Wednesday, September 15, 2010

Before we get too far...

... Lets talk about where we've been.

IPv4 is an old protocol, devised when the world was young.  It is battle hardened and well tested.  Its design goals were to have a reasonably scalable network, connecting the only places on the planet that could support a computer network (which was believed to be a very finite number on the order of a few hundred, a thousand at most).  It was made to withstand a nuclear explosion due to its distributed nature.  It was made to ride the dozens of physical layer types that the average international connection might need to traverse.  There was no security, and everyone was connected to everyone else provided there was a path.  Networks were simple, subnets were large, and systems did relatively few things, mostly via the existing methodologies of the time like terminal traffic and the occasional file transfer.

Society has added to it over the years, bolting on more and more, changing methodologies as we go.  Now there are so many computers that we have to rigorously maintain our subnets using many administrative services and tools.  The market produces thousands of devices which monitor, block, augment, and transform data as it passes through them.  All the tools are well-documented, robust, and work within common expectations.  Almost everyone and everything is connected via Ethernet over copper or fiber.  When I choose to use a sniffer, I can be reasonably assured it's going to decode all layers properly until I get to the layer I'm trying to debug.

IPv6 throws all those preconceptions out the window.

IPv6 is a completely separate protocol.  Put anything you know out of your head; it will be easier to deal with.  IPv6 has nothing to do with IPv4 except that it has the letters 'I' and 'P' and has some similar fields.  It was ratified in 1998 and was designed to better handle a number of scenarios, most notably the limited size of the addressable fields in IPv4.  In IPv6, networks can configure themselves, handle larger packets, and handle the scenarios that were foreseeable in 1998.

I want to stress the fact that this was ratified in 1998.  That puts its 'standardization' well before many of the mass-infection viruses in the early part of the last decade, well before the ubiquity of wireless, and well before the rapid, often mindless, deployment of security 'tools' and 'policies' of all kinds.  These are things IPv6 was not designed to solve.  IPv6 has some security mechanisms, but many are bolted on, just like IPv4.  If you are planning to deploy IPv6 and instantly get a secure network, you are mistaken.

Despite IPv6's standardization over a decade ago, few have adopted it, even to this day.  This means the current assumptions you have for your network (that the protocol works, has no bugs, is handled consistently by all parties on your network, is supported by all the tools and software you have, meets the needs of current policy and procedures, etc.) are likely wrong.

Welcome to IPv6.
