Enterprise IPv6 Deployment CLEUR

Enterprise IPv6 Deployment Strategies BRKRST-2301

Tim Martin CCIE #2020

Solutions Architect @bckcntryskr

© 2014 Cisco and/or its affiliates. All rights reserved. BRKRST-2301 Cisco Public

Reference Materials

3

§  IPv6 Knowledge Base Portal: http://www.cisco.com/web/solutions/netsys/ipv6/knowledgebase/index.html

§ Deploying IPv6 in the Internet Edge: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Internet_Edge/InternetEdgeIPv6.html

§ Deploying IPv6 in Campus Networks: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html

§ Deploying IPv6 in Branch Networks: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/BrchIPv6.html

§  Smart Business Architecture – IPv6 Guides:http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html


Recommended Reading

4


IPv6-Related Sessions

5

Session Title

BRKRST-2301 Enterprise IPv6 Deployment BRKRST-2311 IPv6 Planning, Deployment and Operation Considerations BRKRST-2022 IPv6 Routing Protocols BRKRST-2044 Enterprise Multi-Homed Internet Edge Architectures BRKRST-2304 Hitchhiker’s Guide to Troubleshooting IPv6 BRKSEC-2003 IPv6 Security Threats and Mitigations BRKSEC-3003 Advanced IPv6 Security: Securing Link Operations at First Hop TECMPL-2192 IPv6 for Dummies PNLCRS-2303 Experiences with Deploying IPv6 COCRST-3464 Inside Cisco IT: Making the Leap to IPv6 LTRSEC-3033 IPv6 Network Threat Defense, Countermeasures and Controls BRKSPG-2602 IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers BRKSPG-2603 How to Securely Operate an IPv6 Network BRKSPG-2606 IPv6 Strategies for Addressing IPv4 Address Exhaustion BRKEWN-2010 Design and Deployment of Enterprise WLANs BRKUCC-2699 IPv6 SIP Dual Stack End Node Support for UCM


Agenda

§ Why are we here? §  IPv6 Address Considerations §  Planning and Deployment Summary §  Infrastructure Deployment

–  Access Layer –  Multicast –  Data Center –  Internet Edge

6

Why are we here?


The Internet of Everything

8


Market Factors Driving IPv6 Adoption

National IPv6 Strategies

IPv6

IPv4 Address Depletion

Infrastructure Evolution IPv6 OS, Content & Applications

2011 Mandate

Pref. by App’s in W7, S2008, OSX 4G, DOCSIS 3.0, CGN

RFC 6540 - IPv6 support is no longer considered optional.

IPv6 Address Considerations http://www.cisco.com/web/strategy/docs/gov/IPv6_WP.pdf


IPv6 Address Family

IPv6 Address Family

Multicast Anycast Unicast

Assigned Solicited Node

Unique Local Link Local Global Special Embedded

*IPv6 does not use broadcast addressing

Well Known Temp


Unicast IPv6 Address Types Link-Local – Non routable within layer 2 domain (FE80::/10) FE80:0000:0000:0000::HHHH:HHHH:HHHH:HHHH

Unique-Local – Routable within administrative domain (FC00::/7)

Global – Routable across the Internet (2000::/3)

FC0G:GGGG:GGGG:SSSS::HHHH:HHHH:HHHH:HHHH FD0G:GGGG:GGGG:SSSS::HHHH:HHHH:HHHH:HHHH

2000:NNNN:NNNN:SSSS::HHHH:HHHH:HHHH:HHHH 3FFF:NNNN:NNNN:SSSS::HHHH:HHHH:HHHH:HHHH


IANA & Regional Internet Registries

13

Registries

Level Four Entity

IANA

ISP Org

PA

/48

2000::/3

/12

/32

2000::/3

/48

/12

PI

/32

•  Recommended Alloca,ons •  Consumer, SMB /56 /60 /64 •  Municipal Government, Enterprise, Single AS /48 •  State Governments, Universi,es (LIR) /32 /36 /40 /44 /48


IPv4 and IPv6 Header Comparison

Fragment Offset Flags

Total Length Type of Service IHL

Padding Options Destination Address

Source Address

Header Checksum Protocol Time to Live

Identification

Version

IPv4 Header (20)

Next Header Hop Limit

Flow Label Traffic Class

Destination Address

Source Address

Payload Length

Version

IPv6 Header (40)

