Take This Commodity for Granted and Security Will Suffer

Take This Commodity for Granted and Security Will Suffer

Sometime next year, likely starting in March 2011, the world is going to run out of a commodity that governments, businesses and consumers have largely taken for granted. Without a fix, communications will be hampered and economic growth could be stunted on a global basis.

Rationing has only had a minor impact on the world's voracious appetite for this dwindling commodity, unassigned Internet protocol version 4 (IPv4) addresses. The good news is that scientists and engineers have a solution: IPv6, which provides orders of magnitude more addresses — approximately 3.4 x 1038 — whereas IPv4 provides a mere 4.3 billion (4.3 x 109). While there have been numerous previous warnings of the depletion of unallocated IPv4 addresses, most experts seem to concur that with current consumption trends and mitigation efforts, the primary entity for maintaining and monitoring IP addresses on a global basis, the Internet Assigned Numbers Authority (IANA), will run out of its remaining blocks of IPv4 addresses early next year.

Over the next eight months, each of the Regional Internet Registries, starting with the APAC Network Information Center (APNIC), will run out of its remaining IPv4 address blocks. In fact, Geoff Huston, Chief Scientist at APNIC, has a daily IPv4 address report that predicts IANA address depletion will occur in March and highlights APNIC's current average daily assignment of addresses is an astonishing 700,000!

While there have been some valuable IPv4 address reclamation and
Reassignment efforts, most of the “easy” reassignments have already been executed. IT/network experts believe that future reallocation efforts will be of limited value, as all or most devices in a given IPv4 network will need to be assigned new addresses. The cost to do this for a large corporate network is believed to be about the same as simply migrating to IPv6.

So, what happens after all the IPv4 addresses have been assigned? Will the Internet and all networked devices, including security systems, stop working? No.

However, new devices and services will have to be assigned IPv6 addresses that will not work with older IPv4 hosts and networks without IPv4/IPv6 gateway translation services. While you can expect these services to be offered by major service providers and supported by most networking devices (routers and switches that have been produced in the last 10 years or so) with software upgrades, security system end users, dealers and integrators, as well as manufacturers, should be prepared to make the transition to IPv6. Depending on your role, that preparation will be dictated by how the security system is deployed and used and your future expansion plans.

Owner/End User Considerations
As a security system owner or end user, the approach to IPv6 planning and implementation depends on one of the following scenarios:

1. If the security system is not connected to the Internet or to a business network and there is no plan for adding new devices, it is reasonable to continue to use and buy security products that only support IPv4 addresses. However, it should be understood that these types of security systems will have a number of limitations in terms of remote access and that certain features offered in newer security products may not work in these closed systems. Moreover, there will be a time when IPv6 will become an issue in these systems as products age and must be replaced with newer products which will only work on an IPv6 network.

2. If there is a need for the security system to communicate over the Internet, or work with an operate on the business network, or there is a plan to add new security devices to an existing system, or an additional site (such as a new branch office or campus) is required, it is time to get ready for IPv6.

Clearly, it is highly advisable for security system owners to work with their respective IT departments if the security system is connected to the business network or the Internet. Without the proper coordination, both the security system and the business network could be adversely impacted. The IT organization will likely have an even greater need to resolve IPv4 issues and may provide all or part of the solution needed for the security system as well.

In most cases, IPv6 readiness will require system owners to take an inventory and assess which of the current security devices already support IPv6 or can be updated with new firmware or software that will make them IPv6-compatible. For those devices that are not and cannot be upgraded, end users or their respective IT groups can purchase translation gateway devices (such as dual IPv4/IPv6 protocol stack-enabled servers or routers) or translation services from their ISPs. These translation devices and services will allow IPv6 and IPv4 devices to coexist and communicate with each other.

Ideally, all future security system purchases should be capable of supporting IPv6. However, if an IPv4 device that cannot be upgraded must be purchased, system owners should talk to their dealer, integrator and/or the manufacturer about discounts or upgrade programs for purchasing IPv4-only products until IPv6 products are available.

Manufacturer Considerations
Given that depletion warnings have been in the news for several years and that major customers, particularly government agencies, have had IPv6 compatibility requirements for about the same period of time, most manufacturers should be well-prepared. For those manufacturers who develop software that runs on top of Microsoft or Linux, these operating systems have IPv6 capability. Thus, the security application software modifications should be fairly minimal and IPv6 compatibility should be no more than a software release upgrade away.

On the hardware side, IPv6 can create more of an issue. Compatibility has dependencies on the semiconductor or IC chips used, internal system architecture, available memory and firmware flexibility. If the security device has been in the market for 10 or more years, it is somewhat understandable that the device cannot be upgraded to support IPv6. However, it would seem logical that a newer generation of the hardware should already be available or nearing introduction.

If the hardware is not already for sale in the market, manufacturers should consider offering discounts or implementing low- or no-cost upgrade programs such that IPv4 products can still be competitively sold between now and the next generation becoming available.

Dealer/System Integrator Considerations
Based on the foregoing discussions for end users and manufacturers, it should be clear that dealers and system integrators need to be very familiar and comfortable with IPv6 deployment requirements now. As it is likely that system integrators and dealers have already sold IPv6-capable products, the key success factor is and will be experience. If none of these system installations are currently using IPv6, it is probably time to actually enable IPv6 on various manufacturers' products in labs or in prototype system setups.

System integrators will need to understand the capabilities of not only security devices and software, but also the capabilities of the customer's networks, as well as the capabilities offered by ISPs that operate in the system integrator's sales territories.

From a consultative sales perspective, dealers and system integrators should proactively discuss with the customer the issues and trade-offs associated with various vendors' products and how they will perform in the customer's security system environment. This is where IPv6 experience will differentiate one integrator/dealer from another. Moreover, as few to no system deployments or upgrades go quite as planned, the experience derived from having used IPv6 products will be helpful when it comes time to troubleshoot operational issues.

Closing Thoughts
It now seems certain that IPv6 security systems will be deployed in the next year or two, at the latest. While various networking technologies and address reallocation pools have put off the impending IPv4 address depletion, it seems that most experts now concur IPv6 deployment is imminent. ISPs in all theaters have begun their migration activities, albeit some have only started the process lately or are in the final planning stages. IPv4 systems will still be commonplace and relevant for some time; however, new device additions, remote access or remote-site connectivity and new security system deployments will pose new but addressable challenges.

The key is to plan ahead and understand the capabilities of existing devices and systems. Work with your counterparts whether they are in the IT department, system integrators/dealers, manufacturers or end users/ system operators. Surprises should be minimized, and the use of IPv6 products will enable some new capabilities that will make the job of security professionals easier and make them more productive.

About the Author
Robert Beliles was an executive at Hirsch Electronics (an Identive Group company). He also cofounded Cisco Systems' networked physical security business and was responsible for its flagship switch and one of the first VoIP-enabled routers. For more information, please contact b2convergence@gmail.com.

Share to:
Comments ( 0 )

asmag.com provides weekly and monthly e-Newsletters which include the latest security industry news, vertical solution case studies and product information.

Please key in code