How IPv6 will work as IPv4 wanes

How IPv6 will work as IPv4 wanes

Summary: The stock of internet addresses based on IPv4 is on the brink of exhaustion, so IPv6 expert Tim Chown explores what will happen now organisations must face the switch

SHARE:
TOPICS: Networking
0

...IPv6 support internally in all devices and applications, and either dual-stack proxies or a NAT64 translation capability at your network edge to handle access to legacy IPv4 content. This may be a viable option for some greenfield sites or services, but would currently be rather premature for established networks.

However you deploy, you'll need IPv6 connectivity to access external IPv6 content. UK universities can benefit from support for IPv6 in the Janet higher-education network, but if your ISP doesn't offer IPv6 you'll need some form of IPv6-in-IPv4 tunneling capability. To just test IPv6, a free tunnel broker service like SixXS may be appropriate.

The introduction of IPv6 also introduces many challenges in network security. The first thing to note is that operating systems ship today with IPv6 turned on, so you need to be aware of that and manage it accordingly. You may already have IPv6 traffic on your network, or hosts that attempt to use tunneling (Protocol 41) or UDP encapsulation (Teredo) to talk IPv6 to external sites.

IPv6 security issues fall into two categories; those that exist in IPv4, and new issues arising due to IPv6 being a new protocol. You will want your firewall and intrusion detection system products to inspect IPv4 and IPv6 traffic, and to be able to enforce policy in a consistent way for both protocols. Your intrusion detection system will still be hunting the same HTTP malware patterns regardless of the protocol used, but your firewall will need to handle IPv6-specific rules, such as filtering RH0 packets.

A good example of a new IPv6-specific issue is rogue router advertisements (RAs). IPv6 hosts can autoconfigure an address and default gateway based on RA messages received from their subnet router, but if another other device on the subnet issues RAs, maliciously or otherwise, hosts may route traffic to the bogus router. One solution to this problem is rogue RA 'snooping' in switches, similar to DHCP snooping for rogue DHCPv4 servers, but vendors have yet to implement such features.

The silver lining

While there are still likely to be many IPv6 teething problems ahead, the good news is that many large networks, particularly academic backbone networks, have been running dual stack for many years. My university department has been running dual-stack IPv6 in production for over five years, including its public-facing web, DNS and MX servers. All our procurements require IPv6 capability. Our sky hasn't fallen, and our feedback to vendors and the IETF community has been valuable.

The good news is many large networks, particularly academic backbone networks, have been running dual-stack IPv6 for many years, and our sky hasn't fallen.

Content providers and ISPs are beginning to move. In the UK, you need to approach a niche ISP for IPv6 access. In the US, Comcast enabled their first dual-stack cable modem customers in January. Google already offers IPv6 access to its content, but you need to go through some checks first to be DNS white-listed with them. Facebook content is available to anyone over IPv6 from www.v6.facebook.com.

The acid test for those providers is adding IPv6 DNS records for their primary web domain. Research published by Google in June 2010 suggested the number of clients with 'broken' IPv6 connectivity was running under 0.1 percent. That's not bad, but it's still a lot of users.

ISOC has organised 8 June as 'World IPv6 Day', where Google, Facebook, Akamai and others will enable IPv6 on their production services for a day. It's an excellent chance for you or your organisation to do some preparation work and take part. Or you may choose to book the day off now. Either way, it should be very interesting.

Tim Chown is lecturer in the School of Electronics and Computer Science (ECS) at the University of Southampton. He has been involved on IPv6 research and development since 1996, working within the IETF on associated standards. His other interests include wireless networking, IP multicast and network security.


Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topic: Networking

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion