IPv6 for the Enterprise



HP Technology Forum, Las Vegas, 2008

Published in: Technology, Business
  • IPv6 for the Enterprise

    1. IPv6 for the Enterprise
        John Rhoton (john.rhoton@hp.com), Distinguished Technologist
        June 2008
    2. Agenda
        • IPv6 Overview
        • IPv6 Adoption
        • IPv6 Opportunities
        • IPv6 Risks/Threats
        • IPv6 Preparation
            • 1595 State of IPv6 Inside HP, Industry and Government
            • 1710 Getting Started with IPv6
            • 1631 Enterprise Preparation for IPv6
            • 1598 IPv6 and Applications Porting – Hands on
            • 1751 Challenges in Managing IPv6 Networks
    3. Agenda
        • IPv6 Overview
        • IPv6 Adoption
        • IPv6 Opportunities
        • IPv6 Risks/Threats
        • IPv6 Preparation
    4. Mysteries, Myths and Misconceptions
        • What is IPv6?
        • Great solution! What’s the problem?
        • Why not just NAT?
        • 中国, 日本, 대한민국, 臺灣, 新加坡, भारत, ราชอาณาจักรไทย
        • ETA 2020
        • What’s the business case?
        • No worries – it will just happen automatically
        June 9, 2009
    5. What is IPv6?
        • Internet Protocol (IP) is the network protocol that underpins the Internet
        • IPv6 is version 6 of the Internet Protocol (IP)
        • The current version (IPv4) was designed in the 1970s and standardized in 1981.
        • IPv4 address space will eventually "run out". This will occur at a global level...
        • IPv6 also solves many IPv4 problems, such as security, auto-configuration, and extensibility.
    6. Need for IP address space
        Aren’t 4’294’967’296 addresses enough?
        • Uneven and inefficient distribution!!
        • US-Centric
            • India has 3 Class B
            • HP has 2 Class A
        • Emerging Service Providers
            • China Mobile has over 380 million subscribers
                • Subscriber growth: 2 million/month
            • Several operators have over 16 million
            • How can they all be simultaneously data-enabled?
        ARIN advised IPv6 migration – May 2007

        Class   IP Address Pool
        A       2^24   ~16’777’216
        B       2^16   ~65’536
        C       2^8    ~256
    7. The booming Internet
        • Traditional Internet desktops
        • Data-enabled mobile phones
        • Consumer appliances
        • Embedded systems
        • Sensors
        • RFID
    8. NAT Problems
        • Overhead of unnecessary translation
        • Protocol incompatibilities
            • E.g. IPsec
        • Breaks peer-to-peer applications
            • Instant messaging
            • Interactive games
            • VoIP
            • Real-time collaboration and sharing
                • Netmeeting, BitTorrent, Groove
        • Limits implementation of application servers
            • How far can you distribute your web-services?
            • Grid computing
        • Building work-arounds for everything NAT breaks is an unnecessary and inefficient effort!
    9. Mobile IP
        [Diagram. Labels: Data Flow, Binding Update, Physical Movement, Mobile IP Tunnel, Foreign Network, Home Network, Mobile Node, Correspondent Node, Home Agent]
    10. Additional Benefits
        • Availability
            • Anycast reduces single points of failure
            • Removal of NAT
            • Authenticated access inhibits Denial of Service attacks
        • Agility
            • Improved Host and Router Discovery
            • Flexible Renumbering and Autoconfiguration
        • Better Traffic Flow
            • Efficient and Extensible IP datagram
            • Efficient Route Computation and Aggregation
            • Efficient IPv6 Header Compression
            • IP Header Flow Label to support quality of service
                • Even when all data is encrypted
    11. Agenda
        • IPv6 Overview
        • IPv6 Adoption
        • IPv6 Opportunities
        • IPv6 Risks/Threats
        • IPv6 Preparation
    12. Adoption: Where are we really?
        [Chart: technology adoption life cycle. Segments: Innovators, Early Adopters, Early Majority, Late Majority, Laggards. Phases: Early Market, Bowling Alley, Tornado, Main Street. Plotted items: E-Business, Mobile Telephony, Internet, Wireless Data, IPv6, Mobile Applications, US DoD Mandate 2008]
    13. IPv6 Drivers
        • Customers are driving the requirement
            • US Federal Government Procurement Mandate June 2008, issued by the Office of Management and Budget (OMB)
                • IPv6 support required for networked products – new purchases
            • Several governments have similar mandates (Asia: Japan, China CNGI, Korea; EU)
            • 3GPP has mandated exclusive use of IPv6 for IMS (IP Multimedia Subsystems). Industry sectors such as Intelligent Transport Systems, digital video broadcasting and smart home consortia have all recommended the use (sometimes exclusively) of IPv6.
            • Convergence to ALL-IP (NGN (Next Generation Networks), FMC (Fixed to Mobile Convergence), Triple Play and Wireless), non-computer devices/embedded devices, sensors, building safety and security will all require IPv6 as network infrastructure.
        • HP is taking an aggressive leadership stance on the IPv6 enablement dates
    14. HP took an early Lead with IPv6
        • 1993
            • HP helped define the IP Next Generation protocol in the IETF
        • 1995
            • First Public HP IPv6 demos & experiments
        • 1996
            • HP 6bone connection active
        • 1999
            • HP Founding member of the IPv6 Forum
            • Jim Bound CTO and member of the Board of Directors of IPv6 Forum
            • Yanick Pouffary IPv6 Forum Fellow
        • 2000
            • First HP IPv6-enabled server products
        • 2001
            • HP launched industry leading IPv6 and Mobile IPv6 solution demos
        • 2002
            • HP chairs North American IPv6 Task Force and is Technology Director.
            • NAv6TF influences White House U.S. Cyber Security Office to promote IPv6 leading to US DoD mandating the integration of IPv6 to be ready by Oct 2008 (June 2003)
            • HP IT launched a world wide IPv6 test bed
        • 2003
            • Participating in North American IPv6 interoperability Network Pilot - Moonv6
            • HP helped define IPv6 ready logo
            • HP OpenView Network Node Manager IPv6 support
            • Internal HP IPv6 initiative
        • 2004
            • NAv6TF works with White House Office of Management and Budget (OMB) leading to June 2005 OMB mandate
            • HP IPv6 servers acquire IPv6 ready logo
            • HP ProCurve IPv6 VLANs support
        • 2005
            • HP was among the first printer companies to release an IPv6 product
            • NAv6TF works with OMB to produce OMB IPv6 transition guidance
        • 2006
            • HP Printer first vendor on the US DoD IPv6 Approved Product list
            • HP StorageWorks Division provides a customer statement of support committing support of IPv6 per the US OMB mandate
        • 2007
            • HP Network Automation (HPNA) (Opsware Network Automation System software)
                • IPv4 and IPv6 devices discovery
        See session 1595: State of IPv6 inside HP, Industry and Government
    15. HP IPv6 support
        • HP is implementing IPv6 support in stages with the goal of ensuring a smooth transition and deployment where IPv6-updated products can take advantage of IPv6, without impacting existing functionality.
        • HP supports IPv6 across many of its product lines today.
        • HP platforms support transition mechanisms and gateways to interoperate with IPv4.
        • HP has already delivered IPv6 products across:
            • HP Business Critical Server and ProLiant platforms (HP-UX, Tru64 UNIX®, OpenVMS, NonStop Server, Linux, and Microsoft® Windows)
            • ProCurve high-end switches through its ProVision ASIC offers full support for IPv6 in hardware; ProCurve Switch series 8200, 6200, 5400 and 3500
            • HP Enterprise JetDirect and LaserJet printers
            • HP Business Technology Optimization Network Management Center platform and Opsware Network Automation System software, now called HP Network Automation (HPNA)
    16. Agenda
        • IPv6 Overview
        • IPv6 Adoption
        • IPv6 Opportunities
        • IPv6 Risks/Threats
        • IPv6 Preparation
    17. The Path to IPv6 in the Enterprise
        • IPv6 Security
            • Network Monitoring and Management Infrastructure
        • Mobility and Remote Access
        • Isolated IPv6-oriented applications
        • …
        • …
        • …
        • …
        • Mission-critical applications
    18. Remote Access
        • IPsec Tunnel
            • Dual-factor authentication
            • Full network access
        • Reverse Proxies
            • Limited Application access
            • Application-specific authentication
        • SSL/VPN
        • IPsec Transport
    19. Dedicated Networks
        • Factory Automation
        • Supply Chain Management
            • RFID
        • Sensor networks (e.g. monitoring systems)
            • Require mobility, ad-hoc networking, security and a large number of simple devices
        • VoIP/Multimedia services
            • Requires global access, multicast, QoS, mobility
        • Partner Extranets
    20. Agenda
        • IPv6 Overview
        • IPv6 Adoption
        • IPv6 Opportunities
        • IPv6 Risks/Threats
        • IPv6 Preparation
    21. Return on Investment?
        • Long-term
            • Greater efficiency
            • Better resilience
            • Facilitates new technologies
        • Short-term
            • Increased costs
            • Little visible benefit
        But there is another perspective …
    22. Risk Management
        • Data Risks
            • Valuable corporate resources exposed
                • In unmonitored networks
        • Application Risks
            • Reliability in an IPv6 environment
        • Financial Risks
            • Costs of gradual deployment versus
            • Sudden urgent response to unexpected event
    23. Rogue Devices / Networks
        • Unauthorized IPv6 devices
            • Windows Vista, Linux
        • Unauthorized Networks
            • Internal tunnels
        • Compromised Perimeter
            • External tunnels
        • Monitoring
        • Traffic Inspection
        What you don’t know will hurt you
    24. Hacker Tools
        • IPv6-enhanced versions of old tools
            • halfscan6
            • netcat6
            • NMAP
            • Ethereal
            • Snort
            • TCPDump
        • 6to4DDos
        • Relayers (can be misused for tunnels and redirects)
            • relay6, 6tunnel, nt6tunnel, asybo
        http://seclists.org/lists/honeypots/2002/Oct-Dec/0105.html
        http://project.honeynet.org/scans/scan25/sol/NCSU/main.html
    25. IPv6 Transition Exposure
        • IPv6 is available
        • IPv6 is in use
        • IPv6 is on many private networks
        • Corporate Security
            • does not monitor IPv6
        • Corporate IT
            • is not familiar with IPv6
        • This is irresponsible!
    26. Application Impact
        • Socket calls (see RFC 3493, RFC 3542)
        • Are numeric IP addresses manipulated, stored or cached?
        • Colon-separator used between hostnames and port numbers?
        • Accept, parse or manipulate user-provided URLs or hostnames?
            • Might contain a numeric IPv6 address (see RFC 2732)
        • Sequential enumeration of address space?
            • e.g. ping-sweep to scan a subnet
        • Assumption that host or interface only has one IP address?
        • Direct use of layered networking protocols (e.g. DHCP, ARP, DNS, RIP, OSPF…)?
        • SNMP collection of IPv4/IPv6 data?
        See session 1598: IPv6 and Applications Porting – Hands on
    27. Potential Triggers
        • Large-scale security attack
        • Technical impasse
        • Address space shortage
        • Service-provider transition
        • New geographical market
        • Government mandate
        • Supplier/customer/partner requirement
    28. Financial impact
        • Investment protection
            • Write off new purchases?
        • Purchasing criteria can include
            • Stated IPv6 support
            • IPv6 Logo certification
            • IPsec, Mobile IP, transition mechanisms …
        • Ensure minimal training and awareness
        • Accelerated deployment costs more than gradual adoption!
    29. Agenda
        • IPv6 Overview
        • IPv6 Adoption
        • IPv6 Opportunities
        • IPv6 Risks/Threats
        • IPv6 Preparation
    30. Phased Deployment
        • Audit
            • Discovery
            • Policy Enforcement
            • Network Monitoring
        • Enablement
            • Network Management
            • Connectivity
                • Internal-Internal
                • Internal-External
                • External-Internal
            • Application Enablement
        • Transition
    31. Discovery
        • Requirements
            • Security
            • Asset tracking
        • Node discovery
            • Address space enumeration
            • Harvesting
            • Sniffing
        • Router discovery
            • Topology mapping
        See session 1751: Challenges in Managing IPv6 Networks
    32. Application audit/support
        • Scan custom software
            • Checkv4.exe – Microsoft
            • IPv6finder
                • Open Source software, developed by HP
            • Sun’s socket scrubber
        • Check with vendors for IPv6 support in commercial products
        • Test in your own environment!
        See session 1598: IPv6 and Applications Porting – Hands on
    33. Getting started with IPv6
        • Windows XP, 2003, Mobile: Included but requires activation
            • New dual-stack in Vista, Windows Server 2008
        • Linux: Included and activated in recent kernels/distributions
        • HP-UX / Tru64 / OpenVMS / NSK: Include advanced IPv6 functionality
        • Access Points / Hubs / Switches: Most relay IPv6 without problems
        • Works over wireless (e.g. 802.11b) and wired connections
        • IPv6 autoconfigures IP addresses
        • Trivial to set up on a LAN
            • 30 minutes
        See session 1710: Getting Started with IPv6
    34. Preparation and Planning
        • IPv6 is inevitable. The key to success is timing.
        • Prepare
            • Assess Security and Management requirements
            • Assess transition mechanisms
            • Train staff for roll-out and support
            • Procure only IPv6 compliant components
        • Plan
            • Analyze the ROI
            • Identify suitable pilots / early adopters
                • Applications
                • User communities
            • Obtain IPv6 prefixes
            • Inventory custom applications
    35. Summary
        • IPv6 is about more than Address Space
        • IPv6 adoption is beginning now
            • HP is a leader in IPv6
        • IPv6 is still IP
            • New Network Security Model
            • End-to-end security
            • Improved Availability
        • The market must begin to plan for IPv6 now
            • It is easy to enable IPv6 in a simple environment
        • You can ignore IPv6 but that won’t stop it!
    36. IPv6 at HP Technology Forum
        • We have put together a series of sessions covering the IPv6 topic:
            • 1595 State of IPv6 Inside HP, Industry and Government
            • 1710 Getting Started with IPv6
            • 1631 Enterprise Preparation for IPv6
            • 1598 IPv6 and Applications Porting – Hands on
            • 1751 Challenges in Managing IPv6 Networks
    37. HP IPv6 Frequently Asked Questions
        www.hp.com/network/ipv6
        • What is IPv6?
        • Why do I need IPv6 when IPv4 is working fine for me?
        • What are the features and benefits of IPv6?
        • Are there any alternatives to IPv6?
        • What do I need to do to be ready for the future?
        • What is the meaning of IP capable?
        • How do I transition to IPv6?
        • What is the HP history with IPv6?
    38. IPv6 resources
        • www.IPv6forum.com – international IPv6 Forum
        • www.ipv6ready.org – IPv6 Forum IPv6 Ready Logo information
            • IPv6 Ready Logo white paper: http://www.ipv6forum.com/dl/white/IPv6_Ready_Logo_White_Paper_Final.pdf
        • www.nav6tf.org – North America IPv6 Task Force
        • www.eu.IPv6tf.org – European IPv6 Task Force
        • www.v6pc.jp/en/index.phtml – Japan IPv6 Promotion Council
        • IPv6 Security Link: www.seanconvery.com/ipv6.html
        • HP IPv6 Link: www.hp.com/network/ipv6
        Other questions: john.rhoton@hp.com
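
The colon-separator, user-provided-hostname and stored-address questions on slide 26 (Application Impact), shown as an added example that is not part of the original deck: an IPv4-era host/port split beside one that accepts the bracketed IPv6 literals of RFC 2732. The function names and the sample inputs (documentation address ranges) are constructed for illustration.

```python
import ipaddress

def naive_split(hostport):
    """IPv4-era idiom: treat the first colon as the host/port separator."""
    host, _, port = hostport.partition(":")
    return host, port

def split_hostport(hostport, default_port=80):
    """Split 'host[:port]'; IPv6 literals must be bracketed as in RFC 2732."""
    if hostport.startswith("["):
        end = hostport.find("]")
        if end == -1:
            raise ValueError("unterminated '[' in %r" % hostport)
        host, rest = hostport[1:end], hostport[end + 1:]
        ipaddress.IPv6Address(host)      # ValueError if not a valid IPv6 literal
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after ']' in %r" % hostport)
        port = rest[1:] if rest else default_port
    else:
        if hostport.count(":") > 1:
            # Several colons and no brackets: address and port are ambiguous.
            raise ValueError("unbracketed IPv6 literal in %r" % hostport)
        host, sep, port = hostport.partition(":")
        if not sep:
            port = default_port
    port = int(port)                     # ValueError on empty or non-numeric port
    if not 0 < port < 65536:
        raise ValueError("port out of range in %r" % hostport)
    return host, port

def canonical(addr):
    """Normalise an IPv4/IPv6 literal before storing, caching or comparing it."""
    return ipaddress.ip_address(addr).compressed

# Constructed sample inputs (documentation ranges, not taken from the deck).
SAMPLES = ["www.example.com:8080", "192.0.2.10",
           "[2001:db8::1]:443", "2001:db8::1:443"]

if __name__ == "__main__":
    for s in SAMPLES:
        try:
            print("%-22s naive=%r parsed=%r" % (s, naive_split(s), split_hostport(s)))
        except ValueError as exc:
            print("%-22s naive=%r rejected: %s" % (s, naive_split(s), exc))
    # Two spellings of one address must compare equal once normalised.
    print(canonical("2001:0DB8:0000:0000:0000:0000:0000:0001") == canonical("2001:db8::1"))
```

The same address has many textual spellings in IPv6, so access-control lists, caches and log correlation should compare the normalised form rather than the string as received.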