Gartner Blog Network

Guest Blogger: Lawrence Orans on IPv6 and Security

by John Pescatore  |  June 11, 2010  |  5 Comments

Back in 1798, Thomas Malthus published “An Essay on the Principle of Population” and made the famous Malthusian Prediction:

… the power of population is indefinitely greater than the power in the earth to produce subsistence for man.

About 200 years later, many began predicting that the lure of the Internet is indefinitely greater than the power in IPv4 to produce IP addresses for humankind. Thus, IPv6 was born.

Now,  just as Malthus underestimated humankind’s ability to get more efficient at food production, many underestimated cyber-kind’s ability to squeeze more use out of IPv4’s range of IP addresses. Below, Gartner analyst Lawrence Orans comments on recent news in the IPv6 area:

IPv6 stories always get my attention, and Cisco’s blog post earlier this week is no exception. Cisco announced IPv6 support for its IronPort Email Security portfolio. Anytime a major vendor delivers IPv6-based services or products, it can only help to advance the IPv6 cause. Still, I can’t help but wonder how this story might get overhyped and misinterpreted , as is the case so often with IPv6. For example, just retweeting the blog headline  “So Long v4! Here’s to v6 Being Secure! “ could be misleading.

Below are a couple of points to keep in mind about IPv6 adoption and security issues:

Yes, the IPv4 address space is running low. But, Gartner receives very few inquiries about IPv6. Why? Because most enterprises are not feeling any pain from IPv4. They are using private IP addresses, network address translation (NAT) and DHCP – which is a very efficient approach to managing an IPv4 address space. That’s the approach utilized worldwide, even in the Asia-Pacific region, which is definitely IPv4 address constrained. Enterprises in AP are running the same packaged applications(from Oracle, SAP, and others) that are not v6-compatible, and they are also using NAT and DHCP, and they are managing just fine.

Many security solutions don’t support IPv6 very well today. Many IPS vendors are “light” with their IPv6 signatures and v6-based anomaly detection is also light. Support for IPv6 amongst SIEM vendors varies widely. And then, there’s network management – how well does your console support IPv6?

Sure, IPv6 holds great promise. The initial benefits will be toservice providers who that support IPv6-enabled mobile devices. That means that IPv6 will be deployed first in service provider networks and external networks well before it is implemented in internal enterprise networks. Which means that you need to be paying attention to IPV6, but there is still no need to panic – IPv4 will be around for a very long time.

Lawrence Orans

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems… Read Full Bio

Thoughts on Guest Blogger: Lawrence Orans on IPv6 and Security

  1. John Curran says:

    “Yes, the IPv4 address space is running low. But, Gartner receives very few inquiries about IPv6. Why? Because most enterprises are not feeling any pain from IPv4.”

    It’s quite true: enterprises will not feel any pain from IPv4 depletion (after all, they are already connected to the Internet) and this will continue right up until depletion occurs and service providers have to make use of IPv6 to continue their growth. This means that the effect on enterprises will occur very suddenly, and in potentially unpredictable ways. You do not know if its your latest online application to be impacted (because new broadband users over IPv6 lack security or geolocation information when gatewayed into IPv4) or whether it will be a new innovative business partner that you want to leverage but can’t because they only can get connected via IPv6.

    The good news is that there are strategies you can employ today to mitigate these risks, and many organizations are doing exactly that type of planning including the hundreds of organizations that participated in World IPv6 Day on June 8 of this year . The depletion of the free IPv4 address space will dramatically impact the entire Internet, even those enterprises already connected, and despite the lack of inquires about it from enterprises today.


    John Curran
    President and CEO

  2. Keith Moore says:

    I also think it’s a stretch to say that enterprises do not feel any pain from the current situation of IPv4 depletion.

    Many enterprise networks have been dealing for many years with operational difficulties caused by needing to interconnect between multiple networks, each behind NATs, each using private IPv4 address space. Granted, this is not new pain. But for some enterprises, it is a signifiant burden.

    Also, the depletion of IPv4 address space threatens new enterprises which need public Internet presence, particularly if their business model requires more public presence than email and a web site.

  3. Jeff Doyle says:

    Most existing enterprises will continue to happily grow behind their NATs using private IPv4 addresses, unaffected by IPv4 address depletion. But the Internet’s engine of growth has always been the combination of a) convenient, cheap network access (PCs, laptops, tablets, handhelds); b) relatively cheap bandwidth (cable, DSL, and mobile); and c) easy access to information and services (“the web”). That enormous pool of users is the driver for most businesses to create a public presence on the Internet.

    And IPv6 is the only way to sustain the growth of that pool of potential business customers. Rapidly increasing numbers of end-users will be accessing enterprise services either using native IPv6 or through some IPv4 kludge like Large-Scale NAT.

    So while IPv4 address depletion and the ever-elusive “IPv6 killer app” do not make a compelling case for internal IPv6 deployment, businesses are well-advised to look to their edge services now and insure that they are prepared for the changes in how new customers reach them.

    Jeff Doyle
    Jeff Doyle and Associates, Inc.

  4. What a difference a year makes. While we still don’t hear a lot about IPv4 “pain” from our clients, they are engaging us far more frequently on IPv6-related topics. For example, last month, searches on for IPv6 content increased approximately 100% over the same period in 2010. Press coverage on IANA depleting its IPv4 address space in February, and recent coverage of World IPv6 Day has helped to raise awareness of the issues. Since my blog post from last year, Gartner has updated our position on IPv6 (the title says it all Internet Protocol Version 6: It’s Time for (Limited) Action), and we will soon publish a note about IPv6-related security issues. I track IPv6 mainly from a security perspective, and the feedback that I receive from security vendors is that, outside of government agencies, they see very little IPv6 push from their customers. As a result, IPv6 support overall remains relatively untested in production environments and is even absent from many security products on the market today. However, Gartner believes that once market forces mature (in other words, once it becomes a money making opportunity), security vendors will be able to respond quickly and strengthen their IPv6 support.

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.