FRAMINGHAM, Mass. — For 15 years, Internet engineers and policymakers have been publicizing the need to upgrade the ‘Net’s current addressing scheme — known as IPv4 — to handle the network of networks’ explosive growth.
Yet many U.S. CIOs and CTOs continue to harbour misinformation that they use to justify why they are not adopting the next-generation IPv6 standard.
This issue is significant because the Internet is running out of IPv4 addresses. IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. The non-compatible replacement protocol, IPv6, uses 128-bit addresses and supports a virtually unlimited number of devices.
Here is a list of the biggest misconceptions about IPv4 depletion and IPv6 deployment that we’ve read or heard in recent weeks:
1. The Internet still has plenty of IPv4 addresses.
Whether you think the Internet has run out of IPv4 addresses depends on where you live in the world and how fast your network is growing.
In early February, the free pool of unassigned IPv4 addresses was depleted when the Internet Assigned Numbers Authority (IANA) delegated the last five blocks of IPv4 address space – each with around 16.7 million addresses – to the five regional registries. The registries are expected to dole out the majority of these IPv4 addresses to carriers in 2011.
Over the next few months, it will become increasingly difficult for mobile and broadband carriers with fast-growing networks to acquire the blocks of contiguous IPv4 address space that they need to build out their networks.
Some carriers are predicting massive IPv4 address shortages this year.
Most U.S. companies that do business on the Internet have a limited number of IPv4 addresses. The day is fast approaching when these companies will need IPv4 addresses and be unable to get them from their carriers. That will be the day when their CIOs realize the Internet has run out of IPv4 addresses.
2. My company doesn’t need to adopt IPv6 yet.
An IT executive at a company that operates a string of Web sites and earns more than US$100 million in annual revenues recently said that the business case “hasn’t been made” for adopting IPv6. This company has not begun any development work on IPv6, nor has it earmarked funds in this year’s budget for such work.
This executive is under the false impression that IPv6 is an upgrade that can be postponed.
John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), says all companies that do business over the Internet should support IPv6 on their public-facing Web servers and Web services by Jan. 1, 2012 or risk losing potential customers.
Similarly, the Obama Administration has mandated that all U.S. federal agencies upgrade their public-facing Web sites and services to support IPv6 traffic by Sept. 30, 2012. [A spokesman for Canada’s chief information officer said Thursday that the Treasury Board is working with federal departments to define a path and timelines for migrating to IPv6.]
The depletion of the IPv4 free pool “is a wake-up call,” says Chris Davis, senior director of corporate marketing communications at NTT America, a leading provider of IPv6 transit and access services in the United States. “If you haven’t taken this seriously, you better start. If you don’t have a transition plan in place, you better make one…IPv6 is a reality.”
Part of the foot-dragging is the result of U.S. CIOs falsely believing that their carriers will take care of IPv6 transition for them. That’s not going to happen. Enterprises must IPv6-enable their own Web content through the deployment of native IPv6 or an IPv6-to-IPv4 translation mechanism on the front end of their Web servers.
3. A lucky Internet user will get the last IPv4 address.
Experts predict that the Internet will run out of IPv4 addresses many months from now and in a different fashion than the receipt of a winning lottery ticket.
For U.S. companies, IPv4 depletion will occur in 2011. ARIN says it has around 80 million IPv4 addresses left and expects to run out of these addresses within nine months.
Another reason that one lucky Internet user won’t get the last IPv4 address is that carriers are likely to share these increasingly scarce resources among multiple users. So even if you could figure out who got the last IPv4 address from a particular carrier in a particular region, the address would likely be shared among multiple users.
It’s also possible that unused IPv4 addresses will be returned to regional registries and recycled, but that will only stave off IPv4 depletion for a few more months.
4. A black market will emerge for IPv4 addresses.
Experts say a black market isn’t likely to emerge for IPv4 addresses because the regional Internet registries have created legal ways for organizations to transfer – or even sell – their unused IPv4 addresses.
