Makers of network security gear are lining up to help enterprises and service providers implement IPv6 (Internet Protocol version 6), the next-generation network layer protocol for the Internet that offers a vastly larger number of host addresses.
NetScreen Technologies Inc. has made available to its existing customers a beta version of firewall and VPN (virtual private network) software that supports IPv6. The release comes less than a month after Cisco Systems Inc., the dominant maker of Internet routers and a major vendor of firewalls itself, laid out plans to add stateful packet filtering of IPv6 to its software and hardware firewall products in the first half of next year. [See "Cisco aims for IPv6 firewalls," June 27.] Check Point Software Technologies Ltd. last October introduced IPv6 support for its software with the release of Check Point VPN-1/FireWall-1 Next Generation, Feature Pack 3, according to a company representative.
The beta release of ScreenOS, the software for NetScreen's integrated firewall and VPN platforms, can automatically detect and secure traffic that uses either IPv6 or IPv4, the current version of IP. The beta release is free.
IPv6 is not yet necessary for networks in North America, where IP addresses are relatively plentiful, but is likely to be needed soon in some Asian countries and for advanced applications such as mobile data services and voice over IP, according to Dave Kosiur, an analyst at The Burton Group Corp. in Midvale, Utah.
A number of network routers from Cisco and other vendors are capable of handling traffic with IPv6 addresses, but the story doesn't necessarily end there for network administrators, Kosiur and others said.
"You don't need to have a firewall that routes IPv6 in order to run IPv6. However, the way networks are run today, it's out of the question to do it without security," said Alan Bavosa, a NetScreen product manager.
Some enterprises and service providers that last year were starting to use IPv6 were concerned that few security tools, including firewalls, were available for it. Another concern was that because IPv6 would allow each system to have a unique IP address, a hacker might be able to target a specific system in an enterprise for attack.
The new ScreenOS release provides encryption and firewall capabilities, as well as protection against denial of service attacks, for IPv6 traffic. It can encapsulate IPv6 traffic in IPv4, allowing enterprises or service providers to operate an IPv6 network across a backbone that hasn't been configured to handle the new kinds of packets, Bavosa said.
Organizations or carriers that haven't deployed IPv6 generally don't have to worry about IPv6 attacks because their firewalls and routers can't route the harmful packets, Kosiur and Bavosa said. However, if they want to start trying it out they'll demand some security mechanisms, experts said.
"If someone is dependent on firewalls now, then they will want a firewall when they move to IPv6," said John Klensin, chairman of the Internet Engineering Task Force's Internet Architecture Board.
Emerging applications may force enterprises and service providers in North America to IPv6, Kosiur said. To conserve unique, public IP addresses, many network administrators hand out addresses just for use inside a closed area, but new applications may have trouble with that, he said. For example, without the additional addresses provided by IPv6, it may be hard to implement VoIP (voice over IP) in an organization and receive calls from outside. In addition, networks of environmental sensors such as air quality sensors or closed-circuit TV cameras are likely to demand too many unique public addresses to be set up under IPv4.
Data services for mobile phones also call for IPv6, according to NetScreen's Bavosa. A carrier could hand out a temporary IP address to every subscriber whenever a service was requested, rather than assigning permanent public IP addresses to each phone, but maintaining that system would be complicated and expensive, he said.
Vendors are moving toward implementing IPv6 on a wide range of equipment, including firewalls, routers, load-balancing equipment and content caches, Kosiur said.
"If they have something to do with packet inspection, they're going to have to become IPv6-capable," he said.
The vendors got more motivation last month when the U.S. Department of Defense (DOD) announced that starting Oct. 1 of this year, all systems bought or built for its Global Information Grid will have to support both IPv4 and IPv6.
"They kind of got a kick in the pants from the DOD," Kosiur said. "That's not a customer you can ignore."
NetScreen expects to introduce a version of the IPv6-compatible ScreenOS for pilot production networks, which will include more advanced IPv6 features, in the first half of next year. A version for production environments is expected in the second half of next year, according to a NetScreen statement. Prices have not been set for the two future products.