IPv6: jump in, or just put a toe in the water?

Now that we've officially run out of IPv4 Internet address blocks, the calls to migrate to IPv6 are getting louder and more desperate, especially among ISPs who say companies that dally risk losing network visibility. Not so fast, say proponents of a more measured approach to migration. Get it wrong and you risk more than that.

The Experts

Dorn Hetzel, network engineer, who once founded an Internet Service Provider and went on to hold top architecture and engineering roles at other ISPs, says that, unless you're an ISP, you don't need to rush.

Martin Levy, director of IPv6 Strategy at Hurricane Electric, says the time has come, that we can no longer contemplate the implications, we can no longer duck the migration decision, we have to implement IPv6 now.

Dorn Hetzel

IPv6 - Slow and steady

Popular opinion in some circles suggests that if you're not on a fast track to converting to IPv6 then awful things will soon befall you.

If you're an ISP or a continuous consumer of fresh public IP addresses, then you will have to deal with v6 sooner rather than later. However, for most other networks, a slow and steady plan for getting to v6 will lessen both problems and costs. This isn't something you want to rush into.

First, it's true that the "free pool" of public v4 addresses is getting low and will soon run out. But then, most businesses don't need new allocations very often. In fact, many are still running today on the initial set of public addresses they got from their ISP or from a registry when they first connected to the Internet.

Not being able to get more public v4 addresses isn't a problem if you don't need any. Also, while each new computer attached to a network needs an IP address, these are usually RFC1918 IP addresses, not public addresses. For most typical circumstances, there is no shortage of these.

So perhaps there isn't a critical lack of public v4 addresses forcing you to v6. Should you go ahead and convert now anyway to get ahead of the curve?

If your network is typical, migration may bring more cost than benefit. After all, there are many existing network attached devices, such as printers, phones and cameras, that do not have any software provision to deal with v6 addresses. While we constantly update the software on our computers and have plenty of storage for that, printers and the like don't tend to get updated very often, if ever, and don't have a lot of extra storage for newer, more complex software.

The result is that, even after adding v6 to your network, you will probably still need to run v4 in parallel for quite some time while all of this legacy hardware ages out. How long that takes will depend on your industry. In education, for example, replacement cycles are typically five years or longer.

OK, you've decided to put v6 off for a while, at least until you've turned over a bit of hardware. How will your users get to those fancy new Web sites that are v6 only? There are at least two ways this problem gets solved. First, those sites don't really want to exclude potential customers, so there is a good chance they will set up a v4 proxy to handle requests from users that haven't converted yet. Then, as we get further down the road, there is one device in your network that should probably be the first one to get a public v6 address. Your firewall.

Under the heading of firewall, I would also include your VPN server if it is separate from your firewall. Your firewall has already been doing the job of translating from v4 internal IP addresses on your LAN to v4 external addresses on the Internet. It's not a big stretch to consider using it to translate from v4 internal addresses to v6 external addresses.

Your VPN server has been accepting connections from travelling workers on public v4 addresses and connecting them to your v4 internal addresses, so a similar upgrade would apply. Once these devices that deal with the outside world have been upgraded, the lifespan of your internal networking technology should be significantly extended.

How about all those futuristic applications we haven't thought of yet that will be enabled by that vast ocean of public IP addresses that v6 will bring us? Peer-to-peer applications we haven't even imagined yet. Of course, the peer-to-peer applications we have already thought of are the ones that choked your network until you taught your firewall to block them!

Now, don't ignore v6 completely when it comes to your internal network. It's definitely time to take future v6 upgradeability into account as a factor in purchasing decisions for network switches, routers and anything else attached to the network. But still, don't go turning on all that v6 capability right away. Odds are there will be more than a few bugs worked through by early adopters.

Hetzel founded Internet Atlanta, one of the first local ISPs in the Southeastern US, in 1993, which he sold in 1996 to Epoch Internet, and became their director of network architecture until late 1998. He was Director of Sales Engineering at Level 3 1999-2000 and then VP of Network Engineering for Enron Broadband. Nowadays he does network engineering and consults for local school systems in his area.

Martin Levy

A prompt transition is essential

Transitioning to IPv6 is akin to improving a congested and dilapidated roadway. "Dipping a toe" into overdue infrastructure repairs is simply not a viable approach.

The IPv4 addressing scheme has served the world well, but there can be no doubt that it has run its course. Do you remember when Margaret Thatcher was Prime Minister of Great Britain, Hill Street Blues won eight Grammy awards, and Journey's Escape was the top-selling album in the U.S.? It was September 1981, the year the IPv4 addressing scheme was first published.

Four billion addressable devices seemed like a lot in 1981, but as of February 2011, the IANA's supply of IPv4 addresses was fully allocated. As ISPs stop allocating IPv4 addresses for public-facing systems, only devices with IPv6 capabilities will have unrestricted connectivity to the global Internet. The upgrade decision so many have been trying to avoid for so long is no longer optional. The time for IPv6 adoption has come. Present and future projects are at risk of address starvation in the IPv4-only world, which will create connectivity issues and restrict the usefulness of all network-based offerings.

To provide backward compatibility for IPv4 while supporting IPv6, the global Internet and nearly every IT shop must embrace a dual-stack IP world. All stops on the communication pathway - from endpoint devices, to ISPs, to backbone providers - must operate with IPv6 alongside IPv4. Although the dual-stack requirement seems daunting to beginners, the transition need not be difficult.

The process of choosing a service provider, hosting company, hardware vendor or application software provider must now include the question, "Do you have IPv6 support?" Your partners need to specify whether each connection can be provided as a dual-stack connection and is a full dual-stack to the rest of the world. Hardware and software vendors should state whether there are any known caveats or limitations in their products' IPv6 support.

As applications and networks migrate from IPv4 to a dual-stack IPv4/IPv6 environment, it is important to ensure parity between the two protocols. For example, applications that log IP addresses must be able to store both 32-bit IPv4 addresses and 128-bit IPv6 addresses. In another example, infrastructure that implements filtering or security based on IP addresses (e.g., a firewall) must support IPv6 addressing schemes.

Thankfully, the act of choosing end-users' desktops, laptops, tablets and smartphones is much simpler. Nearly all major endpoint operating systems fully support IPv6. The fact that those devices are connected to IPv4-only networks simply means the devices' IPv6 capabilities have been left dormant. Enabling IPv6 within the network elements will awaken those capabilities, but existing security and auditing systems may need upgrades to handle the new IPv6 address allocations.

It is important to note that nearly every major Internet backbone has included IPv6 within its plans. The percentage of core backbones that run IPv6 increases daily. The global Internet has been working on enabling IPv6 for ten years; however, only in the last three years have the commercial offerings been significant enough to see IPv6 services offered to customers. It is clear that customers are requesting dual-stack connections, and service providers have been listening to those customers. There is much more effort needed in this space, but today a customer has every right to ask his service provider for IPv6 and expect a serious answer.

The infrastructure behind the global Internet has also become dual-stacked over the last 10 years. The root name servers have been enabled for IPv6 for many years. Top Level Domains (TLD) like .com, .net and .us are serviced by domain name servers that are dual-stacked. Presently 256 out of 306 TLDs are enabled for IPv6. Individual domains can now be registered with IPv6 name servers via many domain registrars.

Furthermore, IPv6 address allocations from the Regional Internet Registrars (RIR) have been available for as long as IPv6 has been operating. The RIRs have been instrumental in pushing IPv6 readiness within their regions and some have made allocation of IPv6 addressing as easy as clicking on a Website link. If you are a direct customer of an RIR (like ARIN in North America, RIPE in Europe or APNIC in the Asia Pacific region) then you can allocate an IPv6 block with ease.

The U.S. Commerce Department has estimated an ongoing benefit to the global economy of $10 billion per year from IPv6 adoption. Enterprises that fully adopt IPv6 will benefit from simplified network configuration from the elimination of network address translation, improved end-to-end services, and - most importantly - the assurance that their public-facing servers and infrastructure will be available to all who seek them. The time to dive in is now.

Hurricane Electric is a Fremont, Calif., ISP.
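The parity point raised above (address logging and IP-based filtering must handle both 32-bit and 128-bit addresses) can be checked in code. The following is an added example, not code from either author or from Network World; the rule set, function names and sample addresses are constructed for illustration and use documentation prefixes.

```python
import ipaddress

# Constructed rule set using documentation prefixes (RFC 5737 / RFC 3849).
RULES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

def canonical(addr_text):
    """Parse a logged address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    On a dual-stack socket an IPv4 client can be reported in the mapped
    form; without unwrapping, an IPv4 rule silently fails to match it.
    """
    ip = ipaddress.ip_address(addr_text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def storage_key(addr_text):
    """Return a fixed 16-byte key so one log column holds both families.

    IPv4 is stored in IPv4-mapped form, so the same host always yields
    the same key regardless of how the address was reported.
    """
    ip = canonical(addr_text)
    if ip.version == 4:
        return b"\x00" * 10 + b"\xff\xff" + ip.packed
    return ip.packed

def is_blocked(addr_text, rules):
    """True if the address falls inside any rule of the same family."""
    ip = canonical(addr_text)
    return any(ip.version == net.version and ip in net for net in rules)

def families_without_rules(rules):
    """List address families (4, 6) that the rule set does not cover at all."""
    return sorted({4, 6} - {net.version for net in rules})

if __name__ == "__main__":
    # Constructed sample of addresses as they might appear in a log.
    for seen in ("192.0.2.10", "::ffff:192.0.2.10", "2001:db8::1", "198.51.100.7"):
        print(seen, storage_key(seen).hex(), is_blocked(seen, RULES))
    v4_only = [ipaddress.ip_network("192.0.2.0/24")]
    print("families with no rules:", families_without_rules(v4_only))
```

A rule set for which `families_without_rules` returns `[6]` is the parity gap the essay describes: filtering that was complete on IPv4 and absent once IPv6 is enabled.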


Copyright © 2011 IDG Communications, Inc.