Network Automation for IPv6 - Association G6g6.asso.fr/wp-content/uploads/2012/04/infoblox.pdf ·...

© 2011 Infoblox Inc. All Rights Reserved.

Anton Holleman, Senior Consulting Engineer, EMEA

[email protected]

Network Automation for IPv6

1


The Network and its core services

Core Network Services:

DNS, DHCP, IPAM

Applications

Network:

Glue between network and all applications Track and automate change Secure and reliable service delivery

Discovery and inventory Track and automate change Proactive check against policy

© 2011 Infoblox Inc. All Rights Reserved. 3

What are the benefits?

Implementing IPv6


Drivers to IPv6

!  You can’t get enough IPv4 addresses

!  Your business partners are using IPv6

!  Clean up your current network architecture

!  Performance and security enhancements

4


How do we get there?

IPv6 Implementation Challenges


What do you have now?

!  Make sure you know what you have:

–  Current/accurate network inventory and map

–  Inventory of all firewalls, NATs, load balancers, anything with ACLs

–  Current/accurate desktop and server inventory

–  Inventory of all software/apps and services you use

6


IP devices and network infra

!  Do you need to:

– Replace

– Upgrade

– Buy new/additional hardware

– Reconfigure existing hardware

7


IPv6 Migration Challenges

!  Dual infrastructure for foreseeable future

!  IPv4 and IPv6 will coexist

requiring infrastructure support

for both

!  IPv6 expertise is scarce

!  Existing management

tools/scripts won’t work

!  IP Address Management with

spreadsheets will not scale

!  Subnet creation will require new

diligence

!  DNS management will be error

prone 8


Why Automate?

IPv6 Deployment


Is everyone ready for that? Or, do we need new tools?

Are you ready? Old methods just don’t work.

10.34.12.5

2001:1868:ad01:1::33

2001:1868:ad01:1::c62c:3ff:fe30:16c1

Can you remember?

10


Traditional IP Allocation Process

!  Spreadsheet tracks inventory

!  To add a host –  User request starts procedure

–  Help desk forwards the request to the network or server team

–  Network team determines allocation

–  DNS administrator:

•  Edits forward-mapping zone file and adds an AAAA record, updates zone’s serial number and saves file

•  Edits reverse-mapping zone file and adds a PTR record, updates zone’s serial number and saves file

•  Restarts/reloads name server

!  Spreadsheet gets updated with new information

!  Troubleshoot if needed 11


Automation Use Case: Address Allocation Process

!  To add a host with IPAM

– Coordinate IPv4 and IPv6 addresses

–  Instant feedback

– Easy to resolve conflicts

!  DNS and DHCP records are updated instantly

!  Change logged and classified in audit log

– Who changed it

– What changed

– When it changed

12

Name

IPv4 Address

IPv6 Address


Automating Network Allocation

Benefits !  Shorten planning cycle

-  View network

-  Select available or existing

-  Reduce or enlarge

!  Eliminate dependencies and procedural delays

!  Built-in error checking

-  Closed loop update

-  Synchronize changes to both DNS and DHCP configuration

-  Logged and classified in the audit log

IPv6 Containers IPv6 Networks

Bounds of IPv6 Address Space

Quickly view available IPv6 address space

13


IPAM – Knowledge is Power

Without a clear understanding of your IP assets and utilization, it is impossible to automate your network environment effectively

–  Allocate address ranges for specific function or applications

–  Real time decision making

–  Coordinate IP allocation between different organizations/groups –  Time to determine what is available

•  Ping before assign is not always accurate

•  Checking spreadsheets is time intensive and difficult to manage

14


Network Change Control and Management

Making decisions based on outdated or inaccurate information about IP addresses, DNS and DHCP can effect the stability of the network

Discovery: !  You need to know when new assets are added to the network

!  Not everything follows the right process!

Capacity planning !  As new services are to be deployed, you need to know if

the address space is available.

!  Tracking switch ports in use is also critical to planning

15


DHCPv6 – Stateful vs. Stateless

!  Client receives all required information from the router to configure default gateway and address

!  Generally no DHCP options – However, additional options provided by DHCP if available

!  Very similar to IPv4 DHCP

!  Client receives address from the DHCP server

!  Client receives options from the DHCP server

!  Server can track which IP address is in use by which client

16

Stateless Deployments Stateful Deployments

Which one will you use?


Infoblox solutions enable IPv6 migration

DNS/DHCP/IPAM Automation IPv6 Enabled Network Configuration Automation !  Network change automation !  Configuration management !  Compliance, policy enforcement & auditing

!  DNS/DNSSEC configuration automation

!  IP address management automation

17


Conclusions

!  IPv6 gives you the opportunity to design and build a new network

!  Execution without a plan is planning for failure

!  Timing is right to start to plan now

!  Without automation, your plan will fail

18


DNS64 – The Universal Translator Needed When IPv6 Only Clients Reach IPv4 Only Hosts

IPv4 IPv6

Dual Stack Web Server

Dual Stack SMTP Server

Dual Stack External DNS

DMZ

Firewall with IPv4 NAT

Translation

Internal IPv4 Network

I only speak IPv6

I only speak IPv4

19


For More Information…

20

IPv6 Center of Excellence www.infoblox.com/IPv6CoE Cricket IPv6 White Paper – 7 deadly traps www.infoblox.com/en/resources/white-papers/seven-deadly-traps-of-ipv6-deployment.html Cricket O’Reilly book www.infoblox.com/en/landing/dns-on-windows-server.html


[email protected]

Questions?


Internet

DNS64 – The Inner Workings

Recursive Name Server

running DNS64

IPv4 IPv6

NAT64 Protocol

Translator

www.v4only.com

ns1.v4only.com Client sends query for www.v4only.com/AAAA to local recursive name server

64:ff9b::/64 1

2

2

3 4

5

6

7

1

2

3

4

5

6

7

Recursive name server sends www.v4only.com/AAAA query to name server, gets negative response, sends www.v4only.com/A query, gets response

Recursive name server synthesizes an IPv6 address to return to client in AAAA record using 64:ff9b::/64 prefix

Client sends packet to synthesized IPv6 address, which routes to NAT64

NAT64 sends packet to destination IPv4 address

IPv4-only web server returns response over IPv4 to NAT64

NAT64 converts packet to IPv6, returns to originating client

22


To Learn More


Get your own tunnel

!  Hurricane Electric – http://ipv6.he.net

!  SIXXS - http://www.sixxs.net/main

!  HE Certification: –  On the Hurricane Electric IPv6 site is a certification program.

Completing the program is an excellent introduction to IPv6 in a working environment.

24


Books to look at

!  IPv6 Essentials - Silvia Hagen

!  Running IPv6 - Iljitsch van Beijnum

!  IPv6 Security – Scott Hogg and Eric Vyncke

25


Handy Web Resources

!  NIST Guidlines for the Secure Deployment of IPv6 –  http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf

!  ARIN IPv6 Wiki –  http://www.getipv6.info

!  IPv6 Forum –  http://ipv6forum.com

!"#


Anton Holleman, [email protected]

Thank you!

Date post:	15-Jul-2020
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

Network Automation for IPv6 - Association G6g6.asso.fr/wp-content/uploads/2012/04/infoblox.pdf ·...

Documents