SPECIAL SECTION ON SECURE COMMUNICATION FOR THE NEXT GENERATION 5G AND

IOT NETWORKS

Received January 19, 2020, accepted February 5, 2020, date of publication February 18, 2020, date of current version February 27, 2020.
Digital Object Identifier 10.1109/ACCESS.2020.2974659

Dual-Stack Network Management Through

One-Time Authentication Mechanism
YI-CHIH KAO 1 , JUI-CHUN LIU 1 , YI-QUAN KE 1, SHI-CHUN TSAI 2, (Senior Member, IEEE),
AND YI-BING LIN 2 , (Fellow, IEEE)
1 Information Technology Service Center, National Chiao Tung University, Hsinchu 30010, Taiwan
2 Department of Computer Science, National Chiao Tung University, Hsinchu 30010, Taiwan
Corresponding author: Yi-Chih Kao ([email protected])
This work was financially supported by the Center for Open Intelligent Connectivity from the Featured Areas Research Center Program
within the framework of the Higher Education Sprout Project by the Ministry of Education (MOE) in Taiwan.

ABSTRACT The exhaustion of IPv4 addresses has led to the rapid implementation of IPv6. However,
the design of IPv6 is incompatible with that of its predecessor IPv4 and slows down the development of the
IPv4-to-IPv6 migration. Several transitioning mechanisms have been proposed to attain the compatibility
of IPv4 and IPv6 to bridge the gap between these two heterogeneous protocols. The two protocols would
need to coexist continually before IPv6 completely takes over IPv4. However, the existing captive portal
authentication systems generally do not support IPv4/IPv6 dual-stack authentication and lack one-time dual-
stack authentication solutions. Upgrading the authentication system has become an urgent problem to be
addressed. This study presents dual-stack network management strategies using a novel one-time authen-
tication mechanism for large and complex dual-stack network environments. The proposed authentication
system resolves the inconvenience of separate IPv4 and IPv6 authentication and effectively improves the
compatibility of the two protocols. Furthermore, authenticating both IPv4 and IPv6 increases the traceability
of traffic logs when security attacks occur. The proposed solution is deployed in a campus dormitory
environment, and the feasibility and stability are successfully verified.

INDEX TERMS Authentication, dual-stack, IPv6, management.

I. INTRODUCTION encryption to enhance confidentiality and keep transmitted

A. THE EMERGENCE OF IPV6 contents from eavesdropping. Another essential feature of
The exhaustion of IPv4 addresses has become a real- IPsec is the provision of Virtual Private Network (VPN)
ity. To maintain network services, the introduction of functionality, enabling a more secure and reliable VPN in
IPv6 addresses is an inevitable step. As the successor of IPv6. At the same time, QoS uses the Flow Label field of
IPv4, IPv6 increases the address length of IPv4 by four times, the IPv6 header to meet the low latency requirements of
expanding it from the current 32 bits (4 bytes) to 128 bits multimedia applications (e.g., VoIP and video) and provide
(16bytes). As a result, IPv6 offers 3.4 × 1038 address spaces, highly efficient network transmission quality.
which is a significant increase from the 4.29 × 109 address IPv6 is widely used nowadays, according to the statis-
space of IPv4, providing a massive number of IP addresses tics report from Google [2], the global IPv6 deployment
for exploitation. Besides, IPv6 offers notable improvements and adoption rate reached 25% in 2018. According to
in terms of Internet Protocol Security (IPSec) and Quality of the data from Taiwan Network Information Center [3],
Service (QoS). The built-in IPsec in IPv6 provides two secu- the IPv6 deployment and adoption rate of Taiwan has
rity mechanisms for data transmission: authentication and increased from 0.38% (67th place in the global ranking) in
encryption. By adding a mandatory Authentication Header, November 2017 to 34.93% (7th place in the global ranking)
the integrity and non-repudiation of the packet transmission in January 2019.
are ensured by the Encapsulating Security Payload on packets
B. IPV4/IPV6 DUAL-STACK
The associate editor coordinating the review of this manuscript and Currently, the majority of network hardware and soft-
approving it for publication was Ilsun You . ware systems are operating under IPv4. Once the network

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
34706 VOLUME 8, 2020
Y.-C. Kao et al.: Dual-Stack Network Management Through One-Time Authentication Mechanism

