Ittechtips.com’s Blog

What are the trends pressuring us into IPv6 adoption, making it a business continuity issue for continued Internet operations and growth? We have been tracking several trends  like IPv4 address depletion which are well known, while others may be less obvious. Here are several of the major trends:

• -IPv4 Address block depletion
• -Growth of the routing tables in the Internet core
• -The growth of the number of Internet subnets
• -The growth of IPv6 Internet subnets
• -The growth of the ‘Internet of Things’ - thin devices, sensors, etc. communicating to each other on the Internet
• -The growth of eCommerce and its impact to the worldwide economy

An overlay of these trends show that there will be an increasing gap beginning in approximately 2011 where there will be more “operational pain” as the current IPv4 Internet will have major scaling problems, causing operational issues until IPv6 catches up everywhere in approximately 2015.

For years, there have been many warnings from the top experts in the Internet community about these trends:

• “In order to sustain the impressive speed of Internet innovation and ensure a healthy Internet economy for the future, we recommend that content providers make their services available over IPv6,” - Axel Pawlik, Managing Director RIPE NCC. 
• “.. With only 19% of IPv4 address space remaining, ARIN is now compelled to advise the Internet community that migration to IPv6 is necessary for any applications that require ongoing availability of contiguous IP number resources.” –ARIN Board 2007
• “If deployment <of IPv6> is delayed, the future growth and global connectivity of the Internet will be negatively impacted.” –Internet Society (ISOC) FAQ on IPv4/v6
• “.. in 2011, IPv6 must be in use by public-facing servers” –John Curran, ARIN Chairman, COO ServerVault  
•  “.. the Internet has been evolving, and IPv6 is the next major revolution that has to happen soon. ” –Vint Cerf, Internet Pioneer

What is a simple enterprise network upgrade plan, to truly “Operationalize IPv6”, that will stay just ahead of these trends in a cost effective way? Here’s Command Information’s suggested timeline:

2008-2009:

o   Change your procurement to require IPv6-capable applications, IT infrastructure, and IT service – and actually test for conformance! This step allows you to use regular tech refresh to really get IPv6-optimized IT components in place by 2012, and pushes your vendors to actually build them!

o   Train your IT staff on IPv6 security and network operations, and ensure your support contractors are experts in IPv6

o   Create your IPv6 transition plan – and be sure to address security compliance and IPv6 in strategic IT technology implementation

By 2010:

o   Get your external facing servers and application (web portals, e-mail, DNS, etc…) working on production-grade IPv6 connections

o   Get your IPv6 security/IA plan in place and activated. IPv6 may already be running in your enterprise and IPv6 tunneling bypasses most current firewalls and IA infrastructure.

2010 - 2011

o   Pilot IPv6 ISP connections in to your enterprise – after your v6 security infrastructure  is in place and tested!

o   Pilot native IPv6 connections to users on your operational network

o   Pilot IPv6 user and desktop applications via new common desktop and server builds.

o   “Operationalize” IPv6 throughout your enterprise, slice by slice, to ensure that all applications, IT systems, and software within your enterprise are running IPv6 NLT Q4  2011

Original article was written by Mr. Dave Green of Command Information and can be found here http://www.commandinformation.com/blog/?p=80

Domain Name System (DNS) is perhaps the most critical application running on the Internet since most every other applications utilizes it to look up IP addresses associated with domain names. The recent US Federal Government OMB M-08-23 memorandum “Securing the Federal Government’s Domain Name System Infrastructure“ mandates US Government Agencies to upgrade their DNS servers for DNS Security (DNSSec) cryptographic authentication and data integrity services by December 2009.

This update will be combined with a requirement to serve IPv6 AAAA records, and the combination of the two cause DNS performance to drop to about 33% of current levels - maybe worse if you have an older server. DNSSEC will require both servers and resolvers/validators to do more work, but the projected impact depends on where the particular component is in relation to the DNS.  Authoritative servers do not, for the most part, generate signatures during runtime, but will be constructing larger replies to queries (especially negative replies). To mitigate this risk, Federal agencies should add more DNS server capability, increase the network bandwidth assigned to service DNS servers, and seek out DNS server implementations with increased memory, processor speed, and optimized architecture for serving these new requirements. More information on DNSSec impact is available from:

Command Information is currently evaluating DNS servers for optimization with IPv6 AAAA records and DNSSec. Currently the following vendors are undergoing evaluation by our CommandReady team:

• Exploring the Overhead of DNSSEC” (PDF file)  
• NIST DNS Security Site
• RFC 4641 DNSSec Operational Procedures

• Infoblox DNSOne

• InfoWeapons SolidDNS

 Vendors of other products should add their product name to this blog and contact us if they need product development or validation services.

Original article was written by Mr. Dave Green of Command Information and can be found here http://www.commandinformation.com/blog/?p=76