The co-authors of Global IPv6 Strategies were the guests for a live Network World chat where they discussed all things IPv6. The group consisted of Fred Wettling (pictured, top), who manages architecture and strategic planning for Bechtel and is a member of the IEEE North American IPv6 Task Force, the IPv6 Forum, and is executive director of the IPv6 Business Council; Patrick Grossetete (pictured, middle), who is technical director of product management at ArchRock, makers of IP-based wireless sensor network technology; and Ciprian Popoviciu (pictured,bottom) PhD, CCIE No. 4499, who is a technical leader at Cisco Systems. They discussed the business case for IPv6, killer apps, security tools and the role of vendors like Microsoft and Cisco.
Chip_Popoviciu: Hello, happy to be here!
Fred_Wettling: Hi all - glad you joined us today.
Patrick_Grossetete: Hello everybody, glad to be here.
Moderator-Julie: While Fred, Patrick and Chip are typing their answers to your first questions, here's one that was submitted earlier. What is being done to reconcile the profile differences between DoD and NIST? Who is running the store?
Fred_Wettling: The basic issue you raise is that of unambiguous technical specifications that can be used to qualify U.S. government purchases. The process involves mapping use case (i.e. network-enabled war-fighter) to network function (routing) to the relevant IPv6 specification(s). DOD work on developing IPv6 profiles for qualifying IPv6 products was started several years ago by Defense information Systems Agency (DISA). Their use cases were specific to their missions. NIST profiles are targeted at most of the rest of the U.S. government and may also serve as reference models for other industries. DISA and NIST have been collaborating where possible. There is a lot of common ground. However, there are differences that will exist going forward that are being addressed. I understand dialogs are still going on. There seems to be some convergence toward the NIST profile, including a partnership with the IPv6 Read Logo.
Fred_Wettling: (continued) Who’s running the store? It’s DISA for DOD, NIST for most other agencies. Outside of the U.S. federal space, the industry is deciding the standards applicable to IPv6 core functions. Many vendors are clearly mapping IPv6 capabilities to versions of their products. My recommendation is use the method of qualifying products that are most applicable to your environment.
Layer8: RFC1918 provides more than ample IP space for the largest of enterprises, outside of ISPs and service providers. What would be some compelling reasons to adopt IPv6 as an internal IP architecture?
Fred_Wettling: RFC 1918 does not address communications between organizations. The world is moving to end-to-end communications between people, organizations and objects. The number of people and things that are being connected exceeds the number of possible IPv4 addresses (about 4 billion).
Chip_Popoviciu: Yes, RFC 1918 address space was sufficiently large for most of the needs of today's enterprises but that might not be the case going forward. Enterprises have layered services (data, voice, wireless, etc) each with an addressing scheme. These layers will take significant resources. Then we have the new devices coming into the environment -- sensors, readers, security devices. All these laments can make RFC 1918 insufficient for future needs.
Patrick_Grossetete: First, I would say that not everybody wants to share the same address space. Then, even net 10 is not large enough for large organizations if you consider the number of subnets created today for Wi-Fi or IP telephony deployments. If a large organization experiences a merger (very common) it will require re-numbering, which is always painful.
mikes: The government was originally committed to 2008 for IPv6 and now has a date of 2010. How real is this considering many government organizations have not even started? (And IPv6 has 3.4+38 verses IPv4's 4 billion.)
Patrick_Grossetete: I don't think the date by itself is important. It is more about acknowledging there is a lot to be done. Most world regions have IPv6 on their road maps. Japan and Korea having been the first to start.
Fred_Wettling: U.S. agencies have the challenge of quantifying technical specifications as part of their procurement process. The definition of IPv6 profiles has taken longer than anticipated.
Patrick_Grossetete: What's really important is the planning and education phases, which as we know require times. When done, the deployment should not be different from other networking projects. By the way, that means we look at integration and co-existence, not a full transition to start with
Chip_Popoviciu: Setting target dates is very important in getting things going. The 2008 mandate stimulated various work (such as the profiles) and this will continue. Also, note that several governments around the world have aggressive plans in place for integration and migration.
