5 DEPARTMENT OF COMMERCE
6 DEPLOYING IPv6: EXPLORING THE ISSUES
7
8 WEDNESDAY, JULY 28, 2004
9 9:00 A.M.
10
11
12 DEPARTMENT OF COMMERCE
13
14 WASHINGTON, D.C. 20230
15
16
17
18
19
20 Reported and transcribed by: Deborah Turner, CVR
21
22
For The Record, Inc.
Suburban Maryland 301-870-8025
Outer Maryland 800-921-5555
1 PANEL PARTICIPANTS
2
3 Mr. Michael D. Gallagher, Department of Commerce
4 Dr. Vinton Cerf, MCI
5 Dr. Michael Gallaher, RTI
6 Mr. Dan Caprio, Department of Commerce
7 Dr. Mark Skall, NIST
8 Mr. Joseph Watson, NTIA
9 Mr. Stan Barber, Verio
10 Mr. Mark Desautels, CTIA
11 Dr. Paul Francis, Cornell University
12 Mr. Tony Hain, Cisco
13 Mr. Henry Kafka, BellSouth
14 Dr. Latif Ladid, IPv6 Forum
15 Dr. Paul Liao, Panasonic
16 Mr. Mark Rotenberg, EPIC
17 Mr. Jim Bound, North American Task Force
18 Ms. Marilyn Kraus, DoD
19 Mr. Preston Marshall, DARPA
20 Dr. Douglas Maughan, Department of Homeland Security
21 Mr. Gene Sokolowski, GSA
22 Dr. Rick Summerhill, Internet2
1 PANEL PARTICIPANTS (Cont'd)
2
3 Mr. Ted Tanner, Microsoft
4 Mr. Rick White, TechNet
1 P R O C E E D I N G S
2 - - - - -
3 ASSISTANT SECRETARY GALLAGHER: Good morning, everybody.
4 As most of you know, I'm Mike Gallagher. I'm the Director
5 of NTIA and the Assistant Secretary of Commerce for
6 Communications and Information. And on behalf of
7 Secretary Evans I am delighted to welcome you to the
8 Department of Commerce and our meeting today on IPv6.
9 I also would like to welcome David Skall who is
10 the Acting Director of the Information Technology lab at
11 NIST. He'll be comoderating our panels this morning.
12 And as most of you know the IPv6 effort is a
13 joint effort, this task force between the Department of
14 Commerce and NIST and it's in that spirit of partnership
15 that we are here today.
16 The Internet has revolutionized communications
17 in the United States and throughout the world. In less
18 than a decade the Internet has become the primary
19 mechanism for the dissemination, retrieval and exchange of
20 information between and among millions of computer users
21 worldwide, not just here in the United States.
22 But today, here in the United States over 60
1 percent of homes have computers in them and over 60
2 percent of homes access the Internet.
3 Broadband adoption in the United States stands
4 today at 25 percent of homes roughly and is growing and
5 mobility is on the rise.
6 Today there are 164 million mobile wireless
7 subscribers in the United States and that number, as we
8 have seen in the recent reports from the mobile wireless
9 companies, continues to grow rapidly.
10 We also enjoy new technologies that are coming
11 on the scene like Wi-Fi and WiMAX and XG which we'll hear
12 a little bit about hopefully today.
13 And it's also a time of dynamic and exciting
14 growth but also disruptive change. So it's important that
15 we as a government, we as policymakers, closely examine
16 the trends in the marketplace, understand the technologies
17 and the opportunities before us and help manage at least
18 the federal government enterprise through these times of
19 interesting change.
20 Because these are also times of viruses and
21 worms and spam and other vulnerabilities to our cyber
22 infrastructure that were not even contemplated several
1 years ago, so today's meeting examines one of the elements
2 that lies at the heart of the Internet, the Internet
3 protocol or IP.
4 IP not only provides a standardized envelope for
5 Internet communications, it also contains headers and the
6 headers that provide addressing, routing and message
7 handling information that enables a message to be directed
8 to its final destination over the various media that
9 comprise the Internet.
10 The current generation of IP, IP version 4 has
11 been in use for more than 20 years and has supported the
12 Internet's growth over the last decade. With the
13 commercialization of the Internet concerns were raised
14 about the ability of IP version 4 to accommodate emerging
15 demand especially the anticipated demand for unique
16 Internet addresses.
17 As a result the Internet Engineering Task Force
18 or IETF, the people who brought us IP version 4 began
19 working on the next generation of IP, which became IPv6.
20 Proponents of IPv6 assert that it has a number
21 of potential benefits as compared to version 4 most
22 notably a vast increase in the number of Internet
1 addresses.
2 Hardware manufacturers and software developers
3 are beginning to incorporate IPv6 into their products,
4 particularly routers and operating systems. To date,
5 however, there appear to be few IPv6-based services and
6 applications available in the U.S. market. On the other
7 hand, a number of foreign governments, especially those in
8 Asia, have announced plans to push deployment of IPv6.
9 These developments have raised questions about
10 the pace of IPv6 deployment in the United States. The
11 President's 2003 National Strategy to Secure Cyberspace
12 directed the Department of Commerce to form a task force
13 to examine the issues related to IPv6 including cost and
14 benefits of deploying IPv6 and the appropriate role of
15 government in that process.
16 After reviewing public comments on the issue the
17 task force recently made available a discussion draft that
18 explores these and other IPv6 related issues.
19 This meeting is another stage in the Task
20 Force's effort to develop sound policy recommendations for
21 the President on this important topic. And after we have
22 fully discussed IPv6 I hope there will be time to consider
1 the mystery of what happened to IP version 5. (Laughter.)
2 We are very lucky to have with us today experts
3 from business, academia and government who will help us
4 grapple with the many policy facets of IPv6.
5 The first panel will consider the costs and
6 benefits of adopting IPv6, what new and different
7 capabilities that IPv6 can make available and what costs
8 consumers and benefits will have to incur to take
9 advantage of these capabilities.
10 The second panel will consider what role, if
11 any, the federal government should play in the market-
12 driven process that will largely determine the rate and
13 scope of deployment of IPv6 in the United States.
14 We are also very grateful to have here today
15 Vint Cerf. He's the Senior Vice President of Technology
16 Strategy at MCI. He is also one of the names that we
17 associate very closely with the origination and creation
18 of the Internet.
19 He's a friend of the Department of Commerce and
20 a partner in virtually every Internet policy development
21 that we pursue here and we are very pleased to have Vint
22 here with us today.
1 And Vint is going to start our forum with a
2 brief set of explanations of IPv6, what it is and why we
3 should care about it. So, Vint, if you'd like to take us
4 through that we look forward to your energizing thoughts.
5 DR. CERF: I appreciate that. Good morning,
6 everyone. And thank you very much, Secretary Gallagher,
7 for a kind introduction, a warm welcome at the Department
8 of Commerce.
9 I hope you all notice that I'm not using
10 PowerPoint and many of you know my favorite expression now
11 is "Power corrupts and PowerPoint corrupts absolutely."
12 So I'm trying to practice speaking without the benefit of
13 that ubiquitous tool.
14 Let me try to respond immediately to your IPv5
15 question. There are some old-timers in this room who do
16 remember that we actually never had an IP version 1 or 2.
17 What happened is that we started with something called TCP
18 and only after we got past the second iteration to the
19 third one did we realize we needed to split the TCP
20 protocol into two parts.
21 The IP part was introduced in part to allow for
22 real-time interactions that didn't require sequenced
1 delivery or guaranteed delivery of the information.
2 One of the examples that was used to drive the
3 splitting of TCP and IP was packetized voice. And so
4 we're back in the 1977 period considering how this
5 Internet technology could be made to carry real-time
6 traffic including speech but also things like missile
7 tracks, radar returns and things like that.
8 The point that was well made by Danny Cohen who
9 was one of the pioneers in packetized speech was that the
10 real-time traffic was kind of like milk and the file
11 transfer was kind of like wine.
12 You needed to deliver milk quickly before it
13 spoiled and you didn't mind if you spilled a little bit in
14 the process. Wine, on the other hand gets better over
15 time and so it's okay to take your time delivering that
16 because it will be better if it's all there when you need
17 it. So in those early years we were persuaded that we
18 needed to have a distinction between the IP layer and the
19 TCP layer.
20 The question about IPv5 is easily answered.
21 Once we realized that we needed to have a capability to
22 support real-time traffic we then began to explore video
1 and voice conferencing using packet modes of
2 communication. So we explored a new version of IP which
3 was designed for what was called streaming protocols. It
4 was IPv5, was ST for streaming transfers.
5 That involved quite a bit of hair and mechanics,
6 frankly, to set up and tear down state in order to be
7 sensitive to the streaming requirements of these real-time
8 modalities. And ultimately it was more complicated than
9 anyone really wanted and so we frankly abandoned the IPv5
10 protocol development but as is the practice in the
11 Internet world we didn't reuse the identifier and so we
12 simply took the next one.
13 Now, in fact, during the period of panic when we
14 thought we were going to run out of IPv4 addresses much
15 sooner than we actually have, several contending protocols
16 were proposed as the IP next generation. And so we
17 actually have IPv6, IPv7, IPv8, all defined and IPv9. So
18 there were 6, 7, 8 and 9; there were four different
19 proposals that were considered and ultimately the one
20 which was chosen is now what we call IPv6.
21 But those other protocols are also defined and
22 so if we go to something after IPv6 it will have to be
1 IPv10 because v9 and 8 and 7 are already taken.
2 ASSISTANT SECRETARY GALLAGHER: Well, hopefully,
3 you’ll be around to explain all that when that happens.
4 DR. CERF: Right. Well, actually this is kind
5 of like -- remember the Y2K problem? I'm anticipating
6 that somewhere around the year 9999 somebody is going to
7 say those idiots, why didn't they put a fifth digit on the
8 -- you know, when they had the chance way back in 1999?
9 Now, we have to go through this stupid stuff again.
10 Well, I don't know. I hope I am around when we
11 hit it. Frankly when Bob Kahn and I started working on
12 this stuff we recognized that we needed to have a protocol
13 that would run on top of virtually any communication
14 system.
15 So you all know about my t-shirt that says IP on
16 everything. With the v6 protocols, I guess it's got to be
17 IP everywhere or something like that. There are 128 bits
18 of address space in the version 6 IP packet format.
19 That's enough for about four times ten to the 38th
20 distinct terminations.
21 At one point I used to run around saying that
22 that's enough address space so that every electron in the
1 universe can have its own web page if it wants to until I
2 got an e-mail from a good friend at Caltech; Dear Dr.
3 Cerf, you jerk. There's ten to the 88th electrons in the
4 universe and you're off by 50 orders of magnitude. That's
5 bad even for government work. So I don't say that
6 anymore.
7 One of the primary attractions to the IPv6
8 design is simply it does have more address space and in
9 that sense it emulates the v4 except that it just gives us
10 more room to point to terminations.
11 It's also been restructured somewhat for
12 efficiency and there are a few extra features that have
13 been put in like a flow ID which we have not yet really
14 capitalized on.
15 It could be that no one will figure out what to
16 do but the concept was to have a way of identifying flows
17 of traffic that we needed to treat as kind of a common
18 collection of packets that needed to be treated in a
19 certain way.
20 It's fair to say however that just introducing
21 IPv6 is a nontrivial exercise. If it were the case that
22 we were designing the Net all over again and there was
1 nothing and we were starting with IPv6 this would be
2 easier in the same sense that it was easier to do v4.
3 For example, the core of the network was all v4
4 and the network grew from the core out. And that meant
5 that you always had connectivity in the v4 world.
6 The v6 world coming into, being born into a
7 network which is ubiquitous in v4 but not ubiquitous in v6
8 enters in a rather different state and so we end up
9 wondering what to do about the islands of v6 connectivity
10 that now need to be linked to each other somehow.
11 It isn't just there. It's something you have to
12 work on. So there are various techniques that have been
13 evolved in order to help this connectivity process along.
14 One of them is called tunneling and it's a way of taking a
15 v6 source and a v6 destination and passing traffic
16 encapsulated in IPv4 between the source and the
17 destination.
18 That has all kinds of interesting side effects.
19 I mean, the thing which the v6 packet is encapsulated in
20 has a finite amount of space and that means that you've
21 actually eroded some of it for purposes of putting an
22 embedded packet header in. So that has a side effect on
1 the applications that are pushing traffic through the
2 tunnels.
3 There are all these kinds of little details that
4 have to be dealt with. We will still have firewalls, for
5 example, which were not part of the original Internet
6 architecture. They kind of grew up as a side effect of
7 people trying to protect themselves from various forms of
8 attack. And your comment earlier about virus and worms is
9 quite timely because we do have to fight these things off.
10 So we have firewalls which we have to traverse.
11 I would submit that the conceptual difference between v4
12 and v6 is de minimis in terms of how you configure a
13 firewall to allow passage of a v6 packet or v4 packet
14 through it.
15 But then there are also these things called
16 network address translation boxes which are, in part, a
17 side effect of not having enough v4 address space to
18 simply allocate it freely. So we have even commercial
19 interests that interfere with the free allocation of v4.
