Скачать презентацию SYZYGY Engineering Internet Protocol version 6 and Network Скачать презентацию SYZYGY Engineering Internet Protocol version 6 and Network

f11b7103cbb59a0665fd2ed7ec66b500.ppt

  • Количество слайдов: 32

SYZYGY Engineering Internet Protocol version 6 and Network Centric Operations Key Concepts Will Ivancic SYZYGY Engineering Internet Protocol version 6 and Network Centric Operations Key Concepts Will Ivancic SYZYGY Engineering ivancic@syzygyengineering. com © 2004 Syzygy Engineering – Will Ivancic

Network Design Triangle Maturity Policy Security Qo. S $$$ Cost $$$ Protocols Architecture Mobility Network Design Triangle Maturity Policy Security Qo. S $$$ Cost $$$ Protocols Architecture Mobility SYZYGY Engineering Scalability Bandwidth 2 © 2004 Syzygy Engineering – Will Ivancic

Policy Source: http: //minhdo. bitterjerksociety. org/gallery/page_03. htm SYZYGY Engineering 3 Policy Source: http: //minhdo. bitterjerksociety. org/gallery/page_03. htm SYZYGY Engineering 3

IPv 6 Functional Capabilities • Expanded Addressing and Routing • Simplified Header Format • IPv 6 Functional Capabilities • Expanded Addressing and Routing • Simplified Header Format • Extension Headers and Options – Options are placed in separate headers after the core routing information – Options do not necessarily have to be processed in core network (speed) • Authentication and Encryption Support – Required in ALL implementations of IPv 6! © 2004 Syzygy Engineering – Will Ivancic SYZYGY Engineering • Autoconfiguration • Source Routing Support – Ad Hoc Network – Route Optimization for Mobility • Simple and Flexible Transition – – Incremental Upgrade Incremental Deployment Easy Addressing ( Low Startup Costs • Quality of Service Capabilities – Real-Time Traffic – Traffic Class – Flow labels 4

IPv 4 & IPv 6 Qo. S Fields IPv 4 Header 20 bytes Version IPv 4 & IPv 6 Qo. S Fields IPv 4 Header 20 bytes Version IHL Type of Service Identification Time to Live Total Length Flag s Protocol Fragment Offset Header Checksum Source Address Destination Address Legend Options SYZYGY Engineering IPv 6 Header, 40 bytes fixed Version Traffic Class Payload Length Flow Label Next Header Hop Limit Source Address Padding field’s name kept from IPv 4 to IPv 6 fields not kept in IPv 6 Destination Address Name & position changed in IPv 6 New field in IPv 6 5 © 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

Addressing Architecture SYZYGY Engineering • Unicast – Unspecified 0: : 0 – Loopback 0: Addressing Architecture SYZYGY Engineering • Unicast – Unspecified 0: : 0 – Loopback 0: : 1 – User Local Addresses • Link Local • Site Local prefix 1111111010 prefix 1111111011 Deprecated • Unique Local IPv 6 Unicast prefix FC 00: : /7 • Analogous to IPv 4 Private Address Space • provides for 2. 2 trillion addresses • Anycast • Multicast Nice Explaination of Anycast for IPv 4 at http: //www. net. cmu. edu/pres/anycast/Deploying%20 IP%20 Anycast. ppt prefix 1111 6 © 2004 Syzygy Engineering – Will Ivancic

Address Allocation Policy /23 2001 /32 /48 SYZYGY Engineering /64 0410 Interface ID Registry Address Allocation Policy /23 2001 /32 /48 SYZYGY Engineering /64 0410 Interface ID Registry ISP prefix Site prefix interface identifier (64 bits) LAN prefix • 128 -bit addresses: – 340, 282, 366, 920, 938, 463, 374, 607, 431, 768, 211, 456 (340 duodecillion) – Over a million addresses for every person on the planet!, – But not really due to inefficiency of address allocations • Administered by IANA to Regional Registries: ARIN, APNIC, RIPE, LACNIC • The allocation process is under reviewed by the Registries: –IANA allocates 2001: : /16 to registries –Each registry gets a /23 prefix from IANA –Formerly, all ISP were getting a /35 –With the new policy, Registry allocates a /32 prefix to an IPv 6 ISP –Then the ISP allocates a /48 prefix to each customer (or potentially /64) 7 © 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

