IPv6 strategy for deployment at ETH Switzerland
IPv6 at ETH Zurich
Armin Wittmann
Dr. A. Wittmann November 2012
Agenda
IPv4 usage at ETH Zurich
Changing IPv6 range before rollout
Roadmap
IPv4: free 64 (/26) subnets
[Chart: # free /26 64-Subnets per year, 2007 to 11.2012]
# devices detected last 90 days vs. IPv4-Range
[Chart: # different MAC addresses (last 90 days) and # assigned IPv4 addresses per year, 2005 to 9.2012]
IPv6-Traffic (last 12 months)
Changing IPv6 range before rollout
BCM analysis
BIA analysis
new Provider Independent (PI) IPv6 range will replace old one
Request:
Request made by SWITCH: 13.9.2012
Routing to ETH done: 21.9.2012
IPv6-Roadmap: Management view
IPv6 pilot project started
important infrastructures (Exchange, CMS, Hosting, Storage)
Instruction initiative
Server admins, IT supporters, end users, students
documentation must be made first
DHCPv6 release in December 2012
productive as of April 2013
client networks will be forced
IPv6-only network zone offered for all ETH
IPv4-NAT/PAT project started (usage for next 10 years)
IPv6 @ ETH Zurich
Derk Valenkamp
Agenda
My personal impression about IPv6
Roadmap
IPv6-Concept (ID ICT-Networks)
DHCPv6
Firewall
IPv6 SSID 'eth' design
Multicast
What is done
?
My personal impression about IPv6
No way around IPv6 to connect all the devices to the Internet/Intranet
Phase 4 in Gartner's Hype Cycle (Slope of Enlightenment)
It is not enterprise ready yet (DHCP, OS-Support,...)
It is mainly designed for ISPs
Nearly no IPv6 rollout projects in other universities/companies
Client-side: no fallback to IPv4 (DNS) – new RFC announced
Roadmap
1H 2013 Network Ready for IPv6 large scale deployment (Firewall; DHCP-Relay; IPv6-only test-VPZ)
2014 get experience
2015 start IPv6 Rollout (Dualstack)
2020 start a 'get rid of IPv4' project
IPv6-Concept (2001:067C:10ec::/48 PI)
[Diagram: subdivision of the /48 by prefix bits 49, 50, 51, 52 and 58 (VPZ-Prefix); the allocation labels from the diagram follow]
4096 /64 subnets for Network (Links/Loopback/NET-Admin)
4096 /64 subnets for tests until IPv6 is used productively
128 /58 ranges for further VPZs
256 /58 ranges for VPZs
Each VPZ thus receives 64 /64 subnets; these can also be used for internal cluster or management addressing.
Reserve (not used)
IPv6 Concept
One IPv6-Range (/58; Prefix) per VRF -> 64 subnets
One /64 subnet reserved per VLAN
But on the router only a smaller subnet will be configured: a /118 subnet for servers (1024 IPv6 addresses), a /115 subnet for docking/client (8192 IPv6 addresses)
Prevents DoS (router breaks down during scans)
No autoconfigured addresses allowed
- No MAC addresses leave ETH Zurich
- No random IPv6 addresses (IDS, support)
Always configured in Dual Stack with IPv4 (no 6to4-NAT)
Source-Routing will be blocked
Some Multicast addresses will be blocked (DHCP,DNS..)
Incoming IPv6 RAs will be blocked on access ports.
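An added example (not from the original slides) that works through this addressing plan with Python's ipaddress module: it splits one /58 VRF range into its 64 /64 reservations, derives the /118 and /115 prefixes configured on the router, and flags observed addresses that are MAC-derived or outside the configured range. The chosen /58, the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

SITE = ipaddress.IPv6Network("2001:67c:10ec::/48")   # PI range from the slides
ROLE_PREFIXLEN = {"server": 118, "client": 115}      # lengths from the slides

def vlan_subnets(vrf_prefix):
    """Split one /58 VRF range into its /64 per-VLAN reservations."""
    vrf = ipaddress.IPv6Network(vrf_prefix)
    if vrf.prefixlen != 58 or not vrf.subnet_of(SITE):
        raise ValueError(f"{vrf} is not a /58 inside {SITE}")
    return list(vrf.subnets(new_prefix=64))

def configured_prefix(vlan64, role):
    """Prefix configured on the router: the low end of the reserved /64."""
    return ipaddress.IPv6Network((vlan64.network_address, ROLE_PREFIXLEN[role]))

def eui64_mac(addr):
    """MAC embedded in an EUI-64 interface ID (ff:fe marker heuristic), else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(addr, on_link):
    """List the policy points from the slide that an observed address breaks."""
    findings = []
    if ipaddress.IPv6Address(addr) not in on_link:
        findings.append("outside configured range")
    if eui64_mac(addr):
        findings.append("MAC-derived (EUI-64)")
    return findings

# Constructed sample: which /58 a VRF receives is an assumption, not from the page.
VRF = "2001:67c:10ec:4000::/58"
vlans = vlan_subnets(VRF)
servers = configured_prefix(vlans[0], "server")
clients = configured_prefix(vlans[1], "client")

if __name__ == "__main__":
    print(len(vlans), servers, servers.num_addresses, clients, clients.num_addresses)
    for a in ("2001:67c:10ec:4000::2a",                    # assigned, in range
              "2001:67c:10ec:4000:21b:21ff:fe3c:9d01",     # SLAAC EUI-64
              "2001:67c:10ec:4000:9c4e:7a11:5d02:b6f3"):   # random interface ID
        print(a, audit(a, servers), eui64_mac(a))
```

Because the router treats only the /118 or /115 as on-link, a sweep of the rest of the /64 does not make it attempt neighbor resolution for those addresses, and any autoconfigured or random address shows up as out of range.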
DHCPv6
DHCPv6-Relay standard ... uses outgoing interface of the router, which is IPv4 only ... will change
'No' redundant server -> 2 standalone servers with independent ranges (2x 4096 = 8192)
DHCPv6 lease depends on the DUID (DHCP Unique ID), which is assigned by the OS ... PXE-Boot?
Not all OSes support DHCPv6 – Android 4.x
Firewall IPv6
Old Firewall Service Module not capable
New Hardware onsite, migration by end 2012
Separate ACL for IPv4 and IPv6
→ new Firmware available now
→ CSM Release in Q1.2013
IPv6 SSID 'eth' design
[Network diagram; labels: 10x DHCP-Client, vrf red, MPLS, eBGP (vrf-global), trunk, Cat4500/Cat3750, VTP-Zone WPA, FWSM, Fusion Routers, Central DHCP-Server]
What is done
2001:067c:10ec::/48 = ETH Zurich Subnet
10-Gig Dual-Stack-connection to SWITCH
Core is ready, but some issues with DHCP
DHCP (with limitations)
DNS
IPv6 rough concept
IPv6 Firewall
IPv6 VPN-Client (IPv6 tunneled over IPv4)
Mgmt Tool ‘Netcenter’ (Reports, IP-Tool, Firewall)
IPv6 Loadbalancer
What is not planned yet
SEND/CGA (secure arp)
Router performance, whole subnet has to be open
IPv6 to IPv4 NAT nor IPv4 to IPv6 NAT
DNS-Problems, IPv4-NAT is easier
IPv6 HTTP-Proxy
IPv6 Multicast (Not supported yet)
?