
Managing IPv6 Deployments


IPv6 is rapidly becoming an important network technology to service providers, government agencies and enterprises. Deployment of IPv6 requires new management strategies, practices and tools to enable deployment and effective operation. Because most deployments of IPv6 will be in dual-stack networks that use IPv4 and IPv6 in parallel, the IPv4 management infrastructure will be extended for IPv6 for integrated IPv4-IPv6 operation. It will be crucial for IPv6 deployments to be carefully planned and managed to ensure successful implementation and avoid significant increases in management overhead. This article provides some background information on IPv6 deployment and management strategies.


Transcript

Managing IPv6 Deployments
by Jeffrey Wheeler and Ralph Droms

Abstract

IPv6 is rapidly becoming an important network technology to service providers, government agencies and enterprises. Deployment of IPv6 requires new management strategies, practices and tools to enable deployment and effective operation. Because most deployments of IPv6 will be in dual-stack networks that use IPv4 and IPv6 in parallel, the IPv4 management infrastructure will be extended for IPv6 for integrated IPv4-IPv6 operation. It will be crucial for IPv6 deployments to be carefully planned and managed to ensure successful implementation and avoid significant increases in management overhead. This article provides some background information on IPv6 deployment and management strategies.

Introduction

Fulfilling many of the technical prophecies of the Internet's near-past, IPv6 has reached a high degree of importance and credibility and has reached the forefront of many discussions regarding NGN Architectures. The main driver behind the focus on IPv6 is the acknowledged impending exhaustion of the IPv4 address space. The consumption of IPv4 address space has been accelerated by the rapid expansion of IP into mobile devices, NGN Enterprise and Service Provider infrastructures providing Play and 4Play services, as well as the rapid growth of virtualization. Service providers are also looking at IPv6 as a way of restoring end-to-end Internet service. At the same time, the DoD 2008 mandate for IPv6 readiness, along with similar mandates from other countries and international organizations, has stimulated development of IPv6 deployment solutions.

Although network devices have had IPv6 since the late 10s, the focus on Network Management for IPv6 has only recently been a 'hot topic.' The management of IPv6 deployments is not as simple an effort as extending existing IPv4 management solutions to accommodate a longer IPv6 address space. IPv6 is not just a single new protocol but an entirely new technical solution with many protocols and services being introduced.

Hence the management of IPv6 is not about managing a new network 'feature' or 'functionality' but about managing a fundamentally new IP paradigm truly supporting end-to-end services with full mobility and other advanced features. Eventually the focus will then be on network management tools becoming 'IP agnostic', which will introduce abstraction layers new to applications and developers of IP management solutions.

The introduction of IPv6 into an existing IPv4 infrastructure creates new complexities for network management such as:

  • Managing the actual transition process itself. The standards bodies have yet to facilitate a standardized approach for the deploying and managing of IPv6 infrastructures, which has led in part to several vendor specific proprietary solutions and BCPs.
  • Requirements for additional institutional knowledge in support staff
  • Managing nodes' transitions from IPv4 to IPv6 entities
  • Management and design strategies for the new addressing structure, hierarchy and attendant policies
  • The introduction of additional DHCP and DNS services for IPv6 and the management of those
  • Managing the coexistence of the IPv4 and IPv6 security infrastructures
  • Tool visibility, insight and analysis into utilization specific to IPv6 traffic and utilization that is a part of the whole IPv4/IPv6 traffic load and performance stats.

Regardless of the size or purpose of the deployment of an IPv6 network, there will be a workload increase on all staff from the architects to the administrators. Most initial deployments will be dual-stack based, in which IPv6 is deployed in parallel with an existing IPv4 network. Those dual-stack networks may, in fact, require more than twice as much effort to manage as an IPv4 network, because the IPv6 network will essentially be a parallel network that interacts with the IPv4 network. The challenge in network management of these dual-stack networks is to reduce the cost of operation as close as possible to the cost of running an IPv4 network.

IPv6 Network Management Strategy

Creating a High Level IPv6 Management Strategy

To address the complexities introduced by the deployment of IPv6, a high level IPv6 management strategy should be developed before beginning an IPv6 deployment. The first step in that strategy is the development of subject matter expertise in IPv6 and IPv6 management in network operations staff. While IPv6 operates much like IPv4 and provides similar services, the details are different, and operations staff will need to learn those details to deploy and operate IPv6. An IPv6 management strategy will focus on appropriate standards for architecture and designs incorporating current RFCs and Drafts. Vendors can contribute to a strategy through sharing experience and BCPs, and by providing management tools that offer:

  • Handling the 128-bit IPv6 addresses with multiple formats and expressions and allow for multiple datatypes in databases.
  • Facilitate management of the expanded address scoping and hierarchy introduced by IPv6
  • The ability to manage multiple addresses on each interface / sub-interface including a mix of IPv4 and IPv6 addresses
  • Manage and provide for auto configuration
  • Manage the dual-stack deployments fully

Managing the Transition

Every network will have a transition period during which IPv6 is deployed and tested before the IPv6 service is considered to be fully operational. Management of this transition includes the architecture of the IPv6 service, which may combine full IPv6 service to parts of the network with IPv6 transport over IPv4 where full IPv6 service is not required, accommodation of legacy devices and services that may not be upgradeable to IPv6 and integration of IPv6 capabilities into legacy management tools for management of the actual IPv6 deployment for the duration of the transition period.

There are a number of tacit assumptions that can be considered reality for most IPv6 transition management strategies and transition architectures:

  • Many, if not all, of the transition management tools and processes will undergo evolutionary change as the IPv6 infrastructures are moved from conception to maturity.
  • IPv6 management will support multiple (and evolutionary as well) transition mechanisms for IPv6 like DSTM, SSTM, NAT-PT…
  • Most of the efforts involved in managing the IPv6 transition process and period will be new to the management lifecycle established for IPv4 networks.
  • Separate data repositories specific to the transition period will need to be created and managed.

The transition management will need to take into account the most likely phases that will be found in all Transition Strategies:

  1. Management of the Dual-Stack environments
  2. Management of the integrated use of tunneling solutions, which by default then presents the IPv6 infrastructure as an overlay to the initial IPv4 transport; and presents new scenarios for
  3. The management of translators which will no doubt be deployed in the final phases of the transition period.

Developing and Integrating an IPv6 Event Management Strategy

It is assumed that the initial rollouts of IPv6 management will focus largely on events as any additional processes and methodologies for management of IPv6, the harmonized IPv4/IPv6 environment and the transition aspects are developed. Following are a number of key recommendations applicable to any new IPv6 hybrid deployment:

  • Determine and document what IPv6 events are key and critical to initial rollouts
  • Identify sources for all of the IPv6 events determined and categorize against available tools. For example:
      o Are there available tools to manage these events?
      o Are there standard MIBs or proprietary MIBs for these events?
      o Is RMON supported for these events?
  • Map the IPv6 events and the flow of events to the identified tools. IPv6 events as in most cases IPv6 will initially be run in a dual-stack environment and as an overlay on the existing IPv4 transport infrastructure.
      o Key is to separate the IPv4 events from the IPv6 events
  • Perform a gap analysis and identify any new IPv6 events that will need additional tools not yet identified.
  • Integrate the initial toolsets and results into a common reporting solution.
  • Create a Correlation solution to transfer the intelligence from the IPv4 event data to the IPv6 environment and the reciprocal. This will be a key aspect of the overall strategy and will be required if the intent is to reduce the TCO and mitigate admin's time.
  • Consider the entire process as iterative.

Refine the IPv6 Event Management Strategy as each 'lessons learned' phase is passed. The refinement of the IPv6 Event Management Strategy will go through several large-scale changes as the infrastructure moves from a dual-stack through to the final IPv6 primary and native environment. The Event management strategy must not be viewed as a closed canon but as an evolving and living strategy. Initially the strategy will have a total and exclusive IPv6 focus but must migrate to being IP agnostic. Focusing initially on the goal of being IP agnostic will present a scope (and scope creep) that is so large that the effort will not likely find completion.

IPv6 Management Issues and Concerns

Within an overall IPv6 management strategy there are key areas of technical detail that should be included in any initial IPv6 management strategy and resulting task list. The areas listed below provide high-level identification of efforts that could each launch a separate article in and of themselves but for the sake of brevity we'll address them here in abbreviated form:

  • Renumbering impact on ACL policies and Reflexive ACL support strategy. Since IPv6 addresses do not follow the convention or model of IPv4 addresses, any management application or reporting tool will require rewrites to the code base.
  • Distributed IPv6 management integration: Given the relative immaturity of the management designs and solutions, the initial IPv6 management solutions will no doubt be centralized and operated from a 'command and control' paradigm. Focus should be made upon the need to move quickly to a distributed environment with that new IPv6 distributed management solution integrated with other legacy solutions. This rapid migration from a centralized to a distributed management strategy should be well documented and build upon the lessons learned early in the centralized deployment. Since the IPv6 management strategy will include the initial dual-stack deployments, and since these dual-stack deployments will eventually give way to native IPv6, the management strategy implementation must keep in lockstep with the actual IPv6 rollouts in network designs. Coordination is critical.
  • Security Management considerations for both IPv4 and IPv6 because of IPv6
      o Firewall updates for IPv6 security strategy and reporting must be planned for and should address and incorporate impacts to both IPv4 and IPv6. This of course assumes that the network architects and designers are working closely with the IPv6 security folk. Serious consideration must be given initially to hardware and network designs that could exacerbate an already fragile and exposed IPv4 network infrastructure. Without a well-reasoned design the IPv4 infrastructure could be impacted and put at risk by any IPv6 attack or penetration.
      o Security exposure of IPv4 due to the complexity and additional code required to support IPv6. This exposure is not just limited to operational equipment but includes those management platforms and solutions that are being introduced to support IPv6 in dual-stack deployments.
      o The introduction of new avenues for security risks due largely to the inexperience with IPv6 of network admin and design staff.
      o Tools and processes that identify reconnaissance attacks by blocking information to attacker at any and all IPv4/IPv6 points.
      o Enhanced policy management and AAA management for IPv6 limiting the exploitation due to unauthorized access
      o Mitigate IPv6 routing information and IPv6 routing protocol attacks and spoofing. Ensure that IPv6 routing information is given the same security and management considerations as IPv4 even though IPv6 traffic is moved initially over an IPv4 transport. Do not assume that since the transport most likely will be IPv4 that the transport will not be a viable target.
      o Since IPv6 offers a radically new and more complex header architecture, the IPv6 management strategy must identify header manipulation attacks at the least.
      o Smurf attacks will always be a concern regardless of IPv4 and / or IPv6.
      o Coincident with IPv6 rollouts are advanced network services and applications. This mandates that a management strategy should focus on spoofing attacks at all layers of applications and services.
      o ARP and DHCP attacks (mixed IPv4 and IPv6) should be assumed given the dual-stack architecture.
      o Since initial IPv6 deployments will not be fully automated, the IPv6 management strategy should identify application layer attacks and rogue devices and apps in the most automated way possible.
  • IPv6 will place new and immediate demands on syslog type solutions due to ICMP changes for IPv6. ICMPv6 is new for IPv6. Traditional tools and home-grown scripts will need to be scrutinized for necessary changes to support IPv6. The level of effort put into this aspect of any IPv6 management solutions will be on par with the Y2K efforts looking for issues deep in code.
  • Assuming a dual-stack architecture, focus on separating management strategies as if the IPv6 network were a virtualized network. Cisco provides a well articulated 'network virtualization' strategy with multiple BCPs that can be utilized to set up this initial management solution for IPv6. Following are some key elements included in this Network Virtualization architecture:
      o Access Edge IPv6 strategy
      o IPv6 transport strategy
      o Core and Services IPv6 management strategy
  • The lack of 'backward compatibility' of IPv6 management tool roll outs based on legacy IPv4 code bases. Immediate demands for management tools required for DoD and Federal IPv6 compliance could lead to disparate products under the same product heading.

Summary

As seen, IPv6 poses considerable challenges to any network infrastructure and management strategy. IPv6 Network Management tools and solutions will evolve slightly behind the standards as well as network equipment IPv6 features and functionalities. IPv6 instrumentation roadmaps in products traditionally take 18 month plans. This pushes the impetus and importance of IPv6 management initially to scripting tools, CLI and existing IPv4 code-base tools. The evolution of IPv6 management solutions and tools will pace the migration from IPv4 to dual-stack to native IPv6 implementations.

IP NGN ARCHITECTURE THOUGHT LEADERSHIP JOURNAL - Q1 FY2010
CISCO PUBLIC
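The event-management recommendations above (separate the IPv4 events from the IPv6 events, correlate the two, and handle IPv6 addresses written in multiple formats) can be sketched as follows. This is an added example, not code from the article or from any Cisco tool; the log lines, host names and inventory are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample events: the same dual-stack host appears under several
# textual forms of its addresses (expanded, compressed, bracketed, IPv4-mapped).
SAMPLE_LOG = [
    "Jan 10 12:30:01 fw1 denied tcp src=2001:0DB8:0000:0000:0000:0000:0000:0010 dst=2001:db8::53",
    "Jan 10 12:30:02 fw1 denied tcp src=192.0.2.10:51514 dst=198.51.100.53:53",
    "Jan 10 12:30:05 rtr1 neighbor [2001:db8::10]:179 down",
    "Jan 10 12:30:09 fw1 denied udp src=::ffff:192.0.2.10 dst=2001:db8::53",
    "Jan 10 12:31:00 sw1 link fe80::1%eth0 flap",
]

# Hypothetical inventory: one dual-stack host owns an IPv4 and an IPv6 address.
INVENTORY = {"192.0.2.10": "app01", "2001:db8::10": "app01", "2001:db8::53": "dns01"}


def canonical(token):
    """Return (family, canonical_text) for an address token, or None."""
    token = token.split("%")[0]                    # drop an IPv6 zone id
    if token.count(":") == 1 and "." in token:     # IPv4 with a port suffix
        token = token.split(":")[0]
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None                                # timestamps, words, ports
    # An IPv4-mapped IPv6 address is an IPv4 endpoint; count it as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.version, addr.compressed


def extract_addresses(line):
    """All addresses in a log line, in order, as (family, canonical_text)."""
    parsed = (canonical(t) for t in re.split(r"[\s,;=\[\]()]+", line))
    return [p for p in parsed if p]


def separate_and_correlate(lines, inventory):
    """Split event numbers by IP family and group them per inventory host."""
    by_family = {4: [], 6: []}
    by_host = defaultdict(set)
    for number, line in enumerate(lines):
        for family, text in extract_addresses(line):
            if number not in by_family[family]:
                by_family[family].append(number)
            host = inventory.get(text)
            if host:
                by_host[host].add((family, number))
    return by_family, dict(by_host)


if __name__ == "__main__":
    print(separate_and_correlate(SAMPLE_LOG, INVENTORY))
```

Without the canonical form, the expanded and compressed spellings of one IPv6 address would be reported as two different sources, and the IPv4-mapped event would be counted against the IPv6 side of the dual-stack host.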
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)
