SlideShare utilise les cookies pour améliorer les fonctionnalités et les performances, et également pour vous montrer des publicités pertinentes. Si vous continuez à naviguer sur ce site, vous acceptez l’utilisation de cookies. Consultez nos Conditions d’utilisation et notre Politique de confidentialité.
SlideShare utilise les cookies pour améliorer les fonctionnalités et les performances, et également pour vous montrer des publicités pertinentes. Si vous continuez à naviguer sur ce site, vous acceptez l’utilisation de cookies. Consultez notre Politique de confidentialité et nos Conditions d’utilisation pour en savoir plus.
How To Prepare for IPv6 NetworkingBY ED TITTEL AND JEFF CARRELL SPONSORED BY
The TCP/IP protocols that drive the Internet have been available in two differentversions since the mid-1990s. The network protocol known as Internet Protocol,or IP, that helps name TCP/IP, comes in a 32-bit flavor known as IPv4, and a 128-bit flavor known as IPv6. Though IPv6 traces its roots back to work undertaken atthe Internet Engineering Task Force (IETF) as far back as 1994, it has only begunto register with internet service providers (ISPs) and major network users withsome urgency in the past few years.Because it uses 32-bit addresses, IPv4 has serious issues today. The maximum number of addresses thata 32-bit value can represent is around 4.3 billion. By the time various reservations for loopback, privateIP addresses, multicasts, and experimental uses are removed, somewhat over 3.9 billion public IPaddresses remain for allocation. As of February 2011, the Internet Assigned Numbers Authority (IANA)had allocated all remaining public IP address ranges to the five global regional Internet registries. Aquick look at this IPv4 Exhaustion Counter below shows a total of 13.24 /8 (8-bit) IPv4 address rangesremaining, for a total of less than 3,400 remaining unallocated IPv4 addresses. Essentially, this meansIPv4 is played out. Figure 1: The iNetCore Exhaustion Counter ReadWriteWeb | How to Prepare for IPv6 Networking | 1
By contrast, with a 128-bit address space, IPv6 creates a completely different universe. The total maximum addresses available is on the order of 3.4 * 1038 addresses (that is 34 undecillion, in US numbers). The IPv6 address space is roughly 8 * 1027 larger than the IPv4 address space. The best way to really understand what this means is to ponder the typical IPv6 address allocation from an ISP to a customer for networking use. Customers are usually granted a /64 address, which means a single entity gets 4.3 billion times as many addresses as occur in the entire IPv4 address space. There’s More to IPv6 Than Oodles of Addresses Beyond an extremely large address space, IPv6 brings numerous other advantages to networks that use this protocol stack, and the many services it supports. These include the following: • A redesigned IP header format that moves non-essential and optional elements into so-called extension headers that follow the IPv6 header. The resulting streamlined IPv6 header is more compact, and faster and easier to process as it’s routed from sender to receiver. • Efficient, hierarchical addressing and routing: rework of IPv4 into Classless Interdomain Routing (aka CIDR) taught networking engineers how to organize and orchestrate addressing and routing information. IPv6 incorporates all of this into its base design. • Multiple auto-addressing and address configuration methods, including DHCPv6 and automated link-local addressing. Local hosts can always automatically configure themselves for local communication quickly and easily (the same is not true for Internet access). • Improved security comes from built-in support for IP Security (aka IPsec) in IPv6. IPv6 incorporates security header extensions for encryption, authentication, and VPNs, and uses IPsec from end to end. Though IPsec remains optional in IPv6, it is much easier to use. • Better routing technologies. Support for a Flow Label field in the IPv6 header makes it easier to route and manage IPv6 network, to impose priority or quality of service regimes on network flows, and to use sophisticated routing and high-speed packet delivery services through the cloud (MPLS). • Better Neighbor Discovery protocols for IPv6 replaces the broadcast Address Resolution Protocol, along with ICMPv4 Router Discovery, and ICMPv4 Redirect messages. It uses efficient multicast, anycast, and unicast messages for neighbor discovery and route info. • No more NAT (network address translation) is needed — though IPv6 proxies may be a good idea to maintain anonymity and opacity — because sufficient IPv6 addresses for all conceivable uses eliminate the need for address translation services. WHY ISN’T EVERYBODY ALREADY USING IPV6? IPv6 hasn’t exactly lit the world on fire, and people are still sticking to IPv4 addresses. Why haven’t they switched? There are a lot of reasons, some which relate to services available, some to networking2 | ReadWriteWeb | How to Prepare for IPv6 Networking
