IPv6 migration: The Why? questions of stakeholders
• Business continuity (esp. 4G, IoT)
• IPv6 in IPv4 only network (Security risks)
• Economic decision – Invest in IPv6 Vs Prolong IPv4
• IPv6 is growing rapidly
• Resources and best practices available
• Policy and regulatory support

Convincing decision makers in stakeholders – A major challenge
Who are these stakeholders?
- Ministry, Regulatory authority, e-Government agencies, Telecom service providers, Content developers and providers, Standardization agencies, IP address allocation agencies, Development agencies, Academia and Training Providers, Telecom research organizations, Data centre providers, Internet exchange providers, Equipment importers, Type approval agencies, Enterprises with own networks, End Users ……..
Singapore: IPv6 Adoption Guide Report - I
Report prepared by Analysys Mason and Tech Mahindra for IDA Singapore, available at http://www.ida.gov.sg/images/content/Technology/Technology_Level1/ipv6/download/IPv6AdoptionGuideforSingapore.pdf
Singapore: IPv6 Adoption Guide Report - II
Focus areas identified in the report
• Planning
• Network
• Applications
• Skills
• Services/products

Country experiences
• Lao PDR
• Mongolia
• Cambodia
• Bhutan (2017)
Training on IPv6 deployment and IPv6 Infrastructure Security
Specialized technical advice to interested telecom operators
Recommendations on IPv6 deployment
IPv6 migration - Experiences

Stakeholder engagement and stocktake
• Current status and plans of government agencies and enterprises, telecom operators, content developers and device manufacturers on the status of IPv6 deployment and future plan
• Engaging stakeholders in a common dialogue
• Survey

Policy, Task Force, Regulation and Roadmap
• Include IPv6 adoption as part of the national telecommunication/ICT policy
• IPv6 task force
• IPv4 to IPv6 national roadmap
• Standards and interoperability
• IXPs for IPv6 peering

Government leadership
• Set deadlines for deployment of IPv6 within all Government Agencies and procurement processes
• Monitoring mechanism

Telecom Industry and Business
• Enterprise public facing content needs to support IPv6
• Start migration to IPv6 within their internal networks
• Recommendations/guidelines for IPv6 address plans
• Equipment which is type approved needs to be IPv6 capable as far as possible
• Prepare an implementation plan for IPv6 in their own networks
• Transition technologies

IPv6 Security
• Develop an IPv6 Security Guideline in consultation with the IPv6 task force

Human Capacity Building
• Build human capacity on IPv6 transition mechanism including security

Source: Roadmap assistances by APNIC and ITU
Key elements of government action
• Establishing or supporting national IPv6 transition task forces (often in conjunction with multistakeholder groups or RIRs);
• Establishing national “roadmaps” with benchmarks and timetables for IPv6 deployment;
• Mandating that government agencies adopt IPv6 technology for their networks, websites or services;
• Promoting the use of IPv6 in government-funded educational, science and research networks; and
• Promoting overall awareness of the transition through setting up websites, hosting workshops or forums, and setting up training programmes.
Governments promoting IPv6 deployment (examples)
• Promotion of IPv6
• IPv6 deployment and use
• Interagency Task Force
• Funding
Singapore: IPv6 Transition Programme
Source: http://www.ida.gov.sg/Technology/20110414104645.aspx
The IPv6 Transition Programme is a national effort spearheaded by IDA in its role as the national planner for Infocomm development, to address the issue of IPv4 (Internet Protocol version 4) exhaustion and to facilitate the smooth transition of the Singapore Infocomm ecosystem to IPv6 (Internet Protocol version 6).
Developed by the Singapore IPv6 Task Force, it involves a two-pronged approach to drive IPv6 adoption in the nation as well as encourage the efficient use of the remaining pool of IPv4 addresses to minimise the risks of depletion.
• Developing reference specifications and transition guides
• Engaging stakeholders
• Developing IPv6 capabilities
• Establishing an IPv6 Marketplace
• Setting up IPv6 industry exemplars
• Others
India: NTP 2012 and IPv6

Preamble
NTP-2012 recognises futuristic roles of Internet Protocol Version 6 (IPv6) and its applications in different sectors of Indian economy.

Objectives
Achieve substantial transition to new Internet Protocol (IPv6) in the country in a phased and time bound manner by 2020 and encourage an ecosystem for provision of a significantly large bouquet of services on IP platform.

