IPv6 and a Failure to Communicate

As the supply of IPv4 addresses dwindles, institutions that fail to plan a transition to IPv6 face the possibility that their systems will be unable to communicate with others.

In April, Asia officially ran out of Internet Protocol (IP) version 4 addresses--the computer equivalent of running out of telephone numbers. Over the next couple of years, the rest of the world will also run dry. Yet, unlike the Y2K bug that had some people convinced the sky would fall, this particular problem is generating little more than tired shrugs from IT folks.

IPv4, whose addresses have 32 bits, is being replaced by a new protocol, IPv6, whose addresses are 128 bits long. While the transition to IPv6 will definitely inflict its share of problems and annoyances, the depletion of IPv4 addresses is not immediately threatening to most colleges and universities, many of which still have large pools of IPv4 addresses. Unlike the Y2K bug with its threat of a midnight meltdown, this is a problem that most IT administrators feel can be tackled gradually.

Indeed, many institutions, especially smaller schools, are just starting to plan for the transition--or are planning to plan for it.

But the issue facing IT departments is not that they will run out of IP addresses. Instead, they must confront two other, related challenges: ensuring that IPv4 addresses can communicate with IPv6 addresses during the drawn-out transition period; and tackling the inevitable security issues that come with the implementation of any new protocol. No one's quite sure what the future will hold on that front.

Bridging the Gap
"We're not running out of addresses; we don't need IPv6 to replace addresses that we don't have," confirms Vince Stoffer, network security administrator at Reed College (OR), which hopes to roll out a transition road map over the next year or so. "We’re looking at it more as a need to communicate with the rest of the world that might be exclusively using IPv6. We'll soon be to the point where people in Asia or other parts of the world can only connect with IPv6. If we're not offering IPv6 services, they're not going to be able to view our campus web page or communicate with us using certain types of services," such as Skype

It is fear of this communication breakdown that is likely to drive the transition efforts of many institutions, agrees Tim Winters, senior IT manager in charge of the IPv6 Consortium at the University of New Hampshire InterOperability Laboratory (UNH IOL). "Someday there will be users in the network who are v6 only," he notes. "And that's when you're going to see universities start to make e-mail and websites accessible over v6.

Winters, who has been studying IPv6 since 1998, when it was just a theory, has seen the tide turn toward acceptance of the new protocol. Previously, before the IPv4 allocations began to run out, network administrators developed techniques or new technologies to extend IPv4. In Winters' experience, though, such workarounds often cause additional problems.

Now the focus is shifting to two solutions that will allow IPv4 and IPv6 devices to communicate with one another: dual-stacking and tunneling. Dual-stacking refers to the side-by-side implementation of both IPv4 and IPv6 protocols in a single environment, so devices can connect to either type. Tunneling, on the other hand, refers to carrying encapsulated IPv6 packets over IPv4 networks. Tunneling may be an attractive option for IT shops that don't have the expertise to implement a dual-stacking solution.

Security Alert
Security concerns among IT shops are another of the reasons why institutions have been slow to adopt IPv6. Many security devices carry a sticker of IPv6 readiness, but in fact do little more than read the IPv6 traffic. On closer inspection, firewalls don't block the traffic the way they do in IPv4, and corollaries for IPv4 intrusion-detection rules don't exist yet for IPv6.

The federal government is taking the lead on the security front. USGv6, a program that falls under the auspices of the National Institute of Standards and Technology, was tasked with establishing the technical infrastructure to support IPv6 adoption by government agencies. Working in conjunction with UNH IOL, USGv6 documented security policies for new IPv6-capable security devices. The lab used this profile to create testing for the devices, including hosts, routers, and firewalls. Today, a list of products certified according to the profile requirements is a reference for government purchasers (w3.antd.nist.gov/usgv6/testing.html). This is the first step toward anticipating the kinds of security breaches that are likely to occur with IPv6.  

Nevertheless, says Winters, "there will be new attacks for v6. I don’t think we’ll find out the issues until we really start to deploy IPv6. Then we’ll find out, 'yeah, this is a problem,' and we’re going to have to find a way to stop it. This is no different from v4. People are always finding new security holes. It’s a similar model."

New Equipment
Regardless of how worried colleges and universities are by IPv6's potential security flaws, the reality is that IPv6 adoption isn't optional. IPv6 will be the new standard, and an institution's purchasing policies should reflect this.

"The key is to ask if something supports v6," Winters says. "You don’t want to buy something today that won't be supporting it, or doesn't have a road map to do it, because then you're going to have to replace it again."

Operating systems will be IPv6 ready, he says, but peripheral devices like printers and data storage might not be.

Stoffer agrees. "If I were spending a bunch of money on a new device, I would really be following up, saying, 'Tell me about your road map for v6 and how it works on this piece of hardware and how that's going to change over the next couple of years,'" he says. In the meantime, he monitors IPv6 newsgroups and discussions to stay on top of developments, with the expectation that IPv6 readiness will be a major criterion for future IT investments.

Fortunately, given the gradual nature of the move to IPv6, many schools can transition to IPv6-ready equipment as they upgrade their networks over the coming years.

Bug Bash
While many higher ed institutions may be a little late to the party, the transition to IPv6 is definitely getting traction elsewhere. On June 8, the Internet Society (ISOC) will host World IPv6 Day, a worldwide IPv6 bug bash with participants such as Google, Yahoo, and Facebook offering their content over IPv6 for at least 24 hours.

In addition to testing the IPv6 readiness of these organizations, ISOC intends for World IPv6 Day to raise awareness and help ease the transition to the new protocol. At the very least, events like World IPv6 Day offer a glimpse of IPv6 as it currently stands in the slow, steady march away from IPv4.  

Featured