IPv6 Deployment
Ways to Transition
Deploying IPv6 involves three different components: the host operating system, the applications and the network.
Operating Systems
Most of the modern operating systems now have two distinct IP stacks to support both IPv4 and IPv6 at the same time. The hosts configured this way are called dual-stacked. Windows XP, Windows Server 2003, Windows Vista, Linux, Mac OS X, FreeBSD, Solaris, AIX are all dual-stack capable operating systems in their recent versions.
Applications and Services
Networked applications and services must be modified, or ported, to support IPv6. Porting a piece of software usually involves modifying network programming to make it IP version agnostic. All software programming used to store or display network addresses must also be modified to support the longer IPv6 addresses and their syntax. Support for multicast also has to be added. There's no magic formula to make network software work with IPv6: it must be modified and tested for the new protocol.
Network Deployment
The most delicate issue in IPv6 deployment is to build an IPv6-capable network. In order for two dual-stacked hosts to communicate together using IPv6, an IPv6-enabled path must exist between them to exchange IPv6 packets.
In the above figure, the nodes 1, 3, 5, 6, 7, and 9 are dual-stacked. However hosts 1 and 9 cannot communicate directly with IPv6 as there isn't a complete IPv6 path between them.
A solution to this problem would be to upgrade all the nodes to support both IPv4 and IPv6. This approach is called building a dual-stacked network. Dual-stacking a network differs from dual-stacking a host in the type of equipment and software used. A host is usually end-user equipment such as a PC, a PDA or a phone. In a dual-stack network, the equipment consists of routers and IP-capable switches.
Transition Tools Complement Dual-Stacking
Building a full dual-stack network cannot realistically be done in a short timeframe and must be phased in over time. Several reasons explain why the transition cannot be done rapidly:
- Lack of IPv6 support from manufacturers for some equipment. Some older equipment will never support IPv6.
- Hardware incompatibility or lack of hardware resources. Several types of router require a flash upgrade to support larger IPv6 images or a memory upgrade to support the two concurrent routing tables.
- Upgrades for IPv6 compatible software are required.
- Some equipment is under different administrative authorities, with different priorities and deployment plans.
- Operating IPv6-based equipment is considered risky, as the new software may show instability or new vulnerabilities.
- The operation of a dual-stack network requires two independent networks to be managed at the same time.
To make the transition as smooth as possible and start enjoying the benefits of IPv6 right away, IPv6 transition mechanisms may be used.
Typically, an initial core of IPv6 nodes is built using dual-stacking. This may be only one or a few routers at first. In an ISP network, these few nodes establish the first IPv6 BGP peering with neighbors. In an enterprise environment, this first step involves setting up a first IPv6 connection to an upstream provider.
Then a transition mechanism is used to extend the IPv6 coverage from the dual-stack core all the way to the edge of the network and the different IPv6 hosts. The transition mechanism may also involve the connections of small IPv6 networks, also called IPv6 islands which are isolated from the IPv6 core. As more dual-stack capable nodes are added to the network, the transition devices may be moved toward the edge to meet evolving needs.
Types of Transition Mechanisms
Modern IPv6 transition mechanisms are part of one of two classes: translation or tunneling. Translation involves transforming an IPv6 packet into an IPv4 packet and vice-versa while tunneling is the action of putting an IPv6 packet within an IPv4 packet to make it transit the IPv4 section of the network. One must be aware that translation in general is not recommended as a transition mechanism.
Translation
The concept behind translation can be understood intuitively.
IP packets from one type are transformed into packets of the other type and sent on the network (as shown in the above picture). However, this approach has several limitations, among those:
- Most security protocols such as IPsec cannot be used through a translation device.
- The number of concurrent connections is limited by the capacity of the translator. This may also be used for denial-of-service attacks by saturating the translator resources.
- Protocols using IP addresses in the payload of the packets do not get translated properly. These protocols include DNS, FTP, SIP, RTP and ICMP. An Application Level Gateway (ALG), actually a proxy, is required for each of these protocols.
This is why translation in general and more specifically the most popular translation protocol, NAT-PT, has been deprecated by the IETF and is no longer recommended as a transition mechanism.
Tunneling
Tunneling does not have the limitations of translation.
The IPv6 packets are transported over the IPv4 network without being modified. Depending on the type of tunneling used, the packets may be exchanged directly between hosts or through a relay or tunnel server.
Types of Tunnels
Manual Tunnels
Manual tunneling is the simplest way to set up an IPv6 connection over an IPv4 network. Most dual-stack hosts and network elements support standard IPv6-in-IPv4 tunnels, also designated as protocol 41.
A manual tunnel is based on two pairs of addresses, an IPv4 pair and an IPv6 pair. The IPv4 pair is comprised of the address of the client host or router and the address of the tunnel server on the provider side. The IPv6 addresses are usually provided by the upstream party either as two addresses or as one /64 prefix.
Manual tunnels are easy to set up because they are widely available. However, they do not offer any type of authentication or monitoring function. The largest drawback of using manual tunnels is the human overhead involved each time a tunnel has to be created or changed.
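The protocol 41 encapsulation described above, as an added example that is not part of the original page: it wraps an unmodified IPv6 packet in an IPv4 header and shows how a monitoring point can recover both the tunnel endpoints and the inner IPv6 endpoints. All addresses are constructed documentation values.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IPv4 protocol number for encapsulated IPv6


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(inner_ipv6: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Prepend an IPv4 header (protocol 41); the IPv6 packet is not modified."""
    src = ipaddress.IPv4Address(tunnel_src).packed
    dst = ipaddress.IPv4Address(tunnel_dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_ipv6),
                      0, 0, 64, PROTO_IPV6_IN_IPV4, 0, src, dst)
    csum = ipv4_checksum(hdr)  # computed with the checksum field set to zero
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + inner_ipv6


def inspect(packet: bytes):
    """Return tunnel and inner endpoints of a protocol 41 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or packet[9] != PROTO_IPV6_IN_IPV4 or len(packet) < ihl + 40:
        return None
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        return None
    return {
        "tunnel_src": str(ipaddress.IPv4Address(packet[12:16])),
        "tunnel_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
    }


def sample_ipv6_packet() -> bytes:
    """Constructed IPv6 header with no payload (next header 59 = none)."""
    src = ipaddress.IPv6Address("2001:db8:1::1").packed
    dst = ipaddress.IPv6Address("2001:db8:2::1").packed
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64, src, dst)
```

Nothing in the outer header authenticates the sender, which is the missing authentication function noted above.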
Automatic Tunneling
The most popular automatic tunneling mechanisms are 6to4, ISATAP and Teredo; all of them are implemented in Microsoft operating systems. The most important characteristic of these protocols is that they provide an IPv6 address or prefix based on an IPv4 address: the IPv4 address of the node is embedded in its IPv6 address.
The advantage of this approach is that IPv6 addresses can be set up right away and IPv6 packets exchanged directly from one host to another using the IPv4 network. 6to4 and ISATAP addressing are respectively illustrated in the following pictures.

However, using these mechanisms also presents drawbacks. A host is not guaranteed to have a fixed IPv6 address, making it difficult to act as a server and run any type of services. These protocols, especially 6to4 because it uses anycast, are harder to debug as the return path of the packets may be different than their forward path.
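The address embedding described above, as an added example that is not part of the original page: it derives the 6to4 prefix and an ISATAP address from an IPv4 address, and recovers the embedded IPv4 address from a 6to4, ISATAP or Teredo address, which is useful when attributing tunneled addresses seen in logs. The prefixes 2002::/16 and 2001::/32 and the 5efe identifier come from the protocol specifications rather than from this page; the sample addresses are constructed.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:V4ADDR::/48, the prefix a 6to4 gateway derives from its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix64: str, ipv4: str) -> ipaddress.IPv6Address:
    """Append the ISATAP interface identifier 0000:5efe:V4ADDR to a /64 prefix."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return net.network_address + ((0x5EFE << 32) | v4)


def embedded_ipv4(addr: str):
    """Return (mechanism, IPv4 address) if addr embeds one, else None."""
    ip = ipaddress.IPv6Address(addr)
    n = int(ip)
    if ip in SIX_TO_FOUR:
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if ip in TEREDO:
        # Teredo stores the client's IPv4 address with every bit inverted.
        return "teredo", ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    # ISATAP: the interface ID starts with 0000:5efe or 0200:5efe.
    if (n >> 32) & 0xFDFFFFFF == 0x00005EFE:
        return "isatap", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    return None
```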
Negotiated Tunnels
The only drawback of negotiated tunneling methods is that all the IPv6 traffic goes through a single server. Of course, that server may be implemented in a redundant fashion. This can also be considered a strength for an organization controlling and inspecting all IPv6 traffic.
Ways to Tunnel
Tunneling Scenarios
Different deployment scenarios exist for home users whose ISP does not offer IPv6. If the home gateway supports IPv6, 6to4 is an interesting solution. In that case the gateway acts as a 6to4 server and provides a /48 to the home network. However this solution requires the user to renumber all PCs in the IPv6 network each time the IPv4 address changes. If a stable address is desired, public tunnel server services such as go6 (www.go6.net) may be used.
If the home gateway is not IPv6 enabled, a host based solution is required. Since most hosts at home are behind an IPv4 NAT device, NAT traversal techniques are required. A protocol such as Teredo may be used for this purpose, or a tunnel service using UDP encapsulation. Both TSP and softwire support this type of tunneling.
An ISP offering IPv6 services to its clients will likely use the negotiated tunnel approach to ensure that network usage is controlled. Clients must log in with their credentials and always get the same IPv6 addresses. Some providers have a legal requirement to link IP addresses to individuals.
Tunneling is also useful to provide IPv6 to enterprises or agencies over multiple sites while minimizing the administrative overhead of configuring multiple manual tunnels. Since permanent IPv6 addresses are required, using automatic tunneling in this situation is not suggested.
Implementations
Implementations of tunneling mechanisms vary. Several tunnel broker implementations are built out of open source software projects. While these solutions can be implemented at low cost, they often lack the completeness and management tools of commercial products.
Some transition techniques are implemented in off-the-shelf routing equipment. The mechanisms implemented are usually well known and have had standard status for a long time. The cost of this equipment may be prohibitive if only used for IPv6 transition.
On the other hand, it is possible to transition to IPv6 rapidly using a dedicated device, commercially supported and with all the monitoring and management tools expected on carrier-class equipment. Using this type of equipment, such as the Gateway6™ from Hexago, allows for flexible deployment, simplified migration to IPv6, economy of scale and provides detailed monitoring of the IPv6 deployment.
Conclusion
Using dual-stack operating systems and porting applications and services to IPv6 is the first step in the deployment of the new Internet Protocol. However, deploying an IPv6-capable network is often the largest challenge.
Making all network equipment dual-stack is an expensive and complex operation. This is why using transition mechanisms as a complement to dual-stacking is a way to lower deployment costs and make the deployment of IPv6 much smoother.
Tunneling techniques are a good way to implement an IPv6 network; however, their use differs according to the type of network and the intended use of the tunnel. Automatic tunneling is useful to provide IPv6 to hosts whose ISP does not support it; however, negotiated tunnels are a better solution if authentication or static addresses are required.
Having a dedicated solution for IPv6 transition allows keeping the IPv6 network separated while it is built. Hexago offers comprehensive solutions for ISPs, government agencies and enterprises to build their IPv6 infrastructure and deploy the new Internet at low cost.
