Tag Archive for IPv6

IPv4 Doomsday Pushed Back

The American Registry for Internet Numbers (ARIN) announced (10-20-2010) that Interop returned its unneeded Internet Protocol version 4 (IPv4) address space. The ARIN Press Release explains that Interop was originally allocated a /8 before ARIN’s existence and the availability of smaller address blocks.

Another press release indicates that Interop founder Dan Lynch acquired the address block to allow for unfettered interoperability testing between TCP/IP equipment vendors in the formative years of the Internet. The organization recently realized it was only using a small part of its address block. Interop will continue to use a small part of the original grant for its 25-year mission to foster industry-wide interoperability while returning the rest of the address block to ARIN for the greater good of the Internet community.

ARIN will accept the returned space and not reissue it for a short period, per existing operational procedure. After the hold period, ARIN will follow global policy at that time and return it to the global free pool or distribute the space to those organizations in the ARIN region with documented need, as appropriate.

With less than 5% of the IPv4 address space left in the global free pool, ARIN warns that Interop’s return will not significantly extend the life of IPv4. ARIN continues to emphasize the need for all Internet stakeholders to adopt the next generation of Internet Protocol, IPv6.

rb-

As the original poster at Slashdot points out, if any of the other IPv4 /8 address holders return their unused addresses, the IPv4 exhaustion date would be pushed back even further. I wonder what some of these companies plan on doing with all of these IP addresses?

  • HP has 32 million publicly routable addresses (16 million of its own and 16 million from DEC, which HP acquired when it ingested Compaq), most of which seem to be used to handle VoIP calls to India for sales and support calls.
  • Is Ford going to install an IPv4/IPv6 gateway on all the cars with My Ford Touch, an upgrade of Sync, its in-car Internet service with Microsoft?
  • How is the USPS using its 16 million IP addresses?

Some IPv4 /8 Address Holders

| Prefix | Designation | Date |
| 003/8 | General Electric Company | 1994-05 |
| 004/8 | Level 3 Communications, Inc. | 1992-12 |
| 008/8 | Level 3 Communications, Inc. | 1992-12 |
| 009/8 | IBM | 1992-08 |
| 012/8 | AT&T Bell Laboratories | 1995-06 |
| 013/8 | Xerox Corporation | 1991-09 |
| 015/8 | Hewlett-Packard Company | 1994-07 |
| 016/8 | Digital Equipment Corporation | 1994-11 |
| 017/8 | Apple Computer Inc. | 1992-07 |
| 018/8 | MIT | 1994-01 |
| 019/8 | Ford Motor Company | 1995-05 |
| 034/8 | Halliburton Company | 1993-03 |
| 035/8 | MERIT Computer Network | 1994-04 |
| 040/8 | Eli Lily & Company | 1994-06 |
| 048/8 | Prudential Securities Inc. | 1995-05 |
| 054/8 | Merck and Co., Inc. | 1992-03 |
| 056/8 | US Postal Service | 1994-06 |

The allocation of IPv4 address space to various registries is listed at www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

D-Link Raises Net Security Bar

Help Net Security reports that D-Link (TSEC dlink) has upgraded its products to rival some of the “enterprise-level” devices I see at client sites. The vendor has enhanced its router security to a higher level of protection to guard against hacking, worms, viruses, and other malicious Web attacks by incorporating DNSSEC, IPv6, and CAPTCHA.

DNSSEC is a suite of Internet Engineering Task Force (IETF) specifications (the core DNSSEC RFCs are RFC 4033, RFC 4034, and RFC 4035) that adds security to the DNS, offering assurance that the information received from a Domain Name Server is authentic, according to the article. The security extensions are designed to protect the DNS from man-in-the-middle and cache poisoning attacks, which can occur when hackers corrupt DNS data stored on recursive name servers to redirect queries to malicious sites.

DNSSEC applies digital signatures to DNS data to authenticate the data’s origin and verify its integrity as it moves across the Internet. This can give users an effective means of verifying that their applications, such as Web or email, are using the correct addresses for the servers they want to reach.

D-Link is also providing additional security and future-proofing its routers by migrating to IPv6 certification, according to Help Net Security. With the growing number of Internet-capable devices on the market, the pool of IPv4 addresses has dropped to six percent and is expected to run out sometime in 2011. While this is a major motivation for IPv6, other improvements are also realized.

The IPv6 specification now includes certain security measures that were not defined in IPv4, such as IPSec. IPSec is a method of authenticating and encrypting data transferred between pairs of hosts. Although it was possible to implement IPSec with IPv4, it was not part of the specification. IPSec is now a requirement, not an option, in the IPv6 specification.

D-Link has previously implemented a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) to improve security. CAPTCHA is a challenge-response test that ensures that a response during a user login is not computer-generated but is truly entered by a human hand. It requires a user to manually enter a small amount of text displayed in an image, which helps prevent automated registration and fraud.

rb-

I looked at a production switch today that was still running only CatOS 9.0 (EOL 2009); they might be better protected with a new D-Link.

 


Facebook Adds IPv6

NetworkWorld is reporting that Facebook began offering “experimental, non-production” support for IPv6 on June 10, 2010. With more than 350 million active users, 65 million of them accessing the site through mobile devices, Facebook is planning its deployment of native IPv6 to its network backbone. The social network says it wants to support both IPv4 and IPv6-aware clients. In a presentation at the Google IPv6 Implementors Conference, Facebook’s network engineers said it was “easy to make [the] site available on v6.”

Facebook said it deployed dual-stack IPv4 and IPv6 support on its routers, and that it made no changes to its hosts to support IPv6. FB also said it was supporting an emerging encapsulation mechanism known as Locator/ID Separation Protocol (LISP), which separates Internet addresses from endpoint identifiers to improve the scalability of IPv6 deployments. “Facebook was the first major Web site on LISP (v4 and v6),” Facebook engineers said during their presentation. They also said that using LISP allowed them to deploy IPv6 services quickly with no extra cost. Facebook’s IPv6 services are available at www.v6.facebook.com, m.v6.facebook.com, www.lisp6.facebook.com, and m.lisp6.facebook.com.

John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), has been urging Web site operators to deploy IPv6. Curran set a deadline of Jan. 1, 2012, when all public-facing Web sites must support IPv6 or risk providing visitors with lower-grade connectivity. The remaining pool of unallocated IPv4 addresses could be depleted as early as December due to unprecedented levels of broadband and wireless adoption in the Asia-Pacific region, experts say.

Richard Jimmerson, CIO at the American Registry for Internet Numbers (ARIN), told NetworkWorld, “It’s moving so fast now that it’s hard for us to be current on it any longer.” ARIN provides IPv4 addresses to carriers in North America. “We’ve gone through 10 /8s since the beginning of this year,” Jimmerson says. “To put that in perspective, in all of 2009, we only went through eight /8s. It’s very possible that the IANA free pool will deplete in December or January at the earliest.”

The article reports that while demand for IPv4 addresses remains flat in North America, there has been a huge surge in the Asia-Pacific region this year that is likely to stay strong. “The Asia-Pacific region has very large economies that are underserved by IP addresses such as India, China, and other places,” Jimmerson told NetworkWorld. “They are really seeing a big surge in broadband deployment and wireless data handset deployment, and that translates into having to have unique IP address space. That trend is likely to continue.”

rb-

Just last week, I was speaking with a potential client about getting ready for IPv6 on their network. They had not even talked yet with their ISP about getting IPv6 traffic to them, let alone how they were going to deal with IPv6 in and out of the network.

 


IPv6 Malware

In a December 2009 report, The Future of Threats and Threat Technologies: How the Landscape Is Changing, anti-malware vendor Trend Micro predicts that IPv6 changes to the Internet infrastructure will widen the playing field for cyber-criminals.

One of the changes Trend Micro predicts is the IPv6 Malware Experimentation Stage. The anti-virus firm points out that many weaknesses were discovered in IPv4 during the mid-to-late-1990s as the Internet came into its own. The vendor predicts IPv6 will have a similar pattern of growth.

As the IPv6 user base expands, weaknesses will be discovered in the IPv6 protocol and its implementation. The anti-virus firm believes that the current low IPv6 adoption rate and the increased awareness of IPv4 exhaustion will delay any wide-scale IPv6 malware beyond 2010. However, as users start to explore IPv6, so will the cyber-criminals. The vendor says that users can expect to find some proof-of-concept elements in IPv6 during 2010. Possible IPv6 abuse includes new covert channels or Command and Control (C&C) for botnets.

IPv6 tunneling protocols pose threats

One attack vector that will open up as users start experimenting with IPv6 is tunneling protocols, according to Ben April, an Advanced Threat Researcher at Trend Micro. Mr. April points out on the Trend Micro Malware Blog that the 6to4 (RFC 3056) and Teredo (RFC 4380) tunneling protocols pose threats to networks as they transition to IPv6.

Trend’s April says that neither protocol claims to offer any significant security protection. According to the blog, 6to4 tunneling requires that the user endpoint exist in publicly routable IP space and be directly reachable by any 6to4 serving device, which carries the risk of having to trust traffic coming from any address claiming to support the protocol for full functionality. 6to4 can also support routes to networks behind the endpoint. Endpoints have an IPv6 address that includes the IPv4 address of the endpoint converted to hex. According to April, a server on the IPv6 Internet should also be fortified against both IPv4 and IPv6 threats. 6to4 comes with an entire RFC (RFC 3964) devoted to security considerations.

The Teredo RFC goes so far as to call itself the IPv6 Provider of Last Resort. The blog says this label comes primarily from the crazy stunts required to successfully traverse multiple NAT gateways. Unlike 6to4, however, only one host can exist behind the endpoint. April points out the risks that Teredo creates by tunneling from the public Internet to a host inside a NATed environment, which creates the need for a well-protected host. The protocol also allows endpoint address leakage, which would aid an attacker. Teredo encodes the IPv4 exit point of the NAT gateway, the UDP port used by the external NAT session, and the IPv4 address of the tunnel endpoint used by the client in a well-known, slightly obfuscated way.
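The address leakage described in the two paragraphs above can be seen by decoding the addresses themselves. The following is an added example, not code from the original post or from Trend Micro: it follows the address layouts in RFC 3056 and RFC 4380 to recover the embedded IPv4 details, so that tunneled hosts can be spotted in flow logs. The function names and the sample log lines are constructed for illustration.

```python
import ipaddress

TEREDO_NET = ipaddress.ip_network("2001::/32")     # Teredo prefix (RFC 4380)
SIXTOFOUR_NET = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)


def decode_tunnel_address(text):
    """Return the IPv4 details embedded in a 6to4 or Teredo address,
    or None for native IPv6 and for anything that is not an IPv6 address."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ipaddress.AddressValueError:
        return None
    raw = int(addr)
    if addr in SIXTOFOUR_NET:
        # The 32 bits after the 2002 prefix are the endpoint's IPv4 address.
        endpoint = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
        return {"type": "6to4", "endpoint_ipv4": str(endpoint)}
    if addr in TEREDO_NET:
        # The server address is stored in the clear; the NAT's external UDP
        # port and IPv4 address are stored with every bit inverted.
        server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
        port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
        nat = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {"type": "teredo", "server_ipv4": str(server),
                "nat_ipv4": str(nat), "nat_udp_port": port}
    return None


def find_tunnel_addresses(log_lines):
    """Scan whitespace-separated log fields and decode every tunnel address."""
    hits = []
    for line in log_lines:
        for field in line.split():
            decoded = decode_tunnel_address(field)
            if decoded:
                hits.append((field, decoded))
    return hits


# Constructed sample flow records using documentation-range IPv4 addresses.
SAMPLE_LOG = [
    "2010-10-20T12:00:01 src=10.0.0.5 2002:c000:204::1 443",
    "2010-10-20T12:00:02 2001:0:c633:6407:8000:63bf:3fff:fdd2 80",
    "2010-10-20T12:00:03 2001:db8::10 53",
]

if __name__ == "__main__":
    for address, info in find_tunnel_addresses(SAMPLE_LOG):
        print(address, info)
```

The native address 2001:db8::10 is deliberately included: it shares the leading 2001 group with Teredo but falls outside 2001::/32, so it is not reported.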

One answer to the IPv6 security issues could come from network security and unified threat management (UTM) provider Fortinet. In December 2009, the vendor announced that it had achieved 56 Gbps of IPv6 throughput on its FortiGate-5140 multi-threat chassis-based system. The 56 Gbps for IPv6 throughput is based on its proprietary FortiASIC technologies that accelerate security processing of the FortiGate-5000 Series blades and modules. The FortiASIC processors are security processors that accelerate the processing of network traffic focusing on security enforcement including firewall policies and other content inspection requirements.

The IPv6 performance of the equipment was benchmarked and validated with a BreakingPoint Elite resiliency testing chassis with multiple 10 GbE interfaces. Fortinet’s FortiOS firmware has fulfilled all requirements for IPv6 Phase-2 Core Support as a router product. This certification is awarded by the IPv6 Ready Logo Program.

As Trend Micro’s April says, “IPv4 firewall rules don’t do anything to IPv6 traffic.”

 


YouTube Goes IPv6

YouTube, one of the most popular, biggest time-wasters and bandwidth hogs on the web, is now IPv6 too. Hurricane Electric, whose IPv6 backbone is the largest in the world, reports a 30x increase in IPv6 traffic originating from YouTube. Martin Levy, Director of IPv6 Strategy at Hurricane Electric, told PCWorld in a recent article:

“On Thursday, midday California time, we saw a large amount of inbound IPv6 traffic, which we knew came from Google … IPv6 traffic came into ISPs from all over the world when Google turned up its IPv6 traffic on YouTube.” Levy continued, “IPv6 is being supported at many different Google data centers. We’re talking about a traffic spike that is 30-to-1 type ratios. In other words, 30 times more IPv6 traffic is coming out of Google’s data centers than before.”

The YouTube IPv6 traffic appears to be production, as opposed to a test, because it has remained steady since it started and is following normal usage patterns. Levy told PCWorld, “This IPv6 traffic is mimicking classic end-user bandwidth shaping … It’s not machine driven; it’s human eyeball driven.”

Industry observers hailed the YouTube upgrade as a sign of the growing momentum for the next-generation Internet protocol. “This is not some IPv6-enabled scientific site…This is the mainstream media,” Levy observes.

NetworkWorld reports that Google is anticipating IPv6 traffic growth as more devices such as LTE handsets and set-top boxes ship with IPv6 support. Google already supports IPv6 with its Search, Alerts, Docs, Finance, Gmail, Health, iGoogle, News, Reader, Picasa, Maps, Wave, Chrome, and Android products.

 
