Migrating to IPv6 · auspextech.com/vaipv6/f5 va_ipv6_panel_discussion1.pdf · F5 support for IPv6. 8....
Agenda
• Introduction
– Role of Application Delivery Controller
– Basic Components of ADC
– TMOS (BIG-IP) architecture
• F5 Support for IPv6
• Certification Effort
Role of Application Delivery Controller (ADC)
• Occupies strategic point of control within the network
• Evolved from simple load balancing
• Features beyond load balancing
BIG-IP LTM Components
(Network diagram)
• Client: 10.10.10.1, reaching the BIG-IP over the Intranet/Internet
• Intf 1.1, VLAN External: 172.16.1.1 on the 172.16.1.0/24 Production Network
• Intf 1.2, VLAN Internal: 192.168.114.1 on the 192.168.114.0/24 Server Network
• Virtual server HTTP_vs: 172.16.1.230:80, Pool: HTTP_Pool
• HTTP_Pool members: 192.168.114.125, 192.168.114.126, 192.168.114.127
• Node Information
– Gateway: 192.168.114.1 (BIG-IP)
– Services: http (tcp/80)
TMOS Architecture: A unified system for application delivery
(Architecture diagram)
• Full Proxy between Users and Applications: Client Side, Server Side
• Microkernel
• High Performance Hardware
• iRules
• iControl
• Module labels, in diagram order: Rate Shaping, TCP Express, SSL, Caching, XML, Compression, OneConnect, TCP Express, App Security, Web Accel, WAN OPT, Access Control, Geo Location, Global LB
BIG-IP IPv6 Implementation
• First delivered in 2004.
• IPv6/IPv4 Dual-stack, and Proxy Translation
• IPv6 Addressable BIG-IP LTM Objects
– Self IPs
– Virtual Servers
– Nodes
– SNATs
– NAT
• BIG-IP GTM may contain both IPv6 and IPv4 virtual servers.
– VIPs selected based on request type (A or AAAA/A6)
BIG-IP IPv6 Implementation
• BIG-IP NATs, SNATs, and Virtual Servers can automatically serve as gateways between IPv6 and IPv4 networks.
‒ IPv6 VIP to IPv6 node
‒ IPv6 VIP to IPv4 node
‒ IPv4 VIP to IPv6 node
‒ IPv4 VIP to IPv4 node
• Pool may contain both IPv6 and IPv4 nodes
• NAT/SNAT (PAT)
• IPv6 auto-configuration of downstream nodes
‒ Neighbor Discovery Protocol for IPv6 (RFC 2461)
• Dynamic routing (ZebOS) supports IPv6
BIG-IP Providing NAT64 & DNS64 Gateway Function
(Diagram labels: IPv6 Client, v6 VS, v6 DNS, v4 DNS, v4 Internet / Network, www.server.com (A), www.server.com (AAAA), DNS64, NAT64, Forwarding / mapping Virtual)
1. Client sends DNS query www.server.com
2. LTM sends AAAA & A Queries to DNS
3a. If v6 DNS then AAAA record returned to client as usual
3b. If only v4 DNS A record returned, LTM adds 96 bit prefix to A record and returns AAAA to client
4. Client sends traffic to AAAA address
5. LTM transforms v6 address to v4 addresses for outgoing
6. LTM maps and transforms v4 addresses to v6 for return traffic
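The DNS64 synthesis in step 3b and the NAT64 reverse mapping in step 5, as an added Python example that is not F5 code or configuration. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 (the slides only say "96 bit prefix"), a constructed zone, and a hypothetical operator blocklist that keeps the translator from reaching internal IPv4 ranges.

```python
import ipaddress

# Assumption: RFC 6052 well-known prefix; the slides only say "96 bit prefix".
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# Assumption: operator policy, IPv4 ranges the translator must never reach.
BLOCKED_V4 = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]
# Constructed zone data; these records are not from the slides.
ZONE = {"www.server.com": {"A": "192.0.2.10"},
        "v6.server.example": {"AAAA": "2001:db8::80"}}


def synthesize_aaaa(a_record, prefix=NAT64_PREFIX):
    """Step 3b (DNS64): place the A record's 32 bits under the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    v4 = ipaddress.IPv4Address(a_record)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def resolve(name, zone=ZONE):
    """Steps 2-3: return (address, synthesized?); a real AAAA record wins."""
    records = zone.get(name, {})
    if "AAAA" in records:
        return ipaddress.IPv6Address(records["AAAA"]), False
    if "A" in records:
        return synthesize_aaaa(records["A"]), True
    return None, False


def extract_ipv4(dst, prefix=NAT64_PREFIX):
    """Step 5 (NAT64): recover the IPv4 destination; None if dst is native IPv6."""
    v6 = ipaddress.IPv6Address(dst)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def translation_allowed(dst):
    """True only for a NAT64 destination whose embedded IPv4 is not blocked."""
    v4 = extract_ipv4(dst)
    return v4 is not None and not any(v4 in net for net in BLOCKED_V4)


if __name__ == "__main__":
    for name in ZONE:
        addr, synthesized = resolve(name)
        print(name, addr, "synthesized" if synthesized else "native",
              translation_allowed(addr))
```

Without a check like `translation_allowed`, any IPv6 client that can reach the translator can address internal IPv4 hosts by writing their address into the low 32 bits of the prefix.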
IPv6 Notable Exceptions
• IPv6 IPSec is not currently supported
• Tunneling is not supported
• Mobile IPv6 is partially implemented, but lacks the “return routability” feature set.
– The return routability capability requires a return routability handshake between the mobile node and the correspondent node.
– Unfortunately, the messages involved in this handshake do not contain enough information for BIG-IP LTM to persist the two messages reliably to the same server.
Planned Certifications
• IPv6 Ready Certification
• USGv6 Certification
• JITC/TIC for UC-APL
• ICSA Enterprise Firewall
• FIPS 140-2 Level 2
• ICSA WAF
• ICSA SSL-TLS VPN
• NEBS
• EAL2+