Of course, I realize the need to go to IPv6 out on the open Internet since we are running out of addresses, but I really don't understand why there is any need to use it on an internal network. I have done zero with IPv6, so I also wonder: Won't modern firewalls do NAT between internal IPv4 addresses, and external IPv6 addresses?
I was just wondering since I have seen so many people struggling with IPv6 questions here, and wonder why bother?
There is no NAT for IPv6 (as you think of NAT anyway). NAT was an $EXPLETIVE temporary solution to IPv4 running out of addresses (a problem which didn't actually exist, and was solved before NAT was ever necessary, but history is 20/20). It adds nothing but complexity and would do little except cause headaches in IPv6 (we have so many IPv6 Address we unabashedly waste them). NAT66 does exist, and is meant to reduce the number of IPv6 addresses used by each host (it's normal for IPv6 hosts to have multiple addresses, IPv6 is somewhat different than IPv4 in many ways, this is one).
The Internet was supposed to be end-to-end routable, that is part of the reason IPv4 in invented and why it gained acceptance. That is not to say that all address on the Internet were supposed to be reachable. NAT breaks both. Firewalls add layers of security by breaking reachability, but normally that it's at the expense of routability.
You will want IPv6 in your networks as there is no way to specify an IPv6 endpoint with a IPv4 address. The other way around does work, which enables IPv6-only networks using DNS64 and NAT64 to access the IPv4 Internet still. It's actually possible today to ditch IPv4 all together, though it's a bit of hassle setting it up. It would be possible to proxy from IPv4 internal addresses to IPv6 servers. Adding and configuring a proxy server adds configuration, hardware, and maintenance costs to the network; usually much more than simply enabling IPv6.
NAT causes it's own problems too. The Router has to be capable of coordinating every connection running through it, keeping track of endpoints, ports, timeouts, and more. All that traffic is being funneled through that single point usually. Though it's possible to build redundant NAT routers, the technology is massively complex and generally expensive. Redundant simple routers are easy and cheap (comparatively). Also, to re-establish some of the routability, forwarding and translating rules have to be established on the NAT system. This still breaks protocols which embed IP addresses, such as SIP. UPNP, STUN, and other protocols were invented to help with this problem too - more complexity, more maintenance, more that could go wrong.
Running out of internal (rfc1918) ipv4 addresses can also be a very valid reason to go ipv6.
Comcast explained at Nanog37 why they were going ipv6 for their management addresses.
And this is only for video, not data/modems.
They exhausted the RFC1918 pools in 2005. Then they used public addresses pools (as nat isn't an option for management), and went ipv6 to solve their needs.
Couple of reasons:
IPv6 doesn't support broadcasting. It is replaced with multicasting. Broadcasting enables one node to send traffic to all nodes on a subnet. Management of broadcast domains is a major issue with keeping large IPv4 networks running fast and smoothly. Multicasting requires that nodes that want to receive "broadcast"-style actually "sign-up" for it, so the network isn't flooded with traffic that hits all hosts.
IPv6 supports IPsec style encryption natively.
IPv6 supports autoconfiguration. It's possible for hosts behind a router to configure themselves without the need for DHCP, although you still need a DHCP server to hand out DHCP options such as DNS server, TFTP server, etc.
My old job, at a large University, would use an IPv6 allocation internally. They were assigned an IPv4 /16 back in the day and even today is passing out IPv4 addresses to nearly every internal client. The RFC1918 networks were restricted to the telecom-only network and certain specialized usages (the PCI standards required RFC1918 usage until October 2010).
Because of this, they were actively planning to use IPv6 internally as well. There were some hardware issues still to work out, the edge switches weren't supporting v6 well enough, but the core was ready. The idea was that getting v6 support at the publicly visible end (okay, the publicly responsive end) of the network would involve 70% of the work to deploy it to everyone, may as well do the extra 30% and go end-to-end with it.
Having lived with a public IP allocation for so long, our people were very aware of the adage: "just because it is public, does not mean it is reachable." As Chris S said, routeable does not imply reachable.
That is why at least one class of organization would deploy IPv6 internally: because they're already using non-RFC1918 IPv4 internally.
Working for a small company I can only think of reasons NOT to use IPv6.
It just doesn't make sense for a company like ours to make the change, as it would take considerable expense and effort with absolutely nothing to gain from it.
Quite frankly, I like NAT and the benefits we get from dealing with local addresses. If it ever becomes necessary (as opposed to being a geek want-to-do) for us to interact with IPv6 on the Internet we'll do so at the gateway.
I'm not expecting this current IPv6 fad to become a necessity for the very vast majority of the world, internally at least, for a decade or more. As I expect to be retired by then there's not a whole lot of incentive for me personally to waste time and effort on it.
