IPv6 on the INTEROPNET: Network Architecture and Lessons Learned
1. IPv6 on the INTEROPNET
Interop, Wednesday, 9 May 2013
Brandon Ross, Routing Team Lead
Chief Network Architect, Network Utility Force
http://www.netuf.net/
Jeff Enters, Chief Infrastructure Architect, HP
http://www.hp.com/services
2. Agenda
• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Conclusions
3. RFC 6540
• Are you aware of this requirement?
• Are your nodes IPv6 capable?
4. IPv6 Support Required for All IP-Capable Nodes – RFC 6540
• “Given the global lack of available IPv4
space, and limitations in IPv4 extension
and transition technologies, this document
advises that IPv6 support is no longer
considered optional.”
• “IPv6 support must be equivalent or better
in quality and functionality when compared
to IPv4 support in a new or updated IP
implementation.”
5. Background
• IPv4 depletion is already occurring
• IPv6 adoption is accelerating
• Most network hardware supports IPv6
• For the most part, dual stack Just Works
[Chart: IPv4 Free Pool Depletion, source http://www.potaroo.net/tools]
[Chart: IPv6 Routing Table Growth, source http://www.ipv6actnow.org/info/statistics/#alloc]
6. US Feds Lesson Learned
The US federal government had a mandate for all public facing web services to support IPv6 by September 30, 2012.
287 of 1494 sites had IPv6 web support by the deadline.
Today 961 of 1355 sites support IPv6.
That’s over 70%. Not 100%, but far ahead of most other large organizations.
Source: http://usgv6-deploymon.antd.nist.gov//
7. Europe out of Free Pool
• Asia (APNIC) effectively ran out of free
addresses in April, 2011
• Europe (RIPE) is also out of addresses as
of September 14th, 2012
• ARIN predicted to run out of free space in April, 2014 (Geoff Huston, http://www.potaroo.net/tools/ipv4/index.html)
8. Goals
• Network must be fully dual stack
(IPv4+IPv6)
• All IPv4 services should be reachable over
IPv6
• Connections to IPv6-enabled websites
should use IPv6 by default
• Nothing should break
9. Agenda
• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Conclusions
10. Building on IPv4, IPv6 addresses contemporary networking needs
IPv6 Advantages Overview
Feature | IPv4 | IPv6
Address length | 32 bits | 128 bits
NAT | Often necessary | Not necessary
Header size | Variable length, 20 bytes + many options | Fixed length, 40 bytes + extension headers
Configuration | Manual, DHCPv4 | Manual, stateless automatic, stateful automatic (DHCPv6)
Types of addresses | Broadcast, multicast, unicast | Multicast, unicast, anycast
Addresses per interface | Single | Multiple
Neighbor discovery, router discovery, address resolution, NUD, redirects, etc. | A variety of separate protocols | Neighbor Discovery Protocol (built in)
IPsec | Optional | Integrated
QoS | Some | Better
11. Unlock the potential of IPv6
IPv6 Operational Advantages
• Robust, Effective, Efficient. Unlimited
Address space. Extensibility.
Optimized for next generation
networks.
• End to End Services and
applications.
• Enable Service Automation.
• Better Support for QoS.
• Enhanced Mobility.
• Policy driven operations.
• Free manpower from ordinary tasks.
• Rapid deployment.
• Much more than just a larger addressing
space
12. IPv6 Features useful in Internet facing devices
Internet Presence
Transition
• Dual Stack IPv4 and IPv6 – on all publicly available servers
• Translation – NAT64
Connectivity
• Make sure your mBGP is able to advertise and receive both IPv4 and IPv6 Internet route updates
• Understand how DNS server, OS, and application will interact
• Make sure DNS server can store AAAA (IPv6 Address) records
• Ensure records can be retrieved over both IPv4 and IPv6 transport
• Enable load balancer for both IPv4 and IPv6 traffic
Security
• Deploy IPv6 firewall and IDS/IPS
• IPsec – now integrated into the IPv6 protocol, but not widely deployed
• VPN – IPv6 VPN is very similar to IPv4 VPN
18. Agenda
• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Conclusions
20. Autoconfiguration
• All client-facing networks use SLAAC to allow clients to auto-assign themselves an IPv6 address and default gateway on the correct subnet
– Supported by all IPv6-capable devices
[Diagram: auto-assigned IPv6 address; default gateway is the link-local address learned from the RA]
21. DNS
• All DNS services are provided by DynDNS
and load-balanced by F5
• Using anycast to direct traffic to its nearest DNS server, either show floor or Denver
22. InteropNET NOC Services
• Goal was to provide all internal services
over IPv6 as well as IPv4
• This required coordination with vendors to
enable IPv6, make sure services were
bound to their IPv6 ports, and publish
AAAA records
• Most (but not all) services ended up
reachable over IPv6
23. Wireless
• InteropNET wireless is provided by Xirrus
• Purpose-built VLANs are shared across all
APs and all are dual-stack
26. Agenda
• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Results and Statistics
• Conclusions
27. State of Assignments
• All of the registries, for the most part, assign initial blocks of:
– Service provider: /32
– Enterprise: /48
28. What makes up a good addressing plan?
• Depends on the type of network, the size of the network, and the problem to be solved
• Points to consider:
– Documentation
– Ease of troubleshooting
– Aggregation
– Standards compliance
– Growth
– SLAAC
– Existing IPv4 addressing plan
– Human factors
29. Algorithmic Approach
• Encode every IPv4 address in the network in an IPv6 address
– 10.10.10.10 (0A0A0A0A in hex) becomes 2001:DB8:A0A:A0A::
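The mapping on this slide is mechanical enough to script, so here is an added Python example (not from the slides) that does the encoding both ways and, going one step beyond the slide, applies it to a whole IPv4 subnet so the IPv6 aggregate follows the existing IPv4 plan. The 2001:db8::/32 base is the documentation prefix the slide uses; the function names are assumptions of this example.

```python
import ipaddress

# 2001:db8::/32 is the documentation prefix used on the slide; the scheme needs a
# /32 so the 32 IPv4 bits fill exactly the gap between it and the /64 boundary.
BASE = ipaddress.IPv6Network("2001:db8::/32")

def ipv4_to_ipv6_prefix(ipv4, base=BASE):
    """Embed an IPv4 host address in the 32 bits after the base /32, giving the
    host its own /64: 10.10.10.10 -> 2001:db8:a0a:a0a::/64."""
    base = ipaddress.IPv6Network(base)
    if base.prefixlen != 32:
        raise ValueError("base must be a /32 for the IPv4 bits to land in a /64")
    v4 = int(ipaddress.IPv4Address(ipv4))
    # bits 127..96 hold the base, bits 95..64 the IPv4 address, 63..0 the host part
    return ipaddress.IPv6Network((int(base.network_address) | (v4 << 64), 64))

def ipv4_subnet_to_ipv6(ipv4_net, base=BASE):
    """The same encoding applied to a whole IPv4 subnet:
    10.10.0.0/16 -> 2001:db8:a0a::/48, so IPv6 aggregates mirror the IPv4 plan."""
    base = ipaddress.IPv6Network(base)
    if base.prefixlen != 32:
        raise ValueError("base must be a /32")
    net = ipaddress.IPv4Network(ipv4_net)
    embedded = int(base.network_address) | (int(net.network_address) << 64)
    return ipaddress.IPv6Network((embedded, 32 + net.prefixlen))

def ipv6_prefix_to_ipv4(ipv6_net):
    """Reverse mapping for troubleshooting: read the IPv4 address back out of an
    encoded prefix or of any address inside it."""
    net = ipaddress.IPv6Network(ipv6_net, strict=False)
    return ipaddress.IPv4Address((int(net.network_address) >> 64) & 0xFFFFFFFF)

if __name__ == "__main__":
    print(ipv4_to_ipv6_prefix("10.10.10.10"))      # 2001:db8:a0a:a0a::/64
    print(ipv4_subnet_to_ipv6("10.10.0.0/16"))     # 2001:db8:a0a::/48
    print(ipv6_prefix_to_ipv4("2001:db8:a0a:a0a::1"))
```

Because the IPv4 bits occupy the two middle 16-bit groups, an engineer reading an IPv6 address can recover the IPv4 address by eye, which is the human-factors payoff of this scheme.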
30. Link Numbering Issues
• OSPFv3 masks this problem, unlike in IPv4
• Separation of addressing from the link state
database means that OSPFv3 neighbor
relationships will establish, even on links with
mismatched addressing and/or masks
• Link-local based forwarding prevents address
mismatches from being easily detected
because traffic flows normally and
traceroutes don’t appear too strange
31. Link Numbering Issues
• To detect link numbering errors, look for “U-turn” routing:
$ traceroute6 2620:144:B0C::
traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
1 2620:144:8fc:: (2620:144:8fc::) 26.747 ms 26.730 ms 26.716 ms
2 2620:144:b0c::2 (2620:144:b0c::2) 29.137 ms 29.222 ms 29.264 ms
3 2620:144:8fc:: (2620:144:8fc::) 29.355 ms 29.335 ms 29.350 ms
4 2620:144:8fc:: (2620:144:8fc::) 29.438 ms !H 29.433 ms !H 29.413 ms !H
Note hop 2 is the misnumbered address. This traceroute should have
looked like this:
$ traceroute6 2620:144:B0C::
traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
1 2620:144:8fc:: (2620:144:8fc::) 32.473 ms 32.447 ms 32.427 ms
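A U-turn is easy to spot by eye but easy to miss in a batch of traceroutes, so here is an added Python example (not from the slides) that parses traceroute6 output and flags any hop sandwiched between two answers from the same router. The sample input is the misnumbered trace from this slide; hop 4 repeating hop 3 with !H is the destination answering, not a U-turn, and the code treats consecutive repeats that way. The regex and function names are this example's own.

```python
import re

# traceroute6 output copied from the slide (the misnumbered case)
SAMPLE_TRACE = """\
traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
 1  2620:144:8fc:: (2620:144:8fc::)  26.747 ms  26.730 ms  26.716 ms
 2  2620:144:b0c::2 (2620:144:b0c::2)  29.137 ms  29.222 ms  29.264 ms
 3  2620:144:8fc:: (2620:144:8fc::)  29.355 ms  29.335 ms  29.350 ms
 4  2620:144:8fc:: (2620:144:8fc::)  29.438 ms !H  29.433 ms !H  29.413 ms !H
"""

# the trace as it should have looked once the link is renumbered
EXPECTED_TRACE = """\
traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
 1  2620:144:8fc:: (2620:144:8fc::)  32.473 ms  32.447 ms  32.427 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\(([0-9a-fA-F:.]+)\)")
STAR_RE = re.compile(r"^\s*(\d+)\s+\*")

def parse_hops(text):
    """Return [(hop_number, address)] for each hop line; hops that only
    timed out ('*') are kept as (hop_number, None) so numbering stays intact."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2).lower()))
            continue
        m = STAR_RE.match(line)
        if m:
            hops.append((int(m.group(1)), None))
    return hops

def find_uturns(hops):
    """Return the (hop_number, address) pairs that lie strictly between two
    non-adjacent answers from the same address: those are the candidates for
    a misnumbered link. The same router answering two consecutive hops (for
    example the destination replying !H at the end) is not a U-turn."""
    suspects = []
    last_seen = {}                      # address -> index of its latest occurrence
    for i, (_, addr) in enumerate(hops):
        if addr is None:
            continue
        if addr in last_seen and i - last_seen[addr] > 1:
            for hop_no, between in hops[last_seen[addr] + 1:i]:
                if between is not None and between != addr:
                    suspects.append((hop_no, between))
        last_seen[addr] = i
    return suspects

if __name__ == "__main__":
    print(find_uturns(parse_hops(SAMPLE_TRACE)))    # [(2, '2620:144:b0c::2')]
    print(find_uturns(parse_hops(EXPECTED_TRACE)))  # []
```

Run over the output of a nightly traceroute sweep between loopbacks, this turns the slide's advice into a check that points at the exact hop whose interface address needs a second look.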
33. Link Numbering Issues
• Should you number your links at all or just
use link-local?
• Loopback interfaces usually show up so
you know which routers traffic is following,
so why waste address space on links?
34. Link Numbering Issues
• Using equal cost multipath?
$ traceroute6 2001:DB8::5:2
traceroute to 2001:DB8::5:2 (2001:DB8::5:2), 30 hops max, 80 byte packets
1 2001:DB8::6:1 (2001:DB8::6:1) 22.723 ms 26.730 ms 26.716 ms
2 2001:DB8::1:1 (2001:DB8::1:1) 80.233 ms * ms 72.173 ms
3 2001:DB8::5:2 (2001:DB8::5:2) * ms 99.223 ms 29.350 ms
• Which link did it take?
35. Link Numbering Issues
• Does your management system use link numbering for
monitoring or circuit identification?
• Are you really saving any significant addressing by not
assigning addresses?
36. Link Numbering Issues
$ traceroute6 2001:DB8::5:2
traceroute to 2001:DB8::5:2 (2001:DB8::5:2), 30 hops max, 80 byte packets
1 2001:DB8::6:1 (2001:DB8::6:1) 22.723 ms 26.730 ms 26.716 ms
2 2001:DB8::4 (2001:DB8::4) * ms 88.322 ms * ms
3 2001:DB8::5:2 (2001:DB8::5:2) * ms 90.123 ms 100.110 ms
• Better, now we know which link is having issues.
37. Standards Compliance
• Networks smaller than /64 can be desirable, especially using /127s for point-to-point links (RFC 6164)
• To avoid future breakage, allocate a /64 in your documentation but use the smaller block
• Similarly, reserve /48s for EVERYTHING you can; there’s no reason to allocate densely, there’s plenty of space
• If you have a complex network, allocate in a sparse way to enable easy aggregation
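Two of these points lend themselves to a small address-plan tool, so here is an added Python example (not from the slides): sparse allocation of /48s from a /32 in bit-reversed order, so early assignments sit far apart and can grow while still aggregating, and a link plan that reserves a /64 per point-to-point link but configures only a /127 of it. The 2001:db8::/32 and 2001:db8:ffff::/48 blocks are documentation-range values assumed for the example, as are the class and function names.

```python
import ipaddress

def sparse_subnets(parent, new_prefix, count):
    """Return the first `count` subnets of `parent` with length `new_prefix`,
    chosen in sparse (bit-reversed index) order: allocation 1 goes to the
    start, 2 to the middle, 3 to the quarter point, and so on, so each block
    has free space beside it to grow into without breaking aggregation."""
    parent = ipaddress.IPv6Network(parent)
    nbits = new_prefix - parent.prefixlen
    if nbits < 0 or count > (1 << nbits):
        raise ValueError("parent is too small for that many subnets")
    shift = 128 - new_prefix
    base = int(parent.network_address)
    out = []
    for i in range(count):
        rev = int(format(i, f"0{nbits}b")[::-1], 2) if nbits else 0
        out.append(ipaddress.IPv6Network((base | (rev << shift), new_prefix)))
    return out

class LinkAddressPlan:
    """Point-to-point link numbering: reserve a whole /64 per link in the plan
    (so nothing breaks if a link is ever widened to a /64) but configure only
    the first /127 of it, as RFC 6164 permits."""

    def __init__(self, link_block="2001:db8:ffff::/48"):   # assumed block
        self.block = ipaddress.IPv6Network(link_block)
        if self.block.prefixlen > 64:
            raise ValueError("need at least a /64 per link")
        self._free_64s = self.block.subnets(new_prefix=64)  # lazy, in order
        self.links = {}   # link name -> (reserved /64, configured /127)

    def allocate(self, link_name):
        """Reserve the next /64 for a link and pick the /127 actually used."""
        if link_name not in self.links:
            reserved = next(self._free_64s)
            configured = next(reserved.subnets(new_prefix=127))
            self.links[link_name] = (reserved, configured)
        return self.links[link_name]

    def endpoints(self, link_name):
        """Both addresses of the /127, one per router end (RFC 6164 allows
        the all-zeros address to be used on such links)."""
        _, configured = self.allocate(link_name)
        return tuple(configured)

    def lookup(self, address):
        """Attribute any address to its link via the reserved /64, so traffic
        from elsewhere in the /64 still maps to the right circuit."""
        addr = ipaddress.IPv6Address(address)
        for name, (reserved, _) in self.links.items():
            if addr in reserved:
                return name
        return None

if __name__ == "__main__":
    for net in sparse_subnets("2001:db8::/32", 48, 4):
        print(net)                       # ::/48, 8000::/48, 4000::/48, c000::/48
    plan = LinkAddressPlan()
    print(plan.allocate("r1-r2"))        # (2001:db8:ffff::/64, 2001:db8:ffff::/127)
    print(plan.endpoints("r1-r2"))
```

Keeping the reserved /64 in the plan, not just the /127 on the box, is what makes the "allocate a /64 in your documentation but use the smaller block" advice survive the next engineer.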
38. Agenda
• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Conclusions
39. DUID
• When a Windows machine is cloned, you can get
two or more machines with the same DHCPv6
Unique IDentifier (DUID)
• This DUID is used by the DHCPv6 server to
identify the client, so when two clients with the
same DUID request IPv6 addresses with DHCPv6,
they will both be given the same address
• When the second machine receives its address
from the DHCPv6 server, it does IPv6 Duplicate
Address Detection, determines there is an IP
address conflict, and refuses the lease
40. Rogue RAs
• When a client is configured to run 6to4 (an
automatic tunneling protocol) and Internet
Connection Sharing, it will advertise itself as an
IPv6 router by sending out RAs on its wireless
interface
• Clients receiving such RAs will auto-assign
themselves an address in the wrong subnet
• Routers are generally configured with RA guard or
equivalent on their wired ports
• Unfortunately there is no way to block rogue RAs
over wireless APs (and some wired switches)
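Where RA guard cannot be applied, the fallback is to watch for RAs that should not be there. The following is an added Python example (not from the slides) of the classification logic a monitor would run over observed RAs: it flags RAs whose source is not a known router on that VLAN, RAs from a known router carrying an unexpected prefix, and any advertised prefix inside 2002::/16, which is what a host running 6to4 with connection sharing hands out. The VLAN name, router address, prefixes and the sample RAs are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RouterAdvert:
    """One observed Router Advertisement, as a monitor or capture would log it."""
    vlan: str
    src: str      # source address of the RA; RFC 4861 requires link-local
    prefix: str   # prefix from the Prefix Information option

# Expected state per VLAN (assumed values): legitimate routers' link-local
# addresses and the prefixes they are allowed to advertise.
EXPECTED = {
    "floor-wifi": ({"fe80::1"}, {"2001:db8:1::/64"}),
}

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")   # prefix space used by 6to4

# Constructed sample: a legitimate RA, one from a 6to4 + ICS host, one from an
# unknown source, and one from the real router announcing the wrong prefix.
SAMPLE_RAS = [
    RouterAdvert("floor-wifi", "fe80::1", "2001:db8:1::/64"),
    RouterAdvert("floor-wifi", "fe80::2d5:f3ff:fe12:3456", "2002:c000:204::/64"),
    RouterAdvert("floor-wifi", "fe80::dead:beef", "2001:db8:1::/64"),
    RouterAdvert("floor-wifi", "fe80::1", "2001:db8:9::/64"),
]

def classify_ra(ra, expected=EXPECTED):
    """Return None for a legitimate RA, otherwise a short reason string."""
    routers, prefixes = expected.get(ra.vlan, (set(), set()))
    src = ipaddress.IPv6Address(ra.src)
    pfx = ipaddress.IPv6Network(ra.prefix)
    if not src.is_link_local:
        return "RA source is not link-local"
    if pfx.subnet_of(SIXTOFOUR):
        return "6to4 prefix advertised (host running 6to4 with connection sharing)"
    if src not in {ipaddress.IPv6Address(r) for r in routers}:
        return "RA from unknown source"
    if pfx not in {ipaddress.IPv6Network(p) for p in prefixes}:
        return "known router advertising an unexpected prefix"
    return None

def rogue_ras(ras, expected=EXPECTED):
    """Filter observed RAs down to the ones that need attention, with reasons."""
    flagged = []
    for ra in ras:
        reason = classify_ra(ra, expected)
        if reason:
            flagged.append((ra, reason))
    return flagged

if __name__ == "__main__":
    for ra, reason in rogue_ras(SAMPLE_RAS):
        print(f"{ra.vlan}: {ra.src} advertising {ra.prefix}: {reason}")
```

Because the source of a rogue RA is a link-local address, the alert is only actionable together with the switch or AP that saw it; the sensible follow-up is to pair this check with the wireless controller's client table to find the misconfigured machine.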
41. Agenda
• Background and Goals
• IPv6 Basics
• How IPv6 works on the InteropNET
• Subnetting and Addressing
• Challenges and Lessons Learned
• Conclusions
42. Conclusions
• IPv6 works in the real world
• There are challenges to implementing
IPv6, but nothing show-stopping
• Much of the Internet’s content is reachable
over IPv6 (and growing fast) including all
of Google, FaceBook and 3000 other sites
• A much smaller percentage of Internet
users have IPv6 connectivity (though this
may change quickly with IPv4 depletion)
43. Learn More!
• http://www.getipv6.info/
• http://tunnelbroker.net/
• http://www.sixxs.net/
• http://www.ipv6ready.org
• https://www.arin.net/knowledge/ipv6_info_center.html
• Contact us:
– Brandon Ross,
• Chief Network Architect and CEO
• Network Utility Force
• bross@netuf.net +1-404-635-6667
– Jeff Enters
• Chief Infrastructure Architect
• HP TS Networking
• Jeff.enters@hp.com +1-414-412-3268
Speaker notes
IPv6 Network Architecture Options. When moving from an IPv4 to an IPv6 environment there are several key choices to be made. Do you have Internet access from multiple providers? How will you autoconfigure your end hosts? Which transition mechanisms will you use: tunneling, dual stack, translation? We will cover these later on in this webinar. Everyone should already be reachable on the IPv6 Internet, but this is not enough; don’t stop here. As Yanick already covered, IPv6 is already on your internal network and has vulnerabilities similar to IPv4 that need to be addressed.
Let us now talk about the different transition mechanisms we have at our disposal to address the transition to IPv6. The industry knew from the start that IPv6 was not backward compatible with IPv4, so it had to provide some transition tools. There are three methods. The first is dual stack: the ability for hosts or routers to support both IPv4 and IPv6. The second is tunneling: a method that encapsulates IPv6 inside an IPv4 packet to cross an existing IPv4 network. The third is translation: the more complex approach of actually translating an IPv6 packet into an IPv4 packet, or vice versa. We will analyze all these techniques in more detail in the next slides.
Because IPv6 is not backwards compatible with IPv4, IPv4 hosts and IPv6 hosts cannot communicate directly. With dual stack, a host has both an IPv4 and an IPv6 stack. Applications can use either stack to communicate. Usually there is a default stack for each application or for the system. If the connection cannot be established after a certain time, the other stack is tried. Trying both IP versions in parallel is recommended, since trying both protocols in sequence will delay deployment. While dual-stack devices offer the greatest flexibility, the following is also true:
• An IPv4 address (public or private) must be available for every dual-stack device.
• Dual-stack routers must maintain two routing tables.
• Dual-stack nodes require additional memory and CPU power.
• Each network requires its own routing protocol.
• Firewalls must be configured with security rules appropriate to each.
• A DNS resolver capable of resolving both IPv4 and IPv6 addresses is required.
• All applications must be able to determine whether communication is with an IPv4 or IPv6 peer.
• Separate network management commands are required.
Still, dual stack is the recommended transition tool for all networks, as it allows migration at the user’s own pace.
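The "try both IP versions in parallel, prefer IPv6" behaviour these notes recommend (and the deck's goal that IPv6-enabled sites be reached over IPv6 by default) can be shown as a small connection racer. This is an added Python example, not code from the presentation: it starts the IPv6 attempt immediately, gives IPv4 a short head start to wait, and returns whichever family connects first, closing any late winner. The `connect` callable is injectable so the race can be exercised without a network; the candidate shape (family, address, port) and the function names are this example's own.

```python
import queue
import socket
import threading

def candidates_for(host, port):
    """Resolve host to (family, address, port) tuples, AAAA answers first."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    cands = [(fam, sa[0], sa[1]) for fam, _, _, _, sa in infos]
    return sorted(cands, key=lambda c: 0 if c[0] == socket.AF_INET6 else 1)

def dual_stack_connect(candidates, connect=None, head_start=0.25, timeout=5.0):
    """Race IPv6 and IPv4 attempts, IPv6 getting a head start of `head_start`
    seconds. `connect(family, address, port)` returns a connection or raises;
    it defaults to a plain TCP connect. Returns (winning_candidate, connection)
    or raises OSError once every candidate has failed."""
    if connect is None:
        def connect(family, addr, port):
            sock = socket.socket(family, socket.SOCK_STREAM)
            sock.settimeout(timeout)
            sock.connect((addr, port))
            return sock

    families = [
        ([c for c in candidates if c[0] == socket.AF_INET6], 0.0),        # IPv6 now
        ([c for c in candidates if c[0] == socket.AF_INET], head_start),  # IPv4 later
    ]
    results = queue.Queue()
    done = threading.Event()

    def attempt(cands, delay):
        # wait out the head start; if the other family already won, do nothing
        if not done.wait(delay):
            for cand in cands:
                if done.is_set():
                    break
                try:
                    results.put((cand, connect(*cand), None))
                    break                      # one connection per family is enough
                except Exception as exc:       # real connects raise OSError
                    results.put((cand, None, exc))
        results.put(None)                      # sentinel: this family is finished

    workers = [threading.Thread(target=attempt, args=(cands, delay), daemon=True)
               for cands, delay in families if cands]
    for w in workers:
        w.start()

    def close_losers(pending):
        # drain whatever is still reported and close a late second connection
        while pending:
            item = results.get()
            if item is None:
                pending -= 1
            elif item[1] is not None:
                getattr(item[1], "close", lambda: None)()

    errors, pending = [], len(workers)
    while pending:
        item = results.get()
        if item is None:
            pending -= 1
            continue
        cand, conn, err = item
        if conn is not None:
            done.set()
            threading.Thread(target=close_losers, args=(pending,), daemon=True).start()
            return cand, conn
        errors.append((cand, err))
    raise OSError(f"all connection attempts failed: {errors}")
```

With a real resolver the call is `dual_stack_connect(candidates_for("www.example.com", 443))`; a site with a working AAAA record is reached over IPv6, a site whose IPv6 path is broken falls back to IPv4 after the head start instead of hanging for a full timeout.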
The concept of tunneling is simple and has been used for a long time. The IPv6 packet is encapsulated in an IPv4 packet. This can happen automatically or manually, and at the host or at a gateway router. When using a gateway router, which is common for enterprises, IPv6 hosts do not require any changes. The gateway routers take care of the encapsulation over IPv4 and maintain the connectivity point. They also maintain a list of the gateway routers that are closest to IPv6 hosts. It is also possible to create the tunnel at the host itself. This distributes the load over many hosts. This method is prevalent for home connections. One well-known method is ISATAP, which is supported by Microsoft. ISATAP was proposed by Microsoft. It is not a real IETF standard (Informational only) and requires a specialized protocol to replace ND. It has problems scaling, but it matters because Microsoft is a major player. The main advantage of IPv6 tunneling over IPv4 is that it allows deploying IPv6 in your network even if the carrier infrastructure does not support IPv6 yet. In the same way, if you can support full IPv6 in the infrastructure, you can tunnel IPv4 over IPv6. There are many drawbacks though. As the encapsulation is performed in the slow path, there is a performance and latency impact. In addition, the IPv4 header increases the packet size and may require fragmentation and multi-packet transmission. Tunneling can be more vulnerable to security attacks. Tunneling masks the real origin of the packets and makes debugging and network management more difficult.
Even with tunneling or dual stack, the fact remains that an IPv4 host can only talk to IPv4 servers. Translation is the last mechanism in our toolbox. But it is not that simple, as addresses appear at all levels of the OSI hierarchy, possibly even in the packet data itself. All the drawbacks of NAT exist with this solution. We already covered NAT in depth and will not restate it here. This mechanism should remain a last resort.