Computer Network and Cloud Technologies, Network Security notes

IPv4, IPv6, Routing, Cloud, NFV, Virtualization, Docker, Kubernetes, Containers, MPLS, QoS, optical network + Laboratories IPv6, virtualization and Docker

Type: Notes

2022/2023

On sale since 23/01/2024

pietro_armenante_14

15 documents

Politecnico di Torino
Department of Control and Computer Engineering
Master’s degree in Cybersecurity
Computer Network and Cloud Technologies
Pietro Armenante
I Semester, University Year 2023/2024


Contents

  • 1 IPv4 Addressing and Static Routing
    • 1.1 IP addressing classes
    • 1.2 IP routing
      • 1.2.1 IPv4 Multicast
  • 2 Routing
    • 2.1 Non-adaptive algorithms
    • 2.2 Adaptive algorithms
      • 2.2.1 Centralized routing
      • 2.2.2 Isolated routing
      • 2.2.3 Distributed routing
    • 2.3 Static vs dynamic
    • 2.4 Hierarchical Routing
    • 2.5 Internet Routing Architecture
    • 2.6 Summary of routing protocols
      • 2.6.1 IGP
      • 2.6.2 EGP
  • 3 IPv6
    • 3.1 IPv6 address space
      • 3.1.1 Multicast addresses
      • 3.1.2 Unicast addresses
      • 3.1.3 Anycast Addresses
    • 3.2 Packet header format
    • 3.3 Interfacing with lower level
      • 3.3.1 IPv6 multicast transmission
      • 3.3.2 Neighbor Discovery and Address Resolution
    • 3.4 ICMPv6
    • 3.5 Device configuration in IPv6
    • 3.6 The road to IPv6
  • 4 Principles of VLAN design and operation
  • 5 Cloud Computer Models and Technologies
    • 5.1 Business drivers for Cloud Computing
      • 5.1.1 Cloud Computing benefits
    • 5.2 Basic concepts and terminology
    • 5.3 Parties in cloud
    • 5.4 Cloud characteristics
    • 5.5 Cloud deployment models
    • 5.6 Cloud delivery models
      • 5.6.1 Infrastructure-as-a-Service (IaaS)
      • 5.6.2 Platform-as-a-Service (PaaS)
      • 5.6.3 Software-as-a-Service
      • 5.6.4 Comparing cloud delivery models
      • 5.6.5 Other cloud services
  • 6 Virtualization Technology
    • 6.1 Virtual Machines (VMs)
    • 6.2 Hypervisor and Virtual Machine Monitor (VMM)
      • 6.2.1 Type 1 hypervisor (Bare Metal Virtualization)
      • 6.2.2 Type 2 hypervisor (residence/hosted virtualization)
    • 6.3 Virtualization techniques
    • 6.4 Types of virtualization
      • 6.4.1 Server virtualization
      • 6.4.2 Desktop virtualization
      • 6.4.3 Storage virtualization
      • 6.4.4 Application virtualization
      • 6.4.5 Popular Hypervisor
  • 7 Lightweight virtualization & Containers
    • 7.1 Cgroups and namespaces
    • 7.2 Containers
      • 7.2.1 Containers vs VMs
      • 7.2.2 Microservices
    • 7.3 Docker
      • 7.3.1 Docker tools and terms
    • 7.4 Kubernetes
      • 7.4.1 Rolling Deployments
      • 7.4.2 Service Discovery
      • 7.4.3 Load Balancing
      • 7.4.4 Health Checking
      • 7.4.5 Cluster Networking
      • 7.4.6 Autoscaling
      • 7.4.7 Declarative Configuration
      • 7.4.8 Kubernetes Design Overview
      • 7.4.9 Clusters and Pods
      • 7.4.10 Kubernetes Deployments
      • 7.4.11 Exposing your application: Kubernetes Services
      • 7.4.12 Pod Management: Kubernetes Node Agents
      • 7.4.13 Control and Schedule: Kubernetes Control Plane
  • 8 Network Functions Virtualization
    • 8.1 NFV Framework
  • 9 MPLS
    • 9.1 MPLS header
    • 9.2 LSP setup
    • 9.3 Routing Protocols
      • 9.3.1 Traffic Engineering
      • 9.3.2 Fast Fault Recovery
      • 9.3.3 Label Stack Hierarchy and PHP
    • 9.4 IPv6: network transition
  • 10 The Optical Internet
  • 11 Multimedia Networking and Quality of Service
  • 12 Laboratory
    • 12.1 Laboratory 1 - IPv6 on routers
      • 12.1.1 Configure IPv6 addresses
      • 12.1.2 Static routing
      • 12.1.3 Verification of proper operation
    • 12.2 Laboratory 2 - Computing Virtualization with KVM
      • 12.2.1 Physical and logical setup
      • 12.2.2 Prepare the lab environment
      • 12.2.3 Customize the disk image with your personal data
      • 12.2.4 Network configuration
      • 12.2.5 Use a router VM to exchange traffic between two VMs
    • 12.3 Laboratory 3 - Docker
      • 12.3.1 Familiarizing with Docker
      • 12.3.2 Isolation
      • 12.3.3 Docker Network Configuration
      • 12.3.4 Creating a custom image with Dockerfiles
      • 12.3.5 Using Docker Compose to coordinate multiple containers

1 IPv4 Addressing and Static Routing

Let’s start with some terminology:

  • IP address, a sequence of 32 bits that identifies hosts and router interfaces;
  • Network part, the high-order bits of the IP address (the part on the left);
  • Host part, the low-order bits of the IP address (the part on the right);
  • IP network, the set of IP devices whose interfaces share the same network part of the IP address and that are connected to the same physical network.

In the figure, for example, the IP network on the left is the set of addresses that identify the devices on the first network, namely 223.1.1.1, 223.1.1.2 and 223.1.1.3. The network part is 223.1.1, while the host part is the last byte of the IP address.

Some IP addresses are considered special because they cannot be assigned to a specific host; they mean something more:

  • some value + all 0s in the host part is the (sub)network ID;
  • all 1s is the limited broadcast (local network); it is called that because it is never forwarded across a router (it stays in the local network);
  • some value + all 1s in the host part is the directed broadcast for that specific network; for example, the directed broadcast address of the 192.0.2.0/24 network is 192.0.2.255 (the host part of the address is all 1s);
  • 127 + anything (often 1) is the loopback address used for debugging;
  • all 0s is the wildcard address: it represents all hosts and is used to reach any kind of destination (in a routing table, if the destination IP address does not match any entry, this address is the one chosen to send the packet because it is the shortest match; in this case it is called the default route).

1.1 IP addressing classes

In the past, IP addresses were divided into 3 ”classes”:

  • Class A has 8 bits in the network part and the remaining bits in the host part;
  • Class B has 16 bits in the network part and the remaining bits in the host part;
  • Class C has 24 bits in the network part and the remaining bits in the host part.

What are the differences between these 3 classes? A class A network can address 2^24 different hosts, a class B network 2^16 and a class C network 2^8. The first bits identify the class (0 for class A, 10 for class B and 110 for class C). This way of addressing is simple because the number of hosts and networks is predefined, but that is also the reason why it is no longer used. If I need to represent 140 hosts, I need 9 bits: I cannot use class C for the sake of one single bit, so I have to choose class B. As we can see, this is a waste of bits. The addressing used today is called CIDR, Classless Inter-Domain Routing. In this case it is possible to choose the number of bits used to describe the hosts, so as to be more flexible and make better use of the bits. Of course, it is then important to know how many bits are reserved for the network part and how many for the host part. The address format can be one of those:
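As an added example (not part of the original notes), the following Python script computes the special addresses of a block and contrasts classful and CIDR allocation for a requested number of hosts. It relies only on the standard `ipaddress` module; the function names and the 300-host sample are this example's own choices, and it generalizes the single case in the text to any host count.

```python
import ipaddress

# Historical class boundaries: number of host bits left after the network part.
CLASS_HOST_BITS = {"A": 24, "B": 16, "C": 8}


def classful_class(addr):
    """Return the historical class of an IPv4 address from its leading bits
    (0 -> A, 10 -> B, 110 -> C); anything else (class D/E) is reported as 'other'."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet >> 7 == 0b0:
        return "A"
    if first_octet >> 6 == 0b10:
        return "B"
    if first_octet >> 5 == 0b110:
        return "C"
    return "other"


def host_bits_needed(n_hosts):
    """Smallest number of host bits h such that 2**h - 2 >= n_hosts
    (the all-0s network ID and the all-1s directed broadcast are not usable)."""
    h = 1
    while (1 << h) - 2 < n_hosts:
        h += 1
    return h


def classful_vs_cidr(n_hosts):
    """Compare the smallest classful network that fits n_hosts with the CIDR block
    that fits it. Returns (class, addresses in that class, CIDR prefix length,
    addresses in the CIDR block); the difference is the waste the notes describe."""
    h = host_bits_needed(n_hosts)
    for cls in ("C", "B", "A"):
        if CLASS_HOST_BITS[cls] >= h:
            return cls, 1 << CLASS_HOST_BITS[cls], 32 - h, 1 << h
    raise ValueError("too many hosts for a single classful network")


def special_addresses(cidr):
    """The special addresses of a CIDR block, as listed in the notes."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return {
        "network_id": str(net.network_address),            # host part all 0s
        "directed_broadcast": str(net.broadcast_address),  # host part all 1s
        "limited_broadcast": "255.255.255.255",            # all 1s, never forwarded by routers
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def classify(addr, cidr=None):
    """Classify one address: wildcard/default route, limited broadcast, loopback,
    and (when the block is known) network ID or directed broadcast."""
    a = ipaddress.IPv4Address(addr)
    if a == ipaddress.IPv4Address("0.0.0.0"):
        return "wildcard / default route"
    if a == ipaddress.IPv4Address("255.255.255.255"):
        return "limited broadcast"
    if a.is_loopback:                      # 127.0.0.0/8
        return "loopback"
    if cidr is not None:
        net = ipaddress.IPv4Network(cidr, strict=False)
        if a == net.network_address:
            return "network ID"
        if a == net.broadcast_address:
            return "directed broadcast"
    return "host"


if __name__ == "__main__":
    print(special_addresses("192.0.2.0/24"))
    print(classful_class("223.1.1.1"), classful_vs_cidr(300))
```

Running it shows that 300 hosts need 9 host bits: the smallest class that fits is class B (65536 addresses), whereas a /23 CIDR block provides 512 addresses for the same need.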

1.2.1 IPv4 Multicast

Multicast was introduced in IPv4 because it is simpler and more intuitive than broadcast, but it is not much used there; we will see it again in IPv6. In IPv6 broadcast is not used or allowed; in IPv4 multicast was introduced to reduce broadcast in order to improve security. The destinations of a multicast are characterized by being part of a group (only hosts are members of a group, not routers). The sending model is that one packet is sent and it is replicated towards many other hosts when it reaches the routers and the hosts. So we need a protocol to join a group and protocols that let a router know which hosts in which subnets are part of a specific group, and then share this information with other routers. In order to optimize the architecture, ISPs and content organizations have to be transparent to each other, so as to know what kind of data will be sent.

A set of IP addresses is dedicated to multicast: they are the reserved range 224.0.0.0 - 239.255.255.255. An address identifies a host group, and a packet is delivered to all hosts in the group anywhere in the network. Nowadays it is possible to have more than one virtual interface on a single physical interface (on a single host). Remember that with DHCP the IP address of a host can change. Hosts join and leave a group dynamically. IEEE 802 protocols: when a frame arrives at a host, the traffic is discarded at layer 2 if the destination MAC address differs from the interface's own, or at layer 3 if the destination IP address differs. Discarding a packet at layer 2 is faster than at layer 3 because layer 2 filtering is done by the network interface, while layer 3 filtering is done by the kernel. This improves network efficiency. In the MAC address the 8th bit indicates whether the address is automatically configured (0) or manually configured (1). This is a kind of debugging bit, so it has to be checked carefully when it is 1. Routers discover host groups on each LAN (Internet Group Management Protocol, IGMP), routers announce host groups to each other (multicast routing protocols) and routers build a distribution tree for each host group (reaching all LANs with at least one member).

2 Routing

Routing: the network layer must determine the path that packets follow, via routing algorithms. The routing function is implemented in the network-layer control plane. Since it occurs on large time scales (of the order of seconds), it is usually implemented in software. It is also called proactive routing: it is independent of the actual traffic, determines the reachable destinations and computes the best route (which depends on the metric we use: money, time, number of hops, etc.); it is commonly referred to simply as “routing”. Forwarding: when a router receives a packet, it must transfer it to the appropriate output connection. Forwarding is one of the functions implemented in the data plane. Since it occurs on a very small time scale (of the order of a few nanoseconds), it is usually implemented in hardware. It is also called on-the-fly routing: it is performed while handling each packet, based on local information (the routing/forwarding table, i.e. the output of proactive routing or of signaling), a.k.a. the route. There are mainly three kinds of on-the-fly routing algorithms:

  • routing by network address: in the routing table I have the destination IP address and the output port;
  • label swapping: the decision is based on a label (assigned to packets with specific characteristics); if a packet carries a specific label it goes in a specific direction;
  • source routing: the path is specified based on the source of the traffic, so in the routing table I have the source IP address and the output port (the advantage is that I can treat traffic differently depending on the path the packets follow).

Each protocol architecture adopts one or more of them. The forwarding phases are: routing (on-the-fly), with the output port selection and the possible next-hop selection; switching, i.e. the transfer to the output port; and finally transmission. Proactive routing algorithms can be classified as:

  • non-adaptive algorithms (static);
  • adaptive algorithms (dynamic).

2.1 Non-adaptive algorithms

As the name says, in case of problems a non-adaptive algorithm cannot solve the problem by itself and cannot adapt to the situation. It has a fixed routing directory, which can be the static one or one given by manual configuration. Flooding and its derivatives are also considered non-adaptive algorithms. Selective flooding is useful because sometimes it is important that the packets reach the destination (so as to have a guarantee that they arrive).

The pro of this way of working is that the administrator has full control, but the cons are that it is error prone and it does not adapt to topology changes. For this reason it is possible to configure a form of load balancing: two different routes are specified, one used when there are no problems on the network and one used when there are (a kind of backup route), like the red path in the figure.

  • Count to infinity: if the last link breaks, the error notification is sent to the neighbors, who send it to their neighbors, and so on up to the source node; the source becomes aware of the error only after a long time, during which it keeps working as if the fault had not happened (as do the intermediate nodes).
  • Bouncing effect: a phenomenon in which packets or routing information are routed cyclically or continuously among a limited set of nodes or paths in the network. It can occur when the routing algorithm cannot find a definitive route to deliver the data or when network state information changes rapidly.

Remember that the main problem of DV is the transient phase until the final table is reached. If something happens in this period, the time is further increased. Some partial solutions to these problems are:

  • Split horizon: the announcement of the DV is handled separately on each interface of a node. If node A receives some information about node B, it is meaningless to send it back to node B, so it is sent only on the other interfaces. C will tell D only about A and B through C2, and it will tell A and B about D through C1. So a router does not advertise a route back to the neighbor from which it learned it. This prevents a router from propagating incorrect routing information to the very router it received it from. If the link between A and B breaks, in this case C will not tell B that it can reach A, avoiding count to infinity and loops between two nodes. In actual implementations routes have to expire, so that the DV can be updated in case of malfunctions or changes in the network. Unfortunately, it does not solve the problem in mesh networks: if a shared link goes down, there will again be bouncing effect and count to infinity.
  • Path hold down: if link L fails, all destinations reachable through link L are considered unreachable for a certain period of time. In this solution nodes use a quarantine period to avoid communicating with a certain node for a certain time. However, suppose the timer and the quarantine are used only by B: the quarantine can be a problem even if there is another connection from C to A, because B will not send packets to A through C because of the quarantine. Every piece of information about A received by B is discarded during the quarantine, until the timer expires. We have to wait until the end of the quarantine to add a new route to the destination. In general, it is also possible to set a cost threshold that cannot be exceeded: for example, if I set a threshold of 20, once the route from A to B is counted to cost more than 20 it is discarded.
  • Route poisoning: when a router detects that a route is no longer reachable, it advertises the route to its neighbors with an infinite metric (of course, it is a conventional value that is taken to mean infinity), effectively poisoning the route and informing the others that it is no longer a valid path.

It is possible to use split horizon and poison reverse together: this ensures that if a router learns a route through a neighbor and that route subsequently becomes unreachable, the router advertises the route back to that neighbor with an infinite metric. Even if it is more aggressive, its only advantage is not needing to wait for route expiration. To sum up, these algorithms are simple to implement, the protocols are simple to deploy and they need very little configuration. However, they have exponential worst-case complexity and convergence time, complex troubleshooting and large routing traffic (and storage), and they are not suitable for large complex networks.
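The following is an added simulation, not code from the notes, of the count-to-infinity problem and of the split horizon with poison reverse fix on the three-node line A - B - C used in the text. The synchronous round model (every node sends its vector, then every node updates), the `DistanceVectorNet` class and the RIP-style infinity of 16 are assumptions of this example.

```python
INF = 16  # RIP-style "infinity": any cost >= INF means unreachable


class DistanceVectorNet:
    """Synchronous distance-vector simulation: every round, each node sends its
    vector to each neighbor, then every node updates its table (Bellman-Ford).
    table[node] = {destination: (cost, next_hop)}"""

    def __init__(self, links):
        self.cost = {}
        for (u, v), c in links.items():
            self.cost[(u, v)] = c
            self.cost[(v, u)] = c
        self.nodes = sorted({n for link in self.cost for n in link})
        self.table = {n: {n: (0, None)} for n in self.nodes}

    def neighbors(self, n):
        return [v for (u, v) in self.cost if u == n]

    def fail_link(self, u, v):
        """Bring a link down: both ends mark routes via that link as unreachable."""
        del self.cost[(u, v)], self.cost[(v, u)]
        for a, b in ((u, v), (v, u)):
            for dest, (c, nh) in list(self.table[a].items()):
                if nh == b:
                    self.table[a][dest] = (INF, nh)

    def advertisement(self, sender, receiver, poison_reverse):
        """The vector `sender` sends to `receiver`. With split horizon + poison reverse,
        routes learned through `receiver` are advertised back to it as INF."""
        adv = {}
        for dest, (c, nh) in self.table[sender].items():
            adv[dest] = INF if (poison_reverse and nh == receiver) else c
        return adv

    def run_round(self, poison_reverse):
        advs = {(s, r): self.advertisement(s, r, poison_reverse)
                for s in self.nodes for r in self.neighbors(s)}
        changed = False
        for r in self.nodes:
            for s in self.neighbors(r):
                link = self.cost[(r, s)]
                for dest, adv_cost in advs[(s, r)].items():
                    cand = min(INF, link + adv_cost)
                    cur_cost, cur_nh = self.table[r].get(dest, (INF, None))
                    # The neighbor that is our current next hop is always believed
                    # (even if the cost got worse); others only if they are cheaper.
                    if (cur_nh == s or cand < cur_cost) and (cand, s) != (cur_cost, cur_nh):
                        self.table[r][dest] = (cand, s)
                        changed = True
        return changed

    def converge(self, poison_reverse, max_rounds=100):
        """Rounds until no table changes (the final quiet round is counted)."""
        for i in range(1, max_rounds + 1):
            if not self.run_round(poison_reverse):
                return i
        return max_rounds


def count_to_infinity_demo(poison_reverse):
    """Line A - B - C, destination A; then the A-B link fails.
    Returns (rounds to re-converge, cost of A at B, cost of A at C)."""
    net = DistanceVectorNet({("A", "B"): 1, ("B", "C"): 1})
    net.converge(poison_reverse)
    assert net.table["C"]["A"] == (2, "B")
    net.fail_link("A", "B")
    rounds = net.converge(poison_reverse)
    return rounds, net.table["B"]["A"][0], net.table["C"]["A"][0]


if __name__ == "__main__":
    print("plain DV:        ", count_to_infinity_demo(False))
    print("poison reverse:  ", count_to_infinity_demo(True))
```

Without poison reverse the cost of A bounces between B and C (3, 4, 5, ...) and only settles once it reaches 16, which takes 15 rounds; with split horizon and poison reverse, C tells B that A is unreachable in the very first round and the tables are stable after 2 rounds.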

Path vector sits between distance vector and link state: the information sent also includes the nodes to pass through to reach a specific destination. It eliminates loops but increases the amount of information to send.

In a link-state routing algorithm the network topology and all link costs are available as input to the algorithm: in this way all nodes have an identical and complete view of the network, and each node running the LS algorithm gets the same results. Even though the link state of a single node is smaller than a DV, each node has to store the link state of all the nodes.

The algorithm used in this case is Dijkstra's algorithm: it has a low complexity of L log(N), where L is the number of links and N is the number of nodes. It is a ”shortest path first” algorithm,
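An added example, not from the notes: Dijkstra's shortest-path-first algorithm on a constructed six-node topology (link costs chosen arbitrarily for the example), followed by the derivation of the forwarding table (destination to next hop) that a router would install from the resulting shortest-path tree.

```python
import heapq


def undirected_graph(links):
    """Build an adjacency map {node: {neighbor: cost}} from (u, v, cost) links."""
    graph = {}
    for u, v, cost in links:
        graph.setdefault(u, {})[v] = cost
        graph.setdefault(v, {})[u] = cost
    return graph


def dijkstra(graph, source):
    """Shortest-path-first: returns (dist, prev) where dist[n] is the cost of the
    cheapest path from source to n and prev[n] is the node before n on that path."""
    dist = {source: 0}
    prev = {source: None}
    settled = set()
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in settled:
            continue            # stale heap entry: a cheaper path was already settled
        settled.add(u)
        for v, w in graph[u].items():
            cand = d + w
            if cand < dist.get(v, float("inf")):
                dist[v] = cand
                prev[v] = u
                heapq.heappush(heap, (cand, v))
    return dist, prev


def shortest_path(prev, target):
    """Walk the predecessor map back to the source."""
    path = []
    while target is not None:
        path.append(target)
        target = prev[target]
    return path[::-1]


def forwarding_table(graph, source):
    """What the router actually installs: destination -> next hop,
    i.e. the first node after `source` on the shortest path."""
    dist, prev = dijkstra(graph, source)
    return {dest: shortest_path(prev, dest)[1] for dest in dist if dest != source}


# Constructed sample topology (link costs are arbitrary, chosen for this example).
SAMPLE_LINKS = [("u", "v", 2), ("u", "x", 1), ("u", "w", 5), ("v", "x", 2), ("v", "w", 3),
                ("x", "w", 3), ("x", "y", 1), ("w", "y", 1), ("w", "z", 5), ("y", "z", 2)]

if __name__ == "__main__":
    g = undirected_graph(SAMPLE_LINKS)
    print(dijkstra(g, "u")[0])
    print(forwarding_table(g, "u"))
```

Note that the forwarding table keeps only the next hop per destination: from u, every destination except v is reached through x, even though the full paths differ.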

  • Strictly hierarchical routing: routers have no knowledge/visibility outside their own area/domain/zone. When the destination of a packet is not in the area, it is forwarded towards an edge router (limited routing effectiveness). Higher-layer routers have an area/domain/zone-level view. This kind of architecture has sub-optimal paths (because a router inside the domain that wants to communicate with an external one only knows about the edge router) and loss of connectivity due to faults.
  • Loosely hierarchical routing: routers have high-level knowledge of the outside. It grants less scalability, since routers have to store and exchange more information. It does not require strictly hierarchical addressing: not all hosts in domain B need a common identifier, which is possible in IPv4.

2.5 Internet Routing Architecture

Routing protocols are located between layer 4 and layer 3. A routing protocol is a protocol that routers use to exchange information about the network in order to determine the best route to each destination according to routing algorithms. Routing protocols define the metric(s), their encoding in packets, specific timings and configurable parameters. We define a routing domain as a set of routers deploying the same routing protocol and connected to a portion of the network. A router may belong to multiple routing domains if it runs multiple routing protocols. We say that it can redistribute information learned with one protocol through another one (redistribution). If the two domains are in the same administrative domain, the redistribution is done to optimize communication and without any filter; if the two domains are not in the same administrative domain, there will be policies about what to send and how to send it (with the possibility of hiding some information). These policies are defined by the administrator using filters, metric conversion and information source priority. We define an autonomous system (AS) as a set of subnets grouped according to topological and organizational criteria. In general, an ISP can have one or more ASs, which are not shared with other ISPs. A single AS can have one or more routing domains, each with its own routing protocol. Why do we use this kind of architecture?

  • Addressing and routing are tightly coordinated, possibly with multiple internal routing domains;
  • Controlled AS interfacing;
  • Administration: autonomous internal routing choices and negotiated external routing choices (not necessarily the shortest path, but based on policies that reflect agreements among ASs);
  • Scalability: not all information is propagated everywhere.

An AS is identified by a two-byte number assigned by IANA (Internet Assigned Numbers Authority). The private number range (64512-65534) has a controlled routing information exchange. How can two or more ASs communicate with each other? The protocol they use is BGP (Border Gateway Protocol). In particular, when two different ASs have to communicate with each other we call it eBGP (external BGP), whereas when two or more routers of a single AS communicate with each other we call it iBGP (internal BGP). Exterior routing does not necessarily follow the shortest path: it is based on policies that reflect agreements among ASs. The network structure is hierarchical:

  • Tier 1 ISPs (Sprint, AT&T) can reach any network on the Internet without purchasing connectivity; they peer with all other Tier 1 ISPs;
  • Tier 2 ISPs (with regional or national coverage, such as Telecom, Vodafone, etc.) peer with other ISPs and purchase connectivity from Tier 1 ISPs;
  • Tier 3 ISPs do not peer and access the Internet only through lines purchased from other ISPs.

The places where multiple networks exchange traffic with each other are called peering links, IXPs (Internet Exchange Points) or NAPs (Neutral Access Points): meeting points where multiple ISPs can peer together using BGP. Nowadays the structure is no longer so strict, with Tier 3 talking to Tier 2, which talks to Tier 1, which talk among themselves. More and more global content providers (Google, Microsoft) are emerging that build their own distribution networks so as to bypass Tier 1 and regional ISPs, providing connectivity to their services directly.

2.6 Summary of routing protocols

There are mainly two kind of protocols:

  • Interior Gateway Protocol (IGP): intra-domain routing; it distributes topological information and chooses the best route based on that topological information;
  • Exterior Gateway Protocol (EGP): inter-domain routing; it distributes AS information and decides the preferred route based on policies.

2.6.1 IGP

An IGP can be based on DV or LS. Let’s start from DV. There are mainly two protocols:

  • RIP (Routing Information Protocol): the metric used to characterize the cost is the hop count, with no guarantee about the condition of each link. The maximum number of hops is 15, because the transients are still acceptable, and it uses periodic update messages every 30 seconds. With these characteristics, the maximum convergence time is 3 min.
  • IGRP (Interior Gateway Routing Protocol) and then E-IGRP (Enhanced IGRP): similar to RIP, with the difference that it is a proprietary protocol (Cisco). The main advantage of a proprietary protocol is quality: IGRP offers several attractive features (people pay for a proprietary protocol, so it is expected to have many features and high quality compared with an open protocol), like delay, bandwidth, reliability, etc., and it uses multipath routing, that is, it uses more than one metric to decide which is the best path.

Going to link state, there are mainly:

  • OSPF (Open Shortest Path First): a kind of hierarchical routing where routing domains are divided into areas. Mainly there are the edge areas and the backbone area, where the border routers aggregate the information of the edge areas they control. Hierarchical routing helps LS reduce the amount of information to manage and share.
  • Integrated IS-IS: an extension of the OSPF protocol with hierarchical routing with different levels of routers.

3 IPv6

The main reason why IPv6 was created is that the number of available addresses in IPv4 was about to run out. So the number of bits used to identify a host in IPv6 is increased to 128, which makes it possible never to run out of addresses again (we can say that 2^128 possible addresses is a number that is practically close to infinite). The IPv6 notation consists of 8 hexadecimal groups separated by ”:”, for example 1080:0000:0000:0007:0200:A. There are two rules to follow:

  • the first one is that leading 0s in each digit group can be omitted: 1080:0:0:7:200:A00C:3423:A
  • the second one is that all-0s hextets can be replaced by ”::”, but only once: FEDC:0000:0876:45FA:0562:0000:3DAF is transformed into FEDC::0876:45FA:0562:0000:3DAF:BB

The address consists of two parts:

  • the first part is called the prefix and is the substitute for the IPv4 address/netmask pair;
  • the second part is the interface ID, which identifies the device in the network.

These two parts have variable length, but normally the prefix is 64 bits long, so the other part is 64 bits as well, because 2^64 is a huge number that can identify many devices. The address is also written as prefix/N, where N is the prefix length. Let’s consider this address: FEDC:0123:8700::100/40. The complete address consists of the prefix converted into binary ( bits) and the remaining part, made of 0s, identifying the interface ID. There are no address classes. Some terminology:
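As an added illustration (not code from the notes), this Python snippet implements the two shortening rules, their inverse, and the prefix/N split for the FEDC:0123:8700::100/40 address above; the results can be cross-checked against the standard `ipaddress` module. The tie-breaking rule for ”::” (replace the longest run of zero groups, only if it is at least two groups long, first run on ties) follows RFC 5952 and is not stated in the notes.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand(addr):
    """Undo both shortening rules: 8 groups of exactly 4 lowercase hex digits."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one all-0s group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has 8 groups")
    for g in groups:
        if not 1 <= len(g) <= 4 or not all(c in HEX_DIGITS for c in g):
            raise ValueError("bad group: %r" % g)
    return ":".join(g.lower().zfill(4) for g in groups)


def compress(addr):
    """Rule 1: drop leading 0s. Rule 2: replace the longest run of all-0s groups
    with '::' once (runs of 2 or more only, first run wins on ties: RFC 5952)."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len = -1, 1
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_start < 0:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return left + "::" + right


def prefix_bits(cidr):
    """The prefix of prefix/N as a string of N binary digits."""
    addr, n = cidr.split("/")
    bits = "".join(format(int(g, 16), "016b") for g in expand(addr).split(":"))
    return bits[:int(n)]


def split_prefix(cidr):
    """Return (prefix/N with the host bits zeroed, interface ID as an integer)."""
    addr, n = cidr.split("/")
    n = int(n)
    value = int(expand(addr).replace(":", ""), 16)
    mask = ((1 << n) - 1) << (128 - n)
    masked_hex = format(value & mask, "032x")
    prefix = compress(":".join(masked_hex[i:i + 4] for i in range(0, 32, 4)))
    return prefix + "/" + str(n), value & ~mask


if __name__ == "__main__":
    sample = "FEDC:0123:8700::100/40"
    print(expand(sample.split("/")[0]))
    print(prefix_bits(sample), split_prefix(sample))
    print(ipaddress.IPv6Network(sample, strict=False))   # same prefix from the standard library
```

For FEDC:0123:8700::100/40 the prefix is the first 40 bits (FEDC:0123:87), the network is written fedc:123:8700::/40 and the interface ID is the remaining 88 bits, whose value is 0x100.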

  • a subnetwork is a set of hosts with same prefix;
  • a link is a physical network;
  • on-link hosts have the same prefix, direct communication;
  • off-link hosts have different prefix, communication through a router.

3.1 IPv6 address space

IPv6, the next-generation Internet Protocol, offers a significantly larger address space than IPv4. This expanded address space allows for various addressing types: unicast, multicast and anycast addresses. Each serves a different purpose in IPv6 networks.

3.1.1 Multicast addresses

Multicast addresses in IPv6 are used for one-to-many or many-to-many communication. They allow a sender to send a packet to a group of recipients simultaneously. Multicast addresses begin with the prefix FF00::/8; the remaining bits identify the multicast group. A packet sent to a multicast group always has a unicast source address: a multicast address can never be a source address. Unlike IPv4, there is no broadcast address in IPv6. Instead, IPv6 uses multicast, including an all-IPv6-devices well-known multicast address and a solicited-node multicast address. There are various predefined multicast addresses for specific purposes, such as the all-nodes, all-routers and solicited-node addresses. Multicast addresses are further divided into:

  • well-known multicast (FF00::/12): predefined or reserved multicast addresses for assigned groups of devices (e.g., routers);
  • transient (FF10::/12): dynamically assigned by multicast applications; transient addresses are the normal multicast addresses (used with the same rules as in IPv4);
  • solicited-node multicast (FF02:0:0:0:0:1:FF00::/104): similar to the IP broadcast address used by ARP; it is used with the protocol that replaces ARP in IPv6.

The most general IPv6 multicast address is structured as follows:

  • the prefix is FF00::/8;
  • the flags field can take multiple values, based on the value of the flag bits;
  • the scope indicates where the address is valid and unique;
  • the group ID.

3.1.2 Unicast addresses

A unicast address uniquely identifies an interface on an IPv6 device. A packet sent to a unicast address is received by the interface assigned that address. As in IPv4, a source IPv6 address must be a unicast address. Remember that IPv6 does not include a broadcast address, because broadcast is not supported for security reasons. In IPv4 there are 2 kinds of unicast addresses, public and private.

There are many kinds of unicast addresses. The first ones we are going to discuss are the global unicast addresses, also known as aggregatable global unicast addresses. They are globally routable and reachable, and they are the equivalent of IPv4 public addresses. The generic structure of a GUA has three fields:

  • The Global Routing Prefix is the prefix or network portion of the address, assigned by the provider (such as an ISP) to the customer site.

source address to indicate the absence of an address. It cannot be assigned to an interface. It is used in duplicate address detection in ICMPv6.

3.1.3 Anycast Addresses

Anycast addresses are not present in IPv4; it is a multi-to-multi form of communication. An anycast address can be assigned to more than one interface (typically on different devices), so multiple devices can have the same anycast address. It is supported by IPv6 but used only by some specific companies with specific QoS communication needs.

3.2 Packet header format

During the transition from IPv4 to IPv6 the header was changed: it now has a fixed length of 40 bytes, and some fields have been removed or added. The ones removed are:

  • the Header Checksum, which is redundant because both the layer 2 data link technologies perform their own checksum and error control, and upper-layer protocols such as TCP and UDP have their own checksums (note that in IPv6 the UDP checksum becomes mandatory);
  • the fragmentation fields, because IPv6 routers do not fragment a packet unless they are the source of the packet (packets larger than the MTU are dropped and an ICMPv6 Packet Too Big message is returned to the source).

An important field in the IPv6 header is the Next Header, similar to the IPv4 “Protocol” field. It specifies the protocol carried in the data portion of the IPv6 packet. It is possible to add further “Next Header” fields in header extensions to allow chaining. Protocols are coded using the same values as IPv4 (0: Hop-by-Hop option, 6: TCP, 17: UDP, 43: Routing extension, 44: Fragment header, 50: Encapsulating Security Payload, 51: Authentication, 60: Destination option, ..., 59: no next header). If I need to guarantee something else (for example related to security), it is possible to keep the header at the minimum size and add extra pieces, creating a cascade of IP headers extending the original one. With the next header you can identify the next service you are going to find. The extension header format has the next header, the length and the extension data, both for the header and for the data (different for every kind of service offered). If a device cannot use a specific service, it can skip that part of the packet by looking at the next header and length fields. There is no limit on the number of concatenated headers, but the chain of headers has to be put in a specific order, because some services influence the rest of the packet in order to guarantee the integrity of the data (if I use the encryption extension, I cannot put it in the first block of the chain, because I would encrypt all the others and the following services would not be able to read the next blocks). Some significant next headers are:

  • Hop-by-Hop Extension Header: used to carry optional information that should be examined by every router along the path of the packet. Each option contains a set of Option Type, Option Length and Option Value fields (TLV triplets). If present, it immediately follows the IPv6 header. As we said before, the extension has the fields next header, length, option type, option length and option data (extension both for header and data).
  • Routing Extension Header: allows the source of the packet to specify the path to the destination; it has a list of one or more intermediate routers and it carries information about the source routing.
  • Fragment Extension Header: used when the source needs to divide the packet into fragments, each with its own main IPv6 header and a Fragment extension header. Unlike in IPv4, an IPv6 router does not fragment a packet unless it is the source of the packet.
  • Authentication and Encapsulating Security Payload Extension Headers: used by IPsec, a suite of protocols for securing the delivery of packets in IP networks. The Authentication Header (AH) guarantees the authenticity and integrity of a packet, while the Encapsulating Security Payload (ESP) provides authentication, integrity and encryption.
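An added example, not from the notes: a small parser that walks the Next Header chain of a constructed IPv6 packet (hop-by-hop, routing and fragment headers in front of a dummy TCP segment) and checks that the extension headers appear in the order recommended by RFC 8200. The per-header length rules and the recommended order come from RFC 8200; the packet bytes are constructed for the example (addresses from the 2001:db8::/32 documentation range); and ESP is treated as the end of what an intermediate device can read, as the text explains.

```python
import struct

NEXT_HEADER_NAMES = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 43: "Routing",
                     44: "Fragment", 50: "ESP", 51: "AH", 59: "No Next Header",
                     60: "Destination Options"}
# The walk stops at an upper-layer protocol, at "no next header", or at ESP
# (whatever follows ESP is encrypted and cannot be parsed by an intermediate device).
TERMINAL = {6, 17, 59, 50}
UPPER_LAYER = {6, 17, 59}
# Recommended order of extension headers (RFC 8200, section 4.1).
RECOMMENDED_ORDER = [0, 60, 43, 44, 51, 50, 60]


def ipv6_header(payload, next_header, hop_limit=64):
    """40-byte fixed header: version/TC/flow label, payload length, next header, hop limit, src, dst."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit) + src + dst + payload


def extension_length(code, packet, offset):
    """Byte length of the extension header starting at `offset` (RFC 8200 rules)."""
    if code in (0, 43, 60):          # Hdr Ext Len in 8-octet units, not counting the first 8
        return (packet[offset + 1] + 1) * 8
    if code == 44:                   # Fragment header is always 8 bytes
        return 8
    if code == 51:                   # AH: Payload Len in 4-octet units, minus 2
        return (packet[offset + 1] + 2) * 4
    raise ValueError("unsupported next header %d" % code)


def walk_extension_chain(packet):
    """Follow the Next Header chain. Returns [(code, name, offset, length), ...]
    ending with the upper-layer protocol (or ESP / No Next Header)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    end = 40 + payload_len
    if end > len(packet):
        raise ValueError("payload length exceeds packet")
    code, offset, chain = packet[6], 40, []
    while code not in TERMINAL:
        if offset + 8 > end:
            raise ValueError("truncated extension header at offset %d" % offset)
        length = extension_length(code, packet, offset)
        if offset + length > end:
            raise ValueError("extension header overruns payload")
        chain.append((code, NEXT_HEADER_NAMES.get(code, "?"), offset, length))
        code, offset = packet[offset], offset + length   # first byte of every extension is Next Header
    chain.append((code, NEXT_HEADER_NAMES.get(code, "?"), offset, end - offset))
    return chain


def extension_codes(packet):
    """Only the extension header codes of the chain (ESP included, upper layers excluded)."""
    return [code for code, _, _, _ in walk_extension_chain(packet) if code not in UPPER_LAYER]


def in_recommended_order(codes):
    """True if the codes appear as a subsequence of RECOMMENDED_ORDER."""
    pos = 0
    for c in codes:
        while pos < len(RECOMMENDED_ORDER) and RECOMMENDED_ORDER[pos] != c:
            pos += 1
        if pos == len(RECOMMENDED_ORDER):
            return False
        pos += 1
    return True


def build_sample_packet():
    """Constructed packet: IPv6 | Hop-by-Hop | Routing | Fragment | TCP (20 dummy bytes)."""
    tcp = bytes(20)
    fragment = struct.pack("!BBHI", 6, 0, 0, 0x1234)               # NH=TCP, reserved, offset/M, id
    routing = struct.pack("!BBBB", 44, 0, 0, 0) + bytes(4)         # NH=Fragment, len 0, type 0, segs left 0
    hop_by_hop = struct.pack("!BB", 43, 0) + bytes([1, 4, 0, 0, 0, 0])  # NH=Routing, len 0, PadN(4)
    return ipv6_header(hop_by_hop + routing + fragment + tcp, 0)      # fixed header Next Header = 0


if __name__ == "__main__":
    pkt = build_sample_packet()
    for entry in walk_extension_chain(pkt):
        print(entry)
    print("recommended order:", in_recommended_order(extension_codes(pkt)))
```

The walker never reads past the declared payload length, which is the check a filtering device needs before trusting a Hdr Ext Len value taken from the packet itself.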

3.3 Interfacing with lower level

IPv6 packets are encapsulated in layer-2 frames. How is the destination MAC address set when an IPv6 packet is encapsulated?

  • for an IP unicast address, through procedural (protocol-based) discovery, i.e. Neighbor Discovery;
  • for an IP multicast address, through algorithmic mapping.

3.3.1 IPv6 multicast transmission

Which MAC address is used to send the packet? Instead of using ARP (which is no longer used in IPv6), the MAC address is obtained as follows: starting from the IPv6 address, you get the IP multicast address that you use to build the MAC address. How? 33-33-xx-xx-xx-xx is the reserved Ethernet MAC address range for carrying IPv6 multicast packets (RFC 7042), and the lower 32 bits of the MAC address (xx-xx-xx-xx) are copied from the lower 32 bits of the IPv6 multicast address.

Starting from this point, we can explain why broadcast no longer exists in IPv6 and has been replaced by multicast. In a subnet several hosts may share the same final 32 bits of the IP multicast address, so I can send packets to a limited group of hosts (instead of sending them to all the hosts of the network). If you know the destination IP address, you can modify the MAC address of an interface in order to receive the packet (an attacker can do this). That is one of the reasons why multicast is safer than broadcast, which is no longer used. Then, since multicast is more efficient in terms of resource usage, it conserves network resources and reduces the potential for misuse or abuse of those resources. Broadcast traffic can be exploited by attackers to send unwanted or malicious data to all devices, whereas multicast traffic is more controlled. Multicast allows a sender to send data to a specific group of receivers that have expressed an interest in receiving it, rather than to all devices on the network, which is what broadcast does. This selective communication reduces unnecessary traffic and the security risks associated with broadcasting data to all devices. Broadcast traffic can flood the entire network, consuming bandwidth and resources and potentially causing congestion and performance issues. In contrast, multicast traffic is limited to the specific group of devices that have joined the multicast group, which minimizes the impact on the overall network.
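The following helper code is an added example, not part of the notes, serving both section 3.1.1 and this section: it splits a multicast address into flags, scope and group ID, derives the solicited-node address from a unicast address, performs the 33-33 MAC mapping from RFC 7042, and shows why a host must still filter at layer 3: two different groups whose low 32 bits coincide map to the same MAC address, so the network interface alone cannot tell them apart. The `nic_accepts`/`layer3_accepts` functions and the sample addresses (documentation prefix 2001:db8::/32) are this example's own; the scope names come from RFC 4291.

```python
import ipaddress

# Values of the 4-bit scope field (RFC 4291).
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def _multicast_int(addr):
    v = int(ipaddress.IPv6Address(addr))
    if v >> 120 != 0xFF:
        raise ValueError(addr + " is not an FF00::/8 multicast address")
    return v


def parse_multicast(addr):
    """Split an FF00::/8 address into flags, scope and group ID (the structure of section 3.1.1)."""
    v = _multicast_int(addr)
    flags = (v >> 116) & 0xF
    scope = (v >> 112) & 0xF
    return {
        "flags": flags,
        "transient": bool(flags & 0x1),   # T bit: 0 = well-known, 1 = transient
        "scope": SCOPES.get(scope, "reserved(%x)" % scope),
        "group_id": v & ((1 << 112) - 1),
    }


def solicited_node(unicast):
    """FF02:0:0:0:0:1:FFxx:xxxx with the low 24 bits copied from the unicast address."""
    v = int(ipaddress.IPv6Address(unicast))
    group = (0xFF02 << 112) | (1 << 32) | (0xFF << 24) | (v & 0xFFFFFF)
    return str(ipaddress.IPv6Address(group))


def multicast_mac(addr):
    """33-33-xx-xx-xx-xx: the low 32 bits of the IPv6 multicast address (RFC 7042)."""
    low32 = _multicast_int(addr) & 0xFFFFFFFF
    return "33:33:" + ":".join("%02x" % ((low32 >> s) & 0xFF) for s in (24, 16, 8, 0))


def nic_accepts(frame_dst_mac, joined_groups):
    """Layer-2 filter of a host that joined `joined_groups`: the NIC only compares the
    destination MAC, so a frame for a different group with the same low 32 bits
    also gets through and must be dropped at layer 3."""
    return frame_dst_mac in {multicast_mac(g) for g in joined_groups}


def layer3_accepts(packet_dst, joined_groups):
    """Kernel-level filter: the full 128-bit destination must match a joined group."""
    return ipaddress.IPv6Address(packet_dst) in {ipaddress.IPv6Address(g) for g in joined_groups}


if __name__ == "__main__":
    host = "2001:db8::1234:5678:9abc"          # constructed sample address
    sn = solicited_node(host)
    joined = ["ff02::1", sn]
    print(sn, multicast_mac(sn), parse_multicast(sn))
    other = "ff05::1:ff78:9abc"                # different group, same low 32 bits
    print(nic_accepts(multicast_mac(other), joined), layer3_accepts(other, joined))
```

For the sample host the solicited-node address is ff02::1:ff78:9abc and the frame goes to 33:33:ff:78:9a:bc; a packet to ff05::1:ff78:9abc passes the NIC filter (same MAC) but is rejected by the layer 3 comparison, which is exactly the two-stage filtering the notes describe.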