Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
• Why IPv6, Why Now
• Strategic Planning Steps
• IPv6 Design Considerations
• Conclusion
• Boomers are retiring, GenX is “tech savvy”, GenY is “tech dependent”
• 2016: GenY (the millennials, ages 18-34) becomes the largest workforce segment
• 43% of 18-24 year-olds say that texting is just as meaningful as a phone conversation – eMarketer
• 40% of GenY believe that blogging about workplace issues is acceptable – Iconoculture
• 24% of GenY say that technology use is what makes their generation unique – Pew Research
• 74% of GenY used a smartphone for work purposes in the last year, compared to 37% of Baby Boomers – CompTIA
Market Factors Driving IPv6 Adoption (diagram)
• IPv4 Address Depletion (2011)
• National IPv6 Strategies, STEM, Mandate
• Infrastructure Evolution: 4G, DOCSIS 3, 6598, CGN
• IPv6 OS, Content & Applications: preferred by apps & content
• RF Mesh (IEEE 802.15.4), PLC (IEEE 1901.2), LTE, Bluetooth LE, 6LoWPAN, RPL
• Early Adopters, from ~2001-2005 (6bone)
• Chasm, Refinement from 2005-2009 (Tunneling)
• Early Majority, Launch June 2012 (Transitioning)
Why IPv6, Why Now?
Mobile Provider Using IPv6 Only
(diagram: handset, carrier network and Internet; a legacy application on the handset uses CLAT (IPv4 to IPv6), the IPv6-only carrier network carries it to PLAT (IPv6 to IPv4) in the edge services, while an intelligent application uses IPv6 directly)
§ Legacy applications use embedded IPv4 literals in their code
§ RFC 6877 464XLAT “fixes” broken code for now
iOSv9 and IPv6
• As of iOS 9, all iPhone/iPad apps will support IPv6!
• Use the networking frameworks (e.g. “NSURLSession”)
• Avoid use of IPv4-specific APIs
• Avoid hard-coded IP addresses
“If your application doesn’t work properly with IPv6, it will simply not function on those networks, those carriers and for those customers.”
– Sebastien Marineau, VP Core OS
Architectural Model
Planning and coordination is required from many across the organization, including …
§ Network engineers & operators
§ Security engineers
§ Application developers
§ Desktop / Server engineers
§ Web hosting / content developers
§ Business development managers
§ …
§ Create a project team & plan
§ Identify business value, requirements & impacts
§ Assess equipment & applications for IPv6
§ Begin training & develop training plan
§ Develop the architectural solution
§ Obtain a prefix and build the address plan
§ Define an exception process for legacy systems
§ Update the security policy
§ Deploy IPv6 trials in the network
§ Test and monitor your deployment
IPv6 Planning Steps Outline
(org chart: Executive Sponsor; Project Manager (PM); team members drawn from across IT: Security, Server Admins, Desktop Support, Application Developers)
IPv6 Project Team
§ Create Executive Briefing
§ Assign key IT resources, Project Manager (PM)
§ Build the team
§ Document the process
  § Aligned to overall IT strategy
§ Develop timeline
§ Define measurable
§ Align to lifecycle management
  § Include IPv6 as part of upcoming projects
  § Vendor selection, RFPs, cloud, SDN, etc.
IPv6 Project Plan
§ The adoption of IPv6 worldwide provides a practically unlimited number of device addresses
§ Globalization requires communicating with customers and branch offices in regions that have only IPv6 accessibility
§ ARIN, the North American address authority, has exhausted its public IPv4 address allocation
§ As IPv6 is adopted worldwide, Public Internet resources will be transitioning to IPv6
§ Ability to provide IPv6 support to current and potential I-NET customers
Benefits of IPv6
§ “You don’t need a business case for IPv6. It’s a business continuity solution.” – IPspace.net
§ Communications with agencies and partners using IPv6 security framework
§ Our Internet providers and peers currently support IPv6
§ IPv6 features more efficient routing and improved data transmission speeds
§ Our network infrastructure is IPv6 ready
Benefits of IPv6 Cont.
§ Must be low-cost and low-risk
§ Must co-exist with existing IPv4 infrastructure
§ Must allow access to the public IPv4 Internet
§ Must be incrementally deployable
§ Must understand the cost of adding a new service
§ Must not impact existing services
§ Nobody should know the integration occurred
Requirements for any IPv6 Transition Strategy
§ A large volume of devices have to be readdressed
§ Security rules and functions have to be addressed (IPv6 maturity in security products)
§ Staff with technical knowledge of IPv6 are required
§ Possibility of attack, as attackers might have more expertise with IPv6 than an organization in the early stages of deployment
§ A good understanding of the addressing impact on hardware requirements is needed
§ Audit of any associated services and devices that may be impacted by the IPv6 transition
§ Difficulty in detecting and managing unknown or unauthorized IPv6 assets on existing IPv4 production networks
Challenges in migration from IPv4 to IPv6
§ A key and mandatory step to evaluate the impact of IPv6 integration
§ May be split in several phases
  § Infrastructure – networking devices and services systems
  § Applications, servers, storage, services, clients
  § Hardware type, memory size, interfaces, CPU load…
  § Software version, features enabled, license type…
  § Known limitations, best practices, etc…
§ Defined set of features per device’s category for a specific environment
§ Break down into “places in the network” for a more accurate assessment
  § Core, data center, Internet edge, WAN, wired access, wireless access
  § Cost analysis and time lines
Readiness Assessment
§ Core & Distribution
§ Access Layer
§ ISP
§ Applications
§ Host OSs
§ Security devices (FW, IPS, SEIM)
IPv6 Assessment Results
§ Pre-architecture deployment team training
  § Onsite
  § Online
  § Conference, Cisco Live, Task Force
§ Security team
§ Application developers
§ Expertise garnered by the initial deployment team is spread throughout the organization
  § Server admins, desktop support, operations
IPv6 Training Plan
§ PI vs. PA, spanning RIR geography
§ Infrastructure addressing
§ Dual Stack
§ Network, subnet planning
§ ULA vs. Global
§ Host assignment (SLAAC or DHCPv6)
§ Multi home, multi provider (BGP)
IPv6 Architectural Strategy
§ Do you support dual stack peering?
§ Do you have a separate SLA for IPv6?
§ Do you support BGP peering over IPv6?
§ Do you have a FULL IPV6 route table?
§ What is the maximum prefix length?
§ What is your PI policy?
§ What about DNS…
Checking in with the ISP
§ Similarities to IPv4
§ ICMPv6 (PTB, NA, NS)
§ Extension Headers
§ Bogons
§ BCP38, RFC2827
§ Access layer (Wired & Wireless)
Update to Security Policy
§ Internal phase
  § Core, Distribution
  § Access (Wired, Wireless)
  § WAN
  § Data Center
§ External phase
  § Carrier, provider capabilities
  § Web, Mail, DNS, SLB
  § Security (FW, IPS, Edge Router)
IPv6 Deployment Phases
§ Security Event Incident Management (SEIM)
§ NOC, network management tools
§ Configuration management database
§ Handheld Testing tools (LanDroid, IPv6 toolkit)
§ Wireshark
§ IPAM, DHCPv6, Radius logs
§ Server logs
Testing & Monitoring IPv6
(diagram: IPv6 adoption timeline – 2010 IPv6 in the laboratory, 2011 World IPv6 Day, 2012 World IPv6 Launch, 2013-2014 IPv6-Centric Networking, 2016 IPv6 at Scale; stages Preserve, Prepare, Prosper – IPv4-only core with NAT and 6 over 4 tunnels (6rd, L2TP…), dual-stack core with dual-stack and 4 over 6 (MAP, LW46…), IPv6-only segments with 464xlat and dual-stack)
(diagram: campus access, distribution and core layers with Data Center, WAN and Internet blocks)
Enterprise IPv6 Deployment Guidance
• Updated White Paper – Cisco.com
• Distilling RFC 7381
• No major change to 2/3 tier architecture
• Recommended allocations
  • Consumer, SMB: /56, /60, /64
  • Municipal Government, Enterprise, Single AS: /40, /44, /48
  • State Governments, Universities (LIR): /32, /36, /40
• Addressing plan, site count
  • IPv4 allocation, multi-homed ISP
  • 1 - 12 sites: a /44 assignment
  • 13 - 192 sites: a /40 assignment
  • 193 - 3,072 sites: a /36 assignment
  • 3,073 - 49,152 sites: a /32 assignment
Global Address Assignment
(diagram: IANA → Registries → ISP/Org → Level Four Entity/Subordinate. PA: IANA 2000::/3, registry /12, ISP /32, organization /48. PI: IANA 2000::/3, ARIN /12, organization /32 or /48, subordinate /48)
§ Methods
  § Follow IPv4 (/24 only), Organizational, Location, Function based
§ Hierarchy is key (a /48 example)
  § Bit twiddler’s dream (16-bit subnet strategy)
  § 4 or 8 bits = (16 or 256) Regions (states, counties, agencies, etc.)
  § 4 or 8 more bits = (16 or 256) Sub Levels within those Regions
  § 4 more bits = (16) Traffic Types (Admin, Guest, Telephony, Video, etc.)
§ Cisco IPv6 Addressing White Paper
  § http://www.cisco.com/go/IPv6
§ Monotonic (1000, 2000, 3000, etc.) vs. Sparse (0000, 4000, 8000, c000) allocation
Building the IPv6 Address Plan
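The /48 hierarchy above, as an added example (not code from the deck or from the Cisco white paper): a helper that composes /64s from region, sub-level and traffic-type fields, derives the per-region summary that hierarchical routing relies on, and contrasts monotonic with sparse top-level allocation. The site prefix 2001:db8:cafe::/48 and the traffic-type codes are constructed.

```python
import ipaddress
from typing import List

# Field widths for the 16-bit subnet ID under a /48, as in the deck's example:
# 4 bits region, 4 bits sub-level, 4 bits traffic type; the remaining 4 bits are a serial.
REGION_BITS, SUB_BITS, TYPE_BITS = 4, 4, 4
SERIAL_BITS = 16 - (REGION_BITS + SUB_BITS + TYPE_BITS)
TRAFFIC_TYPES = {"admin": 0x1, "guest": 0x2, "telephony": 0x3, "video": 0x4}  # constructed codes

def _check(name: str, value: int, bits: int) -> None:
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")

def subnet_for(site48: str, region: int, sub: int, ttype: str, serial: int = 0) -> ipaddress.IPv6Network:
    """Compose the /64 for (region, sub-level, traffic type, serial) under a /48 site prefix."""
    site = ipaddress.IPv6Network(site48)
    if site.prefixlen != 48:
        raise ValueError("the plan expects a /48 site prefix")
    _check("region", region, REGION_BITS)
    _check("sub", sub, SUB_BITS)
    _check("serial", serial, SERIAL_BITS)
    subnet_id = ((region << (SUB_BITS + TYPE_BITS + SERIAL_BITS))
                 | (sub << (TYPE_BITS + SERIAL_BITS))
                 | (TRAFFIC_TYPES[ttype] << SERIAL_BITS)
                 | serial)
    # The subnet ID occupies bits 64..79 of the 128-bit address (the fourth hextet).
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))

def region_summary(site48: str, region: int) -> ipaddress.IPv6Network:
    """The aggregate covering every subnet of one region: the /48 plus the region bits (/52 here)."""
    site = ipaddress.IPv6Network(site48)
    _check("region", region, REGION_BITS)
    shift = 128 - 48 - REGION_BITS
    return ipaddress.IPv6Network((int(site.network_address) | (region << shift), 48 + REGION_BITS))

def top_level_ids(count: int, sparse: bool) -> List[int]:
    """Monotonic allocation (0x1000, 0x2000, ...) vs. sparse allocation spread across the 16-bit field."""
    if not sparse:
        return [i << 12 for i in range(1, count + 1)]
    if count & (count - 1):
        raise ValueError("sparse allocation needs a power-of-two count")
    return [i * (0x10000 // count) for i in range(count)]
```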
Prefix Length Considerations
(diagram: WAN point-to-point /127; Core /64 or /127; Servers /64; Hosts /64; Loopback /128)
• Anywhere a host exists: /64
• Point to Point: /127; should not use all 0’s or 1’s in the host portion (nodes 1 & 2 are not in the same subnet)
• Loopback or Anycast: /128
• RFC 7421 – /64 is here
• RFC 6164 – /127 cache exhaust
§ Core-to-Access – Gain experience with v6
§ Turn up your servers – Enable the experience
§ Access-to-Core – Securing and monitoring
§ Internet Edge – Business continuity
Where do we start?
Dual Stack Mode
(diagram: IPv6/IPv4 dual-stack hosts in the access block (access and distribution layers) and dual-stack servers in the data center block (DC access and aggregation layers) joined by the core layer; the campus core connects to branch access over the WAN and to two ISPs at the Internet edge)
• Preferred Method, Versatile, Scalable and Highest Performance
• No Dependency on IPv4, runs in parallel on dedicated HW
• No tunneling, MTU, NAT or performance degrading technologies
• Does require IPv6 support on all devices
IPv4 & IPv6 Combined
• Should we use both on the same link at Layer 3?
• Separate links, possibly to collect protocol specific statistics
• Routing protocols OSPFv3, EIGRP combined or separate?
• Fate sharing between the data and control planes per protocol
(diagram: dual-stack links 2001:db8:1:1::/64 with 198.51.100.0/24 and 2001:db8:6:6::/64 with 192.168.4.0/24 toward the Internet, running OSPFv3 and EIGRP)
§ Link Local (fe80::/10) is required for any device with IPv6 enabled
§ At least 2 addresses per interface for global connectivity
§ Majority of access layer devices will have LL as their Default Gateway
Address, Which Address?
Host Addresses
  Ethernet: B8:E8:56:1A:2B:3C
  IPv6 Link Local: fe80::b8e8:56ff:fe1a:2b3c
  IPv6 Global: 2001:db8:1:46:a1b2:c:3:d4e5
  Default Gwy.: fe80::46:1
Router Addresses (DfGW)
  Ethernet: 02:00:0C:3A:8B:18
  IPv6 Link Local: fe80::46:1
  IPv6 Global: 2001:db8:1:46::1
  RA Prefix: 2001:db8:1:46::/64
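How the host's link-local and SLAAC addresses are derived from its MAC, as an added example (not code from the deck): the modified EUI-64 construction of RFC 4291 Appendix A, plus the reverse mapping that an operator uses when tracking SLAAC clients back to a MAC. Note that RFC 4291 inverts the universal/local bit, so the derived link-local for the host MAC above is fe80::bae8:56ff:fe1a:2b3c (first hextet bae8, not b8e8 as printed on the slide); the router's fe80::46:1 is manually configured and carries no MAC.

```python
import ipaddress
from typing import Optional

def modified_eui64_iid(mac: str) -> int:
    """64-bit interface ID from a 48-bit MAC per RFC 4291 App. A: insert ff:fe, invert the U/L bit."""
    octets = bytearray.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02                      # universal/local bit is bit 1 of the first octet
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address SLAAC would form from a /64 prefix and a MAC-derived interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64_iid(mac))

def link_local(mac: str) -> ipaddress.IPv6Address:
    return slaac_address("fe80::/64", mac)

def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC behind a modified-EUI-64 IID; None when the IID is not MAC-derived
    (manually configured, like the deck's fe80::46:1, or a privacy/random IID per RFC 4941/7217)."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                         # undo the U/L inversion
    return ":".join(f"{b:02x}" for b in mac)
```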
Infrastructure using Link Local Addressing
• Topology hiding: interfaces cannot be seen by off-link devices
• Reduces routing table prefix count, less configuration
• Need to use ULA or GUA for generating ICMPv6 messages
• What about DNS, traceroute, WAN connections, etc.?
• RFC 7404 – details pros and cons
(diagram: infrastructure links toward the WAN/MAN and the Internet addressed with FE80::/64 link-local only; ULA/GUA on the end segments)
Unique Local Address (ULA)
(diagram: corporate backbone and Branch 2 connected to the Internet; ULA space FD9C:58ED:7D73::/48 alongside global 2001:DB8:CAFE::/48; branch subnets FD9C:58ED:7D73:3000::/64 and 2001:DB8:CAFE:3000::/64)
• Automatic prefix generation (RFC 4193): non-sequential /48, avoids M&A challenges
• Need to use Global for troubleshooting beyond the internal network
• Caution with older OSs (RFC 3484) using ULA & IPv4
• Multiple policies to maintain (ACL, QoS, Routing, etc.)
• NAT allows for the client/server model, difficult to deploy peer-to-peer
• UDP/TCP only, ALGs & protocol fixups; what about SCTP & DCCP?
• IETF does NOT recommend the use of NAT66 w/IPv6
• NAT ≠ Firewall – RFC 4864 (Local Network Protection)
• Wait, who did what? – RFC 6269 (Issues with IP address sharing)
To NAT or NOT
(diagram: Firewall+NAT between the site and the Internet)
Dual Stack Host OS Decisions
(diagram: a dual-stack host resolves www at the DNS server and has both an IPv4 path to 192.168.0.3 and an IPv6 path to 2001:db8:1::1)
www IN A 192.168.0.3
www IN AAAA 2001:db8:1::1
• In a dual stack case, an application can:
  • Query DNS for IPv4 and/or IPv6 records
  • Parallel connection requests vs. serial
• Give IPv6 a 300 ms head start – RFC 6555 (Happy Eyeballs)
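The RFC 6555 head-start rule, as an added simulation (not code from the deck): IPv6 is attempted first, IPv4 is started only once the head start has elapsed without an IPv6 result, and the first family to connect wins while the other attempt is cancelled. The connect attempts are stand-ins that just sleep (or fail when given None), so what runs here is only the decision logic an application has to get right.

```python
import asyncio
from typing import Optional

HEAD_START = 0.3   # seconds: the IPv6 head start RFC 6555 suggests before trying IPv4

async def _connect(family: str, latency: Optional[float]) -> str:
    """Stand-in for a real connect(): succeeds after `latency` seconds, fails when latency is None."""
    if latency is None:
        raise ConnectionRefusedError(f"{family}: connect failed")
    await asyncio.sleep(latency)
    return family

async def happy_eyeballs(v6_latency: Optional[float], v4_latency: Optional[float],
                         head_start: float = HEAD_START) -> str:
    """Try IPv6 first; if it has neither succeeded nor failed within head_start, race IPv4 against it."""
    v6 = asyncio.ensure_future(_connect("IPv6", v6_latency))
    try:
        return await asyncio.wait_for(asyncio.shield(v6), head_start)   # IPv6 won inside the head start
    except asyncio.TimeoutError:
        pass                                                            # still pending: keep it running
    except OSError:
        v6 = None                                                       # IPv6 failed fast: fall back now
    v4 = asyncio.ensure_future(_connect("IPv4", v4_latency))
    pending = {t for t in (v6, v4) if t is not None}
    while pending:
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for other in pending:
                    other.cancel()                                      # the loser is abandoned
                return task.result()
    raise ConnectionError("both address families failed")

def connect(v6_latency: Optional[float], v4_latency: Optional[float],
            head_start: float = HEAD_START) -> str:
    """Synchronous wrapper; returns which family carried the connection."""
    return asyncio.run(happy_eyeballs(v6_latency, v4_latency, head_start))
```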
§ PA or PI from each region you operate in
§ Coordination of advertised space within each RIR; policy will vary
§ Most run PI from primary region
Multi-national Model
§ How about both? Reality for the foreseeable future
§ SLAAC address tracking: Radius Accounting, Syslog, CAM table scrapes
  § Microsoft won’t support RDNSS in RAs
§ DHCPv6 challenges: MAC address for reservations, inventory, tracking
  § Android doesn’t support DHCPv6
§ Understand the implications of switching methods
  § Inconsistent amongst the OSs
Client Provisioning DHCPv6 & SLAAC
(diagram: clients A, B and C on a switch running IPv6 snooping, with a DHCPv6 server and the Internet upstream)
IPv6 First Hop Security (FHS)
Core Features
• RA Guard – protection: rogue or malicious RA, MiM attacks
• DHCPv6 Guard – protection: invalid DHCP offers, DoS attacks, MiM attacks
Advanced Features
• Source/Prefix Guard – protection: invalid source address, invalid prefix, source address spoofing
• Destination Guard – protection: DoS attacks, scanning, invalid destination address
Scalability & Performance
• RA Throttler – reduces control traffic necessary for proper link operations to improve performance
• ND Multicast Suppress – facilitates scale by converting multicast traffic to unicast
Routing Considerations
• Enable IPv6 routing: “ipv6 unicast-routing”
• IPv6 next hop: link local addresses
• Router ID: unique 32-bit number that identifies the router
• Applied to link
• Addressing considerations
• Hierarchical summarization
(section tabs: Management, Routing, Switching, Services)
Translation Techniques
(diagram: three ways to reach IPv4 servers from the IPv6 Internet, with the labels as shown)
• Server Load Balancer – application support
• Stateful NAT64 – client visibility
• Proxy – SW = poor performance
Internet Edge to ISP Dual Links
(diagram: Small Enterprise – single link, single ISP (ISP 1), default route ::/0; Medium Enterprise – dual provider (ISP1, ISP2) with NPTv6 or LISP; Large Enterprise – multi-homed, multi-prefix across ISP 1 to ISP4 with BGP or LISP)
§ Address range: source of 2000::/3 at minimum vs. “any”; permit assigned space
  § Bogon filtering, anti-spoofing
§ ICMPv6: error types through, NDP to the device; RFC 4890
§ Extension headers: allow fragmentation, others as needed; block HBH & RH type 0
§ IPv6 ACLs: “ipv6 traffic-filter” applies an ACL to an interface; 3 implicit lines at the end of the ACL
Securing the Internet Edge
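The edge policy on this slide, modelled as an added example (not Cisco code): a small first-match evaluator that applies the slide's rules and then the three entries IOS appends implicitly to every IPv6 ACL (permit nd-na, permit nd-ns, deny any), which is why neighbor discovery still works after the "deny". The site prefix 2001:db8:cafe::/48 and the sample packets are constructed; the Packet model carries only the fields the rules look at.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ANY, GLOBAL = ipaddress.IPv6Network("::/0"), ipaddress.IPv6Network("2000::/3")
OUR = ipaddress.IPv6Network("2001:db8:cafe::/48")   # constructed: the site's own assigned space
HBH, ROUTING, TCP = 0, 43, 6                         # IANA next-header numbers used below
ICMP_ERRORS = (1, 2, 3, 4)                           # RFC 4890: unreachable, PTB, time exceeded, param problem
NS, NA = 135, 136                                    # NDP neighbor solicitation / advertisement
@dataclass
class Packet:
    src: str
    dst: str
    headers: List[int] = field(default_factory=list)  # next-header chain, e.g. [44, 6] = fragment, then TCP
    rh_type: Optional[int] = None                     # routing header type when 43 is in the chain
    icmp_type: Optional[int] = None                   # ICMPv6 type when 58 is in the chain
@dataclass
class Ace:
    action: str                                       # "permit" or "deny"; wildcard fields are None / empty
    src: ipaddress.IPv6Network = ANY
    dst: ipaddress.IPv6Network = ANY
    header: Optional[int] = None
    rh_type: Optional[int] = None
    icmp_types: tuple = ()

    def matches(self, p: Packet) -> bool:
        if ipaddress.IPv6Address(p.src) not in self.src or ipaddress.IPv6Address(p.dst) not in self.dst:
            return False
        if self.header is not None and self.header not in p.headers:
            return False
        if self.rh_type is not None and p.rh_type != self.rh_type:
            return False
        return not self.icmp_types or p.icmp_type in self.icmp_types

# The three entries IOS appends implicitly to every IPv6 ACL, in this order.
IMPLICIT_TAIL = [Ace("permit", icmp_types=(NA,)), Ace("permit", icmp_types=(NS,)), Ace("deny")]
# Constructed inbound policy for the Internet edge, following the slide's bullets;
# on IOS it would be bound with "ipv6 traffic-filter <name> in" on the outside interface.
EDGE_IN = [
    Ace("deny", src=OUR),                               # anti-spoofing: our space never arrives from outside
    Ace("deny", header=HBH),                            # block hop-by-hop options
    Ace("deny", header=ROUTING, rh_type=0),             # block routing header type 0
    Ace("permit", src=GLOBAL, icmp_types=ICMP_ERRORS),  # ICMPv6 errors transit (PMTUD needs Packet Too Big)
    Ace("permit", src=GLOBAL, dst=OUR, header=TCP),     # sources from 2000::/3, not "any"; fragments still pass
]

def evaluate(acl: List[Ace], p: Packet) -> str:
    """First-match evaluation including the implicit tail; returns "permit" or "deny"."""
    for ace in acl + IMPLICIT_TAIL:
        if ace.matches(p):
            return ace.action
    return "deny"
```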
Cisco IPv6 Services
A Phased-Plan Approach for Successful IPv6 Adoption
IPv6 Assessment Service – Determine how your network needs to change to support your IPv6 strategy
IPv6 Discovery Service – Guidance in the early stages of considering a transition to IPv6
IPv6 Planning and Design Service – Designs, transition strategy, and support to enable a smooth migration
IPv6 Implementation Service – Validation testing and implementation consulting services
Network Optimization Service – Absorb, manage, and scale IPv6 in your environment
§ Gain operational experience now
§ IPv6 is already here and running well
§ Control IPv6 traffic as you would IPv4
§ “Poke” your providers
§ Lead your OT/LOBs into the Internet
Key Takeaways