North American Network Operators Group

Re: Overcoming IPv6 Security Threat
no fair, i dropped some posts to that discussion, i want my credits too! :)

On Thu, 12 Sep 2002, Joe Baptista wrote:

> Thanks to everyone who helped out.
>
> cheers
> joe baptista
>
>
> >http://www.circleid.com/articles/2533.asp
> >
> >Overcoming IPv6 Security Threat
> >
> >September 12, 2002 | By Joe Baptista
> >
> >Technology rags and industry pundits see IPv6 (Internet Protocol version
> >6) as the future of networking, but Daniel Golding a participant of the
> >North American Network Operators' Group (NANOG) thinks it's a "solution in
> >search of a problem". Many others have argued IPv6 is a problem in itself
> >and it is unlikely the protocol will gain wide acceptance in the short
> >term.
> >
> >IPv6 does solve many of the problems with the current version of IPv4
> >(Internet Protocol version 4). Its purpose is to expand address space and
> >fix the IPv4 address depletion problem, which many techies claim, was due
> >to mismanagement. The industry's goal is to use the very large address
> >allocation pool in IPv6 to expand the capabilities of the Internet to
> >enable a variety of peer-to-peer and mobile applications including
> >cellular phone technology and home networking.
> >
> >IPv6, a suite of protocols for the network layer, uses IPv4 gateways to
> >interconnect IPv6 nodes and comes prepackaged with some popular operating
> >systems. This includes almost all Unix flavors, some Windows versions and
> >Mac OS. Some vendors offer upgrades to older operating systems. Trumpet
> >Software International in Tasmania Australia manufactures a Trumpet
> >Winsock version that upgrades old Windows 95/98 and NT systems to the
> >current IPv6 standard.
> >
> >IPv6 has suffered bad press over privacy issues. Jim Fleming, the inventor
> >of IPv8, a competing protocol, sees many hazards and privacy flaws in
> >existing IPv6 implementations. IPv6 address space in some cases uses an ID
> >(identifier) derived from your hardware or phone "that allows your packets
> >to be traced back to your PC or cell-phone" said Fleming. Potential abuse
> >to user privacy exists as a hardware ID wired into the IPv6 protocol can
> >be used to determine the manufacturer, make and model number, and value of
> >the hardware equipment being used. Fleming warns users to think twice
> >before they buy themselves a used Laptop computer and inherit all the
> >prior surfing history of the previous user!
> >
> >IPv6 uses 128 bits to provide addressing, routing, and identification
> >information on a computer interface or network card. The 128 bits are
> >divided into the left 64 and the right 64. Some IPv6 systems use the right
> >64 bits to store an IEEE defined global identifier (EUI64). This
> >identifier is composed of a company id value assigned to a manufacturer by
> >the IEEE Registration Authority. The 64-bit identifier is a concatenation
> >of the 24-bit company identification value and a 40-bit extension
> >identifier assigned by the organization with that company identification
> >assignment. The 48-bit MAC address of your network interface card may also
> >be used to make up the EUI64.
> >
> >In the early stages of IPv6 development, Bill Frezza a General Partner
> >with the venture capital firm, Adams Capital Management warned software
> >developers that if privacy issues are not properly addressed, the
> >migration to IPv6 "will blow up in their face"! Leah Gallegos agrees that
> >while "expanding the address space is necessary the use of the address for
> >ID and tracking is horrific". Gallegos the operator of the top-level
> >domain .BIZ and a Director of the Top Level Domain Association cautions
> >network administrators that they should refuse to implement IPv6 unless
> >these issues are properly addressed.
> >
> >Privacy concerns prompted the creation of new standards, which provide
> >privacy extensions to IPv6 devices. Thomas Narten and Track Draves of
> >Microsoft Research published a procedure to ensure privacy of IPv6 users.
> >Narten, IBM's technical lead on IPv6 and an Area Director for the Internet
> >Engineering Task Force (IETF), agrees "IPv6 address can, in some cases,
> >include an identifier derived from a hardware address". But Narten points
> >out that a hardware address is not required. "In cases where using a
> >permanent identifier is a problem", said Narten "RFC 3041 addresses should
> >be used".
> >
> >RFC 3041 titled "Privacy Extensions for Stateless Address
> >Autoconfiguration in IPv6" was published this past January 2001 by the
> >IETF. It is an algorithm developed jointly by Narten and Draves which
> >generates randomized interface identifiers and temporary addresses during
> >a user session. This would eliminate the concerns privacy advocates have
> >with IPv6.
> >
> >Unfortunately RFC 3041 is not widely implemented. But Narten expects major
> >vendors to incorporate his privacy standard and offered that Microsoft
> >implemented privacy extensions "and apparently intends to make it part of
> >their standard stuff". Narten also assisted in the drafting of
> >recommendations for some second and third generation cellular phones
> >recently approved for publication by the Internet Engineering Steering
> >Group. That document recommends that RFC 3041 be implemented as part of
> >cellular phone technology but he did not know what direction cell phone
> >manufacturers were taking. "I suspect that client vendors will generally
> >implement it because of the potential bad PR if they don't" said Narten.
> >
> >Another obstacle raised by NANOG operators is that there is currently no
> >commercial demand for IPv6 at this time. Dave Israel, a Data Network
> >Engineer and regular participant on NANOG lists, sees no immediate demand
> >for IPv6 services. "The only people who ask me about IPv6", said Israel
> >"are people who have heard something about it from some tech-magazine and
> >want the newest thing". Israel says he sees no commercial demand for a v6
> >backbone.
> >
> >Daniel Golding, another NANOG participant agrees, "v6 deployment is being
> >encouraged by some countries, and the spread of 3G (cellular technology)
> >is helping things along, but we have yet to see really widespread v6
> >deployments anywhere". Golding sees major backbone networks deploying IPv6
> >when it makes economic sense for them to do so. "Right now", said Golding
> >"there is no demand and no revenue upside. I don't expect this to change
> >in the near future".
> >
> >Most on NANOG agree the roadblock seems to be a lack of ISPs that offer
> >IPv6 services. Stephen Sprunk, a Network Design Consultant with Cisco's
> >Advanced Services group sees the "greater adoption of always-on broadband
> >access will be the necessary push" to get IPv6 off the ground. "Enterprise
> >networks will not be the driver for ISPs to go to IPv6" said Sprunk and
> >"NAT is too entrenched". Network Address Translation (NAT) is a method of
> >connecting multiple computers to the Internet (or any other IP network)
> >using one IPv4 address.
> >
> >Vint Cerf senior vice president of architecture & technology at WorldCom
> >has been using IPv6 for about four years. IPv6 has been a key element for
> >some of WorldCom's Government customers. Cerf thinks IPv6 supporters have
> >a lot of work ahead to achieve successful deployment of the protocol. He
> >expects "that over the next several years we will see a lot of consumer
> >devices set up to work with IPv6" and "cell phones are likely candidates,
> >as are radio-enabled PDAs".
> >
> >-EOF
>
> The dot.GOD Registry, Limited
> http://www.dot-god.com/
>
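
The quoted article's point about MAC-derived identifiers in the right 64 bits can be checked on a list of addresses. The sketch below is an added example, not part of the original post or article: it follows the modified EUI-64 rule from the IPv6 addressing architecture (ff:fe inserted mid-MAC, universal/local bit flipped), and its function names, the sample MAC and the 2001:db8 prefixes are constructed for illustration.

```python
import ipaddress

SAMPLE_MAC = "00:00:5e:00:53:01"  # constructed value from the documentation MAC range

def mac_to_iid(mac):
    """Right 64 bits (modified EUI-64) that autoconfiguration derives from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # 24-bit company id (universal/local bit flipped) + ff:fe filler + 24-bit serial
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix, mac):
    """Address a host would form on a /64 when it does not use RFC 3041."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration expects a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_iid(mac)))

def embedded_mac(addr):
    """Return the MAC recoverable from an address, or None without the ff:fe marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # randomized (RFC 3041), manual or otherwise not MAC-derived
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Group addresses by the hardware identifier they expose (key None = none found)."""
    groups = {}
    for a in addresses:
        groups.setdefault(embedded_mac(a), []).append(a)
    return groups

if __name__ == "__main__":
    observed = [
        slaac_address("2001:db8:1::/64", SAMPLE_MAC),  # constructed: host on network 1
        slaac_address("2001:db8:2::/64", SAMPLE_MAC),  # constructed: same host, network 2
        "2001:db8:1::3c1d:9a4e:7b02:51f6",             # constructed: randomized identifier
    ]
    for mac, addrs in audit(observed).items():
        print(mac or "no hardware id", "->", addrs)
```

The ff:fe test is a heuristic: a randomized identifier matches it by chance about once in 65,536, so a hit in an address inventory is a prompt to check whether privacy extensions are enabled on that host.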