Chinese IPv6 in CIO

The 15 July 2006 issue of CIO magazine featured China Builds a Better Internet by Ben Worthen. I have multiple problems with this article, but I also think it's great to publicize what the world outside the US is doing! Here are some excerpts and commentary.

[I]n research labs throughout China, engineers are busy working on another project that the Chinese government plans to unveil at the Olympics: China's Next Generation Internet (CNGI), a faster, more secure, more mobile version of the current one...

CNGI is the centerpiece of China's plan to steal leadership away from the United States in all things Internet and information technology.

The strategy, outlined in China's latest five-year plan, calls for the country to transition its economy from one based almost entirely on manufacturing to one that produces its own scientific and technological breakthroughs—using a new and improved version of today's dominant innovation platform, the Internet. "CNGI is the culmination of this revolutionary plan" to turn China into the world's innovation capital, says Wu Hequan, vice president of the Chinese Academy of Engineering and the chairman of the CNGI Expert Committee.

There is nothing more inherently secure about IPv6 compared to IPv4. As I've argued before, I think security will degrade when IPv6 is adopted. It might improve as people become familiar with it, but expect chaos in the short-to-medium term.

This is only the first of many "secure" adjectives used to describe IPv6 in this article, unfortunately.

If China gets too big a head start, U.S. CIOs could be in the unfamiliar position of having to play catch up to the rest of the world—while paying as much as 30 percent more to manage their networks, according to estimates by the National Institute of Standards and Technology. Worse, organizations that lag behind the world in IPv6 adoption will be more vulnerable to hackers and other security threats.

Here we have a security and cost argument -- you'll see that again. Uh-oh, CIOs take notice. I think this paragraph refers to a report summarized well by Network World. This report, by NIST, seems less enthusiastic than the CIO article.

China, which is expected to surpass the United States as the world's biggest Internet user later this year, has just 2 percent of the world's IP addresses, or around 60 million—about as many as Stanford University...

Given that China will have almost twice as many broadband users as the United States by the end of 2007, the sense of injustice among China's Internet officials is palpable. "When 26 Chinese share one Internet protocol address, while each American possesses six IP addresses…this is the quandary facing China in the IPv4 era," Zhao Houlin, director of the International Telecommunications Union, said in 2005. The bottom line for China, says Jiang Lintao, chief engineer at the China Academy of Telecommunications Research, is that "We cannot survive without IPv6."

Wow, that's a great way to think about the problem facing China!

Parts of this sidebar are comical.

Benefits: Improved security. Longer IP addresses mean that each device has a unique identifier. This will allow for device and user-level authentication—meaning spammers and hackers can’t hide behind constantly shifting IP addresses, as they do today. The security paradigm will have to change from firewall-centric to application-centric, but once it does the Internet will be a much safer place.

How is the first part of this even remotely true?

Paul Francis weighs in with an alternative point of view below.

Some Internet experts, such as Paul Francis, a computer science professor at Cornell University who also happened to invent NAT devices, say that upgrading networks to IPv6 will cost so much and take so long that engineers will develop workarounds -- be it improvements to NAT devices or something new -- that solve the problems with IPv4, keeping the current Internet in place forever.

I was glad to read Mr. Francis' comments. Contrast them with the following.

But most people familiar with IPv6 say that the protocol has too much promise and can save CIOs too much money for it not to be adopted. Plus, most equipment makers are already selling IPv6-capable equipment today, meaning you could be building a next-generation network without even knowing it.

"In the next 10 years everyone will [begin] moving to IPv6," says Robert Atkinson, president of the Information Technology and Innovation Foundation, a technology policy think tank. "That is not in doubt."
(emphasis added)

Not in doubt? With a ten-year window, who will check on this? Maybe I will if this blog is still around!

Finally, this sidebar mentioned military issues.

