When it comes to network management software that supports IPv6, buyers should be wary.
An increasing number of network monitoring and management tools support IPv6, but these products often don’t include the full set of features available in IPv4. And few commercial offerings provide the extra capabilities needed for IPv6, an upgrade to the Internet’s primary protocol that has a new addressing scheme, built-in autoconfiguration and end-to-end security, among other features.
“We deployed IPv6 many years ago, and from a network-centric point of view, there are still some basic things that aren’t there yet,” says Rick Summerhill, director of network research, architecture and technologies for Internet2, a next-generation network run by a consortium of U.S. universities.
“We rely on [Cisco] NetFlow to analyze what goes on in our network, and that isn’t there yet for IPv6. It’s little things, like being able to do usage on our interface,” Summerhill says, pointing out that both routers and network management software are missing key features. “The ability to analyze your network in some way — that’s what’s still missing.”
Summerhill says this gap in the ability of network management software to handle IPv6 leaves networks that are moving to the new standard vulnerable to attack.
With new technology like IPv6, “you’re much more vulnerable to attacks or to malicious attempts to disrupt your network, and the ability to analyze those attacks when they happen is really important,” Summerhill says.
Experts say the need for network monitoring and management tools is even greater for IPv6 than for today’s IPv4 networks, for several reasons:
* Networks of the future will be more complicated than today’s because they will run IPv4 and IPv6 side by side for years during the transition from one standard to the other.
* IPv6 lets network managers directly address more network devices than ever before, which will lead to larger networks.
* IPv6 addresses are longer and more cumbersome to display and store in network management applications.
* IPv6 packet headers are larger and there are more of them, which is a challenge for network management and monitoring tools.
* New IPv6 features, such as end-to-end security, will make it harder to monitor packets for network traffic analysis.
That’s why it’s critical that network managers have tools to monitor and manage IPv6 devices and traffic, to analyze both network protocols, and to help with troubleshooting.
“We believe that both security and management have to be top-of-mind in any customer transition to IPv6,” says Dave West, director of field operations for Cisco’s Federal Center of Excellence. “You have to be able to manage devices and visualize the flows.”
The tools to do this aren’t available today, and it’s unclear whether enough IPv6-ready network-management functions will be available by June 2008, when U.S. federal agencies are required to turn on IPv6 support in their backbone networks.
Network management applications for IPv6 are “still in the development phase,” says Yanick Pouffary, technology director for the North American IPv6 Task Force and an IPv6 Forum fellow. “Everybody is targeting the federal agencies and the timeline that is in the Office of Management and Budget mandate.”
“You’re not going to find IPv4-to-IPv6 parity if you look across the board in network management,” Cisco’s West acknowledges. “We have some features now, and other value-added features will come in time.”
West adds he expects “management capabilities will mature as more devices come online to support IPv6.”
If these tools don’t become available soon, network managers run the risk of having to do twice the work to support IPv4 and IPv6 in dual-stack networks.
“It’ll be harder in the sense that you have two protocols to look over,” Summerhill says. “But if management systems come along that are capable of doing dual-stack, it won’t be that much harder.”
What network managers need for IPv6
Developed by the IETF a decade ago, IPv6 is a long-anticipated upgrade to IPv4, the Internet’s primary protocol. IPv6 has a 128-bit addressing scheme that lets it support an order of magnitude more devices connected directly to the Internet than IPv4’s 32-bit addressing can.
Network managers will need IPv6-enabled management tools for DNS, address management, traffic generation, traffic analysis, troubleshooting and application-performance monitoring, to name a few management tasks.
These tools must support the whole family of IPv6-related protocols created by the IETF including Neighbor Discovery, a messaging protocol for discovering neighboring devices that also aids local connectivity, routing and configuration.
“Network management tools will need to embrace the IPv6 protocols like Neighbor Discovery to be able to manage the devices,” the IPv6 Task Force’s Pouffary says. “The network appliance needs to be on an operating system that understands IPv6, and you have to make sure that your software calls up IPv6 data structures. . . . The bulk of the work for network tools is how to display that information. They’ll need [GUI] changes.”
Pouffary says network management tools need to be upgraded to provide an integrated view of IPv4 and IPv6 devices and traffic. “You want a view of all of your network that is integrated, so network managers can react to threats and manage devices regardless of whether they are running IPv4 or IPv6,” she says.
Pouffary says it’s important for network managers to make sure the policies they have for accessing network resources in IPv4 are applied to IPv6 with its autoconfiguration feature and end-to-end security model.
“The products that enforce your policies need to understand that you have IPv6 devices on your network,” she says.
Network management applications will need to support IPv4 and IPv6 together in dual-stack mode, which is the most common type of deployment. Another important feature is tunneling, which lets IPv6 traffic move over an IPv4 connection or vice versa.
“You need to be able to query an IPv6 device over an IPv4 connection,” Pouffary says. “You need to be able to speak the language of the device that you are talking to and also understand the transport plane.”
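The integrated dual-stack view and the tunneling awareness described above can be illustrated with a short Python example. It is added here, not taken from the article or from any vendor's product; the flow-record shape and the names `classify` and `integrated_view` are assumptions, and the sample addresses are constructed from documentation ranges. It files IPv4, native IPv6, IPv4-mapped, 6to4 and Teredo traffic under one key per endpoint, and collapses different spellings of the same IPv6 address.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (source address, bytes). All addresses are from
# documentation ranges; nothing here comes from the article.
SAMPLE_FLOWS = [
    ("192.0.2.10", 1200),                               # plain IPv4
    ("2002:c000:020a::1", 800),                         # 6to4, embeds 192.0.2.10
    ("::ffff:192.0.2.10", 300),                         # IPv4-mapped IPv6
    ("2001:0DB8:0000:0000:0000:0000:0000:0001", 500),   # native, written in full
    ("2001:db8::1", 700),                               # same address, compressed
    ("2001:0:c000:201:0:0:3fff:fdf5", 50),              # Teredo, client 192.0.2.10
]


def classify(addr_text):
    """Return (transport, key): how the traffic travelled and the address to file it under."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        return "ipv4", addr
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped", addr.ipv4_mapped
    if addr.sixtofour is not None:
        # The embedded IPv4 address is the 6to4 site's public endpoint.
        return "6to4", addr.sixtofour
    if addr.teredo is not None:
        # teredo is (server, client); the client value is the NAT-mapped address.
        return "teredo", addr.teredo[1]
    return "ipv6-native", addr


def integrated_view(flows):
    """Sum bytes per endpoint and transport so v4 and v6 traffic share one table."""
    totals = defaultdict(lambda: defaultdict(int))
    for addr_text, nbytes in flows:
        transport, key = classify(addr_text)
        # str() gives the canonical compressed form, so spellings collapse.
        totals[str(key)][transport] += nbytes
    return {host: dict(per) for host, per in totals.items()}


if __name__ == "__main__":
    for host, per_transport in integrated_view(SAMPLE_FLOWS).items():
        print(host, per_transport)
```

For 6to4 and Teredo the key is the tunnel's IPv4 endpoint, which may be a site router or a NAT rather than the individual host, so policy checks still need the inner IPv6 address as well.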
What’s available for IPv6
Commercial network-management packages are adding support for IPv6, but that support often is limited to a few key features required for initial deployment. Even open source tools fail to provide full-fledged IPv6 support.
“There are quite a few tools that we use for IPv4 that do not support IPv6,” says Matt Davy, chief network architect for Indiana University. “This includes both tools we buy as well as tools we have developed on our own.”
Davy says the university’s legacy Juniper Networks firewalls, as well as its open source Snort and Bro intrusion-detection systems, don’t provide thorough enough support for IPv6.
“They have some IPv6 support, but it’s not very good,” Davy says. “The tools that we use to monitor the network, seeing the state of what’s up and what’s down, are mostly open source and things that we developed, but they currently don’t have support for IPv6.”
Davy says the situation is a “pretty big problem. We have IPv6 deployed pervasively. We have 80,000 data jacks that are IPv6-enabled, and we don’t really have enough visibility into the traffic.”
Davy says the university is attacking the problem by upgrading to newer Juniper firewalls and intrusion-detection software with support for IPv6.
“It’s a process of replacing existing equipment with new equipment that supports IPv6 and updating the tools we’ve developed to support it as well,” he says.
Davy points out that less than 1% of the university’s network traffic is IPv6.
Network management for IPv6 is “much further along than it was three or four years ago,” Davy says. “There are options out there in the open source area, and more are coming in the commercial software. . . . But feature-compatibility with IPv4 is still a pretty long ways off.”