Moderator-Julie: Pre-submitted question: What are your thoughts about Microsoft's implementation of IPv6 and in what ways will it be important?
Chip_Popoviciu: With its large customer base, Microsoft has a significant impact on technology adoption, especially when it comes to a fundamental technology such as IPv6. Windows Vista will drive and sustain IPv6 adoption by the consumers, while Windows Server 2008 will drive adoption in enterprises. Both of these markets will in turn influence the IPv6 adoption plans of service providers. Microsoft’s implementation of IPv6 facilitates deployment. Through new, IPv6-only applications, it can also provide new drivers for IPv6 adoption.
Patrick_Grossetete: If you look at its operating systems' market penetration, you could see that Microsoft has “IPv6-enabled” more than 85% of the market. IPv6 is “default” on 18% of the market through Vista, another 69% needs to get it configured. Those are important numbers when tracking the IPv6 market penetration. http://marketshare.hitslink.com/report.aspx?qprid=10
artking:What is the business case for IPv6? Inside my enterprise I run 10.x address space with 16 million addresses and think this is Y2K size event with NO JUSTIFICATION. At the Internet border, my ISP may give me a 4to6 gateway in the future. The only place where it may impact me in a few years is the Internet properties we run that must be regression tested and support access from v4 and v6 Internet endpoints, etc.
Fred_Wettling: Many companies will not NEED to move to IPv6 in the next few years if they are satisfied with all of the services they are using now. This is a valid tactical approach when short-term cost avoidance is important. Other companies are strategically investing in the foundation for the future, like those that started using TCP/IP and Web technology in the 1980s and 1990s… before innovations like VoIP, Google or YouTube. Incrementally testing your IT infrastructure for IPv6 compatibility is a good move, and I applaud you for this foresight. This will help you avoid problems in the long-term when implementing IPv6 becomes a higher priority for your organization
Patrick_Grossetete: Without knowing your line of business, it may not be easy to comment on potential benefits. But clearly some worldwide regions and market segments are adopting IPv6. What would be the impact on your business if you couldn’t properly get customers or partners reaching your sites? Remember that a 4to6 gateway will have the same challenges as current IPv4 NAT, so why not simplifying the architecture by considering the original TCP/IP model.
Fred_Wettling: From the perspective of the person that has led enterprise IPv6 implementation in a major international company, the strategic benefits are becoming clear, especially where mobility, peer discovery, infrastructure management and end-to-end communications (without the application headaches of NAT traversal) are important. Chapter 5 of Global IPv6 Strategies has several real-life use cases that might interest you.
Layer8Solutions: Are there any large enterprises that have even begun a global IPv6 deployment, other than the government?
Fred_Wettling: I started leading the IPv6 deployment at Bechtel in early 2005. Right now ~93 % of all desktops and laptops are running IPv6 (dual stack). Our major data centers are running IPv6, and our WAN is running IPv6 through GRE tunnels where no native carrier IPv6 access is available to the premises. (Shameless plug …) Chapter 5 of our book, Global IPv6 Strategies, has detailed profiles on several companies that are implementing IPv6.
bruce.curtis: We have enabled IPv6 for all of the clients on our networks and are working on some issues with load balancers etc., for our servers. I see signs that ISPs are moving toward enabling IPv6 but other than Google, I don't see many destination sites enabling IPv6. Do you see more destination sites preparing for IPv6 than I have seen? Is there any way to get the sites like Yahoo, etc., to expedite enabling IPv6?
Chip_Popoviciu: Availability of Internet content over IPv6 is indeed a challenge and it makes offering IPv6 based IA services difficult to justify. That does not mean however that deployments are gated by the availability of Internet content. There are walled-in garden deployments which offer specific IPv6 services that can be managed within that domain. Migration of content to IPv6 will depend a lot on demand and that is a way to stimulate content providers to put content on IPv6. Also, there is work done in IETF to provide mechanisms that will encourage providers to put content directly on IPv6 but make it available to IPv4 users as well. Work in progress to be sure.
Fred_Wettling: Bechtel and others have run into a few bumps with product maturity and the versions in operation. One is the lack of IPv6 support in Microsoft ISA Server 2006. We have found work-arounds for most of the issues.
