Post on 12-May-2015
Steve Simlo Product Manager NOSTG, IPv6 High Impact Project
ssimlo@cisco.com
IPv6 is taking off
© 2012 Cisco and/or its affiliates. All rights reserved. 2
Agenda
• The global view / technology and market drivers: it’s not all about IPv4 address famine!
• Some myths surrounding IPv6 deployment, and some real data!
• IPv6 migration strategies: no one size fits all!
• Cisco’s own experience with IPv6: what works for us today and where we are going
• Conclusion: places to find out more information
Content
User
ISP
Device
“A deadlock, stalemate, impasse; a roughly equal (frequently unsatisfactory) outcome to a conflict in which there is no clear winner or loser,”
Where is the content? Too much pain & no gain
Where is the network?
Do I pay less? Any new applications?
NATs are good. RFC1918 gives me security, and IPv4 address runout is my ISP’s problem.
The network is not ready, users don’t care and I don’t want to risk a poor end-user experience today for potential gains tomorrow
Enterprise
RIPE ARIN AFRINIC LACNIC
IANA
Meanwhile …IPv4 run-out is very real
http://ipv6.he.net/statistics/
APNIC
Last /8 policy
The world will run out of IPv4 addresses in the next few years.
By 2016 there will be 7.5 billion people...
...and 19 billion fixed and mobile-connected devices.
Mobile devices are growing faster than the mobile subscribers that use them.
Companies around the world have come together to permanently enable IPv6 for their products and services.
IPv6: 128-bit number, 340 undecillion addresses, vs. IPv4: 32-bit number, 4.3 billion addresses
That’s one IP address for every drop of water on earth, 10 trillion fold.
Devices can more easily connect to each other or the cloud while alleviating the growth limitations that come with the IPv4 address shortage.
Modern Devices Support IPv6
• Prefer IPv6 connectivity (RFC 5221)
• Use SLAAC/DHCPv6 and have Link Local Addresses (RFC 4862)
• Can run IPv6 over an IPv4 network under certain circumstances: tunneled over an IPv4 core, and/or on L2 segment
• Will try to use IPv6 if they receive a AAAA record from DNS
• Don’t always display IPv6 information (mobile devices)
• Use privacy addresses (RFC 4961)
• Modern browsers implement RFC 6555 (Happy Eyeballs)
• Use IPv6 link-local capabilities for plug and play protocols
Connections won't be limited to devices—everyday things will have IP addresses.
When a vending machine is running out of product, it can automatically schedule its own restock.
Elderly patients can wear a small wireless device that monitors their heart condition. In an emergency, healthcare providers would automatically be contacted.
Your network enabled car will automatically turn on the air-conditioning in your house, when you’re on your way home.
[Chart: survey responses to “When are you planning to deploy IPv6 in production”. Panel July 2010: In Progress, 6 months, 12 months, 24 months, No plans. Panel March 2012: Done, 6 months, 12 months, 24 months, No plans. Horizontal axis 0 to 60. Data labels on the slide: 32%, 40%, 65%, 15%]
CGN
IPv4
IPv4 sessions traverse stateful NATs.
Challenges for Content: Transparency to application, Location, Security
Challenges for SP: CAPEX/OPEX of CGN due to statefulness
VoD/TV Replay platforms:
• Canalplus: 70 sessions
• Pluzz.fr: 95 sessions
• BBC: 45 sessions
Portals/Social:
• Facebook: 40 sessions
• Yahoo: 110 sessions
• Bing: 30
• G+: 30
• Wikipedia: 50
• Twitter: 20
Peer to Peer:
• BitTorrent: 700
Web 2.0 (ex: AJAX) Application Behavior Under Constrained NAT Resources
20 NAT Sessions 15 NAT Sessions 10 NAT Sessions 30 NAT Sessions times millions of users
CGN
IPv4
IPv6
DNS <AAAA, A>
Restoring End to End
2011 2013 2015
CGN Only
2011 2013 2015
6rd + CGN
- CGN44 Capex and Opex grow, driven by subscriber growth AND application complexity (sessions per user)
- CGN44 cost is capped as content switches to IPv6.
- 6rd cost does not increase much as a function of # IPv6 users, AND application complexity is transparent
IPv6 Estimated Adoption Timeframes
Early Adopters
Globalization IPv6 Government
Mandate Deadlines
IPv4/IPv6 Co-existence
High Risk Low Risk Moderate Risk
2010 2012 2014
Transition Planning
IPv6 Business Impact – The Cost of Waiting Goes Up
• 2010: Low Impact – Buying behavior shift limited to mandated and early adopters
• 2012: Mandates take effect – Globalization - WorldIPv6Launch - Massive Mobile deployment. Transition to IPv6 forces customers to acquire product or managed services to sustain business and customer reach
• 2014: IPv6 is mainstream – customers without transition infrastructure experience reduced service levels, diminished customer reach
6lab.cisco.com/stats
• ~80 % of Internet Core transit (top 5% AS’s) is IPv6 enabled
• ~ 35% of global Internet content/Web pages are reachable over IPv6
• ~1% of Internet users have IPv6
Great disparities across countries
Jim Barksdale,
former Netscape CEO
http://6lab.cisco.com/stats/
IPv6 Transit AS
IPv6 Enabled AS
Definitions:
“IPv6 Transit” implies current IPv6 transit to at least one other AS
“IPv6 Enabled” implies a terminal node in IPv6 but Transit in IPv4
Internet Transit
Content
Users
IPv4 Access Network
IPv4 Core
Subscriber Network
NAT
IPv4 Carrier Grade NAT
NAT
IPv6 Access Network
Dual Stack Core
Subscriber Network
CE
IPv6-Only Subscriber
6↔4
Dual Stack
Core +
Access (ex: DOCSIS 3.0)
Subscriber Network
PE
Native Dual Stack
For more info see: http://www.cisco.com/go/cgv6
PE
CE
Subscriber Network
v4 over v6
Dual Stack Core
MAP or DS-Lite
IPv6-Only Access Network
NAT MAP BR AFTR
CE
Dual Stack Core
v6 over v4
Subscriber Network
IPv6 Rapid Deployment
6rd or L2TP
6rd BR
CE
LNS
Preserve Prepare Prosper
IPv6 Internet
IPv4 Internet
Today’s focus: W6L Dual-Stack Core
6rd or Dual-stack access Residential IPV6 service
DSL, FTTH Cable, DSL
Prosper phase: IPv6 only Infrastructure,
IPv4: Legacy Service (ex: T-Mobile US, DT, China T., KDG)
Same for MSDC
Mobile-LTE Cable, DSL All
1-Enable Core • Dual-Stack • MPLS/6(v)PE
• 1- IPv6 Transit + CDN • 2- Full Spectrum Internet • 3- CGN Bypass • 4- LTE/4G + Mobile growth
65% of Cisco Enterprise Technology Advisory Board members will have IPv6 WEB sites by Q2 2013
Internet Business Continuity B2C, B2B
Inside – Out • Globalization • Technology Leadership • Industry mandate • BYOD-Security-Visibility • Flatten management plane
Dual-Stack Enterprise IPv4 Internet
Outside – In • Internet Evolution • Business Continuity • B2C, B2B
IPv4 Enterprise IPv6 Internet
http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html
IPv6
IPv4
IPv4-only Server
a) Server Load Balancer http reverse proxy
IPv6 Internet
ACE30
IPv4
Back-End
WEB
DMZ
IPv4-only Server
b) Software Proxy Web Tier
IPv6
IPv4
Apache MSFT PortProxy
IPv6 Internet
IPv4
DMZ
WEB
c) Stateful NAT64
IPv4-only Server
IPv6
IPv4
IPv6 Internet
ASR1000
IPv4
DMZ
Email VPN WEB
ASA
[Diagram labels: IPv6 Internet, IPv4, Services, DMZ (WEB, Email, ..etc..), Datacenter Block, Core - WAN, Campus Block, Branch, Services]
• Life-Cycle management, depends on Timing and Use case
• Native/Dual-Stack where you can, Tunnels where you must
• Security – Visibility – Management
• IPv6 Host Configuration.
Orderly Transition – Slow to dual-Stack all the way to user
• Dual-Stack Core – Network based Tunnel to connect island
• ISATAP for IPv6 services to users… Design gotchas
• Dual-Stack selected part of DC (server front-end)
[Diagram labels: IPv6 Internet, IPv4, Services, DMZ (WEB, Email, ..etc..), Datacenter Block, Core - WAN, Campus Block, Branch, Services, ISATAP]
End User and Service first - Challenging but Doable
• First Hop Security
• Network based Tunnel to connect Islands
• Dual-Stack selected part of DC (server front-end)
[Diagram labels: IPv6 Internet, IPv4, Services, DMZ (WEB, Email, ..etc..), Datacenter Block, Core - WAN, Campus Block, Branch, Services, AnyConnect]
BYoD Best Practice : Deploy Dual-Stack
[Diagram labels: IPv6 Internet, IPv4, Services, DMZ (WEB, Email, ..etc..), Datacenter Block, Core - WAN, Campus Block, Branch, Services]
• Life-Cycle management, depends on Timing and Use case
• Native/Dual-Stack where you can, Tunnels where you must
• Security – Visibility – Management
• IPv6 Host Configuration.
IPv6 and BYOD
Cisco Prime
• Data collection and Reports
• Address management
ISE
• Client authentication and authorization
Cisco Catalyst Switches
Cisco WLAN Controller
ISE
iOS or Android Devices
AD/LDAP
User X User Y
MDM Mgr
NCS Prime
ASA Firewall
CSM / ASDM
WLC
• IPv6 Client Bridging • First Hop Security • Mobility (7.2) • Security and optimization (7.2) • Client Management (7.2) • VideoStream (7.2)
L2
IPv6/IPv4 Dual Stack Hosts
IPv6 SLA: E2E test, measurement (UDP-Jitter, UDP-Echo, ICMP Echo, TCP Connect)
IPv6 Traffic Metering with NAM and Flexible Netflow, including tunnel (export over IPv4)
IPv6 Apps and Tunnel detection with NBAR2
L3
Solution: IPv6 Traffic Visibility
Campus
IPv6 MIBs and host support
IPv6 over IPv4 tunnel
IPv4 WAN
NAM Traffic Analyzer Integrated Management & Reporting Console
ASA and IOS Tunnel Filtering
38,98% of WiFi devices were Apple devices (13,53% iPhone, 7,28% iPad), 30,56% Intel devices
45,4% are doing 802.11n (up to 144Mbps on 2,4GHz band), 37,25% are doing 802.11n (300Mbps / 5GHz), 13,88% are doing 802.11g (54Mbps / 2,4GHz), 3,47% are doing 802.11a (54Mbps / 5GHz)
Example from IPv6 World Congress, Jan 2012
Know your end point with Cisco Prime
Multiple IPv6 addresses per client
• Support for many IPv6 addresses per client is necessary because:
  - Clients can have multiple address types per interface
  - Clients can be assigned addresses via multiple methods such as SLAAC and DHCPv6
  - Most clients automatically generate a temporary address in addition to assigned addresses.
Up to 8 IPv6 Addresses are Tracked per Client.
First Hop Security for wireless clients
• Router Advertisement Guard: RA From Client Dropped at the Access Point (Local and FlexConnect modes)
• IPv6 Source Guard: Drops Undesired Packets (Undesired IPv6 Addresses/Prefix) at Controller
• DHCPv6 Server Guard: DHCPv6 Advertisement Blocked at the Controller.
[Diagram labels: IPv6 VLAN, Ethernet, IPv6 802.11, CAPWAP Tunnel, IPv6 RA 802.11]
Solution: IPv6 First Hop Security
[Diagram labels: IPv6/IPv4 Dual Stack Hosts, L2, L3, Access Layer, Distribution Layer, Core Layer, WLC 7.2, Dual-Stack WAN]
IPv6 First Hop Security Suite
802.1x and Port ACL
• Authorize Device
• Filter traffic on Layer 2 ports
IPv6 RA Guard / Throttler
• Stops Rogue Router Advertisement threats
IPv6 NDP inspection
• Enforce Mac/IPv6 binding
• Prevents Neighbor Discovery spoofing attacks
IPv6 uRPF
• Blocks spoofed traffic in hardware
NDP Address Gleaning
• Discover Address binding
• Audit Trail
• Revoke inactive devices
Source Guard
• Stops traffic from un-authorized sources.
Port Security
• Prevents TCAM overflow
DHCP Guard
• Prevent rogue DHCP server
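A simplified model of the checks named on the two First Hop Security slides above (RA Guard, DHCP Guard, NDP address gleaning and inspection, Source Guard). It is an added illustration, not code from the presentation and not Cisco's implementation; the `FirstHop` class, port names, frame kinds and all frames are constructed assumptions.

```python
# Simplified model of first-hop filtering on an access switch (illustrative only).
ROUTER, HOST = "router", "host"

class FirstHop:
    def __init__(self, port_roles):
        self.roles = port_roles      # port -> ROUTER (trusted uplink) or HOST (access port)
        self.bindings = {}           # IPv6 address -> (mac, port), gleaned from NDP

    def check(self, port, mac, kind, addr=None):
        """Return (verdict, reason) for one frame seen on `port`."""
        host_port = self.roles.get(port, HOST) == HOST   # unknown ports are untrusted
        if kind == "RA" and host_port:
            return "drop", "RA Guard: router advertisement on host port"
        if kind == "DHCPV6_ADVERTISE" and host_port:
            return "drop", "DHCP Guard: server message on host port"
        if kind in ("NS_DAD", "NA"):
            # Address gleaning: the first claimant of an address owns the binding.
            owner = self.bindings.setdefault(addr, (mac, port))
            if owner != (mac, port):
                return "drop", "NDP inspection: address bound to %s on %s" % owner
            return "forward", "binding ok"
        if kind == "DATA" and host_port and self.bindings.get(addr) != (mac, port):
            return "drop", "Source Guard: no binding for source address"
        return "forward", "permitted"

def run(switch, frames):
    """Verdict for each frame, in order."""
    return [switch.check(*frame)[0] for frame in frames]

# Constructed topology and frames (documentation prefix 2001:db8::/32).
PORTS = {"Gi1/0/48": ROUTER, "Gi1/0/1": HOST, "Gi1/0/2": HOST}
HOST_A, HOST_B, RTR = "00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:00:00:01"
FRAMES = [
    ("Gi1/0/48", RTR, "RA"),                        # legitimate RA from the uplink
    ("Gi1/0/1", HOST_A, "NS_DAD", "2001:db8:10::a"),  # host A claims its address
    ("Gi1/0/2", HOST_B, "RA"),                      # RA from an access port
    ("Gi1/0/2", HOST_B, "NA", "2001:db8:10::a"),    # NA for an address bound elsewhere
    ("Gi1/0/1", HOST_A, "DATA", "2001:db8:10::a"),  # traffic matching the binding
    ("Gi1/0/2", HOST_B, "DATA", "2001:db8:10::a"),  # traffic with someone else's source
    ("Gi1/0/2", HOST_B, "DHCPV6_ADVERTISE"),        # server message from an access port
]

if __name__ == "__main__":
    sw = FirstHop(PORTS)
    for frame in FRAMES:
        print(frame, "->", sw.check(*frame))
```

The binding table is what ties the features together: gleaning populates it, and both NDP inspection and Source Guard enforce against it, so an address with no gleaned binding is dropped by Source Guard on a host port.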
IPv6 User Access @ Cisco
• Secured broad executive support
• Progress requires multi-functional teams – not just a networking problem
• Pursuing Outside-In and Inside-Out in parallel
• Coordinated equipment upgrades and software updates with fleet upgrade program
• Made sure common client configurations were tested
• Made operational changes e.g. IPv6-specific security mechanisms and monitoring solutions for IPv6 traffic
• To date
  - Provided IPv6 access in approximately one-third of global offices – tunnel access for interim connectivity
  - IPv6-enabled 100% of the core network
  - Observed Happy Eyeballs (RFC 6555) in action
  - Observed IPv6 attacks
  - Monitor worldwide usage with 6lab.cisco.com/stats
Dual stack topology
Measure: unique MACs with
• IPv6 LL address
• IPv6 global address
• IPv6 with global EUI address
• IPv4 global address
Measurements de-duplicate privacy addresses
In 6 months *:
• Dual stack-capable devices increased from 47.5% to 77.5%
• IPv6-using devices increased by 87.3%
* Between IPv6 World Congress, Jan 2012 and Cisco Live US, June 2012
Dual stack capable: IPv4 global + IPv6 LL
IPv6 using: IPv6 global
http://blogs.cisco.com/borderless/ipv6-at-ciscolive-san-diego/
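One way to compute the per-MAC measurement described on this slide, as an added example that is not the tooling used for the presentation. It assumes observations arrive as (MAC, address) pairs, treats "global" as 2000::/3 for IPv6 and as anything outside RFC 1918, loopback and link-local space for IPv4, and uses constructed sample data in which documentation prefixes stand in for global addresses.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")

def eui64_iid(mac):
    """Modified EUI-64 interface identifier for a MAC (RFC 4291, Appendix A)."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    octets[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")

def categories(mac, addr):
    """Slide categories that one (MAC, address) observation counts toward."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        local = ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918)
        return set() if local else {"ipv4_global"}
    if ip.is_link_local:
        return {"ipv6_ll"}
    if ip in GLOBAL_UNICAST_V6:
        cats = {"ipv6_global"}
        if int(ip) & (2**64 - 1) == eui64_iid(mac):  # low 64 bits derived from the MAC
            cats.add("ipv6_global_eui")
        return cats
    return set()

def measure(observations):
    """Count unique MACs per category, so extra temporary addresses never inflate a count."""
    macs = defaultdict(set)
    for mac, addr in observations:
        for cat in categories(mac.lower(), addr):
            macs[cat].add(mac.lower())
    counts = {c: len(macs[c]) for c in ("ipv6_ll", "ipv6_global", "ipv6_global_eui", "ipv4_global")}
    counts["dual_stack_capable"] = len(macs["ipv4_global"] & macs["ipv6_ll"])  # slide definition
    counts["ipv6_using"] = len(macs["ipv6_global"])                            # slide definition
    return counts

# Constructed sample: four clients, some holding several temporary (privacy) addresses.
OBSERVATIONS = [
    ("00:11:22:33:44:55", "203.0.113.10"),
    ("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455"),
    ("00:11:22:33:44:55", "2001:db8:1::211:22ff:fe33:4455"),   # EUI-64 based global
    ("00:11:22:33:44:55", "2001:db8:1::5c4d:91aa:7e02:13f9"),  # temporary address
    ("00:11:22:33:44:66", "203.0.113.11"),
    ("00:11:22:33:44:66", "fe80::211:22ff:fe33:4466"),
    ("00:11:22:33:44:77", "10.20.30.40"),                      # RFC 1918 only
    ("00:11:22:33:44:88", "198.51.100.7"),
    ("00:11:22:33:44:88", "fe80::211:22ff:fe33:4488"),
    ("00:11:22:33:44:88", "2001:db8:1::d0a7:44b1:9c3e:6a20"),  # temporary address
    ("00:11:22:33:44:88", "2001:db8:1::e113:7a5c:20bd:4f61"),  # temporary address
]

if __name__ == "__main__":
    print(measure(OBSERVATIONS))
```

Counting MACs rather than addresses is what keeps a client that rotates through several temporary addresses from being counted as several IPv6 users.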
[Diagram: three panels titled Model 1 - Proxy at Internet Edge, Model 2 – SLB64, and Model 3 – Dual Stack Web Servers, each showing www.cisco.com with the labels IPv6 / IPv4 Internet, AKAMAI, DMZ Network, Security (plus Proxy in one panel), Server Load Balancer (ACE), Cisco.com Web Servers, App Platforms, Middleware, Database, Content, IdM, Authz, Svc Assurance, Data Center Network]
www.cisco.com www.webex.com home.cisco.com
Next Steps
1. Audit and Assess: determine IPv6 readiness and processes that need to be upgraded
2. Train and try: develop technical skills and best practices for your environment
3. Build a Transition Plan: create a strategy for transitioning your current network to support IPv6
1. Deploy IPv6 dual stack: Progressively add IPv6 capability to IT infrastructure for a smooth transition, including network, end-points, security and applications
2. IPv6 and BYOD: ensure IPv6 is included in any BYOD strategy, include security and visibility tools
• IPv6 Education • Training: IPv6 FD • Certified Pro. CCIE/CCDE/CCDP/CCNA/CCNP • CiscoLive, Conferences & Webinars • Cisco Press
• IPv6 Knowledge Portal
• Comprehensive Advanced Services
• IPv6 Support Community
• IPV6 adoption Statistics
• Leading in Certification
www.cisco.com/go/ipv6
Hurricane Electric, IPv4 exhaust: http://ipv6.he.net/statistics/
IPv6 adoption statistics: http://6lab.cisco.com/stats/
ISOC, World IPv6 Launch: www.worldipv6launch.org
Cisco IPv6 home page: www.cisco.com/go/ipv6
Cisco IPv6 Knowledge portal: http://www.cisco.com/web/solutions/netsys/ipv6/knowledgebase/index.html
Cisco IPv6 Support community: https://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition
Cisco Blog IPv6 Tag: blogs.cisco.com/tag/ipv6
Lippis Report Podcast Interview - Alain Fiocco: http://lippisreport.com/2012/07/world-ipv6-day-marks-massive-transition-in-ip-addressing-what-it-means-to-you/
Certification, USGv6/IPV6RL Ph2: https://www.iol.unh.edu/services/testing/ipv6/usgv6tested.php
Twitter: #IPv6, @alainfiocco, @Deploy360, @TeamARIN
LinkedIn Group: http://www.linkedin.com Groups: IPv6, IPv6 Enthusiasts, IPv6Security
What have you enabled IPv6 on today ?
Winston Churchill