Next-generation IP pioneers learn by doing

The next version of Internet Protocol (IP), years in development and touted at various times as the solution to seemingly every technical problem on the Internet, finally is seeing its first live implementations.

That long-awaited development is good news for anyone who cares about mobile data services, secure corporate computing or the future growth of the Internet, according to some Internet gurus.

These implementations are not trials, the users say, but they still are in the early stages, and participants are grappling with problems with the new technology, namely security issues. Lacking some of the security tools they are accustomed to using with IPv4, but not yet sure how to use the new capabilities IPv6 offers, they may face a rocky transition. Researchers, users, vendors and analysts agree the migration to IPv6 will be a long and difficult task, one that many North American enterprises may not attempt for another decade or more. However, the experiences of a few early adopters give some hint of the issues that transition may raise.

IPv6 transforms IP, the underlying set of rules for the Internet, by allowing for a virtually unlimited number of unique addresses. The current version, IPv4, uses a 32-bit address space that allows for only 4.3 billion addresses. In North America, where much of the early development and use of the Web took place, enough large blocks of addresses have been doled out that most network administrators aren't urgently worried about running out. Address conservation techniques used with IPv4 have helped. However, in other parts of the world, the address crunch looms larger and has helped inspire action.

"Japan, Korea, and China are just now at the stage where the U.S. was years ago (in the use of IP). They look at the remaining address space and say, this is going to be a problem," said Cisco Fellow Steve Deering, a longtime participant in the development of IPv6.

Europe also has taken the initiative, with the European Commission backing IPv6 adoption and some service providers getting into the game. There are high hopes in the region for mobile data services, which may require new IP addresses for millions of new handheld devices.

The new technology may also ease the introduction of new Internet services such as gaming and streaming multimedia, according to some industry participants. A unique Internet address for each client may allow those services to bypass intervening servers that in IPv4 are commonly used to translate addresses, so they can scale up more easily.

One barrier to adoption of IPv6 has been what those involved with the technology call a "chicken and egg" problem: Some service providers and hardware vendors have been reluctant to support IPv6 without hearing strong demand from customers, and corporations are not motivated to make the investment when they see slow progress by competitors and service providers. However, a few service providers and vendors have tried to break that cycle by taking the plunge into IPv6, mostly because they believe it's the way the world is inevitably heading.

A glimpse at a few of the live implementations taking shape today shows corporations are still timid about deploying the technology.

The Japanese government, as part of its e-Japan Initiative to bring the country to the forefront of IT by 2005, is sponsoring an IPv6 Promotion Council that has helped set up several trials of the new protocol on various carriers' networks. The trials are set to begin early this year. In the meantime, the government's leadership already has helped to encourage the creation of commercial services, analysts and industry participants say.

Information Service International - Dentsu Ltd. (ISID), a systems integration company based in Tokyo, last March began building a working IPv6 network inside the company that will connect more than 5,000 systems. The company is looking to more addresses and easier network administration and security, as well as access to applications available on future IPv6 networks, as key benefits of the technology.

Despite ISID's head start in deploying IPv6, adoption within the company has been slow so far, according to Seiji Kumagai, chief research scientist in the E-Technology department at ISID. The systems on the network have both an IPv4 and an IPv6 software stack, which allows for a gradual migration.

"Since July, we have adopted IPv6 as dual stack but, at the moment, there aren't many services available, so that not many people are using IPv6," Kumagai said.

One aspect of IPv6 that still needs work is security, he said. A connection that runs entirely over IPv6 misses out on some of the security capabilities in IPv4.

"We need a similar security wall policy like what we have now with IPv4," Kumagai said. The original, end-to-end security model envisioned for IPv6 security offers simplicity in the sense that each system on the network has its own security. However, securing each system individually could be a headache for large organizations, he said. Giving up that model and securing the network at a firewall may be more practical, but today IPv6-capable firewalls are just beginning to appear, he said.

Despite the lack of IPv6-based services today, companies that can't use IPv6 will be left behind when those services start to become available, probably from 2003 onward, he said. Large companies will have to use IPv6 in order to allocate enough addresses for their users. By 2005, services for mobile devices that take advantage of IPv6 will start to become available, he said.