But, just to note, IPv6.olympics.cn is an example of a high-profile site.
bruce.curtis: Yes ipv6.olympics.cn was a good sign of progress but at least for the little bit of looking that I did it often took you to another site that offered the content over IPv4. If I remember correctly for the few that I looked at the content came from Akamai. We have a few Akamai servers at our university and I think they and similar service providers are another important group to convince to enable IPv6.
Patrick_Grossetete: That's effectively something we discovered. Many websites use absolute URL (IPv4 addresses), redirecting traffic from v6 to v4. I agree that education is important as well for people developing Web applications, including caching and redirection. As we explained in the book, it is a long process.
Fred_Wettling: NTT is delivering broadcast TV service to many (millions) in Japan. This is not a service that you can ping with your browser, but is a clear indication of the underlying trend.
Moderator-Julie: Pre-submitted question: What kinds of interesting consumer IPv6 applications have you seen? Have you seen set top boxes, refrigerators, etc. outfitted with IPv6 and ready to hit the IPv6 Internet when it becomes more readily used?
Chip_Popoviciu: All of the above! A visit to the IPv6 showroom in Tokyo will be very enlightening in this sense. It will show how many of our current IP devices are IPv6 ready and it will show how far the Internet is expanding in terms of devices.
Patrick_Grossetete: Now working for ArchRock who develops IP wireless sensor networks, I may add that IPv6 plays a fundamental role in this new layer of Internet nodes. You need the large address space not only because you expect to connect many sensors but also because it eases the compression over radio links and helps to target “zero config” deployment for this class of devices. Applications range from environmental outdoor monitoring to wireless city services (parking metering, electricity/water/gas metering,…) green building, to data center to machine to transportation and other areas. You can now get any sensing location part of your IT environment to collect the appropriate data and take decision. A nice example is described on http://comnews.com/features/2008_april/0408_wireless.aspx.
Fred_Wettling: Have a Mac or Sony PlayStation 2 (or later)? These are a couple of examples where IPv6 is already “in play.” For example, Apple uses IPv6 in Mac OS X as part of its network device discovery process…. Seamless, smooth and efficient. Apple’s product promotion is focused on the “MAC Experience,” not the fact they are using IPv6. Cable providers are starting to deliver set-top boxes that comply with Data Over Cable Service Interface Specification (DOCSIS) 3.0. Motorola started selling DOCSIS 3.0 cable modems earlier this year.
bvalaski: I recently saw a webcast from SANS about implementing IPv6, and one of the largest setbacks seemed to be ISP implementation. Having to tunnel IPv6 over IPv4 seems to add a bit (no pun intended) of overhead. What incentives are being presented to the ISPs to 'win them over' to performing the infrastructure upgrade, and how effective are those so far?
Patrick_Grossetete: IPv6 over IPv4 tunnels was really the first step to get IPv6 packets flowing across the Internet. Today, native IPv6 (really dual-stack) being available on router's hardware, the recycling process allows ISP to turn on IPv6. Incentives such as winning a government or enterprise contract certainly helps. Several broadband ISP are running IPv6 as well, like mine (Free Telecom). They are now launching innovative services which leverage IPv6.
Moderator-Julie: Pre-submitted question: What is the scope of IPv6 applications that we will eventually find in the enterprise?
Fred_Wettling: Versions of ALL major operating systems have been shipping as IPv6 capable for years. With only minor configuration changes, IPv6 is enabled on OSes like Windows XP and Server 2003. Today, all major operating systems are shipping with IPv6 enabled by default, including Apple (10,3), MAC OS X Leopard, BSD, HP-UX 22iv2, AIX 6, Windows Vista, Windows Server 2008, Linux 2.6 Kernel and Solaris 2.10. On top of these platforms the vendors are at various stages of implementing IPv6 in their products. For example, SharePoint 2003 on an IPv6-enabled Windows Server 2003 platform supports IPv6 end-to-end communications, with a few limitations. Then again, Microsoft Exchange 2003 and ISA Server do not even know IPv6 exists. Web servers and services are straightforward to enable on most platforms. Talk with your software suppliers and ask for the IPv6 road maps on products that are important to you. Your application developers should be using development and testing platforms that will ensure IP version-agnostic operations.
