Updating global networking through IPv6: technicalities, caveats and

implications

Research paper for JPM611 Cybersecurity in International Relations

Lecturer: Mgr. Nikola Schmidt

The issue of depletion of IPv4 address space is a long known phenomenon. Yet as of 2014 the three-decade

old protocol is still very much alive and firmly in control of the global network. This paper will discuss its

envisioned alternative – Ipv6. The structure of the argument will start with a look on the technicalities of

the concerned protocols dissecting v4 first and v6 second. Next it will discuss the current state of affairs

and the issues connected to governing the structure of the network. Finally, it would put forth certain

propositions related to policy matters, network growth facilitation and strategic concepts such as

deterrence and compellence. The issue is far from straightforward. Even if the Network would succeed in

transforming itself to the new v6 standard it is by no means clear that some of the persistent problems of

cyberspace would be resolved – most importantly the attribution problem. Additionally, there is a risk that

the predominantly technical matter of address exhaustion will be hijacked for policy goals that could

change the prevalently liberal nature of the Global Network.

When the Internet Corporation for Assigned Names and Numbers (ICANN), effective

ruler of the internet, announced in 20111 it has run out of IPv4 (v4) addresses it came as no

surprise. As a matter of fact it was a problem seen coming since the massive proliferation of

global internet in early 1990s. Given the finite amount of available addresses in 32 bit space

of v4 numbering just over 4,3 bn it seemed a fantasy in the 1980s, yet fairly day to day issue

with global explosion of connectivity and rather poor address space utilization. We are still

far from every person owning a connectible device, but some own more and with new

developments it is possible to e.g. connect every robot in a factory as a separate network

device. Even current 3g mobile network can consume more than a billion of IP addresses

(IEEE-USA 2009). Moreover, the IPv4 space was designed to be used within specialized

network, predominantly scientific and familiar with other means of communication available

1 (ICANN 2011)

as well. It is in fact rather ironical that the tremendous success v4 has achieved threatens to

discard it. The problem has since the 2011 announcement trickled down to two of the five

Regional Internet Registries (RIRs) who have since ran out of new IPv4 addresses – the

European RISE and Asia-Pacific APNIC – with others following them in the next few years

(Ermert 2013).

One notable factor of IPv4 is its underutilization. The actual utilization is measured

with a lot of variation but it is quite obvious that especially early IPv4 requests were treated

with light-minded approach and thus up to 70pct of allocated addresses in the US are

unused (Early 2009). This is partly due to the initial system of allocation of IPv4s. The

network IP allocation was classful from 1981 till 1993 and addresses were given out in

portions know as classes A to D ranging in number of addresses available. For example a

class B assignment would have the network portion of the IP 16bit long, thus allowing the

other 16bits to be used for unique IP addresses – corresponding to 216 or 65 536 addresses.

Companies or institutions would be allocated these even though in reality they might only

need several thousand addresses (Russell 2004). This was partially addressed by the

introduction of Classless Inter-Domain Routing (CIDR) in which IP allocation could be scaled

more freely as a power of 2.

Even with these conservation policies, the IP allocations were not intended to

become a market on its own – they were and remained essentially free, apart from an

annual fee that the ISPs had to pay. However, for companies to demonstrate their need of IP

addresses means to foresee their development or behavior of customers several years

ahead which can be a daunting task. With the depletion of new IPs pressure has been

mounting to liberalize the market and allow unused IPv4s to be traded and re-assigned.

These would be typically legacy IPs (pre 1993) and easily acquired addresses from the early

Internet era as well as allocations from ICT underdeveloped areas and bankruptcies. Due to

the nature of the network, however, it is inefficient to chop up allocated blocks and trade

them as it leads to fragmentation and longer route required to reach desired target thus

imposing negative externalities on other network users (Edelman, Schwarz 2011).

Additionally, ICANN and the five RIRs have only limited ability to influence the companies’

behavior, e.g. prevent emergence of a black market which is a common phenomenon when

faced with scarcity of resources. One notable power of these large network facilitators is the

maintenance of a WHOIS list, essentially a record indicating which IPs belong to which

company. The North American RIR ARIN has threatened to not update this list if transactions

of IPs take place outside of its framework – basically upholding the “based on needs

principle” (Mueller, Kuerbis, Asghari 2013).

