steve ulrich - Syringa Networks and Settings/27... · • in practice, given todayʼs transition...
Transcript of steve ulrich - Syringa Networks and Settings/27... · • in practice, given todayʼs transition...
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
steve ulrich consulting engineer
25-may, 2011
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 20110330 - TDS - IPv4 Exhaust/IPv6 Transition
• IPv4 exhaustion
what’s the big deal?
• IPv6 overview
very abbreviated
• IPv6 transition technologies
what are my options?
• actions / next steps
boiling this down
• world IPv6 day
what’s going on here?
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public 20101110-telco_named see http://www.potaroo.net/tools/ipv4/index.html
31-jan, 2011 - last IPv4 unicast /8s allocated
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
• note that this is based off historic burn – it doesn’t take into consideration soft-landing and/or existing / emergent behaviors within the RIRs
widely anticipated to move this way
nice way of saying all gone
http://www.potaroo.net/tools/ipv4/rir.jpg
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
VRF
VRF
Enterprise v6
Enterprise v4 & v6
Dual-Stack PE
IPv6 Service/Content Provider
Dual-Stack AFBR
Dual-stack/ Softwires Mesh
CGN NAT44
IPv4 Internet
v6
Consumer Home
Peering/ Enterprise Edge Wireline
Mobility / Wireless
SP Core DS-Lite
DS-Lite
CGN 6rd
6rd
BRAS CMTS OLT
CGN NAT64
Data Center
IPv6 Peering IPv6 Data Center
IPv6 VPN Enterprise & Govt
Consumer Internet
IPv6 in the Home
4G/LTE IPv6 Mobile
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 6
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 7
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Version HL Type of Service Total Length
Identification Flags Fragment
Offset
Time to Live Protocol Header Checksum
Source Address
Destination Address
Options Padding
Version Traffic Class Flow Label
Payload Length Next
Header Hop Limit
Source Address
Destination Address
IPv4 Header IPv6 Header
field name kept from IPv4 to IPv6
fields not kept in IPv6
name and position changed in IPv6
new field in IPv6
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8
• The IPv6 header is redesigned. As compared to IPv4,
• IPv6 minimizes IP header overhead and reduces the IP header processing for the majority of the packets
• less essential and optional fields are moved to extension headers
IPv6 and IPv4 headers are not interoperable!
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
• IPv6 uses Ethernet Protocol ID (0x86DD)
• IPv4 uses Ethernet Protocol ID (0x0800)
0x0800 IPv4 Header and Payload Dest MAC Source MAC
0x86DD IPv6 Header and Payload Dest MAC Source MAC
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
IPv4 32-bits
IPv6 128-bits
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
• Base format (write all 16 bytes)
• Compact Format:
• Literal representation (e.g. used when browsing to IPv6 address directly and not through the DNS name)
[2001:660:3003:2:a00:20ff:fe18:964c]
2001:0660:3003:0001:0000:0000:6543:210F
2001:0660:3003:0001:0000:0000:6543:210F 2001:0660:3003:0001:0000:0000:6543:210F 2001:660:3003:1:0:0:6543:210F 2001:660:3003:1:0:0:6543:210F 2001:660:3003:1::6543:210F
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
Service IPv4 IPv6
Addressing Range 32-bit, NAT 128-bit, Multiple Scopes
IP Provisioning DHCP SLAAC, Renumbering,
DHCP
Security IPSec IPSec
Mobility Mobile IP Mobile IP with Direct
Routing
Quality-of-Service Differentiated Service,
Integrated Service Differentiated Service,
Integrated Service
Multicast IGMP/PIM/MBGP MLD/PIM/MBGP, Scope
Identifier
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
• Addresses are assigned to interfaces
• An IPv6 interface is “expected” to have multiple addresses and multiple scopes
• Addresses have scope
Link Local
Unique Local
Global
• Addresses have lifetime
Valid and preferred lifetime
Link Local Unique Local Global
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
IPv6 is the foundation of a lifecycle management discussion
preserve the customer’s existing investment • Audit and leverage existing IPv6 capabilities
prepare a migration and deployment plan • Identify and enable critical IPv6 functional areas
