Looking at IPv6 deployment graphs like the one I tweeted below, it becomes clear that IPv6 still is not widely deployed in the enterprise space.
[Embedded tweet: Global IPv6 deployment, “user perspective”, as of late Oct 2017. src: https://t.co/vMLefXn2n7 pic.twitter.com/CNsrqEQ3hl (Enno Rey, @Enno_Insinuator, November 4, 2017)]
Note: the reason for the apparent oscillation in that curve is the difference between working days, when people use their office computers, and weekends, when they prefer to use their smartphones or their home equipment connected by means of broadband networks.
There are good reasons for this, some of which I presented at RIPE 74 recently (see my slides and watch the video below on the reluctance of certain companies to deploy IPv6).
In a nutshell, the overall IPv6 architecture is oriented around, and benefits from, the decoupling of mostly autonomous, self-organized endpoints from a well-managed/provider-managed network infrastructure, which isn’t exactly the operations model many large enterprise organizations have in mind for their networks.
On the other hand, let’s consider how many enterprise-level network projects we see today that face the following situations:
- The ambition to perform (network) infrastructure projects in an ‘agile’/driven-by-MVPs way, not surprisingly, creates cases where some ‘provisional’ addresses are assigned to segments and systems (without proper foresight or coordination within the organization, not least because the latter might require time and resources).
- The need to bring together/connect previously separate[d] network segments and systems (think of ‘lift and shift’ type data centre migration projects or all those occasions where you face terms from the ‘cloud exchange’, ‘express-sth’ or ‘direct-sth’ realm).
I have to say, the more network projects with the above situations that I work on, the more I value the end-to-end nature of global IPv6 addressing. Therefore, when I’m asked about the benefits of IPv6 in the enterprise space, I usually respond with something along the lines of: “Given the above type of phenomena, I strongly advise to use IPv6 with global addresses from the very beginning, otherwise you/we’ll have to renumber later”.
From my operational experience, “Renumbering Still Needs Work” (as RFC 5887 states in its title) is a euphemism at best. Avoiding it by clinging to things like NAT, or whatever-type-of-overlay stuff, doesn’t help in terms of complexity or operations-wise (and, of course, NAT wouldn’t work with IPv6 anyway).
So when you want to (or have to) perform network projects that face the above situations, it certainly makes sense to use IPv6 (with global addresses) from the beginning. Some lucky person who doesn’t have to renumber (or NAT) in the future will certainly thank you for doing so.
Original post appeared on Insinuator.
Enno Rey is a German security researcher who runs a company that specializes in performing security assessments for large corporations and governmental agencies.