Policy makers and standards bodies have long been trying to push IP networks worldwide to switch to IPv6. At the time of publication, according to the Internet Society, only 45% of the top 1000 websites on the Internet support IPv6. While this is lower than what we would hope to have seen, progress has been steady. IPv6 is a key element to ensuring secure and seamless access to information for users everywhere as enterprises embrace digital transformation. Zscaler has been steadily upgrading our Zero Trust Exchange to ensure you are ready to move to an IPv6-only future.
Is 6 better than 4?
The Internet today uses two versions of addressing and routing schemes to identify devices and forward traffic: version 4, also known as IPv4, which uses 32 bit addressing, and version 6, also known as IPv6, which uses 128 bit addressing. IPv6 was developed and deployed in response to an anticipated shortage of IP addresses. Even though IPv4 supports 4.3 billion unique addresses, the address space is allocated in hierarchical chunks which makes it difficult to ensure everyone has enough addresses. Large chunks of the address space are reserved for special use, such as private addresses or multicast which further reduces the number of available addresses.
The use of private addresses in offices and homes and Network Address Translation (NAT) has given us some reprieve on the address space problem but it’s not going to last us forever. As more and more aspects of our daily lives become digitized and more users and devices come online, the pressure on address space usage is already growing. The right answer to this is the eventual migration of the entire Internet to IPv6. However, that's easier said than done. The Internet is vast and global, with many different entities, businesses and policy makers driving best practices. The IPv4 Internet is going to continue to exist in far corners of the world for a very long time.
Ships in the night
While IPv6 solved the address shortfall, it also addressed a few more limitations of the original IPv4 protocol. An unfortunate consequence is that the two versions of IP do not interoperate. Networks on the Internet have to make a choice between running only IPv4, dual stack with both IPv4 and IPv6, or only IPv6. Dual stack networks support maximum compatibility but don’t help with the IPv4 address space exhaustion problem since every device needs both an IPv4 and an IPv6 address. So for a period of time, we will have devices on the Internet that only support IPv6 and devices that only support IPv4. When a device on an IPv6-only network wants to talk to another device on an IPv4-only network, we need to use NAT64 — which changes the outer IP header so that the payload can be carried between the two networks. Until the entire Internet is 100% transitioned, IPv6-only networks will require a NAT64 function somewhere to ensure they can still communicate with IPv4 devices and services remaining on the Internet.
Another key element of the IPv6 transition is DNS. IPv6 endpoints typically issue DNS AAAA queries, looking for IPv6 destinations corresponding to a domain name. If the destination exists, the DNS resolver is able to return the corresponding AAAA record. However when there is no available IPv6 destination for that domain, the resolver can use a mechanism called DNS64 to synthesize a AAAA record from an IPv4 address record using a special well-known (or configurable) IPv6 prefix. This allows IPv6 and dual stack endpoints to connect to IPv4-only endpoints.
Current state of IPv6
According to Google, over 40% of users are now able to access Google services over IPv6. This number has been growing roughly linearly since 2017. On a per-country basis, we see IPv6 availability has crossed 50% in the US and close to 70% in India.
Global IPv6 adoption statistics from Google
Source: https://www.google.com/intl/en/ipv6/statistics.html
While the march towards IPv6 is trending in the right direction, it is also highly uneven across geographies, which means IPv6 and IPv4 will have to coexist on the Internet for a very long time.
Policy makers globally are introducing federal mandates to force a speedier shift to IPv6. In the U.S., the Office of Management and Budget (OMB) has set forth a transition schedule for federal agencies to develop a staged plan towards full IPv6 implementation by the end of 2025. Similarly, the National Telecom Policy in India required a full migration of all government systems to dual-stack IPv6 by 2017.
Zero Trust Exchange
Zscaler’s Zero Trust Exchange is designed to connect any user or device to any application, based on identity and context, regardless of the underlying network connectivity — whether it is IPv4 or IPv6.
Enterprises that are deploying IPv6-only networks can use the Zero Trust Exchange to connect users and devices to IPv6-only or dual-stack applications. The Zscaler Client Connector (ZCC) will tunnel IPv6 client traffic over Z Tunnel 2.0, and deliver it to a Zscaler Data Center over the IPv4 Internet. Note that if you’re running an IPv6-only network, this will require a NAT64 function to ensure that this traffic can be routed through “IPv4 islands” on the Internet to a Zscaler Data Center.
