NMSaaS Blog

IP Address Management for IPv6

Posted by John Olson on Sep 26, 2018, 4:18:05 PM
IPv4 is the zombie that won't die. Its address space has been exhausted for years, yet it still dominates the Internet. Still, it's giving ground at a rapid rate, and IPv6 support is becoming a necessity. For the foreseeable future, that means maintaining a dual stack. Public websites, at least, can't give up the old protocol yet.

IPv6 requires new ways of thinking. It's simpler in some ways. Finding enough addresses isn't a problem, and NAT is no longer a requirement. On the other hand, the size of the addresses makes it harder to work with them manually. People can remember and copy an IPv4 address, but 32 hex digits are more than most people can easily deal with. The newer protocol has more kinds of addresses with reserved prefixes. It has more options and features.

In a pinch, it's possible to configure a simple IPv4 network entirely by hand. This just isn't feasible with IPv6. Address management becomes more important.

Managing the dual stack

A dual stack doesn't require that every device have both types of address. Some older devices may not support IPv6. Ones which don't need legacy compatibility can do without IPv4. What's important is to identify all devices on the network by all their addresses, and to have a mapping between the addresses that belong to the same device.

Tunneling is sometimes necessary when IPv6 hosts have to talk across segments or providers that still carry only IPv4. With this approach, an IPv6 packet is encapsulated in an IPv4 packet (IP protocol 41 for 6in4 and 6to4; Teredo wraps it in UDP instead). Doing this has its problems and should be used only with caution: the inner addresses are invisible to anything that inspects only the outer IPv4 header. Monitoring a network with a lot of tunnels is problematic.

Your devices may be using IPv6 even though you don't know it. Microsoft regards it as a mandatory part of Windows, recommends against disabling it, and warns that some components, Exchange Server among them, may not work correctly without it. Assuming that the protocol is present only where it was explicitly enabled is a mistake. Any computer running a modern operating system already has a link-local address and will accept router advertisements, so an "IPv4-only" network is in practice a dual-stack network whose IPv6 side nobody is watching.

Saying goodbye to NAT

Network address translation (NAT) was born of necessity. It's a way to get enough local addresses for a network even though they're scarce on the public Internet. It's not a security measure, or at least not a good one. It hides internal addresses from the outside, but an attacker who has a foothold inside the network, or who receives an outbound connection from a NATed host, sees and reaches the internal devices regardless of the mapping. The protection people attribute to NAT actually comes from the stateful firewall that sits beside it.

It's possible to do NAT with IPv6 (NAT66 and prefix translation, NPTv6, both exist), but there's rarely a good reason to. The firewall should protect devices from inappropriate access, rather than relying on address mapping. Using mapped addresses just complicates Internet access and troubleshooting. If a device shouldn't be on the Internet at all, it can use a ULA (unique local address) as its only address.

Dealing with multiple addresses

With IPv4, a device has one primary address. An IPv6 interface typically has more than one, and all of them have equal status. There are three main kinds of unicast addresses in use today: link-local, unique local, and global. (A fourth kind, site-local, fec0::/10, was deprecated in 2004 and should not appear in new deployments.) Different types of addresses are distinguished by their prefixes, which are the highest-order bits of the address.

Every interface has a link-local address, in fe80::/10. The protocol doesn't work without it: neighbor discovery and router advertisements are exchanged between link-local addresses. Its interface identifier can be generated from the MAC address but doesn't have to be, as long as it's unique on the link. It's valid only within the network segment and is never routed.

In addition, a device will normally have a unique local address (ULA), a global address, or both. A ULA comes from fc00::/7 (in practice fd00::/8, with a randomly chosen 40-bit global ID so that two organizations' ULA ranges are unlikely to collide when they merge or connect). It is valid within an organization and, unlike a link-local address, can be routed between internal subnets, but it is not routed on the public Internet. It is the replacement for the deprecated site-local address type. It's useful when a device should be reachable only on the local network and never needs to connect to the Internet. It's an independent address, not a NAT mapping.

A global unicast address (currently allocated from 2000::/3) is one which is routable on the Internet. It is made up of a global routing prefix assigned by the provider, a subnet ID chosen by the organization, and a 64-bit interface ID that identifies the host within that subnet.

Devices listen on multicast addresses (ff00::/8) as well as unicast ones. IPv6 has no broadcast; multicast takes its place and is more selective, with a scope field in the address that says whether a group is interface-local, link-local, site-local, organization-local or global. A device can belong to any number of multicast groups, joining or leaving them as necessary, and every node is always a member of at least the all-nodes group ff02::1 and the solicited-node groups for its own addresses. A packet sent to a multicast address goes to every device that has joined that group.
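The prefix rules above are exactly what an IPAM tool applies when it labels a discovered address. The following classifier is an added example written for this page, not code from NMSaaS; it uses only Python's standard `ipaddress` module, and the address list at the bottom is constructed sample data, not a real host's output.

```python
import ipaddress

# Prefix table for the address types discussed above (RFC 4291, RFC 4193, RFC 3879).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")        # ULA; fd00::/8 is the locally assigned half
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")         # deprecated by RFC 3879
MULTICAST = ipaddress.IPv6Network("ff00::/8")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Multicast scope: the low 4 bits of the first 16-bit group (RFC 4291 section 2.7).
MULTICAST_SCOPES = {
    0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
    0x5: "site-local", 0x8: "organization-local", 0xE: "global",
}


def classify(text: str) -> str:
    """Return a human-readable address type for one IPv6 address string."""
    addr = ipaddress.IPv6Address(text)
    if addr in MULTICAST:
        scope = MULTICAST_SCOPES.get((int(addr) >> 112) & 0xF, "reserved")
        return f"multicast, {scope} scope"
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_loopback:
        return "loopback"
    if addr.ipv4_mapped is not None:
        return f"IPv4-mapped ({addr.ipv4_mapped})"
    # Explicit prefix checks rather than is_private/is_global, because Python treats
    # documentation space (2001:db8::/32) as private and would mislabel it.
    if addr in LINK_LOCAL:
        return "link-local unicast"
    if addr in UNIQUE_LOCAL:
        return "unique local unicast"
    if addr in SITE_LOCAL:
        return "site-local unicast (deprecated, RFC 3879)"
    if addr in GLOBAL_UNICAST:
        return "global unicast"
    return "reserved/unassigned"


def classify_all(addresses):
    """Group an interface's addresses by type, the way an inventory view would show them."""
    grouped = {}
    for a in addresses:
        grouped.setdefault(classify(a), []).append(str(ipaddress.IPv6Address(a)))
    return grouped


if __name__ == "__main__":
    # Constructed sample: the address set one dual-role host might show in `ip -6 addr`.
    sample = ["fe80::21c:42ff:feab:cdef", "fd12:3456:789a:1::10",
              "2001:db8:1:2:21c:42ff:feab:cdef", "2001:db8:1:2:7d3e:9a01:44f2:1c60",
              "ff02::1", "ff02::1:ffab:cdef", "ff05::1:3", "fec0::1"]
    for kind, addrs in classify_all(sample).items():
        print(f"{kind}: {', '.join(addrs)}")
```

Order matters in the checks: the multicast, unspecified, loopback and IPv4-mapped cases are carved out of the unicast ranges before the prefix comparisons run, and a site-local hit is worth reporting separately because it usually means a stale configuration that predates the ULA standard.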

This multiplicity of addresses would be overwhelming to anyone trying to manage a network manually. Software to assign addresses based on device and system requirements is necessary.

Assigning IPv6 addresses

DHCP works for IPv6, but it's just one of the options. It has the advantage of familiarity and provides central control and logging of who got which address. It's also called stateful assignment, because the DHCPv6 server maintains state information on every device. This approach requires each device to request an address from the central server. Two things are different from IPv4: a host only asks a DHCPv6 server if the router advertisement on the link tells it to (the M flag), and DHCPv6 never hands out a default gateway, which still comes from the router advertisement. Even a fully DHCPv6-managed network therefore depends on neighbor discovery.

An alternative approach is stateless address autoconfiguration, aka SLAAC. A host learns the /64 prefix from router advertisements and appends its own 64-bit interface identifier, so there is no central server and no single point of failure, which makes it easier to run in a large network. Classically the interface identifier is the modified EUI-64 derived from the interface's MAC address. That makes the address predictable and reveals the hardware vendor, so most modern operating systems instead generate temporary randomized identifiers that rotate periodically (privacy extensions, RFC 4941) or stable but opaque ones (RFC 7217). Uniqueness is not guaranteed by the derivation, since duplicate MACs do turn up in cloned virtual machines and cheap hardware; every host runs duplicate address detection on each new address before using it. For address management, the consequence is that one host may cycle through many global addresses over time, so an inventory has to be keyed by something more stable than the address itself, such as the link-layer address the router's neighbor cache associates with it.

Whichever assignment method is used, it's necessary to track all devices to make sure that everything which should have an IPv6 address does, to map each address back to the device that holds it, and to confirm that no duplicates or rogue addresses exist. IPAM software plays an important role.
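To make the SLAAC discussion and the tracking requirement concrete, here is an added example (written for this page, not NMSaaS code) that builds an EUI-64 address from a MAC, recovers the MAC from such an address, and audits a neighbor-cache listing for duplicates, mismatches and non-EUI-64 addresses. The neighbor entries are constructed sample data; the MACs and the 2001:db8: prefix are documentation values, not a real network.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 appendix A):
    split the MAC in the middle, insert ff:fe, and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address SLAAC forms from an advertised /64 prefix and an EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address. Returns None when the interface
    ID lacks the ff:fe marker, i.e. a privacy (RFC 4941), RFC 7217, DHCPv6 or manual
    address. A random ID can carry ff:fe by chance, so treat the result as a hint."""
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def audit_neighbors(entries):
    """entries: (ipv6_address, mac) pairs as a router's neighbor cache lists them.
    Reports addresses answered by more than one MAC, EUI-64 addresses whose embedded
    MAC disagrees with the MAC that answered, and addresses not derived from a MAC."""
    by_addr = {}
    for address, mac in entries:
        by_addr.setdefault(str(ipaddress.IPv6Address(address)), set()).add(mac.lower())
    duplicates = {a: sorted(m) for a, m in by_addr.items() if len(m) > 1}
    mismatched, non_eui64 = [], []
    for address, mac in entries:
        canonical = str(ipaddress.IPv6Address(address))
        embedded = mac_from_eui64(address)
        if embedded is None:
            non_eui64.append(canonical)
        elif embedded != mac.lower():
            mismatched.append((canonical, mac.lower(), embedded))
    return {"duplicates": duplicates, "iid_mismatch": mismatched, "non_eui64": non_eui64}


# Constructed neighbor-cache sample (not captured from a real router).
SAMPLE_NEIGHBORS = [
    ("fe80::21c:42ff:feab:cdef", "00:1c:42:ab:cd:ef"),
    ("2001:db8:1:2:21c:42ff:feab:cdef", "00:1c:42:ab:cd:ef"),
    ("2001:db8:1:2:7d3e:9a01:44f2:1c60", "00:1c:42:ab:cd:ef"),   # privacy address, same host
    ("2001:db8:1:2:21c:42ff:feab:cdef", "00:50:56:11:22:33"),    # a second MAC answering for it
]

if __name__ == "__main__":
    print(slaac_address("2001:db8:1:2::/64", "00:1c:42:ab:cd:ef"))
    for key, value in audit_neighbors(SAMPLE_NEIGHBORS).items():
        print(key, value)
```

The last sample entry triggers two findings at once: the same global address is claimed by two link-layer addresses (a duplicate, whether from a cloned VM or a deliberate spoof), and the second claimant's MAC does not match the MAC baked into the interface identifier. The privacy address is reported as non-EUI-64 so that the inventory can attach it to the host by MAC rather than treating it as an unknown device.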

Addressing security issues

In a dual-stack network that still has IPv4-only segments, IPv6 tunneling is sometimes needed. As mentioned earlier, this can introduce problems. With automatic tunnels such as 6to4, where the IPv4 endpoint is derived from the IPv6 address, an attacker can craft an encapsulated packet whose inner IPv6 destination maps back to the router that sent it; the two endpoints then bounce the packet between themselves until its hop limit is exhausted (this routing-loop attack is documented in RFC 6324). A DoS attack could use this method to overload a router. Tunneled traffic can also bypass a firewall that inspects only the outer IPv4 header and never looks inside protocol-41 packets.
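The sanity checks a 6to4 decapsulator should apply (RFC 3964 section 5) are short enough to show in full. This is an added example written for this page, not NMSaaS code and not a complete router implementation: it builds minimal protocol-41 packets as test data (checksums left at zero, constructed addresses from the documentation ranges), parses them, and decides whether a router with the given IPv4 address should decapsulate. The loop case is the one described above, an inner destination that embeds the outer source.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41                                   # 6in4 / 6to4 encapsulation, RFC 4213
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")    # 2002:WWXX:YYZZ::/48 embeds IPv4 W.X.Y.Z


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Constructed test packet: IPv4 header (protocol 41) around a minimal IPv6 header.
    The IPv4 checksum is left at zero; this is sample data, not wire-ready output."""
    inner = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)   # ver 6, next hdr 59 (none), hop limit 64
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed + payload
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0,
                        ipaddress.IPv4Address(outer_src).packed, ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


def parse_6in4(packet: bytes):
    """(outer_src, outer_dst, inner_src, inner_dst) for a protocol-41 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_IPV6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 40 or packet[ihl] >> 4 != 6:
        return None
    return (ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20]),
            ipaddress.IPv6Address(packet[ihl + 8:ihl + 24]),
            ipaddress.IPv6Address(packet[ihl + 24:ihl + 40]))


def embedded_v4(addr):
    """IPv4 address embedded in a 6to4 address, or None for any other address."""
    if addr in SIX_TO_FOUR:
        return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
    return None


def decap_decision(packet: bytes, my_v4: str):
    """Should a 6to4 router whose IPv4 address is my_v4 decapsulate and forward this packet?"""
    parsed = parse_6in4(packet)
    if parsed is None:
        return ("ignore", "not a 6in4 packet")
    outer_src, outer_dst, inner_src, inner_dst = parsed
    me = ipaddress.IPv4Address(my_v4)
    if outer_dst != me:
        return ("drop", "outer destination is not this router")
    # RFC 3964: a 6to4 source must embed the IPv4 address the packet actually came from.
    src_embedded = embedded_v4(inner_src)
    if src_embedded is not None and src_embedded != outer_src:
        return ("drop", f"6to4 source embeds {src_embedded} but packet arrived from {outer_src}")
    # Only deliver into our own 2002:<my_v4>::/48; anything else would be re-encapsulated
    # and forwarded on, which is how a router becomes a relay in the loop attack.
    my_site = ipaddress.IPv6Network((int(ipaddress.IPv6Address("2002::")) | (int(me) << 80), 48))
    if inner_dst not in my_site:
        if embedded_v4(inner_dst) == outer_src:
            return ("drop", f"inner destination would be tunneled straight back to {outer_src} (loop)")
        return ("drop", "inner destination is outside this router's 6to4 site")
    return ("accept", None)


if __name__ == "__main__":
    ROUTER = "192.0.2.1"                       # constructed: this router's public IPv4 address
    legit = build_6in4("198.51.100.7", ROUTER, "2002:c633:6407::1", "2002:c000:201::5")
    bounce = build_6in4("203.0.113.9", ROUTER, "2001:db8::1", "2002:cb00:7109::1")
    for name, pkt in (("legit", legit), ("bounce", bounce)):
        print(name, decap_decision(pkt, ROUTER))
```

A perimeter firewall that cannot see inside protocol 41 should simply not accept it from unknown IPv4 endpoints; where a tunnel is deliberate, these decapsulation checks belong on the tunnel endpoint itself, because the outer IPv4 addresses alone look entirely ordinary.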

Multicast addresses aid in discovery within a network (all-nodes ff02::1 and all-routers ff02::2 are how neighbor discovery finds hosts and gateways), but if they're carelessly used, they also help outsiders to engage in reconnaissance. The network should not forward multicast across its perimeter and should limit outside access to multicast addresses as much as possible.

IPv6 isn't inherently less secure, but moving to a new technology always has its dangers. A lack of administrative experience with the newer protocol can increase security risks. Firmware and application software are less mature and may have bugs. Good IPAM software reduces the chances that human error and software problems will cause serious trouble.

Keeping control with IPAM

The growth of IPv6 has been dramatic. In 2010, it was a rarity. Currently, to cite just one measure, it accounts for about a quarter of the traffic Google sees. This increase is sure to continue. The leading mobile networks, which account for a growing proportion of the Internet, already carry well over half of their traffic on IPv6. Not only are IPv4 addresses exhausted, but cloud systems and the IoT have drastically increased the need for a large address space. Devices which need their own Internet address, such as VoIP phones, can't settle for NAT tricks. Networks simply have to make IPv6 a first-class participant.

IPAM software lets you keep control of the more complex world of 128-bit addresses. These are some of the benefits:

  • Scanning and discovery of addresses. There are probably more IPv6 devices on the network than you realize, and because one host can hold several addresses that change over time, discovery has to tie every address back to a device. Keeping track of them all helps to identify any issues and keep problems from arising, and it makes sure there are no duplicate addresses.

  • Identification of subnets. Proper allocation of subnets makes a network more secure, minimizing the exposure which servers and other critical systems have. Seeing the organization of subnets and identifying the systems which belong to them makes the management task easier.

  • Location of non-IPv6 devices. Some older devices may not be IPv6-capable or have it disabled. Upgrading them, if possible, will let the network run more smoothly.

  • Identification of unauthorized devices. Tracking all IP addresses helps in identifying "shadow IT" devices that network administrators didn't know about. Learning about them lets administrators diagnose or prevent network problems.

The days of 192.168.1.1 were a simpler time. With IPv6, management of addresses is more complicated. It's necessary to understand all the options and not try to do everything the old way. Having a good set of software tools, as an aid to expert management, is more important than ever.

Topics: IPAM