20 If you happen to be a cable modem user you may
21 discover that your cable modem provider says well, you get
22 one IP address. I don't care how many computers you have
1 at home.
2 I won't say who my cable provider is but I
3 called and said, well, I would like five or six addresses
4 please because I needed to refer to these devices
5 externally from wherever I was in the world, like the
6 printer and so on, and they said, well, we can do that.
7 It will be an extra $5 a month for each IP address.
8 And I remember biting my tongue and wanting to
9 say many bad words. I invented this stuff. I shouldn't
10 have to pay another $5 a month. But I didn't. So I don't
11 want to minimize the challenges associated with deploying
12 the IPv6 into an already connected v4 environment.
13 The Network Address Translation boxes which in a
14 sense interfere with the end-to-end addressing of the
15 network are a kind of architectural abomination but
16 they're there and at one point the Internet architecture
17 board debating what to do about the introduction of v6,
18 the mechanisms, suggested that maybe the NAT boxes could
19 become stepping stones for the introduction of version 6
20 protocol in the midst of a sea of IPv4.
21 So you could be talking IPv6 at the edge and the
22 NAT box would actually translate into v4, pass the packets
1 to the other end and pop them back out on the other side.
2 So it could be that these boxes that some of us don't like
3 very much may be a stepping stone towards introduction of
4 IPv6.
5 There have been debates over whether this
6 introduction would occur from the center out or whether it
7 would happen from the edge in. And for a while I thought
8 maybe it was a black and white thing, it either started at
9 one side or the other.
10 I think not. Now, I'm convinced that you have
11 to work both ends of this thing. In the edge clearly if
12 nobody is implementing IPv6 there's no point in having a
13 v6 transport because nobody would use it.
14 If the core doesn't have the ability to
15 transport v6 then there is not much motivation to build
16 devices that have v6 addresses because they can't use
17 them. So I'm now persuaded that we have to work both the
18 core and the edge at the same time.
19 The software vendors, as Secretary Gallagher
20 mentioned, have, in fact, stepped up to the plate so that
21 Microsoft has a v6 capability in its XP operating system.
22 Many of the other, most of the other major operating
1 system providers have UNIX-based IPv6 and so on.
2 And in the router world most of the major router
3 vendors, especially those dealing with core routers like
4 Juniper and Cisco have well-defined and well-developed
5 IPv6 switching capability.
6 So what we anticipate now is a kind of parallel
7 deployment of v4 and v6. So the v6 will be present and
8 running in dual mode in the host and in the routers and
9 that state of mixed environment will probably go on for
10 quite some time. There's an old theorem that says things
11 that work persist. And v4 arguably works and so it will
12 not just disappear all by itself.
13 What will happen, I think, is that more --
14 assuming that v6 is successfully deployed -- is that it
15 will eventually be the dominant carrying protocol and the
16 v4 islands will then need to be connected. Now, the NAT
17 boxes will be inverted and they'll carry v4 packets
18 encapsulated in the v6 sea of Internet, assuming all that
19 actually goes as we hope.
20 Speaking just for MCI for a moment we have been
21 involved in v6 for quite some time because back in 1995 we
22 built a network called the VBNS which is Very Broadband
1 Network Service for the National Science Foundation,
2 primarily in the academic community.
3 That system very quickly supported v6 addressing
4 and routing. We participated in the 6bone and then
5 more recently we have participated in the Moonv6 program
6 which I hope you'll hear more about. It's a domestic
7 effort to support the testing of interoperability of v6
8 implementations. We look forward to a production
9 implementation of IPv6 in 2005.
10 But I want to tell you that this is a nontrivial
11 exercise. It's not enough to have v6 addressing
12 capability in hosts and the operating systems and have the
13 switching capability in the routers and also, of course,
14 routing protocols that know how to speak v6 as well as v4.
15 Because there is all this surrounding apparatus
16 for ordering v6 service, for doing the provisioning of the
17 routers to get the v6 addresses assigned to a customer in
18 the appropriate ways, this is the back office system.
19 And the back office system has to be modified in
20 order to know about IPv6 to make the assignments, do
21 appropriate steps, take appropriate steps to provision for
22 a new customer.
1 There had been occasional debates in our
2 community about whether v6 is somehow a separate
3 chargeable thing. My view, frankly is that at some point
4 you should get both a v4 and v6 address when you order
5 Internet service, you know, end of story.
6 At some point, someday you won't be able to get
7 a v4 address and at that point v6 will have managed -- I
8 hope by that time we have v6 widely deployed because if we
9 don't we're in deep trouble.
10 By the way, in case somebody thinks I'm
11 listening to an iPod I'm not. I fell and hit my head last
12 week or two weeks ago and broke one of my hearing aids.
13 And I don't have a replacement yet because they're all in
14 the ear and they need to have a mold that is taken to fit.
15 So I'm running around with this thing which is a weak
16 substitute. But if you want to know what the baseball
17 score is, let me know.
18 In the long run, I honestly believe that there
19 will be billions of devices on the Internet and they
20 really will need unique addressing. And so IPv6 is the
21 only way to get there because v4 runs out of gas at 4.3
22 billion and we have never been able to allocate it as
1 precisely and efficiently as one would like to achieve
2 that maximum number.
3 I confess to you that there was a year's debate
4 back in 1976 about how big the IP address space should be
5 and it didn't settle. I mean, we had one group that
6 wanted 32-bits. Another group wanted 128 and a third
7 group wanted variable length.
8 Well, the variable length guys were vilified
9 equally by everybody who didn't want to program variable
10 length headers and figure out where something is in the
11 packet.
12 And the 128 sounded just a little excessive in
13 1976. I mean, after all, it was an experiment. So I
14 thought well, 4.3 billion addresses should be enough for
15 an experiment. And that was a fair assessment at the
16 time.
17 What I didn't understand is that the experiment
18 didn't end. It just kept going and it became a commercial
19 enterprise, thanks in part to the Department of Commerce,
20 the National Science Foundation and other parts of the
21 U.S. government who made decisions that led very clearly
22 to the commercialization of the Internet.
1 I think the U.S. government has not gotten as
2 much credit as it deserves for the creation of the
3 Internet, not simply the funding of the research but also
4 the policy steps that it has taken over the course of the
5 last 25 or 30 years to make this happen. So let me close
6 by making a couple of suggestions.
7 First of all, you had mentioned the study about
8 IPv6 that has been commissioned and which I take it is
9 still ongoing. Secretary Gallagher, I would suggest also
10 that you might consult with the President's Information
11 Technology Advisory Committee and ask if they would
12 address the same question.
13 You'll get a different set of perspectives and
14 another cut at the significance of v6, the challenges that
15 we face in implementing it and deploying it and the value
16 that we expect to get from it.
17 And finally, since I am going to have to sneak
18 out of here to go to the FCC Technology Advisory Board
19 meeting I won't be here to engage in this discussion but
20 many of you here have been working Internet and IPv6 for
21 many years.
22 I want to especially acknowledge Latif Ladid who
1 is in the back there who started the IPv6 forum, which has
2 spawned a great deal of discussion all over the world at
3 policy levels and in engineering levels and production
4 levels about IPv6.
5 It's easy to slip into a kind of hyperbolic
6 interaction and I would urge you to avoid that today.
7 What's important here is to understand what the issues
8 are, to appreciate that this is not pixie dust; this is
9 hard work.
10 I personally am committed to getting v6 up and
11 running from in my company and I'm going to be pursuing
12 and encouraging others to do the same but I don't want to
13 minimize the challenges associated with its
14 implementation.
15 So listen carefully to the discussion and those
16 of you who are engaged in that discussion I ask you to be
17 as calm as you can be. You have an opportunity to help
18 everyone really understand the nature of the problem and
19 what the opportunities are. And so I wish you a very
20 successful conference and I thank you for this morning's
21 opportunity to address you. (Applause.)
22 ASSISTANT SECRETARY GALLAGHER: Vint, thank you for
1 those insightful words and the historical framework that will
2 support our discussion today and your wit and wisdom over
3 the years, very much appreciated here at the Department
4 and look forward to continuing that up to version 10.
5 As I mentioned, the Commerce Department's IPv6
6 task force has made available a discussion draft that
7 explains the issues associated with the deployment of IPv6
8 in the United States.
9 That document is available on NTIA's web site
10 which is www.ntia.doc.gov. The task force has been
11 assisted in that effort by RTI International, a consulting
12 firm in Research Triangle Park, North Carolina. Dr.
13 Michael Gallaher, no relation, is the director of
14 technology.
15 DR. CERF: We don't really believe you.
16 ASSISTANT SECRETARY GALLAGHER: These government
17 contacts are rigged, aren't they? That's great. We know
18 what the standard is. He is the Director of Technology,
19 Economics and Policy for RTI and he's here to give a brief
20 overview of the discussion draft.
21 I hope that Dr. Gallaher's talk will provide
22 both food for thought and fodder for the discussion that
1 follows and we welcome Dr. Gallaher to take us through
2 the report.
3 UNIDENTIFIED SPEAKER: Despite the corrupting
4 power of PowerPoint we're going to set one up real quick
5 here.
6 DR. GALLAHER: Okay. Thank you. As was
7 mentioned, RTI is supporting the task force in
8 investigating IPv6 and so what I would like to do this
9 morning is to take a few minutes and provide some
10 background information and highlight some of the issues
11 that hopefully will be discussed during our two panel
12 sessions.
13 As we heard IPv6 was developed in the mid-90s
14 with the objective to increase the address space by going
15 from 32 to 128 bits. Other improvements were to simplify
16 header that hopefully will improve efficiency and the
17 addition of flow labels and priority differentiation that
18 will provide enhanced capabilities.
19 So to date for the global trends very few
20 address blocks have been assigned with even fewer traffic
21 being observed. Domestically, as we heard, most of the
22 software and hardware vendors are in the process or are
1 planning to integrate IPv6 capabilities into their network
2 products.
3 However, internationally we have, particularly
4 in Asia and Europe, they have been slightly more
5 aggressive in development and deployment of IPv6. For
6 example, in Japan and China and Europe they have actually
7 allocated public funds to help incentivize the adoption.
8 And I think manufacturers have been slightly more
9 aggressive in implementing IPv6 into their products and
10 services.
11 We hope that at our discussions today and the
12 panel will gain more insights into what the trends are
13 internationally.
14 Now, in light of the global developments and the
15 potential benefits of IPv6, especially the security
16 benefits, as we heard the National Strategy to Secure
17 Cyberspace has directed the Secretary of Commerce to
18 investigate this issue.
19 As part of this they have asked the task force
20 to solicit input from potentially impacted industry
21 stakeholders and hence that's one of the reasons we're
22 here today. Now, as we heard the task force is cochaired
1 by NTIA and NIST who are moderating today's session. As
2 part of its efforts it has been engaged in a variety of
3 information gathering activities.
4 We have received over 22 responses to the
5 request for comments totaling 400 plus pages of very
6 valuable information. NTIA and NIST have been meeting
7 with stakeholders and RTI has conducted over 50 interviews
8 with Internet users, vendors, government agencies and to
9 research associations.
10 So this is all fed into the discussion draft
11 that we have posted and really the purpose of the
12 discussion draft was to present some preliminary insights
13 into the long-term benefits of IPv6 and the short-term
14 costs in vulnerabilities.
15 So this meeting gives us an opportunity to share
16 with you some of the views that we have heard and so what
17 I would like to do over the next few slides is to
18 highlight some of the issues that we heard and that can
19 hopefully be followed up today at the panel.
20 Now, from our interviews most of the benefits
21 that we talked about can fall into these categories that I
22 have listed up here. The most commonly cited benefits are
1 either directly or indirectly linked to the increased
2 address space that will support peer-to-peer
3 communications and hopefully a new generation of
4 applications built on increased connectivity and mobility.
5 However, there are significant uncertainties
6 surrounding the benefits and many of the experts said that
7 quite a few of them are conditional on how the Internet
8 will evolve and the emergence of new compatible
9 technologies. And so we hope to hear more about some of
10 these issues today at the panel session.
11 Now, as was mentioned earlier there has been a
12 fair amount of debate of whether we are truly faced with a
13 possible shortage of IPv4 addresses and to some degree
14 this is a difficult question to answer because the current
15 forecasts are built on existing demand and existing
16 applications.
17 So really a larger question should be what are
18 the new applications that will emerge given the increased
19 address space that will become available with IPv6?
20 Now, many experts contend that IPv6 will
21 simplify and accelerate the development availability of a
22 wide range of innovative end applications. And these
1 include wiring of the household where every household will
2 have remote access to hundreds of devices or appliances.
3 It also includes increased service productivity
4 where we could potentially wire our automobiles and
5 appliances that will reduce maintenance costs and
6 potentially increase the life expectancy of these durable
7 goods.
8 Additional benefits include the enhanced
9 mobility and the possibility of continuous Internet
10 connections for our laptops and our PDAs and mobile phones
11 and sensors, et cetera, could spur the development of new
12 applications in both the public and private sector.
13 However, a valid question is can these
14 applications come about using IPv4 and if they can what
15 would the cost be?
