SixID – Next Generation Directory Services for Secure End-to-End Direct Messaging

SixID is a radically new approach to identity management needed to deploy secure end-to-end direct messaging (which will become very common in the new IPv6 and 5G world). This (along with SixTalk) is our most revolutionary technology.

The first generation of the Internet, the ARPANET, used 8-bit host addresses. It ran from 1969 to 1982 and was replaced by the TCP/IP-based Internet (IPv4) on 1 January 1983.

The most widely used (second generation) Internet is based on IPv4 (version 4 of the Internet Protocol, in use since 1983) with Network Address Translation (NAT) and millions of private internets, each hiding behind one or a few real (public) IPv4 addresses (see RFC 1918). IPv4 addresses are 32 bits long, for about 4.3 billion addresses in total, of which roughly 3.7 billion are usable as public unicast addresses once the reserved ranges are excluded. But something like 20 billion devices are connected to the IPv4 Internet today, which is only possible because most of them sit behind NAT.

Public IPv4 addresses are like real telephone numbers: they can be called from anywhere and can call any other real telephone number. Private IP addresses (which are what almost everyone has today) are like internal extension numbers (e.g. x101) behind a PBX. Extension x101 can call x102 and vice versa (within a given company), but to call an outside phone you have to dial 9 first to grab one of the few real phone numbers, and incoming calls require the caller to select some internal user (e.g. “dial the first three letters of the person’s name”). Private IP addresses look exactly like public addresses, and some of them once were public allocations (10.0.0.0/8, for example, was the ARPANET’s network). RFC 1918 set aside three ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) for use only inside private internets. Just as every business phone system might have an x101, the private address 10.1.2.3 might exist in thousands of private internets. It can only reach outside public nodes through a NAT gateway, and nothing outside can initiate a connection to it unless the gateway has been configured to forward that port.

The new (third generation) Internet is based on IPv6 (version 6 of the Internet Protocol), first specified in 1995. It has 128-bit addresses, about 3.4 × 10^38 of them (enough for every grain of sand on earth to have one). This allows us to get rid of NAT and private addresses for the first time since the mid 1990s (IPv6 does define Unique Local Addresses, RFC 4193, but nothing requires their use). This restores the flat (monolithic) address space of the early IPv4 Internet. Now any node with IPv6 can in theory connect directly to any other node with IPv6. In practice a global address does not by itself mean reachability: any firewall on the path can still drop the connection, and the default behaviour RFC 6092 recommends for IPv6 home gateways is to block unsolicited inbound connections, so a direct-messaging application still has to expect to open or traverse firewalls.

Roughly 30% of global traffic already goes over IPv6. Most people who have it are not even aware that it is there. Most deployments run both IPv4 private addresses and IPv6 public addresses; that is called Dual Stack. In the near future many networks will start shutting down IPv4 and run “pure IPv6” networks. Such networks reach legacy IPv4-only sites through NAT64/DNS64 (RFC 6146 and RFC 6147): a DNS64 resolver synthesizes an AAAA record for an IPv4-only name by embedding the IPv4 address in a NAT64 prefix (by default the well-known prefix 64:ff9b::/96 from RFC 6052), and the NAT64 gateway translates packets sent to that prefix into IPv4. Once everything can be reached over IPv6 alone, IPv4 will go away.
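The address synthesis that DNS64 performs, and its inverse, as an added example in Go (not from this page, SixID or SixTalk). The inverse is the half a practitioner actually needs: an IPv6 address in a log or connection table that falls inside the NAT64 prefix is really an IPv4 host, and you want the IPv4 address back before you look it up or block it. It uses the RFC 6052 well-known prefix; the sample addresses are constructed from the documentation ranges.

```go
package main

import (
	"fmt"
	"net/netip"
)

// WellKnownNAT64 is the RFC 6052 well-known prefix that DNS64/NAT64 use when no
// network-specific prefix is configured. The IPv4 address goes in the low 32 bits.
var WellKnownNAT64 = netip.MustParsePrefix("64:ff9b::/96")

// Synthesize builds the AAAA answer a DNS64 resolver returns for an IPv4-only host:
// the IPv4 address embedded after the 96-bit NAT64 prefix.
func Synthesize(prefix netip.Prefix, v4 netip.Addr) (netip.Addr, error) {
	if !v4.Is4() || prefix.Bits() != 96 {
		return netip.Addr{}, fmt.Errorf("need an IPv4 address and a /96 prefix, got %s and %s", v4, prefix)
	}
	b := prefix.Masked().Addr().As16()
	a := v4.As4()
	copy(b[12:], a[:])
	return netip.AddrFrom16(b), nil
}

// Embedded is the inverse: given an IPv6 address seen in a log or a connection table,
// return the IPv4 host it actually stands for, or ok=false if it is not a NAT64
// mapping under prefix (a native IPv6 peer, or an IPv4-mapped ::ffff:a.b.c.d address).
func Embedded(prefix netip.Prefix, v6 netip.Addr) (ipv4 netip.Addr, ok bool) {
	if !v6.Is6() || v6.Is4In6() || !prefix.Contains(v6) {
		return netip.Addr{}, false
	}
	b := v6.As16()
	return netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]}), true
}

func main() {
	v4 := netip.MustParseAddr("192.0.2.33") // constructed sample from TEST-NET-1
	v6, err := Synthesize(WellKnownNAT64, v4)
	fmt.Println(v6, err) // 64:ff9b::c000:221 <nil>
	for _, s := range []string{"64:ff9b::c000:221", "2001:db8::1", "::ffff:192.0.2.33"} {
		ip, ok := Embedded(WellKnownNAT64, netip.MustParseAddr(s))
		fmt.Printf("%-20s nat64=%v ipv4=%v\n", s, ok, ip)
	}
}
```

Operators may configure a network-specific prefix instead of 64:ff9b::/96; the functions take the prefix as a parameter for that reason, and a detection rule that only knows the well-known prefix will miss such deployments.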

IPv6 allows us to go beyond client/server, where there is a limited number of centralized servers at telcos, ISPs and big companies. With IPv6, any node (even your phone) can both initiate and accept connections. For the first time since we started putting Internet access on phones, you will be able to run a server on your phone! More importantly, your phone can initiate connections directly to any other node and accept connections from any other node (if both have IPv6, as in 5G, and no firewall in between blocks it). There are enormous wins with such decentralized messaging in overall system capacity, reliability and privacy: there is no central server that sees every message or becomes a single point of failure.

IPv6 eliminates the distinction between the telco world and the Internet. 5G will just be another subsystem of the global Internet, like the World Wide Web, streaming video, etc. 5G is sometimes called the grand convergence of telephony and the Internet. The old giant switches and other telco-specific gear are going away. With 5G, telephony is just another application running over IP (as it already is in VoLTE, where a call is SIP signalling plus RTP media).

One advantage is that a conversation is now a single end-to-end transport connection between the two parties, with no relay or gateway in the middle, so TLS can provide true end-to-end encryption and mutual strong authentication (each party cryptographically verifies the other’s certificate, rather than trusting an intermediary to do so). This uses a variant of TLS called PeerTLS, in which both parties authenticate with a client cert: the accepting side presents its own personal certificate where a hostname-bound server certificate would normally go, so no separate server cert is needed. Authentication is only as strong as the binding between certificate and identity, though; checking that the certificate presented is the one registered for the person you meant to reach is exactly what the directory has to support. Every node has both a client that can make outgoing connections and a local personal server that can accept incoming connections.

DNS was designed in 1983 for a relatively small number of static server nodes, and it has fitted the NAT world well: with NAT, I can only make a connection to a node outside my private internet that has a public address, and those few servers are exactly what DNS needs to name. With IPv6 there will be billions of highly mobile nodes, each able to accept connections and each changing address as it moves. We need something very new and different to handle this. To also implement PKI-based security, it needs to let you register your IP addresses and client cert securely, and look up other people’s information, not by nodename (as in DNS) but by their SixID userID, email address, telephone number, etc. That something is SixID.
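The mutual-authentication exchange described above, together with the directory lookup that gives it meaning, as an added example in Go. It is not code from SixTalk, SixID or PeerTLS (whose wire details this page does not give); it uses standard TLS 1.3 from Go's crypto/tls. Each node generates one self-signed certificate naming the user by email SAN and presents it in both roles, and the `dir` map stands in for a SixID lookup from identity to registered certificate (an assumption about how the directory would be used). Both sides run the same check: the peer's certificate must be the one registered for the identity it claims, and an initiator additionally checks that it reached the identity it dialled. The names alice, bob and mallory at example.org are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Node is one peer: one key pair and one self-signed certificate presented in BOTH TLS roles.
type Node struct {
	Email string
	TLS   tls.Certificate
}

// newNode generates the key and certificate a user would register with the directory. Its
// identity is an email SAN rather than a DNS name, and it carries both EKUs so the same
// certificate serves when accepting and when initiating.
func newNode(email string) *Node {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(time.Now().UnixNano()),
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return &Node{Email: email, TLS: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// peerConfig is the one TLS config a node uses in either role. dir stands in for a SixID lookup
// (identity -> registered certificate DER; an assumption). wantPeer is the identity an initiator
// dialled, or "" for an acceptor, which takes any registered caller. Trust comes from the directory
// rather than from a CA or a hostname: the presented certificate, whose private key the handshake
// proves the peer holds, must be byte-for-byte the one registered for the identity it claims.
func peerConfig(n *Node, dir map[string][]byte, wantPeer string) *tls.Config {
	verify := func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) != 1 {
			return fmt.Errorf("expected exactly one peer certificate, got %d", len(rawCerts))
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if len(leaf.EmailAddresses) != 1 || (wantPeer != "" && leaf.EmailAddresses[0] != wantPeer) {
			return fmt.Errorf("peer identifies as %v, wanted %q", leaf.EmailAddresses, wantPeer)
		}
		who, now := leaf.EmailAddresses[0], time.Now()
		if !bytes.Equal(leaf.Raw, dir[who]) || now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
			return fmt.Errorf("%s: certificate is not the registered one or is outside its validity", who)
		}
		return nil
	}
	return &tls.Config{
		Certificates:          []tls.Certificate{n.TLS},
		MinVersion:            tls.VersionTLS13,
		ClientAuth:            tls.RequireAnyClientCert, // acceptor: caller must authenticate; verify pins it
		InsecureSkipVerify:    true,                     // initiator: no hostname/CA check; verify pins instead
		VerifyPeerCertificate: verify,
	}
}

// exchange runs one direct session on loopback: acceptor listens, initiator dials expecting to
// reach wantPeer. It returns whom each side authenticated the other as, plus any error.
func exchange(initiator, acceptor *Node, dir map[string][]byte, wantPeer string) (string, string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", peerConfig(acceptor, dir, ""))
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	var acceptorSaw string
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			if err = c.(*tls.Conn).Handshake(); err == nil { // the acceptor verifies the caller here
				acceptorSaw = c.(*tls.Conn).ConnectionState().PeerCertificates[0].EmailAddresses[0]
			}
		}
		done <- err
	}()
	cl, err := tls.Dial("tcp", ln.Addr().String(), peerConfig(initiator, dir, wantPeer))
	if err != nil {
		return "", "", err // e.g. the node that answered is not the one we meant to reach
	}
	defer cl.Close()
	err = <-done
	return cl.ConnectionState().PeerCertificates[0].EmailAddresses[0], acceptorSaw, err
}

func main() {
	alice, bob, mallory := newNode("alice@example.org"), newNode("bob@example.org"), newNode("bob@example.org")
	dir := map[string][]byte{alice.Email: alice.TLS.Certificate[0], bob.Email: bob.TLS.Certificate[0]} // mallory never registered
	fmt.Println(exchange(alice, bob, dir, bob.Email))     // alice <-> bob: both sides authenticated
	fmt.Println(exchange(alice, mallory, dir, bob.Email)) // mallory answers claiming bob's identity: alice refuses
	fmt.Println(exchange(mallory, bob, dir, bob.Email))   // mallory calls bob: bob refuses the unregistered caller
}
```

Pinning the exact registered certificate sidesteps CA and hostname checks entirely, so the directory becomes the root of trust: an attacker who can tamper with registration or with lookup responses gets what compromising a CA would give them, which is why registration and lookup have to be done securely. A CA-issued model with normal chain verification is an equally valid way to build the same exchange.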

IANA reviewed my concept and recognized it as something novel (not covered by any existing IETF protocol) and well designed from a security viewpoint (use of explicit TLS and strong authentication, etc.). They have allocated port 4606 for SixID, just as 25 is for SMTP, 143 is for IMAP and 80/443 are for HTTP/HTTPS.

I am working on a new app for Windows, macOS and mobile devices called SixTalk (still very much in progress) that can do end-to-end direct messaging, using VoIP for voice and video, SIMPLE for chat and FTPS for file transfer. I had to create SixID for this, but SixID will have many other applications for 5G, IoT, etc.

SixTalk is still in its early stages, but if you find this interesting we will be glad to discuss this with you.