•  Length is constant in IPv6 •  Fragmentation occurs in (EH) •  Option’s occur in (EH) •  UDP must have valid Checksum, unlike v4. •  Upper layer checksums use the Pseudo Header format: SRC/DST Addr + Next Header


Type Code Data

Checksum

ICMPv6

§ Neighbor Discovery, Router Discovery, Path MTU Discovery and (MLD) –  Type – (1-127) = Error Messages, (128-255) = Informational Messages –  Code – More Granularity within the Type –  Checksum – computed over the entire ICMPv6 –  Data - Original Header Return (8 bytes), then fill to Min MTU (1280)

58

1 Destination Unreachable

2 Packet Too Big

3 Time Exceeded

4 Parameter Problem ICMPv6 Header

Next Header 58


Solicited-Node Multicast Address

§  Every Unicast and Anycast address has a corresponding solicited-node multicast

§ Multicast for resolution, Unicast for reachability

§  Solicited-node multicast consists of FF02::1:FF/104 {lower 24 bits from IPv6 Unicast interface ID}

FF02 0000 0000 0000 0000 0001 FFBC FC0F 0000 0000 0000 1234 5678 9ABC FC0F

FF02 0000 0000 0000 0000 0001 FF23 3544 0DB8 4646 0000 0400 56FF FE23 3544

FE80

2001


Neighbor Solicitation & Advertisement §  Local Link only, Not Routed

§  ARP replacement, Map’s L3 to L2.

§ Multicast for resolution, Unicast for reachability

A! B!

ICMP Type 135 NS IPv6 Source FE80::A

IPv6 Destination B Solicited Node Multicast FF02::1:FF00:B

Target Address 2001:db8:1:46::B Code 0 (need link layer) Query What is B link layer

address?

ICMP Type 136 NA IPv6 Source FE80::B

IPv6 Destination FE80::A Target Type 2

Data Link Layer address of B *Flags R = Router

S = Response to Solicitation O = Override cache information

NS NA

Planning and Deployment Summary


IPv6 Integration Outline

19

•  Establish the network starting point

•  Importance of a network assessment and available tools

•  Obtain addressing

•  Build initial addressing architecture

•  What content are you serving?

Pre-Deployment Phases Deployment

Phases

•  Peering capabilities •  Internet Edge (ISP, Apps)

•  Campus IPv6 integration options

•  Data Center integration options

•  WAN IPv6 integration options

•  Execute on gaps found in assessment


Architectural Scope of IPv6 Deployment

Planning and coordination is required from many across the organization, including … ü Network engineers & operators ü Security engineers ü Application developers ü Desktop / Server engineers ü Web hosting / content developers ü Business development managers ü …

Moreover, training will be required for all involved in supporting the various IPv6 based network services Build your IPv6 Transition Team


Building the IPv6 Address Plan

§ Methods –  Follow IPv4 (/24 only), Organizational, Location, Function based

§ Hierarchy is key (using 16 bits for subnetting) –  8 bits = (256) Regions (states, counties, agencies, etc..) –  4 more bits = (16) Sub Levels within those Regions –  4 more bits = (16) Traffic Types (Admin, Guest, Telephony, Video, etc..)

§ Cisco IPv6 Addressing White Paper –  http://www.cisco.com/go/IPv6

§ Monotonically (1000, 2000, 3000, etc.) vs. Sparse (0000, 4000, 8000, c000 )

21


Prefix Length Considerations

22

§  /64 everywhere a host

§  /127 Point to Point –  out of a single /64 –  1&2 not in same subnet

§  /128 Loopback –  out of a single /64

§  /64, /64, /64

Pt 2 Pt /127

WAN

Core /64 or /127

Servers /64

Hosts /64

Loopback /128


ULA, ULA or LL + Global, Global-only

23

Corporate Backbone Branch 2

Branch 1 Corp HQ

ULA Space FD9C:58ED:7D73::/48 Global – 2001:DB8:CAFE::/48

FD9C:58ED:7D73:2800::/64 2001:DB8:CAFE:2800::/64

Internet

FD9C:58ED:7D73:3000::/64 2001:DB8:CAFE:3000::/64

FD9C:58ED:7D73::2::/64 2001:DB8:CAFE:2::/64

Global – 2001:DB8:CAFE::/48

LL – Topology Hiding, Reduces Prefix Count, Need ULA or Global to Manage Devices ULA – Topology Hiding, No External Troubleshooting w/o Global Loopbacks

