IPv6: Migration and Beyond
Dec 2010
2010 Infoblox Inc. All Rights Reserved.
Agenda
- IPv6: What is it?
- Why migrate?
- Migration challenges
- Infoblox solutions
IP Device Explosion
IPv4 Address Space Utilization
(Chart: IPv4 address space shown as unavailable, available and allocated, as of 30 November 2010.)
This despite increasingly intense conservation efforts:
- PPP / DHCP address sharing
- CIDR (classless inter-domain routing)
- NAT (network address translation)
- plus some address reclamation
Theoretical limit of 32-bit space: ~4 billion devices
Practical limit of 32-bit space: ~250 million devices (RFC 3194)
ARIN's Guidelines

Broadband Providers: Your customers want access to the entire Internet, and this means IPv4 and IPv6 websites. Offering full access requires running IPv4/IPv6 transition services and is a significant engineering project. Multiple transition technologies are available, and each provider needs to make its own architectural decisions.

Internet Service Providers: Plan out how to connect businesses via IPv6-only and IPv4/IPv6 in addition to IPv4-only. Businesses are beginning to ask for IPv6 over their existing Internet connections and for their co-located servers. Communicate with your peers and vendors about IPv6, and confirm their timelines for production IPv6 services.

Content Providers: Content must be reachable by newer Internet customers. Content served only via IPv4 will be accessed by IPv6 customers via transition solutions run by access providers. Plan on serving content via IPv6 in addition to IPv4 as soon as possible.

Enterprise: Mail, web, and application servers must be reachable via IPv6 in addition to IPv4. Open a dialogue with your Internet Service Provider about providing IPv6 services. Each organization must decide on timelines, and investment level will vary.

Government: Coordinate with industry to support and promote awareness and educational activities. Adopt regulatory and economic incentives to encourage IPv6 adoption. Require IPv6 compatibility in procurement procedures. Officially adopt IPv6 within your government agencies.

Equipment Manufacturers: Introduce IPv6 support into your product cycle as soon as possible.
About IPv4 and IPv6

Attribute                   | IPv4                                | IPv6
Deployed                    | 1981                                | 1999
Address size                | 32-bit number                       | 128-bit number
Address format              | Dotted decimal notation: 192.0.2.76 | Hexadecimal notation: 2001:0DB8:0234:AB00:0123:4567:8901:ABCD
Number of addresses         | 2^32 = 4,294,967,296                | 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
Examples of prefix notation | 192.0.2.0/24, 10/8                  | 2001:0DB8:0234::/48, 2600:0000::/12
Security                    | IPSec                               | IPSec mandated, works end-to-end
Mobility                    | Mobile IP                           | Mobile IP with direct routing
Quality of service          | Differentiated/Integrated Service   | Differentiated/Integrated Service
IP multicast                | IGMP/PIM/Multicast BGP              | MLD/PIM/Multicast BGP, Scope Identifier
IPv6 Benefits
- Expanded addressing capabilities
- Structured hierarchy to manage routing table growth
- Serverless auto-configuration and reconfiguration
- Streamlined header format and flow identification
- Improved support for options / extensions
IPv6 Adoption Drivers
- Address issues: exhaustion, M&A, business growth, geographic expansion
- Government mandates: US DoD, China NGI, EU
- IPv6-only devices: new wireless phones, carrier offerings
- Infrastructure: SmartGrid meters, DOCSIS 3.0, 4G/LTE
IPv4 & IPv6 - The Bottom Line
- We're running out of IPv4 address space. IPv6 deployment has begun. Regulations and need are driving migration.
- IPv6 is not backwards compatible with IPv4. We must maintain IPv4 and IPv6 simultaneously for many years.
- New IPv6-only devices and P2P applications will not work with IPv4-only infrastructure.
- IPv6 clients on the Internet may need to access your networks, e.g. email, websites, applications.
- Service provider IPv6 > IPv4 translation will lose critical user information in your website logs.
IPv4-IPv6 Transition / Co-Existence
A wide range of techniques have been identified and implemented:
- Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
- Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
- Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
Expect all of these to be used, in combination.
IPv4 -> IPv6 Transition Map

1. Make External Services IPv6 Capable
- Required to ensure IPv6-only devices can access website, email, apps etc.
- Preserves identity of users since origin IP etc. is not lost in translation by the carrier
- Uses DNS AAAA records and IPv6 addresses

2. Dual Stack Internal Infrastructure and End Points
- Core and edge routers
- End point devices and hosts
- DHCPv6 and DNS AAAA

3. Create Temporary Islands for IPv4-Only Apps/Servers/Infrastructure
- Applications or infrastructure components that cannot support IPv6 dual stack should live in the island
- Use NAT64 and DNS64 to allow IPv6 devices to access these
- Slowly migrate components out to dual stack infrastructure
Migration Considerations
- Security policies need to be revised: security issues with IPv4 are well documented; IPv6 remains unexplored
- Application compatibility needs to be verified: not all of your existing applications are IPv6 compliant; upgrades may be required
- v6 compatibility in networking equipment often comes with performance risks: unlike IPv4, several IPv6 implementations are not yet optimized
- Backend tools are lacking: current management and troubleshooting tools and methods may not work
- Spam tools need to be reinvented: heavy reliance on DNS
- Testing v6 services for compatibility: few reference implementations to test against
IPv6 IP Assignments

IPv6 IP assignment techniques:
- Manual: manually configured by an administrator
- Link local: auto-assigned to itself by the device
- Stateless: devices configure an IP themselves based on information from the router
- Stateful: devices use DHCPv6 to receive an IP address and other configuration information
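Worked example of the link-local and stateless cases above, added here and not part of the original slides: the interface identifier is derived from the MAC address (modified EUI-64, RFC 4291), then combined with fe80::/64 or with the /64 prefix learned from a router advertisement. The MAC and the 2001:db8:234:ab00::/64 prefix (taken from the slides' example address) are constructed values. The reverse function shows why such an address identifies the hardware to anyone who sees it in a log.

```python
import ipaddress
from typing import Optional

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC:
    split the MAC in half, insert 0xFFFE in the middle, and invert the universal/local
    bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Join a /64 prefix (fe80::/64 for link-local, or the prefix from a router
    advertisement for a global address) with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def mac_from_slaac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address; None if the ff:fe marker is
    missing (manually assigned, DHCPv6 or privacy addresses carry no MAC)."""
    iid = bytearray((int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])

if __name__ == "__main__":
    # Constructed sample values: a MAC and the /64 prefix of the slides' example address.
    mac = "00:1a:2b:3c:4d:5e"
    print("link-local:", slaac_address("fe80::/64", mac))                 # fe80::21a:2bff:fe3c:4d5e
    print("global:    ", slaac_address("2001:0DB8:0234:AB00::/64", mac))  # 2001:db8:234:ab00:21a:2bff:fe3c:4d5e
    print("MAC again: ", mac_from_slaac("fe80::21a:2bff:fe3c:4d5e"))       # 00:1a:2b:3c:4d:5e
```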
IPv6 Migration Challenges
- Dual infrastructure for the foreseeable future: IPv4 and IPv6 will coexist, requiring infrastructure support for both
- IPv6 expertise is scarce
- Existing management tools/scripts won't work
- IP address management with spreadsheets will not scale
- IP assignments/reclaiming will be difficult
- Subnet creation will require new methods
- DNS management will be error prone
Network configuration and DDI are fragile
- Manual change, one by one: repetitive tasks for expensive staff; hope for no fat fingers or bad copy and paste
- Custom scripts (e.g. Perl): one expert, hope they never leave; always adding more and more over time
- "We are the experts": assume it works, hope for the best; if it breaks, go fix it
- Rely on the change management process: no one ever makes an undocumented change; all changes occur within the window and process; assume all details are up to date and correct
IPv6 migration will expose these risks.
Network Automation: Key to a Successful Migration
- Automate network configuration and change: change management for IPv6-enabled devices
- IP address assignments and reclaiming: replace spreadsheet-based IP space management
- Subnet calculation and allocation: automated calculation and documentation
- DNS configuration: AAAA records are hard to manage manually; reverse DNS zones with IPv6
Infoblox solutions enable IPv6 migration
- DNS/DHCP/IPAM automation: DNS/DNSSEC configuration automation; IP address management automation
- IPv6-enabled network configuration automation: network change automation; configuration management; compliance, policy enforcement and auditing
Infoblox tools for IPv6 migration and management

IPv6 Capable External Presence
- DNS for IPv6
- Dual Stack DNS Appliance

Internal IPv6 Migration Planning
- Current Network Equipment Inventory (with OS version running)
- Current Network Topology and Connectivity
- Current Subnet Inventory

Internal IPv6
- IPv6 IP Address Allocation, Tracking and Reclaiming
- IPv6 Subnet Allocation and Tracking
- Dual Stack Devices Tracking (Smart Folders)
- Reduced Complexity of Dual Stack Environment and IP Address Explosion

IPv6 Network Infrastructure Management
- Automated Network Change and Configuration for IPv6
- Compliance, Policy Enforcement and Auditing
IPv6 Support in Infoblox Solution (DDI)

IPv6 Networking
- Members can have an IPv6 address (HA supported)
- Members will respond to DNS queries from/to IPv6 addresses
- Members will respond to zone transfers from/to IPv6 addresses

DNS
- AAAA records in the forward zone
- ip6.arpa reverse zone
- ACLs for IPv6 addresses and networks

IPv6 IPAM
- IPv6 subnets
- IPv6 address assignment
- Split/join IPv6 networks
- Host objects with IPv6 IP address
IPv6 Support in Infoblox Solution (NCCM)

Automated network change and configuration management for IPv6
- Understand cause & effect
- Management view to health, policy and compliance
- Collect & analyze network infrastructure configurations
- Identify violations of best practice rules
- Identify security policy violations
- See the effect of change on health and policy
- Identify, verify and remediate issues proactively

Compliance, policy enforcement and auditing for IPv6
- Hundreds of packaged analysis rules
- Built-in remediation and compliance reports
- Proactive alerts for policy violations
- Live and historical status, trends and reports
- Wizard for encoding complex rule logic
Backup
DHCPv6 Operation
- Client sends messages to a link-local multicast address
- Server unicasts its response to the client
- Information-Request / Reply: provide client configuration information but no addresses
- Confirm / Reply: assist in determining whether the client moved
- Reconfigure: allows servers to initiate a client reconfiguration
- Basic client/server authentication capabilities in the base standard
- DHCP Unique Identifier (DUID) used to identify clients & servers
- Identity Association ID (IAID) used to identify a collection of addresses
- Relay Agents used when the server is not on-link
- Relay Agents may be chained
DHCPv6 Basic Message Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    msg-type   |               transaction-id                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    .                            options                            .
    .                           (variable)                          .
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Message types: SOLICIT, ADVERTISE, REQUEST, CONFIRM, RENEW, REBIND, REPLY, RELEASE, DECLINE, RECONFIGURE, INFORMATION-REQUEST, RELAY-FORW, RELAY-REPL
DHCPv6 Option Format and Base Options

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          option-code          |           option-len          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    .                          Option Data                          .
    .                      (option-len octets)                      .
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Base options: Client Identifier, Server Identifier, Identity Association for Non-temporary Addresses, Identity Association for Temporary Addresses, IA Address, Option Request, Preference, Elapsed Time, Relay Message, Server Unicast, Authentication, Status Code, Rapid Commit, User Class, Vendor Class, Vendor-specific Information, Interface-Id, Reconfigure Message, Reconfigure Accept
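A parser for the two formats shown on these slides, added here as an example and not part of the original deck: it decodes the client/server header (msg-type, transaction-id), the relay header used by RELAY-FORW/RELAY-REPL, and the option TLVs (option-code, option-len, data), unwrapping a Relay Message option recursively so chained relays are handled. The numeric codes come from RFC 3315; the sample packet is constructed, not a capture.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# Message types and base options from the slides, with their RFC 3315 codes (codes are not on the slides).
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW", 6: "REBIND",
             7: "REPLY", 8: "RELEASE", 9: "DECLINE", 10: "RECONFIGURE", 11: "INFORMATION-REQUEST",
             12: "RELAY-FORW", 13: "RELAY-REPL"}
OPTION_CODES = {1: "Client Identifier", 2: "Server Identifier", 3: "IA_NA", 4: "IA_TA", 5: "IA Address",
                6: "Option Request", 7: "Preference", 8: "Elapsed Time", 9: "Relay Message",
                11: "Authentication", 12: "Server Unicast", 13: "Status Code", 14: "Rapid Commit",
                15: "User Class", 16: "Vendor Class", 17: "Vendor-specific Information",
                18: "Interface-Id", 19: "Reconfigure Message", 20: "Reconfigure Accept"}

def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs (2-byte option-code, 2-byte option-len, option-len octets); a length past the buffer is an error."""
    opts, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError(f"truncated option header at offset {off}")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError(f"option {code} claims {length} bytes, only {len(data) - off} remain")
        opts.append((code, data[off:off + length]))
        off += length
    return opts

def parse_message(pkt: bytes) -> Dict:
    """Decode the 4-byte client/server header or the 34-byte relay header, then the options."""
    min_len = 34 if pkt[:1] in (b"\x0c", b"\x0d") else 4
    if len(pkt) < min_len:
        raise ValueError("message header truncated")
    if pkt[0] in (12, 13):  # relay header: msg-type, hop-count, link-address, peer-address
        msg = {"msg_type": MSG_TYPES[pkt[0]], "hop_count": pkt[1],
               "link_address": str(ipaddress.IPv6Address(pkt[2:18])), "peer_address": str(ipaddress.IPv6Address(pkt[18:34]))}
        body = pkt[34:]
    else:
        msg = {"msg_type": MSG_TYPES.get(pkt[0], f"UNKNOWN({pkt[0]})"), "transaction_id": int.from_bytes(pkt[1:4], "big")}
        body = pkt[4:]
    # A Relay Message option (9) carries the encapsulated message; chained relays nest them.
    msg["options"] = [(OPTION_CODES.get(c, f"UNKNOWN({c})"), parse_message(v) if c == 9 else v)
                      for c, v in parse_options(body)]
    return msg

SOLICIT = (bytes.fromhex("01abcdef") + struct.pack("!HH", 1, 10) + bytes.fromhex("00030001001a2b3c4d5e")  # constructed sample, not a capture:
           + struct.pack("!HHH", 8, 2, 0) + struct.pack("!HHHH", 6, 4, 23, 24))  # SOLICIT with Client Identifier (DUID-LL), Elapsed Time, Option Request
RELAYED = (bytes([12, 0]) + ipaddress.IPv6Address("2001:db8:234:ab00::1").packed + ipaddress.IPv6Address("fe80::21a:2bff:fe3c:4d5e").packed
           + struct.pack("!HH", 9, len(SOLICIT)) + SOLICIT)  # the same SOLICIT wrapped in a RELAY-FORW by one relay agent
```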
NAT64 Overview
(Diagram: an IPv6 client on an IPv6 network, a DNS64 translator, and a NAT64 router joining the IPv6 + IPv4 network to an IPv4 server farm.)
- IPv6 prefix dedicated to mapped IPv4 addresses
- DNS64 used to convert A records to equivalent AAAA records
- NAT64 router uses the prefix to correctly route/attract IPv6 packets for routing to the IPv4 network
DNS64: How does it work?
(Diagram: IPv6 client, DNS64 translator, NAT64 router and IPv4 server farm, same topology as the NAT64 overview.)
1. IPv6 client asks the DNS64 translator for AAAA for mycompany.com
2. DNS64 translator queries AAAA for mycompany.com: ERROR (no AAAA record)
3. DNS64 translator queries A for mycompany.com: mycompany.com (A) = 192.168.0.55
4. DNS64 translation returned to the client: mycompany.com (AAAA) = 64:ff9b::192.168.0.55
NAT64: How does it work?
(Diagram: IPv6 client, DNS64 translator, NAT64 router and IPv4 server farm, same topology as the NAT64 overview.)
1. IPv6 client sends TCP SYN, S=C-v6 D=WKP-v6 (the server's IPv4 address embedded in the well-known prefix)
2. NAT64 router translates v6 to v4, picks a free IPv4 address and builds a NAT session entry; forwards TCP SYN, S=NP-v4 D=S-v4
3. IPv4 server replies TCP ACK, S=S-v4 D=NP-v4
4. NAT64 router translates v4 + port back to v6 using the session entry; forwards TCP ACK, S=WKP-v6 D=C-v6
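The two mechanisms from the DNS64 and NAT64 slides in working form, added here and not part of the original deck: AAAA synthesis by embedding the A record in the 64:ff9b::/96 prefix (the slides' 64:ff9b::192.168.0.55 is the same address as 64:ff9b::c0a8:37), prefix matching and IPv4 extraction at the NAT64 router, and a stateful session table for the SYN/ACK exchange. The single pool address with per-session ports is a simplification of "pick a free IPv4 address"; the pool address and client address are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# The NAT64/DNS64 prefix used on the slides (the IPv4 address occupies the last 32 bits of a /96).
WKP = ipaddress.IPv6Network("64:ff9b::/96")

def dns64_synthesize(a_record: str, prefix: ipaddress.IPv6Network = WKP) -> ipaddress.IPv6Address:
    """DNS64: a name with only an A record gets a synthesized AAAA, the A embedded in the prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example embeds the IPv4 address in the low 32 bits of a /96 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(a_record)))

def nat64_extract(dst_v6: str, prefix: ipaddress.IPv6Network = WKP) -> Optional[ipaddress.IPv4Address]:
    """NAT64 router: traffic for the prefix is attracted and translated; anything else is plain IPv6."""
    addr = ipaddress.IPv6Address(dst_v6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

class Nat64:
    """Stateful session table for the flow on the slide: pick a free IPv4 address (here one pool
    address, NP-v4, with a fresh port per session) and remember the mapping for the return path."""

    def __init__(self, pool_v4: str, first_port: int = 1024):
        self.pool, self.next_port = ipaddress.IPv4Address(pool_v4), first_port
        self.v6_to_v4: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.v4_to_v6: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, c_v6: str, c_port: int, dst_v6: str) -> Optional[Tuple[str, int, str]]:
        """Client TCP SYN S=C-v6 D=WKP-v6 becomes S=NP-v4 D=S-v4; returns (NP-v4, port, S-v4)."""
        s_v4 = nat64_extract(dst_v6)
        if s_v4 is None:
            return None  # destination not in the prefix: routed as IPv6, no session created
        key = (c_v6, c_port)
        if key not in self.v6_to_v4:
            mapped = (str(self.pool), self.next_port)
            self.v6_to_v4[key], self.v4_to_v6[mapped] = mapped, key
            self.next_port += 1
        np_v4, np_port = self.v6_to_v4[key]
        return (np_v4, np_port, str(s_v4))

    def inbound(self, np_v4: str, np_port: int, s_v4: str) -> Optional[Tuple[str, int, str]]:
        """Server TCP ACK S=S-v4 D=NP-v4 becomes S=WKP-v6 D=C-v6; returns (C-v6, port, WKP-v6)."""
        key = self.v4_to_v6.get((np_v4, np_port))
        if key is None:
            return None  # no matching session: unsolicited inbound IPv4 traffic is dropped
        return (key[0], key[1], str(dns64_synthesize(s_v4)))
```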
IPv6 Enablers in Infoblox Solution

Features:
- JITC IPv6 Certification
- IPAM / Create IPv6 Networks
- IPAM / Split/Join IPv6 Networks
- IPAM / Auto-create ip6.arpa zones
- IPAM / Dual-stack hosts
- IPAM / Create IPv6 address based on MAC
- IPAM / IPv6 Network Utilization Bars
- IPv6 Network Interfaces
- DNS / AAAA records
- DNS / AAAA Shared Records
- DNS / IP6.ARPA Zone
- DNS / Mixed v4 and v6 ACLs
- Network Configuration and Change Management

Notes:
- Auto-create ip6.arpa zones is a key feature: typing in ip6.arpa zones is prone to errors
- Dual-stack hosts: IP address management for dual stack devices
- Services can be configured to work with IPv4, IPv6 or both
- Just like IPv6
- NetMRI NCCM solution has full support for IPv6