Tag Archive for IPv6

Security Considerations for IPv6

For those who missed the Internet Society (ISOC) announcement, World IPv6 Launch day arrived on June 6 (I blogged about World IPv6 day back in March). Carl Herberger, VP of Security at Radware (RDWR), recently wrote at Help Net Security that he sees World IPv6 Launch day as much more hype than an operational change.

Many high-profile organizations have hooked their plans on changing over on the ISOC launch date. Supporters include Google (GOOG), Facebook (FB), Microsoft (MSFT) Bing, Yahoo (YHOO), and Akamai (AKAM). Mr. Herberger points out that many companies have already leveraged IPv6 WAN connectivity. Most mobile providers who have adopted LTE 4G infrastructures have built them for mobile devices, and mobile devices will connect to the Internet with IPv6 addresses by default. He argues that since a 4G phone must also be 3G and IPv4 compatible, the 5G providers have not done much. The service providers have woven IPv6 into the existing IPv4 Internet, much to the chagrin of the original IPv6 designers.

IPv6 Pandora’s Box

Bottom line: Because IPv4 is not going away any time soon, we will essentially live in perpetuity with both designs. A new dawn? Or the beginning of the end? The Radware VP thinks it’s neither; he calls the interoperability issues between IPv4 and IPv6 a Pandora’s Box of opportunity for those of the nefarious persuasion.

So, what are the three main takeaways from World IPv6 Launch day?

Takeaway #1

IPv6 will first be implemented on the WAN; IPv4 will stay in the LAN for years to come – Google, Facebook, DNS, CDN providers, and many, if not most, ISPs are all moving to default IPv6 WAN connectivity. However, nearly no one has made the transition to IPv6 on the LAN. Mr. Herberger adds that rapid IPv6 deployment on the Internet WAN side and the very slow rollout of IPv6 on the LAN side will wreak havoc on perimeter security. He believes that there are huge problems associated with IPv4 and IPv6 cohabitating.

Takeaway #2

IPv6 &amp; IPv4 don’t cohabitate well – IPv6 and IPv4 make insecure bedfellows. There are no predefined standards for handling the cohabitation of IPv4 with IPv6. The transition mechanisms meant to ease the move of the Internet from its original IPv4 infrastructure to IPv6 have not been standardized yet. The Internet Engineering Task Force (IETF) has working groups and discussions, through the IETF Internet-Drafts and Requests for Comments processes, to develop these methods. Some basic IPv6 transition mechanisms have been defined; however, nothing has yet emerged as a proposed uniform standard. As such, the article states, the world is awash with a plethora of IPv4-to-IPv6 (and vice versa) transition mechanisms such as:

  • Encapsulating IPv4 in IPv6 (or 4in6)
  • Encapsulating IPv6 in IPv4 (or 6in4)
  • IPv6 over IPv4 (6over4)
  • DS-Lite
  • 6rd
  • 6to4
  • ISATAP
  • NAT64 / DNS64
  • Teredo
  • SIIT

If you are familiar with network perimeter security devices, one of the things they do well is deep packet inspection and stateful analysis. However, one of the dirty little secrets is that nearly none of today’s technologies have the capability to inspect encrypted traffic such as SSL, or the ability to inspect tunneling protocols such as L2TP, PPTP, etc. What the IPv4 and IPv6 transition does is effectively exacerbate these “Achilles heels” in security detection capabilities by introducing a whole new class of nearly undetectable transmissions. The author warns: don’t be fooled by a vendor’s claim that they inspect a v4 packet in v6 or vice versa, because even if it is true for one or two methodologies, the ways to carry out this task are almost immeasurable today. This is truly a community-wide problem and one that must be addressed.
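To make the blind spot concrete, here is a small Python classifier added to this archive page; it is not code from the Help Net Security article, from Radware, or from this blog. It shows what a perimeter device has to do to see past the outer header: decapsulate protocol 41 (the IANA number shared by 6in4, 6to4, 6rd and ISATAP), UDP port 3544 (Teredo) and next header 4 (4in6), then read the inner addresses. The 6to4 heuristic uses the RFC 3068 anycast relay range and the RFC 3056 2002::/16 prefix. The sample packets are constructed inline from documentation address ranges, checksums are left at zero, and the labels and function names are this example’s own; a filter that stops at the outer header would report every one of the tunneled samples as plain “protocol 41” or “UDP”.

```python
import ipaddress
import struct

# IANA protocol numbers and port used by the transition mechanisms listed above
IPPROTO_IPIP = 4     # IPv4 encapsulated in IPv6 (4in6)
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41    # IPv6 encapsulated in IPv4 (6in4, 6to4, 6rd, ISATAP)
IPV6_NO_NEXT = 59    # "no next header"; used for the empty inner packets below
TEREDO_PORT = 3544   # Teredo carries IPv6 inside UDP on this port (RFC 4380)
SIX_TO_FOUR_RELAY = ipaddress.ip_network("192.88.99.0/24")  # RFC 3068 anycast relay
SIX_TO_FOUR_PREFIX = ipaddress.ip_network("2002::/16")      # RFC 3056 prefix


def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) for a raw IPv4 packet, or None."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    return (ipaddress.IPv4Address(buf[12:16]), ipaddress.IPv4Address(buf[16:20]),
            buf[9], buf[ihl:total_len])


def parse_ipv6(buf):
    """Return (src, dst, next_header, payload) for a raw IPv6 packet, or None."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None
    payload_len, next_header = struct.unpack("!HB", buf[4:7])
    return (ipaddress.IPv6Address(buf[8:24]), ipaddress.IPv6Address(buf[24:40]),
            next_header, buf[40:40 + payload_len])


def classify(buf):
    """Label a packet by the transition mechanism it carries.

    Returns (label, inner_src, inner_dst); inner addresses are None for native
    traffic. Everything after the outer-header parse is the work a filter must
    do to see the encapsulated packet at all.
    """
    v4 = parse_ipv4(buf)
    if v4:
        _, dst, proto, payload = v4
        if proto == IPPROTO_IPV6:
            inner = parse_ipv6(payload)
            if inner is None:
                return "protocol 41 without a parseable IPv6 header", None, None
            if dst in SIX_TO_FOUR_RELAY or inner[0] in SIX_TO_FOUR_PREFIX:
                return "6to4", inner[0], inner[1]
            return "6in4/6rd/ISATAP (proto 41)", inner[0], inner[1]
        if proto == IPPROTO_UDP and len(payload) >= 8:
            sport, dport = struct.unpack("!HH", payload[:4])
            if TEREDO_PORT in (sport, dport):
                inner = parse_ipv6(payload[8:])   # skip the 8-byte UDP header
                if inner:
                    return "Teredo (UDP 3544)", inner[0], inner[1]
        return "native IPv4", None, None
    v6 = parse_ipv6(buf)
    if v6:
        _, _, next_header, payload = v6
        if next_header == IPPROTO_IPIP:
            inner = parse_ipv4(payload)
            if inner:
                return "4in6 (next header 4)", inner[0], inner[1]
        return "native IPv6", None, None
    return "not IP", None, None


# Builders for the constructed samples (header checksums are left at zero)
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_header, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed sample packets using documentation ranges (RFC 5737 / RFC 3849)
SAMPLES = {
    "native v4": build_ipv4("198.51.100.10", "203.0.113.5", IPPROTO_UDP, build_udp(40000, 53, b"q")),
    "6in4": build_ipv4("198.51.100.10", "203.0.113.5", IPPROTO_IPV6,
                       build_ipv6("2001:db8::1", "2001:db8::2", IPV6_NO_NEXT, b"")),
    "6to4": build_ipv4("198.51.100.10", "192.88.99.1", IPPROTO_IPV6,
                       build_ipv6("2002:c633:640a::1", "2001:db8::2", IPV6_NO_NEXT, b"")),
    "teredo": build_ipv4("198.51.100.10", "203.0.113.5", IPPROTO_UDP,
                         build_udp(40000, TEREDO_PORT,
                                   build_ipv6("2001:0:cb00:7105::1", "2001:db8::2", IPV6_NO_NEXT, b""))),
    "4in6": build_ipv6("2001:db8::1", "2001:db8::2", IPPROTO_IPIP,
                       build_ipv4("10.0.0.1", "10.0.0.2", IPV6_NO_NEXT, b"")),
}


def tunneled(samples):
    """Names of the samples that carry the other IP version inside."""
    return [name for name, pkt in samples.items() if not classify(pkt)[0].startswith("native")]


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        label, inner_src, inner_dst = classify(pkt)
        extra = f"  inner {inner_src} -> {inner_dst}" if inner_src else ""
        print(f"{name:10s} -> {label}{extra}")
```

The point of the exercise is the length of `classify` relative to `parse_ipv4`: each mechanism needs its own decapsulation branch before the inner addresses can be matched against a policy, and the list on this page names more mechanisms than this example handles (DS-Lite, NAT64 and SIIT rewrite rather than encapsulate, so they need a different approach entirely).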

Takeaway #3

Meet your old vulnerability – same as the new vulnerability! Much of our defense is single-threaded, and should an adversary be able to pass through your perimeter defenses, many of the ‘older’ vulnerabilities would find a receptive home having passed through the ‘corporate scrubbers.’ Moreover, just think of the new opportunities available to nefarious organizations that don’t have your interests in mind. This ‘transition mechanism’ essentially becomes an effective ‘unscrubbed’ gateway or tunnel for all newly developed organized-crime-designed, state-sponsored, and hacktivist-motivated attacks.

Moreover, most of us will be largely blind to these realities unless we are acting now to make certain that our gateways are designed with all encapsulated traffic being detected and mitigated. Anomaly detection takes center stage here and signature tools will leave you wanting.

The Radware VP concludes that this problem requires action by security professionals to solve; you HAVE to do something different, because the inertia path will leave you vulnerable.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Internet of Things

The Internet of Things is a world where everything can be approached both analogously and digitally. It reformulates our relationship with objects, things, as well as the objects themselves. Any object that carries an RFID tag relates not only to you but also, through being read by a nearby RFID reader, to other objects, relations or values in a database. In this world, you are no longer alone, anywhere.

The Machines Are Talking a Lot

Cisco’s Visual Networking Index Global Mobile Data Traffic Forecast Update, 2011-2016 reports that Internet traffic continues to grow at unprecedented rates. Cisco says that the second leading source of Internet traffic will be Internet of Things devices.

The networking giant says the source will be machine-to-machine communications, or “M2M.” Brian Bergstein at MIT’s Technology Review says to think of sensors in cars and in appliances, surveillance cameras, smart electric meters, and devices still to come, monitoring the world and reporting to each other and to centralized computers what they’re detecting. The chart below, reprinted from the Cisco report, shows just how extreme the jump in machine-to-machine communications could be. Cisco says M2M will grow, on average, 86 percent a year, reaching 508 petabytes a month, or half a billion gigabytes, by 2016.

New ARM chip for Internet of Things

ARM (ARMH), the semiconductor company whose chip technology powers most modern smartphones, has come up with a chip for the Internet of Things (IoT). Om Malik at GigaOM reports that the Cortex-M0+ is an energy-efficient chip, optimized for use in everything from connected lighting to power controls to other home appliances. In a press release, the company explains:

The 32-bit Cortex-M0+ processor … consumes just 9µA/MHz … around one-third of the energy of any 8 or 16-bit processor available today, while delivering much higher performance …[to] enable the creation of smart, low-power microcontrollers to provide … wirelessly connected devices, a concept known as the ‘Internet of Things.’

At GigaOM’s Mobilize 2011 event ThingM CEO Mike Kuniavsky said that “ubiquitous network connectivity, cloud-based services, cheap assembly of electronics, social design, open collaboration tools, and low-volume sales channels create an innovation ecosystem that is the foundation for an Internet of things.”

GigaOM says Freescale and NXP (NXPI), both major suppliers to the automotive and home automation industries, have signed up for the new ARM Internet of Things chip technology. Freescale and NXP have locations in the Farmington Hills, MI area.

A new chip for the Internet of Things

Om Malik at GigaOM recently noted that Atheros, a division of Qualcomm (QCOM), launched a new, very low-power Wi-Fi chip. The AR4100P is focused on the “Internet of Things.” He predicts that soon there might be Wi-Fi in everything around us, including Samsung’s (005930) Wi-Fi-enabled washing machines, which Malik wrote about earlier.

According to the blog, the new “highly integrated 802.11n single-stream Wi-Fi system-in-package with integrated dual IPv4 IPv6 networking stack” is focused on smart home and building controls and appliances. Atheros and other chip companies such as ARM are betting that the Internet of Things will prove to be a new giant market opportunity.

rb-

The new Atheros chip also includes an IPv6 stack as well as 802.11n to give end-to-end control of your home appliances.

Related articles
  • Marvell chip makes appliances and LED lights ‘smart’ (ces.cnet.com)

The Web Connected Smelly Robot

The Internet of Things now has smell-o-vision from Olly. According to its website, Olly takes services on the Internet and delivers their pings as smells. Whether it’s a tweet or a like on Instagram, Olly will be sure to let your nose know about it. Olly was developed by Mint Foundry, a graduate design lab at Mint Digital dedicated to exploring the potential of web-connected objects.

It is possible to change Olly’s smells in an instant. It has a removable section in the back which can be filled with any smell you like. It could be essential oils, a slice of fruit, your partner’s perfume, or even a drop of gin.

Olly is stackable, so if you have more than one, you can assign each to a different service with a different smell. Connect one to Twitter and another to your calendar. Before you know it, you’ll have a networked Internet smell center, claims the website.

Olly is not yet in production, but Mint is glad to offer the source files to anyone who’s got a 3D printer and a nose for adventure.


Flip the Switch on IPv6

World IPv6 day (which I reported on here) took place in June 2011. Google (GOOG), Facebook, Yahoo (YHOO), and Akamai (AKAM) were among the participants in last year’s networking dress rehearsal. Apparently, everything went well last June.

Nathan Ingraham at The Verge recently noted that IPv6 is now ready for prime time. The Internet Society announced that the IPv6 switch will be permanently flipped on June 6th, 2012.

The article says a number of major ISPs, networking hardware manufacturers, and web companies pledged support from day one. For starters, four of the biggest web properties will all enable IPv6 permanently:

From a hardware perspective, Cisco (CSCO) and D-Link (2332) both committed to enabling IPv6 across their range of home products by June.

GigaOM reports that Akamai (AKAM) and Limelight (LLNW) will also recruit other websites to join the initiative by implementing IPv6 throughout their content delivery networks.

Several leading ISPs will enable IPv6 for enough of their customer base that at least one percent of their residential subscribers who visit IPv6-enabled websites;

rb-

The Internet is quickly running out of IP addresses; the last addresses in Internet Protocol version 4 were officially distributed early in 2011, which I wrote about here.


Google, Facebook and Yahoo Test IPv6

A global trial of IPv6 is scheduled for June 8th, 2011. Google (GOOG), Facebook, Yahoo (YHOO), and Akamai (AKAM) will reportedly take part in the IPv6 “test flight.” The Internet Society, a non-profit group that educates people and companies about Internet issues, is coordinating World IPv6 Day. Those who sign up for the test will make their pages available via IPv6 for 24 hours to help iron out problems created by the switch to the new addressing scheme.

IPv6 good news

“By providing an opportunity for the internet industry to collaborate to test IPv6 readiness we expect to lay the groundwork for large-scale IPv6 adoption and help make IPv6 ready for prime time,” said Leslie Daigle, chief Internet technology officer at the Internet Society, in a statement.

“The good news is that internet users don’t need to do anything special to prepare for World IPv6 Day,” said Lorenzo Colitti, a network engineer at Google, in a blog post. “Our current measurements suggest that the majority (99.95%) of users will be unaffected. However, in rare cases, users may experience connectivity problems, often due to misconfigured or misbehaving home network devices.”

According to Google, Vint Cerf, the program manager for the ARPA Internet research project, chose a 32-bit address format for an experiment in packet network interconnection in 1977. For more than 30 years, 32-bit addresses have served us well, but now the Internet is running out of space. IPv6 is the only long-term solution, but it has not yet been widely deployed. In November 2010 Mr. Cerf, one of the driving forces behind Google’s IPv6 efforts, warned that the net faced “turbulent times” if it did not move quickly to adopt IPv6.

rb-

It will be interesting to see the number of participants. This all may just blow over the top because not enough of the right people in organizations see the need. I spoke to my boss about this a while ago, and I think one phone call has been made to our upstream ISP to see what they are doing. We probably won’t deal with it until there is a need for a point-to-point IP video conference with China or something, and when it won’t work, then it is a crisis that gets addressed.

Does your organization have a plan for IPv6 migration?


IPv4 Address Grey Market Emerges

The UK’s Register reports that depletion of the world’s IPv4 address space is spawning a new development in the Internet address space: IPv4 address trading. According to the Register, German Python developer Martin von Loewis launched a site called Tradeipv4.com in March. The site is offering IPv4 addresses for $3 for v4 addresses in the American Registry for Internet Numbers (ARIN) region and $4 for those in the Asia Pacific Network Information Center (APNIC) region.

IPv4 address trading, however, is still a grey-market idea for now. FierceTelecom reports that, to make sure unmanaged address transfers don’t compromise network operations or security, the Internet Society (ISOC) said that buyers and sellers should make sure any “transfers be effected per appropriate Regional Internet Registry (RIR) processes.” Citing its own estimate of prices reaching $11 per address, ISOC said, “We strongly urge that such transfers be effected per appropriate RIR processes.” According to ISOC, unmanaged address transfers will undermine network operations and could raise security issues, since anonymous address space can be spoofed.

On its FAQ page, Tradeipv4.com says its auctions can cover both the sale and lease of addresses, subject to RIR policies. Some of these policies, the site notes, have grey areas. For example, APNIC policy aims to discourage address transfer by applying what amounts to a 12-month embargo on the originating party receiving new addresses. However, Tradeipv4.com dismisses this as irrelevant, since APNIC’s space is exhausted and no new blocks are being assigned, according to FierceTelecom. Despite these concerns, Tradeipv4.com maintains that it can sell and lease IPv4 addresses while following RIR policies.

This is not just an SMB issue: Microsoft (MSFT) recently bought Nortel’s IPv4 addresses (which I wrote about here). Craig Labovitz, Chief Scientist for network security vendor Arbor Networks, told FierceTelecom that Nortel’s deal with Microsoft reflects how IPv4 depletion is becoming a more pressing issue, now that IPv4 is a scarce resource.

IPv4 addresses have not been a scarce resource and no one has had to pay more, but what really is starting to change is Microsoft spending money to buy Nortel’s IPv4 address space. For the first time, there’s now a price associated with v4, and once you have a price you start having providers charge for it and start seeing people having a reason to care.

The Register article notes that the Canadian government, via its Industry Canada department, is also against the trade of IPv4 addresses, and it has weighed in on the sale of Nortel’s addresses to Microsoft. In a letter discussed on CircleID, Industry Canada expressed its support for the long-standing position that addresses are not property and therefore cannot be traded.

rb-

I see several problems with the IPv4 grey market. Trading in IPv4 is just another sign of resistance to IPv6. Firms with a global view have to realize that the reallocation of a handful of IPv4 addresses will not make a difference in an IPv6 world. Another issue could be the routability of an IPv4 address originally assigned to APNIC and traded on the grey market to RIPE. Right now there is no guarantee that these types of addresses will be recognized. There are also political issues: the Canadian government opposes the IP grey market. Industry Canada has expressed its support for the long-standing position that addresses are not property and therefore cannot be traded.

The ISOC says IPv4 addresses are worth $11.00, MSFT paid $11.25, and ARIN addresses are now (04-30-11) trading at $7.00 per IP on tradeipv4.com, so MSFT appears to have overpaid for the Nortel address range. The bigger issue is the change in the nature of an IP address.

What do you think?

Are grey market IPv4 addresses worth it?

Has your firm started its transition to IPv6?
