IPv6 - A Quick Introduction

Transcription

1 IPv6 campus deployment experiences Tim Chown University of Southampton HEAnet 2010, Kilkenny 11 th November 2010

2 Topics A very quick what is IPv6 Why IPv6? Phased deployment Managing a dual- stack network Some service examples Lessons learnt The future

3 What is IPv6? The new version of the Internet Protocol Currently IPv4 is dominant IPv6 s key advantage is 128- bit address space IPv4 uses 32 bits (approx 4 billion unique IPs) Being IP, it sits beneath TCP/UDP and above link layers (e.g. Ethernet) just like IPv4 Hosts and routers can run IPv6 alongside IPv4 Known as dual- stack opera[on Possible due to updated APIs and link layer specs

4 IPv6 addresses Address space is IPv6 s key benefit Expressed in the following format: 2001:0630:00d0:0000:0020:e3ff:fe23:26d2 or 2001:630:d0::20:e3ff:fe23:26d2 Link- local, unique local (ULA) and global scopes Supports stateless (no DHCP) autoconfigura[on Default subnet size /64 Default site (campus) alloca[on /48 So a campus gets 65,000+ /64 subnets

5 Example 1 As seen under Mac OS X on the HEAnet WLAN here Note two IPv6 addresses autoconfigured with different scopes en1: flags=8863<up,broadcast,smart,running,simplex,multicast> mtu 1500 ether 60:33:4b:11:a7:53 inet6 fe80::6233:4bff:fe11:a753%en1 prefixlen 64 scopeid 0x7 inet netmask 0xffffff00 broadcast inet6 2001:770:a8::6233:4bff:fe11:a753 prefixlen 64 autoconf status: ac[ve

6 Example 2 Running netstat on Mac OS X, again on local HEAnet WLAN here Note both have subnet and default routes, and ::1 is the IPv6 localhost Internet:!!Destination Gateway Flags Refs Use Netif Expire!!default UGSc 20 0 en1!! UCS 0 0 lo0!! UH 2 21 lo0!! link#7 UCS 0 0 en1!! link#7 UC 3 0 en1!! UHS 0 0 lo0!!internet6:!!destination Expire! Gateway Flags Netif!default fe80::211:92ff:fe18:adc2%en1 UGS en1!!::1 ::1 UH lo0!!2001:770:a8::/64 link#7 UC en1!!2001:770:a8::6233:4bff:fe11:a753 60:33:4b:11:a7:53 UHL lo0!

7 Transparent to users Ideally, IPv6 will be transparent to users They just care about connec[vity But some[mes it isn t Visit hop:// here today If using IPv6 you ll see the turtle dancing

8 Why IPv6? Not due to immediate lack of address space Established UK universi[es have pre- CIDR IPv4 /16 s Rather because universi[es are places of learning Important to gain early insights into IPv6 impact Teach IPv6 to students who will be using it IPv6 capability for research projects Prove new technologies in a produc[on environment Aoract students from outside the UK Network security aspects manage the change IPv6 is in your network already

9 Phased approach With hindsight, we d suggest IPv6 deployment should be undertaken with a phased approach, broadly: Advance planning/prepara[on Trial/pilot service Produc[on (dual- stack) deployment Ongoing opera[on There s no reason not to begin planning now Gain early experience/insight Minimise addi[onal future (change) costs by including IPv6 requirements in current procurements

10 Dual- stack or IPv6- only? Dual- stack Con[nue to operate exis[ng IPv4 systems Hosts and routers support/run both protocols Can allow IPv6- only devices to operate internally Addi[onal complexity lies within the network IPv6- only Run only IPv6 internally Requires all systems to be able to run IPv6 without IPv4 Complexity lies at the edge in the NAT64 func[on Currently dual- stack is the most viable op[on A lot of work ongoing on NAT64- style opera[on

11 Preparing for IPv6 at your site Talk to ISP about connec[vity and address space JANET support dual- stack IPv6 on their core Some sites may require IPv6- in- IPv4 tunnels JANET allocated us 2001:630:d0::/48 Consider your IPv6 address plan Survey systems and services for capability Train your staff where necessary As a minimum enables specifica[on of IPv6 requirements in your procurements Build and operate a testbed Develop skills & confidence, iden[fy possible issues

