The transition to IPv6 DNS can be easier
Let’s be honest: The prospect of having to move to IPv6 DNS may seem daunting. Like most enterprises, you’re probably trying to remain IPv4 only as long as possible.
But if the corporate call comes to jump off the cliff and transition, BlueCat’s platform is at the ready to help cushion your landing.
In this post, we’ll provide a primer on IPv6 and IPv4, and look at why there’s some resistance to the move. Then we’ll delve into how BlueCat tools can help ease the transition.
Let’s get some basic terminology out of the way first. IP, which stands for internet protocol, is the network-layer protocol that carries the internet’s traffic. IP addressing is the logical scheme for assigning addresses to devices on a network.
What is IPv4?
IPv4, or internet protocol version 4, has been in place for more than 35 years. IPv4 uses 32-bit addresses (for example, 192.0.2.246), to route most of today’s internet traffic.
A 32-bit address space limits the number of unique addresses to 2^32, which is nearly 4.3 billion IPv4 addresses. In today’s ultra-connected world, 4.3 billion isn’t nearly enough.
In 2011, the Internet Assigned Numbers Authority (IANA), the global coordinator of IP addressing, ran out of IPv4 addresses to allocate to regional registries. Since then, regional registries have exhausted those allocations.
In short, we’ve run out of address space.
Seeing that this would be a problem, the Internet Engineering Task Force (IETF), which writes the protocol standards that IANA administers, defined a new version of the Internet Protocol with a much larger address space.
IPv6, the most recent version of the internet protocol, uses a 128-bit address space. Unlike IPv4’s dotted-decimal notation, IPv6 addresses are written in hexadecimal, so both letters and numbers appear (for example, 2001:db8::8a3f:362:7897, from the 2001:db8::/32 range reserved for documentation). That change yields 2^128 addresses, which is about 340 undecillion, or 340 billion billion billion billion. A whole lot.
With IPv6, a single network can have more addresses than the entire IPv4 address space. IPv6 exhaustion is basically impossible. (There is a hypothetical world IPv6 exhaustion counter out there. Nine million AD, anyone?).
Furthermore, routing tables are simpler. Admins can start from square one and be thoughtful and logical about deploying an addressing scheme. And there's plenty of room to add more.
Security was also considered when IPv6 was designed: IPsec was specified as part of the protocol suite from the start (originally as a mandatory-to-implement feature, later relaxed to a recommendation), whereas IPv4 had its modern-day security measures tacked on after the fact. However, that’s not to say that you get a free pass to omit IPv6 space from your network security model. The same IPsec is available on IPv4, and the first widely reported IPv6 DDoS attack served as an important reminder that IPv6 traffic needs the same monitoring and filtering as IPv4.
Eliminating private networks
About 18 million IPv4 addresses were set aside for private addressing in the ranges defined by RFC 1918. Most organizations use IPv4 private addresses on internal networks. However, devices with private addresses have no direct path to the public internet.
To access the public internet, these devices require a workaround called network address translation (NAT), which rewrites addresses and keeps per-connection state on the gateway.
IPv6 was designed to be NAT-free, so every device can be given a globally unique address and communicate end to end without a translation step. Keep in mind what that means for your security model: NAT incidentally hid internal hosts from unsolicited inbound connections, so on an IPv6 network that job belongs explicitly to your firewall policy, and it should be written before the first IPv6-enabled host goes live.
The challenges of implementing IPv6 DNS
All of this change was born of necessity, but not everyone is on board. This is not just a configuration change. Think of it more like a challenging system migration.
Examples of IPv6 challenges
- IPv4 and IPv6 are not directly interoperable. IPv6 is managed differently than IPv4, requiring a steep learning curve to master. IPv6 address formats are also longer, so they can’t be easily memorized or transcribed.
- It’s a lot of work to test all of your applications end-to-end in an IPv6 environment. And what may work well in a small test lab may fall apart when implemented at scale.
- Every part of your network chain (including every IPv6 DNS server) has to be compliant. Legacy network applications or devices hard-coded for IPv4 may lack IPv6 support.
- Specifically, many IoT devices do not support IPv6. If critical IoT devices on your network aren’t IPv6-ready, then you can’t transition those segments at all. This is a particularly tough conundrum for the healthcare industry.
- Ternary content addressable memory (TCAM) quickly gets depleted when adding IPv6 addresses. TCAM stores forwarding entries and access control lists on network routers and switches, and a 128-bit IPv6 entry consumes more of it than a 32-bit IPv4 entry. Routing vendors let admins tune how much TCAM to allocate to IPv4 and IPv6, with mixed results. Ultimately, enterprises often end up buying more pricey hardware to get more TCAM.
Complex enterprise implementation
Enterprise implementation itself can be complex, with segmented steps and testing required at each point.
You might first start with your external-facing networks and services like web servers. Then go to your perimeter (or DMZ) networks and your data centers. And finally, your internal networks and devices. Just like your current network, you’ll need IPv6-capable DNS servers, DHCP servers, and all the rest.
It’s enough to say “thanks but no thanks” and stick with IPv4. Sure, the more workarounds that you add to your IPv4 network, the more you have to manage. But it works, you understand it, and you know the network won’t break.
There is no driving event such as a government mandate forcing the transition en masse. As a result, institutional inertia will be strong enough in most organizations to keep the status quo in place. The work involved in a transition simply isn’t worth it… yet.
IPv6 DNS made easier with BlueCat
If you decide to leap (or someone else decides for you), BlueCat’s platform can help you manage this transition. To better assess your IPv6 readiness, we also offer virtual instructor-led training on IPv6 for DNS, DHCP, and IP address management.
Address records, or A records, map domain names to IPv4 addresses. Because an IPv6 address is four times as long (128 bits instead of 32), the IPv6 equivalent is an AAAA record (also known as quad A).
During a transition your DNS zones will carry both types, IPv4 and IPv6, for the same names. With BlueCat, DNS resolvers (the servers that answer users’ DNS queries and translate a domain name into an IP address) can return the AAAA record in addition to the A record. The user’s device then decides which address to try first; modern operating systems use the Happy Eyeballs algorithm (RFC 8305) to prefer IPv6 and fall back to IPv4 quickly if the IPv6 path fails.
With BlueCat address manager, quad A records are simple to add.
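As an added example (not BlueCat code, and not from the original post), the following Python script generates the forward A and AAAA records and the matching reverse PTR records for a dual-stack host. The host name and addresses are constructed sample data from the documentation ranges (192.0.2.0/24 and 2001:db8::/32). The part people most often get wrong is the IPv6 reverse name: it is built from all 32 hex nibbles of the fully expanded address, reversed, under ip6.arpa, so the "::" shorthand has to be expanded first.

```python
import ipaddress

# Constructed sample host (documentation address ranges, not real infrastructure).
HOST = {
    "name": "www.example.com.",
    "v4": "192.0.2.246",
    "v6": "2001:db8::8a3f:362:7897",
}


def forward_records(name, v4=None, v6=None, ttl=3600):
    """Zone-file lines for the A and AAAA records of one host.

    Both families are emitted so a resolver can hand a client both answers
    and let the client choose (Happy Eyeballs). Invalid addresses raise.
    """
    lines = []
    if v4:
        a = ipaddress.IPv4Address(v4)
        lines.append(f"{name} {ttl} IN A {a}")
    if v6:
        aaaa = ipaddress.IPv6Address(v6)  # canonical RFC 5952 text form
        lines.append(f"{name} {ttl} IN AAAA {aaaa.compressed}")
    return lines


def reverse_name(addr):
    """Owner name of the PTR record for addr.

    IPv4: the four octets reversed under in-addr.arpa.
    IPv6: all 32 hex nibbles of the *expanded* address, reversed, under ip6.arpa.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_records(name, addrs, ttl=3600):
    """Reverse-zone lines for every address of the host."""
    return [f"{reverse_name(a)} {ttl} IN PTR {name}" for a in addrs]


def dual_stack_zone(host):
    """All forward and reverse lines for one dual-stack host."""
    lines = forward_records(host["name"], host.get("v4"), host.get("v6"))
    addrs = [a for a in (host.get("v4"), host.get("v6")) if a]
    return lines + ptr_records(host["name"], addrs)


if __name__ == "__main__":
    print("\n".join(dual_stack_zone(HOST)))
```

Running the script prints the A and AAAA lines followed by the two PTR lines; note that the ip6.arpa owner name is 32 labels long even for an address whose compressed form is short.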
DHCPv6 server pairs and dual-stack
To provide redundancy, BlueCat’s platform allows a pair of IPv6 DHCP servers to serve the same network. Doing so has been considered undesirable for IPv4 networks because of the limited IP address space available. But with 340 undecillion IP addresses on the IPv6 network, address exhaustion is no longer a concern.
Devices with dual-stack implementation in the operating system have an IPv4 and IPv6 address. They can communicate using either protocol. BlueCat’s implementation of DHCPv6 allows enterprises to dual-stack their entire network. This allows the network to handle both connections simultaneously as the broader IP version ecosystem remains in flux. BlueCat’s platform gives you single-pane visibility, regardless of the IP version. And if you want to single stack with just an IPv6 network, BlueCat supports that, too.
BlueCat’s platform also has built-in support for DNS64. This is not a tunnel but a DNS translation mechanism (RFC 6147): when an IPv6-only client asks for a name that has only an A record, the resolver synthesizes an AAAA record by embedding the IPv4 address in a special IPv6 prefix. A companion NAT64 gateway (RFC 6146) then translates packets sent to that prefix into IPv4, so IPv6-only devices can reach IPv4-only services.
The value of an IPv6 presence
Trepidation about IPv6 deployments is understandable. Today, only about 25 percent of the Alexa top 1,000 websites have sites reachable over IPv6. But that number continues to grow as large areas of the world undergo IPv6 adoption. Some emerging markets (particularly in Asia) only have IPv6 network connections.
Enterprises are realizing that they’ll lose business—or miss out on e-commerce opportunities entirely—without an IPv6 internet presence. We often hear from our customers that they at least plan to implement IPv6 migration strategies for public-facing networks so they don’t get left behind.
When your moment to transition comes, we’re ready to help. Learn more about the BlueCat platform and how it supports both networks.