Getting at the real truth about IPv6
Jul 18, 2011 10:03 am | Network World
by Carolyn Duffy Marsan
Is 2012 the year to invest in IPv6?
That’s what CIOs want to know as they plan their IT budgets for the next fiscal year. They need to decide if they are going to set aside funds to deploy this emerging Internet standard and how much it will cost to upgrade their hardware and software.
The short answer to that question is: Yes.
The conventional wisdom in the Internet industry is that CIOs need to invest in IPv6 during 2012 or they will put the growth plans for their online businesses at risk. This is because an increasing number of new mobile and broadband subscribers worldwide will be given IPv6 addresses starting in 2012.
“For an enterprise, it’s a safe assumption to make that if you start today to do a design assessment and your addressing plan, you can plan for an IPv6 deployment in the first half of 2012,” said Alain Fiocco, who leads the IPv6 program at Cisco. “2012 is when you’re going to see some measurable percentage of users on IPv6.”
Two recent events have demonstrated to CIOs around the world that the need for IPv6 is both real and imminent: The free pool of available IP addresses using the current protocol, IPv4, was depleted in February; and most IPv4 addresses in the Asia Pacific region were distributed to carriers in April.
Meanwhile, IPv6 has proven itself ready for deployment. On June 8, more than 400 of the Internet’s largest players, including Google, Facebook and Yahoo, participated in a 24-hour trial of IPv6 dubbed World IPv6 Day. No major outages, security breaches or performance degradation were reported during the event.
“There was a lot of concern that things would be broken, but the overwhelming majority of participants [in World IPv6 Day] had a positive experience,” says Greg Hankins, Global Solutions Architect for Brocade, which has supported IPv6 on its Web site, email and customer support infrastructure for more than a year. “I don’t think I’ve seen a single horror story or really negative implementation experience from anyone, which speaks a lot about the maturity of IPv6 and the maturity of IPv6 implementations by various switching, routing and appliance vendors.”
An estimated 20% of World IPv6 Day participants had such a positive experience with the new protocol that they left it up and running on their public-facing Web sites after the experiment was over. For example, Blue Coat left IPv6 enabled on its main Web site, and Cisco left IPv6 enabled on its www.scansafe.com Web site.
“We had a little over 1% of our users and traffic, our unique visitors, coming to the cisco.com Web site over IPv6. That’s pretty consistent with the rest of the industry,” Fiocco says. “That represents a couple of tens of thousands of unique visitors in 24 hours. None of them had any big, serious problems… For users in the U.S., performance in IPv6 was exactly equivalent to IPv4.”
The only disappointment for Cisco was that it was expecting 2% of its overall traffic at www.cisco.com to be IPv6 on World IPv6 Day instead of 1%. “That’s probably something we need to focus on for the next phase: working with the ISPs so that they enable the eyeballs,” Fiocco says.
IPv6 solves the problem of IPv4 address depletion by offering a virtually limitless pool of IP addresses that can be used by computers, smartphones, home appliances, gaming devices and all sorts of sensors and actuators that have yet to be invented. IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. IPv6, on the other hand, uses 128-bit addresses and supports 2 to the 128th power devices.
One problem is that IPv6 is not backwards compatible with IPv4. So network operators and content providers must support both protocols in a side-by-side configuration known as dual stack. Most carriers and enterprises will solve that problem by deploying network address translation (NAT) devices, which convert inbound IPv6 traffic into IPv4 traffic so IPv6-based users can access existing IPv4-based content and services.
Another problem is that few Internet users have IPv6 access today. This was evident on World IPv6 Day, which was a success for participating content providers but failed to draw as much IPv6 traffic as planners had hoped. The percentage of overall Internet traffic supporting IPv6 doubled on World IPv6 Day, but it still failed to reach even a quarter of 1% of Internet traffic, Arbor Networks said.
“There isn’t a lot of access ability for customers, for subscribers or individuals, to give them a direct IPv6 globally scoped address to get them to IPv6 content,” says Rob Malan, co-founder and CTO of Arbor Networks. “Almost all IPv6 traffic gets converted and then goes to the IPv4 content.”
One of the key issues for CIOs to monitor is the rate at which wireless and broadband carriers provide their new subscribers with IPv6 addresses. A major driver for IPv6 is Verizon’s new LTE network, which requires that all devices support IPv6. Meanwhile, Comcast, Time Warner Cable, Cox Communications and other U.S. broadband providers have ongoing IPv6 trials. These carriers will give IPv6 addresses to their new customers, but it will be a long time before they upgrade all of their existing customers to IPv6. So content providers must support both protocols for the foreseeable future.
“The content side is the easy side of the problem. The harder question is: How soon will you have a massive amount of IPv6 clients who need to get to you?” Malan said. “Think about the Linksys modem in your house. There are oodles of crusty old stuff out there that needs to get upgraded. That problem is hard and expensive.”
Experts agree that CIOs need to tread carefully where IPv6 is concerned. For now, they only need to worry about IPv6-enabling their public-facing Web sites and Web services. They don’t need to worry about upgrading anything behind the firewall on their private corporate networks.
The drop dead deadline for IPv6
When do a company’s public-facing Web sites and services need to be IPv6-enabled in order to prevent them from being unreachable to Internet users with IPv6 addresses? Nobody knows for sure when a significant number of IPv6-only users will emerge, but experts say this upgrade needs to be done within the next 18 months.
John Curran, president of the American Registry for Internet Numbers, which doles out IPv4 and IPv6 addresses to network operators in North America, has said the drop dead deadline for U.S. enterprises to support IPv6 on their Web sites is Jan. 1, 2012.
“It needs to be a priority by the end of the year,” Hankins agrees. “That coincides with ARIN running out of IPv4 space by the end of the year or early next year, and it also coincides with LTE deployment. LTE is one of the major drivers for IPv6 because they are expected from the beginning to use native IPv6 support in terms of having users access online processes.”
The U.S. federal government has established Sept. 30, 2012 as its deadline for all public-facing government Web sites to support IPv6. Federal agencies have a second deadline of Sept. 30, 2014 to upgrade internal client applications that communicate with public Internet servers to use native IPv6.
Alain Durand, director of software engineering at Juniper, says CIOs have at most 18 months to get their Web content ready for IPv6-only customers. Juniper offers a special-purpose Web site for IPv6 users (ipv6.juniper.net) today, and it supported IPv6 on its main Web site, www.juniper.net, for World IPv6 Day using its own routers and carrier-grade NAT gear that it calls translator-in-the-cloud.
“Starting to introduce IPv6 and starting to turn it on now would be a reasonable thing to do,” Durand says, pointing out that most broadband providers will support both IPv4 and IPv6 for a while into the future. “In the beginning, IPv6 may go through some sort of NAT, then IPv6 may go native and IPv4 will go through some sort of NAT. The question for CIOs is: When can they offer a better service to their users by offering content natively over IPv6? … There comes a point at which offering content over IPv6 offers a better user experience to customers and offers you as a network manager more flexibility.”
Durand says he doesn’t know when CIOs will experience traffic management issues on their networks that will encourage them to switch from NAT devices to native IPv6. One worry is that it will be harder for network operators to filter out denial-of-service (DoS) attacks when NAT devices are used to share IPv4 addresses among multiple subscribers. That’s the kind of network management issue that will likely prompt network operators to deploy native IPv6 service.
“If you’re using IPv6 natively or translator-in-the-cloud, you have access to the originating IP source and you can filter out the DoS attack on this IPv6 address and only remove the bad guy without impacting the other 99 or 999 users,” Durand says.
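The filtering difference Durand describes can be worked through on sample traffic. This is an added example, not code from the article or from any vendor named in it. The request threshold, the one-subscriber-per-/64 aggregation, the subscriber labels and the documentation-range addresses are all assumptions constructed for the illustration.

```python
import ipaddress
from collections import Counter

def filter_key(addr):
    """Key a per-source rate limit on the IPv4 address or the IPv6 /64."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        # Assumption: one subscriber per /64, so rotating the interface ID
        # inside the prefix does not evade the filter.
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)

def evaluate(requests, threshold):
    """requests: list of (source_address, subscriber).
    Returns (blocked filter keys, legitimate subscribers cut off)."""
    per_key = Counter(filter_key(src) for src, _ in requests)
    per_sub = Counter(sub for _, sub in requests)
    blocked = {k for k, n in per_key.items() if n > threshold}
    collateral = {sub for src, sub in requests
                  if filter_key(src) in blocked and per_sub[sub] <= threshold}
    return blocked, collateral

def build(sources):
    """sources: {subscriber: (addresses, request_count)} -> request list."""
    out = []
    for sub, (addrs, n) in sources.items():
        out += [(addrs[i % len(addrs)], sub) for i in range(n)]
    return out

# Constructed traffic: three subscribers behind one shared NAT IPv4 address.
SHARED_NAT = build({
    "flooder": (["203.0.113.7"], 500),
    "alice": (["203.0.113.7"], 3),
    "bob": (["203.0.113.7"], 4),
})
# Constructed traffic: the same subscribers, each on a native IPv6 /64.
NATIVE_V6 = build({
    "flooder": (["2001:db8:0:a::1", "2001:db8:0:a::2"], 500),
    "alice": (["2001:db8:0:b::10"], 3),
    "bob": (["2001:db8:0:c::20"], 4),
})

if __name__ == "__main__":
    for name, traffic in (("shared NAT IPv4", SHARED_NAT),
                          ("native IPv6", NATIVE_V6)):
        blocked, hit = evaluate(traffic, threshold=100)
        print(f"{name}: block {sorted(blocked)}, cut off: {sorted(hit)}")
```

With the shared address, the only available filter key also covers every legitimate subscriber behind the NAT; with native IPv6 the block lands on the flooding prefix alone.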
The cheapest, easiest route to IPv6
Experts say CIOs only need to upgrade their public-facing Web sites and services to support IPv6 in the near-term. How long that will take and how much it will cost depends on the size and complexity of a company’s Web presence.
Major content providers like Google and Yahoo are upgrading their entire Web server infrastructures to support IPv6, including Web servers, database servers, storage, caching and all the software that’s used on these systems. Yahoo has been working on IPv6-enabling its infrastructure since 2008 and has said this is the second-largest engineering effort for its IT department, behind ongoing tech refresh efforts.
CIOs with smaller Web sites are likely to choose an easier approach: Adding an appliance such as a proxy, gateway or NAT device to convert IPv6 traffic into IPv4 for accessing IPv4-based content. With these appliances, companies don’t have to upgrade their Web server infrastructures but they will need to upgrade their network perimeter and routing infrastructure to support IPv6 and they may need to support transit peering for IPv6.
The appliance approach is gaining popularity. Brocade uses its ServerIron ADX Server Load Balancer and Blue Coat uses its IPv6 Secure Web Gateway to support IPv6 on their Web sites. For World IPv6 Day, Cisco used its prototype ACE Session Load Balancer, Juniper used its translator-in-the-cloud offering and A10 used its AX Series appliances.
An enterprise can expect to spend tens or hundreds of thousands of dollars deploying these appliances at the front end of its Web sites to support IPv6, depending on the scale of those Web sites.
Using A10’s AX Series Appliances with Server Load Balancing-Protocol Translation to support IPv6 on a corporate Web site will cost a company “anywhere from $15,000 to $200,000, depending on the performance that they need,” says Paul Nicholson, A10’s director of product marketing.
An alternative is for CIOs to outsource their Web content delivery to a service provider like Akamai or Limelight Networks, both of which are developing commercial-grade IPv6 based services in the cloud. DNS and hosting providers also may provide these translation services for IT departments on an outsourced basis.
Limelight has been working on IPv6 adoption since 2008 and has offered a commercial-grade IPv6 CDN service since 2009.
“We have a massive infrastructure: Tens of thousands of servers, just south of 10 terabits of egress capacity, hundreds of [Border Gateway Protocol] peers and tremendously complex routing policies to support that,” says Tom Coffeen, director of Global Network Architecture at Limelight. “The scale of the challenge for us is very, very large. The relatively long adoption process served us well when World IPv6 Day rolled along.”
Limelight’s CDN delivered hundreds of thousands of Web objects and honored hundreds of thousands of client requests over IPv6 on World IPv6 Day. Coffeen says the success of Limelight’s IPv6 offering on World IPv6 Day demonstrates that the CDN is ready for an influx of enterprise customers in 2012.
So what’s the risk for CIOs that decide to do nothing about IPv6 in 2012? Your online presence may not be reachable by a growing number of customers around the world, experts say.
“The risk is that you are lights out for your customers,” Hankins says. “The risk is that you are off the Internet to a small but growing population.”
And that’s a risk that few CIOs are likely to take given that it’s relatively inexpensive to fix the problem using an appliance-based approach or a CDN.
“My advice to CIOs is to begin to do the migration and to begin their lab trials,” says Qing Li, chief scientist at Blue Coat Systems. “This month, we have one of our largest financial customers coming to Blue Coat to get IPv6 training. We’re talking to them about how to do IPv6 security, how to set up your infrastructure so there is IPv4 and IPv6 co-existence, and how to get application performance over both network types.”