Enterasys - Secure Networks


Enterasys and IPv6

IPv6 is the new IP protocol designed to replace IPv4—the Internet protocol that is predominantly deployed and extensively used throughout the world. Because IPv6 quadruples network address bits, it allows for a significantly larger number of unique IP addresses to support more network users, devices and applications.

Many enterprises—especially in the federal government sector—are expected to be IPv6 compliant by 2008.

Enterasys and our broad portfolio of Secure Networks products will fully support IPv6 in the coming months. Please review our roadmap for the availability of specific IPv6-compatible products.


The Next-Generation Internet and IPv6

Background
IPv6 Benefits
Introducing IPv6
IPv6 Deployment Strategies
IPv6 in a Secure Networks Architecture
Summary

Background

For nearly 30 years, IPv4 has provided a gateway to the Internet for millions of people. IPv4 creators based the protocol on an address length of 32 bits, capable of supporting a potential 4.3 billion network hosts, surely enough to cater for the computing needs of the whole world. In reality, the number of usable addresses is significantly lower. According to IETF RFC 3194, there are roughly 250 million usable addresses for hosts. The continued phenomenal growth of the Internet is such that there will be an estimated 950 million Internet users by the end of 2004, and with the U.S. Census Bureau estimating that the world’s population will reach 9 billion people by the year 2050, this obviously requires an Internet protocol that can scale to allow the world population Internet access. This need is compounded by the aggressive roll-out of high-speed broadband access, integrated IP telephony services and the pervasive use of networked devices such as PDAs, cell phones and Wi-Fi devices, which will mean many devices per user, as opposed to today where users traditionally have just one device.

Strategies to extend the capabilities of IPv4 include the provision of software features that enhance the scalability of IPv4 addresses and extend its lifetime. Technologies such as Network Address Translation (NAT) and Classless Inter-domain Routing (CIDR) have been developed and deployed to increase the number of network users on a network without the need for additional IPv4 addresses. However, these techniques are only short-term fixes and bring with them a different set of problems. For example, NAT inhibits host-to-host communications, one of the founding design principles of the Internet.

Lack of IP address space has become a strategic issue across the world, especially in Asia and some parts of Europe where access to blocks of IP addresses is severely limited. When IP addresses were originally handed out, the United States had the most advanced computer technology infrastructure; therefore, it is no surprise that it holds approximately 75 percent of all IP addresses. Consider the fact that China, the most populous country in the world, has the same number of official IP addresses as the Massachusetts Institute of Technology. This highlights the massive disparity in the distribution of IPv4 addresses. While it is not anticipated that IPv4 will run out of addresses in the very near future, there are significant drivers pushing for the implementation of a new protocol, one that resolves not just the areas of address depletion but other critical limitations of IPv4 including efficient packet handling, ease of networking, authentication and security. This new protocol is IPv6.

IPv6 Benefits

  • IPv6 extends IPv4’s theoretical limit of 4.3 billion addresses to 340 trillion, trillion, trillion.
    — Internet devices will grow by an order of magnitude over the following years.
    — It is estimated that available IPv4 addresses will expire sometime between 2006 and 2010.
  • For the enterprise network, IPv6 provides improvements over IPv4: increased security, mobility, QoS, and scalability.
  • IPv6 will become the de facto standard for the Internet in the future (although IPv4 and IPv6 will co-exist for the foreseeable future).

Introducing IPv6

In the early 1990s the Internet Engineering Task Force (IETF) formed the Internet Protocol Next Generation (IPng) Working Group whose remit was to create a more scalable Internet protocol and address several other issues surrounding IPv4 addresses. Introducing several major modifications, IPv6 not only extends the address length to 128 bits, but also changes the IP header format and the way header information is processed. The present standard for IPv6 is based upon RFC 2460.

IPv6 quadruples the number of network address bits from 32 for IPv4 to a 128-bit long address: 3.4 x 10^38 or 340 trillion, trillion, trillion addresses. This number represents more than enough unique addresses for every network device on the planet today and in the future. While a larger address space enhances global scalability, IPv6 provides additional benefits including:

  • Simplified header format for efficient packet handling. The IPv6 header has a new simplified format, which has a fixed length of 40 bits, compared to IPv4 in which the header can be either 20, 40 or 60 bits wide. In IPv6, option fields are placed in extension headers that are placed after the IPv6 header. If the optional fields aren't used, the extension headers aren't necessary, and packet size is reduced.
  • The streamlined IPv6 header provides more efficient processing at intermediate routers. Routers no longer do fragmentation in IPv6, thereby removing the processing issues caused by routers managing IPv4 fragmentation. Also, there is no need to recalculate a checksum. To improve performance still further, all the fields in IPv6 are 64 bits, taking advantage of the current generation of 64-bit processors.
  • Hierarchical network architecture for routing efficiency. The Internet is hierarchical in nature and the IPv6 protocol is designed with this in mind. IPv6 global addresses are designed to create an efficient, hierarchical routing infrastructure with the ability to summarize routing tables. This will enable backbone routers to have much smaller routing tables in comparison to IPv4 tables resulting in a more stable network.
  • Auto-configuration and plug-and-play support. With the rapid increase in the sheer number of devices on the Internet today, enhanced dynamic reconfigurability is becoming an absolute necessity. IPv6’s plug-and-play capabilities, such as Anycast address support and address auto-configuration, simplify host configuration by using addresses that are derived from prefixes advertised by local routers, and are indispensable features.
  • Elimination of the need for Network Address Translation (NAT) and Application Layer Gateways (ALG). Network Address Translation has proven to be an effective way for many hosts to share a single or small group of public IPv4 addresses. The most critical deficiency of NAT-based architectures is the inability to allow host-to-host communications. A NAT access network simply does not allow client devices to run as servers because of the inability of NAT to map incoming connections to its clients’ private IP addresses. One workaround for this limitation is to deploy an Application Layer Gateway (ALG) on the NAT for each service of interest. This can prove to be a costly solution for enabling just a few services through NATs. IPv6 has none of these limitations, allowing a much simpler implementation for applications such as Voice-over-IP and real-time videoconferencing.
  • Embedded security with mandatory IPSec implementation. End-to-end security can be accomplished by deploying IPSec. However, in an IPv4 environment utilizing NATs, IPSec cannot be deployed end to end. While there are work-arounds to this implementation, they all have limitations and risks. IPSec is natively supported in IPv6 and thus any device that supports IPv6 can communicate using IPSec regardless of the device's operating system. Therefore, end-to-end security will be easier to build and deploy in an IPv6 world.
  • Enhanced support for Mobile IP and mobile computing devices. Mobile IPv4 is the IETF standard for handling mobility of an IPv4 node across the Internet. However, implementation of Mobile IP is difficult and cumbersome. Within an IPv6 environment, Mobile IP design and deployment enjoys both the availability of addresses and extensibility provided by the IPv6 protocol. The simplification of mobile networking in IPv6 could enable Internet users to remain seamlessly connected and easily reachable when portable or mobile devices move from their home networks to other unaffiliated networks.
  • Better support for Quality of Service (QoS). QoS is natively supported in IPv6. New fields in the IPv6 header define how traffic is identified and handled. QoS is vital for the support of applications like VoIP that require guaranteed throughput. Because the traffic is identified in the IPv6 header, support for QoS can be easily achieved even when the packet payload is encrypted with IPSec.

IPv6 Deployment Strategies

When it comes to deploying IPv6, it is likely that different geographies will evolve at different rates. The lack of address space in Asia is a key driver, and as such, countries like China, Korea and Japan will migrate to IPv6 more quickly than countries in Europe and North America. While the lack of address space is not so great an issue in the United States, another factor that will influence the adoption of IPv6 is the fact that the U.S. Department of Defense (DoD) has mandated that only IPv6-capable products can be developed, procured or acquired for the Global Information Grid project.

That being said, it is likely that IPv4 will be the dominant protocol for several more years to come. In all likelihood it will be 2009 before IPv6 packets account for significant amounts of Internet traffic.

Enterasys Secure Networks solutions include a rich and robust IPv6 feature set, implementing several techniques for deploying IPv6, while providing mechanisms that assure the coexistence and interoperability with existing IPv4-based infrastructures.

There are two main techniques for deploying IPv6 networks with IPv4 networks:

The first technique is the dual-stack network. This approach requires hosts and routers to implement both IPv4 and IPv6 protocols. This enables networks to support both IPv4 and IPv6 services and applications during the transition period in which IPv6 services emerge and IPv6 applications become available. At the present time, the dual-stack approach is a fundamental mechanism for introducing IPv6 in existing IPv4 architectures and is expected to be the most widely utilized migration strategy.

Dual-Stack Implementation

The second technique relies on tunneling. Tunneling enables the interconnection of IP clouds. For instance, separate IPv6 networks can be interconnected through a native IPv4 service by means of a tunnel. IPv6 packets are encapsulated by a border router before transportation across an IPv4 network and decapsulated at the border of the receiving IPv6 network. Tunnels can be statically or dynamically configured, or implicit (6to4, 6over4).

IPv6 over IPv4 Tunnelling
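
A monitoring-side view of the encapsulation described above, as an added example that is not Enterasys code: it recognises IPv6-in-IPv4 packets by IPv4 protocol number 41 and, for 6to4, checks that the IPv4 address embedded in a 2002::/16 inner source equals the outer IPv4 source. The function names, finding labels and sample packets (built from documentation address ranges) are assumptions constructed for illustration.

```python
import ipaddress
import struct

PROTO_41 = 41                                   # IPv4 protocol number for encapsulated IPv6
SIXTOFOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix: 2002:<IPv4 address>::/48

def build_sample(outer_src, outer_dst, inner_src, inner_dst, proto=PROTO_41):
    """Constructed sample: bare IPv4 header + bare IPv6 header (checksum left at 0)."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)   # version 6, no payload, hop limit 64
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, proto, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner

def inspect_tunnel(packet):
    """Classify one raw IPv4 packet as seen at a border or monitoring point."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return {"tunnel": False, "finding": "not-ipv4"}
    ihl = (packet[0] & 0x0F) * 4                        # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl or packet[9] != PROTO_41:
        return {"tunnel": False, "finding": "not-protocol-41"}
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return {"tunnel": True, "finding": "malformed-inner"}
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    result = {"tunnel": True, "outer_src": str(outer_src), "inner_src": str(inner_src)}
    if inner_src not in SIXTOFOUR:
        result["finding"] = "native-inner-source"       # e.g. relay or configured tunnel
        return result
    embedded = inner_src.sixtofour                      # IPv4 address carried in the 6to4 prefix
    result["embedded"] = str(embedded)
    result["finding"] = ("6to4-source-consistent" if embedded == outer_src
                         else "6to4-source-mismatch")
    return result

if __name__ == "__main__":
    for src in ("192.0.2.1", "203.0.113.9"):
        pkt = build_sample(src, "198.51.100.1", "2002:c000:201::1", "2002:c633:6401::1")
        print(src, inspect_tunnel(pkt))
```

Because the inner IPv6 packet rides inside ordinary IPv4, filters and sensors that only look at the outer header will not see it; matching on protocol 41 is what brings tunnelled traffic back into view.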

IPv6 in an Enterasys Secure Networks Architecture

IPv6 protocols and Secure Networks will be tied together to leverage Enterasys’ strong network intelligence model to provide a distinct competitive advantage in an IPv6 IT world. Examples of how we can achieve this revolve around the use of IPv6 Multicast and Anycast addressing. It is possible to distribute policies to management agents using Anycast addresses, ensuring that management is accessed through the nearest (presumably most efficient) interface. In particular, as Enterasys expands our Secure Networks solutions into core-related policies, it is possible to use Anycast addresses to distribute policies to routers. It is also possible for Multicast to be used to deliver policies to devices. Multicast holds tremendous promise for distributing Secure Networks policies to the appropriate set of devices, using the increased efficiencies of Multicast-over-Unicast delivery.

Summary

Enterasys Networks is focused on delivering a rich set of IPv6 products and solutions, allowing our customers to migrate in total confidence, assuring interoperability between existing IPv4 infrastructures, and offering various transition technologies. Enterasys Networks core routing and switching families provide our users with various options when implementing IPv6 for existing infrastructures and new implementations. For full details of Enterasys IPv6 solutions, please refer to the appropriate X-Pedition and Matrix product solution sets.