prosper through the transition to IPv6 Internet • Enable all systems with dual-stack capabilities • Grow seamlessly as customers transition to IPv6
Preserve
Prepare
Prosper
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
Large-Scale NAT
(LSN)
NAT44 NAT44
Home network ISP network
IPv4private IPv4private
IPv4 Internet
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
pros
• ISPs can reclaim global IPv4 addresses from customers, replacing with non-routable private addresses and NAT
• addresses immediate IPv4 exhaust problem
• no change to subscriber CPE
• no IPv4 re-addressing in home
• dense utilization of public IP address/port combinations
cons
• SP NAT results in margin & competitive implications
• does not solve address exhaust problem in the long term
• sharing IPv4 addresses could have user behavioral and liability implications
• user control over NAT
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
• IP-on-demand optimization introduce usage idle-time based mechanism for public IPv4 address assignment. release addresses after idle period. (effectively remove always-on-service for public IPv4)
• IP address trading establish market and regulation registration mechanism
enhance anti-IP spoofing/hijacking technology and inter-domain routing
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
preserve to date the cost of getting IPv4 address space is low:
service Provider: RIR membership fee & registration service fee end-sites usually receive IPv4 address block from SP as part of service many SPs already charge end-site for privilege of public IPv4 address
when RIRs have no more IPv4 address space to distribute: cost of IPv4 addresses will be higher (to date it’s been close to 0) SPs may “purchase” IPv4 address space from other org’s
current IPv4 address allocation mechanisms were not built to support the dynamic reallocation of subnets
facilitating address trading means protecting against address hijacking / false announcements etc. BGP Prefix Validation (SIDR)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
pros
• valuation of IPv4 addresses may hasten IPv6 adoption by encouraging sellers, perhaps more than offsetting costs to move some or all of their network to v6
• receivers of transferred IPv4 address space can prolong their IPv4 networks
cons • market may not materialize, so
organizations hoping to benefit may not
• depending on region, if RIR doesn’t register transfer, there may be no route-ability
• risk to integrity of routing system, as RIRs no longer authoritative for address records. will BGP Prefix Validation be universally deployed in time?
• even more rapid growth of routing system
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
• enable enterprise IPv6 unicast and multicast connectivity across IPv4/MPLS network
configure 6vPE routing/forwarding on existing PE routers; core routers stay IPv4/MPLS
addresses current and future IPv6 VPN route table with business-class SLAs
IPv4/MPLS Backbone
6vPE Router 6vPE Router
IPv4
IPv6
IPv4
IPv6
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
• Classic RFC 4213 solution
Supported by most end hosts Oses
• in the short term deploying IPv6 in dual stack does not solve IPv4 exhaust ; IPv4 run-out is expected before full deployment
can be easily combined with NAT44 to offer a solution, while allowing IPv6 deployment ramp-up.
NAT44
BRAS Access Node
Home Gateway
IPv4 Internet
CGN
IPv4 & IPv6
IPv4-Private IPv6-Public
IPv6 Internet
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
• Broadband PPP Access dual-stack IPv6 and IPv4 supported over a shared PPP session with v4 and v6 NCPs running as ships in the night. should not consume extra BRAS session state nor require Access-Node upgrades note: not all PPPoE clients support IPv6 (eg WinXP)
• Broadband IPoE Access form of supporting in “session” form remains to be determined. possibilities include. two session model, IPv4 and IPv6 independent sessions. L2 session model, IPv4 and IPv6 running on common L2/MAC session
PPP Session
IPv4IPv6
VLAN
IPv6 Session
L2 Session
IPv4IPv6
IPv4 Session
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
pros
