Taking control of IPv6
To reap the benefits, agencies face the huge job of managing address spaces<@VM>IPv6: FAQ<@VM>SIDEBAR | IP addresses: A wasted resource?
THE ARRIVAL of IPv6 will eventually give agencies better security, more flexible networking and a number of available IP addresses so large it can make your head hurt just trying to grasp how many there will be. But how well agencies take advantage of IPv6 will depend in large part on how well administrators manage their newfound wealth of IP address spaces, experts say.
By the end of June, the Office of Management and Budget expects agencies to have their network backbones ready to carry IPv6 traffic in addition to IPv4 traffic.
Nobody is yet requiring that agencies use IPv6, but agencies have begun acquiring address space in the new protocols and are making plans for taking advantage of the improved security and networking capabilities.
Management will be critical.
'It is going to be a long cycle for people to swap out the IPv4 technology' now standard in their networks, said Richard Hyatt, chief technology officer at BlueCat Networks.
'It is going to be the management of the address space that determines how quickly it happens.'
Management can be a challenge because IPv6 addresses are larger than IPv4 addresses and there are exponentially more of them.
As IPv4 addresses start running short, the abundance of new addresses will be a good thing. But administrators will have to resist the temptation to use the new addresses the same way they have used the current generation, said Chip Popoviciu, IPv6 address management expert at Cisco Systems.
'We need to be mindful that this is a large resource, and we need to manage it properly,' Popoviciu said.
How large a resource are we talking about? 'With IPv6, one subnet is as large as the entire Internet is today,' said Sean Siler, Microsoft's IPv6 program manager. And each agency will have tens of thousands of subnets.
'It's a huge shift in paradigm.'
The large number of addresses is because IPv6 addresses are 128 bits long. The last 64 bits are used to assign the address to a particular device or function rather than a network, but the networking portion still is large enough to provide an almost inexhaustible supply of numbers.
Address groups are described in terms of a slash-number, written as '/number.' The smaller the slash-number, the larger the group of addresses.
'The general size of an address allocation is a /48,' said Richard Jimmerson, chief information officer at the American Registry for Internet Numbers (ARIN). That size allocation includes 65,536 /64 subnets. A /32 address allocation would contain 4 billion subnets.
ARIN is one of five Regional Internet Registries charged with allocating IP addresses.
ARIN serves the United States, Canada, Mexico, much of the Caribbean and the North Atlantic islands. There are separate registries for Africa, the Asia-Pacific region, Latin America, and the region covering Europe, the Middle East and Central Asia. The registries have been issuing IPv6 addresses since 1999. The Euro-Asian registry has been the most active, having allocated 980 address blocks as of January, followed by the Asia-Pacific registry with 515. ARIN has assigned 386 blocks in North America.
Each regional registry sets its own policies for distributing addresses. The Euro-Asian registry has a hierarchical scheme in which address blocks are assigned to local registries, which in turn distribute them to large network users. ARIN has a flatter scheme, intended to make it simpler for users to get addresses directly from the regional registry.
'They decided to make acquisition easier,' Jimmerson said. 'With IPv6, the biggest concern was getting the address space into the hands of the people using it.'
In May, ARIN's board of trustees issued a resolution on IP numbering availability, stating that IPv4 address space was nearing its end and advising 'the Internet community that migration to IPv6 number resources is necessary for any applications which require ongoing availability from ARIN of contiguous IP number resources.'
U.S. government policy calls for agencies to get their address space directly from ARIN, and Jimmerson said 30 agencies have acquired address space so far, typically a /48 allocation.
'There has been a good amount of activity' by government agencies, he said. In addition to getting their addresses, they have been attending the numerous informational meetings and conferences held in the Washington area on the IPv6 transition.
After they acquire the addresses, the next question they face is how to divvy them up.
'With IPv4, you had to be careful about allocating addresses in a network,' he said. 'With IPv6, you have less to worry about.'
There is less worry about running out of addresses.
But there still is a lot to consider. If addressing schemes are not built with an eye to the geography and architecture of a network and how it will use IPv6, administrators might waste network resources with unnecessarily complex routing tables requiring additional routers and slowing throughput.
Most IPv4 addressing schemes were built ad hoc as the Internet and other IP networks grew, with little thought given to an overall architecture.
