IPv4 Sunset

All good (legacy) things must come to an end

Carsten Strotmann

Created: 2025-01-30 Thu 09:51

Agenda

  • The costs of dual-stack operation
  • Going IPv6-only
  • Islands of IPv4
  • IPv4 sunset on the Internet
  • Purchase

The cost of dual stack operation

Dual-Stack = Dual-Costs

  • Running a network in "Dual-Stack" mode with both IPv6 and IPv4 enabled creates additional costs
    • Additional network and routing configuration
    • Almost double the cost for network security (additional Firewall configuration, security audit, patches, more complexity = bad for security)
    • Extra work for troubleshooting: network issues can appear in either IPv6 or IPv4, or can be an interaction between the two protocols

Move IPv4 to "historic" status

  • While there have been attempts in the IETF to deprecate IPv4 (see IETF: End Work on IPv4), IPv4 is still needed on the Internet
    • The Internet will be "dual-stack" for a long time
    • External Services (Web-Server, E-Mail-Server, DNS-Server …) will require Dual-Stack connectivity for the foreseeable future
  • However it is possible to remove IPv4 in some (possibly not all) internal networks

Going "IPv6-only"

How to remove IPv4 from the network

  • In most networks, it is not feasible to remove IPv4 entirely
    • There are devices that don't (fully) support IPv6 and probably never will (e.g. older medical equipment, expensive factory machines, long-lived infrastructure devices)
    • But every network segment without IPv4 reduces the operational costs
    • Compare the costs of modernizing parts of the network infrastructure vs the costs of operating a "dual-stack" network

Selecting IPv6-only networks

  • Watch out for networks that …
    • have a low diversity in the devices' operating systems and applications
    • have a high level of operational/administrative control over the devices in the network

Find "low hanging fruits"

  • Wireless Networks
    • Dedicated IPv6-only wireless network for the administration team
      • Good way to gain experience with IPv6-only networks
    • IPv6-only network for application developers
      • Developers of Apple iOS applications require this, as they need to test applications in IPv6-only networks as demanded by the Apple App-Store

Find "low hanging fruits"

  • Guest-Wireless-Networks
    • Mobile devices (Phones, Tablets, Laptops) with "standard" applications (E-Mail, MS Office, Web-Browser) work fine in an IPv6-only environment
    • Use DNS64/NAT64 to allow access to IPv4-only resources on the Internet

Find "low hanging fruits"

  • Phone/VoIP networks
    • Limited number of device types
    • High level of operational control
    • Work with the vendor towards an IPv6-only VoIP network

Find "low hanging fruits"

  • Data-center networks
    • Data-Center networks are usually a very controlled environment (unless you offer hosting services)
    • IPv4 traffic can be terminated at the entry gateway to the data-center and "converted" to IPv6 (via protocol-proxy or application-proxy)

Find "low hanging fruits"

  • Administration networks (dedicated networks that are separate from the production networks)
    • Highly controlled
    • Limited number of users with higher-than-normal networking skills
    • Be aware of monitoring applications
      • The Monitoring should still be able to reach IPv4 devices and services

Find "low hanging fruits"

  • Office Networks can be a candidate for IPv6-only networks

IPv6 "mostly"

  • Being a client/server protocol, DHCPv4 allows IPv4 to be selectively disabled on a per-host basis on a given network segment
  • Statistics from the DHCP server allow the admin to see the percentage of IPv6-only capable hosts (or if IPv4 is still needed in a particular network segment)

IPv6 "mostly" benefits

  • Drastically reduced IPv4 consumption
  • Controlled and incremental phase-out of IPv4
  • Reduced dependency on DHCPv4
  • Simplified troubleshooting due to reduced impact of Happy Eyeballs

IPv6 "mostly" - Support for "IPv6-Only Preferred Option"

  • Kea DHCP since version 2.2
  • FreeBSD "dhcpd"
  • Trivial to implement this option in almost any DHCP server

IPv6 "mostly" - Support for "IPv6-Only Preferred Option"

  • Apple macOS versions starting with version 12.01
  • Apple iOS
  • Linux with Systemd since version 255
  • Microsoft plans to support the "IPv6-Only Preferred Option" in a future version of Windows 11

Keeping islands of IPv4 where needed

IPv4 in IPv6-only networks

  • RFC 8925 defines a new DHCPv4 option that helps implement IPv6-mostly (or IPv4-on-demand) segments where IPv6-only hosts coexist with legacy dual-stack devices: IPv6-Only Preferred Option for DHCPv4
    • Modern client machines can indicate that they can operate in an IPv6-only environment
    • DHCPv4 server can inform the DHCPv4 clients that the current attached network permits/prefers IPv6-only operation
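
The option exchange described above, and the per-segment statistic mentioned on the IPv6 "mostly" slide, as an added example that is not part of the original slides. It assumes RFC 8925 option code 108 with a 4-octet wait time and a 300 second minimum; the function names and the sample packets are constructed for illustration.

```python
import struct

OPT_PARAM_REQUEST_LIST = 55  # RFC 2132 Parameter Request List
OPT_V6ONLY_PREFERRED = 108   # RFC 8925 IPv6-Only Preferred
MIN_V6ONLY_WAIT = 300        # seconds, lower bound from RFC 8925

def parse_options(raw):
    """Parse a DHCPv4 options field (bytes after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length octet
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated DHCP option %d" % code)
        length = raw[i + 1]
        opts[code] = opts.get(code, b"") + raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def client_is_v6only_capable(opts):
    """The client signals capability by listing option 108 in its Parameter Request List."""
    return OPT_V6ONLY_PREFERRED in opts.get(OPT_PARAM_REQUEST_LIST, b"")

def v6only_wait(opts):
    """Seconds the client keeps IPv4 off, or None if the reply carries no valid option 108."""
    value = opts.get(OPT_V6ONLY_PREFERRED)
    if value is None or len(value) != 4:
        return None              # wrong length: treat the option as absent
    # Values below the minimum are raised to it.
    return max(struct.unpack("!I", value)[0], MIN_V6ONLY_WAIT)

def v6only_capable_share(discovers):
    """Percentage of distinct clients (by MAC) whose DHCPDISCOVER requests option 108."""
    capable = {mac: client_is_v6only_capable(parse_options(raw)) for mac, raw in discovers}
    return 100.0 * sum(capable.values()) / len(capable)

# Constructed sample data: (client MAC, options field of a DHCPDISCOVER)
SAMPLE_DISCOVERS = [
    ("02:00:00:00:00:01", bytes([53, 1, 1, 55, 5, 1, 3, 6, 15, 108, 255])),
    ("02:00:00:00:00:02", bytes([53, 1, 1, 55, 4, 1, 3, 6, 15, 255])),
    ("02:00:00:00:00:03", bytes([53, 1, 1, 55, 3, 1, 121, 108, 255])),
    ("02:00:00:00:00:04", bytes([53, 1, 1, 0, 0, 55, 2, 1, 3, 255])),
]
# Constructed DHCPOFFER options: message type 2, option 108 with V6ONLY_WAIT = 1800 s
SAMPLE_OFFER = bytes([53, 1, 2, 108, 4]) + struct.pack("!I", 1800) + bytes([255])
```

Calling v6only_capable_share(SAMPLE_DISCOVERS) on the constructed data reports that half of the clients could run without IPv4 on this segment.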

Protocol Switch with the help of Application-Proxies

  • Application Proxies can be used to switch a TCP/IP connection from IPv4 to IPv6 or back
    • This is an application level gateway type of service
    • It can negatively affect performance and latency of a network or a service
    • Examples:
      • HTTP/Web-Proxy from an IPv6-only LAN towards the Dual-Stack Internet
      • HTTP Reverse-Proxy to offer a website on an IPv6-only web-server towards IPv4 clients
  • Application Proxies break end-to-end encryption and might not work with all protocols

Protocol Switch with the help of Protocol-Proxies

  • Protocol proxies, unlike application proxies, work at the routing layer.
    • The transport layer (TCP and UDP) and the application layer are not touched
    • The IP header of the packets is exchanged (IPv4 <-> IPv6)
    • Protocol proxies are also called protocol NAT systems
    • Popular protocol proxy variants are "IP/ICMP Translation Algorithm" (SIIT) and "SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Center Environments"
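
The address half of the header exchange, as an added example that is not part of the original slides. It assumes the RFC 6052 mapping that SIIT translators and DNS64/NAT64 use to embed an IPv4 address in an IPv6 prefix; the function names are constructed for illustration and the addresses come from documentation ranges.

```python
import ipaddress

WELL_KNOWN_PREFIX = "64:ff9b::/96"  # NAT64/DNS64 well-known prefix (RFC 6052)

def v4_octet_positions(prefix):
    """Byte offsets inside the IPv6 address that carry the four IPv4 octets."""
    if prefix.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 allows prefix lengths 32, 40, 48, 56, 64 and 96 only")
    if prefix.network_address.packed[8] != 0:
        raise ValueError("bits 64-71 (the 'u' octet) of the prefix must be zero")
    # The IPv4 octets follow the prefix and skip byte 8, which stays zero.
    return [i for i in range(prefix.prefixlen // 8, 16) if i != 8][:4]

def embed_ipv4(prefix, v4):
    """Map an IPv4 address into a translation prefix (what DNS64 puts into the AAAA answer)."""
    prefix = ipaddress.IPv6Network(prefix)
    out = bytearray(prefix.network_address.packed)
    for pos, octet in zip(v4_octet_positions(prefix), ipaddress.IPv4Address(v4).packed):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))

def extract_ipv4(prefix, v6):
    """Recover the IPv4 address a translator would put into the IPv4 header."""
    prefix = ipaddress.IPv6Network(prefix)
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        raise ValueError("%s is not inside %s" % (v6, prefix))
    return ipaddress.IPv4Address(bytes(v6.packed[i] for i in v4_octet_positions(prefix)))

if __name__ == "__main__":
    # Constructed examples using documentation addresses (192.0.2.0/24, 2001:db8::/32)
    print(embed_ipv4(WELL_KNOWN_PREFIX, "192.0.2.33"))
    print(embed_ipv4("2001:db8:100::/40", "192.0.2.33"))
    print(extract_ipv4(WELL_KNOWN_PREFIX, "64:ff9b::c000:221"))
```

On the IPv6 side of a translator, firewall rules and logs only show the mapped addresses, so extract_ipv4 is the step needed to correlate them with the IPv4 host behind the prefix.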

Protocol Switch with the help of Protocol-Proxies

  • Proxies can be set up separately from target systems and applications

    • They are transparent to most applications (i.e., no customization, such as a special proxy configuration, is required on either the client side or the target system)
    • Application and protocol proxies are available as open source software (e.g. HA-Proxy, NGINX, OpenBSD "relayd") and as commercial solutions (mostly appliances).

IPv4 sunset on the Internet

Quality of IPv4

  • Because of the use of IPv4-in-IPv6 tunneling, the quality of IPv4 connectivity is decreasing
    • DS-Lite
    • 464XLAT
  • IPv4 might be broken for users on the Internet

IPv6 Service offerings must work IPv6-only

  • Internet users with broken IPv4 are using an IPv6-only Internet
  • Websites and other Internet Services must work in this IPv6-only scenario
  • Test external facing services in IPv6-only mode
    • Websites (do all resources load over IPv6?)
    • API Endpoints
    • Authoritative DNS server
    • SMTP Mail

Purchase of ITC Equipment

  • RFPs, Contracts, etc: All products, support sites, etc MUST NOT require IPv4
    • Communicate to vendors early to give them time to find and fix problems
    • Get confirmation about IPv6(-only) support (RFC 8504) in writing from vendors

Questions?