For Bechtel, which is getting ready to flip the switch on an IPv6 network in the coming year, Teredo isn't a big deal. That's not because Bechtel considers Teredo safe; it's because the company won't touch it. "Teredo is off the map, not part of our game plan," Wettling said. "We're trying to avoid the additional overhead of implementing transition technology that doesn't get us to the state [in which] we want to be, which is to deploy IPv6 end to end throughout the network." For its part, Bechtel will run two separate stacks simultaneously: one for IPv4, one for IPv6. Having two separate stacks won't require twice the management time or twice the people-power, Wettling said, because the next-generation network is "a lot easier to run than IPv4." "It's absolutely amazing," he said. "We're a big company, and we have, internally, a mix of public and private addressing. We grow and shrink [address allocation] on sites according to how many people we have [in a given location]. [Bechtel's business locations] move dynamically all over the world. As we grow and shrink populations, we'll add pools of IP addresses." "The shrinkage and growth over time has created a bunch of [address fragmentation]," Wettling said. "IPv4 address blocks are not contiguous. With IPv6, everything's dynamic. We don't have to go through the process of saying 'I'm adding a new server, the address is blah blah blah.' If it's running IPv6, it gets the site prefix from an upstream router, creates its own IPv6 [address] and off we go. You can reboot 100 times and it comes up with the same address. Things like that, people don't talk about, but it's a big sigh of relief." Wettling said another driver for the no-Teredo approach is that Bechtel wants to build a solid and secure foundation for innovation. The company has been having extensive discussions with external customers as well as with its internal customers, such as the engineering and construction departments.
The parties have found opportunities to use IPv6 to improve its work methods, Wettling said, the Katrina scenario being one example, and wants to build those applications on a firm grounding. Granted, Wettling doesn't have a grudge against Teredo; he uses it at home with no problem. That said, he suggests that a company take heed if it plans to use it. If running Teredo on the host layer, for example, companies need to understand the implications, he said: "One is you need to make sure you have some local firewall to do some level of local blocking, and [make sure] it uses IPv6." Bechtel runs Cisco PIX firewalls, which support IPv6, to protect its IPv6 network, which now runs only in the lab. At this point the company is upgrading its intrusion detection/intrusion prevention systems to make sure they have the current versions of hardware and software to support IPv6. Also important when considering IPv6 from a security standpoint is to have logging facilities in place that can support IPv6. Bechtel, like many companies, keeps tabs on traffic flowing in and out of its network. "Being able to log IPv6 is important to us, so we're working on making sure logging mechanisms will record v6 sessions," Wettling said. "It's not complete yet; that's one of the last things we have to do to connect to the outside." Once the logging piece is in place, Bechtel will be able to see source and destination addresses in network traffic. The company now records which machine a given transaction originates from, as well as which user is attached to that machine. With IPv6's facility for stealth, how will Bechtel replicate that tracking? Wettling said IPv6 traffic differs from VOIP traffic, which uses a call manager or the like to set up a call but handles communication directly from P2P. IPv6 will be more similar to P2P, a technology with which companies already wrestle and that doesn't employ an external enabler.
"A lot of companies have the challenge of wrestling with, 'What do we do with IM [instant messaging]? Treat it like e-mail as far as logging, or not?'" he said. "We're still debating that within Bechtel." And after all, IPv6 and IPv4 are just protocols. At the end of the day, it's that chunk of communication they're transporting that matters. "That's where people really need to focus on security stuff: Focus on protecting what needs to be protected," Wettling said. "The transport from my standpoint doesn't make much difference. It's protecting the resource. V6 gives us the ability to do things differently. We need to understand what the security risks are, and balance them against what the business opportunities are."
The reason for tunneling protocols is that IPv4 isn't going to suddenly disappear. Rather, IPv4 and IPv6 will coexist for many years to come. There's a tremendous amount invested in the current IPv4 Internet. Also, IPv6 businesses will have to interact with those that choose to stick with IPv4 until equipment or software upgrades force the issue.
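The logging requirement described above (recording source and destination addresses for IPv6 sessions) gets harder when the IPv6 address belongs to a tunnel, because the IPv4 endpoint carrying the traffic is hidden inside it. The following is an added example, not code from the article or from Bechtel: it annotates flow-log records with the IPv4 endpoints embedded in Teredo addresses, and goes one step beyond the article by also covering 6to4, another tunneling scheme. The function names and the sample records are assumptions made for illustration.

```python
import ipaddress

# Constructed sample flow records (source, destination); every address is
# taken from documentation ranges and does not refer to a real host.
SAMPLE_FLOWS = [
    ("2001:0:c633:6401:8000:63bf:3fff:fdd2", "2001:db8::10"),  # Teredo
    ("2002:c000:0204::1", "2001:db8::10"),                     # 6to4
    ("2001:db8:1:2::5", "2001:db8::10"),                       # native IPv6
    ("192.0.2.7", "198.51.100.9"),                             # plain IPv4
]

TUNNEL_KINDS = ("teredo", "6to4")


def classify(addr_text):
    """Describe the transport behind one logged address (hypothetical helper)."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        # Log fields can be truncated or malformed; keep the record, flag it.
        return {"kind": "unparseable", "ipv4": None}
    if addr.version == 4:
        return {"kind": "ipv4", "ipv4": str(addr)}
    if addr.teredo is not None:
        # 2001:0000::/32: server IPv4 in bits 32-63; the client's external
        # IPv4 address and UDP port are stored bit-inverted in the low 48 bits.
        server, client = addr.teredo
        port = ~(int(addr) >> 32) & 0xFFFF
        return {"kind": "teredo", "server": str(server),
                "ipv4": str(client), "udp_port": port}
    if addr.sixtofour is not None:
        # 2002::/16: the 32 bits after the prefix are the IPv4 endpoint.
        return {"kind": "6to4", "ipv4": str(addr.sixtofour)}
    return {"kind": "native-ipv6", "ipv4": None}


def annotate(flows):
    """Attach the classification of the source address to each flow."""
    return [(src, dst, classify(src)) for src, dst in flows]


def tunneled(flows):
    """Return only the flows whose source is a tunneled IPv6 address."""
    return [rec for rec in annotate(flows) if rec[2]["kind"] in TUNNEL_KINDS]


if __name__ == "__main__":
    for src, dst, info in annotate(SAMPLE_FLOWS):
        print(src, "->", dst, info)
```

Recording the recovered IPv4 endpoint next to the IPv6 address lets an existing machine-to-user mapping keyed on IPv4 keep working for tunneled sessions.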