Misunderstandings About IPv6

by Jeff Loughridge

IPv6 has been defined for over a decade, yet the protocol lacks the years of operational experience of its predecessor. IPv4 is well understood in terms of behavior, troubleshooting, and best practices. That IPv6 will reach operational parity is a given once it becomes the dominant IP protocol. In the meantime, I expect that misunderstandings about IPv6 will continue to exist.

IPv6 will not engender an improved Internet experience. If the transition is highly successful, the average Internet user will not notice. He or she will continue to interact with the Internet in the same way. IPv6 equals more address space, which will allow network operators to uniquely identify more endpoints. You could argue that the benefit to the end user is indirect; the sheer number of IP-enabled devices–gaming consoles, TVs, tablets, smart phones–that will be online in the coming years could not happen without more addresses. From the perspective of network engineers, certain components of IPv6 such as Neighbor Discovery could be viewed as improvements upon the equivalent IPv4 functions. Overall, I do not believe that maintaining an IPv6 network will be easier. During the transition period, the duties of network engineers will be very challenging.

Let’s dispel the myth that IPv6 has better QoS mechanisms than IPv4. There is no truth in this. Around the turn of the century, some people seemed convinced that QoS manufactures bandwidth. Unfortunately, no such bandwidth fairy existed then, and IPv6 does not change the QoS landscape.

Misunderstandings about IPv6 and security are particularly dangerous. Although IPsec is mandated in IPv6 RFCs and better integrated in the header, IPsec can’t be used for all traffic flows. IPsec in IPv4 and IPv6 is roughly equivalent in terms of usage. IPv6 introduces a new attack vector for dual stack networks. Creating a like-for-like security policy for the two protocols is not sufficient. There are mechanisms in IPv6 that do not have exact parallels in IPv4 and vice versa.

The misunderstanding that inspired this post falls in the security area. I was using the nmap security tool to experiment with an IPv6 stack on a virtual Ubuntu server. The IPv6 functionality is very limited in nmap. I had to consult the web to figure out why certain features were failing. I came across the statement that nmap lacks the ability to scan IPv6 ranges (the developers report that this will be fixed by the end of summer 2011). What bothered me was a comment from an nmap user that scanning IPv6 ranges would be less than useful since IPv6 uses EUI-64 to create IPv6 addresses. This logic is debatable even if all IPv6 nodes used stateless autoconfiguration (SLAAC). ISP backbones are an example where SLAAC is not used (let’s hope not at least). Some providers derive IPv6 addresses by mapping the existing 32-bit IPv4 address into a /96. Others manually define IPv6 addresses using other techniques. The use of DHCPv6 on LANs is another reason why crackers will scan IPv6 address ranges.
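An added example, not from the original post: a short Python audit that takes an address inventory you own and flags interface identifiers following the predictable schemes mentioned above (EUI-64 SLAAC, an IPv4 address in the low 32 bits, manually numbered hosts). The sample addresses are constructed from the 2001:db8::/32 documentation prefix; the function names and the 16-bit "low-byte" threshold are assumptions of this example.

```python
import ipaddress
from collections import Counter

# Constructed sample inventory in the 2001:db8::/32 documentation prefix.
SAMPLE_INVENTORY = [
    "2001:db8:0:1:0211:22ff:fe33:4455",  # SLAAC, EUI-64 derived from a MAC
    "2001:db8:0:2::c000:0201",           # IPv4 192.0.2.1 in the low 32 bits
    "2001:db8:0:3::1",                   # manually numbered host
    "2001:db8:0:4:9c3e:51a7:0b6d:f812",  # no recognizable pattern
]

LOW_BYTE_LIMIT = 1 << 16  # assumption: IIDs below this count as "low-byte"


def classify_iid(addr):
    """Return (scheme, detail, varying_bits) for the low 64 bits of addr."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] == b"\xff\xfe":
        # EUI-64 inserts ff:fe mid-MAC and flips the universal/local bit.
        mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
        return ("eui64", mac.hex(":"), 48)
    if iid < LOW_BYTE_LIMIT:
        return ("low-byte", hex(iid), 16)
    if iid < (1 << 32):
        return ("embedded-ipv4", str(ipaddress.IPv4Address(iid)), 32)
    return ("opaque", None, 64)


def audit(inventory):
    """Count addresses per scheme and list those with a predictable IID."""
    counts, predictable = Counter(), []
    for addr in inventory:
        scheme, detail, bits = classify_iid(addr)
        counts[scheme] += 1
        if scheme != "opaque":
            predictable.append((addr, scheme, detail, bits))
    return counts, predictable


if __name__ == "__main__":
    counts, predictable = audit(SAMPLE_INVENTORY)
    for addr, scheme, detail, bits in predictable:
        print(f"{addr}: {scheme} ({detail}), ~{bits} varying IID bits")
    print(dict(counts))
```

A large share of non-opaque results means the size of the address space is not hiding those hosts, so the IPv6 filtering policy has to carry that weight.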

There are many other misunderstandings about IPv6 that are covered in articles such as Earl Carter’s IPv6 myths post. For more on this subject, read his article and others on the web.