Hierarchical Addressing & Aggregation SYZYGY Engineering Customer no 1 2001: 0410: 0001: /48 ISP Hierarchical Addressing & Aggregation SYZYGY Engineering Customer no 1 2001: 0410: 0001: /48 ISP Only announces the /32 prefix 2001: 0410: : /32 Customer no 2 IPv 6 Internet 2001: : /16 2001: 0410: 0002: /48 –Larger address space enables (demands): Aggregation of prefixes announced in the global routing table. • Helps improve routing speed. • Efficient and scalable routing. 8 © 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock

Site Multihoming ISP - A 2001: A 010: : /32 2001: A 010: 0001: Site Multihoming ISP - A 2001: A 010: : /32 2001: A 010: 0001: /48 SYZYGY Engineering Only announces the /32 prefix 2001: B 010: 0001: /48 Corporation 2001: C 010: 0001: /48 ISP - B IPv 6 Internet 2001: B 010: : /32 2001: : /16 ISP - C 2001: C 010: : /32 ISP - C is not allowed to advertise ISP - A’s routes 9 Syzygy Engineering

Policy Proposal 2005 -1: Provider-independent IPv 6 Assignments for End Sites SYZYGY Engineering • Policy Proposal 2005 -1: Provider-independent IPv 6 Assignments for End Sites SYZYGY Engineering • 6. 5. 8. Direct assignments from ARIN to end-user organizations – 6. 5. 8. 1. Criteria • To qualify for a direct assignment, an organization must: not be an IPv 6 LIR; and • qualify for an IPv 4 assignment or allocation from ARIN under the IPv 4 policy currently in effect. – 6. 5. 8. 2. Initial assignment size • Organizations that meet the direct assignment criteria are eligible to receive a direct assignment. The minimum size of the assignment is /48. Organizations requesting a larger assignment must provide documentation justifying the need for additional subnets. • These assignments shall be made from a distinctly identified prefix and shall be made with a reservation for growth of at least a /44. – 6. 5. 8. 3. Subsequent assignment size • Additional assignments may be made when the need for additional subnets is justified. When possible, assignments will be made from an adjacent address block. 10

Restoring an End-to-End Architecture SYZYGY Engineering End-to-End Connectivity Restores the “Promise” of Multimedia Collaboration Restoring an End-to-End Architecture SYZYGY Engineering End-to-End Connectivity Restores the “Promise” of Multimedia Collaboration NAT/PAT Breaks Peer-to-Peer IPv 4 Internet Peer-to-Peer Applications need Global Addresses when You Connect to: IP Telephony Enterprise, Mobile and Residential IP Video Conferencing Enhanced Instant Messaging Distributed Gaming © 2003 Cisco Systems, Inc. All rights reserved – Steve Pollock IPv 6 Internet Elimination of NAT Bottleneck Restores End-to-End 11

Transition and Operations Costs SYZYGY Engineering Transition Cost Difference Between IPv 4 / IPv Transition and Operations Costs SYZYGY Engineering Transition Cost Difference Between IPv 4 / IPv 6 Operations Source: PC of Japan 12

IP Address Status in China SYZYGY Engineering (unit 1 million) Total IPv 4 address IP Address Status in China SYZYGY Engineering (unit 1 million) Total IPv 4 address (unit 1) 1300 41, 456, 128 29, 002, 240 21, 534, 208 13, 269, 504 7, 555, 584 5, 409, 280 3, 746, 304 0 1997 1998 1999 2000 2001 2002 2003 41 Total IPv 4 address Chinese Population “IPv 6 is good for China and China is good for IPv 6. China brings the scale needed for IPv 6 killer application will occur in China firstly" - Latif Ladid--IPv 6 Forum President Data source: CNNIC, Dec. 2003 13

IPv 6 Transition Plan SYZYGY Engineering Contents Overall Transition Strategy IPv 6 Transition Governance IPv 6 Transition Plan SYZYGY Engineering Contents Overall Transition Strategy IPv 6 Transition Governance Acquisition and Procurement of IPv 6 Capabilities Networking and Infrastructure Addressing Information Assurance Pilots, Testing and Demonstrations Applications Standards Training Unclassified, For Official Use Only https: //disronline. disa. mil/a/DISR/docs/secure/Do. D-IPv 6_Transition_Plan_v 1_0_3 -24 -05_update 1. pdf 14

IPv 6 Transition Plan SYZYGY Engineering https: //disronline. disa. mil/a/DISR/docs/secure/Do. D_IPv 6_Transition_Plan_v 2_Final. pdf IPv 6 Transition Plan SYZYGY Engineering https: //disronline. disa. mil/a/DISR/docs/secure/Do. D_IPv 6_Transition_Plan_v 2_Final. pdf 15