16 Now, many of the experts we spoke with during
17 our interviews were concerned that the benefits being
18 purported for IPv6 are conditional on certain evolutionary
19 pathways of the Internet. For example, it's uncertain
20 what the prevalence of middleware will be. We heard the
21 example of NATs already talked about in a future IPv6
22 environment.
1 There appears to be disagreement over the
2 benefits and the costs of NATs and other middleware
3 devices such as firewalls. I mean, they exist now and
4 what is the likelihood that they will be removed from the
5 system in the future?
6 And the concern is that if the benefits of IPv6
7 are based on an assumption of the removal of most
8 middleware that could be an issue for future development.
9 So we definitely hope that the panel will talk
10 this morning about issues such as what are the costs and
11 benefits of middleware? What's the likelihood of their
12 persistence and what are the implications for IPv6?
13 Now, in our discussions and interviews one of
14 the few things that everybody was in agreement on was that
15 the timing and penetration of IPv6 is highly uncertain.
16 To date, it has not received significant
17 penetration, I think still less than one percent of
18 Internet users have access to IP services and the future
19 penetration will hinge on several issues such as the
20 emergence of killer applications, security concerns, both
21 pros and cons, to international competitiveness, and the
22 government's role in deployment.
1 Now, related to security, experts commented that
2 there are both short-term vulnerabilities as well as
3 potential long-term benefits.
4 The short-term vulnerabilities are associated
5 with the additional network administrative activities, the
6 need to support potentially two networks during transition
7 simultaneously and the learning curve required in the
8 early stage of IPv6 deployment.
9 I mean, it was cited that we've been working on
10 security issues with IPv4 for 20 years and we haven't
11 gotten them all ironed out so it's not unrealistic that in
12 a transition to IPv6 there will be issues.
13 Now, in the long run a fair number of experts
14 thought that security benefits could be realized but there
15 was significant disagreement over the timing and the
16 magnitude of these benefits.
17 And even if IPv6 is the enabling technology to
18 achieve these benefits -- or is it just going to play a
19 supporting role in this? Also, as mentioned, there's
20 uncertainty about the presence of middleware and what this
21 means to the security benefits of IPv6.
22 Now, we were told that the transition is likely
1 to be gradual. There will be no flip-switch date when all
2 of a sudden the entire network will be operating under v6.
3 The capabilities will likely be added gradually
4 over time as part of the routine upgrades, maintenance and
5 software and once the infrastructure is in place, as we
6 heard, that there are various transition techniques such
7 as tunneling and dual-stack operation that can allow a
8 gradual transition with both v6 and v4 operating
9 simultaneously.
10 There will be costs and most experts imply that
11 they would primarily be to labor costs for enabling the
12 technologies once the capabilities are in place. We have
13 a fairly detailed discussion of this in our document that
14 was posted and we hope that we'll get further information
15 on this today as part of the panel sessions' discussions.
16 Now, interoperability is an issue to varying
17 concerns with experts. Interoperability is the ability to
18 seamlessly communicate information between networks and
19 applications and the issue is relevant both for
20 communications between IPv4 and IPv6 networks but also
21 between different networks and applications of IPv6 that
22 might have used different implementation strategies.
1 Testbeds such as the Moonv6 that was mentioned
2 that are a collaboration between the Department of
3 Defense, the University of New Hampshire and vendors are
4 helping to address and identify several of these
5 interoperability issues.
6 A question for today's discussion could be what
7 role, if any, might government play in addressing these
8 interoperability issues and what lessons learned can be
9 taken from testbeds such as Moonv6 that can then be
10 applied on private sector interoperability problems?
11 Now, several stakeholders have expressed concern
12 about the implications for U.S. competitiveness if America
13 lags behind the rest of the world in the deployment of v6.
14 And at issue is will there be sustainable first-
15 mover advantages associated with early adoption such as
16 knowledge and technologies and experience that are gained
17 through early adoption or will there be significant
18 switching costs that could lead to product lock-in and
19 provide a benefit for the first movers?
20 In addition for U.S. corporate and industrial
21 users the question is will they be at a competitive
22 disadvantage if they lag behind their foreign
1 counterparts?
2 And here the issue is are there productivity
3 gains from early deployment and how do they compare with
4 the increased or incremental costs associated with early
5 or accelerated deployment?
6 And finally, there were some concerns that
7 potentially to regions or countries where early deployment
8 takes place could use interoperability issues to their
9 advantage, such as particular implementations of solutions
10 or to legal and privacy implications of encryption
11 restrictions.
12 Stakeholders we spoke with generally felt that
13 there were no significant market barriers to adoption and
14 that monopoly was not a concern or monopoly power was not
15 a major concern to enter the market for IPv6.
16 However, there were some concerns and they were
17 primarily associated with the public nature of the
18 Internet in that there are tenabilities to capture the
19 full return on investments.
20 And these could potentially create the barriers
21 to deployment, its implications being that we could see an
22 underinvestment in R&D to support standards protocols and
1 conformance testing.
2 Also, that the return on investment could lead
3 to a chicken or egg dilemma in which potentially the
4 network delays deployment waiting on the killer
5 applications and vice versa the application manufacturers
6 are waiting for the network to get in place.
7 Finally, and what will be the focus of our
8 second panel today, what is the proper role, if any, for
9 the government?
10 The general consensus is that market forces will
11 and should drive the deployment of the interview but we
12 heard from most experts that the government should be an
13 active participant in the transition. Potential roles for
14 government include them as a consumer in which potentially
15 they could engage in wide-scale adoption. The Department
16 of Defense is an example of this.
17 Also, government support of R&D both to support
18 the basic infrastructure and to support the
19 interoperability and conformance testing for application
20 development, also information dissemination through
21 trainings, workshops and meetings is a potential for
22 government.
1 So in conclusion the task force looks forward to
2 the panel discussions and hopefully we can shed some light
3 on what role we will have here for government and also
4 some of the other issues that were mentioned earlier.
5 Thank you. (Applause.)
6 ASSISTANT SECRETARY GALLAGHER: Thank you, Dr.
7 Gallaher. That's very helpful. It tells us, gives us a good
8 launching point of the work that's been done to date by
9 the task force and has been gathered and synthesized by
10 the group.
11 And we'll have one more general discussant
12 before we start the panel. I would like to invite Mark
13 Skall to come forward and kind of share from a partnership
14 perspective his view on our task today and other light
15 that he would shed on our quest. Mark.
16 MR. SKALL: Thank you, Secretary Gallagher. My
17 name is Mark Skall. I'm the Acting Director of the
18 Information Technology Laboratory within NIST and I'm
19 getting back to the baseball discussions, I'm sort of the
20 pinch hitter for Dr. Semerjian, who's the Acting Director
21 of NIST, this morning. He got called away unexpectedly.
22 I know he was very excited about being here as I am.
1 We at NIST are a technical agency and we really
2 look forward to participating in discussions like this
3 where it's very important to analyze the technical issues,
4 try to come to some consensus before, of course, we can
5 make these very important policy decisions.
6 We at NIST, as our name implies, have a lot of
7 experience working with standards. We've worked with
8 many, many standards organizations for more than 30 years
9 including IETF, W3C, Oasis, ANSI ISO and many, many more.
10 We have contributed technical expertise to these
11 committees, helped them develop standards, helped them
12 write the specifications and ensure that they are, in
13 fact, testable.
14 We do other things as well. We've developed
15 conformance tests for many of these committees, reference
16 implementations, interoperability tests, and other
17 different testing tools. And all of these activities we
18 know will be important to this effort as well.
19 We're very excited about this. We work closely
20 with industry at NIST and we would like to contribute any
21 way we can and we look forward to an interesting
22 discussion. Thank you. (Applause.)
1 ASSISTANT SECRETARY GALLAGHER: I will ask the panelists
2 to come forward and take their seats here at the table and
3 while they're doing that just a word about the moderators.
4 As was mentioned, this is a partnership that was
5 called for by the President's Strategy to Secure
6 Cyberspace. And here in the Department of Commerce we're
7 constantly reminded by the Secretary that we have two
8 goals to keep in mind as we go about our work.
9 One is to make sure that we have economic
10 security, that we're creating an environment for
11 entrepreneurs to succeed and for job creation and for
12 prosperity in our country.
13 And no one shares those goals more than Joe
14 Watson who's the Associate Administrator of our Domestic
15 Policy shop here at NTIA.
16 And also our Deputy Assistant Secretary of the
17 Technology Administration at this end of the hallway, Dan
18 Caprio. Dan's a wonderful leader, a great addition to our
19 tech team here at the Department of Commerce and he will
20 be spinning comoderation as well.
21 And what we have here is all of the elements of
22 the partnership with Mark here from NIST to bring together
1 the need to drive economic security but at the same time
2 realize that the other goal is national security and that
3 we have an eye on that. And that's certainly a core focus
4 of the national strategy as well.
5 So gentlemen, welcome. Take your seats and
6 we'll look forward to the next hour and a half as we go.
7 MR. WATSON: Mike, thank you very much for that
8 very rich and generous introduction. As Mike indicated,
9 I'm Joe Watson. I'm the head of the domestic policy
10 division here at NTIA and I'm joined by two very
11 knowledgeable and talented comoderators here.
12 Dan Caprio also wears a couple of hats around
13 here both as the Deputy Undersecretary for Technology but
14 also as the Chief Privacy Officer at the Department of
15 Commerce. So very delighted to have Dan here. And also a
16 fellow Illinoisan who I'm always pleased to have around.
17 And Mark Skall, who is the Acting Director for
18 the Information Technology Laboratory. So thank you to
19 these gentlemen for giving us your time here.
20 Just a little bit about the rules before we get
21 under way here. I'd like to remind the panelists that
22 this will be a question-and-answer formatted event.
1 Everyone should feel free to respond to a
2 question even if it was not specifically directed to you.
3 So if you'd like to respond to a question posed to another
4 panelist or to a response given by one of the panelists
5 please just raise your tent card and we'll make sure that
6 we get your points heard.
7 I'd also like to remind the audience that there
8 will be ample opportunity for questions and answers at the
9 end of the panel so once we bring the moderated questions
10 to a close we will turn to questions directly from the
11 audience.
12 If we could begin now by having the panel
13 participants go around and introduce themselves just give
14 your name, the title and organization. We can get
15 underway. Perhaps we can start with Mr. Rotenberg down at
16 the end.
17 MR. ROTENBERG: My name is Mark Rotenberg. I'm
18 executive director of the Electronic Privacy Information
19 Center. I'm also the acting chairman of the Public
20 Interest Registry and we manage the dot org domain.
21 DR. LIAO: I'm Paul Liao. I'm the chief
22 technology officer for Panasonic's operations in the
1 United States.
2 DR. LADID: Thank you. Latif Ladid. I'm the
3 President of the IPv6 Forum European Commission, Chair of
4 the IPv6 Task Force and also Internet Society trustee.
5 MR. KAFKA: Hank Kafka. I'm Vice President of
6 Architecture and emerging technologies for BellSouth.
7 MR. HAIN: Tony Hain. I'm senior technical
8 leader at Cisco Systems for IPv6 technologies and IPv6
9 Forum.
10 DR. FRANCIS: I'm Paul Francis. I'm associate
11 professor at Cornell University and in the interest of
12 full disclosure, I'm the inventor of NAT.
13 MR. DESAUTELS: I'm Mark Desautels, Vice
14 President for Wireless Internet Development at the
15 Cellular Telecommunications and Internet Association,
16 principal, Association of Wireless Companies in the United
17 States.
18 MR. BARBER: I'm Stan Barber. I'm Vice President
19 for Engineering Operations at Verio.
20 MR. WATSON: Thank you very much, gentlemen, for
21 going through your introductions. Perhaps if we could
22 begin by turning to the issues which I think all of our
1 commenters this morning touched on, which is the primary
2 benefit in terms of features and capabilities of IPv6
3 which makes it of great interest to us all here today.
4 We have often heard touted and in remarks this
5 morning the increased IP address space as a leading
6 benefit for transition from IPv4 to IPv6, but perhaps, and
7 I would open this to the entire panel, if we could discuss
8 what you see as the significant features and capabilities
9 within IPv6 and how you would contrast those with what is
10 presently available under IPv4. Does anyone want to
11 comment on that? Mr. Barber, first.
12 MR. BARBER: I think the summary that was given
13 earlier this morning both from Dr. Cerf's talk as well as
14 Dr. Gallaher's talk was a reasonable summary of many of
15 the benefits.
16 The biggest one most people talk about is the
17 address space and the fact that it's much bigger. With
18 all due respect to Dr. Francis it makes it possible to
19 have every device that is on the Internet be uniquely
20 identifiable.
21 Now, there are benefits to that. There are
22 obviously concerns to that that relate to the anonymity
1 issue and being able to disguise or perhaps obfuscate who
2 the actual end node that's connected to another end node
3 might be.
4 If you take as a given that that obfuscation may
5 or may not be a good thing, it is not a good thing for the
6 purposes of doing peer-to-peer secure communications,
7 using IPsec as a model, then having lots of addresses and
8 being able to assign it to lots of stuff is a good thing.
