Objectives
After this session, you should be able to:
• Get an idea about IPv6 addresses
• Understand the value of an IPv6 address plan
• Plan how you will assign IPv6 subnets
• Estimate the IPv6 addressing needs of your network
• Subnet an IPv6 prefix
bdNOG 3, Dhaka, Bangladesh [email protected] 2
Why We Need an IPv6 Address Plan?
• Routing tables can be smaller and more efficient
• Security policies can be easier to implement
• Application policies can be implemented
• Network management/provisioning can be easier
• Troubleshooting can be easier, particularly with visual identification
• Easier scaling as more devices or locations are added

Philosophy Change
IPv4
• Conserve (Limited address space)
• How many addresses do I need?
IPv6
• Aggregate (Huge address space)
• How many subnets do I need?

IPv6 Address Distribution
[Figure: address distribution hierarchy IANA → RIR → LIR → Org., with prefix labels /3, /12, /32, and /48, /48, /60]

Assignments to customers
• How many subnets do I give my customers?
  • /64 (1 subnet)
  • /60 (16 subnets)
  • /56 (256 subnets)
  • /52 (4096 subnets)
  • /48 (65536 subnets)

Default Allocation size = /32
• How many assignments can I make?
  • 4 billion /64's
  • 268 million /60's
  • 17 million /56's
  • 1 million /52's
  • 65536 /48's

Subnetting
• Why do we do subnetting?
  • IPv4: Conserve address space
  • IPv6: planning and optimization for routing and security
• Subnets vs hosts – number of hosts irrelevant in IPv6
  • There will rarely be a need to expand a /64 subnet (2^64 hosts)
  • 2^64 = 18,446,744,073,709,551,616 hosts

IPv6 Prefix
2001:db8:2468:1c5:23a7:1357:331c:a5b
[Figure: boundaries marked on the address at /16, /32 and /48, with the last 64 bits labelled Host (/64)]

A Typical Host Address
2001:db8:2468:1c5:23a7:1357:331c:a5b
Prefix (/64): 2001:db8:2468:1c5 | Host (/64): 23a7:1357:331c:a5b

/32 Prefix
2001:db8:1234:5678:23a7:2e19:331c:a5b
Prefix (/32): 2001:db8 | Subnet (32 Bits): 1234:5678 | Host (/64): 23a7:2e19:331c:a5b

/48 Prefix
2001:db8:1234:5678:23a7:2e91:331c:a5b
Prefix (/48): 2001:db8:1234 | Subnet (16 Bits): 5678 | Host (/64): 23a7:2e91:331c:a5b

Common Subnet Prefixes
2001:db8:1234:5678:23a7:2e91:331c:a5b
• Prefix (/52), Subnet (12 Bits)
• Prefix (/56), Subnet (8 Bits)
• Prefix (/60), Subnet (4 Bits)

"Nibbles" Boundaries
• A "nibble" is one hexadecimal digit (or 4 bits)
• You don't have to subnet based on nibbles. You can use other prefixes, ex. /49, /51, /55 etc.
• But it is MUCH easier to identify addresses if you do
Hex: 1234
Binary: 0001001000110100

If /x is a multiple of 4
[Figure: 2001:0db8:1234:0000:0000:0000:0000:0000 with /48 marked, hex digits shown above their bits]
• 48 fixed bits, 80 freely variable bits
• 12 fixed hex digits, 20 hex digits can take any values

If /x is NOT a multiple of 4
[Figure: 2001:0db8:1234:8000:0000:0000:0000:0000 with /50 marked, hex digits shown above their bits]
• 50 fixed bits, 78 freely variable bits
• 12 fixed hex digits
• 1 hex digit can only take certain values! example: 8, 9, a or b
• 19 hex digits can take any values

Only certain hex values possible
[Figure: the hex digit 8 written as bits 1 0 0 0, split into fixed bits and variable bits]
• 1000 = 8
• 1001 = 9
• 1010 = a
• 1011 = b
8, 9, a or b only!

Subnet at Nibble Boundaries
Prefix (/48), Subnet (16 Bits)
• 2001:db8:1234:1000::/56
• 2001:db8:1234:1100::/56
• 2001:db8:1234:1200::/56
• ......
• 2001:db8:1234:1f00::/56

Subnet not at Nibble Boundaries
Prefix (/50), Subnet (14 Bits)
• 2001:db8:0001:8000::/50
• 2001:db8:1234:9000::/50
• 2001:db8:1234:a000::/50
• 2001:db8:1234:b000::/50

“Easy” & “complicated” ranges
• 2001:db8:7::/48
  • 2001:db8:7:xxxx:xxxx:xxxx:xxxx:xxxx
• 2001:db8:7:8000::/50
  • 2001:db8:7:8xxx:xxxx:xxxx:xxxx:xxxx
  • 2001:db8:7:9xxx:xxxx:xxxx:xxxx:xxxx
  • 2001:db8:7:axxx:xxxx:xxxx:xxxx:xxxx
  • 2001:db8:7:bxxx:xxxx:xxxx:xxxx:xxxx

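The nibble-boundary rule above, as an added example that is not part of the original slides: a Python helper built on the standard `ipaddress` module that shows which hex digits a prefix fixes, so an ACL entry or log line can be matched by eye. The function name `hex_patterns` is hypothetical; the two prefixes are the ones from the slide.

```python
import ipaddress

def hex_patterns(prefix):
    """Return the 'x' patterns that cover `prefix` (illustrative helper).

    A prefix on a nibble boundary yields exactly one pattern; any other
    prefix yields 2, 4 or 8 patterns that differ in a single hex digit.
    """
    net = ipaddress.IPv6Network(prefix)      # raises if host bits are set
    fixed_digits, extra_bits = divmod(net.prefixlen, 4)
    digits = net.network_address.exploded.replace(":", "")  # 32 hex digits
    heads = [digits[:fixed_digits]]
    if extra_bits:
        # The next digit is only partly fixed: list every value it can take.
        first = int(digits[fixed_digits], 16)
        heads = [heads[0] + format(first + i, "x")
                 for i in range(1 << (4 - extra_bits))]
    patterns = []
    for head in heads:
        padded = head.ljust(32, "x")         # free digits are shown as 'x'
        patterns.append(":".join(padded[i:i + 4] for i in range(0, 32, 4)))
    return patterns

if __name__ == "__main__":
    for p in ("2001:db8:7::/48", "2001:db8:7:8000::/50"):
        print(p)
        for pattern in hex_patterns(p):
            print("   ", pattern)
```
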
Key Point: Focus on the 16 bits (4 Nibbles)
2001:db8:1234:5678:23a7:2e91:331c:a5b
Prefix (/48): 2001:db8:1234 | Subnet (16 Bits): 5678 | Host (/64): 23a7:2e91:331c:a5b

Next Step: Plan Your Subnet Scheme
• Multiple ways to use the 4 nibbles (assuming a /48)
• Plan nibbles by:
  • Region and site
  • Location
  • Use type (ex. employees, students, guests)
  • Business units
  • Applications (ex. data, voice, video)
  • Combinations of some of the above
• THERE IS NO SINGLE RIGHT ANSWER!
  • Will depend upon your site and your objectives

Planning Considerations
• Do you want to optimize for your security policies?
  • Do you want to make it easy for firewalls to filter based on… location? user type? applications?
• Do you want to optimize for router policies and performance?
  • Do you want to have the smallest and most efficient routing table possible?
• Do you have a higher or lower quantity of certain types of objects?
  • For example, do you only have 2 locations but 20 types of applications?

Example: ISP with /32 Prefix (I)
• Parent Block: 2402:f500::/32
• Starting with Location (Region/Division):
  • Dhaka 2402:f500:1000::/36
  • Chittagong 2402:f500:2000::/36
  • Khulna 2402:f500:3000::/36
  • Rajshahi 2402:f500:4000::/36
  • Sylhet 2402:f500:5000::/36
  • Barisal 2402:f500:6000::/36
  • So on and so forth…

Example: ISP with /32 Prefix (II)
• Then the PoP (Region – Distribution PoP):
  • Dhaka - UGC 2402:f500:1000::/40
  • Dhaka - BUET 2402:f500:1100::/40
  • Dhaka - NSU 2402:f500:1200::/40
  • Dhaka - NU 2402:f500:1300::/40
  • So on and so forth…
• Then the Site (Region – Distribution PoP – Edge Router):
  • Dhaka – BUET – BUET 2402:f500:1100::/44
  • Dhaka – BUET – DU 2402:f500:1110::/44
  • Dhaka – BUET – BSMMU 2402:f500:1120::/44
  • Dhaka – BUET – JNU 2402:f500:1130::/44
  • So on and so forth…

Example: ISP with /32 Prefix (III)
• Infrastructure and Customer Assignment: /48
  • Infrastructure 2402:f500:1110::/48
  • Customer 1 2402:f500:1111::/48
  • Customer 2 2402:f500:1112::/48
  • Customer 3 2402:f500:1113::/48
  • Customer 4 2402:f500:1114::/48
  • So on and so forth

Example #1: Location and Use Type
2001:db8:1234:5678:23a7:2e91:331c:a5b
Prefix (/48), Subnet (16 Bits)
Location (16):
• Building 1
• Building 2
• Building 3
Use Type (16):
• Employees
• Servers
• Infrastructure
Individual Networks (256):
• LAN
• Interface

Example #2: Locations (many) and Use Type
2001:db8:1234:5678:23a7:2e91:331c:a5b
Prefix (/48), Subnet (16 Bits)
Location (256):
• Building 1
• Building 2
• Building 3
Use Type (16):
• Employees
• Servers
• Infrastructure
Individual Networks (16):
• LAN
• Interface

Example #3 – Business Units First (I)
• Start by allocating based on business units:
  • Corporate: 2001:db8:1a:0000::/52
  • Finance: 2001:db8:1a:1000::/52
  • Marketing: 2001:db8:1a:2000::/52
  • Engineering: 2001:db8:1a:3000::/52
  • Customer Support: 2001:db8:1a:4000::/52
• Then allocate on applications (here for one unit):
  • Engineering - Data: 2001:db8:1a:3000::/56
  • Engineering - Voice: 2001:db8:1a:3200::/56
  • Engineering - Video: 2001:db8:1a:3400::/56
  • Engineering - Wireless: 2001:db8:1a:3800::/56
  • Engineering - Management: 2001:db8:1a:3c00::/56

Example #3 – Business Units First (II)
• Next allocate based on region (here for "Data"):
  • Engineering - Data – Eastern region: 2001:db8:1a:3000::/60
  • Engineering - Data – Northern region: 2001:db8:1a:3080::/60
  • Engineering - Data – Western region: 2001:db8:1a:3040::/60
  • Engineering - Data – Southern region: 2001:db8:1a:30c0::/60
• Then allocate on individual sites:
  • Engineering - Data - Northern region - Site 0: 2001:db8:1a:3080::/64
  • Engineering - Data - Northern region - Site 1: 2001:db8:1a:3081::/64
  • Engineering - Data - Northern region - Site 2: 2001:db8:1a:3082::/64

Example #4 – Applications First (I)
• Start by allocating based on applications:
  • Data: 2001:db8:1a:0000::/52
  • Voice: 2001:db8:1a:8000::/52
  • Video: 2001:db8:1a:4000::/52
  • Wireless: 2001:db8:1a:c000::/52
  • Management: 2001:db8:1a:2000::/52
• Then allocate on regions (here for one unit):
  • Voice – Eastern region: 2001:db8:1a:8000::/56
  • Voice – Northern region: 2001:db8:1a:8800::/56
  • Voice – Western region: 2001:db8:1a:8400::/56
  • Voice – Southern region: 2001:db8:1a:8c00::/56

Example #4 – Applications First (II)
• Next allocate based on business unit:
  • Voice – Southern region – Corporate: 2001:db8:1a:8c00::/60
  • Voice – Southern region – Finance: 2001:db8:1a:8c10::/60
  • Voice – Southern region – Marketing: 2001:db8:1a:8c20::/60
  • Voice – Southern region – Engineering: 2001:db8:1a:8c30::/60
  • Voice – Southern region – Cust Support: 2001:db8:1a:8c40::/60
• Then finally on individual sites:
  • Voice – Southern – Marketing – Site 1: 2001:db8:1a:8c2a::/64
  • Voice – Southern – Marketing – Site 2: 2001:db8:1a:8c29::/64
  • Voice – Southern – Marketing – Site 3: 2001:db8:1a:8c2e::/64

Make an addressing plan (I)
• Number of hosts is irrelevant
• Multiple /48s per PoP can be used
• Separate blocks for infrastructure and customers
• /64 for all subnets
  • autoconfiguration works
  • fewer typing errors because of simplicity

Make an addressing plan (II)
• Routers:
  • Give all routers the same size block (Typically /56 or /52)
  • Minimum: One /64 per interface
  • Allow for more interfaces in future
• VLAN Numbers
  • Organization may already have location/type planned into VLANs

Make an addressing plan (III)
• Use one /64 block (per site) for loopbacks
  • One /128 per device
• Point-to-Point Connections
  • Reserve a /64, assign a /127

Subnet Numbering: Planning For Growth
• Multiple ways for numbering individual subnets:
  • Numerical (monotonic) – just increment by 1:
    • 2001:db8:1234:0000::/64
    • 2001:db8:1234:1000::/64
    • 2001:db8:1234:2000::/64
  • Sparse allocation (RFC 3531)
    • 2001:db8:1234:0000::/64
    • 2001:db8:1234:8000::/64
    • 2001:db8:1234:4000::/64
  • Random allocation
    • Randomly choose numbers

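Why the sparse order 0000, 8000, 4000 plans for growth, as an added example that is not part of the original slides: the code numbers subnets in leftmost-bit (bit-reversed) order, as in RFC 3531, and compares how far each subnet can later be widened against plain increment-by-1 numbering. All function names are hypothetical; the parent is the documentation prefix used on the slide.

```python
import ipaddress
from itertools import islice

def reverse_bits(value, width):
    """Mirror the low `width` bits of `value` (1 becomes 100...0)."""
    out = 0
    for _ in range(width):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out

def sparse_subnets(parent, new_prefix, count):
    """First `count` subnets of `parent` in leftmost-bit (sparse) order."""
    net = ipaddress.IPv6Network(parent)
    width = new_prefix - net.prefixlen
    if width <= 0 or count > (1 << width):
        raise ValueError("new_prefix too short or count too large for parent")
    base, shift = int(net.network_address), 128 - new_prefix
    return [ipaddress.IPv6Network((base | (reverse_bits(i, width) << shift),
                                   new_prefix))
            for i in range(count)]

def monotonic_subnets(parent, new_prefix, count):
    """First `count` subnets of `parent`, incrementing by 1."""
    net = ipaddress.IPv6Network(parent)
    return list(islice(net.subnets(new_prefix=new_prefix), count))

def growth_room(subnet, allocated, parent):
    """Widest block `subnet` can grow into without touching another allocation."""
    limit = ipaddress.IPv6Network(parent).prefixlen
    best = subnet
    while best.prefixlen > limit:
        wider = best.supernet()
        if any(o != subnet and o.overlaps(wider) for o in allocated):
            break
        best = wider
    return best

if __name__ == "__main__":
    parent = "2001:db8:1234::/48"
    for name, plan in (("sparse", sparse_subnets(parent, 64, 4)),
                       ("monotonic", monotonic_subnets(parent, 64, 4))):
        for s in plan:
            print(f"{name:9} {s} can grow to {growth_room(s, plan, parent)}")
```
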
Calculating Requirement of Subnet
• Determine primary factor you want to use
  • Ex. location
• Determine number of needed groups
  • Ex. 15 locations, 2 administrative groups, 5 future = 22 total
• Round up to nearest nibble
  • Ex. 22 would fit within 2 nibbles (256 values)
• Decide what to do with remaining nibbles (if any)
  • Continue subnetting with a secondary factor
  • Don't subdivide and just have large subnets

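The steps above carried through in code, as an added example that is not part of the original slides: each factor is rounded up to whole nibbles, and the leading field values are then turned into one prefix, which is what a firewall rule or route summary would match. Function names and the secondary "use_type" factor with 3 groups are assumptions; the 22 locations and the Region/PoP/Client sizes come from the slides.

```python
import ipaddress

def nibbles_needed(groups):
    """Hex digits needed to number `groups` values, rounded up to a nibble."""
    n = 1
    while 16 ** n < groups:
        n += 1
    return n

def layout(parent, fields):
    """Give each (name, group_count) field its nibbles, left to right.

    Returns (plan, spare) where spare is the number of nibbles left
    before the /64 boundary.
    """
    net = ipaddress.IPv6Network(parent)
    if net.prefixlen % 4:
        raise ValueError("parent prefix is not on a nibble boundary")
    plan = [(name, nibbles_needed(groups)) for name, groups in fields]
    spare = (64 - net.prefixlen) // 4 - sum(n for _, n in plan)
    if spare < 0:
        raise ValueError("fields need more nibbles than are left before /64")
    return plan, spare

def prefix_for(parent, plan, values):
    """Prefix covering the given leading field values.

    Passing fewer values than fields returns the wider, aggregate prefix.
    """
    net = ipaddress.IPv6Network(parent)
    addr, length = int(net.network_address), net.prefixlen
    for (name, n), value in zip(plan, values):
        if not 0 <= value < 16 ** n:
            raise ValueError(f"{name}={value} does not fit in {n} nibble(s)")
        length += 4 * n
        addr |= value << (128 - length)
    return ipaddress.IPv6Network((addr, length))

if __name__ == "__main__":
    site = "2001:db8:1234::/48"
    plan, spare = layout(site, [("location", 22), ("use_type", 3)])
    print(plan, "spare nibbles:", spare)
    print("everything at location 0x0a:", prefix_for(site, plan, [0x0A]))
    print("location 0x0a, use type 2:  ", prefix_for(site, plan, [0x0A, 2]))
    isp = "2402:f500::/32"
    isp_plan, _ = layout(isp, [("region", 16), ("pop", 16), ("client", 256)])
    print("region 1, PoP 2, client 02: ", prefix_for(isp, isp_plan, [1, 2, 2]))
```
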
Servers
• For servers you want manual configuration
• Use port numbers for addresses
  - DNS Server: 2001:db8:1234:5678::53
  - Web Server: 2001:db8:1234:5678::80
  - POP Server: 2001:db8:1234:5678::110
  - etc…

Customer assignments
• Give your customers enough addresses
  • Up to a /48
  • Register every assignment in the APNIC whois database
• Customers and their /48
  • Customers have no idea how to handle 65536 subnets!
  • Give them information

IPv6 Address Management
• Your Excel sheet might not scale
  • There are 65,536 /48s in a /32
  • There are 65,536 /64s in a /48
  • There are 16,777,216 /56s in a /32
• Find a suitable IPAM solution
  • Free: GestióIP, NIPAP, TeamIp, phpIPAM, NOC Project, NetDot, HaCi, IPplan, 6Connect, Infoblox
  • Commercial: Infoblox, BlueCat, SolarWinds, Crypton, BTDiamondIP, Incognito, EfficientIP, Men and Mice

IPv6 Address (2402:F500::/32)
[Figure: 2402 F500 0000 0000 followed by Host (/64); labels: Subnet (32 Bits), Subnet (16 Bits)]

Subnet Plan (/48)
[Figure: 2402 F500 0000 0000 followed by Host (/64)]
Region (16):
• Dhaka: 1
• Chittagong: 2
• Khulna: 3
• So on…
PoP (16):
• UGC: 1
• BUET: 2
• NU: 3
• So on…
Client (256):
• SBAU: 1
• JU: 2
• BUTex: 3
• So on…

Client Assignment (/48)
[Figure: 2402 F500 1202, marked /48]
Region (16) – Distribution PoP (16) – Edge Router (256)
Dhaka – BUET – DU

Client Assignment

| Region | Distribution PoP | Client Assignment |
|---|---|---|
| Dhaka (2402:F500:1000::/36) | UGC (2402:F500:1000::/40) | BdREN 2402:F500:1000::/48 |
| | | SAU 2402:F500:1002::/48 |
| | | JU 2402:F500:1004::/48 |
| | | BUTex 2402:F500:1006::/48 |
| | BUET (2402:F500:1100::/40) | BUET 2402:F500:1100::/48 |
| | | DU 2402:F500:1102::/48 |
| | | BSMMU 2402:F500:1104::/48 |
| | | JNU 2402:F500:1106::/48 |
| | | BUP 2402:F500:1108::/48 |
| | NU (2402:F500:1200::/40) | NU 2402:F500:1200::/48 |
| | | BOU 2402:F500:1202::/48 |
| | | DUET 2402:F500:1204::/48 |
| | | BSMRAU 2402:F500:1206::/48 |

Facts and Challenges
Facts:
• BdREN is a green field
• All the equipment is brand new and supports IPv6
• BdREN has limited IPv4 addresses
• Does not deal with CPEs, less hassle
• No DHCPv6 or NAT64 issues
Challenges:
• Lack of expertise in IPv6 address planning
• Trials and errors
• Dual stack from day 1

IPv6 Address (2402:F500:1004::/48)
[Figure: 2402 F500 1004 0000 followed by Host (/64); label: Subnet (16 Bits)]

Subnet Plan (/64)
[Figure: 2402 F500 1004 0000 followed by Host (/64)]
Service (16):
• Data: 1
• Voice: 2
• Wi-Fi: 3
• So on…
Dept. (256):
• Physics: 1
• Math: 2
• MMH Hall: 3
• So on…
Site (16):
• Building: 1
• Building: 2
• Building: 3
• So on…

Subnet Plan (/64)
[Figure: 2402 F500 1004 0105 followed by Host (/64)]
Service (16) – Department (256) – Building (16)
Data – Physics – Building 1

Address Plan: Before

| Description | Summary | IPv6 Address | VLAN |
|---|---|---|---|
| Physics Building | 10.1.0.0/16 | | 10 |
| Chemistry Building | 10.2.0.0/16 | | 20 |
| Admin Building | 10.3.0.0/16 | | 30 |
| … | … | … | … |

• IPv4 only without proper plan
• Wi-Fi was provided with stand-alone Wireless Router with DHCP
• Mostly manual addressing, no DHCP for wired users

Address Plan: After

| Category | Description | Summary | IPv6 Address | VLAN |
|---|---|---|---|---|
| Infrastructure | | 192.168.0.0/16 | 2402:F500:1004:0000::/52 | |
| | Loopback | 192.168.10.0/24 | 2402:F500:1004:0000::/60 | |
| | Point to point | 192.168.20.0/24 | 2402:F500:1004:0010::/60 | |
| | Remote Access | 192.168.30.0/24 | 2402:F500:1004:0020::/60 | 100 |
| | … | … | … | … |
| Service | | 10.0.0.0/8 | 2402:F500:1004:1000::/52 | |
| | Wired User | 10.10.0.0/16 | 2402:F500:1004:1100::/56 | 10 |
| | Wireless User | 10.20.0.0/16 | 2402:F500:1004:1200::/56 | 20 |
| | Voice | 10.30.0.0/16 | 2402:F500:1004:1300::/56 | 30 |
| | Server Farm | 10.40.0.0/16 | 2402:F500:1004:1400::/56 | 40 |
| | Surveillance | 10.50.0.0/16 | 2402:F500:1004:1500::/56 | 50 |
| | Facility | 10.60.0.0/16 | 2402:F500:1004:1600::/56 | 60 |
| | … | … | … | … |

Migration Step 1: Survey and Analysis
• Any change required in current Network/Connectivity?
  • Minor change to make it a hierarchical fashion
• Any equipment that doesn't support IPv6?
  • Upgrading OS
  • Replacing with new one
  • No change required
• VLAN and IPv4 plan changed?
  • Before: Building-wise
  • After: Service-wise
• Prepare IPv6 plan
  • Similar plan as IPv4
  • Dual-Stack

Migration Step 2: Configuration (Ongoing)
• Started with WAN/Upstream connectivity
  • P2P Peering
  • Static and default route
  • Configuration test
• Step by step towards access
  • Core
  • Distribution
  • Edge
  • Configuration test
• Test from user PC
  • Wired user
  • Manual IPv6 address
• DHCPv6
  • Separate server
  • Stateful

Challenges in General
• IPv4 inertia
  • We think IPv4 is running fine
  • IPv6 seems complicated
  • Some think they have enough IPv4 addresses, why IPv6?
• Lack of expertise
  • Fear to learn IPv6
  • Less hands-on experience
• Incapability/Incompatibility of devices and CPEs
  • Upgrade OS
  • Purchase new equipment
  • Involves cost

Recommendations
• Play with the whole block, don't take a small portion
• Ensure that all prefixes fall on nibble boundaries
• Plan a hierarchical scheme for easy aggregation or enforcement of policies
• Allocate /64 prefixes for all end subnets
• Consider scalability and future potential growth
• Think about how well your plan might handle renumbering
• Document your planning thoroughly

Reference and Useful Information
• Internet Society Deploy360 Program
  • http://www.internetsociety.org/deploy360/ipv6/basics/
  • http://www.internetsociety.org/deploy360/resources/ipv6-address-planning/
• http://www.getipv6.info/
• http://www.ipv6actnow.org/
• http://datatracker.ietf.org/wg/v6ops/
• http://www.ripe.net/ripe/docs/ripe-554.html
• https://www.ripe.net/lir-services/training/material/IPv6-for-LIRs-Training-Course/Preparing-an-IPv6-Addressing-Plan.pdf