07 July 2010
The IPv6 odyssey
You need to deploy a hundred mobile devices for your sales force across the country in order to meet immediate business needs. This team needs to be connected to the company's central ERP and share data on a real-time basis for analytics. While configuring these devices, you find that the IP addresses you need have run out. You want to fall back on Network Address Translation (NAT) and Port Address Translation (PAT), which were developed as solutions to the diminishing number of available IP addresses — unfortunately they are exhausted as well.
What do you do?
Experts say that Internet Protocol version 4 (IPv4) addresses are scarce and that, at current consumption rates, the Internet Assigned Numbers Authority (IANA) pool of free IPv4 addresses will vanish at the start of 2011.
“This starts a ‘Post IPv4 world’ where the IPv4 Internet continues to function as before (certainly initially), but obtaining new addresses becomes harder and expensive. This inhibits expansion of existing firms, and new entrants to the market,” says Andy Davidson, Technical Director at NetSumo, in his personal blog. NetSumo provides a wide range of services for ISPs and SME businesses.
The new path
Recently, the American Registry for Internet Numbers (ARIN) announced that IPv4 addresses would be history by 2012. Several years ago, it was estimated that addresses would be gone by 2020 or 2025. About two years ago, that estimate changed to 2017, and now 2011 or 2012 seems the more likely date for the address stock to run out.
“To eliminate such a pitfall, it is better that enterprises get moving steadily in the migration from the currently used IPv4 to Internet Protocol version 6 (IPv6) with a larger address-space that contains addressing (information) to route packets for the next generation Internet. In the next three to four years, a majority of enterprises would have migrated if they start now,” says Prem Nithin, Senior Technical Consultant, Cisco India and SAARC.
IPv4 provides 32 bits of address space while IPv6 offers 128 bits of address space with almost limitless addresses (340 trillion as per industry estimates). This allows permanent, unique addresses to be provisioned for all the individuals and hardware connected to the Internet. Moreover, the extended address length eliminates the need to use techniques such as NAT to avoid running out of the available addresses.
NAT and PAT allow a company or user to share assigned IP addresses among several private addresses. Using techniques such as classless interdomain routing (CIDR) has also extended the life of IPv4 and so has temporary-use allocations using Dynamic Host Configuration Protocol (DHCP).
These methods help preserve address space and anonymity, but at the same time they hinder peer-to-peer collaboration through shared applications. The future IP version allows for the restoration of a true end-to-end model, where hosts can connect to each other unobstructed and with greater flexibility, security and quality of service, which are not always readily available throughout a NAT-based network.
Many in the industry opine and agree that enterprises must start supporting connections to and from IPv6 networks by 2011, at least at the gateway. As per reports, IPv6 is arriving in Europe and Asia, mainly in emerging technology hot spots that lack IPv4 and other legacy networks. It’s also coming to mobile networks because they depend on rapid, reliable connections.
According to Gartner analysts, Asian countries are ahead in the adoption of IPv6 because they were late to the IPv4 party, have large populations that need the address space, and expect to use Asian rather than Roman characters in domain names.
IPv6 activities in Japan, China, South Korea and more recently, India are now the subject of competitive interest for Western countries. A majority of network equipment vendors operating in the APAC region have taken the initiative of communicating that the products sold are IPv6-compliant.
In the US, many enterprises are looking at the government mandate to deploy IPv6. The US federal government had mandated that the network backbones of all federal agencies must be IPv6 “capable” by June 2008. The mandate failed to gain momentum as the current IPv4 is still able to serve the expanding requirements of the market.
However, major announcements by Sprint and Verizon to implement IPv6 will generate some interest in their customer base and the Internet community in general. Even Google has started work on moving to the new version and has launched an IPv6-supported site to prepare for IPv6 connectivity (See: IPv6 at Google).
Apart from taking care of the address crunch to support more than a billion mobile phones, Personal Digital Assistants (PDAs), and other wireless devices that require Internet access, IPv6 also promises interruption-free connections, improved security, and easier address management than its predecessor.
On the address management front, the address auto-configuration feature built into IPv6 supports intranet-wide address management, enabling a large number of IP hosts to easily discover the network and get new and globally unique IPv6 addresses associated with their location. The auto-configuration feature brings “plug-and-play” Internet deployment of devices such as cell phones and PDAs and makes it possible for them to connect with network devices without manual configuration and without the need for DHCP servers.
Ensuring a safe passage
One major appeal of IPv6 is that it is supposed to be more secure than IPv4, because IPSec is built-in while in IPv4 it is optional. It can be enabled in every IPv6 node, making networks more secure. IPv6 provides security extension headers for easier implementation of encryption, authentication, and virtual private networks (VPNs). With unique addresses and security, IPv6 can provide end-to-end security services, such as access control, confidentiality, and data integrity without the need for additional firewalls.
However, the security benefits of IPv6 can only be achieved if partners, clients, and other connecting parties also use IPv6. In addition, many organisations that rely on NAT for security and privacy will need to thoroughly consider access controls to ensure that moving away from NAT doesn’t create new security problems.
Security experts opine that while considering the migration to IPv6, enterprises should review the security infrastructure and ensure that the access control lists in the network and the firewall cover IPv6 transport traffic.
According to Securify, a US-based provider of identity-based monitoring solutions, many enterprises have delayed their migration plans due to lack of necessary IPv6 compliant security devices.
One such security risk is the self-propagating nature of IPv6, where communication can occur with little configuration and without intent or oversight. Automatic tunnels that bypass controls and rogue routing can contribute to this likelihood. Network administrators must have the ability to detect when tunnels are used, as well as which actual connections, routes and destinations occur.
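The sketch below is an added example, not part of the original article, showing one way a monitoring script can flag automatic tunnels in flow records. It assumes a hypothetical flow-record layout (dicts with `ip_version`, `src`, `dst`, `proto`, `sport`, `dport`) and checks for the well-known markers of 6to4, ISATAP and Teredo, mechanisms the article does not name individually.

```python
import ipaddress

# Well-known markers of automatic IPv6-over-IPv4 tunnels.
PROTO_41 = 41                 # IPv4 protocol 41: 6in4, 6to4, ISATAP
UDP, TEREDO_PORT = 17, 3544   # Teredo runs over UDP 3544 (RFC 4380)
NET_6TO4 = ipaddress.ip_network("2002::/16")    # RFC 3056
NET_TEREDO = ipaddress.ip_network("2001::/32")  # RFC 4380

def classify_flow(flow):
    """Return the tunnel indicators found in one flow record (a dict)."""
    hits = []
    if flow["ip_version"] == 4:
        if flow["proto"] == PROTO_41:
            hits.append("proto41-encapsulation")
        elif flow["proto"] == UDP and TEREDO_PORT in (flow["sport"], flow["dport"]):
            hits.append("teredo-udp")
        return hits
    for side in ("src", "dst"):
        addr = ipaddress.IPv6Address(flow[side])
        if addr in NET_6TO4:
            # 6to4 addresses carry the tunnel endpoint's IPv4 address.
            hits.append(f"6to4 {side} via {addr.sixtofour}")
        elif addr in NET_TEREDO:
            server, client = addr.teredo
            hits.append(f"teredo {side} server {server} client {client}")
    return hits

def find_tunnels(flows):
    """Return (src, dst, indicators) for every flow with an indicator."""
    found = []
    for flow in flows:
        hits = classify_flow(flow)
        if hits:
            found.append((flow["src"], flow["dst"], hits))
    return found

# Constructed sample flows (hypothetical layout, documentation address ranges).
SAMPLE_FLOWS = [
    {"ip_version": 4, "src": "10.1.1.20", "dst": "192.0.2.1", "proto": 41, "sport": 0, "dport": 0},
    {"ip_version": 4, "src": "10.1.1.21", "dst": "198.51.100.1", "proto": 17, "sport": 51000, "dport": 3544},
    {"ip_version": 4, "src": "10.1.1.22", "dst": "203.0.113.9", "proto": 6, "sport": 50123, "dport": 443},
    {"ip_version": 6, "src": "2002:c000:201::1", "dst": "2001:db8::10", "proto": 6, "sport": 50200, "dport": 80},
    {"ip_version": 6, "src": "2001:0:c633:6401:0:ffff:34ff:8efa", "dst": "2001:db8::10", "proto": 6, "sport": 50300, "dport": 80},
]

if __name__ == "__main__":
    for src, dst, hits in find_tunnels(SAMPLE_FLOWS):
        print(src, "->", dst, hits)
```

The native IPv6 destination `2001:db8::10` is deliberately not flagged: it sits outside the Teredo prefix `2001::/32`, which is the kind of near-miss a prefix check has to get right.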
“Apart from the security, other challenges in IPv6 adoption revolve around the capability of hardware devices and operating systems (standard as well as embedded) to support the new version, training of personnel and finally the existing investments in IPv4,” says Arun O Gupta, Customer Care Associate & Group Chief Technology Officer, Shoppers Stop.
Getting ready
For enterprises that are gearing up to adopt IPv6, one of the key areas is to integrate IPv6 in product lifecycle replacement. They should focus on IPv6 migration cost reduction by adding it into the planned product procurements of their existing information technology budgets.
At the same time, the existing infrastructure hardware should be assessed for upgrading to IPv6. It is better to take an inventory of hardware infrastructure that is IPv4-specific. Software can be upgraded at will, but some hardware must support IPv6 by design. The devices most likely to require attention include routers at the high and low end. Advanced routers may include acceleration hardware limited to 32-bit addresses, while basic routers may not have enough memory to support software using the IPv6 protocol.
“Specifying IPv6 compliance in the requests for proposals (RFPs) and adding IPv6 support to new procurement beyond the core network helps enterprises meet the internal adoption deadlines for transition to IPv6. Integrating IPv6 procurement planning and training into existing IT processes would also help them in meeting their upgrade deadlines and avoid any unexpected or unnecessary costs,” says Cisco’s Nithin.
Major operating system and network device vendors such as Apple, Cisco, HP, and Microsoft support IPv6, but application vendors are lagging behind. Operating systems like Linux, FreeBSD and Solaris also support IPv6.
Many of the applications and services deployed at the back end were developed without keeping in mind the OSI model layer separation. These applications could prove to be a hurdle in the migration process.
According to Cisco, early planning in the migration to IPv6 could help reduce the costs of integration. It would be better for CIOs to include IPv6 training in the IT budget as the training costs might be significantly high in case of IPv6 migration. Integrating training costs into the IT training budget helps in a smooth transition and ideally, IPv6 should be considered a separate protocol requiring practice to gain proficiency.
Monitoring applications, communication suites, and peer-to-peer applications may need to be upgraded or replaced. These issues will lead many companies to utilise IPv4-to-IPv6 gateways rather than replace IPv4 networks. Network hosts and intermediate nodes with either IPv4 or IPv6 can handle packets formatted for either level of the Internet Protocol. Users and service providers can update to IPv6 independently without having to coordinate with each other.
However, the most important link in the whole migration process is the proper communication between ISPs and enterprise users. As there is no major enterprise business application that is only supported by IPv6, there are chances that the adoption could get into a chicken and egg situation. As ISPs are not offering IPv6 services, corporates cannot implement the technology, and because corporates are not asking for IPv6 services, ISPs are not investing in the technology.
“As 3G networks are deployed across the world wherein every device requires an IP address, it will be governments who will have to lead the way towards IPv6 rather than enterprises. Enterprise requirements get addressed using private IP addresses and some innovative use of technologies like NAT. Thus the business case is extremely weak and the cost of transition is to a large extent unknown with interoperability and security issues which are yet to be addressed,” says Gupta.
In CTOF’s interaction with CIOs, many have shown interest in IPv6 deployment and are also concerned about how to go about the whole process. They do understand that the technology promises lower cost in deployment, maintenance and operation. Also, IPv6 is one of those infrastructure expenditures that are not about saving on IT budgets, but rather an initiative that would drive enterprise productivity.
Though the time is not ripe for a strong business case or a killer application that is supported only by IPv6, it is better to start the process of migration slowly and ensure a smooth journey.