Much of our current thinking about networking for physical security systems lags behind the advances of technology. Because advancements come more rapidly every year, it is no longer sufficient to base our thinking on “the latest technology.”
We have to take technology trends into account if we wish to deploy systems that will have useful lives of 5 to 10 years, and which can use and be used by new technology as it arrives in the coming decade.
In the late 1990s, there was much activity in the Internet standards community. The dot-com boom was rolling, use of the Internet was expanding, and commerce-based cryptography and security standards were just being developed. Many network protocols were devised, refined and/or standardized during this time. Among these was IPv6, the solution to IPv4 address limitation as well as a logical evolution of the Internet for many reasons.
Most of today’s discussions about IPv6 are limited to its new addressing scheme and hardly touch on the network landscape into which IPv6 is expected to be deployed. Understanding the nature of this broader network landscape is critical to keep from deploying or expanding obsolete network designs — because no security end-user wants to be stuck with obsolete or out-of-date technology.
More Devices, Data, Connections and Network Services
A little more than a decade ago, the security industry was connecting sensors, controllers and computers to each other via RS232, RS-485 and coax connections, using mostly proprietary methods. These are now considered “legacy device connections,” because the industry has switched to connecting intelligent devices, controllers and computers (what IT calls network “nodes”) to a common network based on independent standards — where some or none of the nodes have legacy device connections. Thus, networking is an increasingly critical component of electronic physical security systems, and a consequence is that industry trends for computer and networking equipment are rapidly changing the capacities and communication capabilities of our security systems.
Computer and networking technology is evolving at an increasingly rapid rate. For an example that’s easy to relate to, see the graphic on page 38, which depicts trends relating to computer hard drive advances. This graph is similar to network technology trends — except that the impact of computer disk drives is more visible to us than network trends. Notice the steep downward curve of the left-hand side of the graph — this is the cost trend. Notice the steep upward curve of the right-hand side of the graph — this is the capacity/capability trend. At the “We are Here Point” of the graph, we find that our current thinking — after decades of dealing with budget constraints and technology limitations — has not caught up with our actual position. Hard drive costs and capacities are no longer a constraint; in fact, they are more than keeping pace with the increasing data outputs of multi-megapixel cameras. The number of network nodes (cameras, intercoms, card readers and so on) continues increasing, and although the network technology itself is advancing, our physical security network deployments are not keeping up with modern network practices.
The network infrastructure we deploy or upgrade today must support requirements of both today and tomorrow. Keeping up with those requirements includes establishing network design standards that take into account anticipated network growth for overall capacity and for specific application requirements, like those of high-megapixel security video. The planning is where IPv6 awareness comes into play.
Why Move to IPv6…and When?
There are many technical reasons to move to IPv6, including improved security and mobile device management that will become more important as the use of Internet communications and Internet-based services increases. Business reasons to move to IPv6 will continue to arise as the use of external information systems and cloud-based services continue to develop. At some point, new networked devices will begin using IPv6 as the dominant mechanism to connect to the network.
Although we can predict that IPv6 networking will be a requirement, it is hard to predict exactly when that will impact any particular security system network. Any number of business drivers will influence the timing of partial and then full IPv6 adoption for electronic physical security systems. Those drivers will appear in the IT domain, the Internet domain and the security domain.
In addition, disruptive technology appearing in any one of those domains could provide the impetus for quick IPv6 adoption for the business and for security operations, meaning that being ready for IPv6 adoption is important to you, the security end-user.
If legacy security systems and technologies are not assessed and their upgrade or replacement planned for, security departments can be caught without the budgetary means to implement partial or full IPv6 adoption for perhaps a full annual budget cycle or more.
IPv6 Readiness
Moving to IPv6 is not a sudden, one-shot transition — it is a move that must be planned and synchronized with IT’s plans and technology evolution. All current computer operating system software already supports IPv6, as do most business-class network switches and some security technologies — notably leading network camera brands. There is no reason for anyone to deploy network infrastructure today that is not IPv6-ready. Security executives must also begin transitioning to security technology that is IPv6-ready.
Here’s a sound approach to IPv6 deployment for security systems:
• Establish and maintain IPv6 compatibility in devices, systems and networks (in other words, test IPv6 compatibility as part of deployment).
• Begin using modern IPv4 network design including Domain Name Services (DNS), ZeroConf, network traffic management such as with Quality of Service (QoS), network management through logging and Simple Network Management Protocol (SNMP). These, along with IPv6, are part of the modern network landscape.
• Bring the network’s security in line with modern IT practices — this means using firewalls, policy enforcement devices, Transport Layer Security (TLS), and strong access control through credentialing, including device credentials (digital certificates used to verify the identity of the device connected to the network, including network cameras).
• Migrate to partial and then full IPv6 adoption as IT, business and security drivers warrant.
IPv6 has a complex address format (see below) in which manually managing IP addresses is simply not practical. Furthermore, IPv6 addressing was intended to be automatically managed and to be used with techniques that provide self-configuring networks, in order to lower network management costs and eliminate manual errors as much as possible.
However, IPv6’s use of automatic network configuration, service announcements (ZeroConf) and automatic configuration (UPnP) makes some of the hackers’ tasks easier. That makes it even more important to use strong network security. Because these mechanisms reveal the existence of devices and the services they offer, and because these mechanisms are not authenticated, many IPv4 security system networks (that also have these mechanisms) are more vulnerable than their managers suspect. While implementing network security in IPv4 networks is a good IPv6 readiness step, it is also a critical deployment requirement now.
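One practical defensive response to unauthenticated service announcements is to listen for them passively and compare what appears on the security network against the approved device list. The Python script below is an added illustration, not part of the original article: it parses constructed UPnP SSDP NOTIFY datagrams (one sent to the IPv4 group 239.255.255.250 and one to the IPv6 link-local group ff02::c), extracts the device identity, type and advertised management URL, and flags any device that is not on the approved list. The device UUIDs, addresses and SERVER strings are made up for the example.

```python
# Constructed SSDP NOTIFY datagrams, as devices multicast them on UDP port 1900.
# The uuids, addresses and SERVER strings are invented for this example.
SAMPLE_DATAGRAMS = [
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.54:49152/desc.xml\r\n"
    b"NT: urn:schemas-upnp-org:device:Basic:1\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleCam/2.1\r\n"
    b"USN: uuid:00000000-0000-4000-8000-000000000054::urn:schemas-upnp-org:device:Basic:1\r\n"
    b"\r\n",
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: [ff02::c]:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://[fe80::a976:c10c:2d35:c2ab]:8080/root.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: ExampleOS/2.0 UPnP/1.1 MediaBox/9\r\n"
    b"USN: uuid:00000000-0000-4000-8000-0000000000aa::upnp:rootdevice\r\n"
    b"\r\n",
    # A search request is not an announcement and is ignored by the audit.
    b"M-SEARCH * HTTP/1.1\r\n\r\n",
]

# Devices the security department has approved (constructed uuid).
APPROVED_DEVICES = {"uuid:00000000-0000-4000-8000-000000000054"}


def parse_notify(datagram):
    """Return the headers of an SSDP NOTIFY as a dict, or None if the datagram is not one.

    Headers are case-insensitive, so they are normalised to upper case.
    """
    lines = datagram.decode("ascii", errors="replace").split("\r\n")
    if lines[0] != "NOTIFY * HTTP/1.1":
        return None
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue            # malformed header line: skip it
        headers[name.strip().upper()] = value.strip()
    if any(h not in headers for h in ("NT", "NTS", "USN")):
        return None             # required SSDP headers missing
    return headers


def audit(datagrams, approved):
    """Build a passive inventory from announcements and mark devices not on the approved list.

    Announcements are unauthenticated, so the inventory is a detection aid,
    never a source of trust: an 'unexpected' entry is a prompt to investigate.
    """
    findings = []
    for datagram in datagrams:
        headers = parse_notify(datagram)
        if headers is None:
            continue
        device = headers["USN"].split("::", 1)[0]   # uuid part of the USN
        if headers["NTS"] != "ssdp:alive":
            status = "withdrawn"                    # ssdp:byebye announcements
        elif device in approved:
            status = "approved"
        else:
            status = "unexpected"
        findings.append({
            "device": device,
            "type": headers["NT"],
            "location": headers.get("LOCATION"),
            "server": headers.get("SERVER"),
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DATAGRAMS, APPROVED_DEVICES):
        print(finding)
```

On a live network the datagrams would come from a socket joined to the two multicast groups; the parsing and audit logic stays the same. The LOCATION header is worth recording because it tells you which management interface each device is exposing to anyone on the segment.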
Support for IPv6 Readiness
Technology that supports IPv6 is currently available in the marketplace. It is easily within the development reach of any vendor offering network products over the next decade. IPv6 readiness can and should be achieved in a practical manner, today. There are a growing number of IPv6 information sources:
• In October 2011, HP launched a series of consulting services aimed at helping businesses migrate to IPv6 networks as the importance of shifting away from IPv4 grows. AT&T provides both guidance documents and strategy on converting to IPv6 at http://tinyurl.com/ATT-campaign-IPv6.
• In July 2010, the U.S. Department of Defense (DoD) released version 5.0 of its 100-page document entitled, “IPv6 Standard Profiles for IPv6 Capable Products,” available at www.BPforIP.com/dod-ipv6. This is a technical document written for IT personnel, which provides an excellent example of defining IPv6 networks and qualifications for the networking products to be used to build them.
• A regional Internet registry (RIR) is an organization that manages the allocation and registration of Internet number resources — including Internet IP addresses — within a particular region of the world. The Réseaux IP Européens Network Coordination Centre (RIPE NCC), headquartered in Amsterdam, Netherlands, is the RIR for Europe, the Middle East and parts of Central Asia. RIPE NCC has established a news and education website supporting IPv6 adoption at www.ipv6actnow.org. While focused on IPv6 adoption within its region, the website provides a substantial amount of plain-language information and guidance that is applicable to IPv6 readiness anywhere.
IPv6 Planning
For security systems technology, preparing for IPv6 involves:
• Determining the IPv6-ready status of currently-deployed security technology;
• Identifying the deployed technologies that will likely be impacted by IPv6 enabled solutions;
• Knowing where IPv6 is on security technology vendor roadmaps;
• Leveraging modern network services to establish well-managed security system networks; and
• Paralleling the IPv6 readiness of the IT department.
Determining the IPv6-ready status for products means supporting IPv6 addressing and related protocols — especially security protocols. There is no reason not to start asking vendors about their IPv6-ready status and IPv6 roadmap.
Rodney Thayer is an independent network researcher who focuses on network attack and defense issues as they relate to business infrastructure. Current security research (exploit development) includes product and infrastructure evaluations, and training/lecturing on computer security topics. Mr. Thayer’s background is in engineering, deployment, and evaluation of computer and network security solutions. He has experience in implementing a variety of network protocols and solutions including early IPSec and SSL systems.
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).
IPv6 and IPv4 Addresses
Example IPv6 Address . . . . . : fe80::a976:c10c:2d35:c2ab%10
Example IPv4 Address . . . . . : 192.168.1.114
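To make the address format above less opaque, here is an added Python script (an illustration for this article, not code from the authors) that takes a constructed list of addresses, beginning with the two shown above, strips the zone index that Windows appends (the “%10”), reports each address’s scope, and detects interface identifiers that were built from the device’s MAC address, recovering that MAC for inventory cross-checks. The addresses other than the two above are made up; 2001:db8::/32 is the IPv6 documentation prefix and stands in for a routable address.

```python
import ipaddress

# Scope prefixes: link-local (RFC 4291) and unique local (RFC 4193).
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")

# Constructed sample inventory. The first two entries are the sidebar's examples;
# the rest are invented here, with 2001:db8::/32 standing in for a global prefix.
SAMPLE_ADDRESSES = [
    "fe80::a976:c10c:2d35:c2ab%10",
    "192.168.1.114",
    "fd12:3456:789a:1::21",
    "2001:db8:4:3::a0c",
    "2001:db8:4:3:21b:21ff:fe0a:9f3c",
]


def split_zone(text):
    """Separate a zone index ('%10' on Windows, '%eth0' on Linux) from the address.

    The zone identifies the sending interface and is only meaningful on the host
    that printed it, so it is kept apart from the address proper.
    """
    addr, sep, zone = text.partition("%")
    return addr, (zone if sep else None)


def is_eui64(addr):
    """True when the interface identifier carries the 0xFFFE filler that
    stateless autoconfiguration inserts into a MAC-derived identifier."""
    iid = int(addr) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(addr):
    """Recover the MAC address from a modified EUI-64 interface identifier:
    flip the universal/local bit in the first octet and drop the FF:FE filler."""
    iid_bytes = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    mac = bytes([iid_bytes[0] ^ 0x02]) + iid_bytes[1:3] + iid_bytes[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(text):
    """Describe one address: version, scope, zone index and any embedded MAC."""
    addr_text, zone = split_zone(text)
    addr = ipaddress.ip_address(addr_text)
    record = {"address": str(addr), "version": addr.version, "zone": zone, "mac": None}
    if addr.version == 4:
        record["scope"] = "private" if addr.is_private else "global"
        return record
    if addr in LINK_LOCAL:
        record["scope"] = "link-local"     # never routed; valid only on its segment
    elif addr in UNIQUE_LOCAL:
        record["scope"] = "unique-local"   # site-internal, the IPv6 analogue of RFC 1918
    elif addr.is_loopback:
        record["scope"] = "loopback"
    else:
        record["scope"] = "global"
    if is_eui64(addr):
        record["mac"] = mac_from_eui64(addr)
    return record


def inventory(addresses):
    return [classify(a) for a in addresses]


if __name__ == "__main__":
    for record in inventory(SAMPLE_ADDRESSES):
        print(record)
```

The MAC recovery is the point to note for inventory work: a device whose global address embeds its MAC can be matched to switch port tables and purchase records, while an address like the link-local example above (random interface identifier) cannot, and such a device may also change its address over time.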
21st Century Networking Practices
- Bonjour – a protocol by Apple implementing Zero Configuration Networking (see ZeroConf).
- Domain Name Services (DNS) – use of names, called “fully qualified domain names” (FQDN), instead of using hard-coded IPv4 addresses. This means using names styled like cam12.bldg03.example.com instead of 192.168.1.54. Names are easier to remember than numbers (that’s why web servers have names like www.Google.com), and when IP addresses are automatically generated, using domain names becomes more important.
- Simple Network Management Protocol (SNMP) – A standards-based protocol and data representation scheme used to manage network devices. For example, to troubleshoot a video problem, a technician might look at the “ifInOctets” value (a standard SNMP data “object”) in a video management system (VMS) and the “ifOutOctets” value in a video camera to confirm that data is, in fact, flowing out of the camera onto the network and from the network into the VMS (the VMS server and camera must both support SNMP, of course). Network management software can automatically monitor and provide alerts on non-optimal network device conditions using SNMP.
- Syslog – short for “system log,” is a standards-based protocol used by many enterprise-class network devices to send status and alert messages about themselves.
- Dynamic Host Configuration Protocol (DHCP) – a standards-based protocol to allocate IP addresses to network devices. Originally, computing devices — which now include cameras — were called “hosts” and connected to “servers” across the Internet or other network. DHCP eliminates the need to manually set a device’s IP address. DHCP can be combined with “Dynamic DNS” to allow a valid FQDN to be associated with a dynamically assigned address.
- Policy Enforcement Devices – network appliances that monitor network traffic and ensure that company policies are complied with regarding network usage and that malicious traffic is blocked from leaving or entering the network.
- Quality of Service – an Internet Protocol (IP) feature that facilitates labeling network traffic for purposes of setting its transmission priority.
- Transport Layer Security (TLS) – a protocol that allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. It is the protocol most commonly used for HTTPS (HTTP Secure) web browser connections.
- Universal Plug and Play (UPnP) – a mechanism for devices to automatically establish network services. Originally intended for use in a home network, UPnP includes the capability for reconfiguration of network devices, such as firewalls, to allow additional network traffic. It is a protocol by Microsoft implementing Zero Configuration Networking (see ZeroConf). UPnP is deployed today in products from Microsoft, Apple, and other vendors.
- ZeroConf – Zero Configuration Networking, a network discovery mechanism whereby a device, such as an intelligent door access controller, can announce its presence on the network so that its managing access control server can connect to it automatically. It includes automatic assignment of IP addresses. Use of ZeroConf and related protocols can facilitate very simple installation procedures where it is possible to “just plug it in and it all works.” IPv6, because of its sophisticated but unwieldy-for-humans addresses, relies on automated mechanisms like ZeroConf to facilitate provisioning networks with correct device addresses. Bonjour by Apple and UPnP by Microsoft are two examples of ZeroConf protocols.
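The SNMP entry above describes comparing a camera’s ifOutOctets with the VMS’s ifInOctets. The Python script below is an added worked example of that check (constructed counter samples, not the article’s own material): it turns successive counter readings into octets-per-second, handles the 32-bit counter rollover that ifInOctets and ifOutOctets are subject to, and flags an interval in which far less is arriving at the VMS than the camera is sending.

```python
# Constructed poll samples as (seconds, counter value), taken every 10 s.
# The camera sends 5,000,000 octets per interval; its ifOutOctets (a 32-bit
# counter) wraps past 2**32 between the first and second sample.
CAMERA_IF_OUT = [(0, 4_294_000_000), (10, 4_032_704), (20, 9_032_704)]
# VMS ifInOctets when the path is healthy...
VMS_IF_IN_OK = [(0, 1_000_000), (10, 6_000_000), (20, 11_000_000)]
# ...and when only a fifth of the camera's output is arriving.
VMS_IF_IN_BAD = [(0, 2_000_000), (10, 3_000_000), (20, 4_000_000)]


def counter_delta(prev, cur, width=32):
    """Difference between two readings of an SNMP Counter32 (or Counter64 with
    width=64), allowing for a single wrap between the readings."""
    if cur >= prev:
        return cur - prev
    return (1 << width) - prev + cur


def octet_rates(samples, width=32):
    """Octets per second for each interval between consecutive samples."""
    return [counter_delta(c0, c1, width) / (t1 - t0)
            for (t0, c0), (t1, c1) in zip(samples, samples[1:])]


def compare_path(camera_out, vms_in, tolerance=0.9, width=32):
    """Compare what the camera transmits with what the VMS receives, interval by interval.

    A camera's ifOutOctets counts all of its egress, so a ratio a little below 1
    is normal when it also serves other viewers; a large shortfall points to
    loss on the path or to the camera's stream going somewhere else.
    """
    findings = []
    tx_rates = octet_rates(camera_out, width)
    rx_rates = octet_rates(vms_in, width)
    for i, (tx, rx) in enumerate(zip(tx_rates, rx_rates)):
        ratio = rx / tx if tx else 1.0
        findings.append({
            "interval": i,
            "camera_tx_bps": tx * 8,
            "vms_rx_bps": rx * 8,
            "ratio": round(ratio, 2),
            "status": "ok" if ratio >= tolerance else "loss-or-misroute",
        })
    return findings


if __name__ == "__main__":
    for finding in compare_path(CAMERA_IF_OUT, VMS_IF_IN_OK):
        print("healthy:", finding)
    for finding in compare_path(CAMERA_IF_OUT, VMS_IF_IN_BAD):
        print("degraded:", finding)
```

Two caveats a technician should keep in mind: a 32-bit octet counter wraps in roughly 34 seconds on a saturated gigabit link, so poll at least that often or use the 64-bit ifHCInOctets/ifHCOutOctets objects where the device supports them; and a single wrap is all this arithmetic can detect, so two wraps between polls will silently under-report.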
Tracking Internet Growth
To get an idea of the speed of technology adoption today, consider the time it took to obtain 50 million users, once these technologies became available to the general public: Radio: 38 years; Television: 14 years; The Internet: just 4 years!
Internet Users: In 2010, there were 2.9 billion e-mail accounts, 25 percent of which were corporate accounts. As of October 2011, there were more than 2.3 billion Internet users — about a third of the world’s population — per the ITU (International Telecommunication Union), a United Nations Agency. These numbers keep growing daily.
Video: With the growth in network users comes new and updated network protocols and services. Network traffic management must improve to address new network traffic patterns based on network usage. For example, in 2010, video network traffic became the dominant type of Internet network traffic. Improvements in network video handling capabilities have positive implications for security video technology, including the feasibility of cloud-based video services. One example is the cloud-based video analytics service provided by Jemez Technology (www.jemeztechnology.com), which can work with low-resolution video streams from cameras and video management systems.
In 2005, YouTube had just launched, and the average broadband speed was less than 1 Mbps, and P2P file sharing was nearly two-thirds of consumer Internet traffic. Five years later, Internet video has surpassed P2P as the largest consumer Internet traffic category; YouTube traffic has already been surpassed by new forms of Internet video; and the global average broadband speed has now reached 7 Mbps. By 2015, the global average broadband speed is expected to reach 28 Mbps.
Data Storage: A zettabyte is equal to 1 billion terabytes. As of 2009, the Internet was estimated to hold nearly half a zettabyte of data. Internet data storage is distributed among the millions of data systems supporting web servers globally. During its 2011 Fiscal Year, just one manufacturer (Seagate) reported selling one-third of a zettabyte of hard drives. These levels of data storage would have been staggering to think of just 10 years ago, but will be considered “ordinary” before the end of the current decade.
Due to the exhaustion of IPv4 addresses, some parts of the world have already converted to IPv6. Why? In order to provide their populations with enough IP addresses to connect to all of this Internet data.
A positive impact for security video systems is that data storage technology will continue to drop in cost and improve in capabilities. Some end-users will remember the initial shock of learning that high-resolution video data storage from megapixel cameras would require one whole terabyte or more of capacity. With 4-terabyte consumer-rated hard drives currently selling at $200, and commercial-rated drives only slightly higher, such storage requirements have gone from the “shocking” category to “ho-hum.”
Business Networking: According to a June 2011 report from the Cisco Visual Networking Index initiative entitled “Entering the Zettabyte Era,” increased adoption of advanced video communications in enterprises will cause business IP traffic to more than double between 2010 and 2015. Furthermore, trends indicate that business video conferencing will grow six-fold by 2015.
The trends also mean that business networks will continue to expand (and will therefore need more IP addresses) to support higher traffic volumes, including improvements to support new types of video data transport. In this way, greater bandwidth can become available for security video, provided that security video is included in IT’s network expansion plans. The management of video data traffic on the network will become easier.
These trends mean that cloud-based services for security systems (an example of more IP addresses needed) will become increasingly more feasible as time goes forward, for security video as well as other security-related services.
Connected Devices: The number of networked devices continues to grow, and that growth will be fueled in the future by freely available IPv6 addresses. In 2010, the number of networked devices equaled the number of people in the world. The number of devices connected to IP networks will be twice as high as the global population in 2015; however, it must be remembered that what “connected device” means today is different from what it meant 10 years ago.
The advent of virtualization means that a single connected device may represent any number of virtual devices, and correspondingly will require a number of IP addresses. A 360-degree panoramic digital video camera (8 camera lenses and sensors in a single housing) could provide one IP address for its panoramic view, plus eight more IP addresses, one for each of the individual camera views. Under IPv6 networking, sending the nine video streams outside of the camera’s private network would be simpler than under IPv4, as no network address translation (NAT) technology or other addressing workaround would be required.
About the Author

Ray Bernard, PSP, CHS-III
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).
Follow him on LinkedIn: www.linkedin.com/in/raybernard.
Follow him on Twitter: @RayBernardRBCS.