This documentation is preliminary and is likely to change before
becoming final. Do not implement to it yet. Check for the next update
by February 2012.
What is IPv6?
- It's a new network-level protocol originally based on IPv4; IPv4
addresses look like 192.168.4.
- IPv6 addresses look like 2607:f830:3400:0001::1.
- IPv6 addresses still use /## for the network, but ## can go up to 128.
- It only replaces IP: TCP and UDP are the old familiar faces.
However...
- IPv6 is not the same as IPv4: it's different!
- To start with, there's no broadcast...it's all multicast.
- Further, much of layer 2 (ARP, BOOTP, DHCP) is now layer 3.
- And, IPsec is required in all implementations.
- Finally, ICMP is now much more than "ping":
  - Some parts are required for IPv6 operation.
  - Some parts (like "ping") are still optional.
  - Some parts you should never allow.
Why Do It?
- The world is running out of IPv4 addresses.
- Our network is safe: MN.IT has enough IPv4 IP addresses to meet the
foreseeable demand, so you can keep getting IPv4 addresses as needed
for your clients and servers.
- That's assuming, of course, that there isn't a disruptive new
application that requires on the order of one IP address per person.
- At some point in the next year, there will be customers - such as
citizens - coming to you who only have IPv6 addresses. That's
the problem that we need to address.
What Exactly Needs Doing?
- Adopting IPv6 means adding it to existing services.
- IPv4 will be with us for a long time: both IPv4 and IPv6 will
coexist for years.
- The key need is for public-facing systems (e.g., web servers).
- Internal and back end servers can be done later (or maybe never).
Converting Applications
- Converting any one application is easy, much easier than the
conversion from, say, Novell IPX to TCP/IP.
- However, there are LOTS of applications.
- This is very much like the Y2K problem: you have to look through each
application to find where it makes assumptions and fix them.
- In specific cases, you may be able to do IPv6 to IPv4 address
conversion: this is not a solution that will work in all - or even
most - cases.
Typical Assumptions
|                         | IPv4      | IPv6        |
|-------------------------|-----------|-------------|
| length (bits)           | 32        | 128         |
| length (chars)          | 15        | 39          |
| contains                | 0-9, .    | 0-9, a-f, : |
| largest mask            | 32        | 128         |
| typical #IPs            | 1         | up to 6     |
| client IP change        | rare      | often       |
| client name in DNS      | sometimes | rare        |
| client IP in DNS        | often     | rare        |
| public server in DNS    | yes       | yes         |
| public server static IP | yes       | yes         |
Security Issue Highlights
- Hosts have lots of addresses and they can change: filter at the
network level, not the individual IP level.
- Static assignment for servers, dynamic for clients.
- You'll need to turn on (some) ICMP.
- You'll need to block (some) multicast.
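
The following is an added example, not part of the original page or any MN.IT code. It shows an application-side address check that drops the IPv4 assumptions from the "Typical Assumptions" table and filters by network prefix rather than by individual IP. The allowed prefixes are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed policy using documentation prefixes, not real networks.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("2001:db8:34:1::/64"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def parse_client_address(text):
    """Parse IPv4 or IPv6 text without assuming its length or character set."""
    # A zone index ("fe80::1%eth0") is local to the host, not part of the address.
    text = text.strip().split("%", 1)[0]
    addr = ipaddress.ip_address(text)  # raises ValueError on malformed input
    # Dual-stack sockets report IPv4 clients as ::ffff:a.b.c.d; treat those as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_allowed(text, networks=ALLOWED_NETWORKS):
    """Return True when the client falls inside an allowed network prefix."""
    try:
        addr = parse_client_address(text)
    except ValueError:
        return False  # fail closed on anything that does not parse
    return any(addr.version == net.version and addr in net for net in networks)


def storage_key(text):
    """Canonical spelling for logs and database keys: one string per address."""
    return parse_client_address(text).compressed


if __name__ == "__main__":
    # Two addresses of the same host in one /64, then a host in another network.
    for sample in ("2001:db8:34:1::1", "2001:db8:34:1:a1b2:c3d4:e5f6:789",
                   "2001:db8:34:2::1", "::ffff:192.0.2.10"):
        print(sample, is_allowed(sample), storage_key(sample))
```

Matching on the /64 keeps the rule valid when a client rotates among its several addresses, and canonicalizing before storage prevents two spellings of one address from being treated as different clients.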