
Moderator: Welcome to part two of Conversations with Cisco, a WashingtonPost.com Viewpoints series. Today we have with us Dave West, Director of the Federal Center of Excellence at Cisco. Good afternoon, Dave. Thank you for being with us. We are hoping to learn from your experience as one of Cisco's experts in IPv6 who is assisting Federal agencies as the pressure mounts to meet the 2008 deadline set by OMB. Let's get started...

_______________________

Dallas, Tex.: Is there a white paper on the basics of IPv6?

Dave West, Cisco: You will find lots of whitepapers on IPv6 at http://www.cisco.com/en/US/tech/tk872/

_______________________

San Diego, Calif.: I need help understanding the implications of v6 on my network. Can Cisco help?

Dave West, Cisco: The transition from IPv4 to IPv6 will take a long time; you will need to have a solid transition plan in place before you begin. Cisco can work with you to develop a transition plan, beginning with an assessment of your current network. Cisco can also work with you on transition testing and implementation services.

_______________________

Raleigh, N.C.: I understand Cisco has an IPv6 Assessment tool. What does this tool do, and what is the deliverable I receive?

Dave West, Cisco: Cisco has developed an IPv6 Network Assessor Tool that can provide you with a detailed view of your current network's IPv6 capability. Using this agentless tool, your network staff can begin to fully understand the implications of the transition.

_______________________

Raleigh, N.C.: I heard the Network Assessor tool will be free?

Dave West, Cisco: The IPv6 Capability Assessment Service is delivered by Cisco Engineers, and there is a cost associated with this service.

_______________________

Washington, D.C.: The current IP security deployment is at the edge. Do you believe that IPv6 and new security technologies and products such as centrally managed Host Based Security Systems (HBSS) that include a firewall, IDS and IPS on the host will provide the architectural changes needed to deploy true end-to-end security?

Dave West, Cisco: The paradigm of defense in depth isn't going away. I think there should be a balance. You don't want to begin the battle with hand to hand combat, meaning the enemy is already inside your gates. You want to build on your defense in depth, where v6 host security provides another tool in the security tool box.

_______________________

Boston, Mass.: I recently read an article in MIT's Technology Review that said IPv6 will actually increase security problems because all the new hardware and software to be deployed will contain substantial numbers of new bugs that will have to be identified, tracked down and fixed. Is that right?

Dave West, Cisco: A move to anything new introduces potential threats. However, with careful planning and a well thought out introduction you minimize the threat potential. But the potential benefits of IPv6, as long as they are validated and tested, could evolve our approach to security and may provide significant benefit in our overall security posture in the long run. There is always risk, but you can minimize risk at the beginning and in time build services on applications and in the network that in fact enhance security through the use of the IPv6 protocol.

_______________________

Washington, D.C.: Since IPv6 has IPSEC built into the protocol, isn't it inherently more secure than IPv4?

Dave West, Cisco: IPv6 security has a few different facets: data plane security, host to host authentication/security and network infrastructure security. For data plane security, IPSEC can be used for authentication of routing updates and other control plane messages sent between routers. For host to host security, IPSEC can provide authentication and confidentiality of the data being sent, but keep in mind this will render deep packet inspection (IDS/IPS/Firewall) useless as the packet contents can be encrypted, which requires host based IDS (HIDS). While IPSEC adds some native security features, security requires an architectural approach as opposed to a point product or protocol.

_______________________

Washington, D.C.: Didn't Cisco do a whitepaper on IPv6 Security? I can't find it anymore...

Dave West, Cisco: Yes, see the "IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation" at http://www.cisco.com/web/about/security/security_services/

_______________________

San Diego, Calif.: Do Cisco partners have access to the IPv6 Assessment Tool?

Dave West, Cisco: There is a certification process the partners must go through prior to gaining access to the IPv6 Network Assessor tool.

_______________________

Washington, D.C.: Is the evaluation free?

Dave West, Cisco: The IPv6 Scorecard is a free deliverable and can be performed by your Cisco Account team.

_______________________

Arlington, VA: Are the PIX 525s v6 compliant, or do we need to move to the ASAs?

Dave West, Cisco: Yes, the 525s are v6 compliant. At the same time, the ASA is the evolution from the 525, so migration to the ASA should be considered anyway.

_______________________

Arlington, VA: What is Cisco's strategy from a gateway transition device perspective so as to avoid the cost of dual stack administration?

Dave West, Cisco: In general, it is possible (although not recommended) to do NAT-PT to permit a v4 device to talk to a v6 device. However, the end goal is a v6 network, which implies that dual stack is used as an effective transition mechanism.

_______________________

San Francisco, Calif.: Who can I contact to get the IPv6 Assessment done for my network?

Dave West, Cisco: You can send an email to ipv6_assessment_and_migration@cisco.com or contact your Cisco Account team.

_______________________

Seattle, Wash.: What impact do new IPv6 features such as neighbor discovery, stateless auto-configuration and other new routing features have on the security of an IPv6 transport core?

Dave West, Cisco: Neighbor discovery and stateless auto config are methods to get addresses assigned to an end host. They replaced or augmented some of the IPv4 protocols that also had security challenges. So we've replaced some of the challenges that exist in IPv4 with challenges in IPv6. There are some initiatives under way to mitigate those threats. Features such as Secure Neighbor Discovery and DHCPv6 will be tools that are used in your overall security architecture.

_______________________

Washington, D.C.: What are the chances that privacy extensions will be implemented?

Dave West, Cisco: The use of privacy extensions is likely to be a local policy issue. There are both good and bad things that should be examined prior to implementation.

_______________________

Washington, D.C.: If ICMP is still viewed as a dangerous protocol, what are the ramifications of blocking it just like in IPv4 networks today?

Dave West, Cisco: ICMP plays a very important role in an IPv6 network. ICMP is used for Duplicate Address Detection and for multicast. Without the proper ICMP packets, many dynamic features that are built into IPv6 are crippled.

_______________________

Washington, D.C.: How can improper IPv6 headers exist in packets?

Dave West, Cisco: The use of IPv6 headers is dependent upon the host IPv6 stack. It is possible that certain conditions are not checked. Also, headers can be manipulated and/or inserted during flight.

_______________________

Atlanta, GA: Can the routing header be blocked to avoid security concerns?

Dave West, Cisco: The use of the routing header can be detected and blocked, but first ensure that your network does not need the functionality that it provides.

_______________________

Moderator: It looks like we are just about out of time here. Dave, thank you for your time and for answering our questions.


