With the pool of available IPv4 addresses for the North American market completely depleted as of September 2015, the pressure is mounting for enterprises to explore IPv6 connectivity, at least for their internet-facing services.
John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), based in Chantilly, Va., has been working since 1993 to design and deploy the new version of Internet Protocol, IPv6.
Curran takes exception to Paul Vixie's position that "no benefit accrues to anyone who installs IPv6 today." According to Curran, while there are not necessarily any direct IPv6 security benefits, IPv6 connectivity solves the exact problem it was designed to fix: the depletion of the IPv4 address space.
You've said in the past that saying, 'IPv6 is more secure than IPv4,' is like saying, 'Cars are more secure than trucks -- or vice versa.' Just what will be the impact on security for enterprises turning on IPv6 connectivity?
John Curran: The first and most important thing to realize is, IPv6 does have the potential to be more secure than IPv4, but it's the potential. Protocols are tools, and it's really how you use the tool that determines the result.
In this case, IPv6 does have the advantage that, in the profile for IPv6, it's standard that effectively both an encryption and authentication header is available. And so people have the ability to pick up some of the IPsec capabilities by default, as long as they don't specifically override it, or as long as a vendor doesn't put a profile out that does it. You can end up with more secure communications, because the likelihood that the other end has the ability to do encryption is much higher than whether or not the other end might implement an IPsec protocol.
So, you've got that capability -- but I would never tell someone, 'Deploy IPv6 to make yourself more secure,' because that's not what IPv6 was created for. IPv6 was created to solve a very particular problem. The problem is specifically running out of IPv4 addresses and still trying to grow the global internet. So, IPv6 solves that problem, hopefully, without making the security issue any worse and potentially enabling it to be better if people take the time to deploy it correctly.
You've got encryption and authentication available through IPsec, but they are optional. It reminds me of the whole issue with SSL and TLS, where the protocol allowed backward compatibility and downgrading security protocols to go to a less secure protocol, like RC4. But wouldn't that also be an issue going forward with IPv6, where the security aspects of IPsec are optional?
Curran: Absolutely. And it has the same challenges and the same risks. It's very difficult to make a situation that inherently makes networks more secure, because while you can specify a protocol, it's ultimately up to someone to deploy the protocol. There have been cases where vendors have taken protocols into their own hands and changed their features. Even if the specification calls for required security, which most don't, that doesn't necessarily mean that's what actually gets implemented.
I don't think anyone should believe turning on IPv6 is going to make them more secure inherently. I think turning on IPv6 has the capability to keep them as secure and solve the major problem. I also think turning on IPv6 will actually, in many cases, improve their performance, but a lot of folks don't realize that yet.
What happens to the ability to track users and traffic for enterprises that decide not to offer direct IPv6 connectivity to their servers and websites?
Curran: There are presently networks where people have IPv4 connectivity to their public website, but they don't have IPv6. So, you have a website, it's got a domain name, you've got an IPv4 address and IPv4 connectivity -- but you don't have an IPv6 address or IPv6 connectivity.
To the internet, you're only reachable by IPv4, yet we have mobile networks out there that have moved to IPv6. They're done. To get to you, even if the local cell tower is IPv6, and my mobile phone is using IPv6 to the cell tower, and your website is in the same city and potentially in the same [central office] -- when I try to get to your IPv4 website, I'm going to have to go to another city, because your IPv4 network is invisible and needs to be translated to IPv6.
Because you haven't done the work, the carrier is going to do that, and my query to your domain name is going to be returned as an IPv6 address -- because even though you don't speak IPv6, the carrier's network is only IPv6.
I'm going to get sent to a data center, which maps my IPv6 HTTP query over to IPv4 and sends it back. This could be miles away; this could actually be in another part of the country. So, if you don't change and other people do change their networks to be IPv6, you have to recognize there's going to be a performance impact.
And this is happening now: Our friends at places like Facebook and LinkedIn have both reported that their services are faster over IPv6 than over IPv4, and one of the reasons is because the carrier networks have moved to v6 for the mobile providers.
It almost sounds as though we're going to have IPv4 forever, in some little corners of the internet, in the same way we're still running Windows 95.
I don't know?
