Rapid IPv6 Deployment for ISP Networks
by Skeeve Stevens of eintellego Pty Ltd
Apricot 2010 – Kuala Lumpur, Malaysia v1.3.4
Rapid IPv6 Deployment for ISP Networks - delivered at APNIC/Apricot 2010


  1. Rapid IPv6 Deployment for ISP Networks
     by Skeeve Stevens of eintellego Pty Ltd
     Apricot 2010 – Kuala Lumpur, Malaysia v1.3.4
  2. What is stopping ISPs Implementing IPv6?
     What you need to get past, before you can rapidly deploy:
     • Too expensive to implement
     • Who can help me?
     • Little Vendor Support
     • Too hard to implement
     • No one is asking for it
     • What is IPv6?
     • Don’t know where to start
  3. Where to start?
     IPv6 isn’t hard – but it is big... There are a lot of operating systems, network devices and other devices to look into.
     • Firstly start where you can’t break things
       – In the lab
       – External Co-location (US)
     • Allocate a small amount of time – a few hours a week – to analyse where IPv6 will most impact your network – Prepare an IPv6 readiness report
     • Build a lab – You don’t need much to test BGP, OSPFv3, interfaces and so on – Dynamips is a great thing to replicate most of your core network
     • Start at the border – bring BGP to your edge and then pause and reflect (don’t forget security – mentioned later)
  4. Break it down into stages
     IPv6 is too big to think about as a whole
     • Enable Customer Services – easiest to hardest:
       1. Ethernet based (Colo, MetroE, Virtualisation Platforms)
       2. Hosting – DNS, Web, Mail
       3. OSS – Radius, Netflow, Accounting, User Portals
       4. xDSL Technologies
     • Enable Operational Support Systems
     • Enable some of YOUR hosting
     • Enable your desktop
     • Enable your core
     • Enable your edge (BGP)
     • Get your allocation from APNIC
     • Experiment Externally
  5. Scenario: The Hosting Company
     Provider of Colocation, Cloud Services, Dedicated and Shared Hosting. Less than 1 week!
     • BGP on peering
     • BGP on Transit
     • Get Allocation from APNIC
     • Enable Core Switching
     • Enable OSPFv3
     • New VLANs for dedicated v6 paths
     • Bypass legacy equipment
     • Customer Access
     • Hosting Platforms
       – Windows
       – Linux
       – Plesk, CPanel, etc
     Start issuing IPv6 addresses to end customers. VLANs are used to bypass legacy equipment which doesn’t support IPv6 – i.e. Cisco 3550s. Cisco switches need rebooting to enable IPv6. Outages need to be planned and executed. For existing members, IPv6 is easy. For new members, plan for $4000ex in setup. Initially, bringing up IPv6 BGP on Pipe Peering was safest – with no DNS using it yet.
  6. Scenario: The Content Provider
     Delivery of content to the Internet and Peering
     • As per first scenario
     • Load Balancing
     • Reverse Proxy
     • Content Switching
     • GeoDNS?
     • Hosting Platforms
       – Windows
       – Linux
       – Plesk, CPanel, etc
     • Akamai
     • Limelight
     • etc
     • Special content generation
       – Streaming
       – Multicast
     • Content Hardware
  7. Rapid IPv6 Deployment – How rapid is rapid?
     • Assumptions
       – Already have APNIC allocation of IPv6 (2-4 days if not)
       – Transit Provider with Dual-stack Transit
       – Cisco/Juniper edge with BGPv4
       – Cisco/Juniper/HP/Brocade Switching Infrastructure
       – Engineer familiarity with vendor hardware & BGP/OSPF
       – Transit/Peering Providers have allowed announcements (2-4 days if not)
  8. Rapid IPv6 Deployment continued…
     • IPv6 Addressing Overview – half day
     • IPv6 assignment to loopbacks and interconnects – half day
     • IPv6 BGP – 2 hours
     • OSPFv3 from Edge to Core – 2 hours
     • Debugging and testing routing – 2 hours – it is just fun!
     • VLANs to bypass legacy equipment – few hours at most
       – Direct from IPv6 compatible layer 3 aggregation to VMs on VMware Heads
     * ISP Sizes – 1-4 Edge routers, 1-30 switches
  9. Rapid IPv6 Deployment continued…
     • Linux box build and test – 4 hours
       – Most ISPs use Linux of some kind – good to test Apache, Bind, Postfix, SSH, FTP, etc
     • Ethernet based end-user IPv6 assignments – 4 hours
       – Colocation, VMs, MetroE, Wireless, Hosting
     • Access Technology – xDSL (L2TP) Design Discussion
       – Depends on size of network, LNSs involved, wholesalers involved – much more complex than the core – we treat this generally as a separate project once the rest is done
  10. Rapid IPv6 Deployment continued…
      Conduct an IPv6 readiness assessment:
      • Network Infrastructure – Routers and Switches
      • Servers & PCs (i.e. operating systems)
      • Network Devices – Appliances, KVM, OoB and so on
      • Network management tools (HP, Cisco, etc)
      • Security – everywhere you have it now – needs to be replicated
      • Applications – dealing with IPv6 addresses
      • OSS systems – Billing, Accounting, Radius, etc
      • In-house skills
  11. Simplified Addressing
      2406:9800::F:127:0:0:1
      We have developed a strategy which helps network and server administrators understand and deploy IPv6 rapidly without requiring a huge time investment in training.
      This strategy uses the network’s existing IPv4 topology so that the address can be instantly recognised and built upon over time.
      This strategy is all about the rapid deployment of IPv6, getting it into the network and being used day to day. eintellego believes that this is the quickest method of building and educating resource- and time-poor organisations ahead of the fast-approaching IPv4 exhaustion.
      Simplified Addressing is a short to medium term strategy – and is not for long term use.
  12. Simplified Addressing continued…
      Address format: 2406:9800::F:203:18:102:99
      This allows you to represent ANY IPv4 address – Public or RFC1918
      • This means you can even use it internally: 2406:9800::F:10:255:0:16, and with overlaps you could just use ::F0:… and keep reusing the same ranges.
      • Using /128s for addresses can initially increase internal routing tables – but with summarisation this can be overcome in the short term.
      • In IPv4 we refer to the numbers as an ‘octet’ (in 8 bit terms). IPv6 has no official name we can find – so we refer to it as a Chazwazza ;-)
      Props to Nathan Ward and Kurt Bales for many opportunities to confuse people
  13. IPv6 is not hard…

      Router#conf te
      Router(config)# ipv6 unicast-routing
      Router(config)# int loop0
      Router(config-if)# ipv6 enable
      Router(config-if)# ipv6 address 2406:9800::F:10:0:0:1/128
      Router(config-if)# end
      Router#ping 2406:9800::F:10:0:0:1
      Type escape sequence to abort.
      Sending 5, 100-byte ICMP Echos to 2406:9800:0:F:10::1, timeout is 2 seconds:
      !!!!!
      Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
      Router#

      • On some Cisco switches you have to set SDM and reboot before you can use IPv6
  14. Simplified Addressing – Network Equipment
      Example: Loopback on Cisco router

      interface Loopback0
       desc loopback
       ip address 10.76.128.1 255.255.255.255
       ! IPv6 has no concept of secondary addresses
       ipv6 address 2406:9800:0:F:10:76:128:1/128
       ! turns IPv6 on, which generates a link-local address
       ipv6 enable
       ! use a different process ID
       ipv6 ospf 2 area 0

      Changing an IPv6 address is no longer an ‘up arrow-change’. You have to clean up after yourself.
  15. Simplified Addressing – Network Equipment
      Example: Interconnect on Cisco router (with dynamic routing)

      interface VlanXXX
       description Layer3_to_Router
       ip address 10.76.132.65 255.255.255.252
       ipv6 address 2406:9800:0:F:10:76:132:65/128
       ipv6 enable
       ipv6 ospf 2 area 0

      We rely on the link-local addressing for OSPF to function and establish neighbor relationships.
  16. Simplified Addressing – Network Equipment
      Example: Interconnect on Cisco router (without dynamic routing)

      interface VlanXXX
       description Layer3_to_Router
       ip address 10.76.132.65 255.255.255.252
       ipv6 address 2406:9800:0:F:10:76:132:65/128
       ipv6 address 2406:9800:0:1C::4001:2/112
       ipv6 enable
       ipv6 ospf 2 area 0
      !
      ipv6 route ::0/0 2406:9800:0:1C::4001:1

      With no dynamic routing you need a default route out of the device.
  17. Simplified Addressing – End User Connections
      Example: End User connecting to a Cisco router

      interface VlanXXX
       description VMHEAD02.samplenetwork.net
       ip address 10.76.128.233 255.255.255.252
       ipv6 address 2406:9800:0:F:10:76:128:233/128
       ipv6 address 2406:9800:0:4019::1/64
      !
      ipv6 route 2406:9800:0:F:10:76:128:234/128 2406:9800:0:4019::2

      We use /64 for all end customer assignments (to appease the purists).
      Static route needed on the interconnection device to make v4-in-v6 work.
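The Simplified Addressing scheme from slides 11 to 17, worked through as an added example (this is not code from the original slides): it embeds an IPv4 address under the 2406:9800:0:F::/64 prefix used in the slides, reverses the mapping with validation, and goes beyond the slides by mapping whole IPv4 prefixes, which is what you need when mirroring an IPv4 access list. The function names are hypothetical.

```python
import ipaddress

# Prefix from the slides: 2406:9800::F:a:b:c:d, i.e. 2406:9800:0:f::/64.
PREFIX = ipaddress.IPv6Network("2406:9800:0:f::/64")

def to_simplified(ipv4, prefix=PREFIX):
    """Embed an IPv4 address so its decimal octets stay readable in the last four groups."""
    suffix = 0
    for octet in ipaddress.IPv4Address(ipv4).packed:   # validates the input
        # The octet's decimal digits are reused as hex digits: 203 -> group 0x0203.
        suffix = (suffix << 16) | int(str(octet), 16)
    return ipaddress.IPv6Address(int(prefix.network_address) | suffix)

def from_simplified(ipv6, prefix=PREFIX):
    """Recover the IPv4 address; reject addresses that do not follow the scheme."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is outside {prefix}")
    octets = []
    for group in addr.exploded.split(":")[4:]:
        text = group.lstrip("0") or "0"
        if not text.isdigit() or int(text) > 255:      # e.g. 1c or 4001
            raise ValueError(f"group {group} in {addr} is not a decimal octet")
        octets.append(text)
    return ipaddress.IPv4Address(".".join(octets))

def to_simplified_net(ipv4_net, prefix=PREFIX):
    """Map an IPv4 prefix, e.g. when mirroring an IPv4 access list into IPv6.

    Only /8, /16, /24 and /32 map to a single IPv6 prefix, because the encoding is
    decimal-digit based rather than bit-aligned. The result also covers hex values
    that are not valid octets, so it is a superset of the IPv4 range.
    """
    net = ipaddress.IPv4Network(ipv4_net)
    if net.prefixlen not in (8, 16, 24, 32):
        raise ValueError(f"{net} does not fall on an octet boundary")
    base = to_simplified(net.network_address, prefix)
    return ipaddress.IPv6Network((int(base), prefix.prefixlen + 2 * net.prefixlen))

if __name__ == "__main__":
    for v4 in ("203.18.102.99", "10.76.128.1", "10.0.0.1"):
        print(v4, "->", to_simplified(v4))
    print(to_simplified_net("10.76.128.0/24"))
```

Because the groups hold decimal digits read as hex, a /30 such as 10.76.132.64/30 has no single matching IPv6 prefix; filter rules for such ranges have to list the /128s or use the enclosing /112.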
  18. Carrier Grade NAT (CGN)/Large Scale NAT (LSN)
      • To deal with exhaustion we are going to need CGN/LSN – which is a strategy access providers will HAVE to employ to get us through the migration period which is at least 3-5 years unless they have a lot of IPv4 in reserve
      • China has had success with CGN with local hardware
      • Very little vendor support – Cisco came very late – others are still yet to come
      • Cisco have just (Oct09) announced their CGv6 framework and actual products with the CGSE blade for the CRS-1, and the ASR9000 and ASR1000 with CGv6 services
      • Cisco have also apparently released some CGN functionality in the latest Service Provider product set (but we’re not sure what that means?)
      • ISC have released AFTR (Address Family Translation Router) – ????????????????
      (Images: CGSE for CRS-1; ASR9000, ASR1000)
  19. Oh oh. Security
      • Enabling IPv6 leaves you wide open
      • Every aspect of security needs to be replicated to IPv6
      • SSH, Telnet, Access Lists, SNMP, CoPP – All are immediately open and accessible when you turn on IPv6.
      • It isn’t hard to do the security – you just HAVE to do it – or else
      • Nothing has changed with the basic tenets of security – just all new commands for some platforms – and in strange places
      • The only consideration is that IPv6 requires ICMP for PMTU (Path MTU Discovery) – disabling it WILL break things (in ways that you can’t easily troubleshoot)
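A parity check for the Security slide, as an added example (not from the original slides): it compares `iptables-save` and `ip6tables-save` text and reports management services that are filtered on IPv4 but reachable on IPv6, plus ICMPv6 Packet Too Big being dropped. The parser is simplified on purpose: it assumes filter-table INPUT rules made only of option/value pairs, and the rule sets are constructed samples.

```python
# Services the slide names as exposed once IPv6 is on (SSH/Telnet over TCP, SNMP over UDP).
MGMT = {("tcp", "22"): "SSH", ("tcp", "23"): "Telnet", ("udp", "161"): "SNMP"}

def parse(save_text):
    """Return (INPUT policy, rules) from filter-table text in iptables-save format."""
    policy, rules = "ACCEPT", []
    for line in save_text.splitlines():
        tok = line.split()
        if tok[:1] == [":INPUT"]:
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            rules.append(dict(zip(tok[2::2], tok[3::2])))  # assumes "option value" pairs
    return policy, rules

def verdict(policy, rules, proto, key, value):
    """First-match verdict for a new packet from an arbitrary source address."""
    for rule in rules:
        if {"-s", "-i", "--state", "--ctstate"} & rule.keys():
            continue  # matches only some sources/states, so not decisive here
        if rule.get("-p", proto) == proto and rule.get(key, value) == value:
            return rule["-j"]
    return policy

def audit(v4_save, v6_save):
    """List protections present for IPv4 that were not replicated to IPv6."""
    (p4, r4), (p6, r6) = parse(v4_save), parse(v6_save)
    findings = []
    for (proto, port), name in MGMT.items():
        if (verdict(p4, r4, proto, "--dport", port) != "ACCEPT"
                and verdict(p6, r6, proto, "--dport", port) == "ACCEPT"):
            findings.append(f"{name} {proto}/{port}: filtered on IPv4, open on IPv6")
    if verdict(p6, r6, "ipv6-icmp", "--icmpv6-type", "2") != "ACCEPT":
        findings.append("ICMPv6 type 2 (Packet Too Big) dropped: PMTU discovery breaks")
    return findings

# Constructed sample rule sets (documentation prefixes), not taken from the slides.
V4 = """:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"""
V6_FORGOTTEN = """:INPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j DROP"""
V6_MIRRORED = """:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -s 2001:db8:1::/48 -p tcp -m tcp --dport 22 -j ACCEPT"""

print("\n".join(audit(V4, V6_FORGOTTEN)))
```

On a real host, feed it the output of `iptables-save` and `ip6tables-save`; rules using negation or multi-word arguments need a fuller parser than this one.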
  20. The Example Linux Test bed – RedHat/CentOS 5.x
      • Networking
      • SSH
      • IPTables-v6
      • Postfix/Sendmail
      • Bind
      • FTP
      • NTP
      • Apache (WWW)
      • SQL
      • SNMP
      • Virtualisation
  21. The Example Windows Test bed – Microsoft Server Products - Windows 2008
      • Networking
      • SSH (Remote Management)
      • Exchange 2010
      • Active Directory
      • FTP
      • NTP
      • IIS
      • MSSQL
      • SNMP
  22. Not Just Routers, Switches, Servers and Apps
      • Management interfaces
        – ILO / DRAC
        – Blade Management
        – Storage Systems (SAN/NAS/etc)
      • Printers / MFC / Photocopiers
      • VOIP handsets / ATA
      • Hardware Firewalls
        – Cisco ASA – from 8.2
        – Netscreen – ScreenOS 5
        – Juniper SRX – JUNOS platform supports IPv6
      • Time-clock/Biometric Scanners
      • IP Cameras & DVRs
      • Cell Phones / PDAs
      • Access Points
      • CPEs / Home Gateways
      • Media Players
      • Game consoles
      • Video Conferencing
      • Security Systems
      • Building Automation
      • UPS (with network support)
  23. Who can help you with IPv6?
      • Commercially - very few companies in the region – most expertise is in-house, especially at ISPs and Vendors at the moment
      • A business that operates in the internet industry is generally on the cutting edge of technology – when they don’t know what to do – who do they ask?
      • Help each other – community
      • Training courses – IPv6Now (AU), APNIC, Fast Lane, Men & Mice (Not sure about .au/.nz), Dimension Data & New Horizons offer Cisco Cert module for IPv6 training (IP6FD) – DD was AU$4600 for a 5 day course - ouch
      • Consulting and/or Implementation – eintellego (AU, NZ, FJ, AP), IPv6Now (AU), Braintrust (NZ), Prophecy (NZ), Avonsys (FJ, PAC), and Cisco Professional Services in some countries.
  24. Advice
      • If you have no access to IPv6 transit you may need to tunnel (talk to HE)
      • If your carrier doesn’t do IPv6 today – start turning up the pressure
      • Same applies to your vendors (hardware, software, etc) – start demanding or consider a vendor which does support it
      • Within 6 months after all our implementations, most staff were fully conversant with IPv6 and had started to deploy other services – they were using it every day!
      • Convincing management isn’t that hard – Explain how much it will cost them later as opposed to now
      • Some parts won’t happen overnight – it takes time to migrate some services such as IPv6 DNS Servers to clueful registrars which support nameserver records for IPv6. But just because they don’t advertise it – they might be able to do it. Most can’t yet though.
  25. Predictions
      • The resource gold rush will happen – we’re seeing it now: IPv4 resource requests made for no reason other than they can. We believe that once this starts – the hype and outrage will accelerate it even faster. APNIC will have a massive surge in membership of people not wanting to be left behind – and also from those hoping to capitalise on the resource shortage. There is nothing APNIC can do to prevent this happening
      • This may bring forward exhaustion by 6-9 months – but we will see it coming
      • A secondary market will appear for IPv4 – APNIC will lose control of who has what
  26. Thanks for listening – Questions?
      www.eintellego.net
