1. Field of the Invention
The present invention relates to computer networking, and particularly to an authentication method for stateless address allocation in IPv6 networks.
2. Description of the Related Art
The idea of Internet Protocols was conceived in the mid-1970s at the Defense Advanced Research Projects Agency (DARPA) when there was a need for building a packet-switched network that would enable communication between dissimilar computer systems at research institutions. The Internet Protocol version 4 (IPv4), which had hitherto served as the core of the present Internet, was specified in RFC 791 and mainly functions to provide connectionless, best-effort delivery of datagrams through an Internetwork. It also provides fragmentation and reassembly of datagrams to support data links having different maximum transmission unit (MTU) sizes. The IPv4 is based on a 32-bit address format and associated packet structure.
Specified in the RFC 2460 and designed to address shortcomings in IPv4, the Internet Protocol version 6 (IPv6), the so-called “the next-generation Internet protocol,” provides a more flexible and powerful framework upon which next generation network applications and services would be deployed. One of the main drivers for designing the new protocol was the shrinking of address space in IPv4, which was designed in the early 80's and had laid the foundation for the Internet. However, the IPv4 protocol was based on 32 bits and could only provide 232 (or 4.3 billion) IP addresses, which is projected to be used up by Internet hosts in the next few years. While IP address conservation techniques, such as Network address translation (NAT) and Classless Inter-domain Routing (CIDR), have served the Internet community in prolonging the time when the whole address space would be fully consumed, analysts have argued that NAT operation is antithetical to the end-to-end principle of data transfer in the Internet. In addition, the NAT's philosophy does not encourage the proliferation of applications (such as P2P) that require that communication nodes are fully transparent to one another.
Some of the enhancements in the IPv6 over IPv4 are increased address space, mandatory security, and provision of stateless auto-configuration, a technique by which a new node forms its own address without the assistance of a DHCP server or manual configuration by a network administrator. Stateless address auto-configuration (SLAAC) works by the following sequence: (i) a node forms a link-local address; (ii) the node ascertains the uniqueness of its link-local address by performing duplicate address detection (DAD) check; (iii) the node obtains a network-prefix value from the neighboring routers; and (iv) the node forms its global-site local address from the network-prefix information obtained from router advertisements.
The node generates its link-local address by concatenating its link-local prefix FE80/64 bits with its 64-bits interface ID. The 64-bit interface ID is generated from the node's 48-bit MAC address by inserting a 16-bit ‘FF-FE’ string between the third byte and the fourth byte and then setting the uniqueness bit (the uniqueness bit is the second bit of the leftmost octet, and it identifies the distinctiveness of the MAC address—it is typically set to 1 if the MAC address is unique). For instance, an IPv6 node with a MAC address 00-12-6B-3A-9E-9A would create a temporary link-local address by inserting FF-FE in the middle of the 48-bit MAC address and setting the uniqueness bit to give an interface ID of 0212:6 BFF:FE3A:9E9A, and then concatenating the link-local prefix with the interface ID, which results in a link-local address of FE80::0212:6 BFF:FE3A:9E9A. In order to confirm that the assigned link-local address is unique, and hence the usability of the address on the local link, the node undergoes a duplicate address detection process by sending a message to the corresponding solicited-node multicast address. This solicited-node multicast address is formed by concatenating a fixed leftmost of 104 bits with 24 bits that is taken from the rightmost part of the link-local address.
Thus, the solicited-node multicast address for FE80::0212:6 BFF:FE3A:9E9A is FF02::1:FF3A:9E9A. If there is a neighbor advertisement (NA) response to this neighbor solicitation message, this indicates that the link-local address is already in use by another node and cannot be used by the soliciting node. Duplicate addresses should not be experienced very often during the auto-configuration process, since the interface identifier, which forms part of the address, is obtained from a unique MAC address. However, if the IPv6 node does not get a neighbor advertisement message in response to its neighbor solicitation message, it proceeds to obtain network-prefix information by sending a router solicitation (RS) message to all the routers on its link on the destination multicast address FF02::2. The router advertisement (RA) containing the network prefix is sent by the routers (for example, with a prefix 3FFE:A00:1::164 in the source address) to the all-nodes multicast FF02::1 (all-nodes multicast address). Thus, the new node can form its globally-unique address by appending the network-prefix information to its interface identifier. The globally-unique address can be used by the node to communicate on the Internet.
While the aforementioned stateless address auto-configuration (SLAAC) approach allows instant plugging in of a node, guarantees immediate communication with other nodes, and eliminates the costs of procuring and maintaining DHCP servers, it opens up ways for malicious nodes in the network to disallow many upcoming nodes from initializing their network interfaces, a form of denial of service. Other security implications include the potential for duplicate address detection attack, Man-in-the-middle attack, Sniffing, bogus-on-link prefix attack, and parameter spoofing attack.
Thus, an authentication method for stateless address allocation in IPv6 networks solving the aforementioned problems is desired.