Another tool that was implemented to mitigate the problem of v4 address

exhaustion is Network Address Translation (NAT). This approach would effectively shield a

network behind a router that has only one public IP and then distributes data to hosts that

need not have unique IP. While it performs the task of prolonging the feasibility of v4

internet it does place constraints on what is possible, notably direct Peer2Peer connections

and effective implementation of security features into layer 3 (IP) protocol. The inability of

devices to connect directly to each other does require more work from servers to take of the

routing. Possibly more importantly, the IPSec protocol, a simple cryptographic method using

hashes to determine whether data has been tampered with is not functional under NAT due

to the middle step of subnetworking.

Another IPv4-conserving instrument is the current usage of dynamic IP allocation.

This means that IP addresses are not fixed to a particular network interface but are

reallocated on ISP level to make more effective use of unused IPs. The DHCP protocol allows

for more clients to share one IP at different times. The downside of this is only limited

usability of caching of DNS mappings, which slows down the Network as such. Additionally,

with addresses being untied from network interfaces it is rather hard to attribute particular

network activity to a particular actor. Similarly to NAT, it reduces the possibility to

communicate directly via end to end solution with any desired device. It is estimated that

there can be currently up to 3 bn connected devices, even though unique IP utilization itself

is around 40 % (2 bn) which shows that underutilization was mitigated (Huston 2013a).

The usage of v4 has both widened and deepened to make use of a theoretical

analogy. One of the core characteristics that have made v4 so widespread – that is its

simplicity – also causes worries to strategic analysts and policy makers. One can argue that

the virtual security-effectiveness trade-off is skewed toward the latter in the current

structure of the global Network. The following section will discuss if v6 can serve to address

perceived shortcomings, what are the strategic implications of these changes and whether

more regulated internet is about to emerge.

IPv6 – the silver bullet or just si lver lining?

IPv6 was designed to address the shortcomings of v4 discussed above and

significantly push Internet’s boundaries. With address space of 128bits it can provide almost

unimaginable number of unique addresses2. The IPsec protocol originally designed for v6,

but due to periods of delayed implementation also adapted to v4, is built into the protocol

header itself. With this enormous amount of possible addresses there is no need for NAT

and DHCP and thus the hash cryptography can function as intended. Furthermore, CIDR

which was also implemented later in v4 is now integral part of v6 and addresses do not have

to be allocated in either too small or too big chunks. Additionally, the Stateless Auto

Configuration enables devices to connect to a network even without the help of a server.

This plug-and-play feature can be cost-effective as well as socially enhancing by lowering the

barriers to successful connection i.e. narrowing the digital divide. Moreover, the possibility

of static or interface specific IPs enables peer to peer connections on a massive scale as well

as enhanced user-activity attribution – at least for the common user.

The new version has been designed well before the discussed scarcity problem was a

day to day concern. The Internet Engineering Task Force published call for white papers

regarding “next generation” IP addressing in 1993 (Mankin, Bradner 1993). One can say that

shortage-mitigation tools of v4 had adverse effects on the development and implementation

of v6. The quasi ruler of the network ICANN added v6 routing to root servers in 2008 (ICANN

2008). The official launch of IPv6 was the IPv6 day in 2011 (ENISA 2011). The data in figure 1

present a clear trend of v6 adoption, albeit still on a small scale. Figure 1 only depicts IPv6

accesses to Google servers, which is certainly relevant indicator but not descriptive of the

overall network traffic as such. Figure probably comes closer to reality with estimated total

native v6 traffic being only 0.2% of v4 traffic, yet over 100% increase year to year.

2 The possible combinations equal 3.4×1038

Figure 1 source (Google 2014)

Figure 2 source (Nash 2013)

The new protocol and its implementation have its downsides as well. Firstly, it is not

a fundamental game changer as it would be sometimes presented. The method of delivering

packets stays the same and it would only be the layer 3 internet protocol that will change.

