Guest Column | October 10, 2012

Managing The Transition To IPv6

Greg Smith of Citrix discusses practical tips for implementation as well as the benefits of IPv6

On June 6, 2012, many large Internet properties and Internet service providers (ISPs) enabled support for public IPv6 addresses. What this means for the average Internet user is a higher degree of confidence that the websites they access now and in the future will continue to be available from any device, anywhere in the world as this new standard is increasingly adopted.

Participants included Microsoft, Google, Facebook, Free Telecom, AT&T, Time Warner and Comcast. Such broad-based support for IPv6 does not mean that IPv4 will be turned off. It simply signals that mainstream production deployments will support both IPv4 and IPv6 technologies.

The primary motivation to support IPv6 is the standard’s nearly unlimited space for Internet addresses. There are, however, other advantages that benefit website operators, ISPs and Internet users. These include:

  • Simplified Routing and Faster Performance – IPv6 is built to support better organized and smaller routing tables to make routing faster and more efficient, which will drive superior Internet performance and more responsive applications
  • Efficient Packet Processing – Simplified IPv6 headers make packet processing more efficient, which lessens the burden on Internet infrastructure
  • Security – Built-in support for IPsec, providing native, end-to-end security for applications and end users
  • New Applications – Unique IP addresses for each device gives application developers opportunities to build next generation Web applications and add new innovations into existing services
  • Easier Network Management – Features like address auto-configuration ease the administrative overhead on ISPs, which will ultimately make the Internet more efficient and more reliable

Because the IPv6 standard is not backward compatible with IPv4, the new standard will force IPv6 and IPv4 networks to coexist for some time. However, there are multiple technologies that support a straightforward transition to public IPv6 addressing while preserving transparency for all users.

IPv4 ↔ IPv6 Network Address Translation (NAT)

To make this IPv6 to IPv4 address translation practical, it is best executed in a high-speed networking device so that high performance and address transparency are fully preserved. In other words, Internet users should not perceive any difference in their user experience.

Traditional network address translation (NAT) has been used for more than a decade. It is often leveraged within enterprise networks to provide Internet connectivity to multiple users with private IP addresses – while still using one or more public IP addresses. NAT functionality is broadly available in routers (even home and consumer products), and application delivery controllers (ADCs). ADCs also provide load balancing and other technologies that optimize the delivery of applications over networks.

NAT technology can also give users at organizations of all sizes access to legacy applications that were designed to support only IPv4 Internet addresses and that those users would otherwise be unable to reach.

Encapsulation Technologies

Encapsulation technologies are those that enable one type of protocol to be transported over another. The concept of encapsulation is very common across Internet technologies. Two prime examples of encapsulation in the IPv6 transition standards are 6rd and DS-Lite.

Understanding 6rd

6rd, or IPv6 Rapid Deployment as it was originally known, is a transition technology popularized by Free Telecom in France. It is a technique that enables service providers to broadly assign IPv6 addresses to their end customers, but with no requirement to upgrade their core infrastructure so that it supports IPv6 natively.

Through the use of encapsulation, 6rd enables IPv6 hosts (e.g. web sites and Internet users) to communicate with one another, even when they are separated by IPv4 networks. This is done by establishing an IPv4 tunnel. The tunnel origination point on the sender’s side of the tunnel encapsulates the IPv6 traffic within IPv4 packets, and sends it over IPv4 to the device at the remote end of the tunnel. The device on the other end of the tunnel decapsulates the packets and sends the traffic over the IPv6 network to the final destination.

For this sort of encapsulation technology to function properly, service providers must provide 6rd support both at the Customer Edge (CE) of the customer network and at the ISP’s network edge – at the Border Relay (BR). 6rd gateways at both locations (CE and BR) act as encapsulators and decapsulators for IPv6 traffic tunneled across the IPv4 network. Any traffic destined to leave the ISP’s network passes through the 6rd border relay and is routed natively to the IPv6 Internet. Traffic destined for an IPv6 host in the same ISP’s 6rd domain is routed internally, from CE to CE. 6rd tunneled traffic follows IPv4 routing, because 6rd devices communicate with each other using their IPv4 addresses.
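The CE and BR forwarding decisions described above, modeled in Python as an added example (not code from the article or from any vendor’s product). The 6rd domain parameters, the BR address and the CE address are constructed values; the prefix-embedding rule (6rd prefix followed by the non-common bits of the CE’s IPv4 address) is the one RFC 5969 specifies, and it is what lets a CE or BR find the peer CE’s IPv4 address without any per-customer state.

```python
import ipaddress

# Constructed 6rd domain parameters (hypothetical; not Free's or any real ISP's values):
# 6rdPrefix 2001:db8:ff00::/40 and IPv4MaskLen 8 (every CE IPv4 address shares 192.0.0.0/8),
# so each CE receives a /64 with the low 24 bits of its IPv4 address embedded after the prefix.
SIXRD_PREFIX = ipaddress.IPv6Network("2001:db8:ff00::/40")
IPV4_MASK_LEN = 8
IPV4_COMMON = int(ipaddress.IPv4Address("192.0.0.0"))   # the IPv4MaskLen common high-order bits
BR_IPV4 = "192.0.2.1"                                     # 6rd border relay address, constructed
EMBED_LEN = 32 - IPV4_MASK_LEN
EMBED_MASK = (1 << EMBED_LEN) - 1
PROTO_IPV6_IN_IPV4 = 41   # outer IPv4 protocol number for IPv6-in-IPv4 tunnels such as 6rd

def delegated_prefix(ce_ipv4: str) -> str:
    """CE IPv4 address -> the IPv6 prefix 6rd delegates to that CE (RFC 5969 rule)."""
    embedded = int(ipaddress.IPv4Address(ce_ipv4)) & EMBED_MASK
    plen = SIXRD_PREFIX.prefixlen + EMBED_LEN
    base = int(SIXRD_PREFIX.network_address) | (embedded << (128 - plen))
    return str(ipaddress.IPv6Network((base, plen)))

def embedded_ipv4(v6: str) -> str:
    """Recover the CE IPv4 address carried inside a 6rd IPv6 address."""
    shift = 128 - SIXRD_PREFIX.prefixlen - EMBED_LEN
    embedded = (int(ipaddress.IPv6Address(v6)) >> shift) & EMBED_MASK
    return str(ipaddress.IPv4Address(IPV4_COMMON | embedded))

def ce_forward(dst_v6: str) -> dict:
    """What a 6rd CE does with an IPv6 packet leaving the customer LAN."""
    if ipaddress.IPv6Address(dst_v6) in SIXRD_PREFIX:
        # Same 6rd domain: tunnel straight to the peer CE over IPv4, no BR involved
        outer = embedded_ipv4(dst_v6)
    else:
        # Anything else: tunnel to the BR, which decapsulates onto the native IPv6 Internet
        outer = BR_IPV4
    return {"outer_proto": PROTO_IPV6_IN_IPV4, "outer_dst": outer}

def br_forward(dst_v6: str) -> dict:
    """What the BR does with a native IPv6 packet arriving from the Internet."""
    if ipaddress.IPv6Address(dst_v6) in SIXRD_PREFIX:
        return {"action": "encapsulate", "outer_dst": embedded_ipv4(dst_v6)}
    return {"action": "forward_native_ipv6"}
```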

Though 6rd helps ISPs provision IPv6 connectivity to end users, it does not allow IPv6 clients to talk to IPv4 servers. For that to work, solutions like NAT64 / SLB64 are required.

Understanding DS-Lite

DS-Lite is a tunneling technology that encapsulates IPv4 packets and then transports them over an IPv6 transport network for delivery to a final IPv4 destination. DS-Lite combines IPv4-in-IPv6 tunneling with NAT (discussed above). The NAT function performs the IPv4-to-IPv4 translation before sending packets to the public IPv4 network.

DS-Lite enables service providers to natively allocate IPv6 addresses to new customers while continuing to support IPv4 customers. The main functional components of DS-Lite are the B4 (Basic Bridging BroadBand) element and the AFTR (Address Family Translation Router), as shown in the figure below.

In a DS-Lite enabled network, devices located at the customer premises provide the B4 function. These customer devices allocate private IPv4 addresses to hosts in the customer network. The B4 connects to the service provider’s access network using the IPv6 address allocated by the service provider, and then uses this IPv6 address to establish a tunnel with the AFTR device.

The AFTR is usually deployed at the edge of the service provider’s IPv6 network and terminates the tunnel created with the customer’s B4 element. The AFTR also provides IPv4-to-IPv4 NAT to translate the customer’s private IPv4 address to a public IPv4 address before sending packets out to the public network.

The following sequence describes the connection establishment process using DS-Lite:

  1. A host with a private IPv4 address initiates a connection to a resource on the public Internet
  2. Traffic is sent to the B4, which is the host’s default gateway
  3. The B4, using its service provider network-facing IPv6 address, establishes the tunnel with the AFTR. The address of the AFTR can be pre-configured or discovered using DHCPv6
  4. The B4 encapsulates the IPv4 packets in IPv6 and sends them across to the AFTR
  5. The AFTR terminates the tunnel and decapsulates the IPv4 packets
  6. The AFTR performs IPv4-to-IPv4 NAT before sending the traffic to the destination IPv4 network
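The six steps above as an added Python model (example code, not from the article or from any Citrix product): a B4 encapsulates the customer’s IPv4 packet in IPv6, and an AFTR terminates the tunnel and allocates NAT bindings keyed on the B4’s IPv6 address. All addresses, ports and the 1500-byte link MTU are constructed values; the model also shows why the binding key must include the B4 address and why the 40-byte outer header forces MTU management.

```python
from dataclasses import dataclass

IPV4_IN_IPV6 = 4     # IPv6 Next Header value for an IPv4 packet carried inside IPv6
IPV6_HDR_LEN = 40    # bytes the DS-Lite tunnel adds to every IPv4 packet

@dataclass(frozen=True)
class IPv4Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    length: int       # total IPv4 packet length in bytes

@dataclass(frozen=True)
class TunnelPkt:      # outer IPv6 header wrapped around an IPv4 packet (step 4)
    v6_src: str
    v6_dst: str
    next_header: int
    inner: IPv4Pkt

def b4_encapsulate(pkt: IPv4Pkt, b4_v6: str, aftr_v6: str, link_mtu: int = 1500) -> TunnelPkt:
    """Step 4: the B4 wraps the customer's IPv4 packet in IPv6 addressed to the AFTR.
    The inner packet must leave room for the 40-byte outer header or it will not fit the link."""
    if pkt.length + IPV6_HDR_LEN > link_mtu:
        raise ValueError(f"{pkt.length}-byte packet plus tunnel header exceeds MTU {link_mtu}")
    return TunnelPkt(b4_v6, aftr_v6, IPV4_IN_IPV6, pkt)

class AFTR:
    """Steps 5-6: terminate the tunnel, then apply IPv4-to-IPv4 NAT keyed on the B4 address."""
    def __init__(self, v6_addr: str, public_v4: str, first_port: int = 40000):
        self.v6 = v6_addr
        self.public_v4 = public_v4
        self.next_port = first_port
        # Binding key is (B4 IPv6 address, private IPv4, private port) -> public port.
        # The B4 address is essential: customers behind different B4s routinely use the
        # same RFC 1918 private addresses, so the private address alone is ambiguous.
        self.bindings = {}

    def receive(self, tp: TunnelPkt) -> IPv4Pkt:
        if tp.v6_dst != self.v6 or tp.next_header != IPV4_IN_IPV6:
            raise ValueError("not a DS-Lite tunnel packet addressed to this AFTR")
        inner = tp.inner                                  # step 5: decapsulate
        key = (tp.v6_src, inner.src, inner.sport)
        if key not in self.bindings:                      # step 6: allocate a NAT binding
            self.bindings[key] = self.next_port
            self.next_port += 1
        # Translated packet leaves toward the public IPv4 destination
        return IPv4Pkt(self.public_v4, inner.dst, self.bindings[key], inner.dport, inner.length)
```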

There are many DS-Lite benefits:

  • A lightweight solution that allows IPv4 connectivity over an IPv6 network
  • Avoids the need for multiple levels of NAT, which reduces complexity and latency
  • Allows service providers to move their core and access networks to IPv6 to realize the other advantages of the technology (discussed above)
  • Enables coexistence of IPv4 and IPv6 addressing to support broad-scale migration to the newer and larger IP addressing space
  • Helps resolve IPv4 address scarcity issue so that web site operators and Internet service providers can continue to provide reliable access to the growing number of Internet-attached devices
  • Allows incremental migration to a native IPv6 environment, thus avoiding an expensive, wholesale changeover to the next generation of equipment

These benefits, however, come with challenges:

  • DS-Lite does not allow IPv6 and IPv4 hosts to talk directly with each other
  • Increases packet size because of the tunnel headers, and therefore usually requires MTU management to avoid fragmentation, which adds complexity in order to minimize any loss of performance
  • Requires management of the bindings between customer addresses and the public addresses used for translation in the AFTR device