1. Issues of SAAG(ing?) Interest in the USGIPv6 V1.0 Profile
   Doug Montgomery and Sheila Frankel, NIST / Information Technology Laboratory

2. Topics Addressed
   - What are we talking about?
     - USG IPv6 Profile and Testing Program
   - Why are we doing this?
   - What have we done?
   - What do we think it means?
   - What general issues remain?
   - Issues of potential SAAG interest.
   - How can you help?
     - Submit your comments … in writing!
3. USG Policy Drivers
   - OMB - Policy M-05-22 & FAQ
     - All Agencies – Plan for IPv6 adoption. Deploy & use “IPv6 capable/compliant” products in “core” networks by June 2008.
       - Requires agencies to “ensure orderly and secure transition”
       - FAQ: “Agencies should verify … capability through testing … are required to maintain security during and after adoption …”
     - NIST – “The National Institute for Standards and Technology (NIST) will develop, as necessary, a standard to address IPv6 compliance for the Federal government.”
     - OMB & GSA – “Additionally, as necessary, the General Services Administration and the Federal Acquisition Regulation Council will develop a suitable FAR amendment for use by all agencies.”
   - FAR Case 2005-041, Internet Protocol Version 6 (IPv6)
     - “OMB further requires, to the maximum extent practicable, all new IT procurements include IPv6 capable products and systems.”
   - DoD Policy for Enterprise-wide Deployment of IPv6

4. DRAFT USGIPv6-V1.0
   - Status / Plans
   - Circulated for USG IPv6WG Review – 2006-12-22
   - USG comments resolved and circulated for public comment – 2007-2-1.
     - 30 day public comment period ended March 3rd.
     - ~500 comments from ~50 sources.
   - Public comments resolved and final document to be published ASAP.
     - ~ March.
   - Issue plans for the development of a testing program.
     - ~ March
     - More on this later …
5. USGIPv6-V1 Overview
   - Scope and Application
     - Recommendation from NIST – but in isolation is policy free.
       - Applicable to “non classified Federal IT systems”.
     - Strategic planning document to guide acquisition of IPv6 technologies for operational deployments.
       - Other uses/time-frames are cautioned.
     - Defines a minimal low bar of capabilities to:
       - Deliver expected functionality
       - Ensure interoperability
       - Enable secure operation
       - Protect early investments
     - Technical basis for further refinement and other uses:
       - Agency / mission specific technical requirements.
         - Everything that is not mentioned is optional.
       - Agency / USG acquisition / deployment policies.
   - Defines “USGIPv6-V1 Compliant” hosts, routers, NPDs.
     - Provides technical basis for product testing and certification program.

6. Relationship to Other Efforts
   - Support OMB/GSA policies
     - Provide a basis through which OMB and GSA can further refine emerging acquisition and deployment policies.
       - Avoid policy confusion – allow policy sources to define “USG IPv6 Capable” and FAR in terms of our profile.
       - Fill in the technical pieces necessary to support these policies and their time frames.
         - E.g., provide interim specification of Network Protection Devices (firewalls and IDS systems) vital to ensure the security of Federal IT systems under the OMB deployment strategy.
   - Leverage DoD / IETF / Industry Efforts
     - DISR, IETF Node Requirements, IPv6Ready, NSA, ICSA profiles and testing programs carefully analyzed.
     - USGv6V1.0 is a synthesis / intersection of these efforts mixed with USG specific requirements.
     - Long term goal is to get to a point where a distinct USG profile / testing program is unnecessary.
7. What the Profile Defines
   - Sub profiles for 3 types of devices
     - 3. Host Profile
     - 4. Router Profile
     - 5. Network Protection Device Profile
   - 12 Functional Categories of Capabilities
     - 6.1 Base
     - 6.2 Routing
     - 6.3 Quality of Service
     - 6.4 Transition
     - 6.5 Link Technology
     - 6.6 Addressing
     - 6.7 IPsec
     - 6.8 Application Environment
     - 6.9 Network Management
     - 6.10 Multicasting
     - 6.11 Mobility
     - 6.12 Network Protection Devices
       - 6.12.1 Source of requirements
       - 6.12.2 Common requirements for network protection devices
       - 6.12.3 Firewall requirements
       - 6.12.4 Intrusion detection and prevention system requirements

8. General Issues?
   - Development of Testing Program
     - Expect industry/USG meeting on the topic in May at NIST.
   - Linkages to USG Policies
     - Working with OMB / GSA to define linkages and time frames.
   - Final USGv6-V1 Profile
     - Resolve ~500 comments and publish.
     - Define profile use / maintenance cycles.

9. Issues of SAAG Interest?
   - General
     - Specsmanship
       - Detailed profiling of IETF normative requirements is challenging.
         - This issue is particularly acute in the IPsec area.
         - Poison pill technique?
     - Device profiles?
       - How many / what types of conformance classes of IPv6 implementations?
       - USGv6: Hosts, Routers, Network Protection Devices (NPDs)
       - IETF: Hosts, Routers
       - Why would we need more?
         - Allow some IPv6 devices to not implement IPsec, SNMP, DHCP.
         - Grandfather existing implementations …
       - Why did we need 3?

10. Issues of SAAG Interest?
   - General
     - Network Protection Device Profiles
       - Capability / behavior specifications for Firewalls, IDS/IPS systems.
       - Seeming void in the industry.
         - We would have loved to cite consensus standards.
         - We did consult “requirements” as we could find them (NSA, ICSA, etc).
       - Received Comment – “remove from USG profile and submit to the IETF”.
         - USG has operational deployment policies (June 2008) that can’t wait for this right now.
         - Not sure if the IETF considers NPD specifications within their scope.
11. Issues of SAAG Interest?
   - IPsec
     - (Requirement levels as used in the profile and in RFC 4305/4307: M = mandatory, M- = mandatory today but expected to be downgraded, S+ = should, expected to become mandatory, S = should, O = optional.)
     - Old or new IPsec/IKE? and when?
       - USGv6 Arch: Arch-v2/2401(M), Arch-v3/4301(S+)
       - USGv6 IKE: IKE-v1/2409(M), IKE-v2/4306(S+)
       - When can IPsec-v3/IKE-v2 be M?
       - When could IPsec-v2/IKE-v1 be M-?
     - AH mandated or optional?
       - USGv6: AH-v2/2402(O), AH-v3/4302(O).
       - Seems to be some disagreement in the industry about AH utility/advisability?
         - IETF: AH(O) in Arch-v3/4301, but AH(M) in Node-Reqs/4294.
         - Concerns about an unused / untested protocol, operational concerns.
         - Other protocols that require AH? (OSPFv3).

12. Issues of SAAG Interest?
   - IPsec
     - Algorithms:
       - USGv6 3DES-CBC(M):
         - IETF: (M-) for Crypt-ESP-AH/4305 and Crypt-IKEv2/4307.
       - USGv6 AES-CBC-128(M):
         - IETF: (S+) for Crypt-ESP-AH/4305 and Crypt-IKEv2/4307, (S) for Crypt-IKEv1/4109.
       - USGv6 Null-Auth(O):
         - IETF: (M) in Crypto-Algs-ESP-AH/4305, but (O) in draft-manral-ipsec-rfc4305-bis-errata-03.txt
       - USGv6 AES-GCM/AES-GMAC(O):
         - Need understanding of status in industry / DoD.
     - IKEv2
       - USGv6 NAT-T(M): but UDP encapsulation of ESP (UDP-encap/3948), which NAT traversal depends on to carry ESP through the NAT, is (O)?
       - USGv6 DPD/3706(O): Required/preferred for IKEv2? (RFC 3706 DPD is an IKEv1 mechanism; IKEv2 carries its own liveness check in the INFORMATIONAL exchange.)

13. Issues of SAAG Interest?
   - Base Protocol / Addressing:
     - SEND/CGA:
       - USGv6: SEND/3971(S+), CGA/3972(S+)
       - Consistent with DoD … but consistent with reality?
     - Privacy Addresses
       - USGv6: PA/3041(S)
       - Some hold that an IP address is Personally Identifying Information (PII); maybe privacy addresses will be universally mandated?
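To make the SEND/CGA item on slide 13 concrete, here is an added example (not from the NIST profile or from this deck) that generates and verifies an RFC 3972 Cryptographically Generated Address in Python. The public key bytes and the 2001:db8:1::/64 prefix are constructed stand-ins; a real node hashes its DER-encoded RSA SubjectPublicKeyInfo, and the CGA Parameters would also carry any extension fields, which are omitted here. The `taken` set is a stand-in for duplicate address detection. The Sec parameter is what makes the "consistent with reality?" question bite: each increment of Sec requires 16 more leading zero bits in Hash2, so finding a modifier costs roughly 2^16 times more SHA-1 work per level.

```python
"""RFC 3972 Cryptographically Generated Address (CGA) generation and verification.

Added illustration, not code from the USGv6 profile. The key and prefix below
are constructed stand-ins; extension fields of the CGA Parameters are omitted.
"""
import hashlib
import ipaddress
import os

# Constructed stand-in for the DER-encoded SubjectPublicKeyInfo a real node
# would hash (RFC 3972 requires an RSA key; these bytes are only test data).
DEMO_PUBLIC_KEY = b"demo-spki:" + bytes(range(128))
DEMO_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")  # documentation prefix
MAX_COLLISIONS = 2  # RFC 3972 s.4 step 8: give up after the third collision


def _subnet_prefix(prefix):
    """Leftmost 64 bits of the subnet prefix, as hashed in Hash1 and stored in CGA Parameters."""
    return prefix.network_address.packed[:8]


def _hash1(modifier, prefix, collision_count, pubkey):
    """Hash1 (s.4 step 5): SHA-1 over modifier | prefix | collision count | key, leftmost 64 bits."""
    data = modifier + _subnet_prefix(prefix) + bytes([collision_count]) + pubkey
    return hashlib.sha1(data).digest()[:8]


def _hash2(modifier, pubkey):
    """Hash2 (s.4 step 2): SHA-1 over modifier | 9 zero octets | key, leftmost 112 bits."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash2_ok(h2, sec):
    """The 16*Sec leftmost bits of Hash2 must be zero; Sec=0 imposes no condition."""
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def _interface_id(h1, sec):
    """Form the IID (s.4 step 6): bits 0-2 carry Sec, bits 6-7 (the u and g bits) are cleared."""
    iid = bytearray(h1)
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def generate_cga(prefix, pubkey, sec=0, modifier=None, taken=frozenset(), rng=os.urandom):
    """Return (address, modifier, collision_count) per RFC 3972 s.4.

    `taken` stands in for duplicate address detection: an address found in it
    counts as a collision and bumps the collision count (at most two retries).
    """
    if not 0 <= sec <= 7:
        raise ValueError("Sec is a 3-bit value")
    modifier = rng(16) if modifier is None else bytes(modifier)
    # Steps 2-3: brute-force a modifier whose Hash2 has 16*Sec leading zero bits.
    # Expected work is 2**(16*Sec) SHA-1 computations, which is why Sec>0 is costly.
    while not _hash2_ok(_hash2(modifier, pubkey), sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    # Steps 4-8: derive the IID, retrying with an incremented collision count on a duplicate.
    for collision_count in range(MAX_COLLISIONS + 1):
        iid = _interface_id(_hash1(modifier, prefix, collision_count, pubkey), sec)
        addr = ipaddress.IPv6Address(_subnet_prefix(prefix) + iid)
        if addr not in taken:
            return addr, modifier, collision_count
    raise RuntimeError("CGA generation failed after three address collisions")


def verify_cga(addr, prefix, pubkey, modifier, collision_count):
    """RFC 3972 s.5: check an address against its CGA Parameters; False on any mismatch."""
    packed = ipaddress.IPv6Address(str(addr)).packed
    if collision_count > MAX_COLLISIONS:                    # step 2
        return False
    if packed[:8] != _subnet_prefix(prefix):                # step 3
        return False
    sec = packed[8] >> 5                                    # step 4: Sec sits in IID bits 0-2
    h1 = _hash1(modifier, prefix, collision_count, pubkey)  # step 5
    # Step 6: compare Hash1 with the IID, ignoring bits 0-2 and the u/g bits.
    if h1[1:] != packed[9:] or (h1[0] & 0x1C) != (packed[8] & 0x1C):
        return False
    return _hash2_ok(_hash2(modifier, pubkey), sec)         # steps 7-8


if __name__ == "__main__":
    address, mod, count = generate_cga(DEMO_PREFIX, DEMO_PUBLIC_KEY, sec=1)
    print(address, mod.hex(), count)
    print("verifies with the right key:", verify_cga(address, DEMO_PREFIX, DEMO_PUBLIC_KEY, mod, count))
    print("verifies with a swapped key:", verify_cga(address, DEMO_PREFIX, b"\x00" + DEMO_PUBLIC_KEY, mod, count))
```

Running it with `sec=1` already takes tens of thousands of SHA-1 evaluations to find a modifier; `sec=2` takes about 2^32 and is impractical on a host CPU, which is the practical limit that SEND deployments run into. Verification, by contrast, is two SHA-1 calls regardless of Sec, and a forged key or an altered prefix fails at step 6.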
14. A Different View of Things …

15. … more terse view.

16. How Can You Help?
   - Submit comments on the draft USGIPv6 profile!
     - [email_address].
   - Participate in upcoming forums.
     - GSA/OMB “USG IPv6 industry day” – in planning.
     - NIST – IPv6 Testing Forum – in planning - ~May 4th @ NIST.
   - Encourage / Embrace User Group Participation
     - In industry profiles, testing plans, etc.