Moreover, security breaches occur mostly on application level, quite often through human

factor errors and exploitations (Convery, Miller 2004) Secondly, due to the need of

tunnelling, that is encapsulating v6 traffic in existing v4 infrastructure creates potential

attack surface on both protocols thus arguably lowering the added value of security

enhancements built into v6 (Geers 2011, pp. 89-91). Possibly, one of the crucial decisions

made by v6 designers to make it incompatible with v4 has complicated the matters deeply.

The user-friendly nature of auto configuration is offset by security concerns e.g. rogue router

responding to legitimate queries and redirecting user to illicit server to handle its traffic

(Barker 2013).

The overall picture is such that the network, decentralized as it is, has been rather

slow in moving in one direction. From a policy standpoint most Governments and

International organizations would state support for v6 yet fail to provide robust incentives to

private ISPs and other network facilitators to move forward with the implementation. The

need for more IPs is also globally skewed. The US has about four IPv4 addresses per capita,

while states in Western Europe have one or two. Africa and Asia hold even significantly

fewer v4 addresses than inhabitants (van Beijnum 2011). This presents a very real

development hurdle in a World where connectivity is integral to business, functioning of

government, various societal functions as well as modern armed forces. Europe is leading in

IPv6 deployment and could break the apparent “waiting game” that is related to v6 (Huston

2013b). While the cyberspace is predominantly cooperative, with states’ and businesses’

united in support for universal connectivity the infrastructure shows signs of common goods

in that no one is willing to lead the way in investment in the new technology. The quasi

market with v4 addresses could further reduce motivations to invest in v6 if means are

instead spend on acquisition of the legacy addresses. As of now however it seems that v4 IP

market and v6 growth are taking place side by side (Mueller, Kuerbis, Asghari 2013). This is

interesting from a theoretical point of view and research on tipping point toward favouring

v6 would certainly be illuminating.

The fluid nature of cyberspace creates an almost universal problem of attribution as

things stand now with applicability of International by jurisdiction difficult to say the least.

Assigning unique address to every interface would theoretically solve the problem. However

with options like onion routing, that is randomizing routes to make the origin of data

impossible to find the problem would stay the same under v6. As a matter of fact it is likely

that privacy would decrease for the common user not using these anonymizing methods

whilst allowing anyone who chooses to hide his or her identity including state actors to stay

in the grey zone. To put it in wise of words of Sun Tzu: “all warfare is based on deception”3.

Thus with comprehensive penetration of ICT into military and strategic matters one can see

the motivation of states to leave the virtual space as fluid as it is now and take advantage of

it. The most common hostile cyber-activity CNE4 would fit into the category of espionage

which is currently also non-regulated by international law. Cyber in this case serves the age-

old endeavour of espionage albeit with different means. If CNE operations are understood as

an act of force or act of war than a dangerous casus belli would be present virtually always

(Libicki 2009, pp. 64-66).

With cyber penetrating traditional security categories a proliferation of cyber

strategies has emerged in the recent years5. One of the discussed postures is cyber-

deterrence and possibly compellence in the form of cyber-sanctions. In the case of deterring

hostile activity the core assumptions lie on knowing who is responsible. In the complex man-

made domain of cyberspace this can prove close to impossible. Whether IPv6 can serve to

provide this crucial tenet of deterrence remains to be seen but due to other means of

evading attribution one has reason to be sceptical. Current landscape of cyber realm makes

passive defence always one step behind, especially with Advanced Persistent Threats that

can go unnoticed for months or even years. Thus cyber-attacks are deemed to be cheap and

cyber-defence expensive. As for attribution which is crucial for deterrence to prove effective

several potential problems are present. Firstly, with the lack of forensic evidence attribution

rarely rests on solid ground. Secondly, it is possible that attackers would deliberately use

false-flagging – that is attempting to put the blame on another state. Misattribution would

