLC - Internet of Things (IoT) - Security, Privacy, Safety - Platform Development Project Part-3 - IPv4,IPv6 DHCP, SLAAC and Private Networks: (November 25, 2016)</a></p>

 

Sal (JT) Tuzzo - Founder CEO/CTO BASIL Networks, PLLC.
Sal may be contacted directly through this site's Contact Form or
through LinkedIn

Internet of Things (IoT) -Security, Privacy, Safety-Platform Development Project Part-2

saltuzzo | 11 November, 2016 09:24

Part 2: IPv4 and IPv6:
The Ins and Outs of IP Internet Addressing

“Creativity expands the mind, stretches it beyond ordinary human comprehension, resulting in the mind being elastic and capable of transcending and discerning complex ideas.” - Michael Bassey Johnson

Part 1 Introduction - Setting the Atmosphere for the Series (September 26, 2016)
Part 3 IPv4, IPv6 DHCP, SLAAC and Private Networks - The Automatic Assignment of IP Addressing (November 24, 2016)
Part 4 Network Protocols - Network, Transport & Application (January 10, 2017)
Part 5 Network Protocols - Network, Transport & Application -Continued (Aug 17, 2017)
Part 6 Network Protocols - Network, Transport & Application -Continued -Ethernet Protocol (Sept 21, 2017)
Part 7 Network Protocols - Network, Transport & Application -Continued -The CRC-32 and Checksums (Nov 23, 2017)
Part 8 IoT Core Platform - SoC Core Processor of Embedded Systems (Jan 12, 2018)
Part 9 IoT Core Platform - SoC Core Processor of Embedded Systems -Vulnerabilities (Mar 16, 2018)
Part 10 IoT Core Platform - SoC Core Processor of Embedded Systems -Documentation Management (Apr 5, 2018)
Part 11 IoT Core Platform - SoC Core Processor of Embedded Systems -Documentation Management Processes (June 27, 2018)
Part 12 IoT Core Platform - IoT Core Platform - Product Design -Creating Conceptual Design Documentation (July 29, 2018)
Part 13 IoT Core Platform - Peripheral Interface Devices - Peripheral Design From the Beginning (Oct 7, 2018)
Part 14 IoT Core Platform - Peripheral I/O Development - Analog Input Peripheral Device Design (Oct 29, 2018)
Part 15 IoT Core Platform - Peripheral I/O Development - Analog Input Peripheral Device Design (Dec 7, 2018)

Lets Get Started: Quick Review to Set the Atmosphere for Part 2
From Part 1 we see there are many categories to address with IoT devices.  We will cover the legal aspects mentioned in Part 1 in our Law and Technology Blog section at another time.  Since this is an IoT design series, our objective is to create a core IoT device development platform, from the basics to the complex, complete and ready to be implemented, incorporating full security and end user control, and compatible with both IPv6 and IPv4.  BASIL Networks, PLLC always encourages education and growth through understanding the sciences.

As stated in Part 1, the diminishing pool of IPv4 Internet addresses was the catalyst for the development of IPv6.  Running both versions side by side has created a lot of difficulty in understanding what is unique to IPv4 versus IPv6, what parts of IPv4 will be discontinued, and how this affects the privacy of the IPv4 and IPv6 customer base.  Where this becomes an issue is converting the home and SOHO network, which is primarily IPv4, over to IPv6.  The IPv6 specification, RFC 1883, was published in December 1995, so IPv6 is at its 20th anniversary; as of 2016 about 15% of the total global Internet has converted to IPv6, with the USA over 35% at this time.  To put that in perspective, the US government set a mandate that federal agencies, DoD and civilian, upgrade to IPv6 by 2008.  That was eight years ago, and the majority of ISPs (Internet Service Providers) have upgraded at least several of their servers so they meet the requirement.  However, the majority of businesses, SOHO and family home networks are still running IPv4.  There are many published articles outlining the pros and cons of making the transition now; it has only been 20 years.  We will address how this transition affects the privacy of home and SOHO networks and how much time remains before a mandatory change is imminent.  We are still in the fact-gathering, educational stage of this series, categorizing the unique characteristics of IPv6 and IPv4 in order to create our TSD (Technical Specification Document), the guide for designing our core IoT development platform.

IPv4 - IPv6: Information Highway Bubble
In this part of our IoT design series we will be covering the basics of IP (Internet Protocol) addressing, how it works and why it is exposed to anyone who wants to listen in on the global Internet "Information Highway".   Do not worry about this being too technical to understand; for those just beginning to understand IP network technology we will relate it to things you already understand and do naturally.  Those more technical, myself included, will find this a refreshing review; I hope you will too.

IANA and ICANN: Internet Core Basics
Everything on the Internet "Information Highway" is identified by a number: an IP address on both ends is required for communication, just like cell phone numbers, building addresses and so on, so information flows from Point A to Point B.  TCP/IP (Transmission Control Protocol / Internet Protocol) is an end-to-end protocol, which this series refers to as Point to Point (P2P); do not confuse this with peer-to-peer file sharing.

There are two major organizations that manage the Internet Protocol throughout the entire Internet: IANA (Internet Assigned Numbers Authority) and ICANN (Internet Corporation for Assigned Names and Numbers).
IANA - Internet Assigned Numbers Authority allocates the global pools of IPv4 and IPv6 addresses to the five Regional Internet Registries, which in turn assign blocks to the Internet Service Providers.   This ensures that each public IP address is unique, as the end-to-end TCP/IP model requires.
ICANN - Internet Corporation for Assigned Names and Numbers coordinates the DNS root zone and accredits the domain registrars through which names are registered; the IANA functions are operated by ICANN.   A domain name is mapped to an IP address by its DNS records (an A record for IPv4, an AAAA record for IPv6); many names may share one IP address and one name may have several.

A Simply Analogy To Understanding The IP Address:
Before we get too technical with IPv4 and IPv6, let's look at something similar that we use and understand in our everyday lives.  Say you want to mail a package to a person in another state, and what is interesting is that the house number and street name are the same as yours, yet the package is delivered without issue.  Great, let's break this down to see how this works.  To start we will assign some labels to the postal delivery path; here in the USA the ZIP Code is used, and since each State has its own Postal ZIP Codes this gets the package to a local county region, from where the postal delivery agent identifies the street name and number and delivers the package.  Simple table below.

Address From Point A                 Address To Point B
ZIP Code, State Prefix               ZIP Code, State Prefix
ZIP Code, City Prefix                ZIP Code, City Prefix
ZIP Code, County                     ZIP Code, County
Street Number and Street Name        Street Number and Street Name

So now we have the P2P map for the delivery of the package.  We can easily convert this delivery system to a numerical one with four levels, which for the analogy we will call Class A, B, C and D.  (These are the analogy's hierarchy levels only; do not confuse them with the historical IPv4 address classes A-D, which were ranges picked out by the first bits of an address and were replaced by classless CIDR prefixes in 1993.)  This is now a global number system that is independent of country.   Fortunately the global populace has been using the various postal systems for several centuries now and has integrated them into everyday knowledge.  It has done the same with usable technology, and now we are extending that level of knowledge with the integration of IPv4 and IPv6.  We use the Internet without thinking about how it actually functions, the same as we mail a package.  Somewhere in the back of our minds we do understand how it works; we just do not think about it, we apply it.   The table below connects the dots between ZIP Codes and the levels of an IP address and crosses that analogy bridge.  The levels are the same for IPv4 and IPv6; what differs is the number of bits, and therefore addresses, in each level, as we will clearly see.

Postal Map                       Class ID    IPv4           IPv6
Zip Code, State Prefix           Class A     Prefix         Prefix
Zip Code, City Prefix            Class B     GlobalID       GlobalID
Zip Code, County                 Class C     SubnetID       SubnetID
Street Number and Street Name    Class D     InterfaceID    InterfaceID

Ok, we have now reached the actual house of the destination and delivered the package.  We open the package and find a gift for the kitchen, so let's go one step further and label the rooms in the house with a numerical identity as well, the PortID.  We will address the PortID later on; let's focus on the addressing part first, since the PortID is an add-on to the addressing.

Relating this postal map and its levels to the IP addressing scheme is a lot easier when there is an analogy to something we understand.   Since the Internet deployed a 32 bit protocol yielding four billion (4,294,967,296 = 2^32) P2P addresses, running out was not really considered probable at the time IPv4 was deployed.  Yet within less than 10 years of IPv4's deployment in the late 70's and early 80's, growth made the limitation obvious, and IANA's free pool of IPv4 addresses was exhausted in 2011.  Looking at world population and growth it now seems a simple thought that four billion addresses would run out when there are over 7 billion people on the planet; growth was the catalyst that started the development of IPv6.  Now that we are at this point, let's look at the two protocols, IPv4 and IPv6, and how they differ.

As we see, postal codes globally were developed on an as-needed basis and each country created its own way of coding.  The world was populated by many before the "Information Highway" was organized, and it was easy to see that a straight numerical system would be easier to manage globally.  The 32 bit IPv4 address is written as four octets separated by periods, each 0-255 in decimal (00-FF in hexadecimal), for example 255.123.255.255; the historical classes A, B, C and D were defined by the leading bits of the first octet.  As an example, this website is registered with ICANN as "basilnetworks.com" and points to the IPv4 address 64.139.76.51.  IPv4 writes each octet in decimal; as we move to IPv6 this changes to hexadecimal, and the same four octets written as IPv6 groups become 408B:4C33.  Figure 1.0 shows the IPv4 addressing.  Today's number of registered domain names is in the hundreds of millions and growing.

Figure 1.0 IPv4 basilnetworks.com IP Address (image: IPv4_Addressing)

Switching to the IPv6 Address:
IPv6 is a 128 bit address grouped into eight 16 bit blocks (two octets each) written in hexadecimal (0000-FFFF) and separated by colons, for example FD76:938C:03FF:51D3:0000:0000:00D3:000E.  This gets cumbersome at times, so IPv6 has two shortcuts for displaying an address.  Leading zeros within a group may be dropped, so the address above may be written FD76:938C:3FF:51D3:0:0:D3:E.  One run of consecutive all-zero groups may be replaced by a double colon, and this may be done only once per address, so 0000:0000:0000:0000:0000:0000:0408:0833 may be written ::408:833 and the address above may be written FD76:938C:3FF:51D3::D3:E.  The size of IPv6 is huge: 128 bits gives 2^128, about 340×10^36 (340 billion, billion, billion, billion) addresses, a bit more than IPv4 and enough for many devices.  Great, the addressing issue with the Internet is fixed, so what changed in order to obtain this huge address?
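The two shorthand rules just described, as an added worked example (this is not code from the original post): expand any IPv6 literal into its eight 16 bit groups and compress it back following RFC 5952, which pins down the choices the rules leave open (lowercase hex, the longest zero run gets the double colon, the leftmost on a tie, and never a single group). The parser also accepts a trailing dotted-quad IPv4 address, the form that appears later in the dual-stack discussion. All input strings are constructed samples; the FD76 address is the one used in the text.

```python
"""Added example, not code from the original post: IPv6 text notation by hand.
expand_ipv6 parses a literal into eight integers; compress_ipv6 writes the
RFC 5952 canonical form; canonical does both."""
import string


def expand_ipv6(text: str) -> list:
    """Parse an IPv6 literal into eight integers (one per 16-bit group).
    Accepts one '::' and an embedded dotted-quad IPv4 in the last position."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    head, sep, tail = text.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    parts = left + right
    if parts and "." in parts[-1]:
        # '::ffff:64.139.76.51' style: the dotted quad stands for the last two groups
        quad = [int(x) for x in parts[-1].split(".")]
        if len(quad) != 4 or not all(0 <= x <= 255 for x in quad):
            raise ValueError("bad embedded IPv4 address")
        side = right if right else left
        side[-1:] = [f"{quad[0]:02x}{quad[1]:02x}", f"{quad[2]:02x}{quad[3]:02x}"]
        parts = left + right
    for p in parts:
        if not 1 <= len(p) <= 4 or not all(c in string.hexdigits for c in p):
            raise ValueError(f"malformed group {p!r}")
    fill = 8 - len(parts)                      # groups the '::' must stand for
    if sep and fill < 1:
        raise ValueError("'::' must stand for at least one zero group")
    if not sep and fill != 0:
        raise ValueError("expected 8 groups")
    return [int(p, 16) for p in left] + [0] * fill + [int(p, 16) for p in right]


def compress_ipv6(groups: list) -> str:
    """RFC 5952 section 4: lowercase hex, no leading zeros, and '::' for the
    longest run of zero groups (leftmost on ties, never for a single group)."""
    if len(groups) != 8 or not all(0 <= g <= 0xFFFF for g in groups):
        raise ValueError("need eight 16-bit groups")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:               # strict '>' keeps the leftmost run on a tie
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def canonical(text: str) -> str:
    """Normalize any accepted spelling of an address to its RFC 5952 form."""
    return compress_ipv6(expand_ipv6(text))


if __name__ == "__main__":
    for sample in ("FD76:938C:03FF:51D3:0000:0000:00D3:000E",
                   "0000:0000:0000:0000:0000:0000:0408:0833",
                   "::ffff:64.139.76.51",
                   "2001:db8:0:0:1:0:0:1"):
        print(f"{sample:45} -> {canonical(sample)}")
```

Canonicalizing before comparing is the security-relevant habit here: a firewall rule or allow-list that matches address strings textually will miss FD76:938C:03FF:51D3:0:0:D3:E when the rule was written as fd76:938c:3ff:51d3::d3:e, even though they are the same address.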

Figure 2.0  IPv6 IP 128 Bit Address Assignments (image: IPv6_ClassAdr)

IPv4 Network Address Translation (NAT) verses IPv6 Unique Local Addressing (ULA)
IPv4 Private Networks: LAN (Local Area Network)
Here is where it starts to differ and become a bit more technical.  IPv4 uses a technique called NAT (Network Address Translation): one global IP address is shared by a block of private addresses on the LAN (Local Area Network), with the router rewriting addresses and ports on every packet that crosses between them.  It was created to stretch the IPv4 address range so addresses would not run out too soon.  NAT became the standard and allows several devices to be controlled and still have access to the global Internet.  However, translating every packet costs connection state and software overhead, and protocols that carry addresses inside their payload or need direct end-to-end reachability, such as VoIP and streaming protocols, need NAT traversal helpers (STUN, application gateways) at the expense of throughput and simplicity.  The private ranges behind NAT are reserved by IANA in RFC 1918: 10.0.0.0-10.255.255.255 (10.0.0.0/8), 172.16.0.0-172.31.255.255 (172.16.0.0/12) and 192.168.0.0-192.168.255.255 (192.168.0.0/16).  These addresses are never routed on the global Internet; a packet addressed to one of them from outside is simply dropped, which is what keeps the LAN side isolated and lets the router control all transfers to and from the global Internet or WAN (Wide Area Network).  The 192.168.0.0/16 range through NAT (WAN↔NAT↔LAN) is the one generally used as the private internal network for the home, SOHO and business environment prior to IPv6.

Many IPv4 routers ship with a default address such as 192.168.1.1 on the 192.168.1.0/24 network in order to make initial setup easy.  The IPv6 position is that, since IPv6 provides enough addresses for every device, NAT will no longer be required and will be discontinued.  We will get to how this is handled in the following paragraphs.

IPv6 Private Networks: ULA (Unique Local Address)
Private networks in IPv6 are handled a bit differently.  IPv6 does have a local address type, the ULA (Unique Local Address, RFC 4193), which IANA has reserved as fc00::/7, that is every address whose first octet is FC or FD.  The "difference" from the IPv4 LAN is that a ULA is not translated: ULA prefixes are routable inside the site but are not routed on the global Internet, so an address like fdxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx has no path to the outside world and must always remain behind the router's global Internet transport.  IPv6 will be universally implemented over time and is moving toward the home network environment slowly; this will accelerate as providers upgrade to IPv6.  Providers like Comcast®, Cox®, Time Warner® and many others are already providing IPv6 connections to their customers.  Keep in mind that the majority of home networks are still IPv4, and requiring them to upgrade to IPv6 may cause privacy issues as well as incompatible hardware and software issues at this time.  Figure 2.1 shows the IPv6 128 bit addressing format.  The L bit is the least significant bit of the top octet and indicates who assigned the ULA prefix: L = 1 (first octet FD) means locally assigned, the only form currently defined, while L = 0 (first octet FC) is reserved for a possible future centrally assigned scheme.  Neither FC nor FD is a global Internet address; global unicast addresses come from 2000::/3 (first hex digit 2 or 3).  Figure 2.0 above shows that the IPv6 address range is large enough to handle all the devices that may be connected globally to the Internet.

Figure 2.1 IPv6 Protocol Address Range (image: IPv6_ADR)

At this point we should be asking about the privacy issues and device control with IPv6.  Since the IPv4 NAT is no longer required to translate a block of local addresses in the IPv6 protocol then the devices connected are either totally blocked using ULA or globally routed Internet devices.   The website IPv6 covers everything you ever want to know about IPv6, technical and general, we will be utilizing the technical data for the later parts of this series.

Many medium to large businesses have already made the conversion to IPv6, but most still run a dual IPv4/IPv6 system.  Dual stack, outlined in RFC 2893 (since replaced by RFC 4213), means every host speaks both protocols and picks one per connection; no translation between the two takes place.  Related to it is the IPv4-mapped IPv6 address defined in RFC 4291: an 80-bit prefix of zeros, 16 bits of ones, and the 32-bit IPv4 address in the least significant bits, so basilnetworks.com becomes ::FFFF:64.139.76.51 or, in full hex groups, 0:0:0:0:0:FFFF:408B:4C33 (64.139.76.51 in hex = 408B:4C33).  Figure 2.2 shows the layout.  Mapped addresses are how a dual-stack socket presents an IPv4 peer to an IPv6 application; they are never sent on the wire as IPv6 packets, so a browser given http://[0:0:0:0:0:FFFF:408B:4C33]/ (note the brackets enclosing the IPv6 literal) will either connect over IPv4 if the platform allows it or refuse.  Reaching the site over IPv6 requires a real IPv6 address published in an AAAA record; over IPv4 it is simply http://64.139.76.51/.  Dual stack has been argued to introduce more security threats, since hosts can be attacked from both IPv4 and IPv6 and a firewall that filters only IPv4 leaves the IPv6 side open, but it is the better implementation during the IPv4 to IPv6 conversion and is the interim fix being used for the transition.
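To make the ranges from the last three sections concrete, here is an added example (not code from the original post) that classifies an address the way a dual-stack firewall rule set has to: RFC 1918 private IPv4, IPv4 link-local and loopback, IPv6 ULA with the L bit separating the usable fd00::/8 from the reserved fc00::/8, IPv6 link-local, IPv4-mapped and global unicast. It also builds a ULA /48 prefix in the RFC 4193 layout. The sample addresses in main() are constructed; 64.139.76.51 and its ::ffff: mapped form are the ones from the text. Only the Python standard library ipaddress module is used.

```python
"""Added example, not code from the original post: scope classification for
the IPv4 and IPv6 ranges discussed above, using the standard ipaddress module."""
import ipaddress
import secrets

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL_V4 = ipaddress.IPv4Network("169.254.0.0/16")
ULA = ipaddress.IPv6Network("fc00::/7")          # RFC 4193, whole ULA block
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")    # L bit = 1, the only form defined
LINK_LOCAL_V6 = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify(text: str) -> str:
    """Return a short scope label for an IPv4 or IPv6 address string."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        if addr.is_loopback:
            return "ipv4 loopback"
        if addr in LINK_LOCAL_V4:
            return "ipv4 link-local"
        if any(addr in net for net in RFC1918):
            return "ipv4 rfc1918 private (needs NAT to reach the Internet)"
        return "ipv4 global"
    if addr.is_loopback:
        return "ipv6 loopback"
    if addr.ipv4_mapped is not None:
        return f"ipv4-mapped ({addr.ipv4_mapped}): API form of an IPv4 peer, not routed as IPv6"
    if addr in LINK_LOCAL_V6:
        return "ipv6 link-local (never forwarded by a router)"
    if addr in ULA_LOCAL:
        return "ipv6 ULA, locally assigned (fd00::/8): routable in the site, not on the Internet"
    if addr in ULA:
        return "ipv6 fc00::/8: reserved ULA space (L bit = 0), not for use"
    if addr in GLOBAL_UNICAST:
        return "ipv6 global unicast"
    return "ipv6 other/reserved"


def ula_l_bit(text: str) -> int:
    """The L bit is the least significant bit of the first octet (fc -> 0, fd -> 1)."""
    addr = ipaddress.IPv6Address(text)
    if addr not in ULA:
        raise ValueError("not a ULA")
    return (int(addr) >> 120) & 1


def make_ula_prefix(global_id: bytes = None) -> ipaddress.IPv6Network:
    """RFC 4193 ULA prefix: fd | 40-bit Global ID | 16-bit Subnet ID | 64-bit IID.
    The RFC's reference algorithm hashes time and an EUI-64; any well
    distributed random 40 bits is acceptable, so a CSPRNG is used here."""
    if global_id is None:
        global_id = secrets.token_bytes(5)
    if len(global_id) != 5:
        raise ValueError("Global ID is 40 bits")
    prefix = (0xFD << 120) | (int.from_bytes(global_id, "big") << 80)
    return ipaddress.IPv6Network((prefix, 48))


if __name__ == "__main__":
    samples = ("192.168.1.20", "172.32.0.1", "64.139.76.51", "::ffff:64.139.76.51",
               "fd12:3456:789a::1", "fc00::1", "fe80::1", "2001:db8::1")   # constructed
    for s in samples:
        print(f"{s:22} {classify(s)}")
    print("fresh ULA /48:", make_ula_prefix())
```

The ordering of the checks matters: a mapped address and a loopback address would both fall through to "other/reserved" if tested after the range checks, and 172.32.0.1 shows why the /12 mask is used for the 172 range rather than a first-octet match.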

Figure 2.2 IPv6-IPv4 Dual Stack Mapped Protocol Address Range (image: IPv6_IPv4_Stack)

Network Privacy Conundrum: “The Big Deal”
As we see, the address space grows from 32 bits in IPv4 to 128 bits in IPv6, that is 2^96 (roughly 8×10^28) times larger.  The issue with the transition to IPv6 is the elimination of IPv4 NAT and the new requirements for privacy and security that come with it.  TCP/IP is a layered protocol suite (often described against the OSI, Open Systems Interconnection, reference model) that is just a transport agent for data from point to point.  Privacy and security are the responsibility of the user; TCP/IP just transports data.

Device privacy, that is blocking a device from the global Internet within an IPv4 network, is controlled by a firewall that is generally integrated into the router.  There are many choices of IPv4 router on the market today and will be for some time.   Some ISPs, like Comcast®, supply the router, while others allow you to supply your own.  Either way, the majority of these IPv4 routers come with a decent if not robust firewall.  Blocking a single device like a printer from Internet access outside the IPv4 LAN is an easy task for the IPv4 firewall: add the device's IP address to the firewall security policy for outbound and inbound traffic, and only devices on the LAN will have access to it, while the other devices on the LAN that are not blocked are translated and have access to the global Internet.  If the user later decides to allow the printer to be reached from the global Internet, the block is simply removed from the firewall and the router completes the gateway communications from the LAN to and from the WAN.

The IPv6 protocol does not include NAT as in IPv4; what IPv6 incorporates is a private address class called ULA (Unique Local Address), and a ULA is "not routable" on the global Internet, unlike the IPv4 NAT-LAN which is reachable through translation.  There is no NAT in IPv6 directly, which brought an interesting challenge to the Internet Engineering Task Force (IETF) to solve.  For the time being the challenge is answered by running IPv6 and IPv4 dual-stack until all systems are upgraded to IPv6.   The dual stack will remain in use for some time since less than 20% of the global Internet is IPv6.  The major players like Comcast®, Time Warner® etc. use dual-stack IPv6/IPv4 in order to accommodate the millions of family and SOHO accounts that are still on IPv4 networks.

Summary IPv4:
In IPv4 we used one IP address through NAT, and the user could assign, without ISP involvement, up to 254 devices on each /24 subnet (more with a larger private subnet) and control whether each device was blocked from the global Internet with a simple security policy in the integrated firewall.  NAT's flexibility comes with a throughput cost, since additional software is required to translate between the LAN and the WAN.  In IPv6 a device is either on the global Internet "or" on the ULA private network, which is not routed to the global Internet; a device may hold both kinds of address at once, which a firewall policy must take into account.   IPv6 routers with integrated firewalls are still being developed and are limited in accommodating the full capabilities of IPv6 at this time.  This will change over time as the demand to upgrade to IPv6 grows.

The IPv6 ULA Challenge: User Control of the IPv6 IoT Devices
On the positive side, a device that has only a ULA address is unreachable from the global Internet because its prefix is never routed there, which removes one avenue of outside control of IoT devices inside the home/SOHO network.  It is not an "ultimate" protection, however: anything else on the local network, including a compromised phone or laptop that also holds a global address, can still reach the device, so the ULA side still needs local access control.  If any device needs to be on the global Internet in any way, it has to carry a separate global IP address, and its traffic must be kept apart from the ULA private network.

On the not so positive side of the challenge, IPv6 allows every device to be connected to the global Internet, which is the intent of IPv6.  Globally connected devices can talk to each other and be monitored without translating addresses through a router (NAT) or a special Application Level Gateway (ALG).  Having every device publicly addressable is the future that IPv6 communications plans for, and this is where the privacy issues appear and have to be addressed.  Imagine someone in another country being able to view your environment, or the vulnerability of being hacked and having your thermostat turned off in sub-zero weather in the middle of the night.

Summary IPv6: Device Control with IPv6 On-Line:
Ideally, devices connected to the IPv6 ULA communicate with any other device or controller on the ULA and are completely isolated from the global Internet.  To actively control a device connected to the IPv6 global Internet, a firewall rule set for that specific address is required to control access from other devices or unwanted hackers; for IPv6 that means stateful filtering on the router that denies unsolicited inbound connections by default, the behaviour RFC 6092 recommends for home gateways, rather than relying on NAT as an accidental firewall.  Keep in mind that the breaches you read about also have very expensive firewalls.  IPv6 firewalls for the home and SOHO are still being developed; some of the IPv6 routers available have limited firewall capabilities.  This is expected to change over time, since the market is huge and competition will force the development of more robust firewalls.  We will cover firewalls and device control later in the design series.  At this time we are just categorizing the issues we have to take into account for the development platform.

IP Address Ports:  How they are used with the IP Address
We are now ready to bring up the PortID again.  Remembering the package delivered to the house with a gift for the kitchen, you would want to put it in the kitchen, its PortID.  A little about IP ports: there are 65,536 of them (0-65535, that is 2^16) per transport protocol for each IP address, like having a house with 65,536 nooks, rooms and little places to put things.  The complete list of assignments is the IANA Service Name and Transport Protocol Port Number Registry.  Ports are used for directing data traffic of a specific type, such as downloading a file using HTTP on port 80 or FTP on port 21.  Since each IP address has 65,536 ports it can handle multiple tasks at once: a web server on HTTP listens on PortID 80 and a mail server (POP3) on PortID 110, and data for each service travels only through its assigned PortID.  Port usage has not changed from IPv4 to IPv6; the only difference is the notation, because an IPv6 address already contains colons.  IPv4 writes the port after a colon at the end of the address, 64.139.76.51:21 for the FTP port on a server (ftp://64.139.76.51:21 as a URL).  IPv6 encloses the address in square brackets and puts the colon and port after the closing bracket: [0:0:0:0:0:FFFF:408B:4C33]:21.  Ports are like a water pipe that serves many houses on a street; they may be turned on or off at any time, and from the firewall's point of view every open port is a door.  PortIDs are used for many device and server applications, as we will cover during the design process for our IoT core platform.
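Splitting the literal forms above into address and port, as an added example (this is not code from the original post): the IPv6 bracket rule exists because an unbracketed literal such as ::1:80 is ambiguous, and a parser that guesses is how a port ends up inside the address or vice versa. The parser below handles bare host:port and [v6]:port strings as well as URLs, refuses the ambiguous form, and bounds the port to 16 bits. The default-port table for the schemes named in the text and all sample inputs are constructed for the example.

```python
"""Added example, not code from the original post: parse 'addr:port',
'[addr]:port' and URL endpoints for both IPv4 and IPv6 literals."""
import ipaddress
from urllib.parse import urlsplit

# constructed table of default ports for the schemes mentioned in the text
SCHEME_PORTS = {"http": 80, "https": 443, "ftp": 21, "pop3": 110}


def split_host_port(authority: str):
    """'host', 'host:port', '[v6]' or '[v6]:port' -> (host, port or None)."""
    if authority.startswith("["):
        end = authority.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = authority[1:end], authority[end + 1:]
    elif authority.count(":") > 1:
        # more than one colon and no brackets: an ambiguous IPv6 literal
        raise ValueError("IPv6 literal must be written as [addr]:port")
    else:
        host, colon, port_text = authority.partition(":")
        rest = ":" + port_text if colon else ""
    if rest == "":
        return host, None
    if not (rest.startswith(":") and rest[1:].isdigit()):
        raise ValueError(f"bad port in {authority!r}")
    return host, int(rest[1:])


def parse_endpoint(text: str, default_port=None):
    """Return (ipaddress object, port) for 'addr:port', '[addr]:port' or a URL.
    The port falls back to the scheme default, then to default_port."""
    if "://" in text:
        url = urlsplit(text)
        if not url.hostname:
            raise ValueError("URL has no host")
        host, port = url.hostname, url.port         # urlsplit strips the brackets
        if port is None:
            port = SCHEME_PORTS.get(url.scheme, default_port)
    else:
        host, port = split_host_port(text)
        if port is None:
            port = default_port
    if port is not None and not 0 <= port <= 65535:
        raise ValueError("port must be 0-65535 (16 bits)")
    return ipaddress.ip_address(host), port


if __name__ == "__main__":
    for sample in ("http://64.139.76.51:21",
                   "http://[0:0:0:0:0:FFFF:408B:4C33]:21",
                   "[fd76:938c:3ff:51d3::d3:e]:110",
                   "ftp://64.139.76.51/"):
        addr, port = parse_endpoint(sample)
        print(f"{sample:40} -> {addr!s:25} port {port}")
```

Returning an ipaddress object rather than the raw string means the caller gets the mapped address recognised for what it is (addr.ipv4_mapped gives back 64.139.76.51) and cannot be handed a hostname that merely looks like a literal.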

The Family / SOHO IPv4 & IPv6 Networks: Overview
When we look at the typical IPv4 network in the home/SOHO environment, used by both family and business as shown in Figure 2.3 below, we can easily see how fast the number of devices on the network increases, and if the business starts to grow the decision to add a private e-mail and web server is put on the table.  Private web and e-mail servers give the business protection at a legal level as well as an information protection level.  Many SOHO offices do not have a web server or an e-mail server in the home, so without the SOHO servers shown in Figure 2.3 family and SOHO networks are the same; for many SOHO operations the web and e-mail servers are outsourced, generally to the ISP or some other hosting platform.  With an IPv4 network device privacy is a simple task, as explained in the Network Privacy Conundrum section above.   The issue is that all communication to the global Internet goes through the LAN, where family members and business requirements share access.  This shared access creates an interesting challenge, since some family members browse social networks, web sites, gaming sites etc. that may or may not have good safeguards against a hacker reaching the family members' smart phones, tablets or desktops.  The majority of homes with Internet connections have the typical wireless setup shown in Figure 2.3.  The IPv4 WAN↔NAT↔LAN controls devices through Network Address Translation (NAT) in order to accommodate many devices on a single IP address; a device is just added as needed and a dynamic IP is assigned on the fly.  This IPv4 network is easy to set up and makes it easy to control which devices may connect to the global Internet.  Figure 2.3 is a typical wired and/or wireless network.  Routers today usually have 4 or 8 local hard-wired ports that may be used to connect a device directly or through a switch to add more devices.
Each /24 subnet in IPv4 handles up to 254 devices, all sharing one public IP address, so if everyone is browsing the Internet at the same time the throughput is divided among those on-line.  Typical throughput for household cable accounts is in the 10 Mb/s downstream / 5 Mb/s upstream range, and 1 Mb/s / 0.5 Mb/s for non-cable services like DSL and satellite.

There are two types of connections when you set up an Internet account with an ISP: a Static IP address or a Dynamic IP address.  A Dynamic IP address is terminated and reissued after an active time period controlled by the ISP; during the renewal all Internet access is interrupted, usually for a few seconds.  A Static IP address is a fixed IP, like the IP address for basilnetworks.com (64.139.76.51), and will remain active indefinitely.  This is the recommended type of IP for the standard IPv4 WAN connection and is better for running a separate web and e-mail server if that is decided on in the future.  For networks that are not going to run separate servers, any ISP service will work.  If you want to separate the business SOHO from the family, which is also recommended, you will be required to get an additional IP address.  Generally the ISP will assign a couple of IP addresses to each account to accommodate this; if not, there would probably be a small additional charge.

There is still concern about IPv6, how addresses are to be controlled and how much user interaction there is over the control of devices on the global Internet.  IPv4 gives the user a lot of control over devices through the IPv4 router and incorporates a separate DHCP (Dynamic Host Configuration Protocol) server.  There is DHCP in IPv6 as well; it is labeled DHCPv6, and alongside it is a service for the global Internet called SLAAC (StateLess Address AutoConfiguration).  SLAAC allows a device connected to the global Internet to be assigned an address automatically at the global Internet level and start communicating immediately.  There is a manual configuration as well: stateful, manual address configuration.  This gets a bit more technical and it is the next step to understanding device control with IPv6.  Our next part will cover how IPv4 and IPv6 differ in handling these device protocols.

If this were an IPv6 network you would need a separate IP address for each device, each device would be directly linked, and no NAT would be used.  The ISP would have to assign a block of IP addresses to each account or charge for each additional IP address as devices are added.  Here at BASIL Networks we have a block of 12 IP addresses that support several servers on-line.  We are using the IPv6-IPv4 gateway class through the ISP for this area.
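To make the SLAAC and per-device addressing points above concrete, here is an added example (not code from the original article) that builds the SLAAC address each device would get from the router's advertised /64 prefix using the modified EUI-64 method of RFC 4291, and then checks whether an address exposes the device's hardware MAC. The prefix 2001:db8:1:1::/64 and the MAC addresses are constructed sample values, not BASIL Networks' real addressing.

```python
import ipaddress
from typing import Optional

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 App. A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    first = octets[0] ^ 0x02          # flip the universal/local bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]

def slaac_address(prefix: str, mac: str) -> str:
    """Global address a host forms from a Router Advertisement /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC autoconfiguration requires a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def mac_from_slaac(addr: str) -> Optional[str]:
    """Recover the MAC if the interface ID carries the EUI-64 ff:fe marker.

    Returns None for addresses that do not embed a MAC (e.g. RFC 4941
    privacy extension or DHCPv6/stateful addresses). The ff:fe check is a
    heuristic: a random IID could contain those bytes by chance.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit_lan(prefix: str, macs: list) -> dict:
    """Map each constructed LAN device to its SLAAC address and the MAC it leaks."""
    return {mac: (slaac_address(prefix, mac), mac_from_slaac(slaac_address(prefix, mac)))
            for mac in macs}

if __name__ == "__main__":
    # Constructed sample: a home/SOHO LAN with three devices behind one /64.
    # Unlike IPv4 NAT, every device ends up with its own globally routable address.
    lan = audit_lan("2001:db8:1:1::/64",
                    ["00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f", "5c:f3:70:aa:bb:cc"])
    for mac, (addr, leaked) in lan.items():
        print(f"{mac} -> {addr}  (MAC visible in address: {leaked is not None})")
```

Running this on your own LAN's prefix and device MACs shows which devices would be individually reachable and trackable by their hardware address; hosts using RFC 4941 privacy extensions return None from mac_from_slaac.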

Figure 2.3 IPv4 Typical Home/SOHO Network




Publishing this series on a website or reprinting is authorized by displaying the following, including the hyperlink to BASIL Networks, PLLC either at the beginning or end of each part of this series.

BASIL Networks, PLLC - Internet of Things (IoT) - Security, Privacy, Safety - The Information Playground Part 2: IPv4 and IPv6: The Ins and Outs of IP Internet Addressing

For Website Link: cut and paste this code:

<p><a href="https://basilnetworks.com/Blog/index.php?op=ViewArticle&articleId=4&blogId=1" target="_blank"> BASIL Networks, PLLC - Internet of Things (IoT) - Security, Privacy, Safety - The Information Playground Part-2 - IPv4 and IPv6: <i>The Ins and Outs of IP Internet Addressing</i></a> (November 11, 2016)</p>


Sal (JT) Tuzzo - Founder CEO/CTO BASIL Networks, PLLC.
Sal may be contacted directly through this site's Contact Form, or
through LinkedIn

Copyright© 1990-2018 BASIL Networks, PLLC. All rights reserved