IPv6 – Let the Sky Fall!

The Forrester Wave: Intelligent Application & Service Monitoring, Q2 2019

A year ago, I wrote a blog article about IPv4 exhaustion. A year ago, it was still something of an arbitrary thing, set for the far distant future, future…

The future is now.

ARIN Is Out of IP Addresses

A year ago, when I first wrote this article, the American Registry for Internet Numbers (ARIN) had an entire /8 left. ARIN was the last regional Internet registry (RIR) with space to allocate. Today, all the RIRs are exhausted. ARIN has a few /23s left for small IPv4 requests, but I expect those to last only a few weeks at most. In all, as of this writing, ARIN has .003 of a /8 left.

CIDR Netmask Notation in 30 Seconds or Less

There are a lot of IP addresses in Classless Inter-Domain Routing (CIDR) notation in this article, so let’s start with a quick primer on CIDR and how it relates to IPv4 and IPv6. An IPv4 address is 32 zeros or ones, and an IPv6 address is 128 zeros and ones. A subnet mask hides bits we don’t care about, leaving only the trailing ones and zeros. The most common IPv4 subnet you’ll see is a /24, or 24 ones followed by 8 zeros. It’s represented in a traditional IPv4 address as 255.255.255.0, but in binary, it’s 1111 1111.1111 1111.1111 1111.0000 0000. Feel free to count, I’ll wait!

You might have just realized, though, that it doesn’t have to be sets of 24 ones, you could have 29 ones and 3 zeros. This gives you 2^3, or 8, addresses. A /29 is represented as 255.255.255.248 or 1111 1111.1111 1111.1111 1111.1111 1000. With CIDR, then, your subnet mask can be any length that’s a power of two.

The Problem With IPv4

IPv6 eliminates the need for NAT.

IPv6 eliminates the need for NAT.

There are two main problems with IPv4. First of all, today, there are 7.3 billion people in the world. Half of them own a computer of some sort, and 6 billion have access to mobile phones. If we handed out just one IPv4 address to every person, we would be 3 billion IP addresses short. This makes reclaiming lost address space essentially pointless. Obviously, more addresses are needed for a modern Internet. The other problem with IPv4 is network address translation (NAT). Overloaded NAT — one IP with multiple private IPs behind it — breaks quite a few applications and provides no additional security against Internet threats. This results in a cost increase with no counter-benefit.

In their IPv4 Countdown Plan, ARIN predicts that we will exhaust IPv4 space within the next year. This means that providers will no longer be able to supply routable public IPv4 addresses. Shortly thereafter, you won’t be able to get additional IPv4 addresses from your provider, which means that you will be unable to turn up new public IP services.

How IPv6 Solves the Problem

IPv6 eliminates the need for NAT by having more IP addresses than can possibly be used and assigning them sparsely. Since IP addresses are no longer a scarce commodity, giant blocks can be handed out for only a few devices without a risk of exhaustion. For instance, a network that once had 254 usable IP addresses (an IPv4 /24) might now get an IPv6 /64 with 2^64 addresses.

So, what’s a /64?  IPv6 has 128 bits of IP space. This is 2^128, and,  trust me, this is an absurdly huge number. So, if you mask all but 64 bits, you still have 2^64, or 18 quintillion, addresses for 254 hosts. That’s more addresses than are on the entire IPv4 network, which means that attacks that depend on sequential scanning for vulnerable hosts, such as worms, are obsolete on IPv6. It would take 2 billion years for a worm to scan a /64, scanning 10,000 hosts per second. This is far more secure than overloaded NAT!

Start Getting Ready to Deploy IPv6 Today

Start today in terms of getting ready for IPv6. Audit your equipment to confirm the software or firmware it is running supports IPv6. You probably won’t have much trouble with the networking gear, itself, or modern server operating systems, because the majority of these already support IPv6. Frequent offenders, however, are devices like office multifunction copiers, security cameras and security card access devices, and other appliances on the network. Surprisingly, tablet and smartphone vendors and the LTE networks they run on are often behind as well. Reach out to these vendors to request a patch for IPv6 support.

