Managing IPv6 Deployments


Upload: cisco-service-provider

Post on 12-May-2015


Category:

Technology



DESCRIPTION

IPv6 is rapidly becoming an important network technology to service providers, government agencies and enterprises. Deployment of IPv6 requires new management strategies, practices and tools to enable deployment and effective operation. Because most deployments of IPv6 will be in dual-stack networks that use IPv4 and IPv6 in parallel, the IPv4 management infrastructure will be extended for IPv6 for integrated IPv4-IPv6 operation. It will be crucial for IPv6 deployments to be carefully planned and managed to ensure successful implementation and avoid significant increases in management overhead. This article provides some background information on IPv6 deployment and management strategies.

TRANSCRIPT

Page 1: Managing IPv6 Deployments

by Jeffrey Wheeler and Ralph Droms

Abstract

IPv6 is rapidly becoming an important network technology to service providers, government agencies and enterprises. Deployment of IPv6 requires new management strategies, practices and tools to enable deployment and effective operation. Because most deployments of IPv6 will be in dual-stack networks that use IPv4 and IPv6 in parallel, the IPv4 management infrastructure will be extended for IPv6 for integrated IPv4-IPv6 operation. It will be crucial for IPv6 deployments to be carefully planned and managed to ensure successful implementation and avoid significant increases in management overhead. This article provides some background information on IPv6 deployment and management strategies.

Introduction

Fulfilling many of the technical prophecies of the Internet’s near-past, IPv6 has reached a high degree of importance and credibility and has reached the forefront of many discussions regarding NGN Architectures. The main driver behind the focus on IPv6 is the acknowledged impending exhaustion of the IPv4 address space. The consumption of IPv4 address space has been accelerated by the rapid expansion of IP into mobile devices, NGN Enterprise and Service Provider infrastructures providing 3Play and 4Play services, as well as the rapid growth of virtualization. Service providers are also looking at IPv6 as a way of restoring end-to-end Internet service. At the same time, the DoD 2008 mandate for IPv6 readiness, along with similar mandates from other countries and international organizations, has stimulated development of IPv6 deployment solutions.

Although network devices have had IPv6 since the late 1990s, the focus on Network Management for IPv6 has only recently been a ‘hot topic.’ The management of IPv6 deployments is not as simple an effort as extending existing IPv4 management solutions to accommodate a longer IPv6 address space. IPv6 is not just a single new protocol but an entirely new technical solution with many protocols and services being introduced.

Hence the management of IPv6 is not about managing a new network ‘feature’ or ‘functionality’ but about managing a fundamentally new IP paradigm truly supporting end-to-end services with full mobility and other advanced features. Eventually the focus will then be on network management tools becoming ‘IP agnostic’ which will introduce abstraction layers new to applications and developers of IP management solutions.

IPv6 Network Management Strategy

Regardless of the size or purpose of the deployment of an IPv6 network, there will be a workload increase on all staff from the architects to the administrators. Most initial deployments will be dual-stack based, in which IPv6 is deployed in parallel with an existing IPv4 network. Those dual-stack networks may, in fact, require more than twice as much effort to manage as an IPv4 network, because the IPv6 network will essentially be a parallel network that interacts with the IPv4 network. The challenge in network management of these dual-stack networks is to reduce the cost of operation as close as possible to the cost of running an IPv4 network.

The introduction of IPv6 into an existing IPv4 infrastructure creates new complexities for network management such as:

• Managing the actual transition process itself. The standards bodies have yet to facilitate a standardized approach for the deploying and managing of IPv6 infrastructures which has led in part to several vendor specific proprietary solutions and BCPs.

• Requirements for additional institutional knowledge in support staff

• Managing nodes’ transitions from IPv4 to IPv6 entities

• Management and design strategies for the new addressing structure, hierarchy and attendant policies

• The introduction of additional DHCP and DNS services for IPv6 and the management of those

• Managing the coexistence of the IPv4 and IPv6 security infrastructures

• Tool visibility, insight and analysis into utilization specific to IPv6 traffic and utilization that is a part of the whole IPv4/IPv6 traffic load and performance stats.

Creating a High Level IPv6 Management Strategy

To address the complexities introduced by the deployment of IPv6, a high level IPv6 management strategy should be developed before beginning an IPv6 deployment. The first step in that strategy is the development of subject matter expertise in IPv6 and IPv6 management in network operations staff. While IPv6 operates much like IPv4 and provides similar services, the details are different, and operations staff will need to learn those details to deploy and operate IPv6. An IPv6 management strategy will focus on appropriate standards for architecture and designs incorporating current RFCs and Drafts. Vendors can contribute to a strategy through sharing experience and BCPs, and by providing management tools that offer:

• Handling the 128-bit IPv6 addresses with multiple formats and expressions and allow for multiple datatypes in databases.

CISCO PUBLIC

• Facilitate management of the expanded address scoping and hierarchy introduced by IPv6

• The ability to manage multiple addresses on each interface / sub-interface including a mix of IPv4 and IPv6 addresses

• Manage and provide for auto configuration

• Manage the dual-stack deployments fully

Managing the Transition

Every network will have a transition period during which IPv6 is deployed and tested before the IPv6 service is considered to be fully operational. Management of this transition includes the architecture of the IPv6 service, which may combine full IPv6 service to parts of the network with IPv6 transport over IPv4 where full IPv6 service is not required, accommodation of legacy devices and services that may not be upgradeable to IPv6 and integration of IPv6 capabilities into legacy management tools for management of the actual IPv6 deployment for the duration of the transition period.

There are a number of tacit assumptions that can be considered reality for most IPv6 transition management strategies and transition architectures:

• Many, if not all, of the transition management tools and processes will undergo evolutionary change as the IPv6 infrastructures are moved from conception to maturity.

• IPv6 management will support multiple (and evolutionary as well) transition mechanisms for IPv6 like DSTM, SSTM, NAT-PT…

• Most of the efforts involved in managing the IPv6 transition process and period will be new to the management lifecycle established for IPv4 networks.

• Separate data repositories specific to the transition period will need to be created and managed.

The transition management will need to take into account the 3 most likely phases that will be found in all Transition Strategies:

1. Management of the Dual-Stack environments

2. Management of the integrated use of tunneling solutions, which by default then presents the IPv6 infrastructure as an overlay to the initial IPv4 transport; and

3. The management of translators which will no doubt be deployed in the final phases of the transition period.

Developing and Integrating an IPv6 Event Management Strategy

It is assumed that the initial rollouts of IPv6 management will focus largely on events as any additional processes and methodologies for management of IPv6, the harmonized IPv4/IPv6 environment and the transition aspects are developed. Following are a number of key recommendations applicable to any new IPv6 hybrid deployment:

• Determine and document what IPv6 events are key and critical to initial rollouts

• Identify sources for all of the IPv6 events determined and categorize against available tools. For example:

o Are there available tools to manage these events?

o Are there standard MIBs or proprietary MIBs for these events?

o Is RMON supported for these events?

• Map the IPv6 events and the flow of events to the identified tools. IPv6 presents new scenarios for events as in most cases IPv6 will initially be run in a dual-stack environment and as an overlay on the existing IPv4 transport infrastructure.

o Key is to separate the IPv4 events from the IPv6 events

IP NGN ARCHITECTURE THOUGHT LEADERSHIP JOURNAL - Q1 FY2010

• Perform a gap analysis and identify any new IPv6 events that will need additional tools not yet identified.

• Integrate the initial toolsets and results into a common reporting solution.

• Create a Correlation solution to transfer the intelligence from the IPv4 event data to the IPv6 environment and the reciprocal. This will be a key aspect of the overall strategy and will be required if the intent is to reduce the TCO and mitigate admin’s time.

• Consider the entire process as iterative.

Refine the IPv6 Event Management Strategy as each ‘lessons learned’ phase is passed. The refinement of the IPv6 Event Management Strategy will go through several large-scale changes as the infrastructure moves from a dual-stack through to the final IPv6 primary and native environment. The Event management strategy must not be viewed as a closed canon but as an evolving and living strategy. Initially the strategy will have a total and exclusive IPv6 focus but must migrate to being IP agnostic. Focusing initially on the goal of being IP agnostic will present a scope (and scope creep) that is so large that the effort will not likely find completion.
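The Python sketch below is an added example, not code from the article or from Cisco. It illustrates two recommendations made above: handling the multiple textual forms of a 128-bit IPv6 address, and separating IPv4 events from IPv6 events while correlating both to the same dual-stack device. The log layout, device names and addresses (taken from the documentation ranges) are constructed, and counting IPv4-mapped addresses as IPv4 events is an assumption of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed inventory of dual-stack devices (hypothetical names; addresses
# come from the documentation ranges 192.0.2.0/24 and 2001:db8::/32).
INVENTORY = {
    "edge-rtr-1": ["192.0.2.10", "2001:db8:0:1::10"],
    "core-sw-2": ["192.0.2.20", "2001:db8:0:2::20"],
}

# Constructed syslog-style firewall lines; the src= field layout is assumed.
SAMPLE_LOG = """\
Jan 12 10:00:01 fw1 DENY src=192.0.2.10 proto=tcp dport=22
Jan 12 10:00:02 fw1 DENY src=2001:DB8:0000:0001:0000:0000:0000:0010 proto=tcp dport=22
Jan 12 10:00:03 fw1 DENY src=2001:db8:0:1::10 proto=icmpv6 type=128
Jan 12 10:00:04 fw1 DENY src=::ffff:192.0.2.20 proto=tcp dport=443
Jan 12 10:00:05 fw1 DENY src=2001:db8:0:9::99 proto=udp dport=53
Jan 12 10:00:06 fw1 DENY src=not-an-address proto=tcp dport=80
"""

SRC_FIELD = re.compile(r"\bsrc=(\S+)")


def canonical(text):
    """Return (family, canonical_string), or None if text is not an IP address."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    # Assumption: an IPv4-mapped address (::ffff:a.b.c.d) denotes an IPv4 peer
    # seen through a dual-stack socket, so it is counted as an IPv4 event.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.version, addr.compressed


def correlate(log_text, inventory):
    """Split events by address family and count them per inventoried device."""
    index = {canonical(a)[1]: dev for dev, addrs in inventory.items() for a in addrs}
    per_family = {4: [], 6: []}
    per_device = defaultdict(lambda: {4: 0, 6: 0})
    rejected = []  # lines with no parsable source address, kept for review
    for line in log_text.splitlines():
        match = SRC_FIELD.search(line)
        parsed = canonical(match.group(1)) if match else None
        if parsed is None:
            rejected.append(line)
            continue
        family, addr = parsed
        per_family[family].append(addr)
        per_device[index.get(addr, "unknown")][family] += 1
    return per_family, dict(per_device), rejected


if __name__ == "__main__":
    families, devices, bad = correlate(SAMPLE_LOG, INVENTORY)
    print(families, devices, len(bad), sep="\n")
```

The two spellings of 2001:db8:0:1::10 collapse to one key, so edge-rtr-1 is reported with one IPv4 and two IPv6 events under a single device, while the uninventoried IPv6 source is counted under "unknown".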

IPv6 Management Issues and Concerns

Within an overall IPv6 management strategy there are key areas of technical detail that should be included in any initial IPv6 management strategy and resulting task list. The areas listed below provide high-level identification of efforts that could each launch a separate article in and of themselves but for the sake of brevity we’ll address them here in abbreviated form:

• Renumbering impact on ACL policies and Reflexive ACL support strategy. Since IPv6 addresses do not follow the convention or model of IPv4 addresses, any management application or reporting tool will require rewrites to the code base.

• Distributed IPv6 management integration: Given the relative immaturity of the management designs and solutions, the initial IPv6 management solutions will no doubt be centralized and operated from a ‘command and control’ paradigm. Focus should be placed on the need to move quickly to a distributed environment, with that new IPv6 distributed management solution integrated with other legacy solutions. This rapid migration from a centralized to a distributed management strategy should be well documented and build upon the lessons learned early in the centralized deployment. Since the IPv6 management strategy will include the initial dual-stack deployments, and these dual-stack deployments will eventually give way to native IPv6, the management strategy implementation must keep in lockstep with the actual IPv6 rollouts in network designs. Coordination is critical.

• Security Management considerations for both IPv4 and IPv6 because of IPv6

o Firewall updates for IPv6 security strategy and reporting must be planned for and should address and incorporate impacts to both IPv4 and IPv6. This of course assumes that the network architects and designers are working closely with the IPv6 security folk. Serious consideration must be given initially to hardware and network designs that could exacerbate an already fragile and exposed IPv4 network infrastructure. Without a well-reasoned design the IPv4 infrastructure could be impacted and put at risk by any IPv6 attack or penetration.

o Security exposure of IPv4 due to the complexity and additional code required to support IPv6. This exposure is not just limited to operational equipment but includes those management platforms and solutions that are being introduced to support IPv6 in dual-stack deployments.

o The introduction of new avenues for security risks due largely to the inexperience with IPv6 of network admin and design staff.

o Tools and processes that identify reconnaissance attacks by blocking information to the attacker at any and all IPv4/IPv6 points.

o Enhanced policy management and AAA management for IPv6 limiting the exploitation due to unauthorized access

o Mitigate IPv6 routing information and IPv6 routing protocol attacks and spoofing. Ensure that IPv6 routing information is given the same security and management considerations as IPv4 even though IPv6 traffic is moved initially over an IPv4 transport. Do not assume that since the transport most likely will be IPv4 that the transport will not be a viable target.

o Since IPv6 offers a radically new and more complex header architecture the IPv6 management strategy must identify header manipulation attacks at the least.

o Smurf attacks will always be a concern regardless of IPv4 and / or IPv6.

o Coincident with IPv6 rollouts are advanced network services and applications. This mandates that a management strategy should focus on spoofing attacks at all layers of applications and services.

o ARP and DHCP attacks (mixed IPv4 and IPv6) should be assumed given the dual-stack architecture.

o Since initial IPv6 deployments will not be fully automated the IPv6 management strategy should identify application layer attacks and rogue devices and apps in the most automated way possible.

• IPv6 will place new and immediate demands on syslog type solutions due to ICMP changes for IPv6. ICMPv6 is new for IPv6. Traditional tools and home-grown scripts will need to be scrutinized for necessary changes to support IPv6. The level of effort put into this aspect of any IPv6 management solutions will be on par with the Y2K efforts looking for issues deep in code.

• Assuming a dual-stack architecture, focus on separating management strategies as if the IPv6 network were a virtualized network. Cisco provides a well articulated ‘network virtualization’ strategy with multiple BCPs that can be utilized to set up this initial management solution for IPv6. Following are some key elements included in this Network Virtualization architecture:

o Access Edge IPv6 strategy

o IPv6 transport strategy

o Core and Services IPv6 management strategy

• The lack of ‘backward compatibility’ of IPv6 management tool roll outs based on legacy IPv4 code bases. Immediate demands for management tools required for DoD and Federal IPv6 compliance could lead to disparate products under the same product heading.

Summary

As seen, IPv6 poses considerable challenges to any network infrastructure and management strategy. IPv6 Network Management tools and solutions will evolve slightly behind the standards as well as network equipment IPv6 features and functionalities. IPv6 instrumentation roadmaps in products traditionally take 18 month plans. This pushes the impetus and importance of IPv6 management initially to scripting tools, CLI and existing IPv4 code-base tools. The evolution of IPv6 management solutions and tools will pace the migration from IPv4 to dual-stack to native IPv6 implementations.


Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)


Americas Headquarters Cisco Systems, Inc. San Jose, CA

Asia Pacific Headquarters Cisco Systems (USA) Pte. Ltd. Singapore

Europe Headquarters Cisco Systems International BV Amsterdam, The Netherlands