• cost effective long term solution model
• supports legacy (IPv4) applications
• flexible: can be combined with NAT44 deployment for addressing IPv4 exhaustion
• once services are on IPv6, IPv4 can simply be discontinued
cons
• continuing to use public IPv4 doesn’t solve IPv4 exhaustion
• IPv6 alongside existing IPv4 infrastructure might cost extra in terms of opex and hardware changes
• in some forms of dual-stack deployments or implementations can lead to decreased network scalability
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
• AFT64:= “stateful v6 to v4 translation” or “stateless IV-VI translation a.k.a IVI”
PDNGW Serving Gateway eNB
NAT64
AFT64
IPv4 Public
NAT
IPv6 Public
IPv6 Public
See also draft-baker-behave-v4v6-framework, draft-bagnulo-behave-nat64, draft-bagnulo-behave-dns64, and related
Deploy IPv6 only end-points
Use AFT64 to connect IPv6 end-points to Internet and legacy IPv4 user base
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
pros
• allows IPv6 only clients access to IPv4 content
• IPv6 services and applications offered natively to consumers
• SP network runs IPv6 only, avoiding IPv4 support costs
• stateless technique can be used for IPv4 to IPv6 access
cons
• technical viability of IPv6 only service (IPv6 stack not enabled on all hosts)
• does not address IPv4 customer base
• ALGs required
• DNS infrastructure must be modified to support NAT64
• operations & troubleshooting of transient issues
• stateful NAT has many of the same implications as NAT44
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
• retains end-end IP semantics
• in theory requires “touching” only tunnel end-points
• in practice, given today’s transition from IPv4 to IPv6 the different tunneling approaches represent different philosophies:
IPv6 Services and IPv6 end-point enablement (IPv6 over IPv4)
IPv4 Services and IPv6 as an SP transport (IPv4 over IPv6)
IPv6 IPv6
IPv4 tunnel
IPv4 IPv4
IPv6 tunnel
Source: RFC3439
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
IPv6 in IPv4 – why?
Access Node • DHCPv6 snooping • ICMPv6 snooping • IPv6 NMS • IPv6 Security
User • OS v6 Stack
RG • IPv6 LAN • IPv6 WAN • IPv6 NMS
Aggregation • ICMPv6 snooping • IPv6 NMS
Core • IPv6 Routing
Aggregation • IPv6 Stack • IPv6 PE/VPE • IPv6 Routing • IPv6 NMS
AAA/DHCP/Policy
BNG Access Node
RG
IPv6 IPv4 L2
deployment of fully native IPv6 affects numerous system components, aka “touch points”
NMS/Addressing • IPv6 Parameters • DHCPv6
upgrading some components is more challenging than others:
e.g.: IPv6 upgrade of access node and/or BNG
tunneling IPv6 over existing IPv4 infrastructure provides a transition solution which limits the number of “touch points”
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 29
IPv6 Rapid Deployment (6rd) – IPv6 in IPv4
• A form of v6/v4 which traverses v4 aggregation clouds http://tools.ietf.org/html/rfc5569
For IPv6 traffic destined to the backbone, the RG uses the destination IPv4 of the 6rd Relay.
RG IPv4 Address
6rd Relay
For IPv6 traffic destined for the Home, the 6rd Relay pulls the RG’s IPv4 from within the destination IPv6 address
For IPv6 traffic destined to a nearby 6rd user, the RG pulls the target IPv4 tunnel endpoint from within the destination IPv6 address
6rd CPE
+ RG IPv4 Address + SLA /64
Residence’s IPv6 Subnet is constructed from:
ISP’s IPv6 Prefix /128
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
30
IPv6 Rapid Deployment (6rd) – IPv6 in IPv4 pros
• enables a v6 service to a routed CPE user
• IPv6 can traverse existing IPv4 infrastructure. no new access CAPEX to enable v6.
• derives IPv6 from IPv4 addresses, eliminating need for much of IPv6 OSS
• efficient local routing of user-user traffic
• stateless = easier to operate
• easily combined with NAT44 to solve IPv4x. decouples NAT44 from IPv6 deployment
• operational models of v4 and v6 are very similar
cons
• continuing to use public IPv4 doesn’t solve IPv4 exhaustion. solution may need to be combined with NAT44.
• may require dedicated device in the architecture (BR).
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
CPE
NAT44 or A+P Routing
CMTS
Dual Stack Lite – IPv4 in IPv6 • tunneling IPv4 using IPv6 transport.
