siit dc ipv4 service contjnuity for ipv6 data centres
play

SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson - PowerPoint PPT Presentation

Nov 18, 2022 •397 likes •550 views

SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36, London, January 2017 Incremental IPv6 deployment in DC IPv4-only IPv4-only + IPv6 via NAT/proxy/etc Dual-stacked public frontend, IPv4 BE Full

  1. SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36, London, January 2017

  2. Incremental IPv6 deployment in DC • IPv4-only IPv4-only + IPv6 via NAT/proxy/etc Dual-stacked public frontend, IPv4 BE Full dual-stack Dual-stacked public frontend, IPv6 BE IPv6-only + IPv4 via NAT/proxy/etc IPv6-only

  3. IPv4 sucks • Not enough addresses • Default route through stateful NAPT44 boxes • Overlap with customer use of RFC1918 • Renumbering/resizing server LANs • No IPv6 for customers who want / require it (such as the entjre Norw€gian pub£ic $ector)

  4. Dual stack sucks MORE • Needs IPv4 - see previous slide for why it sucks • Dual stack = Dual WORK and Dual COMPLEXITY – 2x ACLs / fjrewall rules – 2x monitoring targets – 2x places where errors can occur (esp. human errs) – 2x protocols the server and apps guys must learn – N x possible applicatjon commicatjon patuerns • IPv4 becomes like a spreading cancer which it's almost impossible to safely remove later

  5. What's realistjc today? • IPv4-only IPv4-only + IPv6 via NAT/proxy/etc Dual-stacked public frontend, IPv4 BE Full dual-stack Dual-stacked public frontend, IPv6 BE IPv6-only + IPv4 via NAT/proxy/etc IPv6-only more than 80% of end-users world-wide do not have IPv6! (source: https://www.google.com/intl/en/ipv6/statistics.html)

  6. So let's take a shortcut... • IPv4-only IPv4-only + IPv6 via NAT/proxy/etc Dual-stacked public frontend, IPv4 BE Full dual-stack Dual-stacked public frontend, IPv6 BE IPv6-only + IPv4 via NAT/proxy/etc IPv6-only

  7. SIIT-DC: Stateless IP/ICMP Translatjon for IPv6 Data Centre environments (RFC 7755) The IPv4 Internet The IPv6 Internet SIIT -DC Border relays IPv6 data centre network

  8. SIIT-DC operatjon in a nutshell • The IPv4 internet is mapped into an IPv6 translatjon prefjx – IPv4 0.0.0.0/0 -> IPv6 2001:db8:: 0.0.0.0 /96 [same as 2001:db8::/96] – For example: 203.0.113.10 -> 2001:db8:: 203.0.113.10 [same as 2001:db8:: cb00:710a ] • A table of explicit 1:1 IPv4:IPv6 mappings determine which IPv6 addresses are reachable through which IPv4 addresses – A pool of public IPv4 addresses is required - use your last /22, for example • 185.47.43.0 -> 2001:db8:dc1::80 (“web server in data centre 1”) • 185.47.43.1 -> 2001:db8:dc2::25 (“smtp server in data centre 2”) • 185.47.43.2 -> 2001:db8:dc1::389 (“ldap server in data centre 1”) • 185.47.43.3 -> 2001:200:dfg:fgf1:216:3efg:feb1:44d7 (kame.net - somewhere on the Internet) • [...] IPv6 IPv4 IPv6-mapped IPv4 ::/0 0.0.0.0/0 2001:db8::0.0.0.0/96 (not to scale)

  9. SIIT-DC packet fmow IPv4-only IPv6-only 2001:db8:dc1::80 203.0.113.50 • A completely normal IPv4-only client wants to connect to a web site hosted on an IPv6-only server • A redundant pair of SIIT-DC Border Relays provides the glue between IPv4 and IPv6

  10. The IPv4 client connectjng IPv4-only IPv6-only SRC: 203.0.113.50 DST: 185.47.43.0 HTTP GET /foo [...] 2001:db8:dc1::80 203.0.113.50 • The IPv4 service address is published as a regular A record for the service in DNS • It's routed to the provider's SIIT-DC border relay using standard IPv4 routjng techniques • IPv4 clients connect to it in a normal way

