As many of you are aware, this week the Interop tradeshow is taking place in Las Vegas.
Did you know that Cisco is the primary sponsor of the show’s InteropNet? InteropNet is a world-class, fully IPv6-enabled network powering the 15,000-attendee and 400-exhibitor tradeshow complete with dual-stack IPv6 capabilities to all capable endpoints. This is the first-ever show network to be “dual-stack” with IPv4 and IPv6 running side-by-side and it highlights Cisco’s IPv6 leadership. For more info on our IPv6 activities, please click here.
In addition, those of you stopping by the Cisco booth (booth 1127) will notice demos of our latest solutions including the new Cisco ISR Cloud Web Security with Cisco ScanSafe solution announced today. This solution seamlessly extends ScanSafe Cloud Web Security to branch offices and provides scalable, centralized Web protection and malware detection on the Cisco ISR G2 branch router and requires no additional hardware.
With this solution, organizations can easily deploy cloud-based Web security and Web usage policies, enabling highly secure local Internet access for all branch offices and users while saving time, money, and resources associated with traditional hardware deployments. The cloud service delivery model and central user account administration also make Cisco ScanSafe easy to deploy, manage and maintain via remote IT staff.
For more information on this plus the rest of today’s news (including mobility updates), please click here.
What would you say if I told you that one of the most visited websites on the Internet enabled IPv6 connectivity to their site in the course of an afternoon for zero dollars using existing Cisco hardware? How about if I told you that the site was Facebook? Most people would assume I was joking or exaggerating. However, by using LISP, Cisco Certified Internetworking Expert Donn Lee pulled off this seemingly impossible feat and then presented a paper at the North American Network Operators Group (NANOG) about the experience. You can even watch the video here.
What is LISP?
Let’s start by understanding the problem that LISP solves. An IP address serves two distinct functions: it identifies the endpoint host, but it also suggests the location, because the high-order bits identify the network on which the device is located. If you move a device from one subnet to another, the address has to change since the device location changes. The endpoint identification from the previous location gets lost when the device moves, unless some form of tunneling or mobility protocol is employed.
Cisco Locator/ID Separation Protocol (LISP) is a routing architecture that provides new semantics for IP addressing. The current IP routing and addressing architecture uses a single numbering space, the IP address, to express two pieces of information:
The way the device attaches to the network
The LISP routing architecture design separates the device identity, or endpoint identifier (EID), from its location, or routing locator (RLOC), into two different numbering spaces. Splitting EID and RLOC functions yields several advantages.
Check out this video for a quick review of LISP.
Although LISP was designed to deal with the route scalability problem in the Internet, it turns out it has the capability to help with the transition to IP Version 6 (IPv6), the next-generation Internet protocol.
The transition to IPv6 is an immediate challenge facing Public Sector, and specifically Federal customers today due to Government mandates and impending IPv4 address exhaustion for consumers of Government services.
Because IPv6 is not backward compatible with IPv4, and because its deployment and operation are different from that of IPv4, development and implementation of an IPv6 transition strategy is imperative. Many techniques exist to ease the transition to IPv6, and the network-based IPv6 transition techniques can be divided generally into three categories: dual-stack IPv4 and IPv6, IPv6 tunneling, and IPv6 translation.
Each approach has its features, benefits, and limitations; they are not all equivalent in terms of cost, complexity, or capabilities. Most likely, a combination of these techniques will provide the best solution. The role that the Locator/ID Separation Protocol (LISP) being developed by Cisco and the IETF can play in IPv6 transition strategies is documented in this Whitepaper.
Incorporating LISP into an IPv6 transition strategy can simplify the initial rollout of IPv6 by taking advantage of the LISP mechanisms to encapsulate IPv6 host packets within IPv4 headers (or IPv4 host packets within IPv6 headers). For example, you can build IPv6 islands and connect them with existing IPv4 Internet connectivity.
LISP is a Cisco innovation that is being promoted as an open standard. Cisco participates in standards bodies such as the IETF LISP Working Group to develop the LISP architecture.
“Wait a minute,” I hear you say, “Didn’t we already run out of IPv4 addresses?”
Yes, you have a good memory: The IPv4 address pool was exhausted in February 2011. The doomsayers and pundits all bemoaned the gloom and doom of the day, and experts gravely predicted the horrors of things to come. IT publications were filled with articles, Twitter exploded with witty remarks about the coming “ARPAgeddon,” and even the mainstream media ran semi-accurate sensationalist articles on the topic.
But then something funny happened. Nothing. The Internet kept working. IPv4 blocks continued to be handed out. The dust settled and most folks went happily about their business. How could this be so? Was it all a bunch of media hype and false alarms? No. February was really the early warning of the problems to come.
In the previous installment of our series of IPv6 security posts, we covered some of the basic things you need to consider when securing your IPv6 network. In this post, we’ll talk about some of the things to consider when performing security testing on your IPv6 product or network. This testing is useful whether you are developing an IPv6 application or simply deploying IPv6 on your network.
Increased Setup Time
Start with an IPv6 environment, in which most people do not have a lot of experience. Next, throw in the typical dual-stack configurations, and any IPv6 security testing that you perform is almost guaranteed to take longer than it did in your IPv4 environment. With dual-stack configurations, both IPv4 and IPv6 are viable traffic paths. Therefore, just making sure that your test traffic is actually using IPv6 is one of the first hurdles you will face. So when developing your schedules for performing IPv6 security testing, always allow a little extra time to account for those problems that will almost certainly appear.
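One way to check that hurdle before trusting a test run, shown as an added example that is not part of the original post: classify the peer address each test connection actually used, so runs that silently fell back to IPv4 are caught. The test names, the sample addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: (test name, peer address reported by the test tool's socket)
OBSERVED_PEERS = [
    ("scan-web",  "2001:db8:10::80"),      # documentation prefix, stands in for a global address
    ("scan-dns",  "192.0.2.53"),
    ("scan-mail", "::ffff:192.0.2.25"),
    ("scan-app",  "2002:c000:204::1"),
    ("scan-mgmt", "fe80::1%eth0"),
]

def classify_path(peer: str) -> str:
    """Name the traffic path implied by the peer address of a connection."""
    host = peer.split("%", 1)[0]           # drop an interface zone id such as %eth0
    addr = ipaddress.ip_address(host)
    if addr.version == 4:
        return "ipv4"
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped"               # AF_INET6 socket, but IPv4 packets on the wire
    if addr.sixtofour is not None:
        return "6to4-tunnel"               # IPv6 carried inside IPv4 between sites
    if addr.teredo is not None:
        return "teredo-tunnel"             # IPv6 carried inside UDP over IPv4
    if addr.is_link_local:
        return "ipv6-link-local"           # never left the local segment
    return "ipv6-native"

def audit(records):
    """Group test names by the path their traffic took."""
    by_path = {}
    for name, peer in records:
        by_path.setdefault(classify_path(peer), []).append(name)
    return by_path

def failed_ipv6(records):
    """Tests whose packets were IPv4 on the wire and must be re-run over IPv6."""
    return [n for n, p in records if classify_path(p) in ("ipv4", "ipv4-mapped")]

if __name__ == "__main__":
    for path, names in sorted(audit(OBSERVED_PEERS).items()):
        print(f"{path:16} {', '.join(names)}")
    print("re-run over IPv6:", failed_ipv6(OBSERVED_PEERS))
```

The IPv4-mapped case is the easy one to miss on a dual-stack host: the tool reports an IPv6-looking address, yet the packets on the wire are IPv4.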