Are you planning your transition from IPv4 to IPv6? If you’re just getting started, this blog post covers key IPv6 basics you need to know in 2017 as you prepare for your eventual migration. I recently invited IPv6 expert Jeff Harrington of NYSERNet to give an overview of the IPv6 basics, including what IPv6 is and why it’s important, in our webinar “What You Need to Know About IPv6 in 2017.” Jeff is a self-declared “IPv6 evangelist, while also being an IPv6 realist.” I highly recommend watching the full 60-minute recording, but if you don’t have time, take five minutes to check out some of the main points of his overview below. I guarantee you’ll learn something!
What is IPv6?
IPv6 will eventually replace IPv4 as the standard for addressing hosts and devices. While still in full production, IPv4 is becoming a legacy protocol and will eventually be phased out. (Yes, you’ve heard it for years, but it’s truly on the cusp.) You can assign IPv6 addresses to anything: hosts, servers, network devices, routers, switches, appliances, BYOD devices—anything with an IP address.
In format, IPv4 addresses are only 32 bits long, while IPv6 addresses are 128 bits long. IPv6 addresses are written in hexadecimal with colons as separators, so if you’re used to typing IPv4 addresses in decimal, the colons will take some getting used to.
Why do we have to transition to IPv6?
The primary reason for IPv6 is the depletion of the IPv4 address space. There are 3.4x10^38 possible IPv6 addresses, providing a vastly larger addressing space than IPv4 did (which only offered 4.3 billion addresses).
It’s been known for 20-25 years that IPv4 would run out of addresses. Mitigation technologies like VLSM, CIDR, and NAT have extended the life of IPv4, but even with all those strategies, in the fall of 2015, ARIN announced we were essentially out of IPv4 addresses.
What happens when we’re totally out of addresses? Providers are reclaiming unused addresses to continue to use in the interim. While we could continue to put addresses behind a NAT, NAT tends to break a lot of real-time communication, so a lot of providers are looking to IPv6 to get all their technology onto the network.
Has there been any progress with IPv6 transitions?
We’ve heard dire warnings that we’re running out of IPv4 space, but nothing’s happened. Has there been any progress toward IPv6 in the last 20 years? It may not seem like it, but almost any device you will need to worry about—modern desktops, mobile phones, network hardware, security devices, etc.—should now support IPv6. Some older systems (your HVAC, for example) that don’t tend to be as intelligent may have IPv6 limitations.
What about service and content providers? Most service providers are running IPv6 as a production service, so any national or international provider should be running both IPv4 and IPv6 with the same level of support. Most regional providers do as well, but some may not be there yet. In addition, the majority of cellular carriers also provide IPv6. The large content providers have been running IPv6 for years, including Google, Facebook, Netflix, AWS, Yahoo, and more. This year, Apple made an announcement that any app placed in the app store must support IPv6. Clearly, content providers know this is something they need to worry about as well.
Why move to IPv6?
Every business will have varied reasons to move to IPv6. Here are a couple that may be true for you:
- Business growth. From mobile devices and applications to the Internet of Things, the shift for many will be driven by the growth of Internet-enabled devices connecting to their network—especially wireless-ready devices.
- Your customers are there. Now that many service providers have already transitioned, if you’re selling products or services to people who have already transitioned to IPv6, you will want to move as well.
- Better performance. IPv6 performs better and delivers greater end-to-end visibility. By transitioning to IPv6 you’ll give your customers a better experience.
- You have customers outside of North America. If you have customers outside of North America, you’ll want to serve them effectively by running IPv6.
- You serve the federal government. In many cases, if you want a government contract, from hardware to software, you will need to be IPv6-capable.
Why move to IPv6 NOW?
The biggest reason to move to IPv6 now is security. Even if you’ve done nothing to your network in terms of IPv6, if you’re buying new hardware, it’s likely that those machines are running IPv6 by default and talking to other machines on the same subnet with it. If any of those machines running IPv6 gets hacked, it’s likely you’re not managing or monitoring it, and it could lead to a data breach, botnet attack, or network outage.
Transition time and resources are the other big reason to start now. Depending on the size of your organization, your IPv6 migration may be time-consuming. Moving 100,000 devices is no easy task. You’ll need a detailed and thorough migration plan that includes:
- Considering how many users/devices you have
- Choosing a host addressing method
- Creating an address plan
- Obtaining address space (either from your internet provider directly, or from ARIN if you are multi-homed)
How do IPv6 site addresses and subnets work?
With addressing, each site should get a /48, whether it’s from your provider or ARIN. The definition of “site” is nebulous; any portion of the network with a different routing plan or different geographic location is considered a site. Inside that “site,” end hosts are addressed from /64 subnets. Each site has up to 65,536 subnets, and each subnet is exponentially larger than the entirety of the IPv4 address space.
Two takeaways here: you will get plenty of addresses. And creating your address plan ahead of your IPv6 migration is crucial.
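A small address plan built on the /48-per-site and /64-per-subnet rule above. This is an added example, not material from the webinar; the site prefix (from the 2001:db8::/32 documentation range), the area and VLAN names, and the choice of one /56 per area are all assumptions.

```python
import ipaddress

# Constructed site prefix taken from the IPv6 documentation range (2001:db8::/32).
SITE = ipaddress.IPv6Network("2001:db8:abcd::/48")

# Hypothetical areas and VLANs; the /56-per-area split is an assumption of this plan.
AREAS = {
    "datacenter": ["servers", "storage", "mgmt"],
    "office": ["users", "voip", "guest-wifi"],
}

def subnets_per_site(site):
    """Number of /64 subnets in the site prefix (65,536 for a /48)."""
    return 2 ** (64 - site.prefixlen)

def build_plan(site, areas):
    """Give each area the next /56 (256 subnets) and each VLAN the next /64 in it."""
    if site.prefixlen != 48:
        raise ValueError("this plan expects a /48 site prefix")
    blocks = site.subnets(new_prefix=56)          # 256 area-sized blocks, in order
    plan = {}
    for area, vlans in areas.items():
        if len(vlans) > 256:
            raise ValueError(f"{area}: more than 256 VLANs does not fit a /56")
        vlan_nets = next(blocks).subnets(new_prefix=64)
        plan[area] = {vlan: next(vlan_nets) for vlan in vlans}
    return plan

def locate(plan, address):
    """Map an address back to (area, vlan), or None if it is outside the plan."""
    addr = ipaddress.IPv6Address(address)
    for area, vlans in plan.items():
        for vlan, net in vlans.items():
            if addr in net:
                return area, vlan
    return None

if __name__ == "__main__":
    plan = build_plan(SITE, AREAS)
    for area, vlans in plan.items():
        for vlan, net in vlans.items():
            print(f"{area:<11}{vlan:<11}{net}")
    print(locate(plan, "2001:db8:abcd:101::25"))
```

Aligning areas on /56 boundaries keeps the area number readable in the fourth group of the address, which makes firewall rules and log triage per area easier to write.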
How should I deploy IPv6?
Deploying IPv6 isn’t something that’ll happen over the weekend. Rather, it should be rolled out in a slow and controlled manner. Ideally your goal should be to transition to dual-stack instead of moving directly to IPv6, at least for most folks. Jeff recommends that you migrate your network infrastructure first and then move to a subnet-by-subnet deployment.
Is IPv6 as secure as IPv4?
You hear that IPv6 is more secure. That’s not true. IPv6 is neither more nor less secure than IPv4. It’s as secure as you make it, similar to your IPv4 network. If your devices are already running IPv6, and you decide you’re not ready to transition, know that your internal network is running it and you need to make sure you secure it properly, even if you don’t intend to go into production. You’ll want to make sure any tools you’re using for security, reporting, logging, endpoint management, network monitoring, and more can give you visibility into both IPv4 and IPv6 performance. If you haven’t already, you’ll want to check with those vendors and find out what kind of IPv6 support they currently offer, or what kind of roadmap they have planned.
What does IPv6 mean for NAT?
NAT was developed as a method to extend the life of the IPv4 space. NAT is not a security mechanism. Lots of people equate NAT with security, but it wasn’t the point of NAT—the point was to ensure we wouldn’t run out of IPv4 addresses. The size of the IPv6 address space is vastly larger than what’s available on IPv4. Because we don’t need to worry about running out of IPv6 addresses, we don’t need NAT. Therefore, there is no equivalent to NAT in IPv6.
What this means is that all IPv6 devices have end-to-end connectivity, which was the original model of the internet. If you’re relying on NAT to hide your users and devices, you’ll have to rethink your security policy. Otherwise, when devices become globally visible, they could be seen by people with nefarious purposes in mind. You’ll want to make sure that border security locks down what it needs to and put a greater emphasis on host security. In short, NAT is no longer something you can rely on.
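One way to check for the situation described under “Why move to IPv6 NOW?” and in the NAT discussion above: hosts that already hold IPv6 addresses nobody is managing, ranked by how far those addresses reach. This is an added example, not material from the webinar; the inventory format, the host names and the `MANAGED_V6` set are assumptions, and the sample data is constructed.

```python
import ipaddress

# Address ranges used to rank how far an IPv6 address can be reached.
RANGES = [
    ("global", ipaddress.ip_network("2000::/3")),        # routable end to end, no NAT in front
    ("unique-local", ipaddress.ip_network("fc00::/7")),  # routable inside the site
    ("link-local", ipaddress.ip_network("fe80::/10")),   # same subnet only
]
RANK = {name: i for i, (name, _) in enumerate(RANGES)}   # lower index = more exposed

# Constructed inventory ("host address" per line), e.g. an export from an asset scan.
# 2001:db8::/32 is the documentation prefix, standing in for a real global prefix.
OBSERVED = """\
printer-3f   10.20.4.17
printer-3f   fe80::21b:a9ff:fe12:3456
hvac-ctl     10.20.4.30
laptop-114   10.20.8.51
laptop-114   fe80::5c2a:11ff:fe0e:9a01
laptop-114   2001:db8:abcd:100::51
db-01        10.20.1.5
db-01        2001:db8:abcd::5
"""

# Hosts whose IPv6 is deliberately configured and monitored (assumption).
MANAGED_V6 = {"db-01"}

def scope(addr):
    """Name the reachability range an IPv6 address falls in."""
    for name, net in RANGES:
        if addr in net:
            return name
    return "other"

def audit(observed, managed):
    """Return {host: widest IPv6 scope seen} for hosts not in the managed set."""
    findings = {}
    for line in observed.splitlines():
        if not line.strip():
            continue
        host, text = line.split()
        addr = ipaddress.ip_address(text)
        if addr.version != 6 or host in managed:
            continue                      # IPv4 entry, or IPv6 that is already managed
        found = scope(addr)
        best = findings.get(host)
        if best is None or RANK.get(found, 99) < RANK.get(best, 99):
            findings[host] = found
    return findings

if __name__ == "__main__":
    for host, exposure in audit(OBSERVED, MANAGED_V6).items():
        print(f"{host}: unmanaged IPv6, widest scope = {exposure}")
```

A `link-local` finding means the host is already speaking IPv6 on its subnet; a `global` finding means border and host firewall policy for IPv6 has to exist for that host now.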
Thank you, Jeff, for giving us an overview of IPv6 basics and providing practical insights on how to start thinking about IPv6 transitions. For more insights from Jeff, watch the full webinar.