IPv6 on the INTEROPNET Interop, Wednesday, 9 May 2013 Brandon Ross, Routing Team Lead Chief Network Architect, Network Utility Force http://www.netuf.net / Jeff Enters, Chief Infrastructure Architect, HP http://www.hp.com/services

IPv6 on the Interop Network


Page 1: IPv6 on the Interop Network

IPv6 on the INTEROPNET

Interop, Wednesday, 9 May 2013

Brandon Ross, Routing Team Lead
Chief Network Architect, Network Utility Force
http://www.netuf.net/

Jeff Enters, Chief Infrastructure Architect, HP
http://www.hp.com/services

Page 2: IPv6 on the Interop Network

Agenda

• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Conclusions

Page 3: IPv6 on the Interop Network

RFC 6540

• Are you aware of this requirement?
• Are your nodes IPv6 capable?

Page 4: IPv6 on the Interop Network

IPv6 Support Required for All IP-Capable Nodes – RFC 6540

• “Given the global lack of available IPv4 space, and limitations in IPv4 extension and transition technologies, this document advises that IPv6 support is no longer considered optional.”

• “IPv6 support must be equivalent or better in quality and functionality when compared to IPv4 support in a new or updated IP implementation.”

Page 5: IPv6 on the Interop Network

Background

• IPv4 depletion is already occurring
• IPv6 adoption is accelerating
• Most network hardware supports IPv6
• For the most part, dual stack Just Works

[Chart: IPv4 Free Pool Depletion (source: http://www.potaroo.net/tools)]

[Chart: IPv6 Routing Table Growth (source: http://www.ipv6actnow.org/info/statistics/#alloc)]

Page 6: IPv6 on the Interop Network

US Feds Lesson Learned

The US federal government had a mandate for all public facing web services to support IPv6 by September 30, 2012. 287 of 1494 sites had IPv6 web support by the deadline.

Today 961 of 1355 sites support IPv6. That’s over 70%. Not 100%, but far ahead of most other large organizations.

Source: http://usgv6-deploymon.antd.nist.gov//

Page 7: IPv6 on the Interop Network

Europe out of Free Pool

• Asia (APNIC) effectively ran out of free addresses in April, 2011

• Europe (RIPE) is also out of addresses as of September 14th, 2012

• ARIN predicted to run out of free space in April, 2014 (Geoff Huston, http://www.potaroo.net/tools/ipv4/index.html)

Page 8: IPv6 on the Interop Network

Goals

• Network must be fully dual stack (IPv4+IPv6)

• All IPv4 services should be reachable over IPv6

• Connections to IPv6-enabled websites should use IPv6 by default

• Nothing should break

Page 9: IPv6 on the Interop Network

Agenda

• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Conclusions

Page 10: IPv6 on the Interop Network

Building on IPv4, IPv6 addresses contemporary networking needs

IPv6 Advantages Overview

Feature                                  | IPv4                                     | IPv6
-----------------------------------------|------------------------------------------|------------------------------------------------------
Address length                           | 32 bits                                  | 128 bits
NAT                                      | Often necessary                          | Not necessary
Header size                              | Variable length, 20 bytes + many options | Fixed-length, 40 bytes + extension headers
Configuration                            | Manual, DHCPv4                           | Manual, stateless automatic, stateful automatic (DHCPv6)
Types of addresses                       | Broadcast, multicast, unicast            | Multicast, unicast, anycast
Addresses per interface                  | Single                                   | Multiple
Neighbor discovery, router discovery,    | A variety of separate protocols          | Neighbor Discovery Protocol (built in)
address resolution, NUD, redirects, etc. |                                          |
IPsec                                    | Optional                                 | Integrated
QoS                                      | Some                                     | Better

Page 11: IPv6 on the Interop Network

Unlock the potential of IPv6

IPv6 Operational Advantages

• Robust, Effective, Efficient. Unlimited address space. Extensibility. Optimized for next generation networks.
• End to End Services and applications.
• Enable Service Automation.
• Better Support for QoS.
• Enhanced Mobility.
• Policy driven operations.
• Free manpower from ordinary tasks.
• Rapid deployment.
• Much more than just a larger addressing space

Page 12: IPv6 on the Interop Network

IPv6 Features useful in Internet facing devices

Internet Presence
• Transition: Dual Stack IPv4 and IPv6 on all publicly available servers
• Translation: NAT64

Connectivity
• Make sure your mBGP is able to advertise and receive both IPv4 and IPv6 Internet route updates
• Understand how DNS server, OS, and application will interact.
• Make sure DNS server can store AAAA (IPv6 Address) records. Ensure records can be retrieved over both IPv4 and IPv6 transport.
• Enable Load balancer for both IPv4 and IPv6 traffic

Security
• Deploy IPv6 Firewall and IDS/IPS
• IPsec: Now integrated into the IPv6 protocol, but not widely deployed
• VPN: IPv6 VPN is very similar to IPv4 VPN

Page 13: IPv6 on the Interop Network

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

IPv6 Network Architecture Options

Address Allocation choice
• Provider Independent versus Provider Aggregatable address allocation scheme

Addressing Mechanisms choice
• Manual, Stateless autoconfiguration and/or Stateful autoconfiguration

Transition Mechanisms choice
• Dual Stack to allow coexistence of both IPv6 and IPv4 on the same infrastructure, and/or Tunneling and/or Translation

IPv6 Internet presence only
• BUT do not stop there! Having a longer term plan for full end-to-end IPv6 enablement is the recommended approach

Security Concerns
• Similar to IPv4 + new IPv6 specific security concerns, and need to include access media security
• Remember IPv6 is almost certainly already in your internal network, just unmonitored!

Page 14: IPv6 on the Interop Network


Transition Strategies

Three main methods

Dual Stack
• Provides complete support for IPv4 and IPv6 protocols

Tunneling
• Encapsulates IPv6 packets in IPv4 headers (and, later, IPv4 packets in IPv6 headers)
• Requires dual-stack devices at either end of the connection

Translation
• Translates IPv6 addresses into IPv4 addresses

[Diagram: Example today state, disconnected from the IPv6 Internet: Campus LAN, Wireless LAN, Core / DC, Remote offices and branches, WAN, IPv4 Internet, IPv6 Internet]

Page 15: IPv6 on the Interop Network


Dual Stack: Use IPv4 or IPv6
• IPv4 and IPv6 protocol stacks implemented on the same device.
• + Most simple and recommended approach, network is the same
• + Applications can select which network protocol to be used
• - IPv4-only cannot communicate with IPv6-only
• - Need to maintain 2 routing tables, 2 firewall rule sets, 2 network management configurations, etc.
• - Network applications must distinguish between IPv6 and IPv4 peers

Simple and widely used. Recommended Strategy

Transition Strategies Explained

Page 16: IPv6 on the Interop Network



Tunneling: 6-in-4 or 4-in-6
• One transport protocol is encapsulated as the payload of the other (and vice versa).
• + Connect Islands of IPv6 or IPv4
• + Compatible across incompatible networks
• + Recommended for site-to-site
• - Security issues with tunneled protocols
• - Through FW (FW can’t inspect payload)
• - Reduced performance
• - Complicated network management and troubleshooting

Simple and widely used

Transition Strategies Explained

Page 17: IPv6 on the Interop Network



Translation: Between IPv4 and IPv6 (NAT64/DNS64)
• Translates IPv6 names & addresses into IPv4 names & addresses (and vice versa).
• + Enables IPv6-only hosts to communicate with IPv4-only hosts (and vice versa)
• + No modification to IPv4 or IPv6 end nodes, only at boundary routers
• - Application incompatibilities (e.g. VoIP), need for ALG, and has all NAT drawbacks
• - Increased complexity in network topology
• - Reduced Performance (dep. on HW)
• - Complicated troubleshooting

If you must!

Transition Strategies Explained

Page 18: IPv6 on the Interop Network

Agenda

• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Conclusions

Page 19: IPv6 on the Interop Network

Connectivity and Routing

Page 20: IPv6 on the Interop Network

Autoconfiguration

• All client-facing networks use SLAAC to allow clients to auto-assign themselves an IPv6 address and default gateway on the correct subnet
  – Supported by all IPv6-capable devices

[Screenshot: auto-assigned IPv6 address, with the default gateway taken as the link-local address from the RA]

Page 21: IPv6 on the Interop Network

DNS

• All DNS services are provided by DynDNS and load-balanced by F5

• Using anycast to direct traffic to its nearest DNS server, either on the show floor or in Denver

Page 22: IPv6 on the Interop Network

InteropNET NOC Services

• Goal was to provide all internal services over IPv6 as well as IPv4

• This required coordination with vendors to enable IPv6, make sure services were bound to their IPv6 ports, and publish AAAA records

• Most (but not all) services ended up reachable over IPv6

Page 23: IPv6 on the Interop Network

Wireless

• InteropNET wireless is provided by Xirrus
• Purpose-built VLANs are shared across all APs and all are dual-stack

Page 24: IPv6 on the Interop Network

IPAM

Page 25: IPv6 on the Interop Network

IPv6 Attack Traffic

[Table of flow records with columns: Src. Port, Dst. Addr., Dst. Port, Seg. Port In]


Page 26: IPv6 on the Interop Network

Agenda

• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Results and Statistics
• Conclusions

Page 27: IPv6 on the Interop Network

State of Assignments

• All of the registries, for the most part, assign initial blocks as follows:
  – Service provider: /32
  – Enterprise: /48

Page 28: IPv6 on the Interop Network

What makes up a good addressing plan?

• Depends on the type of network, the size of the network, and problem to be solved

• Points to consider:
  – Documentation
  – Ease of troubleshooting
  – Aggregation
  – Standards compliance
  – Growth
  – SLAAC
  – Existing IPv4 addressing plan
  – Human factors

Page 29: IPv6 on the Interop Network

Algorithmic Approach

• Encode every IPv4 address in the network in an IPv6 address
  – 10.10.10.10 (A0A0A0A in hex)
  – 2001:DB8:A0A:A0A::

Page 30: IPv6 on the Interop Network

Link Numbering Issues

• OSPFv3 masks this problem, unlike in IPv4
• Separation of addressing from the link state database means that OSPFv3 neighbor relationships will establish, even on links with mismatched addressing and/or masks
• Link-local based forwarding prevents address mismatches from being easily detected because traffic flows normally and traceroutes don’t appear too strange

Page 31: IPv6 on the Interop Network

Link Numbering Issues

• To detect link numbering errors, look for “U-turn” routing:

  $ traceroute6 2620:144:B0C::
  traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
   1  2620:144:8fc:: (2620:144:8fc::)  26.747 ms  26.730 ms  26.716 ms
   2  2620:144:b0c::2 (2620:144:b0c::2)  29.137 ms  29.222 ms  29.264 ms
   3  2620:144:8fc:: (2620:144:8fc::)  29.355 ms  29.335 ms  29.350 ms
   4  2620:144:8fc:: (2620:144:8fc::)  29.438 ms !H  29.433 ms !H  29.413 ms !H

Note hop 2 is the misnumbered address. This traceroute should have looked like this:

  $ traceroute6 2620:144:B0C::
  traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
   1  2620:144:8fc:: (2620:144:8fc::)  32.473 ms  32.447 ms  32.427 ms
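As an added illustration (not code from the slides), a small parser that reads traceroute6 output and flags the U-turn described above; the sample input is constructed from the hop addresses shown on this slide, and the "suspect hop" rule (the hop just before the first U-turn) is an assumption that matches the slide's example:

```python
import re
from ipaddress import IPv6Address

# Constructed sample: the misnumbered traceroute shown on the slide.
SAMPLE = """$ traceroute6 2620:144:B0C::
traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
 1  2620:144:8fc:: (2620:144:8fc::)  26.747 ms  26.730 ms  26.716 ms
 2  2620:144:b0c::2 (2620:144:b0c::2)  29.137 ms  29.222 ms  29.264 ms
 3  2620:144:8fc:: (2620:144:8fc::)  29.355 ms  29.335 ms  29.350 ms
 4  2620:144:8fc:: (2620:144:8fc::)  29.438 ms !H  29.433 ms !H  29.413 ms !H
"""

# hop number, host name, address in parentheses; probe timings follow and are ignored
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\(([0-9a-fA-F:.]+)\)")


def parse_hops(text):
    """Return [(hop_number, IPv6Address)] for every answered hop in traceroute6 output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), IPv6Address(m.group(2))))
    return hops


def find_uturns(hops):
    """Hop numbers at which an address seen earlier reappears after a different hop.

    Consecutive repeats of one address (hops 3 and 4 above, where the last
    router keeps answering with !H) are not U-turns.
    """
    seen = set()
    last = None
    uturns = []
    for number, addr in hops:
        if addr in seen and last is not None and addr != last:
            uturns.append(number)
        seen.add(addr)
        last = addr
    return uturns


def suspect_hop(hops):
    """The hop just before the first U-turn: the one most likely misnumbered."""
    uturns = find_uturns(hops)
    if not uturns:
        return None
    before = dict(hops).get(uturns[0] - 1)
    return (uturns[0] - 1, str(before)) if before is not None else None


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    print("U-turn at hops:", find_uturns(hops))
    print("Suspect hop:", suspect_hop(hops))
```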

Page 32: IPv6 on the Interop Network

Link Numbering Issues

Page 33: IPv6 on the Interop Network

Link Numbering Issues

• Should you number your links at all or just use link-local?

• Loopback interfaces usually show up so you know which routers traffic is following, so why waste address space on links?

Page 34: IPv6 on the Interop Network

Link Numbering Issues

• Using equal cost multipath?

  $ traceroute6 2001:DB8::5:2
  traceroute to 2001:DB8::5:2 (2001:DB8::5:2), 30 hops max, 80 byte packets
   1  2001:DB8::6:1 (2001:DB8::6:1)  22.723 ms  26.730 ms  26.716 ms
   2  2001:DB8::1:1 (2001:DB8::1:1)  80.233 ms  * ms  72.173 ms
   3  2001:DB8::5:2 (2001:DB8::5:2)  * ms  99.223 ms  29.350 ms

• Which link did it take?

Page 35: IPv6 on the Interop Network

Link Numbering Issues

• Does your management system use link numbering for monitoring or circuit identification?

• Are you really saving any significant addressing by not assigning addresses?

Page 36: IPv6 on the Interop Network

Link Numbering Issues

  $ traceroute6 2001:DB8::5:2
  traceroute to 2001:DB8::5:2 (2001:DB8::5:2), 30 hops max, 80 byte packets
   1  2001:DB8::6:1 (2001:DB8::6:1)  22.723 ms  26.730 ms  26.716 ms
   2  2001:DB8::4 (2001:DB8::4)  * ms  88.322 ms  * ms
   3  2001:DB8::5:2 (2001:DB8::5:2)  * ms  90.123 ms  100.110 ms

• Better, now we know which link is having issues.

Page 37: IPv6 on the Interop Network

Standards Compliance

Networks smaller than /64 can be desirable, especially using /127s for point to point links (RFC 6164)

To avoid future breakage, allocate a /64 in your documentation but use the smaller block

Similarly, reserve /48s for EVERYTHING you can, there’s no reason to allocate densely, there’s plenty of space

If you have a complex network, allocate in a sparse way to enable easy aggregation
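An added example, not code from the presenters, covering both the "Algorithmic Approach" slide and the /127-inside-a-reserved-/64 practice above: it derives a /64 from an IPv4 address under a /32 site prefix, recovers the IPv4 address from it, and carves the first /127 for a point-to-point link. The /32 site prefix and the input subnet list are assumptions chosen for the illustration (2001:db8::/32 is the documentation range used on the slide).

```python
from ipaddress import IPv4Address, IPv6Network

# Assumed site prefix for the example; the slide uses the 2001:DB8 documentation range.
SITE_PREFIX = "2001:db8::/32"


def ipv4_to_ipv6_subnet(v4, site_prefix=SITE_PREFIX):
    """Derive a /64 for an IPv4 address by copying its 32 bits into bits 32..63 of
    the site /32, so 10.10.10.10 (0a0a0a0a) becomes 2001:db8:a0a:a0a::/64."""
    site = IPv6Network(site_prefix)
    if site.prefixlen != 32:
        raise ValueError("this scheme assumes a /32 site prefix")
    embedded = int(IPv4Address(v4)) << 64  # lands in hextets 3 and 4
    return IPv6Network((int(site.network_address) | embedded, 64))


def ipv6_subnet_to_ipv4(v6net):
    """Inverse mapping: recover the IPv4 address encoded in a /64 by the scheme above."""
    net = IPv6Network(v6net)
    return IPv4Address((int(net.network_address) >> 64) & 0xFFFFFFFF)


def p2p_link_from_reserved(v6net):
    """Document the whole /64 but number a point-to-point link from its first /127
    (RFC 6164). subnets() is a generator; take one element, never list() 2**63 of them."""
    net = IPv6Network(v6net)
    if net.prefixlen != 64:
        raise ValueError("reserve a /64 per link before carving a /127")
    return next(net.subnets(new_prefix=127))


def plan(v4_subnets, site_prefix=SITE_PREFIX):
    """Build the IPv4 -> IPv6 /64 table for a list of IPv4 network addresses."""
    return {v4: str(ipv4_to_ipv6_subnet(v4, site_prefix)) for v4 in v4_subnets}


if __name__ == "__main__":
    # Constructed input: a few IPv4 subnets as they might appear in an existing plan.
    for v4, v6 in plan(["10.10.10.0", "10.10.20.0", "192.168.1.0"]).items():
        print(f"{v4:>14}  ->  {v6}")
    print("p2p link:", p2p_link_from_reserved("2001:db8:a0a:a0a::/64"))
```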

Page 38: IPv6 on the Interop Network

Agenda

• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Conclusions

Page 39: IPv6 on the Interop Network

DUID

• When a Windows machine is cloned, you can get two or more machines with the same DHCPv6 Unique IDentifier (DUID)

• This DUID is used by the DHCPv6 server to identify the client, so when two clients with the same DUID request IPv6 addresses with DHCPv6, they will both be given the same address

• When the second machine receives its address from the DHCPv6 server, it does IPv6 Duplicate Address Detection, determines there is an IP address conflict, and refuses the lease

Page 40: IPv6 on the Interop Network

Rogue RAs

• When a client is configured to run 6to4 (an automatic tunneling protocol) and Internet Connection Sharing, it will advertise itself as an IPv6 router by sending out RAs on its wireless interface

• Clients receiving such RAs will auto-assign themselves an address in the wrong subnet

• Routers are generally configured with RA guard or equivalent on their wired ports

• Unfortunately there is no way to block rogue RAs over wireless APs (and some wired switches)

Page 41: IPv6 on the Interop Network

Agenda

• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Conclusions

Page 42: IPv6 on the Interop Network

Conclusions

• IPv6 works in the real world
• There are challenges to implementing IPv6, but nothing show-stopping
• Much of the Internet’s content is reachable over IPv6 (and growing fast), including all of Google, FaceBook and 3000 other sites
• A much smaller percentage of Internet users have IPv6 connectivity (though this may change quickly with IPv4 depletion)

Page 43: IPv6 on the Interop Network

Learn More!

• http://www.getipv6.info/
• http://tunnelbroker.net/
• http://www.sixxs.net/
• http://www.ipv6ready.org
• https://www.arin.net/knowledge/ipv6_info_center.html
• Contact us:
  – Brandon Ross, Chief Network Architect and CEO, Network Utility Force, [email protected], +1-404-635-6667
  – Jeff Enters, Chief Infrastructure Architect, HP TS Networking, [email protected], +1-414-412-3268