9 The other things that people talk about having
10 to do with flow labeling and putting changes in the header
11 format and being able to define extension headers and
12 other things like that are things that largely don't exist
13 in IPv4 at all because it wasn't designed to do that
14 originally. And so those things make IPv6 more of a
15 state-of-the-art capability for us to build upon.
16 Now, do all those capabilities exist in the
17 software that you can buy from vendors today? No.
18 Why is that? Well, they haven't been writing software for
19 IPv6 very long and that's one of the reasons that I think
20 the possibilities for the future of IPv6 are wide open
21 whereas the possibilities for doing similar things in IPv4
22 are probably more limited.
1 MR. WATSON: Dr. Francis.
2 DR. FRANCIS: I want to sort of preface by
3 saying that I think it would be great if we had IPv6. I
4 mean, it would certainly simplify how everything operates
5 if nothing else.
6 But I want to sort of take a role as being a bit
7 negative about IPv6 because I think there's -- in general
8 there's other ways to do things.
9 So just with respect to this comment he
10 mentioned that with IPv6 you could identify every small
11 device in the world and that's very true. But we should
12 keep in mind that the role of IP is to enable
13 communications not simply to identify devices.
14 There's lots of ways to identify devices. They
15 can have serial numbers, URIs, e-mail addresses and things
16 like this. So the role of IPv6 is to enable one device to
17 be able to send IP packets to another device.
18 And while having one clean address space would
19 certainly be the best way to do that we should keep in
20 mind that through NAT boxes, even in the way NATs are used
21 today, there would be enough so-called addresses to have
22 about 250 simultaneously running connections for every
1 human on the planet.
2 So you can -- I'm not saying it's the best way
3 to do stuff but you can go quite far with NAT, and I would
4 not say that we're going to run out of addresses per se
5 any time soon because of the extensibility of what NAT can
6 do.
7 MR. WATSON: Dr. Ladid.
8 DR. LADID: Paul, I think we should recognize
9 also that you have codesigned IPv6 so you know how it
10 works which is quite important to note. And coming
11 from international, the debate about address space is
12 inexistent because there's no address space but we have to
13 look at it from a global point of view.
14 If we look at the Internet penetration worldwide
15 we have reached something like 10 percent and we have
16 consumed two-thirds of the address space for this.
17 If you want to move to something like 20
18 percent, or doubling the current penetration, we not only
19 need two-thirds of the address space but we need, I think
20 Tony will be talking about this later on, something like
21 375/8s you know to achieve 20 percent, which is a metric
22 to enable mass-market of Internet on a worldwide basis.
1 So you can imagine that from a geopolitical
2 point of view and from a kind of even distribution of the
3 Internet address space around the world it is a very, very
4 political issue. It has become a political issue. I
5 think we need to recognize that. Thank you.
6 MR. WATSON: Well, Dr. Liao, I mean, Panasonic
7 is right now on the vanguard of IPv6 in terms of producing
8 actual products that utilize IPv6. I wonder what your
9 read is and what the read is from some of the market
10 participants who are actually producing products and
11 services around IPv6 is with respect to the beneficial
12 features and capabilities of IPv6 versus IPv4?
13 DR. LIAO: I think the consumer electronics
14 companies like Panasonic are looking to a future that's
15 sort of ubiquitously networked, the sort of vision that
16 every device is connected to the Internet and we get the
17 benefits of that ubiquitous networking.
18 It's a kind of networking that is ubiquitous not
19 only from the point of view of every device being
20 connected to the network but also the kind of seamless
21 mobility that no matter where you are, when you are, at
22 any time, any place, you're connected to the Internet.
1 And IPv6 is a kind of foundation that enables that.
2 Of course, it's possible to do a lot of these
3 things if not all of these things by some patchwork of
4 solutions throughout IPv4.
5 However, the one thing that as a consumer
6 electronics company we would like to avoid is to have
7 everybody become a systems administrator. And one of the
8 beauties of this sort of foundation of IPv6 is that it's a
9 real tool to enable that from happening.
10 Probably those of us with a technology
11 background are already systems administrators, not only
12 for our own home but probably for all of your relatives.
13 And as we have 10 percent penetration, just
14 think what's going to happen when it gets to 20 or 30
15 percent. Then I'll have to quit my normal job just to
16 take on my second job as being assistant administrator for
17 my home. So it's not something that I'm looking forward
18 to. So it would be great if we could do that.
19 You mentioned that we have some products. For
20 example, we have an IPv6 camera and this camera we'd like
21 to be able to access from any place on the Internet and be
22 able to and consumers be able to make use of that thing.
1 Today it works with IPv4 but it's a little bit
2 of a hassle to do the configuration. The auto
3 configuration capabilities of IPv6 would be great to have.
4 It's those types of capabilities, this kind of vision of a
5 ubiquitously networked world that is really driving our
6 thoughts.
7 MR. WATSON: And perhaps either to you, Dr.
8 Liao, or to Mr. Barber, can you tell us a little bit about
9 some of the products, services and applications that we
10 kind of see on the horizon that would be enabled by IPv6
11 beyond, obviously you've discussed the camera?
12 DR. LIAO: One of the people that works here at
13 Panasonic in the States is Alex Ramirez in the back of the
14 hall, but he was telling me in the cab on the way over
15 that they have this thing in Japan which is rather
16 remarkable.
17 A large number of taxi cabs evidently each have
18 their own unique IP number and they transmit whether the
19 windshield wipers are going or something like that so that
20 some local TV station or something is keeping track of the
21 kind of weather patterns.
22 I mean, if you started thinking about that type
1 of application or you start deploying huge numbers of IP
2 addresses then you begin to understand why having a large
3 address space is -- actually I don't know firsthand about
4 this thing because Alex just told me about this on the cab
5 ride over. But it just seems to me that's a kind of
6 interesting application. Maybe Stan knows more about
7 that.
8 MR. BARBER: Yeah, I've heard about that specific
9 application. They're looking at weather patterns in terms
10 of where their micro climate rainstorms occur in Tokyo is
11 very interesting.
12 One of the things that we are working on in my
13 company is trying to find ways to make it easy for people
14 to do secure peer-to-peer communications which is one of
15 the touted values of IPv6 and the biggest issue with
16 anything related to IPsec or almost anything having to do
17 with security is key management.
18 There's nothing in IPv6 specifically that deals
19 with key management. And there's nothing really anywhere
20 that sets one standard for key management. And so we've
21 built a couple of demonstration projects to actually solve
22 that problem which we are currently working towards
1 releasing a product so you would be able to do peer-to-
2 peer communications over IPv6 using the key management
3 tools that we provide.
4 And so once that specifically is available you
5 would be able to set up a direct communication between say
6 your laptop in the hotel and the actual database machine
7 in your enterprise directly because the trust relationship
8 is built between those host systems.
9 There's some people in the community that's
10 really very concerned about that because they like
11 controlling things at the firewall or whatever. Those are
12 valid concerns. And we're not attempting to say that they
13 aren't.
14 But we are saying that we need to start putting
15 together applications that give us capabilities that we
16 really don't see a lot of today and having this secure
17 peer-to-peer capability and then seeing where it goes from
18 there and seeing how it impacts, how people use the
19 network would be one of the ways to start realizing some
20 of the potentials that we might be able to see in that
21 space.
22 DR. SKALL: So we've heard a little bit about
1 products that would work better under IPv6 and other new
2 ones that could only work under IPv6. So failure to
3 deploy IPv6, would that have dramatic effects on
4 inhibiting new applications or can it be gotten around?
5 MR. HAIN: There's some, actually two aspects to
6 that. One is can we get around the deployment of these
7 new applications and what's the cost of actually the
8 workaround?
9 And to some degree, yes, we can build these
10 technologies and allow us to use NAT and grow the network.
11 At the same time we're trying to conserve but there's this
12 interesting disconnect where you're trying to conserve
13 your way into a growing and expanding network. It just
14 doesn't really fit. If we're in a conservation mode in v4
15 and we're trying to conserve our way and grow the network
16 that just doesn't fit.
17 I wanted to comment quickly on Paul's earlier
18 comment that we can use NAT. In fact, every hotel I go to
19 I'm behind a NAT somewhere. And I happened to run into
20 the interesting trick and I haven't done the statistics to
21 figure it out but the address that I got back over the VPN
22 connection that I got was exactly the same as what the
1 hotel block was. So I had two interfaces with the same
2 address and everything stopped.
3 Being reasonably technical I knew what was going
4 on. I knew what to do to fix it but the average person is
5 not going to be able to work their way out of this
6 situation.
7 So NAT by itself doesn't help you. It creates
8 different kinds of problems. So it solves some problems
9 and creates others. And the other comment I wanted to
10 make was Latif's earlier comment about the global need and
11 the numbers that he was quoting for 375/8s, that's
12 actually being much more restrictive about allocation
13 policy than we are today.
14 If we just use today's allocation policy we need
15 about four times that number just to get the countries up
16 to 20 percent. So the numbers that I was working on were
17 assuming that we were going to be much more conservative
18 as time went on in our allocations and make it at least be
19 something sane where it's only four times the number we
20 have left not 12 times the number we have left.
21 MR. WATSON: Mr. Kafka.
22 MR. KAFKA: On Dr. Liao's example of the
1 taxicabs in Japan, I think that's one example that if you
2 extend that to some of the concepts of smart dust and
3 smart sensors where you get not just taxicabs in Japan but
4 huge numbers of sensors in a region that type of
5 application needs a large number of identifiers of some
6 sort.
7 And IP being the national protocol IPv6 can fit
8 well into that application. So there are some advanced
9 concepts that can vastly increase the demand for IP
10 address spaces.
11 On the other hand, upgrading the entire global
12 infrastructure of the Internet in a rapid basis to IPv6
13 will bring in quite a few expenses and isn't necessarily
14 critical for obtaining some of the benefits that you would
15 gain from the increased address space that could apply to
16 specific applications.
17 I think that what we may see and what may be the
18 logical introduction, in fact, is already happening in
19 IPv6 is that these pockets of application spaces where new
20 advanced applications come into place those advanced
21 applications that benefit the most from IPv6 and/or
22 require IPv6 to even make them viable will begin to
1 introduce the optimization, the introduction.
2 And that's where you'll get the best cost
3 benefit ratios for IPv6 and those types of islands. Same
4 kind of thing happens, I think, in some countries where IP
5 address space is scarce and adoption of IPv6 therefore
6 becomes a critical item in those countries.
7 So the primary benefits of IPv6 in terms of the
8 address space and also in terms of mobility, there are
9 some definite benefits to mobility management in IPv6 for
10 data mobility.
11 Again, things you can do in IPv4 and, in fact,
12 are being done today in IPv4 with additional devices that
13 will manage the mobility of IP addresses that become more
14 natural in IPv6.
15 It gives the opportunity for a gradual
16 introduction, the introduction to occur first in those
17 areas which have the best benefit and then as that grows
18 and as the costs drop the introduction can spread and
19 become more viable and work through the interworking
20 capabilities.
21 MR. WATSON: Dr. Ladid.
22 DR. LADID: Just to summarize a little bit, I
1 guess on the Internet today we have one single large scale
2 application called Web. And I don't think that's really a
3 major achievement. There are so many applications that
4 could grow to the size of the web and I would expect about
5 ten of them to be as large as the Web.
6 We just have to give it the end-to-end muscle
7 and I'm sure innovation will start kicking in. And if
8 they see -- I mean, NAT was doing an excellent job so far,
9 but we are starting to do these interactive symmetric
10 applications that require end-to-end and all of a sudden
11 you end up with these disruptions.
12 And if I look at the number of allocations in
13 India, India has about 2 million addresses for 1.3 billion
14 people. So we have turned the engineers in India into NAT
15 engineers, not into IP engineers.
16 And I'm sure we are going to import all that to
17 turn the U.S. into a NAT world. So I would argue that we
18 are going from the Internet into the InterNAT. (Laughter.)
19 And if you think you have plenty of address
20 space in the U.S. let me cool you down a bit because about
21 100 companies do have something like 50 percent of the
22 Internet address space.
1 Government has about 15 percent so I would argue
2 that the U.S. economy has only about 10 percent of the
3 address space worldwide which is less than what Europe has
4 and almost the same number as Asia.
5 So I would not accept anyone that tells me that
6 the U.S. has more address space than the rest of the
7 world. You are deploying more NATs than anyone in the
8 world. And since you have plenty of NAT managers this
9 country is going into a NAT concept and welcome to the
10 InterNAT. And I guess you are kidding, no innovation in
11 the future.
12 MR. WATSON: But Dr. Ladid, maybe in speaking a
13 little bit on NATs, and Dr. Francis you can perhaps
14 comment on that, but you spoke about the prevalence of
15 NATs in the U.S. To what extent would the persistence of
16 NATs, to what extent would that impact deployment of v6
17 applications in the future?
18 DR. LADID: I guess we have different scenarios
19 that need to be discussed. I mean, this is an exercise
20 that even the IT team is working on in creating certain
21 transition scenarios. I think it's in the planning that you
22 can benefit in low-cost introduction of IPv6 in the U.S.
1 I would argue with the current v4 address space
2 that exists among these hundred companies I think the U.S.
