Posted on Jun 6th, 2012 by Eric Ogren

Are you ready for this? It is just not becoming more commonly seen even though it has been around since 1999. That is what an IPv6 address looks like, and you are in good company if you believe the new IP address format will break custom scripts and firewall management spreadsheets and cause integration headaches as you evolve to the new world of IPv6. June 6th marks World IPv6 Launch day (http://www.worldipv6launch.org/ and http://www.ipv6actnow.org/), which will showcase major service providers demonstrating IPv6 connectivity between thousands of network devices. While there are definite functionality benefits of IPv6 networking, the main reason for its existence is the need for more IP addresses than can be supported under IPv4. In fact, it is the need to express 340,282,366,920,938,463,463,374,607,431,768,211,456 unique addresses that results in a longer hex address syntax, and that syntax will cause the most compatibility troubles for your existing IPv4-based network and security management tools.

For all of you, the transition to IPv6 is a process that is going to take years. You simply have too many network devices and servers running the business for any kind of rapid switch-over to be pragmatic. That means you will be dual stacking IPv4 and IPv6 in your environment, with address schemes that are not directly compatible.

Attention to detail in network and security management tools will save you significant pain later. Imagine those first calls to the IT service desk with errors induced by IPv6 addresses that are too long to read accurately over the phone, compounded by tools that do not easily accommodate both IPv4 and IPv6 requirements! You can avoid those invigorating moments of pandemonium by ensuring that your firewall and network management tools properly handle IPv6:

Require all new devices to support IPv6. Clearly specify IPv6 support in RFPs and include dual stacking requirements in all proof of concept projects. You cannot afford to have software, servers, or communications equipment in your network that cannot participate when the business mobilizes towards IPv6.

Switch to automated management tools. Many of you still maintain relationships between IPv4 addresses in spreadsheets and use custom scripts to help perform administrative activities. You can certainly invest in upgrading your home-grown capabilities, but now is a good time to investigate alternatives. Debugging spreadsheets of IPv6 and IPv4 addresses, along with dynamic access rules and relationships, is notoriously difficult and complex. There are tools such as that shown by Tufin that can help you evolve smoothly to IPv6.

Detect IPv6 servers and objects as they come online. This is actually a tool requirement that is important enough to call out separately. You will need to be able to automatically detect and locate IPv6 elements as they come online, and then check firewall rules and access control lists to ensure connectivity and adherence to security policy. You should be looking to automate detection and policy compliance checking to ensure seamless evolution of connectivity without opening the business to the risk of a disclosure incident.
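To make the spreadsheet and policy-check points above concrete, here is an added example (not from the original post or from any vendor tool) that parses a mixed IPv4/IPv6 inventory into canonical form and reports which entries no allow rule covers. The host names, inventory rows and allowed prefixes are constructed for illustration; the only value taken from the post is its sample IPv6 address.

```python
import ipaddress

# Constructed sample data: inventory rows as they might appear in a
# spreadsheet export, and a hypothetical dual-stack allow list.
INVENTORY = [
    ("web01", "192.0.2.10"),
    ("web01", "FDFE:DCBA:9876:0002:020E:0CFF:FEE4:2EE6"),  # uncompressed, upper case
    ("db01", "fdfe:dcba:9876:2::15"),
    ("app02", "::ffff:192.0.2.44"),                # IPv4-mapped IPv6
    ("lab07", "fdfe:dcba:9876:9:20e:cff:fee4:1"),  # outside every allowed prefix
    ("old03", "192.0.2.300"),                      # typo in the spreadsheet
]
ALLOWED = ["192.0.2.0/26", "fdfe:dcba:9876:2::/64"]


def canonical(text):
    """Parse either address family; fold IPv4-mapped IPv6 back to IPv4."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def audit(inventory, allowed):
    """Return (covered, uncovered, invalid) lists of (host, value) pairs."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    covered, uncovered, invalid = [], [], []
    for host, raw in inventory:
        try:
            addr = canonical(raw)
        except ValueError:
            # Unparseable cell: report it rather than silently skipping it.
            invalid.append((host, raw))
            continue
        # Compare only against networks of the same address family.
        hit = any(addr.version == n.version and addr in n for n in nets)
        (covered if hit else uncovered).append((host, str(addr)))
    return covered, uncovered, invalid


if __name__ == "__main__":
    labels = ("covered", "uncovered", "invalid")
    for label, rows in zip(labels, audit(INVENTORY, ALLOWED)):
        for host, value in rows:
            print(f"{label:9} {host:6} {value}")
```

Comparing parsed address objects instead of text is what lets the upper-case, zero-padded spelling of an address match the same rule as its compressed form, a case that plain string matching in a spreadsheet or script gets wrong.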

There can no longer be any question that IPv6 is coming. The original allocations of IPv4 addresses expired in February, 2011 and the present system of recycling used IP addresses cannot be sustained forever. Deriving and executing a strategy for the evolution to IPv6 is something that all organizations should be involved in. Instituting administrative processes with modern security and network management tools is a critical first step in ensuring a smooth transition for the business and compliance with network security policy in an IPv6 world. fdfe:dcba:9876:2:20e:cff:fee4:2ee6 is coming - get ready!