Available address space was smaller and more easily managed, but this make-it-up-as-you-go process means that administrators are wrestling with inelegant network designs.Clean slate
'We have an opportunity to build a clean addressing scheme that will let us simplify how we manage networks,' Popoviciu said. Administrators should resist the urge to simply plug IPv6 allocations into IPv4 addressing schemes, and this will require educating administrators.
'Education is the long pole in this tent,' said Dave West, Cisco's global lead for IPv6.
'It is absolutely critical. They are slowly but surely coming to the realization that they need to step back and think about this.'
Managing IPv6 addresses is not rocket science, said Steve Grobman, director of business client architecture at Intel.
'The management differences are real,' he said, 'but I don't think they are that different from the other transitions IT has gone through,' such as the introduction of TCP/IP and wireless communications into networks. Like a true hardware man, Grobman said, 'The good news is that most of the challenges are going to be on the software side.'
Most operating systems and networking hardware already have a basic ability to handle IPv6. OMB's position on the transition has been that agencies could achieve this capability through routine upgrades of technology, without a major capital expense. To begin using IPv6 addresses, agencies will need Dynamic Host Configuration Protocol Version 6 servers and Domain Name System servers capable of handling IPv6 records.
The DHCP provides configuration settings to network devices so they can be located on the network. If the autoconfiguration capability of IPv6 is used, no DHCP server will be needed.
But if you choose to manage your own addresses, there are DHCPv6 servers available to allow this. There is a debate over the merits of stateful ' or managed ' addressing using DHCP, and stateless addressing using autoconfiguration.
'Many administrators don't want hosts managing themselves,' Siler said. 'But there is a time and a place for both' stateful and stateless addressing.
One of the advantages and problems with autoconfiguration is that it opens up the network to outside visibility, enabling flexible, dynamic configurations and peer-to-peer networking. There may be a temptation to use this to ease management burdens, 'but the problem is that a lot of people are going to expose a lot more information than they intended,' Hyatt said.
For this reason, Siler said he believes that stateless addressing will not be used widely in managed enterprises as IPv6 is implemented.
The more managed allocation of addresses using DHCP will be a better fit with existing security models.
But IP addresses are too easily spoofed to be good security identifiers. As large numbers of new devices are added to networks and as security policies and tools are adapted to IPv6, DHCP will become less necessary.
'As time goes by, I believe that stateless addressing will start to be introduced into the enterprise,' Siler said. 'It will come very slowly, but it will come.'Room to hide
The question of Network Address Translation still remains to be answered. NAT has been used to extend the more limited IPv4 address space by enabling the use of private addresses inside a network. But it also has the effect of putting another wall between your internal network and prying eyes on the outside. NAT may not be necessary on an IPv6 network. 'But if you remove it, you are beginning to expose what your network looks like,' Hyatt said. 'It might not be that great when you come to think of it.'
However, the sheer size of the IPv6 address space might help mitigate the problem of visibility by providing room to hide. With IPv4, a typical subnet has about 254 hosts, Siler said.
'That's the number most people work with,' and that size defines the number of servers, firewalls, routers and other devices on the subnet and where they are deployed. For convenience sake, most administrators probably will stick to that model, he said. But they will be distributing those hosts through a vastly larger subnet.
Assigned addresses can be clustered closely together for easier management, or they can be distributed widely through a 4-billion-address subnet, effectively hiding them from outside scans. This can be a security asset, but it also can make devices harder for administrators to find.
Managed devices can be located on a network, but unmanaged and mobile devices can easily be lost in this space, putting a premium on a good addressing scheme and good record-keeping.
Tracking addresses and their users will generate a lot of data to be managed, Hyatt said. 'It's going to create a real problem, keeping and using those amounts of data.'
'An important consideration is top-down addressing,' Siler said. 'It is going to be important for one person to get a large address block and to suballocate it to other organizations within the department' to facilitate this record-keeping. This also can enable simpler routing tables, which will allow more efficient routing, improved security and easier network monitoring. A fragmented routing table slows throughput.
And finally, IPv6 will have to be managed alongside IPv4 as long as both protocols continue to be used on the same networks.
'It's more overhead until we can get rid of IPv4, and that's not going to be in the near future,' Siler said.
The opportunities for new applications, efficiencies and flexibility offered by IPv6 will make it worth our while to address these issues, Popoviciu said. 'After all, we did this for the addressing,' he said. 'Why not make sure we do it right, now that we have the addresses in hand?'What is IPv6?
