The sad state of IPv6 and why you need to learn it.

I have been learning and using IPv6 for quite a while, even before I worked in research and education, back in the ISP days.  I thought I should learn it because, frankly, I figured we’d all be converted to it by now, already whole hog using it like it was the layer 3 addressing mechanism that it is.  Flashback: My first IPv6 access was via a tunnel to HE a long, long time ago and before that I was reading what I could about it.  I’ve been evangelizing IPv6 for about that long, too.  I’ve taught IPv6 networking workshops on many occasions showing eager network engineers, security engineers, sysadmins, incident responders and even the occasional CIO how to understand, interpret and plumb v6.

Now, I love OpenFlow and SDN as much as the next network geek, and I think it’s about as disruptive and game changing as the next guy.  However, IPv6 is next.  There.  I said it.  We need it.  Hey, OpenFlow 1.3 supports it so there is your tie in.  We’re out of v4 for the most part and, let’s be honest, NAT is a freaking abomination. It’s not a solution to anything other than overcomplicating a transit path with translational mappings.

I recently received an email from a buddy from my first days in tech about a project that some colleagues of his had been working on and while at a base technical level it’s an interesting concept, this project infuriated me.  This is the problem with the industry, especially in North America.
The right thing, in my opinion, is to put effort like this aside and concentrate on IPv6 development and deployment. Projects like this, while well-intentioned and technically innovative, delay the inevitable and give lazy, “luddist” engineers and developers a way to keep IPv4 even longer.

I have mostly just kept this to myself publicly.  Sure, I blather on about it in the office and preach about IPv6 over beers with networking professionals, but mostly I just suffer and bite my tongue when I hear some enterprise architect talk about firewalls, NAT, IPv4 only security appliances and how “they don’t need IPv6” or how “the enterprise isn’t ready” [for IPv6].

Wake up call, you’re late. IPv6 is here.  It’s been here.  It’s all over in Asia and other parts of the world.  It’s supported by default by your consumer service provider.  Guess what?  It’s too bad that your lazy developers didn’t code your apps for it. It’s too bad that your specialized app only supports IPv4 and probably doesn’t even understand DNS.  You’ll eventually have to deal with IPv6.  In actuality, you’re likely already using it and have no idea it is happening.  If someone finally tore that legacy XP machine from your change-despising hands you’re probably tunneling your traffic.  Unless you explicitly disable IPv6 on a modern operating system, you’re using it.  It may be just locally on your segment, but it’s on.  Get on board.  Resistance is futile.  There are great resources for learning IPv6.  Your desktop and server OS have probably supported it for years.  Your routers likely support routing it.  The last parts are going to be the security devices, policy and the legacy apps.  If you’re a networking guy, go do the HE tunnelbroker certification process. They have a very good fundamentals tutorial and it covers everything you need to know to get started.  You can also get a cool shirt and some code to shove into your website.  Mine looks like this:

 

Take the plunge, get some IPv6 going in your enterprise, home network, lab, whatever.  Learn and educate.  It will only improve your value and you’re going to have to learn it later anyway.
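
One way to check the claim above that IPv6 is already on unless it was explicitly disabled, as an added example that is not part of the original post: it parses the Linux `/proc/net/if_inet6` table and labels each interface's addresses as link-local, global, or Teredo/6to4 tunnel. The sample host, its interface names and its addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def proc_line(addr, idx, plen, scope, ifname):
    """Render an address in /proc/net/if_inet6 layout (helper for the sample)."""
    hexaddr = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return f"{hexaddr} {idx:02x} {plen:02x} {scope:02x} 80 {ifname}"

# Constructed sample host; addresses use documentation ranges, names are made up.
SAMPLE = "\n".join([
    proc_line("::1", 1, 128, 0x10, "lo"),
    proc_line("fe80::211:22ff:fe33:4455", 2, 64, 0x20, "eth0"),
    proc_line("fe80::2aa:bbff:fecc:ddee", 3, 64, 0x20, "wlan0"),
    proc_line("2001:db8:1::10", 3, 64, 0x00, "wlan0"),
    proc_line("2001:0:c000:201:0:ffff:3fff:fdfe", 4, 32, 0x00, "teredo0"),
    proc_line("2002:c000:201::1", 5, 16, 0x00, "tun6to4"),
])

def classify(addr):
    """Label one IPv6Address by the kind of reachability it implies."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.teredo is not None:        # 2001:0::/32, IPv6 tunneled over UDP/IPv4
        return "teredo-tunnel"
    if addr.sixtofour is not None:     # 2002::/16, IPv6 tunneled in IPv4
        return "6to4-tunnel"
    if addr in ipaddress.ip_network("fc00::/7"):
        return "unique-local"
    return "global-unicast"

def audit(if_inet6_text):
    """Map interface name -> sorted list of address classes found on it."""
    per_if = defaultdict(set)
    for line in if_inet6_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or len(fields[0]) != 32:
            continue  # skip blank or malformed lines
        per_if[fields[5]].add(classify(ipaddress.IPv6Address(int(fields[0], 16))))
    return {name: sorted(kinds) for name, kinds in per_if.items()}

def findings(report):
    """Notes on interfaces running IPv6 that nobody may have planned for."""
    notes = []
    for name, kinds in sorted(report.items()):
        if kinds == ["link-local"]:
            notes.append(f"{name}: IPv6 active on the local segment only")
        notes += [f"{name}: {k} address present" for k in kinds if k.endswith("-tunnel")]
    return notes

if __name__ == "__main__":
    print("\n".join(findings(audit(SAMPLE))))
```

On a real Linux host, pass the contents of `/proc/net/if_inet6` to `audit()` instead of `SAMPLE`.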

3 Comments

  1. Engineer Z says:

    I agree fully. As you may recall Nick, for a long time I’ve said “NAT is a turd” and “Carrier-grade NAT is a polished turd.” At least at first glance “Enhanced IP” looks like more turd polishing to me. How do we break folks’ habit of working around the shortcomings of NAT and show the value of truly global address space? Why do folks keep hacking on the NAT kludge?

    One big problem is that too many folks now believe NAT is one of the required steps to secure their devices from the ‘net. It’s just one of those things you’re supposed to do. If I put everything in 10.0.0.0/8 and NAT to my public address space then the bad guys can’t get to my computers, right? We know the reality is that there are much better ways of controlling access without breaking the network stack in the process. (And they do a better job of providing true security.)

    The cynical engineer me is starting to believe the state of networking technology has surpassed the abilities of many of the so-called network administrators and engineers out there. You’re going to replace IPv4 with IPv6? (LOL- I envision a Folgers-type switch. We’ve secretly replaced the IPv4 protocol that John Smith’s network usually serves with IPv6… Let’s see if anyone can tell the difference…) You’re going to freak out a lot of folks all the way up and down the IT management chain because their brains can’t possibly grok yet another technology to stuff into the network infrastructure. I hope I’m wrong and that things aren’t so bad in the IT community.

    Lastly, I think part of the problem is a chicken-egg situation. While some of the big boys support IPv6 (my PFSense box stats say IPv6 has reached some significant penetration) the vast majority of sites out there still don’t support IPv6. Do a “dig www.amazon.com AAAA” (or, my favorite, “dig www.slashdot.com AAAA” :-) ) and tell me what you see. However there is hope when http://www.fark.com has an IPv6 address. I think we need to keep up the evangelizing because there are enough useful IPv6 destinations out there. Perhaps if we get deep enough penetration with IPv6 we’ll start seeing some IPv6-only destinations which can start snowballing IPv6 deployment.

  2. J Hull says:

    First off, I have to admit I know very little about IPv6. But I have a senior network admin in my team that seems pretty well versed.

    While he was explaining some of the differences between IPv6 & IPv4 the question came up: If we use IPv6 and all devices are addressed from a block that our ISP has assigned to us, what happens when we change ISPs? Can the address block follow the company instead of staying with the ISP?

    If not, then I think it would make sense that when you use IPv6 it would be assumed that all systems will use DHCP? It would seem to me that static addressing may cause an incredible amount of work if you need to switch providers.

    Sorry if the above questions highlight my limited understanding. We’re a fairly small company (<200 FTE) and our plate is always full of immediate "must have" projects for our business units. But I have told my IT team that upgrading our network to IPv6 is a priority in our 1-3yr planning process.

  3. Addressing in v6 is a bit different. Each interface can (and will) have many addresses, moving addressing is a bit more straightforward (yes, unless you get PI address space from ARIN you’ll need to renumber if you change ISPs). I usually recommend using the M bit and DHCPv6. In my opinion static addressing for anything that isn’t a server is a management challenge waiting to happen.

© 2723 The Forwarding Plane. All rights reserved.

Copyright 2016 Nick Buraglio, ForwardingPlane, LLC
