TRANSCRIPT
© 2012 Cisco and/or its affiliates. All rights reserved. 1
Cisco “Tech Session” IPv6 Design Considerations
Tim Martin
CCIE #2020
Solutions Architect
Spring 2015
• IPv6 General Design Considerations
• Campus Core, Distribution, Access
• Data Center
• Operations & Management
• Translation Techniques
• Internet Edge
• Summary

IPv6 drivers:
• IPv4 address depletion (2011)
• National IPv6 strategies, STEM mandate
• Infrastructure evolution: 4G, DOCSIS 3.0, CGN
• IPv6 OS, content & applications: preferred by applications in Windows 7, Server 2008 and OS X

• Create a project team, assign a PM
• Identify business value & impacts
• Assess equipment & applications for IPv6
• Begin training & develop a training plan
• Develop the architectural solution
• Obtain a prefix and build the address plan
• Define an exception process for legacy systems
• Update the security policy
• Deploy IPv6 trials in the network
• Test and monitor your deployment

[Diagram: enterprise campus hierarchy with Access, Distribution and Core layers; Data Center, WAN and Internet blocks attach to the Core]

Where do I start?
• Core-to-Access – gain experience with v6
• Turn up your servers – enable the experience
• Access-to-Core – securing and monitoring
• Internet Edge – business continuity
[Diagram: Servers, Branch Access, WAN, Campus Core, Access Layer, and the Internet Edge toward two ISPs]

[Diagram: IPv6/IPv4 dual-stack hosts in the Access Block tunnelled across the Access, Distribution and Core layers to dual-stack servers in the Data Center Aggregation and Access layers]
• Leverages existing IPv4 infrastructure
• Allows a "slower" roll into IPv6 deployment
• Poor scalability and overall performance, no Multicast support
• Tunneling everywhere "flattens" the network you have built

ISATAP IPv6 Service Block
[Diagram: a dedicated IPv6 service block attached to the Core Layer; the IPv4-only campus block (Access, Distribution, Core) reaches the Data Center block and the WAN/ISP block (server, Internet) through ISATAP tunnels]
• Provides tighter control of where IPv6 is deployed
• Allows for reduced time to deliver IPv6 services
• Cost of service block equipment and its reuse in the network
• Eventually hits scalability and overall performance limits, no Multicast support

[Diagram: IPv6/IPv4 dual-stack hosts in the Access Block and dual-stack servers in the Data Center Block, natively across the Access, Distribution, Core and Data Center Aggregation/Access layers]
Dual stack:
• Preferred method; versatile, scalable and highest performance
• No dependency on IPv4, runs in parallel on dedicated HW
• No tunneling, MTU, NAT or performance-degrading technologies
• Does require IPv6 support on all devices

Dual-stack link design:
• Should we use both on the same link at Layer 3?
• Separate links, possibly to collect protocol-specific statistics
• Routing protocols OSPFv3 and EIGRP: combined or separate?
• Fate sharing between the data and control planes per protocol
[Diagram: OSPFv3 and EIGRP over links carrying IPv4 & IPv6 toward the Internet; example pairs 2001:db8:1:1::/64 with 198.51.100.0/24 and 2001:db8:6:6::/64 with 192.168.4.0/24]

Link-local-only infrastructure links:
• Topology hiding: interfaces cannot be seen by off-link devices
• Reduces routing table prefix count, less configuration
• Need to use ULA or GUA for generating ICMPv6 messages
• What about DNS, traceroute, WAN connections, etc.?
• RFC 7404 – details pros and cons
[Diagram: WAN/MAN and Internet links addressed only from FE80::/64, with ULA/GUA on the end segments]

ULA addressing:
[Diagram: corporate backbone with ULA space FD9C:58ED:7D73::/48 alongside global 2001:DB8:CAFE::/48; Branch 2 uses FD9C:58ED:7D73:3000::/64 and 2001:DB8:CAFE:3000::/64; global 2001:DB8:CAFE::/48 toward the Internet]
• Automatic prefix generation (RFC 4193): non-sequential /48, avoids M&A challenges
• Need to use Global for troubleshooting beyond the internal network
• Caution with older OSs (RFC 3484) using ULA & IPv4
• Multiple policies to maintain (ACL, QoS, Routing, etc.)

Provider-independent vs. provider-assigned space:
• Today, NAT44 & RFC 1918
• All PA, or all PI and peering in multiple regions: PI from one region and run it everywhere? ISP in one region rejects the PI block from another? What about translation?
• IETF does NOT recommend the use of NAT66 with IPv6
• NAT ≠ Firewall – RFC 4864 (Local Network Protection)
• NAT ≠ Firewall – RFC 7021 (Impact of CGN on Applications)
[Diagram: Firewall+NAT at the Internet edge]

Prefix lengths:
• Anywhere a host exists: /64
• Point-to-point: /127. Should not use all 0s or all 1s in the host portion; note that nodes ::1 and ::2 are not in the same /127 (one /127 holds ::0 and ::1, the next holds ::2 and ::3)
• Loopback or anycast: /128
• RFC 7421 – /64 is here
• RFC 6164 – /127 on point-to-point links avoids ND cache exhaustion
[Diagram: Core /64 or /127, WAN point-to-point /127, Servers /64, Hosts /64, Loopback /128]

Address plan:
• Methods: follow IPv4 (/24 only), organizational, location or function based
• Hierarchy is key (a /48 example), a bit twiddler's dream (16-bit subnet strategy):
  4 or 8 bits = (16 or 256) regions (states, counties, agencies, etc.)
  4 or 8 more bits = (16 or 256) sub-levels within those regions
  4 more bits = (16) traffic types (Admin, Guest, Telephony, Video, etc.)
• Cisco IPv6 Addressing White Paper: www.cisco.com/go/ipv6
• Monotonic (1000, 2000, 3000, etc.) vs. sparse (0000, 4000, 8000, c000) allocation
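Two of the bullets above, automatic ULA prefix generation (RFC 4193) and the nibble-based hierarchy of a /48, as an added worked example in Python; it is not from the deck. The 4/4/4/4 split of the 16 subnet bits (region, sub-level, traffic type, sequence) and the sparse-allocation stride are choices made for this example, and the MAC address and timestamp fed to the ULA generator are constructed inputs.

```python
import hashlib
import ipaddress
import struct


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle, flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ntp64_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: seconds since 1900 (32 bits) plus a 32-bit fraction."""
    secs = int(unix_time) + 2208988800
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def generate_ula_48(mac: str, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low-order 40 bits of SHA-1(NTP time || EUI-64),
    placed after fc00::/7 with L=1, i.e. the result is an fd00::/8 prefix of length 48."""
    digest = hashlib.sha1(ntp64_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    global_id = digest[-5:]
    return ipaddress.IPv6Network((b"\xfd" + global_id + b"\x00" * 10, 48))


# Constructed layout of the 16 subnet bits of a /48, following the slide:
# region | sub-level within the region | traffic type | sequence, one nibble each.
FIELD_SHIFT = {"region": 12, "sublevel": 8, "traffic": 4, "seq": 0}


def plan_subnet(site48: str, region: int, sublevel: int, traffic: int, seq: int = 0) -> ipaddress.IPv6Network:
    """Carve one /64 out of a /48 from the four nibble values."""
    net = ipaddress.IPv6Network(site48)
    if net.prefixlen != 48:
        raise ValueError("the plan starts from a /48")
    fields = {"region": region, "sublevel": sublevel, "traffic": traffic, "seq": seq}
    if any(not 0 <= v <= 0xF for v in fields.values()):
        raise ValueError("each field is a single nibble (0-15)")
    subnet_id = sum(v << FIELD_SHIFT[k] for k, v in fields.items())
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))


def region_summary(site48: str, region: int) -> ipaddress.IPv6Network:
    """The /52 that summarises every subnet of one region (what the core would advertise)."""
    net = ipaddress.IPv6Network(site48)
    return ipaddress.IPv6Network((int(net.network_address) | (region << 76), 52))


def sparse_nibble(index: int, planned: int = 4) -> int:
    """Sparse allocation: spread `planned` regions across the 16 nibble values so each keeps
    room to grow; planned=4 gives 0, 4, 8, c rather than 1, 2, 3, 4."""
    if planned not in (1, 2, 4, 8, 16) or not 0 <= index < planned:
        raise ValueError("planned must be a power of two up to 16, index below it")
    return index * (16 // planned)


if __name__ == "__main__":
    ula = generate_ula_48("00:24:56:75:44:33", 1420070400.0)      # constructed MAC and time
    print("ULA /48:", ula)
    for r in range(4):
        print("region", r, "->", region_summary("2001:db8:cafe::/48", sparse_nibble(r)))
    print(plan_subnet("2001:db8:cafe::/48", region=3, sublevel=0, traffic=2, seq=1))
```

Regions are placed with `sparse_nibble` so a fourth state or agency can later grow into the adjacent unused values without renumbering, which is the point of the sparse column on the slide.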

First-hop redundancy for IPv6:
HSRP for IPv6
• Modification to NA, RA and ICMPv6 redirects
• Virtual MAC derived from the HSRP group # and virtual IPv6 LLA (HSRP Active / HSRP Standby)
Neighbor Unreachability Detection
• Rudimentary HA at the first hop that is slow to detect failures
• Hosts use "reachable time" (RA reach-time) to cycle to the next known default GW
GLBP for IPv6
• Default gateway is announced via RAs from the virtual MAC
• Active Virtual Gateway (AVG) assigns MACs, responds to NDP and directs hosts to an Active Virtual Forwarder (AVF)
VRRP for IPv6
• Active/Standby design or load balancing via VLANs
• Multi-vendor interoperability
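The derivation the HSRP for IPv6 bullet describes, as an added example in Python that is not from the deck. It assumes, from Cisco's documentation, that HSRP for IPv6 takes its virtual MAC from the block 0005.73A0.0000 to 0005.73A0.0FFF (one address per group number 0-4095) and derives the virtual link-local address from that MAC by modified EUI-64; the group numbers used are constructed.

```python
import ipaddress

# Assumed from Cisco documentation: virtual MAC block 0005.73A0.0000 - 0005.73A0.0FFF
HSRP_V6_MAC_BASE = 0x000573A00000


def hsrp_v6_virtual_mac(group: int) -> bytes:
    """One virtual MAC per HSRP for IPv6 group number (0-4095)."""
    if not 0 <= group <= 0xFFF:
        raise ValueError("HSRP for IPv6 group number must be 0-4095")
    return (HSRP_V6_MAC_BASE + group).to_bytes(6, "big")


def link_local_from_mac(mac: bytes) -> ipaddress.IPv6Address:
    """fe80::/64 plus the modified EUI-64 of the MAC (ff:fe inserted, U/L bit flipped)."""
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    iid[0] ^= 0x02
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(iid))


def cisco_mac(mac: bytes) -> str:
    """Dotted triplet notation as shown in IOS output."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_v6_group(group: int) -> dict:
    """Virtual MAC and virtual link-local address hosts will see as their default gateway."""
    mac = hsrp_v6_virtual_mac(group)
    return {"group": group, "virtual_mac": cisco_mac(mac), "virtual_lla": link_local_from_mac(mac)}


if __name__ == "__main__":
    for g in (1, 10, 4095):                 # constructed group numbers
        print(hsrp_v6_group(g))
```

Because hosts learn the gateway from RAs sourced by this link-local address, the NA/RA changes in the bullet above are what make the virtual address answer regardless of which router is Active.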

QoS syntax:
• IPv4 syntax has used "ip" following match/set statements, e.g. match ip dscp, set ip dscp
• New match criteria: match dscp, match precedence
• New set criteria: set dscp, set precedence
• Modified to support both IPv6 and IPv4

Link-local multicast service discovery on the LAN:
• FF02::FB – Multicast DNS – mDNS (Apple Bonjour, Chromecast)
• FF02::2:FF00:0/104 – Node Information Query (FreeBSD)
• FF02::C – Simple Service Discovery Protocol – SSDP, UPnP (Microsoft)
• FF02::1:3 – Link Local Multicast Name Resolution – LLMNR (file sharing enabled)
Personal computer operating systems: Windows, Mac OS X, Linux
Appliances & networking: printers, access points, switches, routers
AV equipment: speakers, cameras, displays, AV receivers

IPv4 first-hop security background:
• Catalyst Integrated Security Features (CISF)
• Dug Song – dsniff
• Port Security

IPv6 first-hop threats:
• ARP is replaced by the Neighbor Discovery Protocol: nothing is authenticated, and static entries are overwritten by dynamic ones
• Stateless Address Autoconfiguration: rogue RA (malicious or not)
• Attack tools are real! parasite6, fake_router6, alive6, Scapy6, …

IPv6 first-hop security features:
Core features
• IPv6 Snooping
• RA Guard – protection: rogue or malicious RA, MiM attacks
• DHCPv6 Guard – protection: invalid DHCP offers, DoS attacks, MiM attacks
Advanced features
• Source/Prefix Guard – protection: invalid source address, invalid prefix, source address spoofing
• Destination Guard – protection: DoS attacks, scanning, invalid destination address
Scalability & performance
• RA Throttler – reduces the control traffic necessary for proper link operations, to improve performance
• ND Multicast Suppress – facilitates scale by converting multicast traffic to unicast

Blocking rogue RAs on host ports, three ways:
• Port ACL
interface FastEthernet0/2
 ipv6 traffic-filter ACCESS_PORT in
!
ipv6 access-list ACCESS_PORT
 deny icmp any any router-advertisement
 permit ipv6 any any
• Feature based
interface FastEthernet0/2
 ipv6 nd raguard
• Policy based
ipv6 snooping policy HOST
 security-level guard
 device-role node
 limit address-count 2
!
interface GigabitEthernet1/0/2
 ipv6 snooping attach-policy HOST
[Diagram: RAs are accepted from the port with the ROUTER device-role and dropped on ports with the HOST device-role]

DHCPv6 Guard: prevent rogue DHCP responses from misleading the client
[Diagram: the DHCP client sends a DHCP request; the legitimate DHCP server answers, while a node on a host port claiming "I am a DHCP Server" is blocked]

Fragmentation extension header (type 44) and Neighbor Discovery:
[Diagram, two abuse cases. "Hidden ULP": fragment 1 is IPv6 NH=44 with fragment header NH=60 (Destination Options), offset 0, M=1, the option header padded past 1400 bytes; fragment 2 is IPv6 NH=44, NH=58, offset 176, M=0 and carries the ICMPv6 RA, so the first fragment never shows the upper-layer protocol. "Overlapping fragments": fragment 1 is NH=58, offset 0, M=1 and fragment 2 is NH=58, offset 1, M=0, so the two cover the same bytes. Fragment header fields: Next Header, Reserved, Fragment Offset, Reserved, M flag, Identification]
• RFC 6980 (Aug 2013): nodes must drop NDP messages that carry a fragment header. The same rule can be enforced in an IPv6 ACL (the list name is illustrative):
ipv6 access-list NO_FRAGMENTED_ND
 deny ipv6 fe80::/64 any fragments
 deny ipv6 any any undetermined-transport
 permit ipv6 any any
• RFC 5722: hosts must discard a datagram whose fragments overlap

IPv6 Snooping and the binding table:
• Deep control packet inspection
• Address glean (ND, DHCP, data)
• Address watch
• Binding guard
• Source Address Validation Improvement (SAVI) link-operation security feature
• Analyzes control or data traffic, detects the IP address and switch port
• Stores and updates a binding table to ensure rogue users cannot spoof
IPv6 Binding Table (RFC 6620), consumed by IPv6 Source Guard, IPv6 Destination Guard and Device Tracking:
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::000A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying

IPv6 Source Guard: mitigates address hijacking, ensures the proper prefix
[Diagram: a node impersonating Host A ("~Host A") on g1/0/21 is dropped because its source does not match the binding learned via NDP or DHCPv6 for the real Host A]
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::000A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
g1/0/21  ::0021  0021  200   Active

IPv6 Destination Guard:
• Mitigates prefix-scanning attacks and protects the ND cache
• Drops packets for destinations without a binding entry
[Diagram: pings to 2001:db8::1, ::2, ::3 and ::4 arrive; the switch looks each destination up in the binding table, forwards the packet (resolving 2001:db8::1 with an NS) when an entry is found, and drops it when none is found]
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::0001  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
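The binding table and the three guards described on the last slides, as an added toy model in Python; it is not from the deck and not a Cisco implementation. The full addresses, MAC addresses and per-VLAN prefixes are constructed, since the slides show only the low bits of each entry.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Binding:
    intf: str
    ipv6: ipaddress.IPv6Address
    mac: str
    vlan: int
    state: str                      # Active, Stale or Verifying, as in the slide's table


class BindingTable:
    """Toy model of the RFC 6620 / SAVI binding table that IPv6 snooping maintains and that
    Source Guard, Prefix Guard and Destination Guard consult."""

    def __init__(self):
        self.entries = {}           # (vlan, address) -> Binding
        self.prefixes = {}          # vlan -> prefixes gleaned from RAs / DHCPv6 on that VLAN

    def learn_prefix(self, vlan: int, prefix: str):
        self.prefixes.setdefault(vlan, set()).add(ipaddress.IPv6Network(prefix))

    def glean(self, intf: str, ipv6: str, mac: str, vlan: int, state: str = "Active") -> bool:
        """Create or refresh an entry from NS/NA, DHCPv6 or data traffic. Binding guard:
        an Active address already bound to another port or MAC is not moved."""
        addr = ipaddress.IPv6Address(ipv6)
        current = self.entries.get((vlan, addr))
        if current and current.state == "Active" and (current.intf, current.mac) != (intf, mac):
            return False
        self.entries[(vlan, addr)] = Binding(intf, addr, mac, vlan, state)
        return True

    def lookup(self, vlan: int, ipv6: str):
        return self.entries.get((vlan, ipaddress.IPv6Address(ipv6)))

    def prefix_guard(self, vlan: int, src: str) -> bool:
        """The source must lie in a prefix valid on this VLAN (link-local always is)."""
        addr = ipaddress.IPv6Address(src)
        return addr.is_link_local or any(addr in p for p in self.prefixes.get(vlan, ()))

    def source_guard(self, intf: str, vlan: int, src: str) -> bool:
        """Forward a data packet only if its source is bound to the port it arrived on."""
        if not self.prefix_guard(vlan, src):
            return False
        b = self.lookup(vlan, src)
        return b is not None and b.intf == intf

    def destination_guard(self, vlan: int, dst: str) -> bool:
        """Forward unicast only to addresses with a binding; an unknown destination is dropped
        instead of triggering an NS, so a prefix scan cannot exhaust the ND cache."""
        addr = ipaddress.IPv6Address(dst)
        return addr.is_multicast or (vlan, addr) in self.entries


def slide_table() -> BindingTable:
    """The slide's table with constructed full addresses and MACs."""
    t = BindingTable()
    t.learn_prefix(110, "2001:db8:0:110::/64")
    t.learn_prefix(200, "2001:db8:0:200::/64")
    t.glean("g1/0/10", "2001:db8:0:110::a", "001a.0000.000a", 110, "Active")
    t.glean("g1/0/11", "2001:db8:0:110::1c", "001c.0000.001c", 110, "Stale")
    t.glean("g1/0/16", "2001:db8:0:200::1e", "001e.0000.001e", 200, "Verifying")
    return t


if __name__ == "__main__":
    t = slide_table()
    print("host A from its own port:", t.source_guard("g1/0/10", 110, "2001:db8:0:110::a"))
    print("~Host A from g1/0/21:   ", t.source_guard("g1/0/21", 110, "2001:db8:0:110::a"))
    print("scan of ::4:            ", t.destination_guard(110, "2001:db8:0:110::4"))
```

The `glean` refusal is the binding-guard behaviour from the Source Guard slide: the impersonator on g1/0/21 cannot overwrite Host A's Active entry, whereas a Stale entry is allowed to move, which is how a host that really changed ports recovers.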

Wireless LAN controller IPv6 support:
• Management access – Telnet/SSH/HTTP/HTTPS
• Mobility – auto anchor, guest access, WebAuth
• Services – NTP, SNMP, Syslog, RADIUS, CDP, CAPWAPv6
• UDP Lite – speeds up checksum calculation using the pseudo-header
• WebAuth – captive portal for IPv6-only clients

Multicast over 802.11:
• Radio is a shared medium
• Hosts must "awaken" to see if the multicast is for them
• Only unicast frames are acknowledged and retransmitted
• The AP transmits bcast/mcast frames at the lowest possible rate to ensure reception
• Broadcast/multicast spend up to 10x more time in the air: IEEE 802.11a mcast 6 Mbps, ucast up to 54 Mbps; IEEE 802.11n mcast 15 Mbps, ucast up to 150 Mbps

Controller ND proxy and RA throttling:
• Scales around the 802.11 multicast reliability issues
• The NDP process is multicast "chatty" and consumes airtime
• The controller rate-limits the periodic RAs while allowing RS to flow
• Caching allows the controller to "proxy" the NA, based on gleaning
[Diagram: multicast NS for 2001:db8:0:20::2 (00:24:56:75:44:33) and 2001:db8:0:20::4 (00:24:56:11:93:28) are answered by the controller with unicast NAs from its cache; periodic RAs are throttled]

IPv6 routing basics:
• Enable IPv6 routing – "ipv6 unicast-routing"
• IPv6 next hop – link-local addresses
• Router ID – a unique 32-bit number that identifies the router; it happens to be written in dotted-decimal notation
• Addressing considerations – structure, hierarchy, summarization

• IGPs use link-local addresses
• Redistribution needs GUA or ULA
• Routing protocols may need "multi-hop"
• Static can be tragic: no auto update
ipv6 unicast-routing
!
! direct
ipv6 route 2001:db8:2::/48 ethernet 1/0
!
! recursive
ipv6 route 2001:db8:5::/48 2001:db8:4::1

EIGRP for IPv6:
ipv6 unicast-routing
!
interface loopback0
 ipv6 address 2001:db8:1000::1/128
 ipv6 eigrp 11
!
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 eigrp 11
!
ipv6 router eigrp 11
 passive-interface loopback0
 eigrp router-id 10.10.10.10
• EIGRP – IP protocol 88
• FE80::/64 source → FF02::A destination
• 2 new TLVs – internal-type & external-type
• No split horizon; auto summary disabled
• Stub reduces topology & queries
• EIGRP can perform better in large-scale hub-and-spoke environments

OSPFv3:
ipv6 unicast-routing
!
interface loopback0
 ipv6 address 2001:db8:1000::1/128
 ipv6 ospf 8 area 0
!
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 ospf 8 area 0
!
ipv6 router ospf 8
 router-id 10.10.10.10
 passive-interface loopback0
• OSPFv3 – IP protocol 89
• FE80::/64 source → FF02::5, FF02::6 (DRs) destination
• Link-LSA (8) – link-local scope, next hop
• Intra-Area-Prefix-LSA (9) – the routers' prefixes
• Inter-Area-Prefix-LSA (3) – between ABRs
• Can converge quickly to a point of scale; the initial database build and discovery take some time
• Link-state protocols perform better in full-mesh environments, if tuned correctly
• RFC 5838 (address families), RFC 7166 (authentication trailer)

LDP for IPv6 (changes to LDP):
• Adding TTL security (for both IPv4 and IPv6)
• Adding the ability to form an LDP session over IPv6, including peer discovery
• Modifying the Forwarding Equivalence Class to support both IPv4 and IPv6
• Modifying how the LDP Identifier is used; still 32 bit
• Link-local addresses will NOT get labels generated or passed
[Diagram: R1 with 2001:db8:cafe:1::/64, 2001:db8:babe:1::/64, 2001:db8:d00d:1::/64 and R4 with 2001:db8:cafe:4::/64, 2001:db8:babe:4::/64, 2001:db8:d00d:4::/64]

WAN and branch:
• Private circuit – business as usual, routing protocols
• Internet circuit – DMVPN for scalability and resiliency
• Local Internet "hop off" is multi-homing
[Diagram: Branch routers BR1-1 and BR1-2 behind ASA-1, BR1-LAN and BR1-LAN-SW, connected over the WAN to the Main Site head-ends HE1 and HE2, the Enterprise Campus and the Data Center; link addresses shown as ::1 through ::5]

Data center stages:
• IPv4-only data center – IPv6 translation on the front end
• Dual stack – both IPv4 & IPv6 into the data center
• IPv6-only data center – IPv4 translation on the front end
• What is the cost of each stage?

IPv4-only data center (legacy):
• Load balancer inline
• No translation in this design
• Services are firewalled
[Diagram: Internet → Firewall → Edge Router → Load Balancer → Switch → Web, Email, etc.; IPv4 throughout]

IPv4 data center with a dual-stack front end:
• Dual-stack front end
• Translation via NAT/Proxy/SLB
• Easy to turn up
• Hard to move forward
• False sense of accomplishment
[Diagram: Internet (IPv4/IPv6) → Firewall → Edge Router → NAT/Proxy/SLB → Load Balancer → Switch → Web, Email, etc. (IPv4)]

Dual-stack data center:
• IPv4 & IPv6 addressing on all devices
• Incremental operational cost (~20%)
• Double everything (ACLs, SLAs, etc.)
• Two data planes, two control planes
• Recommended approach
[Diagram: Internet (IPv4/IPv6) → Firewall → Edge Router → Load Balancer → Switch → Web, Email, etc.; IPv4/IPv6 throughout]

IPv6-only data center with a dual-stack front end:
• Dual-stack front end
• Translation via NAT/Proxy/SLB
• Forces developers to use IPv6
• Reduces operational costs
• Eliminates complexity within the DC
[Diagram: Internet (IPv4/IPv6) → NAT/Proxy/SLB → Load Balancer → Switch → Web, Email, etc. (IPv6)]

Operations & management:
• Managing security infrastructures: firewall, IDS, SIEM
• Tool visibility, insight and analysis of IPv6 traffic: NetFlow v9, IPv6 SLA
• A dual-stack interface may result in combined output, e.g. MRTG reporting combined v4 and v6 traffic statistics
• Requires support in instrumentation (MIBs, NetFlow records, etc.), NMS tools and systems; protocol-version-independent OID management, RFCs 4292 & 4293

DNS records for IPv4 and IPv6:
Hostname to IP address:
  IPv4, A record:              www.abc.test. A 192.168.30.1
  IPv6, AAAA record (Quad A):  www.abc.test. AAAA 2001:db8:C18:1::2
IP address to hostname:
  IPv4, PTR record:  1.30.168.192.in-addr.arpa. PTR www.abc.test.
  IPv6, PTR record:  2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.
• Add an IPv6 address to a host, create an AAAA record in the DNS zone
• Repeat for every name server, from sub-zones to the parent zone
• Glue records: add an entry in DNS for the IPv6 address of your name servers
• Inbound SMTP mail transfer agents (MTAs) require reverse lookup (PTR)
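Generating the records above from an address, the reverse zone a prefix delegates, and the forward-confirmed check an inbound MTA makes, as an added example in Python that is not from the deck. `SAMPLE_ZONE` is a constructed stand-in for DNS built from the slide's records, with one deliberately mismatched PTR added to show the check failing.

```python
import ipaddress


def reverse_name(address: str) -> str:
    """PTR owner name: dotted-reversed in-addr.arpa for IPv4, nibble-reversed ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")              # all 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix: str) -> str:
    """Apex of the reverse zone a prefix delegates; ip6.arpa cuts are on nibble boundaries."""
    net = ipaddress.ip_network(prefix)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("in-addr.arpa delegations are on octet boundaries")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations are on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def zone_records(hostname: str, addresses) -> list:
    """Forward (A/AAAA) and reverse (PTR) records for one host, as zone-file lines."""
    if not hostname.endswith("."):
        hostname += "."
    lines = []
    for a in addresses:
        addr = ipaddress.ip_address(a)
        lines.append(f"{hostname} IN {'A' if addr.version == 4 else 'AAAA'} {addr}")
        lines.append(f"{reverse_name(a)} IN PTR {hostname}")
    return lines


def forward_confirmed(address: str, lookup) -> bool:
    """The check an inbound MTA makes: the PTR for the address must name a host whose A/AAAA
    records contain that same address. lookup(name, rtype) -> list of strings."""
    addr = ipaddress.ip_address(address)
    rtype = "A" if addr.version == 4 else "AAAA"
    for name in lookup(reverse_name(address), "PTR"):
        if any(ipaddress.ip_address(x) == addr for x in lookup(name, rtype)):
            return True
    return False


# Constructed stand-in for DNS, built from the slide's records.
SAMPLE_ZONE = {
    ("www.abc.test.", "A"): ["192.168.30.1"],
    ("www.abc.test.", "AAAA"): ["2001:db8:c18:1::2"],
    (reverse_name("192.168.30.1"), "PTR"): ["www.abc.test."],
    (reverse_name("2001:db8:c18:1::2"), "PTR"): ["www.abc.test."],
    (reverse_name("2001:db8:c18:1::bad"), "PTR"): ["www.abc.test."],     # PTR without matching AAAA
}


def sample_lookup(name: str, rtype: str) -> list:
    return SAMPLE_ZONE.get((name, rtype), [])


if __name__ == "__main__":
    for line in zone_records("www.abc.test", ["192.168.30.1", "2001:db8:C18:1::2"]):
        print(line)
    print(reverse_zone("2001:db8:cafe::/48"))
    print(forward_confirmed("2001:db8:c18:1::2", sample_lookup), forward_confirmed("2001:db8:c18:1::bad", sample_lookup))
```

`reverse_name` agrees with `ipaddress.ip_address(x).reverse_pointer` apart from the trailing dot; it is spelled out here so the nibble reversal that produces the 32-label name on the slide is visible.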

Anycast for DNS/DHCP:
• Anycast address for client access to DHCP/DNS
• Uses the same address in multiple locations
• Simple, scalable and reliable solution
• Global Unicast Address (GUA) for service uptime
• The DNS server injects its /128 via OSPF
[Diagram: DDI1 through DDI4 each announce 2001:db8:aa::21 into OSPF with costs 10, 20 and 30 from the client's point of view; the client picks DNS1, the closest metric; a separate command & control GUA is used for management]

Inline OAM trip recorder (IPv6 Destination Options extension header):
• A trip recorder for your traffic, inline at rate performance; uses the Destination Options extension header
• Debug ECMP networks – trace the live traffic and detect the flaky link; stop probing the wrong path with "ping"
• Simplify operations – always-on app visibility
• Enhance applications – charge level for battery-operated devices (sensors) included in data traffic: no need to drain the battery for OAM
• Optimize planning – derive the IPv6 traffic matrix
• Enhance visibility – delay trend analysis
[Diagram: routers R1 to R6 recording path data on traffic in transit]

Test tools: IPv6 toolkit, HE.net, Netalyzr, LanDroid, Netstat

Translation options between an IPv6 Internet and IPv4 servers:
[Diagram: three options, each with an IPv6 side toward the IPv6 Internet and an IPv4 side toward the servers: Server Load Balancer (application support), Stateful NAT64 (client visibility; a software implementation means poor performance), Proxy]

Translation RFCs:
• Translation algorithms – RFC 6052 (implementation details)
• Framework for translation – RFC 6144 (implementation scenarios)
• Stateless NAT64 – RFC 6145 (IP/ICMP translation algorithm); maps the entire IPv4 Internet into an IPv6 prefix
• Stateful NAT64 – RFC 6146 (state table for IPv4/IPv6 translation); used mainly where IPv6-only clients access IPv4 servers
• DNS64 – RFC 6147 (IPv6 client to IPv4 server)
[Diagram: IPv4 header (Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address) translated to and from the IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address); scenarios shown: IPv6 Network to IPv4 Internet, IPv4 Network to IPv6 Internet, IPv6 Network to IPv4 Network and IPv4 Network to IPv6 Network]

DNS64 flow (IPv6 PC in 2001:db8:122:344::/64, DNS server 2001:db8:122:344::6 / 192.168.90.101, translator ::2 / .1 on 192.0.2.0/24, network-specific prefix 3001::/96):
Step 1 → the IPv6 PC queries the AAAA record for the v4 server
Step 2 ← DNS responds with an "empty" AAAA record
Step 3 → the translator (DNS64) sends an A record query for the v4 server
Step 4 ← the DNS server responds with the A record for the IPv4 server
Step 5 ← the translator synthesizes an AAAA record from it for the IPv6 PC

NAT64 flow (IPv6 host 2001:db8:122:344::6, translator ::2 / 192.0.2.1, IPv4 server 192.0.2.33, network-specific prefix 3001::/96; dynamic NAT64 outbound, static NAT46 inbound):
→ IPv6 host sends: source IPv6 2001:db8:122:344::6, destination IPv6 3001::c000:221
→ Translator sends: source IPv4 192.0.2.1, destination IPv4 192.0.2.33
← IPv4 server replies: source IPv4 192.0.2.33, destination IPv4 192.0.2.1
← Translator delivers: source IPv6 3001::c000:221, destination IPv6 2001:db8:122:344::6
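The address synthesis behind the DNS64 and NAT64 flows above, as an added example in Python that is not from the deck. It implements the RFC 6052 embedding for every allowed prefix length (the slide's 3001::/96 case and the /32 to /64 forms with the zero "u" octet), a DNS64 resolver over a constructed lookup table, and a minimal stateful session table using the slide's translator address 192.0.2.1; the pool, ports and zone contents are constructed.

```python
import ipaddress

EMBED_LENGTHS = (32, 40, 48, 56, 64, 96)          # prefix lengths RFC 6052 allows


def nat64_synthesize(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """RFC 6052 IPv4-embedded IPv6 address. Bits 64-71 (the 'u' octet) stay zero, so for
    prefixes shorter than /96 the four IPv4 bytes are split around it."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in EMBED_LENGTHS:
        raise ValueError(f"prefix length must be one of {EMBED_LENGTHS}")
    head = net.network_address.packed[: net.prefixlen // 8]
    v4 = ipaddress.IPv4Address(ipv4).packed
    if net.prefixlen == 96:
        body = v4
    else:
        before_u = (64 - net.prefixlen) // 8           # IPv4 bytes that fit before bit 64
        body = v4[:before_u] + b"\x00" + v4[before_u:]
    return ipaddress.IPv6Address((head + body).ljust(16, b"\x00"))


def nat64_extract(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Inverse mapping: recover the IPv4 address embedded under the prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("address is not inside the NAT64 prefix")
    raw = addr.packed
    if net.prefixlen == 96:
        return ipaddress.IPv4Address(raw[12:16])
    start, before_u = net.prefixlen // 8, (64 - net.prefixlen) // 8
    return ipaddress.IPv4Address(raw[start:start + before_u] + raw[9:9 + 4 - before_u])


def dns64_resolve(name: str, lookup, prefix: str) -> list:
    """DNS64 (RFC 6147): return real AAAA records when they exist, otherwise synthesize
    them from the A records. lookup(name, rtype) -> list of strings stands in for DNS."""
    aaaa = lookup(name, "AAAA")
    if aaaa:
        return [ipaddress.IPv6Address(a) for a in aaaa]
    return [nat64_synthesize(prefix, a) for a in lookup(name, "A")]


class StatefulNat64:
    """Minimal RFC 6146-style translator: each outbound (IPv6 source, port) is given a port on
    the single IPv4 pool address; inbound packets are accepted only for an existing session."""

    def __init__(self, prefix: str, pool_v4: str, first_port: int = 1024):
        self.prefix = prefix
        self.pool_v4 = ipaddress.IPv4Address(pool_v4)
        self.sessions = {}                           # (src6, sport) -> assigned IPv4 port
        self.next_port = first_port

    def outbound(self, src6: str, sport: int, dst6: str):
        """IPv6 -> IPv4: returns (translated source, translated port, IPv4 destination)."""
        key = (ipaddress.IPv6Address(src6), sport)
        if key not in self.sessions:
            self.sessions[key] = self.next_port
            self.next_port += 1
        return self.pool_v4, self.sessions[key], nat64_extract(self.prefix, dst6)

    def inbound(self, dport: int, src4: str):
        """IPv4 -> IPv6: returns (synthesized IPv6 source, IPv6 destination, port) or None."""
        for (src6, sport), port in self.sessions.items():
            if port == dport:
                return nat64_synthesize(self.prefix, src4), src6, sport
        return None                                  # no session: unsolicited inbound is dropped


# Constructed zone: the slide's IPv4-only server plus one dual-stack name.
SAMPLE_ZONE = {
    ("v4server.example.test", "A"): ["192.0.2.33"],
    ("dual.example.test", "A"): ["192.0.2.44"],
    ("dual.example.test", "AAAA"): ["2001:db8:122:344::44"],
}


def sample_lookup(name: str, rtype: str) -> list:
    return SAMPLE_ZONE.get((name, rtype), [])


if __name__ == "__main__":
    print(dns64_resolve("v4server.example.test", sample_lookup, "3001::/96"))
    nat = StatefulNat64("3001::/96", "192.0.2.1")
    print(nat.outbound("2001:db8:122:344::6", 40000, "3001::c000:221"))
    print(nat.inbound(1024, "192.0.2.33"), nat.inbound(5555, "192.0.2.33"))
```

The `inbound` miss is the property the "client visibility" option on the earlier slide trades away: with stateful NAT64 the IPv4 side can only reach an IPv6 client that already opened a session.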

SLB64 translation technique (Citrix NetScaler, F5):
• Virtual IP (VIP), SNAT pool
• Publish the appropriate AAAA record
• IPv6 to IPv4, similar to NAT64
• Translation & SLB are done on the same platform
• OS/app dictate the design parameters
• Rapid time to deploy
[Diagram: ISP-A and ISP-B (dual stack) → server load balancer → WWW servers and UCS servers (IPv4 only)]

Client address logging behind SLB64:
• Web server logging for geo-location, analytics, security, etc.
• The source IP of client requests will be logged as the SNAT or other NAT'd address
• The packet may go through multiple proxies: X-Forwarded-For: client, proxy1, proxy2
GET / HTTP/1.1
Host: www.foo.org
User-Agent: Mozilla Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml
Accept-Language: en-us,en
Keep-Alive: 300
X-Forwarded-For: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5
Connection: keep-alive
[Diagram: client global IPv6 address → translation → source NAT pool → WWW servers]
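Recovering the client address from X-Forwarded-For at the web server, as an added example in Python that is not from the deck. The trusted proxy ranges (the SNAT pool and a front-end tier) are constructed, and the sample request is built from the capture on the slide; the header is client-controlled, so the function only believes entries placed there by hops it trusts.

```python
import ipaddress

# Constructed: the load balancer's SNAT pool and the front-end proxy tier, i.e. the only hops
# whose X-Forwarded-For entries may be believed.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8:ea5e:ffff::/64")]


def parse_request_head(raw: str):
    """Split a raw HTTP/1.1 request head into the request line and a header map
    (lower-cased names, list of values in order; repeated headers keep every value)."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def is_trusted(addr, trusted) -> bool:
    return any(addr in net for net in trusted)


def client_address(peer_ip: str, headers: dict, trusted=TRUSTED_PROXIES):
    """Walk the X-Forwarded-For chain from the right, past every trusted proxy; the first
    address that is not one of ours is the client. An untrusted peer is logged as the client
    itself (its header is worthless), and a malformed entry raises rather than being logged."""
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer, trusted):
        return peer
    chain = [v.strip() for value in headers.get("x-forwarded-for", []) for v in value.split(",") if v.strip()]
    for hop in reversed(chain):
        addr = ipaddress.ip_address(hop)             # ValueError on garbage: do not log it
        if not is_trusted(addr, trusted):
            return addr
    return peer                                      # every hop was ours: no client address known


# Constructed request following the capture on the slide.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.foo.org\r\n"
    "User-Agent: Mozilla Firefox/3.0.3\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml\r\n"
    "Accept-Language: en-us,en\r\n"
    "Keep-Alive: 300\r\n"
    "X-Forwarded-For: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5\r\n"
    "Connection: keep-alive\r\n\r\n"
)


def log_line(peer_ip: str, raw_request: str) -> str:
    """What the web server should write: the real client, then the SNAT peer it arrived from."""
    request_line, headers = parse_request_head(raw_request)
    return f'{client_address(peer_ip, headers)} via {peer_ip} "{request_line}"'


if __name__ == "__main__":
    print(log_line("192.0.2.10", SAMPLE_REQUEST))          # 192.0.2.10: constructed SNAT pool member
```

Walking from the right is what defeats a client that prepends a fake entry: the rightmost untrusted address was appended by a proxy we control, so it is the address that actually connected to that proxy.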

Internet edge connectivity models:
• Single link, single ISP – the enterprise takes a default route from ISP 1
• Dual links, single ISP – the enterprise connects to ISP 1 at POP1 and POP2
• Multi-homed, multi-prefix – the enterprise runs BGP to ISP 1, ISP2, ISP3 and ISP4 across regions (USA, Europe)

Questions for your ISP (ISP-A, ISP-B):
• Do you support dual-stack peering?
• Do you have a separate SLA for IPv6?
• Do you support BGP peering over IPv6?
• Do you have a FULL IPv6 route table?
• What is the maximum prefix length?
• What about DNS…
Hosted cloud service:
• Maximum prefix length offered by the cloud provider?
• Access to the provisioning and billing portal over IPv6?
• Global IPv6 addressing for VMs in your environment?

BGP peering with the ISP:
• Peer over IPv6 for IPv6 prefixes
• Solve for ingress & egress separately
• MD5 shared secrets; IPsec could be used
• Controlling TTL: accept only TTL > 254, i.e. 255 from a directly connected peer (ttl-security hops 1)
• Prefix size filtering, /32 – /48
router bgp 200
 bgp router-id 4.6.4.6
 no bgp default ipv4-unicast
 neighbor 2001:db8:cafe:102::2 remote-as 2014
 neighbor 2001:db8:cafe:102::2 ttl-security hops 1
 neighbor 2001:db8:cafe:102::2 password cisco4646
 !
 address-family ipv6 unicast
  neighbor 2001:db8:cafe:102::2 activate
[Diagram: enterprise edge routers peering with ISP A and ISP B toward the Internet]

Common Deployment Scenarios (multiple locations, PI prefix)
• Avoid over-tuning BGP: longest match, highest local-pref, shortest AS-path. Peer with IPv6, "no bgp default ipv4-unicast"
• Split your allocation: /44 = (2) /45s; AS-path prepend to prefer one ISP over the other
• An iBGP link between the edge routers is required to avoid a black hole: GRE, L3 VPN, MAN/WAN
• Dynamic routing protocol or HSRP at the FW when more than one edge router is used
• eBGP multi-hop to the Core through the FW; increase metrics so that the DCI link is not preferred
[Diagram: enterprise AS 64498 running EIGRP 10 internally (subnets X, Y, Z at one site and A, B, C at the other), peering with ISP A (AS 65535) and ISP B (AS 65534) toward the Internet]

Prefix translation (swap the left-most bits) for multi-homing:
• Small to medium enterprise
• Swaps the left-most bits of the address – equal-length prefixes
• Modification of the RFC 6724 API, or RFC 7078 – site-scoped ULA connecting to GUA
• No protocol "fixups", unless ALGs are supported
• "IETF does not recommend the use of Network Address Translation technology for IPv6"
• Consider reading RFC 7157, No NAT Multi-homing
[Diagram: internal ULA FD07:18:403e::/48 translated to 2001:db8:11::/48 toward ISP-A and to 2001:db8:55::/48 toward ISP-B]

LISP for multi-homing:
• Small to medium enterprise
• Tunneling the PA IPv6 over LISP – provider-allocated /48, hosted by the PxTR provider
• Avoids multi-prefix PA issues
• Possibly an ISP that is IPv4 only
• SHIM6, HIP, ILNP etc. – OS mods, code changes
[Diagram: client 172.16.99.100 / 2001:db8:ea5e:1::/64 behind xTRs addressed from 192.168.1.x/30 and 2001:db8:cafe:103::/64, reaching the dual-stack Internet through MR/MS and PxTR nodes; enterprise prefix 2001:db8:cafe::/48]

Internet edge filtering:
• Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt
• Anti-spoofing (RFC 2827, BCP 38), multi-homed filtering (RFC 3704, BCP 84)
• uRPF – Unicast Reverse Path Forwarding
[Diagram: Enterprise, B2B and Internet edges]
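Prefix-length and bogon filtering for prefixes learned from a peer (the /32 to /48 rule on the BGP slide together with the bogon bullet above) and a uRPF source check, as an added example in Python that is not from the deck. The bogon list is a constructed subset, not the cymru feed, and the RIB and prefixes are constructed.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Constructed subset of what a bogon feed such as the cymru list contains; a deployment refreshes
# the list from the feed instead of hard-coding it.
BOGONS = [ipaddress.IPv6Network(p) for p in (
    "::/8", "100::/64", "2001:db8::/32", "2001:10::/28", "3ffe::/16",
    "fc00::/7", "fe80::/10", "fec0::/10", "ff00::/8",
)]


def accept_announcement(prefix: str, min_len: int = 32, max_len: int = 48, our_prefixes=()):
    """Filter for prefixes received from an ISP peer. Returns (accept, reason)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if not net.subnet_of(GLOBAL_UNICAST):
        return False, "not global unicast"
    if any(net.subnet_of(b) for b in BOGONS):
        return False, "bogon"
    if not min_len <= net.prefixlen <= max_len:
        return False, f"prefix length {net.prefixlen} outside /{min_len}-/{max_len}"
    if any(net.overlaps(ipaddress.IPv6Network(o)) for o in our_prefixes):
        return False, "overlaps our own allocation"      # our PI space must not be learned from a peer
    return True, "ok"


def urpf_passes(src: str, ingress: str, rib: dict, strict: bool = True, allow_default: bool = False) -> bool:
    """BCP 38/84 source check. rib maps prefix -> egress interface; the longest match wins.
    Strict mode needs the route back to the source to point at the ingress interface, loose
    mode needs any route; a default route only counts when allow_default is set."""
    addr = ipaddress.IPv6Address(src)
    best = None
    for p, intf in rib.items():
        net = ipaddress.IPv6Network(p)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    if best is None or (best[0].prefixlen == 0 and not allow_default):
        return False
    return best[1] == ingress if strict else True


# Constructed RIB: default toward the ISP, one customer /48 with a more specific /56 elsewhere.
SAMPLE_RIB = {"::/0": "Gi0/0", "2001:db8:cafe::/48": "Gi0/1", "2001:db8:cafe:200::/56": "Gi0/2"}

if __name__ == "__main__":
    for p in ("2001:db9::/32", "2001:db9:1::/49", "2001:db8::/32", "fd00::/48"):   # constructed
        print(p, accept_announcement(p))
    print(urpf_passes("2001:db8:cafe:1::5", "Gi0/2", SAMPLE_RIB), urpf_passes("2001:db8:cafe:1::5", "Gi0/2", SAMPLE_RIB, strict=False))
```

Strict mode is the right fit on the single-homed customer and B2B edges in the diagram; on the ISP-facing links of a multi-homed site, where return traffic may legitimately leave by the other ISP, loose mode is the BCP 84 compromise.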

Edge ACL considerations:
• Address range – source of 2000::/3 at minimum vs. "any"; permit assigned space
• ICMPv6 – error types through, NDP to the device, RFC 4890
• Extension headers – allow fragmentation, others as needed; block HBH & RH type 0
• IPv6 ACLs – "ipv6 traffic-filter" applies an ACL to an interface
! EDGE_IN is an illustrative list name
ipv6 access-list EDGE_IN
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any log

Summary:
• Gain operational experience now
• Security enforcement is possible
• Control IPv6 traffic as you would IPv4
• "Poke" your providers
• IPv6 is here now; are you?