Zivaro Blog

How to IPv6-Enable a Website Using a Content Delivery Network

There are many reasons why an organization would want to make their web site reachable over IPv6 transport.  One reason is that due to IPv4 address exhaustion and more carriers deploying Carrier Grade NAT (CGN) and Large Scale NAT (LSN), your web site may perform better with IPv6.  A second reason, related to IPv4 address […]

There are many reasons why an organization would want to make their web site reachable over IPv6 transport.  One reason is that due to IPv4 address exhaustion and more carriers deploying Carrier Grade NAT (CGN) and Large Scale NAT (LSN), your web site may perform better with IPv6.  A second reason, related to IPv4 address exhaustion, is that someday soon there may be IPv6-only end-users that may have difficulty reaching a legacy IPv4-only site.  A third reason is that, in some cases, IPv6 Internet connectivity can actually be faster than the IPv4 variety and this could be another strong motivation for enabling IPv6.  Regardless of the exact reason, the choice to make your web site accessible by the “whole Internet” using either IPv4 or IPv6 is a solid technical risk-mitigation strategy.

If you are a U.S. federal government organization, then your motivation for IPv6-enabling your site comes from guidance provided by the OMB, NIST, and the Federal CIO Council in their memorandum M-05-22 published on August 2, 2005 and the subsequent memorandum drafted by Vivek Kundra, the Federal CIO, on September 28, 2010.  As a result of this mandate, many federal departments and agencies were able to IPv6-enable their DNS, web, and e-mail Internet-facing services.

Making your Own Site Natively Reachable with IPv6

If you have your own on-premises data center and are hosting your web site locally, then there are many steps required to IPv6-enable your site.  Following are some of the typical steps required to make your self-hosted web site natively reachable to the Internet using IPv6.

  • Call your ISP and request adding IPv6 to your upstream link(s)
  • Get your IPv6 address allocation (from your RIR or from your ISP)
  • Advertise that IPv6 address block to your upstream ISP(s), and verify Internet reachability
  • Configure IPv6 addressing to and through your firewall, adding the minimum permit policies
  • Configure IPv6 addressing on your web server and testing Internet reachability
  • Add IPv6 address(s) to your authoritative DNS server(s) for your web site, and test as necessary

These steps may be similar if you are hosting your public web site at a colocation facility on your own servers.  But what would you do if your marketing department has put your company’s web site on an IPv4-only hosting provider?

If you are using a cloud service provider or a hosting provider to service your web site, then you are reliant on that service provider for IPv6-enabling your site.  In the best case, you can contact your IPv6-capable cloud provider, like AWS, to request assistance enabling IPv6.  In the worst case, you may be in the difficult situation of having to change service providers to one that offers IPv6 Internet connectivity along with IPv6 web server application support.

Content Delivery Networks and IPv6

If your organization’s own data center or cloud service provider does not yet support IPv6 connectivity for your web site, then one technique you can employ to gain IPv6 support is to use a Content Delivery Network (CDN).  Content Delivery Networks (CDNs) leverage their globally distributed network footprint to cache static and streaming content provided by their customers to end-users worldwide.  CDNs help accelerate the delivery of the online content to the end-users providing a better experience by facilitating a high-performance and high-redundancy service.

The CDN will cache the content of your web site and then deliver it to your clients over both IPv4 and IPv6.  Your web site that is on the back-end of the CDN provider’s proxy function can remain IPv4 for service of the content, but to the Internet-based user, the site would appear as if it were IPv6-reachable.  This is a technique that many U.S. federal organizations used to help them meet the September 30, 2012 IPv6 Internet-edge deployment mandate.

CDN companies have been quick to realize the benefits of using IPv6 to facilitate connecting their customer’s content to clients.  Therefore, most of the larger CDN providers made early progress on their IPv6 offerings and now many offer IPv6 connectivity for their customer’s content.  In some cases, configuration of the IPv6 functionality is a simple check-box on a web form that the content owner submits when establishing CDN service.

