Commonly Asked Questions About IPv6

IPv6 has been on the way for more than 10 years now, yet for much of the world, it has been irrelevant until recently. Now, as the shortage of IPv4 addresses begins to become obvious to even the most hardened skeptic, awareness and interest are growing.

The following sections address some commonly asked questions or myths that have been created over time with respect to IPv6.

Does My Enterprise Need IPv6 for Business Growth?

This is the most commonly asked question, especially because most organizations continue to connect to the Internet without IPv6 today. There are three key reasons why organizations might need IPv6:

■ Need for a larger address space (beyond IPv4) for business continuity and growing globally.

■ IPv6 is also a generator of new opportunities and a platform for innovation. There are still classes of network applications that aren’t possible with IPv4—for example, vehicle-mounted telemetry, which might involve millions of networked sensors on cars.

■ IPv6 is on by default in operating systems like Windows 7 and Linux.

Growth countries like India and China, with huge populations and burgeoning technical competence, will almost certainly move to IPv6 directly. Enterprises that want to be active in those markets but do not use IPv6 will be at a competitive disadvantage.

Table 1-1 Benefits of IPv6


Technical Benefits of IPv6

Details

Abundance of IP addresses

This is the most significant benefit that IPv6 provides over IPv4. An IPv6 address is made up of 128-bit values instead of the traditional 32 bits in IPv4, thereby providing approximately 340 trillion trillion trillion globally routable addresses.

Simpler address deployment

IP address assignment is required by any host looking to communicate with network resources. This IP address has traditionally been assigned manually or obtained through DHCP. In addition to manual and DHCP address assignment, IPv6 inherently enables autoconfiguration of addressing through Stateless Address Autoconfiguration (SLAAC), which can make the deployment of IP-enabled endpoints faster and simpler. SLAAC is commonly used for configuring devices that do not need end-user access. These devices include network sensors on cars, telemetry devices, manufacturing equipment, and so on.

For user-connected hosts including desktops and servers, the lack of DNS information in the router advertisement limits the deployment of SLAAC. The IETF community has put together an experimental draft (RFC 5006) that extends the router advertisement messages (RA messages) to include DNS information. There is also active engagement in the standards body to standardize RA extensions to not only include DNS server information but also to include NTP, BOOTP, and vendor-specific DHCP options.

Depending on the host operating system implementation, when an IPv6 network adapter is activated, it assigns itself an IP address based on a well-known prefix and its own MAC address. The new host uses its automatic configuration mechanism to derive its own address from the information made available by the neighboring routers, relying on a protocol called the neighbor discovery (ND) protocol. This method does not require any intervention on the administrator’s part, and there is no need to maintain a central server for address allocation—an additional advantage over IPv4, where automatic address allocation requires a DHCP server.
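The address derivation described above, as an added example that is not from the original text: it assumes the host uses the modified EUI-64 method of RFC 4291, Appendix A (one of several interface-identifier schemes an operating system may implement), and shows that such an address carries the adapter's MAC on every network the host joins. The MAC, prefixes, and function names are constructed for illustration.

```python
import ipaddress
from typing import Optional

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert ff:fe in the middle
    eui[0] ^= 0x02                                          # flip the universal/local bit
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC uses a 64-bit prefix")
    return net.network_address + eui64_interface_id(mac)

def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC recoverable from an address, or None when the interface
    identifier lacks the ff:fe EUI-64 marker (for example a randomized one)."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)

# Constructed sample values: documentation prefix 2001:db8::/32 and a made-up MAC.
MAC = "00:11:22:33:44:55"
OBSERVED = [
    str(slaac_address("fe80::/64", MAC)),          # link-local address
    str(slaac_address("2001:db8:0:1::/64", MAC)),  # global address on one subnet
    str(slaac_address("2001:db8:0:2::/64", MAC)),  # another subnet, same host identifier
    "2001:db8:0:1:a1b2:c3d4:e5f6:1234",            # randomized interface identifier
]

if __name__ == "__main__":
    for a in OBSERVED:
        print(f"{a:40} embedded MAC: {embedded_mac(a)}")
```

The ff:fe check is a heuristic: it is useful for auditing an address inventory for hosts that expose a stable hardware identifier, but a randomized identifier can match it by chance.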

End-to-end network connectivity integrity

With IPv4 NAT, a single address masks thousands of non-routable addresses, making end-to-end integrity unachievable. With the larger address space available with IPv6, the need for Network Address Translation devices is effectively eliminated.

Opportunity for enhanced security capabilities compared to IPv4

Although rarely deployed today, IPv6 has built-in security capabilities with built-in IPsec support, which can enable end-to-end control packet (routing adjacencies, neighbor discovery) encryption between two or more hosts. For data plane encryption of IPv6 flows, it relies on existing IPv4 mechanisms like IPsec.

Improved attribute extension headers for security, QoS, and encryption

IPv6 has extension attribute headers that are not part of the main packet header. These extension headers, with their own unique packet structures, help provide encryption, mobility, optimized routing, and more. When needed, these headers are inserted between the basic IPv6 header and the payload. The basic IPv6 header includes an indication as to the presence of extension headers through the Next Header field. This vastly speeds the router packet-forwarding rates and improves efficiency.
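The Next Header chaining described above, as an added example that is not from the original text: a minimal walker that follows the chain from the basic header to the upper-layer protocol, which is what a filtering or inspection device has to do before it can match on TCP or UDP. The sample packet is constructed, the function names are illustrative, and ESP and non-first fragments are not handled.

```python
import ipaddress
import struct

# Extension headers this walker understands, by Next Header value.
EXT = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Destination Options"}

def walk_chain(packet: bytes, max_headers: int = 8):
    """Return (extension header names, upper-layer protocol number, payload offset)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = packet[6], 40, []      # Next Header is byte 6 of the basic header
    while nxt in EXT:
        if len(chain) >= max_headers:
            raise ValueError("extension header chain too long")
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length_field = packet[off], packet[off + 1]
        if nxt == 44:
            size = 8                         # Fragment header has a fixed size
        elif nxt == 51:
            size = (length_field + 2) * 4    # AH counts 4-octet units, minus 2
        else:
            size = (length_field + 1) * 8    # 8-octet units, first 8 not counted
        if off + size > len(packet):
            raise ValueError("extension header overruns packet")
        chain.append(EXT[nxt])
        nxt, off = following, off + size
    return chain, nxt, off

def naive_is_tcp(packet: bytes) -> bool:
    """What a filter sees if it checks only the basic header's Next Header field."""
    return packet[6] == 6

def sample_packet() -> bytes:
    """Constructed packet: basic header, Hop-by-Hop, Destination Options, TCP SYN."""
    hbh = bytes([60, 0, 1, 4, 0, 0, 0, 0])   # next=60, len=0, PadN option
    dst = bytes([6, 0, 1, 4, 0, 0, 0, 0])    # next=6 (TCP), len=0, PadN option
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload = hbh + dst + tcp
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), 0, 64)
    fixed += ipaddress.IPv6Address("2001:db8::1").packed
    fixed += ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + payload

if __name__ == "__main__":
    pkt = sample_packet()
    print(naive_is_tcp(pkt), walk_chain(pkt))
```

On the sample packet the basic-header check reports "not TCP", while the walker finds TCP at offset 56 behind two extension headers; a rule set that matches only on the first Next Header value would not apply its TCP rules to this packet.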

Improved mobility

Mobile IP (MIP) was developed to ensure that the original gateway is made aware when a host moves from one network segment to another. Originally with MIP (IPv4 based), all the traffic to and from the mobile device needs to go back to the original gateway (home gateway); this is called "triangular routing."

MIP has been extended in IPv6 to overcome this inefficient triangulation. In MIPv6, a foreign correspondent server is continuously updated as to the network the device is on and which gateway to use to reach the traveling device. The bulk of the packets flow directly between the mobile device and its communicators, and not through the home address. This process is known as direct routing. This reduces cost and vastly improves performance and reliability.

Improved flow resource allocation with flow labels

All the Differentiated Services (DiffServ) and Integrated Services (IntServ) quality of service (QoS) attributes from IPv4 are preserved in IPv6. In addition, IPv6 also has a 20-byte Flow Label field that can be used by the end application to provide resource allocation for a particular application or flow type. Even though the standards bodies have defined flow labels in IPv6, not many enterprise applications tend to leverage this capability.

Will IPv6 Completely Replace IPv4?

IPv6 and IPv4 will continue to operate for a long time before the entire infrastructure is moved to IPv6 only. Enterprises and service providers have made significant investments in IPv4 and are well versed with the IPv4 technology.

As IPv6 adoption grows, enterprises need to invest in solutions that enable their legacy IPv4 domains to seamlessly and effectively communicate with IPv6 domains, thereby providing better return on investment. In summary, enterprises looking to adopt IPv6 do not need to discard their IPv4 infrastructure but instead should leverage transition technologies to enable them to coexist.

Is IPv6 More Complicated and Difficult to Manage and Deploy Compared to IPv4?

The larger IP address space provided by IPv6 has created a perception among network architects and administrators that IPv6 is more complicated than IPv4; this is not true. With the vast address space, architects no longer need to rework a limited address space, which makes network designs much easier.

All ancillary protocols like DNS continue to work pretty much the same for IPv4 and IPv6. In addition, IPv6 has better autoconfiguration and multicast capabilities (with embedded rendezvous point) that are simpler in implementation compared to IPv4.

There are some new ancillary protocols, such as multicast listener discovery and neighbor discovery, but for the most part, these replace similar mechanisms in IPv4.

Other than IPv6 addressing being in hexadecimal format, it is easier to perform address allocation planning and deployment because the focus is no longer on the number of hosts, but rather on the number of links or "subnets" allocated out of the address block. In many ways, IPv6 is just IP with a higher version number. Similar to IPv4, the IPv6 addressing plan would still need to be designed to ensure that there are natural points of address summarization in the network.

For the entire IT department (including network, computing, storage architects and administrators, application developers, and so on) to leverage IPv6 capabilities, an investment is needed to train them on this upcoming technology.

Does IPv6 continue to allow my enterprise network to be multihomed to several service providers?

Prior to 2007, IPv6 address allocation policies were strictly hierarchical and allowed enterprises to obtain a network address only from a single service provider to avoid overlapping the global routing table.

This has changed since 2007: enterprises can now get provider-independent (PI) allocations similar to those of IPv4. When an organization applies for PI space, it can obtain IPv6 address space that is not tied to any provider.

By getting provider-independent allocations, enterprises can continue to build redundant, reliable solutions similar to their existing IPv4 designs.

However, many new elements are in development and policy changes are being discussed in the industry that can impact how multihoming is done with IPv6. Today there are unanswered questions related to this topic, and the reader should watch the standards bodies and contact their service providers as time goes on to stay updated on these changes.

Is quality of service better with IPv6?

The only QoS mechanisms built into IPv6 are a few header fields that are supposed to be used to distinguish packets belonging to various classes of traffic and to identify related packets as a "flow." The intention is that these header fields should enable devices such as routers to identify flows and types of traffic and do fast lookups on them. In practice, the use of these header elements is entirely optional, which means that the vast majority of devices don’t bother with anything other than the bare minimum support required.

However, IPv4 has similar header elements, intended to be used in similar ways, so the claim that IPv6 QoS is better than that in IPv4 is tenuous.

Is IPv6 automatically more secure than IPv4?

It would be more accurate to say that IPv6 is no less or no more secure than IPv4; it is just different. The main security-related mechanism incorporated into the IPv6 architecture is IPsec. Any RFC-based, standards-compliant implementation of IPv6 must support IPsec; however, there is no requirement that the functionality be enabled or used. This has led to the misconception that IPv6 is automatically more secure than IPv4. Instead, it still requires careful implementation and a well-educated system and network staff.

Does the lack of NAT support in IPv6 reduce security?

This is mostly a myth that rests on the belief that NAT increases security. NAT exists to overcome a shortage of IPv4 addresses, and because IPv6 has no such shortage, IPv6 networks do not require NAT. To those who see NAT as security, this appears to mean a reduction in the security of IPv6. However, NAT does not offer any meaningful security. The mind-set of "security through obscurity" is mostly an outdated concept because the vast majority of attacks do not occur through directly routable IP-based methods from the Internet into the inside enterprise but rather through Layer 4-7 attacks. IPv6 was designed with the intention of making NAT unnecessary, and RFC 4864 outlines the concept of Local Network Protection (LNP) using IPv6; this provides security benefits equal to or better than those of NAT.
