Business facts about IPv6
- What will stop working when IPv4 runs out?
- All existing infrastructure will work fine, but it will become almost impossible for you, your business partners, or remote end user customers to commission new machines that will be 100% compatible with the existing Internet. There will come a point when the burden of this restriction on new infrastructure and services on the old standards means that large parts of your existing infrastructure will need to be upgraded before you can move forward.
- What is the longest that we can realistically wait?
- Address shortages will become acute and prominent around the end of 2011. Various stop-gap technologies, partial selective use of IPv6, a free market in (potentially expensive) IPv4 addresses that other companies are prepared to sell, will allow a company to avoid deploying IPv6 for perhaps a maximum of another two years. From that point, perimeter and DMZ deployment would be urgent.
- If I can delay deployment for three years, why take action now?
- IPv6 deployment is a major project. The cost implications are enormous, and could be reduced by 80% if considered in a timely fashion. It maybe be necessary to replace large amounts of hardware and software. The only way to do this cost-effectively is to consider IPv6 in every purchasing decision over the whole purchasing cycle. It will affect switches, routers, servers, desktops, laptops, applications, mobile phones, VoIP, firewalls, NAC, intrusion detection, anti-virus, endpoint security, network management software and systems, webservers, group policy, routing and VPNs.
- "We're lucky, we have a class-A on hand"
- Certainly if you have a large allocation of IPv4 addresses, then you have some breathing room. But you will need to be compatible with the rest of the world at some point, in order to continue to communicate. Also - from the end of 2011, for maybe ten years, there may well arise a 'grey market' for IP addresses. Any IT-department sitting on a class-A or class-B network is likely to be instructed to sell that network space while it has substantial value.
- Why so much upheaval? Surely there is a better way!
- IPv6 is the only game in town. The IPv6 committee was formed in the 90's, has completely created the standard and have now disbanded. It has been a long process. It may have been possible to create a more evolutionary solution that would have allowed a more gradual migration of machines, but this was dismissed as it would have prevented IPv6 from including many new technologies. There were good reasons for the decisions taken, but a side effect of the revolutionary change is that no-one has wanted to jump first. If there are no parties that you need to talk to over IPv6 yet, why deploy first? The result is that the next three years are going to be an interesting time for the Internet as everyone runs to keep up.
It's worth taking a little time to be specific about what the alternatives are to IPv6, and why they are not tenable for more than a short time:
- IPv4 NAT: We've already been using NAT for 15 years to eke out the remaining address space. Firewall and network configuration becomes a maze of double NAT. Peer-to-peer applications like video conferencing become impossible to deploy on some networks. Debugging becomes horrendous. VoIP configuration and maintenance costs go up. Logging and auditing become compromised. It can't go on much longer without the burden of trying to keep everything running becoming impossible.
- IPv4 to IPv6 translation/NAT: It doesn't work. It's not possible to translate individual packets because of the different packet structure, fragmentation standards, control messages and so on. TCP and UDP can be proxied. Proxying is very different of course. Proxies for some services could be a part of your transition plan, but they are not trivial and you won't know which services will work until you do a detailed study.
- Are there any advantages to IPv6?
- A pure IPv6 network - the eventual goal - is much easier to administer than an IPv4 network.
- Auto configuration: point-to-point links are auto-numbered (rather than manually numbered or unnumbered). DHCP equivalents can be stateless and fast with permanent leases. DNS registration can be automated so that you never need to remember numbers.
- A firewall without NAT: The address hiding once provided by NAT is effectively replaced with unique addresses that are so sparse that scanning can never be used to reverse-engineer a network. All machines maintain unique addresses, so firewall load is decreased, as the need for deep-packet inspection is lessened. Every machine can be uniquely tracked, wherever it moves.
- Address administration: You never need to subnet again. All LANs are the same (large) size with the same mask, and point to point links use local numbering. Juggling addresses to make the best use of space is a thing of the past.
- What will my plan look like?
- Every company will be different. But it will probably involve:
- a review of hardware standards, and avoiding purchasing of equipment that won't transition
- a phased plan for perimeter, DMZ, intranet and roaming devices
- a new policy for resilience, dual-homing, and design of new services
- a phased plan for support systems, address allocation, naming, DNS
- a security policy
IPv6 can be an opportunity for your business - but you can be sure that it will become and expensive liability if proactive decisions are not taken soon. Ipsilon Consulting understands that the business decisions come first, and that good planning will help you to avoid massive replacement programmes later. Let us help you to meet the challenge.