
SYZYGY Engineering

Internet Protocol version 6 and Network Centric Operations

Key Concepts

Will Ivancic
SYZYGY Engineering
[email protected]

© 2004 Syzygy Engineering – Will Ivancic

Slide 2: Network Design Triangle

Figure: a triangle relating Policy, Architecture and Protocols, with the surrounding design factors Security, $$$ Cost $$$, Mobility, Scalability, Maturity, Bandwidth and QoS.

Slide 3: Policy

Source: http://minhdo.bitterjerksociety.org/gallery/page_03.htm

Slide 4: IPv6 Functional Capabilities

• Expanded Addressing and Routing
• Simplified Header Format
• Extension Headers and Options
  – Options are placed in separate headers after the core routing information
  – Options do not necessarily have to be processed in core network (speed)
• Authentication and Encryption Support
  – Required in ALL implementations of IPv6!
• Autoconfiguration
• Source Routing Support
  – Ad Hoc Network
  – Route Optimization for Mobility
• Simple and Flexible Transition
  – Incremental Upgrade
  – Incremental Deployment
  – Easy Addressing (
  – Low Startup Costs
• Quality of Service Capabilities
  – Real-Time Traffic
  – Traffic Class
  – Flow labels

Slide 5: IPv4 & IPv6 QoS Fields

IPv4 Header (20 bytes): Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding

IPv6 Header (40 bytes, fixed): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

Legend (distinguished graphically in the original figure): field's name kept from IPv4 to IPv6; fields not kept in IPv6; name & position changed in IPv6; new field in IPv6

© 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

Slide 6: Addressing Architecture

• Unicast
  – Unspecified 0::0
  – Loopback 0::1
  – User Local Addresses
    • Link Local prefix 1111111010
    • Site Local prefix 1111111011 (Deprecated)
  – Unique Local IPv6 Unicast prefix FC00::/7
    • Analogous to IPv4 Private Address Space
    • Provides for 2.2 trillion addresses
• Anycast
• Multicast prefix 11111111

Nice explanation of Anycast for IPv4 at http://www.net.cmu.edu/pres/anycast/Deploying%20IP%20Anycast.ppt

Slide 7: Address Allocation Policy

• 128-bit addresses:
  – 340,282,366,920,938,463,463,374,607,431,768,211,456 (340 duodecillion)
  – Over a million addresses for every person on the planet!
  – But not really, due to inefficiency of address allocations
• Administered by IANA to Regional Registries: ARIN, APNIC, RIPE, LACNIC
• The allocation process is under review by the Registries:
  – IANA allocates 2001::/16 to registries
  – Each registry gets a /23 prefix from IANA
  – Formerly, all ISPs were getting a /35
  – With the new policy, the Registry allocates a /32 prefix to an IPv6 ISP
  – Then the ISP allocates a /48 prefix to each customer (or potentially /64)

Figure: prefix structure using the example 2001:0410: Registry /23, ISP prefix /32, Site prefix /48, LAN prefix /64, followed by the Interface ID (64-bit interface identifier).

© 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

Slide 8: Hierarchical Addressing & Aggregation

– Larger address space enables (demands): aggregation of prefixes announced in the global routing table.
  • Helps improve routing speed.
  • Efficient and scalable routing.

Figure: IPv6 Internet (2001::/16); ISP 2001:0410::/32; Customer no 1 (2001:0410:0001::/48) and Customer no 2 (2001:0410:0002::/48). The ISP only announces the /32 prefix.

© 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

Slide 9: Site Multihoming

Figure: a corporation (Syzygy Engineering) connected to three ISPs, each of which only announces its /32 prefix to the IPv6 Internet (2001::/16):
• ISP-A 2001:A010::/32, assigning the corporation 2001:A010:0001::/48
• ISP-B 2001:B010::/32, assigning 2001:B010:0001::/48
• ISP-C 2001:C010::/32, assigning 2001:C010:0001::/48
ISP-C is not allowed to advertise ISP-A's routes.
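The allocation hierarchy of slide 7 (registry /23, ISP /32, site /48, LAN /64, 64-bit interface ID), the aggregation of slide 8 and the multihoming rule of slide 9 (an ISP announces only its own /32 and must not advertise another ISP's prefixes), worked through as an added Python example that is not part of the original presentation. The ALLOCATIONS and ANNOUNCEMENTS data are constructed samples mirroring the slides, and filter_announcements is a simplified stand-in for a BGP prefix filter, not any vendor's implementation.

```python
"""Added example (not from the slides): IPv6 prefix hierarchy, aggregation and
a defensive prefix filter for the multihoming case. Sample data is constructed."""
import itertools
import ipaddress


def split_address(addr):
    """Break an address into the allocation levels shown on slide 7."""
    a = ipaddress.IPv6Address(addr)
    levels = {"registry": 23, "isp": 32, "site": 48, "lan": 64}
    parts = {name: str(ipaddress.IPv6Network((int(a), bits), strict=False))
             for name, bits in levels.items()}
    parts["interface_id"] = int(a) & ((1 << 64) - 1)  # low 64 bits
    return parts


def customer_prefixes(isp_prefix, count):
    """Carve /48 site prefixes out of an ISP /32 (slide 8: customer 1, 2, ...).
    The ISP keeps announcing only the /32 aggregate; the /48s stay inside it."""
    subnets = ipaddress.IPv6Network(isp_prefix).subnets(new_prefix=48)
    # skip subnet 0 so the numbering matches the slide (…:0001::/48 is customer 1)
    return [str(n) for n in itertools.islice(subnets, 1, count + 1)]


def filter_announcements(allocations, announcements):
    """Prefix filter for the slide 9 rule: accept an announced prefix only if it
    lies inside the announcing ISP's own allocation; anything else is rejected.
    Returns (accepted, rejected) lists of (isp, prefix) tuples."""
    accepted, rejected = [], []
    for isp, prefix in announcements:
        own = ipaddress.IPv6Network(allocations[isp])
        net = ipaddress.IPv6Network(prefix)
        (accepted if net.subnet_of(own) else rejected).append((isp, prefix))
    return accepted, rejected


# Constructed sample data mirroring slides 8 and 9
ALLOCATIONS = {"ISP-A": "2001:a010::/32", "ISP-B": "2001:b010::/32",
               "ISP-C": "2001:c010::/32"}
ANNOUNCEMENTS = [
    ("ISP-A", "2001:a010::/32"),    # its own aggregate: accepted
    ("ISP-C", "2001:c010::/32"),    # its own aggregate: accepted
    ("ISP-C", "2001:a010:1::/48"),  # ISP-A's customer /48 via ISP-C: rejected
]

if __name__ == "__main__":
    print(split_address("2001:410:1:2::1"))
    print(customer_prefixes("2001:410::/32", 2))
    print(filter_announcements(ALLOCATIONS, ANNOUNCEMENTS))
```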

Slide 10: Policy Proposal 2005-1: Provider-independent IPv6 Assignments for End Sites

• 6.5.8. Direct assignments from ARIN to end-user organizations
  – 6.5.8.1. Criteria
    • To qualify for a direct assignment, an organization must: not be an IPv6 LIR; and
    • qualify for an IPv4 assignment or allocation from ARIN under the IPv4 policy currently in effect.
  – 6.5.8.2. Initial assignment size
    • Organizations that meet the direct assignment criteria are eligible to receive a direct assignment. The minimum size of the assignment is /48. Organizations requesting a larger assignment must provide documentation justifying the need for additional subnets.
    • These assignments shall be made from a distinctly identified prefix and shall be made with a reservation for growth of at least a /44.
  – 6.5.8.3. Subsequent assignment size
    • Additional assignments may be made when the need for additional subnets is justified. When possible, assignments will be made from an adjacent address block.

Slide 11: Restoring an End-to-End Architecture

End-to-End Connectivity Restores the “Promise” of Multimedia Collaboration

Figure: IPv4 Internet: NAT/PAT breaks peer-to-peer. IPv6 Internet: elimination of the NAT bottleneck restores end-to-end.

Peer-to-Peer applications need global addresses when you connect to:
• IP Telephony: Enterprise, Mobile and Residential
• IP Video Conferencing
• Enhanced Instant Messaging
• Distributed Gaming

© 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

Slide 12: Transition and Operations Costs

Figure: chart of the cost difference between IPv4 and IPv6 operations against the transition cost. Source: PC of Japan

Slide 13: IP Address Status in China

Total IPv4 addresses in China by year (data source: CNNIC, Dec. 2003):
1997: 3,746,304
1998: 5,409,280
1999: 7,555,584
2000: 13,269,504
2001: 21,534,208
2002: 29,002,240
2003: 41,456,128

Total IPv4 addresses: 41 million, against a Chinese population of 1,300 million.

“IPv6 is good for China and China is good for IPv6. China brings the scale needed for IPv6. IPv6 killer application will occur in China firstly.” - Latif Ladid, IPv6 Forum President

Slide 14: IPv6 Transition Plan

Unclassified, For Official Use Only
https://disronline.disa.mil/a/DISR/docs/secure/DoD-IPv6_Transition_Plan_v1_0_3-24-05_update1.pdf

Contents
• Overall Transition Strategy
• IPv6 Transition Governance
• Acquisition and Procurement of IPv6 Capabilities
• Networking and Infrastructure
• Addressing
• Information Assurance
• Pilots, Testing and Demonstrations
• Applications
• Standards
• Training

Slide 15: IPv6 Transition Plan

https://disronline.disa.mil/a/DISR/docs/secure/DoD_IPv6_Transition_Plan_v2_Final.pdf

Slide 16: Potential Showstoppers to Fully IP-based Tactical Operations Today

Further research in the following areas is required in order to enhance the IPv6 protocol suite to support Network Enabled Command:
– Embedding/encapsulation of legacy systems by means of interoperable gateways
– Potential of Anycast Addressing to foster SOA,
  • Service Discovery protocols such as IPSec Discovery need standardization;
– Global IP Security Architecture needs to encompass both deployable and highly dynamic domains supporting all kinds of host and network mobility,
  • Scalable Tactical PKI, e.g. CA and distributed Sub-CAs;
– Optimization of MANET routing mechanisms,
  • Need to find a compromise between low routing overhead of reactive routing and instant route availability of proactive routing,
  • True multicast routing in the mobile domain;
– QoS that considers the heterogeneous (e.g. in terms of bandwidth and latency) and dynamic availability of communication links,
– Work on standardized service interoperability profiles;
– IPv6 (multicast) enabled applications.

Slide 17: v4/v6 Co-Existence Strategy?

Source: Sinead O’Donovan, Product Unit Manager, Windows Networking, Microsoft

Slide 18: Key Technology Enablers

• Zero Configuration in rapidly deployed and mobile networks – DNS, DHCP and KEY Servers
• PKI, IKE and Key Management and Applications

Slide 19: Peer-to-Peer Networking

• Voice, Video and Data
• Issues:
  – Security (particularly in DoD and Corporate Networks)
  – Control
• End-to-End relative to Peer-to-Peer
  – End-to-End allows direct communication once the peer’s address is known
  – Typical IPv4 with NAT requires a Peer-to-Peer server and may require application software (IM, KaZaA, etc)

Figure: Typical IPv4 Peer-to-Peer Communications (client/server model): each host sits behind a firewall and router with NAT and reaches the other through a Peer-to-Peer Service (IM, KaZaA, etc) on the Internet. Peer-to-Peer Communication: each host sits behind a firewall and router with no NAT, and the Peer-to-Peer Server is not required.

Slide 20: New “IPv6 Capable” Definition

• A product must meet the IPv6 base requirements (defined in “DoD IPv6 Standard Profiles for IPv6 Capable Products”) and support requirements for one (or more) product categories.
  – e.g. Workstations, routers, switches, security devices, firewalls, etc...
• And support the IPv6 version of any IPv6 protocol functional categories required for its function within the DoD Global Information Grid (GIG)
• Official Site (may require Certificate or Common Access Card to obtain access): http://jitc.fhu.disa.mil/adv_ip/register/register.html
  – Otherwise try http://jitc.fhu.disa.mil/adv_ip/register/docs/disr_ipv6_product_profile_draft.pdf

Slide 21: What is Mobility?

• Transportable
  – Telecommuter
  – Traveler
  – Relatively static once connected
  – Single point of connection
  – Connectivity
    • IPv6 Autoconfiguration
    • VPN
• Mobile
  – Mobile Devices
    • PDAs
    • Cell Phones
  – Mobile Networks
    • Trains
    • Planes
    • Automobiles
  – Connectivity
    • Mobile-IP
    • Networks in Motion (NEMO)
    • Ad Hoc Networks

Slide 22: Mobile Networking Solutions

• Routing Protocols: Route Optimization; Convergence Time; Sharing Infrastructure – who owns the network?
• Mobile-IP: Route Optimization; Convergence Time; Sharing Infrastructure; Security – Relatively Easy to Secure
• Domain Name Servers: Route Optimization; Convergence Time; Reliability

Source – Will Ivancic

Slide 23: Mobility at What Layer?

• Layer-2 (Radio Link)
  – Fast and Efficient
  – Proven Technology within the same infrastructure
    • Cellular Technology Handoffs
    • WiFi handoffs
• Layer-3 (Network Layer)
  – Slower Handover between varying networks
  – Layer-3 IP address provides identity
  – Security Issues
    • Need to maintain address
• Layer-4 (Transport Layer)
  – Research Area
  – Identity not tied to layer-3 IP address
  – Proposed Solutions
    • HIP – Host Identity Protocol
    • SCTP – Stream Control Transport Protocol

Slide 24: Location Identifier

Figure: Alice (Mobile Node), Bob (Corresponding Node) and Headquarters (Location Manager) connected over the Internet; HQ keeps track of Alice. Messages shown:
• Alice to HQ: “I am in Cleveland, Ohio”
• Bob: “Where is Alice’s Location Manager?”
• Bob to Alice: “Hello Alice”
• Alice to Bob: “Hello Bob, I am in Cleveland, Ohio”
• Bob to Alice: “What is the Weather like in Cleveland?”

Slide 25: Securing Networks

• Constraints/Tools
  – Policy
    • Security Policy
    • Education
    • Enforcement
  – Architecture
  – Protocols
    • Must be done up front to be done well

Slide 26: Security

• Security vs. Bandwidth Utilization
• Security vs. Performance
• Tunnels, Tunnels, Tunnels and more Tunnels
• Performance vs. Security: the user turns OFF security to make the system usable!
• Thus, we need more bandwidth to ensure security.

Figure: overhead added by nested encapsulation of one packet: ORIGINAL PACKET (HEADER + PAYLOAD), plus a VIRTUAL PRIVATE NETWORK header, plus an ENCRYPTION AT THE NETWORK LAYER header, plus an ENCRYPTION ON THE RF LINK header.

Source – Will Ivancic

Slide 27: Realities of ROI and Security

• Network Security itself does not provide any type of ROI – it is about cost management
• Example – You buy a Picasso straight from the artist and a safe to store it in. The safe adds no value to the painting – it only helps prevent its loss (i.e. a cost to you)
• An organization that fails to adequately prepare a robust security solution faces potential loss from:
  – Lost productivity / Lost e-commerce revenue
  – Regulatory penalties
  – Tort litigation
  – Long-term business loss from lost customer confidence

Source – Yurie Rich, Command Information

Slide 28: IPsec

In non-static environments such as mobile and ad hoc networks, your address no longer identifies you!

Source – Merike Kaeo [email protected]

Slide 29: GIG - Black Core

Slide 30: GIG - Striped Core

Slide 31: Flow Label

• Used by host to request special handling for certain packets
• Unique flow is identified by source address and non-zero flow label
  – Expected use is per-flow end-to-end QoS
    • RSVP, Video, Gaming, VOIP
  – Without the flow label the classifier must use transport next header value and port numbers
    • Less efficient (need to parse the option headers)
    • May be impossible (due to fragmentation or IPsec ESP)
    • Layer violation may hinder introduction of new transport protocols
• IPv6 nodes not providing flow-specific treatment MUST ignore the field when receiving or forwarding a packet
• Immature Technology – Research Area

The Flow Label field is useless, unless it is actually used!

Slide 32: Flow Label Security Considerations

• The IPsec protocol, as defined in [IPSec, AH, ESP], does not include the IPv6 header's Flow Label in any of its cryptographic calculations
  – In the case of tunnel mode, it is the outer IPv6 header's Flow Label that is not included
• Modification of the Flow Label by a network node has no effect on IPsec end-to-end security
  – It cannot cause any IPsec integrity check to fail.
  – As a consequence, IPsec does not provide any defense against an adversary's modification of the Flow Label (i.e., a man-in-the-middle attack).
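The fixed IPv6 header of slide 5 and the security consideration of slide 32, as an added Python example that is not part of the original presentation: pack and parse the 40-byte header, then show that an integrity check which zeroes the mutable fields the way IPsec AH does (Traffic Class, Flow Label, Hop Limit) still verifies after a node rewrites the Flow Label, so the change goes undetected. ah_style_icv is a deliberately simplified model of AH (it omits the AH header itself), not an IPsec implementation, and the addresses and key are constructed sample values.

```python
"""Added example (not from the slides): IPv6 fixed header pack/parse and an
AH-style ICV that, like IPsec, leaves the Flow Label unprotected."""
import hashlib
import hmac
import ipaddress
import struct

HDR_FMT = "!IHBB16s16s"  # word0 | payload len | next header | hop limit | src | dst


def build_ipv6_header(src, dst, payload_len, next_header, hop_limit,
                      traffic_class=0, flow_label=0):
    """Version (4 bits), Traffic Class (8), Flow Label (20) share the first word."""
    word0 = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return struct.pack(HDR_FMT, word0, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(hdr):
    word0, plen, nh, hlim, src, dst = struct.unpack(HDR_FMT, hdr[:40])
    return {"version": word0 >> 28, "traffic_class": (word0 >> 20) & 0xFF,
            "flow_label": word0 & 0xFFFFF, "payload_length": plen,
            "next_header": nh, "hop_limit": hlim,
            "src": str(ipaddress.IPv6Address(src)),
            "dst": str(ipaddress.IPv6Address(dst))}


def set_flow_label(hdr, flow_label):
    """What an intermediate node (or a man-in-the-middle) does: rewrite only
    the 20-bit Flow Label and leave every other field untouched."""
    word0, = struct.unpack("!I", hdr[:4])
    return struct.pack("!I", (word0 & ~0xFFFFF) | (flow_label & 0xFFFFF)) + hdr[4:]


def ah_style_icv(key, hdr, payload):
    """Integrity check value modelled on IPsec AH: mutable fields (Traffic Class,
    Flow Label, Hop Limit) are zeroed before the MAC, so they are not protected.
    Simplified model: real AH also covers its own header fields."""
    word0, = struct.unpack("!I", hdr[:4])
    covered = (struct.pack("!I", word0 & 0xF0000000)  # keep only Version
               + hdr[4:7] + b"\x00" + hdr[8:40] + payload)
    return hmac.new(key, covered, hashlib.sha256).digest()


def flow_label_change_detected(key, hdr, payload, new_label):
    """True if the ICV fails after a Flow Label rewrite; with AH-style coverage
    this is always False, which is the point made on slide 32."""
    original = ah_style_icv(key, hdr, payload)
    return ah_style_icv(key, set_flow_label(hdr, new_label), payload) != original
```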