چکیده (انگلیسی):

A considerable amount of time will be needed before each system in the Internet can convert from
Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6). Three strategies have been
proposed by the Internet Engineer Task Force (IETF) to help the transition from IPv4 to IPv6 which
are dual stack, header translation and tunneling. Tunneling is used when two computers using IPv6
want to communicate with each other and the packet will travel through a region that uses IPv4. To
pass through this region, IPv6 packet must be encapsulated in IPv4 packet to have an IPv4 address in
order to make it IPv4 routing compatible. Internet Protocol security (IPsec) in transport mode carries
the payload of the encapsulating packet as a plain data without any mean of protection. That is, two
nodes using IPsec in transport mode to secure the tunnel can spoof the inner payload; the packet will
be de-capsulated successfully and accepted. IETF mentioned this problem in many RFCs. According to
RFC 3964 there is no simple way to prevent spoofing attack in IPv6 over IPv4 tunnel and longer term
solutions would have to be deployed in both IPv4 and IPv6 networks to help identify the source of the
attack, a total prevention is likely impossible. This study proposed a new spoofing defense mechanism
based on IPsec’s protocol Encapsulated Security Payload (ESP). ESP’s padding area had been used to
write the IPv6 source address of the encapsulated packet. Simulation is conducted based on two
scenarios, one with spoofing attack and one without. The outcome proved that proposed mechanism
has managed to eliminate spoofing threat in IPv6 over IPv4 tunnel.