Jul 27 2017

IPv4 to IPv6 Protocol Upgrade: How to Answer "Should I Enable IPv6?"

The time is ripe for your business to migrate to IPv6, but you need to keep your new connections safe.

A lot has changed in the world of the internet since 2012, when adoption of IPv6 protocol was still nascent. Since then, billions of devices have become connected. The constellation of machine-to-machine connections has morphed into the Internet of Things. Indeed, according to Gartner, there will be 8.4 billion connected devices in use worldwide this year, up 31 percent from 2016, and that figure will reach 20.4 billion by 2020.

Internet Protocol version six (IPv6) is the way that internet communication will be handled for the foreseeable future, since it supports vastly more IP addresses than IPv4. It’s also more secure than IPv4, so it not only supports greater growth for companies looking to connect more devices but ensures that growth will be secure.

Although IPv6 is more efficient, companies need to ensure their infrastructures are ready to support it. The transition period can expose security gaps, so companies should not enable IPv6 until they are fully prepared.

SIGN UP: Get more news from the BizTech newsletter in your inbox every two weeks!

"Should I Enable IPv6?": What is IPv6 and Why Should You Migrate to It?

As Sophos notes in a post on its website, the IPv6 protocol has been available for years. In 2016, IPv6 reached 10 percent deployment, a full 20 years after it was first implemented.

“IPv6 was developed by the Internet Engineering Task Force (IETF) to replace IPv4,” Sophos notes. “Launched in 1998, the main and most obvious feature of IPv6 is extending IP addresses from 32 bits to 128 bits, allowing for more growth in the future and relief for the shrinking number of available network addresses.”

Because it limited addresses to 32 bits, IPv4 only allowed for roughly 4.3 billion IP addresses. As Cisco Systems notes in a post, those addresses “were completely allocated to specific geographic regions on February 3, 2011.” By contrast, IPv6 “offers a significantly larger pool of addresses by using 128-bit addresses: 340 undecillion (3.4×1038),” Sophos adds.

Beyond the fact that IPv4 addresses have simply run out, there are numerous benefits businesses can gain by switching to IPv6, notes Mark Dargin, a network and security engineer currently with GE Healthcare’s customer technology and cloud services team, in a Network World post.

First off, the IPv6 protocol handles packets more efficiently than IPv4. “IPv4 has a checksum that is calculated at every router hop,” Dargin notes. “This calculation is not used in IPv6. The time that routers previously spent checking packet integrity can now be used to move the data forward. This can help improve application performance across a network.”

Additionally, as Network Computing notes, IPv6 “reduces the size of routing tables and makes routing more efficient and hierarchical.” IPv6 allows internet service providers to “aggregate the prefixes of their customers’ networks into a single prefix and announce this one prefix to the IPv6 Internet.” And, in IPv6 networks, “fragmentation is handled by the source device, rather than the router, using a protocol for discovery of the path’s maximum transmission unit.”

Instead of broadcast communication in IPv4, IPv6 uses multicast address routing, Dargin says, which “enables bandwidth-intensive traffic to simultaneously be sent to multiple destinations” so that “disinterested hosts do not have to process broadcast packets.” As a result, there is less traffic on a local network, which can alleviate network congestion, he says.

The IPv6 protocol also allows for innovative services. “By eliminating Network Address Translation (NAT), true end-to-end connectivity at the IP layer is restored, enabling new and valuable services,” Network Computing notes. This improved connectivity makes it easier to maintain peer-to-peer networks and strengthens services like Voice over IP and Quality of Service.

Perhaps above all, IPv6 is more secure than IPv4. Sophos notes that not only can IPv6 run end-to-end encryption, but the encryption and integrity-checking used in current virtual private networks is a standard component in IPv6 that’s “available for all connections and supported by all compatible devices and systems.” This should make man-in-the-middle attacks “significantly more difficult,” the security company notes.

Further, IPv6 makes the use of IP Security mandatory, the InfoSec Institute notes. “IPSec consists of a set of cryptographic protocols designed to provide security in data communications,” with protocols that enable authentication, data integrity and confidentiality.

As a result of all of these protocol improvements, more companies have adopted IPv6. Google reports that roughly 17 percent of internet traffic is running on IPv6, up from about 10 percent in January 2016.

How to Make Your IPv6 Transition Successful and Secure

What do you need to know before migrating to IPv6? Here are some key considerations:

  • Train IT staff before migration. An organization’s technical design and support staff need to be properly trained on the IPv6 protocol. “Without this training, an organization risks having a poorly designed IPv6 scheme, which can contribute to system downtime, more complicated network and decreased security,” Dargin says. “Complexity can significantly increase while running both IPv4 and IPv6.”    

    Sophos echoes that advice and notes that IT teams are guaranteed to run into problems if they try to deploy IPv6 the same way they did IPv4. “IT administrators must learn a whole new approach to networking, from simple network troubleshooting to configuring firewalls and monitoring security logs,” Sophos says. “There are many opportunities for confusion and mistakes.”

  • Update infrastructure. The switch involves many parts, including “upgrading, reconfiguring and testing various hardware devices and software,” Dargin notes. “Routers, switches, servers, application settings, laptops, smartphones, firewalls, etc. will need to be updated. Policy and procedure documentation will also have to be updated. For larger organizations, all this work could take years to complete.”    

    Sophos notes that it has already seen widespread malware with IPv6-based command-and-control capabilities. “So if your server enables IPv6 by default but your firewall doesn’t, which may be the case for many, we’ll all inevitably see more abuse for malicious ends,” the company adds.

  • Manage the transition successfully. Another risk organizations face, according to Dargin, is that some legacy hardware and applications do not support the IPv6 protocol. “During a migration, the devices on the network need to have an IPv6 address and an IPv4 address. If the device cannot use an IPv6 address, it will cause conflicts in not being able to properly communicate,” he says. “As the network evolves and migrates further towards IPv6, it will progressively lose more communication with the network until the device is replaced with one that supports IPv6.”    

    Further, Sophos says that companies should be cautious about network tunneling during the transition period. “Tunnels provide vital connectivity between IPv4 and IPv6 components or enable partial IPv6 in parts of your network still based on IPv4, but they can also introduce security risks,” the firm says. “Keep tunnels to a minimum and use only where absolutely necessary. Carefully check the setup of ‘automatic tunneling’ tools. Traffic tunneling will also make network security systems less likely to identify attacks.”

  • Secure your devices. That new connected Xbox gaming console or smart thermostat in your office running the IPv6 protocol may be a threat. Organizations will need to redesign their network structures to get the most out of IPv6. “Don’t run multiple migrations and be sure to consider the architecture of both the Internet facing and LAN resources — don’t casually get rid of your DMZ!” Sophos warns. The security company also says firmware and software for routers and switches needs to be patched and updated, and firewalls may need to be upgraded or reconfigured as well. Endpoint security should also be updated, Sophos adds.
  • Above all, don’t upgrade until you are ready. “Many platforms come with IPv6 enabled by default, but make sure it’s switched off until properly configured,” Sophos says. “Many current firewalls focus exclusively on IPv4 and will not filter IPv6 traffic at all — leaving systems completely exposed. Disable unnecessary services and check the ports and protocols used by the services you need. Running IPv6 by default could allow attackers to bypass security controls and wreak havoc.”

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.