IT Brief New Zealand logo
Technology news for New Zealand's largest enterprises
Story image

What you need to know about IPv6

Tue 21 Jan 2014
FYI, this story is more than a year old

IPv4 Exhaustion is here. In the IT industry we all (or we all should) know about it but some are experiencing it faster than others. For us here in New Zealand we are part of APNIC, the regional RIR who provide IP addressing.  The only new IPv4 address being provided are for companies just registering for their ASN (autonomous system number - what you need to be your own "entity" on the internet) - i.e. companies new to running their own IP space. And then they only get a /22 (around 500 addresses). When selling my previous company (which was in the hosting business) I had been asked about registering for an ASN so the buyer could get that extra IP space of barely 1000 addresses!

500 IPv4 addresses sounds like a lot and it is, until you have to start breaking it up. The company was a hosting (dedicated server and colocation) and every customer had at least their own /30 subnet with many having /29 (8 addresses), /28 (16 addresses) or even larger routed to them. It's amazing what you can achieve on a single server using virtualization. The customers would have their own firewall running a router VM, usually PFsense with multiple other VMs sitting behind it, sometimes 10 or more on a single 1u rack server! A /30 uses 4 addresses so at a minimum, one customer would use 4 addresses. Some reading this will say that it could have been done more efficiently and i guess it could but it wouldn't have been so clean.

So back to the IPv4 story in today's timeframe. Luckily Xtracta's main hosting provider here in NZ, called Orcon have had enough IPv4 addresses to provide really any amount of space their customers want. That's coming to an end however with it becoming tougher and tougher for us to get space from them. The obvious answer is IPv6. I have made it a personal policy that any device we have acquired for the last 2 years must be IPv6 capable and most are. These include our:

  • Desk Phones
  • Smartphones
  • Printers/Multifunctions
  • Computers
  • Servers
Computers and servers have been easy. We run mainly Ubuntu Linux which has full support and Windows Server 2008/2012 have full support for IPv6 on literally every service - email, DNS, FTP. I've actually been pleasantly surprised with just how much out there is IPv6 capable and does work.Xtracta's Network StrategyOur network design strategy at Xtracta revolves around dual stack IPv4/IPv6. We run different network segments, at least one for our publicly facing servers and at least one those that don't need public access. The reason for this extends beyond security; it allows us to put the small amount (/28) of public space we have only on those servers which really need them. This is for things like our web server, file transfer server, DNS nameserver etc.

The other subnet has private IPv4 space (also known as RFC1918) for things such as our processing servers, Smart OCR artificial intelligence (yes quite a mouthful) servers, testing servers, development servers, storage servers. So many servers! This usually runs a /24 like -

Both segments have a /64 IPv6 subnet. Now this is important, try and make EVERY ONE of your IPv6 subnets /64. It's the semi agreed upon standard size so we don't need to worry about variable length subnetting anymore. The biggest advantage is we can now run this great technology called stateless autoconfig. Stateless autoconfig is the replacement for DHCP where complexity isn't required. It works based on the the subnet itself, a device can use it's MAC address to come up with its own unique address on that subnet which is guaranteed unique - you no longer need a server to handle that important requirement. It also brings static addressing naturally without needing to keep track of what devices are using what addresses simply by the fact its IPv6 address is built on the MAC address; something that doesn't change.Route ProperlyI talk with lots of people who think port forwarding is the be all and end all. And I've seen for myself some of the problems it creates. Often people will have a number of addresses with their ISP which are provided on their linking interface - ie the WAN side of their router. They then proceed to port forward these to servers they have internally which sit on a private IPv4 address space e.g. or This is really messy and can cause real issues with things like DNS. Do things properly, for IPv4 get your ISP to route you a subnet via the WAN IP on your router, then set the public IP directly up on your server. Most routers should support firewall rules to protect your servers and you should only allow connection on ports relevant to each server from the general internet. E.g. perhaps port 25 is open to your mail server or 80 to your web server.

This native, non-hacked approach to routing/firewalling is the approach the internet was originally designed for and its structure is just so much better than port forwarding.It is the approach you will need to take with IPv6 also so its best to follow it as a standard within your network.Make IPv6 support a PolicyOne of the key things to rolling out IPv6 is that your equipment actually supports it. A lot of equipment already does but a lot doesn't and you should be avoiding equipment which doesn't have support. A quick run down:

  • Operating Systems: Windows From Vista and Server 2008 has excellent, near native support for all services. Only thing I have found lacking is the ability to pass DNS server information in SLAAC which still isn't possible even with Server 2012. It's really annoying as you have to run DHCP just to provide a DNS server which is really all that is needed besides IP address and gateway information. Linux support really depends on your distro but we have used Ubuntu from 10.04 onwards and support is top notch. One thing to watch our for is that Ubuntu creates multiple "fake" addresses by default - probably to hide the MAC address. The proper SLAAC address is there. Try the following command and look for a "global dynamic" address:
    ip -6 addr
  • Routers: Routers are where the big issues around IPv6 rollout happen. Besides the OSes, in most networks routers are the only critical layer 3 device required to make IPv6 a reality. Most small office home office brands have a very poor track record here such as Dlink, Netgear etc. I am a STRONG proponent of the PFsense project, I manage around 15 PFsense routers and they are amazing. What's even more amazing is the fact they can run on any hardware or as we do, as virtualized machines on our ESXi infrastructure. Another good option could be Mikrotik.One you start entering into the mid tier market e.g. Juniper, Cisco etc. support starts to come in but often while it will say its IPv6 ready, the implementation is very poor and in many cases unworkable. Basic services won't be supported and you can become highly frustrated! Read the reviews and talk to other users with the devices and running IPv6 before you take the plunge (online discussion boards are a great place to ask about this).
  • ISP: This is an obvious one, if you want to use IPv6 your ISP must support it. Yes you can use tunnels like SIXXS or but its much better to go native as otherwise you are tunneling all your traffic through an unknown node which may increase your latency and decrease your bandwidth (and increase risk if that tunnel provider is down for eample). Choose an ISP who have native IPv6 support and will actually provision it rather than just tell you they do then when it comes to crunch time say they can't do it.
  • Network Devices: Besides your computers you probably run a number of other layer 3 network devices like printers, VOIP phones, managed network switches, CCTV cameras etc.. support in these devices is a bit hit and miss. I have been pleasantly surprised on how many do support IPv6 however. Our Konica MFDs and Cisco SMB switches (SG300 series) have full support and it works. Our phones, Yealink T22P claim to have IPv 6 support but in fact have none at all or if they do, require immense firmware hacking which doesn't count as IPv6 capable in my book. Our wireless access points and CCTV cameras, both from Ubiquiti have no IPv6 support (but nor do they claim to). Check this out before you buy the device, while there always is a possibility of a firmware upgrade bringing IPv6, don't rely on it.
Rollout - Gradual or Rapid, either way make it happenRolling out IPv6 in your network can be approached in two ways:
  1. One big "hit"
  2. Gradually service by service, device by device over a period of time
Both methods have their pros and cons. I would generally recommend method 2 as its less risky. However in saying that for some cases where you have limited time (such as those doing IT consulting and doing work for a client in a single visit), option 1 needs to be employed. Also, option 1 does allow impetus to be maintained as often what will happen with a gradual rollout is more pressing issues will come up and it will be put aside an neglected. It doesn't necessarily need to be much more risky as long as every service is well tested during the rollout.Test your DNS and ServicesOnce you are up and running with IPv6 make sure you test! Remember that even if your server supports IPv6, the services that run on it may not, or if they do, require extra configuration. A lot of people use IP addresses directly when mapping services, printers etc. and this is not a good practice in my book. This is even more true with IPv6, remember that if you ever change ISP your entire IP addressing will change, even for your internal network. Partly for this reason and partly to make the transition to IPv6 smoother, I suggest setting all of your devices up with a DNS entry e.g. for us it may look like printer1.ororke.akl.xtracta.local. This would then have both the A record (for IPv4) and the AAAA record (for IPV6) setup for the device. If the service on that device, in this case a print server supports IPv6 then great, otherwise it should automatically fall back to IPv4.

This approach does have the downside that you won't know what services are running IPv6 and which are running IPv4 since they both work. But you can go through each one by one to ensure that IPv6 is running and they are responding to it. A tell tale sign that IPv6 isn't working are delays caused by IPv6 timeout. Typically if one device is trying to connect to another on IPv6 it will try and wait for a preset amount of time before falling back to IPv4. This is a good indication the particular service being connected to is not configured for IPv6.

One of the other benefits of this approach is that, especially for remotely connected sites/services (e.g. connecting from an office in one city to another over a VPN tunnel for example), if you are having connectivity issues with one protocol - it could well be the other is still working. We have experienced this a few times now where IPv4 connectivity between our sites has been down while IPv6 has remained up - leading to greater reliability for us.

For more information about preparing for IPv6 then visit

Author: Jonathan Spence

Related stories
Top stories
Story image
Red Sift
Entrust expands strategic partnership with Red Sift
Entrust has expanded its strategic partnership with Red Sift to make it easier for businesses to adopt Brand Indicators for Message Identification (BIMI) standards for email identification and security.
Story image
Hybrid Cloud
Barracuda expands cloud-native SASE platform
"The expansion of Barracuda's cloud-native SASE platform for hybrid deployment models and IIoT environments solves a number of challenges."
Story image
Digital Transformation
Digital transformation increasing business complexities
A new survey suggests businesses must re-examine their digital transformation approach to better help employees adapt to change.
Story image
Data Protection
Information management capabilities to meet privacy requirements
Organisations with customers or operations across more than one country face a spate of new and proposed privacy and data protection laws.
Story image
Comcast to use ThreatQuotient for cybersecurity operations
Comcast, the parent company of NBC Universal and SKY Group, has chosen ThreatQ Platform and ThreatQ Investigations to meet their cybersecurity needs.
Story image
Cybersecurity prompts upgrade for 1.3 billion electricity meters
ABI Research finds Advanced Metering Infrastructure (AMI) and cybersecurity concerns are prompting the upgrade of 1.3 billion electricity meters by 2027.
Story image
GapMaps Live to improve brand decisions on physical locations
GapMaps has released its latest service GapMaps Live, giving more insights and features to help brands make better decisions about physical locations.
Story image
Equinix announces milestones on sustainability commitments
Equinix has released its 2021 Sustainability Report which outlines progress, innovation and accomplishments on key ESG commitments.
Story image
i-PRO releases smallest AI-based surveillance camera on the market
The new i-PRO mini network camera is now available, with a pocket-sized form factor and full AI analytics functionality.
Story image
Alteryx releases updates, empowers data insights for enterprise
Alteryx has released new advancements designed to aid enterprises with cloud analytics, democratise insights and ensure data governance.
Story image
Manhattan Associates
Shortening the click-to-customer cycle through smart technologies
Speed of delivery without accuracy is a dealbreaker for consumers. How can retailers operating in an omnichannel environment overcome the challenge of click-to-customer cycle times.
Story image
Digital Marketing
Similarweb acquires SEO and rank tracking company Rank Ranger
Digital intelligence company Similarweb, which specialises in analysing web traffic, has acquired Rank Ranger, a market leader in SEO and rank tracking.
Story image
Managed service provider
Barracuda MSP Day 2022 highlights MSP opportunities
Barracuda Networks has released a report showing global services-related MSP revenue is set to increase by more than a third in 2022 compared to 2021.
Story image
NetApp launches Spot PC, a new Desktop-as-a-Service solution
This is a new managed cloud DaaS solution with security, automation, observability and optimisation capabilities, designed for the needs of today.
Story image
Trojan cyber attacks hitting SMBs harder than ever - Kaspersky
In 2022 the number of Trojan-PSW detections increased by almost a quarter compared to the same period in 2021 to reach 4,003,323.
Find out how a behavioural analytics-driven approach can transform security operations with the new Exabeam commissioned Forrester study.
Link image
Story image
Maintaining secure systems with expectations of flexible work
Most office workers feel they've proved they can work successfully from home, and as much as employers try, things aren't going back to the way they were anytime soon.
Story image
ChildFund launches new campaign to protect children online
ChildFund says WEB Safe & Wise aims to protect children from sexual exploitation and abuse online while also empowering them to become digitally savvy. 
Story image
SPS network now available to CrescoData eCommerce customers
CrescoData, a Pitney Bowes Company and PaaS business in the commerce space, says its customers can now connect to the SPS Commerce Retail Network.
Story image
New Relic
New Relic launches vulnerability management platform
New Relic has introduced New Relic Vulnerability Management to help organisations find and address security risks faster and with greater precision.
Story image
CERT NZ releases first Cyber Security Insights for 2022
