By Carl Weinschenk (Part 2 of 3)
The current Internet addressing scheme is expected to become obsolete in 2012. In the second post of his 3-part series for SHARE President’s Corner, veteran tech writer Carl Weinschenk explores why businesses must transition to Internet Protocol version 6 (IPv6).
All Roads Lead to IPv6
Transitioning from IPv4 to IPv6 can be compared to adding lanes or otherwise rebuilding an indispensable highway: A way must be found to do the work without stopping — or even significantly disrupting — the flow of traffic.
There are three basic approaches to the transition: dual stack, tunneling and translation. The method experts call the most elegant, “dual stack,” is also the most popular. Perhaps the most influential proponent of dual stack is Comcast Cable. Comcast, the biggest cable company in the United States, is credited by industry observers with recognizing the importance of IPv6 and proactively taking steps to make it real.
Dual stack, as the name implies, is the use of IPv4 and IPv6 silos that are completely independent of each other. The nature of the arriving packet is assessed and treated accordingly. The decision to treat the packet as IPv4 or IPv6 is made at layer 2 of the Open Systems Interconnection (OSI) protocol stack. A frame format called an “Ether type” tells the system the nature of the packet with which it is dealing, according to Dr. Ciprian (Chip) Popoviciu, the President and CEO of Nephos6, a technology consulting firm that helps companies use the transition to IPv6 to introduce or expand their cloud presence.
Comcast started commercial rollout of dual stack late last year. John Jason Brzozowski, Comcast’s Principal Engineer/Architect, would not comment on the progress the cable operator is making, but said that “things are in the hopper” for the near future.
Brzozowski said Comcast’s implementation is a two-phase operation. The initial step is to IPv6-enable PCs. The second phase is to enable routers and other devices “behind” that computer in the home to use IPv6. “IPv6 is not a technology that can be introduced in a flash cut,” he said. “It is incrementally introduced over a period of time.”
Popoviciu said that dual stack, the recommended approach, offers two big advantages: It is simpler than the other approaches and it allows discrete management of the traffic on both networks. The downside of dual stack is fairly simple: Running two networks means more spending on software, personnel and training. Popoviciu said that the IPv4 equipment in place often can host the dual stack. In some cases, however, the hardware will need to be replaced.
The second group of options is a set of variations on the theme of tunneling. It is possible to place IPv6 packets into IPv4 “wrappers.” Those wrappers are read by the routers, switches, session border controllers and other devices that traffic packets. In networks that use multiprotocol label switching (MPLS), the IPv6 packet can be assigned a label to use as its hall pass through the network. Which of these approaches is optimal depends on the specific attributes of the network.
The downside of tunneling is deeply related to its advantages: Since the IPv6 packet in essence is hidden within the IPv4 packet, it is harder to manage, scale and track traffic, according to Popoviciu. “The overlay that is created with tunnels can be difficult to manage,” he said. “There is no clear understanding of how packets go through the network.”
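The layer-2 dispatch described for dual stack and the IPv4 “wrapper” described for tunneling can both be seen in one short classifier. This is an added example, not code from the article or from any vendor it names; it assumes the standard EtherType values (0x0800 for IPv4, 0x86DD for IPv6), IPv4 protocol number 41 for an encapsulated IPv6 packet, and sample frames built from documentation addresses.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100  # EtherType values
PROTO_IPV6_IN_IPV4 = 41  # IPv4 protocol number for an encapsulated IPv6 packet

def v6_packet(src, dst):
    """Constructed sample: bare 40-byte IPv6 header, next header 59 (none)."""
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def v4_packet(src, dst, proto, payload=b""):
    """Constructed sample: 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def eth_frame(ethertype, payload):
    """Constructed sample: zeroed MAC addresses plus the EtherType field."""
    return bytes(12) + struct.pack("!H", ethertype) + payload

def v6_endpoints(pkt):
    """Return (source, destination) from a fixed IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    return str(ipaddress.IPv6Address(pkt[8:24])), str(ipaddress.IPv6Address(pkt[24:40]))

def classify_frame(frame):
    """Dispatch on EtherType, then look inside IPv4 for a tunneled IPv6 packet."""
    if len(frame) < 18:
        raise ValueError("truncated frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_VLAN:  # one 802.1Q tag: the real EtherType follows it
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    pkt = frame[offset:]
    if ethertype == ETH_IPV6:
        return ("ipv6",) + v6_endpoints(pkt)
    if ethertype == ETH_IPV4:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            raise ValueError("not an IPv4 header")
        ihl = (pkt[0] & 0x0F) * 4  # header length in bytes, options included
        if pkt[9] == PROTO_IPV6_IN_IPV4:  # report the hidden inner endpoints
            return ("ipv6-in-ipv4",) + v6_endpoints(pkt[ihl:])
        return ("ipv4", str(ipaddress.IPv4Address(pkt[12:16])),
                str(ipaddress.IPv4Address(pkt[16:20])))
    return ("other", hex(ethertype), None)
```

A monitor that stops at the outer IPv4 header sees only the tunnel endpoints; reporting the inner IPv6 source and destination is what restores the visibility that tunneling takes away.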
The final option is translation. This is the process of intercepting IPv6 traffic and transcoding it to IPv4 before it reaches legacy gear. Translation, according to Popoviciu, is a stopgap solution. The big drawback is that it depends upon asymmetrical mapping between very small and very large address spaces, a cumbersome approach that doesn’t scale well.
Whatever approach is taken, the panacea for insiders is to combine the transition to IPv6 with address mapping to ease the implementation of security, quality of service and other policy-based attributes. Put more simply: Controlling precisely which addresses are given to disparate groups of users can drive efficiency.
For instance, a certain range of IPv6 addresses could be associated with users who have the right to access an organization’s daily sales results and other sensitive data. If a request comes from outside that range, that could be a yellow flag for security personnel. In a hospital setting, a set range of IPv6 addresses could be assigned to tablets and other communications devices and another set to patient monitoring equipment. That organization could help streamline management and, ultimately, save money and improve services.
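The “yellow flag” check described above, as an added example that is not from the article: requests are compared against an address plan by parsing each address rather than matching text, because one IPv6 address has many spellings and a textual prefix can match the wrong network. The prefixes (taken from the documentation range 2001:db8::/32), group names, resource path and log lines are all constructed for illustration.

```python
import ipaddress

# Assumed address plan inside the documentation prefix 2001:db8::/32;
# group names, prefixes and the resource path are hypothetical.
ADDRESS_PLAN = {
    "finance": ipaddress.ip_network("2001:db8:10::/48"),
    "tablets": ipaddress.ip_network("2001:db8:20::/48"),
    "monitors": ipaddress.ip_network("2001:db8:30::/48"),
}
RESOURCE_POLICY = {"/reports/daily-sales": {"finance"}}

# Constructed log lines: "<source address> <resource>"
SAMPLE_LOG = """\
2001:db8:10::a1 /reports/daily-sales
2001:0DB8:0010:0000:0000:0000:0000:00B2 /reports/daily-sales
2001:db8:20::17 /reports/daily-sales
2001:db8:100::5 /reports/daily-sales
::ffff:192.0.2.44 /reports/daily-sales
not-an-address /reports/daily-sales
"""

def group_of(addr):
    """Return the plan group whose prefix contains addr, or None."""
    for name, net in ADDRESS_PLAN.items():
        if addr in net:
            return name
    return None

def flag_requests(log_text):
    """Return (source, resource, reason) for every request outside policy."""
    flagged = []
    for line in log_text.splitlines():
        source, resource = line.split()
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            flagged.append((source, resource, "unparseable source"))
            continue
        if addr.version == 6 and addr.ipv4_mapped is not None:
            # An IPv4 client seen through a dual-stack socket: outside the plan.
            flagged.append((source, resource, "IPv4-mapped source"))
            continue
        group = group_of(addr)
        if group is None:
            flagged.append((source, resource, "address outside the plan"))
        elif group not in RESOURCE_POLICY.get(resource, set()):  # default deny
            flagged.append((source, resource, f"group {group} not permitted"))
    return flagged
```

The fourth sample line, 2001:db8:100::5, begins with the same characters as the finance prefix 2001:db8:10 yet lies outside it, which is the case a string comparison gets wrong.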
A final major concern is security. Eric Vyncke, a Distinguished System Engineer for Cisco, said that the security of systems running IPv6 and IPv4 is on par. There is, however, a lack of IPv6 training at the security personnel, network engineering or application development level. An example is that firewall configurations differ between the two protocols. Not paying attention to those differences can lead to problems. In general, security concerns run in tandem with the nature of the approach. For instance, dual stack techniques enable hackers to attack both stacks simultaneously. Tunneling, since it relies in essence on hiding IPv6 packets, makes it difficult to trace an attack.
Organizations must pay close attention to security issues. Laura Knapp, the Worldwide Business Consultant for Applied Expert Systems and SHARE’s Project Manager for Communications Technology, said that crackers – malicious hackers – will take aim at IPv6 as soon as it grows common enough to make cracking it pay. Crackers also like challenges, she added. One possible attack, Knapp said, is to distribute auto configuration information that routes packets to infected servers. “That means employees may get to a server that has malware on it that can infect the network,” she said.
Though it will be provisioned in multiple ways, IPv6 clearly is the wave of the future. Mainframes, as the hub from which many spokes emanate, will play a key direct and indirect role in the landscape. Mainframes will use IPv6 internally and will send and receive data directly or through intermediate interfaces to networks that use the new addressing scheme.
In the next installment, Carl Weinschenk continues his conversation with experts in the field, who examine in depth the impact of IPv6 on the mainframe community.