
Internet Address Reinforcements Are on the Way

The countdown is on and the day of the last new IPv4 address is coming in about three years. Most of the world has gotten the message and is ramping up for the new Internet protocol with enough Internet addresses for all. But, Western civilization is mostly asleep at the wheel, still heading down an IPv4 road to nowhere.

By David Geer
24 www.afcom.com

Global customers are increasingly searching for Web content delivered by Internet Protocol version 6 (IPv6), which is not backward compatible with IPv4. The longer organizations take to learn to speak IPv6 to their World Wide Web customers, the more customers they lose to companies that already have the new protocol turned up. Organizations that want to reach global audiences bent on using IPv6 need to get their data centers up and running with support for IPv6. Data center managers need to prepare now to support IPv6 and reap benefits that will secure their futures and make their day-to-day hustle inside the data center easier.

IPv6 is the latest Internet protocol deployment (1999) from the Internet Engineering Task Force (IETF, www.ietf.org). The new protocol provides a practically limitless number of Internet addresses to guide traffic from machine to machine inside the data center and across the Internet. IPv6 will eventually replace the flawed legacy protocol, IPv4, that most people use today.

IPv4 addresses are 32-bit addresses written in dotted decimal notation; a configured IPv4 address looks like 207.168.13.195. Data centers enter these addresses into computers and hardware manually as static IPs or assign them automatically via the Dynamic Host Configuration Protocol (DHCP) as dynamic IPs. Like snail mail in legacy postal systems, data goes nowhere on the Information Highway without these addresses.

The new IPv6 addresses are 128-bit addresses written in hexadecimal, which can be represented in several ways, including the compressed form 2001:500:4:1::80. These addresses are built from prefixes and other large numeric fields, making it possible to have billions of billions of unique addresses. One of the main drivers behind IPv6 adoption is that IPv4 addresses will effectively run out by 2011, according to Geoff Huston, chief scientist, Asian Pacific Network Information Centre (APNIC), Brisbane, Australia. In contrast, IPv6 offers a virtually inexhaustible supply.
Once the Internet registries dole out all the address space left in IPv4, service providers will still have space (IP addresses) to assign to data centers. This will come from individual organizations that already have more IP addresses than they really need. People may put up chunks of IPv4 space for sale over eBay to ISPs who need it, says Dave Siegel, vice president of IP services product management, Global Crossing, Florham Park, N.J. But no new numbers will be available apart from IPv6. So, data centers should prepare now to support the protocol and the new addresses they will soon need to acquire directly from Regional Internet Registries like ARIN, RIPE and APNIC.

The data center has more benefits to look forward to from IPv6 than simply an endless supply of IP addresses. The data center that prepares for IPv6 today will see increased marketability of products and services, greater ease and simplicity of network management and an increase in network security.

In the Marketplace

IPv4 supports approximately 4.3 billion globally routable IP addresses. That may sound like a big number, but those addresses are running out. That is because large and developing countries and regions like China (with 1.3 billion consumers) and Africa have yet to assign IP addresses for most of their constituents. The remaining IPv4 addresses are simply not enough to meet demand. Rather than adopt IPv4 and shoulder the added expense of migrating to IPv6 so soon after, these countries are simply choosing to adopt IPv6 now, which they know won't run out of space. Approximately 15 percent of China's 1.3 billion people access the Internet, and they do it via IPv6. That percentage is doubling each year, says Stan Barber, vice president of network operations, The Planet, Houston, Tex.

Because IPv4 and IPv6 are not compatible, enterprises seeking Web consumers in these locations have a hard time without adding IPv6 support to their data centers. China already heavily regulates imported Internet content, making it hard for Chinese citizens to get foreign content. By running IPv4 alone, organizations add another obstacle to getting content to those people. Companies interested in being part of the global economy should be concerned.

Network Management

The IETF based the IPv4 protocol on routing technology from the 1980s, which is impractical for the Internet that has come to be. But over the years, Internet engineers have become familiar with the strengths and weaknesses of IPv4. IPv6 takes advantage of that knowledge and experience, maintaining the advantages of IPv4 and correcting its faults.

The IETF once defined the Routing Information Protocol (RIP) to route packets under IPv4. To do that, they originally designed RIP to broadcast routing information to all computers on the network. Every computer on the network had to process these broadcast packets even though most of them did not need this information; even end-user computers had to process these packets. The IETF intended RIP for use with small networks of only a few hundred computers and very few routers. It was clearly not meant for massive data center networks or the modern Internet. RIP was discontinued because data centers risked generating inordinate levels of broadcast traffic on the network. This extra traffic wasted valuable bandwidth.
Data centers with 10MB of bandwidth might have used 7MB just to process routing packets, according to Barber. In IPv6, RIP uses multicast rather than broadcast technology. Multicast allows computers that do not need to use routing packets to ignore them. This creates an efficiency for RIP that revives its viability for data centers and the Internet. The advantage for data center managers is that they do not have to train or hire people to use more complex routing protocols. They can simply turn on RIP instead.

Security

Data centers use network address translation (NAT) devices to connect networks from separate organizations so they can share sensitive, proprietary data between them in partnering relationships. But NATs are not entirely secure. In this partnering scenario, NATs inside each company try to disallow any data that is not a communication between a specific system in the one organization and a specific system in the other. The rest of the data is treated as appropriate and passes through mostly unabated.

To attack these kinds of communications, hackers use something called threading to reach through NATs to get to computers inside the data center. First, attackers develop a picture of how data travels through a port to a computer with a private IP address inside the data center from a system outside the NAT. Then they build a datagram, a piece of data that routes itself from one place to another on its own, to manipulate the computers inside the network, explains Fred Baker, chair, IPv6 Operations, the IETF, Santa Barbara, Calif. Threading assumes that the inside computer is already exchanging datagrams with an outside computer via routing as part of some application. The attacker sends the loaded datagram into the dataflow as if it were part of that legitimate exchange of data. The datagram then attacks the inside computer within the parameters of those exchanges.

With IPv6, instead of depending on NATs and firewalls to provide a certain measure of network security, data center managers can use routing. In a solution proposed by Baker, data centers would route a specific IP address prefix through a connection such as a VPN, a tunnel or a direct link. (A prefix is a number representing a block of IP address space or a network.) Data center technicians would assign addresses with that prefix to machines inside each data center that are allowed to talk to the machines in the other data center. So, information from an attacker's machine could never be routed to either data center because the attacker's machine could not be assigned an address with that prefix. Therefore, instead of blocking these attacks with NATs and firewalls, data centers simply prevent them from being routed into the data center.

January/February 2009 Data Center Management 25
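The prefix-based isolation Baker describes can be written down as a routing policy decision at the data center edge. The following Python is an added example for this article, not code from the IETF or from anyone quoted here. The partner prefix, the partner-facing prefix, the set of hosts numbered from it and the rule that the partner prefix has a route only over the tunnel (a reverse-path style check) are all my assumptions, and the addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical partner link (constructed values, not from the article).
# The partner's prefix is reachable only over the tunnel to the partner data
# center; our partner-facing prefix is assigned only to hosts that are allowed
# to talk to the partner, so nothing else on the Internet can carry it.
PARTNER_PREFIX = ipaddress.ip_network("2001:db8:1000::/48")
LOCAL_PARTNER_PREFIX = ipaddress.ip_network("2001:db8:2000::/48")
PARTNER_FACING_HOSTS = {
    ipaddress.ip_address("2001:db8:2000::10"),
    ipaddress.ip_address("2001:db8:2000::11"),
}


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    arrived_on: str  # interface the datagram came in on: "tunnel" or "internet"


def route_decision(dg: Datagram) -> str:
    """Decide whether a datagram arriving at the edge gets a route to a
    partner-facing host. Returns "forward" or "drop: <reason>"."""
    try:
        src = ipaddress.ip_address(dg.src)
        dst = ipaddress.ip_address(dg.dst)
    except ValueError:
        return "drop: malformed address"
    # Partner-facing hosts live only in the IPv6 prefix; the IPv4/NAT path the
    # article describes is not involved at all.
    if src.version != 6 or dst.version != 6:
        return "drop: not IPv6"
    if dst not in LOCAL_PARTNER_PREFIX:
        return "drop: destination outside partner-facing prefix"
    if dst not in PARTNER_FACING_HOSTS:
        return "drop: destination not assigned on partner-facing prefix"
    # Only the tunnel carries a route for the partner prefix. A datagram that
    # claims a partner source but came in from the Internet has no valid route:
    # nobody outside the two data centers can be numbered from that prefix.
    if src not in PARTNER_PREFIX:
        return "drop: source not in partner prefix"
    if dg.arrived_on != "tunnel":
        return "drop: partner prefix is routed only over the tunnel"
    return "forward"


# Constructed traffic samples (addresses are documentation-range placeholders)
SAMPLES = [
    Datagram("2001:db8:1000::5", "2001:db8:2000::10", "tunnel"),    # legitimate partner host
    Datagram("2001:db8:1000::5", "2001:db8:2000::10", "internet"),  # partner source seen off-tunnel
    Datagram("2001:db8:ffff::9", "2001:db8:2000::10", "tunnel"),    # source outside partner prefix
    Datagram("2001:db8:1000::5", "2001:db8:2000::99", "tunnel"),    # host never numbered from prefix
    Datagram("203.0.113.7", "2001:db8:2000::10", "internet"),       # IPv4 source on the IPv6 link
]


def decide_all(samples=SAMPLES):
    """Run the policy over every sample and return the verdicts in order."""
    return [route_decision(dg) for dg in samples]


if __name__ == "__main__":
    for dg, verdict in zip(SAMPLES, decide_all()):
        print(f"{dg.src} -> {dg.dst} via {dg.arrived_on}: {verdict}")
```

The order of the checks matters: the destination tests come first so that a host which was never numbered from the partner-facing prefix is unreachable no matter what the source claims, and the ingress-interface test is what turns "the prefix is routed only over the tunnel" from a statement about the routing table into something the edge actually enforces.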

Figure: There are a few basic technical differences between the Internet Protocol version 4 (IPv4) and the Internet Protocol version 6 (IPv6). IPv6 makes billions of times more Internet addresses available than IPv4 does. (Courtesy of the American Registry for Internet Numbers.)

It is important to note that threading is one reason why data centers must protect each individual computer on the network in addition to using NATs and firewalls. These NATs and firewalls work only as filters to reduce the likelihood of attacks. Each node on the network has to be responsible for securing itself. That is also why security experts like Baker recommend Internet Protocol Security (IPsec), which ensures that a datagram that appears to be from a peer computer inside a network at another organization is actually from that peer and not from a hacker on a third-party system somewhere. IPsec is a group of security protocols that offer security at the network level to protect Internet data packets. IPv6 supports IPsec.

Preparing for IPv6

Most data centers are already doing something important to get ready for IPv6 deployment. By maintaining their hardware and replacing servers every three years, they are ensuring hardware support for IPv6. Most hardware vendors are already compatible with IPv6. The hardware simply ships with IPv6 turned off by default, but data centers can turn it on at any time. There are many reasons for inherent IPv6 hardware support, not the least of which is the U.S. government's mandate that all federal agencies migrate to IPv6. In most cases, data centers do not need to plan for or purchase other hardware than they normally would in order to be hardware-ready for IPv6.

Network Address Translation


Network address translation (NAT) was introduced by the Internet Engineering Task Force (IETF) in 1994 to slow the depletion of the IPv4 address space, which is limited to about 4.3 billion publicly (globally) routable IP addresses. NAT accomplished this by letting many private IP addresses, sitting behind a NAT device (a router or firewall with NAT capabilities) off the public Internet, share a single public IPv4 address. Using private IPs and NAT, organizations connect many computers to the Internet using a single IPv4 address. The IPv4 address space would likely have been depleted by 1998 without the introduction of NAT and private address ranges, according to Lawrence Hughes, chairman, InfoWeapons Inc., Duluth, Ga. The IETF has set aside the following address ranges for use by anyone on any private network as private IPs. These addresses do not appear on the public Internet and are not globally routable:

Addresses ranging from 10.0.0.0 to 10.255.255.255 (constituting a total of 16,777,216 addresses)

Addresses in the range from 172.16.0.0 to 172.31.255.255 (numbering 1,048,576 addresses)

Addresses ranging from 192.168.0.0 to 192.168.255.255 (including 65,536 total addresses)

Because these addresses are not publicly routable, they may be re-used repeatedly on private networks. IPv6 supports 3.4x10^38 public IP addresses. When fully deployed it is expected to eliminate the need for NATs.

Training people to manage an IPv6 network is an added expense. However, you are not really teaching them anything completely new; you are just teaching them a variation on a theme. IPv6 is like IPv4 but with bigger addresses, says Barber.

Companies will also need to locate Internet providers that can get them on the IPv6 Internet. Today, that service is available mostly from the large global Internet providers.

Most organizations will want to transition to IPv6 over time while they continue to support IPv4, since most people are still using the latter. The recommended means for supporting both protocols simultaneously is the dual stack transition mechanism (DSTM). Unless you have some nodes that simply cannot support DSTM due to insufficient memory, or you are using a WiMax system that supports only IPv6, for example, you should deploy dual stack, says Lawrence Hughes, chairman, InfoWeapons Inc., Duluth, Ga. DSTM enables every node (computer) on the network to fully support IPv4 and IPv6 at the same time.

Western civilization is behind the rest of the world in IPv6 deployment in large part because it has the lion's share of IPv4 addresses. Coming late to the IPv6 party may lead to rushed deployment at higher costs to catch up and keep customers happy who may want IPv6 addresses to connect to the IPv6 Internet. Now is the right time for data centers to prepare and turn on IPv6.

David Geer is a freelance writer in Ohio.
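To tie together the two address formats from the opening of the article, the private ranges in the sidebar and the dual-stack recommendation, here is an added Python example, written for this page and not code from the article or any vendor named in it. It uses the standard library ipaddress module to classify a constructed dual-stack host inventory: the only real addresses in it are the article's two samples, the rest are made up (the IPv6 ones from the fc00::/7 unique-local and fe80::/10 link-local ranges), and the range sizes it computes are the sidebar's figures.

```python
import ipaddress

# The private IPv4 ranges the sidebar lists, as networks keyed by CIDR
PRIVATE_V4 = {
    "10.0.0.0/8": ipaddress.ip_network("10.0.0.0/8"),
    "172.16.0.0/12": ipaddress.ip_network("172.16.0.0/12"),
    "192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),
}
UNIQUE_LOCAL_V6 = ipaddress.ip_network("fc00::/7")

# Constructed dual-stack inventory: the article's two sample addresses (the
# IPv6 one written out in full) plus made-up hosts.
INVENTORY = [
    "207.168.13.195",
    "2001:0500:0004:0001:0000:0000:0000:0080",
    "10.20.30.40",
    "172.20.5.6",
    "172.32.0.1",        # looks private but lies outside 172.16.0.0/12
    "192.168.1.77",
    "fd00:1234::1",      # unique-local, the IPv6 analogue of a private range
    "fe80::1",           # link-local, never routed at all
]


def private_range_sizes():
    """Number of addresses in each private IPv4 range (the sidebar's counts)."""
    return {cidr: net.num_addresses for cidr, net in PRIVATE_V4.items()}


def total_addresses(version):
    """Size of the whole address space: 2^32 for IPv4, 2^128 for IPv6."""
    return ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0").num_addresses


def canonical(addr_text):
    """Shortest textual form; for IPv6 that is the zero-run compression the
    article shows (2001:500:4:1::80 for the fully written-out address)."""
    return str(ipaddress.ip_address(addr_text))


def classify(addr_text):
    """Tag an address by family and by whether it depends on NAT to reach the
    Internet (IPv4 private) or is not routable beyond its scope (IPv6 local)."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        for cidr, net in PRIVATE_V4.items():
            if addr in net:
                return f"ipv4-private ({cidr}, behind NAT)"
        return "ipv4-global"
    if addr.is_link_local:
        return "ipv6-link-local"
    if addr in UNIQUE_LOCAL_V6:
        return "ipv6-unique-local"
    return "ipv6-global"


def dual_stack_report(inventory=INVENTORY):
    """Per-address classification keyed by canonical form, which shows which
    hosts in a dual-stack network still rely on NAT for their IPv4 side."""
    return {canonical(a): classify(a) for a in inventory}


if __name__ == "__main__":
    for cidr, n in private_range_sizes().items():
        print(f"{cidr:16} {n:>12,} addresses")
    print(f"IPv4 total: {total_addresses(4):,}")
    print(f"IPv6 total: {total_addresses(6):.3e}")
    for addr, tag in dual_stack_report().items():
        print(f"{addr:24} {tag}")
```

The 172.32.0.1 entry is the case worth noticing: the 172.16.0.0/12 range ends at 172.31.255.255, so an address one octet later is globally routable and a rule written as "starts with 172." would misclassify it. Checking membership in the network object avoids that.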