Edit:
I'm getting downvotes but not a single logical and sensible opposing view. Makes me think it's just a bunch of bandwagon jumping geeks who want to follow the trend without thinking about it. There has to be a REASON to make such a drastic change to a network and I don't have one. Further, I strongly suspect only a very few SF users do have one.
IPv6 does offer some potential real-world improvements over IPv4, such as a simpler auto-configuration and auto-discovery mechanism, it's also safer in the sense that it becomes unfeasible for malware to replicate across a network by port-scanning an IP range -- there are just too many IPs. But those improvements aren't particularly dramatic, and certainly not worth the switching cost.
But note that it's not an either/or decision, you can run both in parallel, and if you develop software, you probably should, as many people have mentioned, for testing purposes. There's no reliable way to make a program IPv6-compatible without having an internal IPv6 infrastructure to test on. Most modern OSes will set up an internal IPv6 network automatically between them -- it's just a matter of using it.
10 years ago I built a bit of software for an employer customers use to fetch program updates. When building the network component, I had to decide between building in IPv6 compatibility, or just assuming all IP addresses will be 4 bytes. I decided to take the simple route, saving myself about 4 hours of work, and made the application IPv4-only. I figured it would be replaced in a few years anyway. They're still using it today, and are therefore locked out of some smaller markets.
We are talking two things here - running internal network on pure IPv6 or running IPv4/IPv6 dual-stack. I think it is premature to talk about running pure IPv6 - on many operating systems it is even impossible using IPv6 without IPv4. However, you may consider running dual-stack for the following reasons (a) if you develop software (b) in order to prepare your network for inevitable migration to IPv6. If you situation is A then you should act now, if it is B then by my estimate you have about 1-2 years to think about it (but the sooner you start the more prepared you will be).
My situation is A and we are running dual-stack for 6 month now. During this time we identified and solved some issues with our public/private DNS, address allocation, DHCP, routing, firewalling and we could not even anticipate many of these issues without trying. Now, we are fully IPv6 ready and we even have IPv6 public access via tunneling. From my experience I can say with confidence that IPv6 is much simpler and more elegant solution in comparison to ageing IPv4, so I'll be very happy when time comes to switch to IPv6, but before this time comes - dual-stack is the way to go.
Aside from lager address space, absence of broadcast, IPSec and simpler auto-configuration there are some "not so known" advantages of IPv6:
Bigger address space means that address has more bits that can be used as data storage. For example hop-count between two nodes then can be a function of their IPv6 addresses e.g.:
IPv6 address can be in format
PREFIX:Country&Region:DC&Line:Rack&Unit:VM&ID
so closer nodes will have more Most-Significant-Bits same. This is just an example, of course "closeness" metrics could be stored in some kind of external database like DNSTXT|SRV
records.There are some techniques of using address space of IPv6 for cryptographic purposes such as Cryptographically Generated Addresses (CGA) and SEND (SEcure Neighbor Discovery)
When IPv6 is enabled all nodes in network have link-local IPv6 address(if not configured otherwise). So there is a chance that you can access even mis-configured node.
You can get nodes' MAC addresses directly from link-local IPv6 address (if IPv6 privacy extensions are not configured)
There is no way you can possibly use IPv4 in subnets with thousands of nodes - your network will be overloaded with broadcast traffic (e.g. ARP).
You can query node for additional information using node information, e.g. in BSD you can query host for ICMPv6 Node Information Node Addresses:
$ ping6 -a Aacgsl ::1
I can think of two reasons to use IPv6 for an internal host.
You may find in the future that this host now needs to be externally available at least on certain ports.
You may find that this host needs to connect to another host who has also chosen the same internal address. For example you need to connect to 10.0.0.5 at Acme corporation and your own address at Emca corporation is also 10.0.0.5. I remember this happening at a previous job, we had both used the same internal addresses.
I would say that in the modern world most computers are not 100% internal. Most desktops can make some limited connections to the outside world or vice versa.
The only good reason to go IPv6 internally is to be ready when the world switches to IPv6, and I think that's a pretty bad reason, given the rate of adoption. Since most internal IPs won't be externally reachable, it wouldn't be a big deal to translate the rest.
My corporation will probably never switch to IPv6 internally. It would require a fundamental shift in policy so massive I can't honestly conceive how it could come about. A lot of people would have to get killed, and a lot of inexplicable hiring choices would have to be made. Likewise, any attempt by individual business units to switch to IPv6 on their LANs would be squashed with prejudice by the corporate networking overlords based on interoperability and maintainablity concerns (we allow a lot of leeway locally, but not that much.)
Basically, if switching to IPv6 was painless, we'd have done it years ago.