The Dutch National Cyber Security Centre has put a new version (2.0) of their IPv6 white paper online. It is written in cooperation with a number of experts from public and private organizations. Dennis Silva and I also helped out and our article “Niets doen is geen optie”, published in Computable 04-06-2012, was used as one of the references. This article was based on our own IPv6 white paper that we wrote last year and it provided interesting input for discussions on what transition scenarios are feasible and what risks they come with.
It was great to be part of this and I’m proud to see our names, and the company’s, being mentioned in the list of references and contributors. 🙂
The paper is published here: http://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/whitepapers/ip-versie-6-ipv6.html
In this version of the IPv6 paper, there is more focus on security risks of migration scenarios. Depletion of the IPv4 address space means that everyone at some point has to decide on an IPv6 strategy. With every scenario, whether it is ‘doing nothing’ or going for a full native IPv6 implementation, comes risk. For instance, 6in4 tunnels can provide unwanted access into secured networks and the default enabled IPv6 in many OSes can provide unnoticed connectivity between nodes that are thought to be isolated.
This is a presentation I worked on which outlines IPv6 in Mission Critical Environments; typical environments of customers of Schuberg Philis.
IP version 6 (IPv6, see RFC2460) is a new version of the Internet Protocol, designed as the successor to IP version 4 (IPv4) [RFC-791]. The new Internet protocol was designed in the 1990’s and, rather than using the 32-bit addressing system, it uses a 128-bit system. That gives us 2128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 IP addresses and is enough for the Internet to continue to grow. Because of the rapid IPv4 address exhaustion it is imperative that the world starts using the new protocol version now. The old and new protocols are not directly compatible; an IPv4 device is not able to communicate with an IPv6 device. Therefore a number of steps have to be taken before world wide deployment can be realized. Technology has to be updated, personnel has to be trained and above all: awareness has to be created.
What happened to IPv5?
Many people not familiar with the matter often ask this, what seems a very logical, question. The protocols that operate at the Network Layer of the OSI model of computer networking, like IPv4, IPv6, ICMP, ICMPv6, IGMP, IPSec etc., have been assigned protocol numbers. Protocol number 5 could not be used as the successor to number 4 because the Experimental Streaming Protocol Version 2 (ST2, see RFC1819) had already been assigned to it.
How is IPv6 different?
The changes from IPv4 to IPv6 fall primarily into the following categories:
Expanded Addressing Capabilities
IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler auto-configuration of addresses. The scalability of multicast routing is improved by adding a “scope” field to multicast addresses. And a new type of address called an “anycast address” is defined, used to send a packet to any one of a group of nodes.
Header Format Simplification
Some IPv4 header fields have been dropped or made optional, to reduce the common-case processing cost of packet handling and to limit the bandwidth cost of the IPv6 header.
Improved Support for Extensions and Options
Changes in the way IP header options are encoded allows for more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new optionsin the future.
Flow Labeling Capability
A new capability is added to enable the labeling of packets belonging to particular traffic “flows” for which the sender requests special handling, such as non-default quality of service or “real-time” service.
Authentication and Privacy Capabilities
Extensions to support authentication, data integrity, and (optional) data confidentiality are specified for IPv6.