
IPv6 and IPsec in the Enterprise Today
Pages: 1, 2, 3

Tulloch: Which parts of the world are experiencing the most growth in IPv6 deployments? Why?

Dixon: Asian countries have the greatest deployment and growth of deployment now because of three factors: strong government support for transition, many more people going online, and a rapid adoption of wireless and small network devices in their online population (cellphones, PDAs, VoIP phones, gaming consoles). Japan, South Korea, Taiwan, and China are the ones heavily on board with IPv6 for all types of networking. I would expect the growth of IPv6 to approximate the growth of online users, but it will be even greater as IPv4 services in Asian countries convert. Based on figures from Internet World Stats, Asia has 3.6 billion total population, and Europe and North America have about 1.1 billion combined. If Asia continues a 200% increase in online users in the next five years, it will have 40% of its population online, 1.47 billion people, about 500 million more than Europe and North America combined (896 million).

I made several assumptions in that calculation and it could be wrong. It would be better to measure devices online rather than people, for example. But you can see that IPv6 growth will be more significant in Asia for many reasons. I would expect them to be using only IPv6-capable products. So in many cases they would not want to pay the cost of providing legacy IPv4 connectivity to what will be an increasingly small fraction of users. As I mentioned earlier, new allocations simply won't be available for new networks they deploy. So IPv4 service, if available, would go through multiple layers of NAT and consequently have numerous application compatibility issues.

Tulloch: What difficulties are companies finding in moving from IPv4 to IPv6? How are they overcoming these difficulties?

Dixon: There is the initial learning curve required to adopt a new networking technology. We might think that IPv6 deployment in Europe and North America would be strong as IPv4 providers add IPv6 service. The IPv6 prefix allocations in Europe and North American registries seem to indicate this. However, it is hard to define a business model where you make more money for essentially the same service (end-user connectivity). An October 2005 presentation by the Cooperative Association for Internet Data Analysis (CAIDA) reported that many major internet service providers in North America and Europe may not have the financial resources necessary for investment in infrastructure to push IPv6 to the consumer (see this PDF).

If this is true, then small companies will start using IPv6 internally, and configure 6-to-4 gateways with a firewall to the IPv4 internet service provider. For getting ISP-routed IPv6 service, it seems industry partnerships will be needed to help ISPs fund the network investment. This would be based on easily marketable new applications that require IPv6, like efficient multicast music or video streaming and peer-to-peer video chat.

Tulloch: Can you point administrators thinking of planning IPv6 deployments to any good resources, online or otherwise?

Dixon: I have found two books to be incredibly useful:

Otherwise, Microsoft provides a ton of free guides, for example how to set up a test lab, how to assess application compatibility, etc.

Tulloch: What about IPsec usage in the enterprise? There seems to be a solid move afoot to use IPsec to secure internal traffic on enterprise networks as opposed to traditional VPN remote-access uses. Why this shift in thinking?

Dixon: Two things are happening. First, it's a realization that servers on the internal IPv4 network need to have much higher protections against network attacks. IT security professionals are using IPv4 IPsec to help meet Sarbanes-Oxley, HIPAA, FISMA, and other regulatory compliance requirements that mandate tighter controls and auditing for access to data. Server hardening and firewalls just don't reduce the attack surface sufficiently because reconnaissance and attacks are directed at ports that must be accessible for required applications and services. So by using IPsec (for IPv4 or IPv6), only trusted client machines are allowed TCP/IP network access to the server. IPsec adds a whole new layer of defense, mutually authenticated machine trust, to normal user authentication. Further, it strongly protects every packet against man-in-the-middle attacks. This dramatically reduces the potential sources from which an attack can reach the applications on the server. This function of IPsec performs only authentication and authorization of traffic. It doesn't have to encrypt the traffic unless you require encryption. You can even extend the idea of protecting the server to protecting all clients as well. Thus only trusted machines can gain network access to other trusted machines. You can even define a specific group of client machines and authorize only that group of machines for access to a specific server. Clients and servers can have dynamic IP addresses. So IPsec is serving as a simple host firewall: only IPsec authentication is used to allow trusted machines inbound access through the firewall. For the highest level of control over host access, you would use an IPsec policy in combination with a host firewall policy.

Second, IT admins are realizing that IPv4 IPsec is already available in their Windows 2000 and later platforms. So there is no additional client license cost. And it is fairly easy to use. By that I mean, administrators centrally manage IPsec configurations (called policies) in Active Directory, and assign it using normal Group Policy; it authenticates using Windows domain trust (Kerberos, and works cross-forest), many types of PKI certificates, or a preshared key; and it is transparent to the applications, and works over the existing IPv4 network. If you are encrypting traffic then affordable client and server IPsec acceleration network cards are available, such as the Intel Pro 100 S adapter family.

The best case study is Microsoft deploying IPsec to 210,000 domain members to protect these machines from about 100,000 non-domain internal systems, visitors, attackers, and potential breaches in perimeter security. Windows IPsec transport mode is capable of being used through PPTP or L2TP/IPsec VPN tunnels as well as over 802.1x authenticated network connections for both wireless and wired. Sometimes people want to choose between 802.1x or IPsec. But they do different things. IPsec protects access to the internal host and each packet end-to-end in ways defined for that host and application traffic. While 802.1x is great for controlling access to the internal network, not all buildings have 802.1x-capable switches. And 802.1x controls don't protect against authenticated machines and users (e.g. a worm or malicious user) attacking internal systems. So host-based IPsec gives them a way to tightly lock down access to sensitive data servers, encrypt if necessary, audit host access, and require machines to be members of their managed domains.
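The server-side policy Dixon describes (machine-authenticated IPsec with integrity only, combined with a host firewall rule that admits a single authorized group) looks like this with the Windows NetSecurity cmdlets. This is an added example, not part of the interview and not Microsoft's own deployment configuration; it uses the modern cmdlets (Windows 8 / Server 2012 and later) rather than the netsh syntax of the Windows 2000/XP era, and the group name, the SMB port and the use of Get-ADGroup are assumptions.

```powershell
# Added example: "IPsec-authorized host access" for a file server, run on the
# server (or against a GPO via -PolicyStore). All names below are placeholders.

# 1. Main mode authentication: machine Kerberos, i.e. Windows domain trust,
#    so only domain-member machines can even negotiate an SA with this host.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "Machine Kerberos" `
    -Proposal $authProposal

# 2. Quick mode: ESP with integrity only. Authentication and authorization of
#    traffic do not need encryption, which keeps the policy cheap on the wire
#    and leaves the packets visible to network monitoring.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -ESPHash SHA256 -Encryption None
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "ESP integrity only" `
    -Proposal $qmProposal

# 3. Connection security rule: inbound SMB must be IPsec-protected; outbound
#    only requests it so the server can still talk to unmanaged hosts.
New-NetIPsecRule -DisplayName "Require IPsec for SMB" `
    -Protocol TCP -LocalPort 445 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name

# 4. Host firewall rule: allow TCP/445 only from peers that authenticated via
#    IPsec AND whose machine account is in the assumed group. The firewall rule
#    is the authorization step; the IPsec rule above is the authentication step.
#    Get-ADGroup needs the ActiveDirectory module; any SID source will do.
$groupSid = (Get-ADGroup "FileServer-AuthorizedClients").SID.Value  # assumed group
$sddl = "D:(A;;CC;;;$groupSid)"   # SDDL DACL: allow that SID
New-NetFirewallRule -DisplayName "SMB from authorized IPsec clients only" `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
    -Authentication Required -RemoteMachine $sddl
```

A client that is not a domain member never completes main mode and is dropped before the firewall rule is consulted; a domain member outside the group authenticates but is refused by the SDDL check, and both outcomes are visible in the Windows Filtering Platform audit events if IPsec auditing is enabled.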