3 will have the cleanest transition period because of the
4 address space that exists in the U.S. It needs to be
5 allocated to do such a thing.
6 But if you look at the exercise of Stanford
7 University that moves from /8 back to 3/B which was
8 applaudable but it has cost them two years of work just to
9 find out that it does not make sense to size down from a
10 larger address space into a smaller one.
11 MIT wanted to do that in a good citizen effort
12 to give back some address space and decided that since v6
13 is coming we better wait until the move to IPv6.
14 And one of the recent articles from the
15 Forrester Research Group mentioned that IPv6 autoconfiguration
16 would pay for itself within a year. And I would like some
17 researchers to work on this one because I think that's a
18 very strong argument to deploy IPv6, one of the very
19 strong arguments.
20 MR. WATSON: Dr. Francis.
21 DR. FRANCIS: I think you need to be careful
22 when you say that NAT is going to kill innovation because
1 NATs have always been coupled with firewalls and people
2 sort of think of NAT as what prevents boxes from talking.
3 But if there were no NAT it would be firewalls that
4 prevent many boxes from talking.
5 It would still be a better situation definitely
6 because it's always simpler when you have a larger address
7 space but nevertheless, I mean, an example in my case, I
8 have a global address on my desk at work but I cannot
9 reach it from outside of work because the firewall blocks
10 me.
11 I have a private address at home but there's
12 various ways that I can actually get to the devices at
13 home. So it's ugly. No question about it. But I'm not
14 sure you can just make the statement that it's going to
15 hurt innovation.
16 I mean, an example might just be say DoCoMo in
17 Japan, which was a tremendously innovative thing that
18 really kicked off data applications over cell phones and
19 it was all done without IP in the end systems. So I think
20 we have to take that statement cautiously.
21 DR. LADID: I would like to respond to this one.
22 I think when NAT was introduced it took about two years to get
1 the firewall to secure NAT, so NAT was not a security box.
2 It was basically a sharing
3 DR. FRANCIS: Yeah, firewalls
4 DR. LADID: Let me finish.
5 DR. FRANCIS: I'm sorry.
6 DR. LADID: Would you share your phone number
7 with your neighbors? No.
8 DR. FRANCIS: What?
9 DR. LADID: Would you share your phone number
10 with your neighbors?
11 MR. WATSON: It's going back to the party-line
12 concept.
13 DR. LADID: So this I call in Russian protocol.
14 It is. Right?
15 DR. FRANCIS: I don't share my e-mail address
16 with my neighbors.
17 DR. LADID: No, not e-mail.
18 DR. FRANCIS: I know. But that's my point is
19 that --
20 DR. LADID: So, firewalls came in later on and
21 since it was quite clear that no one from outside would
22 connect to you either with a firewall or with NAT so there
1 was no need to have that hole into the firewall. That's
2 why the discussion about NATs is happening.
3 And I think we have to rethink the security as a
4 business enabler to create this famous end-to-end
5 security. And I would challenge the security experts to
6 come back to the drawing board and redesign a new model
7 for security.
8 So it has to be like the way we do it with
9 management. Through the management station you can decide on
10 which stations have access to what and so on and so forth.
11 So these are the new security models that need to be
12 redefined. And I think the security guys have not yet
13 picked up IPv6. And we should put every effort to get
14 them back onto this work.
15 MR. WATSON: Let's broaden the discussion a
16 little bit. Mr. Hain and then Mr. Barber.
17 MR. HAIN: To some degree, Paul is right. By
18 itself, NAT doesn't preclude innovation but you have to
19 look at it from the perspective of where is the innovation
20 going. And if all of your innovative effort is going into
21 NAT traversal are you delivering the end product?
22 And so from that perspective you can get back
1 all of that resource that would have gone into figuring
2 out how to traverse the NAT and put that back into
3 delivering the end product. And so by itself it doesn't
4 preclude innovation it just changes where you put the
5 focus.
6 DR. LADID: I would just --
7 MR. WATSON: Well --
8 DR. LADID: I will not talk a lot. I think
9 simple networks are superior networks. And innovation
10 flourishes on simple networks. I think that's
11 where we have to put our effort. And we have done this
12 research in Europe and also in Japan and I wish there
13 would be more research in the U.S. as well. For sure we
14 will be talking the same language.
15 MR. WATSON: Mr. Barber and then we'll go back
16 to Dr. Francis.
17 MR. BARBER: I wanted to talk a few moments
18 about cost of deployment since that was brought up earlier
19 in the discussion.
20 MR. WATSON: Do you have another point on this
21 before we move on?
22 DR. FRANCIS: Yes. All I was going to say is
1 it's true there's a lot of effort put into getting through
2 NATs but I think if we didn't have NATs there'd be
3 probably not as much but a fair amount of effort trying to
4 figure out how to get through firewalls.
5 DR. LADID: That I agree with.
6 MR. WATSON: Well, good. We have some
7 agreement. Mr. Barber.
8 MR. BARBER: What I wanted to say is that
9 there's been a lot of discussion about the cost of
10 deployment and I was wanting to talk about that for a
11 moment because we've done a deployment so we have some
12 practical experience in that area.
13 So we agree with the assessment in the draft
14 that says the biggest cost in the deployment is the labor
15 because the people have to be trained to understand how to
16 use IPv6 versus IPv4.
17 And we have found that that cost is not very
18 high if you're dealing with people who understand IPv4
19 very well because the differences are trainable. If
20 you're dealing with people who don't have an Internet
21 background to begin with and you're having to bring them
22 up to speed from the get-go and you're starting with IPv6
1 as the base then it's like building an Internet engineer
2 from scratch and that's very costly.
3 Some of our educational institutions you have to
4 get your bachelor's degree to actually understand some of
5 the peculiarities with respect to the details of routing
6 and how to spell BGP and stuff like that.
7 The people who are writing the software and the
8 people who are vending the hardware are actually making
9 the whole situation much easier because the stuff's in
10 there. When you buy a Cisco box today, for example, IPv6
11 is in there. When you buy a Juniper box today IPv6 is in
12 there. So you don't have to actually go out and add it.
13 If you buy it today it's there.
14 One of the problems that I've seen though is
15 that as you traverse down the cost scale then you run into
16 issues about finding IPv6. Panasonic, for example, is
17 being very progressive about having IPv6 in their end
18 devices but there are lots of guys in that price space who
19 don't yet have v6 down there.
20 So one of the issues as I see it is having more
21 of the low end devices have v6 in there day one. And it
22 would be great if there was more effort in that space to
1 see more devices that would have v6 as an option in it off
2 the shelf.
3 MR. WATSON: Dr. Liao.
4 DR. LIAO: During one of the initial
5 presentations there was talk about whether the benefits of
6 the, sort of the social good benefits were much larger
7 than the private benefits. And I guess to some degree
8 that could be true.
9 Sort of the larger social fabric benefits of
10 IPv6 in the sense of you have this larger address space
11 monoconfiguration and all that, are so easy necessarily
12 for, let's say, Verio to reap an immediate payback on
13 whereas the social good of providing that foundation, that
14 infrastructure that will allow a lot of innovation to
15 focus on the end product becomes much more readily
16 achievable.
17 The founder of Panasonic once said that he'd
18 like consumer electronics to be as cheap and as freely
19 available as water. And if you look at the price of these
20 things these days it's been achieved. And this is just
21 about as expensive as a DVD player.
22 But the reason that consumer electronics has
1 been so successful is the cost is really low. Now, what
2 we're looking at today in the consumer electronics world
3 is basically taking all the complexity that every one of
4 us has struggled with at least three or four times a year
5 that you find with dealing with how do you configure your
6 PC to make it work with this or that or whatever, and
7 that's getting into your television, that's getting into
8 your music player.
9 And there are many ways to address these
10 complexities but it would be nice to have a foundational
11 way that everybody could share that cost. The big issue
12 that we're looking at as we go forward in the future is
13 one of maintenance.
14 The software upgrades that we're so familiar
15 with within the PC world will be something that will
16 happen routinely, that we expect to happen routinely in
17 all the consumer electronics world. And IPv6, I think,
18 will be a key element to make that happen.
19 It doesn't have to be done through IPv6. There
20 are other ways to do it. Paul Francis mentioned you can
21 use serial number addresses and a whole host of other
22 ways.
1 But that's the issue. We might end up with a
2 whole host of other ways that really looks, what we're
3 really looking at is a cost redundancy that we didn't
4 necessarily have to have so that those electronics may be
5 again more expensive than water instead of vice versa.
6 MR. WATSON: Mr. Kafka. And can I remind folks
7 for the benefit of our webcast audience to speak directly
8 into the microphones. Thank you.
9 MR. KAFKA: I think in the case of IPv6 there
10 are many benefits as have been discussed and it can indeed
11 enable the proliferation of devices, ease of maintenance,
12 improve security capabilities. But a key point to keep in
13 mind comes back to some of the discussions around security
14 and NAT and firewalls and also I believe applies to
15 administration.
16 IPv6 is not a panacea that solves all of the
17 problems and all of the issues because you adopt it. It
18 can be an enabling technology. Long-term it is going to
19 have some definite benefits as the need for IP addresses
20 explodes as more and more devices determine, and we kind
21 of move away from the current linear growth in address
22 needs into a potentially jump or even exponential growth
1 with the new application and capabilities.
2 But there are fundamental underlying issues that
3 need to be addressed whether it be in IPv4 and IPv6 and,
4 in fact, based on the comments earlier about the extended
5 transition period that we'll have in place it will have to
6 be addressed in both IPv4 and IPv6 and in interworking
7 issues between IPv4 and v6.
8 And those fundamental issues include how do we
9 do firewalls, security protection. As an example, it's
10 great to have the printer in your home addressable from
11 anywhere on the Internet. On the other hand it may mean
12 that people can start sending junk prints to your printer
13 if they get access to that address the way you get junk
14 faxes today. There are security mechanisms that have to
15 be put in place to control this independent of IPv4 or
16 IPv6.
17 Similar aspects with the administration of end-
18 user devices. IPv6 will provide a good foundation for
19 that but just as IPsec has extended from v6 into v4 the
20 fundamental issues and problems and research problems that
21 have to be solved apply across both of those areas of
22 technology and for the next five to ten years we're going
1 to have both of these networks clearly in place. And we
2 need to solve those problems in a comprehensive way that
3 covers both of those network ranges and approaches.
4 MR. WATSON: Mr. Barber.
5 MR. BARBER: I would like to say that I agree
6 with many of the points that were just made. The key
7 issue in my opinion is to try and find ways to develop
8 those solutions so that they apply in both spaces at the
9 same time so that you're not developing something that's
10 specific to v4 that can't be reused in v6.
11 You may find that there are answers that are v6
12 that you can't retrofit but if we're going to spend time
13 to develop those solutions we should try and develop them
14 in such a way that they can apply to both spaces at the
15 same time.
16 That gets back to one of my earlier comments
17 about key management. Whatever key management facilities
18 that we put together they should work in IPsec whether
19 it's IPsec v4 or IPsec v6. Our point of view is that
20 we're going to do it in the v6 world because we believe
21 that peer-to-peer secure networking is a key feature and
22 we need to have that capability available so people can
1 start using it to see what the benefits really are.
2 But irrespective of whether it's a key
3 management facility for v6 we want to develop that also so
4 it could work in the v4 world for the enterprise-to-peer
5 traditional type IPsec that we believe will develop, that
6 could develop there over a VPN infrastructure, a
7 traditional VPN infrastructure.
8 MR. WATSON: Well, before we turn to a bit of a
9 more detailed discussion of the security implications of
10 v6 I would like to pose a question to Mr. Desautels and I
11 apologize if I'm mispronouncing your name.
12 MR. DESAUTELS: That's correct.
13 MR. WATSON: I'm a Midwesterner and I have the
14 tendency to soften everything in speech. I'd like to
15 speak a little bit specifically to one of the benefits
16 that a lot of folks have spoken to, which is that of
17 enhanced mobility.
18 And really you get a sense for what kind of
19 benefits IPv6 would produce for wireless providers and
20 their customers and what plans are under way presently by
21 folks in the wireless industry with respect to the
22 deployment of v6.
1 MR. DESAUTELS: Thank you. And you asked, the
2 wireless industry with regard to Internet and data
3 applications is sort of in a little bit of a trailing
4 phase of the rest of the world. And thus I think IPv6 is
5 a lower priority at this point for most of the wireless
6 operators.
7 Right now in the United States we're barely
8 seeing about 1, 2, 3 percent of carrier revenues coming
9 from data services, and these are very simple applications
10 in the United States, like downloading ring tones and some
11 games.
12 And the idea of more sophisticated streaming
13 type applications or multitasking applications is
14 something that while a lot of the carriers talk about as
15 being a very potentially valuable service to provide is
16 not one that they have immediately in the sights as
17 something they will be providing.
18 The idea of seamless mobility however is one
19 that drives most of the business decisions that they make.
20 And so to the extent that IPv6 is going to help enhance
21 that seamless mobility it will be something that I think
22 carriers incrementally would be looking to deploy as they
1 upgraded their network.
