IPv6 Security Seminar - 3. 10 reasons to think about IPv6 - the tyranny of large numbers




Presentation 3 by IPv6 Security Seminar from Progreso Networks




Usage Rights

© All Rights Reserved


    Presentation Transcript

    • 10 reasons to think about IPv6
      Harish Pillay
      hpillay@redhat.com, @harishpillay
      Red Hat Asia Pacific
    • The tyranny of large numbers
    • 1. Exhaustion
      • We are "out" of IPv4 allocations
        o Well, I am not, and you are not, but we are
      • Your IPv4 networks will continue to work, but how are you going to expand?
      • Try asking your ISP for a /22 for your new initiative in <cloud/ecommerce/portal/smartapp/whatever>
        o CPF uses StarHub addresses
        o PUB uses Pacific Internet (only 16 addresses!).
    • (aside) we no longer need NAT
    • 2. IP address Auto-configuration
      • No, not for your office
        o You will use DHCP, for control
      • What about your mobile customers?
        o Their IP address changes when they move
        o Smartphones are moving all the time
        o "Moves" all the time (your smartphone IP changed as you entered this building)
        o You need to track sessions in your server-side code
        o ... or force re-logins, and your customers hate that
        o You are at the mercy of SingTel/StarHub/M1 ... and their roaming partners.
    • 3. Permanent Addresses (See #2 as well)
      • One device - One address
        o Identity
        o Reachability
        o Traceability
      • Consider your handphone number
      • Consider your credit card number
      • Regulated domains need auditability; having people change their end-point address imposes costs.
    • 4. IPSec is a first-class citizen
      • You still have to set it up
        o But no more figuring out if your two vendors have AH or ESP compatibility
        o If IPv6 is supported, IPSec is supported, and in a consistent fashion
        o Office-to-office VPNs are easier.
    • 5. Subnetting is easy
      • Because address space expands, you can subnet on logical boundaries
      • No more guessing what expansion will be in 2 years' time
      • Routing can reflect business departments
      • Be lazy, waste, waste, waste!
      • Need to run a test lab? Here is an IP block.
    • 6. End-to-end restored
      • No more multiplexing IP addresses
        o You can still do it, but you are not forced to do it
      • Think about how this helps tracking abuse
      • Your users run P2P? Your logs show it
      • Get a complaint? No more asking:
        o Firewall team
        o Proxy team
        o DHCP team
        o ...
      • Non-repudiation!
    • (did I mention that) we no longer need NAT
    • 7. Mobile IP: Save bandwidth!
      • For enterprises and end-users, see, e.g., RFC 5172
      • For Telcos, triangular routing can eat up significant bandwidth (not your problem, of course)
      • Mobile IPv6 enables me to roam on a foreign network, with (possibly) lower latency.
    • 8. Regulatory reasons
      • Moving target
      • Who knows what IDA or GCIO or MAS will mandate tomorrow
      • Run your pilots
        o If it makes no sense, be ready to object
        o If it makes sense, get out in front
      • US govt requires IPv6 for all Gov infrastructure (2008). So do France, UK, Australia, Malaysia
      • Don't find out your next major task from the Straits Times!
    • 9. It is out in the wild ... inside your LAN
      • Initially in Linux 2.1.8 (Nov 1996), but formally in 2.6.x
      • MS Vista SP1
      • MacOS X 10.6
      • Cisco
      • Juniper
      • Sun Solaris 10
      • All running IPv6 (and even Teredo tunnels)
      • Ban it, ignore it, or control it. In any case, you have to think about it.
    • 10. No more NATs!!!!!
      • Yep, I like to repeat myself
      • 500 different implementations, all broken in different ways
      • Made worse by transparent proxies, and caches
      • Who knows what is happening
      • NAT is not secure, it is an unintended side-effect. First we NAT, then we punch holes, then we block holes, then we get shouted at, then we become Ministers ...
    • 11. Ah-huh points
      • localhost is ::1 (v4 its
      • Any site with a dedicated IPv4 address can get a whole /64 subnet of IPv6 addresses, i.e. 2^64 or 18,446,744,073,709,551,616 addresses! Waste, waste, waste. It's OK.
      • fe80::/64 is somewhat similar to private IP 10.x/192.168.x, but not entirely
      • 2000:: is the current prefix of globally routable v6 IPs
      • Gain experience from doing this at home
      • NATing is history
      • Get your IPv6 from APNIC, not from your ISP
    • The Second Golden Age of Networking is upon us. Go capture it.
      Comments? @harishpillay, hpillay@redhat.com
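
Slide 5's "subnet on logical boundaries" and slide 6's point about tracing a complaint, worked through as an added example (not part of the original presentation). The /48 site prefix is taken from the 2001:db8::/32 documentation range and the department names are constructed; `plan_site` and `owner_of` are hypothetical helper names.

```python
import ipaddress

def plan_site(site_prefix, departments, dept_len=56, lan_len=64):
    """Give each department its own block on a clean prefix boundary."""
    site = ipaddress.ip_network(site_prefix)
    blocks = site.subnets(new_prefix=dept_len)  # lazy generator of /56 blocks
    plan = {}
    for name in departments:
        block = next(blocks)
        plan[name] = {
            "block": block,
            "lans": 2 ** (lan_len - dept_len),  # number of /64 LANs in the block
            "first_lan": next(block.subnets(new_prefix=lan_len)),
        }
    return plan

def owner_of(plan, addr_text):
    """Map an address from a log or complaint back to its department."""
    addr = ipaddress.ip_address(addr_text)
    for name, entry in plan.items():
        if addr in entry["block"]:
            return name
    return None  # address is outside every allocated block

# Constructed inputs: a /48 from the documentation prefix, three departments.
SITE = "2001:db8:abcd::/48"
DEPARTMENTS = ["finance", "engineering", "test-lab"]

if __name__ == "__main__":
    plan = plan_site(SITE, DEPARTMENTS)
    for name, entry in plan.items():
        print(name, entry["block"], entry["lans"], "LANs of",
              entry["first_lan"].num_addresses, "addresses each")
    print(owner_of(plan, "2001:db8:abcd:2ff::9"))
```

Because every department sits on its own /56, the same prefix can be used in routing, firewall rules and log triage without a lookup table of irregular ranges.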
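
Slide 9's "ban it, ignore it, or control it" starts with knowing what IPv6 is already on the LAN. The following added example (not part of the original presentation) labels addresses from a constructed host/address log and reports hosts using Teredo or 6to4 tunnels. The log format and function names are assumptions; the prefixes 2001::/32 (Teredo, RFC 4380), 2002::/16 (6to4, RFC 3056) and 2000::/3 (global unicast) are the standard allocations.

```python
import ipaddress
from collections import Counter

# Well-known prefixes: Teredo (RFC 4380), 6to4 (RFC 3056), global unicast.
TEREDO = ipaddress.ip_network("2001::/32")
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample: "<host> <address seen on that host>".
SAMPLE_LOG = """\
ws-14 fe80::a00:27ff:fe4e:66a1%eth0
ws-14 10.1.4.14
ws-22 2001:0:4136:e378:8000:63bf:3fff:fdd2
srv-03 2001:db8:10:4::25
ws-31 2002:c000:204::1
srv-03 ::1
"""

def classify(addr_text):
    """Return a coarse label for one address string from a log."""
    addr = ipaddress.ip_address(addr_text.split("%")[0])  # drop zone id (%eth0)
    if addr.version == 4:
        return "ipv4"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr in TEREDO:
        return "teredo-tunnel"
    if addr in SIX_TO_FOUR:
        return "6to4-tunnel"
    if addr in GLOBAL_UNICAST:
        return "global-unicast"
    return "other-ipv6"

def inventory(log_text):
    """Count address classes across the whole log."""
    return Counter(classify(line.split()[1]) for line in log_text.splitlines())

def tunnel_hosts(log_text):
    """Map each host to the tunnel types it was seen using."""
    hits = {}
    for line in log_text.splitlines():
        host, addr = line.split()
        label = classify(addr)
        if label.endswith("-tunnel"):
            hits.setdefault(host, set()).add(label)
    return hits
```

Tunnel prefixes are checked before the global-unicast test because both fall inside 2000::/3; a host that shows up in `tunnel_hosts` is carrying IPv6 over the IPv4 network, past any controls that only inspect native IPv4 traffic.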