Erik Giesa

Thursday, July 12, 2018

When the internet took off, it quickly became clear that the finite number of IPv4 addresses would soon be tapped out. The protocol allows for about 4 billion IP addresses, and there are already more than 4 billion connected devices—with many more on the way as a result of the adoption of cloud, the Internet of Things (IoT), and software containers.

Anticipating that shortage, IPv6 was introduced in 1998. With the potential for trillions of addresses, the number of devices that can be connected is virtually infinite. But don’t wait around expecting IPv6 to solve your problems. IP addresses function not only as an identifier but also as a locator, which is a frequent cause of IT headaches. The location function causes conflicts, adds to management overhead, creates security holes, and often raises availability issues.

In the meantime, network address translation (NAT) provided an acceptable workaround, as it allowed a single public IPv4 address to accommodate multiple private IP addresses. But NAT creates a multitude of problems, ranging from the need to manually update port mappings to incompatibilities between NAT and IPsec. IPv6 eliminates the need for NAT because every device can have its own unique IP address. That makes for a more secure environment, although it creates its own headache of having to keep track of all those unique addresses.

As Hans Proenen, Chief Information Security Officer at GE Europe, told ComputerWeekly:

Because there are so many IPv6 IP addresses, it is virtually impossible to do a scan of the network to find rogue devices, which makes securing an IPv6 network a lot more demanding.

Adoption of IPv6 has been relatively slow, but it’s starting to accelerate. For 2017, Google’s data on user access revealed a steady climb in IPv6 users from 16% at the beginning of the year to over 20% just past the midway point. But migrating is a complex process that involves upgrading, reconfiguring, and testing both hardware and software. Worse, IPv6 doesn’t address the fundamental flaw of TCP/IP: addresses are used for both location and identity. This essentially hands bad actors a roadmap for creating mischief by targeting the IP addresses of enterprises or individuals.

If you’re going to upgrade your internet addressing scheme, why not step outside the box and switch to an approved standard that relies on cryptographic identities? That’s the essence of the IETF-approved Host Identity Protocol (HIP), which separates the locator and identity elements of IP addresses and inserts a secure namespace that makes it possible to quickly and simply set up secure network overlays.