No, nothing blew up on World IPv6 Day. Content providers and network operators that tested the next-generation, 128-bit hexadecimal Internet addressing protocol on June 8 widely reported that the day was uneventful—clients reached servers, and servers served content. But that doesn't mean wide area network (WAN) managers can assume their IPv6 migration plans will succeed.
Network engineers at content delivery network (CDN) provider Akamai Technologies have learned that not all IPv6 transition technologies are created equal, according to Matt Levine, director of mapping engineering.
It has become "broadly known" among network operators that unmanaged 6to4 tunnels, which are designed to transfer IPv6 packets over the IPv4 Internet, are "flakey" and bound to be "a big source of problems," Levine said.
"A network engineer might go, 'Oh, this [unmanaged 6to4 tunnel] is a cool technology to get things on [IPv6],' and the conventional wisdom is pushing toward: Just don't do that," he said. "Don't try to set up this unmanaged magic to get people on v6 on the cheap because it's going to cause problems."
Tunneling requires the packet to carry an additional header, which essentially makes an IPv6 packet too large to squeeze through an IPv4 tunnel, creating a fragmented IP packet, Levine said. Most firewalls often filter out Internet Control Message Protocol version 6 (ICMPv6), the control mechanism that ordinarily resolves the issue by decreasing the packet size, as irrelevant data, he said.
Although a dual-stack network that natively supports IPv4 and IPv6 requires more time and effort to deploy, it behaves much more reliably, Levine said.
Once connectivity is enabled, applications shouldn't be affected significantly by an IPv6 migration, Levine said. WAN managers should only be concerned about applications that "care about" the IP address, such as an application that tries to impose access control rules, he said.
"Anywhere you've done something like that, you need to go and rethink it and make sure you [make it accessible] for v6 [users]," Levine said.
IPv6 migration: Security questions remain
But WAN pros should prepare to tackle more than low-level transport issues in an IPv6 migration plan.
There are still a number of questions surrounding IPv6 security, largely due to the fact that network security vendors have been slow to invest in and support IPv6, according to Lawrence Orans, research director at Gartner Inc.
Aside from their government and military customers, network security vendors have seen little demand for IPv6 support, Orans said. The fact that World IPv6 Day failed to reveal any major security gaps does not bode well for further vendor action, he said.
"Be prepared for uneven feature support amongst firewall and [intrusion prevention system] IPS vendors and from operational tools for managing and monitoring these devices," Orans said. "Once [vendors] see a real market opportunity, security vendors will move quickly to meet the demand."
WAN managers can take steps to make their IPv6 migration more secure without the help of network security vendors. They can start by ensuring that network configurations and policies are prepared for the next-generation protocol, said Akamai's Levine.
"It's easy to assume, 'I've got these rules set up: I'm going to allow port 80 for HTTP traffic' ... and not think the rules are IPv4 specific," Levine said. "You may have just opened up an IPv6 file server, which you never meant to do."
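A parity check for the situation Levine describes, as an added example that is not from the article or from Akamai: it compares `iptables-save` and `ip6tables-save` dumps against the TCP ports listening on IPv6, and also flags an IPv6 policy that drops the ICMPv6 packet-too-big messages mentioned earlier. The rule dumps, the listener set and port 445 are constructed sample input, and the function names are hypothetical.

```python
import shlex

def parse_input_chain(dump):
    """Return (policy, accepted TCP ports, packet-too-big accepted) for filter/INPUT."""
    # Simplification: -s/-i restrictions and rules without a port match are ignored.
    policy, ports, ptb, table = "ACCEPT", set(), False, None
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A INPUT ") and line.endswith("-j ACCEPT"):
            args = shlex.split(line)
            opt = dict(zip(args, args[1:]))  # option -> token that follows it
            if "RELATED" in opt.get("--ctstate", ""):
                ptb = True  # conntrack classes ICMPv6 errors for known flows as RELATED
            elif opt.get("-p") == "tcp":
                for spec in opt.get("--dport", opt.get("--dports", "")).split(","):
                    lo, _, hi = spec.partition(":")
                    if lo:
                        ports.update(range(int(lo), int(hi or lo) + 1))
            elif opt.get("-p") in ("ipv6-icmp", "icmpv6"):
                ptb |= opt.get("--icmpv6-type", "2") in ("2", "packet-too-big")
    return policy, ports, ptb

def audit(v4_dump, v6_dump, v6_listeners):
    """List IPv6 exposures that the IPv4 policy would have blocked, plus PMTUD breakage."""
    p4, ports4, _ = parse_input_chain(v4_dump)
    p6, ports6, ptb = parse_input_chain(v6_dump)
    findings = []
    for port in sorted(v6_listeners):
        open4 = p4 == "ACCEPT" or port in ports4
        open6 = p6 == "ACCEPT" or port in ports6
        if open6 and not open4:
            findings.append(f"tcp/{port} reachable over IPv6 but blocked over IPv4")
    if p6 != "ACCEPT" and not ptb:
        findings.append("ICMPv6 packet-too-big (type 2) dropped: path MTU discovery fails")
    return findings

# Constructed sample input: rule dumps and the set of TCP ports listening on IPv6.
V4 = """*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""
V6_UNCONFIGURED = "*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n"  # ip6tables never touched
V6_COPIED = V4                                              # IPv4 rules copied verbatim
V6_FIXED = V4.replace("COMMIT", "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT\nCOMMIT")
LISTENERS = {80, 445}  # web server plus a file-sharing service
```

Calling `audit(V4, V6_UNCONFIGURED, LISTENERS)` reports the file-sharing port as exposed over IPv6 only, while `V6_COPIED` closes that port but trips the packet-too-big finding until the ICMPv6 rule in `V6_FIXED` is added.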
However, there are still other security concerns around an IPv6 migration that won't be fully understood until the protocol is widely deployed, he said.
"There's a concern that the bad guys may be able to hop addresses at a moment's notice, so you'd better hope at this point that it's not easy for them," Levine said. "Certainly, operating systems' handling of IPv4 is highly battle-hardened by now. At this point, the v6 code may not be new, but it hasn't been exercised heavily, so there could be surprises in there we haven't stumbled across."
Let us know what you think about the story; email: Jessica Scarpati, News Writer.