http://www.computerworld.com/securitytopics/security/story/0,10801,98298,00.html

Opinion by Cody Christman, Verio
DECEMBER 16, 2004
COMPUTERWORLD

Despite the success of Internet Protocol Version 4 (IPv4), at the age of 31, this current protocol is due for a significant technology makeover. The original design of IP wasn't intended for many of today's Internet uses. The fathers of the Internet couldn't foresee today's typical Wi-Fi Web surfer at the local coffee shop conducting a secure transaction over a browser.

Most security precautions were ignored in the development of IPv4, and they have continued to be a challenge for application developers since then. The IPsec security protocol was an afterthought, and Network Address Translation (NAT) -- which has been widely deployed to solve the address-depletion problem and for perceived security benefits -- makes true end-to-end, secure applications difficult to deploy.

In IPv6, however, IPsec support is mandated, allowing devices to securely authenticate remote nodes and encrypt communication with them. In addition, NAT is eliminated in IPv6, allowing all nodes to communicate with one another using globally routable addresses. Since IPv6 offers almost infinite address space, NAT isn't needed. This brings back the end-to-end nature for which the Internet was designed in the first place.

Other features built into IPv6 help to augment security, such as autoconfiguration, quality of service (QoS) and mobility. These security features help to create a new business model -- one of secure, end-to-end communications between almost any type of device, fixed or mobile. This is in contrast to today's IPv4 networks, where NAT generally reduces communication to one-way (outbound), and encryption, when available, is usually implemented on global address segments while LAN segments remain unencrypted and unsecured.

The U.S. Department of Defense has embraced IPv6 for the above-mentioned reasons.
In June 2003, the DOD announced its plan to complete transition to IPv6 by fiscal 2008, and as of Oct. 1, 2003, all network assets developed, procured or acquired are to be IPv6-capable. The DOD concluded that IPv6 adoption is necessary to meet the agency's requirements for mobility and end-to-end security. The DOD's IT budget is the government's largest at $25 billion per year, giving an enormous boost to network security and IPv6.

The DOD has adopted a net-centric technical vision. According to this vision, future combat systems demand ubiquity (IPv6-centricity), mobility and ad hoc networking and security. For example, from a networking standpoint, the soldier is viewed as a site -- a network of onboard systems providing integrated real-time data. Weapon firing and supply data would be fed back to commanders as well as precise position information. Health information such as a soldier's heart rate, blood pressure and temperature would also be relayed. The soldier could also receive positioning data about friends and foes to increase situational awareness and save lives. The data security (authentication and encryption) requirements in this model are an obvious necessity. Unlike today's military model of autonomous systems and a broadcast information push, the net-centric vision relies on bidirectional, end-to-end secure communications enabled by IPv6.

For businesses and consumers, there are an unforeseeable number of new applications and devices that can be networked in a secure fashion. IPv6 is already making an impact in the field of home networking, including appliance management, multimedia entertainment and home security. Such applications, especially home security tools, demand end-to-end authentication and encryption. With IPv6, Digital Subscriber Line and cable modem subscribers can set up home networks and monitor and control devices securely from any remote location.
Wireless network cameras can be easily deployed to monitor a residence, and electronic locks can be installed to remotely lock or unlock doors.

Businesses will be able to leverage the security, mobility and QoS features of IPv6. For example, the IP flow-label QoS feature built directly into IPv6 will help improve the quality of encrypted voice over IP calls. In addition, traveling salespeople can wirelessly transfer information and documents safely from remote locations to their headquarters, even while roaming through different Wi-Fi hot spots.

Some argue that IPv6 proponents use v4 address-depletion scare tactics to promote the new protocol. Though address-space depletion is a real issue, there are many other forces driving IPv6 deployment. True end-to-end security, which is enabled by IPv6 but doesn't exist in IPv4 as it's often implemented today, is the future of the Internet.

Time to get ready

Even if businesses don't have immediate plans to implement IPv6, preparing for the inevitable transition now as opposed to later will only decrease the burden on IT administrators. This process doesn't have to be daunting if a thoughtful approach is taken. Plans should accommodate an implementation spanning a maximum of three to four years. When IPv6 gains momentum, migration to the new protocol will be swift, and those who haven't planned ahead risk finding themselves at a disadvantage.

Having plans in place will also simplify the auditing processes for hardware, software (shrink-wrapped and internally developed) and operating systems on IPv6 compatibility. As long as vendor-support contracts have been maintained, this process shouldn't be too painful or expensive. Most hardware will already be compliant, and software and operating system upgrades can follow normal maintenance cycles within the transition window.

If precautions aren't taken, the transition from IPv4 to IPv6 could be cause for network security concerns.
Without proper perimeter security, hackers could use IPv6 to gain access to a LAN, which could compromise both IPv6 and IPv4 network assets. Therefore, the same care taken to write and implement an IPv4 security policy should be taken with IPv6, even with all its benefits. Introducing IPv6 into a network, like any other new protocol, requires that firewall configurations and other security measures be well thought-out and tested.

Finally, there are several IPv4/IPv6 interoperability mechanisms available to businesses to assist in the transition. They fall into three major categories: dual-stack, tunneling and translation. A dual-stack transition is the generally preferred method when devices are both IPv4- and IPv6-aware, allowing the two protocols to coexist in the same network. Tunneling techniques allow the transport of IPv6 traffic over an IPv4 infrastructure -- as much of the Internet is today. The final interoperability method -- protocol translation -- may be required in some instances, but is generally not recommended because it's basically an IPv4/IPv6 NAT.

The interoperability method or combination of methods will depend on each business's environment and network requirements. IPv6 offers several alternatives to choose from that should suit any need. These tools, along with a well thought-out and executed migration plan, will lead to a smooth transition to IPv6.

Cody Christman is director of product engineering at Verio Inc., an Englewood, Colo.-based provider of Internet access, Web site hosting and other network services.
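The perimeter-security and tunneling points above, as an added example that is not part of the article or Verio's material: a small Python model of an inbound filter that applies one rule ("no unsolicited TCP from outside into the LAN") to both IP families, and shows why an IPv4-only filter lets the same TCP segment through when it arrives inside a 6in4 (IP protocol 41) tunnel. All addresses, prefixes and packets are constructed from documentation ranges, and the parser handles only the minimal headers it builds.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_IPV6 = 6, 41          # IANA protocol numbers; 41 = IPv6 carried inside IPv4 (6in4)
LAN_V4 = ipaddress.ip_network("192.0.2.0/24")   # constructed LAN prefixes (documentation ranges)
LAN_V6 = ipaddress.ip_network("2001:db8:1::/48")

def build_ipv4(proto, src, dst, payload=b""):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(next_hdr, src, dst, payload=b""):
    """Minimal 40-byte fixed IPv6 header plus payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def inbound_policy(proto, dst, lan):
    """One rule for both families: no unsolicited TCP from outside into the LAN."""
    return "deny" if proto == IPPROTO_TCP and dst in lan else "allow"

def perimeter_verdict(pkt, inspect_tunnels):
    """Filter an inbound IPv4 frame. With inspect_tunnels=True a protocol-41 frame is
    unwrapped and the IPv6 policy is applied to the inner header; otherwise it is
    judged only by its outer IPv4 header, which is all an IPv4-only filter sees."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, dst = pkt[9], ipaddress.IPv4Address(pkt[16:20])
    if proto != IPPROTO_IPV6 or not inspect_tunnels:
        return inbound_policy(proto, dst, LAN_V4)
    inner = pkt[ihl:]
    inner_proto, inner_dst = inner[6], ipaddress.IPv6Address(inner[24:40])
    return inbound_policy(inner_proto, inner_dst, LAN_V6)

# Constructed samples: a direct TCP segment toward a LAN host, and the same kind of
# TCP segment delivered to a LAN IPv6 address through a 6in4 tunnel. Both come from
# an outside IPv4 address and carry a 20-byte placeholder transport header.
DIRECT = build_ipv4(IPPROTO_TCP, "203.0.113.5", "192.0.2.10", b"\x00" * 20)
TUNNELED = build_ipv4(IPPROTO_IPV6, "203.0.113.5", "192.0.2.10",
                      build_ipv6(IPPROTO_TCP, "2001:db8:2::1", "2001:db8:1::10", b"\x00" * 20))

if __name__ == "__main__":
    for name, pkt in (("direct", DIRECT), ("tunneled", TUNNELED)):
        print(f"{name:9} ipv4-only filter: {perimeter_verdict(pkt, False):5}  "
              f"dual-stack filter: {perimeter_verdict(pkt, True)}")
```

The tunneled segment is allowed by the IPv4-only view and denied once the inner IPv6 header is evaluated against the same policy, which is the gap the article's advice about testing firewall configurations for IPv6 is meant to close.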
This archive was generated by hypermail 2.1.3 : Fri Dec 17 2004 - 01:25:50 PST