IPv6 in Distributed Virtual Private Networks (VPNs)
The many benefits of upgrading an organization's network, and specifically its Virtual Private Networks (VPNs), from IPv4 to IPv6 make the costs of the transition recoverable through increased network stability, auto-configuration, security, mobility, quality of service and multicast capability (Cisco 2007). First, in terms of scalability, the IPv6 address space is 128 bits wide, which also gives the organization much greater security (Fink 1999). Second, the security concerns about using DHCP to assign IP addresses under IPv4 today can be alleviated with the stateless address autoconfiguration capability of IPv6 (Lehtovirta 2006).
With many of the systems throughout the company administered remotely using IPSec-based VPNs, the end-to-end security mandated by IPSec in IPv6 also offers the opportunity to move to more secure VPNs.
The increasing use of wireless connections by members of the IT staff to monitor and maintain IT systems will also be possible using Mobile IP with Direct Routing (Cisco 2007). IPv6 also increases support for multicast routing protocols, which could make marketing's many webinars and online initiatives more efficient to deliver.
The most significant consideration in the upgrade from IPv4 to IPv6 is the need to update the many network-based applications in the IT organization. IPv6's backward compatibility options protect the investment in existing networking applications. The intent of this paper is to evaluate the migration to IPv6 for VPNs and remote communications.
Defining Virtual Private Networks and their role in security
While there are many different and at times conflicting definitions of what a Virtual Private Network (VPN) is, there is consensus that its role is to enable the connections of components of one network over another network. These connections from one network to another are accomplished through the use of tunnels, which are secured connections from one computer or network to another. Figure 1 shows an example of both the conceptual and logical equivalents of VPNs based on IPv6 protocols for securing the transit Internetwork.
Figure 1: Comparing the conceptual and logical equivalents of VPNs based on IPv6. Source: (Cisco Tutorial 2007)
VPNs support both IPv4 and IPv6 with VPNs running the SSL protocol being the dominant configuration in use. From the research completed for this analysis, it is clear that IPv4's dominance in IPSec-based VPN configurations was necessary due to shortcomings in security. The emergence of SSL-based VPNs has been augmented by the enhanced security and message lengths possible using the IPv6 protocol.
VPNs by definition rely on the Data Link layer of the OSI Model to provide ATM and Frame Relay connections, in addition to support for Multi-Protocol Label Switching (MPLS) and link-layer encryption (L2TP or PPTP). At the Network Layer, VPNs support the IPSec protocol, in addition to managing address validation and best-path optimization through a network. Configuring these layers of the OSI Model with IPv4-based connections was necessary because security audits showed potential vulnerabilities in networks. The SSL protocol is designed as part of the Transport and Application layers of the OSI Model and shares design objectives with IPv6 in securing ad hoc and infrastructure wireless networks over VPNs.
Comparative Analysis of IPSEC vs. SSL-based VPN
The performance and security differences between IPv4 and IPv6 are influencing the use of IPSec and SSL. The increased field lengths of IPv6 have streamlined the use and maintenance of VPNs built on each protocol (IPSec and SSL), yet have significantly increased the flexibility and security of implementation for the latter. This section compares the protocols by the topologies supported and the security models used for session authentication and confidentiality. The major differences in how Quality of Service (QoS) and Service Level Agreements (SLAs) are managed are also discussed, as are the scalability of each protocol and site-to-site and remote access support from a management perspective. Provisioning and service deployment as part of VPN management, and differences in VPN client support and transparency, are also profiled in the following table. Table 1, Technical Analysis of Differences between IPv4-based IPSec and IPv6-based SSL VPNs, highlights the differences on each of these technical dimensions. The key differences center on scalability and transparency to the user. Scalability of IPv6-based SSL is entirely dependent on the underlying Internet traffic, while IPv4-based IPSec relies on optimized routing of point-to-point connections, including routing algorithms, to maximize speed.
Table 1: Technical Analysis of Differences between IPSec and SSL
(Columns: IPv4-based VPNs using IPSec; IPv6-based VPNs using SSL)

Topology
IPv4-based IPSec: Site-to-site VPN; mainly configured in a hub-and-spoke design
IPv6-based SSL: Remote-access VPN

Security: session authentication
IPv4-based IPSec: Authenticates through a digital certificate or pre-shared key; drops packets that do not conform to the security policy
IPv6-based SSL: Authenticates through the use of digital certificates; drops packets if a fatal alert is received

Security: confidentiality
IPv4-based IPSec: Uses a flexible suite of encryption and tunneling mechanisms at the IP network layer
IPv6-based SSL: Encrypts traffic using the public key infrastructure (PKI)

QoS and SLAs
IPv4-based IPSec: Does not address QoS and SLAs directly, yet IPSec VPNs can be configured to preserve packet classification for QoS within an IPSec tunnel
IPv6-based SSL: Neither QoS nor SLAs apply to SSL deployments; the service provider's network is unaware of SSL traffic or its relative level

Scalability
IPv4-based IPSec: Acceptable scalability in most hub-and-spoke configurations and deployments. Scalability of large, meshed IPSec VPN deployments across a very large number of users (over 10,000); support for key management and peering configuration.
IPv6-based SSL: Entirely dependent on network traffic; SSL is not impacted by the service provider network

Management: site-to-site support

Management: remote access support

Management: provisioning
IPv4-based IPSec: Reduces operational expense through centralized network-level provisioning
IPv6-based SSL: Does not apply; service provider traffic does not see SSL traffic

Management: service deployment
IPv4-based IPSec: Is compatible with other protocols across an existing IP network
IPv6-based SSL: Does not apply; service provider traffic does not see SSL traffic

VPN client
IPv4-based IPSec: Required for client-initiated IPSec VPN deployment
IPv6-based SSL: Relies on a Web browser to complete sessions

Place in network
Local loop, edge and off-net

Transparency
IPv4-based IPSec: Transparent to applications
IPv6-based SSL: Works only with applications coded for SSL

Wireless
IPv4-based IPSec: Not easily accomplished, as this protocol relies on point-to-point connections
IPv6-based SSL: Support for QoS, non-QoS and enterprise-wide connectivity through wireless
Market Comparative Analysis of IPv4-based IPSec vs. IPv6-based SSL VPNs
When both protocols are compared and contrasted by their support of applications, encryption, authentication, overall security, support for users, accessibility, cost, complexity, ease of use and scalability, which are the most critical concerns for IT departments implementing VPNs, several key insights emerge. Table 2, Comparing IT Management Key Concerns by Protocol, highlights these major differences. First, it is clear that despite the relatively high price of IPv6-based SSL relative to IPv4-based IPSec VPNs, the ease of use it delivers is considered worth the investment by many organizations. Additionally, the following factors support the continued use of IPv4 with the IPSec protocol:
Regulatory compliance with HIPAA and SOX forces the retention and enhancement of this integration standard. The IPSec protocol is used specifically in those configurations that require a high level of auditing and tracking of financial transactions, precisely aligning with the point-to-point integration approach this security standard enforces.
Integration and compatibility with legacy applications, specifically those with a heavy reliance on TCP/IP commands for system management, file management and user management. These commands include ftp, lpr, ping, telnet and other TCP/IP commands used for managing systems.
Enhanced security levels, including authentication of remote-access command sequences on demand, primarily due to the point-to-point security that IPSec has as part of its inherent architecture.
Advancements in transport-level definition and optimization in IPv4-dominated IPSec VPNs. Route and point-to-point optimization provide a higher level of system control than is possible in purely random-based approaches to gaining access to servers for authentication of traffic.
Wide-Area Network (WAN) integration across Frame Relay and ATM architectures.
Table 2: Comparing IT Management Key Concerns by Protocol
(Columns: IPv6-based SSL VPNs; IPv4-based IPSec VPNs)

Applications
IPv6-based SSL VPNs: Web-enabled applications, including file sharing and e-mail
IPv4-based IPSec VPNs: All IP-based services

Encryption
IPv6-based SSL VPNs: Strong but variable; highly dependent on the encryption levels supported in the browser
IPv4-based IPSec VPNs: Strong and consistent; often tied to a specific implementation and implemented for a specific network type

Authentication
IPv6-based SSL VPNs: Configurable and variable by design; supports either one- or two-way authentication using tokens or digital certificates
IPv4-based IPSec VPNs: The stronger of the two protocols' authentication approaches, using tokens and digital certificates to manage security functions

Overall security
IPv6-based SSL VPNs: Moderate; any device can be used for creating holes in the network
IPv4-based IPSec VPNs: Strong; tied to specific devices and implementations, including web servers

Users
IPv6-based SSL VPNs: Sales, Marketing, Executives, Customers and Partners
IPv4-based IPSec VPNs: Human Resources, Finance, IT Staff, Engineering, Operations

Accessibility
IPv6-based SSL VPNs: Casual access to broadly distributed databases is commonplace
IPv4-based IPSec VPNs: Formal access with well-defined and controlled user base authentication

Cost
IPv6-based SSL VPNs: High fixed cost implementations and low variable costs
IPv4-based IPSec VPNs: Moderate fixed costs and high variable costs, as client software is required

Complexity
IPv6-based SSL VPNs: Moderate levels
IPv4-based IPSec VPNs: High levels

Ease of use
IPv6-based SSL VPNs: Very high; SSL integrates directly with Web browsers
IPv4-based IPSec VPNs: Moderate; requires users to launch and get the application connected

Scalability
IPv6-based SSL VPNs: High; the SSL protocol can be easily deployed once tight levels of integration are in place
IPv4-based IPSec VPNs: Very high; IPSec works at the protocol level, independent of applications, therefore scalability is best-in-class
Comparing the technological and operational benefits, specifically in the areas of client access options, access control, client-side security, installation and client configuration, highlights just how differentiated the IPv4-based IPSec and IPv6-based SSL protocols are from each other. To analyze these differences, Table 3: Comparing Technological and Operational Benefits of IPv6-based SSL and IPv4-based IPSec VPNs, was created. Starting with client access options, IPv6-based SSL can support a clientless interface through the browser at longer address lengths, a semi-clientless interface through Java and ActiveX clients developed in AJAX, and also a full client configuration. This flexibility in the use of the IPv6-based SSL protocol is leading to significantly higher levels of adoption overall. IPv4-based IPSec has a single client access option that needs to be pre-installed on every system. Requiring a full client software application translates into higher levels of IT maintenance, yet at the same time greater flexibility in creating highly customized security parameters.
Another significant technological difference between IPv6 and IPv4, specifically from an IT standpoint, is the client-side security integration possible using IPv4 versus IPv6. The fact that IPv6 can integrate with a variety of web-based applications and provide security and authentication through the use of digital certificates has led to its adoption in many areas it was not initially designed for. In effect, the breadth of integration options for IPv6-based SSL VPNs is creating entirely new classes of users. Another factor that leads IT departments to favor IPv6-based SSL over IPv4-based IPSec is the support for auto-updates through configuration, and the fact that very little IT support is required to keep a secured IPv6-based SSL network up and running from the client side. Conversely, a significant level of IT administration and support is often required for IPSec-based configurations.
Table 3: Comparing Technological and Operational Benefits of SSL and IPSec VPNs
(Columns: Category; IPv6-based SSL VPNs; IPv4-based IPSec VPNs)

Technological benefits

Client access options
IPv6-based SSL VPNs: Three options: clientless (browser); semi-clientless (auto-downloadable Java or ActiveX agent); full client (statically installed)
IPv4-based IPSec VPNs: One option: full client (statically installed) for network-level connection

Access control
IPv6-based SSL VPNs: Very granular; per user and per application
IPv4-based IPSec VPNs: Very little granularity; typically permit or deny

Client-side security
IPv6-based SSL VPNs: Tight integration with a wide variety of client types
IPv4-based IPSec VPNs: Tight integration with only PCs

Operational benefits

Installation
IPv6-based SSL VPNs: Often does not require installation
IPv4-based IPSec VPNs: Requires installation on every client machine

Client configuration
IPv6-based SSL VPNs: Native ability to auto-update
IPv4-based IPSec VPNs: Requires third-party software to facilitate auto-updates
In evaluating the differences between IPv4 and IPv6 it is valuable to consider the various user segments and how they use these protocols for their specific needs and requirements. Employees who travel the majority of the time, often working with customers in sales and sales support roles, are commonly called road warriors and have significantly different needs than IT administrators and field engineers. Table 4: Comparing the Use of IPv4 versus IPv6 VPNs by Type of User, presents an analysis of the needs of road warriors, channel partners and executives, as well as field engineers and IT administrators, covering the typical applications used, remote access frequency and the selection of IPv4 versus IPv6.
Power users are those types of users who require VPNs over 70% of the time to do their jobs.
Table 4: Comparing the Use of IPv6 versus IPv4 VPNs by Type of User
(Columns: Type of user; Power user? (meaning using VPNs 70% or more of the time on their jobs); Typical applications; Relative number of employees; Remote access frequency; IPv4 or IPv6; Comments)

Road warriors
Typical applications: E-mail and front-office suites, including CRM and ERP applications and order management
Relative number of employees: Many
Remote access frequency: Very often (over 80% of the time)
IPv4 or IPv6: IPv6
Comments: SSL is used extensively in this area as it negates firewall traversal; works well from locations that may block IPSec sessions and queries from clients (hotels, convention centers)

Partners
Typical applications: Extranet portals; ERP and supply chain applications; pricing and order status access
Relative number of employees: Many
IPv4 or IPv6: IPv6; previous-generation applications support IPv4 through legacy applications
Comments: IPSec legacy systems required partners to get a login and password, which was administratively difficult to complete; SSL is easier to administer and has strong integration with portals

Executives
Typical applications: E-mail and front-office suites of applications; multimedia
Relative number of employees: Very few
IPv4 or IPv6: IPv6
Comments: Ease of configuration and use; SSL typically has a less intrusive interface

Field engineers
Typical applications: CAD/CAM and engineering applications; inventory and ERP queries only sporadically
Relative number of employees: Few
Remote access frequency: Not often
IPv4 or IPv6: IPv4 (IPv6 becoming more used in this area)
Comments: Bandwidth-intensive applications work best at Layer 3 of the OSI Model. IPSec is also backward compatible with many other legacy field applications

IT administrators
Typical applications: Diagnostics and monitoring through the use of VPNs; extensive use of Telnet sessions to administer systems remotely; database access and queries
Relative number of employees: Very few
Remote access frequency: Not often
IPv4 or IPv6: IPv4 (IPv6 is slowly making inroads into this area)
Comments: IPv4 running the IPSec VPN protocol is favored by this class of user due to its integration and extension to LANs and more network administration applications; IPv6 running SSL is optimal for configuring IT management portals
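Table 4's comment that SSL "negates firewall traversal" while IPSec sessions are blocked at hotels and convention centers, and Table 1's point that the service provider's network does not see SSL traffic, both come down to what an egress firewall can observe. As an added example (not the paper's and not any vendor's code), the following Python classifies egress flows from a constructed key=value firewall log by VPN technology (IPSec IKE, NAT-T, ESP and AH, L2TP, PPTP, SSL/TLS) and reports which technologies a web-only egress policy would block; the log lines, policy and function names are all assumptions made for the example, and ESP, AH and GRE carry no port numbers, which the parser handles.

```python
"""VPN flow classification over firewall logs.

Added example, not from the paper: classifies egress flows by VPN technology
(IPSec IKE/NAT-T/ESP/AH, L2TP, PPTP, SSL/TLS) and reports which of them a
restrictive web-only egress policy, such as a hotel network's, would block.
Log lines and policy are constructed for the example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample key=value firewall log (documentation addresses, not real traffic).
SAMPLE_LOGS = """\
ts=2024-05-01T09:00:01Z src=192.0.2.10 dst=203.0.113.5 proto=udp sport=500 dport=500 action=allow
ts=2024-05-01T09:00:02Z src=192.0.2.10 dst=203.0.113.5 proto=udp sport=4500 dport=4500 action=allow
ts=2024-05-01T09:00:03Z src=192.0.2.10 dst=203.0.113.5 proto=50 action=allow
ts=2024-05-01T09:00:04Z src=192.0.2.11 dst=203.0.113.9 proto=tcp sport=51022 dport=443 action=allow
ts=2024-05-01T09:00:05Z src=192.0.2.12 dst=203.0.113.7 proto=udp sport=1701 dport=1701 action=allow
ts=2024-05-01T09:00:06Z src=192.0.2.13 dst=198.51.100.4 proto=tcp sport=51024 dport=80 action=allow
"""

# Assumed "hotel" egress policy: only web traffic is allowed out.
WEB_ONLY_POLICY: Set[Tuple[str, Optional[int]]] = {("tcp", 80), ("tcp", 443)}

# IANA protocol numbers a log may use instead of names.
PROTO_NAMES = {"6": "tcp", "17": "udp", "47": "gre", "50": "esp", "51": "ah"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, object]:
    """Parse one key=value log line; ESP/AH/GRE lines carry no ports, so dport may be None."""
    fields = dict(FIELD_RE.findall(line))
    proto = fields.get("proto", "").lower()
    proto = PROTO_NAMES.get(proto, proto)
    dport = int(fields["dport"]) if "dport" in fields else None
    return {"src": fields.get("src"), "dst": fields.get("dst"), "proto": proto, "dport": dport}


def classify(flow: Dict[str, object]) -> str:
    """Map a flow to the VPN technology its protocol/port signature indicates."""
    proto, dport = flow["proto"], flow["dport"]
    if proto == "esp":
        return "IPSec ESP"
    if proto == "ah":
        return "IPSec AH"
    if proto == "gre":
        return "PPTP (GRE)"
    if proto == "udp" and dport == 500:
        return "IPSec IKE"
    if proto == "udp" and dport == 4500:
        return "IPSec NAT-T"
    if proto == "udp" and dport == 1701:
        return "L2TP"
    if proto == "tcp" and dport == 1723:
        return "PPTP control"
    if proto == "tcp" and dport == 443:
        # Indistinguishable from ordinary HTTPS at this level, which is exactly
        # why SSL VPNs pass through web-only egress policies.
        return "SSL/TLS (SSL VPN or HTTPS)"
    return "other"


def passes_policy(flow: Dict[str, object], allowed: Set[Tuple[str, Optional[int]]]) -> bool:
    """True if an allow-list egress policy keyed on (proto, dport) would pass the flow."""
    return (flow["proto"], flow["dport"]) in allowed


def summarize(log_text: str, allowed: Set[Tuple[str, Optional[int]]]) -> Tuple[Counter, List[str]]:
    """Count flows per technology and list the technologies the policy would block."""
    flows = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    counts = Counter(classify(f) for f in flows)
    blocked = sorted({classify(f) for f in flows if not passes_policy(f, allowed)})
    return counts, blocked


if __name__ == "__main__":
    counts, blocked = summarize(SAMPLE_LOGS, WEB_ONLY_POLICY)
    for tech, n in counts.most_common():
        print(f"{n:3d}  {tech}")
    print("blocked by web-only egress policy:", ", ".join(blocked))
```

Run against the constructed log, every IPSec component (IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50) and L2TP are blocked by the web-only policy, while the TCP 443 session passes because the firewall cannot tell an SSL VPN from a web page. For a defender the same classifier, pointed at real egress logs, gives an inventory of which VPN technologies are actually in use and therefore which ones an egress policy change would break.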
Another useful analytical approach to evaluating the differences between IPv4-dominated IPSec and the growing IPv6-based SSL VPNs is to examine how actual companies use each protocol today and, in the case of the industries shown in Table 5, how they integrate the two protocols to ensure the highest levels of security for their specific needs. Financial services firms, the Royal Bank of Canada for example, use account validation for their commercial accounts. Financial services is one of the key industries that continues to use a combined approach to security over VPNs, selectively using IPv4 and IPv6 depending on the specific business process requirement, and is thus another industry taking a hybrid approach to managing security across its VPNs. At Deloitte, extensive use of IPv6 for managing commercial transactions is commonplace; this consulting firm relies on IPv6-based SSL VPN sessions to enable its consultants and partners, who spend the majority of their time traveling and working on clients' sites. In the public sector there is a critical need to ensure a high level of confidentiality and security in posting and managing tickets, letters of compliance and the tracking of enforcement strategies. Industries that require a hybrid approach to managing security include healthcare, where HIPAA reporting requirements make it critical to have IPv4 running IPSec-based VPN sessions, while outbound sales and service personnel need the convenience and security of IPv6 over SSL.