Happy IPv6 Day, What Did You Get? - Page 2

 By Brian Proffitt
Page 2 of 2   |  Back to Page 1
Print Article

The new protocol is about more than just packets. You also need to make sure IPv6 can do the tasks you need it to do. IPv6 is a protocol that is still relatively immature as an application platform. There are still a lot of things that IPv4 can do that IPv6 users can't, because there may not be networking applications that are IPv6 ready.

In May, for instance, Cisco took a big step forward in solving this problem when it released a new version of its IOS platform with a reported 200 new IPv6 features.

"Our biggest goal in IOS now is to have parity between IPv4 and IPv6," Faraz Aladin, director, Marketing Cloud Switching and Services at Cisco told InternetNews.com. "Whatever you can do in IPv4, you should be able to do with IPv6."

Some of this is really basic stuff, too. The Cisco announcement in May highlighted the availability of the Network Time Protocol in IPv6. But in truth, any application that uses IP addresses will need to be updated.

Finally, you will need to make a plan on how to handle network security. There are some experts who are suggesting that you won't need network allocation tables (NATs) at the edges of your network anymore. With 2128 addresses available, you don't need an internal set of IP addresses contained behind firewalls. Each machine or device can have their own IP address. But if your network is on the same topology level as the entire Internet, what does that mean for security?

Right now, security is probably the biggest question mark for IPv6 deployment, because network security relies in well-defined network edges, ideally guarded by the firewall. If NATs went away, the firewall would have to maintain security across a fuzzier boundary. It's been suggested that with the huge network segments available in IPv6, malicious hackers would have to scan your network segment for years to find a potentially vulnerable target. Great, but what if you have to run the same kind of scan for internal vulnerabilities?

Another potential angle of attack: IP options in IPv6 like destination or authentication information aren't found in the main header, but in extension headers. This means an IPv6 packet is roughly put together like this: Main header and extension headers and packet content. Malicious packets could contain specific extension information or just a ton of junk extension data that might potentially choke the target device.

Security, then, will be the space to watch as you start moving towards IPv6. You must make sure you have efficient security tools in place that follow the best practices--which are even now being put together. Until these issues are solved, start making that inventory, and analyze which applications use IP addressing. Then you will be ready to swim into IPv6 when the lifeguards say the water is safe.

This article was originally published on Jun 8, 2011
Get the Latest Scoop with Networking Update Newsletter