There have been many drivers cited for IPv6 deployment around the world, from political agendas to address shortages to enabling future applications. The expanded IPv6 address pool solves the immediate problem of how to support the vast and rapidly growing population of new Internet users, while National Research Networks, national net-centric defense departments, and transportation telematics are all looking at future potential. The open question is how those issues and efforts affect the environment that a federal network manager faces today. At the end of the day, the business case for IPv6 deployment has to be built on meeting local agency needs.
Building that case requires thinking beyond today to: WHAT IF...
- someone repackages a NetCentric defense technology to improve civilian business productivity?
- mobility becomes the normal mode of network interaction?
- the network-connected PDA/phone/portable media player is used to deliver a daily agency update news-clip, serve as VoD training platform, or hold virtual team meetings?
- the entire agency inventory of appliances and vehicles is online for logistics management, including asset awareness, power reduction and location when applicable, and maintenance scheduling?
- emergency responders have access to a wide array of sensors around an incident scene to assess and control video, weather, traffic, and utility flows, and that data is also fed to control centers that can analyze the situation and adjust the response staging for the impacted area, saving time and lives?
- escalating fuel prices drive a Federal-wide telework policy resulting in the immediate demand for a remote IP subnet for each employee?
washingtonpost.com: Welcome to part two of Conversations with Cisco, a WashingtonPost.com Viewpoints series.
Today we have with us Dave West, Director of the Federal Center of Excellence at Cisco. Good afternoon, Dave. Thank you for being with us. We are hoping to learn from your experience as one of Cisco's experts in IPv6 who is assisting Federal agencies as the pressure mounts to meet the 2008 deadline set by OMB.
Let's get started...
Dallas, Tex.: Is there a white paper on the basics of IPv6?
Dave West, Cisco: You will find lots of white papers on IPv6 at http://www.cisco.com/en/US/tech/tk872/tsd_technology_support_protocol_home.html
There's also a lot of information at www.cisco.com/go/fedipv6
San Diego, Calif.: I need help understanding the implications of v6 on my network. Can Cisco help?
Dave West, Cisco: The transition from IPv4 to IPv6 will take a long time, and you will need to have a solid transition plan in place before you begin. Cisco can work with you to develop a transition plan, beginning with an assessment of your current network. Cisco can also work with you on transition testing and implementation services.
Raleigh, N.C.: I understand Cisco has an IPv6 Assessment tool, what does this tool do and what is the deliverable I receive?
Dave West, Cisco: Cisco has developed an IPv6 Network Assessor Tool that can provide you with a detailed view of your current network's IPv6 capability. Using this agentless tool, your network staff can begin to fully understand the implications of the transition.
Raleigh, N.C.: I heard the Network Assessor tool will be free?
Dave West, Cisco: The IPv6 Capability Assessment Service is delivered by Cisco engineers, and there is a cost associated with this service.
Washington, D.C.: The current IP security deployment is at the edge. Do you believe that IPv6 and new security technologies and products such as centrally managed Host Based Security Systems (HBSS) that include a firewall, IDS and IPS on the host will provide the architectural changes needed to deploy true end-to-end security?
Dave West, Cisco: The paradigm of defense in depth isn't going away. I think there should be a balance. You don't want to begin the battle with hand-to-hand combat, meaning the enemy is already inside your gates. You want to build on your defense in depth, where v6 host security provides another tool in the security toolbox.
Boston, Mass.: I recently read an article in MIT's Technology Review that said IPv6 will actually increase security problems because all the new hardware and software to be deployed will contain substantial numbers of new bugs that will have to be identified, tracked down and fixed. Is that right?
Dave West, Cisco: A move to anything new introduces potential threats. However, with careful planning and a well-thought-out introduction you minimize the threat potential. But the potential benefits of IPv6, as long as they are validated and tested, could evolve our approach to security and may provide significant benefit to our overall security posture in the long run. There is always risk, but you can minimize risk at the beginning and, in time, build services on applications and in the network that in fact enhance security through the use of the IPv6 protocol.