12 Produc[on deployment Determine where to deploy first Specific subnets? WLAN? DMZ? Enable IPv6 on the wire in rou[ng infrastructure, host subnets and security components Firewalls, IDS, Enable IPv6 in network services DNS, monitoring tools, Enable appropriate applica[on services Might ini[ally only be web- based services Enable end- user client systems Turn on Router Adver[sements at the edges

13 What we found easy Geung IPv6 connec[vity and address space Thanks to prior work done by JANET General support in host/router plavorms Only Mac OS X lagging a bit behind Enabling core services DNS, MXes, web servers Por[ng our in- house sowware/tools to support IPv6 Easier when the sowware is well- wrioen Host (address) autoconfigura[on IPv6 wireless access control via eduroam Uses 802.1X authen[ca[on, independent of IP version

14 What s been harder Managing a dual- stack environment IP address accountability without DHCPv6 Support for DHCPv6 improving Admins comfortable with DHCP- based accountability Living with mul[- addressed hosts Including dynamic IPv6 Privacy addresses Support in some MS applica[ons/services Improved a lot with recent releases Some LAN security issues e.g. rogue RAs have been problema[c

15 Dual- stack cost Main opera[onal cost lies in managing a dual- stack infrastructure Need to manage and monitor both IPv4 and IPv6 Need consistency in applying configura[ons and policy Monitoring (e.g. Nagios) Firewalls especially if running a separate IPv6 firewall Integrated DHCPv4 and DHCPv6 Troubleshoo[ng Do not want to use different tools/interfaces to manage each protocol Some improvements to be made in commercial apps

16 Service examples Some examples in next few slides of service graphs and management/monitoring tools Shows open source solu[ons in opera[on IPv6 transport external web traffic IPv6 transport external s Switch/router configura[on monitoring Packet flow analysis Again, it s important to have these tools managed consistently via one administra[ve interface

17 IPv6 web traffic Very slow growth on external IPv6 web visits Adver[se web presence via IPv4 and IPv6 DNS records Less than 1% of IPv6 accesses are via 6to4

18 IPv6 We also adver[se our MXes with both IPv4 and IPv6 DNS records As per RFC 3974 Average 250,000 external IPv4 s per day 88% spam Average 500 external IPv6 s per day Currently less than 25% spam IPv6 transport is 0.2% of total Again, a very small frac[on

19 IPv6 traffic

20 Switch/router monitoring NAV Open source hop://metanav.unineo.no Dual- stack aware Mul[- addressed hosts

21 Integrated dual- stack monitoring NAV determines most network proper[es automa[cally e.g. dual- stack subnets on the same vlan

22 Network flows Desirable to collect network flow records Useful for many tasks Nevlow v9 includes IPv6 support Simple configura[on on our Cisco router(s) Need to also run a collector/viewer We use nfsen (hop://nfsen.sourceforge.net) Allows detailed flow queries, e.g. Summary of external port 53 DNS flows Views of individual external port 25 SMTP flows

23 IPv6 port 53 summary flows

24 IPv6 port 25 individual flows

25 Ongoing opera[on - new services? What can you do beyond deploying IPv6 just to be ready? IPv6 Mul[cast simpler, more agile Mobile IPv6 improved mobility support? Applica[ons from engaged users/students Google IPv6 is something big on the horizon? Community/ad- hoc networks New use cases e.g. sensor networks Seeing some interes[ng green shoots but no single killer app

26 Future work at Southampton S[ll some internal services lew to make dual- stack Integrate IPv4 and IPv6 firewall func[ons DHCPv6 deployment Unless we can improve autoconfigura[on accountability, perhaps by wider use of 802.1X Wider use of external services IPv6 transport to root DNS Google IPv6 Programme Further trials of IPv6- only devices Helps us to focus on viability of NAT64 solu[ons Plan for IPv6 deployment on wider campus network

27 Conclusions If you re not ac[vely planning for IPv6, begin now Checking capabili[es in procurements as a minimum Consider security implica[ons IPv6 is already in your network Dual stack IPv6 produc[on deployment is possible today Running here 5+ years without significant issues You don t have to dual- stack everything from the outset Look for tools that offer integrated IPv4/IPv6 management Even if that might mean changing the tools you use Don t forget training and awareness in your organisa[on Don t expect huge IPv6 traffic volumes (yet)

28 References 6NET ( Pan- European project) hop:// 6DEPLOY (IPv6 training and resources) hop:// JANET IPv6 Technical Guide (under revision) hop:// technical- guides/ipv6- tech- guide- for- web.pdf