
The IPv6 Apocalypse is Here: 3 Reasons to Upgrade

by Ezra Bowman

IPv6 networking should be implemented now. IPv4 IP addresses have been depleted. IPv6 provides better security, better performance, and has a much larger address space.

IPv4 has completely run out of IP addresses. 4.3 billion addresses - all used. What now?

In November of last year, RIPE NCC made the final IPv4 address allocation and has officially run out of addresses. The other four significant registries ran out years ago.

Registries give address blocks to Internet service providers (ISPs). ISPs have pools of addresses that they, in turn, assign to their customers (this is how your home cable modem gets internet access). But ISPs cannot get any more IP addresses. There are none left. But we don't have to be worried (this is not Y2K). Luckily, we have IPv6.

Internet Protocol Version 6 (IPv6) has a much larger number of possible IP addresses and promises to handle packets more efficiently, increase security, and improve performance. The internet seems to be working just fine on IPv4, which has been running the internet for decades.

So, is it finally time to implement IPv6 for my websites and network infrastructure? Let's find out.


1. The Only IP Addresses Available will be IPv6

IPv6 will never run out of addresses. Of course, that's what they probably thought about IPv4 when they created it in 1981. How could we ever come close to using 4.3 billion addresses? Turns out, the internet, and more recently, the internet of things (IoT), is super popular, and according to Security Today, there were almost 27 billion connected devices as of January 2020[1].

We have been repeatedly warned that we are going to run out of IPv4 addresses and that we must move to IPv6.

IPv4 uses a 32-bit address space, which means there are approximately 4.3 billion possible IP addresses. The way we have been able to connect many more devices (27 billion) to the internet is through NAT technology. NAT stands for Network Address Translation, which hides several devices behind a single public IP address. NAT has enabled us to not worry so much about the lack of available IPv4 addresses. We will still run out.

IPv6, on the other hand, uses a 128-bit address space which allows for 340 trillion trillion trillion addresses. For perspective, that is about 7 IP addresses for EVERY ATOM in EVERY PERSON on earth. I think this address space is sufficiently large for the foreseeable future.

Although most of the internet still runs on IPv4, many companies have started the migration to IPv6. As more and more do, the pressure on the IPv4 address space will subside. Internet registries do still have some special purpose address ranges and do reclaim and reissue IPs as they become available.

Eventually, if we stay only on IPv4, Internet Service Providers will no longer be able to issue IPs to new customers.

The reality now is that most sites that are IPv6 enabled are also still reachable on IPv4, which is still tying up those addresses. Major companies that have completed a significant transition of their networks include Comcast, T-Mobile, AT&T, and Verizon. The good news is that IPv6 was defined over 2 decades ago, and most hardware and software systems already support it, but the switch over has been excruciatingly slow. There are also some legacy or embedded systems that will never transition and will still need to operate on IPv4 until they can be replaced or retired in the future. Service providers also use 6to4 and 4to6 technology to create a bridge between IPv4 and IPv6 networks that will help with the transition.

Doing a quick experiment myself, I Googled "what's my IP?". While connected to my home internet (Comcast), it shows I have an IPv4 address. If I disconnect from my home wifi and connect to my wireless carrier (Sprint), I get an IPv6 address.

IPv4 & IPv6 Addresses

So maybe the question is not "should I implement IPv6?" but rather "when will I be forced to implement IPv6?"

IPv6 is the future, and you will need to upgrade at some point. Now is an excellent time to start preparing your infrastructure if you haven't already.


2. IPv6 Provides Better Performance

IPv6 handles packets differently, but is it any faster? There are several aspects of IPv6 that should make it faster than IPv4.

  1. One main difference we will see from IPv6 is that all devices are globally routable. There is no longer a need for NAT technology to increase the address space like in IPv4. NAT allows us to hide devices with private IPs behind a single public IP. The translation of packets from private routes to the public route takes time. Since NATs also can serve many devices on the private network, they can become a bottleneck. IPv6 addresses never need to flow through a NAT, theoretically making IPv6 faster.

  2. IPv6 does not require the network to handle packet fragmenting. What is packet fragmenting? IPv4 networks handle various packet sizes. Different devices on your network or throughout the hops on the internet that your data takes have different allowable maximum transmission units (MTUs). If a router receives a packet that is too large for the next hop, it either drops or fragments the packet. Dropped packets cause retransmission of data, and fragmentation takes time to re-assemble packets. IPv6 does not allow network components to fragment packets, theoretically making it faster. The sender must do any fragmentation in IPv6.
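The difference between the two fragmentation models, as an added sketch that is not part of the original article: the header sizes are protocol constants, while the function names, the three-hop path and the payload size in the usage note are constructed for illustration.

```python
IPV4_HEADER = 20       # bytes, header without options
IPV6_HEADER = 40       # fixed-size base header
IPV6_FRAG_HEADER = 8   # fragment extension header, added only by the sender
IPV6_MIN_MTU = 1280    # every IPv6 link must carry at least this

def fragment(payload, mtu, header):
    """Split payload bytes into fragment sizes that fit the MTU.
    Every fragment except the last carries a multiple of 8 bytes."""
    room = (mtu - header) // 8 * 8
    sizes = []
    while payload > room:
        sizes.append(room)
        payload -= room
    sizes.append(payload)
    return sizes

def send_ipv4(payload, path_mtus):
    """Routers fragment in flight; returns the fragment sizes the receiver sees."""
    pieces = [payload]
    for mtu in path_mtus:
        next_hop = []
        for p in pieces:
            fits = p + IPV4_HEADER <= mtu
            next_hop.extend([p] if fits else fragment(p, mtu, IPV4_HEADER))
        pieces = next_hop
    return pieces

def send_ipv6(payload, path_mtus):
    """Routers never fragment: an oversized packet is dropped and the router
    reports its MTU (ICMPv6 Packet Too Big); the sender re-fragments and
    retries. Returns (fragment sizes, number of dropped attempts)."""
    if min(path_mtus) < IPV6_MIN_MTU:
        raise ValueError("IPv6 links must support an MTU of at least 1280")
    pmtu, drops = path_mtus[0], 0
    while True:
        if payload + IPV6_HEADER <= pmtu:
            pieces = [payload]
            wire = payload + IPV6_HEADER
        else:
            pieces = fragment(payload, pmtu, IPV6_HEADER + IPV6_FRAG_HEADER)
            wire = max(pieces) + IPV6_HEADER + IPV6_FRAG_HEADER
        blocking = next((m for m in path_mtus if wire > m), None)
        if blocking is None:
            return pieces, drops
        pmtu, drops = blocking, drops + 1   # sender lowers its path MTU estimate
```

For a 1460-byte payload over hops with MTUs 1500, 1400 and 1280, `send_ipv4` delivers three fragments on the first attempt, while `send_ipv6` loses two attempts before settling on two fragments. The IPv6 sender only learns the smaller MTU from the router's ICMPv6 Packet Too Big reply, so a firewall that filters that message leaves large packets silently dropped.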

Theory is one thing; data is another. What do benchmark comparisons of IPv6 vs. IPv4 look like? Speed tests have many different factors at play, but one evaluation made by Sucuri in 2016 did not show any significant difference between the protocols[2]. Some argue that IPv6 will not show improvements over IPv4 because network hardware and software have been optimized over the years to enhance IPv4 performance, which may hinder IPv6 performance. Another evaluation shows that IPv6 is generally faster, but current dual-stack (both IPv4 and IPv6 together) implementations can make it look like IPv6 is faster when it's not[3]. Other analyses claim IPv6 is decidedly faster[4].

The bottom line is that it is difficult to see the difference between IPv6 and IPv4 right now, but that may change. There are many clever things yet to be discovered, and network optimizations to tweak as IPv6 becomes more prevalent, which may give it an edge over IPv4.


3. IPv6 Improves Security

The IPv6 specification includes security features that have been retrofitted onto IPv4. When using these features, IPv6 can be more resilient against man-in-the-middle and Address Resolution Protocol (ARP) poisoning attacks. Its ample address space also makes network scanning more difficult for attackers.

IPSec, commonly used in IPv4 virtual private networks (VPNs), is a native part of IPv6, theoretically making end-to-end encryption easier. This, along with the public addressability of all devices, poses a challenge to network architects who are familiar with configuring hosts behind a NAT that provides an additional layer of security, SSL/TLS termination, and a single ingress point to install intrusion detection and prevention systems. IPv6 somewhat changes the way we think about network design.

IPv6 uses the secure neighbor discovery (SEND) protocol to determine link-layer addresses of other nodes and available routers. SEND is a more secure implementation that defends against naming attacks like ARP poisoning, to which IPv4 is vulnerable.

The problem with these features is that they make use of IPv6 extension headers. These headers were intended to make packet processing faster by allowing routers and nodes to ignore header data they did not need. Unfortunately, it has become common practice to drop IPv6 packets that contain extension headers[5]. This can result in many dropped packets, making some IPv6 security features unusable.

Some will argue that IPv4 (with features we have added to it over the years) can be just as secure as IPv6, and they are right. The biggest security-related argument to upgrade to IPv6 may be that since the move to IPv6 is inevitable, we should get there faster and reduce our attack surface. Many systems have both IPv4 and IPv6 addresses. Service providers use 4to6 and 6to4 technology to bridge the two network types. Having two connections means that there are more ways attackers could try to gain access to your systems. These bridging technologies also have their own specific exploits.
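One way to check the dual-stack attack surface described above, as an added example that is not part of the original article: it compares which ports a host exposes over each address family. `SAMPLE_SS` is constructed text in the format of `ss -H -tln`, and the function names are illustrative.

```python
import ipaddress

# Constructed sample: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22          0.0.0.0:*
LISTEN 0 128  [::]:22             [::]:*
LISTEN 0 511  127.0.0.1:6379      0.0.0.0:*
LISTEN 0 511  [::]:6379           [::]:*
LISTEN 0 4096 127.0.0.1:5432      0.0.0.0:*
LISTEN 0 4096 [::1]:5432          [::]:*
LISTEN 0 4096 *:9100              *:*
LISTEN 0 128  [2001:db8::10]:8443 [::]:*
"""

def parse_listeners(text):
    """Yield (ip_version, address, port) for each listening socket.
    A '*' local address is a dual-stack wildcard and counts for both."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.split("%")[0].strip("[]")   # drop interface zone, brackets
        if host == "*":
            yield 4, "0.0.0.0", int(port)
            yield 6, "::", int(port)
        else:
            ip = ipaddress.ip_address(host)
            yield ip.version, str(ip), int(port)

def exposed_ports(text):
    """Map IP version -> set of ports bound to a non-loopback address."""
    exposed = {4: set(), 6: set()}
    for version, addr, port in parse_listeners(text):
        if not ipaddress.ip_address(addr).is_loopback:
            exposed[version].add(port)
    return exposed

def ipv6_only_exposure(text):
    """Ports reachable over IPv6 that are not reachable over IPv4."""
    exposed = exposed_ports(text)
    return sorted(exposed[6] - exposed[4])

if __name__ == "__main__":
    print("Reachable over IPv6 only:", ipv6_only_exposure(SAMPLE_SS))
```

In the sample, port 6379 is bound to loopback on IPv4 but to the wildcard on IPv6, so an IPv4-only firewall review would miss it; ports flagged this way need a matching IPv6 firewall rule or a narrower bind address.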

Some of the biggest concerns over IPv6 security are not related to the protocol itself. System administrators who are more familiar with IPv4 have less experience and less confidence configuring and deploying IPv6. This will result in less mature IPv6 implementations, which will leave them vulnerable. The more we can do now to educate network administrators and provide them the practical experience they need, the better off we will be when IPv4 goes away.

Conclusion

Implementing IPv6 isn't all that complicated, especially if you are running a simple website or a small internal network. Amazon Web Services (AWS) makes it easy to provision IPv6 addresses in your VPC, EC2 instances, and other services. Deprecating and retiring IPv4 will be much harder. The sooner we are all compatible with IPv6, the sooner we can reap the benefits.

Thanks for reading! Please leave feedback. I am a software engineer and solutions architect. I am interested in all things AWS, Cloud, and technology in general.


References


