
IPv6 strategy for deployment at ETH Switzerland



IPv4 Usage at ETH Zurich
Changing IPv6 range before rollout


  1. IPv6 at ETH Zurich. Armin Wittmann
  2. Agenda: IPv4 usage at ETH Zurich; Changing IPv6 range before rollout; Roadmap. Dr. A. Wittmann November 2012
  3. IPv4: free 64 (/26) subnets. [Chart: # free /26 64-subnets per year, 2007 to 11.2012]
  4. # devices detected last 90 days vs. IPv4-Range. [Chart: # different MAC addresses (last 90 days) and # assigned IPv4 addresses per year, 2005 to 9.2012]
  5. IPv6-Traffic (last 12 months)
  6. Changing IPv6 range before rollout: BCM analysis; BIA analysis; new Provider Independent (PI) IPv6 range will replace old one. Request: request made by SWITCH: 13.9.2012; routing to ETH done: 21.9.2012
  7. IPv6-Roadmap: Management view: IPv6 pilot project started; important infrastructures (Exchange, CMS, Hosting, Storage); instruction initiative; Server-Admins, IT-Supporter, end user, students; documentation must be made first; DHCPv6 release in December 2012; productive per April 2013; client networks will be forced; IPv6-only network zone offered for all ETH; IPv4-NAT/PAT project started (usage for next 10 years)
  8. IPv6 @ ETH Zurich. Derk Valenkamp
  9. Agenda: My personal impression about IPv6; Roadmap; IPv6-Concept (ID ICT-Networks); DHCPv6; Firewall IPv6; SSID 'eth' design; Multicast; What is done?
  10. My personal impression about IPv6: No way around IPv6 to connect all the devices to the Internet/Intranet; Phase 4 in Gartner's Hype Cycle (Slope of Enlightenment); It is not enterprise ready yet (DHCP, OS support, ...); It is mainly designed for ISPs; Nearly no IPv6 rollout projects in other universities/companies; Client-side: no fallback to IPv4 (DNS) – new RFC announced
  11. Roadmap: 1H 2013: network ready for IPv6 large-scale deployment (Firewall; DHCP-Relay; IPv6-only test-VPZ); 2014: get experience; 2015: start IPv6 rollout (Dualstack); 2020: start a 'get rid of IPv4' project
  12. IPv6-Concept (2001:067C:10ec::/48 PI). [Diagram: bit tree over bits 49, 50, 51, 52 and 58 of the prefix, with 0/1 branch labels] Reserve (not used); 256 /58 ranges for VPZ: each VPZ thus receives 64 /64 subnets, and these can also be used for internal cluster or management addressing (VPZ-Prefix); 128 /58 ranges for further VPZ; 4096 /64 subnets for tests until IPv6 is used productively; 4096 /64 subnets for Network (Links/Loopback/NET-Admin)
  13. IPv6 Concept: one IPv6 range (/58 prefix) per VRF -> 64 subnets; one /64 subnet reserved per VLAN, but on the router only a smaller subnet will be configured: a /118 subnet for servers (1024 IPv6 addresses), a /115 subnet for docking/client (8192 IPv6 addresses); this prevents DoS (router breaks down during scans); no auto-configured addresses allowed: no MAC addresses leave ETH Zurich, no random IPv6 addresses (IDS, Support); always configured in dual stack with IPv4 (no 6to4-NAT); source routing will be blocked; some multicast addresses will be blocked (DHCP, DNS..); incoming IPv6 RAs will be blocked on access ports.
  14. DHCPv6: DHCPv6-Relay standard ... uses the outgoing interface of the router, which is IPv4 only ... will change; 'No' redundant server -> 2 standalone servers with independent ranges (2x 4096 = 8192); DHCPv6 lease depends on the DUID (DHCP Unique ID), which is assigned by the OS ... PXE-Boot?; not all OSes support DHCPv6 – Android 4.x
  15. Firewall IPv6: old Firewall Service Module not capable; new hardware onsite, migration by end 2012; separate ACL for IPv4 and IPv6 → new firmware available now → CSM release in Q1.2013
  16. IPv6 SSID 'eth' design. [Diagram labels: VTP-Zone; WPA; DHCP-Client vrf red (twice); Cat4500/Cat3750; 10x; MPLS; trunk; eBGP; FWSM (vrf-global); Fusion Routers; trunk; Central DHCP-Server (twice)]
  17. What is done: 2001:067c:10ec::/48 = ETH Zurich subnet; 10-Gig dual-stack connection to SWITCH; core is ready, but some issues with DHCP; DHCP (with limitations); DNS; IPv6 rough concept; IPv6 firewall; IPv6 VPN-Client (IPv6 tunneled over IPv4); Mgmt tool 'Netcenter' (Reports, IP-Tool, Firewall); IPv6 Loadbalancer
  18. What is not planned yet: SEND/CGA (secure ARP); router performance, whole subnet has to be open; IPv6 to IPv4 NAT nor IPv4 to IPv6 NAT; DNS problems, IPv4-NAT is easier; IPv6 HTTP proxy; IPv6 multicast (not supported yet)
  19. ?
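
The subnet sizing on slide 13, worked through as an added example (not part of the original slides): it derives a VLAN's reserved /64 and the smaller on-router subnet from the /48, then shows which constructed scan targets would make the router start neighbor discovery. Counting /58 zones from the start of the /48, placing the router subnet at the low end of the /64, and the names `vlan_plan` and `scan_exposure` are assumptions.

```python
import ipaddress

# ETH Zurich PI range as given on the slides.
SITE = ipaddress.ip_network("2001:67c:10ec::/48")
# On-router prefix lengths from slide 13; the role names are labels chosen here.
ROUTER_PREFIXLEN = {"server": 118, "client": 115}


def vlan_plan(zone_index, vlan_index, role):
    """Return (zone /58, reserved /64, on-router subnet) for one VLAN.

    Assumptions, not from the slides: /58 zones are counted from the start
    of the /48, and the router subnet is the lowest part of the /64.
    """
    zone = list(SITE.subnets(new_prefix=58))[zone_index]
    reserved = list(zone.subnets(new_prefix=64))[vlan_index]  # 64 per zone
    # subnets() is lazy, so take the first child without enumerating 2**54.
    configured = next(reserved.subnets(new_prefix=ROUTER_PREFIXLEN[role]))
    return zone, reserved, configured


def scan_exposure(targets, reserved, configured):
    """Classify scan targets aimed at a VLAN's /64.

    Only destinations inside the configured (connected) subnet make the
    router start neighbor discovery and hold a neighbor-cache entry.
    """
    result = {"resolved_on_link": 0, "no_connected_route": 0, "other": 0}
    for t in map(ipaddress.ip_address, targets):
        if t in configured:
            result["resolved_on_link"] += 1
        elif t in reserved:
            result["no_connected_route"] += 1
        else:
            result["other"] += 1
    return result


if __name__ == "__main__":
    zone, reserved, configured = vlan_plan(0, 5, "server")
    print(zone, reserved, configured, configured.num_addresses)
    # Constructed scan targets spread over the reserved /64 and beyond.
    targets = ["2001:67c:10ec:5::10", "2001:67c:10ec:5::3ff",
               "2001:67c:10ec:5::400", "2001:67c:10ec:5:dead:beef:0:1",
               "2001:67c:10ec:6::1"]
    print(scan_exposure(targets, reserved, configured))
```

With a /118 the neighbor cache for that VLAN is bounded by 1024 entries, against 2^64 possible targets if the full /64 were configured on the interface.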