IPv6

Dec. 2, 2011
Get Ready for the Transition…and Avoid Becoming Obsolete

Much of our current thinking about networking for physical security systems lags behind the advances of technology. Because advancements come more rapidly every year, it is no longer sufficient to base our thinking on “the latest technology.”
We have to take technology trends into account if we wish to deploy systems that will have useful lives of 5 to 10 years, and which can use and be used by new technology as it arrives in the coming decade.
In the late 1990s, there was much activity in the Internet standards community. The dot-com boom was rolling, use of the Internet was expanding, and commerce-based cryptography and security standards were just being developed. Many network protocols were devised, refined and/or standardized during this time. Among these was IPv6, the solution to IPv4 address limitation as well as a logical evolution of the Internet for many reasons.
Most of today’s discussions about IPv6 are limited to its new addressing scheme and hardly touch on the network landscape into which IPv6 is expected to be deployed. Understanding the nature of this broader network landscape is critical to keep from deploying or expanding obsolete network designs — because no security end-user wants to be stuck with obsolete or out-of-date technology.

More Devices, Data, Connections and Network Services
A little more than a decade ago, the security industry was connecting sensors, controllers and computers to each other via RS232, RS-485 and coax connections, using mostly proprietary methods. These are now considered “legacy device connections,” because the industry has switched to connecting intelligent devices, controllers and computers (what IT calls network “nodes”) to a common network based on independent standards — where some or none of the nodes have legacy device connections. Thus, networking is an increasingly critical component of electronic physical security systems, and a consequence is that industry trends for computer and networking equipment are rapidly changing the capacities and communication capabilities of our security systems.
Computer and networking technology is evolving at an increasingly rapid rate. For an example that’s easy to relate to, see the graphic on page 38, which depicts trends relating to computer hard drive advances. This graph is similar to network technology trends — except that the impact of computer disk drives is more visible to us than network trends. Notice the steep downward curve of the left-hand side of the graph — this is the cost trend. Notice the steep upward curve of the right-hand side of the graph — this is the capacity/capability trend. At the “We are Here Point” of the graph, we find that our current thinking — after decades of dealing with budget constraints and technology limitations — has not caught up with our actual position. Hard drive costs and capacities are no longer a constraint; in fact, they are more than keeping pace with the increasing data outputs of
multi-megapixel cameras. The number of network nodes (cameras, intercoms, card readers and so on) continues increasing, and although the network technology itself is advancing, our physical security network deployments are not keeping up with modern network practices.
The network infrastructure we deploy or upgrade today must support requirements of both today and tomorrow. Keeping up with those requirements includes establishing network design standards that take into account anticipated network growth for overall capacity and for specific application requirements, like those of high-megapixel security video. The planning is where IPv6 awareness comes into play.

Why Move to IPv6…and When?
There are many technical reasons to move to IPv6, including improved security and mobile device management that will become more important as the use of Internet communications and Internet-based services increases. Business reasons to move to IPv6 will continue to arise as the use of external information systems and cloud-based services continue to develop. At some point, new networked devices will begin using IPv6 as the dominant mechanism to connect to the network.
Although we can predict that IPv6 networking will be a requirement, it is hard to predict exactly when that will impact any particular security system network. Any number of business drivers will influence the timing of partial and then full IPv6 adoption for electronic physical security systems. Those drivers will appear in the IT domain, the Internet domain and the security domain.
In addition, disruptive technology appearing in any one of those domains could provide the impetus for quick IPv6 adoption for the business and for security operations, meaning that being ready for IPv6 adoption is important to you, the security end-user.
If legacy security systems and technologies are not assessed and their upgrade or replacement planned for, security departments can be caught without the budgetary means to implement partial or full IPv6 adoption for perhaps a full annual budget cycle or more.

