The concern that the internet is running out of address
space was discussed at January's annual meeting of the World
Economic Forum, an independent organisation committed to shaping
economic and technological issues.
With the multitude of mobile devices now in use, plus the
growing adoption of the internet in the developing world, there is
a risk to the smooth running of the internet until the next
generation Internet Protocol, version 6 (IPv6), is adopted.
IPv6 will meet the demand for the increasing number of IP
addresses that are needed as the population in developing countries
comes online, sensors and radio frequency identification (RFID)
tags become more widespread and networked, and billions of mobile
phones are used for accessing the internet.
Roughly two-thirds of the currently available 4.3 billion IPv4
addresses are already in use, but the IPv6 architecture could
increase that number to 340 trillion trillion trillion.
Vint Cerf, chairman of the Internet Corporation for Assigned
Names and Numbers (Icann), is one of the key advocates of the move
to IPv6, which is already under way in the internet's underlying
infrastructure.
"I am a big proponent of IPv6," says Cerf. "Network Address
Translation has helped overcome IPv4 address scarcity, but there is
no doubt that if we continue at our current rate, we will run out
of IP addresses. About one-third of the billion net users are in
China, and we only have 4.3 billion unique addresses."
IPv6 may solve the address space issue, but businesses around
the world have been glacially slow in implementing it.
Internet service providers, along with governments and the large
global companies that can set the internet technology agenda, have
been accused of dragging their feet in IPv6 implementation.
ISPs, for their part, insist that they will adopt IPv6 when the
time is right. A spokesman for the Internet Service Providers
Association says many ISPs are split on whether or not they should
be pressing ahead.
"Some ISPs are really gung-ho for IPv6, while others are less
enthusiastic. It is all about timing - what is the right time? Much
of it is down to customers - when they want IPv6, the ISPs will be
ready," he says.
Governments are starting to do their bit. The US Office of
Management and Budget last August required all government agencies
to run IPv6 on their network backbones by June 2008. The US
Department of Defense has also called for all military networks to
migrate by 2008.
In Europe, 6Net, an EC project that ran between 2002 and 2005,
built a native IPv6-based network connecting 16 countries to gain
experience of IPv6 deployment, while IPv6 dissemination, training
and support activities continue in the 6DISS project, set up to
provide IPv6 training and knowledge transfer to research networks
in developing regions.
However, IPv6 has largely failed to reach the radar screens of
IT executives, with some notable exceptions, such as Bechtel,
Toyota and Boeing.
Indeed, the engineering company Bechtel, driven by the company's
manager of technology standards and strategies, Fred Wettling, has
bucked the trend, and made IPv6 a business imperative, with a
number of labs within the company running hundreds of IPv6 machines
to learn how the IPv6 environment operates.
Bechtel is also a member of the North American IPv6 Task Force
as part of the IPv6 Forum.
What might quicken other IT directors' interest in IPv6 is
Microsoft and security.
Microsoft Windows Vista and Windows Server Longhorn are
IPv6-ready. In fact, both the IPv4 and IPv6 protocols are installed
and enabled by default since they are a single network
component.
IPv6 has also been supported on Sun Microsystems' Solaris
operating system since March 2000 and has dual-stack implementation
to run IPv4 and IPv6 simultaneously. Support for IPv6 was
significantly improved in Solaris versions 9 and 10, and Linux
supports IPv6 too.
So if, as an IT director, you are planning to migrate to Windows
Vista, you will need to be aware of the changes that IPv6 can
bring, because being IPv6-ready can present security challenges of
its own.
The virtually limitless address space available via IPv6 will
eventually enhance network security. That is because many common
IPv4-based network attack scenarios rely on brute force address and
port scans of entire subnets, sites, or even the internet as a
whole.
In such IPv4 deployments, once an assigned address prefix is
known, an attacker only has to scan between 2^8 subnet and 2^16 site
addresses to find every host device on that network.
In contrast, the 64-bit space for individual interface IDs in
the IPv6 address structure is so vast that brute force scans of the
available address space are practically impossible.
However, by the same token, enterprise network administrators
may also lose the ability to perform equally effective brute force
address scans for the purposes of security auditing and
testing.
Many popular IPv4 security analysis tools are based on address
scanning. So, finding and identifying misconfigured or compromised
hosts that are deliberately hiding on an IPv6 subnet may be as
difficult as attacking them from the outside.
Although IPv4 presented security concerns when it was first
implemented, there have been 20 years in which to identify and
address them.
As its successor IPv6 becomes more prevalent, it is likely that
additional security issues will arise as attackers give it more
attention. However, experience gained from having to make IPv4
networks secure may help bring security levels in IPv6 networks up
to speed.
IT directors must be aware that work will be needed to
incorporate IPv6-suitable requirements into their existing IPv4
security architectures. IPv6 security policies that are simply
cut-and-paste translations of existing IPv4 policies will not be
adequate.
Careful evaluation and testing of security systems - for
example, firewalls, intrusion detection systems and auditing tools
- should also be conducted to determine their capabilities to
support both IPv4 and IPv6, as well as specific transition
mechanisms.
Organisations must also develop security plans for dealing with
IPv6 traffic, regardless of whether they make the transition to
IPv6.
IPv6 capabilities already exist in most networks, with recent
host and router deployments. The fact that IPv6 capabilities are
shipped by default in many common host and router operating systems
implies that they may be "turned on" at any time, either on
purpose, by accident or for malicious reasons.
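As an added illustration (not part of the original article), the Python sketch below shows the kind of check a network assessment can run on a network that is meant to be IPv4-only: it labels captured Ethernet frames as native IPv6, IPv6 encapsulated in IPv4 (IP protocol 41) or Teredo (IPv6 tunnelled over UDP port 3544). The function names and sample frames are constructed for the example, and untagged Ethernet II frames are assumed.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD      # EtherType values
PROTO_UDP, PROTO_IPV6_IN_IPV4 = 17, 41   # 41 = IPv6 carried inside IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544                       # Teredo tunnels IPv6 over IPv4 UDP

def classify(frame: bytes) -> str:
    """Label one untagged Ethernet II frame by how, or whether, it carries IPv6."""
    if len(frame) < 14:
        return "malformed"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV6:
        return "native-ipv6"
    if ethertype != ETH_IPV4:
        return "other"
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "malformed"
    ihl = (ip[0] & 0x0F) * 4             # header length varies with IPv4 options
    if not 20 <= ihl <= len(ip):
        return "malformed"
    if ip[9] == PROTO_IPV6_IN_IPV4:
        return "ipv6-in-ipv4"
    # Only the first fragment of a datagram carries the UDP header.
    first_fragment = (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) == 0
    if ip[9] == PROTO_UDP and first_fragment and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "ipv4"

def audit(frames) -> Counter:  # the IPv6 labels are the ones to review
    return Counter(classify(f) for f in frames)

def _eth(ethertype: int, payload: bytes) -> bytes:
    return bytes(12) + struct.pack("!H", ethertype) + payload
def _ipv4(proto: int, payload: bytes, ihl_words: int = 5) -> bytes:
    hdr = bytearray(ihl_words * 4)
    hdr[0], hdr[9] = 0x40 | ihl_words, proto
    return bytes(hdr) + payload

# Constructed sample frames (not real captures).
SAMPLE = [
    _eth(ETH_IPV6, b"\x60" + bytes(39)),
    _eth(ETH_IPV4, _ipv4(PROTO_IPV6_IN_IPV4, b"\x60" + bytes(39))),
    _eth(ETH_IPV4, _ipv4(PROTO_UDP, struct.pack("!HHHH", 51000, 3544, 8, 0))),
    _eth(ETH_IPV4, _ipv4(PROTO_UDP, struct.pack("!HHHH", 51000, 53, 8, 0), ihl_words=6)),
    bytes(10),
]
```

Any "native-ipv6", "ipv6-in-ipv4" or "teredo" count on a segment with no planned IPv6 deployment points to hosts where the protocol has been switched on outside the security policy.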
For IT directors, the main reason for the continuing presence of
IPv4 in most corporate networks is cost. There may appear to be no
compelling business case for migrating to IPv6 if your current IPv4
network has been secured, tweaked and configured to support your
company's present business goals.
One of the key drivers for many users will be their approach to
adopting Windows Vista, because that will require them to be aware
of what IPv6 is, and what it means. In the short term, that means
ensuring networking staff are trained on IPv6 and are aware of what
it means from both a security perspective and a business
perspective in terms of driving future applications.
Patrick Grossetete, manager of product management at Cisco
Systems, and a member of the IPv6 Forum Technical Directorate, says
IPv6 is about providing IP connectivity to a number of devices that
potentially could be part of new business applications.
"Enterprise IT directors will have to consider what IPv6 means
for their organisations. They will have to ask themselves 'What
kind of applications do we want to do in the future on IPv6?' just
as they had to address those questions on IPv4 in terms of their
web business or doing video streaming? Or 'What aspects of our
business model could be switched to IPv6?'
"The first thing an IT director should do is get a network
assessment done. In Vista, IPv6 is on by default. What does that
mean for IPv6 traffic on your network, if you are evaluating Vista
now?"
Grossetete believes IPv6 will change the way enterprises look at
certain applications, such as grid computing.
"Although it is probably at least three years before
organisations will be doing anything serious with IPv6, it is not
too early to consider how large and how scalable you want your IPv6
applications to be," he says. "The sooner you think about it, and
consider issues such as training, the more likely it is that you
will save costs in the future."