Security Warning: IPv6 Covert Channels

August 19th, 2008

David Green

We have recently observed a version of a possibly legitimate application, uTorrent, opening IPv6 attack vectors on Microsoft hosts by automatically enabling IPv6, activating IPv6 tunneling (Teredo in this case), and disabling host security controls that Microsoft wisely patched in to prevent unsolicited incoming tunnel traffic. Though IPv6 tunneling is a great way to enable peer-to-peer (P2P) and machine-to-machine (M2M) applications that need bi-directional end-to-end (E2E) connections, doing it without proper security controls presents a serious security risk. This application, with a bit of good security engineering, could leverage IPv6 tunneling in a less risky manner to provide assured E2E connections the way Apple does in its “Back to My Mac” application. Since IPv6-capable systems are installed in almost every computer network worldwide, and IPv6 knowledge is becoming more widespread, there has been a recent increase in malicious (or just bad) code that enables IPv6 on a compromised host, creating a potentially undetected channel for an attacker to exploit. Hacker community sites are already offering tools such as relay6, 6tunnel, nt6tunnel, netcat6, VoodooNet, etc. that can be used to create IPv6 covert channels.

The most important risk mitigation step is educating security professionals about the threats and defenses against IPv6-based attacks. After education, Command Information recommends the following steps:

• Place IPv6-capable guards (firewall, network access control) into critical networks
• Turn on native (dual stack) IPv6 and turn off IPv6 tunneling through configuration management
• Audit (DIACAP, FISMA) network infrastructure and computers for IPv6 security compliance
• Tune an IDS and covert channel detection tools for emerging IPv6 threats (Cloudshield DPI, Snort 3.0, etc.)
• Change all IA tool acquisition policies to address acquiring IPv6-capable IA tools
• ‘Blackhole’ traffic going to tunnel endpoints, and poison DNS queries for tunnel services, in order to prevent unauthorized tunnels from connecting
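Two of the steps above, tuning an IDS for tunnels and covert channels and blackholing tunnel endpoints, depend on being able to recognise transition-mechanism traffic in the first place. The following Python is an added example written for this page; it is not code from the original post or from Command Information. It flags flow records that carry the standard Teredo (UDP/3544), protocol-41 and 6to4 relay anycast indicators, and decodes the IPv4 endpoints embedded in Teredo, 6to4 and ISATAP addresses so an analyst can see which tunnel server and client a suspicious IPv6 address maps to. The flow records are constructed, and the record fields (src, dst, proto, sport, dport) are an assumed layout.

```python
import ipaddress

# IPv6 transition-mechanism indicators (standard protocol values, not specific to the post):
TEREDO_UDP_PORT = 3544                                       # Teredo server/relay port (RFC 4380)
PROTO_IPV6_ENCAP = 41                                        # IPv6-in-IPv4: 6to4, ISATAP, 6in4
SIXTO4_RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")   # 6to4 relay anycast (RFC 3068)
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")

# Constructed flow records (assumed field layout); not real traffic from the post.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": 17, "sport": 53427, "dport": 3544},
    {"src": "192.0.2.11", "dst": "192.88.99.1",  "proto": 41, "sport": 0,     "dport": 0},
    {"src": "192.0.2.12", "dst": "203.0.113.7",  "proto": 6,  "sport": 51000, "dport": 443},
]


def tunnel_indicators(flow):
    """Return the list of transition-tunnel indicators matched by one IPv4 flow record."""
    reasons = []
    if flow["proto"] == PROTO_IPV6_ENCAP:
        reasons.append("proto-41 IPv6-in-IPv4 encapsulation (6to4/ISATAP/6in4)")
    if flow["proto"] == 17 and TEREDO_UDP_PORT in (flow["sport"], flow["dport"]):
        reasons.append("UDP/3544 Teredo")
    endpoints = (ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"]))
    if SIXTO4_RELAY_ANYCAST in endpoints:
        reasons.append("6to4 relay anycast 192.88.99.1")
    return reasons


def flag_tunnel_flows(flows):
    """Return (flow, reasons) for every flow that shows at least one tunnel indicator."""
    flagged = []
    for flow in flows:
        reasons = tunnel_indicators(flow)
        if reasons:
            flagged.append((flow, reasons))
    return flagged


def embedded_ipv4(addr):
    """Recover the IPv4 endpoints hidden inside a Teredo, 6to4 or ISATAP IPv6 address.

    Returns a dict describing the mechanism, or None for an address that embeds nothing.
    """
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a in TEREDO_PREFIX:
        # RFC 4380 layout: 2001:0000 | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF
        server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)
        flags = (n >> 48) & 0xFFFF
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {"mechanism": "teredo", "server": str(server), "client": str(client),
                "client_port": port, "cone_flag": bool(flags & 0x8000)}
    if a in SIXTO4_PREFIX:
        # RFC 3056 layout: 2002 | IPv4 of the 6to4 router (32 bits) | subnet | interface ID
        router = ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
        return {"mechanism": "6to4", "router": str(router)}
    iid = n & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:
        # RFC 5214 ISATAP interface ID: 0000:5efe (or 0200:5efe with the u/l bit set) | IPv4
        return {"mechanism": "isatap", "host": str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))}
    return None


if __name__ == "__main__":
    for flow, reasons in flag_tunnel_flows(SAMPLE_FLOWS):
        print(flow["src"], "->", flow["dst"], ":", "; ".join(reasons))
    for sample in ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2002:c000:204::1", "fe80::5efe:c000:209"):
        print(sample, embedded_ipv4(sample))
```

Feed it NetFlow or firewall exports in the same field layout to get a triage list; protocol 41 is also used by legitimate 6in4 tunnels to a tunnel broker, so a hit is a lead to check against the approved-tunnel inventory, not a verdict on its own. The decoded Teredo server and 6to4 router addresses are exactly the tunnel endpoints that the ‘blackhole’ step above would sink.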

China, IPv6, and the 2008 Olympics

August 14th, 2008

Beijing Olympics

You may have heard about China showcasing their IPv6 network at the 2008 Beijing Olympics with streaming video, network surveillance cameras, and other IPv6-based applications. So you understand what’s going on, here are a few key points on the Olympics and IPv6:

  • In 2003, before the US government launched IPv6 as an “unfunded mandate”, the National Development and Reform Commission (NDRC) launched China’s IPv6 program by setting up the China Next-Generation Internet (CNGI) program with initial funding of 1.4 billion yuan (US$169 million) to support development of IPv6 next-generation Internet networks.
  • The goal of the China Next-Generation Internet (CNGI) program launched in 2003 was to “establish the world’s biggest IPv6 network as soon as possible.”
  • CNGI is sponsored and supported by, and connects, eight major Chinese ministries and agencies: NDRC (National Development and Reform Commission), MOST (Ministry of Science and Technology), MII (Ministry of Information Industry), SCIO (State Council Informatization Office), MOE (Ministry of Education), CAS (Chinese Academy of Sciences), CAE (Chinese Academy of Engineering) and NNSFC (National Natural Science Foundation of China).
  • China Mobile Communications Corporation (China Mobile), China Netcom Corporation (China Netcom), China Telecommunications Corporation (China Telecom) and China United Telecommunications Co., Ltd. (China Unicom) finished the CNGI IPv6 backbone in 2006, covering 39 network nodes in 20 cities nationwide.
  • China Education and Research Network 2 (CERNET2), similar to the US Internet2, is the first major research network built from the ground up with native Internet Protocol Version 6 (IPv6) technology. CERNET2 connects more than 200 universities and government institutions.
  • In CERNET2 and CNGI, half of the key equipment, including routers, was provided by Chinese telecom equipment makers Huawei Technologies and Tsinghua Bit-Way.
  • CNGI’s backbone, wireless hotspots, and mobile wireless IPv6 networks will be put into use and showcased heavily during the 2008 Olympic Games.
  • China, the biggest country by population in the world, is an active advocate of IPv6, to meet the demand of its fast-growing online economy. China has almost 10 /8 IPv4 blocks assigned already to support almost 160 million Internet connections. That’s about 1/8th of the assignments in the US.
  • China wants to leverage IPv6 Internet technology to turn itself into an innovator in the information technology market.

Here’s my analysis of some key applications you can see deployed:

BII Diagram of Olympic Surveillance System and Automation

  • IPv6 Surveillance Cameras: IPv6 network cameras attach to a network just like a computer. IPv6 autoconfiguration automatically sets up the IP address and routing, and in some cameras Zero-Configuration (Zeroconf) software automates the camera setup and discovery of video streams so they can be viewed by a web browser or surveillance software. IPv6-based cameras are much easier to install than the older analog CCTV cameras, and can require less administration and fewer network services than the first generation of IPv4-based cameras. The cameras are all connected using standard Ethernet cable or wireless LAN connections. IPv6-based multicasting via MPEG transmission over Real Time Protocol (RTP) allows multiple users to simultaneously view and share the camera output over the global Internet, while IPsec encryption ensures that only authorized viewers can access the cameras. From this diagram of the surveillance system it looks like the system isn’t using all native IPv6 surveillance cameras (like those made by Axis, Panasonic, or Augusta Systems); instead it looks like some are older analog CCTV cameras behind an IPv6-capable video server/gateway. Are they using any of the advanced multicasting or Zeroconf capabilities? I’ve asked Liu Dong of BII (one of the integrators for the Olympics) and am waiting to hear back. For specific information on the Olympic surveillance system see: http://www.biigroup.com/visual.asp
  • IPTV: IPv6 multicast is a powerful new tool for global IPTV broadcast. Each network or site can broadcast up to 4.3 billion content streams globally. Unlike older unicast technology, which required huge server farms and high-capacity network connections to send video streams, multicasting allows even simple computers like laptops and network-capable cameras to stream to millions of viewers. As IPv4 addresses are exhausted and the migration to IPv6 is forced, IPTV systems that are both IPv4- and IPv6-capable (dual-stacked) will be the only systems capable of reaching the entire global audience. Are they using this advanced IPv6 multicasting capability in the Olympics for streaming video, or just IPv6 unicast IPTV? The IPTV video on demand at http://ipv6.beijing2008.cn/en/video/ is being served from an IPv4-only video file server. I’ve asked Liu Dong of BII if they are using IPv6 IPTV anywhere else and am waiting to hear…
  • Automated Lights, Sensors, Controllers: Certain lights and systems at the Olympic park have been automated with an Echelon LonWorks network of controllers. Though LonWorks itself is not IPv6-capable, it appears that an application gateway / web server has been hooked to the LonWorks controller to create IPv6 web services interfaces to the controller system. If this is the case, the gateway proxies web-services commands sent via IPv6 into the LonWorks networking protocol and commands. A LonWorks-IPv6 gateway allows the automation system to be used as web service SOA-like components for building other applications and control dashboards. For specific information on the automation system deployed at the Olympics see: http://www.biigroup.com/intelligent.asp Thanks to Hiroshi Esaki of the IPv6 Forum in Japan for filling me in on the details of this system.
  • IPv6 Website: The official Olympic website at http://en.beijing2008.cn/ is not IPv6-capable or dual-stacked (it has no AAAA IPv6 DNS record associated with it), but a secondary site is set up just for IPv6: http://ipv6.beijing2008.cn/en/. I’m not sure why they didn’t dual-stack the main site as well. The IPTV video on demand on the IPv6 website is served by an IPv4 server at files.beijing2008.cn (this video server address has no IPv6 DNS record, so you can’t reach it via IPv6).
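The AAAA-record checks made in the last bullet (whether a site is dual-stacked, IPv4-only, or reachable only over IPv6) can be automated. The following Python is an added example written for this page, not code from the original post: it classifies a hostname by asking the resolver separately for A and AAAA answers through socket.getaddrinfo. The fake resolver, the .example hostnames and their records are constructed so the block runs offline; leave the resolver argument at its default (the real socket.getaddrinfo) to query live DNS.

```python
import socket

# Constructed DNS data for an offline demonstration; these names and records are not real.
FAKE_RECORDS = {
    "dual.example":   {socket.AF_INET: ["192.0.2.1"], socket.AF_INET6: ["2001:db8::1"]},
    "v4only.example": {socket.AF_INET: ["192.0.2.2"], socket.AF_INET6: []},
    "v6only.example": {socket.AF_INET: [],            socket.AF_INET6: ["2001:db8::3"]},
}


def fake_getaddrinfo(host, port, family=0, socktype=0, proto=0, flags=0):
    """Stand-in for socket.getaddrinfo answering from FAKE_RECORDS (same signature, same error)."""
    addrs = FAKE_RECORDS.get(host, {}).get(family, [])
    if not addrs:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return [(family, socktype, proto, "", (a, port or 0)) for a in addrs]


def _lookup(host, family, resolver):
    """Distinct addresses of one family for host, or [] when the resolver has none."""
    try:
        return sorted({entry[4][0] for entry in resolver(host, None, family, socket.SOCK_STREAM)})
    except socket.gaierror:
        return []   # no record of that family, or the name does not resolve at all


def dual_stack_status(host, resolver=socket.getaddrinfo):
    """Classify host as dual-stack, ipv4-only, ipv6-only or unresolved.

    resolver defaults to the real socket.getaddrinfo; pass fake_getaddrinfo to run offline.
    """
    v4 = _lookup(host, socket.AF_INET, resolver)
    v6 = _lookup(host, socket.AF_INET6, resolver)
    if v4 and v6:
        status = "dual-stack"
    elif v4:
        status = "ipv4-only"
    elif v6:
        status = "ipv6-only"
    else:
        status = "unresolved"
    return {"host": host, "status": status, "a": v4, "aaaa": v6}


if __name__ == "__main__":
    for name in ("dual.example", "v4only.example", "v6only.example", "nope.example"):
        r = dual_stack_status(name, fake_getaddrinfo)
        print(f"{r['host']:16} {r['status']:10} A={r['a']} AAAA={r['aaaa']}")
```

Caveat for live use: getaddrinfo reflects the local resolver configuration (hosts file, search domains, and any DNS64 synthesis on a NAT64 network), so an AAAA answer seen from such a network may be synthetic; confirm against the authoritative name servers when the distinction matters, as it does when judging whether a site is really dual-stacked.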

Overall, this is a phenomenal effort to integrate IP networking into so many systems and showcase it in a significant global venue. I hope this is the beginning of a trend to fully converge more of these systems on the next-generation IPv6-based Internet!

Frequently Asked IPv6 Questions

June 30th, 2008

Wayne Homren

When I first began hearing about IPv6, a number of questions popped into my mind. Not surprisingly, they are the same questions most people have. Being here at Command Information, I’m lucky to have ready access to some of the top experts in the field. So I pulled together a list of some of the most frequently asked IPv6 questions and asked around. Here’s a summary of what I learned:

QUESTION: When will the IPv4 address crunch start to hurt?  1 year?  Five years?    

According to one well-regarded model, the expected exhaustion of the IPv4 space, based on current use, is 19-Nov-2011 – just three and a half years away. But long before that event occurs there will be certain websites that will only be reachable with IPv6.   To track IPv4 address exhaustion, see this website: http://www.potaroo.net/tools/ipv4/index.html

For more detail, see David Green’s blog posts: IPv6 is a Business Continuity Issue and The Analysis Behind “IPv6 Is a Business Continuity Issue”

For fun, watch IPv6 tech geeks sing about The Day The Routers Died…

QUESTION:  What mobile phone models are IPv6 capable today?  


“IPv6 D-Day”

June 30th, 2008

It has been a busy week or so!

A full week ago, DNS turned 25! Conveniently, later in the week, ICANN’s board approved opening up the DNS space to arbitrary TLDs (adding to the traditional .com .net .edu .info … etc.). Luckily, there is a fairly high bar for entry, to limit the ability of phishers to abuse this new space - although this also raises questions about where all that money will be going …

Also last week, Cisco Live was happening in Orlando - and had a record number of IPv6-related sessions! These sessions included talks on security, routing protocols, real world deployment experiences … and, of course, Cisco’s answers to most of the mentioned concerns :). (I was there, and saw a couple of familiar faces (former students, clients and coworkers) as well as meeting some great people from Cisco with whom I had exchanged emails in the past but had not yet met.) (Oh, and seeing the Barenaked Ladies (natch, the band), the Blue Man Group and Ben Stein was a great bonus!)

Back to that IPv6 D-Day thing … so, today is June 30th, 2008. And with little fanfare, the OMB522 deadline has arrived. Did this change the world?

Of course not - but it *is* a step in the right direction, representing the US government making something of a dedicated effort (with varying levels of real world applicability) in having their ginormous IT infrastructure being future-ready. That is a Good Thing!!

In fact, more and more people agree it is an absolutely critical thing - factoring in stats from The IPv4 Address Report:

Projected IANA Unallocated Address Pool Exhaustion: 05-Jan-2011
Projected RIR Unallocated Address Pool Exhaustion: 18-Nov-2011

(See previous comments on the meanings of these numbers, no need to re-hash that here :)!)

SO - with OMB522 (cough) completed, what’s next?
Fantastic question … the short answer is (sadly?) nothing.
The longer answer is that it is up to the representatives appointed to the OMB by the next administration.

While IPv6 admittedly doesn’t have the same political pull as war, terrorism, economics, “global warming”, social security, tax reform, the future of (medicare | entitlement spending | the decline of the US Dollar | campaign finance reform | energy independence | national broadband deployment) it would be nice to have some hints from either candidate on their opinions on the further advancement of IPv6 (not just in being able to route packets, but to actually use it … and then the real benefit - when services that take advantage of something IPv6 offers become available / in use).

Just a few thoughts from someone who is mid-vacation.
/TJ

PS - More here, from our CEO

A Good Book on IPv6 ROI

June 11th, 2008

Fred Wettling, Patrick Grossetete and Ciprian Popoviciu’s book, “Global IPv6 Strategies”, is dead-on on the business case studies, adoption strategies, and network evolution planning. Every CIO and Sr. Network Engineer should read this book to realize that the next-generation network future is here now and should be leveraged as a business differentiator. In 2010-2012, every global enterprise and government will have a choice - be in denial or leverage the IPv6 change. The authors’ analysis in late 2007 (pages 346-351) of our Command Labs R&D facility as an innovation driver explains our sudden uptake in business in mid 2008 as industry and government begin to embrace the IPv6 evolution. The Internet must evolve to become easier to manage, support machine to machine (M2M) services, mobile services, and scale to global & beyond scope. I’m encouraged to see that Patrick, Ciprian, and Fred were able to forecast the requirements for global Internet scaling and put together a serious business analysis of how to architect the future of the Internet for the next 100 years. For every business that relies on e-commerce or networked business systems, is expanding into new global markets, or has customer-facing Internet sites, the IPv6 transition is a business continuity and competitive advantage issue it must address. If you’re a CIO, manage a company that relies on e-commerce, or are an IT leader, you should read this book and digest the advice - the Internet is evolving - will your enterprise lead or follow?

Some thoughts on the address space …

June 9th, 2008

Thoughts on “The IPv4 Address Report”

Projected IANA Unallocated Address Pool Exhaustion: 22-Jan-2011
Projected RIR Unallocated Address Pool Exhaustion: 06-Dec-2011

There is lots of debate over the above projections, and a fair number of caveats as well. Let’s talk briefly about a couple of them …

1) Even assuming those projections hold true, does the Internet STOP in 01/11 … or 12/11? Of course not. What stops is the ability for (respectively) Registries and ISPs to get additional IPv4 allocations. The addresses already deployed continue working, but now in an environment being stifled by this architectural detail.

2) These are, of course, statistical projections … and predicting the future is always a bit of (cough) an art, yes? Things like a “trading market” for IPv4 addresses may emerge (hopefully not!), IPv6 deployment may actually help stave off IPv4 depletion, etc. In short, the model fails (as it must!) to account for “human nature”, and our never-ending ability to make statistical models fail :).

(For more about the numbers, the model, the caveats - go to the site!)

So … How would IPv6 help?

IPv6 offers - at the very least - a solution to the address space problem. If you are familiar with CI’s “Anatomy of an IPv6 Address” write-up (or similar sources) you already understand this. In short, having 128 bits vs 32 bits makes a world of difference.
(I like to point out that it is a little more accurate to think of the IPv6 address space as 64 bits of network stuff (“prefix”) and 64 bits of host stuff (“Interface ID”) … 64 bits of network stuff still leaves us with something in the neighborhood of 80 Billion Billion (US Billions being used here) networks!)

This provides ample address space for current needs, as well as scaling for decades to come … but more to the point, these *globally routable* addresses being readily available will enable and encourage new styles of computing … the “network of peers” effect (or Network Centric Operations, if you prefer) are the next generation in many computing models (information sharing & collaboration, gaming, building/home automation, etc. etc. etc.).

While “My address space is bigger than yours” doesn’t quite have the *zing* of some of the other purported (and oft misrepresented) benefits of IPv6, it may actually be the “killer feature” that (finally) encourages widespread deployment.

Comments, questions, concerns, complaints … fire away!
/TJ

PS - Want a great resource for answering “Why would I deploy IPv6?” Well, you can always just ask us - but you could also pick up this fantastic resource from our friends @ Cisco / Bechtel / Cisco Press … “Global IPv6 Strategies”

Who’s Hacking IPv6?

April 17th, 2008

David Green

Who is trying to hack our IPv6 network today? Our chief IPv6 security engineer has noted several attacks lately, but none seem to be originating from inside the US. In the last week there has been reconnaissance and probing coming from a block of addresses assigned within China, and repeated login attempts on our web servers coming from addresses assigned in the EU. The attacks we have seen in the last few days have been fairly unsophisticated, but how do we catch the sophisticated hackers and cyber-warfare professionals who know how to recon and attack “low and slow” or exploit IPv6 connection features, especially when most IA infrastructure is only designed for IPv4? We “low tune” an Intrusion Detection System (IDS) for IPv6-specific covert channels, attacks, tunneling, and network scanning techniques, then we scan over long periods of time to find the “slow attacks.” Yes, naysayers, many of today’s IDS products actually can detect IPv6 - with the right software upgrade and/or a library of IPv6 attack signatures. Tools for IPv6 IA are here today - and with the proliferation of IPv6 technology in IT infrastructure today, everyone who wants secure networks had better get IPv6 network IA practices in place - soon!
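The “low tune, then watch over a long window” approach described above can be expressed as a small analytic. The following Python is an added example written for this page, not the IDS configuration Command Information uses: it reads firewall deny events, groups them by source /64 rather than by individual address (a scanner can use a fresh interface ID for every probe, so per-address counters never add up), and labels a prefix as a fast scan or a slow scan depending on how many distinct targets it touched and over how long. The log format, the addresses (documentation prefixes) and the thresholds are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed firewall deny lines; documentation prefixes only, not real traffic from the post.
SAMPLE_LOG = """\
2008-04-10T02:14:07Z DENY src=2001:db8:feed:1::a1 dst=2001:db8:1::10 dport=22
2008-04-10T11:40:22Z DENY src=2001:db8:feed:1::b7 dst=2001:db8:1::11 dport=22
2008-04-11T03:02:51Z DENY src=2001:db8:feed:1:1234:5678:9abc:def0 dst=2001:db8:1::12 dport=80
2008-04-11T19:27:13Z DENY src=2001:db8:feed:1::c3 dst=2001:db8:1::13 dport=443
2008-04-12T06:55:38Z DENY src=2001:db8:feed:1::d9 dst=2001:db8:1::14 dport=3389
2008-04-12T22:10:04Z DENY src=2001:db8:feed:1::e2 dst=2001:db8:1::15 dport=8080
2008-04-12T22:10:05Z DENY src=2001:db8:cafe:9::1 dst=2001:db8:1::10 dport=22
2008-04-12T22:10:06Z DENY src=2001:db8:cafe:9::1 dst=2001:db8:1::10 dport=23
2008-04-12T22:10:07Z DENY src=2001:db8:cafe:9::1 dst=2001:db8:1::10 dport=25
2008-04-12T22:10:08Z DENY src=2001:db8:cafe:9::1 dst=2001:db8:1::10 dport=80
2008-04-12T22:10:09Z DENY src=2001:db8:cafe:9::1 dst=2001:db8:1::10 dport=443
2008-04-12T22:10:10Z DENY src=2001:db8:cafe:9::1 dst=2001:db8:1::10 dport=3389
2008-04-12T09:00:00Z DENY src=2001:db8:abcd:2::5 dst=2001:db8:1::10 dport=22
"""

LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_line(line):
    """Parse one deny line into a dict, or return None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m.group(2), "dst": m.group(3), "dport": int(m.group(4))}


def aggregate_by_prefix(lines, prefix_len=64):
    """Fold deny events into per-source-prefix statistics.

    Grouping by /64 (the usual end-site subnet) instead of by address is the IPv6-specific
    step: a scanner that rotates interface IDs never trips a per-address threshold.
    """
    stats = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = str(ipaddress.ip_network(f"{ev['src']}/{prefix_len}", strict=False))
        s = stats.setdefault(key, {"events": 0, "sources": set(), "targets": set(),
                                   "first": ev["ts"], "last": ev["ts"]})
        s["events"] += 1
        s["sources"].add(ev["src"])
        s["targets"].add((ev["dst"], ev["dport"]))
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return stats


def classify_sources(stats, min_targets=5, fast_span_hours=1.0):
    """Return (prefix, label, distinct_sources, distinct_targets) for every prefix that hit at
    least min_targets distinct (host, port) pairs. 'fast-scan' means it did so within
    fast_span_hours; 'slow-scan' means the same breadth spread over a longer window, which a
    purely rate-based rule would never surface. Thresholds are assumed values for the example."""
    findings = []
    for prefix, s in sorted(stats.items()):
        if len(s["targets"]) < min_targets:
            continue
        span_hours = (s["last"] - s["first"]).total_seconds() / 3600.0
        label = "fast-scan" if span_hours <= fast_span_hours else "slow-scan"
        findings.append((prefix, label, len(s["sources"]), len(s["targets"])))
    return findings


if __name__ == "__main__":
    for prefix, label, n_src, n_tgt in classify_sources(aggregate_by_prefix(SAMPLE_LOG.splitlines())):
        print(f"{prefix:28} {label:10} sources={n_src} targets={n_tgt}")
```

In the constructed log the 2001:db8:feed:1::/64 source touches six distinct targets from six different interface IDs over three days, so it only becomes visible when the events are rolled up by prefix and kept for the whole window; the 2001:db8:cafe:9::/64 source is the ordinary burst that any rate rule already catches. Running the aggregation over weeks of retained deny logs, rather than the minutes an inline sensor keeps in memory, is what the “scan over long periods of time” step amounts to.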

If good network security isn’t your concern, we understand that Brian Krebs (http://blog.washingtonpost.com/securityfix/) is always looking for a good story about security failures.