IPv6 Comes of Age Despite Growing Pains
Internet Protocol Version 6 is slowly being adopted as the replacement for version 4. Touted as a more secure protocol with increased address space, portability, and greater privacy, research into this and other related protocols has increased, particularly in the context of smart grid, mobile communications, and cloud computing. For the Science of Security community, it is relevant to resiliency, composability, and policy-based governance. But despite improved features, adoption of IPv6 is proceeding at a snail’s pace with the possibility it will not be universally deployed for several more decades. One must ask why the reluctance and delay?
IPv6’s predecessor, IPv4, was first used for the ARPANET in 1983; it still routes most Internet traffic today. IPv4 uses a 32-bit addressing scheme to support 4.3 billion devices, which initially was thought to be enough. However, the growth of the Internet, personal computers, smartphones and now Internet of Things devices proved that the world needed more addresses. Use grew from 10,000 users in 1983 to 2.5 billion in 2019. The Internet Engineering Task Force (IETF) recognized this would occur 21 years ago. In 1998 it created IPv6, which uses 128-bit addressing to support approximately 340 trillion trillion (2 to the 128th) users.[i]
The basic IPv6 protocol (RFC 2460) was published in 1998. It incorporated advanced features including a new header format with less overhead, faster router processing, larger address space, more efficient processing at intermediate routers, built-in security (IPsec), better support for prioritized delivery, extensibility, and elimination of the need for the address translation that masks internal addresses in IPv4. In addition, there were economic and policy drivers: upcoming address exhaustion, native security, national policy and technical leadership were seen as factors promoting adoption.
The Internet Society expected IPv6 to be adopted fairly rapidly due to these improvements, particularly with regard to native security. It also expected cost savings as the price of IPv4 addresses would peak in 2018, and then drop after IPv6 deployment passed the 50% mark. But currently, according to Google, the world has only 20% to 22% IPv6 adoption and the U.S. only about 32%.[ii] This slow transition to IPv6 has caused significant resentment in the Internet community.[iii]
In the early 2000s, governments increasingly required support for IPv6 in new equipment. For example, in the U.S. in June 2003 Defense Department CIO John Stenbit ordered DoD to adopt IPv6 with a planned completion date of June 2008. Justification for adopting the new standard was to improve system security and service quality, forestall depletion of 32-bit address space, maintain US technological currency and stay even with commercial developments. In 2005 the US government specified that the network backbones of all federal agencies had to be upgraded to IPv6 by June 30, 2008 which was completed before the deadline. In addition, in 2010 the US government required federal agencies to provide native dual-stacked IPv4/IPv6 access to external/public services by 2012, and internal clients were to be able to utilize IPv6 by 2014. The government of the People's Republic of China implemented a five-year plan for deployment of IPv6 called the “China Next Generation Internet.” Most European governments have similarly supported deployment.
NIST lists deployment data for most .gov domains, but among .mil domains only for the open public facing sites for Air Force, Army, Navy, Marines, Defense Acquisitions University, Defense Information Systems Agency, Defense Research and Engineering Network, High Performance Computing, and the Naval Information Warfare Systems Command (NAVWAR) (NOSC).[iv] According to NIST, US government web sites are 36% IPv6 operational (as of 19 October 2019). Deployment varies within agencies and departments and among different services. For example, gov.nsa is green for DNS and web access, but red for email and DNSSEC.[v] NIST also shows overall US Government deployment has actually declined since peaking on 4 Jan 2015.[vi]
John Curran, President and CEO of the American Registry for Internet Numbers, which distributes blocks of IP addresses to North American ISPs and other network operators, said "The drop-dead deadline for external Web sites to support IPv6 is January 1, 2012. When we get to the end of 2011, we're going to have a lot of people connecting over IPv6 and that doesn't bode well for the content providers who don't support IPv6." But that connectivity proved to be dual stack technologies and IPv4 remained dominant.
Globally, a major change in the IPv6 deployment picture occurred during the two and a half years from the start of 2015 to mid-2017. Over that period the level of IPv6 adoption rose from 3% to 15%, with the majority of that rise occurring in the first half of 2017. By the end of that year, the level of IPv6 deployment was measured at some 18% of the Internet, but there was no significant further movement in that number across the first four months of 2018. Four months is probably an insufficient period to justify an assertion that IPv6 deployment has stalled, but the hiatus in the growth of the use of IPv6 is certainly a source of some concern. Today the five largest national pools of Internet users are in China, India, the United States, Brazil and Japan. Together, these five economies account for slightly more than one half of the entire current estimate of some 3.4 billion Internet users.
In the private sector, carrier networks and ISPs have been the first group to start deploying IPv6 on their networks, with mobile networks leading the way. For example, T-Mobile USA has more than 95% of its traffic going over IPv6, with Verizon Wireless next at 86%. Comcast and AT&T have their networks at 71% and 79%, respectively. Major websites are following suit with just under 25% of the Alexa Top 1000 websites currently reachable over IPv6 as of 9 Oct 2019.[vii]
The Internet Society suggests that as the price of IPv4 addresses begins to drop enterprises should sell off their existing IPv4 addresses to help fund IPv6 deployment. The Massachusetts Institute of Technology (MIT), for example, has concluded that 8 million of its IPv4 addresses were “excess” and could be sold without impacting current or future needs since it also holds 20 nonillion IPv6 addresses (10 to the 30th).[viii]
In 2008, the American Registry for Internet Numbers (ARIN) suggested that all Internet servers be prepared to serve IPv6-only clients by January 2012. Of course they weren’t. Capital costs have always been a drawback to deployment. Capital investment in IPv6 network equipment, converting and testing applications, acquiring new security tools and implementing new security procedures, managing parallel IPv4 and IPv6 networks, continued connectivity to legacy applications, dual stacks and tunneling, “always on” environments, mobile IP and mobile computing devices (direct path) and emerging technologies such as virtualization and Cloud computing were seen as expensive issues that called for delays in deployment. Older hardware that might be upgraded has been more likely to be replaced instead.
Mobile IP protocol allows location-independent routing of IP datagrams on the Internet. A mobile node has two addresses - a permanent home address and a “care-of” address. The Mobile IPv6 (RFC 3775) protocol was published in 2004. In some countries, major mobile networks are driving IPv6 adoption. Some mobile networks are taking the step to run IPv6-only to simplify network operations and reduce costs.[ix]
Verizon Wireless proactively deployed IPv6 even with an existing IPv4 network. Per reports, they had at least 70 internal instances of the same private address space, and were spending effort and money on the resulting network complexity. IPv6 deployment was a solution that simplified their network and reduced the cost of operating it. More than 80% of traffic from Verizon Wireless to major online content providers now uses IPv6. T-Mobile USA is similarly in the process of turning IPv4 off within their mobile network, operating IPv6-only.[x]
Facebook reports that they are turning IPv4 off within their datacenters; IPv4 and IPv6 from outside comes to their load balancers, and behind them it is only IPv6. The effect has been operational improvements and innovation in their software. LinkedIn and Microsoft have similarly stated an intention to turn IPv4 off within their networks. Universities have also been early deployment test locations and early adopters.[xi]
6LoWPAN, IPv6 over Low power Wireless Personal Area Networks, is an architecture intended to allow low power devices to participate in the Internet of Things. The IEEE specification allows for operation in either a secure or non-secure mode. For the Science of Security community, the creation of secure processing in low power and ad hoc environments relates to the hard problems of resilience and composability. In the IoT context, it also relates to cyber physical system security.
IPv6 security promised larger address space, IPsec with secure data communications and key exchange, better authentication, data integrity, confidentiality, safe VPNs, and encryption. But IPsec is not without its issues. Activity tracking based on IP address is a potential privacy issue for all IP-enabled devices. Device activity can be particularly simple to track when the host identifier portion of the IPv6 address is automatically generated from the network interface's MAC address. Privacy extensions for IPv6 have been defined to address these privacy concerns. Privacy extensions are enabled by default in Windows, Mac OS X (since 10.7), and iOS since version 4.3. Some Linux distributions have enabled privacy extensions as well. IPsec initially was an integral part of the base IPv6 protocol suite, but has since been made optional.
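The MAC-derived host identifier described above can be checked for in an address inventory. The following is an added example, not part of the original article: it builds the modified EUI-64 identifier defined in RFC 4291, shows that it stays the same when the host changes prefix, and flags addresses that expose a MAC. The prefixes, MAC address and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values: documentation prefixes (RFC 3849) and a
# documentation-range MAC (RFC 7042); none belong to a real host.
SAMPLE_MAC = "00:00:5e:00:53:2a"
SAMPLE_PREFIXES = ["2001:db8:1::/64", "2001:db8:2::/64"]
SAMPLE_PRIVACY_ADDR = "2001:db8:1:0:9c4e:71d2:3ab8:5f1"  # random-looking IID


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) as an int."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix, mac):
    """Address a host forms from a /64 prefix when privacy extensions are off."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers assume a /64 prefix")
    return net[eui64_interface_id(mac)]


def embedded_mac(address):
    """Return the MAC recoverable from an address, or None.

    Heuristic: a random identifier shows ff:fe in these two bytes about
    once in 65,536 cases, so treat a hit as a finding to confirm.
    """
    iid = (int(ipaddress.IPv6Address(address)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Map each address to the MAC it exposes (None means no EUI-64 pattern)."""
    return {str(a): embedded_mac(str(a)) for a in addresses}


if __name__ == "__main__":
    moved = [slaac_address(p, SAMPLE_MAC) for p in SAMPLE_PREFIXES]
    for addr, mac in audit(moved + [SAMPLE_PRIVACY_ADDR]).items():
        print(f"{addr:40} {mac or 'no EUI-64 pattern'}")
```

Both generated addresses carry the same lower 64 bits even though the prefix differs, which is the persistence that privacy extensions remove by randomizing the identifier.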
The Internet Society states that of the G20 nations, 13 are in the list of nations delivering more than 5% of their traffic to Google over IPv6. The seven G20 countries that have less than 5% IPv6 measurable are China, Indonesia, Italy, Russian Federation, South Africa, Spain and Turkey. This report conflicts with China’s China Next Generation Internet (CNGI), a five-year plan to gain a significant position in Internet development via early adoption of IPv6. China showcased CNGI's IPv6 infrastructure during the 2008 Summer Olympic Games, the first time a major world event had a presence on the IPv6 Internet. That Olympics provided the largest showcase of IPv6 technology since the inception of IPv6 in 1995.
Many broadband ISPs have IPv6 deployed to the majority of their subscribers and send the majority of their traffic over IPv6 to major content providers. For example, Comcast is actively deploying IPv6 in the US. Per the World IPv6 Launch website, Comcast has an IPv6 deployment measurement of over 66%. British Sky Broadcasting has IPv6 deployment in excess of 86%. Deutsche Telekom in Germany is at 56%, the Netherlands’ XS4ALL is at 71%, and in Belgium VOO is at 73% and Telenet at 63%; all have very significant IPv6 deployment.
Google, LinkedIn, Akamai, and Facebook are actively deploying IPv6 within their networks, and connecting to IPv6 users outside. An interesting point is that they report that delivering their services using IPv6 appears to improve user experience in terms of download times. IPv6-only datacenters are reducing operational complexity for these very large service providers.[xii]
According to APNIC, IPv6 has emerged from the “Innovators” and “Early Adoption” stages of deployment, and is now in the “Early Majority” phase. The price of an IPv4 address is near its projected 2018 peak, and cloud hosting providers are starting to charge for IPv4 addresses while leaving IPv6 services free from additional charges for address space. Increasingly, IPv4 is an unnecessary cost, and a speculative asset in one view. However, when the IPv6 protocol was first designed, it was thought of in the same terms as the telephone network — as a peer network. Every connected device was meant to be able to both initiate transactions and respond to transaction requests. Addresses were both a network locator and a persistent endpoint identifier. When we were projected to run out of IPv4 addresses the consequence was that the network could no longer admit more endpoints.[xiii]
The current view is that it is a client-server network. Clients do not need a persistent network-wide identity and only need addresses as and when they communicate with servers. Servers do not need persistent identity either these days, as the identity of a server is a name-based distinguisher rather than an address-based identifier. IP addresses are in a different role and no longer need to associate a unique public IP address with every connected endpoint. Address sharing technologies have allowed the growth of connected devices far beyond the number of unique addresses in the protocol. We’ve managed to completely redesign the architecture of the Internet. While some might suggest this effort was undertaken simply to avoid the transition to IPv6, that’s an extreme view.[xiv] But the picture of IPv6 today is certainly puzzling.
[i] https://www.networkworld.com/article/3254575/what-is-ipv6-and-why-aren-t-we-there-yet.html SEP 27, 2018
[ii] https://www.internetsociety.org/resources/2018/state-of-ipv6-deployment-2018/
[iii] https://www.theregister.co.uk/2018/09/17/microsoft_mothballs_ipv6only_network/
[iv] NOSC includes the Navy’s Cybersecurity Readiness Office which supports cybersecurity sustainment and the establishment of fleet cyber readiness through cyber baseline delivery and certification during installations. It is the conduit to turn fleet cyber readiness experiences into enterprise knowledge, ensuring continual improvement of the fleet’s cyber posture. By isolating cyber threats, improving maintenance processes, addressing operational process gaps with technical feedback to Fleet Forces Command/CPF, U.S. Fleet Cyber Command / U.S. 10th Fleet, NetOps commander, type commanders and system owners, NAVWAR unifies efforts to attain and sustain Cyber Readiness Certification.
https://www.public.navy.mil/navwar/Pages/default.aspx
[v] https://fedv6-deployment.antd.nist.gov/cgi-bin/generate-gov
[vi] https://fedv6-deployment.antd.nist.gov/cgi-bin/generate-gov
[vii] https://www.worldipv6launch.org/measurements/
[viii] https://gist.github.com/simonster/e22e50cd52b7dffcf5a4db2b8ea4cce0
[ix] https://www.internetsociety.org/resources/2018/state-of-ipv6-deployment-2018/
[x] Ibid.
[xi] Ibid.
[xii] Ibid.
[xiii] https://blog.apnic.net/2018/05/21/what-drives-ipv6-deployment/
[xiv] Ibid.