Cisco Subnet: An independent Cisco community

Dual-Stack Will Increase Operating Expenses

More IT staff required when running IPv4 and IPv6 simultaneously.

As we start to plan for IPv6 and start to deploy it on our networks we should try to anticipate the operational costs related to running both IPv6 and IPv4. IPv6 provides more addresses and some minor opportunities for cost savings. IPv4 addresses are becoming scarce and IPv4 networks are becoming increasingly costly to maintain. The combination of these operating costs and the long-tail of IPv4 will burden most organizations.

Transitioning to IPv6 is an inevitability because we will not be able to sustain the current level of Internet growth solely with IPv4. Eventually, all Internet systems will need to embrace IPv6. When planning for IPv6 deployment it is customary to review the plentiful transition techniques. Of all the IPv6 transition techniques, the dual-protocol approach is the most feasible. Even though tunnels and translation are options, it is far better to "go native" when it comes to IPv6. Even though the industry is looking for ways to prolong the lifespan of IPv4, the transition to IPv6 will necessitate running IPv4 in parallel with IPv6 for many years. The fact is that we do not anticipate decommissioning IPv4 anytime in the next 10 years.

Increasing scarcity of IPv4 addresses requires network administrators, system administrators, and security administrators to spend their time on address reclamation activities. These IT administrators will have their plates full with identifying blocks of public IPv4 addresses, removing those addresses from internal systems, and changing them to private IPv4 blocks. The public IPv4 addresses on the internal networks will need to be replaced with private IPv4 addresses, and the reclaimed public IPv4 addresses used for public Internet-facing applications. Public IPv4 addresses will also be needed for public NAT/PAT pools due to the increased load on NAT systems. Today, many large organizations that use private IPv4 addresses internally will need to groom their private IPv4 address space to endure the long-term use of IPv4 while IPv6 adoption becomes ubiquitous.

IPv6-related capital expenditures (CAPEX) will not be substantial because much of an organization's IT systems are already IPv6 capable. Many computer operating systems, routers, and firewalls are now IPv6 capable by default. However, there are many organizations that are still using older operating systems like Windows XP. Windows XP does not come with IPv6 enabled by default, and although it can be manually enabled, it does not include a DHCPv6 client and it only performs DNS queries over IPv4 transport. Organizations will want to upgrade to at least Windows 7 before deploying IPv6 on their internal networks. Besides the licensing cost for the new operating system, upgrading to Windows 7 will likely require upgrading computer hardware to support the increased memory, CPU, and storage requirements. Similar upgrades may be required for other operating system brands and versions. This upgrade may require significant CAPEX, but it might be required regardless of the imminent IPv6 migration.

If a company has old systems that do not support IPv6, they will need to be upgraded to support IPv6 at some point, but their function may determine when that capital expenditure is required. It may be acceptable if the computer room UPS does not support IPv6 over its management interface. However, if the perimeter firewall does not support IPv6 then you will likely need to purchase a new one. The perimeter firewall is one device that is on the critical path of your IPv6 deployment project plan, and that capital expenditure will likely occur sooner rather than later.

Some organizations have been planning to reduce the cost to migrate to IPv6 by simply upgrading IT systems on a multi-year lifecycle basis. The assumption is that if they start to procure new IPv6-capable systems on a 6 to 8 year cycle, eventually everything in their infrastructure will be IPv6-ready. However, many organizations have not held fast to these procurement guidelines and have perpetuated purchasing IPv4-only systems. These organizations have also created IPv6 upgrade cost models by only considering the cost of hardware or software licenses, but not considering the investment of people's time to migrate to IPv6. The hardware and software upgrade costs are just the tip of the iceberg compared to the amount of human effort required to migrate to IPv6.

Organizations must consider the operating expenses (OPEX) related to the transition to IPv6 and the long-term operation of IPv6. Initially, the significant cost related to IPv6 is the training that IT staff will need to become proficient with IPv6. Few people on an organization's IT staff have invested their own time to learn about IPv6, and virtually all IT staff will need to become knowledgeable about the new protocol, addressing, and troubleshooting. After these people are trained, they will be working to apply IPv6 configurations to routers, firewalls, DNS, computers, applications, and many other systems. This level of effort will be significant and occur in addition to their normal IPv4-related responsibilities.

Once we have IPv6 implemented, we will need to maintain both IPv4 and IPv6 in parallel for many years. Operating in a dual-protocol environment will mean performing many tasks twice. Organizations will maintain an IP Address Management (IPAM) system for IPv4 and IPv6. It will be critical to keep track of the precious IPv4 addresses and to manage the immensity of the IPv6 address space responsibly. Network administrators will need to maintain routers and switches with IPv4 and IPv6. Routers will need to be configured to use their two routing tables and every network will need an IPv4 subnet and an IPv6 subnet. Organizations will need to maintain DNS entries for IPv4 and IPv6 hosts. DNS administrators will need to configure new IPv6 forward and reverse records and continue to keep up on all IPv4 DNS changes. Organizations will need to maintain multiple DHCP scopes for each subnet (DHCP for IPv4 and DHCPv6). Every time a network is added, it will need both a DHCP scope and a DHCPv6 scope and they will both need to be tested. Every physical or virtual server will need both an IPv4 and an IPv6 address to be effective. These will need to be configured in DNS with A and AAAA records and IPv4 and IPv6 PTR records. It would be beneficial to have a DNS/DHCP/IPAM system that is IPv6-capable. IT staff will need a system that helps automate the creation of these IPv4 and IPv6 resources and tie them together to help make them manageable. These systems will also help IT staff avoid errors related to the challenging IPv6 address format.
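As an added illustration of the automation described above (not code from the original article), the following Python sketch derives the A, AAAA, and both PTR records for each host from one inventory and reports hosts missing an address family. The inventory, hostnames, and function name are constructed for the example.

```python
import ipaddress

# Constructed sample inventory (documentation prefixes): host -> addresses.
INVENTORY = {
    "www.example.com": ["192.0.2.10", "2001:db8:0:1::10"],
    "mail.example.com": ["192.0.2.25", "2001:DB8:0:1:0:0:0:25"],
    "legacy.example.com": ["192.0.2.99"],  # IPv4-only, should be flagged
}

def dual_stack_records(inventory):
    """Return (records, gaps).

    records: (owner, type, rdata) tuples for forward and reverse zones.
    gaps:    (host, missing_type) for hosts lacking an A or AAAA record.
    """
    records, gaps = [], []
    for host, addrs in sorted(inventory.items()):
        seen = set()
        for text in addrs:
            # ip_address() raises ValueError on a mistyped address, so a
            # malformed IPv6 literal never reaches the zone data.
            ip = ipaddress.ip_address(text)
            rtype = "A" if ip.version == 4 else "AAAA"
            seen.add(rtype)
            # str(ip) is the canonical form: lowercase, zero-compressed.
            records.append((host + ".", rtype, str(ip)))
            # reverse_pointer builds the in-addr.arpa / ip6.arpa owner name,
            # including the 32 reversed nibbles for IPv6.
            records.append((ip.reverse_pointer + ".", "PTR", host + "."))
        for rtype in ("A", "AAAA"):
            if rtype not in seen:
                gaps.append((host, rtype))
    return records, gaps

if __name__ == "__main__":
    recs, missing = dual_stack_records(INVENTORY)
    for owner, rtype, rdata in recs:
        print(f"{owner:<75} IN {rtype:<4} {rdata}")
    for host, rtype in missing:
        print(f"; WARNING: {host} has no {rtype} record")
```

Generating the forward and reverse entries from a single source keeps the four record types in step, which is the manual work the paragraph expects a DNS/DHCP/IPAM system to absorb.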

Security administrators will need to maintain firewalls with two firewall policies; one for IPv4 and one for IPv6. However, some firewalls may use a single policy that will grow in size as IPv6 policies are added as the IPv6 deployment continues. Regardless, multiple objects will be created and maintained for IPv4 and IPv6 systems and naming conventions for each will need to be consistent. System administrators will need to harden servers and routers for both protocols equally. Security administrators will need to make sure that other security systems are operational for securing IPv4 and IPv6 connections. Application developers will need to make sure their applications are written to work in IPv4-only, dual-protocol, and IPv6-only environments. Application developers will assess their current code, make adjustments for their applications to become address-family independent as needed, and test their software in these three scenarios.
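One way to check that the IPv4 and IPv6 policies described above stay consistent, shown as an added example that is not part of the original article: group rules by the service they protect and compare the actions per address family. The rule format, the `service` label, and the sample rules are hypothetical and constructed for illustration, not any vendor's syntax.

```python
import ipaddress
from collections import defaultdict

# Constructed sample policy in a hypothetical, vendor-neutral format.
RULES = [
    {"service": "www", "dst": "192.0.2.10/32", "proto": "tcp",
     "port": 443, "action": "permit"},
    {"service": "www", "dst": "2001:db8:0:1::10/128", "proto": "tcp",
     "port": 443, "action": "permit"},
    {"service": "ssh", "dst": "192.0.2.0/24", "proto": "tcp",
     "port": 22, "action": "permit"},          # no IPv6 counterpart
    {"service": "db", "dst": "192.0.2.50/32", "proto": "tcp",
     "port": 5432, "action": "deny"},
    {"service": "db", "dst": "2001:db8:0:1::50/128", "proto": "tcp",
     "port": 5432, "action": "permit"},        # conflicts with IPv4 rule
]

def parity_report(rules):
    """Return findings where the IPv4 and IPv6 policies disagree.

    Each finding is ((service, proto, port), ipv4_actions, ipv6_actions).
    An empty action list means that family has no rule for the service.
    """
    by_service = defaultdict(lambda: {4: set(), 6: set()})
    for rule in rules:
        # ip_network() validates the prefix and tells us the address family.
        version = ipaddress.ip_network(rule["dst"]).version
        key = (rule["service"], rule["proto"], rule["port"])
        by_service[key][version].add(rule["action"])

    findings = []
    for key, actions in sorted(by_service.items()):
        if actions[4] != actions[6]:
            findings.append((key, sorted(actions[4]), sorted(actions[6])))
    return findings

if __name__ == "__main__":
    for (service, proto, port), v4, v6 in parity_report(RULES):
        print(f"{service} {proto}/{port}: IPv4={v4 or 'none'} "
              f"IPv6={v6 or 'none'}")
```

The comparison depends on the consistent object naming the paragraph calls for: here the shared `service` label is what ties an IPv4 rule to its IPv6 counterpart.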

The initial configuration of IPv6 will take effort, but performing ongoing maintenance of both network protocols will require human effort. In addition, having to troubleshoot IPv4 and IPv6 in parallel will take time. That is why it will be imperative for IT staff to be adept at troubleshooting in a dual-protocol environment to help reduce the Mean Time to Repair (MTTR) and increase the operational availability. As the IPv4 environment gets more complicated with more address reclamation activities and multiple layers of NAT, the cost to maintain IPv4 by itself will increase.

IPv6 will provide some minor cost reduction benefits as more and more IPv6-enabled systems join the IPv6-enabled Internet. Use of stateless address autoconfiguration (SLAAC) and use of public addresses, which reduces the reliance on NAT, will help drive down operational costs. Maintaining and troubleshooting NATs adds to staff loss of productivity and increased MTTR. IPv6 will simplify some things as a byproduct of the abundant addressing, but the combination of IPv6 and IPv4 may be costly to maintain. For IT management, the increased administrative effort of IPv4 (with NATs and IPv4 address reclamation), together with having to run IPv4 in parallel with IPv6, may require increased IT staff. Additional headcount may be required to sustain the network during the dual-protocol transition. However, this may be good for helping to generate jobs.

We must remember that dual-stack is not the final step. In fact, IPv6-only is the "point-of-arrival", but it will take many years to get there. Therefore, the sooner you can migrate to IPv6-only, the sooner you can start to reduce your IT costs. However, in order for your organization to move to IPv6, many other organizations need to migrate to IPv6 together.

Following is a predictive graph of what these network operational costs may look like. There is no scale to this graph, but it is meant to illustrate the concept of the additive maintenance costs of a dual-protocol environment. Over time, the operating costs of IPv4 and IPv6 will rise and fall, but the total costs will rise to a high level during the period when both IPv4 and IPv6 are running. Initially, there will be a large increase in IPv6 costs due to the initial deployment of this protocol on the bulk of the IT infrastructure. During the first years of the transition, the costs of IPv4 operations will continue to rise. Once IPv6 gets fully implemented, then we will start to see IPv4 traffic volumes start to level off as more connections use IPv6 instead. This will be the painful part during the transition because we will have to operate both protocols for many years and your IPv4 costs will continue to rise before you can start to move away from using IPv4. The phase-out of IPv4 will take many years as systems will need to be replaced. Eventually, costs will start to diminish as the benefits of IPv6 will become realized, but it will take many years and increased costs during the transition period.

[Figure: Dual-Protocol Operational Costs]

The industry has waited until IPv4 address exhaustion has occurred before deploying IPv6. This is a costly "game of chicken" and the price of procrastination for not moving to IPv6 could be substantial. IPv6 may stimulate the jobs market due to the increased effort required; however, organizations still need to hire qualified IPv6 people. There are still many IT staff who have not started to learn about IPv6, and that has left a gap that has put the industry into an "IPv6 brain drain". Organizations planning a migration to IPv6 should consider the OPEX costs and the CAPEX costs before getting sticker shock in mid-transition to IPv6.

Scott
