Building an IPv6 Test Lab by Ron Broersma at gogoNET LIVE! 3 IPv6 Conference

gogo6 IPv6 Video Series. Event, presentation and speaker details below:

EVENT
gogoNET LIVE! 3: Enterprise wide Migration. http://gogonetlive.com
November 12 – 14, 2012 at San Jose State University, California
Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp

PRESENTATION
Building an IPv6 Test Lab
Presentation video: http://www.gogo6.com/video/building-an-ipv6-test-lab-by-ron-broersma-at-gogonet-live-3-ipv6
Interview video: http://www.gogo6.com/video/interview-with-ron-broersma-at-gogonet-live-3-ipv6-conference

SPEAKER
Ron Broersma - Network Security Manager, SPAWAR
Bio/Profile: http://www.gogo6.com/profile/RonBroersma

  1. IPv6 Testbeds: Testing IPv6-only configurations
     gogoNET LIVE! 3, 13 Nov 2012, San Jose, CA
     Ron Broersma, DREN Chief Engineer, SPAWAR Network Security Manager, Federal IPv6 Task Force
     ron@spawar.navy.mil
  2. Purpose of a Testbed
     •  Test new products and capabilities without breaking your production network
     •  Test how well equipment supports IPv6
     •  Serve as a learning environment
     •  Experiment with various configurations
  3. Are IPv6 testbeds still a necessity?
     •  Rarely
        –  IPv6 on mainstream switches, routers, and operating systems works well, and won't break your production network.
        –  Implementing IPv6 on production networks can be done incrementally, in ways that will not impact operations.
     •  But testbeds are needed where you know things might break
        –  IPv6-only environments
  4. Easy Testbeds
     •  "Learning" testbed – your home network
        –  IPv6-capable home router plus an HE (Hurricane Electric) tunnel.
        –  Take the HE IPv6 certification.
     •  Parallel infrastructure
        –  e.g. an IPv6 firewall next to the production firewall
     •  "Test" subnet on the production network
        –  on a separate VLAN
        –  or over wireless on a separate SSID
     •  Existing isolated network
     •  Tools: dumb hub, Wireshark, RFCs, IPvFoo, IPvFox, Little Snitch, etc.
  5. Some IPv6-only Experiments
     •  IPv6-only Management LAN
     •  Client environments
        –  pure IPv6-only
        –  IPv6-only + NAT64/DNS64
     •  IPv6-only Server farm
  6. IPv6-Only Management LAN
  7. Management LAN
     •  Can you do all your network management using IPv6?
     •  Can you turn off IPv4 on your management LAN?
     •  How well do various products operate in this environment?
  8. Findings
     •  Very few products can be fully managed using IPv6
     •  You won't learn what's missing or broken unless you try it in production
        –  remove the training wheels, and live on it
     •  Bugs take 6 to 12 months to get fixed
     •  Feature requests take 18 to 48 months to get fixed
     •  You can't turn off IPv4 completely (yet)
        –  always some devices with no IPv6
           •  T-1 and DSL bridges, microwave radios, old dialup and VPN servers, ATM switches, cameras, etc.
  9. Management over IPv6 in some products
     [Table: per-vendor support matrix for management protocols over IPv6. Only the headings, row labels and footnotes survived extraction; the per-cell support marks did not.]
     Previously (June 2011): columns SSH, DNS, Syslog, SNMP, NTP, RADIUS, Unified MIB (RFC 4293), Flow export, TFTP, CDP, HTTPS, FTP, LLDP; rows Cisco, Brocade, Juniper.
     Now (Nov 2012): the same columns plus IPv6 MTU and "No v4"; rows Cisco (footnotes 3, 6), Brocade (footnotes 1, 9), Juniper (footnote 5), ALU (footnote 4), A10 (footnotes 8, 7).
     Footnotes:
       1.  Can't reboot using SNMP over IPv6
       2.  .
       3.  15.2(2)TR
       4.  10.0R6 (Nov 2012)
       5.  12.3R1 Nov 2012 (beta in August)
       6.  ASR1K: 3.7S (July 2012)
       7.  3.0 release, 2012Q4
       8.  No plans
       9.  fix planned for Apr 2013
  10. Example of an IPv6-only bug (recently fixed)
     •  When IPv4 is disabled on Brocade FESX switches, they start responding to all IP subnet broadcasts, start ARPing (from 0.0.0.0), and show other strange behaviors.
     •  Example: echo request to x.x.x.255/24:
  11. IPv6-only client networks
  12. IPv6-only client network
     •  My test environment:
        –  enterprise sub-network with ONLY IPv6 turned on (no IPv4 configuration or routing)
           •  "A" bit enabled (SLAAC)
           •  "M" and "O" bits enabled (for DHCPv6)
        –  delivered over wireless on SSID "IPv6 Only", and on a separate wired VLAN.
        –  DHCPv6 service
        –  Many operating systems connected, to see how they behave
           •  Windows, Mac OS X, Linux (multiple distributions), FreeBSD
           •  iPhone, iPad, Android
     •  Anything without a DHCPv6 client won't get DNS server addresses
        –  Windows XP, Mac OS X before Lion, Android
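The A, M and O bits above, and the "no DHCPv6 client, no DNS" outcome, can be checked directly against what the router actually advertises. The parser below is an added example written for this page (not from the talk, and not vendor code): it decodes the ICMPv6 Router Advertisement body per RFC 4861, including the Prefix Information option and the RDNSS option of RFC 6106, and reports what a client honouring those bits would obtain. The RA bytes it parses are constructed inline using the 2001:db8::/32 documentation prefix; the helper names `parse_ra`, `client_outcome` and `build_ra` are this example's own.

```python
import ipaddress
import struct

# Added example (not from the talk): decode an ICMPv6 Router Advertisement
# body (RFC 4861 section 4.2) and report how a client would configure itself.
ICMPV6_RA = 134
OPT_PREFIX_INFO = 3   # RFC 4861 section 4.6.2
OPT_RDNSS = 25        # RFC 6106 section 5.1


def parse_ra(payload: bytes) -> dict:
    """Parse an RA whose first byte is the ICMPv6 type (IPv6 header already stripped)."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    msg_type, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),   # M bit: addresses via DHCPv6
        "other": bool(flags & 0x40),     # O bit: other config (DNS etc.) via DHCPv6
        "router_lifetime": lifetime,
        "prefixes": [],
        "rdnss": [],
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861 says to discard the packet
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated option body")
        body = payload[off + 2:end]               # option contents after type/length
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "on_link": bool(pflags & 0x80),     # L bit
                "autonomous": bool(pflags & 0x40),  # A bit: prefix usable for SLAAC
                "valid": valid,
                "preferred": preferred,
            })
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            addrs = body[6:]                       # skip reserved(2) + lifetime(4)
            ra["rdnss"].extend(
                str(ipaddress.IPv6Address(addrs[i:i + 16]))
                for i in range(0, len(addrs) - len(addrs) % 16, 16))
        # other options (source link-layer address, MTU, ...) are skipped by length
        off = end
    return ra


def client_outcome(ra: dict) -> dict:
    """What a host that honours the RA bits ends up with (address and DNS sources)."""
    slaac = [p["prefix"] for p in ra["prefixes"] if p["autonomous"]]
    dns_sources = []
    if ra["rdnss"]:
        dns_sources.append("rdnss")
    if ra["managed"] or ra["other"]:
        dns_sources.append("dhcpv6")
    return {
        "slaac_prefixes": slaac,
        "dhcpv6_address": ra["managed"],
        "dns_sources": dns_sources,
        # Without an RDNSS option, a host lacking a DHCPv6 client gets no resolver at all
        "dns_without_dhcpv6_client": "rdnss" in dns_sources,
    }


def build_ra(managed: bool, other: bool, prefix: str, autonomous: bool, rdnss=()) -> bytes:
    """Constructed RA for exercising the parser (checksum left at zero)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = 0x80 | (0x40 if autonomous else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      2592000, 604800, 0) + net.network_address.packed
    msg = hdr + pio
    if rdnss:
        packed = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        msg += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 1800) + packed
    return msg


if __name__ == "__main__":
    # Constructed RA matching the slide: A bit on, M and O bits on, plus an RDNSS option.
    sample = build_ra(True, True, "2001:db8:1::/64", True, ["2001:db8:1::53"])
    print(client_outcome(parse_ra(sample)))
```

Running it against a capture of your own lab's RA (strip the IPv6 header first) tells you whether the hosts listed as "won't get DNS addresses" could be rescued by adding an RDNSS option, or whether they depend entirely on DHCPv6.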
  13. IPv6-only
     •  Observation (Mac OS X Lion):
        –  You can browse OK with Safari, but Chrome and Firefox hang when trying to browse to IPv6-only web sites
           •  happy-eyeballs not working
        –  tcpdump shows it ARPing for Internet addresses
        –  … because there is a default-route-to-interface installed in the routing table
        –  … because it assigns an IPv4 link-local address (RFC 3927) and implements "ARP for everything" (section 2.6.2)
        –  … so it "thinks" it has full IPv4 Internet reachability (unlike IPv6 behavior)
     •  Most other OSes exhibit similar behavior
     •  Work-arounds?
  14. IPv6-only + NAT64/DNS64
     •  Add NAT64/DNS64 to the previous experiment
        –  maps the entire IPv4 Internet into 64:ff9b::/96
        –  DNS64 server maps the addresses on the fly
        –  NAT64 provides stateful v6/v4 translation
     •  Yes, NAT is evil, but here the breakage is local to your NAT64 domain.
        –  may be a viable means to reduce the OPEX of dual-stack
  15. IPv6-only + NAT64/DNS64
  16. IPv6-only + NAT64/DNS64
     •  Most things actually work pretty well
     •  Things that don't work
        –  sites with broken IPv6 (won't fall back to IPv4)
           •  e.g. www.ntia.doc.gov
        –  web sites and apps with embedded IPv4 literals
        –  Skype, games, P2P, some IM
     •  Read RFC 6586 for detailed experiences
     •  Watch the IETF "Sunset4" working group
        –  http://tools.ietf.org/wg/sunset4/
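Slides 14 and 16 describe the NAT64/DNS64 setup and two of its failure modes. The code below is an added example for this page (not from the talk, and not the code of any NAT64 or DNS64 product): it implements the RFC 6052 mapping of an IPv4 address into the 64:ff9b::/96 well-known prefix that both DNS64 and NAT64 rely on, the DNS64 decision of RFC 6147 (pass a real AAAA through, otherwise synthesize one from the A records), and the reverse extraction a NAT64 performs on outbound packets. It also shows why a site with a broken AAAA record is never translated, and why an IPv4 literal in a URL needs the client itself to know the prefix. The DNS answers and addresses are constructed from documentation ranges; `synthesize_aaaa`, `extract_ipv4`, `dns64_resolve` and `rewrite_ipv4_literal` are this example's own names.

```python
import ipaddress

# Added example (not from the talk): the RFC 6052 address mapping that DNS64 and
# NAT64 share, plus the DNS64 decision that explains two of the failure modes above.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# RFC 6052 section 3.1: the well-known prefix must not embed non-global IPv4
# addresses. This list covers RFC 1918, loopback and link-local only.
_NON_GLOBAL_V4 = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in a /96 translation prefix (bits 96-127 carry the IPv4 address)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 translation prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    if prefix == WELL_KNOWN_PREFIX and any(v4 in n for n in _NON_GLOBAL_V4):
        raise ValueError(f"{v4} must not be embedded in the well-known prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """Reverse mapping the NAT64 performs on a v6 packet: recover the IPv4 destination.
    Returns None when the address is not inside the translation prefix."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in prefix:
        return None
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)


def dns64_resolve(name: str, answers: dict, prefix=WELL_KNOWN_PREFIX):
    """DNS64 behaviour (RFC 6147): pass real AAAA records through, otherwise synthesize
    AAAA from the A records. A site whose AAAA is broken is therefore never translated,
    which is the "won't fall back to IPv4" failure on the slide."""
    aaaa = answers.get((name, "AAAA"), [])
    if aaaa:
        return [ipaddress.IPv6Address(x) for x in aaaa]
    return [synthesize_aaaa(x, prefix) for x in answers.get((name, "A"), [])]


def rewrite_ipv4_literal(host: str, prefix=WELL_KNOWN_PREFIX):
    """An IPv4 literal in a URL bypasses DNS64 entirely. A client that has learned the
    translation prefix can map it itself; returns None for anything that is not a literal."""
    try:
        return synthesize_aaaa(host, prefix)
    except ipaddress.AddressValueError:
        return None


# Constructed sample answers (documentation ranges); not real DNS data.
SAMPLE_ANSWERS = {
    ("v4only.example", "A"): ["192.0.2.10"],
    ("dual.example", "A"): ["198.51.100.5"],
    ("dual.example", "AAAA"): ["2001:db8::5"],
}

if __name__ == "__main__":
    for name in ("v4only.example", "dual.example"):
        print(name, [str(a) for a in dns64_resolve(name, SAMPLE_ANSWERS)])
    print(extract_ipv4("64:ff9b::c000:20a"))
    print(rewrite_ipv4_literal("203.0.113.7"), rewrite_ipv4_literal("www.example"))
```

The `dual.example` case is the one to watch in a lab like this: because DNS64 only synthesizes when no AAAA exists, a host whose AAAA points at a broken IPv6 service gets no translated fallback, and the only fixes are on the server side or in a resolver-side exclusion list.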
  17. IPv6-only servers
  18. IPv6-only servers
     •  Scenario #1 – weaning
        –  run the server as dual-stack
        –  when the client base is (mostly) IPv6-enabled, remove the "A" record from DNS
        –  works well for corporate intranets that are largely dual-stack
        –  great incentive for stragglers to IPv6-enable their clients
        –  helps network administrators find the stragglers and special cases, without totally breaking things.
        –  IPv4 is still there as a fall-back for special cases, using an explicit IPv4 address.
           •  intranet users coming in over IPv4-only VPNs.
  19. IPv6-only servers
     •  Scenario #2 – remove training wheels
        –  run the server as IPv6-only (IPv4 disabled)
        –  do this when all issues in Scenario #1 are resolved.
        –  works in an intranet environment, not when Internet access is required.
           •  see next scenario
     •  Scenario #3 – legacy IPv4 reachability
        –  use a dual-stack reverse proxy or load balancer
        –  use SIIT (RFC 6145)
           •  read draft-anderson-siit-dc-00
  20. END
     Contact me: ron@spawar.navy.mil
