Blue Coat Chief Scientist Qing Li shares his insights on IPv6 adoption methodology and the potential hidden costs of the new protocol standard.
World IPv6 Day went off smoothly Wednesday, June 8, as participating corporations and government agencies reported relatively few problems during the 24-hour test of the new Internet protocol that will slowly become standard over the next several years.
But the consensus among networking experts is that much work remains to fully develop the digital infrastructure for the next-gen Internet. Sooner or later, consumers and businesses will have to support IPv6 and IPv4 together — and someday run on IPv6 exclusively when IPv4 fades away.
How do you begin moving your organization to IPv6? Qing Li, network infrastructure provider Blue Coat’s chief scientist and senior technologist, shared his insight and advice in an e-mail exchange this week with Government Technology.
Qing Li oversees Blue Coat's IPv6 implementations and is a published author on the subject: a two-volume reference series, IPv6 Core Protocols Implementation and IPv6 Advanced Protocols Implementation, along with the standalone titles IPv6 Socket API Extensions: Programmer's Guide and Mobile IPv6: Protocols and Implementation.
What do you expect will be the major findings or takeaway lessons from World IPv6 Day?
Among other challenges, network attacks against IPv6 portals are one of the most important concerns from Blue Coat’s perspective, as the first IPv6 Secure Web Gateway vendor.
We will also be looking for Web content or pages that were improperly constructed and could make content that exists in mixed-mode environments difficult to deliver transparently to the end-consumer, resulting in what could be perceived as broken Web links. We could also see issues with packet fragmentation and routing efficiency in the network delivery paths that include both tunneled as well as native IPv6 links. Another potential issue is that traffic that should have been filtered could be linked due to insufficient IPv6 support in intermediate firewalls.
One of the most important takeaway lessons from the World IPv6 Day exercise will be that IPv6 is real and has already been adopted and put into practice by many organizations. Companies should make transition plans early to overcome the learning curve and deploy IPv6 now to gain operational proficiency and secure the new infrastructure effectively.
How far along — or how far behind — are U.S. government agencies at the federal, state and local level on IPv6 preparation?
We have been working with various U.S. government agencies at the federal, state and local level — either directly or through their respective contractors. We are seeing that although quite a few agencies, such as U.S. Navy DREN [Defense Research and Engineering Network] and the Army, have been investing in IPv6 research and deployment, the majority of the agencies are only recently beginning to discuss IPv6. For quite a few, the road is still a couple of years away.
For organizations that are planning how they will support IPv6, what are key first steps to getting started?
As a first step, an organization needs to identify the applications and services that are critical to its operations and assess the roadmaps and timelines of those application vendors for offering IPv6-ready solutions. For longer timeline dependencies, an organization must evaluate alternative transition solutions to determine if the interim solution is sufficient and intelligent enough to bridge the gap between the users that reside in one environment (e.g., IPv6) with applications that are offered over another environment (e.g., IPv4).
One of the biggest hurdles for companies that are looking to adopt IPv6 is the lack of operational expertise and the potential that creates for unintentional security risks. Organizations need to think through the types of services and applications they want to offer over IPv6 and then develop the policies to accommodate the new ways in which those services operate.
All organizations, regardless of whether they are actively adopting IPv6, also need to be aware of the greater security risk that can come along with IPv6. IPv6 provides an order of magnitude increase in the number of new IP addresses, effectively increasing the malware attack surface. There are now billions of new addresses that can be used to host components of a malware attack or the attack itself. The bad guys can move their malware payload more often, making it difficult for Web security defenses to keep up. This problem is compounded by the fact that most Web security defenses, whether they operate in real time or as a static database, can’t rate IPv6 content, so they leave users exposed. Organizations should make sure that their current Web security solutions can rate and analyze IPv6 content, otherwise they are leaving a back door open to their users.
From a budgeting standpoint, what do organizations need to think about as it pertains to IPv6?
IPv4 and IPv6 are going to co-exist for many years, so any plan will need to support both technologies and make sure that IPv4 users can access IPv6 content and that IPv6 users can access IPv4 content. The most elegant, cost-effective way for organizations to support both environments during the transition is through an intelligent application layer gateway (like the Blue Coat IPv6 Secure Web Gateway solution) that can act as a proxy between IPv4 and IPv6 users and content. With this type of solution, requests made by IPv6 users for IPv4 services or vice versa can be understood natively in their respective protocols while the services are being delivered transparently back to the user.
Another consideration for organizations is the hidden cost of reusing IPv4 addresses. As a way to defer the transition, some organizations acquire used IPv4 addresses. If those addresses have been used in the past as part of a malware network, they likely retain their unfavorable ratings. An organization looking to then use those addresses legitimately could find that their site is blocked. This is largely because many Web security solutions utilize static databases and don’t refresh ratings to reflect the current status of IP addresses. Not knowing the history of the IP address can end up creating a lot more problems than it solves.
Organizations also need to think through all of their adjacent technologies. For instance, traditional WAN optimization solutions that accelerate data over IPv4 environments can’t accelerate IPv6 content. Users have the same demand for and expectation of quick and easy application access regardless of whether they are accessing the applications over IPv4 or IPv6 infrastructures. For IPv6 adoption to be successful, businesses need to make sure those same technologies are in place and offer the same effectiveness for IPv4 and IPv6 environments alike.