This gives the typical enterprise 65, subnets, which for the vast majority should be more than enough. Only very large multisite, multibuilding enterprises may need to request a larger address block from their service provider or RIR.
Dual-Stack
Most enterprises will initially prefer the dual-stack model. All users, applications, and network equipment will be given address space from both the legacy protocol and the IPv6 protocol.
Most common operating systems prefer IPv6 when a functional path is available. The specification tries to ensure that, where it is reliably available, IPv6 is usually preferred over IPv4. Simply stated, parallel DNS queries are launched for the IPv4 and IPv6 addresses of any website, and the first response back is preferred.
It is important to note that the dual-stack model will not be sustainable in the future when we have completely exhausted the available IPv4 space.

Figure 4.

There have been numerous recent examples of large entities migrating to IPv6-only after dual-stack transitions. Typical motivations are to avoid the cost of translation equipment, reduce the cost of running a dual-stack infrastructure, reduce the attack surface to only one protocol, and simplify troubleshooting.
Facebook is an example. It has deployed an IPv6-only infrastructure within its data center.
Tunneling
In , native or dual-stack IPv6 deployment is possible and should be used for security and performance reasons. Tunnels should in general be avoided at all costs.

Enterprise Network Segments
The typical enterprise network has been built on a three-layer model, with access, distribution, and core as those layers, integrating the Internet edge, and providing maximum scalability. Smaller enterprises may have collapsed the core and distribution layers and combined them with the access layer.
The adoption of IPv6 does not change those models and should be planned for in a similar fashion. We discuss the key segments of the overall network architecture later. Certain operational support systems and network operations procedures must also become IPv6 aware.
Web
In order to get an IPv6 web presence, it is usually enough to implement IPv6 on the front end of all web servers. There is no immediate need to upgrade any back-end database or back-end server, as those servers are never accessed directly from the Internet. There are multiple ways of adding IPv6 connectivity to a web server farm. Most modern web servers have supported IPv6 for several years, and enabling IPv6 natively on the web servers themselves is the clean and efficient way to do it.
Some applications or scripts running on the web servers may need some code changes, particularly if they use, manipulate, or store the remote IP addresses of their clients. This approach has the benefit of reducing dependencies on other components, perhaps even allowing selection of different hosting providers for IPv4 and IPv6. Load balancers can also do this by translating back and forth between the two address families, IPv4 and IPv6. This is probably the easiest way to add IPv6 to the web servers.
However, with RFC , a Forwarded: header can be injected by the load balancer, and the originating client IPv6 address can then be identified.

Figure 5.

The specification includes both stateful and stateless translation methods. Content delivery networks (CDNs) can also provide IPv6 reachability; for example, Akamai and Cloudflare both support IPv6 in their infrastructures today.
Any customer of these CDN services can request dual-stack delivery of their content, and by proxy they become IPv6 reachable over the Internet. Figure 6 illustrates some of these translation techniques.
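As an added example (not code from the original document), the following Python shows how an application behind a dual-stack load balancer can recover the client's address from the Forwarded header (RFC 7239) while trusting that header only when the TCP peer is the load balancer, since anyone else can send a forged one; the load balancer address 203.0.113.43 and the sample header value are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the load balancer (203.0.113.43) terminates the client's
# IPv6 connection and injects an RFC 7239 Forwarded header toward the server.
SAMPLE_HEADER = 'for="[2001:db8:cafe::17]:4711";proto=https;by=203.0.113.43'
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.43")}  # assumed LB address

# key=value pairs; the value is either a quoted string or a bare token
_PAIR = re.compile(r'\s*([a-zA-Z0-9]+)=("([^"]*)"|[^;,]*)')

def parse_forwarded(header):
    """Return one dict per comma-separated forwarded element, keys lower-cased.
    (Assumes no commas inside quoted values, which is the common case.)"""
    elements = []
    for element in header.split(","):
        pairs = {}
        for m in _PAIR.finditer(element):
            value = m.group(3) if m.group(3) is not None else m.group(2)
            pairs[m.group(1).lower()] = value.strip()
        if pairs:
            elements.append(pairs)
    return elements

def node_to_address(node):
    """Map a Forwarded 'for'/'by' node to an ip_address object. IPv6 nodes are
    bracketed with an optional port; IPv4 nodes may carry a port. Obfuscated
    ('_xyz') and 'unknown' nodes yield None."""
    node = node.strip()
    if node.startswith("["):
        host = node[1:node.index("]")]
    elif node.count(":") == 1:
        host = node.split(":")[0]
    else:
        host = node
    try:
        return ipaddress.ip_address(host)   # works for both address families
    except ValueError:
        return None

def client_address(header, peer, trusted=TRUSTED_PROXIES):
    """Address to log or rate-limit: the first 'for' node when the TCP peer is a
    trusted load balancer, otherwise the peer itself (the header is untrusted)."""
    peer = ipaddress.ip_address(peer)
    if peer not in trusted or not header:
        return peer
    elements = parse_forwarded(header)
    if not elements or "for" not in elements[0]:
        return peer
    return node_to_address(elements[0]["for"]) or peer
```

Storing the returned object's `compressed` form (up to 45 characters for IPv6) is the kind of change the text anticipates for code that keeps client addresses in fixed-width IPv4 fields.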
Figure 6.

VPN remote access and site-to-site VPNs work today with IPv6 natively. Over the long term, enabling IPv6 at the head end will make it easier for IPv6-only clients to connect.
To facilitate debugging and operation, it is also advisable to add the reverse mapping of IPv6 addresses to fully qualified domain names (FQDNs). These two steps, publishing the forward records and adding the reverse mappings, are independent. In order to have an Internet IPv6 presence, only the first step is required; that is, the enterprise must publish the IPv6 addresses of all its Internet servers in its DNS zone information.

Figure 7.

The dubious security value of IPv4 NAT is easily replaced by any stateful firewall solution for IPv6, which can, of course, be complemented by other security techniques such as intrusion prevention systems (IPS).
NAT also breaks the end-to-end connectivity model and either breaks or complicates application deployment. Another commonly cited reason is host mobility and how connectivity works for device roaming between the inside and outside of network domains.
This solution allows enterprises to accelerate IPv6 adoption and also helps with IPv4 address depletion at the same time. In 1-to-1 translation, it supports both IPv6-initiated and IPv4-initiated communications. In 1-to-N translation, it supports both IPv6-initiated and IPv4-initiated communications with static or manual mappings.

Multihoming
Multihoming on the Internet edge of an enterprise network refers to having redundant, reliable paths through one or more ISPs. Larger enterprise environments typically solve problems such as asymmetric routing and prefix advertisement with a combination of NAT and Border Gateway Protocol (BGP) peering.
When deploying IPv6 for those environments, medium-sized enterprises using multiprovider designs can benefit from a recent technology: RFC Network Prefix Translation (NPTv6), a stateless prefix-swapping technology operating on the network topology portion of an IPv6 address while still allowing inbound access.

Figure 8.

LISP (Locator/ID Separation Protocol) is a very powerful set of services and tools that reduces the operational burden of tuning BGP for load balancing and provides an extra layer of resilience at the Internet layer.

Enterprise Data Center
The enterprise data center is defined as the different data centers of an enterprise that are located within the enterprise network and managed by the enterprise.
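To make the stateless prefix swapping concrete, here is an added Python example (not from the original document) implementing the /48 case of the RFC 6296 NPTv6 algorithm: the prefix is replaced and the subnet word is adjusted so the address contributes the same one's complement checksum as before, which is what lets the translator keep no per-flow state and leave TCP/UDP checksums untouched. The internal prefix fd00:1234:5678::/48, external prefix 2001:db8:abcd::/48 and host address are constructed values.

```python
import ipaddress
import struct

def _words(addr):
    """The eight 16-bit words of an IPv6 address, network byte order."""
    return list(struct.unpack("!8H", addr.packed))

def _ones_complement_sum(words):
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return total

def nptv6_translate(addr, from_prefix, to_prefix):
    """Rewrite addr from from_prefix to to_prefix (both /48) as RFC 6296 does:
    swap the prefix, then add the one's complement difference of the two prefix
    sums to word 3 (the subnet field). The outbound and inbound directions are
    the same function with the prefixes exchanged."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    words = _words(addr)
    src_sum = _ones_complement_sum(_words(src.network_address)[:3])
    dst_sum = _ones_complement_sum(_words(dst.network_address)[:3])
    # adjustment = src_sum - dst_sum, computed in one's complement arithmetic
    adjustment = _ones_complement_sum([src_sum, (~dst_sum) & 0xFFFF])
    new_words = _words(dst.network_address)[:3] + words[3:]
    new_words[3] = _ones_complement_sum([words[3], adjustment])
    if new_words[3] == 0xFFFF:          # RFC 6296: 0xFFFF is never written
        new_words[3] = 0x0000
    return ipaddress.IPv6Address(struct.pack("!8H", *new_words))

def checksum_neutral(a, b):
    """True when a and b contribute identically to a one's complement checksum
    (0x0000 and 0xFFFF are the same value in that arithmetic)."""
    sa = _ones_complement_sum(_words(ipaddress.IPv6Address(a)))
    sb = _ones_complement_sum(_words(ipaddress.IPv6Address(b)))
    return sa % 0xFFFF == sb % 0xFFFF
```

Because the subnet word changes, the external view of the internal numbering plan is scrambled, so firewall rules on the outside must be written against translated prefixes rather than internal subnet numbers.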
It contains all the servers, applications, and data storage accessed by Internet users, partners, and internal users. The different user types external vs.
The section that follows discusses internal access to the data center and the applications or services an enterprise provides to its internal employees. For the enterprise data center using public IPv4 addresses, address exhaustion will be an immediate issue because access to new IPv4 address space may not be possible.
Moving to IPv6 is clearly the right way forward. For the enterprise using private address space, changes such as mergers, application development, and gateway deployment will be barriers to success at some point in the future.
Deploying IPv6 in the data center requires two main steps:
Network deployment: Because of the higher performance required in the data center, all networking devices must have the same performance level for IPv6 as for IPv4, not only for routing but also for convergence, high availability, security inspection, and so on. Other points that could be sensitive are the load balancers, SSL acceleration devices, and network management tools.
Application deployment: While Microsoft is aggressively moving to IPv6, this is not the case for all application vendors or open-source applications. If a server runs an IPv4-only application or its code has IPv4 literals embedded in the application, a migration strategy may be needed. This could be accomplished by using the legacy protocol for the life of the application or by updating or even rewriting the code.
Moving data from one data center to the next for the purpose of replication or disaster recovery will require that the enterprise deploy data center interconnect (DCI) technologies that support IPv6, such as overlay transport virtualization (OTV).

Cloud
As more services and operations move to the cloud, operations are affected in many ways.
The dependence on the Internet becomes mission critical for both the cloud provider and the customer. From the cloud provider standpoint, being IPv6 enabled increases site reliability, as resources may be reached over two protocols that are orthogonal to each other.
In addition, peering paths for IPv4 and IPv6 tend to be different, which enhances the path diversity to reach their site. The entire RFC can easily be consumed, as it provides only 17,, addresses. This can all be avoided by deploying IPv6 to customer resources. If for some reason IPv4 routes are compromised or dropped, the provider can still be reached over IPv6.

How to Select an IPv6 Cloud Provider
The arrival of cloud computing and cloud-based services presents enterprises with another area where the impact of IPv6 will require careful consideration.
Pay particular attention to transit and peering, which may be completely different from the legacy protocol. Because public addresses are needed in the cloud, we are already seeing some cost pressures on IPv4-based services.
Some providers are actually offering lower rates for IPv6 services than for those that require the legacy protocol. One such example is OVH.

Management
Any tool that monitors network activity should be reviewed to make sure that it can handle the new address format. Similarly, any tools that perform packet analysis, inspection, or access control must be reviewed.
This behavior may affect an enterprise security audit. As part of the design phase, an enterprise will have to decide which address strategy to use SLAAC vs.
It is likely that an enterprise will deploy both, though not typically on the same access layer segment.

Security
Secure deployment and understanding of risk are key criteria for the successful deployment of IPv6 in the enterprise.
At a minimum we should expect parity with the legacy protocol.
In fact, the majority of security concerns do not change with the introduction of IPv6. The differences occur when the protocol specifics become important. IPv6 introduces the concept of extension headers.
Some types of extension headers have been deprecated and others may be blocked, depending on the policy and needs of the enterprise. Certain ICMPv6 message types must be allowed through the firewall in order to provide connectivity, while other types may be blocked or allowed per policy. There has been guidance from network operators in the form of best common practices (BCPs) related to IPv6.
These BCPs include bogon filtering and antispoofing techniques. It is expected that an enterprise security policy will be updated to properly allow and control IPv6 traffic. Most intrusion prevention systems (IPS) have adapted to IPv6 and function similarly to the legacy protocol designs.
Another critical element in securely operating IPv6 is to ensure that the security incident and event management (SIEM) systems are capable of providing the forensics and correlation required by the enterprise security policy. Of interest to enterprises about to embark on an IPv6 deployment are the challenges found when retrofitting security controls over existing IPv4 deployments.
Most such deployments did not have all modern security controls in place, and retrofitting things such as proper zoning of addressing to simplify controls and first hop security has not been trivial or without impact. As IPv6 is in many cases a greenfield for enterprises, architects have the ability from the outset to enable a secure environment, so that in the event they need to tighten access in the future, the framework is laid and the enterprise can be agile in the deployment of additional controls.
First Hop Security
When a device has an IPv6 stack enabled, it will automatically send router and neighbor solicitations to find network information. A rogue device could, through either misconfiguration or malicious intent, provide that information via router advertisements.

Any extra training will pay dividends as the IPv6 project progresses.

IPv6 planning and design
Once the teams are trained and know what is in the environment, they can create a detailed technical plan for deployment. This holistic design will take into account all aspects of your environment and the business benefits that your organization will derive from IPv6 implementation. The plan should follow the internet-inward deployment method.
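The rogue router advertisement risk described under First Hop Security above, as an added Python example that is not part of the original document: it parses an ICMPv6 Router Advertisement (RFC 4861) and, in the spirit of RA Guard, flags advertisements that come from an unexpected router or announce an unexpected prefix. The legitimate router fe80::1 and prefix 2001:db8:10:1::/64 are assumed values, and build_ra constructs sample packets for input.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
# Assumed legitimate first-hop state for one access segment (constructed values).
LEGIT_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
LEGIT_PREFIXES = {ipaddress.IPv6Network("2001:db8:10:1::/64")}

def parse_ra(payload):
    """Parse an ICMPv6 Router Advertisement header plus its Prefix Information
    options; returns None if the payload is not an RA."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        return None
    hop_limit, _flags, lifetime = struct.unpack("!BBH", payload[4:8])
    ra = {"hop_limit": hop_limit, "router_lifetime": lifetime, "prefixes": []}
    offset = 16                                  # options follow the 16-byte header
    while offset + 8 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:                         # malformed option: stop parsing
            break
        opt = payload[offset:offset + opt_len * 8]
        if opt_type == OPT_PREFIX_INFO and len(opt) == 32:
            prefix = ipaddress.IPv6Address(opt[16:32])
            ra["prefixes"].append(ipaddress.IPv6Network((prefix, opt[2]), strict=False))
        offset += opt_len * 8
    return ra

def check_ra(src_link_local, payload):
    """RA Guard style check: list findings for an RA seen from src_link_local;
    an empty list means the expected router advertised only expected prefixes."""
    ra = parse_ra(payload)
    if ra is None:
        return ["not a router advertisement"]
    findings = []
    src = ipaddress.IPv6Address(src_link_local)
    if src not in LEGIT_ROUTERS:
        findings.append(f"RA from unexpected router {src}")
    for net in ra["prefixes"]:
        if net not in LEGIT_PREFIXES:
            findings.append(f"RA advertises unexpected prefix {net}")
    return findings

def build_ra(prefix, router_lifetime=1800):
    """Construct a minimal RA carrying one Prefix Information option (sample input)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                         2592000, 604800, 0) + net.network_address.packed
    return header + option
```

On a real access switch the same policy is enforced in hardware by RA Guard, which drops RAs on ports that are not supposed to face a router; this code is for inspecting captured frames or building a detection rule.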
IPv6 addressing plan
At this point, the team will understand IPv6 address formats and will be ready to build an IPv6 addressing plan. The first step is to determine the size of the global IPv6 prefix your organization may need, a process that can be helped along with an IPv6 address planning tool. Then you can request an IPv6 address allocation from your regional internet registry (RIR) and proceed to create the detailed prefix plan.

IPv6 proof of concept (PoC)
If your organization has a lab to test configurations, then this is where you will perfect your configuration scripts. Using your own IPv6 home lab, while a great way to learn, may not be sufficient, and you may require a PoC testbed to prepare for production implementation.

Deploying IPv6 at the internet perimeter
All the preparations up to this stage have laid a foundation for your organization to start pulling together the configuration changes you will make to network devices, servers, security systems, services, and end-user devices.