Enterprise Preparation for IPv6
HP Technology Forum, June 2009, Las Vegas

  • This session is aimed at IT managers and architects who have a basic familiarity with networking and need to assess the impact of IPv6 and/or plan for its eventual adoption. Recent reports of IPv4 address exhaustion have made many IT managers take notice. IPv6 may be technically better than IPv4 but until now most corporations have been slow to even consider a major network overhaul. They are waiting for a business case before investing in a new technology. Unfortunately, this has put them in a very precarious situation. The case for IPv6 is not an immediate return on financial investment. Rather it is a necessary step to reduce risk. Poor preparation leaves enterprises exposed to significant procurement and redesign costs when IPv6 crosses a critical threshold of adoption and displaces IPv4 in any critical points or interfaces of the enterprise. A single important customer or supplier can force a degree of IPv6 implementation. That point in time is visibly approaching. A more urgent risk already leaves critical enterprise resources vulnerable today: the default enablement of IPv6 in the most popular platforms on the market. Vista, Windows Server 2008 and most Linux distributions use IPv6 internally and automatically establish connectivity which can subvert the most powerful IPv4-based enterprise protection. Corporate networks can only be protected with a comprehensive security approach that includes IPv6. Implementing IPv6 is not a trivial exercise. It requires a complete audit of all network components, an analysis of all networked applications, a thorough dual-stack transition plan and an opportunity assessment of new protocol benefits. Fortunately, there is no urgent need for most organizations to fully embrace IPv6 at this time. The cost and effort of minimal preparation is almost negligible. 
On the other hand, the impact of a critical security incident, the need to write off a major equipment purchase or to fundamentally redesign a network can be devastating. The business case for widespread corporate IPv6 adoption may not yet be compelling. But we have certainly reached the time for all enterprises to consider IPv6 and assess its impact. Ignoring it any longer is alarmingly irresponsible.
  • http://www.ietf.org/html.charters/mip6-charter.html
  • The IPv6 family of protocols was designed to support a range of new functionality, examples of which are listed below. All the designs were optimized for use on 64-bit hardware and software.
    • Addressing: The size of an IP address increases from 32 bits in IPv4 to 128 bits in IPv6. This provides enough IP addresses that, for the foreseeable future, all nodes can have their own globally unique address, enabling true peer-to-peer communication. The IPv6 addressing scheme uses hierarchically assigned addresses. This structure provides a logical separation of "who you are" (interface ID) from "where you are connected" (prefix), allowing more efficient routing.
    • Support for renumbering: IPv6 brings network-level support for renumbering (changing IP addresses across a network). IPv6 addresses can have lifetimes associated with them. As the lifetime of the old address expires, a new address can be automatically configured. Renumbering IPv6 hosts is easy: add a new prefix to the router and reduce the lifetime of the old prefix. As nodes deprecate the old prefix, the new prefix will start to be used for new connections. Renumbering is designed to happen, which ends ISP "lock-in" and improves competition.
    • Management: IPv6 makes getting on the network as simple as plugging a cable into your computer. IPv6 nodes automatically configure themselves using IPv6 stateless auto-configuration or a version of the dynamic host configuration protocol (DHCPv6), all without human intervention. These features make for true plug-and-play network access, putting the IT director in control and re-focusing network operations staff on running the network.
    • Mandated security: Security is an add-on in IPv4, clearly unacceptable for today's e-commerce. IPv6 brings mandated standard security at the network level, boosting the prospects for e-commerce. All traffic running over IP can be secured.
    • Efficient mobility support: Built-in mobility support. Every network is mobile-ready. Very little infrastructure is required. Each IPv6 node can act as a correspondent and redirect packets to the new address of the mobile node.
    • QoS: The IPv6 packet format contains a new 20-bit traffic-flow identification field that lays the foundation for quality-of-service (QoS) functions, such as bandwidth reservation, in an open, interoperable manner. This is practically impossible using standard IPv4 technologies.
  • http://www.btgtm.com/BTGlobalTelecomNewsGTMA/Article.asp?ArticleCode=40065132&EditionCode=91632210 Critical for Comcast to be able to manage its cable modems and set-top boxes after all of the IPv4 addresses are used up.
    • 25% plan to have IPv6 in production within 2 years
    • 10% of respondents are currently deploying or have deployed IPv6. An additional 15% of respondents plan to deploy IPv6 within the next two years.
    • 50% do not have a clear strategy
  • Synergies between IPv6 and cloud:
    • A massively scalable Internet architecture underneath the compute cloud platform (since cloud platforms are completely Internet-based and assume sound Internet infrastructure)
    • Use of Mobile IPv6 to migrate or transition virtual machines across geographical boundaries / affinities
    • Inherent security between compute elements by way of IPsec in v6
    • Aid dynamic allocation of capacity by autoconfiguring virtual machines based on demand fluctuation
    • Use of extension headers for new capabilities for cloud services
    However:
    • Extension headers are problematic for hardware-based packet-forwarding/-classification engines, FYI. Also, in keeping with the end-to-end principle as expressed by Saltzer et al., the utility and desirability of extension headers in the underlying transport is contraindicated.
    • Over-encryption is actually a serious and growing security problem, as it degrades the ability to classify and detect undesirable network traffic.
    • Autoconfiguration of computing/networking/application/service resources is orthogonal to the underlying layer-3 transport.
    • Workload mobility is not the same as VM mobility.
    • Where IPv6 comes into play is that it is the solution, such as it is, for IPv4 address exhaustion. IPv6 plus LISP is probably the best solution we currently have on the table for both address exhaustion and routing-table bloat in the DFZ (which is only going to increase as more and more entities are multi-homed, not to mention the additional memory/ASIC requirements for carrying 128-bit IPv6 addresses in the RIB and mapping them into the FIB).
    • Mobility, the rise of spimes, and M2M all require copious and flexible addressing, and a world of NAT isn't going to be the optimal solution.
    • Renumbering, autoconfiguration?
  • References:
    • http://seclists.org/lists/honeypots/2002/Oct-Dec/0105.html
    • http://project.honeynet.org/scans/scan25/sol/NCSU/main.html
    • http://pcworld.about.com/od/securit1/Denial-of-Service-Attacks-Inte.htm
    • RP Murphy, DefCon: IPv6 Covert Channels
    • James Hoagland, Black Hat: Teredo/IPv6-related flaw in Vista
    • Joe Klein: IPv6-related malware timeline
      • 10/1/2001 DoS bot: Ipv4.ipv6.tcp.connection
      • 9/26/2003 Worm: W32/Raleka!worm
      • 7/6/2004 Worm: W32/Sdbot-JW
      • 2/18/2005 Worm: W32/Sdbot-VJ
      • 8/24/2005 Trojan: Troj/LegMir-AT
      • 9/5/2005 Trojan: Troj/LegMir-AX
      • 4/28/2006 Trojan: W32/Agent.ABU!tr.dldr
      • 1/2/2007 Trojan: Cimuz.CS
      • 4/10/2007 Trojan: Cimuz.EL
      • 5/4/2007 Trojan: Cimuz.FH
      • 11/5/2007 Worm: W32/Nofupat
      • 11/15/2007 Trojan: Trojan.Astry
      • 12/1/2007 Rootkit: W32/Agent.EZM!tr.dldr
      • 12/16/2007 Trojan: W32/Agent.GBU!tr.dldr
      • 12/29/2007 Worm: W32/VB-DYF
      • 4/22/2008 Trojan: Troj/PWS-ARA
      • 5/29/2008 Trojan: Generic.dx!1DAEE3B9
    • http://www.securecomputing.net.au/News/117402,ipv6-insecurity-is-a-clear-and-present-danger.aspx
  • Sun’s socket scrubber: https://sdlc4e.sun.com/ECom/EComActionServlet;jsessionid=B39AB3694679C27E9F99934A8F86CA16
  • Procurement: follow the lead of the DoD. ROI: begin to consider it. It will be hard to quantify in the initial stages, but as product availability shifts the numbers are going to change. The challenge is to be ready. The deadline is 2000, but we do not know whether it is 1994 or November 1999. The timeline is mainly influenced by the stubbornness and influence of the DoD and others on the industry. Cisco is close to ready. Microsoft will probably be in the 2005/2006 timeframe with applications. Others will follow the lead. Don’t invest heavily. Take precautions so that you are not caught off-guard.

Enterprise Preparation for IPv6: Presentation Transcript

  • IPv6 for the Enterprise. John Rhoton ( [email_address] ), Distinguished Technologist, HP EDS CTO Office, June 2009
  • Agenda
    • IPv6 Overview
    • IPv6 Adoption
    • IPv6 Opportunities
    • IPv6 Risks/Threats
    • IPv6 Preparation
  • Mysteries, Myths and Misconceptions
    • What is IPv6?
    • Great solution! What’s the problem?
    • Why not just NAT?
    • 中国, 日本, 대한민국, 臺灣, 新加坡, भारत, ราชอาณาจักรไทย
    • ETA 2020
    • What’s the business case?
    • No worries – it will just happen automatically
    June 19, 2009
  • What is IPv6?
    • Internet Protocol (IP) is the network protocol that underpins the Internet
    • IPv6 is version 6 of the Internet Protocol (IP)
    • The current version (IPv4) was designed in the 1970s and standardized in 1981.
    • IPv4 address space will eventually "run out". This will occur at a global level.
    • IPv6 also solves many problems of IPv4, such as security, auto-configuration, and extensibility.
    June 2008
  • Need for IP address space: Aren’t 4’294’967’296 addresses enough?
    • Uneven and inefficient distribution!!
    • US-Centric
      • India has 3 Class B
      • HP has 2 Class A
    • Emerging Service Providers
      • China Mobile has over 415 million subscribers
        • Subscriber growth: 2 million/month
      • Several operators have over 16 million
      • How can they all be simultaneously data-enabled?
    ARIN advised IPv6 migration (May 2007)
    Class   IP address pool
    A       2^24   ~16’777’216
    B       2^16   ~65’536
    C       2^8    ~256
  • The booming Internet
    • Traditional Internet desktops
    • Data-enabled mobile phones
    • Consumer appliances
    • Embedded systems
    • Sensors
    • RFID
  • IANA Pool Exhaustion
  • NAT Problems
    • Overhead of unnecessary translation
    • Protocol incompatibilities
      • E.g. IPsec
    • Breaks peer-to-peer applications
      • Instant messaging
      • Interactive games
      • VoIP
      • Real-time collaboration and sharing
        • Netmeeting, BitTorrent, Groove
    • Limits implementation of application servers
      • How far can you distribute your web-services?
      • Grid computing
    • Building work-arounds for everything NAT breaks is an unnecessary and inefficient effort!
  • Mobile IP Data Flow (diagram labels: Mobile Node, Home Agent, Correspondent Node, Home Network, Foreign Network, Mobile IP Tunnel, Binding Update, Physical Movement)
  • Additional Benefits
    • Availability
      • Anycast reduces single-point-of-failures
      • Removal of NAT
      • Authenticated access inhibits Denial of Service attacks
    • Agility
      • Improved Host and Router Discovery
      • Flexible Renumbering and Autoconfiguration
    • Better Traffic Flow
      • Efficient and Extensible IP datagram
      • Efficient Route Computation and Aggregation
      • Efficient IPv6 Header Compression
      • IP Header Flow Label to support quality of service
        • Even when all data is encrypted
  • Agenda
    • IPv6 Overview
    • IPv6 Adoption
    • IPv6 Opportunities
    • IPv6 Risks/Threats
    • IPv6 Preparation
  • Adoption: Where are we really? (adoption-curve diagram labels: Innovators, Early Adopters, Early Majority, Late Majority, Laggards; Early Market, Bowling Alley, Tornado, Main Street; examples: E-Business, Mobile Telephony, Internet, Wireless Data, Mobile Applications, IPv6; US DoD Mandate 2008)
  • IPv6 Adoption Curve
    • 2008 Survey by BT:
    • 2009 Lot of IPv6 planning going on at the corporate level
      • http://www.indeed.com/q-ipv6-jobs.html
  • IPv6 Drivers
    • Customers are driving the requirement
      • US Federal Government Procurement Mandate June 2008 Issued by the Office of Management and Budget (OMB)
        • IPv6 support required for networked products – new purchases
      • Several governments have similar mandates (Japan, China CNGI, Korea, the EU)
      • 3GPP has mandated exclusive use of IPv6 for IMS (IP Multimedia Subsystem). Industry sectors such as Intelligent Transport Systems, digital video broadcasting and smart-home consortia have all recommended the use (sometimes exclusively) of IPv6.
      • Convergence to all-IP (NGN (Next Generation Networks), FMC (Fixed-Mobile Convergence), triple play and wireless), non-computer/embedded devices, sensors, and building safety and security will all require IPv6 as network infrastructure.
    • HP is taking an aggressive leadership stance on the IPv6 enablement dates
  • HP took an early Lead with IPv6
    • 1993
      • HP helped define the IP Next Generation protocol in the IETF
    • 1995
      • First Public HP IPv6 demos & experiments
    • 1996
      • HP 6bone connection active
    • 1999
      • HP Founding member of the IPv6 Forum
      • Jim Bound CTO and member of the Board of Directors of IPv6 Forum
      • Yanick Pouffary IPv6 Forum Fellow
    • 2000
      • First HP IPv6-enabled server products
    • 2001
      • HP launched industry leading IPv6 and Mobile IPv6 solution demos
    • 2002
      • HP chairs North American IPv6 Task Force and is Technology Director.
      • NAv6TF influenced the White House U.S. Cyber Security Office to promote IPv6, leading to the US DoD mandate (June 2003) that IPv6 integration be ready by Oct 2008
      • HP IT launched a world wide IPv6 test bed
    • 2003
      • Participating in North American IPv6 interoperability Network Pilot - Moonv6
      • HP helped define IPv6 ready logo
      • HP OpenView Network Node Manager IPv6 support
      • Internal HP IPv6 initiative
    • 2004
      • NAv6TF works with the White House Office of Management and Budget (OMB), leading to the June 2005 OMB mandate
      • HP IPv6 servers acquire IPv6 ready logo
      • HP ProCurve IPv6 VLANs support
    • 2005
      • HP was among the first printer companies to release an IPv6 product
      • NAv6TF works with OMB to produce OMB IPv6 transition guidance
    • 2006
      • HP Printer first vendor on the US DoD IPv6 Approved Product list
      • HP StorageWorks Division provides a customer statement of support committing support of IPv6 per the US OMB mandate
    • 2007
      • HP Network Automation (HPNA) (Opsware Network Automation System software)
        • IPv4 and IPv6 devices discovery
  • HP IPv6 support
    • HP is implementing IPv6 support in stages with the goal of ensuring a smooth transition and deployment where IPv6-updated products can take advantage of IPv6, without impacting existing functionality.
    • HP supports IPv6 across many of its product lines today.
    • HP platforms support transition mechanisms and gateways to interoperate with IPv4.
    • HP has already delivered IPv6 products across:
      • HP Business Critical Server and ProLiant platforms (HP-UX, Tru64 UNIX®, OpenVMS, NonStop Server, Linux, and Microsoft® Windows)
      • ProCurve high-end switches, through the ProVision ASIC, offer full support for IPv6 in hardware: ProCurve Switch series 8200, 6200, 5400 and 3500
      • HP Enterprise JetDirect and LaserJet printers
      • HP Business Technology Optimization Network Management Center platform and Opsware Network Automation System software, now called HP Network Automation (HPNA)
  • Agenda
    • IPv6 Overview
    • IPv6 Adoption
    • IPv6 Opportunities
    • IPv6 Risks/Threats
    • IPv6 Preparation
  • The Path to IPv6 in the Enterprise
    • IPv6 Security
      • Network Monitoring and Management Infrastructure
    • Mobility and Remote Access
    • Isolated IPv6-oriented applications
    • Mission-critical applications
  • Remote Access
    • IPsec Tunnel
      • Dual-factor authentication
      • Full network access
    • Reverse Proxies
      • Limited Application access
      • Application-specific authentication
    • SSL/VPN
    • IPsec Transport
  • Dedicated Networks
    • Factory Automation
    • Supply Chain Management
      • RFID
    • Sensor networks (e.g. monitoring systems)
      • Require mobility, ad-hoc networking, security and a large number of simple devices
    • VoIP/Multimedia services
      • Requires global access, multicast, QoS, mobility
    • Partner Extranets
  • Beijing Olympics 2008
    • Surveillance
    • Sensors
    • Lighting
  • Synergies between IPv6 and Cloud
    • Massive scalability
      • Hierarchical internal address space of provider
      • Avoid connection brokers (ALG/NAT)
    • No “need” for NAT
    • Always connected user experience Mobile IPv6
    • Customer connectivity
    • “ Easier” implementation
    • Unified Communications
  • Agenda
    • IPv6 Overview
    • IPv6 Adoption
    • IPv6 Opportunities
    • IPv6 Risks/Threats
    • IPv6 Preparation
  • Return on Investment?
    • Long-term
      • Greater efficiency
      • Better resilience
      • Facilitates new technologies
    • Short-term
      • Increased costs
      • Little visible benefit
    But there is another perspective …
  • Risk Management
    • Data Risks
      • Valuable corporate resources exposed
        • In unmonitored networks
    • Application Risks
      • Reliability in an IPv6 environment
    • Financial Risks
      • Costs of gradual deployment versus
      • Sudden urgent response to unexpected event
  • Rogue Devices / Networks
    • Unauthorized IPv6 devices
      • Windows Vista, Linux
    • Unauthorized Networks
      • Internal tunnels
    • Compromised Perimeter
      • External tunnels
    • Monitoring
    • Traffic Inspection
    What you don’t know will hurt you
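The "unauthorized devices", "internal tunnels" and "external tunnels" points above are easiest to act on as a monitoring check. The following Python script is an added example, not code from the presentation: it reads flow records in a constructed text format (one record per line: source, destination, IP protocol, source port, destination port), flags IPv6-in-IPv4 encapsulation (IP protocol 41, used by 6to4, 6in4 and ISATAP), Teredo (UDP/3544), 6to4 (2002::/16) and Teredo (2001::/32) addresses, and any global IPv6 source outside the prefixes the network team has actually deployed. The authorized prefix list and the sample records are assumed inputs made up for the example.

```python
"""Flag IPv6 tunnel traffic and unauthorized IPv6 speakers in flow records.

Added example for the 'Rogue Devices / Networks' slide; it is not code from
the presentation. The flow-record format is constructed for illustration:
one record per line, five space-separated fields:
    <src-ip> <dst-ip> <ip-protocol> <src-port> <dst-port>
"""
import ipaddress

# Well-known tunnel indicators.
PROTO_IPV6_IN_IPV4 = 41      # 6in4 / 6to4 / ISATAP carry IPv6 inside IPv4 protocol 41
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544       # Teredo server port (IPv6 over UDP/IPv4 through NAT)
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")   # 6to4 addresses embed an IPv4 address
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")   # Teredo addresses
LINK_LOCAL = ipaddress.ip_network("fe80::/10")      # every IPv6 host has one; not a policy signal

# Constructed sample records (not captured from a real network).
# 192.88.99.1 is the 6to4 relay anycast address.
SAMPLE_FLOWS = """\
10.0.1.23 192.88.99.1 41 0 0
10.0.1.40 198.51.100.7 17 54321 3544
10.0.1.7 10.0.2.9 6 50123 443
2002:0a00:0117::1 2001:db8:abcd::10 6 50100 80
2001:0:4136:e378:8000:63bf:3fff:fdd2 2001:db8::5 6 50200 22
2001:db8:cafe::2 2001:db8:cafe::3 6 50300 445
fe80::1c2b:3d4e:5f60:7a8b ff02::1 58 0 0
"""


def parse_flows(text):
    """Turn the constructed text format into dicts with parsed addresses."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport = line.split()
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": int(proto),
            "sport": int(sport),
            "dport": int(dport),
        })
    return flows


def classify_flow(flow, authorized_v6):
    """Return the list of reasons a flow deserves attention (empty if none)."""
    findings = []
    src, dst = flow["src"], flow["dst"]
    # Tunnel encapsulation is visible even on a nominally IPv4-only network.
    if src.version == 4 and flow["proto"] == PROTO_IPV6_IN_IPV4:
        findings.append("IPv6-in-IPv4 tunnel (IP protocol 41)")
    if flow["proto"] == PROTO_UDP and TEREDO_UDP_PORT in (flow["sport"], flow["dport"]):
        findings.append("Teredo tunnel (UDP/3544)")
    # Native IPv6 whose address reveals an automatic tunnel on one side.
    for addr in (src, dst):
        if addr.version == 6 and addr in SIXTO4_PREFIX:
            findings.append(f"6to4 address {addr}")
        elif addr.version == 6 and addr in TEREDO_PREFIX:
            findings.append(f"Teredo address {addr}")
    # Any non-link-local IPv6 source outside the prefixes IT has deployed.
    if (src.version == 6 and src not in LINK_LOCAL
            and not any(src in net for net in authorized_v6)):
        findings.append(f"unauthorized IPv6 source {src}")
    return findings


def audit_flows(text, authorized_cidrs):
    """Return [(record_number, findings)] for every record that was flagged."""
    authorized = [ipaddress.ip_network(cidr) for cidr in authorized_cidrs]
    report = []
    for number, flow in enumerate(parse_flows(text), 1):
        findings = classify_flow(flow, authorized)
        if findings:
            report.append((number, findings))
    return report


if __name__ == "__main__":
    # Assumed: the only IPv6 prefix the enterprise has deliberately deployed.
    for number, findings in audit_flows(SAMPLE_FLOWS, ["2001:db8:cafe::/48"]):
        print(f"record {number}: " + "; ".join(findings))
```

The link-local exclusion matters: every Vista, Windows Server 2008 or Linux host emits fe80:: traffic by default, so flagging it would drown the report; the signal is global-scope IPv6 and encapsulated IPv6 that nobody provisioned.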
  • Hacker Tools and Attacks
    • IPv6-enhanced versions of old tools
      • Halfscan6, netcat6, NMAP, Ethereal, Snort, TCPDump
    • 6to4DDos
    • Relayers (can be misused for tunnels and redirects)
      • relay6, 6tunnel, nt6tunnel, asybo
    • Attacks
      • 2003: W32.HLLW.Raleka
      • 2005: Troj/Legmir-AT
      • 2007: W32/Agent.EZM!tr.dldr
    "Last year IPv6 didn't register in scale, but now it's emerging as a concern on the security side. Attackers are going to try it or use it as a transport mechanism for botnets. IPv6 has become a problem on the operational side.“ Arbor Networks CTO Rob Malan
  • IPv6 Transition Exposure
    • IPv6 is available
    • IPv6 is in use
    • IPv6 is on many private networks
    • Corporate Security
      • does not monitor IPv6
    • Corporate IT
      • is not familiar with IPv6
    • This is irresponsible!
  • Application Impact
    • Socket calls (see RFC 3493, RFC 3542)
    • Are numeric IP addresses manipulated, stored or cached?
    • Colon-separator used between hostnames and port numbers?
    • Accept, parse or manipulate user-provided URLs or hostnames?
      • Might contain a numeric IPv6 address (see RFC 2732)
    • Sequential enumeration of address space?
      • e.g. ping-sweep to scan a subnet
    • Assumption that host or interface only has one IP address?
    • Direct use of layered networking protocols (e.g. DHCP, ARP, DNS, RIP, OSPF…)?
    • SNMP collection of IPv4/IPv6 data?
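Several of the audit questions above (colon separators, numeric addresses stored or compared as strings, URLs carrying RFC 2732 bracketed literals, and socket calls per RFC 3493) come down to a few small coding habits. The Python below is an added example, not code from the presentation; it uses only the standard library, and all sample inputs are constructed.

```python
"""IPv6-aware handling of host:port strings, URLs, stored addresses and
socket families.

Added example for the 'Application Impact' slide; not code from the
presentation. Standard library only; sample inputs are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def split_host_port(text, default_port=None):
    """Split 'host:port', '[v6]:port', '[v6]', 'v6' or 'host' into (host, port).

    A bare IPv6 literal already contains colons, so a port may only follow an
    IPv6 host when the literal is bracketed (RFC 2732 style). Without
    brackets, '2001:db8::1:443' is a valid address, not host 2001:db8::1 on
    port 443, so this function treats it as an address.
    """
    if text.startswith("["):
        close = text.find("]")
        if close == -1:
            raise ValueError(f"unterminated IPv6 bracket in {text!r}")
        host, rest = text[1:close], text[close + 1:]
        ipaddress.IPv6Address(host)          # raises on an invalid literal
        if rest == "":
            return host, default_port
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError(f"expected ':port' after ']' in {text!r}")
        return host, int(rest[1:])
    if text.count(":") > 1:
        ipaddress.IPv6Address(text)          # bare IPv6 literal, no port
        return text, default_port
    host, sep, port = text.partition(":")
    if sep and not port.isdigit():
        raise ValueError(f"bad port in {text!r}")
    return host, (int(port) if sep else default_port)


def host_from_url(url):
    """urlsplit() understands RFC 2732 brackets; .hostname strips them."""
    parts = urlsplit(url)
    return parts.hostname, parts.port


def canonical(text):
    """Normalize before storing, caching or comparing an address.

    '2001:DB8:0:0::1' and '2001:db8::1' are the same address but different
    strings; a cache keyed on raw text would treat them as two hosts.
    """
    return str(ipaddress.ip_address(text))


def address_family(host, port=0):
    """Let getaddrinfo() (RFC 3493) pick the family instead of hard-coding AF_INET.

    AI_NUMERICHOST restricts this to literals so the example runs without DNS;
    production code would drop that flag and iterate over every result,
    because a host may well have more than one address.
    """
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM,
                               0, socket.AI_NUMERICHOST)
    return infos[0][0].name                  # 'AF_INET' or 'AF_INET6'


if __name__ == "__main__":
    for sample in ("example.com:443", "[2001:db8::1]:443", "[::1]", "2001:db8::1:443"):
        print(sample, "->", split_host_port(sample))
    print(host_from_url("http://[2001:db8::1]:8080/path"))
    print(canonical("2001:DB8:0:0::1"), address_family("2001:db8::1"))
```

The last sample in the usage block shows the ambiguity the slide warns about: a naive `rsplit(":", 1)` would turn a legitimate address into a bogus host and port, so any code that accepts user-supplied hosts must insist on brackets whenever an IPv6 literal carries a port.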
  • Potential Triggers
    • Large-scale security attack
    • Technical impasse
    • Address space shortage
    • Service-provider transition
    • New geographical market
    • Government mandate
    • Supplier/customer/partner requirement
  • Financial impact
    • Investment protection
      • Write off new purchases?
    • Purchasing criteria can include
      • Stated IPv6 support
      • IPv6 Logo certification
      • IPsec, Mobile IP, transition mechanisms …
    • Ensure minimal training and awareness
    • Accelerated deployment costs more than gradual adoption!
  • Agenda
    • IPv6 Overview
    • IPv6 Adoption
    • IPv6 Opportunities
    • IPv6 Risks/Threats
    • IPv6 Preparation
  • Phased Deployment
    • Audit
      • Discovery
      • Policy Enforcement
      • Network Monitoring
    • Enablement
      • Network Management
      • Connectivity
        • Internal-Internal
        • Internal-External
        • External-Internal
      • Application Enablement
    • Transition
  • Discovery
    • Requirements
      • Security
      • Asset tracking
    • Node discovery
      • Address space enumeration
      • Harvesting
      • Sniffing
    • Router discovery
      • Topology mapping
  • Application audit/support
    • Scan custom software
      • Checkv4.exe – Microsoft
      • IPv6finder
        • Open Source software, developed by HP
      • Sun’s socket scrubber
    • Check with vendors for IPv6 support in commercial products
    • Test in your own environment!
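The "scan custom software" step works by looking for IPv4-only idioms in source. The Python below is an added example in the spirit of the tools listed above (Checkv4, IPv6finder, Sun's socket scrubber); it is not any of those tools and not code from the presentation. The pattern list is the example's own starting point, and the C fragment it scans is constructed.

```python
"""Scan source code for constructs that assume IPv4, as a first-pass
application audit.

Added example for the 'Application audit/support' slide; a small
illustration in the spirit of the tools listed there, not any of those
tools. The pattern list and the sample C fragment are constructed.
"""
import re

# (pattern, explanation) pairs.  \b keeps AF_INET from matching AF_INET6 and
# sockaddr_in from matching sockaddr_in6, because a digit is a word character.
PATTERNS = [
    (re.compile(r"\bgethostbyname\b"),
     "gethostbyname(): IPv4-only resolver; use getaddrinfo() (RFC 3493)"),
    (re.compile(r"\binet_(?:aton|addr|ntoa)\b"),
     "inet_aton/inet_addr/inet_ntoa: IPv4-only; use inet_pton()/inet_ntop()"),
    (re.compile(r"\bsockaddr_in\b"),
     "sockaddr_in: IPv4 address structure; use sockaddr_storage or sockaddr_in6"),
    (re.compile(r"\bAF_INET\b"),
     "AF_INET hard-coded; take the family from getaddrinfo() results"),
    (re.compile(r"\bchar\s+\w+\s*\[\s*16\s*\]"),
     "16-byte text buffer: an IPv6 address needs INET6_ADDRSTRLEN (46) bytes"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
     "hard-coded IPv4 literal; addresses belong in configuration or DNS"),
]


def scan_source(text, path="<input>"):
    """Return (path, line_number, explanation) for every pattern hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, explanation in PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, explanation))
    return findings


# Constructed C fragment: typical IPv4-only idioms plus two IPv6-clean lines.
SAMPLE_C = """\
#include <netdb.h>
struct sockaddr_in addr;               /* IPv4-only address structure */
char ip_text[16];                      /* only room for a dotted quad */
struct hostent *h = gethostbyname(host);
addr.sin_addr.s_addr = inet_addr("192.0.2.10");
int s = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in6 ok6;               /* already IPv6-capable */
int s6 = socket(AF_INET6, SOCK_STREAM, 0);
"""


if __name__ == "__main__":
    for path, lineno, explanation in scan_source(SAMPLE_C, "sample.c"):
        print(f"{path}:{lineno}: {explanation}")
```

A textual scan like this is a triage tool, not a proof: it will miss an address length hard-coded through a macro and it will flag version strings that look like dotted quads. Its value is in producing the inventory of files that need a real review before the transition plan is costed.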
  • Preparation and Planning
    • IPv6 is inevitable. The key to success is timing.
    • Prepare
      • Assess Security and Management requirements
      • Assess transition mechanisms
      • Train staff for roll-out and support
      • Procure only IPv6 compliant components
    • Plan
      • Analyze the ROI
      • Identify suitable pilots / early adopters
        • Applications
        • User communities
      • Obtain IPv6 prefixes
      • Inventory custom applications
  • Summary
    • IPv6 is about more than Address Space
    • IPv6 adoption is beginning now
      • HP is a leader in IPv6
    • IPv6 is still IP
      • New Network Security Model
      • End-to-end security
      • Improved Availability
    • The market must begin to plan for IPv6 now
      • It is easy to enable IPv6 in a simple environment
    • You can ignore IPv6 but that won’t stop it!
  • HP IPv6 Frequently Asked Questions June 2008 www.hp.com/network/ipv6
    • What is IPv6?
    • Why do I need IPv6 when IPv4 is working fine for me?
    • What are the features and benefits of IPv6?
    • Are there any alternatives to IPv6?
    • What do I need to do to be ready for the future?
    • What is the meaning of IP capable?
    • How do I transition to IPv6?
    • What is the HP history with IPv6?
    IPv6 FAQs
  • IPv6 resources
    • www.IPv6forum.com international IPv6 Forum
    • www.ipv6ready.org IPv6 Forum IPv6 Ready Logo information
      • IPv6 Ready Logo white paper http://www.ipv6forum.com/dl/white/IPv6_Ready_Logo_White_Paper_Final.pdf
    • www.nav6tf.org North America IPv6 task force
    • www.eu.IPv6tf.org European IPv6 Task Force
    • www.v6pc.jp/en/index.phtml Japan IPv6 Promotion council
    • IPv6 Security Link: www.seanconvery.com/ipv6.html
    • HP IPv6 Link: www.hp.com/network/ipv6
  • More information
    • Presentation will be posted to:
      • http://www.slideshare.net/rhoton
    • HP Resources
      • www.hp.com/network/ipv6
    • Any other questions?
      • http://www.linkedin.com/in/rhoton