environment is upgraded to IPv6, the end-to-end related improperly implemented dual-stack authentication may sac-
connections, routers, switches, firewalls, intrusion detection rifice the manageability and security of IPv4 and IPv6 traffic.
systems, and web applications must support IPv6 to main- The rest of this paper is organized as follows. Section II
tain normal network functions. However, the complexity and overviews the techniques and literature related to IPv4 and
uncertainty of these network components often make users IPv6 address allocation, as well as authentication in dual-
hesitate. stack network environments. Section III describes the current
IPv6 is expected to replace the role of IPv4 on the Internet authentication system architecture deployed across a campus
completely. Until then, these two heterogeneous protocols dormitory and outlines a novel one-time authentication mech-
still need to coexist for a long time. Given the differences anism for our dual-stack network environment.
in the design of these protocols, numerous IPv4/IPv6 transi- Section IV presents the experiments conducted to ver-
tioning mechanisms have been developed. The most common ify the functionality and stability of the proposed one-time
techniques include dual-stack, tunneling, and translation. authentication architecture. Finally, Section V provides con-
Since tunneling and translation have performance bottle- clusions and suggestions for future work.
necks [4], they are only short-term solutions. Only the dual-
stack approach can gradually evolve from IPv4 dominant II. BACKGROUND AND RELATED WORK
network to IPv4/IPv6 dual-stack network, finally reaching This section overviews the existing techniques related to
an entirely IPv6-based network. Therefore, this study mainly address allocation in dual-stack networks, namely, DHCP
focuses on the dual-stack technique. Option 82 and IPv6 Address Auto-Configuration. Also,
With the continuous development of IPv6, effectively the IPv4 and IPv6 transitioning mechanisms are briefly intro-
authenticating the identity of users has become a research duced. Finally, previous studies on Media Access Control
subject. Nevertheless, the majority of current captive por- (MAC) based authentication and dual-stack authentication
tals are designed based on IPv4 and cannot fully support mechanisms are surveyed.
IPv6 [13]. Therefore, when a device accesses the network
with IPv4 and IPv6 addresses, the IPv4 address needs to A. DHCP OPTION 82
pass authentication, whereas the IPv6 address can access the As defined in RFC3046 [5], DHCP Option 82 is the Relay
network without any authentication [12]. Since the majority Agent Information Option in the DHCP packet. When Option
of authentication systems lack effective control mechanisms 82 is enabled in the network, a network device (DHCP client)
over the IPv4/IPv6 dual-stack access, they can only authen- can send a DHCP request to the DHCP server. In this case,
ticate one type of protocol at a time, either IPv4 or IPv6. the switch (DHCP relay agent) injects additional information
Such authentication systems carry out authentication twice called Relay Agent Information specifying the details about
at the user’s IPv4 and IPv6, respectively [11], [13]. That the switch and port to which the client is connected. When
is, after IPv4 has been authenticated, the user has to be the DHCP server receives the packet, it parses the Option
authenticated again if he/she needs to access IPv6 applica- 82 information to identify which IPv4 address to be assigned
tions. Similarly, for IPv6, the user has to be authenticated to this client. Hence, DHCP servers can be configured to
once again if he/she needs to access IPv4 applications. Such always assign the same IPv4 address to the devices on a
inconvenience may deter users from migrating to IPv6. Even specific port. Note this way is more convenient for the net-
worse, the incapability of some authentication systems to work administrator to manage specific areas by providing
authenticate IPv6 addresses can result in security concerns, particular sets of dynamic IPs from the DHCP pool and
necessitating an effective dual-stack authentication mecha- minimize IP conflict or collision occurrences.
nism to overcome these problems.
B. IPV6 ADDRESS AUTO-CONFIGURATION
There are two types of IPv6 network address configura-
C. DUAL-STACK NETWORK MANAGEMENT tion approaches: static and dynamic. Stateful and State-
In large and complex network environments such as a cam- less Address Auto-Configuration [6] are examples of the
pus dormitory, effectively managing IPv4 and IPv6 network dynamic address configuration approaches. The State-
services could be a nightmare for network administrators. ful DHCPv6 inherits auto-configuration service from the
Therefore, this paper proposes a series of dual-stack network IPv4 DHCP. Since the IPv6 address is assigned via DHCPv6,
management strategies to ensure controllability over a large the correspondence between IPv6 and MAC addresses is
number of users. First, we discuss the existing techniques recorded and maintained in a binding table that is updated
for IPv4 and IPv6 address allocation. Then, we propose a periodically. Hence, this configuration approach is called
novel dual-stack authentication mechanism for environments Stateful.
where IPv4 and IPv6 coexist. This mechanism enables effi- The Stateless Address Auto-Configuration (SLAAC) is
cient and convenient one-time authentication. The capability another auto-configuration approach. The information of the
of tracking and monitoring the IPv4 and IPv6 of authenti- IPv6 prefix and the default gateway is obtained from the
cated users is achieved by combining the strategies mentioned router advertisement (RA) packet, and the IEEE defined
above, which helps mitigating security attacks. Note that an 64-bit extended unique identifier (EUI-64) is used to allow

VOLUME 8, 2020 34707

 Y.-C. Kao et al.: Dual-Stack Network Management Through One-Time Authentication Mechanism

