IPv6, it's waiting for you

IPv6 is an expression IT professionals are likely to have seen or heard at one time, but what exactly is it? Let us give you a quick introduction, and then try to explain what it does differently by comparing it to its predecessor, IPv4.

IPv4 and IPv6 are both Internet communications protocols designed as identification and location systems for networked devices. This allows people to direct traffic to a specific address. IPv6 is short for Internet Protocol version 6. Naturally, that means IPv4 is version 4. In case you are wondering, version 5 was so short-lived that it never reached any importance.

Why the change?

One reason to replace IPv4 was its limited number of possible IP addresses, which was approximately 4.2 billion. The authority that handed out the IPv4 blocks (IANA) ran out of IPv4 blocks in the beginning of 2011. The number of possible addresses was limited because IPv4 addresses are only 32 bits long. With IPv6, the address is 128 bits long (both types are hexadecimal), so the number of possible addresses went up to 3.4 × 10^38. That’s a lot of addresses.

[Figure: comparison of IPv4 and IPv6]

Pros and Cons of IPv6

Using IPv6 means that you don’t need Network Address Translation (NAT), which basically comes down to showing one external IP to the outside world. Regardless of which device you are using, others will always see the same IP with NAT. IPv6 gives every device a unique address, although the first 64 bits (the network address) are the same. So if you move the device into another LAN, you will get the first 64 bits of that network.

In the early days of IPv6, the last 64 bits were often based on the device’s MAC address, but this opened possibilities to track devices across networks, which then posed a privacy issue. The lack of NAT also means that with IPv6 you no longer need port-forwarding if you want to relay traffic to a certain node in the network. The contact can be established at the unique IPv6 address.
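The MAC-based addressing described above can be checked for in an address inventory. The following is an added example, not code from the original article: it assumes the modified EUI-64 scheme (flip the universal/local bit, insert ff:fe in the middle of the MAC), and the MAC, the prefixes and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values: documentation prefixes (RFC 3849) and a made-up MAC.
SAMPLE_MAC = "00:11:22:33:44:55"
HOME_LAN, OFFICE_LAN = "2001:db8:1::/64", "2001:db8:2::/64"

def eui64_interface_id(mac: str) -> bytes:
    """Derive the 64-bit modified EUI-64 interface identifier from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 network prefix with the MAC-derived interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return net.network_address + int.from_bytes(eui64_interface_id(mac), "big")

def embedded_mac(addr: str):
    """Return the MAC an address embeds, or None if it is not EUI-64 style.

    Heuristic: a randomized identifier can contain ff:fe at the same
    position by chance (about 1 in 65536), so treat a hit as a lead.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

def audit(addresses):
    """Return {address: embedded MAC} for every address that exposes a MAC."""
    found = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            found[addr] = mac
    return found

if __name__ == "__main__":
    inventory = [str(slaac_address(HOME_LAN, SAMPLE_MAC)),
                 str(slaac_address(OFFICE_LAN, SAMPLE_MAC)),
                 "2001:db8:1:0:8c1f:4a3b:91d2:77e0"]  # constructed randomized identifier
    for addr, mac in audit(inventory).items():
        print(f"{addr} embeds MAC {mac}: identifier is stable across networks")
```

Hosts that `audit` flags keep the same last 64 bits on every network they join; configuring temporary or stable-privacy identifiers (RFC 8981, RFC 7217) on those hosts removes the embedded MAC.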

IPv6 offers data security at the IP level. With IPv6, it is possible to use Internet Protocol Security (IPsec) during the data transport. This enables the use of encrypted traffic and authentication. The authentication means the receiver can be sure about who the sender is, there is no spoofing, and no man-in-the-middle. End-to-end encryption was possible in IPv4, but only as an option (e.g. by using a VPN), and it was added as an afterthought. The Secure Neighbor Discovery (SEND) protocol plays an important role in the authentication part.

IPv6 offers the possibility of mobile nodes. The traffic intended for a node that (temporarily) has a different IP can be forwarded to the current IP.

Latency can be higher when using IPv6. In theory, it could be faster, but in real-world use it is slower because not every peer is able to use IPv6. Packets may have to travel around these peers because of this.

Bigger packet headers are caused by the longer addresses. The sender and receiver have a longer address so the headers grow accordingly.

Firewalls have to be considered at the device level. Since IPv6 addresses open up direct access to devices, not everything can be checked at the network router level. Especially when your servers have IPv6 enabled by default and your firewall is not configured accordingly, malware and breaches will not be far behind to take advantage.

Take action for a safe transition

  • Be ready for IPv6 before you start using it, as it may require a complete makeover of your network design. Study up on IPv6 before you’re forced to make the change.
  • Consider what needs to be done to maintain or better your current security posture.
  • Research how the transition can help you to improve security.
  • Plan the transition so that your environment stays secure during each step of the process.
  • When purchasing new equipment, make sure it will still be useful after the transition to IPv6. Most new devices will be compatible, but will they still be needed?

Conclusion

Since there is no more room to continue using IPv4, we should get ready for IPv6. Several large ISPs and mobile operators are already migrating to IPv6 along with a lot of other major online services. It’s time IT professionals do the same.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.