Type of Document Dissertation Author Dunlop, Matthew William Author's Email Address email@example.com URN etd-03282012-151031 Title Achieving Security and Privacy in the Internet Protocol Version 6 Through the Use of Dynamically Obscured Addresses Degree PhD Department Electrical and Computer Engineering Advisory Committee
Advisor Name Title Tront, Joseph G. Committee Chair Koelling, Charles Patrick Committee Member Marchany, Randolph C. Committee Member Midkiff, Scott F. Committee Member Schaumont, Patrick Robert Committee Member Keywords
- Dynamic Addressing
- Moving Target Defense
Date of Defense 2012-03-15 Availability unrestricted AbstractSociety's increased use of network applications, such as email, social networking, and web browsing, creates a massive amount of information floating around in cyber space. An attacker can collect this information to build a profile of where people go, what their interests are, and even what they are saying to each other. For certain government and corporate entities, the exposure of this information could risk national security or loss of capital. This work identifies vulnerabilities in the way the Internet Protocol version 6 (IPv6) forms addresses. These vulnerabilities provide attackers with the ability to track a node’s physical location, correlate network traffic with specific users, and even launch attacks against users’ systems. A Moving Target IPv6 Defense (MT6D) that rotates through dynamically obscured network addresses while maintaining existing connections was developed to prevent these addressing vulnerabilities.
MT6D is resistant to the IPv6 addressing vulnerabilities since addresses are not tied to host identities and continuously change. MT6D leverages the immense address space of IPv6 to provide an environment that is infeasible to search efficiently. Address obscuration in MT6D occurs throughout ongoing sessions to provide continued anonymity, confidentiality, and security to communicating hosts. Rotating addresses mid-session prevents an attacker from determining that the same two hosts are communicating. The dynamic addresses also force an attacker to repeatedly reacquire the target node before he or she can launch a successful attack. A proof of concept was developed that demonstrates the feasibility of MT6D and its ability to seamlessly bind new IPv6 addresses. Also demonstrated is MT6D’s ability to rotate addresses mid-session without dropping or renegotiating sessions.
This work makes three contributions to the state-of-the-art IPv6 research. First, it fully explores the security vulnerabilities associated with IPv6 address formation and demonstrates them on a production IPv6 network. Second, it provides a method for dynamically rotating network addresses that defeats these vulnerabilities. Finally, a functioning prototype is presented that proves how network addresses can be dynamically rotated without losing established network connections. If IPv6 is to be globally deployed, it must not provide additional attack vectors that expose user information.
Filename Size Approximate Download Time (Hours:Minutes:Seconds)
28.8 Modem 56K Modem ISDN (64 Kb) ISDN (128 Kb) Higher-speed Access Dunlop_MW_D_2012.pdf 4.36 Mb 00:20:10 00:10:22 00:09:04 00:04:32 00:00:23
If you have questions or technical problems, please Contact DLA.