January 25, 2013 archive

New Internet-Draft: Balanced IPv6 Security for Residential CPE

What should the appropriate IPv6 security policy be for residential customers?  How can they get the benefits of IPv6 while still ensuring that their home networks are secure?  These are the questions pursued in a new Internet-Draft available today:

http://tools.ietf.org/html/draft-v6ops-vyncke-balanced-ipv6-security

The abstract and introduction explain quite well how this applies to “customer premise equipment (CPE)”:

Internet access in residential IPv4 deployments generally consists of a single IPv4 address provided by the service provider for each home. Residential CPE then translates the single address into multiple private IPv4 addresses allowing more than one device in the home, but at the cost of losing end-to-end reachability.  IPv6 allows all devices to have a unique, global, IP address, restoring end-to-end reachability directly between any device.  Such reachability is very powerful for ubiquitous global connectivity, and is often heralded as one of the significant advantages to IPv6 over IPv4.  Despite this, concern about exposure to inbound packets from the IPv6 Internet (which would otherwise be dropped by the address translation function if they had been sent from the IPv4 Internet) remains.  This document describes firewall functionality for an IPv6 CPE which departs from the “simple security” model described in [RFC6092].  The intention is to provide an example of a security model which allows most traffic, including incoming unsolicited packets and connections, to traverse the CPE unless the CPE identifies the traffic as potentially harmful based on a set of rules.  This model has been deployed successfully in Switzerland by Swisscom without any known security incident.

This document is applicable to off-the-shelf CPE as well as to managed Service Provider CPE.

The authors welcome comments on the draft; their email addresses can be found at the end of the document. It’s definitely a worthwhile contribution to the IPv6 security discussion and could provide useful guidance to operators seeking to understand how they should configure customer equipment to allow IPv6 yet still remain secure.
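The difference between the two models can be made concrete with a small forwarding model, added here as an example that is not taken from the draft or from the original post. The deny list, addresses and packets are constructed for illustration (the page does not list the draft's actual rules), and the "simple" branch reduces RFC 6092 to dropping all unsolicited inbound traffic.

```python
from dataclasses import dataclass

# Hypothetical deny list for the "balanced" policy. The page does not give the
# draft's rules; these (protocol, destination port) pairs are constructed.
BALANCED_DENY = {("tcp", 23), ("tcp", 445), ("udp", 161)}

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = WAN -> LAN, "out" = LAN -> WAN
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Cpe:
    """Minimal stateful IPv6 forwarding model for one CPE."""
    def __init__(self, policy):
        if policy not in ("simple", "balanced"):
            raise ValueError(policy)
        self.policy = policy
        self.flows = set()  # flows opened from the LAN side

    def forward(self, p):
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True  # outbound is allowed and remembered
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return True  # reply to a LAN-initiated flow: both policies accept
        if self.policy == "simple":
            return False  # simplified RFC 6092: unsolicited inbound is dropped
        # Balanced: unsolicited inbound passes unless a rule flags it.
        return (p.proto, p.dport) not in BALANCED_DENY

LAN, WAN = "2001:db8:1::10", "2001:db8:ffff::1"  # documentation prefix
TRAFFIC = [  # constructed sample packets
    Packet("out", "tcp", LAN, 50000, WAN, 443),  # LAN host opens HTTPS
    Packet("in", "tcp", WAN, 443, LAN, 50000),   # reply to that flow
    Packet("in", "tcp", WAN, 40000, LAN, 8443),  # unsolicited, home server
    Packet("in", "tcp", WAN, 40001, LAN, 23),    # unsolicited, on deny list
]

def verdicts(policy):
    cpe = Cpe(policy)
    return [cpe.forward(p) for p in TRAFFIC]

if __name__ == "__main__":
    for policy in ("simple", "balanced"):
        print(policy, verdicts(policy))
```

Only the third packet differs between the two policies: the unsolicited connection to a home server is dropped under the simple model and forwarded under the balanced one, which is the end-to-end reachability the draft aims to keep.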

Last Day To Submit Speaking Proposals for SIPNOC2013

Got a great idea for a talk to give to an excellent gathering of SIP/VoIP network operators? Have a new way of handling security? Have a case study you'd like to present for how you solved an operational issue?

The SIP Network Operators Conference (SIPNOC) is an outstanding event happening in Herndon, Virginia, USA, from April 22-25. It brings together network operators working with SIP / VoIP networks for several days of talks, networking (of the human kind) and education. I've gone the past two years, speaking about IPv6, and they are truly excellent conferences. Not too big, not too small... and with an extremely high quality of people both attending and speaking.

If you think you'd like to present, TODAY, January 25, 2013, is the end of the call for presentations for SIPNOC 2013. They are seeking presentations on topics such as (see the CFP for more detail):

  • Peering
  • SIP Trunking
  • Congestion Control
  • Applications/content Development
  • Interoperability
  • Call Routing
  • Security
  • Monitoring/Troubleshooting and Operational Issues
  • Testing Considerations and Tools
  • Availability/Disaster-Recovery
  • WebRTC and SIP
  • SIP-Network Operations Center Best Practices
  • Standardization Issues and Progress
  • FoIP/T.38 Deployment
  • User-Agent Configuration
  • IPv6 Deployment Challenges
  • Emergency Services
  • Scaling and Capacity Issues
  • HD-Voice Deployment Challenges
  • Video Interop Issues

They are seeking individual talks, panel sessions, research sessions and BOFs.

Even if you just have an idea for a session, I'd encourage you to submit a proposal so that the SIPNOC 2013 Program Committee will know of your interest and can reach out to you for more details. More info about the process can be found on the CFP page.

If you aren't interested in speaking, but are now intrigued by SIPNOC and would like to learn from all the excellent sessions, you can go to the SIPNOC 2013 main page and find out information about how to register and attend.

If you work at or for a telecom/network operator who is involved with SIP and VoIP, I highly recommend SIPNOC as a conference you should attend - you'll learn a huge amount and make great connections.

P.S. I have no affiliation with SIPNOC other than being a speaker there in the past. SIPNOC is a production of the SIP Forum, a great group of people focused on advancing the deployment and interoperability of communications products and services based on SIP.