the host to assign a unique 64-bit IPv6 interface identifier to for each IP address to gain access to one or more network
itself. EUI-64 automatically configures the IPv6 address of resources. The productivity of users can be decreased sig-
the host based on the MAC address of the original interface nificantly due to many separate authentication procedures.
plus a fixed prefix. In other words, a complete IPv6 address Hence, we explore several dual-stack authentication mech-
in SLAAC is formed by the RA-assigned prefix and the anisms to find a better technique that solves this problem.
automatically generated interface ID by EUI-64. This plug- The framework proposed by Bennett III et al. [10] authen-
and-play feature helps simplify the host configuration and ticates user devices through discovering their IP versions to
reduce the burden of end-users. determine whether they are authorized to access data via
IPv4, IPv6, or both. If authorization information indicates
C. IPV4 AND IPV6 TRANSITIONING MECHANISM that the user can only access the data through IPv4 instead
The commonly used IPv4 and IPv6 transitioning mech- of IPv6, the authentication device only triggers the necessary
anisms include dual-stack, tunneling, and translation. steps to authenticate IPv4. Thus additional resources are not
Dual-stack is the most popular and widely used one that consumed to authenticate the user device’s IPv6 and vice
turns an IPv4-capable device into supporting IPv4 and versa. However, this solution has not been tested in a working
IPv6 simultaneously. A dual-stack-capable device not only environment, and there exist performance concerns when
enables IPv4 and IPv6 to coexist but also ensures their inter- applied to complex network environments.
operability and backward compatibility. Tunneling encap- Sanguanpong and Koht-Arsa [11] proposed a mechanism
sulates an IPv4 header outside the IPv6 packet, allowing called Dual Address Discovery (DAD) to avoid duplicate
IPv6-capable network devices at both ends to communicate authentication under the dual-stack network environment.
via the IPv4 tunnel and providing IPv6 virtual connections By embedding two image tags in the login page, where one
over the IPv4 physical network. IPv4/IPv6 translation is of the DNS maps to the IPv4 address, and the other maps to
similar to the network address translation, which utilizes a the IPv6 address, then these two separate protocols are bound
router or a default gateway at the IPv4 or IPv6 border to together with an identical hash code. Once the user obtains
convert the IPv4 header to the IPv6 header or vice versa, both IPv4 and IPv6 addresses, the authentication server can
allowing IPv4 and IPv6 network devices to communicate associate IPv4 and IPv6 with the same hash code, thereby
with each other. authenticating the two protocols at the same time. Such an
approach can effectively save time by preventing repeated
D. MAC AUTHENTICATION authentication. While the architecture of DAD is relatively
MAC authentication is an approach authenticating a device simple and easy to deploy, there are still some problems to
based on its MAC address that must match a predefined IP be solved. For example, it requires the users to have both
address. Kao et al. [7] summarized the specific process of IPv4 and IPv6 addresses during the authentication process
MAC authentication: if a user device fails the authentication, to achieve one-time authentication. If users complete the
it will be redirected to the captive portal where the user authentication in a pure IPv4 environment and then transfer
has to enter his/her credentials, which will be stored in the to a dual-stack environment, the authentication procedure
database together with the device’s MAC address. When the must be repeated to let the authentication server to associate
user connects to the Internet via the same device next time, IPv4 and IPv6. Sanguanpong et al. did not elaborate on the
the user device will automatically pass the identity authenti- system architecture of their tested environment, nor did they
cation after verifying its MAC address stored in the database. verify and evaluate its performance, stability, and feasibility
The authentication mechanism based on software-defined in a working network environment.
networking proposed by Lu et al. [8] contains an authen- According to the method designed by Lin [12], the authen-
tication table module that maintains a sheet for storing the tication system controls the address allocation process of
collected users’ device information. The sheet is indexed the second IP address after the first one is authenti-
by the MAC address to avoid duplicate entries. The ver- cated. Then, the authentication system stores both IPv4 and
ification module parses all packet-in ICMPv6 packets to IPv6 addresses, along with other information in the user infor-
filter out Neighbor Discovery Protocol (NDP) packets to mation table, and manages dual-stack users’ network access
check whether the source MAC and IPv6 addresses match according to the stored control policy. This approach solves
the information stored in the authentication table. Despite the problem that any randomly configured address can access
exploiting MAC address as the key value, the approach the service through a network device without authentication.
proposed by Lu et al. only offers an authentication mech- For example, when the portal authenticates an IPv4 user,
anism for IPv6 without considering IPv4/IPv6 dual-stack the user information is added to the database, and the RA
authentication. is sent to the user to notify him/her about the IPv6 address
configuration method. Similarly, after the authentication of
E. DUAL-STACK AUTHENTICATION MECHANISM IPv6, the user information is added to the database, and a
As mentioned by Huang et al. [9], many users may access DHCPv4 discovery message is sent to the user to notify the
multiple network resources during a work session. Thus, user user about the IPv4 address configuration method, thereby
devices have to be authenticated via separate login procedures achieving the access control of the dual-stack user. However,

34708 VOLUME 8, 2020

Y.-C. Kao et al.: Dual-Stack Network Management Through One-Time Authentication Mechanism

TABLE 1. Summary of dual-stack authentication mechanisms.