Global – Enablement of Applications & Management, Requires Good FW Skills


RFC 6724 – Default Address Selection

§  Scope, Preferred over Deprecated, Native over Transitional, Temporary over Public

§ Must support application override API, Choice of v6 or v4 is application dependent

§ Network Connection Status Indicator (NCSI)

Application Layer

TCP/UDP

IPv6 IPv4

Network Interface Card

Temporary Preferred 2001:0db8:2301:1:bd86:eac2:f5f1:39c1 DHCP Preferred 2001:0db8:2301:1:202:8a34:bead:a136 Link Preferred fe80::202:8a34:bead:a136

RFC 6555


RIPng – UDP 521, 15 hops FE80::/64 Source à FF02::9 Destination

IS-IS – CLNS, Wide Metric Support IPv4 & IPv6 (2 new TLV’s added) Single Topology, Multi Topology, Multi Instance

OSPFv3 – IP 89 FE80::/64 Source à FF02::5 (all), FF02::6 (DR’s) Link-LSA (8) – Local Scope, NH Intra-Area-LSA (9) – Routers Prefix’s Use Inter-Area-Prefix (3) – Between ABR’s

EIGRP – IP 88 FE80::/64 Source à FF02::A Destination 2 New TLV’s – internal-type & external-type No Split Horizon, Auto Summary Disabled

IGP’s

25


IPv6 Deployment Options

Translation Services IPv4 IPv6

Tunneling Services

IPv4 over IPv6 IPv6 over IPv4

Dual Stack

Recommended Enterprise Co-existence Strategy

IPv6 IPv4


Where do I start? § Core-to-Access – Gain experience with v6

§  Turn up your servers – Enable the experience

§  Access-to-Core – Securing and monitoring

§  Internet Edge – Business continuity

Servers

Branch Access

WAN

Campus Core ISP ISP

Internet Edge

Access Layer


IPv6 Host Portion Address Assignment Similar to IPv4 New in IPv6

Manually configured State Less Address Auto Configuration SLAAC EUI64

SLAAC Ephemeral Addressing

Assigned via DHCPv6

*Secure Neighbor Discovery SeND


Router Solicitation and Advertisement § Router solicitations (RS) are sent by nodes at boot up

§ Host needs an RA to finish building it’s Address’s

RS

ICMP Type 133 IPv6 Source FE80::A IPv6 Destination FF02::2 Option 1 SRC Link Layer Address

RA

ICMP Type 134 IPv6 Source FE80::2

IPv6 Destination FE80::A Data Options, subnet prefix,

lifetime, autoconfig flag

RS RA

A


RA Message § M-Flag – Stateful DHCPv6 to acquire an IPv6 address

§ O-Flag – Stateless DHCPv6 in addition to SLAAC

§ H-Flag – Mobile IP home agent

§  Preference Bits – Low, Med, High

§ Router Lifetime – Must be >0 for Default

§ Options - Prefix Information, Prefix Length

§  L bit – Only way a host get a On Link Prefix

§  A bit – Set to 0 for DHCP to work properly

Type: 134 (RA) Code: 0 Checksum: 0xff78 [correct] Cur hop limit: 64 ∞ Flags: 0x84 1… …. = Managed (M flag) .0.. …. = Not other (O flag) ..0. …. = Not Home (H flag) …0 1… = Router pref: High Router lifetime: 1800 Reachable time: 60000 Retrans timer: 1000 ICMPv6 Option 3 (Prefix Info) Prefix length: 64 ∞ Flags: 0x80 1… …. = On link (L Bit) .0.. …. = No Auto (A Bit) Prefix: 2001:0db8:4646:1234:: RA


Disabling Ephemeral Addressing

32

§  Enable DHCPv6 via the M flag §  Disable auto configuration via the A bit in option 3 §  Enable Router preference to high §  Enable DHCPv6 relay

ipv6 unicast-routing ! interface fastEthernet 0/0 ipv6 address 2001:db8:6666:acc1::/64 eui-64 ipv6 nd managed-config-flag ipv6 nd prefix 2001:db8:6666:acc1::/64 no-autoconfig ipv6 nd router-preference high ipv6 dhcp relay destination 2001:db8:add:café::1


