Ron Broersma dren-stavanger-22 nov2011



  1. Enterprise IPv6 Deployment Experiences
     - and -
     Deployment to U.S. Government
     Norwegian IPv6 Conference, 22 Nov 2011, Stavanger, Norway
     Ron Broersma, DREN Chief Engineer, SPAWAR Network Security Manager, Federal IPv6 Task Force
  2. DREN/SPAWAR Progress [chart not reproduced in the transcript]  22-Nov-2011
  3. The major issues for us
     • Lack of IPv6/IPv4 feature parity – taking too long to get there
     • Vendors not eating their own dogfood – but starting to turn around
     • Rogue RAs – set router preference to "high" (RFC 4191) as a workaround
     • Privacy Addresses (RFC 4941) – no good solution yet
     • Mac OS X 10.6 – but starting to get much better (10.6.8, 10.7)
     • Network Management over IPv6
     • Operational Complexity
  4. Lack of "feature parity"
     • "Feature parity" between IPv4 and IPv6 is something we expect in all products.
       – If the device supports a capability in IPv4, we want it to support that same capability in IPv6.
     • Nobody delivers feature parity today.
       – Some vendors are working to fix this.
     • Until we achieve feature parity...
       – IPv6 is something less than IPv4
       – You may need to re-engineer your network to accommodate missing features.
  5. Privacy Addresses (RFC 4941)
     • Incompatible with many enterprise environments
       – Need address stability for many reasons: logging, forensics, DNS stability, ACLs, etc.
     • Enabled by default in Windows
       – Breaks plug-n-play because we have to visit every Windows machine to disable this feature.
     • Just added in Mac OS X "Lion".
     • Now default in latest openSUSE (12.1)
     • Ubuntu thinking about making it default.
     "[Privacy addresses] are horrible and I hope nobody really uses them, but they're better than NAT." (Owen DeLong, Hurricane Electric)
  6. Living with Privacy addresses
     • Where your clients support DHCPv6, use that to assign addresses
       – No DHCPv6 client support in Windows XP, Mac OS X before 10.7 (Lion), etc.
     • If all your Windows systems are in Active Directory, use GPO to disable privacy addresses
     • Options for other systems:
       – configure system to disable privacy addresses
         • registry setting in Windows (see the netsh commands below)
       – configure addresses statically on the hosts
       – keep a historical record of all MAC address to IPv6 address mappings for every host, for correlation in IDS and forensics tools
     Windows (run as Administrator; the first disables temporary addresses, the second disables the randomized interface identifier so the stable address is EUI-64 derived from the MAC):
       netsh interface ipv6 set privacy state=disabled store=persistent
       netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
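The last option above (keep a history of MAC-to-IPv6 mappings so a privacy address in an IDS alert can still be tied to a host) is the one that works for hosts you cannot reconfigure. The following is an added example, not code from the slides or from DREN: it assumes periodic snapshots of a Linux neighbor cache in `ip -6 neigh show` format (the sample lines and timestamps are constructed), tells EUI-64 addresses from temporary ones by the `ff:fe` marker in the interface identifier, and answers "which MAC owned this address at this time" and "which addresses has this MAC used". The snapshot interval of 3600 s is an assumption.

```python
"""Correlating RFC 4941 temporary addresses back to hosts.

Added example (not from the original slides).  A history of MAC <-> IPv6
mappings is built from periodic neighbor-cache snapshots so that an address
seen later in a log or IDS alert can still be attributed to a machine.
The `ip -6 neigh show` line format (Linux) is assumed."""
import ipaddress
import re
from collections import defaultdict

SNAPSHOT_INTERVAL = 3600  # assumed: how often the neighbor cache is scraped

# Constructed sample snapshots: (unix time, one `ip -6 neigh show` line).
# The same MAC appears with an EUI-64 address and two temporary addresses.
SNAPSHOTS = [
    (1700000000, "2001:db8:1:2:21b:21ff:fe3c:4d5e dev eth0 lladdr 00:1b:21:3c:4d:5e REACHABLE"),
    (1700000000, "2001:db8:1:2:8c2f:19a7:bb43:2e01 dev eth0 lladdr 00:1b:21:3c:4d:5e STALE"),
    (1700003600, "2001:db8:1:2:d0c1:5e4a:7710:93fe dev eth0 lladdr 00:1b:21:3c:4d:5e REACHABLE"),
    (1700003600, "fe80::1 dev eth0 lladdr 00:00:5e:00:01:01 router REACHABLE"),
    (1700003600, "2001:db8:1:2::ffff dev eth0  FAILED"),  # no lladdr: skipped
]

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})")


def eui64_to_mac(addr):
    """Return the MAC embedded in an EUI-64 interface ID, or None when the
    IID lacks the ff:fe marker (i.e. it is a temporary/random IID)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if ((iid >> 24) & 0xFFFF) != 0xFFFE:
        return None
    b = iid.to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]  # flip the u/l bit back
    return ":".join("%02x" % x for x in mac)


def is_temporary(addr):
    """Heuristic: an address whose IID is not EUI-64 derived."""
    return eui64_to_mac(addr) is None


def build_history(snapshots):
    """Return {ipv6: [(first_seen, last_seen, mac), ...]} in time order."""
    hist = defaultdict(list)
    for ts, line in sorted(snapshots):
        m = NEIGH_RE.match(line)
        if not m:
            continue  # incomplete/failed entries carry no MAC
        addr, _dev, mac = m.groups()
        addr = str(ipaddress.IPv6Address(addr))  # normalise textual form
        entries = hist[addr]
        if entries and entries[-1][2] == mac:
            entries[-1] = (entries[-1][0], ts, mac)  # extend current run
        else:
            entries.append((ts, ts, mac))  # new owner (or first sighting)
    return dict(hist)


def who_had(hist, addr, ts, slack=SNAPSHOT_INTERVAL):
    """MAC that owned `addr` at time `ts`; a mapping is assumed valid until
    one snapshot interval after it was last observed.  None if unknown."""
    addr = str(ipaddress.IPv6Address(addr))
    for first, last, mac in hist.get(addr, []):
        if first <= ts <= last + slack:
            return mac
    return None


def addresses_for(hist, mac):
    """Every address a MAC has been seen with: the list an analyst has to
    search logs for when privacy addresses rotate."""
    return sorted(a for a, ents in hist.items() if any(e[2] == mac for e in ents))
```

The EUI-64 check is only a heuristic for attribution: a host with `randomizeidentifiers` enabled has a stable but non-EUI-64 address, so the history, not the address format, is what ties it to a MAC.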
  7. Rogue Router Advertisements (see RFC 6104)
     • Router Advertisements (RAs) inform hosts of the default router/gateway
     • Windows systems with Internet Connection Sharing (ICS) enabled, and IPv6 enabled, will announce themselves as the default router using RAs ("Rogue RAs").
       – VERY common problem
     • Hosts then start sending all their default traffic to the Windows system
     • Workaround: set router preference to "high" (RFC 4191)
       – Doesn't work on JunOS
     • Long term: "RA Guard" (RFC 6105) or SeND (RFC 3971)
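Why the "high" preference workaround helps: RFC 4191 adds a 2-bit Prf field to the RA flags byte, and a host that implements it picks the default router with the highest preference, so a legitimate router at "high" beats an ICS box sending the default "medium". The following is an added example, not code from the slides; it builds ICMPv6 RA headers by hand (constructed bytes, no packets sent), parses the Prf field and applies the selection rule. The link-local addresses used as sources are made up.

```python
"""RFC 4191 default-router preference, as an added example (not from the
original slides).  Demonstrates why setting the real router's preference to
"high" lets hosts that honour RFC 4191 ignore a rogue RA sent at the default
(medium) preference.  RA bytes are constructed locally; nothing is sent."""
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_HDR = "!BBHBBHII"  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans

# RFC 4191 section 2.1: Prf bits in the flags byte (bits 3-4): 01 high,
# 00 medium, 11 low; 10 is reserved and MUST be treated as medium.
PRF_VALUE = {0b01: 1, 0b00: 0, 0b11: -1}
PRF_NAME = {1: "high", 0: "medium", -1: "low"}


def build_ra(src, lifetime, prf_bits=0b00):
    """Constructed RA header from `src` (a made-up link-local address).
    The checksum is left at 0 because nothing here goes on the wire."""
    flags = (prf_bits & 0b11) << 3
    hdr = struct.pack(RA_HDR, ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, lifetime, 0, 0)
    return src, hdr


def parse_ra(pkt):
    """Return (router_lifetime, preference) from an RA header.
    Reserved Prf value 10 is mapped to medium, as RFC 4191 requires."""
    typ, code, _csum, _hl, flags, lifetime, _reach, _retrans = struct.unpack(RA_HDR, pkt[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    prf_bits = (flags >> 3) & 0b11
    return lifetime, PRF_VALUE.get(prf_bits, 0)


def choose_default_router(ras):
    """Host-side selection: drop RAs with Router Lifetime 0 (not a default
    router), then keep the highest preference.  Returns (chosen, tied);
    len(tied) > 1 means hosts may legitimately pick any of them."""
    candidates = []
    for src, pkt in ras:
        lifetime, pref = parse_ra(pkt)
        if lifetime == 0:
            continue
        candidates.append((pref, src))
    if not candidates:
        return None, []
    best = max(p for p, _ in candidates)
    tied = [s for p, s in candidates if p == best]
    return tied[0], tied


if __name__ == "__main__":
    legit = build_ra("fe80::1", 1800, prf_bits=0b01)   # real router, "high"
    rogue = build_ra("fe80::dead:beef:1:2", 1800)       # ICS host, default "medium"
    for src, pkt in (legit, rogue):
        life, pref = parse_ra(pkt)
        print(src, "lifetime", life, "preference", PRF_NAME[pref])
    print("chosen:", choose_default_router([rogue, legit]))
    print("without the workaround:", choose_default_router([rogue, build_ra("fe80::1", 1800)]))
```

The tie case in the last line is the situation before the workaround: both RAs are medium and hosts split between them. The preference only protects against accidental rogues; a deliberate attacker can also set "high" (or send a lifetime 0 RA for the real router), which is why RA Guard or SeND is the long-term answer.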
  8. Network Management
     • Can you do all your network management over IPv6?
       • Not yet, but very soon
       • Most products cannot be managed over IPv6-only
     • Goal: IPv6-only on management LAN by January 2011
       • already removed all IPv4 configuration from all layer-2 switches
       • changed vendors in some cases
       • eliminated old hardware that will never support IPv6
       • awaiting software updates to resolve last remaining issues
  9. Management over IPv6 in some products
     • Previously (June)... [table: per-vendor support (Cisco, Brocade, Juniper) for management over IPv6 of SSH, DNS, Syslog, SNMP, NTP, RADIUS, Unified MIB (RFC 4293), Flow export, TFTP, CDP/LLDP, HTTPS, FTP; cell values and footnotes 1-5 not recoverable from the transcript]
     • Now... [same table with ALU added; cell values and footnotes 1-7 not recoverable from the transcript]
  10. Operational Complexity
     • Added complexity increases security risk
     • dual-stack can be more complex than IPv4 alone
     • example: firewalls
       – are all your policies equivalent?
       – how do you keep them in sync?
       – twice as much work?
     This may incentivize us to shut down IPv4 sooner rather than later
  11. World IPv6 day
     • For DREN and SPAWAR, nothing new to turn on for the day
       – every day is IPv6 day for us
     • What does it look like from an enterprise perspective, where ALL clients (users) are dual-stack?
  12. Percentage of Internet traffic over IPv6
     • 1% (2009, before Google whitelisting)
     • 2.5% (Google whitelisted)
     • 10% (late Jan 2010, YouTube added)
     • World IPv6 day... (peak at 68%)
  13. After IPv6 day
     • Percentages across a day (5 min averages): [chart not reproduced in the transcript]
  14. After IPv6 day
     • Past week (hourly averages): [chart not reproduced in the transcript]
     • Month (daily averages): [chart not reproduced in the transcript]
  15. Many enterprises have not started their IPv6 deployment
     • Reasons:
       – Lack of incentives and resources
       – Other higher priorities (improving security)
       – It all seems overwhelming, and don't know where to start.
       – No "business case"
     • My answer:
       – If you haven't started, you're late and at risk
       – It doesn't take additional resources if you do it right.
       – For U.S. Federal agencies, there is a new mandate.
       – Don't waste time on developing a business case.
         • It's a matter of business continuity.
       – "Don't be afraid to break some glass"
  16. IPv6 Deployment to U.S. Government
  17. US Federal Agencies
     • Earlier mandates didn't work
     • New mandate to IPv6-enable public facing services by Sept 2012
     • Transition managers assigned in each agency
     • Lots of planning, with little or no operational experience
     • Addressing plans have problems
     • Almost no progress on actually IPv6-enabling anything
     • Major carriers are not ready – even though they claim otherwise in public
     • World IPv6 Day – missed opportunities
  18. US Govt Deployment Status (or just search for "USG IPv6 Status")
  19. Something is missing: IPv6 Operational Experience
     • Lots of planning is underway
       – transition planning
       – address planning
     • Much of this planning is done by individuals who have never touched an IPv6 packet
     • Too much energy is being wasted on plans that are flawed, because they are not based on operational experience
     • It is more important to turn on IPv6 now and start moving some IPv6 traffic, than it is to have a complete plan
  20. Some Lessons Learned
     • Gain operational IPv6 experience before putting too much effort into enterprise-wide planning
     • Addressing Plans – everyone makes the same mistakes
     • Go native (dual stack)
     • Start from outside, and work in – focus now on public facing services
     • There will be challenges (surprises) along the way
     • You can automate the DNS updates
     • It doesn't require significant resources, if you start early and leverage tech refresh
  21. Addressing Plans
     • Without sufficient operational experience with IPv6 deployment, you WILL get it wrong at first.
       – usually takes the 3rd time to get it right
     • Planners are hindered by IPv4-thinking
       – being conservative with address space
       – thinking "hosts" instead of "subnets"
  22. Addressing Plans
     • Common mistakes
       – Doing other than /64 for subnets
         • Didn't read RFC 4291 nor RFC 5375
       – Thinking that the addressing plan has to be perfect the first time
         • because you can't afford to re-address
       – Choosing allocations for sites based on size of site
         • because /48 for all sites is too wasteful
       – Justification "upwards", instead of pre-allocation "downwards"
       – Host-centric allocation instead of subnet-centric
  23. Making the paradigm shift
     • You may be un-qualified to develop an IPv6 addressing plan if you think:
       – /64 for subnets is wasteful
       – /64 for point-to-point links is wasteful
       – /48 for small sites is wasteful
  24. Once again...
     When doing an address plan, a major driver in IPv4 was efficiency and conservation.
     In IPv6, efficiency and conservation is NOT a major driver; instead it is all about better alignment with network topology, accommodation of security architecture, and operational simplicity through standardization.
  25. Addressing Plans
     • After operational experience, you realize:
       – you never have to "grow" subnets, so you don't need to accommodate that situation
       – if you don't use /64s for subnets, you can't do SLAAC, DHCPv6, Multicast with Embedded-RP, etc.
       – there is a huge opportunity to align addressing with security topology, to simplify ACLs
       – you can better align subnetting and aggregation with existing topology
       – it is a bad idea to embed IPv4 addresses in IPv6
       – nibble (4 bit) boundaries align better with PTR records
       – every interface has multiple IPv6 addresses
       – internal aggregation is not as important as you initially thought
       – you can do a lot of pre-allocation
  26. Feedback received after I presented the above
     • From one of the Federal Agency Engineers:
       – "using /64 everywhere including point-to-point links is crazy"
       – "RFCs aren't rules... There will be new RFCs"
       – "wait with deploying IPv6 until these problems are worked out"
       – "If everybody in the world did what the presenter did, then we will indeed run out of IPv6 addresses"
       – "I hope all agencies don't follow his aggressive recommendations like sheep"
  27. Other common mistakes
     • Working from inside out
     • Thinking that "native IPv6" means that you have to disable IPv4
     • Too much use of translators
     • Missed opportunities
  28. Final Thoughts, Summary
     • Only use providers and suppliers that have a good IPv6 story
     • IPv6 is ready for deployment to the Enterprise
     • Most important to IPv6-enable the public Internet now
     • Large bureaucracies have major challenges ahead
       – we need to help, and it may also require standards cast into strong policy
  29. END
     Any Questions? Contact me at:
  30. Benefits of IPv6 today (examples)
     • Addressing
       – can better map subnets to reality
       – can align with security topology, simplifying ACLs
       – sparse addressing (harder to scan/map)
       – never have to worry about "growing" a subnet to hold new machines
       – auto-configuration, plug-n-play
       – universal subnet size, no surprises, no operator confusion, no bit-math
       – shorter addresses in some cases
       – at home: multiple subnets rather than a single IP that you have to NAT
     • Multicast is simpler
       – embedded RP
       – no MSDP