Campus IPv6 Deployment
Phillip Deneault, WPI Network Security Officer
Ground Rules
• IPv6 is not the same as IPv4
• Deploying IPv6 will not be the same as deploying IPv4
• Universities have in place policies, expected behaviors, security bolt-ons, well-developed tools, etc.
• Successful deployment ('Going native') will require:
  • Communication to all parties involved
  • Understanding the requirements
  • Mindful execution
Communication
• Management needs to be engaged to understand both the monetary requirements and the benefits
• Networking needs to work with Security, and Security needs to work with Networking
  • Neither side can be allowed to get its way all the time
• Sysadmins need to be engaged to make sure their systems are deployed maintaining the same level of security and robustness they had before
  • Load balancing, blacklists, host-level firewalls, etc.
Understanding the Requirements
You have an expectation of how IPv4 fits into your business and operating procedures, and those expectations will not perfectly fit an IPv6 network.
Understanding the Requirements
• Many of these differences come from:
  • Auto-configuration of addresses
  • Policy enforcement (e.g. abuse tracking)
  • Reliance on the scarcity of IPv4 addresses
  • Auditing (e.g. vulnerability assessment)
  • Lack of 'Feature Parity'
  • Procurement (e.g. IPv4 vs. IPv6 vendor support)
  • Transitional technologies
  • Support (e.g. network troubleshooting)
Mindful Execution
1. Get an IPv6 allocation
• Two types of addresses
  • ISP allocation
  • Provider Independent
• Provider Independent
  • ARIN (http://www.getipv6.info/index.php/How_do_I_get_IPv6_from_ARIN)
  • /40 or larger
• ISP allocation
  • Internet2/local connector
  • Don't get less than a /48
Mindful Execution
1a. Check for support throughout your network equipment
• Network
  • Routers, switches, hubs, bandwidth management
  • DHCP, DNS, NTP, WINS
• Security
  • Firewalls, IDS/IPS, flow monitoring, logging
• Applications
  • WWW, SMTP
• This will turn up technical/policy/process problems
• Keyword: 'Feature Parity'
• Pitfall: blanket 'Yes' answers
Mindful Execution
2a. Announce the address space
  • Check for basic connectivity
2b. Evaluate transitional technologies
  • It might make sense to deploy something while trying to 'Go Native'
  • More on this in a moment
2c. Develop DNS resources
  • Your network registration system might trip you up
  • Start with an exception list if necessary
  • http://www.getipv6.info/index.php/DNS_and_Naming_Issues
2d. Statically define a few non-essential machines
  • Graduate to some essential machines (www)
Mindful Execution
3. Deploy to clients
  • At this point, you will have 'Gone Native'
  • You should be comfortable with your infrastructure, procedures, and security before you flip the switch
  • If you aren't, you might be making trade-offs with accessibility
4. Sometime, this side of never, get rid of IPv4
"Transitional Technologies"
• A series of protocols for tunneling IPv6 over IPv4 to enable accessibility
• 6to4 and Teredo
  • On by default in Windows Vista/7 and OS X 10.4 and up
• All these technologies function on similar principles
  • Client auto-configures with a v6 address
  • Client queries for relays
  • Client sends the IPv6 packet inside an IPv4 packet
  • Relay strips off the IPv4 encapsulation and forwards the IPv6 packet
"Transitional Technologies"
• You need to decide what to do with these technologies if you haven't yet
• Choose to ignore
  • They will bypass your firewall
  • They will cause odd network issues in certain situations
  • They will send traffic to relays you don't control
• Choose to block
  • Easy (IP protocol 41 and UDP port 3544)
  • Eliminates IPv6 accessibility
  • Not sustainable unless IPv6 is deployed natively in the short term
• Choose to run your own relay
  • Control what leaves your network
  • Control your own relay
  • Might be a good idea if you think native deployment is going to take a long time
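As an added example (not from the slides), the block below shows how a defender can spot the two transitional technologies in flow records using the same markers the slide gives for blocking (IP protocol 41 and UDP port 3544), and how to decode the IPv4 endpoints embedded in 6to4 and Teredo addresses so tunnelled traffic can still be traced for abuse handling. The flow records and addresses are constructed from RFC 5737 documentation ranges.

```python
import ipaddress

# Well-known prefixes of the two transitional technologies named on the slides.
SIX_TO_FOUR_NET = ipaddress.IPv6Network("2002::/16")  # 6to4, RFC 3056
TEREDO_NET = ipaddress.IPv6Network("2001::/32")       # Teredo, RFC 4380

# Constructed sample flow records: (src, dst, ip_protocol, dst_port).
# All addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.1", 41, None),   # IPv6 carried directly in IPv4
    ("192.0.2.11", "203.0.113.2", 17, 3544),   # UDP to the Teredo port
    ("192.0.2.12", "203.0.113.3", 6, 443),     # ordinary HTTPS, must not match
]

def classify_flow(ip_protocol, dst_port):
    """Name the tunnel type a flow suggests, or None for native traffic."""
    if ip_protocol == 41:                       # 6to4 and other IPv6-in-IPv4 tunnels
        return "protocol-41"
    if ip_protocol == 17 and dst_port == 3544:  # Teredo's UDP port
        return "teredo"
    return None

def flag_tunnel_flows(flows):
    """Return (src, tunnel_type) for every flow that looks like tunnelled IPv6."""
    hits = []
    for src, _dst, proto, port in flows:
        kind = classify_flow(proto, port)
        if kind:
            hits.append((src, kind))
    return hits

def embedded_ipv4(addr_str):
    """Decode the IPv4 endpoint(s) a 6to4 or Teredo address embeds (for abuse tracking)."""
    addr = ipaddress.IPv6Address(addr_str)
    p = addr.packed
    if addr in SIX_TO_FOUR_NET:
        # 2002:WWXX:YYZZ::/48 carries the client's public IPv4 in bits 16-47.
        return {"tunnel": "6to4", "client_ipv4": str(ipaddress.IPv4Address(p[2:6]))}
    if addr in TEREDO_NET:
        # 2001:0:<server v4>:<flags>:<port ^ 0xFFFF>:<client v4 ^ 0xFFFFFFFF>
        return {
            "tunnel": "teredo",
            "server_ipv4": str(ipaddress.IPv4Address(p[4:8])),
            "udp_port": int.from_bytes(p[10:12], "big") ^ 0xFFFF,
            "client_ipv4": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16]))),
        }
    return None
```

Protocol 41 also carries manually configured 6in4 and ISATAP tunnels, so a hit on it identifies IPv6-in-IPv4 encapsulation in general, not 6to4 alone.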
Checklist
• Communication to all parties involved
  • Engage management
  • If you are networking, engage your security people
  • If you are security, engage your networking people
  • Coordinate with server admins; they need to support IPv6 too
• Understanding the requirements and issues
  • Work on making your infrastructure support IPv6 now
  • Evaluate the tools you currently have and your options
  • Add requirements during procurement phases and RFPs
  • Plan for replacement tools if necessary
  • Pester your vendors for features you will need ("Feature parity")
• Mindful execution
  • Think about address assignment methods and DNS conventions
  • Start small and work up to big
  • Decide what to do about transitional technologies
Resources
• ARIN IPv6 Wiki: lots of getting-started documentation
  • http://www.getipv6.info/index.php/Main_Page
• Top 10 Tasks for IPv6 Application Developers
  • http://www.networkworld.com/community/blog/top-10-tasks-ipv6-application-developers
• Test your IPv6 connectivity!
  • http://test-ipv6.com/
• NIST Special Publication 800-119: Guidelines for the Secure Deployment of IPv6
  • http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
• April 28th: SANS SEC546 IPv6 Essentials for EDUs
  • https://www.sans.org/registration/ivc.php?lid=23818

Thanks for listening. Feedback welcome: deneault@wpi.edu