Sunday, 16 August 2015

IPv6

IPv6

The new network standard was supposed to transform the internet: Steve Cassidy asks what’s going on with IPv6

I remember hearing that the arrival of IPv6 was going to be the new Y2K disaster. What happened? Did we all just sleep through it?

We did, and that’s what was always meant to happen. As with Y2K, the disaster predictions had the intended effect of making money available to help the transition go smoothly – to the extent that most of us haven’t even noticed it happening.


So is IPv6 running on our network right now?

Even if you’re not managing IPv6 traffic, you’re probably dealing with IPv6 activity from various sources. These might include operating systems with IPv6 baked in, internet companies that are using IPv6 internally – and not fully concealing the fact – and devices carried by your employees or visitors. For example, should you ever have someone from Microsoft come to present a preview of a new software product, at some stage they’re almost certain to say: “Hold on while I connect back to my desktop PC.” They’ll do that by running an IPv6 connection over your network.

I heard that using IPv6 meant hackers could directly access our devices! If it’s already running on our network, are we vulnerable?

Having IPv6 running on your network is fine: it’s unlikely your router or wireless access point will be configured to pass IPv6 traffic, or act as a 6to4 gateway device. It’s true that IPv6 allows every connected object to have a global public address, but it also supports private ranges as in IPv4. One real concern is the possibility of tunnelling IPv6 traffic over IPv4 packets, which makes it harder to detect trojans and viruses by logging internet activity. But the idea that hackers could directly probe every IPv6 client in the world doesn’t hold water.

Can we shut down IPv6 until we’re ready for a managed transition?

I’d say yes, but I’m yet to see a transition that can really be described as “managed”. The process of engaging with a new, unfamiliar network protocol always seems to involve an element of panic and pain. This argues for an experimental fiddle, rather than a huge undertaking, which is likely to cause more trouble than it avoids.

Do we need to insist on IPv6 expertise when we hire new support staff?

Insider staff don’t need to worry about arcana such as BGP or tunnel brokers. When hiring internally, it’s okay for a candidate to say “I don’t know”, because at the time of writing the industry has yet to agree upon an easily encapsulated best practice. In fact, at this stage it’s unlikely that past experience with IPv6 will actually help with the next project or incident that comes along, so expertise isn’t yet an absolute prerequisite. However, do talk to the support teams at your hosting, e-commerce, cloud or email platform providers: these guys need to understand the issues concerning access over an IPv6 connection.

Will we eventually need to turn off IPv4?

IPv4 – especially the private ranges – will be with us for a long time yet. And if you try to turn it off, you may actually make yourself more vulnerable: an IPv6-only network could be tricked into passing along rogue IPv4 traffic under the management of an unauthorised address-space server. So even when you think you have no further use for IPv4, I wouldn’t recommend turning it off altogether.

So what should be our IPv6 action plan for the next five years?

Experience suggests that the tipping point for IPv6 will come suddenly. So you should be preparing for a quick flip by evaluating the readiness of your services and equipment. Don’t go crazy: when it comes to dumb devices such as printers, the absence of IPv6 support needn’t be a deal-breaker, because bridging 6to4 will be a long-term need anyway. But do start thinking about investing in people as well as technology. It’s fine to budget for a high-end IPv6 firewall, but once you have it in place, who in your organisation will configure it – and confirm that it’s doing what you think it should be doing?