ARIN's John Curran warns of IPv6 misconfigurations, but sees migration issues dwindling

John Curran, ARIN

 

John Curran, President of the American Registry Internet for Internet Numbers (ARIN), who once spent stints at XO Communications, is leading the Internet's ongoing migration from IPv4 to IPv6. While World IPv6 Day in June went off with little, if any, impact on traditional users, Curran points out that the main issues will be found in users that have devices that aren't configured correctly for IPv6, meaning that if you're connected to v6 Internet, but you don't actually have a connection to v6, you won't be able to access certain websites.

To counteract potential IPv6 connection issues, Curran argues that the goal of the IT and Internet industry should be to drive down the cases of people with misconfigured devices to access to IPv6 to a minimum.

FierceTelecom's Editor Sean Buckley recently caught up with Curran to talk about the ongoing migration to IPv6 and what it means to the everyday consumer and business user.

FierceTelecom: We're about a month out from World IPv6 Day. What were some of the lessons learned by ARIN and others during the event?


"What we're really going to find is (that) people who have v6 turned on their PC, but aren't actually connected to Internet with v6, are the ones that will experience problems."

John Curran: Users who are configured to access websites and only have v4 turned on won't see a change, and users who have had v4 and v6 turned on will suddenly access these websites via v6, but that's also working fine since it's been standardized now for a dozen years. What we're really going to find is (that) people who have v6 turned on their PC, but aren't actually connected to Internet with v6, are the ones that will experience problems.

It's not a protocol problem, but rather a misconfiguration problem. It won't be a surprise if you turn on your machine and tell your machine you're connected to v6 Internet, but you don't actually have a connection to v6--it shouldn't be a surprise to anyone you can't access it. Those are the cases we're really finding. It's simply a matter of telling people: 'we'd like you to turn on v6 as an access service and state that, but if not, just make sure however you connect to the Internet is how you configured your machine.'

FT: One of the other growing concerns for service providers and customers centers on the broadband home gateway. Do you think there will be more activity around the home network by service providers implementing IPv6 in the home network?

JC: There are a lot of folks, including Comcast which has a fairly large v6 broadband initiative, and I am sure their users who have v6 didn't have a problem. It's really a question of trying to make sure when a content company wants to turn on v6 to be ready for the future, that the number of users impacted is relatively low. You could have had IPv6 configured on your machine for years and not even know, so they want to make sure it isn't the case anymore. The point is to drive those cases where people who have it misconfigured down to a very low number so it's safe for content providers to use IPv6 every day.

FT: Are there any actions consumer users need to take to ensure they are ready to take advantage of IPv6 as service providers roll it out in their last mile network and the devices they use on the home network will work appropriately?

JC: This all has to do with your desktop. If you have gone in and turned on connection to IPv6 on your laptop when you actually don't have an IPv6 connection to the Internet, it's possible to your Web browser is going to be confused and try sending IPV6 packets. It's a local configuration problem. ARIN, for example, has turned on IPv6. We'll get a call that says our website is not accessible, but that's because the user needs to get real IPv6 capability or turn it off. I don't mind that because it's only a call or two a month. You can't safely turn on v6 if there's a significant amount of people who have had it misconfigured and never knew it.

FT: In making the ongoing transition from IPv4 to IPv6, security has been cited as another concern. Do you see any major issues regarding security?


"I had one CIO tell me he did not want to turn on V6 because he was worried about security. I said that's the exact wrong answer."

JC: Again, IPv6 is not that different than IPv4. We know the protocol works. You can run firewalls; you can run load balancers; and you can run your security infrastructure. It is true that organizations need to pay attention to IPv6 because it's another item to be secured. I had one CIO tell me he did not want to turn on V6 because he was worried about security. I said that's the exact wrong answer. IPv6 can be turned on and because of tunneling and Network Address Translation (NAT) someone could be using it on your network and you don't even know it.  The answer is not to ignore the situation, but rather to realize that there's two network protocols in use--IPv4 and IPv6--and you have to plan for both on your security model.

You have to realize that if you're using a model that's 10 years old it's possible that someone is tunneling those packets straight through your firewall because you did not look at it. It's not that there are not security issues, but they have to consciously look at v6 and turn on the same security configuration they have in place already for IPv4.

FT: So really it's all about applying similar precautions you'd apply today in an IPv4 environment?

JC: Right. It's possible your firewall may be set up to pass all IPv6 packets. Even if you have turned off the firewall to block IPv6 packets, that's really probably not the right answer. Why? IPv6 can be tunneled in IPv4 and vice versa. What you want to do is look at the outside of the network and figure out how will I support IPv6 and IPv4 because if I just try to block it it's possible someone will tunnel through that and run a translation like a NAT device. It's not a question of 'how I safely ignore this,' but rather doing the work and the configuration because it's a matter of there's going to be more and more v6 on your network and whether you're paying attention to it or not.

FT: In talking with Global Crossing, Anthony Christie thinks the migration for businesses will be based on specific triggers such as network upgrades or changing a service provider. Do you agree with that assessment?

JC: Well, everyone sees it a bit differently. The major backbone providers that are busy providing services to business already have services in beta or are in production to do IPv6 transport. If you go to a large carrier and say 'I have a GigE Internet connection and I want IPv4 and IPv6,' many will say 'IPv6 is another way to address it and we'll turn that on.' For them it's not a big issue.


"You'll find if you don't support (IPv6), you'll end up becoming that business that only supports fax but not e-mail."

When you look at the business users, there are a lot of people realizing they should pay attention to it but they won't deploy it until they see customer demand. The problem is the customer is all of those mobile devices out there. The problem is all of those parts of the Internet globally that have run out of IPv4 addresses and are going to start using IPv6. This isn't a case of when you get a choice when you need it, but it's a case of when are you going to do your preparation. This is in control in the Internet. You'll find if you don't support it, you'll end up becoming that business that only supports fax but not e-mail.

FT: Of course, as businesses make this transition, it appears that service providers are offering consulting IPv6 transition consulting. Do you see that as a big or just a niche opportunity?

JC: I think there's going to be demand for education, training and consulting for IPv6, but it's not a huge market. If you think about what a typical IT staff needs to know today: They have to be experts in servers; they have to be experts in security, and they have to know how they all work and work together.

IPv4 is just one set of identifiers. It's like having a website written in English, whereas IPv6 is French. All of the concepts don't change from IPv4 and IPv6. The IT staff already knows most of this. In fact at a lot of organizations putting something on the Internet means configuring it for IPv4 and IPv6. That's the way it is a lot of companies. It's not a separate expense of running around and doing something on IPv6. This is inherently part of the Internet and you should make it part of your IT process.

ARIN's John Curran warns of IPv6 misconfigurations, but sees migration issues dwindling
Read more on