IPv6: Where to begin?

Complacency regarding IPv6 isn't an option for IT types. IPv6 is coming and we need to acknowledge that. Michael Kassner is ready to dive in and demystify IPv6. What concerns you the most about the switch?

Most veteran IT types (including me) are leery when it comes to any kind of change; even thinking about converting networks to IPv6 seems like a bone-chilling bad dream. In order to make the transformation (sorry, it’s coming) easier, I’d like to initiate a dialogue about Internet Protocol version six (IPv6). My ultimate goal is to help everyone (me too) feel comfortable with IPv6.

I’m in a bit of a dilemma though. Where should I begin? I’d really like to hear what you’re concerned about and what you’d like to see covered.

First some history

Right now, Internet Protocol version four (IPv4) is the dominant, IETF-approved Internet protocol, meaning IPv4 is the common digital language our computers use to communicate on the Internet. IPv4 is a data-oriented protocol designed for packet-switched networks (e.g., Ethernet). It’s a best-effort protocol: IP itself gives no guarantee of delivery or correctness of the data. That’s handled by Transmission Control Protocol (TCP), which is defined along with IP in the Internet Protocol Suite. In simple terms, TCP and IP are the Internet protocols that do the same thing as snail mail addressing.

Why IPv6?

Initially, IPv6 was developed simply because there aren't enough addresses (IP addresses to be exact) available using IPv4. If you are interested, the exact number of IP addresses using IPv4 is 2 to the power of 32, or 4,294,967,296. That may seem like a bunch, but most experts agree that the number of IP addresses available in IPv4 will run out by 2010. That prediction is partially based on the fact that there are 6.7 billion (6,720,539,678) people inhabiting our planet right now, and a large percentage of them will be needing at least one IP address.

In comparison, IPv6 has 2 to the power of 128, or 340,282,366,920,938,463,463,374,607,431,768,211,456 available IP addresses. To gain a perspective on that, IPv6 allows each of the 6.7 billion people alive today the option of having 2 to the power of 95, or 39,614,081,257,132,168,796,771,975,168 IP addresses. I suspect that many addresses should be enough for a while.

Ancillary benefits of IPv6

Like most version upgrades, IPv6 eliminates several negative components that have been uncovered in IPv4. Just to whet everyone’s appetite, some of the enhancements are:

  • Auto-configuration of IP addresses is substantially less complicated.
  • Route aggregation and the ability to have several levels of hierarchy are now possible.
  • IPv6 requires end-to-end security (IPsec), a huge improvement since IPv4 has no inherent security.
  • Management traffic is more streamlined and robust.

These improvements may not sound like much, but they are when you look at them more closely. I’d like to save the explanations until later when we get into the specific details, and that’s only if you’re interested in knowing those details.

What to cover?

I’ve just touched the surface as to what IPv6 will bring to the table. IPv6 will also require a whole new way of thinking about IP addresses and the Internet Protocol itself. I’ve started the following list of topics that seem important to me:

  • How are IPv4 and IPv6 similar?
  • How are IPv4 and IPv6 different?
  • What makes IPv6 better?
  • What is IPsec and is it secure enough?
  • How does the new IP addressing scheme work?
  • What will it take to transition to IPv6?

I’m sure there are more topics to discuss, and that’s where I’d like your help. Please let me know what should and shouldn’t be covered.

Final thoughts

IPv6 is very important, yet it’s relatively unknown and potentially a very boring subject. I’ve read countless articles and white papers about IPv6, and most are gibberish. With your help, I’d like to try and do it right, that way we all will have a better grasp of what’s in store for us.


187 comments
kenrwoodson

Monstrous amount of hosts and possibly RIP to IPv4 subnetting and CIDR (maybe DHCP, too.) But I have heard that those packets can circumvent an IPv4 firewall; an easy way to "breach the Trojan walls." But it's a good change since not too many future admins would need assistance in operating a network with 1 quadrillion hosts (a nice time for I.T. undergrads like myself to finally graduate). Though the only negative is the complacency of decimal numbering. Get those hexadecimal multiplication tables ready... ;)

George@2ndfloorcomputers

Is this a chicken and egg issue? If my ISP does/can not assign me an External IPv6 address, can you really change much? Or even start testing a test network? Can you have your Router with an outside IP address with IP6, and your internal network with IP4 address? Or vice versa? I'm just getting started with this whole IP4/6 problem, so forgive me if this is a dumb question.

mail

Great work Michael..... Efforts are being made to promote IPv6 globally by all the task force.... We are Experts in IPv6 technical writing..... for more details please contact www.futuretechwriters.com mail@futuretechwriters.com

Michael Kassner

I first want to thank everyone for the tremendous response. I appreciate all of the amazing comments and suggestions. I've been compiling a list of what seems to be the main concerns and topics that need to be discussed or cleared up. I have listed those below:

1. A simple overview of IPv6 and the differences between it and IPv4.
2. IPv4 and IPv6 coexistence, what does that mean?
3. What will happen with older machines? What devices support IPv6?
4. How to add IPv6 to new and or existing networks?
5. What about having IPv6 perimeter IP addresses and IPv4 IP addresses on the internal network?
6. If IPv6 is enabled on devices in an IPv4 network with IPv4 only firewalls, what does that really mean?
7. How IPv6 addressing works and concrete examples. Explain IPv6 IP address short-hand.
8. On-line resources for IPv6.
9. List of IPv6 ready applications, drivers, etc.
10. What MS operating systems support IPv6?
11. How does IPv6 impact security? What is IPsec?
12. IPv6 ready firewalls and do they actually work?
13. Privacy concerns with IPv6.
14. Will common networking tools such as Ping work with IPv6?
15. Explain the misconception about IPv6 and private networks.
16. How does DHCPv6 work? What are the differences between it and DHCPv4?
17. How does DNSv6 work? What are the differences between it and DNSv4?
18. How are packets fragmented in IPv6 and how does that compare to IPv4?
19. Mobile devices and IPv6.
20. Is there some kind of a time-line for ISPs and backbone networks to implement IPv6 if it's not already in place?
21. When do I need to start the change over process?

Does that list make sense to everyone and did I miss anything? I also wanted to mention that I'm working on getting some podcasts or email dialogues going with several IPv6 experts. Is there a preference as to podcast versus written Q&A? Again, thanks for the response and keep it coming. Edit: I forgot how to count, Dahh

The 'G-Man.'

I think we are going to see a split in the addressing schemes used. Internal networks will still use IPV4 for some time while the public Internet and Telco connections in general will be the first to swap to IPV6. We will have to live with some kind of NAT device (well we do anyway, firewall normally) for a few years while vendors sort themselves out. Finally all the vendors will have the correct kit and software perfected to allow the internal networks to function as easily as IPV4 does.

greg.hruby

IPv4 addresses Example: 192.1.2.34 IPv6 Node Addresses Example: 3ffe:ffff:101::230:6eff:fe04:d9ff. Anybody anticipating problems with applications where the installation process includes "customizing" an .ini or other file that passes the IP address of partner servers or resources? If the application isn't written to pass along a field of information that is up to seven 4-character hexadecimal addresses - I can see blown apps being the problem because they can only pass partial addresses. + like switching all the roadway signs to aramaic or pictures. oh it'll work - but .... It sounds like Y2K - the anticipated problems aren't the ones everyone's gonna have.

tom_housden2k8

I first encountered ipv6 by mistake. I am a computer engineer, and a customer encountered a problem with changing broadband providers. In the Device Manager suddenly appeared this 6to4 Adapter. I disabled that but it still wouldn't connect. No connectivity for both ipv4 or ipv6. No problems with the network adapter, so looked up 'incompatibilities with ipv6 and Vista'. Lots of problems. Solution: I disabled ipv6 and it was okay! Another example: One of my other customers came home from Portugal and suddenly couldn't connect; I disabled ipv6, everything was fine after!

j@n

Thank you Mike, It is definitely a good read for all the IT professionals especially one dealing extensively on the web front. Just one thing that concerns me is the compatible transition from IPv4 to IPv6. I just hope there aren't any complications that will erupt with the implementation. Thanks again. j@n

steelejedi4

I have recently qualified with the CCENT certification and in the course work we covered slightly the IPv6. To me this seemed daunting, but as I progressed through the course, I found that it is really a better system. Although the numbers are longer I suppose people thought IPv4 was daunting when it was first announced. But IPv4 was only brought about to supply numerical translations for what was thought to be a Government/Military access point for security. When the whole internet thing started to snowball it should have become apparent that there would be need for bigger better protocols, so I am surprised it took this long to come up with IPv6. So I say bring it on, let's all learn new things, as that is what life is all about isn't it, gaining knowledge to be able to better understand the future.

amitabh.singhal

Principally, I agree with the need to prepare for transformation. In India the Internet industry has been talking about it a bit, but apart no one seems to be able to overcome the commercial and economic obstacles, apart from the fact that, no one seems to be getting hurt by not switching over to IPV6. The thinking being - why try upset the applecart and commit financial harakiri in an already tough economic situation. BTW, the figures about IPV4 (4.3 billion addresses) - with just about 1.1-1.5 billion people only using the Net out of 6.7 billion and most folks serviced on dynamic allocation rather than fixed IPs, are we really going to run out of addresses that fast? Don't get me wrong - I do believe-in-principle in the need to upgrade to IPV6, but 'running out of IPV6 addresses' kind of reasoning doesn't seem to be making much of an impact. Probably there needs to be a higher class of justification for people to seriously put their hard earned and easily lost money into IPV6. Regards. Amitabh Singhal, India

seanferd

What plans may the owners of network real-estate have for implementing v6? I've not really heard anything about this for some time, and implementation is always projected into some indefinite future.

Craig_B

After reading the original post and all the replies it seems that IPV6 really needs more discussion. I think most IT folks think "yeah, I know it's coming tomorrow, however I need to worry about today's problems". Just like the campaign to get the word out on DTS TV and what that requires, a similar IT community campaign may be needed. I think the basic background of what is IPv6 and why we need to change is good but what is really needed is how do I get there from here.

jalspach

For me, the last three points are of the most importance. # What is IPsec and is it secure enough? # How does the new IP addressing scheme work? # What will it take to transition to IPv6? While the other points are interesting, I am not looking to be sold on the switch so I do not need an exhaustive discussion up front on the differences / similarities of IPv6 vs IPv4. And the benefits of V6, for me, could be summed up with some bullet points. If I want more info on a specific feature, I can google it.

rich.geddes

I've taken some classes that describe ipv6 and it is described as **simpler** than ipv4. There are less fields in the header, etc. The problem that I've encountered in trying to use it, is that the implementation seems to be changing... the IETF seems to set something in writing, and thereafter "deprecates" it.. great word... it's a euphemism for .. "oops I messed up... let's try it again..." what we need is good solid information and examples that work across OS's... this protocol should be OS independent. Most IT people don't have time to learn information that is deprecated or confusing. The statistics for its adoption alone tell the story. I think ipv6 **is** simpler... the ietf specs and subsequently the education are messed up... too much politics on the committee, or too many unqualified people pulling those levers... maybe.

syedumairali

I would also like to know what will be the fate of the OSI model, especially layer 4. Will that remain the same, and how would the packet size increase? I am thinking from the perspective of low bandwidth links, where we require small packet size. Please comment.

tptbusines_98

If you go to www.ipv6.org, there is plenty of information available on the subject. Microsoft and Cisco have information on the subject. Also, O'Reilly books "IPv6 Essentials" and "IPv6 Network Administration" should be a great help too...

Michael Kassner

I'm not sure how they even guess that. I've seen sites that even had a clock type application doing a count down. I've heard anywhere from 2010 to 2012. I guess we will have to see.

amos

What really happens to my company net access if it or my ISP network doesn't transition in time?

wdewey@cityofsalem.net

This is not to be argumentative, rather this just seemed to be a good place to put my opinion. Personally what I see is ISP's running a dual v4/v6 backbone with incentives to switch to v6 addressing as people feel the address crunch. I have been thinking about NAT between v4 and v6. One of the major issues is that if there is a 1 to 1 relationship between v4 and v6 addresses then v6 addressing would be limited to the same number of addresses as v4 (or rather any addresses outside the translation would not be reachable by v4 only networks). That would lead me to say that the router doing the translation would need to dynamically assign v4 addresses (basically make up addresses on the fly). This would mean that it would be necessary to modify DNS requests and remember translations for longer than they remain in cache on the device requesting them. A system like this would also not be able to handle any static requests like typing an IP address into the address bar of a browser unless they were statically created on the NAT device. Well, the more I hear about this and the more I think about it the bigger the problem becomes if we don't switch before the v4 address range becomes depleted. Bill

Michael Kassner

This is one aspect of IPv6 that I'm having a difficult time finding any real data on. As you mentioned it could very well be the sleeping dragon. It seems that the only way to really know is to jump in and see what breaks. I was hoping to compile a list of applications/versions that break right now. It's a slow process though. I'd love to hear from members having examples of applications that do break.

Michael Kassner

I'm researching that aspect right now as part of the series. I'm also trying to get some information from MS as to what is happening. Maybe a member here has the answer as well.

Michael Kassner

Just make sure to stay tuned as more articles are coming on IPv6. I've a lot of questions to answer.

amos

Was invented in the early 1990's to solve the problems of Internet expansion exactly as you said you were surprised hadn't been done. Only... few wanted to transition, and the 90's ended in panic over Y2K. Somebody invented a NAT box and the pending 2001 last IPv4 address jumped back to about 2015. So... nobody needed IPv6 anymore, and few wanted to think about transition after the Y2K costs... ... now in 2008 we have no miracle to replace NAT... need I say more?

Michael Kassner

I like what you said and that's what I'm about as well.

Michael Kassner

All the information I've come across is pointing to us running out of IP addresses sooner than later. The explosion of smart phones and other Internet-facing devices will rapidly use up the remaining IP addresses according to the experts. I'm surely not an expert, I just want as many members as possible to have a good idea as to what is coming.

jdtaylor1

people are complaining about remembering ip addresses for v6 but what about DNS Servers. Does DNS need to change for IPV6 implementations? I read this somewhere. The DNS servers must be able to support registration and querying for IPv6 AAAA resource records. DNS servers are also required to support DNS queries over IPv6.

wdewey@cityofsalem.net

1. IPsec is a protocol that is used to carry an encrypted payload and/or tunnel packets. It is most often used in a VPN scenario and is one of the most secure communication methods that I am aware of, if properly implemented. NOTE: Just because IPv6 has IPSec built into the stack does not mean that every packet will be encrypted. 2. I don't currently have an answer to this. 3. I get the impression that there will be more upcoming articles on IPv6 that will answer this question better than I can here. Bill

amos

The admin-relevant details of IPv6 are pretty much set. Most of the confusion I've seen over the last year has been caused by people who know IPv4 fairly well. All these suggestions of 'make v6 do v6-v6 NAT', 'private v6 network numbering areas', 'DHCP assignment of addresses', 'packet fragmentation' etc. are done without taking into account why the feature of IPv4 even exists. All those I've listed exist only to take an IPv6 feature and twist IPv4 into doing it too.

Patrick Bowman

IP is layer 3, regardless of version. It has no effect whatsoever on the OSI Model. Packet size is not going to increase unconditionally. Header size in v4 is 20 bytes, more if options are added. Header in v6 is standardized at 40 bytes. As stated in another response, minimum MTU is increasing to 1280 bytes, so if this is a concern, plan early to address it.

pavelonsky

Obviously there will be changes on the OSI model, I guess IPv6 will surround some levels, 4 and 5 maybe, and I think it will be shorter than the TCP/IP model.

amos

Yes, this is the current biggest risk of migrating over. Checking each application and service on the network is still a big effort. Each of the IPv6 projects and proponents have their own lists. Often published. Of apps which work or have patches. Most lists are quickly outdated and very, very incomplete. The transition road map is to transition the network hardware and apps over one by one. Starting with firewalls, and working down to web servers. My list is: hardware, firewalls, timeservers, admin systems, billing system, routers, OS, clients, email, ftp servers, web services (HTML, Java apps etc), web servers, news, other bits. Though specifics may vary on your network. If you want v6 capable apps look to the open-source community software. Most of that is ready or underway now. (some bias on my part)

amos

... was NAT !!! Irony. When a 6to4 tunnel interface generates a global IPv6 address for the host, it uses the public IPv4 assigned as part of the v6 prefix to tell remote sites what IPv4 interface you are routing through. So that other IPv6-enabled boxes can send data back to you through. For example: The far end gets told to tunnel data back over IPv4 via 10.0.0.10. Which is the Vista box's official public IPv4. Fun.
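
Added example, not part of the comment above or of the original article: a 6to4 address carries the host's IPv4 address in bits 16-47 of the `2002::/16` prefix, so a defender can decode it from an inventory or log and flag hosts whose embedded IPv4 is a NAT-side address and therefore has no working return path. The function names, the non-routable range list and the sample addresses are constructed for illustration; `192.0.2.1` is a documentation address standing in for a public one.

```python
import ipaddress

# Ranges a host normally holds only behind NAT or without real connectivity
# (assumption: this short list is enough for the illustration).
NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918 private space
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",   # CGNAT, link-local, loopback
)]


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:V4ADDR::/48 prefix a 6to4 host derives from its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 0x2002 fills the top 16 bits, the IPv4 address the next 32.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def check_6to4(addr: str) -> dict:
    """Decode a 6to4 address and say whether replies can be tunnelled back to it."""
    v6 = ipaddress.IPv6Address(addr)
    embedded = v6.sixtofour  # None unless the address is inside 2002::/16
    if embedded is None:
        return {"address": str(v6), "is_6to4": False,
                "embedded_ipv4": None, "return_path_ok": None}
    routable = not any(embedded in net for net in NON_ROUTABLE_V4)
    return {"address": str(v6), "is_6to4": True,
            "embedded_ipv4": str(embedded), "return_path_ok": routable}


def broken_hosts(addresses):
    """List the 6to4 addresses whose embedded IPv4 cannot be reached from outside."""
    return [a for a in addresses if check_6to4(a)["return_path_ok"] is False]


# Constructed sample inventory: a 6to4 host behind NAT (10.0.0.10, as in the
# comment), a 6to4 host with a stand-in public address, and a native address.
SAMPLE = ["2002:a00:a::1", "2002:c000:201::1", "2001:db8::1"]

if __name__ == "__main__":
    print(sixtofour_prefix("10.0.0.10"))
    for address in SAMPLE:
        print(check_6to4(address))
    print("no return path:", broken_hosts(SAMPLE))
```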

pgit

This MTU change looks like it could be one reason why NAT between v4 and v6 is difficult... ? So I'll shift gears; is it possible to NAT v6 to v6? It would be nice to prevent "trusted" IPv6 addresses from getting out beyond a firewall.

wdewey@cityofsalem.net

There are a number of protocols that span several layers of the OSI model (telnet, FTP), but that doesn't change the model. I don't know if v6 spans more layers than v4, but I kind of doubt it. Bill

Michael Kassner

Amos, I value your comments on this article. It seems that about three or four of the members have real-world experience with IPv6 and it's been invaluable to read all of your comments.

Michael Kassner

I had wondered if that was a viable path and why the other member blamed NAT for the problems. Thank you very much for sharing that information. I had guesses but no real experience to base any opinions on.

amos

I'd normally expect it to. For IPv4... I had an internal machine a few months ago which showed the same symptoms though. The servers were properly 6to4 numbered and the Vista clients were not. In that case the client private->server external tunneled packets would go out the client to some border router where they were NAT'd out of the network. And immediately looped back in again as destined for the server. The return packet from server used 6to4 routing shortcuts, server internal -> client internal. With no NAT. Vista client firewall then dropped packets from an 'unknown' third party response. As you say, not too sure it was NAT or firewall or routing at fault for those cases. But it caused clients to face border firewall security instead of internal security.

Michael Kassner

Hello Amos, In my examples the IPv6 machine couldn't even access internal servers, so that eliminates NAT, right?

wdewey@cityofsalem.net

I hear this a lot, but I don't understand it. First I want to get terminology correct. When I hear most people talk about NAT I assume they actually mean PAT because they are talking about home routers which most will not do a true NAT translation. So with PAT, how easy is it to initiate a connection from the outside or hijack an established connection and how is that different than what a standard home firewall does? Of course NAT/PAT will not protect against any social engineering attacks (which a firewall on the router probably won't either). This means that good anti-virus software and security awareness is necessary. If you get a high end application firewall it may block malicious content from infected web sites, but, again, a standard home firewall will not. A good software based firewall on the machine is also a good additional layer so that outbound connections can be evaluated before allowing. Outbound connection can be blocked from a router based firewall, but they would have to be statically configured which I don't see a home user doing. As a buffer from scanning and malicious network based attacks from outside the local network I see NAT/PAT as very effective and I recommend everyone that asks to purchase a router just for this feature. Bill

amos

... is a big hurdle and red-herring for the people who have fallen in love with DHCP address assignment. It usually assigns them as ::2, ::3, ::4, ::5... Which is trivial to scan and break. For example; the person who was demo'ing addresses earlier used ...::408, which indicates DHCP on that (fake) network. They have just betrayed the entire network of apparently 400+ hosts to scanning attacks.

derekmorr

Re: 1 - That's unlikely. The current plans to deploy IPv6 to customers are to delegate a /64 or a /56 to each customer. Re: 2 - How do you think your addresses are unknown? It's possible to tunnel through NAT, and several attack vectors do not require NAT. Just because you are behind NAT does not mean you are safe. Re: 3 - Why do you think that?

Dumphrey

removes any doubt as to which computer was logged. So the IRAA can sue a specific person on a campus, business etc for IP theft etc. It adds better accountability to the net and significant improvements in behavioral tracking (read better advertising revenue). But that's just the conspiracy nut in me coming out.

pgit

1. I suspect at some point in the future, once all devices (incl your credit card) are individually addressed the billing structure will take this into account. NAT would allow multiple devices to appear to be one. 2. I know NAT is not a security measure, but it is comforting to know local addresses are unknown to the outside. I have no interest in 'end to end' for my "convenience." 3. not a reason, really, but I doubt IPv6 will be able to be entirely fire walled. I've said it before, going back to when the idea was first floated; I am convinced there's an agenda behind v6 well beyond the stated.

Patrick Bowman

NAT was created as a band-aid b/c we were running out of addresses. IPv6 was created to fix the problem. If you are relying on NAT as a layer of security, you might want to re-evaluate your security. NAT is fairly easy to beat for anyone looking to get in. As far as the v6 NAT question, no: http://arstechnica.com/news.ars/post/20080722-after-staunch-resistance-nat-may-come-to-ipv6-after-all.html Last paragraph addresses what I think you are asking.... "So far, nobody has seriously suggested a one-to-one IPv6 NAT, let alone standardizing an address sharing NAT for IPv6"

chaapala

The IETF would tell you that there is little security in obscurity. Your firewall should control access, not hiding in a NAT. Also, the size of an IPv6 address, even just the 64-bit host portion, is generally considered too large to "crawl" to pick up hosts. In other words, before an attacker did enough "pings" or equivalent in order to find one of your hosts, your firewall software should have long since paged your admin that a scan is being done. Your concern is one that is held by many, though.
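
Added example, not part of any comment above or of the original article: the comment on sequential DHCP assignment (`::2`, `::3`, ... `::408`) and the comment on the size of the 64-bit host portion meet in one audit, which checks how a subnet's interface identifiers were actually chosen. The categories, the `LOW_IID_LIMIT` threshold and the sample inventory are assumptions made for illustration, and the inventory is assumed to come from a single /64.

```python
import ipaddress
from collections import Counter

IID_MASK = 0xFFFFFFFFFFFFFFFF   # low 64 bits = interface identifier (IID)
LOW_IID_LIMIT = 0x10000         # assumption: IIDs below this count as low-numbered


def iid_of(addr: str) -> int:
    """Return the interface identifier (host portion) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def classify_iid(addr: str) -> str:
    """Classify how the host portion of an address appears to have been chosen."""
    iid = iid_of(addr)
    if iid < LOW_IID_LIMIT:
        return "low-numbered"    # ::2, ::3, ::408 style assignment
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"           # ff:fe in the middle: derived from the MAC address
    return "opaque"              # no obvious structure


def audit(addresses):
    """Summarise one /64: category counts and the longest run of consecutive IIDs."""
    counts = Counter(classify_iid(a) for a in addresses)
    iids = sorted({iid_of(a) for a in addresses})
    longest = run = 1 if iids else 0
    for prev, cur in zip(iids, iids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        longest = max(longest, run)
    predictable = counts["low-numbered"] + counts["eui64"]
    return {
        "counts": dict(counts),
        "longest_sequential_run": longest,
        "predictable_fraction": predictable / len(addresses) if addresses else 0.0,
    }


# Constructed sample inventory in the 2001:db8::/32 documentation prefix.
# The EUI-64 style host portion reuses the one from the 3ffe:... example
# quoted earlier in the thread.
SAMPLE = [
    "2001:db8:1:1::2",
    "2001:db8:1:1::3",
    "2001:db8:1:1::4",
    "2001:db8:1:1::408",
    "2001:db8:1:1:230:6eff:fe04:d9ff",
    "2001:db8:1:1:8d3f:52a1:c7e:91b4",
]

if __name__ == "__main__":
    for address in SAMPLE:
        print(f"{address:40} {classify_iid(address)}")
    print(audit(SAMPLE))
```

A subnet that reports mostly `low-numbered` hosts or a long sequential run does not get the protection of the 64-bit space, so firewall rules and scan alerting have to carry that load.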