RA must be placed in the lower layer (Gateway) of the IPv6 coexist, they lack flexibility in operation. For exam-
network architecture. A typical network does not have an ple, Lin’s solution relies on RA and requires authentication
appropriate environment and resources to implement a large equipment supporting RA, which is not suitable for a network
amount of authentication equipment. Therefore, this method environment managed centrally only by the upper L3 authen-
is not suitable for centralized network environments managed tication server. The studies by Sanguangpong et al. and Wang
only by the upper layer-3 authentication server. adopt the method of embedding the same hash code, requiring
Wang [13] obtained the IPv4 and IPv6 association of the both the IPv4 and IPv6 addresses to be present while conduct-
user by parsing DHCP packets. In the IPv4 environment, ing user authentication to achieve one-time authentication.
the MAC address in the DHCP packet can be used to asso-
ciate the IPv4 address of the user. In the IPv6 environ- III. PROPOSED FRAMEWORK
ment, the DHCP Unique Identifier (DUID) identifies the This section describes the structure of the authentication sys-
DHCPv6 device in the DHCPv6 packet, thus binding the user tem deployed in a campus dormitory. It illustrates the address
DUID with the IPv6 address. The DNS server redirects all auto-configuration process applied to this versatile dormitory
requests of the user to the authenticated portal page to attain environment considering the convenience and security of
one-time IPv4/IPv6 dual-stack authentication when the user dorm users in terms of network service. Furthermore, this
obtains the IP address. If an unauthenticated user uses IPv4 to section presents the proposed one-time dual-stack authentica-
access the portal, he/she will be redirected to the login portal tion mechanism with its functional modules and demonstrates
together with an encrypted message. Then, a JavaScript code its ability to trace security attacks within the considered
actively triggers the user to access another login portal with domain.
IPv6 carrying the same encrypted message. When the portal
obtains the user’s IPv4 and IPv6 addresses simultaneously, A. AUTHENTICATION SYSTEM ARCHITECTURE
the binding of the user’s IP addresses is achieved. The architecture of the deployed authentication system is
As pointed out in [13], traditional methods for binding illustrated in Fig. 1. The main components of the authen-
user MAC and IP addresses for authentication have sev- tication system include a Core Router, an Authentication
eral problems in the dual-stack environment. First, when the Server (Auth Server), an Internal Router, Layer 3 Switches
authentication equipment is deployed between the layer-3 (L3 Switch), a DHCP Server, Layer 2 Switches (L2 Switch),
switch and the internal network, the user MAC address may and End User Devices. The Core Router (Fig. 1(a)) serves
be dropped by the routing equipment in-between, preventing as the gateway of the entire architecture for external con-
the IPv4/IPv6 association of the same user being created. nections. The Auth Server (Fig. 1(b)) is responsible for
Second, if the stateful auto-configuration is adopted in the determining whether the underlying traffic is from an authen-
DHCPv6 address configuring process, the message passed ticated user. The Internal Router (Fig. 1(c)) is responsible for
through the DHCPv6 relay does not contain the MAC address the congregation of network cables from the L3 Switches
information, and no IPv4/IPv6 association would be estab- (Fig. 1(d)). The DHCP Server (Fig. 1(e)) is connected to
lished. the L3 Switch to provide IP addresses automatically. For the
Table 1 summarizes the reviewed dual-stack authentica- network distributing cables of each dormitory, the L3 Switch
tion mechanisms. Even though some of these authentica- acts as a gateway connecting to each room’s network ports
tion mechanisms can achieve authentication when IPv4 and via L2 Switch (Fig. 1(f)) to serve the End User Devices

VOLUME 8, 2020 34709

 Y.-C. Kao et al.: Dual-Stack Network Management Through One-Time Authentication Mechanism

to the MAC and IP addresses of a particular device when the

lease time has not expired. If another device is connected to
a port that has a predefined binding rule, the DHCP relay
identifier will not match, preventing the new device from
obtaining an IP address from the DHCP server. To overcome
this problem, we give a novel approach called MAC Proxy
is applied, which makes the MAC address of the switch port
act as a proxy client for binding an IP address. It improves
interoperability by binding the MAC address of the switch
port in Option 82, instead of binding the MAC address of a
user device. It allows IP addresses to be immediately released
and returned to the address pool when DHCP clients are no
longer using the IP addresses. When another DHCP client
sends a request, the DHCP server can assign the released IP
addresses to other clients. Without MAC Proxy, IP addresses
may be occupied for the entire lease time, and other DHCP
clients would have to wait until the address lease time expires

C. DUAL-STACK AUTHENTICATION MECHANISM

The automatic address allocation is extensively used in the
considered campus dormitory to provide the flexibility of
FIGURE 1. Proposed authentication system architecture.
managing and maintaining network services from a central-
ized position without the need for manual configuration.
(Fig. 1(g)). Instead of connecting all L3 Switches directly to When a user tries to initiate an Internet connection after
the Auth Server to enable the backbone network, the proposed obtaining IPv4 and IPv6 addresses, he/she has to be authenti-
architecture utilizes a router to accommodate the traffic of cated before accessing the Internet. In this scenario, the user is
each L3 Switch. Thus, the Auth Server only needs to manage redirected to the captive portal responsible for the user access
upward and downward network interfaces, making the net- control to verify the user identity.
work architecture relatively simple and easy to manage. To authenticate IPv4 and IPv6 addresses effectively and
seamlessly, one needs a robust dual-stack authentication
B. AUTOMATIC ADDRESS ALLOCATION STRATEGIES mechanism. In the following paragraphs, the workflow
1) MOTIVATION of the traditional dual-stack authentication mechanism is
The network environment of university dormitories is often first described to understand its flaw and inefficiency. The
versatile and sophisticated, designed to accommodate a large proposed one-time dual-stack authentication mechanism is
number of students. Students come and go every year. Thus, explained later to emphasize its advantages.
the configuration of the university network is constantly
changing. To help network administrators to manage such 1) TRADITIONAL DUAL-STACK
a complex environment, it requires the implementation of AUTHENTICATION WORKFLOW
a convenient yet secure address auto-configuration process. Fig. 2 shows the traditional dual-stack authentication mech-
In the dormitory, we deploy DHCP Option 82 to provide anism. In the beginning, a user attempts to initiate the first
IPv4 addresses based on switch ports, while SLAAC is for HTTP connection through IPv4 (Fig. 2(a)), the Auth Server
allocating IPv6 addresses. finds that the user’s IPv4 address has not been authenticated
By exploiting DHCP and SLAAC to allocate IPv4 and according to the packet source IP (Fig. 2(b)). The unauthen-
IPv6 addresses automatically, the problem of manually set- ticated user is then redirected to the login page (Fig. 2(c)),
ting up the network configuration for thousands of users is where he/she is required to enter the account name and
avoided, which not only simplifies the host configuration pro- password to be authenticated (Fig. 2(d)). After recogniz-
cess but also relieves the burden of end-users. Furthermore, ing the user’s IPv4 as authenticated (Fig. 2(e)), the Auth
with Option 82, every switch port is mapped to a specific Server grants the user access to the network service via IPv4
IP address. It can enhance the manageability of network (Fig. 2(f)). Upon completing the IPv4 authentication, the user
services. The use of Option 82 can also protect users against can attempt to initiate the connection via IPv6 (Fig. 2(g)).
security attacks such as spoofing and forging of IP and MAC In this case, the Auth Server finds that the user’s IPv6 address
addresses, making the network environment more secure. has not been authenticated according to the packet source IP
(Fig. 2(h)). The unauthenticated user is hence redirected to
2) MAC PROXY the login page again (Fig. 2(i)), where he/she has to re-enter
The network configuration of a dormitory is often dynamic, the account name and password for authentication (Fig. 2(j)).
which creates the issue that a switch port might already bound After recognizing the user’s IPv6 as authenticated (Fig. 2(k)),

