Although we can predict that IPv6 networking will be a requirement, it is hard to predict exactly when that will impact any particular security system network. Any number of business drivers will influence the timing of partial and then full IPv6 adoption for electronic physical security systems. Those drivers will appear in the IT domain, the Internet domain and the security domain.
In addition, disruptive technology appearing in any one of those domains could provide the impetus for quick IPv6 adoption for the business and for security operations, meaning that being ready for IPv6 adoption is important to you, the security end-user.
If legacy security systems and technologies are not assessed and their upgrade or replacement planned for, security departments can be caught without the budgetary means to implement partial or full IPv6 adoption for perhaps a full annual budget cycle or more.
Moving to IPv6 is not a sudden, one-shot transition — it is a move that must be planned and synchronized with IT’s plans and technology evolution. All current computer operating system software already supports IPv6, as do most business-class network switches and some security technologies — notably leading network camera brands. There is no reason for anyone to deploy network infrastructure today that is not IPv6-ready. Security executives must also begin transitioning to security technology that is IPv6-ready.
Here’s a sound approach to IPv6 deployment for security systems:
• Establish and maintain IPv6 compatibility in devices, systems and networks (in other words, test IPv6 compatibility as part of deployment).
• Begin using modern IPv4 network design, including Domain Name Services (DNS), ZeroConf, network traffic management such as Quality of Service (QoS), and network management through logging and Simple Network Management Protocol (SNMP). These, along with IPv6, are part of the modern network landscape.
• Bring the network’s security in line with modern IT practices — this means using firewalls, policy enforcement devices, Transport Layer Security (TLS), and strong access control through credentialing, including device credentials (digital certificates used to verify the identity of the device connected to the network, including network cameras).
• Migrate to partial and then full IPv6 adoption as IT, business and security drivers warrant.
IPv6 has a complex address format (see below) in which manually managing IP addresses is simply not practical. Furthermore, IPv6 addressing was intended to be automatically managed and to be used with techniques that provide self-configuring networks, in order to lower network management costs and eliminate manual errors as much as possible.
However, IPv6’s use of automatic network configuration, service announcements (ZeroConf) and automatic configuration (UPnP) makes some of the hackers’ tasks easier. That makes it even more important to use strong network security. Because these mechanisms reveal the existence of devices and the services they offer, and because these mechanisms are not authenticated, many IPv4 security systems networks (that also have these mechanisms) are more vulnerable than their managers suspect. While implementing network security in IPv4 networks is a good IPv6 readiness step, it is also a critical deployment requirement now.
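What the unauthenticated announcements described above disclose to any listener on the segment, as an added example that is not part of the original article: a passive parser for UPnP discovery (SSDP) NOTIFY messages, run over constructed sample datagrams. The addresses, product strings and function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample datagrams (documentation addresses, made-up product names).
ALIVE_V4 = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b"CACHE-CONTROL: max-age=1800\r\n"
            b"LOCATION: http://192.0.2.21:49152/desc.xml\r\n"
            b"NT: urn:schemas-upnp-org:device:Basic:1\r\nNTS: ssdp:alive\r\n"
            b"SERVER: Linux/3.10 UPnP/1.0 ExampleCam/2.4\r\n"
            b"USN: uuid:00000000-0000-0000-0000-000000000001\r\n\r\n")
ALIVE_V6 = (b"NOTIFY * HTTP/1.1\r\nHOST: [FF02::C]:1900\r\n"
            b"LOCATION: http://[2001:db8::35]:8080/desc.xml\r\n"
            b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
            b"SERVER: ExampleOS/1.0 UPnP/1.1 ExampleRecorder/7.0\r\n"
            b"USN: uuid:00000000-0000-0000-0000-000000000002::upnp:rootdevice\r\n\r\n")
BYEBYE = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"NT: upnp:rootdevice\r\nNTS: ssdp:byebye\r\n"
          b"USN: uuid:00000000-0000-0000-0000-000000000003::upnp:rootdevice\r\n\r\n")
SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')

def parse_ssdp(datagram):
    """Split one SSDP datagram into its start line and lower-cased headers."""
    lines = datagram.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip blank lines and anything that is not "Name: value"
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def disclosed_devices(datagrams):
    """Map each announcing device (by USN) to what its announcement reveals."""
    seen = {}
    for datagram in datagrams:
        start, h = parse_ssdp(datagram)
        if not start.startswith("NOTIFY") or h.get("nts") != "ssdp:alive":
            continue  # searches and byebye messages are not live announcements
        loc = urlsplit(h.get("location", ""))
        seen[h.get("usn", "")] = {
            "host": loc.hostname, "port": loc.port,
            "service": h.get("nt"), "software": h.get("server"),
            # No header carries a signature, so nothing here is verified.
            "cleartext_description": loc.scheme == "http",
        }
    return seen

if __name__ == "__main__":
    for usn, info in disclosed_devices([ALIVE_V4, ALIVE_V6, BYEBYE, SEARCH]).items():
        print(usn, info)
```

Each entry shows an address, port, service type and software version that the device volunteered without any authentication, which is the inventory a network owner should compare against firewall and segmentation policy.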
Support for IPv6 Readiness
Technology that supports IPv6 is currently available in the marketplace. It is easily within the development reach of any vendor offering network products over the next decade. IPv6 readiness can and should be achieved in a practical manner, today. There are a growing number of IPv6 information sources:
• In October 2011, HP launched a series of consulting services aimed at helping businesses migrate to IPv6 networks as the importance of shifting away from IPv4 grows. AT&T provides both guidance documents and strategy on converting to IPv6 at http://tinyurl.com/ATT-campaign-IPv6.
• In July 2010, the U.S. Department of Defense (DoD) released version 5.0 of its 100-page document entitled, “IPv6 Standard Profiles for IPv6 Capable Products,” available at www.BPforIP.com/dod-ipv6. This is a technical document written for IT personnel, which provides an excellent example of defining IPv6 networks and qualifications for the networking products to be used to build them.