In IPv6, optional Internet-layer information is encoded in separate extension headers placed between the IPv6 basic header and the upper-layer protocol header. An IPv6 packet may carry zero, one, or more extension headers; each is identified by the Next Header field of the header that precedes it, and each is an integer multiple of 64 bits (8 octets) long (see Exhibit 6). A fully compliant IPv6 implementation supports the following extension headers and their associated options:
Exhibit 6. IPv6 Extension Header Examples.
With the exception of the Hop-by-Hop Options header, which every node along the path must examine, extension headers are examined or processed only by the node (or nodes) named in the Destination Address field. Because the contents of each header determine whether processing proceeds to the next one, extension headers must be processed strictly in the order in which they appear in the packet; a receiver must not, for example, scan ahead for a particular header and process it before the headers that precede it.
The Priority and Flow Label fields in the IPv6 header are used by a source to identify packets that need special handling by network routers. The concept of a flow is a major departure from IPv4 and most other connectionless protocols; flows are sometimes described as a form of connectionless virtual circuit, because all packets carrying the same flow label are treated alike and the network views them as associated entities.
Special handling for nondefault quality of service (QOS) is an important capability for applications that require guaranteed throughput and bounded end-to-end delay and jitter, such as multimedia or real-time communication. These QOS parameters extend IPv4's Type of Service (TOS) capability.
The Priority field lets the source indicate the desired delivery priority of a packet relative to other packets from the same source. Values 0 through 7 are used for congestion-controlled traffic, i.e., traffic that backs off in response to network congestion, such as TCP segments. For this type of traffic, the following priority values are recommended:
Values 8 through 15 are used for noncongestion-controlled traffic, i.e., traffic that does not back off in response to congestion, such as real-time packets sent at a constant rate. For this type of traffic, the lowest value (8) should be used for packets the sender is most willing to have discarded under congestion (e.g., high-fidelity video traffic), and the highest value (15) for packets the sender is least willing to have discarded (e.g., low-fidelity audio traffic). Note that there is no relative ordering between the two ranges: a value of 8 does not mean "higher priority than 7", only that the packet belongs to the other class of traffic.
The Flow Label is used by a source to identify packets that need nondefault QOS. The nature of the special handling might be conveyed to the routers by a control protocol, such as RSVP (Resource Reservation Protocol), or by information carried in the flow's own packets, such as a hop-by-hop option. There may be multiple active flows from a source to a destination, as well as traffic that is not associated with any flow (flow label = 0). A flow is uniquely identified by the combination of a source address and a nonzero flow label; all packets of one flow must also carry the same destination address and priority. This aspect of IPv6 is still in the experimental stage, and further definition is expected.
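The header layout and extension header chain described above, as an added example that is not code from the original text: it decodes Version, Priority and Flow Label from the first 32 bits, derives the flow identifier (source address plus nonzero flow label), and walks the Next Header chain in order with a bounds check on every header, rejecting a Hop-by-Hop Options header that is not first and a Hdr Ext Len that would run past the declared Payload Length. The sample packet, addresses and port numbers are constructed for illustration.

```python
"""Decode the RFC 1883 IPv6 basic header and walk the extension header chain.

Added example for this page, not code from the original text. Addresses,
ports and packet contents are constructed for illustration.
"""
import ipaddress
import struct

# Next Header values (IANA protocol numbers) used here
HOP_BY_HOP = 0    # Hop-by-Hop Options: examined by every node on the path
ROUTING = 43
FRAGMENT = 44
DEST_OPTS = 60    # Destination Options: examined only by the destination
UDP = 17

# Headers whose second octet is Hdr Ext Len: length in 8-octet units,
# not counting the first 8 octets.
VARIABLE_LENGTH_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}


def parse_basic_header(pkt):
    """Split the fixed 40-octet IPv6 header into its fields."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first32, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first32 >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "priority": (first32 >> 24) & 0xF,   # 4-bit Priority (0-7 congestion-controlled, 8-15 not)
        "flow_label": first32 & 0xFFFFFF,    # 24-bit Flow Label
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def flow_key(hdr):
    """A flow is (source address, nonzero flow label); label 0 means no flow."""
    if hdr["flow_label"] == 0:
        return None
    return (str(hdr["src"]), hdr["flow_label"])


def walk_extension_headers(pkt):
    """Follow the Next Header chain in order.

    Returns (chain, upper_proto, upper_offset); chain is a list of
    (header_type, offset, length). Each header is bounds-checked against the
    declared Payload Length before it is read, so a forged Hdr Ext Len cannot
    make the parser read past the packet.
    """
    hdr = parse_basic_header(pkt)
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("Payload Length exceeds captured packet")
    chain, nh, off = [], hdr["next_header"], 40
    while True:
        if nh == HOP_BY_HOP and off != 40:
            # RFC 1883: Hop-by-Hop Options must immediately follow the basic header
            raise ValueError("Hop-by-Hop Options header not first")
        if nh in VARIABLE_LENGTH_EXT:
            if off + 2 > end:
                raise ValueError("truncated extension header")
            nxt, length = pkt[off], (pkt[off + 1] + 1) * 8   # integer multiple of 64 bits
        elif nh == FRAGMENT:
            if off + 8 > end:
                raise ValueError("truncated Fragment header")
            nxt, length = pkt[off], 8                        # fixed 8 octets
        else:
            return chain, nh, off      # upper-layer header (or 59, No Next Header)
        if off + length > end:
            raise ValueError("extension header runs past Payload Length")
        chain.append((nh, off, length))
        nh, off = nxt, off + length


def is_well_formed(pkt):
    """True if the whole header chain can be walked without error."""
    try:
        walk_extension_headers(pkt)
        return True
    except ValueError:
        return False


def build_sample_packet(ext_order=(HOP_BY_HOP, DEST_OPTS)):
    """Constructed packet: basic header, one 8-octet extension header per entry
    in ext_order (each holding a single PadN option), then an empty UDP header."""
    nxt, exts = UDP, b""
    for ext in reversed(ext_order):          # back to front so each Next Header is known
        exts = bytes([nxt, 0, 1, 4, 0, 0, 0, 0]) + exts
        nxt = ext
    payload = exts + struct.pack("!HHHH", 5353, 5353, 8, 0)
    first32 = (6 << 28) | (8 << 24) | 0x12345   # version 6, priority 8, flow label 0x12345
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", first32, len(payload), nxt, 64) + src + dst + payload
```

`build_sample_packet()` yields a chain of Hop-by-Hop then Destination Options before UDP; `build_sample_packet((DEST_OPTS, HOP_BY_HOP))` is rejected by the ordering rule, and overwriting a Hdr Ext Len byte with 0xFF is rejected by the bounds check rather than reading past the buffer, which is exactly the failure an unchecked chain walker exposes.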
In the early days of TCP/IP, the ARPANET user community was small and close-knit, and security mechanisms were not a primary concern. As the number of TCP/IP hosts grew and the user community became one of strangers (some of them nefarious) rather than colleagues, security became more important. With critical and sensitive data traveling on today's Internet, security is of paramount concern.
Although many of today's TCP/IP applications have their own security mechanisms, security should be implemented at the lowest possible protocol layer, so that every higher layer benefits from it. IPv4 has few, if any, security mechanisms; authentication and privacy at the lower protocol layers are largely absent. IPv6 builds two security schemes into the basic protocol.
The first mechanism is the IP Authentication Header (AH, RFC 1826), an extension header that provides integrity and authentication for IP packets (but not confidentiality). Although many authentication algorithms may be supported, every implementation is required to support keyed MD5 (MD5 itself is described in RFC 1321, and its keyed use for AH in RFC 1828) to ensure interoperability. This requirement has since been superseded: HMAC-based algorithms replaced the keyed-MD5 construction (RFC 2403, RFC 2404), and MD5 is now deprecated for security use (RFC 6151). Use of AH defeats the large class of attacks that rely on forging the source address (IP address spoofing), because a forged packet cannot carry a valid authentication value. It is also valuable in overcoming some of the security weaknesses of IP source routing.
IPv4 provides no host authentication: the only indication of the sender is the source address written into the datagram by the sender itself, which can be anything the sender chooses. Placing host authentication at the Internet layer in IPv6 provides significant protection to higher-layer protocols and services that currently lack meaningful authentication of their own, in particular those that trust the source address alone.
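To make the Authentication Header concrete, here is an added example; it is not code from the original text and not a conforming RFC 1826 implementation. It builds an IPv6 packet carrying an AH with the RFC 1826 field layout, computes the Authentication Data as a keyed digest over the fields that do not change in transit, and then shows that a router decrementing Hop Limit leaves the packet valid while a forged source address, a flipped payload bit or a wrong key does not. Assumptions: the keyed digest is HMAC (RFC 2104) over MD5 rather than the RFC 1828 keyed-MD5 envelope, Hop Limit is the only mutable field zeroed, and the key, addresses, SPI and payload are constructed.

```python
"""Authentication Header (AH) walk-through: a keyed digest over the parts of
the packet that do not change in transit, so a forged source address is caught.

Added example for this page, not code from the original text or from any
RFC implementation. Simplifications: the MAC is HMAC (RFC 2104) over the
chosen hash rather than the RFC 1828 keyed-MD5 envelope; the only mutable
field zeroed is Hop Limit; key, addresses, SPI and payload are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

AH = 51    # Next Header value for the Authentication Header
UDP = 17


def _ipv6_header(src, dst, payload_len, next_hdr, hop_limit):
    """Fixed 40-octet IPv6 header with priority 0 and flow label 0."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def _authenticated_view(pkt, icv_len):
    """Copy of the packet as the digest sees it, with mutable fields zeroed:
    Hop Limit changes at every router, and the Authentication Data field is
    zeroed because it cannot cover itself."""
    buf = bytearray(pkt)
    buf[7] = 0
    buf[48:48 + icv_len] = bytes(icv_len)
    return bytes(buf)


def compute_icv(key, pkt, digest=hashlib.md5):
    """Keyed digest (the Integrity Check Value) over the authenticated view.
    MD5 is used only to match the text; in practice pass hashlib.sha256."""
    return hmac.new(key, _authenticated_view(pkt, digest().digest_size), digest).digest()


def add_auth_header(key, src, dst, upper_proto, payload, spi, hop_limit=64,
                    digest=hashlib.md5):
    """Sender side. AH per RFC 1826: Next Header, Length (Authentication Data
    in 32-bit words), Reserved, SPI, Authentication Data; payload follows."""
    icv_len = digest().digest_size            # 16 octets for MD5
    ah = struct.pack("!BBHI", upper_proto, icv_len // 4, 0, spi) + bytes(icv_len)
    pkt = _ipv6_header(src, dst, len(ah) + len(payload), AH, hop_limit) + ah + payload
    icv = compute_icv(key, pkt, digest)
    return pkt[:48] + icv + pkt[48 + icv_len:]


def verify_auth_header(key, pkt, digest=hashlib.md5):
    """Receiver side: recompute the ICV and compare in constant time."""
    if len(pkt) < 48 or pkt[6] != AH:
        return False
    icv_len = pkt[41] * 4
    if icv_len != digest().digest_size or len(pkt) < 48 + icv_len:
        return False
    return hmac.compare_digest(pkt[48:48 + icv_len], compute_icv(key, pkt, digest))


def demo():
    """Deliver one authenticated packet under several conditions and return
    the receiver's verdict for each."""
    key = b"constructed-demo-key"             # constructed; really a per-SPI shared secret
    pkt = add_auth_header(key, "2001:db8::1", "2001:db8::2", UDP, b"hello", spi=0x100)

    forwarded = bytearray(pkt)
    forwarded[7] -= 1                         # a router decremented Hop Limit

    spoofed = bytearray(pkt)
    spoofed[8:24] = ipaddress.IPv6Address("2001:db8::bad").packed   # forged source

    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                      # one payload bit flipped in transit

    return {
        "original": verify_auth_header(key, pkt),
        "hop_limit_decremented": verify_auth_header(key, bytes(forwarded)),
        "source_spoofed": verify_auth_header(key, bytes(spoofed)),
        "payload_tampered": verify_auth_header(key, bytes(tampered)),
        "wrong_key": verify_auth_header(b"other-key", pkt),
    }
```

The Hop Limit case is the design point worth noticing: AH has to skip exactly the fields routers legitimately rewrite. Zero too little and every forwarded packet fails verification; zero too much and an attacker gains a field that is not covered by the authentication value.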