hardware components and infrastuctures, and some to necessary changes to important applicationsand services to enable end-to-end use of IPv6. Let’s examine each of these parts in turn, to explainwhere there might be hold-ups or other impediments in the way.LACK OF NATIVE IPV6 INTERNET ACCESSIPv4 and IPv6 are not interoperable, and in fact, require different protocol stack software to workproperly on networking hardware (including Layer 3 switches, routers, and firewalls), as well ason servers and client devices that usually act as the end-points for Internet or private networkinteractions. ISPs must add IPv6 support to existing IPv4 capabilities, and be able to support bothprotocols indefinitely (this is usually called a “dual-stack” approach to IPv4 and IPv6).A quick look at recent surveys on ISPs that support (or plan to support) IPv6 breaks down somethingroughly like this:• One-third of ISPs already support IPv6• Up to 85 percent of all ISPs plan to support IPv6 by the end of 2012, so somewhere around 50 percent are “getting ready” to go with IPv6. In the USA, for example, major ISPs such as Sprint, Comcast, AT&T, Time-Warner, and Verizon have pilot or partial deployments of IPv6. Most of them offer native, dual-stack services for enterprise and US government customers already (thanks in large part to federal mandates for IPv6 support to supply Internet services to US government agencies and workers).• The remaining 15-25 percent plan to support IPv6 in 2013 or later.A recent article by Steven J. Vaughn-Nichols entitled Hurricane Electric takes its IPv6 expertise to thedatacenter makes the key point that datacenters create and use hundreds to thousands of virtualmachines at a time, and all of these VMs need IP addresses. As more and more new VMs are created,data centers will have increasing needs for IPv6 addresses for them to use, with all that this entails. Theday of IPv6 reckoning may therefore be closer than some may think for many organizations, for thisreason.IPV6 CAPABLE NETWORKING INFRASTRUCTURES NEEDEDAside from whether or not external ISP links can accommodate IPv6, internal network infrastructuresmust also be able to handle IPv6 as well. For companies and organizations that purchase enterprise-class networking gear — including routers, firewalls, Layer 3 switches, and other networkingappliances of all kinds (WAN Optimization, spam filters, anti-malware devices, content filters, andso forth) — IPv6 support is more often present than absent. For SOHO or SMB gear, however, someresearch and testing may be needed to determine what’s what.But on networks not already configured for IPv6 some work will be needed to enable IPv6 onnetworking gear, and then to configure it properly, and test to make sure it’s working properly. Routerswill need IPv6 enabled, and to be tested to make sure IPv6 routing protocols are working properly.Layer 3 switches will need to have IPv6 VLANs set up and configured. And finally, firewalls will requireturning on IPv6 packet forwarding, and rules or filters established for what kinds of IPv6 traffic (and ReadWriteWeb | How to Prepare for IPv6 Networking | 3
addresses, states, and so forth) to allow and deny. Certain IPv6-based services will also be essential to proper IPv6 network function, particularly DHCPv6 to assign and manage IPv6 network addresses, and DNSv6, to resolve IPv6 based name lookups so that clients may use domain names to make Internet service connections. At SMB organizations, adding IPv6 support may involve replacing some networking equipment — particularly switches, routers, firewalls, and so-called “combo devices” that often integrate all of these functions into a single appliance. If there aren’t any IPv6 entries in the configuration menus for the gear you’ve got, and the manuals don’t describe how to enable and configure IPv6 networking, odds are that you will have to replace some or all of your current equipment with newer, IPv6-capable devices instead, or at least update to newer firmware, if that firmware support IPv6. UPGRADE AND ENABLE KEY NETWORK SERVICES FOR IPV6: DHCP, DNS, E-MAIL, AND MORE To make effective use of IPv6, the network infrastructure must itself be upgraded to provide IPv6 support. At a minimum, this means some kind of IPv6 addressing scheme must be designed and implemented. Although DHCPv6 isn’t required to supply network interfaces with IPv6 addresses it is enough like the IPv4version for network administrators to understand how to install and use it both easily and readily. This addresses the need for clients to obtain IPv6 addresses that they can then use for IPv6 communications and network access. Likewise, support for the Domain Name Service (DNS) is as important for IPv6 users as it is for IPv4 users. Network administrators will need to investigate current DNS services to see if they can be enabled, extended or upgraded to add DNSv6 support. For smaller organizations, this often consists of confirming that an ISP (or other providers of DNS services, such as OpenDNS) can deliver DNSv6 services, and then providing the proper IP addresses for primary and secondary DNS servers in the various configuration contexts where such information is needed. Then there’s the application and services universe to consider as well, including email and Web servers. Certainly, as a core information service for organizations, e-mail services will need to be extended to support IPv6. In many cases, current software versions may support IPv6 and, as with other elements we’ve already explored, IPv6 needs to be enabled, configured, and tested for proper operation. In most cases, older SMTP, POP3, or IMAP services need upgrades or replacements to make IPv6 support possible. But the beauty of a dual-stack environment is that both IPv4 and IPv6 can coexist peacefully and harmoniously, and users can employ whichever stack works best for them.4 | ReadWriteWeb | How to Prepare for IPv6 Networking