IPv6 Readiness
Moving to IPv6 is not a sudden, one-shot transition — it is a move that must be planned and synchronized with IT’s plans and technology evolution. All current computer operating system software already supports IPv6, as do most business-class network switches and some security technologies — notably leading network camera brands. There is no reason for anyone to deploy network infrastructure today that is not IPv6-ready. Security executives must also begin transitioning to security technology that is IPv6-ready.
Here’s a sound approach to IPv6 deployment for security systems:
• Establish and maintain IPv6 compatibility in devices, systems and networks (in other words, test IPv6 compatibility as part of deployment).
• Begin using modern IPv4 network design including Domain Name Services (DNS), ZeroConf, network traffic management such as with Quality of Service (QoS), network management through logging and Simple Network Management Protocol (SNMP). These, along with IPv6, are part of the modern network landscape.
• Bring the network’s security in line with modern IT practices — this means using firewalls, policy enforcement devices, Transport Layer Security (TLS), and strong access control through credentialing, including device credentials (digital certificates used to verify the identity of the device connected to the network, including network cameras).
• Migrate to partial and then full IPv6 adoption as IT, business and security drivers warrant.
IPv6 has a complex address format (see below) in which manually managing IP addresses is simply not practical. Furthermore, IPv6 addressing was intended to be automatically managed and to be used with techniques that provide self-configuring networks, in order to lower network management costs and eliminate manual errors as much as possible.
However, IPv6’s use of automatic network configuration, service announcements (ZeroConf) and automatic configuration (UPnP), make some of the hackers’ tasks easier. That makes it even more important to use strong network security. Because these mechanisms reveal the existence of devices and the services they offer, and because these mechanisms are not authenticated, many IPv4 security systems networks (that also have these mechanisms) are more vulnerable than their managers suspect. While implementing network security in IPv4 networks is a good IPv6 readiness step, it is also a critical deployment requirement now.

Support for IPv6 Readiness
Technology that supports IPv6 is currently available in the marketplace. It is easily within the development reach of any vendor offering network products over the next decade. IPv6 readiness can and should be achieved in a practical manner, today. There are a growing number of IPv6 information sources:
• In October 2011, HP launched a series of consulting services aimed at helping businesses migrate to IPv6 networks as the importance of shifting away from IPv4 grows. AT&T provides both guidance documents and strategy on converting to IPv6 at
http://tinyurl.com/ATT-campaign-IPv6.
• In July 2010, the U.S. Department of Defense (DoD) released version 5.0 of its 100-page document entitled, “IPv6 Standard Profiles for IPv6 Capable Products,” available at www.BPforIP.com/dod-ipv6. This is a technical document written for IT personnel, which provides an excellent example of defining IPv6 networks and qualifications for the networking products to be used to build them.
• A regional Internet registry (RIR) is an organization that manages the allocation and registration of Internet number resources — including Internet IP addresses — within a particular region of the world. The Réseaux IP Européens Network Coordination Centre (RIPE NCC), headquartered in Amsterdam, Netherlands, is the RIR for Europe, the Middle East and parts of Central Asia. RIPE NCC has established a news and education website supporting IPv6 adoption at www.ipv6actnow.org. While focused on IPv6 adoption within its region, the website provides a substantial amount of plain-language information and guidance that is applicable to IPv6 readiness anywhere.

IPv6 Planning
For security systems technology, preparing for IPv6 involves:
• Determining the IPv6-ready status of currently-deployed security technology;
• Identifying the deployed technologies that will likely be impacted by IPv6 enabled solutions;
• Knowing where IPv6 is on security technology vendor roadmaps;
• Leveraging modern network services to established well-managed security system networks; and
• Paralleling the IPv6 readiness of the IT department.
Determining the IPv6-ready status for products means supporting IPv6 addressing and related protocols — especially security protocols. There is no reason not to start asking vendors about their IPv6-ready status and IPv6 roadmap.

Rodney Thayer is an independent network researcher who focuses on network attack and defense issues as they relate to business infrastructure. Current security research (exploit development) includes product and infrastructure evaluations, and training/lecturing on computer security topics. Mr. Thayer’s background is in engineering, deployment, and evaluation of computer and network security solutions. He has experience in implementing a variety of network protocols and solutions including early IPSec and SSL systems.

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).