KINBER 2013 Member Meeting

IPv6 Support Required for All IP-Capable Nodes – RFC 6540

Given the global lack of available IPv4 space, and limitations in IPv4 extension and transition technologies, this document advises that IPv6 support is no longer considered optional. It also cautions that there are places in existing IETF documents where the term "IP" is used in a way that could be misunderstood by implementers as the term "IP" becomes a generic that can mean IPv4 + IPv6, IPv6-only, or IPv4-only, depending on context and application.

RFC 6540
• Are you aware of this requirement?
• Are your nodes IPv6 capable?

Background
• IPv4 depletion is already occurring
• IPv6 adoption is accelerating
• Most network hardware supports IPv6
• For the most part, dual stack Just Works

[Figure: IPv4 Free Pool Depletion, http://www.potaroo.net/tools/ipv4/]
[Figure: IPv6 Routing Table Growth, http://bgp.potaroo.net/v6/as2.0/]

US Feds Lesson Learned

The US federal government had a mandate for all public facing web services to support IPv6 by September 30, 2012.
287 of 1494 sites had IPv6 web support by the deadline.
Today 958 of 1351 sites support IPv6.
That’s over 70%. Not 100%, but far ahead of most other large organizations.
Source: http://usgv6-deploymon.antd.nist.gov//

But Can We Afford to Deploy IPv6?
• Well, what are the costs?
  – See Lee Howard’s talks on IPv6 deployment costs (and costs of NOT deploying IPv6) (http://www.youtube.com/watch?v=vXf8ZIew1j0)
  – A good estimate for the cost of renumbering existing devices to free up IPv4 space is $2.50/device
  – Sale of an IPv4 address is likely to bring in $10-15 per address for the next year or two
  – After ARIN free space run-out, each IPv4 address is likely to bring in twice that, $20-30, and up

Paying for IPv6 Deployment
• Many educational institutions have large address allocations
  – Some math for an example institution that has a /16 (historically called a “Class B”)
  – /16 = 65,384 addresses
  – Let’s assume that by renumbering ¼ of that address space, that ½ of it will be freed
    • ¼ of 65,384 is 16,346
    • ½ of 65,384 is 32,692
    • It costs $2.50 to renumber 16,346 devices. 2.50*16346=$40,865
    • At sale, addresses fetch $20 each. 20*32,692=$5,081,730.
    • Net proceeds: $5,081,730-$40,865=$5,040,865!!!

What next?

“Okay, my organization is convinced it’s time to begin IPv6 deployment, what do I need to consider?”

Consider the Fundamentals of Best Practice

The fundamentals haven’t changed a bit for IPv6; consider:
• Security
• Maintainability
• Scalability
• Performance
• Flexibility

Apply the Fundamentals

What areas need the most attention?
• Addressing plan
• Interconnectivity
• Bootstrapping/AAA
• Security issues
• Staff training
• Transition

IPv6 Address Space is VAST

“IPv6 uses a 128-bit address, allowing 2^128, or approximately 3.4×10^38 addresses, or more than 7.9×10^28 times as many as IPv4, which uses 32-bit addresses.” (Wikipedia)

That’s 340 Undecillion!
Undecillion is a number with 36 zeros.
We must change our thinking about how to allocate address space to meet our best practice goals.

State of Assignments
• All of the registries, for the most part, assign initial blocks for
  – Service provider: /32
  – Enterprise: /48

What makes up a good addressing plan?
• Depends on the type of network, the size of the network, and problem to be solved
• Points to consider
  – Documentation
  – Ease of troubleshooting
  – Aggregation
  – Standards compliance
  – Growth
  – SLAAC
  – Existing IPv4 addressing plan
  – Human factors
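
An added example, not part of the original slides: one way to turn the points above into a checkable plan for an enterprise /48. The prefix (documentation range), site numbers, VLAN IDs and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumptions (constructed): 2001:db8:abcd::/48 is a documentation-range
# stand-in for an enterprise /48; site numbers and VLAN IDs are made up.
ALLOCATION = ipaddress.ip_network("2001:db8:abcd::/48")
SITES = {"main-campus": 0x10, "north-campus": 0x20}
VLANS = {"servers": 10, "staff": 20, "students": 30}  # existing IPv4 VLAN IDs


def site_block(site_no):
    """Aggregation: each site gets one /56, site number in bits 48-55."""
    if not 0 <= site_no <= 0xFF:
        raise ValueError("site number must fit in 8 bits")
    base = int(ALLOCATION.network_address) | (site_no << 72)
    return ipaddress.ip_network((base, 56))


def vlan_subnet(site_no, vlan_id):
    """SLAAC needs a /64; the VLAN ID is written so it reads as decimal
    in the hex address (VLAN 20 -> ...:xx20::/64), a human-factors choice."""
    if not 0 <= vlan_id <= 99:
        raise ValueError("this plan reserves two hex digits per VLAN")
    base = int(site_block(site_no).network_address) | (int(str(vlan_id), 16) << 64)
    return ipaddress.ip_network((base, 64))


def build_plan():
    """Documentation: map every (site, vlan) name pair to its /64."""
    return {(s, v): vlan_subnet(n, vid)
            for s, n in SITES.items() for v, vid in VLANS.items()}


def check_plan(plan):
    """Return problems found: wrong prefix length, subnet outside its
    site block, or two entries that overlap."""
    problems = []
    entries = list(plan.items())
    for i, ((site, vlan), net) in enumerate(entries):
        if net.prefixlen != 64:
            problems.append(f"{site}/{vlan}: /{net.prefixlen} breaks SLAAC")
        if not net.subnet_of(site_block(SITES[site])):
            problems.append(f"{site}/{vlan}: outside the site /56")
        for other, other_net in entries[i + 1:]:
            if net.overlaps(other_net):
                problems.append(f"{site}/{vlan} overlaps {other[0]}/{other[1]}")
    return problems
```

Running `check_plan(build_plan())` before a change is deployed catches a subnet that would break aggregation or SLAAC while it is still only a line in the documentation.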

Interconnectivity
• Routing protocols have been updated, but the fundamental concepts remain the same
  – Run routing protocols such that they fail when the underlying transport fails
    • That means separate v4 and v6 protocols
  – For ease of management, configure IPv4 and IPv6 connectivity to follow the same paths
  – Also use the same routing policies whenever possible
• Ask your Internet traffic peers, suppliers, partners and clients to begin transporting IPv6 traffic

Security Issues
• Use the same diligence you used for IPv4
• Ask equipment vendors to support specific protections in IPv6
  – RA-Guard – prevents an attacker from sending rogue RAs into the network and becoming a man-in-the-middle
  – DHCP-Shield – similar to RA-Guard in that it blocks fake DHCP servers from giving out false information
• Ensure equipment supports all IPv4 features you use in IPv6 as well such as ACLs, anti-spoof filtering (RPF), etc. Why should v6 be any different in these areas?
• Where firewalls are needed, ensure your choice of firewall supports v6 as well as v4.
• NAT is NOT a security feature and v6 doesn’t have it
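
An added example, not part of the original slides and not any vendor's RA-Guard implementation: the kind of policy check RA-Guard applies, written as a monitor that inspects a Router Advertisement and reports why it should be dropped. The authorized router address, site prefix, sample packets and function names are constructed assumptions.

```python
import ipaddress
import struct

# Constructed policy: the one authorized router and the site's prefix.
ALLOWED_ROUTERS = {ipaddress.ip_address("fe80::1")}
ALLOWED_PREFIXES = [ipaddress.ip_network("2001:db8:abcd::/48")]


def sample_ra(prefix):
    """Build a constructed RA (ICMPv6 type 134, checksum left at 0)
    carrying one Prefix Information option, for testing the checker."""
    net = ipaddress.ip_network(prefix)
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return header + option + net.network_address.packed


def ra_prefixes(icmp):
    """Yield the prefixes advertised in Prefix Information options."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    pos = 16  # the fixed RA header is 16 bytes; options follow
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed RA option")
        if opt_type == 3 and opt_len == 32:
            addr = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            yield ipaddress.ip_network((addr, icmp[pos + 2]), strict=False)
        pos += opt_len


def check_ra(src, hop_limit, icmp):
    """Return the reasons to drop this RA; an empty list means it matches policy."""
    reasons = []
    source = ipaddress.ip_address(src)
    if hop_limit != 255:
        reasons.append("hop limit is not 255, so the RA did not originate on-link")
    if source not in ALLOWED_ROUTERS:
        reasons.append(f"source {source} is not an authorized router")
    try:
        for prefix in ra_prefixes(icmp):
            if not any(prefix.subnet_of(ok) for ok in ALLOWED_PREFIXES):
                reasons.append(f"prefix {prefix} is outside the site allocation")
    except ValueError as err:
        reasons.append(str(err))
    return reasons
```

A switch enforcing RA-Guard makes the same decision per port in hardware; a check like this is useful on a monitoring host for segments where the switches cannot enforce it.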

Staff Training
• Find an experienced organization to provide training
• Education and research institutions require a different level of scalability and maintainability than enterprise; use a trainer that understands education’s unique challenges
• Build a lab, get a tunnel to experiment with IPv6

How to get there from here
• IPv6 transition technologies have been designed by standards organizations to make a transition to an IPv6 world easier
• They all involve compromises in performance or functionality (or both) because inherently IPv4-only devices CAN NOT speak to IPv6-only devices without help
• These technologies bridge between those worlds, or allow one to operate on top of the other

Transition
• 3 types of transition technologies
  – Dual Stack
    • Hopefully will be the most common
    • Simply means running both v4 and v6 at the same time
  – Tunneling
    • Putting either IPv4 packets inside IPv6 packets or vice versa, depending on the situation
    • Can be useful to solve problems in certain areas, but in general, tunneling hurts performance and should be avoided when possible
    • Examples: 6rd, 6in4, 4in6, DS-Lite, MAP
  – Translation
    • Converting an IPv4 packet into an IPv6 packet or vice versa
    • Like in tunnels, can be useful in certain circumstances, especially for rapid deployment of IPv6 on public facing services such as web servers
    • Example: NAT64

Case Study - InteropNet
• InteropNet is the network that supports the Interop trade show, known as one of the largest portable, rapid deployment networks in the world
• The network supports 100’s of exhibitor booths and 10’s of thousands of attendees to the show
• Native IPv6 has been consistently supported everywhere in the network for the last 3 years (and supported in a less ubiquitous manner for over 15 years)
• Users inside the InteropNET used IPv6 to reach www.interop.com without knowing it
• 4 GB delivered over IPv6
• 13 GB delivered over IPv4

Case Study – City of Douglasville, GA
• One of the first, free, metro Wifi projects to support native IPv6
• Covers 60 acres in Douglasville, a suburb of Atlanta including parks and a downtown pedestrian area

Conclusions
• IPv6 works in the real world
• There are challenges to implementing IPv6, but nothing show-stopping
• Much of the Internet’s content is reachable over IPv6 (and growing fast) including all of Google, Facebook and 3000 other sites
• A much smaller percentage of Internet users have IPv6 connectivity (though this may change quickly with IPv4 depletion)

Questions?

Brandon Ross – email@example.com - +1-404-635-6667