Inertia: The Silent IPv6 Killer
As most of you know, IPv6 is the newest internet protocol for systems to run on, creating the opportunity, and perhaps the necessity, for change, depending on a business's desires or needs. In a number of situations, however, the motivation for the change required to deploy IPv6 fails both of those tests: it is neither desired nor seen as needed.
Because IPv6 does not immediately bring new revenue opportunities, and it is not clear that there is an immediate benefit to the income side of the balance sheet, the senior managers who make such deployment decisions generally do not view IPv6 as a positive investment or an effective use of resources. Likewise, learning a new protocol when the current one appears to be working does not seem to carry any immediate benefit, either for the organization or for the individual. Systems administrators, network administrators, and other IT professionals often believe that IPv6 can wait, and, if they are lucky enough, will keep until they retire.
The business case for IPv6
For the management level, there are a number of ways to make the business case for immediately deploying IPv6.
APNIC (the Asia-Pacific Network Information Centre) and RIPE (the Réseaux IP Européens) have run out of IPv4 addresses in their general free pools, and ARIN (the American Registry for Internet Numbers), the registry for North America and much of the Caribbean, is down to just over 29 million IP addresses remaining in its free pool.
On the management level, these numbers make the business case for an urgent deployment of IPv6. While 29 million might still seem like a substantial number of IP addresses, consider that until they ran out, the Asia Pacific region was consuming new IP addresses at the rate of roughly 16 million per month.
The question is what happens if you wait until it’s obviously urgent to deploy IPv6. Answers will vary depending on your organization, but some factors to consider include:
- It will take significant time to deploy IPv6 once you start. It could be as long as a two-year project in some organizations.
- Having your support personnel learn IPv6 while trying to support it in the field is likely far less effective and far more disruptive to your operations than having them learn it before its widespread use.
- Having IPv6 ready and running before you see urgent demand means that the urgent demand is a non-event. You saw it coming and were completely prepared. Failing to deploy IPv6 early means a chaotic rush to get a two-year project done in less than two weeks. In my experience, most enterprises that attempt this method have not experienced great success.
- Starting early means that you can make purchasing decisions on your terms and set the timeline to take advantage of preferred pricing and to coincide with your regular technology refresh cycles.
- If your competitors have IPv6 deployed and you don't before your customers want it, that extra incentive may drive your customers to your competitors. Getting there first might not bring in new revenue, but there's usually significant value in ensuring that existing customers stay. IPv6 can help with that.
The security case for IPv6
Many people who have never seen an enterprise network without NAT are probably thinking that the prospect of running without it sounds rather scary. You have spent most of your career knowing that NAT is part of the firewall and that NAT is what protects you from the big bad outside world. Honestly, that is a myth. The problem comes from the fact that we tend to be lazy with our language, and NAT has come to be the general term throughout IT for what is better described as Stateful Packet Inspection with Address Translation.
Notice that there are two components in that term. The first, Stateful Packet Inspection, is what actually provides your security. SPI is the process of examining each outbound packet to see whether it creates a new flow or conversation. If it does, an entry is added to a state table with enough information to identify incoming packets that match that particular flow. If it doesn't, the existing flow entry is used. In the case of NAT, that flow entry is also given a public IP address and port number to use as a replacement for the internal (the source for outbound packets) address and port number, and any outbound packets that match the flow entry have their headers altered accordingly. This alteration of the headers is what we mean by address translation. That part does nothing for security, and in practice diminishes it.
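To make the distinction concrete, here is an added toy model of the state table described above (this is illustrative code, not from the article or from Hurricane Electric): the same stateful firewall runs with translation switched off, as on an IPv6 edge, or on, as with IPv4 NAT, and the admit/drop decision for inbound packets is made by the state table alone. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Flow key: (proto, src, sport, dst, dport). Sample addresses below are constructed.
Flow = Tuple[str, str, int, str, int]

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    def __init__(self, public_ip: Optional[str] = None):
        self.public_ip = public_ip  # None: pure SPI, no address translation
        self.next_port = 40000      # next translated source port to hand out
        self.out_table: Dict[Flow, Tuple[str, int]] = {}  # flow -> (src, sport) on the wire
        self.in_table: Dict[Flow, Flow] = {}              # expected reply key -> flow

    def outbound(self, p: Packet) -> Packet:
        key: Flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.out_table:
            # New conversation: add a state entry. Only with NAT does the
            # entry also carry a public address/port to rewrite the header to.
            if self.public_ip:
                mapped = (self.public_ip, self.next_port)
                self.next_port += 1
            else:
                mapped = (p.src, p.sport)
            self.out_table[key] = mapped
            self.in_table[(p.proto, p.dst, p.dport, mapped[0], mapped[1])] = key
        src, sport = self.out_table[key]  # existing flow: reuse its entry
        return Packet(p.proto, src, sport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Admit only packets that match a flow an inside host opened."""
        orig = self.in_table.get((p.proto, p.src, p.sport, p.dst, p.dport))
        if orig is None:
            return None  # unsolicited: dropped whether or not NAT is in use
        _, isrc, isport, _, _ = orig
        return Packet(p.proto, p.src, p.sport, isrc, isport)

def demo(inside: str, outside: str, public_ip: Optional[str] = None) -> Tuple[bool, bool]:
    """(reply admitted?, unsolicited inbound dropped?) for one firewall mode."""
    fw = StatefulFirewall(public_ip)
    wire = fw.outbound(Packet("tcp", inside, 51000, outside, 443))
    reply = fw.inbound(Packet("tcp", outside, 443, wire.src, wire.sport))
    stray = fw.inbound(Packet("tcp", outside, 4444, wire.src, 22))
    return reply is not None, stray is None
```

Running `demo` with and without a public address yields the same result in both modes: the reply to the inside host's connection is admitted and the unsolicited packet is dropped, so the translation step contributes nothing to that decision.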
IPv6 is a lot easier to administer than IPv4, though for a while, during the transition, we're going to have to maintain them both, and the longer we have to maintain IPv4, the more painful and expensive doing so will become. The quicker we dispel our inertia, the quicker we can deploy IPv6 as widely and as efficiently as possible.
-- Owen DeLong, IPv6 Evangelist, Hurricane Electric (In addition to his day job, Owen maintains a significant IP network in his house running both IPv4 and IPv6 on multiple subnets, all without the use of NAT.)