IPv6 and IPsec in the Enterprise Today
by Mitch Tulloch
As a follow-up to my previous articles on Windows DevCenter about the enhanced IPv6 and IPsec support in Windows Vista, I wanted to share with readers the following interview I had with William Dixon, president of V6 Security and former Microsoft program manager for Windows Networking. I asked William a number of questions about the current state of IPv6 deployment around the world and the changing use of IPsec in enterprise environments. Here are his answers.
Tulloch: William, ever since IPv6 was developed, it seems to me that most network administrators have pushed it to the back of their minds as something they may or may not have to deal with someday. Is this mindset changing?
Dixon: Yes, I hope it is clear to network administrators that IPv6 is finally deployable. But there are different scenarios. For example, it can be used only on the internal LAN, to communicate between peers on the same switch. Or some hosts can be IPv6-accessible while others are not (using dual-stack hosts). Network admins should definitely review Tony Hain's analysis that indicates new IPv4 address allocations may not be available in as soon as five years. So large organizations simply must start planning the transition.
IT admins in the United States have probably heard that the U.S. Department of Defense and federal government have mandates to buy IPv6-capable systems and to transition to IPv6-capable networks within a few years. Windows XP SP2, Windows Mobile 5.0, and Mac OS X support IPv6 now, though not all platforms support a full IPsec implementation. A deployable IPsec implementation for IPv6 should be in Windows Vista. So administrators will start seeing IPv6 on their network soon if it isn't already there.
I also would expect software developers to realize they have to make their applications IPv6-capable and thus have an IPv6 environment for testing. Microsoft has published the Checkv4.exe tool for developers to check whether IPv4 dependencies exist in their source code. It is not sufficient to just test between two IPv6 peers on the local link. They should test with routed native IPv6-to-IPv6 and the major transition scenarios of 6to4, ISATAP, and Teredo (if home users are intended to use the software). Microsoft has said they plan to make IPv6 active and preferred by default in Windows Vista. So they should pay particular attention to this in their testing of the Vista beta release. Microsoft recommends home gateways have 6to4 on by default. So both host and network admins are going to have to spend the time to understand the basics, just like they understand how to provide and manage IPv4 connectivity today. This would include VPN remote access. There is an opportunity now to avoid the cost and management burden of VPN tunnels by using native IPv6 IPsec capabilities. But it will take some planning to achieve the same level of safety with IPv6 IPsec.
Companies with personnel traveling to Asian countries should expect to ramp up on IPv6 faster. When your employee is trying to connect from a hotel in Tokyo, for example, they may get an IPv6 address instead of an IPv4 address. This means IT admins are going to have to test the IPv6 compatibility of applications and internet services used on laptops, PDAs, and tablet PCs, and contact their software vendors about IPv6 compatibility. They will also need to train the Help Desk personnel to recognize this situation. Imagine all the networked equipment, wireless internet, and cellular service needed for staff, participants, facilities, and attendees at the 2008 Beijing Olympics where IPv6 will be dominant.
Tulloch: If large enterprises are starting to consider IPv6 deployments, what about small and mid-sized businesses? Are they facing any pressure to deploy IPv6?
Dixon: I don't think small companies have any special pressure to deploy other than what I mentioned above. But because their networks are less likely to be managed, they are more likely to be using IPv6, at least between peers on the local LAN. The transition should be seamless if the applications aren't IPv4 dependent. Sometimes you will get an IPv4 address; sometimes you get an IPv6 address; hopefully you won't care.