IPv6 Adoption

Introduction

The world has run out of IPv4 addresses. There are several reasons, including limited address space, poor allocation of address blocks, and a lack of foresight when the IPv4 protocol was created. The answer to IPv4 depletion was the creation of a new routed protocol, IPv6, by the Internet Engineering Task Force (IETF). IPv6 brings many improvements over IPv4, along with many challenges. Improvements include a much larger address space, decreased routing overhead, security improvements, and improvements in some configuration methods. In this paper, we will discuss the history of IPv6, compare IPv4 and IPv6, examine security improvements, and view the adoption of IPv6 by using examples of successful enterprises.

History

Internet Protocol version 6 (IPv6) was first drafted in December 1998 by the IETF in the draft standard RFC 2460: IPv6 Specification (Deering, 1998.) In 1999 the first IPv6 tunnel broker was implemented by Ivano Guardini of CSELT, an Italian research center for telecommunications. Then in 2001, Cisco Systems introduced IPv6 support on Cisco IOS routers and Layer 3 switches (IPv6, 2014.) On February 4, 2008, IANA added AAAA records for the IPv6 addresses of six root name servers, which made it possible to resolve domain names using only IPv6 (IPv6, 2014.) This, in my opinion, is the start of IPv6 becoming an accepted protocol.

Coinciding closely with the World IPv6 Launch day on June 6, 2012, hosted by the Internet Society, was the depletion event that made the world realize the inevitability of IPv6 adoption. In February 2011, the Internet Assigned Numbers Authority (IANA) allocated the final IPv4 address blocks from the addressing space. IANA has worked with the different Regional Internet Registries (RIRs) to recycle unused IPv4 address blocks to extend the life of IPv4 as much as possible. After the recycled blocks have been allocated to RIRs, IANA will have no more IPv4 addresses left to assign (Meynell, 2019.) If the world has not made a transition to IPv6 by then, the growth of the internet will be stifled.

Comparison of IPv4 and IPv6

IPv6 is like IPv4 in many ways; in essence, both are used to identify hosts connected to a network. On the other hand, the IETF implemented many improvements and changes in IPv6 based on lessons learned from IPv4 over the years.

Similarities

IPv4 and IPv6 are both routed protocols that contain destination addresses and use packet switching (Grinius, 2020.) Both also use a counter that limits the number of hops a packet can take on the way to its destination, so that packets do not loop indefinitely (Grinius, 2020.) There are also similarities in the types of addresses that the two versions support: both have unicast, multicast, link-local, loopback, and unspecified address types.

Differences

The differences between the two protocols are more pronounced. The most notable difference is the size of the address space provided by each. An IPv4 address is 32 bits, expressed in Dotted Decimal Notation (DDN), for a total address space of 4.3 billion addresses. When IPv4 was introduced by DARPA in the 1980s, nobody thought that 4.3 billion addresses would run out. Some estimate that only 14% of all available addresses are in use (Hoffman, 2020.) Combine that with an exponentially growing number of internet devices and a much larger address space is needed (Vajrami, 2019.) An IPv6 address is 128 bits, expressed in hexadecimal “hextets” separated by colons, with 340 undecillion globally unique addresses (Grinius, 2020.) This is enough addresses to assign an IP to every atom on earth (Meynell, 2019.)

Several new types of addresses were implemented in IPv6 to reduce network loads across the Internet. IPv6 has three types of addresses in the ecosystem: Unicast, Multicast, and Anycast (Vajrami, 2019.)

Unicast

Unicast IPv6 addresses can be divided further into five types. The first type is a Global Unique Address. These are routable on the Internet and are like public IPv4 addresses. An example would be 2001:581:F3D1:241F::/64. Link-local addresses are required on every IPv6 enabled interface but are not globally routable; they usually begin with FE80::/10. Originally site-local addresses were defined but are deprecated (see RFC 3879.) Loopback addresses are written as ::1/128 in IPv6 and are like 127.x.x.x in IPv4. Finally, Unique local addresses are only routable within the scope of an enterprise and are like private IPv4 addresses; they usually begin with FC00::/7 (Vajrami, 2019.)

Multicast

Multicast sends packets from one source to many destinations. To support IPv6 multicast, an interface must support the Multicast Listener Discovery (MLD) protocol and Neighbor Discovery (Deering, 2017.) A simple multicast packet flow starts with an Internet Control Message Protocol version 6 (ICMPv6) host solicitation to the router(s) multicast group. The router returns a Router Advertisement (RA) packet that tells the host the configuration parameters for the multicast group. The multicast range is FF00::/8 (Vajrami, 2019.)

Anycast

The anycast address is like multicast. The difference is that a packet from a host goes to a single selected destination based on the least expensive routing metric (Vajrami, 2019.)

Security Improvements

One benefit of creating a new IP protocol stack is that we can learn lessons from the predecessor, IPv4, which was not designed with security in mind, per se. IPv6 improves on this by building in an option that provides confidentiality, authentication, and data integrity called IPsec (short for IP security.) With IPsec built in, IPv6 is much more robust and can run end-to-end encryption (Grinius, 2019.) This is especially important for Internet of Things (IoT) devices that have a bare-bones kernel and rely on IP for security.

IPsec

There is a wide range of security technologies in the Internet protocol suite. These include Transport Layer Security (TLS), Secure Shell (SSH), and IP security (IPsec), to name some. When IPv6 was first rolled out, IPsec was included as a must, to use IETF terminology, with Internet Key Exchange (IKEv2) specified for key management. RFC 6434 updated the recommendation to a should for all IPv6 nodes (Jankiewicz, 2011), and that recommendation persists through the best current practice, RFC 8504 (Chown, 2019.) IPsec provides authentication and encryption using Encapsulating Security Payload (ESP) and Authentication Headers (AH) (Vajrami, 2019.)

SEND

Secure Neighbor Discovery (SEND) and Cryptographically Generated Addresses (CGA) give us a secure way to exchange Neighbor Discovery messages. SEND authenticates devices at connection time, making naming-based attacks like Address Resolution Protocol (ARP) poisoning more difficult (Jankiewicz, 2011.)
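The binding between a CGA and its owner's public key can be shown in a few lines. The following is an added example, not code from the original paper: it follows the Sec=0 case of RFC 3972 only (higher Sec values add a second hash condition), uses constructed byte strings in place of DER-encoded public keys, and leaves out the signature over the Neighbor Discovery message that SEND uses to prove possession of the private key.

```python
import hashlib
import ipaddress

# When comparing, ignore the three Sec bits and the u/g bits of the interface ID.
MASK = 0x1CFFFFFFFFFFFFFF

def hash1(modifier, prefix, collisions, pubkey):
    """Leftmost 64 bits of SHA-1 over the CGA parameters."""
    params = modifier + prefix + bytes([collisions]) + pubkey
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")

def cga_generate(prefix, pubkey, modifier, sec=0):
    """Build the address whose interface ID is derived from the public key."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    iid = (hash1(modifier, pfx, 0, pubkey) & MASK) | (sec << 61)
    return ipaddress.IPv6Address(pfx + iid.to_bytes(8, "big"))

def cga_verify(addr, pubkey, modifier, collisions=0):
    """Receiver-side check: does this address really belong to this key?"""
    packed = ipaddress.IPv6Address(addr).packed
    iid = int.from_bytes(packed[8:], "big")
    expected = hash1(modifier, packed[:8], collisions, pubkey)
    return (expected & MASK) == (iid & MASK)

# Constructed values: stand-ins for two nodes' public keys and a fixed modifier.
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"
MODIFIER = bytes(16)

if __name__ == "__main__":
    addr = cga_generate("2001:db8:0:1::/64", KEY_A, MODIFIER)
    print(addr, "owner key:", cga_verify(addr, KEY_A, MODIFIER))
    print(addr, "other key:", cga_verify(addr, KEY_B, MODIFIER))
```

A node that claims this address with a different key fails the check, which is what makes spoofed Neighbor Advertisements detectable.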

Implicit Security

The way that IPv6 is implemented reduces the use of address translation technologies, makes scanning and identification more difficult, and ensures unique global addresses. Since the IPv6 address space is large enough to guarantee unique addresses for every device, address translation technologies are unneeded. This makes identifying endpoints much easier (Deering, 2017.) However, empirical evidence shows that IPv6 addresses often follow patterns: nodes typically use low-byte addresses like 2001:db8::1 (Meynell, 2019), so it may be just as easy to predict IPv6 addresses as IPv4. The opposite is true for clients, which have randomized addresses drawn from the enormous address space. During the IPv4-IPv6 transition, many tunneling technologies have been introduced, with a slew of vulnerabilities. Since 2015, native or dual-stack IPv6 is possible and should be used instead of tunneling (Martin, 2015.)
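To see how much of your own address plan falls into the predictable category described above, the interface identifier (the low 64 bits) of each assigned address can be classified. This is an added example, not part of the original paper; the pattern names and the inventory are constructed for illustration, and the EUI-64 and embedded-IPv4 checks go beyond the low-byte case the text mentions.

```python
import ipaddress

def iid_pattern(addr):
    """Classify the interface identifier (low 64 bits) of one IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    b = iid.to_bytes(8, "big")
    if iid <= 0xFFFF:
        return "low-byte"          # ::1, ::53 ... manually numbered, easy to guess
    if b[3:5] == b"\xff\xfe":
        return "eui-64"            # derived from the interface MAC address
    if iid <= 0xFFFFFFFF:
        return "embedded-ipv4"     # IPv4 address copied into the low 32 bits
    return "opaque"                # no recognisable structure (randomized or CGA)

def mac_from_eui64(addr):
    """Recover the MAC address that an EUI-64 interface identifier exposes."""
    b = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02                   # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])

def audit(inventory):
    """Return {host: pattern} for every address with a predictable pattern."""
    found = {}
    for host, addr in inventory.items():
        pattern = iid_pattern(addr)
        if pattern != "opaque":
            found[host] = pattern
    return found

# Constructed inventory inside the 2001:db8::/32 documentation prefix.
INVENTORY = {
    "router": "2001:db8::1",
    "dns": "2001:db8:0:10::53",
    "printer": "2001:db8:0:20:0211:22ff:fe33:4455",
    "legacy-app": "2001:db8:0:30::c000:20a",   # 192.0.2.10 in the low 32 bits
    "laptop": "2001:db8:0:40:8d3f:6c1a:e27b:905e",
}

if __name__ == "__main__":
    for host, pattern in audit(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:36} {pattern}")
```

Hosts reported here are the ones whose addresses can be guessed without scanning the whole /64, so they are the ones that most need filtering rather than reliance on address-space size.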

Transition

One of the main obstacles to IPv6 adoption is the perceived complexity, and the estimated cost to adopt IPv6. The reality is most of the burden lies on backbone providers to implement IPv6 infrastructure and develop robust protocols to enable their clients to take advantage of IPv6. Many companies have already successfully implemented IPv6.

Complexity

The stigma of complexity comes from the long and hard-to-memorize IPv6 addresses. Successful implementations have shown that educating IT employees on IPv6 mitigates the reluctance to adopt a more complex scheme. With careful planning, you can safely run both protocols side by side (Sophos, 2020.) There are two methods to autoconfigure IPv6 addresses, which make adoption much easier. Stateful Address Autoconfiguration (DHCPv6) and Stateless Address Autoconfiguration (SLAAC) both ensure autoconfiguration that guarantees unique and secure addresses. Also, Duplicate Address Detection (DAD) is required by IPv6 and checks for uniqueness before an address is configured (Jankiewicz, 2011.) According to Andrew Dul, a Network Architect at EGATE Networks, implementing IPv6 simplified addressing, especially with identifying VLANs (Bly, 2016.)

Cost

Given that four of five RIRs are exhausted of IPv4 addresses, there is a secondary market for IPv4, making it increasingly more expensive to implement than IPv6 (Sophos, 2016.) Dan Alexander, a Network Engineer at Comcast, says that it is cheaper to deploy v6 when looking at the number of devices needed to provision and the cost to continue to buy and propagate v4 (Bly, 2016.) Even RFC 6555 works with a slight bias towards IPv6 by giving AAAA queries a slight head start over the query for IPv4 (Martin, 2015.)

Conclusion

As you can see, the transition to IPv6 is inevitable. To move responsibly to a post-IPv4 Internet, every IT professional needs to educate themselves on the intricacies of IPv6 so that they can successfully dual-stack an IPv4 and IPv6 network without opening vulnerabilities. Ultimately, IPv6 streamlines the packet routing process with simplified packets, flow labeling capability, and simpler autoconfiguration (Deering, 2017.) IPv6, through implementation and experience, will make our Internet more secure and more efficient.

References