There are many reasons why an organization would want to make their web site reachable over IPv6 transport. One reason is that due to IPv4 address exhaustion and more carriers deploying Carrier Grade NAT (CGN) and Large Scale NAT (LSN), your web site may perform better with IPv6. A second reason, related to IPv4 address exhaustion, is that someday soon there may be IPv6-only end-users that may have difficulty reaching a legacy IPv4-only site. A third reason is that, in some cases, IPv6 Internet connectivity can actually be faster than the IPv4 variety and this could be another strong motivation for enabling IPv6. Regardless of the exact reason, the choice to make your web site accessible by the “whole Internet” using either IPv4 or IPv6 is a solid technical risk-mitigation strategy.
If you are a U.S. federal government organization, then your motivation for IPv6-enabling your site comes from guidance provided by the OMB, NIST, and the Federal CIO Council in their memorandum M-05-22 published on August 2, 2005 and the subsequent memorandum drafted by Vivek Kundra, the Federal CIO, on September 28, 2010. As a result of this mandate, many federal departments and agencies were able to IPv6-enable their DNS, web, and e-mail Internet-facing services.
Making your Own Site Natively Reachable with IPv6
If you have your own on-premises data center and are hosting your web site locally, then there are many steps required to IPv6-enable your site. Following are some of the typical steps required to make your self-hosted web site natively reachable to the Internet using IPv6.
- Call your ISP and request adding IPv6 to your upstream link(s)
- Get your IPv6 address allocation (from your RIR or from your ISP)
- Advertise that IPv6 address block to your upstream ISP(s), and verify Internet reachability
- Configure IPv6 addressing to and through your firewall, adding the minimum permit policies
- Configure IPv6 addressing on your web server and testing Internet reachability
- Add IPv6 address(s) to your authoritative DNS server(s) for your web site, and test as necessary
These steps may be similar if you are hosting your public web site at a colocation facility on your own servers. But what would you do if your marketing department has put your company’s web site on an IPv4-only hosting provider?
If you are using a cloud service provider or a hosting provider to service your web site, then you are reliant on that service provider for IPv6-enabling your site. In the best case, you can contact your IPv6-capable cloud provider, like AWS, to request assistance enabling IPv6. In the worst case, you may be in the difficult situation of having to change service providers to one that offers IPv6 Internet connectivity along with IPv6 web server application support.
Content Delivery Networks and IPv6
If your organization’s own data center or cloud service provider does not yet support IPv6 connectivity for your web site, then one technique you can employ to gain IPv6 support is to use a Content Delivery Network (CDN). Content Delivery Networks (CDNs) leverage their globally distributed network footprint to cache static and streaming content provided by their customers to end-users worldwide. CDNs help accelerate the delivery of the online content to the end-users providing a better experience by facilitating a high-performance and high-redundancy service.
The CDN will cache the content of your web site and then deliver it to your clients over both IPv4 and IPv6. Your web site that is on the back-end of the CDN provider’s proxy function can remain IPv4 for service of the content, but to the Internet-based user, the site would appear as if it were IPv6-reachable. This is a technique that many U.S. federal organizations used to help them meet the September 30, 2012 IPv6 Internet-edge deployment mandate.
CDN companies have been quick to realize the benefits of using IPv6 to facilitate connecting their customer’s content to clients. Therefore, most of the larger CDN providers made early progress on their IPv6 offerings and now many offer IPv6 connectivity for their customer’s content. In some cases, configuration of the IPv6 functionality is a simple check-box on a web form that the content owner submits when establishing CDN service.
- Akamai has supported IPv6 for many years now and is one of the world’s largest CDN providers. Akamai offers CDN services, but also added web security and DDoS mitigation services. Akamai has created an IPv6 Adoption Visualization site that shows which countries are using more IPv6.
- In October of 2016, AWS announced IPv6 connectivity for CloudFront, S3 buckets, and WAF services. This was just one of many IPv6-related service announcements AWS made in the Fall of 2016.
- Microsoft Azure CDN is now starting to offer IPv6 services to customers in specific regions. In the highly competitive world of public cloud IaaS, you can be sure that Microsoft Azure and AWS will strive to offer similar IPv6 services.
- BelugaCDN is a very economical CDN provider that offers competitive features at competitive prices. BelugaCDN claims to be the world’s first fully-featured IPv6-enabled CDN.
- Fastly is a modern CDN that is gaining momentum among their cloud-enabled customers. Fastly started to provide limited IPv6 services for clients last summer. Jason Evans of Fastly wrote a recent article on the benefits of enabling IPv6 with Fastly and how to configure it and test.
