IPv6 is a next-generation Internet layer protocol that was designed by the Internet Engineering Task Force (IETF) to solve the problem of IP address depletion under the current Internet layer protocol, IPv4. John Curran, the chairman of the board of trustees at the American Registry for Internet Numbers, said the Internet will run out of IPv4 addresses if they continue to be used at their current pace. Needless to say, Curran thinks this will cause some significant problems.
"On the day when we run out of addresses, none of you are going to notice it on that day, but it's the months that follow that turn out to be the problem," he said at this week's FutureNet conference in Boston, MA. "Backbones not going to be able to add customers unless they find more address space... the pieces you deal with going to be smaller and the routing table going to pay the price."
The trouble that IPv6 advocates have run into so far, however, is that individual businesses right now don't see the logic in investing time and money in IPv6 deployment during a recession where they have far more pressing and immediate needs. Or as Curran put it at FutureNet, "People don't see what they need before they actually need it."
Joda Schaumberg, the director of unified collaboration services for Global Crossing, said during a FutureNet panel that whole his company has seen a "significant increase" in IPv6 ports and traffic growth, it has had trouble educating enterprise customers about why IPv6 deployment is so important to their long-term health.
"I was in front of a CIO yesterday and I asked him whether deploying IPv6 was on his short, medium or long-term list of priorities," he said. "But it wasn't even on his radar."
The security implications of IPv6
Scott Hogg, who is also the coauthor of the Cisco-approved IPv6 Security guidebook and a regular contributor to Network World's Cisco Subnet blog, told FutureNet attendees that IPv6 could pose major security problems for their networks even if they hadn't yet deployed the new Internet layer protocol. This is because operating systems such as Vista and Linux are already IPv6 capable and thus any networks that use these operating systems might be handling IPv6 traffic without their operators' knowledge. Additionally, one way that IPv6 addresses connect to each other over IPv4 networks is through encapsulating IPv6 data in IPv4 packets and then "tunneling" through the older network. Because the typical firewall is unable to unwrap these IPv4 capsules to inspect the traffic inside, Hogg said that they could be a way for hackers to break into networks. "The firewalls don't look closely enough at encapsulated packets because the typical firewall today has nothing capable of opening up the capsule," he said. "Some vendors are starting to work together on this problem but they aren't there yet."
Hogg also said that creating dual-stack transition networks that run both IPv4 and IPv6 can create vulnerabilities for networks because they can become vulnerable to attacks with either IPv4 or IPv6 traffic. He said that any enterprise building a dual-stack network should make sure that it is secure before switching on any IPv6 capabilities. This means securing the network perimeter first, hardening network devices and building the IPv6 network first from the core and then out to the edges.
"In a lot of ways it's very similar to what you do to secure an IPv4 network," he said. "The migration strategy should be going from the core on out."
IPv6 only solves part of the problem
Even if every business and ISP were to successfully deploy IPv6 over their network tomorrow, it still wouldn't solve certain fundamental problems with the scalability of Internet routing. The IETF acknowledged these problems earlier this year when it formed a working group designed to address the scalability problems caused by multihoming, the practice whereby customers look to increase the reliability of their Internet connection by splitting their traffic over multiple carriers. Multihoming can become a problem because it can increase the size of routing tables to such a point that it will overwhelm router hardware.
Tom Nadeau, a senior network architect for BT, estimated that "we have 15 years to fix the routing problem or we're going to need IPv12." Doug Junkins, the vice president of IP Engineering for NTT America, said that while the problem with routing scalability is very real, it is still vital to at least start deploying IPv6 now in order fix the more immediate addressing problem.
"IPv6 adoption is solving one part of the overall problem, but there's going to need to be follow-up developments," he said. "My hope is that by deploying IPv6 we will help ease the transition to fixing the routing architecture in the future without having to fix the address side of the equation again."
This story, "FutureNet 2009: IPv6 coming, ready or not" was originally published by Network World.