IPv6 for the Enterprise

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Produced in cooperation with: HP Technology Forum & Expo 2008 IPv6 for the Enterprise John Rhoton ([email protected]) Distinguished Technologist June 2008

Upload: john-rhoton

Post on 16-Apr-2017


TRANSCRIPT

Page 1: IPv6 for the Enterprise

IPv6 for the Enterprise

John Rhoton ([email protected])
Distinguished Technologist
June 2008

HP Technology Forum & Expo 2008

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Produced in cooperation with: HP Technology Forum & Expo 2008

Page 2: IPv6 for the Enterprise

Agenda
• IPv6 Overview
• IPv6 Adoption
• IPv6 Opportunities
• IPv6 Risks/Threats
• IPv6 Preparation

1595 State of IPv6 Inside HP, Industry and Government
1710 Getting Started with IPv6
1631 Enterprise Preparation for IPv6
1598 IPv6 and Applications Porting – Hands on
1751 Challenges in Managing IPv6 Networks

Page 3: IPv6 for the Enterprise

Agenda
• IPv6 Overview
• IPv6 Adoption
• IPv6 Opportunities
• IPv6 Risks/Threats
• IPv6 Preparation

Page 4: IPv6 for the Enterprise

Mysteries, Myths and Misconceptions
• What is IPv6?
• Great solution! What’s the problem?
• Why not just NAT?
• 中国, 日本, 대한민국, 臺灣, 新加坡, भारत, ราชอาณาจักรไทย
• ETA 2020
• What’s the business case?
• No worries – it will just happen automatically

Page 5: IPv6 for the Enterprise

What is IPv6?
• Internet Protocol (IP) is the network protocol that underpins the Internet
• IPv6 is version 6 of the Internet Protocol (IP)
• The current version (IPv4) was designed in the 1970s and standardized in 1981.
• IPv4 address space will eventually "run out". This will occur at a global level...
• IPv6 also solves many IPv4 problems, such as security, auto-configuration, and extensibility.

Page 6: IPv6 for the Enterprise

Need for IP address space
Aren’t 4’294’967’296 addresses enough?
• Uneven and inefficient distribution!!
• US-Centric
  − India has 3 Class B
  − HP has 2 Class A
• Emerging Service Providers
  − China Mobile has over 380 million subscribers
    • Subscriber growth: 2 million/month
  − Several operators have over 16 million
  − How can they all be simultaneously data-enabled?

Class   IP Address Pool
A       2^24 ~ 16’777’216
B       2^16 ~ 65’536
C       2^8 ~ 256

ARIN advised IPv6 migration – May 2007

Page 7: IPv6 for the Enterprise

The booming Internet
• Traditional Internet desktops
• Data-enabled mobile phones
• Consumer appliances
• Embedded systems
• Sensors
• RFID

Page 8: IPv6 for the Enterprise

NAT Problems
• Overhead of unnecessary translation
• Protocol incompatibilities
  − E.g. IPsec
• Breaks peer-to-peer applications
  − Instant messaging
  − Interactive games
  − VoIP
  − Real-time collaboration and sharing
    • Netmeeting, BitTorrent, Groove
• Limits implementation of application servers
  − How far can you distribute your web-services?
  − Grid computing

Building work-arounds for everything NAT breaks is an unnecessary and inefficient effort!

Page 9: IPv6 for the Enterprise

Mobile IP

[Diagram: Mobile IP. Labels: Mobile Node, Home Agent, Correspondent Node, Home Network, Foreign Network, Mobile IP Tunnel, Binding Update, Data Flow, Physical Movement]

Page 10: IPv6 for the Enterprise

Additional Benefits
• Availability
  − Anycast reduces single points of failure
  − Removal of NAT
  − Authenticated access inhibits Denial of Service attacks
• Agility
  − Improved Host and Router Discovery
  − Flexible Renumbering and Autoconfiguration
• Better Traffic Flow
  − Efficient and Extensible IP datagram
  − Efficient Route Computation and Aggregation
  − Efficient IPv6 Header Compression
  − IP Header Flow Label to support quality of service
    • Even when all data is encrypted

Page 11: IPv6 for the Enterprise

Agenda
• IPv6 Overview
• IPv6 Adoption
• IPv6 Opportunities
• IPv6 Risks/Threats
• IPv6 Preparation

Page 12: IPv6 for the Enterprise

Adoption: Where are we really?

[Chart: technology adoption life cycle. Adopter groups: Innovators, Early Adopters, Early Majority, Late Majority, Laggards. Market phases: Early Market, Bowling Alley, Tornado, Main Street. Items plotted: E-Business, Mobile Telephony, Internet, Wireless, Data, IPv6, Mobile Applications. Annotation: US DoD Mandate 2008]

Page 13: IPv6 for the Enterprise

IPv6 Drivers
• Customers are driving the requirement
  − US Federal Government Procurement Mandate June 2008, issued by the Office of Management and Budget (OMB)
    • IPv6 support required for networked products – new purchases
  − Several governments have similar mandates (in Asia (Japan, China CNGI, Korea) and the EU)
  − 3GPP has mandated exclusive use of IPv6 for IMS (IP Multimedia Subsystems). Industry sectors such as Intelligent Transport Systems, digital video broadcasting and smart home consortia have all recommended the use (sometimes exclusive) of IPv6.
  − Convergence to ALL-IP (NGN (Next Generation Networks), FMC (Fixed to Mobile Convergence), Triple Play and Wireless), non-computer and embedded devices, sensors, and building safety and security will all require IPv6 as network infrastructure.
• HP is taking an aggressive leadership stance on the IPv6 enablement dates

Page 14: IPv6 for the Enterprise

HP took an early Lead with IPv6
• 1993
  − HP helped define the IP Next Generation protocol in the IETF
• 1995
  − First Public HP IPv6 demos & experiments
• 1996
  − HP 6bone connection active
• 1999
  − HP Founding member of the IPv6 Forum
  − Jim Bound CTO and member of the Board of Directors of IPv6 Forum
  − Yanick Pouffary IPv6 Forum Fellow
• 2000
  − First HP IPv6-enabled server products
• 2001
  − HP launched industry leading IPv6 and Mobile IPv6 solution demos
• 2002
  − HP chairs North American IPv6 Task Force and is Technology Director.
  − NAv6TF influences White House U.S. Cyber Security Office to promote IPv6, leading to US DoD mandating the integration of IPv6 to be ready by Oct 2008 (June 2003)
  − HP IT launched a worldwide IPv6 test bed
• 2003
  − Participating in North American IPv6 interoperability Network Pilot - Moonv6
  − HP helped define IPv6 ready logo
  − HP OpenView Network Node Manager IPv6 support
  − Internal HP IPv6 initiative
• 2004
  − NAv6TF works with White House Office of Management (OMB) leading to June 2005 OMB mandate
  − HP IPv6 servers acquire IPv6 ready logo
  − HP ProCurve IPv6 VLANs support
• 2005
  − HP was among the first printer companies to release an IPv6 product
  − NAv6TF works with OMB to produce OMB IPv6 transition guidance
• 2006
  − HP Printer first vendor on the US DoD IPv6 Approved Product list
  − HP StorageWorks Division provides a customer statement of support committing support of IPv6 per the US OMB mandate
• 2007
  − HP Network Automation (HPNA) (Opsware Network Automation System software)
    • IPv4 and IPv6 devices discovery

1595: State of IPv6 inside HP, Industry and Government

Page 15: IPv6 for the Enterprise

HP IPv6 support
• HP is implementing IPv6 support in stages with the goal of ensuring a smooth transition and deployment where IPv6-updated products can take advantage of IPv6, without impacting existing functionality.
• HP supports IPv6 across many of its product lines today.
• HP platforms support transition mechanisms and gateways to interoperate with IPv4.
• HP has already delivered IPv6 products across:
  − HP Business Critical Server and ProLiant platforms (HP-UX, Tru64 UNIX®, OpenVMS, NonStop Server, Linux, and Microsoft® Windows)
  − ProCurve high-end switches through its ProVision ASIC offers full support for IPv6 in hardware; ProCurve Switch series 8200, 6200, 5400 and 3500
  − HP Enterprise JetDirect and LaserJet printers
  − HP Business Technology Optimization Network Management Center platform and Opsware Network Automation System software, now called HP Network Automation (HPNA)

Page 16: IPv6 for the Enterprise

Agenda
• IPv6 Overview
• IPv6 Adoption
• IPv6 Opportunities
• IPv6 Risks/Threats
• IPv6 Preparation

Page 17: IPv6 for the Enterprise

The Path to IPv6 in the Enterprise
• IPv6 Security
  − Network Monitoring and Management Infrastructure
• Mobility and Remote Access
• Isolated IPv6-oriented applications
• …
• …
• …
• …
• Mission-critical applications

Page 18: IPv6 for the Enterprise

Remote Access
• IPsec Tunnel
  − Dual-factor authentication
  − Full network access
• Reverse Proxies
  − Limited Application access
  − Application-specific authentication
• SSL/VPN
• IPsec Transport

Page 19: IPv6 for the Enterprise

Dedicated Networks
• Factory Automation
• Supply Chain Management
  − RFID
• Sensor networks (e.g. monitoring systems)
  − Require mobility, ad-hoc networking, security and a large number of simple devices
• VoIP/Multimedia services
  − Requires global access, multicast, QoS, mobility
• Partner Extranets

Page 20: IPv6 for the Enterprise

Agenda
• IPv6 Overview
• IPv6 Adoption
• IPv6 Opportunities
• IPv6 Risks/Threats
• IPv6 Preparation

Page 21: IPv6 for the Enterprise

Return on Investment?
• Long-term
  − Greater efficiency
  − Better resilience
  − Facilitates new technologies
• Short-term
  − Increased costs
  − Little visible benefit

But there is another perspective …

Page 22: IPv6 for the Enterprise

Risk Management
• Data Risks
  − Valuable corporate resources exposed
    • In unmonitored networks
• Application Risks
  − Reliability in an IPv6 environment
• Financial Risks
  − Costs of gradual deployment versus
  − Sudden urgent response to unexpected event

Page 23: IPv6 for the Enterprise

Rogue Devices / Networks
• Unauthorized IPv6 devices
  − Windows Vista, Linux
• Unauthorized Networks
  − Internal tunnels
• Compromised Perimeter
  − External tunnels
• Monitoring
• Traffic Inspection

What you don’t know will hurt you

[Diagram labels: Public Internet, Public Network, Private Network, Private LAN, Intruder, Hijacked Computer, Victim]
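The monitoring and traffic-inspection bullets above, as an added example that is not part of the original deck: a check that flags IPv6 carried inside IPv4 packets, which is how internal and external tunnels cross an IPv4-only perimeter. The protocol number 41, the 2002::/16 6to4 prefix and the Teredo UDP port 3544 come from the relevant standards, not from the slides; the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6 = 17, 41   # 41: IPv6 carried directly in IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544               # Teredo: IPv6 over UDP over IPv4

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (checksum 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def ipv6_header(src, dst):
    """Build a bare 40-byte IPv6 header (next header 59: no payload)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def classify(packet):
    """Label IPv6 tunnelled inside one raw IPv4 packet, or return None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    proto, body = packet[9], packet[ihl:]
    if proto == PROTO_IPV6:
        if len(body) < 40 or body[0] >> 4 != 6:
            return "proto-41-malformed"
        # 2002::/16 as inner source or destination marks 6to4.
        if b"\x20\x02" in (body[8:10], body[24:26]):
            return "6to4"
        return "ipv6-in-ipv4"
    if proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo-candidate"   # port match only: a heuristic
    return None

def audit(packets):
    """Return (index, label) for every packet carrying tunnelled IPv6."""
    hits = ((i, classify(p)) for i, p in enumerate(packets))
    return [hit for hit in hits if hit[1] is not None]

# Constructed sample capture (private and documentation address ranges).
SAMPLES = [
    ipv4(6, "10.1.1.5", "10.1.1.9", b"\x00" * 20),   # ordinary TCP, not flagged
    ipv4(PROTO_IPV6, "10.1.1.5", "192.0.2.1", ipv6_header("2001:db8::5", "2001:db8::1")),
    ipv4(PROTO_IPV6, "10.1.1.7", "192.0.2.9", ipv6_header("2002:a01:107::1", "2001:db8::1")),
    ipv4(PROTO_UDP, "10.1.1.8", "198.51.100.7", struct.pack("!HHHH", 50000, 3544, 8, 0)),
]
```

Running `audit(SAMPLES)` flags the last three packets and leaves the plain TCP packet alone.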

Page 24: IPv6 for the Enterprise

Hacker Tools
• IPv6-enhanced versions of old tools
  − halfscan6
  − netcat6
  − NMAP
  − Ethereal
  − Snort
  − TCPDump
• 6to4DDos
• Relayers (can be misused for tunnels and redirects)
  − relay6, 6tunnel, nt6tunnel, asybo

http://seclists.org/lists/honeypots/2002/Oct-Dec/0105.html
http://project.honeynet.org/scans/scan25/sol/NCSU/main.html

Page 25: IPv6 for the Enterprise

IPv6 Transition Exposure
• IPv6 is available
• IPv6 is in use
• IPv6 is on many private networks
• Corporate Security
  − does not monitor IPv6
• Corporate IT
  − is not familiar with IPv6
• This is irresponsible!

Page 26: IPv6 for the Enterprise

Application Impact
• Socket calls (see RFC 3493, RFC 3542)
• Are numeric IP addresses manipulated, stored or cached?
• Colon-separator used between hostnames and port numbers?
• Accept, parse or manipulate user-provided URLs or hostnames?
  − Might contain a numeric IPv6 address (see RFC 2732)
• Sequential enumeration of address space?
  − e.g. ping-sweep to scan a subnet
• Assumption that host or interface only has one IP address?
• Direct use of layered networking protocols (e.g. DHCP, ARP, DNS, RIP, OSPF…)?
• SNMP collection of IPv4/IPv6 data?

1598: IPv6 and Applications Porting – Hands on
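The colon-separator and user-provided-hostname questions above, as an added example that is not part of the original deck: an IPv4-era split on the first colon next to a parser that accepts the bracketed IPv6 literals of RFC 2732. The function names and sample endpoints are constructed for illustration.

```python
import ipaddress

def naive_split(endpoint):
    """IPv4-era parsing: everything after the first colon is the port."""
    host, _, port = endpoint.partition(":")
    return host, port

def split_hostport(endpoint, default_port=None):
    """Split 'host[:port]' where host is a name, an IPv4 literal, or an
    IPv6 literal (bracketed when a port follows). Returns (host, port)."""
    if endpoint.startswith("["):
        end = endpoint.find("]")
        if end == -1:
            raise ValueError("unterminated '[' in %r" % endpoint)
        host, rest = endpoint[1:end], endpoint[end + 1:]
        ipaddress.IPv6Address(host)          # ValueError if not an IPv6 literal
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError("unexpected text after ']' in %r" % endpoint)
        port = rest[1:]
    elif endpoint.count(":") > 1:
        # Unbracketed IPv6 literal: a trailing port would be ambiguous,
        # so the whole string must be the address.
        ipaddress.IPv6Address(endpoint)
        return endpoint, default_port
    else:
        host, sep, port = endpoint.partition(":")
        if not sep:
            return host, default_port
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad port in %r" % endpoint)
    return host, int(port)

if __name__ == "__main__":
    # Constructed sample endpoints.
    for ep in ("www.example.com:80", "192.0.2.10", "[2001:db8::1]:8443", "2001:db8::1"):
        print("%-22s naive=%-28r fixed=%r" % (ep, naive_split(ep), split_hostport(ep, 443)))
```

The naive version returns `('[2001', 'db8::1]:8443')` for the bracketed endpoint, which is the kind of silent mis-parse an application audit should look for in stored or cached address strings.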

Page 27: IPv6 for the Enterprise

Potential Triggers
• Large-scale security attack
• Technical impasse
• Address space shortage
• Service-provider transition
• New geographical market
• Government mandate
• Supplier/customer/partner requirement

Page 28: IPv6 for the Enterprise

Financial impact
• Investment protection
  − Write off new purchases?
• Purchasing criteria can include
  − Stated IPv6 support
  − IPv6 Logo certification
  − IPsec, Mobile IP, transition mechanisms …
• Ensure minimal training and awareness
• Accelerated deployment costs more than gradual adoption!

Page 29: IPv6 for the Enterprise

Agenda
• IPv6 Overview
• IPv6 Adoption
• IPv6 Opportunities
• IPv6 Risks/Threats
• IPv6 Preparation

Page 30: IPv6 for the Enterprise

Phased Deployment
1. Audit
  − Discovery
  − Policy Enforcement
  − Network Monitoring
2. Enablement
  − Network Management
  − Connectivity
    • Internal-Internal
    • Internal-External
    • External-Internal
  − Application Enablement
3. Transition

Page 31: IPv6 for the Enterprise

Discovery
• Requirements
  − Security
  − Asset tracking
• Node discovery
  − Address space enumeration
  − Harvesting
  − Sniffing
• Router discovery
  − Topology mapping

1751: Challenges in Managing IPv6 Networks

Page 32: IPv6 for the Enterprise

Application audit/support
• Scan custom software
  − Checkv4.exe – Microsoft
  − IPv6finder
    • Open Source software, developed by HP
  − Sun’s socket scrubber
• Check with vendors for IPv6 support in commercial products
• Test in your own environment!

1598: IPv6 and Applications Porting – Hands on

Page 33: IPv6 for the Enterprise

Getting started with IPv6
• Windows XP, 2003, Mobile: Included but requires activation
  − New dual-stack in Vista, Windows Server 2008
• Linux: Included and activated in recent kernels/distributions
• HP-UX / Tru64 / OpenVMS / NSK: Include advanced IPv6 functionality
• Access Points / Hubs / Switches: Most relay IPv6 without problems
• Works over wireless (e.g. 802.11b) and wired connections
• IPv6 autoconfigures IP addresses
• Trivial to set up on a LAN
  − 30 minutes

1710: Getting Started with IPv6

Page 34: IPv6 for the Enterprise

Preparation and Planning
IPv6 is inevitable. The key to success is timing.
• Prepare
  − Assess Security and Management requirements
  − Assess transition mechanisms
  − Train staff for roll-out and support
  − Procure only IPv6 compliant components
• Plan
  − Analyze the ROI
  − Identify suitable pilots / early adopters
    • Applications
    • User communities
  − Obtain IPv6 prefixes
  − Inventory custom applications

Page 35: IPv6 for the Enterprise

Summary
• IPv6 is about more than Address Space
• IPv6 adoption is beginning now
  − HP is a leader in IPv6
• IPv6 is still IP
  − New Network Security Model
  − End-to-end security
  − Improved Availability
• The market must begin to plan for IPv6 now
  − It is easy to enable IPv6 in a simple environment
• You can ignore IPv6 but that won’t stop it!

Page 36: IPv6 for the Enterprise

IPv6 at HP Technology Forum
• We have put together a series of sessions covering the IPv6 topic:
  − 1595 State of IPv6 Inside HP, Industry and Government
  − 1710 Getting Started with IPv6
  − 1631 Enterprise Preparation for IPv6
  − 1598 IPv6 and Applications Porting – Hands on
  − 1751 Challenges in Managing IPv6 Networks

Page 37: IPv6 for the Enterprise

IPv6 FAQs

HP IPv6 Frequently Asked Questions
• What is IPv6?
• Why do I need IPv6 when IPv4 is working fine for me?
• What are the features and benefits of IPv6?
• Are there any alternatives to IPv6?
• What do I need to do to be ready for the future?
• What is the meaning of IP capable?
• How do I transition to IPv6?
• What is the HP history with IPv6?

www.hp.com/network/ipv6

Page 38: IPv6 for the Enterprise

IPv6 resources
• www.IPv6forum.com international IPv6 Forum
• www.ipv6ready.org IPv6 Forum IPv6 Ready Logo information
  − IPv6 Ready Logo white paper: http://www.ipv6forum.com/dl/white/IPv6_Ready_Logo_White_Paper_Final.pdf
• www.nav6tf.org North America IPv6 task force
• www.eu.IPv6tf.org European IPv6 Task Force
• www.v6pc.jp/en/index.phtml Japan IPv6 Promotion council
• IPv6 Security Link: www.seanconvery.com/ipv6.html
• HP IPv6 Link: www.hp.com/network/ipv6

Other questions: [email protected]