It’s here, it’s big, it’s scary, and there’s nothing we can do about it. Since June 6, 2012, IPv6 has been deployed and ready for transition. Why hasn’t the world changed to a dominant IPv6 structure yet? Because we are comfortable with version 4. We understand it, it is easily readable, and we can memorize the addresses. Most of all, the true fear is fear of the unknown and the fear of losing NAT (Network Address Translation). What most people don’t understand is that with IPv6 NOTHING REALLY CHANGES. The only real change is the loss of NAT, and NAT was not designed for security but to save IPv4 addresses from being exhausted. Despite that, global IPv4 address exhaustion occurred on January 31st, 2011. It’s time to switch, and it’s better to jump in head first and embrace IPv6 now than to scramble to transition later to avoid being left behind.
Two big obstacles are preventing IPv6 from being fully implemented across the globe. The first is that IPv6 and IPv4 do not communicate with each other. The result is a separate network running alongside IPv4 networks, in which IPv6 addresses cannot communicate with IPv4 addresses and vice versa. This problem is solved by using tunneling solutions such as 6to4, Teredo (enabled by default on Windows Vista and higher), and ISATAP. The most widely deployed solution is currently 6to4 (on both Windows and Unix-based systems). On Unix-based systems, Teredo is available only via third-party software. Tunneling as a solution would not be an issue if more organizations switched to IPv6 or, at a minimum, dual-stacked (ran both IPv4 and IPv6) in their infrastructure.
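Each of the tunneling mechanisms named above embeds an IPv4 address in the IPv6 address it assigns, so the mechanism behind an address seen in a log or interface listing can be recognized from the address alone. The following Python script is an added example, not part of the original post; the function names and sample addresses are constructed for illustration, and the ISATAP check is a heuristic on the interface identifier.

```python
import ipaddress

# ISATAP interface identifiers start with 0000:5efe or 0200:5efe (RFC 5214);
# the low 32 bits carry the IPv4 address. Matching on them is a heuristic.
ISATAP_MARKERS = {0x00005EFE, 0x02005EFE}


def classify(addr: str):
    """Return (mechanism, embedded IPv4 info or None) for one IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip.sixtofour is not None:          # 2002::/16, IPv4 in bits 16-47
        return "6to4", str(ip.sixtofour)
    if ip.teredo is not None:             # 2001::/32, (server, client) pair
        server, client = ip.teredo        # client IPv4 is stored bit-inverted
        return "teredo", f"server={server} client={client}"
    iid = int(ip) & 0xFFFFFFFFFFFFFFFF    # lower 64 bits: interface identifier
    if (iid >> 32) in ISATAP_MARKERS:
        return "isatap", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    return "native", None


def summarize(addresses):
    """Group addresses by mechanism; non-IPv6 input is reported as 'invalid'."""
    report = {}
    for a in addresses:
        try:
            kind, embedded = classify(a)
        except ipaddress.AddressValueError:
            kind, embedded = "invalid", None
        report.setdefault(kind, []).append((a, embedded))
    return report


# Constructed sample addresses built from documentation ranges.
SAMPLE = [
    "2002:c000:204::1",                        # 6to4 for 192.0.2.4
    "2001:0:c633:6401:8000:63bf:3fff:fdd2",    # Teredo
    "fe80::5efe:192.0.2.33",                   # ISATAP, link-local prefix
    "2001:db8:1:2:0:5efe:c633:6407",           # ISATAP, global prefix
    "2001:db8::1",                             # native IPv6
    "192.0.2.1",                               # IPv4, not an IPv6 address
]

if __name__ == "__main__":
    for kind, items in summarize(SAMPLE).items():
        for addr, embedded in items:
            print(f"{kind:8} {addr:40} {embedded or '-'}")
```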
The second major obstacle is the loss of NAT. IPv6 addresses are globally routable from the internet, which means that every device in an IPv6 network has an IP address that can be addressed directly from the internet, rather than through the external address of the router. Information Technology professionals wrongly fear the loss of NAT as a blow to security, because NAT hides internal private addressing schemes from the global internet. As any network security expert will say, “Security through obscurity is not security.” Most modern home/consumer routers already implement IPv6 firewalls that automatically block all inbound traffic based on destination IPv6 address. In corporate networks, a typical firewall provides this functionality. It also means the port-forwarding restriction of NAT, under which all traffic on a specific port can only go to one private IP address and therefore one device, no longer applies.
Resistance is futile, but it doesn’t have to be scary. DHCPv6 works exactly the same way as standard DHCP (but also allows Stateless Address Autoconfiguration, AKA SLAAC), and DNS servers already implement AAAA records for IPv6 addresses (don’t be afraid of long, scary addresses). Internet providers have already implemented dual-stack IPv4 and IPv6, so it’s time to make the jump and embrace IPv6.