Potential Showstoppers to Fully IP-based SYZYGY Engineering Tactical Operations Today Further research in the Potential Showstoppers to Fully IP-based SYZYGY Engineering Tactical Operations Today Further research in the following areas is required in order to enhance the IPv 6 protocol suite to support Network Enabled Command: – Embedding/ Encapsulation of legacy systems by means of interoperable gateways – Potential of Anycast Addressing to foster SOA, • Service Discovery protocols such as IPSec Discovery need standardization; – Global IP Security Architecture needs to encompass both deployable and highly dynamic domains supporting all kinds of host and network mobility, • Scalable Tactical PKI, e. g. CA and distributed Sub-CAs; – Optimization of MANET routing mechanisms, • Need to find a compromise between low routing overhead of reactive routing and instant route availability of proactive routing, • True multicast routing in the mobile domain; – Qo. S that considers the heterogeneous (e. g. in terms of bandwidth and latency) and dynamic availability of communication links, – Work on standardized service interoperability profiles; – IPv 6 (multicast) enabled applications. 16

v 4/v 6 Co-Existence Strategy? Source: Sinead O’Donovan, Product Unit Manager Windows Networking Microsoft v 4/v 6 Co-Existence Strategy? Source: Sinead O’Donovan, Product Unit Manager Windows Networking Microsoft SYZYGY Engineering 17

Key Technology Enablers SYZYGY Engineering • Zero Configuration in • PKI, IKE and Key Key Technology Enablers SYZYGY Engineering • Zero Configuration in • PKI, IKE and Key rapidly deployed and Management and Applications mobile networks – DNS, DHCP and KEY Servers 18 © 2004 Syzygy Engineering – Will Ivancic

Peer-to-Peer Networking • Voice, Video and Data • Issues: – Security (particularly in Do. Peer-to-Peer Networking • Voice, Video and Data • Issues: – Security (particularly in Do. D and Corporate Networks) – Control • End-to-End relative to Peer-to-Peer – End-to-End allows direct communication once peer’s address is known – Typical IPv 4 with NAT requires Peer-to-Peer server and may require application software (IM, KAZA, etc) © 2004 Syzygy Engineering – Will Ivancic SYZYGY Engineering Client/Server Model Peer-to-Peer Communication Typical IPv 4 Peer-to-Peer Communications Peer-to-Peer Service (IM, Ka. Za, etc) 1 2 Internet 3 Firewall and router w/NAT Peer-to-Peer Server is not required Peer-to-Peer Service (IM, Ka. Za, etc) Internet Firewall and router No NAT 19

New “IPv 6 Capable” Definition – SYZYGY Engineering • A product must meet the New “IPv 6 Capable” Definition – SYZYGY Engineering • A product must meet the IPv 6 base requirements (defined in “Do. D IPv 6 Standard Profiles for IPv 6 Capable Products”) and support requirements for one (or more) product categories. – e. g. Workstations, routers, switches, security devices, firewalls, etc. . . • And support the IPv 6 version of any IPv 6 protocol functional categories required for its function within the Do. D Global Information Grid (GIG) • Official Site – (May require Certificate or Common Access Card to obtain access http: //jitc. fhu. disa. mil/adv_ip/register. html – Otherwise try http: //jitc. fhu. disa. mil/adv_ip/register/docs/disr_ipv 6_product_profile_draft. pdf 20

What is Mobility? • Transportable – Telecommuter – Traveler – Relatively static once connected What is Mobility? • Transportable – Telecommuter – Traveler – Relatively static once connected – Single point of connection – Connectivity • IPv 6 Autoconfiguration • VPN SYZYGY Engineering • Mobile – Mobile Devices • PDAs • Cell Phones – Mobile Networks • Trains • Planes • Automobiles – Connectivity • Mobile-IP • Networks in Motion (NEMO) • Ad Hoc Networks 21 © 2004 Syzygy Engineering – Will Ivancic

Mobile Networking Solutions SYZYGY Engineering • Routing Protocols – Route Optimization – Convergence Time Mobile Networking Solutions SYZYGY Engineering • Routing Protocols – Route Optimization – Convergence Time – Sharing Infrastructure – who owns the network? • Mobile-IP – – Route Optimization Convergence Time Sharing Infrastructure Security – Relatively Easy to Secure • Domain Name Servers – Route Optimization – Convergence Time – Reliability 22 Source – Will Ivancic