IPv6 Snooping

IPv6 First Hop Security (FHS)

IPv6 FHS RA

Guard DHCPv6 Guard

Source/Prefix Guard

Destination Guard

Protection: •  Rouge or

malicious RA •  MiM attacks

Protection: •  Invalid DHCP

Offers •  DoS attacks •  MiM attacks

Protection: •  Invalid source

address •  Invalid prefix •  Source address

spoofing

Protection: •  DoS attacks •  Scanning •  Invalid

destination address

RA Throttler

ND Multicast Suppress

Reduces: •  Control traffic

necessary for proper link operations to improve performance

Core Features Advance Features Scalability & Performance

Facilitates: •  Scale

converting multicast traffic to unicast


First Hop Security for Wireless IPv6 Clients

34

IPv6 VLAN

Ethernet

IPv6 802.11

IPv6 RA 802.11

§  RA Guard - enabled at AP by default, always on at the controller §  DHCPv6 Guard – blocks client side DHCPv6 Advertise packets §  Source Guard – prevents client spoofing, enabled at controller by default §  Address Accounting – RADIUS “Framed-IP-Address” attribute


ipv6 snooping policy HOST tracking enable limit address-count 2 ! interface GigabitEthernet1/0/2 switchport access vlan 200 switchport mode access ipv6 snooping attach-policy HOST

Access Layer Configuration Example

35

ipv6 nd raguard policy HOST ipv6 nd raguard policy ROUTER device-role router ! interface vlan 200 ipv6 nd raguard attach-policy HOST ! interface GigabitEthernet1/0/0 description Router Port ipv6 nd raguard attach-policy ROUTER

§ RA Guard Host & Router –  Host = RA/DHCP Guard, no Redirect

§  IPv6 ND Inspection –  Incl. RA/DHCP Guard, Src/Dst Gaurd


RA Throttler

Router Solicitation (RS)

Triggered (RA)

§  Scaling the 802.11 multicast reliability issues §  NDP process is multicast “chatty”, consumes airtime §  Rate limit RA’s from the legitimate router §  Inspect the RS, convert the responding RA to L2 Unicast

Periodic (RA’s)


ND Multicast Suppression

(NS)

00:24:56:75:44:33 2001:db8:0:20::2 00:24:56:11:93:28 2001:db8:0:20::4

(Unicast NA)

§  Scaling the 802.11 multicast reliability issues §  NDP process is multicast “chatty”, consumes airtime §  Caching allows the Controller to “proxy” the NA, based on gleaning §  Intercepting the NS and unicasting it over L2 to the target

2

4


How Does Cisco Solve IPv6 Mobility?

38

R1

R2

Anchor

Foreign

Mobility Tunnel

Unicast RA

Mcast RA

Roaming Client

§  Roaming client must be able to receive the original router advertisement §  Controllers must be part of the same mobility group domain §  The anchor controller sends the RA to the foreign in the mobility tunnel §  AP convert’s multicast RA to an L2 unicast (MC2UC)


HSRP for IPv6

First Hop Router Redundancy Options

§  Modification to Neighbor Advertisement, router Advertisement, and ICMPv6 redirects

§  Virtual MAC derived from HSRP group # and virtual IPv6 LLA

HSRP Standby

HSRP Active

Neighbor Unreachability Detection •  For rudimentary HA at the first HOP, that is slow to detect

failures

•  Hosts use NUD “reachable time” to cycle next known default GW

RA Reach-time

GLBP for IPv6 •  Modification to Neighbor Advertisement, Default Gateway is

announced via RA’s from Virtual MAC

•  Active Virtual Gateway (AVG), assigns MAC’s, responds to NDP and directs hosts to Active Virtual Forwarder (AVF)

GLBP AVG AVF

GLBP AVG AVF

Default Gateway . . . . . . . . . : 10.121.10.1 fe80::211:bcff:fec0:d000%4 fe80::211:bcff:fec0:c800%4

Multicast


Address Scope Meaning FF01::1 Node-Local This Node

FF05::2 Site-Local All Routers

FF02::1 Link-Local All Nodes

FF02::2 Link-Local All Routers

FF02::5 Link-Local OSPFv3 Routers

FF02::6 Link-Local OSPFv3 DR Routers

FF02::9 Link-Local RIPng

Well Known Multicast Addresses

§  FF02, is a permanent address and has link scope

§  Link Operations, Routing Protocols, Streaming Services


IPv6 over Ethernet

§  IPv6 has a specific Ethernet Protocol ID §  IPv6 relies heavily on Multicast

Destination Ethernet Address!

