IPv6 in Distributed Virtual Private Networks (VPNs)

The many benefits of upgrading an organization's network, specifically its Virtual Private Networks (VPNs), from IPv4 to IPv6 make the costs associated with the transition recoverable from increased network stability, auto-configuration, security, mobility, and increased quality-of-service and multicast capability (Cisco 2007). First, in terms of scalability, the address range for IPv6-based networks is 128 bits, giving the organization much greater security as well (Fink, 1999).
Second, the security concerns regarding using DHCP to assign IP addresses using IPv4 today can be alleviated with the stateless reconfiguration capability of IPv6 (Lehtovirta, J 2006). With many of the systems throughout the company administered remotely using IPSec-based VPNs, the move to IPv6, with its IPSec-mandated end-to-end security, is also an opportunity to adopt more secure VPNs.
The increasing use of wireless connections by members of the IT staff to monitor and maintain IT systems will also now be possible using Mobile IP with Direct Routing (Cisco 2007). IPv6 also increases support for protocols designed specifically for multicast routing, which could make marketing's many webinars and online initiatives more efficiently delivered. Most significantly, the upgrade from IPv4 to IPv6 also creates the need to update the many network-based applications in the IT organization.
The use of IPv6's backward compatibility options also protects the investments in existing networking applications. The intent of this paper is to evaluate the migration to IPv6 for VPNs and remote communications.

Defining Virtual Private Networks and their role in security

While there are many different and at times conflicting definitions of what a Virtual Private Network (VPN) is, there is consensus that its role is to enable the connections of components of one network over another network.
These connections from one network to another are accomplished through the use of tunnels, which are secured connections from one computer or network to another. Figure 1 shows an example of both the conceptual and logical equivalents of VPNs based on IPv6 protocols for securing the transit Internetwork.

Figure 1: Comparing the conceptual and logical equivalents of VPNs based on IPv6. Source: (Cisco Tutorial 2007)

VPNs support both IPv4 and IPv6, with VPNs running the SSL protocol being the dominant configuration in use.
From the research completed for this analysis, it is clear that IPv4's dominance in IPSec-based VPN configurations was necessary due to shortcomings in security. The emergence of SSL-based VPNs has been augmented by the enhanced security and message lengths possible using the IPv6 protocol. VPNs by definition rely on the Data Link layer of the OSI Model to provide ATM and Frame Relay connections, in addition to support for Multi-Protocol Label Switching (MPLS) and Link-Layer Encryption (L2TP or PPTP).
On the Network Layer, VPNs support the IPSec protocol, in addition to managing address validation and best path optimization through a network. This approach to configuring these layers of the OSI Model with IPv4-based connections was necessary due to security audits showing potential vulnerabilities in networks. The SSL protocol is designed as part of the Transport and Application layers of the OSI Model and shares design objectives with IPv6 in securing ad hoc and infrastructure wireless networks over VPNs.

Comparative Analysis of IPSEC vs. SSL-based VPN

The performance and security differences between IPv4 and IPv6 are influencing the use of IPSec and SSL. The increased field length size of IPv6 has streamlined the use and maintenance of VPNs built on each of these protocols (IPSec and SSL), yet has significantly increased the flexibility and security of implementation for the latter protocol. This section compares the protocols relative to the topologies supported and the security models used for both session authentication and confidentiality.
In addition, the major differences in how Quality of Service (QoS) and Service Level Agreements (SLAs) are managed are also discussed. The scalability aspects of each protocol are also compared, and both site-to-site and remote access support are included from a management perspective. Provisioning and service deployment as part of VPN management are also included in the following table. Differences in VPN client support and transparency are also profiled.
Table 1, Technical Analysis of Differences between IPv4-based IPSec and IPv6-based SSL VPNs, highlights the differences on each of these technical dimensions. The key differences center on scalability and transparency to the user. Scalability of IPv6-based SSL is entirely dependent on the underlying Internet traffic, while IPv4-based IPSec uses optimized routing of point-to-point connections, including the use of algorithms, to maximize speed.
Table 1: Technical Analysis of Differences between IPSec and SSL

