Qualys Blog

www.qualys.com
wkandek

IPv6 Implementation Series

This is the first in a series of posts discussing IPv6 implementation strategies, challenges and security issues.

Internet Lore has it that in 1977 when the Internet was initially designed, several options were on the table regarding the quantity of devices it should support: 32 bits, 64 bits or even a variable number of bits. When the discussions did not come to an end, Vint Cerf made an executive decision to go with 32 bits believing that the resulting 4 billion Internet Protocol (IP) addresses would be sufficient for, at least, the planned proof-of-concept.

Today, about 35 years later, we have reached a point where we are rapidly running out of available IP addresses. For the past 10 years, we have engineered our way around the predictable scarcity and slowed down the allocation of new addresses through mechanisms such as variable subnetting and Network Address Translation. Nevertheless, in early 2011, the Internet Corporation for Assigned Names and Numbers (ICANN) allocated the last available IP address blocks to the five Regional Internet Registries (AfriNIC, APNIC, ARIN, LACNIC and RIPE), and we are now officially in IP scarcity mode, with Asia Pacific working with its last network block, and Europe very close to it.

ip_exhaustion_org.png

A technical solution to the problem is arriving through a new version of the protocol: IPv6 is the replacement for the current IP (IPv4) implementation and provides a much larger address space by using 128 bit addresses. It has been been under development for the last 12 years and is included as a standard component in modern operating systems and networking equipment.

But today IPv4 is still the dominant networking technology carrying over 98% of the Internet’s traffic. And while IPv6 is expected to gain strength rapidly within the next few years, it will take a number of years to surpass IPv4, giving us a lengthy transition period during which organizations can decide how and when to implement IPv6.

ipv6_deployment_plans.png

Wherever you stand regarding IPv6, one thing you should not do is ignore it. After all, you may already be running IPv6 at least sometimes, even unknowingly accept potential security holes. Your corporate laptops may be participating in IPv6 networks, configured automatically as they leave your managed network and enter public or home networks. Both Windows 7 and Mac OS X, left in their default configurations, will automatically request and configure both IPv4 and IPv6 addresses (dual stack mode) and will usually default to using IPv6 whenever possible. This can happen easily in public networks and even at home where many ISPs (in my local area AT&T and Comcast, for example) have started to support dual-stack networks.

To get to know IPv6, we suggest you start researching pilot projects now and have your IT administrators get their feet wet with this new technology. Building a basic IPv6 network is straightforward, but accounting for all network tools in use within your organization and verifying their IPv6 readiness is still a challenging project that will require much due diligence.

Stay tuned to this space for more on IPv6 and visit my discussion thread on the Qualys Community on IPv6 implementations to share your thoughts and questions on this topic.

Leave a Reply