3 (Tzu 2010, article 18) 4 Computer Network Exploitation 5 For a comprehensive list see for example https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world

also run the risk of having to deal with two enemies – the original attacker and the

wrongfully accused / counter-attacked. Thirdly, with lack of “flags” in cyber-space retaliation

could be framed by third parties as aggression (Libicki 2009). Additionally, with offensive

cyber-capabilities resting on exploiting vulnerabilities threatened retaliation might not be

repeatable. If these known and exploitable vulnerabilities are fixed it would throw the

deterrence equilibrium off balance – in a similar vein as effective ABM defence threatened

to imbalance Cold war nuclear deterrence. Even with these problematic aspects it seems

that cyber-deterrence has moved into mainstream strategic thinking at least in the US with

conventional reaction to cyber-attacks on the table and the perceived environment of cyber

hostilities currently shifting from “exploitation to disruption to destruction”(Lynn 2011).

Tools of coercive diplomacy such as cyber-sanctions would also rest on attribution and

targeting correct systems. Denying communication and ostracizing a state that is violating

the rules can be effective since it does not require physical coercion such as a military

blockade would require (Even, Siman-tov 2012). UNSC could authorize the use of cyber-

sanctions under chapter VII of the UN charter and possibly even authorize regional

organizations to enforce these under chapter VIII provisions (Benatar, Gombeer 2011). With

the attribution problem and decentralized nature of the network these potential tools can

inflict either disproportionate damage on civilian population as well as sub-par effects on

prepared hostile governments. It is important to distinguish though that cyber means should

not be used for collective punishment by extension of the customary international law

(Schmitt 2013. p. 193)

The Internet so to speak has outgrown itself, yet there are no robust institutional

mechanisms in place. The limited powers of ICANN and RIRs leave a lot of space to harmful

activities that are being reported as rising in all categories, including state-sponsored cyber

exploitation (ENISA 2013). Any form of international regulatory body is subject to consensus

and thus problematic. The US is steadfast in signalling that intergovernmental approach

should work best and resists relegation of regulatory power to independent UN-backed

body. Russia on the other hand seeks to introduce tighter regime, constraint cyber offence

and shift Network regulation onto a more neutral ground with a lot of space being left to

states to control their national networks (e.g. the Great Firewall of China)(Markoff, Kramer

2009). Moreover, the EU together with the US would hold Budapest convention on

cybercrime as a model, whereas Russia would seek to build a regime more similar to the

CWC.

While it is true that militaries are increasingly dependent on information

technologies, it seems plausible to argue in line with Thomas Rid (2012) that war in virtual

space is as of now within the realm of (science) fiction. Moreover, the shift in framing cyber

space as a military-strategic domain comes with its own costs and threatens to

fundamentally change the decentralized, emancipated structure of the internet (Cavelty

2012). These questions of a political and social nature are however qualitatively different to

the predominantly technical nature of v6 addressing. On the other hand, just as the

designers of v4 in Internet stone age did not foresee what was to come, we might also be

forced to expand our frameworks to grasp possible future developments e.g. the “internet of

things” – a notion that every device, appliance, computer, car, robot will connected

independently to the network of networks. With the driver of address exhaustion cited as

the most pressing issue companies signal they will eventually switch to v6 protocol (ENISA

2009).

The v6 addressing protocol will not by itself make the internet a safer place. It is my

position that the enormous advantages of the network that have revealed themselves are

necessarily offset by variable degree of cyber in/security. Networks do not form randomly

even in unregulated space, but follow cluster formations and generally create focal points

(e.g. (Barabasi 2003)). This does not mean that networks will become secure by themselves.

Thus another dilemma presents itself: whether to regulate or aim to regulate the global

network which runs the risk of fundamentally altering it and initiate undesired outcomes

such as balkanization. I would argue that possible scenario that can unfold is the tying of

implementation of v6 which is predominantly technical issue with overall political control of

the internet – which as of now is still seen as neutral. Clearly it is not neutral in the sense

that it originates in the Western world and serves as carrier of inherent liberal values. To

conclude, it is fair to say that IPv6 is not a silver bullet, but rather an almost necessary

upgrade. The silver lining of this reform ought not to be used to constrain the emancipatory

nature of the global web. As a rule of thumb v6 should make the internet safer in that hash

cryptography will work more efficiently and show whether data transfer has been tampered

