IPv6 Adoption: 4 Questions and Answers
IPv6 deployment is on the rise. Google reported that as of July 14, 2018, 23.94 percent of users accessed its site via IPv6, up 6.16 percent from that same date in 2017. Drafted in 1998 and an Internet Standard as of July 2017, Internet Protocol 6 (IPv6) is intended to replace IPv4 in assigning devices on the internet a unique identity. Plans for IPv6 got underway after it was realized that IPv4's cap of 4.3 billion addresses would not be sufficient to cover the number of devices accessing the internet. This blog post is the first in a series aimed at encouraging IPv6 adoption, whether at the enterprise-wide level, the organizational level, or the individual, home-user level.
In the SEI's CERT Division, we help federal government agencies address the differing security requirements involved in moving from IPv4 to IPv6. These questions and answers arose through our work in engineering test and security evaluation labs for IPv6. The federal government is already mandated to make the conversion, and many of the best practices we've developed to improve security at the government level are just as applicable in business or home environments.
This blog series is intended to combat the 'fear of the unknown' regarding IPv6 adoption. Our posts cover various aspects of IPv6 deployments, with the goal of helping organizations feel more 'free' to choose to adopt IPv6 ahead of that eventual requirement to convert. In our experience, it's almost always better to make these major changes on your own schedule rather than on an externally imposed deadline.
In this first blog post, we'll explain why IPv6 conversion is an eventuality: maybe not today or tomorrow, but an eventuality nonetheless. In future posts, we'll look at specific aspects of the conversion in more detail, including
- The effects of IPv6 adoption and how your organization accesses the Internet
- The effects of IPv6 on how your external target audience(s) access your organization's online assets
- IPv6 and how it changes your internal networks
- Changing security requirements in an IPv6 world
First question: Why does IPv6 even exist?
To answer that question, let's go back to the 1960s, when the Defense Advanced Research Projects Agency (DARPA) was looking for a communication solution that would be more survivable than the existing point-to-point analog communication networks of the time. In its work, DARPA adopted a packet-switched model (back when packet switching was in its infancy) because it offered more self-healing properties than hard-wired circuit-switched connections. Given a connectivity mesh, the thought was that a packet-switched network could adapt to link outages by finding alternate paths within the mesh to maintain necessary communications during wartime.
The resulting network was named ARPANET. This network development occurred years before industry standards existed, so researchers were free to try new approaches. One of these concepts was a network of networks to connect sites together into an internetwork. An Internet Protocol (IP) suite developed by Robert Kahn and Vint Cerf supported this internetworking concept and was adopted as an interim ARPANET standard. The rest, of course, is history: ARPANET grew to connect research universities as the National Science Foundation's NSFNET, which then began a slow adoption in the commercial world in the late 1980s and early 1990s.
Suffice it to say the adoption of the internetworking concept and the Internet Protocol vastly exceeded anyone's wildest dreams. Due to that success, however, the industry has spent decades extending the life of IP version 4, though it was realized that IPv4 could not be indefinitely extended to cover the needs of the future. IPv6 was developed as the next-generation solution to support continued growth of the Internet. (For a more detailed history, see https://www.internetsociety.org)
Second question: Isn't IPv4 still working?
Yes, it is, for those who already have addresses. But we actually HAVE run out of IPv4 addresses. As reported in The Internet Protocol Journal (September 2017, page 28),
...the major hiatus in the supply of additional IPv4 addresses commenced in 2011 when the central Internet Assigned Numbers Authority (IANA) pool of unallocated IPv4 addresses was exhausted. Progressively the Regional Internet Registries (RIRs) ran down their general allocation address pools: Asia Pacific Network Information Centre (APNIC) in April 2011, Réseaux IP Européens Network Coordination Centre (RIPE NCC) in September 2012, Latin America and Caribbean Network Information Centre (LACNIC) in 2014, and American Registry for Internet Numbers (ARIN) in 2015.
The American Registry for Internet Numbers (ARIN) created specific rules (and a listing service) for IPv4 address transfers. There is also a waiting list for IPv4 addresses as they become available. As of this blog post, there were more than 200 pending requests for address allocations, with approximately a one-year waiting time to receive an allocation.
As demand continues to grow and supply continues to decrease, it will be harder and harder to get an IPv4 address on demand at ANY price. This lack of supply will affect
- large-scale users who need extensive address blocks to service their public-facing resources (both because of the shortage of addresses and because of a shortage of contiguous address blocks: even when large users get the number of addresses they need, it's highly likely they will get a jumble of smaller address blocks rather than one single block, which complicates routing and similar issues)
- small to medium businesses (SMBs) who will find it hard (or at least expensive) even to get an IP address for receiving inbound email
- individuals who may have difficulty getting a public-facing IPv4 address to maintain compatibility with their home IPv4 networks, which can complicate edge router configurations (see https://www.ripe.net/publications/docs/ripe-631 and https://whatismyipaddress.com/ipv6-issues) and peer-to-peer gaming (https://www.ipv6.com/gaming/ipv6-and-the-world-of-gaming/)
Third question: With all these problems, why is no one moving to IPv6?
The truth is that many people ARE using IPv6. In fact, according to Google's own statistics, the percentage of users accessing Google over IPv6 has been trending upward since 2011, reaching almost 24 percent at the time of this writing. (View current statistics.)
Where is all this growth coming from? Well, if you have a smartphone, and you are on your cellular connection, then you are part of that growth. There are multiple websites that will display the address you are connecting with: I use whatismyip.com (as an example). My cellular connection has been using IPv6 for years now, and yours probably does too.
Other change agents? The U.S. government (including the Department of Defense) required any equipment purchased from 2009 on to be IPv6-capable, which essentially made all commercial/industrial-grade equipment on the market IPv6-capable.
This federal mandate also applied to operating systems. With Windows as the dominant operating system for Internet-connected systems, it is significant that all Microsoft operating systems sold since Windows Vista (including server systems) are not only IPv6-capable but also come with IPv6 enabled by default. Going a step further, these same Microsoft products actually prefer IPv6 over IPv4 when running in their default dual-stack mode, with both IPv4 and IPv6 enabled.
Fourth question: How does IPv6 adoption vary by country?
The Google statistics site cited earlier has a second tab with general information on worldwide IPv6 adoption, but more detailed information is available in a report site from Akamai. As of August 2017, eight countries are above 20 percent IPv6 traffic, led by Belgium with more than 46 percent of all traffic, and the United States at more than 40 percent. A different tab displays ISPs, with five cellular providers and four cable companies in the top 10 list.
Another measure of IPv6 adoption is how many web sites are now being resolved in domain name system (DNS) by their IPv6 records (an AAAA record; see www.rfc-editor.org/rfc/rfc3596.txt). As reported by the Internet Society, more than 9 million domain names had IPv6 resolution as of May 2017. Akamai reports that IPv6-generated DNS queries grew from monthly totals of 171 billion transactions in January 2016 to more than 530 billion transactions in May 2018.
While major local infrastructure migrations are lagging, both in and out of government, it is noteworthy that some significant migrations have begun, including the Social Security Administration and NASA. As stated earlier, moreover, cellular providers and cable communications providers have made major investments in IPv6 infrastructures.
As a final note, a conversion to IPv6 will involve more than just changing IP addresses:
- IPv6 uses different methods for automatic host IP assignment (it's much different from IPv4's Dynamic Host Configuration Protocol [DHCP])
- Host-name resolution becomes more complicated, as you need a DNS service that supports both IPv4 address resolution (for accessing legacy sites) and IPv6 name resolution for the IPv6 assets in your network and on the wider IPv6 Internet
- Edge routers and Internet Service Providers (ISPs) must support IPv6 addresses and IPv6 services and routing protocols
- Network security configuration and monitoring should now cover both IPv4 and IPv6, as you will likely be supporting both traffic streams from the Internet, even if your internal infrastructure is totally migrated to IPv6.
- You may need to delay conversion to IPv6 if legacy hardware or software can't support IPv6, so you should take a thorough inventory of all IT assets before reaching a 'point of no return' in conversion where you're forced into hard choices involving complete rollbacks or the loss of some functionality.
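To illustrate the dual-stack monitoring point in the list above, the following Python example (added here, not part of the original post) matches log source addresses against a watchlist that covers both address families, including IPv4 clients that a dual-stack listener records in IPv4-mapped form. The names `WATCHLIST`, `SAMPLE_LOG`, `normalize` and `scan`, the log format, and all addresses are constructed for the example.

```python
import ipaddress

# Watchlist a defender maintains; it must carry entries for BOTH families.
# Constructed sample values from the documentation ranges (RFC 5737 / RFC 3849).
WATCHLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:bad::/48")]

# Constructed log lines: "<source address> <request>", as a dual-stack listener
# might record them. IPv4 clients can appear in IPv4-mapped form (::ffff:a.b.c.d).
SAMPLE_LOG = """\
198.51.100.7 GET /login
::ffff:198.51.100.9 GET /admin
2001:db8:bad:1::5 GET /login
2001:0DB8:0BAD:0002:0000:0000:0000:0001 GET /
203.0.113.4 GET /
2001:db8:1::1 GET /
not-an-address GET /
"""

def normalize(text):
    """Parse an address string; unwrap IPv4-mapped IPv6 to plain IPv4."""
    addr = ipaddress.ip_address(text.strip("[]"))
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def scan(log_text, watchlist=WATCHLIST):
    """Return (hits, unparsed): watchlist matches and lines with no valid address."""
    hits, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = line.split(maxsplit=1)[0]
        try:
            addr = normalize(src)
        except ValueError:
            unparsed.append(line)   # surface it; never drop silently
            continue
        # Membership is family-aware: a v4 address never matches a v6 network.
        for net in watchlist:
            if addr in net:
                hits.append((str(addr), str(net)))
                break
    return hits, unparsed

if __name__ == "__main__":
    hits, unparsed = scan(SAMPLE_LOG)
    for addr, net in hits:
        print(f"watchlist hit: {addr} in {net}")
    print(f"{len(unparsed)} line(s) without a parsable source address")
```

Plain string comparison would miss the second and fourth sample lines, which is why the addresses are parsed and normalized before matching.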
In the next post in this series, I will discuss the effects of IPv6 adoption and its impact on how organizations access the internet.
View my SEI Cyber Minute, Preparing for IPv6 Enterprise Deployment.