One of the items on the research agenda for this year is IPv6. In almost every survey we launch, we have a question about IPv6 to keep a pulse on what is happening in and around the topic. To date while the topic is acknowledged and recognized as something that needs to be addressed, we find over and over again, it is just not a priority for the typical enterprise. Everyone appears to be taking a wait and see attitude. This approach seems logical in light of the very low level of IPv6 traffic that is currently traversing the Internet. So unless the enterprise business is dependent on the public facing Internet or for some reason has the need for a large number of IPv6 addresses in the near future, there does not appear to be any driving need to implement IPv6 across the board. In recent weeks, several network infrastructure vendors including Blue Coat and Akamai have stepped up their abilities to handle IPv6 traffic and this points to some issues that could provide the ultimate tipping point, if not for full IPv6 adoption in the enterprise, at the very least a reason for better IPv6 readiness.
On April 3, Blue Coat announced version 9.0 of the PacketShaper operating system that runs on the Blue Coat PacketShaper appliances. The focal point of this announcement, in addition to added support for video and other rich media, is IPv6 visibility. Blue Coat makes a case for what you don’t know might be hurting you. Blue Coat argues that the growing number of IPv6 enabled endpoints (i.e. smartphones and tablets) coupled with dual stack implementations of routing code, address management, and WAN services (with IPv6 turned-on) are generating new unseen traffic on the enterprise networks, which Blue Coat is calling “shadow networks.” In a report by Arbor Networks, DDoS attacks are being reported on IPv6 enabled networks. The report goes on to state that network operators are concerned about having sufficient visibility and mitigation capabilities to protect IPv6-enabled properties. Users expressed further concerns that IPv6 security features were not yet on par with those found on IPv4 devices.
While Akamai’s business model requires that they adopt IPv6 sooner rather than later, even though only .5% of their current Internet traffic is IPv6 today, Akamai has spent nearly two years getting its network infrastructure ready. Akamai has dedicated a web page to IPv6 readiness and migration. In April, Akamai began rolling out built-in IPv6 support for its major product lines. What is worth noting is what was uncovered in the testing process. First, Akamai observed malware, which is already out there and can scan and attack sites over IPv6. Second, Akamai also discovered that several major ISP networks are not peering with each other over IPv6 and thereby causing backbone routing issues. For a globally distributed enterprise doing IPv6 on their own, it would mean that some percentage of IPv6 clients might experience connectivity issues which may be difficult to detect and troubleshoot from inside the corporate data center since the problem is on the service provider end.
Options for the Enterprise
Any business with an outward, public facing Internet presence does not want to prevent legitimate IPv6 traffic from reaching its web-based applications. However, the prospect of updating all the firewall, networking, and web server equipment to accommodate IPv6 is a daunting prospect from both a resource and financial perspective. So what can an enterprise do in the near term to protect against IPv6-based threats on their network? There are two possible options that do not require a major forklift upgrade to the existing infrastructure. Companies that have existing ADCs can leverage built-in IPv6 Web Application Firewalls (WAFs) and other IPv6 enabled security features available on these devices if they have not already done so to prevent DDoS attacks and help mitigate security risks that IPv6 traffic might represent. A second option would be to leverage services like those of Akamai, in which case Akamai servers become the public facing Internet. Since, Akamai servers are already dual-stacked configured, customers do not need to make any changes to their backend infrastructure. Either of these options provides at least an interim step to protect against threats from IPv6 until internal IPv6 policies and upgrades can be fully implemented. In the meantime, it seems that security issues and concerns might just be the tipping point for IPv6 readiness and adoption. It would also appear to be a point of convergence for IT security and networking teams to work together, since visibility and mitigation in this case, go hand in hand.
Note: For more information on IPv6 enabled ADCs, Network World recently preformed a Clear Choice test on IPv6 enabled ADCs.