Ready or not, IPv6 is coming
Google attempts to avert interweb end-of-days scenario
The widespread use of network address translation (NAT) has delayed to need to step-up to the more advanced technology. However although NAT works well for client-server internet applications, its use gets in the way of the deployment of applications and services where every device needs a unique IP address.
Even so, industry experts expect IPv4 address resources to run out by 2012. Japanese internet firm Intec NetCore has even written a web app that shows an IPv4 exhaustion counter. With 480m IPv4 addresses left, Intec NetCore reckons there's 788 days left till "X-Day" when the available addresses finally run out.
As well as tackling the long-predicted number shortage, IPv6 brings other advantages, including simplifying routing aggregation and address auto configuration. The protocol also brings integrated encryption and mobility benefits absent from IPv4.
Support for the protocol has gradually been introduced in operating systems and in networking hardware. For example, Cisco added IPv6 support on Cisco IOS and switches in 2001. Apple Mac OS X has supported IPv6 since 2006, with built-in support by Windows following the introduction of Windows Vista.
It's in areas such as switching and routing that IPv6 brings the greatest potential upheaval. ISPs and enterprises need to change their network architecture in preparation for the wider use of the protocol.
"Operating systems have supported both IPv6 and IPv4 for a good number of years with a dual stack, so you don't have to upgrade everything," explained Melvyn Wray, senior VP of product marketing at networking equipment firm Allied Telesis. "It's with layer 3 switches or routers and the WAN that you have problem."
While three or fours years ago IPv6 technology might have been considered "esoteric", the technology has become more important as the world runs out of IPv4 addresses. Wray argued that Asia was feeling the pinch earlier than the West. Simply adding more NAT kit is no solution to the problem, he argued.
"They are already running six or seven layers deep on NAT on some Asian networks. They will run out of addresses entirely in 12-18 months. It's not anything like as bad a problem in the West, although the increased use of Blackberries and iPhones is creating an extra demand for addresses.
"It's not just the addressing scheme. IPv6 offers more efficient routing and better security the IPv4," Wray told El Reg.
Adoption of the technology also changes the security landscape.
"Contrary to popular belief, I believe IPv6 is alive and well in certain small pockets of China and Japan, where it's actually pretty useful for them to effectively run a separate Asian internet space alongside the existing [western] one," Mark Sunner, an independent security consultant, told El Reg.
"The bigger question however is when will it get all the way down to western desktops, and this will take probably something as long as a decade, because that's just how long it will take to retire/expire all the legacy kit that's out there."
Sunner said that even though IPv6 might take years to be fully implemented, its incorporation in operating system stacks makes it an issue for penetration testers even now.
"It is widely accepted that IPv6 is always an eon away. Nobody actually cares about it - but they should; because it ships as standard in all the new versions of Vista, OS X, Ubuntu etc. and is often active," Sunner explained.
"This means that whilst you may not be able to browse the web via IPv6 any time soon, the person sat nearby in your office may be taking a look at your file system - courtesy of IPv6 - via tools that exist right now," he added.
A paper on penetration testing and IPv6, by H D Moore of Metasploit fame, can be found here. ®
Sponsored: Are DLP and DTP still an issue?