Archive for August, 2008

IPv6’s Long March

Tuesday, August 26th, 2008

With the thousands of IPv6-controlled lights dimming over the 2008 Olympics, the long march on the road to IPv6 continues as the Olympic IPv6 workout enters history. The early objective of full commercial deployment by 2008 proved elusive, and more realistic goals were set and met with success. Not wasting any time, the starting shot toward commercial deployment followed on the heels of the closing ceremony with the August 25th NDRC announcement urging the vigorous promotion of a commercial trial, an increase in the number of IPv6 trial users to 500,000 by 2010, and the start of mass production of IPv6 equipment. A logical next phase, indeed, as the IPv6-only CNGI covers 40 cities with massive bandwidth but is still underutilized, while the old commercial IPv4 internet is sometimes bursting at the seams. Even in China it takes time for the ISPs to seriously start the transition on their commercial networks.

Exactly five years ago, in August 2003, NDRC launched the bidding process for CNGI, which was deployed a year later and included all major carriers and CERNET, China’s Education and Research Network. It would be prudent to assume that the new objective of 500,000 trial users by 2010 will be achieved; after all, with 210 million internet users, China pole-vaulted past the USA, not to mention that China also holds the number one title in mobile with 560 million subscribers.

Does this mean that the USA is hopelessly behind in IPv6 deployment, as has so often been postulated? Not so sure. Prodded more than a little by the DoD and DoC mandates, and even more so by the 20 billion dollars of Networx contracts, all major ISPs in the USA have announced full commercial support of IPv6 by 2009-2010. The well-publicised Comcast cable network IPv6 deployment, the Bechtel corporate IPv6 initiative and the Archrock sensor network products extend the effort beyond the traditional ISP environment and into the whole ecosystem.

Japan, the undisputed leader in domestic commercial IPv6 deployment and IPv6-enabled end devices, has not yet started a real effort to translate this early advantage into successful export product lines. There is also still a chance that Europe will surprise everybody, as it now offers a most competitive telecom marketplace. A total outsider could even surprise everybody.

The IPv6 finish line could be reached in another four years in London, let the Games continue.

Security Warning: IPv6 Covert Channels

Wednesday, August 20th, 2008

We have recently observed a version of a possibly legitimate application, uTorrent, opening IPv6 attack vectors on Microsoft hosts by automatically enabling IPv6, activating IPv6 tunneling (Teredo in this case), and disabling the host security controls that Microsoft wisely patched in to prevent unsolicited incoming tunnel traffic. Though IPv6 tunneling is a great way to enable peer-to-peer (P2P) and machine-to-machine (M2M) applications that need bi-directional end-to-end (E2E) connections, doing it without proper security controls presents a serious security risk. With a bit of good security engineering, this application could leverage IPv6 tunneling in a less risky manner to provide assured E2E connections, the way Apple does in its “Back to My Mac” application. Since IPv6-capable systems are installed in almost every computer network worldwide, and IPv6 knowledge is becoming more widespread, there has been a recent increase in malicious (or just bad) code that enables IPv6 on a compromised host, creating a potentially undetected channel for an attacker to exploit. Hacker community sites are already offering tools such as relay6, 6tunnel, nt6tunnel, netcat6, VoodooNet, etc. that can be used to create IPv6 covert channels.

The most important risk mitigation step is educating security professionals about the threats and defenses against IPv6-based attacks. After education, Command Information recommends the following steps:

  • Place IPv6-capable guards (firewall, network access control) into critical networks
  • Turn on native (dual stack) IPv6 and turn off IPv6 tunneling through configuration management
  • Audit (DIACAP, FISMA) network infrastructure and computers for IPv6 security compliance
  • Tune an IDS and covert channel detection tools for emerging IPv6 threats (Cloudshield DPI, Snort 3.0, etc.)
  • Change all IA tool acquisition policy to address acquiring IPv6-capable IA tools
  • ‘Blackhole’ traffic going to tunnel endpoints and poison DNS queries for tunnel services in order to prevent unauthorized tunnels from connecting
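The tunnel addresses that the post warns about carry their IPv4 endpoints inside the IPv6 address, so an analyst who finds one in a log can recover the Teredo server, the client’s public IPv4 address and UDP port, or the 6to4 router, and feed those to the blackhole and IDS steps above. The following is an added example written for this page, not Command Information’s code or any of the tools the post names: it decodes Teredo (RFC 4380), 6to4 (RFC 3056) and ISATAP (RFC 5214) addresses, and flags flow records that carry encapsulated IPv6 (IP protocol 41, or UDP on the Teredo port 3544). The address samples and the `proto src sport dst dport` flow format are constructed for the example.

```python
"""Spot tunnelled IPv6 in addresses and flow records (added example)."""
import ipaddress

TEREDO = ipaddress.ip_network("2001::/32")      # Teredo prefix (RFC 4380)
SIXTOFOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix (RFC 3056)
TEREDO_UDP_PORT = 3544                          # Teredo service port
PROTO_IPV6_IN_IPV4 = 41                         # 6to4 / ISATAP / 6in4 encapsulation


def classify_address(text):
    """Describe what an IPv6 address reveals about the tunnel behind it."""
    addr = ipaddress.IPv6Address(text)
    n = int(addr)
    if addr in TEREDO:
        # Layout: bits 32-63 server IPv4, 64-79 flags, 80-95 client UDP port
        # XOR 0xffff, 96-127 client IPv4 XOR 0xffffffff (obfuscated so that a
        # NAT does not rewrite them in transit).
        server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)
        flags = (n >> 48) & 0xFFFF
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {"kind": "teredo", "server": str(server), "client": str(client),
                "client_port": port, "cone_nat": bool(flags & 0x8000)}
    if addr in SIXTOFOUR:
        # 2002:WWXX:YYZZ::/48 -- the 6to4 router's IPv4 address sits in bits 16-47.
        router = ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
        return {"kind": "6to4", "router": str(router)}
    iid = n & 0xFFFFFFFFFFFFFFFF
    # ISATAP interface id: 0000:5efe or 0200:5efe (u/g bit set) then the IPv4 address.
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:
        host = ipaddress.IPv4Address(iid & 0xFFFFFFFF)
        return {"kind": "isatap", "host": str(host)}
    return {"kind": "native"}


def suspicious_flows(records):
    """Return (record, reason) for flow lines that carry encapsulated IPv6.

    Each record is a constructed 'proto src sport dst dport' line.
    """
    hits = []
    for line in records:
        proto, _src, sport, _dst, dport = line.split()
        proto, sport, dport = int(proto), int(sport), int(dport)
        if proto == PROTO_IPV6_IN_IPV4:
            hits.append((line, "ipv6-in-ipv4 (proto 41)"))
        elif proto == 17 and TEREDO_UDP_PORT in (sport, dport):
            hits.append((line, "teredo (udp/3544)"))
    return hits


# Constructed sample flows; 192.88.99.1 is the well-known 6to4 anycast relay.
SAMPLE_FLOWS = [
    "6 192.0.2.10 51234 198.51.100.5 443",    # ordinary HTTPS
    "17 192.0.2.10 52381 203.0.113.7 3544",   # host talking to a Teredo server
    "41 192.0.2.20 0 192.88.99.1 0",          # 6to4 encapsulation to the relay
    "17 192.0.2.30 53 198.51.100.9 53",       # DNS
]

if __name__ == "__main__":
    # Sample Teredo address in the RFC 4380 layout (constructed for the example).
    for sample in ("2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "2002:c000:204::1", "fe80::5efe:c000:20a", "2001:db8::1"):
        print(sample, "->", classify_address(sample))
    for record, reason in suspicious_flows(SAMPLE_FLOWS):
        print("FLAG", reason, ":", record)
```

The flow check is deliberately crude: it matches only the two encapsulations the post is concerned with, so a real deployment would wire the same two conditions into the IDS rules mentioned above rather than run a script over exports.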

China, IPv6, and the 2008 Olympics

Tuesday, August 12th, 2008

You may have heard about China showcasing their IPv6 network at the 2008 Olympics with streaming video, network surveillance cameras, and other IPv6-based applications. So you understand what’s going on, here’s a few key points on the Olympics and IPv6:

  • In 2003, before the US government launched IPv6 as an “unfunded mandate”, the National Development Reform Commission (NDRC) launched China’s IPv6 program by setting up the China Next-generation Internet (CNGI) program with initial funding of 1.4 billion yuan (US$169 million) to support development of the IPv6 next-generation Internet networks
  • The goal of China Next-Generation Internet (CNGI) program launched in 2003 was to “establish the world’s biggest IPv6 network as soon as possible.”
  • China Mobile Communications Corporation (China Mobile), China Netcom Corporation (China Netcom), China Telecommunications Corporation (China Telecom) and China United Telecommunications Co., Ltd. (China Unicom) finished the CNGI IPv6 backbone in 2006, covering 39 network nodes in 20 cities nationwide.
  • China Education and Research Network 2 (CERNET2) (Similar to the US Internet2) is the first major research network built from the ground up with native Internet Protocol Version 6 (IPv6) technology. CERNET2 connects more than 200 universities and government institutions
  • In CERNET2 and CNGI, half of the key equipment, including routers, was provided by Chinese telecom equipment makers Huawei Technologies and Tsinghua Bit-Way.
  • CNGI’s backbone, wireless hotspots, and mobile wireless IPv6 networks will be put into use and showcased heavily during 2008 Olympics Games.
  • China, the biggest country by population in the world, is an active advocate of IPv6, to meet the demand of its fast-growing online economy.
  • China wants to leverage IPv6 Internet technology to become an innovator in the information technology market

Some key applications you can see deployed (my analysis):

  • IPv6 Surveillance Cameras: IPv6 network cameras attach to a network just like a computer. IPv6 autoconfiguration automatically sets up the IP address and routing, and powerful Zero-Configuration (Zeroconf) software automates the camera setup and the discovery of video streams so they can be viewed by a web browser or surveillance software. IPv6-based cameras are much easier to install than the older analog CCTV cameras, and can require less administration and fewer network services than the first generation of IPv4-based cameras. The cameras are all connected using standard Ethernet cable or wireless LAN connections. IPv6-based multicasting via MPEG transmission over Real Time Protocol (RTP) allows multiple users to simultaneously view and share the camera output over the global Internet, while IPsec encryption ensures that only authorized viewers can access the cameras.
  • IPv6 IPTV: IPv6 multicast is a powerful new tool for global IPTV broadcast. Each network or site can broadcast up to 4.3 billion content streams globally. Unlike older unicast technology that required huge server farms and high-capacity network connections to send video streams, multicasting allows even simple computers like laptops and network capable cameras to stream to millions of viewers. As IPv4 addresses are exhausted and the migration to IPv6 is forced, IPTV systems that are both IPv4 and IPv6-capable (dual stacked) will be the only systems capable of reaching the entire global audience.
  • Automated Lights, Sensors, Controllers: Certain lights and systems at the Olympic park have been automated with a LonWorks network of controllers. Though LonWorks itself is not IPv6 capable, an application gateway / web server has been hooked to the LonWorks controller to create IPv6 web services interfaces to the controller system. The gateway proxies web-services commands sent via IPv6 into the LonWorks networking protocol and commands. The LonWorks-IPv6 gateway allows the automation system to be used as web service SOA-like components for building other applications and control dashboards.
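The “autoconfiguration automatically sets up the IP address” point above is worth seeing in code, because it is also how an operator can predict which addresses a fleet of cameras will take before they are plugged in. The block below is an added example for this page, not code from the Olympic deployment or from any camera vendor: it derives the modified EUI-64 interface identifier from a MAC address (RFC 4291, Appendix A), forms the link-local and prefix-based SLAAC addresses a camera would self-assign, and computes the solicited-node multicast group that Neighbor Discovery uses for it. The MAC addresses and the `2001:db8:cafe:1::/64` prefix are constructed for the example.

```python
"""Predict SLAAC addresses for known hardware (added example)."""
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe between the OUI and the
    device half, then flip the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def slaac_address(prefix, mac):
    """Address a host forms by stateless autoconfiguration in a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac):
    """fe80::/64 address the host has even with no router on the segment."""
    return slaac_address("fe80::/64", mac)


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX built from the low 24 bits; the group a node joins so
    that neighbours can resolve its address with Neighbor Discovery."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def expected_inventory(prefix, macs):
    """Map each camera MAC (constructed list) to the addresses an operator
    should expect to see for it: link-local, global SLAAC, ND group."""
    table = {}
    for mac in macs:
        glob = slaac_address(prefix, mac)
        table[mac] = {
            "link_local": str(link_local_address(mac)),
            "global": str(glob),
            "solicited_node": str(solicited_node_multicast(glob)),
        }
    return table


if __name__ == "__main__":
    cameras = ["00:1b:21:0a:0b:0c", "00-1b-21-0a-0b-0d"]   # constructed MACs
    for mac, addrs in expected_inventory("2001:db8:cafe:1::/64", cameras).items():
        print(mac, addrs)
```

Comparing the table this produces with what the cameras actually advertise is a cheap inventory check: an address that does not match any expected EUI-64 identifier is either a privacy address (RFC 4941) or a device that should not be on the camera segment.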

Taiwan, Apricot, and IPv6

Wednesday, August 6th, 2008

In the last week of February, I visited Taiwan for the Apricot conference, talking about IPv6 deployment and Internet technology in general. The gentleman who invited me wanted me to convince the government to turn off IPv4 and turn on IPv6; in fact, I spoke with various people, including some of the premier schools in Taiwan, about turning on IPv6.

NCKU backbone network

The reason for doing so is apparent. As has been widely reported, the IANA will give the last of the IPv4 address pool to the RIRs in 2009, and in 2010 - 2011 we are likely to see it deployed in business. That means that companies are increasingly weighing their options. One tells me they will simply find addresses that aren’t advertised and use them without permission. Others say that they expect to trade IPv4 address space as a commodity. Still others plan to deploy IPv6 because it is a long-term solution that gives them more addresses. I support long-term thinking about business for the obvious reason; they will spend the money eventually, so why waste money trying to delay what I consider inevitable?

Not that I consider IPv6 to be a perfect solution. Product support is mixed, address management policy still doesn’t address multihoming and its impact on the route table, and we have not solved the traffic engineering issues any better than in IPv4. We’re still working on those (and invite collaboration). But I think IPv6 is, in fact, the best option on the table - far better than the layered NAT solutions some propose - for getting more addresses.

This week, I made the front page of the New York Times; I had exchanged email with the reporter from Taipei, and told him about broadband capacity and prices in Europe and Asia. Business requires two fundamental resources to encourage innovation: addresses with which to deploy new toys, and capacity to support their applications. The story’s crux is one I largely agree with: if we don’t at least keep up with the rest of the world in giving ourselves the tools to remain competitive, we will, in time, fall behind competitively. In the US, we are behind now, significantly. Another time, I will talk about Fiber to the Home (or at least the curb, with Ethernet to the home), and why that is important.

But for now, turning on IPv6 in our IPv4 networks and applications is something we should do. We need to work through the deployment issues and get it turned on and in use, so that we don’t lose ground in the years to come.

Show me the money!

Wednesday, August 6th, 2008

That famous line from Jerry Maguire seems to come at me almost every week from at least one of my students. Why, you ask? Because everyone in class wants to know whether studying for and getting their CCNA certification will make them more money, and help their careers, in the short and long term.

I can’t say whether you’ll make more money in your current job, or if getting your CCNA certification will help you get a new job, but having the letters CCNA on your resume can only help in your hunt for a new position, or assist you getting a better job than you have now.

Still, when looking for a new position you may not have any experience in networking other than your CCNA certification, but having this premier certification sure looks good if you’re searching for a job in IT or as a network administrator in any number of industries (especially the finance or health care sectors).

If you’re thinking about getting your CCNA but are still on the fence, take a look at job web sites or your local newspaper to see what jobs are available. And if you’re looking at a career path in Information Technology, you won’t find one with a more defined line for advancement and diversity of education. I know that there are more computer industry certifications out there than you can shake a stick at, but networking, especially the Cisco course curriculum, is one that is solid and very well respected in the Information Technology industry and by many corporations and enterprises. There are now three new CCNA disciplines that can hone your skills on the fastest growing parts of the IT industry, which include security, wireless and voice over IP technologies.

So, take a peek at Dice, Monster, your local jobs wanted web site and even the U.S. Department of Labor, to see what you could be worth.

If you haven’t heard about it, take your browser over to Glass Door, an interesting site that tells what actual people make in the computer field and what they think about working in the industry and at their company (and even includes how much they are paid to do their job).

In one of my previous posts I talk about how I got to where I am today in the industry, but there’s another blog post on this site that can show you how getting your Cisco certification can enhance your career, what jobs each Cisco certification can help you get, and even how much you can expect to make with each certification (with some experience in a networking position).

What will you see from all this web surfing? That if you buckle down and get a Cisco certification you have a better than average chance of making more money and having a better than average, and more enjoyable, job experience. Not to mention a great potential career path. So, what are you waiting for? Get cracking!