IPV6 @KU LEUVEN
Who ?
• Network Engineer @KU Leuven
  – Responsible for DNS/DHCP/VPN/firewall/IPv6 infrastructure
• KU Leuven
  – 40.000 students
  – 10.000 staff
  – Campus Kortrijk (KULAK)
  – Started deployment January 2011
Why IPv6 ?
– Asked by our ‘customers’
  • Computer science department
  • Students
– Keep on top of ‘new’ technologies
– Connecting institutions of higher education in one big intranet (Association KU Leuven)
  • Clashes within RFC1918 space (10.x/192.168.x)
– Visibility for future IPv6-only visitors (students from Asia)
What / How IPv6 enabled ?
• Infrastructure
  – Backbone
  – Firewall
  – ISATAP
• Services
  – Websites
  – DNS
  – Mail
What – Infra – Backbone
• Backbone drawing
What / How – Infra – Backbone (2)
• Backbone ring
  – IPv6 loopback address
  – EIGRP v6 as routing protocol
  – Link-local addresses used in routing VLANs.
• Connected the computer science department
• Don’t forget ACLs on vty (ipv6 access-class)
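A check for the vty point above, as an added example (not from the original slides): a small Python audit that flags `line vty` stanzas in an IOS-style configuration that have no `ipv6 access-class`, or that reference an IPv6 ACL that is not defined. The sample configuration, the ACL names (MGMT-V4, MGMT-V6) and the function name are constructed for illustration.

```python
import re

# Constructed sample running-config (addresses from documentation ranges).
SAMPLE_CONFIG = """\
ipv6 unicast-routing
ip access-list standard MGMT-V4
 permit 192.0.2.0 0.0.0.255
ipv6 access-list MGMT-V6
 permit ipv6 2001:DB8:10::/64 any
 deny ipv6 any any log
line vty 0 4
 access-class MGMT-V4 in
 ipv6 access-class MGMT-V6 in
 transport input ssh
line vty 5 15
 access-class MGMT-V4 in
 transport input ssh
"""

def audit_vty_ipv6(config):
    """Return one finding per vty stanza whose IPv6 management access is unfiltered."""
    defined_v6_acls = set(re.findall(r"^ipv6 access-list (\S+)", config, re.M))
    stanzas = {}      # "line vty 0 4" -> list of its sub-commands
    current = None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None    # any other top-level command ends the stanza
    findings = []
    for name, body in stanzas.items():
        v6 = [m.group(1) for cmd in body
              if (m := re.fullmatch(r"ipv6 access-class (\S+) in", cmd))]
        if not v6:
            findings.append(f"{name}: no 'ipv6 access-class ... in'")
        elif v6[0] not in defined_v6_acls:
            findings.append(f"{name}: IPv6 ACL '{v6[0]}' is not defined")
    return findings

if __name__ == "__main__":
    for finding in audit_vty_ipv6(SAMPLE_CONFIG):
        print(finding)
```

In the sample, `line vty 5 15` carries only the IPv4 `access-class`, which is the omission the slide warns about.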
What / How – Infra - Firewall
• Host firewalls (network team servers only) and network firewalls are IPv6 enabled, with the same global filtering policy as IPv4
• Implement firewalling before rolling out rest of infrastructure/services
What / How – Infra - ISATAP
• Used for kotnet (students on Telenet (no L2 access)) and VPN connections (network team)
• Tunnels IPv6 traffic in IPv4
• ISATAP works out-of-the-box on Windows 7
• Firewalled! Must be explicitly enabled by the student!
• Scapy can be used to send your own RA to start the ISATAP tunnel (ISATAP only sends an RS once on startup)
What / How – Infra - ISATAP (2)
• Peak of 400 simultaneous ISATAP users
• Traffic slowly rising but very marginal
What / How – Infra – Staff
• Proper training for every member of the network team
What / How – Services - Websites
• Used our loadbalancers to terminate IPv6 at the frontend and speak IPv4 at the backend.
  – Simple setup
  – Transparent
• EVERY website on loadbalancer is also available on IPv6
• Usage
  – IPv4 = 99.5%
  – IPv6 = 0.5%
• Get rich IPv6 quick, minimum risk involved
What / How – Services - Dns
• DNS servers (dualstack)
  – authoritative / slave
  – recursive servers
  – IPv6 reverse (ip6.arpa)
• Usage
  – IPv4 = 99%
  – IPv6 = 1%
• Also allow requests from an IPv6 source address (e.g. necessary for IPv6-only nameservers).
What / How - Services – Mail
• Outgoing/incoming mailservers dualstack (postfix)
• Spam blacklists for IPv6 do not really exist yet? (no spamhaus/dnsblacklist)
• smtp_mx_address_limit (of 5) increased (postfix)
• MX records now use 2 addresses

             Incoming   Outgoing
IPv4 usage   99%        98.6%
IPv6 usage   1%         1.4%
Issues
• Security, security and security
  – DHCPv6 snooping/ND snooping/RA guard
  – Latent IPv6 support in Windows 7 (on IPv4 only network) / Windows 7 DoS
  – If you don’t have the latest switches you’re out of luck: only solution = protected ports (disallow any L2 traffic to peers)
• No IPv6 connection tracking in RHEL 5.x
• Various vendor issues
  – E.g. no DHCPv6 Relay Source on specific IOS and no ntpv6 server support
  – Unclear roadmap for Juniper VPN IPv6 support
  – Microsoft Lync 2010 has no IPv6 support!
Future
• Applying for LIR? (current deployment on hold)
• KU Leuven Association
• Renumbering address plan
• Services in near future
  – DHCPv6 servers
  – NTP servers
  – NFS
  – Wifi (hurrah for latest 7.2 release from Cisco)!
• First hop security support and finally native IPv6
• Get other teams involved!
Q&A