Sean Siler, Program Manager for IPv6 Deployment and Field Readiness at Microsoft, [email_address]. Sometimes our titles can be a little confusing; even a title like ‘Lead PM’ doesn’t mean ‘in charge’, and there are sometimes multiple ‘Lead PMs’ on a project. I am a singular entity, however: I am the PM responsible for leading IPv6 deployments for all of Microsoft’s customers worldwide. I work very closely with Ben Schultz, whom some of you may know from UNH-IOL; he works for us now and is responsible for working with enterprises to find what changes the PG needs to make to ease IPv6 migrations. Today we are going to discuss IPv6 in a way that you may not be used to. We’re not going to talk about a bajillion addresses or look at header diagrams, because frankly most of you don’t care. What we are going to talk about is what your network does today, and what you want it to do in the near future. What we are going to talk about, ladies and gentlemen, is Business Value. <CLICK>
Graphic: Shows a man sitting in front of a laptop computer. Presenter’s Comments below: I mean, let’s face it, that’s what you care about when making a decision, right? You don’t implement a new technology because it’s cool or new or because it has a neat name; you implement technologies that will provide Business Value to your organization. CxO-level executives have been asking “What is the Business Value of IPv6?” for a good while, and techies keep responding with answers like ‘unlimited addresses’ and ‘increased security’ and ‘because OMB says so.’ Answers like this... are bad.
We are going to start by talking about applications because that is the value behind IPv6. If I came into your organization tonight and made v6 start magically working everywhere, what would your users see different tomorrow? NOTHING. IPv6 is just a protocol; it’s just plumbing. It’s not until applications start taking advantage of the new functionality provided by v6 that users will see a difference. Applications are the key to IPv6 ROI.
Graphic shows: Two circles which represent computer applications which have a line between them with a NAT (Network Address Translation) in the way blocking them from communicating with one another. Presenter’s Comments below: Applications expect full unfettered end-to-end connectivity on any and all necessary ports. This usually isn’t a problem inside the network, but can be problematic for client-server or peer-to-peer apps on either side of a NAT (Network Address Translation) or Firewall. If I put a Firewall in between the applications, it requires a detailed understanding of what ports the application requires to operate. If I put a NAT in between the applications, the application usually breaks. (There are ways around this, but it is exceedingly difficult and beyond most users) Some people will say “What about Skype? They are a peer-to-peer app, and they work through NATs just fine!” Well, let’s take a look at Skype and see how it works…
Skype is a peer-to-peer VoIP application which is totally proprietary – in other words, the details in this slide are best guesses from exhibited network behavior. I am not in any way attempting to show any Skype secrets here, and all of this was obtained off of the Internet. Let’s see what a Skype client does when you turn it on. It… <CLICK> What is all this? This is the mess that a machine has to go through to figure out if it is behind a NAT, and if it is, successfully navigate its way out of the NAT in a way that is fairly seamless to the user. I say ‘fairly seamless’ because there are some things that are very visible here – for instance, if a Skype machine is picked to be a SuperNode. SuperNodes are user workstations on the Skype network that have been selected to proxy calls and data transfers from other network members. This proxying is why Skype isn’t truly a peer-to-peer application – because NAT won’t let it be.
(Note: This slide was designed as a “slide show”, and the word Skype sits on top of another text box if not viewing the slide show.) Presenter’s Comments below: This does not mean that Skype is a bad product or is poorly written. On the contrary, the engineers who designed Skype did a phenomenal job! The point is that they had to figure out how to make it work, secure it, and write the code all on their own. The technology necessary to make Skype work is now protected Intellectual Property. Could your engineers duplicate this task with the same degree of success? Skype and a plethora of similar applications are being shoved through ‘other ports’ (like 80 and 443) because those ports are expected to be open on a home user’s NAT device or firewall. With Secure Shell (SSH) users can redirect just about anything over port 80. You do not know if these applications are being used in your environment today. You cannot audit them. You cannot stop them. Unless they are using standard, tested encryption protocols, you do not know how the security of a product stacks up. You have to check every application individually, and that increases application compatibility testing costs. Should networks require this much of their application developers just to operate? Every application is now responsible for its own communications channel, its own data transfer facilities, and its own security. This leads to more complex, fragile, stovepiped applications; it increases development costs and decreases security. This, ladies and gentlemen, is the cost of writing applications for a 30-year-old IP stack.
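The point above, that tunnelled applications hide on 80 and 443 because those ports are assumed open, is at least partly auditable: the first bytes a client sends on a TCP connection reveal whether it is really HTTP or TLS. The following Python is an added example written for this page, not code from the presentation or from Skype; the flow records, addresses and payload bytes are constructed, and in practice they would come from a packet capture or an IDS that logs initial payloads. It flags an SSH session on port 80 and an opaque protocol on port 443, the two cases the notes describe.

```python
"""Spot traffic squeezed through ports 80/443 that is not actually HTTP or TLS.

Added example; not from the original slides. Input is a constructed list of
flow records carrying the first bytes the client sent.
"""
from dataclasses import dataclass

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")
EXPECTED = {80: {"http"}, 443: {"tls"}}   # what these ports are open for


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload bytes


def classify(data: bytes) -> str:
    """Cheap protocol fingerprint from the first client bytes."""
    if data.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03xx,
    # then a ClientHello (handshake type 0x01) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def audit(flows):
    """Return (flow, label) for every flow on 80/443 whose first bytes do not
    match the protocol that port is supposed to carry."""
    findings = []
    for f in flows:
        allowed = EXPECTED.get(f.dport)
        if allowed is None:
            continue
        label = classify(f.first_bytes)
        if label not in allowed:
            findings.append((f, label))
    return findings


# Constructed sample flows (RFC 1918 clients, RFC 5737 documentation servers).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.6", "203.0.113.20", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    Flow("10.0.0.7", "203.0.113.30", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),           # SSH on port 80
    Flow("10.0.0.8", "203.0.113.40", 443, b"\x02\x01\x00\x00\x1b\x0a\x7f\x40"),  # opaque custom protocol
]

if __name__ == "__main__":
    for flow, label in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} looks like {label}, "
              f"not {'/'.join(EXPECTED[flow.dport])}")
```

The caveat a practitioner would raise: this heuristic only catches applications that skip the expected framing. An application that wraps its own protocol in a genuine TLS handshake on 443 passes the check, which is exactly why the notes say you cannot tell how a product’s security stacks up without examining each one individually.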
It’s more than just fiscal costs, too. It’s about opportunity costs. What are we missing? If end-to-end connectivity had remained ubiquitous from 1997 until today, how might the Internet look and how might our applications be impacted? One thing is for sure: There are applications that might have been; that might have changed things, but for a lack of end-to-end connectivity.
Graphic: There are two pictures, one for IPv4 and one for IPv6. The pictures demonstrate that IPv4 is very heavy on the application layer. The IPv6 picture reverses that and shows that the application layer is actually the smallest one. Presenter’s Comments below: Our friends over at Command Information summed up IPv4 application issues well using this slide. IPv4 provides a dumb network that intentionally and actively breaks end-to-end connectivity. This forces applications to increase in size, as they must individually deal with security, mobility, NAT traversal, and peer-to-peer code, among other things. IPv6, on the other hand, provides an intelligent network with built-in services that any application can call on to provide standardized security, mobility, end-to-end connectivity, etc. This allows applications to be smaller and faster, decreases development time and costs, increases security, and provides an ideal environment to leverage Service Oriented Architecture. This is one of the key benefits of v6 – because the network is smarter, the applications have a lot of stress taken off of them.
Graphic: The graphic shows dollar signs. Presenter’s Comments below: To summarize the Applications section: our cars, stoves, refrigerators, and washing machines have all been radically upgraded in the last 30 years, but – other than speed increases – networks have effectively remained the same dumb IPv4 packet forwarding devices they were in 1970, and our applications are paying for it. Every application in use today might be smaller, faster, and/or more secure if it were designed to run on IPv6.
Ok, so we have discussed applications, what about the networks themselves? How can the network be made more efficient? While IPv6 provides lots of small improvements in the way a network operates, the big improvement comes with something called ‘Seamless Networks’. It is really difficult to imagine seamless networks today, because we are so far away from it. Let’s take a look and see if we can make it clearer.
Graphics: The pictures here show 3 different circles, each representing a different network, with pictures of brick walls to indicate “firewalls” between each. Presenter’s Comments below: Here are networks today. They work fine individually, but if you need to access information in another network, or move users or machines between networks, or merge networks, things turn ugly quickly. Quick question: How many of you in here log into more than one user account on a daily basis to get your job done? You see? That’s this slide in action! One network can’t talk to another, so you create an account in both. That increases management costs! That isn’t the network of the future! We never saw that on Star Trek!
Graphics: 2 squares represent 2 different applications and 3 circles represent 3 networks. Here’s another question for you: in Star Trek, how many networks were there on the Enterprise? We don’t know. There might have been one or one thousand. They were seamless, you see. Applications in any network could be accessed from any other network. As far out as this may sound, it is very nearly here today through the vision of Seamless Networks along with Federated Identity.
It can be fairly difficult to imagine what this might look like in a non-Star-Trek world, so let’s run through an example in the not so distant future to see how first responders can benefit from Seamless Networking. As you watch this, think about the applicability to accessing data in any of your own networks as well. Let’s take a look at “Fire in a Tunnel” http://www.youtube.com/watch?v=RU21YO6XF_o Wow. I love that video! That is what IPv6 is all about. That is Seamless Networks in action. We can’t do anywhere close to that today, but a lot of companies are working to make this video a reality. The key thing is that to make seamless networks a reality, <CLICK>
Graphics: 4 different cartoon figures, all interconnected: two people using digital scanning equipment, a laptop trying to authenticate, a lock (for encryption), and locks from many computers spanning the globe. Presenter’s Comments below: …you must have IPv6. The overlapping address space that exists with RFC 1918 addresses in networks today explicitly prohibits this type of seamless networking from occurring: two organizations that both number their hosts out of 10.0.0.0/8 cannot route to each other without translation in the middle. IPv6 is the foundation for the secure, interoperable, reliable and scalable network of the future. One of the questions that people think about when they start to understand the big picture, though… <CLICK>
… is how they will manage security in a v6 world, and how secure the protocol is. How many of you have heard that IPv6 is more secure than IPv4? And what makes v6 more secure than v4? (IPsec most likely answer) I’m not surprised. A lot of people have heard that. And I have a secret for you and for them, too. <CLICK>
IPv6 is no more secure than IPv4. That probably sounds a little weird coming from me, an IPv6 supporter, but it’s true. There are a couple of things that help reduce the attack surface as compared to v4 (like Secure Neighbor Discovery, or SeND, which authenticates the Neighbor Discovery and Router Advertisement messages that are as spoofable in plain v6 as ARP is in v4), but overall the security is about the same. There is a corollary to this rule, however. <CLICK> IPv6 is no LESS secure than IPv4. Lots of very smart people have worked for a very long time to make sure that IPv6 is every bit as secure as v4. You do not lose any security by deploying v6. The key is that IPv6 can be deployed in a more secure manner than IPv4 because of IPsec. It’s not that there are any architectural changes in IPsec, because there aren’t. The difference is in how it is deployed. IPv4 uses lots of NAT, and NAT rewrites the Source and Destination fields in the header. IPsec is built to detect exactly that kind of tampering: the AH integrity check covers the addresses, and ESP hides the transport ports a NAT would need to rewrite. Thus IPsec isn’t used through a firewall or NAT much in IPv4. (There is NAT-T, which wraps ESP in UDP so it can cross a NAT, but very few companies have deployed it.) This means we simply TRUST that we are connecting to the server we think we are, or we leave security to the application layer. In the end, security suffers.
Just because the security risks of v6 are similar to v4 doesn’t mean that your security architects can continue with the status quo, however. Threat assessments, network defensive procedures, and attack response procedures all need to be updated, just to name a few. And none of this – NONE OF IT – is intuitive to even the most seasoned IPv4 engineer. Your engineers will need training to fully understand what they are dealing with. Just to put things in perspective, I am 100% comfortable with IPv4. I have worked with IPv6 extensively for two years and I am now at probably 70% of where I was – although I haven’t had the extensive hands-on that I had in v4, either. You really need to get your people up to speed, and Security Architects are number 1 on the list. Get them training today. If you don’t know where to send them, send me an email and I will let you know. After Security Architects come Network Architects, and then, later on, Network Admins.
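The NAT-versus-IPsec point two paragraphs up is easy to see in code. The following Python is an added example for this page, not code from the presentation or from any IPsec implementation: it is a simplified model of the AH integrity check from RFC 4302, using a full HMAC-SHA256 as the ICV instead of the truncated values real SAs negotiate, with a constructed key, addresses and payload. It builds an IPv4+AH packet, then shows the ICV surviving a router’s TTL decrement (TTL is a mutable field that AH zeroes before hashing) but failing once a NAT rewrites the source address (an immutable field that the hash covers).

```python
"""Why a NAT breaks IPsec AH while an ordinary router does not.

Added example, not from the original slides. Simplified model of RFC 4302
AH, not a wire-compatible implementation: full HMAC-SHA256 ICV, constructed
key/addresses/payload.
"""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 32          # full HMAC-SHA256 output (simplification)
AH_FIXED_LEN = 12     # next header, payload len, reserved, SPI, sequence


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement header checksum (checksum field assumed zero)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_checksum(hdr: bytes) -> bytes:
    b = bytearray(hdr)
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b)))
    return bytes(b)


def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    # version/IHL, DSCP/ECN, total length, ID, flags+fragment offset (DF set),
    # TTL, protocol 51 = AH, checksum placeholder, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, 51, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return set_checksum(hdr)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302: DSCP/ECN, flags, fragment offset, TTL and checksum may change
    in transit, so they are zeroed for the ICV. The addresses are NOT."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    covered = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def build_packet(key: bytes, src: str, dst: str, payload: bytes,
                 spi: int = 0x100, seq: int = 1) -> bytes:
    # AH payload length = AH length in 32-bit words minus 2: (12+32)/4 - 2 = 9
    ah_fixed = struct.pack("!BBHII", 6, (AH_FIXED_LEN + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, 20 + AH_FIXED_LEN + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify(key: bytes, pkt: bytes) -> bool:
    ip_hdr = pkt[:20]
    ah_fixed = pkt[20:20 + AH_FIXED_LEN]
    icv = pkt[20 + AH_FIXED_LEN:20 + AH_FIXED_LEN + ICV_LEN]
    payload = pkt[20 + AH_FIXED_LEN + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def forward_hop(pkt: bytes) -> bytes:
    """What every router does: decrement TTL, recompute the header checksum."""
    b = bytearray(pkt)
    b[8] -= 1
    b[:20] = set_checksum(bytes(b[:20]))
    return bytes(b)


def nat_rewrite(pkt: bytes, new_src: str) -> bytes:
    """What a NAT does: replace the source address, recompute the checksum."""
    b = bytearray(pkt)
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    b[:20] = set_checksum(bytes(b[:20]))
    return bytes(b)


KEY = b"constructed-demo-key-not-for-real-use"

if __name__ == "__main__":
    pkt = build_packet(KEY, "192.168.1.10", "203.0.113.5", b"hello")
    print("direct:        ", verify(KEY, pkt))                                # True
    print("through router:", verify(KEY, forward_hop(pkt)))                   # True
    print("through NAT:   ", verify(KEY, nat_rewrite(pkt, "198.51.100.1")))   # False
```

ESP behaves differently in detail but fails through a NAT for the same family of reasons: its integrity check leaves the outer IP header alone, but the TCP or UDP checksum inside is encrypted and cannot be fixed up, and there are no port numbers for the NAT to map. NAT-T (RFC 3948) works around that by carrying ESP inside UDP port 4500. On an IPv6 path with no translation, nothing between the endpoints touches the addresses, so the check above passes end to end.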
I know that the words peer-to-peer probably send a shiver up your spine. I would bet that none of you would willingly allow P2P applications in your networks today. I would like for that to change in the future. The main reason is that we are talking about two different things. <CLICK> The terms ‘peer-to-peer’ and ‘Napster’ cannot be used interchangeably. While Napster and Kazaa are examples of P2P applications, they do not define the genre. They are simply early adopters of the technology. These are examples of *unmanaged* applications that use P2P for their distributed nature. It’s not that you don’t want P2P apps in your Enterprise, YOU DON’T WANT *UNMANAGED* APPS! P2P apps can be centralized and managed; your organization can leverage the power of P2P and make it work for you. Let’s take a look at how your organization might benefit from P2P apps in just one example: software distribution.
Graphic: This shows one main circle with 12 smaller circles attached to it, each by its own thread. They do not connect to one another. Presenter’s Comments below: Installing patches or other software today requires highly available centralized servers and eats up lots of bandwidth, which is why large installs are usually scheduled in small batches in the middle of the night. This approach doesn’t always scale well to global operations, where ‘middle of the night’ doesn’t mean a lot, and leads to some machines slipping through the net and not getting updates. Additionally, if machines are turned off or do not have network connectivity, they again may miss these updates. Installations may be taking place across slow WAN links, which greatly impacts network performance, or through a hierarchy of installation servers, where keeping the appropriate data in sync becomes more complicated.
Graphic: Shows one main circle which has 12 smaller circles around it. The larger circle is only connected to 2 of the smaller circles, and they connect to one another: six on one side and six on the other. Presenter’s Comments below: In a peer-to-peer enabled network and application, data only needs to be transferred to a few nodes on the network. From there, workstations can leverage the distributed nature of computing to copy the necessary bits from one machine to another. This would take place only after machines are authenticated to one another, of course, and could even work across disconnected networks (for example: take a fully patched domain-joined workstation to the airport, find a co-worker coming back from a trip who doesn’t have the latest updates, and they get the updates automatically from your patched machine). How will you control this type of system? Through distributed security. Leveraging built-in firewalls, reporting, and policy control, you have the ability to centrally manage which applications are – and aren’t – allowed into your network. This also works exceedingly well at finding areas of very high bandwidth and utilizing them (for example, downloading a patch just once across a slow WAN link, then using peer-to-peer to distribute the patch over a 1Gbps LAN). For years industry pundits have remarked that we started using dumb terminals, went to client-server based computing, and now are going back to dumb terminals because client-server is too difficult or expensive. I submit that client-server has been too difficult because WE have broken it. We haven’t used its full potential. P2P uses the power of the client to help manage the network. And remember: through authentication, distributed security, and managed applications, this is nothing at all like what your 16-year-old is using at home to download songs illegally.
So this pretty much wraps up my presentation. I hope you have a better understanding now of why Microsoft is so excited about IPv6. There is so much potential here – potential to make your network run much better than it ever has. It won’t be easy, it won’t be a magic bullet, and it won’t happen tomorrow. But if you start testing today, you and your people will be ready to take advantage of v6 as soon as your network is. Questions?
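The peer-to-peer patch distribution described above hinges on one design choice that the notes state but do not spell out: peers are allowed to carry the bytes, but they are never trusted to vouch for them. The following Python is an added example written for this page, not code from the presentation or from any Microsoft product. The central patch server publishes only a small manifest (a SHA-256 per chunk plus a whole-file hash) over its own authenticated channel; the bulk data comes from whichever peer is nearest, and every chunk is checked against the manifest before it is accepted. The package contents, peer names and chunk size are constructed for the demo, and the mutual authentication of peers that the notes mention is assumed to have already happened and is not modelled.

```python
"""Peer-to-peer patch distribution where peers carry bytes but cannot vouch for them.

Added example, not from the original slides. The trusted server supplies the
manifest; untrusted peers supply chunks; the client verifies every chunk.
"""
import hashlib

CHUNK_SIZE = 4096
# Constructed 10,240-byte "package": three chunks, the last one partial.
PACKAGE = bytes(range(256)) * 40


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(blob: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Publisher side. This is the only thing that must come from the trusted server."""
    chunks = [blob[i:i + chunk_size] for i in range(0, len(blob), chunk_size)]
    return {
        "size": len(blob),
        "chunk_size": chunk_size,
        "chunks": [sha256_hex(c) for c in chunks],
        "root": sha256_hex(blob),
    }


class Peer:
    """A workstation offering whatever chunks it already holds."""

    def __init__(self, name: str, blob: bytes, chunk_size: int = CHUNK_SIZE):
        self.name = name
        self.chunks = {i // chunk_size: blob[i:i + chunk_size]
                       for i in range(0, len(blob), chunk_size)}

    def serve(self, idx: int):
        return self.chunks.get(idx)


def fetch_from_peers(manifest: dict, peers):
    """Client side: pull each chunk from the first peer whose copy matches the
    manifest; a mismatching chunk is dropped and the next peer is tried."""
    got, rejected = {}, []
    for idx, expected in enumerate(manifest["chunks"]):
        for peer in peers:
            data = peer.serve(idx)
            if data is None:
                continue
            if sha256_hex(data) == expected:
                got[idx] = data
                break
            rejected.append((idx, peer.name))   # corrupt or tampered chunk
        else:
            raise RuntimeError(f"chunk {idx}: no peer supplied a copy matching the manifest")
    blob = b"".join(got[i] for i in range(len(manifest["chunks"])))
    # Whole-file check as well, so a manifest with a wrong chunk list is
    # still caught against the published root hash.
    if len(blob) != manifest["size"] or sha256_hex(blob) != manifest["root"]:
        raise RuntimeError("reassembled package does not match manifest root")
    return blob, rejected


def demo():
    manifest = make_manifest(PACKAGE)                       # from the patch server
    good = Peer("peer-a", PACKAGE)                          # fully patched colleague
    bad_copy = bytearray(PACKAGE)
    bad_copy[CHUNK_SIZE + 10] ^= 0xFF                       # one flipped byte in chunk 1
    tampered = Peer("peer-b", bytes(bad_copy))              # corrupt or malicious peer
    return fetch_from_peers(manifest, [tampered, good])     # try the bad peer first


if __name__ == "__main__":
    blob, rejected = demo()
    print("package intact:", blob == PACKAGE, "rejected chunks:", rejected)
```

Run as is, the client takes chunks 0 and 2 from the tampered peer (they are byte-for-byte correct), rejects its chunk 1, and fills the gap from the good peer; the rejection list is what you would feed into the central reporting the notes describe. The same shape works across the disconnected “airport” case, because the manifest is tiny and can be cached ahead of time while the chunks arrive from whoever happens to be nearby.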
Applications: Skype
- Looks in registry (Host Cache) to determine Seed Supernodes
- Send UDP packets to specified HC IP addresses and ports
- Wait 5 seconds
- Attempt TCP connection to specified HC IP addresses and ports
- Attempt TCP connection to specified HC IP addresses over port 80
- Attempt TCP connection to specified HC IP addresses over port 443
- If none of these work, cycle through all of them 5 more times
- Assuming connection made, test local workstation to determine available bandwidth and available CPU
- If results are within specified (unpublished) parameters, report back to central servers that this machine is available to be a Supernode
- Start encrypting traffic
Introduction Applications Seamless Networking Security Peer to Peer Closing/Q&A
Applications: Skype
Networks that don’t provide security services to applications:
Applications: Barrier to Entry
- Some applications simply die because the lack of end-to-end connectivity makes it too difficult for them to work.
- “The time has come to lower the curtain on Speak Freely. No further development or maintenance will be done, and no subsequent releases will be forthcoming. The Internet of the near future will be something never contemplated when Speak Freely was designed, inherently hostile to such peer-to-peer applications.”
  Speak Freely End of Life Announcement, John Walker, January 15th, 2004
Applications: Flipping the Paradigm
Applications: Summary
- Applications are negatively impacted by IPv4
Seamless Networks
A 9 minute video clip called “Road Tunnel Fire Rescue with Wireless Sensor Networks” was shown here and may be accessed at: http://www.youtube.com/watch?v=RU21YO6XF_o
Security: IPsec
- IPv6 is no more secure than IPv4
- IPv6 is no less secure than IPv4
- IPv6 can be deployed in a more secure manner than IPv4
Security: Training
- Security models will change
- Security Architects/Engineers need v6 training
- Training needs will be extensive for senior architects – allocate training funds
Peer to Peer isn’t evil
- Peer to Peer ≠ Napster or Kazaa
- These are just ‘early adopters’
- Can be managed and leveraged in your organization
Current Data Flow
- Single Point of Failure
- Bandwidth Chokepoint
- Clients need connectivity
- Saturates slow links
- Long transfer times
- Scheduling can miss machines
Peer to Peer Data Flow
- Highly available
- Distributed distribution
- Disconnected networks
- Leverages fastest networks
- Faster distribution
- Self healing
- Authentication
- Distributed Security
- Managed Applications
Closing Remarks
SEAN SILER, PROGRAM MANAGER FOR IPV6 DEPLOYMENT, SEAN.SILER @ MICROSOFT.COM