- Imperva/Incapsula is another CDN provider that offers IPv6 connectivity and provides security features such as WAF and DDoS mitigation for their customers.
- Limelight Networks has been a long-time supporter of IPv6 connectivity for their CDN customers. In fact, Tom Coffeen, our very own IPv6 COE teammate and Chief IPv6 Evangelist at Infoblox, formerly worked at Limelight on their IPv6 service offering.
- OVH is a Roubaix France-based service provider that offers dedicated virtual servers and cloud hosting, all with IPv6 Internet connectivity. OVH also provides an IPv6-capable SSL Gateway and CDN service.
- Verizon Digital Media Services EdgeCast CDN service offers IPv6 connectivity, similar to how Verizon and their wireless divisions provide IPv6 Internet connectivity for their customers and subscribers. EdgeCast Networks has supported IPv6 since 2012 and participated in World IPv6 Launch Day.
Note: There can be many more IPv6-enabled CDNs. This was a list of the larger CDNs offering IPv6 connectivity to their customers that my personal research revealed.
CloudFlare IPv6 Enabled CDN Service
One notable CDN that has been a strong proponent of IPv6 is Cloudflare. Cloudflare has been on the forefront of IPv6 adoption and several years ago started automatically enabling IPv6 for their customer’s content. By making IPv6 the default setting, this helped their customers unknowingly implement it and it seamlessly worked. Because most web browsers on computers and mobile devices use the Happy Eyeballs algorithm (RFC 6555), they connect using the best performing IP protocol version. This occurs transparently to the user and they have happy eyeballs because they have better end-user experience. CloudFlare made IPv6 the default and required you to manually disable IPv6 and have an IPv4-only web service. During that change you would have seen the following error message when deviating from the defaults:
As a result of making IPv6 the default, in June of 2016, Cloudflare observed a point where IPv6 surpassed IPv4 connections. The following graph tweeted by Matthew Prince (@eastdakota) shows the crossover between IPv6 and IPv4 occurring in the Summer of 2016. After years of this practice of enabling IPv6 by default, 98% of Cloudflare’s customers use IPv6.
Dani Grant, product strategy team memeber from Cloudflare, will be presenting “IPv6 – A View From The Edge” at the 2017 North American IPv6 Summit at LinkedIn’s headquarters in Sunnyvale, CA on April 25-26.
Dual-Protocol Reachable Content Increasing
The good news is that, despite many large CSP’s and CDN’s historic lack of IPv6 connectivity, the number of web content providers and popular web sites accessible over IPv6 transport has significantly increased. Many have had concerns that a lack of IPv6 service by the largest CSPs would prevent the Alexa 1M from reaching higher IPv6 adoption rates. However, now over 19% of the Alexa top web sites have a AAAA DNS record. Dan Wing, protocol architect, long-time IPv6 advocate and co-author of Happy Eyeballs IETF RFC 6555, has created a site that automatically calculates this statistic every day. You can see how the numbers have risen from 9% just a year ago to around 18% in 2016. From Dan’s data set you can see a spike in dual-protocol web sites during World IPv6 Day, a rise after World IPv6 Launch, and a dramatic increase since August of 2016. Eric Vyncke, Distinguished Engineer with Cisco, my friend and co-author, also collects this type of IPv6 usage data. His site shows this pattern of IPv6 adoption across all countries.
Source: Eric Vyncke, https://www.vyncke.org/ipv6status/plotsite.php?metric=w&global=y&pct=y
Remember, for every web page loaded over IPv6, that is one less web page loaded over IPv4. There is evidence that the tipping point of more connections using IPv6 compared to those using IPv4 is nearing. IPv6 usage is accelerating and starting to slow the growth of IPv4 usage.
Summary
CDNs provide many valuable features to their customers. In addition to caching and broadening the reach of your web site content, they can also provide DDoS mitigation services, Web Application Firewall (WAF) capabilities (among other features). You may choose a CDN provider to help you secure and improve the performance of your web site. But using a CDN would also be an easy way to provide an IPv6-face to that same web site. Furthermore, not all the CDN’s service may support IPv6. For example, maybe their CDN services support IPv6, but their DDoS mitigation services operate only with IPv4.
Using a CDN to provide an IPv6 face on an IPv4-only site may not be the idealized end-to-end native IPv6 connectivity we are ultimately seeking to achieve. However, using a CDN to at least provide some IPv6 connectivity to your web site is a start and a step in the right direction.
This post originally appeared on Infoblox community: https://community.infoblox.com/t5/IPv6-CoE-Blog/Using-a-Content-Delivery-Network-to-IPv6-Enable-your-Site/ba-p/9528.
Scott Hogg is the Chief Technology Officer (CTO) for GTRI.
