Friday, July 1, 2011

World IPv6 Day coming June 8 - what should you be doing?

On 8 June, 2011, a number of large networks will offer their content over IPv6 for a 24-hour “test flight”.

Over 289 sites have registered to be part of the IPv6 test, and will make content available via their IPv6 connected networks for 24 hours. Participants include search engine providers Google, Yahoo!, Microsoft Bing.com; content providers Akamai and Limelight Networks; and content sites Facebook, Microsoft Xbox.com, and engadget.com. A number of US government websites will be available via IPv6, and numerous Australian and New Zealand networks are also taking part.

Known colloquially as "Test Drive Day", the event is organised by the Internet Society with the support of several large content providers, some of whom are mentioned above. The test will primarily consist of websites publishing DNS AAAA records, allowing IPv6 capable hosts to connect using IPv6.

While some users will connect using native IPv6, many will use 6to4 or Teredo tunnels via an IPv6 broker. Local brokers include gogo6, AARNet, Internode and IPv6Now.

According to the Internet Society "The goal is to motivate organisations across the industry – Internet service providers, hardware makers, operating system vendors and web companies – to prepare their services for IPv6 to ensure a successful transition as IPv4 address space runs out."

The IPv4 address space of approximately 4.3 billion addresses is nearing complete exhaustion; in late April this year the remaining IPv4 addresses allocated to the Australian and New Zealand region were assigned. IPv6 uses 128-bit addresses, providing approximately 340 undecillion addresses, minus the addresses reserved for unique local (fc00::/7), documentation prefix (2001:db8::/32), 6to4 (2002::/16), Teredo (2001::/32), 6bone (5f00::/8), ORCHID (2001:10::/28) and multicast (ff00::/8).

Don’t worry though, that’s still an awful lot of IP addresses. One undecillion is 10^36, generally accepted as well beyond any imaginable quantity and more than will be needed. Essentially, each person on the planet gets more than a few million IP addresses for each cell in their body.
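
The reserved ranges listed above matter for monitoring, because 6to4 and Teredo clients carry their IPv4 address inside the IPv6 one. The following Python is an added example, not part of the original article: it classifies source addresses against the article's list and recovers the embedded IPv4 address. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Reserved ranges exactly as the article lists them.
RESERVED = {
    "unique local": "fc00::/7",
    "documentation": "2001:db8::/32",
    "6to4": "2002::/16",
    "Teredo": "2001::/32",
    "6bone": "5f00::/8",
    "ORCHID": "2001:10::/28",
    "multicast": "ff00::/8",
}
NETWORKS = {name: ipaddress.IPv6Network(p) for name, p in RESERVED.items()}

# Constructed sample of source addresses, as they might appear in a web log.
SAMPLE = [
    "2002:c000:204::1",                      # 6to4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo
    "2001:db8::10",
    "fd12:3456:789a::1",
    "ff02::1",
    "3fff::1",                               # outside every range listed above
]


def classify(address):
    """Return (range_name, embedded_ipv4) for one IPv6 address string.

    embedded_ipv4 is the tunnel client's IPv4 address for 6to4 and Teredo,
    otherwise None.
    """
    ip = ipaddress.IPv6Address(address)
    name = next((n for n, net in NETWORKS.items() if ip in net), "other")
    embedded = None
    if name == "6to4":
        # 2002:AABB:CCDD::/48 carries IPv4 address AA.BB.CC.DD in bits 16-47.
        embedded = str(ip.sixtofour)
    elif name == "Teredo":
        # The last 32 bits are the client's IPv4 address XORed with 0xFFFFFFFF;
        # ipaddress returns (server, client) with the XOR already undone.
        embedded = str(ip.teredo[1])
    return name, embedded


def summarise(addresses):
    """Map each source address to its classification, for log enrichment."""
    return {a: classify(a) for a in addresses}


if __name__ == "__main__":
    for addr, (name, v4) in summarise(SAMPLE).items():
        print(f"{addr:40} {name:14} {v4 or '-'}")
```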

Not everyone is 100% happy regardless of how many IP addresses they receive - a few passionate naysayers at the recent RIPE 62 meeting 2-6 May 2011 in Amsterdam were suspicious of the IPv6 trial. Some network operators have resisted IPv6, and until recently vendor support for IPv6 capable home user routers was extremely limited.

IPv6 appears a little scary at first look and is new territory for many network administrators. Vendor support can still be patchy, and the Internet is more than a few web sites: how well prepared popular Internet-connected, non-browser software is for IPv6 is largely unknown without thorough unit testing.

Many well-known vendors don’t support IPv6 outside core routing and switching, and only a few security proxies support IPv6. Monitoring and reporting may also cause issues, although companies such as Sourcefire are putting a great deal of effort into identifying and blocking IPv6-based attacks.

The perceived speed of websites in a dual stack world may also be an issue for many participating in World IPv6 Day. It is clear that setting up IPv6 tunnels over IPv4 will add latency to connections. However, it seems unlikely that service providers will see an impact on their network or their call centres unless their networks are blocking ICMP packets.

As Mark Newton from Internode pointed out at AusCERT2011, “In an IPv6 world ICMP is not an optional part of TCP/IP”.

ICMP is required for IPv6 to function. Eric Carter, Cisco Security Research Engineer, describes the differences between ICMP in an IPv4 world and in IPv6.

"In IPv4, ICMP provides error reporting, flow control and first-hop gateway redirection." "With IPv6, however, ICMP has gained a much more significant and essential role because of new functionality that is now performed through ICMP. Fragmentation, Neighbor Discovery, and StateLess Address AutoConfiguration (SLAAC) represent essential functionality which is now performed using ICMP messages. Furthermore, many ICMP messages are designed to be sent to multicast addresses instead of only unicast addresses. Therefore, ICMP in IPv6 gains a whole new importance."

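An IPv4 habit of dropping everything except ping therefore breaks IPv6 when the rules are carried across. The following Python is an added example, not part of the original article: it audits a ruleset in ip6tables-save style for the ICMPv6 types behind the functions named above. The sample ruleset and the function names are constructed, and only rules without address, interface or port conditions are modelled.

```python
ESSENTIAL = {  # needed inbound on a host; numbers from RFC 4443 and RFC 4861
    2: "Packet Too Big (fragmentation / path MTU)",
    134: "Router Advertisement (SLAAC)",
    135: "Neighbor Solicitation (Neighbor Discovery)",
    136: "Neighbor Advertisement (Neighbor Discovery)",
}
MODELLED = {"-p", "-m", "--icmpv6-type", "-j"}

# Constructed sample: IPv4-style rules (allow ping, drop other ICMP) on IPv6.
SAMPLE = """\
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
"""

def decide(tokens, icmp_type):
    """Verdict of one rule for an ICMPv6 type, or None if it does not decide."""
    opts = dict(zip(tokens[0::2], tokens[1::2]))  # each option takes one value
    if set(opts) - MODELLED or opts.get("-m", "icmp6") != "icmp6":
        return None  # conditional on interface, address, port: not modelled
    if opts.get("-p", "ipv6-icmp") != "ipv6-icmp":
        return None
    wanted = opts.get("--icmpv6-type")
    if wanted is not None and int(wanted.split("/")[0]) != icmp_type:
        return None
    return opts["-j"] if opts.get("-j") in {"ACCEPT", "DROP", "REJECT"} else None

def audit(ruleset, chain="INPUT"):
    """Return {icmp_type: verdict}: first deciding rule wins, else chain policy."""
    policy, rules = "ACCEPT", []
    for line in ruleset.splitlines():
        tok = line.split()
        if tok and tok[0] == ":" + chain:
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            rules.append(tok[2:])
    return {t: next(filter(None, (decide(r, t) for r in rules)), policy)
            for t in ESSENTIAL}

def blocked(ruleset):
    """Essential ICMPv6 types the ruleset does not accept."""
    return sorted(t for t, v in audit(ruleset).items() if v != "ACCEPT")

if __name__ == "__main__":
    for t in blocked(SAMPLE):
        print(f"type {t} blocked: {ESSENTIAL[t]}")
```

On the constructed sample this reports Packet Too Big and Router Advertisement as blocked, which is the combination that stalls large transfers and stops SLAAC while ping still works.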

IPv6 compatibility for some DNS servers is also raising some questions. As early as 2005 Microsoft advised via TechNet that misconfigured DNS servers operating in a dual stack environment may cause problems.

“Due to misconfigured DNS servers on the Internet, computers that use both IPv4 and IPv6 might not be able to resolve names and connect to Internet resources. This rare problem occurs when a misconfigured DNS server receives a request to resolve a name to one or more IPv6 addresses (a request for AAAA records). If the DNS server does not support IPv6, the name query fails. The querying node then sends a request to resolve the name to a set of IPv4 addresses (a request for A records). The misconfigured DNS server drops the subsequent DNS query for IPv4 addresses and the entire name resolution attempt fails”.

The technote continues “If you are experiencing this problem, ask your Internet service provider to reconfigure their DNS server to accept the subsequent DNS query for A records after failing the DNS query for AAAA records.”

Microsoft’s IPv6 Day blog attempted to downplay any possibility that World IPv6 Day would cause problems.

“Most people won't even notice World IPv6 Day. If you have no IPv6 connectivity, then you will continue to work as before. If you happen to have IPv6 connectivity, then your connectivity to participating websites will automatically shift over to IPv6.” Microsoft have supported IPv6 since Windows XP. Windows Vista and Windows 7 are automatically enabled to use IPv6 when it is provided by your ISP and your local network. Apple introduced IPv6 support in Mac OS X 10.2 Jaguar.

How to take part

If you’d like to bring your company’s website online using IPv6 during the World IPv6 Day you’ll need to make it IPv6 accessible using dual stack technology and provide a AAAA record for the site. IPv4 websites will of course continue to be accessible over IPv4 during the event.

Once your IPv6 availability is confirmed by your ISP and you have replicated your IPv4 firewall rules on your security infrastructure, you can be added to the list of participating sites by contacting the Internet Society. http://www.worldipv6day.org/how-to-join/ provides more information.

Want to test your IPv6 capability right now? Try http://test-ipv6.com/.


