For Bechtel, which is getting ready to flip the switch on an IPv6 network in the coming year, Teredo isn't a big deal. That's not because Bechtel considers Teredo safe; it's because the company won't touch it.
"Teredo is off the map, not part of our game plan," Wettling said. "We're trying to avoid the additional overhead of implementing transition technology that doesn't get us to the state [in which] we want to be, which is to deploy IPv6 end to end throughout the network."
The reason for tunneling protocols is that IPv4 isn't going to suddenly disappear. Rather, IPv4 and IPv6 will coexist for many years to come. There's a tremendous amount invested in the current IPv4 Internet. Also, IPv6 businesses will have to interact with those that choose to stick with IPv4 until equipment or software upgrades force the issue.
For its part, Bechtel will run two separate stacks simultaneously: one for IPv4, one for IPv6. Having two separate stacks won't require twice the management time or twice the people-power, Wettling said, because the next-generation network is "a lot easier to run than IPv4."
"It's absolutely amazing," he said. "We're a big company, and we have, internally, a mix of public and private addressing. We grow and shrink [address allocation] on sites according to how many people we have [in a given location]. [Bechtel's business locations] move dynamically all over the world. As we grow and shrink populations, we'll add pools of IP addresses.
"The shrinkage and growth over time has created a bunch of [address fragmentation]," Wettling said. "IPv4 address blocks are not contiguous. With IPv6, everything's dynamic. We don't have to go through the process of saying 'I'm adding a new server, the address is blah blah blah.' If it's running IPv6, it gets the site prefix from an upstream router, creates its own IPv6 [address] and off we go. You can reboot 100 times and it comes up with the same address. Things like that, people don't talk about, but it's a big sigh of relief."
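The address behaviour Wettling describes (prefix from the router, interface identifier built by the host, identical after every reboot) is stateless address autoconfiguration with a modified EUI-64 identifier. The Python below is an added illustration, not code from the article or from Bechtel: it derives the address from a /64 prefix and a MAC the way RFC 4291 Appendix A specifies, and then recovers the MAC from such an address, which is the security-relevant consequence of that determinism. The prefix and MAC are constructed for the example.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC in half, insert 0xFFFE between the
    halves, and invert the universal/local bit (bit 1 of the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # invert the U/L bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the /64 prefix advertised by the upstream router with the EUI-64 IID.

    Because the IID depends only on the MAC, the host gets the same address on
    every boot, and the same low 64 bits on every prefix it is ever attached to.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64_address(addr: str):
    """Recover the MAC embedded in an EUI-64 address, or None if the IID is not EUI-64.

    This is what makes such addresses trackable: anyone who sees the address
    learns the hardware address of the interface behind it.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the U/L bit inversion
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    # Constructed inputs: documentation prefix and an arbitrary MAC.
    addr = slaac_address("2001:db8:1:2::/64", "00:1b:21:3c:4d:5e")
    print(addr, "->", mac_from_eui64_address(str(addr)))
```

The caveat a practitioner would add: hosts that enable privacy extensions (RFC 4941) generate random, periodically changing interface identifiers instead, so the "same address after 100 reboots" property, and the MAC recovery above, hold only for EUI-64 identifiers.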
Wettling said another driver for the no-Teredo approach is that Bechtel wants to build a solid and secure foundation for innovation. The company has been having extensive discussions with external customers as well as with its internal customers, such as the engineering and construction departments. The parties have found opportunities to use IPv6 to improve their work methods, Wettling said, the Katrina scenario being one example, and Bechtel wants to build those applications on a firm grounding.
Granted, Wettling doesn't have a grudge against Teredo; he uses it at home with no problem. That said, he suggests that a company take heed if it plans to use it. If running Teredo on the host layer, for example, companies need to understand the implications, he said: "One is you need to make sure you have some local firewall to do some level of local blocking, and [make sure] it uses IPv6."
Bechtel runs Cisco PIX firewalls, which support IPv6, to protect its IPv6 network, which now runs only in the lab. At this point the company is upgrading its intrusion detection/intrusion prevention systems to make sure they have the current versions of hardware and software to support IPv6.
Also important when considering IPv6 from a security standpoint is to have logging facilities in place that can support IPv6. Bechtel, like many companies, keeps tabs on traffic flowing in and out of its network. "Being able to log IPv6 is important to us, so we're working on making sure logging mechanisms will record v6 sessions," Wettling said. "It's not complete yet; that's one of the last things we have to do to connect to the outside."
Once the logging piece is in place, Bechtel will be able to see source and destination addresses in its IPv6 network traffic. The company already records the machine from which a given transaction originates, as well as the user attached to that machine.
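Two of Wettling's points, the local firewall that must understand what Teredo hosts are doing and the logging that must record v6 sessions, come down to the same practical need: recognizing IPv6 addresses in whatever textual form a device emits them and knowing what kind of address each one is. The Python below is an added example, not code from the article or from Bechtel's logging or firewall tooling. It canonicalizes addresses so that one host does not appear as several, classifies each source (global, link-local, multicast, ULA, 6to4, Teredo), and for Teredo sources unpacks the fields RFC 4380 embeds in the address: the Teredo server, the flags, and the client's NAT-mapped IPv4 and port (stored XORed with all-ones). The log format and every address in it are constructed for the example.

```python
import ipaddress
import re

# Constructed sample log lines (not Bechtel's logs): the same host appears in
# two textual forms, one client arrives through a Teredo tunnel, and one line
# is link-local traffic to a multicast group.
SAMPLE_LOG = """\
2008-03-11T10:01:02Z ALLOW src=2001:0db8:0000:0000:0000:0000:0000:0001 dst=2001:db8:1:2:21b:21ff:fe3c:4d5e dport=443
2008-03-11T10:01:05Z ALLOW src=2001:db8::1 dst=2001:db8:1:2:21b:21ff:fe3c:4d5e dport=22
2008-03-11T10:02:17Z ALLOW src=2001:0:c000:201:8000:cfc6:39cc:9bf8 dst=2001:db8:1:2:21b:21ff:fe3c:4d5e dport=443
2008-03-11T10:03:44Z ALLOW src=fe80::21b:21ff:fe3c:4d5e dst=ff02::1 dport=546
"""

TEREDO_NET = ipaddress.IPv6Network("2001::/32")      # RFC 4380
SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")   # RFC 3056
ULA_NET = ipaddress.IPv6Network("fc00::/7")          # RFC 4193
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def canonical(addr: str) -> str:
    """Normalize any textual IPv6 form to the compressed RFC 5952 form."""
    return ipaddress.IPv6Address(addr).compressed


def classify(addr: str) -> str:
    """Coarse address category; transition technologies are checked first."""
    ip = ipaddress.IPv6Address(addr)
    if ip in TEREDO_NET:
        return "teredo"
    if ip in SIXTOFOUR_NET:
        return "6to4"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip in ULA_NET:
        return "ula"
    return "global"


def decode_teredo(addr: str) -> dict:
    """Unpack a Teredo address (RFC 4380 section 4): bits 32-63 server IPv4,
    64-79 flags, 80-95 client port XOR 0xFFFF, 96-127 client IPv4 XOR all-ones.
    The XOR keeps NATs from rewriting the embedded values."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_NET:
        raise ValueError("not a Teredo address")
    b = ip.packed
    return {
        "server": str(ipaddress.IPv4Address(b[4:8])),
        "flags": int.from_bytes(b[8:10], "big"),
        "client_port": int.from_bytes(b[10:12], "big") ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))),
    }


def parse_log(text: str) -> list:
    """Turn raw lines into records with canonical addresses and a source class."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.groups()
        rec = {
            "src": canonical(src),
            "dst": canonical(dst),
            "dport": int(dport),
            "src_kind": classify(src),
        }
        if rec["src_kind"] == "teredo":
            rec["teredo"] = decode_teredo(src)  # the IPv4 endpoint behind the tunnel
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
```

The design point is that correlation keys must be the canonical form: the first two sample lines are the same host, and a log pipeline that compares raw strings would count them as two. The Teredo decoder gives the IPv4 address and port a firewall or analyst would otherwise have to dig out of the encapsulating UDP packets.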
With IPv6 hosts generating their own addresses and talking to each other end to end, how will Bechtel replicate that tracking? Wettling said IPv6 traffic differs from VOIP traffic, which uses a call manager or the like to set up a call but then carries the conversation directly between the peers. IPv6 traffic will be more like P2P, a technology with which companies already wrestle and which doesn't employ an external enabler.
"A lot of companies have the challenge of wrestling with, 'What do we do with IM [instant messaging]? Treat it like e-mail as far as logging, or not?'" he said. "We're still debating that within Bechtel."
And after all, IPv6 and IPv4 are just protocols. At the end of the day, it's that chunk of communication they're transporting that matters. "That's where people really need to focus on security stuff: Focus on protecting what needs to be protected," Wettling said.
"The transport from my standpoint doesn't make much difference. It's protecting the resource. V6 gives us the ability to do things differently. We need to understand what the security risks are, and balance them against what the business opportunities are."
This article was originally published on eWeek.com.