I am SME
What's the IPv6 situation now in Hong Kong?
Hong Kong already has the internet infrastructure in place for IPv6 deployment. The Hong Kong Internet Exchange (HKIX) has been providing exchange services to support IPv6 since March 2004. As of February 2012, more than 80 organisations, institutes and Internet Service Providers (ISPs) have IPv6 connections to HKIX. Major Internet Service Providers in Hong Kong are also aware of the IPv4 address exhaustion issue, and have enabled IPv6 in their network backbone. Commercial IPv6 access services have been available since 2000. Currently a number of ISPs in Hong Kong provide commercial IPv6 services to corporate customers through Dedicated Internet Access packages or business broadband.
In terms of Internet domains, the Hong Kong Internet Registration Corporation (HKIRC), which runs the Registry that oversees registration policies for domain names ending with ".hk" and ".香港", can now support IPv6 addresses for all types of domains. The government is throwing its support behind IPv6 as well – in December 2009, over 200 government websites were IPv6-enabled. As of February 2012, most government email accounts can also receive email over IPv6.
With all the pieces falling into place, you can play a part too.
So what does your organisation need to deploy IPv6?
There are 4 checkpoints to ensure that your devices, security measures, network and other equipment are IPv6-compliant.
- Internet-enabled devices: Check if the version of operating system you’re using is up-to-date with IPv6 standards – your software manual should have that information. In general, most current operating systems, including Linux, Windows Vista or above, and Apple Mac OS X or above, are IPv6-enabled by default.
- Network devices: The devices you use to connect to the Internet, such as routers and wireless modems, as well as the Customer Premises Equipment (CPE) provided by your ISP, such as an ADSL modem, VDSL modem or cable modem, have to be IPv6-ready. Check with your software vendors and your ISP to make sure your devices' versions are able to manage IPv6 web and network traffic, as IPv6 firewalls might accidentally filter out important information.
- ISP: Your connection will be IPv6-enabled if your ISP is offering an IPv6 service. If you are not sure, check directly with your ISP.
- Hosting services: Check that the hosting service provider's equipment, including web and email servers, is IPv6-ready.
APNIC has also launched a new tool to provide information on the IPv6 readiness of the websites in your network. It is a simple script that utilises Google Analytics to measure site visitors.
The Internet Society Hong Kong is also working with Hurricane Electric to run a series of IPv6 Certification and Training programmes in Hong Kong. These feature real-world IPv6 concepts and deployment techniques, while incorporating hands-on exercises, so it will be a great starting point.
Deploying IPv6 in Your Business Network
While everyone's IT networks are set up differently, one of the most common approaches to begin IPv6 deployment is to use the dual stack method.
It implements IPv4 and IPv6 software either independently or in a hybrid form, allowing both IPv4 and IPv6 networks to work concurrently. If you need more information on dual IP stack implementation, please contact your technical consultant.
To prepare for IPv6 deployment, here are some basic questions to consider:
- Have you assessed IPv6-related risk and security and put the necessary measures in place? Are the relevant members of staff trained for IPv6?
- Has an IPv6 assessment of your ISP's infrastructure and applications been performed?
- Have you obtained IPv6 address space, with an addressing plan, from a Regional Internet Registry (RIR) such as APNIC or from your service provider?
- Are your purchasing, development and service policies and guidelines aligned for IPv6?
- Do you have a deployment and maintenance plan in place?
- Is all your network equipment IPv6-ready?
You and your service provider need to address the above questions seriously in order to effectively plan the implementation of IPv6 solutions.
The IPv6 Forum is running the IPv6 Ready Logo program to certify products that comply with IPv6 standards. It is highly recommended to buy IPv6-enabled products that bear the "IPv6 Ready" logo.
The IPv6 Forum also maintains a list of IPv6-ready equipment, so check your current and shopping list for the latest updates.
How should your organisation select a suitable Internet Service Provider (ISP)?
There are now over 180 licensed ISPs in Hong Kong. At this moment, IPv6 services are offered by PCCW Limited, Wharf T&T Limited, Hutchison Global Communications Limited, NTT Com Asia Limited, PACNET and CITIC Telecom International CPC Limited.
The path to IPv6 can be a challenging one, with different routes to different solutions, all of them unique to each company's infrastructure setup. There is not one single, easy path for all, so it is best to work closely with a knowledgeable, trained service provider who can address your requirements and current situation.
There is no big difference between selecting a broadband service provider and an IPv4/IPv6 service provider, but there are some special points you need to take note of:
- Does your service provider support IPv6 and provide IPv6 enabled services? Have you negotiated service agreements for it?
- What is the network coverage of your ISP? Does the network cover your office location?
- How many IP addresses would they provide under your contract?
- What is the speed of the provided service?
If you would like to know more, please refer to the broadband tips from OFCA.
Fundamentally, the IPv6 protocol was designed to address some of the security problems found in IPv4, but it is important to note that not all security issues have been solved.
Transitioning Securely to IPv6
Since most organisations cannot change all their networks to IPv6 overnight, IPv6 will be gradually deployed while IPv4 is supported for legacy clients and services. This presents a challenge, since a dual-protocol environment increases complexity and, potentially, security risk.
If you're interested in knowing more about IPv6 security, the U.S. Department of Commerce's National Institute of Standards and Technology has made its Guidelines for the Secure Deployment of IPv6 downloadable to the public.
In addition, it is critical to note that IPv6 cannot prevent certain attacks such as:
- Viruses and malicious code
- Brute-force attacks and password guessing
- Rogue (unauthorised) devices being introduced into the network
- Denial of Service (DoS) attacks
- Spamming, phishing and so on
Here are some of the best practices recommended by the HK InfoSec website in building and maintaining secure IPv6 networks:
- Use standard, non-obvious static addresses for critical systems;
- Ensure adequate filtering capabilities for IPv6;
- Filter internal-use IPv6 addresses at border routers;
- Block all IPv6 traffic on IPv4-only networks;
- Filter unnecessary services at the firewall level;
- Pay close attention to the security aspects of inter-protocol transition mechanisms.
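As an added illustration of the filtering practices listed above (this is not code from the InfoSec guidance or from this page), the following Python example classifies the source address of traffic arriving on the Internet side of a border router: internal-use prefixes are dropped, and addresses belonging to transition mechanisms are set aside for review. The function names, the "review" action and the sample addresses are assumptions made for the example; the prefixes are the standard RFC-defined ranges.

```python
import ipaddress
from collections import Counter

# Internal-use or non-routable prefixes that should never cross the border.
INTERNAL_USE = {
    "unique-local": ipaddress.ip_network("fc00::/7"),               # RFC 4193
    "link-local": ipaddress.ip_network("fe80::/10"),                # RFC 4291
    "site-local-deprecated": ipaddress.ip_network("fec0::/10"),     # RFC 3879
    "loopback": ipaddress.ip_network("::1/128"),
    "documentation": ipaddress.ip_network("2001:db8::/32"),         # RFC 3849
}
# Transition-mechanism prefixes: IPv4 carried or translated inside IPv6.
TRANSITION = {
    "6to4": ipaddress.ip_network("2002::/16"),                      # RFC 3056
    "teredo": ipaddress.ip_network("2001::/32"),                    # RFC 4380
    "nat64": ipaddress.ip_network("64:ff9b::/96"),                  # RFC 6052
}

def classify(source):
    """Return (action, reason) for a source address seen on the WAN side."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return ("drop", "unparseable")
    if ip.version == 4:
        return ("skip", "ipv4")          # handled by the IPv4 rule set
    if ip.is_multicast or ip.is_unspecified:
        return ("drop", "invalid-source")
    for name, net in INTERNAL_USE.items():
        if ip in net:
            return ("drop", name)
    # A 6to4 address embeds an IPv4 address; a private one cannot be genuine.
    if ip.sixtofour is not None and ip.sixtofour.is_private:
        return ("drop", "6to4-private-v4")
    for name, net in TRANSITION.items():
        if ip in net:
            return ("review", name)
    return ("allow", "global-unicast")

def audit(sources):
    """Count the actions a border filter would take for a list of sources."""
    return Counter(classify(s)[0] for s in sources)

# Constructed sample of inbound source addresses (not real traffic).
SAMPLE = ["fd12:3456:789a::1", "fe80::1", "2002:c0a8:101::1", "2002:808:808::1",
          "2001:0:4136:e378:8000:63bf:3fff:fdd2", "2400:1234:5678::1", "ff02::1"]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, *classify(s))
```

The same prefix tables can be used to review an existing firewall rule set: every entry in `INTERNAL_USE` should have a matching drop rule on the border interface.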
If you need more advice, you may consult your ISP or technical consultant for any IPv6-related security issue. For common technical information on deploying IPv6, please visit the FAQ.
1. OGCIO - http://www.ogcio.gov.hk/en/business/tech_promotion/ipv6/ipv6_development_in_hk.htm
2. HKIRC - https://www.hkirc.hk/content.jsp?id=279
3. IPv6INT.net - http://ipv6int.net/systems/
4. APNIC - http://www.apnic.net/publications/news/2011/ipv6-tracker
5. ISOC HK - http://www.isoc.hk/IPv6%20Deployment.pdf
6. InfoSec HK - http://www.infosec.gov.hk/english/technical/files/ipv6s.pdf