• two common options allowed by: http://tools.ietf.org/html/draft-ietf-softwire-dual-stack-lite-02
• dual-stack-lite with NAT44 tunnel from CPE is to a LSN NAT44 device. LSN NAT44 is stateful. No CPE NAT44
• dual-stack lite Address+Port (A+P) tunnel is between CPE and A+P Router CPE is doing port restricted NAT44
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
32
dual-stack lite – IPv4 in IPv6
pros
• enables a v6 service to a routed CPE user - improves long term delivery economics
• eliminates NAT444 through use of B4 element and a centralized NAT44 CGN
• efficient local routing of user-user IPv6 traffic
cons
• requires upgrading access infrastructure and intervening devices to support IPv6, immediately
• depending on model used potential for painful renumbering at NAT44 element
• state full network deployment
• likely some time before viable option outside of cable segment
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
• IPv4 traffic tunneled over IPv6 network IPv4-in-IPv6 encap/decap between CE and BR
Customer IPv4 prefix/address derived from IPv6 prefix
Stateful NAT44 on CPE or BR
Algorithmic mapping of IPv4 TCP/UDP ports to/from IPv6 address
• IPv6 traffic forwarded natively
Boundary Router
IPv6 or IPv4+IPv6 Network
Public IPv4
IPv6-only backend
Gateway (L3) Residential Edge
Public IPv4
Private IPv4
IPv6
Router (L3)
CGN44 (optional)
Public IPv6
4rd BR 4rd CE
4rd CE
NAT44 (optional
)
NAT44 (optional)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
• Customer IPv4 traffic translated to IPv6 traffic - CPE does NAT446 (=Stateful NAT44 + Stateless NAT46)
- Network does Stateless NAT64
• Customer IPv6 traffic, if any, forwarded natively Separate IPv6 prefix (from dIVI IPv6 prefix)
Stateful NAT44 stays at the home
Boundary Router
IPv6 or IPv6+IPv4 Network
Public IPv4
IPv6-backend
Modem (L2)
Gateway (L3) Residential Edge
Public IPv4
Private IPv4
IPv6
Router (L3)
Public IPv6
NAT64 NAT446
NAT446
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35
IPv6 Internet
IPv4 Internet
IPv4 Access Network
IPv4 Core
Subscriber Network
NAT
Carrier Grade NAT
NAT
IPv6 Access Network
Dual Stack Core
Subscriber Network
CE
IPv6-Only Subscriber
6↔4
Dual Stack Core
v6 over v4
Subscriber Network
IPv6 Rapid Deployment
6rd or L2TP
6rd BR
Subscriber Network
v4 over
v6
Dual Stack Core 4rd / dIV
I / DS
-Lite
IPv6-Only Access Network
NAT
Dual Stack
Core +
Access
Subscriber Network
PE
Native Dual Stack
For more info see: http://www.cisco.com/go/cgv6
PE
CE CE
4rd BR AFTR
CE
LNS
Preserve Prepare Prosper
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 36
36
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37
broadband objective • desired end state - fully dual-stack
capable network future investment should be oriented around committed dual-stack L3 ege functionality
must support existing BNG feature set as well as support IP{v4,v6}oE feature sets
objective is to minimize non-dual-stack capable platforms within deployed base
• mixture of PPP{d-s} and IPoE{d-s} support likely a key requirement given variability in access platforms and CPE
IPv4-only footprint • ASAP - certify & deploy dual-stack capable
CPE w/tunneling capability
• deployment of CGN platforms to terminate v6 tunnels over IPv4 only infrastructure enables incremental rollout over existing IPv4-only infrastructure (use 6RD)
• enables congruency from subscriber policy application
i.e.: common QoS and service policy application
• minimizes churn of edge platforms
maximizes depreciation cycle
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38
CPE
• functionality timelines aren’t necessarily conducive to deployment of D-S CPE - today
interim requirement to deploy CPE which aren’t fully dual-stack capable
must insure vendor commitment to necessary IPv6 feature sets to support tunneling and native dual-stack models
• remote manageability via TR-069 feature sets critical
remote code upgrade - critical requirement
access platforms
• particular consideration should be given to the ability of downstream platforms (especially DSLAMs) to support IPv6 first mile features
insure support for IPv6 EtherTypes
insure support for MLD(v2) snooping capabilities if there’s a requirement for broadcast video or multicast delivery over IPv6
DHCPv6 L2 relay functionality
• IPv4 + IPv6 multicast co-existence - largely unexplored at this point w/i access platforms
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39
long term co-existence (transition) period is very likely
not doing IPv6 increases the new service adoption risk and existing internet service costs over the long term.
IPv6 is a long term must, but likely not quite a short term solution to IPv4 exhaust. deploying IPv6 incrementally will be key - start now!
risk of IPv4 exhaust before all services or content move to IPv6 is real, but adoption of IPv6 needs to be done judiciously
39
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41
• when is it?
• what is it?
• who’s participating
• why are people doing this?
• what does it mean for telcos?
• what about the day after?
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42
• WHEN – 8-jun, 2011 – midnight UTC to midnight UTC
• WHERE - official site for World IPv6 Day: http://isoc.org/wp/worldipv6day/
• WHY - to provide a 24 hour test flight of IPv6 connectivity across the Internet to motivate service providers, content providers and the vendor community (hardware & software vendors, OS vendors, etc.) to prepare and test their services and platforms for the upcoming transition to IPv6 as IPv4 addresses run out.
provides an opportunity to test IPv6 readiness and measure the impact of IPv4/IPv6 coexistence on the global Internet
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43
• promotion of IPv6 – get the message out there!
• address “broken users” problem http://getipv6.info/index.php/Customer_problems_that_could_occur
from a recent Yahoo! presentation:
• current “breakage stats” impacts 0.026% of their users
• 18 months ago this was 0.078% - depending on subscriber base this number may be unacceptably high
• test without the early mover penalty everyone appears to be broken to broken users – it’s not just the IPv6 folks
• expose and fix bugs
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44
• Content Providers Google, FaceBook, Yahoo!, Microsoft Bing and more
• CDN providers Akamai, Limelight
• Vendors Cisco
Juniper – just announced their participation
suspect that other vendors will participate as well.
• Service Providers those who have deployed IPv6
• official list here http://isoc.org/wp/worldipv6day/participants/
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45
• content providers who have deployed dual-stack capability will be publishing non-side door DNS entries to enable end user IPv6 and IPv4 connectivity
i.e.: http://www.google.com will be available via IPv4 and IPv6 without whitelisted DNS servers1 or explicitly using http://ipv6.google.com
IPv4 connectivity will be retained – folks aren’t turning that off
• this effectively translates into simultaneous publication of A and AAAA records where there had only been an A record previously
• measurement and analysis what’s working, what’s not, break it, fix it, find bugs.
it won’t just be you doing this
references 1 - http://www.google.com/intl/en/ipv6/
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46
• deploy IPv6 even if you have enough IPv4 addresses for your customer base, you’ll need to talk to IPv6 endpoints sooner rather than later.
http://getipv6.info/index.php/First_Steps_for_ISPs
• staff support / help desk to troubleshoot broken users educate staff to understand the symptoms and resolution of “broken user” problems
http://getipv6.info/index.php/Customer_problems_that_could_occur
http://test-ipv6.com - may be helpful with troubleshooting
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47
• many of the participants will revert to current operational modes to analyze the impact of World IPv6 Day and to address bugs and modify their service deployments to address any issues which may have become apparent through the testing
• some large content providers will evaluate whether to utilize whitelisted DNS to prevent breakage – using the results of IPv6 day to provide inputs for decision process
• service providers will need to address issues discovered over the course of the day and make necessary changes to address any issues found
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 48
• ARIN Number Resource Policy Manual https://www.arin.net/policy/nrpm.html
“Soft-Landing” Provisions of the ARIN NRPM: After an organization has been a subscriber member of ARIN for one year, they may choose to request up to a 12-month supply of IP addresses. When ARIN receives its last /8, by IANA implementing section 10.4.2.2, the length of supply that an organization may request will be reduced. An organization may choose to request up to a 3-month supply of IP addresses. This reduction does not apply to resources received via section 8.3. An organization receiving a transfer under section 8.3 may continue to request up to a 12-month supply of IP addresses.
-- John Curran
http://nanog.org/meetings/nanog51/presentations/Wednesday/curran.pdf - slide 2
thank you.