6Sense: Generating New Possibilities in the New Internet.
Produced by: IPv6 Summit, Inc.

Is Your Firewall Ready for Voice Over IPv6?
IPv6 Network Security – a Practical Approach
Zlata Trhulj, Agilent Technologies

IPv6 Network Security Challenges
 
Developing and deploying IPv6-capable network security devices and services is one of the key challenges faced by network equipment manufacturers, network operators and ISPs worldwide.
 
Industry debate on IPv6 security is heating up: millions have been awarded for next-generation security research. Independent academic and commercial forums, industry standards bodies, large corporations and military organizations are all engaged in a full debate over emerging network security architectures, new firewall models and end-to-end encryption methods. Along with interoperability and reliability, security is regarded as the key prerequisite for long-term IPv6 adoption. The requirement to support hybrid (dual-stack) IPv4 and IPv6 environments introduces a whole new level of complexity, no longer making the Internet “simple.” Hundreds of millions of hosts and services worldwide run IPv4 and will continue to do so for a long time. And last but not least, it is no longer just data application traffic carried over the Internet: Voice over IP (VoIP) is here today, driven by a clear consumer demand for converged network services.
 
Facing this emerging complexity, what should a security appliance vendor, a service provider or a large corporation do today? The emerging IP networking world faces combinations of IPv4, IPv6, dual IPv4/IPv6, data and voice, network attacks (DoS), and legacy issues such as network address translation (NAT) for IPv4, all in one equation.
 
The practical approach is to begin by effectively emulating L4-7 traffic carried in IP networks today, then ensuring that current security devices and architectures support this traffic mix effectively. Key points to consider when evaluating the availability and performance of security appliances include:

  • Longer IPv6 addresses: Firewall rule sets and Access Control Lists must work with IPv6 addresses. How will firewall performance degrade when handling the IPv6 address? How will this impact the overall network architecture?

  • IPv6 variable-length headers: IPv6 header parsing is more complex. Encryption and authentication header sections must be parsed and filtered, as they can affect routing and filtering decisions. In some instances, an integrated network security device may also need to perform encryption / decryption or calculation of message authentication codes to be able to filter application-layer headers and content. Additional processing requirements such as these will impact firewall performance.

  • IPv6 and IPv4 concurrent processing
    IPv6-capable firewalls need to keep state tables for both IPv4 and IPv6 TCP connections and UDP sessions. Application-aware firewalls must now track IPv4 and IPv6 transactions simultaneously. Added complexity arises from translation and tunneling (for example, IPv4 over IPv6 or IPv6 over IPv4). What about encryption and authentication? Does IPSec run across both stacks? Consider that some applications (e.g. telnet) may have different security applied over IPv4 and IPv6. Does transitioning to IPv6 create back doors for attacking the IPv4 network? Performance degradation during simultaneous IPv6 and IPv4 operations must be quantified and considered in a holistic approach to network design.

  • Concurrent processing of data applications and Voice over IPv6
    Besides handling applications such as HTTP, FTP, POP3, etc., firewalls must be able to interpret Voice over IPv6 signaling protocols in order to dynamically open and close ports for the VoIP traffic, and must track each call to ensure that ports are open only for the duration of the call. Firewall policies must be rigorously tested on how effectively they protect exchanges between VoIP gateways (secured behind firewalls) and end devices. In some cases, firewalls can be used to separate voice and data traffic, to ensure appropriate policies are applied. VoIP traffic must not only be secured, but vendors must ensure that latency, jitter and packet loss for VoIP traffic are not affected by firewall traversal. How does firewall performance degrade when handling both data and voice traffic simultaneously? Over IPSec? In a hybrid IPv4/IPv6 environment?

  • IPv6 DoS attacks
    Any security weaknesses introduced by IPv6 will be quickly exploited. Resiliency to well-known Denial of Service attacks must be retested for IPv6 – for example, ICMPv6 flood attacks. Just as hackers were able to use packet fragmentation to “hide” DoS attack packets to penetrate low-performing IPv4 firewalls, they will use IPv6/v4 and IPv4/v6 tunneling to try to hide application-layer attacks within complex handcrafted packets.

  • Test plan design and application intelligence
    Existing test scripts for IPv4 alone will no longer work. It may be impractical or impossible to re-use existing layer 4-7 test equipment if there is no underlying support for IPv6, or if IPv6 support is not fully integrated. At the same time, firewalls are gaining more and more “application intelligence,” making development of test scripts tedious and cumbersome. Proof-of-concept labs must carefully redesign their test plans and rethink their test environments for dual-stack evaluation and increasing complexities.
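As an added illustration of the header-parsing and tunneling points above (variable-length extension headers, fragments that carry the transport header away from the first packet, and IPv4/IPv6 tunneling used to hide application-layer content), the following Python walks the Next Header chain of a raw IPv6 packet and reports what an application-aware filter can actually see. This is example code written for this article, not part of the original text or of any Agilent product; the sample packets are constructed inline from RFC 3849 documentation addresses and the function names are the example's own.

```python
import struct
import ipaddress

# IPv6 Next Header values (RFC 8200, RFC 4302/4303). The first group can be
# walked through; the second group ends the walk because the upper layer is
# either present (TCP/UDP/ICMPv6), hidden (ESP) or an encapsulated packet.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH = 0, 43, 44, 60, 51
TCP, UDP, ICMPV6, ESP, IPV4_IN_IPV6, IPV6_IN_IPV6 = 6, 17, 58, 50, 4, 41


def walk_ipv6(pkt: bytes) -> dict:
    """Follow the Next Header chain of a raw IPv6 packet and report what a
    filter can actually see: the upper-layer protocol, where it starts, and
    whether fragmentation, AH or tunnelling sits in front of it."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40]),
            "ext": [], "fragmented": False, "first_fragment": True,
            "authenticated": False, "tunneled": None}
    nh, off = pkt[6], 40
    while True:
        if off + 2 > len(pkt):
            raise ValueError("truncated packet")
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            hlen = (pkt[off + 1] + 1) * 8       # Hdr Ext Len: 8-octet units, excluding the first 8
        elif nh == FRAGMENT:
            hlen = 8                            # fixed-size fragment header
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            info["fragmented"] = True
            info["first_fragment"] = frag_off == 0
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4       # AH Payload Len: 4-octet units, minus 2
            info["authenticated"] = True
        else:
            break                               # upper layer, ESP or tunnel: stop here
        if off + hlen > len(pkt):
            raise ValueError("truncated extension header")
        info["ext"].append(nh)
        nh, off = pkt[off], off + hlen          # Next Header is byte 0 of every ext header
    info["proto"], info["l4_offset"] = nh, off
    if nh in (IPV4_IN_IPV6, IPV6_IN_IPV6):
        info["tunneled"] = "IPv4-in-IPv6" if nh == IPV4_IN_IPV6 else "IPv6-in-IPv6"
    return info


def filter_visibility(info: dict) -> str:
    """What an application-aware filter must do before it can apply L4-7 rules."""
    if info["tunneled"]:
        return "tunneled: decapsulate and filter the inner packet"
    if info["proto"] == ESP:
        return "encrypted: upper layer hidden unless this device decrypts"
    if info["fragmented"] and not info["first_fragment"]:
        return "non-initial fragment: reassemble before applying L4-7 rules"
    if info["proto"] in (TCP, UDP, ICMPV6):
        return "upper layer visible: apply L4-7 rules at l4_offset"
    return "unknown upper layer %d: default deny" % info["proto"]


def ipv6_hdr(nh: int, payload_len: int,
             src: str = "2001:db8::1", dst: str = "2001:db8::2") -> bytes:
    """Build a fixed 40-byte IPv6 header (constructed test data)."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, nh, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


# Constructed sample packets (documentation addresses, no real traffic).
UDP_HDR = struct.pack("!HHHH", 5060, 5060, 8, 0)          # empty datagram on the SIP port
PLAIN_UDP = ipv6_hdr(UDP, 8) + UDP_HDR
# Fragment header with offset 1 (8 bytes) and M=0: the UDP header is in another fragment.
LATE_FRAG = ipv6_hdr(FRAGMENT, 16) + struct.pack("!BBHI", UDP, 0, 1 << 3, 0x1234) + b"\x00" * 8
# Hop-by-Hop header (one PadN option) followed by an IPv4 packet carried inside IPv6.
HBH = struct.pack("!BB", IPV4_IN_IPV6, 0) + b"\x01\x04\x00\x00\x00\x00"
TUNNEL = ipv6_hdr(HOP_BY_HOP, 8 + 20) + HBH + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    for name, pkt in (("plain UDP", PLAIN_UDP), ("late fragment", LATE_FRAG), ("tunnel", TUNNEL)):
        info = walk_ipv6(pkt)
        print(f"{name:14} ext={info['ext']} proto={info['proto']} -> {filter_visibility(info)}")
```

The walker deliberately stops at ESP, because nothing beyond it is readable without the session key; a non-initial fragment and a tunneled packet likewise give the filter no transport header to match until it reassembles or decapsulates. That extra work is exactly why such packets cost a firewall more than a plain datagram and why they must be part of any performance test mix.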

High Availability and Performance of IPv6-Capable Firewall Appliances
 
The IPv6 firewall test scenarios used in some of the latest public test events were generally aimed at testing and demonstrating basic firewall capability to handle Access Control Lists and IPv6 operation for data and Voice applications (SIP). Firewall performance measurement is generally more complex and context-dependent than functional testing. Functional testing verifies that a firewall is capable of processing IPv6 traffic; however, more sophisticated performance testing is required to ensure that the operation of a firewall device will be maintained in a realistic network scenario. In the case of Voice over IPv4/v6, basic firewall performance metrics include: Concurrent Call Capacity, Call Connection Latency, and Call Setup, Teardown and Completed Call Rates.
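The VoIP firewall behaviour described in the list above (opening and closing ports only for the duration of a call) and the call metrics named here can be tied together in a small model. The Python below is an added example, not code from the article or from NetworkTester: a toy SIP-aware tracker that opens RTP pinholes only for the endpoints negotiated in SDP, only once the 200 OK answering the INVITE has been seen, closes them on BYE, and then derives concurrent calls, completed calls and average call setup latency from what it tracked. The SIP messages, addresses (RFC 3849 documentation prefix) and Call-IDs are all constructed for the example.

```python
import re
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Media = Tuple[ipaddress.IPv6Address, int]   # (RTP address, RTP port) taken from SDP


@dataclass
class Call:
    call_id: str
    invite_at: float                         # when the INVITE crossed the firewall
    media: Dict[str, Media] = field(default_factory=dict)   # "caller"/"callee" -> endpoint
    connected_at: Optional[float] = None     # when the 200 OK answering the INVITE was seen
    ended_at: Optional[float] = None         # when the BYE was seen


class SipPinholeTracker:
    """Toy SIP-aware firewall: RTP passes only to endpoints negotiated in SDP,
    and only between the 200 OK that answers the INVITE and the BYE."""

    def __init__(self) -> None:
        self.calls: Dict[str, Call] = {}
        self.pinholes: Dict[Media, str] = {}   # open RTP endpoint -> owning Call-ID

    @staticmethod
    def parse(msg: str):
        """Split a SIP message into start line, lower-cased header dict and SDP endpoint."""
        head, _, body = msg.partition("\r\n\r\n")
        lines = head.split("\r\n")
        headers = {}
        for ln in lines[1:]:
            k, _, v = ln.partition(":")
            headers[k.strip().lower()] = v.strip()
        c = re.search(r"^c=IN IP6 (\S+)", body, re.M)
        m = re.search(r"^m=audio (\d+) ", body, re.M)
        media = (ipaddress.IPv6Address(c.group(1)), int(m.group(1))) if c and m else None
        return lines[0], headers, media

    def process(self, t: float, msg: str) -> bool:
        """Apply one signalling message seen at time t; False means drop it."""
        start, hdr, media = self.parse(msg)
        cid = hdr.get("call-id")
        if cid is None:
            return False
        cseq_method = hdr.get("cseq", "0 NONE").split()[-1]
        if start.startswith("INVITE "):
            call = self.calls.setdefault(cid, Call(cid, t))
            if media:
                call.media["caller"] = media
        elif start.startswith("SIP/2.0 200") and cseq_method == "INVITE":
            call = self.calls.get(cid)
            if call is None:
                return False                    # answer with no matching offer: drop
            if media:
                call.media["callee"] = media
            if len(call.media) == 2 and call.connected_at is None:
                call.connected_at = t
                for ep in call.media.values():
                    self.pinholes[ep] = cid     # open RTP pinholes for both parties
        elif start.startswith("BYE "):
            call = self.calls.get(cid)
            if call is None:
                return False
            call.ended_at = t
            for ep in call.media.values():
                if self.pinholes.get(ep) == cid:
                    del self.pinholes[ep]       # close pinholes as soon as the call ends
        return True

    def allow_media(self, addr: str, port: int) -> bool:
        """Would an RTP packet to this endpoint pass right now?"""
        return (ipaddress.IPv6Address(addr), port) in self.pinholes


def metrics(fw: SipPinholeTracker) -> dict:
    """Concurrent calls, completed calls and average call setup latency."""
    connected = [c for c in fw.calls.values() if c.connected_at is not None]
    latencies = [c.connected_at - c.invite_at for c in connected]
    return {"concurrent_calls": sum(1 for c in connected if c.ended_at is None),
            "completed_calls": sum(1 for c in connected if c.ended_at is not None),
            "avg_setup_latency_s": sum(latencies) / len(latencies) if latencies else 0.0}


# Constructed SIP messages (documentation addresses; Call-IDs are placeholders).
def invite(cid: str, port: int) -> str:
    return ("INVITE sip:bob@[2001:db8::20] SIP/2.0\r\n"
            f"Call-ID: {cid}\r\nCSeq: 1 INVITE\r\n\r\n"
            f"v=0\r\nc=IN IP6 2001:db8::10\r\nm=audio {port} RTP/AVP 0\r\n")

def ok(cid: str, port: int) -> str:
    return (f"SIP/2.0 200 OK\r\nCall-ID: {cid}\r\nCSeq: 1 INVITE\r\n\r\n"
            f"v=0\r\nc=IN IP6 2001:db8::20\r\nm=audio {port} RTP/AVP 0\r\n")

def bye(cid: str) -> str:
    return f"BYE sip:alice@[2001:db8::10] SIP/2.0\r\nCall-ID: {cid}\r\nCSeq: 2 BYE\r\n\r\n"
```

Feed `process()` the signalling messages in time order (an INVITE, the 200 OK that answers it, later a BYE) and query `allow_media()` for the negotiated RTP endpoints in between; `metrics()` then yields the three numbers the article names. Two design points matter for a real device: a 200 OK with no matching INVITE is dropped rather than trusted, so a forged answer cannot open a pinhole, and the pinhole is removed the instant the BYE passes, which is the "open only for the duration of the call" requirement made literal.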
 
Some factors that will impact firewall performance include the number of filter rules used; whether stateful packet inspection (SPI), NAT, port forwarding, virtual firewalling or application-layer filtering has been enabled; and the performance degradation caused by high-bandwidth DoS attacks (again, with added complexity in dual-stack IPv4/IPv6 environments). It is vital for network operators and service providers to independently test firewall performance using a blend of real (stateful) L4-7 application traffic according to their own expected firewall configurations and anticipated mixes of users and services.
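To make the dual-stack rule-set and state-table points concrete, here is an added Python example (not from the article or any vendor product) of a first-match ACL with one stateful flow table shared by IPv4 and IPv6. It folds IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, which dual-stack sockets present for IPv4 peers) back to IPv4 before matching, so an IPv4 rule cannot be sidestepped by presenting the same host through the IPv6 stack, and it shows that a telnet rule written only for IPv4 says nothing about native IPv6 telnet. The policy, prefixes and packets are constructed from RFC 5737 and RFC 3849 documentation addresses; the class and function names are the example's own.

```python
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def normalize(addr: str) -> IPAddr:
    """Canonical form so one rule set covers both stacks: an IPv4-mapped IPv6
    address (::ffff:a.b.c.d) is folded back to the IPv4 address it names,
    so the IPv4 rules still apply to it."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


class Rule:
    """One ACL entry: action, source/destination prefix, protocol, destination port."""

    def __init__(self, action: str, src: str, dst: str, proto: str, dport: Optional[int]):
        self.action, self.proto, self.dport = action, proto, dport
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def matches(self, pkt: dict) -> bool:
        # `in` against a network of the other address family is simply False,
        # so IPv4 and IPv6 rules can share one ordered list.
        return (pkt["src"] in self.src and pkt["dst"] in self.dst
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))


class DualStackFirewall:
    """First-match ACL with a flow table shared by IPv4 and IPv6 (SPI)."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()      # established flows: (proto, src, sport, dst, dport)

    def filter(self, raw: dict) -> str:
        pkt = dict(raw, src=normalize(raw["src"]), dst=normalize(raw["dst"]))
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.flows or rev in self.flows:
            return "allow (established)"    # return traffic needs no rule of its own
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.flows.add(fwd)     # remember the flow for its replies
                return rule.action
        return "deny"                       # default deny when nothing matched


# Constructed policy: telnet only from the IPv4 management net to one host,
# HTTP to the IPv6 server prefix from anywhere, nothing else.
POLICY = [
    Rule("allow", "203.0.113.0/24", "198.51.100.10/32", "tcp", 23),
    Rule("allow", "::/0", "2001:db8:1::/64", "tcp", 80),
]


def packet(src, sport, dst, dport, proto="tcp") -> dict:
    """Constructed packet summary (only the fields the ACL looks at)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


if __name__ == "__main__":
    fw = DualStackFirewall(POLICY)
    print(fw.filter(packet("203.0.113.5", 40000, "198.51.100.10", 23)))                 # allow
    print(fw.filter(packet("198.51.100.10", 23, "203.0.113.5", 40000)))                 # allow (established)
    print(fw.filter(packet("::ffff:203.0.113.5", 40001, "::ffff:198.51.100.10", 23)))   # allow, mapped = IPv4
    print(fw.filter(packet("2001:db8::5", 40002, "2001:db8:1::10", 23)))                # deny, no IPv6 telnet rule
    print(fw.filter(packet("2001:db8::5", 40003, "2001:db8:1::10", 80)))                # allow
    print(fw.filter(packet("2001:db8:1::10", 80, "2001:db8::6", 40004)))                # deny, no matching flow
```

The flow table is keyed on normalized addresses, so a reply to a connection that arrived as IPv4-mapped IPv6 is recognised as established even when the reply is seen as plain IPv4. Every extra rule in `POLICY` is one more comparison per new flow, which is the "number of filter rules" cost the paragraph above refers to; the state table is what lets established traffic skip that cost.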
 
What Can You Do Today?
 
IPv6 and Voice over IPv6 are here to stay, along with hybrid IPv4/IPv6 networks that will be around for a long time. Secure communications are paramount, so start planning and experimenting early, learn about firewall architectures well before deployment, model and emulate your network with a realistic mix of applications and user profiles and validate as many corner cases as you can before deployment. Reach out to your community and exchange information, educate and learn from your customers, suppliers and end users. Talk to your test vendors, and work within the communities of independent test labs. A few good tools designed independently will help, such as Agilent’s NetworkTester!
 
Industry Example:
Moonv6 Phase 3 – First Public Validation of Firewall Performance for IPv6 and Voice over IPv6

At the public Moonv6 phase II testing in March ’04, Agilent’s NetworkTester enabled firewall vendors, for the first time, to demonstrate their solutions were IPv6-ready. At the Moonv6 phase III in Nov ’04, the NetworkTester took the firewall demonstration “up a notch,” by emulating integrated Voice over IPv6 (SIP and H.323) at the same time as application protocols such as HTTP, SMTP, and POP3, allowing users to simulate IPv6-capable hosts and services running hundreds of thousands of real data transactions and Voice over IPv6 calls simultaneously. You can read the full story at http://www.agilent.com/about/newsroom/presrel/2004/15nov2004c.html.
 
Agilent Technologies N4190A NetworkTester and N2X
 
To find out how the Agilent N4190A NetworkTester can help speed up your development of IPv6- and VoIP-capable routers and firewalls, please visit http://www.agilent.com/comms/networktester.