The adoption of IPv6 takes place in stages, and each stage has its own technological prerequisites. The journey progresses from an IPv4-only network to a dual stack network and then to an IPv6-only network. To run an IPv6-only network, you will have to handle numerous challenges that may be quite distinct from those you face on a dual stack or an IPv4 network. So the IPv6 adoption process is definitely not a cakewalk, and it may be made complex by several factors: a faulty or poor understanding of the effects of technological change, a lack of senior leadership to control the process across the various teams, a lack of fundamentals such as training and education, a lack of planning, and a host of financial and technical reasons.
In the IPv4-only stage, right at the start, companies need to deal with IPv6 even though they may be running an IPv4 network. This is because all key operating systems today are installed for dual stack, which means that IPv6 is on by default. Moreover, every key operating system will prefer IPv6 when it is available. The only thing actually needed to make IPv6 operational is a router advertisement (RA). Furthermore, the existing IPv4-only devices have no idea that any of this is happening, and IPv6 traffic can be tunnelled seamlessly over IPv4.
There are therefore many things you need to put in place on an IPv4-only network in order to secure it and make it ready for IPv6.
- To begin with, you must put in place First Hop Security (FHS) measures for IPv6 to make sure that a misconfigured device cannot put its RAs on the Ethernet Layer 2 segment.
- You must have proper inspection systems for monitoring the IPv6 traffic.
- You need to establish link-local network addresses for identifying equipment in the monitoring system.
- You must insert blocking ACLs as well as firewall rules for IPv6, and block ICMPv6 traffic as well as IPv6 traffic.
- You need to inspect the IPv4 traffic.
- You must also modify the DDI (DNS, DHCP and IPAM) platform so that it responds with IPv4 values for DHCP and DNS.
- IPv6 has to be removed from Linux system kernels.
- For guest wireless or wired networks, you need to put specific segmentation in place to prevent peer-to-peer IPv6 traffic.
The requisites above are protective measures that you need to adopt to ensure that you are running an optimal IPv4 network. It is important to run many IPv6-enabled functions precisely so that no IPv6 traffic on your network can leave for external networks. Regardless of the measures you adopt to stop IPv6 from appearing on the network, it is bound to run, because there is always some guest printer or operating system trying to use IPv6. At that point your network ceases to be an IPv4-only network and becomes a dual stack network.
The technologies that you control in the IPv4-only network are centered primarily on security, firewalling and the like, and you want to identify when IPv6 is present in order to block it. You will also want to stop someone from running IPv6 and taking over your hosts, that is, a situation where someone sets up a rogue IPv6 router that sends out RAs on a network segment. To handle this, you can either use FHS measures from certain manufacturers or create ACLs to protect your own network segments. You will also need alerting enabled so that you can identify when a specific device is trying to send RAs. For those who are using Windows Server or RRAS, their servers will send out RAs automatically. They will need to disable this RRAS function, which is not always possible. In that case the RAs have to be blocked on the routers to stop other hosts from seeing them.
To detect critical traffic that leaves your network, you will need a firewall platform or content filter. It must have IPv6 support and the ability to check multiple tunnel layers so as to determine whether IPv6 is being used or not. It must also be configured to stop native IPv6 traffic. Alerts must be produced wherever IPv6 traffic has global unicast or non-link-local addresses. You may even need to introduce specific filters for suppressing alerting; this depends on the network segments you watch.
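The alerting described in the two paragraphs above, shown as an added example that is not part of the original article: it flags Router Advertisements, IPv6 traffic with non-link-local addresses, and IPv6 carried inside IPv4, with an optional suppression list per segment. The flow-record field names, the suppression list and the use of IP protocol 41 and Teredo's UDP port 3544 as tunnel indicators are assumptions made for this example, and only the outer header is inspected.

```python
import ipaddress

ICMPV6_RA = 134         # ICMPv6 type for Router Advertisement
PROTO_6IN4 = 41         # IPv4 protocol number carrying encapsulated IPv6
TEREDO_UDP_PORT = 3544  # UDP port used by Teredo tunnelling

# Constructed flow records; the field names are hypothetical.
SAMPLE_FLOWS = [
    {"src": "fe80::1", "dst": "ff02::1", "proto": "icmpv6", "icmp_type": 134},
    {"src": "fe80::aa:1", "dst": "ff02::1:ff00:1", "proto": "icmpv6", "icmp_type": 135},
    {"src": "2001:db8::10", "dst": "2001:db8:ffff::1", "proto": "tcp"},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": "ip", "ip_proto": 41},
    {"src": "192.0.2.11", "dst": "198.51.100.8", "proto": "udp", "dport": 3544},
    {"src": "192.0.2.12", "dst": "198.51.100.9", "proto": "tcp", "dport": 443},
]

def classify(flow, suppressed=()):
    """Return an alert label for one flow record, or None."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src.version == 4:
        # IPv6 carried inside IPv4: look at the outer header only.
        if flow.get("ip_proto") == PROTO_6IN4:
            return "tunnel-proto41"
        if flow.get("proto") == "udp" and flow.get("dport") == TEREDO_UDP_PORT:
            return "tunnel-teredo"
        return None
    # On an IPv4-only segment every RA is unexpected, whatever its source.
    if flow.get("proto") == "icmpv6" and flow.get("icmp_type") == ICMPV6_RA:
        return "router-advertisement"
    nets = [ipaddress.ip_network(n) for n in suppressed]
    for addr in (src, dst):
        # Link-local and multicast chatter is normal for dual-stack hosts.
        if addr.is_link_local or addr.is_multicast:
            continue
        if any(addr in net for net in nets):
            continue  # segment where alerting is deliberately suppressed
        return "non-link-local-ipv6"
    return None

def scan(flows, suppressed=()):
    """Return (source address, alert label) for every flow that alerts."""
    labelled = ((f["src"], classify(f, suppressed)) for f in flows)
    return [(src, label) for src, label in labelled if label]

if __name__ == "__main__":
    for src, label in scan(SAMPLE_FLOWS):
        print(f"ALERT {label:22} src={src}")
```

Passing `suppressed=["2001:db8::/32"]` to `scan` silences the non-link-local alert for that prefix while Router Advertisements and tunnel indicators still alert.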
In the dual stack stage, you will require transition methods for all those systems which stick to IPv4-only because of protocol. Not all systems in the network will support IPv6. When a system does not support it, you can tunnel IPv6 within IPv4 until you find replacements for the equipment. Otherwise, you will need a translation technology. The dual stack will consume more memory, bandwidth and processing power than a single IP stack. It demands extensive testing, and you must provide training and education for troubleshooting and for validating application and protocol behavior on such a network.
Finally, you should know your requisites in a dual stack network to make it optimum for an IPv6-only network. As with the IPv4-only network, you first have to put the FHS measures in place, followed by inspection systems to monitor IPv6 traffic.