| | IPv4-based VPNs using IPSec | IPv6-based VPNs using SSL |
|---|---|---|
| Topology | Site-to-site VPN; mainly configured in a hub-and-spoke design | Remote-access VPN |
| Security | | |
| Session authentication | Authenticates through digital certificate or preshared key; drops packets that do not conform to the security policy | Authenticates through the use of digital certificates; drops packets if a fatal alert is received |
| Confidentiality | Uses a flexible suite of encryption and tunneling mechanisms at the IP network layer | Encrypts traffic using the public key infrastructure (PKI) |
| QoS and SLAs | Does not address QoS and SLAs directly; yet the IPSec VPNs can be configured to preserve packet classification for QoS within an IPSec tunnel | Both QoS and SLAs do not apply to SSL deployments; the service provider's network traffic is unaware of SSL traffic or its relative level |
| Scalability | Acceptable scalability in most hub-and-spoke configurations and deployments. Scalability for IPSec-based networks when there are large, meshed IPSec VPN deployments across a very large number of users (over 10,000); support for key management and peering configuration. | Entirely dependent on network traffic; SSL is not impacted by service provider network |
| Management | Site-to-site support | Remote access support |
| Provisioning | Reduces operational expense through a centralized network-level provisioning | Does not apply; service provider traffic does not see SSL traffic |
| Service Deployment | Is a protocol compatible with other ones located through an existing IP network | Does not apply; service provider traffic does not see SSL traffic |
| VPN Client | Is required for client-initiated IPSec VPN deployment | Relies on a Web browser to complete sessions |
| Place in network | Local loop, edge and off-net | |
| Transparency | Transparency to applications | Works only with applications coded for SSL |
| Wireless | Not easily accomplished as this protocol relies on point-to-point connections | Support for QoS, non-QoS and enterprise-wide connectivity through wireless |

Market Comparative Analysis of IPv4-based IPSec vs. IPv6-based SSL VPNs

When both protocols are compared and contrasted by their support of applications, encryption, authentication, overall security, support for users, accessibility, costs, complexity, ease of use, and scalability, which are the most critical concerns for IT departments implementing VPNs, several key insights emerge. Table 2, Comparing IT Management Key Concerns by Protocol, highlights these major differences. First, it's clear that despite the relatively high price of IPv6-based SSL relative to IPv4-based IPSec VPNs, the ease of use it delivers is considered worth the investment by many organizations.
Additionally, the following factors also emerge supporting the continued use of IPv4 on the IPSec protocol:
- Regulatory compliance to HIPAA and SOX forces the sustaining and enhancement of this integration standard. The IPSec protocol is used specifically in those configurations that require a high level of auditing and tracking of financial transactions, precisely aligning to the point-to-point integration approach this security standard enforces.
- Integration and compatibility with legacy applications, specifically those with a heavy reliance on the TCP/IP commands for system management, file management and user management. These commands include ftp, lpr, ping, telnet and other TCP/IP commands used for managing systems.
- Enhanced security levels, including authentication on remote-access demand command sequences, primarily due to the point-to-point security protocol that IPSec has as part of its inherent architecture.
- Advancements in the IPv4-dominated IPSec VPNs at the transport level definition and optimization. Route and point-to-point optimization provide a higher level of system control than is possible in purely random-based approaches to gaining access to servers for authentication of traffic.
- Wide-Area Network (WAN) integration across Frame Relay and ATM architectures.
Table 2: Comparing IT Management Key Concerns by Protocol

| | IPv6-based SSL VPNs | IPv4-based IPSec VPNs |
|---|---|---|
| Applications | Web-enabled applications, including file sharing and e-mail | All IP-based services |
| Encryption | Strong but variable - highly dependent on the encryption levels supported in the browser | Strong and consistent - often tied to a specific implementation and implemented for a specific network type |
| Authentication | Is configurable and variable by design; supports either one- or two-way authentication using tokens or digital certificates | Stronger of the two protocols' authentication approaches using tokens and digital certificates to manage security functions |
| Overall Security | Moderate - any device can be used for creating holes in the network | Strong - tied to specific devices and implementations including web servers |
| Users | Sales, Marketing, Executives, Customers, and Partners | Human Resources, Finance, IT Staff, Engineering, Operations |
| Accessibility | Casual access to broadly distributed databases is commonplace | Formal access with well-defined and controlled user base authentication |
| Cost | High fixed cost implementations and low variable costs | Moderate fixed costs and high variable costs as client software is required |
| Complexity | Moderate Levels | High Levels |
| Ease of Use | Very High - SSL integrates directly with Web Browsers | Moderate - Requires users to launch and get the application connected |
| Scalability | High - the SSL protocol can be easily deployed once tight levels of integration are in place. | Very High - IPSec works at the protocol level, independent of applications, therefore scalability is best-in-class |