Case Study: A Sample SMB IPv6 Set-up ScenarioWithout going into all of the details involved in set-up and configuration, let’s review a recent case inpoint in converting a small company from IPv4 only to dual-stack IPv4/IPv6 networking and show youhow it was done and the time and issues dealt with along the way. We consider a network that enabledWindows 7 clients to run in dual-stack mode, with IPv6 used when available, and IPv4 otherwise.Total expenditures involved were around $2,000 to replace an older (Rev A) D-Link DIR-655 combodevice (firewall, single WAN port, 4-port GbE switch, and wireless access point with RevA3 firmware)with a Fortinet Fortigate 80C device (firewall, gateway, 6-port GbE switch, dual WAN ports withcomprehensive and complete IPv6 support).STEP 1: SOLVE THE ISP BARRIER (ONE HOUR)Because local native IPv6 ISP service was not available from the company’s chosen ISP, a tunnel-basedapproach was set up with well-known IPv6 service provider Hurricane Electric (HE) as part of theoverall solution. HE offers a free IPv6 Tunnel Broker solution that support native IPv6 Internet accessby tunneling over IPv4 connections through a non-native IPv6 ISP from an in-house IPv6 enabled hostcomputer or boundary device to an HE IPv6 router.Though tunneling does impose a performance impact, HE routers are extremely fast and efficient.And because the company peers with major backbone providers at its datacenters, we didn’t noticeany perceptible slowdowns when comparing Internet interactions with dual-stack services forIPv6 as compared to using IPv4 instead. So far, users at the company have noticed no change inInternet behavior or performance, even though they’re using IPv6 for up to 35% of their networkcommunications, according to our traffic analyses.STEP 2: MAKE THE NETWORK IPV6-READY (THREE HOURS)Once we replaced the D-Link boundary device with the Fortinet Fortigate 80C, we simply had toenable IPv6 on that device, and set up protocol filters for HTTP/HTTPs, SMTP, POP3, remote access, andICMP, then set up the HE tunnel broker. We were immediately able to use IPv6 on devices attacheddirectly to the Fortinet box through one of the switch ports. The total time and effort involved wasunder two hours, including a mix of GUI/Web and command-line-based setup and configurationactivities on the Fortinet device.The next step was to configure our HP/3COM Layer 3 switches to support IPv6 VLANS to set up theswitched equivalent of subnets on these devices. ReadWriteWeb | How to Prepare for IPv6 Networking | 5
STEP 3: CREATING AN IPV6 FRIENDLY ENVIRONMENT (ONE HOUR-PLUS) Configuring the HE tunnel broker automatically handled the DNS issue: we simply linked to HE’s DNS servers which run dual-stack and resolve IPv4 and IPv6 name resolution requests. In other cases, we’ve found that configuring Microsoft or BIND DNS for IPv6 takes some study and preparation, but that the actual activity usually takes less than 15 minutes to complete. The first time can be challenging but it gets progressively easier after that. The Fortinet Fortigate 80C includes a simple DHCPv6 server as part of its IPv6 configuration options. We needed only to provide it with a suitable address range for assignment, and to note static address assignments for servers, routers, switches, and so forth, and address management was good to go. Finally, we also modified an Exchange Server 2010 to enable IPv6 support. All of the IPv6 related issues and details are completely explained and illustrated in the TechNet article Understanding IPv6 Support in Exchange 2010 so this proved relatively easy and straightforward. IIS 7 supports IPv6 as-is, so unless you’ve turned off IPv6 features on the servers on which it runs, though it is necessary to download FTP for IIS 7.0 if you want to support IPv6 FTP connections for IIS (see this SoftLayer forum post for details). Depending on your installation, this could take an hour or more.6 | ReadWriteWeb | How to Prepare for IPv6 Networking
Time to Take the IPv6 Plunge!When it comes to pursuing IPv6 deployment for your own networks, you’ll want to undertake aspecific series of tasks. Inside your network, you’ll need to research the level of IPv6 support that ispresent on every device attached to your network. It’s a good idea to set up a test lab that’s as closeto your production environment as time and money will allow, so you can document changes andthe migration process independently, acquire needed upgrades and replacements, and deploy whenyou’ve got a sure-fire working set of equipment, software, and migration scripts or how-tos.In dealing with obtaining IPv6 from an ISP, you’ll want to contact them and inquire about IPv6availability (or scheduled dates for turning native IPv6 access on). You’ll want to ask specifically howthey will support IPv6 when it does become available, particularly if this means upgrading CPEsoftware or replacing your current CPE device itself. In the meantime, you too, can set up a tunnel toHurricane Electric.For organizations that contract Web, e-mail, DNS, and other services hosting to third parties, you’llwant to find out about their current or planned support for IPv6. In some cases, what you learn mayalso require making some changes to bring your organization into the IPv6 fold.Ed Tittel and Jeff Carrell are both longtime computing industry veterans, former Novell employees, andco-authors (with Laura Chappell) of a college textbook entitled Guide To TCP/IP, 4e (Course Technology,2012, ISBN: 978-11330-1986-2). Jeff develops and delivers training on HP network switches and routers, andteaches hands-on IPv6 labs for SharkFest and all kinds of IPv6 task forces and organizations. Ed makes hisliving as a freelance writer and researcher. Together, they operate IPv6NetworkPros.com, an IPv6 portal thatincludes a virtual IPv6 training lab, IPv6 content and information, and pointers to most imaginable kinds ofIPv6 resources. ReadWriteWeb | How to Prepare for IPv6 Networking | 7