Internet Protocol (IP), one of the core components of the Internet, is the system that allows machines and devices to find and connect to each other online. It is the bedrock of networking as we know it. The version we use today, IPv4, was designed in the early 1980s at a time when no one could have predicted the explosive growth of the Internet. The IPv4 address space is a 32-bit field. There are 4,294,967,296 unique values, considered in this context as a sequence of 256 “/8s,” where each “/8” corresponds to 16,777,216 unique address values. At the rate of expansion presently being witnessed, there are fears that we may soon run out of IPv4 addresses.
When IPv4 first emerged in 1981, the billion or so addresses it could provide seemed like a massive figure, given the relatively limited number of computers at the time. Three decades later, computers are commonplace and a wide variety of other devices also use network connections, from smartphones, tablets and handhelds to game consoles, TVs and even cars and fridges. Suddenly those 4 billion addresses in the available address pool seem massively inadequate.
Of course, there are workarounds to the address shortage — notably network address translation (NAT), which lets a large number of devices connect from behind a single address, stretching the available public addresses further. NAT, shared services and Classless Inter-Domain Routing (CIDR) all help mitigate the scarcity of available addresses. These workarounds have been in use for some time, but even they are becoming challenged by Internet growth. Internet regulators are frantically trying to claw back unused addresses, renumbering and tightening distribution rules to squeeze as much as they can from the current system. But these measures are temporary and inefficient, and represent serious challenges in designing and implementing proper security and scalability.
For years, regulators and Internet experts have warned about the impending exhaustion of IPv4’s limited pool of addresses. Although estimates vary from years to decades, lately they’ve converged on the next few years. More and more new devices, platforms and services include support for IPv6, but so far mass migration has been delayed again and again. The lack of widespread public understanding of the benefits along with general fears of the difficulty and complexity of the migration process all contribute to the slow pace of IPv6’s adoption.
At first glance, 3.7 billion addresses seems massive. One reason it is not enough is that the majority of the IPv4 address space has been allocated to countries that were early implementers of the Internet. The United States and Europe own the majority of the IP address space. Emerging countries like China need more IP addresses than are available, driving the need for a larger address space.
Also, in the twenty-first century, devices other than computers need an Internet address. Cell phones, PDAs, vehicles, and appliances are all becoming part of the Internet. There simply are not enough IPv4 addresses to go around. So the big question is, how much is enough?
The current world population is more than six billion people, so there are more people than there are IPv4 addresses. If you assume everyone will eventually need at least one IP address, it is easy to see IPv4 does not have enough addresses.
The transition to IPv6 is inevitable, but migration to IPv6 requires considerable effort, preparation and consideration. If done incorrectly or incompletely, it can leave gaping security holes in your network systems. Without careful planning, you could accidentally run both IPv4 and IPv6 in parallel, effectively nullifying any security measures you have in place around either protocol.
That’s why it’s vital that security solutions and practices provide full compatibility with the new infrastructures, while users delaying the migration process need to make sure any potential holes in their current protective layers are covered.
The advantages of IPv6
IPv6 offers a significantly larger pool of addresses by using 128-bit addresses: 340 undecillion (3.4×10^38) (I don’t even know if that is a word), compared with the 4 billion available in 32-bit IPv4 addresses. This extended pool of addresses provides scalability, but also introduces additional security by making host scanning and identification more challenging for attackers. But IPv6 provides more than just new addresses — it also provides a range of benefits for security, integrity and performance.
IPv6 was built from the ground up to be capable of end-to-end encryption. While this technology was retrofitted into IPv4, it remains an optional extra and isn’t universally used. The encryption and integrity-checking used in current VPNs is a standard component in IPv6, available for all connections and supported by all compatible devices and systems. Widespread adoption of IPv6, when properly implemented, could therefore make man-in-the-middle (MITM) attacks significantly more difficult.
IPv6 also supports more secure name resolution. The Secure Neighbor Discovery (SEND) protocol is capable of enabling cryptographic confirmation that a host is who it claims to be at connection time. This renders Address Resolution Protocol (ARP) poisoning and other naming-based attacks much more difficult. And while not a replacement for application- or service-layer verification, it still offers a greatly improved level of trust in connections. In an IPv4 network it’s fairly easy for an attacker to redirect traffic between two legitimate hosts, allowing them to manipulate the conversation or at least observe it. IPv6 makes this very hard. (Not all device and OS implementations of IPv6 have applied this feature yet.)
This added security depends entirely on proper design and implementation, and the more complex and flexible infrastructure of IPv6 makes for more work ensuring every “t” is crossed and every “i” dotted. Nevertheless, properly configured IPv6 networking will be significantly more secure than its predecessor.
Data packets transferred under IPv4 are severely size-restricted, and those that are too big must be fragmented and reassembled. Routers and other intermediary devices along the transport path handle this fragmentation, but the work involved can be inefficient, time-consuming and ultimately costly. Under IPv6, the protocol design incorporates end-to-end fragmentation, simplifying and lightening the load of handling fragmented packets. With less work required to identify and properly split data, speed goes up and the workload along the transport path goes down.
IPv6 also does away with the need for integrity-checking of packets during transit, leaving this to higher-level protocols such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), freeing up valuable router time that can be better spent pushing data around as fast as possible.
There are also notable benefits in IPv6 for mobile devices, which will be able to maintain the same address when moving from one connection to another — going from a 3G network to Wi-Fi provided by your local coffee shop, for example. Rather than picking up a new address from the new connection service, the mobile device can keep the same “home” address at all times. This removes the need for “triangular routing,” in which data sent to the mobile device must first go through the network of the mobile provider. These changes not only provide greater speed, simplicity and usability, but also make connections more resilient and secure. Given the prevalence of mobile devices today, this enhancement should be most welcome.
Thanks to improved identity checking, IPv6 avoids many of the performance and security issues surrounding Multicast and Anycast broadcasting, and offers better autoconfiguration, with ICMPv6 messages used to determine an appropriate address and configuration. Upgraded DHCPv6 is also available for those who require more stateful control of network connections, and of course conventional static address assignment is possible if needed. The combination of a wider address pool and a more sophisticated address structure solves a lot of address conflict issues, which arise most commonly when company mergers or takeovers lead to integration and readdressing of networks. Organization-specific prefixes are a core part of the IPv6 infrastructure, and ensure no collisions even when the lower portions of addresses overlap. Changing addressing structures is also simpler and more efficient.
Network Configuration Made Simpler
Address auto-configuration (address assignment) is built into IPv6. A router sends the prefix of the local link in its router advertisements. A host can generate its own IP address by appending its link-layer (MAC) address, converted into Extended Unique Identifier (EUI-64) format, to the 64 bits of the local link prefix.
New Services Support
By eliminating Network Address Translation (NAT), true end-to-end connectivity at the IP layer is restored, enabling new and valuable services. Peer-to-peer networks are easier to create and maintain, and services such as VoIP and Quality of Service (QoS) become more robust.
It would seem that IPv6 is the solution to the imminent shortage of IPv4 addresses. But migrating is not without its own problems and challenges. In my next piece, I will be discussing the challenges involved in migrating and organizational considerations that should be taken before migrating.