Migrating your network to IPv6
New Address
Migration Technologies: Dual Stacks and Tunnels
It is only possible to roll out IPv6 all at once in very small environments. In most cases, you will need to adopt technologies that enable a smooth migration and facilitate IPv6's coexistence with IPv4. You can combine these technologies, depending on the scenario.
The most important transition technology is the dual stack, which allows IPv4 and IPv6 to operate in parallel on a system. The advantage lies in a largely safe migration, because in case of problems, you can immediately resort to IPv4.
The disadvantage of operating a dual stack is a higher administration overhead, which can lead to a higher potential for error because, in principle, any change to the IP configuration and communication needs to be carried out for both IPv4 and IPv6. Nevertheless, dual stack is a popular migration option, since it minimizes the effect on the existing infrastructure.
If you cannot implement a dual-stack solution across the board, you can use the island solution to transition part of your infrastructure while maintaining communication through tunnels. IPv6 packets are typically tunneled in IPv4 and transferred from island to island (Figure 4) via the IPv4 infrastructure.
Tunnel technologies are always a second choice because they don't provide native IPv6 communication. In some scenarios, tunnels are useful as temporary solutions and should be considered, where appropriate, for migration planning. Various tunnel solutions exist, including:
- 6to4, 6rd: connection to the Internet
- ISATAP: IPv6 communication over IPv4 infrastructure on intranets
- Teredo: IPv6 communication across NAT devices
- DS-Lite: IPv4 communication over IPv6-only provider access networks
Keep in mind that tunnel technology is only a temporary solution that you will need to remove and replace with a native IPv6 solution.
If neither a dual-stack nor a tunnel solution is available, your last option is to translate between IPv6 and IPv4. Various translation methods have evolved for this purpose. Translation has major disadvantages and should be considered only if you have no other way to communicate. Techniques include the obsolete NAT-PT, which has been replaced by the NAT64/DNS64 approach and complemented by 464XLAT, as well as other mechanisms.
Switches and Routers
Switches are generally not directly involved in IPv6 communication; however, there are several reasons to include switches in your migration considerations:
- Management access to the switch is handled via IP.
- Some IPv6-capable switches have IPv6 security features, such as RA-Guard.
- Some switches have multilayer capabilities and thus support routing, as well as other higher-level capabilities like firewall and QoS.
Routers are the essential connection points for IP(v6) communication: if the routers do not support IPv6, no cross-subnet communication via IPv6 is possible. Router migration therefore plays a crucial role in the IPv6 transition. Fortunately, most router manufacturers have implemented good IPv6 support in their products, but beware of pitfalls: test the products, and remember to include performance tests. In some routers from well-known manufacturers, the IPv4 routing logic was implemented at a very low level, but the same care was not applied to IPv6 routing, so these systems route IPv6 an order of magnitude slower than IPv4. The IPv6 addressing plan is closely tied to router migration: without defined IPv6 subnets, the routers cannot be migrated.
Security Components
Before you even think about using IPv6 to talk to the Internet, you need to ensure that your security components provide the same level of security for IPv6 as for IPv4. Of course, this applies first and foremost to the firewall: it must fully replicate the IPv4 rule set for IPv6, and you'll need to add filters that are relevant only to IPv6, such as filters for extension headers.
One essential point in firewall configuration is the absence of NAT for IPv6. In plain talk: all systems that communicate directly with the Internet use globally unique (global unicast) addresses. These addresses are routed to your location, so internal systems are potentially reachable from outside and thus vulnerable. It is therefore essential that the perimeter firewall provides a suitable filter. You get good protection in this scenario if you add intermediate proxy systems that handle communication on behalf of the internal clients; this configuration is already best practice for IPv4.
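As an added example (not from the article), the principle above expressed as an nftables ruleset for a site that runs IPv6 without NAT: internal hosts keep global unicast addresses, only a proxy talks to the Internet, and the IPv6-only extension header filter and ICMPv6 exceptions are explicit. The site prefix, proxy address and interface names are assumptions, using the documentation prefix.

```nftables
#!/usr/sbin/nft -f
# Added example, not part of the original article. Assumed addressing:
#   site prefix   2001:db8:1::/48    internal hosts carry global unicast addresses
#   web proxy     2001:db8:1:ff::10  the only host that talks to the Internet
#   interfaces    wan0 (Internet side), lan0 (internal side)
flush ruleset

table inet perimeter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections opened from inside come back through here.
        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing: nobody on the Internet side may claim our own prefix.
        iifname "wan0" ip6 saddr 2001:db8:1::/48 counter drop

        # IPv6-only filter: the deprecated type 0 routing header (RFC 5095)
        # lets a sender dictate the forwarding path; it has no legitimate use.
        rt type 0 counter drop

        # ICMPv6 errors are required for IPv6 to work (path MTU discovery
        # above all); copying an IPv4-style "block all ICMP" rule breaks IPv6.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Outbound: only the proxy opens connections to the Internet, so
        # internal clients never expose their global addresses directly.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1:ff::10 accept

        # Inbound: the proxy's public listener is the single reachable service.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1:ff::10 tcp dport { 80, 443 } ct state new accept

        # Everything else aimed at the site prefix is logged before the policy
        # drops it; these entries show who is probing the newly routable hosts.
        iifname "wan0" ip6 daddr 2001:db8:1::/48 log prefix "ipv6-perimeter-drop: " counter drop
    }
}
```

Neighbour discovery and router advertisements are link-local and never traverse the forward chain, so they are handled on the input chain of each router interface, not here.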
Remember also that proxies must support communication from IPv6 to IPv4 systems and vice versa. Other components, such as VPN gateways, must also be checked for IPv6 capability and thoroughly tested. If you use an IDS or IPS, these systems must support IPv6 and be configured for it as part of the migration. Ensure that the following security components are considered at an early stage of the migration to IPv6:
- Network firewalls
- Application gateways
- Proxies (HTTP/HTTPS, FTP, mail, etc.)
- Remote access and VPN gateways
- Desktop firewalls and Internet security suites
- IDS/IPS
- PKI systems
- RADIUS/TACACS
- Management and monitoring systems
The last point is especially important, because quite a few management and monitoring software vendors have neglected IPv6.