4 to 6: It is time, a presentation about IPv6 in Mission Critical Environments


Upload: erwin-blekkenhorst

Post on 17-Dec-2014


DESCRIPTION

This presentation outlines IPv6 in Mission Critical Environments, the typical environments of Schuberg Philis customers.

TRANSCRIPT

Page 1: 4 to 6: It is time, a presentation about IPv6 in Mission Critical Environments

4 to 6: It is time

IPv6 in Mission Critical Environments

May 2012


Agenda

» Intro
» Why IPv6?
» How to get there?
» What can we do?
» Q & A


Intro

» IPv6 Taskforce: it is all about awareness!
» V6 World Congress 2012, February 2012, Paris
» IPv6 World Launch Day, the Future is forever (June 6th)

What will it mean to us?


Why IPv6?

» IPv6 is inevitable

» It’s a transition (coexistence)

» The ‘Chicken-egg’ problem:
  – End users
  – Content providers

Ref: Geoff Huston’s Run-down model - http://www.potaroo.net/tools/ipv4/index.html

RIPE NCC – last 2.67 /8 with <40Mio IPv4 addr
APNIC – last /8 with <16Mio IPv4 addresses


IPv4 versus IPv6

» The Internet protocol (IPv4):
  – In operation since the 1980s
  – 4 billion unique addresses: 4,294,967,296 = 2^32
  – IPSec back-ported from IPv6
  – NAT
  – ARP broadcast

» IPv6:
  – In operation since 1998
  – 340 sextillion addresses: 340,282,366,920,938,463,463,374,607,431,768,211,456 = 2^128
    This equals 2^96 times the IPv4 address space
  – Native IPSec support
  – No NAT
  – Neighbor discovery multicast
  – Simplified headers
  – Native QoS
  – Native Mobile IP
  – Auto configuration
  – Privacy extensions
  – Optimized packet structure (jumbograms)


The protocol stack


IPv6 address notation

An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets). The groups are separated by colons (:). An example: 2a00:1188:5:2:207:e9ff:fe24:cf71

C:\Users\eblekkenhorst>nslookup www.cupfighter.net
Server:  sbpodc101.sbp.lan
Address:  10.71.2.10

Non-authoritative answer:
Name:    www.cupfighter.net
Addresses:  2001:67c:20c8:aa00::20
          195.66.90.18

Groups of zeros can be replaced by a double colon (::). This can only be done once, because a::b::c could be interpreted as a:0:b:0:0:0:0:c or a:0:0:b:0:0:0:c etc.

Reverse DNS: 1.7.f.c.4.2.e.f.f.f.9.e.7.0.2.0.2.0.0.0.5.0.0.0.8.8.1.1.0.0.a.2.ip6.arpa
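The notation rules on this slide, written out as a small parser. This is an added example, not part of the original presentation; the function names are illustrative. It expands a single "::", rejects a second one, and derives the ip6.arpa name, which gives one comparison key for the same address written in different ways in ACLs and logs.

```python
import string

HEX = set(string.hexdigits)

def expand_ipv6(text):
    """Return the eight 16-bit groups of an IPv6 address written in colon-hex.

    Embedded IPv4 tails and zone IDs (%eth0) are out of scope here.
    """
    if text.count("::") > 1:
        # a::b::c: no way to tell how many zero groups each '::' stands for
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = left + ["0"] * missing + right
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has exactly eight groups")
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError(f"bad group {g!r}")
    return [int(g, 16) for g in groups]

def full_form(text):
    """Comparison key: lowercase, zero-padded, no '::'."""
    return ":".join(f"{v:04x}" for v in expand_ipv6(text))

def reverse_name(text):
    """ip6.arpa name: all 32 nibbles, last first, dot-separated."""
    nibbles = "".join(f"{v:04x}" for v in expand_ipv6(text))
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

if __name__ == "__main__":
    print(full_form("2001:67c:20c8:aa00::20"))
    print(reverse_name("2a00:1188:5:2:207:e9ff:fe24:cf71"))
```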


IPv4 versus IPv6 header format


IPv6 Internals by Iljitsch van Beijnum Network protocol specialist


The future of IPv4

» First IPv4 and then IPv6; whatever happened to IPv5?
» Will IPv4 ever go away?

Coexistence


How to get there?

» It’s a ‘journey’
  – An iterative step-by-step approach
  – Have a sound strategy and implementation plan

» Critical success factor: awareness and training
» Involvement of all stakeholders
» Involvement of vendors and suppliers

‘Try before you die’


The Mission Critical ecosystem


What can we do - Implementation scenarios

» Dual stack (‘bilingual’) is preferred

» Any NAT implementation e.g. CGN or NAT64 has disadvantages
  – It breaks the end-to-end principle
  – It has significant security, scalability, and reliability problems, by virtue of being stateful
  – CGN makes it impossible to host services on well known ports


Implementation scenario one

» Do nothing
  – Single stack IPv4
  – Actively disabling the IPv6 stack
  – Changing landscape: isolation
  – Losing the competitive advantage


Implementation scenario two

» NAT64
  – Dual stack on perimeter


Implementation scenario three

» Dual stack
  – IPv4 and IPv6 hybrid


Implementation scenario four

» NAT46
  – IPv6 centric with IPv4 ‘legacy’ entry point


Implementation Scenarios

» Things to keep in mind: IPv4 versus IPv6:
  – ARP (broadcast) is obsoleted by RDP and NDP (multicast) in IPv6
  – IP address auto-configuration mechanisms (SLAAC)
  – With IPv6 first hop security becomes an additional point of attention
  – IPv4 private IP address space, just like NAT, does not exist anymore in IPv6

» The ‘waste’ paradigm shift: Think big! An IPv4 mindset doesn’t compute anymore
  – The smallest routable IPv6 subnet is /64…
  – 18,446,744,073,709,551,616 unique IPv6 addresses in one subnet

» IP address management is essential and automation is key

» Industry best practice for IP address space allocation:
  – /32 for any Service Provider and thus the Schuberg Philis prefix
  – /48 per customer environment
  – /64 per smallest subnet (VLAN)
  – /120 - /127 potentially for point-to-point links (on demand, implementation specific, not internet routable)
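The /32, /48, /64 and /127 hierarchy above, automated as a small address-plan helper. This is an added example, not from the original presentation. It assumes the documentation prefix 2001:db8::/32 in place of a real provider prefix, and the function names and the choice of /127 for links are illustrative.

```python
import ipaddress

# Assumption: 2001:db8::/32 (documentation range) stands in for the provider /32.
PROVIDER = ipaddress.ip_network("2001:db8::/32")

def nth_subnet(parent, new_prefix, index):
    """index-th subnet of length new_prefix inside parent, computed directly
    instead of enumerating up to 2^64 candidates."""
    bits = new_prefix - parent.prefixlen
    if bits < 0 or new_prefix > 128:
        raise ValueError("new prefix must not be shorter than the parent's")
    if not 0 <= index < (1 << bits):
        raise ValueError("index does not fit in the parent prefix")
    base = int(parent.network_address) + (index << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))

def customer_prefix(customer_id):
    """/48 per customer environment."""
    return nth_subnet(PROVIDER, 48, customer_id)

def vlan_prefix(customer_id, vlan_id):
    """/64 per smallest subnet (VLAN)."""
    return nth_subnet(customer_prefix(customer_id), 64, vlan_id)

def p2p_link(customer_id, vlan_id, link_id):
    """/127 for a point-to-point link, carved from a /64 set aside for links."""
    return nth_subnet(vlan_prefix(customer_id, vlan_id), 127, link_id)

def locate(address):
    """Map an address seen in a log or flow record back to (customer, VLAN)."""
    addr = ipaddress.ip_address(address)
    if addr.version != 6 or addr not in PROVIDER:
        raise ValueError("address is outside the provider prefix")
    offset = int(addr) - int(PROVIDER.network_address)
    return offset >> 80, (offset >> 64) & 0xFFFF

if __name__ == "__main__":
    print(customer_prefix(1), vlan_prefix(1, 0x20), p2p_link(1, 0xFFFF, 3))
    print(vlan_prefix(1, 0x20).num_addresses)  # addresses in one /64
    print(locate("2001:db8:1:20:207:e9ff:fe24:cf71"))
```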


IP address space allocation

» Provider Aggregatable
  – IP address allocation convention for service providers
  – Minimum size /32

» Provider Independent
  – IP address allocation for multihomed customers (most of our customers)
  – Minimum size /48


From a Schuberg Philis perspective

» The customer teams to address IPv6 with their customer
» Use this presentation or the White Paper as a starting point
» The IPv6 task force as an advisory board and facilitator for all customer teams

» V6 as a best practice: have an IPv6 implementation strategy as an option in every
  – new customer (green field)
  – refresh project
  – any additional infrastructure or external connection in existing customer environments


Tools

» White paper
» Presentation / workshop
» Campaign / marketing material
» IPv6 PoC environment in CORP-IT
» Office environment
» IPv6 World Launch Day on June 6th 2012: SBP participation
» The taskforce


IPv6 in practice

» IPv6 on Office LAN is already working

» www.cupfighter.net is v6 enabled

» SBP McInfra bastion, mx and dns are v6 enabled

» Next step:
  – Enable access to internal and public services


McInfra access

» VPN AnyConnect Client
» IPv6 via IPv4 VPN tunnel

McInfra bastion, far end of VPN tunnel

While at the same time IPv6 on the internet is reachable!


Customer specific discussion topics

» Challenges
» Impact analysis
» Strategy
» Roadmap


Q & A
