IPv6 migration has been on the horizon since at least 2003, but according to many experts, the time is now here to begin making the transition from IPv4, if you haven't already. The federal government has set a self-imposed deadline of 2008 for its agencies to migrate to IPv6, causing many enterprises to wonder whether they need to follow suit. In this crash course, you'll find answers to your top IPv6 questions, including what IPv6 is, how it differs from IPv4, and how to begin making the transition.
What is IPv6?
IPv6 (Internet Protocol Version 6) is the latest level of the Internet Protocol (IP), now included as part of IP support in many products including the major computer operating systems. Formally, IPv6 is a set of specifications from the Internet Engineering Task Force (IETF). IPv6 was designed as an evolutionary set of improvements to the current IPv4. Network hosts and intermediate nodes with either IPv4 or IPv6 can handle packets formatted for either level of the Internet Protocol. Users and service providers can update to IPv6 independently without having to coordinate with each other. (From Whatis.com)
For more information, listen to our IPv6 audio download. You'll learn what IPv6 is, what benefits it offers in comparison to IPv4, and what happened to v5 -- as well as helpful information to help you begin making the transition in your own organization.
How is IPv6 different from IPv4?
The most obvious improvement in IPv6 over IPv4 is that IP addresses are lengthened from 32 bits to 128 bits. This extension anticipates considerable future growth of the Internet and provides relief for what was perceived as an impending shortage of network addresses.
IPv6 describes rules for three types of addressing: unicast (one host to one other host), anycast (one host to the nearest of multiple hosts), and multicast (one host to multiple hosts). Additional advantages of IPv6 are:
- Options are specified in an extension to the header that is examined only at the destination, thus speeding up overall network performance.
- The introduction of an "anycast" address provides the possibility of sending a message to the nearest of several possible gateway hosts with the idea that any one of them can manage the forwarding of the packet to others. Anycast messages can be used to update routing tables along the line.
- Packets can be identified as belonging to a particular "flow" so that packets that are part of a multimedia presentation that needs to arrive in "real time" can be provided a higher quality-of-service relative to other customers.
- The IPv6 header now includes extensions that allow a packet to specify a mechanism for authenticating its origin, for ensuring data integrity, and for ensuring privacy. (From Whatis.com)
Are we really running out of IPv4 addresses?
Recently, the American Registry for Internet Numbers (ARIN) announced that v4 addresses would be history by 2012. Loki Jorgenson, chief scientist with Apparent Networks, said ARIN recently changed its position from being neutral on IPv6 to actively encouraging it.
Jorgenson agreed with ARIN's estimation and said it could be just under five years before IPv4 addresses run out completely, but that projection is modest and made on the assumption that there won't be an IPv4 usage increase in the meantime. The five-year prediction is based on current usage rates, where ARIN doles out a certain number of IPv4 addresses per year. A usage increase could deplete the pool of addresses much sooner than anticipated.
"It's a very gray, slushy kind of boundary where [we don't know] how much time that buys us," Jorgenson said, again stressing that it could be some time in 2010 or 2011 when the pool of IPv4 addresses runs dry. Adding to that confusion, he said, is the possibility that companies and agencies that have hoarded an excess of IPv4 addresses could sell them off as the supply dwindles, creating a short reprieve from total depletion.
In a presentation at the Burton Group Catalyst Conference, John Curran, chairman of ARIN's board of trustees, said that 68% of v4 address space was allocated as of June. Of the remaining 32%, only 19% is openly available, while 13% is unavailable.
Curran said the dwindling address pool changes past estimations of address depletion. Several years ago, it was estimated that addresses would be gone by 2020 or 2025. About two years ago, that estimation changed to 2017. Now (as Jorgenson mentioned), 2012 seems more likely, Curran said during his presentation. (From IPv6 readiness is key as IPv4 peters out by Andrew Hickey)
Most recently, the IPv4 address pool drained from the Internet Assigned Numbers Authority (IANA). Learn what the IANA's IPv4 depletion means for enterprises in this tip.
For more information, read IP address depletion hastens IPv6 adoption by Loki Jorgenson, or read this interview with IPv6 expert Scott Hogg: Does your business network need an IPv6 transition? Who needs IPv6?
How do I make the transition?
- Migrating from an existing IPv4 network to an IPv6 network need not be done in one big step, thanks to new technology that provides gateway services between each, such as the BIG-IP IPv6 gateway from F5 Networks. BIG-IP provides a full proxy for traffic between IPv4 and IPv6, allowing all traffic to be translated for consumption by either IPv4 or IPv6 end points. This allows organizations to stage their migration gradually as demand for IPv6 increases. (From How will IPv6 affect application management? by Karl Triebes)
- Loki Jorgenson said that as v6 devices become available, companies should look into running a dual-stack model: networks that run both on v4 and v6, similar to a half-duplex/full-duplex deployment.
- Silvia Hagen agreed that many companies will choose a dual-stack model, which will ease the transition, but that will create an additional workload going forward because v4 and v6 will require two separate security concepts and two routing protocols.
- For your IPv4-to-IPv6 transition, learn in this tip how IP formats are used to convert IPv4 addresses to v6 addresses.
How will IPv6 affect application management?
- With IPv6, there are significant changes that improve network device management. First, the increase in IP addressing from 32 to 128 bits is accompanied by an increase in the structure and allocation of addresses. The IPv6 address is comprised of a global routing prefix, a subnet ID, and an Interface ID (the portion local to a link within a LAN). The global unique portion of the address space is distributed hierarchically according to the network infrastructure topology through IANA. This allows the global routing table for IPv6 to be small, avoiding some scaling issues common with BGP routing today.
- Second, there are enough addresses in IPv6 to give perhaps every square inch on the planet Earth a unique IP address. While this enables virtually any device you can imagine to be on the Internet, it poses a potential nightmare for an administrator to manage all the address assignments. Fortunately, IPv6 includes a feature (made of numerous smaller features) called Autoconfiguration of Nodes. This is essentially a next generation replacement of DHCP and ARP that is available in all IPv6 networks and allows you to connect a new device to the network without even minimal configuration. It also makes it much simpler to re-address your network if you change ISPs (and are thus allocated a different global routing prefix), because all you have to do is change the configuration of your router, and your entire network will re-acquire new addresses with the new prefix. This is a huge reduction in the network management burden.
- With the increased features of IPv6 come some potential management issues. IPv6 provides native support for security, termed IPsec. Encryption may or may not include some of the header information depending on which mode is used to form the VPN, which can reduce the amount of active traffic management that can be applied to the flows between clients and servers. Managing the security policy between the endpoints (IKE) can be tricky as well if you need to implement that yourself; this is one of the main things an IPsec based VPN provides. Of course, IPsec can be strong but brittle in certain remote-access situations such as accessing a corporate network from a mobile device, further adding to the management burden by an IT department trying to provide such services. (From How will IPv6 affect application management? by Karl Triebes)
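The address layout and prefix-change renumbering described in the first two points above, as an added example (not code from the original article): it splits an address into global routing prefix, subnet ID and interface ID, moves it under a new prefix, and, going beyond the text, recovers the MAC address from an interface ID built with modified EUI-64. The /48 prefix length, the 16-bit subnet ID and the documentation-range addresses are assumptions made for the example.

```python
import ipaddress

PREFIX_BITS = 48   # assumed length of the global routing prefix (a site /48)
SUBNET_BITS = 16   # assumed subnet ID length; the interface ID is the last 64 bits

def split_address(addr):
    """Return (global routing prefix, subnet ID, interface ID) as integers."""
    n = int(ipaddress.IPv6Address(addr))
    iid = n & ((1 << 64) - 1)
    subnet = (n >> 64) & ((1 << SUBNET_BITS) - 1)
    prefix = n >> (64 + SUBNET_BITS)
    return prefix, subnet, iid

def renumber(addr, old_prefix, new_prefix):
    """Move addr to new_prefix, keeping its subnet ID and interface ID."""
    old = ipaddress.IPv6Network(old_prefix)
    new = ipaddress.IPv6Network(new_prefix)
    ip = ipaddress.IPv6Address(addr)
    if old.prefixlen != PREFIX_BITS or new.prefixlen != PREFIX_BITS:
        raise ValueError("this example assumes /48 prefixes")
    if ip not in old:
        raise ValueError(f"{addr} is not inside {old_prefix}")
    low_bits = int(ip) & ((1 << (128 - PREFIX_BITS)) - 1)
    return str(ipaddress.IPv6Address(int(new.network_address) | low_bits))

def eui64_mac(addr):
    """Return the MAC behind a modified EUI-64 interface ID, or None."""
    iid = split_address(addr)[2].to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # random, privacy or manually assigned interface ID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    host = "2001:db8:aaaa:12:211:22ff:fe33:4455"  # constructed sample address
    print([hex(part) for part in split_address(host)])
    print(renumber(host, "2001:db8:aaaa::/48", "2001:db8:bbbb::/48"))
    print(eui64_mac(host))
```

Access control lists written against the old prefix do not follow the hosts when the prefix changes, so the same mapping has to be applied to any rule that names the old addresses.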
Are there any IPv6 security issues to consider?
According to information security expert Mike Chapple, there are five specific security issues to be aware of when implementing IPv6:
- Security practitioners need education/training on IPv6. IPv6 will come to the networks under your control – it's only a matter of time. As with any new networking technology, it's essential that you learn the basics of IPv6, especially the addressing scheme and protocols, in order to facilitate incident handling and related activities.
- Security tools need to be upgraded. IPv6 is not backwards compatible. The hardware and software used to route traffic across networks and perform security analyses won't work with IPv6 traffic unless they are upgraded to versions that support the protocol. This is especially important to remember when it comes to perimeter-protection devices and first-hop security. Routers, firewalls and intrusion-detection systems may require software and/or hardware upgrades in order to "speak" IPv6. Many manufacturers already have these upgrades available. For example, Cisco networking devices support IPv6 as of IOS release 12.0S.
- Existing equipment may require additional configuration. The devices that do support IPv6 typically treat it as an entirely separate protocol (as they should). Therefore, the access control lists, rule bases and other configuration parameters may need to be reevaluated and translated to support an IPv6 environment. Contact the appropriate manufacturers for specific instructions.
- Tunneling protocols create new risks. The networking and security communities have invested time and energy in ensuring that IPv6 is a security-enabled protocol. However, one of the greatest risks inherent in the migration is the use of tunneling protocols to support the transition to IPv6. These protocols allow the encapsulation of IPv6 traffic in an IPv4 data stream for routing through non-compliant devices. Therefore, it's possible that users on your network can begin running IPv6 using these tunneling protocols before you're ready to officially support it in production. If this is a concern, block IPv6 tunneling protocols (including SIT, ISATAP, 6to4 and others) at your perimeter.
- IPv6 autoconfiguration creates addressing complexity. Autoconfiguration, another interesting IPv6 feature, allows systems to automatically gain a network address without administrator intervention. IPv6 supports two different autoconfiguration techniques. Stateful autoconfiguration uses DHCPv6, a simple upgrade to the current DHCP protocol, and doesn't reflect much of a difference from a security perspective. On the other hand, keep an eye on stateless autoconfiguration. This technique allows systems to generate their own IP addresses and checks for address duplication. This decentralized approach may be easier from a system administration perspective, but it raises challenges for those of us charged with tracking the use (and abuse!) of network resources. (From Get ready for IPv6: Five security issues to consider)
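One way to spot the tunneled traffic described in the fourth point before deciding what to block, as an added example (not code from the original article): SIT, ISATAP and 6to4 all carry IPv6 inside IPv4 using IP protocol 41, so the check reads the outer IPv4 protocol field and then inspects the inner IPv6 addresses. The function names and the sample packets are constructed for illustration and use documentation address ranges.

```python
import ipaddress
import struct

PROTO_41 = 41  # IPv6-in-IPv4 encapsulation, used by SIT, 6to4 and ISATAP
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")

def classify_tunnel(packet):
    """Return None for non-tunnel IPv4, else the likely IPv6-in-IPv4 tunnel type."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # outer header length in bytes
    if ihl < 20 or packet[9] != PROTO_41:     # byte 9 is the protocol field
        return None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "proto-41, inner packet malformed"
    ends = (inner[8:24], inner[24:40])        # inner IPv6 source, destination
    if any(a[:2] == b"\x20\x02" for a in ends):      # 2002::/16
        return "6to4"
    if any(a[8:12] in ISATAP_IIDS for a in ends):    # ::0:5efe:a.b.c.d
        return "ISATAP"
    return "SIT / configured 6in4"

def build_packet(proto, v4_src, v4_dst, v6_src=None, v6_dst=None):
    """Constructed traffic: IPv4 header (checksum left 0) plus optional IPv6 header."""
    inner = b""
    if v6_src:
        inner = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                            ipaddress.IPv6Address(v6_src).packed,
                            ipaddress.IPv6Address(v6_dst).packed)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        proto, 0, ipaddress.IPv4Address(v4_src).packed,
                        ipaddress.IPv4Address(v4_dst).packed)
    return outer + inner

# Constructed samples, not captured traffic.
SAMPLES = {
    "tcp": build_packet(6, "192.0.2.10", "198.51.100.1"),
    "6to4": build_packet(41, "192.0.2.10", "198.51.100.1",
                         "2002:c000:20a::1", "2001:db8::1"),
    "isatap": build_packet(41, "192.0.2.10", "192.0.2.1",
                           "fe80::5efe:c000:20a", "fe80::5efe:c000:201"),
    "sit": build_packet(41, "192.0.2.10", "198.51.100.1",
                        "2001:db8:1::2", "2001:db8:2::1"),
}

def scan(samples=SAMPLES):
    return {name: classify_tunnel(pkt) for name, pkt in samples.items()}
```

A perimeter rule that drops IP protocol 41 covers all three labels; the classification only tells you which transition mechanism the hosts behind it were trying to use.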
More IPv6 resources:
- Download "IPv6," Chapter 25 of CCNA Portable Command Guide, and learn what you need to know about IPv6 to pass your CCNA exam.
- View our IPv6 timeline of major milestones in the history of IPv6 development.
- Learn about the different IPv6 address types and how each format defines particular areas in a network.
- Learn about the pros and cons of disabling IPv6 in Windows Vista.
- View our IPv6 tutorial for more information.
This was first published in August 2007