GCN, 02/04/08 issue
Taking control of IPv6
To reap the benefits, agencies face the huge job of managing address spaces
By William Jackson
The arrival of IPv6 will eventually give agencies better security, more flexible networking and a number of available IP addresses so large it can make your head hurt just trying to grasp how many there will be. But how well agencies take advantage of IPv6 will depend in large part on how well administrators manage their newfound wealth of IP address spaces, experts say.

By the end of June, the Office of Management and Budget expects agencies to have their network backbones ready to carry IPv6 traffic in addition to IPv4 traffic.

Nobody is yet requiring that agencies use IPv6, but agencies have begun acquiring address space in the new protocols and are making plans for taking advantage of the improved security and networking capabilities.

Management will be critical.

"It is going to be a long cycle for people to swap out the IPv4 technology now standard in their networks," said Richard Hyatt, chief technology officer at BlueCat Networks.

"It is going to be the management of the address space that determines how quickly it happens."

Management can be a challenge because IPv6 addresses are larger than IPv4 addresses and there are exponentially more of them.

As IPv4 addresses start running short, the abundance of new addresses will be a good thing. But administrators will have to resist the temptation to use the new addresses the same way they have used the current generation, said Chip Popoviciu, IPv6 address management expert at Cisco Systems.

"We need to be mindful that this is a large resource, and we need to manage it properly," Popoviciu said.

How large a resource are we talking about? "With IPv6, one subnet is as large as the entire Internet is today," said Sean Siler, Microsoft's IPv6 program manager. "And each agency will have tens of thousands of subnets."

"It's a huge shift in paradigm."

The number of addresses is so large because IPv6 addresses are 128 bits long. The last 64 bits identify a particular device or function rather than a network, but the networking portion is still large enough to provide an almost inexhaustible supply of numbers.

Address groups are described by a prefix length, written as a slash-number such as /48: the number of leading bits that identify the group. The smaller the slash-number, the larger the group of addresses.

"The general size of an address allocation is a /48," said Richard Jimmerson, chief information officer at the American Registry for Internet Numbers (ARIN). "That size allocation includes 65,536 /64 subnets. A /32 address allocation would contain 4 billion subnets."

ARIN is one of five Regional Internet Registries charged with allocating IP addresses.

ARIN serves the United States, Canada, Mexico, much of the Caribbean and the North Atlantic islands. There are separate registries for Africa, the Asia-Pacific region, Latin America, and the region covering Europe, the Middle East and Central Asia. The registries have been issuing IPv6 addresses since 1999. The Euro-Asian registry has been the most active, having allocated 980 address blocks as of January, followed by the Asia-Pacific registry with 515. ARIN has assigned 386 blocks in North America.

Each regional registry sets its own policies for distributing addresses. The Euro-Asian registry has a hierarchical scheme in which address blocks are assigned to local registries, which in turn distribute them to large network users. ARIN has a flatter scheme, intended to make it simpler for users to get addresses directly from the regional registry.

"They decided to make acquisition easier," Jimmerson said. "With IPv6, the biggest concern was getting the address space into the hands of the people using it."

In May, ARIN's board of trustees issued a resolution on IP numbering availability, stating that IPv4 address space was nearing its end and advising the Internet community that "migration to IPv6 number resources is necessary for any applications which require ongoing availability from ARIN of contiguous IP number resources."

U.S. government policy calls for agencies to get their address space directly from ARIN, and Jimmerson said 30 agencies have acquired address space so far, typically a /48 allocation.

"There has been a good amount of activity by government agencies," he said. In addition to getting their addresses, they have been attending the numerous informational meetings and conferences held in the Washington area on the IPv6 transition.

After they acquire the addresses, the next question they face is how to divvy them up.

"With IPv4, you had to be careful about allocating addresses in a network," he said. "With IPv6, you have less to worry about."

There is less worry about running out of addresses.

But there still is a lot to consider. If addressing schemes are not built with an eye to the geography and architecture of a network and how it will use IPv6, administrators might waste network resources with unnecessarily complex routing tables requiring additional routers and slowing throughput.

Most IPv4 addressing schemes were built ad hoc as the Internet and other IP networks grew, with little thought given to an overall architecture.

Available address space was smaller and more easily managed, but this make-it-up-as-you-go process means that administrators are wrestling with inelegant network designs.

Clean slate

"We have an opportunity to build a clean addressing scheme that will let us simplify how we manage networks," Popoviciu said. Administrators should resist the urge to simply plug IPv6 allocations into IPv4 addressing schemes, and this will require educating administrators.

"Education is the long pole in this tent," said Dave West, Cisco's global lead for IPv6.

"It is absolutely critical. They are slowly but surely coming to the realization that they need to step back and think about this."

"Managing IPv6 addresses is not rocket science," said Steve Grobman, director of business client architecture at Intel.

"The management differences are real," he said, "but I don't think they are that different from the other transitions IT has gone through," such as the introduction of TCP/IP and wireless communications into networks. Like a true hardware man, Grobman said, "The good news is that most of the challenges are going to be on the software side."

Most operating systems and networking hardware already have a basic ability to handle IPv6. OMB's position on the transition has been that agencies could achieve this capability through routine upgrades of technology, without a major capital expense. To begin using IPv6 addresses, agencies will need Dynamic Host Configuration Protocol Version 6 (DHCPv6) servers and Domain Name System servers capable of handling IPv6 records.

DHCP provides configuration settings to network devices so they can be reached on the network. If the autoconfiguration capability of IPv6 is used, no DHCP server will be needed.

But if you choose to manage your own addresses, there are DHCPv6 servers available to allow this. There is a debate over the merits of stateful, or managed, addressing using DHCP versus stateless addressing using autoconfiguration.

"Many administrators don't want hosts managing themselves," Siler said. "But there is a time and a place for both stateful and stateless addressing."

Autoconfiguration is at once an advantage and a problem: it opens up the network to outside visibility, enabling flexible, dynamic configurations and peer-to-peer networking. There may be a temptation to use this to ease management burdens, but "the problem is that a lot of people are going to expose a lot more information than they intended," Hyatt said.
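As an added example (not code from the article or from any vendor it quotes), the following Python audits an address inventory for the kind of unintended exposure Hyatt describes: addresses whose interface identifier was derived from a hardware (MAC) address by stateless autoconfiguration. It assumes the modified EUI-64 format (0xFFFE inserted between the halves of the MAC, universal/local bit inverted) and uses a constructed inventory.

```python
import ipaddress

def eui64_mac(addr: str):
    """Return the MAC embedded in addr's interface identifier (IID) if the
    IID has the modified EUI-64 shape (0xFFFE inserted between the two
    halves of the MAC, universal/local bit inverted); otherwise None."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF != 0xFFFE:
        return None  # no ff:fe marker: DHCPv6, manual or privacy address
    b = iid.to_bytes(8, "big")
    first = b[0] ^ 0x02                      # undo the U/L bit flip
    mac = bytes([first]) + b[1:3] + b[5:8]   # drop the ff:fe filler bytes
    return ":".join(f"{x:02x}" for x in mac)

def audit_inventory(records):
    """Flag inventory entries (host, address) whose address embeds a MAC.
    A random IID passes the ff:fe test by chance about 1 time in 65,536,
    so review flagged entries rather than acting on them blindly."""
    flagged = []
    for host, addr in records:
        mac = eui64_mac(addr)
        if mac is not None:
            flagged.append((host, addr, mac))
    return flagged

# Constructed sample inventory (not real hosts): one autoconfigured EUI-64
# address built from MAC 00:11:22:33:44:55, one DHCPv6-assigned address,
# and one address with a random interface identifier.
INVENTORY = [
    ("printer-3", "2001:db8:1:1103:211:22ff:fe33:4455"),
    ("dhcp-host", "2001:db8:1:1103::1a2b"),
    ("laptop-7", "2001:db8:1:1103:3c9e:77a1:5f0d:9b21"),
]

if __name__ == "__main__":
    for host, addr, mac in audit_inventory(INVENTORY):
        print(f"{host}: {addr} embeds hardware address {mac}")
```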

For this reason, Siler said he believes that stateless addressing will not be used widely in managed enterprises as IPv6 is implemented.

The more managed allocation of addresses using DHCP will be a better fit with existing security models.

But IP addresses are too easily spoofed to be good security identifiers. As large numbers of new devices are added to networks and as security policies and tools are adapted to IPv6, DHCP will become less necessary.

"As time goes by, I believe that stateless addressing will start to be introduced into the enterprise," Siler said. "It will come very slowly, but it will come."

Room to hide

The question of Network Address Translation remains to be answered. NAT has been used to stretch the more limited IPv4 address space by enabling the use of private addresses inside a network. But it also has the effect of putting another wall between your internal network and prying eyes on the outside. NAT may not be necessary on an IPv6 network. "But if you remove it, you are beginning to expose what your network looks like," Hyatt said. "It might not be that great when you come to think of it."

However, the sheer size of the IPv6 address space might help mitigate the problem of visibility by providing room to hide. "With IPv4, a typical subnet has about 254 hosts," Siler said.

That's the number most people work with, and that size defines the number of servers, firewalls, routers and other devices on the subnet and where they are deployed. For convenience's sake, most administrators probably will stick to that model, he said. But they will be distributing those hosts through a vastly larger subnet.

Assigned addresses can be clustered closely together for easier management, or they can be distributed widely through a 4-billion-address subnet, effectively hiding them from outside scans. This can be a security asset, but it also can make devices harder for administrators to find.

Managed devices can be located on a network, but unmanaged and mobile devices can easily be lost in this space, putting a premium on a good addressing scheme and good record-keeping.

"Tracking addresses and their users will generate a lot of data to be managed," Hyatt said. "It's going to create a real problem, keeping and using those amounts of data."

"An important consideration is top-down addressing," Siler said. It is going to be important for one person to get a large address block and to suballocate it to other organizations within the department to facilitate this record-keeping. This also can enable simpler routing tables, which will allow more efficient routing, improved security and easier network monitoring. A fragmented routing table slows throughput.
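As an added example (not from the article or from any organization it quotes), the following Python uses the standard ipaddress module to check the subnet counts Jimmerson cites for a /48 and a /32, and then carves a /48 top-down, as Siler recommends, into bureau, site and LAN prefixes so that the agency core carries one aggregate route per bureau. The agency prefix 2001:db8:1::/48, the bureau names and the 4/4/8-bit split of the subnet field are constructed assumptions.

```python
import ipaddress
from itertools import islice

def subnet_count(prefix: str, subnet_len: int = 64) -> int:
    """Number of subnets of length subnet_len that fit in prefix."""
    net = ipaddress.IPv6Network(prefix)
    if subnet_len < net.prefixlen:
        raise ValueError("subnet is larger than the allocation")
    return 2 ** (subnet_len - net.prefixlen)

def plan_agency(agency_prefix: str, bureaus, sites_per_bureau: int,
                lans_per_site: int):
    """Carve an agency /48 top-down: /52 per bureau (4 bits), /56 per site
    (4 bits), /64 per LAN (8 bits). Returns one registry record per
    allocation so the address plan doubles as the record-keeping."""
    agency = ipaddress.IPv6Network(agency_prefix)
    if agency.prefixlen != 48:
        raise ValueError("expected a /48 agency allocation")
    if len(bureaus) > 16 or sites_per_bureau > 16 or lans_per_site > 256:
        raise ValueError("hierarchy level exceeds its 4/4/8 bit budget")
    records = []
    for bureau, bnet in zip(bureaus, agency.subnets(new_prefix=52)):
        records.append({"bureau": bureau, "site": None, "lan": None,
                        "prefix": bnet})
        sites = islice(bnet.subnets(new_prefix=56), sites_per_bureau)
        for s, snet in enumerate(sites):
            site = f"{bureau}-site{s}"
            records.append({"bureau": bureau, "site": site, "lan": None,
                            "prefix": snet})
            lans = islice(snet.subnets(new_prefix=64), lans_per_site)
            for n, lan in enumerate(lans):
                records.append({"bureau": bureau, "site": site,
                                "lan": f"lan{n}", "prefix": lan})
    return records

def core_routes(records):
    """Routes the agency core must carry: one aggregate per bureau. Every
    site and LAN prefix falls inside its bureau /52, so the core never
    needs per-LAN routes, however many LANs are added later."""
    bureau_prefixes = [r["prefix"] for r in records if r["site"] is None]
    for r in records:
        if not any(r["prefix"].subnet_of(b) for b in bureau_prefixes):
            raise ValueError(f"{r['prefix']} is outside every bureau block")
    return bureau_prefixes

if __name__ == "__main__":
    print(subnet_count("2001:db8::/48"), subnet_count("2001:db8::/32"))
    plan = plan_agency("2001:db8:1::/48", ["hq", "field"], 2, 4)
    print(len(plan), "allocations;", len(core_routes(plan)), "core routes")
```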

And finally, IPv6 will have to be managed alongside IPv4 as long as both protocols continue to be used on the same networks.

"It's more overhead until we can get rid of IPv4, and that's not going to be in the near future," Siler said.

"The opportunities for new applications, efficiencies and flexibility offered by IPv6 will make it worth our while to address these issues," Popoviciu said. "After all, we did this for the addressing," he said. "Why not make sure we do it right, now that we have the addresses in hand?"
