SYZYGY Engineering Internet Protocol version 6 and Network Centric Operations Key Concepts Will Ivancic SYZYGY Engineering


1 Internet Protocol version 6 and Network Centric Operations: Key Concepts. Will Ivancic, SYZYGY Engineering. © 2004 Syzygy Engineering – Will Ivancic

2 Network Design Triangle (figure)
Vertices: Policy, Architecture, Protocols
Design drivers pulling on the triangle: Security, $$$ Cost $$$, Mobility, Scalability, Maturity, Bandwidth, QoS

3 Policy (figure) Source:

4 IPv6 Functional Capabilities
Expanded Addressing and Routing
Simplified Header Format
Extension Headers and Options
–Options are placed in separate headers after the core routing information
–Options do not necessarily have to be processed in the core network (speed)
Authentication and Encryption Support
–Required in ALL implementations of IPv6! (True of the original IPv6 node requirements, which made IPsec mandatory to implement; RFC 6434 later relaxed this to a SHOULD, so do not assume a given IPv6 stack ships it.)
Autoconfiguration
Source Routing Support
–Ad Hoc Network
–Route Optimization for Mobility
–Caveat: the Type 0 Routing Header was deprecated by RFC 5095 because it allowed an attacker to bounce traffic between two routers for amplification; Mobile IPv6 route optimization uses the Type 2 Routing Header, which carries exactly one address.
Simple and Flexible Transition
–Incremental Upgrade
–Incremental Deployment
–Easy Addressing
–Low Startup Costs
Quality of Service Capabilities
–Real-Time Traffic
–Traffic Class
–Flow labels

5 IPv4 & IPv6 QoS Fields (header comparison figure)
IPv4 header, 20 bytes without options: Version | IHL | Type of Service | Total Length | Identification | Flags | Fragment Offset | Time to Live | Protocol | Header Checksum | Source Address | Destination Address | Options | Padding
IPv6 header, 40 bytes fixed: Version | Traffic Class | Flow Label | Payload Length | Next Header | Hop Limit | Source Address | Destination Address
Legend:
–Field's name kept from IPv4 to IPv6: Version, Source Address, Destination Address
–Fields not kept in IPv6: IHL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding (fragmentation and options move into extension headers; there is no header checksum at all)
–Name and position changed in IPv6: Type of Service becomes Traffic Class, Total Length becomes Payload Length, Protocol becomes Next Header, Time to Live becomes Hop Limit
–New field in IPv6: Flow Label
© 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock
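The field mapping above is easiest to see by parsing both headers from bytes. The following is an added example, not code from the slides: it builds one IPv4 and one IPv6 packet from constructed addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32), verifies the IPv4 header checksum that IPv6 drops, and returns the QoS bits (DSCP/ECN from Type of Service or Traffic Class, plus the IPv6 Flow Label) in one structure. The `Header` class and helper names are this example's own.

```python
"""Parse IPv4 and IPv6 fixed headers and expose the fields the slide compares."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv6Address


@dataclass
class Header:
    version: int
    src: str
    dst: str
    payload_len: int      # bytes after the (base) header
    next_proto: int       # IPv4 "Protocol" / IPv6 "Next Header"
    hops: int             # IPv4 "Time to Live" / IPv6 "Hop Limit"
    header_len: int       # IPv4: 20 + options; IPv6: always 40
    qos: dict = field(default_factory=dict)   # ToS / Traffic Class split into DSCP+ECN, Flow Label on v6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 only; IPv6 has no header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, tos=0, ttl=64, ident=0):
    """Minimal IPv4 packet (IHL=5, DF set, no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(src, dst, next_header, payload, traffic_class=0, flow_label=0, hop_limit=64):
    """Fixed 40-byte IPv6 header (RFC 2460) in front of the payload."""
    if not 0 <= flow_label < (1 << 20):
        raise ValueError("flow label is 20 bits")
    word0 = (6 << 28) | ((traffic_class & 0xFF) << 20) | flow_label
    return struct.pack("!IHBB16s16s", word0, len(payload), next_header, hop_limit,
                       IPv6Address(src).packed, IPv6Address(dst).packed) + payload


def parse(pkt: bytes) -> Header:
    """Dispatch on the Version nibble, the one field that kept both name and position."""
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        if len(pkt) < 20:
            raise ValueError("short IPv4 header")
        ver_ihl, tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = \
            struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        hlen = (ver_ihl & 0x0F) * 4
        if hlen < 20 or len(pkt) < hlen or total_len < hlen:
            raise ValueError("bad IHL / Total Length")
        if inet_checksum(pkt[:hlen]) != 0:      # a header including its own checksum sums to zero
            raise ValueError("bad IPv4 header checksum")
        return Header(4, str(IPv4Address(src)), str(IPv4Address(dst)), total_len - hlen, proto, ttl,
                      hlen, {"tos": tos, "dscp": tos >> 2, "ecn": tos & 0x3})
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("short IPv6 header")
        word0, plen, nh, hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
        tclass = (word0 >> 20) & 0xFF
        return Header(6, str(IPv6Address(src)), str(IPv6Address(dst)), plen, nh, hlim, 40,
                      {"traffic_class": tclass, "dscp": tclass >> 2, "ecn": tclass & 0x3,
                       "flow_label": word0 & 0xFFFFF})
    raise ValueError("unknown IP version %d" % version)


if __name__ == "__main__":
    # Constructed samples: DSCP 46 (EF) on both, plus a non-zero Flow Label on the IPv6 packet.
    v4 = build_ipv4("192.0.2.1", "198.51.100.7", 17, b"\x00" * 8, tos=0xB8)
    v6 = build_ipv6("2001:db8::1", "2001:db8::2", 17, b"\x00" * 8, traffic_class=0xB8, flow_label=0x12345)
    print(parse(v4))
    print(parse(v6))
```

Note that the checksum check is the only integrity protection the IPv4 header has and it is not security: any on-path node can recompute it after changing a field. The IPv6 header removes even that, which is why the slides later lean on IPsec for integrity.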

6 Addressing Architecture
Unicast
–Unspecified 0::0 (written ::)
–Loopback 0::1 (written ::1)
–User Local Addresses
–Link Local prefix FE80::/10
–Site Local prefix FEC0::/10 (Deprecated)
–Unique Local IPv6 Unicast prefix FC00::/7: analogous to IPv4 private address space; provides for about 2.2 trillion (2^41) /48 site prefixes
Anycast
Multicast prefix FF00::/8
Nice explanation of Anycast for IPv4 at

7 Address Allocation Policy
128-bit addresses:
–340,282,366,920,938,463,463,374,607,431,768,211,456 (about 3.4 × 10^38, i.e. 340 undecillion, not duodecillion)
–Over a million addresses for every person on the planet!
–But not really, due to inefficiency of address allocations
Administered by IANA to Regional Registries: ARIN, APNIC, RIPE, LACNIC
The allocation process is under review by the Registries:
–IANA allocates 2001::/16 to registries
–Each registry gets a /23 prefix from IANA
–Formerly, all ISPs were getting a /35
–With the new policy, the Registry allocates a /32 prefix to an IPv6 ISP
–Then the ISP allocates a /48 prefix to each customer (or potentially /64)
(Figures as of 2003. Since then IANA has issued each RIR a /12, and RIRs routinely allocate larger than /32 to ISPs, but the /32, /48, /64 boundaries below are still the ones to expect in practice.)
Prefix hierarchy (figure): Registry /23 | ISP prefix /32 | Site prefix /48 | LAN prefix /64 | Interface ID (interface identifier, 64 bits)
© 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

8 Hierarchical Addressing & Aggregation
Larger address space enables (demands):
–Aggregation of prefixes announced in the global routing table
–Helps improve routing speed
–Efficient and scalable routing
Figure: IPv6 Internet 2001::/16; ISP 2001:0410::/32 only announces the /32 prefix; Customer no 1 holds 2001:0410:0001::/48 and Customer no 2 holds 2001:0410:0002::/48 inside it
© 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

9 Site Multihoming (figure)
IPv6 Internet 2001::/16
ISP-A 2001:A010::/32, ISP-B 2001:B010::/32, ISP-C 2001:C010::/32; each ISP only announces its /32 prefix
Corporation (Syzygy Engineering) holds one /48 from each provider: 2001:A010:0001::/48, 2001:B010:0001::/48, 2001:C010:0001::/48
ISP-C is not allowed to advertise ISP-A's routes (the corporation's /48 out of ISP-A's aggregate)

10 Policy Proposal: Provider-independent IPv6 Assignments for End Sites
Direct assignments from ARIN to end-user organizations
–Criteria: To qualify for a direct assignment, an organization must: not be an IPv6 LIR; and qualify for an IPv4 assignment or allocation from ARIN under the IPv4 policy currently in effect.
–Initial assignment size: Organizations that meet the direct assignment criteria are eligible to receive a direct assignment. The minimum size of the assignment is /48. Organizations requesting a larger assignment must provide documentation justifying the need for additional subnets. These assignments shall be made from a distinctly identified prefix and shall be made with a reservation for growth of at least a /44.
–Subsequent assignment size: Additional assignments may be made when the need for additional subnets is justified. When possible, assignments will be made from an adjacent address block.

11 Restoring an End-to-End Architecture
End-to-End Connectivity Restores the "Promise" of Multimedia Collaboration
NAT/PAT Breaks Peer-to-Peer
Elimination of the NAT Bottleneck Restores End-to-End
Peer-to-Peer Applications need Global Addresses when You Connect to: IP Telephony (Enterprise, Mobile and Residential), IP Video Conferencing, Enhanced Instant Messaging, Distributed Gaming
Figure: IPv4 Internet with NAT at the edges versus IPv6 Internet with end-to-end addressing
© 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

12 Transition and Operations Costs (figures: Cost Difference Between IPv4 / IPv6 Operations; Transition Cost) Source: PC of Japan

13 IP Address Status in China (chart)
Series: Total IPv4 addresses (unit 1) and Chinese Population (unit 1 million). IPv4 totals shown: 3,746,304; 5,409,280; 7,555,584; 13,269,504; 21,534,208; 29,002,240; 41,456, (last value truncated in the transcript; the year axis was not captured). Data source: CNNIC, Dec. 2003
"IPv6 is good for China and China is good for IPv6. China brings the scale needed for IPv6. IPv6 killer application will occur in China firstly" – Latif Ladid, IPv6 Forum President

14 IPv6 Transition Plan (Unclassified, For Official Use Only)
https://disronline.disa.mil/a/DISR/docs/secure/DoD-IPv6_Transition_Plan_v1_0_ _update1.pdf
Contents: Overall Transition Strategy; IPv6 Transition Governance; Acquisition and Procurement of IPv6 Capabilities; Networking and Infrastructure; Addressing; Information Assurance; Pilots, Testing and Demonstrations; Applications; Standards; Training

15 IPv6 Transition Plan (v2) https://disronline.disa.mil/a/DISR/docs/secure/DoD_IPv6_Transition_Plan_v2_Final.pdf

16 Potential Showstoppers to Fully IP-based Tactical Operations Today
Further research in the following areas is required in order to enhance the IPv6 protocol suite to support Network Enabled Command:
–Embedding/encapsulation of legacy systems by means of interoperable gateways
–Potential of anycast addressing to foster SOA; service discovery protocols such as IPsec discovery need standardization
–A global IP security architecture needs to encompass both deployable and highly dynamic domains supporting all kinds of host and network mobility; scalable tactical PKI, e.g. a CA with distributed sub-CAs
–Optimization of MANET routing mechanisms: a compromise is needed between the low routing overhead of reactive routing and the instant route availability of proactive routing; true multicast routing in the mobile domain
–QoS that considers the heterogeneous (e.g. in terms of bandwidth and latency) and dynamic availability of communication links
–Work on standardized service interoperability profiles
–IPv6 (multicast) enabled applications

17 v4/v6 Co-Existence Strategy? (figure) Source: Sinead O'Donovan, Product Unit Manager, Windows Networking, Microsoft

18 Key Technology Enablers
Zero Configuration in rapidly deployed and mobile networks
–DNS, DHCP and KEY Servers
PKI, IKE and Key Management, and Applications

19 Peer-to-Peer Networking
Voice, Video and Data
Issues:
–Security (particularly in DoD and Corporate Networks)
–Control
End-to-End relative to Peer-to-Peer
–End-to-End allows direct communication once the peer's address is known
–Typical IPv4 with NAT requires a Peer-to-Peer server and may require application software (IM, KaZaA, etc.)
Figure, Typical IPv4 Peer-to-Peer Communications (client/server model): each host sits behind a firewall and router w/NAT, and the two reach each other only through a Peer-to-Peer Service (IM, KaZaA, etc.) on the Internet (steps 1, 2, 3)
Figure, IPv6 Peer-to-Peer Communication: each host sits behind a firewall and router with no NAT and the hosts talk directly; the Peer-to-Peer Server is not required

20 New "IPv6 Capable" Definition
A product must meet the IPv6 base requirements (defined in "DoD IPv6 Standard Profiles for IPv6 Capable Products") and support the requirements for one (or more) product categories
–e.g. Workstations, routers, switches, security devices, firewalls, etc.
And support the IPv6 version of any IPv6 protocol functional categories required for its function within the DoD Global Information Grid (GIG)
Official Site
–(May require Certificate or Common Access Card to obtain access)
–Otherwise try

21 What is Mobility?
Transportable
–Telecommuter
–Traveler
–Relatively static once connected
–Single point of connection
–Connectivity: IPv6 Autoconfiguration, VPN
Mobile
–Mobile Devices: PDAs, Cell Phones
–Mobile Networks: Trains, Planes, Automobiles
–Connectivity: Mobile-IP, Networks in Motion (NEMO), Ad Hoc Networks

22 Mobile Networking Solutions
Routing Protocols
–Route Optimization
–Convergence Time
–Sharing Infrastructure – who owns the network?
Mobile-IP
–Route Optimization
–Convergence Time
–Sharing Infrastructure
–Security – Relatively Easy to Secure
Domain Name Servers
–Route Optimization
–Convergence Time
–Reliability
Source – Will Ivancic

23 Mobility at What Layer?
Layer-2 (Radio Link)
–Fast and Efficient
–Proven Technology within the same infrastructure: Cellular Technology Handoffs, WiFi handoffs
Layer-3 (Network Layer)
–Slower Handover between varying networks
–Layer-3 IP address provides identity
–Security Issues: Need to maintain the address
Layer-4 (Transport Layer)
–Research Area
–Identity not tied to the layer-3 IP address
–Proposed Solutions: HIP – Host Identity Protocol; SCTP – Stream Control Transmission Protocol

24 Location Identifier (figure)
Actors: Alice (Mobile Node); Headquarters (Location Manager), which keeps track of Alice; Bob (Corresponding Node); the Internet between them
Exchange shown:
–Alice to HQ: "I am in Cleveland, Ohio"
–Bob: "Where is Alice's Location Manager?"
–Bob to Alice: "Hello Alice"
–Alice to Bob: "Hello Bob, I am in Cleveland, Ohio"
–Bob to Alice: "What is the weather like in Cleveland?"

25 Securing Networks
Constraints/Tools
–Policy: Security Policy, Education, Enforcement
–Architecture
–Protocols
Must be done up front to be done well

26 Security
More security means lower bandwidth utilization and lower performance: tunnels, tunnels, tunnels and more tunnels, each adding a header (and, for encryption, padding and an integrity check) around the same user payload.
Lower performance in turn means less security: the user turns OFF security to make the system usable!
Thus, we need more bandwidth to ensure security.
Header stacking figure: ORIGINAL PACKET = HEADER | PAYLOAD; the VIRTUAL PRIVATE NETWORK adds a HEADER in front of the original packet; ENCRYPTION AT THE NETWORK LAYER adds another HEADER in front of that; ENCRYPTION ON THE RF LINK adds a third HEADER outermost.
Source – Will Ivancic
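The cost of that header stacking is easy to underestimate for small packets. The following is an added example, not material from the slides: it sizes a packet through the three layers of the figure, modelling the VPN and network-layer encryption as IPsec ESP in tunnel mode (RFC 4303 layout, with an assumed AES-CBC 16-byte IV and block size, a 16-byte ICV and a 40-byte outer IPv6 header) and the RF-link encryption as an assumed 8-byte framing header plus 16-byte ICV. The 80-byte voice packet (40 IPv6 + 8 UDP + 12 RTP + 20-byte codec frame at 50 packets/s) and the 1280-byte data packet are constructed inputs.

```python
"""Size a packet through stacked encryption layers and turn the result into a bit rate."""


def esp_tunnel(inner_len, iv_len=16, block=16, icv_len=16, outer_ip=40):
    """IPsec ESP tunnel mode, RFC 4303 layout:
    outer IP | SPI(4) | Seq(4) | IV | [inner packet | padding | Pad Length(1) | Next Header(1)] | ICV.
    The bracketed part is padded up to the cipher block size.  Defaults assume AES-CBC and a
    128-bit ICV over an IPv6 outer header (assumptions, not taken from the slides)."""
    body = inner_len + 2                 # inner packet plus the 2-byte ESP trailer
    pad = (-body) % block                # bytes needed to reach a block boundary
    return outer_ip + 8 + iv_len + body + pad + icv_len


def link_crypto(inner_len, hdr=8, icv_len=16):
    """RF-link encryption modelled as a fixed header plus ICV with no padding.
    Hypothetical figures; a real link-layer scheme (e.g. MACsec) has its own framing."""
    return inner_len + hdr + icv_len


def stacked_sizes(inner_len, layers):
    """Apply each encapsulation in turn and return the size after every layer."""
    sizes = [inner_len]
    for layer in layers:
        sizes.append(layer(sizes[-1]))
    return sizes


def bitrate_bps(packet_len, pps):
    """Wire bit rate for a stream of packet_len-byte packets at pps packets per second."""
    return packet_len * 8 * pps


def efficiency(user_bytes, wire_bytes):
    """Fraction of the wire that carries user data."""
    return user_bytes / wire_bytes


if __name__ == "__main__":
    layers = [esp_tunnel, esp_tunnel, link_crypto]     # VPN, network-layer crypto, RF-link crypto
    voice = stacked_sizes(80, layers)                  # constructed: 20-byte codec frame in IPv6/UDP/RTP
    data = stacked_sizes(1280, layers)                 # constructed: IPv6 minimum-MTU-sized packet
    print("voice packet per layer:", voice, "bytes; on the wire at 50 pps:", bitrate_bps(voice[-1], 50), "bit/s")
    print("user data efficiency: voice %.3f, data %.3f" % (efficiency(20, voice[-1]), efficiency(1280, data[-1])))
```

For the voice stream the 20 bytes of speech end up inside 296 bytes on the air, a 118 kbit/s radio link budget for an 8 kbit/s codec, which is the situation the slide describes: on a constrained RF link the operator either provisions that bandwidth or the user strips a layer off. Note also that the final size of the 1280-byte packet exceeds the IPv6 minimum link MTU, so each encrypting layer must fragment or the path MTU must be engineered.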

27 Realities of ROI and Security
Network security itself does not provide any type of ROI – it is about cost management.
Example – You buy a Picasso straight from the artist and a safe to store it in. The safe adds no value to the painting – it only helps prevent its loss (i.e. a cost to you).
An organization that fails to adequately prepare a robust security solution faces potential loss from:
–Lost productivity / lost e-commerce revenue
–Regulatory penalties
–Tort litigation
–Long-term business loss from lost customer confidence
Source – Yurie Rich, Command Information

28 IPsec
In non-static environments such as mobile and ad hoc networks, your address no longer identifies you!
Source – Merike Kaeo
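Slides 24 and 28 make the same point from two sides: once Alice moves, the address Bob reaches her at is a locator, not her identity, so whatever tells Bob where she is must be authenticated by something other than the address. The following is an added example, not code from the slides: the three parties of slide 24 (Alice as mobile node, Headquarters as location manager, Bob as correspondent) exchange location updates in which Alice's identity is bound to a key she shares with HQ. Mobile IPv6 proper protects binding updates to the home agent with IPsec; this example substitutes an HMAC over a pre-shared key so it runs on the standard library alone. The message format, the `MobileNode`, `LocationManager` and `CorrespondentNode` names and the 2001:db8::/32 addresses are this example's own assumptions.

```python
"""Identity/locator split with authenticated, replay-protected location updates."""
import hashlib
import hmac


def _tag(key: bytes, identity: str, locator: str, seq: int) -> str:
    """MAC over identity, current locator and sequence number (assumed message format)."""
    return hmac.new(key, f"{identity}|{locator}|{seq}".encode(), hashlib.sha256).hexdigest()


class MobileNode:
    """Alice: keeps a fixed identity and a key shared with HQ; her address changes as she moves."""

    def __init__(self, identity: str, key: bytes):
        self.identity, self.key, self.seq = identity, key, 0

    def binding_update(self, locator: str) -> dict:
        self.seq += 1                      # monotonic, so HQ can reject replays of old locations
        return {"identity": self.identity, "locator": locator, "seq": self.seq,
                "mac": _tag(self.key, self.identity, locator, self.seq)}


class LocationManager:
    """Headquarters: maps identity -> current locator, accepting only authentic, fresh updates."""

    def __init__(self):
        self.keys = {}        # identity -> pre-provisioned shared key (slide 18's "KEY servers")
        self.bindings = {}    # identity -> (locator, last accepted seq)

    def provision(self, identity: str, key: bytes) -> None:
        self.keys[identity] = key

    def register(self, msg: dict) -> bool:
        key = self.keys.get(msg.get("identity"))
        if key is None or not isinstance(msg.get("seq"), int) or not isinstance(msg.get("mac"), str):
            return False
        expected = _tag(key, msg["identity"], msg["locator"], msg["seq"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False                   # forged, or tampered in transit
        _, last_seq = self.bindings.get(msg["identity"], (None, 0))
        if msg["seq"] <= last_seq:
            return False                   # replay of an earlier (stale) location
        self.bindings[msg["identity"]] = (msg["locator"], msg["seq"])
        return True

    def lookup(self, identity: str):
        return self.bindings.get(identity, (None, 0))[0]


class CorrespondentNode:
    """Bob: addresses Alice by identity and resolves her current locator through HQ each time."""

    def __init__(self, lm: LocationManager):
        self.lm = lm

    def send(self, identity: str, text: str):
        locator = self.lm.lookup(identity)
        return None if locator is None else (locator, text)


if __name__ == "__main__":
    hq = LocationManager()
    hq.provision("alice", b"shared-with-hq")             # constructed key
    alice = MobileNode("alice", b"shared-with-hq")
    bob = CorrespondentNode(hq)
    first = alice.binding_update("2001:db8:c1e:1::a")    # "I am in Cleveland, Ohio"
    print("register:", hq.register(first), "->", bob.send("alice", "Hello Alice"))
    moved = alice.binding_update("2001:db8:1234:7::a")   # Alice moves; same identity, new locator
    print("re-register:", hq.register(moved), "->", bob.send("alice", "What is the weather like?"))
    print("replay of old location accepted?", hq.register(first))
    print("forged update with wrong key accepted?", hq.register(MobileNode("alice", b"guess").binding_update("2001:db8:bad::1")))
```

The two rejections at the end are the security content: an attacker who can only observe Alice's traffic cannot redirect Bob by replaying her old announcement, and one who cannot derive the key cannot register a locator of their choosing. What the example does not cover is an attacker who captures the shared key, which is why the slides pair this with PKI and key management rather than static secrets.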

29 GIG - Black Core (figure)

30 GIG - Striped Core (figure)

31 Flow Label
Used by a host to request special handling for certain packets
A unique flow is identified by the source address and a non-zero flow label
–Expected use is per-flow end-to-end QoS: RSVP, Video, Gaming, VoIP
–Without the flow label the classifier must use the transport next header value and port numbers
–Less efficient (need to parse the option headers)
–May be impossible (due to fragmentation or IPsec ESP)
–The layer violation may hinder introduction of new transport protocols
IPv6 nodes not providing flow-specific treatment MUST ignore the field when receiving or forwarding a packet
Immature Technology – Research Area (since this talk, RFC 6437 has replaced RFC 3697: sources should set a pseudo-random 20-bit label per flow, and RFC 6438 uses it as an input to ECMP and link-aggregation load balancing of tunnelled traffic)
The Flow Label field is useless, unless it is actually used!

32 Flow Label Security Considerations
The IPsec protocol, as defined in [IPSec, AH, ESP], does not include the IPv6 header's Flow Label in any of its cryptographic calculations
–In the case of tunnel mode, it is the outer IPv6 header's Flow Label that is not included
Modification of the Flow Label by a network node has no effect on IPsec end-to-end security
–It cannot cause any IPsec integrity check to fail
–As a consequence, IPsec does not provide any defense against an adversary's modification of the Flow Label (i.e., a man-in-the-middle attack)
Practical consequence: treat the label as untrusted input, never as an authorization or policy key. An on-path attacker who rewrites it can move a packet into a different QoS class or onto a different load-balanced path, but cannot change what the receiving IPsec peer accepts as authentic.
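Both flow-label slides can be exercised on bytes. The following is an added example, not code from the slides: it classifies a constructed SIP-over-UDP IPv6 packet first by (source address, Flow Label) and then, after an on-path node zeroes the label, by walking the extension-header chain to the transport ports, returning no key at all for the two cases slide 31 calls impossible (a non-first fragment and an ESP payload). It then models the AH integrity check of slide 32 as an HMAC over the base header with the fields RFC 4302 lists as mutable (DSCP, ECN, Flow Label, Hop Limit) zeroed, and shows that rewriting the label leaves the ICV valid while touching the destination address does not. The AH coverage is simplified (AH header and ICV placement are omitted), the key is constructed, and the addresses come from 2001:db8::/32.

```python
"""Flow classification with and without the Flow Label, and why IPsec does not protect it."""
import hashlib
import hmac
import struct
from ipaddress import IPv6Address

HOPOPT, TCP, UDP, ROUTING, FRAG, ESP, AH, DSTOPT = 0, 6, 17, 43, 44, 50, 51, 60


def ipv6_packet(src, dst, flow_label, next_header, payload, traffic_class=0, hop_limit=64):
    """Fixed IPv6 header in front of a payload (assumed sample builder)."""
    word0 = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB16s16s", word0, len(payload), next_header, hop_limit,
                       IPv6Address(src).packed, IPv6Address(dst).packed) + payload


def transport_ports(pkt):
    """Walk the extension-header chain to the transport header and return (proto, sport, dport),
    or None when that is impossible: ESP hides it and a non-first fragment does not carry it."""
    nh, off = pkt[6], 40
    while off + 4 <= len(pkt):
        if nh in (TCP, UDP):
            return (nh,) + struct.unpack("!HH", pkt[off:off + 4])
        if nh == ESP:
            return None
        if nh == FRAG:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:   # Fragment Offset != 0
                return None
            nh, off = pkt[off], off + 8
        elif nh == AH:
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4         # Payload Len is in 4-octet units minus 2
        elif nh in (HOPOPT, ROUTING, DSTOPT):
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8         # Hdr Ext Len excludes the first 8 octets
        else:
            return None
    return None


def flow_key(pkt):
    """Classifier key: (src, Flow Label) when the label is non-zero, else the transport 5-tuple."""
    label = struct.unpack("!I", pkt[:4])[0] & 0xFFFFF
    src, dst = pkt[8:24], pkt[24:40]
    if label:
        return ("label", src, label)
    t = transport_ports(pkt)
    return None if t is None else ("5tuple", src, dst) + t


def set_flow_label(pkt, label):
    """What any on-path node can do: rewrite the label and nothing else."""
    word0 = struct.unpack("!I", pkt[:4])[0]
    return struct.pack("!I", (word0 & ~0xFFFFF) | (label & 0xFFFFF)) + pkt[4:]


def ah_coverage(pkt):
    """Bytes an AH ICV is computed over, simplified to base header + payload with the fields AH
    treats as mutable (RFC 4302 section 3.3.3.1.2: DSCP, ECN, Flow Label, Hop Limit) zeroed."""
    word0 = struct.unpack("!I", pkt[:4])[0] & 0xF0000000     # keep Version only
    return struct.pack("!I", word0) + pkt[4:7] + b"\x00" + pkt[8:]


def compute_icv(key, pkt):
    return hmac.new(key, ah_coverage(pkt), hashlib.sha256).digest()[:16]   # HMAC-SHA-256-128 style truncation


def verify_icv(key, pkt, icv):
    return hmac.compare_digest(compute_icv(key, pkt), icv)


if __name__ == "__main__":
    src, dst = "2001:db8::1", "2001:db8::2"
    udp = struct.pack("!HHHH", 5060, 5060, 12, 0) + b"INVI"            # constructed SIP/UDP fragment of payload
    pkt = ipv6_packet(src, dst, 0x12345, UDP, udp)
    print("with label:", flow_key(pkt)[0], " without label:", flow_key(set_flow_label(pkt, 0))[0])
    print("non-first fragment:", flow_key(ipv6_packet(src, dst, 0, FRAG, struct.pack("!BBHI", UDP, 0, 8, 1) + udp)))
    print("ESP payload:", flow_key(ipv6_packet(src, dst, 0, ESP, b"\x00" * 16)))
    icv = compute_icv(b"constructed-ah-key", pkt)
    print("ICV still valid after label rewrite:", verify_icv(b"constructed-ah-key", set_flow_label(pkt, 0), icv))
    print("ICV valid after dst rewrite:", verify_icv(b"constructed-ah-key", pkt[:24] + IPv6Address("2001:db8::3").packed + pkt[40:], icv))
```

The useful asymmetry is the last two lines: the receiver's integrity check is silent about the label precisely because AH must tolerate routers changing it, so a classifier that keys on the label is trusting every hop on the path. Anything that must survive a hostile path (policy, billing, access control) has to key on fields inside the IPsec coverage or on the SA itself.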