Patrick_Grossetete: To add to Fred's list, I would like to add that IPv6 is also available on other operating systems such as Windows Mobile 5 and 6, Symbian-embedded Linux and TinyOS. This allows new classes of devices – smartphones, PDAs, cameras, IP phones, sensors – to be part of the game. On Windows Server 2008, clustering (or whatever they've named that feature) can be done at Layer 3 by running IPv6. Windows Vista Peer-to-Peer framework runs over IPv6 (). Those are just some examples.
mikes: How prepared are the support organizations for this? Will all the CCNA's be up to speed? And WHEN? Orgs will never change if the support function is not in place.
Chip_Popoviciu: This is an excellent question and touches on a topic sometimes overlooked. It is not easy or cheap to find IPv6-qualified folks, and a significant investment will be needed in preparing the staff for deploying and operating IPv6 environments. There are many courses available for IPv6 education, and the certification tracks are catching up. CCXX certifications do contain IPv6 modules now. Cisco engineers, in all organizations, including Customer Advocacy, have gone through IPv6 training.
Patrick_Grossetete: I could add that CERT Alert also covers IPv6.
ipv6_novice: How much of training is required for an IT force to migrate from IPv4 to IPv6 once they are convinced?
Fred_Wettling: You need to address all parts of the IP organization in your training and awareness efforts. The level of education will depend on the employee's role. App developers need to be educated and their development environments to be IP-version agnostic. QA environment needs to be IPv6-enabled. Support people need some basic awareness training. Security will be involved with IPv6, too.
Moderator-Julie: Pre-submitted question: Is the Internet community working on a way to make NAT the bridge by which people run dual IPv4 and IPv6 networks, and which vendors are behind such a thing?
Chip_Popoviciu: There are several efforts in IETF to address some of the problems we face due to the address exhaustion pressures and the fact that we don’t have all the pieces in place to switch to IPv6 (for example, the IPv6 Internet content is nowhere near to the IPv4 one). There are efforts geared toward using IPv4 NAT to further re-use address space beyond what we do today. There are efforts to create Protocol Translators (remember that NAT-PT was deprecated) that would interface the v4 and v6 Worlds and then there are creative ideas that use IPv6 in order to further re-use IPv4 address space. The one important thing to remember is that these efforts, some of which will be useful, some not, do not intend to prolong IPv4’s life indefinitely but rather to provide short-term relief as the migration to IPv6 takes place without an Internet growth slowed down by lack of IPv4 addresses.
Chip_Popoviciu: (continued): This is an Internet communitywide effort. Cisco is actively participating in the standardization work related to this topic while it explores the implementation of these ideas in products. Cisco demonstrated proof of concepts for several of these NAT options, most recently at the IETF meeting in Dublin. [NOTE: See story Much-maligned feature, NAT, being added to IPv6 )
Patrick_Grossetete:It is important to understand that all of the actual IETF proposals have challenges in term of performance, scalability and security. So, they will certainly be helpful to smooth the transition to IPv6 but won’t guarantee the Internet growth to cope with new Internet comers – remember that the Earth's population growth forecast is 50% in 2030-2050.
Fred_Wettling: Prudent organizations are positioning themselves to avoid global IPv6 transition problems by implementing IPv6 in a dual-stack (IPv4+IPv6) mode now. A current constraint is the slow pace of many carriers to provide native dual-stack services to their customers. Carriers like NTT and Hurricane Electric are providing services today that will eliminate the need of translation technologies for their fully dual-stack customers.
mikes: Integration and coexistence is just more work than a full transition and even this is not real.
Patrick_Grossetete: I don't think integration and coexistence are more work to start with. In fact, it allows you to pick an application and run it over IPv6 for a given geography. This represents minimum risks and doesn't require you to upgrade all IP nodes and applications you have in an organization. Long term, I am convinced we will see people moving to IPv6-only but it is still too soon. I don't see that as being different from integrating IPv4, then moving away just like we did with SNA/DECnet/Appletalk/IPX in the 1980s.
