Issues of SAAG(ing?) Interest in the USGIPv6 V1.0 Profile
Doug Montgomery (dougm@nist.gov) and Sheila Frankel (sheila.frankel@nist.gov)
NIST / Information Technology Laboratory
Topics Addressed
• What are we talking about?
• USG IPv6 Profile and Testing Program
• Why are we doing this?
• What have we done?
• What we think it means?
• What general issues remain?
• Issues of potential SAAG interest.
• How can you help?
• Submit your comments … in writing!
USG Policy Drivers
• OMB - Policy M-05-22 & FAQ http://www.whitehouse.gov/omb/memoranda/fy2005/m05-22.pdf http://www.whitehouse.gov/omb/egov/documents/IPv6_FAQs.pdf
• All Agencies – Plan for IPv6 adoption. Deploy & use “IPv6 capable/compliant” products in “core” networks by June 2008.
• Requires agencies to “ensure orderly and secure transition”
• FAQ: “Agencies should verify …capability through testing …are required to maintain security during and after adoption …”
• NIST – “The National Institute for Standards and Technology (NIST) will develop, as necessary, a standard to address IPv6 compliance for the Federal government.”
• OMB & GSA – “Additionally, as necessary, the General Services Administration and the Federal Acquisition Regulation Council will develop a suitable FAR amendment for use by all agencies.”
• FAR Case 2005-041, Internet Protocol Version 6 (IPv6) http://edocket.access.gpo.gov/2006/06-7126.htm
• “OMB further requires, to the maximum extent practicable, all new IT procurements include IPv6 capable products and systems.”
• DoD Policy for Enterprise-wide Deployment of IPv6
• http://ipv6.disa.mil/docs/stenbit-memo-20030609.pdf
DRAFT USGIPv6-V1.0
http://www.antd.nist.gov/usgv6-v1-comments.html
Status / Plans
• Circulated for USG IPv6WG Review – 2006-12-22
• USG comments resolved and circulated for public comment – 2007-2-1.
• 30 day public comment period ended March 3rd.
• ~500 comments from ~50 sources.
• Public comments resolved and final document to be published ASAP.
• ~ March.
• Issue plans for the development of a testing program.
• ~ March
• More on this later …..
USGIPv6-V1 Overview
• Scope and Application
• Recommendation from NIST – but in isolation is policy free.
• Applicable to “non classified Federal IT systems”.
• Strategic planning document to guide acquisition of IPv6 technologies for operational deployments.
• Other uses/time-frames are cautioned.
• Defines minimal low-bar of capabilities to:
• Deliver expected functionality
• Ensure interoperability
• Enable secure operation
• Protect early investments
• Technical basis for further refinement and other uses:
• Agency / mission specific technical requirements.
• Everything that is not mentioned is optional.
• Agency / USG acquisition / deployment policies.
• Defines “USGIPv6-V1 Compliant” hosts, routers, NPDs.
• Provides technical basis for product testing and certification program.
Relationship to Other Efforts
• Support OMB/GSA policies
• Provide a basis through which OMB and GSA can further refine either emerging acquisition and deployment policies.
• Avoid policy confusion – allow policy sources to define “USG IPv6 Capable” and FAR in terms of our profile.
• Fill in the technical pieces necessary to support these policies and their time frames.
• E.g., Provide interim specification of Network Protection Devices (firewalls and IDS systems) vital to ensure the security of Federal IT systems under OMB deployment strategy.
• Leverage DoD / IETF / Industry Efforts
• DISR, IETF Node Requirements, IPv6Ready, NSA, ICSA profiles and testing programs carefully analyzed.
• USGv6V1.0 is a synthesis / intersection of these efforts mixed with USG specific requirements.
• Long term goal is to get to a point where a distinct USG profile / testing program is unnecessary.