Curran: Oh, wow. OK, OK. I guarantee you that all of those are running in some corner of the world right now. So, will we have IPv4 running in some corner of the world? Absolutely. Will it be relevant to most discussions? At some point, it simply won't be.
Curran: First thing: There's quite a bit of NAT that exists for transition purposes. So, obviously, if you're in a situation where your device only speaks IPv6, you are using NAT when you talk to IPv4, because there's address translation going on somewhere there.
And there is certainly IPv4 to IPv4 NAT going on in places, because if you've got a large network that is entirely private addresses and you're talking to the internet, you've got IPv4 to IPv4 NAT going on and that's common, as it is in many homes and broadband connections. People run NAT because they have one address, and they want to use 200 of them inside their location.
So, we know the characteristics of NAT. I do even think there's a NAT IPv6 spec, though I will admit I haven't spent a lot of time looking at that myself.
Here's the issue: NAT doesn't provide security.
It may provide administration convenience; it may or may not impact performance, depending on how it's implemented and how fast you're running; but as long as we recognize that NAT never provided security, then all the answers are the same: It doesn't provide security on IPv4, [and] it still doesn't provide security on IPv6. It may make people feel better, but the fact that it makes people feel better doesn't mean, per se, you get any security out of it.
Ultimately, you need a firewall. And you need a firewall to look at things like protocols and packets and decide what's safe to let in. If you have NAT, you still need a firewall. No one is going to say NAT protects you to the point where you don't need a firewall.
So, does it make you feel better to have NAT? It might make some people feel better. I'm told that horses run faster if they have blinders, so they can't see things on their sides. NAT is kind of the same way: It makes you feel better, but it doesn't necessarily change a thing.
What about people who still want to get IPv4 address space and the reports that they have been getting them outside of official channels?
Curran: I can say that there is actually a very active, very large IPv4 address market. We have hundreds of address blocks that change hands every month from parties that have them to parties that need them.
There is hijacking of addresses, and we had a discussion about that this week; Leslie Nobile [ARIN's senior director of global registry knowledge] presented a brief update on that at NANOG [North American Network Operators' Group]. That's not someone who is selling an address block or trying to use some other method for addressing; that's a case where someone takes an old address block whose contacts haven't been updated, purports it to be their own and gets someone to pay them for it. That's not exactly innovative -- there have been people selling bridges that they don't own, or land that they don't own. There are people selling IP address blocks that they don't own.
The most important thing people need to know about the address is that there is an address market.
If you do need additional IPv4 addresses, there's a list of a dozen or so organizations -- ARIN calls them facilitators -- who will help you find address space. And we make sure when you bring a transaction to us that the party who is offering you the address space is actually the one who has the rights to it. And then, we do the transfer.
It's been very successful, actually. We have a large and growing transfer market, because there are organizations that need more time. And if you need more time, and there's people out there who have address space that don't need it, a transfer market makes perfect sense.
Cisco recently issued an advisory about an IPv6 vulnerability involving a neighbor discovery-crafted packet being used to do a denial-of-service attack. You've spoken in the past about how IPv4 has been deployed globally for 20 years, so we have a lot of experience with it and many of the bugs have sifted out. Would this kind of thing cause large organizations to think twice before deploying IPv6 connectivity if they are concerned about implementation and deployment issues that haven't been discovered yet?
Curran: Think about the number of advisories that have been issued for protocol issues over the last two to three years. We have one now for IPv6 that's pretty significant. But we've had them for IPv4 that are pretty significant as well.
You go to CERT and take a look at the advisories -- you get a major advisory nearly every month. This one happens to be IPv6; the others have all been, a lot of times, IPv4-related or particular protocol-related. So, I don't think an advisory for IPv6 is significant, or outweighs the numbers you're getting already for every other protocol. It's just going to happen.
There is a shakedown period, but even the shakedown period doesn't help deploy protocols. In IPv4, we still find problems. We don't usually find it in the underlying IPv4 protocol, that is true -- it's been rare to find something -- but you find them in all the associated pieces. So, you find it in people's TCP or in people's ARP implementation, or you find it in people's routing protocol.
We're still finding bugs, and we're going to continue to do it. IPv4 doesn't seem to have a lot, which is good. But you're still going to have to pay attention to alerts for all the other protocols, so if you're running IPv6, it's just another one that you're watching.