Suggestion for an IPv6 Roll Out

With the IPv4 free address pool decreasing in size daily, it is high time for an organisation to start work on implementing IPv6. But such an important process is complex, so where does one start?
This presentation proposes a novel way to roll out IPv6 in an organisation by starting with the easiest services first.

Feedback is welcome.

  • This document is an introduction to a step-by-step approach to IPv6 migration in a corporate network. Contrary to popular belief, IPv6 implementation is not the “great big unknown”. Done correctly, it can be a seamless process causing as little disruption as possible to a corporate network. Here’s how.
  • These are some of the questions we can all ask ourselves today.
  • The total Regional Internet Registry address allocation is the thick blue line. It is clear that this figure is rising.
  • The red line denotes the Internet Assigned Numbers Authority (IANA) pool of IPv4 addresses. The RIR pool of addresses starts declining 6-8 months after the IANA pool has reached nil. Can you see how it’s all aiming to hit the ground? When it does, things will get painful.
  • Not developing a policy for IPv6 adoption in time will make it a lot more “painful” when IPv4 addresses run out. How averse to pain are you?
  • IPv6 implementation should not be a question of “if” but of “when”. Traditionally, the backbone was built first and services were then migrated. The trouble with this order of events is that the high entry cost of building the network is a barrier to entry. In the current economic climate of cost cutting, this is less acceptable to corporates.
  • So here’s a typical corporate network. Say, this is ACME Co.’s network, run by Joe the Plumber. Where do we start testing IPv6?
  • In a textbook roll-out, we build the backbone first, following the tradition of: design, build, implement. This means a large upfront investment with no initial wins. Great for a company with great cash reserves evolving in a boom market, but it might not be acceptable to shareholders in 2009.
  • It is the traditional way of implementing a network: start with the plumbing, including getting an IPv6 connection from the outside world, get your staff educated in IPv6, and then roll out local services, including email, Web servers etc. Great in theory. In practice, there are no quick wins, and early difficulties might slow down implementation with no visible results.
  • Displaying the traditional roll-out order graphically, it is clear that the early steps, 1, 2 and 3, are both costly and technically complex. So-called “quick wins”, minimum-cost, maximum-effect implementations, only appear at stages 6, 7 and 8. By that time, so many hurdles have already appeared that there is friction between finance and engineering.
  • One common misconception is that migration to IPv6 needs to be done all at once. As a result, stumbling blocks in the more complex migration scenarios also hinder the migration of services which might be easy to migrate. This is not an insurmountable mountain! Like any strategic engagement, start with “quick wins”.
  • First things first: a network starts with a central router. So the first step is to get some of your backbone routers to run dual IPv4/IPv6 stacks. Start with a subset of your network. Your servers etc. will be able to connect to it. This “test network” is your first step to IPv6 adoption. This is also where you design your new numbering plan. Design it carefully!
  • Designing the numbering plan is very important. All addresses will be directly routable from the outside world, so you need to get it right. What you do here will shape your company’s network for the foreseeable future. Remember sub-netting and make provisions for future services such as IP telephony etc.
  • The key to any network is DNS. Before you implement any kind of IPv6 network in your company, get your DNS server to run dual stack and include what’s called “IPv6 glue”, that is, the name server has an IPv6 address and responds to queries on that IPv6 address. Once that works well, the ball is rolling.
  • Custom-written front-end software is often used by registrars, registries and larger corporate networks in order to stop employees from doing things they should not do to the DNS. It might also be a Web interface. This will need to be rewritten in order to accept IPv6 addresses.
  • Once your DNS is working on a dual IPv4/IPv6 stack, it’s time to get your email servers running IPv6. Connect them to your IPv6 backbone and you’ve got a useful IPv6 network running.
  • The advantage of running email servers with IPv6 is that it introduces some IPv6 traffic into your network, as well as with outside networks, but should any connection fail, traffic automatically falls back to IPv4.
  • So now you’ve got a test IPv6 network running, it’s time to get connected to the outside world. Traditionally, this is done using a firewall and/or Network Address Translation (NAT), where most IPv4 addresses inside the network are not routable to/from the outside. Using NAT as a firewall is *wrong*. There, I’ve said it.
  • Now that every IPv6 address is routable to/from the outside world, firewall rules need to be precisely defined for each address and block of addresses. This is where security can be tightened, if done right. Make sure this is done correctly, because if not, this is where things are likely to go very wrong, resulting in network intrusions.
  • In an ideal world, every Internet Service Provider (ISP) would be offering IPv6 connectivity today (May 2009). Alas, the chicken-and-egg scenario plays a great part in the currently poor offering by ISPs. Ask for native IPv6 connectivity from your ISP, and soon enough they will offer it. In the meantime, use IPv6 tunneling over IPv4 – but only for smaller networks.
  • Once your company intranet is working, there’s access to the outside world, and you’ve tested the network with a little bit of traffic, it’s time to step up to the next level by getting your Web servers onto the IPv4/IPv6 dual stack. The good thing is that by this stage, your IT personnel have already acquired some real IPv6 experience and exposure.
  • For standard Web servers, it’s pretty much straightforward. Complex systems with load balancing are trickier. But then, if you have such a system, you’re relying on recent technology, and critical applications require critical investment.
  • By then, most run-of-the-mill services will be running IPv4/IPv6 dual stack quite smoothly. It is time to attack the next challenge: database servers, some of which are legacy servers which might *never* be able to run IPv6.
  • The IPv6 – IPv4 NAT implementation will evolve into a small island of IPv4 connectivity in a few years, until that server is replaced in the natural replacement cycle.
  • Expanding your company’s intranet to run dual stack IPv4/IPv6 is the next step. Please note that IPv6 runs on the same cables as IPv4. You can also start connecting a few client PCs through the network – probably those of your IT personnel.
  • Some hardware needs to be replaced. However, by that time, you and your network support staff have experience in implementing and running IPv4/IPv6 dual stack. Upgrading local hubs can be integrated into the natural replacement cycle during standard maintenance periods.
  • It is finally time to get the bulk of the clients connected! By that time, they’re probably eagerly waiting to “get onto IPv6”. Why? Because this will open the door to the new VPN services in Windows 7 & Mac OS X – without requiring a VPN. It’s more secure and it requires less overhead.
  • The costs associated with this stage are directly related to the (lack of) investment in end-user client hardware & software. All new hardware & software will support IPv6 by the time you reach this stage, so costs might even be lower than they are estimated today. Unsupported legacy software and hardware might be a problem.
  • After the testing phase comes the full roll-out, bringing resilience to the IPv6 network cohabiting with the IPv4 network.
  • Experience acquired during the testing phase reduces risk during company-wide roll-out. Well done – your enterprise network now runs IPv6!
  • It is now time to connect all remaining devices to your IPv6 network. This might include specialized legacy servers for storage/applications which might require a front-end IPv6 – IPv4 NAT. This might also include IP telephony, Wi-Fi networks and any remaining devices. Some services might take much effort to migrate, but at least you’ve not missed the boat.
  • Full IPv6 allows for complete integration of all services, whether desktop computers, hand-held devices, sensors, cameras, telephones, or many others. Gradually, more devices will communicate using IPv6. Then, some will offer turning IPv4 off. This will start IPv4’s decline in some applications. Well done, you’ve completed the transition!
  • This is a summary of our proposal for the steps required to transition from IPv4 to IPv6. It is a long road, so your organization needs to start now. For a smoother transition, count on about 12 to 18 months, including time to train your staff to run an IPv6 network. Once you’re through it, you will never look back at IPv4 in the same way again.
  • This shows reduced early costs and ease of implementation in the early phases, in order to kick-start the transition to IPv6.
  • YES WE CAN!
  • We hope that this presentation has been helpful and look forward to seeing you on the IPv6 Internet! Please do not hesitate to contact us for professional services on IPv6 planning and implementation.
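The numbering-plan and firewall notes above (design the plan carefully; with no NAT, every address is routable, so rules must be precise per address) can be made concrete in code. What follows is an added example, not material from the presentation or from Global Information Highway Ltd: it models a site/zone/VLAN numbering plan under a constructed /48, checks that each early dual-stack service sits in the zone the plan expects, flags allow rules wider than a single host, and generates a default-drop nftables forward chain from the service inventory. The prefix, the bit split, the zone names, the host addresses and the rule names are all assumptions of the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: the organisation holds one /48 (the documentation prefix
# 2001:db8:1::/48, not a real assignment). The 16 bits between the /48 and
# each /64 are split as site (4 bits) / zone (4 bits) / VLAN (8 bits). This
# split and the zone names are assumptions of the example, not the deck's plan.
ORG_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")
ZONES = {"infra": 0, "servers": 1, "clients": 2,
         "voip": 3, "wifi": 4}  # voip/wifi reserved now for future services
ZONE_NAMES = {v: k for k, v in ZONES.items()}

# Inbound allow rule: destination prefix, transport, port (None = any port).
Rule = Tuple[ipaddress.IPv6Network, str, Optional[int]]

# Constructed inventory of the first dual-stack services (hypothetical hosts).
SERVICES = [("dns1", "2001:db8:1:1110::53", "udp", 53),
            ("dns1", "2001:db8:1:1110::53", "tcp", 53),
            ("mx1", "2001:db8:1:1110::25", "tcp", 25),
            ("www1", "2001:db8:1:1110::80", "tcp", 80)]


def subnet_for(site: int, zone: str, vlan: int) -> ipaddress.IPv6Network:
    """Return the /64 the plan assigns to (site, zone, vlan)."""
    if not (0 <= site < 16 and 0 <= vlan < 256):
        raise ValueError("site must fit in 4 bits and vlan in 8 bits")
    hextet = (site << 12) | (ZONES[zone] << 8) | vlan
    return ipaddress.IPv6Network((int(ORG_PREFIX.network_address) | (hextet << 64), 64))


def locate(addr: str) -> Tuple[int, str, int]:
    """Decode (site, zone, vlan) from a host address inside ORG_PREFIX."""
    host = ipaddress.IPv6Address(addr)
    if host not in ORG_PREFIX:
        raise ValueError(f"{addr} is outside the numbering plan")
    hextet = (int(host) >> 64) & 0xFFFF
    return hextet >> 12, ZONE_NAMES.get((hextet >> 8) & 0xF, "unassigned"), hextet & 0xFF


def service_rules(services=SERVICES) -> List[Tuple[str, Rule]]:
    """One /128 rule per exposed (host, transport, port); a host whose address
    does not decode to the 'servers' zone is a numbering error and is rejected."""
    out = []
    for name, addr, proto, port in services:
        _site, zone, _vlan = locate(addr)
        if zone != "servers":
            raise ValueError(f"{name} ({addr}) is in zone {zone!r}, not 'servers'")
        out.append((name, (ipaddress.IPv6Network(addr + "/128"), proto, port)))
    return out


def too_broad(rules: List[Rule]) -> List[Rule]:
    """Allow rules that cover more than one host or any port: with no NAT in
    front, one such rule exposes a whole prefix to the Internet."""
    return [r for r in rules if r[0].prefixlen < 128 or r[2] is None]


def render_nft(named_rules: List[Tuple[str, Rule]]) -> str:
    """Emit an nftables forward chain: default drop, stateful return traffic,
    the ICMPv6 messages IPv6 needs (PMTUD, errors, ping), then exact accepts."""
    lines = ["table inet v6edge {",
             "    chain forward {",
             "        type filter hook forward priority 0; policy drop;",
             "        ct state established,related accept",
             "        ct state invalid drop",
             "        icmpv6 type { destination-unreachable, packet-too-big,"
             " time-exceeded, parameter-problem, echo-request, echo-reply } accept"]
    for name, (dst, proto, port) in named_rules:
        lines.append(f"        ip6 daddr {dst.network_address} {proto} dport {port}"
                     f' accept comment "{name}"')
    return "\n".join(lines + ["    }", "}"])
```

The ICMPv6 accept line is not optional: unlike IPv4, IPv6 path MTU discovery and error signalling stop working when ICMPv6 is dropped wholesale, a common mistake when IPv4 firewall habits are carried over.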

    1. IPv6 Roll-out: Where do we start? Olivier MJ Crépin-Leblond PhD http://www.gih.com/ocl.html - [email_address] Version 200908.1 © 2009 Global Information Highway Ltd
    2. IPv4 address depletion
       • How quickly are new addresses allocated?
       • How soon are we running out of addresses?
       • Why do I need to think about this now?
       • Why has it taken so much time to get there?
       • Can’t I just wait until IPv4 addresses run out?
       • Isn’t this going to be costly?
       • Okay – so where/how do I start?
    3. RIR IPv4 Address Assignments (chart; source: http://www.potaroo.net/tools/ipv4/, Figure 9)
    4. IPv4 Address Depletion (chart; source: http://www.potaroo.net/tools/ipv4/, Figure 30)
    5. IPv4 address depletion
       • The pool of IANA unallocated IPv4 address blocks will be depleted by about mid-2011. The pool of Regional Internet Registry (RIR) IPv4 address blocks will be depleted 6-8 months later.
       • 3 options for a new project: 100% IPv6, or using IPv4 Network Address Translation (NAT), or (after 2012) purchasing IPv4 addresses on the market. By that time, the IPv4 address market will likely make those addresses more expensive to obtain.
       • The only sustainable way out of this dilemma is to start transferring services to IPv6 now!
    6. So where do we start?
       • The difficulty of implementing dual stack, i.e. IPv4/IPv6 dual capability, varies from service to service.
       • Since IPv6 is different from IPv4, a period of training, testing and adaptation is required for the network installers and operators.
       • Start as soon as possible in order to be able to perform a tidy and natural network upgrade.
       • The traditional method of rolling out new networks is to start with the backbone and then implement services.
       • This leads to faster implementation, but because it triggers the need to upgrade everything at once, it looks expensive to the managers who will need to sign off the project.
    7. A typical corporate network (diagram)
    8. Textbook roll-out in a large, successful, IT-focused organization
       • Traditionally, roll-out of a network starts in the following order:
         • Access: set up the access router/firewall and IPv6 access. Define a clear network numbering plan.
         • Install client computers / backbone / local offices.
         • Implement full dual-stack resilience in the network.
         • Set up DNS, email, Web servers, database servers etc.
         • Draft a comprehensive IPv6 company policy.
       • Where are the barriers to this implementation?
    9. The textbook roll-out
       Problem: high implementation difficulty and high costs at the early stages of implementation act as a barrier to entry, to which a corporation might be unwilling to commit.

       Stage   Title                   Difficulty   Cost   Status
       1       Access Router/FW        3/5          $$     Test
       2       Client Computers        1/5          $$$    Test
       3       Backbone Router         3/5          $$     Test
       4       Local Hubs              2/5          $$     Test
       5       Dual Stack Resilience   2/5          $$     Test
       6 (*)   DNS Server              1/5          $      Test
       7 (*)   Email Server            1/5          $      Test
       8 (*)   Web Server              1/5          $      Test
       9 (*)   Database Server         3/5          $$$    Test
       10      Write IPv6 policy       5/5          $$

       (*) these stages can take place simultaneously.
    10. Order of Traditional Roll-out (diagram; digit color: cost / box color: difficulty)
    11. So where do we start?
       • Regardless of network topology (which we’ll ignore in our example diagram), start with the “easier” services first! Go for quick wins!
       • Those are services already running on hosts which are naturally IPv6 compatible and can run dual stack in a stable way:
         • You will be surprised how many such hosts exist;
         • You will be surprised how easy it is to make them run IPv4 & IPv6 simultaneously.
    12. Set up dual stack backbone test (diagram)
    13. A step by step approach
       • Most recent routers support IPv6 and IPv4 dual stack.
       • Software upgrade required for older routers.
       • If your backbone routers cannot support IPv6, it might be time to consider replacing them (except in some cases when you could run IPv6 over IPv4).
       • It might be costly to upgrade front-end router management software, although manufacturers are releasing new versions.
       • A new numbering plan is required. Design it carefully.
       Stage 1 | Backbone Router | Difficulty 3/5 | Cost $$ | Status: Test
    14. Implement dual stack DNS (diagram)
    15. A step by step approach
       • Most DNS servers run on Unix/Linux hosts, which are inherently IPv6 compatible.
       • Software upgrade required for older servers.
       • Can be batched with other DNS server upgrades, such as, for example, DNSSEC, DKIM TXT records, SPF, etc.
       • Custom-written front-end input software is the stumbling block here because it might be more costly to upgrade.
       Stage 2 | DNS Server | Difficulty 1/5 | Cost $ | Status: Test
    16. Implement dual stack E-mail/SMTP (diagram)
    17. A step by step approach
       • Most email servers run on Unix/Linux hosts, which are inherently IPv6 compatible (*).
       • Software upgrade required for older servers.
       • If IPv6 does not work, email automatically falls back to IPv4.
       • Use of IPv6 for email opens the door to IP whitelisting and possible future anti-spam & authentication methods.
       (*) http://smtpsurvey.stillhq.com/smtp-survey.cgi?dashboard=1
       Stage 3 | Email Server | Difficulty 1/5 | Cost $ | Status: Test
    18. Connect to the outside world via IPv6 (diagram)
    19. A step by step approach
       • Most recent firewalls support IPv6 and IPv4 dual stack.
       • Software upgrade required for older firewalls.
       • If your firewalls cannot support IPv6, it is time to get ready to replace them.
       • A new numbering plan is required, etc.
       • New company-wide firewall rules are required.
       • The access router/FW can reach native IPv6 directly or through a tunnel.
       • No more Network Address Translation (NAT), so firewall rules need to be precise!
       Stage 4 | Access Router/FW | Difficulty 3/5 | Cost $$ | Status: Test
    20. IPv6 Internet Service Provider?
       • Is your ISP IPv6 compatible?
         • Yes: no problem – you can now connect to the Internet using IPv6.
         • No: your firewall/access router can access the Internet through a tunnel to an IPv6 tunneling service:
           • This is not as hard as it sounds. Many ISPs offer IPv6 tunneling, and setting it up is no harder than setting up a Virtual Private Network.
           • However: when your ISP offers native IPv6, the move from tunneled IPv6 to native IPv6 will require renumbering, so this is only advisable for smaller networks.
       Stage 4.5 | Access Router/FW | Difficulty 2/5 | Cost $ | Status: Test
    21. Set up dual stack Web server (diagram)
    22. A step by step approach
       • Most Web servers run on Unix/Linux hosts + Apache, which are inherently IPv6 compatible (*).
       • Software upgrade required for older servers.
       • Load balancing software and other custom-written front-end software might be the stumbling block here because it might be more costly to upgrade or rewrite. However, not all Web sites use this.
       (*) http://news.netcraft.com/archives/web_server_survey.html
       Stage 5 | Web Server | Difficulty 1/5 | Cost $ | Status: Test
    23. Upgrade intranet databases to dual stack (diagram)
    24. A step by step approach
       • Many database servers run on Unix/Linux hosts, which are inherently IPv6 compatible.
       • Software upgrade required for older servers.
       • Older operating systems and custom-written software are the stumbling blocks here.
       • Some of these systems might be legacy systems which cannot be upgraded. This is where investment is required for an IPv6 – IPv4 NAT implementation.
       Stage 6 | Database Server | Difficulty 3/5 | Cost $$$ | Status: Test
    25. Set up local hub dual stack tests (diagram)
    26. A step by step approach
       • Most recent routers support IPv6 and IPv4 dual stack.
       • Software upgrade required for older routers.
       • If your local routers cannot support IPv6, it is time to get ready to replace them.
       • It might be costly to upgrade front-end router management software, although manufacturers are releasing new versions.
       • A new numbering plan is required, etc.
       • Knowledge has already been acquired from upgrading the backbone.
       Stage 7 | Local Hubs | Difficulty 2/5 | Cost $$ | Status: Test
    27. Set up dual stack clients (diagram)
    28. A step by step approach
       • Ease of use depends on the operating system:
         • Pre-Windows XP: unlikely to upgrade.
         • Windows XP: possible to upgrade but not ideal.
         • Windows Vista: IPv6 compatible.
         • Windows 7: 100% IPv6 compatible + special added features.
         • Mac OS X: IPv6 compatible.
       • Not all software is compatible either.
       • Consider upgrading to the latest O/S + software in the next replacement cycle.
       Stage 8 | Client Computers | Difficulty 1/5 | Cost $$$ | Status: Test
    29. Expand dual stack resilience (diagram)
    30. A step by step approach
       • Most recent routers support IPv6 and IPv4 dual stack.
       • Software upgrade required for older routers.
       • If your backbone routers cannot support IPv6, it is time to get ready to replace them.
       • A new numbering plan is required, etc.
       • By that time, hands-on experience has already been acquired thanks to the test phase. Less time is spent testing.
       Stage 9 | Dual Stack Resilience | Difficulty 2/5 | Cost $$
    31. Full dual stack IPv6 roll-out (diagram)
    32. A step by step approach
       • Includes interfacing with legacy databases.
       • Includes Wi-Fi access, as well as IP telephony.
       • The new numbering plan is followed, etc.
       • By that time, valuable hands-on experience has already been acquired thanks to the test phases, so costs are reduced.
       • The challenge is integration of all new devices.
       Stage 10 | Full Roll-out | Difficulty 5/5 | Cost $$
    33. Summary
       A stage-by-stage roll-out of IPv6/IPv4 dual stack, leading to a migration towards IPv6, is possible and can be seamless if started today. Costs can be spread over time and training can take place in the early testing stages.

       Stage   Title                   Difficulty   Cost   Status
       1       Backbone Router         3/5          $$     Test
       2       DNS Server              1/5          $      Test
       3       Email Server            1/5          $      Test
       4       Access Router/FW        3/5          $$     Test
       5       Web Server              1/5          $      Test
       6       Database Server         3/5          $$$    Test
       7       Local Hubs              2/5          $$     Test
       8       Client Computers        1/5          $$$    Test
       9       Dual Stack Resilience   2/5          $$
       10      Full Roll-out           5/5          $$
    34. Graphical summary of proposal (diagram)
    35. Conclusion
       • Immediately: ensure that IPv6 compatibility is compulsory for all new purchases of IT & telecom equipment (whether directly or through bids).
       • Do not wait for a need to push you to transition: starting this gradual process immediately will ensure a smoother transition process.
       • Starting immediately, your IT personnel will more easily be introduced to IPv6.
       • A more serene approach to resolving this challenge.
       • Reduced risks; reduced costs.
       • Treat this as “inside information”.
    36. Proprietary document. By taking delivery of this Presentation (hereafter “Presentation”), you accept on behalf of your company or organization to comply with the following. No other property rights are granted by the delivery of this Presentation than the right to read it and reproduce it in its entirety, for the sole purpose of information. This Presentation, its content, illustrations and photos shall not be modified without prior written consent of Global Information Highway Ltd (hereafter “GIH”). It can be reproduced in part provided its source is duly acknowledged. Some parts of this Presentation (illustrations and basic Mask/Layout) are copyrighted by third parties including but not limited to Microsoft® as well as Sources quoted. This Presentation and the materials it contains shall not, in whole or in part, be sold, rented, or licensed to any third party subject to payment or not. This Presentation may contain market-sensitive or other information that is correct at the time of going to press. This information involves a number of factors which could change over time, affecting the true public representation. GIH assumes no obligation to update any information contained in this document or with respect to the information described herein. The statements made herein do not constitute an offer or form part of any contract. They are based on GIH information and are expressed in good faith but no warranty or representation is given as to their accuracy. When additional information is required, its author can be contacted to provide further details. GIH shall assume no liability for any damage in connection with the use of this Presentation and the materials it contains, even if GIH has been advised of the likelihood of such damages.
This licence is governed by English law and exclusive jurisdiction is given to the courts and tribunals of England without prejudice to the right of GIH to bring proceedings for infringement of copyright or any other intellectual property right in any other court of competent jurisdiction. All Rights Reserved. © 2009 Global Information Highway Ltd. Global Information Highway Ltd 7 Kensington Church Court London W8 4SP United Kingdom