Comparing the technological and operational benefits, specifically in the areas of client access options, access control, client-side security, installation, and client configuration, highlights just how differentiated the IPv4-based IPSec and IPv6-based SSL protocols are from each other. Table 3: Comparing Technological and Operational benefits of IPv6-based SSL and IPv4-based IPSec VPNS, was created to analyze these differences.
Starting first with the client access options, IPv6-based SSL can support a clientless interface through its browser at longer address lengths, a semi-clientless configuration through Java and ActiveX clients developed in AJAX, and also a full client configuration. This flexibility in use of the IPv6-based SSL protocol is leading to significantly higher levels of adoption overall. IPv4-based IPSec has a single client access option that needs to be pre-installed on every system.
Requiring a full client software application translates into higher levels of IT maintenance, yet at the same time greater flexibility in creating highly customized security parameters. Another significant technological difference between IPv6 and IPv4, specifically from an IT standpoint, is the client-side security integration possible using IPv4 versus IPv6. The fact that IPv6 can specifically integrate with a variety of web-based applications and provide security and authentication through the use of digital certificates has led to its adoption throughout many areas it wasn't initially designed for.
In effect the breadth of integration options for IPv6-based SSL VPNs is creating entirely new classes of users. Another factor that leads IT departments to favor IPv6-based SSL over IPv4-based IPSec is the support for auto-updates through configuration, and the fact that there is very little IT support required to keep a secured IPv6-based SSL network up and running from the client side. Conversely, there is often a significant level of IT administration and support required for IPSec-based configurations.
Table 3: Comparing Technological and Operational benefits of SSL and IPSec VPNS

| Technological Benefit Category | IPv6-based SSL VPNs | IPv4-based IPSec VPNs |
|---|---|---|
| Client Access Options | Three options: Clientless (browser); Semi-clientless (auto downloadable Java or ActiveX agent); Full Client (statically installed) | One option: full client (statically installed) for network-level connection |
| Access Control | Very granular - per use and per application | Very little granularity - typically permit or deny |
| Client-side security | Tight integration with a wide variety of client types | Tight integration with only PCs |
| Operational Benefit | | |
| Installation | Often doesn't require installation | Requires installation on every client machine |
| Client configuration | Native abilities to auto-update | Requires third-party software to facilitate auto-updates |

In evaluating the differences between IPv4 and IPv6, it's valuable to consider the various user segments and their uses of these protocols for their specific needs and requirements.
Employees who travel the majority of the time, often working with customers in sales and sales support roles, are often called road warriors, and have significantly different needs than IT administrators and field engineers. Table 4: Comparing the Use of IPv4 versus IPv6 VPNs by Type of User, presents an analysis of the needs of road warriors, channel partners and executives, in addition to field engineers and IT administrators, regarding their application requirements, including typical applications used, remote access frequency, and selection of IPv4 versus IPv6.
Power users are those types of users who require VPNs over 70% of the time to do their jobs.
Table 4: Comparing the Use of IPv6 versus IPv4 VPNs by Type of User

| Type of User | Power User? (meaning using VPNs 70% or more of the time on their jobs) | Typical Applications | Relative number of employees | Remote access frequency | IPv4 or IPv6 | Comments |
|---|---|---|---|---|---|---|
| Road Warriors | | E-mail and front-office suites including CRM and ERP applications including order management | Many | Very Often (over 80% of the time) | IPv6 | SSL used extensively in this area as it negates firewall traversal; works well from locations that may block IPSec sessions and queries from clients (hotels, convention centers) |
| Partners | | Extranet portals; ERP and supply chain applications; pricing and order status access | Many | | IPv6; previous generation applications support IPv4 through legacy applications | IPSec legacy systems required partners to get login and password; administratively difficult to complete; SSL easier to administer; strong integration with portals |
| Executives | | E-mail and front office suites of applications; multimedia | Very Few | | IPv6 | Ease of configuration and use; SSL typically has a less intrusive interface. |
| Field engineers | | CAD/CAM and engineering applications; inventory and ERP queries only sporadically | Few | Not Often | IPv4 (IPv6 becoming more used in this area) | Bandwidth-intensive applications work best in Level 3 operation (OSI Model). IPSec also is backward compatible with many other legacy field applications |
| IT Administrators | | Diagnostic and monitoring through the use of VPNS; extensive use of Telnet sessions to administer systems remotely; database access and queries | Very Few | Not Often | IPv4 (IPv6 is slowly making inroads into this area) | IPv4 running the IPSec VPN protocol is favored by this class of user due to the integration and extension to LANs and more network administration applications; IPv6 running SSL is optimum for configuring IT management portals |

Another useful analytical approach to evaluating the differences between IPv4-dominated IPSec and the growth of IPv6-based SSL VPNs is in evaluating how actual companies today are using each protocol, and in the case of the industries shown in Table 5, how they are integrating these protocols together to ensure the highest levels of security by their specific need areas.
For financial services firms for example, including the Royal Bank of Canada, the use of account validation for their commercial accounts. Financial Services is one of the key industries that continue using a combined approach to security over VPNs, selectively using IPv4 and IPv6 depending on the specific business process requirement. Financial Services is also another industry that is taking a hybrid-based approach to managing security across their VPNs. In the case of Deloitte, the extensive use of IPv6 for managing commercial transactions is commonplace.
This consulting firm relies on the use of IPv6-based SSL VPN sessions for enabling their consultants and partners who spend the majority of their time traveling, and working on clients' sites. In the public sector there is the critical need for ensuring a high level of confidentiality and security in posting and managing tickets, letters of compliance, and the tracking of enforcement strategies.
Industries that require a hybrid approach to managing security include healthcare, where HIPAA reporting requirements make it critical to have IPv4 running IPSec-based VPN sessions, while outbound sales and service personnel need the convenience and security of IPv6 over SSL.

Business Drivers: Remote access to non-staff agents; accommodate flexible work assignments; cost savings in reducing number of allocated laptops; remote access from client locations; enhancing field agent productivity by providing cost-effective remote access over broadband and dial-up; access to non-Web-based terminal applications; providing Web-based e-mail for all employees, including those without laptops; extranet for suppliers, vendors, and partners.

| Industry | Company | Technology Requirements | Deployment Size | Application Usage |
|---|---|---|---|---|
| Financial Services | Royal Bank of Canada | Endpoint security; application-level firewalling with predefined rules; integrates with IPv4 for account validation | 100 to 1,000 | Moderate; mostly e-mail, Web portal, and terminal services apps |
| Business Services | Deloitte | Firewall friendly; strong client options; managed service; integrates with IPv4 for transactions | 20,000 to 25,000 users | Moderate; mostly e-mail and client/server |
| Public Sector | Arizona Game and Fish | Easy set-up and configuration; broad app support using clientless Web browsers; uploads of tickets and materials via IPv4 | 200 growing to 500 in 2005 | Moderate; mostly terminal services, e-mail, file access, and UNIX emulation |
| Healthcare | Virtua Health | Terminal or "green screen" compatibility; policy for HIPAA compliance; HIPAA compliance uploaded via IPv4 | 8,500 growing to 10,000 | Complex; e-mail; client-server; and legacy mainframe applications |
| Retail and Wholesaler | VF Corporation | Detailed configuration options; strong Lotus Notes compatibility; Internet Information Server-compatible deployment; pricing is updated via IPv4 | 500 growing to 10,000 | Moderate; mostly e-mail and client/server |
| Manufacturing | Large U.S. auto manufacturer | Managed service; scalable for future expansion; extensive use of IPv4 for pricing; financial reporting across divisions | 100 growing to 5,000 | Moderate variety of clientless applications through the extranet. |