1 IPV6 FOR INTERNET SERVICE PROVIDERS
STATE/LESSONS/STILL TO COME
Aaron Hughes, CEO 6connect
RIPE70
2 PERCEPTION OF IPV6 IMPLEMENTATIONS
Network People We dual stacked the network years ago and we're done Sales People Yes, we have that DevOps We don't really need to do anything Do I need to be doing anything? Systems Support staff All we have to do is turn it on and HUP the process Cloud Providers We can get you an IPv6 address..
3 EXPLORING REALITIES
After conducting interviews with various types of providers in the Service Provider space, I've found that reality does not match perceptions. While we in the operator and policy forums are focused heavily on dual stacking backbones, eyeballs and eyeball facing content, the reality of percentage of implementation is different than perception. The globally acceptable metric in these forums seems to be percentage of IPv6 traffic on the global internet measured by, typically, Google. While measuring actual implementation with ISPs may be challenging, this is an attempt to give the state of some ISPs, where they are today, difficulties, and general experiences. If this is useful, it may be useful to have regular polls in an anonymous format for Service Providers (and perhaps Enterprises) to provide to this audience.
4 A SMALL CANADIAN ISP
- Our IPv6 plan was phased over time
- We started with our BGP core adding transit and peers over time
- As part of server refreshes, we enabled IPv6 functionality over time.
- A byproduct of the migration has been the cleanup of a number of outlier systems and network components.
- We didn't have a large lab to test everything so we would change a small part each time and watch for issues.
- To date a couple minor bugs but no customer facing concerns.
5 A SMALL CANADIAN ISP CONT. Routers Switches BACKEND Monitoring DNS (recursive) DNS (authoritative) MAIL Control Panel Web Servers Radius Backup Servers VPN Corporate Firewall
6 A SMALL CANADIAN ISP CONT.
Things we learned along the way:
1) The Big Unknown. Older Servers and Routers need to be updated or refreshed.
- Stateful Firewall for IPv6 not supported in Redhat 5 (No Connection Tracking).
- Feature parity in older JunOS versions wasn't there.
- FreeRadius 1.x doesn't support sending IPv6 packets.
2) It's the small things
- fail2ban, a firewall script for blocking, doesn't have IPv6 support (experimental only)
- Custom scripts written years ago were making IPv4 assumptions.
- We use greylisting and utilize whitelisting, very limited IPv6 support.
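An added example (not from the presentation or from any ISP's own scripts) of the IPv4 assumption in log-driven blocking described on this slide: a dotted-quad regex silently drops every IPv6 and IPv4-mapped source, while a family-agnostic parser counts them. The log lines are constructed, the function names are hypothetical, and grouping IPv6 sources by /64 is an assumption of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd-style lines; all addresses are documentation prefixes.
SAMPLE_LOG = """\
Failed password for root from 192.0.2.10 port 40001 ssh2
Failed password for root from 192.0.2.10 port 40002 ssh2
Failed password for root from ::ffff:192.0.2.10 port 40003 ssh2
Failed password for admin from 2001:db8:1800:5::a port 40004 ssh2
Failed password for admin from 2001:db8:1800:5::b port 40005 ssh2
Failed password for admin from 2001:db8:1800:5::c port 40006 ssh2
Failed password for admin from 2001:db8:1800:5::d port 40007 ssh2
Failed password for test from 2001:db8:1400:1::1 port 40008 ssh2
"""

# The IPv4 assumption: only a dotted quad directly after "from" is a source.
V4_ONLY = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3}) port")
# Family-agnostic: take the token and let ipaddress validate it.
ANY_ADDR = re.compile(r"from (\S+) port")


def legacy_sources(log):
    """What an IPv4-only script sees: IPv6 and v4-mapped sources vanish."""
    return V4_ONLY.findall(log)


def ban_key(text):
    """Network to count and block for one source address string."""
    addr = ipaddress.ip_address(text.split("%")[0])  # drop any zone id
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is the same IPv4 client
    if addr.version == 4:
        return ipaddress.ip_network(f"{addr}/32")
    # Assumption: one subscriber controls at least a whole /64.
    return ipaddress.ip_network(f"{addr}/64", strict=False)


def offenders(log, threshold=3):
    """Networks with at least `threshold` failed logins."""
    hits = Counter()
    for token in ANY_ADDR.findall(log):
        try:
            hits[ban_key(token)] += 1
        except ValueError:
            continue  # not an address (e.g. a hostname); skip the line
    return {str(net) for net, count in hits.items() if count >= threshold}


if __name__ == "__main__":
    print("IPv4-only view:", legacy_sources(SAMPLE_LOG))
    print("Dual-stack view:", sorted(offenders(SAMPLE_LOG)))
```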
7 A SMALL CANADIAN ISP CONT.
3) Reverse DNS is a bind :)
- We migrated to PowerDNS to simplify IPv6 reverse delegation.
4) Have a plan for your netblock
- A /32 is a lot of space for a small ISP, unless you divide it badly.
- We split ours into a /36 per POP.
- Each business customer is sparse allocated a /48.
5) The final step is the enabling of IPv6 for our DSL and Fibre customers, as this has the most devices outside of our control.
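An added example (not the ISP's own tooling) of the plan on this slide: a /32 cut into /36 POP blocks, /48 customer prefixes handed out sparsely, and the ip6.arpa zone name each prefix needs for reverse delegation. The documentation prefix 2001:db8::/32, the bit-reversal ordering used for sparse allocation, and all function names are assumptions of this example.

```python
import ipaddress


def bit_reverse(n, width):
    """Reverse the low `width` bits of n (0, 1, 2, 3 -> 0, 0x800, 0x400, 0xc00)."""
    out = 0
    for _ in range(width):
        out = (out << 1) | (n & 1)
        n >>= 1
    return out


def pop_blocks(aggregate, pop_len=36):
    """Split the ISP aggregate into one block per POP."""
    return list(ipaddress.ip_network(aggregate).subnets(new_prefix=pop_len))


def sparse_customer(pop_block, n, cust_len=48):
    """n-th customer prefix in a POP, spread as far from its neighbours as
    possible so an early customer can later grow into adjacent space."""
    width = cust_len - pop_block.prefixlen
    if not 0 <= n < (1 << width):
        raise ValueError("POP block exhausted")
    index = bit_reverse(n, width)
    base = int(pop_block.network_address) + (index << (128 - cust_len))
    return ipaddress.ip_network((base, cust_len))


def reverse_zone(net):
    """ip6.arpa zone for a prefix that ends on a nibble boundary."""
    if net.prefixlen % 4:
        raise ValueError("prefix must end on a 4-bit boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


if __name__ == "__main__":
    pop = pop_blocks("2001:db8::/32")[1]
    print(pop, "->", reverse_zone(pop))
    for n in range(4):
        cust = sparse_customer(pop, n)
        print(n, cust, "->", reverse_zone(cust))
```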
8 A MEDIUM SIZED PROVIDER IN CALIFORNIA
- Dual stacking the backbone was easy.
- We started with peers early on (HE was a huge help since they provided full tables)
- Transit was harder to get and took time to get them to execute (6 months for all transit providers to get completed)
- Subnet size challenges for PTP (/127 v /126 v /64)
- Initially used /64s, switched to /126s after hearing about TTL bouncing attacks.
- Chose 126 over 127 to keep operation staff comfortable with ::1 ::2 (discarded the rest of the 64) (Didn't like the idea about :: (or ::0) as a valid address.)
- Over time converted back to 64s on all interfaces and 48s to customers via static.
9 A MEDIUM SIZED PROVIDER IN CALIFORNIA
- After dual stack was completed, added a few SLAAC subnets in lab environments and quickly added public facing services (NS, MAIL, WEB)
- Writing IPAM was a painful process e.g. get next approach different from IPv4
- Internal tools took some time to update and training sales and SEs to add fields in Salesforce for IPv6 allocation ($0 line item) was challenging to explain.
- Selling the story internally to all staff was like talking about the Y2K issue. People simply didn't believe we were really in need of making serious changes.
- Customer demand trickled in slowly over time and implementation staff received real world experience with turn-ups including customer BGP inet6, etc.
- Took an additional year to get supporting internal services dual stacked.
10 A MEDIUM SIZED PROVIDER IN CALIFORNIA
- Supporting systems were difficult
- Training ops on PTRs for ip6.arpa. / Delegation not easy.
- Were using IRRPT for customer filters, no support for v6
- Many hard coded references in code, logging analysis, abuse reporting, etc
- No monitoring tools available to properly externally monitor dual stack.
- Added additional probes per host with hard coded stack
- Still a work in progress with external monitoring orgs.
- Debating service.ipv4.domain.com & service.ipv6.domain.com
- Name Based virtual hosts with application testing extremely difficult.
- Internal monitoring was less of an issue, but still no decent discovery of v6 subnets and hosts within.
- Displaying stacks on visuals is still a challenge.
- Debugging which stack is being used not being relayed clearly to support.
11 A MEDIUM SIZED PROVIDER IN CALIFORNIA
- IPv6 not engrained in decision making
- Getting entire company to require proper support from vendors (not make the problem worse) is very hard to instill
- Not willing to put the relationship on the line for IPv6 support.
- Constant reminders to provisioning staff that dual stack must be the default assignment is getting better, but still not part of normal behavior
- Convincing sales to charge more money for IPv4 statics and give IPv6 without cost is difficult. They don't want to confront the "why we are charging more" with the customer(s).
- Eating your own dog food is not enough to get people to understand the underlying differences.
12 A MEDIUM SIZED PROVIDER IN CALIFORNIA
- Downstream Training: Educating prospects and existing customers is an uphill battle
- Sales staff does not want to risk potential revenue by injecting IPv6 into RFP requirements.
- The level of comfort with discussing downstream customers' IPv6 plan is low.
- There is a fear that the dialogue can interfere with margin or cause them to feel unhappy
- Additional fears / discomfort with potentially disclosing how much IPv4 space is in our own inventory (The customer may go somewhere with more inventory).
13 A MEDIUM SIZED PROVIDER IN CALIFORNIA
- Feature Parity
- Seemingly simple features in IPv4 are not supported with IPv6 on a great deal of hardware and software (or supporting software)
- Cisco HSRP (standby version 2)
- Stateful firewalls
- Load balancers
- IPS/IDS/Security analysis tools (and alerting)
- FlowAnalysis
- Log Parsing tools
- Filtering tools
- DNS management tools
- DHCPd (and helper addresses)
- Odd behaviors with v4 NAT + v6 Native (inconsistent security policies)
14 A MEDIUM SIZED PROVIDER IN CALIFORNIA
- Internal supporting staff
- Very limited number of operations and IT staff able to understand how to debug IPv6 and dual stack issues.
- Even fewer able to train others
- DevOps staff consider requests new features vs. bugs and have long timelines.
15 A MEDIUM SIZED PROVIDER IN CALIFORNIA
- Security
- Entirely different to secure
- Duplication of policies does not always work
- NAT is no longer the demarc and requires unique policy
- Some applications only bind to IPv4 and avoid the security application entirely
- Symantec Encryption Desktop / PGP issues
- Duplicating security policy challenges
16 A CLOUD SERVICE PROVIDER
- Orchestration platforms missing IPv6 support entirely.
- vcenter, vremote, etc, zero support for IPv6
- Defining vcell IP schema difficult, matching to existing 1918 plan
- Could not add management network without public facing first
- If a server has an IPv6 address, it will attempt to use the AAAAs of those returned.
- DNS policies utilizing split horizon need to change
- Mapping solutions for things such as OpenStack UUID (mgmt ssh broken)
- Most provisioning tools are home-grown dev-ops v4 only
- Missing ILMI support over v6 on a ton of gear
17 EYEBALL ACCESS
- All connected Ethernet type services were easy to dual stack (bridged)
- DSL and cable modems have mixed support and behavior
- Feature parity missing with 100% of vendors based on received feedback
- Missing firewall, mapping, MAC filtering, security features
- Allocation sizes to customers vary from a single /64 to a /48.
- Surprising majority only hand out a single /64
- Support for static v6 assignments missing from most eyeballs.
- Long DHCP leases were the norm
- Several waiting on CMTS support for IGP features.
18 BACKBONE TOPOLOGY
- Overwhelming majority:
- OSPFv3 on loopbacks and connected links
- ibgp injecting other connected interfaces and static routes
- ebgp aggregation of aggregates
- Most started with dual stacking the backbone, adding peers or transit and working their way in from edge to core
- Most added test systems and then some public facing services
- Most added operations staff for purposes of comfort
- Most then considered this a stopping point for a long time while working on internal education and approaching all other services and equipment over long periods of time.
19 CONCLUSIONS
- ISPs have had no trouble dual stacking their backbones
- Major public facing services were mostly easy to deploy
- There is still a great deal of work to do with hardware and software vendors
- Many vendors claim support which simply does not work
- Completely missing in all evaluated cloud orchestration products
- Getting to the next steps (default v6 for all customers, services, educated staff same as v4) is going to take a lot of time.
- Continuous work with hardware and software vendors
- IPv6 enabled / compatible frequently means broken implementations or some portion of IPv6 support
- Everyone I have spoken to was comfortable talking about their experiences and naming specific vendors with issues as long as they were anonymous.