ARIN, for example, has a process set up that allows network operators to apply for IPv4 address transfers much as they apply for new IPv4 addresses. In either case, network operators must show they have plans to use the IPv4 addresses to provide network services and not to hoard them for future use.
The regional Internet registries are considering a new policy that will allow for IPv4 address space to be transferred from one region to another.
“North America has a large amount of address space issued in the early days of the Internet,” Curran says. “Those resources should be available to the entire Internet community. I expect we’ll see interregional transfers.”
Raul Echeberria, chairman of the Number Resource Organization, which represents the five regional Internet registries, admits that a black market for IPv4 addresses is a possibility but says that he is not sure it will evolve because of the existing rules for IPv4 address transfers. But he adds that the value of IPv4 addresses will decline as network operators adopt IPv6, making this black market less attractive.
5. IPv6 is more secure than IPv4.
IPv6 proponents say that one of the new protocol’s benefits is that it has built-in support for IP Security (IPsec), an Internet security standard that allows for authenticated and encrypted communications between two end points. But experts say that IPv4 supports IPsec well enough that security isn’t an advantage of IPv6.
“It’s a myth that IPv6 is more secure than IPv4,” says Qing Li, chief scientist for Blue Coat Systems, which supports IPv6 in its network appliances. “IPv6 was designed to facilitate the implementation of IPsec better, it allows IPsec to operate better, but that’s just a facility … It doesn’t mean that IPv6 by itself is more secure.”
IPv6 is likely to make the Internet less secure, not more secure, in the near term. That’s because so many network operators are going to upgrade to the relatively unproven IPv6 technology at the same time.
Another issue is that there are few network engineers with the know-how and experience to secure IPv6 networks.
Also, security vendors are not providing the same number of features or the same level of performance in their IPv6 products as they offer in their IPv4 products.
“If your network vendor told you they have complete parity between IPv4 and IPv6, that’s a myth,” says Danny McPherson, CSO for VeriSign, operator of the .com and .net domains and a leader in IPv6 deployment. “It’s highly unlikely that most of the commercial products have realized the scale and capability with IPv6 that’s on par with IPv4.”
McPherson says deploying IPv6 will create new vulnerabilities for network operators. For example, the Internet will have more translation devices that can attract distributed denial-of-service attacks or be single points of failure. Also, network operators will have less visibility into Internet traffic patterns, so it will be harder for them to find threats like botnets.
“There’s going to be some window of vulnerability until we get up to speed with IPv6. The sooner we get past that the better,” McPherson says. He adds that “if you enable IPv6 on your network, you better make sure you have the same controls and countermeasures that you have for IPv4.”
6. IPv6 will make the Internet simpler.
IPv6 offers the promise of end-to-end communications with the removal of network address translation (NAT) devices and other middle boxes that were necessary to extend the life of IPv4’s limited addressing scheme.
But in reality, network operators are going to have to run IPv6 and IPv4 side by side for years – if not decades – to come. This lengthy co-existence of the two protocols is going to make network management more complex for the foreseeable future.
Network operators must run both protocols because IPv6 is not backwards compatible, a reality that many CIOs and CTOs just don’t believe possible. Indeed, the Internet engineering community has said that its biggest mistake in the design of IPv6 is that it is not backwards compatible with IPv4.
IPv6 was once touted as the end of network address translation (NAT) devices, which Internet purists hate because they interrupt IP communications midstream. But network operators have delayed upgrading to IPv6 for so long that now they will need to rely on carrier-grade NATs and other IPv6-to-IPv4 translators to accommodate a rise in IPv6 network traffic that is expected to start within the next 12 months.
“Most of the transition technologies are either NATs themselves or are designed to work through NATs,” Liu says. “Teredo [an IPv6-over-IPv4 tunneling technology] is designed to work through NATs. NAT64 [an IPv6-to-IPv4 translation scheme] is a NAT technology. I don’t think NATs are going away anytime soon.”
(From Network World U.S.)
(With a file by Howard Solomon, Network World Canada)