2 It's kind of interesting, too, that carriers
3 had, a number of them in the United States had started to
4 deploy an IP-based packet network some time ago for data,
5 CDPD, and basically have let that network go away and have
6 gone for data to the circuit switch networks and only now
7 are working their way back to packet networks.
8 And at this point, having only begun to believe
9 now that they're seeing 1, 3, 5 percent of revenues coming
10 from data services, that enhanced data capabilities in
11 their networks, more broadband capabilities are going to
12 draw revenues and users and yet still being concerned
13 about what the applications are beyond voice that users
14 are going to want to see are still proceeding kind of
15 slowly.
16 I say one other action that was taken recently
17 that's fairly interesting, one of the providers has begun
18 -- and Washington is a place where it's commercially
19 available -- to make fairly high-speed broadband
20 available.
21 You can get pretty consistently 300 to 500
22 kilobits on this service in the D.C. and I've had 700
1 kilobits in this very building. Other network providers,
2 service providers, had determined that they were not going
3 to be providing, they were going to wait before they were
4 going to start deploying that kind of capability.
5 And subsequently, it changed their minds based
6 on the uptake that they believe or how they would trail
7 their competition if they didn't move immediately to
8 provide that kind of broadband service.
9 So I think there is the constant belief that
10 these services are going to drive their businesses and as
11 they see uptake I think IPv6 becomes more important.
12 MR. CAPRIO: I think we've played out the
13 benefits side and wanted to sort of move over a little bit
14 onto the security side. As Joe said at the outset, I'm
15 the Deputy Assistant Secretary for Technology Policy and
16 also the Chief Privacy Officer for the Department.
17 And we see the explicit connection between
18 privacy and security and in the summary we heard some
19 discussion of the short-term vulnerabilities on the
20 security side and then also some of the potential
21 benefits.
22 So, Mark, you've been waiting patiently. I
1 thought I'd sort of bring you into the discussion, I mean,
2 it's for everyone to get involved but talk some about the
3 characteristics of IPv6 that enhance network security but
4 also raise some privacy concerns.
5 MR. ROTENBERG: Sure and thank you, Dan. The
6 first thing I want to say just following on the last
7 discussion it's from the consumer user perspective I think
8 it's still very early to try to evaluate the potential
9 applications of IPv6 and the benefits and it's a little
10 bit like trying to imagine in the 1970s the commercial
11 applications for the Internet.
12 I mean, we know that they will emerge but it
13 will take obviously some time to see what works and what
14 doesn't and what people respond to in the marketplace. In
15 this intermediate time, as we're moving toward the
16 deployment of IPv6 the one issue that we have been able to
17 watch fairly closely has been the privacy issue.
18 There was an interesting privacy issue that
19 arose almost at the outset with IPv6, simply from the fact
20 that there was more address space and I think the proposal
21 was in the original protocol to reserve 64 bits for the
22 MAC address of the device.
1 In other words, when you have a computer, for
2 example, with an ethernet card that ethernet card has a
3 unique serial number. You can actually see it, typically,
4 on the base of the computer. And you could take the
5 number associated with the ethernet card on your device,
6 drop it into the IP address that your computer might use
7 for its Internet transactions and thereby uniquely
8 identify the device permanently.
9 I mean, you sort of have to understand that
10 identification can be both dynamic; it can change, and it
11 can be static; it can be fixed. And from the privacy
12 perspective we had some real concerns about the idea that
13 there would be a permanent IP address linked to a device
14 because it would really deny people a certain type of
15 privacy and anonymity that they were accustomed to.
16 We also believed and I think this is correct
17 that it would create new types of security risks. It's
18 not the case from our perspective that if you give end-
19 users more privacy you necessarily create some security
20 vulnerabilities. I think you have security
21 vulnerabilities under both scenarios.
22 So we said, in effect, that it would be a
1 mistake to permanently identify addresses of devices
2 through the new Internet protocol. And one of the things
3 that resulted from this discussion was a very positive
4 response from the IETF, the Internet Engineering Task
5 Force.
6 And they said in effect well, how do we solve
7 that problem? I mean, we want to deploy IPv6. We want to
8 have more address space but at the same time we recognize
9 that there is real privacy risk.
10 And an RFC 3041 was developed which essentially
11 allows the deployment of v6 with roughly speaking dynamic
12 addressing very similar in fact to what Internet users get
13 today behind a NAT or a firewall.
14 And I think this is a good response. We were
15 trying to figure out in preparation for the hearing, in
16 fact, which of the major companies have begun to deploy
17 3041 in their IPv6 implementations. I think in fact
18 Microsoft has done this through Windows XP. We couldn't
19 tell if Apple is doing it in OS X.
20 Finally, on the positive side, of course,
21 there's a very important feature of IPv6 which we strongly
22 support which is the end-to-end encryption that you get in
1 IPsec.
2 Now, you can do this also in IPv4 and, in fact,
3 that's what the VPN that Mr. Hain was talking about before
4 in effect does. But as a general matter, we think end-to-
5 end encryption would be very good for end-users. It could
6 support a lot of things like secure e-mail and address
7 some other security issues.
8 And IPv6, in effect, sort of mandates it and
9 IPv4 you have to do a little bit of work to get it. So
10 that's kind of a quick take from our perspective on the
11 privacy issues.
12 MR. HAIN: Just to follow up a little bit on the
13 privacy concerns, and 3041 addresses in particular,
14 there's multiple aspects of just routine operations you
15 have to worry about. And one of them is if you want to be
16 a type of application that is contacted, how does an end-
17 user find you and typically it's by name.
18 So if you're using one of these randomly
19 generated addresses it's very challenging for you to
20 figure out okay, what address are you actually using. I'm
21 trying to use your name right now.
22 And so the immediate response is well, we'll
1 register in DNS but if you're generating these random
2 numbers you're churning DNS. And so we have to be careful
3 and maybe actually go look at the Microsoft
4 implementation. It generates both addresses. It
5 generates the random one that you'll use for contacting
6 out other nodes and it generates the static one that it
7 will register and have a relatively stable value that
8 doesn't churn infrastructure components at the same time.
9 So if you're being called you get called on one address.
10 If you're calling out you call on the other address.
11 So there's a significant difference in v4 and
12 v6 is the multiple address capability that every device is
13 expected to have. And so there are extra pieces to it
14 besides just is it based on your MAC address or is it
15 random? There's reasons for having both.
16 MR. CAPRIO: For the panel, just to try this out
17 a little bit, what do we see or you all as the experts see
18 is the characteristics of IPv6 that serve or seek to
19 enhance network security? Mr. Kafka or Dr. Liao or Mr.
20 Hain?
21 DR. LADID: Maybe add a few things that we are
22 discovering in our research. We found that v4 address can
1 be scanned in five minutes. In fact, the entire Internet
2 can be scanned in ten hours. And we tried to scan a v6
3 address and we go into the billions of years so the lesson is possibly we
4 could delay scanning of addresses which is a good thing to
5 delay the spread of viruses or this needs to be a research
6 problem.
7 But I think there is a possibility of delaying
8 the spread of viruses because this is most important thing
9 to do but your win time to get that device.
10 On the privacy, I think IPv6 has a privacy
11 protocol while v4 does not have one. Obviously, privacy
12 with NAT is an excellent chance to do that because it was
13 impossible to build in a privacy protocol in such a small
14 address.
15 There are some new ways of doing security
16 without even PKI, moving from decimal to hexadecimal. And
17 I think we are going to discover many things with
18 hexadecimals.
19 Now, this 64-bit address space can also be used
20 for ad hoc security. So we can hash, for instance, public
21 keys into that 64 and then send it to the ad hoc
22 correspondent who can rehash it with its private key. So
1 you don't need even the PKI infrastructure as such.
2 I think this is innovative. We are doing a bit
3 of research on this one that even Microsoft has written an
4 article on it called cryptographic-generated addresses.
5 This could have an excellent opportunity for mobility ad
6 hoc networking that are not that close to PKI structures.
7 In terms of mobility I think we see also many
8 new advantages, especially using the private addressing or
9 let's say the privacy addresses in order to move from
10 network to other networks.
11 And we expect that this kind of address will be
12 used as kind of address in the future in order to, I'd
13 say, obscure the location of the person we're using in
14 different networks.
15 With the mobility being also spectrum efficient
16 I think we will see that there will be a greater benefit
17 for mobile networks as we apply IPv6, especially mobile
18 IPv6 routers. Thank you.
19 DR. SKALL: Can I just ask a practical question?
20 The need to simultaneously run IPv4 and IPv6 networks, to
21 what degree would that compromise security?
22 MR. BARBER: We do that today, so I can talk
1 about that. The biggest single issue is tools to run the
2 network. IPv4 has been around a long time so lots of
3 tools to run the network. IPv6 has not been around as
4 long so there's not lots of tools to run a network in
5 IPv6. So we tend to depend on the IPv4 tools to run both
6 networks because that's what we have.
7 We would like to see that change. We'd like to
8 see more development of IPv4 native tools to operate the
9 network. Part of that depends on our friends at Cisco and
10 Juniper and other similar companies to help us get those
11 tools and we certainly encourage them to do that.
12 But that is a problem today with IPv6 deployment
13 is just the fact that it's not been around a long time and
14 the ubiquity of tools to operate and deploy a network is
15 still frankly in its infancy.
16 That will change. I think companies that have
17 been mentioned here today, Microsoft and others, are all
18 working to fix that, but that is a problem.
19 Another thing I'd like to mention since again we
20 do do both networks today is that there are some problems
21 that are common to both networks, that are not security
22 specific but relate to the overall performance of the
1 network. In this case I'm talking about denial of service
2 attacks. Denial of service attacks affect both IPv4 and
3 IPv6.
4 One advantage that we see potentially with v6 is
5 the fact that the end nodes all have sets of addresses.
6 Sometimes it's easier to track back the source of attack
7 for an IPv6 source than it is for an IPv4 source.
8 Now, we're still very early at realizing how
9 much benefit that is, again, because we're still at the
10 beginning of running an IPv6 network on a global scale.
11 But so far the research inside my company indicates that
12 it's actually easier to do a trace back for a denial of
13 service in IPv6 than v4.
14 MR. WATSON: Mr. Hain.
15 MR. HAIN: Just to follow up. Once you've got
16 the tools actually the significant thing that most
17 security incidents involve personnel issues of matters of
18 training. So to answer your question, they need the tools
19 but once they have the tools they need the training to
20 make sure they don't make the mistakes, make the same
21 changes in both places.
22 MR. WATSON: Dr. Francis.
1 DR. FRANCIS: I just want to sort of say the
2 same thing again that we shouldn't get thinking that some
3 of the things we're talking about can only be done with
4 IPv6. Again, there's lots of ways to do everything.
5 And it's not so much a question of can we do it
6 or can't we do it as in a sense how complicated is it to
7 do it or simple to do it once we eventually get to a peer
8 IPv6 world and so on.
9 So just a few quick points. For instance, you
10 mentioned secure mail. Well, of course, you can do secure
11 mail today with Secure Mail. You can't hide the identity
12 of who you're talking to with Secure Mail. That's out in
13 the open so that the mail system can deliver it but the
14 rest of it can be secure.
15 If you want that part to be secure, who you're
16 talking to, then often lower-layer security is good but if
17 you had an IPv6 world then you could tell at the IPv6
18 level who you were talking to unless you went to an
19 intermediate box that could sort of hide the identity of
20 who you're talking to, an onion routing system or
21 something like that. But then in a sense, it's no longer
22 end-to-end secure.
1 So it's a very complicated thing. And there's
2 lots of different ways to do different things and
3 sometimes it's easier to do security at a higher layer and
4 sometimes it's better to do it at a lower layer.
5 Regarding mobility again, people should not
6 think that we can't do mobility without IPv6. You know,
7 most mobility in sync with the networks and so on today is
8 done at lower layer, at a link layer and so on.
9 You can go miles and miles and miles without
10 ever having to change to an IP level mobility event. You
11 do lower level mobility events.
12 Again, IPv6 would certainly help in many
13 respects but it's not like there aren't other ways to do
14 things. And actually, Latif made a very good point with
15 respect to the spreading of worms.
16 Right now, people can spread worms by just
17 scanning every IP address in the world. It would be very,
18 very hard to do that with IPv6 but on the flipside right
19 now mostly we have virus problems which are spread through
20 e-mail attachments and so on, not worm problems. And
21 viruses spread by looking at the address book and then
22 finding other things to talk to not by scanning the
1 network.
2 We have to be very careful in an IPv6 world that
3 we don't have a kind of worm which actually goes into a
4 box, scans whatever information allows you to talk to
5 another IPv6 node and then much more quickly than a virus
6 spreads talks to that node and spreads.
7 And I think the only thing that slows down a
8 virus is the fact that it runs through an e-mail system
9 which it takes time to read your e-mail, to open the e-
10 mail. It's really at the level of human communication
11 that it can spread.
12 So at least it's on the order of hours not
13 seconds but once you push that down to IP you've got a
14 real problem. And it's not going to spread through port
15 scanning; it's going to spread through looking at
16 something locally to the machine and then using those
17 addresses to talk.
