
Internet of Things (IoT) -Security, Privacy, Safety-Platform Development Project Part-3

saltuzzo | 24 November, 2016 09:26

Part 3: IPv4, IPv6, DHCP, SLAAC and Private Networks:
The Automatic Assignment of IP Internet Addressing

In all chaos there is a cosmos, in all disorder a secret order - Carl Jung

Part 1 Introduction - Setting the Atmosphere for the Series (September 26, 2016)
Part 2 IPv4 & IPv6 - The Ins and Outs of IP Internet Addressing (November 11, 2016)
Part 4 Network Protocols - Network, Transport & Application (January 10, 2017)
Part 5 Network Protocols - Network, Transport & Application -Continued (Aug 17, 2017)
Part 6 Network Protocols - Network, Transport & Application -Continued -Ethernet Protocol (Sept 21, 2017)
Part 7 Network Protocols - Network, Transport & Application -Continued -The CRC-32 and Checksums (Nov 23, 2017)
Part 8 IoT Core Platform - SoC Core Processor of Embedded Systems (Jan 12, 2018)
Part 9 IoT Core Platform - SoC Core Processor of Embedded Systems -Vulnerabilities (Mar 16, 2018)
Part 10 IoT Core Platform - SoC Core Processor of Embedded Systems -Documentation Management (Apr 5, 2018)
Part 11 IoT Core Platform - SoC Core Processor of Embedded Systems -Documentation Management Processes (June 27, 2018)
Part 12 IoT Core Platform - SoC Core Processor of Embedded Systems -Documentation Management Processes (July 29, 2018)

 

Let's Get Started: Quick Review to Set the Atmosphere for Part 3
In Part-2 we discussed the simple side of the two IP addressing schemes that are easily understood in this new "Information Highway" era.  It is easy to see how we can trace a physical address location from point A to point B with a simple numerical addressing scheme.  Also, in Part-2 for simplicity we used Class A, B, C, D for the point to point directions.  In reality IPv4 classes have been frowned upon since the 80's, following the release of RFC-1519 CIDR (Classless Inter-Domain Routing) in 1993, and with the creation of IPv6 the new scheme is considered a classless scheme.  Instead of classes, IPv6 is identified by a Global ID and SubNet ID assigned to an Interface Device ID or EUI.  In this part of the series we will go one step further to characterize the IP address and associate it with a unique physical identifier for the source and destination IP addresses.  Before we get deeper into network technology it is easier to look at the IP address as a point to point direction with the ability to funnel data through 1 to 65535 doors, rooms, or better yet ports, as shown in Figure 3.0.  IP address ports have been categorized for specific types of data transfers; for example Port 80 is primarily used by your Internet browser, which sends/receives data through port 80 of the IP address.  We presented ports lightly in Part-2; the complete list of port assignments can be found at Ports.  This will be addressed in more detail in the security and hardware design parts of the series.


Figure 3.0   IP Address Available Ports

When we look at a network and all the different types of devices connected to it, with all the different software applications that transport data over the network, it is reasonable to try to categorize devices and software applications by protocol, where the IP scheme is defined as a transport agent for these communications protocols; this is true for both IPv4 and IPv6.  We will briefly introduce a few of these communication protocols in order to get a better understanding of how hardware and software coincide; the protocols we will introduce are Unicast, Multicast and Broadcast.  Unicast, as the name implies, is a single host sending data packets to a single receiving host.  Multicast allows a single device to communicate with specific hosts and devices on a network, hence from one to many selected addresses, or from many selected addresses to many other selected addresses.  Broadcast is sending packets from a single device to many other devices on a network: all hosts on a single subnet and/or all subnets.  This will be covered in the security and software design section of this series.  There are many other protocol type requests that are part of the previously mentioned ones, and some of them we will cover in this part.  The intent is to accumulate the network understanding required for the design of the core platform IoT hardware, firmware and software.

So, now that we are able to get from point A to point B and we are standing in front of the house, it would be nice to identify the actual house uniquely, in a way that makes it different from all the other houses.  Relating this to the IP address, the house will be assigned another identifying characteristic, say the builder's name, the builder's type of house and the number built to date.  In network terms this is called the MAC (Media Access Control) address; great, another acronym.  The IPv4 and IPv6 address is a scheme or direction to get from point A to point B, while the MAC address is the PII (Personally Identifiable Information) of the house.  In computer terms the MAC is the Machine ID that is unique to every device connected to the Internet.  To start with the right terminology, the MAC acronym has been formally changed to EUI (Extended Unique Identifier); OK, yet another acronym to keep track of.

Some basic IP masking terminology to keep in mind.  Many times in the networking environment you will notice an IP address line 192.168.1.0/8 where the /8 is the number of bits to mask as part of the absolute address.  This relates to the IP address of 192.168.001.0 and a mask of 255.255.255.000.  So the total 32 bit address would be 192.168.001.xxx, where xxx is the user's device address, between 0 - 255.  In bit form the mask would be 11111111.11111111.11111111.00000000.  The 1's indicate the absolute part of the address, 192.168.1.  The /#bits always starts at the high end (left to right) of the address for both IPv4 and IPv6.  Let's summarize some of the acronyms we have; Table 3.0 lists the new acronyms used with the IP schemes so far.  By the way, the Internet technology arena has an acronym for everything, as we will see.

Acronym   Name / Stands For                                    Protocol
WAN       Wide Area Network                                    IPv4 and IPv6
LAN       Local Area Network                                   IPv4
ULA       Unique Local Address - Private Network               IPv6
NAT       Network Address Translation                          IPv4
P2P       Peer to Peer or Point to Point                       IPv4 and IPv6
MAC       Media Access Control                                 IPv4 and IPv6
EUI       Extended Unique Identifier (label change from MAC)   IPv6
IP Port   IP has 65535 Ports                                   IPv4 and IPv6

Table 3.0   Review of Some Basic IP Acronyms

MAC (Media Access Control), EUI (Extended Unique Identifier) address:
Ins & Outs of a Device/Access Control Identifiers

Before we get into the IPv6 technical details we have to cover some information about all devices attached to the Internet.  We discussed IPv4 and IPv6 addressing schemes, which are just different addressing schemes, directions P2P only.  The MAC address is a "hardware identification" address and has been formally renamed to EUI (Extended Unique Identifier) to conform with IPv6.  The EUI is not the destination point IP address scheme used as directions between two points but a unique hardware address ID that separates it from all other hardware.  All devices connected to the Internet are required to have a MAC/EUI address.  The MAC-48/EUI-48 address is a 48 bit physical hardware address (2^48 = 281,474,976,710,656 possible addresses) that is part of the NIC (Network Interface Controller), is assigned by the manufacturer of the controller and is supposed to be unique.  All smart phones, computers, tablets, any device that is connected to the Internet has a MAC/EUI address.  NIC manufacturers request a block of addresses from the IEEE for their devices; each address of the 24 bit block is used only once.  The 48 bit EUI-48 address format is shown in Figure 3.1 and is split into two 24 bit blocks: the first 24 bit block is the unique Company/Manufacturer ID and the second 24 bit block is the unique physical hardware ID.  The EUI-48 address is considered a permanent burnt-in address for the hardware and is handled differently between the two IP schemes, as we will see.  The 24 bit blocks indicate that 16,777,216 manufacturers are allowed and each manufacturer may manufacture 16,777,216 controllers.  With IPv6 addressing we have 340x10^36 addresses available, which means that we will run out of EUI-48 addresses at some future date, and considering IoT devices and the huge market it may be sooner rather than later.  Granted, many NICs are now in the trash and out of circulation; this will just prolong the inevitable.
We will see why this is important when we discuss IPv6 and the EUI-48 and EUI-64.  Although the EUI-48 address is considered permanent, with today's technology there are ways to change your EUI address; for now let's consider it permanent.  We will get into changing EUI-48 and EUI-64 in the security part of the series; at this point we are still addressing the characteristics or modes of the IP schemes.


Figure 3.1 MAC-48 Now Called EUI-48 Address Format

In IPv4 the EUI-48 address is kept local to the actual computers or devices on the private network LAN; the IPv4 router does not route the EUI across the WAN Internet, therefore it is possible to have duplicate EUI addresses in two LANs at different global IP address locations, since the EUI for IPv4 LANs never gets to the global Internet.  There are a minimal number of cases where the EUI is collected in a Server-Client application; however, duplicate EUI-48 addresses in a P2P application are not likely to happen.  The EUI-48 of any device address in an IPv4 LAN may be obtained locally by the device's OS (Operating System) issuing an ARP (Address Resolution Protocol) request.  The ARP -a 192.168.2.100 request's data packet carries the hardware EUI-48 for the source and target machines and the associated IP addresses.  Each device's OS keeps an internal cache buffer of the EUI and IP associations for all the devices on the LAN.  Regardless of the operating system being used, Windows, Unix or Linux, they all incorporate an ARP protocol request command as specified in RFC 826.  The IP & EUI combined create a unique address.  There is also a new format of the EUI-48 address for IPv6, EUI-64, which will be covered in the IPv6 section.  We will cover more on EUI in the security parts of the series.
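As an added example (not part of the original post), the Python script below parses the kind of ARP cache listing that ARP -a prints on Windows and on Linux, builds the IP-to-EUI-48 associations the paragraph describes, and then flags the two inconsistencies a healthy LAN cache should never show: one IP answered by several hardware addresses (a duplicate-address conflict or a poisoned cache) and one hardware address claiming several IPs (sometimes a gateway, otherwise worth a look). The listing embedded in the script is constructed for the example, not captured from a real network, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample `arp -a` output (not captured from a real LAN): the first
# block is the Windows layout, the last two lines the Linux/BSD layout.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.2.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.2.1           ac-de-49-23-45-67     dynamic
  192.168.2.100         ac-de-49-23-45-67     dynamic
  192.168.2.255         ff-ff-ff-ff-ff-ff     static
? (192.168.2.20) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.2.20) at 00:11:22:33:44:66 [ether] on eth0
"""

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_MAC = r"([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
WINDOWS_LINE = re.compile(r"^\s*" + _IP + r"\s+" + _MAC + r"\s+(\w+)")
LINUX_LINE = re.compile(r"\(" + _IP + r"\)\s+at\s+" + _MAC)


def normalize_mac(mac):
    """Windows prints ac-de-..., Linux ac:de:...; compare them in one form."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return (ip, mac) pairs from either layout; the broadcast entry is dropped
    because it carries no host identity."""
    pairs = []
    for line in text.splitlines():
        m = WINDOWS_LINE.match(line) or LINUX_LINE.search(line)
        if not m:
            continue  # headers and interface lines
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if mac == "ff:ff:ff:ff:ff:ff":
            continue
        pairs.append((ip, mac))
    return pairs


def find_conflicts(pairs):
    """Group the cache both ways and report any IP with more than one MAC and
    any MAC with more than one IP, with the members sorted for stable output."""
    by_ip, by_mac = defaultdict(set), defaultdict(set)
    for ip, mac in pairs:
        by_ip[ip].add(mac)
        by_mac[mac].add(ip)
    return {
        "ip_with_many_macs": {ip: sorted(m) for ip, m in by_ip.items() if len(m) > 1},
        "mac_with_many_ips": {mac: sorted(i) for mac, i in by_mac.items() if len(i) > 1},
    }


if __name__ == "__main__":
    cache = parse_arp(SAMPLE_ARP_OUTPUT)
    for entry in cache:
        print(entry)
    print(find_conflicts(cache))
```

On a real machine the text would come from running the OS's arp command and reading its output; the parser accepts both layouts so the same check can run on a Windows or a Linux host.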

IPv4 Routers: The Ins, Outs and Limitations
We have all used the IPv4 Internet for a long time now, so it is easier to relate to IPv6 by securing our understanding of IPv4 and identifying its limits; then we will move to IPv6.  Our intent in this section is to understand the IPv4 network configuration limitations and how these limitations are addressed and fixed in IPv6 networks.  Figure 3.2 shows a typical IPv4 router, which includes features to handle NAT, DHCPv4, the Firewall and of course MAC-48 (EUI-48) address filtering, allowing programmable control of the devices connected to the Internet.  Control of devices with the IPv4 router is a simple transaction of taking a single IP address from a LAN device like 192.168.2.20 and translating it to the ISP WAN address, connecting that single device to the Internet.  Simple, right?  OK, what about, say, 10 devices on the LAN all wanting to browse the web or upload/download files at the same time?  When many devices try to transfer data to the Internet they all have to go through the NAT bridge first, then through the firewall to see if that LAN address is allowed passage, then to a single WAN address.  All this traffic from a 10 lane highway narrows down to two single lane bridges, the NAT and the Firewall, to get to the WAN.  Obviously this starts to create a bottleneck or funnel effect for the traffic, since all Internet service providers regulate the throughput (DownLink/UpLink), as shown in Figure 3.3.  For a home and small home office environment this is generally not a problem, simply because home users generally adapt to the speeds of the Internet connection and accept the delays.  However, for a small office with, say, 10 or more people working on the Internet daily this starts to become a problem and business efficiency is affected.  For larger companies that have many people on-line constantly this becomes a serious throughput issue.

IPv4 Routers and DHCP:
DHCP (Dynamic Host Configuration Protocol) servers perform a useful task for adding devices to the LAN automatically.  As we stated earlier, for a LAN every device must have a unique IP address as well as a unique MAC(EUI) address in order to communicate with other devices connected to the network.  Without DHCP the individual responsible for the network would have to manually keep track of and assign all of the IP addresses for each device and ensure their uniqueness.  We see now that the DHCP server eliminates the need for manual efforts to maintain LAN IP addresses.  The DHCP server is generally configured with a block of available addresses like 192.168.2.10 - 192.168.2.40 for a block of 30 devices (10-40), from which the DHCP automatically assigns IP addresses.  After the 30 addresses are used up the DHCP server will not allow any more connections until one of the devices on the LAN is turned off and that IP address becomes available to assign to another device.  From this we see that a device may receive different IP addresses from the DHCP server over time.  This is fine for devices like a smart phone or tablet that are not always in the LAN area for connection.  However, for a web server or e-mail server this becomes a problem, since fixed servers require port forwarding from the WAN↔NAT↔LAN-Server.  Once the range of IP addresses allotted to the DHCP server is used up the user will have to select an IP address outside the DHCP configuration and manually activate the device connection on the NIC.  For IPv4 there is only one DHCP server on the LAN, so this becomes an easy task and conflicts are avoided.  The DHCP server or an assigned static IP address functions the same whether hard wired through the RJ45 or through WiFi.  However, if there were multiple DHCP servers on the network this would become an issue when devices receive conflicting information.
It can also be hard to get a system to have the same address across reboots with DHCP, since it is a first come, first served allocation process.
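The pool behaviour described above (first come, first served, refusal once the block is used up, and an address freed when a device goes away) as an added Python example; this is not the page's code nor a real DHCP server, just a hypothetical DhcpPool class written for illustration. It also shows the usual answer to the reboot problem in the last sentence: a reservation that pins one EUI-48 to one address inside the pool so that device gets the same address every time. Note that 192.168.2.10 through 192.168.2.40 inclusive is 31 addresses, one of which is reserved in the sample.

```python
import ipaddress


class DhcpPool:
    """Hypothetical first come, first served DHCPv4 pool (illustration only):
    hands out the lowest free address, returns None once the block is exhausted,
    renews an existing lease unchanged, and lets a MAC be pinned to one address."""

    def __init__(self, first, last, reservations=None):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.reservations = {m.lower(): ip for m, ip in (reservations or {}).items()}
        self.leases = {}  # mac -> ip

    def size(self):
        return len(self.free) + len(self.leases)

    def request(self, mac):
        """Return the address leased to this MAC, or None when the pool is exhausted."""
        mac = mac.lower()
        if mac in self.leases:              # renewal: the client keeps its address
            return self.leases[mac]
        if mac in self.reservations:        # pinned address, stable across reboots
            ip = self.reservations[mac]
            if ip in self.free:
                self.free.remove(ip)
            self.leases[mac] = ip
            return ip
        reserved = set(self.reservations.values())
        for ip in self.free:                # lowest free address not held back
            if ip not in reserved:
                self.free.remove(ip)
                self.leases[mac] = ip
                return ip
        return None                         # pool exhausted: no more connections

    def request_many(self, macs):
        return [self.request(m) for m in macs]

    def release(self, mac):
        """A device went away: its address returns to the pool (kept in order)."""
        ip = self.leases.pop(mac.lower(), None)
        if ip is not None:
            self.free.append(ip)
            self.free.sort(key=lambda a: int(ipaddress.IPv4Address(a)))
        return ip


if __name__ == "__main__":
    pool = DhcpPool("192.168.2.10", "192.168.2.40", {"aa:bb:cc:dd:ee:ff": "192.168.2.40"})
    print(pool.size(), pool.request("00:11:22:33:44:01"), pool.request("aa:bb:cc:dd:ee:ff"))
```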

IPv4 Routers and MAC(EUI) Addresses:
For IPv4 the hardware EUI-48 address and IP are on the private LAN behind NAT and may only be accessed on the private LAN side through the device's OS (Operating System) issuing an ARP request.  Many of the IPv4 routers still label the EUI-48 as the MAC ID, so in this section we will use both together to get used to using EUI.  This MAC(EUI-48) is also used in the IPv4 router for MAC(EUI) filtering, which allows selected devices on the LAN access to the LAN.  When a MAC(EUI) filter is set it will only allow those MAC(EUI) addresses of devices that are set up in the filter use of the LAN, and this includes Internet access.  In IPv4 routers just the MAC-48 (EUI-48) address is entered in a list in the router's non-volatile memory; no IP addresses are associated with the MAC address, since they may be any IP address assigned by the DHCP server or a manually assigned static address.  The MAC filtering is only effective on the private LAN in an IPv4 router and, as stated, it is not routed to the Internet WAN.  The addresses of all NICs connected to the LAN are retrieved via the ARP protocol and stored locally in each computer by the operating system running on the device or computer.  This is one of the differences between the IPv4 and IPv6 schemes, as we will see in the following sections.

Figure 3.2  Typical IPv4 Router Functional Block Diagram

IPv4 LAN Capabilities: Overview
The IPv4 LAN bridge has three blocks of private IP addressing issued by IANA that the user may choose from, as stated in Part-2.  NAT is considered a private LAN and IANA has assigned the following IP ranges for that purpose: (010.000.000.000-010.255.255.255), (172.016.000.000-172.031.255.255) and (192.168.000.000-192.168.255.255).  These assigned addresses fall into the Internet black hole and will not be acknowledged on the Internet.  Table 3.1 shows the configuration settings and the number of devices for those settings.  The IPv4 router has the ability to handle a huge number of connected devices.  Let's see what happens in the IPv4 network under NAT when many users access the Internet at the same time.  As we see, adding devices to the LAN, especially if they are to communicate on the WAN globally, can easily end up in a traffic bottleneck, shown in Figure 3.3 below.

Starting IPv4 Address   Ending IPv4 Address   IPv4 SubNet Mask   LAN Host Bits   Number of Devices
192.168.000.000         192.168.000.000       255.255.255.000    8               256
192.168.000.000         192.168.001.000       255.255.254.000    9               512
192.168.000.000         192.168.003.000       255.255.252.000    10              1024
192.168.000.000         192.168.007.000       255.255.248.000    11              2048
192.168.000.000         192.168.015.000       255.255.240.000    12              4096
192.168.000.000         192.168.031.000       255.255.224.000    13              8192
172.016.000.000         172.032.255.255       255.224.000.000    20              1,048,576
010.000.000.000         010.255.255.255       255.000.000.000    24              6,777,215

Table 3.1  Typical IPv4 LAN Addressing Capabilities
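An added Python example (not from the page) that works through the masking rule from the earlier masking paragraph and the private ranges behind Table 3.1 with the standard library ipaddress module. In CIDR notation the number after the slash counts the fixed network bits from the left, so the mask 255.255.255.000 with 8 host bits is written /24 and 255.255.254.000 with 9 host bits is /23; the functions below compute the mask, host bits and address count from a prefix, check that a dotted mask is a contiguous run of 1s, and test whether an address falls inside one of the three IANA private blocks. The network list at the top is a constructed sample.

```python
import ipaddress

# Constructed sample: private LAN blocks written as CIDR networks (inputs to
# exercise the functions, not the page's table).
SAMPLE_NETWORKS = ["192.168.1.0/24", "192.168.0.0/23", "172.16.0.0/12", "10.0.0.0/8"]

# The three IANA/RFC 1918 private blocks named in the text.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cidr_summary(cidr):
    """Return (first address, last address, dotted mask, host bits, address count).

    The /prefix counts the fixed network bits from the left, so 255.255.255.0
    is /24 and leaves 32 - 24 = 8 host bits, i.e. 2**8 = 256 addresses."""
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    return (str(net.network_address), str(net.broadcast_address),
            str(net.netmask), host_bits, net.num_addresses)


def is_contiguous_mask(mask):
    """True when the dotted mask is a run of 1s followed by 0s (255.255.254.0);
    something like 255.0.255.0 is not a valid subnet mask."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    return bits == ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF)


def mask_to_prefix(mask):
    """Convert a dotted mask into its /prefix length, rejecting non-contiguous masks."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask}")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def is_rfc1918(ip):
    """True when the address lies inside one of the three private blocks,
    i.e. it is never routed on the global Internet."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918)


def table(networks=SAMPLE_NETWORKS):
    """Rows in the same column order as Table 3.1, computed rather than typed."""
    return [(n,) + cidr_summary(n) for n in networks]


if __name__ == "__main__":
    for row in table():
        print(row)
    print(mask_to_prefix("255.255.254.0"), is_rfc1918("192.168.2.20"))
```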

Consider that each arrow represents a single packet of information (about 1500 bytes) trying to get to the global Internet to be sent to its destination.  This also doubles when we are also trying to receive data on many devices connected at the same time.  This is one of the main issues with IPv4, especially for web sites, which have to handle large amounts of data in both directions with many users.  Also, for ISP connections like DSL that have 1 Megabit/sec (1Mbps) for both Downlink/Uplink this can have a very slow response.  Many cable ISP connections average 5Mbps for both Downlink/Uplink; this is a bit better.  As an example, a typical home/SOHO network is like 10Mbps/3Mbps Dn/Up links.  For an average family of four, two children and two adults, we would have four smart phones, four desktops or laptops, two game stations and a connected home theater.  OK, two are on game stations, two are on laptops or desktops watching streaming videos and browsing the Internet.  That is a total of four smart phones, two game stations and two workstations all on at the same time.  That means the total throughput for the network is shared by 2+2+1 = 5 on line, which reduces the speed, hence: 10Mbps/5 = 2 Mbps downlink and 3/5 = 600K uplink.  For DSL it would be 200Kbps Dn/Up total.  For streaming video this is at the critical speed, and if there is any large transfer on the network you will see intermittent still pictures.

      
Figure 3.3  Typical IPv4 Router Traffic Bottle Neck

IPv6 EUI-48, EUI-64 addresses
Now that we understand how the MAC-48 (EUI-48) address interacts with IPv4, we will cover how the EUI-48 address interacts with the IPv6 addressing scheme.  We will take a short refresher from Part-2 on the IPv6 address format.  IPv6 is a 128 bit address protocol scheme, shown in Figure 3.4, grouped into eight 16 bit blocks (two octets each) that use hexadecimal format (0000-FFFF) separated by colons.  This gives eight groups of 16 bits in hex format, such as FD76:938C:03FF:51D3:0000:0000:00D3:000E.  This does get cumbersome at times, so to help with the formatting IPv6 has shortcuts for displaying the address; for example 0000:0000:0000:0000:0000:0000:408:833 may be written as ::408:833.  Leading 0s are also dropped, so the IP address 00EF:0938:00FF:0513:0000:0000:000D:000E may be written as EF:938:FF:513:0:0:D:E.  The size of IPv6 is huge: the largest number for 128 bits (2^128) is about 340x10^36 (340 billion, billion, billion, billion) or 340 undecillion addresses.

Figure 3.4  IPv6 Address Scheme 128 bit Format

OK, what does this have to do with the MAC address?  Everything.  The MAC acronym has been formally changed to EUI (Extended Unique Identifier) to accommodate the IPv6 formatting scheme, and the full labels are EUI-48 for IPv4 and EUI-64 for IPv6.  The IPv6 EUI-64 in Figure 3.5 has added 16 bits to the format: the OUI (Organizationally Unique Identifier) is still 24 bits and the hardware Interface ID is extended by 16 bits to yield a 40 bit Hardware Interface IDentifier.


Figure 3.5 EUI-64 Extended Unique Identifier Format

Since IPv4 will be around for some time, a conversion methodology was created to use both EUI formats seamlessly.  To convert an EUI-48 to an EUI-64 we split the EUI-48 into two 24 bit blocks, flip the second least significant bit of the most significant octet to 1 (the Locally Administered ID bit, b1=1) shown in Figure 3.6, insert the 2 octets (16 bits) FF FE between the two 24 bit blocks, then represent the result in the standard IPv6 address hex format as shown in Figure 3.7.  The EUI-48 ID AC:DE:49:23:45:67 maps to the EUI-64 AEDE:49FF:FE23:4567.  The flipped bit identifies the EUI as a physical hardware burned-in ID.  At this point it is important to realize that a device's EUI-64 address is incorporated into the IPv6 128 bit address and used by the host router to automatically configure the device to communicate over the IPv6 network.  The remaining control bits shown in Figure 3.6 are used to identify specific IPv6 addressing functions.  We will address this in the security and hardware communications section of the series.


Figure 3.6 Mapping EUI  Locally Administered ID  b1=1

So the Ethernet EUI-48 address AC:DE:49:23:45:67 converts to AEDE:49FF:FE23:4567 for the lower 64 bits of an IPv6 address, shown in Figure 3.7, called the "Interface Device IDentifier", to be sent to the host router for an IPv6 address assignment and configuration.  If this was in a ULA network, say FE80::/64, it would become FE80::AEDE:49FF:FE23:4567.


Figure 3.7 Mapping EUI-48 To EUI-64 Locally Fixed Hardware ID
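The conversion just described, as an added Python example that is not from the page: split the EUI-48, flip bit 1 of the first octet, insert FF FE between the halves, and combine the result with a /64 prefix the way stateless autoconfiguration forms an address (RFC 4291 Appendix A). The page's own sample EUI AC:DE:49:23:45:67 is the input; the function names and the second prefix (2001:db8::/32 is the documentation range) are my own.

```python
import ipaddress
import re


def parse_eui48(mac):
    """Accept AC:DE:49:23:45:67, ac-de-49-23-45-67 or acde.4923.4567 and return its 6 bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit EUI: {mac!r}")
    return bytes.fromhex(digits)


def is_universally_administered(mac):
    """Bit 1 of the first octet is the U/L bit: 0 means the vendor-assigned
    (burned-in) identifier, 1 means a locally administered one."""
    return not parse_eui48(mac)[0] & 0x02


def eui48_to_modified_eui64(mac):
    """Keep the 24 bit OUI and the 24 bit device half, insert FF FE between them
    and invert the U/L bit (RFC 4291 Appendix A). Returns four hex groups."""
    octets = bytearray(parse_eui48(mac))
    octets[0] ^= 0x02
    eui64 = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ":".join(f"{eui64[i]:02X}{eui64[i + 1]:02X}" for i in range(0, 8, 2))


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the modified EUI-64 interface identifier derived
    from the MAC; the low 64 bits of the prefix must be zero."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("the EUI-64 interface identifier needs a /64 prefix")
    iid = int(eui48_to_modified_eui64(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    mac = "AC:DE:49:23:45:67"
    print(eui48_to_modified_eui64(mac))      # AEDE:49FF:FE23:4567
    print(slaac_address("FE80::/64", mac))   # fe80::aede:49ff:fe23:4567
```

The ipaddress module prints the result in the compressed lowercase form, so the page's FE80::AEDE:49FF:FE23:4567 comes out as fe80::aede:49ff:fe23:4567; the bits are identical.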

All smart phones transmit the EUI-64 address when connected to the Internet and may be tracked easily with IP tracking software, another discussion for the Security part of the series.  The IPv4 and IPv6 addressing schemes differ in that the EUI-48 in IPv4 is kept on the private LAN and not routed out by the router to the Internet.  In IPv6 the EUI-64 is routed by the end user's local router to the ISP global router, assigned an IPv6 address and configured outside the user's private network.  This means that all devices on an IPv6 point to point connection are identified outside the private network, and the user no longer has private control over the device's configuration activities.  As we progress through the series we will be identifying these unique differences and creating a methodology to implement into our core platform that will allow more user control.

OK, let's summarize at this point, the reason being that IPv6 tends to become more difficult to keep in perspective from this point on.  We have covered in this part the change of terminology from MAC (Media Access Controller) to EUI (Extended Unique Identifier), how EUI-48 and EUI-64 are formatted, the IPv4 router capabilities and how they relate to the EUI-48 LAN through NAT.  We covered the depth of IPv4 device control and the IPv4 firewall, again using NAT.  We also created a table of the addressing capabilities of an IPv4 private LAN, which, as shown, has been handling company sizes from a single employee to Fortune 500 companies with very large numbers of network devices.  We showed that every Device IDentifier, regardless of the IP scheme, has an associated IP address when connected to a network.  In IPv6 we use the EUI-64 as part of the full 128 bit IPv6 address; if this device was attached to a ULA private network, say FE80::/64, it would become FE80::AEDE:49FF:FE23:4567.  The new item here is that the EUI is now part of the full IPv6 address regardless of whether it is on a private or global network.

IPv6 DHCPv6, SLAAC vs Stateful (Manual Device Assignments):
Handling Devices on the Private & Global Internet Bus

This section is where IPv6 separates itself from IPv4: we lose some features and gain some features.  The main feature we lose is NAT; IPv6 has way too many addresses (340 x 10^36) and it has been stated that NAT is not needed any more.  We will get back to that later in the series.  The elimination of NAT creates another concern.  The ULA (Unique Local Address) discussed in Part-2 is a "real private network" that is not routed to the global Internet.  The default ULA is FE80:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx.  The majority of routers that incorporate IPv6 also incorporate IPv4 as a dual mode router; the user selects the mode to set up either IPv4 or IPv6, not both.  Since NAT is not designed into IPv6 it is safe to say NAT is only used when IPv4 mode is selected for setup.  This is different from the IPv6-IPv4 Dual-Stack scheme that uses a translator to switch schemes and has been assigned by IANA and ICANN to handle the transition from IPv4 to IPv6 upgrades.  We have created a couple of block diagrams to show the functionality differences of IPv4 (Figure 3.8) and IPv6 (Figure 3.9) routers.  It becomes clear that the IPv6 router is more complex when attaching devices to the Internet; however, the IPv6 ULA private network functions similarly to the IPv4 LAN except for the fact that there is no NAT to connect a device to the Internet.  This does create an issue about device control and we will be addressing that in detail as we design the core IoT platform as the series progresses.

We see that the IPv6 ULA function is a separate function that is not routed to the global Internet.  The WiFi connections for the ULA are separated from the WiFi for the global Internet.  The eight port managed switch ensures that the ULA is not routed to the global Internet.  The router configuration allows the user to select the ULA and Global configuration.  Routers usually have four or eight RJ45 ports for hard wire and maybe other external switches to increase the number of wired connections.  The EUI-64 addresses for devices connected to the ULA are maintained in a cache by the connected device's operating system.  In IPv4 we used an ARP (Address Resolution Protocol) request; in IPv6 we use NDP (Neighbor Discovery Protocol), which is very similar in nature and also works only on the ULA network and is not routed to other networks.  The IPv6 DHCPv6 server works similarly to the DHCPv4 server in IPv4 routers, except in IPv6 the ULA device addresses are not routed to other networks or the Internet.


Figure 3.8  Typical IPv4 Router Functional Block Diagram

 

Figure 3.9  Typical IPv6 Router Functional Block Diagram

IPv6 DHCPv6 and Manual Device Assignments:
From the above router functional block diagrams we see that both the IPv4 LAN and IPv6 ULA networks allow DHCP servers and manually assigned static IP addresses for the private network.  This allows the private network to communicate with a huge number of attached devices.  The ULA becomes a true protected private network when working in a development environment, such that the local private servers will only be accessible to devices on the ULA network; outside Internet networks are completely isolated.  The DHCPv6 server becomes very helpful for connecting new devices over WiFi connections.  Both static IP and dynamic IP may share the same network by assigning a range to the DHCPv6 server.  Static IPs on the ULA are useful for network servers for client-server application software and are easier to manage with fixed static IP addresses.  To get the associated IP/EUI for each device we issue an NDP (Neighbor Discovery Protocol) RA (Router Advertisement) request, and the return is a listing of EUI-64 to IPv6 addresses for each device connected to the ULA network.  Devices may be added to the ULA private network without any communications with the ISP global router.  What we need is a network control switch that will just transfer the EUI-64 to the global Internet, which will assign two IP addresses to a single device, one for the isolated private ULA network and one for SLAAC on the global Internet.  This will be addressed in the platform design section of the series.

IPv6 SLAAC Device Assignments:
Here is where everything changes: the global Internet device configuration function called SLAAC (StateLess Address AutoConfiguration).  To make this as simple as possible, look at autoconfiguration this way: DHCP is the local private network function and SLAAC is the global Internet function.  SLAAC works similarly to DHCP in that it requires an EUI-64 to assign an IP address to, however the ISP controls the IP assignment.  The local router at the end user's site allows the ULA network user to have complete control over the devices connected to the ULA network.  However, SLAAC requires that the ISP subnet router have control over the device configuration and IP assignments.  This is much different from the IPv4 router, which allows the user to control access through the MAC(EUI) address.  With IPv6 we hand that control over to the ISP, which means the end user has less control over devices.  For those who run a SOHO business and have on-line servers this becomes more difficult, since we would need a fixed IPv6 address with some type of port forwarding to control the access to the server, and the end user's router would have to have EUI filtering to ensure the server is accessed through the end user's router and not by any unknown router.  It would make sense that the ISP would also be capable of assigning a block of static IPv6 addresses from their subnet router to perform this function.  This would allow the local end user's router to control the EUI to IP mapping locally as well as port forwarding to, say, a web server, e-mail server or security devices; this is a Stateful or manual function.  This would not be a good practice for a larger group of desktops or laptops to run on static IPs, since as we have seen the number of devices increases easily in a short period of time.  A small block of static IPv6 addresses, say less than 24, would be easy to handle manually.
The ISPs that I have worked with all charge a nominal monthly fee for a block of static IP addresses; considering the addressing capability of IPv6, fixed IPs should not be an issue.  This will be an important topic when we get to the security and firewall section of the series.

The process for SLAAC is straightforward: the ISP network routers send out an RA (Router Advertisement), which is a function of NDP (Neighbor Discovery Protocol).  This happens periodically to ensure the network is assigning IP addresses to EUI-64 devices efficiently and keeping track of who is connected to the network.  This is very similar to DHCP servers that drop and reassign IPs depending on who is connected to the network; the difference is that this is the global network and not a small private network.  What has to happen here is that the ISP router needs the EUI-64 to complete the full IPv6 address.  The EUI-64 should be a unique ID address, and traditionally the bottom 64 bits of the IPv6 address are generated from the EUI-64 ID.

This section gets to be a bit more technical, so to bring it down a notch or two before diving into the pond, look at all IPv6 commands, requests are stimuli and of course the is a response to these stimuli.  There are two sources for the stimuli, the devices operating system and the ISP router, just like clicking on say a file explorer application, the response are a listing of attributes about the storage, directories and files.  Same for the IPv6 network requests, stimulus and response, with that in mind lets move forward.  With IPv6, a DHCP server is not necessary because the ISP global subnet router handles the assignments and automatic configuration.  The process for this IPv6 function is called SLAAC (StateLess Address AutoConfiguration).  As we lightly mentioned in Part-2 it is a mechanism that when a device is connected to IPv6 it is auto configured by the host router and is able to start communicating immediately.  This is accomplished by the IPv6 routers sending out a RA (Router Advertisements) that mask bottom 64 bits (all 0s) of an IPv6 address, and hosts (ISP) router generates the bottom 64 bits themselves in order to form a complete address.  This relates an IPv6 address with a Interface Hardware ID and is used to insure the P2P data transfer completed.  Alternatively, a host may also generate its IPv6 address using a random number so its MAC(EUI) address remains hidden from the rest of the Internet.  Creating EUI-64 addresses randomly and hide the hardware EUI-64 from the Internet.  This is part of the EUI-64 control bits which we will cover this in the security and firewall section of the series. So far only the very expensive routers like Cisco® and other in that category have the more advanced capabilities and are way out of the price margin for home/or SOHO use.  
When this happens, a simple connection like VoIP from the home network continues over the wireless network to any destination away from the home; it just uses the static/fixed IP address over IPv6.  Carriers like Verizon, Sprint and many others are already switching to VoIP service to move to multihoming.  So, as we are experiencing, network technology is full of acronyms and this is just the beginning.  This is why we are starting at the very basics to get the concepts in perspective; then a new acronym will be easier to handle, just like programming, where there are groups of common commands with different names that all perform the same function.

We will cover SOHO servers under IPv6 like web, e-mail and database type servers.  Servers are relatively straightforward with IPv4: a static IP and port forwarding through NAT.  Under IPv6 there is no NAT to forward through; the server has its own global address, and "port forwarding" becomes a firewall rule that allows inbound connections to that one address and port while everything else on the prefix stays blocked.  Whoever hosts the domain's DNS (Domain Name System) records, whether the registrar, the ISP or a separate DNS provider, must offer some type of dashboard for them.  There you set up an A record for IPv4 and an AAAA record for IPv6 pointing to the server's addresses, so the entire Internet will be able to access the server by domain name; the domain name itself is registered through an ICANN-accredited registrar, and IANA manages the root of the system and the address blocks the ISP draws from.  The server needs a fixed address for this, since SLAAC temporary addresses rotate and would leave the AAAA record pointing at nothing.  This allows the SOHO to control its own server and control the access to it.  This also fits into the security and control sections of the series.


Summary:
The IPv6 specification is now 20 years old, so any major changes are not likely to happen any time soon.  As for NAT, after 20 years of discussion without it being adopted into IPv6, you would think it is not going to happen.  That does not mean it will not be featured and translated in devices some other way for convenience, control and security.  We have presented a basic entry-level introduction to both Internet Protocol schemes we are using today.  As we stated, network technology is full of acronyms to categorize network operations and we have just touched the surface, Table 3.3.  I talked with my ISP the other day and discussed the IPv6 fixed IP block of addresses and the number of devices I can attach to the Internet with SLAAC.  The ISP offers a /56 block of IP connections using SLAAC.  The /56 means the ISP fixes the top 56 bits; the bottom 8 bits of the Subnet ID (256 possible /64 subnets) and the 64 bits of the Interface Device ID (2^64 addresses on each subnet) are the end user's selection.  The ISP also offers a block of IPv6 static IP addresses for a nominal fee in blocks of 5, 12, 24 addresses.  The static IP addresses will allow inbound access for on-line servers at the end user's site, the role that port forwarding plays under IPv4.

From this discussion we begin to see that an IPv4 firewall design is no longer suitable for IPv6.  IPv4 SOHO security leaned on NAT: devices had private addresses that were unreachable from outside unless a port was deliberately forwarded.  Under IPv6 every device gets a globally routable address, so the firewall has to default-deny inbound traffic explicitly, open pinholes per device and port, and still let through the ICMPv6 Neighbor Discovery messages that SLAAC and address resolution depend on.  This clearly shows that a new interface technology is required in order to maintain device control and some advanced firewall topology for the IoT devices connected.  What is inevitable is that IPv6 will change the security policies that are present in IPv4.
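
As an added example that is not part of the original article, the following Python models the two points above for the /56 delegation described in the summary: carving the delegated prefix into /64 subnets (one per segment, so the IoT devices can sit on their own /64 away from the workstations), and the inbound policy an IPv6 firewall has to enforce without NAT: default-deny to every address in the prefix, an explicit pinhole for the server, and an allowance for the ICMPv6 messages the network itself depends on. The delegated prefix, server address and packets are constructed, hypothetical values; the policy function is a model for reasoning about the rules, not a firewall implementation, and it ignores stateful return traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed values (hypothetical, not from the article). 2001:db8::/32 is the
# documentation prefix (RFC 3849).
DELEGATED_PREFIX = "2001:db8:ab00::/56"                 # what the ISP hands the SOHO
SERVER_ADDR = "2001:db8:ab00:10:21b:63ff:fe84:45e6"     # web server on subnet 0x10
# The IPv6 equivalent of an IPv4 port forward: (address, protocol, port) pinholes.
PINHOLES = {(str(ipaddress.IPv6Address(SERVER_ADDR)), "tcp", 443)}

# ICMPv6 types a firewall must not block (RFC 4890): RS, RA, NS, NA carry
# Neighbor Discovery and SLAAC; Packet Too Big carries path-MTU discovery.
NDP_TYPES = {133, 134, 135, 136}
PACKET_TOO_BIG = 2


def carve_subnets(delegated: str, new_prefix: int = 64) -> List[ipaddress.IPv6Network]:
    """Split the delegated prefix into /64s: a /56 gives 2**(64-56) = 256 of them.
    SLAAC only works on a /64, so each segment (LAN, guest, IoT) gets its own."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > new_prefix:
        raise ValueError("delegated prefix is smaller than the requested subnets")
    return list(net.subnets(new_prefix=new_prefix))


def scope(addr: str) -> str:
    """Classify an address the way firewall rules need to. IPv6 has no broadcast,
    and the 'private' role of RFC 1918 is split between link-local and ULA."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "ula"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global"
    return "other"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmpv6"
    dport: int = 0
    icmp_type: int = 0
    hop_limit: int = 64


def inbound_allowed(pkt: Packet, delegated: str = DELEGATED_PREFIX) -> bool:
    """Model of the WAN-facing inbound policy. Without NAT every host in the
    delegated prefix is reachable, so the default must be deny; only the listed
    pinholes and the ICMPv6 the network depends on get through. Established or
    related return traffic (a conntrack rule in a real firewall) is not modelled."""
    if pkt.proto == "icmpv6":
        if pkt.icmp_type in NDP_TYPES:
            # NDP is link-scoped: RFC 4861 requires hop limit 255 and a link-local
            # (or unspecified, for DAD) source. Anything else is a spoof attempt.
            src_ok = pkt.src == "::" or scope(pkt.src) == "link-local"
            return src_ok and pkt.hop_limit == 255
        if pkt.icmp_type == PACKET_TOO_BIG:
            return True       # blocking this breaks PMTU discovery for the prefix
        return False
    dst = ipaddress.IPv6Address(pkt.dst)
    if dst not in ipaddress.IPv6Network(delegated, strict=True):
        return False          # not our prefix; nothing to forward to
    return (str(dst), pkt.proto, pkt.dport) in PINHOLES


if __name__ == "__main__":
    subnets = carve_subnets(DELEGATED_PREFIX)
    print(len(subnets), "subnets; IoT segment:", subnets[0x20])
    for p in (Packet("2001:db8:ffff::1", SERVER_ADDR, "tcp", dport=443),
              Packet("2001:db8:ffff::1", SERVER_ADDR, "tcp", dport=22),
              Packet("2001:db8:ffff::1", str(subnets[0x20][1]), "tcp", dport=443)):
        print(p.dst, p.proto, p.dport, "->", "allow" if inbound_allowed(p) else "deny")
```

The point the model makes is that under IPv6 the IoT device on subnet 0x20 is just as reachable from the Internet as the web server unless the firewall denies it, and that a rule set copied from an IPv4 mindset ("block all ICMP") silently breaks SLAAC, DAD and PMTU discovery.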


Acronym     Name / Description                                                          Protocol
WAN         Wide Area Network                                                           IPv4 and IPv6
LAN         Local Area Network                                                          IPv4 and IPv6
ULA         Unique Local Address - Private Network                                      IPv6
NAT         Network Address Translation                                                 IPv4
P2P         Peer to Peer or Point to Point                                              IPv4 and IPv6
DHCPv4      Dynamic Host Configuration Protocol                                         IPv4
DHCPv6      Dynamic Host Configuration Protocol                                         IPv6
SLAAC       StateLess Address AutoConfiguration                                         IPv6
Stateful    Stateful address configuration (a DHCPv6 server assigns and records it)     IPv6
MAC         Media Access Control (48-bit hardware address)                              IPv4 and IPv6
EUI         Extended Unique Identifier (64-bit EUI-64 form of the MAC, new MAC)         IPv6
ARP         Address Resolution Protocol                                                 IPv4
NDP         Neighbor Discovery Protocol (replaces ARP)                                  IPv6
Unicast     Single end-to-end data packet transfer                                      IPv4 and IPv6
Broadcast   Single to all-on-link data packet transfer                                  IPv4 only (IPv6 uses multicast instead)
Multicast   Single/Many to Many in network                                              IPv4 and IPv6

Table 3.3  Update of Table 1.0 Basic IP Acronyms

In the next part of the series we will address the Global and ULA private networks and the protocols used to configure and control devices on IPv6.  This will bring us another step forward in characterizing our IoT core platform to connect as a dual-mode IPv4 or IPv6 network device.




Publishing this series on a website or reprinting it is authorized by displaying the following, including the hyperlink to BASIL Networks, PLLC, either at the beginning or end of each part.
BASIL Networks, PLLC - Internet of Things (IoT) - Security, Privacy, Safety - The Information Playground Part-3: IPv4, IPv6, DHCP, SLAAC and Private Networks: (November 25, 2016)

For Website Link: cut and paste this code:

<p><a href="https://basilnetworks.com/Blog/index.php?op=ViewArticle&articleId=4&blogId=1" target="_blank"> BASIL Networks, PLLC - Internet of Things (IoT) - Security, Privacy, Safety - Platform Development Project Part-3 - IPv4,IPv6 DHCP, SLAAC and Private Networks: (November 25, 2016)</a></p>


Sal (JT) Tuzzo - Founder CEO/CTO BASIL Networks, PLLC.
Sal may be contacted directly through this site's Contact Form or
through LinkedIn

Comments

Blog BN′B

viagra onde comprar | 05/09/2018, 23:52

I feel that this post is among the most important
of the many I have seen on this topic. And I am happy to have read your article. http://centrassia.ru/user/RKONick286/

Blog BN′B

Citra Hazelin | 14/08/2018, 04:20

Hmm it seems like your site ate my first comment (it was super long) so I guess I'll just sum it up what I wrote and say, I'm thoroughly enjoying your blog.

I too am an aspiring blog blogger but I'm still new to the whole thing.
Do you have any recommendations for novice blog writers?
I'd certainly appreciate it.

Blog BN′B

mobil avanza | 02/08/2018, 11:57

I like the valuable info you provide in your articles.
I will bookmark your weblog and check again here
regularly. I am quite sure I'll learn lots of new stuff right here!

Best of luck for the next!

Powered by LifeType - Design by BalearWeb
Copyright© 1990-2017 BASIL Networks, PLLC. All rights reserved