Ask the Wi-Fi Guru About IPv6
Page 1 of 1
Our monthly Q&A series offers advice to those seeking help with home or small business WLANs. This month our guru offers some insight into the looming IPv4 crisis and explains the best way to secure a network comprised of devices with public IP addresses.
Would you like to ask the guru a question? Write the editor.
If you haven't yet heard, there is a growing sense of crisis in the networking community over the rapidly depleting supply of IP addresses. While not quite worthy of Y2K-style hysteria, the issue is one that, visibly or invisibly, affects both wired and wireless network users. Wi-Fi users in particular should take note because changes are coming that could require updating or replacing your wireless routers.
An IP address, of course, is the four octet number like 220.127.116.11 which identifies a computer or other network device. A public IP address is one that is "routable" across the Internet -- meaning that data can be sent to that device from another Internet-connected device. A private IP address is one that is only routable within your LAN, but not directly visible to the Internet. Today, many networks are composed of a mixture of public and private IP addresses.
In a typical home scenario, the cable or DSL modem is the device with a public IP address. All of your other devices like desktops, laptops, and anything else using Wi-Fi, are assigned private IP addresses by the wireless router.
When the current IP address system was implemented in 1981 -- known as IPv4 -- its designers believed that the 4 billion public IP addresses it could support would be more than enough. But here we are in 2011, in a world where the number of mobile devices is exploding, and Internet use in general is steeply rising globally, and it turns out that 4 billion addresses are not nearly enough.
In fact, earlier this year the last available blocks of public IP addresses were finally assigned. These blocks contain millions of addresses, and it will still take some time for those individual addresses to be handed out to devices. Organizations with an IP address crunch can also make better use of private IP addressing to extend the life of their IPv4 networks. In short, the network world is not coming to an apocalyptic end, but IPv4 has reached the end of its useful life.
Our savior comes by the name IPv6 -- the next-generation version of IP addressing. In contrast to IPv4, an IPv6 address is made up of 8 hexadecimal octets, such as 2f1e:1800:3445:0003:100:f2fe:fa20:61fa. Thanks to its larger address space, IPv6 is not likely to run out of addresses any time soon. Maybe even any time ever. Just how many public IP addresses does IPv6 support? Try 340,282,366,920,938,000,000,000,000,000,000,000,000.
So ... problem solved? Not yet. Because now we actually need to migrate the entire Internet, including software and hardware, from IPv4 to IPv6. In this regard, some corners of the industry have been more responsive than others. For example, Windows Vista/7, Mac OS X, and most current Linux distributions all include built-in support for IPv6. But ISPs and many wireless router vendors have been much slower to implement IPv6 support. Sooner or later, ISPs will have to get on the bandwagon. But at this point, it is not safe to assume that any Wi-Fi routers you have now will work with IPv6.
Even users of our oft-mentioned preferred router firmware alternatives like DD-WRT and Tomato cannot be complacent. IPv6 support in DD-WRT involves working with some router-based scripting, while Tomato users need to migrate to a Tomato fork project like TomatoUSB to get IPv6 support, which is still missing from the parent version.
All of which brings us to this month's question:
What's the most secure setup for multiple static IP addresses on my LAN? Where does IPv6 fit in?
Q: I have Verizon FIOS with 12 static IP addresses coming into my office. Currently, I have the internet connected to a gigabit switch which the Web server and email server are plugged into (these use 11 of the static IPs). Then I set up a wireless router to use the other static IP address, which I use for our LAN. Is this setup ok? Or do I need a security appliance (perhaps the cisco 5505?) to protect the entire network - or just the servers?
What do we have to know about IPv6? Are we safe using IPv4 for the next few years? - Al
A: In many home and small office networks, the wireless router acts as a first line of defense against attacks. Today's routers include built-in firewalls, although some are more sophisticated than others. A basic firewall can prevent some basic, common types of attacks, and also be configured to limit external access to certain portions of the LAN. A more sophisticated firewall, such as the kind with "deep packet inspection", can analyze incoming packets looking for known attack signatures. Even more sophisticated firewalls -- such as dedicated appliances including the Cisco 5505 -- can do all this and more, including updated anti-virus scanning, plus the ability to handle larger quantities of traffic than a typical consumer-grade router.
In this setup, there is effectively no perimeter firewall protecting the web and email server. It is certainly important to be sure that both of these servers are configured and maintained with smart security settings, but any recommendation would be meaningless without a thorough knowledge of each system.
Plus, it sounds like the wireless devices connected to the router are using public IP addresses, rather than private LAN addresses. This, too, could make them more vulnerable even with the wireless router's firewall in place.
In short, yes--with a network setup like this, there is a good argument to be made for some kind of perimeter security appliance in place before your servers and wireless clients.
Speaking of IPv6 and ISP support, Verizon FIOS is one of the major ISPs currently in a testing phase for IPv6. There is no official word on when the company will migrate. It is indeed possible to run your LAN on IPv6, even with an IPv4 ISP, although you will need a router which can tunnel IPv6 to IPv4. There may not be a compelling reason to do this. For many users, the push to upgrade to IPv6 will come when your ISP does so.
In that sense, it will be safe to use IPv4 until your ISP themselves make the switch. It is likely that many ISPs will continue to support both IP address systems for awhile, possibly years. That said, my recommendation will be to update to IPv6 at the time your ISP does so, rather than prolong the inevitable and potentially invite quirks and incompatibilities into your network.