Transcript IPv6

Resilience features of IPv6
ENISA Stock Taking
Sławomir Górniak
European Network and Information Security Agency
Vilnius, 30th June 2009
ENISA’s role
Centre of excellence on security and resilience issues
Trusted body, politically accountable to EU Parliament and Council
At the disposal of MSs and EU bodies
In constant relationship with public and private stakeholders
Has the mandate to express its technical opinion in international forums.
Activities for 2008-2010
Multi-annual Thematic Programmes
Strategic priorities for ENISA
Implemented through a number of Work Packages
Current focus on:
Improving Resilience in European e-Communication Networks
Developing and Maintaining co-operation between Member States
Identifying Emerging Risks for creating trust and confidence
Privacy and Trust in the Future Internet
ENISA Work Programme 2009
MTP1 – Improving resilience in European e-Communication networks
WPK 1.1 – Good practices of regulatory and policy issues
WPK 1.2 – Measures deployed by operators and good practice guidelines
WPK 1.3 – Investigation of innovative actions
WPK 1.3 – Background Info
Objectives
Analyze current and emerging technologies used by network and service providers to enhance the resilience of their operations
Scope
IP backbone technologies
Stakeholders
Equipment vendors, network operators, services providers
Research institutes and standardization bodies
Policy makers
Target Group
Regulators and Policy Makers
Operators
Vendors
MTP1 - Improving Resilience in European e-Communication networks
Collectively evaluate and improve resilience in European eCommunication networks
2008: Stock taking
• Regulation
• Market/operators
• Technology
2009: Gap analysis; Develop
• Best practices
• Guidelines
2010: Promote
• Best practices
• Recommendations
By 2010, the Commission and at least 50% of the Member States have made use of ENISA recommendations in their policy making process
Resilience
The ability of a system to provide and maintain an acceptable level of service in the face of faults (unintentional, intentional, or naturally caused) affecting normal operation.
About Resilience
Resilient networks are those that provide and maintain an acceptable level of service in the face of faults affecting their normal operation.
The main aim of resilience is for faults to be invisible to users.
Perspectives of network resilience:
Availability
Performance
Definition of Availability
Availability is the probability that an item will be able to perform its designed functions.
Availability = Reliability / (Reliability + Recovery)
Quantification of availability
Percent Availability   N-Nines   Downtime (Minutes/Year)
99%                    2-Nines   5,000 Min/Yr
99.9%                  3-Nines   500 Min/Yr
99.99%                 4-Nines   50 Min/Yr
99.999%                5-Nines   5 Min/Yr
99.9999%               6-Nines   0.5 Min/Yr
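The arithmetic behind the availability formula and the N-nines table, as an added example that is not part of the ENISA deck. It reads Reliability as mean time between failures (MTBF) and Recovery as mean time to restore (MTTR), both in hours, which is an assumption of the example, and it goes one step beyond the slide by composing availabilities for a single chain of components and for redundant parallel paths (the "resilient design" measure named later in the deck).

```python
import math

# Added example (not from the ENISA deck). Reading Reliability as MTBF and
# Recovery as MTTR, both in hours, is an assumption of this example.
MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Availability = Reliability / (Reliability + Recovery)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def downtime_minutes_per_year(avail: float) -> float:
    """Expected unavailable minutes per year; 0.999 -> 525.6 (the slide rounds to 500)."""
    if not 0.0 <= avail <= 1.0:
        raise ValueError("availability is a probability in [0, 1]")
    return (1.0 - avail) * MINUTES_PER_YEAR


def nines(avail: float) -> int:
    """Leading nines of an availability figure: 0.99 -> 2, 0.99999 -> 5."""
    if not 0.0 <= avail < 1.0:
        raise ValueError("100% availability has no finite nines count")
    # round() absorbs float noise such as 1 - 0.99 == 0.010000000000000009
    return math.floor(round(-math.log10(1.0 - avail), 9))


def nines_table(max_nines: int = 6) -> list[tuple[str, int, float]]:
    """Rebuild the slide's table as (percent, N-nines, downtime minutes/year)."""
    rows = []
    for n in range(2, max_nines + 1):
        avail = 1.0 - 10.0 ** -n
        rows.append((f"{avail * 100:.{n - 2}f}%", n, downtime_minutes_per_year(avail)))
    return rows


def serial_availability(*components: float) -> float:
    """Chain of components that must all be up (one path, no redundancy)."""
    return math.prod(components)


def redundant_availability(*paths: float) -> float:
    """Service that stays up while any one of several independent paths is up."""
    return 1.0 - math.prod(1.0 - a for a in paths)
```

Two independent paths of 99% each give 99.99% together, which is why the deck's risk mitigation measures (resilient design, media and equipment) buy more nines than improving any single component.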
Performance metrics
Measure the performance of their networks at different levels:
per-port metrics
end-user metrics
Performance metrics are as follows:
Connectivity
Delay (both round-trip and one-way)
Packet loss
Jitter or delay variation
Application response time
Measurable SLA metrics
Key Performance Indicators
Reflect the performance of the network.
Key Performance Indicators (KPIs) are:
Mapped directly from the performance metrics, or
A formula of several performance metrics.
Risks to resilience
Flash crowd events
Cyber attacks
Outages to other services, affecting the network
Natural disasters
System/Logical failings
Risk Mitigation
Network resilience is an issue of risk management.
Mitigation of identified risks involves technical measures such as:
Resilient design;
Resilient transmission media;
Resilient equipment;
…and Technologies which might improve Resilience.
Resilient Technologies
IP backbone technologies.
Technologies which might improve Resilience:
MPLS
IPv6
DNSSEC
S-BGP
Other ?
Selected Technologies
MPLS
OSI Layer 2.5 technology.
Used by operators in IP backbones, replacing Frame Relay and ATM.
IPv6
OSI Layer 3 technology replacing IPv4.
Action Plan for the deployment of Internet Protocol version 6 (IPv6) in Europe.
DNSSEC
A technology improving the security of the Domain Resolution Service.
Characteristics of IPv6
Vast address space
Simplified header
Site multihoming
IP mobility
Multicast functionality
Address autoconfiguration
Jumbograms
Mandatory support for IPsec
IPv6 – resilience features
More addresses available
Improved global reachability and flexibility
No need for Network Address Translation
Pragmatic fix for IPv4
Security as side effect
Host reconnaissance
Security as side effect!
IPv6 – resilience features
Simpler header
Routing efficiency
No broadcasts
No requirement for processing checksums
Header extension mechanisms
Flow labels
Address distribution allows prefix aggregation
Smaller Routing Table
IPv6 – resilience features
Site Multihoming
Multihoming to several Internet service providers (ISPs)
No need for Autonomous Systems
Transport sessions survive “rehoming”
IP Mobility
Route Optimization
Lower latency compared to IPv4
Under consideration for 4G
Fragmentation
Only by sending host
IPv6 – resilience features
IPsec
IPsec is already an extension for IPv4
Authentication Header (AH)
• source authentication, connectionless integrity, and protection against replay
Encapsulating Security Payload (ESP)
• confidentiality, source authentication, connectionless integrity, and replay protection
Tunnel/transport mode
IPv6 – resilience issues
Ubiquitous connectivity
NAT (again!)
Stateless auto-configuration
Privacy (correlation of traffic information)
Security (DAD based DoS attack)
Address spoofing
Application layer attacks
DoS attacks
Limited monitoring possible
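The privacy issue listed for stateless auto-configuration comes from interface identifiers derived from the MAC address: the same 64-bit suffix follows an interface from prefix to prefix, so its traffic can be correlated across networks. The block below is an added example, not from the ENISA deck; it derives the modified EUI-64 identifier as RFC 4291 specifies, and gives a check an operator can run over addresses seen in logs to find hosts that are not using randomised (RFC 4941) identifiers. The MAC and prefixes are constructed sample values.

```python
import ipaddress

# Added example (not from the ENISA deck). MAC and prefixes below are
# constructed sample values, not real hosts.


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 IID (RFC 4291 App. A): insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC-48 address expected")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]  # invert universal/local bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix + EUI-64 IID, as SLAAC forms it without privacy extensions."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def looks_eui64(addr: str) -> bool:
    """True if the low 64 bits carry the ff:fe marker of an EUI-64 IID."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def same_interface(addr_a: str, addr_b: str) -> bool:
    """Two EUI-64 addresses under different prefixes with equal IIDs: one interface."""
    mask = (1 << 64) - 1
    a = int(ipaddress.IPv6Address(addr_a)) & mask
    b = int(ipaddress.IPv6Address(addr_b)) & mask
    return looks_eui64(addr_a) and a == b


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    home = slaac_address("2001:db8:1::/64", mac)
    office = slaac_address("2001:db8:2::/64", mac)
    print(home, office, same_interface(str(home), str(office)))
```

Addresses for which looks_eui64() is false (for example 2001:db8:1::a1b2:c3d4:e5f6:789a) carry no MAC and cannot be linked this way, which is what randomised identifiers are for.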
Findings of ENISA stocktaking
Information Exchanges, Guidelines Repositories are not widely used
Private – Public Partnerships must be promoted
MPLS is well established
DNSSEC technology greatly enhances network resilience. Policies and guidelines are needed
IPv6 needs incentives
No need for regulations but for policies and recommendations
IPv6 - survey findings
Deployment status
27% already deployed
55% plan to deploy before 2011
18% declare no interest
82% of ISPs either have deployed or have plans to deploy IPv6
IPv6 - survey findings
Main key drivers
20% customer demand
20% network resilience
60% vast address space
20% technical innovation
IPv6 deployment is driven mainly by increasing demand for IP addresses
IPv6 - survey findings
Deployment options
Dual stack routers
Tunnelling over IPv4/MPLS
Key Performance Indicators
No improvement of resilience expected
Lack of operational experience
Customer reactions
No real demand for IPv6
IPv6 – France Telecom Orange case study
1995 – tests with first available devices
1997 – prefix allocated by RIPE
1997 – first interconnection through 6bone
2005 – experiments with French backbone
Currently
Two drivers – lack of addresses and internal connectivity
By 2010 connectivity for Internet, VoIP, IPTV
Build on existing infrastructure
Phase 1 – introduction, 2008
Phase 2 – migration, 2009-2010
Phase 3 – production, 2010-
IPv6 - recommendations
Ensure availability of IPv6 networks
Raise awareness of resilience features of IPv6 among ISPs and managers
Train and educate network engineers
Encourage exploitation of available expertise
ENISA and resilience – next steps
DNSSEC
Good practices guide for deploying DNSSEC
Guide for awareness raising on DNS resilience
Guide for developing policy and practices statements for TARs
Priorities of research on current and emerging network trends
Assessment of the impact of new technologies
Identification of need for research
Gaps in available standardisation
Video – ENISA and resilience
ENISA-FORTH Summer School
2nd Summer School on Network and Information Security (NIS'09)
"Privacy and Trust in a Networked World"
14-18 September 2009, Crete, Greece
http://www.nis-summer-school.eu/
Thank You
Sławomir Górniak,
European Network and Information Security Agency
Technical Competence Department
Email: [email protected]
References
http://www.enisa.europa.eu/sta
http://www.youtube.com/user/enisasta
http://www.enisa.europa.eu/sta/files/resilience_features.pdf
http://www.enisa.europa.eu/doc/pdf/resilience_tech_report.pdf