2017 IEEE Dynamics of Systems, Mechanisms and Machines (Dynamics) (Omsk, Russia)

14 Nov–16 Nov 2017

The Organization of Arrangements Set to Ensure Enterprise IPv6 Network Secure Work By Modern Switching Equipment Tools
(Using the Example of a Network Attack on a Default Gateway)

A. M. Shabalin, Omsk State Technical University, Omsk, Russia
E. A. Kaliberda, Omsk State Technical University, Omsk, Russia

Abstract—The article addresses the protection of enterprise information within the Internet of Things concept. The aim of the research is to develop a set of arrangements that ensures the secure operation of an enterprise IPv6 network. The object of the research is the enterprise IPv6 network; the subject is modern switching equipment as a tool for network protection. The research tasks are to rank the operating priorities of switches in the production and corporate segments of an enterprise network, to develop a host protection algorithm, and to test that algorithm on the Cisco Packet Tracer 7 software emulator. The results are a proposed approach to IPv6 network security based on an analysis of modern switch functionality; a developed and tested host protection algorithm for IPv6 enterprise networks that controls automatic SLAAC configuration; and a set of arrangements for resisting attacks on the enterprise default gateway using ACLs, VLANs, SEND and RA Guard, which together provide a sufficiently high level of network security.

Keywords—default gateway; host; network security; attacks; protocols; network; IPv6 protocol; switches; routers; IP network; host protection algorithm

I. INTRODUCTION

Recently not only computers but many other kinds of devices have acquired Internet access. This formed the basis of the now popular Internet of Things (IoT) concept, whose defining term is the host: any device that is a source of information, a recipient of information, or both at the same time.

According to Cisco estimates, 50 billion devices will be connected to the Internet by 2020 [1]. Today, in many large cities in Europe and the United States, information technologies are widely used in a variety of industries, and organizing them requires, first of all, the secure interaction of smart devices (sensors). To solve this problem effectively, network equipment manufacturers are developing new protocols and technologies for protecting the information transferred from such devices.

In the 1990s Purdue University (USA), under the guidance of Theodore J. Williams, developed the Purdue Enterprise Reference Architecture (PERA) [3], a reference model for a secure enterprise architecture based on Computer-Integrated Manufacturing (CIM) [4], a production approach in which computers are used to manage the entire production process. Such integration allows individual production components to exchange information with each other and to initiate certain actions. Although computer integration can make production less error-prone, its main advantage is the ability to create safe automated production processes. CIM usually relies on control driven by real-time input signals from sensors. On the basis of this model, first the ISA-99 standards and then the IEC 62443 series [5] were developed; they define how to build the technological and corporate networks of an enterprise so as to ensure reliable and secure data transmission. The standard can be represented as several interacting levels: the technological (production) network, the operations area (SCADA network), the demilitarized zone (DMZ) and the corporate (office) network. The standard describes the theoretical principles of interaction between the levels, but it does not prescribe the specific security means to be used at a particular level.

One representative of the modern protocols is IPv6. It is the successor of IPv4 and offers new capabilities in comparison with it, which at the same time generate new security problems [6]. Developers address IPv6 network security in different ways: protecting the network on the basis of distributed trust management (Trust-ND) has been considered [7]; MITM attack test systems that make users aware of the security risks, followed by the design of a DNSSEC-based defence against session hijacking, have been developed [8]. The most effective are comprehensive security measures

based on methods that reduce the impact of vulnerabilities, or an end-to-end connectivity model that uses a host security system together with a perimeter protection device, for example [9]. In addition, a set of security policy rules is used in the model to facilitate the management of trust relations [10]. However, none of the proposed approaches by itself gives a proper level of network protection against cyber attacks.

II. PROBLEM STATEMENT

Different network equipment vendors choose the instruments for implementing a security system in different ways. In most cases the following instruments are used: intrusion detection and prevention systems (IDS/IPS), switches, routers, access points, firewalls and a number of software and hardware platforms.

The authors consider it necessary to dwell on switches, the main access-level devices that connect hosts in the corporate and production segments of an enterprise network. It is relevant to determine the priorities and tasks of modern switches in the different enterprise segments, because switches are the main network access-level equipment and represent one of the most important barriers in modern network security systems, which means they have to solve various tasks.

The main emphasis of the work is on implementing a security system applicable to the IPv6 protocol, which is becoming ubiquitous while information about its vulnerability to attacks has not yet been systematized. The task of this research is to analyze the new attack opportunities provided by IPv6 functionality and, on that basis, to develop a host protection algorithm and a recommended set of host protection arrangements, using the example of a known attack on the enterprise default gateway.

III. THEORY

According to the analysis of enterprise activity, the following arrangements should be implemented:

1) zoning: division of the enterprise by the "cell – shop – factory" principle;
2) controlled access: organization of security policy and identification services;
3) physical security: maintenance of intelligent camera operation;
4) industrial cybersecurity: monitoring, threat detection, and incident and event management.

The production network of the enterprise carries the main production process. It contains conveyors, machines and sensors, i.e. the production that must be controlled by IT tools. The corporate network of the enterprise is an office network, where employees use computers, laptops and tablets to manage and monitor the production network. The two networks are joined through the operations and demilitarized zones.

Switches are the kind of network device that operates both in the corporate and in the production segment of the enterprise network, and accordingly they differ in their priorities and functional tasks. That is why it is necessary to identify the most important of these tasks from the point of view of safe and reliable host operation in the different enterprise segments.

TABLE I. COMPARING SWITCH OPERATING TASKS AND PRIORITIES IN THE CORPORATE AND PRODUCTION ENTERPRISE NETWORKS

Tasks and priorities of switch operation | Corporate network switches | Production network switches
1. Main purpose of operation | Intellectual property protection | Trouble-free operation
2. Priority ranking | A) Confidentiality; B) Integrity; C) Availability | A) Availability; B) Integrity; C) Confidentiality
3. Device (configuration) update rate | Constant | Scheduled
4. Operating conditions | No special requirements | Extreme conditions

As can be seen from the table, the two networks have different priorities. Whereas in the corporate network all resources must be directed at access control and information leak prevention, in the production segment the switches must provide data transmission in "24/7" mode. Accordingly, the switch's reaction to threats differs. In the corporate network everything that is not explicitly allowed is prohibited, so any unauthorized activity is stopped immediately. In the production segment the switch must be guided by the "no harm to production" principle, i.e. it must continue transmitting data from the sensors despite the threats. It is precisely this difference that makes the two enterprise network segments diametrically opposite.

Network device configuration is constantly updated in accordance with the enterprise security policy, but here too there are differences. In the corporate network online device updating is recommended: the sooner the switch configuration is updated, the sooner the security policy is applied. In a continuous production process there is no possibility of constantly updating the production network, so updates must be carried out on a schedule during routine maintenance hours.

Certain conditions also apply to switch operation in the networks. The corporate network has office working conditions: switches are installed in a standard 19-inch indoor rack where temperature, humidity and so on are normal. In the production segment extreme characteristics may be observed: temperature from ultra-high to ultra-low, humidity, dust, rain, snow and hoarfrost, the whole variety of climatic conditions that characterizes production.

Thus, it is necessary to select switches focusing not only on their performance characteristics, but also on the functionality provided by this equipment, when designing an

enterprise network. Such functionality should correspond to the above priorities and switch tasks in the various segments of the enterprise network.

In the IoT concept the leading role belongs to the IPv6 network protocol, because the shrinking IPv4 address space cannot cover all the sensors and devices that must have public addresses, not to mention the other hosts (computers, tablets, phones).

It should be noted that although IPv6 is positioned as the more modern protocol, it has a number of security problems. Its built-in IPsec functionality certainly enhances protection, but not all devices in the IoT concept have enough processing power to take advantage of it. At the same time, the huge public address space gives cybercriminals additional opportunities to organize various attacks.

This article considers the most popular attack on the default gateway. Its essence is as follows: the intruder's computer imitates a legitimate DHCP server and sends incorrect

Fig.1. Algorithm of protecting hosts (flowchart). Recoverable structure: Beginning → attack "Increasing attacking priority level": if successful, counter with VLAN, high priority of the legitimate router, RA Guard and SEND → unsuccessful attack → attack "Representing as legitimate router": if successful, counter with access control lists (ACL) → unsuccessful attack → attack "RA-messages fragmentation": if successful, counter with an additional channel-state monitoring (stateful) firewall → unsuccessful attack. An uncountered attack ends in "Control over the device" (the attacker's outcome); the countered path ends in "Stable functioning of the host" → End.

information to the host, after which all the host's data is sent to the attacker's computer. This classic IPv4 attack is well known, and some manufacturers have implemented the DHCP Snooping function, which resists this type of attack successfully. However, applied to the IoT concept, this type of attack can lead not only to data leakage but also to the shutdown of production. The main difficulties arise with the devices that perform addressing, because the specifics of their operation give attackers additional advantages in organizing this type of attack.

IPv6 Stateless Address Autoconfiguration (SLAAC) [11] is one of the additions to IPv6 functionality. It came to the aid of the classic DHCP service in order to simplify the way hosts obtain IPv6 addresses. The technology solves the basic problem of automatic host network configuration using a router: the router receives a Router Solicitation (RS) message and, in a Router Advertisement (RA) reply, provides the addressee with the network prefix for its IPv6 address and the default gateway address.

Thus, knowing that the attacker imitates a legitimate router and uses the new SLAAC functionality of IPv6 to organize certain types of attack on the default gateway, it is possible to propose the following algorithm for protecting hosts from such attacks.

IV. EXPERIMENT RESULTS

The experiments showed that only a combination of several technologies achieves the required level of information security. For this reason the authors recommend the following set of arrangements to protect the host from default gateway attacks:

1. Changing the router preference (priority) of the legitimate router to High;
2. Using access control lists (ACL) on the switches;
3. Organizing enterprise Virtual Local Area Networks (VLAN) on the switches;
4. Designating trusted ports with the RA Guard switch function;
5. Setting up cryptographic authentication of the Neighbor Discovery exchange between switches, routers and hosts by means of SEND (SEND signs ND messages; it does not encrypt the traffic).

Fig.2. Enterprise computer network model in Cisco Packet Tracer 7.0

The results of studying the security functionality of modern switches, together with the application of the specified set of measures, make it possible to develop an algorithm for protecting host operation from attacks on the default gateway of the enterprise production network (Fig. 1).

The specifics of the attacks and the methodology for reacting to them are presented below:

1. Kind of attack: increasing the attacker's priority level. Routers advertise a Default Router Preference with three values: Low, Medium and High. By managing these values in a network with several routers, the administrator can build a fault-tolerant system in which, if the High-priority router fails, the SLAAC role is taken over by the Medium-priority router, backed in turn by the Low-priority router. By default the parameter is set to Medium. This means that in a network with a single router the attacker can seize the initiative simply by advertising a higher preference. If the legitimate router is set to High, it is on an equal footing with the attacker, and the host accepts the advertisement of whichever router sends its offer first. As a result, the attacking router can still obtain control over the transmitting device.

2. Kind of attack: requesting network information from the legitimate router and then impersonating it. Hosts send RS messages and the router answers with RA messages. Here the attacking router sends an RS message to the legitimate router, posing as an ordinary host, and receives an RA message containing the router's IPv6 address, MAC address and preference. The attacking router then assigns itself the same IPv6 address and sends an RA message in which it identifies itself as the legitimate router. Moreover, the attacker disables Duplicate Address Detection (DAD) on its device, thereby creating a precedent: two devices with the same IPv6 address and different MAC addresses appear in the network. A host receiving such a message believes that the MAC address of the default gateway has changed, so it updates its neighbor cache, and the attacker again achieves its goal: data from the device is sent to the attacker's router. To prevent this type of attack, access control lists (ACL) can be configured on the switch to prohibit all ports except the authorized ones from sending RA messages. But this protection method is not perfect.

3. Kind of attack: RA message fragmentation. The ACL examines a whole packet to decide whether it matches the deny rule. If an attacker breaks the RA message into fragments before sending it, the fragments are not matched by the access control lists but are delivered to the host, which reassembles them and changes its network settings; in other words, the switch does not block this data because it cannot reassemble and inspect the whole packet, so it passes to the host. In this situation the defending side can additionally use a channel-state monitoring (stateful) firewall and add a rule on the switch: if the upper-layer information of an IPv6 fragment or packet cannot be read (there is no corresponding header), the packet is discarded. Note that RFC 6980 requires nodes to drop Neighbor Discovery messages that carry an IPv6 Fragment header, and RFC 7113 describes RA Guard implementations that resist this evasion; whether a given switch applies them depends on its software version.
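The three attacks above, and the countermeasures the paper pairs with them (a High preference on the legitimate router, RA Guard port roles, and the rule that drops fragments whose upper-layer header cannot be read), can be exercised in a self-contained simulation. The following Python block is an added example, not the authors' code or their Packet Tracer configuration: it builds IPv6 Router Advertisements with the RFC 4191 Prf bits, applies a switch-side filter that models the RA Guard device-role policy together with the RFC 6980 rule against fragmented Neighbor Discovery, and lets a simulated host pick its default router as in attack 1 (highest preference wins, ties go to the first advertisement received). All addresses, port roles and the fragment identification value are constructed, and ICMPv6 checksums are left at zero because no real stack consumes these bytes.

```python
"""Simulated IPv6 RA lab (added example, not the paper's code): router
preference handling on the host and RA Guard / fragment filtering on the
switch.  Addresses, port roles and the fragment identification are constructed."""
import struct
from ipaddress import IPv6Address

ICMPV6, FRAGMENT = 58, 44             # IPv6 Next Header values
RA, ND_TYPES = 134, range(133, 138)   # Router Advertisement; RS/RA/NS/NA/Redirect
PREF_RANK = {"high": 2, "medium": 1, "low": 0}
PRF_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}   # RFC 4191 Prf field
PRF_NAMES = {bits: name for name, bits in PRF_BITS.items()}

LEGIT = IPv6Address("fe80::1").packed        # constructed link-local addresses
ATTACKER = IPv6Address("fe80::bad").packed
ALL_NODES = IPv6Address("ff02::1").packed


def build_ra(src, dst, preference="medium", fragment=False, hop_limit=255):
    """IPv6 header [+ Fragment header] + ICMPv6 RA.  Checksum stays 0: no real
    stack consumes these bytes.  fragment=True emits the first fragment only."""
    flags = PRF_BITS[preference] << 3                    # Prf = bits 3-4 of the flags byte
    icmp = struct.pack("!BBHBBHII", RA, 0, 0, 64, flags, 1800, 0, 0)
    payload, next_header = icmp, ICMPV6
    if fragment:                                         # offset 0, M flag set, constructed id
        payload = struct.pack("!BBHI", ICMPV6, 0, 0x0001, 0x0000BEEF) + icmp
        next_header = FRAGMENT
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload),
                       next_header, hop_limit, src, dst) + payload


def parse(pkt):
    """Return (hop_limit, src, fragmented, icmp_type, prf_name); the last two are
    None when the upper-layer header is absent (non-first fragment) or not ICMPv6."""
    _, _, next_header, hop_limit, src, _ = struct.unpack_from("!IHBB16s16s", pkt, 0)
    off, fragmented = 40, False
    if next_header == FRAGMENT:
        fragmented = True
        next_header, _, frag, _ = struct.unpack_from("!BBHI", pkt, off)
        off += 8
        if frag >> 3:                                    # non-zero offset: no ICMPv6 header here
            return hop_limit, src, True, None, None
    if next_header != ICMPV6:
        return hop_limit, src, fragmented, None, None
    icmp_type, _, _, _, flags = struct.unpack_from("!BBHBB", pkt, off)
    # Prf value 0b10 is reserved and must be treated as Medium (RFC 4191)
    prf = PRF_NAMES.get((flags >> 3) & 0b11, "medium") if icmp_type == RA else None
    return hop_limit, src, fragmented, icmp_type, prf


def switch_decides(port_role, pkt):
    """Switch-side policy: RA Guard device-role ('host' or 'router'), the RFC 4861
    hop-limit validity check, and the fragment rules from the text / RFC 6980."""
    hop_limit, _, fragmented, icmp_type, _ = parse(pkt)
    if fragmented and icmp_type is None:
        return "drop: fragment without readable upper-layer header"
    if fragmented and icmp_type in ND_TYPES:
        return "drop: fragmented Neighbor Discovery message (RFC 6980)"
    if icmp_type == RA:
        if port_role != "router":
            return "drop: RA on a host-role port (RA Guard)"
        if hop_limit != 255:
            return "drop: RA hop limit is not 255 (RFC 4861)"
    return "forward"


def choose_default_router(ras):
    """Host side, RFC 4191: among received RAs (arrival order) the highest Prf
    wins; on a tie the first advertisement received keeps the role."""
    best = None
    for pkt in ras:
        _, src, _, icmp_type, prf = parse(pkt)
        if icmp_type == RA and (best is None or PREF_RANK[prf] > PREF_RANK[best[1]]):
            best = (src, prf)
    return None if best is None else str(IPv6Address(best[0]))


def run_lab():
    """Walk the paper's scenarios through an unprotected and an RA Guard-protected switch."""
    legit = build_ra(LEGIT, ALL_NODES, "medium")
    legit_high = build_ra(LEGIT, ALL_NODES, "high")
    rogue = build_ra(ATTACKER, ALL_NODES, "high")
    rogue_frag = build_ra(ATTACKER, ALL_NODES, "high", fragment=True)
    role = {legit: "router", legit_high: "router", rogue: "host", rogue_frag: "host"}

    def guarded(pkts):   # what the RA Guard-enabled switch lets through to the host
        return [p for p in pkts if switch_decides(role[p], p) == "forward"]

    return {
        "unprotected_medium": choose_default_router([legit, rogue]),               # attacker wins
        "unprotected_high_legit_first": choose_default_router([legit_high, rogue]),
        "unprotected_high_rogue_first": choose_default_router([rogue, legit_high]),
        "guarded": choose_default_router(guarded([rogue, legit])),               # rogue dropped
        "guarded_fragment": switch_decides(role[rogue_frag], rogue_frag),
    }


if __name__ == "__main__":
    for case, outcome in run_lab().items():
        print(f"{case:30} {outcome}")
```

run_lab() reproduces the paper's sequence: with the legitimate router at Medium the rogue High advertisement wins; with both at High the outcome depends only on arrival order, which is why preference management alone is listed as insufficient; with the RA Guard role policy the rogue advertisement never reaches the host, and a fragmented one is dropped by the RFC 6980 rule regardless of port role.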

These types of attacks and countermeasures were tested on the Cisco Packet Tracer 7.0 software emulator and also on Cisco access-level switches (Fig. 2).

Modern switches provide a number of additional functions that can be used successfully in countering attacks on the default gateway:

1. Virtual Local Area Network (VLAN) organization [12]. This classic network segmentation method, combined with MAC-based filtering (port security), allows different hosts to be placed in isolated virtual networks. This stops messages from the attacking computer from reaching the ports to which the hosts are connected. This approach cannot be considered perfect either, because it has certain drawbacks that make the network configuration as a whole more complicated: connections between hosts and the duplicate address detection function are blocked, which leads to the need for additional configuration of a proxy server and of DAD (Duplicate Address Detection) so that the search for duplicate addresses continues to work.

2. Enabling the Router Advertisement Guard (RA Guard) switch function [13], which lets the administrator define policies applied to ports. Every policy is tied to a device role, host or router: devices connected to a host port are treated as hosts, whereas devices connected to a router port are treated as routers. This division has the following result: a host can communicate with other hosts, but it cannot send RA messages. It deserves special mention that the RA Guard function does not by itself solve the problem of fragmented packets.

3. Enabling the Secure Neighbor Discovery (SEND) function on the router [14], which cryptographically authenticates all Neighbor Discovery messages exchanged between hosts and routers (using cryptographically generated addresses and RSA signatures; SEND protects the integrity and origin of these messages, not their confidentiality). The disadvantage of this technology is that both the routers and the hosts take part in the cryptographic exchange, so their resources carry an additional load. While a router can try to cope with this, the smart sensors of the enterprise are likely to lack the hardware resources needed to generate and verify the signatures on the received and transmitted messages.

V. THE DISCUSSION OF RESULTS

The Packet Tracer model shows how an attack on the main gateway of the enterprise production network allows an intruder to imitate a legitimate router and to redirect information from sensors and network computers to a fake registration server. After that it is not difficult for the intruder to distort the information sent to the legitimate registration server, with the subsequent shutdown of production.

Therefore, special attention must be paid to counteracting attacks on the default gateway of the company's production network.

However, it should not be forgotten that the main task of a production network switch is uninterrupted operation throughout the entire production process, so the priority of its functioning is availability, not security. This leads to a contradiction: on the one hand, an appropriate level of security must be organized for the data transmitted from hosts; on the other hand, the switching devices cannot be overloaded with additional security functions, since ACL and SEND technologies, for example, consume considerable hardware resources of the network equipment, and network segmentation with VLANs makes the network configuration more complex and less flexible.

Consequently, for organizing security in the enterprise production network it is extremely important to implement the listed technologies not as an unsystematic conglomeration, but in a well-thought-out way, in accordance with the tasks derived from an analysis of the particular enterprise's activities, including:

- enterprise resources;
- specific device hazards;
- the probability of threat occurrence;
- the threat vectors that can be used for an attack.

As a result of studying this problem, the authors propose to discuss ways of applying the protection arrangements described above selectively, depending on the host types and the specific industry tasks for which the algorithm is to be realized.

VI. CONCLUSION

Thus, the IoT concept, while improving the production process, adds a number of significant problems to the organization of secure information transmission within the enterprise. One of the important tasks in ensuring it is splitting the enterprise into functional zones and choosing the network equipment for the different zones with their specifics taken into account. The protection of the enterprise is complicated by the use of the IPv6 protocol, whose vulnerability issues are only now beginning to be studied seriously. This is connected primarily with the new functionality of this protocol and with the huge supported address space.

The results of the conducted studies are:

1. A proposed approach to IPv6 network security, including the definition of the main goal and the ranking of priorities of switch operation, and an analysis of the update frequency and operating conditions of switches in the enterprise production and corporate networks;
2. A developed set of arrangements to confront the enterprise default gateway attack, including preference management and Neighbor Discovery authentication (SEND) on the legitimate router, and the application of access control lists, trusted ports and production network segmentation on the switches;
3. A developed algorithm for protecting hosts in an IPv6 network, which makes it possible to resist cybercriminals who use the IPv6 SLAAC functionality to launch attacks on the default gateway of the enterprise production network;
4. Approbation of the developed algorithm on Cisco access-level switches and on the Cisco Packet Tracer 7.0 software emulator. The results showed that after the presented complex of arrangements was applied, the switches of the enterprise production network became resistant to attacks based on default gateway substitution and IPv6 packet fragmentation.
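Countermeasure 3 of Section IV (SEND) and the resource concern raised in Section V can be made concrete with the address binding that SEND relies on: a Cryptographically Generated Address (RFC 3972), whose interface identifier is a hash of the node's public key and a modifier, so that a node proves ownership of its address by signing Neighbor Discovery messages with the matching private key. The following Python block is an added example and is not the authors' code; it implements CGA generation and verification only (not the RSA signature over the ND message), and the public key is a constructed stand-in for the DER-encoded RSA key a real node would use. The modifier search is where the cost lives: each step of the Sec parameter multiplies the expected number of SHA-1 evaluations by 2^16, which is exactly the kind of work a constrained sensor cannot afford.

```python
"""Cryptographically Generated Addresses (RFC 3972), the address/key binding
behind SEND.  Added example, not the paper's code.  PUBKEY is a constructed
stand-in for a DER-encoded RSA public key; PREFIX is from the documentation range."""
import hashlib
from ipaddress import IPv6Address

PUBKEY = b"constructed stand-in for a DER-encoded RSA SubjectPublicKeyInfo"
PREFIX = bytes.fromhex("20010db8000000aa")    # 64-bit subnet prefix 2001:db8:0:aa::/64


def hash1(modifier, prefix, collision_count, pubkey):
    """Leftmost 64 bits of SHA-1(modifier | prefix | collision count | public key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def hash2(modifier, pubkey):
    """Leftmost 112 bits of SHA-1(modifier | 9 zero bytes | public key)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def generate_cga(prefix, pubkey, sec, collision_count=0):
    """Return (interface_id, modifier, hashes_tried).  RFC 3972 starts the
    modifier at a random value; a counter is used here so the run is reproducible."""
    tries = 0
    while True:
        modifier = tries.to_bytes(16, "big")
        tries += 1
        if hash2(modifier, pubkey)[:2 * sec] == bytes(2 * sec):   # leftmost 16*Sec bits zero
            break
    iid = bytearray(hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)      # bits 0-2 carry Sec; bits 6-7 (u/g) are cleared
    return bytes(iid), modifier, tries


def verify_cga(prefix, iid, modifier, collision_count, pubkey):
    """RFC 3972 section 5: recompute Hash1 from the CGA parameters, compare it with
    the interface identifier ignoring the Sec and u/g bits, then check that Hash2
    satisfies the zero-bit condition for the Sec value encoded in the address."""
    if collision_count > 2:
        return False
    sec = iid[0] >> 5
    h1 = hash1(modifier, prefix, collision_count, pubkey)
    if (iid[0] & 0x1C, bytes(iid[1:])) != (h1[0] & 0x1C, h1[1:]):
        return False
    return hash2(modifier, pubkey)[:2 * sec] == bytes(2 * sec)


def cga_address(prefix, iid):
    """Textual IPv6 address formed from the 64-bit prefix and the CGA interface identifier."""
    return str(IPv6Address(prefix + iid))


if __name__ == "__main__":
    for sec in (0, 1):
        iid, modifier, tries = generate_cga(PREFIX, PUBKEY, sec)
        print(f"Sec={sec}: {cga_address(PREFIX, iid)} after {tries} SHA-1 evaluations,"
              f" verifies={verify_cga(PREFIX, iid, modifier, 0, PUBKEY)}")
```

With Sec=0 the first modifier is accepted and the address is produced after a single hash; with Sec=1 the search needs on the order of 65,536 SHA-1 evaluations, and Sec=2 would need about 2^32, which is why the Sec level, like the RSA signing that follows address generation, has to be chosen against the capabilities of the least capable host on the link. Verification is cheap by comparison (two hashes), but it only proves that the address was derived from the key; binding the key to a trusted router still requires the certification path that SEND defines.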

REFERENCES

[1] Cisco, "Cisco VNI Forecast and Methodology, 2015-2020," white paper. Available at: http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/complete-white-paper-c11-481360.html
[2] M. Bornheim and M. Fletcher, "Public Safety Digital Transformation: The Internet of Things (IoT) and Emergency Services," EENA 112, 3 Mar. 2016. Available at: http://www.eena.org/download.asp?item_id=170
[3] T. Williams, "The Purdue enterprise reference architecture," Computers in Industry, vol. 24, no. 2, pp. 141–158, 1994.
[4] S. Kalpakjian and S. Schmid, Manufacturing Engineering and Technology, 5th ed. Prentice Hall, 2006, p. 1192.
[5] ISA, "The 62443 series of standards: Industrial Automation and Control Systems Security." Available at: http://isa99.isa.org/Public/Information/The-62443-Series-Overview.pdf
[6] C. Min, "Research on network security based on IPv6 architecture," IEEE Electronics and Optoelectronics (ICEOE), vol. 3, pp. 415–417, July 2011.
[7] S. Praptodiyono, M. M. Kadhum, R. K. Murugesan and A. Osman, "Improving security of Duplicate Address Detection on IPv6 local network in public area," IEEE Modelling Symposium (AMS), vol. 6, pp. 123–128, Sept. 2015.
[8] W. Liu, P. Ren, D. Sun, Y. Zhao and K. Liu, "Study on attacking and defending techniques in IPv6 networks," IEEE Digital Signal Processing (DSP), vol. 6, pp. 48–53, July 2015.
[9] H. A. Dawood and K. F. Jassim, "Mitigating IPv6 security vulnerabilities," IEEE Advanced Computer Science Applications and Technologies (ACSAT), vol. 6, pp. 304–309, June 2014.
[10] R. Choudhary and A. Sekelsky, "Securing IPv6 network infrastructure: A new security model," IEEE Technologies for Homeland Security (HST), vol. 7, pp. 500–506, Nov. 2010.
[11] IPv6 Stateless Address Autoconfiguration, RFC 2462. Available at: https://tools.ietf.org/html/rfc2462
[12] IEEE Std 802.1Q-2005. Available at: http://standards.ieee.org/getieee802/download/802.1Q-2005.pdf
[13] Cisco, "IPv6 RA Guard." Available at: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/IPv6/configuration/15-2s/ip6-15-2s-book/ip6-ra-guard.html
[14] Secure Neighbor Discovery (SEND), RFC 3971. Available at: https://tools.ietf.org/html/rfc3971