IPv6, or Internet Protocol version 6, is the 'next generation' version of IPv4, the venerable networking standard that has increasingly driven the Internet since 1980. It's the true follow-on to IPv4 since IPv5 was nominally the designation for The Internet Stream Protocol that was first suggested in the late 1970s for experimental transmission of voice, video and distributed simulation.
Technically, IPv6 differs mainly by using a 128-bit address space, four times that of IPv4. Other differences are allowance for universal plug and play, support for multiple forms of multicast and for anycast, inherent use of IPsec security protocols, and significantly better scalability.What ever happened to IPv5?What does IPv6 mean for address space?
Though the IPv6 address space is only four times that of IPv4, it means the number of available unique IPv6 Internet addresses ' which define where systems and devices are on the network and how data packets get from one place to another ' totals 3.4 x 1038 (or 10 to the 38th power).
The 4 billion addresses available under IPv4 could be completely consumed in the next several years. With IPv6, however, each person on Earth could theoretically have 50 octillion, or 5 x 1028, unique addresses.
Exactly how many addresses are actually available is open to interpretation, however, since the first 64 bits of the 128-bit address space is reserved for network routing.
The Defense Department, for example, has acquired a /16 (slash 16) Block address. That means 16 of the leftover bits go for externally reachable routing, and the other 48 bits for subnets, though each subnet can have its own 64-bit address space. The DOD's /16 gives it 'just' 281 trillion network addresses and, theoretically, 18.45 quintillion (18.45 x 1018) host addresses.Bitten by IPv6What can IPv6 do for you?
IPv6 allows for end-to-end connectivity across the network, much greater mobility for network users and auto configuration of all IPv6-enabled devices connected to the network.
The DOD's vision of the networked warrior and its goals for net-centric warfare, for example, would not be possible without IPv6.
The protocol's use of longer addresses and optimized message headers will also allow users to specify just what function a device plays on the network, allowing for different quality-of-service for certain kinds of traffic and so boosting the operation of services such as voice over IP and videoconferencing.
IPv6 adoption probably won't be driven by particular applications, though the overall move to converged, handheld devices and the increasing needs of mobile computing should be major incentives for the increased use of IPv6.
That said, IPv6 should spawn some petty nifty apps. The peer-to-peer networking possible with IPv6, without the need for servers in between, could rewrite the notion of networked collaboration, for example. It should also provide for tighter control of networked devices.
It will also mean lighter weight applications, and the chance to eliminate some of the network hardware that now performs some of the functions that will be included in these new applications.Ask not what you can do for IPv6, but rather what IPv6 can do for youA new kind of protocolThe means to end-to-endHow does IPv6 do for security?
In the short-term, as agencies are transitioning to IPv6, security might be of more concern since a dual stack approach ' having both IPv4 and IPv6 active on the network at the same time ' will likely be the preferred approach, and the appropriate security for each version of the protocol has to be managed.
Tunneling, as a way to encapsulate IPv6 packets for transport across an IPv4 network, is already popular as a relatively cheap way to provide dual IPv4/IPv6 capability, but it also introduces security issues. Unknown tunnels could be opened, which introduces a security risk, so policies have to be developed to determine who can use tunneling, and for what purpose.
That said, IPsec is included in IPv6 as the default security scheme. As it operates at the network layer of the protocol stack it is independent of the applications and services that run over the network, and so is considered more flexible than other popular security such as SSL. It also provides for data encryption.
If IPsec is turned on, IPv6 capable security devices such as firewalls and intrusion detection systems will automatically configure themselves with an IPv6 address.IPv6 security: The forgotten elementHackers are ready for IPv6'are you?When will IPv6 arrive?
To some extent it's already here. Microsoft's Windows Vista operating system is IPv6 enabled by default, other operating systems support IPv6, and more and more devices are IPv6 capable. Telecom companies' backbone networks are all IPv6 ready, and some of those are carrying IPv6 traffic now.
However, there were very few active IPv6 nodes on the Internet at the beginning of 2008. There are not many applications that require it and until there is, or until the number of IPv4 addresses wilts completely, both private companies and government agencies have little incentive to turn to IPv6 for their networking needs.
Federal government agencies have until June of 2008 to make sure their backbone networks are capable of carrying IPv6 traffic, but that doesn't mean they will have to at that time.Getting ready for IPv6? It's already hereHow does IPv6 affect you now?