You can’t just audit devices, though. Some software on your network may not support IPv6. Internally, you will have to review content management systems (CMS), enterprise resource planning (ERP), and other business software. Especially critical, though, are public-facing services such as your Web and email services. These services will have to be updated, as IPv6-only clients are coming. Without updating, your customers may soon be unable to reach your services.

You will also have to go one step further with firewalls. With the death of overloaded NAT, you will have to configure the firewall to apply intrusion detection system (IDS) rules and other zones without NAT. Your firewall vendor will be able to assist you here. Don’t fear, I promise the NAT wasn’t helping your security profile.

You also have to ensure that dynamic VPN users get an IPv6 address. We should take a moment and discuss software firewalls as well. Windows and Linux both ship with an IPv4 and IPv6 firewall enabled, so there aren’t serious security concerns here. Older versions of either operating system (older than 2008) should be carefully evaluated to ensure that IPv6 is properly firewalled out of the box.

Preparing the People in Your Organization

IPv6 is going to impact most of the technical people in your organization. If you get the technology part right, the impact to the nontechnical people will be minimal — but it’s still a good idea to keep them informed about what is going on. For example, accounting may need to be prepared for an unexpected uptick in upgrade expenditures. Logistics may need to expedite some shipments to help meet some upgrade deadlines. End users might see minor (or not-so-minor) disruptions to the network as upgrades are done and certain lessons unique to your organization are learned. Communication is key in keeping minor hiccups from becoming major disruptions.

In terms of your technical staff, you’ll need slightly different approaches depending on their role. For example, application developers will need to know how to add dual-stack capabilities to their code and will also need to go through all the applications that store or parse IP addresses and update them to accommodate both forms of addresses. Systems administrators will need to know how IPv6 changes the configuration and management of the systems they administer. Network engineers and architects will need far more extensive training because they are facing the largest set of differences.

For most of your technical staff, a good place to start is the free IPv6 certification course from Hurricane Electric. It’s not an extensive process, but it does offer some hands-on IPv6 experience in key areas. It’s a step-by-step process, and most administrators can complete it in a couple of days with proper resources.

Deploying IPv6

There are quite a few hurdles to jump to deploy IPv6. You will need to contact your Internet service providers (ISPs) to determine if they offer IPv6. If they do not offer IPv6, ask about the timeline for deployment — inform them that supporting IPv6 is crucial for your business’ success and your ability to reach vendors and customers. If you have an Autonomous System Number (ASN) and Border Gateway Protocol (BGP), you can simply request an IPv6 block directly from ARIN or your region’s RIR. If you don’t have an ASN and your providers don’t have BGP, you can use a service such as HE.net’s tunnel broker service to deploy. Depending on your network’s latency to HE.net, this might even be a permanent solution.

Once you’re ready to deploy IPv6, you will need to request a /48 from your provider. This is 65,536 /64s. Again, IPv6 addresses aren’t scarce, so just use router advertisement (RA) to assign a /64 to each LAN segment on your network.

You don’t need to remove IPv4 from your network today. Every major modern operating system (including the ones from Redmond) support IPv4/IPv6 dual stack out of the box.

Now You Have to Monitor It!

Zenoss supports monitoring IPv6 hosts today. Add an IPv6 device, model it, and everything will work. There are a few caveats due to the new technology in IPv6. Due to the large number of IPv6 addresses in a normal IPv6 subnet, don’t use autodiscovery to discover IPv6 devices due to the time it takes to scan a /64 subnet. Instead, use zenbatchload shipped with Zenoss, DNS transfer, Active Directory (AD), or other sources to add IPv6 devices. For dual-stack hosts, create two devices — one for IPv4 and one for IPv6 — and both will monitor correctly.


GET MODERN NETWORK MONITORING

GET IT NOW

Conclusion

You can’t put off moving to IPv6 anymore. You want to, but you can’t. It’s time to start deploying IPv6, because there are no more IPv4 addresses to be had. I used to have a joke here about being “fresh out.” Today, we’re a lot closer to “none left.”

Even if you have plenty of addresses to last you several years, chances are that some of your customers and some of your suppliers don’t. As soon as any of them are IPv6-only, you’re at a disadvantage if you don’t support IPv6.

A special thanks to Owen DeLong of Akamai and the ARIN advisory council for his assistance in creating this article.