IPv6: IPng, short for Internet Protocol next generation, is a new version of the Internet Protocol (IP)
currently being reviewed in IETF standards committees. The official name of IPng is IPv6, where the v6
stands for version 6. The current version of IP is version 4, so it is sometimes referred to as IPv4.

IPv6 Features

The following are the features of the IPv6 protocol:

New header format
Large address space
Efficient and hierarchical addressing and routing infrastructure
Stateless and stateful address configuration
Built-in security
Better support for QoS
New protocol for neighboring node interaction
Extensibility

The following sections discuss each of these new features in detail.

New Header Format

The IPv6 header has a new format that is designed to keep header overhead to a minimum. This is achieved by moving
both non-essential fields and optional fields to extension headers that are placed after the IPv6 header. The streamlined
IPv6 header is more efficiently processed at intermediate routers.

IPv4 headers and IPv6 headers are not interoperable. IPv6 is not a superset of functionality that is backward compatible
with IPv4. A host or router must use an implementation of both IPv4 and IPv6 in order to recognize and process both
header formats. The new IPv6 header is only twice as large as the IPv4 header, even though IPv6 addresses are four
times as large as IPv4 addresses.

Large Address Space

IPv6 has 128-bit (16-byte) source and destination IP addresses. Although 128 bits can express over 3.4 × 10^38 possible
combinations, the large address space of IPv6 has been designed to allow for multiple levels of subnetting and address
allocation from the Internet backbone to the individual subnets within an organization.

Even though only a small number of the possible addresses are currently allocated for use by hosts, there are plenty of
addresses available for future use. With a much larger number of available addresses, address-conservation techniques,
such as the deployment of NATs, are no longer necessary.

Efficient and Hierarchical Addressing and Routing Infrastructure

IPv6 global addresses used on the IPv6 portion of the Internet are designed to create an efficient, hierarchical, and
summarizable routing infrastructure that is based on the common occurrence of multiple levels of Internet service
providers. On the IPv6 Internet, backbone routers have much smaller routing tables, corresponding to the routing
infrastructure of global ISPs. For more information, see "Aggregatable Global Unicast Addresses."

Stateless and Stateful Address Configuration

To simplify host configuration, IPv6 supports both stateful address configuration, such as address configuration in the
presence of a DHCP server, and stateless address configuration (address configuration in the absence of a DHCP server).
With stateless address configuration, hosts on a link automatically configure themselves with IPv6 addresses for the link
(called link-local addresses) and with addresses derived from prefixes advertised by local routers. Even in the absence of
a router, hosts on the same link can automatically configure themselves with link-local addresses and communicate
without manual configuration.

Built-In Security

Support for IPsec is an IPv6 protocol suite requirement. This requirement provides a standards-based solution for
network security needs and promotes interoperability between different IPv6 implementations.

Better Support for QoS

New fields in the IPv6 header define how traffic is handled and identified. Traffic identification using a Flow Label field in
the IPv6 header allows routers to identify and provide special handling for packets belonging to a flow, a series of packets
between a source and destination. Because the traffic is identified in the IPv6 header, support for QoS can be achieved
even when the packet payload is encrypted through IPsec.

New Protocol for Neighboring Node Interaction

The Neighbor Discovery protocol for IPv6 is a series of Internet Control Message Protocol for IPv6 (ICMPv6) messages
that manage the interaction of neighboring nodes (nodes on the same link). Neighbor Discovery replaces the broadcast-
based Address Resolution Protocol (ARP), ICMPv4 Router Discovery, and ICMPv4 Redirect messages with efficient
multicast and unicast Neighbor Discovery messages.

Extensibility

IPv6 can easily be extended for new features by adding extension headers after the IPv6 header. Unlike options in the
IPv4 header, which can only support 40 bytes of options, the size of IPv6 extension headers is only constrained by the
size of the IPv6 packet.

Types of IPv6 Addresses

There are three types of IPv6 addresses:

1. Unicast

A unicast address identifies a single interface within the scope of the type of unicast address. With the
appropriate unicast routing topology, packets addressed to a unicast address are delivered to a single interface.
To accommodate load-balancing systems, RFC 2373 allows for multiple interfaces to use the same address as
long as they appear as a single interface to the IPv6 implementation on the host.

2. Multicast

A multicast address identifies multiple interfaces. With the appropriate multicast routing topology, packets
addressed to a multicast address are delivered to all interfaces that are identified by the address.

3. Anycast

An anycast address identifies multiple interfaces. With the appropriate routing topology, packets addressed to an
anycast address are delivered to a single interface, the nearest interface that is identified by the address. The
nearest interface is defined as being closest in terms of routing distance. A multicast address is used for one-to-
many communication, with delivery to multiple interfaces. An anycast address is used for one-to-one-of-many
communication, with delivery to a single interface.

In all cases, IPv6 addresses identify interfaces, not nodes. A node is identified by any unicast address assigned
to one of its interfaces.

RFC 2373 does not define a broadcast address. All types of IPv4 broadcast addressing are performed in IPv6
using multicast addresses. For example, the subnet and limited broadcast addresses from IPv4 are replaced with
the link-local scope all-nodes multicast address of FF02::1.

Links and Subnets

Similar to IPv4, an IPv6 subnet prefix (subnet ID) is assigned to a single link. Multiple subnet IDs can be assigned to the
same link. This technique is called multinetting.

Special IPv6 Addresses

The following are special IPv6 addresses:

Unspecified address

The unspecified address (0:0:0:0:0:0:0:0 or ::) is only used to indicate the absence of an address. It is equivalent to the
IPv4 unspecified address of 0.0.0.0. The unspecified address is typically used as a source address for packets attempting
to verify the uniqueness of a tentative address. The unspecified address is never assigned to an interface or used as a
destination address.

Loopback address

The loopback address (0:0:0:0:0:0:0:1 or ::1) is used to identify a loopback interface, enabling a node to send packets
to itself. It is equivalent to the IPv4 loopback address of 127.0.0.1. Packets addressed to the loopback address must
never be sent on a link or forwarded by an IPv6 router.

IPv6 and DNS

Enhancements to the Domain Name System (DNS) for IPv6 are described in RFC 1886 and consist of the following new
elements:

Host address (AAAA) resource record

IP6.INT domain for reverse queries

The Host Address (AAAA) Resource Record

A new DNS resource record type, AAAA (called "quad A"), is used for resolving a fully qualified domain name to an IPv6
address. It is comparable to the host address (A) resource record used with IPv4. The resource record type is named
AAAA (Type value of 28) because 128-bit IPv6 addresses are four times as large as 32-bit IPv4 addresses. The following
is an example of a AAAA resource record:

host1.microsoft.com IN AAAA FEC0::2AA:FF:FE3F:2A1C

A host must specify either a AAAA query or a general query for a specific host name in order to receive IPv6 address
resolution data in the DNS query answer sections.

The IP6.INT Domain

The IP6.INT domain has been created for IPv6 reverse queries. Also called pointer queries, reverse queries determine a
host name based on the IP address. To create the namespace for reverse queries, each hexadecimal digit in the fully
expressed 32-digit IPv6 address becomes a separate level in inverse order in the reverse domain hierarchy.

For example, the reverse lookup domain name for the address FEC0::2AA:FF:FE3F:2A1C (fully expressed as
FEC0:0000:0000:0000:02AA:00FF:FE3F:2A1C) is:

C.1.A.2.F.3.E.F.F.F.0.0.A.A.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.C.E.F.IP6.INT.

The DNS support described in RFC 1886 represents a simple way to both map host names to IPv6 addresses and provide
reverse name

IPv6 packet format

The structure of an IPv6 packet header (figure).

The IPv6 packet is composed of two main parts: the header and the payload.

The header is in the first 40 octets (320 bits) of the packet and contains:

Version - version 6 (4-bit IP version).
Traffic class - packet priority (8 bits). Priority values are divided into ranges: traffic where the source
provides congestion control and non-congestion control traffic.
Flow label - QoS management (20 bits). Originally created for giving real-time applications special
service, but currently unused.
Payload length - payload length in bytes (16 bits). When set to zero, the packet carries a "Jumbo
payload" option in a hop-by-hop extension header.
Next header - specifies the next encapsulated protocol. The values are compatible with those
specified for the IPv4 protocol field (8 bits).
Hop limit - replaces the time to live field of IPv4 (8 bits).
Source and destination addresses - 128 bits each.

The payload can be up to 64 KiB in size in standard mode, or larger with a "jumbo payload" option.

Fragmentation is handled only in the sending host in IPv6: routers never fragment a packet, and hosts are
expected to use PMTU discovery.

The protocol field of IPv4 is replaced with a Next Header field. This field usually specifies the transport
layer protocol used by a packet's payload.
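As an added example (not code from the original notes), the following parses and builds the fixed 40-octet header using the field widths listed above, and applies the Payload Length 0 / Hop-by-Hop rule for a jumbo payload. The sample packet, the field names and the small Next Header table are constructed here for illustration.

```python
# Added example (not from the original notes): parse and build the fixed
# 40-octet IPv6 header, using the field widths given in the text.
import ipaddress
import struct
from dataclasses import dataclass

HEADER_LEN = 40              # fixed header: 320 bits
NEXT_HEADER_HOP_BY_HOP = 0   # a Jumbo Payload option lives in this extension header
# Constructed lookup of a few common Next Header values (same numbering as the IPv4 protocol field).
NEXT_HEADER_NAMES = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 44: "Fragment", 58: "ICMPv6"}


@dataclass
class IPv6Header:
    version: int
    traffic_class: int
    flow_label: int
    payload_length: int
    next_header: int
    hop_limit: int
    src: str
    dst: str


def parse_ipv6_header(packet: bytes) -> IPv6Header:
    """Decode the first 40 octets. The first 32-bit word holds
    version (4 bits) | traffic class (8 bits) | flow label (20 bits)."""
    if len(packet) < HEADER_LEN:
        raise ValueError(f"truncated: need {HEADER_LEN} octets, got {len(packet)}")
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 header: version field is {version}")
    return IPv6Header(
        version=version,
        traffic_class=(first_word >> 20) & 0xFF,
        flow_label=first_word & 0xFFFFF,
        payload_length=payload_length,
        next_header=next_header,
        hop_limit=hop_limit,
        src=str(ipaddress.IPv6Address(packet[8:24])),
        dst=str(ipaddress.IPv6Address(packet[24:40])),
    )


def build_ipv6_header(src: str, dst: str, payload_length: int, next_header: int,
                      hop_limit: int = 64, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Encode a header; the inverse of parse_ipv6_header."""
    if not 0 <= flow_label <= 0xFFFFF or not 0 <= traffic_class <= 0xFF:
        raise ValueError("flow label is 20 bits, traffic class is 8 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_length, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def is_jumbo_payload(header: IPv6Header) -> bool:
    """Payload Length 0 with a Hop-by-Hop header next signals a Jumbo Payload option."""
    return header.payload_length == 0 and header.next_header == NEXT_HEADER_HOP_BY_HOP


def next_header_name(header: IPv6Header) -> str:
    return NEXT_HEADER_NAMES.get(header.next_header, f"protocol {header.next_header}")


# Constructed sample: an ICMPv6 (58) packet from a link-local source to the
# all-nodes multicast address FF02::1, hop limit 255, 8 octets of payload.
SAMPLE_PACKET = build_ipv6_header("fe80::1", "ff02::1", payload_length=8,
                                  next_header=58, hop_limit=255) + bytes(8)

if __name__ == "__main__":
    print(parse_ipv6_header(SAMPLE_PACKET))
```

The version check matters when the same parser is fed mixed traffic: an IPv4 packet starts with 0x45, which decodes as version 4 and is rejected rather than misread as an IPv6 header.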

Addressing

128-bit length: The primary change from IPv4 to IPv6 is the length of network addresses. IPv6 addresses
are 128 bits long, whereas IPv4 addresses are 32 bits; where the IPv4 address space contains roughly 4 billion
addresses, IPv6 has enough room for 3.4 × 10^38 unique addresses.

IPv6 addresses are typically composed of two logical parts: a 64-bit (sub-)network prefix and a 64-bit host
part, which is either automatically generated from the interface's MAC address or assigned sequentially.

Notation: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each
group is separated by a colon (:). For example, 2001:0db8:85a3:08d3:1319:8a2e:0370:7334 is a valid IPv6
address.

If one or more four-digit group(s) is 0000, the zeros may be omitted and replaced with two colons (::). For
example, 2001:0db8:0000:0000:0000:0000:1428:57ab can be shortened to 2001:0db8::1428:57ab.

Thus, the addresses below are all valid and equivalent:

2001:0db8:0000:0000:0000:0000:1428:57ab
2001:0db8:0000:0000:0000::1428:57ab
2001:0db8:0:0:0:0:1428:57ab
2001:0db8:0:0::1428:57ab
2001:0db8::1428:57ab
2001:db8::1428:57ab
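The following added example (not from the original notes) implements the two text rules just described, expansion to the fully expressed 32-digit form and "::" compression, and reuses the expanded form to build the IP6.INT reverse-lookup name from the earlier DNS section. The function names, the sample address list and the default zone argument are choices made here; the cross-check against Python's ipaddress module is there to confirm the hand-written forms.

```python
# Added example (not from the original notes): IPv6 text handling by hand.
# Shows the fully expressed 32-digit form, RFC 5952-style compression of
# zero groups with "::", and the reverse-lookup name built from the hex digits.
import ipaddress


def _parse_group(group: str) -> int:
    """One 1-4 digit hexadecimal group between colons."""
    if not 1 <= len(group) <= 4 or any(c not in "0123456789abcdefABCDEF" for c in group):
        raise ValueError(f"bad address group: {group!r}")
    return int(group, 16)


def expand(addr: str) -> list[int]:
    """Return the eight 16-bit groups of an IPv6 address, resolving at most one '::'."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = [_parse_group(g) for g in head.split(":")] if head else []
        tail_groups = [_parse_group(g) for g in tail.split(":")] if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + [0] * missing + tail_groups
    else:
        groups = [_parse_group(g) for g in addr.split(":")]
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    return groups


def full_form(addr: str) -> str:
    """Fully expressed form: eight groups, each padded to four hex digits."""
    return ":".join(f"{g:04x}" for g in expand(addr))


def compress(addr: str) -> str:
    """RFC 5952 text form: lowercase, no leading zeros, and the longest run of
    two or more zero groups (the first one on a tie) replaced by '::'."""
    groups = expand(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def reverse_name(addr: str, zone: str = "IP6.INT") -> str:
    """Reverse-lookup owner name: every hex digit of the full form becomes one
    label, in inverse order, under the reverse zone (IP6.INT in RFC 1886)."""
    digits = full_form(addr).replace(":", "").upper()
    return ".".join(reversed(digits)) + "." + zone + "."


def stdlib_check(addr: str) -> bool:
    """Cross-check the hand-written forms against Python's ipaddress module."""
    ref = ipaddress.IPv6Address(addr)
    return (full_form(addr) == ref.exploded
            and compress(addr) == ref.compressed
            and reverse_name(addr, "ip6.arpa").lower().rstrip(".") == ref.reverse_pointer)


# Constructed sample: the equivalent spellings of one address from the notes.
EQUIVALENT_FORMS = [
    "2001:0db8:0000:0000:0000:0000:1428:57ab",
    "2001:0db8:0000:0000:0000::1428:57ab",
    "2001:0db8:0:0:0:0:1428:57ab",
    "2001:0db8:0:0::1428:57ab",
    "2001:0db8::1428:57ab",
    "2001:db8::1428:57ab",
]


def all_equivalent(forms: list[str]) -> bool:
    """True when every spelling expands to the same eight groups."""
    return len({tuple(expand(f)) for f in forms}) == 1


if __name__ == "__main__":
    for form in EQUIVALENT_FORMS:
        print(f"{form:42} -> {full_form(form)}  ({compress(form)})")
    print(reverse_name("FEC0::2AA:FF:FE3F:2A1C"))
```

Comparing addresses by their expanded groups rather than as strings is the point of `all_equivalent`: an access-control list or log filter that compares IPv6 addresses textually will treat the six spellings above as six different hosts.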

Network notation:

IPv6 networks are written using CIDR notation.

An IPv6 network (or subnet) is a contiguous group of IPv6 addresses the size of which must be a power of
two; the initial bits of addresses, which are identical for all hosts in the network, are called the network's
prefix.

A network is denoted by the first address in the network and the size in bits of the prefix (in decimal),
separated with a slash. For example, 2001:0db8:1234::/48 stands for the network with addresses
2001:0db8:1234:0000:0000:0000:0000:0000 through 2001:0db8:1234:ffff:ffff:ffff:ffff:ffff.

Because a single host can be seen as a network with a 128-bit prefix, host addresses are sometimes followed
with /128.
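An added example (not from the original notes) that does the prefix arithmetic behind CIDR notation with explicit 128-bit masks, so the first and last addresses of 2001:0db8:1234::/48, prefix membership, and the /128 host case are computed rather than looked up. Function names are chosen here; ipaddress is used only to convert between text and integers.

```python
# Added example (not from the original notes): IPv6 prefix arithmetic with
# integer masks, making the first/last address relation of the text visible.
import ipaddress

BITS = 128
ALL_ONES = (1 << BITS) - 1


def parse_prefix(network: str) -> tuple[int, int]:
    """Split 'addr/len' into (address as int, prefix length); a bare address is /128."""
    addr_text, _, len_text = network.partition("/")
    length = int(len_text) if len_text else BITS
    if not 0 <= length <= BITS:
        raise ValueError(f"prefix length must be 0..128, got {length}")
    return int(ipaddress.IPv6Address(addr_text)), length


def prefix_mask(length: int) -> int:
    """`length` leading one-bits followed by zeros, as a 128-bit integer."""
    return (ALL_ONES << (BITS - length)) & ALL_ONES


def prefix_range(network: str) -> tuple[str, str]:
    """First and last address covered by the prefix, in compressed text form."""
    addr, length = parse_prefix(network)
    mask = prefix_mask(length)
    first = addr & mask
    last = first | (~mask & ALL_ONES)
    return str(ipaddress.IPv6Address(first)), str(ipaddress.IPv6Address(last))


def contains(network: str, address: str) -> bool:
    """True when `address` shares the network's first `length` bits."""
    addr, length = parse_prefix(network)
    mask = prefix_mask(length)
    return (int(ipaddress.IPv6Address(address)) & mask) == (addr & mask)


def is_canonical(network: str) -> bool:
    """A prefix is written canonically when no host bits are set in its address part
    (e.g. 2001:db8:1234::1/48 names the same network as 2001:db8:1234::/48 but is not canonical)."""
    addr, length = parse_prefix(network)
    return (addr & ~prefix_mask(length) & ALL_ONES) == 0


def address_count(length: int) -> int:
    """Number of addresses in a prefix: always a power of two."""
    return 1 << (BITS - length)


if __name__ == "__main__":
    print(prefix_range("2001:0db8:1234::/48"))
    print(prefix_range("2001:db8::1/128"))
    print(contains("2001:0db8:1234::/48", "2001:db8:1234:abcd::1"))
```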

CHAP, SPAP, and PAP authentication methods:

CHAP

The Challenge Handshake Authentication Protocol (CHAP) is a challenge/response authentication protocol
that uses the industry-standard Message Digest 5 (MD5) hashing scheme to encrypt the response. CHAP is
used by various vendors of network access servers and clients. A server running Routing and Remote Access
supports CHAP so that remote access clients that require CHAP are authenticated. Because CHAP requires
the use of a reversibly encrypted password, you should consider using another authentication protocol such
as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2.

Note

If your password expires, CHAP cannot change passwords during the authentication process.

You cannot use Microsoft Point-to-Point Encryption (MPPE) with CHAP.

For instructions on setting authentication methods, see Configure VPN authentication methods.
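The CHAP exchange described above, as an added example (not code from the original notes or from any Microsoft product): the server issues a random challenge, the client returns MD5 over the identifier, its secret and the challenge as RFC 1994 specifies, and the server recomputes the hash to verify. The class and function names, the in-memory user table and the message dictionaries are constructed here. Two properties from the text are visible in the code: the server needs the password in recoverable form to recompute the hash, and each challenge is single-use, which is the replay protection the SPAP section later says SPAP lacks.

```python
# Added example (not from the original notes): the CHAP exchange of RFC 1994.
# Names, the in-memory user table and the message dicts are constructed here.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response value: MD5(Identifier || secret || Challenge).
    Only this hash crosses the link; the secret itself never does."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. It must hold every user's secret in recoverable form,
    which is the 'reversibly encrypted password' requirement from the text."""

    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = secrets
        self._pending: dict[int, bytes] = {}

    def challenge(self, identifier: int) -> dict:
        """Send a fresh random Challenge; remember it keyed by Identifier."""
        value = os.urandom(16)
        self._pending[identifier] = value
        return {"code": "Challenge", "identifier": identifier, "value": value}

    def verify(self, response_msg: dict) -> dict:
        """Recompute the expected hash and compare in constant time. A challenge
        is consumed on first use, so a captured Response cannot be replayed."""
        identifier = response_msg["identifier"]
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(response_msg["name"])
        ok = False
        if challenge is not None and secret is not None:
            expected = chap_response(identifier, secret, challenge)
            ok = hmac.compare_digest(expected, response_msg["value"])
        return {"code": "Success" if ok else "Failure", "identifier": identifier}


def chap_peer_response(name: str, secret: bytes, challenge_msg: dict) -> dict:
    """Client side: answer a Challenge with the hash computed from its own copy of the secret."""
    identifier = challenge_msg["identifier"]
    return {"code": "Response", "identifier": identifier, "name": name,
            "value": chap_response(identifier, secret, challenge_msg["value"])}


def run_exchange(server: "ChapAuthenticator", name: str, secret: bytes, identifier: int = 1) -> bool:
    """Full Challenge -> Response -> Success/Failure round trip; True on Success."""
    challenge_msg = server.challenge(identifier)
    response_msg = chap_peer_response(name, secret, challenge_msg)
    return server.verify(response_msg)["code"] == "Success"


# Constructed user table; in a real NAS this comes from the user database.
USERS = {"alice": b"correct horse battery staple"}

if __name__ == "__main__":
    server = ChapAuthenticator(USERS)
    print("alice, right secret:", run_exchange(server, "alice", USERS["alice"]))
    print("alice, wrong secret:", run_exchange(server, "alice", b"guess"))
```

The comparison uses `hmac.compare_digest` rather than `==` so that verification time does not depend on how many leading bytes of a wrong response happen to match.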

SPAP

The Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by
Shiva. When a computer running Windows XP Professional connects to a Shiva LAN Rover, it uses SPAP,
as does a Shiva client that connects to a server running Routing and Remote Access. This form of
authentication is more secure than plaintext but less secure than CHAP or MS-CHAP.

Important

When you enable SPAP as an authentication protocol, the same user password is always sent in the
same reversibly encrypted form. This makes SPAP authentication susceptible to replay attacks, where an
attacker captures the packets of the authentication process and replays the responses to gain authenticated
access to your intranet. The use of SPAP is discouraged, especially for virtual private network connections.

Note

If your password expires, SPAP cannot change passwords during the authentication process.

Make sure your network access server (NAS) supports SPAP before you enable it on a remote access
policy on an Internet Authentication Service (IAS) server.

You cannot use Microsoft Point-to-Point Encryption (MPPE) with SPAP.

PAP

Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication
protocol. It is typically negotiated if the remote access client and remote access server cannot negotiate a
more secure form of validation.

To enable PAP-based authentication, you must do the following:

1. Enable PAP as an authentication protocol on the remote access server. PAP is disabled by default.
2. Enable PAP on the appropriate remote access policy. PAP is disabled by default.
3. Enable PAP on the remote access client.

Note

By disabling PAP on ISA Server, plaintext passwords are never sent by the dial-up client. Disabling
support for PAP increases authentication security, but remote VPN clients who only support PAP cannot
connect.

If your password expires, PAP cannot change passwords during the authentication process.

You cannot use Microsoft Point-to-Point Encryption (MPPE) with PAP.

PPP Authentication Protocols: Password Authentication Protocol (PAP) and Challenge Handshake
Authentication Protocol (CHAP)

PPP was designed to provide layer two connectivity over a variety of serial links and other physical
layer technologies, some of which have much more of a concern about security than others. For
example, suppose you hook two machines in your computer lab together with a serial cable and
want to run PPP between them. When one of these initiates a PPP link with the other, you don't
really need to worry about who's calling. On the other hand, consider an Internet Service
Provider using PPP for remote dial-in users. They generally want to allow only their customers to
connect, not just anyone.

The PPP protocol suite was designed to include the use of an optional authentication protocol for
links where authentication is important. During basic link setup by LCP, devices can negotiate the
use of an authentication protocol. If they agree, after the LCP link is set up a series of
authentication messages are sent to verify the identity of the device initiating the link. Only if
authentication is successful can the link configuration proceed.

The PPP suite initially defined two different authentication protocols: the Password Authentication
Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
