Cisco Blogs



IPv6 Addressing

In the previous installment of our series of IPv6 posts, we covered some of the ways ICMP has changed in IPv6 compared to IPv4. In this post, we’ll talk about how addressing has changed in IPv6 compared to IPv4.

While IPv4 addresses are 32 bits long, the IPv6 address space has been extended to 128 bits, which makes it practically impossible to remember the numeric address of a given host. That will push even more reliance onto DNS: it will be hard to operate even a very simple test network without relying on DNS to resolve host names to IPv6 addresses. As a result, more attacks will be aimed at your DNS servers, and keeping your DNS configuration and servers secure becomes even more important with IPv6. Attackers will also use DNS to locate systems on the network by trying to resolve "common host names," since brute-force scanning of a remote IPv6 network is essentially impossible given the size of the address space.


Disable IPv6: Don’t do it!

Most people already have IPv6 capability whether they know it or not. Microsoft operating systems from Windows Vista onward and every MacOS release since 10.2 ship with IPv6 installed and enabled by default. Mobile devices running Android 2.1, Apple iOS 4.0 and Symbian 7.0 are configured the same way, as is nearly every *nix variant you can name. Even the venerable and ubiquitous Windows XP has a latent IPv6 stack that can be activated with a single command.

Typically, IPv6-enabled systems prefer IPv6 connections over IPv4, so a misconfigured or malfunctioning IPv6 network causes connectivity problems. Many popular troubleshooting regimens simply prescribe disabling IPv6 as the "solution," which does nothing more than hide the underlying problem with the IPv6 network. When a network problem is "solved" by disabling IPv6, you have masked the symptom of a bigger problem that warrants further investigation.


IPv6 and DNS – Getting your DNS infrastructure ready for IPv6

You can make your named network services available via IPv6 in a few simple steps. First, your DNS server or DNS service provider must hand out AAAA records (pronounced "quad-A"), which map host names to IPv6 addresses. Second, you should provide PTR records so that IPv6 reverse DNS (rDNS) lookups work. Finally, take steps to make the DNS server itself reachable over IPv6.

Set up your DNS server to start serving AAAA records

To allow resolution of host names to IPv6 addresses, your DNS server must answer queries for AAAA records. Adding AAAA records to your forward zones lets clients with IPv6 connectivity learn the IPv6 addresses of your resources. Be aware of a small risk: if a requesting client is among the minority with broken IPv6 connectivity, your website can appear to be down from that client's point of view. Some companies use DNS whitelisting to mitigate this, but that approach has its own concerns.
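The AAAA and PTR steps above are easy to describe and easy to get wrong in practice, because a PTR lives under a 32-nibble reversed name. The following script, an added example rather than code from the post or from Cisco, generates both record sets for a small host inventory and cross-checks the reversed name against the standard library. The host names, the `HOSTS` inventory and the addresses (from the 2001:db8::/32 documentation prefix) are constructed placeholders; the output lines use ordinary zone-file syntax.

```python
"""Forward (AAAA) and reverse (PTR) records for a set of IPv6 hosts.

Added example for this page, not code from the original post or from Cisco.
Host names and addresses are constructed placeholders (2001:db8::/32 is the
IPv6 documentation prefix); the record lines use standard zone-file syntax.
"""
import ipaddress

# Constructed inventory of hosts that should be reachable over IPv6.
HOSTS = {
    "www.example.com.": "2001:db8:1::80",
    "ns1.example.com.": "2001:db8:1::53",
}


def ip6_arpa_name(addr: str) -> str:
    """Owner name of the PTR record for one IPv6 address.

    All 32 hex nibbles of the fully expanded address are written in reverse
    order, dot-separated, under ip6.arpa. Hand-reversing nibbles is where
    reverse zones usually go wrong, so the result is cross-checked against
    the standard library's reverse_pointer.
    """
    ip = ipaddress.IPv6Address(addr)
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, zeros kept
    name = ".".join(reversed(nibbles)) + ".ip6.arpa."
    assert name.rstrip(".") == ip.reverse_pointer
    return name


def reverse_zone_for(prefix: str) -> str:
    """Name of the ip6.arpa zone that covers `prefix`.

    Reverse delegation happens on nibble (4-bit) boundaries, so a /48 or /64
    maps cleanly and anything else must be re-cut before it can be delegated.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} is not on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def aaaa_records(hosts=HOSTS, ttl=3600):
    """Forward-zone lines; addresses are emitted in compressed (RFC 5952) form."""
    return [f"{name} {ttl} IN AAAA {ipaddress.IPv6Address(a).compressed}"
            for name, a in hosts.items()]


def ptr_records(hosts=HOSTS, ttl=3600):
    """Reverse-zone lines, one PTR per address, pointing back at the host name."""
    return [f"{ip6_arpa_name(a)} {ttl} IN PTR {name}" for name, a in hosts.items()]


if __name__ == "__main__":
    print("; forward zone")
    print("\n".join(aaaa_records()))
    print(f"; reverse zone {reverse_zone_for('2001:db8:1::/48')}")
    print("\n".join(ptr_records()))
```

Run it and paste the two blocks into the forward zone and the reverse zone respectively; `reverse_zone_for` tells you which ip6.arpa zone your provider has to delegate to you before the PTR records can be published.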


ICMP and Security in IPv6

In the previous installment of our series of IPv6 posts, we covered some common myths regarding IPv6. In this post, we’ll talk about how the role of ICMP has changed in IPv6 compared to IPv4.

In IPv4, ICMP provides error reporting, flow control and first-hop gateway redirection. This functionality, which is also available in IPv6, is usually not essential to the operation of your network. With IPv6, however, ICMP has gained a much more significant and essential role because of new functionality that is now performed through ICMP. Path MTU discovery (IPv6 routers no longer fragment packets, so the ICMPv6 Packet Too Big message is the only way a sender learns that it must fragment), Neighbor Discovery and Stateless Address Autoconfiguration (SLAAC) are essential functions that are now carried out with ICMP messages. Furthermore, many ICMPv6 messages are designed to be sent to multicast addresses instead of only unicast addresses. ICMP in IPv6 therefore gains a whole new importance, along with a new set of security concerns.
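Because Neighbor Discovery and SLAAC ride on ICMPv6 multicast, every host on a link acts on whatever Router Advertisement it hears, so it is worth being able to decode one and check it against what the link is supposed to carry. The following script is an added example, not code from the post or from Cisco: it parses the RA header and its Prefix Information and RDNSS options straight from the wire format defined in RFC 4861 and RFC 8106, then applies the sanity checks RFC 4861 itself requires (link-local source, hop limit 255) plus a site allowlist. `EXPECTED_PREFIXES`, `EXPECTED_RESOLVERS`, the `build_ra` helper and the sample packets are constructed placeholders using the 2001:db8::/32 documentation prefix; the ICMPv6 checksum is left at zero and not verified.

```python
"""Decode an ICMPv6 Router Advertisement and flag what this link should not see.

Added example for this page, not code from the original post or from Cisco.
Wire layout follows RFC 4861 (RA header, Prefix Information option) and
RFC 8106 (RDNSS option). Prefixes, resolvers and packets are constructed.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25

# Assumption: what a legitimate router on this link is allowed to announce.
EXPECTED_PREFIXES = [ipaddress.IPv6Network("2001:db8:1::/64")]
EXPECTED_RESOLVERS = {ipaddress.IPv6Address("2001:db8:1::53")}


def parse_ra(payload: bytes) -> dict:
    """Decode RA header and TLV options. Checksum is not verified here."""
    if len(payload) < 16:
        raise ValueError("truncated ICMPv6 Router Advertisement")
    (icmp_type, _code, _csum, hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"not a Router Advertisement (type {icmp_type})")
    ra = {"cur_hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": router_lifetime,
          "prefixes": [], "rdnss": []}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]   # length in 8-byte units
        if opt_len == 0:
            raise ValueError("zero-length option (RFC 4861 4.6: discard packet)")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        body = payload[off + 2:end]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred, _res, prefix = struct.unpack("!BBIII16s", body)
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((prefix, plen), strict=False),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            addrs = body[6:]                                   # after reserved + lifetime
            ra["rdnss"].extend(ipaddress.IPv6Address(addrs[i:i + 16])
                               for i in range(0, len(addrs) - len(addrs) % 16, 16))
        off = end                                              # unknown options are skipped
    return ra


def audit_ra(src: str, hop_limit: int, payload: bytes) -> list:
    """Reasons not to trust this RA on this link; an empty list means it looks legitimate."""
    findings = []
    source = ipaddress.IPv6Address(src)
    if not source.is_link_local:
        findings.append(f"source {source} is not link-local (RFC 4861 requires fe80::/10)")
    if hop_limit != 255:
        findings.append(f"IPv6 hop limit {hop_limit} != 255, packet may have been forwarded")
    ra = parse_ra(payload)
    for p in ra["prefixes"]:
        if p["prefix"] not in EXPECTED_PREFIXES:
            findings.append(f"unexpected prefix {p['prefix']} (autonomous={p['autonomous']})")
    for dns in ra["rdnss"]:
        if dns not in EXPECTED_RESOLVERS:
            findings.append(f"RDNSS steers clients to unexpected resolver {dns}")
    return findings


def build_ra(prefix: str, dns: str, router_lifetime: int = 1800) -> bytes:
    """Constructed RA with one Prefix Information and one RDNSS option (checksum zero)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0, net.network_address.packed)
    rdnss = struct.pack("!BBHI16s", OPT_RDNSS, 3, 0, 1800,
                        ipaddress.IPv6Address(dns).packed)
    return hdr + pio + rdnss


if __name__ == "__main__":
    legit = build_ra("2001:db8:1::/64", "2001:db8:1::53")
    rogue = build_ra("2001:db8:bad::/64", "2001:db8:bad::53")
    print("legit:", audit_ra("fe80::1", 255, legit) or "ok")
    print("rogue:", audit_ra("2001:db8:1::1", 64, rogue))
```

On a real capture, feed `audit_ra` the IPv6 source address and hop limit from the outer header together with the ICMPv6 payload; the hop-limit rule matters because any RA that crossed a router cannot have hop limit 255, which is exactly why RFC 4861 makes receivers drop it.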


How to get IPv6, now

Unless you have been living under a rock, you know by now that the IPv4 address pool is exhausted and that you need to start using IPv6. You may even be convinced. So how can you get your network connected to the growing IPv6-capable Internet, ideally in time for World IPv6 Day?

Start with your Internet service provider (ISP). Not every ISP provides IPv6 service yet, but the list grows in proportion to customer demand. Free, Comcast and Softbank are just some examples of prominent ISPs with large-scale public IPv6 trials and rollouts. Even if your ISP has not announced an IPv6 plan, contact them; you might be able to become an early adopter on an unannounced trial.

If your provider has not yet seized the opportunity to offer IPv6 service, you can seek out a public tunnel broker: a service that lets you "tunnel" IPv6 packets across an IPv4-only connection to the IPv6-capable Internet. Tunnel broker providers like Hurricane Electric, SixXS and Freenet6 operate tunnel points of presence at many locations worldwide and will gladly issue an IPv6 prefix (or several!) at no charge. Some tunnel brokers will even provide a BGP feed. This is an excellent way to start gaining experience with IPv6 connectivity in your network. Keep in mind that tunneled IPv6 traffic enters your network encapsulated inside IPv4, so your existing IPv4 firewall rules will not see it; apply the same filtering to the tunnel interface as you would to any other Internet-facing link.
