A thought about the speed of IPv6 deployment

November 3, 2007

The following thought about the push for IPv6 deployment struck me recently, so I'm going to dump it here.

One of the problems with IPv6 is that its major benefit is to expand the available address space, and the expansion of address space doesn't benefit people who are already on the Internet. Instead they are being asked to do a great amount of work for the benefit of other people, which rarely goes down very well.

(The people who are already on the Internet by and large already have address space; it is the people not yet on the Internet who may not be able to get it.)

One way to reduce the amount of work necessary and thus make IPv6 more likely is to have a genuinely IPv6 ready environment. By this I don't mean things that can in theory do IPv6 if you really want to find lurking problems, I mean things that are ready to do it at the flip of an option, and do it just the same as IPv4, so that adding IPv6 is a transparent thing that you don't have to think about.

(For example, if your 'IPv6 capable' firewall is not defaulting to giving you exactly the same restrictions on IPv6 traffic that you are configuring for IPv4 traffic, it is not IPv6 ready in this sense, because you would have to write and test a bunch of new firewall rules if you added IPv6. And just how are you supposed to take a current NAT-based architecture and move it to IPv6? (Hint: 'stop doing NAT' is not an answer that will get you very far in the field.))

That systems today are not like that is why I think that IPv6 is not going to happen any time soon. In fact, I think you can extrapolate the timing from system replacement schedules, so I don't expect IPv6 to get very much traction much until five or six years after everything you buy will be IPv6 ready. (And that will just be the start of things, since many bits of hardware and software live far longer than six years.)

Of course there is a chicken and egg problem here, because making things IPv6 ready takes a bunch of work and it is stupid to do that work if customers aren't demanding it. Especially when the effects of some IPv6 issues may not be fully understood until people start using it at Internet scale in the field (for example, the effect of pervasive endpoint IPSec on current firewall and IDS/IPS technology and policies).

Written on 03 November 2007.
« Note to self: check for gigabit Ethernet
Thinking through salts for passwords »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Nov 3 22:18:41 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.