Source Ethernet Address!

0x0800!!

IPv4 Header and Payload!

Destination Ethernet Address!

Source Ethernet Address!

0x86DD!!

IPv6 Header and Payload!

xx 33 33 xx xx xx

I bit = Local Admin, L bit = Multicast/Broadcast

0000 00IL


Multicast Mapping over Ethernet (RFC 2464) §  IPv6 multicast address to Ethernet mapping

§ Destination address based mechanism

FF02:0000:0000:0000:0000:0001:FF17:FC0F IPv6 Solicited Node Multicast Address

Corresponding Ethernet Address 33 33 17 FC 0F FF

FF3E:0040:2001:0DB8:CAFE:0001:11D7:4CD3 IPv6 Temporary Multicast Address

Corresponding Ethernet Address 33 33 D7 4C D3 11


IPv6 Multicast Address (RFC 4291) §  Prefix FF00::/8

8-bit 4-bit 4-bit 112-bit

1111 1111 0 R P T Scope Variable format

Flags

O Reserved

R = 0 R = 1

No embedded RP Embedded RP

P = 0 P = 1

Without Prefix Address based on Prefix

T = 0 T = 1

Well Known Address (IANA assigned) Temporary address (local assigned)

Scope 1 Node

2 Link

3 Subnet

4 Admin

5 Site

8 Organization

E Global


IPv6 Multicast Address – Unicast Based (RFC 3306)

§  Every Unicast prefix can build custom multicast addresses

§  Last 32 bits of unicast address mapped into Group ID (112 Bits) 8 Bits 4 Bits 4 Bits 8 Bits 8 Bits 64 Bits 32 Bits

1111 1111 0 0 1 1 1110 Rsvd plen Unicast Prefix Group ID

Example plen 40 = 64 bits

Prefix 2001:db8:cafe:1::

Group ID 11d7:4cd3

FF3E:0040:2001:DB8:CAFE:1:11D7:4CD3


IPv6 Embedded RP Multicast Address (RFC 3956) §  Static mapping of RP into Multicast group

§  Solves MSDP and scaling issues 8 Bits 4 Bits 4 Bits 4 Bits 4 Bits 8 Bits 64 Bits 32 Bits

1111 1111 0 1 1 1 1110 Rsvd RPid plen Unicast Prefix Group ID

Example Rsvd/RPid 0000 | 0101

Prefix 2001:db8:cafe:1::

Group ID 645

FF7E:0540:2001:DB8:CAFE:1:0000:0645

FF7E:540:2001:db8:cafe:1::645

2001:db8:cafe:1::5


IPv6 Multicast Listener Discovery (MLD) § MLD uses LL source addresses § 3 msg types: Query, Report, Done

§ MLD packets use “Router Alert” in HBH § MLDv1 = (*,G) shared, MLDv2 = (S,G) source

MLD snooping

MLD IGMP Message Type

ICMPv6 Type Function

MLDv1 (RFC2710) IGMPv2 (RFC 2236) Listener Query

Listener Report

Listener Done

130

131

132

Used to find out if there are any multicast listeners

Response to a query, joins a group

Sent by node to report it has stopped listening

MLDv2 (RFC 3810) IGMPv3 (RFC 3376) Listener Query

Listener Report

130

143

Used to find out if there are any multicast listeners

Enhanced reporting, multiple groups and sources


MLDv1 Joining a Group (REPORT)

ICMP Type 131 IPv6 Source FE80::A

IPv6 Destination FF38::276 Hop Limit 1

Group Address FF38::276 Hop-by-Hop Header

Router Alert Yes

MLD Report

A

MLD Report

B

ICMP Type 131 IPv6 Source FE80::B


Group Address FF38::276 HBH Extension Header

Router Alert Yes (S, G

) Source

FF38::276


MLDv1 Leaving a Group (Done)


