Friday, March 18, 2011

Ten things that should be IPv6 ready but aren't

IPv6 is, unquestionably, a better system for building the Internet upon, and a migration to it can't come soon enough. Connecting to the Internet today is a mess, involving a lot of hacks, confusing configuration options, and things that ought to work but don't, simply because IPv4 was never designed for it. IPv6 makes the Internet as easy to connect to as your power supply.

But supporting IPv6 comes at a price: the system is not compatible with IPv4 in any way whatsoever. From being, effectively, an entirely different network, to needing a slightly different approach from software that uses it, IPv6 requires work by a large number of parties for it to become viable.

In order for IPv6 to be adopted, hardware, software, and infrastructure need to be ready to support it. It's perfectly possible to run IPv6 at the moment, but using it as your primary protocol is out of the question. Too much of the Internet is IPv4 only, and much of your software needs to be updated to support IPv6.

The good news is that support is growing, but there's still work to do. And while I've come up with a fairly scary list below, always keep in mind the fact that you can venture into the IPv6 world while remaining connected to the IPv4 world for now. The two may be incompatible, but you're not going to be forced to choose one or the other any time soon.

1. Your router/gateway

If you're going to use IPv6, then the device you hook everything up to, that in turn hooks up to your building's Internet connection, has to support IPv6 too, and most router/gateways don't. That's not going to stay that way; increasing numbers of barebones, cheap routers are supporting IPv6, but it's hard to tell which when you're buying them at the store.

2. Your desktop operating system

The good news is that most operating systems support IPv6 already. The bad news is that for most, you have to manually enable the system; it's not right there, ready to work once hooked up to the network.

There's little reason for this. It's extremely easy for an operating system to detect whether it's hooked up to an IPv6 network, and to turn on IPv6 if it is, but some operating system vendors are wary of doing so after early attempts to "force" IPv6 to turn on were hampered by bloody-mindedness from certain ISPs, and system administrators in large corporate environments expressed reservations about having a new networking system deployed without them specifically managing it. But turning the entire system off by default, and having computers not even attempt to use an existing, already set-up, IPv6 network is very clearly overkill.

3. Your ISP

If you want to use IPv6, it would stand to reason you need an IPv6 connection from your ISP. Unfortunately, very few actually offer such a thing. Worse still, those people who want to use systems like "6to4" to get an IPv6 connection when their ISP doesn't support it often find themselves out of luck because their ISP blocks it, seeing anything but basic web service as a premium product that only large, rich, corporate entities would want. It's stupidity, but there you are.

4. Your enterprise's security systems

The MIT version of the Kerberos system is the de-facto standard for authorization outside of Windows, and last time I looked it didn't support IPv6. That's bad; what's worse is that virtually any sane post-IPv6 security system requires that computers handle their own security, with central management being provided by a mix of directory services and authentication systems.

What does this large blob of jargon mean? Well, in IPv4, security is generally provided by a box called a "firewall", that filters content from the Internet to an internal network. It's a lousy approach, but has been necessary over the years because security had been grafted onto the Internet almost as an afterthought. In IPv6, a more fine-grained approach is used where each computer is responsible for its own security.

Computers talk to each other using encrypted connections, via a system called IPsec, and they guarantee those connections are secure using a system called IKE. The computer's operating system filters connections, ensuring that only authorized applications make and receive authorized connections to other computers. But some key exchange standards need Kerberos to do the authentication. And if MIT is the de-facto standard...

Now, I titled this "Your enterprise's security systems", but actually any organization, no matter how small, is going to end up needing this issue fixed to move forward. There are alternatives to MIT, notably Heimdal, which does support IPv6, but the choices of which software to use are rarely made in isolation - especially when, as with Kerberos, the operating system vendor is more likely to have made the choice for you.

What's the alternative to using Kerberos to securely exchange keys? DNSSEC, and that's not exactly ready either...

5. The World Wide Web

A combination of inertia and the lack of support from ISPs means IPv6 sites are still rare on the web at the moment. For ISPs that don't actively block 6to4, most website servers can be switched to support both IPv6 and IPv4 at the flick of a switch (or rather installation of some configuration options), but there are multiple steps here:
  1. The owner of the site has to want to do it.
  2. The administrator of the site has to know how to do it.
  3. The ISP used by the site to connect to the outside world has to, at the very least, not block it.
In my experience, you can't rely on any of those being true.

6. Your Android phone and other mobile devices

One area where IPv6 support is being pushed fairly heavily is the mobile world, where operators are keen to migrate to technologies built on the newer standard. Unfortunately, Android isn't ready! With Google being a dabbler in IPv6, and with operators keen on making the switch, this is somewhat surprising.

On a separate note, while I'm thinking about it, and nothing to do with the topic at hand, the switch to IPv6 will be, uh, interesting for many. Those used to free tethering, for example, where you use your phone to hook your computer up to the Internet, might be a little surprised when they find that the entirely different nature of IPv6, and lack of NAT, means tethering really will be a different service, one that mobile networks will be keen on charging for.

7. The things on your network that aren't computers

At home I have a high definition player, a satellite box, a couple of games consoles, and probably some other stuff I can't think of right now, hooked up to my Internet connection. You might add a Roku box or a Vonage router to that mix. Not all are IPv6 ready, despite being the very things that IPv6 will make easier to connect.

8. Your employer's networks

Planning on working from home? Or conversely accessing stuff at home from work? You and your employer will need compatible networks. Mention IPv6 to the average system administrator and they'll express a range of emotions, from joy that the networks are actually going to work properly, to concern about the amount of work that still needs to be done before it can be deployed, to fear about the risks during the transition. Your office will probably not be upgrading any time soon. Talking of which...

9. The people who are responsible for your networks

It doesn't matter who you are, whether you work at home or use an office network, whether you're down with the whole IPv6 thing or are reading this wondering what a vee six is, there are always people in the chain of responsibility for your networks that are not quite fully aware of what IPv6 is and isn't, and what it takes to support it. IPv6 isn't on most of the networks you connect through because someone, be it a manager, a sysadmin, someone who provides infrastructure, or someone in between, has decided, rightly or wrongly, that it shouldn't be implemented yet.

And no, these aren't "stupid" or "lazy" people; in many cases they're some of the smartest people around. But in order to move forward, they need to be convinced, and they need to know it's an issue, and be part of the team that's pushing things forward and knocking down those roadblocks.

10. YOU

OK, that might be unfair; you might very well be reading this over a network you've set up that's IPv6 ready. But if you work in the industry, you might ask yourself the following questions:
  1. Do you understand IPv6 as a general technology?
  2. Do you understand the different approach to security and routing IPv6 brings to the table?
  3. Have you set up IPv6 at home, using either an IPv6 broker, or 6to4?
  4. Do you have any idea what applications in your organization are capable of supporting IPv6?
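
One way to start answering the last question on a Linux host, as an added example that is not part of the original post: compare the listening sockets in `/proc/net/tcp` and `/proc/net/tcp6`, since a port that listens only in the IPv4 table belongs to a service that has not been set up for IPv6. The sample tables are constructed and truncated to their first four columns, and the function names are this example's own.

```python
# Added example; the sample tables are constructed, not captured from a real host.
# Format follows Linux /proc/net/tcp{,6}: field 1 is HEXADDR:HEXPORT, field 3 is the state.
SAMPLE_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0100007F:0CEA 00000000:0000 0A
   2: 00000000:1F90 00000000:0000 0A
   3: 0F00000A:0016 0200000A:D431 01
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000000000000:01BB 00000000000000000000000000000000:0000 0A
"""
LISTEN = "0A"                                     # TCP_LISTEN state code
V6_LOOPBACK = "00000000000000000000000001000000"  # ::1 as the kernel prints it

def is_loopback(hex_addr):
    """IPv4 addresses are printed little-endian, so 127.x.x.x ends in '7F'."""
    hex_addr = hex_addr.upper()
    if len(hex_addr) == 8:
        return hex_addr.endswith("7F")
    return hex_addr == V6_LOOPBACK

def listening_ports(table_text, skip_loopback=True):
    """Return the set of TCP ports in LISTEN state from one /proc/net/tcp* table."""
    ports = set()
    for line in table_text.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue                              # established, time-wait, etc.
        addr, port = fields[1].rsplit(":", 1)
        if skip_loopback and is_loopback(addr):
            continue                              # not reachable from the network
        ports.add(int(port, 16))
    return ports

def classify(tcp4_text, tcp6_text):
    """Ports in the IPv6 table may also accept IPv4 (dual-stack sockets)."""
    v4, v6 = listening_ports(tcp4_text), listening_ports(tcp6_text)
    return {"ipv4_only": sorted(v4 - v6), "ipv6_capable": sorted(v6)}

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f4, open("/proc/net/tcp6") as f6:
            tcp4, tcp6 = f4.read(), f6.read()
    except OSError:                               # not Linux: use the samples
        tcp4, tcp6 = SAMPLE_TCP, SAMPLE_TCP6
    print(classify(tcp4, tcp6))
```

Every port listed under `ipv6_capable` is also a port the host's own filtering has to cover, since, as noted above, there is no NAT in front of it.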
You can't make the migration until you're ready.

Did I miss anything? Did this suck less than my usual "Ten reasons" posts? Let me know below!
