As IPv4 disappears, transition poses hazards

The last IPv4 addresses may be allocated soon, and dealing with the change may be hard

With the last IPv4 addresses about to be allocated, the good news is that IT managers -- at least in the U.S. and Europe -- don't suddenly have to get the next Internet Protocol working.

The bad news is that there are some hazards both in putting off adoption of IPv6 and in implementing it, according to vendors and industry analysts.

If the Asia-Pacific Network Information Center is granted two more large blocks of IP addresses, which it is entitled to because its addresses are being snatched up so fast, then a rule will kick in that forces the Internet Assigned Numbers Authority (IANA) to divide the remaining five blocks of IPv4 addresses among the world's five regional registries. Once the regional bodies run out of those addresses, they will have nowhere to turn for new ones.

IPv6, introduced in the late 1990s, offers an almost unlimited number of addresses, compared with approximately 4.3 billion addresses for IPv4. While many devices use privately held addresses that are reused on the same LAN, unique IP addresses are usually needed for servers and other types of endpoints. Particularly in fast-growing parts of the world, such as India and China, those unique addresses are being consumed quickly. The two versions aren't compatible, so, for example, client systems that only have an IPv6 address can't get to content on servers that only have IPv4 addresses.

Yet despite the dire state of IPv4, the use of IPv6 is still minuscule, according to Arbor Networks, which supplies network monitoring equipment to about three-quarters of all large Internet service providers (ISPs).

The results of Arbor's last survey of the Internet, about five months ago, show that only a fraction of one-tenth of 1 percent of all traffic used IPv6, "almost below the threshold of what we could measure," Arbor Chief Scientist Craig Labovitz said.

Part of the reason is that migrating to IPv6 costs money and in most cases offers no economic benefit, observers said. However, it will take cooperation from everyone to prevent the first IPv6-only Internet users being cut off from most of the world's Internet hosts, said Jason Schiller, a senior Internet network engineer at Verizon Business. He fears some user, somewhere, may be in that predicament in the next six to 12 months if nothing is done.

That's not likely to happen to enterprises in North America or Europe, analyst Glen Hunt of Current Analysis believes. For one thing, major U.S. service providers will have IPv4 addresses to give out to their customers for some time, he said. In addition, through large-scale NAT (network address translation), the carriers could act as bridges between the IPv4 world and users who can only get IPv6, according to Hunt. With NAT, users can share a single, unique IPv4 address that is exposed to the outside Internet.

However, Hunt and other experts warned that centralized, large-scale NAT has many dangers. The systems that perform the translation could become bottlenecks if asked to process too many requests. Having so many users share a single IPv4 address might also cause errors and security problems. For example, if a host suffers a DoS (denial-of-service) attack from behind the NAT device, it might associate the attack with the shared IPv4 address and respond in a way that affects all the users sharing the address, according to Verizon's Schiller. That could even involve those users getting blocked for a few minutes.

Large-scale NAT could also make troubleshooting harder for the service provider and interfere with application acceleration or even targeted advertising, if an advertiser tried to build a profile based on a shared IP address.

"If the guy next to you is into hunting and fishing, and you're not, you might start seeing ads for hunting and fishing," Schiller said.

For those reasons, Verizon hopes to avoid deploying NAT for this purpose on its own network. Instead, it recommends users set up NAT on their own premises.

Even organizations that do the right thing and deploy IPv6 may run into challenges in securing their networks, because most security systems today are built around the properties of IPv4, security experts said.

For example, there are so many addresses in IPv6 that the typical supply handed out to one organization is too large to scan for threats on the internal network.

"The networks are so large that to scan a typical net block would take 5 billion years," said Misha Govshteyn, vice president of technology and service provider solutions at security vendor Alert Logic. Scanning a typical IPv4 address range takes no more than a few minutes. Govshteyn added that his company is developing a new type of vulnerability assessment that will work with IPv6 networks.

This problem isn't as bad as it might seem, because there are other methods of finding potential threats, according to Danny McPherson, vice president of network security research at VeriSign Labs. A security tool can watch activity on the network or the allocation of devices through a method such as DHCP (Dynamic Host Configuration Protocol). Not being able to scan all the IP addresses in a network does prevent discovery of passive listening devices, but those devices might resist identification anyway, he added.

However, there will be headaches for companies upgrading to IPv6, McPherson said. Security products for IPv6 typically are more expensive than their IPv4 counterparts because the economies of scale haven't driven down costs yet, he said.

Partly as a result of these challenges, IPv4 will be with us for a long time, McPherson and others warned. Many systems that don't get replaced often, such as industrial SCADA platforms, could remain in place using old IPv4 addresses for years, McPherson said. IPv4 will probably remain for decades.

To deal with this, Verizon's advice to enterprises is to set up dual protocol stacks, allowing users both inside and outside to keep accessing Internet resources regardless of what kind of address they have been assigned. Verizon Business offers professional services to help businesses plan and carry out a transition.

Because carriers have IPv6-capable gear ready in their networks, enterprises in the U.S. don't need to rush into an upgrade, said Hunt at Current Analysis.

"If you have communication devices that are going to be in your network for the next three to five years, you're probably not going to change them just so you can go to IPv6," Hunt said. "But when you upgrade that server or that data center interconnect ... then is probably the time." He thinks the momentum toward IPv6 will pick up in the next two to three years and there will be significant progress within five to seven years.

Arbor's Labovitz was not so sanguine.

"Enterprises that want to expand their data centers, expand their networks will begin to encounter shortages of IPv4 address space. Or it may be more expensive," Labovitz said.

A moment of truth for IPv6 will be June 8, when the Internet Society conducts a test in which Google, Yahoo, Facebook and other major Web entities turn on IPv6 on their home pages for a day. A large-scale test is needed to identify problems with running IPv6, said Leslie Daigle, chief Internet technology officer at the Internet Society.

"I think there is a real possibility that a significant number of users will have to adjust their configurations" to access IPv6-enabled sites, Daigle said.

As long as they plan well, enterprises should be able to migrate without major challenges, but everyone should expect change over the next few years, Daigle said.

"We can expect the landscape of the Internet to be a little turbulent over the coming while."

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is