18 MR. KAFKA: I think the comment Paul just made
19 is a good indication of the types of security issues that
20 we have to look at when we're going into IPv6.
21 In particular, absolutely right that IPv6 solves
22 some of the problems so that you can't scan it as easily.
1 However, a new attack threat could be instead of going
2 into the e-mail address book you go into the IP address
3 cache on the PC and learn to attack from that.
4 You can still do a very rapid attack and, in
5 fact, a more targeted attack in a sense because you get
6 access to that. Overall in security IPv6 does provide a
7 wider range of mechanisms that can be used and exercised.
8 That has some definite potential benefits for
9 security. On the other side of that though, each of those
10 new mechanisms and new approaches hasn't yet been solidly
11 tested in the current battle between the black hats and
12 the white hats that's going on every day in the current
13 Internet.
14 So as those new mechanisms get put into place
15 there's a lot of work that needs to get done not only to
16 understand them but to develop approaches that can use
17 those mechanisms and achieve comparable and then higher
18 levels of security than exist in the current network, that
19 would be along with each new mechanism and each new
20 approach there will be new methods of attack and there's
21 going to, the ongoing escalation isn't going to stop.
22 It's just switches places.
1 I think there is definitely more power that can
2 come from the toolkit but at the same time you've got to
3 understand the approaches and mechanisms. Firewalls and
4 NAT are very well understood.
5 We think that there may be even reasons for
6 using NAT mechanisms or if instead you switch from NAT
7 mechanisms to the anonymous v6 addresses to accomplish
8 some of the same kinds of things that you hit some of the
9 same kinds of challenges but those mechanisms are going to
10 need to stay in place to defend against the range of
11 attacks that happens.
12 We're also going to need to not only deal with
13 the IPv6 mechanisms themselves but also the IPv6-v4
14 interworking mechanisms and potential holes of
15 vulnerabilities that could show up in those interworking
16 mechanisms.
17 There's a very broad range of new research
18 that's needed both in terms of theoretical research and
19 approaches, new product development in algorithms and tool
20 development, and test them in the laboratory and the
21 university and also out in the real world as IPv6 starts
22 to grow in size and deployment.
1 It's not going to be something that will happen
2 overnight. It's an ongoing set of capabilities. It will
3 put even more emphasis as we go into this new world, the
4 mechanisms for exchanging information about best practices
5 in terms of approaches, keeping everyone up to date,
6 understanding what the latest security practices are,
7 firewalls and firewall proxy mechanisms are well
8 understood.
9 We'll need to translate some of those to v6 and
10 then as we expand beyond the current v4 so that range is
11 continue to test those and vet those in the real world and
12 see how they hold up, continue to improve them, react
13 responsibly.
14 So if anything, that increased capabilities and
15 mechanisms and the tool sets will make it more critical
16 during the transition phases for best practices to be
17 shared, understood, new threats to be identified and
18 addressed.
19 MR. CAPRIO: Thank you for that. A number of
20 issues on the table here. I actually wanted to return to
21 the point that Dr. Ladid made. I mean, we see the
22 transition issues from v4 to v6 and I mean, and you
1 suggested and Mr. Kafka just, I think, began this
2 discussion but that we need a new model for security.
3 And so I mean, do we need a new model and how
4 does the transition from v4 to v6, how does it help us to
5 change the paradigm?
6 DR. LADID: I'll tell you a story about Paris in
7 the 16th century. It had the highest walls in Europe.
8 And then people found out that most of the prisoners they
9 were from within Paris and the outside posts could alarm the
10 central administration that somebody is coming from Italy
11 to hit them. So they had time to respond. Then they took
12 down these walls back in the 16th century.
13 So the current security model is the 16th
14 century wall of France, which is basically I want to stop
15 anything, which is excellent, because that's the only
16 mechanism we have.
17 Now, if we want to make security a business
18 enabler and a communication enabler, look at the DoD vision
19 to empower the soldier. I guess you have to think about the
20 model where you would like to give him the security built
21 in he doesn't even have to think about it.
22 The security is a negative deliverable. We have
1 to make it as an easy adoptable tool and this is where
2 most probably a better distributed platform of security is
3 the future so that if you have distributed firewall
4 mechanisms to protect each host so when one is attacked
5 the other ones aren't attacked.
6 And then with that you will be enabling also the
7 kind of NAT traversal done for the entire network will be
8 able to do it for each single host. We'll be able to open
9 doors for some and not for others and so on. And this is
10 a model that's in Europe we're doing research on. And I'm
11 sure the U.S. community will be going to it.
12 MR. HAIN: Yes. And one of the things we have
13 to do as we start talking about security is define what we
14 really mean because everybody has their own interpretation
15 of what the term security means.
16 One of the things that came to mind as Latif was
17 speaking is the model of the wall. We've got the model
18 today of this NAT where I've got a very clean point that I
19 can attack so denial of service types of attacks, which
20 are a security threat in some senses but they don't really
21 penetrate they just deny service it's much, much easier to
22 do a denial of service attack against a NAT because
1 there's one and I can take out an entire network behind
2 it.
3 If I go to the privacy address model, the 3041
4 addresses with a reasonably frequent update my denial of
5 service window from when I've got out and exposed this
6 address is only the length of time I'm using it. As soon
7 as I stop using it and I've moved on to another address
8 I'm now not attackable on that address anymore. Denial of
9 service stops.
10 So simple little appliances that the consumers
11 might buy can be using this type of address model and if
12 they're not being contacted they're not really denial of
13 service attackable or whatever beyond whatever window that
14 they're actually stable on that address.
15 So there are a lot of opportunities and we have
16 to define what's the threat, what do we mean by security,
17 what's the threat and then how do we approach that?
18 MR. WATSON: Dr. Francis.
19 DR. FRANCIS: Actually, I just don't get that
20 last thing a little bit because the privacy address in
21 IPv6 is related to the lower part of the address. You
22 flip that around so that they can't identify but the upper
1 part that you get from your ISP would remain the same.
2 So you attack that, the ISP's going to deliver
3 it to you just because the upper part matches you. And
4 whether it's a valid address or not doesn't matter. It's
5 still going to go in through that access link that they
6 want to attack you on. Am I wrong?
7 MR. HAIN: It will be delivered to a router but
8 it won't be delivered to the end node so you can't
9 actually attack.
10 DR. FRANCIS: Yeah, but you're saying -- I mean,
11 it will be delivered to the firewall basically but that's
12 like delivering it to the NAT. I mean, it will still get
13 to that box and you'll overwhelm that access link and --
14 MR. HAIN: It's a matter of -- you know, a
15 router can drop packets much faster than it can go through
16 the state table of a NAT to figure out whether it's
17 actually got the state to forward this thing on or not.
18 DR. FRANCIS: So you're saying it would just
19 take more packets to deny the service?
20 MR. HAIN: Right. I mean, it's the same
21 function. It's just a matter of the level of threat.
22 DR. LADID: Yes, but you have a point. That
1 needs to be addressed, yes. It would come from the top.
2 MR. CAPRIO: Mr. Barber, Mark, Dr. Liao, do we
3 need a new model for security?
4 MR. ROTENBERG: Well, I just think that the
5 point that was raised a moment ago is important for people
6 to understand. You know, this discussion has come up also
7 in the context of distributed denial of service attacks
8 and more broadly about security of the Internet.
9 There is a view which says we really want to
10 know exactly who's on a particular device at a particular
11 point in time so that we can trace back and try to locate
12 sources of problems but that particular model sort of
13 brings with it also the opportunity to have fixed points
14 of attack.
15 And that's why we have to be, I think, very
16 careful about pursuing in the discussion over IPv6 a
17 protocol that would require fixed addresses, permanent
18 addresses, because then you have permanent points of
19 attack.
20 And for end-users I think what Mr. Hain was just
21 describing a moment ago I mean, the NAT does handle
22 overflow better than the person sitting at the end with
1 their computer would. And it also has some benefits to
2 the end-user.
3 MR. WATSON: Mr. Kafka.
4 MR. KAFKA: The other aspect to look at this is
5 in terms of distributed firewall capabilities can indeed
6 address some of the scale issues and some of the denial of
7 service attack issues by distributing out attack points.
8 On the other hand, they raise their own
9 challenges in terms of administering, controlling and
10 establishing those firewalls. So you've got to not only
11 put in place a distributed firewall capability but a
12 policy management infrastructure that will make sure you
13 can identify and propagate those sets of capabilities as
14 well.
15 So while I would say that -- I can't say we need
16 a brand new security model in the sense that a lot of the
17 security models are already in place and are potentially
18 extensible and involvable to take advantage of many of the
19 new mechanisms that are there.
20 So you take a firewall mechanism, distribute the
21 firewall and then put in a policy structure to manage
22 distributed firewall with the same degree of efficacy that
1 current firewall administrators at a centralized corporate
2 site can administer.
3 So there are some new tools, new mechanisms and
4 new approaches that can come into play but a lot of the
5 fundamental principles will stay the same.
6 A corporation is still going to want to control
7 Internet traffic to certain sites, to be able to monitor
8 Internet traffic, to be able to secure capabilities, to
9 restrict access to machines inside its firewall.
10 All of the type of capabilities that fit into
11 current secure and protect intrusions, all of those
12 principles remain the same. It's just seeing what we can
13 do differently and with a different toolset.
14 Say the one mechanism that can lead to not an
15 entirely new model but perhaps more extensive use of
16 models already in place is the broader adoption and use of
17 IPsec under appropriately controlled circumstances.
18 Again, having that protocol a mandatory part of
19 the implementation in IPv6 is somewhat of a help but I
20 think as Stan Barber said, the core set of capabilities
21 that really probably are fundamentally setting the pace of
22 IPsec deployment coming around having a public key
1 infrastructure in place and a trust management mechanism
2 in place that can enable that and enable it to work not
3 just from the standpoint of private and pairing use but
4 also from the standpoint of law-enforcement access, all
5 those type of issues as well.
6 So in terms of taking new security model issues,
7 a common issue that can spread across v4 and v6 comes down
8 to the PKI infrastructure and the set of government and
9 law-enforcement access to that as appropriate, trust
10 mechanisms, not just the technology aspects but also, if
11 you will, the social aspects behind it and the business
12 aspects behind it. And that can be a key part of the
13 attention the security model could evolve.
14 DR. LADID: I wanted to emphasize -- as a matter
15 of fact it was the model I wanted to talk about because
16 this is what NTT is also in the planning to deploy when I
17 talk to your colleague and end-to-end security even as a
18 service, from an ISP point of view directly then allow
19 home users and also machine-to-machine access in a secure
20 way. And yes, I agree, this is the way to go. Thank you.
21 MR. BARBER: The one other thing that we really
22 haven't talked about today that might establish a new
1 security model that is IPv6-specific has to do with the
2 extensibility of IPv6.
3 There are things that we can do with IPv6 in
4 terms of defining extensions to it that might in fact
5 create new security architectures that we haven't
6 previously envisioned.
7 So when those opportunities present themselves
8 we might be able to realize them in an IPv6 world where we
9 could not realize them in an IPv4 world. What they are, I
10 can't say. That's the whole point. But the fact that we
11 have the architecture in the protocol so that we could
12 actually define those things could potentially provide us
13 with a whole different way of doing security that we don't
14 have today.
15 MR. CAPRIO: Thank you for that point. I mean,
16 the idea of innovation and sort of what's over the horizon
17 is very important.
18 Time, maybe, for one more question before we go
19 to the audience and that is the issue of anonymity has
20 come up along with the lines of law-enforcement Mark
21 mentioned traceability but in terms of IPsec I mean the
22 ability to permit authentication, one of the big problems
1 that we all face is just the proliferation of spam. And
2 the issue there is how do you go back and find it.
3 And so spoofing and phishing, can IPsec, can
4 that help us, and the authentication issue, can that help
5 us in terms of law-enforcement and spoofed e-mails and
6 sort of tracing back? I mean, how do you all see that
7 playing out?
8 MR. ROTENBERG: I participated in a conference
9 recently at the ITU on this topic and the thing was
10 countering spam. And certainly many network
11 administrators and companies and countries are very
12 concerned about the spam impact as are consumers, of
13 course.
14 And there was some discussion about the role of
15 identification on the network to counter spam. There's a
16 proposal right now which, I think, is sender ID really to
17 identify at the domain name level the source of spam,
18 which I think could be very helpful.
19 I will say one of the concerns on the privacy
20 side is that you could put in very elaborate
21 identification techniques for Internet users hoping to
22 catch spammers and find yourself in a situation where
1 clever spammers are still defeating the ID techniques but
2 everybody else, now having put their actual address out
3 there is getting far more spam than they would have
4 otherwise.
5 So you really have to be careful with some of
6 the solutions that you don't end up creating new problems.
7 And that's why I said at the outset that to protect
8 privacy doesn't necessarily mean a cost in security. In
9 fact, it may also give you better security.
10 MR. WATSON: Dr. Francis.
11 DR. FRANCIS: I just wanted to briefly say I
12 wouldn't think that v6 would have much to do with spam
13 because it goes through mail relays. It's not an end-to-
14 end thing from the get-go. So once a box hits a mail
15 relay or some other way of propagating the spam the
16 identity of the sender is lost. So I don't think there's
17 a relationship.
