IPv6 and You

Typically, we think of network IP addresses as a technical topic — not something a security director or security operations manager would be too concerned about. Not so fast…there are several reasons why the envisioned upgrade to the Internet’s main communications protocol, from the current IPv4 (Internet Protocol version 4) to IPv6, warrants attention with regard to physical security systems and their networks.

The World IPv6 Day tests — organized by the Internet Society and held on June 8, 2011 — were a large-scale experiment aimed at identifying problems associated with implementing IPv6, and getting a “sneak peek” at what the upgrade to IPv6 might look like across the Internet. This was not a single pass-or-fail scenario. It was a joint test by about 400 companies (including Google, Yahoo, Microsoft, Verizon, Facebook and others you know) to “turn on” IPv6 in their Internet servers and in the Internet backbone, to find out just what might happen as some Internet users tried to connect to the servers using IPv6, while the bulk of Internet users continued using IPv4.

It is necessary for the Internet to move to IPv6 addressing because IPv4 Internet addresses are running out, and some regions of the Internet have already run out of IPv4 addresses and have moved to IPv6. (Please see www.bpforip.com/article_ipv6.html for maps, charts and a 6-minute video about the differences between IPv4 and IPv6.) IPv4 and IPv6 are not directly compatible — the difference has been compared to having two separate Internets. Users and companies assigned IPv6 addresses by their Internet Service Providers will not be able to connect to services that only use IPv4. Likewise, businesses that can only obtain IPv6 addresses (this starts first in Asia and eventually happens in the United States) will not be able to transact with customers on IPv4-only networks. This is not a theoretical situation. Case in point: in March of this year, Nortel Networks, the bankrupt networking hardware vendor, sold 666,624 IPv4 addresses to Microsoft for $7.5 million.

Yes, workarounds exist that can buy time and enable IPv4 systems and devices to interact with IPv6 systems and devices. But they impose constraints that cut off many benefits that come along with IPv6 capabilities, such as lowered network and system performance. They also require putting money into technology that will be thrown away in just a few years.
It is a situation where “doing it right the first time” makes sense from just about every perspective. That includes what we do with our networked security systems and devices.

Security Systems Impact

IPv4 has 4.3 billion IP addresses, while IPv6 has 340 trillion trillion trillion addresses. IPv6 fits the vision of an Internet where “any device could connect directly to any other device in the world.”

For security practitioners, devices on your security network need that direct device-to-device, system-to-system, and system-to-device level of capability and interoperability. You will need it if you want to engage in the level of real-time risk analysis and real-time communications and notification responses (via the corporate network and the Internet) that will be called for during the next decade. It is a given that your current security systems technology is almost completely unready for this near-term future.

Look at the impact that cell phone video and text messaging have on policing, and on capturing safety and security incidents that appear on the Internet and TV. Consider the role that text messaging, mobile e-mail and cell phone communications play in day-to-day security operations. For many universities, a fair portion of the student population is likely to know about a campus violence situation before Security can get its wits wrapped around it, thanks to text messaging, Twitter, and so on. This was not the case eight years ago.

Sad News for Security Practitioners

Now realize that the rate of technological change and related social change is continually accelerating, meaning that the differences in communications technologies, and in security response, will be completely different again — but in only four years.

This is why the success of World IPv6 Day is not necessarily good news for security practitioners, whose systems capabilities are largely dependent on what the security industry has to offer. The security industry has a history of not fully understanding and not keeping up with changes in computer and networking technology. For corporate security practitioners, this also means that many of your future security systems capabilities will be provided by your IT department — not by security industry vendors.

World IPv6 Day Test Results

As a result of World IPv6 Day tests, we now know that the IPv6 Internet can co-exist peacefully with the IPv4 Internet. The use of IPv4 on the Internet will not be negatively affected by the growth of IPv6 use. That means over the next decade, they will work side-by-side as the older IPv4 Internet slowly fades away.

This also means that the rate of IPv6 adoption can proceed without major concerns for negatively impacting IPv4 Internet usage. That is why IPv6 adoption will happen faster, not slower. A faster rate of IPv6 adoption means that the security industry will fall further behind more quickly. The reason for this is that the security industry mainly thinks that the transition away from IPv4 is basically about IP addresses.

IPv6 Isn’t Just About Addresses

The move to IPv6 is not just about IP addresses — it is about many things that will ultimately affect how well or how poorly security practitioners address their organization’s risk picture via electronic security systems.

IPv6 is a member of a group of next-generation Internet protocols and standards intended to provide significantly improved network capabilities around security, interoperability, reliability, high performance, scalability and manageability — to name a few. To understand this picture requires considering the meaning of the word “infrastructure” — the unseen “structure below” that makes the visible aspects of systems work.

