[ISN] The move on to IPv6
InfoSec News
isn at c4i.org
Fri Dec 17 03:24:45 EST 2004
http://www.computerworld.com/securitytopics/security/story/0,10801,98298,00.html
Opinion by Cody Christman
Verio
DECEMBER 16, 2004
COMPUTERWORLD
Despite the success of Internet Protocol Version 4 (IPv4), at the age
of 31, this current protocol is due for a significant technology
makeover.
The original design of IP wasn't intended for many of today's Internet
uses. The fathers of the Internet couldn't foresee today's typical
Wi-Fi Web surfer at the local coffee shop conducting a secure
transaction over a browser.
Most security precautions were ignored in the development of IPv4, and
they have continued to be a challenge for application developers since
then. The IPsec security protocol was an afterthought, and Network
Address Translation (NAT) -- which has been widely deployed to solve
the address-depletion problem and for perceived security benefits --
makes true end-to-end, secure applications difficult to deploy.
In IPv6, however, IPsec support is mandated, allowing devices to
securely authenticate remote nodes and encrypt communication with
them.
In addition, NAT is eliminated in IPv6, allowing all nodes to
communicate with one another using globally routable addresses. Since
IPv6 offers almost infinite address space, NAT isn't needed. This
brings back the end-to-end nature for which the Internet was designed
in the first place. Other features built into IPv6 help to augment
security, such as autoconfiguration, quality of service (QoS) and
mobility. These security features help to create a new business model
-- one of secure, end-to-end communications between almost any type
of device, fixed or mobile.
This is in contrast to today's IPv4 networks, where NAT generally
reduces communication to one-way (outbound), and encryption, when
available, is usually implemented on global address segments while LAN
segments remain unencrypted and unsecured.
The U.S. Department of Defense has embraced IPv6 for the
above-mentioned reasons. In June 2003, the DOD announced its plan to
complete transition to IPv6 by fiscal 2008, and as of Oct. 1, 2003,
all network assets developed, procured or acquired are to be
IPv6-capable.
The DOD concluded that IPv6 adoption is necessary to meet the agency's
requirements for mobility and end-to-end security. The DOD's IT budget
is the government's largest at $25 billion per year, giving an
enormous boost to network security and IPv6.
The DOD has adopted a net-centric technical vision. According to this
vision, future combat systems demand ubiquity (IPv6-centricity),
mobility and ad hoc networking and security. For example, from a
networking standpoint, the soldier is viewed as a site -- a network of
onboard systems providing integrated real-time data. Weapon firing and
supply data would be fed back to commanders as well as precise
position information.
Health information such as a soldier's heart rate, blood pressure and
temperature would also be relayed. The soldier could also receive
positioning data about friends and foes to increase situational
awareness and save lives. The data security (authentication and
encryption) requirements in this model are an obvious necessity.
Unlike today's military model of autonomous systems and a broadcast
information push, the net-centric vision relies on bidirectional,
end-to-end secure communications enabled by IPv6.
For businesses and consumers, there are an unforeseeable number of new
applications and devices that can be networked in a secure fashion.
IPv6 is already making an impact in the field of home networking,
including appliance management, multimedia entertainment and home
security. Such applications, especially home security tools, demand
end-to-end authentication and encryption. With IPv6, Digital
Subscriber Line and cable modem subscribers can set up home networks
and monitor and control devices securely from any remote location.
Wireless network cameras can be easily deployed to monitor a
residence, and electronic locks can be installed to remotely lock or
unlock doors.
Businesses will be able to leverage the security, mobility and QoS
features of IPv6. For example, the IP flow-label QoS feature built
directly into IPv6 will help improve the quality of encrypted voice
over IP calls. In addition, traveling salespeople can wirelessly
transfer information and documents safely from remote locations to
their headquarters, even while roaming through different Wi-Fi hot
spots.
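The two IPv6 properties the column leans on, mandated IPsec support and the flow label carried in the fixed header, can both be seen by decoding the 40-byte header. The following parser is an added example written for this page, not code from the article or from Verio; the sample packet header is constructed here from documentation addresses (2001:db8::/32), and the DSCP value 0xB8 (Expedited Forwarding) is chosen as a typical voice marking. It shows why the flow label helps encrypted voice: ESP (next header 50) hides the transport ports, but source, destination and flow label remain readable, so a router can still classify the flow.

```python
import ipaddress
import struct

# IPv6 next-header values used below (IANA protocol numbers).
NEXT_HEADER_NAMES = {
    0: "Hop-by-Hop", 6: "TCP", 17: "UDP", 41: "IPv6-in-IPv6",
    50: "ESP", 51: "AH", 58: "ICMPv6",
}
IPSEC_HEADERS = {50, 51}  # ESP and AH: the IPsec headers the article refers to


def build_ipv6_header(src, dst, next_header, flow_label=0, traffic_class=0,
                      payload_len=0, hop_limit=64):
    """Pack the 40-byte IPv6 fixed header (RFC 2460 layout).
    Used here only to construct sample input for the parser."""
    if not 0 <= flow_label < (1 << 20):
        raise ValueError("flow label is a 20-bit field")
    # First 32 bits: version (4) | traffic class (8) | flow label (20)
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | flow_label
    return struct.pack("!IHBB16s16s", first_word, payload_len, next_header,
                       hop_limit, ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(data):
    """Return the fixed-header fields as a dict.
    Raises ValueError for a truncated buffer or a non-IPv6 version nibble."""
    if len(data) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit, src, dst = \
        struct.unpack("!IHBB16s16s", data[:40])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": next_header,
        "next_header_name": NEXT_HEADER_NAMES.get(next_header, str(next_header)),
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        # True when the payload is IPsec-protected; ports are then not visible.
        "ipsec": next_header in IPSEC_HEADERS,
    }


def qos_key(data):
    """The 3-tuple a router can classify on without decrypting anything:
    (source, destination, flow label) all sit in the unencrypted header."""
    hdr = parse_ipv6_header(data)
    return hdr["src"], hdr["dst"], hdr["flow_label"]


# Constructed sample: the outer header of an ESP-protected voice packet.
# Not a capture; addresses are from the documentation range.
SAMPLE = build_ipv6_header("2001:db8:1::10", "2001:db8:2::20", next_header=50,
                           flow_label=0x3F5A1, traffic_class=0xB8, payload_len=172)

if __name__ == "__main__":
    for key, value in parse_ipv6_header(SAMPLE).items():
        print(f"{key:>17}: {value}")
    print("QoS classification key:", qos_key(SAMPLE))
```

The parser deliberately stops at the fixed header: with ESP in transport mode the UDP/RTP headers of the call are inside the encrypted payload, which is exactly the case where an IPv4 QoS scheme keyed on ports stops working and the IPv6 flow label does not.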
Some argue that IPv6 proponents use v4 address-depletion scare tactics
to promote the new protocol. Though address-space depletion is a real
issue, there are many other forces driving IPv6 deployment. True
end-to-end security, which is enabled by IPv6 but doesn't exist in
IPv4 as it's often implemented today, is the future of the Internet.
Time to get ready
Even if businesses don't have immediate plans to implement IPv6,
preparing for the inevitable transition now as opposed to later will
only decrease the burden on IT administrators. This process doesn't
have to be daunting if a thoughtful approach is taken. Plans should
accommodate an implementation spanning a maximum of three to four
years. When IPv6 gains momentum, migration to the new protocol will be
swift, and those who haven't planned ahead risk finding themselves at
a disadvantage.
Having plans in place will also simplify the auditing processes for
hardware, software (shrink-wrapped and internally developed) and
operating systems on IPv6 compatibility. As long as vendor-support
contracts have been maintained, this process shouldn't be too painful
or expensive. Most hardware will already be compliant, and software
and operating system upgrades can follow normal maintenance cycles
within the transition window.
If precautions aren't taken, the transition from IPv4 to IPv6 could be
cause for network security concerns. Without proper perimeter
security, hackers could use IPv6 to gain access to a LAN, which could
compromise both IPv6 and IPv4 network assets. Therefore, the same care
taken to write and implement an IPv4 security policy should be taken
with IPv6, even with all its benefits. Introducing IPv6 into a
network, like any other new protocol, requires that firewall
configurations and other security measures be well thought-out and
tested.
Finally, there are several IPv4/IPv6 interoperability mechanisms
available to businesses to assist in the transition. They fall into
three major categories: dual-stack, tunneling and translation.
A dual-stack transition is the generally preferred method when devices
are both IPv4- and IPv6-aware, allowing the two protocols to coexist
in the same network.
Tunneling techniques allow the transport of IPv6 traffic over an IPv4
infrastructure -- as much of the Internet is today.
The final interoperability method -- protocol translation -- may be
required in some instances, but is generally not recommended because
it's basically an IPv4/IPv6 NAT. The interoperability method or
combination of methods will depend on each business' environment and
network requirements. IPv6 offers several alternatives to choose from
that should suit any need. These tools, along with a well thought-out
and executed migration plan, will lead to a smooth transition to IPv6.
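The three transition categories above, and the earlier warning that IPv6 can reach a LAN past an IPv4-only perimeter, can be turned into a concrete inventory check: every address in a host inventory is either native (dual-stack), tunnelled (6to4, Teredo, ISATAP, all of which ride over IPv4 and so cross an IPv4 firewall as ordinary IPv4 traffic) or translated (IPv4-mapped or NAT64, the "IPv4/IPv6 NAT" the column advises against). This classifier and audit are an added example for this page, not Verio's or the author's code; the prefix values come from the respective RFCs, and the inventory is constructed from documentation and test-net addresses.

```python
import ipaddress

# Well-known prefixes from the IPv6 transition RFCs (not from the article).
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")      # RFC 3056: 6to4 tunnel addresses
TEREDO = ipaddress.IPv6Network("2001::/32")         # RFC 4380: Teredo tunnel addresses
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052: NAT64 well-known prefix
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
# RFC 5214: an ISATAP interface identifier is 0000:5efe:<IPv4>
# (or 0200:5efe:<IPv4> when the u/l bit is set).
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def classify(addr_str):
    """Return (category, detail); category is 'tunnel', 'translation' or 'native'."""
    addr = ipaddress.IPv6Address(addr_str)
    # Tunnel forms first: they overlap the global-unicast and link-local ranges.
    if addr.sixtofour is not None:
        return "tunnel", f"6to4; IPv4 endpoint {addr.sixtofour}"
    if addr.teredo is not None:
        server, client = addr.teredo
        return "tunnel", f"Teredo; server {server}, client {client}"
    if addr.packed[8:12] in ISATAP_IIDS:
        v4 = ipaddress.IPv4Address(addr.packed[12:16])
        return "tunnel", f"ISATAP; IPv4 endpoint {v4}"
    # Translation forms embed an IPv4 address for a NAT-like gateway to recover.
    if addr.ipv4_mapped is not None:
        return "translation", f"IPv4-mapped; IPv4 {addr.ipv4_mapped}"
    if addr in NAT64_WKP:
        v4 = ipaddress.IPv4Address(addr.packed[12:16])
        return "translation", f"NAT64 well-known prefix; IPv4 {v4}"
    # Everything else is native IPv6 as seen on a dual-stack host.
    if addr in LINK_LOCAL:
        return "native", "link-local"
    if addr in UNIQUE_LOCAL:
        return "native", "unique local"
    if addr in GLOBAL_UNICAST:
        return "native", "global unicast"
    return "native", "other"


def audit(records):
    """Count categories and list entries whose IPv6 reachability either rides
    over IPv4 (tunnel) or reintroduces NAT (translation). records: (host, addr)."""
    counts = {"tunnel": 0, "translation": 0, "native": 0}
    findings = []
    for host, addr_str in records:
        category, detail = classify(addr_str)
        counts[category] += 1
        if category == "tunnel":
            findings.append(f"{host}: {addr_str} is tunnelled IPv6 ({detail}); "
                            "the IPv4 perimeter sees only the outer IPv4 packet, "
                            "so an explicit IPv6 policy must apply on the host or tunnel endpoint")
        elif category == "translation":
            findings.append(f"{host}: {addr_str} relies on IPv4/IPv6 translation ({detail}); "
                            "end-to-end IPsec cannot traverse this gateway")
    return counts, findings


# Constructed host inventory for the example (documentation and test-net addresses only).
SAMPLE_INVENTORY = [
    ("fileserver", "2001:db8::1"),
    ("printer", "fd00::2"),
    ("laptop-7", "fe80::1"),
    ("laptop-7", "2002:c000:204::1"),
    ("laptop-9", "2001:0:4136:e378:8000:63bf:3fff:fdd2"),
    ("legacy-gw", "64:ff9b::c000:201"),
    ("workstation-3", "fe80::5efe:c000:201"),
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_INVENTORY)
    print(counts)
    for line in findings:
        print(line)
```

Running the audit on the sample inventory reports three native, three tunnelled and one translated address; the two laptops with 6to4 and Teredo addresses are the cases the column's perimeter warning is about, since their IPv6 connectivity exists whether or not the site firewall has any IPv6 rules.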
Cody Christman is director of product engineering at Verio Inc., an
Englewood, Colo.-based provider of Internet access, Web site hosting
and other network services.