Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IPv6 Implementation Guide: It's Go Time

  • We've been talking about it for years, but now it's official: The American Registry for Internet Numbers (ARIN) has run out of IPv4 addresses. In late September, ARIN announced that it had issued the final IPv4 addresses in its free pool.

    ARIN advised that users "usher in the next phase of the Internet by deploying IPv6 as soon as possible.” Of course, networking experts have been encouraging IPv6 deployment for a long time, and enterprises have been quite resistant. However, IPv6 adoption has been growing much faster than most people realize. Google statistics show US users at nearly 22%, and that number is rapidly increasing. In addition, the Internet Society tracks Verizon Wireless at more than 72% IPv6 deployment, as measured by connections from users to five major websites that use IPv6 (Google, Facebook, Akamai, LinkedIn, and Yahoo).

    Why do we need IPv6?

    The IPv6 protocol was established because the number of IPv4 addresses was being depleted so quickly. The IPv6 protocol creates a 128-bit address, four times the size of the 32-bit IPv4 standard, providing infinitely more available IP addresses. This will accommodate all the smartphones, tablets and other computers on the network, but also the coming proliferation of Internet-connected devices including refrigerators, cars, and myriad sensors in homes, buildings and on IP networks.

    Enterprises may not need to go IPv6 internally, but should consider that users will be accessing their publicly facing websites with devices using IPv6, especially if they're using mobile devices. Websites that haven't added IPv6 will perform more slowly when accessed by IPv6-enabled phones than those with IPv6 because the traffic will need to translated by a mobile operator.

    Jeff Carrell, a consultant at Network Conversions and an IPv6 expert, advises enterprises to start implementing IPv6 is in their forward-facing systems, including their web servers, load balancers, and firewalls.

    More core infrastructure applications are requiring IPv6, and at some point, major applications will stop supporting IPv4. IPv6 has been enabled now for about six years in most operating systems, and there are potential network design gains an enterprise can realize with IPv6 simply because of the new address size.

    How different is IPv6 from IPv4? It’s based on a colon-hexadecimal system, compared to IPv4 being dotted-decimal. Besides its 128-bit number vs. IPv4's 32 bits, it has no broadcast-type message. Those messages you know as broadcast in IPv4 are now link-local multicast. IPv6 also has a few other operational differences from IPv4.

    Some technologists may believe you can simply "turn on" IPv6, but that's not case. You may not break your network, but there's a good chance some things will not work as they did before, or they'll work different (generally slower) providing a poor user experience.

    (Images: ARIN)

  •  

    IPv6 benefits

    With IPv6, everything from appliances to automobiles can be interconnected. But an increased number of IT addresses isn't the only advantage of IPv6 over IPv4. Below are the major benefits of ensuring your hardware, software, and services support IPv6:

    1. More efficient routing

    IPv6 reduces the size of routing tables and makes routing more efficient and hierarchical. IPv6 allows ISPs to aggregate the prefixes of their customers' networks into a single prefix and announce this one prefix to the IPv6 Internet. In addition, in IPv6 networks, fragmentation is handled by the source device, rather than the router, using a protocol for discovery of the path's maximum transmission unit (MTU).

    2. More efficient packet processing

    IPv6's simplified packet header makes packet processing more efficient. Compared with IPv4, IPv6 contains no IP-level checksum, so the checksum does not need to be recalculated at every router hop. Getting rid of the IP-level checksum was possible because most link-layer technologies already contain checksum and error-control capabilities. In addition, most transport layers, which handle end-to-end connectivity, have a checksum that enables error detection.

    3. Directed data flows

    IPv6 supports multicast rather than broadcast. Multicast allows bandwidth-intensive packet flows (like multimedia streams) to be sent to multiple destinations simultaneously, saving network bandwidth. Disinterested hosts no longer must process broadcast packets. In addition, the IPv6 header has a new field, named Flow Label, which can identify packets belonging to the same flow.

