IPV6: Workarounds to IPV4 Stand in the Way


Ironically, the networking industry’s ability to produce NAT, CIDR, and
other workarounds to IPv4’s shortcomings has become one of the major
roadblocks to IPv6. Another big barrier, at this point, is lack of IPv6
applications. When IPv6 sees eventual deployment, though, network managers
are among those who will feel its benefits most keenly.


“IPv6 is a subject that only a network manager could love,” quips Robert
Batchelder, a GartnerGroup analyst. In a Gartner Group report, Batchelder
writes: “The primary benefits of IPv6 accrue at the network management level
in areas such as interdomain routing, network configuration, end-to-end
security, and address space management.”


Other analysts agree. “After two decades, the Internet protocol (IP) is
finally beginning to show its age. Workarounds to accommodate its
limitations are themselves creating inefficiencies, bottlenecks, and
security risks, making the Net increasingly complicated,” maintains Kevin
Werbach, an analyst at Edventure Holdings Inc.


“Partly because IPv6 is a short-term solution for an industry with
notoriously short planning horizons, and partly because the limitations of
IPv4 are felt most acutely outside the US, this issue has not received the
attention it deserves,” according to an Edventure report.


Some administrators, though, are paying attention to IPv6 already. “We are
currently using IPv4, (but) it has remained basically the same since the
70s. Since the design of IPv4, computers (have gotten) a lot more powerful
and network bandwidth has increased a lot. The number of hosts on the
Internet has also increased, to more than 4 million. This is one of the big
problems. IPv4 uses a 32-bit address space, and to make a long story short,
this does not provide sufficient space for the growing number of hosts on
the Internet,” writes one participant in an Internet newsgroup.


The Internet address pinch is much more critical in other parts of the
world, especially the Asia Pacific. However, by now, large numbers of Us based
enterprises do not hold Class A blocks, which would provide them with
long series of contiguous IP addresses. As Batchelder sees it, the use of
NAT to overcome this limitation is giving companies a “false sense of
security.”


Microsoft officials concur. “While NATs promote reuse of the private
address space, they do not support standards-based network layer security
or the correct mapping of all higher layer protocols, and can create
problems when connecting two organizations that use the same address
space,” according to a white paper from Microsoft.


NAT, of course, is used to map multiple private addresses to a single
public IP address.


NAT modifies end node addresses within the IP header while packets are en
route, and also maintains state for these updates for transparent routing
to their end destination. Sometimes, application-specific ALGs are used in
conjunction with NAT for application-specific routing transparency.


“Analogous to private branch exchanges in the telephone world, enterprises
use NAT to overcome a limited allocation of IP addresses and to simplify
the process of reconfiguring data networks,” Batchelder says.


NAT, though, also presents some serious issues. One of these is that its
address translation architecture makes it difficult to implement end-to-end
packet-level security in transactions. “At best, SSL and HTTP/S provide
partial solutions to the problem,” according to Batchelder.


Other observers point out that it is practically impossible to deploy end to
-end Ipsec with NAT en route. Kerberos 4 and Kerberos 5 can be
problematic, too. Because Kerberos 4 and Kerberos 5 tickets are encrypted,
an ALG cannot be written. Workarounds are available, but these solutions
can compromise Kerberos security.


IP fragmentation with NAT en route can easily corrupt a session. In
addition, certain types of applications are prone to breakage by the NAT
protocol, including peer-to-peer applications, bundled session
applications, applications that need large numbers of public addresses, and
applications requiring address mappings to be retained across multiple
contiguous sessions.


Beyond the danger of running out of IP addresses, which has only been
partially solved through NAT, the Internet has also faced the risk of
running out of capacity in the global routing tables.


“CIDR comes a long way toward overcoming routing problems,” Batchelder
notes. At this point, though, the Internet is still a mix of old-style
Class A, B and C addresses, and newer CIDR-style addresses. Furthermore,
CIDR presents issues of its own.


Unlike the old-style addresses, which were limited to network identifiers
of 8, 16 or 24 bits, CIDR uses prefixes ranging from 13 to 27 bits, to more
closely match a company’s needs. CIDR also permits “route aggregation,,” in
which a single high-level route entry can represent many different lower level
routes.


Under the old addressing approach, you would get address assignments
directly from the InterNIC or some other Internet registry. You then
“owned” the address, and you could take it with you even if you changed
ISPs.


In contrast, under the newer CIDR scenario, the ISP “owns” the address. You
are merely “renting” it.. If you change ISPs, you need to go through the
time-consuming process of re-numbering your network devices and propagating
the changes.


Gradual deployment of IPv6 does look likely over the next few years. The
Japanese and Korean governments have mandated its deployment within their
countries. Meanwhile, encountering a barrage of mobile devices in Europe,
the European Commission is now recommending that its members migrate
networks supporting research and government activities to IPv6 by 2005.


IPv6-driven mobile applications will probably be less of a factor in the
US, because of barriers to G3 deployment. However, faced with demand from
their European customers, global equipment suppliers are already starting
to provide products with built-in IPv6 support. The results are bound to
trickle in to the US networking market.


»


See All Articles by Columnist
Jacqueline Emigh

Latest Articles

Follow Us On Social Media

Explore More