The ABCs of IPv6
IP version 6 is poised to revolutionize networking. Here's why you should care and what you need to do to get ready.
The odds are good that you're aware Microsoft will soon release new server and host operating systems that will come loaded with the Internet Protocol version 6 (IPv6) stack pre-installed and ready to rock on your network. Did you know that IPv6 will be the default-routed protocol, though? Unless you uninstall it from your new servers and hosts, your network will be moving to IPv6. If it fails, your hosts will revert back to IPv4.
Should you be welcoming a move to IPv6? After all, the current IPv4 protocol stack has been working pretty well. Tricks like network address translation (NAT) have taken care of the address exhaustion issue. Most systems do a good job assembling the resources needed for robust security, discovery and interoperation on these networks. Still, IPv6 has a lot to offer -- more, in fact, than you might realize.
Any enterprise that plans to do business in Asia (where IPv6 is nearly ubiquitous) or with the U.S. government should start using IPv6 right away. The Office of Management and Budget Agencies (OMB) has given U.S. government agencies until June 2008 to migrate their network backbones to IPv6 technology. Yes, that's backbones, not hosts. Many agencies are adopting IPv6 all the way to the desktop anyway. The Federal Aviation Administration (FAA) plans on moving its WANs to IPv6 by 2007 and all of its data centers to the new protocol by 2008. I won't even get started on the Department of Education, which will be running nothing but IPv6 within a few years.
All this government-mandated migration has big implications for IT managers. The OMB itself has budgeted $25.4 billion toward new IT expenditures (to start planning and implementation). There are also vast amounts of private industry deployments underway.
IPv4 isn't going to simply go away. IPv6 is expected to coexist with IPv4, which means administrators will have to manage both protocols for quite some time. Labor and training costs will constitute the majority of the dollars spent upgrading to IPv6.
What does all this mean? For one thing, it opens a whole new universe of opportunities for anyone working in IT, including IT training companies and IT instructors. It comes down to more work, more training and more effort over a long period of time.
If IPv6 is going to be so much work, will it be worth the payoff? The answer seems to be a resounding, "Yes." For one thing, there are security mechanisms built into IPv6 -- including IPsec -- that can go a long way toward hardening all your networks and systems. IPv6 also offers a super-smooth merging of voice, video and data on a single network with access through a single device. I really don't think a lot of people have made the connection of how fundamental IPv6 is to this convergence opportunity.
These upside arguments won't convince everyone. I've actually met people who told me they'd rather retire from network administration than work with IPv6. The common thread I see among these folks is that none of them grasp what a powerhouse IPv6 can be when it comes to making networks flow much more efficiently. All that is about to shift dramatically. The wind of change may only be a slight breeze today, but it will be a gale force in about a year!
One of the many benefits of IPv6 is that it will let you assign IP addresses to armies of mobile devices like cell phones, personal digital assistants and a bunch of other Internet-savvy toys we don't even know about yet. The group of devices we now call hosts will no longer just be PCs.
Another cool IPv6 feature is that it self-configures on every host by default. Many router manufacturers make IPv4 seem like it's plug-and-play by automatically setting up a NAT connection, but it really isn't. With IPv6 there's no more NAT. Instead, it uses a process called stateless auto-configuration (ACONF), which lets the host discover the network and configure itself appropriately.
Stateless ACONF can seriously help with network management. Just think about not having to worry about host addresses. Also, there are no more broadcasts, no more ARPing, and (for the most part) no more subnetting in IPv6.
Is this too good to be true? Perhaps. IPv6 is more complicated than IPv4. You'll need to master IPv6 addressing and look into IPv4 to IPv6 transition approaches, including the various tunneling techniques in IPv6 such as 6to4, 4to6, ISATAP and Teredo.
All About Addressing
Everyone knows that IPv6 expands the available address space compared to IPv4. What some folks may not grasp is the massive size of the new address space. The 32-bit addressing at our disposal in IPv4 provides more than 4 billion addresses. By contrast, IPv6 has 340,282,366,920,938,463,463,374,607,431,768,211,456 (that's 340 undecillion for those of you counting at home) possible IP addresses. We're talking about 3,911,873,538,269,506,102 available addresses for each square meter on the surface of the Earth.
Like IPv4, a good portion of IPv6 addresses are reserved. The result: You still end up with a big number -- about equal to the number of ants on the planet -- of addresses. Even if we were to start addressing all our appliances, stereos, TVs, cars and gizmos, and add to that the millions of devices we've yet to dream up, we'll have about 60 years before we run out of addresses again.
There are actually three types of IPv6 addresses, which provide a robust address scheme for efficient trafficking of one-to-one and one-to-many communications. The three different types of IPv6 addressing are:
- Unicast: Packets addressed to a unicast address are delivered to a single interface. For load balancing, multiple interfaces can use the same address.
- Multicast: Packets addressed to a multicast address are delivered to all interfaces identified by the multicast address -- same as in IPv4. These are also called one-to-many addresses. An IPv6 multicast address always starts with FF.
- Anycast: Identifies multiple interfaces, which is the same as multicast, but the anycast packet is only delivered to one address -- the first one it finds, as defined in terms of routing distance. These can be called one-to-one-of-many.
OK -- this is really important: IPv6 addresses identify interfaces, not nodes. A node is only identified by any unicast address assigned to one of its interfaces. And remember, there are no broadcasts in IPv6 like there are in IPv4 (i.e. 255.255.255.255). All types of IPv4 broadcast addressing are instead performed using multicast addresses in IPv6.
IPv4 hosts usually have only one IP address on an interface. IPv6 hosts will have multiple addresses assigned to each interface -- a minimum of three. One will be a link-local for local traffic on that link, one will be the global address for routing to other links, and then, of course, there's always a loopback interface. Finally, each interface is always listening for multicast IPv6 traffic. Don't worry -- I'll go over all these terms and define them for you in the next section.
Inside Unicast Addresses
Let me start by describing a few of the most important unicast addresses that IPv6 uses:
- Aggregatable Global Unicast Addresses. These are referred to just as global addresses and are the equivalent of a public IPv4 address. They're both routable and reachable on the IPv6 Internet. These addresses are designed to facilitate a more efficient, hierarchical addressing and routing infrastructure than what we have now in IPv4.
- Link-Local Addresses. These are used by nodes when they want to communicate with other nodes on the same local network -- called a link with IPv6. Used between on-link neighbors, these addresses are required for the neighbor discovery process. Link-local addresses are automatically configured on each node, and a router will never forward link-local traffic beyond that link. You can identify a link-local address because it always begins with FE80::
- Site-Local Addresses. These addresses are equivalent to the private space we use with IPv4, e.g. 10.0.0.0, 172.16-31.0.0 and 192.168.0.0. Because IPv6 doesn't use NAT, the site-local addresses are used between nodes when communicating with other nodes in the same organization. These are not automatically assigned like link-local addresses. You can easily spot a site-local address because it always starts with FEC0::
- Loopback Address. The loopback address is used to test the IP stack on a host, same as in IPv4. In IPv6 the address is ::1. To test your IPv6 stack, just ping ::1.
Now let's take a look at some IPv6 addresses and how they're defined.
The IPv6 Address Syntax
One of the toughest IPv6 concepts is address syntax. Not only are IPv6 addresses long, they're rendered in hexadecimal instead of the dotted-decimal format used in IPv4. It definitely takes a little getting used to this syntax. The IPv6 128-bit address is divided along 16-bit boundaries, and each 16-bit block is converted to a four-digit hexadecimal number separated by colons. (Say that after a couple of beers.)
A sample Global unicast IPv6 address could easily look like this:
To simplify this monster, just compress the zeros in the address to make it easier to read. Here's how doing that looks:
It's still kind of big and scary-looking, but the compression trick takes the edge off a bit.
Here's how a link-local IPv6 address might look:
And in a compressed format:
We can compress them even more. If an address has a long sequence of zeros, a contiguous sequence of 16-bit blocks set to 0 can be written in colon hex format as :: (known as a double colon).
Here's an example of a link-local address using a double colon:
Even better, an already compressed multicast address of FF02:0:0:0:0:0:0:2 can be compressed further to:
Now here's the best part: There are no subnet masks with IPv6 addresses. IPv6 uses only the prefix notation like CIDR does in IPv4. The typical masks are /48, which defines a route prefix, and /64, which is a subnet and host prefix. You do need to understand that IPv6 prefixes can be any size, and know that any prefix less than /64 is a route or summary range.
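The shortening rules and the identifying prefixes described above can be checked in code. The following Python is an added example, not part of the original article: it applies the two compression steps by hand, classifies an address by the prefixes the article names, and compares addresses by value, which matters whenever addresses are matched in logs or access lists. The sample addresses are constructed, and the function names are this example's own.

```python
import ipaddress

# Prefixes the article names, checked in order (table constructed for this example).
KINDS = [
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("site-local", ipaddress.IPv6Network("fec0::/10")),
]

def compress(addr: str) -> str:
    """Shorten a full eight-block address by hand: leading zeros, then '::'."""
    blocks = [format(int(b, 16), "x") for b in addr.split(":")]
    if len(blocks) != 8:
        raise ValueError("expected eight 16-bit blocks")
    # Locate the longest run of all-zero blocks; the leftmost run wins a tie.
    best_start, best_len, i = 0, 0, 0
    while i < 8:
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    if best_len < 2:  # a lone zero block is written "0", not "::"
        return ":".join(blocks)
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return f"{head}::{tail}"

def kind(addr: str) -> str:
    """Classify an address by the leading bits described in the article."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in KINDS:
        if ip in net:
            return name
    return "global or other unicast"

def same_address(a: str, b: str) -> bool:
    """Compare by 128-bit value, never by text: one address has many spellings."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)

# Constructed samples; 2001:db8::/32 is the documentation prefix.
SAMPLES = ["FF02:0:0:0:0:0:0:2", "FE80:0000:0000:0000:0202:B3FF:FE1E:8329",
           "2001:0DB8:0000:0001:0000:0000:0000:0001", "0:0:0:0:0:0:0:1"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:42} -> {compress(s):28} {kind(s)}")
```

Because one address can be written many ways, filters and log searches that compare address strings should normalize both sides first, as `same_address` does.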
EUI-64 Address-Based Identifiers
An IPv6 address prefix is used for stateless autoconfiguration -- meaning no DHCP server is required on an Ethernet or any type of LAN interface. The prefix must have a length of 64 bits.
Of the 128 bits in an IPv6 address, the first 64 contain the network address(es) and the last 64 bits represent the host ID. The host ID, when using stateless autoconfiguration, is really just a combination of the original 48-bit MAC address and 16 more bits (for a total of 64). It's called an Extended Unique Identifier (EUI)-64 and it's the last 64 bits of the 128-bit IPv6 address.
Figure 1. The enlarged IPv6 address syntax enables stateless autoconfiguration of devices.
Because IEEE 802 hardware (MAC) addresses are only 48 bits long, the hex characters 0xFF-FE are added as the fourth and fifth octets (after the Organizationally Unique Identifier [OUI]). For example, a host with the MAC address of 00-90-96-A4-3F-07 would look like this:
How to Prepare for an IPv6 Transition
Government agencies are busy analyzing what it will cost to comply with OMB's requirement to have both IPv6 and IPv4 on their networks. It's probably a good idea for you to start thinking along those same lines.
Because IPv4 is not expected to disappear anytime soon, you should have three basic goals:
- A dual stack, running both versions 4 and 6 of the protocols on the network (this will happen automatically, like 10/100 Ethernet did).
- Tunneling, in which packets from one IP version are encapsulated in the other. This happens automatically on the hosts, but not on your routers, so you'll have to do a little internetworking redesign.
- Address translation, which makes IPv4 packets readable to IPv6 networks and vice versa. Again, the hosts can handle this, no problem. This is totally a routing issue.
Keep in mind that tunneling is probably a good transition method because many software vendors won't be "IPv6 only" compatible for three or four years -- maybe longer.
Figure 2. Tunneling encapsulates IPv6 packets inside IPv4 headers, making them readable by legacy networks.
Paving the Way for IPv6
Setting up an effective bridge plan between IPv4 and IPv6 will not get you off the hook permanently. If you're a large corporation, you need to start your planning now. Form a team to review asset management and explore how IPv6 might come into play. By considering the ramifications of IPv6 on your infrastructure, you'll define exactly what you'll need to include in your next purchase order.
Here are a few things to keep in mind as you start considering a migration:
- Create committees or groups to design an IPv6-savvy network and get word out to your executives.
- Create a hierarchy with rules and responsibilities for members in the group.
- Determine your committee's goals and try to create fictitious IPv6 business scenarios that will let you analyze costs and determine how a migration can help meet those goals.
- Develop a complete application inventory to enable discussion of migration strategy, and make application developers aware of your plans.
- Make sure at least one member of the group is from the security side of your organization.
- Focus your team on enabling a seamless transition -- users should not have to worry about the migration of routed protocols on the network.
- Understand that the types of hosts running on your network or Internet are irrelevant. Whether Unix, Linux or Mac, all devices (nodes) that run IPv4 will now run IPv6.
Be careful to avoid some of the most common -- and dangerous -- pitfalls of this kind of network migration. In the months and years to come, too many large companies and government agencies will find themselves struggling with intractable shortfalls and delays as they try to muddle through what can be a complex undertaking.
IPv6 has been stitched into Windows Vista and Longhorn Server whether you like it or not. You cannot completely uninstall it, but you can disable IPv6 in Windows by doing the following:
- Open the Connections and Adapters folder and go to the Properties dialog box for each of the connections and adapters listed there (simply right-click the item and click Properties from the context menu).
- Clear the check box next to the Internet Protocol version 6 (TCP/IPv6) component in the list under: "This connection uses the following items." Doing this will disable IPv6 on your LAN interfaces and connections, but it won't disable IPv6 on any tunnel interfaces or the IPv6 loopback interface.
- To further root out IPv6 functionality, you need to go to each and every machine and add the following registry value (DWORD type) set to:
Now IPv6 will be disabled on all LAN interfaces, connections and tunnel interfaces, but not on the IPv6 loopback interface.
It may be a whole lot easier to just leave IPv6 alone on each device. -- T.L.
As with any deployment, it's important to spread the knowledge. Make sure executives know what's up. Do not delay your deliverables and milestones, unless you enjoy working in catch-up mode. Finally, give your IPv6 migration your full attention. This isn't some service pack release -- it's a fundamental change to your infrastructure. What's more, moving to IPv6 is a rare opportunity to re-architect your existing network. So take full advantage and look into ways you might upgrade or restructure your network while you plan the IPv6 roll out.
You can run from IPv6, but you can't hide forever. I hope you now understand that IPv6 can and will be your friend -- it's not the scary monster about which you've heard. By collecting data on your networked applications, you can be prepared for the IPv6 wave headed to your network soon.
Finally, if you plan on taking any new Microsoft or Cisco exams, you better know your IPv6. Both companies are determined to make sure you can work with IPv6 before they will certify you on their new products. If that's not reason enough to master IPv6, I don't know what is.