  11. IPv4->IPv6 translatjon IPv4-only IPv6-only SRC: 203.0.113.50 SRC: 2001:db8:: 203.0.113.50 DST: 185.47.43.0 DST: 2001:db8: dc1::80 HTTP GET /foo [...] HTTP GET /foo [...] 2001:db8:dc1::80 203.0.113.50 • The pre-defjned /96 prefjx is prepended to the IPv4 packet's SRC fjeld by the SIIT-DC BR • The DST address is swapped according to confjgured 1:1 IPv4:IPv6 mapping by the SIIT-DC BR • Layer 4 payload is copied verbatjm • The packet is then routed to the server as a completely ordinary IPv6 packet

  12. IPv6 server processing IPv4-only IPv6-only SRC: 203.0.113.50 SRC: 2001:db8:: 203.0.113.50 DST: 185.47.43.0 DST: 2001:db8: dc1::80 HTTP GET /foo [...] HTTP GET /foo [...] 2001:db8:dc1::80 203.0.113.50 SRC: 2001:db8: dc1::80 DST: 2001:db8:: 203.0.113.50 HTTP 200 OK [...] • The server responds to the packet just as it would with any other IPv6 packet • The original IPv4 source address isn't lost • The /96 prefjx (equivalent to the IPv4 default route) is routed to closest SIIT-DC BR

  13. IPv6->IPv4 translatjon IPv4-only IPv6-only SRC: 203.0.113.50 SRC: 2001:db8:: 203.0.113.50 DST: 185.47.43.0 DST: 2001:db8: dc1::80 HTTP GET /foo [...] HTTP GET /foo [...] 2001:db8:dc1::80 203.0.113.50 SRC: 185.47.43.0 SRC: 2001:db8: dc1::80 DST: 203.0.113.50 DST: 2001:db8:: 203.0.113.50 HTTP 200 OK [...] HTTP 200 OK [...] • The /96 prefjx is stripped from the IPv6 packet's DST fjeld • 1:1 IPv4:IPv6 mapping is used to swap SRC fjeld • Again, layer 4 payload is untouched • The resultjng IPv4 packet is returned to the client which processes it normally

  14. SIIT-DC features / highlights • No special sofuware needed on endpoints (IPv4 client thinks he's talking to a IPv4 server; IPv6 server thinks he's talking to an IPv6 client) • IPv4 SRC address not lost (think if server/app wants to do geo-loc, logging, etc.) • It's STATELESS! Anycast, ECMP, no session tables or connectjon tracking. • Server admins, monitoring, ACLs - IPv6 only • Super easy to eventually decommission

  15. It's really, really simple to set up (use the cofgee break!) • A complete Cisco ASR/CSR ! interface GigabitEthernet1 ip address 192.168.1.2 255.255.255.252 nat64 enable example confjg to the right nat64 settings mtu minimum 1500 ipv6 address 2001:db8::2/64 ! • Other implementatjons exist ip route 0.0.0.0 0.0.0.0 192.168.1.2 ip route 185.47.43.0 255.255.255.0 Null0 ! – Brocade ADX, F5 BIG-IP LTM, ipv6 route ::/0 2001:db8::1 ! nat64 prefix stateful 2001:db8:46::/96 Linux/TAYGA, Linux/Jool, nat64 v6v4 static 2001:db8:dc1::80 185.47.43.0 nat64 v6v4 static 2001:db8:dc2::25 185.47.43.1 nat64 v6v4 static 2001:db8:dc1::389 185.47.43.2 Linux/fd.io/VPP nat64 v6v4 static 2001:200:dff:fff1:216:3eff:feb1:44d7 185.47.43.3 nat64 settings fragmentation header disable nat64 settings flow-entries disable – On server: Linux/clatd/TAYGA ! • Incremental deployment [Never mind the «stateful» , it's really stateless because of «flow-entries disable» . The 10 lines that are directly related to SIIT-DC are highlighted in bold, the rest are just standard – It doesn't require an IPv6- only IPv4/IPv6 network connectivity. Note that 185.47.43.0/24 and 2001:db8:46::/96 must be routed to the ASR/CSR box somehow.] network, just an IPv6 one (dual-stack networks like the Internet included)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA <keiichi@iijlab.net> IIJ Research Laboratory / WIDE project Contents IPv6 service in Japan How I live Example of IPv6 configuration Some news of IPv6

653 views • 16 slides
IPv6 Avanzado Introduccin Toms Lynch LACNOG WHERE ARE WE? IPv4 Yes, the IPv4 pool

IPv6 Avanzado Introduccin Toms Lynch LACNOG WHERE ARE WE? IPv4 Yes, the IPv4 pool

IPv6 Avanzado Introduccin Toms Lynch LACNOG WHERE ARE WE? IPv4 Yes, the IPv4 pool IPv4 with NAT/Tunnels But we can use IPv4 and NAT or Tunnels!!! Yeah, right IPv6 IPv6 Readiness Laptops, pads, mobile phones, dongles,

477 views • 19 slides
Large-scale introduction of IPv6 system - 280 sites all over Japan VoIP carrier IPv4 - IPv6 Node

Large-scale introduction of IPv6 system - 280 sites all over Japan VoIP carrier IPv4 - IPv6 Node

Large-scale introduction of IPv6 system - 280 sites all over Japan VoIP carrier IPv4 - IPv6 Node as many as 20,000 IPv6/IPv4 The IP Centrex service, "IP Business Phone", Translator developed by FreeBit, has got a major contract with

752 views • 5 slides
Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com When will IPv6-only deployment happen? Hypothesis 1 1st node is All IPv4 nodes dual-stack speak also IPv6 IPv4-only IPv4 & IPv6 IPv6-only

675 views • 25 slides
IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address

IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address

IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address IPv4 allowed for 4.3 billion possible addresses, IPv6 allows for 340 undecillion addresses 3.40E38, 7.9E28 more than IPv4 addresses, ~ 4.8x10

1.07k views • 28 slides
Comparing IPv4 and IPv6 from the perspec7ve of BGP dynamic

Comparing IPv4 and IPv6 from the perspec7ve of BGP dynamic

Comparing IPv4 and IPv6 from the perspec7ve of BGP dynamic ac7vity Geoff Huston APNIC February 2012 The IPv4 Table: 2004 - now The IPv6

770 views • 47 slides
Introduction to IPv6 - I Basics of IPv6 Alvaro Vives | 26 June 2017 | Workshop on Open Source

Introduction to IPv6 - I Basics of IPv6 Alvaro Vives | 26 June 2017 | Workshop on Open Source

Introduction to IPv6 - I Basics of IPv6 Alvaro Vives | 26 June 2017 | Workshop on Open Source Solutions for the IoT Contents Digital Data Transmission Packet-Switched Networks Layered Model IPv4 and IPv6 basics - IPv4 Header -

1.38k views • 32 slides
Data Structures for IPv6 Network Traffic Analysis Using Sets and Bags John McHugh, Ulfar

Data Structures for IPv6 Network Traffic Analysis Using Sets and Bags John McHugh, Ulfar

Data Structures for IPv6 Network Traffic Analysis Using Sets and Bags John McHugh, Ulfar Erlingsson The nature of the problem IPv4 has 2 32 possible addresses, IPv6 has 2 128 . IPv4 sets can be realized as bit arrays. (0.5GB) IPv4

585 views • 20 slides
IPv6 Presentation Template (Make this title your own!) Whats happening with IPv4? IPv4

IPv6 Presentation Template (Make this title your own!) Whats happening with IPv4? IPv4

IPv6 Presentation Template (Make this title your own!) Whats happening with IPv4? IPv4 exhaustion (link to RIRs and highlight relevant trends for your region) Regional Internet Authorities are in various phases of IPv4 exhaustion

486 views • 13 slides
Dual-stack IPv4+IPv6 monitoring with Nagios Teemu Kiviniemi, CSC/Funet 6th June 2012 6th TF-NOC

Dual-stack IPv4+IPv6 monitoring with Nagios Teemu Kiviniemi, CSC/Funet 6th June 2012 6th TF-NOC

Dual-stack IPv4+IPv6 monitoring with Nagios Teemu Kiviniemi, CSC/Funet 6th June 2012 6th TF-NOC meeting Dublin, Ireland Introduction World IPv6 Launch is today! When enabling IPv6 support in services, it is crucial to monitor with both IPv4

1.09k views • 27 slides
1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion

1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion

1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion practice) 3. IPv6 advantages over IPv4 4. IPv4 address structure 5. IPv6 address structure IPv4 Address 32 bit address (computer stores information

655 views • 53 slides
IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net Australia's Academic and Research Network IPv6 policy Going forward, we seek to support IPv6 to the same extent as we support IPv4. Exceptions require

