IPv6: Proper Planning Prevents Poor Performance
IPv6 is coming, and we've reported in this series some of the issues network operators have to deal with in the near future. Two issues that require more than just checking boxes on a to-do list concern compliance and security. However, making sure the IPv6 network is as compliant and secure as the existing IPv4 network can be accomplished with the proper planning.
February 14, 2012
In Part 1 of this three-part series on the IPv6 transition, Network Computing looked at how some enterprises need to pay more attention to IPv6 than others; Part 2 covered how to operate an IPv4 and an IPv6 network simultaneously in what experts call dual-stack mode. We wrap up the series today with a few tips on how to make sure the IPv6 network is as secure and well-managed as the one it is replacing.
The transition from IPv4 to IPv6 is required because the world is running out of IPv4 addresses due to the proliferation of Internet-connected devices. It started with computers and servers and expanded to virtual servers, home game consoles, appliances, myriad monitoring devices and, soon, automobiles. The mere 4 billion IP addresses under IPv4 will expand to "trillions and trillions" of potential addresses under the IPv6 standards, says Leslie Daigle, chief Internet technology officer for the Internet Society (ISOC), a global nonprofit organization promoting IPv6. Mark June 6 on the calendar for IPv6 Day 2012, a date on which several household-name Web properties are expected to be IPv6-ready.
How individual sites and networks become compliant depends on how much IPv6 impacts them and how much planning they do. Security compliance may actually be relatively easy because it is so deeply embedded in IPv6, says Jon Oltsik, an analyst with Enterprise Strategies Group.
The IPSec standard is baked into IPv6 rather than bolted on, as it is with IPv4, he says. That can be reassuring, but there are still a few things to do before rolling out an IPv6 network.
"You really can't make that transition until your firewalls support IPv6 and your [intrusion detection and prevention] supports IPv6 and you've migrated all your access control list rules from IPv4-compliant devices to IPv6-compliant devices, so that's the big issue," says Oltsik.
Migrating compliance to an IPv6 environment requires a clear understanding of what kinds of application and user traffic are traversing the network, cautions Jim Frey, managing research director at Enterprise Management Associates.
"The compliance and governance monitoring tools have to be able to accommodate IPv6, probably sooner than other management tools need to, because without it the compliance auditing and reporting would be incomplete," he explains.
The ISOC's Daigle says another security concern is for network operators to keep track of the many more IP addresses they'll have at their disposal in an IPv6 world.
"The IPv6 address space is so large and your allocation is likely to be larger than you need," she says, adding that network operators may have "dark spaces" of unallocated addresses between addresses they do use. Security technology may be needed to watch out for "squatters" using IP addresses that don't belong to them.
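One way to watch for traffic sourced from such dark space is sketched below. This is an added example, not part of the original article; the prefixes (taken from the 2001:db8::/32 documentation range), the flow-record format and the function names are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed allocation and the subnets actually assigned inside it.
ALLOCATION = ipaddress.ip_network("2001:db8::/32")
ASSIGNED = [ipaddress.ip_network(n) for n in (
    "2001:db8:10::/64",
    "2001:db8:10:1::/64",
    "2001:db8:20::/48",
)]

# Constructed flow records, one per line: "timestamp source destination".
SAMPLE_FLOWS = """\
2012-02-14T09:00:01Z 2001:db8:10::25 2001:db8:20:5::80
2012-02-14T09:00:02Z 2001:db8:beef::1 2001:db8:10::25
2012-02-14T09:00:03Z 2001:db8:10:2::7 2001:db8:10::25
2012-02-14T09:00:04Z 2001:db8:beef::1 2001:db8:20:5::80
2012-02-14T09:00:05Z 3fff:1::1 2001:db8:10::25
2012-02-14T09:00:06Z not-an-address 2001:db8:10::25
"""

def classify(addr):
    """Return 'external', 'assigned' or 'dark' for one parsed address."""
    if addr.version != 6 or addr not in ALLOCATION:
        return "external"
    if any(addr in net for net in ASSIGNED):
        return "assigned"
    return "dark"  # inside our allocation, but in no subnet we handed out

def find_squatters(flow_text):
    """Count flows whose source sits in unassigned space of the allocation."""
    hits = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # skip unparsable source addresses
        if classify(src) == "dark":
            hits[str(src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for addr, count in sorted(find_squatters(SAMPLE_FLOWS).items()):
        print(f"dark-space source {addr}: {count} flow(s)")
```

The check is only as good as the list of assigned subnets, so it should be generated from the address-management records rather than maintained by hand.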
As network administrators start planning for the IPv6 transition, they can turn to Deploy360, a Web portal ISOC has created, for helpful advice, including blogs, white papers, videos and other materials.