For example, the goal of the transportation systems engineer is a velvety smooth train ride that occurs right on schedule. The quality of steel of the tracks, the specifications of the rails and earthwork below it, the capabilities of the switching systems and all the rest of the transportation systems infrastructure are not visible to us — but we depend on all of it. Similarly, the goal of computing and networking is reliable intelligent information exchange and communication. The technical details are invisible to us, but we require all of it to let “anything talk to anything” in the ways that we want and need.

Right now, our security systems capabilities are far behind broadly deployed consumer technology. A single text message can jump across dozens of systems to appear on Facebook, Twitter, countless blogs and a thousand or more cell phones all in an instant.

That’s how fast risk picture changes should come to us — not just in one place, but across all the parts of our security operations that need to assess, respond and keep management informed.

The dynamics of a workplace violence incident, a civil unrest disturbance or criminal violence can change dramatically in less than a minute. When a bullet from a firefight in a neighboring parking lot flies through a manufacturing plant wall and into an HVAC duct, bringing contaminating particles that cause the shutdown of a manufacturing line — this was a real incident at the southern U.S.-Mexico border — how do you know NOT to take the usual step of sending that line’s employees out into the parking lot for a break while your engineers figure out what happened?

To take advantage of real-time technology capabilities that exist now means developing a standards-based security systems infrastructure that is highly interoperable with computers, networks and Internet-based systems in a way that is easy to manage, operate and expand. Not to have that level of technology limits our threat detection, response and risk management capabilities.

IPv6 is about the whole set of systems and network protocols providing systems and device communications capabilities that we need to put to use to increase security operations effectiveness and reduce operations costs — it’s not just about IP addresses.

Who Is Where?

Security systems need to be using a whole set of protocols that exist in both IPv4 and IPv6 networking. An example of the difference between where security technology is today, and where it should be, is a feature found in many access control systems called the “Who Is Where” report (or something similar). It can be used to help locate key employee or visitor personnel for safety or security reasons. For example, in a personal medical emergency, are CPR-trained personnel present in an area or on a floor close to where they are needed? Where are the co-workers of the injured visitor?

For this capability to actually work, dual card readers have to be installed in the areas to be covered, so that the “in” and “out” status of personnel can be accurately determined. Additionally, the company culture has to ensure that personnel actually use the card readers as intended. Except for very high security facilities, the financial and cultural costs are too high for this to be feasible.

For most companies, it is not feasible to establish a reliable presence information capability using card access alone. Today, however, computing and communications technology infrastructure exists that provides multiple points of presence information per individual, such as computers (instant messaging, e-mail, calendar info, Skype calls), desk phones, mobile phones and conference call/meeting management systems.

An IT protocol exists for interoperability around presence information — the Extensible Messaging and Presence Protocol (XMPP). The existence of this protocol highlights what the security industry typically does not do — embrace IT standards for their security operations capabilities. For the most part, the industry incumbents wait until customers and integrators are demanding compatibility or compliance, and then they provide it. Rarely is forward-thinking initiative applied to answer the question: How can we help our end-users do a better job with security given all of the new information technologies and their capabilities?

Continuing with the presence technology example, personnel with special security and safety training or roles could register multiple points of presence with a security system that would maintain an updated status available for emergency security and safety use. The standards to do this are nearly a decade old. Where are our security applications?

More than Half a Decade Behind

About five years ago at the Naval Postgraduate school in Monterey, Calif., Captain Adrian D. Arnold submitted a 172-page published thesis titled, “XML Tactical Chat (XTC): Extensible Messaging and Presence Protocol for Command and Control Applications,” in which he writes, “Current chat and instant messaging (IM) solutions within the DoD have created problems with information security and interoperability. Though Extensible Message and Presence Protocol (XMPP) is the only mandated chat and IM protocol in the DoD, the majority of the military still operates alternate non-standard solutions that prevent interoperability and lack appropriate security assurances.”

This is typical for the security industry, whose products minimally support key IT protocols and which often require specific network configurations that limit deployment options. Security practitioners, consultants, convergence engineers and IT personnel need to understand this situation and its impact on security technology planning.

Security Management Challenges

It is continually being stated that our world is changing faster and faster in ways both good and bad. This applies to the economic climate, the state of political unrest, the corporate environment and in other aspects that impact the assets we must protect, and the threats we must deal with.

This article is the first in a series that will present a picture of the “next generation of computer and networking technology” — of which IPv6 is just one part — and relates it to the challenges that security managers and executives face as they endeavor to increase security capabilities, reduce security costs and establish an acceptable risk picture for their organizations. These articles will discuss technical capabilities planning, technology budgets and timelines, how and about what to collaborate with IT, and explaining all of this to management — no matter what your current starting point is. Stay tuned.

Rodney Thayer is an independent network researcher who focuses on network attack and defense issues as they relate to business infrastructure. Current security research (exploit development) includes product and infrastructure evaluations, and training/lecturing on computer security topics. Mr. Thayer’s background is in engineering, deployment, and evaluation of computer and network security solutions. He has experience in implementing a variety of network protocols and solutions including early IPSec and SSL systems.



Ray Bernard, PSP, CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS). He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council.