January 2006 Newsletter
Intro
 

IPv6 started out the New Year with a bang – it was featured in an entire day of panels at the Consumer Electronics Show (CES) in Las Vegas, the largest trade show in America, with more than 140,000 attendees. The day of our IPv6 presentations was near the Feast of the Epiphany, which is a celebration of an "epiphany," or revelation, between two different cultures. This proved to be the case at the CES – this was a meeting of technology evangelists bringing the IPv6 message to a crowd of retail market executives who said, "I don't care about the details of the technology – how can this make me money in consumer electronics?"
The daylong IPv6 Session, entitled, "The New Internet (IPv6), and how to make money with it," sought to answer precisely that question. Five panels covered IPv6's role in new business models, home networking, home entertainment, the home office, networked home security and mobile online platforms. Panelists included Rex Wong, CEO of DaveTV; Sinead O'Donovan, Product Unit Manager of Microsoft; Christine Arrington, Principal Analyst of the Acacia Research Group; Dale Geesey, VP of v6 Transition; Alan Knitowski, Chairman of Caneum; Mitch Arimaki, Director of Panasonic R&D Corp. of North America; Chenyl Chiu, Project Engineer of Panasonic Communications; Mickey McManus, CEO of Maya; Chris Harz, VP of IPv6 Summit; Kevin O'Donnell, President of TrueLight Entertainment; Limor Shafman, President of Keystone TechGroup; Mark Bayliss, CEO of Visual Link; John Barrett, Director of Research of Parks Associates; Scott Holmes, Managing Partner of United Future; Luan Dang, Vice Chairman of Caneum; Matt Walton, Chairman of EIC; Alex Ramia, VP of Innofone; and David Hunter, Manager of Advanced Technology of Panasonic Communications.
We have all heard, "What IPv6 applications can be bought today?" One of the real highlights of the Session was the live demonstration by Panasonic of several of its IPv6-enabled products that are available for the US market, including a trio of video security cameras with powerline connections and an inexpensive server to connect the entire home. It was a thrill to see the vidcams plugged into a normal home power strip to get both power and IPv6 signal – the clear, live picture was displayed on the big screen. Another highlight was the listing by Microsoft of a long list of really great features in the upcoming Vista OS that will be available for users of IPv6 — and only for users of IPv6.
This issue of 6Sense has several articles of interest. William Dixon, President of v6 Security, writes about how to restore end-to-end security with IPsec-aware firewalls. Bill Kine, Product Manager of Spirent Communications, writes about doing advanced testing on IPv6 networks that reflects real world and worst-case conditions. Ian Hameroff, CISSP Product Manager of Windows Server Core Networking at Microsoft, wrote about server and domain isolation for in-depth secure networks. K. Arvind, Ph.D., Architect/Consulting Engineer at the Office of the CTO of Enterasys Networks, elegantly recounts and summarizes the presentations and themes of the recent US IPv6 Summit. His analysis of the extent to which IPv6 will affect us all is reflected in his title, "The IPv6 Juggernaut is Beginning to Move." In the spirit of Janus, the gatekeeper (after whom this month is named), I wrote an article that both looks back on the past year and forward to the year ahead. Finally, the v6 Transition team outlines some of its services.
Many thanks to the presenters and participants at the CES IPv6 day. The production of IPv6-enabled products and services for consumer markets will play a major role in the successful adoption of the New Internet, and we will continue to reach out to this community. Many thanks also to the authors of our articles. All of you are making contributions that will reach far horizons. We hope that you, the reader, enjoy this issue, and await your comments and contributions of future articles.
P.S. My goal in publishing 6Sense, for what will be two years in two months, has been to help build pride, partnership and possibility in the IPv6 community and to create the IPv6 industry for the United States and its allies and Coalition Partners. I'd like to help kick this community and industry building into higher gear. One way is to make you what I think is a great and monetarily free offer. I'd like you to join LinkedIn, the leading social networking online community, and invite me to connect with you. If you mention you subscribe to 6Sense, I promise to accept your invitation. By connecting with me, you have access with one introduction to some 200 people (increasing to at least 2,000 by the end of the year), with two introductions to 100,000+ people, and with three to more than 1.4 million people.
There are about 10,000 subscribers to 6Sense. If each of you joined me on LinkedIn, we would massively increase the quality and quantity of connections, and potentially the collaboration and cooperation in the IPv6 community. As of Jan. 17, 2006, there were only 453 out of 4.4 million people who had the words "IPv6" anywhere in their LinkedIn profiles or top 50 interests. I'd like to increase that number to more than 10,000 by the end of 2006, and the only way to do that is for 6Sense readers to join. Try it, and if you don't like it, just delete your account. Use it as little or as much as you want. But give it a try, and help make the IPv6 community more active and close-knit in 2006.

Unblocking IPv6 Applications: Safely Connecting Through Host and Edge Firewalls with IPsec
 

Host firewalls have become required to defend against constant attacks from untrusted systems on the Internet and on internal networks. But they threaten the end-to-end benefits IPv6 provides to applications. To enable inbound connections, firewalls currently open holes for an application, which also opens the application and the host to untrusted attack. This paper explains how the IETF design for IP Security (IPsec) policy and Internet Key Exchange (IKEv1 and IKEv2) moderate inbound network access to the host. Thus they enable the host firewall to open holes which can be accessed only by trusted and authorized peers. IPsec-aware firewalls can provide tightly controlled access based on source identity and specific upper-level protocol connection details passed during the IKE negotiation.
Using IPsec no longer requires a ubiquitous public key infrastructure. IKEv2 provides flexible identification and authentication methods, including email addresses, passwords, tokens, non-infrastructure public keys, and Kerberos credentials. Therefore, by combining host IPsec policy with firewall access policy, IKEv2 can be used to negotiate IPsec secure connections for temporary, ad hoc application groups, as well as for long-lived communities of trusted hosts. The firewalled hosts in these groups are resilient to untrusted network attacks while providing authorized, secure connectivity for IPv6 applications end-to-end through their host firewalls. A scenario using secure host-to-host file sharing is examined, indicating the points of integration necessary for a seamless user experience. Results of testing this model are presented using Windows XP SP2, along with references to more detailed testing guides and opportunities.
Since many business and home networks are connected to the Internet through edge firewalls, there needs to be an IPv6 solution for edge firewall traversal. This paper reviews mechanisms for traversing the gateway contained in the recently updated IETF IPsec Architecture (RFC4301) and IKEv2 protocols. However, IPv6 hosts are not currently required to implement all of the features necessary for using IKEv1 or IKEv2 and IPsec to traverse the gateway and host firewall. A consensus within the IPv6 community is needed in order to solidify the details for achieving these scenarios and thus update the standardized requirements for IPv6 hosts. If the IPv6 community does not provide a consensus solution to host firewall traversal, then the IPv6 end-to-end benefits for Internet applications may be lost. Similarly, interoperability for a given scenario (such as file sharing) will be difficult to achieve among IPv6 devices, appliances and hosts when deployed within internal networks.
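The host-firewall decision this abstract describes can be sketched as a small policy model. This is an added example, not code from the paper or from any product: the rule table, ports (445/tcp standing in for file sharing), addresses and identities are constructed, and the SPI lookup stands in for real ESP integrity verification.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy: each inbound "hole" lists the IKE identities allowed through it.
FIREWALL_RULES = {
    ("tcp", 445): {"alice@example.com", "bob@example.com"},
    ("tcp", 8443): {"alice@example.com"},
}

@dataclass(frozen=True)
class SecurityAssociation:
    peer_addr: str   # IPv6 address of the peer
    peer_id: str     # identity authenticated during the IKE negotiation
    proto: str       # negotiated traffic selector: upper-layer protocol
    port: int        # negotiated traffic selector: local port

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dst_port: int
    spi: Optional[int] = None   # None means the packet arrived in the clear

# Constructed SA database, as if filled in by completed IKE negotiations.
SAD = {
    0x1001: SecurityAssociation("2001:db8::a", "alice@example.com", "tcp", 445),
    0x1002: SecurityAssociation("2001:db8::c", "carol@example.com", "tcp", 445),
}

def decide(pkt, sad=SAD):
    """Return (verdict, reason) for one inbound packet."""
    allowed_ids = FIREWALL_RULES.get((pkt.proto, pkt.dst_port))
    if allowed_ids is None:
        return "drop", "no rule for this port"
    if pkt.spi is None:
        return "drop", "not IPsec-protected"
    sa = sad.get(pkt.spi)
    if sa is None or sa.peer_addr != pkt.src:
        return "drop", "no matching SA"
    if (sa.proto, sa.port) != (pkt.proto, pkt.dst_port):
        return "drop", "outside negotiated traffic selectors"
    if sa.peer_id not in allowed_ids:
        return "drop", "identity not authorized"
    return "allow", "authenticated as " + sa.peer_id

if __name__ == "__main__":
    for p in (Packet("2001:db8::a", "tcp", 445, 0x1001),
              Packet("2001:db8::b", "tcp", 445),
              Packet("2001:db8::c", "tcp", 445, 0x1002),
              Packet("2001:db8::a", "tcp", 8443, 0x1001)):
        print(p.src, p.dst_port, decide(p))
```

The hole for 445/tcp exists in the rule table, yet a cleartext packet and an authenticated but unlisted identity are both dropped, which is the difference from a firewall that opens the port to every source.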

IPv6 Testing – Let's Get Real
 

IPv6 is here to stay. Progressive vendors have already delivered operational IPv6 hardware and software. These implementations have been tested by several different organizations, including Federal agencies (Moonv6 and other similar endeavors), universities and independent test labs. In most cases, the products have successfully passed these tests. From these tests, we can confidently conclude that IPv6 packets can generally be created, forwarded and processed by several different equipment manufacturers.
It is now time to move to the next phase of IPv6 testing. The basic functionality has been verified in labs throughout the world. However, these tests have typically taken place in highly isolated and static environments with no other extraneous variables. Now is the time to introduce realism to IPv6 testing. In fact, the next phase of testing should also see how devices perform under adverse conditions and worst-case scenarios.
Real networks are constantly changing entities. Users often move, traffic patterns are unpredictable and failures consistently occur at the most inconvenient times and locations. This is the type of environment that must be emulated in the lab in order to determine how a device will function in the real world.

IPsec: Securing Your Network Today to Prepare for Tomorrow
 

It was no surprise that security was a hot topic at last month's US IPv6 Summit. The new opportunities and risks that have been introduced by today's nearly ubiquitous network connectivity appear to only grow in scope with the adoption of IPv6. These sentiments were certainly present during the full-day security tutorial at the Summit.
Common questions like, "Do I really want my data center to be globally addressable?" or "how do I enable true end-to-end connectivity without giving up the IP address obscurity provided by my NAT?" have been echoed by many IT professionals during their IPv6 deployment planning. Compounding these challenges are regulatory requirements for greater data privacy protection which appear, on the surface, to be counter to the "seamless networking" vision that IPv6 can help make a reality.
These are important questions to ask, but they need not become roadblocks to IPv6 adoption.
The good news is there are tools and solutions already available to you — in the IPv4 world — that can help you prepare for a more secure IPv6 transition. One in particular is IPsec (Internet Protocol security) and a solution based on it called, "Server and Domain Isolation."

IPv6 and The Power of Intention: 2006 is Your Last Chance for Greenfield Leadership
 

Last January in 6Sense I wrote an article called "Goals and Wishes for IPv6 in 2006: The Groundwork Must Be in Place this Year". In that article I listed ten goals for 2005, each of which was a stretch goal. I'm pleased that I was able to participate in getting three of these achieved, #2, 4, and 7. See for yourself:
2. All federal agencies need to come up with IPv6 transition plans, and the Office of Management and Budget must mandate transition of all federal systems to IPv6 by 2011, at the latest. This will still put the US years behind Japan, Korea, and the European Union, and possibly even India and China, but it's better than no goal at all. Why must the federal government mandate IPv6? Because the federal government is still using Windows 95 and the Dept. of Defense had a mandate to use Windows 2000 until now departed DoD CIO John Stenbit changed the mandate: if there is no mandate to move to new systems, then the unwritten mandate will be to use ever older systems. The US federal government alone spends about $100 billion on IT, out of $1 trillion spent in the US annually for IT. Without that massive budget moving to create demand that covers 10% of the market, there will not be a critical mass large enough to get the entire IT industry moving to IPv6 products and services.
I got just what I asked for. It was a contentious issue — in the (probably) never to be published Dept. of Commerce IPv6 early draft, on page 54, under section 4.20, on, “Government’s Role in Development and Deployment,” it was concluded:
"Finally, government has an important role to play as a major consumer of IPv6 products and services, but it should not mandate adoption by industry or government agencies in the United States. Private sector decisions to purchase IPv6 products and services should be market driven, without influence from federal government mandates." On page 65, the point is made bluntly: "All stakeholders agreed that a mandate for IPv6 is not appropriate at this time."

The IPv6 Juggernaut is Beginning to Move
 

In an article that appeared in 6Sense a few months ago, I attempted to read the temperature of the IPv6 community, and concluded that IPv6 deployment did not lack momentum, though speed was not readily visible. The United States IPv6 Summit held at Reston, VA, in December, provided a good vantage point to observe and gather a perspective on where IPv6 has been headed since. Based on impressions gathered at this Summit, and general happenings in the IPv6 world, it appears that the IPv6 Juggernaut is now beginning to move!
STRONG MIND SHARE
The December 2005 United States IPv6 Summit attracted about 671 attendees from a variety of different sectors including the armed forces, various government agencies, industry, academia and some foreign nations including Japan and Taiwan. The conference drew speakers from the highest ranks of the US government, armed forces, business, and technology communities. The speakers included a congressman, a four-star admiral, senior decision makers from the US Department of Defense and civilian agencies, the president of IEEE-USA, the CEO of the National Academy of Arts and Sciences, and representatives of prominent businesses in the networking industry. It was clearly evident that IPv6 continues to gain mind share among those who wield considerable influence in shaping the course of things.
LEAD TURNING INTO LIABILITY
Hon. Congressman Tom Davis, who chaired the Congressional Committee hearings on IPv6 a few months ago, expressed continued support for IPv6 deployment in the US. He pointed out once again that governments in Asia have invested hundreds of millions of dollars in IPv6 deployment, while the US has not spent even a fraction of the amount spent by China. He warned that the lead garnered by the US in the original Internet is turning into a liability, leaving the country stuck with a legacy system.