Produced in cooperation with: HP Technology Forum & Expo 2009

© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

IPv6 for the Enterprise

John Rhoton ([email protected])

Distinguished Technologist, HP EDS CTO Office

June 2009

Enterprise Preparation for IPv6


HP Technology Forum, June 2009, Las Vegas


Page 2: Enterprise Preparation for IPv6

Agenda

• IPv6 Overview
• IPv6 Adoption
• IPv6 Opportunities
• IPv6 Risks/Threats
• IPv6 Preparation


Page 4: Enterprise Preparation for IPv6

Mysteries, Myths and Misconceptions

• What is IPv6?
• Great solution! What’s the problem?
• Why not just NAT?
• 中国, 日本, 대한민국, 臺灣, 新加坡, भारत, ราชอาณาจักรไทย
• ETA 2020
• What’s the business case?
• No worries – it will just happen automatically


Page 5: Enterprise Preparation for IPv6


What is IPv6?

• Internet Protocol (IP) is the network protocol that underpins the Internet
• IPv6 is version 6 of the Internet Protocol (IP)
• The current version (IPv4) was designed in the 1970s and standardized in 1981.
• IPv4 address space will eventually "run out". This will occur at a global level...
• IPv6 also solves many problems of IPv4, such as security, auto-configuration, and extensibility.

Page 6: Enterprise Preparation for IPv6

Need for IP address space

Aren’t 4’294’967’296 addresses enough?

• Uneven and inefficient distribution!!
• US-Centric
  − India has 3 Class B
  − HP has 2 Class A
• Emerging Service Providers
  − China Mobile has over 415 million subscribers
    • Subscriber growth: 2 million/month
  − Several operators have over 16 million
  − How can they all be simultaneously data-enabled?

Class   IP Address Pool
A       2^24 ~ 16’777’216
B       2^16 ~ 65’536
C       2^8 ~ 256

ARIN advised IPv6 migration – May 2007

Page 7: Enterprise Preparation for IPv6

The booming Internet

• Traditional Internet desktops
• Data-enabled mobile phones
• Consumer appliances
• Embedded systems
• Sensors
• RFID

Page 8: Enterprise Preparation for IPv6

IANA Pool Exhaustion


Page 9: Enterprise Preparation for IPv6

NAT Problems

• Overhead of unnecessary translation
• Protocol incompatibilities
  − E.g. IPsec
• Breaks peer-to-peer applications
  − Instant messaging
  − Interactive games
  − VoIP
  − Real-time collaboration and sharing
    • Netmeeting, BitTorrent, Groove
• Limits implementation of application servers
  − How far can you distribute your web-services?
  − Grid computing

Building work-arounds for everything NAT breaks is an unnecessary and inefficient effort!


Page 11: Enterprise Preparation for IPv6

Mobile IP

[Figure: Mobile IP diagram. Labels: Mobile Node, Home Network, Home Agent, Foreign Network, Correspondent Node, Mobile IP Tunnel, Binding Update, Data Flow, Physical Movement]

Page 12: Enterprise Preparation for IPv6

Additional Benefits

• Availability
  − Anycast reduces single points of failure
  − Removal of NAT
  − Authenticated access inhibits Denial of Service attacks
• Agility
  − Improved Host and Router Discovery
  − Flexible Renumbering and Autoconfiguration
• Better Traffic Flow
  − Efficient and Extensible IP datagram
  − Efficient Route Computation and Aggregation
  − Efficient IPv6 Header Compression
  − IP Header Flow Label to support quality of service
    • Even when all data is encrypted


Page 14: Enterprise Preparation for IPv6

Adoption: Where are we really?

[Figure: technology adoption curve. Adopter groups: Innovators, Early Adopters, Early Majority, Late Majority, Laggards. Market phases: Early Market, Bowling Alley, Tornado, Main Street. Plotted items: E-Business, Mobile Telephony, Internet, Wireless Data, IPv6, Mobile Applications. Annotation: US DoD Mandate 2008]

Page 15: Enterprise Preparation for IPv6


IPv6 Adoption Curve

• 2008 Survey by BT:
• 2009 Lot of IPv6 planning going on at the corporate level

http://www.indeed.com/q-ipv6-jobs.html

Page 16: Enterprise Preparation for IPv6


IPv6 Drivers

• Customers are driving the requirement
  − US Federal Government Procurement Mandate June 2008, issued by the Office of Management and Budget (OMB)
    • IPv6 support required for networked products – new purchases
  − Several governments have similar mandates (in Asia (Japan, China CNGI, Korea), EU)
  − 3GPP has mandated exclusive use of IPv6 for IMS (IP Multimedia Subsystems). Industry sectors like Intelligent Transport Systems, Digital video broadcasting and smart home consortia have all recommended the use (sometimes exclusively) of IPv6.
  − Convergence to ALL-IP (NGN (Next Generation Networks), FMC (Fixed to Mobile Convergence), Triple Play and Wireless), non-computer devices / embedded devices, sensors, building safety and security will all require IPv6 as network infrastructure.
• HP is taking an aggressive leadership stance on the IPv6 enablement dates

Page 17: Enterprise Preparation for IPv6


HP took an early Lead with IPv6

• 1993
  − HP helped define the IP Next Generation protocol in the IETF
• 1995
  − First Public HP IPv6 demos & experiments
• 1996
  − HP 6bone connection active
• 1999
  − HP Founding member of the IPv6 Forum
  − Jim Bound CTO and member of the Board of Directors of IPv6 Forum
  − Yanick Pouffary IPv6 Forum Fellow
• 2000
  − First HP IPv6-enabled server products
• 2001
  − HP launched industry leading IPv6 and Mobile IPv6 solution demos
• 2002
  − HP chairs North American IPv6 Task Force and is Technology Director.
  − NAv6TF influences White House U.S. Cyber Security Office to promote IPv6 leading to US DoD mandating the integration of IPv6 to be ready by Oct 2008 (June 2003)
  − HP IT launched a world wide IPv6 test bed
• 2003
  − Participating in North American IPv6 interoperability Network Pilot - Moonv6
  − HP helped define IPv6 ready logo
  − HP OpenView Network Node Manager IPv6 support
  − Internal HP IPv6 initiative
• 2004
  − NAv6TF works with White House Office of Management (OMB) leading to June 2005 OMB mandate
  − HP IPv6 servers acquire IPv6 ready logo
  − HP ProCurve IPv6 VLANs support
• 2005
  − HP was among the first printer companies to release an IPv6 product
  − NAv6TF works with OMB to produce OMB IPv6 transition guidance
• 2006
  − HP Printer first vendor on the US DoD IPv6 Approved Product list
  − HP StorageWorks Division provides a customer statement of support committing support of IPv6 per the US OMB mandate
• 2007
  − HP Network Automation (HPNA) (Opsware Network Automation System software)
    • IPv4 and IPv6 devices discovery

Page 18: Enterprise Preparation for IPv6


HP IPv6 support

• HP is implementing IPv6 support in stages with the goal of ensuring a smooth transition and deployment where IPv6-updated products can take advantage of IPv6, without impacting existing functionality.
• HP supports IPv6 across many of its product lines today.
• HP platforms support transition mechanisms and gateways to interoperate with IPv4.
• HP has already delivered IPv6 products across:
  − HP Business Critical Server and ProLiant platforms (HP-UX, Tru64 UNIX®, OpenVMS, NonStop Server, Linux, and Microsoft® Windows)
  − ProCurve high-end switches through its ProVision ASIC offers full support for IPv6 in hardware; ProCurve Switch series 8200, 6200, 5400 and 3500
  − HP Enterprise JetDirect and LaserJet printers
  − HP Business Technology Optimization Network Management Center platform and Opsware Network Automation System software, now called HP Network Automation (HPNA)


Page 20: Enterprise Preparation for IPv6

The Path to IPv6 in the Enterprise

• IPv6 Security
  − Network Monitoring and Management Infrastructure
• Mobility and Remote Access
• Isolated IPv6-oriented applications
• …
• …
• …
• …
• Mission-critical applications

Page 21: Enterprise Preparation for IPv6

Remote Access

• IPsec Tunnel
  − Dual-factor authentication
  − Full network access
• Reverse Proxies
  − Limited Application access
  − Application-specific authentication
• SSL/VPN
• IPsec Transport

Page 22: Enterprise Preparation for IPv6

Dedicated Networks

• Factory Automation
• Supply Chain Management
  − RFID
• Sensor networks (e.g. monitoring systems)
  − Require mobility, ad-hoc networking, security and a large number of simple devices
• VoIP/Multimedia services
  − Requires global access, multicast, QoS, mobility
• Partner Extranets


Page 23: Enterprise Preparation for IPv6

Beijing Olympics 2008


• Surveillance
• Sensors
• Lighting

Page 24: Enterprise Preparation for IPv6

Synergies between IPv6 and Cloud

• Massive scalability
  − Hierarchical internal address space of provider
  − Avoid connection brokers (ALG/NAT)
• No “need” for NAT
• Always connected user experience Mobile IPv6
• Customer connectivity
• “Easier” implementation
• Unified Communications



Page 26: Enterprise Preparation for IPv6

Return on Investment?

• Long-term
  − Greater efficiency
  − Better resilience
  − Facilitates new technologies
• Short-term
  − Increased costs
  − Little visible benefit


But there is another perspective …

Page 27: Enterprise Preparation for IPv6

Risk Management

• Data Risks
  − Valuable corporate resources exposed
    • In unmonitored networks
• Application Risks
  − Reliability in an IPv6 environment
• Financial Risks
  − Costs of gradual deployment versus
  − Sudden urgent response to unexpected event


Page 28: Enterprise Preparation for IPv6

Rogue Devices / Networks

• Unauthorized IPv6 devices
  − Windows Vista, Linux
• Unauthorized Networks
  − Internal tunnels
• Compromised Perimeter
  − External tunnels
• Monitoring
• Traffic Inspection

What you don’t know will hurt you

[Figure: network diagram. Labels: Public Internet, Private Network, Victim, Hijacked Computer, Intruder, Private LAN, Public Network]

Page 29: Enterprise Preparation for IPv6

Hacker Tools and Attacks

• IPv6-enhanced versions of old tools
  − Halfscan6, netcat6, NMAP, Ethereal, Snort, TCPDump
• 6to4DDos
• Relayers (can be misused for tunnels and redirects)
  − relay6, 6tunnel, nt6tunnel, asybo
• Attacks
  − 2003: W32.HLLW.Raleka
  − 2005: Troj/Legmir-AT
  − 2007: W32/Agent.EZM!tr.dldr

"Last year IPv6 didn't register in scale, but now it's emerging as a concern on the security side. Attackers are going to try it or use it as a transport mechanism for botnets. IPv6 has become a problem on the operational side."

Arbor Networks CTO Rob Malan

Page 30: Enterprise Preparation for IPv6

IPv6 Transition Exposure

• IPv6 is available
• IPv6 is in use
• IPv6 is on many private networks
• Corporate Security
  − does not monitor IPv6
• Corporate IT
  − is not familiar with IPv6
• This is irresponsible!
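A monitoring sketch for the internal and external tunnels named on the Rogue Devices slide and the unmonitored IPv6 described above; it is an added example, not part of the original presentation. The flow-record layout, the sample flows, the use of RFC 1918 ranges as "the private network" and the Teredo check (a tunnel mechanism the slides do not name) are assumptions.

```python
import ipaddress

# Assumption: RFC 1918 space stands in for "the private network".
PRIVATE_V4 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)
TEREDO = ipaddress.ip_network("2001::/32")       # Teredo prefix (RFC 4380)

def _inside(addr):
    return any(addr in net for net in PRIVATE_V4)

def classify_flow(src, dst, proto, dport=None):
    """Return a finding for one flow record, or None for plain IPv4."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4 and d.version == 4:
        scope = "internal" if _inside(s) and _inside(d) else "external"
        if proto == 41:  # IPv4 protocol 41 = encapsulated IPv6 packet
            return scope + " tunnel: IPv6-in-IPv4 (protocol 41)"
        if proto == 17 and dport == 3544:  # Teredo carries IPv6 inside UDP
            return scope + " tunnel: Teredo (UDP 3544)"
        return None
    # IPv6 on the wire: name the transition mechanism if the prefix shows one.
    for addr in (s, d):
        if addr.version == 6 and addr in SIX_TO_FOUR:
            return "6to4 address in use: %s" % addr
        if addr.version == 6 and addr in TEREDO:
            return "Teredo address in use: %s" % addr
    return "native IPv6 traffic"

def audit(flows):
    """Return (flow, finding) pairs for every flow that produced a finding."""
    findings = []
    for flow in flows:
        result = classify_flow(*flow)
        if result is not None:
            findings.append((flow, result))
    return findings

# Constructed flow records: (src, dst, IP protocol number, destination port).
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.9.8.7", 41, None),           # tunnel between two inside hosts
    ("10.1.2.3", "198.51.100.20", 41, None),      # tunnel leaving the perimeter
    ("192.168.5.5", "203.0.113.9", 17, 3544),     # Teredo client to outside server
    ("10.1.2.3", "10.1.2.4", 6, 443),             # ordinary IPv4 HTTPS
    ("2002:c633:6414::1", "2001:db8::5", 6, 80),  # host using a 6to4 address
    ("fe80::1", "ff02::1", 58, None),             # link-local ICMPv6
]

if __name__ == "__main__":
    for flow, finding in audit(SAMPLE_FLOWS):
        print(flow, "->", finding)
```

On a network that has not yet sanctioned IPv6, every finding is worth a look; once IPv6 is deployed deliberately, the "native IPv6 traffic" result would be filtered against the approved prefixes.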

Page 31: Enterprise Preparation for IPv6

Application Impact

• Socket calls (see RFC 3493, RFC 3542)
• Are numeric IP addresses manipulated, stored or cached?
• Colon-separator used between hostnames and port numbers?
• Accept, parse or manipulate user-provided URLs or hostnames?
  − Might contain a numeric IPv6 address (see RFC 2732)
• Sequential enumeration of address space?
  − e.g. ping-sweep to scan a subnet
• Assumption that host or interface only has one IP address?
• Direct use of layered networking protocols (e.g. DHCP, ARP, DNS, RIP, OSPF…)?
• SNMP collection of IPv4/IPv6 data?
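The colon-separator and user-provided-hostname questions above, worked as an added example that is not part of the original presentation: a host/port splitter that accepts the bracketed literals of RFC 2732, next to the first-colon split that IPv4-era code often uses. The function names and sample inputs are constructed for illustration.

```python
import ipaddress

def naive_split(value):
    """The IPv4-era habit: everything before the first colon is the host."""
    host, _, port = value.partition(":")
    return host, port

def _port(text):
    if not text.isdigit() or not 0 < int(text) <= 65535:
        raise ValueError("bad port %r" % text)
    return int(text)

def split_hostport(value, default_port=None):
    """Split 'host', 'host:port', 'v6', '[v6]' or '[v6]:port' into (host, port).

    An unbracketed string with two or more colons is treated as one bare
    IPv6 literal and never split, because its last group could be a port
    or part of the address. Invalid input raises ValueError.
    """
    value = value.strip()
    if value.startswith("["):
        # RFC 2732 form: the literal runs up to the closing bracket.
        end = value.find("]")
        if end == -1:
            raise ValueError("missing ']' in %r" % value)
        host, rest = value[1:end], value[end + 1:]
        ipaddress.IPv6Address(host)  # only IPv6 literals may be bracketed
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError("unexpected text after ']' in %r" % value)
        return host, _port(rest[1:])
    colons = value.count(":")
    if colons == 0:
        return value, default_port
    if colons == 1:
        host, port = value.split(":")
        if not host:
            raise ValueError("empty host in %r" % value)
        return host, _port(port)
    ipaddress.IPv6Address(value)  # raises ValueError if not a valid literal
    return value, default_port

# Constructed inputs using documentation addresses (2001:db8::/32, 192.0.2.0/24).
if __name__ == "__main__":
    for s in ("www.example.com:443", "192.0.2.10", "[2001:db8::1]:8080",
              "2001:db8::1:8080"):
        print("%-22s naive=%r  fixed=%r" % (s, naive_split(s), split_hostport(s)))
```

The last sample is the case an application audit should look for: `2001:db8::1:8080` is itself a valid address, so only the bracketed form can carry a port unambiguously.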


Page 32: Enterprise Preparation for IPv6

Potential Triggers

• Large-scale security attack
• Technical impasse
• Address space shortage
• Service-provider transition
• New geographical market
• Government mandate
• Supplier/customer/partner requirement


Page 33: Enterprise Preparation for IPv6

Financial impact

• Investment protection
  − Write off new purchases?
• Purchasing criteria can include
  − Stated IPv6 support
  − IPv6 Logo certification
  − IPsec, Mobile IP, transition mechanisms …
• Ensure minimal training and awareness
• Accelerated deployment costs more than gradual adoption!



Page 35: Enterprise Preparation for IPv6

Phased Deployment

1. Audit
  − Discovery
  − Policy Enforcement
  − Network Monitoring
2. Enablement
  − Network Management
  − Connectivity
    • Internal-Internal
    • Internal-External
    • External-Internal
  − Application Enablement
3. Transition


Page 36: Enterprise Preparation for IPv6

Discovery

• Requirements
  − Security
  − Asset tracking
• Node discovery
  − Address space enumeration
  − Harvesting
  − Sniffing
• Router discovery
  − Topology mapping


Page 37: Enterprise Preparation for IPv6


Application audit/support

• Scan custom software
  − Checkv4.exe – Microsoft
  − IPv6finder
    • Open Source software, developed by HP
  − Sun’s socket scrubber
• Check with vendors for IPv6 support in commercial products
• Test in your own environment!

Page 38: Enterprise Preparation for IPv6

Preparation and Planning

IPv6 is inevitable. The key to success is timing.

• Prepare
  − Assess Security and Management requirements
  − Assess transition mechanisms
  − Train staff for roll-out and support
  − Procure only IPv6 compliant components
• Plan
  − Analyze the ROI
  − Identify suitable pilots / early adopters
    • Applications
    • User communities
  − Obtain IPv6 prefixes
  − Inventory custom applications

Page 39: Enterprise Preparation for IPv6

Summary

• IPv6 is about more than Address Space
• IPv6 adoption is beginning now
  − HP is a leader in IPv6
• IPv6 is still IP
  − New Network Security Model
  − End-to-end security
  − Improved Availability
• The market must begin to plan for IPv6 now
  − It is easy to enable IPv6 in a simple environment
• You can ignore IPv6 but that won’t stop it!

Page 40: Enterprise Preparation for IPv6


IPv6 FAQs

HP IPv6 Frequently Asked Questions

• What is IPv6?
• Why do I need IPv6 when IPv4 is working fine for me?
• What are the features and benefits of IPv6?
• Are there any alternatives to IPv6?
• What do I need to do to be ready for the future?
• What is the meaning of IP capable?
• How do I transition to IPv6?
• What is the HP history with IPv6?

www.hp.com/network/ipv6

Page 41: Enterprise Preparation for IPv6


IPv6 resources

• www.IPv6forum.com international IPv6 Forum
• www.ipv6ready.org IPv6 Forum IPv6 Ready Logo information
  − IPv6 Ready Logo white paper http://www.ipv6forum.com/dl/white/IPv6_Ready_Logo_White_Paper_Final.pdf
• www.nav6tf.org North America IPv6 task force
• www.eu.IPv6tf.org European IPv6 Task Force
• www.v6pc.jp/en/index.phtml Japan IPv6 Promotion council
• IPv6 Security Link: www.seanconvery.com/ipv6.html
• HP IPv6 Link: www.hp.com/network/ipv6

Page 42: Enterprise Preparation for IPv6

More information

• Presentation will be posted to:
  − http://www.slideshare.net/rhoton
• HP Resources
  − www.hp.com/network/ipv6
• Any other questions?
  − http://www.linkedin.com/in/rhoton