What happened to IPv5? and other oft asked IPv6 questions

The Internet Society, IPv6 and You
Susan Estrada
Is the Internet about to run out of IP
address numbers?
• Yes and no. For the version of the Internet Protocol that underpins
the Internet today (IPv4) there is a limited amount of unused space
remaining. While estimates vary, based on recent trends it is
anticipated that the current pool of unallocated IPv4 addresses will
be consumed sometime around 2010 - 2011.
However, an enormous amount of IP address space exists under
IPv6. IPv6, in fact, was specifically designed to fix the address
limitations of IPv4. IPv6 addresses have been available for
allocation since 1999 and the RIRs, ICANN, ISOC and others are
encouraging network operators to apply for IPv6 addresses and
implement IPv6 in their networks. Refer to the following
announcements from:
AfriNIC
APNIC
ARIN
LACNIC
What is IPv6?
• IPv6 is the new version of the Internet
address protocol that has been developed
to supplement (and eventually replace) IPv4, the
version that underpins the Internet today.
What happened to IPv5?
• Version 5 of the IP family was an experimental
protocol developed in the 1980s. IPv5 (also
called the Internet Stream Protocol) was never
widely deployed. Since the number 5 was
already allocated, this number was not
considered for the successor to IPv4. Several
proposals were suggested as the IPv4
successor, and each was assigned a number. In
the end, it happened that the one with version
number 6 was selected.
How does IPv6 solve the problem
of IPv4 address exhaustion?
• Simply by having a lot more address space to uniquely identify
devices that are connected to the Internet. IPv4 has a theoretical
maximum of about 4 billion addresses whereas IPv6 has an
unthinkable theoretical maximum: about 340 trillion, trillion, trillion
addresses. In actual use, IPv6 addresses are structured for routing
and other purposes and as a result the number of addresses
available is effectively less, but still extremely large.
For the end user, the large amount of IPv6 address space means:
Home users will generally be given blocks of addresses sufficient to
number multiple networks and thousands of devices. (In contrast,
under IPv4, home users today typically get a single address.)
Enterprises and small businesses will generally be given enough to
number a substantial number of networks and tens of thousands of
devices; while larger sites will get significantly more.
What happens when the IPv4 address
pool is finally depleted?
• Existing devices and networks connected to the Internet
through IPv4 addresses will continue to work as they do
now. In fact, IPv4-based networks are expected to coexist with IPv6-based networks at the same time.
However, for network operators and other entities that
rely on Internet numbering allocations, it will become
increasingly difficult and expensive (and eventually
prohibitively so) to obtain new IPv4 address space to
grow their networks. The cost and complexity associated
with keeping track of and managing remaining IPv4
address space efficiently will also increase.
Therefore, network operators and enterprises will
need to implement IPv6 in order to ensure long-term
network growth and global connectivity.
Network Address Translation devices (NATs) allow many
computers to use the same IPv4 address. Won’t more
NATs solve everything?
• No. Deploying more NATs is not an adequate long-term solution.
NATs can work reasonably well for certain applications, such as
allowing multiple users in a small office or home network to access
simple Web pages or mail services. Computers that sit behind NATs,
however, do not have true end-to-end Internet connectivity. NATs
complicate many “real time” and innovative Internet applications,
such as Internet telephony and multimedia distribution. This can be
particularly problematic for large corporate networks and users that
want to run sophisticated applications, and also for those who are
developing new applications. In addition, diagnosing and fixing
problems on a network full of NATs is generally much harder than on
a network without them.
Furthermore, as the difficulty of obtaining IPv4 address space
increases, it is inevitable that some sites will only support IPv6. IPv6,
therefore, will be required to ensure global connectivity.
But won’t we still need NATs for
security?
• No. All the security features provided in an
IPv4 NAT box can be provided by an IPv6
router with firewall capabilities, without the
need to modify the address.
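The point above, as an added sketch that is not part of the original slides: a toy stateful forwarding filter in Python that gives inside hosts the default-deny inbound behaviour usually credited to NAT, while handing every packet back with its addresses untouched. The class and function names, the `2001:db8::/32` documentation addresses and the ports are all constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

def _ip(addr):
    # Normalise textual forms so "2001:db8::1" and "2001:0db8:0::1" compare equal.
    return ipaddress.IPv6Address(addr)

class StatefulV6Firewall:
    """Hypothetical model: outbound allowed, inbound default-deny, no rewriting."""
    def __init__(self, inside_prefix, published=()):
        self.inside = ipaddress.IPv6Network(inside_prefix)
        self.published = {(_ip(a), p) for a, p in published}  # deliberately exposed
        self.flows = set()                                    # connection state table

    def forward(self, pkt):
        """Return (verdict, packet); the packet object is never modified."""
        src, dst = _ip(pkt.src), _ip(pkt.dst)
        src_in, dst_in = src in self.inside, dst in self.inside
        if src_in and not dst_in:
            # Outbound: remember the flow so the reply can come back.
            self.flows.add((src, pkt.sport, dst, pkt.dport))
            return "accept", pkt
        if dst_in and not src_in:
            if (dst, pkt.dport, src, pkt.sport) in self.flows:
                return "accept", pkt          # reply to an inside-initiated flow
            if (dst, pkt.dport) in self.published:
                return "accept", pkt          # service the operator chose to expose
            return "drop", pkt                # unsolicited inbound
        return "drop", pkt                    # not transit traffic for this router

def demo():
    # Constructed addresses from the 2001:db8::/32 documentation range.
    server = "2001:db8:1:20::80"
    fw = StatefulV6Firewall("2001:db8:1::/48", published=[(server, 443)])
    host, peer = "2001:db8:1:10::25", "2001:db8:ffff::1"
    steps = [
        Packet(peer, 443, host, 50000),    # inbound before any outbound: drop
        Packet(host, 50000, peer, 443),    # inside host opens a connection
        Packet(peer, 443, host, 50000),    # the reply now matches state
        Packet(peer, 40000, host, 22),     # unsolicited inbound to another port
        Packet(peer, 40001, server, 443),  # published service
    ]
    return [fw.forward(p) for p in steps]
```

A production IPv6 ruleset also has to pass essential ICMPv6 (for example Packet Too Big), which this model leaves out.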
Are there other advantages to IPv6
besides increased address space?
• The main advantage of IPv6 is that it
provides much more address space. Being
a more recent protocol, IPv6 does have a
few design improvements over IPv4,
particularly in the areas of
autoconfiguration, mobility, and
extensibility. However, increased address
space is the main benefit of IPv6.
I've heard some people say IPv6 is more secure than IPv4,
while others say it is less secure than IPv4. What is this
about?
• Debates concerning IPv4 versus IPv6 security often focus on different aspects of network deployment.
It has been said that IPv6 supports improved security because the specifications mandate the inclusion of the IP
Security (IPsec) suite of protocols in products. In IPv4, including IPsec is optional, but it is commonly available.
Because the IPsec protocol suite is designed to be indifferent to IP versions, the technology works generally the
same way in both IPv4 and IPv6. In this way, the benefits of using IPsec are similar in either environment.
The increased address space provided by IPv6 does eliminate the need to use NAT devices,
which are pervasive in many IPv4 networks. Broadly speaking, security is harder to deploy and troubleshoot when
NATs are present in a network as they disrupt IP layer traceability and therefore security audit trails. In addition,
the address rewriting that NAT performs is considered by some security protocols to be a security violation. Thus,
with the increased address space eliminating the need to use NATs, IPv6 potentially facilitates deployment of end-to-end security.
Many of the IPv6 security issues reported today have to do with vulnerabilities in individual products, not the IPv6
protocol. IPv4 is widely deployed and individual IPv4 products have gone through the recurring cycle of
discovering and fixing security vulnerabilities and other bugs. Because IPv6 products are comparatively new, they
have not benefited from similar experience. Consequently, security vulnerabilities in IPv6 products will need to be
discovered and repaired, just like for other products.
Also, the operational practices built up over many years for IPv4 networks will have to be adapted for IPv6. New
practices will need to be developed for the dual stack IPv4 and IPv6 environment. This will be accelerated as more
network operators deploy IPv6 and continue to exchange information about experience and best practices through
established operators groups, the IETF Operations area, and other forums.
Overall, maintaining network security will continue to be a challenging undertaking in both IPv4 and IPv6 contexts.
Neither protocol provides a simple solution to the complexities associated with securing networks. As with IPv4,
network operators should become educated on IPv6 security practices and keep up-to-date with developments as
they plan for and deploy IPv6.
Is IPv6 ready for deployment now?
• There are three basic aspects involved in the deployment of IPv6: the protocol, the products, and the operational practices.
The IPv6 Protocol
IPv6 has benefited from over 10 years of development within the Internet Engineering Task Force (IETF). The core standards have been
stable for many years and deployed in both research and operational contexts. In addition to the core specifications, IPv6 includes a large
number of individual standards that have a more limited applicability and are only needed in specialised environments. Additional
development work will continue in these areas as new issues are discovered in response to deployment-specific scenarios. Like the
continuing evolution of IPv4, there will always be updates and additions to IPv6 in response to deployment experience. Thus, even though
the core IPv6 specifications are stable, there will continue to be ongoing work on IPv6-related specifications.
IPv6 Products
The core IPv6 specifications are becoming increasingly available as a standard part of products and service offerings. However, not all
products are fully IPv6 capable at this time and some significant upgrade gaps remain, especially in low-end consumer equipment.
Similarly, while many software applications and operating systems (especially in open source code) have already been updated for IPv6,
not all products (including some from major vendors) are fully IPv6 ready. It is best to check with specific vendors on the IPv6 readiness of
their individual products and services. In addition, in-house application software or custom code that interfaces with the network will likely
need updating for IPv6.
IPv6 Operational Practices
Operational practices built up over many years for IPv4 networks will have to be adapted for IPv6. There is growing experience in the
deployment of IPv6 in research networks and R&D projects, while some production networks (primarily in Japan and Korea) have been
running IPv6 for a number of years. IPv6 traffic today, however, remains small in comparison to IPv4. As more network operators deploy
IPv6 and continue to exchange information about experience and best practices through established operators groups, the IETF, and
other forums, the community knowledge level will grow.
In summary, IPv6 is ready for deployment, but additional effort is needed to make its use pervasive. The IETF, equipment
vendors, application developers, network operators and end users all have roles to play in
ensuring the successful widespread deployment of IPv6.
How much will the transition to IPv6
cost?
• Since network needs and businesses differ, IPv6 transition
strategies and related costs will also vary between organisations.
Hardware and software vendors are increasingly integrating IPv6 as
a standard feature in products, allowing organisations to deploy IPv6
as part of routine upgrade cycles. For many organisations,
operational costs, including staff training, and one-time
administrative costs to add IPv6 to management databases and
documentation, are likely to constitute the majority of the cost of
upgrading to IPv6. Organisations that run in-house customised
software will experience additional costs to upgrade these programs
to IPv6, and enterprises that have test/release processes will see a
marginal additional cost for the IPv6 configuration tests.
For end-users, operating systems such as Mac OS X, Windows, and
Linux now incorporate IPv6 within their latest releases and will
automatically use IPv6 if it is available. Applications are expected to
follow as the global demand for IPv6 increases.
I have enough addresses today. Why
should I bother implementing IPv6?
• IPv6 is an important part of ensuring continued growth and
accessibility of your services to the rest of the Internet and emerging
markets in particular. As the Internet progressively becomes a
dual IPv4/IPv6 network, ensuring that you are IPv6 enabled will
be critical for retaining universal Internet connectivity for your
clients, users, and subscribers, business partners and
suppliers. Indeed, as the difficulty and cost of obtaining IPv4
address space increases, it is inevitable that some sites will only
support IPv6. Connectivity with such sites (and customers) will
require IPv6.
It is also worth considering what services and devices may need to
be supported over the next few years as the remaining IPv4 pool
becomes depleted. Your existing address allocations may be
insufficient to support a sudden increase in the number of connected
devices per person (as many organisations experienced with the
rapid deployment of IP-enabled wireless handheld products and
similar devices a few years ago).
Is there a specific date when everything
needs to be upgraded to IPv6?
• No. There is no specific date when everything must be upgraded to
IPv6 (although some organisations, including governments, have
already identified target dates for their own IPv6 implementation).
IPv6 and its transition mechanisms have been designed for a long
period of co-existence with IPv4 and it is expected that IPv4-only
systems and applications will survive for many years. However,
IPv6-only systems are expected to arise and many of these
users are likely to be in emerging business markets and
developing countries.
Implementing IPv6 requires planning and with IPv4 address pool
exhaustion expected around 2010-2011, planning needs to start
now. Network operators and administrators should already be
incorporating IPv6 into their network upgrade and procurement
plans.
When will I need to turn off IPv4?
• Possibly never. The purpose of deploying IPv6 is to ensure network growth
and continued interconnectivity when IPv4 address space becomes
depleted and difficult to obtain. In addition, as the global Internet continues
to expand, it is likely that some Internet sites will only be available via IPv6.
To avoid problems, one should be fully IPv6-enabled by the time IPv6-only
sites start appearing. However, in practice, it is only the public (or user)
facing part of an enterprise's infrastructure that needs to be IPv6 enabled at
the outset. The back-end infrastructure - which users do not interact with
directly - can continue to be based entirely on IPv4, so long as that is the
most cost-effective approach. (Enterprises may determine that it is more
cost-effective to progressively turn off IPv4 in parts of their network once it is
no longer needed or in significant use.)
One should expect, however, that it might never be cost-effective (or
possible) to upgrade certain legacy systems. Thus, it will likely be a decade
or more before enterprise sites find themselves in a position to consider
completely turning off IPv4. In practice, there is no need to turn it off so long
as IPv4-only applications still remain in use.
I run an ISP with a block of IPv4 address space.
Can I just convert that into IPv6 space?
• You will need to obtain new IPv6 addresses in addition to your
existing IPv4 address blocks. IPv4 address space that you have
today can still be used in a dual IPv4-IPv6 environment. The RIRs
all have policies that make it straightforward for an ISP with IPv4
space to apply for and receive IPv6 address space. You should
contact the RIR for your region or your ISP for more information
on how to acquire IPv6 addresses.
It may also be a good idea to use this opportunity to redesign your
addressing plan, taking advantage of the greater flexibility of IPv6 to
assign subscriber address blocks more optimally. Similarly,
customer sites may use IPv6 as an opportunity to redesign and
optimise their internal addressing plan. However, it may be possible
to re-use an existing subnet addressing plan within the new IPv6
block, if that is preferred.
I run IT services. What should I be
doing now to get ready?
• Plan for IPv6 as you would for any major service upgrade.
Do an audit of your current IPv6 capabilities and readiness. Assess the level
of IPv6 technical knowledge within your staff and make plans for staff
development and training that will support IPv6 implementation.
Think about which of your services will lose business if they are only
accessible to IPv4-users and make them a priority for IPv6 capability. For
example, you may plan to implement an IPv6-enabled front-end Web server
immediately, before converting your internal network.
Remove obstacles to enabling IPv6 including identifying any legacy systems
that cannot be upgraded, and choose a solution for them (most likely, the
solution will be an application level proxy that can support both IPv4 and
IPv6 for the remaining lifetime of that system). Plan upgrades and
purchases so that you don’t find yourself needing to deploy and enable IPv6
but discover at a late stage that you are not ready because a key system
dependency is not IPv6 capable.
Contact your vendors to find out about IPv6 support in their current products
and future releases and ask your ISP about their plans to support IPv6.
ISOC is looking at IPv6 education
• HELP!
• http://www.isoc.org/educpillar/resources/ipv6_faq.shtml
• Leslie Daigle at ISOC
– daigle@isoc.org
• Susan Estrada at Aldea
– susan@aldea.com