IPv6 Are we there yet?. 2IPv6@Belnet9/09/2015 Problem The Internet keeps growing Running out of IPv4...
40
IPv6 Are we there yet?
-
Upload
aubrey-atkinson -
Category
Documents
-
view
214 -
download
0
Transcript of IPv6 Are we there yet?. 2IPv6@Belnet9/09/2015 Problem The Internet keeps growing Running out of IPv4...
IPv6
Are we there yet?
2IPv6@Belnet19/04/23
Problem
The Internet keeps growing
Running out of IPv4 addresses
Running out of time!
Problem
3IPv6@Belnet19/04/23
4IPv6@Belnet19/04/23
Original Design
Network of networks
Packet-based network
Unique addresses
End-to-end connectivity
Layered design
5IPv6@Belnet19/04/23
Quick fixes
Address Resource Management
CIDR
NAT
Rethinking IP, start in 1992
6IPv6@Belnet19/04/23
Extending IPv4 lifetime
NAT– CPE NAT
– Carrier-grade
CIDR
7IPv6@Belnet19/04/23
8IPv6@Belnet19/04/23
Internet Resources
Addresses (IPv4/IPv6) + ASN
Hierarchical manner (top-down)
Goals of the Internet Registry System– Uniqueness
– Aggregation
– Conservation
– Registration
9IPv6@Belnet19/04/23
IPv4 depletionHow many IPv4 addresses?
232 = ~4,3 billion IPv4 addresses
10IPv6@Belnet19/04/23
What is left?
IANA allocates /8 to RIRs
256 /8s is the entire IPv4 Internet
Beginning of 2010, IANA had 26 /8s left
In February 2011, IANA allocated the last /8
Even RIR’s are running out…– APNIC handed out last /8 in April 2012
– Microsoft – Nortel trade of IPv4 blocks
– Asking legacy holders to become LIR or sponsorship.
– Ripe is exhausting rapidly
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
11IPv6@Belnet19/04/23
What is left?
12IPv6@Belnet19/04/23
What is left?
http://www.potaroo.net/tools/ipv4/index.html
13IPv6@Belnet19/04/23
IPv6 Islands…
Addresses (IPv4/IPv6) + ASN
Hierarchical manner (top-down)
Goals of the Internet Registry System– Uniqueness
– Aggregation
– Conservation
– Registration
14IPv6@Belnet19/04/23
IPv6 to the rescue
It is clear that we need a better solution
IPv6 to solve address exhaustion
Extra features built in
IPv6 exists for 16 years
Time to act now!
IPv6 to the rescue
15IPv6@Belnet19/04/23
16IPv6@Belnet19/04/23
Improved features
Better support for mobility
Security, IPSec
Auto-configuration
Routing (simpler header, flexible
extensions, aggregation)
IPv6 Multicast, more addresses
17IPv6@Belnet19/04/23
More…
…IP addresses !!!!!
128 bits instead of 32 bits
2128 addresses, 3.4×1038 addresses
340 sextiljoen (undecillion) addresses
Let’s just say … a lot of addresses
Restore end-to end connectivity
Internet as it was meant to be!
21IPv6@Belnet19/04/23
Differences
Different types and scope of addresses
No broadcast, thus no ARP
Relies heavily on multicasting
Auto-configuration instead of DHCP?
Common to have multiple addresses on an
interface. What IP will be used to source
traffic?
22IPv6@Belnet19/04/23
IPv6 @ Belnet
2001:6a8::/32
Native, dual-stack since Jan 2003
Multiple IPv6 peerings– Geant– Transit– BNIX– Other IXes
Various services already available on IPv6
FTP, DNS, Jabber, NTP, WWW, SMTP,
Antispam Pro…
23IPv6@Belnet19/04/23
Text
Text
Text
IPv6 assignments
24IPv6@Belnet19/04/23
Belnet: active use of IPv6 (live traffic) 2013
• 10% of the Belnet customer base
IPv6: current status
Why you should run IPv6
Belnet: active use of IPv6 (live traffic) 2014
19/04/23 IPv6@Belnet 25
26IPv6@Belnet19/04/23
IPv6 elsewhere
Equipment vendors (routers, firewall, …)
Software (OS, applications, …)
Networks– Content: google, facebook (IPv6 day 8/06/2011)
– IXes
– ISPs: Comcast (US), XS4all (NL)
– CDNs: Akamai (end of 2010)
27IPv6@Belnet19/04/23
Why you should run IPv6
Experimental users
Power users
Global audience
Get your content available over IPv6
Interesting Sites
https://www.vyncke.org/ipv6status/
19/04/23 IPv6@Belnet 28
Enabling IPv6 on your network
Your action plan
Equipment inventory
Raise awareness
Get your assignment
Prepare your address plan
Get IPv6 on your DMZ
Get IPv6 on your LAN
30IPv6@Belnet19/04/23
Equipment inventory
Routers and firewalls Does it support IPv6? At full performance?
