carloscastilla - Fotolia
In the last year, ARIN, the Internet Protocol address registry for North America, finished allocating the last unallocated IPv4 network address, and IPv6 -- the solution to the problem of an exhausted IPv4 address space -- continued to expand rapidly. The importance of adding IPv6 connectivity to enterprise networks and to public-facing websites is growing as well.
John Curran, CEO and president of the American Registry for Internet Numbers (ARIN), based in Chantilly, Va., spoke with SearchSecurity about how IPv6 is faring now that the IPv4 address space has been exhausted -- and about the security implications of the decision turn on IPv6 connectivity in the enterprise.
This is the second part of a conversation with Curran. See part one here.
ARIN announced a year ago that the IPv4 address space had been exhausted. Today, where do we stand on IPv6 connectivity in the internet, and what does the progress look like in terms of IPv6 traffic on backbones, as well as how much traffic is IPv6-only?
John Curran: If you go to Google, and you google 'google IPv6,' you'll find Google's IPv6 statistics page. And this is interesting, because Google has a fairly wide reach -- they serve the same content up with both v4 and v6, so they have the ability to measure whether or not you're asking for it over v4 or v6. And they track this by country, and they track it over time.
Over time, the trend is quite compelling. We are now up to approximately 12% of the traffic on the internet globally; 12% of the requests to Google are requests going over IPv6, rather than over IPv4. And that's pretty significant, if you think about it. If you look at the curve, you'll see it's growing. Go back just a couple of years, it was 2%, then 5% and now 12%, and it's a rapidly escalating path.
But you can also click on the per-country data, and you'll see in the United States, 26% of the traffic is over IPv6 -- and that is growing even faster. The reason for this is because, if you're a large organization connecting new customers to the internet, you don't have a choice. I mean, you do. You can make it work with IPv4 -- it just gets more and more exciting every year, as you try to slice and dice IPv4 addresses thinner and thinner and cover more things with them.
Realistically, the major organizations, the major mobile providers who are growing fastest [and] the broadband companies have switched to using v6. In some cases, they're using v6 as their primary way of connecting new customers. So, if you look at a T-Mobile or an AT&T or a Verizon, that's where the growth is.
What people need to realize [is] this is pretty amazing growth, given that we ran out of addresses in this region in September 2015. So, we're not even a year in, and we've got this remarkable growth.
People go, 'Well, IPv6 has been around for 20 years and hasn't been deployed.' But we have remarkable deployment, given that the problem that we've been addressing only just occurred, and that's causing large networks to deploy it. And everything we've had up to that point has been preparation work.
If you look at the companies that build their business on the internet -- and that's kind of interesting, because more and more, every company is building their business on the internet -- but if I think about the ones that are predominantly internet-based, [such as] Facebook [and] Google, these companies are all IPv6. Facebook has turned its internal network into IPv6. So has Google. Not only their external connectivity, but internally, they've also switched over.
If you're thinking about being ready for the future, you probably want to look at companies that are network-based and planning for the future. They've already realized there's almost no choice here.
So, let me bring it back to an enterprise and what they need to think about. The internet is going IPv6. There's nothing an enterprise can do about it.
Now, if you have an enterprise website and it's IPv4, one way or another, customers will still be able to reach you. You don't have to worry about that. But two things to think about: If you enable IPv6 on your public-facing website -- and what I mean by that is, you begin testing it in a lab, you make sure it works, you make sure that the log files work and make sure that your access control works, and you do a responsible job of enabling IPv6 on your public website -- there will definitely be cases where customers are faster going to your website because they're going v6, end to end, rather than going through someone's IPv4 translator somewhere.
You can improve your performance, particularly important if you care about things like streaming, because streaming definitely goes much better without [network address translation (NAT)] in the middle of it. Also important if you care about your log files, like you actually want to know where the customer is, because you'll have the ability to get an IP address that's end to end, rather than getting all the customers from that city showing up as one carrier's data center on his IPv4 address. Because if you have v6, you have an end-to-end connection and an end-to-end address, you'll have better logging and statistics. If you're using v4, all you're getting is the fact that all of those carriers' customers' regions are coming from one data center, from one IPv4 address block. So, you don't actually know if some are north, or some are in the city and some are in the suburbs.
So, for an enterprise with a public-facing web server, it's fairly important to consider whether you want to turn on v6.
The other part of this is, even if you decide not to turn on IPv6, it's going to be because you don't have the resources or time to do it -- it shouldn't be because of security.
Why? Because even if you decide not to turn on IPv6, you still need to pay attention to IPv6 security.
It's not like you get to not worry about IPv6 if you don't turn it on.
