In 2001, I attended a RIPE training in Copenhagen where they showed us the estimated timeline predicting when IPv4 address space would reach depletion. They mentioned the “new and fancy” IPv6 protocol. When I returned from the training, I started to lab with 6Bone and moved over to SIXXS after a while. At this time, we only had one auth DNS and one mailserver with IPv6 capabilities, and only about one mail per month was delivered via IPv6. There was no pressing need for IPv6 this early, except that my employees and I could learn it and make mistakes without any disturbance for us or our customers. The only real content over IPv6 at this time was the dancing turtle.
In 2007 we received native IPv6 from our ISP (AS16117) and it has worked well since then. My company, Interlan, has been an early adopter of IPv6 for many years and all our internal network and public services are dual-stacked. We work in the middle of the Internet industry as an ISP with hosting and consulting for enterprises. Our opinion is that the Internet can’t scale any longer and be secure and stable with IPv4 and more and more NAT44, NAT444, etc.
Here is my advice to anyone who wants to enable IPv6 in their network with a static configuration from an ISP:
- Make sure the ISP is ready with the setup (e.g. ping from the firewall’s inside interface to confirm that the routing is correct).
- Create every firewall policy in advance.
- Manually configure servers that need static addresses and let the others use dynamic addresses. In a Windows AD environment it’s almost only the DC, DNS and mail servers that need static addresses; the rest can use dynamic address assignment.
- When the setup above is ready and you need it, add AAAA RRs in DNS to activate IPv6 on public services such as a webserver.
You will find out that it isn’t hard to make it work if you know your IPv4.
Today, it is extremely important to enable IPv6 correctly. Global IPv6 adoption is about to reach 20% according to Google’s measurements, and you can’t afford to not be connected to the whole Internet. Hosts, firewalls, DNS, etc. must all be configured correctly.
In Sweden, we unfortunately have a common problem with broken IPv6 at public authorities that think they have set it up correctly, but whose IPv6 doesn’t work properly. Even though Sweden has only 4.57% IPv6, that is a huge problem for citizens trying to reach those authorities. The best solution for that kind of problem is to enable IPv6 all the way through the internal network, not only on the public servers. Internal users are the best monitors.
When you have enabled IPv6:
- Don’t be surprised when you see that more than 50% of your Internet traffic will be IPv6.
- Remember to have the same security functions for IPv6 as for IPv4. Antivirus, web filter, IPS and application control should work for IPv6 as well.
- Test your firewall rules so that ICMPv6 Packet Too Big (PTB) messages can reach your webserver.
- Disable IPv4 on your workstation and connect to your website to see where there are IPv4 dependencies.
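As an added example (not code from the original post), here is a small Python script that automates the last check above: it collects every host a web page references via src/href/action and flags those without an AAAA record, i.e. the resources an IPv6-only client can never fetch. The sample page, its hostnames and the stand-in resolver are constructed for the example; `has_aaaa` performs a real DNS lookup when no resolver is injected.

```python
"""Find IPv4-only dependencies of a web page: every host referenced by the
page that has no AAAA record breaks for clients with IPv4 disabled."""
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse


class _HostCollector(HTMLParser):
    """Collect hostnames from src/href/action attributes of every start tag."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host.lower())


def referenced_hosts(html, page_host):
    """All hosts the page pulls resources from, plus the page's own host."""
    parser = _HostCollector()
    parser.feed(html)
    return parser.hosts | {page_host.lower()}


def has_aaaa(host):
    """Real resolver: True if the host has at least one IPv6 address."""
    try:
        return bool(socket.getaddrinfo(host, None, socket.AF_INET6))
    except socket.gaierror:
        return False


def ipv4_only_dependencies(html, page_host, resolver=has_aaaa):
    """Sorted list of referenced hosts lacking AAAA; resolver is injectable for offline tests."""
    return sorted(h for h in referenced_hosts(html, page_host) if not resolver(h))


# Constructed sample page with hypothetical hostnames (not from the original post)
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<script src="//analytics.example.org/track.js"></script>
</head><body><img src="/images/logo.png">
<a href="https://www.example.com/contact">Contact</a>
<form action="https://legacy-forms.example.com/submit"></form></body></html>"""

# Constructed stand-in for DNS: which hosts have AAAA records
SAMPLE_AAAA = {"www.example.com": True, "cdn.example.net": True,
               "analytics.example.org": False, "legacy-forms.example.com": False}

if __name__ == "__main__":
    for host in ipv4_only_dependencies(SAMPLE_HTML, "www.example.com",
                                       resolver=lambda h: SAMPLE_AAAA.get(h, False)):
        print("IPv4-only dependency:", host)
```

Run it against a real page's HTML with the default resolver to see which third-party resources would still be missing after your own AAAA records are in place.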
But do you really need dual stack in your enterprise? Can’t you use NAT64 instead of NAT44? I wrote an earlier blog post here about that. I run default native IPv6 with NAT64 in my office now, and it works consistently, and for a “normal user” there should be no problems at all.