NTT Communications Corp., a unit of Japan's dominant telecommunication carrier, is now offering commercial IPv6 services over its network to customers in Japan. Few customers so far have signed up for the services, partly because enterprises have to build IPv6 into their own private networks before they can take advantage of the IPv6 wide-area service, said Toshihito Shibata, chief leader of the IPv6 project team at NTT Communications.

Shibata likewise said IPv6 raises new security concerns. For example, because it removes the need for NAT (network address translation), it lets employees access any terminal in a company's network from any other terminal on the Internet, without going through a NAT server. This can offer convenience to users and help with network management, but it may make it easier for hackers to reach those terminals, he said. Because the packets being exchanged use real, permanent Internet addresses instead of internal addresses (which are private and may be temporary), a hacker who can determine the device's address may be able to attack it directly, he said.

NTT recommends customers take advantage of standard IPSec (IP Security) encryption to secure packets all the way from the source terminal to the destination. This has not been possible with IPv4 networks that use NAT, because NAT servers interpret encrypted packets as damaged.

One service provider in Europe that also is offering IPv6 services likewise named security as one of its concerns.

SURFnet BV, an Internet service provider for research centers and institutions of higher learning in the Netherlands, has loaded IPv6 software on Cisco Systems Inc. routers and offers services, including access to the company's FTP (File Transfer Protocol) archive, over the IPv6 backbone. The protocol already is complete enough to implement and offer support, according to SURFnet, but the bulk of SURFnet's traffic is still IPv4.

"The IPv6 routers lack some functionality," said a SURFnet network manager, who asked not to be named. For example, he said it is easy to secure traffic running through IPv4 routers by using access control lists (ACLs). This is not true of the IPv6 routers, he said.

ACLs can be used to control what kinds of packets can pass through a router, as well as who can access a router to make configuration changes. To control access to router management, SURFnet uses a standard authentication and encryption protocol.

For its part, Cisco says it has offered standard ACL software, including the ability to filter traffic by host address, on its IPv6 software since May 2001. The next version of its IPv6 stack will offer "extended" ACL software that includes filtering of TCP (Transport Control Protocol) and UDP (User Datagram Protocol), said Patrick Grossetete, IPv6 product manager in Cisco's IOS (Internetworking Operating System) group.

Support for IPv6 in firewalls will be another prerequisite for widespread acceptance of the new technology, he said. Firewalls are often used to perform the same access-control functions provided by ACLs.

Another stumbling block today is the fact that many applications, such as Web server software, lack support for IPv6, SURFnet's network manager added.

Most vendors of network equipment, firewalls and software operating systems are just beginning to address the requirements users are discovering. Vendors and deployers attribute the shortfalls to the fact that both products and implementations are just starting out, and express confidence they will be addressed later.

"When you're going to build a new protocol stack from scratch, and that is what the host and router vendors are doing, you have to prioritize. Items higher up on the list are basic functionality. ... Lower down on the list are additional features, such as ACLs," SURFnet's network manager said.

As with live implementations, Japan appears to be leading when it comes to core network equipment. Hitachi Ltd. and NEC Corp. already offer Internet core routers that can route IPv6 packets on specially programmed processors, without having to use the much slower software on a router's central processor. This means the routers can direct and forward IPv6 traffic roughly as fast as they can IPv4 traffic.

U.S.-based core router maker Juniper Networks Inc. also offers support for IPv6 in hardware. However, Cisco, the world's dominant vendor of core routers, has yet to take that step. It offers IPv6 capability in most of its routers, but only in software. The company expects to introduce hardware IPv6 support some time this year, Cisco's Grossetete said.

Cisco, also a major vendor of both software and hardware firewalls, supports IPv6 only on its software firewall in IOS. Some of the firewall's features, such as intrusion detection and VPN (virtual private network) termination, are not yet offered for IPv6. Meanwhile, its Pix Firewall hardware does not yet support IPv6.

A key problem in providing firewalls for the new protocol is how to reconcile the potential for individual client-based security and administrators' desire to centrally manage security as they do now with firewalls, Grossetete said.

"We have to evolve the firewall to make sure that a firewall and IPSec can create this (security) together," he said.

Check Point Software Technologies Ltd., a leading maker of firewall software, is adding basic support for IPv6 to a future release of its software that may ship as soon as the second quarter of this year, the company said in response to a query. However, Check Point said it is working with select customers on specific needs for IPv6 migration.

