North American Network Operators Group


Overcoming IPv6 Security Threat

  • From: Joe Baptista
  • Date: Thu Sep 12 10:38:21 2002

Thanks to everyone who helped out.

cheers
joe baptista


http://www.circleid.com/articles/2533.asp

Overcoming IPv6 Security Threat

September 12, 2002  |  By Joe Baptista

Technology rags and industry pundits see IPv6 (Internet Protocol version
6) as the future of networking, but Daniel Golding, a participant in the
North American Network Operators' Group (NANOG), thinks it is a "solution in
search of a problem". Many others have argued that IPv6 is a problem in
itself and that the protocol is unlikely to gain wide acceptance in the
short term.

IPv6 does solve many of the problems with the current version, IPv4
(Internet Protocol version 4). Its purpose is to expand the address space
and fix the IPv4 address depletion problem, which many techies claim was
due to mismanagement. The industry's goal is to use the very large address
pool in IPv6 to expand the capabilities of the Internet and enable a variety
of peer-to-peer and mobile applications, including cellular phone technology
and home networking.

IPv6, the network-layer protocol suite, can be tunnelled across the existing
IPv4 infrastructure to interconnect IPv6 nodes that are separated by
IPv4-only networks, and it comes prepackaged with some popular operating
systems. This includes almost all Unix flavors, some Windows versions and
Mac OS. Some vendors offer upgrades for older operating systems: Trumpet
Software International in Tasmania, Australia, sells a Trumpet Winsock
version that adds IPv6 support to old Windows 95/98 and NT systems.

IPv6 has suffered bad press over privacy issues. Jim Fleming, the inventor
of IPv8, a competing protocol, sees many hazards and privacy flaws in
existing IPv6 implementations. In some cases an IPv6 address embeds an ID
(identifier) derived from your hardware or phone "that allows your packets
to be traced back to your PC or cell-phone", said Fleming. The potential for
abuse of user privacy exists because the hardware identifier carried in the
address reveals the manufacturer of the network interface and, with the
vendor's allocation records, can narrow down the make and model of the
equipment being used. Fleming warns users to think twice before they buy
themselves a used laptop computer and inherit all the prior surfing history
of the previous user!

An IPv6 address is 128 bits long. The 128 bits are divided into a left half
and a right half of 64 bits each: the left 64 bits are the network prefix
used for routing, and the right 64 bits are the interface identifier that
names one network interface on that link. With stateless address
autoconfiguration, many IPv6 systems fill the right 64 bits with an
IEEE-defined global identifier, the EUI-64. An EUI-64 is the concatenation
of a 24-bit company identifier (OUI) assigned to the manufacturer by the
IEEE Registration Authority and a 40-bit extension identifier assigned by
that manufacturer. The 48-bit MAC address of your network interface card
can also be expanded into an EUI-64: the 16-bit value 0xFFFE is inserted
between the 24-bit OUI and the remaining 24 bits, and IPv6 then inverts the
"universal/local" bit of the first byte to form the "modified EUI-64"
interface identifier. The transformation is reversible, which is why the
MAC address, and with it the manufacturer, can be read straight out of such
an address.

In the early stages of IPv6 development, Bill Frezza, a General Partner
with the venture capital firm Adams Capital Management, warned software
developers that if privacy issues are not properly addressed, the
migration to IPv6 "will blow up in their face"! Leah Gallegos agrees that
while "expanding the address space is necessary the use of the address for
ID and tracking is horrific". Gallegos, the operator of the top-level
domain .BIZ and a Director of the Top Level Domain Association, cautions
network administrators that they should refuse to implement IPv6 unless
these issues are properly addressed.

Privacy concerns prompted the creation of new standards that provide
privacy extensions for IPv6 devices. Thomas Narten of IBM and Richard
Draves of Microsoft Research published a procedure to protect the privacy
of IPv6 users. Narten, IBM's technical lead on IPv6 and an Area Director of
the Internet Engineering Task Force (IETF), agrees that an "IPv6 address
can, in some cases, include an identifier derived from a hardware address".
But Narten points out that a hardware address is not required. "In cases
where using a permanent identifier is a problem", said Narten, "RFC 3041
addresses should be used".

RFC 3041, titled "Privacy Extensions for Stateless Address
Autoconfiguration in IPv6", was published by the IETF in January 2001. It
specifies an algorithm, developed jointly by Narten and Draves, that
generates randomized interface identifiers and from them temporary
addresses, which are changed periodically and used for outgoing
connections, so that a host's traffic can no longer be correlated over time,
or tied to its hardware, by the interface identifier. The stable,
EUI-64-derived address remains configured alongside the temporary ones, so
the extension addresses tracking of the user's activity rather than removing
the hardware-derived address from the host altogether.
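As an added example (not part of the original article or of either author's
work), the following Python reproduces both mechanisms discussed above: the
modified EUI-64 derivation of an interface identifier from a MAC address, the
reverse step an observer can take to read the MAC and its manufacturer OUI
back out of the address, and one iteration of the RFC 3041 randomized
identifier procedure, whose output carries no hardware information. The MAC
address and the /64 prefix are constructed sample values.

```python
"""Added example: EUI-64 interface identifiers leak the MAC; RFC 3041
temporary identifiers do not. Sample MAC and prefix are constructed values.
"""
import hashlib
import ipaddress
import secrets

# Constructed sample input: 00:0c:29 is an OUI registered to VMware, Inc.;
# 2001:db8::/32 is the documentation prefix reserved by RFC 3849.
SAMPLE_MAC = "00:0c:29:3a:7b:9d"
SAMPLE_PREFIX = "2001:db8:1:2::"


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier (RFC 2464).

    0xFFFE is inserted between the 24-bit OUI and the 24-bit extension, then
    the universal/local bit (mask 0x02 of the first octet) is inverted, so a
    globally unique MAC yields an identifier with u/l = 1.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def iid_to_address(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix (left 64 bits) with an interface identifier (right
    64 bits) into a textual IPv6 address."""
    if len(iid) != 8:
        raise ValueError("interface identifier must be 64 bits")
    prefix_bits = ipaddress.IPv6Address(prefix).packed[:8]
    return str(ipaddress.IPv6Address(prefix_bits + iid))


def recover_mac(addr: str):
    """The observer's side of the privacy problem: 0xFFFE in the middle of
    the identifier plus a set u/l bit means it was derived from a MAC, so
    undo the transformation. Returns None when the identifier does not look
    EUI-64-derived (an RFC 3041 identifier always has the u/l bit clear)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe" or not (iid[0] & 0x02):
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def oui(mac: str) -> str:
    """First three octets of a MAC: the IEEE-assigned OUI that names the
    manufacturer of the interface."""
    return ":".join(mac.lower().replace("-", ":").split(":")[:3])


def rfc3041_temporary_iid(history: bytes, eui64_iid: bytes):
    """One iteration of RFC 3041 section 3.2.1: MD5 over the 64-bit history
    value followed by the EUI-64 identifier. Left 64 bits of the digest, with
    bit 6 (the u/l bit, mask 0x02) cleared to mark local significance, become
    the temporary identifier; right 64 bits become the next history value.
    Returns (temporary_iid, next_history)."""
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history and interface identifier must be 64 bits")
    digest = hashlib.md5(history + eui64_iid).digest()
    temp = bytearray(digest[:8])
    temp[0] &= 0xFD  # clear the u/l bit
    return bytes(temp), digest[8:]


def demo(mac: str = SAMPLE_MAC, prefix: str = SAMPLE_PREFIX) -> dict:
    """Stable EUI-64 address leaks the MAC; two successive RFC 3041
    temporary addresses do not."""
    stable_iid = mac_to_modified_eui64(mac)
    stable = iid_to_address(prefix, stable_iid)
    history = secrets.token_bytes(8)  # RFC 3041: random initial history
    temp_iid1, history = rfc3041_temporary_iid(history, stable_iid)
    temp_iid2, history = rfc3041_temporary_iid(history, stable_iid)
    temp1 = iid_to_address(prefix, temp_iid1)
    temp2 = iid_to_address(prefix, temp_iid2)
    return {
        "stable_address": stable,
        "mac_from_stable": recover_mac(stable),
        "oui_from_stable": oui(recover_mac(stable)),
        "temporary_addresses": [temp1, temp2],
        "mac_from_temporary": [recover_mac(temp1), recover_mac(temp2)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sample MAC 00:0c:29:3a:7b:9d becomes 2001:db8:1:2:20c:29ff:fe3a:7b9d,
and recover_mac() reads the MAC and its OUI straight back out of that
address; the temporary identifiers, having the u/l bit clear and no 0xFFFE
marker, yield nothing. RFC 3041 additionally requires regenerating an
identifier that collides with a reserved value or an address already in use
on the link, which is omitted here; the RFC has since been obsoleted by
RFC 4941 and then RFC 8981, which change the generation details but keep the
principle.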

Unfortunately RFC 3041 is not widely implemented. But Narten expects major
vendors to incorporate his privacy standard and offered that Microsoft
implemented privacy extensions "and apparently intends to make it part of
their standard stuff". Narten also assisted in the drafting of
recommendations for some second and third generation cellular phones
recently approved for publication by the Internet Engineering Steering
Group. That document recommends that RFC 3041 be implemented as part of
cellular phone technology but he did not know what direction cell phones
manufacturers were taking. "I suspect that client vendors will generally
implement it because of the potential bad PR if they don't" said Narten.

Another obstacle raised by NANOG operators is that there is currently no
commercial demand for IPv6. Dave Israel, a Data Network Engineer and
regular participant on NANOG lists, sees no immediate demand for IPv6
services. "The only people who ask me about IPv6", said Israel, "are people
who have heard something about it from some tech-magazine and want the
newest thing". Israel says he sees no commercial demand for a v6 backbone.

Daniel Golding, another NANOG participant, agrees: "v6 deployment is being
encouraged by some countries, and the spread of 3G (cellular technology)
is helping things along, but we have yet to see really widespread v6
deployments anywhere". Golding sees major backbone networks deploying IPv6
when it makes economic sense for them to do so. "Right now", said Golding
"there is no demand and no revenue upside. I don't expect this to change
in the near future".

Most on NANOG agree that the roadblock is a lack of ISPs offering IPv6
services. Stephen Sprunk, a Network Design Consultant with Cisco's Advanced
Services group, sees the "greater adoption of always-on broadband access
will be the necessary push" to get IPv6 off the ground. "Enterprise networks
will not be the driver for ISPs to go to IPv6", said Sprunk, and "NAT is too
entrenched". Network Address Translation (NAT) is a method of connecting
multiple computers to the Internet (or any other IP network) through a
single shared IPv4 address, which lets enterprises live with scarce IPv4
space instead of moving to IPv6.

Vint Cerf, senior vice president of architecture & technology at WorldCom,
has been using IPv6 for about four years. IPv6 has been a key element for
some of WorldCom's Government customers. Cerf thinks IPv6 supporters have a
lot of work ahead to achieve successful deployment of the protocol. He
expects "that over the next several years we will see a lot of consumer
devices set up to work with IPv6" and "cell phones are likely candidates,
as are radio-enabled PDAs".

-EOF
The dot.GOD Registry, Limited
http://www.dot-god.com/