Do We Really Need SSL?


By Art Reisman, CTO, www.netequalizer.com, www.netgladiator.net.


I know that perception is reality, and sometimes it is best to accept it, but when it comes to security FUD, I get riled up.

For example, last year I wrote about the unneeded investment surrounding the IPv4 demise, and, as predicted, the IPv6 push turned out to be mostly vendor hype motivated by a desire to increase equipment sales. Today, I am here to dispel the misplaced fear around the concept of having your data stolen in transit over the Internet. I am referring to the wire between your residence and the merchant site at the other end. This does not encompass the security of data once it is stored on a disk drive at its final location, just the transit portion.

To get warmed up, let me throw out some analogies.

Do you fear getting carjacked going 75 mph on the interstate?

Most likely not, but I bet you do lock your doors when stopped.

Do you worry about encrypting your cell phone conversations?

Not unless you are on security detail in the military.

As with my examples, somebody stealing your credit card while it is in transit, although possible, is highly impractical; there are just better ways to steal your data.

It’s not that I am against VPNs and SSL; I do agree there is a risk in the transport of data. The problem I have is that the relative risk is so much lower than some other glaring security holes that companies ignore because they are either unaware, or more into perception than protecting data. And yet, customers will hand them financial data as long as their web site portal provides SSL encryption.

To give you some more perspective on the relative risk, let’s examine the task of stealing customer information in transit over the Internet.

Suppose for a moment that I am a hacker. Perhaps I am in it for thrills or for illegal financial gain, either way, I am going to be pragmatic with my approach and maximize my chances of finding a gold nugget.

So how would I go about stealing a credit card number in transit?

Option 1: Let’s suppose I parked in the alley behind your house and had a device sophisticated enough to eavesdrop on your wireless router and display all the web sites you visited. So now what? I just wait there, and hope perhaps in a few days or weeks you’ll make an online purchase and I’ll grab your credit card information, and then I’ll run off and make a few purchases. This may sound possible, and it is, but the effort and exposure would not be practical.

Option 2: If I landed a job at an ISP, I could hook up a sniffer that eavesdrops on every conversation between the ISP customers and the rest of the Internet. I suppose this is a bit more likely than option 1, but there is just no precedent for it – and ISPs often have internal safeguards to monitor and protect against this. I’d still need very specialized equipment and time to work unnoticed to pull this off. I’d have to limit my thefts to the occasional hit and run so as not to attract suspicion. The chances of economic benefit are slim, and the chances of getting caught are high, and thus the risk to the customer is very low.

For the criminal intent on stealing data, trolling the Internet with a bot looking for unsecured servers, or working for a financial company where the data resides and stealing thousands of credit cards, is far more likely. SSL does nothing to prevent the real threats, and that is why you hear about hacking intrusions in the headlines every day. Many of these break-ins could be prevented, but it takes a layered approach, not just a feel-good SSL layer that we could do without.

Commentary: Is IPv6 Heading Toward a Walled-Off Garden?


In a recent post we highlighted some of the media coverage regarding the imminent demise of the IPv4 address space. Subsequently, during a moment of introspection, I realized there is another angle to the story. I first assumed that some of the lobbying for IPv6 was a hardware-vendor-driven phenomenon; but there seems to be another aspect to the momentum of IPv6. In talking to customers over the past year, I learned they were already buying routers that were IPv6 ready, but there was no real rush. If you look at a traditional router’s sales numbers over the past couple years, you won’t find anything earth-shattering. There is no hockey-stick curve to replace older equipment. Most of the IPv6 hardware sales were done in conjunction with normal upgrade timelines.

The hype had to have another motive, and then it hit me. Could it be that the push to IPv6 is a back-door opportunity for a walled-off garden? A collaboration between large ISPs, a few large content providers, and mobile device suppliers?

Although the initial World IPv6 Day offered no special content, I predict some future IPv6 day will have the incentive of extra content. The extra content will be a treat for those consumers with IPv6-ready devices.

The wheels for a closed-off Internet are already in place. Take for example all the specialized apps for the iPhone and iPad. Why can’t vendors just write generic apps like they do for a regular browser? Proprietary offerings often get stumbled into. There are very valid reasons for specialized apps for the iPhone, and no evil intent on the part of Apple, but it is inevitable that as their market share of mobile devices rises, vendors will cease to write generic apps for general web browsers.

I don’t contend that anybody will deliberately conspire to create an exclusively IPv6 club with special content; but I will go so far as to say that in the fight for market share, product managers know a good thing when they see it. If you can differentiate content and access on IPv6, you have an end run around the competition.

To envision how a walled garden might play out on IPv6, you must first understand that it is going to be very hard to switch the world over to IPv6 and it will take a long time – there seems to be agreement on that. But at the same time, a small number of companies control a majority of the access to the Internet and another small set of companies control a huge swath of the content.

Much in the same way Apple is obsoleting the generic web browser with their apps, a small set of vendors and providers could obsolete IPv4 with new content and new access.

10 Things You Should Know about IPv6


I just read the WordPress article about World IPv6 Day, and many of the comments in response expressed that they only had a very basic understanding of what an IPv6 Internet address actually is. To better explain this issue, we have provided a 10-point FAQ that should help clarify in simple terms and analogies the ramifications of transitioning to IPv6.

To start, here’s an overview of some of the basics:

Why are we going to IPv6?

Every device connected to the Internet requires an IP address. The current system, put in place back in 1977, is called IPv4 and was designed for 4 billion addresses. At the time, the Internet was an experiment and there was no central planning for anything like the commercial Internet we are experiencing today. The official reason we need IPv6 is that we have run out of IPv4 addresses (more on this later).

Where does my IP address come from?

A consumer with an account through their provider gets their IP address from their ISP (such as Comcast). When your provider installed your Internet, they most likely put a little box in your house called a router. When powered up, this router sends a signal to your provider asking for an IP address. Your provider has large blocks of IP addresses that were allocated to them, most likely by IANA.

If there are 4 billion IPv4 addresses, isn’t that enough for the world right now?

It should be considering the world population is about 6 billion. We can assume for now that private access to the Internet is a luxury of the economic middle class and above. Generally you need one Internet address per household and only one per business, so it would seem that perhaps 2 billion would be plenty of addresses at the moment to meet the current need.

So, if this is the case, why can’t we live with 4 billion IP addresses for now?

First of all, industrialized societies are putting (or planning to put) Internet addresses in all kinds of devices (mobile phones, refrigerators, etc.). So allocating one IP address per household or business is no longer valid. The demand has surpassed this considerably as many individuals require multiple IP addresses.

Second, the IP addresses were originally distributed by IANA like cheap wine. Blocks of IP addresses were handed out in chunks to organizations in much larger quantities than needed. In fairness, at the time, it was originally believed that every computer in a company would need its own IP address. However, since the advent of NAT/PAT back in the 1980s, most companies and many ISPs can easily stretch a single IP to 255 users (sharing it). That brings the actual number of users that IPv4 could potentially support to well over a trillion!

Yet, while this is true, the multiple addresses originally distributed to individual organizations haven’t been reallocated for use elsewhere. Most of the attempted media scare surrounding IPv6 is based on the fact that IANA has given out all the centrally controlled IP addresses, and the IP addresses already given out are not easily reclaimed. So, despite there being plenty of supply overall, it’s not distributed as efficiently as it could be.

Can’t we just reclaim and reuse the surplus of IPv4 addresses?

Since we just very recently ran out, there is no big motivation in place for the owners to give/sell the unused IPs back. There is currently no mechanism or established commodity market for them (yet).

Also, once allocated by IANA, IP addresses are not necessarily accounted for by anyone. Yes, there is an official owner, but they are not under any obligation to make efficient use of their allocation. Think of it like a retired farmer with a large set of historical water rights. Suppose the farmer retires and retains his water rights because there is nobody to whom he can sell them back. The difference here is that water rights are very valuable. Perhaps you see where I am going with this for IPv4? Demand and need are not necessarily the same thing.

How does an IPv4-enabled user talk to an IPv6 user?

In short, they don’t. At least not directly. For now it’s done with smoke and mirrors. The dirty secret with this transition strategy is that the customer must actually have both IPv6 and IPv4 addresses at the same time. They cannot completely switch to an IPv6 address without retaining their old IPv4 address. So it is in reality a duplicate isolated Internet where you are in one or the other.

Communication is possible, though, using a dual stack. The dual-stack method is what allows an IPv6 customer to talk to IPv4 users and IPv6 users at the same time. With the dual stack, the Internet provider will match up IPv6 users to talk over IPv6 if they are both IPv6 enabled. However, IPv4 users CANNOT talk to IPv6 users, so the customer must maintain an IPv4 address; otherwise they would cut themselves off from 99.99+ percent of Internet users. The dual-stack method is just maintaining two separate Internet interfaces. Without maintaining the IPv4 address at the same time, a customer would isolate themselves from huge swaths of the world until everybody had IPv6. To date, in limited tests, less than .0026 percent of the traffic on the Internet has been IPv6, and that was during a short test experiment; the rest is IPv4.

Why is it so hard to transition to IPv6? Why can’t we just switch tomorrow?

To recap previous points:

1) IPv4 users, all 4 billion of them, currently cannot talk to new IPv6 users.

2) IPv6 users cannot talk to IPv4 users unless they keep their old IPv4 address and a dual stack.

3) IPv4 still works quite well, and there are IPv4 addresses available. However, although the reclamation of IPv4 addresses currently lacks some organization, it may become more economically feasible as problems with the transition to IPv6 crop up. Only time will tell.

What would happen if we did not switch? Could we live with IPv4?

Yes, the Internet would continue to operate. However, as the pressure for new and easy to distribute IP addresses for mobile devices heats up, I think we would see IP addresses being sold like real estate.

Note: A bigger economic gating factor to the adoption of the expanding Internet is the limitation of wireless frequency space. You can’t create any more frequencies for wireless in areas that are already saturated. IP addresses are just now coming under some pressure, and as with any fixed commodity, we will see their value rise as the holders of large blocks of IP addresses sell them off and redistribute the existing 4 billion. I suspect the set we have can last another 100 years under this type of system.

Is it possible that a segment of the Internet will split off and exclusively use IPv6?

Yes, this is a possible scenario, and there is precedent for it. Vendors, given a chance, can eliminate competition simply by having a critical mass of users willing to adopt their services. Here is the scenario: (Keep in mind that some of the following contains opinions and conjecture on IPv6, the future, and the motivation of players involved in pushing IPv6.)

With a complete worldwide conversion to IPv6 not likely in the near future, a small number of larger ISPs and content providers turn on IPv6 and start serving IPv6 enabled customers with unique and original content not accessible to customers limited to IPv4. For example, Facebook starts a new service only available on their IPv6 network supported by AT&T. This would be similar to what was initially done with the iPad and iPhone.

It used to be that all applications on the Internet ran from a standard Web browser and were device independent. However, there is a growing subset of applications that only run on Apple devices. Just a few years ago it was a foregone conclusion that vendors would make Web applications capable of running on any browser and any hardware device. I am not so sure this is the case anymore.

When will we lose our dependency on IPv4?

Good question. For now, most of the push for IPv6 seems to be coming from vendors using the standard fear tactic. However, as is always the case, with the development of new products and technologies, all of this could change very quickly.

$10,000 Prize for Predicting the World Switchover Date from IPv4


Although somewhat overshadowed by the major news stories developing around the world in recent weeks, those of us in the tech industry have seen no shortage of attention paid to the impending changes surrounding IPv4. Just today, I read a few articles about how the world has run out of IPv4 addresses. I also recently received a survey about our specific plans for IPv6.

Even with all of this media attention, however, there are many questions that still remain (one of which we’ve decided to use for a new contest). While we can’t answer all of them, we’d at least like to chime in about a few.

Will a switch to IPv6 really reduce the need for IPv4?

Despite its availability, no one will choose to completely convert to IPv6 until the rest of the world knows how to send and receive it. To do so would be communication suicide. Only when there is a near full conversion to IPv6 could you reliably use it to exclusively communicate. This creates a paradox of sorts: In order to remain accessible to all, you must retain your old IPv4 address.

This is easier said than done for some.

While there are certainly products and services to forward your mail when you establish an IPv6 address, what about a new company established from scratch with no pre-existing Web presence? When the owners call their ISP to obtain an address for their new website, instead of the simple exchange that may have taken place in the past, the conversation will go a little like this:

ISP: “We ran out of IPv4 addresses last week, but don’t worry, we are going to hook you up with a brand-spanking-new IPv6 address and you should be good to go.”

Business Owner: “So, how do the people that don’t speak IPv6 contact me?”

ISP: “Don’t worry. We’ll handle the conversions for you, like the postal office forwards your mail when you move.”

Business Owner: “Yes, but I did not have an existing address. I am a new company.”

Therefore, new companies must not only establish an IPv6 address, but they must also somehow scrounge up an old IPv4 address to prevent being cut off from the percentage of the world that has not switched over.

The point is that even with IPv6, there will be no immediate relief on the IPv4 address space (Fortunately, viable alternatives do exist).

So, when will IPv4 be obsolete?

We have no idea exactly when, but based on the discussion above, we don’t think it will happen any time soon.

What does it mean to be completely switched over to IPv6?

This question will only be answered over time, and even then, it will be open to various interpretations. However, to better track the implementation of IPv6, and to facilitate our understanding of it, we’ve decided to establish a contest.


The Contest

Note: The following is a contest overview. Official contest rules and registration details will be revealed in our April newsletter.

Contest Rules and Requirements

We, APconnections, makers of the NetEqualizer, will award one $10,000 USD prize as per the following criteria:

  • First, you must register for the contest and provide all required information. The registration link will be included in the April NetEqualizerNews newsletter and posted on the NetEqualizer News Blog after our newsletter goes out next month.
  • Winners will be awarded based on predicting the date of the actual adoption of IPv6 worldwide (see below).
  • If no entries are entered for the actual date, then the prize will be awarded to the next closest prediction after the date of switchover.
  • One entry per person. Duplicate registrations will disqualify an entrant.
  • Entrants must be 18 years of age or older on the date of entry.
  • If more than one contestant chooses the winning date, the $10,000 USD prize will be divided equally among winners.

APconnections will monitor and announce when the world has switched over to IPv6 based on the following criteria:

  • The winning date shall be determined by the first time/date we can actively verify that any set of 50 companies with revenue of over $5 million USD per year has changed its public-facing Internet addresses to a full 128-bit address.
  • None of the 50 qualifying companies can be using any form of an older IPv4 address for any public communications with the Internet (i.e., e-mail servers, publicly accessible Web pages administered or licensed to the company).
  • None of the 50 qualifying companies shall be using any special conversion equipment to translate between IPv4 and IPv6 addresses.
  • Internal IPv6 intranet conversions do not qualify.
  • All public addresses at qualifying companies must use an address with more than 32 bits (greater than 255.255.255.255).
  • To be valid for the contest award, IPv6 worldwide adoption criteria date must be validated and published by the APconnections engineering staff and not by any other third party. Please feel free to help us by sending the names of any companies using IPv6 for verification.
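Verifying the criteria above against a company's published addresses is mostly a matter of recognising which 128-bit addresses still embed or depend on IPv4. The following is an added example, not APconnections code: it classifies each address with Python's standard `ipaddress` module and treats IPv4-mapped, 6to4, Teredo and NAT64 (the well-known `64:ff9b::/96` prefix, an assumption made here) as "conversion" cases that fail. Company names and addresses are constructed from documentation prefixes.

```python
import ipaddress
from typing import Dict, List

# NAT64 well-known prefix (RFC 6052). Assumption: an address inside it is taken as
# evidence of IPv4/IPv6 translation equipment, which the contest criteria exclude.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def classify(addr_text: str) -> str:
    """Label an address; native "ipv6" is the only label that satisfies the criteria."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return "invalid"
    if addr.version == 4:
        return "ipv4"            # 32-bit address, fails outright
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped"     # ::ffff:a.b.c.d is 128 bits wide but is still an IPv4 address
    if addr.sixtofour is not None:
        return "6to4"            # 2002::/16 embeds an IPv4 address and is tunnelled over IPv4
    if addr.teredo is not None:
        return "teredo"          # 2001::/32 tunnels IPv6 over IPv4/UDP
    if addr in NAT64_PREFIX:
        return "nat64"           # translated, not native
    return "ipv6"


def disqualifying_addresses(addresses: List[str]) -> Dict[str, str]:
    """Every address that is not native IPv6, mapped to the reason it fails."""
    return {a: classify(a) for a in addresses if classify(a) != "ipv6"}


def company_qualifies(addresses: List[str]) -> bool:
    """True only if there is at least one public address and none of them fail."""
    return bool(addresses) and not disqualifying_addresses(addresses)


def count_qualifying(inventory: Dict[str, List[str]]) -> int:
    return sum(1 for addrs in inventory.values() if company_qualifies(addrs))


def world_switched_over(inventory: Dict[str, List[str]], threshold: int = 50) -> bool:
    """The contest trigger: at least `threshold` companies pass every check."""
    return count_qualifying(inventory) >= threshold


# Constructed inventory using documentation prefixes; company names are placeholders.
CONSTRUCTED_INVENTORY: Dict[str, List[str]] = {
    "company-a": ["2001:db8:a::10", "2001:db8:a::25"],     # native IPv6 only: passes
    "company-b": ["2001:db8:b::80", "::ffff:192.0.2.10"],  # IPv4-mapped mail host: fails
    "company-c": ["2002:c000:204::1"],                     # 6to4 tunnel: fails
    "company-d": ["2001:db8:d::443", "192.0.2.44"],        # still publishes IPv4: fails
    "company-e": ["64:ff9b::c000:221"],                    # NAT64-translated: fails
    "company-f": [],                                       # nothing to verify: fails
}

if __name__ == "__main__":
    for name, addrs in CONSTRUCTED_INVENTORY.items():
        verdict = "PASS" if company_qualifies(addrs) else "FAIL"
        print(name, verdict, disqualifying_addresses(addrs))
    print("qualifying:", count_qualifying(CONSTRUCTED_INVENTORY), "of", len(CONSTRUCTED_INVENTORY))
    print("switched over:", world_switched_over(CONSTRUCTED_INVENTORY))
```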

Again, the official contest rules, registration information, and deadlines will be released in our upcoming April newsletter. So, be sure to sign up.

Do We Really Need IPv6 And When?


By Art Reisman


Editor’s note: Art Reisman is the CTO of APconnections. APconnections designs and manufactures the popular NetEqualizer bandwidth shaper. APconnections removed all Deep Packet Inspection technology from their NetEqualizer product over two years ago.

First off, let me admit my track record is not that stellar when it comes to predicting the timing of imminent technology changes.

In 1943, Thomas Watson, the chairman of IBM, forecast a world market for “maybe only five computers.” Years before IBM launched the personal computer in 1981, Xerox had already successfully designed and used PCs internally… but decided to concentrate on the production of photocopiers. Even Ken Olsen, founder of Digital Equipment Corporation, said in 1977, “There is no reason anyone would want a computer in their home.”

As a young computer scientist 1984-ish, I would often get questions from friends on whether they needed a personal computer. I was on the same bandwagon as Ken Olsen, telling anybody that asked — my dentist, my in-laws, random strangers in the park — that it was absurd to think the average person would ever need a PC.

I did learn from my mistake and now simply understand that I really just suck at predicting consumer trends.

However, while the adoption of the personal computer was a private consumer-driven phenomenon, IPv6 is not a consumer issue. And my track record as an innovator of technology for business is much better. My years of guiding engineering decisions at Bell Labs, and now running my own technology company, provide a good base for understanding the headwinds facing IPv6.

Since the transition to IPv6 is not a consumer adoption issue, it has many more parallels to the Y2K scare than to the iPod. But even then there are major differences.

Y2K had a time-bomb deadline. You could choose to ignore it, but most IT managers could not afford to be wrong, so they were played by their vendors with expensive upgrades.

My prediction is that we will not transition to IPv6 this century, and if we attempt such a change, there will be utter chaos and mayhem to the point that we will have to revert to IPv4.

Here’s my argument:

  1. There is no formal central control for certification of Internet equipment. Yes, manufacturers are self-proclaiming readiness, but even if they all do a relatively good and professional job of testing — even with 99 percent accuracy — on switchover day, the day everybody starts using the IPv6 address space, the cumulative errors from traffic getting lost, delayed, or bounced by the one percent of equipment with problems will bring the Internet to its knees. I don’t think the world will sit around for a few weeks or even months without the Internet while millions of pieces of routing equipment from thousands of manufacturers are retrofitted with upgrades.
  2. There’s no precedent. The only close precedent for changing the Internet address space would be the last time AT&T added extra digits to the dialing plan. At the time they controlled everything from end to end. They also had only one mission, and that was to complete a circuit from A to B. Internet routers, other than in the main backbone, perform all kinds of auxiliary functions today such as firewalls, Web filtering, and optimization, further distancing themselves from any previous precedent.
  3. We have a viable workaround. Although a bit cumbersome, organizations and ISPs have been making do with a limited public address space using Network Address Translation (NAT) for more than 10 years already. NAT can expand one Internet address into thousands. Yes, public IP addresses for every man, woman and child on Earth and every other planet in the Milky Way are possible with IPv6, but for the foreseeable future, NAT combined with the 4 billion addresses available in IPv4 should do the trick, especially given the insurmountable difficulty of a switchover.
  4. Phased switchover nonsense? The pundits of moving to IPv6 are touting a phased switchover. I am not sure what this accomplishes. If one set of users starts using a larger address range, for example the Indian Government, they will still need to keep their original address range in order to communicate with the rest of the world. To realize the benefits of IPv6, the world as a whole will need 100 percent participation. A phased switchover by a segment of users will only benefit vendors selling equipment.
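Point 3 above, like the FAQ's claim that NAT/PAT can "stretch a single IP to 255 users", rests on how a port address translation table works, and the limit it runs into is port space rather than addresses. The toy translator below is an added example, not NetEqualizer code; the private and public addresses are constructed from RFC 1918 and RFC 5737 documentation ranges. It also shows the incidental security property of PAT: inbound traffic with no existing mapping is dropped.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


class PortAddressTranslator:
    """Toy PAT table: many private hosts share one public IPv4 address.

    Each outbound flow (private src -> remote dst) is rewritten to the public
    IP plus a unique translated port; replies to that port from the same remote
    peer are mapped back. Unsolicited inbound packets have no mapping and are
    dropped, which is why NAT is often (mis)described as a firewall.
    """

    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.port_range = port_range
        self._next_port = port_range[0]
        # (src, dst) -> translated public port
        self._outbound: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # (public port, remote peer) -> private src
        self._inbound: Dict[Tuple[int, Endpoint], Endpoint] = {}

    def capacity(self) -> int:
        """Translated ports available, i.e. concurrent flows this table can hold."""
        return self.port_range[1] - self.port_range[0] + 1

    def active_flows(self) -> int:
        return len(self._outbound)

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """(public_ip, port) that a packet from src to dst leaves with; None if exhausted."""
        key = (src, dst)
        if key in self._outbound:
            return (self.public_ip, self._outbound[key])
        if self._next_port > self.port_range[1]:
            # Port space is the real limit on how far one address stretches. Production
            # NATs reuse a port across distinct remote peers; this toy allocates fresh ones.
            return None
        port = self._next_port
        self._next_port += 1
        self._outbound[key] = port
        self._inbound[(port, dst)] = src
        return (self.public_ip, port)

    def translate_inbound(self, public_port: int, remote: Endpoint) -> Optional[Endpoint]:
        """Map a reply on public_port from remote back to the private host; None means drop."""
        return self._inbound.get((public_port, remote))


def hosts_per_public_ip(capacity: int, flows_per_host: int) -> int:
    """How many hosts one public address serves if each keeps flows_per_host flows open."""
    return capacity // flows_per_host


if __name__ == "__main__":
    # Constructed scenario: three home devices behind one ISP-assigned address.
    nat = PortAddressTranslator("198.51.100.7")
    web = ("192.0.2.80", 443)
    for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        print(host, "->", nat.translate_outbound((host, 51000), web))
    print("reply to port 1025 ->", nat.translate_inbound(1025, web))
    print("unsolicited to port 4000 ->", nat.translate_inbound(4000, web))
    print("hosts per IP at 30 flows each:", hosts_per_public_ip(nat.capacity(), 30))
```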

Despite these predictions, the NetEqualizer is ready for IPv6. We have already done some preliminary validation of the IPv6 implementation in our NetEqualizer. In fact, we have even run on networks with IPv6 traffic without issues. While we have some work to do to make our product fully functional, we’ve already tested enough to have confidence that if and when the IPv6 switchover happens, we will not cause any issues.
