Security stasis as NBN Co, Telstra consider how to move customers to IPv6

A massive base of legacy IPv4 equipment will complicate things for a long time to come

Tom Sykes, product development and sales manager with NBN Co
(left) with Tony Hill (Chair, Asia Pacific IPv6 Task Force)

Internet service providers (ISPs) and telecommunications providers may be plotting their moves to embrace next-generation IPv6 network protocols, but a massive base of legacy IPv4 equipment will complicate things for a long time to come, executives of both Telstra and NBN Co have warned.

Telstra, for its part, has been pursuing a dual-stack IPv6/IPv4 setup that will allow it to guide its large customers towards the newer protocol – which includes features like a much larger address space and built-in IPSec security – while avoiding problems with customers' existing IPv4 setup and customer premises equipment (CPE).

CPE, such as broadband modems and set-top boxes, introduces issues due to economies of scale and will require a massive overhaul to root out and replace devices that don't fit into IPv6 security and administrative models. Enabling this has proved to be a real challenge, requiring extensive equipment upgrades and changes to the company's operational support systems (OSS).

Through careful planning and a focus on equivalence between IPv4 and IPv6 services, the Telstra team has come through the process unscathed and successfully completed the commercial launch of IPv6 services in early September, director of transport and routing engineering David Robertson told attendees at this week's IPv6 Summit in Melbourne.

"Telstra aim to provide consistency of experience with our products when adding IPv6 features," he explained. "IPv6 needs new rules, and some new rules require brand new ways of working. We have to ensure there's no disruption to our well-established networks and very large customer base."

The telco had worked on the IPv6 implementation until it could deliver "consistency of experience with our products" across both protocol stacks, Robertson explained, with a risk-minimisation policy of "deliberately not using or encouraging" protocol translation stacks like 6to4 and Teredo tunnels, which have been shown to have high error rates that compromise security and reliability.

Relying on native protocol support should make for a cleaner transition that allows native security technologies to be applied to both stacks. However, despite the benefits of the new stack and widespread testing showing it works effectively, Robertson said Telstra faces a very real challenge as it decides what to do with millions of IPv4-only modems and other access devices strewn across the length and breadth of its network.

Those devices are managed by the OSS infrastructure, which had to be upgraded to manage IPv6 and IPv4-based CPE through similar capabilities. "We've got to be awfully cautious that we don't reduce our capacity by 50 percent" by prematurely stranding the company's IPv4 environment, he explained.

"IPv6 capabilities in both the fixed broadband and mobile space are emerging, and home CPE and management of the home needs to be considered. There's a lot of legacy CPE out there which is simply not capable of being upgraded. The question is really how long you can use IPv4, and the answer is 'a very long time'."

While some Australian carriers have been working to shift consumers towards IPv6-compliant equipment, the massive installed base of IPv4-only gear makes support for the current protocol mandatory. This, in turn, will perpetuate the disconnect between security profiles on the new and old networks and force customers to manage two security environments simultaneously.

It's a common problem for carriers jumping towards IPv6, says Internet Society of Australia DO Hub director Richard Jimmerson. "When a large provider has to go in and deploy LSN, it's because they don't want to have to ring up their customers and tell them the device they bought at the electronics store four months ago doesn't work anymore," he explained. "They have to continue to support all of those devices and services that are legacy v4 and may never be IPv6 compliant in the future."

If Telstra's migration is about managing its legacy towards the future, NBN Co has the distinct advantage that it's starting from scratch and has no such restrictions. That fact helped the company specify a robust IPv6-capable network termination unit (NTU) that is making NBN customers IPv6-ready from the day they connect to the network.

As operator of an extremely high-volume network infrastructure, NBN Co has had to deliver a number of adaptations for tasks such as performance management and remote administration of its NTUs. It has also implemented a dual-stack solution for its voice ports, which run over a separate logical internal network.

Lack of a legacy infrastructure has helped NBN Co focus on mapping its services to the capabilities of IPv6, with multicast support expected to be offered to the market by the second quarter of 2012, packet identification tying customers to their NBN retail service provider (RSP) and four hard-coded classes of traffic tapping into IPv6's built-in quality of service (QoS) capabilities. A later option will be the delivery of priority bit mapping, which helps the network prioritise certain users.

"For IPv6 this is totally transparent," said manager of solutions architects Tom Sykes. "Once we get to April next year, we'll have a full suite of session management options available for RSPs. We're in early stages and trying to do what's required – but the good thing about building a network from scratch is that you can put these requirements into requests for proposal, and make sure they're complied with."

Stories by David Braue
