assume v6 available, average cost to implement

Eric_Brunner-William · August 3, 2011, 3:14pm

Folks,

In the never ending game of policy whack-a-mole, we are offered the claim that
that the cost to a small to medium business to make its operational purpose
v6 address enabled is in the mid-five figures.

For those of you who do smb consults, some numbers to make a hypothetical
shop consisting of a quarter rack of gear running nothing more goofy than
a couple of applications on a couple of ports, basicially, a dbms plus a
bit of gorp, say in central Kansas, to which some provider, say Kansas
Telekenesis and Telefriend has just made v6 happy.

Having renumbered hq.af.mil some time ago, I'm expecting the 50k bogie to
add colons to some retail insurance office or mortuary in central Kansas
to be on the exceedingly good dope high side.

Thanks in advance for real numbers, which I'll sanitize before using to
attmept to keep one policy playpen slightly less crazy than normal.

Eric

Pete_Carah · August 3, 2011, 7:53pm

I have dual-stacked 4 networks so far, 3 small (soekris freebsd router)
and one larger (3 7206vxr, all border+core). The first small one
started with the soekris in v4-only (comcast), added a tunnel and then
took a week or two of evenings to straighten out. The second (also
comcast v4-only) changed out a netscreen to the soekris when we
multihomed, then added a v6 tunnel and dual-stacked all 10 internal
vlans; this took a few days of my time spread over a week or two (never
v6-enabled the xp or win2003 systems, though. Linux, BSD, and
vista+win7 all "just worked". I'm not sure if samba is properly
v6-configured yet but it doesn't (so far) matter). The third small one
took one evening (it was a duplicate of the first small one, both
single-homed home systems with soekris freebsd routers.)

The 7206 one is still progressing without (so far) a v6 IGP, and only a
few vlans actually dual-stacked. It does have BGP6 working on two of
the borders (and ibgp to all 3) so the system is native and not tunneled
(except for one remote location with a v4-only T1 connection).

So the most for a "small business" size system was the home one with the
learning curve at maybe 2 weeks of evenings (probably 30 hours). The
last was probably 4.

-- Pete

Ray_Soucy · August 4, 2011, 3:50pm

As much of an IPv6 advocate as I am, I think the TCO for the SMB
regarding IPv6 is often cost- prohibitive. Not because of CapEx, mind
you, but OpEx. That's something we need to fix within the next year
if we want to see real IPv6 adoption.

Strong IPv6 knowledge is still very rare, especially in the SMB IT workforce.

Right now, deploying IPv6 doesn't mean just deploying one technology
but several. Do you have an IPv6 firewall? IPS? IPv6 address
management solution? Monitoring? Security Policy? The list goes on.

To be honest, I'd put the TCO of IPv6 for an SMB to be much closer to
six figures than five.

There is simply no good solution for them right now. Remember that
for IPv4, most of the systems mentioned above are provided through a
unified, inexpensive, and easily managed, multi-function firewall. No
such product exists for the IPv6 world, at least not in a mature
state; so the knowledge required is much higher; the number of systems
and services required is much higher; the cost is... higher.

I'm sure a few consultants making bank on "deploying" IPv6 for
organizations without giving any thought to security, operational, or
performance concerns will be more than happy to chime in and say how
wrong I am. But trust me, the majority of SMBs aren't completely
brainless, and all you have to do is talk to them to know that they
have the exact concerns and conclusions mentioned here.

Owen_DeLong · August 4, 2011, 7:45pm

As much of an IPv6 advocate as I am, I think the TCO for the SMB
regarding IPv6 is often cost- prohibitive. Not because of CapEx, mind
you, but OpEx. That's something we need to fix within the next year
if we want to see real IPv6 adoption.

Strong IPv6 knowledge is still very rare, especially in the SMB IT workforce.

Right now, deploying IPv6 doesn't mean just deploying one technology
but several. Do you have an IPv6 firewall? IPS? IPv6 address
management solution? Monitoring? Security Policy? The list goes on.

To be honest, I'd put the TCO of IPv6 for an SMB to be much closer to
six figures than five.

You're looking at a much larger SMB than most SMBs actually are.

For a very large proportion of SMBs, replacing a single CPE device
covers the firewall, address management, and if you think they've got
IPS, monitoring, or a security policy today for IPv4, well, you're simply
delusional. There are a few CPE devices out today that can do this,
but, we definitely need more and a wider variety of feature sets.

There is simply no good solution for them right now. Remember that
for IPv4, most of the systems mentioned above are provided through a
unified, inexpensive, and easily managed, multi-function firewall. No
such product exists for the IPv6 world, at least not in a mature
state; so the knowledge required is much higher; the number of systems
and services required is much higher; the cost is... higher.

Seems to me that the SRX-100 comes reasonably close and has relatively
proximal capabilities in IPv4 and IPv6. However, at $600, it's probably
a bit on the pricey side of many SMB resources.

I'm sure a few consultants making bank on "deploying" IPv6 for
organizations without giving any thought to security, operational, or
performance concerns will be more than happy to chime in and say how
wrong I am. But trust me, the majority of SMBs aren't completely
brainless, and all you have to do is talk to them to know that they
have the exact concerns and conclusions mentioned here.

As a consultant making "bank" to some extent helping others to
deploy IPv6, I resent your generalization that we must be ignoring
all of those concerns. It's simply not true. I agree that many SMBs
aren't completely brainless, but, to say most ignores the reality that
most SMBs are someone running a shop to make money doing what
they are passionate about, such as SCUBA, sewing, or whatever.
The majority of money comes from larger SMBs, but, the vast majority
of SMBs in the US are actually single-proprietor businesses with
1-5 employees almost always without any sort of dedicated IT
person in the mix. They aren't brainless, but, networking isn't their
focus and all they know about any of those issues is the FUD they
occasionally hear on TV about someone getting hacked.

A responsible consultant will help them apply reasonable measures
to protect themselves and explain the cost/benefit tradeoffs of various
solutions so that they can make a (more) informed decision.

There may be IPv6 consultants out there deploying SMBs on IPv6
irresponsibly, but, not all of us fall into that category.

Owen