Getting Serious with IPv6 in a Windows Networking Environment

First of Several Blog Posts on Planning and Implementing IPv6 in your Microsoft Windows Environment

This past week, the Internet Assigned Numbers Authority (IANA) that issues IP addresses issued the last 5 blocks of public IP addresses, thus starting a firestorm of news stories on the Internet that IPv6 is the next Y2K. As one of the twelve Y2K Advisors to the White House under President Clinton, I figured I’m compelled to write an article on IPv6, so here goes… (oh, and by the way, my stance on Y2K was that planes weren’t going to fall out of the sky and the world wasn’t going to come to an end at the stroke of midnight on January 1, 2000. The Daylight Savings Time issue in 2007 when the US changed the start and end dates of DST was a much more disruptive event for everyone in the computer industry…)

And by the way, unlike pretty much every other article on IPv6 on the Internet, I won’t stop at just giving you the theoretical background of what IPv6 is. This is the first of several blog postings I’ll be writing that will actually give you hands-on, step-by-step guidance on how to implement IPv6 in your Windows / Active Directory environment. Read on…

The IPv4 Problem

As background for those who are just coming up to speed on the whole “IPv4 Problem”: when IP addressing was developed for the Internet, it was expected that 2^32 (or 4.3-billion) IP addresses would be plenty. However, by the late 1990s and the rise of the dotCom era, Internet service providers were forced to implement Network Address Translation (NAT) so that network users utilize private (internal) IP addresses, minimizing the need for every Internet-connected device to have a public IP address. So today, whether you plug your computer into the network at your place of work, plug your desktop into your home network, go to a WiFi hotspot, or connect and surf the Internet from your mobile phone, you are almost always assigned a private (internal) IP address. Your private-address communications are routed out to the Internet through a router, so that many privately addressed users at a single site communicate through a single public IP address.

However, every publicly addressable Web server needs to have a unique public IP address for Internet users to reach it. Every NAT router also needs to have a public IP address for the internal users to access the Internet. With a world of 7-billion people and businesses around the world connecting their companies to the Internet and hosting a Website, 4.3-billion public IP addresses isn’t a lot.

IPv6

To address this problem of IPv4 addresses being depleted, IPv6 was introduced to provide 2^128 (or 340 undecillion, that’s 340 with 36 zeros after it) IPv6 addresses. While the RFC on this is over a decade old, organizations have chosen not to spend time implementing IPv6 in their networks. The time to begin is now.

Implementing IPv6 in a Windows Network

Fortunately, IPv6 has been available in Windows since Windows 2008 and Windows Vista, so organizations that have migrated their servers to the latest Windows Server and are on the path to implementing Windows 7 on the client already have IPv6 available for their systems. So it is a matter of setting up the addressing scheme, IPv6 DNS, and routers to support IPv6.

Unfortunately, an IPv4 device cannot route to or access an IPv6 server system, so all endpoints need to support IPv6. However, once configured with IPv6, an endpoint can route over existing IPv4 networks through the IPv6 transition (tunneling) technologies called 6to4, Teredo, or IP-HTTPS. 6to4 and Teredo are official IPv6 transition standards; IP-HTTPS is something Microsoft put together in Windows 2008 R2 and Windows 7 because most routers on the Internet don’t route 6to4 or Teredo, so while those are great standards, they don’t work in the real world. With IP-HTTPS, an IPv6 system carries its IPv6 traffic over IPv4 inside HTTPS, basically tunneling IPv6 through HTTPS like we’ve been doing RPC over HTTPS for Outlook to Exchange for years.

To implement (and really use) IPv6 in a Windows environment, an organization needs to have:

  • Active Directory servers on IPv6, so Active Directory 2008 or Active Directory 2008 R2, preferably Active Directory 2008 R2 so that global catalog servers support IP-HTTPS
  • DNS that supports IPv6 (i.e., DNS on a Windows 2008 R2 server) so that DNS will resolve IPv6 addresses, and again, on Windows 2008 R2 so that DNS supports IP-HTTPS
  • DHCP set up to issue IPv6 addresses (i.e., DHCP set up on a Windows 2008 R2 server), just like the DHCP servers today issue IPv4 addresses
  • Client systems upgraded to Windows 7 with IPv6 enabled, so that client systems are issued IPv6 addresses from the DHCP servers, authenticate to Active Directory, and can do name resolution of IPv6 systems through the IPv6 DNS server(s).

With this basic setup, the organization now has the basis for IPv6; however, with just this, users still can’t access servers in the network or access the Internet. So the next steps are to:

  • Set up internal servers to support IPv6 (such as Exchange 2010, SharePoint 2010, SQL 2008 R2, and the like) on Windows 2008 R2 servers with IPv6 enabled. Most companies that have implemented Exchange 2010, SharePoint 2010, etc. have deployed those systems on Windows 2008 or Windows 2008 R2, which is great: those organizations are already one step closer to being on IPv6!
  • Set up Internet routing to support IPv6 so that internal IPv6 devices can communicate to and through the Internet

This last step is one of the more challenging ones, as your Internet provider needs to support IPv6, and all of your internetworking equipment (i.e., switches, routers, gateways, etc.) needs to support IPv6 as well.
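Before touching the routers, it is worth confirming that the Windows building blocks above (IPv6 enabled on the host, addresses actually assigned, an AAAA record for the domain controller, and the DC reachable over IPv6) are really in place. The following readiness check is an added example and not code from the original post; it assumes PowerShell 2.0 on Windows 7 / Server 2008 R2, reads the standard Tcpip6 DisabledComponents registry value, and defaults the target host to the logon domain controller.

```powershell
# IPv6 readiness audit for a Windows 7 / Server 2008 R2 domain member.
# Added example (not from the original post); PowerShell 2.0 and the .NET
# classes shipped with those systems. $Target defaults to the logon DC.
param(
    [string]$Target = $(if ($env:LOGONSERVER) { $env:LOGONSERVER.TrimStart('\') } else { 'localhost' })
)

# 1. Has IPv6 been switched off by policy? A non-zero DisabledComponents value
#    under Tcpip6\Parameters disables some or all IPv6 components, so the
#    DHCPv6 / IPv6 DNS work described above never gets used on this host.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$disabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisabledComponents
if ($disabled) { "DisabledComponents = 0x{0:X} (IPv6 partly or fully disabled)" -f $disabled }
else           { "DisabledComponents not set: IPv6 fully enabled" }

# 2. What IPv6 addresses does each active interface hold? A host that only has
#    link-local (fe80::) or tunnel (Teredo, 6to4) addresses has not received a
#    native IPv6 address from DHCPv6 or router advertisements.
$nics = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
foreach ($nic in $nics) {
    if ($nic.OperationalStatus -ne 'Up') { continue }
    foreach ($u in $nic.GetIPProperties().UnicastAddresses) {
        $a = $u.Address
        if ($a.AddressFamily -ne 'InterNetworkV6') { continue }
        $kind = if ($a.IsIPv6LinkLocal)          { 'link-local only' }
                elseif ($a.IsIPv6Teredo)          { 'Teredo tunnel' }
                elseif ("$a".StartsWith('2002:')) { '6to4 tunnel' }
                else                              { 'native (global or unique-local)' }
        "{0,-30} {1,-42} {2}" -f $nic.Name, $a, $kind
    }
}

# 3. Does DNS return an AAAA record for the target, and does LDAP (TCP 389)
#    answer over IPv6? A failure here points at DNS, routing, or a firewall
#    that has no IPv6 rules yet.
$v6 = [System.Net.Dns]::GetHostAddresses($Target) |
      Where-Object { $_.AddressFamily -eq 'InterNetworkV6' }
if (-not $v6) { "No AAAA record for ${Target}: DNS or the target itself is not IPv6-ready"; return }
foreach ($addr in $v6) {
    $tcp = New-Object System.Net.Sockets.TcpClient([System.Net.Sockets.AddressFamily]::InterNetworkV6)
    try     { $tcp.Connect($addr, 389); "LDAP on [$addr]:389 reachable over IPv6" }
    catch   { "LDAP on [$addr]:389 NOT reachable over IPv6 (routing or firewall gap)" }
    finally { $tcp.Close() }
}
```

Run it from a client on each subnet; an interface that reports only link-local or tunnel addresses, or a DC with no AAAA record, tells you which of the four building blocks is still missing.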

Frequently Asked Questions (FAQs)

The following are frequently asked questions I get on IPv6:

Q: Is this IPv4 problem just hype (like Y2K) or is it real?

A: The IPv4 problem is real, and the Internet WILL run out of IPv4 addresses to issue, likely before the end of 2011 in some regions such as Asia, where Internet Service Providers cannot keep up with the number of public Internet connections being requested. However, no planes will fall from the sky, and if you already have all of your Web servers and public servers addressed and have a few spare public IP addresses available, you’ll be fine; the Internet won’t go away any time soon. However, new sites and new Internet hotspots may have a hard time coming online if there are no public IPv4 addresses available for them to bring up their sites.

Q: So the problem is somebody else’s problem and not mine, right?

A: Yeah, kind of, but Internet providers who make their money bringing on new customers won’t be able to bring on new customers without public IP addresses available to host their customers’ servers and connection points. When you make it an economic problem for Internet Service Providers, they will move faster to support IPv6 on their networks. Once they start the ball rolling to provide IPv6 (and not IPv4) to endpoints, a whole wave of IPv6-only providers and devices will drive an accelerated need to have IPv6 support.

Q: So it’s possible for hotspots to only support IPv6 then?

A: Absolutely, that’s the issue: you’ll have a corporate executive traveling to Asia with their laptop, they plug into a hotspot, and the hotspot only supports IPv6, but the executive’s laptop only supports IPv4 (either you haven’t upgraded the exec to Windows 7 yet, or you did but didn’t set up IPv6 to work properly on their laptop). Now somebody else’s problem becomes the problem of the guy at the top of your company’s food chain wondering why he can’t access the Internet when he travels.

Q: So IPv6 is only an impact on convenience?

A: Actually, no, IPv6 can hit a company’s bottom line too… Say, for example, your company sells stuff over the Internet, either directly as an e-tailer or just by having a company presence around the globe. If Asia runs out of IPv4 addresses and all new connections there get IPv6 addresses only, for their mobile phones, laptops, hotspots, and businesses, but your company has no IPv6 presence or support on the Internet, then your company now has an economic downside caused by your not getting IPv6 going on your network. Your VP of Sales and the CEO will come rushing into your office wondering why millions of users in China can’t access your company Website to buy your products, or why Google doesn’t resolve your IPv4 address for an IPv6-only connected searcher. Now not having IPv6 support is just like having your company Website down. Do people complain when your entire www public Website is down? If so, then you need to do something with IPv6 sooner rather than later.

Q: You mean Google has a different search engine for IPv6 sites than it has for IPv4 sites?

A: Google has a site, http://ipv6.google.com, that is specifically for IPv6 searches. It’s unclear how Google will handle mixed IPv4 and IPv6 searches, but again, if an endpoint is only running IPv6 because they couldn’t get an IPv4 address for their site, then that endpoint can only access other IPv6 servers. It is unlikely that Google will redirect an IPv6 user to an IPv4 site and have the user repeatedly get a “site not found” error.

Q: But I thought you said there was IPv6 to IPv4 translation?

A: Yes, there is 6to4, Teredo, and IP-HTTPS translation, but it is for ROUTING of IPv6 traffic through an IPv4 network, not a conversion algorithm that’ll allow an IPv6 device to access an IPv4 device. There are ways to proxy IPv6 traffic to access an IPv4 server; Microsoft has a product, Unified Access Gateway (UAG) 2010, that does such a thing for DirectAccess IPv6 users to access IPv4 servers, but it is intended to be a proxy, good for a business to allow employees access to selected servers, not something that will handle day-to-day public website traffic.

Q: Isn’t the whole idea of IPv6 to get rid of firewalls and NAT and have all devices just openly plug into the Internet, thus every one of our internal servers is exposed to the Internet with no security?

A: Well, kind of, but not completely. The idea of every IPv6 device being uniquely and directly addressable is true, so that devices “can” communicate directly with one another over the Internet, but when you think about it, it’s not like each of your servers will have a private connection to the Internet (i.e., a DSL line to the Internet for each server…). No, each of your IPv6 servers will connect to your company backbone just like it does today, and then your backbone will have to connect through some router that then connects to your connection to the Internet. And since you will (still) be proxying or routing communications through a single Internet point, you can still put in firewalls and all that type of stuff like you have today. What IPv6 does “is” provide the “ability” to have every device directly addressable on the Internet, just like it was when the Internet was first founded, and not have everything routed through a NAT server. There are pros and cons, but at least with IPv6 you have the “option” of having all devices available on the Internet without bottlenecks if you choose.

Q: Wait, so I need to put in a whole new network, firewall, and stuff and move all my devices to that network?

A: No, your existing Ethernet cabling and everything remains as is, but the devices that route your traffic or act as firewalls or gateways need to be able to support the routing of both IPv4 and IPv6. Remember when you created subnets on your routers to isolate traffic to specific subnets and then set up routing between subnets? Well, that was all for IPv4, right? If you put an IPv6 computer on that subnet, it won’t use an IPv4 subnet routing protocol to get that IPv6 traffic to “hop” to the next segment. You need to make sure all of your internetworking devices support routing of IPv6 traffic, and you need to make sure your firewall will allow IPv6 traffic through it. By default, an IPv4 firewall will block 100% of all IPv6 traffic. So you need a new firewall, or to upgrade your firewall, proxy server, ISA server, etc., so that they recognize and are configured to support your IPv6 scheme just like you’ve configured everything to support your IPv4 scheme.

Q: Can’t I just wait until I really need IPv6 and deal with it then?

A: Uh, yeah, you can, just like you can wait to start using a seatbelt in your car until you really need the seatbelt when you’re in an accident… IPv6 is not “if” but more “when”. It will happen, and unless you plan to retire in the next 2 years, it’ll happen in your career span. IPv6 is built in to Windows 2008 and higher, and Windows Vista / Windows 7. It doesn’t take a lot to set up IPv6 DNS and IPv6 DHCP, and once those are set up, all of your current Windows (2008, 2008 R2, Vista, and Windows 7) devices will support IPv6. It’s not hard to do on the Windows side of things, so you might as well put it in place, so that when you need to be on IPv6, you’ll already be ready to do so.

Q: So just my Windows systems, right?

A: Windows systems are a start, but obviously you need to start the process to get all of your systems to IPv6 (Mac, Linux, Unix), and make sure that ALL of the routers, switches, appliances, gateways, anything you buy is IPv6 capable. If it is not IPv6 capable, you should NOT buy it. IPv6 will be here before your accounting department depreciates the hardware and software they are buying today, so make sure everything is IPv6 ready.

Q: Okay, I’m convinced, where do I start?

A: So 99% of the stuff you find on the Internet on IPv6 seems like the same article and information rehashed a million times, telling you about IPv6 and theoretically what it means, but there’s not a lot of stuff out there that’ll help an IT professional actually plan, architect, and implement an IPv6 scheme in their environment. I’ve written several guides on actual IPv6 implementation (my book “Windows Server 2008 R2 Unleashed” by Sams Publishing has a whole chapter on IPv6 in a Windows environment); however, I will be posting more on my blog here over the next few weeks with step-by-step guides. Come back to this site, http://www.networkworld.com/community/morimoto, and I’ll have more hands-on resources available. (Actually, I just posted the first of several hands-on technical blog posts on how to actually implement IPv6 in a Windows network environment. The first blog post, on IP addressing and terminology: http://www.networkworld.com/community/blog/ipv6-addressing-subnets-private-addresses)