Washington, D.C.: Since IPv6 has IPSEC built into the protocol, isn't it inherently more secure than IPv4?
Dave West, Cisco: IPv6 security has a few different facets: data plane security, host-to-host authentication/security, and network infrastructure security. For data plane security, IPSEC can be used for authentication of routing updates and other control plane messages sent between routers. For host-to-host security, IPSEC can provide authentication and confidentiality of the data being sent, but keep in mind that this will render deep packet inspection (IDS/IPS/firewall) useless, as the packet contents can be encrypted, which requires host-based IDS (HIDS). While IPSEC adds some native security features, security requires an architectural approach as opposed to a point product or protocol.
Washington, D.C.: Didn't Cisco do a white paper on IPv6 security? I can't find it anymore...
Dave West, Cisco: Yes, see the IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation: http://www.cisco.com/web/about/security/security_services/ciag/documents/v6-v4-threats.pdf
San Diego, Calif.: Do Cisco partners have access to the IPv6 Assessment Tool?
Dave West, Cisco: There is a certification process the partners must go through prior to gaining access to the IPv6 Network Assessor tool.
Washington, D.C.: Is the evaluation free?
Dave West, Cisco: The IPv6 Scorecard is a free deliverable and can be performed by your Cisco account team.
Arlington, VA: Are the PIX 525s v6 compliant, or do we need to move to the ASAs?
Dave West, Cisco: Yes, the 525s are v6 compliant. At the same time, the ASA is the evolution of the 525, so migration to the ASA should be considered anyway.
Arlington, VA: What is Cisco's strategy from a gateway transition device perspective so as to avoid the cost of dual stack administration?
Dave West, Cisco: In general, it is possible (although not recommended) to do NAT-PT to permit a v4 device to talk to a v6 device. However, the end goal is a v6 network, which implies that dual stack is used as the effective transition mechanism.
San Francisco, Calif.: Who can I contact to get the IPv6 Assessment done for my network?
Dave West, Cisco: You can send an email to firstname.lastname@example.org or contact your Cisco account team.
Seattle, Wash.: What impact do new IPv6 features such as neighbor discovery, stateless auto-configuration and other new routing features have on the security of an IPv6 transport core?
Dave West, Cisco: Neighbor discovery and stateless auto-configuration are methods to get addresses assigned to an end host. They replaced or augmented some of the IPv4 protocols that also had security challenges. So we've replaced some of the challenges that exist in IPv4 with challenges in IPv6. There are some initiatives under way to mitigate those threats. Features such as Secure Neighbor Discovery and DHCPv6 will be tools that are used in your overall security architecture.
Washington, D.C.: What are the chances that privacy extensions will be implemented?
Dave West, Cisco: The use of privacy extensions is likely to be a local policy issue. There are both good and bad things that should be examined prior to implementation.
Washington, D.C.: If ICMP is still viewed as a dangerous protocol, what are the ramifications of blocking it just like in IPv4 networks today?
Dave West, Cisco: ICMP plays a very important role in an IPv6 network. ICMP is used for Duplicate Address Detection and for multicast. Without the proper ICMP packets, many dynamic features that are built into IPv6 are crippled.
Washington, D.C.: How can improper IPv6 headers exist in packets?
Dave West, Cisco: The use of IPv6 headers is dependent upon the host IPv6 stack. It is possible that certain conditions are not checked. Also, headers can be manipulated and/or inserted in flight.
Atlanta, GA: Can the routing header be blocked to avoid security concerns?
Dave West, Cisco: The use of the routing header can be detected and blocked, but first ensure that your network does not need the functionality that it provides.
washingtonpost.com: It looks like we are just about out of time here. Dave, thank you for your time and for answering our questions.
Dave West, Cisco: Thanks, it was great to be here. For more information on the topics we discussed and others, our audience members can visit www.cisco.com/go/fedipv6. We've posted a wealth of resources and tools there that should be of help.