What the Profile Defines
• Sub profiles for 3 types of devices
• 3. Host Profile
• 4. Router Profile
• 5. Network Protection Device Profile
• 12 Functional Categories of Capabilities
• 6.1 Base
• 6.2 Routing
• 6.3 Quality of Service
• 6.4 Transition
• 6.5 Link Technology
• 6.6 Addressing
• 6.7 IPsec
• 6.8 Application Environment
• 6.9 Network Management
• 6.10 Multicasting
• 6.11 Mobility
• 6.12 Network Protection Devices
• 6.12.1 Source of requirements
• 6.12.2 Common requirements for network protection devices
• 6.12.3 Firewall requirements
• 6.12.4 Intrusion detection and prevention system requirements
General Issues?
• Development of Testing Program
• Expect industry/USG meeting on the topic in May at NIST.
• Linkages to USG Policies
• Working with OMB / GSA to define linkages and time frames.
• Final USGv6-V1 Profile
• Resolve ~500 comments and publish.
• Define profile use / maintenance cycles.
Issues of SAAG Interest?
• General
• Specsmanship
• Detailed profiling of IETF normative requirements is challenging.
• This issue is particularly acute in the IPsec area.
• Poison pill technique?
• Device profiles?
• How many / types of conformance classes of IPv6 implementations?
• USGv6: Hosts, Routers, Network Protection Devices (NPDs)
• IETF: Hosts, Routers
• Why would we need more?
• Allow some IPv6 devices to not implement IPsec, SNMP, DHCP.
• Grandfather existing implementations …
• Why did we need 3?
Issues of SAAG Interest?
• General
• Network Protection Device Profiles
• Capability / behavior specifications for Firewalls, IDS/IPS systems.
• Seeming void in the industry.
• We would have loved to cite consensus standards.
• We did consult “requirements” as we could find them (NSA, ICSA, etc.).
• Received Comment – “remove from USG profile and submit to the IETF”.
• USG has operational deployment policies (June 2008) that can’t wait for this right now.
• Not sure if the IETF considers NPD specifications within their scope.
Issues of SAAG Interest?
• IPsec
• Old or new IPsec/IKE? and when?
• USGv6 Arch: Arch-v2/2401(M), Arch-v3/4301(S+)
• USGv6 IKE: IKE-v1/2409(M), IKE-v2/4306(S+)
• When can IPsec-v3/IKE-v2 be M?
• When could IPsec-v2/IKE-v1 be M-?
• AH mandated or optional?
• USGv6: AH-v2/2402(O), AH-v3/4302(O).
• Seems to be some disagreement in the industry about AH utility/advisability?
• IETF: AH(O) in Arch-v3/4301, but AH(M) in Node-Reqs/4294.
• Concerns about unused/tested protocol, operational concerns.
• Other protocols that require AH? (OSPFv3).
Issues of SAAG Interest?
• IPsec
• Algorithms:
• USGv6 3DES-CBC(M):
• IETF: (M-) for Crypt-ESP-AH/4305 and Crypt-IKEv2/4307.
• USGv6 AES-CBC-128(M):
• IETF: (S+) for Crypt-ESP-AH/4305 and Crypt-IKEv2/4307, (S) for Crypt-IKEv1/4109.
• USGv6 Null-Auth(O):
• IETF: (M) in Crypto-Algs-ESP-AH/4305, but (O) in draft-manral-ipsec-rfc4305-bis-errata-03.txt
• USGv6 AES-GCM/AES-GMAC(O):
• Need understanding of status in industry / DoD.
• IKEv2
• USGv6 NAT-T(M): but UDP-encap/3948 is (O)?
• USGv6 DPD/3706(O): Required/preferred for IKEv2?
Issues of SAAG Interest?
• Base Protocol / Addressing:
• SEND/CGA:
• USGv6: SEND/3971(S+), CGA/3972(S+)
• Consistent with DoD …but, consistent with reality?
• Privacy Addresses
• USGv6: PA/3401(S)
• Some thoughts abound that an IP address is Personally Identifying Information (PII), maybe privacy addresses will be universally mandated?
How Can You Help?
• Submit comments on the draft USGIPv6 profile!
• sp500-267-comments@antd.nist.gov.
• Participate in upcoming forums.
• GSA/OMB “USG IPv6 industry day” – in planning.
• NIST – IPv6 Testing Forum – in planning - ~May 4th @ NIST.
• Encourage / Embrace User Group Participation
• In industry profiles, testing plans, etc.