631 views • 52 slides
Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4

Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4

Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4 addresses have 32 bits only not enough for 1 IP address per person dynamic IPs, NAT, Manual configuration time consuming (in larger

655 views • 16 slides
IPv4 Exhaus,on And IPv6 Deployment Carlos Mar)nez @Sint-Maarten Internet Week IPv4 There

IPv4 Exhaus,on And IPv6 Deployment Carlos Mar)nez @Sint-Maarten Internet Week IPv4 There

IPv4 Exhaus,on And IPv6 Deployment Carlos Mar)nez @Sint-Maarten Internet Week IPv4 There are 4,294,967,296 IPv4 addresses (32 bits long) but not all of them can be used Looks like a lot, right? But... World popula)on currently stands

501 views • 27 slides
Transicin a IPv6 rea de Ingeniera Telemtica Dpto. Automtica y Computacin

Transicin a IPv6 rea de Ingeniera Telemtica Dpto. Automtica y Computacin

Transicin a IPv6 rea de Ingeniera Telemtica Dpto. Automtica y Computacin http://www.tlm.unavarra.es/ Soluciones Doble pila Dispositivos con IPv4 e IPv6 Tneles Comunicar IPv6 a travs de zonas IPv4 Traduccin

631 views • 24 slides
From IPv4 to IPv6 From IPv4 to IPv6 T.R. Dua, Deputy Director General, COAI July 21, 2009

From IPv4 to IPv6 From IPv4 to IPv6 T.R. Dua, Deputy Director General, COAI July 21, 2009

From IPv4 to IPv6 From IPv4 to IPv6 T.R. Dua, Deputy Director General, COAI July 21, 2009 @ New Delhi

312 views • 27 slides
Challenges in Mining Whole Software Universe Katsuro Inoue Osaka University Software

Challenges in Mining Whole Software Universe Katsuro Inoue Osaka University Software

Challenges in Mining Whole Software Universe Katsuro Inoue Osaka University Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Analyzing Evolution of

450 views • 19 slides
TMS Bobcats want to say... Ron Melton Anna Palumbos Grandpa Jeanie Melton Anna Palumbos

TMS Bobcats want to say... Ron Melton Anna Palumbos Grandpa Jeanie Melton Anna Palumbos

TMS Bobcats want to say... Ron Melton Anna Palumbos Grandpa Jeanie Melton Anna Palumbos Grandma Chad Solomon Anthony Solomons Family Ronald Palumbo Anna Palumbos Grandpa Adam Labotka Allison Labotkas Father Bradley Baker Family

537 views • 17 slides
National Leadership Area National Leadership Area Reading and Language Mastery The Forums

National Leadership Area National Leadership Area Reading and Language Mastery The Forums

National Leadership Area National Leadership Area Reading and Language Mastery The Forums Advisory Advisory Panel Panel Dr. Elfrieda H. Hiebert, University of California at Berkeley, Dr. M. Susan Burns, George Mason University.

414 views • 9 slides
Security Framework for the IPv6 Era SUZUKI, Shinsuke (Hitachi, Ltd. / KAME Project / WIDE Project

Security Framework for the IPv6 Era SUZUKI, Shinsuke (Hitachi, Ltd. / KAME Project / WIDE Project

Security Framework for the IPv6 Era SUZUKI, Shinsuke (Hitachi, Ltd. / KAME Project / WIDE Project Secure-6 WG) suz@crl.hitachi.co.jp / suz@kame.net HIROMI, Ruri (Intec NetCore, Inc. / WIDE Project Secure-6 WG) hiromi@inetcore.com Apricot2005,

628 views • 18 slides
Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner Takeaways Current conventional wisdom on cloud computing is missing the point You cannot

793 views • 37 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
The adventures of a Suricate in eBPF land . Leblond Stamus Networks Oct. 6, 2016 . Leblond

The adventures of a Suricate in eBPF land . Leblond Stamus Networks Oct. 6, 2016 . Leblond

The adventures of a Suricate in eBPF land . Leblond Stamus Networks Oct. 6, 2016 . Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 1 / 41 Introduction to Suricata 1 Whats this ? A few words on

848 views • 56 slides
Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual Research Community Marc van Dijk , Andrea Giachetti, Marco Verlato, Antonio Rosato, Alexandre Bonvin EGI Technical Forum 2012 zondag 16 september 12

413 views • 13 slides

More recommend