IPv6 Status, Management, & Configuration Issues Winter 2013 ESCC meeting January 18, 2013.


Current Site OMB 2012 Milestone Status Comment: Includes IPv6 support into network core

Current Site OMB 2014 Milestone Status Comment: Expect to implement 18 month pilot project to provide production quality IPv6 support to Computing Division staff and general wireless users (voluntary)

OMB 2014 Compliance Comment: Includes IPv6 support into network core

Comments on Current Site IPv6 Status (I) We have enabled IPv6 dual stack support on wireless for a limited scope pilot test. It provides IPv6 DNS & DHCP services. DNS is IPv6 enabled. Delays waiting on cyber tools to be v6 enabled. There is some effort in the Cyber department to get their arms around firewall and border blocking of IPv6 addresses. Cyber is also working on collecting Netflow for IPv6 traffic. Looking into IPv6 support for our proxy servers that web traffic is routed through. There is also some thinking of how to handle host IPv6 addresses. How do we force a host to use a specific IPv6 address? We will IPv6ify additional PDN services to provide basic IPv6 site-to-site connectivity. I.e., SSH and FTP will be available in the near term. Currently holding with external facing services operational. When activity resumes we will likely start with a small (operational) testbed on the production network.

Comments on Current Site IPv6 Status (II) We outsource a number of services. So, a large risk for our environment is not having support from 3rd party vendors. Growing executive's interest in IPv6 thanks mainly to peer pressure. Critical path blocked by lack of suitable IPAM system. Generally following OMB road map, but not attempting to adhere to its timelines. There is an R&D project to test IPv6 with LHC middleware & applications in conjunction with the HEPiX IPv6 work group. We have implemented a partial solution, but do not consider it a top priority. We are also working with 'appliance' vendors, like Proofpoint and Infoblox, to support IPv6. They are finally starting to take it seriously.

Comments on Current Site IPv6 Status (III) We developed patches for IPv6 support in our IPAM and deployed them into production. It generates correct IPv4 and IPv6 DNS records. We will be adding more patches to our IPAM to generate DHCPv6 configs. We had extremely unfriendly behavior trying to put IPv6 through our production Cisco firewalls, but have already purchased replacements. So we rolled our IPv6 network equipment support into our 10-gig project. New firewall vendor had support issues with IPv6, particularly in HA failover mode, but they've since patched. We have purchased all equipment, including switches and firewalls, and we are expecting to begin deploying our core changes in stages by next days.

Discussion Points on Site IPv6 Support
What is your site’s perspective on the need to support IPv6?
- When?
What’s the current level of commitment at your site toward supporting IPv6?
- How has it changed (or is changing…)?
What is the view on the OMB IPv6 milestones at your site?

IPv6 Status – The Big Picture
Systems/Devices:
- Windows 7 & MacOS 10.6 support IPv6 by default
- Linux supports IPv6 (not by default)
- