IPv6 networking: Bad news for small biz
You may not get fired for buying Cisco, but you can go bust
Sysadmin blog IPv6 is traditionally a networking topic. Yet IPv6 is as much a business consideration as it is a technical one. As world IPv6 day rolls around again, we're going to see an ever-increasing amount of technical IPv6 coverage. Before we do, I think a business interjection is warranted.
IPv6 was neither designed for small biz nor consumers. IPv6 was designed by big-ticket network engineers bearing global infrastructure and enormous enterprise networks in mind. Learned gentlemen who live in a world where buying IBM and connecting it with Cisco never got anyone fired.
High atop this lofty tower of big data and even bigger budgets, RFC after RFC was submitted, debated, refined, revised and eventually implemented in the code we see in our operating systems today. Problems faced by enterprise networks needed solving, and IPv6 evolved into an excellent solution.
But nobody worried about the little guy. There are a lot more of us small and medium enterprises than big heavies. With IPv4 allocations gone we're facing having to adopt a protocol with some significant flaws [PDF]. Well, flaws for normal people; they're pretty much irrelevant if you have a big enough budget.
The elephant in the room is renumbering. In the IPv4 world, you have one internet addressable IP address and the rest of your network lives in a non-routable space. Your internal network is on the other end of a NAT firewall, subnetted and organized into something that makes sense for the local sysadmins. If you need to change your internet service provider for any reason, that's perfectly okay. Your external address changes, a few firewall rules are changed and life moves on. If you need to reorganize your address space internally, no problem! You execute the change, and the outside world is none the wiser. Simple, easy and convenient.
In an IPv6 world, this is a no-no. There is no NAT; it was deemed heretical by the priestly caste of network engineers running the holy church of the IETF. Blasphemers are chastened and belittled. So what are our options?
The official answer is a combo deal. You must accept that renumbering is the new order. If you change ISPs and your assigned block changes then you must have every single computer, switch, router, printer, and network-attached doodad change with it.
No more static addresses*, not even for servers. Everything should be configured by DHCP or stateless autoconfiguration. Whereas in an IPv4 world you created firewall rules for servers (and the applications they ran) by IP, in an IPv6 world your firewall will still work because all your systems should have proper fully qualified domain names.
The domain name assignation will "just work" because it will be tied into the DHCP and into a proper, full-blown asset management system. You will record all your MAC addresses for all your servers correctly, and assign them to the right profile. All of this will work together flawlessly, human error somehow won't happen, and the market will create solutions that are easy to use.
Sure it will. It's been 13 years since the original RFC for IPv6 was published, and there is a marked dearth of usable SME or consumer gear that pulls off all of this majesty and wonder.
Right about now, an interjection typically begins "but the Cisco…" and I have to stop everyone right there. If your argument includes the words Cisco or Juniper, we're not talking about the same market.
The budgets available for the IT space I am talking about differ by an order of magnitude. Despite this, we somehow manage to provide uptimes no worse than the big guys and still manage redundancy. At least we do in an IPv4 world.
This leads into the other major issue with IPv6: the inability to do multihoming. In an IPv4 world this is simple and cheap. The IPv6 solution is "get a carrier-independent address assignment and do proper routing".
And I'd like to be the King of all Londinium and wear a shiny hat.
Meanwhile on planet Earth
These folks obviously know nothing about life on the frugal edge. Consumer-grade ISP connections simply don't allow for that sort of thing. Even if you have the cash for your ISP's so-called business-class package, they'll still give you the stink eye the instant you start talking about such tomfoolery.
From a purely technical perspective, is the suggestion on the table really that three-person companies seeking ISP redundancy start doing BGP? That is the single craziest thing I have ever heard.
There are other issues, and the necessary solution is finally getting some attention. Even the IETF has (with great protest) recognized the need for NAT in IPv6. It's called Network Prefix Translation (NPT) now; more traditional NAT implementations having been introduced and shot down already.
Right about here, a network priest is bound to butt in with many and varied horror stories, invariably coming back to "it breaks the holy end-to-end-model whose restoration is of paramount importance".
This is where the business side of the equation is important. IPv6 NAT is here, today. Implementations exist in the real world. It is cheap, simple, and makes nearly all of the IPv6 problems that SMEs and consumers have simply go away. The few remaining bugs with it are being worked out.
In 13 years, the alternatives put on the table have boiled down to "spend more than you have available". Worse, the rationale typically presented simply doesn't matter to the people buying and implementing IT equipment in the SME and consumer space.
The chance for the priestly caste of network engineers to reshape the world has passed. A laser focus on the technical came at the cost of any focus whatsoever on the practical. In the end, the high priests of the internet simply didn't give the fuzzy wuzzies reason enough to believe.
NPT is a 1:1 form of NAT. You can assign computers behind the firewall addresses according to whatever schema makes the most sense to you. You can use the firewall to map them 1:1 to an external block. So your server on the internal IP fd05:936e:4ab8::0024 can map directly to an external IP such as 2001:cdba:3257:9652::0024.
When you change ISPs you simply change the prefix configuration in the firewall without having to redo all of the rules, and without having to readdress a single network device. fd05:936e:4ab8::0024 now maps to 2001:556e:3311:abfc::0024, and Bob's your uncle.
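To make the renumbering argument concrete, here is an added example (my code, not the author's and not any firewall vendor's) that models the 1:1 mapping in the footnote above. It keeps the page's constructed addresses: the ULA block fd05:936e:4ab8::/64 on the inside, and the two ISP blocks 2001:cdba:3257:9652::/64 and 2001:556e:3311:abfc::/64 on the outside. `naive_swap` is the plain prefix substitution the footnote illustrates; `nptv6` is my reading of the IETF's own NPTv6 (RFC 6296), which additionally rewrites one 16-bit word so that TCP/UDP checksums computed over the internal address stay valid after translation, meaning the external address is not quite a verbatim copy of the internal one. The firewall rule table, the prefix lengths being multiples of 16, and the normalisation of a 0xFFFF result to 0x0000 are assumptions of this example. What it shows is the business point: when the ISP changes, the only thing that changes is the external prefix string, while every rule and every host address stays put.

```python
import ipaddress

# Constructed example values, taken from the footnote: an internal ULA block and one server in it.
INTERNAL = "fd05:936e:4ab8::/64"
SERVER = "fd05:936e:4ab8::24"

# Constructed firewall policy. Rules reference *internal* addresses only,
# so they never need touching when the external prefix changes.
FIREWALL_RULES = [
    {"allow": "tcp/443", "to": SERVER},
    {"allow": "tcp/22", "to": "fd05:936e:4ab8::31"},
]


def _words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def _ones_sum(words):
    """One's complement sum of 16-bit words: the arithmetic TCP/UDP checksums use."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return total


def naive_swap(addr, src_prefix, dst_prefix):
    """1:1 prefix substitution exactly as the footnote describes: replace the
    prefix bits, keep every remaining bit of the address unchanged."""
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    address = ipaddress.IPv6Address(addr)
    if address not in src:
        raise ValueError(f"{address} is not inside {src}")
    host_bits = 128 - src.prefixlen
    host_part = int(address) & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(dst.network_address) | host_part)


def nptv6(addr, src_prefix, dst_prefix):
    """Checksum-neutral prefix translation, my reading of RFC 6296 (assumption).
    Stateless and symmetric: call with (internal, external) for outbound packets
    and (external, internal) for inbound ones. Only prefix lengths that are
    multiples of 16 are handled here (assumption made to keep the example short)."""
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen % 16 or src.prefixlen > 64:
        raise ValueError("example supports /16, /32, /48 and /64 prefixes only")
    words = _words(naive_swap(addr, src, dst))
    n = src.prefixlen // 16
    # Difference of the two prefix sums (src - dst) in one's complement arithmetic.
    src_sum = _ones_sum(_words(src.network_address)[:n])
    dst_sum = _ones_sum(_words(dst.network_address)[:n])
    adjustment = _ones_sum([src_sum, (~dst_sum) & 0xFFFF])
    if src.prefixlen <= 48:
        idx = 3                                   # the subnet word is the one adjusted
    else:
        idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("interface identifier is all 0xFFFF; not translatable")
    words[idx] = _ones_sum([words[idx], adjustment])
    if words[idx] == 0xFFFF:                      # both 0x0000 and 0xFFFF are "zero"; pick one
        words[idx] = 0x0000
    return _from_words(words)


def publish(external_prefix, rules=FIREWALL_RULES, translator=naive_swap):
    """The whole cost of a renumbering: recompute the external view of the
    unchanged internal rule table for a new external prefix."""
    return {r["allow"]: str(translator(r["to"], INTERNAL, external_prefix)) for r in rules}


if __name__ == "__main__":
    for isp in ("2001:cdba:3257:9652::/64", "2001:556e:3311:abfc::/64"):
        print(isp, "plain swap:", publish(isp))
        print(isp, "RFC 6296: ", publish(isp, translator=nptv6))
```

Running it prints the two external views of the same internal rule table, one per ISP prefix; the RFC 6296 variant shows one extra word in the interface identifier, which is the checksum compensation. Inbound translation is the same function with the prefixes swapped, and it restores the original internal address.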
Updated to add
* This does not mean that static addressing under IPv6 is not possible; it certainly is, and nearly every IPv6 implementation supports it. It is however a terrible idea if there is even a remote possibility that renumbering will need to occur, as it would require manually readdressing each statically addressed interface on each system. This contrasts with the configurability that a 1:1 NAT offers, wherein static addressing is made feasible even in the face of renumbering.