34710 VOLUME 8, 2020

Y.-C. Kao et al.: Dual-Stack Network Management Through One-Time Authentication Mechanism

FIGURE 2. Traditional dual-stack authentication mechanism workflow [1]. FIGURE 3. One-time dual-stack authentication mechanism workflow [1].

the MAC address displayed in the ARP table still belongs to

the Auth Server grants the user access to the network ser- the user device.
vice via IPv6 (Fig. 2(l)). Similarly, if the user first passes When the L3 Switch receives the request message, it first
IPv6 authentication, he/she still has to be authenticated again enquires about the ARP and NDP tables accordingly and
when using IPv4. sends back the response to the Auth Server. The Auth Server
then compares the obtained content with the user IP and MAC
2) DEPLOYING THE ONE-TIME DUAL-STACK addresses. If the MAC address matches the information stored
AUTHENTICATION MECHANISM IN in the Auth Server, the user is authenticated successfully; if
CAMPUS DORMITORY the MAC address does not match, the authentication fails.
In the campus dormitory framework, the L3 Switch is a This approach solves the problem that the upper-layer authen-
gateway maintaining IPv4 and MAC addresses mapping in tication device of the L3 Switch cannot read the user MAC
the Address Resolution Protocol (ARP) table, as well as address, and establishes a flexible and easy-to-deploy dual-
IPv6 and MAC addresses mapping in the NDP table. Hence, stack authentication mechanism.
the L3 Switch has the user information, including IPv4, IPv6,
and MAC addresses. Since the user’s MAC address is unique 3) ONE-TIME DUAL-STACK AUTHENTICATION WORKFLOW
and fixed, the Auth Server can obtain the user information According to the one-time dual-stack authentication mech-
through the Simple Network Management Protocol (SNMP), anism workflow shown in Fig. 3, the L3 Switch records
making it a MAC-based authentication mechanism. the underlying user information to the ARP and NDP tables
This study proposes a cross-layer-3 MAC authentication (Fig. 3(a)). The Auth Server can then obtain ARP and NDP
solution suitable for dual-stack environments that allows the tables from the L3 Switch via SNMP (Fig. 3(b)). When a
Auth Server to query the L3 Switch periodically through the user attempts to initiate the first HTTP connection via IPv4
SNMP protocol to obtain the user devices’ IPv4, IPv6, and (Fig. 3(c)), the Auth Server compares the packet source IP
MAC addresses stored in the ARP and NDP tables. It should with that in the ARP table to obtain the MAC address of
be noted that although the MAC address of the user device is the user and finds that the user’s MAC address has not
replaced by that of the switch port when applying MAC Proxy been authenticated (Fig. 3(d)). The unauthenticated user is
as mentioned previously, the switch port’s MAC address then redirected to the login page (Fig. 3(e)), where he/she
is only transmitted as a proxy in the DHCP relay. Thus, is required to enter the account name and password to be

VOLUME 8, 2020 34711

 Y.-C. Kao et al.: Dual-Stack Network Management Through One-Time Authentication Mechanism

FIGURE 4. Modules of the proposed authentication system.