The Office of Management and Budget said in 2005 it would require federal agency networks to be IPv6 capable by June 2008. At the time only the Defense Department had made serious efforts to prepare for IPv6, according to a Government Accountability Office report, and most others had not inventoried IPv6 software and equipment, or had developed business cases or cost estimates.
By the end of 2007, most agencies were seen as having made some progress toward IPv6, though the level of progress differed widely. Some were well into implementing their plans and had begun the move, some were still considering the best way to make the transition.
Where practical, OMB requires agencies to only buy equipment and software that is IPv6 compliant. A written waiver is required for any other procurement. Where it isn't compliant, it has to be adapted for IPv6 by the June 2008 deadline.
Federal standards agencies are generally well advanced in developing the necessary guidance for agencies making the move to IPv6. Early in 2008 the National Institute of Standards and Technology released its latest draft of proposed standards for IPv6 networking and security products. The National Security Agency in 2007 started development of software to make sure IPv6 was secure enough to be used on classified networks.
Both the DOD and intelligence agencies are planning to move at least their classified networks to IPv6 by 2010.The answer is: 'IPv.what?'NSA ponies up to secure IPv6Latest draft of federal IPv6 profile released for commentWhat are the IPv6 deadlines?
The next deadline is June 30, 2008. By then, all agencies should have completed their transition to IPv6 on their backbone networks, and all other agency networks should be able to interface with them.
Before then, deadlines set by the Office of Management and Budget were:
OMB details milestones to move to IPv6Agencies, start your protocols!Office of Management and Budget IPv6 directiveHow is Microsoft handling Vista?
- By June 30, 2006 agencies should have completed an inventory of IP-aware applications and peripherals that depend on the backbone network, along with an IPv6 transition impact analysis.
- By February 28, 2006, agencies should have developed backbone transition plans.
- By November 15, 2008, agencies had to identify who would lead their IPv6 transitions, and had to have completed an inventory of IP-aware devices in the backbone.
Microsoft made IPv6 the preferred network protocol in its latest operating system, Windows Vista, and committed to making all of its enterprise applications IPv6-ready out of the box.
To allow its customers to use IPv6 it included Teredo, a protocol that allows dual stack IPv6/IPv4 nodes to pass IPv6 traffic to each other by tunneling through Network Address Translation (NAT) devices and across non IPv6 enabled local networks.
NAT's are used on the Internet as a way of artificially expanding the IPv4 address space by translating the address and port numbers of traffic to and from private network hosts that use IPv4 addresses.
However, some observers have noted that, although Teredo is designed to be used as the IPv6 provider of last resort, it's typically used more often than recommended leaving computers open to attack from the outside since it can bypass regular security controls.
Workarounds include making security devices specifically aware of Teredo packets so they can inspect them, or blocking them completely and relying on native IPv6 traffic only.IPv6 tunneling in Vista ' a new area of concernMany unknowns remain in move to IPv6When IPv4 was adopted, 4 billion sounded like an awful lot of IP addresses.
Today, faced with the exhaustion of IPv4 address space within five to 15 years, we are turning to a new generation of protocols and a new addressing scheme to fill our seemingly insatiable desire for more and better networks and devices.
What happened to all of those old addresses? Were they squandered? Common estimates put the efficiency of address usage at 25 percent to 50 percent, which would mean that as many as 50 percent or 75 percent of available IPv4 addresses remain unused, sitting idly in sparsely populated subnets within the allocations of early adopters.
That's probably not so, said Richard Jimmerson, chief information officer at the American Registry for Internet Numbers, one of five Regional Internet Registries responsible for doling out address space. 'A lot of address space is in use inside networks that is not announced on Internet routing tables, for one reason or another,' he said.
These addresses sit, not necessarily idle, behind firewalls and are not reachable from the Internet. The U.S. government has entire secret networks that are not announced, Jimmerson said. 'That's a large amount of address space.'
Of course, the original IPv4 addresses were not evenly distributed, forcing users in Asia and Europe to turn to IPv6 earlier than those of us in address-rich North America.
Some of this inequity has been mitigated by tools, such as Network Address Translation, which have helped stretch available space. But on the whole, we have done a pretty good job of managing the original 4 billion addresses available through IPv4, Jimmerson said. 'We have to be approaching 4 billion devices on the Internet now.'