All right, well, we're going to talk about IPv6. We have learned a whole lot in the past few months, and I think over the next couple of years all of us have still got a lot to learn, so that's one of the primary things we're going to try to convey to you this morning: this is an absolutely new animal, it's a new beast. It's like you've been eating glazed your entire life and it just turns around into sprinkles; it's really different and you've got to be ready for it. So we've got four reasons here, four small with a billion. Jump right in, man, tell them about the mandates.

All right, so we've got a mandate coming next year: June 30th, 2008, the United States government is supposed to be IPv6 compliant, so we're going to talk about what that means and whether or not it's going to happen. Address space is one of the most interesting questions right up front: you're going from about four billion addresses to almost an infinite number of addresses, 340 undecillion. That means almost everything can be addressable. So we're moving into 37 zeros, like a sci-fi realm of telematics, combining the entertainment industry and emergency incident response. Basically your windshield wipers will receive an email from the Weather Channel; if you're heading in the direction of the storm it'll know your GPS coordinates, and it'll check your windshield washer fluid and tell you to pull over and refill, because in an hour you'll need it. And security concerns, that's scary. The bottom line is we're going to increase the attack surface by orders of magnitude, so imagine everything with a battery having an IP address. The idea is to have host-to-host, end-to-end connectivity, so things will have global IP addresses; there's going to be no more NAT, and privacy issues, and this is blowing my mind right now.

I already told them about the windshield wipers. Oh, actually we've got a little treat for you guys, so just to hook you in, I'll switch over to the... okay, so on this screen I guess we've got... what do you mean, something? I can ipconfig? I'll tell them about the error. Continue about the... oh, the v6 error. We're going to just jump back while he's hitting F5 there.

Okay, completely different, as we mentioned before: the extensibility is huge. There's all sorts of room built in to do new things and to apply the protocol in different ways. You ready to go? Yeah, why don't we switch over. We've got a little treat for you guys here: this is the latest version of Microsoft Vista, Beta 2. I picked this up on Wednesday at the Microsoft booth; I don't remember what the build number was, it was kind of long, but I installed it on this little carputer, basically a little Mini-ITX based machine that could do GPS and email and Microsoft Office and Linux and whatever you want in your car, but right now it's running Vista. So I'm kind of new to this; it's got a snazzy interface, beautiful graphics, you get this by default. Okay, okay, so let's dig around a little bit. Let's jump into ipconfig and see what that looks like. Everybody's done ipconfig before, you know what it looks like?

All right, so basically in Vista IPv6 comes installed by default and it is enabled. In XP the support is there but it's not enabled, so you've got to basically type in "ipv6 install" and boom, two seconds later it's running. But in Vista it's already enabled, so the way you can check it is you just do "ping ::1" for loopback and it's there. You can do the same thing on your XP box, except you've got to type "ping6 ::1". Now, unfortunately on this network we weren't sure if they could support v6 tunneling, because obviously it's v4 here. We were going to use a transition mechanism to see if we can connect to a v6 website, but it seems like the goons, well, they try, they really try hard, so we thank them for that, but it looks like we don't have connectivity. One good test you could do is try to ping www.ipv6day.org. Okay, I knew I shouldn't have had that beer. So that comes over v4; you could force v6 with the -6 flag. I'm sorry guys, I'm trying to look lopsided here. Did that look right?
Okay, I've got a space there, thank you. Oh, so the address resolved, look at that, but we can't reach it because I think they're not allowing tunneling here, which probably means you've got to allow protocol 41 tunneling, or allow Teredo; maybe they're blocking the Teredo ports. We'll get into that. We could also try to paste this address into Internet Explorer; you've got to have the little square brackets now, imagine that. It's not coming through, but last night from the... oh, what's that? Looks like we've got connectivity all of a sudden, so this is kind of quirky, obviously this is beta, right, so now it's working, so that's kind of cool.

Let's go to ipconfig again, "ipconfig /all". All right, oh, look at all that. What is all this stuff? On by default. Okay, so we recognize this part right here. Okay, we've got Teredo on. Okay, one second, I think it's all there; we've got all kinds of new stuff now, 3 and 5, I mean this is on by default, I didn't set any of this up, it was just a fresh install. All right, well, I guess we've got enough digging around here. Let's see if we can pull up that site. Okay, something's not coming up; maybe we'll get back to it, we'll play with it later. Let's jump back to the slides. But anyway, this was a little treat. For Vista it was a totally unplanned experiment; we wanted to show you Vista's got this stuff.

Okay, so just to hit the valuable part on this slide: IPv4 is already at a stage where they can charge you for addresses: okay, another five bucks and we'll give you another address, right? Well, with v6 there are about 50 octillion addresses for every human on the planet. So if IPv4 is about the size of a skyscraper, IPv6 is about the size of 400 billion planet Earths. This is your slide. Whoa. Okay, so we actually have a chance to start fresh. With IPv4 nobody thought it would last that long, 20-plus years, almost 30 years, and the idea was that it wasn't designed for a large network; it was kind of built ad hoc, nodes one on top of another. Now we have a chance to start fresh with v6, so we could do hierarchical addressing, we could allocate blocks in a specific manner to expedite routing. Here you can see that we're going to have an orbital net, a subsurface net, an interplanetary net, so you've got to get online to get your IP address from Mars now. Basically, based on your prefix you'll be able to tell what network you exist in. So, I mean, a totally new approach here. So tell them why some people hate this thing.

Okay, there are plenty of critics. We don't want to sit up here and pretend like this is a really great direction or this is the only direction we have to go in. There's sort of a lack of a migration strategy, and a lot of people are really frustrated with the fact that it's an alternative, it's not an extension, so you can't really say "I'm going to go slowly toward IPv6"; you actually have to do sort of an about-face and move in a new direction. A lot of people are upset about that, but that's actually part of the point of it: there were all of these shortcomings of IPv4, but there are all these things we wanted to do in the future, and so the new protocol is meant to address the bad old stuff and the new possibilities.

Yeah, so we tracked through the history a little bit. IPv4, again, was very resilient because it was very simple; it was kind of dumb, as some of the founders have called it, and that's why it was resilient. Back in the day there was actually a controversial battle between the GOSIP protocol and the Internet Protocol. GOSIP was heavily government backed; it was very bloated because, you know, contractors and vendors could definitely make a buck on making it more bloated, right, and providing support, but IP won. So the question is: is IPv6 another government-backed protocol, or is it hype? Is it just hype, will it die just like maybe service-oriented architecture? I mean, things come up left and right. So let's take a step back and take a look at the big picture. The bottom line is we are running out of v4 address space. Some countries like India, you have to go through nine levels of NAT, and some third-world countries have an IP address space that's less than a given American university. So even so, the bottom line is v4 is old and maybe it's time for a change. In fact NAT was created as a workaround to solve the address space problem, and some people rely on NAT for security, which, don't ask me why, but at least maybe for obscurity. Okay.

And then two bright individuals proposed the next version more than 10 years ago now, so v6 is not brand new. Actually, some trivia: v5 was just an audio/video streaming protocol; they nearly named v6 "v7", but they caught the mistake. And obviously the goals were to expand the address space, optimization of routing, a lot of customization, and security in mind of course. So here you can see the two lines, v4 and v6, in parallel: basically everything from the first exhaustion prediction in the early 90s of the address space to the next-generation proposal and finally some government decisions to get their networks to be compliant or be able to provide support. So there's a lot where that comes from too, in terms of what is the definition of compliance: does it mean that you actually run v6 traffic or are you just providing support? So there's much confusion about definitions.

Okay, I don't know if it's too early for math, but I'll try. Okay, we've got some big numbers, but the bottom line is each person on Earth, right, 6.5 billion people, could have 50 octillion addresses to themselves. Okay, so I hope that wakes you up. Toward the bottom you see some v6 addresses; if this is the first time you've seen one, they're long. How long does it take to type one, and can you make a mistake when you're typing one? Yeah, I timed myself three days ago; it took me on average 30 seconds, and I was trying hard, to type a full v6 address in, and then after I typed it in I validated it, quickly back and forth, before I hit Enter. I mean, if you had a keyboard in front of you, just see how long it would take you to type in a full address. Well, you can't see with the zeros, but imagine a complicated address. I feel bad for the guy that has to do ACLs, you know. Okay, well, jump back one second real quick: so you can concatenate by doing a double colon, so the two addresses toward the bottom are the same, and Kenneth will talk more about privacy, but let's keep moving.

So, okay, we've got your standard graphic here. You can notice some differences: there were some fields ripped out from v4 to v6. v6 seems much more elegant, seems simpler; we have quadrupled source and destination address space. Toward the bottom you can see that the one fundamental difference is the next header field, which actually moves the header options to the payload section, so that makes it very flexible. So now in the payload section, where you put the data, you can come up with your own types of headers, so that allows for much customization. And you can also daisy-chain headers, so you can put one header, then the next header field, another header, next header, and so on. You could have as many nested headers as you like, so that actually is fun when you start playing with tunnels and you start encapsulating tunnels within tunnels. Okay, let's keep moving. Basic structure.

Okay, well, we covered extension headers, and you could again improve quality of service. One fundamental difference: fragmentation is done on the host, on the destination host, so it's no longer done on the routers. Okay, big difference. So routers now will grab the fixed packet headers, which are 40 bytes, not the variable-length headers in v4, read that and make a routing decision; they will not have to parse the packet. Okay, big difference. There are all kinds of complicated jumbograms and advanced features in v6 that you can go read about; there are hundreds of RFCs at this point. So yesterday we tried to stump the panel a little bit. One of my buddies asked the following question at the TCP/IP drinking game; I don't know how much v6 traffic they get, but that was a long question, it was worth 10 drinks, and I don't remember what the answer was, but it had to do something with extension headers and hop-by-hop jumbograms. Okay.

So some differences from v4 to v6: there's no traceroute alternative anymore, so those of you old-schoolers that were used to the IP record route option, you can't do that anymore. No broadcast addresses; we have complicated multicast addresses. Again, the multicast you can spend a whole college semester on, but the bottom line is that you can broadcast to specific groups of IPs within a network, so it's like you're limited to sub-broadcast groups. No uptime check anymore, so okay, that's going to hurt us
with scanning a little bit, but the headers are still in the clear, so, whoo, good news. Okay, and you hear a lot of talk about built-in security with v6, so that's your silver bullet. Well, mostly they're referring to IPsec. Okay, so that's an encryption, I mean that's a cryptographic protocol, and the bottom line is what mandatory IPsec for v6 means, simply, is that if you're writing a v6 stack you have to provide support for IPsec. It doesn't mean that the network will automatically run IPsec. So the bottom line is your v6 stacks out there will have IPsec support, but how many people will actually use it? I mean, IPsec, there are public key algorithms involved, and if any of you are familiar with trying to deploy a global public key infrastructure, you've got to solve that problem first before you try to introduce IPsec, global brokerage of tunnels. So, I'm sorry, all right, so the question was what about opportunistic encryption if it's available to a specific host. So it is not that hard to set up tunnels between... the idea is to have host-to-host connectivity, so you can set up manual tunnels between you and somebody else on the other side of the planet, or somebody's toaster or refrigerator, and the traffic will be encrypted. So you can manually set up tunnels, as long as the network will allow for IPsec tunneling, so that is allowed. The problem is it's not scalable because you're deploying them manually, so you need to have tunnel brokers that can negotiate keys between two hosts and between each session, and if you're running two web browsers and you're looking at 10 different web pages you've got to have a different key for each session, so imagine that on a global scale.

So, okay, well, IPsec was actually originally created with v6 in mind and it was backported to v4 because v6 was so slow in getting rolled out. So the idea again is, if we can start fresh with a new model of the internet, we could try to have trust in a network where, through the use of tunnels, you know who you're talking to; there is authentication, and the idea is to create a trusted network, as opposed to v4 where everything's kind of... The gentleman says very few BGP sessions are encrypted with IPsec, so there's some more from the trenches: good luck deploying IPsec, but we'll see. Let's move it, let's move it. Yeah, who was going to control the keys, especially... well, we'll get to that in a second, but on the international level, who is going to control the keys, right? And so that's a huge limitation on the widespread implementation of this stuff, because once you get to the nation-state level, one country is not going to allow another country to control its keys.

There are plenty of, use your imagination, in terms of the pros of IPv6. Because it's extendable, you think of ad hoc networking, mobility, the ability for you to have your own unique global IP address that you can pick up and travel with, travel across seas and plug into a network, and you have the same exact globally unique IP address. So use your imagination. And again, if we start fresh and we do it right, if addresses are allocated correctly, you can think of it as zip codes: you can have prefixes that have a relation to a specific geospatial coordinate for a certain group of v6 addresses. So imagine a thousand different users from an enterprise surfing, say, a web server at site B. Well, in v4 traditionally there's no automated way to control the sessions; there would be a thousand different paths. In v6 you can have bulk sessions, so the idea is: why not have all those thousand sessions, viewing from a browser at site A a server at site B, why not bulk them together and channel them through the most optimized path? So the idea is to approach it from that perspective. Mobile devices, everything, everything. Telematics, we mentioned earlier, is the idea of combining entertainment, incident response, emergency systems; everything with a battery has an IP address.

Okay, there are also obviously some negative aspects that come to mind right away. Again, some people are disturbed by recognizing that there's no more NAT; some people rely on that, they love NAT, that's probably sometimes their first layer of security. There's no more NAT in v6. Well, actually there are some exotic ways to do that, but there's no point if you have 50 octillion addresses just to yourself. There are many migration technologies; during the phase of introducing v6 traffic into your network you're going to end up having v4 and v6 at the same time, so now you've got to think about how your sensors will watch traffic on both stacks. Well, how are you going to watch tunneling? I mean, there are many; migration will increase the attack surface by orders of magnitude. There's IPsec; IPsec is great, but then what about the sensors? What about negotiating the keys with the sensors, with your IDS, with your firewalls, with your host-based solutions? Now if you have encrypted sessions end to end, your sensors are blind, so you've got to include brokerage mechanisms that will share the keys with the sensors, and that's complicated stuff.
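The next-header daisy chain from the packet-format discussion, the protocol 41 and Teredo blocking seen in the Vista demo, and the question just raised of how sensors watch tunneled traffic all come together in one small decoder. The following is an added editorial example, not code from the talk or its speakers: it walks an IPv6 extension-header chain to the upper-layer protocol, recurses into IPv6-in-IPv6, and recognizes IPv6 carried inside IPv4 either directly (protocol 41, "6in4") or inside UDP on the Teredo port 3544. The four packets it classifies are constructed inline from documentation addresses; the source/destination addresses, ports and option padding are sample values, and a real sensor would also need to handle ESP (which cannot be walked past) and fragmented chains.

```python
"""Walk an IPv6 extension-header chain and spot IPv6 tunneled over IPv4.

Added editorial example; the packets below are constructed by hand.
"""
import ipaddress
import struct

# Extension headers a sensor must step over to reach the upper-layer protocol.
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment",
               51: "AH", 60: "Dest-Options", 135: "Mobility"}
UPPER = {6: "TCP", 17: "UDP", 41: "IPv6", 50: "ESP", 58: "ICMPv6"}
TEREDO_PORT = 3544          # Teredo UDP port (RFC 4380)
IPPROTO_IPV6 = 41           # IPv6 encapsulated directly in IPv4 (6in4)


def walk_ipv6(pkt: bytes) -> list:
    """Return the header chain of an IPv6 packet, e.g. ['IPv6', 'Hop-by-Hop', 'TCP'].

    Follows the next-header field through every extension header and recurses
    into IPv6-in-IPv6 (next header 41) so nested tunnels are listed too.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = pkt[6]
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = min(len(pkt), 40 + payload_len)
    chain, off = ["IPv6"], 40
    while next_hdr in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        chain.append(EXT_HEADERS[next_hdr])
        if next_hdr == 44:                       # Fragment: fixed 8 octets
            size = 8
        elif next_hdr == 51:                     # AH: length in 4-octet units, minus 2
            size = (pkt[off + 1] + 2) * 4
        else:                                    # others: 8-octet units, first 8 not counted
            size = (pkt[off + 1] + 1) * 8
        next_hdr, off = pkt[off], off + size
    if next_hdr == IPPROTO_IPV6:                 # tunnel within a tunnel
        return chain + walk_ipv6(pkt[off:end])
    chain.append(UPPER.get(next_hdr, f"proto-{next_hdr}"))
    return chain


def classify_ipv4(pkt: bytes) -> tuple:
    """Classify an IPv4 packet as ('native' | '6in4' | 'teredo', header chain)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto == IPPROTO_IPV6:
        return "6in4", ["IPv4"] + walk_ipv6(payload)
    if proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        inner = payload[8:]
        if TEREDO_PORT in (sport, dport) and len(inner) >= 40 and inner[0] >> 4 == 6:
            return "teredo", ["IPv4", "UDP"] + walk_ipv6(inner)
    return "native", ["IPv4", UPPER.get(proto, f"proto-{proto}")]


# --- constructed sample packets (documentation addresses, not real hosts) ---
V6_SRC = ipaddress.IPv6Address("2001:db8::1").packed
V6_DST = ipaddress.IPv6Address("2001:db8::2").packed
V4_SRC, V4_DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])


def ipv4_header(proto: int, total_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, V4_SRC, V4_DST)


def ipv6_header(next_hdr: int, payload_len: int) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, 64, V6_SRC, V6_DST)


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
# Hop-by-Hop (next=60) then Destination Options (next=6), each 8 octets padded with PadN.
HOP_BY_HOP = bytes([60, 0, 1, 4, 0, 0, 0, 0])
DEST_OPTS = bytes([6, 0, 1, 4, 0, 0, 0, 0])
V6_PACKET = ipv6_header(0, 36) + HOP_BY_HOP + DEST_OPTS + TCP_SYN


def sample_packets() -> dict:
    """Four constructed frames: native v4 TCP, 6in4, Teredo, and v6-in-v6 inside 6in4."""
    v6_in_v6 = ipv6_header(IPPROTO_IPV6, len(V6_PACKET)) + V6_PACKET
    udp = struct.pack("!HHHH", TEREDO_PORT, TEREDO_PORT, 8 + len(V6_PACKET), 0) + V6_PACKET
    return {
        "native": ipv4_header(6, 20 + len(TCP_SYN)) + TCP_SYN,
        "6in4": ipv4_header(IPPROTO_IPV6, 20 + len(V6_PACKET)) + V6_PACKET,
        "teredo": ipv4_header(17, 20 + len(udp)) + udp,
        "nested": ipv4_header(IPPROTO_IPV6, 20 + len(v6_in_v6)) + v6_in_v6,
    }


if __name__ == "__main__":
    for name, frame in sample_packets().items():
        kind, chain = classify_ipv4(frame)
        print(f"{name:7s} -> {kind:7s} {' / '.join(chain)}")
```

The point for a sensor is in `classify_ipv4`: a v4-only IDS that matches on the outer protocol sees "UDP to port 3544" or "protocol 41" and nothing else, so the inner TCP SYN to port 80 is invisible unless the tunnel is unwrapped first. Blocking protocol 41 and the Teredo port at the border, as the conference network apparently did, is the blunt version of the same check.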
Whoa, I'm getting scared. Okay, let's move it. All right, so we've kind of given you an introduction to some of the issues that are at play on the tech side, but anything this important on the tech side, you can imagine, has significant implications for governments around the world: national security issues, the ability to sort of control and come to the aid of your populations, to control military forces, to run expensive satellites in space. One thing you often say is DoD drives technology, just like NASA sort of drove so many things over the past few decades that came out into everyday life. Warfare, that said, itself like everything else is completely networked today, so the very nature of warfare is network-centric, down to the number of bullets and the sticks of butter you have to give to your troops. All of that needs to be controlled via the networks. Now obviously for a military that's going to lead to a better operational picture and more flexibility in the battlefield. At home, a big question is whether or not this is going to allow governments more or less control over their own populations, and the question is important but also very philosophical in nature. I mean, from one standpoint you say great, we're moving to the encrypted internet, so my private communications are going to be secure; on the other hand, there are going to be more static IP addresses, right, and so it's going to be easier to track you back. And we'll talk about the People's Republic of China and how they're viewing IPv6 as important to their national security picture.

In the real world we have emergency response issues that are very important, not at the top level of national security but to the folks who run law enforcement and fire and disaster recovery. One of the important examples is called MetroNet6, and again the basic thing in it incorporates "metropolitan" and "network", and IPv6 for short. It's handheld devices for pretty much everybody who's involved in emergency response and disaster recovery, available year-round, that would connect everybody, and one of the important aspects of this is ad hoc command centers. So in Washington, DC or anywhere else there could be, sort of from the top all the way down, secure communications between folks. And of course pre-9/11 there was so much flak: the CIA and the FBI didn't speak to each other well, they spoke different languages, they didn't trust each other. If implemented correctly, you could see how IPv6 would lead to more trust; you could even have a sort of intel group talk to a policeman on the street, right, and pass them information securely: hey, look behind you.

The IPv6 mandate. So a year from now, June 30th, 2008. There is a significant element within the United States government that said this is important enough that you're going to do it, period. It's interesting in that after that, another major body responsible for looking at IPv6 turned around and said, whoa, this is not even a good idea at the present time; in fact, if we do it too early it's going to lead to increased costs and reduced security. The two are the OMB, which is associated with the White House, and we're operating on a White House initiative, and the Department of Commerce, which was looking at it from more of a tech perspective. American companies really are in a funny position, right? You would think that they would be driving this, for many reasons, for market share and for research and development; however, they're kind of stuck with the lion's share of IP addresses, right? So they've got so many IP addresses they don't know what to do with them, and they're still sort of fully NATted, so that's sort of an irony of the
thing uh but we got we got a ton of ip addresses i mean just for example stanford university has more ip addresses than china so there is there is uh not really a shortage on the american side there are reasons though to switch to ipv6 uh companies are very interested in reducing the rendezvous servers and the developer time that's necessary to do all of the coding that is involved with natting uh so when you when you're developing you know xbox games when you're looking at vista all of this very expensive to develop so ipv6 they see as a way to increase you know the the facility of uh allowing p2p connectivity and so toward that end microsoft's under offering a hundred million dollars for developing software and programs that would fit this model for vista in the future in case you're interested let's move to the people's republic of china so you know in the united states the shift is mandate driven currently right well in many other countries it's purely market driven they need the address space you look at india is worse than you know china but you look at uh in china you know okay they already don't have enough ip addresses for everybody who's online uh but uh you know they need uh they need the space uh in a in a serious way it's also a big effort as china modernizes very quickly to develop a serious indigenous intellectual property and everybody's participating they are somewhat sluggish today and and really the prime the prime factor and this is somewhat disappointing for the chinese ipv6 team is this is lack of applications and so you know you can see how that's that's that's a problem so finally uh in regards to the prc and and it's not just to bash the prc but it's it's this is a problem for all all nation states it's sort of the balance between you know privacy consumer freedom and and the the the need for law enforcement to prosecute crimes so in the chinese case uh you know we've got some things to look at okay they already station police at internet 
cafes and they're already on the lookout for things like sweatshop videos that will indicate that they're you know they're not playing fair by international labor laws um and then on the criminal side you have them openly saying ipv6 is important for us to assure that we reduce crime uh in the country and it's specifically through the better better tracking of individuals through static ip's uh some colorful stuff between america and china is you see a lot of uh collaboration a lot of acquiescence and between our major companies uh companies because they want the the market entry into china and there's no way they're going to get there without providing china with what they need just like microsoft provides them with the source code right uh in order for them to buy the operating system they're not going to buy it otherwise um you know google and yahoo they have they have helped prosecute individuals in china you know by offering you know personal information uh upon request now at least one congressman is you know comparing this to world war two a collaboration with the nazis uh europe is moving forward they this is this is uh um much more market driven there's a lot of investment there um they've got some of the same stuff we've got going on on the emergency response side uh and some of the same issues with okay we're we've come this far so what now you know can we have more money to invest or they don't really you know there was complaints that they didn't see the uh the the visible uh tangible rewards uh so far with with ipv6 uh here is a concept car and again ipv6 makes these things possible we talked about earlier with the the windshield washer fluid but really you you can network everything right and so you can be plugged in uh to to many different things you can even have uh you know ad hoc network connectivity everybody in the car and then between cars you know if a car is approaching you too fast you know you could know that if you're if you're you know 
son is 16 years old is driving too fast it sends you an email quickly right and lets you know uh so there's a there's a lot of possibilities the japanese side is different from from the china the chinese example in that uh you know in china they need the address space for for people in japan it's it's electronics right they've got so many things it's absolutely gadget crazy country so they want to address all this stuff so we can talk to each other so we can talk with the companies uh so you know so they can talk with their friends so they've been at this for a long time you know as early as 2000 they identified ipv6 is critical to you know to the future of of an e japan uh and they do hold uh the world records uh the university of tokyo both in ipv4 and in ipv6 and they're putting money into you know a taxi pilot programs so so that when you know visitors and when you know travelers come in they can see the immediate value of the new of the new network connectivity um in india is very interesting uh just mention one thing you know so so the the the the companies want to have a v6 test bed right and so it's a bit of a controversy on whether or not they're going to open it up to the world or have it sort of as their own their own thing obviously uh the major international telecoms providers want to play in this but there's a big element there that that want to keep it close hold and and and you know pay uh just real close attention to national security issues and um sort of proprietary information there um south korea already owns trillions of addresses um this is a is an issue say for instance for africa africa there's a lot of countries that really benefited from cell phones satellite phones vsat all this stuff was really beneficial because they didn't have a lot of landline in countries right so this is a huge step forward for them and in the same way ipv6 should also help certain countries with really no with hardly any uh a network connectivity at present 
there's going to be plenty of addresses to go around okay here's a here's a slide i just thought i would check quickly to see uh you know within government donate domain so we have dot gov right well france has gov dot fr and every every country has has their government address space so these are the ipvc ipv6 hits within the address space so it was a little bit surprised with you this was as of yesterday the usa came out on top but maybe maybe a bit of a surprise uh the south korea came in came in second uh but very very close uh but then you have china japan taiwan or all next what does that tell you right asia is seriously investing uh in ipv6 some countries i mean it's shocking check republic i mean you've ever been there what a what a terrific place right but uh zero hits now you mistyped it i think you mistyped it i did not mistyped it i did not i did not mistyped it i checked in fact several several different ways so interim analysis okay it's very different you know between the prc and the usa right um there's a lot of investment in china it's very visible they talk about it all the time it's crickets on our side but uh you have to realize the different economic models uh very much pertain here and in china you don't do anything without government support so it could very well be and we talked with a real big shot in ipv6 world who said that the behind the scenes american industry is almost certainly the the number one spender an investor uh in ipv6 you really just don't see it so it may it may be just slightly different different models here in our country the you know in the united states it is going to be more market driven and we'll see how that plays out it's going to cost money for sure and you may be wondering what's this going to cost my my company right uh so the department of commerce report which was more technical in nature and and really got more into the weeds uh said if you have eight core routers 150 switchers and four firewalls it may cost 
you two million dollars. But yeah, lots of other people are saying this is absolute nonsense, you're going to take care of all of this for no money at all, it's all going to happen within tech refresh, right? So, you know, hardware and software that's coming out now is IPv6 compatible, right? So primarily you're going to have to invest in some training and in some awareness, and one of the things we're going to suggest to you later is that maybe your organization just taps a couple of folks to get up to speed on the IPv6 issue, because it's not going to do you any good to jump in with both feet, but you're just going to want to watch this issue and know where you should be. There's a real interesting comparison between Y2K and IPv6. There's a lot of people who think that it's way overblown, and then you're not paying attention at all to IPv6 and it'll just go away, but almost certainly it's going to require some smart resource decisions on your part, and there are going to be some niche admin skills, such as typing these long addresses, that may come in handy. On the privacy side there's just differences, you know, and some of this is cultural. It's real interesting; a lot of times when you look at warfare, espionage, politics, police work, a lot of culture comes in, and so in Asia they're going to have less of an expectation in general for privacy in your daily life. In some languages, privacy, I think my wife studied Chinese for years and I can't quite remember now, but I think in the language you don't even know how to describe privacy, right? You don't even know where to begin, because it doesn't exist, right? So in Europe, much more, there's some sectors that absolutely demand it. In our country, you know, we still have the death penalty, right? So we love our privacy in this country, but we also feel like, y'all, if he's a criminal, or we think he may have
committed a crime, shoot him. Really, actually it might be worth mentioning that there is the EUI-64 field in the address, where you take the lower 64 bytes and essentially you rip off the MAC of the NIC and you insert the additional bits that are somewhat randomized. So you take the MAC and then in the middle you slap on some randomized bits to, in a sense, privatize the address. So there is that, and it makes it complicated for large enterprises to deploy, because they can't keep track of their assets that way. So whether that's going to be prevalent or not is another issue. So okay, incident management. We're kind of running short on time, but basically you've got the registries, you have the internet management bodies, and let me just show you some of what they say, because we don't know; they're still charting the course for this, so it's more like, I want to move in this direction and you will figure out how to get there as we go. But some of the things they really want: aggregation. They want a network infrastructure that's hierarchical in nature and that is planned, right, and that is not sort of wild west. But that's tough, and we can give you a couple of examples; already it's starting to move in a very sort of crazy way. They want everything to be unique worldwide, so that it's not behind NAT and it's not obscure and it's not difficult to trace somebody back, which has all kinds of implications, obviously. They want everything to be registered, they want it to be fair and equitable, so, for what that's worth. They want us to avoid wasteful practices, so that we don't begin to waste IP addresses as we've done in the past, and you can leave that to yourself
to wonder whether that's really an issue anymore. There is something called the IPv6 Ready logo, and these are the five things that you can actually get tested on to acquire this logo. But just a quick search for the logo this week yielded plenty of Chinese addresses, and more so perhaps up front than the English addresses, but very interesting here. Some people are after the logo. One of the things, oh, this is very interesting: to acquire the logo, a lot of people wanted IPsec to be intrinsic to it, you know, you've got to have IPsec before you get the logo, and the PRC, China, said no, no, it needs to be optional, we want the logo without IPsec being mandatory, and they won the debate. So part of the thing to think about here is whether or not other countries or other interested privacy groups, anybody, somebody raise your hand, should have weighed in on that debate and argued the flip side and tried to win the debate. However, the debate's been settled, and IPsec again is optional. And Ready Logo 2, I believe, is in the works, that might actually have IPsec; I think the national community finally stood up and tried to influence standards. So something to look out for. The current status of v6 deployment, where is it now? Some of you might have heard of the 6bone. Well, the 6bone.org website, as of I think the first week of July, has announced that they discontinued essentially their project, because that first, essentially experimental, testbed for v6 doesn't need to exist any longer, because we're moving to the real v6 internet. So the 6bone has been discontinued. Now if you go to ipv6day.org, that is a quick little wiki with some cookbook steps on how to get connected for free right now, today. And so, goodbye 6bone. Now the expectation is that the v6 internet is spreading physically across the
world; the experimental stage, that label has been ripped off. So again, obviously we cannot jump straight into v6, and we can't flip a switch; the majority of our networks are v4 only right now. So I think it's important to distinguish between the different tunneling mechanisms that allow you to do v6 over v4 networks. There's also a term, native v6, which means your hardware can handle v6, the v6 stack, so then you can run dual stack, dual stack hardware which could talk both v4 and v6, and eventually we'll have all native-only v6 and we'll treat v4 as legacy. We're going to tunnel v4 probably over v6, but I think that's light years from now, but I think v4 will stick around for a long time. But imagine all the combinations of these heterogeneous environments where you have v4 only, v4 with v6 tunneling, v6 native only, dual stack; I mean, imagine the combinations of the environments that can exist, and there's obviously some tunneling protocols that are listed on the right. Now, what exists out there right now that can support v6 as of today? Most companies, there's very few robust stacks out there, most companies are just buying from third parties, so whether the stacks have been tested, they're still, I'm surprised that the 6bone is gone, I'm actually very surprised, but I guess the experts are expecting that there's some implementation of the stacks that are ready. It's worth mentioning the two Asian projects, KAME and USAGI, KAME being Japanese for the tortoise and USAGI being Japanese for the rabbit, two projects that kind of raced to complete the v6 modules, for the Unix kernel for KAME and for the Linux kernel for USAGI. And the moral of the story is that KAME finished long before the Linux
version, and USAGI is still very buggy. So Linux support is out there, and I believe after 2.4 it's already included, but it is very buggy, especially if you try some of the advanced features like autoconfiguration. So the moral of the story is BSD finished way ahead. Okay, these are real stories of tech support, right? So you want to try it real quick? Okay, okay, so I'm tech support. I say, hi, this is Comcast. Hi, I'd like to subscribe to your internet service for my residence, specifically IPv6. Sure, why not. Well, can you double check if you actually have native v6? Three minutes later: do you have a Mac? IPv6 is for Macs. Okay, okay, I wish we could record this. Legally, it was recorded. Okay, Verizon, same thing. You guys have v6? Sure. Could you check if you actually have native v6? Well, you're talking about the mobile internet where you can connect no matter where you are? No. Oh, you mean fiber? They're laying fiber everywhere. Well, the medium doesn't matter. Fiber's a plus though. I don't know, you need a static IP, but we don't offer that since we're DSL. I know, your sales folks, they told you to call me, but they know what we offer. Well, yeah, they forwarded me to you. Okay, so obviously your browsers, your applications, we need to have updates, so developers will need to learn the new protocol. There's actually some interesting parsing issues, now with browsers having to accept colons and square brackets; you can use your imagination. The industry is still slow, the standards are not being pushed, organizations are taking what they can, there's a lot of room for snake oil products. It's important, I think, for larger organizations to push for standards, for people to speak up, because right now the industry does not provide much in
support. Again, some trends to expect as v6 comes around: your average new hires for your network specialists have a couple of years of v4 experience. I mean, I barely know v4, but hey, I'm going to be CISSP, so I think I'll be able to handle the v6, right? Well, new hires will have zero knowledge of v6. And actually, a quick little bit of trivia: does anybody know the nickname for the double colon? Fill with zero? No, but you know what it's called? A box. Yeah. We don't know, we're just surveying; we actually wondered if there's a name for it, we couldn't find one for weeks. Okay, there you go, the double colon is a box. Okay, let's go. We thought we needed another RFC for the name, because you're going to be saying it so often, colon colon, colon. What about a double colon, a colon by itself? Colon. But see, there's two syllables, so there's room there, if anybody thinks there's something catchy, go ahead. See what he said on IPv6: go by what the Japanese do. Okay, okay, okay, so where are we going to expect the attack methodologies to move, in what direction? If IPsec will become prevalent, then the certificate authorities that will hold the keys will essentially become targets. DNS will become an obvious target, because that'll be the primary source for network administrators to keep track of all their assets, and especially with autoconfiguration and privacy addresses, the DNS will become a primary target. So maybe DNSSEC; I mean, there's some interesting solutions for hardening the DNS server, so we need to look out for that. There's client-side exploits that essentially address the fact that, because of host-to-host
connectivity and the inability to scan large address spaces anymore, the idea would be to target the host directly. So, a myriad of security concerns. Actually, if you could switch real quick to the box, if we have Vista up, let me show you something interesting I found yesterday, let me pull it up for you. I took a screenshot; I'm just going through the properties in Explorer, and we'll wait for it until you put it up. So we actually have got to get moving here. So there's a lot of link-local problems, that is a very interesting area; essentially you can think of your layer two attacks as essentially being moved up to the next level, so there's a lot of ARP poisoning, cache poisoning on the next level. So it's an interesting area to get into, something to look forward to. Actually, there's the screenshot. So basically I went to an IPv6 web page, clicked Properties on a GIF, and what is that garbage right there in the protocol that's highlighted? So, interesting. Granted, it's a beta, but that's kind of confusing. Again, large attack surface; migration will probably cause a chaotic environment, and again the attack surface is increased, that's the whole thing, it's getting much larger, especially during the period where you're going to have to run both simultaneously. So let's keep moving. The sensors, again, we'll need key negotiations, so you need tunnel brokers; there's many exotic ways to do that, it's complicated, we can go ahead and move on. What are the current hacker tools out there, current attacks? There's a suite of tools by the THC group; van Hauser has actually published some interesting, the first, I think, IPv6 attack suite. It's very interesting, I played with it, immense results, worth playing with. It works, I mean, bottom
line, it works. Man-in-the-middle attacks, flooding the network with a lot of garbage traffic, relaying, essentially inserting yourself in the route, stealing addresses, because anytime in autoconfiguration when you want to grab an IPv6 address it checks for duplicate address detection, well, you can constantly say, well, I'm it, I'm it; you can constantly grab IPv6 addresses. A lot of interesting stuff. Go check out THC; I can't do him justice, but it works and it's worth it. And in our next iteration of our presentation we're actually compiling a list of 30-plus tools right now, libraries that could allow you to do some vulnerability assessments and pentesting on v6. So one of the things just to realize about compliance is it's sort of really been watered down. Compliance, I'm sure initially it was, hey, we're going to get squared away with this thing; now it's pretty much, the core networks are going to need to support IPv6, and probably the minority of networks within the USG may be there by then. Oh, the IPv6 Ready logo: the politics are highly charged, there's still a lot of decisions to make and they're very important, so you want to make sure that you realize sort of the points of future tension and weigh in your voice now. Here's some recommendations. Again, these will also be on the DEF CON website this week, but these are some of the recommendations that we've come up with for you and your organization. And the bottom line, first thing, is that you might have real v6 traffic on your networks right now, so go back and check. The first thing is turn it off; if you don't need it, obviously turn it off, and then test it, and depending on your requirements allow it slowly
for specific purposes if needed, but first turn it off. Turn off tunneling in v4; even if you don't have v6 hardware, your tunneling might be allowed, so you want to block protocol 41, you want to block Teredo ports, and essentially first ensure that you don't have any rogue traffic. Because Teredo is certainly worth mentioning: it's Microsoft's spec, they could essentially exploit NAT, and through UDP it can give your machine behind a cone NAT a global IPv6 address for connectivity. So I think a lot of the online games have motivated that. So, it's funny, in the spec for Teredo it actually mentions that this should be your last resort. Okay, sure. I think we're running out of time for a demo, but if anybody is interested, you're welcome to come up and chat with us about the v6 pack, our prototype. We actually originally were going to be on a nano-ITX board running embedded Linux, but we salvaged our carputer that's running mini-ITX, and with the spirit of telematics, the idea is we have analog sensors with a Java API, so that if you lift the last beer in the fridge it can send an email message to your cell phone. So it's just a toy, but right now, big thanks to Dolomites sitting over here for helping us out with the carputer. He made some progress on it, but part of it is we're just not there with IPv6, we're not there yet, so it was tough to pull off, but hopefully soon, right? And what was funny is, what's really funny is they've already done this at Caesars. So we show up, right, and we open the fridge and they've already got one, right? You reach in, and this happened to me last year in a foreign country, I just reached in to, you
know, to say, well, what is this bottle in here, and you pull it out, and all of a sudden, click, behind it right there was a sensor, and then all of a sudden I'm building my bill, I'm charged, and I've got to drink this thing. Yes, but the IPv6 fridge was thought of a long time ago by the hotel industry. Well, I don't think it's v6. There's a v6? Yeah, I think there's a modem, the telematics part. Yeah, we found a little modem behind it. But, well, yeah, somebody, maybe we could work with them. So we own your fridge. Elite snackers. Hey, thanks guys, thanks a lot, really appreciate it.
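As an added example, not code from the speakers or their v6 pack, here is a small Python audit that ties together two points from the talk: the EUI-64 interface identifier built from the MAC of the NIC (so the MAC can be read straight back out of the address, which is what randomized privacy addresses avoid) and the recommendation to go back and check for rogue v6 and tunnel traffic, here by recognising 6to4 and Teredo addresses and the IPv4 endpoints and cone-NAT flag they carry. The MAC and all addresses in it are constructed sample values; only the standard library's ipaddress module is used.

```python
"""Audit IPv6 addresses for the properties the talk raises (added example,
not the speakers' tooling). Sample MAC/addresses below are constructed."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): split the 48-bit MAC, insert ff:fe
    between the halves and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac: str) -> str:
    """Link-local address (fe80::/64) a host autoconfigures from its MAC."""
    packed = b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac)
    return ipaddress.IPv6Address(packed).compressed


def embedded_mac(addr: str):
    """Read the MAC back out of an EUI-64 interface identifier; None when the
    identifier is not EUI-64 shaped (e.g. an RFC 4941 privacy address)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the universal/local flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def classify(addr: str) -> dict:
    """Label one address: scope, tunnel type with the IPv4 endpoints it
    reveals, and whether its identifier leaks a MAC."""
    a = ipaddress.IPv6Address(addr)
    info = {"address": a.compressed, "tunnel": None, "mac": embedded_mac(addr),
            "scope": "link-local" if a.is_link_local else "global"}
    if a.sixtofour is not None:  # 2002:<IPv4>::/48 embeds the v4 endpoint
        info["tunnel"] = "6to4"
        info["ipv4_relay"] = str(a.sixtofour)
    elif a.teredo is not None:  # 2001:0::/32, IPv6 inside UDP through NAT
        server, client = a.teredo  # ipaddress un-obfuscates the client IPv4
        info["tunnel"] = "teredo"
        info["teredo_server"] = str(server)
        info["teredo_client"] = str(client)
        info["teredo_port"] = ((int(a) >> 32) & 0xFFFF) ^ 0xFFFF
        info["cone_nat"] = bool((int(a) >> 48) & 0x8000)  # RFC 4380 Cone flag
    return info


def audit(addresses):
    """Keep only what an operator who has 'turned v6 off' should still see:
    tunnels that bypass the IPv4 perimeter and identifiers that leak a MAC."""
    return [i for i in map(classify, addresses) if i["tunnel"] or i["mac"]]
```

Feed `audit()` the v6 addresses pulled from flow or firewall logs; any Teredo or 6to4 finding is traffic that slipped past a v4-only perimeter (protocol 41 or the Teredo UDP ports), and any finding with a MAC is a host still autoconfiguring EUI-64 rather than privacy addresses.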