The last few blocks of internet addresses using IPv4 are widely expected to be handed out this week. Southampton University's Tim Chown explores what happens next with the switch to IPv6.
As I write, the Internet Assigned Numbers Authority (Iana) has just allocated the IPv4 prefixes 39/8 and 106/8 to the Asia Pacific Regional Internet Registry (Apnic). Ordinarily, another couple of blocks of IPv4 address space disappearing off the shelf isn't headline news. This time, it's different.
These allocations mean the Iana has only five /8 blocks left, which, by prior agreement, will now be handed out one per regional internet registry (RIR). In plain English, the internet has run out of address space.
That sounds dramatic, but what does it actually mean? Well, the good news is the internet isn't going to stop working overnight. A lot of addresses allocated to ISPs and end sites remain as yet unused, so there's still breathing room. The Internet Engineering Task Force (IETF) has already produced IPv4's successor, IPv6. There's just the small detail that IPv6 deployment is described as, at best, in its infancy.
A unique problem
The lifetime of IPv4 has been prolonged largely thanks to network address translation (NAT). This has proliferated because it's easy to deploy and transparent to most users, who don't care about complexity in applications or the network, or that NAT makes initiating communications into their home networks more complex. If they can access Facebook, watch iPlayer and Google stuff, what's the big deal?
Well, the problem is we need more unique IP addresses to support internet growth. This is growth of two types: innovation in devices, services and applications, as championed by the current 'internet of things' research agenda; and in countries that are still growing basic internet infrastructure. The gloomy alternative is increased address sharing, some customers running behind two layers of NAT and extensive use of carrier-grade NATs.
ISPs and organisations will now also have to trade for IPv4 blocks, and there may be pressure for some to return unused addresses. Trading will inevitably lead to more fragmented address space, larger routing tables and possibly poorer accountability regarding which organisations are using which addresses. It will certainly be interesting to see how the market value of IPv4 blocks shapes up. What price for a /12 with one careful owner?
Fortunately, the inevitable exhaustion of IPv4 was foreseen by the IETF, which since 1998 has been publishing IPv6 specifications. As a result of its work, IPv6 support is now present in all common router and operating system platforms, and Windows 7, Linux and Mac OS X have IPv6 enabled by default. Support in mobile and other devices is following fast.
Unfortunately, neither ISPs nor content providers have rushed to deploy IPv6. A classic 'chicken and egg': the ISPs won't deploy without IPv6 content, and the content providers argue no ISPs offer IPv6 to their customers. Something needs to change.
IPv6 provides 128-bit address space, more than enough for the foreseeable future. While many benefits have been touted for IPv6, its one key feature is the hugely increased address space. Problem solved? Well, yes and no. IPv6 is the future, but today's internet is IPv4-based, and we need a way to introduce IPv6 without adversely affecting existing IPv4 services.
People talk of transition to IPv6, but coexistence is a better term. There's no flag day, and IPv4 will stick around for a long time to come.
Choices when switching to IPv6
While IPv6 is not directly interoperable with IPv4, being IP it runs under TCP/UDP and over the same link layers as IPv4. Through updates to APIs, network stacks and routing protocols, IPv6 can be run alongside IPv4 on the same infrastructure — a technique known as 'dual-stack'. This is the most common way IPv6 is being introduced today. It means devices on your network can communicate natively to external IPv4 or IPv6 systems without any form of translation required. You can also roll out dual-stack incrementally.
The alternative to running dual-stack is to operate an IPv6-only network. While this may be the long-term goal for many sites, it requires IPv6 support internally in all devices and applications, and either dual-stack proxies or a NAT64 translation capability at your network edge to handle access to legacy IPv4 content. This may be a viable option for some greenfield sites or services, but would currently be rather premature for established networks.
However you deploy, you'll need IPv6 connectivity to access external IPv6 content. UK universities can benefit from support for IPv6 in the Janet higher-education network, but if your ISP doesn't offer IPv6 you'll need some form of IPv6-in-IPv4 tunneling capability. To just test IPv6, a free tunnel broker service like SixXS may be appropriate.
The introduction of IPv6 also introduces many challenges in network security. The first thing to note is that operating systems ship today with IPv6 turned on, so you need to be aware of that and manage it accordingly. You may already have IPv6 traffic on your network, or hosts that attempt to use tunneling (Protocol 41) or UDP encapsulation (Teredo) to talk IPv6 to external sites.
IPv6 security issues fall into two categories: those that also exist in IPv4, and new issues arising due to IPv6 being a new protocol. You will want your firewall and intrusion detection system products to inspect IPv4 and IPv6 traffic, and to be able to enforce policy in a consistent way for both protocols. Your intrusion detection system will still be hunting the same HTTP malware patterns regardless of the protocol used, but your firewall will need to handle IPv6-specific rules, such as filtering RH0 packets.
A good example of a new IPv6-specific issue is rogue router advertisements (RAs). IPv6 hosts can autoconfigure an address and default gateway based on RA messages received from their subnet router, but if another device on the subnet issues RAs, maliciously or otherwise, hosts may route traffic to the bogus router. One solution to this problem is rogue RA 'snooping' in switches, similar to DHCP snooping for rogue DHCPv4 servers, but vendors have yet to implement such features.
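The checks described in this section can be expressed as a small packet classifier. The following is an added example, not code from the article or its author: it flags protocol 41 tunnels, Teredo, RH0 headers and router advertisements from unapproved sources in raw IP packets. The `ALLOWED_ROUTERS` value, the helper names and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct

TEREDO_PORT = 3544             # Teredo UDP port (RFC 4380)
ALLOWED_ROUTERS = {"fe80::1"}  # assumption: link-local address of the real subnet router

def inspect_ipv4(pkt):
    """Flag IPv6 carried inside IPv4: protocol 41 tunnels or Teredo over UDP."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == 41:
        return "ipv6-in-ipv4 tunnel (protocol 41)"
    if proto == 17 and TEREDO_PORT in struct.unpack("!HH", pkt[ihl:ihl + 4]):
        return "teredo (udp/3544)"
    return None

def inspect_ipv6(pkt):
    """Flag type 0 routing headers and RAs from routers not on the allow-list."""
    src = socket.inet_ntop(socket.AF_INET6, pkt[8:24])
    nxt, off = pkt[6], 40
    while nxt in (0, 43, 60):  # walk hop-by-hop, routing and destination options
        if nxt == 43 and pkt[off + 2] == 0:
            return "type 0 routing header (RH0)"
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt == 58 and pkt[off] == 134 and src not in ALLOWED_ROUTERS:
        return "rogue router advertisement from " + src
    return None

def classify(pkt):
    """Return a finding string, or None when the packet needs no attention."""
    try:
        return inspect_ipv4(pkt) if pkt[0] >> 4 == 4 else inspect_ipv6(pkt)
    except (IndexError, struct.error, ValueError):
        return "truncated packet"

def v4(proto, payload=b""):
    """Constructed IPv4 packet between documentation addresses."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.5") + payload

def v6(src, nxt, payload):
    """Constructed IPv6 packet from src to the all-nodes multicast group."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nxt, 255)
    pton = socket.inet_pton
    return hdr + pton(socket.AF_INET6, src) + pton(socket.AF_INET6, "ff02::1") + payload

RA = bytes([134, 0]) + bytes(14)            # constructed ICMPv6 router advertisement
RH0 = bytes([59, 2, 0, 1]) + bytes(20)      # constructed routing header, type 0
SAMPLES = [v4(41), v4(17, struct.pack("!HHHH", 50000, 3544, 8, 0)), v4(6),
           v6("fe80::bad", 58, RA), v6("fe80::1", 58, RA), v6("2001:db8::1", 43, RH0)]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
```

The same RA from the allow-listed `fe80::1` passes silently, which is the distinction an RA-snooping switch would enforce per port.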
The silver lining
While there are still likely to be many IPv6 teething problems ahead, the good news is that many large networks, particularly academic backbone networks, have been running dual stack for many years. My university department has been running dual-stack IPv6 in production for over five years, including its public-facing web, DNS and MX servers. All our procurements require IPv6 capability. Our sky hasn't fallen, and our feedback to vendors and the IETF community has been valuable.
Content providers and ISPs are beginning to move. In the UK, you need to approach a niche ISP for IPv6 access. In the US, Comcast enabled their first dual-stack cable modem customers in January. Google already offers IPv6 access to its content, but you need to go through some checks first to be DNS white-listed with them. Facebook content is available to anyone over IPv6 from www.v6.facebook.com.
The acid test for those providers is adding IPv6 DNS records for their primary web domain. Research published by Google in June 2010 suggested the number of clients with 'broken' IPv6 connectivity was running under 0.1 percent. That's not bad, but it's still a lot of users.
ISOC has organised 8 June as 'World IPv6 Day', where Google, Facebook, Akamai and others will enable IPv6 on their production services for a day. It's an excellent chance for you or your organisation to do some preparation work and take part. Or you may choose to book the day off now. Either way, it should be very interesting.
Tim Chown is a lecturer in the School of Electronics and Computer Science (ECS) at the University of Southampton. He has been involved in IPv6 research and development since 1996, working within the IETF on associated standards. His other interests include wireless networking, IP multicast and network security.