    4. Simplified network configuration

    Address auto-configuration (address assignment) is built in to IPv6. A router will send the prefix of the local link in its router advertisements. A host can generate its own IP address by appending its link-layer (MAC) address, converted into Extended Universal Identifier (EUI) 64-bit format, to the 64 bits of the local link prefix.

    5. Support for new services

    By eliminating Network Address Translation (NAT), true end-to-end connectivity at the IP layer is restored, enabling new and valuable services. Peer-to-peer networks are easier to create and maintain, and services such as VoIP and quality of service (QoS) become more robust.

    6. Security

    IPSec, which provides confidentiality, authentication and data integrity, is baked into in IPv6. Because of their potential to carry malware, IPv4 ICMP packets are often blocked by corporate firewalls, but ICMPv6, the implementation of the Internet Control Message Protocol for IPv6, may be permitted because IPSec can be applied to the ICMPv6 packets. (Read ahead to page 4 for more on security.)

  •  

    Steps to dual-stack implementation

    Large Internet companies are already deploying IPv6, as are Internet service providers and telecommunications carriers. While some enterprises will have to purchase new equipment to comply with IPv6, a great deal of the equipment currently on the market supports both IPv4 and IPv6. And companies do not need to rip and replace their IPv4 networks, but can operate a "dual stack" system where IPv4 and IPv6 networks run in parallel.

    Enterprises are recognizing that they need a plan, but that plan can be done in stages with an initial focus on the Internet-facing network. Guy Edwards at Oxford University detailed a five-step plan for deploying IPv6 alongside IPv4, based on his own organization's experience.

    1. Perform a network device audit

    The organization should perform a network device audit, identifying all the routers, switches and firewalls on the network, as well as the specific versions of hardware and software that are running. With the help of networking vendors, the next step is to determine which of the devices are already IPv6-compliant. Network administrators should also run tests of their software applications on IPv6 devices to make sure they work.

    2. Perform an audit of services

    Next, the organization should perform an audit of services that run on the network, such as SMTP for e-mail and DNS for associating Internet domains and unique IP addresses. The audit should identify which of the network services may be IPv6 supported.

    3. Build an IPv6 test network

    The third step is to build an IPv6-only test network and run the same services and applications that already run on the IPv4 network. In the test environment, document any differences in configuration syntax and behavior for setting up the service under IPv6.

    4. Write a formal deployment plan

    Next, produce a detailed IPv6 deployment plan that lays out in as much detail as possible how the rollout will occur. The plan should be shown to management for approval; it can also be peer-reviewed to make sure that nothing is overlooked.

    5. Produce a formal IP addressing policy

    Last, write a formal IP-addressing policy for going forward. This policy could also be peer-reviewed. Visit the Internet Society's Deploy360 site for details on IPv6 address allocation.

    Management challenges

    Managing the resulting dual-stack environment can prove challenging. With IPv6, an enterprise has access to exponentially more Internet addresses, but that also means much more to manage. The IPv6 address space allocation is likely to be larger than an organization needs it to be. While that has advantages, it makes it harder to probe the entire network space. Monitoring unassigned space is important for making sure that no one is "squatting" in your address space.

    Ensure the management tools your company is using support IPv6, and test them out. Some network management tools designed to operate on an IPv4 network may not work the same way on an IPv6 network, because different sets of data are analyzed for IPv6 traffic versus IPv4 traffic. In addition, a network monitoring tool may recognize IPv6 but not be able to identify which specific packets are IPv6.

  •  

    Security & compliance

    How individual sites and networks become compliant depends on how much IPv6 affects them and how much planning they do. Security compliance may seem relatively easy because the IPSec standard is embedded into IPv6 rather than bolted on, as it is with IPv4. That can be reassuring, but there is a good deal of confusion surrounding IPv6 security and it's important to understand the details.

    An IPv6 transition shouldn't even begin until an enterprise verifies its security devices comply with IPv6. All firewalls and intrusion detection and prevention must support IPv6, and the enterprise must ensure all access control list rules are migrated from IPv4-compliant devices to IPv6-compliant devices.

