Building IPv6 into your school's network (PowerPoint presentation)


SLIDE 1

Building IPv6 into your school's network

Glen Turner
AARNet, Australia's Academic and Research Network
AIS ICT Management and Leadership Conference, Canberra 2015

SLIDE 2

This workshop

1) The technology of IPv6
2) The process of IPv6 deployment
3) A discussion about managing the building of IPv6 in schools
4) Q&A

SLIDE 3

The technology of IPv6: IPv4

SLIDE 4

IPv4 format

SLIDE 5

Longest-match forwarding

  • Take the destination address from the packet
  • Look up the address in a forwarding table of (prefix, prefix length, next hop address, next hop interface)
  • Take the matching prefix with the longest prefix length
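
The procedure above, implemented for both IPv4 and IPv6 with Python's standard ipaddress module. This is an added example, not code from the slides; the routes and destinations are constructed from the documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) and the interface names are assumptions.

```python
"""Longest-prefix-match forwarding (added worked example, not from the slides).

The forwarding table holds one record per route: (prefix, next hop, interface).
A lookup takes the destination address and picks the matching prefix with the
longest prefix length. The same code serves IPv4 and IPv6, because an IPv6
address is split by a prefix length exactly as an IPv4 address is.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Route(NamedTuple):
    prefix: Network
    next_hop: Optional[Address]   # None means "directly connected"
    interface: str


class ForwardingTable:
    """A stateless table: memory is one record per route, never per packet."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: Optional[str], interface: str) -> None:
        net = ipaddress.ip_network(prefix, strict=True)
        hop = ipaddress.ip_address(next_hop) if next_hop else None
        if hop is not None and hop.version != net.version:
            raise ValueError("next hop and prefix must be the same IP version")
        self.routes.append(Route(net, hop, interface))
        # Keep the list sorted longest prefix first, so the first hit wins.
        self.routes.sort(key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, destination: str) -> Optional[Route]:
        dst = ipaddress.ip_address(destination)
        for route in self.routes:                  # longest prefix first
            if route.prefix.version == dst.version and dst in route.prefix:
                return route
        return None                                # no route, not even a default


def build_example_table() -> ForwardingTable:
    """Constructed sample table mixing IPv4 and IPv6 routes (documentation prefixes)."""
    fib = ForwardingTable()
    fib.add("0.0.0.0/0", "192.0.2.1", "eth0")           # IPv4 default route
    fib.add("192.0.2.0/24", None, "eth0")                # directly connected
    fib.add("198.51.100.0/24", "192.0.2.254", "eth0")
    fib.add("198.51.100.128/25", "192.0.2.253", "eth1")  # the more specific route wins
    fib.add("::/0", "2001:db8::1", "eth0")               # IPv6 default route
    fib.add("2001:db8:1::/48", "2001:db8::2", "eth0")
    fib.add("2001:db8:1:1::/64", None, "eth1")           # directly connected /64
    return fib


if __name__ == "__main__":
    fib = build_example_table()
    for dst in ("198.51.100.200", "198.51.100.7", "203.0.113.9",
                "2001:db8:1:1::5", "2001:db8:1:2::5", "2001:db8:9::1"):
        r = fib.lookup(dst)
        print(f"{dst:>20} -> {r.prefix} via {r.next_hop} on {r.interface}")
```

Sorting longest prefix first and taking the first match is the simplest correct implementation; real routers use a trie or TCAM, but the semantics are identical. Memory is one Route per prefix regardless of how many packets are forwarded, which is the statelessness slide 10 describes.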

SLIDE 6

IP forwarding

SLIDE 7

Let's look at the forwarding table

  Router> show ip route
  Router> show ip cef
  linux$ route -n
  linux$ ip route show
  C:\> route print
  C:\> netsh interface ipv4 show route
  PS C:\> Get-NetRoute

  • Windows has three families of networking commands
    – BSD-style commands (route, arp)
    – netsh commands
    – PowerShell cmdlets, from Windows Server 2012 R2 and Windows 8.1
  • No one command works on all platforms

SLIDE 8

The link layer also has a next hop

  • ARP request

    Destination: ff:ff:ff:ff:ff:ff (broadcast)
    Source: e0:f8:47:42:79:c2
    Type: ARP (0x0806)
    Address Resolution Protocol (request)
      Hardware type: Ethernet (1)
      Protocol type: IP (0x0800)
      Hardware size: 6
      Protocol size: 4
      Opcode: request (1)
      Sender MAC address: e0:f8:47:42:79:c2
      Sender IP address: 192.168.255.69
      Target MAC address: 00:00:00:00:00:00
      Target IP address: 192.168.255.254

  • ARP reply

    Destination: e0:f8:47:42:79:c2
    Source: b8:27:eb:f1:71:fc
    Type: ARP (0x0806)
    Address Resolution Protocol (reply)
      Hardware type: Ethernet (1)
      Protocol type: IP (0x0800)
      Hardware size: 6
      Protocol size: 4
      Opcode: reply (2)
      Sender MAC address: b8:27:eb:f1:71:fc
      Sender IP address: 192.168.255.254
      Target MAC address: e0:f8:47:42:79:c2
      Target IP address: 192.168.255.69

SLIDE 9

Let's look at the ARP table

  Router> show arp
  linux$ arp -n
  linux$ ip neigh show
  C:\> arp -a
  C:\> netsh interface ipv4 show neighbors
  PS C:\> Get-NetNeighbor

SLIDE 10

Why this design?

  • Stateless
    – No records are kept: whether we forward one packet or one million packets, the same amount of memory is used for forwarding: one record per route
    – ARP is soft-state, we can re-do it at any time
  • The forwarding table allows forwarding and routing to be done independently
    – Forwarding is moving packets from an ingress interface to an egress interface
    – Routing is placing entries in the forwarding table
    – In IP, the routing protocols are implemented as ordinary user-space programs
    – Compare with Ethernet transparent bridging, where learning and forwarding are entangled

SLIDE 11

The technology of IPv6: IPv4 in 2015

SLIDE 12

NAT: outgoing traffic

  • Inspect outgoing traffic
    – Collect (src_addr, src_port, dst_addr, dst_port)
  • Re-write src_addr to my exterior interface's address, find an unused source port on my exterior interface and re-write src_port to that
  • Record these addresses and ports in the expectation table

  Outgoing packet           (10.1.1.1, 10000, 202.158.201.38, 80)
  After re-writing          (150.101.30.33, 20000, 202.158.201.38, 80)
  Expectation table entry   (150.101.30.33, 20000, 10.1.1.1, 10000, 202.158.201.38, 80)

SLIDE 13

NAT: incoming traffic

  • Inspect incoming traffic
  • Is the incoming (src_addr, src_port, dst_addr, dst_port) in the expectation table?
    – If not, the packet is dropped: nobody inside asked for it
  • Re-write the dst_addr and dst_port to the original values in the table

  Incoming packet           (202.158.201.38, 80, 150.101.30.33, 20000)
  After re-writing          (202.158.201.38, 80, 10.1.1.1, 10000)
  Expectation table entry   (150.101.30.33, 20000, 10.1.1.1, 10000, 202.158.201.38, 80)
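
The two procedures of slides 12 and 13 as one small port-translating NAT model. This is an added example, not code from the slides; it uses the slides' own addresses and ports, allocates exterior ports sequentially from 20000 (an assumption, real implementations choose differently), and includes the flush() that a reboot implies.

```python
"""Port-translating NAT (NAPT) with an expectation table; added worked
example, not from the slides. Outgoing packets have their source re-written
and a record stored; incoming packets are admitted only if their 4-tuple
matches a record, and are then re-written back."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FourTuple = Tuple[str, int, str, int]   # (src_addr, src_port, dst_addr, dst_port)


@dataclass
class Packet:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int

    def tuple4(self) -> FourTuple:
        return (self.src_addr, self.src_port, self.dst_addr, self.dst_port)


@dataclass
class Nat:
    exterior_addr: str
    next_port: int = 20000                       # assumption: ports handed out in order
    # expectation table keyed by the exterior-side (src_addr, src_port, dst_addr, dst_port)
    table: Dict[FourTuple, Tuple[str, int]] = field(default_factory=dict)
    # reverse index so one interior flow keeps the same exterior port
    by_interior: Dict[FourTuple, int] = field(default_factory=dict)

    def outgoing(self, pkt: Packet) -> Packet:
        """Slide 12: re-write src_addr/src_port and record the expectation."""
        key = pkt.tuple4()
        port = self.by_interior.get(key)
        if port is None:
            port = self._unused_port()
            self.by_interior[key] = port
            self.table[(self.exterior_addr, port, pkt.dst_addr, pkt.dst_port)] = (
                pkt.src_addr, pkt.src_port)
        return Packet(self.exterior_addr, port, pkt.dst_addr, pkt.dst_port)

    def incoming(self, pkt: Packet) -> Optional[Packet]:
        """Slide 13: only packets matching an expectation get through."""
        # A reply arrives with src = remote server and dst = our exterior
        # address, so the lookup key is the expectation with the ends swapped.
        key = (pkt.dst_addr, pkt.dst_port, pkt.src_addr, pkt.src_port)
        interior = self.table.get(key)
        if interior is None:
            return None          # unsolicited: dropped (the accidental "firewall")
        in_addr, in_port = interior
        return Packet(pkt.src_addr, pkt.src_port, in_addr, in_port)

    def _unused_port(self) -> int:
        used = set(self.by_interior.values())
        while self.next_port in used:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def flush(self) -> None:
        """Slide 15: a reboot loses every record, so every live connection dies."""
        self.table.clear()
        self.by_interior.clear()


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet], Optional[Packet]]:
    """The slides' example flow, an unsolicited packet, and the post-reboot case."""
    nat = Nat(exterior_addr="150.101.30.33")
    out = nat.outgoing(Packet("10.1.1.1", 10000, "202.158.201.38", 80))
    reply = nat.incoming(Packet("202.158.201.38", 80, "150.101.30.33", 20000))
    stray = nat.incoming(Packet("202.158.201.38", 443, "150.101.30.33", 20000))
    nat.flush()
    after_reboot = nat.incoming(Packet("202.158.201.38", 80, "150.101.30.33", 20000))
    return out, reply, stray, after_reboot


if __name__ == "__main__":
    for label, pkt in zip(("out", "reply", "stray", "after reboot"), demo()):
        print(f"{label:>13}: {pkt.tuple4() if pkt else 'dropped'}")
```

Every entry in `table` is state that must survive for the life of the connection, which is what the next slides are about: the table is sized by traffic, not by topology, and it is what a port scan or a flood of short flows fills up.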

SLIDE 14

NAT has benefits

  • Deep packet inspection
    – A necessary part of NAT
    – But a DPI firewall can also work without altering the data passing through it, and is more robust when doing so
  • Address re-numbering
    – The disconnect between exterior and interior addresses allows easy change of the exterior address

SLIDE 15

NAT is stateful

  • One record per connection, aka "state"
    – Router memory is proportional to usage
      • about 6,000 flows per gigabit
    – Except when the traffic has lots of flows
      • Port scanning
      • DNS
    – Anyone who can create flows faster than they expire can fill the table; state exhaustion is the classic denial of service against a NAT or stateful firewall
  • "Unused" records are timed out
    – An Internet of Things device has to turn on its WLAN interface just to send a "keepalive" packet
    – Over 50% of battery use for small embedded devices
  • Rebooting the device flushes all state
    – Arrgh, all my web banking just broke

SLIDE 16

NAT routes can't be asymmetric

  • Both directions of a flow must pass through the same NAT box, because only it holds the state for that flow
  • Fully redundant network, but no traffic :-(

FAIL

SLIDE 17

Whoever controls the NAT wins

  • Carrier-grade NAT is NAT by an ISP
  • This can lead to an anti-competitive market
    – The ISP chooses who can run a server
    – The ISP can choose not to take action, and thus block some traffic which might disadvantage the ISP, such as SIP
  • How do new services get developed in the first place?
  • How do we teach students how to write services?

SLIDE 18

NAT is insanely complex

  • From "Introduction to iptables"

SLIDE 19

Let's look at the NAT table

  Router> show ip nat translations
  linux$ conntrack -L
  C:\> netsh routing ip nat show
  PS C:\> Get-NetNatSession

  • conntrack is in the conntrack-tools package
  • NAT is often bundled only in "value-added" product lines

SLIDE 20

The technology of IPv6

SLIDE 21

IPv6 returns IP to the 1980s

  • Plenty of addressing
    – Cheap, easy
  • End-to-end visibility of addresses
    – No address shortage, so let's IP-forward rather than NAT

'80s hair optional

SLIDE 22

In the '80s-hair era, IP had problems

  • Not enough addresses
    – 254 usable hosts per /24 subnet
    – 256 subnets per university (a class B)
    – One address per interface
  • No automatic configuration
    – Even Novell's IPX and Apple's EtherTalk had that!
  • No privacy
  • No QoS model which scaled
  • No resource discovery
    – Even Banyan VINES and EtherTalk...

SLIDE 23

IPv6 = IPv4 + bug fixes

  • Lots of addressing
    – Address more networks and hosts
      • Can address every host ever made
      • A school (a /48) can have 65,536 subnets, a home (a /60) 16
    – But also to trade off address space for features
  • Stateless automatic address configuration
  • IPsec for secure communication (mandatory to implement in the original IPv6 specification, now only recommended, and rarely used end-to-end)
  • DiffServ for QoS
  • Link-local addresses and mDNS for local resource discovery

SLIDE 24

Thinking about protocols

  • Formats
    – On the wire: drawings are best
    – Textual representations
  • Procedures
    – State diagrams
  • Look at real traffic using a sniffing and pretty-printing tool like Wireshark
  • Look at the data structures your computer has built from this real traffic
    – Interfaces, tables, log messages

SLIDE 25

Formats of addresses

The technology of IPv6

SLIDE 26

Formats: addresses are larger

  • 128 bits
  • Divided into network, subnet and host portions via a prefix length, exactly as for IPv4
  • Schools will most commonly be allocated a /48

SLIDE 27

Address format: textual

  • IPv6 addresses are written in hexadecimal, base 16 (0, 1, …, 9, a, b, …, f)

    20010388000100000000000000000003

  • Add a colon between each 16-bit word

    2001:0388:0001:0000:0000:0000:0000:0003

  • Remove leading zeros from each word

    2001:0388:1:0:0:0:0:3

  • Replace the longest run of zero words with :: (once only; a run of a single zero word is left alone, and if two runs tie, the first is replaced)

    2001:388:1::3

  • It is conventional to add the prefix length

    2001:388:1::3/128

  • For link-local addresses, add the related interface so they become unique

    fe80::e2f8:47ff:fe42:79c2%eth0

SLIDE 28

That's impressive, sort of

  • A lot of work has been done to make the addresses convenient to type
  • Especially for lots of zeros, so there's a hint for numbering your network infrastructure
  • The cost is that IPv6 addresses do not have a simple regular form
    – Write a regular expression which captures all IPv6 addresses. Compare with

      [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

    – The IPv6 pattern has to allow one to four hex digits per word, "::" at most once, an optional embedded dotted quad, a %zone and a /prefix
  • Modifying programs isn't just a matter of increasing field sizes
    – IPv6 addresses are unusual in not fitting one simple pattern, so lots of programs won't handle them

SLIDE 29

Applications and textual addresses

  • URLs containing IPv6 addresses put the address in square brackets, so the colons aren't read as a port separator

    http://[2001:388:4000:4001:ba27:ebff:fed3:9fa1]/

  • Some commands have a -6 flag

    ssh -6 2001:388:4000:4001:ba27:ebff:fed3:9fa1

  • Some commands have "6" variants

    ping6 2001:388:4000:4001:ba27:ebff:fed3:9fa1

  • Sometimes you just can't win
    – The same URL once some markup tool has escaped it

      [http://\[2001\:388\:4000\:4001\:ba27\:ebff\:fed3\:9fa1\]/]

    – And your phone's autocorrect will helpfully change ba27 to back
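
The textual rules of slide 27 and the parsing problem of slides 28 and 29, worked as code. This is an added example, not from the slides; it implements the compression and expansion by hand so each step is visible, and checks itself against the standard ipaddress module, which implements RFC 5952. The regular expression only recognises the outer shape of a literal (brackets, %zone, /prefix); the word-by-word checks do the real validation, which is the point slide 28 makes.

```python
"""IPv6 textual form: compression, expansion and literal parsing.
Added worked example, not from the slides."""
import ipaddress
import re
from typing import Optional, Tuple

# Outer shape only: optional [ ], hex/colon/dot body, optional %zone, optional /prefix.
_LITERAL = re.compile(
    r"^\[?(?P<addr>[0-9A-Fa-f:.]+)(?:%(?P<zone>[^\]/]+))?\]?(?:/(?P<plen>\d{1,3}))?$")
_WORD = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def compress(hex32: str) -> str:
    """Slide 27 step by step: 32 hex digits -> shortest RFC 5952 text."""
    if len(hex32) != 32 or not all(c in "0123456789abcdefABCDEF" for c in hex32):
        raise ValueError("need exactly 32 hex digits")
    words = [int(hex32[i:i + 4], 16) for i in range(0, 32, 4)]   # colon every 16 bits
    text = [format(w, "x") for w in words]                       # drop leading zeros
    # Longest run of zero words wins; ties go to the first run; a run of one
    # word is not compressed (RFC 5952 section 4.2.2).
    best_start, best_len, i = -1, 1, 0
    while i < 8:
        if words[i] == 0:
            j = i
            while j < 8 and words[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_start < 0:
        return ":".join(text)
    return ":".join(text[:best_start]) + "::" + ":".join(text[best_start + best_len:])


def expand(text: str) -> str:
    """Inverse of compress(): any valid textual address -> 32 hex digits."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "." in text:
        # Embedded dotted quad (::ffff:192.0.2.1) is the last field; turn it
        # into two 16-bit words so the rest of the logic sees plain words.
        head, _, quad = text.rpartition(":")
        b = ipaddress.IPv4Address(quad).packed
        text = f"{head}:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}"
    left_text, sep, right_text = text.partition("::")
    left = left_text.split(":") if left_text else []
    right = right_text.split(":") if right_text else []
    missing = 8 - len(left) - len(right)
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError("wrong number of 16-bit words")
    words = left + ["0"] * missing + right
    if not all(_WORD.match(w) for w in words):
        raise ValueError("each word is 1 to 4 hex digits")
    return "".join(format(int(w, 16), "04x") for w in words)


def parse_literal(s: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Accepts 2001:db8::1, [2001:db8::1], fe80::1%eth0, 2001:db8::/32 ...
    Returns (canonical address, zone, prefix length)."""
    m = _LITERAL.match(s)
    if not m:
        raise ValueError(f"not an IPv6 literal: {s!r}")
    canonical = compress(expand(m.group("addr")))
    plen = int(m.group("plen")) if m.group("plen") else None
    if plen is not None and plen > 128:
        raise ValueError("prefix length exceeds 128")
    return canonical, m.group("zone"), plen


def agrees_with_stdlib(text: str) -> bool:
    """Cross-check against the standard library's RFC 5952 implementation."""
    return compress(expand(text)) == ipaddress.IPv6Address(text).compressed
```

Real programs should use the platform's parser (inet_pton, ipaddress, getaddrinfo) rather than a home-grown regex; the point of writing it out is to see how many cases a "just widen the field" port forgets.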

SLIDE 30

Link-local address

  • Every interface gets a link-local address
    – Even without global connectivity
    – Automatically configured
    – Good only for talking within a link
  • A lot of people who "aren't running IPv6" already have these addresses on every interface, sometimes with no IPv6 ACL at all: an IPv4-only firewall policy leaves the IPv6 traffic between those hosts unfiltered

SLIDE 31

Some special addresses

  ::/0            Default route
  ::/128          Unspecified address
  ::1/128         Localhost
  ::ffff:0:0/96   IPv4-mapped addresses
  fc00::/7        Unique local addresses
  fe80::/10       Link-local unicast
  ff00::/8        Multicast

SLIDE 32

Formats of packets

The technology of IPv6

SLIDE 33

Header format: on the wire

SLIDE 34

Some new fields

  • Next header
    – Options are in extension headers which appear before the data
    – The last header's Next header value indicates the protocol of the data
  • Hop limit
    – A better name for Time To Live
  • Flow label
    – IPv6 was designed at the height of interest in "flow forwarding"
    – This lost popularity, as offering differing resource usage to some flows opens the router to complexity attacks
    – We now have little use for it beyond feeding it into load-balancing hashes (RFC 6437)

SLIDE 36

Some removed fields

  • Header checksum
    – Corrupting an address will lead to re-transmission by upper layers
    – And a similar argument for the other fields
  • Identification
    – Please explain what this does (it only ever matched fragments of one datagram together, so it now lives in the Fragment extension header instead)

SLIDE 37

Procedure for fragmentation

The technology of IPv6

SLIDE 38

No per-hop fragmentation

  • IPv4 fragmentation is a mis-feature
    – Fragmentation is difficult to implement in hardware
    – But if you implement it in software then bad people will only ever send you fragments
  • IPv6 routers instead respond with an ICMPv6 Packet Too Big which contains the MTU of the egress interface
    – Firewall hint: let ICMPv6 Packet Too Big (type 2) through, or path MTU discovery, and with it every connection carrying large packets, silently breaks

SLIDE 39

At-source fragmentation remains

  • The application has already sent the data, it can't be asked to write() it again
  • Upon an ICMPv6 Packet Too Big the TCP MSS for the path is set from the PTB's MTU
  • Packets in system buffers larger than the path MTU are fragmented before transmission
  • UDP-speaking applications have a socket() API issue: how does the OS tell them of the new path MTU so the application can alter its PDU size?

SLIDE 40

IPv6 fragmentation self-corrects

SLIDE 41

Procedure for neighbour discovery

The technology of IPv6

SLIDE 42

Like IPv4's ARP

  • Given the address of a neighbour, how do we find its link-layer address?
  • In IPv4 we wrote an ARP "adaptation layer" for every medium
  • In IPv6 we have one neighbour discovery mechanism for all multicast-capable media
  • Firewall hint: neighbour discovery is ICMPv6 (types 133 to 137) sent to link-local multicast groups; don't block it, unless you like a very quiet network
    – These messages are sent with hop limit 255 and receivers discard any that arrive with less, so they can't be injected from beyond the link

SLIDE 43

Neighbour solicitation

  Ethernet II
    Destination: e0:f8:47:42:79:c2
    Source: b8:27:eb:f1:71:fc
    Type: IPv6 (0x86dd)
  Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flow label: 0x00000
    Payload length: 32
    Next header: ICMPv6 (58)
    Hop limit: 255
    Source: fe80::ba27:ebff:fef1:71fc
    Destination: 2001:44b8:1d2:bb00:e2f8:47ff:fe42:79c2
  Internet Control Message Protocol v6
    Type: Neighbor Solicitation (135)
    Code: 0
    Checksum: 0xc2e3
    Reserved: 00000000
    Target Address: 2001:44b8:1d2:bb00:e2f8:47ff:fe42:79c2
    ICMPv6 Option
      Type: Source link-layer address (1)
      Length: 1 (8 bytes)
      Link-layer address: b8:27:eb:f1:71:fc

SLIDE 44

Neighbour advertisement

  Ethernet II
    Destination: b8:27:eb:f1:71:fc
    Source: e0:f8:47:42:79:c2
    Type: IPv6 (0x86dd)
  Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flow label: 0x00000
    Payload length: 24
    Next header: ICMPv6 (58)
    Hop limit: 255
    Source: 2001:44b8:1d2:bb00:e2f8:47ff:fe42:79c2
    Destination: fe80::ba27:ebff:fef1:71fc
  Internet Control Message Protocol v6
    Type: Neighbor Advertisement (136)
    Code: 0
    Checksum: 0x9902
    Flags: 0x40000000 (Solicited)
    Target Address: 2001:44b8:1d2:bb00:e2f8:47ff:fe42:79c2

SLIDE 45

Look at your neighbour cache

  Router> show ipv6 neighbors
  linux$ ip -f inet6 neigh show
  C:\> netsh interface ipv6 show neighbors
  PS C:\> Get-NetNeighbor -AddressFamily IPv6

SLIDE 46

Procedure for local addressing

The technology of IPv6

SLIDE 47

Link-local address

  • Prefix is fe80::/10
  • Lowest 64 bits are an Interface ID
  • Formed using some mechanism which gives a unique address
    – The EUI-64 form of the MAC address
    – A random number
  • A zone (scope) identifier is added when the address is written down, typically the interface name or its SNMP ifIndex, because the same fe80:: prefix exists on every link
  • Duplicate address detection then runs
    – If DAD fails, the interface won't come up for IPv6

SLIDE 48

MAC, EUI-64 and Interface ID
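
The MAC to EUI-64 to interface ID derivation shown on this slide, as an added example (not code from the slides). The MACs are the ones in the packet captures on slides 8, 43 and 56, so the derived link-local and global addresses can be compared with the ones captured there. It also shows the inverse, because the security caveat of EUI-64 interface IDs is that they reveal the hardware address and follow the host from network to network; current operating systems therefore default to random or stable-privacy interface IDs (RFC 4941, RFC 7217), which the last function imitates.

```python
"""MAC -> modified EUI-64 -> interface ID -> IPv6 address.
Added worked example, not from the slides."""
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: insert ff:fe in the middle, then flip the
    universal/local bit (bit 1 of the first octet)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def mac_from_interface_id(iid: bytes) -> str:
    """The inverse: an EUI-64 interface ID leaks the hardware address."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        raise ValueError("not a modified EUI-64 interface ID")
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{o:02x}" for o in octets)


def address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Prefix (/64) + 64-bit interface ID = address (the split of slide 53)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("interface IDs are 64 bits, so the prefix must be a /64")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def link_local(mac: str) -> str:
    """fe80::/64 plus the EUI-64 interface ID, as on slides 27 and 43."""
    return str(address("fe80::/64", eui64_interface_id(mac)))


def global_from_mac(prefix: str, mac: str) -> str:
    """What SLAAC with EUI-64 produces from a Router Advertisement prefix."""
    return str(address(prefix, eui64_interface_id(mac)))


def random_interface_id() -> bytes:
    """A temporary/privacy-style interface ID: random bits, universal/local
    bit clear and no ff:fe marker, so it cannot be mistaken for a MAC."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    if iid[3:5] == b"\xff\xfe":
        iid[4] ^= 0x01
    return bytes(iid)


if __name__ == "__main__":
    print(link_local("e0:f8:47:42:79:c2"))
    print(global_from_mac("2001:388:4000:4002::/64", "00:0f:23:a3:ec:01"))
    print(mac_from_interface_id(
        ipaddress.IPv6Address("2001:388:4000:4002:230:48ff:fefd:d2de").packed[8:]))
```

The reverse mapping is why EUI-64 is now a privacy liability rather than a convenience: an address seen in any log anywhere gives away the vendor prefix and serial of the network card, and the same interface ID appears under every prefix the laptop is ever attached to.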

SLIDE 49

Interface addressing states

  • Tentative
    – DAD yet to run
  • Preferred
    – DAD has succeeded, new connections use this address
  • Deprecated
    – DAD has succeeded, some connections have used this address, but new connections cannot use this address
  • Invalid
    – Address lifetime has expired, traffic to this address is discarded

SLIDE 50

Duplicate address detection

  • An ICMPv6 Neighbor Solicitation is sent to the solicited-node multicast address of the tentative address (ff02::1:ffXX:XXXX, the last 24 bits of the address)
    – Target Address = the tentative address
    – Source Address = ::
  • If you own this address you send an ICMPv6 Neighbor Advertisement to the All-nodes multicast address (ff02::1)
    – because the soliciting system can't yet receive on its tentative address
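
The Neighbor Solicitation and Neighbor Advertisement captured on slides 43 and 44, rebuilt from their fields, together with the DAD probe this slide describes. This is an added example, not code from the slides. It computes the ICMPv6 checksum over the IPv6 pseudo-header as RFC 4443 requires, so the checksums it produces can be compared with the 0xc2e3 and 0x9902 in the two captures; the DAD probe is addressed to the solicited-node group of the tentative address, as RFC 4862 specifies.

```python
"""ICMPv6 Neighbour Discovery messages on the wire, with checksum.
Added worked example, not from the slides."""
import ipaddress
import struct
from typing import Dict, Optional

ICMPV6 = 58
NS, NA = 135, 136
ALL_NODES = "ff02::1"


def checksum(src: str, dst: str, payload: bytes) -> int:
    """RFC 4443 section 2.3: one's-complement sum over pseudo-header + message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(payload)) + b"\x00\x00\x00" + bytes([ICMPV6]))
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_field(packet: bytes) -> int:
    """The checksum as carried in bytes 2-3 of an ICMPv6 message."""
    return int.from_bytes(packet[2:4], "big")


def _mac(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def solicited_node(addr: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the address."""
    low = ipaddress.IPv6Address(addr).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low))


def neighbor_solicitation(src: str, dst: str, target: str, src_mac: Optional[str]) -> bytes:
    """Type 135. A DAD probe has src '::' and carries no source link-layer option."""
    body = struct.pack("!BBHI", NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if src_mac is not None:
        body += bytes([1, 1]) + _mac(src_mac)     # option type 1, length 1 (8 bytes)
    return body[:2] + struct.pack("!H", checksum(src, dst, body)) + body[4:]


def neighbor_advertisement(src: str, dst: str, target: str, flags: int) -> bytes:
    """Type 136. flags: 0x80000000 router, 0x40000000 solicited, 0x20000000 override."""
    body = struct.pack("!BBHI", NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    return body[:2] + struct.pack("!H", checksum(src, dst, body)) + body[4:]


def dad_probe(tentative: str) -> Dict[str, object]:
    """Slide 50: probe from the unspecified address to the solicited-node group
    of the tentative address; any reply must go to all-nodes."""
    dst = solicited_node(tentative)
    return {"src": "::", "dst": dst, "target": tentative,
            "packet": neighbor_solicitation("::", dst, tentative, None),
            "reply_goes_to": ALL_NODES}


def parse(src: str, dst: str, payload: bytes) -> Dict[str, object]:
    """Dissect a NS/NA, verifying the checksum the way a receiving host does."""
    if len(payload) < 24:
        raise ValueError("truncated ICMPv6 ND message")
    if checksum(src, dst, payload) != 0:          # a correct message sums to zero
        raise ValueError("bad ICMPv6 checksum")
    kind, code, csum, word = struct.unpack("!BBHI", payload[:8])
    info: Dict[str, object] = {"type": kind, "code": code, "checksum": csum,
                               "target": str(ipaddress.IPv6Address(payload[8:24]))}
    if kind == NA:
        info["solicited"] = bool(word & 0x40000000)
    if len(payload) >= 32 and payload[24] == 1 and payload[25] == 1:
        info["source_link_layer"] = ":".join(f"{b:02x}" for b in payload[26:32])
    return info


if __name__ == "__main__":
    host, peer = "fe80::ba27:ebff:fef1:71fc", "2001:44b8:1d2:bb00:e2f8:47ff:fe42:79c2"
    ns = neighbor_solicitation(host, peer, peer, "b8:27:eb:f1:71:fc")
    na = neighbor_advertisement(peer, host, peer, 0x40000000)
    print(f"NS checksum 0x{checksum_field(ns):04x}, NA checksum 0x{checksum_field(na):04x}")
    print(parse(host, peer, ns), parse(peer, host, na), dad_probe("2001:db8::1")["dst"])
```

The unicast solicitation on slide 43 goes straight to the target because the sender already knows its address and only wants its MAC; a DAD probe can't do that, which is why the solicited-node group exists and why a switch that filters multicast ND breaks address assignment before any traffic flows.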

SLIDE 51

Look at your addresses

  Router> show ipv6 interface
  linux$ ip -f inet6 addr show
  C:\> netsh interface ipv6 show addresses

SLIDE 52

Procedure for global addressing

The technology of IPv6

SLIDE 53

Parts of the problem

  • IPv6 global address = Prefix + Interface ID
  • A host can decide its own Interface ID
    – EUI-64
    – Randomly
    – Configuration
  • So how does a host learn the subnet's prefix?
  • Routers must know the prefix, so let's ask them
    – A global address is pointless without a router anyway

SLIDE 54

How does the router learn?

  • Manually

    ipv6 unicast-routing
    ipv6 multicast-routing
    no ipv6 source-route
    interface Ethernet0
     ipv6 enable
     ipv6 address 2001:DB8:1234:1234::/64 eui-64
     ipv6 verify unicast source reachable-via rx
     ipv6 traffic-filter ETH0-IN-LIST6 in
     ipv6 traffic-filter ETH0-OUT-LIST6 out
     ipv6 nd router-preference medium

SLIDE 55

Router discovery

  • Routers send everything needed to set up an interface in a Router Advertisement
    – Prefixes
    – Hop limit
    – Interface MTU
    – Recently, DNS forwarder and domain name suffix
  • A host can send a Router Solicitation to prompt a router to send a Router Advertisement immediately
  • Router discovery implicitly allows multiple routers and failover
  • Anything on the link can send a Router Advertisement, so a rogue or misconfigured host can take over the default route and DNS of every host on the subnet; RA Guard on switch ports (RFC 6105) is the usual defence

SLIDE 56

Let's try it

  • ndisc6 has a good set of diagnostic tools

    $ sudo dnf install ndisc6
    $ sudo rdisc6 -n em1

    Soliciting ff02::2 (ff02::2) on em1...
    Hop limit                 : 64 (0x40)
    Stateful address conf.    : No
    Stateful other conf.      : No
    Router preference         : medium
    Router lifetime           : 1800 (0x00000708) seconds
    Reachable time            : unspecified (0x00000000)
    Retransmit time           : unspecified (0x00000000)
    Source link-layer address : 00:0F:23:A3:EC:01
    MTU                       : 9000 bytes (valid)
    Prefix                    : 2001:388:4000:4002::/64
      Valid time              : 2592000 (0x00278d00) seconds
      Pref. time              : 604800 (0x00093a80) seconds
    from fe80::20f:23ff:fea3:ec01

SLIDE 57

Look at your interfaces & routes

  Router> show ipv6 route
  linux$ ip -f inet6 route show
  C:\> netsh interface ipv6 show route

SLIDE 58

There's also DHCP6

  • Used to be the recommended way to obtain DNS configuration details
    – This has moved into the Router Advertisement
    – This use is stateless: the same answer is given to every host
  • Stateful DHCP6 is likely to be a misfeature
    – Client support is poor
    – Much less resilient to network faults than SLAAC
  • The host knows whether to use SLAAC or DHCP6 from the Router Advertisement: its "managed" and "other configuration" flags, the "Stateful address conf." and "Stateful other conf." lines in the rdisc6 output

SLIDE 59

How do IPv4 and IPv6 coexist?

The technology of IPv6

SLIDE 60

Routing

  • Choices
    – Ships in the night: distinct protocols, two routing processes
    – Extensions to the IPv4 protocol to carry IPv6 prefixes
  • Differing protocols made differing choices
    – OSPFv3
    – BGP and IS-IS already multiprotocol
    – EIGRP extended
  • Extended protocols may not have fate sharing
    – IPv6 forwarding fails
    – But IPv6 routes are still learned from the protocol running over IPv4

SLIDE 61

Routing

  • Some extended protocols can be configured for fate-sharing
    – BGP: run two neighbours, IPv4 routes over the IPv4 session, IPv6 routes over the IPv6 session
    – More CPU
  • IPv6 offers an opportunity to change routing protocol
    – eg: use OSPFv3 for IPv6, continue to use EIGRP for IPv4
    – Once IPv6 is deployed, you can log into routers on their IPv6 address, and so changing IPv4 from EIGRP to OSPF isn't a highwire act

SLIDE 62

Domain name system: servers

The technology of IPv6

SLIDE 63

AAAA for name to address

  • A new AAAA ("quad A") record type
  • Works as you would expect

    yoyo.adelaide.aarnet.edu.au.  AAAA  2001:388:4000:4002:230:48ff:fefd:d2de

SLIDE 64

PTR used for address to name

  • Exactly the same PTR record as for IPv4
  • But the owner name is different: every hex nibble of the address, reversed, under ip6.arpa

    e.d.2.d.d.f.e.f.f.f.8.4.0.3.2.0.2.0.0.4.0.0.0.4.8.8.3.0.1.0.0.2.ip6.arpa.  PTR  yoyo.adelaide.aarnet.edu.au.

  • The reversed-nibble format means that you'll go insane if you don't use 4-bit boundaries in IPv6 addressing plans, because only whole nibbles can be delegated

SLIDE 65

DNS servers can be on IPv6

  • Like any server, a DNS server can have an IPv6 address
  • A DNS server gives the same answers whether the question was asked over IPv4 or over IPv6
  • In particular, a "dual-stack" host can ask an AAAA question over an IPv4 connection to the server

SLIDE 66

Domain name system: resolving

The technology of IPv6

SLIDE 67

What is DNS resolving?

  • An application hands the C library the name "www.example.edu.au" and wants to convert that to an address, preliminary to connecting to that address
  • The resolver will often offload parts of this task to DNS forwarders, asking them to do a "recursive query" and simply tell the host the results
    – This allows very effective DNS caching
    – The genius of DNS is that it is hugely inefficient, but that is hidden by the caches
    – So despite hosts being very powerful we still use forwarders

SLIDE 68

Resolving is the migration mechanism

  • Let's say we have a working IPv6 global address
  • We want to use IPv6 connections to IPv6-capable servers, but still use IPv4 connections to IPv4-only servers. Where a server does both protocols we want to use an IPv6 connection.
  • Resolve an AAAA record
    – It exists? Well, use that IPv6 address
    – NXDOMAIN? Typo, fail (the name doesn't exist at all, so asking for an A record is pointless)
    – Answers = 0 (the name exists but has no AAAA)? Try to resolve an A record
      • It exists? Well, use that IPv4 address
      • Answers = 0? Fail

SLIDE 69

Problems

  • In a world of mostly IPv4 websites, IPv6 machines will be slower
    – The AAAA lookup will almost always fail, wasting that time
    – Libraries often send the AAAA and A queries in parallel
  • Some libraries disable IPv6 on the merest error
    – Since there will be an IPv4 answer
    – But if it's an IPv6-only website, that's bad news
  • Blackholing if you have an IPv6 global address but no actual IPv6 connectivity
    – Modern clients race an IPv6 and an IPv4 connection attempt ("Happy Eyeballs", RFC 6555) so a blackholed IPv6 path costs milliseconds rather than a connect timeout

SLIDE 70

Exploring resolving

  • gethostbyname() can't be extended to IPv6
  • As part of porting a program to IPv6, replace these calls with getaddrinfo(). This returns an ordered list of (family, type, protocol, canonical name, sockaddr) to hand to socket(), bind() and connect()

    import socket
    print(socket.getaddrinfo('www.facebook.com', 'http', 0, socket.SOCK_STREAM))

    [( 2, 1, 6, '', ('179.60.193.3', 80)),
     (10, 1, 6, '', ('2a03:2880:f019:2:face:b00c:0:1', 80, 0, 0))]

  • Family 2 is AF_INET and 10 is AF_INET6 on Linux; the IPv6 sockaddr carries flow info and scope id as well as address and port
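
The decision procedure of slide 68 and the getaddrinfo()-driven connect loop of this slide, as an added example that is not from the slides. DNS answers come from a constructed in-memory zone (so the NXDOMAIN versus empty-answer distinction can be exercised offline), and the fallback is demonstrated against a listener on the IPv4 loopback with an IPv6 candidate listed first, which is the "global address but no connectivity" case of slide 69 in miniature. The names under .example are constructed.

```python
"""Dual-stack resolution policy and first-success connect.
Added worked example, not from the slides."""
import socket
import threading
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the DNS: name -> {rrtype: [rdata]}. A name that
# exists but has no AAAA yields an empty answer (NOERROR, 0 answers), which
# is a different thing from NXDOMAIN (the name does not exist at all).
ZONE: Dict[str, Dict[str, List[str]]] = {
    "dual.example":   {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "v4only.example": {"A": ["192.0.2.20"]},
    "v6only.example": {"AAAA": ["2001:db8::30"]},
}


def lookup(name: str, rrtype: str) -> Tuple[str, List[str]]:
    """(rcode, answers) as a stub resolver sees them."""
    if name not in ZONE:
        return "NXDOMAIN", []
    return "NOERROR", ZONE[name].get(rrtype, [])


def choose_address(name: str) -> Optional[Tuple[int, str]]:
    """Slide 68: AAAA first; NXDOMAIN is fatal; an empty AAAA answer means try A.
    Returns (ip version, address) or None."""
    rcode, answers = lookup(name, "AAAA")
    if rcode == "NXDOMAIN":
        return None                     # a typo: do not fall through to A
    if answers:
        return 6, answers[0]
    rcode, answers = lookup(name, "A")
    if rcode == "NOERROR" and answers:
        return 4, answers[0]
    return None


def connect_first(candidates: List[Tuple[int, tuple]], timeout: float = 2.0) -> Optional[socket.socket]:
    """Slide 70: walk the (family, sockaddr) list getaddrinfo() hands back, in
    order; the first connect() that succeeds wins. A failed socket() (no IPv6
    stack) or a failed connect() just moves on to the next candidate."""
    for family, sockaddr in candidates:
        try:
            s = socket.socket(family, socket.SOCK_STREAM)
        except OSError:
            continue
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return s
        except OSError:
            s.close()
    return None


def demo_fallback() -> Tuple[Optional[int], str]:
    """Listener on 127.0.0.1 only; the client tries ::1 first, then 127.0.0.1.
    Returns (IP version that connected, peer address the server saw)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    seen: List[str] = []

    def accept_one() -> None:
        conn, peer = server.accept()
        seen.append(peer[0])
        conn.close()

    worker = threading.Thread(target=accept_one, daemon=True)
    worker.start()
    candidates = [(socket.AF_INET6, ("::1", port, 0, 0)),   # nothing listens here: fails fast
                  (socket.AF_INET, ("127.0.0.1", port))]
    client = connect_first(candidates)
    version = {socket.AF_INET: 4, socket.AF_INET6: 6}.get(client.family) if client else None
    if client:
        client.close()
    worker.join(timeout=2.0)
    server.close()
    return version, (seen[0] if seen else "")


if __name__ == "__main__":
    for name in ("dual.example", "v4only.example", "v6only.example", "typo.example"):
        print(f"{name:>16}: {choose_address(name)}")
    print("fallback connected over IPv%s from %s" % demo_fallback())
```

The sequential loop is what the C-library `getaddrinfo()` port on slide 86 buys you; it still pays a full connect timeout per dead IPv6 candidate, which is the delay Happy Eyeballs removes by starting the IPv4 attempt a few hundred milliseconds after the IPv6 one instead of waiting for it to fail.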

SLIDE 71

Deploying IPv6

SLIDE 72

Address plans

Deploying IPv6

SLIDE 73

IPv6 has /64 Interface IDs

  • Every subnet has enough address space for every host ever made
  • You should not change the prefix length for host-facing subnets. It is essentially fixed at /64, because stateless address autoconfiguration assumes a 64-bit interface ID. (Router-to-router point-to-point links are the exception; /127 is used there, RFC 6164.)

SLIDE 74

The ISP gives an allocation

  • /48 for a school
    – 16 bits of subnetting
    – Free
  • /32 for a large institution
    – 32 bits of subnetting
    – Ongoing APNIC membership

SLIDE 75

How to use those 16 bits of subnetting

  • Lots of schemes
  • The best one uses VLAN IDs: a VLAN ID is 12 bits, so it drops straight into the low three nibbles of the subnet ID and leaves the top nibble free

SLIDE 76

Route summarisation

  • OSPF can have areas
  • At the area/core (aka "area 0") edge, summarise longer prefixes into a single summary prefix
    – Fewer routes advertised
    – The backbone doesn't see events which only happen to a single subnet (eg, a flapping interface)
  • No one does this, because IPv4 lacks enough address space
  • IPv6 has enough address space
    – eg: use the top four bits of the subnet ID as the site or area number, so each site is one /52
    – Remember to keep 0 free to save typing
    – So start numbering sites from 1

SLIDE 77

Loopback addresses

  • These are the control-plane addresses of a router
  • You type them often, as DNS isn't useful when the network is broken
  • So they go into the 0000 subnet, where the :: shorthand keeps them short

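
An address plan following slides 75 to 77, with the ip6.arpa names of slide 64, as an added example not from the slides. The /48 is the documentation prefix 2001:db8:1::/48, an assumption standing in for the school's allocation; site numbers take the top nibble of the subnet ID, VLAN IDs the low 12 bits, and site 0 holds the loopbacks.

```python
"""A /48 address plan: site nibble + VLAN ID, /52 per-site summaries,
loopbacks in subnet 0, and the matching ip6.arpa names.
Added worked example, not from the slides."""
import ipaddress

SITE_BITS, VLAN_BITS = 4, 12      # 4 + 12 = the 16 bits of subnetting inside a /48


def plan_subnet(school: str, site: int, vlan: int) -> ipaddress.IPv6Network:
    """/64 for one VLAN at one site: subnet ID = site (top nibble) + VLAN ID."""
    net = ipaddress.IPv6Network(school, strict=True)
    if net.prefixlen != 48:
        raise ValueError("the plan assumes the ISP allocated a /48")
    if not 1 <= site < (1 << SITE_BITS):
        raise ValueError("site is 1..15; site 0 is kept for infrastructure")
    if not 0 <= vlan < (1 << VLAN_BITS):
        raise ValueError("VLAN IDs are 12 bits")
    subnet_id = (site << VLAN_BITS) | vlan
    base = ipaddress.IPv6Address(int(net.network_address) | (subnet_id << 64))
    return ipaddress.IPv6Network(f"{base}/64")


def site_summary(school: str, site: int) -> ipaddress.IPv6Network:
    """The single /52 a site's area-border router advertises into area 0."""
    return plan_subnet(school, site, 0).supernet(new_prefix=48 + SITE_BITS)


def loopback(school: str, router: int) -> ipaddress.IPv6Address:
    """Router control-plane addresses in subnet 0000: short enough to type."""
    net = ipaddress.IPv6Network(school, strict=True)
    if not 1 <= router < (1 << 64):
        raise ValueError("router number must fit the interface ID")
    return ipaddress.IPv6Address(int(net.network_address) | router)


def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone for a prefix. Nibbles are the unit of delegation, so a
    prefix length that is not a multiple of 4 has no clean reverse zone."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} does not end on a 4-bit boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_name(addr: str) -> str:
    """Owner name of a host's PTR record: all 32 nibbles, reversed (slide 64)."""
    return reverse_zone(f"{addr}/128")


if __name__ == "__main__":
    school = "2001:db8:1::/48"
    print("VLAN 42 at site 1:", plan_subnet(school, 1, 42))
    print("site 2 summary:   ", site_summary(school, 2), "->", reverse_zone(str(site_summary(school, 2))))
    print("router 1 loopback:", loopback(school, 1))
    print("PTR owner:        ", ptr_name("2001:388:4000:4002:230:48ff:fefd:d2de"))
```

Because each site is a /52, its reverse zone is a 13-nibble name that can be delegated to the site's own DNS server; a /50 or /51 per site would give a summary route that works fine in OSPF but has no zone boundary in ip6.arpa, which is the insanity slide 64 warns about.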
SLIDE 78

Servers and their services

Deploying IPv6

SLIDE 79

Service addressing

  • IPv6 encourages multiple addresses on an interface
    – Not a risk, as it is with IPv4
  • We can assign an address per service
    – We often put routers on the ::1 address
    – So put services on the :1: addresses
  • Use the daemon's "bind" configuration directive to attach it to that IPv6 address
  • Now if we want to move a service to another server in the subnet, we move its address

SLIDE 80

Deployment strategies

Deploying IPv6

SLIDE 81

How not to do it

  • "This morning we will turn on IPv6"
  • "We will use IPv6 for this demo project"

SLIDE 82

If a tree falls in the forest

  • If we deploy IPv6 into our network backbone, who is to know?
    – We can then solve firewall transition issues
  • If we deploy IPv6 into the IT "junk" subnet, who is to care?
    – So we get real hosts and can look at how our standard environment works
  • If we deploy IPv6 into a "test" SSID, who is to care?
    – Get early adopters on board
    – Easy opt-in for people who want to check their applications work
    – Brings up traffic control and accounting

SLIDE 83

The Internet already runs IPv6

  • Internet-facing servers will already be capable of running IPv6
    – Many have supported IPv6 for a decade
  • So transitioning those is low risk
    – The bulk of the school is IPv4 users, they don't care

SLIDE 84

Recent OSs run IPv6 well

  • Labs are a good target
    – We know the operating system
    – We have good control and visibility
  • Use that experience to field an updated standard OS image during a non-critical time for the bulk of users
    – The rubber hits the road
    – Status information and communication are essential

SLIDE 85

Enterprise applications

  • SAP and co have never run IPv6
  • We don't want to be first

SLIDE 86

Bespoke applications

  • Three things the programmer needs to update
    – Replace gethostbyname() with getaddrinfo()
    – Alter fields and text parsing for the longer and differently formatted IPv6 address
    – IPv4 and IPv6 are different protocols, so modify the application to carry a protocol ID
      • Was: (addr)
      • Now: (ip-version, addr)
    – You can cheat on the last one by storing everything as IPv6
      • ::ffff:1.2.3.4, the IPv4-mapped form
      • Semantically valid to the socket API, never routed on the wire
  • Optionally, add the bind feature

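
The (ip-version, addr) change and the ::ffff:a.b.c.d cheat of this slide, as an added example not from the slides. The security point it demonstrates: a dual-stack listener (one AF_INET6 socket with IPV6_V6ONLY off, as dual_stack_listener() creates) reports IPv4 peers as ::ffff:a.b.c.d, and a block-list written in IPv4 notation no longer matches them unless the mapped form is unwrapped first. The prefixes are constructed from documentation ranges.

```python
"""Carrying the IP version through an application, and the IPv4-mapped cheat.
Added worked example, not from the slides."""
import ipaddress
import socket
from typing import List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def classify(text: str) -> Tuple[int, str]:
    """Was: (addr). Now: (ip-version, addr). Mapped addresses count as IPv4."""
    addr = ipaddress.ip_address(text.split("%", 1)[0])    # drop any link-local zone
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return 4, str(addr.ipv4_mapped)
    return addr.version, str(addr)


def as_mapped(text: str) -> ipaddress.IPv6Address:
    """The cheat: one 128-bit type for both families. Socket-API form only;
    these addresses never appear on the wire."""
    version, plain = classify(text)
    if version == 4:
        return ipaddress.IPv6Address(f"::ffff:{plain}")
    return ipaddress.IPv6Address(plain)


class PrefixSet:
    """A block-list or allow-list of prefixes from either family."""

    def __init__(self, prefixes: List[str]) -> None:
        self.nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]

    def _match(self, addr: Address) -> bool:
        return any(addr.version == n.version and addr in n for n in self.nets)

    def contains_naive(self, peer: str) -> bool:
        """Buggy: a mapped IPv4 peer parses as IPv6 and matches no IPv4 prefix,
        so an IPv4 block-list is bypassed by the same host arriving through a
        dual-stack socket."""
        return self._match(ipaddress.ip_address(peer.split("%", 1)[0]))

    def contains(self, peer: str) -> bool:
        """Fixed: unwrap ::ffff:a.b.c.d before matching."""
        return self._match(ipaddress.ip_address(classify(peer)[1]))


def dual_stack_listener(port: int = 0) -> socket.socket:
    """How the mapped peers arise: one socket accepting both families.
    accept() on this socket reports IPv4 clients as ('::ffff:a.b.c.d', ...)."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    s.bind(("::", port))
    s.listen(5)
    return s


if __name__ == "__main__":
    blocked = PrefixSet(["192.0.2.0/24", "2001:db8:bad::/48"])   # constructed block-list
    for peer in ("192.0.2.7", "::ffff:192.0.2.7", "2001:db8:bad::1", "2001:db8::1"):
        print(f"{peer:>20}: naive={blocked.contains_naive(peer)} fixed={blocked.contains(peer)}")
```

Whichever representation you pick, normalise at the edge (right after accept() or getpeername()) and compare canonical values everywhere else; the two-tuple form makes it obvious when a code path forgot, whereas the mapped form makes IPv4 and IPv6 silently interchangeable, which is convenient until a block-list is involved.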
SLIDE 87

Pain points

  • Firewalls
    – Need to write another set of firewall rules
    – Convention is to use the existing name with 6 at the end

      interface Ethernet 0
       ip access-group ETH0-IN-LIST in
       ipv6 traffic-filter ETH0-IN-LIST6 in

  • Accounting
    – Often assumes fixed IP addresses
    – Sometimes assumes a tap into the DHCP database
    – Large amount of textual messing about
    – NetFlow version change: NetFlow v5 only carries IPv4, so you want NetFlow v9 or IPFIX for IPv6

SLIDE 88

Accounting vs SLAAC

  • Sometimes people use DHCP6 to continue with their accounting design
  • They almost always regret this
  • Other accounting architectures are possible
    – Small scale: MAC addresses, or 802.1X
    – Large scale: SCU/DCU

SLIDE 89

The "business case"

Deploying IPv6

SLIDE 90

We're running out of IPv4 addresses

  • That's distorting our networks' designs
    – For so long and so badly that it's often hard to see how badly until after you deploy IPv6
    – I rebooted my home router and none of my connections died
  • Scarce resources are allocated using money
    – You want to address 100,000 Internet-visible virtual machines
    – It's going to cost you a million dollars
    – The sums aren't going to get better

SLIDE 91

Low-impact changes take time

  • If you choose not to do a gradual deployment of IPv6
  • Then you are choosing a high-impact network change
  • Fine example here today

SLIDE 92

"Business case" cynicism

  • Enterprise networks have already deployed a new protocol
  • It doesn't do much at all: faster convergence for vastly increased configuration complexity
  • MPLS

SLIDE 93

Discussion

Deploying IPv6

SLIDE 94

Topics

  • Deployment in your network
  • Particular example networks
  • Items of interest

SLIDE 95

EOF