Moderator-Julie: Pre-submitted question: You hear a lot about the address shortage (which NAT has solved for a lot of companies) and about new features of IPv6. So, if it’s not just about address space, what's the killer IPv6 application?
Chip_Popoviciu: Today we do not have a killer IPv6 app. Chasing a killer app is a deceiving perspective on IPv6. This is a fundamental technology which is valuable by the simple fact that it enables us to scale our networks and services. Do we have services available only over IPv6? Yes we do but they are not yet perceived to be killers.
Patrick_Grossetete: I will not call it a killer application, but IP wireless sensor networks are clearly a new layer of Internet nodes that get connected. For technical reasons, IPv6 is THE protocol selected by the IETF 6LoWPAN working group, there is no IPv4 equivalent. It just demonstrates that people start to be creative when not being zealots about IP protocol version.
Fred_Wettling: IPv4 had been around for quite a while when Google opened for business in Menlo Park, CA in 1998. Skype Beta was released in 2003. YouTube was started in 2005. Are these IPv4-based successes “killer apps”? IPv6 “killer apps” will certainly evolve as end-to-end use of IPv6 becomes more pervasive.
thindson: What would be good first planning steps for a large enterprise that has more than one Internet provider and extensive private addressing internally?
Fred_Wettling: Work with enterprise leadership, at least within IT, to ensure there is an understanding of the strategic global importance of IPv6. Understand that this will take time. Bechtel found it useful to embed IPv6 in already existing change processes, from development, through QA, into production. IPv6 is now just another check box on natural control points... just like security and other controls. If I may offer another plug, we cover this subject in a good level of detail in chapter 6 of our book.
Chip_Popoviciu: I would add that in order to minimize costs of integration, it is essential to tie IPv6 projects into other infrastructure projects such as bandwidth expansion, or insertion of new network elements. Adding the IPv6 component in such projects requires a small additional investment (if any) but it helps ready the environment for IPv6 at minimal costs. Even if the goal of the project is not IPv6, keeping IPv6 in mind helps reduce costs in the long run.
Layer8Solutions: Moving toward IPv6 is a huge undertaking in capital and human resources. How do you begin to cost justify such a move to the business unit? I would argue that even the merger of two enterprises, running IPv6 would require the same network integration effort as would two companies running IPv4.
Chip_Popoviciu: The size of the investment depends significantly on how soon one gets started preparing for IPv6. Leveraging refresh cycles early on makes a big difference in integration costs. Please refer to my reply to the previous question. As I said, it is essential to tie IPv6 projects into other infrastructure projects such as bandwidth expansion, or insertion of new network elements. I would add that in order to minimize costs of integration, integrating IPv6 in all IT projects will help reduce costs for the overall IPv6 integration project.
Patrick_Grossetete: In fact, one of the first reasons an enterprise may start considering IPv6 should be security. Knowing you have IPv6 implemented on all recent OS – (see previous Q&A on the scope of IPv6 applications) - how could you let traffic going through your network without monitoring it?
Fred_Wettling: Bechtel is a $20+ billion global enterprise with > 44,000 employees. As I mentioned in my response to the earlier question from thinsdon, Bechtel took advantage of our natural change processes, including product refreshes. For example, over the last two years, we have completed application verification for all client apps and most of our server-apps. The incremental cost of adding IPv6 to the OS when testing things like Office 2007 is insignificant. We found that approaching IPv6 as an addition to all other IT-related activities held costs to a minimum. Here's one example. Windows 2003 Server build profiles were modified one time to include required IPv6 parameters. After that, new servers include IPv6 as part of the build process. This is less effort and cost than a project to go around the enterprise and enable IPv6 as a discrete task.
Moderator-Julie: Pre-submitted question: What is Cisco's road map for IPv6 in the switching market? Today many players are offering RIPng in small switches?
Chip_Popoviciu: Cisco is developing road maps for its products based on customer demands, incrementally adding features as the market demands them. This strategy applies to the small switch products as well. Currently, Cisco small switches such as 3560/3750 go beyond supporting RIPng, they support OSPFv3 and EIGRP for IPv6. For the latest information on a specific feature support on a specific platform, it is best to contact your Cisco account team.
