This document summarizes IPv6 implementation plans at ETH Zurich. IPv4 addresses are running out, so IPv6 is needed to connect the growing number of devices. The roadmap is to gain experience with IPv6 in 2013-2014, start the dual-stack rollout in 2015, and start a project to get rid of IPv4 in 2020. Key aspects covered include changing to a new IPv6 address range, DHCPv6 implementation challenges, firewall upgrades, and initial projects already using IPv6.
2. Agenda
IPv4 usage at ETH Zurich
Changing IPv6 range before rollout
Roadmap
Dr. A. Wittmann November 2012
3. IPv4: free 64 (/26) subnets
[Chart: number of free /26 (64-address) subnets per year, 2007 to 11.2012; y-axis 0 to 300]
4. # devices detected last 90 days vs. IPv4-Range
[Chart: number of different MAC addresses (last 90 days) vs. number of assigned IPv4 addresses, 2005 to 9.2012; y-axis 0 to 250000]
5. IPv6-Traffic (last 12 months)
6. Changing IPv6 range before rollout
BCM analysis
BIA analysis
new Provider Independent (PI) IPv6 range will replace old one
Request:
Request made by SWITCH: 13.9.2012
Routing to ETH done: 21.9.2012
7. IPv6-Roadmap: Management view
IPv6 pilot project started
important infrastructures (Exchange, CMS, Hosting, Storage)
Instruction initiative
Server admins, IT supporters, end users, students
documentation must be made first
DHCPv6 release in December 2012
productive as of April 2013
client networks will be forced
IPv6-only network zone offered for all ETH
IPv4-NAT/PAT project started (usage for next 10 years)
9. Agenda
My personal impression about IPv6
Roadmap
IPv6-Concept (ID ICT-Networks)
DHCPv6
Firewall
IPv6 SSID ‚eth‘ design
Multicast
What is done
?
10. My personal impression about IPv6
No way around IPv6 to connect all the devices to the Internet/Intranet
Phase 4 in Gartner's Hype Cycle (Slope of enlightenment)
It is not enterprise ready yet (DHCP, OS support, ...)
It is mainly designed for ISPs
Nearly no IPv6 rollout projects in other universities/companies
Client side: no fallback to IPv4 (DNS) – new RFC announced
11. Roadmap
1H 2013 Network ready for IPv6 large scale deployment (Firewall; DHCP-Relay; IPv6-only test-VPZ)
2014 get experience
2015 start IPv6 Rollout (Dualstack)
2020 start a ‚get rid of IPv4‘-project
12. IPv6-Concept (2001:067C:10ec::/48 PI)
[Diagram: the /48 split into blocks by bits 49, 50, 51, 52 and 58, each branch labelled 0 or 1]
1 x Reserve (not used)
256 /58 ranges for VPZ (VPZ-Prefix). Each VPZ thus gets 64 /64 subnets; these can also be used for internal cluster or management addressing.
128 /58 ranges for further VPZ (VPZ-Prefix)
4096 /64 subnets for tests until IPv6 is used in production
4096 /64 subnets for Network (Links/Loopback/NET-Admin)
13. IPv6 Concept
One IPv6 range (/58; prefix) per VRF -> 64 subnets
One /64 subnet reserved per VLAN
But only a smaller subnet is configured on the router:
- /118 subnet for servers (1024 IPv6 addresses)
- /115 subnet for docking/clients (8192 IPv6 addresses)
This prevents DoS (router breaks down during scans)
No auto-configured addresses allowed.
- No MAC addresses leave ETH Zurich
- No random IPv6 addresses (IDS, support)
Always configured in dual stack with IPv4 (no 6to4-NAT)
Source routing will be blocked
Some multicast addresses will be blocked (DHCP, DNS, ...)
Incoming IPv6 RAs will be blocked on access ports.
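
The addressing rules on this slide can be checked mechanically. The following is an added example, not part of the original slides: it derives the reserved /64 and the router-configured /118 or /115 for a VLAN, and labels observed source addresses the way an IDS or support check might. The sample /58, the placement of the configured range at the bottom of the /64, and the function names are assumptions.

```python
import ipaddress

SITE = ipaddress.ip_network("2001:67c:10ec::/48")        # PI range from the slides
# Assumption: sample per-VRF /58 chosen for illustration, not an actual assignment
VRF = ipaddress.ip_network("2001:67c:10ec:4000::/58")
CONFIGURED_LEN = {"server": 118, "client": 115}          # router-side lengths, slide 13


def vlan_plan(vrf, index, kind):
    """Return (reserved /64, prefix configured on the router) for VLAN `index`."""
    reserved = list(vrf.subnets(new_prefix=64))[index]
    # Assumption: the configured range sits at the bottom of the reserved /64
    configured = ipaddress.ip_network(
        f"{reserved.network_address}/{CONFIGURED_LEN[kind]}")
    return reserved, configured


def is_eui64(addr):
    """True if the interface ID has the ff:fe marker of a MAC-derived address."""
    iid = int(addr) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def classify(addr, reserved, configured):
    """Label an observed source address against the plan for one VLAN."""
    addr = ipaddress.ip_address(addr)
    if addr not in reserved:
        return "foreign"
    if addr in configured:
        return "ok"
    return "eui64-autoconf" if is_eui64(addr) else "outside-configured-range"


if __name__ == "__main__":
    reserved, configured = vlan_plan(VRF, 3, "server")
    print(reserved, configured, configured.num_addresses)
    # Constructed sample addresses, not taken from real traffic
    for a in ("2001:67c:10ec:4003::2a",
              "2001:67c:10ec:4003:21b:21ff:fe3c:9a01",
              "2001:67c:10ec:4003:5c1e:8a77:1234:abcd",
              "2001:db8::1"):
        print(a, classify(a, reserved, configured))
```

An address inside the reserved /64 but outside the configured range indicates SLAAC or a manually set address, both of which the concept disallows.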
14. DHCPv6
DHCPv6-Relay standard ... uses the outgoing interface of the router, which is IPv4 only ... will change
'No' redundant server -> 2 standalone servers with independent ranges (2x 4096 = 8192)
DHCPv6 lease depends on the DUID (DHCP Unique Identifier), which is assigned by the OS ... PXE boot?
Not all OSes support DHCPv6 – Android 4.x
15. Firewall IPv6
Old Firewall Service Module not capable
New Hardware onsite, migration by end 2012
Separate ACL for IPv4 and IPv6
→ new Firmware available now
→ CSM Release in Q1.2013
16. IPv6 SSID ‚eth‘ design
[Diagram: VTP-Zone WPA; DHCP clients in vrf red; Cat4500/Cat3750 (10x); MPLS; trunk; eBGP; FWSM (vrf-global); Fusion Routers; trunk; two central DHCP servers]
17. What is done
2001:067c:10ec::/48 = ETH Zurich Subnet
10-Gig Dual-Stack-connection to SWITCH
Core is ready, but some issues with DHCP
DHCP (with limitations)
DNS
IPv6 rough concept
IPv6 Firewall
IPv6 VPN-Client (IPv6 tunneled over IPv4)
Mgmt Tool ‘Netcenter’ (Reports, IP-Tool, Firewall)
IPv6 Loadbalancer
18. What is not planned yet
SEND/CGA (secure arp)
Router performance, whole subnet has to be open
IPv6 to IPv4 NAT nor IPv4 to IPv6 NAT
DNS-Problems, IPv4-NAT is easier
IPv6 HTTP-Proxy
IPv6 Multicast (Not supported yet)