IPv6 Dst. FF02::2 Hop Limit 1

Group FF38::276 Hop-by-Hop Header

Router Alert Yes

MLD Done

A

MLD Report

B

ICMP Type 130 IPv6 Source FE80::C

IPv6 Dst. FF38::276 Hop Limit 1

Hop-by-Hop Header Router Alert Yes

Query

C ICMP Type 131

IPv6 Source FE80::B IPv6 Dst. FF38::276 Hop Limit 1

Group FF38::276 Hop-by-Hop Header

Router Alert Yes


MLDv2 Joining a Group (Report)



# of Records Include/exclude Group Address FF38::4000:BA11

Hop-by-Hop Header Router Alert Yes

MLD Report

A I wish to receive FF38:4000:BA11

(S, G)

Source FF38::4000:BA11


MLD Multicast Maintenance (Query)

§ General Query §  FF02::1 §  Group list empty, who’s listening?

§ Group Specific Query §  FF38::4000:BA11 §  Anyone still interested in this stream?

§ Group & Source Specific Query §  2001:DB8:CAFÉ::1, FF38::4000:BA11

§  Filter Mode, Change Record

§ Multiple routers on link §  Lowest address value assumes Querier role

A Q

uery


IPv6 Anycast RP Redundancy

§ Designate a primary and a secondary RP for the Anycast group.

§ Configure Primary RP with longest prefix, secondary has the shorter prefix

§ Distribute loopback interfaces routes into IGP

Primary RP Secondary RP

Loopback 1 2001:db8:fab0::1/48

Loopback 1 2001:db8:fab0::1/47


Zeroconf over IPv6 §  Apple (Bonjour) has a light weight approach, adopted quicker

§  FF02::FB – Multicast DNS – mDNS

§ Microsoft (Rally) has a more robust, heavier implementation, has moved slower

§  FF02::C – Simple Service Discovery Protocol – SSDP, UPnP

§  FF02::1:3 – Link Local Multicast Name Resolution – LLMNR (File Sharing enabled)

Personal Computer Operating Systems •  Windows •  Mac OS X •  Linux

Appliances & Networking •  Printers •  Access Points •  Switches •  Routers

AV Equipment •  Speakers •  Cameras •  Displays •  AV Receivers


Why Service Discovery Gateway

Same L2 Domain

Where’s my Printer?

Different L2 Domain

I’m here! Talk to me...


Why Service Discovery Gateway

L2 Domain

Where’s my

Printer?

Different L2 Domain

Nobody's talking to

me!?

Service Browsing


Service Discovery GW

§ Cached at Gateway. Service, Type, Location

§  Service Discovery & Access Control = Better Together

VLAN 200 Training ATV RAOP VLAN 100

CTO Office IPP VLAN 200

name Other VLAN XYZ R

AO

P!

IPP

!

VLAN 200

VLAN 100

Data Center


Migrating Applications to IPv6

58

§  If an application is protocol centric (IPv4): § Needs to be rewritten – Probably not going to happen

§ Pressure vendors to move to protocol agnostic framework § RFC 3493 – Open Socket Call, 64 bit structure align to HW § RFC 3542 – Raw Socket, ping, Traceroute, r commands § Know whether your app displays or accept an IPv6 address § 198.51.100.44:8080 à [2001:db8:café:64::26]:8080


NDP Scaling Issues in the DC

§  Large DCs with very dense hosts populations can cause severe performance problems on the control plane of switches due to IPv4 and IPv6 ‘control’ traffic

§ NDP scaling paper (Lessons learned from production deployments)

59

§ NUD Reachable Time: ipv6 nd reachable-time time-in-milliseconds

§ NUD Retry Interval: ipv6 nd nud retry base interval-in-milliseconds max-attempts

§  Scavenge and Refresh Timer: ipv6 nd cache expire time-in-seconds § Unsolicited NA Glean: ipv6 nd na glean § Glean rate limiter: mls rate-limit unicast cef glean <pps> <burst>


DHCPv6 Protocol Details

DHCP Messages IPv4 IPv6 Client à Server (1) DISCOVER SOLICIT Server à Client (2) OFFER ADVERTISE Client à Server (3) REQUEST REQUEST Server à Client (4) ACK REPLY

§  FF02::1:2 = All DHCP Agents (servers or relays, Link-local scope) §  FF05::1:3 = All DHCP Servers (Site-local scope) §  Clients listen on UDP port 546; Servers/relays on UDP port 547 §  Rapid Commit, 2 packet exchange. Solicit/Reply, client sets for options §  ipv6 dhcp relay destination replaces ip helper address


IPv6 and DNS

Function IPv4 IPv6

Hostname to

IP Address

A Record www.abc.test. A 192.168.30.1

AAAA Record (Quad A) www.abc.test AAAA 2001:db8:C18:1::2

IP Address To

Hostname

PTR Record 1.30.168.192.in-addr.arpa. PTR www.abc.test.

