© 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied.
Successfully Deploying IPv6
Presented by Scott Hogg, CTO GTRI
NANOG On The Road 7 – Herndon, VA
June 23rd, 2015
  
Agenda
•  Dual Stack Migration Planning Pitfalls
•  Training for IPv6 Deployment Success
•  Addressing Challenges
•  IPv6 Routing
•  Dual-Protocol Applications
•  Troubleshooting Dual-Protocol Networks
  
IPv6 Planning – Dual Stack Migration
•  Organizations using IPv4 today will add IPv6 as a separate protocol, run the two in parallel for many years, and only after that start to disable IPv4.
[Figure: IPv4 deployment and IPv6 deployment plotted over time]
  
IPv6 Planning Pitfalls
•  Failing to build a cross-function IPv6 deployment team
–  Multidisciplinary, Collaborative, Cooperative
•  Organizations need to treat IPv6 as a “Program”, not like a typical smaller IT “Project”.
–  The IPv6 transition is made up of many projects that will span multiple years and cross the entire enterprise.
•  Regular, frequent meetings are key to maintaining pace.
•  As with anything, executive buy-in and support are essential.
  
Performing an IPv6 Readiness Assessment
•  Don’t try to look at everything; identify the devices that require IPv6.
•  Focus your efforts on the Internet perimeter.
–  Look at every device in the transmission path (IPS, WAF, web proxy, DLP, …).
•  The good news is that you have waited to deploy IPv6.
–  Most IT products now come standard with IPv6 capabilities.
•  Don’t be concerned about an IPv4-only management plane.
–  You can continue to manage systems over IPv4.
•  Some devices may remain IPv4-only until they are decommissioned.
  
Training for Success
•  Assume your IT organization has not taken the initiative to immerse itself in learning IPv6.
•  People need to be trained early in the process, but not so early that they forget what they learned.
–  Train “just in time”, not years before an IPv6 address is actually configured on a production device.
•  Train for different skillsets (appdev, sysadmin, net admin, sec admin, helpdesk, PMs, …).
•  Much of your IPv4 experience is applicable to IPv6.
•  Don’t fear the larger addresses – Learn to “Think in Hex”.
  
IPv6 Addressing
•  IPv4-Think is dangerous when planning IPv6 addressing
–  Crazy Talk: using decimal numbers, embedding the VLAN number, converting the IPv4 address to hex
•  There is no scarcity of IPv6 addresses
–  If there is no scarcity, there can be no waste
–  Don’t try to assign only the minimum-needed prefix length
–  Plan for the number of subnets, not the number of hosts
•  Design addressing for simplicity and ease of use and management
–  Don’t be concerned about lots of reserved space
  
IPv6 Addressing
•  Don’t force levels of hierarchy that are not needed.
•  Use standard prefix lengths: /48, /56, /64
•  Use nibble boundaries – don’t use /50, /57, /65, …
•  Consistency between sites can increase operational efficiency; however, not every site needs the same addressing plan.
–  Branches need a different plan than a data center “site”.
•  Stick with Global Unicast Addresses (GUA) 2000::/3
–  Use these everywhere; you don’t need NAT
•  Avoid Unique Local Addresses (ULA) FC00::/7
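An added example (not part of the original slides): a Python check that applies the prefix rules above to a planned prefix list and carves a /48 into /56 sites, which also shows the site number landing on a hex digit boundary. The function names are hypothetical, and the prefixes are constructed from the 2001:db8::/32 documentation range plus a made-up ULA prefix.

```python
import ipaddress
from itertools import islice

GUA = ipaddress.ip_network("2000::/3")   # Global Unicast, as named on the slide
ULA = ipaddress.ip_network("fc00::/7")   # Unique Local, which the slide says to avoid
STANDARD_LENGTHS = {48, 56, 64}          # the slide's standard prefix lengths

def review_prefix(text):
    """Return a list of findings for one planned prefix (empty list = clean)."""
    try:
        net = ipaddress.IPv6Network(text)     # strict: rejects host bits set
    except ValueError as exc:
        return [f"invalid prefix: {exc}"]
    findings = []
    if net.prefixlen % 4:
        findings.append(f"/{net.prefixlen} is not on a nibble boundary")
    elif net.prefixlen not in STANDARD_LENGTHS:
        findings.append(f"/{net.prefixlen} is not one of /48, /56, /64")
    if net.subnet_of(ULA):
        findings.append("inside ULA space fc00::/7")
    elif not net.subnet_of(GUA):
        findings.append("outside global unicast 2000::/3")
    return findings

def carve(parent, new_len, count):
    """Return the first `count` child prefixes of length `new_len`."""
    net = ipaddress.IPv6Network(parent)
    return [str(n) for n in islice(net.subnets(new_prefix=new_len), count)]

# Constructed plan for illustration only.
PLAN = [
    "2001:db8:aa00::/48",        # site allocation
    "2001:db8:aa00:1200::/56",   # branch
    "2001:db8:aa00:4000::/50",   # IPv4-style "minimum needed" sizing
    "fd12:3456:789a::/48",       # ULA
]

def review_plan(plan):
    """Map each prefix that has findings to those findings."""
    return {p: f for p in plan if (f := review_prefix(p))}

if __name__ == "__main__":
    for prefix, findings in review_plan(PLAN).items():
        print(prefix, "->", "; ".join(findings))
    print(carve("2001:db8:aa00::/48", 56, 3))
```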
  
IPv6 Routing
•  IP addressing and routing go hand-in-hand.
•  All IP routing protocols have IPv6 capabilities.
•  Separating the control plane for the two data planes can be desirable.
–  Establish a BGP peer over IPv4 TCP 179 for sharing IPv4 routes
–  Establish a BGP peer over IPv6 TCP 179 for sharing IPv6 routes
•  Don’t forget to assign a 32-bit router ID (RID) to the IPv6 routing process.
•  Peer using global (preferred) or link-local addresses.
•  Consider using locally-administered link-local addresses.
–  fe80::cccc:0001, fe80::dddd:0002, …
•  Type carefully – don’t fat-finger the address
  
Dual-Protocol Applications
•  Assessing current code for IPv6 capability
–  Most applications do not create socket-level connections.
–  Most applications use higher-level APIs or rely on lower-level web services for connectivity.
•  Create code that is Address-Family (AF) independent.
•  Presentation-to-Numeric (p2n) & Numeric-to-Presentation (n2p)
–  Robustness principle: Be conservative in what you send, be liberal in what you accept.
•  Be careful with data structures for storing 128-bit addresses.
•  Create code that performs dual-protocol DNS resolution and incorporates Happy Eyeballs (RFC 6555).
•  Write code that properly handles Path MTU Discovery (PMTUD).
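An added example (not part of the original slides) for the p2n/n2p and 128-bit storage bullets: one address has many valid spellings, so text comparison makes allow lists, ACLs and log searches miss matches, while a fixed 16-byte key does not. The function names are hypothetical; storing IPv4 as an IPv4-mapped key and dropping the zone id are assumptions of this sketch, and the addresses are constructed.

```python
import ipaddress

V4_MAPPED_PREFIX = bytes(10) + b"\xff\xff"   # ::ffff:0:0/96

def p2n(text):
    """Presentation-to-numeric: accept any valid spelling, return a 16-byte key."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):   # URL-style literal
        text = text[1:-1]
    text = text.split("%", 1)[0]        # assumption: zone id is not part of the key
    addr = ipaddress.ip_address(text)   # raises ValueError on anything invalid
    if addr.version == 4:
        return V4_MAPPED_PREFIX + addr.packed   # store IPv4 as ::ffff:a.b.c.d
    return addr.packed

def n2p(key):
    """Numeric-to-presentation: emit exactly one canonical spelling."""
    if len(key) != 16:
        raise ValueError("address key must be exactly 16 bytes")
    addr = ipaddress.IPv6Address(key)
    mapped = addr.ipv4_mapped
    return str(mapped if mapped is not None else addr)

def same_host(a, b):
    """Address-family-independent comparison on the numeric form."""
    return p2n(a) == p2n(b)

# Constructed inputs: three spellings of one IPv6 address, plus an IPv4 address.
SPELLINGS = [
    "2001:0DB8:0000:0000:0000:0000:0000:0001",
    "2001:db8::1",
    "[2001:DB8:0:0::1]",
]

if __name__ == "__main__":
    print(len(set(SPELLINGS)), "distinct strings,",
          len({p2n(s) for s in SPELLINGS}), "distinct address")
    print([n2p(p2n(s)) for s in SPELLINGS + ["192.0.2.7"]])
```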
  
IPv6 Security Considerations
•  Understand how IPv4 and IPv6 differ in terms of networking (NDP, extension headers, dynamic tunnels).
•  Don’t deploy IPv6 if you lack the products to secure the protocol properly.
•  Don’t be overly worried about IPv6 NDP security weaknesses.
–  You haven’t secured your IPv4 LANs either.
–  https://community.infoblox.com/blogs/2015/02/10/holding-ipv6-neighbor-discovery-higher-standard-security
  
Troubleshooting Dual Protocol Networks
•  Even if you do not deploy IPv6, there could still be IPv6-related issues that you must deal with.
•  You now have IPv6-enabled nodes in your environment.
•  Using a disciplined troubleshooting methodology will pay dividends when dealing with multi-part problems.
•  Troubleshoot IPv6 in segments (LAN1, WAN, LAN2).
•  Troubleshooting NDP requires a magnifying lens.
–  You may need to break out the protocol analyzer.
–  You are looking for an IPv6 needle in a haystack of IPv4.
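An added example (not part of the original slides) of picking the IPv6 needle out of an IPv4 haystack: it scans raw Ethernet frames, keeps only IPv6, and labels NDP messages by ICMPv6 type so you can see which nodes on a segment are already speaking IPv6. The function names are hypothetical, the frames are constructed (placeholder destination MAC, checksum left at zero), and the parser assumes no VLAN tag and no extension headers.

```python
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
NDP_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}

def classify(frame):
    """Return (src_mac, src_ip, label) for an IPv6 frame, None for anything else."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None                      # too short, or part of the IPv4/ARP haystack
    if frame[14] >> 4 != 6:
        return None                      # IP version field is not 6
    mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src = str(ipaddress.IPv6Address(frame[22:38]))
    label = "ipv6"
    # Assumption: ICMPv6 directly follows the fixed 40-byte header.
    if frame[20] == NEXT_HEADER_ICMPV6 and len(frame) > 54:
        label = NDP_TYPES.get(frame[54], "icmpv6")
    return mac, src, label

def ipv6_speakers(frames):
    """Map each source MAC that sent IPv6 to the sorted labels seen from it."""
    seen = {}
    for frame in frames:
        hit = classify(frame)
        if hit:
            seen.setdefault(hit[0], set()).add(hit[2])
    return {mac: sorted(labels) for mac, labels in seen.items()}

def build(src_mac, ethertype, payload):
    """Constructed test frame: placeholder destination MAC, no FCS."""
    return b"\xff" * 6 + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload

def ndp(src_ip, icmp_type):
    """Constructed IPv6 + ICMPv6 packet to ff02::1; checksum left at zero."""
    body = bytes([icmp_type, 0, 0, 0]) + bytes(4)
    header = struct.pack("!IHBB", 0x60000000, len(body), NEXT_HEADER_ICMPV6, 255)
    dst = ipaddress.IPv6Address("ff02::1").packed
    return header + ipaddress.IPv6Address(src_ip).packed + dst + body

SAMPLE = [  # constructed capture: two IPv4 frames, one ARP, two NDP messages
    build("020000000001", 0x0800, bytes(46)),
    build("020000000002", 0x0806, bytes(46)),
    build("020000000003", 0x86DD, ndp("fe80::cccc:1", 133)),
    build("020000000001", 0x0800, bytes(46)),
    build("020000000004", 0x86DD, ndp("fe80::dddd:2", 134)),
]
```

A Router Advertisement from a MAC that is not one of your routers is the kind of entry in this output that deserves a closer look with the protocol analyzer.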
  
Troubleshooting Dual Protocol Networks
[Figure: protocol stack of a dual-protocol network]
Application Layer: HTTP(S), SSH, SMTP, TFTP, DHCP, DNS, SIP, WebRTC, TLS/SSL, SNMP, BGP
Transport Layer: TCP, UDP, SCTP, DCCP
Internet Layer: IPv4 with ARP, ICMP, IGMP; IPv6 with ICMPv6, NDP, MLD
Link Layer: Ethernet, Wireless, T1/E1/T3/E3, SONET, SDH

Troubleshooting Dual Protocol Networks
•  View yourself from the Internet perspective
–  Leverage IPv6-capable looking glasses
–  Is your traffic really using IPv6?
•  In a dual-protocol environment there are many tasks that will need to be performed twice (once for each IP version).
•  Some connections could use IPv4 and/or IPv6
–  Web pages could be delivered over a combination of protocols. How do you know which protocol was used?
–  IPv6 browser add-ons and plug-ins can be helpful
  
Thank You!
Scott Hogg, CTO GTRI
303-949-4865 | shogg at gtri.com
  
