This August 04 issue
of 6Sense, the newsletter by and for the global
IPv6 community is our shortest of the year because
this is the big vacation month for our community.
It includes a friendly, relatively painless introduction
to IPv6 mobility by IPv6 Summit staffer Chris
Harz, my observations on the emerging
leaders in IPv6, and Doug Roberts' succinct overview
of IPSec. As always if you want to submit an article,
please contact me at email@example.com
and if you want to be removed from the 6Sense list
Next IPv6 Summit
VA - Plans are underway for the next US IPv6 Summit
to be held December 9 & 10 at the Hyatt Regency
Hotel in Reston Virginia. The hotel is conveniently
located just 15 minutes from Washington Dulles Airport
and 30 minutes from downtown Washington, DC. The Hyatt
Regency is newly renovated with spacious meeting space
and complete wireless connectivity in the atrium and
sleeping rooms. For our attendees who will be commuting
to the area, parking at the hotel is free.
The Hyatt Regency is located in the Reston Town Center,
a beautiful area filled with shops, restaurants, and
during the winter, an ice skating rink. In addition
to the on-site dining offered by the hotel, over 10
restaurants are within walking distance.
The US IPv6 Summit is expected to be our biggest
summit yet! With exhibitors already confirming sponsorships
and attendees inquiring about dates. We plan to sell
all our attendee passes and all our exhibit sponsorships.
This year we are doing things a little different
for our exhibitors. We are very excited to have introduced
different levels of sponsorship to accommodate both
large and small companies, as well as non-profit.
For details about how to sponsor the US IPv6 Summit
please visit our website at: http://www.usipv6.com/sponsorships.
Our attendees can count on hearing what we believe
to be the most valuable speakers in the world IPv6
community presenting a myriad of topics with updated
information for global discussions of IPv6. If you
would like to learn more about attending the US IPv6
conference, please visit our website at: http://www.usipv6.com.
Thank you and we look forward to seeing you in December!
and Travel Details | Sponsorship
Protocol Security (IPSec)
Doug Roberts, Interpeak, Inc.
During the recently held USIPv6 Summit, Interpeak's
co-founder and CTO Lennart Bang discussed the role
of IPSec within the context of IPv6. This presentation
can be viewed
IPSec enables the set up of virtual private networks
(VPNs), secure mobile communications by way of Mobile
IP and other dedicated private communications.
Lennart covered the typical aspects of IPSec, including:
Given where IPSec sits in the TCP/IP stack, squarely
in the IP layer, an efficient implementation is critical
in the absence of any IPSec hardware acceleration.
Interpeak's TCP/IP stack, called IPNET, includes IPSec
and the IPSec module supports both hardware acceleration
and a software implementation, when product manufacturing
costs are to be kept low. Moreover, IPNET is implemented
as a true dual IPv4 IPv6 stack, with common transports
(TCP and UDP) shared between the common IPv4/v6 layer.
In other words, IPNET is implemented as a single stack
and the IPSec module can handle interleaved IPv4 and
IPv6 packet flows.
A Security Association (SA) is defined for a particular
communication and is kept in the SA data base (SADB)
within the IP layer. SAs define the selected algorithms
and keys used for a particular communication session.
These SAs can be established manually or automatically
through a network application for key exchange. Not
all implementers elect to use the IETF standard, known
as Internet Key Exchange (IKE) so a useful feature
of IPSec is to provide a standard API. IETF has one
called PF_Keyv2 and is incorporated within IPNET.
PF_Key defines socket extensions useable by various
applications to set up IPSec's SAs.
Good security assumes that the keys are updated often
during the communication session. Interpeak's IKE
not only does this, but does so in advance of the
key expiring, sparing a period of inactivity while
a new key is negotiated.
At this point we can set up a security association
and automatically establish digital keys to be used
by the authentication and encryption algorithms. Ok,
so what actually happens?
A Security Policy (SP) is defined for a particular
SA. This amounts to selecting what to let pass into
the system and what to block. A Security Policy can:
Bypass and not process any AH and ESP options
Apply AH and ESP processing to the packet
Discard the packet
Automatic key exchange setup, such as with IKE
As useful as IPSec is, other applications require
Secure Socket Library (SSL) for secure web transaction
Secure Shell (SSH) for secure terminal sessions
and file transfer
SNMPv3 for securely managing network elements
Firewall for dynamically opening and closing
In the generalized network element, one, two or all
of these methods may be required.