PTR Record 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.

§  Add AAAA records in DNS server for hostnames that have IPv6 enabled

§  Automatically generate accompanying (PTR) records

§  Enable IPv6 access to the authoritative DNS servers

§  Be sure that TCP/53 and UDP/53 can be accessed through IPv6

§  Enable IPv6 connectivity to external resolvers that send DNS queries


FCIPv6

62

§  Tunnel Protocol for Fiber Channel over an IP infrastructure

§ RFC 4404 – Entity Address Size IPv4 (4) or IPv6 (16)

§ MDS 9x00 Series –  out-of-order delivery, jumbo frames, traffic shaping, TCP optimization


iSCSI/VRRP for IPv6

§  Same configuration requirements and operation as with IPv4

§ Configure VRRP address to be the same as physical interface of “primary”


•  Server supports IPv4 and IPv6

•  Internal & external

•  Server supports IPv4 & IPv6

•  Standards compliant

•  Integrated DNS and DHCP

•  Configuration and reporting

•  DNSSEC caching •  DNS64 support

DHCP DNS IPAM DNS Caching

§  SNMPv3 over IPv6 and managing IPv6 MIB’s §  Protocol Version Independent (PVI) manage the same OID’s (RFC’s 4292, 4293) §  NetFlow, Deep Packet Inspection, IPSLA, all work with IPv6 §  Wireshark, Packet analysis, MRTG, Netflow collectors, etc..

Network Management

Internet Edge


Internet Edge to ISP §  Do you support dual stack peering? §  Do you have a separate (SLA) for IPv6? §  Do you support BGP peering over IPv6? §  What is the maximum prefix length?

§  What about DNS…

Hosted Cloud Service §  Maximum prefix length offered by the cloud provider? §  Access to provisioning and billing portal over IPv6? §  Global IPv6 addressing for VM’s in your environment?

ISP-A ISP-B

Routing

Switching

Services


Internet Edge to ISP

67

Single Link Single ISP

Dual Links Single ISP

Multi-Homed Multi-Region

Enterprise

ISP 1

Default Route

Enterprise

POP1

POP2

ISP 1

Enterprise

ISP 1

ISP2

USA

ISP4

ISP3

BGP BGP IPv6

Tunnel IPv4-only

Your ISP may not have IPv6 at the local POP Europe


Dual Stack the Internet Edge

§  Most design elements should be like IPv4

§  No translation in this design

§  Single ISP or multi-ISP will change BGP slightly

§  Keep a careful eye out on limitations in SW/HW and/or security details

§  You may have to embrace SLB64/Proxy/NAT64 for IPv4-only apps

§  Dual stack along the traffic flow from client-to-server

§  LISP (Locator/ID Separation Protocol) as a means to deal with non-IPv6 capable ISPs

ISP 1 ISP 2 Internet

Enterprise Core

Web, Email, Other

Internal Enterprise

Edge Router

Outer Switch

Security Services

Inner switching/ SLB/Proxy/ Compute


Translation Techniques

69

Application Support

Server Load Balancer Stateful NAT64

IPv6

IPv4

Client Visibility

IPv4

IPv6

SW = Poor Performance

Proxy

IPv6

IPv4

IPv6 Internet

IPv4 Internet

IPv6 Internet


IPv6/IPv4 Translation

70

§ Easy to get – Router, Firewall, SLB, Proxies §  Instantly hooked – Fastest path to delivering

apps over IPv6 § Both methods are useful with caution

§ Need to examine the best location for translation

§ Put translation as deep into DC/IE as possible (get full visibility of IPv6)

SLB64 v6 v4 v4

v4

v4

v6 v4

Stateful NAT64

NAT64 – Routers/ASA


ISP-A

Enterprise Core

N5k

Servers WWW

ISP-B

UCS Servers

SLB64 – Citrix Netscaler

§  OS/App dictate design parameters

§  Time to deploy

§  IPv6 North

SLB Boundary

§  IPv4 South

§  Translation & SLB are done on same platform


X-Forwarded-For (XFF)

