Trustv6 in the Network
05/12/2023
By Jeffry Handal, Principal SE at Cisco Systems
Introduction
What do IPv6, Zero Trust Architecture (ZTA), and QUIC have in common? They are all making a strong showing in the industry to solve problems in 2023! IPv6 has been the doom and gloom Internet protocol that has finally made its mark in the last few years, making up more than 50% of the global traffic in some parts of the world [1]. Zero Trust has been abuzz in the market, prompting us to think about security to the point that it is something everyone is concerned about. And QUIC has been that mysterious traffic we have seen on and off spiking in our networks but is now coming to save the day with practical implementations.
This article will take us a bit down memory lane. Then, we will briefly cover the philosophy of zero trust and force you to think about it in a new light founded on the principles of abundance and certainty, with observations from a very practical viewpoint.
Memory Lane
Early in my career, the focus of IT was to ensure basic connectivity. Technology, standards, and available services were not as robust as they are today. Security was an optional investment of time, and frankly, many solutions in the market did not offer it. As technology matured, so did the standards. We have moved to a world where connectivity is reliable to the point that we now have the luxury of moving to protocols like QUIC that are UDP-based. This has freed us to invest more time in other ways to optimize our networks, like security. However, it is no accident security has quickly risen to the top of the list. More on this later.
In school, we are taught to solve a problem using a series of constraints and assumptions. The world as we perceive it seems to mimic this behavior in the sense that constraints do exist, and they are not always limited by the technology but more by what we like to call “layer 8” – the human element. The point of this thought experiment is to think the opposite way. Why should we always start with limitations and inhibitors? What if we designed with abundance in our set of assumptions rather than constraints? That would unleash human creativity, uncover new ways to solve problems, and free us to think differently. This is precisely the promise IPv6 offers. It is a resource rooted in abundance. As such, the problem of zero trust should take a different path.
Enough about the past. Let’s start to explore how IPv6 and security go together to help us create productive environments for the people we serve.
Zero Trust Decoder Ring
We have all heard security is like an onion in that it has layers. Have you ever stopped to ponder what that means in practical terms? If you have not, consider this: it’s about reducing risk and knowing at each layer what the consequences are. For example, contemplate the perimeter SD-WAN firewall as the outer layer of the onion. It helps you mitigate risk from the outside world – the broader Internet. An inner layer may be the host firewall of your operating system; it helps you limit access from the broader Internet and your internal network domain.
Zero trust is not a new concept; it is defined by many in various ways. However, one thing should remain clear: it is not a product! Simply put, it is a mindset. A mindset that means we all have a responsibility (including users) to ensure an efficient, secure use of company resources to boost productivity.
Another security reference model I like to point to is Cisco’s Secure Architecture for Everyone (SAFE) [2]. It breaks down layers of security into elements we can relate to easily and adapt to our own environments. The point of the model is to understand our operation, involve all the stakeholders, and figure out the capabilities we have to reduce that risk. In the context of zero trust, it provides a powerful blueprint that identifies gaps and creates targets we can set our eyes on. The goal is to develop an attainable journey toward a zero trust modus operandi.
Trustv6
The Internet was founded on the principle of end-to-end connectivity. As mentioned earlier, first, we focused on connectivity. Then, technology matured and became stable; it set the expectation of reliability. This in turn has allowed the Internet community to shift focus and develop new protocols and principles like the subject of this article. Zero trust promises the ability to work securely from anywhere and at any time. However, if your zero trust mindset is predicated on the prevalence of IPv4, you just put a wrinkle in the promise stated earlier. What happens to users on IPv6-only networks? Do they not get access?
IPv4 connections place packets in a less than desirable position since they can be manipulated during the NAT function, for instance. Even worse, consider Carrier-grade NAT (CGNAT). Do you know who is behind those connections? It makes for a difficult day at the office when you must troubleshoot an issue. Now, let’s look at IPv6. IPv6 connectivity opens a world that is connected end-to-end, which changes the equation quite a bit and adds a level of simplicity. This does not mean we use IPv6 as an identity, but to increase the level of “trust” in what we see coming across. Let’s unpack this a bit more. I trust more packets that come directly from the entity trying to establish a connection with my applications rather than packets that have been manipulated somewhere along the path through middle boxes (e.g., NAT44 engines, SSL decryption services). This should not be confused with trust being established. Instead, consider the potential for risk to be reduced by this form of direct communication. At the end of the day, the secure outcome of a zero trust architecture is not to eliminate risk but to reduce it. IPv6 is serving as a building block to get it a step closer.
Practical Advice
In the previous sections, we laid out the groundwork for a new mindset calibration. Now, let’s turn it into something practical we can take back to our organizations. As you shift your outlook into a zero trust approach, consider the following points:
User Experience: While seeking the utopia of secure, efficient operations, let’s not forget our users and their productivity. They are the reason we are here. It is not about the best security or having the most expensive tools. It’s about having the right user access the proper resources securely without experiencing frustration all while upholding the company’s security governance. Measure it and set proper expectations. Find the right balance of security and performance. And let’s not forget, wink, wink, many studies show IPv6 tends to perform better.
Trust your Model: There are many ways to think about zero trust, and many have defined it (e.g., NIST, Gartner, {insert your favorite company name here}), but realize there is no right answer. There is just the answer that makes sense for your organization. You must adapt industry best practices and technologies to your users’ habits, company policies, and tools (e.g., applications) in a way that makes sense. Remember, at the end of the day, it’s about keeping the lights on so your entity may fulfill its mission. Do not get attached to IPv4, a security tool, or old school thinking. Evolve, stay curious, and learn something new. It will make work more fun.
The End-to-end Challenge: Just like the game of telephone we used to play when we were little, the message will be lost between the originator (e.g., user) and its final destination (e.g., the application). The Internet community has been working hard to give us more end-to-end (E2E) tools. For example, they have given us IPv6, Messaging Layer Security (MLS), and QUIC, among other things. It is up to us to put these “tools” in place to begin the journey to set up a good foundation for zero trust that is rooted in the advantages E2E gives us. In a more direct way: network admins, go out and deploy IPv6 in your enterprise networks. Application developers, adopt new protocols like QUIC or MLS to establish communications with end users. The point is, do not sit still; our adversaries are not.
Security by All: Security is no longer optional or just the responsibility of the security group. We all now bear a bit of responsibility and must do our part. From the application developer to the user, and from the open-source community to the network operator, we all must assume a level of responsibility to develop secure, accessible operations that keep our users’ experience in mind.
The C-suite: Just a few years ago, security was not in the top 5 items CIOs were investing in. Fast forward to today, this is not even questioned [3]. Security is an item of concern for all. Recent world events like the Ukraine war [4], COVID-19 and work from home, or the rise of ransomware, have really brought home that we are not ready to go head-to-head with the adversary. All we are left to do is reduce risk to allow businesses to move forward. Therefore, leverage this moment in time to help fund those projects that will help the organization embrace the modern approach to connectivity (i.e., IPv6) and security (i.e., zero trust mindset).
While we may get nostalgic about where we have been, it is time to move on. We are in a time where we have more compute power in our hands than the Space Shuttle ever did. This is allowing us to evolve the way we work, live, and play. So, no matter where an application lives, the principles of zero trust should be the way to allow the right access, at the right time, and from the right locations, especially when on IPv6-only networks – which we should trust more for the betterment of humanity. ☺
References
[1] https://www.worldipv6launch.org/measurements/
[2] https://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_safe.html