18 MR. WATSON: At this time we'd just like to turn
19 the questions to the audience so if members of the
20 audience have questions for our panel participants you
21 could step to the microphone and please give us your name
22 and organization we would be happy to take your questions
1 now.
2 Okay. Well, perhaps just to spur things off
3 I'll ask Dr. Ladid a question that is something that the
4 discussion draft grapples with, which is the state of IPv6
5 deployment internationally and how you'd characterize
6 deployment internationally and how you characterize,
7 contrast that with deployment in the U.S. specifically?
8 DR. LADID: Yeah, I need to kill some of the
9 myths because there are a lot of people say that the U.S.
10 is behind. This is not true. The U.S. is at the same
11 level as anyone else in the world.
12 Most of the designers of IPv6 are in the U.S.
13 and it's these people that nobody is listening to
14 here in the U.S. that travel around the world in
15 order to propagate the mission, in order to put pressure
16 back on the U.S., in order to get the U.S. to move. This
17 is what's happening.
18 So the same type of research has been done. The
19 same type of promotion, more v6 has probably done more
20 than 180 million euro research in Europe in terms of
21 getting the message out there.
22 Obviously, there is a clear difference between
1 what is happening in Europe and in Asia. There is a
2 political good will in Asia to promote IPv6, especially in
3 Japan since they have not invented the Internet this is a
4 new chance.
5 And I think from the discussion from my
6 colleague next to me, moving from a manual Internet to an
7 automatic Internet makes everything possible for
8 innovation.
9 I guess Japan has through a small statement by
10 their prime minister back in September 2001 mentioning
11 IPv6 has sparked tremendous interest across the community
12 so I would expect Japan to have v6 products ready for U.S.
13 customers to buy and they won't even notice that IPv6 is
14 existing now. So you need the networks to be installed in
15 this part of the way and also enjoy these new products.
16 I think they have the first mover innovation
17 advantage. Obviously, the Koreans followed suit as they
18 do usually but the biggest surprise to all of us is China.
19 You know, China has only about 40 million addresses but
20 they have a 20-year plan to deploy everything.
21 So be it Internet, wireless, just name it, great
22 with a massive investment plan and they looked at the
1 address space and it's a no-brainer since they want to
2 replenish their entire network.
3 So starting from zero it's a lot easier to do
4 obviously as Vint said at the beginning. So they will
5 have the largest v6 network in the world deployed within
6 the next 12 months and are to test on a production level
7 Grid computing, wireless technologies, most probably they
8 will have their own wireless protocol as well to compete
9 with WCDMA and CDMA 2000.
10 And I would expect most probably the killer
11 applications to come from China. Lowest cost possible.
12 So that's the biggest point that the U.S. will be missing
13 is that the fast-pace to application development because
14 it's there where you make money.
15 And that is the thing that the U.S. should maybe
16 try to capture, at least to the first move on apps instead
17 of just buying them at lowest cost. I think this is a
18 dramatic situation for the U.S.
19 Europe is in good shape, I cannot say that Europe is
20 very advanced, but I would say that research and academia
21 and so on are on par with the target. Industry is still a
22 bit behind but there is a program to promote IPv6 in a
1 formal way as compared to the North American IPv6 Task
2 Force led by Jim Bound on a voluntary basis. And it's a
3 60-hour work a week a couple of men pushing it for free.
4 I think this needs to be kind of formalized so
5 that industry has a focal point where they can tap on
6 information on business practices in every sector and
7 enable not only the PC sector to move but especially the
8 non-PC area where the biggest innovation is going to
9 happen.
10 So I think the U.S. has a very key opportunity
11 not to miss this one. And I will encourage you because
12 the deployment of IPv6 in the U.S. would make IPv6 happen
13 in the world, not the other way around. I'm convinced of
14 this. Thank you.
15 MR. WATSON: Also throw it to the audience just
16 in case anybody has any questions for these gentlemen.
17 MR. BOUND: Good morning. Jim Bound, North
18 American Task Force and IPv6 Forum. I'd like to ask the
19 panel if they would comment, assuming that the restoration
20 of the end-to-end Internet model, which is the primary
21 benefit of IPv6 how that can help in your mind the social
22 aspects that we face in our own inner city ghettos, for
1 security defense networks.
2 In 9/11, police, port authority, and firemen
3 were unable to communicate. That cost lives. That's a
4 social problem, too. And how can IPv6 maybe help it so
5 that the kids that I work with in my private life from the
6 inner city ghettos have equal opportunity to learn about
7 communications, learn about the Internet and evolve?
8 Thank you.
9 DR. LADID: I'd like to address this because
10 this is -- coming from a developing country like Morocco,
11 Casablanca, it's one of the key issues driving my mission
12 is we have to leave behind us something superior that our
13 kids in the next 50 years can use. And I don't think with
14 the decay in Internet today we are going to reap some
15 applause from the next generation of kids.
16 And 2050 I would expect any kid in the world to
17 have access to knowledge through something. And I think
18 we have a moral obligation and a unique opportunity to do
19 something special, not only to look at the profits and
20 look at the stock market and so on and so forth.
21 I think we've got to go beyond this and do
22 something that's going to give some kind of hope and
1 vision for the entire world. We cannot just make money
2 all the time. There are people that do money all the time
3 but I think some of us have to think out of the box and do
4 something that is going to have not only the -- but most
5 probably the kids in Detroit and the Bronx so on and so
6 forth, they have exactly the same digital chasm that we
7 have in Africa.
8 MR. WATSON: Dr. Ladid, if I could, to chase on
9 the international discussion a little bit, one of the
10 charges in the President's directive to us is to look at
11 issues pertaining to international interoperability.
12 And I'm wondering if you could comment a little
13 bit on the issues relating to international
14 interoperability and how they might differ from the
15 concept of general interoperability?
16 DR. LADID: I guess Jim Bound could talk about
17 this in the afternoon session because he leads a project
18 called IPv6 Ready Program which is a worldwide program and
19 the chair is in Japan and we have three groups, one in
20 Japan, one in Europe and one in the U.S. And we're
21 setting some rules how to become interoperable.
22 It's happened, this has happened for IPv4 in a
1 fashionable way through interop which became the show.
2 And we have learned the lesson to specify that create a
3 local program for this. And we're looking at the time
4 scales how things are going to deploy.
5 The toughest one is obviously security so it
6 will be the last one to be done. The program for IPv6
7 Ready was launched a year ago and we have something like
8 70 companies that have got this local. The next one will
9 be to be more detailed and also include IPsec in order to
10 create an interoperability.
11 And v6 mandates IPsec for the manufacturers to
12 make it available. It's up to people to use it. So
13 there's a very important difference here but making it
14 available, I mean, in this case you can spark use this
15 thing and you can expect your correspondent to have the
16 same facilities. And this is very important aspect in
17 terms of interoperating. I guess I will leave it to Jim
18 to talk.
19 MR. WATSON: Dr. Francis.
20 DR. FRANCIS: Just to answer Jim's question it
21 seems to me it's a pretty long distance between IPv6 and
22 talking about social inequity and ghettos and things. I
1 mean, even the New York police and fire departments or
2 whatever the problems were in those guys talking to each
3 other I don't know the details but I doubt they were due
4 to NAT boxes and if they were those guys should have set
5 up a VPN. So these are all fun and good things but I mean
6 I'm not sure what the place is with respect to IPv6.
7 DR. LADID: I would like to address this one.
8 MR. WATSON: Go ahead, Mr. Hain.
9 MR. HAIN: In particular, first responder kinds
10 of situations, because you've got multiple addresses per
11 node by default in every v6 implementation you can have an
12 ad hoc event scene network that allows people to share
13 information locally without having to respond back up
14 through their chain of command while they still maintain
15 access through their chain of command. They're not
16 disconnected at event scene or chain of command process.
17 So there is some potential gain there that we
18 need to think about products in that space and how you
19 would deploy infrastructures that allow these first
20 responders to show up.
21 And since we typically think in terms of first
22 responders being a local situation, we don't think too
1 much outside the box but in the global climate today,
2 first responders are really a global first response. I
3 mean, you've got multiple governments responding to
4 situations that occur in various parts of the world
5 simultaneously and they need these same kinds of
6 capabilities where they can just show up, interoperate
7 with each other while they're maintaining their chain of
8 command process back home.
9 MR. WATSON: Mr. Barber.
10 MR. BARBER: One of the things that I have
11 actually seen in this space has been some of the handset
12 providers who have been experimenting with the IPv6 are
13 actually looking at these ad hoc connectivity things so
14 you would be able to use a handset to call other people in
15 the area through their IPv6 implementation without
16 actually involving the cellular provider per se.
17 You'd be just having handset to handset
18 communication being enabled by this peer-to-peer, this
19 dynamic workgroup that you could set up using this
20 multiple address capability of IPv6. That is a very
21 impressive early development, that is something that we
22 really haven't had before and the potential of that can be
1 very profound.
2 MR. WATSON: Mr. Rotenberg. He's been waiting
3 patiently.
4 MR. ROTENBERG: Well, I want to say I think I
5 probably agree with Dr. Francis that it's a bit of a
6 stretch to think that we solve problems of social
7 inequality through IPv6 deployment.
8 On the other hand, I do think the question
9 points toward the larger sort of historical reminder about
10 the Internet protocol. I think if Vint was here he would
11 probably smile wistfully at the phrase end-to-end.
12 I mean, it really is the original concept of the
13 Internet basically to create the opportunity for people to
14 interact in this digital space without intermediation.
15 Now, we have over the years through NAT been
16 able to make IPv4 continue to work but for people who want
17 to be found, I think this is important to understand about
18 privacy.
19 I mean, certainly there are circumstances where
20 people would like to conceal their location online. There
21 are other circumstances where people very much want to be
22 known, want to be available and want to create the
1 opportunities for networks with networks, communications
2 within larger schema. And I think that is very much sort
3 of at the larger level something that IPv6 does enable.
4 I don't know where it takes us but I do think
5 particularly for a lot of the pioneers it's very closely
6 tied to the original vision.
7 MR. WATSON: And Dr. Ladid, and then Dr. Francis
8 and I think that will be probably all that we'll be able
9 to do for this panel.
10 DR. LADID: Thanks, Paul, for putting a little
11 pepper into the discussion. If I take for instance India
12 and they have something like 2000 ISPs. And these people
13 cannot even pay $5000 to become a member of APNIC not to
14 get D4 address space. So this has created a caste system
15 within the ISP community.
16 Only 3Y address space from APNIC and all the
17 other guys they buy from these people just one or two
18 addresses and then they NAT over NAT over NAT their
19 customers. So it's not anymore Russian protocol. This is
20 a caste protocol. That's what it is.
21 MR. WATSON: Dr. Francis.
22 DR. FRANCIS: I'm a little reluctant to have the
1 last word here because I didn't want to actually have the
2 last word. I was just going to say regarding ad hoc
3 networks, again, for local communications I agree it's
4 better with IPv6 but it's the same story. There are other
5 ways to do it and I'm not even saying that they're better
6 than IPv6 but just keep in mind that IPv6 is not the only
7 path toward these ends.
8 So an ad hoc network you can certainly build ad
9 hoc networks with IPv4. IPv4 can have two addresses and
10 so on. So it's not an end statement itself so maybe
11 someone else should say the last thing.
12 MR. WATSON: Okay. We'll let Mr. Hain then.
13 MR. HAIN: Just real quick the last word here so
14 you don't have the last word.
15 DR. FRANCIS: Thank you.
16 MR. HAIN: Yes, technically you can do it with
17 v4. No argument there. It's a matter of how much system
18 administrator time do you need to actually pull that off
19 and how expert do the people that are actually
20 implementing this need to be.
21 And the expectation here is that the v6
22 implementation is rather automatic so firefighters and
1 police don't have to understand the technology. They just
2 plug stuff together and it works where with v4 they might
3 have to have a system administrator along to reconfigure
4 everything so that they're all on the same network.
5 MR. WATSON: Thank you, very much.
6 ASSISTANT SECRETARY GALLAGHER: Well, I'll just
7 offer one observation, a few closing remarks and then we'll
8 go to our break. The only observation is that, Dr. Francis,
9 there are a few things that are clear to me given your role
10 with NATs.
11 First is that you're going to be a popular
12 speaker as IPv6 becomes more part of our vernacular going
13 forward in the evolution of the Internet. The other one
14 is you might want to keep an eye out over your shoulder
15 for robots that look like Arnold Schwarzenegger being sent
16 back from the future to eliminate this threat to a number
17 of different things in our technology society. (Laughter.)
18 And I'd like to thank all the panelists for a
19 very informative discussion and one that obviously there
20 are deep feelings but there's contributions being made
21 here by all of these individuals and the organizations
22 that they represent to create the knowledge base that we
1 need to know what to do going forward and to have that
2 contribution.
3 So we appreciate your understanding of the
4 capabilities of IPv6 and also of the challenges and we
5 should thank our panelists and then we'll go to a 15-
6 minute break. (Applause.)