Friday, September 16, 2005

IPv6 as a Technology Refresh

I've written about government and IPv6 before. The article OMB: No new money for IPv6 by David Perera includes the following:

"Federal agencies have all the money they need to make a mandatory transition to the next generation of IP, a top Office of Management and Budget official said today.

'The good news, you have all the money you need. [IP Version 6] is a technology refresh' said Glenn Schlarman, information policy branch chief in OMB's Office of Information and Regulatory Affairs. Schlarman spoke at a Potomac Forum event on IPv6. 'You have to adapt, reallocate,' he added."

Moving from IPv4 to IPv6 is like transitioning from horse-drawn buggies to internal combustion engine-driven automobiles. Both carry passengers but the complexities, opportunities, and risks associated with cars make the upgrade far more than a "technology refresh."

The biggest single problem with IPv6 is that network administrators are not familiar with it. 24 years after IP was presented in RFC 791 there are still people who do not understand the networks for which they are responsible. IPv6 is going to confuse this situation by an order of magnitude. Training is the only way to have a chance to successfully implement IPv6. Unfortunately, OMB is mandating from on high but not providing resources to get administrators trained to handle these new protocols.

I expect a wave of new intrusions during and after the transition to IPv6. Not only will the IPv6 network stacks be directly exploited, but common misconfigurations will plague enterprises for years.

2 comments:

Anonymous said...

Considering that DoD is "light years" ahead of other Federal Agencies, I don't think anyone other than DoD stands a chance to even implement IPv6 on network backbones. I'm actually going to be working IPv6 Transition for a DoD Agency - I'll let you know how it goes. Hmmm, I wonder how OMB's own IPv6 migration plan is progressing.... wait exactly how big is OMB's network and do they actually run their own network or just tell everyone else how run their networks.

I figure if I start now I'll be a couple of years ahead of industry and have marketable skills. I did the same for INFOSEC, I mean Network Security - sorry for the slip up, I'll do better next time [note: Rich hates the INFOSEC term].

Thomas

Anonymous said...

At the University of Southampton we have deployed a fully working dual stack environment for IPv4 and IPv6. We have already started looking very seriously at the security implications of IPv6 networks including intrusion detection. I have personally used a modified Snort that includes IPv6 support, although this feature is not yet available from the official Snort release (Marty did say it would come after frag5!).

Areas that we have had a closer look at are the continued support of overlapping fragments (why would anyone want this other than the obvious???) and the possibility that networking devices might have resources consumed by a high number of extension headers (IPv6 has no upper limit on how many extension headers may exist). Tools are actively being developed that are able to test these scenarios.

Chas Tomlin

System Administrator
School of Electronics and Computer Science
University of Southampton
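The second comment names two parsing problems a monitoring sensor has to deal with: an extension-header chain with no protocol-imposed upper bound, and overlapping fragments. The following Python is an added illustration of how a defender-side parser handles both; it is not code from the post, from the commenter, or from the modified Snort he mentions. It walks the Next Header chain of a raw IPv6 packet, rejects headers that run past the end of the packet, flags chains longer than an assumed policy threshold `MAX_EXT_HEADERS` (8 is an assumption, not a standard value), and records fragment byte ranges per (source, destination, identification) so that an overlapping fragment is reported. All packets are constructed inline; the helper names (`walk_extension_headers`, `check_chain`, `FragmentTracker`) are mine.

```python
import struct
from collections import defaultdict

IPV6_HEADER_LEN = 40
# Next Header values for the extension headers that chain via a Next Header field
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS, MOBILITY = 0, 43, 44, 51, 60, 135
UDP = 17
CHAINED = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS, MOBILITY}
MAX_EXT_HEADERS = 8  # assumed policy threshold; the protocol itself sets no limit


def walk_extension_headers(pkt):
    """Follow the Next Header chain of an IPv6 packet.

    Returns (chain, upper_layer, offset, frag): the extension header types seen,
    the first non-extension Next Header value, the byte offset where that layer
    starts, and fragment details (or None).  Parsing stops at a Fragment header
    because the headers after it belong to the fragmentable part and are only
    meaningful after reassembly.
    """
    if len(pkt) < IPV6_HEADER_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], IPV6_HEADER_LEN, []
    while nh in CHAINED:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        chain.append(nh)
        if nh == FRAGMENT:
            nxt, _, off_flags, ident = struct.unpack_from("!BBHI", pkt, off)
            off += 8
            frag = {"id": ident, "offset": (off_flags >> 3) * 8,
                    "more": bool(off_flags & 1), "data": len(pkt) - off}
            return chain, nxt, off, frag
        # AH length is in 4-octet units (+2); all others in 8-octet units (+1)
        hlen = (pkt[off + 1] + 2) * 4 if nh == AUTH else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("extension header at offset %d runs past end of packet" % off)
        nh = pkt[off]
        off += hlen
    return chain, nh, off, None


def check_chain(pkt, limit=MAX_EXT_HEADERS):
    """Summarise the chain and flag packets carrying more headers than policy allows."""
    chain, upper, _, frag = walk_extension_headers(pkt)
    return {"count": len(chain), "too_deep": len(chain) > limit,
            "upper_layer": upper, "fragment": frag}


class FragmentTracker:
    """Remembers each fragment's byte range per (src, dst, id) and reports overlaps."""

    def __init__(self):
        self.ranges = defaultdict(list)

    def add(self, pkt):
        """Return the previously seen ranges this fragment overlaps (None if not a fragment)."""
        _, _, _, frag = walk_extension_headers(pkt)
        if frag is None:
            return None
        key = (bytes(pkt[8:24]), bytes(pkt[24:40]), frag["id"])
        start, end = frag["offset"], frag["offset"] + frag["data"]
        overlaps = [r for r in self.ranges[key] if start < r[1] and r[0] < end]
        self.ranges[key].append((start, end))
        return overlaps


# --- constructed sample packets (not captured traffic) ---
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def generic_ext(next_header, units=0):
    """Hop-by-Hop / Destination Options header of (units+1)*8 bytes, padded with one PadN."""
    pad = (units + 1) * 8 - 4
    return bytes([next_header, units, 1, pad]) + b"\x00" * pad


def fragment_ext(next_header, offset_bytes, more, ident):
    """Fragment header; the offset is in bytes and must be a multiple of 8."""
    assert offset_bytes % 8 == 0
    return struct.pack("!BBHI", next_header, 0, ((offset_bytes // 8) << 3) | int(more), ident)


def build_ipv6(ext_headers, payload, src=SRC, dst=DST):
    """Fixed header + pre-chained extension headers + payload (each header's own
    Next Header byte already names the header that follows it)."""
    first = ext_headers[0][0] if ext_headers else UDP
    body = b"".join(h for _, h in ext_headers) + payload
    return struct.pack("!IHBB", 0x60000000, len(body), first, 64) + src + dst + body


PKT_OK = build_ipv6([(HOP_BY_HOP, generic_ext(UDP))], b"x" * 16)
PKT_DEEP = build_ipv6([(DEST_OPTS, generic_ext(DEST_OPTS))] * 11
                      + [(DEST_OPTS, generic_ext(UDP))], b"x" * 16)
PKT_TRUNC = build_ipv6([(HOP_BY_HOP, bytes([UDP, 3, 1, 4, 0, 0, 0, 0]))], b"")  # claims 32 bytes, has 8
FRAG_A = build_ipv6([(FRAGMENT, fragment_ext(UDP, 0, True, 0x1234))], b"a" * 16)   # bytes 0-15
FRAG_B = build_ipv6([(FRAGMENT, fragment_ext(UDP, 8, False, 0x1234))], b"b" * 16)  # bytes 8-23, overlaps A
FRAG_C = build_ipv6([(FRAGMENT, fragment_ext(UDP, 16, False, 0x5678))], b"c" * 16) # different id, no overlap

if __name__ == "__main__":
    for name, pkt in [("ok", PKT_OK), ("deep", PKT_DEEP)]:
        print(name, check_chain(pkt))
    tracker = FragmentTracker()
    for name, pkt in [("A", FRAG_A), ("B", FRAG_B), ("C", FRAG_C)]:
        print("fragment", name, "overlaps", tracker.add(pkt))
    try:
        walk_extension_headers(PKT_TRUNC)
    except ValueError as exc:
        print("rejected:", exc)
```

The overlap test is deliberately stateful: a sensor that inspects each fragment in isolation cannot see that a later fragment rewrites bytes an earlier one already delivered, which is exactly the ambiguity the commenter is pointing at. The chain walker stops at the Fragment header for the same reason; anything after it should only be parsed once the datagram has been reassembled.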