In a perfect world, the transition to IPv6 would be automatic: enable the new protocol on your computers and servers (since all the major operating systems have had IPv6 support for ages), and things should work seamlessly.
It’s unlikely to happen that way, and VoIP – an increasingly familiar part of the business technology landscape – provides a good example of the challenges IPv6 might pose for familiar applications.
IPv4 Address Exhaustion
The background is common knowledge: more than a decade after IPv6 was first developed to provide an upgrade path for the day when IPv4 addresses were exhausted, its time is finally arriving.
IPv4 exhaustion is becoming a current problem – a “real and present danger” in the language of the military. Last August, APNIC’s Geoff Houston wrote that IANA was expected to exhaust its pool of available addresses in the first half of 2012. After this, as the Regional Internet Registries (RIRs) exhaust the pools already allocated to them, IANA will not be able to assign any new pools to them.
“It may well be that 2012 will see IPv4 addresses cease to be generally available in most parts of the world”, Houston concluded.
Gartner’s Geoff Johnson, research vice-president for enterprise communications applications, notes that the fast growth of the Internet in Asia has put pressure on the address space in this region.
He says Gartner’s position has been that businesses should be “alert but not alarmed”, to borrow a cliché. Agreeing with Houston’s exhaustion analysis, Johnson says it’s now clear that business networks will find themselves living with “dual stack” environments for some time.
In simple terms, a business with an existing IPv4 network, running a private IPv4 address scheme behind a NAT (network address translation) device will retain its current addressing scheme. The NAT will get the job of translating IPv4 addresses on the inside to IPv6 addresses on the outside, and the service provider will handle the business of routing IPv6 packets over the Internet.
The business user will then put into place an IPv4-to-IPv6 migration plan that will probably align with equipment refresh.
“By about 2015, most organizations will have to have about 20% of their infrastructure operating on IPv6,” Johnson said. “So the focus will have to be how you operate with dual stack.”
But as we’ll see, living in a dual-stack world has the potential to create a world of pain for the applications that lie behind the firewall.
James Spenceley, CEO of wholesaler Vocus, identified three of those pain points: the VoIP systems themselves, particularly the hardware; security; and the complexity of managing a dual-stack environment.
Both hardware VoIP phones and softphones will need to be upgraded, Spenceley says, since neither market segment has shown much interested in enabling IPv6 addressing.
Back at the server end, the same problem exists: most VoIP environments Spenceley is aware of aren’t IPv6-aware at this point. The good news, however, is that since the server OSs are, upgrading an Asterisk or proprietary VoIP server probably won’t be as troublesome as replacing (or even firmware-upgrading) LAN phones.
VoIP, IPv6 and security
Security is a different challenge.
Today’s VoIP systems almost universally live behind a NAT, and while Spenceley agrees that NAT shouldn’t be regarded as a “secure” firewall, it at least obscures systems like VoIP servers from direct exposure to the Internet.
As can be seen from recent news stories, VoIP systems are becoming a honeypot for Internet-borne attacks.
“There’s a huge amount of people scanning masses of IP addresses looking for SIP servers, and trying to hack those servers to make free phone calls,” he said.
In general, the attackers work by polling the most common SIP port, 5060, and if the targeted system responds on that port, they then try to login using either default passwords (still one of the world’s most common vulnerabilities) or trying brute-force attacks in the hope they’ve identified a VoIP server with a weak password.
If the login is successful, the attacker can then access the target VoIP system to make outgoing phone calls to PSTN destinations, with the cost falling to the owner of the hacked system.
Businesses should already be looking to the security of their VoIP servers to prevent such attacks, but Spenceley says in any “pure” IPv6 implementation, they will have to work doubly hard to make sure their systems are hardened to survive direct exposure to the outside world.
Provider NAT and dual-stack nightmares
But it’s the transitional world that Spenceley expects to cause the most nightmares.
For example, one solution for service providers managing an exhausted IPv4 address pool is to implement provider NAT: the ISP presents one IP address to the outside world, and shares that address between multiple customers (just as your home LAN currently presents one address to the outside world and shares it among different computers).
In this scenario, the problem occurs not at the address level, but at the IP port level.
“The issue is getting services mapped on a port number for more than one user. If Port 5060 is mapped to one place, it’s not available to others sharing that address.”
Certainly, the issue can be worked around simply enough – for example, by users configuring their systems to avoid a port collision – but only if they know the problem exists and can work with their service provider to overcome it.
Other problems present themselves in a dual-stack world.
For example, there’s the way VoIP systems map users to their IP addresses.
In IPv4, techniques like STUN (Simple Traversal of UDP NAT) are used to get packets from outside your firewall to your VoIP client (a similar proprietary system is used by Skype). The public server maps the user ID to the IP address of their firewall when they log in (which, apart from providing PSTN gateway services, forms part of the technical basis for VoIP services).
In IPv6, user discovery is much simpler, since there are enough addresses for everybody to have one, for every machine in their home LAN. Instead of traversing the firewall, the VoIP service needs to offer nothing more than a presence server, letting users know if each other is available to take a call.
But what about that dual-stack “hybrid” environment?
Spenceley says that the number of permutations of NAT likely to emerge as businesses and service providers try to cope with address exhaustion could be nightmarish for VoIP users.
“There will still be single-level NAT users; there will be people who are behind two layers of NAT [their own and the ISP’s]. There will be people with IPv6-to-IPv4 translation, and there will still be those users who hold their own IPv4 native addresses.”
A related issue, he said, is how systems will choose the network they use to send calls over the Internet, since both the originating and destination systems might be connected to IPv4, IPv6 or both.
Future VoIP systems, Spenceley said, will need to be designed so they can respond to all these permutations with a minimum of intervention by systems administrators.
Planning, planning, planning
The most likely transition scenario, according to Gartner’s Johnson, will be that businesses will rely on service providers and outsourcers to do the heavy lifting in their transition to IPv6.
Even so, they will experience all of the technical complexities, even if they’re only manifested in the need to make repeated adjustments to system setup and configuration while they go through the transition.
Johnson emphasizes planning as the key to the smoothest possible transition.
“Review and understand your existing IPv4 addressing, and understand how you expect to make the transition to IPv6,” he said.
And now is a good time to start that process. “For example, we’re in the early days of SIP trunking services ... and it will provide a classic example for the impact of the transition.
“In business-level language, you have to make sure you create your own opportunities, so you know when you’re going to make a move.”
The big problem, Johnson said, is the same as it always has been: everybody needs to move to IPv6 someday, but nobody’s going to make any money from it. If you prepare for the way the IPv6 migration will impact applications like VoIP, you’ll at least minimize the pain – and the cost.
This was first published in October 2010