kinber ipv6-education-healthcare

Upload: network-utility-force

Post on 13-Dec-2014

Page 1: Kinber ipv6-education-healthcare

© 2013 Utilities Telecom Council

IPv6: What Higher Education Needs to Know, Now

Brandon Ross

Chief Network Architect and CEO

Network Utility Force

Page 2: Kinber ipv6-education-healthcare

KINBER 2013 Member Meeting

IPv6 Support Required for All IP-Capable Nodes – RFC 6540

Given the global lack of available IPv4 space, and limitations in IPv4 extension and transition technologies, this document advises that IPv6 support is no longer considered optional. It also cautions that there are places in existing IETF documents where the term "IP" is used in a way that could be misunderstood by implementers as the term "IP" becomes a generic that can mean IPv4 + IPv6, IPv6-only, or IPv4-only, depending on context and application.

Page 3: Kinber ipv6-education-healthcare

RFC 6540

• Are you aware of this requirement?
• Are your nodes IPv6 capable?

Page 4: Kinber ipv6-education-healthcare

Background

• IPv4 depletion is already occurring
• IPv6 adoption is accelerating
• Most network hardware supports IPv6
• For the most part, dual stack Just Works

Figure: IPv4 Free Pool Depletion (http://www.potaroo.net/tools/ipv4/)

Figure: IPv6 Routing Table Growth (http://bgp.potaroo.net/v6/as2.0/)

Page 5: Kinber ipv6-education-healthcare

US Feds Lesson Learned

The US federal government had a mandate for all public facing web services to support IPv6 by September 30, 2012. 287 of 1494 sites had IPv6 web support by the deadline.

Today 958 of 1351 sites support IPv6. That’s over 70%. Not 100%, but far ahead of most other large organizations.

Source: http://usgv6-deploymon.antd.nist.gov//

Page 6: Kinber ipv6-education-healthcare

But Can We Afford to Deploy IPv6?

• Well, what are the costs?
  – See Lee Howard’s talks on IPv6 deployment costs (and costs of NOT deploying IPv6) (http://www.youtube.com/watch?v=vXf8ZIew1j0)
  – A good estimate for the cost of renumbering existing devices to free up IPv4 space is $2.50/device
  – Sale of an IPv4 address is likely to bring in $10-15 per address for the next year or two
  – After ARIN free space run-out, each IPv4 address is likely to bring in twice that, $20-30, and up

Page 7: Kinber ipv6-education-healthcare

Paying for IPv6 Deployment

• Many educational institutions have large address allocations
  – Some math for an example institution that has a /16 (historically called a “Class B”)
  – /16 = 65,384 addresses
  – Let’s assume that by renumbering ¼ of that address space, ½ of it will be freed
    • ¼ of 65,384 is 16,346
    • ½ of 65,384 is 32,692
    • It costs $2.50 to renumber 16,346 devices. 2.50*16346=$40,865
    • At sale, addresses fetch $20 each. 20*32,692=$5,081,730.
    • Net proceeds: $5,081,730-$40,865=$5,040,865!!!

Page 8: Kinber ipv6-education-healthcare

What next?

“Okay, my organization is convinced it’s time to begin IPv6 deployment, what do I need to consider?”

Page 9: Kinber ipv6-education-healthcare

Consider the Fundamentals of Best Practice

The fundamentals haven’t changed a bit for IPv6. Consider:

• Security
• Maintainability
• Scalability
• Performance
• Flexibility

Page 10: Kinber ipv6-education-healthcare

Apply the Fundamentals

What areas need the most attention?

• Addressing plan
• Interconnectivity
• Bootstrapping/AAA
• Security issues
• Staff training
• Transition

Page 11: Kinber ipv6-education-healthcare

IPv6 Address Space is VAST

“IPv6 uses a 128-bit address, allowing 2¹²⁸, or approximately 3.4×10³⁸ addresses, or more than 7.9×10²⁸ times as many as IPv4, which uses 32-bit addresses.” (Wikipedia)

That’s 340 Undecillion!

Undecillion is a number with 36 zeros.

We must change our thinking about how to allocate address space to meet our best practice goals.

Page 12: Kinber ipv6-education-healthcare

State of Assignments

• All of the registries, for the most part, assign initial blocks for
  – Service provider: /32
  – Enterprise: /48

Page 13: Kinber ipv6-education-healthcare

What makes up a good addressing plan?

• Depends on the type of network, the size of the network, and the problem to be solved
• Points to consider
  – Documentation
  – Ease of troubleshooting
  – Aggregation
  – Standards compliance
  – Growth
  – SLAAC
  – Existing IPv4 addressing plan
  – Human factors
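
One way to turn several of these points into a plan, as an added example that is not part of the original presentation: an enterprise /48 is split into one /52 aggregate per site and one /64 per VLAN (the size SLAAC expects), with the VLAN's decimal digits reused as hex digits so the fourth hextet reads "site, VLAN". The documentation prefix 2001:db8:1234::/48, the site names and the digit convention are assumptions.

```python
import ipaddress

def build_plan(assignment: str, sites: dict) -> dict:
    """Map {site_id: (name, [vlan ids])} onto a /48 enterprise assignment.

    Fourth hextet layout (assumed convention): S VVV, where S is the site id
    and VVV are the VLAN's decimal digits written as hex digits.
    """
    net = ipaddress.IPv6Network(assignment)
    if net.prefixlen != 48:
        raise ValueError("expected a /48 enterprise assignment")
    base = int(net.network_address)
    plan = {}
    for site_id, (name, vlans) in sites.items():
        if not 0 <= site_id <= 9:
            raise ValueError("site id must be a single decimal digit")
        # One /52 per site: a single aggregate to route, filter and document.
        aggregate = ipaddress.IPv6Network((base + (site_id << 76), 52))
        subnets = {}
        for vlan in vlans:
            if not 1 <= vlan <= 999:
                raise ValueError(f"VLAN {vlan} needs more than three decimal digits")
            subnet_id = int(str(vlan), 16)   # VLAN 120 -> 0x120, readable in the address
            subnets[vlan] = ipaddress.IPv6Network(
                (int(aggregate.network_address) + (subnet_id << 64), 64))
        plan[name] = {"aggregate": aggregate, "subnets": subnets}
    return plan

# Constructed sample input: two sites, explicit ids so adding a site never renumbers another.
SAMPLE_SITES = {1: ("main-campus", [10, 120]), 2: ("medical-center", [10])}
PLAN = build_plan("2001:db8:1234::/48", SAMPLE_SITES)

if __name__ == "__main__":
    for name, entry in PLAN.items():
        print(name, entry["aggregate"])
        for vlan, subnet in entry["subnets"].items():
            print(f"  VLAN {vlan}: {subnet}")
```

The convention leaves most of each /52 unused, which the size of the address space makes affordable in exchange for addresses a person can read during troubleshooting.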

Page 14: Kinber ipv6-education-healthcare

Interconnectivity

• Routing protocols have been updated, but the fundamental concepts remain the same
  – Run routing protocols such that they fail when the underlying transport fails
    • That means separate v4 and v6 protocols
  – For ease of management, configure IPv4 and IPv6 connectivity to follow the same paths
  – Also use the same routing policies whenever possible
• Ask your Internet traffic peers, suppliers, partners and clients to begin transporting IPv6 traffic

Page 15: Kinber ipv6-education-healthcare

Security Issues

• Use the same diligence you used for IPv4
• Ask equipment vendors to support specific protections in IPv6
  – RA-Guard – prevents an attacker from sending rogue RAs (Router Advertisements) into the network and becoming a man-in-the-middle
  – DHCP-Shield – similar to RA-Guard in that it blocks fake DHCP servers from giving out false information
• Ensure equipment supports all IPv4 features you use in IPv6 as well, such as ACLs, anti-spoof filtering (RPF), etc. Why should v6 be any different in these areas?
• Where firewalls are needed, ensure your choice of firewall supports v6 as well as v4.
• NAT is NOT a security feature and v6 doesn’t have it
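
The per-port decision RA-Guard makes, as an added example (not code from the presentation or from any vendor): a packet arriving on a port that is not designated router-facing is dropped when it carries an ICMPv6 Router Advertisement (type 134). The port names, the constructed sample packets and the choice to fail closed on unparseable packets are assumptions.

```python
import ipaddress
import struct

ICMPV6, ROUTER_ADVERT, FRAGMENT = 58, 134, 44
VARIABLE_EXT = {0, 43, 60}  # hop-by-hop, routing, destination options

def icmpv6_type(packet: bytes):
    """Return the ICMPv6 type carried by a raw IPv6 packet, or None if there is none."""
    if not packet or packet[0] >> 4 != 6:
        return None                                   # not IPv6
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    next_hdr, offset = packet[6], 40
    # The ICMPv6 header may sit behind extension headers, so follow Next Header.
    while next_hdr in VARIABLE_EXT or next_hdr == FRAGMENT:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header chain")
        if next_hdr == FRAGMENT:
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return None                           # later fragment, no upper-layer header
            length = 8
        else:
            length = (packet[offset + 1] + 1) * 8
        next_hdr, offset = packet[offset], offset + length
    if next_hdr != ICMPV6:
        return None
    if offset >= len(packet):
        raise ValueError("truncated ICMPv6 header")
    return packet[offset]

def ra_guard(packet: bytes, ingress_port: str, router_ports: set) -> str:
    """Return 'forward' or 'drop' for a packet received on ingress_port."""
    if ingress_port in router_ports:
        return "forward"                              # routers may advertise
    try:
        return "drop" if icmpv6_type(packet) == ROUTER_ADVERT else "forward"
    except ValueError:
        return "drop"                                 # unparseable on a host port: fail closed

def sample_packet(icmp_type: int, dest_opts: bool = False) -> bytes:
    """Constructed packet fe80::1 -> ff02::1 for exercising the filter (never sent)."""
    body = bytes([icmp_type, 0, 0, 0]) + bytes(12)    # checksum is not validated here
    first = ICMPV6
    if dest_opts:                                     # 8-byte Destination Options header (PadN)
        body, first = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + body, 60
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in ("fe80::1", "ff02::1"))
    return struct.pack("!IHBB", 6 << 28, len(body), first, 255) + addrs + body

ROUTER_PORTS = {"uplink-1"}                           # hypothetical port names
```

When evaluating vendor equipment, the same cases make a useful acceptance test: an RA on a host port, an RA on the router port, and ordinary neighbor discovery that must still pass.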

Page 16: Kinber ipv6-education-healthcare

Staff Training

• Find an experienced organization to provide training
• Education and research institutions require a different level of scalability and maintainability than enterprise; use a trainer that understands education’s unique challenges
• Build a lab, get a tunnel to experiment with IPv6

Page 17: Kinber ipv6-education-healthcare

How to get there from here

• IPv6 transition technologies have been designed by standards organizations to make a transition to an IPv6 world easier

• They all involve compromises in performance or functionality (or both) because inherently IPv4-only devices CAN NOT speak to IPv6-only devices without help

• These technologies bridge between those worlds, or allow one to operate on top of the other

Page 18: Kinber ipv6-education-healthcare

Transition

• 3 types of transition technologies
  – Dual Stack
    • Hopefully will be the most common
    • Simply means running both v4 and v6 at the same time
  – Tunneling
    • Putting either IPv4 packets inside IPv6 packets or vice versa, depending on the situation
    • Can be useful to solve problems in certain areas, but in general, tunneling hurts performance and should be avoided when possible
    • Examples: 6rd, 6in4, 4in6, DS-Lite, MAP
  – Translation
    • Converting an IPv4 packet into an IPv6 packet or vice versa
    • As with tunneling, can be useful in certain circumstances, especially for rapid deployment of IPv6 on public facing services such as web servers
    • Example: NAT64

Page 19: Kinber ipv6-education-healthcare

Case Study - InteropNet

• InteropNet is the network that supports the Interop trade show, known as one of the largest portable, rapid deployment networks in the world

• The network supports hundreds of exhibitor booths and tens of thousands of attendees at the show

• Native IPv6 has been consistently supported everywhere in the network for the last 3 years (and supported in a less ubiquitous manner for over 15 years)

• Users inside the InteropNet used IPv6 to reach www.interop.com without knowing it

• 4 GB delivered over IPv6

• 13 GB delivered over IPv4

Page 20: Kinber ipv6-education-healthcare

Case Study – City of Douglasville, GA

• One of the first free metro Wi-Fi projects to support native IPv6

• Covers 60 acres in Douglasville, a suburb of Atlanta, including parks and a downtown pedestrian area

Page 21: Kinber ipv6-education-healthcare

Conclusions

• IPv6 works in the real world
• There are challenges to implementing IPv6, but nothing show-stopping
• Much of the Internet’s content is reachable over IPv6 (and growing fast) including all of Google, Facebook and 3000 other sites
• A much smaller percentage of Internet users have IPv6 connectivity (though this may change quickly with IPv4 depletion)

Page 22: Kinber ipv6-education-healthcare

Questions?

Brandon Ross – [email protected] - +1-404-635-6667
