One of the first events that used IPv6 on a global scale was the 2008 Summer Olympic Games that were held in Beijing. It was a true piece of history as it was the first time where all network operations were solely conducted using IPv6. In retrospect, while the IPv6 standard has been out there for some 15 years (initially implemented in the Linux Kernel back in 1996), only in the past couple of years has it achieved a solid level of maturity, as I hear more and more customer’s opinions and questions about IPv6.
When is the right time to deploy IPv6? Which network layers should one start migrating? How can the network migration and the servers network stacks migration be best separated and effectively controlled? How to have minimal impact on the business’s existing operations? And how does security fit in? These are all not only important and valid questions, but they all consistently reflect one repeating need: the need to ensuring smooth migration to IPv6.
But first of all, a couple of words on IPv6, so that everyone is on the same page of the book to get the full context of this blog post. IPv6, as most of us know, was designed to solve the limited Internet addressing space by providing a greater flexibility in assigning Internet addresses. In other words, it enables the ability to assign many more IP addresses – way more, to be accurate – 2^128 compared to only 2^32 (with the current IPv4). But IPv6 is not all about delivering a larger address space; it also provides new-to-market features such as multicasting (the ability to transmit a packet to multiple destinations in a single send operation), routing mobility support, integrated IPsec (not optional as with IPv4), and even more advanced capabilities like stateless address auto-configuration that simply address assignments.
But what’s interesting to note is that almost no organizations planned to implement IPv6 from scratch. On the contrary, today’s IT managers seek to adopt IPv6 while ensuring their business applications and operations continue to operate un-disrupted. Also, the transition to IPv6 will not take place overnight; it is a long, step-by-step approach due to its high sensitivity and criticality to the organization.
So here are five recommendations that will ease your IPv6 migration:
- Plan your project. From my experience, customers often start migrating to IPv6 their externally-facing network infrastructure in order to be able to first expose an IPv6 Internet address (such as http://ipv6.beijing2008.cn/en), and only then move to other portions in their data center. This way the risk can be reduced and the complete transition to IPv6 can be expedited.
- Use a mediation layer that will take care of IPv6/4 or IPv4/6 conversion. The best network element I’d recommend for this task is an Application Delivery Controller (ADC) as it resides in the perfect location – just between your network and the applications – enabling you to first all of migrate your network, test it and sign it off, and only in the future upgrade your severs (that are basically more heterogonic in terms of OS, applications, etc.) to IPv6.
- Review and pay attention to the various layer 4 policies in your ADC – so the existing capabilities (routing, load balancing, health checks, etc.) continue to be functional and deliver their business benefits
- Use a certified solution which was thoroughly tested to ensure its feature completeness and stability – to minimize any potential “surprises” along the IPv6 project.
- Protect from new, IPv6-related security threats. Remember that IPv6 includes many enhancements – where some can be exploited by attackers. For instance, the stateless address auto-configuration feature (which we mentioned above) can be used by attackers to announce rogue routers; furthermore, in some cases, IPv6 traffic can enter networks without administrators being aware of their presence. Hence it is important to consider and implement security / perimeter gateway policies using an IPS, DoS mitigation solutions, etc.
With that, I’ll just wish all of us a pleasant, productive and riskless journey to IPv6!
Until next time,