However, Hunt and other experts warned that centralized, large-scale NAT has many dangers. The systems that perform the translation could become bottlenecks if asked to process too many requests. Having so many users share a single IPv4 address might also cause errors and security problems. For example, if a host suffers a DoS (denial-of-service) attack from a user behind the NAT device, it might attribute the attack to the shared IPv4 address and respond in a way that affects every user sharing that address, according to Verizon's Schiller. That could even mean all of those users getting blocked for a few minutes.
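To make the shared-address problem concrete, here is an added example (not from the article or from Verizon) that simulates a server-side rate limiter under large-scale NAT. The traffic, the NAT address 203.0.113.7 (a documentation range) and the subscriber names are constructed; the session token stands in for whatever per-client identifier the server can use, such as an authenticated session cookie, which is an assumption about the application. Keyed on source IP, one abusive subscriber gets everyone behind the NAT throttled; keyed on session, only the abuser is affected.

```python
from collections import defaultdict, deque

# Constructed traffic: (time_s, src_ip, session, subscriber). Three subscribers share
# the carrier-NAT address 203.0.113.7, so the server only ever sees that address;
# the subscriber field is kept solely to report who was affected.
REQUESTS = []
for i in range(50):                      # "abuser" fires 50 requests in one second
    REQUESTS.append((i * 0.02, "203.0.113.7", "sess-abuser", "abuser"))
for i in range(3):                       # two well-behaved subscribers follow
    REQUESTS.append((1.0 + i * 0.1, "203.0.113.7", "sess-alice", "alice"))
    REQUESTS.append((1.5 + i * 0.1, "203.0.113.7", "sess-bob", "bob"))
REQUESTS.sort()


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit, window, key_fn):
        self.limit, self.window, self.key_fn = limit, window, key_fn
        self.hits = defaultdict(deque)   # key -> timestamps of accepted requests

    def allow(self, request):
        t = request[0]
        q = self.hits[self.key_fn(request)]
        while q and t - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True


def by_ip(req):
    """Key on the source address the server sees (the shared NAT address)."""
    return req[1]


def by_session(req):
    """Key on a per-client identifier (assumed: an authenticated session token)."""
    return req[2]


def affected_subscribers(key_fn, limit=20, window=10.0):
    """Replay the constructed traffic and return the subscribers who had at least
    one request rejected under the given keying strategy."""
    limiter = SlidingWindowLimiter(limit, window, key_fn)
    blocked = set()
    for req in REQUESTS:
        if not limiter.allow(req):
            blocked.add(req[3])
    return blocked


if __name__ == "__main__":
    print("keyed by IP:     ", sorted(affected_subscribers(by_ip)))
    print("keyed by session:", sorted(affected_subscribers(by_session)))
```

Running it prints that the per-IP limiter throttles all three subscribers while the per-session limiter throttles only the abuser. The same collapse happens with any per-address reaction (blocklists, reputation scores, CAPTCHA challenges), which is why responses keyed on a bare IPv4 address should be short-lived and, where possible, supplemented by a finer-grained identifier.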
Large-scale NAT could also make troubleshooting harder for the service provider and interfere with application acceleration or even targeted advertising, if an advertiser tried to build a profile based on a shared IP address. "If the guy next to you is into hunting and fishing, and you're not, you might start seeing ads for hunting and fishing," Schiller said.
For those reasons, Verizon hopes to avoid deploying NAT for this purpose on its own network. Instead, it recommends users set up NAT on their own premises.
Even organizations that do the right thing and deploy IPv6 may run into challenges to securing their networks, because most security systems today are built around the properties of IPv4, security experts said.
For example, there are so many addresses in IPv6 that the typical supply handed out to one organization is too large to scan for threats on the internal network. "The networks are so large that to scan a typical net block would take 5 billion years," said Misha Govshteyn, vice president of technology and service provider solutions at security vendor Alert Logic. Scanning a typical IPv4 address range takes no more than a few minutes. Govshteyn added that his company is developing a new type of vulnerability assessment that will work with IPv6 networks.
This problem isn't as bad as it might seem, because there are other methods of finding potential threats, according to Danny McPherson, vice president of network security research at VeriSign Labs. A security tool can watch activity on the network or the allocation of devices through a method such as DHCP (Dynamic Host Configuration Protocol). Not being able to scan all the IP addresses in a network does prevent discovery of passive listening devices, but those devices might resist identification anyway, he added.
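The alternative McPherson describes, building the host list from address allocation and observed network activity rather than from a scan, looks like this as an added example (not code from the article, VeriSign Labs or Alert Logic). It merges two passively available sources: DHCPv6 lease records, written here as a constructed excerpt in the style of an ISC dhcpd6.leases file (the exact file layout is an assumption), and neighbor-cache entries in the format printed by `ip -6 neigh show` on Linux, also constructed. Expired leases, failed neighbor entries and link-local addresses are deliberately excluded, and the 2001:db8::/32 documentation prefix is used throughout.

```python
import ipaddress
import re

# Constructed excerpt in the style of an ISC dhcpd6.leases file (assumed format).
LEASES = r"""
ia-na "\000\001\000\001\030\252" {
  cltt 3 2024/01/10 09:15:02;
  iaaddr 2001:db8:1::1234 {
    binding state active;
    ends 3 2024/01/10 09:25:02;
  }
}
ia-na "\000\001\000\001\030\253" {
  cltt 3 2024/01/10 08:40:11;
  iaaddr 2001:db8:1::abcd {
    binding state expired;
    ends 3 2024/01/10 08:50:11;
  }
}
"""

# Constructed output in the format of `ip -6 neigh show` on Linux.
NEIGH = """\
2001:db8:1::1234 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE
2001:db8:1::77 dev eth0 lladdr 52:54:00:ab:cd:ef STALE
fe80::5054:ff:fe12:3456 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE
2001:db8:1::99 dev eth0  FAILED
"""

LEASE_RE = re.compile(r"iaaddr\s+([0-9a-fA-F:]+)\s*\{[^}]*?binding state (\w+);", re.S)
NEIGH_RE = re.compile(r"^([0-9a-fA-F:]+)\s+dev\s+(\S+)(?:\s+lladdr\s+(\S+))?\s+(\w+)$")


def parse_dhcpv6_leases(text):
    """Return {address: binding_state} for every iaaddr block in the lease file."""
    return {str(ipaddress.IPv6Address(a)): state for a, state in LEASE_RE.findall(text)}


def parse_neigh(text):
    """Return {address: (device, lladdr_or_None, state)} from `ip -6 neigh` lines."""
    out = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        addr, dev, lladdr, state = m.groups()
        out[str(ipaddress.IPv6Address(addr))] = (dev, lladdr, state)
    return out


def build_inventory(lease_text, neigh_text):
    """Merge both sources into {address: {"sources": set, "mac": str|None}} listing
    hosts believed alive: active leases plus neighbor entries that resolved."""
    inv = {}
    for addr, state in parse_dhcpv6_leases(lease_text).items():
        if state == "active":
            inv.setdefault(addr, {"sources": set(), "mac": None})["sources"].add("dhcpv6")
    for addr, (dev, mac, state) in parse_neigh(neigh_text).items():
        if ipaddress.IPv6Address(addr).is_link_local or state in ("FAILED", "INCOMPLETE"):
            continue   # link-local entries and unresolved probes are not inventory
        entry = inv.setdefault(addr, {"sources": set(), "mac": None})
        entry["sources"].add("ndp")
        entry["mac"] = mac
    return inv


if __name__ == "__main__":
    for addr, info in sorted(build_inventory(LEASES, NEIGH).items()):
        print(addr, sorted(info["sources"]), info["mac"])
```

The lease file gives hosts that asked for an address, the neighbor cache gives hosts that actually exchanged traffic with the monitoring point, and the union is the inventory a scanner could never produce on a /64. As McPherson notes, a device that never requests a lease and never talks will not appear in either source, which is the same passive listener a scan would also miss.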
However, there will be headaches for companies upgrading to IPv6, McPherson said. Security products for IPv6 typically are more expensive than their IPv4 counterparts because the economies of scale haven't driven down costs yet, he said.
Partly as a result of these challenges, IPv4 will be with us for a long time, McPherson and others warned. Many systems that don't get replaced often, such as industrial SCADA platforms, could remain in place using old IPv4 addresses for years, McPherson said. IPv4 will probably remain for decades.
To deal with this, Verizon's advice to enterprises is to set up dual protocol stacks, allowing users both inside and outside to keep accessing Internet resources regardless of what kind of address they have been assigned. Verizon Business offers professional services to help businesses plan and carry out a transition.
Because carriers have IPv6-capable gear ready in their networks, enterprises in the U.S. don't need to rush into an upgrade, said Hunt at Current Analysis. "If you have communication devices that are going to be in your network for the next three to five years, you're probably not going to change them just so you can go to IPv6," Hunt said. "But when you upgrade that server or that data center interconnect ... then is probably the time." He thinks the momentum toward IPv6 will pick up in the next two to three years and there will be significant progress within five to seven years.