IPv6: Dual-stack strategy starts at the perimeter

We are at an awkward point in the history of the Internet. IPv4 address depletion has occurred, yet we expect to use IPv4 for the next 15 to 20 years. Organizations see two paths before them. One alternative is to continue to use IPv4 and expect to use multiple layers of network address translation (NAT) for many years to come. The other alternative is to start to use IPv6; however, the majority of enterprise organizations and content providers have not embraced the protocol.


U.S. federal organizations should be working on meeting the September 2012 Office of Management and Budget (OMB) mandate to IPv6-enable all government Internet-facing web applications. The glacial speed of the federal government combined with government budget issues makes it difficult for them to meet "yet another unfunded IPv6 mandate."

Most enterprises have ignored IPv6. They believe they have plenty of IPv4 addresses for their own needs and that they do not have a need for IPv6. The global economic downturn has caused IT organizations to "do more with less" and they have less time to learn and deploy new-fangled technologies like IPv6. Even though IPv6 has been standardized for many years, there is a general lack of knowledge and experience with IPv6 and now many enterprises are starting to realize the position they are in. Furthermore, the vast majority of organizations are confused about how to start planning for IPv6.


Many organizations get stalled with their IPv6 deployments. They feel they must plan for a full transition to IPv6, which requires all devices that use an IPv4 address to migrate to IPv6. This is not practical, and it is more likely that organizations will gradually deploy dual-protocol configurations in various portions of their environment over the course of many years. There will be legacy systems in network environments that will only use IPv4 until they are decommissioned. For example, the computer-room UPS has a network interface that only works with IPv4. It is not feasible to replace the UPS just to gain IPv6-management capabilities.

IPv6 has had time to "mature" and now it comes standard in many products. The good news is that much of the network infrastructure, operating systems and applications already contain IPv6 capabilities. DNS servers and most of the Internet root name servers now support IPv6. ISPs now offer IPv6 Internet connectivity options. Routers, firewalls, and other systems already have robust IPv6 functionality.

Organizations should strive to use the dual-stack migration strategy. This is where you add IPv6 to your existing systems to make them function using both IP versions simultaneously. Tunneling and translation techniques should be used when dual-protocol configuration is not possible. The mantra of "dual stack where you can, tunnel where you must" is the order of the day.

For many years, IPv6 experts have been urging organizations to IPv6-enable their Internet perimeter systems. The thought was that it is the logical first step and focused on the enterprise getting upstream IPv6 Internet connectivity. It makes sense that perimeter DNS systems, web applications and e-mail servers would be the first zones of the network topology to get IPv6. Through the process of migrating the perimeter to IPv6, an organization would learn most of what they needed to know about IPv6. Too many organizations get overwhelmed thinking about everything in the enterprise that needs to migrate to IPv6. The "Internet-edge" deployment method defines a finite scope that helps an organization focus their efforts.

Organizations will need to IPv6-enable the Internet-edge before they deploy IPv6 further into their internal backbone network. Native IPv6 connectivity must be deployed one Layer-3-hop at a time to maintain contiguous IPv6 routing. Stepwise deployment of IPv6 is required to prevent discontiguous networks that would need to be bridged with a manually configured tunnel.
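The contiguity rule above can be checked against a deployment plan before any configuration change is made. The following is an added example, not part of the original article: it walks a Layer-3 adjacency list from the ISP inward and reports which IPv6-enabled devices are stranded as islands and which IPv4-only devices are valid next steps. The device names, the sample topology and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample topology (hypothetical device names): Layer-3 adjacencies
# from the ISP hand-off inward, plus the devices that already run IPv6.
LINKS = [("isp", "edge-rtr"), ("edge-rtr", "fw"), ("fw", "dmz-adc"),
         ("fw", "core"), ("core", "dist-a"), ("core", "dist-b"),
         ("dist-a", "lab")]
V6_ENABLED = {"isp", "edge-rtr", "fw", "dmz-adc", "dist-a", "lab"}


def v6_reachable(links, v6_enabled, root="isp"):
    """Devices reachable from root using only hops whose both ends run IPv6."""
    if root not in v6_enabled:
        return set()
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {root}, deque([root])
    while queue:
        for peer in adj.get(queue.popleft(), ()):
            if peer in v6_enabled and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def v6_islands(links, v6_enabled, root="isp"):
    """IPv6-enabled devices cut off from root, grouped into connected islands."""
    stranded = set(v6_enabled) - v6_reachable(links, v6_enabled, root)
    islands = []
    while stranded:
        island = v6_reachable(links, stranded, min(stranded))
        islands.append(sorted(island))
        stranded -= island
    return sorted(islands)


def next_hops(links, v6_enabled, root="isp"):
    """IPv4-only neighbours of the contiguous region: the valid next steps."""
    reach = v6_reachable(links, v6_enabled, root)
    return sorted({y for a, b in links for x, y in ((a, b), (b, a))
                   if x in reach and y not in v6_enabled})


if __name__ == "__main__":
    print("contiguous:", sorted(v6_reachable(LINKS, V6_ENABLED)))
    print("islands needing a tunnel:", v6_islands(LINKS, V6_ENABLED))
    print("enable next:", next_hops(LINKS, V6_ENABLED))
```

In the sample, the lab segment was enabled before the core router, so it forms an island that would need a manually configured tunnel until the core is dual-stacked.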

The first step in this plan is to establish IPv6 Internet connectivity. Your current ISP may already have native IPv6 Internet connectivity available for no additional cost. Organizations might contact their existing ISP only to find that it does not offer native IPv6 Internet connectivity.

In this situation, an organization could use a manually configured tunnel on their Internet router to quickly get IPv6 Internet connectivity. Organizations may also start to search for other carriers who offer native IPv6 connectivity in their service area. Starting out with a tunnel to the IPv6 Internet is better than doing nothing. Another option is to use Locator/ID Separation Protocol (LISP) on the Internet router to create a LISP tunnel for reaching the IPv6 Internet. However, tunnels can add complexity and administrative burdens, and they reduce the effective maximum transmission unit (MTU) size. This is why many consider tunneled IPv6 Internet connectivity less preferable to operating both protocols natively simultaneously. However, the organization could continue to strive for dual-stack upstream Internet connectivity and then decommission the tunnel.

Both commercial enterprises and federal organizations need a streamlined approach to establish IPv6 communications to their Internet web applications. Virtually all of an organization's web applications run on dual-protocol-capable operating systems, but on IPv4-only networks. Therefore, most of these applications are accessible by clients using only IPv4. These perimeter servers and services may remain IPv4-only for some time, but organizations need an easy way to make them IPv6-reachable.

Organizations should focus on their Internet edge as their first step in transitioning their environment to IPv6. Starting from the Internet and then moving inward is the logical step-wise method for adopting IPv6. Start with your upstream Internet connectivity, IPv6-enable your Internet routers, IPv6-enable your firewalls, then add IPv6 addresses to your authoritative DNS. Then you can IPv6-enable server load balancer/application delivery controller appliances to natively IPv6-enable your perimeter application servers. As you IPv6-enable the perimeter you will learn about IPv6, and that experience can be leveraged as you deploy IPv6 further into your organization's internal environment.


Copyright © 2012 IDG Communications, Inc.
