
Internet Protocol version 6 and Network Centric Operations Key Concepts

Internet Protocol version 6 and Network Centric Operations Key Concepts. Will Ivancic SYZYGY Engineering ivancic@syzygyengineering.com. © 2004 Syzygy Engineering – Will Ivancic. Policy. Architecture. Protocols. Security. $$$ Cost $$$. Mobility. Scalability. Maturity. Bandwidth. QoS.


Presentation Transcript


  1. Internet Protocol version 6 and Network Centric Operations: Key Concepts. Will Ivancic, SYZYGY Engineering, ivancic@syzygyengineering.com. © 2004 Syzygy Engineering – Will Ivancic

  2. Network Design Triangle (figure): Policy, Architecture, Protocols, Security, $$$ Cost $$$, Mobility, Scalability, Maturity, Bandwidth, QoS

  3. Policy: Policy drives everything! Policy can make or break IPv6! Source: http://minhdo.bitterjerksociety.org/gallery/page_03.htm

  4. IPv6 Functional Capabilities
  • Expanded Addressing and Routing
  • Simplified Header Format
  • Extension Headers and Options: options are placed in separate headers after the core routing information, so they do not necessarily have to be processed in the core network (speed)
  • Authentication and Encryption Support: required in ALL implementations of IPv6! (This was the 2004 requirement; RFC 6434 later relaxed IPsec support for IPv6 nodes from MUST to SHOULD.)
  • Autoconfiguration
  • Source Routing Support (the Type 0 Routing Header this relied on was later deprecated by RFC 5095 because of its traffic-amplification potential)
  • Ad Hoc Network Route Optimization for Mobility
  • Simple and Flexible Transition: incremental upgrade, incremental deployment, easy addressing, low startup costs
  • Quality of Service Capabilities: real-time traffic, Traffic Class, Flow Labels

  5. IPv4 & IPv6 QoS Fields (header comparison figure: IPv4 header, 20 bytes; IPv6 header, 40 bytes fixed. Legend: field name kept from IPv4 to IPv6; fields not kept in IPv6; name and position changed in IPv6; new field in IPv6). © 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

  6. Addressing Architecture
  • Unicast
  • Unspecified: :: (written 0::0 on the slide)
  • Loopback: ::1 (written 0::1 on the slide)
  • Local-use unicast addresses:
  • Link Local: prefix 1111111010 (FE80::/10)
  • Site Local: prefix 1111111011 (FEC0::/10); deprecated (RFC 3879)
  • Unique Local IPv6 Unicast: prefix FC00::/7 (RFC 4193); analogous to IPv4 private address space; provides for about 2.2 trillion (2^41) /48 site prefixes
  • Anycast
  • Multicast: prefix 11111111 (FF00::/8)
  Nice explanation of anycast for IPv4 at http://www.net.cmu.edu/pres/anycast/Deploying%20IP%20Anycast.ppt

  7. Address Allocation Policy
  • 128-bit addresses: 340,282,366,920,938,463,463,374,607,431,768,211,456 (about 340 undecillion, 3.4 × 10^38)
  • Over a million addresses for every person on the planet! But not really, due to the inefficiency of address allocations
  • Administered by IANA through the Regional Registries: ARIN, APNIC, RIPE, LACNIC
  • The allocation process is under review by the Registries:
  • IANA allocates 2001::/16 to registries
  • Each registry gets a /23 prefix from IANA
  • Formerly, all ISPs were getting a /35
  • With the new policy, a Registry allocates a /32 prefix to an IPv6 ISP
  • Then the ISP allocates a /48 prefix to each customer (or potentially a /64)
  Address structure shown on the slide (example 2001:0410::): /23 registry prefix, /32 ISP prefix, /48 site prefix, /64 LAN prefix, followed by a 64-bit interface identifier.
  © 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

  8. Hierarchical Addressing & Aggregation
  • The larger address space enables (demands) aggregation of the prefixes announced in the global routing table
  • Helps improve routing speed
  • Efficient and scalable routing
  Figure: the IPv6 Internet (2001::/16) sees only the ISP's /32 announcement, 2001:0410::/32. The ISP assigns 2001:0410:0001::/48 to customer no. 1 and 2001:0410:0002::/48 to customer no. 2; these /48s are not announced individually.
  © 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

  9. Site Multihoming
  Figure: a corporation connects to three ISPs, ISP-A (2001:A010::/32), ISP-B (2001:B010::/32) and ISP-C (2001:C010::/32), and receives a /48 from each: 2001:A010:0001::/48, 2001:B010:0001::/48 and 2001:C010:0001::/48. Each ISP announces only its own /32 to the IPv6 Internet (2001::/16); ISP-C is not allowed to advertise ISP-A's routes.
  Syzygy Engineering
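The address classes of slide 6 and the allocation hierarchy and aggregation rules of slides 7 to 9, as an added Python example (not code from the presentation). It matches addresses against the slide's prefix bit patterns, cross-checks the result against the standard library, splits an address along the /23, /32, /48 and /64 boundaries, and finds which ISP's announced /32 covers a multihomed site's /48. The ISP prefixes are the ones on slide 9; the customer address 2001:410:1:2::1 is constructed for the example.

```python
"""IPv6 address classes and allocation hierarchy (added example, not from the slides)."""
import ipaddress
from typing import Dict, Optional

# High-order prefix bits from slide 6 (format prefix -> address class).
PREFIX_CLASSES = [
    ("link-local",   "1111111010"),  # FE80::/10
    ("site-local",   "1111111011"),  # FEC0::/10, deprecated by RFC 3879
    ("unique-local", "1111110"),     # FC00::/7, RFC 4193 (IPv4-private analogue)
    ("multicast",    "11111111"),    # FF00::/8
]

# The /32 aggregates from slide 9, each announced as a single route.
ISP_AGGREGATES = {
    "ISP-A": "2001:A010::/32", "ISP-B": "2001:B010::/32", "ISP-C": "2001:C010::/32",
}


def classify(addr: str) -> str:
    """Classify an address by matching the slide's prefix bit patterns."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    bits = format(int(a), "0128b")          # 128-character binary string, MSB first
    for name, prefix in PREFIX_CLASSES:
        if bits.startswith(prefix):
            return name
    return "global-unicast"


def stdlib_agrees(addr: str) -> bool:
    """Cross-check the bit matching against the standard library's own flags."""
    a = ipaddress.IPv6Address(addr)
    flags = {
        "unspecified": a.is_unspecified, "loopback": a.is_loopback,
        "link-local": a.is_link_local, "site-local": a.is_site_local,
        "multicast": a.is_multicast,
    }
    name = classify(addr)
    return flags.get(name, True) and not any(v for k, v in flags.items() if k != name)


def hierarchy(addr: str) -> dict:
    """Split a global unicast address along the slide-7 allocation boundaries:
    /23 registry, /32 ISP, /48 site, /64 LAN, then the 64-bit interface ID."""
    a = ipaddress.IPv6Address(addr)
    parts = {name: str(ipaddress.IPv6Network((a, plen), strict=False))
             for name, plen in (("registry", 23), ("isp", 32), ("site", 48), ("lan", 64))}
    parts["interface_id"] = int(a) & ((1 << 64) - 1)
    return parts


def site_prefixes(aggregate: str, site_len: int = 48) -> int:
    """Number of /48 site prefixes an aggregate can hold (an ISP /32 holds 2**16)."""
    return 2 ** (site_len - ipaddress.IPv6Network(aggregate).prefixlen)


def aggregating_isp(customer_prefix: str,
                    aggregates: Dict[str, str] = ISP_AGGREGATES) -> Optional[str]:
    """Which announced /32 covers this customer /48?  A multihomed site's
    2001:A010:1::/48 is only reachable via ISP-A's aggregate; ISP-C must not
    announce it as a more-specific route (slide 9)."""
    cust = ipaddress.IPv6Network(customer_prefix)
    for isp, agg in aggregates.items():
        if cust.subnet_of(ipaddress.IPv6Network(agg)):
            return isp
    return None


if __name__ == "__main__":
    for addr in ("::", "::1", "fe80::1", "fec0::1", "fd12:3456::1", "ff02::1", "2001:410:1:2::1"):
        print(f"{addr:18} {classify(addr):14} stdlib agrees: {stdlib_agrees(addr)}")
    print(hierarchy("2001:410:1:2::1"))
    print("ULA /48 site prefixes:", site_prefixes("fc00::/7"))
    print("2001:A010:1::/48 reached via", aggregating_isp("2001:A010:1::/48"))
```

`subnet_of` is the routing-table question in miniature: a more-specific prefix that is not inside any announced aggregate is either a leak or a policy violation of the kind slide 9 forbids.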

  10. Policy Proposal 2005-1: Provider-independent IPv6 Assignments for End Sites
  6.5.8. Direct assignments from ARIN to end-user organizations
  6.5.8.1. Criteria. To qualify for a direct assignment, an organization must:
  • not be an IPv6 LIR; and
  • qualify for an IPv4 assignment or allocation from ARIN under the IPv4 policy currently in effect.
  6.5.8.2. Initial assignment size. Organizations that meet the direct assignment criteria are eligible to receive a direct assignment. The minimum size of the assignment is /48. Organizations requesting a larger assignment must provide documentation justifying the need for additional subnets. These assignments shall be made from a distinctly identified prefix and shall be made with a reservation for growth of at least a /44.
  6.5.8.3. Subsequent assignment size. Additional assignments may be made when the need for additional subnets is justified. When possible, assignments will be made from an adjacent address block.

  11. Restoring an End-to-End Architecture
  • NAT/PAT breaks peer-to-peer on the IPv4 Internet; the IPv6 Internet restores end-to-end connectivity
  • End-to-end connectivity restores the "promise" of multimedia collaboration
  • Peer-to-peer applications need global addresses when you connect to: IP telephony (enterprise, mobile and residential), IP video conferencing, enhanced instant messaging, distributed gaming
  • Elimination of the NAT bottleneck restores end-to-end
  © 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

  12. Transition and Operations Costs (chart: transition cost, and the cost difference between IPv4 and IPv6 operations). Source: PC of Japan

  13. IP Address Status in China: IPv6 is the Only Solution
  Chart: total IPv4 addresses in China, 1997 to 2003, rising from about 3.7 million to about 41.5 million, against a Chinese population of about 1,300 million. Data source: CNNIC, Dec. 2003.
  "IPv6 is good for China and China is good for IPv6. China brings the scale needed for IPv6. IPv6 killer application will occur in China firstly" – Latif Ladid, IPv6 Forum President

  14. IPv6 Transition Plan (DoD)
  Contents:
  • Overall Transition Strategy
  • IPv6 Transition Governance
  • Acquisition and Procurement of IPv6 Capabilities
  • Networking and Infrastructure
  • Addressing
  • Information Assurance
  • Pilots, Testing and Demonstrations
  • Applications
  • Standards
  • Training
  Unclassified, For Official Use Only. https://disronline.disa.mil/a/DISR/docs/secure/DoD-IPv6_Transition_Plan_v1_0_3-24-05_update1.pdf

  15. IPv6 Transition Plan https://disronline.disa.mil/a/DISR/docs/secure/DoD_IPv6_Transition_Plan_v2_Final.pdf

  16. Potential Showstoppers to Fully IP-based Tactical Operations Today
  Further research in the following areas is required in order to enhance the IPv6 protocol suite to support Network Enabled Command:
  • Embedding/encapsulation of legacy systems by means of interoperable gateways
  • Potential of anycast addressing to foster SOA
  • Service discovery protocols such as IPsec discovery need standardization
  • A global IP security architecture needs to encompass both deployable and highly dynamic domains supporting all kinds of host and network mobility
  • Scalable tactical PKI, e.g. CA and distributed sub-CAs
  • Optimization of MANET routing mechanisms
  • Need to find a compromise between the low routing overhead of reactive routing and the instant route availability of proactive routing
  • True multicast routing in the mobile domain
  • QoS that considers the heterogeneous (e.g. in terms of bandwidth and latency) and dynamic availability of communication links
  • Work on standardized service interoperability profiles
  • IPv6 (multicast) enabled applications

  17. v4/v6 Co-Existence Strategy? Source: Sinead O'Donovan, Product Unit Manager, Windows Networking, Microsoft

  18. Key Technology Enablers
  • Zero configuration in rapidly deployed and mobile networks
  • DNS, DHCP and key servers
  • PKI, IKE and key management
  • Applications

  19. Peer-to-Peer Networking
  • Client/server model versus peer-to-peer communication (voice, video and data)
  • Issues: security (particularly in DoD and corporate networks); control
  • End-to-end relative to peer-to-peer: end-to-end allows direct communication once the peer's address is known
  • Typical IPv4 with NAT requires a peer-to-peer server and may require application software (IM, KaZaA, etc.)
  Figure: in typical IPv4 peer-to-peer communication both peers sit behind a firewall and router with NAT, so the exchange (steps 1, 2, 3) goes through a peer-to-peer service (IM, KaZaA, etc.) on the Internet. With a firewall and router but no NAT on both sides, the peer-to-peer server is not required.

  20. New "IPv6 Capable" Definition
  • A product must meet the IPv6 base requirements (defined in "DoD IPv6 Standard Profiles for IPv6 Capable Products") and support the requirements for one (or more) product categories, e.g. workstations, routers, switches, security devices, firewalls, etc.
  • And support the IPv6 version of any IPv6 protocol functional categories required for its function within the DoD Global Information Grid (GIG)
  • Official site (may require a certificate or Common Access Card to obtain access): http://jitc.fhu.disa.mil/adv_ip/register/register.html
  • Otherwise try http://jitc.fhu.disa.mil/adv_ip/register/docs/disr_ipv6_product_profile_draft.pdf

  21. What is Mobility?
  • Transportable: telecommuter, traveler; relatively static once connected; single point of connection; connectivity via IPv6 autoconfiguration and VPN
  • Mobile: mobile devices (PDAs, cell phones); mobile networks (trains, planes, automobiles); connectivity via Mobile-IP, Networks in Motion (NEMO) and ad hoc networks

  22. Mobile Networking Solutions
  • Routing Protocols: route optimization; convergence time; sharing infrastructure – who owns the network?
  • Mobile-IP: route optimization; convergence time; sharing infrastructure; security – relatively easy to secure
  • Domain Name Servers: route optimization; convergence time; reliability
  Source – Will Ivancic

  23. Mobility at What Layer?
  • Layer-2 (radio link): fast and efficient; proven technology within the same infrastructure; cellular technology handoffs; WiFi handoffs
  • Layer-3 (network layer): slower handover between varying networks; the layer-3 IP address provides identity; security issues; need to maintain the address
  • Layer-4 (transport layer): research area; identity not tied to the layer-3 IP address; proposed solutions: HIP – Host Identity Protocol, SCTP – Stream Control Transmission Protocol

  24. Location versus Identifier (figure): Alice (mobile node), Bob (correspondent node) and Headquarters (location manager) connected over the Internet. Captions: "Hello Bob, I am in Cleveland, Ohio"; "HQ keeps track of Alice"; "I am in Cleveland, Ohio"; "Where is Alice's location manager?"; "Hello Alice"; "What is the weather like in Cleveland?". The point: Alice's identity is separate from her location, and the location manager is what maps one to the other.

  25. Securing Networks
  • Constraints/tools: policy (security policy, education, enforcement); architecture; protocols
  • Must be done up front to be done well

  26. Security
  Figure: the original packet (header + payload) gains one header for encryption on the RF link, another for encryption at the network layer, and another for the virtual private network.
  • More security means more bandwidth consumed
  • More security means lower performance
  • Tunnels, tunnels, tunnels and more tunnels
  • Lower performance means less security: the user turns OFF security to make the system usable!
  • Thus, we need more bandwidth to ensure security.
  Source – Will Ivancic

  27. Realities of ROI and Security
  • Network security itself does not provide any type of ROI – it is about cost management
  • Example: you buy a Picasso straight from the artist and a safe to store it in. The safe adds no value to the painting; it only helps prevent its loss (i.e. a cost to you)
  • An organization that fails to adequately prepare a robust security solution faces potential loss from: lost productivity / lost e-commerce revenue; regulatory penalties; tort litigation; long-term business loss from lost customer confidence
  Source – Yurie Rich, Command Information

  28. IPsec: In non-static environments such as mobile and ad hoc networks, your address no longer identifies you! Source – Merike Kaeo, merike@doubleshotsecurity.com

  29. GIG - Black Core

  30. GIG - Striped Core

  31. Flow Label
  • Used by a host to request special handling for certain packets
  • A unique flow is identified by the source address and a non-zero flow label
  • Expected use is per-flow end-to-end QoS: RSVP, video, gaming, VoIP
  • Without the flow label the classifier must use the transport next-header value and port numbers, which is less efficient (need to parse the option headers), may be impossible (due to fragmentation or IPsec ESP), and is a layer violation that may hinder the introduction of new transport protocols
  • IPv6 nodes not providing flow-specific treatment MUST ignore the field when receiving or forwarding a packet
  • Immature technology – research area
  The Flow Label field is useless, unless it is actually used!
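The classifier problem described on this slide, and the extension-header chain from slide 4, as an added Python example (not code from the presentation). `flow_key` keys a flow on (source address, non-zero Flow Label) as the slide says; when the label is zero it falls back to walking the Next Header chain past Hop-by-Hop, Routing, Fragment, Destination Options and AH headers to reach the transport ports, and gives up where the slide says it must: at a non-initial fragment or an ESP header. The addresses, ports and headers are constructed for the example.

```python
"""Flow classification for IPv6: Flow Label versus walking the extension-header
chain to the transport ports (added example, not from the slides)."""
import struct
from typing import Optional, Tuple

# IANA protocol numbers used as Next Header values
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 17, 43, 44, 50, 51, 60
WALKABLE = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS, AH}   # ESP hides everything after it


def ipv6_packet(src: bytes, dst: bytes, next_header: int, payload: bytes,
                flow_label: int = 0, traffic_class: int = 0, hop_limit: int = 64) -> bytes:
    """Fixed 40-byte IPv6 header followed by payload (extension headers included)."""
    word0 = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", word0, len(payload), next_header, hop_limit) + src + dst + payload


def options_header(next_header: int) -> bytes:
    """Minimal Hop-by-Hop / Destination Options header: NH, HdrExtLen=0, one PadN(4)."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header: int, offset_8octets: int, more: int) -> bytes:
    """Fragment header: NH, reserved, 13-bit offset + M flag, identification."""
    return struct.pack("!BBHI", next_header, 0, (offset_8octets << 3) | more, 0x1234ABCD)


def transport_ports(pkt: bytes) -> Optional[Tuple[int, int, int]]:
    """Walk the Next Header chain after the fixed header.  Returns
    (protocol, sport, dport) for TCP/UDP, or None when a classifier cannot see
    the ports: a non-initial fragment, an ESP header, or a truncated chain."""
    nh, off = pkt[6], 40
    while nh in WALKABLE:
        if off + 8 > len(pkt):
            return None                                   # truncated chain
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return None                               # non-initial fragment: no transport header
            length = 8
        elif nh == AH:
            length = (pkt[off + 1] + 2) * 4               # Payload Len: 4-octet units minus 2
        else:
            length = (pkt[off + 1] + 1) * 8               # Hdr Ext Len: 8-octet units, excluding first
        nh, off = pkt[off], off + length
    if nh in (TCP, UDP) and off + 4 <= len(pkt):
        sport, dport = struct.unpack_from("!HH", pkt, off)
        return nh, sport, dport
    return None                                           # ESP or unknown upper layer


def flow_key(pkt: bytes):
    """RFC 3697: a flow is (source address, non-zero Flow Label).  Only when the
    label is zero does the classifier have to fall back to the 5-tuple."""
    flow_label = struct.unpack_from("!I", pkt)[0] & 0xFFFFF
    src, dst = pkt[8:24], pkt[24:40]
    if flow_label:
        return ("label", src, flow_label)
    ports = transport_ports(pkt)
    return None if ports is None else ("5-tuple", src, dst) + ports


# Constructed sample packets: 2001:410:1:2::1 -> 2001:410:2:2::2, SIP on UDP 5060
SRC = bytes.fromhex("20010410000100020000000000000001")
DST = bytes.fromhex("20010410000200020000000000000002")
UDP_HDR = struct.pack("!HHHH", 5060, 5060, 8, 0)        # sport, dport, length, checksum (zero here)
SAMPLES = {
    "voip-with-label":  ipv6_packet(SRC, DST, UDP, UDP_HDR, flow_label=0x12345),
    "voip-no-label":    ipv6_packet(SRC, DST, UDP, UDP_HDR),
    "options-then-tcp": ipv6_packet(SRC, DST, HOPOPT, options_header(DSTOPTS)
                                    + options_header(TCP) + struct.pack("!HH", 443, 51515)),
    "later-fragment":   ipv6_packet(SRC, DST, FRAGMENT, fragment_header(UDP, 185, 0) + bytes(16)),
    "esp":              ipv6_packet(SRC, DST, ESP, bytes(16)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} -> {flow_key(pkt)}")
```

The two `None` results are the slide's "may be impossible" cases: a later fragment carries no transport header at all, and everything after an ESP header is opaque, so a label-less flow through a firewall or QoS classifier is unclassifiable there.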

  32. Flow Label Security Considerations
  • The IPsec protocol, as defined in [IPSec, AH, ESP], does not include the IPv6 header's Flow Label in any of its cryptographic calculations
  • In the case of tunnel mode, it is the outer IPv6 header's Flow Label that is not included
  • Modification of the Flow Label by a network node therefore has no effect on IPsec end-to-end security: it cannot cause any IPsec integrity check to fail
  • As a consequence, IPsec does not provide any defense against an adversary's modification of the Flow Label (i.e., a man-in-the-middle attack)
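The integrity-check boundary this slide describes, as an added Python example (not code from the presentation). It computes an AH ICV the way RFC 4302 specifies for an IPv6 base header, zeroing the mutable fields (Traffic Class, Flow Label, Hop Limit) and the ICV field before hashing, then shows that rewriting the Flow Label or decrementing the Hop Limit on the path leaves the ICV valid, while rewriting the destination address does not. HMAC-SHA1-96 is the RFC 2404 algorithm; the key, addresses and SPI are constructed for the example, and the packet is assumed to carry no extension headers before AH.

```python
"""What an IPsec AH integrity check covers in the IPv6 header (added example,
not from the slides).  HMAC-SHA1-96 per RFC 2404; mutable-field handling per
RFC 4302 section 3.3.3.1.2; assumes no extension headers precede AH."""
import hashlib
import hmac
import struct

AH, UDP = 51, 17
ICV_LEN = 12                                    # HMAC-SHA1-96 truncated ICV


def ipv6_base_header(src, dst, next_header, payload_len,
                     flow_label=0, traffic_class=0, hop_limit=64) -> bytes:
    word0 = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", word0, payload_len, next_header, hop_limit) + src + dst


def ah_icv(key: bytes, base_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over: base header with mutable fields zeroed (Traffic Class, Flow
    Label, Hop Limit), AH with its ICV field zeroed, and the payload."""
    hdr = bytearray(base_hdr)
    struct.pack_into("!I", hdr, 0, struct.unpack_from("!I", hdr)[0] & 0xF0000000)  # keep Version only
    hdr[7] = 0                                                                     # Hop Limit
    covered = bytes(hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, payload, next_header=UDP, spi=0x1001, seq=1,
                    flow_label=0, hop_limit=64) -> bytes:
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)   # Payload Len 4 -> 24-byte AH
    hdr = ipv6_base_header(src, dst, AH, len(ah_fixed) + ICV_LEN + len(payload),
                           flow_label, 0, hop_limit)
    return hdr + ah_fixed + ah_icv(key, hdr, ah_fixed, payload) + payload


def verify_ah(key: bytes, pkt: bytes) -> bool:
    hdr, ah_fixed = pkt[:40], pkt[40:52]
    icv, payload = pkt[52:52 + ICV_LEN], pkt[52 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, hdr, ah_fixed, payload))


# Changes an on-path node (router or man-in-the-middle) might make:
def set_flow_label(pkt: bytes, flow_label: int) -> bytes:
    word0 = (struct.unpack_from("!I", pkt)[0] & 0xFFF00000) | (flow_label & 0xFFFFF)
    return struct.pack("!I", word0) + pkt[4:]


def flow_label_of(pkt: bytes) -> int:
    return struct.unpack_from("!I", pkt)[0] & 0xFFFFF


def decrement_hop_limit(pkt: bytes) -> bytes:
    return pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]


def set_destination(pkt: bytes, dst: bytes) -> bytes:
    return pkt[:24] + dst + pkt[40:]


# Constructed sample: example key (not a real SA), 2001:410:1:2::1 -> 2001:410:2:2::2
KEY = b"constructed-example-key"
SRC = bytes.fromhex("20010410000100020000000000000001")
DST = bytes.fromhex("20010410000200020000000000000002")
OTHER = bytes.fromhex("20010410000300030000000000000003")
PKT = build_ah_packet(KEY, SRC, DST, struct.pack("!HHHH", 5060, 5060, 8, 0), flow_label=0x12345)


def demo() -> dict:
    """Which on-path modifications still pass the receiver's AH check."""
    return {
        "original":              verify_ah(KEY, PKT),
        "flow label rewritten":  verify_ah(KEY, set_flow_label(PKT, 0xABCDE)),
        "hop limit decremented": verify_ah(KEY, decrement_hop_limit(PKT)),
        "destination rewritten": verify_ah(KEY, set_destination(PKT, OTHER)),
        "wrong key":             verify_ah(b"wrong", PKT),
    }


if __name__ == "__main__":
    for change, ok in demo().items():
        print(f"{change:22} ICV valid: {ok}")
```

The Flow Label is mutable for the same reason the Hop Limit is: the sender cannot predict what intermediate nodes will do to it, so AH must exclude it, and anything the receiver's QoS classifier does with the label therefore rests on no cryptographic guarantee.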