with – this could prove invaluable in CIP as well as military affairs. The attribution problem

however will likely keep its daunting characteristics and it is naïve to believe that IPv6 will

change this fundamental facet of the global Network. Additionally, there is a privacy concern

where v6 implementation can be used or abused by governments to enact tighter control

over network users, possibly making it harder for unsophisticated hackers to mount an

attack while still leaving considerable space for the more advanced and evermore commonly

state-sponsored cyber-attacks. Strategic concepts originating in the traditional security

thinking such as deterrence, identification of armed force, distinction between combatants

and civilians that come from a different era will continue to struggle no matter what address

protocol the Network uses.

Bibliography

BARABASI, Albert-Laszlo, 2003, Linked: The New Science Of Networks Science Of Networks. Basic Books. ISBN 0786746963.

BARKER, Keith, 2013, The security implications of IPv6. Network Security [online]. June 2013. No. 6, p. 5–9. [Accessed 17 January 2014]. DOI 10.1016/S1353-4858(13)70068-0. Available from: http://linkinghub.elsevier.com/retrieve/pii/S1353485813700680

BENATAR, M and GOMBEER, K, 2011, Cyber Sanctions: Exploring a Blind Spot in the Current Legal Debate. ESIL 2011 4th Research Forum [online]. 2011. No. 9, p. 26–28. [Accessed 12 February 2014]. Available from: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1989786

CAVELTY, Myriam Dunn, 2012, The militarisation of cyber security as a source of global tension. In : Strategic Trends 2012 [online]. Zurich : Center for Security Studies, ETH Zurich. ISBN 978-3-905696-36-3. Available from: http://www.css.ethz.ch/publications/pdfs/Strategic-Trends-2012-Cyber.pdf

CONVERY, Sean and MILLER, Darin, 2004, IPv6 and IPv4 Threat Comparison and Best- Practice Evaluation ( v1 . 0 ) 1 Introduction.

EARLY, James P., 2009, An Introduction to IPv6 by James P. Early, Ph.D. [online]. 2009. Project Advance. Available from: http://www.youtube.com/watch?v=uNb7wd0-jpI

EDELMAN, Benjamin and SCHWARZ, Michael, 2011, Pricing and Efficiency in the Market for IP Addresses. WINE [online]. 2011. P. 1–25. [Accessed 16 January 2014]. Available from: http://www.benedelman.org/publications/ipmarkets-060913.pdf

ENISA, 2009, STOCK TAKING REPORT ON THE TECHNOLOGIES ENHANCING RESILIENCE OF PUBLIC COMMUNICATION NETWORKS IN THE EU MEMBER STATES. Athens.

ENISA, 2011, World IPv6 Day -8th June; time to take action & switch to the future — ENISA. [online]. 2011. [Accessed 14 January 2014]. Available from: http://www.enisa.europa.eu/media/news-items/world-ipv6-day-8th-june-time-to-take-action-switch-to-the-future

ENISA supports the World IPv6 Day, 8th June, and encourages more companies, authorities and organisations to take action and start using IPv6.

ENISA, 2013, ENISA Threat Landscape 2013 Overview of current and emerging cyber-threats. Athens.

ERMERT, Monika, 2013, Dispute over future IP address policy – stop managing scarcity? | Internet Policy Review. Internet Policy Review [online]. 2013. [Accessed 12 January 2014]. Available from: http://policyreview.info/articles/news/dispute-over-future-ip-address-policy-%E2%80%93-stop-managing-scarcity/130130

EVEN, Shmuel and SIMAN-TOV, David, 2012, Concepts and Strategic Trends Cyber Warfare : Tel Aviv.