Clearly, in the presence of IPv6, whatever security
solution that is called for, it must function over
both IPv4 and IPv6. Given that IPv6 defines socket
extensions, applications should seamlessly use these
extensions. For example:
A secure web server over TCP/IPv6
Telnet fred, where the dns client/server know
about AAAA frames and returns the correct IPv6
Stateful firewall, where a port passes a response
packet through to the requester application and
then closes the port to any additional packets
TO THIS ARTICLE
Introduction to IPv6 Mobility
Most of the IPv6 community consists of network professionals
who enjoy highly detailed articulations of IPv6 functions
that can seem obnubilatory to the rest of us (I've
always suspected that's why they use so many clouds
in their PowerPoints). This article is for the rest
of us - an introduction to some of the benefits of
the New Internet.
First, let's address the need for having a mobile
Internet. The number of mobile devices in the world
is mushrooming - there are close to 1.5 billion of
them already. The trend is for more and more of these
to use packet switching instead of being circuit switched,
so that IP-based communications looks like it will
dominate the future.
The problem with using the Internet for all these
devices is that they move around a lot, and the Internet
is not really set up for that - the old Internet (version
4) essentially assumes that any user (or node) is
always attached at the same point in space - which
is identified by its IP address. If the node packs
up and moves away, datagrams for that user will still
go to the same place - reaching a dead end. Only if
the user notifies the system that he has a new address
(and goes through the re-initialization rituals) will
he/she be able to get datagrams routed there. The
kind of seamless mobility that cellphone users expect
when they move from town to town or country to country
is not readily possible with the old Internet.
It was for just that type of seamless mobility that
Mobile IPv6, or MIPv6, was developed, to allow the
user to leave home but still retain his/her connections
and bonafides while traveling. The way this works
is that a traveling user sends information about his/her
location to a home agent (a special router) on the
home link. Thereafter the home agent intercepts messages
meant for the user, and instead of letting them be
sent via the user's ISP to the (now empty) home address
point, it redirects these messages to the new location.
This mechanism is transparent to any and all applications
the user may be employing, as it is handled purely
at the IP layer (level 3), so no new versions of applications
need to be developed to make this function. Since
the user still has the same home address, the application
keeps using that for its traffic management.
What happens under Mobile IPv6 is that the user gets
a so-called "care-of address" whenever he/she
attaches to the Internet at a new location while traveling.
The user thus has a second, temporary address which
identifies where he/she currently is. The home agent
gets updates on these temporary addresses and redirects
mail for the user to them. The association of the
home address of a mobile user with a particular care-of
address, along with the remaining lifetime of that
association, is called binding. Registering your care-of
address with your home agent is home registration.
How does the mobile user get his/her care-of address?
While traveling, he/she will bump into the nearest
local router, which is sending news of its presence
via so-called router advertisements. The user then
automatically gets a care-of address that relates
to this router and incorporates some of its ID - this
is "stateless address autoconfiguration"
(the address can also be assigned by a DHCP server,
for "stateful address autoconfiguration").
As soon as the user's terminal has attached itself
to the new router, it notifies the home agent of this
(with a "binding update") and the home agent
gives it a thumbs-up (with a "binding acknowledgement").
After this, the mobile user sends packets directly
to desired correspondent destinations. The source
address on each packet is set to the care-of address,
but also includes the home address, so the correspondent
node (whom the user is sending the packet to) can
send return packets to the home address, from which
they get re-routed to the mobile user, in a type of
rough triangle. To speed things up, the mobile user
can send a binding update to the correspondent node,
after which the two can communicate directly back
As soon as the mobile user notes that he/she has
received no router advertisements for a while, it
can assume that this default router is no longer available,
and choose another router from which he/she is getting
advertisements. The user thus goes through areas "discovering"
routers to communicate with. As soon as the user's
equipment detects the new router, it sends a binding
update to its home agent and to any correspondent
nodes with which it wants to stay in direct touch
(which will have the user in a binding update list,
to keep track of current location). In this sense,
the mobile user's terminal is also advertising its
presence - it could be stationary and have a series
of mobile routers come by and discover it, one after
Next we'll explore how IPv6 "link local"
communications in an area function, and how they can
be used for applications such as a "walled garden"
theme parks or other forms of location based entertainment.
TO THIS ARTICLE
The Other Next Generation Aspect of IPv6:
New Leaders in Industry and Government Step Up and
Swing for the Fences
by Alex Lightman,
CEO, IPv6 Summit, Inc.