Bringing operating systems and applications up to speed with IPv6 also will be a long road, vendors and other industry observers say. Unlike some network migrations, this one requires changes far beyond the backbone. Except in enterprises that are using IPv6 only on the wide-area network, every server and client system that takes advantage of IPv6 needs its own IPv6 software stack, said Mary Petrosky, an independent networking analyst based in San Mateo, California.

Microsoft Corp., as the operating system provider for most of the world's PCs, could play a major role in determining how quickly IPv6 is adopted, researchers say. Microsoft acknowledges this role.

"We see this as a very important area," said Tom Laemmel, a Windows product manager. "The current Windows is well poised now for the growth of IPv6."

Windows XP now includes a dual IPv4 and IPv6 stack, which users can install through the Run window on their desktops. With this dual stack, IPv4 and IPv6 can work side-by-side. Although it is usable, it is intended for developers to use in building IPv6-ready applications and devices, Laemmel said. Microsoft's current server OS, Windows 2000 Server, includes a software development kit for building IPv6 applications and devices.

By the end of this year, Microsoft will introduce an IPv6 stack in an upgrade to Windows XP, as well as in its next server OS, Windows .Net Server, that users will be able to deploy in a live network, according to Microsoft.

At least one widely used version of Unix, Sun Microsystems Inc.'s Solaris, has included IPv6 capability since the first commercial release of its current version, Solaris 8, in 2000, according to Bill Moffitt, a Solaris product line manager. If a Solaris 8 server is plugged into an IPv6 network, it can automatically begin exchanging IPv6 packets, he said.

The new protocol is not included in the Linux kernel but is offered as part of at least one distribution of the open-source operating system, Red Hat Inc.'s Red Hat Linux 7.2. However, Red Hat currently does not provide support for the IPv6 component, according to Red Hat spokeswoman Melissa London.

Beyond server and client operating systems, IPv6 compatibility will also have to be built into applications themselves.

Some basic applications, including certain file transfer, e-mail, and Domain Name System applications, have been made to work with the new protocol, according to Jim Bound, a Compaq Fellow and chairman of the IPv6 Forum's Technical Directorate, which assists the Forum on technical matters.

What remain to be upgraded for IPv6 duty are more complex applications such as databases and CAD (computer-aided design) programs, Bound said.

Making a cleanly written, standards-based application work with IPv6 may not be difficult, said John Klensin, chairman of the Internet Engineering Task Force's Internet Architecture Board. However, many proprietary and complex applications have evolved unusual and even undocumented ways of using IPv4. Changing these over to IPv6 may be a steep challenge, he said.

The pioneers creating live deployments and commercially available products are doing the vital work that will make IPv6 work, Klensin said.

"It's fairly easy to do an implementation of IPv6 as long as you're doing a nice lab implementation," Klensin said. "The only way we do product-level implementation ... is by doing the product-level implementations."

Kuriko Miyake in Tokyo and Joris Evers in Amsterdam contributed to this story.

Some IPv6 advice for enterprises

Given the current state of support for IPv6 (Internet Protocol, version 6) in products and knowledge about implementing it, even longtime IPv6 gurus say the technology is still in early-adopter phase. In an enterprise, consider using it now if you have certain needs, and get ready for a lot of trailblazing, they say. Some industry analysts advise even more caution.

Here is some advice offered by various researchers and analysts:

-- Look at IPv6 if you want to connect clients directly across the Internet, for example, to securely download product designs to robots in remote factories.

-- Applications that require a lot of mobile clients, such as remote diagnostic tests on vehicles, also may benefit from IPv6.

-- If you're considering an enterprise deployment in North America, where IPv4 addresses are fairly plentiful, make sure your technical requirement for IPv6 is real.

-- Corporations and carriers building new networks in rapidly developing regions such as Asia and South America should go with IPv6 from Day One rather than try to stretch out their IPv4 addresses later.

-- Over the next few years, multinational corporations that have operations in Asia or South America may need to adopt IPv6 in those areas as others start to use it there, and tunnel the IPv6 traffic across an existing IPv4 network in other regions.

-- The more your network grows, the more work and expense will be needed to adopt IPv6.

Join the newsletter!

Or
Error: Please check your email address.

More about Check Point Software TechnologiesCiscoCompaqDentsuEuropean CommissionHitachi AustraliaInternet Architecture BoardInternet Engineering Task ForceJuniper NetworksMicrosoftNECNTT AustraliaPoint Software TechnologiesRed Hat

Show Comments