The First IPv6 WAN Optimizer: Speed At What Price?

Last week, Blue Coat upgraded its MACH5 to become the industry's first IPv6-compatible WAN optimizer. WAN optimizers have long supported tunneled IPv6 over IPv4, but the MACH5 is the first WAN optimization appliance to accelerate native IPv6--and then some. The MACH5 is actually a very sophisticated IPv6 application layer gateway (ALG), providing IPv6 connectivity, security and optimization in a single device. Yet it's precisely its sophistication that raises questions around device scalability

David Greenfield

February 16, 2011

4 Min Read
NetworkComputing logo in a gray background | NetworkComputing

Last week, Blue Coat upgraded its MACH5 to become the industry's first IPv6-compatible WAN optimizer. WAN optimizers have long supported tunneled IPv6 over IPv4, but the MACH5 is the first WAN optimization appliance to accelerate native IPv6--and then some. The MACH5 is actually a very sophisticated IPv6 application layer gateway (ALG), providing IPv6 connectivity, security and optimization in a single device. Yet it's precisely its sophistication that raises questions around device scalability and price.

The device is a logical move for Blue Coat, which has long championed the adoption of IPv6 technology, particularly at the endpoints first. "IPv6 networks are easier to manage, so it makes sense that IT will want to migrate clients first to IPv6," says Qing Li, Blue Coat's chief scientist. "However, organizations have invested heavily in v4 applications and services as a complete and comprehensive business solution, so they won't migrate them to v6 overnight."

As a result, says Li, organizations are going to find themselves in a situations with clusters of users and offices, particularly new offices, wanting to connect v6 at the end points back to the IPv4 servers. Alternatively, they may have some sectors, such as internal government applications, where v4 clients need to access v6 content .

The MACH5 enables this transition by translating between the two environments. It monitors the A and AAAA records of the DNS response (AAAA records carry IPv6 DNS information) to determine whether a domain offers IPv4 or IPv6 content. Additionally, checks are made to verify whether v4 or v6 is implemented. If there's a discrepancy between the IP version supported by the client and that supported by the server, the MACH5 can spoof the connection on either end.

In the example just provided, the IPv6 client is given an IPv6 address for an IPv4 server. The v6 address terminates at the MACH5, not at the server. On the other side, the IPv4 server is given an IPv4 address for the IPv6 client that terminates at the MACH5, not at the client. The MACH5 can then monitor the session, converting between the two environments.What's particularly interesting from a technological perspective is the complexity of this challenge. While many v4-to-v6 translation schemes focus on converting at the network layer, application layer issues remain unaddressed. This represents a problem because often applications will still reference IPv4 addresses and will hence be unable to run in a IPv6 environment.

The situation is only made more complex by the sheer number of sessions that are spawned by average Web pages as they aggregate Flash and other live content. Blue Coat claims the MACH5 can track and convert each of those sessions so users receive a Web page as it's supposed to appear.

One of the major issues around IPv6 has been potential security holes. The IPv4 stack has been well-tested and vetted. Any holes are known and can be addressed. That hasn't been the case with IPv6, where there just hasn't been the same level of operational expertise.

Even where IPv6 terminates at the edge, though, there are security problems that need to be addressed. Li declined to enumerate all the techniques implemented by Blue Coat for solving these use cases, but he did point to a few examples. Often Web sites, for example, will use IPv4 addresses within their cookies as an initial factor of authentication. The MACH5 will detect those cookies and supply the representative v6 addresses. The same goes for ACL.

As for accelerating IPv6, Blue Coat claims the MACH5 appliance can provide application-specific optimizations for CIFS, MAPI, HTTP, SSL, RTMP, RTSP and other application-specific optimizations. The MACH5 is also capable of doing application level content inspection.
 
Within Firefox, for example, colons within IPv4 addresses denote port numbers, but within IPv6, colons are used to separate the number of the address itself. The MACH5 can make the necessary changes so that an IPv6 address will be directed appropriately.Blue Coat deserves kudos for pushing the market and delivering a WAN optimizer suitable for the IP protocol of the future. With the depletion of the IPv4 addresses, the MACH5 is bound to gain some attention.

What's less clear, though, is the market need for a IPv6 WAN optimizer among enterprises. While government institutions have adopted IPv6, leading consultancies such as the Gartner Group are recommending that organizations do not migrate their desktops to IPv6 until sometime next year.

Then there's the question of pricing. Blue Coat did not offer pricing at press time nor specifics on the scalability of the MACH5. Those are key points. The MACH5 will track every session running through the connection and have to maintain state information about those sessions, which will require sufficient memory and disk resources. The scalability of the box and, by extension, of the price of the box should then become significant factors for consideration.

UPDATE: Since publication, Blue Coat has confirmed that the MACH5 starts at $2,995 U.S. list and tops out at $87,000. The company would not disclose specifics related to scaling, saying only that "Blue Coat's product management team have stopped compiling connection count numbers since there are so many variables and it can vary widely from instance to instance." Nor would BlueCoat disclose throughput numbers. Personally, while I appreciate the complexity of the problem, I think that IT managers deserve some guidance around the capacity of these appliances.

About the Author

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights