It's hard to believe that IPv6 is 14 years old, yet I don't personally know a single company that has migrated to it. I did some quick research and found that quite a few companies are using IPv6 or are IPv6 ready, meaning they have the infrastructure in place. Google, Sprint, AT&T, Comcast, Verizon, China, Japan, Korea, and several federal agencies claim to be using the new address space.
What are some of the security implications of moving to IPv6?
- You must deal with IPSec.
- ICMPv6 runs on top of v6, giving it ARP-like security.
- Additional functionality for protocol negotiation and key management.
- Until v6 is fully deployed, packets will come into your network tunneled - v6 packets in a v4 data stream.
- v6 stateless autoconfiguration allows systems to generate their own IP address and then check for duplicates on the network.
- Large Extension Headers (EH) or a long chain could be used to confuse or overwhelm routers and firewalls and hide an attack.
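As an added example (not part of the original post), here is one way a defender could check for two of the items above: v6 packets tunneled in a v4 stream and long Extension Header chains. It covers only direct v6-in-v4 encapsulation (IPv4 protocol 41); the function names, the thresholds and the sample packets are assumptions constructed for illustration.

```python
import struct

# IPv6 extension headers that use the Next Header + Hdr Ext Len layout
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 60: "dest-opts"}
FRAGMENT, PROTO_6IN4 = 44, 41       # fragment header; IPv4 protocol for v6-in-v4
MAX_CHAIN, MAX_EXT_BYTES = 4, 256   # assumed policy thresholds, tune locally


def inspect_ipv4(pkt: bytes) -> dict:
    """Inspect an IPv4 packet; descend into it when it tunnels IPv6."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if pkt[9] != PROTO_6IN4:
        return {"tunneled_v6": False}
    ihl = (pkt[0] & 0x0F) * 4       # IPv4 header length in bytes
    return {"tunneled_v6": True, **inspect_ipv6(pkt[ihl:])}


def inspect_ipv6(pkt: bytes) -> dict:
    """Walk the extension header chain; flag long, oversized or cut-off chains."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain, alerts = pkt[6], 40, [], []
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        # Fragment header is always 8 bytes; the others are (len + 1) * 8.
        # If the length byte itself is missing, assume the 8-byte minimum.
        fixed = nxt == FRAGMENT or off + 2 > len(pkt)
        size = 8 if fixed else (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):
            alerts.append("truncated extension header")
            break
        chain.append("fragment" if nxt == FRAGMENT else EXT_HEADERS[nxt])
        nxt, off = pkt[off], off + size
    if len(chain) > MAX_CHAIN:
        alerts.append("long extension header chain")
    if off - 40 > MAX_EXT_BYTES:
        alerts.append("oversized extension headers")
    return {"chain": chain, "upper_proto": nxt, "alerts": alerts}


def sample_packet(n: int) -> bytes:
    """Constructed sample: 6in4 packet, n >= 1 destination-options headers, then TCP."""
    ext = b"".join(bytes([60 if i < n - 1 else 6, 0, 1, 4, 0, 0, 0, 0]) for i in range(n))
    v6 = struct.pack("!IHBB", 6 << 28, len(ext), 60, 64) + bytes(32) + ext
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, 41, 0) + bytes(8) + v6


if __name__ == "__main__":
    for n in (2, 6):
        print(n, inspect_ipv4(sample_packet(n)))
```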
What are the advantages of going to IPv6? Here are just a few:
- More address space.
- Security will be improved. The use of IPSec is mandatory in IPv6.
- QoS can be fine-tuned due to the additional bits available in the header.
- NAT will no longer be needed due to the additional address space.
So why aren't more companies using it? To answer that question, we have to look at why IPv6 was developed. The new addressing protocol was developed because we thought we were running out of IP addresses. When the specification was first released in 1995, we thought we would be out of addresses by 2005. It looked like the sky was falling. 2005 came and went and we didn't run out of addresses. Here we are in 2009 and the estimate is now that by 2012, we will be out of addresses. The Internet Engineering Task Force (IETF) is working on methods to help with the transition to IPv6. These include:
- Dual-stack lite - In development by Comcast, this tool will translate IPv4 addresses to IPv6 through an external gateway using NAT.
- NAT64 - Another tool to translate v4 to v6 and vice versa.
- DNS64 - Allows a v6 device to call up a v4-only name server.
- IPv4 sharing - The IETF is working on a way that will allow ISPs to share a single IPv4 address among multiple users.
When we look at these methods, what we really see are ways to prolong the use of IPv4 even further. Who knows when this nonsense will end? Companies need to bite the bullet and make the switch.
Yes, there are a few minor disadvantages to going to IPv6:
- Since there can be more addresses on a subnet, the router table will have more entries, so the router will have more to process and will use more memory and CPU. The increase should go unnoticed.
- Deployment costs. These should be minimal.
- Not all applications take advantage of IPv6 yet.
- It's difficult to build a justifiable business case at this point in time.
I am not saying that the sky is falling, but would it help if I said it was? When is your organization going to switch to IPv6?