IPv6 Are we there yet?
Problem
• The Internet keeps growing
• Running out of IPv4 addresses
• Running out of time!
IPv6@Belnet

Original Design
• Network of networks
• Packet-based network
• Unique addresses
• End-to-end connectivity
• Layered design

Quick fixes
• Address Resource Management
• CIDR
• NAT
• Rethinking IP, start in 1992

Extending IPv4 lifetime
• NAT CPE
• NAT Carrier-grade
• CIDR

Internet Resources
• Addresses (IPv4/IPv6) + ASN
• Hierarchical manner (top-down)
• Goals of the Internet Registry System
  • Uniqueness
  • Aggregation
  • Conservation
  • Registration

IPv4 depletion
• How many IPv4 addresses?
• 2^32 = ~4.3 billion IPv4 addresses

What is left?
• IANA allocates /8 to RIRs
• 256 /8s is the entire IPv4 Internet
• Beginning of 2010, IANA had 26 /8s left
• In February 2011, IANA allocated the last /8
• Even RIRs are running out…
  • APNIC handed out last /8 in April 2012
  • Microsoft – Nortel trade of IPv4 blocks
  • Asking legacy holders to become LIR or sponsorship
  • RIPE is exhausting rapidly
• http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

What is left?
• http://www.potaroo.net/tools/ipv4/index.html

IPv6 Islands…
• Addresses (IPv4/IPv6) + ASN
• Hierarchical manner (top-down)
• Goals of the Internet Registry System
  • Uniqueness
  • Aggregation
  • Conservation
  • Registration

IPv6 to the rescue
• It is clear that we need a better solution
• IPv6 to solve address exhaustion
• Extra features built in
• IPv6 has existed for 16 years
• Time to act now!

Improved features
• Better support for mobility
• Security, IPSec
• Auto-configuration
• Routing (simpler header, flexible extensions, aggregation)
• IPv6 Multicast, more addresses

More… …IP addresses !!!!!
• 128 bits instead of 32 bits
• 2^128 addresses, 3.4×10^38 addresses
• 340 undecillion addresses
• Let’s just say … a lot of addresses
• Restore end-to-end connectivity
• Internet as it was meant to be!

Differences
• Different types and scope of addresses
• No broadcast, thus no ARP
• Relies heavily on multicasting
• Auto-configuration instead of DHCP?
• Common to have multiple addresses on an interface. What IP will be used to source traffic?

IPv6 @ Belnet
• 2001:6a8::/32
• Native, dual-stack since Jan 2003
• Multiple IPv6 peerings
  • Geant
  • Transit
  • BNIX
  • Other IXes
• Various services already available on IPv6
  • FTP, DNS, Jabber, NTP, WWW, SMTP, Antispam Pro…

IPv6 assignments

IPv6: current status
• Belnet: active use of IPv6 (live traffic) 2013
• 10% of the Belnet customer base

Why you should run IPv6
• Belnet: active use of IPv6 (live traffic) 2014

IPv6 elsewhere
• Equipment vendors (routers, firewall, …)
• Software (OS, applications, …)
• Networks
• Content: Google, Facebook (IPv6 day 8/06/2011)
• IXes
• ISPs: Comcast (US), XS4all (NL)
• CDNs: Akamai (end of 2010)

Why you should run IPv6
• Experimental users
• Power users
• Global audience
• Get your content available over IPv6

Interesting Sites
• https://www.vyncke.org/ipv6status/

Your action plan
• Equipment inventory
• Raise awareness
• Get your assignment
• Prepare your address plan
• Get IPv6 on your DMZ
• Get IPv6 on your LAN

Equipment inventory
• Routers and firewalls
  • Does it support IPv6?
  • At full performance?
• Server & Desktop OS
  • Should be no-brainer for recent OSes
• Application software
  • Does it depend on hard coded IPv4 addresses/ranges?
  • If built on Apache or IIS no other problems expected...
• Other networked gear
  • Printers?
  • Switches? RA guard, PACL; RA snooping…

Raise awareness
• Your ICT colleagues/Management
  • Awareness of network changes
  • No surprises
• End users
  • Migration should be transparent to them
  • Only warn when deployed on LAN and/or Wi-Fi
  • Via Intranets?

Prepare your address plan (1)
2001:6a8:3c80:8004:ca2a:14ff:fe15:9cb6
• Belnet /32
• Customer /48
• Host address
• 65536 assignable /64 ranges
  8    0    0    4
  L    V    A    A
  1000 0000 0000 0100

Prepare your address plan (2)
• Map your IPv4 address plan into your IPv6 prefix
  • 10.50.60.0/24 -> 2001:6a8:1234:5060::/64
  • Easy, but not always a good idea
• Large networks need a decent IPv6 address plan
  • Use location / VLAN id / type of service...
  • 2001:6a8:1234:<location><vlan>::/64
  • e.g. 2001:6a8:1234:0165::/64 (site 0, vlan 165)
  • 16 bits to play with

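The two address-plan slides as an added Python example (not part of the original slides): it derives /64 ranges with both schemes and splits the sample address from slide (1) into its fields, including the MAC address that an EUI-64 host part exposes. The function names are hypothetical, and the digit layout (two decimal digits per IPv4 octet; one hex digit for the site, three decimal digits for the VLAN) is an assumption read off the slide's examples.

```python
import ipaddress

# Customer /48 used in the slides' examples.
CUSTOMER = ipaddress.IPv6Network("2001:6a8:1234::/48")

def _lan(prefix, subnet_id):
    """Return the /64 with the given 16-bit subnet id inside a /48."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet id")
    base = int(prefix.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))

def lan_from_ipv4(prefix, v4net):
    """10.50.60.0/24 -> ...:5060::/64 (2nd and 3rd octet as decimal digits)."""
    net = ipaddress.IPv4Network(v4net)
    _, b, c, _ = net.network_address.packed
    if net.prefixlen != 24 or b > 99 or c > 99:
        # An octet above 99 needs three digits, so the mapping no longer
        # fits in 16 bits: "easy, but not always a good idea".
        raise ValueError(f"{v4net} does not fit the 4-digit mapping")
    return _lan(prefix, int(f"{b:02d}{c:02d}", 16))

def lan_from_site_vlan(prefix, site, vlan):
    """<location><vlan>: one hex digit site, three decimal digits VLAN (assumed)."""
    if not (0 <= site <= 0xF and 0 <= vlan <= 999):
        raise ValueError("site must fit one digit, vlan three digits")
    return _lan(prefix, int(f"{site:x}{vlan:03d}", 16))

def decompose(addr):
    """Split an address into the fields drawn on address-plan slide (1)."""
    n = int(ipaddress.IPv6Address(addr))
    iid = n & (2**64 - 1)                      # lower 64 bits: host part
    mac = None
    if (iid >> 24) & 0xFFFF == 0xFFFE:         # ff:fe in the middle: EUI-64
        raw = ((iid >> 40) << 24) | (iid & 0xFFFFFF)   # drop ff:fe
        raw ^= 0x02 << 40                      # flip the universal/local bit
        mac = ":".join(f"{x:02x}" for x in raw.to_bytes(6, "big"))
    subnet_id = (n >> 64) & 0xFFFF
    def net(plen):
        return str(ipaddress.IPv6Network((n, plen), strict=False))
    return {"provider": net(32), "customer": net(48), "lan": net(64),
            "subnet_id": f"{subnet_id:04x}", "mac": mac}

if __name__ == "__main__":
    print(lan_from_ipv4(CUSTOMER, "10.50.60.0/24"))
    print(lan_from_site_vlan(CUSTOMER, 0, 165))
    print(decompose("2001:6a8:3c80:8004:ca2a:14ff:fe15:9cb6"))
```

The recovered MAC shows why the host part matters for the plan: with autoconfigured EUI-64 addresses, the hardware address of each host is readable from every packet it sources.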
Get IPv6 on your DMZ (1)
• Requirement: firewall support!
  • Use a separate zone if you want to test in advance
  • Use firewall policies similar to IPv4 policies
  • ICMP!
• Enable IPv6 on your public servers
  • OS + Applications
• Publish AAAA records in your DNS for IPv6-enabled services

Get IPv6 on your servers (1)
• Web servers
  • IIS and Apache: no problem
  • Application-specific, legacy, unknown,…
  • Use reverse-proxy
  • HTTPS: One domain per IP
• DNS servers
  • Windows 2008’s DNS, BIND: no problem
  • Windows 2003: support very limited
  • But IPv6 DNS server not mandatory to serve AAAA records

Get IPv6 on your servers (2)
• Mail servers
  • Very few MTA supported
  • Even less antispam software
  • IPv6 blacklisting still experimental
• Our advice: do not port MTA now
• Get Belnet Antispam Pro (Fully IPv6 compliant)!

Get IPv6 on your LAN(s)
• Use a separate zone if you want to test in advance
• One LAN at a time
  • admin, students, guests, eduroam, ...
• Use firewall policies similar to IPv4 policies
  • Do not forget inbound connections as there is no more NAT!
  • Filtering inbound ports <1024 is good practice
  • Filter everything incoming if you want a perfect match between policies
• Warn your power users about network changes
  • You want to know if something is no longer working…

Get IPv6 on your LAN (cont'd)
• Distribution of IPv6 addresses
  • Router advertisement
    • Widely supported
    • Limited autoconfiguration options (only DNS server, if at all)
    • Perfect for dual stack: DHCPv4 + RAdvd
  • DHCPv6
    • Not widely supported yet (only recent MS products)
    • Can coexist with router advertisement (DNS servers etc)
Our advice: go DHCPv4 + RA

Transitioning technologies
• Tunneling technologies
  • Tunnel broker
    • Belnet hosts a SiXXs.net PoP server
    • Native addresses
    • Specific software on routers/stations
  • 6to4
    • Built-in in Windows, OSX, Apple Airport & other home routers
  • Teredo
    • Built-in in Windows,
  • Miredo
    • Teredo port for Unix/Linux

Transitioning technologies
• Native connectivity
  • Dual stack
    • IPv6 and IPv4 on same wire/lan/frames
  • Advantages
    • Easier to put on desktops, routers
    • Control/inspect your traffic
    • Stability, ISP support
Our advice: go dual stack

Briefly
• Follow the steps
  • Inventory
  • Awareness
  • Network plan
  • DMZ + LAN
• Go Dual stack
  • On the WAN
  • On the LAN
• Belnet is a partner
  • Ask us questions!