IPv6 Migration & Its Contingencies, Complexities & Implications: Part 6

This chapter discusses IPv6 growth over the next decade, specifically focusing on security, the ultimately lynch pin to success for IPv6 and billions of devices to the global internet.

IPv6 Growth by Year’s End 2025

With such fast growth in the number of internet devices, it looked as if IPv4 addresses would be exhausted. However, researchers and technologists in the internet standards organizations anticipated this problem in the early 1990s and developed methods to extend the life of IPv4. Meanwhile, they also initiated the development of the “next generation” of IP, an effort that led to the development and standardization of IPv6.

The principal methods developed for prolonging the use of IPv4 include network address translation (NAT), classless inter-domain routing (CIDR) and PPP/DHCP address sharing. Using NAT, a single device, such as a router, acts as an agent between the internet and a local network, so that only a single IP address is required to represent an entire group of endpoints. Although the main motivation of CIDR was to reduce the size of routing tables carried by ISPs, it also permits smaller allocations of addresses to customers and ISP. In particular, it lets a grouping of separate IP networks appear as part of a single subnet, allowing service providers to conserve addresses by divvying up pieces of a full range of IP addresses to multiple customers.

Besides these technical approaches for further extending the life of IPv4, unused, but assigned, addresses have been reclaimed for use. Another major driver is action by the regional internet registries to prevent waste of IP addresses. PPP and DHCP are more auto configuration aids; as more and more people move to always-on broadband connections, the address-conservation aspects of this will decrease. Unfortunately, the conservation of IPv4 address has undesirable effects that penalize performance and increase operating costs. The measures used make system administration more complex and error prone. In particular, to configure NAT to support remote administration entails high operating costs. The lack of transparency of NAT makes reliable diagnoses of problems difficult. When NAT is used, the on-the-fly manipulation of IP packet headers, necessary for establishing a link between a private network and the public network, makes end-to-end IPSec security impossible, as NAT’s modification of packet headers leads to a rejection of packets during IPsec controls.

Moreover, NAT degrades performance, which is especially important for applications sensitive to transit times. Perhaps worst of all, NAT is a stumbling block for launching peer-to-peer applications, which have recently emerged as key applications for both end users and businesses. For such applications, it is necessary to know the correspondent address in the private network, requiring complex application-related mechanisms for locating the address of the final correspondent. Finally, installing a local web server causes problems because the server must be accessed from outside via NAT. While the interim measures taken to prolong the life of IPv4 has created other problems, the most immediate challenge driving migration to a new protocol is that the number of internet endpoints is growing explosively, with the result that it is impossible that IPv4 can meet future needs. Technologists in many industry sectors are predicting or actually designing complex applications for devices that will require IP addresses for a vast number of endpoints.

There are more than one billion PCs, more than one billion mobile Internet endpoints (including mobile phones), more than one billion cars, billions of home-based voice-over-IP gateways, as well as the growing numbers of gaming stations and home appliances that may each need their own Internet addresses. By the early 1990s researchers anticipated the need for more Internet addresses and began work on a new generation of the Internet protocol, IPv6. IPv6 supports 128-bit addresses and the number of addresses available for internet endpoints is vast, exceeding the number needed for any scenario yet devised. IPv6 was approved by the IETF as a Proposed Standard in 1995 and was approved as a standard in 2000.

Although the original impetus for the creation of IPv6 was to increase the address space, the opportunity to design a new internet protocol made it possible to introduce additional enhancements. IPv6 was designed with architecture more consistent than that of IPv4, with 4 although not all 2128 bit strings of length 128 are valid internet addresses, the number of available IPv6 addresses is vast.
IPv6 Improved Security

Hooks can be used for improved support for improved security, multicasting and any casting, and mobility, as well as potentially for quality of service. One particular security-related advantage of IPv6 is that worms to an extent will be harder to write for IPv6 networks. Another is the inclusion of the secure neighbor discovery protocol, which protects neighbor discovery messages through the use of cryptographically generated addresses.

Although IPv6 brings many benefits, it is not a panacea for all challenges the internet faces. IPv6 does add several layers of built-in security and once employed, it will help to stop certain classes of attacks by making it difficult to spoof, or masquerade, as a different computer. However, IPv6 has no ability to close most known network vulnerabilities, which usually exploit security weaknesses above the IP layer. Yet it is a key part of the solution to establishing a “culture of networking security.”
IPv6 enables better traffic flow than IPv4 and enables automatic connectivity. In particular, IPv6 offers “neighbor” discovery and address auto-configuration capabilities supporting mobility, allowing hosts to operate anywhere without special support. Using these capabilities, a host can be reached no matter where it is connected to the internet. This is accomplished by binding the current “care-of address” of a mobile host to its home address.

Although IPv6 offers advantages, its adoption has been slowed by the complexity and costs associated with the move from IPv4 to IPv6. Because of this, the migration from IPv4 to IPv6 will require the coexistence of these protocols for some time. The key strategies used in deploying IPv6 at the edge of such a network involve carrying IPv6 traffic over the IPv4 network, allowing isolated IPv6 domains to communicate with each other before the full transition to a native IPv6 backbone. It is also possible to run IPv4 and IPv6 throughout the network, from all edges through the core, or to translate between IPv4 and IPv6 to allow hosts communicating in one protocol to communicate transparently with hosts running the other protocol. All techniques allow networks to be upgraded, and IPv6 to be deployed incrementally with little to no disruption of IPv4 services.

The key strategies are to deploy IPv6 over IPv4 tunnels that encapsulate IPv6 traffic within IPv4 packets, to deploy IPv6 over dedicated data links, to deploy IPv6 over MPLS IPv4 backbones and to deploy IPv6 using dual-stack backbones allowing IPv4 and IPv6 applications to coexist in a dual IP layer routing backbone. Some of the Japanese ISPs have found it better to run parallel networks, especially given the relatively immature support for v6 in routers.

Dr. Eslambolchi