Attacking one of the key problems early adopters have had with IPv6 (Internet Protocol Version 6), Cisco Systems Inc. plans to beef up security, adding support for stateful packet filtering of IPv6 traffic to its software and hardware firewall products in the first half of next year.
The dominant maker of Internet routers, also a major vendor of firewalls, provided that statement of direction at the North American IPv6 Global Summit, held this week in San Diego. Cisco demonstrated the filtering capability in its IOS (Internetwork Operating System) firewall at the conference, said Patrick Grossetete, Cisco IOS IPv6 product manager.
IPv6 is intended as the successor to the current version of IP, called IPv4. It incorporates many new features, most importantly the ability to accommodate a vastly increased number of addresses, but few users have yet made the transition. Cisco did point to one step forward: Starting Oct. 1, all systems bought or built for the U.S. Department of Defense's Global Information Grid will have to be IPv6 capable as well as supporting IPv4, according to a department memo issued last year and provided by Cisco.
Some who had started to use IPv6 in production networks last year were concerned that not as many security tools, including firewalls, were available for the new protocol. Another security concern was that because IPv6 would allow each system to have a unique IP address, a hacker might be able to target an individual system within an enterprise for attack.
The demonstration showed IOS Firewall software, designed to be part of the operating system that runs all Cisco devices. The software can do stateful inspection of IPv6 traffic, meaning it can examine each packet within the context of other packets that preceded it, an aid in protecting against DoS (denial of service) attacks. It can handle IPv6 traffic using Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP).
Most of Cisco's current routers and routing switches now have support for IPv6 routing in hardware as well as software, Grossetete said. Previously, the platforms had to use software for IPv6 routing, which generally is slower.
The proliferation of non-PC devices that need their own IP addresses will be a major driver of demand for IPv6, Grossetete said. As the new protocol is implemented in enterprise and service provider networks, it will open the door to direct end-to-end connections across the Internet and new collaboration, videoconferencing and grid computing applications, he added. It may even cause service providers to change the way they design networks, such as changing asymmetric DSL (digital subscriber line) networks to symmetric systems to allow for growing peer-to-peer use.
As IPv6 is phased in, one of the biggest challenges will be making sure IT staff have training in both the old protocol and the new, Grossetete said.
Cisco is participating in a three-year project called the 6Net with partners including the European Commission. The demonstration project involves a native IPv6 network of Cisco routers across Europe, which has already been up for 18 months, according to Grossetete. The company also is working with French car maker Renault SA on a mobile IPv6 project in which Cisco 3200 Series Mobile Access Routers in vehicles use IPv6 over IEEE 802.11b wireless LANs and cellular mobile data networks.