72

§  Source IP of client requests will be logged as the SNAT or other NAT’ed address

§  You want to log the real source address – X-Forwarded-For (XFF) in HTTP

cisco@ie-web-01:/$ tail -f /var/log/apache2/access.log 10.140.19.250 - - [25/Oct/2011:11:41:03 -0600] "GET / HTTP/1.1" 304 210 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)”

Hypertext Transfer Protocol GET / HTTP/1.1\r\n x-forward: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5\r\n

serverfarm WEB_V6_V4_SF

insert-http x-forward header-value "%is" ACE Policy Map – “is” = Source IP Address


NAT64

73

§  Stateless NAT (~ASA static) –  RFC 6145 (IP/ICMP Translation Algorithm) –  Consumes an IPv4 address for each IPv6-only device

§  Stateful NAT (~ASA dynamic) –  RFC 6146 (Framework for IPv4/IPv6 Translation) –  Can aggregate many IPv6 users to single (or more) IPv4 address –  Used mainly where IPv6-only clients need to access IPv4 servers –  Only supports IPv6-initiated flows –  Similar as IPv4-to-IPv4 PAT works, a translation table is required

Version IHL Type of Service Total Length

Identification Flags Fragment Offset

Time to Live Protocol Header Checksum

Source Address

Destination Address

Version Traffic Class Flow Label

Payload Length Next Header Hop Limit

Source Address

Destination Address

§  TCP/UDP/ICMP Unicast traffic only


To NAT or NOT

74

§  Today, NAT44 & RFC1918 §  All PA or all PI and peering in multiple regions

–  PI from one region and run it everywhere? –  ISP in one region reject PI block from another? –  What about translation?

§ NPTv6 – Translating your prefix for multi-homing –  RFC6296 – IPv6-to-IPv6 Network Prefix Translation –  STUN, TURN, ICE will all be used like with IPv4

§ NAT ≠ Firewall – RFC 4864 (Local Network Protection)

§ NAT ≠ Firewall – RFC 7021 (Impact of CGN on Applications)

Firewall+NAT Internet

Some enterprises are getting a prefix per RIR and only deploying one.

Building backup plans with the others

Available on ASR, ISR G2 and more in the future


IPv6 Bogon and Anti-Spoofing Filtering

75

§  Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt

§  Anti-spoofing (RFC2827, BCP38), Multi homed filtering (RFC3704, BCP 84)

§  uRPF – Unicast Reverse Path Forwarding

IPv6 Intranet

Inter-Networking Device with uRPF Enabled

XIPv6 Intranet/Internet

No Route to SrcAddr => Drop


Securing the Edge, FW and/or Perimeter Router

§  Address Range –  Source of 2000::/3 at minimum vs. “any”

§  ICMPv6 –  Error types thru, NDP too, RFC 4890

§  Extension Headers –  Allow Fragmentation, block HBH, block RH type 0, others as needed

§  Ingress Filter –  RFC 2827, BCP 38

§  IPv6 ACL’s


Key Take Away

77

§ Gain Operational Experience now

§  Security enforcement is possible

§ Control IPv6 traffic as you would IPv4

§  “Poke” your Provider’s

§  IPv6 is here now are you?


Call to Action… §  Visit the Cisco Campus at the World of Solutions to experience the following

demos/solutions in action: Speaker to add relevant demos/areas to visit from the campus demos list

§ Get hands-on experience with the following Walk-in Labs Speaker to add the relevant walk in labs from the list

§ Meet the Engineer Speaker to specify when will they be available for ad-hoc meetings at the MTE village, and provide other recommended names…

§ Discuss your project’s challenges at the Technical Solutions Clinics §  Attend one of the Lunch Time Table Topics, held in the main Catering Hall § Recommended Reading: For reading material and further resources for this

session, please visit www.pearson-books.com/CLMilan2014 §  CL365 -Visit us online after the event for updated PDFs and on-demand

session videos. www.CiscoLiveEU.com

78


Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.

Complete Your Online Session Evaluation

§ Complete your session evaluation online now through either the mobile app or internet kiosk stations.

79

Technology

Enterprise IPv6 Deployment CLEUR