China’s NextGeneration Internet (CNGI) has U.S. national security implications as well. While the level of Chinese military involvement in CNGI is unclear, the People’s Liberation Army has designed its own IPv6 router, and a recent China IP Council white paper mentions that IPv6 networks have "military and intelligence" uses. Unrestricted Warfare, a widely translated treatise on military doctrine written by two People’s Liberation Army officers, calls for China to engage the West in nontraditional combat, and suggests tactics such as computer hacking and cyberterrorism.

Hmm, it's more like the PLA stole its own router. In any case, I think it's time for me to read Unrestricted Warfare, which I found here and here.

Finally, would you trust advice like this?

If China moves to an IPv6 network while the United States is still running IPv4, Internet traffic coming from China will be impossible to track back to its source, says James Mulvenon, deputy director of the Center for Intelligence Research and Analysis, which advises the U.S. intelligence community.

"Imagine if you are running an army network at Fort Hood and you detect hostile packets," he says. If the packets are coming from or through China, "you can’t tell anything about them. It turns China into a big anonymizer."

Welcome to 1989 (.pdf, Security Problems in the TCP/IP Protocol Suite). If you discount spoofing, welcome to the rise of botnets. Any exit host for which you cannot trace back is a "big anonymizer." Who cares if IPv4 or IPv6 is used?


Anonymous said…
Back in March there was a mailing list discussion on this article which presented very similar ideas to the one mentioned in your post.

This was my response, which seems to be along the same lines as yours.

Saying that IPv6 will lead to reduced anonymity seems to me a
substantial leap. Computers already have several unique identifiers
(e.g. Ethernet MAC addresses and serial numbers), but these do not
often escape the local network. What the article appears to be getting
at is that switching to IPv4 to IPv6 will remove some of the need to
deploy NAT boxes and proxies. These devices are typically not designed
to provide anonymity, and don't in any strong sense of the word, but
in reality they are an obstacle to practical traceability.

NAT and proxies perform several main roles:
- Reduce the number of global IP addresses needed
- Protect computers on the internal network
- Hide information about the structure of the internal network

Proxies also:
- Improve performance (in the case of caching proxies)
- Allow policy restrictions (e.g. blocking certain websites)

IPv6 reduces the shortage of global IP addresses, so the first reason
would no longer be important, but the others stand. For this reason I
don't think that IPv6 will herald the removal of NAT and proxies.

Without NAT and proxies, an IP address will uniquely identify a
computer at a particular time, but with dynamic addresses, the
computer using a particular address will change over time. The logs
for a RADIUS or DHCP server (if present) will say what computer was
using a particular address at a time, but even then, finding which
person is using that computer is a further problem.

NAT and proxies introduce a similar traceability obstacle to dynamic IP
addresses. Given an IP address you can still trace the user, but you
need to look at further information to complete the task. Many proxies
include the internal IP address of a requestor in the HTTP headers,
and you can stop there. NAT boxes and some proxies don't do this, but
might well keep logs, and these can be used to tell which computer
made a particular connection.

Dynamic IP addresses, NAT boxes and proxies do cause a practical
problem for law enforcement, since it means they have to request logs
from another party before continuing. Sometimes these logs may be
incomplete, poorly maintained or even missing. Even so, the anonymity
that this provides is weaker and more hit-and-miss than what systems
designed for anonymity (e.g. Tor) give.

For the purposes of anonymity, IPv6 just increases the size of the IP
address space. Whether this decreases anonymity online is more a
matter for policy than technology. With IPv4, traceability could be
improved by mandating log retention (as is being proposed by the EU),
IPv6 simply changes what logs are needed.

This and other issues of traceability are dealt with in Richard
Clayton's PhD thesis and I can recommend it to anyone interested in
this area:
Anonymous said…
This comment has been removed by a blog administrator.

Popular posts from this blog

Zeek in Action Videos

MITRE ATT&CK Tactics Are Not Tactics

New Book! The Best of TaoSecurity Blog, Volume 4