Security stasis as NBN Co, Telstra consider how to move customers to IPv6

Internet service providers (ISPs) and telecommunications providers may be plotting their moves to embrace next-generation IPv6 network protocols, but a massive base of legacy IPv4 equipment will complicate things for a long time to come, executives of both Telstra and NBN Co have warned.

Telstra, for its part, has been pursuing a dual-stack IPv6/IPv4 setup that will allow it to guide its large customers towards the newer protocol – which includes features like a much larger address space and built-in IPSec security – while avoiding problems with customers' existing IPv4 setup and customer premises equipment (CPE).

CPE, such as broadband modems and set-top boxes, introduces issues due to economies of scale and will require a massive overhaul to root out and replace devices that don't fit into IPv6 security and administrative models. Enabling this has proved to be a real challenge, requiring extensive equipment upgrades and changes to the company's operational support systems (OSS).

Through careful planning and a focus on equivalence between IPv4 and IPv6 services, the Telstra team has come through the process unscathed and successfully launched commercial IPv6 services in early September, director of transport and routing engineering David Robertson told attendees at this week's IPv6 Summit in Melbourne.

"Telstra aim to provide consistency of experience with our products when adding IPv6 features," he explained. "IPv6 needs new rules, and some new rules require brand new ways of working. We have to ensure there's no disruption to our well-established networks and very large customer base."

The telco had worked on the IPv6 implementation until it could deliver "consistency of experience with our products" across both protocol stacks, Robertson explained, with a risk-minimisation policy of "deliberately not using or encouraging" protocol translation stacks like 6to4 and Teredo tunnels, which have been shown to have high error rates that compromise security and reliability.

Relying on native protocol support should make for a cleaner transition that allows native security technologies to be applied to both stacks. However, despite the benefits of the new stack and widespread testing showing it works effectively, Robertson said Telstra faces a very real challenge as it decides what to do with millions of IPv4-only modems and other access devices strewn across the length and breadth of its network.

Those devices are managed by the OSS infrastructure, which had to be upgraded to manage IPv6 and IPv4-based CPE through similar capabilities. "We've got to be awfully cautious that we don't reduce our capacity by 50 percent" by prematurely stranding the company's IPv4 environment, he explained.

"IPv6 capabilities in both the fixed broadband and mobile space are emerging, and home CPE and management of the home needs to be considered. There's a lot of legacy CPE out there which is simply not capable of being upgraded. The question is really how long you can use IPv4, and the answer is 'a very long time'."

While some Australian carriers have been working to shift consumers towards IPv6-compliant equipment, the massive installed base of IPv4-only gear makes support for the current protocol mandatory. This, in turn, will perpetuate the disconnect between security profiles on the new and old networks and force customers to manage two security environments simultaneously.

It's a common problem for carriers jumping towards IPv6, says Internet Society of Australia DO Hub director Richard Jimmerson. "When a large provider has to go in and deploy LSN, it's because they don't want to have to ring up their customers and tell them the device they bought at the electronics store four months ago doesn't work anymore," he explained. "They have to continue to support all of those devices and services that are legacy v4 and may never be IPv6 compliant in the future."

If Telstra's migration is about managing its legacy towards the future, NBN Co has the distinct advantage that it's starting from scratch and has no such restrictions. That fact helped the company specify a robust IPv6-capable network termination unit (NTU) that is making NBN customers IPv6-ready from the day they connect to the network.

As operator of an extremely high-volume network infrastructure, NBN Co has had to deliver a number of adaptations for tasks such as performance management and remote administration of its NTUs. It has also implemented a dual-stack solution for its voice ports, which run over a separate logical internal network.

Lack of a legacy infrastructure has helped NBN Co focus on mapping its services to the capabilities of IPv6, with multicast support expected to be offered to the market by the second quarter of 2012, packet identification tying customers to their NBN retail service provider (RSP) and four hard-coded classes of traffic tapping into IPv6's built-in quality of service (QoS) capabilities. A later option will be the delivery of priority bit mapping, which helps the network prioritise certain users.

"For IPv6 this is totally transparent," said manager of solutions architects Tom Skyes. "Once we get to April next year, we'll have a full suite of session management options available for RSPs. We're in early stages and trying to do what's required – but the good thing about building a network from scratch is that you can put these requirements into requests for proposal, and make sure they're complied with."


Copyright © 2011 IDG Communications, Inc.