The Zero Trust Exchange can inspect the IPv6 request, and proxy it to the website or SaaS application over either IPv6 or IPv4, depending on what the service supports. Note that the Zero Trust Exchange will prefer IPv4 when both options are available.
Source Solution brief
The Zero Trust Exchange also supports an IPv6-aware DNS resolver that can synthesize AAAA records for IPv4 destinations using the DNS64 mechanism. See Zscaler DNS64 documentation for additional details.
|
Client type |
Destination type |
Forwarding mode |
Support details |
|
IPv6-only |
Dual stack Internet destination |
Z Tunnel 2.0 |
End-to-end IPv6 supported, but ZIA will prefer IPv4 destination and fall back to IPv6. [Note: tunnel over the Internet must be IPv4 to ensure reachability to Zscaler data centers.] |
|
|
Dual stack Internet destination |
Z Tunnel 1.0 |
Supported with NAT64 between customer network and Zscaler. Note that this method will connect to the IPv4 service. |
|
|
IPv6-only Internet destination |
Z Tunnel 2.0 |
End-to-end IPv6 supported. [Note: tunnel over the Internet must be IPv4 to ensure reachability to Zscaler data centers.] |
|
|
IPv6-only Internet destination |
Z Tunnel 1.0 |
Not supported. Recommend switching to Z Tunnel 2.0 for full support. |
|
IPv6-only |
IPv6-only private destination (ZPA) |
DTLS |
End-to-end IPv6 support for TCP apps. [Note: tunnel over the Internet must be IPv4 to ensure reachability to Zscaler data centers.] |
|
|
IPv4 private destination (ZPA) |
DTLS |
Support for TCP, UDP and ICMP apps. [Note: tunnel over the Internet must be IPv4 to ensure reachability to Zscaler data centers.] |
|
IPv4 |
IPv6-only Internet destination |
Z Tunnel 2.0 |
Supported with ZIA initiating an IPv6 connection with the destination service. [Note: tunnel over the Internet must be IPv4 to ensure reachability to Zscaler data centers.] |
|
|
IPv6-only Internet destination |
Z Tunnel 1.0 |
Supported for web traffic, with ZIA initiating an IPv6 connection to the destination service. [Note: tunnel over the Internet must be IPv4 to ensure reachability to Zscaler data centers.] |
|
|
IPv6-only private destination (ZPA) |
DTLS |
Support for TCP apps. [Note: tunnel over the Internet must be IPv4 to ensure reachability to Zscaler data centers.] |
For a full list of data centers that have been enabled with IPv6, please consult Zscaler documentation.
Zscaler Private Access (ZPA)
Zscaler Private Access (ZPA) supports IPv4 for TCP-, UDP-, and ICMP-based connections, and supports IPv6 for TCP-based applications. App Connectors, ZPA Public Service Edges, and ZPA Private Service Edges are dual stack aware, meaning IPv4 and IPv6 run simultaneously alongside each other. For additional details on ZPA support, see Zscaler documentation.
Client Connector Support
Zscaler highly recommends using Zscaler Client Connector as your preferred forwarding method for IPv6 traffic whenever feasible. ZCC supports dual stack IPv4 and IPv6 forwarding. Customers using Z-Tunnel 2.0 will be able to tunnel traffic from IPv6-only clients to a Zscaler data center, allowing end-to-end IPv6-only communication between clients and destinations. Customers using Z Tunnel 1.0 will need a NAT64 function to reach a Zscaler Data Center over the Internet since this method does not use encapsulation. See Zscaler documentation and ZCC release notes for the latest support details for IPv6.
Next Steps
Zscaler IPv6 support will enable customers to continue along on their network and security transformation journey and help meet IPv6 regulatory mandates. Customers wishing to enable IPv6 with Zscaler can consult the documentation for detailed steps or reach out to their support team for assistance in mapping out a deployment strategy. You can also download our new IPv6 + Zero Trust Exchange Solution Brief for more information on how Zscaler supports IPv6.
