Is IPv6 Part of your Risk Management Framework?

IPv4 to IPv6 - CIOs Who Haven't Planned for IPv6 Transition Need to Act Now

The Internet's supply of IPv4 addresses is quickly running out, setting the clock ticking on the final exhaustion of the Internet numbering plan that the world has used for over three decades. Expected to occur in March of 2011, the event will be a wake-up call for connected organizations everywhere. It is clearer than ever before that IPv6 transition plans are urgently needed. Once all IPv4 addresses are depleted, organizations will only be able to receive IPv6 address space.

If the Internet Assigned Numbers Authority (IANA) has not already assigned its last blocks of address space, it will certainly do so over the next few months. Potaroo's IPv4 Address Report, which has historically proven quite conservative, currently has IANA handing the last five blocks of IPv4 to the world's five Regional Internet Registries by February 17, 2011. The same estimates see the Regional Internet Registries (RIRs) allocating their last smaller chunks of addresses to ISPs in early November this year. In 2012, it will become increasingly difficult for organizations to seek IPv4 address space allocations through the usual channels, and IPv6 will start to become more and more of an everyday reality for Internet users worldwide.

If you haven't started to work on an IPv6 strategy yet, you're probably behind the curve. IPv6 was designed largely to solve the IP address exhaustion problem. It exponentially increases the amount of address space available to Internet-connected devices. IPv4 addresses, which are represented by a 32-bit number, enable a mere 4,294,967,296 (4.3 billion) IP addresses. IPv6 uses 128 bits, allowing 340,282,366,920,938,463,463,374,607,431,768,211,456 (340 trillion trillion trillion) addresses. As a result, IPv6 is also far less easy on the human eye. Network administrators, perhaps accustomed to carrying several dotted decimal IPv4 addresses (such as 127.0.0.1) around in their heads, will have bigger problems memorizing more than a couple of hexadecimal IPv6 addresses, such as 2001:0DB8:0234:AB00:0123:4567:8901:ABCD.

But memorizing numbers will be the least of their headaches. Despite the fact that the IPv6 protocol has been standardized and in production on a small scale for well over a decade, the inevitable transition to IPv6 presents substantial challenges for ensuring the end-to-end stability and performance of IP networks and the Internet as a whole. It's perhaps not surprising that so few organizations today have started implementing their IPv6 strategies (if they have them), preferring instead to wait and see if alternative solutions emerge. We'll discover over the next 12 months that the time for procrastinating is finished, and that the exhaustion of the IPv4 pool will prove a watershed moment that will kick-start adoption of IPv6.

Before the end of the year, the RIRs will run out of IPv4 addresses to allocate to ISPs in their respective regions. Not too long after that, ISPs that have previously dealt entirely with IPv4 will start to receive their first chunks of IPv6, which they will in turn start to assign to their address-hungry customers. At this point, the number of IPv6 end users on the Internet will begin to rapidly increase, and the only way content providers will be able to serve these people is if they, and their upstream providers, also support IPv6. Any organization that runs a mission-critical, public-facing Web site will face this predicament.

Many believe that the move to IPv6 should be a board-level risk management concern, equivalent to the Y2K problem or Sarbanes-Oxley compliance. During the late 1990s, technology companies worldwide scoured their source code for places where critical algorithms assumed a two-digit date. This seemingly trivial software development issue was of global concern, so many companies made Y2K compliance a strategic initiative. The transition to IPv6 is of similar importance. Google, for example, has spent the last three years looking for IPv4 addresses that have been hard-coded into its software, as well as for instances where its source code assumes a 32-bit address. As more companies start to wake up to IPv6, this kind of compliance project will become more widespread.
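A source audit of the kind described above can start as a simple scanner. The following is an added example, not code from the article or from any company it names: the function name `audit_source`, the pattern lists and the sample input are assumptions made for illustration, and the 32-bit check is a naming heuristic that will need tuning per code base.

```python
import ipaddress
import re

# Candidate dotted quads; each is validated before it is reported.
DOTTED_QUAD = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)(?!\w)")
# IPv4-only BSD socket names; \b keeps AF_INET6 and sockaddr_in6 from matching.
IPV4_ONLY = re.compile(
    r"\b(inet_addr|inet_aton|inet_ntoa|gethostbyname|sockaddr_in|in_addr_t|AF_INET)\b")
# Heuristic: a 32-bit integer type declaring a name that suggests an address.
ADDR_IN_32BIT = re.compile(
    r"\b(?:uint32_t|u_int32_t|unsigned\s+(?:int|long))\s+\w*(?:ip|addr)\w*", re.I)


def audit_source(text):
    """Return (line_no, kind, detail) findings for one source file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in DOTTED_QUAD.finditer(line):
            try:
                addr = ipaddress.IPv4Address(m.group(1))
            except ValueError:
                continue  # looks like a dotted quad but is not an address
            findings.append((no, "ipv4-literal", str(addr)))
        for m in IPV4_ONLY.finditer(line):
            findings.append((no, "ipv4-only-api", m.group(1)))
        for m in ADDR_IN_32BIT.finditer(line):
            findings.append((no, "32bit-address", m.group(0)))
    return findings


# Constructed sample input (C-like source), not taken from any real code base.
SAMPLE = '''\
#define UPSTREAM "192.0.2.10"
uint32_t peer_ip = inet_addr(UPSTREAM);
struct sockaddr_in6 sa6;            /* already IPv6-capable */
int s = socket(AF_INET, SOCK_STREAM, 0);
const char *build = "999.1.1.1";    /* not a valid address */
'''

if __name__ == "__main__":
    for no, kind, detail in audit_source(SAMPLE):
        print(f"line {no}: {kind}: {detail}")
```

Four-part version strings such as 1.2.3.4 parse as valid addresses and will be reported, so findings need human review before they drive code changes.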

It will take years for the Internet to fully switch to IPv6, so organizations need to prepare for a world in which both protocols are used simultaneously. This presents its own set of challenges. An ideal solution would be for everyone to run both protocols together, in a dual-stack configuration. New mobile devices and Voice over IP (Internet Phone) systems that come online after IPv4 addresses are exhausted will be forced to connect from IPv6-only environments.

Gateways and tunneling solutions are band-aids, and they are likely to present problems of stability, performance and functionality. Most network gateway hardware will have limitations – testing has shown that many products that are ostensibly "IPv6-compatible" often either don't enable the same full IPv4 feature set when using the newer protocol, or have implemented IPv6 only in software, creating performance bottlenecks not experienced when using a hardware-accelerated IPv4 stack.

There's a lot to consider, and the sooner wired organizations start to consider IPv6 at the strategic level, making it part of their risk management strategies, the better prepared they will be to cope with the transition. Staff needs to be trained in IPv6 best practices, not just in software development but also in technology procurement departments. Organizations should consider making supporting the IPv6 strategy a performance metric by which relevant employees are evaluated. Suppliers, such as ISPs and hardware manufacturers, should be coaxed into providing IPv6 functionality that is equivalent to that enjoyed in the IPv4 world. The IPv6 transition plan is worthy of board-level status reports.

The inevitable switchover to IPv6 has been anticipated for a long time, but the cutover is imminent. When the IANA runs out of IPv4 addresses, headlines will be created, even more awareness will be raised, and hands will be forced. Wheels will be set in motion for a more rapid adoption of IPv6 than we've seen over the 12 years since the protocol was standardized. CIOs who have not made IPv6 transition plans part of their strategic agenda must act now, or risk the entire online enterprise.

Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies affecting domain name registration and DNS security.