IPv6: What's with all the FUD (Fear, Uncertainty and Doubt)?
Did you know that on January 31, 2011, the last two large blocks of IP address space (referred to as a “Class A” or “/8”) were allocated by IANA (Internet Assigned Numbers Authority) to the Regional Internet Registry in Asia Pacific? By any measure, the Internet is rapidly running out of IP address space. Yet concern and anxiety continues to build amongst administrators and IT professionals. How did we get here? Should we fear the unknown or is the IP addressing problem really an overblown ball of hype?
IPv4 (defined in detail in RFC 791) was designed in the early 1980s. It uses 32-bit addresses, providing for almost 4.3 billion addresses across the entire range. However, some of these address ranges are reserved for special purposes, including private networks, multicast and other purposes. Many large IP address blocks were assigned to educational institutions and government agencies (e.g.: the 126.96.36.199/8 address range is designated to the Massachusetts Institute of Technology). Of course, at the time this was considered more than enough address space given the fairly limited scope of IP-based device deployment and adoption.
We all know that the world has changed over the past 30 years, so has the demand for IP addresses. IPv6 was designed to meet the ever-growing demand for IP addresses with a nearly unfathomable 128-bit address space. With approximately 3.4 x 10^38 available addresses, IPv6 is hoping to develop a new era where devices that we seldom think twice about (refrigerators, toasters, etc.) will be able to communicate with each other over IP. (That’s right; your washer will be able to send you an email when the clothes are clean!) What an exciting time to be working in IT, right?
IP address syntax looks very different in IPv6 than in IPv4; an example might look like 2001:0db8:85a3:0000:0000:8a2e:0370:7334. IPv6 addresses are divided into two sections; there is a 64 bit network prefix and a 64 bit interface identifier. There are three types of IPv6 addresses: unicast addresses (identifies each network interface), anycast addresses (identifies a group of interfaces) and multicast addresses (used to deliver one packet to many interfaces). There are also reserved IPv6 addresses for specific purposes, such as the loopback address, link-local addresses (for use in the local network only) and solicited-node multicast addresses (used to discover neighboring nodes via the Neighbor Discovery Protocol).
IPv6 also implements new features that were ‘baked in’ during the design phase of the protocol, versus attempted to be bolted on later with IPv4. It provides a much simpler method of assigning addresses to client devices. IP Security (IP Sec) is now integrated into IPv6 and is mandated in the standard specifications (RFC 2401 has a great explanation of this if you’re looking to dive deeper). IPv6 deployment may eventually lead to the removal of Network Address Translation; due to the tremendous amount of IPv6 addresses available, expect industry to focus more and more on the host-based security approach (see the Jericho Forum to learn about this concept).
While IT Pros may be hesitant to look at adoption of IPv6 just yet, many network teams have already prepared the network infrastructure in organizations all over the world. In fact, the network geeks are often eager to discuss a potential migration to IPv6 on the corporate network and/or running in what’s called “dual stack” mode where devices can speak IPv6 and IPv4. So, what’s holding back adoption? Backwards compatibility and business need. In 2005 a Department of Defense mandate requiring that network equipment manufacturers support IPv6 for devices the DOD was procuring. Most relatively modern deployments of routers, switches and other networking gear in the enterprise likely support IPv6; the orchestration of configuration and deployment between teams is what’s essential to making it work effectively. Deploying a new IP protocol on a corporate network is something that hasn’t been attempted in many organizations and will require teamwork and transparency from the different teams involved.
So, what’s the ‘killer app’ for IPv6? Early adopting IT administrators are voting with their feet and rolling out Direct Access. Direct Access is a new technology available in Windows 7. It’s only enabled in Windows 7 Enterprise and Ultimate (Note: I strongly suggest you consider Windows 7 Enterprise for your corporate environment). Direct Access allows for a seamless remote connectivity experience for users. By establishing IPv6 tunnels back to the corporate network, a user can interact with corporate resources the exact same way regardless of whether they are at work, at a hotel, coffee shop or at home. Direct Access attempts to connect via an IPv6 tunnel established to a Windows Server 2008 R2 system that ‘proxies’ the connection back into the corporate network. If IPv6 (6to4) is blocked, Teredo (IPv6-inside-IPv4) is used. If Teredo is blocked, a protocol called IP-HTTPS is used. You will find that Direct Access is a ‘must’ have feature for users that have experienced it; once it’s enabled, turning it off will likely result in user rebellion. The management aspects of Direct Access are hard to resist from an enterprise perspective as well. Being able to patch, pull logging data or push applications to a device no matter where it is physically provides control and insight that IT has been questing after for years.
While Direct Access is a phenomenal feature integrated into Windows 7, it does not require IPv6 to be fully deployed in a corporate environment. With Microsoft Forefront UAG (Unified Access Gateway), IPv4-addressed resources (perhaps a Windows Server 2003 system or another operating system that does not natively support IPv6) can be published via Direct Access. This allows an IT organization to deploy Direct Access on their Windows 7 clients immediately while gradually transitioning their backend resources to a more modern operating system.
When deploying Direct Access in an IT organization, there are a number of unique challenges to consider. Depending on the user’s connectivity and network routing equipment involved, there could be unique network-based troubleshooting issues to deal with. Direct Access also integrates into a Public Key Infrastructure (PKI) environment, so it’s prudent to have that deployed and healthy prior to undertaking a Direct Access implementation. A healthy Active Directory and a properly configured Forefront Unified Access Gateway installation that’s tied into Active Directory are recommended as well.
Planning and foresight to implement IPv6 in your environment is a prudent first step to moving forward with Direct Access or any other IPv6-related technologies. While you may not be re-addressing your servers with IPv6 anytime in the near future, IPv6 is here, it’s integrated into modern operating systems and networking equipment. Learning IPv6 now, learning its capabilities and integrating it into your IT roadmap will be essential to support not only your existing devices, but the explosively growing mobile device population as well. IPv6 is a relatively new technology to most IT Pros and there is a learning curve to be overcome. IPv6 has a significantly different structure than IPv4. Some applications are IPv6 aware now, others are in the process of integrating support it. The best advice is to dive in with your sleeves rolled up, get a (properly segmented and air gapped) deployment set up in your test environment and get your hands dirty! In the next installation of this article, I’ll describe how to deploy and implement Direct Access in detail to give you some ideas for trying out that new built IPv6 enabled lab.