IPv6 Are we there yet? - PowerPoint PPT Presentation

Slides: 41
Provided by: Jero145
Transcript and Presenter's Notes


1
IPv6 Are we there yet?
2
Problem
  • The Internet keeps growing
  • Running out of IPv4 addresses
  • Running out of time!

3
Problem
4
Original Design
  • Network of networks
  • Packet-based network
  • Unique addresses
  • End-to-end connectivity
  • Layered design

5
Quick fixes
  • Address Resource Management
  • CIDR
  • NAT
  • Rethinking IP, started in 1992

6
Extending IPv4 lifetime
  • NAT
      • CPE NAT
      • Carrier-grade
  • CIDR

7
(No Transcript)
8
Internet Resources
  • Addresses (IPv4/IPv6) & ASN
  • Hierarchical manner (top-down)
  • Goals of the Internet Registry System
      • Uniqueness
      • Aggregation
      • Conservation
      • Registration

9
IPv4 depletion: How many IPv4 addresses?
  • 2^32 = 4.3 billion IPv4 addresses

10
What is left?
  • IANA allocates /8 to RIRs
  • 256 /8s is the entire IPv4 Internet
  • Beginning of 2010, IANA had 26 /8s left
  • In February 2011, IANA allocated the last /8
  • Even RIRs are running out
  • APNIC handed out last /8 in April 2012
  • Microsoft/Nortel: trade of IPv4 blocks
  • Asking legacy holders to become LIR or
    sponsorship.
  • RIPE is running out rapidly

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
11
What is left?
12
What is left?
http://www.potaroo.net/tools/ipv4/index.html
13
IPv6 Islands

14
IPv6 to the rescue
  • It is clear that we need a better solution
  • IPv6 to solve address exhaustion
  • Extra features built in
  • IPv6 has existed for 16 years
  • Time to act now!

15
IPv6 to the rescue
16
Improved features
  • Better support for mobility
  • Security, IPSec
  • Auto-configuration
  • Routing (simpler header, flexible extensions,
    aggregation)
  • IPv6 Multicast, more addresses

17
More
  • IP addresses !!!!!
  • 128 bits instead of 32 bits
  • 2^128 addresses, 3.4×10^38 addresses
  • 340 sextiljoen (undecillion) addresses
  • Let's just say a lot of addresses
  • Restore end-to-end connectivity
  • Internet as it was meant to be!

18
IPv6 subnetting
19
IPv6 addresses
2001:6a8:3c80:8000:222:19ff:fe14:a617/64
2001:06a8:3c80:0000:0000:0000:0000:0039
2001:6a8:3c80::39
0001 1001 1111 1111
20
IPv6 interoperability
[Diagram: IPv6 prefixes 2001:6a8:24c0::/48 and 2001:6a8:2400:8003::/64 shown alongside IPv4 prefixes 193.190.162.0/24 and 193.191.2.0/30]
21
Differences
  • Different types and scope of addresses
  • No broadcast, thus no ARP
  • Relies heavily on multicasting
  • Auto-configuration instead of DHCP?
  • Common to have multiple addresses on an
    interface. What IP will be used to source traffic?

22
IPv6 @ Belnet
  • 2001:6a8::/32
  • Native, dual-stack since Jan 2003
  • Multiple IPv6 peerings
      • Geant
      • Transit
      • BNIX
      • Other IXes
  • Various services already available on IPv6: FTP,
    DNS, Jabber, NTP, WWW, SMTP, Antispam Pro

23
IPv6 assignments

24
IPv6 current status
  • Belnet active use of IPv6 (live traffic) 2013
  • 10 of the Belnet customer base

25
Why you should run IPv6
Belnet active use of IPv6 (live traffic) 2014
26
IPv6 elsewhere
  • Equipment vendors (routers, firewall, ...)
  • Software (OS, applications, ...)
  • Networks
  • Content: Google, Facebook (IPv6 day 8/06/2011)
  • IXes
  • ISPs: Comcast (US), XS4all (NL)
  • CDNs: Akamai (end of 2010)

27
Why you should run IPv6
  • Experimental users
  • Power users
  • Global audience
  • Get your content available over IPv6

28
Interesting Sites
https://www.vyncke.org/ipv6status/
29
Enabling IPv6 on your network
30
Your action plan
  • Equipment inventory
  • Raise awareness
  • Get your assignment
  • Prepare your address plan
  • Get IPv6 on your DMZ
  • Get IPv6 on your LAN

31
Equipment inventory
  • Routers and firewalls
      • Does it support IPv6?
      • At full performance?
  • Server & Desktop OS
      • Should be a no-brainer for recent OSes
  • Application software
      • Does it depend on hard-coded IPv4 addresses/ranges?
      • If built on Apache or IIS, no other problems expected...
  • Other networked gear
      • Printers?
      • Switches? RA guard, PACL, RA snooping

32
Raise awareness
  • Your ICT colleagues/Management
      • Awareness of network changes
      • No surprises
  • End users
      • Migration should be transparent to them
      • Only warn when deployed on LAN and/or Wi-Fi
      • Via Intranets?

33
Prepare your address plan (1)
2001:6a8:3c80:8004:ca2a:14ff:fe15:9cb6
  • Belnet /32
  • Customer /48
  • Host address
  • 65536 assignable /64 ranges
8004 = 1000 0000 0000 0100
34
Prepare your address plan (2)
  • Map your IPv4 address plan into your IPv6 prefix
      • 10.50.60.0/24 -> 2001:6a8:1234:5060::/64
      • Easy, but not always a good idea
  • Large networks need a decent IPv6 address plan
      • Use location / VLAN id / type of service...
      • 2001:6a8:1234:<location><vlan>::/64
      • e.g. 2001:6a8:1234:0165::/64 (site 0, vlan 165)
      • 16 bits to play with
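
The two address-plan schemes above and the /32, /48, subnet and host breakdown from the previous slide, as an added Python example (not part of the original presentation). The split of the 16 subnet bits into one hex digit of location and three decimal digits of VLAN id is an assumption; the slide only gives the result 0165. The function names are hypothetical.

```python
import ipaddress

def subnet(site48, subnet_id):
    """Return /64 number subnet_id (16 bits) inside a customer /48."""
    site = ipaddress.IPv6Network(site48)
    if site.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(site.network_address) | subnet_id << 64, 64))

def from_ipv4(site48, v4net):
    """10.50.60.0/24 -> :5060::/64: octets 2 and 3 written as decimal digits.
    Octets above 99 do not fit, one reason this mapping is not always a good idea."""
    net = ipaddress.IPv4Network(v4net)
    _, b, c, _ = net.network_address.packed
    if net.prefixlen != 24 or b > 99 or c > 99:
        raise ValueError(f"{v4net} does not fit the four-digit scheme")
    return subnet(site48, int(f"{b:02d}{c:02d}", 16))

def from_site_vlan(site48, location, vlan):
    """<location><vlan> scheme. Assumed split: one hex digit for the location,
    three decimal digits for the VLAN id (site 0, vlan 165 -> 0165)."""
    if not 0 <= location <= 0xF or not 0 <= vlan <= 999:
        raise ValueError("location must be 0..15 and vlan 0..999")
    return subnet(site48, location << 12 | int(f"{vlan:03d}", 16))

def explain(addr):
    """Split a host address into provider /32, customer /48, subnet id and,
    for EUI-64 interface ids, the MAC address embedded in the last 64 bits."""
    a = ipaddress.IPv6Address(addr)
    iid, mac = a.packed[8:], None
    if iid[3:5] == b"\xff\xfe":  # EUI-64: ff:fe inserted, universal/local bit flipped
        raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
        mac = ":".join(f"{x:02x}" for x in raw)
    return {
        "provider": str(ipaddress.IPv6Network((a, 32), strict=False)),
        "customer": str(ipaddress.IPv6Network((a, 48), strict=False)),
        "subnet_id": a.packed[6:8].hex(),
        "mac": mac,
    }

if __name__ == "__main__":
    site = "2001:6a8:1234::/48"  # customer prefix used on the slide
    print(from_ipv4(site, "10.50.60.0/24"))
    print(from_site_vlan(site, 0, 165))
    print(explain("2001:6a8:3c80:8004:ca2a:14ff:fe15:9cb6"))
```

The `mac` field shows that an EUI-64 host address carries the interface's hardware address with it to every network the host connects from.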

35
Get IPv6 on your DMZ (1)
  • Requirement: firewall support!
      • Use a separate zone if you want to test in advance
      • Use firewall policies similar to IPv4 policies
      • ICMP!
  • Enable IPv6 on your public servers
      • OS & applications
  • Publish AAAA records in your DNS for
    IPv6-enabled services

36
Get IPv6 on your DMZ (2)
  • Sample interface config for JunOS devices
      ge-0/0/0 {
          unit 0 {
              family inet {
                  address 10.21.0.1/24;
              }
              family inet6 {
                  address 2001:6a8:3d00:8000::1/64;
              }
          }
      }

37
Get IPv6 on your DMZ (3)
  • Sample default route for JunOS devices
      routing-options {
          rib inet6.0 {
              static {
                  route ::/0 next-hop 2001:6a8:3d00:8001::2;
              }
          }
      }

38
Get IPv6 on your DMZ (4)
  • Sample config for Cisco IOS devices
      Router(config)# interface ethernet 0/0
      Router(config-if)# ipv6 address 2001:6a8:3d00:8000::1/64
    or
      Router(config-if)# ipv6 address 2001:6a8:3d00:8000::/64 eui-64
  • Static default route
      Router(config)# ipv6 unicast-routing
      Router(config)# ipv6 route ::/0 2001:6a8:3d00:8000::2

39
Get IPv6 on your servers (1)
  • Web servers
      • IIS and Apache: no problem
      • Application-specific, legacy, unknown, ...
          • Use reverse-proxy
      • HTTPS: one domain per IP
  • DNS servers
      • Windows 2008's DNS, BIND: no problem
      • Windows 2003: support very limited
      • But an IPv6 DNS server is not mandatory to serve AAAA records

40
Get IPv6 on your servers (2)
  • Mail servers
      • Very few MTAs supported
      • Even fewer antispam software packages
      • IPv6 blacklisting still experimental
  • Our advice: do not port your MTA now
  • Get Belnet Antispam Pro (fully IPv6 compliant)!

41
Get IPv6 on your LAN(s)
  • Use a separate zone if you want to test in advance
  • One LAN at a time
      • admin, students, guests, eduroam, ...
  • Use firewall policies similar to IPv4 policies
      • Do not forget inbound connections as there is no more NAT!
      • Filtering inbound ports <1024 is good practice
      • Filter everything incoming if you want a perfect
        match between policies
  • Warn your power users about network changes
      • You want to know if something is no longer working
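
One way to check the firewall advice from the DMZ and LAN slides (policies similar to IPv4, "ICMP!", no NAT in front of the LAN), as an added Python example that is not part of the original presentation. The rule format, zone names and sample rules are constructed for illustration; the four ICMPv6 types are the error messages RFC 4890 says must not be dropped.

```python
ESSENTIAL_ICMPV6 = {1, 2, 3, 4}  # unreachable, packet too big, time exceeded, parameter problem

# Constructed sample: inbound allow rules as (zone, protocol, port or ICMP type).
SAMPLE_V4 = [("dmz", "tcp", 80), ("dmz", "tcp", 443), ("dmz", "tcp", 25)]
SAMPLE_V6 = [
    ("dmz", "tcp", 80), ("dmz", "tcp", 443),
    ("dmz", "icmpv6", 1), ("dmz", "icmpv6", 2), ("dmz", "icmpv6", 3), ("dmz", "icmpv6", 4),
    ("lan", "tcp", 22), ("lan", "icmpv6", 2),
]

def audit(v4_rules, v6_rules):
    """Return findings as (kind, zone, protocol, port_or_type) tuples."""
    v4 = {r for r in v4_rules if r[1] in ("tcp", "udp")}
    v6 = {r for r in v6_rules if r[1] in ("tcp", "udp")}
    findings = [("v6-only",) + r for r in sorted(v6 - v4)]    # reachable over IPv6 only
    findings += [("v4-only",) + r for r in sorted(v4 - v6)]   # service not offered on IPv6
    for zone in sorted({r[0] for r in v6_rules}):
        allowed = {r[2] for r in v6_rules if r[0] == zone and r[1] == "icmpv6"}
        findings += [("icmpv6-missing", zone, "icmpv6", t)
                     for t in sorted(ESSENTIAL_ICMPV6 - allowed)]
    # No NAT in front of the LAN: every allowed low port is directly reachable.
    findings += [("lan-low-port",) + r for r in sorted(v6)
                 if r[0] == "lan" and r[2] < 1024]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_V4, SAMPLE_V6):
        print(finding)
```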

42
Get IPv6 on your LAN (cont'd)
  • Distribution of IPv6 addresses
  • Router advertisement
      • Widely supported
      • Limited autoconfiguration options (only DNS
        server, if at all)
      • Perfect for dual stack: DHCPv4 + RAdvd
  • DHCPv6
      • Not widely supported yet (only recent MS products)
      • Can coexist with router advertisement (DNS servers etc.)

Our advice: go DHCPv4 + RA
43
Transitioning technologies
  • Tunneling technologies
  • Tunnel broker
      • Belnet hosts a SixXS.net PoP server
      • Native addresses
      • Specific software on routers/stations
  • 6to4
      • Built into Windows, OS X, Apple AirPort & other
        home routers
  • Teredo
      • Built into Windows, ...
  • Miredo
      • Teredo port for Unix/Linux

44
Transitioning technologies
  • Native connectivity
  • Dual stack
      • IPv6 and IPv4 on same wire/LAN/frames
  • Advantages
      • Easier to put on desktops, routers
      • Control/inspect your traffic
      • Stability, ISP support

Our advice: go dual stack
45
Transitioning technologies (cont'd)
  • NAT64 DNS64

46
Briefly
  • Follow the steps
      • Inventory
      • Awareness
      • Network plan
      • DMZ & LAN
  • Go dual stack
      • On the WAN
      • On the LAN
  • Belnet is a partner
      • Ask us questions!

47
Thank You
48
NAT64 DNS64
49
NAT64 DNS64