Ipsec 4

Added: April 08, 2008
Presentation Transcript

IPv6 and IPsec Deployment Issues: Tomoaki KOBAYAKAWA, NTT Communications Corporation, Nov. 2002


Objective of the presentation:
- To talk about:
  - Existence of IPv6 market
  - Concrete scenarios to deploy IPv6 and IPsec
  - Expectations for IPsec from the IPv6 point of view
- Not a proposal of a solution or protocols
- We need a solution


IPv6 is real already:
- IPv6 deployment status (especially in Japan):
  - Several commercial ISPs have started real IPv6 commercial service to the public.
  - Many electrical vendors have plans to ship home network appliances, such as a “home gateway,” which controls household equipment via the network.
  - Microsoft Windows XP already has an IPv6 stack.
  - Many routers, such as those from Cisco, Juniper and others, already have IPv6 implementations.


Where IPv6 is chosen:
- Many Internet users believe they are satisfied with IPv4
- For the present, most IPv4 users do not switch to IPv6 just for prevalent Internet applications
- Even those users will employ IPv6 for the areas in which IPv6 is the economically valid choice
- Peer-to-peer applications that require global IP addresses
- IPv6 global addresses are abundant (IPv4 global addresses are not, especially in Asia)
- Embedded devices that cannot be configured much
- IPv6 Plug and Play technology makes devices almost configuration-less


Scenario 1: Grand-ma in the country:
- Camera and remote display, the so-called “Grand-ma in the country” application
- Peer-to-peer communication using global IP addresses
- Embedded devices without keyboard
- IPv6 Plug and Play
- Confidentiality and authentication are required
- Grand-ma in the country can see her grand-child on TV (authentication should be provided by ISP)
- IPv6 Network Plug and Play: Buy at shop and just plug it!


Scenario 2: On-line game:
- On-line games without center servers
- Most on-line games need center servers
- On-line games can be center-server-less with the following functions:
  - Global IP addresses for end game machines
  - Authentication and logging for billing controlled by game software providers
- Game machines are directly connected with IPv6 global addresses
- Direct connections are controlled by ISP or software vendors
- IPv6 Network, which enables end-to-end communications + Strong control by software vendor


Scenario 3: Open/lock the door from outside:
- Control small sensors/actuators connected via IPv6 network such as:
  - Scattered sensors
  - Actuators
  - Household appliances
  - Weather observation sensors
- Confidentiality and strong authentication
- Configuration-less (for example, buy 1,000 sensors, then scatter them on your farm without user configuration)
- Check the door-lock status of your house from outside, and lock it if unlocked
- Direct connections are authenticated by ISP
- IPv6 Network + Strong authentication


Another IPv6 employment reasoning:
- IPv6 myth: “IPv6 is secured by IPsec”
- IPsec is IPv4/v6 independent
- Many enterprise users still believe this phrase and have asked us to provide our IPv6 services
- Two options to cope with the myth:
  - Educate users; we lose potential customers…
  - To make the myth true, can we provide ubiquitous encryption for general IPv6 communication?


We hope …:
- (Virtually) zero configuration for end-users
- Security policy should be maintained by an external Trusted Third Party
- Most embedded devices cannot have elaborate security policies
- Credentials should be installed not by end users but by factories
- Ubiquitous encryption without user configuration; if possible, actualize the IPv6 IPsec myth
- Adaptation to “IPv6 Plug and Play” feature
- Automatically generated ephemeral IPv6 addresses should be handled properly
- PKI avoidance
- PKI availability should not be mandated


Conclusion:
- Need a kind of Plug and Play IPsec for IPv6 peer-to-peer applications
- Configuration-less IPsec application to every IPv6 communication
- Optional full-range security features
- Disuse of PKI
- External security policy management
- We hope the architecture will be developed using the core of IKE or its successor
- So, give us, commercial IPv6 players, a solution.