Mobility at What Layer? SYZYGY Engineering • Layer-2 (Radio Link) – Fast and Efficient Mobility at What Layer? SYZYGY Engineering • Layer-2 (Radio Link) – Fast and Efficient – Proven Technology within the same infrastructure • Cellular Technology Handoffs • Wi. Fi handoffs • Layer-3 (Network Layer) – Slower Handover between varying networks – Layer-3 IP address provides identity – Security Issues • Need to maintain address • Layer-4 (Transport Layer) – Research Area – Identity not tied to layer-3 IP address – Proposed Solutions • HIP – Host Identity Protocol • SCTP – Stream Control Transport Protocol 23 © 2004 Syzygy Engineering – Will Ivancic

Location Identifier SYZYGY Engineering Hello Bob, I am in Cleveland, Ohio HQ Keeps Track Location Identifier SYZYGY Engineering Hello Bob, I am in Cleveland, Ohio HQ Keeps Track of Alice. What is the Weather like in Where is Alice’s Cleveland? Location Manager? Internet Alice (Mobile Node) Hello Alice Bob (Corresponding Node) © 2004 Syzygy Engineering – Will Ivancic Headquarters (Location Manager) 24

Securing Networks SYZYGY Engineering • Constraints/Tools – Policy • Security Policy • Education • Securing Networks SYZYGY Engineering • Constraints/Tools – Policy • Security Policy • Education • Enforcement – Architecture – Protocols • Must be done up front to be done well 25 © 2004 Syzygy Engineering – Will Ivancic

Security SYZYGY Engineering Security Bandwidth Utilization Security Performance Tunnels and more Tunnels Performance Security Security SYZYGY Engineering Security Bandwidth Utilization Security Performance Tunnels and more Tunnels Performance Security User turns OFF Security to make system usable! • Thus, we need more bandwidth to ensure security. • • ENCRYPTION ON THE RF LINK ENCRYPTION AT THE NETWORK LAYER VIRTUAL PRIVATE NETWORK ORIGINAL PACKET HEADER PAYLOAD 26 Source – Will Ivancic

Realities of ROI and Security SYZYGY Engineering • Network Security itself does not provide Realities of ROI and Security SYZYGY Engineering • Network Security itself does not provide any type of ROI – it is about cost management • Example – You buy a Picasso straight from the artist and a safe to store it in. The safe adds no value to the painting – only helps prevent its loss (i. e. a cost to you) • An organization that fails to adequately prepare a robust security solution faces potential loss from: – – Lost productivity/Lost e-commerce revenue Regulatory penalties Tort litigation Long-term business loss from lost customer confidence 27 Source – Yurie Rich Command. Information

IPsec SYZYGY Engineering In non-static environments such as mobile and ad hoc networks, your IPsec SYZYGY Engineering In non-static environments such as mobile and ad hoc networks, your address no longer identifies you! 28 Source – Merike Kaeo merike@doubleshotsecurity. com

GIG - Black Core SYZYGY Engineering 29 GIG - Black Core SYZYGY Engineering 29

GIG - Striped Core SYZYGY Engineering 30 GIG - Striped Core SYZYGY Engineering 30

Flow Label SYZYGY Engineering • Used by host to request special handling for certain Flow Label SYZYGY Engineering • Used by host to request special handling for certain packets • Unique flow is identified by source address and non-zero flow label – Expected use is per-flow end-to-end Qo. S • RSVP, Video, Gaming, VOIP – Without the flow label the classifier must use transport next header value and port numbers • Less efficient (need to parse the option headers) • May be impossible (due to fragmentation or IPsec ESP) • Layer violation may hinder introduction of new transport protocols • IPv 6 nodes not providing flow-specific treatment MUST ignore the field when receiving or forwarding a packet • Immature Technology – Research Area The Flow Label field is useless, unless it is actually used! 31 © 2004 Syzygy Engineering – Will Ivancic

Flow Label Security Considerations SYZYGY Engineering • The IPsec protocol, as defined in [IPSec, Flow Label Security Considerations SYZYGY Engineering • The IPsec protocol, as defined in [IPSec, AH, ESP], does not include the IPv 6 header's Flow Label in any of its cryptographic calculations – In the case of tunnel mode, it is the outer IPv 6 header's Flow Label that is not included • Modification of the Flow Label by a network node has no effect on IPsec end-to-end security – It cannot cause any IPsec integrity check to fail. – As a consequence, IPsec does not provide any defense against an adversary's modification of the Flow Label (i. e. , a man-in-the-middle attack). 32 © 2004 Syzygy Engineering – Will Ivancic