The six biggest misconceptions about IPv6
25 February, 2011 01:43
For 15 years, Internet engineers and policymakers have been publicizing the need to upgrade the 'Net's current addressing scheme -- known as IPv4 -- to handle the network of networks' explosive growth. Yet many U.S. CIOs and CTOs continue to harbor misinformation that they use to justify why they are not adopting the next-generation IPv6 standard.
This issue is significant because the Internet is running out of IPv4 addresses. IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. The non-compatible replacement protocol, IPv6, uses 128-bit addresses and supports a virtually unlimited number of devices: 2 to the 128th power.
Here is a list of the biggest misconceptions about IPv4 depletion and IPv6 deployment that we've read or heard in recent weeks:
1. The Internet still has plenty of IPv4 addresses.
Whether or not you think the Internet has run out of IPv4 addresses depends on where you live in the world and how fast your network is growing.
In early February, the free pool of unassigned IPv4 addresses was depleted when the Internet Assigned Numbers Authority (IANA) delegated the last five blocks of IPv4 address space - each with around 16.7 million addresses - to the five regional registries. The registries are expected to dole out the majority of these IPv4 addresses to carriers in 2011.
IPv4 free pool depletion is the first step in the Internet running out of IPv4 addresses. It is a significant milestone in the 40-year history of the Internet because it shows that IPv4 addresses are a limited resource.
Over the next few months, it will become increasingly difficult for mobile and broadband carriers with fast-growing networks to acquire the blocks of contiguous IPv4 address space that they need to build out their networks.
Some carriers are predicting massive IPv4 address shortages this year. China Telecom has predicted that it will be short 20 million IPv4 addresses in 2011, which will affect its roll-out of mobile broadband, IP TV and other popular services. As far as China Telecom is concerned, the Internet has already run out of IPv4 addresses.
Some U.S. government agencies and companies that were involved in the original research that evolved into the Internet received enormous blocks of IPv4 address space before anyone realized it would be a scarce resource. For these lucky organizations - like the U.S. military, IBM and the Massachusetts Institute of Technology - it won't feel like the Internet has run out of IPv4 addresses any time soon.
Most U.S. companies that do business on the Internet have a limited number of IPv4 addresses. The day is fast-approaching when these companies will need IPv4 addresses and be unable to get them from their carriers. That will be the day when their CIOs realize the Internet has run out of IPv4 addresses.
2. My company doesn't need to adopt IPv6 yet.
An IT executive at a company that operates a string of Web sites and earns more than $100 million in annual revenues recently said that the business case "hasn't been made" for adopting IPv6. This company has not begun any development work on IPv6, nor has it earmarked funds in this year's budget for such work.
This executive is under the false impression that IPv6 is an upgrade that can be postponed.
John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), says all companies that do business over the Internet should support IPv6 on their public-facing Web servers and Web services by Jan. 1, 2012 or risk losing potential customers.
Similarly, the Obama Administration has mandated that all U.S. federal agencies upgrade their public-facing Web sites and services to support IPv6 traffic by Sept. 30, 2012.
Experts in IPv4 depletion say companies that don't have a transition plan in place for IPv6 are already too late.
The depletion of the IPv4 free pool "is a wake-up call," says Chris Davis, senior director of corporate marketing communications at NTT America, a leading provider of IPv6 transit and access services in the United States. "If you haven't taken this seriously, you better start. If you don't have a transition plan in place, you better make one...IPv6 is a reality."
Part of the foot-dragging is the result of U.S. CIOs falsely believing that their carriers will take care of IPv6 transition for them. That's not going to happen. Enterprises must IPv6-enable their own Web content through the deployment of native IPv6 or an IPv6-to-IPv4 translation mechanism on the front end of their Web servers.
"The carrier needs to take care of IPv6 as far as their infrastructure is concerned, but the enterprise has to take responsibility for their own networks and their own network access, including routers, firewalls and web services," Davis says.
3. A lucky Internet user will get the last IPv4 address.
Experts predict that the Internet will run out of IPv4 addresses many months from now and in a different fashion than the receipt of a winning lottery ticket.
In February, IANA depleted the free pool of unassigned IPv4 addresses. Next, the regional Internet registries will dole out the remaining IPv4 addresses to carriers in a process that is expected to take anywhere from three to nine months. The registry that is expected to deplete its pool of IPv4 addresses last is AfriNIC, the African registry.
"Each regional registry will run out of IPv4 addresses at its own rate," Curran says. "That almost certainly means, because of the current rate of demand, that AfriNIC will make the last assignment."
The Asia Pacific Network Information Centre (APNIC) has a unique policy for distributing its last 16.7 million IPv4 addresses. It will allow carriers to get a one-time allotment of 1,024 IPv4 addresses, thereby holding some IPv4 addresses in reserve for start-ups. However, these tiny allotments of IPv4 addresses won't meet the needs of fast-growing network operators. So for all practical purposes, IPv4 will be depleted in Asia this year.
For U.S. companies, IPv4 depletion will occur in 2011. ARIN says it has around 80 million IPv4 addresses left and expects to run out of these addresses within nine months.
Another reason that one lucky Internet user won't get the last IPv4 address is that carriers are likely to share these increasingly scarce resources among multiple users. So even if you could figure out who got the last IPv4 address from a particular carrier in a particular region, the address would likely be shared among multiple users.
It's also possible that IPv4 addresses will be recycled. Carriers and enterprises that upgrade to IPv6 can return their unused IPv4 addresses to the regional registries. Several U.S. organizations including the U.S. military, Stanford University and the Interop trade show have returned some of their unused IPv4 address space to ARIN. If recycling IPv4 addresses becomes more popular, the trend could stave off IPv4 depletion for a few more months.
"We do expect to see addresses that come in from the transfer policy," Curran says. "The person who gets the last IPv4 address from the free pool won't be the last person who gets an IPv4 address."
4. A black market will emerge for IPv4 addresses.
Experts say a black market isn't likely to emerge for IPv4 addresses because the regional Internet registries have created legal ways for organizations to transfer - or even sell - their unused IPv4 addresses.
ARIN, for example, has a process set up that allows network operators to apply for IPv4 address transfers much as they apply for new IPv4 addresses. In either case, network operators must show they have plans to use the IPv4 addresses to provide network services and not to hoard them for future use.
"There will be a market for transfers," Curran says. "We do have a listing service, where parties who want address space can list it. ARIN's job is to maintain accurate records of who has the address space."
Curran says ARIN has the authority to reclaim IP addresses if they are transferred outside of the policies that it has established.
"People who are attempting to do that run the risk that their IP addresses will be revoked by ARIN and reissued," Curran says. "There are enough people waiting for [IPv4 addresses] that they will get quickly used."
The regional Internet registries are considering a new policy that will allow for IPv4 address space to be transferred from one region to another.
"North America has a large amount of address space issued in the early days of the Internet," Curran says. "Those resources should be available to the entire Internet community. I expect we'll see interregional transfers."
Raul Echeberria, chairman of the Number Resource Organization, which represents the five regional Internet registries, admits that a black market for IPv4 addresses is a possibility but says that he is not sure it will evolve because of the existing rules for IPv4 address transfers.
"There is, of course, the possibility that some IPv4 addresses will trade outside the system, but I am confident that it will be a small amount compared to those that will be transferred within the system," he says.
Echeberria adds that the value of IPv4 addresses will decline as network operators adopt IPv6, making this black market less attractive.
"If the Internet community moves to IPv6, the value of IPv4 addresses will decrease in the future," he says. "There won't be a reason for having that black market."
5. IPv6 is more secure than IPv4.
IPv6 proponents say that one of the new protocol's benefits is that it has built-in support for IP Security (IPsec), an Internet security standard that allows for authenticated and encrypted communications between two end points. But experts say that IPv4 supports IPsec well enough that security isn't an advantage of IPv6.
"It's a myth that IPv6 is more secure than IPv4," says Qing Li, chief scientist for Blue Coat Systems, which supports IPv6 in its network appliances. "IPv6 was designed to facilitate the implementation of IPsec better, it allows IPsec to operate better, but that's just a facility...It doesn't mean that IPv6 by itself is more secure."
IPv6 is likely to make the Internet less secure, not more secure, in the near term. That's because so many network operators are going to upgrade to the relatively unproven IPv6 technology at the same time.
"Long term, IPv6 will greatly improve Internet security because every end point will have encryption available. But that wonderful nirvana is a long time away," Curran says. "Short term, IPv6 means turning on lots of code features for the first time. Any time you're using new code all over the Internet, there are lots of possibilities of bugs. So people will need to be very alert."
Another issue is that there are few network engineers with the know-how and experience to secure IPv6 networks.
"There is so little operational experience with IPv6 that people are going to naturally make mistakes," says Cricket Liu, vice president of architecture and technology for Infoblox, which sells IPv6-enabled DNS appliances. "Network engineers who are configuring IPv6 are going to make rookie mistakes with IPv6 that they wouldn't make with IPv4. The quality of the implementations out there is going to be an issue."
Also, security vendors are not providing the same number of features or the same level of performance in their IPv6 products as they offer in their IPv4 products.
"If your network vendor told you they have complete parity between IPv4 and IPv6, that's a myth," says Danny McPherson, CSO for VeriSign, operator of the .com and .net domains and a leader in IPv6 deployment. "It's highly unlikely that most of the commercial products have realized the scale and capability with IPv6 that's on par with IPv4."
McPherson says deploying IPv6 will create new vulnerabilities for network operators. For example, the Internet will have more translation devices that can attract distributed denial-of-service attacks or be single points of failure. Also, network operators will have less visibility into Internet traffic patterns, so it will be harder for them to find threats like botnets.
"There's going to be some window of vulnerability until we get up to speed with IPv6. The sooner we get past that the better," McPherson says. He adds that "if you enable IPv6 on your network, you better make sure you have the same controls and countermeasures that you have for IPv4."
6. IPv6 will make the Internet simpler.
IPv6 offers the promise of end-to-end communications with the removal of network address translation (NAT) devices and other middle boxes that were necessary to extend the life of IPv4's limited addressing scheme.
But in reality, network operators are going to have to run IPv6 and IPv4 side by side for years - if not decades - to come. This lengthy co-existence of the two protocols is going to make network management more complex for the foreseeable future.
"IPv4 will still be out there for some number of decades," Curran says. "There is no timeframe to get rid of IPv4, but over time it will become more cost effective to just run IPv6...There's going to be the complication of running two network protocols for years and years."
Network operators must run both protocols because IPv6 is not backwards compatible, a reality that many CIOs and CTOs just don't believe possible. Indeed, the Internet engineering community has said that its biggest mistake in the design of IPv6 is that it is not backwards compatible with IPv4.
"Lots of people think that IPv4 and IPv6 are compatible and that not a lot of action is going to be required to interoperate between IPv4 and IPv6 hosts," McPherson says. "If they don't have dual stack, then they will need some translation device."
IPv6 was once touted as the end of network address translation (NAT) devices, which Internet purists hate because they interrupt IP communications midstream. But network operators have delayed upgrading to IPv6 for so long that now they will need to rely on carrier-grade NATs and other IPv6-to-IPv4 translators to accommodate a rise in IPv6 network traffic that is expected to start within the next 12 months.
"Most of the transition technologies are either NATs themselves or are designed to work through NATs," Liu says. "Teredo [an IPv6-over-IPv4 tunneling technology] is designed to work through NATs. NAT64 [an IPv6-to-IPv4 translation scheme] is a NAT technology. I don't think NATs are going away anytime soon."
Liu says he hopes that by 2016 most of the Internet's backbone will be upgraded to IPv6 and that there will be just pockets of IPv4-only connectivity.
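An added example, not part of the original article: one way to keep existing IPv4 controls meaningful when the transition technologies named above show up in logs, by recovering the IPv4 address embedded in Teredo, 6to4 and NAT64 addresses and checking it against an IPv4 blocklist. The 6to4 case and the NAT64 well-known prefix 64:ff9b::/96 are assumptions not mentioned in the article (operator-specific NAT64 prefixes are not covered), and the addresses and blocklist are constructed from documentation ranges.

```python
import ipaddress

# NAT64 well-known prefix (RFC 6052); the IPv4 address is the low 32 bits.
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")

# Constructed sample data: documentation-range addresses only.
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]
SAMPLE_ADDRESSES = [
    "203.0.113.9",                            # native IPv4
    "64:ff9b::cb00:7109",                     # NAT64 form of 203.0.113.9
    "2002:cb00:7109::1",                      # 6to4 form of 203.0.113.9
    "2001:0:c633:6401:8000:63bf:34ff:8ef6",   # Teredo, client 203.0.113.9
    "2001:db8::1",                            # native IPv6, nothing embedded
]


def embedded_ipv4(addr):
    """Return (mechanism, [embedded IPv4 addresses]) for one address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ("native-ipv4", [ip])
    if ip.ipv4_mapped is not None:
        return ("ipv4-mapped", [ip.ipv4_mapped])
    if ip.teredo is not None:
        server, client = ip.teredo    # client is bit-inverted inside the address
        return ("teredo", [server, client])
    if ip.sixtofour is not None:
        return ("6to4", [ip.sixtofour])
    if ip in NAT64_WKP:
        return ("nat64", [ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)])
    return ("native-ipv6", [])


def flag_hits(addresses, blocked_nets):
    """Apply an IPv4 blocklist to every IPv4 address recoverable from the log."""
    hits = []
    for addr in addresses:
        mechanism, v4s = embedded_ipv4(addr)
        for v4 in v4s:
            if any(v4 in net for net in blocked_nets):
                hits.append((addr, mechanism, str(v4)))
    return hits


if __name__ == "__main__":
    for hit in flag_hits(SAMPLE_ADDRESSES, BLOCKED):
        print(hit)
```

A plain string or prefix match on 203.0.113.0/24 would catch only the first sample entry; the other three hits surface only after decoding.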
"For the next five years, things are going to be much more complex because we will have two protocols running side by side," Liu says. "We're going to have all of those crazy transition technologies. Not just one, but many...It's a rose-colored view of the world to believe that IPv6 is suddenly going to bring us to this network nirvana of end-to-end."