Campus IPv6 Deployment
Phillip Deneault
WPI Network Security Officer
1
Ground Rules
• IPv6 is not the same as IPv4
• Deploying IPv6 will not be the same as deploying IPv4
– Universities have in place policies, expected behaviors, security bolt-ons, well-developed tools, etc.
• Successful deployment (‘Going native’) will require:
– Communication to all parties involved
– Understanding the requirements
– Mindful execution
2
Communication
• Management needs to be engaged to understand both the monetary requirements and the benefits
• Networking needs to work with Security and Security needs to work with Networking.
– Neither side can be allowed to be happy and get its way all the time.
• Sysadmins need to be engaged to make sure their systems are deployed maintaining the same level of security and robustness they had before
– Load balancing, blacklists, host-level firewalls, etc.
3
Understanding the Requirements
You have an expectation of how IPv4 fits into your business and operating procedures, and these will not perfectly fit into an IPv6 network.
4
Understanding the Requirements
• Many of these differences come from:
– Auto-configuration of addresses
• Policy enforcement (e.g. abuse tracking)
– Reliance on the scarcity of IPv4 addresses
• Auditing (e.g. vulnerability assessment)
– Lack of ‘Feature Parity’
• Procurement (e.g. IPv4 vs. IPv6 vendor support)
– Transitional technologies
• Support (e.g. network troubleshooting)
5
Mindful Execution
1. Get an IPv6 Allocation
– Two types of addresses
• ISP allocation
• Provider Independent
– Provider Independent
• ARIN (http://www.getipv6.info/index.php/How_do_I_get_IPv6_from_ARIN)
• /40 or larger
– ISP allocation
• Internet2/Local Connector
• Don’t get less than a /48
6
Mindful Execution
1a. Check for support throughout your network equipment
– Network
• Router - Switches - Hubs - Bandwidth Management
• DHCP - DNS - NTP - WINS
– Security
• Firewalls - IDS/IPS - Flow Monitoring - Logging
– Applications
• WWW - SMTP
– This will turn up technical/policy/process problems
– Keyword: ‘Feature Parity’
– Pitfalls: Blanket ‘Yes’ answers
7
Mindful Execution
2a. Announce the Address Space
– Check for basic connectivity
2b. Evaluate Transitional Technologies
– It might make sense to deploy something while trying to ‘Go Native’
– More on this in a moment
2c. Develop DNS resources
– Network Registration system might trip you up
– Start with an exception list if necessary
– http://www.getipv6.info/index.php/DNS_and_Naming_Issues
2d. Statically define a few non-essential machines
– Graduate to some essential machines (www)
8
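Steps 2c and 2d above (DNS resources, then a handful of statically defined machines) are where address-assignment and naming conventions get decided in practice. The following is an added example, not code from the slides or from WPI: it carves a /48 into per-VLAN /64s, gives a few servers hand-picked static addresses, and emits the matching AAAA and ip6.arpa PTR records. The allocation (from the 2001:db8::/32 documentation prefix), the VLAN numbers, the host names and the interface identifiers are all constructed for the example.

```python
"""Carve a campus /48 into per-VLAN /64s and emit the AAAA and PTR records for
statically addressed servers. Added example, not from the slides; the
allocation, VLAN numbers and host names below are constructed."""
import ipaddress

# Constructed: a /48 ISP allocation (the smallest the slides say to accept),
# taken from the documentation prefix 2001:db8::/32.
ALLOCATION = ipaddress.IPv6Network("2001:db8:1234::/48")

# Constructed VLAN table. Putting the VLAN number into the 16-bit subnet field
# (bits 48-63) of the /48 makes every /64 readable on sight.
VLANS = {10: "servers", 20: "staff", 30: "labs"}

# Constructed static hosts: name -> (VLAN, interface identifier). Servers get
# short, hand-picked IIDs so that addresses stay stable and easy to remember.
STATIC_HOSTS = {
    "www.example.edu": (10, 0x80),
    "mail.example.edu": (10, 0x25),
    "ns1.example.edu": (10, 0x53),
}


def vlan_prefix(allocation, vlan_id):
    """Return the /64 for a VLAN: allocation prefix with the VLAN id in the subnet field."""
    if allocation.prefixlen > 64:
        raise ValueError("allocation must be a /64 or larger")
    subnet_bits = 64 - allocation.prefixlen
    if not 0 <= vlan_id < (1 << subnet_bits):
        raise ValueError(f"VLAN {vlan_id} does not fit in {subnet_bits} subnet bits")
    base = int(allocation.network_address)
    return ipaddress.IPv6Network((base | (vlan_id << 64), 64))


def static_address(allocation, vlan_id, iid):
    """Address of a statically configured host: the VLAN /64 plus a chosen interface id."""
    if not 0 < iid < (1 << 64):
        raise ValueError("interface identifier must be non-zero and fit in 64 bits")
    return ipaddress.IPv6Address(int(vlan_prefix(allocation, vlan_id).network_address) | iid)


def reverse_zone(prefix):
    """Apex of the ip6.arpa zone for a prefix. Reverse DNS is delegated one
    nibble (4 bits) at a time, so the prefix length must be a multiple of 4."""
    if prefix.prefixlen % 4:
        raise ValueError("ip6.arpa delegation needs a prefix length that is a multiple of 4")
    nibbles = prefix.network_address.exploded.replace(":", "")[: prefix.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def dns_records(allocation, hosts):
    """Return (AAAA lines, PTR lines) for the static hosts, in zone-file syntax."""
    aaaa, ptr = [], []
    for name, (vlan_id, iid) in sorted(hosts.items()):
        addr = static_address(allocation, vlan_id, iid)
        aaaa.append(f"{name}. IN AAAA {addr}")
        ptr.append(f"{addr.reverse_pointer}. IN PTR {name}.")
    return aaaa, ptr


if __name__ == "__main__":
    for vlan_id, purpose in VLANS.items():
        print(f"VLAN {vlan_id:<4} {purpose:<8} {vlan_prefix(ALLOCATION, vlan_id)}")
    print("reverse zone:", reverse_zone(ALLOCATION))
    for group in dns_records(ALLOCATION, STATIC_HOSTS):
        for line in group:
            print(line)
```

The point of the nibble check in `reverse_zone` is the one that trips up registration systems built around IPv4: a /48 delegates cleanly (12 nibbles), but an allocation or VLAN scheme that lands on a non-nibble boundary cannot be delegated as a single ip6.arpa zone.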
Mindful Execution
3. Deploy to Clients
– At this point, you will have ‘Gone Native’
– You should be comfortable with your infrastructure, procedures, and security before you flip the switch.
• You might be making trade-offs with accessibility if you aren’t
4. Sometime, this side of never, get rid of IPv4
9
“Transitional Technologies”
• A series of protocols for tunneling IPv6 over IPv4 to enable accessibility
– 6to4 and Teredo
• On by default in Windows Vista/7, OSX 10.4 and up
• All these technologies function on similar principles
– Client auto-configures with a v6 address
– Client queries for relays
– Client sends the IPv6 packet inside an IPv4 packet
– Relay strips off the IPv4 header and forwards the IPv6 packet.
10
“Transitional Technologies”
• You need to decide what to do with these technologies if you haven’t yet
– Choose to ignore
• They will bypass your firewall
• They will cause odd network issues in certain situations
• They will send traffic to relays you don’t control
– Choose to block
• Easy (IP protocol 41 and UDP port 3544)
• Eliminates IPv6 accessibility
• Not sustainable unless IPv6 is deployed natively in the short term
– Choose to run your own relay
• Control what leaves your network
• Control your own relay
• Might be a good idea if you think native deployment is going to take a long time
11
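Whichever of the three options you pick, you first need to know how much 6to4 and Teredo traffic is already leaving the campus and which clients generate it. The following is an added example, not code from the slides or from WPI, serving both the "similar principles" slide and the ignore/block/relay slide above: it flags tunnel traffic in border flow records using the two identifiers the slides name (IP protocol 41 and UDP port 3544), and it decodes the IPv4 addresses that 6to4 (2002::/16) and Teredo (2001::/32) addresses embed, which is how a flow seen in IPv6 logs is mapped back to the IPv4 host behind it. The flow records, the addresses and the `Flow` class are constructed for the example; the relay anycast address 192.88.99.1 and the address layouts are the standard 6to4 and Teredo ones.

```python
"""Spot 6to4 and Teredo traffic in border flow records and decode the IPv4
endpoints that transitional addresses embed. Added example, not from the
slides; flow records and addresses are constructed from documentation ranges."""
import ipaddress
from dataclasses import dataclass

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")  # 6to4: 2002:<IPv4 in hex>::/48
TEREDO = ipaddress.IPv6Network("2001::/32")     # Teredo: 2001:0:<server>:<flags>:<~port>:<~client>
PROTO_41 = 41           # IPv6 encapsulated directly in IPv4 (6to4 and similar tunnels)
TEREDO_UDP_PORT = 3544  # UDP port Teredo clients use to reach servers and relays


@dataclass(frozen=True)
class Flow:
    """Constructed stand-in for one IPv4 flow record from a border exporter."""
    src: str
    dst: str
    proto: int
    dport: int


# Constructed flow records, as a border NetFlow/IPFIX exporter might report them.
FLOWS = [
    Flow("198.51.100.23", "192.0.2.10", 6, 443),     # ordinary HTTPS
    Flow("198.51.100.23", "192.88.99.1", 41, 0),     # 6to4 to the public anycast relay
    Flow("198.51.100.77", "203.0.113.5", 17, 3544),  # Teredo to an outside server
    Flow("198.51.100.77", "203.0.113.5", 17, 53),    # DNS, same hosts, not a tunnel
]


def classify_flow(flow):
    """Label a flow that carries tunneled IPv6, or return None for ordinary traffic."""
    if flow.proto == PROTO_41:
        return "proto-41 (6to4 or similar tunnel)"
    if flow.proto == 17 and flow.dport == TEREDO_UDP_PORT:
        return "teredo"
    return None


def tunnel_flows(flows):
    """(flow, label) pairs for every flow that bypasses the native IPv6 controls."""
    found = []
    for flow in flows:
        label = classify_flow(flow)
        if label:
            found.append((flow, label))
    return found


def decode_6to4(addr):
    """IPv4 address embedded in a 6to4 address (bits 16-47), or None."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTOFOUR:
        return None
    return str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))


def decode_teredo(addr):
    """(server IPv4, client IPv4, client UDP port) from a Teredo address, or None.
    The client's port and address are stored XORed with all-ones so that a NAT
    rewriting the packet does not also rewrite them."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO:
        return None
    n = int(a)
    server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)
    port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return str(server), str(client), port


def classify_address(addr):
    """'6to4', 'teredo' or 'native' for an IPv6 address seen in logs."""
    a = ipaddress.IPv6Address(addr)
    if a in SIXTOFOUR:
        return "6to4"
    if a in TEREDO:
        return "teredo"
    return "native"


if __name__ == "__main__":
    for flow, label in tunnel_flows(FLOWS):
        print(f"{flow.src} -> {flow.dst}: {label}")
    # Constructed addresses: 6to4 for 198.51.100.23, Teredo via server 203.0.113.5
    print(decode_6to4("2002:c633:6417::1"))
    print(decode_teredo("2001:0:cb00:7105:8000:63bf:39cc:9bb2"))
```

Run against real exporter data, the protocol-41 match also catches ISATAP and manually configured tunnels, which is why the label is broader than "6to4"; and the Teredo port match only sees client-to-server traffic, since relay traffic can use any port once the client has qualified. If you choose to block, the same two identifiers are what the border ACL matches on; if you run your own relay, the decoded client addresses tell you which subnets are still depending on it.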
Checklist
• Communication to all parties involved
– Engage management
– If you are networking, engage your security people
– If you are security, engage your networking people
– Coordinate with server admins; they need to support IPv6 too
• Understanding the requirements and issues
– Work on making your infrastructure support IPv6 now
– Evaluate current tools you have and options
– Add requirements during procurement phases and RFPs
– Plan for replacement tools if necessary
– Pester your vendors for features you will need (“Feature parity”)
• Mindful execution
– Think about address assignment methods and DNS conventions
– Start small and work up to big
– Decide what to do about transitional technologies
12
Resources
• ARIN IPv6 Wiki - Lots of Getting Started documentation
– http://www.getipv6.info/index.php/Main_Page
• Top 10 Tasks for IPv6 Application Developers
– http://www.networkworld.com/community/blog/top-10-tasks-ipv6application-developers
• Test your IPv6 Connectivity!
– http://test-ipv6.com/
• NIST Special Publication 800-119 - Guidelines for the Secure Deployment of IPv6
– http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
• April 28th - SANS SEC546 IPv6 Essentials for EDUs
– https://www.sans.org/registration/ivc.php?lid=23818
Thanks for listening – feedback welcome - [email protected]
13