You still have to double check that you're actually filtering IPv6, that you don't have any dynamic tunnels being set up in your organization -- because there are gateways that do that -- that you have detection of IPv6 turned on, and that you know enough about the protocol to handle, somehow, when a packet gets through.
So, it is possible you might decide you don't want to do IPv6 for your public website.
I get it, people have priorities, and IPv6 may not be yours. But even if you don't do the work of getting the benefits of v6, from a security perspective, you have to come up to speed on v6, you have to be aware of the tunneling protocols, you have to know when to look for them and you have to able to stop them at your border -- or you might be running v6 without even knowing it.
A lot of people have been hearing about IPv6 for 15 or 20 years, and you've said 'we were too early' with IPv6 because we had so much extra time to get used to NAT.
Curran: Perspective. I was part of the IPng Task Force, the group that did the IPv6 specification that worked from 1993 or 1994 through 1997 at the IETF [Internet Engineering Task Force]. The reason we did the work that early wasn't because I expected you to move your public website in 1999 to IPv6. It was because we knew we needed to be prepared.
The internet is the world's largest technical project, and it has no single point of control, which means when we do things like this, they require far more planning than anyone might imagine, because you don't have any way of mandating change. You have to actually create the circumstances in enough time that people can realize it, so they can plan ahead.
Right now, when I'm talking to you about putting IPv6 on your public website, as it turns out, I actually know the routers in your company support IPv6. I actually know, more than likely, all of your servers support IPv6. The reason we know this is because we did IPv6 back in the late 90s so that the operating system companies could put it in the standards -- in the Linux implementation, in the Windows implementation, in the OS implementations -- so that v6 could be turned on as a communication protocol.
In 2000, we worked with router manufacturers to make sure IPv6 was part of their standard stack so that we knew router manufacturers would have IPv6 capabilities. And, in fact, the U.S. government actually helped out there: They forced IPv6 support through their procurement standards so that router manufacturers put that in their standard stacks.
John Curranpresident and CEO, ARIN
The U.S. government is actually doing the same thing now with respect to public-facing websites. It's the leader: More than 1,000 U.S. federal websites were IPv6-enabled because the U.S. government requires it.
This has led to things like firewall vendors and load balancing vendors and security information vendors to realize, 'Oh, we have to deploy v6.' But that means these pieces of groundwork, of preparation steps, are all in place. When we started this project so early, it wasn't because we expected people to turn it on and use it in production in the common organization two years later. We knew we had to get the work done early, so all the groundwork is now in place, so an organization that wants to turn on IPv6 is less likely to find missing pieces.
Is it perfect? No. But a lot of the major vendors have all the support necessary because they've been doing it for more than a decade.
What else do you think is important for people to know about security and IPv6 connectivity in enterprises?
Curran: The fact is that IPv6 is a situation that is going to happen ... as I said, the major providers are already moving ahead, and it is simply a question of whether or not you want to actively engage or passively engage. Actively engage, run the protocol, get your staff up to speed, make sure your public-facing websites are v6-enabled.
You don't have to do that -- you really don't. It is something that you can set aside, and say, 'Not required, I'm on v4, the rest of the world needs to figure out how to get to me on v4 and I'm fine.'
That will work. That's a reasonable strategy. It means your staff doesn't have to worry about it. It means you don't need to worry about whether your equipment supports it. But it's a pretty brave strategy.
It's very risky taking the approach that says I don't need to worry about v6 at all. Because at the point in time when someone changes your mind, at the point in time when you have a business partner who requires v6, or the functionality you need isn't available on v4, or the performance isn't there because NAT is in the way and you can't stream the audio or video or do the video conference or whatever it is you need to do. Or the information isn't there because all the end customers are on v6, and all you're getting for statistics is v4 translation gateways not actual end-user customers.
When that finally occurs, and you get told, 'No, we have to support this,' well, now you've got to make sure your equipment supports it, and your staff supports it, and they've got to do all of that very quickly.
It's pretty brave.
It may not actually be a problem you have to worry about, because, at the same time, someone decides as a business imperative that you have to catch up with the rest of the internet, they may decide they want someone else to lead the effort.
And who would that be?
Curran: Your replacement.
Realistically, if an organization ignores these things to the point where someone mandates that they now need to catch up, it's quite likely something that you'd want someone who was more in tune with the internet to lead than someone who decided that they didn't want to keep current.
That's some pretty strong talk for people who are still wavering about IPv6.
Curran: There's nothing wrong with it. You can stay with IPv4. I just don't want people to think it's necessarily a safe option. That's a tactical choice on their part.
Find out why ignoring IPv6 connectivity should not be an option.
Learn more about how enterprises have begun deploying IPv6.