UTC TELECOM 2013IPv6 Support Required for All IP-Capable Nodes – RFC 6540Given the global lack of available IPv4 space, andlimitations in IPv4 extension and transition technologies,this document advises that IPv6 support is no longerconsidered optional. It also cautions that there are places inexisting IETF documents where the term "IP" is used in away that could be misunderstood by implementers as theterm "IP" becomes a generic that can mean IPv4 + IPv6,IPv6-only, or IPv4-only, depending on context andapplication.
UTC TELECOM 2013RFC 6540• Are you aware of this requirement?• Are your nodes IPv6 capable?
UTC TELECOM 2013Background• IPv4 depletion is already occurring• IPv6 adoption is accelerating• Most network hardware supports IPv6• For the most part, dual stack Just Workshttp://www.potaroo.net/toolsIPv4 Free Pool Depletionhttp://www.ipv6actnow.org/info/statistics/#allocIPv6 Routing Table Growth
UTC TELECOM 2013US Feds Lesson LearnedThe US federal government had a mandate for all public facing webservices to support IPv6 by September 30, 2012.287 of 1494 sites had IPv6 web support by the deadline.Today 961 of 1355 sites support IPv6.That’s over 70%. Not 100%, but far aheadof most other large organizations.Source: http://usgv6-deploymon.antd.nist.gov//
UTC TELECOM 2013What next?“Okay, my organization is convinced it’s timeto begin IPv6 deployment, what do I need toconsider?”
UTC TELECOM 2013Consider the Fundamentals of Best PracticeThe fundamentals haven’t changed a bit forIPv6, consider:• Security• Maintainability• Scalability• Performance• Flexibility
UTC TELECOM 2013Apply the FundamentalsWhat areas need the most attention?• Addressing plan• Interconnectivity• Bootstrapping/AAA• Security issues• Staff training• Transition
UTC TELECOM 2013IPv6 Address Space is VAST“IPv6 uses a 128-bit address, allowing 2128, or approximately3.4×1038 addresses, or more than 7.9×1028 times as many asIPv4, which uses 32-bit addresses.” (Wikipedia)That’s 340 Undecillion!Undecillion is a number with 36 zeros.We must change our thinking about how to allocate addressspace to meet our best practice goals.
UTC TELECOM 2013State of Assignments• All of the registries, for the most part, assign initial blocksfor Service provider /32 Enterprise /48
UTC TELECOM 2013What makes up a good addressing plan?• Depends on the type of network, the size of thenetwork, and problem to be solved• Points to consider Documentation Ease of troubleshooting Aggregation Standards compliance Growth SLAAC Existing IPv4 addressing plan Human factors
UTC TELECOM 2013Algorithmic Approaches• Interop took an algorithimic approach to IPv6numbering• Encode every IPv4 address in your network in anIPv6 address10.10.10.10 (A0A0A0A)2001:DB8:A0A:A0A::
UTC TELECOM 2013Interconnectivity• Routing protocols have been updated, but the fundamentalconcepts remain the same– Run routing protocols such that they fail when the underlying transportfails• That means separate v4 and v6 protocols– For ease of management, configure IPv4 and IPv6 connectivity tofollow the same paths– Also use the same routing policies whenever possible• Ask your Internet traffic peers, suppliers, partners and clientsto begin transporting IPv6 traffic
UTC TELECOM 2013Bootstrapping/AAA• Some fundamental changes have been made to thebootstrap process to join an IPv6 network, all part of theNeighbor Discovery process– Router Advertisements (RA) – Tells potential clients about the routersand prefixes available on the network– StateLess Address Auto Configuration (SLAAC)• New in IPv6, allows a device to generate it’s own address• Supported universally– Dynamic Host Configuration Procotol v6 (DHCPv6)• Very similar to v4, can distribute address, DNS server, other informationabout the network• Good support, but far from universal
UTC TELECOM 2013Security Issues• Use the same diligence you used for IPv4• Ask equipment vendors to support specific protections in IPv6– RA-Guard – prevents an attacker from sending rogue RAs into thenetwork and becoming a man-in-the-middle– DHCP-Shield – similar to RA-Guard in that it blocks fake DHCPservers from giving out false information• Ensure equipment supports all IPv4 features you use in IPv6as well such as ACLs, anti-spoof filtering (RPF), etc. Whyshould v6 be any different in these areas?• Where firewalls are needed, ensure your choice of firewallsupports v6 as well as v4.• NAT is NOT a security feature and v6 doesn’t have it
UTC TELECOM 2013Staff Training• Find an experienced organization to provide training• Service providers require a different level of scalability andmaintainability than enterprise, use a trainer that understandsSP’s unique challenges• Build a lab, get a tunnel to experiment with IPv6
UTC TELECOM 2013Transition• 3 types of transition technologies– Dual Stack• Hopefully will be the most common• Simply means running both v4 and v6 at the same time– Tunneling• Putting either IPv4 packets inside IPv6 packets or vice versa, depending on the situation• Can be useful to solve problems in certain areas, but in general, tunneling hurts performanceand should be avoided when possible• Examples: 6rd, 6in4, 4in6, DS-Lite, MAP– Translation• Converting an IPv4 packet into an IPv6 packet or vice versa• Like in tunnels, can be useful in certain circumstances, especially for rapid deployment of IPv6on public facing services such as web servers• Example: NAT64
UTC TELECOM 2013Conclusions• IPv6 works in the real world• There are challenges to implementing IPv6, but nothingshow-stopping• Much of the Internet’s content is reachable over IPv6 (andgrowing fast) including all of Google, FaceBook and 3000other sites• A much smaller percentage of Internet users have IPv6connectivity (though this may change quickly with IPv4depletion)
Delivering Your FutureQuestions?Brandon Ross – email@example.com - +1-404-635-6667Download the presentation here:http://is.gd/19ckWMOr using this QR code: