IPv6: a hero to save the Internet?
No one likes change, but there are compelling reasons why Internet market leaders are leading the migration to the latest iteration of the 'great enabler' Internet Protocol.
This year saw a significant turning point in the history of the Internet, albeit one which very few of its users will actually notice. On 6 June 2012, some of the biggest Internet companies in the world, including Facebook, Google and Microsoft, integrated permanent support for the 'super protocol' Internet Protocol version six (IPv6) addressing scheme into their websites, as opposed to the limited test access they had run previously, while telecommunications hardware manufacturers will turn on IPv6 connectivity by default in the broadband routers they sell to businesses and homes around the world. The transition is a major achievement by the Internet Engineering Task Force (IETF) and its partners, given the scale of the challenge; but some thorny issues will need to be overcome as IPv6 establishes itself.
IPv6 is needed because the Internet is about to run out of the IPv4 addresses that more than 99 per cent of online users employ to connect to the Web. The 32-bit numbering scheme that forms the basis of IPv4 means only 4.3 billion addresses are mathematically possible, almost all of which have already been allocated.
The Internet Assigned Numbers Authority (IANA) allocated the last of its IPv4 address blocks to the five Regional Internet Registries in February 2011, each containing 16.8 million addresses. According to the IPv4 Exhaustion Counter, an online resource compiled and maintained by the chief scientist at the Asia Pacific Network Information Centre (APNIC – one of the five RIRs), Europe's Réseaux IP Européens (RIPE) registry will exhaust its remaining allocation in July/August 2012, while the US RIR (ARIN) will run out in 2013, and African and Latin American RIRs in 2014. IPv6 has no such numerical limitations – by using 128-bit rather than 32-bit numbers, it offers more than 340 undecillion addresses or 3.4 × 10^38 – an almost limitless amount which should be sufficiently large to accommodate all the people and devices expected to connect to the Internet for tens or even hundreds of years.
So: job done? Super IPv6 to the rescue? Can Internet users now breathe a sigh of relief?
Not quite. To start with, although support for IPv6 has been built into central telecoms and data network switches for over a decade, with computer operating systems and software applications catching up since 2007, only a small percentage of people are actually using it to date, despite campaigns to encourage awareness and adoption.
According to US Internet service provider Comcast, less than 1 per cent of subdomains now have IPv6-enabled Web servers, while Google figures suggest that the number of users accessing its services over IPv6 was running at 0.72 per cent as of 3 June 2012.
Those numbers could rise dramatically in the next few years, with research company Gartner predicting that 17 per cent of global Internet users will connect using IPv6 by 2015. On top of that, 95 per cent of all Web content is expected to be at least reachable (if not accessed) by IPv6 subscribers by 2016, according to research firm IDC.
Alongside Facebook, Google, and Microsoft, other companies participating in the world IPv6 launch include content providers like the BBC and YouTube, as well as content delivery network (CDN) companies Akamai and Limelight. The 400 plus names signed up to the initiative also include telcos and Internet service providers (ISPs) like AOL, AT&T, Comcast, Verizon and Yahoo, which play a key role in advancing IPv6 usage by encouraging their consumer and business subscribers to connect using the protocol.
Telcos and ISPs instrumental
Theoretically at least, those telcos, mobile operators and ISPs have more reason to upgrade, as they generally handle the highest numbers of new subscribers and devices. Most have been running dual-stack IPv4/IPv6 connectivity for some time, essentially allowing IPv4 traffic to flow over IPv6 network backbones, or offering native IPv6 connectivity on a limited basis to certain sections of their customer base.
The wide use of carrier grade (CGN) or large scale (LSN) network address translation (NAT) has seen residential networks configured with private network addresses which are then translated to public IPv4 addresses in the telco's network, for example. But the fact that some customer connections consequently pass through three different IPv4 addressing domains – at the customer premise, the carrier network and the public Internet – leads to inherent security, scalability and reliability issues.
In a recent white paper sponsored by telecommunications network equipment vendor Cisco Systems, IDC research manager for telecom business services, Nav Chander, noted that, whilst most network operators recognise the need for IPv6 migration and have already enabled their aggregation and core networks for IPv6 transit, the customer premise equipment (CPE) and access network part of the infrastructure remains "difficult and costly to upgrade".
That cost is one reason why no telco or ISP is actively pushing anybody to turn on IPv6 connectivity in their private networks, though a few have applied gentle nudges by offering IPv6 consultancy and end-user education services to their business customers.
There are sound economic reasons for them to do precisely that, according to IDC, especially when it comes to connecting new customers for the first time. It estimated that fixed wireline operators could expect to see 69 per cent in savings over five years by using IPv6 for new customers, instead of relying on private IPv4 space and NAT exclusively for example, whilst they also risk missing out on the new service and revenue opportunities that IPv6 enables, particularly in the mobility space around advertising and other locational services.
If the telcos and ISPs have been ponderous in advancing their IPv6 implementations, other organisations appear tortoise-like by comparison, largely because the use of NAT on private networks has given them no real reason to move on from IPv4.
"If you had a nice big university with 50,000 students and only one IPv6 address to connect to the Internet, that would not be a problem – everything else can be done with IPv4 on the campus so why change?" said Melvyn Wray, senior VP of product marketing EMEA at network equipment maker Allied Telesis, "but if you want a situation where everybody connects without going through the local area network there is huge demand there for IPv6."
Qing Li is chief scientist/IPv6 expert at Internet security, load balancing and WAN optimisation vendor Blue Coat Systems. He argues that the apparent lack of progress belies the fact that many companies have actually already deployed IPv6, but are not willing to go public about it. "Many large organisations, particularly financial institutions and service providers, have been migrating towards IPv6 but they have been doing that very quietly for various reasons," Li says. "They do not want to air their problems and share that with the competition for example, but we are seeing large enterprise, our key account customers, preparing their IPv6 transition quite aggressively this year."
Meanwhile, there are certain industries which mandate IPv6 usage – education, like JANET for example, the Ministry of Defence – "but for the majority of people it is one for the future," adds Melvyn Wray at Allied Telesis. "Even though we have been shipping kit which is IPv6 enabled for a good ten years, even today 95 per cent of it ends up going into IPv4 networks."
The common pattern of enterprise deployment, if one exists, sees large multinational companies with branches in different regions around the globe – like Sony, which is headquartered in Tokyo, but which has offices in China and the US – undertaking proofs of concept for over a year which, once successful, lead to wider IPv6 rollouts in other territories, while government agencies have led the way in converting their Web portals to support IPv6.
That process could be slowed further by ongoing fears about the lack of dual IPv4/IPv6 support in older applications which could adversely affect their performance when accessed over IPv6 and also prove difficult to migrate – nobody is keen to risk being unable to use mission-critical applications or be forced into investing time and money in resolving transitional hurdles. That loss of performance could well prove most acute for Web-based applications accessed by mobile devices where bandwidth is constrained in comparison to wireline networks; others predict that software operating at Layer 7 of the network will suffer.
"Many infrastructure vendors have built and released third- and fourth-generation switches and routers to support IPv6 so performance is no longer a consideration," argues Blue Coat Systems' Qing Li. "The focus now is mostly on applications and services over IPv6 – we have spent the last eight years developing that and found performance degradation to be negligible."
Allied Telesis's Wray also points out that: "The IPv6 packet size is larger; but it is still carried over Ethernet. So, whilst there is a slightly bigger data overhead, the [escalated] speed of network technology is more than enough to guarantee there won't be anything more than a 0.1 per cent delay in loading the latest Web page."
Mobile providing the impetus
The performance of mobile applications is particularly important because much of the impetus for IPv6 migration is expected to come from mobile devices. Connecting multiple IPv4 devices in private networks to the Web via a single IPv6 address is a viable long-term option where those devices – PCs, servers, printers for example – are fixed rather than mobile and never pass beyond the bounds of the company firewall.
Growing ranks of devices connecting to the Internet from any location – smartphones, netbooks, laptops, tablet PCs, e-readers, and other portable units – will exhaust available IPv4 allocations more rapidly, forcing carriers and ISPs to increase their use of IPv6. By 2016, some 39 per cent of all mobile devices will be IPv6 capable, according to the Cisco Visual Networking Index covering global mobile data traffic, with IDC predicting there will be six billion such devices in use by 2015.
Says IDC's Nav Chander: "Many new applications and devices, such as Internet-enabled wireless devices, home and industrial M2M appliances, Internet-connected transportation, integrated telephony services, sensor networks such as RFID, smart grids, cloud computing and gaming, will be designed for, and enabled by, IPv6 networks."
Add to those the home gateways and routers made by Cisco/Linksys, D-Link, and other manufacturers in the IPv6 initiative, which since June have IPv6 connectivity enabled by default, as well as new IP CCTV, TV displays, and home automation devices all clamouring for their own Internet connections, and one can well believe that IPv6 is reaching its tipping point.
'Shadow Networks' casting security umbra?
Some experts warn that migrating IPv4 networks to IPv6 can leave organisations open to security vulnerabilities created by so-called 'shadow networks': undetected systems created by attaching IPv6-enabled devices to networks running firewalls, intrusion detection/prevention systems (IDS/IDP) and other security applications that are only set up to monitor and manage legacy IPv4 environments, potentially allowing hackers to bypass existing security controls.
Qing Li, chief scientist and IPv6 expert at Blue Coat Systems, says that problem is partly down to the fact that IPv6-enabled routers and switches are designed to be easy to install, with many businesses simply attaching them to their existing networks without realising what happens or could happen next.
"The first step is to get an IPv6 circuit, effectively an upgrade of routers and switches, but they may not have the knowledge or experience," he says. "One of the advantages of IPv6 is that it is plug and play, so once it is configured you may be advertising information that allows individual workstations to configure themselves and start broadcasting traffic globally."
The issue is exacerbated by the worrying likelihood of ill-considered Bring Your Own Device (BYOD) policy adoption whereby companies encourage employees to connect their own personal devices – laptops, smartphones or tablets that have been pre-configured to support IPv6 straight out of the box – to their corporate systems. Certain operating systems, including Windows Vista, Windows 7 and Mac OS 10.7, also default to using IPv6 if an IPv6 connection is available.
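The check below is an added example, not part of the original article: it takes addresses seen on a network whose security controls cover only IPv4 and reports hosts that hold globally routable or tunnelled IPv6 addresses, noting which look self-configured. The host names, sample addresses and the monitored-prefix parameter are assumptions made for illustration.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
REPORTABLE = {"global-unicast", "teredo-tunnel", "6to4-tunnel"}

# Constructed (host, address) sample; 2001:db8::/32 and 192.0.2.0/24 are documentation ranges.
SAMPLE = [
    ("ws-014", "192.0.2.14"),
    ("ws-014", "fe80::21a:2bff:fe3c:4d5e"),
    ("ws-022", "2001:db8:10:1:21a:2bff:fe3c:9a01"),
    ("byod-7", "2002:c000:201::1"),
    ("byod-9", "2001:0:c000:201::39cc:9bf8"),
    ("srv-03", "2001:db8:ffff::53"),
]

def classify(addr):
    """Label an address by the kind of reachability it implies."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    if ip.teredo is not None:      # 2001::/32, IPv6 carried over UDP/IPv4
        return "teredo-tunnel"
    if ip.sixtofour is not None:   # 2002::/16, IPv6 encapsulated in IPv4
        return "6to4-tunnel"
    if ip.is_link_local:           # fe80::/10, stays on the local segment
        return "link-local"
    if ip in UNIQUE_LOCAL:         # fc00::/7, site-internal addressing
        return "unique-local"
    return "global-unicast" if ip in GLOBAL_UNICAST else "other"

def is_eui64(addr):
    """True if the interface ID has the ff:fe marker of MAC-derived autoconfiguration."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and ip.packed[11:13] == b"\xff\xfe"

def shadow_findings(observations, monitored_prefixes=()):
    """List IPv6 reachability that falls outside the prefixes security tooling covers."""
    nets = [ipaddress.ip_network(p) for p in monitored_prefixes]
    findings = []
    for host, addr in observations:
        kind = classify(addr)
        if kind in REPORTABLE and not any(ipaddress.ip_address(addr) in n for n in nets):
            findings.append((host, addr, kind, is_eui64(addr)))
    return findings

if __name__ == "__main__":
    for finding in shadow_findings(SAMPLE, ["2001:db8:ffff::/48"]):
        print(finding)
```

Link-local addresses are left out of the findings because they only show that a host's IPv6 stack is enabled; operating systems that use randomised interface IDs will not match the `is_eui64` check.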
"That is a huge problem because globally accessible IPv6 addresses can create secure services and tunnels and those communications become liabilities because they can carry data leaks and IP details outside of the organisation, or transmit content which is inappropriate without the IT department knowing," warns Blue Coat Systems' Li.
Rather than being any more of a liability than IPv4, Melvyn Wray at Allied Telesis argues that the improved security contained in IPv6 is the one factor which is most likely to persuade organisations and individuals to migrate to the new protocol in the first place, and that the chances of undetected vulnerabilities emerging are very small.
"The primary advantage with IPv6 is much higher security," Wray cautions, "so if companies see information compromised [with IPv4] they may start looking to IPv6 to secure it."
Unlike IPv4, IPv6 is encrypted using the IP Security (IPsec) protocol by default, for example, and also includes authentication and encapsulating security payload (ESP) headers within its packet architecture which are purposely designed to prevent certain types of network attacks which plagued IPv4, including worms (the larger address space means the worm takes longer to propagate and is therefore more likely to be detected).
Wray further argues that IPv6 is no less secure than IPv4 in that respect, and probably more so by virtue of its default encryption. Even if an attached IPv6 device created a tunnel between itself and an IPv6-enabled network without the knowledge of the network manager, any hacker would still have to crack the encryption key and circumvent multiple authentication layers to find a way in, the chances of which are almost negligible.
Ultimately though, it is human error rather than any inherent weakness in IPv6 security which is more likely to cause problems - inexperienced staff inadvertently opening up vulnerabilities while reconfiguring their networks and applications to support the new protocol. The transition to IPv6 remains a learning curve for the ICT professionals tasked with making it happen; but not all are comfortable with the prospect, according to Qing Li at Blue Coat Systems. "IT managers and CIOs do not have the sufficient IPv6 operations experience," he says, "and they are kind of scared..."