Server & Desktop OS Should be no-brainer for recent
OSes
Application software Does it depend on hard coded IPv4 addresses/ranges? If built on Apache or IIS no other problems expected...
Other networked gear Printers? Switches? RA guard, PACL; RA snooping…
31IPv6@Belnet19/04/23
Raise awareness
Your ICT
colleagues/Management Awareness of network changes
No surprises
End users Migration should be transparent
to them
Only warn when deployed on LAN
and/or Wi-Fi Via Intranets?
32IPv6@Belnet19/04/23
Prepare your address plan (1)
33IPv6@Belnet19/04/23
2001:6a8:3c80:8004:ca2a:14ff:fe15:9cb6
Belnet/32
Customer/48
Host address65536 assignable
/64 ranges
8 0 0 4L V A A
1000 0000 0000 0100
azerty
Prepare your address plan (2)
Map your IPv4 address plan into your IPv6
prefix 10.50.60.0/24 -> 2001:6a8:1234:5060::/64
Easy, but not always a good idea
Large networks need a decent IPv6 address plan
Use location / VLAN id / type of service... 2001:6a8:1234:<location><vlan>::/64
e.g. 2001:6a8:1234:0165::/64 (site 0, vlan 165)
16 bits to play with
34IPv6@Belnet19/04/23
Get IPv6 on your DMZ (1)
Requirement: firewall support! Use a separate zone if you want to test in advance
Use firewall policies similar to IPv4 policies
ICMP!
Enable IPv6 on your public servers OS + Applications
Publish AAAA records in your DNS for IPv6-
enabled services
35IPv6@Belnet19/04/23
Get IPv6 on your servers (1)
Web servers IIS and Apache: no problem
Application-specific, legacy, unknown,… Use reverse-proxy
HTTPS: One domain per IP
DNS servers Windows 2008’s DNS, BIND: no problem
Windows 2003: support very limited But IPv6 DNS server not mandatory to serve AAAA
records
39IPv6@Belnet19/04/23
Get IPv6 on your servers (2)
Mail servers Very few MTA supported
Even less antispam software IPv6 blacklisting still experimental Our advise : do not port MTA now Get Belnet Antispam Pro (Fully IPv6
compliant) !
40IPv6@Belnet19/04/23
Get IPv6 on your LAN(s)
Use a separate zone if you want to test in advance
One LAN at a time admin, students, guests, eduroam, ...
Use firewall policies similar to IPv4 policies Do not forget inbound connections as there is no more NAT!
Filtering inbound ports <1024 is good practice Filter everything incoming if you want a perfect match between
policies
Warn your power users about network changes You want to know if something is no longer working…
41IPv6@Belnet19/04/23
Get IPv6 on your LAN (cont'd)
Distribution of IPv6 addresses Router advertisement
Widely supported Limited autoconfiguration options (only DNS server, if at all) Perfect for dual stack: DHCPv4 + RAdvd
DHCPv6 Not widely supported yet (only recent MS products) Can coexist with router advertisement (DNS servers etc)
42IPv6@Belnet19/04/23
Our advice : go DHCPv4 + RA
Transitioning technologies
Tunneling technologies Tunnel broker
Belnet hosts a SiXXs.net PoP server Native addresses Specific software on routers/stations
6to4 Built-in in Windows, OSX, Apple Airport &
other home routers
Teredo Built-in in Windows,
Miredo Teredo port for Unix/Linux
43IPv6@Belnet19/04/23
Transitioning technologies
Native connectivity Dual stack
IPv6 and IPv4 on same wire/lan/frames
Advantages Easier to put on desktops, routers Control/inspect your traffic Stability, ISP support
44IPv6@Belnet19/04/23
Our advice : go dual stack
Briefly
• Follow the steps• Inventory
• Awareness
• Network plan
• DMZ + LAN
• Go Dual stack• On the WAN
• On the LAN
• Belnet is a partner• Ask us questions !
46IPv6@Belnet19/04/23
Thank You
