Most agencies likely already have some level of IPv6 connectivity in their environment, with clients automatically configuring a link-local IPv6 address to communicate with compatible hosts running on the same subnet.
But do these organizations need to obtain a block of globally accessible IPv6 addresses to assign to devices on the corporate intranet?
IPv6 Usage on the Rise
IPv4 is going to be available for many years to come, but because of the rapidly dwindling availability of public IPv4 addresses and the rise of mobile connectivity, IPv6 usage is on the rise. As agencies embrace the use of smartphones and tablets, those devices are very often assigned a native IPv6-only network address when connecting to the Internet outside the corporate firewall. It’s easier for Internet service providers (ISPs) to have just one protocol running on mobile devices that connect to their equipment; they then provide IPv4 Internet access using NAT64, an IPv6 transition technology.
The ability to connect devices end-to-end using IPv6 will make connectivity to a corporate network from mobile devices simpler and more efficient. There are already technologies, such as Microsoft DirectAccess, that are built around IPv6 but that can work over IPv4 using transition technologies. The longer an organization can put off a complete move to IPv6, the less it will need to rely on protocols such as Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), which should be limited in its use.
Nevertheless, the federal government has issued a mandate to purchase systems that support IPv6 in the near future. The shift toward mobile computing and IPv6 means that agencies should prepare their corporate network infrastructures to support IPv6 as they upgrade their hardware. The aim is to run a dual-stack IPv6 and IPv4 network on which both protocols run simultaneously.
A lot of hardware already has some IPv6 support, but don’t forget to check for IPv4 feature parity. When buying new network hardware, make sure it meets RIPE-544 standards. More information on RIPE-544 can be found online at the RIPE Network Coordination Centre (ripe.net).
Leveraging IPv6 Security
System administrators often take comfort that their IPv4 intranets are hidden from the public Internet behind a network address translation device. NAT routers offer no real security benefit and add a lot of complications when trying to establish end-to-end connectivity between devices. A firewall that supports IPv6 stateful inspection can still be used to protect inbound and outbound traffic.
While it is possible to use NAT on IPv6 networks, IT staffs should avoid it. If an agency changes its service provider in the future, it will be assigned a different prefix for its IPv6 global addresses.
Renumbering is easier than it was with IPv4 because provider-independent address spaces can also be assigned by regional Internet registries. This enables an easier transition when changing ISPs. But it is predominantly intended for organizations that have high-availability requirements and need upstream Internet access to more than one service provider at a time (known as multihoming).
Internet Protocol Security (IPsec) is built into IPv6 and can be used to authenticate clients and provide encryption and data integrity. When planning an IPv6 network infrastructure, consider enabling IPsec from the beginning. IT staffs should upgrade Windows XP clients to Vista or a later version to ensure central management of IPsec using Group Policy. If your agency doesn’t have a lot of servers to manage, be aware that IPsec Group Policy configuration is only supported in Windows Server 2008 and later. If there’s no need to use IPsec on your network, then systems administrators can use 802.1X-based authentication to prevent untrusted devices from connecting to network access points.
IPv6 Pre-Deployment Tasks
After determining if your existing network hardware supports IPv6 (and if it does, to what extent), establish the amount of extra traffic IPv6 is likely to put on the network and whether network devices can cope with the additional load. For instance, do the devices have enough ternary content-addressable memory to accommodate routing tables large enough to store the additional IP addresses associated with IPv6?
When requesting a prefix from your Internet service provider, consider the size of the prefix; for example, determine how many individual hosts are supported and whether more than one prefix is needed to accommodate different regions. For more detailed information, check out Cisco’s IPv6 addressing guide.
Make an inventory of the applications and services running with IPv4 on the network. Do they have native IPv6 support? If so, what is the likely impact on network traffic when IPv6 is enabled? A test lab is vital for establishing IPv6 compatibility for network hardware and application support.
When designing an IPv6 deployment, it’s important to know the maximum prefix length that your ISP will issue and whether IPv6 and IPv4 are supported on the same link simultaneously. Also, determine if your ISP and telecom carrier provide native IPv6 support for WAN links. But don’t worry about IPv6 on clients and servers until the network backbone has been fully IPv6-enabled.
IP Address Management in IPv6
IT staffs should be prepared to work with IPv6 and understand the basic concepts. Then, when faced with a device that has multiple IPv6 network interfaces (such as ISATAP, a preferred native IPv6 and IPv4 address), they will know how to determine which to use in any given scenario. This is in addition to basic troubleshooting skills, such as checking IPv6 network connectivity.
IP Address Management in Windows Server 2012 allows administrators for the first time to track IP address usage and manage DNS and DHCP servers from one integrated interface. When establishing a global IPv6 address space from an ISP, use DHCPv6 in Windows Server to assign the IP address and all other necessary networking parameters, such as DNS server addresses.
You might also want to assign just the additional networking parameters and let routers manage the IP addresses. IPv6 autoconfiguration allows DHCP-enabled devices to get the IPv6 network prefix from router advertisements and have an IP address automatically assigned. Whichever method you choose, the IT staff will need to configure routers with the appropriate flags to direct clients to a DHCPv6 server.
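The router flags referred to above are the M (managed) and O (other configuration) bits of the ICMPv6 Router Advertisement, together with the A (autonomous) bit carried on each advertised prefix (RFC 4861). The Python below is an added example, not part of the original article: it parses a Router Advertisement and reports which addressing mode clients will follow, so the IT staff can confirm that a router advertises what the design intends. The function names and the sample packets, built from the 2001:db8::/32 documentation prefix, are constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861, section 4.2)
OPT_PREFIX_INFO = 3    # Prefix Information option (RFC 4861, section 4.6.2)

def parse_ra(icmp: bytes) -> dict:
    """Parse an RA starting at the ICMPv6 type byte (checksum is not verified)."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags = icmp[5]
    ra = {"managed": bool(flags & 0x80),   # M: addresses come from DHCPv6
          "other": bool(flags & 0x40),     # O: DNS etc. come from DHCPv6
          "prefixes": []}
    pos = 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags = icmp[pos + 2], icmp[pos + 3]
            net = ipaddress.IPv6Network((icmp[pos + 16:pos + 32], plen), strict=False)
            ra["prefixes"].append((net, bool(pflags & 0x40)))  # A: usable for SLAAC
        pos += opt_len
    return ra

def addressing_mode(ra: dict) -> str:
    """Summarise how clients that honour this RA obtain addresses and parameters."""
    slaac = any(auto for _, auto in ra["prefixes"])
    if ra["managed"]:
        return "stateful DHCPv6 + SLAAC" if slaac else "stateful DHCPv6"
    if ra["other"]:
        return "SLAAC + stateless DHCPv6" if slaac else "stateless DHCPv6 only"
    return "SLAAC only" if slaac else "no autoconfiguration"

def build_ra(flags: int, prefix: str, pflags: int) -> bytes:
    """Build a constructed sample RA with one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      86400, 14400, 0)
    return hdr + opt + net.network_address.packed

if __name__ == "__main__":
    # Constructed samples using the 2001:db8::/32 documentation prefix.
    for name, m_o, l_a in [("dhcp-all", 0x80, 0x80), ("dhcp-dns", 0x40, 0xC0),
                           ("slaac", 0x00, 0xC0)]:
        ra = parse_ra(build_ra(m_o, "2001:db8:0:1::/64", l_a))
        print(name, "->", addressing_mode(ra), [str(p) for p, _ in ra["prefixes"]])
```

An RA seen on a segment whose mode differs from the one configured on the legitimate router is worth investigating, since clients act on any Router Advertisement they receive on the link.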