IPv6: Not A Simple Renumbering

A decade ago, organizations went through a massive overhaul of their IT infrastructure in an effort to prevent the massive outages anticipated with Y2K. Now they need to decide whether a similar investment will be needed again. Publicly routable IPv4 address allocations are going to reach exhaustion in the next two years, if the projections from the Number Resource Organization (NRO) are to be believed. Soon after that, finding IPv4 addressing won't be easy. Carriers have been gradually preparing themselves for the migration to IPv6. Many are closely looking at installing NATing technology to extend the life of IPv4. Meanwhile the Federal Acquisition Regulation (FAR) will change as of July 1 requiring all hardware and software purchased by US agencies to be IPv6 compatible.

But the enterprise is another matter. Adoption of IPv6 early on by enterprises will ensure an easier transition to the new addressing scheme, argue proponents. The fact remains, however, that moving to IPv6 too early will create significant problems for enterprises. Yet organizations have other priorities. "IPv6 is tomorrow's protocol," says one CIO who asked not be named. The client wants to go there, but the stark reality is that it would bring more chaos to an already chaotic place. It's not just making sure that the requisite IP stacks are loaded on the necessary equipment.

The change to IPv6 requires a fundamental assessment of core services and a revaluation of security of the network. "You need to look at testing more than just the IPv6 stack itself as IP addressing will be embedded within networking services running over that equipment," says Dave Kresse, CEO of Mu Dynamics, a provider of IPv6 testing equipment and services.  Protocols such as SIP, SMTP, RTFP and, of course, HTTP all embed IP addressing within them. Organizations need to be sure that these and others will continue to work over their new protocol suite despite the change.  

What's more, security will be a huge concern for organizations deploying IPv6.  Years of testing have gone into insuring the security of IPv4. Organizations now need to deal with how to ensure that known exploits over IPv4 do not succeed when passed over IPv6. Similarly, tunneling schemes that include exploits in IPv6 tunneled over IPv4 will likely traverse firewalls that would otherwise have been caught over native IPv4.

At the same time, organizations can't assume that their network application will continue to run as expected. Take SIP, for example. Soft phones compatible with IPv6 are available from vendors such as Counterpath, but handsets, for example, are another matter, says Timothy Winters, a senior manager over at the  University of New Hampshire InterOperabilty Laboratory (UNH-IOL), one of two organizations currently accredited by the  National Institute of Standards and Technology (NIST), to perform the U.S. Government IPv6 (USGv6) compliance testing.The same goes for the routers themselves. Beyond the actual routing, routers involve important ancillary functions relevant to IPv6, such as network management, high availability features, video transcoding and traffic inspection, which each need to be evaluated for IPv6 compatibility. Large organizations will need to evaluate their BGP implementation. BGP has the ability to support applications, such as propagating Access Control Lists (ACL) across an I-BGP mesh that can involve IPv4 addresses.  More specifically, when the ACL data starts including IPv6 addresses, will those ACLs still propagate through the routers? Will they be corrupted? Or worse, will that router suffer some outage as a result? Those are some of the questions that enterprises will need to answer.

All organizations will need to check their use of redundant router configurations. Router backup protocols, such as the open Virtual Router Redundancy Protocol (VRRP) or Cisco Hot Standby Router Protocol (HSRP), allow an IP address to be shared among a group of routers in order for an outage to be identified quickly and so a back-up link can be identified.  When IPv6 is added, large portions of the HSRP code base must be updated. Code that doesn't support IPv6 may affect the whole router.
 
Finally, enterprises need to figure out where to focus their testing and compliance efforts. On that score, organizations might have a few shortcuts. For the most part, companies selling to service providers, such as NTT, who are heavily invested in IPv6, are a safe bet, says Kreese.  Enterprises can add to that list Cisco, Juniper and F5, says Martin Levy, director of IPv6 strategy at Hurricane Electric, the largest provider of IPv6 services in North America.

All of those providers also have a strong carrier presence where IPv6 presence is in demand. The enterprise is another matter. "The network industry is stalling when it comes to being IPv6-ready," says our anonymous CIO. " Many vendors don't seem that eager to go to IPv6 primarily due to the lack of real interest and lack of resolution of some of the security issues that remain outstanding with IPv6.  Everyone is realizing it's not 1998 anymore."