6Sense: Generating New Possibilities in the New Internet.
Produced by: IPv6 Summit, Inc.

IPv6 Is Out There. Is Your Network Ready For It?
By Extreme Networks, Inc.

The transition to IPv6 is well under way with the help of methods that allow the coexistence of IPv6 networks with IPv4 networks. As IPv6 progresses through early adoption, it will be deployed more frequently in large networks worldwide.

Because IPv6 traffic is already present on most networks, new security threats exist whether enterprises and service providers choose to adopt IPv6 in the short-term or wait for critical mass. The challenge is to evaluate the implications of this transitional period and plan accordingly.

Extreme Networks addresses these concerns with a product architecture and network operating system that were built ground-up for IPv6. However, Extreme recognizes that supporting IPv6 is only the first step to a sound implementation. Wire-speed performance, IPv6 security and network integrity have also been anticipated for both native IPv6 and networks in transition from IPv4. A well thought out CLI is in place that integrates IPv4 and IPv6 management. The ExtremeWare® XOS™ modular operating system makes the transitional issues non-network-impacting and provides a solid end-to-end solution for transitioning to IPv6.

New concerns
IPv6 is a reality in many client operating systems. Mac OS, Linux and Windows 2000/XP devices are capable of communicating using IPv6. As with IPv4, these clients can attack the network by spreading worms and viruses. Wire-speed IPv6 ACLs are the first step to protect your network - you will need these in your equipment.

When enabling IPv6, you will not be able to simply block all ICMPv6 packets, a common practice used in IPv4. Critical operations of the IPv6 protocol rely on the availability of ICMPv6. The IP infrastructure protocols need protection as well. Auto-configuration and discovery capabilities, DHCPv6 and ICMPv6, are all potential targets or even vehicles for attacks, as their IPv4 counterparts have been. It is important to have edge infrastructure in place that offers finer ACL granularity through deeper packet inspection, looking at specific protocol fields.

IP Address Security
Leading networking vendors have been adding IP address security features to IPv4 for some time, protecting the infrastructure and services from IP protocol-specific attacks. Some of these features allow the enforcement of DHCP usage, offering protection from hackers hijacking IP addresses, rogue DHCP servers, random source/destination addresses or simple DHCP IP address pool depletion attacks. Gratuitous ARP protection alerts on and prevents man-in-the-middle attacks where the attacker pretends to be part of the infrastructure. IPv6 allows for equivalent attacks. Imagine rogue router advertisements used for man-in-the-middle attacks, or even continuous reconfiguration of client/server addresses based on auto-configuration.
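The field-level ICMPv6 filtering and rogue router advertisement protection described above can be sketched in software. This is an added example, not Extreme Networks code; the policy, the function names and the trusted_router_port flag are assumptions, and the sample packets are constructed.

```python
import struct

ICMPV6 = 58
EXT_HEADERS = {0, 43, 60}            # hop-by-hop, routing, destination options
ERRORS = {1, 2, 3, 4}                # unreachable, Packet Too Big, time exceeded, parameter problem
ECHO = {128, 129}
HOST_ND = {133, 135, 136}            # router solicitation, neighbor solicitation/advertisement
ROUTER_ONLY = {134, 137}             # router advertisement, redirect

def icmpv6_fields(packet):
    """Return (hop_limit, icmp_type), or None if the packet is not unfragmented ICMPv6."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header, hop_limit, offset = packet[6], packet[7], 40
    while next_header in EXT_HEADERS:            # Fragment header (44) is not followed here
        if offset + 8 > len(packet):
            return None
        next_header, length = packet[offset], (packet[offset + 1] + 1) * 8
        offset += length
    if next_header != ICMPV6 or offset >= len(packet):
        return None
    return hop_limit, packet[offset]

def edge_acl(packet, trusted_router_port=False):
    """Illustrative edge policy (an assumption): 'permit', 'deny' or 'not-icmpv6'."""
    fields = icmpv6_fields(packet)
    if fields is None:
        return "not-icmpv6"
    hop_limit, icmp_type = fields
    if icmp_type in HOST_ND | ROUTER_ONLY:
        if hop_limit != 255:                     # ND is link-local only (RFC 4861)
            return "deny"
        if icmp_type in ROUTER_ONLY and not trusted_router_port:
            return "deny"                        # rogue RA / redirect from a host port
        return "permit"
    return "permit" if icmp_type in ERRORS | ECHO else "deny"

def build(icmp_type, hop_limit=255, ext=b""):
    """Constructed sample: IPv6 header, optional extension header, ICMPv6 header."""
    payload = ext + bytes([icmp_type, 0, 0, 0, 0, 0, 0, 0])
    header = struct.pack("!IHBB", 6 << 28, len(payload), 0 if ext else ICMPV6, hop_limit)
    return header + bytes(32) + payload

HOP_BY_HOP = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])   # 8-byte header holding one PadN option
```

Packet Too Big (type 2) stays permitted because IPv6 path MTU discovery depends on it, which is why a blanket ICMPv6 deny breaks connectivity.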

Your network infrastructure must take IP address security to IPv6. Specifically, new address management and new protocol support capabilities are needed. Denial of Service (DoS) protection must be present in your network infrastructure to protect a device's management module from attacks.

Security applications circumvented
Transitional methods applied to IPv6 may prevent some security options that are based on network analysis. This includes network insight gained from leading security appliances such as filtering and logging appliances, firewalls, etc.

Some Ethernet switching equipment comes equipped with network DoS detection, alerting you to attacks such as TCP SYN attacks as packet transport protocols change. Tactics for containing threats in an IPv4 world will have to extend to IPv6.

Early engagement of your network infrastructure and security vendors will ensure experience with and timely delivery of equivalent features for IPv6.

Performance impact
Performance may be impacted as a result of transitional technologies required for IPv6/IPv4 coexistence. Coexistence may require dual stack functionality and encapsulation of IPv6 into IPv4 packets for tunneling across an IPv4 network. Most vendors supporting line-rate forwarding of IPv4 traffic will not maintain this level of performance in an IPv6 environment. Few vendors have anticipated this change with equipment architecture that properly addresses the performance requirements of a transitional phase to IPv6.

Chasing an evolving technology
IPv6 continues to evolve as early implementations flush out security, stability and interoperability issues. Consequently, the path to maturity will come at the expense of frequent changes.

The challenge is to maintain network availability while mitigating risks associated with IPv6 running on the network today. New switching equipment must have the performance to implement transitional technologies, provide security at the edge of the network and yet have the flexibility to adapt to changing standards.

Infrastructure built ground up for IPv6?
The network OS requires a ground-up design to address a dual-stack IPv4/IPv6 environment. Many vendors have chosen to address IPv6 by shoehorning the new protocol into a monolithic architecture that is ill-equipped to address the feature breadth and management requirements of a transitional network. Since networks are typically transitional, the OS must continue to fully support IPv4 features. It must also have the ability to turn off IPv6 completely when required for security purposes.

Network Management is also a challenge. CLI design must be completely integrated for IPv4 and IPv6. Many vendors have resorted to poorly integrated CLIs for IPv6.

A network OS must have the flexibility to adapt to inevitable changes in IPv6 strategy and implementation. This requires a modular and highly available architecture to address the changes with minimal network impact.

Why Extreme Networks?
Not only was Extreme Networks an early pioneer in the development of IPv6, but it was also the first in the industry to provide hardware assisted forwarding and interworking/tunneling in Ethernet core switches. Extreme Networks has leveraged this early success to design next-generation ASICs (4GNSS) and an operating system - ExtremeWare XOS - that are optimized for IPv6 performance and security. This technology mix safely addresses the spread of IPv6 traffic today and enables a gradual transition to IPv6 moving forward.

Flexible Architecture
With Extreme Networks' fourth-generation ASICs (4GNSS), IPv6 has been designed in from the beginning. Layer 2 wire-speed forwarding is available at the edge including protocol-based VLANs and ACLs. Layer 3 fast path processing can be used at the core. An end-to-end fast path solution provides exceptional performance for getting started, setting up IPv6 islands and utilizing transitional methods.

4GNSS is highly flexible, providing network processor-like programmability to support rapidly evolving networks. This built-in programmability with respect to packet inspection, data rewrite and frame handling allows for very short development cycles when compared to lengthy ASIC re-spins.

Next-Generation Operating System
The Extreme Networks next-generation operating system, ExtremeWare XOS, was designed from the ground up for dual-stack performance. Even when operating with IPv4 only, ExtremeWare XOS will harden the network to IPv6 attacks and allow tunneled IPv6 traffic to safely traverse the network.

ExtremeWare XOS simplifies the transition from IPv4 to IPv6 from a network management perspective. IPv6 has been cleanly integrated with the IPv4 CLI for ease of use and adoption.

ExtremeWare XOS serves as an infrastructure for IP address security. As equivalents to ARP and DHCP attacks of IPv4 begin to take shape in IPv6 networks, the OS will allow dynamic loading of modules to address these new threats.

ExtremeWare XOS is built on a powerful POSIX kernel that enables modularity and portable extensions. This flexibility protects individual software processes and allows a seamless, hitless upgrade of individual software modules. Dynamically upgradeable software modules address changes to standards, upgrades to security policies, and inclusion of new functionality. This modular approach delivers a resilient, multi-threaded operating system that increases network uptime and can securely and gracefully evolve alongside IPv6.

 

© 2005 Extreme Networks, Inc. All rights reserved.

Extreme Networks, the Extreme Networks logo, ExtremeWare, and ExtremeWare XOS are either registered trademarks or trademarks of Extreme Networks, Inc. in the United States and/or other countries. Specifications are subject to change without notice.