HP Technology Forum, June 2009, Las Vegas
Produced in cooperation with:
HP Technology Forum & Expo 2009
© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
IPv6 for the Enterprise
John Rhoton
Distinguished Technologist, HP EDS CTO Office
June 2009
Agenda
• IPv6 Overview
• IPv6 Adoption
• IPv6 Opportunities
• IPv6 Risks/Threats
• IPv6 Preparation
Mysteries, Myths and Misconceptions
• What is IPv6?
• Great solution! What’s the problem?
• Why not just NAT?
• 中国, 日本, 대한민국, 臺灣, 新加坡, भारत, ราชอาณาจักรไทย
• ETA 2020
• What’s the business case?
• No worries – it will just happen automatically
What is IPv6?
• Internet Protocol (IP) is the network protocol that underpins the Internet
• IPv6 is version 6 of the Internet Protocol (IP)
• The current version (IPv4) was designed in the 1970s and standardized in 1981.
• IPv4 address space will eventually "run out". This will occur at a global level...
• IPv6 also solves many IPv4 problems, such as security, auto-configuration, and extensibility.
Need for IP address space
Aren’t 4’294’967’296 addresses enough?
• Uneven and inefficient distribution!!
• US-Centric
  − India has 3 Class B
  − HP has 2 Class A
• Emerging Service Providers
  − China Mobile has over 415 million subscribers
    • Subscriber growth: 2 million/month
  − Several operators have over 16 million
  − How can they all be simultaneously data-enabled?

Class   IP Address Pool
A       2^24 ~ 16’777’216
B       2^16 ~ 65’536
C       2^8 ~ 256

ARIN advised IPv6 migration – May 2007
The booming Internet
• Traditional Internet desktops
• Data-enabled mobile phones
• Consumer appliances
• Embedded systems
• Sensors
• RFID
IANA Pool Exhaustion
NAT Problems
• Overhead of unnecessary translation
• Protocol incompatibilities
  − E.g. IPsec
• Breaks peer-to-peer applications
  − Instant messaging
  − Interactive games
  − VoIP
  − Real-time collaboration and sharing
    • Netmeeting, BitTorrent, Groove
• Limits implementation of application servers
  − How far can you distribute your web-services?
  − Grid computing
Building work-arounds for everything NAT breaks is an unnecessary and inefficient effort!
Mobile IP
[Figure: Mobile IP diagram. Labels: Data Flow, Binding Update, Physical Movement, Mobile IP Tunnel, Foreign Network, Home Network, Mobile Node, Correspondent Node, Home Agent]
Additional Benefits
• Availability
  − Anycast reduces single points of failure
  − Removal of NAT
  − Authenticated access inhibits Denial of Service attacks
• Agility
  − Improved Host and Router Discovery
  − Flexible Renumbering and Autoconfiguration
• Better Traffic Flow
  − Efficient and Extensible IP datagram
  − Efficient Route Computation and Aggregation
  − Efficient IPv6 Header Compression
  − IP Header Flow Label to support quality of service
    • Even when all data is encrypted
Adoption: Where are we really?
[Figure: technology adoption curve. Segments: Innovators, Early Adopters, Early Majority, Late Majority, Laggards. Phases: Early Market, Bowling Alley, Tornado, Main Street. Plotted items: E-Business, Mobile Telephony, Internet, Wireless Data, IPv6, Mobile Applications, US DoD Mandate 2008]
IPv6 Adoption Curve
• 2008 Survey by BT:
• 2009 Lot of IPv6 planning going on at the corporate level
  http://www.indeed.com/q-ipv6-jobs.html
IPv6 Drivers
• Customers are driving the requirement
  − US Federal Government Procurement Mandate June 2008, issued by the Office of Management and Budget (OMB)
    • IPv6 support required for networked products – new purchases
  − Several governments have similar mandates (in Asia: Japan, China CNGI, Korea; EU)
  − 3GPP has mandated exclusive use of IPv6 for IMS (IP Multimedia Subsystems). Industry sectors such as Intelligent Transport Systems, digital video broadcasting and smart home consortia have all recommended the use (sometimes exclusive) of IPv6.
  − Convergence to ALL-IP (NGN (Next Generation Networks), FMC (Fixed to Mobile Convergence), Triple Play and Wireless), non-computer devices / embedded devices, sensors, building safety and security will all require IPv6 as network infrastructure.
• HP is taking an aggressive leadership stance on the IPv6 enablement dates
HP took an early Lead with IPv6
• 1993
  − HP helped define the IP Next Generation protocol in the IETF
• 1995
  − First Public HP IPv6 demos & experiments
• 1996
  − HP 6bone connection active
• 1999
  − HP Founding member of the IPv6 Forum
  − Jim Bound CTO and member of the Board of Directors of IPv6 Forum
  − Yanick Pouffary IPv6 Forum Fellow
• 2000
  − First HP IPv6-enabled server products
• 2001
  − HP launched industry leading IPv6 and Mobile IPv6 solution demos
• 2002
  − HP chairs North American IPv6 Task Force and is Technology Director.
  − NAv6TF influences White House U.S. Cyber Security Office to promote IPv6, leading to US DoD mandating the integration of IPv6 to be ready by Oct 2008 (June 2003)
  − HP IT launched a world wide IPv6 test bed
• 2003
  − Participating in North American IPv6 interoperability Network Pilot - Moonv6
  − HP helped define IPv6 ready logo
  − HP OpenView Network Node Manager IPv6 support
  − Internal HP IPv6 initiative
• 2004
  − NAv6TF works with White House Office of Management and Budget (OMB) leading to June 2005 OMB mandate
  − HP IPv6 servers acquire IPv6 ready logo
  − HP ProCurve IPv6 VLANs support
• 2005
  − HP was among the first printer companies to release an IPv6 product
  − NAv6TF works with OMB to produce OMB IPv6 transition guidance
• 2006
  − HP Printer first vendor on the US DoD IPv6 Approved Product list
  − HP StorageWorks Division provides a customer statement of support committing support of IPv6 per the US OMB mandate
• 2007
  − HP Network Automation (HPNA) (Opsware Network Automation System software)
    • IPv4 and IPv6 devices discovery
HP IPv6 support
• HP is implementing IPv6 support in stages with the goal of ensuring a smooth transition and deployment where IPv6-updated products can take advantage of IPv6, without impacting existing functionality.
• HP supports IPv6 across many of its product lines today.
• HP platforms support transition mechanisms and gateways to interoperate with IPv4.
• HP has already delivered IPv6 products across:
  − HP Business Critical Server and ProLiant platforms (HP-UX, Tru64 UNIX®, OpenVMS, NonStop Server, Linux, and Microsoft® Windows)
  − ProCurve high-end switches through its ProVision ASIC offers full support for IPv6 in hardware; ProCurve Switch series 8200, 6200, 5400 and 3500
  − HP Enterprise JetDirect and LaserJet printers
  − HP Business Technology Optimization Network Management Center platform and Opsware Network Automation System software, now called HP Network Automation (HPNA)
The Path to IPv6 in the Enterprise
• IPv6 Security
  − Network Monitoring and Management Infrastructure
• Mobility and Remote Access
• Isolated IPv6-oriented applications
• …
• …
• …
• …
• Mission-critical applications
Remote Access
• IPsec Tunnel
  − Dual-factor authentication
  − Full network access
• Reverse Proxies
  − Limited Application access
  − Application-specific authentication
• SSL/VPN
• IPsec Transport
Dedicated Networks
• Factory Automation
• Supply Chain Management
  − RFID
• Sensor networks (e.g. monitoring systems)
  − Require mobility, ad-hoc networking, security and a large number of simple devices
• VoIP/Multimedia services
  − Requires global access, multicast, QoS, mobility
• Partner Extranets
Beijing Olympics 2008
• Surveillance
• Sensors
• Lighting
Synergies between IPv6 and Cloud
• Massive scalability
  − Hierarchical internal address space of provider
  − Avoid connection brokers (ALG/NAT)
• No “need” for NAT
• Always connected user experience Mobile IPv6
• Customer connectivity
• “Easier” implementation
• Unified Communications
Return on Investment?
• Long-term
  − Greater efficiency
  − Better resilience
  − Facilitates new technologies
• Short-term
  − Increased costs
  − Little visible benefit
But there is another perspective …
Risk Management
• Data Risks
  − Valuable corporate resources exposed
    • In unmonitored networks
• Application Risks
  − Reliability in an IPv6 environment
• Financial Risks
  − Costs of gradual deployment versus
  − Sudden urgent response to unexpected event
Rogue Devices / Networks
• Unauthorized IPv6 devices
  − Windows Vista, Linux
• Unauthorized Networks
  − Internal tunnels
• Compromised Perimeter
  − External tunnels
• Monitoring
• Traffic Inspection
What you don’t know will hurt you
[Figure: network diagram. Labels: Public Internet, Private Network, Victim, Hijacked Computer, Intruder, Private LAN, Public Network]
Hacker Tools and Attacks
• IPv6-enhanced versions of old tools
  − Halfscan6, netcat6, NMAP, Ethereal, Snort, TCPDump
• 6to4DDos
• Relayers (can be misused for tunnels and redirects)
  − relay6, 6tunnel, nt6tunnel, asybo
• Attacks
  − 2003: W32.HLLW.Raleka
  − 2005: Troj/Legmir-AT
  − 2007: W32/Agent.EZM!tr.dldr
"Last year IPv6 didn't register in scale, but now it's emerging as a concern on the security side. Attackers are going to try it or use it as a transport mechanism for botnets. IPv6 has become a problem on the operational side."
Arbor Networks CTO Rob Malan
IPv6 Transition Exposure
• IPv6 is available
• IPv6 is in use
• IPv6 is on many private networks
• Corporate Security
  − does not monitor IPv6
• Corporate IT
  − is not familiar with IPv6
• This is irresponsible!
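An added example (not part of the original presentation) of the monitoring that the Rogue Devices / Networks and IPv6 Transition Exposure slides call for: it flags internal and external tunnels and unsanctioned IPv6 sources in flow records. The flow tuples, the 10.0.0.0/8 site range and the 2001:db8:10::/48 pilot prefix are constructed assumptions; Teredo (UDP 3544) is not named in the slides and is included as a second tunnel type.

```python
import ipaddress

IPV6_IN_IPV4 = 41             # IP protocol number used by 6to4 and configured tunnels
UDP, TEREDO_PORT = 17, 3544   # Teredo carries IPv6 inside UDP/3544

INTERNAL_V4 = [ipaddress.ip_network("10.0.0.0/8")]          # assumed site range
SANCTIONED_V6 = [ipaddress.ip_network("2001:db8:10::/48")]  # assumed pilot prefix

# Constructed flow records: (src, dst, ip_proto, dst_port)
FLOWS = [
    ("10.1.4.22", "10.9.0.7", 41, 0),
    ("10.1.4.23", "198.51.100.1", 41, 0),
    ("10.1.4.30", "198.51.100.2", 17, 3544),
    ("10.1.4.31", "10.2.0.53", 17, 53),
    ("2002:c633:6401::1", "2001:db8:10::5", 6, 443),
    ("2001:0:c633:6402::34ff:8efa", "2001:db8:10::5", 6, 80),
    ("2001:db8:10:1::25", "2001:db8:10::5", 6, 25),
    ("2001:db8:99::7", "2001:db8:10::5", 6, 22),
]

def _inside(addr, nets):
    return any(addr.version == n.version and addr in n for n in nets)

def classify(flow):
    """Return the findings (possibly none) for one flow record."""
    src, dst = (ipaddress.ip_address(a) for a in flow[:2])
    proto, dport = flow[2], flow[3]
    if src.version == 4:
        # Tunnel scope follows the slide: internal tunnel vs. external tunnel.
        scope = "internal" if _inside(dst, INTERNAL_V4) else "external"
        if proto == IPV6_IN_IPV4:
            return [scope + " tunnel: IPv6-in-IPv4 (protocol 41)"]
        if proto == UDP and dport == TEREDO_PORT:
            return [scope + " tunnel: Teredo (UDP 3544)"]
        return []
    if src.sixtofour is not None:     # 2002::/16 embeds the tunnel's IPv4 endpoint
        return ["6to4 source, IPv4 endpoint %s" % src.sixtofour]
    if src.teredo is not None:        # 2001::/32 embeds server and client IPv4
        return ["Teredo source, server %s client %s" % src.teredo]
    if not src.is_link_local and not _inside(src, SANCTIONED_V6):
        return ["native IPv6 from unsanctioned prefix"]
    return []

def report(flows):
    """Return (flow, finding) pairs for every flow that needs review."""
    return [(f, msg) for f in flows for msg in classify(f)]

if __name__ == "__main__":
    for flow, msg in report(FLOWS):
        print(flow[0], "->", flow[1], ":", msg)
```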
Application Impact
• Socket calls (see RFC 3493, RFC 3542)
• Are numeric IP addresses manipulated, stored or cached?
• Colon-separator used between hostnames and port numbers?
• Accept, parse or manipulate user-provided URLs or hostnames?
  − Might contain a numeric IPv6 address (see RFC 2732)
• Sequential enumeration of address space?
  − e.g. ping-sweep to scan a subnet
• Assumption that host or interface only has one IP address?
• Direct use of layered networking protocols (e.g. DHCP, ARP, DNS, RIP, OSPF…)?
• SNMP collection of IPv4/IPv6 data?
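An added example (not from the original slides) of the colon-separator and user-provided-hostname items above: an IPv4-era split beside a parser that accepts RFC 2732 bracketed IPv6 literals and returns addresses in canonical form for storing or caching. The function names are hypothetical and the sample inputs are constructed.

```python
import ipaddress

def split_hostport_naive(value):
    """IPv4-era habit: the first colon separates host from port."""
    host, _, port = value.partition(":")
    return host, port

def _port(text):
    """Validate a decimal port string and return it as an int."""
    if not (text.isascii() and text.isdigit()) or int(text) > 65535:
        raise ValueError("bad port: %r" % text)
    return int(text)

def split_hostport(value, default_port=None):
    """Split 'host', 'host:port', '[v6]' or '[v6]:port' into (host, port).

    IPv6 literals are returned in canonical compressed form so that stored
    or cached addresses compare equal regardless of how they were typed.
    """
    if value.startswith("["):                 # RFC 2732 bracketed literal
        end = value.find("]")
        if end == -1:
            raise ValueError("missing ']' in %r" % value)
        host = str(ipaddress.IPv6Address(value[1:end]))  # rejects non-IPv6 text
        rest = value[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError("junk after ']' in %r" % value)
        return host, _port(rest[1:])
    if value.count(":") > 1:                  # bare IPv6 literal cannot carry a port
        return str(ipaddress.IPv6Address(value)), default_port
    host, sep, port = value.partition(":")
    if not host:
        raise ValueError("empty host in %r" % value)
    return host, (_port(port) if sep else default_port)

if __name__ == "__main__":
    for sample in ("www.example.com:443", "[2001:db8::1]:8080"):
        print(sample, split_hostport_naive(sample), split_hostport(sample))
```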
Potential Triggers
• Large-scale security attack
• Technical impasse
• Address space shortage
• Service-provider transition
• New geographical market
• Government mandate
• Supplier/customer/partner requirement
Financial impact
• Investment protection
  − Write off new purchases?
• Purchasing criteria can include
  − Stated IPv6 support
  − IPv6 Logo certification
  − IPsec, Mobile IP, transition mechanisms …
• Ensure minimal training and awareness
• Accelerated deployment costs more than gradual adoption!
Phased Deployment
1. Audit
  − Discovery
  − Policy Enforcement
  − Network Monitoring
2. Enablement
  − Network Management
  − Connectivity
    • Internal-Internal
    • Internal-External
    • External-Internal
  − Application Enablement
3. Transition
Discovery
• Requirements
  − Security
  − Asset tracking
• Node discovery
  − Address space enumeration
  − Harvesting
  − Sniffing
• Router discovery
  − Topology mapping
Application audit/support
• Scan custom software
  − Checkv4.exe – Microsoft
  − IPv6finder
    • Open Source software, developed by HP
  − Sun’s socket scrubber
• Check with vendors for IPv6 support in commercial products
• Test in your own environment!
Preparation and Planning
IPv6 is inevitable. The key to success is timing.
• Prepare
  − Assess Security and Management requirements
  − Assess transition mechanisms
  − Train staff for roll-out and support
  − Procure only IPv6 compliant components
• Plan
  − Analyze the ROI
  − Identify suitable pilots / early adopters
    • Applications
    • User communities
  − Obtain IPv6 prefixes
  − Inventory custom applications
Summary
• IPv6 is about more than Address Space
• IPv6 adoption is beginning now
  − HP is a leader in IPv6
• IPv6 is still IP
  − New Network Security Model
  − End-to-end security
  − Improved Availability
• The market must begin to plan for IPv6 now
  − It is easy to enable IPv6 in a simple environment
• You can ignore IPv6 but that won’t stop it!
IPv6 FAQs
HP IPv6 Frequently Asked Questions
www.hp.com/network/ipv6
• What is IPv6?
• Why do I need IPv6 when IPv4 is working fine for me?
• What are the features and benefits of IPv6?
• Are there any alternatives to IPv6?
• What do I need to do to be ready for the future?
• What is the meaning of IP capable?
• How do I transition to IPv6?
• What is the HP history with IPv6?
IPv6 resources
• www.IPv6forum.com international IPv6 Forum
• www.ipv6ready.org IPv6 Forum IPv6 Ready Logo information
  − IPv6 Ready Logo white paper http://www.ipv6forum.com/dl/white/IPv6_Ready_Logo_White_Paper_Final.pdf
• www.nav6tf.org North America IPv6 task force
• www.eu.IPv6tf.org European IPv6 Task Force
• www.v6pc.jp/en/index.phtml Japan IPv6 Promotion council
• IPv6 Security Link: www.seanconvery.com/ipv6.html
• HP IPv6 Link: www.hp.com/network/ipv6
More information
• Presentation will be posted to:
  − http://www.slideshare.net/rhoton
• HP Resources
  − www.hp.com/network/ipv6
• Any other questions?
  − http://www.linkedin.com/in/rhoton