6sense - Generating New Possibilities in the New Internet.
AUGUST 2004
Volume 1 Number 5
 

This August 04 issue of 6Sense, the newsletter by and for the global IPv6 community, is our shortest of the year because this is the big vacation month for our community. It includes a friendly, relatively painless introduction to IPv6 mobility by IPv6 Summit staffer Chris Harz, my observations on the emerging leaders in IPv6, and Doug Roberts' succinct overview of IPSec. As always, if you want to submit an article, please contact me at alex@usipv6.com, and if you want to be removed from the 6Sense list, click here.

Alex Lightman, Publisher

 

The Next IPv6 Summit

Reston, VA - Plans are underway for the next US IPv6 Summit, to be held December 9 & 10 at the Hyatt Regency Hotel in Reston, Virginia. The hotel is conveniently located just 15 minutes from Washington Dulles Airport and 30 minutes from downtown Washington, DC. The Hyatt Regency is newly renovated with spacious meeting space and complete wireless connectivity in the atrium and sleeping rooms. For our attendees who will be commuting to the area, parking at the hotel is free.

The Hyatt Regency is located in the Reston Town Center, a beautiful area filled with shops, restaurants, and during the winter, an ice skating rink. In addition to the on-site dining offered by the hotel, over 10 restaurants are within walking distance.

The US IPv6 Summit is expected to be our biggest summit yet, with exhibitors already confirming sponsorships and attendees inquiring about dates. We plan to sell all our attendee passes and all our exhibit sponsorships.

This year we are doing things a little differently for our exhibitors. We are very excited to have introduced different levels of sponsorship to accommodate both large and small companies, as well as non-profits. For details about how to sponsor the US IPv6 Summit please visit our website at: http://www.usipv6.com/sponsorships.

Our attendees can count on hearing what we believe to be the most valuable speakers in the world IPv6 community presenting a myriad of topics with updated information for global discussions of IPv6. If you would like to learn more about attending the US IPv6 conference, please visit our website at: http://www.usipv6.com.

Thank you and we look forward to seeing you in December!


 

Internet Protocol Security (IPSec)
by Doug Roberts, Interpeak, Inc.

During the recently held USIPv6 Summit, Interpeak's co-founder and CTO Lennart Bang discussed the role of IPSec within the context of IPv6. This presentation can be viewed here [PDF].

IPSec enables the setup of virtual private networks (VPNs), secure mobile communications by way of Mobile IP, and other dedicated private communications.

Lennart covered the typical aspects of IPSec, including:

  • Tunnel (network to network security) and transport (end to end security) modes

  • Authentication Header (AH) and Encapsulating Security Payload (ESP)

  • Mandatory for IPv6 and optional for IPv4

  • Protection for:

    • Authentication (MD5, SHA-1, RIPEMD)

    • Private Data - encryption (DES, 3DES, CAST-128, BLOWFISH, AES, NULL)

    • Integrity Checking

    • Replay Protection

Given where IPSec sits in the TCP/IP stack, squarely in the IP layer, an efficient implementation is critical in the absence of any IPSec hardware acceleration. Interpeak's TCP/IP stack, called IPNET, includes IPSec, and the IPSec module supports both hardware acceleration and a software implementation for when product manufacturing costs are to be kept low. Moreover, IPNET is implemented as a true dual IPv4/IPv6 stack, with common transports (TCP and UDP) shared across the common IPv4/v6 layer. In other words, IPNET is implemented as a single stack and the IPSec module can handle interleaved IPv4 and IPv6 packet flows.

Key Exchange
A Security Association (SA) is defined for a particular communication and is kept in the SA database (SADB) within the IP layer. SAs define the selected algorithms and keys used for a particular communication session. These SAs can be established manually or automatically through a network application for key exchange. Not all implementers elect to use the IETF standard, known as Internet Key Exchange (IKE), so a useful feature of IPSec is to provide a standard API. The IETF has one called PF_KEYv2, which is incorporated within IPNET. PF_KEY defines socket extensions usable by various applications to set up IPSec's SAs.

Good security assumes that the keys are updated often during the communication session. Interpeak's IKE not only does this, but does so in advance of the key expiring, sparing a period of inactivity while a new key is negotiated.

Security Policies
At this point we can set up a security association and automatically establish digital keys to be used by the authentication and encryption algorithms. Ok, so what actually happens?

A Security Policy (SP) is defined for a particular SA. This amounts to selecting what to let pass into the system and what to block. A Security Policy can:

  • Bypass and not process any AH and ESP options

  • Apply AH and ESP processing to the packet

  • Discard the packet

  • Trigger automatic key exchange setup, such as with IKE
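
The outbound decision described in the Key Exchange and Security Policies sections, as an added example (not code from Interpeak or IPNET): a first-match policy table selects bypass, discard or protect for interleaved IPv4 and IPv6 flows, and a protected flow with no usable SA asks key exchange for one. The names `Policy`, `SA` and `outbound`, the soft/hard lifetime split, the SADB keyed by policy index and the fail-closed default are assumptions; the addresses are documentation prefixes.

```python
import ipaddress
from dataclasses import dataclass

BYPASS, PROTECT, DISCARD = "bypass", "protect", "discard"

@dataclass
class Policy:                 # one security policy: selector -> action
    src: str                  # source prefix, IPv4 or IPv6
    dst: str                  # destination prefix
    action: str

@dataclass
class SA:                     # one security association (SADB entry)
    spi: int
    algos: str
    created: float
    soft: float               # age (s) at which a rekey should start
    hard: float               # age (s) at which the SA must not be used

def _match(prefix, addr):
    net, ip = ipaddress.ip_network(prefix), ipaddress.ip_address(addr)
    return net.version == ip.version and ip in net

def outbound(spd, sadb, src, dst, now):
    """Return (verdict, sa) for one outbound packet; first matching policy wins."""
    for idx, pol in enumerate(spd):
        if _match(pol.src, src) and _match(pol.dst, dst):
            break
    else:
        return DISCARD, None              # assumption: no policy means fail closed
    if pol.action != PROTECT:
        return pol.action, None           # bypass or discard, no AH/ESP work
    sa = sadb.get(idx)                    # assumption: SADB keyed by policy index
    if sa is None or now - sa.created >= sa.hard:
        return "acquire", None            # hold packet, ask key exchange (e.g. IKE)
    if now - sa.created >= sa.soft:
        return "protect+rekey", sa        # usable, but renegotiate before expiry
    return PROTECT, sa

# Constructed sample tables using documentation prefixes.
SPD = [
    Policy("2001:db8:1::/48", "2001:db8:2::/48", PROTECT),
    Policy("192.0.2.0/24", "198.51.100.0/24", PROTECT),
    Policy("::/0", "2001:db8:ffff::53/128", BYPASS),
    Policy("0.0.0.0/0", "203.0.113.0/24", DISCARD),
]
SADB = {0: SA(0x1001, "esp: aes + hmac-sha1", created=0.0, soft=3000.0, hard=3600.0)}

if __name__ == "__main__":
    for t in (100, 3100, 3600):
        print(t, outbound(SPD, SADB, "2001:db8:1::10", "2001:db8:2::20", t)[0])
    print(outbound(SPD, SADB, "192.0.2.5", "198.51.100.7", 100)[0])
```

The "protect+rekey" verdict corresponds to renewing the key in advance of expiry, so traffic never waits on a negotiation; "acquire" is the case where it would have to.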

Other Security
As useful as IPSec is, other applications require alternate solutions.

  • Secure Sockets Layer (SSL) for secure web transactions

  • Secure Shell (SSH) for secure terminal sessions and file transfer

  • SNMPv3 for securely managing network elements

  • Firewall for dynamically opening and closing network ports

In the generalized network element, one, two or all of these methods may be required.

Clearly, in the presence of IPv6, whatever security solution is called for must function over both IPv4 and IPv6. Given that IPv6 defines socket extensions, applications should seamlessly use these extensions. For example:

  • A secure web server over TCP/IPv6

  • Telnet fred, where the DNS client and server know about AAAA records and return the correct IPv6 address

  • Stateful firewall, where a port passes a response packet through to the requester application and then closes the port to any additional packets


An Introduction to IPv6 Mobility
by Chris Harz

Most of the IPv6 community consists of network professionals who enjoy highly detailed articulations of IPv6 functions that can seem obnubilatory to the rest of us (I've always suspected that's why they use so many clouds in their PowerPoints). This article is for the rest of us - an introduction to some of the benefits of the New Internet.

First, let's address the need for having a mobile Internet. The number of mobile devices in the world is mushrooming - there are close to 1.5 billion of them already. The trend is for more and more of these to use packet switching instead of being circuit switched, so that IP-based communications looks like it will dominate the future.

The problem with using the Internet for all these devices is that they move around a lot, and the Internet is not really set up for that - the old Internet (version 4) essentially assumes that any user (or node) is always attached at the same point in space - which is identified by its IP address. If the node packs up and moves away, datagrams for that user will still go to the same place - reaching a dead end. Only if the user notifies the system that he has a new address (and goes through the re-initialization rituals) will he/she be able to get datagrams routed there. The kind of seamless mobility that cellphone users expect when they move from town to town or country to country is not readily possible with the old Internet.

It was for just that type of seamless mobility that Mobile IPv6, or MIPv6, was developed, to allow the user to leave home but still retain his/her connections and bona fides while traveling. The way this works is that a traveling user sends information about his/her location to a home agent (a special router) on the home link. Thereafter the home agent intercepts messages meant for the user, and instead of letting them be sent via the user's ISP to the (now empty) home address point, it redirects these messages to the new location.

This mechanism is transparent to any and all applications the user may be employing, as it is handled purely at the IP layer (level 3), so no new versions of applications need to be developed to make this function. Since the user still has the same home address, the application keeps using that for its traffic management.

What happens under Mobile IPv6 is that the user gets a so-called "care-of address" whenever he/she attaches to the Internet at a new location while traveling. The user thus has a second, temporary address which identifies where he/she currently is. The home agent gets updates on these temporary addresses and redirects mail for the user to them. The association of the home address of a mobile user with a particular care-of address, along with the remaining lifetime of that association, is called binding. Registering your care-of address with your home agent is home registration.

How does the mobile user get his/her care-of address? While traveling, he/she will bump into the nearest local router, which is sending news of its presence via so-called router advertisements. The user then automatically gets a care-of address that relates to this router and incorporates some of its ID - this is "stateless address autoconfiguration" (the address can also be assigned by a DHCP server, for "stateful address autoconfiguration").

As soon as the user's terminal has attached itself to the new router, it notifies the home agent of this (with a "binding update") and the home agent gives it a thumbs-up (with a "binding acknowledgement"). After this, the mobile user sends packets directly to desired correspondent destinations. The source address on each packet is set to the care-of address, but also includes the home address, so the correspondent node (whom the user is sending the packet to) can send return packets to the home address, from which they get re-routed to the mobile user, in a type of rough triangle. To speed things up, the mobile user can send a binding update to the correspondent node, after which the two can communicate directly back and forth.

As soon as the mobile user's terminal notes that it has received no router advertisements for a while, it can assume that this default router is no longer available, and choose another router from which it is getting advertisements. The user thus goes through areas "discovering" routers to communicate with. As soon as the user's equipment detects the new router, it sends a binding update to its home agent and to any correspondent nodes with which it wants to stay in direct touch (which will have the user in a binding update list, to keep track of current location). In this sense, the mobile user's terminal is also advertising its presence - it could be stationary and have a series of mobile routers come by and discover it, one after the other.
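
The home agent's side of the exchange described above, as an added example that is not part of the original article: a binding cache that accepts binding updates, redirects packets to the current care-of address, and falls back to normal delivery when the binding's lifetime runs out. The class and method names and the status strings are assumptions; the sequence-number check against stale or replayed updates goes beyond the article and follows the Mobile IPv6 specification's 16-bit wrap-around comparison.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    care_of: str
    expires: float   # absolute time at which the binding stops being valid
    seq: int         # sequence number of the last accepted binding update

class HomeAgent:
    def __init__(self):
        self.cache = {}   # home address -> Binding

    def binding_update(self, home, care_of, lifetime, seq, now):
        """Process one binding update; return the acknowledgement status."""
        old = self.cache.get(home)
        # A live binding only accepts a newer sequence number (modulo 2**16),
        # so a delayed or replayed update cannot move traffic to an old location.
        if old and old.expires > now and not 0 < (seq - old.seq) % 65536 < 32768:
            return "rejected: sequence out of window"
        if lifetime == 0 or care_of == home:     # the user is back on the home link
            self.cache.pop(home, None)
            return "accepted: deregistered"
        self.cache[home] = Binding(care_of, now + lifetime, seq)
        return "accepted"

    def next_hop(self, dst, now):
        """Decide where a packet addressed to dst goes."""
        b = self.cache.get(dst)
        if b and b.expires > now:
            return ("tunnel", b.care_of)         # intercept and redirect
        self.cache.pop(dst, None)                # expired binding: forget it
        return ("deliver", dst)                  # normal delivery on the home link

# Constructed addresses from the IPv6 documentation prefix.
HOME, COA1, COA2 = "2001:db8:a::1", "2001:db8:b::1", "2001:db8:c::1"

if __name__ == "__main__":
    ha = HomeAgent()
    print(ha.binding_update(HOME, COA1, 600, 1, now=0), ha.next_hop(HOME, 10))
    print(ha.binding_update(HOME, COA2, 600, 2, now=100), ha.next_hop(HOME, 110))
    print(ha.binding_update(HOME, COA1, 600, 1, now=120), ha.next_hop(HOME, 130))
    print(ha.next_hop(HOME, 701))
```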

Next we'll explore how IPv6 "link local" communications in an area function, and how they can be used for applications such as "walled garden" theme parks or other forms of location based entertainment.


The Other Next Generation Aspect of IPv6:
New Leaders in Industry and Government Step Up and Swing for the Fences
by Alex Lightman, CEO, IPv6 Summit, Inc.

John Maxwell, in his best-selling book The 21 Irrefutable Laws of Leadership, says that the 20th law is The Law of Explosive Growth: To add growth, lead followers - to multiply, lead leaders. In August 2004 we are seeing the emergence of new leaders in IPv6, in government and industry, even in the midst of what looks like a very quiet month. We in the IPv6 community will succeed to the extent that we create and support successful, flexible leaders. Here are my picks for people worthy of widespread support. Who would you add to this? Feel free to write and tell me at alex@usipv6.com and I'll summarize in the Sept. 6Sense.

August starts off with a productive week for IPv6, with several sessions at the Internet Engineering Task Force (IETF) just completed at the Sheraton near San Diego Airport. The rest of the month will be the quiet before the storm, as key players in industry, military, and homeland security take vacations, knowing that when they return the transition to IPv6 will get seriously underway in the USA and its Coalition Partners. The DISA IPv6 Transition Office has developed a great logo, which we hope to get authorization to show in the next 6Sense, as well as a logo for the 6Star Partner Program that will recognize the many and diverse contributions of companies, universities, and nonprofits to the further development and diffusion of IPv6.

While the DoD has tracked IPv6 internally and has not needed outside prompting, and as the work of the IETF moves forward in defining the IPv6 standard, the IPv6 Forum starts to wind down. Credited with bringing IPv6's existence to the attention of large companies and to civilian government agencies, the receding IPv6 Forum makes way for a new generation of IPv6 leaders to emerge. The initial leaders of IPv6 worked inside companies adding IPv6 to their hardware, especially routers, and, to a lesser extent, software and communications offerings. The original pioneers have done their work cheerleading and briefing less technical officials with "big picture" advantages for America and other countries. Now the next generation of IPv6 leadership will turn to those who will define and design the vast networks for IPv6. These new IPv6 leaders include:

Dr. Charles (Chuck) Lynch, Director of the Defense Information Systems Agency (DISA) IPv6 Transition Office and one of the first (perhaps the only) people in the US government funded and authorized to focus on the broader DoD IPv6 transition - and the co-author (with his Eagle Scout son) of the proposal to the Boy Scouts of America to add a merit badge for Internet skill(!).

Dr. Osama Mowafi, CTO of SI International (Nasdaq: SINT), leader of the team that received the first US government contract for IPv6 and, as one of the invisible visionaries of the future transition to ubiquitous IPv6 deployment, one of the few people to have to crunch the numbers on how many trillions of v6 addresses will be needed for all imaginable government and other needs.

John Crain, Chief Technical Officer (CTO) of the Internet Corporation for Assigned Names and Numbers, who will be managing ICANN's upgrading of the root servers for IPv6 over the next six months (I asked if he would do it sooner - he said things were working fine now and it was important not to "tear" anything, and that adding v6 carefully was essential).

Leigh Huang, Program Manager in the Windows Networking and Device Technologies Group at Microsoft, who is leading both the internal and external IPv6 initiatives at the company that - let's face it - will have the greatest single impact on the quality, quantity, and velocity of IPv6 implementations related to PC users. As 6Wi-Fi comes to market, Leigh's experience as an 802.11 entrepreneur and her MIT network will also serve her well.

Some of the original IPv6 pioneers are still leading the community into the future while balancing commercial challenges, while opening the door for new leaders. Nokia deserves special kudos for supporting highly dedicated professionals, like IETF IPv6 Working Group co-chair Robert Hinden; IPv6 ad hoc networking guru Charles Perkins; and mobile phone innovator and Research Manager John Loughney, all of whom share their hard won experience with the IPv6 community. Nokia's Head of International Cooperation, Dr. Mikko Uusitalo is, by stroke of good fortune, chairman of the World Wireless Research Forum, as well as a supporter of IPv6 and the only WWRF official to present at an IPv6 Summit.

Wish these eight the best of luck: on their shoulders (and that of their colleagues) rides the success of IPv6 in the US. If they ask for help, give it to them if you want to accelerate the IPv6 transition. A sneak peek into 6Star possibilities: start thinking about viral applications that will get IPv6 addresses out there, and see if you can do better than Microsoft's http://www.threedegrees.com. And again, feel free to write me at alex@usipv6.com and tell me who you think the emerging leaders of IPv6 are, and why you admire them.


 

PRODUCED BY:
IPv6 Summit, Inc.

All rights reserved. Views expressed here are solely those of the authors and/or their employers and do not necessarily reflect the perspective of IPv6 Summit, Inc.

If you would like to submit an article for consideration, please email newsletter@usipv6.com for submission details.

© 2004 6sense. All Rights Reserved. 6sense Newsletter published by IPv6 Summit, Inc.