authenticated (Fig. 3(f)). After the Auth Server recognizes the 2) AUTHENTICATION MODULE
IPv4 and MAC addresses as authenticated (Fig. 3(g)), the user The Authentication Module can utilize a local database,
can use the network service via IPv4 (Fig. 3(h)). When the RADIUS, LDAP, or other approaches for user authentica-
user attempts to use IPv6 to initiate the connection (Fig. 3(i)), tion. If a user is authenticated successfully, the user account,
the Auth Server compares the packet source IP with that IPv4/IPv6 addresses, MAC address, and other information
in the NDP table to obtain the MAC address of the user is recorded in the authenticated IP and MAC tables. For
and find that the user’s MAC address has been authenticated an unauthenticated IP address with an authenticated MAC
(Fig. 3(j)). Therefore, the IPv6 packet is not blocked, and the address, this module would utilize the account information
user is allowed to use the network service via IPv6 without used in the MAC authentication, and add the IP address into
logging again (Fig. 3(k)). Similarly, if a user first passes the authenticated IP table.
IPv6 authentication, the Auth Server can identify whether the
IPv4 address has passed the authentication using the recorded 3) FLOW CONTROL MODULE
MAC address and ARP table. Further authentication for the The Flow Control Module determines whether the user is
IPv4 address is not required. authenticated based on the packet source IP. If the source IP
is unauthenticated, the Flow Control Module will contact the
4) SUMMARY
Authentication Module to check whether the MAC address
of the IP has been authenticated. If yes, the Flow Control
The traditional authentication architecture requires separate
Module would add this IP to the authenticated IP table.
authentication for IPv4 and IPv6. Some systems only authen-
Otherwise, the user would be redirected to the login page for
ticate either IPv4 or IPv6, making users vulnerable to security
authentication. If no packet is received from an IP address
attacks. In contrast, the proposed authentication mechanism
stored in the authenticated IP table for a certain period, the IP
first uses SNMP to obtain the user identity information
address would be removed.
from the ARP and NDP tables. It then uses the recorded
MAC address to authenticate the identity and completes the E. IPV4 AND IPV6 TRAFFIC TRACEABILITY AGAINST
authentication for IPv4 and IPv6 at the same time. When the SECURITY ATTACKS
connection is initiated by another protocol again, the second Considering the series of steps for providing dual-stack net-
login is not required. Hence, the user remains unaware of the work service mentioned earlier in this section, the trace-
authentication process. ability of user IPv4 and IPv6 traffic is further enhanced
since not only IPv4 but also IPv6 within the system are
D. AUTHENTICATION SYSTEM MODULES authenticated. In case of a security incident, the network
As illustrated in Fig. 4, the authentication system consists of traffic could be traced immediately by cross-checking authen-
the MAC Identification Module, Authentication Module, and tication and threat logs to find potential attackers based on
Flow Control Module. the source IP. Malicious attacks could then be blocked via
the next-generation firewall or the web application firewall.
1) MAC IDENTIFICATION MODULE The risk of security attacks through penetrating network
vulnerabilities due to the lack of authentication for IPv6 is
The MAC Identification Module is established based on the
limited.
SNMP protocol. It is responsible for obtaining the ARP and
NDP tables from the user’s gateway via SNMP. The ARP and IV. IMPLEMENTATION AND
NDP tables provide the mapping of IPv4 and IPv6 to MAC PERFORMANCE EVALUATION
addresses, respectively, enabling the Authentication Module The proposed one-time dual-stack authentication mecha-
to verify the user information. nism is currently deployed in the authentication system of a

34712 VOLUME 8, 2020

Y.-C. Kao et al.: Dual-Stack Network Management Through One-Time Authentication Mechanism

FIGURE 5. Test PC information in the user information test.

FIGURE 6. Unauthenticated IPv4 user in the user information test.

FIGURE 7. Unauthenticated IPv6 user in the user information test.

university dormitory network. Under this environment, 2) ONE-TIME AUTHENTICATION TEST

we perform a series of functional experiments by logging into This subsection describes the process of verifying the one-
the authentication system from a personal computer (PC) to time dual-stack authentication capability of the proposed
verify the feasibility of the proposed one-time authentication authentication system to ensure sparing the login for the sec-
architecture within a dual-stack environment. Furthermore, ond protocol after successfully authenticating the first pro-
the stability of the system was evaluated by monitoring the tocol. Following the user information test, the unauthorized
system traffic for some time. test PC was redirected to the login page to pass the authen-
tication by entering the account name and password. The
1) USER INFORMATION TEST IPv6 authentication logs presented in Fig. 8 indicate that the
To test whether the proposed authentication system can obtain test PC’s IPv6 and MAC addresses were authenticated via
relevant user information via SNMP, we used the ipconfig RADIUS. Therefore, when the user tried to initiate another
command to obtain the IPv4, IPv6, and MAC addresses of connection via IPv4, the authentication system found that
the test PC. Fig. 5 shows that the IPv4 address, IPv6 address, the MAC address had already been authenticated, and there
and the physical address (i.e., MAC address) are 140.x.x.245, was no need for further authentication, as indicated by the
2001:288:4001:x:x:x:x:d362, and B8:6B:23:x:x:13, respec- IPv4 authentication logs presented in Fig. 9.
tively. We then looked up the unauthenticated user list at the
system backstage to find relevant login records. As expected, 3) MAC AUTHENTICATION TEST
the authentication server obtained the test PC’s information To test whether the system used the stored test PC’s MAC
stored in the ARP and NDP tables from the L3 Switch via address for authentication, we reconnected the network to
SNMP. Figs. 6 and 7 illustrate the unauthenticated user list obtain a new set of IPv4 and IPv6 addresses and viewed the
of the test PC’s IPv4 and IPv6 addresses, respectively. The newly obtained IP and MAC addresses using the ipconfig
figures show the information of requiring authentication on command. Fig. 10 shows the IPv4 address, IPv6 address, and
the server. MAC address are, 140.x.x.218, 2001:288:4001:x:x:x:x:6bd0,

VOLUME 8, 2020 34713

 Y.-C. Kao et al.: Dual-Stack Network Management Through One-Time Authentication Mechanism

FIGURE 8. IPv6 authentication logs in the one-time authentication test.

