
IPv6 Migration Issues: Transition Techniques, Security and Cost Estimation

ALTTC BSNL

Agenda

1. Introduction
2. Transition Techniques
3. Security issues
4. Cost Estimation
5. Transition cost and penetration curve
6. Theoretical consideration
7. Summary

Introduction

IPv4:
◦ in use for almost 30 years
◦ has supported the Internet's growth over the last decade.

An IPv6 based network would be technically superior to an IPv4 based network.

The increased IPv6 address space and its header structure:
◦ will enable the development of new applications,
◦ will be more secure,
◦ ease mobility and renumbering,
◦ restore end-to-end connectivity,
◦ are more efficient and will provide other benefits.

Transition Mechanism

No fixed day to convert; no need to convert all at once.

Transition Options:
◦ Dual Stack
◦ IPv6-IPv4 Tunnel
◦ IPv6-IPv4 Translation

[Figure: the three options. Dual stack: a host stack of Application / TCP/UDP / IPv4 and IPv6 / Driver. Tunnel: two IPv6 networks joined by a tunnel across an IPv4 network. Translation: an IPv4 network and an IPv6 network joined by a translator.]

Transition Mechanism: 6/4 Dual Stack Hosts and Network

All end hosts and intermediate network devices (routers, switches, modems, etc.) have both IPv4 and IPv6 addresses and protocol stacks.

If both end stations support IPv6, they communicate using IPv6; otherwise they communicate using IPv4.

This allows IPv4 and IPv6 to coexist, so a gradual transition from IPv4 to IPv6 can happen.

Transition Mechanism: Tunneling IP6 via IP4

IPv6 packets are encapsulated in IPv4 packets for transport over an IPv4-only network. This allows IPv6-only end stations to communicate across IPv4-only networks.
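As an added illustration of the tunnel mechanism (this is not code from the original deck), the following Python builds and validates 6in4 packets: the IPv6 packet is carried as the payload of an IPv4 packet with protocol number 41, and the decapsulating side checks header length, checksum and protocol number before trusting the inner packet. The addresses and the sample IPv6 packet are constructed for the demo.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41  # IANA protocol number "IPv6 encapsulation", used by 6in4 tunnels

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791); returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate_6in4(ipv6_packet: bytes, src4: str, dst4: str, ttl: int = 64) -> bytes:
    """Wrap a complete IPv6 packet in a minimal IPv4 header carrying protocol 41."""
    if len(ipv6_packet) < 40 or ipv6_packet[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0,
                      ttl, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(src4).packed,
                      ipaddress.IPv4Address(dst4).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill checksum
    return hdr + ipv6_packet

def decapsulate_6in4(ipv4_packet: bytes):
    """Return (tunnel src, tunnel dst, inner IPv6 packet), or None if this is not a
    well-formed 6in4 packet. A tunnel endpoint, or a sensor inspecting protocol-41
    traffic, should apply these checks before trusting the inner packet."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        return None
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ihl < 20 or len(ipv4_packet) < ihl or ipv4_checksum(ipv4_packet[:ihl]) != 0:
        return None
    total_len = struct.unpack("!H", ipv4_packet[2:4])[0]
    if ipv4_packet[9] != IPPROTO_IPV6 or total_len > len(ipv4_packet):
        return None
    inner = ipv4_packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:   # inner packet must itself be IPv6
        return None
    return (str(ipaddress.IPv4Address(ipv4_packet[12:16])),
            str(ipaddress.IPv4Address(ipv4_packet[16:20])), inner)

def sample_ipv6_packet() -> bytes:
    """Constructed 40-byte IPv6 header (next header 59 = none) between documentation addresses."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address("2001:db8::1").packed,
                       ipaddress.IPv6Address("2001:db8::2").packed)
```

The same validation is what a firewall or IDS on the IPv4-only network needs in order to see the IPv6 traffic a protocol-41 tunnel carries through it.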

Transition Mechanism: IP6-IP4 Translation

This allows communication between IPv4 only and IPv6 only end stations.

The job of the translator is to translate IPv6 packets into IPv4 packets by doing address and port translation and vice versa.

IPv6 Security

IPv4 was not designed with security in mind.

◦ Packet Sniffing: Due to the network topology, IP packets sent from a source to a specific destination can also be read by other nodes, which can then get hold of the payload (for example, passwords or other private information).
◦ IP Spoofing: IP addresses can be very easily spoofed to attack services whose authentication is based on the sender's address (such as the rlogin service or several WWW servers).
◦ Connection Hijacking: Whole IP packets can be forged to appear as legitimate packets coming from one of the two communicating partners, in order to insert wrong data into an existing channel.

IPv6 Security

In IPv4, security is implemented in:
◦ Applications: HTTPS, IMAPS, SSH, etc.
◦ IPsec tunnels

Security in IPv6

◦ IPv4: NAT breaks end-to-end network security.
◦ IPv6: huge address range, so no need for NAT.

Security in IPv6

Reconnaissance in IPv6:
◦ Default subnets in IPv6 have 2^64 addresses.
◦ A scan at 10 Mpps will take more than 50 000 years.
◦ Ping sweeps on IPv6 networks are not possible.

Security in IPv6

Viruses and Worms in IPv6:
◦ Viruses and e-mail/IM worms: IPv6 brings no change.
◦ Other worms: IPv4 worms rely on network scanning; in IPv6 this is not so easy, but worm developers will adapt to IPv6.
◦ IPv4 best practices around worm detection and mitigation remain valid. IPS systems and anti-viruses will not change.

IPv6 IPsecIPv6

Applies to both IPv4 and IPv6:– Mandatory for IPv6– Optional for IPv4Applicable to use over LANs, across public &

private WANs, & for the InternetIPSec is a security framework– Provides suit of security protocols– Secures a pair of communicating entities

–Two different modes Transport mode (host-to- host) Tunnel Mode (Gateway-to-Gateway or Gateway-to-host)

IPv6 IPsec Protocol

Services Provided by IPsec

Authentication – ensure the identity of an entity (integrity) and replay protection

Confidentiality – protection of data from unauthorized disclosure

Key Management – generation, exchange, storage, safeguarding, etc. of keys in a public key cryptosystem

IPv6 IPsec Protocol

IPsec Services

◦ Authentication: AH (Authentication Header, RFC 4302)
◦ Confidentiality: ESP (Encapsulating Security Payload, RFC 4303)
◦ Key management: IKEv2 (Internet Key Exchange, RFC 4306)

When two computers (peers) want to communicate using IPsec, they first mutually authenticate each other and then negotiate how to encrypt and digitally sign the traffic they exchange. These IPsec communication sessions are called security associations (SAs).

IPv6 IPsec Protocol

IPsec Services

[Figure: where security is applied in the stack. Application approach: S/MIME and S-HTTP above TCP above IP. Network approach: SMTP, FTP and HTTP above TCP above ESP/AH above IP.]

IPv6 IPsec Protocol

IPsec AH

IPv6 AH Header Format:
  Next Header | Length | Reserved
  Security Parameters Index
  Authentication Data (variable number of 32-bit words)

IPv6 AH Packet Format:
  IPv6 Header | Hop-by-Hop | Routing | Authentication Header | Other Headers | Higher Level Protocol Data

IPv6 IPsec Protocol

IPsec ESP

ESP Format:
  Security Parameters Index (SPI)
  Initialization Vector (optional)
  Replay Prevention Field (incrementing count)
  Payload Data (with padding)
  Authentication checksum
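The replay protection that AH and ESP derive from the incrementing sequence number is enforced with a sliding window on the receiver. The following Python (an added example, not code from the deck) parses the SPI and sequence number from the ESP header and applies an RFC 4303 style anti-replay window per SPI; the packet bytes are constructed for the demo.

```python
import struct

class AntiReplayWindow:
    """RFC 4303 section 3.4.3 style sliding window over 32-bit ESP/AH sequence numbers."""

    def __init__(self, window_size: int = 64):
        self.window_size = window_size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set means sequence number (top - i) was already seen
        self.started = False

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:
            return False                      # seq 0 is never sent when anti-replay is on
        if not self.started:
            self.top, self.bitmap, self.started = seq, 1, True
            return True
        if seq > self.top:                    # newer than anything seen: slide the window
            shift = seq - self.top
            mask = (1 << self.window_size) - 1
            self.bitmap = 1 if shift >= self.window_size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.window_size:          # older than the window: reject
            return False
        if self.bitmap & (1 << diff):         # already accepted once: replay
            return False
        self.bitmap |= 1 << diff
        return True

def parse_esp_header(packet: bytes):
    """Return (SPI, sequence number) from the fixed 8-byte ESP header (RFC 4303)."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", packet[:8])

def process_esp_packets(packets, window_size: int = 64):
    """Apply the replay check per SPI (one window per security association)."""
    windows, results = {}, []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        window = windows.setdefault(spi, AntiReplayWindow(window_size))
        results.append((spi, seq, window.check_and_update(seq)))
    return results

# Constructed stream on SPI 0x1000: replay of 2, jump to 100, stale 30, replay of 99.
SAMPLE_PACKETS = [struct.pack("!II", 0x1000, s) + b"\x00" * 8
                  for s in (1, 2, 3, 2, 100, 99, 30, 101, 99)]
```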

IPv6 IPsec Protocol

Implementations:
◦ Linux kernel 2.6.x onwards
◦ Cisco IOS 12.4(4)T onwards
◦ Windows Vista onwards

Security Issues in IPv6

◦ IPsec key exchange protocol not yet fully standardized.
◦ Scanning possible if IP address assignment is poorly designed.
◦ No protection against all denial of service attacks (DoS attacks are difficult to prevent in most cases).
◦ Not many firewalls on the market with IPv6 capability.

Cost Estimation

Cost estimates are primarily based on likely development and deployment scenarios.

Costs comprise hardware, software, services and other miscellaneous expenses.

Each organization or user throughout the Internet will incur some cost in the transition, primarily in the form of labor and capital expenditures.

Expenditure will vary greatly across and within stakeholder groups depending on their existing infrastructure and IPv6-related needs.

ISPs will incur the largest transition cost; individual users will incur the minimum cost.

Methodology: Stakeholders

Description of stakeholder groups: infrastructure vendors, application vendors, ISPs and Internet users.

◦ Infrastructure vendors: manufacturers of computer networking hardware (e.g., routers, firewalls, and servers) and systems software (e.g., operating systems) that supply the components of computer networks. Major companies in this category include Microsoft, IBM, Juniper, Cisco, and Hewlett Packard.

◦ Application vendors: suppliers of e-mail, file transfer protocol (FTP) and Web server software, and database software, such as enterprise resource planning (ERP) and product data management (PDM) software. SAP, Oracle, and PeopleSoft are some of the largest companies in this group.

◦ ISPs: companies that provide Internet connectivity to customers, larger companies, some institutional users, and national and regional; e.g., BSNL, Tata Telecommunication, Airtel, Vodafone, Idea, etc.

◦ Internet users: corporate, institutional, and government organizations, and independent users including small businesses and residential households.

Description of Cost Categories and Estimation Approach

Cost categories:
◦ Labor resources will account for the bulk of the transition costs.
◦ Memory and hardware: some additional physical resources, such as increased memory capacity for routers and other message-forwarding hardware. These expenses are treated as negligible in the cost analysis because they are quite small compared to the labor resources required.
◦ Labor resources needed for the transition are linked to three general business activities within the Internet supply chain: product development, Internet provisioning services, and internal network operations.
◦ Other costs: several other cost categories, such as network testing and standards and protocol development, span multiple business activities and thus several stakeholder groups.

Quantitative Estimation Approach

The penetration curves represent the estimated share of infrastructure products and applications that are IPv6 capable and the share of networks that are IPv6 enabled at a given time.

This implies that costs will be distributed over time as stakeholders gradually engage in transition activities, as networking staff are trained and systems are reconfigured.

Lower costs associated with testing and monitoring are then experienced after the enabling date.

Penetration

The penetration curves give the likely deployment/adoption rates for the four major stakeholder groups. The infrastructure (Inf) and applications (App) vendors' curves represent the path over which vendor groups will offer IPv6-capable products to customers.

The penetration of IPv6 is likely to be a gradual process and will probably never reach 100 percent of applications or users.

These four curves are the key penetration metrics for the cost analysis because they capture the timing of expenditures.

For vendors, R&D expenditures to integrate IPv6 into their products are the primary expenditure category associated with the transition from IPv4 to IPv6.

[Figure: Users' Transition Costs Over Time]

Transition cost break down

Stakeholder             Relative cost   Hardware   Software   Labor
HW vendor               Low             10%        10%        80%
Software vendor         Low/medium      10%        10%        80%
Internet user (large)   Medium          10%        20%        70%
Internet user (small)   Low             30%        40%        30%
ISPs                    High            15%        15%        70%

Internet users incur approximately 90 percent of IPv6 transition costs. Vendors and ISPs account for the remaining costs.

Overview of relative IPv6 cost

Relative cost (L = low, M = medium, H = high) by stakeholder group. Columns: H/W, S/W & service providers | ISPs | Enterprise users.

Labor
  R&D                                   M | L
  Train networking/IT employees         H | H | H
  Designing IPv6 transition strategy    M | H | M/H
  Implementing the transition           M | M/H | M/H

Others
  IPv6 address block                    L | L | L
  Lost employee productivity            M | M
  Security intrusions                   H | H
  Interoperability issues               M | M/H | M/H

Factors influencing the Cost

◦ The type of Internet use or type of service being offered by each organization.
◦ The transition mechanism that the organization intends to implement (e.g., tunneling, dual-stack, translation, or a combination).
◦ The organization-specific infrastructure, comprising servers, routers, firewalls, billing systems, and standard and customized networks, etc.
◦ The level of security required during the transition.
◦ Timing of the transition.

[Figure: Dual stack structure. Application layer / TCP/UDP over IPv6 and over IPv4 side by side / Network interface layer.]

Thanks
