Five ways for IPv6 and IPv4 to peacefully co-exist

Summary: Ready or not, you're going to need to use both IPv6 and IPv4 on your corporate intranet and to connect to the Internet for years to come. Here are some ways to do it.

It would have been so easy if the early Internet and TCP/IP network designers had made IPv6 backward compatible with IPv4. They didn't. In 1981, IPv4's 32-bit address space, with its 4.3 billion addresses, looked like more than enough for the ARPANet/Internet. That was the Internet then; this is the Internet now.

Oh, network professionals saw the Internet address shortage coming and knew it would be a problem. I can't do better than to quote Leslie Daigle, Chief Internet Technology Officer for the Internet Society, who admitted at a June 2009 meeting that "IPv6's lack of real backwards compatibility for IPv4 was [its] single critical failure." It's too late now to cry over spilled standards. We need to work on getting the two fundamental network standards to peacefully co-operate today.

There are several ways of handling this issue. Let me warn you right now: none of them is perfect, but one or more of them should work for your company. Before buying into any of these technologies, though, you must thoroughly test IPv6-to-IPv4, and back again, component interoperability before deploying them. There's a lot that can go wrong, and you don't want any of it happening during business hours on your production network.

IPv4/IPv6 co-existence can take one of three forms. One is dual stack, where your network hardware runs IPv4 and IPv6 simultaneously. Next is when you "tunnel" one protocol within another. Usually, this means taking IPv6 packets and encapsulating them in IPv4 packets. The technical basics for these are outlined in RFC 4213, Basic Transition Mechanisms for IPv6 Hosts and Routers. Finally, there's Network Address Translation-Protocol Translation (NAT-PT), aka RFC 2766. This works just like the name says: software or a device translates IPv6 packets into IPv4 packets.

While Network Address Translation (NAT) fans might like this at first glance, it comes with its own set of problems. As Cisco points out in its excellent white paper, "Network Address Translator-Protocol Translator," "The application of each area must be well understood, as the protocol does not represent a generic mechanism that would be universally applicable." In short, you'd better know your way around Application Level Gateways (ALG) if you plan on deploying NAT-PT.

In addition, a core difference between NAT-PT and IPv4 NAT is that address translations must be done for both incoming and outgoing traffic. This can get complicated in a hurry. You could use static, bi-directional mapping, but that will get out of date quickly and it doesn't scale worth a damn. Of course, you could use the Domain Name System (DNS), but old-style DNS servers don't support IPv6's AAAA records. And, again, I see real scaling problems as those DNS servers that do support IPv6 get constantly bombarded by address requests.

With Dual-IP stacks, your computers, routers, switches, and other devices run both protocols, but IPv6 will be the preferred protocol. A common procedure is to start by enabling both TCP/IP protocol stacks on the wide area network (WAN) core routers, then perimeter routers and firewalls, followed by your data-center routers and finally the desktop access routers. As the public Internet transitions to IPv6, your network administrators may need to deploy dual-stack capable switches on your edges earlier.

The upside of this approach is that Dual-IP stacks are supported by all the major operating system and network vendors. The downside is that most legacy networking hardware and servers don't support IPv6. This can lead to such problems as dual-stack edge switches running into DNS (Domain Name System) problems while users are trying to get to various Internet sites. In addition, many versions of Internet applications, even such commonplace ones as File Transfer Protocol (FTP), won't work with IPv6.

One way to answer these problems is to use Dual Stack Application Level Gateways (DS-ALG). These gateways are commonly used as proxies that translate between the two protocols over the IPv4 Internet.

The bad news with this approach is that it will only work for specific applications. It also has the potential to slow traffic down as every packet has to be inspected to see if it needs DS-ALG services.

In tunneling, one protocol is carried inside another. Usually, that's going to be IPv6 in IPv4. These tunnels can move your IPv6 packets across both your internal IPv4 WAN and the mainly IPv4 Internet. Someday, when IPv6 becomes the top Internet protocol, we'll use IPv6 tunnels to carry IPv4 traffic.

There are two kinds of tunnels: manual, aka static, and dynamic. Manually configured IPv6 tunneling requires configuration at both ends of the tunnel. The manual approach is best just for connecting, say, corporate IPv6 intranets over the Internet. It's not a good answer to any other IPv6 Internet problem.

Dynamic tunnels use a variety of techniques to establish packet destination address and routing on the fly. This makes them far easier to create and maintain.

The most popular dynamic tunneling technique is 6to4. It has the advantage of not requiring an explicit tunnel set-up. Instead, it uses dedicated relay routers to forward encapsulated IPv6 packets over IPv4 links. A significant advantage of 6to4 is that it lets you set up IPv6/IPv4 tunnels without requiring a lot of manual effort. 6to4 uses IPv4 unicast to create point-to-point links over the IPv4 backbone for transmission.

For 6to4 to be used safely, your vendor and network engineers must set up its security carefully. It's all too easy to hide bad traffic inside the encapsulated packets and to spoof addresses within the IPv4 and IPv6 headers, which can lead to Denial of Service (DoS) attacks.
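The address-consistency check that this warning calls for can be sketched as follows. This is an added example, not code from the article or from any vendor: a 6to4 address is `2002:` followed by the site's 32-bit IPv4 address, and the tunnel rides in IPv4 protocol 41, so a decapsulating router or sensor can compare the IPv4 address embedded in the inner header with the outer header. The function names, the `BOGONS` policy list and the sample packets (built from documentation addresses) are assumptions made for illustration.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix
# IPv4 ranges that must never appear inside a 6to4 address (example policy).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def embedded_v4(addr6):
    """IPv4 address carried in bits 16..47 of a 6to4 address, else None."""
    if addr6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(addr6) >> 80) & 0xFFFFFFFF)

def check_6in4(packet):
    """Return findings for one IPv4 packet expected to carry IPv6 (protocol 41)."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 41:
        return ["not an IPv4 protocol-41 packet"]
    ihl = (packet[0] & 0x0F) * 4                   # outer header length in bytes
    inner = packet[ihl:]
    if ihl < 20 or len(inner) < 40 or inner[0] >> 4 != 6:
        return ["malformed or truncated inner IPv6 header"]
    pairs = (("source", inner[8:24], packet[12:16]),
             ("destination", inner[24:40], packet[16:20]))
    findings = []
    for role, raw6, raw4 in pairs:
        v4 = embedded_v4(ipaddress.IPv6Address(raw6))
        outer = ipaddress.IPv4Address(raw4)
        if v4 is None:
            continue  # native IPv6 address (e.g. relayed traffic): no 6to4 rule
        if any(v4 in net for net in BOGONS):
            findings.append(f"inner {role} embeds non-routable {v4}")
        elif v4 != outer:
            findings.append(f"inner {role} embeds {v4} but outer {role} is {outer}")
    return findings

def build(o_src, o_dst, i_src, i_dst):
    """Constructed sample: 20-byte IPv4 header (proto 41) + bare IPv6 header."""
    pack4 = lambda a: ipaddress.IPv4Address(a).packed
    pack6 = lambda a: ipaddress.IPv6Address(a).packed
    return (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, 41, 0,
                        pack4(o_src), pack4(o_dst))
            + struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                          pack6(i_src), pack6(i_dst)))

SAMPLES = {  # constructed packets using documentation addresses
    "clean":   build("192.0.2.1", "198.51.100.7", "2002:c000:201::1", "2002:c633:6407::1"),
    "spoofed": build("203.0.113.9", "198.51.100.7", "2002:c000:201::1", "2002:c633:6407::1"),
    "private": build("192.0.2.1", "198.51.100.7", "2002:a00:1::1", "2002:c633:6407::1"),
}
```

Traffic arriving through a 6to4 relay carries a native IPv6 address on one side, so only the 2002::/16 side can be validated this way; the relay path needs its own filtering.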

These are some of the most popular ways to get IPv6 and IPv4 on the same network. There are many others. Want to know what the worst news about all of them is? None of them are very compatible with the others. As I've said before, like it or lump it you are going to need to move to IPv6.

In the meantime, you're almost certain to need one or more of these technologies in the next few years. Again, before deploying any IPv4/IPv6 bridging solutions, you're going to need to spend a lot of time having your network engineers and vendors make sure that everything in your new network stacks can interoperate. It's all too easy to mix and match equipment and methods in ways that will slow your network down to a crawl.

I will also add that you must test out the hardware and software before signing off on it. I've already found that a lot of stuff that says it's IPv6 ready isn't really, but that's a story for another day.

Talkback

  • It is never too late

    IPv6 has existed (been implemented) for almost 10 years. Still, no real moving forward. It's overcomplicated. It seems at design stage no one thought about The Transition.

    So maybe (a dream!) a redesign is needed? Never too late!
    arni@...
    • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

      @arni@...
      IPv6 is fine as is. It is no more, and quite less in some respects, complicated than IPv4. It's just that a LOT of organizations don't want to have to switch over and do that nasty little thing called BUY NEW HARDWARE AND SOFTWARE!
      Lerianis10
      • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

        @Lerianis10

        of course! we are having crisis, remember?.. but you're wrong, IPv6 is not less complex. if they wanted to solve addressing problems - they should have solved addressing problems. instead, they redesigned almost completely. i know, our company makes IP-enabled specific hardware.
        arni@...
      • Tell you what. You volunteer to lose your job to pay

        for all this required hardware and software. Oh, you're not so eager to adopt IPv6 now?
        frgough
      • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

        @Lerianis10 : Seems you haven't been on the procurement side of companies. It's not that easy for a Fortune 500 company to order buying NEW HARDWARE AND SOFTWARE... SLAs, Training Costs, Learning Curves, IT HelpDesk renegotiation, ROI analysis, and the list goes on and on in red tape...

        So it's very different out there... if you know what I mean...
        cosuna
      • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

        @frgough

        No, IPv4 depletion has been a known problem for a decade. NAT sucks, or at least Comcast's did until they offered phone service, and convergence latency and jitter became an issue. I can't imagine they saved any money there. No, network engineers shouldn't volunteer their jobs. CIOs and anyone else at the business/management tier who failed to transition should.
        tkejlboom
    • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

      @arni@...

      No, the problem is that companies are run by idiot accountants to try to fill the place with the minimum staff with the minimum training with technology agnostic upgrade cycles.

      The notion that anything new must be designed to seamlessly transition from the old is childish. The old tech certainly wasn't designed to be replaced by something else, and it clearly wasn't a purchasing decision made by the drone ten years ago.

      HPN is finally moving forward. It wasn't because it was technically difficult. It's pretty much because HP only does something
      a. when a customer asks for it, or
      b. because Cisco did it.
      So far, over all, in the lab IPv6 works better on the new switches than IPv4. I doubt we'll get the drop on Cisco, but maybe wherever Arni works?
      tkejlboom
      • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

        @tkejlboom

        idiot accountants, huh? maybe ipv6 was designed by idiot designers?

        with things like global IP network YES, things should be designed with transition in mind. good next-generation designs are always a compromise at some level.

        today, IP is used everywhere, from mainframes to tiny temperature detectors. for a global IP with billions of devices YES, protocol should be backwards-compatible. and multilayered structure like tunnel-NAT-tunnel-tunnel-etc. is not good thing in a long run...

        remember transition to classless routing?..
        arni@...
  • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

    1. NAT-PT (RFC 2766) has been obsoleted by RFC 4966. A new scheme DNS64/NAT64 is being developed by the IETF, start at http://tools.ietf.org/html/draft-ietf-behave-v6v4-framework-10 . A demo implementation is at http://ecdysis.viagenie.ca/

    2. How old-style are you talking about for DNS servers? BIND has supported IPv6 records since about 2000.

    3. Edge switches are likely to be Layer-2 only and shouldn't care whether they are carrying IPv4 or IPv6 packets. Layer 3 dual-stack switches/routers shouldn't have problems with DNS. Are you thinking of simple-minded firewalls that drop long DNS reply packets (and will drop DNSSEC replies as well)?

    I think dual-stack is the best way to co-exist.

    In a few years, do DNS64/NAT64 to let your future IPv6-only subnets get to legacy IPv4-only internet sites. This scheme has an exit-strategy -- it will be needed less as the legacy IPv4-only Internet shrinks.
    jm493
    • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

      @jm493 BIND has long supported IPv6, but many people have never bothered to turn it on.
      sjvn
    • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

      @jm493 The key phrase with RFC 4966 is that it's "being developed." I have hopes for it, but it's not here yet.
      sjvn
    • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

      @jm493

      ProCurve at least encourages people to route from the edge. You have to go pretty far down the list to get to the products that can't. There are really people that are still relying on a completely in to out topology? Sad.
      tkejlboom
  • small business

    Can somebody tell me how it is going to be easier for a small business of 25 users to move to IPv6?
    lao1391
    • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

      @lao1391

      Dual stack and contact your ISP to make sure that they're feeding you an IPv6 address.
      tkejlboom
      • Cut to the chase...

        @tkejlboom - If I am making a hardware buying decision in 2010 and my ISP has not yet publicly announced an IPv6 rollout, which equipment will work with IPv6? Where are the product reviews? Where are the case studies?
        pwatson
    • RE: Five ways for IPv6 and IPv4 to peacefully co-exist

      @lao1391 It's going to be difficult. Anyone who tells you that IPv6 is as simple as v4 is not telling the whole truth. It's much more complex- I can understand easy numbers like 133.70.132.234, but not crazy hexadecimal stuff like 0ab3:028c:8491:94de:491f:948a:04b3:badd.


      You also do need to invest in new switches, routers, and wireless APs, as well as servers- if it's older than Windows 200, then it needs replacing- and if the client computers are running Windows XP, or if a consultant comes in and is running Windows XP on his/her laptop, they need something in place to make sure that they can connect to the LAN- since as I recall, IPv6 isn't enabled by default on XP unless you install it...

      Speaking of which, if there is a network projector, that'll need replacing as well because it only works on the v4 network.

      Oh, and that 10-year-old, absolutely vital program that everyone uses will have to be replaced, too.

      There are 2 options that should be done here to actually get rid of this problem of "address exhaustion":

      1.) Make a new protocol. Since IPv6 isn't accepted by the general internet yet (less than 1 percent), make a protocol that's actually backwards-compatible with IPv4.
      Let's call it IPv8. This protocol will work with IPv4 systems until they all are obsoleted, and then some: because as it was said a while ago, some companies just don't have the resources to re-write programs to work with the "new internet". Nobody will miss IPv6. Trust me. The only companies that will are the ones with enough resources to start an upgrade, and they haven't done it yet. The Internet MUST BE backwards compatible- something that the IPv6 people just didn't think of at the time, just as they didn't think about normal-human-understandable addressing.

      2.) Force certain networks to observe certain protocols. For example, move all mobile phones to mobile IPv6, and have the carriers support the transition. Since phones are obsolete at most every 3 years, this is the fastest way to "plug the leak" until we can find a more permanent solution. Or, just use a large NAT system on phones to stem the tide of the exhaustion once more.

      One thing that they haven't realized: the internet MUST BE BACKWARDS-COMPATIBLE! Until it is, the problem will just get worse and worse.
      R220
      • I agree!

        They should just use an address space that can expand, and expansion means inclusion. 216.239.116.55 should just map to 1.1.216.239.116.55, not some freaking 16 byte hexadecimal number. We would not have this problem if we had a decentralized system with provision for portals into other name/address spaces. Why should everyone have a 16 byte number all of a sudden? Why should the Internet be one central system? You don't write "Earth" on your postcard if you want to send it to your neighbour.

        Just some thoughts.
        kouzen
      • Maybe better if IPv6 doesn't make it

        It's a mistake to believe that IP addresses should only be readable to machines. I hope the day never comes that IPv6 is adopted and [I hope] that a better replacement emerges.
        kouzen