Telecom Enterprise Data Services, IPv6 Compliant Networks and Future Technologies
To recognize the importance of the new Internet Protocol IPv6 to start offering new IP based services on the new protocol and to encourage new and innovative IPv6 based applications in different sectors of the economy by enabling participatory approach of all stakeholders.
To establish a dedicated centre of innovation to engage in R&D, specialized training, development of various applications in the field of IPv6. This will also be responsible for support to various policies and standards development processes in close coordination with different international bodies.
Governments promoting IPv6 deployment (example India)
Government Organisations:
• The Government organisations should prepare a detailed transition plan for complete transition to IPv6 (dual stack) by December 2017 based on the network complexity & equipment/technological life cycles. The plan should be prepared latest by December 2013 and accordingly the required budgetary provisions should be made in their demand for grant.
• For this purpose, it is recommended that a dedicated transition unit in each organisation should be formed immediately to facilitate entire transition.
• All new IP based services (like cloud computing, data centres etc.) to be provisioned for/by the Government organisations should be on dual stack supporting IPv6 traffic with immediate effect.
• The public interface of all Government projects for delivery of citizen centric services should be dual stack supporting IPv6 traffic latest by 01-01-2015. The readiness of Government projects in turn will act as a catalyst for private sector transition from IPv4 to IPv6.
Governments promoting IPv6 deployment (example India)
Government Organisations:
• The Government organisations should procure equipments which are also IPv6 Ready (Dual Stack) and go for deployment of IPv6 ready (Dual Stack) networks with end to end IPv6 supported applications. The equipment should be either TEC certified or IPv6 Ready Logo certified.
• The Government organisations should go for IPv6 based innovative applications in their respective areas like smart metering, smart grid, smart building, smart city etc.
• The Government organisations should develop adequate skilled IPv6 trained human resources within the organisation through periodic trainings over a period of one to three years to have a seamless transition with minimum disruption.
• The IPv6 should be included in the curriculum of technical courses being offered by various institutes/colleges across the country.
Governments promoting IPv6 deployment (example India)
Service Providers:
Enterprise Customers
• All new enterprise customer connections (both wireless and wireline) provided by Service Providers on or after 01-01-2014 shall be capable of carrying IPv6 traffic either on dual stack or on native IPv6.
• Regarding the existing enterprise customers which are not IPv6 ready, the Service Providers shall educate and encourage their customers to switch over to IPv6.
Retail Customers (Wireline)
• All new retail wireline customer connections provided by Service Providers on or after 01-01-2017 shall be capable of carrying IPv6 traffic either on dual stack or on native IPv6.
• The Service Providers shall endeavor to progressively replace/upgrade the Service Providers owned CPEs which are not IPv6 ready as per the following timelines:
  • Replacement/upgradation of 25% of CPEs by December 2014.
  • Replacement/upgradation of 50% of CPEs by December 2015.
  • Replacement/upgradation of 75% of CPEs by December 2016.
  • Replacement/upgradation of 100% of CPEs by December 2017.
Regarding the customer owned CPEs which are not IPv6 ready, the Service Providers shall educate and encourage their customers to replace/upgrade such CPEs to IPv6 ready ones.
Governments promoting IPv6 deployment (example India)
Retail Customers (Wireless)
• All new LTE customer connections provided by Service Providers with effect from 01-01-2017 shall be capable of carrying IPv6 traffic either on dual stack or on native IPv6.
• All new GSM/CDMA customer connections provided by Service Providers on or after 01-01-2017 shall be capable of carrying IPv6 traffic either on dual stack or on native IPv6.
Content & Application Providers:
• All contents (e.g. websites) and applications providers should endeavour to adopt IPv6 (dual stack) by 01-01-2017.
• The complete financial ecosystem including payment gateways, financial institutions, banks, insurance companies etc. should endeavour to adopt IPv6 (dual stack) by 01-01-2017.
• The entire ‘.in’ domain should endeavour to adopt IPv6 (dual stack) by 01-01-2017.
Governments promoting IPv6 deployment (example India)
Equipment Manufacturers:
• All mobile phone handsets/data card dongles/tablets and similar devices used for internet access supporting GSM/CDMA version 2.5G and above sold in India on or after 30-06-2014 shall be capable of carrying IPv6 traffic either on dual stack (IPv4v6) or on native IPv6.
• All wireline broadband CPEs sold in India on or after 01-01-2014 shall be capable of carrying IPv6 traffic either on dual stack or on native IPv6.
Cloud Computing / Data Centres:
• All public cloud computing service/data centres providers should endeavour to adopt IPv6 (dual stack) latest by 01-01-2017.
Telecom Service Provider - Migration
• Existing Network: Audit and Assessment
• Existing Network Optimization
• Procuring IPv6 Address Space
• Developing IPv6 Address Plan
• Deployment on Network
• Seeking IPv6 Transit
• Enabling Customers/End-Users
Source: Dr. Philip Smith, Roadmaps assistances by APNIC and ITU
IPv6 related standards (Non–exhaustive)

