Feeds

Adventures in Tech: Taking the plunge into IPv6

Our intrepid reporter does it, but you'll still have to

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Part 1 The threat from the fast-dwindling supply of mainstream "IPv4" Internet addresses for new users is a bit like Y2K creeping up on us all over again. Almost no one can see beyond the cost of code review, systems change, hardware upgrades and general upheaval into the brave fairly-old world of IPv6 - but putting it off forever isn't really an option either. And like Y2K, if it's handled well, no one will ever notice or thank us "IT professionals" for it: we'll be accused of make-work, scare-mongering and overcharging. What's not to like?

Ultimately IPv6 will do away with the much of the annoyance of NATing, dynamic IP addresses, address rationing, etc, and should make for more efficient and cheaper communications. IPv6 support may soon be necessary to be reachable at all by some users.

IPv6 (or IPng: Next Generation) has been the future of the Internet for a decade and a half, so why the hesitation to get with the programme? It's probably a case of "if it ain't broken" and Y2K backlash, but the existing IPv4 address scheme is now broken and Y2K wasn't a figment of the imagination (I fixed a lot of finance-related bugs around then, trust me).

Anecdotally it seems relatively safe, for example, to implement dual-stack (ie with both IPv4 and IPv6 address) Web sites immediately. See the "heise online" IPv6 experience which was largely positive.

"The small number of flaws was so encouraging that heise online decided to adopt dual-stack for production use as soon as possible ... [users] do occasionally report problems. The majority of these continue to revolve around the flawed IPv6 implementations in Mac OS X, iOS and in the firmware of AirPort base stations. But the number of cases is far smaller than previously feared. Overall, heise online considers the switch a complete success, and would recommend it to any similar site."

8th June this year was "World IPv6 Day" http://www.worldipv6day.org/faq/ which was a global test of the new world order. It mainly worked, and almost no one noticed. In particular, bringing up IPv6 support didn't in practice hurt IPv4 users much or at all.

And just failing to plan for IPv6 at all doesn't just lose traffic and potential customers. It may also undermine your security too. You'd better plan those IPv6 security policies, keep an eye on rogue 6-in-4 tunnels (failing to upgrade your external links doesn't necessarily stop IPv6 getting in and out), and work to minimise the attack surface of already-IPv6-capable services and applications in house.

netalyzr

Netalyzr poised to start looking at my Internets

PREREQUISITES

Let's put aside for the moment the matter of whether you're going to upgrade your client or app or server to support IPv6, what would need consideration if you did?

  • Does your host/connection/routing even support IPv6 yet? And don't forget to include your connection, your servers' and your customers'/users' too.
  • Do your routers, bridges and switches support IPv6?
  • Does your DNS service support IPv6 (eg AAAA records, RFC3596) yet?
  • Will your WiFi / IP phone / hot-desk systems work with IPv6?
  • What parts of your code/system/logging are likely to break or otherwise need TLC?
  • Are you intending to run dual-stack (ie both IPv6 and IPv4) from any/all hosts (servers, workstations, phones, gadgets)?
  • How will you deal with IPv6 tunnelling, planned and rogue?
  • How will your performance monitoring and user-tracking tools cope? (For example, do you track approximate user location by IPv4 address prefix?)
  • Will your anti-DoS/anti-abuse mechanisms based on client address work?
  • Have you the expertise to craft watertight IPv6 firewall rules, especially if you no longer use NAT and the protection it provides to internal machines as a side-effect?
  • Since one way that hosts can create their own IPv6 addresses is to use their Ethernet MAC address, have you thought about the information leak that this represents, eg for road-warrior mobile users?

Internet Security Threat Report 2014

More from The Register

next story
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
NASA launches new climate model at SC14
75 days of supercomputing later ...
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
You think the CLOUD's insecure? It's BETTER than UK.GOV's DATA CENTRES
We don't even know where some of them ARE – Maude
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Stop the IoT revolution! We need to figure out packet sizes first
Researchers test 802.15.4 and find we know nuh-think! about large scale sensor network ops
DEATH by COMMENTS: WordPress XSS vuln is BIGGEST for YEARS
Trio of XSS turns attackers into admins
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?