IPv6 – The Sky Really is Falling!

Today, you can hardly turn your head or pick up an industry magazine without hearing about IPv6. All the vendors have glossy brochures that boast IPv6 support, but for you, it’s just more long hours with nothing shiny to show the boss. In short, if you’re like most engineers, you’re dreading even thinking about IPv6 and hoping it will just go away. However, since IPv6 is not going away, let’s talk about some IPv6 survival skills designed to help you get through your IPv6 implementation.

This article walks through some IPv4/IPv6 basics designed to help you survive your IPv6 implementation: what CIDR notation means, why IPv4 is running out, how IPv6 fixes that, how to get your gear, software and people ready, how to deploy, and how to monitor the result.

CIDR Netmask Notation in 30 Seconds or Less

There are a lot of IP addresses in CIDR notation in this article, so let’s start with a quick primer on CIDR and how it relates to IPv4 and IPv6. An IPv4 address is 32 bits (0’s or 1’s), and an IPv6 address is 128 bits. A subnet mask is the same length as the address: the leading 1’s mark the bits that identify the network, and the trailing 0’s mark the bits that identify the host within it. The most common IPv4 subnet you’ll see is a /24, or 24 1’s followed by 8 0’s. In traditional dotted notation it’s 255.255.255.0, but in binary it’s 1111 1111.1111 1111.1111 1111.0000 0000. Feel free to count, I’ll wait!

You might have just realized, though, that it doesn’t have to be 24 ones: you could have 29 1’s and 3 0’s. This gives you 2^3 addresses, or 8 addresses, and a /29 is written as 255.255.255.248. (In IPv4 the first and last of those are the network and broadcast addresses, so only 6 are usable for hosts.) With CIDR, then, the prefix length can be any whole number of bits, from /0 up to /32 for IPv4 or /128 for IPv6, and the number of addresses in the block is always a power of 2: 2 raised to the number of host bits.
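To make the arithmetic concrete, here is an added example (not part of the original post) that builds masks from prefix lengths, renders them the way the paragraph above does, and summarizes IPv4 and IPv6 blocks with only the Python standard library. The addresses are constructed sample input from the documentation ranges (192.0.2.0/24 and 2001:db8::/32).

```python
"""Added example (not from the original post): prefix-length arithmetic for
IPv4 and IPv6 using only the standard library.

All addresses below are constructed sample input from the documentation
ranges 192.0.2.0/24 and 2001:db8::/32."""
import ipaddress


def mask_from_prefix(prefix_len: int, total_bits: int) -> int:
    """Build the netmask as an integer: prefix_len ones followed by zeros.

    /29 on 32 bits -> 0b11111111_11111111_11111111_11111000 (255.255.255.248)
    """
    if not 0 <= prefix_len <= total_bits:
        raise ValueError("prefix length out of range")
    return ((1 << prefix_len) - 1) << (total_bits - prefix_len)


def mask_binary(prefix_len: int, total_bits: int) -> str:
    """Render the mask as the article does: nibble groups, one octet per dot."""
    bits = format(mask_from_prefix(prefix_len, total_bits), f"0{total_bits}b")
    octets = [bits[i:i + 8] for i in range(0, total_bits, 8)]
    return ".".join(f"{o[:4]} {o[4:]}" for o in octets)


def describe(cidr: str) -> dict:
    """Summarize a CIDR block: mask, host bits, address count, usable hosts, range."""
    net = ipaddress.ip_network(cidr, strict=False)
    total = net.num_addresses
    if net.version == 4:
        # IPv4 reserves the network and broadcast addresses (except /31 and /32).
        usable = total - 2 if net.prefixlen < 31 else total
    else:
        # IPv6 has no broadcast address; the whole block is treated as assignable.
        usable = total
    return {
        "version": net.version,
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "host_bits": net.max_prefixlen - net.prefixlen,
        "addresses": total,
        "usable_hosts": usable,
        "first": str(net[0]),
        "last": str(net[-1]),
    }


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """True if a and b share the same /prefix_len; this is the test a host makes
    before deciding whether to ARP/ND for a peer directly or send to its router."""
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if ia.version != ib.version:
        return False
    mask = mask_from_prefix(prefix_len, ia.max_prefixlen)
    return (int(ia) & mask) == (int(ib) & mask)


if __name__ == "__main__":
    print(mask_binary(24, 32))
    print(mask_binary(29, 32))
    for cidr in ("192.0.2.0/24", "192.0.2.8/29", "2001:db8:1::/64"):
        print(describe(cidr))
    print(same_subnet("192.0.2.9", "192.0.2.14", 29))   # same /29
    print(same_subnet("192.0.2.9", "192.0.2.17", 29))   # next /29 over
```

The same functions handle IPv6 unchanged; the only difference is `total_bits` of 128 and a `host_bits` of 64 for the typical LAN prefix, which is where the 2^64 figure in the next section comes from.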

The Problem with IPv4

There are two main problems with IPv4.

First of all, today there are 7.1 billion people in the world. Half of them own a computer of some sort, and 6 billion have access to mobile phones. If we handed out just one IPv4 address to every person we would be 3 billion IP addresses short. This makes reclaiming lost address space essentially pointless. Obviously, more addresses are needed for a modern Internet.

The second problem with IPv4 is NAT. Overloaded NAT (one public IP with multiple private IPs behind it) breaks quite a few applications, and the protection people credit it with comes from the stateful filter that sits in front of it, not from the address rewriting itself. A stateful firewall without NAT gives you the same default-deny for unsolicited inbound traffic. The result is an increase in cost and complexity with no security benefit to offset it.

ARIN, the American Registry for Internet Numbers, predicts in their article ARIN IPv4 Countdown Plan that we will exhaust IPv4 space within the next year. This means that providers will no longer be able to supply routable public IPv4 addresses. Shortly thereafter, you won’t be able to get additional IPv4 addresses from your provider, which means that you will be unable to turn up new public IP services.

How IPv6 Solves the Problem

IPv6 eliminates the need for NAT by having more IP addresses than can possibly be used, and assigning them sparsely. Since IP addresses are no longer a scarce commodity, giant blocks can be handed out for only a few devices without any risk of exhaustion. For instance, a network that once had 254 usable IP addresses (an IPv4 /24) might now get an IPv6 /64 with 2^64 addresses.

So what’s a /64? IPv6 has 128 bits of address space. That’s 2^128 addresses, and trust me, this is an absurdly huge number. Mask off 64 bits for the network and you still have 2^64, or about 18 quintillion addresses, for the same 254 hosts. That’s more addresses than exist in the entire IPv4 Internet, which means that attacks which depend on sequentially scanning a subnet for vulnerable hosts are impractical on IPv6: at 10,000 probes per second, sweeping a single /64 would take roughly 58 million years. That is a real improvement over overloaded NAT, where the entire public IP is found in seconds, but it is not a reason to relax. Attackers don’t have to brute-force a /64 when they can harvest targets from DNS, web server logs, neighbor caches, and predictable addressing (hosts numbered ::1, ::2, … or SLAAC addresses derived from a MAC whose vendor prefix is public). Keep the stateful firewall; the big address space is a bonus, not a substitute.
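The arithmetic behind both halves of that claim, as an added example that is not from the original post: how long a brute-force sweep of a /64 takes, and how far the search collapses once a host uses the SLAAC address that IPv6 derives from its MAC (modified EUI-64), or a hand-assigned low address. The MAC address and the 2001:db8::/32 documentation prefix are constructed sample input.

```python
"""Added example (not from the original post): why brute-force scanning a /64
is hopeless, and why that alone does not make hosts unfindable.

The MAC address and 2001:db8::/32 prefix below are constructed sample input."""
import ipaddress

SECONDS_PER_YEAR = 365 * 24 * 3600


def years_to_scan(host_bits: int, probes_per_second: int) -> float:
    """Years needed to probe every address in a block that has host_bits host bits."""
    return (1 << host_bits) / probes_per_second / SECONDS_PER_YEAR


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier that SLAAC builds from a 48-bit MAC
    (RFC 4291 App. A): insert 0xFFFE in the middle and flip the universal/local
    bit, which is bit 1 (value 0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host with this MAC self-assigns in the given /64 when privacy
    extensions (RFC 4941) are off."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def is_eui64(addr: str) -> bool:
    """Recognize an EUI-64-derived interface ID by the fixed 0xFFFE in address bytes 11-12."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


def search_space_bits(addr: str) -> int:
    """Bits an attacker must actually guess once the addressing pattern is known."""
    ip = ipaddress.IPv6Address(addr)
    iid = int(ip) & ((1 << 64) - 1)
    if is_eui64(addr):
        # The vendor OUI (upper 24 bits of the MAC) is public; only the 24-bit
        # device serial is unknown.
        return 24
    if iid < (1 << 16):
        # Hand-numbered hosts (::1, ::2, ...): a tiny space.
        return 16
    return 64


if __name__ == "__main__":
    print(f"full /64 at 10,000 probes/s: {years_to_scan(64, 10_000):,.0f} years")
    addr = slaac_address("2001:db8:1::/64", "00:11:22:33:44:55")
    print(addr, "EUI-64:", is_eui64(addr))
    bits = search_space_bits(addr)
    print(f"same /64, EUI-64 host with known OUI: "
          f"{(1 << bits) / 10_000 / 3600:.1f} hours")
    print("hand-numbered host ::1:", search_space_bits("2001:db8:1::1"), "bits")
```

The takeaway is the ratio: 64 unknown bits is geological time, 24 unknown bits is under half an hour at the same probe rate. Privacy extensions (random interface IDs) restore most of the 64 bits for clients; servers with static, memorable addresses never had them.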

How to Start Getting Ready to Deploy IPv6 Today

Start today in terms of getting ready for IPv6. Audit your equipment to confirm the software or firmware it is running supports IPv6. You probably won’t have much trouble with the networking gear itself, or modern server operating systems, because the majority of these already support IPv6. Frequent offenders, however, are devices like office multifunction copiers, security cameras and security card access devices, and other appliances on the network. Surprisingly, tablet and smartphone vendors and the LTE networks they run on are often behind as well. Reach out to these vendors to request a patch for IPv6 support.

You can’t just audit devices, though. Some software on your network may not support IPv6. Internally, you will have to review CMS, ERP, and other business software. Especially critical, though, are public-facing services such as your web and e-mail services. These services will have to be updated, as IPv6-only clients are coming. Without updating, your customers may soon be unable to reach your services.

You will also have to go one step further with firewalls. With the death of overloaded NAT, nothing implicitly hides your hosts any more, so every zone, IDS rule and default-deny for unsolicited inbound traffic that NAT used to give you for free has to be written as an explicit stateful IPv6 policy. Two things trip people up here: the IPv6 rule set is usually separate from the IPv4 one and starts out empty, and ICMPv6 cannot simply be blocked the way ICMP often is for IPv4, because Neighbor Discovery and Path MTU Discovery depend on it (RFC 4890 lists what to permit). Your firewall vendor will be able to assist you here. Don’t fear, I promise the NAT wasn’t helping your security profile.

You also have to ensure that dynamic VPN users get an IPv6 address and an IPv6 route through the tunnel. If the VPN only carries IPv4 while the client has native IPv6 at home or on LTE, its IPv6 traffic quietly bypasses the tunnel and your controls. We should take a moment and discuss host firewalls as well. Windows ships with its host firewall enabled for both IPv4 and IPv6; on Linux the distribution decides, so check that ip6tables or nftables rules actually exist and mirror your IPv4 policy rather than assuming they do. Older systems (roughly anything released before 2008, such as Windows versions before Vista and Server 2008) should be carefully evaluated to ensure that IPv6 is properly firewalled from the start, since many of them enable IPv6 without filtering it.

Preparing People in Your Organization

IPv6 is going to impact most of the technical people in your organization. If you get the technology part right, then the impact to the non-technical people will be minimal, but it’s still a good idea to keep them informed about what is going on. For example, accounting may need to be prepared for an unexpected uptick in upgrade expenditures. Logistics may need to expedite some shipments to help meet some upgrade deadlines. End users might see minor (or not so minor) disruptions to the network as upgrades are done and certain lessons unique to your organization are learned. Communication is key in keeping minor hiccups from becoming major disruptions.

In terms of your technical staff, you’ll need slightly different approaches depending on their role. For example, Application Developers will need to know how to add dual-stack capabilities to their code, and will also need to go through all the applications that store or parse IP addresses and update them to accommodate both forms of addresses. Systems Administrators will need to know how IPv6 changes the configuration and management of the systems they administer. Network Engineers and Architects will need far more extensive training because they are facing the largest set of differences.

For most of your technical staff, a good place to start is the free IPv6 certification course from Hurricane Electric. It’s not an extensive process, but it does offer some hands-on IPv6 experience in key areas. It’s a step-by-step process, and most administrators can complete it in a couple of days with proper resources.

Deploying IPv6

There are quite a few hurdles to jump to deploy IPv6. You will need to contact your Internet Service Providers to determine if they offer IPv6. If they do not, ask about the timeline for deployment, and inform them that supporting IPv6 is crucial for your business’s success and your ability to reach vendors and customers. If you have an Autonomous System Number (ASN) and speak Border Gateway Protocol (BGP), you can simply request an IPv6 block directly from ARIN, or your region’s RIR. If you don’t have an ASN, and your providers don’t offer IPv6, you can use a service such as HE.net’s tunnel broker to deploy. Depending on your network’s latency to HE.net, this might even be a permanent solution, but remember that a 6in4 tunnel carries your traffic unencrypted across the Internet to the broker, so treat it like any other untrusted transit link.

Once you’re ready to deploy IPv6, you will need to request a /48 from your provider. This is 65536 /64’s.

Again, IPv6 addresses aren’t scarce, so just use Router Advertisements (RA) to assign a /64 to each LAN segment on your network and let hosts autoconfigure themselves (SLAAC). One caveat: every host listens to RAs from any device on the segment, so a misconfigured or hostile machine announcing itself as a router can hijack traffic. Enable RA Guard (RFC 6105) on your access switches so that only your router ports may send RAs, and use DHCPv6 where you need to know which host holds which address.
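The check that RA Guard and a monitoring sensor perform, as an added example that is not from the original post: decode an ICMPv6 Router Advertisement (RFC 4861), pull out the Prefix Information options, and flag any advertised prefix that is not inside the block your provider delegated. Both RA payloads are constructed with `struct` here; the ICMPv6 checksum is left at zero because the IPv6 pseudo-header needed to compute it is not part of this example, and 2001:db8::/32 is the documentation prefix.

```python
"""Added example (not from the original post): decode an ICMPv6 Router
Advertisement and flag prefixes that your routers are not supposed to announce,
which is the check behind RA Guard.

The two RA payloads built below are constructed sample input; checksums are
zero because the IPv6 pseudo-header is not modelled here."""
import struct
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3


def build_ra(prefix: str, router_lifetime: int = 1800, flags: int = 0x00) -> bytes:
    """Construct a minimal RA with one Prefix Information option (RFC 4861 4.2, 4.6.2)."""
    net = ipaddress.IPv6Network(prefix)
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags,
                         router_lifetime, 0, 0)
    # Prefix Information: type, length (8-byte units), prefix length, L|A flags,
    # valid lifetime, preferred lifetime, reserved, then the 16-byte prefix
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                         2592000, 604800, 0) + net.network_address.packed
    return header + option


def parse_ra(payload: bytes) -> dict:
    """Parse the RA header and walk its TLV options, collecting advertised prefixes."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime, "prefixes": []}
    offset = 16
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            # RFC 4861 requires receivers to discard packets with zero-length options.
            raise ValueError("zero-length option")
        end = offset + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen = payload[offset + 2]
            pflags = payload[offset + 3]
            prefix = ipaddress.IPv6Address(payload[offset + 16:offset + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),
            })
        offset = end
    return ra


def rogue_prefixes(payload: bytes, allowed: list) -> list:
    """Return advertised prefixes that fall outside every allowed block."""
    allowed_nets = [ipaddress.IPv6Network(a) for a in allowed]
    bad = []
    for p in parse_ra(payload)["prefixes"]:
        net = ipaddress.IPv6Network(p["prefix"])
        if not any(net.subnet_of(a) for a in allowed_nets):
            bad.append(p["prefix"])
    return bad


if __name__ == "__main__":
    ALLOWED = ["2001:db8:1::/48"]           # the /48 your provider delegated (assumed)
    good = build_ra("2001:db8:1:10::/64")    # your router's RA
    rogue = build_ra("2001:db8:bad::/64")    # RA from a misconfigured or hostile host
    print(parse_ra(good))
    print("rogue in good RA:", rogue_prefixes(good, ALLOWED))
    print("rogue in rogue RA:", rogue_prefixes(rogue, ALLOWED))
```

In production the payload comes from a raw ICMPv6 socket or a packet capture; a prefix check alone is not sufficient (an attacker can announce your legitimate prefix from the wrong port with a higher router preference), which is why RA Guard is enforced per switch port rather than by content, but the content check is what tells you a rogue exists.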

You don’t need to remove IPv4 from your network today. Every major modern operating system (including the ones from Redmond) supports IPv4/IPv6 dual stack out of the box.

Now You Have to Monitor It! (Monitoring IPv6 Hosts)

Zenoss supports monitoring IPv6 hosts today. Add an IPv6 device, model it, and everything will work. There are a few caveats, however, due to the size of the IPv6 address space. Because a normal IPv6 subnet is a /64, don’t use auto-discovery to find IPv6 devices; scanning a /64 would take far longer than anyone is willing to wait. Instead, use zenbatchload (shipped with Zenoss), a DNS zone transfer, Active Directory, or another inventory source to add IPv6 devices. For dual-stack hosts, create two devices, one for the IPv4 address and one for the IPv6 address, and both will monitor correctly.

Conclusion

You can’t put off moving to IPv6 anymore. You want to, but you can’t! Even if you aren’t ready to start deploying IPv6 today, it is time to start planning, because sometime in the next year you’re going to need a public IP address and the answer will be “Sorry! Fresh out”.

Even if you have plenty of addresses to last you several years, chances are that some of your customers and some of your suppliers don’t. As soon as any of them are IPv6-only, you’re at a disadvantage if you don’t support IPv6.

Note: A special thanks to Owen DeLong, who is the IPv6 evangelist at HE.net and a member of the ARIN advisory council, for his assistance in creating this article.