GEERS, Kenneth, 2011, Strategic cyber security [online]. Tallinn : CCD COE Publication. [Accessed 25 April 2013]. ISBN 9789949904051. Available from: http://books.google.com/books?hl=en&lr=&id=4h6KIDAfGhAC&oi=fnd&pg=PA9&dq=Strategic+Cyber+Security&ots=sUl23FeiED&sig=sztDn3KPQMgrzSeo3iCQ1xqQKqs

GOOGLE, 2014, IPv6 – Google Statistics. [online]. 2014. [Accessed 12 January 2014]. Available from: http://www.google.com/ipv6/statistics.html#tab=ipv6-adoption

HUSTON, Geoff, 2013a, Valuing IP Addresses. RIPE Labs [online]. 2013. [Accessed 12 January 2014]. Available from: https://labs.ripe.net/Members/gih/valuing-ip-addresses

HUSTON, Geoff, 2013b, Launch + 365. [online]. 2013. [Accessed 12 January 2014]. Available from: https://ripe67.ripe.net/presentations/115-2013-10-16-ipv6-launch-365.pdf

ICANN, 2008, IPv6 Address Added for Root Servers in the Root Zone | Addition enhances end-to-end connectivity for IPv6 networks. [online]. 2008. [Accessed 14 January 2014]. Available from: http://www.icann.org/en/news/announcements/announcement-04feb08-en.htm

ICANN, 2011, Available Pool of Unallocated IPv4 Internet Addresses Now Completely Emptied. Press Release [online]. 2011. [Accessed 10 January 2014]. Available from: http://www.icann.org/en/news/press/releases/release-03feb11-en.pdf

IEEE-USA, 2009, Next Generation Internet : IPv4 Address Exhaustion , Mitigation Strategies and Implications for the U . S . [online]. Available from: http://www.ieeeusa.org/policy/whitepapers/IEEEUSAWP-IPv62009.pdf

LIBICKI, MC, 2009, Cyberdeterrence and cyberwar [online]. Santa Monica : Rand Corporation. [Accessed 11 February 2014]. ISBN 9780833047342. Available from: http://books.google.com/books?hl=en&lr=&id=MJX6jL6IeF0C&oi=fnd&pg=PP1&dq=Cyberdeterrence+and+Cyberwar&ots=HrticJwZFk&sig=B8cMfeA39YAnDJIts3ssieMscB8

LYNN, William, 2011, Remarks on Cyber at the RSA Conference [online]. [Accessed 7 February 2014]. Available from: http://www.defense.gov/speeches/speech.aspx?speechid=1535

MANKIN, A. and BRADNER, S., 1993, IP: Next Generation (IPng) White Paper Solicitation [online]. [Accessed 15 January 2014]. Available from: http://tools.ietf.org/html/rfc1550

MARKOFF, John and KRAMER, Andrew E., 2009, U.S. and Russia Differ on a Treaty for Cyberspace. The New York Times [online]. New York, 2009. [Accessed 11 February 2014]. Available from: http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all&_r=1&

MUELLER, Milton, KUERBIS, Brenden and ASGHARI, H, 2013, Dimensioning the elephant: an empirical analysis of the IPv4 number market. info [online]. 2013. Vol. 15, no. September, p. 1–14. [Accessed 16 January 2014]. Available from: http://www.emeraldinsight.com/journals.htm?articleid=17099271&show=abstract

NASH, Steve, 2013, IPv6 Trends Worldwide Infrastructure Security Report & Arbor ATLAS IPv6 Roll-Out Moves Forward.

RID, Thomas, 2012, Cyber war will not take place. Journal of strategic studies [online]. 2012. Vol. 35, no. April. [Accessed 31 May 2013]. Available from: http://books.google.com/books?id=hSolAQAAIAAJ&pgis=1

RUSSELL, Brian, 2004, IPv4 Will Not Be Sufficient For The Next 30 Years. [online]. 2004. [Accessed 10 January 2014]. Available from: http://www.cs.rutgers.edu/~rmartin/teaching/fall04/cs552/papers/001.pdf

SCHMITT, Michael N, 2013, Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge : Cambridge University Press. ISBN 1107024439.

TZU, Sun, 2010, On The Art of War. Aziloth Books. ISBN 978-1907523175.

VAN BEIJNUM, Iljitsch, 2011, Trading IPv4 addresses will end in tears | Ars Technica. Ars Technica [online]. 2011. [Accessed 12 January 2014]. Available from: http://arstechnica.com/tech-policy/2011/08/trading-ipv4-addresses-will-end-in-tears/