Interview with LISA Trainer Shumon Huque: IPv6
IPv6 has been the next big thing for years. Like a virtual sword of Damocles, we've heard about the IP address exhaustion of v4, and USENIX has offered training on IPv6 at several LISA conferences, leading to many people implementing it at their own workplaces.
There's been a lot of positive feedback, and so again, we're featuring an IPv6 tutorial from none other than Shumon Huque, the Lead Engineer for the Networking & Telecommunications department at the University of Pennsylvania, where he's also the principal IPv6 Architect.
I got the chance to ask Shumon some questions about IPv6 and his tutorial this weekend.
Matt Simmons: Everyone has heard for years that IPv4 was (going to be) exhausted, and by now, a lot of people have alert fatigue. How big of a concern is it to implement IPv6? What will happen if we don't?
Shumon Huque: IPv4 exhaustion is certainly happening, although it is not yet acutely being felt in some parts of the world, particularly in the US. In some other geographic regions, the regional internet registries have already depleted their address blocks, and consequently it is becoming very difficult to get new IPv4 address space from ISPs in those regions.
And yet the Internet continues to grow. That growth will only be accommodated by IPv6 addresses. In the near future, there will be emerging populations of users and services that will be IPv6-only, and it is essential for us to deploy IPv6 to ensure that we will be able to communicate with them.
MS: I've heard a lot of people concerned about IPv6 and IPv4 interoperability. What's the "right way" to make sure that your network can continue to communicate with the rest of the internet, both IPv4 and IPv6?
SH: Today, the right way is to deploy IPv6 alongside IPv4 (the so-called "dual-stack" mode of operation). This will ensure that we are able to communicate with IPv4-only, IPv6-only, or dual-stack users and services.
Some organizations will have no option but to deploy only IPv6. There are a set of protocol translation "mechanisms" (some people might call them "hacks") that allow islands of IPv4-only and IPv6-only systems to communicate. But there are a range of significant operational issues and adverse effects associated with them.
The best way forward for the Internet community is to get everyone on IPv6 as soon as possible and obviate the need for these suboptimal translation mechanisms.
MS: Another fear I've heard people voice is that if all IP addresses are public, then that leaks sensitive information about their infrastructure that they have hidden behind NAT right now. Is this a valid fear? How do you mitigate that particular risk?
SH: This is at least partly true, depending on your point of view and your network operating philosophy. IPv6 does in fact have the concept of private addresses -- see RFC 4193, "Unique Local IPv6 Addresses (ULA)". But these are meant to be used, as their name implies, locally, e.g., for organization-internal communication only.
The traditional NAT does not exist in IPv6, and is widely deemed unnecessary. In IPv6, there is no conceivable address conservation need that would require NAT. The alleged security properties of NAT can be much better achieved by other means, such as stateful firewalls (see RFC 4864 "Local Network Protection for IPv6"). After much discussion, a NAT-like mechanism called NPTv6 was eventually developed.
This can allow an organization to use private addresses internally, and map them to a different public prefix externally. But note that this is a 1-1 translation of the IPv6 network prefix only, and not the entire address, and one of its principal goals is to aid multihoming. The topology hiding feature of IPv4 NAT does not exist, but again I'm not sure how useful a security feature that is.
MS: How will this year's course be different than past tutorials?
SH: It will cover approximately the same material, but has been fully updated with the latest IPv6 developments in terms of protocol enhancements, IPv6 support in systems, applications & services, and IPv6 deployment news.
MS: What would you say to someone who isn't sure that they need to learn IPv6?
SH: IPv6 is inevitable. If you work in the IT/computing/networking field, it's a safe bet to assume that you'll need to know IPv6. Why not start now?
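The two mechanisms Shumon Huque mentions above, ULA prefix generation (RFC 4193) and NPTv6's one-to-one prefix translation, as an added worked example. This is not code from the tutorial or from the interviewee: the prefixes and addresses in it are constructed sample values, and the translation implements the checksum-neutral mapping of RFC 6296 (the document that defines NPTv6), which the interview names but does not describe.

```python
"""Added example: RFC 4193 ULA prefixes and an NPTv6-style (RFC 6296)
checksum-neutral prefix translation. All addresses are constructed samples."""
import hashlib
import ipaddress
import secrets

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 address block


def derive_global_id(eui64, ntp_time):
    """RFC 4193 section 3.2.2: SHA-1 over (64-bit NTP time || EUI-64) and keep
    the least significant 40 bits as the pseudo-random Global ID."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    return hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()[-5:]


def ula_prefix(global_id=None):
    """fd00::/8 (L bit = 1, locally assigned) followed by the 40-bit Global ID
    gives the organization's /48.  Without a Global ID, draw 40 random bits;
    the point of the RFC is that the ID is random, not picked by hand."""
    if global_id is None:
        global_id = secrets.token_bytes(5)
    if len(global_id) != 5:
        raise ValueError("Global ID must be 40 bits")
    prefix_int = (0xFD << 120) | (int.from_bytes(global_id, "big") << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def is_ula(addr):
    return ipaddress.IPv6Address(addr) in ULA_RANGE


def _words(value):
    """Eight 16-bit words of a 128-bit address, most significant first."""
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]


def _oc_add(a, b):
    """16-bit one's complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _oc_sum(words):
    total = 0
    for w in words:
        total = _oc_add(total, w)
    return total


def nptv6_translate(addr, inside, outside):
    """Rewrite the prefix of addr from `inside` to `outside` so that the
    one's complement sum of the address, and hence any TCP/UDP/ICMPv6
    checksum covering it, is unchanged (RFC 6296 section 3)."""
    addr = ipaddress.IPv6Address(addr)
    inside, outside = ipaddress.IPv6Network(inside), ipaddress.IPv6Network(outside)
    plen = inside.prefixlen
    if plen != outside.prefixlen or plen > 64:
        raise ValueError("prefixes must share one length of at most /64")
    if addr not in inside:
        raise ValueError(f"{addr} is not inside {inside}")
    # adjustment = sum(inside prefix) - sum(outside prefix) in one's complement.
    # Network addresses have zero host bits, so summing all eight words of
    # each only counts prefix bits.
    adj = _oc_add(_oc_sum(_words(int(inside.network_address))),
                  ~_oc_sum(_words(int(outside.network_address))) & 0xFFFF)
    host_mask = (1 << (128 - plen)) - 1
    words = _words(int(outside.network_address) | (int(addr) & host_mask))
    # /48 or shorter: the subnet-ID word (bits 48-63) absorbs the adjustment;
    # /49 to /64: the first interface-ID word that is not 0xFFFF does.
    if plen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("interface ID is all ones; not translatable")
    words[idx] = _oc_add(words[idx], adj)
    if words[idx] == 0xFFFF:
        words[idx] = 0x0000   # same value in one's complement; keeps the map reversible
    result = 0
    for w in words:
        result = (result << 16) | w
    return ipaddress.IPv6Address(result)


def checksum_neutral(a, b):
    """True when two addresses have equal one's complement sums."""
    return (_oc_sum(_words(int(ipaddress.IPv6Address(a))))
            == _oc_sum(_words(int(ipaddress.IPv6Address(b)))))


if __name__ == "__main__":
    inside = ula_prefix(bytes.fromhex("6f1c2b8a3d"))      # fd6f:1c2b:8a3d::/48
    outside = "2001:db8:1::/48"                           # constructed public prefix
    host = "fd6f:1c2b:8a3d:10::1"
    out = nptv6_translate(host, inside, outside)
    back = nptv6_translate(out, outside, inside)
    print(inside, host, "->", out, "->", back, checksum_neutral(host, out))
```

Two things the code makes visible that the interview only asserts: the mapping is stateless and reversible, so an external observer still sees one stable address per internal host (no topology hiding, only renumbering), and the subnet ID is shifted by a constant rather than copied, which is why the translator never has to touch transport-layer checksums.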