Break-ins, viruses and trojans do not stop at IPv6 either. As market leader in Unified Threat Management (UTM), Fortinet develops comprehensive security solutions to combat such threats - for IPv4 and IPv6 networks. This workshop-oriented talk shows the need for comprehensive security solutions when migrating to IPv6.
2. Drivers for IPv6
• Basic Demand Drivers
• More network appliances but lack of IPv4 addresses to support
• Control OpEx for network and IT
• Elimination of complex NAT networks
• Strong intrinsic security
• Better support for mobility applications
• Greater flexibility and simplicity
• New Opportunities to Improve Business Performance
• Business process improvements
• New business opportunities
• More addresses for objects – enhanced automation and productivity
• Machine-to-Machine (M2M) telematics / *Internet of Things*
• IPv6 connection to anything
3. IPv6 – it's time for preparing the step
... and basically – we run out of IPv4 addresses
To stay competitive, we must open the door for IPv6 and use its foremost
Snapshot June 3rd 2011
4. Migration Complexities
Deployment Considerations
• Compatibility issues between IPv4 and IPv6
• Vendor interoperability issues with IPv6
• Potential security issues
• Network management considerations
• Existing hardware may not handle IPv6 traffic efficiently
• Router memory and CPU limitations may preclude IPv6 deployment
• Technology refresh cycles can be exploited to deploy IPv6 capabilities
• Global public routing practices continue to evolve
5. The most important targets of IPv6
• Larger IP address space
• IP addresses are 128 bits (instead of 32 bits)
• Advanced header structure
• Improved processing capability through sub-segmenting of essential and optional header fields (in Extension Headers)
• Different IPv6 address types
• Public IPv4 addresses correspond with Global Unicast Addresses
• Private IPv4 addresses correspond with Site Local Unicast Addresses
• Special address types for using IPv4 and IPv6 in parallel
• Support of autoconfiguration
• Should follow the Plug-and-Play principle
• Improved security
• 2 additional Extension Headers are foreseen (Encapsulating Security Payload Header and Authentication Header)
• Both can be used in IPv4 as well
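The split into a fixed header plus a chain of optional Extension Headers means a firewall has to walk the Next Header chain before it knows which upper-layer protocol to apply policy to. The following is an added illustration (not Fortinet code) that walks that chain over constructed sample packets, sizing each header type by its own length rule and stopping at ESP, where the payload is encrypted and cannot be inspected further.

```python
import struct

# IANA protocol numbers used as IPv6 Next Header values.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
NAMES = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH",
         59: "No Next Header", 60: "Destination Options", 6: "TCP", 17: "UDP", 58: "ICMPv6"}


def walk_headers(pkt: bytes) -> list:
    """Follow the Next Header chain and return [(header name, byte offset), ...].

    The last entry is the upper-layer protocol a policy can match on, or ESP,
    beyond which nothing is visible without the IPsec keys.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while True:
        if off > len(pkt):
            raise ValueError("header chain runs past end of packet")
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, FRAGMENT, AH):
            if off + 8 > len(pkt):
                raise ValueError(f"truncated {NAMES[nh]} header at offset {off}")
            if nh == HOP_BY_HOP and off != 40:
                raise ValueError("Hop-by-Hop header must directly follow the fixed header")
            chain.append((NAMES[nh], off))
            if nh == FRAGMENT:
                size = 8                          # fixed-size header
            elif nh == AH:
                size = (pkt[off + 1] + 2) * 4     # Payload Len: 32-bit words minus 2
            else:
                size = (pkt[off + 1] + 1) * 8     # Hdr Ext Len: 8-octet units minus 1
            nh, off = pkt[off], off + size        # byte 0 of every extension header is Next Header
        elif nh == ESP:
            chain.append(("ESP", off))            # encrypted payload: inspection stops here
            return chain
        else:
            chain.append((NAMES.get(nh, f"protocol {nh}"), off))
            return chain


def ipv6_packet(first_nh: int, body: bytes) -> bytes:
    """Constructed sample: 40-byte fixed header (all-zero addresses) plus body."""
    return struct.pack("!IHBB", 6 << 28, len(body), first_nh, 64) + bytes(32) + body


# Constructed sample 1: Hop-by-Hop (one PadN option) -> AH with 12-byte ICV -> TCP
HBH = bytes([AH, 0, 1, 4, 0, 0, 0, 0])                          # next=AH, ext len 0 -> 8 bytes
AH_HDR = bytes([6, 4, 0, 0]) + bytes(4) + bytes(4) + bytes(12)  # next=TCP, (4+2)*4 = 24 bytes
SAMPLE_AH = ipv6_packet(HOP_BY_HOP, HBH + AH_HDR + bytes(20))
# Constructed sample 2: ESP directly after the fixed header
SAMPLE_ESP = ipv6_packet(ESP, bytes(8) + bytes(16))

if __name__ == "__main__":
    print(walk_headers(SAMPLE_AH))   # [('Hop-by-Hop', 40), ('AH', 48), ('TCP', 72)]
    print(walk_headers(SAMPLE_ESP))  # [('ESP', 40)]
```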
6. Principle Design Consideration
• “Dual stack when you can – Tunnel when you must – Translate when no other option works”
• Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management
• Now is your time to build a network your way – don’t carry the IPv4 mindset forward with IPv6 unless it makes sense
• Design Consistency with IPv4
• Design should work across all WAN clouds, LAN, Enterprises, Data Center, Campus, etc
• Deploy it – at least in a lab – IPv6 won’t bite
• Consider the human factor, keep it simple!
(Sidebar graphic: OSI layers L1 Physical, L2 Data Link, L3 Network, L4 Transport, L5 Session, L6 Presentation, L7 Application, extended tongue-in-cheek with L8 Political and L9 Religious)
9. IPv6 Address Types – well-known Multicast
• Interface-local scope
• FF01::1 all-nodes
• FF01::2 all-routers
• Link-local scope
• FF02::1 all-nodes
• FF02::2 all-routers
• FF02::5 OSPFIGP
• FF02::9 RIP-routers
• FF02::B Mobile Agents
• FF02::6A all snoopers
• FF02::1:2 all DHCP agents
• Site-local scope
• FF05::1:3 all-routers
• FF05::1:3 all DHCP servers
• NTP servers by scope
• FF01::101 all NTP servers on the same node as sender
• FF02::101 all NTP servers on the same link as sender
• FF05::101 all NTP servers on the same site as sender
• FF0E::101 all NTP servers in the internet
Global Unicast Addresses correspond with Public IPv4 addresses
Site Local Unicast Addresses correspond with Private IPv4 addresses
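The NTP entries show the point of the slide: the same group id (::101) is reached at node, link, site or internet scope purely by the scope nibble after FF0. As an added example (not from the slide deck or Fortinet), the code below decodes flags, scope and group id of any IPv6 multicast address with the standard library, names the well-known groups using the RFC 4291/RFC 3315 assignments, and flags which scopes a router may forward at all, since link-local groups arriving from a WAN interface are a policy or spoofing anomaly worth alerting on.

```python
import ipaddress

# Scope nibble of an FF0s:: address (RFC 4291, section 2.7).
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}

# Well-known group ids: group id -> (scopes the name is defined for, name).
# None means the id is defined for every scope, as with the NTP group ::101.
WELL_KNOWN = {
    0x1: ({0x1, 0x2}, "all-nodes"),
    0x2: ({0x1, 0x2, 0x5}, "all-routers"),
    0x5: ({0x2}, "OSPFIGP"),
    0x9: ({0x2}, "RIP routers"),
    0xB: ({0x2}, "Mobile Agents"),
    0x6A: ({0x2}, "all snoopers"),
    0x0001_0002: ({0x2}, "all DHCP agents"),     # FF02::1:2
    0x0001_0003: ({0x5}, "all DHCP servers"),    # FF05::1:3
    0x101: (None, "all NTP servers"),
}


def classify_multicast(text: str) -> dict:
    """Split an IPv6 multicast address into flags, scope and group id; name it if well known."""
    addr = ipaddress.IPv6Address(text)
    if not addr.is_multicast:
        raise ValueError(f"{addr} is not multicast (FF00::/8)")
    n = int(addr)
    flags = (n >> 116) & 0xF          # bits 8-11 (0RPT); T=1 marks a transient, not well-known, group
    scope = (n >> 112) & 0xF          # bits 12-15
    group = n & ((1 << 112) - 1)      # remaining 112 bits
    info = {"address": addr.compressed, "transient": bool(flags & 0x1),
            "scope": SCOPES.get(scope, f"unassigned (0x{scope:X})"), "group_id": group, "name": None}
    if not info["transient"] and group in WELL_KNOWN:
        scopes, name = WELL_KNOWN[group]
        if scopes is None or scope in scopes:
            info["name"] = name
    return info


def may_cross_router(text: str) -> bool:
    """Interface-local and link-local groups must never be forwarded by a router."""
    return classify_multicast(text)["scope"] not in ("interface-local", "link-local")


if __name__ == "__main__":
    for a in ("FF01::101", "FF02::101", "FF05::101", "FF0E::101", "FF02::1:2", "FF12::1"):
        i = classify_multicast(a)
        print(f"{a:<10} scope={i['scope']:<16} name={i['name']} forwardable={may_cross_router(a)}")
```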
11. Fortinet IPv6 Strategy
• Feature parity on all functions with IPv4 and IPv6 on higher layers
• Application unaware whether it runs on IPv4 or IPv6
• IPv6 firewalling integrated for 3+ years
• Stepwise extension to complete functionality on IPv6
• Almost completed now
12. Today implemented for IPv4 & IPv6
• Stateful Firewalling and Routing
• Service objects (e.g. ICMPv6), IPv6 address objects
• Dynamic Routing, OSPF / RIP / BGP
• AntiVirus Scanning
• http(s), ftp, smtp(s), imap(s), pop3(s), Instant-Messaging, nntp
• Intrusion Prevention
• Signature based IPS/IDS and DoS-Protection
• URL Filtering
• Data Leak Prevention
• Management of the device via IPv6
• e.g. SSH or HTTPS via IPv6 for device management
13. Today implemented for IPv4 & IPv6
• Bandwidth Management
• Shaping, QoS
• IPSec (IKEv1 & IKEv2)
• DNS (AAAA Record)
• IPv4 over IPv6 Tunneling
• IPv6 over IPv4 Tunneling (e.g. tunnel brokers like SixXS)
• SIP ALG (Application Gateway)
• Carrier-grade SIP-ALG: SIP fuzzing protection, pinholing, rate control etc.
• Application Control
• Logging and Reporting of data traffic, Reporting on FortiAnalyzer
14. Protection on all Layers - UTM
• Combined Methods on different layers
• Allow, but don’t trust all applications
• Content of the application
• Support for IPv4 and IPv6
15. Forehand Planning is the key
• Vision for the business or the adoption driver
• IPv6 Training
• IP architecture that supports the vision -> IPv6 addressing scheme + design
• Evaluate infrastructure readiness to support the IPv6 implementation of the architecture
• Drive requirements and define purchasing strategy
• Align with other initiatives to accelerate readiness
• Define timeline
Overnight Adoption is Limiting and Expensive