Moderator-Julie: Pre-submitted question: Some people say that people will sell their old IPv4 addresses and that this might drive the cost of IPv4 above IPv6 . Do you believe this is likely and have you seen any evidence of it yet?
Chip_Popoviciu: Like any finite resource, IPv4 addresses always had and will have a value even though this might have not been self evident. Now that we approach exhaustion, this value is becoming more and more relevant. Acquiring someone's IPv4 address space is not a new concept. There are organizations known to have considered buying other organizations for their IPv4 address space. A market, open or black, for trading IPv4 address space is inevitable. Work is ongoing on how such markets should be organized and managed.
Fred_Wettling: As IPv4 exhaustion nears, this has become a hot policy topic at the five regional Internet registries (RIRs). The fundamental issue is that companies don't own their allocations. They are just granted permission for exclusive use of the numbers from upstream numbering authorities. IANA (Internet Assigned Numbers Authority) allocates large blocks of IPv4 and IPv6 addresses to the RIRs. RIRs allocate smaller blocks to local (LIR) and national (NIR) registries, and the process continues to trickle down. IANA and RIR policies are used to govern allocation criteria and governance, including reclamation.
JoeRockHead: What is the status of good security tools for IPv6?
Fred_Wettling: We have found that several security tools (firewall, IDS, IPS) are ready for IPv6 traffic, others are at varying stages of maturity. While Microsoft should be applauded for its IPv6 deployment in its operating systems, it has not yet addressed IPv6 in its ISA Server that several organizations use for Internet traffic security logging. Current versions of Squid DO support IPv6. The "bad guys" are exploring the use of IPv6 to gain access to systems. A common approach is the use of tunnels that may be turned on in a default configuration ... like Teredo, ISATAP or 6to4. Security awareness is important when deploying IPv6. A lot of potential risks can be solved with prudent configuration, including turning host-based tunnels OFF by default. Command Information has been doing some interesting work in this area.
Moderator-Julie: Pre-submitted question: What is IPv6 multi-homing and when is it important?
Chip_Popoviciu: IPv6 multi-homing is the same thing as IPv4 multi-homing and it applies in the same scenarios as for IPv4. Let's remember that IPv4 multi-homing mechanisms are problematic. If we want to stick to them, we can implement them the same way in IPv6. The question really is: Can we do better? It actually is imperative we do better. So now we need to find that better way.
Patrick_Grossetete: At the beginning, multi-homing is an asset of policies and business rules between ISP and their customers. Technology has been enhanced to deal with those policies but issues such as routing table growth, routing protocol convergence and stability, etc., have to be faced. For those reasons, some people thought IPv6 multi-homing policies should not be allowed, but market realities make it a must. As Chip wrote, multi-homing on IPv6 can be done exactly the same way as IPv4, but the community still needs to solve the issues whatever the protocol version.
Moderator-Julie: Thanks for attending! Our time is up. We want to thank our guests for an excellent chat. The transcript to this chat will be posted on Network World, on Cisco Subnet and Microsoft Subnet and will live on the main chat page, at www.networkworld.com/chat/. Check out our next chat with wireless guru Craig Mathias, 2 p.m. ET. If you can't attend but have wireless management questions, please post them in advance of the chat to our "Post a Questions" widget on the main chat page www.networkworld.com/chat/.
Patrick_Grossetete: Bye for now. It was great to get your questions.
Chip_Popoviciu: Good bye, thanks for attending.
Fred_Wettling:A pleasure to talk with you all this afternoon. Bye.
Like this? Here are more chat transcripts of recent Network World chats.
Twitter, forums, and blogs: Are social networks your friend or foe? With Curt Monash
-- August 19, 2008Network Access Control Face-Off: Joel Snyder versus Richard Stiennon
-- July 22, 2008- -- July 8, 2008
Counterfeit network gear: how to detect it and protect yourself with Mike Sheldon
-- June 18, 2008Open source and its changing role in the enterprise with Stormy Peters
-- May 15, 2008- -- May 5, 2008
LAN switch security: What hackers know about your switches with Christopher Paggen
-- November 13, 2007- -- November 07, 2007