IPv6 Migration Issues: Transition Techniques, Security and Cost Estimation ALTTC BSNL

ALTTC BSNL. 1. Introduction 2. Transition Techniques 3. Security issues 4. Cost Estimation 5. Transition cost and penetration curve 6. Theoretical consideration

Page 1: IPv6 Migration Issues: Transition Techniques, Security and Cost Estimation

ALTTC BSNL

Page 2: Agenda

1. Introduction
2. Transition Techniques
3. Security issues
4. Cost Estimation
5. Transition cost and penetration curve
6. Theoretical consideration
7. Summary

Page 3: Introduction

IPv4
◦ In use for almost 30 years
◦ Has supported the Internet's growth over the last decade

An IPv6-based network would be technically superior to an IPv4-based network.

The increased IPv6 address space and its header structure:
◦ Will enable the development of new applications
◦ Will be more secure
◦ Will offer ease of mobility and renumbering
◦ Will provide end-to-end connectivity
◦ Will be efficient and will provide other benefits

Page 4: Transition Mechanism

No fixed day to convert; no need to convert all at once.

Transition options:
◦ Dual stack
◦ IPv6-IPv4 tunnel
◦ IPv6-IPv4 translation

[Diagrams: dual stack (application, TCP/UDP, IPv4 and IPv6, driver); IPv6 networks connected by a tunnel through an IPv4 network; IPv4 network and IPv6 network connected by a translator]

Page 5: Transition Mechanism

Page 6: 6/4 Dual Stack Hosts and Network

This allows all end hosts and intermediate network devices (routers, switches, modems, etc.) to have both IPv4 and IPv6 addresses and protocol stacks.

If both end stations support IPv6, they can communicate using IPv6; otherwise they will communicate using IPv4.

This allows IPv4 and IPv6 to coexist, so that a slow transition from IPv4 to IPv6 can happen.

Page 7: 6/4 Dual Stack Hosts and Network

Page 8: Tunneling IP6 via IP4

This allows IPv6 packets to be encapsulated in IPv4 packets for transport over an IPv4-only network.

This lets IPv6-only end stations communicate over IPv4-only networks.

Page 9: IP6-IP4 Translation

This allows communication between IPv4-only and IPv6-only end stations.

The job of the translator is to translate IPv6 packets into IPv4 packets, and vice versa, by doing address and port translation.

Page 10: IPv6 Security

IPv4 was not designed with security in mind.

◦ Packet sniffing: Because of the network topology, IP packets sent from a source to a specific destination can also be read by other nodes, which can then get hold of the payload (for example, passwords or other private information).
◦ IP spoofing: IP addresses can be spoofed very easily to attack services whose authentication is based on the sender's address (such as the rlogin service or several WWW servers).
◦ Connection hijacking: Whole IP packets can be forged to appear as legitimate packets coming from one of the two communicating partners, in order to insert wrong data into an existing channel.

Page 11: IPv6 Security

In IPv4, security is implemented in:
◦ Applications: HTTPS, IMAPS, SSH, etc.
◦ IPsec tunnels

Page 12: Security in IPv6

IPv4: NAT breaks end-to-end network security

IPv6: huge address range, no need for NAT

Page 13: Security in IPv6

Reconnaissance in IPv6:
◦ Default subnets in IPv6 have 2^64 addresses
◦ A scan at 10 Mpps will take more than 50 000 years
◦ Ping sweeps on IPv6 networks are not possible

Page 14: Security in IPv6

Viruses and worms in IPv6:

Viruses and e-mail/IM worms: IPv6 brings no change.

Other worms:
◦ IPv4: reliance on network scanning
◦ IPv6: not so easy
◦ Worm developers will adapt to IPv6

IPv4 best practices around worm detection and mitigation remain valid. IPS systems and anti-virus products will not change.

Page 15: IPv6 IPsec

Applies to both IPv4 and IPv6:
– Mandatory for IPv6
– Optional for IPv4

Applicable to use over LANs, across public & private WANs, & for the Internet

IPsec is a security framework:
– Provides a suite of security protocols
– Secures a pair of communicating entities
– Two different modes: transport mode (host-to-host) and tunnel mode (gateway-to-gateway or gateway-to-host)

Page 16: IPv6 IPsec Protocol

Services provided by IPsec:
◦ Authentication: ensure the identity of an entity (integrity) and replay protection
◦ Confidentiality: protection of data from unauthorized disclosure
◦ Key management: generation, exchange, storage, safeguarding, etc. of keys in a public key cryptosystem

Page 17: IPv6 IPsec Protocol

IPsec services:
◦ Authentication: AH (Authentication Header, RFC 4302)
◦ Confidentiality: ESP (Encapsulating Security Payload, RFC 4303)
◦ Key management: IKEv2 (Internet Key Exchange, RFC 4306)

When two computers (peers) want to communicate using IPsec, they mutually authenticate with each other first and then negotiate how to encrypt and digitally sign the traffic they exchange. These IPsec communication sessions are called security associations (SAs).

Page 18: IPv6 IPsec Protocol

IPsec services

[Diagram: protocol stacks. Application approach: S/MIME, S-HTTP, TCP, IP. Network approach: SMTP, FTP, HTTP, TCP, AH/ESP, IP.]

Page 19: IPv6 IPsec Protocol

IPsec AH

IPv6 AH header format:
◦ Next Header, Length, Reserved
◦ Security Parameters Index
◦ Authentication Data (variable number of 32-bit words)

IPv6 AH packet format:
◦ IPv6 Header
◦ Hop-by-Hop, Routing
◦ Authentication Header
◦ Other Headers
◦ Higher Level Protocol Data
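The packet layout on this slide, walked in code as an added example that is not part of the original deck: it follows the IPv6 extension-header chain until it reaches the Authentication Header (Next Header 51) and reads its fields. The field layout is the RFC 4302 one cited earlier in the deck, which places a 32-bit Sequence Number between the SPI and the authentication data; the function names and the sample packet are constructed.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP, TCP, ROUTING, AH, DEST_OPTS = 0, 6, 43, 51, 60

def find_ah(packet: bytes):
    """Walk the IPv6 extension-header chain; return the AH fields, or None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    while next_header in (HOP_BY_HOP, ROUTING, DEST_OPTS, AH):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length_field = packet[offset], packet[offset + 1]
        if next_header == AH:
            # AH counts its length in 32-bit words minus 2 (RFC 4302) ...
            size = (length_field + 2) * 4
            if size < 12 or offset + size > len(packet):
                raise ValueError("bad AH length")
            spi, seq = struct.unpack_from("!II", packet, offset + 4)
            return {"offset": offset, "next_header": following, "spi": spi,
                    "seq": seq, "icv": packet[offset + 12:offset + size]}
        # ... the other extension headers count 8-octet units minus 1 (RFC 8200).
        offset += (length_field + 1) * 8
        next_header = following
    return None

def ipv6_header(next_header: int, payload: bytes) -> bytes:
    """Constructed 40-byte IPv6 header, ::1 -> ::2, hop limit 64."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + bytes(15) + b"\x01" + bytes(15) + b"\x02" + payload

def sample_packet() -> bytes:
    """Constructed packet: IPv6 | Hop-by-Hop | AH with 12-byte ICV | TCP stub."""
    icv = bytes(range(12))
    ah = struct.pack("!BBHII", TCP, (12 + len(icv)) // 4 - 2, 0, 0x1234, 7) + icv
    hop_by_hop = bytes([AH, 0, 1, 4, 0, 0, 0, 0])  # 8 octets, one PadN option
    return ipv6_header(HOP_BY_HOP, hop_by_hop + ah + bytes(20))
```

The two length encodings are the detail a parser most easily gets wrong: reading the AH length field with the 8-octet rule would skip 40 bytes instead of 24 in the sample and land in the middle of the upper-layer data.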

Page 20: IPv6 IPsec Protocol

IPsec ESP

ESP format:
◦ Security Parameters Index (SPI)
◦ Initialization Vector (optional)
◦ Replay Prevention Field (incrementing count)
◦ Payload Data (with padding)
◦ Authentication checksum

Page 21: IPv6 IPsec Protocol

Implementations:
◦ Linux kernel 2.6.x onwards
◦ Cisco IOS 12.4(4)T onwards
◦ Windows Vista onwards

Page 22: Security Issues in IPv6

◦ IPsec key exchange protocol not yet fully standardized
◦ Scanning possible if IP address assignment is poorly designed
◦ No protection against all denial-of-service attacks (DoS attacks are difficult to prevent in most cases)
◦ Not many firewalls on the market with IPv6 capability
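An audit sketch for the "poorly designed address assignment" point above and the 2^64 figure on the reconnaissance slide, added here and not part of the original deck: it classifies the interface identifier (low 64 bits) of each address in an inventory and reports those that follow a guessable pattern. The pattern names, the search-space sizes and the inventory are assumptions constructed for illustration; the scan rate is the slide's 10 Mpps.

```python
import ipaddress

SCAN_RATE_PPS = 10_000_000   # the slide's 10 Mpps
SECONDS_PER_YEAR = 365 * 24 * 3600

# Interface identifiers (IIDs) to cover within one /64, per assignment pattern.
# The eui-64 figure assumes the NIC vendor prefix (OUI) is already known.
SEARCH_SPACE = {"low-byte": 2**16, "embedded-ipv4": 2**32,
                "eui-64": 2**24, "opaque": 2**64}

def classify_iid(address: str) -> str:
    """Name the pattern followed by the low 64 bits of an IPv6 address."""
    iid = int(ipaddress.IPv6Address(address)) & (2**64 - 1)
    if iid < 2**16:
        return "low-byte"          # ::1, ::25, ... manual or sequential numbering
    if iid < 2**32:
        return "embedded-ipv4"     # IPv4 address copied into the last 32 bits
    if iid.to_bytes(8, "big")[3:5] == b"\xff\xfe":
        return "eui-64"            # derived from the MAC address
    return "opaque"                # no recognisable structure

def sweep_years(pattern: str) -> float:
    """Years needed to cover the pattern's search space at SCAN_RATE_PPS."""
    return SEARCH_SPACE[pattern] / SCAN_RATE_PPS / SECONDS_PER_YEAR

def audit(inventory):
    """Return (address, pattern) for every address with a guessable IID."""
    findings = []
    for address in inventory:
        pattern = classify_iid(address)
        if pattern != "opaque":
            findings.append((address, pattern))
    return findings

# Constructed inventory in the 2001:db8::/32 documentation prefix.
INVENTORY = [
    "2001:db8:10:1::1",
    "2001:db8:10:1::c0a8:a05",
    "2001:db8:10:1:211:22ff:fe33:4455",
    "2001:db8:10:1:8d3f:6c1a:94e2:7b5",
]
```

Only the last inventory entry keeps the full 2^64 search space behind the slide's 50 000-year figure; the other three shrink it to a range that the same scan rate covers in well under a day.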

Page 23: Cost Estimation

Cost estimates are primarily based on likely development and deployment scenarios.

Hardware, software, services and other miscellaneous expenses.

Each organization or user throughout the Internet will incur some cost in the transition, primarily in the form of labor and capital expenditures.

Expenditure will vary greatly across and within stakeholder groups depending on their existing infrastructure and IPv6-related needs.

ISPs have to incur the largest transition cost.

Individual users will incur the minimum cost.

Page 24: Methodology

• Description of stakeholder groups

Infrastructure vendors, application vendors, ISPs and Internet users.

◦ Infrastructure vendors: manufacturers of computer networking hardware (e.g., routers, firewalls, and servers) and systems software (e.g., operating systems) that supply the components of computer networks. Major companies in this category include Microsoft, IBM, Juniper, Cisco, and Hewlett Packard.

Page 25: Stakeholders

◦ Application vendors: include suppliers of e-mail, file transfer protocol (FTP) and Web server software, and database software, such as enterprise resource planning (ERP) and product data management (PDM) software. SAP, Oracle, and PeopleSoft are some of the largest companies in this group.

◦ ISPs: companies that provide Internet connectivity to customers, larger companies, some institutional users, and national and regional. E.g., BSNL, Tata telecommunication, AirTel, Vodafone, Idea, etc.

◦ Internet users: corporate, institutional, and government organizations, and independent users including small businesses and residential households.

Page 28: Description of Cost Categories and Estimation Approach

Cost categories:

◦ Labor resources will account for the bulk of the transition costs.

◦ Memory and hardware: some additional physical resources, such as increased memory capacity for routers and other message-forwarding hardware.

◦ These expenses are treated as negligible in the cost analysis because they are quite small compared to the labor resources required.

◦ Labor resources needed for the transition are linked to three general business activities within the Internet supply chain: product development, Internet provisioning services, and internal network operations.

◦ Other costs: additionally, several other cost categories, such as network testing and standards and protocol development, span multiple business activities and thus several stakeholder groups.

Page 29: Quantitative Estimation Approach

The penetration curves represent the estimated share of infrastructure products and applications that are IPv6 capable and the share of networks that are IPv6 enabled at a given time.

This implies that costs will be distributed over time as stakeholders gradually engage in transition activities.

As networking staff are trained and the system is reconfigured.

Lower costs associated with testing and monitoring are then experienced after the enabling date.

Page 30: The penetration curves

Likely deployment/adoption rates for the four major stakeholder groups. The infrastructure (Inf) and applications (App) vendors' curves represent the path over which vendor groups will offer IPv6-capable products to customers.

Page 31: Penetration

The penetration of IPv6 is likely to be a gradual process and will probably never reach 100 percent of applications or users.

These four curves are the key penetration metrics for the cost analysis because they capture the timing of expenditures.

For vendors, R&D expenditures to integrate IPv6 into their products are the primary expenditure category associated with the transition from IPv4 to IPv6.

Page 32: Users' Transition Costs Over Time

Page 33: Transition cost breakdown

Stakeholder             Relative cost   Hardware   Software   Labor
HW vendor               Low             10%        10%        80%
Software vendor         Low/medium      10%        10%        80%
Internet user (large)   Medium          10%        20%        70%
Internet user (small)   Low             30%        40%        30%
ISPs                    High            15%        15%        70%

Internet users incur approximately 90 percent of IPv6 transition costs. Vendors and ISPs account for the remaining costs.

Page 34: Overview of relative IPv6 cost

Columns: H/W, S/W & service providers; ISPs; Enterprise users

Labor
◦ R&D: M, L
◦ Train networking/IT employees: H, H, H
◦ Designing IPv6 transition strategy: M, H, M/H
◦ Implementation transition: M, M/H, M/H

Others
◦ IPv6 address block: L, L, L
◦ Lost employee productivity: M, M
◦ Security intrusions: H, H
◦ Interoperability issues: M, M/H, M/H

Page 35: Factors influencing the cost

◦ The type of Internet use or type of service being offered by each organization.

◦ The transition mechanism that the organization intends to implement (e.g., tunneling, dual stack, translation, or a combination).

◦ The organization-specific infrastructure, comprising servers, routers, firewalls, billing systems, standard and customized networks, etc.

◦ The level of security required during the transition.

◦ Timing of the transition.

Page 36: Dual stack structure

Application layer
TCP/UDP | TCP/UDP
IPv6    | IPv4
Network interface layer

Page 37: Thanks