Migrating to IPv6

John Shin, Field Systems Engineer


Post on 06-Aug-2018


Agenda

• Introduction

– Role of Application Delivery Controller

– Basic Components of ADC

– TMOS (BIG-IP) architecture

• F5 Support for IPv6

• Certification Effort


Introduction


Role of Application Delivery Controller (ADC)

• Occupies strategic point of control within the network

• Evolved from simple load balancing

• Features beyond load balancing


BIG-IP LTM Components

[Diagram: BIG-IP LTM between the client-facing network and the server network]

• Client: 10.10.10.1 (Intranet/Internet)

• Production Network: 172.16.1.0/24

• Server Network: 192.168.114.0/24

• Intf 1.1, VLAN External: 172.16.1.1

• Intf 1.2, VLAN Internal: 192.168.114.1

• HTTP_vs: 172.16.1.230:80, Pool: HTTP_Pool

• HTTP_Pool: 192.168.114.125, 192.168.114.126, 192.168.114.127

• Node Information: Gateway: 192.168.114.1 (BIG-IP), Services: http (tcp/80)


TMOS Architecture

A unified system for application delivery

[Diagram labels: Users, Applications, Full Proxy, Client Side, Server Side, Microkernel, High Performance Hardware, iRules, iControl]

[Module labels: Rate Shaping, TCP Express, SSL, Caching, XML, Compression, OneConnect, TCP Express, App Security, Web Accel, WAN OPT, Access Control, Geo Location, Global LB]


F5 Support for IPv6


BIG-IP IPv6 Implementation

• First delivered in 2004.

• IPv6/IPv4 Dual-stack, and Proxy Translation

• IPv6 Addressable BIG-IP LTM Objects

– Self IPs

– Virtual Servers

– Nodes

– SNATs

– NAT

• BIG-IP GTM may contain both IPv6 and IPv4 virtual servers.

– VIPs selected based on request type (A or AAAA/A6)


BIG-IP IPv6 Implementation

• BIG-IP NATs, SNATs, and Virtual Servers can automatically serve as gateways between IPv6 and IPv4 networks.

‒ IPv6 VIP to IPv6 node

‒ IPv6 VIP to IPv4 node

‒ IPv4 VIP to IPv6 node

‒ IPv4 VIP to IPv4 node

• Pool may contain both IPv6 and IPv4 nodes

• NAT/SNAT (PAT)

• IPv6 auto-configuration of downstream nodes

‒ Neighbor Discovery Protocol for IPv6 (RFC 2461)

• Dynamic routing (ZebOS) supports IPv6


BIG-IP Providing NAT64 & DNS64 Gateway Function

[Diagram labels: IPv6 Client, v6 VS, DNS64, NAT64, Forwarding / mapping Virtual, v4 DNS, v6 DNS, v4 Internet / Network, www.server.com (A), www.server.com (AAAA)]

1. Client sends DNS query www.server.com

2. LTM sends AAAA & A Queries to DNS

3a. If v6 DNS then AAAA record returned to client as usual

3b. If only v4 DNS A record returned, LTM adds 96 bit prefix to A record and returns AAAA to client

4. Client sends traffic to AAAA address

5. LTM transforms v6 addresses to v4 addresses for outgoing traffic

6. LTM maps and transforms v4 addresses to v6 for return traffic
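
Added example (not from the original slides and not F5 code): a Python sketch of the address arithmetic behind steps 3a, 3b, 5 and 6, including the reverse mapping used to recover the real IPv4 destination when reading logs or writing ACLs. The slides say only that a 96 bit prefix is added; the RFC 6052 well-known prefix 64:ff9b::/96, the function names and the sample addresses are assumptions.

```python
import ipaddress

# Assumption: RFC 6052 well-known prefix; the slide only says "96 bit prefix".
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(a_record, prefix=NAT64_PREFIX):
    """Steps 3b and 6: embed the 32-bit IPv4 address in the low bits of the /96."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(a_record)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(v6_addr, prefix=NAT64_PREFIX):
    """Step 5: recover the IPv4 destination, or None if outside the prefix."""
    v6 = ipaddress.IPv6Address(v6_addr)
    if v6 not in prefix:
        return None  # native IPv6 destination, nothing to translate
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(aaaa_records, a_records, prefix=NAT64_PREFIX):
    """Steps 3a/3b: pass real AAAA records through, else synthesize from A."""
    if aaaa_records:
        return [ipaddress.IPv6Address(r) for r in aaaa_records]
    return [synthesize_aaaa(r, prefix) for r in a_records]


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges), not from the slides.
    synth = dns64_answer([], ["192.0.2.10"])[0]
    print("synthesized AAAA:", synth)
    print("NAT64 outbound  :", extract_ipv4(synth))
    print("native AAAA kept:", dns64_answer(["2001:db8::10"], ["192.0.2.10"]))
    print("outside prefix  :", extract_ipv4("2001:db8::10"))
```

Because the IPv4 address sits in the last 32 bits of the synthesized AAAA, IPv4-based filtering and log correlation behind the gateway should be evaluated against the extracted address, not the IPv6 form the client sees.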


IPv6 Notable Exceptions

• IPv6 IPSec is not currently supported

• Tunneling is not supported

• Mobile IPv6 is partially implemented, but lacks the “return routability” feature set.

– The return routability capability requires a return routability handshake between the mobile node and the correspondent node.

– Unfortunately, the messages involved in this handshake do not contain enough information for BIG-IP LTM to persist the two messages reliably to the same server.


Certification Effort


Planned Certifications

• IPv6 Ready Certification

• USGv6 Certification

• JITC/TIC for UC-APL

• ICSA Enterprise Firewall

• FIPS 140-2 Level 2

• ICSA WAF

• ICSA SSL-TLS VPN

• NEBS

• EAL2+