If I learned one thing from IPv6 Day, the effort by the Internet Engineering Task Force to really test the IPv6 infrastructure of the Internet, it was that the enterprise is in for some tough sledding. In short, the ability of critical infrastructure components to support IPv6 is lacking.
In fact, it’s not just lacking, it’s pathetic. Worse, the tools to manage IPv6 are equally primitive. And, of course, there’s the problem of the access providers, who apparently haven’t heard about IPv6, despite the fact that it’s been around for more than a decade.
Over the course of the last six months, I’ve been testing firewalls and routers for state and local IT departments. Part of the goal was to see if they could be configured and managed by organizations with limited staffs. Another part was to see if they would work with IPv6. The sad truth is that while some devices will at least pass IPv6 packets and accept IPv6 address assignments, the management tools are limited. On some devices, IPv6 is given lip service, if that.
In fact, to date, I have yet to test an enterprise firewall that really supports IPv6. In some cases, IPv6 is obviously an afterthought, added because there’s a place on an RFP somewhere that requires it. In others it’s not even that. If you look at the management interface, you’ll see no evidence of IPv6 anywhere. In fact, the only firewall/router that I found that actually passes IPv6 packets both ways and filters the packets properly comes from Linksys, and it’s designed for small businesses, not large enterprises. But I won’t go into the details because it’s out of production.
So what I found on IPv6 day is that it’s apparently not possible to get the enterprise firewalls that I’ve got on hand to pass IPv6 packets in any useful manner. In other words, you can’t just enable IPv6 and then make the Internet available to your users using IPv6 as you can with IPv4. In some cases, you may be able to set up a point-to-point IPv6 connection, but even that’s dicey. You can forget about using a tunnel broker-the devices can’t use the IPv6 tunnels even if the tunnel can be created.
I called Martin Levy, the director of IPv6 strategy for Hurricane Electric, the largest IPv6 backbone provider on the Internet. Levy faults both hardware vendors and ISPs for the problems that enterprises are having adopting IPv6. He suggests asking your Internet provider if they support IPv6. If not, “Get another provider,” he advises. As Levy points out, ISPs have had a dozen years to get used to the fact that IPv6 would be necessary, and that there’s really no excuse for not supporting it.
Put Pressure on ISPs, Hardware Vendors to Support IPv6
Levy also advises that organizations should make sure that the hardware they buy really supports IPv6. As he points out, there’s no reason to buy hardware that doesn’t since IPv4 addresses are already exhausted and IPv6 is inevitable. He said that if you already have reasonably new hardware, it’s possible that you can solve the problem with a firmware upgrade.
What’s frustrating is that IPv6 adoption should be fairly simple. Every version of Windows since XP SP3 supports IPv6 natively. So does every Mac OS device and so do most Linux distributions. Even some mobile devices will accept IPv6 address assignments. But all of this IPv6 in the client world does you no good if you can’t get to the outside world because your router or firewall won’t pass the packets. Even if your router or firewall will pass the packets, it doesn’t help if your ISP doesn’t support IPv6.
You can get around this to some extent if you use a tunnel broker such as the one from Hurricane Electric, which will create an IPv6 tunnel from your workstation to the IPv6 backbone, but that only works if you can get through your firewall. There are of course other ways to try the IPv6 universe, and there are sites, including Google and Facebook, that have IPv6-only sites so you can try out your connection.
But the problem of getting to the IPv6 world remains. Those handy tools that you’ve used for years to set up your IPv4 network don’t exist in the IPv6 world. The setup wizards aren’t there; the local DHCP servers are hard to find and harder to implement. The enterprise infrastructure hardware doesn’t really support IPv6, even if it claims to.
The solution is fairly straightforward. When you buy new infrastructure gear for your network, insist that it support IPv6 completely and if necessary have the vendor prove it to you. Also have the vendor prove that the gear can be supported by your existing IT staff. Part of the problem with IPv6 is that it has become the purview of consultants who know the undocumented secrets of some types of equipment and only they can make it work-for a fee, of course. But today’s IT departments can’t afford to depend on consultants for their basic needs.
As a result, it’s time that you made your infrastructure manufacturer prove that they can support IPv6, and make your ISP prove it as well. If they can’t, then don’t spend your money with them. There’s competition these days-take advantage of it.