IPv6 Transition in Corporate Infrastructure

RIPE NCC announced in September 2012 that the last block of IPv4 addresses in Europe had been allocated. World IPv6 Launch in June 2012 marked the permanent activation of IPv6 by major providers. For corporate IT, the question is no longer whether to transition to IPv6, but how quickly.

Why IPv6 Concerns Every Company¶

IPv4 has approximately 4.3 billion addresses. With the number of connected devices — servers, computers, phones, tablets, printers, sensors — that’s no longer enough. NAT extended the life of IPv4, but brings its own problems: configuration complexity, difficulties with peer-to-peer communication, complications with VPN and video conferencing.

IPv6 offers 340 undecillion addresses — practically unlimited space. Every device can have a global address. This simplifies routing, eliminates the need for NAT, and enables end-to-end connectivity.

For Czech companies it’s important that CZ.NIC and Czech ISPs actively support IPv6. Seznam.cz, Google.cz, and other key services are already accessible over IPv6. Ignoring this trend means risking availability problems in the future.

Dual-Stack as the Recommended Strategy¶

We do not recommend switching to pure IPv6 — most internal applications and services do not yet natively support IPv6. Instead, we recommend a dual-stack approach: every device and server has both an IPv4 and an IPv6 address.

Dual-stack requires:

• Routers and switches with IPv6 support — most enterprise devices from Cisco, Juniper, and HP from the last 3–4 years handle IPv6. Older devices may need a firmware upgrade.
• DHCP and DNS — Windows Server 2008 R2 and later support DHCPv6. DNS must be able to serve AAAA records. BIND 9 and Windows DNS both handle this.
• Firewall rules for IPv6 — this is a critical point. Many companies have sophisticated IPv4 rules while IPv6 traffic passes unchecked.
• Monitoring — tools like Nagios, Zabbix, and PRTG must monitor both protocols.

Address Plan for the Corporate Network¶

With IPv6 you typically receive a /48 prefix from your provider, which gives you 65,536 subnets, each with 2^64 addresses. We recommend a structured address plan:

2001:db8:abcd:0001::/64 — Management VLAN
2001:db8:abcd:0010::/64 — Production servers
2001:db8:abcd:0020::/64 — Dev/test servers
2001:db8:abcd:0100::/64 — User workstations
2001:db8:abcd:0200::/64 — Wi-Fi / BYOD
2001:db8:abcd:0300::/64 — Guest network
2001:db8:abcd:0f00::/64 — DMZ

Use logical subnet numbering that corresponds to your existing VLAN structure. This will make management and troubleshooting easier.

IPv6 Security Aspects¶

IPv6 introduces specific security risks that we’ve encountered with clients:

Unmanaged IPv6 traffic. Windows Vista and later have IPv6 enabled by default. If your network has no IPv6 infrastructure, systems will create link-local addresses and may communicate outside the reach of your firewall. Either actively manage IPv6 or disable it on workstations.

Rogue Router Advertisement. In IPv6, devices can auto-configure using Router Advertisement messages. An attacker can send a fake RA and redirect traffic. The solution is RA Guard on switches.

Larger packet headers. The IPv6 header is 40 bytes compared to 20 bytes for IPv4. Some older firewalls and IDS/IPS systems cannot properly analyze IPv6 packets — test before deployment.

Tunneling. Mechanisms such as 6to4, Teredo, and ISATAP can bypass firewall rules. We recommend blocking these protocols on the corporate network and using only native dual-stack.

Applications and Middleware¶

Most modern application servers already support IPv6. Apache Tomcat 7, JBoss AS 7, WebLogic 12c — all work on dual-stack without issues. Watch out for:

• Hardcoded IP addresses — applications with IPv4 addresses in their config or code instead of DNS names won’t work over IPv6
• Socket programming — older Java code using java.net.Socket with explicit IPv4 addresses must be updated
• Logs and auditing — IPv6 addresses are longer. Verify your log parsers and SIEM can handle the IPv6 format
• Databases — Oracle 11g, PostgreSQL 9.x, and MySQL 5.6 support IPv6 connections

Test Environment¶

Before deploying to production, we recommend creating a test IPv6 segment. The process:

1. Designate one VLAN for IPv6 testing
2. Configure the router with RA for automatic configuration
3. Connect test servers with dual-stack
4. Test key applications — email, web, database, VPN
5. Verify firewall rules — are IPv6 packets filtered correctly?
6. Check monitoring — can you see IPv6 traffic in your graphs?

The entire test takes 2–3 weeks. The result is a clear picture of your infrastructure’s readiness.

Transition Timeline¶

We recommend a phased approach:

• Phase 1 (1–2 months): Infrastructure audit. Which devices support IPv6? Which applications have hardcoded IPv4?
• Phase 2 (2–3 months): Test environment. Dual-stack on selected segments.
• Phase 3 (3–6 months): Production deployment. Dual-stack on all segments, IPv6 on external services.
• Phase 4 (ongoing): Optimization. Gradually eliminating IPv4 dependencies.

Summary¶

IPv6 is not the future — it’s the present. World IPv6 Launch in June 2012 confirmed that. Czech companies have the advantage of quality infrastructure and active support from CZ.NIC. Dual-stack is the safe path that allows a gradual transition without risk of outages. Start with an audit and a test environment — the first steps are easier than they seem.