IPv6 deployment in ONE
Author: Goran Rumenovski, Packet Transport Network Engineer, e-mail: [email protected]
Co-Author: Vladimir Stefanov, Packet Transport Network Engineer, e-mail: [email protected]


On 03 Feb 2011 the RIPE NCC (Network Coordination Center) stated that the IPv4 address space would be exhausted in the coming period:
http://www.ripe.net/internet-coordination/ipv4-exhaustion

What does this mean?
When the RIPE NCC starts to allocate from the last /8 of IPv4 address space, an LIR may receive only a /22 (1,024 IPv4 addresses), even if they can justify a larger allocation. No new IPv4 Provider Independent (PI) space will be assigned.

In our company this statement raised an alarm and pushed us to find a solution.

SOLUTION:
- NAT IPv4 implementation
- IPv6 deployment

IPv6 development in ONE:
2009: Becoming aware of the new technology
2010: First IPv6 tunnel using a tunnel broker and first published website
2011: IPv6 allocation from RIPE. Native IPv6 peering. Participation in World IPv6 Day. 3-star RIPEness
2012: Dual-stack-enabled enterprise services. Participation in World IPv6 Day. 4-star RIPEness

How to get started:
- IPv6 Discovery
- IPv6 Assessment
- IPv6 Planning and Designing
  * dual stack, hybrid, block model
  * get your own v6 prefix
- IPv6 Implementation
- Network optimization

IPv6 prefix assignments:
- Service provider (LIR): /32
- Large end user, Organization: /48
- Small end user: /56
- SOHO: /64 or /60

Do not count available hosts per subnet. It makes no sense!

Planning and designing your own IPv6 infrastructure:
- understanding the IPv6 128-bit address format
- addressing by location (example: 2A01:5B8:FEED:HEX1(location)HEX2(desktop/server/DMZ/infrastructure)HEX3&4(VLAN number)::(host IPv6)/64)
- addressing by type (example: 2A01:5B8:FEED:HEX1&2(desktop/server/DMZ/infrastructure)HEX3&4(location)::(host IPv6)/64)
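The two layouts above, worked through as an added example (not code from the presentation): the fourth hextet is packed from the location, type and VLAN fields, and each scheme is returned with the aggregate prefix a single firewall rule could match. The type code points, the field widths read from HEX1..HEX4, and storing the VLAN number as its numeric value are assumptions.

```python
import ipaddress

SITE = ipaddress.IPv6Network("2a01:5b8:feed::/48")  # /48 from the page's examples
# Hypothetical code points: the page names these categories, not their values.
TYPES = {"desktop": 0x1, "server": 0x2, "dmz": 0x3, "infrastructure": 0x4}

def subnet(hextet: int, prefixlen: int) -> ipaddress.IPv6Network:
    """Place a 16-bit subnet ID in the fourth hextet and mask to prefixlen."""
    base = int(SITE.network_address) | (hextet << 64)
    return ipaddress.IPv6Network((base, prefixlen), strict=False)

def by_location(location: int, kind: str, vlan: int):
    """HEX1 = location, HEX2 = type, HEX3&4 = VLAN (assumed stored as its value)."""
    if not (0 <= location <= 0xF and 0 <= vlan <= 0xFF):
        raise ValueError("location needs 1 hex digit, VLAN needs 2")
    hextet = (location << 12) | (TYPES[kind] << 8) | vlan
    # The /52 aggregate covers every subnet at this location.
    return subnet(hextet, 64), subnet(hextet, 52)

def by_type(kind: str, location: int):
    """HEX1&2 = type, HEX3&4 = location."""
    if not 0 <= location <= 0xFF:
        raise ValueError("location needs 2 hex digits")
    hextet = (TYPES[kind] << 8) | location
    # The /56 aggregate covers this type at every location: one filter entry.
    return subnet(hextet, 64), subnet(hextet, 56)

if __name__ == "__main__":
    for label, (lan, aggregate) in (
        ("by location", by_location(1, "dmz", 3)),
        ("by type", by_type("dmz", 1)),
    ):
        print(f"{label:12} subnet {lan}  aggregate {aggregate}")
```

Addressing by type lets one prefix describe "all DMZ segments" in a filter, while addressing by location lets one prefix describe "everything at site 1"; the choice decides which of those policies stays a single line.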

Where to go next:
- Test applications
- Evaluate impact on existing infrastructure
- Ensure new purchases are IPv6 compatible (HW/SW)
- Train your staff
- Start small
- Enable your website
  * Dual stack
  * native IPv6 or NAT-PT (or SLB-PT)
- Enable internal connectivity. Pilot IPv6 in your network
- Contact your service provider and investigate possibilities for NAT64/DNS64

IPv6 advantages:
- Added addresses
- Stateless autoconfiguration
- Simplifies routing
- Fewer header fields
- Supports IPsec natively
- Improved Mobile IP support
- QoS support: flow label potential
- Native multicast
- Includes anycast
- Backward compatible
- Extensible

IPv6 Transition Techniques:
- Dual stack
- Tunnel/Encapsulation
  * configured tunnels
  * automatic tunnels
    6to4
    ISATAP
    Tunnel Broker with TSP
    Teredo
  * NAT64
- Application layer gateways
  * Proxy
  * Load balancer

Some security considerations:
- Controlling access for v4 and v6
- Eliminate undesired traffic
- Configure your IPv4 firewall to drop protocol 41 to prevent Internet hosts from using IPv6 over IPv4 tunneled traffic
  * 6to4 (protocol 41), ISATAP (protocol 41)
  * Teredo (UDP port 3544)
- Misconfigured network devices and DNS server
- Stateful firewall between private IPv6 hosts and the Internet
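A check for the tunnel traffic named above, as an added example that is not part of the original slides: it inspects raw IPv4 headers for protocol 41 and for Teredo's UDP port 3544. Exempting the endpoints of the presentation's own Tunnel100 is an assumption of this example, and the sample packets are constructed.

```python
import ipaddress
import struct

# Assumption: protocol 41 between the page's Tunnel100 endpoints is sanctioned.
SANCTIONED = {frozenset({"217.16.64.24", "212.158.191.162"})}
TEREDO_PORT = 3544

def classify(pkt: bytes) -> str:
    """Return 'allow' or a drop reason for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "drop: bad header length"
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto == 41:  # 6to4, ISATAP and configured tunnels all use protocol 41
        if frozenset({src, dst}) in SANCTIONED:
            return "allow"
        return "drop: protocol 41 tunnel"
    # UDP ports are only present in the first fragment of a datagram.
    first_fragment = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0
    if proto == 17 and first_fragment and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "drop: Teredo"
    return "allow"

def ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet for testing (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def udp(sport: int, dport: int) -> bytes:
    """Build a constructed, empty UDP header."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed samples (documentation addresses, except the page's tunnel pair).
SAMPLES = {
    "stray 6in4": ipv4("198.51.100.7", "203.0.113.9", 41),
    "own tunnel": ipv4("217.16.64.24", "212.158.191.162", 41),
    "teredo": ipv4("192.0.2.10", "203.0.113.9", 17, udp(50000, 3544)),
    "dns": ipv4("192.0.2.10", "203.0.113.9", 17, udp(50000, 53)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} {classify(pkt)}")
```

A blanket protocol 41 drop would also cut a network's own configured tunnels, which is why the sanctioned endpoint pair is matched before the drop.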

PREPARATION/DEPLOYMENT IN ONE for IPv6 day 2011 (08 June)
Steps undertaken on eBGP routing equipment (upstream peering):
Step 1a. IPv6 BGP implementation to Telekom Slovenia (leader in IPv6 implementation at that time)

! Upstream link towards Telekom Slovenia
interface Port-channel 1.487
 description upstream - TelekomSlovenija
 ipv6 address 2A00:EE0:5:18::2/64
 ipv6 enable

interface Loopback2
 description LOOPBACK_ipv6
 ipv6 address 2A01:5B8::1/64
 ipv6 enable

! eBGP session to the upstream (AS 5603) over IPv6
router bgp 16333
 neighbor 2A00:EE0:5:18::1 remote-as 5603
 neighbor 2A00:EE0:5:18::1 description IPV6-TELEKOM_SLOVENIJA

PREPARATION/DEPLOYMENT IN ONE for IPv6 day 2011 (08 June)
Steps undertaken on eBGP routing equipment (upstream peering):
Step 1b. IPv6 BGP implementation to Telekom Slovenia (leader in IPv6 implementation at that time)

 address-family ipv6
  no synchronization
  network 2A01:5B8::/32
  neighbor 2A00:EE0:5:18::1 activate
  neighbor 2A00:EE0:5:18::1 soft-reconfiguration inbound
 exit-address-family

! Static route to Null0 (administrative distance 240) keeps the /32 in the
! routing table so that the network statement above can advertise it
ipv6 route 2A01:5B8::/32 Null0 240

#sh bgp ipv6 unicast summary
Neighbor          V    AS  MsgRcvd  MsgSent   TblVer  InQ  OutQ  Up/Down  State/PfxRcd
2A00:EE0:5:18::1  4  5603   175953    17967  2043948    0     0  5d17h    8967

PREPARATION/DEPLOYMENT IN ONE for IPv6 day 2011 (08 June)
Steps undertaken on eBGP routing equipment (upstream peering):
Step 2. IPv6 implementation on CORE routers (static routes)

main bgp router#
ipv6 route 2002::/16 Tunnel102
ipv6 route 2A01:5B8:D910::/48 2A01:5B8:0:1::F
ipv6 route 2A01:5B8:FAAA::/48 2A01:5B8:FAAA:101::1
ipv6 route 2A01:5B8:FEED::/48 2A01:5B8:FEED:101::1

core router#
interface GigabitEthernet1/24
 description Link to Yoda ipv6-gateway
 no ip address
 ipv6 address 2A01:5B8:0:1::1/64
 ipv6 enable

default route:
ipv6 route ::/0 2A01:5B8:0:1::2

PREPARATION/DEPLOYMENT IN ONE for IPv6 day 2011 (08 June)
Steps undertaken on routing equipment:
Step 4. Bypass IPv4 infrastructure with 6to4 tunnels

interface Tunnel100
 description TUNNEL_IPV6IP_FOR_IT (IPV6_SUBNET_2a01.5b8.feed::/48)
 no ip address
 ipv6 address 2A01:5B8:FEED:101::2/64
 ipv6 enable
 tunnel source 217.16.64.24
 tunnel destination 212.158.191.162
 ! IPv6 carried directly in IPv4 (protocol 41) between these two endpoints
 tunnel mode ipv6ip

IPv6 real connectivity test and troubleshooting on network equipment

#traceroute ipv6 ipv6.google.com
Translating "ipv6.google.com"...domain server (217.16.69.3) [OK]
Type escape sequence to abort.
Tracing the route to ipv6.l.google.com (2A00:1450:4016:800::1010)
 1 2A00:EE0:5:18::1 [AS 5603] 16 msec 16 msec 16 msec
 2 2A00:EE0:0:216::2 [AS 5603] 20 msec 32 msec 20 msec
 3 de-cix20.net.google.com (2001:7F8::3B41:0:2) [AS 5603] 84 msec 80 msec 76 msec
 4 2001:4860::1:0:10 [AS 5603] 36 msec 2001:4860::1:0:11 36 msec 2001:4860::1:0:10 36 msec
 5 2001:4860::8:0:3015 [AS 5603] 36 msec 36 msec 36 msec
 6 2001:4860::1:0:336C [AS 5603] 136 msec 44 msec 44 msec
 7 2001:4860:0:1::535 [AS 5603] 44 msec 44 msec 44 msec
 8 2A00:1450:8000:1E::4 [AS 5603] 88 msec 88 msec 88 msec

ping ipv6 ipv6.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A00:1450:4016:800::1010, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/44 ms

#ping ipv6 ipv6.on.net.mk
Translating "ipv6.on.net.mk"...domain server (217.16.69.3) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A01:5B8:FAAA::D910:5F4C, timeout is 2 seconds:
.H.H.
Success rate is 0 percent (0/5)

#ping ipv6 ipv6.one.mk
Translating "ipv6.one.mk"...domain server (217.16.69.3) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A01:5B8:FEED:1303::28, timeout is 2 seconds:
!!!!!

- Official participation in World IPv6 Day in 2011 (8 June)
http://www.worldipv6day.org/ipv6-enabled-websites/index.html

IPv6 Enabled Websites
The IPv6 standards have been stable for many years. Networks, websites, equipment and operating system vendors have been developing and deploying IPv6 during the standards development process and continue to do so.
Here is a set of websites that have IPv6 enabled today and who have contacted us supporting the World IPv6 Day effort. You can visit them using IPv6 today:
IPv6 Enabled Websites: on.net.mk

- How to check that a portal is IPv6 ready:
1. http://ipv6.one.mk
2. http://ipv6.on.net.mk
3. http://ipv6.google.com

http://ripeness.ripe.net/pies.html
https://labs.ripe.net/Members/becha/ipv6-ripeness-how-to-reach-the-stars
http://eggert.org/meter/ipv6.html

FUTURE PLANS for IPv6 expansion in ONE:
- Dual stack deployment in Packet Mobile (GGSN, SGSN)
- Dual stack deployment for PPPoE users (BRASs)
- Dual stack deployment on all hosted web portals

The first commercial request for deployment of IPv6/IPv4 dual stack awareness came from Google for their GGC (Google Global Cache) nodes deployed in ONE.

IPv6 is a must, not an option!!!!

The question remains: will we be ready for IPv6, or will we wait to be surprised by IPv6?

ACT NOW!!!!!

QUESTIONS

THANK YOU