Why you (yes, YOU) need IPv6

“There’s no business case for IPv6.” “There’s no killer app for IPv6.” “I still have plenty of IPv4 addresses.” And so on and so forth. Who knew that the IETF was so wrong when they decided in 1992 that the world needed a new Internet protocol?

Well, there may be no killer app, but let’s look at why you (yes, you) should be interested in migrating your network to IPv6. In the teeth of the naysayers.

“I still have plenty of IPv4 addresses”. Perhaps, but there are over three billion people in China and India who do not. Not to mention South East Asia, South America… These countries missed out on the first wave of the Internet, the wave where places like MIT got several IPv4 A-class networks for nothing. Vietnam in the mid-nineties was running on 64 addresses, if memory serves. A smart, skilled, ambitious graduate in say, India, looking to make his or her first million, will not be doing it with IPv4. If you want to trade with that person, you’d better speak their language – and I don’t mean Hindi or Urdu. The Chinese and Indian markets alone are poised to be near-future economic powerhouses, and you know what they say about 900-pound gorillas…

But you don’t import or export, you say? Well, new companies starting up today, even in first world countries, cannot get new IPv4 space easily, if at all. They can acquire a company with some, or get some via (ever more expensive) address trading, but the days of easy IPv4 expansion are gone. What this means is that if you want to sell off part of your company, or branch out into a new venture, you will have to divide your IPv4 address space between the old and the new, or pay through the nose in money and complexity for the addresses you need.

In short, you too will eventually run out of IPv4 addresses. If you start on IPv6 now, you will feel far less pain than if you wait until you are forced to adopt it. Apart from anything else you will have time to make your mistakes, garner experience and build expertise while IPv6 is not a mission critical technology. It’s always best to replace the engines while the jet is still on the runway. And of course, you will be ahead of those of your competitors that chose to wait.

Even if you can get away with just IPv4 for a while, new graduates will not want to take jobs that tie them to old technology. Existing skilled practitioners will likewise be looking to work where their skills are kept up to date, not somewhere where the latest and greatest is passing them by. IPv4 will soon be networking’s COBOL – still in use, but the people able and willing to¬† maintain it are getting ever harder to find, and ever more expensive.

Most enterprises running IPv4 networks have been living in that cramped cave for so long they have forgotten how to stand upright. Some are so far gone that they think getting around bent over double is not only normal, but the right and proper way to do things. So let’s look at what IPv6 gives to those prepared to embrace it.

First and foremost, an effectively infinite number of addresses. The IPv6 /48 issued by default to an enterprise site has more /64 subnets in it than an entire IPv4 /16 has addresses! And each /64 subnet has more addresses in it than the entire IPv4 Internet – over four billion times more. Leaving off the superlatives for a moment, what that means in practical terms is that one size fits all – a /64 is big enough for any currently conceivable purpose. You will never have to slice and dice subnets again. Your whole network will be homogeneous, all subnets will look the same. Administration will be easier and less error prone, and for both those reasons less costly. It will be easier and less costly to modify, expand, shrink, merge or split networks too – all operations that cause the hardiest IPv4 network designer to quail.

To consider some other advantages of moving to IPv6, we must take a short historical excursion. In the mid 1990’s, NAT (Network Address Translation) took over the Internet. We had already run out of addresses, and the world clamoured for more. NAT was adopted wholesale, especially by the burgeoning global ISP industry, starving for addresses to hand out to the newly connected masses. But the cost was great.

First and foremost NAT took away end to end transparency – the ability for any computer on the Internet to talk directly to any other computer on the Internet. We speak glibly of “peer to peer protocols”, but there hasn’t been a real one of those for a decade or more. What we have instead is massive use of rendezvous servers – external servers with public IP addresses that NATted computers connect to and through, so that they can pretend they are talking directly to each other. The rendezvous servers are choke points, performance killers, points of failure and security threats – the threat of failure and the threat of compromise. And of course they are an additional layer that costs everyone money, one way or another, because someone has to run them. Some rendezvous servers, like Skype supernodes, are brazen bandwidth thieves – those users with public IP addresses provide rendezvous support for those without. IPv6 gives us back a simpler Internet.

NAT meant loss of performance. Every packet exiting a NATted network must be translated on its way out, and returning packets must be translated on their way back in. Yes, this is now possible at wire speed – but think how much faster that wire speed could be if that translation was not necessary. The NAT processing takes CPU power and memory for the mappings – many thousands of mappings are needed for even the most modest network. Think how much cheaper the hardware would be if it did not have to do NAT. IPv6 takes those performance losses out of the equation.

NAT made most protocols are more complicated than they had to be. Protocols that pre-date NAT need special processing (another performance hit) because many of them ship IP addresses in payloads. The NAT processor must locate these in every packet and translate them, too. If a NAT device doesn’t know about such a protocol, then the device can’t translate it, and that protocol simply does not work over NAT. Protocols that post-date NAT have had to be developed with NAT in mind, and must scrupulously avoid doing things that NAT would break. A protocol should not have to consider the network characteristics, but post-NAT, they do. IPv6 makes protocol design easier and allows protocols to be simpler. And simpler protocols are faster, more reliable protocols.

Some protocols cannot be NATted at all. Some such protocols can be tunnelled (a further cost in complexity and performance), but some are simply not usable with NAT. IPSec’s AH sub-protocol, for example, authenticates packet header integrity, including source and destination addresses. NAT is fundamentally antithetical to this, because the recipient never sees the addresses that were used to calculate the integrity check. IPv6 allows all protocols to work without having to consider the network layer.

Because it hides the real addresses involved, NAT obscures matters when troubleshooting. Because IP addresses are routinely reused by NAT, the same externally visible IP address may be used in many mappings, for many different internal hosts. Figuring out which host was using which mapping when, and for what purpose, is quite an undertaking, and one which requires a lot of logging. IPv6 simplifies troubleshooting.

The one true reason for running NAT, IPv4 address scarcity, disappears with IPv6. All the above disadvantages vanish like fog at sunrise.

Now, some folk say that in spite of all of the above, they quite like NAT because it provides security; it blocks inbound connections by default and it obscures internal addresses. These are, however, mere side effects of NAT. If an enterprise wishes to obscure its internal addresses it would be far better served by privacy addressing or the use of proxies. If an enterprise wishes to block inbound connections, a firewall is purpose built for the task. Relying on the side effects of a non-security protocol for security benefits is not good security. Any cost-benefit analysis of the security provided by NAT will come up heavily on the side of cost rather than benefit.

So, after that major detour, we return to IPv6. IPv6 gives you back a world without NAT. That doesn’t mean open slather! You can still use the full panoply of security devices to protect your network – firewalls can still be programmed to allow only those connections that you wish to permit. But for those protocols and hosts that you do allow through, the world is a simpler, faster, more efficient, and cheaper place.

And that’s the start of a business case, don’t you think?

 

This entry was posted in Article and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *