IPv6 is Your Friend and Your Foe
Will IPv6 be a benefit or a burden to businesses and Internet users? When I am asked this question, my answer is usually both.
First and foremost, it is important to remember that the transition to IPv6 is inevitable. The last few IPv4 addresses are in the final stages of being allocated.
Cisco has predicted that the Internet will quadruple in size over the next four years, and that there will be 15 billion Internet-connected devices by 2015. While IPv4 only allows for about four billion IP addresses, IPv6 will allow the world's seven billion people to have 15 billion devices each, and still be infinitesimally utilized. Additionally, IPv6 is designed to be more effective in terms of security, reliability and ease of management.
The best part of IPv6 in my opinion, however, is that it will negate the need for Network Address Translation (NAT). While NAT has been an effective fix for the address exhaustion problem that has occurred with IPv4, it is not beneficial from a security standpoint because it allows a single IP address to be used for a multitude of devices.
This grouping of devices behind a single address enables cyber attackers to essentially hide behind it, preventing those tracking them from being able to pinpoint their identity. Because IPv6 offers virtually limitless amounts of IP addresses, every single user and device on the Internet can be uniquely identified, vastly improving security.
The negative side to IPv6 comes not with the protocol itself, but with its slow adoption rate. Today, only a minuscule percentage of Internet traffic is IPv6, and many organizations are hesitant to migrate to the new protocol due to the technology upgrades involved in making the transition. While major technology vendors have long been preparing for the cutover to IPv6, many smaller application providers have not, forcing end-user organizations to replace some of their technology systems in order to make the transition.
Still, waiting around for others to upgrade before you do is not the right approach. All organizations need to at least be developing strategies around when and how they will make the leap to IPv6. Overall, this is a classic case of prepare now or scramble later, and later is coming sooner than most people realize.
Efforts such as World IPv6 Day have been instituted to help encourage the transition. On June 8, 2011, as part of World IPv6 Day, several high-profile organizations tested their websites on IPv6 in preparation for the impending cutover. Early adopters such as Google, Cisco, Facebook and Microsoft are paving the way, but for the Internet to continue functioning properly for everyone, all companies and government organizations need to be on board.
Unfortunately, if the transition to IPv6 is not made in a timely fashion, alternative solutions will prevail, jeopardizing the future security of the Internet.
One proposed method, Large Scale NAT (LSN), a.k.a. Carrier-Grade NAT (CGN), allows for literally thousands of users to share a single IP address (versus a single household or business being allowed to share via traditional NAT). As you can imagine, the security implications would be dire if LSN/CGN experienced widespread adoption.
What to do
So what should you do about it? End users themselves should not have to do much about this if the world's businesses handle the situation appropriately. For businesses, there is really no silver bullet for a smooth transition. The best advice I can give to CIOs and IT administrators is to do your research and become well-educated on IPv6 and its implications for your organization. Figure out exactly what you need to do to transition to the new protocol and begin enacting a plan to make it happen soon.
Here are some specific things to consider when planning the transition to IPv6:
- Do all your desktops and terminals provide IPv6 support?
- If you have some systems that must remain on older operating systems and run IPv4 stacks in the short term, will they need to communicate with systems that will transition to IPv6? If so, will you run a dual stack on these systems allowing IPv4 and IPv6, or will you deploy gateways?
- Do you intend to make your current desktop environment public, or will you retain a NAT gateway to obscure your machines?
- Will your current applications support IPv6? Public-facing servers should likely run a dual stack for IPv4 and IPv6 resolution to provide the best chance of making sure that services are available to the broadest range of users.
- Will your current routing/switching/wireless environment support IPv6? If not, do you simply need a code upgrade or is a hardware refresh involved?
If you are planning to keep portions of your network infrastructure on IPv4:
- Will those systems need to communicate with the IPv6 systems and vice versa?
- Where will gateways/proxies/translators need to be employed?
- Do your existing network monitoring tools have IPv6 visibility? More and more vendors provide this, but not all do. Upgrading to IPv6 may require you to re-examine your monitoring strategies.
- For monitoring, do you have a way to separate IPv4 and IPv6 traffic statistics to ensure that hosts you are expecting to send IPv6 traffic are in fact doing so?
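The last monitoring question above, as an added example (not code from the article or from any vendor product): it splits flow records by address family per host and lists the hosts that were expected to send IPv6 but did not. The inventory, host names, CSV layout and sample flows are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed inventory (assumption): every address each host is known by.
INVENTORY = {
    "web01": ["192.0.2.10", "2001:db8:10::10"],
    "app02": ["192.0.2.20", "2001:db8:10::20"],
    "legacy03": ["192.0.2.30"],
}
EXPECT_IPV6 = {"web01", "app02"}  # hosts already migrated, per the plan

# Constructed flow export (source, destination, bytes); not real traffic.
SAMPLE_FLOWS = """src,dst,bytes
192.0.2.10,198.51.100.7,1200
2001:db8:10::10,2001:db8:ffff::7,5400
192.0.2.20,198.51.100.7,800
192.0.2.30,198.51.100.7,950
::ffff:192.0.2.20,2001:db8:ffff::7,100
"""

def normalize(addr):
    """Return (ip_version, canonical_text) for an address string."""
    ip = ipaddress.ip_address(addr.strip())
    # ::ffff:a.b.c.d is IPv4 written in IPv6 notation; count it as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.version, str(ip)

def bytes_by_family(flow_csv, inventory):
    """Sum bytes sent per inventoried host, split into IPv4 and IPv6."""
    owner = {normalize(a)[1]: host
             for host, addrs in inventory.items() for a in addrs}
    totals = defaultdict(lambda: {4: 0, 6: 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        version, src = normalize(row["src"])
        host = owner.get(src)
        if host is not None:  # ignore sources outside the inventory
            totals[host][version] += int(row["bytes"])
    return {host: dict(t) for host, t in totals.items()}

def silent_on_ipv6(totals, expected):
    """Hosts expected to send IPv6 that sent none in this sample."""
    return sorted(h for h in expected if totals.get(h, {}).get(6, 0) == 0)

if __name__ == "__main__":
    print(silent_on_ipv6(bytes_by_family(SAMPLE_FLOWS, INVENTORY), EXPECT_IPV6))
```

Only the source side of each flow is counted, so a host that receives IPv6 but never sends it is still reported.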
In addition to having to upgrade some of their systems, many organizations also worry about not knowing how their infrastructure will behave once the new protocol is in place. While this is a valid concern, it is still not a good reason to ignore the fact that IPv6 is coming and there are technologies out there that can help alleviate this issue.
For example, flow-based network monitoring and anomaly detection solutions that support both IPv4 and IPv6 can show IT administrators exactly what is going on inside their network at any given time.
[Editor's Note: Lancope sells flow-based network monitoring and anomaly detection solutions.]
These types of technologies can answer questions surrounding how network devices and applications are behaving before, during and after the transition, helping to mitigate any anomalies that arise before they become a serious issue.
For companies that have not yet been considering their switch to IPv6, the bad news is that it has to start happening now. The good news is that you are not alone, and that this is something every company around the world will need to undertake in the very near future. Many companies have already begun laying the groundwork, and there are plenty of resources, experts and technologies out there to help ease the transition.
As the leader of Lancope's product management team, Joe Yeager is responsible for the innovation and advancement of the six StealthWatch product lines. Prior to Lancope, Yeager was a Product Manager for HP in its Application Security Center division where he oversaw WebInspect, an industry-leading Web application security solution. At HP, Yeager successfully brought large-scale product releases to market. Yeager holds a B.S. in Computer Science from the Georgia Institute of Technology.