FIGURE 9. IPv4 authentication logs in the one-time authentication test.

FIGURE 10. Test PC information in the MAC authentication test.

FIGURE 11. IPv6 authentication logs in the MAC authentication test.

FIGURE 12. IPv4 authentication logs in the MAC authentication test.

and B8:6B:23:x:x:13, respectively. Since the test PC’s 4) STABILITY TEST

MAC address had been authenticated previously, the newly The proposed authentication system is currently in use in
obtained IPv4 and IPv6 were seamlessly authenticated based a campus dormitory, and the system has been online for
on the MAC address, as shown in the IPv4 and IPv6 authen- over a year. We browsed the authentication system backstage
tication logs marked in red in Figs. 11 and 12, respectively. to select 1-week online user traffic randomly, as showed
There was no need to redirect the user to the login page again, in Fig. 13. From the figure note that the online user traffic
making the user unaware of the authentication process. of the authentication system fluctuates around 10,000 users

34714 VOLUME 8, 2020

Y.-C. Kao et al.: Dual-Stack Network Management Through One-Time Authentication Mechanism

FIGURE 13. Online user traffic.

FIGURE 14. SNMP CPU load.

per day, and the peak period is usually at midnight. This This work implements the one-time authentication mech-
phenomenon can be explained by the fact that dormitory anism based on SNMP that can acquire the user’s IPv4,
students tend to surf the Internet during this period. Figure 14 IPv6, and MAC addresses from the ARP and NDP tables and
illustrates the SNMP CPU load of the authentication system utilizes the MAC address for authentication. The proposed
for the same week as presented on the PRTG network mon- mechanism provides a functioning solution to resolve prob-
itor [14]. It shows that the trend of the SNMP CPU load lems related to IPv6 authentication. For future improvement,
is consistent with that of the online user traffic, i.e., it is artificial intelligence is a promising tool to perform log anal-
higher at midnight because of the increased number of users ysis and build predictive models for detecting abnormal dual-
at this time. In summary, the online users and CPU load stack traffic proactively. Furthermore, an automated intrusion
remain stable when using the proposed authentication sys- detection prevention system can be deployed to prevent mali-
tem, indicating that the system provides a practical dual-stack cious network behaviors by integrating the proposed solution
authentication solution for a large network environment. with the auto-blocking mechanism [15], [16].

ACKNOWLEDGMENT
V. CONCLUSION The authors would like to thank UGuard Technologies for
The IPv6 protocol has been evolving for many years. their help. This work benefits greatly from their insight
Nonetheless, many existing authentication systems lack and expertise. This article was presented in part at the
one-time authentication mechanisms in IPv4/IPv6 dual- Fourth International Symposium on Mobile Internet Security,
stack network environments. This paper reviews the exist- Taichung, Taiwan, October 2019.
ing authentication technologies and mechanisms of various
authentication methods. Based on the presented surveys, REFERENCES
the existing authentication systems would require a faster [1] J.-C. Liu, Y.-Q. Ke, Y.-C. Kao, S.-C. Tsai, and Y.-B. Lin, ‘‘A dual-stack
and more effective one-time authentication scheme when authentication mechanism through SNMP,’’ in Proc. 4th Int. Symp. Mobile
Internet Secur., 2019, pp. 1–13.
IPv6 gradually becomes popular. In many cases, the authen- [2] Google IPv6 Adoption Statistics. Accessed: Sep. 6, 2019. [Online]. Avail-
tications of IPv4 and IPv6 are considered separately, and able: https://www.google.com/intl/en/ipv6/statistics.html
some applications even fail to authenticate IPv6. Thus, simul- [3] Taiwan IPv6 Global Ranking. Accessed: Sep. 6, 2019. [Online]. Available:
https://ipv6now.twnic.net.tw/ipv6/index.html
taneously authenticating IPv4 and IPv6 becomes a highly [4] TWNIC. (2012). IPv6 Upgrade Implementation Technical Manual.
demanding functionality when providing network services. [Online]. Available: https://ipv6now.twnic.net.tw/ipv6/index.html

VOLUME 8, 2020 34715

 Y.-C. Kao et al.: Dual-Stack Network Management Through One-Time Authentication Mechanism

