Quickest IPv6 migration route is dual-stack followed by IPv6-only
Microsoft and other big IT firms are busy migrating their internal networks to IPv6-only. Migration invariably entails using a dual-stack configuration as an intermediate step, then gradually whittling out IPv4. "After a while we stopped calling IPv6 the new protocol, and started referring to IPv4 as the old protocol."
The essential reason why network-intensive IT firms are switching to IPv6-only is, of course, that they're running out of IPv4 addresses. However, the issue is considerably more complex than the availability of public (i.e. routable) IPv4 addresses. For example, Microsoft's IT department had to transfer all its IPv4 addresses to the Azure group back in 2011. That was necessary because external customers' cloud-based systems and services all needed to have public IPv4 addresses for user access. In the end, however, even the private 10.0.0.0/8 address space, with its 16 million addresses (combined with NAT44) wasn't big enough to support all Microsoft's internal systems and users. Half of that address space is now used by Microsoft for the internal systems on the Azure network. The other half is available to the 220,000 in-company users and their equipment. But those users are distributed across eight hundred locations scattered around the world. So eight million addresses is actually a meagre number, because much of the address space is 'lost' as a consequence of division into practically routable subnetworks.
Routability is also the reason why buying more IPv4 addresses isn't a sustainable solution for big organisations. Addresses are available at prices that hover around 25 dollars per address, but only in small blocks. Small blocks mean long and complex routing tables and cumbersome address management. For example, Microsoft uses an IPv6 prefix for each continent, so that it's immediately clear what part of the world an address relates to. And the company needs contiguous address blocks in order to create large virtualised test environments. Another problem with using the shared 10.0.0.0/8 address space is that conflicts arise when acquired companies need to be integrated. In some situations, an acquired company's entire IPv4 infrastructure may need to be renumbered. Carrier-grade NAT (CGNAT) -- a two-layer NAT set-up -- is currently popular with big access providers. However, we don't know of any large corporations or government agencies that use it, because it would have a serious detrimental effect on the reachability of internal users. Although a few private organisations have their own /8 address blocks, that was very unusual even in the early days of the modern internet. On IANA's current IPv4 address list, the only /8 assignees are AT&T, Apple, Ford, PSINet (now Cogent), Daimler and the US Postal Service, all of whom received their blocks in the early nineties.
Phase-out of IPv4
As well as ending the routing and overlap problems faced by corporations like Microsoft, IPv6-only ultimately fixes another significant issue: technical staff often complain that a dual-stack infrastructure requires twice as much management as a single stack set-up. After all, many security and problem-resolution activities have to be duplicated. And that obviously has cost implications. Naturally, all that complexity disappears when you scrap your internal IPv4 network. In order that your users can go on accessing IPv4-only servers on the internet, a 464XLAT gateway has to be installed, as described in this article. Such set-ups are popular with large telecom operators in emerging nations, because they enable tens or hundreds of millions of mobile users to be provided with internet access.
Other major users who have opted for IPv6-only internal network strategies include Google, Facebook [1, 2] and LinkedIn [1, 2, 3, 4, 5]. "For us, it's not so much about pushing IPv6 as getting rid of IPv4," says Franck Martin, responsible for IPv4-to-IPv6 transition at LinkedIn. Once all systems are running on a dual-stack basis, IPv4 can be whittled out of the organisation. Within LinkedIn's IPv6 (AAAA) team, that's the responsibility of IPv4 disposal experts. All IPv6 transitions within large organisations follow much the same pattern: first the organisation goes from IPv4 to dual-stack. Then all traffic is switched to IPv6, and finally IPv4 can be phased out. New systems and networks created during the transition are, where possible, IPv6-only from the start.
Software and services
One potential stumbling block that requires attention is software support for IPv6. At LinkedIn, IPv6 access to dual-stack systems running incompatible software is prevented by not publishing a corresponding AAAA record, since a published AAAA record would mean IPv6 was always preferred. On LinkedIn's website you can read how they set up two parallel networks with a view to facilitating subsequent IPv4 phase-out, without the IPv6 network having to be encrypted. The approach involves using a shared IPAM for both IP networks. Software developers are now obliged to remove IPv4 dependencies from their code, and that involves putting some developers in IPv6-only environments. Systems and applications are tested in the same way: by disabling IPv4. On its website, Facebook explains how internal IPv6-only data centres are made accessible to external service users using IPv4. Incoming connections are routed via a combined proxy/load-balancer with a two-layer architecture: an IP layer, followed by an HTTP layer. The set-up means a comeback for the Demilitarised Zone (DMZ).
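As an added example (not code from the article, LinkedIn or Facebook), the following heuristic lint flags the Python constructs that most often tie an application to IPv4 and would break it in an IPv6-only test environment; the regexes and the sample source it scans are constructed for illustration.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    reason: str
    text: str


# Constructs that make Python networking code IPv4-dependent. Each entry is
# a regex plus the explanation written into the report. Heuristic only:
# a dotted quad in a version string or a '#' inside a string literal
# can produce false positives or hide a match.
IPV4_PATTERNS = [
    (re.compile(r"\bAF_INET\b"), "AF_INET: use AF_INET6 or getaddrinfo()"),
    (re.compile(r"\binet_(aton|ntoa)\b"), "inet_aton/inet_ntoa handle IPv4 only"),
    (re.compile(r"\bgethostbyname(_ex)?\b"), "gethostbyname() returns IPv4 addresses only"),
    (re.compile(r"\bsocket\.socket\(\s*\)"), "socket() without a family defaults to AF_INET"),
    (re.compile(r"(?<![\w.])(\d{1,3}\.){3}\d{1,3}(?![\w.])"), "hard-coded IPv4 literal"),
]


def find_ipv4_dependencies(source: str) -> List[Finding]:
    """Return one Finding per (line, pattern) hit, ignoring trailing comments."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        code = text.split("#", 1)[0]  # crude comment strip
        for regex, reason in IPV4_PATTERNS:
            if regex.search(code):
                findings.append(Finding(lineno, reason, text.strip()))
    return findings


# Constructed sample of legacy application code to scan.
SAMPLE_SOURCE = """\
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.1.2.3", 443))
addr = socket.gethostbyname("intranet.example")
t = socket.socket()
for ai in socket.getaddrinfo("intranet.example", 443):  # family-agnostic, fine
    pass
u = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)  # fine
"""

if __name__ == "__main__":
    for f in find_ipv4_dependencies(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.reason}\n    {f.text}")
```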
Now's the time to start
The big corporations mentioned above have several things in common: they adopted an IPv6-only strategy years ago, migration is still ongoing, and the process has several more years to run. The implication? If you put off switching until your IPv4 situation becomes problematic, you'll be too late.