Tag Archive for IPV4

Security Considerations for IPv6

For those who missed the Internet Society (ISOC) announcement, World IPv6 Launch day arrived on June 6. (I blogged about World IPv6 day back in March.) Carl Herberger, VP of Security at Radware (RDWR), recently wrote at Help Net Security that he sees World IPv6 Launch day as much more hype than an operational change.

Many high-profile organizations have hooked their changeover plans on the ISOC launch date. Supporters include Google (GOOG), Facebook (FB), Microsoft (MSFT) Bing, Yahoo (YHOO), and Akamai (AKAM). Mr. Herberger points out that many companies have already leveraged IPv6 WAN connectivity. Most mobile providers who have adopted LTE 4G infrastructures have built them for mobile devices. Mobile devices will connect to the Internet with IPv6 addresses by default. He argues that since a 4G phone must also be 3G and IPv4 compatible, the 5G providers have not done much. The service providers have woven IPv6 into the existing IPv4 Internet, much to the chagrin of the initial IPv6 designers.

IPv6 Pandora’s Box

Bottom line: Because IPv4 is not going away any time soon, we will essentially live in perpetuity with both designs. A new dawn? Or the beginning of the end? The Radware VP thinks it’s neither; he calls the interoperability issues between IPv4 and IPv6 a Pandora’s Box of opportunity for those of the nefarious persuasion.

So, what are the three main takeaways from World IPv6 Launch day?

Take away #1

IPv6 will first be implemented on the WAN, IPv4 will continue to stay in the LAN for years to come – Google, Facebook, DNS, CDN providers, and many, if not most, ISPs are all moving to default IPv6 WAN connectivity. However, nearly no one has made the transition to IPv6 on the LAN. Mr. Herberger adds that rapid IPv6 deployment on the Internet WAN operations side and the very slow rollout of IPv6 on the LAN side will wreak havoc on perimeter security. He believes that there are huge problems associated with IPv4 and IPv6 cohabitating.

Take away #2

IPv6 & IPv4 don’t cohabitate well – IPv6 and IPv4 make insecure bedfellows. There are no predefined standards for handling the cohabitation of IPv4 with IPv6. The transition mechanisms meant to ease the Internet’s move from its first IPv4 infrastructure to IPv6 have not been standardized yet. The Internet Engineering Task Force (IETF) has working groups and discussions through the IETF Internet-Drafts and Requests for Comments processes to develop these methods. Some basic IPv6 transition mechanisms have been defined; however, nothing has yet emerged as a proposed uniform standard. As such, the article states, the world is awash with a plethora of IPv4 to IPv6 (and vice versa) transition mechanisms such as:

  • Encapsulating IPv4 in IPv6 (or 4in6)
  • Encapsulating IPv6 in IPv4 (or 6in4)
  • IPv6 over IPv4 (6over4)
  • DS-Lite
  • 6rd
  • 6to4
  • ISATAP
  • NAT64 / DNS64
  • Teredo
  • SIIT.

If you are familiar with network perimeter security devices, one of the things they do well is deep packet inspection and stateful analysis. However, one of the dirty little secrets is that nearly none of today’s technologies can inspect encrypted traffic such as SSL or tunneling protocols such as L2TP, PPTP, etc. The IPv4 and IPv6 transition effectively exacerbates these “Achilles heels” in security detection capabilities by introducing a whole new class of nearly undetectable transmissions. The author warns: don’t be fooled by a vendor’s claim that they inspect a v4 packet in v6 or vice versa, because even if true for one or two methodologies, the ways to carry out this task are almost immeasurable today. This is a true community-wide problem and one that must be addressed.
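To make the inspection gap concrete, here is an added example (not from the Help Net Security article or from Radware) of the first thing a gateway has to do before it can inspect tunneled traffic: recognize which transition mechanism a packet belongs to. The function names and sample packets are hypothetical and constructed; the sketch looks only at the first header of each packet, so it does not walk IPv6 extension headers or reassemble fragments, and it spots Teredo by UDP port alone.

```python
import ipaddress
import struct

SIXTO4 = ipaddress.ip_network("2002::/16")    # 6to4 prefix
NAT64 = ipaddress.ip_network("64:ff9b::/96")  # NAT64 well-known prefix
ISATAP = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # start of an ISATAP interface ID
TEREDO_PORT = 3544                            # Teredo UDP port

def v6_label(p):
    """Label one IPv6 header; None if it is truncated or not IPv6."""
    if len(p) < 40 or p[0] >> 4 != 6:
        return None
    src, dst = ipaddress.IPv6Address(p[8:24]), ipaddress.IPv6Address(p[24:40])
    if p[6] == 4:                      # Next Header 4: IPv4 payload (4in6, DS-Lite)
        return "4in6"
    if src in SIXTO4 or dst in SIXTO4:
        return "6to4"
    if p[16:20] in ISATAP or p[32:36] in ISATAP:
        return "isatap"
    return "nat64" if dst in NAT64 else "ipv6"

def classify(pkt):
    """Return a transition-mechanism label for one raw IP packet."""
    if pkt and pkt[0] >> 4 == 6:
        return v6_label(pkt) or "malformed"
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if not pkt or pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto, payload = pkt[9], pkt[ihl:]
    if proto == 41:  # IPv6 directly in IPv4: 6in4, 6rd, 6to4, ISATAP
        inner = v6_label(payload) or "malformed"
        return inner if inner in ("6to4", "isatap", "malformed") else "6in4"
    if proto == 17 and len(payload) >= 8 and TEREDO_PORT in struct.unpack("!HH", payload[:4]):
        return "teredo"
    return "ipv4"

def ip4(proto, payload=b""):
    """Constructed IPv4 packet (checksum left zero) between documentation addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def ip6(src, dst, next_header=59, payload=b""):
    """Constructed IPv6 packet; next header 59 means nothing follows."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)

SAMPLES = {  # constructed packets, keyed by the label classify() should give
    "6in4": ip4(41, ip6("2001:db8::1", "2001:db8::2")),
    "6to4": ip4(41, ip6("2002:c000:201::1", "2001:db8::2")),
    "isatap": ip4(41, ip6("fe80::5efe:c000:201", "fe80::5efe:c633:6407")),
    "teredo": ip4(17, struct.pack("!HHHH", 40000, 3544, 8, 0)),
    "4in6": ip6("2001:db8::1", "2001:db8::2", 4, ip4(6)),
    "nat64": ip6("2001:db8::1", "64:ff9b::c633:6407"),
}
```

Note that 6rd and manually configured tunnels come back as plain "6in4": they use ordinary prefixes, so only knowledge of the provider's prefix can tell them apart, which is part of why a single vendor claim of "v6-in-v4 inspection" says little.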

Take away #3

Meet your old vulnerability – Same as the new vulnerability! Much of our defense is single-threaded, and should an adversary be able to pass through your perimeter defenses, many of the ‘older’ vulnerabilities would find a receptive home having passed through the ‘corporate scrubbers.’ Moreover, just think of the new opportunities available to more nefarious organizations that don’t have your interests in mind. This ‘transition mechanism’ essentially becomes an effective ‘unscrubbed’ gateway or tunnel for all newly developed organized crime-designed, state-sponsored, and Hacktivist-motivated attacks.

Moreover, most of us will be largely blind to these realities unless we are acting now to make certain that our gateways are designed with all encapsulated traffic being detected and mitigated. Anomaly detection takes center stage here and signature tools will leave you wanting.

The Radware VP concludes that this problem requires action on behalf of security professionals to solve; you HAVE to do something different because the inertia path will leave you vulnerable.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

IPv4 Address Grey Market Emerges

The UK’s Register reports that depletion of the world’s IPv4 address space is spawning a new development in the Internet address space: IPv4 address trading. According to the Register, German Python developer Martin von Loewis launched a site called Tradeipv4.com in March. The site is offering IPv4 addresses for $3 in the American Registry for Internet Numbers (ARIN) region and $4 in the Asia Pacific Network Information Center (APNIC) region.

IPv4 address trading, however, is still a grey market idea for now. FierceTelecom reports that to make sure that unmanaged address transfers don’t compromise network operations or security, the Internet Society (ISOC) said that buyers and sellers should make sure any “transfers be affected per appropriate Regional Internet Registry (RIR) processes.” Citing its own estimate of prices reaching $11 per address, ISOC said, “We strongly urge that such transfers be affected per appropriate RIR processes.” According to ISOC, unmanaged address transfers will undermine network operations and could raise security issues, since anonymous address spaces can be spoofed.

On its FAQ page, Tradeipv4.com says its auctions can cover both the sale and lease of addresses, subject to RIR policies. Some of these policies, the site notes, have grey areas. For example, APNIC policy aims to discourage address transfer by applying what amounts to a 12-month embargo on the originating party receiving new addresses. However, Tradeipv4.com dismisses this as irrelevant, since APNIC’s space is exhausted and no new blocks are being assigned, according to FierceTelecom. Despite these concerns, Tradeipv4.com maintains that it can sell and lease IPv4 addresses and that it follows RIR policies.

This is not just an SMB issue. Microsoft (MSFT) recently bought Nortel’s IPv4 addresses (which I wrote about here). Craig Labovitz, Chief Scientist for network security vendor Arbor Networks, told FierceTelecom that Nortel’s deal with Microsoft reflects how IPv4 depletion is becoming a more pressing issue, now that IPv4 is a scarce resource.

IPv4 addresses have not been a scarce resource and no one has had to pay more, but what really is starting to change is Microsoft spending money to buy Nortel’s IPv4 address space. For the first time, there’s now a price associated with V4, and once you have a price you start having providers charge for it and start seeing people having a reason to care.

The Register article notes that the Canadian government, via its Industry Canada department, is also against the trade of IPv4 addresses, and it has weighed in on the sale of Nortel’s addresses to Microsoft. In a letter discussed on CircleID, Industry Canada expressed its support for the long-standing position that addresses are not property and therefore cannot be traded.

rb-

I see several problems with the IPv4 grey market. Trading in IPv4 is just another sign of resistance to IPv6. Firms with a global view have to realize that the reallocation of a handful of IPv4 addresses will not make a difference in an IPv6 world. Another issue could be the routability of an IPv4 address originally assigned to APNIC and traded on the grey market to RIPE. Right now there is no guarantee that these types of addresses will be recognized. There are also political issues: the Canadian government opposes the IP grey market. Industry Canada has expressed its support for the long-standing position that addresses are not property and therefore cannot be traded.

The ISOC says IPv4 addresses are worth $11.00, MSFT paid $11.25, and ARIN addresses are now (04-30-11) trading at $7.00 per IP on tradeipv4.com, so MSFT appears to have overpaid for the Nortel address range. The bigger issue is the change in the nature of an IP address.

What do you think?

Are grey market IPv4 addresses worth it?

Has your firm started its transition to IPv6?

Asia out of IPv4 addresses

The Asia Pacific Network Information Center (APNIC) has run out of free IPv4 addresses. APNIC is the first of the Internet’s five regional Internet registries to deplete its free pool of IPv4 address space, according to reports from Networks Asia. (I wrote about China’s IPv4 struggles here.)

APNIC’s news is another sign that CIOs and other IT executives need to begin migrating to IPv6. “For anybody who hasn’t figured out that it’s time to do IPv6, this is another wake-up call for them,” Owen DeLong, an IPv6 evangelist at Hurricane Electric and a member of the board of ARIN, told Networks Asia. Any CIO who isn’t planning for IPv6 is “driving toward a brick wall and closing your eyes and hoping that it’s going to disappear before you get there,” Mr. DeLong says. Ignoring IPv6 “is not the best strategy.”

Paul Wilson, Director General of APNIC, tells Networks Asia that if a business is thinking of doing business on the Internet, it needs to have a plan to transition to IPv6 in place. “If you want to do business with China in the future for example, you will be to be on IPv6 or you won’t be able to reach your customers,” Mr. Wilson said.

The Asia-Pacific region has been gobbling up the most IPv4 address space in recent years; APNIC has apparently distributed more than 32 million IPv4 addresses to network operators in this region in the last two months alone. APNIC has depleted its IPv4 address space “dramatically faster than people expected,” Mr. DeLong says. “My guess is that a lot of operators in the Asia-Pacific region realized the time of IPv4 depletion was drawing near and they rushed to get their applications in.” But countries in the region are doing well with their IPv6 transition plans, Mr. Wilson said.

But countries with developing markets also had the advantage that they could leapfrog any potential problems and move straight to greenfield IPv6 infrastructure, Wilson said. APNIC is holding 16.7 million IPv4 addresses (a /8 in network engineering terms) in reserve to distribute in tiny allotments of around 1,000 addresses each to new and emerging IPv6-based networks so they can continue to communicate with the largely IPv4-based Internet infrastructure.

“RIPE [the European Internet registry] is going to be the next one to run out. I wouldn’t count on them making it until July [2011],” DeLong says. “I think ARIN (which doles out IPv4 and IPv6 address space to companies operating in North America) will make it to the end of this year; maybe we’ll run out in October or November [2011].”

Upgrading to IPV6

According to Mr. Wilson, the move to IPv6 should be the last we will experience. “We should be afraid of a situation where we exhaust IPv6. If the move from IPv4 was difficult, the next will be a disaster,” he said.

rb-

The regional Internet registries will have handed out most IPv4 address space by the end of 2011. Lots of organizations need to get on their transition plan. I have noted the need for IPv6 planning here, here, and here.

What do you think?

  • Is IPv6 a real topic in your organization?
  • Has your organization even formed a team to discuss IPv6 addresses?

IPv4 Address Worth $11.25

Now that the last IPv4 addresses are gone, the Internet numbers are increasing in value. Microsoft is spending $7.5 million for 666,625 IPv4 addresses from Nortel (NRTLQ). As Google (GOOG) and Apple (AAPL) fight over Nortel’s 4G bones (which I noted earlier), DownloadSquad reports that Microsoft (MSFT) jumped all over Nortel’s stash of IPv4 addresses when they became available for purchase through bankruptcy proceedings.

Microsoft ponied up $7.5 million for the Nortel pool, which works out to $11.25 per IP address. There were 13 other interested buyers, but only Microsoft and three others actually submitted bids, according to DownloadSquad. With the last block of IPv4 addresses already issued (which I wrote about when it happened), snatching up over 666,000 IPv4 addresses in one fell swoop is a smart move by Microsoft.

rb-

Could Ballmer’s boys be planning a cloud-based IPv6 <–> IPv4 transition service?

Are they trying to jump-start an IPv4 address space underground economy?

As the authors say, we’ll just have to wait and see.

What do you think?

What is Redmond up to?

U.S. Running Out Of IPv4 Addresses

InformationWeek says IPv4 addresses will run out by the end of 2011. The plethora of mobile devices and an increase in Internet services to the home have led to a shortage of Internet addresses, which could run out by the end of 2011, according to InformationWeek. “We now face an exhaustion of IPv4 addresses,” Lawrence Strickling, administrator of the U.S. National Telecommunications and Information Administration (NTIA), said in the meeting, Reuters reported. There’s only room for 4.3 billion IPv4 addresses and the U.S. owns more than 90 percent of public IP addresses globally. The U.S. has used about 94.5 percent of its public IP addresses.

The recent surge in tablet computers like the Apple iPad and Research in Motion Blackberry smartphones is depleting the supply of available addresses. The remaining 5.5 percent of the IPv4 addresses will be distributed among the Regional Internet Registries by next summer, Reuters reported. New IP-based technologies such as LTE and WiMax have also contributed to the dwindling number of IPv4 addresses. M2M devices and smart technologies in consumer products like refrigerators, dishwashers, and vehicles also decrease the number of addresses available. “Fortunately, IPv6 will support 340 trillion, trillion, trillion addresses,” Strickling is quoted as saying by Reuters, and he appealed to businesses to widely roll out and integrate IPv6.

The reason is that IPv6 is a much longer address, but it makes up a lot more possible numbers, said Todd Day, industry analyst, Mobile & Wireless Communications, Frost & Sullivan. “It’s similar to a phone number with many digits, so it’s like having a longer phone number.” Switching to IPv6 could be costly for businesses and the technology might not integrate well with what they are using. “Ultimately you have equipment that has to be replaced in order to support IPv6, you have software changes and upgrades in other pieces of equipment and testing and actual implementation costs,” Day said.

In spite of the challenges, the new protocol has its advantages, he said. “There are definitely a lot of benefits to IPv6,” Day said. “In the bigger picture, it allows for more security, video and voice streaming, and better quality of service.”

rb-

This is not a U.S.-specific problem as InformationWeek would have their readers believe. This is a worldwide problem. John Curran President and CEO of ARIN pointed out in the article, “some other countries have already set their IPv4 depletion / IPv6 adoption plans.” Of course not in the US, there are so many other important issues for the Feds to worry about, like the noise level of TV commercials.
