Extreme Networks White Paper IPv6 Is Out There. - Is Your ...

Jun 30, 2012 (5 years and 3 months ago)

Extreme Networks White Paper
IPv6 Is Out There.
Is Your Network Ready For It?
Abstract
The objective of this white paper is to highlight the importance of
IPv6 readiness in the network infrastructure of the enterprise
network. Extreme Networks addresses the concerns regarding IPv6
security threats with a product architecture and ExtremeXOS™
modular operating system, which is built from the ground up for
IPv6 along with the IPv6-ready switching hardware capability from
edge to core.
© 2006 Extreme Networks, Inc. All rights reserved.
Executive Summary
The imminent successor to the current IPv4 addressing
scheme and protocol, Internet Protocol version 6 (IPv6)
clears the way for a new network environment. This
environment is characterized by rampant growth and the
need to accommodate new convergence applications such
as Voice-over-IP (VoIP), mobile telephony, Peer-to-Peer
networking, IP video distribution and government security
and defense systems. The transition to IPv6 is well underway
with the help of methods that allow for coexistence of IPv6
and IPv4 networks. As IPv6 progresses through early adoption,
it is deployed more and more in large public and private
networks worldwide.
IPv6 presents long overdue enhancements to IP but with it
comes unique security threats as well. With transitional
methods in use today, it is likely that IPv6 traffic is already
present on most networks. Therefore the security threats
due to IPv6 exist in the network whether enterprises and
service providers choose to adopt IPv6 in the short term or
wait for critical mass. The challenge is to evaluate the
implications of this transitional period and plan accordingly.
Extreme Networks® has addressed these concerns with a
product architecture and Operating System (OS) that are
built from the ground up for IPv6. Extreme Networks
recognizes that supporting IPv6 is only the first step to a
sound implementation. Wire-speed performance is also
available for native IPv6 environments and for transitional
situations where coexistence methods are utilized. Security
and network integrity issues have been anticipated to
address new threats associated with IPv6 and with IPv6
tunneling over IPv4. A well thought out CLI is in place that
integrates IPv4 and IPv6 management—not an afterthought
CLI. ExtremeXOS modular OS makes the transitional issues
non-network-impacting and provides a solid end-to-end
solution for moving to IPv6.
Why IPv6?
General Address Exhaustion Problem
Primary among the benefits of IPv6 is scalability. IPv6’s
predecessor, IPv4, adequately addressed its initial purpose,
to network a world of desktop computers. However, IPv4
now fails to accommodate the next wave of network growth.
Next-Generation Intelligent Devices
Proliferation of new intelligent networked devices requires
an Internet addressing scheme that expands far beyond the
capacity of IPv4. Mobile IP, IP television distribution, VoIP and
wireless LAN are examples of new applications requiring not
only network connectivity, but also Plug and Play configuration,
security, service quality, mobility and always-on availability.
These features lack consistent implementation in IPv4. At
the same time, they are becoming strict requirements for
helping to reduce the complexity in developing and deploying
next-generation communications devices.
Limited Address Ranges Granted
Many countries are quickly approaching IP address exhaustion
as expanding industry and new network applications contribute
to address depletion. The pace of adoption for IPv6 has been
deceptively slow because the United States owns the majority
of IPv4 address space and has been reluctant to follow the
lead of the rest of the world in moving toward this next
generation protocol. Many countries in Asia and Europe have
already mandated adoption of IPv6 in certain government and
industry deployments. This trend will continue as countries
hit the limitations of IPv4.
Recent deployments of IPv6 in Asian countries have been
possible due to government funding. China’s carriers have
committed to IPv6 in the next major network buildout: the
China Next Generation Internet (CNGI). In Japan, NTT has
become the first service provider to offer IPv6-based services
on a large scale.
Peer-to-Peer
(Network Address Translation Problem)
Workarounds have been created to slow address depletion
but this patchwork of fixes seems to further reduce the
relevancy of IPv4 in today’s networks. Among these techniques,
Network Address Translation (NAT) and Virtual Private
Networks (VPN) have helped slow the demise of IPv4 by
reusing addresses; however, newer applications such as
network-aware Peer-to-Peer connections require that each
end-station has its own unique globally routable address.
With IPv4 and NAT, this is not possible because users are
hidden behind a NAT device in the network. Intuitive peer-
to-peer applications such as file sharing, gaming and VoIP
require a complex third-party central authority to circumvent
NAT and manage the interaction. This has been a glaring
deficiency in an IPv4 environment using NAT that is resolved
with IPv6. Consequently, peer-to-peer applications are able
to thrive with IPv6.
Secure Encrypted and Authenticated
Communication
IPv6 enhances security with authentication and encryption
that is built into the basic architecture. Any authentication
method may be implemented, but keyed MD5 has been
championed for interoperability and will likely be the most
commonly used. MD5 is a secure algorithm that creates
digital signatures that can be used to verify data integrity.
Encryption is also algorithm-independent but will likely
standardize on Data Encryption Standard in Cipher Block
Chaining (DES-CBC). DES offers configuration options for
encrypting the entire payload (Tunneled mode) or just the
transport layer (Transport mode).
IPv6 strengthens network security by enforcing common
security parameters which are designed into the protocol.
These integrated options can then be used in any manner or
combination to suit the security requirements of each network.
Ad Hoc Networking
Another benefit of IPv6 is the ability to create networks
spontaneously, with minimal user interaction. Many mobile
devices are impractical for users to configure based on the
situational factors associated with their use. This is true of
next-generation media devices that demand less user
interaction to operate and it is especially true of military
equipment and field communication devices. The ability to
deploy ad hoc networks is a key benefit of IPv6. The Mobile
Ad-hoc Network (MANET) is an example of an IPv6 ad hoc
network where mobile IPv6 nodes in mobile environments such
as cars, boats and airplanes can communicate independent of
the Internet. This would not require infrastructure such as
base stations and access points. With ad hoc networks, hosts
can come together to form spontaneous networks that rapidly
evolve as users join or drop connections. Mobility is also
important to allow users to arbitrarily move from one network
to another. IPv6 provides auto-configuration and Neighbor
Discovery, two key enabling technologies for mobility.
Quality of Service
IPv6 is better equipped to handle Quality of Service (QoS)
because of large allocations in the packet header for prioritization
of packet class and of flows of traffic. Handling of flows
allows a source node to set priority on a sequence of traffic.
It then prevents intermediate nodes from inspecting these
packets further. This aids in performance, especially when
encryption is used. Packet class prioritization is accomplished
in a similar way to IPv4, where values are set to identify
classes of traffic. These values then dictate how traffic will
receive priority in a congestion situation.
Multicast and Anycast
IPv6 offers improvement to multicasting over IPv4. Multicasting
is a required component of IPv6 and a new type of addressing
called Anycast is added. Multicast functionality has been
expanded and scalability has been improved with the addition
of a “scope” field to the multicast address. This multicast
functionality has been deployed in public networks for the
purpose of offering IPTV and IP phone services. Anycasting
is a new concept that gives routing decisions to each Anycast
node along the path where traffic flows. A packet that is sent
to an Anycast address is routed to the “nearest” interface
having that address.
Early Adopters
IPv6 is in the early adoption phase of its life cycle. Many
industries are discovering the unique benefits of IPv6 and
are taking the lead on IPv6 deployment.
Service Providers
Service providers are motivated to deploy IPv6 to use the
operational simplicity, improved availability and new service
capabilities inherent to the new protocol. The Plug and Play
architecture of IPv6 will simplify provisioning and help reduce
the costs associated with supporting end users. The QoS
functionality in IPv6 will better manage policies and ensure
Service Level Agreements (SLAs).
Also significant is the ability to offer new services enabled
by IPv6 and thus establish competitive industry advantages.
VoIP, IPTV and advanced mobility are among the new offerings
that become more realistic on a large scale with IPv6.
Education
Academia has been a primary driver of growth for the Internet
and will continue to play a role in its next stage of development
with IPv6. These institutions serve two major purposes: to
promote research and development of new technologies and
to serve as consumers of these technologies. In a way,
universities and school campuses are small advanced metro
regions, where every member requires multiple high-bandwidth
access connections.
Academic research projects show strong support for IPv6.
The Internet2 project, a consortium of academic institutions
tasked with pushing new applications and technologies, has
established an IPv6 working group dedicated to the transition
to IPv6. Similarly, the Internet Education Equal Access
Foundation (IEEAF) continues to push IPv6 to achieve its
charter of providing ubiquitous Internet-based education.
Many localized efforts also exist such as the 6NET, which
consists of multiple interconnected European academic
networks that have moved to IPv6 to prove its validity.
Enterprise
The opportunity that IPv6 provides in enterprises in the
future is envisioned to be enormous–driven by deployment
of next generation Internet enabled products and services.
Today’s IPv6-enabled products include OS, multimedia
devices, test equipment, security equipment and a long list
of new products under development that will be made
possible by IPv6. As of today, it is mostly the vendors and
manufacturers of these next-generation devices and
applications that have deployed IPv6 in their networks.
Military
Military applications worldwide have made a notable push
towards IPv6, as they require more globally reachable
addresses and new capabilities. Enhancements over IPv4
can help fulfill the vision of new capabilities such as drive-
by-networking. Plans increasingly call for the latest available
technologies in an effort to digitize the soldier and the
battlefield, and to improve national security. Intentions to
adopt IPv6 have been expressed by the German military and
French Military Procurement Agency (DGA). The U.S.
Department of Defense (DoD) will convert all networks and
applications to IPv6 by 2008. NATO has made recent progress
interconnecting sites with IPv6 as a fulfillment of goals set
by the NATO-INSC (Interoperable Network for Secure
Communications) project.
Overall, military planning is aggressively adopting IPv6. This
is due to anticipation of a much greater need for network
addresses and consideration of the ancillary benefits of IPv6
such as ad hoc networking and built-in security. This attitude
is beginning to show up more frequently in military
requirements across the globe.
Addressing New Concerns
Resulting from IPv6
IPv6 Is Out There—
Whether You Want It or Not
IPv6 is a reality in many client systems. Mac OS X, Linux
and Windows 2000/XP devices are capable of communicating
using IPv6 and some even have IPv6 installed by default.
With IPv6-ready bootable Linux-Live CDs, any machine can
be turned into an IPv6-enabled platform. This bypasses IT
best practices for client OS control. As with IPv4, clients can
be turned into weapons that attack the network and data by
spreading worms and viruses. Wire-speed IPv6 ACLs are the
first step to protect your network—you will need these in
your equipment.
If you want to turn on IPv6 in your network, you must be
aware that, with IPv6, you will not be able to simply block
all ICMPv6 packets; a common practice used in IPv4 in
some networks. Path MTU discovery and other critical
operations of the IPv6 protocol rely on the availability of
ICMPv6. The IP infrastructure protocols need protection as
well. Auto-configuration and discovery capabilities, DHCPv6
and ICMPv6, are all potential targets or even vehicles for
attacks as their IPv4 counterparts have been. It is important
to have edge infrastructure in place that offers finer ACL
granularity through deeper packet inspection, looking at
specific protocol fields.
IP Address Security—
How Does Your Infrastructure Behave When
a Worm Uses IPv6?
Leading network equipment vendors have been adding IP
Address Security features to IPv4 for some time, protecting
the infrastructure and services from IP protocol-specific
attacks. Some of these features allow the enforcement of
DHCP usage. This protects against hackers hijacking IP
addresses, rogue DHCP servers, random source/destination
addresses or simple DHCP IP address pool depletion attacks.
Gratuitous ARP Protection will alert on and prevent
man-in-the-middle attacks in which the attacker pretends to
be part of the infrastructure (the default router). IPv6’s
infrastructure protocols will allow creative minds to develop
either similar or even new kinds of attacks. Imagine rogue
router advertisements for man-in-the-middle attacks or
continuous reconfiguration of client/server addresses based
on auto-configuration.
Your network infrastructure will need the smarts of IPv6
awareness in its OS to take IP Address Security to IPv6.
Specifically, new address management and new protocol
support capabilities are needed to enable this next level of
security. Denial of Service (DoS) protection is another
capability that has to be present in your network infrastructure.
This capability protects the infrastructure device’s management
module from being disabled by flood-type attacks. Again,
your network infrastructure will need the smarts of IPv6
awareness in its OS to protect itself.
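The type-aware ICMPv6 handling and the rogue router advertisement case described in the two sections above, as an added example that is not from the white paper and is not ExtremeXOS code. The policy sets, function names and sample packets are constructed for illustration; the hop-limit and link-local checks follow the Neighbor Discovery rules in RFC 4861.

```python
import ipaddress
import struct

ICMPV6 = 58
EXT_TLV = {0, 43, 60}          # hop-by-hop, routing, destination options
EXT_FRAGMENT = 44

# Constructed edge-port policy (an assumption of this example, not a vendor default).
ERRORS = {1, 2, 3, 4}          # unreachable, packet too big (path MTU), time exceeded, parameter problem
ECHO = {128, 129}
MLD = {130, 131, 132, 143}     # multicast listener discovery
ND_HOST = {133, 135, 136}      # router solicitation, neighbor solicitation/advertisement
ND_ROUTER_ONLY = {134, 137}    # router advertisement, redirect


def parse_icmpv6(packet):
    """Return (source, hop_limit, icmp_type) for an ICMPv6 packet, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header, hop_limit = packet[6], packet[7]
    src = ipaddress.IPv6Address(packet[8:24])
    offset = 40
    # Walk the extension header chain so a message cannot hide behind it.
    while next_header in EXT_TLV or next_header == EXT_FRAGMENT:
        if offset + 8 > len(packet):
            return None
        if next_header == EXT_FRAGMENT:
            frag_offset = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if frag_offset:
                return None                     # later fragment: no upper-layer header here
            length = 8
        else:
            length = (packet[offset + 1] + 1) * 8
        next_header = packet[offset]
        offset += length
    if next_header != ICMPV6 or offset + 4 > len(packet):
        return None
    return src, hop_limit, packet[offset]


def edge_verdict(packet, trusted_router_port=False):
    """Decide what an edge port does with one packet under the constructed policy."""
    parsed = parse_icmpv6(packet)
    if parsed is None:
        return "other"                          # not ICMPv6: left to the remaining ACL rules
    src, hop_limit, icmp_type = parsed
    if icmp_type in ERRORS or icmp_type in ECHO or icmp_type in MLD:
        return "permit"
    if icmp_type in ND_HOST or icmp_type in ND_ROUTER_ONLY:
        if hop_limit != 255:                    # ND is link-local only; 255 proves no router forwarded it
            return "drop: neighbor discovery hop limit is not 255"
        if icmp_type in ND_ROUTER_ONLY:
            if not trusted_router_port:
                return "drop: router message on host-facing port"
            if not src.is_link_local:
                return "drop: router message from non-link-local source"
        return "permit"
    return "drop: ICMPv6 type not in policy"


def build_icmpv6(src, icmp_type, hop_limit=255, hop_by_hop=False):
    """Constructed sample packet (checksum left at zero; this filter does not verify it)."""
    payload = struct.pack("!BBH", icmp_type, 0, 0) + bytes(4)
    first = ICMPV6
    if hop_by_hop:
        # 8-byte hop-by-hop header: next header ICMPv6, length 0, one PadN option
        payload = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + payload
        first = 0
    header = struct.pack("!IHBB", 6 << 28, len(payload), first, hop_limit)
    header += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return header + payload


if __name__ == "__main__":
    samples = [
        ("packet too big", build_icmpv6("2001:db8::1", 2, hop_limit=64), False),
        ("RA on host port", build_icmpv6("fe80::1", 134), False),
        ("RA behind hop-by-hop header", build_icmpv6("fe80::1", 134, hop_by_hop=True), False),
        ("RA on router port", build_icmpv6("fe80::1", 134), True),
        ("RA forwarded from off-link", build_icmpv6("fe80::1", 134, hop_limit=64), True),
    ]
    for name, pkt, trusted in samples:
        print(f"{name:30} {edge_verdict(pkt, trusted)}")
```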
Figure 2: Two-Tier Architecture (Extreme Networks® Summit® X450e-24p)
Security Applications Can Be Circumvented
Transition to IPv6 using tunneling and translation methods
may prevent some security options that are based on network
analysis. This includes network insight that can be gained
from leading security appliances such as filtering and logging
appliances, firewalls, and others.
Some Ethernet switching equipment comes equipped with
network DoS detection, alerting you to offending attacks, such
as TCP SYN attacks, as packet transport protocols change.
Again, tactics for containing threats in an IPv4 world will
have to be extended to IPv6 to support new packet header
formats and offsets.
Early engagement of your network infrastructure and security
vendors with IPv6 provides experience with and timely
delivery of equivalent features for IPv6.
Performance Impact
Performance will be impacted as a result of transitional
technologies required for IPv6/IPv4 coexistence. Coexistence
may require dual-stack functionality and encapsulation of
IPv6 packets into IPv4 packets to be tunneled across an IPv4
network. Most vendors supporting line-rate forwarding of
IPv4 traffic will not maintain this level of performance in an
IPv6 environment. Few vendors have anticipated this change
and even fewer have built equipment architecture that can
properly address the performance requirements of a transitional
phase to IPv6.
IPv6 as a Still-Evolving Technology—
Investment Protection?
IPv6 continues to evolve as early implementations flush out
security and stability issues and settle on interoperability
standards. Transitional technologies are a good example of
the extensive changes taking place in the market. The industry
continues to waver on its expectations for this protocol. As
a result, the path to maturity will come at the expense of
frequent changes along the way.
Enterprise and service provider networks are met with the
challenge of mitigating risks associated with IPv6 running on
their networks. They must also deploy solutions that have
the flexibility to accommodate frequent changes without
compromising network availability. New switching equipment
must have the performance to implement transitional
technologies and security at the edge of the network and
yet have the flexibility to adapt to changing standards.
Network Operating Systems—Built from the
Ground Up for IPv6?
The network OS for Layer 3 switches will require a ground-up
design to address a dual stack IPv4/IPv6 environment. Many
vendors have chosen to address IPv6 by shoehorning the
new protocol into a monolithic architecture that is ill-equipped
to address feature breadth and management requirements
of a transitional or native IPv6 network. Since networks are
typically transitional, the OS must continue to fully support
IPv4 features. It must also have the ability to turn off IPv6
completely when required for security purposes.
Network management is also a challenge. CLI design must
be completely integrated for IPv4 and IPv6. Many vendors
have resorted to poorly integrated CLIs for IPv6. These CLIs
create network management confusion and inhibit transition
to IPv6.
In addition to a ground up design built for IPv6, a network
OS must have the flexibility to adapt to inevitable changes
in strategy and implementation. This requires a modular
and highly available architecture to address the changes
with minimal network impact.
Why Extreme Networks?
History with IPv6
Extreme Networks Research and Development team members
have been involved with IPv6 since its inception, as early as
1995. This allowed initial delivery of an IPv6 implementation
in July, 2001. Not only was Extreme Networks an early pioneer
of IPv6 but it was also the first in the industry to provide
hardware-assisted forwarding and interworking/tunneling in
Ethernet core switches. Extreme Networks has leveraged
this early success and extensive experience to design next-
generation ASICs (4GNSS) and OS (ExtremeXOS™). These
key innovations were designed to optimize IPv6 performance
and security. Such a technology mix will enable
enterprise and service provider networks to safely address
the spread of IPv6 traffic today and allow a smooth and
gradual transition to IPv6 moving forward.
Flexible Architecture
With Extreme Networks Fourth-Generation ASICs
(4GNSS), IPv6 has been designed in from the beginning.
Layer 2 wire-speed forwarding is available at the edge
including protocol-based VLANs and ACLs and Layer 3 fast
path processing can be used at the core. An end-to-end fast
path solution provides exceptional performance for those
getting started, setting up IPv6 islands and requiring
transitional methods.
Extreme Networks 4GNSS is highly flexible, providing
network processor-like programmability to support rapidly
evolving networks, like those transitioning to IPv6. This
built-in programmability with respect to packet inspection,
data rewrite and frame handling allows for very short
development cycles when compared to lengthy ASIC re-spins.
Switches based on 4GNSS make use of ExtremeXOS.
ExtremeXOS is a modular, self-healing software code base
that can isolate and recover from software failures.
Next-Generation Operating System—
ExtremeXOS
Extreme Networks next-generation OS, ExtremeXOS, was
designed from the ground up for dual-stack IPv4/IPv6 performance.
IPv6 can be easily activated when required in a network.
Even when operating with IPv4 only, ExtremeXOS will
harden the network to IPv6 attacks and will allow transitional
tunneled IPv6 traffic to safely run over the network.
ExtremeXOS serves as an infrastructure for IP address
security. As equivalents to ARP and DHCP attacks of IPv4
begin to take shape in IPv6 networks, ExtremeXOS will allow
dynamic loading of modules to address these new threats.
ExtremeXOS is built on a powerful POSIX kernel that
enables modularity and portable extensions. This flexibility
protects individual software processes and allows seamless
hitless upgrade of individual modules. Dynamically upgradable
software modules address changes to standards, upgrades
to security policies, and inclusion of new functionality.
ExtremeXOS removes the bond between the software
functions by sectionalizing the many lines of code into
multiple layers. As a result, this modular approach delivers
a resilient, multi-threaded OS that increases network uptime
and can securely and gracefully evolve alongside IPv6.
ExtremeXOS also simplifies the transition from IPv4 to IPv6
from a network management perspective. IPv6 has been
cleanly integrated with the IPv4 CLI for ease of use and
quick adoption.
Summary
Clearly, IPv6 offers considerable capabilities for new
applications and improved network intelligence. It will help
postpone IP address exhaustion for the foreseeable future
and bring significant improvements over IPv4. However,
there are specific challenges whether choosing to actively
participate in the transition to IPv6 or hold off and further
evaluate. The reality is, IPv6 is already tunneled over many
networks today. It is now the responsibility of vendors to
respond with equipment that maintains performance through
the transition and that mitigates the unique security risks
associated with IPv6.
Extreme Networks has taken a ground-up approach to addressing
these challenges by completely refreshing its product
line and operating system. Doing so has allowed Extreme to
build an architecture that meets the performance, flexibility
and security requirements of IPv6 without compromising
operational simplicity. This unique commitment to IPv6 makes
Extreme Networks an industry leader in helping smooth the
transition to the next version of IP.

Appendix A:
High Level Technology Overview
Address Scheme
IPv6 expands the number of bits in the address field from 32
to 128, effectively increasing the addressing capacity of IP
networks. This provides adequate capacity to handle the
predicted growth of network connectivity well into the future.
Auto-configuration and Neighbor Discovery
Unique to IPv6 is auto-configuration, which helps it excel in
network configuration efficiency and ease of use. Auto-
configuration enables devices to automatically configure
their own IP address without requiring manual intervention.
A device may use stateful or stateless auto-configuration.
Stateful auto-configuration uses a central IP address
management server such as a DHCPv6 server to assign
addresses. Stateless auto-configuration allows a node to
configure its own address by using information available on
the network. In this case, the network provides a prefix that
is combined with the device’s interface ID to complete an
IPv6 address for the device.
Host based auto-configuration is only part of the battle in
achieving Plug and Play networking. Stateless auto-
configuration requires that switches support Neighbor
Discovery so that prefix tables are updated and correctly
assigned. Additionally, other protocols are in development
to achieve DNS and service auto-configuration, which will
help complete the Plug and Play story for IPv6. Plug and
Play functionality is especially useful for mobile technologies
because it greatly simplifies setup and configuration.
The result is a larger target market demographic, reduced
learning cycles and quicker adoption.
Mobile IP
Rapid growth in wireless technologies and mobile devices
has further exposed the inability of IPv4 to properly serve
the new networking environment. IPv6 was designed to
increase the usability of Mobile IP by offering uninterrupted
connectivity as a host moves from network to network. A
typical example is a mobile VoIP user who is now able to
arbitrarily move from network to network without dropping
the call and without even changing IP address. IPv6 uses
the concept of a “home address” that never changes to
allow a connection to appear persistent to a mobile user
regardless of location.
Built-in IPsec Security
The architecture of IPv6 is much better suited to accommodate
large-scale security than IPv4. Authentication and Encryption
protocols that are optionally bolted onto IPv4 are now
mandatory and are gracefully incorporated into the architecture
of IPv6. Specifically, IPsec is used to provide an open, standards
based method for enforcing secure communications and
ensuring data integrity.
While NAT has been credited with the security benefit of
hiding internal networks, it has prohibited large-scale
implementations of authentication and encryption. Since NAT
re-writes the IP header, it renders the IPsec non-repudiation
feature unusable. IPv6 makes full use of IPsec and allows
the use of common standards-based security policies on a
global level.
Appendix B:
IPv4 To IPv6 Transition
(How You Get There from Here)
Updated Routing Protocols
Many routing protocols have made the necessary updates to
accommodate for the transition to IPv6.
RIPng as defined in IETF RFC2080 introduces a modified
version of RIP (Routing Information Protocol) that is tailored
specifically for an IPv6 environment. Like its predecessor,
RIPng is simple to configure and implement and can be used
effectively on small to medium-sized networks.
For larger networks, a link-state protocol such as OSPF is
necessary. With the availability of OSPFv3 (IETF RFC 2740),
the necessary enhancements have been made to operate with
IPv6. OSPFv3 builds on the core functionality of OSPFv2,
will coexist with OSPFv2 and will distribute IPv6 prefixes.
Ported Protocols
BGP4 was ported to handle routing information for multiple
protocols with the intention of supporting the transition to
IPv6. This extended protocol has been labeled BGP4+ (RFC
2858) and is fully backwards-compatible with networks
running BGP4. BGP4+ has been implemented and tested
and, as a result, has gained much stability over time.
IS-IS has also been enhanced to support IPv6 routing and
will allow support for single or multiple-topology networks.
Multiple topology support will allow routing of multiple
network address families, such as IPv6 and IPv4, in the
same network. IS-IS will now forward IPv6 prefixes and
learn IPv6 route information.
PIM has also been enhanced to route to multicast groups
communicating with IPv6 and to interoperate with other
routing protocols supporting IPv6.
Transitional Technologies
Adoption of IPv6 has been free to accelerate due to
coexistence methods that offer a smooth transition from
IPv4 to IPv6. While early requirements called for mandates
of native IPv6, it is clear now that the move will be far less
abrupt. Transitional mechanisms are available to provide
interoperability between IPv4 and IPv6 hosts and allow a
gradual adoption of the technology. As a result, individual
hosts are able to deploy IPv6 at-will, independent of service
provider support for the protocol. This also frees service
providers to evaluate network and equipment readiness to
accommodate for the change.
Principal to the success of IPv6 is the coexistence of IPv6
on existing IPv4 networks. Coexistence methods include
dual-stack, tunneling and translation methods. See Table 1
for a complete list of proposed methods.
Emerging Winners of Transition Options
Only a few winners will emerge from the large pool of
proposed coexistence methods. Differences in scale,
usability and overall maturity have led to the prioritization
of available methods. The IPv6 Operations Working Group
(V6ops) has gone one step further and made specific
recommendations regarding which method should be used
based on variables such as industry, network size and
application mix.
There are two methods in particular, 6to4 and Configured
Tunnels, which have had early deployment success and
appear to be leading the pack. ISATAP has made recent
progress and may become more prevalent as well.
6to4
6to4 is becoming widely recognized as the simplest and
most popular method for interconnecting IPv6 hosts or
networks via an IPv4 transport infrastructure. It has been
deployed extensively in the 6bone network and other
interoperability trials worldwide. 6to4 requires one unique
IPv4 address for each IPv6 address space. The IPv6
Operations Working Group (V6ops) has specifically
recommended 6to4 deployment in SOHO or single-node
environments. In networks where only one switch serves
the network this method is especially useful because only
one connection is required to the IPv4 network. Each site
derives an IPv6 prefix from its gateway switch’s IPv4
address and this prefix is then used to create addresses for
all of the connections at that site.
Configured Tunnels
Configured Tunnels is less automated and offers one of the
more basic methods for interconnecting IPv6 hosts or
networks over an IPv4 transport infrastructure. Tunnels are
manually configured and remain static regardless of
network changes. Tunnel end-points are configured as dual
stack, with globally valid IPv4 and IPv6 addresses. These
devices are then responsible for encapsulating IPv6 in IPv4.
(Source: IPv6 Summit 12/04. DoD Unclassified)
Method | Proposed Standard | Description
Tunneling - Encapsulation of IPv6 within IPv4 to traverse IPv4 networks
6to4 | IETF RFC 06 | Automatically interconnects IPv6 sites via an IPv4 transport network
Configured Tunnels | IETF RFC 289 | Manually interconnects IPv6 sites over an IPv4 transport network
ISATAP | Internet Draft draft-ietf-ngtrans-isatap-2 | Automatically interconnects IPv6 hosts within a site over an IPv4 network
6over4 | IETF RFC 289 | Automatically interconnects IPv6 hosts over an IPv4 multicast network
DSTM | IETF ID draft-bound-dstm-exp-02 | Utilizes IPv4-over-IPv6 tunnels to carry IPv4 traffic within an IPv6 network
Teredo | Internet Draft draft-huitema-v6ops-teredo-0 | Automatically interconnects IPv6 hosts over an IPv4 network with NAT
Tunnel Broker | IETF RFC 0 | Automatically interconnects IPv6 hosts and small sites over an IPv4 network
6PE | IETF Internet Draft draft-ooms-v6ops-bgp-tunnel-0.txt | Interconnect IPv6 sites over an IPv4 MPLS core transport network
Translation - Translates between each protocol and allows IPv6 only devices to communicate with IPv4 only devices
SIIT | IETF RFC 26 | Defines IPv4 to IPv6 header conversion and vice versa
BIA | IETF RFC 8 | Allows dual stacked hosts to communicate with other IPv6 hosts using existing IPv4 applications
BIS | IETF RFC 26 | Allows dual stacked hosts to communicate with other IPv6 hosts using existing IPv4 applications
SOCKS | IETF RFC 089 | Relays two “terminated” IPv4 and IPv6 connections at an application layer gateway
TRT | IETF RFC 2 | A TRT system, which is located between IPv6-only and IPv4-only hosts, translates TCP/IPv6 to TCP/IPv4 or UDP/IPv6 to UDP/IPv4, and vice versa
NAT-PT | IETF RFC 266 | Provides transparent routing to and from the IPv4 and IPv6 realms as well as translation. This is achieved using a combination of Network Address Translation and Protocol Translation
Dual Stack - Full support for both IPv4 and IPv6 in routers and hosts
Table 1: IPv6 Transition/Coexistence Methods
Selecting a Transition Method: Conclusions
Fully understanding the nuances of each proposal is not an
easy task. There are benefits and weaknesses to each. Many
are plagued with scaling issues, while others suffer from
security weaknesses that make any real-world implementation
impractical.
In most cases, the methods proposed are based on evolving
drafts that continue to change as early adopters wring out
issues and learn more about the behavior of IPv6 networks.
Unfortunately, this transitional period lends itself to risk,
risk that is very difficult to mitigate. It is not at all uncommon
for networks to be passing IPv6 traffic using these translation
techniques today, without the network administrator’s
knowledge. This can have severe security implications and
should be closely monitored.
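One way to do the monitoring called for above, together with the 6to4 prefix derivation described in the 6to4 section, as an added example that is not from the white paper or any Extreme Networks product. The labels, function names and sample packets are constructed; the Teredo check is a port heuristic that only sees traffic to or from a Teredo server, and the ISATAP check relies on the 5efe interface identifier defined for ISATAP.

```python
import ipaddress
import struct

PROTO_UDP = 17
PROTO_IPV6 = 41            # IPv6 carried directly in IPv4: 6to4, configured tunnels, ISATAP
TEREDO_PORT = 3544         # UDP port used by Teredo servers
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(gateway_ipv4):
    """Derive the site prefix 2002:V4ADDR::/48 from the gateway's IPv4 address."""
    v4 = int(ipaddress.IPv4Address(gateway_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixto4_ipv4(addr):
    """Return the IPv4 address embedded in a 6to4 address, else None."""
    if addr not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def isatap_ipv4(addr):
    """Return the IPv4 address in an ISATAP interface ID (::[02]00:5efe:a.b.c.d), else None."""
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF
    if iid >> 32 in (0x00005EFE, 0x02005EFE):
        return ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None


def classify(packet):
    """Label one raw IPv4 packet: None if no tunnel is seen, else the tunnel kind.
    A '-mismatch' suffix means an embedded IPv4 address disagrees with the outer header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset:
        return None                      # later fragments carry no inner header to inspect
    proto = packet[9]
    outer_src = ipaddress.IPv4Address(packet[12:16])
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    payload = packet[ihl:]
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        return "teredo" if TEREDO_PORT in (sport, dport) else None
    if proto != PROTO_IPV6:
        return None
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return "proto41-malformed"
    inner_src = ipaddress.IPv6Address(payload[8:24])
    inner_dst = ipaddress.IPv6Address(payload[24:40])
    pairs = [(sixto4_ipv4(inner_src), outer_src), (sixto4_ipv4(inner_dst), outer_dst)]
    if any(v4 is not None for v4, _ in pairs):
        consistent = all(v4 is None or v4 == outer for v4, outer in pairs)
        return "6to4" if consistent else "6to4-mismatch"
    v4 = isatap_ipv4(inner_src)
    if v4 is not None:
        return "isatap" if v4 == outer_src else "isatap-mismatch"
    return "configured-or-other"


def scan(packets):
    """Return (index, label) for every packet that carries tunneled IPv6."""
    labelled = [(i, classify(p)) for i, p in enumerate(packets)]
    return [(i, label) for i, label in labelled if label]


def ipv4_packet(src, dst, proto, payload):
    """Constructed sample: 20-byte IPv4 header (checksum zero, not verified here) + payload."""
    header = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return (header + ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed + payload)


def ipv6_header(src, dst):
    """Constructed sample: bare 40-byte IPv6 header with next header 59 (no next header)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def sample_capture():
    """Constructed capture using documentation address ranges."""
    host = str(sixto4_prefix("192.0.2.1")[1])            # 2002:c000:201::1
    return [
        ipv4_packet("192.0.2.1", "198.51.100.7", PROTO_IPV6, ipv6_header(host, "2001:db8::1")),
        ipv4_packet("203.0.113.9", "198.51.100.7", PROTO_IPV6, ipv6_header(host, "2001:db8::1")),
        ipv4_packet("192.0.2.20", "192.0.2.1", PROTO_IPV6,
                    ipv6_header("fe80::5efe:c000:214", "ff02::2")),
        ipv4_packet("192.0.2.30", "198.51.100.9", PROTO_UDP,
                    struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0)),
        ipv4_packet("192.0.2.30", "198.51.100.9", 6, bytes(20)),   # plain TCP, no tunnel
    ]


if __name__ == "__main__":
    for index, label in scan(sample_capture()):
        print(index, label)
```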
© 2006 Extreme Networks, Inc. All rights reserved. Do not reproduce.
Extreme Networks, the Extreme Networks Logo and ExtremeXOS are either registered trademarks or
trademarks of Extreme Networks, Inc. in the United States and/or other countries.
Specifications are subject to change without notice.