Note: There can be many more IPv6-enabled CDNs.  This was a list of the larger CDNs offering IPv6 connectivity to their customers that my personal research revealed.

CloudFlare IPv6 Enabled CDN Service

One notable CDN that has been a strong proponent of IPv6 is Cloudflare.  Cloudflare has been on the forefront of IPv6 adoption and several years ago started automatically enabling IPv6 for their customer’s content.  By making IPv6 the default setting, this helped their customers unknowingly implement it and it seamlessly worked.  Because most web browsers on computers and mobile devices use the Happy Eyeballs algorithm (RFC 6555), they connect using the best performing IP protocol version.  This occurs transparently to the user and they have happy eyeballs because they have better end-user experience.  CloudFlare made IPv6 the default and required you to manually disable IPv6 and have an IPv4-only web service. During that change you would have seen the following error message when deviating from the defaults:

As a result of making IPv6 the default, in June of 2016, Cloudflare observed a point where IPv6 surpassed IPv4 connections.  The following graph tweeted by Matthew Prince (@eastdakota) shows the crossover between IPv6 and IPv4 occurring in the Summer of 2016.  After years of this practice of enabling IPv6 by default, 98% of Cloudflare’s customers use IPv6.

Dani Grant, product strategy team memeber from Cloudflare, will be presenting “IPv6 – A View From The Edge” at the 2017 North American IPv6 Summit at LinkedIn’s headquarters in Sunnyvale, CA on April 25-26.

Dual-Protocol Reachable Content Increasing

The good news is that, despite many large CSP’s and CDN’s historic lack of IPv6 connectivity, the number of web content providers and popular web sites accessible over IPv6 transport has significantly increased.  Many have had concerns that a lack of IPv6 service by the largest CSPs would prevent the Alexa 1M from reaching higher IPv6 adoption rates.  However, now over 19% of the Alexa top web sites have a AAAA DNS record.  Dan Wing, protocol architect, long-time IPv6 advocate and co-author of Happy Eyeballs IETF RFC 6555, has created a site that automatically calculates this statistic every day.  You can see how the numbers have risen from 9% just a year ago to around 18% in 2016.  From Dan’s data set you can see a spike in dual-protocol web sites during World IPv6 Day, a rise after World IPv6 Launch, and a dramatic increase since August of 2016.  Eric Vyncke, Distinguished Engineer with Cisco, my friend and co-author, also collects this type of IPv6 usage data. His site shows this pattern of IPv6 adoption across all countries.

Source: Eric Vyncke, https://www.vyncke.org/ipv6status/plotsite.php?metric=w&global=y&pct=y

Remember, for every web page loaded over IPv6, that is one less web page loaded over IPv4.  There is evidence that the tipping point of more connections using IPv6 compared to those using IPv4 is nearing.  IPv6 usage is accelerating and starting to slow the growth of IPv4 usage.

Summary

CDNs provide many valuable features to their customers.  In addition to caching and broadening the reach of your web site content, they can also provide DDoS mitigation services, Web Application Firewall (WAF) capabilities (among other features).  You may choose a CDN provider to help you secure and improve the performance of your web site.  But using a CDN would also be an easy way to provide an IPv6-face to that same web site.  Furthermore, not all the CDN’s service may support IPv6.  For example, maybe their CDN services support IPv6, but their DDoS mitigation services operate only with IPv4.

Using a CDN to provide an IPv6 face on an IPv4-only site may not be the idealized end-to-end native IPv6 connectivity we are ultimately seeking to achieve.  However, using a CDN to at least provide some IPv6 connectivity to your web site is a start and a step in the right direction.

This post originally appeared on Infoblox community: https://community.infoblox.com/t5/IPv6-CoE-Blog/Using-a-Content-Delivery-Network-to-IPv6-Enable-your-Site/ba-p/9528.

Scott Hogg is the Chief Technology Officer (CTO) for GTRI.