[5] M. Patrick. (2001). RFC 3046: DHCP Relay Agent Information Option. YI-QUAN KE received the B.S. degree in commu-
[Online]. Available: https://tools.ietf.org/html/rfc3046 nications engineering from Feng Chia University,
[6] S. Thomson. (2007). RFC 4862: IPv6 Stateless Address Autoconfiguration. in 2016. He is currently with the Information Tech-
[Online]. Available: https://tools.ietf.org/html/rfc4862 nology and Service Center, National Chiao Tung
[7] Y.-C. Kao, Y.-C. Chang, and R.-S. Chang, ‘‘EZ-Net BYOD service man- University. His research interests include network
agement in campus wireless networks,’’ J. Internet Technol., vol. 18, no. 4, communication and information security.
pp. 907–917, 2017.
[8] Y. Lu, M. Wang, and P. Huang, ‘‘An SDN-based authentication mechanism
for securing neighbor discovery protocol in IPv6,’’ Secur. Commun. Netw.,
vol. 2017, pp. 1–9, 2017.
[9] X.-Y. Huang, Z. Chen, Y.-F. Hu, and R. Cai, ‘‘Single login authentication
for users with multiple IPv4/IPv6 addresses,’’ U.S. Patent 9 467 456 B2,
Oct. 11, 2016.
[10] J. H. Bennett, III, J. R. Breau, B. B. Hirschman, T. D. Nebergall, and
F. C. Rogers, ‘‘Optimizing device authentication by discovering Internet
protocol version authorizations,’’ U.S. Patent 8 151 325 B1, Apr. 3, 2012.
[11] S. Sanguanpong and K. Koht-Arsa, ‘‘A design and implementation of dual-
stack aware authentication system for enterprise captive portal,’’ in Proc.
9th Int. Conf. Netw. Service Manage. (CNSM), Oct. 2013, pp. 118–121. SHI-CHUN TSAI (Senior Member, IEEE)
[12] T. Lin, ‘‘Method and apparatus for dual stack access,’’ received the B.S. and M.S. degrees from National
U.S. Patent 9 094 264 B2, Jul. 28, 2015. Taiwan University, Taiwan, in 1984 and 1988,
[13] D.-J. Wang, Design and Implementation of Authentication System for respectively, and the Ph.D. degree from the Uni-
IPv4/IPv6 Dual Stack Hosts. Beijing, China: China Academic Journal
versity of Chicago, USA, in 1996, all in com-
Electronic Publishing House, 2017.
puter science. He is currently a Professor with the
[14] PRTG Network Monitor. Accessed: Sep. 26, 2019. [Online]. Available:
https://www.paessler.com/prtg
Department of Computer Science, National Chiao
[15] S.-J. Fu, H.-W. Hsu, Y.-C. Kao, S.-C. Tsai, and C.-C. Tseng, ‘‘An auto- Tung University (NCTU), Taiwan. His research
blocking mechanism for firewall service,’’ in Proc. IEEE Conf. Depend- interests include computational complexity, algo-
able Secure Comput., Aug. 2017, pp. 531–532. rithms, cryptography, and software defined net-
[16] Y.-C. Kao, J.-C. Liu, Y.-H. Wang, Y.-H. Chu, S.-C. Tsai, and Y.-B. Lin, working and applications. Dr. Tsai is a member of ACM and SIAM.
‘‘Automatic blocking mechanism for information security with SDN,’’
J. Internet Service Inf. Secur., vol. 9, no. 1, pp. 60–73, 2019.

YI-BING LIN (Fellow, IEEE) received the bach-

elor’s degree from National Cheng Kung Univer-
sity, Taiwan, in 1983, and the Ph.D. degree from
YI-CHIH KAO received the Ph.D. degree in indus- the University of Washington, USA, in 1990. From
trial engineering and management from NCTU. 1990 to 1995, he was a Research Scientist with
He is currently the Director of the Network and Bellcore. He then joined National Chiao Tung
System Division, Information Technology Service University (NCTU), Taiwan, where he remains.
Center, National Chiao Tung University (NCTU). In 2010, he became a lifetime Chair Professor of
His research interests include cyber security, net- NCTU, and in 2011, the Vice President of NCTU.
work performance, software-defined networking, From 2014 to 2016, he was the Deputy Minister
and IT service design. with the Ministry of Science and Technology, Taiwan. Since 2016, he has
been appointed as the Vice Chancellor with the University System of Taiwan
(for NCTU, NTHU, NCU, and NYM). He is currently an Adjunct Research
Fellow with the Institute of Information Science, Academia Sinica, and
with the Research Center for Information Technology Innovation, Academia
Sinica. He is the coauthor of the books Wireless and Mobile Network
Architecture (Wiley, 2001), Wireless and Mobile All-IP Networks (John
Wiley, 2005), and Charging for Mobile All-IP Telecommunications (Wiley,
2008). He is also a member of board of directors, Chunghwa Telecom. He
is also a Fellow of AAAS, ACM, and IET. He is also a General or the
JUI-CHUN LIU received the B.S. degree in man- Program Chair for prestigious conferences, including ACM MobiCom 2002.
agement of information system from National He received numerous research awards, including 2005 NSC Distinguished
Chung Hsing University, in 2018. He is currently Researcher, 2006 Academic Award of Ministry of Education, 2008 Award
with the Information Technology and Service Cen- for Outstanding contributions in Science and Technology, Executive Yuen,
ter, National Chiao Tung University. His research 2011 National Chair Award, and TWAS Prize in Engineering Sciences,
interests are network communication and com- in 2011 (the Academy of Sciences for the Developing World). He serves on
puter networks. the editorial boards for the IEEE TRANSACTION ON VEHICULAR TECHNOLOGY. He
is also the Guest Editor for several journals, including the IEEE TRANSACTIONS
ON COMPUTERS.

34716 VOLUME 8, 2020