DEVELOPING AN IPV6 ENTERPRISE PILOT PROGRAM

James Small
CDW Advanced Technology Services
SESSION OBJECTIVES

    • Creating Your IPv6 Pilot Plan
    • Initial Pilot Roadmap
    • IPv6 Changes
    • IPv6 Security
    • Pilot Phase 2
    • Parting Thoughts



    Q&A throughout, I may postpone questions
    until the end depending on time

GOGONET LIVE! 3 – DEVELOPING AN IPV6 ENTERPRISE PILOT PROGRAM   2
ROADMAP

    • Creating Your IPv6 Pilot Plan
    • Initial Pilot Roadmap
    • IPv6 Changes
    • IPv6 Security
    • Pilot Phase 2
    • Parting Thoughts




INITIAL PILOT PLAN

    • Scope
      » Production Impact
      » Goals
      » Hardware
    • Team
      » Implementers
      » Testers
      » Project management
    • Location
      » Deployment
      » Testing


INITIAL PILOT PLAN

    • Schedule
      » Duration
      » Deployment
      » Testing
    • Training
      » Material
      » Tailored
      » Support
    • Communication
      » Infrastructure status
      » Solution/Application issues
      » Testing issues/progress
INITIAL PILOT PLAN

    • Evaluation
      » Infrastructure goals
      » Success criteria
    • Risks and Contingencies
      » Incident response
      » Project failures




PILOT PLAN – INITIAL HARDWARE

    Key Infrastructure Items:
    • Internet Router – 2900 series
    • Internet/DMZ/LAN Switches – 3560 E, X, or
      C-Series
    • Internet Firewall – ASA
    • WLC – 2504/5508/vWLC and one or more
      supported APs
    • Beefy server or blade chassis to run
      Hypervisor host(s)
    • Lots of laptops

PILOT PLAN – INITIAL HARDWARE

    Bonus Items:
    • Load Balancer
    • Forward and Reverse Proxy
    • ASR 1k
    • ACS 5.4
    • SIEM Server with IPv6 support
    • NetFlow Collector with NetFlow v9 support




PILOT PLAN – INITIAL SOFTWARE

    Key Services
    • Dual Stack DNS Server with DNS64 support
    • Dual Stack DHCP/DHCPv6 Server
    • Dual Stack File Server
    • Dual Stack Web Server
    • Key Applications
    Bonus Items:
    • IPAM Solution




ROADMAP

    • Creating Your IPv6 Pilot Plan
    • Initial Pilot Roadmap
    • IPv6 Changes
    • IPv6 Security
    • Pilot Phase 2
    • Parting Thoughts




DESIGN YOUR INITIAL PILOT TOPOLOGY




INITIAL PILOT ROADMAP

       • Obtain IPv6 /48 Prefix
       • Pilot Addressing Plan
       • Design and Build Out
       • Address Provisioning
       • DMZ Setup
       • Internal Network Setup








OBTAIN AN IPV6 NETWORK ADDRESS

       • Sign up for free IPv6 Internet access from Hurricane Electric
            (http://tunnelbroker.net)
       • With your account, request a /48 prefix


       • Q: Why start with Hurricane Electric?
       • A: It works great, service is available from anywhere on the
            Internet, and you get a /48 all for free.


       • Most important aspect of starting with HE:
            » You need practice creating an addressing
                 plan and deploying IPv6. It will take you
                 at least 3 times to get your addressing
                 plan right so let’s get started…





PILOT ADDRESS PLAN GUIDELINES

       Developing a great address plan takes practice
       • Site - /48
       • Loopback Network - /64
       • Loopback - /128
       • Translation Services - /56
       • Point-to-Point - /126
       • Everything else - /64






EXAMPLE HIGH LEVEL PILOT ADDRESS PLAN

       Create your addressing plan on nibble boundaries:
       • Split up your address allocation by Place In
         Network (e.g. 2001:db8:babe:X000::/52)
         » 2001:db8:babe:0000::/52 – Management
             - 2001:db8:babe:0000::/64 – Loopbacks
         » 2001:db8:babe:1000::/52 – Labs
         » 2001:db8:babe:2000::/52 – DMZs
         » 2001:db8:babe:3000::/52 – Servers
         » 2001:db8:babe:4000::/52 – User/Desktop
         » (…)
         » 2001:db8:babe:F000::/52 – Special Purpose
             - 2001:db8:babe:FF00::/56 – Reserved for translation
               services
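The /52-per-place-in-network plan above, carved out of the deck's own 2001:db8:babe::/48 with the standard library, as an added example that is not from the presentation: the role-to-digit map, the loopback /64 and translation /56 reservations, the /126 point-to-point and /128 loopback guidelines, and the 65k-/64s-per-/48 count are the deck's; the function names are mine.

```python
from ipaddress import IPv6Network

# The deck's example site allocation (RFC 3849 documentation prefix) and its Place-In-Network
# map: each role gets one /52, i.e. one hex digit of the fourth hextet (2001:db8:babe:X000::/52).
SITE = IPv6Network("2001:db8:babe::/48")
PLACE_IN_NETWORK = {
    0x0: "Management",
    0x1: "Labs",
    0x2: "DMZs",
    0x3: "Servers",
    0x4: "User/Desktop",
    # 0x5..0xE are left free for growth (the slide's "(...)")
    0xF: "Special Purpose",
}


def on_nibble_boundary(net: IPv6Network) -> bool:
    """A prefix length that is a multiple of 4 ends on a hex digit, so a block can be read
    straight off the address; the deck asks for the plan to be built on such boundaries."""
    return net.prefixlen % 4 == 0


def carve_site(site: IPv6Network = SITE) -> dict:
    """High-level plan: one /52 per place in network plus the two reservations the slide calls out."""
    if not on_nibble_boundary(site) or site.prefixlen > 48:
        raise ValueError("expected a nibble-aligned site prefix of /48 or shorter")
    blocks = list(site.subnets(new_prefix=site.prefixlen + 4))  # 16 blocks, one per hex digit
    plan = {role: blocks[digit] for digit, role in PLACE_IN_NETWORK.items()}
    # Management: its first /64 is the loopback network; each router loopback is a /128 out of it.
    plan["Loopbacks"] = next(plan["Management"].subnets(new_prefix=64))
    # Special Purpose: the last /56 (..:FF00::/56) is reserved for translation services (NAT64/DNS64).
    plan["Translation Services"] = list(plan["Special Purpose"].subnets(new_prefix=56))[-1]
    return plan


def loopback(plan: dict, index: int) -> IPv6Network:
    """/128 host route for device number `index` out of the loopback /64 (index 0 is the
    subnet-router anycast address, so number devices from 1)."""
    if not 1 <= index < 2**64:
        raise ValueError("loopback index out of range")
    return IPv6Network(f"{plan['Loopbacks'].network_address + index}/128")


def point_to_point_links(parent: IPv6Network, count: int) -> list:
    """First `count` /126 point-to-point links out of a /64 the planner sets aside for them."""
    links = parent.subnets(new_prefix=126)
    return [next(links) for _ in range(count)]


def prefix_count(container: IPv6Network, prefixlen: int) -> int:
    """How many prefixes of `prefixlen` fit in `container`: 65,536 /64s in a /48 is why the
    deck says a spreadsheet stops scaling and IPAM becomes desirable."""
    return 2 ** (prefixlen - container.prefixlen)


if __name__ == "__main__":
    plan = carve_site()
    for role, net in plan.items():
        print(f"{role:22s} {net}")
    print("first loopback:", loopback(plan, 1))
    print("/64s in the site:", prefix_count(SITE, 64))
```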

PILOT ADDRESS PLAN THOUGHTS

       Prefixes
       • Basic subnet plan - spreadsheet
       • 65k /64 prefixes per /48 - a spreadsheet is not scalable!
       Nodes
       • > 18 quintillion possible per subnet
       • Sizeable deployments - IPAM desirable



       Reference:
       IPv6 Subnetting Best Current Operational Practices

THOUGHTS ON INITIAL TOPOLOGY

       • Network Types
         » Dual Stack
         » IPv4 Only
         » IPv6 Only


       • Areas to Look at:

         » Static/Dynamic Routing
         » Load Balancing
         » Proxying
         » Tunneling
         » NAT
         » Dual data/control/management planes

A WORD OF CAUTION ON NAT


       • NAT was invented for address conservation
       • Address conservation not needed for IPv6
       • Think carefully before using NAT
         » What applications will this degrade or break?
         » How much is operational complexity increasing?
         » How difficult does support become?
       • More thoughts in Appendix




BUILD OUT INITIAL PILOT

       • Infrastructure setup
       • Hypervisor setup
       • Physical and Virtual Nodes with
         representative Operating Systems
       • Key Applications








IPV6 SUPPORT INFRASTRUCTURE

       • DNS
         » Transport
         » Accessibility
         » Dynamic DNS
       • DHCPv6
         » Stateless
         » Stateful




       • WINS/NetBIOS
         » Viability
         » Recommendations

IPV6 ADDRESS PROVISIONING OPTIONS

       • Static
         » Gotchas
       • SLAAC
         » Options
         » RDNSS
         » Stateless DHCPv6
       • DHCPv6
         » Stateful DHCPv6
         » SLAAC



IPV6 ADDRESS PROVISIONING THOUGHTS

       Address Options and Applicable Systems:
       • Pure Static
       • Static with Options
       • SLAAC, no DHCPv6
            » Basic
            » RDNSS
            » Dynamic VLAN Assignment
       • SLAAC with (Stateless) DHCPv6
       • DHCPv6 (Stateful DHCPv6)



BUILD YOUR IPV6 DMZ

       In order of preference:
       • Option 1 – Dual Stack
       • Option 2 – Load balanced (SLB64)
       • Option 3 – Dual Stack Reverse Proxy
       • Option 4 (Discouraged) – Use NAT64








BUILD YOUR IPV6 INTERNAL NETWORK

       • Connect Internal IPv6 Network to IPv6
            Internet
            » Option 1 (Preferred) – Dual Stack
            » Option 2 – Forward Proxy
            » Option 3 – (Legacy) Tunneling
            » Option 4 – Stateful NAT64 (IPv6 Only)








ROADMAP

    • Creating Your IPv6 Pilot Plan
    • Initial Pilot Roadmap
    • IPv6 Changes
    • IPv6 Security
    • Pilot Phase 2
    • Parting Thoughts




CHANGES WITH IPV6

    • QoS Syntax
      IPv4-Only                 Dual Stack
      match ip dscp             match dscp
      match ip precedence       match precedence
      set ip dscp               set dscp
      set ip precedence         set precedence

    • Protocol Updates:
      » From HSRPv1 to HSRPv2
      » From NTPv[1-3] to NTPv4
      » Anything with “IP” in the command is suspect

    • VRF Syntax
      IPv4-Only:
        ip vrf Red
         rd 65001:1
        !
        interface G0/0
         ip vrf forwarding Red
         ip address 192.168.1.1 255.255.255.0

      Dual Stack:
        vrf definition Red
         rd 65001:1
         ! Must explicitly declare each address family to use
         address-family ipv4
         exit-address-family
         !
         address-family ipv6
         exit-address-family
        !
        interface G0/0
         vrf forwarding Red
         ip address 192.168.1.1 255.255.255.0
         ipv6 enable
         ipv6 address 2001:db8:babe::1/64




MULTI-PROTOCOL REALITIES

    IPv4 and IPv6 are ships in the night!
    • IPv4 Access List
      ip access-list ext example1
       permit ip 192.168.0.0 0.0.255.255 any
      !
      interface G0/0
       ip access-group example1 in

    • IPv6 Access List
      ipv6 access-list example2
       permit ipv6 2001:db8:babe:1::/64 any
      !
      interface G0/0
       ipv6 traffic-filter example2 in




MULTI-PROTOCOL REALITIES

    IPv4 L2 Cache:
    show ip arp
    Protocol               Address                              Age (min)   Hardware Addr    Type   Interface
    Internet               192.168.232.1                               -    0000.0c9f.f05a   ARPA   Vlan90
    Internet               192.168.232.3                              54    0011.bba6.1e80   ARPA   Vlan90
    Internet               192.168.232.12                              0    0023.ebe1.5d16   ARPA   Vlan90
    Internet               192.168.234.149                             0    Incomplete       ARPA



    IPv6 L2 Cache:
    show ipv6 neighbors
    IPv6 Address                                                               Age Link-layer Addr State Interface
    FE80::90:2                                                                   0 02d0.2bff.74db    REACH Vl90
    2001:470:C4E8:1:108E:7EC3:BCDA:AF5C                                         47 000c.29f9.ed0b    STALE Vl101
    2001:470:C4E8:2::2                                                           0 02d0.2bff.74db    DELAY Vl90
    FE80::3974:DC3C:AF4D:7239                                                   47 000c.29f9.ed0b    STALE Vl101
    2001:470:C4E8:2::3                                                           0 -                 INCMP Vl90


EIGRP - BASICS

    From IPv4 to IPv6
    IPv4:
      interface Loopback0
       ip address 172.31.255.1 255.255.255.255
      !
      interface FastEthernet0/0
       ip address 10.1.1.1 255.255.255.0
      !
      router eigrp 1
       network 10.1.1.0 0.0.0.255
       network 172.31.255.1 0.0.0.0
       passive-interface Loopback0

    IPv6:
      ipv6 unicast-routing
      !
      interface Loopback0
       ipv6 enable
       ipv6 address 2001:DB8::1/128
       ipv6 eigrp 1
      !
      interface FastEthernet0/0
       ipv6 enable
       ipv6 address 2001:DB8:1001::1/64
       ipv6 eigrp 1
      !
      ipv6 router eigrp 1
       passive-interface Loopback0

EIGRP - ADVANCED

    Integrated Multi-Address Family
      router eigrp DualStack
       !
       address-family ipv4 unicast autonomous-system 2
        !
        af-interface Loopback0
         passive-interface
        exit-af-interface
        !
        network 10.1.1.0 0.0.0.255
        network 172.31.255.2 0.0.0.0
       exit-address-family
       !
       address-family ipv6 unicast autonomous-system 2
        !
        af-interface default
         shutdown
        exit-af-interface
        !
        af-interface Loopback0
         passive-interface
        exit-af-interface
        !
        af-interface FastEthernet1/0
         no shutdown
        exit-af-interface
        !
       exit-address-family
OSPF - BASICS

    From IPv4 (OSPFv2) to IPv6 (OSPFv3)
    IPv4 (OSPFv2):
      interface Loopback0
       ip address 172.31.255.1 255.255.255.255
      !
      interface FastEthernet0/0
       ip address 10.1.1.1 255.255.255.0
      !
      router ospf 1
       passive-interface Loopback0
       network 10.1.1.0 0.0.0.255 area 0
       network 172.31.255.1 0.0.0.0 area 0

    IPv6 (OSPFv3):
      ipv6 unicast-routing
      !
      interface Loopback0
       ipv6 enable
       ipv6 address 2001:DB8::1/128
       ipv6 ospf 1 area 0
      !
      interface FastEthernet0/0
       ipv6 enable
       ipv6 address 2001:DB8:1001::1/64
       ipv6 ospf 1 area 0
      !
      ipv6 router ospf 1
       passive-interface Loopback0

OSPF - ADVANCED

    Integrated Multi-Address Family
      interface Loopback0
       ip address 172.31.255.1 255.255.255.255
       ipv6 enable
       ipv6 address 2001:DB8::1/128
       ospfv3 2 ipv4 area 0
       ospfv3 2 ipv6 area 0
      !
      interface FastEthernet1/0
       ! (…)
       ospfv3 2 ipv6 area 0
       ospfv3 2 ipv4 area 0
      !
      router ospfv3 2
       !
       address-family ipv4 unicast
        passive-interface Loopback0
       exit-address-family
       !
       address-family ipv6 unicast
        passive-interface Loopback0
       exit-address-family
       !




BGP - BASICS

    From IPv4 to IPv6
    IPv4:
      router bgp 65203
       network 203.0.113.0 mask 255.255.255.0
       neighbor 198.51.100.1 remote-as 65301
       neighbor 198.51.100.1 description IPv4_ISP

    IPv6:
      ipv6 unicast-routing
      !
      router bgp 65001
       bgp log-neighbor-changes
       neighbor 2001:DB8:1001::2 remote-as 65002
       !
       address-family ipv6
        network 2001:DB8:1001::/64
        neighbor 2001:DB8:1001::2 activate
       exit-address-family




BGP - ADVANCED

      Integrated Multi-Address Family
      ipv6 unicast-routing
      !
      router bgp 65203
       no bgp default ipv4-unicast
       !
       neighbor 198.51.100.1 remote-as 65301
       neighbor 198.51.100.1 description IPv4_ISP
       !
       neighbor 2001:db8:0:1::1 remote-as 65301
       neighbor 2001:db8:0:1::1 description IPv6_ISP
       !
       address-family ipv4
        neighbor 198.51.100.1 activate
        network 203.0.113.0 mask 255.255.255.0
       exit-address-family
       !
       address-family ipv6
        neighbor 2001:db8:0:1::1 activate
        network 2001:db8:ace::/48
       exit-address-family



       Reference:
       IPv6 Peering Best Current Operational Practices Draft

ROADMAP

    • Creating Your IPv6 Pilot Plan
    • Initial Pilot Roadmap
    • IPv6 Changes
    • IPv6 Security
    • Pilot Phase 2
    • Parting Thoughts




MONITORING AND CONTROLLING IPV6

     Service                     Number             Description
     IPv6 Encapsulation          IPv4/41            Tunnel IPv6 over IPv4
     Teredo/Miredo               UDP/3544           Tunnel IPv6 over UDP (NAT Traversal)
     Teredo/Miredo               Non-Standard       IPv6 destination starting with 2001:0000::/32
                                                    over UDP over IPv4
     TSP                         TCP|UDP/3653       IPv6 Tunnel Broker using the Tunnel Setup
                                                    Protocol (RFC 5572)
     AYIYA                       TCP|UDP/5072       IPv6 Tunnel Broker using Anything in Anything
                                                    (www.sixxs.net/tools/ayiya/)
     Public 6to4 Anycast Relay   IPv4: 192.88.99.1  Starting with IPv6 source address of 2002::/16;
                                                    destined to 192.88.99.0/24 for IPv4
     IPv6 Encapsulation          TCP/443            IPv6 over IPv4 SSL Tunnel, many variants
     IPv6 Ethertype              0x86DD             Distinct from IPv4 Ethertype (0x0800)
     DNS IPv6 Records            Several            AAAA, updated PTR records - can be transported
                                                    over IPv4 or IPv6
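The table above as detection logic: an added example, not from the presentation, that labels constructed flow records (the fields a NetFlow v9 collector exports) with the row they match. The prefixes, ports and Ethertypes are the table's; the Flow record shape and the function names are my assumptions, and the TCP/443 row is deliberately left unclassified because it needs payload inspection.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
PROTO_TCP, PROTO_UDP, PROTO_IPV6_ENCAP = 6, 17, 41
TEREDO_PREFIX = ip_network("2001::/32")         # 2001:0000::/32
SIXTOFOUR_PREFIX = ip_network("2002::/16")
SIXTOFOUR_RELAY = ip_network("192.88.99.0/24")  # public 6to4 anycast relay range
TUNNEL_BROKER_PORTS = {3653: "TSP tunnel broker (TCP|UDP/3653)",
                       5072: "AYIYA tunnel broker (TCP|UDP/5072)"}


@dataclass
class Flow:
    """One flow record; field names are this example's own, not a collector's schema."""
    ethertype: int
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    inner_dst: Optional[str] = None  # IPv6 destination inside a tunnel, when the exporter decodes it


def classify(f: Flow) -> Optional[str]:
    """Label the flow with the table row it matches, or None if it is not IPv6-related."""
    if f.ethertype == ETHERTYPE_IPV6:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src in SIXTOFOUR_PREFIX:
            return "6to4 (IPv6 source in 2002::/16)"
        if src in TEREDO_PREFIX or dst in TEREDO_PREFIX:
            return "traffic with a Teredo address (2001:0000::/32)"
        return "native IPv6 (Ethertype 0x86DD)"
    if f.ethertype != ETHERTYPE_IPV4:
        return None
    ports = {f.sport, f.dport}
    if f.proto == PROTO_IPV6_ENCAP:
        if ip_address(f.dst) in SIXTOFOUR_RELAY:
            return "6to4 via public anycast relay (192.88.99.0/24)"
        return "IPv6 encapsulation (IPv4 protocol 41)"
    if f.proto == PROTO_UDP and 3544 in ports:
        return "Teredo/Miredo (UDP/3544)"
    if f.proto in (PROTO_TCP, PROTO_UDP):
        for port, label in TUNNEL_BROKER_PORTS.items():
            if port in ports:
                return label
    if f.proto == PROTO_UDP and f.inner_dst and ip_address(f.inner_dst) in TEREDO_PREFIX:
        return "Teredo on non-standard port (inner IPv6 dst in 2001:0000::/32)"
    # TCP/443 SSL-based tunnels look like ordinary HTTPS in a flow record; they need
    # payload inspection, so this classifier deliberately does not guess at them.
    return None


def tunnel_report(flows) -> Counter:
    """Count flows per label, dropping the unrelated ones."""
    return Counter(label for label in map(classify, flows) if label)


# Constructed sample records (documentation/test addresses only), not captured traffic.
SAMPLE_FLOWS = [
    Flow(0x0800, 41, "198.51.100.10", "203.0.113.5"),
    Flow(0x0800, 41, "198.51.100.10", "192.88.99.1"),
    Flow(0x0800, 17, "198.51.100.10", "203.0.113.5", 50000, 3544),
    Flow(0x0800, 17, "198.51.100.10", "203.0.113.5", 50000, 40000, inner_dst="2001:0:4136:e378::1"),
    Flow(0x0800, 6, "198.51.100.10", "203.0.113.5", 50000, 3653),
    Flow(0x0800, 17, "198.51.100.10", "203.0.113.5", 50000, 5072),
    Flow(0x86DD, 6, "2002:c633:6401::1", "2001:db8::1"),
    Flow(0x86DD, 6, "2001:db8:babe:1::10", "2001:db8::1"),
    Flow(0x0800, 6, "198.51.100.10", "203.0.113.5", 50000, 443),
]

if __name__ == "__main__":
    for label, n in tunnel_report(SAMPLE_FLOWS).items():
        print(f"{n:3d}  {label}")
```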




IPV6 SECURITY

    Common IPv6 Security Issues and Options:

    Issue                                 Solution
    Spoofed/Illegitimate RAs              RA Guard (or PACL)
    Spoofed NDP NA                        MLD Snooping, DHCPv6 Snooping, NDP Inspection, SeND
    (Spoofed) Local NDP NS Flood          NDP Inspection, NDP Cache Limits, CoPP
    (Spoofed) Remote NDP NS Flood         Ingress ACL, CoPP, NDP Cache Limits
    (Spoofed) DAD Attack                  MLD Snooping, NDP Inspection
    (Spoofed) DHCPv6 Attack               DHCPv6 Guard
    Spoofed/Illegitimate DHCPv6 Replies   DHCPv6 Guard

SWITCH IPV6 SECURITY OPTIONS

    3560/3750 E+X, 2960/3560 C, 2960S - 15.0(2)SE:
    • IPv6 First Hop Security Features Include:
      » IPv6 Snooping
      » IPv6 FHS Binding
      » NDP Address Gleaning
      » IPv6 Data Address Gleaning
      » IPv6 DHCPv6 Address Gleaning
      » IPv6 Device Tracking
      » NDP Inspection
      » IPv6 PACL
      » IPv6 DHCPv6 Guard
      » IPv6 RA Guard
      » IPv6 Source Guard



IPV6 ACCESS CONTROL

    • Firewall Policy
         » Don’t block all ICMPv6!!!
         » Simple Examples for transit traffic, can get more granular:




         » Reference NIST SP 800-119 (Section 3.5, Table 3-7)
         » Reference RFC 4890 (Recommendations for Filtering
              ICMPv6 Messages in Firewalls)
IPV6 ACCESS CONTROL

    • Router/Switch Policy
         » Don’t block the NDP’s NS/NA functionality or you will break
              IPv6!

    ipv6 access-list Example1
      permit any host 2001:db8::1
      permit icmp any any nd-ns
      permit icmp any any nd-na
      deny ipv6 any any
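An added check for the two ICMPv6 warnings above (the firewall policy that must not block all ICMPv6 and the interface ACL that must pass NS/NA): a small linter, not from the presentation, that parses IOS-style ipv6 access-list entries top down and reports which required ICMPv6 types fall through to a deny. It assumes the first-match semantics and ICMPv6 keywords of IOS; the Example1 ACL is the deck's, the TRANSIT-IN and BAD ACLs are constructed for the demonstration.

```python
import re

# IOS ipv6 access-list ICMPv6 keywords and the types they stand for (the subset used here).
ICMPV6_KEYWORDS = {
    "unreachable": 1, "packet-too-big": 2, "time-exceeded": 3, "parameter-problem": 4,
    "echo-request": 128, "echo-reply": 129,
    "router-solicitation": 133, "router-advertisement": 134, "nd-ns": 135, "nd-na": 136,
}
TYPE_NAMES = {t: k for k, t in ICMPV6_KEYWORDS.items()}

# Error messages RFC 4890 says a firewall must not drop for transit traffic (PMTUD and
# path diagnostics depend on them), and the two NDP types the deck says an interface ACL
# must always pass.
REQUIRED_TRANSIT = {1, 2, 3, 4}
REQUIRED_NDP = {135, 136}

ENTRY = re.compile(
    r"^\s*(permit|deny)\s+(\S+)\s+(any|host\s+\S+|\S+/\d+)\s+(any|host\s+\S+|\S+/\d+)(?:\s+(\S+))?"
)


def parse_acl(text: str) -> list:
    """Turn the permit/deny lines of an ipv6 access-list into (action, proto, src, dst, icmp_type)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # the 'ipv6 access-list NAME' line, remarks, blanks
        action, proto, src, dst, extra = m.groups()
        icmp_type = ICMPV6_KEYWORDS.get(extra) if proto == "icmp" else None
        entries.append((action, proto, src, dst, icmp_type))
    return entries


def first_match(entries: list, icmp_type: int) -> str:
    """Action the first entry takes on an any-to-any ICMPv6 packet of this type (IOS evaluates
    top down and ends with an implicit deny). Entries scoped to a host or prefix are skipped,
    because they cannot cover the general case this audit is about."""
    for action, proto, src, dst, t in entries:
        if src != "any" or dst != "any":
            continue
        if proto == "ipv6" or (proto == "icmp" and t in (None, icmp_type)):
            return action
    return "deny"


def blocked_types(acl_text: str, required: set) -> list:
    """Keywords of the required ICMPv6 types this ACL would drop, sorted; empty means it passes."""
    entries = parse_acl(acl_text)
    return sorted(TYPE_NAMES[t] for t in required if first_match(entries, t) != "permit")


# The deck's router/switch ACL, in full IOS syntax.
ROUTER_ACL = """
ipv6 access-list Example1
 permit ipv6 any host 2001:db8::1
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny ipv6 any any
"""

# Constructed transit firewall ACL (not from the deck): error messages and NDP first,
# then the service, then the explicit deny.
TRANSIT_ACL = """
ipv6 access-list TRANSIT-IN
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any unreachable
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit tcp any host 2001:db8:babe:2000::10 eq 443
 deny ipv6 any any
"""

# Constructed example of the mistake the deck warns about: 'deny icmp any any' first.
BLOCK_ALL_ICMPV6 = """
ipv6 access-list BAD
 deny icmp any any
 permit ipv6 any any
"""

if __name__ == "__main__":
    for name, acl in (("Example1", ROUTER_ACL), ("TRANSIT-IN", TRANSIT_ACL), ("BAD", BLOCK_ALL_ICMPV6)):
        print(name, "drops NDP:", blocked_types(acl, REQUIRED_NDP),
              "drops transit errors:", blocked_types(acl, REQUIRED_TRANSIT))
```

Run against Example1 the linter passes the NDP check but reports the four error-message types, which is expected for an interface ACL that only protects one host; the same check against a transit firewall policy is where those four matter.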




THINGS TO REVISIT WITH IPV6

    • IPsec
         » Consider migrating to IKEv2/IPsecv3
    • Secure Hashes:
         » Migrate from MD5 (broken) to SHA2
    • Diffie Hellman Groups:
         » Migrate from 1/2/5 to 14+ (14 is only 2048 bits!)
    • Implement Anti-Spoofing functionality (RPF)
    • Look at implementing IPv6 Bogon filtering from
      Team Cymru
    • Build it right from the start!




ROADMAP

    • Creating Your IPv6 Pilot Plan
    • Initial Pilot Roadmap
    • IPv6 Changes
    • IPv6 Security
    • Pilot Phase 2
    • Parting Thoughts




DESIGN YOUR OVERLAY PILOT TOPOLOGY




ENTERPRISE PILOT – PHASE 2

    • Move from Out-Of-Band to an Overlay
    • Request and setup full IPv6 BGP Peering
    • Expanding your pilot coverage
    • Begin leveraging your standard security solutions
         » IDS/IPS
         » Load Balancer
         » Web Security Gateway
         » Web Application Firewall
         » Production SIEM
         » E-mail Security Gateway
    • Build up your operational and planning abilities for
      IPv6 deployment




ROADMAP

    • Creating Your IPv6 Pilot Plan
    • Initial Pilot Roadmap
    • IPv6 Changes
    • IPv6 Security
    • Pilot Phase 2
    • Parting Thoughts




SOME THOUGHTS ON IPV6 PROJECTS

       • IPv6 is a large topic
       • Don’t try to do everything at once – break
         deployment into manageable pieces
       • Start simple – phase in more advanced features,
         don’t try to enable all options from day 1
       • IPv6 touches everything – as you get closer to
         production make sure you involve personnel from
         all impacted areas








COSTS

       • All applications, systems, network/infrastructure
         need to be inventoried for IPv6
         » Some may have no support
         » Some may have limited/software only (slow)
           support
         » Some will have full support or full support with
           upgrades
       • No hard deadline, but judicious planning will
         minimize expenditures






MORE DETAILS ON GETTING STARTED

       Additional Appendix Topics:
       • Building Business Support (More Ideas)
       • Building Your Project Plan (More Ideas)
       • Build Your Team
       • Develop Your Architecture
       • Assess Your Infrastructure
       • Training
       • Deployment Approaches
       • IPv6 Address Planning


                                                                Image source: drawingdownthevision.com




MORE THOUGHTS ON IPV6

       Additional Appendix Topics:
       • IPv6 Mindset Changes
       • Operational Issues/Risks
       • Thoughts on NAT
       • Issues with Disabling IPv6
       • Application Compatibility
       • Windows IPv6 CLI Basics
       • IPv6 Solutions MIA



                                                                Image source: brides.com




RECOMMENDED READING




QUESTIONS




       @netsec14
       My IPv6 Blogs: Packet Pushers
APPENDIX

   • Building Business Support                                       • IPv6 Mindset Changes
   • Building Your Project Plan                                      • Operational Issues/Risks
   • Build Your Team                                                 • Thoughts on NAT
   • Develop Your Architecture                                       • Issues with Disabling IPv6
   • Assess Your Infrastructure                                      • Application Compatibility
   • Training                                                        • Windows IPv6 CLI Basics
   • Deployment Approaches                                           • IPv6 Solutions MIA
   • IPv6 Address Planning




BUILD BUSINESS SUPPORT

       Additional IPv6 Business Case
       • Specific Use Cases
         » Internet of Things (Gartner – A top 10 strategic
           technology in 2012)
         » Industry specific (SmartGrid, Embedded
           Networks, Building controls/sensors, etc.)
       • Proxy Mobile IPv6 (PMIPv6) allows seamless
         roaming from 4G connections to Wireless
         connections and is getting rolled out soon




BUSINESS VALUE PROPOSITION

       • Universal access (no NAT!)
            » Eliminating NAT dramatically simplifies connectivity while
                 only marginally complicating security
       • Low power wireless sensors and embedded networking open
            a new realm of possibilities
            » Smart Grid, Smart Home, Intelligent Sensors
       • Peer to Peer Communication and Innovation Flourish
            » Voice Calls/Conferencing, Collaboration




NEW MARKET OPPORTUNITIES

       • SOHO/Consumer Space (now possible without
            NAT complexity)
            » Managed services (Health and Security Monitoring,
                 Appliance maintenance, Telemedicine)
       • New Network Realms
            » Personal Sports & Entertainment (Networked Treadmills)
            » Asset Management, Environmental Monitoring
            » Advanced Metering Infrastructures, Industrial Automation
       • Easy Peer to Peer Communication Opens Markets
            » More Efficient Video Consultation for Professionals
            » Widespread Telepresence and Video Conferencing




INNOVATION AND EFFICIENCY

       • Embedded networking allows facility automation
            » Possible savings of 30% or more on energy costs
           (apricot.net)
       • Easy market entry with anything to anything
         connectivity available to all
         » Easy communication from anywhere to anything
         » People to people
         » Device to device




BUILDING YOUR PROJECT PLAN

       • Secure management commitment
       • Incremental, measurable, and achievable steps
       • Be realistic, start simple – IPv6 Multicast Routing
         may not be required on day 1
       • Effective risk analysis and containment
       • Managing/motivating non-compliant vendors and
         teams




BUILD YOUR TEAM

       IPv6 is a systemic change, in addition to the
       network team you’ll need:
       • Systems/System Administration
       • Development/Applications/DBAs
       • Security
       • Desktop
       • Operations – Monitoring/Tools, Help Desk




DEVELOP YOUR PERIMETER ARCHITECTURE

       • Accessible Web Servers
       • Accessible VPN Concentrators
       • Accessible E-mail Servers/Gateways
       • Accessible Portals/Applications
       • Supporting Back Ends/Tiers




ASSESS YOUR INFRASTRUCTURE

       • Network/Security Equipment
            » IPv6 done in hardware/line rate?
            » IPv6 done in software (degraded performance)?
            » Upgrade(s) required?
            » Roadmapped support but not current?
            » Incompatible?




ASSESS YOUR INFRASTRUCTURE

       • Operating Systems
            » Which versions fully support IPv6?
                 - Windows Vista, 7, 8, Server 2008, Server 2012
                 - OS X 10.7+
                 - Fedora 17, Ubuntu 12.04+
                 - UNIX, FreeBSD 9.0
            » Which versions have issues/limitations?
                 - Windows XP, Server 2000, Server 2003
                 - OS X before 10.7
                 - Some quirks with older versions of Linux/BSD




ASSESS YOUR APPLICATIONS

       • Web Servers and supporting software
       • E-mail
       • Databases
       • Network Management Systems
       • COTS and custom applications




TRAINING

       What is your development plan for:
       • Network staff
       • Systems staff
       • Developers
       • DBAs
       • Security staff
       • Desktop staff
       • Operations – Monitoring/Tools, Help Desk




IPV6 ADDRESS PLANNING

       • Probably the most important part of your
         deployment!
       • PI or PA?
       • Smallest advertised prefixes which won’t be
         filtered (BGP, PI, PA)
       • ULAs?
       • IPAM?




IPV6 MINDSET CHANGES

       • Learning to think in networks instead of hosts
       • Letting go of the address scarcity mentality
       • Effective use of IPAM tools becomes crucial
       • Running a multiprotocol network – back to the
            IPX/AppleTalk/DECNet days




OPERATIONAL ISSUES/RISKS

       • Rogue RAs (Windows Internet Connection
         Sharing)
       • Rogue Tunnels
       • Overlay containment when tunneling (ISATAP
         reach/control)
       • DNS Issues
       • Broken IPv6 and Happy Eyeballs




PROBLEMS WITH NAT

   • Some protocols do not work correctly through NAT
        and require “fix-ups” (ALGs) or extra configuration
        » E.g. ICMP, FTP, SIP, H.323, RTSP, some VPNs
   • NAT breaks end-to-end connectivity
        » Connection establishment and/or packet data requires a 3rd
          party
        » Affects Voice Calls, Video Conferencing, file sharing,
          Collaboration, etc. For example, Skype, Facetime, Webex,
          and Microsoft Sharepoint Workspace work better without NAT.
        » Note: Multiple NAT tiers can totally break these applications
   • NAT for address overlap is technically challenging
   • Limits innovation, increases costs/barriers for new
        ideas/solutions

BENEFITS OF NAT

   • NAT simplifies changing ISPs (if PI addresses are not
     used)
   • NAT hides the network topology and foils many
     simple network scans
        » NAT alone is not secure, but it has been a helpful safety net
          against sloppy firewall policies
        » Without NAT, firewall policies must be more robust and
          actively managed
   • NAT can easily solve some complex network issues
        » Multi-homing ISPs, return path selection, asymmetric routing
   • NAT is ubiquitous
        » Today, software is developed with an expectation of NAT
        » Tomorrow…?


NAT – PROS/CONS

   Pros                                                         Cons
   Easier ISP Mobility                                          Hidden Costs
   Avoid Renumbering                                            Breaks End to End
   Small Site Multihoming                                       Many Apps Need ALGs
   Identical Small Sites                                        Overlapping Networks
   Topology Hiding                                              Increased Complexity
   Some Added Security                                          False Sense of Security
   Path Selection/Hiding                                        Inhibits Innovation




THE HIDDEN COSTS OF NAT

                   Something to consider when evaluating NAT:




NAT – ALTERNATE SOLUTIONS

   Problem                                                      IPv6 Solution
   Avoid Renumbering                                            PI or ULA + GUA
   Small Site Multihoming                                       LISP or ULA + TTLd GUA
   Identical Small Sites                                        Standardized Link-Locals
   Topology Hiding                                              Proxies/MIPv6
   Perceived Security                                           Stateful Firewall




REDMOND’S STANCE

       Per the Microsoft IPv6 FAQ:
       “From Microsoft's perspective, IPv6 is a mandatory part
       of the Windows operating system and it is enabled and
       included in standard Windows service and application
       testing during the operating system development
       process. Because Windows was designed specifically
       with IPv6 present, Microsoft does not perform any
       testing to determine the effects of disabling IPv6. If IPv6
       is disabled on Windows 7, Windows Vista, Windows
       Server 2008 R2, or Windows Server 2008, or later
       versions, some components will not function. Moreover,
       applications that you might not think are using IPv6—
       such as Remote Assistance, HomeGroup, DirectAccess,
       and Windows Mail—could be.”

DISABLING IPV6 IN WINDOWS

   What breaks if IPv6 is disabled on Windows Vista and
   later?
   • Hyper-V Cluster - It is not possible to add a new
     node to an existing cluster
   • TMG Server - RRAS breaks
   • Exchange - Mail flow & Installation problems
   • SBS Server - Exchange services fail to start &
     network shows offline
   • DirectAccess - Does not work
   • HomeGroup - Does not work
   • Applications using Windows Peer-to-Peer Networking
     will not work
APPLICATION COMPATIBILITY

   • Things to look for:
        » Embedded IPv4 addresses/literals (e.g.
          “198.43.84.7”)
        » Fields allow IPv6 addresses to be entered
        » Can it handle both DNS A and AAAA (IPv6)
          records?
        » Does it use the socket API or anything else that is
          IPv4 specific?
        » Where IP addresses are stored, can the
          database/storage mechanism deal with IPv6?
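The checklist above can be partly automated. The helpers below are an added example written for this page (not code from the presentation or from CDW): they flag embedded IPv4 literals in source or configuration text, parse a host:port input field so that a bracketed IPv6 literal is accepted alongside IPv4 and hostnames, report the text and binary storage sizes an address column needs, and resolve targets through getaddrinfo instead of a hard-coded AF_INET socket. The configuration snippet is constructed sample data; the 198.43.84.7 literal is the one quoted on the slide.

```python
"""Helpers for an IPv6 application-compatibility review (added example)."""
import ipaddress
import re
import socket

# Constructed sample config text; 198.43.84.7 is the literal quoted on the slide.
SAMPLE_CONFIG = (
    "db_host = 198.43.84.7\n"
    "agent_version = 1.2.3.400\n"   # looks like a dotted quad but is not a valid address
    "syslog_target = 10.0.0.1:514\n"
)

# Candidate dotted quads; ipaddress weeds out impostors such as version strings.
_IPV4_CANDIDATE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")


def find_ipv4_literals(text):
    """Return the distinct embedded IPv4 literals in the given source/config text.

    Every hit needs a human look: a hard-coded IPv4 address is a place where the
    application will not follow the network to IPv6 without a code or config change.
    """
    found = []
    for match in _IPV4_CANDIDATE.finditer(text):
        try:
            addr = str(ipaddress.IPv4Address(match.group(0)))
        except ValueError:
            continue  # octet out of range, e.g. "1.2.3.400"
        if addr not in found:
            found.append(addr)
    return found


def split_host_port(value, default_port):
    """Split a 'host:port' field the way an IPv6-aware input field must.

    An IPv6 literal contains colons itself, so a port may only follow it when the
    literal is wrapped in brackets: "[2001:db8::1]:443".  A naive rsplit(":") would
    mangle a bare IPv6 address, which is exactly the field bug to look for.
    """
    if value.startswith("["):
        host, closed, rest = value[1:].partition("]")
        if not closed:
            raise ValueError("unterminated bracketed IPv6 literal: %r" % value)
        port = int(rest[1:]) if rest.startswith(":") else default_port
        return host, port
    if value.count(":") == 1:            # hostname:port or IPv4:port
        host, port = value.split(":")
        return host, int(port)
    return value, default_port           # bare hostname, bare IPv4 or bare IPv6


def storage_requirements(addr_str):
    """Text column width and binary length needed to store this address.

    A CHAR(15) column sized for dotted quads silently truncates IPv6; 45 characters
    covers every textual IPv6 form (including IPv4-mapped), 16 bytes covers binary.
    """
    addr = ipaddress.ip_address(addr_str)
    text_columns = 45 if addr.version == 6 else 15
    return {"version": addr.version, "text_columns": text_columns,
            "binary_bytes": len(addr.packed)}


def family_agnostic_targets(host, port):
    """Resolve a target with getaddrinfo so the code works for AF_INET and AF_INET6.

    AI_NUMERICHOST keeps this offline (literals only); drop that flag in real code so
    names with both A and AAAA records yield candidates for both families.
    """
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM,
                               flags=socket.AI_NUMERICHOST)
    return [(family, sockaddr[0], sockaddr[1]) for family, _, _, _, sockaddr in infos]


if __name__ == "__main__":
    print("embedded IPv4 literals:", find_ipv4_literals(SAMPLE_CONFIG))
    print(split_host_port("[2001:db8::1]:443", 80))
    print(storage_requirements("2001:db8::1"))
    print(family_agnostic_targets("2001:db8::1", 443))
```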




EDUCATION - IPV6 BASICS

       New Windows Commands - netsh interface ipv6:

   show addresses          Detailed information on IPv6 interface addresses
   show destinationcache   Displays the contents of the destination cache, sorted by interface; the
                           destination cache stores the next-hop addresses for destination addresses
   show global             Shows global configuration parameters such as interface address randomization
   show interfaces         Detailed interface list including index numbers/zone identifiers; also try
                           level=verbose
   show neighbors          Displays contents of the neighbor cache, sorted by interface; the neighbor
                           cache stores the link-layer addresses of recently resolved next-hop addresses
   show prefixpolicies     Shows prefix policy table (IPv6 versus IPv4 preference order)
   show privacy            Shows interface address privacy configuration parameters


       Note: netsh commands can be abbreviated:
       • netsh interface ipv6 show interface
       Abbreviate as:
       • netsh int ipv6 sh int
CISCO SOLUTIONS MISSING IPV6

    • WAAS
    • Nexus 1000V
    • VSG
    • ASA 1000V





Developing an Enterprise Pilot Program by James Small at gogoNET LIVE! 3 IPv6 Conference

1. DEVELOPING AN IPV6 ENTERPRISE PILOT PROGRAM
    James Small, CDW Advanced Technology Services

2. SESSION OBJECTIVES
    • Creating Your IPv6 Pilot Plan
    • Initial Pilot Roadmap
    • IPv6 Changes
    • IPv6 Security
    • Pilot Phase 2
    • Parting Thoughts

    Q&A throughout, I may postpone questions until the end depending on time

3. ROADMAP
    • Creating Your IPv6 Pilot Plan
    • Initial Pilot Roadmap
    • IPv6 Changes
    • IPv6 Security
    • Pilot Phase 2
    • Parting Thoughts
4. INITIAL PILOT PLAN
    • Scope
      » Production Impact
      » Goals
      » Hardware
    • Team
      » Implementers
      » Testers
      » Project management
    • Location
      » Deployment
      » Testing

5. INITIAL PILOT PLAN
    • Schedule
      » Duration
      » Deployment
      » Testing
    • Training
      » Material
      » Tailored
      » Support
    • Communication
      » Infrastructure status
      » Solution/Application issues
      » Testing issues/progress

6. INITIAL PILOT PLAN
    • Evaluation
      » Infrastructure goals
      » Success criteria
    • Risks and Contingencies
      » Incident response
      » Project failures
7. PILOT PLAN – INITIAL HARDWARE
    Key Infrastructure Items:
    • Internet Router – 2900 series
    • Internet/DMZ/LAN Switches – 3560 E, X, or C-Series
    • Internet Firewall – ASA
    • WLC – 2504/5508/vWLC and one or more supported APs
    • Beefy server or blade chassis to run Hypervisor host(s)
    • Lots of laptops

8. PILOT PLAN – INITIAL HARDWARE
    Bonus Items:
    • Load Balancer
    • Forward and Reverse Proxy
    • ASR 1k
    • ACS 5.4
    • SIEM Server with IPv6 support
    • NetFlow Collector with NetFlow v9 support

9. PILOT PLAN – INITIAL SOFTWARE
    Key Services:
    • Dual Stack DNS Server with DNS64 support
    • Dual Stack DHCP/DHCPv6 Server
    • Dual Stack File Server
    • Dual Stack Web Server
    • Key Applications
    Bonus Items:
    • IPAM Solution
10. ROADMAP – next section: Initial Pilot Roadmap

11. DESIGN YOUR INITIAL PILOT TOPOLOGY
    (topology diagram)

12. INITIAL PILOT ROADMAP
    • Obtain IPv6 /48 Prefix
    • Pilot Addressing Plan
    • Design and Build Out
    • Address Provisioning
    • DMZ Setup
    • Internal Network Setup
    Image source: northerntrust.com
13. OBTAIN AN IPV6 NETWORK ADDRESS
    • Sign up for free IPv6 Internet access from Hurricane Electric (http://tunnelbroker.net)
    • With your account, request a /48 prefix
    • Q: Why start with Hurricane Electric?
    • A: It works great, service is available from anywhere on the Internet, and you get a /48 all for free.
    • Most important aspect of starting with HE:
      » You need practice creating an addressing plan and deploying IPv6. It will take you at least 3 times to get your addressing plan right, so let's get started…
    • Note: the tunnel broker link is a 6in4 tunnel (IPv6 carried inside IPv4 protocol 41) and is not encrypted. The pilot's own uplink will therefore match the protocol-41 indicator in the monitoring policy later in this deck; permit it explicitly on the one router that terminates it rather than relaxing the policy for everyone.
    Image source: beachdecorshop.com
14. PILOT ADDRESS PLAN GUIDELINES
    Developing a great address plan takes practice
    • Site - /48
    • Loopback Network - /64
    • Loopback - /128
    • Translation Services - /56
    • Point-to-Point - /126
    • Everything else - /64
    Image source: spatial.scholarslab.org

15. EXAMPLE HIGH LEVEL PILOT ADDRESS PLAN
    Create your addressing plan on nibble boundaries:
    • Split up your address allocation by Place In Network (e.g. 2001:db8:babe:X000::/52)
      » 2001:db8:babe:0000::/52 – Management
        - 2001:db8:babe:0000::/64 – Loopbacks
      » 2001:db8:babe:1000::/52 – Labs
      » 2001:db8:babe:2000::/52 – DMZs
      » 2001:db8:babe:3000::/52 – Servers
      » 2001:db8:babe:4000::/52 – User/Desktop
      » (…)
      » 2001:db8:babe:F000::/52 – Special Purpose
        - 2001:db8:babe:FF00::/56 – Reserved for translation services
16. PILOT ADDRESS PLAN THOUGHTS
    Prefixes
    • Basic subnet plan - spreadsheet
    • 65,536 /64 prefixes per /48 - a spreadsheet does not scale!
    Nodes
    • > 18 quintillion (2^64) possible per subnet
    • Sizeable deployments - IPAM desirable
    Reference: IPv6 Subnetting Best Current Operational Practices
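The nibble-boundary plan from slides 14 and 15, carried out in code. This is an added example, not from the deck: it starts from the slide's documentation prefix 2001:db8:babe::/48 and its place-in-network /52 digits, derives the loopback /64, the translation /56, per-device /128s and /64 user subnets, and refuses any plan-level split that does not land on a hex digit. The function names and the choice of the second Management /64 for point-to-point /126s are assumptions of the example.

```python
"""Nibble-aligned IPv6 pilot address plan (added example, not from the deck).

Takes the slide's /48 and place-in-network /52 layout and derives the rest
of the plan from it. Assumptions: the function names, and that point-to-point
/126s are cut from the second /64 of the Management /52.
"""
import ipaddress

SITE = ipaddress.IPv6Network("2001:db8:babe::/48")  # documentation prefix used on the slide

# Place in network -> hex digit X in 2001:db8:babe:X000::/52 (from slide 15)
PLACES = {
    "Management": 0x0,
    "Labs": 0x1,
    "DMZs": 0x2,
    "Servers": 0x3,
    "User/Desktop": 0x4,
    "Special Purpose": 0xF,
}


def nibble_aligned(prefixlen: int) -> bool:
    """True when the prefix length falls on a hex-digit (4-bit) boundary."""
    return prefixlen % 4 == 0


def carve(parent: ipaddress.IPv6Network, new_prefix: int, index: int) -> ipaddress.IPv6Network:
    """Return child number `index` of `parent` at length `new_prefix`.

    Plan-level splits (shorter than /64) must be nibble-aligned so the plan is
    readable in hex; host-level /126 and /128 carve-outs are exempt.
    """
    if new_prefix < parent.prefixlen or new_prefix > 128:
        raise ValueError(f"/{new_prefix} cannot be carved from {parent}")
    if new_prefix < 64 and not nibble_aligned(new_prefix):
        raise ValueError(f"/{new_prefix} is not on a nibble boundary")
    if index >= 2 ** (new_prefix - parent.prefixlen):
        raise ValueError(f"index {index} does not fit under {parent} at /{new_prefix}")
    base = int(parent.network_address) + (index << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))


def build_plan(site: ipaddress.IPv6Network = SITE) -> dict:
    """Place-in-network /52s plus the special carve-outs from slides 14 and 15."""
    plan = {name: carve(site, 52, digit) for name, digit in PLACES.items()}
    plan["Loopbacks"] = carve(plan["Management"], 64, 0x0)          # ...:0000::/64 (slide 15)
    plan["Point-to-Point"] = carve(plan["Management"], 64, 0x1)     # assumption: ...:0001::/64
    plan["Translation"] = carve(plan["Special Purpose"], 56, 0xF)   # ...:FF00::/56 (slide 15)
    return plan


def loopback(plan: dict, device_id: int) -> ipaddress.IPv6Network:
    """Per-device /128 from the loopback /64."""
    return carve(plan["Loopbacks"], 128, device_id)


def point_to_point(plan: dict, link_id: int) -> ipaddress.IPv6Network:
    """Per-link /126 from the point-to-point /64."""
    return carve(plan["Point-to-Point"], 126, link_id)


def user_subnets(plan: dict, count: int) -> list:
    """The first `count` /64s for users; a /52 holds 4096 of them."""
    return [carve(plan["User/Desktop"], 64, i) for i in range(count)]


def as_text(plan: dict) -> str:
    """Spreadsheet-style dump, one allocation per line."""
    return "\n".join(f"{str(net):32} {name}" for name, net in plan.items())


if __name__ == "__main__":
    p = build_plan()
    print(as_text(p))
    print("router 7 loopback:", loopback(p, 7))
    print("link 3:", point_to_point(p, 3))
```

Because every split below /64 is forced onto a nibble boundary, an operator can read the place in network straight off the fourth hextet (4xxx is always User/Desktop), which is the property the slide is after. The same `carve` function is what an IPAM import script would call; the 4096 user /64s are the point where the spreadsheet on slide 16 stops being workable.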
17. THOUGHTS ON INITIAL TOPOLOGY
    • Network Types
      » Dual Stack
      » IPv4 Only
      » IPv6 Only
    • Areas to Look at:
      » Static/Dynamic Routing
      » Load Balancing
      » Proxying
      » Tunneling
      » NAT
      » Dual data/control/management planes
    Image source: fcit.usf.edu

18. A WORD OF CAUTION ON NAT
    • NAT was invented for address conservation
    • Address conservation not needed for IPv6
    • Think carefully before using NAT
      » What applications will this degrade or break?
      » How much is operational complexity increasing?
      » How difficult does support become?
    • More thoughts in Appendix

19. BUILD OUT INITIAL PILOT
    • Infrastructure setup
    • Hypervisor setup
    • Physical and Virtual Nodes with representative Operating Systems
    • Key Applications
    Image source: dspace.mit.edu
20. IPV6 SUPPORT INFRASTRUCTURE
    • DNS
      » Transport
      » Accessibility
      » Dynamic DNS
    • DHCPv6
      » Stateless
      » Stateful
    • WINS/NetBIOS
      » Viability
      » Recommendations
    Image source: jranderson.photoshelter.com

21. IPV6 ADDRESS PROVISIONING OPTIONS
    • Static
      » Gotchas
    • SLAAC
      » Options
      » RDNSS
      » Stateless DHCPv6
    • DHCPv6
      » Stateful DHCPv6
      » SLAAC

22. IPV6 ADDRESS PROVISIONING THOUGHTS
    Address Options and Applicable Systems:
    • Pure Static
    • Static with Options
    • SLAAC, no DHCPv6
      » Basic
      » RDNSS
      » Dynamic VLAN Assignment
    • SLAAC with (Stateless) DHCPv6
    • DHCPv6 (Stateful DHCPv6)

23. BUILD YOUR IPV6 DMZ
    In order of preference:
    • Option 1 – Dual Stack
    • Option 2 – Load balanced (SLB64)
    • Option 3 – Dual Stack Reverse Proxy
    • Option 4 (Discouraged) – Use NAT64
    Image source: flickr.com

24. BUILD YOUR IPV6 INTERNAL NETWORK
    • Connect Internal IPv6 Network to IPv6 Internet
      » Option 1 (Preferred) – Dual Stack
      » Option 2 – Forward Proxy
      » Option 3 – (Legacy) Tunneling
      » Option 4 – Stateful NAT64 (IPv6 Only)
    Image source: wikipedia.org
25. ROADMAP – next section: IPv6 Changes

26. CHANGES WITH IPV6
    • QoS Syntax
      IPv4-Only                Dual Stack
      match ip dscp            match dscp
      match ip precedence      match precedence
      set ip dscp              set dscp
      set ip precedence        set precedence
    • VRF Syntax
      IPv4-Only:
        ip vrf Red
         rd 65001:1
        !
        interface G0/0
         ip vrf forwarding Red
         ip address 192.168.1.1 255.255.255.0
      Dual Stack:
        vrf definition Red
         rd 65001:1
         ! Must explicitly declare each address family to use
         address-family ipv4
         exit-address-family
         !
         address-family ipv6
         exit-address-family
        !
        interface G0/0
         vrf forwarding Red
         ip address 192.168.1.1 255.255.255.0
         ipv6 enable
         ipv6 address 2001:db8:babe::1/64
    • Protocol Updates:
      » From HSRPv1 to HSRPv2
      » From NTPv[1-3] to NTPv4
      » Any command with "ip" in its syntax is suspect: check whether it has a protocol-neutral or "ipv6" form
27. MULTI-PROTOCOL REALITIES
    IPv4 and IPv6 are ships in the night!
    • IPv4 L2 Cache (ARP)
    • IPv6 L2 Cache (Neighbor Discovery)
    Separate ACLs, applied with separate interface commands:
      IPv4:
        ip access-list ext example1
         permit ip 192.168.0.0 0.0.255.255 any
        !
        interface G0/0
         ip access-group example1 in
      IPv6:
        ipv6 access-list example2
         permit ipv6 2001:db8:babe:1::/64 any
        !
        interface G0/0
         ipv6 traffic-filter example2 in

28. MULTI-PROTOCOL REALITIES
    IPv4 L2 Cache: show ip arp
      Protocol  Address          Age (min)  Hardware Addr   Type  Interface
      Internet  192.168.232.1            -  0000.0c9f.f05a  ARPA  Vlan90
      Internet  192.168.232.3           54  0011.bba6.1e80  ARPA  Vlan90
      Internet  192.168.232.12           0  0023.ebe1.5d16  ARPA  Vlan90
      Internet  192.168.234.149          0  Incomplete      ARPA
    IPv6 L2 Cache: show ipv6 neighbors
      IPv6 Address                          Age  Link-layer Addr  State  Interface
      FE80::90:2                              0  02d0.2bff.74db   REACH  Vl90
      2001:470:C4E8:1:108E:7EC3:BCDA:AF5C    47  000c.29f9.ed0b   STALE  Vl101
      2001:470:C4E8:2::2                      0  02d0.2bff.74db   DELAY  Vl90
      FE80::3974:DC3C:AF4D:7239              47  000c.29f9.ed0b   STALE  Vl101
      2001:470:C4E8:2::3                      0  -                INCMP  Vl90
29. EIGRP - BASICS
    From IPv4 to IPv6
      IPv4:
        interface Loopback0
         ip address 172.31.255.1 255.255.255.255
        !
        interface FastEthernet0/0
         ip address 10.1.1.1 255.255.255.0
        !
        router eigrp 1
         network 10.1.1.0 0.0.0.255
         network 172.31.255.1 0.0.0.0
         passive-interface Loopback0
      IPv6:
        ipv6 unicast-routing
        !
        interface Loopback0
         ipv6 enable
         ipv6 address 2001:DB8::1/128
         ipv6 eigrp 1
        !
        interface FastEthernet0/0
         ipv6 enable
         ipv6 address 2001:DB8:1001::1/64
         ipv6 eigrp 1
        !
        ipv6 router eigrp 1
         passive-interface Loopback0

30. EIGRP - ADVANCED
    Integrated Multi-Address Family (named mode)
        router eigrp DualStack
         !
         address-family ipv4 unicast autonomous-system 2
          !
          af-interface Loopback0
           passive-interface
          exit-af-interface
          !
          network 10.1.1.0 0.0.0.255
          network 172.31.255.2 0.0.0.0
         exit-address-family
         !
         address-family ipv6 unicast autonomous-system 2
          !
          af-interface default
           shutdown
          exit-af-interface
          !
          af-interface Loopback0
           passive-interface
          exit-af-interface
          !
          af-interface FastEthernet1/0
           no shutdown
          exit-af-interface
          !
         exit-address-family
31. OSPF - BASICS
    From IPv4 (OSPFv2) to IPv6 (OSPFv3)
      IPv4:
        interface Loopback0
         ip address 172.31.255.1 255.255.255.255
        !
        interface FastEthernet0/0
         ip address 10.1.1.1 255.255.255.0
        !
        router ospf 1
         passive-interface Loopback0
         network 10.1.1.0 0.0.0.255 area 0
         network 172.31.255.1 0.0.0.0 area 0
      IPv6:
        ipv6 unicast-routing
        !
        interface Loopback0
         ipv6 enable
         ipv6 address 2001:DB8::1/128
         ipv6 ospf 1 area 0
        !
        interface FastEthernet0/0
         ipv6 enable
         ipv6 address 2001:DB8:1001::1/64
         ipv6 ospf 1 area 0
        !
        ipv6 router ospf 1
         passive-interface Loopback0

32. OSPF - ADVANCED
    Integrated Multi-Address Family (OSPFv3 carrying both IPv4 and IPv6)
      Interfaces:
        interface Loopback0
         ip address 172.31.255.1 255.255.255.255
         ipv6 enable
         ipv6 address 2001:DB8::1/128
         ospfv3 2 ipv4 area 0
         ospfv3 2 ipv6 area 0
        !
        interface FastEthernet1/0
         (…)
         ospfv3 2 ipv6 area 0
         ospfv3 2 ipv4 area 0
        !
      Process:
        router ospfv3 2
         !
         address-family ipv4 unicast
          passive-interface Loopback0
         exit-address-family
         !
         address-family ipv6 unicast
          passive-interface Loopback0
         exit-address-family
        !
33. BGP - BASICS
    From IPv4 to IPv6
      IPv4:
        router bgp 65203
         network 203.0.113.0 mask 255.255.255.0
         neighbor 198.51.100.1 remote-as 65301
         neighbor 198.51.100.1 description IPv4_ISP
      IPv6:
        ipv6 unicast-routing
        !
        router bgp 65001
         bgp log-neighbor-changes
         neighbor 2001:DB8:1001::2 remote-as 65002
         !
         address-family ipv6
          network 2001:DB8:1001::/64
          neighbor 2001:DB8:1001::2 activate
         exit-address-family

34. BGP - ADVANCED
    Integrated Multi-Address Family
        ipv6 unicast-routing
        !
        router bgp 65203
         no bgp default ipv4-unicast
         !
         neighbor 198.51.100.1 remote-as 65301
         neighbor 198.51.100.1 description IPv4_ISP
         !
         neighbor 2001:db8:0:1::1 remote-as 65301
         neighbor 2001:db8:0:1::1 description IPv6_ISP
         !
         address-family ipv4
          neighbor 198.51.100.1 activate
          network 203.0.113.0 mask 255.255.255.0
         exit-address-family
         !
         address-family ipv6
          neighbor 2001:db8:0:1::1 activate
          network 2001:db8:ace::/48
         exit-address-family
    Reference: IPv6 Peering Best Current Operational Practices Draft
35. ROADMAP – next section: IPv6 Security

36. MONITORING AND CONTROLLING IPV6
    Service             Number/Identifier               Description
    IPv6 Encapsulation  IPv4 protocol 41                Tunnel IPv6 over IPv4
    Teredo/Miredo       UDP/3544                        Tunnel IPv6 over UDP (NAT traversal)
    Teredo/Miredo       Non-standard port               IPv6 destination starting with 2001:0000::/32, over UDP over IPv4
    TSP                 TCP|UDP/3653                    IPv6 tunnel broker using the Tunnel Setup Protocol (RFC 5572)
    AYIYA               TCP|UDP/5072                    IPv6 tunnel broker using Anything In Anything (www.sixxs.net/tools/ayiya/)
    Public 6to4         Anycast relay IPv4 192.88.99.1  IPv6 source address starting with 2002::/16; IPv4 destined to 192.88.99.0/24
    IPv6 Encapsulation  TCP/443                         IPv6 over IPv4 SSL tunnel, many variants
    IPv6 Ethertype      0x86DD                          Distinct from IPv4 Ethertype (0x0800)
    DNS IPv6 Records    Several                         AAAA and updated PTR records; can be transported over IPv4 or IPv6
    Image source: gfi.com
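Detection logic for the table above, as an added example that is not part of the original deck. It classifies NetFlow-style records against the indicators the slide lists (protocol 41, Teredo on UDP/3544 and in 2001::/32, TSP on 3653, AYIYA on 5072, 6to4 in 2002::/16 and the 192.88.99.0/24 relay, Ethertype 0x86DD on a segment that is not supposed to carry IPv6) and extracts the IPv4 address embedded in Teredo and 6to4 addresses so the analyst can see where a tunnel terminates. The Flow record layout and the sample flows are constructed for the example; the slide's TCP/443 SSL-tunnel row is intentionally not matched on port alone.

```python
"""Flag IPv6 tunnel/transition traffic in flow records (added example).

Not part of the original deck. Applies the indicators from the slide's table
to NetFlow-style records. The Flow layout and SAMPLE_FLOWS are constructed
for the example; the slide's TCP/443 "SSL tunnel" row is not matched, since
port 443 alone says nothing about what is inside the TLS session.
"""
import ipaddress
from dataclasses import dataclass

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")        # 2001:0000::/32
SIX_TO_FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
SIX_TO_FOUR_RELAY = ipaddress.IPv4Network("192.88.99.0/24")
PROTO_TCP, PROTO_UDP, PROTO_IPV6_IN_IPV4 = 6, 17, 41
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
TEREDO_PORT, TSP_PORT, AYIYA_PORT = 3544, 3653, 5072


@dataclass
class Flow:
    src: str        # source IP (v4 or v6 literal)
    dst: str        # destination IP
    proto: int      # IP protocol number
    sport: int
    dport: int
    ethertype: int  # as seen on the wire: 0x0800 or 0x86DD


def classify(flow: Flow, ipv6_expected: bool = False) -> list:
    """Return the indicators a flow matches; an empty list means nothing flagged.

    ipv6_expected=False models a segment that has not been enabled for IPv6,
    where any native 0x86DD frame is itself noteworthy.
    """
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    ports = {flow.sport, flow.dport}
    hits = []
    if flow.proto == PROTO_IPV6_IN_IPV4:
        hits.append("6in4 (IPv4 protocol 41)")
    if flow.proto == PROTO_UDP and TEREDO_PORT in ports:
        hits.append("Teredo (UDP/3544)")
    if flow.proto in (PROTO_TCP, PROTO_UDP) and TSP_PORT in ports:
        hits.append("TSP tunnel broker (3653)")
    if flow.proto in (PROTO_TCP, PROTO_UDP) and AYIYA_PORT in ports:
        hits.append("AYIYA tunnel broker (5072)")
    if dst.version == 4 and dst in SIX_TO_FOUR_RELAY:
        hits.append("6to4 relay anycast (192.88.99.0/24)")
    for addr in (src, dst):
        if addr.version == 6 and addr in TEREDO_PREFIX:
            hits.append("Teredo address (2001::/32)")
        if addr.version == 6 and addr in SIX_TO_FOUR_PREFIX:
            hits.append("6to4 address (2002::/16)")
    if flow.ethertype == ETHERTYPE_IPV6 and not ipv6_expected:
        hits.append("native IPv6 (Ethertype 0x86DD) on a segment not enabled for it")
    return hits


def teredo_server_ipv4(addr: str) -> str:
    """Teredo server IPv4 address embedded in bits 32-63 of the address (RFC 4380)."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    return str(ipaddress.IPv4Address((int(a) >> 64) & 0xFFFFFFFF))


def six_to_four_ipv4(addr: str) -> str:
    """IPv4 address embedded in a 6to4 prefix, bits 16-47 (RFC 3056)."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIX_TO_FOUR_PREFIX:
        raise ValueError(f"{addr} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))


def audit(flows: list, ipv6_expected: bool = False) -> list:
    """(src, dst, indicators) for every flow that matches at least one indicator."""
    out = []
    for f in flows:
        hits = classify(f, ipv6_expected)
        if hits:
            out.append((f.src, f.dst, hits))
    return out


# Constructed sample records: documentation addresses (RFC 5737 / RFC 3849)
# plus the well-known Teredo and 6to4 relay identifiers from the slide.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.9", PROTO_IPV6_IN_IPV4, 0, 0, ETHERTYPE_IPV4),
    Flow("10.1.20.5", "65.54.227.120", PROTO_UDP, 51000, TEREDO_PORT, ETHERTYPE_IPV4),
    Flow("10.1.20.6", "192.88.99.1", PROTO_IPV6_IN_IPV4, 0, 0, ETHERTYPE_IPV4),
    Flow("2001:db8:babe:4000::10", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
         PROTO_TCP, 52000, 443, ETHERTYPE_IPV6),
    Flow("2001:db8:babe:4000::11", "2002:c000:204::1", PROTO_TCP, 52002, 80, ETHERTYPE_IPV6),
    Flow("10.1.20.7", "203.0.113.44", PROTO_TCP, 52001, 443, ETHERTYPE_IPV4),
]

if __name__ == "__main__":
    for src, dst, hits in audit(SAMPLE_FLOWS, ipv6_expected=True):
        print(f"{src} -> {dst}: {', '.join(hits)}")
```

Run against a real NetFlow v9 export the records would come from the collector on slide 8; the `ipv6_expected` flag is how a pilot separates the one segment where native IPv6 is sanctioned from the rest of the estate, where an 0x86DD frame means a host has auto-configured from a rogue RA or someone has brought up a tunnel.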
37. IPV6 SECURITY
    Common IPv6 Security Issues and Options:
    Issue                                 Solution
    Spoofed/Illegitimate RAs              RA Guard (or PACL)
    Spoofed NDP NA                        MLD Snooping, DHCPv6 Snooping, NDP Inspection, SeND
    (Spoofed) Local NDP NS Flood          NDP Inspection, NDP Cache Limits, CoPP
    (Spoofed) Remote NDP NS Flood         Ingress ACL, CoPP, NDP Cache Limits
    (Spoofed) DAD Attack                  MLD Snooping, NDP Inspection
    (Spoofed) DHCPv6 Attack               DHCPv6 Guard
    Spoofed/Illegitimate DHCPv6 Replies   DHCPv6 Guard

38. SWITCH IPV6 SECURITY OPTIONS
    3560/3750 E+X, 2960/3560 C, 2960S - 15.0(2)SE:
    • IPv6 First Hop Security Features Include:
      » IPv6 Snooping
      » IPv6 FHS Binding
      » NDP Address Gleaning
      » IPv6 Data Address Gleaning
      » IPv6 DHCPv6 Address Gleaning
      » IPv6 Device Tracking
      » NDP Inspection
      » IPv6 PACL
      » IPv6 DHCPv6 Guard
      » IPv6 RA Guard
      » IPv6 Source Guard
39. IPV6 ACCESS CONTROL
    • Firewall Policy
      » Don't block all ICMPv6!!!
      » In particular, Packet Too Big (type 2) must get through: IPv6 routers never fragment, so blocking it breaks Path MTU Discovery and large transfers simply hang
      » Simple examples for transit traffic (can get more granular):
      » Reference NIST SP 800-119 (Section 3.5, Table 3-7)
      » Reference RFC 4890 (Recommendations for Filtering ICMPv6 Messages in Firewalls)
40. IPV6 ACCESS CONTROL
    • Router/Switch Policy
      » Don't block NDP's NS/NA functionality or you will break IPv6!
        ipv6 access-list Example1
         permit ipv6 any host 2001:db8::1
         permit icmp any any nd-ns
         permit icmp any any nd-na
         deny ipv6 any any
      » Why the explicit NS/NA lines: an IOS IPv6 ACL ends with implicit "permit icmp any any nd-na", "permit icmp any any nd-ns" and "deny ipv6 any any" entries, but as soon as you write your own "deny ipv6 any any" the implicit permits are never reached, so Neighbor Discovery must be permitted above it
41. THINGS TO REVISIT WITH IPV6
    • IPsec
      » Consider migrating to IKEv2/IPsec-v3
    • Secure Hashes:
      » Migrate from MD5 (broken) to SHA-2
    • Diffie-Hellman Groups:
      » Migrate from 1/2/5 to 14+ (14 is only 2048 bits!)
    • Implement Anti-Spoofing functionality (RPF)
    • Look at implementing IPv6 Bogon filtering from Team Cymru
    • Build it right from the start!
42. ROADMAP – next section: Pilot Phase 2

43. DESIGN YOUR OVERLAY PILOT TOPOLOGY
    (topology diagram)
44. ENTERPRISE PILOT – PHASE 2
    • Move from Out-Of-Band to an Overlay
    • Request and set up full IPv6 BGP Peering
    • Expanding your pilot coverage
    • Begin leveraging your standard security solutions
      » IDS/IPS
      » Web Application Firewall
      » Load Balancer
      » Production SIEM
      » Web Security Gateway
      » E-mail Security Gateway
    • Build up your operational and planning abilities for IPv6 deployment
45. ROADMAP – next section: Parting Thoughts
46. SOME THOUGHTS ON IPV6 PROJECTS
    • IPv6 is a large topic
    • Don't try to do everything at once – break deployment into manageable pieces
    • Start simple – phase in more advanced features, don't try to enable all options from day 1
    • IPv6 touches everything – as you get closer to production make sure you involve personnel from all impacted areas
    Image source: blog.lib.umn.edu
47. COSTS
    • All applications, systems, network/infrastructure need to be inventoried for IPv6
      » Some may have no support
      » Some may have limited/software only (slow) support
      » Some will have full support or full support with upgrades
    • No hard deadline, but judicious planning will minimize expenditures
    Image source: fisherpreciousmetals.com

48. MORE DETAILS ON GETTING STARTED
    Additional Appendix Topics:
    • Building Business Support (More Ideas)
    • Building Your Project Plan (More Ideas)
    • Build Your Team
    • Develop Your Architecture
    • Assess Your Infrastructure
    • Training
    • Deployment Approaches
    • IPv6 Address Planning
    Image source: drawingdownthevision.com

49. MORE THOUGHTS ON IPV6
    Additional Appendix Topics:
    • IPv6 Mindset Changes
    • Operational Issues/Risks
    • Thoughts on NAT
    • Issues with Disabling IPv6
    • Application Compatibility
    • Windows IPv6 CLI Basics
    • IPv6 Solutions MIA
    Image source: brides.com

50. RECOMMENDED READING
    (reading list image)

51. QUESTIONS ?
    My IPv6 Blogs: @netsec14, Packet Pushers

52. APPENDIX
    • Building Business Support
    • Building Your Project Plan
    • Build Your Team
    • Develop Your Architecture
    • Assess Your Infrastructure
    • Training
    • Deployment Approaches
    • IPv6 Address Planning
    • IPv6 Mindset Changes
    • Operational Issues/Risks
    • Thoughts on NAT
    • Issues with Disabling IPv6
    • Application Compatibility
    • Windows IPv6 CLI Basics
    • IPv6 Solutions MIA
53. BUILD BUSINESS SUPPORT
    Additional IPv6 Business Case
    • Specific Use Cases
      » Internet of Things (Gartner – A top 10 strategic technology in 2012)
      » Industry specific (SmartGrid, Embedded Networks, Building controls/sensors, etc.)
    • Proxy Mobile IPv6 (PMIPv6) allows seamless roaming from 4G connections to Wireless connections and is getting rolled out soon

54. BUSINESS VALUE PROPOSITION
    • Universal access (no NAT!)
      » Eliminating NAT dramatically simplifies connectivity while only marginally complicating security
    • Low power wireless sensors and embedded networking open a new realm of possibilities
      » Smart Grid, Smart Home, Intelligent Sensors
    • Peer to Peer Communication and Innovation Flourish
      » Voice Calls/Conferencing, Collaboration

55. NEW MARKET OPPORTUNITIES
    • SOHO/Consumer Space (now possible without NAT complexity)
      » Managed services (Health and Security Monitoring, Appliance maintenance, Telemedicine)
    • New Network Realms
      » Personal Sports & Entertainment (Networked Treadmills)
      » Asset Management, Environmental Monitoring
      » Advanced Metering Infrastructures, Industrial Automation
    • Easy Peer to Peer Communication Opens Markets
      » More Efficient Video Consultation for Professionals
      » Widespread Telepresence and Video Conferencing

56. INNOVATION AND EFFICIENCY
    • Embedded networking allows facility automation
      » Possible savings of 30% or more on energy costs (apricot.net)
    • Easy market entry with anything to anything connectivity available to all
      » Easy communication from anywhere to anything
      » People to people
      » Device to device
57. BUILDING YOUR PROJECT PLAN
    • Secure management commitment
    • Incremental, measurable, and achievable steps
    • Be realistic, start simple – IPv6 Multicast Routing may not be required on day 1
    • Effective risk analysis and containment
    • Managing/motivating non-compliant vendors and teams

58. BUILD YOUR TEAM
    IPv6 is a systemic change, in addition to the network team you'll need:
    • Systems/System Administration
    • Development/Applications/DBAs
    • Security
    • Desktop
    • Operations – Monitoring/Tools, Help Desk

59. DEVELOP YOUR PERIMETER ARCHITECTURE
    • Accessible Web Servers
    • Accessible VPN Concentrators
    • Accessible E-mail Servers/Gateways
    • Accessible Portals/Applications
    • Supporting Back Ends/Tiers

60. ASSESS YOUR INFRASTRUCTURE
    • Network/Security Equipment
      » IPv6 done in hardware/line rate?
      » IPv6 done in software (degraded performance)?
      » Upgrade(s) required?
      » Roadmapped support but not current?
      » Incompatible?

61. ASSESS YOUR INFRASTRUCTURE
    • Operating Systems
      » Which versions fully support IPv6?
        - Windows Vista, 7, 8, Server 2008, Server 2012
        - OS X 10.7+
        - Fedora 17, Ubuntu 12.04+
        - UNIX, FreeBSD 9.0
      » Which versions have issues/limitations?
        - Windows XP, Server 2000, Server 2003
        - OS X before 10.7
        - Some quirks with older versions of Linux/BSD

62. ASSESS YOUR APPLICATIONS
    • Web Servers and supporting software
    • E-mail
    • Databases
    • Network Management Systems
    • COTS and custom applications

63. TRAINING
    What is your development plan for:
    • Network staff
    • Systems staff
    • Developers
    • DBAs
    • Security staff
    • Desktop staff
    • Operations – Monitoring/Tools, Help Desk

64. IPV6 ADDRESS PLANNING
    • Probably the most important part of your deployment!
    • PI or PA?
    • Smallest advertised prefixes which won't be filtered (BGP, PI, PA)
    • ULAs?
    • IPAM?
65. IPV6 MINDSET CHANGES
    • Learning to think in networks instead of hosts
    • Letting go of the address scarcity mentality
    • Effective use of IPAM tools becomes crucial
    • Running a multiprotocol network – back to the IPX/AppleTalk/DECnet days

66. OPERATIONAL ISSUES/RISKS
    • Rogue RAs (Windows Internet Connection Sharing)
    • Rogue Tunnels
    • Overlay containment when tunneling (ISATAP reach/control)
    • DNS Issues
    • Broken IPv6 and Happy Eyeballs
67. PROBLEMS WITH NAT
    • Some protocols do not work correctly through NAT and require "fix-ups" (ALGs) or extra configuration
      » E.g. ICMP, FTP, SIP, H.323, RTSP, some VPNs
    • NAT breaks end-to-end connectivity
      » Connection establishment and/or packet data requires a 3rd party
      » Affects Voice Calls, Video Conferencing, file sharing, Collaboration, etc. For example, Skype, FaceTime, WebEx, and Microsoft SharePoint Workspace work better without NAT.
      » Note: Multiple NAT tiers can totally break these applications
    • NAT for address overlap is technically challenging
    • Limits innovation, increases costs/barriers for new ideas/solutions
68. BENEFITS OF NAT
    • NAT simplifies changing ISPs (if PI addresses not used)
    • NAT hides the network topology and foils many simple network scans
      » NAT alone is not secure, but it has been a helpful safety net against sloppy firewall policies
      » Without NAT, firewall policies must be more robust and actively managed
    • NAT can easily solve some complex network issues
      » Multi-homing ISPs, return path selection, asymmetric routing
    • NAT is ubiquitous
      » Today, software is developed with an expectation of NAT
      » Tomorrow…?

69. NAT – PROS/CONS
    Pros                      Cons
    Easier ISP Mobility       Hidden Costs
    Avoid Renumbering         Breaks End to End
    Small Site Multihoming    Many Apps Need ALGs
    Identical Small Sites     Overlapping Networks
    Topology Hiding           Increased Complexity
    Some Added Security       False Sense of Security
    Path Selection/Hiding     Inhibits Innovation

70. THE HIDDEN COSTS OF NAT
    Something to consider when evaluating NAT:
    (cost comparison image)

71. NAT – ALTERNATE SOLUTIONS
    Problem                  IPv6 Solution
    Avoid Renumbering        PI or ULA + GUA
    Small Site Multihoming   LISP or ULA + TTLd GUA
    Identical Small Sites    Standardized Link-Locals
    Topology Hiding          Proxies/MIPv6
    Perceived Security       Stateful Firewall
72. REDMOND'S STANCE
    Per the Microsoft IPv6 FAQ:
    "From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6 — such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail — could be."

73. DISABLING IPV6 IN WINDOWS
    What breaks if IPv6 is disabled on Windows Vista and later?
    • Hyper-V Cluster - It is not possible to add a new node to an existing cluster
    • TMG Server - RRAS breaks
    • Exchange - Mail flow & installation problems
    • SBS Server - Exchange services fail to start & network shows offline
    • DirectAccess - Does not work
    • HomeGroup - Does not work
    • Applications using Windows Peer-to-Peer Networking will not work
74. APPLICATION COMPATIBILITY
    • Things to look for:
      » Embedded IPv4 addresses/literals (e.g. "198.43.84.7")
      » Fields allow IPv6 addresses to be entered
      » Can it handle both DNS A and AAAA (IPv6) records?
      » Does it use the socket API or anything else that is IPv4 specific?
      » Where IP addresses are stored, can the database/storage mechanism deal with IPv6?
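Two of the checks above, as an added example that is not the deck's code: a scanner that finds embedded IPv4 literals and IPv4-only socket API names in source text, and a parser for a host:port input field that accepts IPv6 literals in bracket notation ([2001:db8::1]:443), which is exactly where a naive split on ':' mangles the address. The list of API names, the sample source text and the function names are constructed for the example.

```python
"""Application IPv6-readiness checks (added example, not the deck's code).

scan_source() looks for the embedded IPv4 literals and IPv4-only socket API
calls the slide warns about; parse_hostport() shows how an address field
must be parsed so an IPv6 literal with a port ([2001:db8::1]:443) is not
mangled by a naive split on ':'. The API name list, SAMPLE_SOURCE and the
function names are constructed for the example.
"""
import ipaddress
import re
from typing import Optional, Tuple

IPV4_LITERAL = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
# Names whose presence means the code path can never carry IPv6 (assumed list).
IPV4_ONLY_APIS = ("AF_INET", "sockaddr_in", "in_addr_t", "inet_aton", "inet_addr", "gethostbyname")


def scan_source(text: str) -> dict:
    """Return {'literals': [(line, addr)], 'apis': [(line, name)]} for the source text."""
    findings = {"literals": [], "apis": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IPV4_LITERAL.finditer(line):
            try:
                ipaddress.IPv4Address(m.group())   # drops non-addresses such as 1.2.3.400
            except ValueError:
                continue
            findings["literals"].append((lineno, m.group()))
        for api in IPV4_ONLY_APIS:
            # \b keeps AF_INET from matching AF_INET6
            if re.search(rf"\b{api}\b", line):
                findings["apis"].append((lineno, api))
    return findings


def _port(text: str, default: Optional[int]) -> Optional[int]:
    """Parse a port string, falling back to `default` when empty."""
    if not text:
        return default
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError(f"port {port} out of range")
    return port


def parse_hostport(field: str, default_port: Optional[int] = None) -> Tuple[str, Optional[int], Optional[int]]:
    """Split host[:port] safely. Returns (host, port, family) with family 4, 6 or None.

    Accepts: name, name:port, v4, v4:port, [v6], [v6]:port, bare v6 (no port),
    and a zone ID inside the brackets (fe80::1%eth0).
    """
    field = field.strip()
    if field.startswith("["):
        end = field.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in address field")
        host, rest = field[1:end], field[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError(f"unexpected text after ']': {rest!r}")
        ipaddress.IPv6Address(host.split("%", 1)[0])   # brackets are for IPv6 literals only
        return host, _port(rest[1:], default_port), 6
    if field.count(":") > 1:
        # Unbracketed IPv6 literal: a trailing port would be ambiguous, so none is taken.
        ipaddress.IPv6Address(field.split("%", 1)[0])
        return field, default_port, 6
    host, _, port_text = field.partition(":")
    try:
        family = ipaddress.ip_address(host).version
    except ValueError:
        family = None   # hostname: resolve with getaddrinfo(AF_UNSPEC), not gethostbyname
    return host, _port(port_text, default_port), family


# Constructed sample of the kind of code the audit should catch.
SAMPLE_SOURCE = """\
import socket
LICENSE_SERVER = "198.43.84.7"                     # embedded IPv4 literal
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((LICENSE_SERVER, 7777))
db = socket.gethostbyname("db.example.com")        # A records only, never AAAA
VERSION = "10.4.1"                                  # not an address
"""

if __name__ == "__main__":
    print(scan_source(SAMPLE_SOURCE))
    for f in ("[2001:db8::1]:443", "2001:db8::1", "192.0.2.10:8080", "www.example.com", "[fe80::1%eth0]:22"):
        print(f"{f:24} -> {parse_hostport(f, default_port=443)}")
```

The scanner is deliberately textual so it can be pointed at configuration files and database dumps as well as code; the hits it returns are the starting list for the "where are addresses stored" question on the slide. `parse_hostport` is the shape of the fix for the "fields allow IPv6 addresses" item: the family it returns tells the caller to open an AF_INET6 socket for a literal, or to resolve a hostname with getaddrinfo(AF_UNSPEC) so both A and AAAA answers are tried.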
75. EDUCATION - IPV6 BASICS
    New Windows Commands - netsh interface ipv6:
    show addresses          Detailed information on IPv6 interface addresses
    show destinationcache   Displays the contents of the destination cache, sorted by interface; the destination cache stores the next-hop addresses for destination addresses
    show global             Shows global configuration parameters such as interface address randomization
    show interfaces         Detailed interface list including index numbers/zone identifiers; also try show interfaces level=verbose
    show neighbors          Displays contents of the neighbor cache, sorted by interface; the neighbor cache stores the link-layer addresses of recently resolved next-hop addresses
    show prefixpolicies     Shows prefix policy table (IPv6 versus IPv4 preference order)
    show privacy            Shows interface address privacy configuration parameters
    Note: netsh commands can be abbreviated:
    • netsh interface ipv6 show interface
    Abbreviate as:
    • netsh int ipv6 sh int

76. CISCO SOLUTIONS MISSING IPV6
    • WAAS
    • Nexus 1000V
    • VSG
    • ASA 1000V