How to prepare for IPv6 Networking
BY ED TITTEL AND JEFF CARRELL
The TCP/IP protocols that drive the Internet have been available in two different
versions since the mid-1990s. The network protocol known as Internet Protocol,
or IP, that helps name TCP/IP, comes in a 32-bit flavor known as IPv4, and a
128-bit flavor known as IPv6. Though IPv6 traces its roots back to work undertaken at
the Internet Engineering Task Force (IETF) as far back as 1994, it has only begun
to register with internet service providers (ISPs) and major network users with
some urgency in the past few years.
Because it uses 32-bit addresses, IPv4 has serious issues today. The maximum number of addresses that
a 32-bit value can represent is around 4.3 billion. By the time various reservations for loopback, private
IP addresses, multicasts, and experimental uses are removed, somewhat over 3.9 billion public IP
addresses remain for allocation. As of February 2011, the Internet Assigned Numbers Authority (IANA)
had allocated all remaining public IP address ranges to the five global regional Internet registries. A
quick look at this IPv4 Exhaustion Counter below shows a total of 13.24 /8 (8-bit) IPv4 address ranges
remaining, for a total of less than 3,400 remaining unallocated IPv4 addresses. Essentially, this means
IPv4 is played out.
Figure 1: The iNetCore Exhaustion Counter
ReadWriteWeb | How to Prepare for IPv6 Networking | 1
By contrast, with a 128-bit address space, IPv6 creates a completely different universe. The total
maximum addresses available is on the order of 3.4 × 10^38 addresses (that is 34 undecillion, in US
numbers). The IPv6 address space is roughly 8 × 10^27 times larger than the IPv4 address space. The best way
to really understand what this means is to ponder the typical IPv6 address allocation from an ISP to a
customer for networking use. Customers are usually granted a /64 address, which means a single entity
gets 4.3 billion times as many addresses as occur in the entire IPv4 address space.
There’s More to IPv6 Than Oodles of Addresses
Beyond an extremely large address space, IPv6 brings numerous other advantages to networks that
use this protocol stack, and the many services it supports. These include the following:
• A redesigned IP header format that moves non-essential and optional elements into so-called
extension headers that follow the IPv6 header. The resulting streamlined IPv6 header is more
compact, and faster and easier to process as it’s routed from sender to receiver.
• Efficient, hierarchical addressing and routing: rework of IPv4 into Classless Interdomain Routing
(aka CIDR) taught networking engineers how to organize and orchestrate addressing and routing
information. IPv6 incorporates all of this into its base design.
• Multiple auto-addressing and address configuration methods, including DHCPv6 and
automated link-local addressing. Local hosts can always automatically configure themselves for
local communication quickly and easily (the same is not true for Internet access).
• Improved security comes from built-in support for IP Security (aka IPsec) in IPv6. IPv6 incorporates
security header extensions for encryption, authentication, and VPNs, and uses IPsec from end to
end. Though IPsec remains optional in IPv6, it is much easier to use.
• Better routing technologies. Support for a Flow Label field in the IPv6 header makes it easier to
route and manage IPv6 networks, to impose priority or quality of service regimes on network flows,
and to use sophisticated routing and high-speed packet delivery services through the cloud (MPLS).
• Better Neighbor Discovery protocols for IPv6 replace the broadcast Address Resolution Protocol,
along with ICMPv4 Router Discovery and ICMPv4 Redirect messages. They use efficient multicast,
anycast, and unicast messages for neighbor discovery and route info.
• No more NAT (network address translation) is needed — though IPv6 proxies may be a good idea
to maintain anonymity and opacity — because sufficient IPv6 addresses for all conceivable uses
eliminate the need for address translation services.
WHY ISN’T EVERYBODY ALREADY USING IPV6?
IPv6 hasn’t exactly lit the world on fire, and people are still sticking to IPv4 addresses. Why haven’t
they switched? There are a lot of reasons, some of which relate to services available, some to networking
hardware components and infrastructures, and some to necessary changes to important applications
and services to enable end-to-end use of IPv6. Let’s examine each of these parts in turn, to explain
where there might be hold-ups or other impediments in the way.
LACK OF NATIVE IPV6 INTERNET ACCESS
IPv4 and IPv6 are not interoperable, and in fact, require different protocol stack software to work
properly on networking hardware (including Layer 3 switches, routers, and firewalls), as well as
on servers and client devices that usually act as the end-points for Internet or private network
interactions. ISPs must add IPv6 support to existing IPv4 capabilities, and be able to support both
protocols indefinitely (this is usually called a “dual-stack” approach to IPv4 and IPv6).
Recent surveys of ISPs that support (or plan to support) IPv6 break down roughly like this:
• One-third of ISPs already support IPv6.
• Up to 85 percent of all ISPs plan to support IPv6 by the end of 2012, so somewhere around 50
percent are “getting ready” to go with IPv6. In the USA, for example, major ISPs such as Sprint,
Comcast, AT&T, Time-Warner, and Verizon have pilot or partial deployments of IPv6. Most of them
offer native, dual-stack services for enterprise and US government customers already (thanks in
large part to federal mandates for IPv6 support to supply Internet services to US government
agencies and workers).
• The remaining 15-25 percent plan to support IPv6 in 2013 or later.
A recent article by Steven J. Vaughan-Nichols entitled “Hurricane Electric takes its IPv6 expertise to the
datacenter” makes the key point that datacenters create and use hundreds to thousands of virtual
machines at a time, and all of these VMs need IP addresses. As more and more new VMs are created,
data centers will have increasing needs for IPv6 addresses for them to use, with all that this entails. The
day of IPv6 reckoning may therefore be closer than some may think for many organizations, for this
reason.
IPV6 CAPABLE NETWORKING INFRASTRUCTURES NEEDED
Aside from whether or not external ISP links can accommodate IPv6, internal network infrastructures
must also be able to handle IPv6. For companies and organizations that purchase enterprise-class
networking gear — including routers, firewalls, Layer 3 switches, and other networking
appliances of all kinds (WAN optimization, spam filters, anti-malware devices, content filters, and
so forth) — IPv6 support is more often present than absent. For SOHO or SMB gear, however, some
research and testing may be needed to determine what’s what.
But on networks not already configured for IPv6, some work will be needed to enable IPv6 on
networking gear, then to configure it properly, and to test that it’s working properly. Routers
will need IPv6 enabled, and must be tested to make sure IPv6 routing protocols are working properly.
Layer 3 switches will need to have IPv6 VLANs set up and configured. And finally, firewalls will require
turning on IPv6 packet forwarding, and rules or filters established for what kinds of IPv6 traffic (and
addresses, states, and so forth) to allow and deny. Certain IPv6-based services will also be essential to
proper IPv6 network function, particularly DHCPv6 to assign and manage IPv6 network addresses, and
DNSv6, to resolve IPv6-based name lookups so that clients may use domain names to make Internet
service connections.
At SMB organizations, adding IPv6 support may involve replacing some networking equipment —
particularly switches, routers, firewalls, and so-called “combo devices” that often integrate all of these
functions into a single appliance. If there aren’t any IPv6 entries in the configuration menus for the gear
you’ve got, and the manuals don’t describe how to enable and configure IPv6 networking, odds are
that you will have to replace some or all of your current equipment with newer, IPv6-capable devices
instead, or at least update to newer firmware, if that firmware supports IPv6.
UPGRADE AND ENABLE KEY NETWORK SERVICES FOR IPV6: DHCP, DNS, E-MAIL, AND MORE
To make effective use of IPv6, the network infrastructure must itself be upgraded to provide IPv6
support. At a minimum, this means some kind of IPv6 addressing scheme must be designed and
implemented. Although DHCPv6 isn’t required to supply network interfaces with IPv6 addresses, it is
enough like the IPv4 version for network administrators to understand how to install and use it both
easily and readily. This addresses the need for clients to obtain IPv6 addresses that they can then use
for IPv6 communications and network access.
Likewise, support for the Domain Name Service (DNS) is as important for IPv6 users as it is for IPv4
users. Network administrators will need to investigate current DNS services to see if they can be
enabled, extended or upgraded to add DNSv6 support. For smaller organizations, this often consists
of confirming that an ISP (or other providers of DNS services, such as OpenDNS) can deliver DNSv6
services, and then providing the proper IP addresses for primary and secondary DNS servers in the
various configuration contexts where such information is needed.
Then there’s the application and services universe to consider as well, including email and Web servers.
Certainly, as a core information service for organizations, e-mail services will need to be extended to
support IPv6. In many cases, current software versions may support IPv6 and, as with other elements
we’ve already explored, IPv6 needs to be enabled, configured, and tested for proper operation. In
most cases, older SMTP, POP3, or IMAP services need upgrades or replacements to make IPv6 support
possible. But the beauty of a dual-stack environment is that both IPv4 and IPv6 can coexist peacefully
and harmoniously, and users can employ whichever stack works best for them.
Case Study: A Sample SMB IPv6 Set-up Scenario
Without going into all of the details involved in set-up and configuration, let’s review a recent case of
converting a small company from IPv4-only to dual-stack IPv4/IPv6 networking, showing how it was
done, the time it took, and the issues dealt with along the way. We consider a network that enabled
Windows 7 clients to run in dual-stack mode, with IPv6 used when available, and IPv4 otherwise.
Total expenditures involved were around $2,000 to replace an older (Rev A) D-Link DIR-655 combo
device (firewall, single WAN port, 4-port GbE switch, and wireless access point with RevA3 firmware)
with a Fortinet Fortigate 80C device (firewall, gateway, 6-port GbE switch, dual WAN ports with
comprehensive and complete IPv6 support).
STEP 1: SOLVE THE ISP BARRIER (ONE HOUR)
Because local native IPv6 ISP service was not available from the company’s chosen ISP, a tunnel-based
approach was set up with well-known IPv6 service provider Hurricane Electric (HE) as part of the
overall solution. HE offers a free IPv6 Tunnel Broker solution that supports native IPv6 Internet access
by tunneling over IPv4 connections through a non-native IPv6 ISP from an in-house IPv6 enabled host
computer or boundary device to an HE IPv6 router.
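
The tunnel described above carries each IPv6 packet inside an ordinary IPv4 packet; Hurricane Electric's tunnel broker uses 6in4 encapsulation (IP protocol 41, RFC 4213), so an IPv4-only filter sees a single opaque flow and IPv6 rules have to be applied where the tunnel terminates. The following is an added example, not part of the original paper, that parses such a packet to expose the inner IPv6 flow; the addresses are constructed documentation-range values and the function names are hypothetical.

```python
import ipaddress
import struct

PROTO_6IN4 = 41      # IANA protocol number for IPv6 carried in IPv4 (RFC 4213)
NO_NEXT_HEADER = 59  # IPv6 "no next header", used for the empty sample payload


def build_6in4(v4_src, v4_dst, v6_src, v6_dst, payload=b""):
    """Build a constructed sample: outer IPv4 header + inner IPv6 header."""
    inner = struct.pack("!IHBB", 6 << 28, len(payload), NO_NEXT_HEADER, 64)
    inner += ipaddress.IPv6Address(v6_src).packed
    inner += ipaddress.IPv6Address(v6_dst).packed + payload
    outer = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(inner), 0, 0, 64, PROTO_6IN4,
        0,  # header checksum left at zero in this constructed sample
        ipaddress.IPv4Address(v4_src).packed,
        ipaddress.IPv4Address(v4_dst).packed,
    )
    return outer + inner


def inspect_6in4(packet):
    """Return the inner IPv6 flow of a 6in4 packet, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # outer IPv4 header length in bytes
    if ihl < 20 or packet[9] != PROTO_6IN4:
        return None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None  # truncated, or the payload is not really IPv6
    return {
        "tunnel": (str(ipaddress.IPv4Address(packet[12:16])),
                   str(ipaddress.IPv4Address(packet[16:20]))),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": inner[6],
    }


# Constructed sample packet: local tunnel endpoint to broker, LAN host to web host.
SAMPLE = build_6in4("192.0.2.10", "198.51.100.1",
                    "2001:db8:1::10", "2001:db8:2::80")
```
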
Though tunneling does impose a performance impact, HE routers are extremely fast and efficient.
And because the company peers with major backbone providers at its datacenters, we didn’t notice
any perceptible slowdowns when comparing Internet interactions with dual-stack services for
IPv6 as compared to using IPv4 instead. So far, users at the company have noticed no change in
Internet behavior or performance, even though they’re using IPv6 for up to 35% of their network
communications, according to our traffic analyses.
STEP 2: MAKE THE NETWORK IPV6-READY (THREE HOURS)
Once we replaced the D-Link boundary device with the Fortinet Fortigate 80C, we simply had to
enable IPv6 on that device, and set up protocol filters for HTTP/HTTPS, SMTP, POP3, remote access, and
ICMP, then set up the HE tunnel broker. We were immediately able to use IPv6 on devices attached
directly to the Fortinet box through one of the switch ports. The total time and effort involved was
under two hours, including a mix of GUI/Web and command-line-based setup and configuration
activities on the Fortinet device.
The next step was to configure our HP/3COM Layer 3 switches to support IPv6 VLANs to set up the
switched equivalent of subnets on these devices.
STEP 3: CREATING AN IPV6 FRIENDLY ENVIRONMENT (ONE HOUR-PLUS)
Configuring the HE tunnel broker automatically handled the DNS issue: we simply linked to HE’s DNS
servers which run dual-stack and resolve IPv4 and IPv6 name resolution requests. In other cases, we’ve
found that configuring Microsoft or BIND DNS for IPv6 takes some study and preparation, but that the
actual activity usually takes less than 15 minutes to complete. The first time can be challenging but it
gets progressively easier after that.
The Fortinet Fortigate 80C includes a simple DHCPv6 server as part of its IPv6 configuration options.
We needed only to provide it with a suitable address range for assignment, and to note static address
assignments for servers, routers, switches, and so forth, and address management was good to go.
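
The addressing scheme called for earlier, and the DHCPv6 range and static assignments described here, can be worked out before touching any device. This is an added example, not from the original paper: it assumes a routed /48 (a constructed documentation-range prefix), hypothetical VLAN IDs and host names, and an assumed pool range of ::1000 to ::1fff in each /64.

```python
import ipaddress

# Constructed sample: a /48 from the 2001:db8::/32 documentation range stands
# in for the routed prefix delegated by an ISP or tunnel broker.
ROUTED_PREFIX = ipaddress.ip_network("2001:db8:abcd::/48")
POOL_START, POOL_END = 0x1000, 0x1FFF  # assumed DHCPv6 range within each /64
# Hypothetical VLAN IDs mapped to the hosts that need static addresses.
VLANS = {10: ["gateway", "mail", "web"], 20: ["gateway"]}


def plan_vlan(prefix, vlan_id, static_hosts):
    """Return (subnet, static assignments, DHCPv6 pool) for one VLAN."""
    subnet_bits = 64 - prefix.prefixlen
    if subnet_bits < 0 or not 0 <= vlan_id < 2 ** subnet_bits:
        raise ValueError(f"VLAN {vlan_id} does not fit in {prefix}")
    # The VLAN ID becomes the subnet field: VLAN 20 -> ...:14::/64 (0x14).
    base = int(prefix.network_address) + (vlan_id << 64)
    subnet = ipaddress.IPv6Network((base, 64))
    pool = (ipaddress.IPv6Address(base + POOL_START),
            ipaddress.IPv6Address(base + POOL_END))
    statics = {}
    for offset, name in enumerate(static_hosts, start=1):
        addr = ipaddress.IPv6Address(base + offset)
        if pool[0] <= addr <= pool[1]:
            raise ValueError(f"{name} would collide with the DHCPv6 pool")
        statics[name] = addr
    return subnet, statics, pool


def build_plan(prefix, vlans):
    """Plan every VLAN; each entry holds its /64, statics and pool."""
    plan = {}
    for vlan_id, hosts in vlans.items():
        subnet, statics, pool = plan_vlan(prefix, vlan_id, hosts)
        plan[vlan_id] = {"subnet": subnet, "static": statics, "pool": pool}
    return plan


PLAN = build_plan(ROUTED_PREFIX, VLANS)
```

Keeping static addresses outside the DHCPv6 pool means firewall rules can name servers by fixed address; a single /64 allocation leaves room for only one such subnet, which `plan_vlan` reports as an error for any other VLAN ID.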
Finally, we also modified an Exchange Server 2010 to enable IPv6 support. All of the IPv6 related issues
and details are completely explained and illustrated in the TechNet article Understanding IPv6 Support
in Exchange 2010, so this proved relatively easy and straightforward. IIS 7 supports IPv6 as-is unless
you’ve turned off IPv6 features on the servers on which it runs, though it is necessary to download FTP
for IIS 7.0 if you want to support IPv6 FTP connections for IIS (see this SoftLayer forum post for details).
Depending on your installation, this could take an hour or more.
Time to Take the IPv6 Plunge!
When it comes to pursuing IPv6 deployment for your own networks, you’ll want to undertake a
specific series of tasks. Inside your network, you’ll need to research the level of IPv6 support that is
present on every device attached to your network. It’s a good idea to set up a test lab that’s as close
to your production environment as time and money will allow, so you can document changes and
the migration process independently, acquire needed upgrades and replacements, and deploy when
you’ve got a sure-fire working set of equipment, software, and migration scripts or how-tos.
In dealing with obtaining IPv6 from an ISP, you’ll want to contact them and inquire about IPv6
availability (or scheduled dates for turning native IPv6 access on). You’ll want to ask specifically how
they will support IPv6 when it does become available, particularly if this means upgrading CPE
software or replacing your current CPE device itself. In the meantime, you, too, can set up a tunnel to
Hurricane Electric.
For organizations that contract Web, e-mail, DNS, and other services hosting to third parties, you’ll
want to find out about their current or planned support for IPv6. In some cases, what you learn may
also require making some changes to bring your organization into the IPv6 fold.
Ed Tittel and Jeff Carrell are both longtime computing industry veterans, former Novell employees, and
co-authors (with Laura Chappell) of a college textbook entitled Guide To TCP/IP, 4e (Course Technology,
2012, ISBN: 978-11330-1986-2). Jeff develops and delivers training on HP network switches and routers, and
teaches hands-on IPv6 labs for SharkFest and all kinds of IPv6 task forces and organizations. Ed makes his
living as a freelance writer and researcher. Together, they operate IPv6NetworkPros.com, an IPv6 portal that
includes a virtual IPv6 training lab, IPv6 content and information, and pointers to most imaginable kinds of
IPv6 resources.