IPv6 on the INTEROPNET
Interop, Wednesday, 9 May 2013
Brandon Ross, Routing Team Lead; Chief Network Architect, Network Utility Force, http://www.netuf.net/
Jeff Enters, Chief Infrastructure Architect, HP, http://www.hp.com/services
Agenda
• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Conclusions
RFC 6540
• Are you aware of this requirement?
• Are your nodes IPv6 capable?
IPv6 Support Required for All IP-Capable Nodes – RFC 6540
• “Given the global lack of available IPv4 space, and limitations in IPv4 extension and transition technologies, this document advises that IPv6 support is no longer considered optional.”
• “IPv6 support must be equivalent or better in quality and functionality when compared to IPv4 support in a new or updated IP implementation.”
Background
• IPv4 depletion is already occurring
• IPv6 adoption is accelerating
• Most network hardware supports IPv6
• For the most part, dual stack Just Works
http://www.potaroo.net/tools
IPv4 Free Pool Depletion
http://www.ipv6actnow.org/info/statistics/#alloc
IPv6 Routing Table Growth
US Feds Lesson Learned
The US federal government had a mandate for all public facing web services to support IPv6 by September 30, 2012. 287 of 1494 sites had IPv6 web support by the deadline.
Today 961 of 1355 sites support IPv6. That’s over 70%. Not 100%, but far ahead of most other large organizations.
Source: http://usgv6-deploymon.antd.nist.gov//
Europe out of Free Pool
• Asia (APNIC) effectively ran out of free addresses in April, 2011
• Europe (RIPE) is also out of addresses as of September 14th, 2012
• ARIN predicted to run out of free space in April, 2014 (Geoff Huston, http://www.potaroo.net/tools/ipv4/index.html)
Goals
• Network must be fully dual stack (IPv4+IPv6)
• All IPv4 services should be reachable over IPv6
• Connections to IPv6-enabled websites should use IPv6 by default
• Nothing should break
Building on IPv4, IPv6 addresses contemporary networking needs
IPv6 Advantages Overview
Feature                                   | IPv4                                        | IPv6
Address length                            | 32 bits                                     | 128 bits
NAT                                       | Often necessary                             | Not necessary
Header size                               | Variable length, 20 bytes + many options    | Fixed length, 40 bytes + extension headers
Configuration                             | Manual, DHCPv4                              | Manual, stateless automatic, stateful automatic (DHCPv6)
Types of addresses                        | Broadcast, multicast, unicast               | Multicast, unicast, anycast
Addresses per interface                   | Single                                      | Multiple
Neighbor discovery, router discovery,     | A variety of separate protocols             | Neighbor Discovery Protocol (built in)
address resolution, NUD, redirects, etc.  |                                             |
IPsec                                     | Optional                                    | Integrated
QoS                                       | Some                                        | Better
Unlock the potential of IPv6
IPv6 Operational Advantages
• Robust, Effective, Efficient. Unlimited address space. Extensibility. Optimized for next generation networks.
• End to End Services and applications.
• Enable Service Automation.
• Better Support for QoS.
• Enhanced Mobility.
• Policy driven operations.
• Free manpower from ordinary tasks.
• Rapid deployment.
• Much more than just a larger addressing space
IPv6 Features useful in Internet facing devices
Internet Presence
Transition
• Dual Stack IPv4 and IPv6 – on all publicly available servers
• Translation – NAT64
Connectivity
• Make sure your mBGP is able to advertise and receive both IPv4 and IPv6 Internet route updates
• Understand how DNS server, OS, and application will interact. Make sure the DNS server can store AAAA (IPv6 address) records. Ensure records can be retrieved over both IPv4 and IPv6 transport.
• Enable the load balancer for both IPv4 and IPv6 traffic
Security
• Deploy IPv6 firewall and IDS/IPS
• IPsec – now integrated into the IPv6 protocol, but not widely deployed
• VPN – IPv6 VPN is very similar to IPv4 VPN
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
IPv6 Network Architecture Options
Address Allocation choice
• Provider Independent versus Provider Aggregatable address allocation scheme
Addressing Mechanisms choice
• Manual, Stateless autoconfiguration and/or Stateful autoconfiguration
Transition Mechanisms choice
• Dual Stack to allow coexistence of both IPv6 and IPv4 on the same infrastructure, and/or Tunneling and/or Translation
IPv6 Internet presence only
• BUT do not stop there! Having a longer term plan for full end-to-end IPv6 enablement is the recommended approach
Security Concerns
• Similar to IPv4 + new IPv6 specific security concerns, and the need to include access media security
• Remember IPv6 is almost certainly already in your internal network, just unmonitored!
Transition Strategies
Three main methods
Dual Stack
• Provides complete support for IPv4 and IPv6 protocols
Tunneling
• Encapsulates IPv6 packets in IPv4 headers (and, later, IPv4 packets in IPv6 headers)
• Requires dual-stack devices at either end of the connection
Translation
• Translates IPv6 addresses into IPv4 addresses
[Figure: Example "today" state, disconnected from the IPv6 Internet. Elements shown: Campus LAN, Wireless LAN, Core / DC, Remote offices and branches, WAN, IPv4 Internet, IPv6 Internet]
Transition Strategies Explained
Dual Stack – Use IPv4 or IPv6 (Simple and widely used. Recommended Strategy)
• IPv4 and IPv6 protocol stacks implemented on the same device.
• + Most simple and recommended approach, network is the same
• + Applications can select which network protocol to be used
• - IPv4-only cannot communicate with IPv6-only
• - Need to maintain 2 routing tables, 2 firewall rule sets, 2 network management configurations, etc.
• - Network applications must distinguish between IPv6 and IPv4 peers
Tunneling – 6-in-4 or 4-in-6 (Simple and widely used)
• One transport protocol is encapsulated as the payload of the other (and vice versa).
• + Connect islands of IPv6 or IPv4
• + Compatible across incompatible networks
• + Recommended for site-to-site
• - Security issues with tunneled protocols through the FW (the FW can’t inspect the payload)
• - Reduced performance
• - Complicated network management and troubleshooting
Translation – Between IPv4 and IPv6 (NAT64/DNS64) (If you must!)
• Translates IPv6 names & addresses into IPv4 names & addresses (and vice versa).
• + Enables IPv6-only hosts to communicate with IPv4-only hosts (and vice versa)
• + No modification to IPv4 or IPv6 end nodes, only at boundary routers
• - Application incompatibilities (e.g. VoIP), need for ALGs, and has all the NAT drawbacks
• - Increased complexity in network topology
• - Reduced performance (depending on HW)
• - Complicated troubleshooting
Connectivity and Routing
Autoconfiguration
• All client-facing networks use SLAAC to allow clients to auto-assign themselves an IPv6 address and default gateway on the correct subnet
  – Supported by all IPv6-capable devices
[Figure: client screenshot showing the auto-assigned IPv6 address and the default gateway (link-local address learned from the RA)]
DNS
• All DNS services are provided by DynDNS and load-balanced by F5
• Using anycast to direct traffic to its nearest DNS server, either show floor or Denver
InteropNET NOC Services
• Goal was to provide all internal services over IPv6 as well as IPv4
• This required coordination with vendors to enable IPv6, make sure services were bound to their IPv6 ports, and publish AAAA records
• Most (but not all) services ended up reachable over IPv6
Wireless
• InteropNET wireless is provided by Xirrus
• Purpose-built VLANs are shared across all APs and all are dual-stack
IPAM
IPv6 Attack Traffic
Src. Port | Dst. Addr.                            | Dst. Port | Seg. Port In
50854     | 2607:f8b0:4001:c02::bd                | 443       | 3
56597     | 2607:f8b0:400f:800::100a              | 443       | 3
56593     | 2607:f8b0:400f:800::1005              | 443       | 3
56598     | 2607:f8b0:400f:800::1000              | 443       | 3
49336     | 2404:6800:4003:802::1001              | 443       | 3
53427     | 2607:f8b0:400f:800::1000              | 80        | 3
49875     | 2607:fae0:1:1:426c:8fff:fe59:5172     | 22        | 3
51154     | 2607:f8b0:400f:800::100f              | 80        | 3
53425     | 2607:f8b0:400f:800::1006              | 80        | 3
49717     | 2607:fae0:1:1:426c:8fff:fe59:5172     | 22        | 3
51654     | 2607:f8b0:400f:800::1003              | 443       | 3
49221     | 2607:f8b0:400f:801::1006              | 443       | 3
49233     | 2607:fae0:1:1:426c:8fff:fe59:5172     | 22        | 3
53616     | 2a03:2880:10:6f01:face:b00c::5        | 80        | 3
63077     | 2607:f8b0:4001:c02::bd                | 443       | 3
53419     | 2607:f8b0:400f:800::1002              | 80        | 3
58448     | 2607:f8b0:400f:800::1005              | 443       | 3
53416     | 2607:f8b0:400f:801::100e              | 80        | 3
60311     | 2607:f8b0:400f:800::100c              | 80        | 3
62773     | 2607:f8b0:4001:c02::bd                | 443       | 3
50390     | 2607:f8b0:400f:800::1003              | 443       | 3
53406     | 2607:f8b0:400f:800::1009              | 80        | 3
62751     | 2607:f8b0:4001:c02::bd                | 443       | 3
62320     | 2607:f8b0:4001:c02::bd                | 443       | 3
62059     | 2607:f8b0:400f:800::1006              | 443       | 3
50117     | 2001:4860:4007:801::1007              | 443       | 3
51679     | 2607:f8b0:400f:801::100f              | 443       | 3
State of Assignments
• All of the registries, for the most part, assign initial blocks of:
  – Service provider: /32
  – Enterprise: /48
What makes up a good addressing plan?
• Depends on the type of network, the size of the network, and the problem to be solved
• Points to consider:
  – Documentation
  – Ease of troubleshooting
  – Aggregation
  – Standards compliance
  – Growth
  – SLAAC
  – Existing IPv4 addressing plan
  – Human factors
Algorithmic Approach
• Encode every IPv4 address in the network in an IPv6 address
10.10.10.10 (hex A0A0A0A) -> 2001:DB8:A0A:A0A::
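The mapping above is mechanical, so it is worth having as code that can generate (and, for troubleshooting, reverse) the encoding for a whole plan. The following is an added example, not from the slides: it assumes the provider block is a /32 (here the documentation prefix 2001:DB8::/32) and places the 32 IPv4 bits directly after it, so every IPv4 host gets its own /64 and, going one step beyond the slide, an IPv4 /p maps to an aggregating IPv6 /(32+p).

```python
import ipaddress

# Assumed provider /32 (2001:DB8::/32 is the documentation prefix, not a real assignment).
# The 32 IPv4 bits occupy bits 32-63 of the IPv6 address, i.e. hextets 3 and 4.
ENCODING_PREFIX = ipaddress.IPv6Network("2001:db8::/32")


def _check_prefix(prefix: ipaddress.IPv6Network) -> None:
    if prefix.prefixlen != 32:
        raise ValueError("the encoding prefix must be a /32 so the IPv4 bits fit in bits 32-63")


def ipv4_to_ipv6_subnet(ipv4: str, prefix=ENCODING_PREFIX) -> ipaddress.IPv6Network:
    """Encode one IPv4 host as a /64: 10.10.10.10 (0x0A0A0A0A) -> 2001:db8:a0a:a0a::/64."""
    _check_prefix(prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    # bits 127..96 = provider /32, bits 95..64 = IPv4 address, bits 63..0 = zero interface ID
    v6 = int(prefix.network_address) | (v4 << 64)
    return ipaddress.IPv6Network((v6, 64))


def ipv4_network_to_ipv6(ipv4_net: str, prefix=ENCODING_PREFIX) -> ipaddress.IPv6Network:
    """Generalisation of the slide's mapping: an IPv4 /p becomes an IPv6 /(32+p) that
    aggregates all the /64s of its hosts, e.g. 10.10.0.0/16 -> 2001:db8:a0a::/48."""
    _check_prefix(prefix)
    net = ipaddress.IPv4Network(ipv4_net)
    v6 = int(prefix.network_address) | (int(net.network_address) << 64)
    return ipaddress.IPv6Network((v6, 32 + net.prefixlen))


def ipv6_subnet_to_ipv4(ipv6_subnet: str, prefix=ENCODING_PREFIX) -> str:
    """Inverse mapping: recover the IPv4 address encoded in a /64 (or any /x with x <= 64)."""
    _check_prefix(prefix)
    net = ipaddress.IPv6Network(ipv6_subnet)
    if not net.subnet_of(prefix) or net.prefixlen > 64:
        raise ValueError(f"{net} was not produced by this encoding")
    v4 = (int(net.network_address) >> 64) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(v4))


if __name__ == "__main__":
    for v4 in ("10.10.10.10", "192.168.1.20"):
        v6 = ipv4_to_ipv6_subnet(v4)
        print(f"{v4:>14} -> {v6} -> back to {ipv6_subnet_to_ipv4(str(v6))}")
    print("   10.10.0.0/16 ->", ipv4_network_to_ipv6("10.10.0.0/16"))
```

Because the IPv4 bits land in fixed positions, the reverse function lets an operator read the legacy IPv4 address straight out of any IPv6 prefix in the plan, which is the "human factors" benefit the slide is after.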
Link Numbering Issues
• OSPFv3 masks this problem, unlike in IPv4
• Separation of addressing from the link state database means that OSPFv3 neighbor relationships will establish, even on links with mismatched addressing and/or masks
• Link-local based forwarding prevents address mismatches from being easily detected because traffic flows normally and traceroutes don’t appear too strange
Link Numbering Issues
• To detect link numbering errors, look for “U-turn” routing:

$ traceroute6 2620:144:B0C::
traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
 1  2620:144:8fc:: (2620:144:8fc::)  26.747 ms  26.730 ms  26.716 ms
 2  2620:144:b0c::2 (2620:144:b0c::2)  29.137 ms  29.222 ms  29.264 ms
 3  2620:144:8fc:: (2620:144:8fc::)  29.355 ms  29.335 ms  29.350 ms
 4  2620:144:8fc:: (2620:144:8fc::)  29.438 ms !H  29.433 ms !H  29.413 ms !H

Note hop 2 is the misnumbered address. This traceroute should have looked like this:

$ traceroute6 2620:144:B0C::
traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
 1  2620:144:8fc:: (2620:144:8fc::)  32.473 ms  32.447 ms  32.427 ms
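The U-turn check can be automated so it runs over every traceroute in a verification sweep rather than by eye. The following is an added example (not from the slides or the InteropNET tooling): it parses traceroute6 output, using the two traces from the slide as its sample input, and reports a hop that sits between two replies from the same router, which is the signature of the misnumbered link.

```python
import re
from typing import List, Optional, Tuple

# A traceroute6 hop line: hop number, host, then the address in parentheses.
# Timed-out hops ("5  * * *") carry no address and are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\(([0-9A-Fa-f:.]+)\)")

# Sample input: the two traces shown on the slide.
BAD_TRACE = """\
$ traceroute6 2620:144:B0C::
traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
 1  2620:144:8fc:: (2620:144:8fc::)  26.747 ms  26.730 ms  26.716 ms
 2  2620:144:b0c::2 (2620:144:b0c::2)  29.137 ms  29.222 ms  29.264 ms
 3  2620:144:8fc:: (2620:144:8fc::)  29.355 ms  29.335 ms  29.350 ms
 4  2620:144:8fc:: (2620:144:8fc::)  29.438 ms !H  29.433 ms !H  29.413 ms !H
"""

GOOD_TRACE = """\
$ traceroute6 2620:144:B0C::
traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
 1  2620:144:8fc:: (2620:144:8fc::)  32.473 ms  32.447 ms  32.427 ms
"""


def parse_hops(output: str) -> List[Tuple[int, str]]:
    """Return (hop number, responding address) for every hop that answered."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2).lower()))
    return hops


def find_uturn(output: str) -> Optional[int]:
    """Return the hop number of a suspected misnumbered link, or None.

    A U-turn is a hop whose predecessor and successor answered from the same
    address: the path went out one hop and came straight back. In the slide's
    trace hop 2 is sandwiched between two replies from 2620:144:8fc::.
    """
    hops = parse_hops(output)
    for i in range(1, len(hops) - 1):
        before, here, after = hops[i - 1][1], hops[i][1], hops[i + 1][1]
        if before == after and here != before:
            return hops[i][0]
    return None


if __name__ == "__main__":
    for name, trace in (("bad", BAD_TRACE), ("good", GOOD_TRACE)):
        print(f"{name}: U-turn at hop {find_uturn(trace)}")
```

The check deliberately ignores hop 3 and hop 4 answering from the same address: repeated consecutive replies with !H are the destination being unreachable, not a numbering error, and only the out-and-back pattern is flagged.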
Link Numbering Issues
• Should you number your links at all or just use link-local?
• Loopback interfaces usually show up so you know which routers traffic is following, so why waste address space on links?
Link Numbering Issues
• Using equal cost multipath?

$ traceroute6 2001:DB8::5:2
traceroute to 2001:DB8::5:2 (2001:DB8::5:2), 30 hops max, 80 byte packets
 1  2001:DB8::6:1 (2001:DB8::6:1)  22.723 ms  26.730 ms  26.716 ms
 2  2001:DB8::1:1 (2001:DB8::1:1)  80.233 ms  * ms  72.173 ms
 3  2001:DB8::5:2 (2001:DB8::5:2)  * ms  99.223 ms  29.350 ms

• Which link did it take?
Link Numbering Issues
• Does your management system use link numbering for monitoring or circuit identification?
• Are you really saving any significant addressing by not assigning addresses?
Link Numbering Issues

$ traceroute6 2001:DB8::5:2
traceroute to 2001:DB8::5:2 (2001:DB8::5:2), 30 hops max, 80 byte packets
 1  2001:DB8::6:1 (2001:DB8::6:1)  22.723 ms  26.730 ms  26.716 ms
 2  2001:DB8::4 (2001:DB8::4)  * ms  88.322 ms  * ms
 3  2001:DB8::5:2 (2001:DB8::5:2)  * ms  90.123 ms  100.110 ms

• Better, now we know which link is having issues.
Standards Compliance
Networks smaller than /64 can be desirable, especially using /127s for point to point links (RFC 6164)
To avoid future breakage, allocate a /64 in your documentation but use the smaller block
Similarly, reserve /48s for EVERYTHING you can, there’s no reason to allocate densely, there’s plenty of space
If you have a complex network, allocate in a sparse way to enable easy aggregation
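The four rules above (use /127 on point-to-point links, but record a /64; reserve /48s generously; allocate sparsely so routes aggregate) can be encoded in a small planner. The following is an added example, not the InteropNET's own plan or tooling: it assumes a /32 organisation prefix (the documentation prefix 2001:DB8::/32) and a /48 per site, and the sparse scheme it uses, handing out /48s in bit-reversed order so successive sites sit as far apart as possible, is this example's choice rather than anything the slide prescribes.

```python
import ipaddress
from typing import List, Tuple

# Constructed organisation prefix (documentation space, not a real allocation).
ORG_PREFIX = ipaddress.IPv6Network("2001:db8::/32")


def reserve_p2p_link(site, link_index: int):
    """Reserve a whole /64 for a point-to-point link but configure only its first /127.

    Returns (reserved /64 for the documentation, configured /127, (address A, address B)).
    The /64 stays on record so the link can be widened later without touching the
    plan; the /127 (RFC 6164) is what actually goes on the two interfaces.
    """
    site = ipaddress.IPv6Network(site)
    if site.prefixlen > 64:
        raise ValueError("site prefix must be /64 or shorter")
    if not 0 <= link_index < 2 ** (64 - site.prefixlen):
        raise ValueError("link index does not fit in the site prefix")
    reserved = ipaddress.IPv6Network((int(site.network_address) | (link_index << 64), 64))
    link = ipaddress.IPv6Network((int(reserved.network_address), 127))
    side_a = ipaddress.IPv6Address(int(link.network_address))
    side_b = ipaddress.IPv6Address(int(link.network_address) + 1)
    return reserved, link, (side_a, side_b)


def _bit_reverse(value: int, width: int) -> int:
    """Reverse the low `width` bits of value (0b0001 -> 0b1000 for width 4)."""
    return int(format(value, f"0{width}b")[::-1], 2)


def sparse_site_prefixes(parent, count: int, site_len: int = 48) -> List[ipaddress.IPv6Network]:
    """Hand out `count` site prefixes from `parent` in bit-reversed order.

    Assumed scheme: site 0 is ::/48, site 1 is 8000::/48, site 2 is 4000::/48,
    site 3 is c000::/48, and so on. Each early site can later grow into a shorter
    prefix, and the parent still aggregates as a single route.
    """
    parent = ipaddress.IPv6Network(parent)
    width = site_len - parent.prefixlen
    if width <= 0 or count > 2 ** width:
        raise ValueError("not enough room in the parent prefix")
    shift = 128 - site_len
    base = int(parent.network_address)
    return [ipaddress.IPv6Network((base | (_bit_reverse(i, width) << shift), site_len))
            for i in range(count)]


if __name__ == "__main__":
    sites = sparse_site_prefixes(ORG_PREFIX, 4)
    for n, site in enumerate(sites):
        print(f"site {n}: {site}")
    reserved, link, (a, b) = reserve_p2p_link(sites[0], 1)
    print(f"link 1 of site 0: documented as {reserved}, configured as {link} ({a} <-> {b})")
```

The planner never emits an address outside the parent, so the IPv4-style habit of "borrowing" from a neighbouring block is impossible by construction, and the documented /64 is what the monitoring and IPAM tools should key on rather than the /127.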
DUID
• When a Windows machine is cloned, you can get two or more machines with the same DHCPv6 Unique IDentifier (DUID)
• This DUID is used by the DHCPv6 server to identify the client, so when two clients with the same DUID request IPv6 addresses with DHCPv6, they will both be given the same address
• When the second machine receives its address from the DHCPv6 server, it does IPv6 Duplicate Address Detection, determines there is an IP address conflict, and refuses the lease
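The cloned-DUID problem leaves a recognisable trail in the DHCPv6 server log: one DUID arriving from more than one link-layer address, followed by the second client declining the lease after DAD fails (the DHCPv6 Decline message of RFC 3315). The following is an added example, not from the slides or the InteropNET NOC: it runs that check over a few constructed log lines whose format is invented for the example (a real server logs these fields in its own layout).

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed DHCPv6 server log. The layout is invented for this example; the DUIDs
# are DUID-LLT (type 00:01) values that embed the MAC of the machine that was imaged,
# which is why the clone at 00:50:56:aa:bb:02 presents a DUID ending in ...aa:bb:01.
SAMPLE_LOG = """\
2013-05-08 09:12:01 SOLICIT duid=00:01:00:01:1a:2b:3c:4d:00:50:56:aa:bb:01 lladdr=00:50:56:aa:bb:01 vlan=110
2013-05-08 09:12:01 REPLY   duid=00:01:00:01:1a:2b:3c:4d:00:50:56:aa:bb:01 addr=2001:db8:110::1a3
2013-05-08 09:13:40 SOLICIT duid=00:01:00:01:1a:2b:3c:4d:00:50:56:aa:bb:01 lladdr=00:50:56:aa:bb:02 vlan=110
2013-05-08 09:13:40 REPLY   duid=00:01:00:01:1a:2b:3c:4d:00:50:56:aa:bb:01 addr=2001:db8:110::1a3
2013-05-08 09:13:41 DECLINE duid=00:01:00:01:1a:2b:3c:4d:00:50:56:aa:bb:01 addr=2001:db8:110::1a3
2013-05-08 09:15:02 SOLICIT duid=00:01:00:01:2c:3d:4e:5f:00:50:56:cc:dd:03 lladdr=00:50:56:cc:dd:03 vlan=110
2013-05-08 09:15:02 REPLY   duid=00:01:00:01:2c:3d:4e:5f:00:50:56:cc:dd:03 addr=2001:db8:110::2b7
"""

SOLICIT_RE = re.compile(r"SOLICIT duid=(\S+) lladdr=(\S+)")
DECLINE_RE = re.compile(r"DECLINE duid=(\S+) addr=(\S+)")


def duids_by_link_layer(log: str) -> Dict[str, Set[str]]:
    """Map each DUID to the set of link-layer addresses it has been seen from."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = SOLICIT_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2).lower())
    return dict(seen)


def find_cloned_duids(log: str) -> Dict[str, Set[str]]:
    """DUIDs seen from more than one link-layer address: the cloned-image signature."""
    return {duid: macs for duid, macs in duids_by_link_layer(log).items() if len(macs) > 1}


def declined_leases(log: str) -> List[Tuple[str, str]]:
    """(DUID, address) pairs a client declined, i.e. DAD found the address in use."""
    out = []
    for line in log.splitlines():
        m = DECLINE_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


if __name__ == "__main__":
    for duid, macs in find_cloned_duids(SAMPLE_LOG).items():
        print(f"DUID {duid} shared by {sorted(macs)}")
    for duid, addr in declined_leases(SAMPLE_LOG):
        print(f"lease {addr} declined by {duid}")
```

Correlating the two reports points straight at the machine to fix: the DUID that is both shared and declining is the clone that needs its DUID regenerated.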
Rogue RAs
• When a client is configured to run 6to4 (an automatic tunneling protocol) and Internet Connection Sharing, it will advertise itself as an IPv6 router by sending out RAs on its wireless interface
• Clients receiving such RAs will auto-assign themselves an address in the wrong subnet
• Routers are generally configured with RA guard or equivalent on their wired ports
• Unfortunately there is no way to block rogue RAs over wireless APs (and some wired switches)
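Where RA guard cannot be applied, as on the wireless APs the slide mentions, the fallback is to watch the RAs that do arrive and compare them with the routers the network is supposed to have. The following is an added example, not the InteropNET's tooling: the allowlist of legitimate router MACs and prefixes per VLAN, and the observed RAs, are constructed for the example, and the 6to4 test relies only on the fact that 6to4 prefixes live under 2002::/16 (RFC 3056).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RouterAdvertisement:
    vlan: int
    src_mac: str          # link-layer source of the RA
    src_lladdr: str       # fe80:: source address
    prefix: str           # advertised prefix (Prefix Information option)
    router_lifetime: int  # seconds; non-zero means "use me as default router"


# Constructed allowlist: the one legitimate router per client VLAN and its prefix.
EXPECTED: Dict[int, Dict[str, str]] = {
    110: {"mac": "00:1c:73:aa:00:01", "prefix": "2001:db8:110::/64"},
    120: {"mac": "00:1c:73:aa:00:02", "prefix": "2001:db8:120::/64"},
}

SIXTO4 = ipaddress.IPv6Network("2002::/16")  # 6to4 address space (RFC 3056)

# Constructed observations: the real router, then a client running 6to4 + ICS
# advertising a 2002: prefix derived from an IPv4 address (192.0.2.4 -> 2002:c000:204::).
OBSERVED: List[RouterAdvertisement] = [
    RouterAdvertisement(110, "00:1c:73:aa:00:01", "fe80::21c:73ff:feaa:1", "2001:db8:110::/64", 1800),
    RouterAdvertisement(110, "00:50:56:aa:bb:01", "fe80::250:56ff:feaa:bb01", "2002:c000:204::/64", 1800),
]


def classify_ra(ra: RouterAdvertisement) -> List[str]:
    """Return the reasons this RA is suspect; an empty list means it is the expected router."""
    reasons: List[str] = []
    expected = EXPECTED.get(ra.vlan)
    if expected is None:
        return [f"RA on VLAN {ra.vlan}, which has no IPv6 router on record"]
    if ra.src_mac.lower() != expected["mac"]:
        reasons.append(f"unexpected router MAC {ra.src_mac} (expected {expected['mac']})")
    net = ipaddress.IPv6Network(ra.prefix, strict=False)
    if net != ipaddress.IPv6Network(expected["prefix"]):
        reasons.append(f"advertises {ra.prefix} instead of {expected['prefix']}")
    if net.subnet_of(SIXTO4):
        reasons.append("prefix is 6to4-derived (2002::/16), typical of a host running 6to4 + ICS")
    return reasons


def find_rogue_ras(observed: List[RouterAdvertisement]) -> List[Tuple[RouterAdvertisement, List[str]]]:
    """Every observed RA that fails classification, with its reasons."""
    flagged = []
    for ra in observed:
        reasons = classify_ra(ra)
        if reasons:
            flagged.append((ra, reasons))
    return flagged


if __name__ == "__main__":
    for ra, reasons in find_rogue_ras(OBSERVED):
        print(f"VLAN {ra.vlan}: rogue RA from {ra.src_mac} ({ra.src_lladdr})")
        for r in reasons:
            print(f"  - {r}")
```

The MAC in a flagged RA is what the wireless controller needs to locate the offending client; the reasons list distinguishes a misconfigured second router (wrong MAC, right prefix) from the 6to4/ICS case the slide describes.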
Conclusions
• IPv6 works in the real world
• There are challenges to implementing IPv6, but nothing show-stopping
• Much of the Internet’s content is reachable over IPv6 (and growing fast) including all of Google, FaceBook and 3000 other sites
• A much smaller percentage of Internet users have IPv6 connectivity (though this may change quickly with IPv4 depletion)
Learn More!
• http://www.getipv6.info/
• http://tunnelbroker.net/
• http://www.sixxs.net/
• http://www.ipv6ready.org
• https://www.arin.net/knowledge/ipv6_info_center.html
• Contact us:
  – Brandon Ross, Chief Network Architect and CEO, Network Utility Force, [email protected], +1-404-635-6667
  – Jeff Enters, Chief Infrastructure Architect, HP TS Networking, [email protected], +1-414-412-3268