Wednesday, February 2, 2011

Are IPv4 Addresses Exhausted?

On June 9, 2003 the DoD/OSD CIO issued a memorandum stating that the DoD goal is to complete the transition from IPv4 addresses to IPv6 addresses by FY08 for all inter- and intra-networking. This was necessary to enable the transition of all National Security Systems and the GIG, to be completed by FY07. DISA would act as the Central Registration Authority for all DoD systems.

The directed transition to IPv6 by FY08 never happened except for minor installations.

On September 28, 2010 the Federal Chief Information Officer issued a memorandum stating that “The Federal government is committed to the operational deployment of Internet Protocol IPv6”. * Agencies and Departments of the Federal Government will have to upgrade externally facing servers (such as web services, email, DNS and ISP services) to use IPv6 by the end of FY12. For internal applications that communicate with public Internet servers, the upgrade to IPv6 would be implemented by the end of FY14.

The major benefit to be derived from migration from IPv4 to IPv6 is the much larger address space. IPv6 also offers improved routing and enhanced security, especially in how transactions are handled within Internet routers and switches. For instance, IPv6 reduces the complexity of Internet services by eliminating the reliance on Network Address Translation (NAT) technologies. IPv6 also enables added security services for end-to-end mobile communications.

With the continuous growth of new facilities in DoD, the question is whether IPv4 addresses can be easily converted so that DoD systems will remain completely interoperable and show improved communications performance.

DoD has so far used only about half of all of the IPv4 addresses that have been assigned to it. As of February 2008 there were over 200 million IP addresses still available for DoD, which should maintain communications for a time. ** If DoD proceeds with its adoption of IPv6 it would acquire 42 million billion billion billion IP addresses. That means that DoD would have enough IP addresses to give each grain of sand on earth 90 billion IP addresses. Such a number is nice to have, but the question is whether there are funds available to make the conversions to IPv6 with the urgency that has been dictated.

The alleged shortage of IPv4 addresses is the result of allocations that were made over 30 years ago. For instance, IBM, HP, Apple and Ford each received a block of 16.8 million addresses. Xerox, with only 53,500 employees, "owns" 16.8 million IP numbers. DoD was one of the largest recipients of IP addresses and now has 134.2 million IP numbers.

DoD has now backed off IPv6 implementation even though upgrading from IPv4 to IPv6 would allow for better network mobility, mission expedition and the widespread adoption of Radio Frequency Identification (RFID). *** Although some DoD components have already started migration to IPv6, the differences between applications staying on IPv4 and those communicating using IPv6 will increase the complexity of network software. A mixed environment will require DoD to launch efforts that add interoperability capabilities to all IPv4 locations until such time as all IPv4 addresses are retired.

At this time there are no major funded programs for proceeding with IPv4 conversion on a tight schedule. OSD policy has now saddled all programs, whether they are legacy or new, with the need to acquire additional transformation software and hardware while in transition to IPv6. That will surely take longer than the policies have dictated. Migrating to IPv6 involves much more than just re-setting the protocol options on a single device:

To fix a complex environment, such as in DoD, would require revisions and upgrades throughout the entire network. In addition, exhaustive testing is required. To achieve verified compliance, companies must pass over 450 tests that inspect core IPv6 functionality. *******

Transition hardware and software are available from several vendors, but it is questionable whether the current budgetary limits will permit spending money on projects with only a transitory life. **** To maintain interoperability during the conversion from IPv4 to IPv6, thousands of DoD locations will need a capability to translate IPv4 addresses to more options, as illustrated below.

Address transformation will add complexity to every site that communicates either within DoD or externally.

Meanwhile, implementing IPv6 remains a technically demanding task. Due care must be taken to ensure that existing communications are not impeded as more software is placed into the path of every transaction. GIG IPv6 network performance will also have to improve, especially for auto-configuration, prioritization, converged voice and video, multicast and mobility. A recent survey by Arbor Networks shows the following difficulties with IPv6 implementation: *****

In more than half of the 111 reports from network technicians, inadequate IPv4 vs. IPv6 parity had to be overcome with software fixes.

The global registry of IPv4 addresses, the Internet Assigned Numbers Authority (IANA), indicates further shrinkage of available IPv4 addresses, but by no means exhaustion. Only the organization that assigns Internet addresses to China and to India (APNIC) shows that they will be using up their address pool by the end of 2011. However, with a reallocation from existing poorly utilized address pools elsewhere in the world there are more than adequate IPv4 numbers available globally for an indefinite future.

Meanwhile, Internet Service Providers (ISPs) are already upgrading network switches as well as routers to handle IPv6 addresses in addition to retaining the capacity to process every IPv4 address. Therefore, the availability of dual handling of addresses does not impose on DoD any short-term urgency to achieve IPv4 to IPv6 conversions.

IPv4 allows 32 bits for the Internet Protocol address and supports 4.3 billion addresses. IPv6 uses a 128-bit address and supports a practically infinite number of addresses. As of the end of 2010 only 533 million unique IP addresses have been assigned. ****** Though the USA currently has 26.4% of the global IP population, it has obtained more than 50% of the IP addresses, while the quickly growing China is exhausting its allocation. Clearly, there are enough IP addresses, on the average, except that they have been misallocated. An immediate rush into IPv6 cannot therefore be justified, provided that IANA can take corrective actions.

Given poor progress in IPv6 implementation, DoD contractors will have every incentive to continue enhancing IPv4 capabilities rather than working on the conversion to IPv6.

IPv6 is not necessarily more secure than IPv4, provided that added security fixes are installed. Security features are now available for IPv4 from a number of sources. From the standpoint of DoD applications there will be few practical differences in security protection if the fixes are implemented. Therefore, keeping IPv4 in place makes sense unless DoD decides to proceed with a full implementation of RFID, which is not the case right now on account of enormous initial costs.

There is another option open: the IPv6 Native Dual Stack solution, now in testing. It allows access to services natively over both IPv6 and IPv4. Users do not need to use any IPv6 or IPv4 tunneling, translating, or NAT solutions. Access to both IPv6 and IPv4 can take place directly at high speed. When the Dual Stack solution is ready, DoD may save money by avoiding costly software fixes.
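Running both protocols side by side still puts work on software that makes address-based decisions: a dual-stack listener can report an IPv4 client as an IPv4-mapped IPv6 address (::ffff:a.b.c.d), which a family-unaware allowlist check will not match. The sketch below is an added example, not part of the original post; the function names are hypothetical and the addresses are constructed from documentation prefixes.

```python
import ipaddress

# Constructed allowlist (documentation prefixes, not real allocations).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]


def naive_allowed(peer: str) -> bool:
    """Family-unaware check: uses the address exactly as the socket reported it."""
    addr = ipaddress.ip_address(peer)
    # An IPv6 address is never "in" an IPv4 network, so a mapped address
    # falls through even when the IPv4 address it carries is listed.
    return any(addr in net for net in ALLOWLIST)


def normalize(peer: str):
    """Unwrap an IPv4-mapped IPv6 address to the IPv4 address it carries."""
    addr = ipaddress.ip_address(peer)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def allowed(peer: str) -> bool:
    """Dual-stack-aware check: normalize first, then compare within one family."""
    addr = normalize(peer)
    return any(addr.version == net.version and addr in net for net in ALLOWLIST)


# Constructed peer addresses as a dual-stack service might log them.
PEERS = [
    "192.0.2.10",           # IPv4 client on an IPv4-only socket
    "::ffff:192.0.2.10",    # same client seen through a dual-stack socket
    "2001:db8::5",          # native IPv6 client
    "::ffff:198.51.100.7",  # unlisted IPv4 client, mapped form
]


def audit(peers):
    """Return (peer, naive result, normalized result) for each address."""
    return [(p, naive_allowed(p), allowed(p)) for p in peers]


if __name__ == "__main__":
    for peer, naive, fixed in audit(PEERS):
        print(f"{peer:22} naive={naive!s:5} normalized={fixed}")
```

The same normalization matters for deny rules and log correlation: without it, one client appears under two different addresses depending on which socket accepted the connection.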

Despite high-level policy mandates promulgated in 2003 and in 2010, the IPv4 to IPv6 conversions will not happen very soon. It will require a redirection of how future DoD networks will be upgraded before DoD internal and external networks can start communicating using identical address formats.

The best choice for DoD is to proceed with the adoption of IPv6 as a requirement for any upgrades rather than to confront every Component with fixed immediate deadlines.

****** Akamai State of the Internet, 2010.