Archive for IPv6

IPv6 Malware

Trend Micro, in a December 2009 report, The Future of Threats and Threat Technologies: How the Landscape Is Changing (PDF), predicts that changes to the Internet infrastructure will widen the playing field for cybercriminals. One of the changes Trend Micro predicts is the IPv6 Malware Experimentation Stage. The anti-virus firm points out that many weaknesses were discovered in IPv4 during the mid- to late 1990s as the Internet came into its own. The vendor predicts IPv6 will have a similar pattern of growth.

As the IPv6 user base expands, weaknesses will be discovered in the IPv6 protocol and its implementation. The anti-virus firm believes that the current low IPv6 adoption rate and the increased awareness of IPv4 exhaustion will delay any wide-scale IPv6 malware beyond 2010. However, as users start to explore IPv6, so will the cybercriminals. The vendor says that users can expect to find some proof-of-concept elements in IPv6 during 2010. Possible IPv6 abuse includes new covert channels or Command and Control (C&C) for botnets.

One attack vector that will open up as users start experimenting with IPv6 is tunneling protocols, according to Ben April, an Advanced Threat Researcher at Trend Micro. April points out on the Trend Micro Malware Blog that the 6to4 (RFC 3056) and Teredo (RFC 4380) tunneling protocols pose threats to networks as they transition to IPv6. April says that neither protocol claims to offer any significant security protection. According to the blog, 6to4 tunneling requires that the user endpoint exist in publicly routable IP space and be directly reachable by any 6to4 serving device; for full functionality, the endpoint has to trust traffic coming from any address claiming to support the protocol. 6to4 can also support routes to networks behind the endpoint. Endpoints have an IPv6 address that includes the IPv4 address of the endpoint converted to hex. According to April, a server on the IPv6 Internet should also be fortified against both IPv4 and IPv6 threats. 6to4 comes with an entire RFC (RFC 3964) devoted to security considerations.

The Teredo RFC goes so far as to call itself the IPv6 Provider of Last Resort. The blog says this label comes primarily from the crazy stunts required to successfully traverse multiple NAT gateways. Unlike 6to4, however, only one host can exist behind the endpoint. April points out the risks that Teredo creates by tunneling from the public Internet to a host inside a NATed environment. This creates the need for a well-protected host. This protocol also allows endpoint address leakage which would aid an attacker. Teredo encodes the IPv4 exit point of the NAT gateway, the UDP port used by the external NAT session, and the IPv4 address of the tunnel endpoint used by the client in a well-known slightly obfuscated way.
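Both address formats described above can be decoded mechanically, which is why the embedded IPv4 details leak to anyone who sees the address, and why a defender can recover them from logs just as easily. The following Python is an added example, not code from Trend Micro or the original post; the bit layouts follow RFC 3056 and RFC 4380, while the log format, the `src=` field name and the sample lines are constructed for illustration.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)
TEREDO = ipaddress.ip_network("2001::/32")       # Teredo prefix (RFC 4380)

# Constructed sample log lines; the "src=" field name is an assumption.
SAMPLE_LOG = [
    "09:14:02 ACCEPT src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dport=80",
    "09:14:05 ACCEPT src=2002:c000:204::1 dport=25",
    "09:14:09 ACCEPT src=2001:db8::10 dport=443",
    "09:14:11 DROP src=not-an-address dport=22",
]


def decode_transition_address(text):
    """Return the IPv4 details embedded in a 6to4 or Teredo address, else None."""
    addr = ipaddress.IPv6Address(text)  # raises ValueError on malformed input
    raw = int(addr)
    if addr in SIX_TO_FOUR:
        # The 32 bits after the 2002 prefix are the endpoint's IPv4 address.
        endpoint = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
        return {"type": "6to4", "endpoint_ipv4": str(endpoint)}
    if addr in TEREDO:
        # Layout: prefix(32) | server IPv4(32) | flags(16) | port(16) | NAT IPv4(32)
        server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
        # The "slight obfuscation": port and NAT address have every bit inverted.
        port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
        nat = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {"type": "teredo", "server_ipv4": str(server),
                "nat_ipv4": str(nat), "nat_udp_port": port}
    return None


def tunnelled_sources(log_lines):
    """Map each 6to4/Teredo source address found in the log to its decoded fields."""
    found = {}
    for line in log_lines:
        for field in line.split():
            if not field.startswith("src="):
                continue
            try:
                info = decode_transition_address(field[4:])
            except ValueError:  # malformed address in the log line
                continue
            if info:
                found[field[4:]] = info
    return found


if __name__ == "__main__":
    for source, info in tunnelled_sources(SAMPLE_LOG).items():
        print(source, info)
```

Running the same decoder over firewall or proxy logs shows which internal hosts are reachable through a tunnel and which IPv4 NAT exit and relay they are using.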

One answer to the IPv6 security issues could come from network security and unified threat management (UTM) provider Fortinet. In December 2009, the vendor announced that it had achieved 56 Gbps of IPv6 throughput on its FortiGate-5140 multi-threat chassis-based system. The 56 Gbps of IPv6 throughput is based on its proprietary FortiASIC technologies, which accelerate security processing of the FortiGate-5000 Series blades and modules. The FortiASIC processors are security processors that accelerate the processing of network traffic, focusing on security enforcement including firewall policies and other content inspection requirements.

The IPv6 performance of the equipment was benchmarked and validated with a BreakingPoint Elite resiliency testing chassis with multiple 10 GbE interfaces. Fortinet’s FortiOS firmware has fulfilled all requirements for IPv6 Phase-2 Core Support as a router product, a certification awarded by the IPv6 Ready Logo Program.

As Trend Micro’s April says, “IPv4 firewall rules don’t do anything to IPv6 traffic.”

YouTube Goes IPv6

YouTube, one of the most popular, biggest time-wasters and bandwidth hogs on the web, is now IPv6 too. Hurricane Electric, whose IPv6 backbone is the largest in the world, reports a 30x increase in IPv6 traffic originating from YouTube.

“On Thursday, midday California time, we saw a large amount of inbound IPv6 traffic, which we knew came from Google,” Martin Levy, Director of IPv6 Strategy at Hurricane Electric, told PCWorld in a recent article. “IPv6 traffic came into ISPs from all over the world when Google turned up its IPv6 traffic on YouTube,” Levy says. “IPv6 is being supported at many different Google data centers. We’re talking about a traffic spike that is 30-to-1 type ratios. In other words, 30 times more IPv6 traffic is coming out of Google’s data centers than before.”

The YouTube IPv6 traffic appears to be production, as opposed to a test, because it has remained steady since it started and is following normal usage patterns, Levy told PCWorld. “This IPv6 traffic is mimicking classic end-user bandwidth shaping. It’s not machine driven; it’s human eyeball driven.”

Industry observers hailed the YouTube upgrade as a sign of the growing momentum for the next generation Internet protocol. “This is not some IPv6-enabled scientific site…This is the mainstream media,” Levy observes.

NetworkWorld reports that Google is anticipating IPv6 traffic growth as more devices such as LTE handsets and set-top boxes ship with IPv6 support. Google already supports IPv6 with its Search, Alerts, Docs, Finance, Gmail, Health, iGoogle, News, Reader, Picasa, Maps, Wave, Chrome and Android products.

IPv6 Growing Despite Economy

The American Registry for Internet Numbers (ARIN) reports that demand for IPv6 address space is growing. According to the 10-19-09 article, Next-generation Internet defies recession on NetworkWorld, during the first nine months of 2009, ARIN received 300 requests from carriers for blocks of IPv6 address space. This compares to 250 requests received in all of 2008 and 2007.

“We’re seeing an uptick in IPv6 address space requests; it’s a very significant growth rate,” says John Curran, president and CEO of ARIN. “We’ve seen a slight slowdown in IPv4 address space requests…It’s probably dropped off 10% or 20% year over year.”

Curran says ARIN is beginning to see ISPs such as Comcast and Verizon Wireless put a great deal of effort into migrating from IPv4-based networks to those built using IPv6.

“ISPs are asking for IPv6 addresses so they can make their networks IPv6-enabled so they are ready [for the future],” Curran says. “We give each ISP enough IPv6 addresses to support 4 billion networks, and each network can contain trillions and trillions of hosts.”

Curran says the recession is not hampering carriers’ interest in IPv6. “IPv6 solves a problem that hasn’t happened yet. So seeing any demand is surprising, and it means that organizations are planning ahead,” Curran says. “The current weakness in the economy…is not dampening down IPv6 demand significantly because IPv6 is right around the corner for ISPs. We may be two years away from the IPv4 free pool of addresses running out, but two years if you’re an ISP is enough time to get one network deployed. Two years is within everyone’s planning horizon.”

ARIN plans several policy changes to push carriers towards IPv6 adoption. These include:

* Allowing ARIN to reduce the size of IPv4 address space allocations to carriers as the industry gets closer to IPv4 address depletion.

* Increasing access to IPv6 address space by removing the requirement for carriers to first demonstrate that they have hundreds of customers.

* Allowing carriers to run multiple, discrete IPv6 networks that don’t have to be connected to each other, such as community networks.

* Reconsideration of a current policy that requires the regional registries including ARIN to evenly divide up any IPv4 space they are able to recover.


Smart Grid needs IPv6

Cisco Systems is looking at IPv6 as a critical component in securing the next-generation electricity distribution system. IPv6 is attractive to the Smart Grid initiative for two reasons, the first being an abundance of IP addresses available in the expanded 128-bit address space for all the gizmos they hope to sell in a market which Cisco pegs at $20 billion a year. “IPv6 is an interesting discussion and one that occupies a lot of bandwidth at Cisco,” Marie Hattar, Cisco’s vice president of network systems and security solutions marketing, told InternetNews.com. “Some people say that for smaller deployments, we could get away with IPv4, but the smart grid has a number of parts.”

The second benefit to the Smart Grid is the security features in IPv6 which will add a layer of protection to the vulnerable electric grid management systems.  Security is also now top of mind as the Department of Homeland Security (DHS) is now investigating a report into potential threats to the West Coast power grid. Earlier this year, widely circulated reports noted that foreign entities—presumably from China—infiltrated the U.S. power grid on several occasions and have the ability to disrupt power distribution.

At the 2009  Black Hat security conference, a security researcher detailed security vulnerabilities in smart grid meters. “If you think about hacking into a smart meter, it’s like hacking into your TV’s remote control — you still get your TV,” Hattar said. “The meters are a reporting mechanism but it’s not going to affect the electrical system.” Still, Hattar added that smart meter vendors are concerned about security and Cisco will work with them. “A key part is to build out an end-to-end framework that is secure,” Hattar said. “A lot has to do with isolation and not exposing the grid to points of entry that are hackable.”

“As utilities are looking to build out smart grid, it’s more effective to agree on a common protocol across the board as opposed to trying to intermix different ones,” Hattar says. “In many ways, this is like the early days of the Internet where we ultimately settled on IP. We see IP as the scalable protocol for smart grid and we’re working with a variety of vendors to advocate this and make this the key protocol of choice.”

Cisco is among the numerous IT vendors with initiatives for improving the power grid.  IBM is working with several of its partners on power grid issues through its Smart Planet program.

There are likely to be subsidiary benefits to the smart grid, like furthering the cause of IPv6, since tens of millions of users and new devices around the world will require connectivity. For example, with utilities adopting IP-enabled metering for thousands of homes connected to the network, there could be an issue with addressing over IPv4. On IPv6, thanks to its plentiful address availability, there are no addressing issues.

rb-

Not only is this a technological issue, but it is an energy policy issue. An electrical grid which can support Smart meters will allow energy producers to better control the flow of electricity, which will increase the efficiency of the electrical grid, which will in turn decrease our dependence on fossil fuels. America needs to get off of electrical generation by fossil fuels and this technology can speed the process, before it is too late and gasoline reaches $7.00 a gallon making the current recession seem like a walk in the park.

Feds to Test IPv6

NetworkWorld is reporting that the U.S. government has reportedly launched a comprehensive product testing program for IPv6. The new program, the USGv6 Test Program, will be run by the National Institute of Standards and Technology (NIST) and will require all network hardware and software vendors to pass IPv6 compliance and interoperability tests before they can sell their products to the U.S. federal government market. The NIST IPv6 test plan covers basic IPv6 functionality as well as related standards such as: IP Security (IPsec), Internet Key Exchange (IKEv2), Dynamic Host Configuration Protocol (DHCPv6), Open Shortest Path First (OSPFv3), Border Gateway Protocol (BGP4+) and multicast requirements in MLDv2.

The USGv6 program will allow vendors to run IPv6 compliance tests in their own labs as long as the labs are accredited by NIST, but they must run IPv6 interoperability testing in someone else’s lab. Erica Johnson, Director of the University of New Hampshire InterOperability Laboratory, told NetworkWorld, “The way that the NIST profile is going to work is that conformance testing can be done in an accredited first-party [vendor], second-party [buyer] or third-party [independent] lab…But the interoperability testing must be done in a second-party or third-party lab.”

The time-frame for the USGv6 Test Program is tight. NIST is expected to publish this week [July 31] the final version of its IPv6 test specifications  aka Special Publication 500-273 and to finalize its test plan in November 2009. Testing labs are to be accredited before the end of the calendar year. Network vendors will have six months to get their routers, operating systems, firewalls and other security systems through IPv6 testing prior to the federal government’s July 2010 acquisition deadline.

By July 2010, federal agencies will be required to purchase only hosts, routers and network security systems that have been tested for IPv6 compliance. Vendors must issue a “Suppliers’ Declaration of Conformity” that states host and router products have been tested for IPv6 compliance and interoperability, while security products must undergo functional IPv6 testing. All of the testing must be done in NIST-accredited labs.

rb-

It’s about time – I have been including IPv6 requirements in RFPs for over 6 years. It is amazing to watch the vendors tap-dance around what IPv6 compatibility means. Only some of these products from Cisco or Foundry Brocade are IPv6 compatible depending on the image you buy. I guess the real trick will be to get a “Suppliers’ Declaration of Conformity” if you are not a Fed.