    In addition, compliance and governance monitoring tools have to be able to accommodate IPv6, probably sooner than other management tools, in order to provide accurate compliance auditing and reporting. Migrating compliance to an IPv6 environment also requires a clear understanding of what kinds of application and user traffic are traversing the network.

    Once you've verified and prepared your devices, take the following frequently misunderstood points into consideration:

    1. IPv6 security defenses must apply to IPv4 networks

    Organizations with IPv4 networks may think that they aren't susceptible to IPv6-based attacks, but experts say that's not the case. Most new operating systems and mobile devices -- including Windows, Mac OS X, Ubuntu Linux, iOS and Android -- ship with IPv6 automatically enabled, so if you run or audit an IPv4 network, there are systems on it just waiting to communicate over IPv6. This creates an opportunity for exploitation by hackers and malware.

    The Windows HomeGroup feature, for example, uses TCP over IPv6 for local network management. Every system with IPv6 enabled has a link-local address that other machines on the local network can communicate with. This allows an intruder with access to the local network -- directly or through a compromised IPv4 system -- to access and attack the IPv6 interfaces of other local devices.

    2. Mandatory IPSec is no guarantee

    A widely assumed benefit of IPv6 is IPSec support, but the reality is more nuanced. While IPv6 supports IPSec for transport encryption, actually using IPSec is not mandatory and it is not configured by default. IPSec requires extensive configuration to be properly secured, even when it has been enabled. Details vary depending on your hardware and OS, so contact your vendors for implementation specifics.

    3. Man-in-the-middle attacks are possible

    Since IPv6 doesn't use Address Resolution Protocol (ARP), it's sometimes assumed to prevent man-in-the-middle-attacks. In fact, IPv6 uses ICMPv6 to implement the Neighbor Discovery Protocol, which replaces ARP for local address resolution. The Neighbor Discovery Protocol is just as vulnerable to man-in-the-middle attacks as ARP -- if not more so. A single compromised internal node can expose all local assets to the global IPv6 network through a simple route advertisement.

    4. The problem with NAT

    While some IPv6 misconceptions revolve around its perceived security, some believe it's less secure than IPv4 due to a lack of NAT. Network Address Translation (RFC 1918) allows organizations to assign private, un-routable IPv4 addresses to many devices, which are then provided connectivity to the Internet via a limited number of public IPv4 addresses.

    The private addressing of NAT can be mistaken as a security feature, and its omission is frequently cited as a reason not to deploy IPv6. But IPv6s expanded address space solves the original problem that NAT addressed. The real security of NAT was provided by the accompanying usage of stateful inspection of inbound traffic. An organization should not be any more or less secure with IPv6 as opposed to NAT, as long as it is combined with appropriate access controls and inspection tools.

  •  

    Where to learn more about IPv6

    One of the biggest challenges of IPv6 deployment is education. Learning the protocol requires either a lab with equipment or a virtual environment; and in either case, it's best to have a system that is as close to yours as possible.

    It also requires time and initiative. Many companies may not yet have a plan for IPv6 implementation, but when they decide to upgrade the schedule may be tight. Often network professionals begin the learning process on their own.

    Building a lab is the ideal approach, but costly. A virtual platform is less expensive. You need a virtual platform, possibly multiple network segments (internal and external), a router that has IPv6 capability, client OSs, and -- for the best learning platform -- a real, live IPv6 connection to the Internet, which can be the most challenging to obtain.

    There are a couple of providers of free or very-low-cost IPv6-in-IPv4-tunnels that can provide IPv6 connectivity to the Internet as well as an IPv6 address block so you can configure your own IPv6-routed networks in your lab. In this way, you can learn about IPv6 and actually test live on the Internet.

    For advice on building a low-cost lab, see Build your own IPv6 lab.

    For more IPv6 education, visit: