These days, practically everything is connected: smartphones, home security systems, refrigerators. There’s even an annual connectivity conference dedicated to wearable technology, like eyeglasses with lens screens and smartclothing embedded with tablets.
We’re browsing with real-time communication and playing with complex connectivity for a population more than double what it was 40 years ago. Wealth, too, has expanded and enjoys more global distribution than before. Today’s 2 billion Internet users demand fast connectivity anytime, anyplace — and while all these changes have come upon us rapidly, we’re still working with an Internet protocol designed for a much simpler time.
Good While it Lasted
Currently, most technology runs on Internet Protocol version 4 (IPv4), written when personal computers didn’t exist and all we needed was simple mainframe communication. It was the ’80s. SNA services were the standard and TCP/IP was in its infancy. Humans numbered 3 billion — which even then seemed high — and most of the people spending money on computers lived in Japan and the West.
This “ancient” system, IPv4, uses 32-bit addresses so unique IPs are limited to 2 to the 32nd power, about 4.3 billion (4,294,967,296 to be exact). In the ’80s, that sounded like plenty. Of course, we know better now.
By 2020, forecasters predict 5 billion people and 30 billion devices — each requiring an IP address — will be connected to the Internet. The amount of traffic they stand to generate is, to put it mildly, mindboggling, but it’s not a problem we haven’t seen coming.
In the mid-’80s, someone guessed that the advent of personal computing would cause problems, so IPv4 was modified to introduce private IP addresses. Problem-solvers carved three subnets out of the entire address space and declared that they wouldn’t be routed over the public network; they could be used and reused within private LANs as many time as needed. This allowed IPv4 to stretch another 30 years. It did help, although IPv6 arrived in the ’80s we might not be having this conversation right now.
Private IP addresses conjured up NAT, or Network Address Translation. Your edge router or firewall builds a connection tracking table for every internal workstation to the Internet and vice versa. Outbound, it changes the source IP address from the private workstation to the public IP assigned to your company. There’s usually just one IP for your entire company, no matter how many thousands of workstations your local network may have. This is a great concept, but it does cause issues with things like voiceover IP (VoIP) and quality of service (QoS), which require true end-to-end connectivity.
Private IP addresses create a nice shield so the world doesn’t know the actual IP or even number of workstations your network has. Some consider this a nice security protection, although given the ease with which hackers penetrate networks today, I’m inclined to see it as an illusion of the past that clearly demonstrates that NAT is not a true protection.
Private IPs were just a stopgap, though, and it was widely reported in 2010 that IPv4 addresses were about to run out. In Asia and Europe, the Regional Internet Registries (RIRs) associated with the authority that controls the assignment of global IP addresses, the IANA, found themselves fresh out of IP addresses. What’s been distributed is all there is left, and ISPs are simply recycling what they have.
The U.S. is said to have a few million IPs left, but that’s not many. ISPs are juggling what they have, trying to make do. However we look at it, we no longer have IPv4 IP addresses to assign to new users.
Even if we had more IP addresses to go around, the protocol would still need to evolve. IPv4 was written for small networks and has some inherent issues that bog down connectivity. Every day, the IPv4 Internet infrastructure trembles on collapse. Have you noticed — perhaps ever-more frequently? — serious slowdowns, routing losses and connectivity issues over the Internet? It’s not always your service provider. IPv4 wasn’t built for today’s massive networks and hence produces incredibly large routing tables, which are hard to manage. It forces routers to do CRC on every single packet they handle, even though modern equipment does that at the hardware layer. It has no inherent QoS and flow-control capabilities and, all in all, is not the protocol for future.
Several years ago, an ISP in the Czech Republic made a mistake in the routing table of a large edge router — a single mistake that propagated around the globe and caused half of the Internet to go down. These are things we can no longer afford. We built the Internet as a resilient, multi-redundant network that would be up no matter what. That concept sparked the birth of the Internet. And now we find ourselves with an infrastructure so congested it’s perpetually on the brink of collapse. This is unsustainable.
IPv6: A Solution for Today’s Internet
In the early 1990s, developers already sized up IPv4 as insufficient and began working on a solution. First, they established an address space of 128 bits, making the number of available addresses 2 to the power of 128, which equals 340 followed by 36 zeroes: 340 undecillions (or 340 sextillions, depending on who you ask). Speculators say this number exceeds the stars in the universe — a number we’re not about to exhaust anytime soon. We can address any device we want, plus every grain of sand, and still have IPs left.
Addresses will also be distributed more democratically, avoiding the initial issue of IPv4 where the U.S. gobbled the vast majority of IPs. (There are organizations in the U.S. that own entire Class A subnets totaling 17 million IP addresses. What private organization could ever need that many public IP addresses?)
In another change, IPv6 IP addresses are defined as Unicast (global or link local), anycast and multicast. Broadcast is now seen as a special case of multicast, and there is no more NAT. Since we have so many IPs available, there’s no need to mask them behind private versus public. Security supporters of the NAT concept are appalled, but then again, NAT wasn’t offering much protection anyway.
Designers built the new protocol by learning from the past. It simplifies routing and avoids CRC at layer 3, improving traffic flow; it incorporates flow control, improving QoS and VoIP. There’s plenty yet to be tested, but — fingers crossed — IPv6 should solve a lot of problems.
The Long and Winding Road to IPv6
IPv6 will have more efficient routing, more efficient packet processing, direct data flow and simplified network configurations. It will offer real, robust QoS and true end-to-end connectivity, plus embedded security. Despite the pros, the U.S. adoption falls at less than 5 percent. According to Google, Romania is winning the race with a mere 9 percent.
If IPv6 is such a godsend — and the world is hungry for routable IP addresses — why the delay? It’s a complicated issue, but here are some of the predominant reasons IPv6 adoption is flagging:
- First of all, IPv4 has been around for 40 years. The bugs have been ironed out and, if not, there’s a workaround. Second, it’s easy to come by network engineers who are crafty in the art of routing IPv4 and handling even very large networks. That’s not the case with IPv6: We’re bound to find lots of bugs in the protocol, lots of bugs in the devices that handle the protocol, and we have very, very little expertise. Try hiring someone with certification in IPv6 — my bet is you’ll score zero candidates.
- Another key hurdle: The two protocols are absolutely incompatible. The IP addresses aren’t easily translatable and the headers also clash. Getting a network to “speak” IPv6 is an expensive proposition. Your network gear will need to be reconsidered, and if your routers and switches don’t speak the IPv6 language, you’ll need to upgrade. Recently purchased workstations might work, but Windows XP users are out of luck. Firewalls are iffy, and you may need to review the configurations if you want to use them with IPv6. Remember, IPv6 has no concept of NAT, so all those nice port forwarding statements have to go. You’ll need to ensure your inbound policies are truly tight, and it might be time to review your egress policies as well. Without NAT, the firewall configuration becomes even more important. Things like “Accept All Traffic Outbound” are no longer recommended (not that they ever were, and without the proper firewall, you’ll have IPs directly exposed and routable over the Internet.
- Having IPsec built into the protocol can be a problem for those who want to control what flows through their firewall. Embedded encryption is nice, but it also causes problems.
- The expenses you encounter to actually start using IPv6 can be daunting. And once you do, who will you be talking to? You’ll likely be part of a very small group speaking a language no one else understands. The Internet is made to easily communicate with the world; so what if you speak a protocol no one else does?
Despite the impediments, IPv6 is coming. A group called the Internet Society organized World IPv6 Day in 2011, followed by World IPv6 Launch days, held each June. President Obama issued an executive order to mandate that all government agencies would have to be using IPv6 on their public websites by September 2012. (That didn’t quite go as planned.)
Companies like Google, Yahoo and Facebook have started using both IPv4 and IPv6 IP addresses on their servers. Some companies, like Network Box, are IPv6Ready certified. Network Box devices seamlessly translate the protocols at every OSI layer from 3 to 7. Using a Network Box, or a similar gateway device, you can maintain a private LAN using IPv4 while using IPv6 to talk to the rest of the world.
Devices like these should encourage the transition. If companies can start using IPv6 without having to change all their network gear and without having to hire expensive and rare expertise, we’ll likely see a rise in adoption.
Despite the industry dragging its feet on the transition from IPv4 to IPv6, it will happen, and there are already organizations forming to help you through. A group of international universities formed IPv6Ready.org, which defines a series of test tools companies can use to verify their devices are using the protocol correctly and that they’ll be able to communicate when put in a network with other vendors’ devices. This will come in handy after you’ve invested in network devices that speak IPv6, and are looking to guarantee that the dialect is compatible with other brands’ routers, and that implementations by various vendors are actually compatible. The group’s website also lists devices that have obtained IPv6 certification. Check the list before you buy!
Should You Invest in IPv6 Certification?
What about you? Should you invest in IPv6 certification? Well, it certainly wouldn’t hurt — and it might land you a very good job. We can’t continue to pretend it’s OK that we’re out of IP addresses, nor can ISPs recycle IPs forever. We need to forge a path that includes widespread adoption of IPv6, whether we like it or not. So, yes, go ahead and get certified. It won’t be a waste of your time or resources.
I’ve tried my best to explain and rationalize the concept of IPv6, but it’s hard to squeeze all the details into one blog post. For a more thorough look at “IPv6 and What it Means to You,” listen to the webinar I hosted for CompTIA late last year. And if you want to get in touch, leave a comment in the box below.
Pierluigi Stella is chief technology officer for Network Box USA and has an extensive knowledge of security issues with emphases on the financial, banking, healthcare, education and hospitality and travel sectors.
