Suggestion for an IPv6 Roll Out

IPv4 address depletion

How quickly are new addresses allocated?

How soon are we running out of addresses?

Why do I need to think about this now?

Why has it taken so much time to get there?

Can’t I just wait until IPv4 addresses run out?

Isn’t this going to be costly?

Okay – so where/how do I start?

IPv4 address depletion

Pool of IANA unallocated IPv4 address blocks depleted by about mid-2011. Pool of Regional Internet Registry (RIR) IPv4 address blocks depleted 6-8 months later.

3 options for a new project: 100% IPv6, or using IPv4 Network Address Translation (NAT), or (after 2012) purchase IPv4 address on the market. By that time, IPv4 address market will likely make those addresses more expensive to obtain.

The only sustainable way out of this dilemma is to start transferring services to IPv6 now!

So where do we start?

The difficulty in implementing dual stack, ie. IPv4/IPv6 dual capability, varies from service to service.

Since IPv6 is different to IPv4, a period of training, testing and adaptation is required for the network installers and operators.

Start as soon as possible in order to be able to perform a tidy and natural network upgrade.

The traditional method in rolling out new networks is to start with the backbone and then implement services

This leads to faster implementation but because it triggers the need to upgrade everything at once, it looks expensive to managers who will need to sign for the project.

Textbook roll-out in a large successful IT focused organization

Traditionally , roll-out of a network starts in the following order:

Access: set-up access router/firewall and IPv6 access. Defining a clear networking numbering plan

Install Client Computers / Backbone / Local Offices

Implement full dual-stack resilience in network

Set-up DNS, Email, Web Servers, Database Servers etc.

Draft a comprehensive IPv6 company policy

Where are the barriers to this implementation?

The textbook roll-out Problem: high implementation difficulty and high costs at early stages of implementation act as a barrier to entry, to which a corporation might be unwilling to commit. (*) these stages can take place simultaneously. © 2009 Global Information Highway Ltd Test $$ 2/5 Dual Stack Resilience 5 Test $$ 2/5 Local Hubs 4 Test $$ 3/5 Backbone Router 3 Test $$$ 1/5 Client Computers 2 Test $$ 3/5 Access Router/FW 1 $$ 5/5 Write IPv6 policy 10 Test $$$ 3/5 Database Server 9 (*) Test $ 1/5 Web Server 8 (*) Test $ 1/5 Email Server 7 (*) Test $ 1/5 DNS Server 6 (*) Status Cost Difficulty Title Stage

So where do we start?

Regardless of network topology (which we’ll ignore in our example diagram), start with the “ easier ” services first! Go for quick wins!

Those are services already running on hosts which are naturally IPv6 compatible and can run dual stack in a stable way:

You will be surprised how many such hosts exist;

You will be surprised how easy it is to make them run IPv4 & IPv6 simultaneously.

A step by step approach

Most recent routers support IPv6 and IPv4 dual stack.

Software upgrade required for older routers.

If your backbone routers cannot support IPv6, it might be time to consider replacing them (except in some cases when you could run IPv6 on IPv4)

It might be costly to upgrade front end router management software, although manufacturers are releasing new versions.

New numbering plan is required. Design it carefully.

Most DNS servers run on Unix/Linux hosts which are inherently IPv6 compatible.

Software upgrade required for older servers.

Can be batched with other DNS server upgrades, such as, for example, DNSSEC, DKIM text, SPF, etc.

Custom-written Front End input software is the stumbling block here because it might be more costly to upgrade.

Most Email servers run on Unix/Linux hosts which are inherently IPv6 compatible * .

If IPv6 does not work, email automatically falls back to IPv4.

Use of IPv6 for Email opens the door to IP whitelisting and possible future anti-spam & authentication methods.

Most recent Firewalls support IPv6 and IPv4 dual stack.

Software upgrade required for older Firewalls.

If your Firewalls cannot support IPv6, it is time to get ready to replace them.

New numbering plan is required etc.

New company-wide Firewall rules are required.

Access Router/FW can access native IPv6 directly or through a tunnel.

No more Network Address Translation (NAT) so Firewall rules need to be precise!

IPv6 Internet Service Provider?

Is your ISP IPv6 compatible?

Yes: no problem – you can now connect to the Internet using IPv6

No: your Firewall/Access Router can access the Internet through a Tunnel to an IPv6 tunneling service:

This is not as hard as it sounds. Many ISPs offer IPv6 tunneling and setting up is no harder than setting up a Virtual Private Network.

However: when your ISP will offer Native IPv6, the move from tunneled IPv6 to native IPv6 will be require renumbering, so this is only advisable for smaller networks.

Most Web servers run on Unix/Linux hosts + Apache which are inherently IPv6 compatible * .

Load balancing software and other custom-written front end software might be the stumbling block here because it might be more costly to upgrade or rewrite. However, not all Web sites use this.

Many database servers run on Unix/Linux hosts which are inherently IPv6 compatible.

Older Operating Systems and custom-written software are the stumbling blocks here.

Some of these systems might be legacy systems which cannot be upgraded. This is where investment is required for an IPv6 – IPv4 NAT implementation.

If your local routers cannot support IPv6, it is time to get ready to replace them.

It might be costly to upgrade front end router management software, although manufacturers are releasing new versions.

Knowledge has already been acquired from upgrading backbone.

Ease of use depends on operating system:

Pre-windows XP: unlikely to upgrade.

Windows XP: possible to upgrade but not ideal.

Windows Vista: IPv6 compatible.

Windows 7: 100% IPv6 compatible + special added features.

Mac OSX: IPv6 compatible.

Not all software compatible either.

Consider upgrading to latest O/S + Software in next replacement cycle.

If your backbone routers cannot support IPv6, it is time to get ready to replace them.

By that time, hands-on experience has already been acquired thanks to test phase. Less time is spent testing.

Includes interfacing with legacy databases.

Includes WIFI access, as well as IP telephony.

New numbering plan is followed etc.

By that time, valuable hands-on experience has already been acquired thanks to test phases so costs are reduced.

The challenge is integration of all new devices.

Summary A stage by stage roll-out of IPv6/IPv4 dual stack, leading to a migration towards IPv6 is possible and can be seamless if started today. Costs can be spread over time and training can take place in early testing stages. © 2009 Global Information Highway Ltd Test $$ 3/5 Backbone Router 1 $$ 5/5 Full Roll-out 10 $$ 2/5 Dual Stack Resilience 9 Test $$$ 1/5 Client Computers 8 Test $$$ 3/5 Database Server 6 Test $$ 2/5 Local Hubs 7 Test $ 1/5 Web Server 5 Test $$ 3/5 Access Router/FW 4 Test $ 1/5 Email Server 3 Test $ 1/5 DNS Server 2 Status Cost Difficulty Title Stage

Conclusion

Immediately: Ensure that IPv6 compatibility is compulsory for all new purchases of IT & Telecom Equipment (whether directly or through bids).

Do not wait for a need to push you to transition: starting this gradual process immediately , will ensure a smoother transition process.

Starting immediately , your IT personnel will more easily be introduced to IPv6.

A more serene approach to resolve this challenge.

Reduced Risks; Reduced costs.

Treat this as “inside information”

Proprietary document. By taking delivery of this Presentation (hereafter “Presentation”), you accept on behalf of your company or organization to comply with the following. No other property rights are granted by the delivery of this Presentation than the right to read it and reproduce it in its entirety, for the sole purpose of information. This Presentation, its content, illustrations and photos shall not be modified without prior written consent of Global Information Highway Ltd (hereafter “GIH”). It can be reproduced in part provided its source is duly acknowledged. Some parts of this Presentation (illustrations and basic Mask/Layout) are copyrighted by third parties including but not limited to Microsoft® as well as Sources quoted. This Presentation and the materials it contains shall not, in whole or in part, be sold, rented, or licensed to any third party subject to payment or not. This Presentation may contain market-sensitive or other information that is correct at the time of going to press. This information involves a number of factors which could change over time, affecting the true public representation. GIH assumes no obligation to update any information contained in this document or with respect to the information described herein. The statements made herein do not constitute an offer or form part of any contract. They are based on GIH information and are expressed in good faith but no warranty or representation is given as to their accuracy. When additional information is required, its author can be contacted to provide further details. GIH shall assume no liability for any damage in connection with the use of this Presentation and the materials it contains, even if GIH has been advised of the likelihood of such damages. This licence is governed by English law and exclusive jurisdiction is given to the courts and tribunals of England without prejudice to the right of GIH to bring proceedings for infringement of copyright or any other intellectual property right in any other court of competent jurisdiction. All Rights Reserved. © 2009 Global Information Highway Ltd. Global Information Highway Ltd 7 Kensington Church Court London W8 4SP United Kingdom