eSecureData Inc.

Premise

What is IPv6 and how does it affect you? If you’ve got a website or web business operating on IPv4, you already know that IPv6 is coming and you’ll need to be prepared for it. In this paper we’ll explain what IPv6 is, how it fits into current Internet designs, and what needs to be done to prepare for its adoption.

What is IPv6?

IPv6 is a new and improved Internet Protocol that that is intended to replace the current Internet Protocol, IPv4. IPv6 is designed to accommodate the continued growth of the Internet by allowing for vastly increased address space^[1] .

Work on IPV6 started in the 90s and the standard was completed in 1998. IPv6 addresses are 4 times as long as IPv4 addresses, so we move from an internet with 4.3 billion addresses using IPv4 to 340,282,366,920,938,463,463,374,607,431,768,211,456 or 2128 addresses using IPv6. That’s 3 with 38 zeroes^[2] .

In simple terms, IPv6 is a separate Internet that runs on the same hardware and wiring that the current IPv4 Internet runs on. The protocols are different, however, and IPv6 can’t naturally talk to IPv4 or vice versa, without some additional work^[3] . We will discuss this further later in the paper.

IPv4

IPv4 is an Internet Protocol that forms the basis of the current Internet. It was created in 1981 and the 4.3 billion addresses available under that protocol are almost all allocated. This is the primary driving issue leading us to move away from IPv4. At this stage, smaller and smaller blocks of addresses are available for allocation. At the same time, with such a huge installed base (essentially the entire existing internet) IPv4 will not disappear anytime soon^[4] .

Allocations of IPv4 addresses started to dry up in early 2011 with the last allocation by the Internet Assigned Numbers Authority (IANA) given to AFRINIC, the African Internet Authority. Since then regional sub authorities have been phasing down their allocations as they too run out of numbers to assign. Today in excess of 95% of addresses are assigned^[5] ^[6] .

IPv6 Today

IPv6 is native to most operating systems today, but Internet providers generally default to providing only IPv4 functionality to clients^[7] . Despite this, Google reports that over 3.5% of its searches now take place over IPv6, and that number is growing exponentially^[8] .

Aside from the challenges posed by slow adoption by Internet providers, IPv6 also faces some challenges from incomplete implementations on some operating systems^[9] ^[10] . Android is not yet supporting a few functions such as DHCPv6 and ND-RDNSS, and Windows Phone 7.5 did not support IPv6 at all. Windows Phone 8 does, however.

IPv6 Addresses Explained

IPv6 has much longer addresses than IPv4. Accordingly there are a few tricks to keep them manageable. IPv6 uses 8 hexadecimal groups of 4 so a basic address could look like this:

12ef:0000:2303:0005:0000:0000:0000:57af

A couple of shortcuts: first, you can drop leading zeros in any block of 4. Second, you can compress groups of contiguous zeros (in one spot only) by putting 2 colons together so you could change the former address to this: 12ef:0:2303:5::57af^[11] .

There are also several reserved address ranges. Addresses beginning with fe80 are local unicast addresses. Addresses beginning with ff01 to ff08 are multicast addresses. Private network addresses are fd70:7dc0:e89f:1b75:xxxx:xxxx:xxxx:xxxx. The loopback address is ::1.

Generally, the first 48 bits are the network prefix, the next 16 bits are the subnet id, and the last 64 bits are the interface identifier (also known as the device identifier)^[12] .

Autoconfiguration

One of the challenges faced under IPv4 is address assignment. Under IPv4, network administrators solve this problem with protocols such as DHCP which assign IP addresses to new devices when they’re plugged in to a network. This relies on a server somewhere on the network which has a pool of available IP addresses that it can assign to devices on that network. IPv6 has a similar protocol called DHCPv6 which relies on a server with a pool of available addresses, but it also has autoconfiguration capability to allow devices to configure themselves on a network without any server-side configuration at all. This removes the need for the configuration and maintenance of DHCP services^[13] .

Renumbering

Under IPv4, once addresses are assigned, there is no easy way to change them without configuring each device manually. This can pose a challenge to network administrators as needs and designs change. Under IPv6, network administrators can renumber and reassign segments of networks by setting expiration times on network prefixes which forces periodic auto-configurations. They can then set new prefixes for the devices to use during their next autoconfiguration, and devices can maintain both old and new addresses for a limited period of overlap^[14] .

Communication between IPv6 and IPv4

IPv6 and IPv4 can both run on the same physical network at the same time, but these two networks don’t talk to each other without additional work. Since the current Internet is overwhelmingly IPv4, it is essential for any IPv6 migration to incorporate some mechanism to communicate with the existing IPv4 internet^[15] .

NAT64 is a commonly used protocol for making the IPv4 Internet available to devices on the IPv6 Internet. This is done by implementing a single device on the IPv6 network that does NAT, or Network Address Translation, to the IPv4 Internet. Devices on the IPv6 network have only IPv6 addresses, but their traffic is translated to IPv4 as needed to go out to that network and retranslated back to IPv6 when it returns.

Dual stack is another commonly used method to get the two networks talking, but it takes a very different approach. On a Dual Stack network, each device on the network has software implemented that lets it communicate using either IPv4 or IPv6, and each device on the network is assigned both IPv4 and IPv6 addresses. Dual stack is currently the more common approach, as it allows networks to migrate slowly to IPv6 in a controlled manner^[16] .

IPv6 and Security

Many people are concerned about the security challenges posed by IPv6, mainly because it’s so new that nobody is really sure yet what those challenges will be. We do know that IPv6 improves security in some primary ways. The IPv6 network, rather than being target rich like the IPv4 network, is very sparsely populated, with billions of unused addresses for every utilized address. This makes life more complicated for automated hunting programs^[17] . Some estimates suggest that using current hunting techniques, it would take hundreds of years to even find a potential target in IPv6, and this is before you could even begin to explore vulnerabilities on that target. IPv6 also has IPSec security built in natively, rather than being an add on as it is under IPv4^[18] .

Summary

IPv6 is here and growing. eSecureData has taken steps to ensure that our clients are positioned to run IPv6 while retaining full IPv4 functionality. We are implementing both NAT64 and Dual Stack to make the transition seamless, and our staff is trained and ready to assist in migrating sites to IPv6. If you are interested in a secure hosting environment with IPv6 already implemented, take a look at the eSecureData website at www.esecuredata.ca.