gogo6 IPv6 Video Series. Event, presentation and speaker details below:

EVENT
gogoNET LIVE! 3: Enterprise wide Migration. http://gogonetlive.com
November 12 – 14, 2012 at San Jose State University, California
Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp

PRESENTATION
Tunnels and Translators and Proxies for Enterprise Deployment
Presentation video: http://www.gogo6.com/video/tunnels-translators-and-proxies-for-enterprise-by-tony-hain-at
Interview video: http://www.gogo6.com/video/interview-with-tony-hain-at-gogonet-live-3-ipv6-conference

SPEAKER
Tony Hain - CEO, Hain Global Consulting

MORE
Learn more about IPv6 on the gogoNET social network http://www.gogo6.com
Get free IPv6 connectivity with Freenet6 http://www.gogo6.com/Freenet6
Subscribe to the gogo6 IPv6 Channel on YouTube http://www.youtube.com/subscription_center?add_user=gogo6videos
Follow gogo6 on Twitter http://twitter.com/gogo6inc
Like gogo6 on Facebook http://www.facebook.com/pages/IPv6-products-community-and-services-gogo6/161626696777
Copyright 2012 - Hain Global Consulting, Inc.
Tony Hain CEO
Hain Global Consulting, Inc.
IPv6 … Tunnels / Translators / Proxies
2012 gogo6
Agenda
• Transition goals
• Tunnels
• Translators
• Proxies
• Trade-offs
• Wrap up
Transition goals
• Decouple deployment dependencies
– Applications : End system OS : Network topology
• Allow application deployment at a business-needs rather than network-driven pace
– Start early: before network needs force the issue
• Minimize complexity
– Avoid translation to the other version & back
• Avoid addiction to transition technology
– Long term the traffic should naturally flow away
Tunnels
• Logical overlay
– The Internet grew as a tunnel over the voice network
• From the application perspective, virtually identical to dual-stack
• Path MTU discovery important due to additional header
• Tunnel asymmetry often worse than IPv4 path
• Controlled vs. automated trade-offs
• Firewalls often overlook/fail encapsulated packets
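The two tunnel points above (the extra header reduces the usable MTU, and inspection must reach the encapsulated packet) shown for IPv6-in-IPv4 (protocol 41) as an added example, not part of the original slides. The function names, the 1500-byte link MTU and the sample packet are assumptions made for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number for IPv6 encapsulated in IPv4

def inspect_ipv4(packet: bytes, link_mtu: int = 1500) -> dict:
    """Parse an IPv4 packet; if it carries IPv6 (protocol 41), expose the inner header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    result = {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "tunneled": False,
    }
    if packet[9] != PROTO_IPV6_IN_IPV4:
        return result
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 without a valid IPv6 header")
    payload_len, next_header = struct.unpack("!HB", inner[4:7])
    result.update(
        tunneled=True,
        inner_src=str(ipaddress.IPv6Address(inner[8:24])),
        inner_dst=str(ipaddress.IPv6Address(inner[24:40])),
        inner_next_header=next_header,
        # The outer IPv4 header consumes part of the link MTU.
        inner_mtu=link_mtu - ihl,
        # True when the IPv6 header claims more payload than is present.
        truncated=payload_len > len(inner) - 40,
    )
    return result

def build_sample() -> bytes:
    """Constructed 6in4 packet using documentation addresses; checksum left at 0."""
    payload = b"\x00" * 8
    ipv6 = struct.pack("!IHBB", 6 << 28, len(payload), 17, 64)
    ipv6 += ipaddress.IPv6Address("2001:db8::1").packed
    ipv6 += ipaddress.IPv6Address("2001:db8::2").packed
    ipv4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(ipv6) + len(payload), 0, 0, 64, 41, 0)
    ipv4 += ipaddress.IPv4Address("192.0.2.1").packed
    ipv4 += ipaddress.IPv4Address("198.51.100.7").packed
    return ipv4 + ipv6 + payload
```

A policy that only matches on the outer addresses sees 192.0.2.1 to 198.51.100.7; the inner fields are what a filter has to evaluate to apply IPv6 rules to tunneled traffic.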
Translators
• IP header mangling intermediary
• May need to be application-aware along entire path to also translate addresses embedded in data stream
• Payload length concerns arise due to header length, and fragmentation rule differences
• Daisy-chain (4-6-4, 6-4-6) will lose some context as IP options do not map identically
• Lawful intercept may require per-connection 5-tuple/time logging
Troubleshooting Connectivity Models
[Diagram: two panels, "Single Stack / Translated Traffic" and "Dual Stack Traffic". Labels in each panel: IPv6 End System, Private IPv4 End System, Public IPv4 End System, Dual Stack End System, Public IPv6 Internet, Public IPv4 Internet.]
Proxies
• Protocol intermediary creating state-independent connections on either side
– Application layer; semantic awareness
– SOCKS5 layer; arbitrary applications, may pass UDP
– TCP layer; ‘appears’ to interlock state
• Payload length may cause reassembly and/or a different number of packets on either side
• If currently used for IPv4 security demarcation, it is a natural continuation, with the ability to do independent IP versions on either side
Trade-offs
• Deployment / placement of any or all is a local needs-based decision
• May be used in combination
• Application awareness is a primary selection factor
• Fundamental security models require an audit trail. Translators inherently break the audit trail.
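The per-connection 5-tuple/time logging mentioned on the Translators slide, and the audit-trail point above, as an added example that is not part of the original slides. The log format, field names and sample records are hypothetical and constructed for illustration; real translators each have their own log schema.

```python
from datetime import datetime
from typing import NamedTuple, Optional

class Session(NamedTuple):
    start: datetime
    end: datetime
    proto: str
    inside_src: str      # original end-system address and port
    inside_sport: int
    outside_src: str     # address and port after translation
    outside_sport: int
    dst: str
    dport: int

def parse_line(line: str) -> Session:
    """Parse one record of the hypothetical space-separated log format used below."""
    start, end, proto, i_src, i_sp, o_src, o_sp, dst, dport = line.split()
    return Session(datetime.fromisoformat(start), datetime.fromisoformat(end), proto,
                   i_src, int(i_sp), o_src, int(o_sp), dst, int(dport))

def find_origin(sessions, when, proto, src, sport, dst, dport) -> Optional[Session]:
    """Map a 5-tuple seen on the translated side at time `when` to its session."""
    hits = [s for s in sessions
            if (s.proto, s.outside_src, s.outside_sport, s.dst, s.dport)
            == (proto, src, sport, dst, dport) and s.start <= when <= s.end]
    # More than one hit means the log cannot attribute the flow unambiguously.
    return hits[0] if len(hits) == 1 else None

def candidates_by_address(sessions, src):
    """Inside hosts that shared one translated address: address alone is not enough."""
    return sorted({s.inside_src for s in sessions if s.outside_src == src})

# Constructed sample log (documentation addresses only).
SAMPLE_LOG = """\
2012-11-13T10:00:00 2012-11-13T10:02:00 tcp 2001:db8:a::10 51000 192.0.2.1 40001 198.51.100.7 443
2012-11-13T10:01:00 2012-11-13T10:03:00 tcp 2001:db8:a::22 51000 192.0.2.1 40002 198.51.100.7 443
2012-11-13T10:05:00 2012-11-13T10:06:00 tcp 2001:db8:a::35 49152 192.0.2.1 40001 198.51.100.7 443
"""
SESSIONS = [parse_line(l) for l in SAMPLE_LOG.splitlines()]
```

In the sample, translated port 40001 belongs to two different inside hosts at different times, so attribution needs the full 5-tuple and a timestamp; a report with no matching session returns `None`.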
Bottom line ...
There is no ‘one size fits all’ deployment model for the IPv4 Internet --- Sooooo ...
There is no ‘one size fits all’ transition deployment technology or approach.
Like it or not, multiple approaches will exist throughout the network until IPv4 is finally weaned out of the system. This will happen in the core faster than at the edge, just as it has with every other preceding network technology.
Wrap up
• IPv6 deployment is about business continuity ...
• Plan for a 3-5 year deployment timeframe
• Transition tools are about decoupling dependencies
• There is no one-size-fits-all transition model
Get started now!
Mental & Emotional preparation
For many, IPv4 knowledge is their justification of value in the market. As demand for that knowledge withers, and demand for the unfamiliar grows, people progress through the stages of grief in a futile attempt to avoid the inevitable.
IPv4 to IPv6 transition and the stages of grief
Denial
Anger
Negotiation
Depression
Acceptance
What does your organization value?
• Heroic Rescue
• Safety of the pack
• Independent Thinking & Strategic Avoidance
Projecting RIR IPv4 pool depletion
• IANA exhausted the central pool Feb. 3, 2011
• APNIC activated their ‘final /8 policy’ April 15, 2011
• RIPE activated their ‘final /8 policy’ Sept. 14, 2012
• ARIN slowed for a while but has been picking up lately.
[Charts: "RIR pool exhaust dates" and "RIR pool exhaust dates (zoomed)"; series: apnic, ripencc, arin, lacnic, afrinic]
Collective RIR IPv6 Allocations
[Charts, each with series Afrinic, Apnic, ARIN, Lacnic, RIPE:
RIR -- IPv6 /32 equivalent allocations (thousands)
RIR -- IPv6 /32 equiv. per year (thousands)
RIR - IPv6 allocation events (thousands)
RIR -- IPv6 avg. /48 equiv. per allocation event (millions)]