Table 8: List of IETF RFCs related to IPv6 Security

IETF RFC | Title
IETF RFC 3964 (2004) | Security Considerations for 6to4
IETF RFC 4593 (2006) | Generic Threats to Routing Protocols
IETF RFC 4795 (2007) | Link-Local Multicast Name Resolution (LLMNR)
IETF RFC 4861 (2007) | Neighbor Discovery for IP version 6 (IPv6)
IETF RFC 4942 (2007) | IPv6 Transition/Coexistence Security Considerations
IETF RFC 5942 (2010) | IPv6 Subnet Model: The Relationship between Links and Subnet Prefixes
IETF RFC 5969 (2010) | IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) – Protocol Specification
IETF RFC 6106 (2011) | IPv6 Router Advertisement Options for DNS Configuration
IETF RFC 6333 (2011) | Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion
IETF RFC 6434 (2011) | IPv6 Node Requirements
IETF RFC 6618 (2012) | Mobile IPv6 Security Framework Using Transport Layer Security for Communication between the Mobile Node and Home Agent
IETF RFC 6686 (2013) | Problem Statement for Renumbering IPv6 Hosts with Static Addresses in Enterprise Networks
IETF RFC 6879 (2013) | IPv6 Enterprise Network Renumbering Scenarios, Considerations, and Methods
IETF RFC 6883 (2013) | IPv6 Guidance for Internet Content Providers and Application Service Providers
IETF RFC 6889 (2013) | Analysis of Stateful 64 Translation
IETF RFC 6946 (2013) | Processing of IPv6 "Atomic" Fragments
IETF RFC 6980 (2013) | Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery
IETF RFC 7059 (2013) | A Comparison of IPv6-over-IPv4 Tunnel Mechanisms
IETF RFC 7113 (2014) | Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
IETF RFC 7123 (2014) | Security Implications of IPv6 on IPv4 Networks
IETF RFC 7283 (2014) | Handling Unknown DHCPv6 Messages
IETF RFC 7368 (2014) | IPv6 Home Networking Architecture Principles
IETF RFC 7381 (2014) | Enterprise IPv6 Deployment Guidelines
IETF RFC 7526 (2015) | Deprecating the Anycast Prefix for 6to4 Relay Routers
IETF RFC 7527 (2015) | Enhanced Duplicate Address Detection
IETF RFC 7610 / BCP 199 (2015) | DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers
IETF RFC 7707 (2016) | Network Reconnaissance in IPv6 Networks
IETF RFC 7721 (2016) | Security and Privacy Considerations for IPv6 Address Generation Mechanisms
IETF RFC 7739 (2016) | Security Implications of Predictable Fragment Identification Values
IETF RFC 7824 (2016) | Privacy Considerations for DHCPv6
IPv6 Infrastructure Security (ITU-T X.1037)
• Network Devices (Router, Switch, NAT device)
• Clients, servers, and other end devices (End Nodes, DHCP, DNS)
• Security devices such as firewalls and IDS Devices (Intrusion Detection System, Firewall)
Key issues to consider in Bhutan
• Policy, legislation and regulation cluster
• Institution, stakeholder engagement and coordination cluster
• Technology (hardware and software), standards, type approval, infrastructure, and interoperability cluster
• Security cluster
• Assessment, pilot, testing and deployment cluster
• Knowledge, awareness and skills cluster
• Procurement and financial cluster

Bhutan Telecommunications and Broadband Policy 2014
Develop IPv6 migration plan