IPv6: Facts and Fiction
Copyright © June 2004 by Christian Schild, Christian Strauf, Tina Strauf and Andre Stolze
This document is intended to clear up a few of the most common prejudices and
rumours around IPv6 and its introduction to the Internet. We try to address
these issues and problems in a fair way neither denying them outright nor
confirming them without explanation. We rather focus on where specific concerns
are coming from and most importantly why they are right or wrong and -
if possible - how some existing problems might be solved.
Q1: Will we really run out of IPv4 addresses?
IPv6 was originally developed to resolve the issue of the threatening
depletion of IPv4 address space which amounts to a maximum of 4 billion
addresses out of which 2.5 billion have already been assigned to
customers all over the world.
This sounds as if there still are a lot of free addresses but
this notion is wrong, because an IP(v4) address isn't just used
to designate a specific network node on the Internet. It is also used
for routing purposes. This means that for every single host a rather significant
portion of address space is reserved around the address that was actually
assigned to the host. For example, even with a relatively small /28 subnet with 9
actual hosts, 7 addresses are "wasted". With bigger subnets even more
addresses are lost.
According to professional estimates (RFC3194)
the 4 billion available addresses for IPv4 are enough for approximately
250 million devices without causing too much pain in administration.
This number has already been exceeded (see also http://www.isc.org/index.pl?/ops/ds/).
It is questionable if these estimates are still applicable since the assignment
of new IP addresses is a lot more restrictive today. At the cost of more complexity
and consequently harder, much "more painful" administration, the ratio of wasted address
space has been considerably reduced.
Q2: When will we run out of IPv4 addresses?
There are several prognoses, ranging from 2005 to 2020, as to when the regional
registries (RIRs) really won't have any more address space to delegate to
applicants.
Only a few years ago, when IPv4 addresses were assigned at an exponentially
growing rate, estimates even implied the year 2003 as a worst case and 2005
at best. Obviously the worst case didn't happen and 2005 is highly unlikely
because IPv4 addresses are assigned at a much slower rate today.
The reason for this is hardly the fact that the 90's Internet boom is long
since over. The Internet is still growing and with it IPv4 addresses are in
high demand. However the regional registries simply don't hand them out as
freely any more. They have a restricted policy now on who can get address space
and who can not and even tell their applicants to use NAT.
Still, a correct estimate as to when IPv4 addresses will run out with this
assignment policy is not easy. Who knows how and when a completely new
application/service will become available/popular that is based on global
addresses for everyone? Actually this situation has already arisen in the
mobile world in a way where new backbones (e.g. UMTS) are based on IPv6
today.
Q3: Didn't NAT solve the address problem?
The problem of IPv4 addresses running out was realized relatively early.
Even while a new address protocol was being developed, measures were
taken to prolong the period of time while there were still free IPv4
addresses to delegate. These mechanisms include (in some sense) CIDR (Classless
Inter-Domain Routing, RFC1519) and NAT (Network Address Translation, RFC3022).
With NAT it is possible to connect a nearly unlimited number of hosts behind
one globally unique IP(v4) address using private (RFC1918) addresses and
address translation. With this mechanism
the maximum number of 4 billion available IPv4 addresses is certainly
no longer valid.
But aside from offering a large address space to virtually everybody the use
of NAT also causes significant problems because, as a side-effect, end-to-end
connectivity (transparency) is lost, a concept the Internet was originally
built on. A NAT router is like a one-way route for the hosts behind it. From
behind a NAT one can connect to servers/hosts outside but not the other way
around. From outside, a host behind a NAT is unreachable. Therefore NAT can
not be used for servers and makes peer-to-peer services like voice-over-IP or
distributed gaming extremely difficult, if not impossible, too.
Another side effect of NAT routers is that they often constitute a "single
point of failure" and bottleneck because all the traffic must go through
the device. With less intelligent devices connectivity might be lost completely
if the NAT service goes down, even if the line is still operational. With high
availability devices though, mechanisms are usually built in, to offer some kind
of load-sharing and redundancy.
A more important problem and one that occurs more and more often now is address
collisions when people use VPN from one NAT-site to another NAT-site. It is quite
likely that two sites use the same RFC1918
address space behind their NAT box. This problem cannot really be solved at
all.
NAT also makes the use of secure (IPSec) communications difficult if not impossible, because packet
headers are modified at a NAT router and therefore the integrity of the packet
is violated.
If one were to continue with the NAT approach, the Internet would someday just consist
of a few "visible" servers and NAT boxes. All client hosts would be hidden
behind NATs and could no longer communicate with one another directly. This
might be the dream of a few regulation and policy agencies who want to
monitor all traffic but the idea of a "free use of the Internet" is then
certainly lost completely.
Q4: Why are so many IP addresses even needed?
For decades interest in the Internet concentrated on America and Europe,
only a very few locations in other parts of the world were connected. With
the 90s and the growing popularity of e-mail and the world wide web
this interest also spread to Asia and later Latin
America and the metropolitan areas of Africa. Until then however IP(v4) addresses
had been handed out on a "first come, first serve" basis and about half of the
available address space had already been delegated mainly to the US and European
countries. Even then it was clear that there was not enough address space
left to equitably accommodate the growing need of the rest of the world. Asia,
with its fast evolving economy and much bigger nations than Europe,
was the first region where NAT had to be implemented massively.
Next to the still exponentially growing Internet, new technologies have been
developed which extend the use of the world wide network to new
applications causing even more addresses to be needed. UMTS, GPRS and
IP-telephones are only a few examples. So far these technologies are not
yet so widely used. Private addresses are used to compensate, but this
will not be enough when these devices some day become as important as
normal cell phones are today.
It should be clear now that already today the need for IP address space
is very great and without such workarounds like NAT, which come with
their own problems, and a very strict assignment policy for new
address space that makes it a very painful process for everyone involved,
we would have run out of address space long ago. So it doesn't take
futuristic visions like networked fridges or power plugs with IP anymore
to show, that the Internet is in desperate need of IPv6.
Q5: Is IPv6 really going to replace IPv4?
Not in the short term but eventually, YES.
IPv6 was never meant to replace IPv4 from one day to the next. IPv6 is simply
another layer 3 protocol that can independently exist in parallel to IPv4
(like IPX). To facilitate the migration to IPv6 quite a few mechanisms were
developed along with IPv6. These mechanisms for example bridge non IPv6
capable network devices or provide a way of communication between IPv4
and IPv6 devices, so IPv6 can be introduced to the Internet on a step-by-step
basis without a flag-day.
For the moment and most likely for some time to come the ideal state for any
network is a dual-stack IPv4/IPv6 infrastructure. Only after that is in place
does it make sense to move more and more parts of the network to IPv6-only operating mode.
There are numerous estimates as to how and when the Internet is going to evolve
into a full IPv6 network. All in all it is very hard to make a correct forecast
as there are quite a few factors and groups of people who both promote the use of
IPv6 and others who work against it. A lot of money is involved as well as
politics and not all parties put all their cards on the table.
It is however very likely that IPv6 will become more and more important
during the coming years, but will not replace IPv4 for some time to come. IPv4
will probably stay around for several years if not decades. In parallel however, IPv6
will become the prevalent protocol on the Internet as IPv4 is now. Over time there
will be more and more IPv6-only islands and people will probably discover that by
the time most of the Internet is at least dual-stack it is much more convenient
to drop IPv4 from their networks and with that save the time and money needed
to operate the second protocol.
The only real problem with IPv6 migration is IPv4-only and, later, IPv6-only hosts.
They are and will only be able to communicate with one another through the use of
transition techniques.
These mechanisms might pose as yet unknown security risks and in any case have a
few of the same problems as NAT today in that they destroy end-to-end connectivity
and transparency. This is the reason why the step to at least dual-stack networks everywhere is
so very important right now. It is mainly the non-availability of IPv6 support in
either networks or applications that makes IPv6 a bit complicated to use today.
Q6: Can IPv4 communicate with IPv6?
No, not really. It can be translated, though.
IPv4 and IPv6 are independent layer 3 protocols. They have no way of communicating
with one another by themselves. But since IPv6 was developed as being
introduced to the networks in parallel to IPv4, quite a few so called "transition
mechanisms" to facilitate the migration were developed with it. These
mechanisms put the question into another perspective, so it can be answered
with a Yes after all.
One has to differentiate between two types of transition mechanisms: one, where
it is simply a requirement that IPv6 traffic be able to cross parts
of the Internet which are IPv4-only (also called "tunnelling techniques"),
the other, where IPv6-only hosts actually need to talk to IPv4-only hosts and
"translation" of IPv4 traffic into IPv6 traffic of some kind comes into play.
The former scenario is much more common today and solved by many mechanisms
including IPv6-in-IPv4 tunnelling like 6to4, ISATAP or manually configured tunnels. With these
mechanisms an IPv6 packet is simply encapsulated in an IPv4 packet and then
sent to the other endpoint of the tunnel, where it is decapsulated again.
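The encapsulation described above, as an added example that is not part of the original FAQ. It builds an IPv6-in-IPv4 packet, decapsulates it at the far end, and for 6to4 checks that the outer IPv4 source matches the IPv4 address embedded in the inner source address. The protocol number 41 and the 6to4 prefix 2002::/16 come from the tunnelling specifications, not from this page; the function names are hypothetical and all addresses are constructed documentation addresses.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number that marks an encapsulated IPv6 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement header checksum that IPv4 carries (IPv6 has none)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv6_header(src: str, dst: str, payload_len: int = 0, next_header: int = 59) -> bytes:
    """Fixed 40-byte IPv6 header; next_header 59 means 'no next header'."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first_word, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def encapsulate(inner: bytes, src4: str, dst4: str, proto: int = IPPROTO_IPV6) -> bytes:
    """Tunnel entry point: prepend a 20-byte IPv4 header to the inner packet."""
    src = ipaddress.IPv4Address(src4).packed
    dst = ipaddress.IPv4Address(dst4).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner),
                      0, 0, 64, proto, 0, src, dst)
    # Fill in the checksum field (bytes 10-11) over the finished header.
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner


def decapsulate(packet: bytes):
    """Tunnel exit point: return details of the inner packet, or None if the
    IPv4 packet does not carry protocol 41."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length is variable
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IPPROTO_IPV6:
        return None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not an IPv6 packet")
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    embedded = inner_src.sixtofour  # IPv4 address inside 2002::/16, else None
    return {
        "outer_src": outer_src,
        "outer_dst": ipaddress.IPv4Address(packet[16:20]),
        "inner_src": inner_src,
        "inner_dst": ipaddress.IPv6Address(inner[24:40]),
        "sixtofour_src": embedded,
        # A 6to4 source that disagrees with the outer header is suspect.
        "src_consistent": embedded is None or embedded == outer_src,
    }


if __name__ == "__main__":
    # Constructed sample: 6to4 site 192.0.2.1 sending to 6to4 site 198.51.100.1.
    inner = ipv6_header("2002:c000:201::1", "2002:c633:6401::1")
    for outer_src in ("192.0.2.1", "203.0.113.9"):
        info = decapsulate(encapsulate(inner, outer_src, "198.51.100.1"))
        print(outer_src, "->", info["inner_src"], "consistent:", info["src_consistent"])
```

A packet filter that only looks at the outer IPv4 header sees a single protocol-41 flow here; the inner addresses and payload are visible only after decapsulation.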
For the more complicated scenario, where IPv6-only hosts actually need to talk to IPv4-only
hosts, the mechanisms mainly are NAT-PT (Network Address Translation - Protocol Translation),
TRT (Transport Relay Translator), DSTM (Dual-Stack Transition Mechanism) or dual-stack proxies.
This, however, usually only works in the direction in which communications initiated by the
IPv6-only host are going to the IPv4-only host.
The other way around, where IPv4-only nodes want to talk to IPv6-only nodes, is the
most difficult scenario and not yet solved on a general basis. For specific applications
this might be possible through the use of ALGs (Application Layer Gateways). Also a standard
for bi-directional NAT-PT (RFC 2766) has been developed within the IETF. Generally, however,
the problem is the automatic mapping of IPv6 addresses to IPv4 addresses, which cannot be
easily done due to the much larger number of IPv6 addresses in comparison to IPv4.
Q7: Is IPv6(-support) even available anywhere yet?
Most definitely Yes!
The times where IPv6 was a rare feature only
available in early development versions of software, or the only way to get
IPv6 connectivity was a remote 6bone PoP somewhere on the other side of the
world are long over.
But let us go into more detail on this.
The Internet protocol is of great importance in a lot of places. For the
migration from IPv4 to IPv6 consequently a lot of things have to be
changed and carefully considered. Operating Systems, any network operating
software, hardware network products as well as providers and their services
have to be changed/modified to accommodate the new protocol.
The fact is however, that this by now has been accomplished in most areas. There's
hardly a modern operating system without IPv6 support. From Linux to MacOS (X),
from Solaris to AIX, from BSD to HP-UX, IPv6 is integrated in all *nix OSes.
For the Redmond faction, IPv6 is available from Windows XP (better with SP1) and
Windows 2003 server on, with development implementations available for Windows 2000.
For the next version of the Windows operating systems
reliable rumors have it that IPv6 isn't just included but more likely to
be an integral part of it, in that home networking/ad hoc networking will
be based on it by default.
With applications the Unix world is much further ahead. IPv6 has been in
the programmers' heads for quite a few years now and there is no half-popular
application type for which there isn't at least a small choice of IPv6
capable implementations, servers and clients alike.
For Windows applications the news is a bit more conservative. Libraries
and APIs were ported and (more importantly) released much later than for
the unix world and consequently application-wise the Microsoft OSes are
a little behind but not by much. These days they are catching up fast and
all the important Windows applications (FTP, MSIE, for W2003 server also IIS)
are IPv6 capable as well as quite a few other implementations for popular
network applications freely available on the net.
In terms of hardware, IPv6 functionality is available for routers/switches
from most vendors. Especially the "big players" like Cisco, Juniper, Hitachi,
Extreme or Foundry have developed their first IPv6 software upgrades quite
a while ago and are well into the process of implementing IPv6 packet
forwarding in hardware or state-of-the-art features like IPv6 multicast,
mobile-ip, IPv6 stateful firewalling or IPv6 management solutions.
Unfortunately cheap/small home-access devices like low budget DSL-routers
are not yet easily available with IPv6 support. Here one should revert to
software/pc-solutions for the time being, which isn't really a problem
anyway.
The area where IPv6 support is the most behind/lacking is actual IPv6
connectivity. There are a few providers which offer IPv6 with their
normal service but none of the really big companies like the Deutsche Telekom
or AOL in Germany. The same is true for most European countries as well
as the US. Asia alone is leading in that regard. They adopted IPv6 years ago
and there are far fewer IPv4-only networks there than IPv6-only.
However, even without native IPv6 connectivity through the provider, everybody
has the possibility to get initial IPv6 connectivity through transition
mechanisms like IPv6-in-IPv4 tunnelling. Either 6to4 or one of the tunnel
brokers like freenet6 or cselt/sixxs is available to anyone regardless of the real
provider or type of connection.
Q8: Are there providers today already offering IPv6 connectivity?
Yes, sure, but not as much as we'd like there to be.
IPv6 has been tested and used now for quite a few years also in backbone networks.
Production quality IPv6 networks have been built since 2001. Still, the IPv6 infrastructure
is of course not yet as far along as IPv4, but global connectivity is there
and available to anyone, if not natively by the normal provider. Through
the use of transition mechanisms and providers who specialize on providing
IPv6 connectivity via tunnel brokers, anyone can get connected today.
BTW: Last year (2003) registries noticed a particularly strong interest
in IPv6 prefixes for providers. Germany is actually leading in the number
of assigned prefixes to local ISPs. Currently 35 prefixes out of 280 assigned
prefixes in Europe as a whole are registered by German companies alone.
In January 2004 500 prefixes were assigned worldwide.
Q9: Is IPv6 only being forwarded in software?
No, but it's not done in hardware everywhere (yet).
Companies like Juniper or Hitachi developed fast IP Switching for IPv6
in hardware already years ago. Cisco has been preparing its products
for a corresponding upgrade for a while now. This list of vendors is in no way complete
though. All hardware manufacturers have tackled this task or at least
have concrete plans to do so.
Q10: Is IPv6 slower than IPv4?
This question cannot really be answered correctly in a general statement. Speed
is such a relative term and, more importantly, much less dependent on the protocol
used for the transmission of data than on its implementation on the different
devices that need to be crossed by the traffic and of course the lines in between.
Fundamentally, IPv6 is not slower than IPv4 at all, maybe even more efficient (see below).
However IPv6 connections today may indeed be slower.
Unfortunately IPv6 is hardly a production service everywhere yet. While there
are already quite a few networks and nodes that are IPv6 enabled, IPv6 packets
often still need to cross parts of the Internet which are IPv4-only by some
tunnelling method or other.
The problem with tunnelling often is that two endpoints that are topologically far away
from each other in the IPv4 network appear as close neighbors with one hop distance in IPv6.
This has been and still is one of the
biggest problems with the global IPv6 test backbone 6BONE which is built up
exclusively by IPv6-in-IPv4 tunnels. The latencies are very high which sometimes
even results in broken BGP sessions and the like.
With tunnels that are very close to the real IPv4 topology one still
loses some speed to encapsulation and decapsulation. The impact of the last
issue on performance however is much smaller and not that much of a problem.
Even when comparing native IPv6 traffic with IPv4 on the same equipment
IPv6 might be slower at the moment. Here the better performance of IPv4
results from 30 years of experience and optimization of IPv4 packet
forwarding. Every ounce of speed has been squeezed out of those processors
and implementations. The much younger Internet protocol version 6 has not
been tested as excessively yet and sometimes isn't even available
as a hardware feature yet but routed in software which of course
can compete even less with the super-optimized throughput of IPv4
hardware packet forwarding. It is just a question of time though until
IPv6 catches up.
There are even quite a few promising features with IPv6
that might make IPv6 packet forwarding faster in the end than IPv4
could ever be. For example the IPv6 header is much cleaner and is of fixed
length. Optional parameters are enclosed in so called extension headers
which only get processed when needed. Also the header checksum parameter,
which with IPv4 needs to be computed and verified on every router, is no
longer present in IPv6.
Q11: Does IPv6 facilitate (illegal) peer-to-peer file sharing?
This question hints at the fact that today more and more services
are developed that are not based on strict client-server communication
but where the clients interact point-to-point. For this to work, clients have
to be able to talk to each other directly, which is easiest with globally
unique (and reachable) IP addresses, addresses that IPv6 makes available
to everyone and everything.
Some people see a problem in this because they fear that this functionality
will specifically make peer-to-peer applications easier to use where files
are shared illegally. Due to the direct client-to-client interaction these
services cannot be monitored as easily and therefore perpetrators have less chance of being caught.
Generally however client-to-client communication is something good and
very much needed for example for IP telephones or secured connections
where no third party should be involved.
Thinking about it more closely, it is not really understandable why IPv6
should facilitate the illegal sharing of files over the Internet that much,
because even now we see that NAT is not hindering it either. It was probably
more complicated to implement but obviously not impossible.
On the other hand, there might also even be an advantage to IPv6 where no NATs
need to be crossed/circumvented. With IPv6 everybody connects with his own
unique and quite traceable IPv6 address. Even if privacy addresses
(RFC3041) are used at least the site's
administrator should be able to find the source of a given IPv6 packet.
It is rather unlikely though, that peer-to-peer applications will
even work with these privacy addresses.
Q12: Will the new program code necessary for IPv6 contain more security holes?
It is totally pointless to ask this question with the intent to then
refuse to use IPv6. Of course new program code is a bit more likely to
contain errors which might lead to security holes, than older, much more
often revised code. New software, which also has security bugs, is used everywhere
every day on the net, but most people seem to care a lot less about those.
Conversely, IPv6 is even a new chance to find old mistakes which are deeply buried
in decades-old TCP/IP routines, and to avoid making them again.
Quite a few of these bugs have in fact been found during the course of re-implementing
those routines for IPv6, revealing as yet unknown potential vulnerabilities in IPv4.
Q13: Does IPv6 protect against viruses and spam?
No, unfortunately but most definitely not.
IPv6 is in essence just an addressing protocol, a very basic mechanism
located low in the protocol layer model. Usually viruses or mail have
absolutely no idea how they are transmitted through the Internet and
which protocol is used. The two functionalities are completely independent
of each other. Therefore IPv6 itself can neither protect against viruses nor spam.
Q14: When should one migrate to IPv6 networks?
From the beginning it was clear that IPv4 couldn't and wouldn't vanish
from the Internet from one day to the next, so it was decided that IPv6
should be introduced to the networks in parallel to IPv4 without a given
flag-day.
The transition to IPv6 should happen smoothly. In a way IPv6 kind of
sneaks into networks, operating systems and applications here and there.
It's only a question of time until it will be available everywhere in soft-
and hardware and until networks are dual-stack by default. IPv4 is most likely
going to stay the prevalent protocol being used for a while but IPv6 will take this role
over time. Once it is possible to do without IPv4 completely it is probably not
long until it will be gone, because while dual stack networks are the best choice
for the moment, they also mean more work in monitoring and maintenance.
Because of this some people even think it's bad to not have a flag day
for the transition to IPv6. More work effectively also means that more
money is involved in maintaining such a network. This is especially true
for backbone providers.
Q15: Is IPv6 "better" than IPv4?
IPv6 is a further development of IPv4. Aside from the much bigger address space
it also comes with quite a few other improvements and enhancements. Several
mistakes that were made with IPv4 were rectified and the header and protocol
itself were stripped of redundant information. It includes IPSec and QoS
functionality which had to be painstakingly added to IPv4 as a not quite satisfying
optional feature. Based on this experience with IPv4 the new version of the Internet
protocol is now also much more easily extensible with as yet unknown new features and options.
Q16: Does IPv6 lessen network security?
This question is often asked by Internet users that use NAT and feel secure that way,
because most of their hosts can not be (directly) reached from the Internet. The fact
that this will no longer be the case with IPv6 and its abundance of address space
scares them.
This line of thought however contains a basic mistake. In these scenarios it isn't really
the NAT that provides security for the hosts behind it but the firewall that usually comes
with the NAT box. This firewall mostly protects the NAT itself which is globally reachable
from the Internet, because if this NAT router is hacked, all security for the network behind
it is lost.
This is actually the point where the above question nevertheless has to be answered with "Yes",
because the firewalls currently present and configured for normal IPv4 traffic do not guard against
attacks/unauthorized access via IPv6 because they usually don't even understand the new
protocol. To defend a network against IPv6 attacks, special IPv6 firewalls and
IPv6 firewall rules need to be put in place.
If configured properly, "mirroring" the IPv4 firewall ruleset, the network will be as secure as
before even though every host in it is globally reachable via IPv6. Maybe the network is even
more secure because now also IPSec can be used to further protect end-to-end connections.
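One way to check that an IPv6 ruleset really mirrors the IPv4 one, as an added example that is not part of the original FAQ. It assumes a Linux host whose rules are dumped in the `iptables-save` / `ip6tables-save` text format (the FAQ names no particular firewall); the function names are hypothetical and both rulesets are constructed samples.

```python
# Constructed sample dumps in iptables-save / ip6tables-save format.
V4_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

V6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

ICMP_NAMES = {"icmp", "ipv6-icmp", "icmpv6"}   # same role in both families
ADDRESS_FLAGS = {"-s", "-d", "--source", "--destination"}


def parse_ruleset(text):
    """Return (chain policies, set of (chain, normalized rule text))."""
    policies, rules = {}, set()
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].startswith(":") and len(tokens) >= 2:
            policies[tokens[0][1:]] = tokens[1]        # ":INPUT DROP [0:0]"
        elif tokens[0] == "-A" and len(tokens) >= 3:
            body = tokens[2:]
            if ADDRESS_FLAGS & set(body):
                continue   # literal addresses differ per family; review by hand
            body = ["icmp*" if t in ICMP_NAMES else t for t in body]
            rules.add((tokens[1], " ".join(body)))
    return policies, rules


def find_gaps(v4_text, v6_text):
    """List the places where the IPv6 ruleset does not mirror the IPv4 one."""
    p4, r4 = parse_ruleset(v4_text)
    p6, r6 = parse_ruleset(v6_text)
    gaps = []
    for chain, pol4 in sorted(p4.items()):
        # A built-in chain with no IPv6 rules loaded defaults to ACCEPT.
        pol6 = p6.get(chain, "ACCEPT")
        if pol4 == "DROP" and pol6 != "DROP":
            gaps.append(("policy", chain, pol4, pol6))
    for chain, rule in sorted(r6 - r4):
        gaps.append(("only-v6", chain, rule))   # reachable over IPv6 only
    for chain, rule in sorted(r4 - r6):
        gaps.append(("only-v4", chain, rule))   # IPv4 rule with no IPv6 twin
    return gaps


if __name__ == "__main__":
    for gap in find_gaps(V4_RULES, V6_RULES):
        print(gap)
```

An empty IPv6 dump, which is the situation the answer above describes, shows up as a `policy` gap for every chain that IPv4 drops by default.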