HP 635n HP Jetdirect Print Servers - Practical IPv6 Deployment for Printing an - Page 3

Page 3 highlights

address. These public IP addresses will eventually not be available due to IP address exhaustion as more and more public IP addresses are handed out. The time when these IP addresses will no longer be available is the subject of much debate and most often hinges on how existing IP addresses can be "taken back" and used more efficiently; however, the day will eventually arrive. For more information, please refer to the Frequently Asked Questions section for the recent ARIN resolution on IPv4 address depletion and moving to IPv6: http://www.arin.net/v6/v6-faq.html

Statement: With Microsoft's Vista and Server 2008 having IPv6 enabled by default, simply running an IPv4 application on these platforms will allow it to become IPv6 enabled and participate in IPv6 communication.

Status: Myth

Practical Consideration: Widespread Vista and Server 2008 deployment primarily means a Dual-Stack transition mechanism for network applications. Dual-Stack refers to an application having both IPv6 and IPv4 communication available to it. However, these software applications will need to be modified (source code changed, recompiled, etc.) to support what is called an "IP Neutral" Application Programming Interface (API). An IP Neutral application can communicate over IPv4 or IPv6 transparently to the user. An IPv4 application not modified to be IP Neutral will remain an IPv4-only application when executing on a Dual-Stack machine such as Vista, because the application uses an API which only understands IPv4. Also, software solutions that are comprised of multiple dependent applications must have all their dependent applications modified to be IP Neutral for the software solution to be IP Neutral.

Statement: Moving to IPv6 will make my network more secure because IPsec is required.

Status: Myth

Practical Consideration: IPv6 will be delivered to customers with IPsec support and without IPsec support. In addition, should IPsec be delivered with IPv6, it still must be configured to be utilized, and an IPsec configuration can be a complex and time-consuming process to get right for a medium to large sized network.

In another sense, deploying IPv6 to an existing IPv4 network can also be seen to weaken the security of the network. It is very important to explore this point further. There is a vast amount of expertise in the network security world with IPv4. Intrusion detection and prevention devices, firewalls, demarcation routers, etc. all understand IPv4 pretty well. This IPv4 expertise doesn't necessarily translate into IPv6 expertise. Introducing IPv6 into a stable IPv4 environment allows for more attack vectors against popular TCP/IP protocols, and a proper evaluation of IPv6 deployment is required.

As an example, an IPv4 router which has many TCP/IP access control lists that restrict the type of applications that can be used for IPv4 is upgraded to support both IPv4 and IPv6 routing. Unless these access control lists are duplicated for IPv6, applications using IPv6 can circumvent the access lists that were in place for IPv4. Before deploying IPv6 to parts of the network that have a high amount of security configurations or security devices, be sure to understand how the configuration of these devices will need to change to accommodate IPv6 and understand whether these devices have an IPv6 upgrade and support plan. As an example, the latest HP printing and imaging products with Jetdirect technology allow for IPv4 and IPv6 to be treated equally with regard to security configurations, such as the negotiation of IPsec or the configuration of packet filtering rules.

Statement: IPv6 is plug-n-play. By simply turning on IPv6 routing, my IPv6 devices will auto configure and IPv6 can be used just like IPv4 with DHCP.

Status: Myth

Practical Consideration: IPv6 Stateless Automatic Address Configuration (SLAAC) does make it easy for an IPv6 device to obtain a routable IPv6 address. Unfortunately, this ability comes at a high price of not being able to securely update DNS with name-to-IPv6-address mappings (Note: integration into Microsoft's Active Directory can overcome this limitation). Given the length of IPv6 addresses and the goal of IP Neutrality for applications, names are much preferred over explicit IP addresses. It will be tempting for many customers to allow for unsecured Dynamic DNS updates to overcome this limitation in SLAAC. Customers should be aware that the large device space (64-bit identifier in the IPv6 address) with IPv6 means that discovery of IPv6 devices will be difficult to brute force in a short time and many attackers will logically move towards DNS as a way of finding and
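The "IP Neutral" API point from the first myth, shown as an added example (not code from the HP document): an IPv4-only call pattern next to one that lets getaddrinfo() choose the address family. The function names and the sample port 9100 are assumptions made for illustration.

```python
import socket

def ipv4_only_endpoint(host, port):
    """Legacy pattern: the address family is hard-coded to IPv4."""
    # inet_aton() understands IPv4 text only; an IPv6 literal raises OSError.
    packed = socket.inet_aton(host)
    return (socket.AF_INET, (socket.inet_ntoa(packed), port))

def ip_neutral_endpoints(host, port, numeric_only=False):
    """IP Neutral pattern: getaddrinfo() reports the family per address."""
    flags = socket.AI_NUMERICHOST if numeric_only else 0   # skip DNS if set
    infos = socket.getaddrinfo(host, port, family=socket.AF_UNSPEC,
                               type=socket.SOCK_STREAM, flags=flags)
    return [(family, sockaddr) for family, _t, _p, _c, sockaddr in infos]

def connect_ip_neutral(host, port, timeout=3.0):
    """Try every returned address, IPv6 or IPv4, until one connects."""
    last_error = None
    for family, sockaddr in ip_neutral_endpoints(host, port):
        sock = None
        try:
            # The socket is created with whatever family was returned,
            # so the same code path serves both protocols.
            sock = socket.socket(family, socket.SOCK_STREAM)
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            return sock
        except OSError as exc:
            last_error = exc
            if sock is not None:
                sock.close()
    raise last_error or OSError("no usable address")

if __name__ == "__main__":
    # Constructed inputs: numeric literals, so nothing is looked up in DNS.
    for literal in ("127.0.0.1", "::1"):
        print(literal, ip_neutral_endpoints(literal, 9100, numeric_only=True))
        try:
            print("  IPv4-only API:", ipv4_only_endpoint(literal, 9100))
        except OSError as exc:
            print("  IPv4-only API rejects it:", exc)
```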
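The access control list gap from the second myth can be checked mechanically before IPv6 routing is enabled. The following is an added example, not part of the HP document: the rule syntax is a constructed, vendor-neutral format (an assumption, not any router's configuration language), and the check lists every IPv4 rule that has no IPv6 rule with the same action, protocol and port.

```python
from dataclasses import dataclass

# Constructed sample in a made-up format (not a real router syntax):
# <family> <action> <protocol> <destination-port>
SAMPLE_RULES = """\
# IPv4 list that existed before the upgrade
ipv4 deny   tcp 23
ipv4 deny   tcp 21
ipv4 deny   udp 161
ipv4 permit tcp 9100
# IPv6 list added after dual-stack routing was enabled
ipv6 deny   tcp 23
ipv6 permit tcp 9100
"""

@dataclass(frozen=True)
class Rule:
    family: str   # "ipv4" or "ipv6"
    action: str   # "permit" or "deny"
    proto: str    # "tcp" or "udp"
    port: str     # destination port

def parse_rules(text):
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                      # blank line or comment
        if len(fields) != 4 or fields[0] not in ("ipv4", "ipv6"):
            raise ValueError(f"line {lineno}: unrecognised rule {line!r}")
        rules.append(Rule(*fields))
    return rules

def ipv6_gaps(rules):
    """IPv4 rules whose (action, proto, port) has no IPv6 counterpart."""
    v6 = {(r.action, r.proto, r.port) for r in rules if r.family == "ipv6"}
    return [r for r in rules
            if r.family == "ipv4" and (r.action, r.proto, r.port) not in v6]

def report(text):
    return [f"no IPv6 equivalent for: {g.action} {g.proto} port {g.port}"
            for g in ipv6_gaps(parse_rules(text))]

if __name__ == "__main__":
    for line in report(SAMPLE_RULES):
        print(line)
```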

