2. UTC TELECOM 2013
IPv6 Support Required for All IP-Capable Nodes – RFC 6540
Given the global lack of available IPv4 space, and
limitations in IPv4 extension and transition technologies,
this document advises that IPv6 support is no longer
considered optional. It also cautions that there are places in
existing IETF documents where the term "IP" is used in a
way that could be misunderstood by implementers as the
term "IP" becomes a generic that can mean IPv4 + IPv6,
IPv6-only, or IPv4-only, depending on context and
application.
3. UTC TELECOM 2013
RFC 6540
• Are you aware of this requirement?
• Are your nodes IPv6 capable?
4. UTC TELECOM 2013
Background
• IPv4 depletion is already occurring
• IPv6 adoption is accelerating
• Most network hardware supports IPv6
• For the most part, dual stack Just Works
[Figures: IPv4 Free Pool Depletion; IPv6 Routing Table Growth. Sources: http://www.potaroo.net/tools, http://www.ipv6actnow.org/info/statistics/#alloc]
5. UTC TELECOM 2013
US Feds Lesson Learned
The US federal government had a mandate for all public facing web
services to support IPv6 by September 30, 2012.
287 of 1494 sites had IPv6 web support by the deadline.
Today 961 of 1355 sites support IPv6.
That’s over 70%. Not 100%, but far ahead
of most other large organizations.
Source: http://usgv6-deploymon.antd.nist.gov//
6. UTC TELECOM 2013
What next?
“Okay, my organization is convinced it’s time
to begin IPv6 deployment, what do I need to
consider?”
7. UTC TELECOM 2013
Consider the Fundamentals of Best Practice
The fundamentals haven’t changed a bit for
IPv6, consider:
• Security
• Maintainability
• Scalability
• Performance
• Flexibility
8. UTC TELECOM 2013
Apply the Fundamentals
What areas need the most attention?
• Addressing plan
• Interconnectivity
• Bootstrapping/AAA
• Security issues
• Staff training
• Transition
9. UTC TELECOM 2013
IPv6 Address Space is VAST
“IPv6 uses a 128-bit address, allowing 2^128, or approximately
3.4×10^38 addresses, or more than 7.9×10^28 times as many as
IPv4, which uses 32-bit addresses.” (Wikipedia)
That’s 340 Undecillion!
Undecillion is a number with 36 zeros.
We must change our thinking about how to allocate address
space to meet our best practice goals.
10. UTC TELECOM 2013
State of Assignments
• All of the registries, for the most part, assign initial blocks for:
– Service provider: /32
– Enterprise: /48
11. UTC TELECOM 2013
What makes up a good addressing plan?
• Depends on the type of network, the size of the
network, and problem to be solved
• Points to consider
– Documentation
– Ease of troubleshooting
– Aggregation
– Standards compliance
– Growth
– SLAAC
– Existing IPv4 addressing plan
– Human factors
12. UTC TELECOM 2013
Algorithmic Approaches
• Interop took an algorithmic approach to IPv6
numbering
• Encode every IPv4 address in your network in an
IPv6 address
10.10.10.10 (A0A0A0A)
2001:DB8:A0A:A0A::
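The mapping on this slide, generalized from single addresses to whole IPv4 subnets, as an added example (not from the original slides). It assumes a /32 site prefix, the documentation prefix 2001:db8::/32; the function names are hypothetical.

```python
import ipaddress

# Assumption: a /32 site prefix, so the 32 IPv4 bits land in bits 32..63
# and every IPv4 host address maps to its own /64.
SITE = ipaddress.IPv6Network("2001:db8::/32")

def v4_to_v6(v4net, site=SITE):
    """Map an IPv4 network of length n to the IPv6 prefix of length site+n."""
    v4 = ipaddress.IPv4Network(v4net)
    if site.prefixlen + 32 > 64:
        raise ValueError("site prefix too long to leave a /64 per IPv4 address")
    shift = 128 - site.prefixlen - 32
    base = int(site.network_address) | (int(v4.network_address) << shift)
    return ipaddress.IPv6Network((base, site.prefixlen + v4.prefixlen))

def v6_to_v4(v6net, site=SITE):
    """Recover the IPv4 network encoded in an IPv6 prefix under the site prefix."""
    v6 = ipaddress.IPv6Network(v6net)
    if not v6.subnet_of(site):
        raise ValueError(f"{v6} is not inside {site}")
    shift = 128 - site.prefixlen - 32
    bits = (int(v6.network_address) >> shift) & 0xFFFFFFFF
    plen = min(v6.prefixlen - site.prefixlen, 32)
    return ipaddress.IPv4Network((bits, plen), strict=False)

if __name__ == "__main__":
    for net in ("10.10.10.10", "10.10.10.0/24", "10.0.0.0/8"):
        v6 = v4_to_v6(net)
        print(f"{net:>16} -> {v6} -> {v6_to_v4(v6)}")
```

Because the mapping is reversible, an IPv4 ACL or anti-spoof filter entry can be translated to its IPv6 counterpart mechanically, and an IPv6 prefix seen in a log can be traced back to the IPv4 subnet it mirrors.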
13. UTC TELECOM 2013
Interconnectivity
• Routing protocols have been updated, but the fundamental
concepts remain the same
– Run routing protocols such that they fail when the underlying transport
fails
• That means separate v4 and v6 protocols
– For ease of management, configure IPv4 and IPv6 connectivity to
follow the same paths
– Also use the same routing policies whenever possible
• Ask your Internet traffic peers, suppliers, partners and clients
to begin transporting IPv6 traffic
14. UTC TELECOM 2013
Bootstrapping/AAA
• Some fundamental changes have been made to the
bootstrap process to join an IPv6 network, all part of the
Neighbor Discovery process
– Router Advertisements (RA) – Tells potential clients about the routers
and prefixes available on the network
– StateLess Address Auto Configuration (SLAAC)
• New in IPv6, allows a device to generate its own address
• Supported universally
– Dynamic Host Configuration Protocol v6 (DHCPv6)
• Very similar to v4, can distribute address, DNS server, other information
about the network
• Good support, but far from universal
15. UTC TELECOM 2013
Security Issues
• Use the same diligence you used for IPv4
• Ask equipment vendors to support specific protections in IPv6
– RA-Guard – prevents an attacker from sending rogue RAs into the
network and becoming a man-in-the-middle
– DHCP-Shield – similar to RA-Guard in that it blocks fake DHCP
servers from giving out false information
• Ensure equipment supports all IPv4 features you use in IPv6
as well such as ACLs, anti-spoof filtering (RPF), etc. Why
should v6 be any different in these areas?
• Where firewalls are needed, ensure your choice of firewall
supports v6 as well as v4.
• NAT is NOT a security feature and v6 doesn’t have it
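A monitoring-side check for the rogue RA problem described above, added here as an illustration; it is not from the original slides and is not how any vendor implements RA-Guard. It parses the ICMPv6 Router Advertisement body (RFC 4861 layout) and flags RAs from unlisted sources or with unexpected prefixes. The allow-lists, function names and sample packets are constructed.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option, always 32 bytes long

# Constructed allow-lists for one segment (assumptions for this example).
ALLOWED = {ipaddress.IPv6Address("fe80::1")}
EXPECTED = {ipaddress.IPv6Network("2001:db8:a0a:a0a::/64")}

def parse_ra(icmp: bytes):
    """Return (router_lifetime, [advertised prefixes]) from an ICMPv6 RA body."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    lifetime = struct.unpack_from("!H", icmp, 6)[0]
    prefixes, off = [], 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed or truncated option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            addr = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, icmp[off + 2]), strict=False))
        off += opt_len
    return lifetime, prefixes

def check_ra(src, icmp, allowed_routers=ALLOWED, expected_prefixes=EXPECTED):
    """Return a list of findings; an empty list means the RA matches policy."""
    _, prefixes = parse_ra(icmp)
    findings = []
    if ipaddress.IPv6Address(src) not in allowed_routers:
        findings.append(f"RA from unlisted source {src}")
    for prefix in prefixes:
        if prefix not in expected_prefixes:
            findings.append(f"unexpected prefix {prefix}")
    return findings

def build_ra(prefix, lifetime=1800):
    """Build a constructed RA body (sample input only; nothing is sent)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + opt + net.network_address.packed

if __name__ == "__main__":
    print(check_ra("fe80::1", build_ra("2001:db8:a0a:a0a::/64")))
    print(check_ra("fe80::bad", build_ra("2001:db8:dead::/64")))
```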
16. UTC TELECOM 2013
Staff Training
• Find an experienced organization to provide training
• Service providers require a different level of scalability and
maintainability than enterprises; use a trainer that understands
SPs’ unique challenges
• Build a lab, get a tunnel to experiment with IPv6
17. UTC TELECOM 2013
Transition
• 3 types of transition technologies
– Dual Stack
• Hopefully will be the most common
• Simply means running both v4 and v6 at the same time
– Tunneling
• Putting either IPv4 packets inside IPv6 packets or vice versa, depending on the situation
• Can be useful to solve problems in certain areas, but in general, tunneling hurts performance
and should be avoided when possible
• Examples: 6rd, 6in4, 4in6, DS-Lite, MAP
– Translation
• Converting an IPv4 packet into an IPv6 packet or vice versa
• Like in tunnels, can be useful in certain circumstances, especially for rapid deployment of IPv6
on public facing services such as web servers
• Example: NAT64
18. UTC TELECOM 2013
Conclusions
• IPv6 works in the real world
• There are challenges to implementing IPv6, but nothing
show-stopping
• Much of the Internet’s content is reachable over IPv6 (and
growing fast) including all of Google, Facebook and 3000
other sites
• A much smaller percentage of Internet users have IPv6
connectivity (though this may change quickly with IPv4
depletion)