CERT NZ has released Quarter One: Cyber Security Insights 2022, which offers an overview of reports about cybersecurity incidents affecting New Zealanders.
Story image
Cyber attacks
Devastating cyber attacks expected to hit energy sector
Energy executives anticipate life, property, and environment-compromising cyber attacks on the sector within the next two years.
Story image
Customer experience
Gartner recognises Okta for abilities in Access Management
Okta has announced it has been recognised as a Customers' Choice for the fourth time in a row in the Gartner Peer Insights "Voice of the Customer" report.
Story image
Data Protection
Barracuda launches new capabilities for API Protection
"Every business needs this type of critical protection against API vulnerabilities and automated bot attacks," Barracuda says.
Story image
Ponemon Institute
Email revealed to be riskiest channel for data loss
More than half (60%) of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months.
Story image
Vectra AI
Vectra’s inaugural Partner of the Year Awards revealed
APAC companies Baidam, Firmus, ShellSoft and Macnica have been recognised in Vectra AI's inaugural Partner of the Year Awards.
Story image
Sysdig unveils new Kubernetes troubleshooting and cloud innovations
Sysdig has introduced two new innovations that look to help bolster cloud services and simplify Kubernetes troubleshooting.
Story image
Fastly acquires Glitch, enables faster developer innovation
"This acquisition brings together two of the worlds best ecosystems for application development into a single, seamless developer experience."
Story image
Infosec unveils role-guided cybersecurity training roadmaps 
Infosec Skills Roles maps hands-on training and certifications to the 12 most in-demand cybersecurity roles to maximise training efficiency.
Story image
Alarming surge in Conti Ransomware Group activity - report
A new report has identified a 7.6 per cent increase in the number of vulnerabilities tied to ransomware in Q1 2022.
Threat actors are exploiting weaknesses in interconnected IT/OT ecosystems. Darktrace illuminates your entire business and takes targeted action to stop emerging attacks.
Link image
Story image
Remote Working
Successful digital transformation in the hybrid work era is about embracing shifting goalposts
As organisations embraced remote working, many discovered they lacked the infrastructure needed to support history’s first global load test of remote work capabilities.
Booster Innovation Fund. A fund of Kiwi ingenuity – for Kiwi investors.
Link image
Story image
More than 40% of banks worried about cloud security - report
Publicis Sapient's new report finds security and the lack of cloud skills and internal understanding of business benefits are big obstacles for banks moving to the cloud.
Story image
Sift shares crucial advice for preventing serious ATO breaches
Are you or your business struggling with Account Takeover Fraud (ATO)? One of the latest ebooks from Sift can provide readers with the tools and expertise to help launch them into the new era of account security.
Story image
Tech job moves - Forcepoint, Malwarebytes, SolarWinds & VMware
We round up all job appointments from May 13-20, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Digital Signage
MAXHUB's Digital Signage range to bolster boardroom productivity
The new MAXHUB Digital Signage technology is purpose-built to make every kind of team meeting more effective.
Story image
Silver Peak
The path to an adaptive, modern network
Managing and securing the network looks different than it did just two years ago—especially given that most of these networks are made up of multi-generations of infrastructure stitched together over time.
Story image
Women in Technology
Huawei webinar emphasises the importance of women in tech
Industry findings by Coursera discussed as part of a webinar jointly organised by Huawei and Reuters Events found 6% more women enrolled in tech courses this year than in 2021.
Story image
Artificial Intelligence
Frost & Sullivan recognises Genesys as leader in new reports
Frost & Sullivan has recognised Genesys as a leader in the cloud contact centre market for its robust cloud and digital capabilities.
Story image
Data Center
Preventing downtime costs and damage with Distributed Infrastructure Management
Distributed Infrastructure Management (DIM) can often be a lifeline for many enterprises that work with highly critical ICT infrastructure and power sources.
Story image
Aligned Data Centers increases sustainability-linked loan
Aligned Data Centers has increased its sustainability-linked loan from $375 million to $1.75 billion to speed up the next phase of its strategic growth.
Story image
Vectra AI
Understanding the weight on security leader’s shoulders, and how to shift it
Millions of dollars of government funding and internal budgets are being funnelled into cybersecurity to build resilience against sophisticated threats, indicating how serious this issue has become.
Story image
APAC organisations fail to disclose ransomware breaches
85% of organisations in APAC were breached by ransomware at least once in the past five years, but only 28% publicly disclosed the incident.