Wednesday, 25 February 2015

The IT crowd: The next big challenge for IPv6

IPv6 (Internet Protocol version 6) is the current version of Internet Protocol - whoopty doo! What does that mean?

It means that the way computers talk to each other is changing slightly. From the point of view of people using computers it makes no difference. Most people have no interest in how computers communicate.

The problem is that sometimes some people need to do something about it, and those people do not always realise this.

Basically, what this is about, is upgrading the Internet to a new version, and that means all of the bits of the Internet changing as a result. People are used to upgrades on their computers and laptops and phones and even TV sets these days, it is pretty routine and seems simple enough - but sadly it is not quite that simple...

For the Internet to be properly upgraded, everything on the Internet has to use the new system. But while we are getting there, everything has to use both the new and the old system at the same time. Only once everything has caught up can we stop using the old system (called IPv4).

The issue is that, even now, the old system (IPv4) pretty much works well enough. But we can't wait for it to stop working properly before we act. Long before that point we have to have everything using the new version as well, and it takes a lot of time to change things. So lots of people, just like me, are pushing and nagging for this to happen before it is too late.

So where are we at now?
  • Pretty much all of the home computer systems that matter are already upgraded or can be with an automatic upgrade some time. There will be a few things that don't get upgraded but we can generally work around them. The main things are devices that you use to communicate with the Internet, so computer/PC, laptop, iPad, phone, that sort of thing. They all work with the new version, which is good news.
  • Some Internet providers (like A&A) have been making sure that your Internet connection is upgraded for many years already, but the big players like Sky, BT, Virgin, and so on will start upgrading people's Internet connections soon (probably this year). That will mean that most homes will be using the new version where they can, which is good news.
  • The big companies that use the Internet to provide services, like FaceBook, Google, Netflix, and so on, have already upgraded - this means that people at home, with an upgraded Internet provider, accessing these services, are using the new version of Internet.
This is all very good news, and it is finally happening. Finally the old version can be seen as the poor man's, old fashioned, Internet and pressure applied for the last remnants to finally start to die out, one hopes.

But there is one stumbling block - SMEs (Small/Medium businesses).

The larger businesses have generally had a plan for many years and been upgrading their systems, but smaller businesses have not. It is not surprising in many ways - shit still works - if it ain't broke, don't fix it - and this costs money to even think about or plan, let alone make happen.

The problem is that small businesses are not using Internet like home users. For a home user, typically, you have some magic box from your Internet provider, and you have stuff like an iPad or PC, and they just work somehow - you do not have to think about it. That is good news, and a real endorsement of the hard work put in by a lot of people to make this work so well.

With a smaller business you actually think about how Internet addresses work in your company. Which devices have what addresses, and how multiple sites link together. How computers log access. How visitors get restricted access. Things like firewalls and address allocation policies. All of this works because people in a small business - the IT crowd - understand how the old version of Internet works, and do not necessarily understand how the new system works.

Without some mandate from above they have no interest in making their life difficult by taking on such a complex project - not while things still work properly the old way.

So here lies the challenge - how do we get SMEs, and their IT departments, to embrace the new system - to realise the power of IPv6, or at the very least to realise that IPv4, and everything still working properly the old way, has a limited lifetime?


  1. This is totally where we are. We run our networks entirely in IPv4 currently and see no need for v6 - there is abundant v4 space for private networks so why change? V4 to v6 proxy at the firewall should handle things, if only I understood v6!
    May have to get manglement to pay for one of your courses methinks!

    1. This is what it keeps coming down to. Until there's a need to change then businesses won't. You can continue to run dual stack within the firewall and everything should carry on working as normal.

      That old print server in the corner that has been there so long the company logo has worn off, so you've got no chance of finding the instructions to reconfigure it, can happily stay on IPv4 and everything in the office can still communicate with it.

      Eventually (when enough of the world supports it) you can disable the DHCP server giving out a default gateway for IPv4 and then you'll be native on the web. Might need a few more webservers to support that first though!

      Just playing devil's advocate here really. Everyone should get on IPv6 as soon as possible!

  2. Are the big ISPs actually showing any signs of doing IPv6 yet then? BT's leased lines come with v6 as standard, which is great, but I've not heard of anything WRT their DSL side. Virgin have been saying "before the end of the year" for at least 5 years now and it hasn't happened yet. PlusNet put an end to their IPv6 trial and rolled out CGNAT instead. EntaNet and FalconNet do v6, but you have to ask for it (so the market penetration is going to be about zero). Of course AAISP do v6 as standard.

    My current puzzle is how to do captive portals on a dual-stacked, routed network. IPv6 privacy extensions will break the whole thing, but using DHCPv6 instead of SLAAC turns off privacy mode so that's a possible solution. But you still have the problem that some traffic comes from the v4 address and some from the v6 address and you want to be able to authenticate both in one go. The captive portal page could specifically pull objects from the web server's v6 and v4 addresses and therefore link the addresses together that way, but that won't work for WISPr clients which never actually render the portal page when they auto-login. And of course on a routed network, the border gateway doesn't get to see the MAC address of the client (which is on the other side of a router).

    1. Plusnet's IPv6 trial is still ongoing and I can't find any information that says they've rolled out CGNAT (unless you've got a link that says otherwise).

    2. BT leased lines offer IPv6 but they won't support applications for PI address space, and IP range migrations are painful, so anyone bigger than a home user should be requesting it. It's a step in the right direction, but it's not quite joined up.

    3. DHCPv6 doesn't work on Android and the devs have shown no interest in implementing it, as they seem to see the only thing it is required for as getting DNS details etc., which can now be done using SLAAC anyway; they don't see the "allocate a specific address" scenario for situations like captive portals etc.

      (I encountered this in a scenario where it's an enterprise WiFi system and we need to keep track of who is using what IP in case of abuse etc., so privacy addressing would introduce difficulties.)

    4. Indeed, FireBricks don't (yet) do DHCPv6 on a LAN, either as server or client, but we are considering it to try and help address some of these issues, along with a privacy mapping option so on-LAN fixed IPv6 is mapped to privacy IPv6 when sent externally. All good fun.

    5. Matthew: +Net announced they were starting CGNat trials about 2 years ago and there were a lot of press articles about it at the time, e.g.:
      They also announced that they were pulling the plug on their IPv6 trial at pretty much the same time, with no indication that they were going to do anything sensible to replace it. A lot of people concluded that this meant they had abandoned the idea of rolling out IPv6 and were going down the CGNAT route instead. I've not heard anything since then - maybe there was enough backlash for them to reconsider withdrawing IPv6 support?

      Alex: To be honest, DHCPv6 has always struck me as a stupid idea - SLAAC works well for address allocation, and IMHO mDNS is a good solution for discovering all upper-layer services (even discovering the DNS servers themselves). DHCPv6's one redeeming feature is that it turns off privacy extensions, but it would probably be far more sensible for the router advertisements to include a "no privacy mode" flag. Having "privacy mode" addresses (i.e. not based on the MAC) isn't the problem here, picking a new address every few minutes is the issue.

    6. I suspect something is necessary for a corporate environment where privacy addresses are causing concern (and nuisance with IGMP aware switching kit). I wonder if there is a draft RFC or something that could add a bit to SLAAC.
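The SLAAC-versus-DHCPv6 choice this thread argues about is signalled by the Router Advertisement itself: the M and O flags in the RA header and the A (autonomous) flag on each Prefix Information option. As an added example (not from the post or the commenters), this Python parser pulls those flags out of a constructed RA and also decodes the RDNSS option that lets a SLAAC-only host learn its resolvers; the packet bytes, prefix and resolver address are made up for illustration.

```python
import ipaddress
import struct

# Constructed sample (not a capture): ICMPv6 Router Advertisement (type 134) with
# M clear and O set, one Prefix Information option (type 3) for 2001:db8:1:1::/64
# with L=1, A=1, and one RDNSS option (type 25, RFC 8106) naming a resolver.
SAMPLE_RA = (
    struct.pack(">BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 0, 0)
    + struct.pack(">BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
    + ipaddress.IPv6Address("2001:db8:1:1::").packed
    + struct.pack(">BBHI", 25, 3, 0, 3600)
    + ipaddress.IPv6Address("2001:db8:1:1::53").packed
)

def parse_ra(pkt: bytes) -> dict:
    """Return the RA flags and options that steer host address configuration."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(pkt[5] & 0x80), "other": bool(pkt[5] & 0x40),
          "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1]
        if opt_len == 0:  # RFC 4861: an RA carrying a zero-length option is discarded
            raise ValueError("zero-length option")
        body = pkt[off:off + 8 * opt_len]
        if len(body) < 8 * opt_len:
            raise ValueError("truncated option")
        if opt_type == 3:  # Prefix Information: L=0x80 on-link, A=0x40 SLAAC allowed
            prefix = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append((f"{prefix}/{body[2]}", bool(body[3] & 0x40),
                                   bool(body[3] & 0x80)))
        elif opt_type == 25:  # RDNSS: lifetime then one or more resolver addresses
            ra["rdnss"] += [str(ipaddress.IPv6Address(body[i:i + 16]))
                            for i in range(8, 8 * opt_len, 16)]
        off += 8 * opt_len
    return ra

def address_plan(ra: dict) -> str:
    """Summarise how a conforming host would configure itself from this RA."""
    parts = []
    if any(auto for _, auto, _ in ra["prefixes"]):
        parts.append("SLAAC")  # host chooses its own IID, so privacy addresses may appear
    if ra["managed"]:
        parts.append("stateful DHCPv6")  # server-assigned addresses, the fixed-address case
    elif ra["other"]:
        parts.append("stateless DHCPv6 for other configuration")
    if ra["rdnss"]:
        parts.append("DNS via RDNSS")
    return ", ".join(parts) or "link-local only"
```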

  3. Currently a typical SME setup for IPv4 is NATted. The organisation has their own addresses on their network, and a router converting to addresses usable on the internet. By choosing which external address to use, they can easily support multiple ISPs (for fallback, or load-balancing, or to take advantage of different characteristics for different traffic types - fast but expensive ISP for high priority data and VoIP, cheap ISP for bulk); this can be done automatically as the changes are in a small number of places (typically just the router, maybe DNS or some other service registration protocol if hosting locally). For all its faults, NAT does make these things easy.

    IPv6 gives different options but they aren't quite equivalent.

    It is designed with the intention that a computer can have addresses from multiple networks; internal-only addresses could be used for access to internal resources while internet addresses are used for external access. This does cover the simple case of moving to a different ISP without changes to internal addresses, but it's more complicated than the v4+NAT case. Now you need to learn what the new addresses look like, what ULA means, what addresses you can use in that box (if your router even has one). Quite a stretch given the level of experience many of the people configuring these routers have (no slur intended; this isn't something they are dealing with from day to day. v4 is easier to use.).

    But then, ULA still misses things from v4+NAT. OK you can advertise addresses from multiple ISPs for some degree of load-balancing, but it's all done client-side and very uncontrolled (read the v6 source address selection rules and weep). And these are just "protocol allows it" things; it has taken a long time for SME router vendors to work out the basics with v6 (it's still not the case that you can pick up a router off the shelf with "IPv6 support" and be sure that it will work with your chosen ISP), it's going to take some real effort to actually support things like load-balancing in a nice way.

    So what are the alternatives?

    Companies can apply for PI address space, but it's not a widely known option. Find a supportive LIR and fill out the forms with the right words and you might be able to get it (of course it costs money on an ongoing basis). Then you need an ISP who will actually route it; I can think of 3 or 4 who would most likely do that, though it's not something they would advertise widely. And this totally ignores the effects on routing table size if it were to become commonplace (in the DFZ, affecting everyone, and in the IGPs of providers with large numbers of people doing that).

    My prediction: we start to see more v6 usage in SMEs when SME-focused router vendors start to include NAT. LAN on ULA space, translated at the border, as with v4. IMHO it's something of a pity it wasn't designed into the protocol from the start as it could have mandated a useful design (prefix translation only, with a designed-in way to learn the external prefix so that external connections can be accepted, without need for power-hungry keepalives etc).

    1. We have a number of (IPv4) customers that have multiple independent ISPs and use their routers to dynamically route and SNAT traffic via the different connections. You're right that this seems to be missing from IPv6 and I'm not sure what the solution is - the router is uniquely in a position to know which connections are up, how much load they are under, etc. and I don't see how you can get the same functionality on a v6 network. In the ideal world, the ISPs would cooperate with each other, but back in the real world that just doesn't happen.

  4. You claim all home equipment can do IPv6 already, but your list of phones, tablets and computers completely ignores embedded devices. I have a network connected Blu-ray player and two Freeview PVRs. None of them do IPv6, none have had software updates in over a year, and even if they did I happen to know that the Linux versions they are running are old enough that getting IPv6 working properly would be non-trivial for the vendors (they have early support). I also have a SqueezeBox Receiver (look it up if you want) which is no longer supported by the manufacturer, but there isn't anything else I can buy that does the same job so I continue to use it. IPv6 simply is never going to happen for these devices, and they have the best part of 10 years life left in them I reckon.

    A friend has a one year old network connected AV amp. Similarly it does not do IPv6, and the manufacturer has said there isn't enough memory in the device to implement it.

    So what is your answer for all these long lived embedded internet devices? They typically have a life many times longer than a phone or tablet so we can't wait for them to die. Smart TVs are in the same category, except mine is a new one that does IPv6 (though only as a buried hard to find Advanced option).

  5. Probably more an ME issue than SME I suspect: for my own SME at least, getting IPv6 (later this month, hopefully, as a side-effect of changing ISP) will mainly involve a new router. Right now, there's one static IPv4 address and NAT, much like a typical home customer except the "static" bit; next month, that plus an IPv6 subnet.

    With a larger and more complex network, though, it'll be a struggle: I don't see any sign of university movement on this around here, for example. (They're mostly a single /16, subdivided into dozens of /24 or similar.) Of course, having a whole /16 tends to mean they don't feel any addressing pressure like smaller businesses do...