John Maxwell, in his best-selling book The 21
Irrefutable Laws of Leadership, says that the
20th law is The Law of Explosive Growth: To add growth,
lead followers - to multiply, lead leaders. In August
2004 we are seeing the emergence of new leaders in
IPv6, in government and industry, even in the midst
of what looks like a very quiet month. We in the IPv6
community will succeed to the extent that we create
and support successful, flexible leaders. Here are
my picks for people worthy of widespread support.
Who would you add to this? Feel free to write and
tell me at firstname.lastname@example.org
and I'll summarize in the Sept. 6Sense.
August starts off with a productive week for IPv6,
with several sessions at the Internet Engineering
Task Force (IETF) just completed at the Sheraton near
San Diego Airport. The rest of the month will be the
quiet before the storm, as key players in industry,
military, and homeland security take vacations, knowing
that when they return the transition to IPv6 will
get seriously underway in the USA and its Coalition
Partners. The DISA IPv6 Transition Office has developed
a great logo, which we hope to get authorization to
show in the next 6Sense, as well as a logo for the
6Star Partner Program that will recognize the many
and diverse contributions of companies, universities,
and nonprofits to the further development and diffusion
While the DoD has tracked IPv6 internally and has
not needed outside prompting, and as the work of the
IETF moves forward in defining the IPv6 standard,
the IPv6 Forum starts to wind down. Credited with
bringing IPv6's existence to the attention of large
companies and to civilian government agencies, the
receding IPv6 Forum makes way for a new generation
of IPv6 leaders to emerge. The initial leaders of
IPv6 worked inside companies adding IPv6 to their
hardware, especially routers, and, to a lesser extent,
software and communications offerings. The original
pioneers have done their work cheerleading and briefing
less technical officials with "big picture"
advantages for America and other countries. Now the
next generation of IPv6 leadership will turn to those
who will define and design the vast networks for IPv6.
These new IPv6 leaders include:
Dr. Charles (Chuck) Lynch, Director of the
Defense Information Systems Agency (DISA) IPv6 Transition
Office and the one of the first (perhaps only) person
in the US government funded and authorized to focus
on the broader DoD IPv6 transition - and the co-author
(with his Eagle Scout son) of the proposal to the
Boy Scouts of America to add a merit badge for Internet
Dr. Osama Mowafi, CTO of SI International
(Nasdaq: SINT), leader of the team that received the
first US government contract for IPv6 and, as one
of the invisible visionaries of the future transition
to ubiquitous IPv6 deployment, one of the few people
to have to crunch the numbers on how many trillions
of v6 addresses will be needed for all imaginable
government and other needs.
John Crain, Chief Technical Officer (CTO)
of the Internet Corporation for Assigned Names and
Numbers, who will be managing ICANN's upgrading of
the root servers for IPv6 over the next six months
(I asked if he would do it sooner - he said things
were working fine now and it was important not to
"tear" anything, and that adding v6 carefully
Leigh Huang, Program Manager, Program Manager
in Windows Networking and Device Technologies Group
at Microsoft, who is leading both the internal and
external IPv6 initiatives at the company - let's face
it - that will have the greatest single impact on
the quality, quantity, and velocity of IPv6 implementations
related to PC users. As 6Wi-Fi comes to market, Leigh's
experience as an 802.11 entrepreneur and her MIT network
will also serve her well.
Some of the original IPv6 pioneers are still leading
the community into the future while balancing commercial
challenges, while opening the door for new leaders.
Nokia deserves special kudos for supporting highly
dedicated professionals, like IETF IPv6 Working Group
co-chair Robert Hinden; IPv6 ad hoc networking
guru Charles Perkins; and mobile phone innovator
and Research Manager John Loughney, all of
whom share their hard won experience with the IPv6
community. Nokia's Head of International Cooperation,
Dr. Mikko Uusitalo is, by stroke of good fortune,
chairman of the World Wireless Research Forum, as
well as a supporter of IPv6 and the only WWRF official
to present at an IPv6 Summit.
Wish these eight the best of luck: on their shoulders
(and that of their colleagues) rides the success of
IPv6 in the US. If they ask for help, give it to them
if you want to accelerate the IPv6 transition. A sneak
peek into 6Star possibilities: start thinking about
viral applications that will get IPv6 addresses out
there, and see if you can do better than Microsoft's
And again, feel free to write me at email@example.com
and tell me who you think the emerging leaders of
IPv6 are, and why you admire them.
TO THIS ARTICLE