IPv6: Workarounds to IPv4 Stand in the Way

by Jacqueline Emigh

In one of networking's little ironies, some of the technologies in place to extend the life of IPv4 are making life harder on net admins trying to implement IPv6. Jacqueline Emigh explains.

Ironically, the networking industry's ability to produce NAT, CIDR, and other workarounds to IPv4's shortcomings has become one of the major roadblocks to IPv6. Another big barrier, at this point, is the lack of IPv6-capable applications. When IPv6 sees eventual deployment, though, network managers are among those who will feel its benefits most keenly.

"IPv6 is a subject that only a network manager could love," quips Robert Batchelder, a Gartner Group analyst. In a Gartner Group report, Batchelder writes: "The primary benefits of IPv6 accrue at the network management level in areas such as interdomain routing, network configuration, end-to-end security, and address space management."

Other analysts agree. "After two decades, the Internet protocol (IP) is finally beginning to show its age. Workarounds to accommodate its limitations are themselves creating inefficiencies, bottlenecks, and security risks, making the Net increasingly complicated," maintains Kevin Werbach, an analyst at Edventure Holdings Inc.

"Partly because IPv6 is a short-term solution for an industry with notoriously short planning horizons, and partly because the limitations of IPv4 are felt most acutely outside the US, this issue has not received the attention it deserves," according to an Edventure report.

Some administrators, though, are paying attention to IPv6 already. "We are currently using IPv4, (but) it has remained basically the same since the 70s. Since the design of IPv4, computers (have gotten) a lot more powerful and network bandwidth has increased a lot. The number of hosts on the Internet has also increased, to more than 4 million. This is one of the big problems. IPv4 uses a 32-bit address space, and to make a long story short, this does not provide sufficient space for the growing number of hosts on the Internet," writes one participant in an Internet newsgroup.

The Internet address pinch is much more critical in other parts of the world, especially the Asia Pacific. By now, though, most US-based enterprises also lack Class A blocks, which would give them long runs of contiguous public IP addresses. As Batchelder sees it, the use of NAT to overcome this limitation is giving companies a "false sense of security."

Microsoft officials concur. "While NATs promote reuse of the private address space, they do not support standards-based network layer security or the correct mapping of all higher layer protocols, and can create problems when connecting two organizations that use the same address space," according to a white paper from Microsoft.

NAT, of course, is used to map multiple private addresses onto a single public IP address (or a small pool of them); the port-translating variant found in most enterprise gear tells the individual connections apart by rewriting their transport-layer port numbers as well.

NAT rewrites the end-node addresses in the IP header while packets are in flight (a port-translating NAT also rewrites the transport ports), and it keeps a state table of those rewrites so that replies can be routed back transparently to the originating host. Where an application carries addresses or ports inside its payload, an application-level gateway (ALG) that understands that specific protocol is paired with the NAT to rewrite the payload as well.

"Analogous to private branch exchanges in the telephone world, enterprises use NAT to overcome a limited allocation of IP addresses and to simplify the process of reconfiguring data networks," Batchelder says.

NAT, though, also presents some serious issues. One of these is that its address translation architecture makes it difficult to implement end-to-end packet-level security in transactions. "At best, SSL and HTTP/S provide partial solutions to the problem," according to Batchelder.

Other observers point out that it is practically impossible to deploy end-to-end IPsec with NAT en route: AH's integrity check covers the IP addresses themselves, so any rewrite fails verification, and ESP encrypts the transport header, hiding the port numbers and checksum a port-translating NAT would need to adjust. Kerberos 4 and Kerberos 5 can be problematic, too. Because Kerberos tickets carry the client's IP address inside an encrypted field, an ALG cannot rewrite it. Workarounds are available, but these solutions can compromise Kerberos security.

IP fragmentation with NAT en route can easily corrupt a session, because only the first fragment carries the transport header with the port numbers a port-translating NAT keys its state on; later fragments cannot be matched to a session unless the NAT reassembles the whole datagram. In addition, certain types of applications are prone to breakage by NAT, including peer-to-peer applications (no mapping exists for an inbound connection until the inside host sends first), bundled-session applications such as FTP that open a second connection negotiated inside the first, applications that need large numbers of public addresses, and applications that require address mappings to be retained across consecutive sessions.
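The following is an added example, not code from the article or from any product it mentions: a toy port-translating NAT (NAPT) that makes the state table concrete and then reproduces three of the failure modes described above, the AH packet whose signed addresses change in flight, the non-initial fragment with no port to translate, and the unsolicited inbound connection for which no mapping exists. All addresses, ports and the AH key are constructed for the demonstration, and the AH integrity check is simplified to an HMAC over the fields that matter here.

```python
# Added example (not from the article): a toy port-translating NAT (NAPT)
# showing the state it keeps and three ways it breaks traffic.  Addresses,
# ports and the AH key are constructed for the demo.
import hashlib
import hmac
from dataclasses import dataclass, replace as dc_replace
from typing import Optional

AH_KEY = b"demo-pre-shared-key"  # assumption: key both IPsec endpoints share


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "ah"
    sport: Optional[int] = None  # None on non-initial fragments (no L4 header)
    dport: Optional[int] = None
    frag_offset: int = 0         # 0 means first (or only) fragment
    icv: bytes = b""             # AH integrity check value, if any


def ah_icv(pkt: Packet) -> bytes:
    """Simplified AH ICV: covers the immutable IP header fields (both
    addresses) and the transport header, so any rewrite invalidates it."""
    covered = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.sport}|{pkt.dport}"
    return hmac.new(AH_KEY, covered.encode(), hashlib.sha256).digest()


def ah_sign(pkt: Packet) -> Packet:
    return dc_replace(pkt, icv=ah_icv(pkt))


def ah_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, ah_icv(pkt))


class Napt:
    """Many private hosts share one public address; connections are told
    apart by the translated source port, which the NAT must remember."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}  # (priv_ip, priv_port, proto) -> public port
        self.inbound_map = {}   # (public port, proto) -> (priv_ip, priv_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.frag_offset != 0 or pkt.sport is None:
            return None  # non-initial fragment: no transport header, no port
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.outbound_map:
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt.proto)] = (pkt.src, pkt.sport)
        return dc_replace(pkt, src=self.public_ip, sport=self.outbound_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.inbound_map.get((pkt.dport, pkt.proto))
        if entry is None:
            return None  # no state: unsolicited inbound traffic is dropped
        priv_ip, priv_port = entry
        return dc_replace(pkt, dst=priv_ip, dport=priv_port)


def tcp_roundtrip():
    """Ordinary client/server TCP: the NAT rewrites out, then back."""
    nat = Napt("203.0.113.5")
    out = nat.outbound(Packet("10.0.0.7", "198.51.100.20", "tcp", 51515, 80))
    reply = Packet("198.51.100.20", out.src, "tcp", 80, out.sport)
    return out, nat.inbound(reply)


def ah_survives_nat() -> bool:
    """IPsec AH: the signed source address changes in flight, so the
    receiver's integrity check fails."""
    nat = Napt("203.0.113.5")
    pkt = ah_sign(Packet("10.0.0.7", "198.51.100.20", "ah", 500, 500))
    assert ah_verify(pkt)  # valid before translation
    return ah_verify(nat.outbound(pkt))


def fragments_survive_nat() -> list:
    """Only the first fragment carries the UDP header; the rest are lost."""
    nat = Napt("203.0.113.5")
    first = Packet("10.0.0.7", "198.51.100.20", "udp", 5000, 5000)
    rest = Packet("10.0.0.7", "198.51.100.20", "udp", frag_offset=1480)
    return [nat.outbound(first) is not None, nat.outbound(rest) is not None]


def peer_can_reach_listener() -> bool:
    """A peer-to-peer node listening behind the NAT: no mapping exists
    until the inside host sends first, so the peer's SYN is discarded."""
    nat = Napt("203.0.113.5")
    syn = Packet("198.51.100.77", "203.0.113.5", "tcp", 6881, 6881)
    return nat.inbound(syn) is not None


if __name__ == "__main__":
    print("tcp roundtrip:", tcp_roundtrip())
    print("AH verifies after NAT:", ah_survives_nat())
    print("fragments forwarded [first, rest]:", fragments_survive_nat())
    print("inbound peer reaches listener:", peer_can_reach_listener())
```

The NAT itself is not malicious here; each failure is a direct consequence of the design in the paragraph above: state keyed on ports that later fragments do not carry, an inbound table that is only ever populated by outbound traffic, and a rewrite of exactly the header fields that AH was built to protect.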

Beyond the danger of running out of IP addresses, which has only been partially solved through NAT, the Internet has also faced the risk of running out of capacity in the global routing tables.

"CIDR comes a long way toward overcoming routing problems," Batchelder notes. At this point, though, the Internet is still a mix of old-style Class A, B and C addresses, and newer CIDR-style addresses. Furthermore, CIDR presents issues of its own.

Unlike the old-style addresses, which were limited to network identifiers of 8, 16 or 24 bits, CIDR allows a prefix of any length (in practice, allocations at the time ranged from 13 to 27 bits), so a block can more closely match a company's needs. CIDR also permits "route aggregation," in which a single high-level route entry can represent many different lower-level routes, provided those routes are contiguous and aligned on the larger block's boundary.
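As an added example (not from the article), the following uses Python's standard ipaddress module to contrast the classful rules with CIDR: sizing a block to a host count, collapsing contiguous /24s into one aggregate route (and showing that misaligned neighbours do not collapse), and the longest-prefix-match lookup a router performs against an aggregated table. The prefixes and next-hop names are constructed for the demonstration.

```python
# Added example (not from the article): classful vs. CIDR prefix handling
# with the standard ipaddress module.  Prefixes and next hops are made up.
import ipaddress


def classful_prefix_length(addr: str) -> int:
    """Pre-CIDR rule: the leading bits of the address fix the network size,
    so a site needing 1,000 hosts got a whole Class B (65,534 hosts)."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return 8    # Class A: 0xxxxxxx
    if first_octet < 192:
        return 16   # Class B: 10xxxxxx
    if first_octet < 224:
        return 24   # Class C: 110xxxxx
    raise ValueError("not a unicast Class A/B/C address")


def usable_hosts(prefix: str) -> int:
    """Host addresses in a block, minus network and broadcast addresses."""
    return ipaddress.ip_network(prefix).num_addresses - 2


def aggregate(prefixes):
    """Collapse contiguous, aligned prefixes into the fewest covering routes.
    Misaligned neighbours (e.g. .101/24 and .102/24) stay separate."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def longest_prefix_match(table: dict, addr: str):
    """Routers choose the most specific route: the longest matching prefix.
    This is what lets an aggregate coexist with a more specific exception."""
    ip = ipaddress.ip_address(addr)
    best_net, best_hop = None, None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


# Constructed routing table: a default, one aggregate, one more-specific route.
ROUTES = {
    "0.0.0.0/0": "upstream",
    "198.51.100.0/22": "customer-A",
    "198.51.102.0/24": "customer-A-site2",
}

if __name__ == "__main__":
    print("Class C host count:", usable_hosts("192.0.2.0/24"))
    print("/22 host count:", usable_hosts("198.51.100.0/22"))
    print(aggregate(["198.51.100.0/24", "198.51.101.0/24",
                     "198.51.102.0/24", "198.51.103.0/24"]))
    print(aggregate(["198.51.101.0/24", "198.51.102.0/24"]))
    for a in ("198.51.100.9", "198.51.102.9", "203.0.113.1"):
        print(a, "->", longest_prefix_match(ROUTES, a))
```

The aggregate entry is what keeps the global table small; the more-specific /24 inside it is the kind of exception that grows the table again when a customer multihomes or moves, which is the routing-table pressure the article goes on to describe.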

Under the old addressing approach, you would get address assignments directly from the InterNIC or some other Internet registry. You then "owned" the address, and you could take it with you even if you changed ISPs.

In contrast, under the newer CIDR scenario, the ISP "owns" the address block and you are merely "renting" it. If you change ISPs, you must go through the time-consuming process of renumbering your network devices and propagating the changes.

Gradual deployment of IPv6 does look likely over the next few years. The Japanese and Korean governments have mandated its deployment within their countries. Meanwhile, encountering a barrage of mobile devices in Europe, the European Commission is now recommending that its members migrate networks supporting research and government activities to IPv6 by 2005.

IPv6-driven mobile applications will probably be less of a factor in the US, because of barriers to 3G deployment. However, faced with demand from their European customers, global equipment suppliers are already starting to provide products with built-in IPv6 support. The results are bound to trickle into the US networking market.


This article was originally published on Thursday Jul 11th 2002