© 2013 Utilities Telecom Council
Brandon Ross Chief Network Architect and CEO
Network Utility Force www.netuf.net
@NetUF
IPv6 Implementation Best Practices For Service Providers
COMPTEL Webinars powered by Copper Services
1 COMPTEL Webinars powered by Copper Services
RFC 6540 - IPv6 Support Required for All IP-Capable Nodes -
Given the global lack of available IPv4 space, and limitations in IPv4 extension and transition technologies, this document advises that IPv6 support is no longer considered optional. It also cautions that there are places in existing IETF documents where the term "IP" is used in a way that could be misunderstood by implementers as the term "IP" becomes a generic that can mean IPv4 + IPv6, IPv6-only, or IPv4-only, depending on context and application.
2 COMPTEL Webinars powered by Copper Services
RFC 6540
• Are you aware of this requirement? • Are your nodes IPv6 capable?
3 COMPTEL Webinars powered by Copper Services
IPv6 Background • IPv4 depletion is already occurring • IPv6 adoption is accelerating • Most network hardware supports IPv6 • For the most part, dual stack Just Works
4 COMPTEL Webinars powered by Copper Services
IPv4 Free Pool Depletion
http://www.potaroo.net/tools/ipv4/index.html
5 COMPTEL Webinars powered by Copper Services
IPv6 Enabled Networks
http://www.ipv6actnow.org/info/statistics/
6 COMPTEL Webinars powered by Copper Services
US Federal Lesson Learned
- federal government had mandated for all public facing web services to support IPv6 by September 30, 2012 –
(287 of 1494 sites had IPv6 web support by the deadline)
Today 962 of 1332 sites support IPv6 - over 70% (far ahead of most other large organizations)
Source: http://usgv6-deploymon.antd.nist.gov//
7 COMPTEL Webinars powered by Copper Services
What next?
“Okay, my organization is convinced it’s time to begin IPv6 deployment, what do I need to consider?”
8 COMPTEL Webinars powered by Copper Services
Best Practices
The fundamentals haven’t changed a bit for IPv6, consider: • Security • Maintainability • Scalability • Performance • Flexibility
9 COMPTEL Webinars powered by Copper Services
Apply the Fundamentals
What areas need the most attention? • Addressing plan • Interconnectivity • Bootstrapping/AAA • Security issues • Staff training • Transition
10 COMPTEL Webinars powered by Copper Services
IPv6 Address Space is VAST
“IPv6 uses a 128-bit address, allowing 2128, or approximately 3.4×1038 addresses, or more than 7.9×1028 times as many as IPv4, which uses 32-bit addresses.” (Wikipedia) That’s 340 Undecillion! Undecillion is a number with 36 zeros. We must change our thinking about how to allocate address space to meet our best practice goals.
11 COMPTEL Webinars powered by Copper Services
State of Assignments
• All of the registries, for the most part, assign initial blocks
for Service provider /32
Enterprise /48
12 COMPTEL Webinars powered by Copper Services
What makes up a good addressing plan?
• Depends on the type of network, the size of the network, and problem to be solved
• Points to consider Documentation
Ease of troubleshooting
Aggregation
Standards compliance
Growth
SLAAC
Existing IPv4 addressing plan
Human factors
13 COMPTEL Webinars powered by Copper Services
Algorithmic Approaches
• Interop took an algorithmic approach to IPv6 numbering
• Encode every IPv4 address in your network in an IPv6 address
10.10.10.10 (A0A0A0A) 2001:DB8:A0A:A0A::
14 COMPTEL Webinars powered by Copper Services
Interconnectivity
• Routing protocols have been updated, but the fundamental concepts remain the same – Run routing protocols such that they fail when the underlying transport
fails
• That means separate v4 and v6 protocols
– For ease of management, configure IPv4 and IPv6 connectivity to follow the same paths
– Also use the same routing policies whenever possible
• Ask your Internet traffic peers, suppliers, partners and clients to begin transporting IPv6 traffic
15 COMPTEL Webinars powered by Copper Services
Bootstrapping/AAA
• Some fundamental changes have been made to the bootstrap process to join an IPv6 network, all part of the Neighbor Discovery process – Router Advertisements (RA) – Tells potential clients about the routers
and prefixes available on the network
– StateLess Address Auto Configuration (SLAAC)
• New in IPv6, allows a device to generate it’s own address
• Supported universally
– Dynamic Host Configuration Protocol v6 (DHCPv6)
• Very similar to v4, can distribute address, DNS server, other information about the network
• Good support, but far from universal
16 COMPTEL Webinars powered by Copper Services
Security Issues
• Use the same diligence you used for IPv4 • Ask equipment vendors to support specific protections in IPv6
– RA-Guard – prevents an attacker from sending rogue RAs into the network and becoming a man-in-the-middle
– DHCP-Shield – similar to RA-Guard in that it blocks fake DHCP servers from giving out false information
• Ensure equipment supports all IPv4 features you use in IPv6 as well such as ACLs, anti-spoof filtering (RPF), etc. Why should v6 be any different in these areas?
• Where firewalls are needed, ensure your choice of firewall supports v6 as well as v4.
• NAT is NOT a security feature and v6 doesn’t have it
17 COMPTEL Webinars powered by Copper Services
Staff Training
• Find an experienced organization to provide training • Service providers require a different level of scalability and
maintainability than enterprise, use a trainer that understands SP’s unique challenges
• Build a lab, get a tunnel to experiment with IPv6
18 COMPTEL Webinars powered by Copper Services
Transition Technologies • 3 Types
– Dual Stack • Hopefully will be the most common
• Simply means running both v4 and v6 at the same time
– Tunneling • Putting either IPv4 packets inside IPv6 packets or vice versa, depending on the situation
• Can be useful to solve problems in certain areas, but in general, tunneling hurts performance and should be avoided when possible
• Examples: 6rd, 6in4, 4in6, DS-Lite, MAP
– Translation • Converting an IPv4 packet into an IPv6 packet or vice versa
• Like in tunnels, can be useful in certain circumstances, especially for rapid deployment of IPv6 on public facing services such as web servers
• Example: NAT64
19 COMPTEL Webinars powered by Copper Services
Conclusions
• IPv6 works in the real world • There are challenges to implementing IPv6, but nothing
show-stopping • Much of the Internet’s content is reachable over IPv6 (and
growing fast) including all of Google, FaceBook and 3000 other sites
• A much smaller percentage of Internet users have IPv6 connectivity (though this may change quickly with IPv4 depletion)
© 2013 Utilities Telecom Council
Network Utility Force www.netuf.net
@NetUF
Thank You!
COMPTEL Webinars powered by Copper Services
- download this presentation here: or here: http://bit.ly/17yKwnj - meet with us at booth 501
