infoblox jan ursi ipv6 overview

Upload: kristof-quintens

Post on 16-Jul-2015


IPv6: Migration and Beyond
Dec 2010

2010 Infoblox Inc. All Rights Reserved.


Agenda

- IPv6: What is it?
- Why migrate?
- Migration challenges
- Infoblox solutions

IP Device Explosion


IPv4 Address Space Utilization

[Figure: IPv4 address space chart; legend: Unavailable / Available / Allocated; as of 30 November 2010]

This despite increasingly intense conservation efforts:
- PPP / DHCP address sharing
- CIDR (classless inter-domain routing)
- NAT (network address translation)
- plus some address reclamation

Theoretical limit of 32-bit space: ~4 billion devices
Practical limit of 32-bit space: ~250 million devices (RFC 3194)

ARIN's Guidelines

Organization type: Recommendation

Broadband Providers: Your customers want access to the entire Internet, and this means IPv4 and IPv6 websites. Offering full access requires running IPv4/IPv6 transition services and is a significant engineering project. Multiple transition technologies are available, and each provider needs to make its own architectural decisions.

Internet Service Providers: Plan out how to connect businesses via IPv6-only and IPv4/IPv6 in addition to IPv4-only. Businesses are beginning to ask for IPv6 over their existing Internet connections and for their co-located servers. Communicate with your peers and vendors about IPv6, and confirm their timelines for production IPv6 services.

Content providers: Content must be reachable to newer Internet customers. Content served only via IPv4 will be accessed by IPv6 customers via transition solutions run by access providers. Plan on serving content via IPv6 in addition to IPv4 as soon as possible.

Enterprise: Mail, web, and application servers must be reachable via IPv6 in addition to IPv4. Open a dialogue with your Internet Service Provider about providing IPv6 services. Each organization must decide on timelines, and investment level will vary.

Government: Coordinate with industry to support and promote awareness and educational activities. Adopt regulatory and economic incentives to encourage IPv6 adoption. Require IPv6 compatibility in procurement procedures. Officially adopt IPv6 within your government agencies.

Equipment Manufacturers: Introduce IPv6 support into your product cycle as soon as possible.

About IPv4 and IPv6

                              IPv4                                IPv6
Deployed                      1981                                1999
Address Size                  32-bit number                       128-bit number
Address Format                Dotted decimal notation:            Hexadecimal notation:
                              192.0.2.76                          2001:0DB8:0234:AB00:0123:4567:8901:ABCD
Number of Addresses           2^32 = 4,294,967,296                2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
Examples of Prefix Notation   192.0.2.0/24, 10/8                  2001:0DB8:0234::/48, 2600:0000::/12
Security                      IPSec                               IPSec mandated, works end-to-end
Mobility                      Mobile IP                           Mobile IP with direct routing
Quality of Service            Differentiated/Integrated Service   Differentiated/Integrated Service
IP Multicast                  IGMP/PIM/Multicast BGP              MLD/PIM/Multicast BGP, Scope Identifier

IPv6 Benefits

- Expanded addressing capabilities
- Structured hierarchy to manage routing table growth
- Serverless auto-configuration and reconfiguration
- Streamlined header format and flow identification
- Improved support for options / extensions

IPv6 Adoption Drivers

- Address issues: exhaustion, M&A, business growth, geographic expansion
- Government mandates: US DoD, China NGI, EU
- IPv6-only devices: new wireless phones, carrier offerings
- Infrastructure: SmartGrid meters, DOCSIS 3.0, 4G/LTE

IPv4 & IPv6 - The Bottom Line

- We're running out of IPv4 address space. IPv6 deployment has begun. Regulations and need are driving migration.
- IPv6 is not backwards compatible with IPv4. We must maintain IPv4 and IPv6 simultaneously for many years.
- New IPv6-only devices and P2P applications will not work with IPv4-only infrastructure.
- IPv6 clients on the Internet may need to access your networks, e.g. email, websites, applications.
- Service provider IPv6 -> IPv4 translation will lose critical user information in your website logs.

IPv4-IPv6 Transition / Co-Existence

A wide range of techniques have been identified and implemented:
- Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
- Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
- Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices

Expect all of these to be used, in combination.

IPv4 -> IPv6 Transition Map

Make External Services IPv6 Capable
- Required to ensure IPv6-only devices can access website, email, apps etc.
- Preserves identity of users, since origin IP etc. is not lost in translation by the carrier
- Uses DNS AAAA records and IPv6 addresses

Dual Stack Internal Infrastructure and End Points
- Core and edge routers
- End point devices and hosts
- DHCPv6 and DNS AAAA

Create Temporary Islands for IPv4-Only Apps/Servers/Infrastructure
- Applications or infrastructure components that cannot support IPv6 dual stack should live in the island
- Use NAT64 and DNS64 to allow IPv6 devices to access these
- Slowly migrate components out to dual stack infrastructure

Migration Considerations

- Security policies need to be revised: security issues with IPv4 are well documented; IPv6 remains unexplored
- Application compatibility needs to be verified: not all of your existing applications are IPv6 compliant; upgrades may be required
- v6 compatibility in networking equipment often comes with performance risks: unlike IPv4, several IPv6 implementations are not yet optimized
- Backend tools are lacking: current management and troubleshooting tools and methods may not work
- Spam tools need to be reinvented: heavy reliance on DNS
- Testing v6 services for compatibility: few reference implementations to test against

IPv6 IP Assignment Techniques

- Manual: manually configured by an administrator
- Link Local: auto-assigned to itself by the device
- Stateless: devices configure an IP themselves based on information from the router
- Stateful: devices use DHCPv6 to receive an IP address and other configuration information

IPv6 Migration Challenges

- Dual infrastructure for the foreseeable future: IPv4 and IPv6 will coexist, requiring infrastructure support for both
- IPv6 expertise is scarce
- Existing management tools/scripts won't work
- IP address management with spreadsheets will not scale
- IP assignments/reclaiming will be difficult
- Subnet creation will require new methods
- DNS management will be error prone

Network configuration and DDI are fragile

- Manual change, one by one: repetitive tasks for expensive staff; hope for no fat fingers or bad copy and paste
- Custom scripts (e.g. Perl): one expert, hope they never leave; always adding more and more over time
- "We are the experts": assume it works, hope for the best; if it breaks, go fix it
- Rely on the change management process: no one ever makes an undocumented change; all changes occur within the window and process; assume all details are up to date and correct

IPv6 migration will expose these risks.

Network Automation: Key to a Successful Migration

- Automate network configuration and change: change management for IPv6-enabled devices
- IP address assignments and reclaiming: replace spreadsheet-based IP space management
- Subnet calculation and allocation: automated calculation and documentation
- DNS configuration: AAAA records are hard to manage manually; reverse DNS zones with IPv6
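The subnet and reverse-zone automation this slide calls for, as an added illustration (example code written for this page, not Infoblox code): carving /64s out of a /48, deriving the ip6.arpa zone for a nibble-aligned prefix, and emitting a matching AAAA/PTR pair. The 2001:db8:234::/48 block and the www.example.com host are constructed sample values.

```python
import ipaddress

def allocate_subnets(block, new_prefix, count):
    """Carve the first `count` subnets of length /new_prefix out of an IPv6
    block, the way an IPAM tool hands /64s to sites from an enterprise /48."""
    net = ipaddress.IPv6Network(block)
    if new_prefix <= net.prefixlen:
        raise ValueError("new prefix must be longer than the block's prefix")
    allocated = []
    for sub in net.subnets(new_prefix=new_prefix):
        if len(allocated) == count:
            break
        allocated.append(sub)
    return allocated

def reverse_zone(network):
    """Name of the ip6.arpa zone holding the PTR records of a prefix.
    Delegation in ip6.arpa happens per hex nibble, so the prefix length
    must be a multiple of 4; a /49 or /50 cannot get its own zone."""
    net = ipaddress.IPv6Network(network)
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} is not nibble-aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def host_records(name, address):
    """Forward AAAA record and the matching PTR record for one host, so the
    two cannot drift apart the way hand-typed entries do."""
    addr = ipaddress.IPv6Address(address)
    return (f"{name} AAAA {addr.compressed}",
            f"{addr.reverse_pointer}. PTR {name}")

if __name__ == "__main__":
    # Constructed sample: documentation prefix 2001:db8:234::/48 (hypothetical site)
    for sub in allocate_subnets("2001:db8:234::/48", 64, 3):
        print(sub, "->", reverse_zone(sub))
    print(*host_records("www.example.com.", "2001:db8:234:1::80"), sep="\n")
```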

Infoblox solutions enable IPv6 migration

DNS/DHCP/IPAM Automation
- DNS/DNSSEC configuration automation
- IP address management automation

IPv6-Enabled Network Configuration Automation
- Network change automation
- Configuration management
- Compliance, policy enforcement and auditing

Infoblox tools for IPv6 migration and management

IPv6 Capable External Presence
- DNS for IPv6
- Dual Stack DNS Appliance

Internal IPv6 Migration Planning
- Current Network Equipment Inventory (with OS version running)
- Current Network Topology and Connectivity
- Current Subnet Inventory

Internal IPv6
- IPv6 IP Address Allocation, Tracking and Reclaiming
- IPv6 Subnet Allocation and Tracking
- Dual Stack Devices Tracking (Smart Folders)
- Reduced Complexity of Dual Stack Environment and IP Address Explosion

IPv6 Network Infrastructure Management
- Automated Network Change and Configuration for IPv6
- Compliance, Policy Enforcement and Auditing

IPv6 Support in Infoblox Solution (DDI)

IPv6 Networking
- Members can have an IPv6 address (HA supported)
- Members will respond to DNS queries from/to IPv6 addresses
- Members will respond to zone transfers from/to IPv6 addresses

DNS
- AAAA records in the forward zone
- ip6.arpa reverse zone
- ACLs for IPv6 addresses and networks

IPv6 IPAM
- IPv6 subnets
- IPv6 address assignment
- Split/Join IPv6 networks
- Host objects with IPv6 IP address

IPv6 Support in Infoblox Solution (NCCM)

Automated network change and configuration management for IPv6
- Understand cause & effect
- Management view of health, policy and compliance
- Collect & analyze network infrastructure configurations
- Identify violations of best practice rules
- Identify security policy violations
- See the effect of change on health and policy
- Identify, verify and remediate issues proactively

Compliance, policy enforcement and auditing for IPv6
- Hundreds of packaged analysis rules
- Built-in remediation and compliance reports
- Proactive alerts for policy violations
- Live and historical status, trends and reports
- Wizard for encoding complex rule logic

BACKUP


DHCPv6 Operation

- Client sends messages to a link-local multicast address; server unicasts the response to the client
- Information-Request / Reply: provide client configuration information but no addresses
- Confirm / Reply: assist in determining whether the client moved
- Reconfigure: allows servers to initiate a client reconfiguration
- Basic client/server authentication capabilities in the base standard
- DHCP Unique Identifier (DUID) used to identify clients & servers
- Identity Association ID (IAID) used to identify a collection of addresses
- Relay Agents used when the server is not on-link; Relay Agents may be chained

DHCPv6 Basic Message Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    msg-type   |               transaction-id                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    .                            options                            .
    .                           (variable)                          .
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Message types: SOLICIT, ADVERTISE, REQUEST, CONFIRM, RENEW, REBIND, REPLY, RELEASE, DECLINE, RECONFIGURE, INFORMATION-REQUEST, RELAY-FORW, RELAY-REPL

DHCPv6 Option Format and Base Options

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          option-code          |           option-len          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    .                          option-data                          .
    .                      (option-len octets)                      .
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Base options: Client Identifier, Server Identifier, Identity Association for Non-temporary Addresses, Identity Association for Temporary Addresses, IA Address, Option Request, Preference, Elapsed Time, Relay Message, Server Unicast, Authentication, Status Code, Rapid Commit, User Class, Vendor Class, Vendor-specific Information, Interface-Id, Reconfigure Message, Reconfigure Accept
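An added parser for the header and option TLVs shown on these two slides (example code written for this page, not from the original deck). It checks every option-len against the packet before trusting it, since an option-len that points past the end of the message is what trips up a naive decoder. The SOLICIT packet is constructed, not captured; option codes 23 and 24 in the ORO are the RFC 3646 DNS options and are not part of the deck's list.

```python
import struct

# Message types and option codes the deck lists, with their RFC 3315 values;
# 23/24 (DNS servers, domain list) are RFC 3646 and only appear in the sample ORO.
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW",
             6: "REBIND", 7: "REPLY", 8: "RELEASE", 9: "DECLINE", 10: "RECONFIGURE",
             11: "INFORMATION-REQUEST", 12: "RELAY-FORW", 13: "RELAY-REPL"}
OPTIONS = {1: "CLIENTID", 2: "SERVERID", 3: "IA_NA", 4: "IA_TA", 5: "IAADDR",
           6: "ORO", 7: "PREFERENCE", 8: "ELAPSED_TIME", 9: "RELAY_MSG", 11: "AUTH",
           12: "UNICAST", 13: "STATUS_CODE", 14: "RAPID_COMMIT", 15: "USER_CLASS",
           16: "VENDOR_CLASS", 17: "VENDOR_OPTS", 18: "INTERFACE_ID",
           19: "RECONF_MSG", 20: "RECONF_ACCEPT", 23: "DNS_SERVERS", 24: "DOMAIN_LIST"}

def parse_dhcpv6(pkt):
    """Parse a client/server message: 1-byte msg-type, 3-byte transaction-id,
    then (option-code, option-len, option-data) TLVs until the packet ends.
    Every length is checked against the buffer before it is used."""
    if len(pkt) < 4:
        raise ValueError("packet shorter than the 4-byte DHCPv6 header")
    msg_type, xid = pkt[0], int.from_bytes(pkt[1:4], "big")
    options, off = [], 4
    while off < len(pkt):
        if off + 4 > len(pkt):
            raise ValueError(f"truncated option header at offset {off}")
        code, length = struct.unpack_from("!HH", pkt, off)
        data = pkt[off + 4: off + 4 + length]
        if len(data) != length:  # option-len claims more octets than the packet holds
            raise ValueError(f"option {code} declares {length} octets, {len(data)} present")
        options.append((OPTIONS.get(code, code), bytes(data)))
        off += 4 + length
    return MSG_TYPES.get(msg_type, msg_type), xid, options

def decode_oro(data):
    """Option Request payload: the list of 16-bit option codes the client wants."""
    if len(data) % 2:
        raise ValueError("ORO payload must be a whole number of 16-bit codes")
    return [OPTIONS.get(c, c) for c in struct.unpack(f"!{len(data) // 2}H", data)]

def is_well_formed(pkt):
    """True when the header and every option length are self-consistent."""
    try:
        parse_dhcpv6(pkt)
        return True
    except ValueError:
        return False

# Constructed sample SOLICIT (not captured traffic): transaction-id 0x0a1b2c,
# Client Identifier = DUID-LL (type 3, hw type 1, made-up MAC), ORO, Elapsed Time 0.
SAMPLE_SOLICIT = (bytes([1, 0x0A, 0x1B, 0x2C])
                  + struct.pack("!HH", 1, 10) + struct.pack("!HH", 3, 1) + bytes.fromhex("02b3c4d5e6f7")
                  + struct.pack("!HH", 6, 4) + struct.pack("!HH", 23, 24)
                  + struct.pack("!HH", 8, 2) + struct.pack("!H", 0))
```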

NAT64 Overview

[Figure: IPv6 client -> NAT64 router (with DNS64 translator) -> IPv4 server farm, across an IPv6 + IPv4 network]

- IPv6 prefix dedicated to mapped IPv4 addresses
- DNS64 used to convert A records to equivalent AAAA records
- NAT64 router uses the prefix to correctly route/attract IPv6 packets for routing to the IPv4 network

DNS64: How does it work?

[Figure: IPv6 client -> DNS64 translator / NAT64 router -> IPv4 server farm]

1. IPv6 client: AAAA query for mycompany.com
2. DNS64 translator: AAAA query for mycompany.com -> ERROR (no AAAA record)
3. DNS64 translator: A query for mycompany.com -> mycompany.com (A) = 192.168.0.55
4. DNS64 translation: mycompany.com (AAAA) = 64:ff9b::192.168.0.55

NAT64: How does it work?

[Figure: IPv6 client -> NAT64 router -> IPv4 server farm; DNS64 translator alongside]

1. IPv6 client -> NAT64 router: TCP SYN, S=C-v6, D=WKP-v6
2. NAT64 router: translate v6 to v4; pick a free IPv4 address and build a NAT session entry
3. NAT64 router -> IPv4 server: TCP SYN, S=NP-v4, D=S-v4
4. IPv4 server -> NAT64 router: TCP ACK (slide label: ACK=NP-v4 D=S-v4)
5. NAT64 router: translate v4 + port to v6
6. NAT64 router -> IPv6 client: TCP ACK, S=WKP-v6, D=C-v6

IPv6 Enablers in Infoblox Solution

Table columns: Feature | Infoblox | Notes

Feature
- JITC IPv6 Certification
- IPAM / Create IPv6 Networks
- IPAM / Split/Join IPv6 Networks
- IPAM / Auto-create ip6.arpa zones
- IPAM / Dual-stack hosts
- IPAM / Create IPv6 address based on MAC
- IPAM / IPv6 Network Utilization Bars
- IPv6 Network Interfaces
- DNS / AAAA records
- DNS / AAAA Shared Records
- DNS / IP6.ARPA Zone
- DNS / Mixed v4 and v6 ACLs
- Network Configuration and Change Management

Notes
- Key feature. Typing in ip6.arpa zones is prone to errors
- IP Address management for dual stack devices
- Services can be configured to work with IPv4, IPv6 or both
- Just like IPv6
- NetMRI NCCM solution has full support for IPv6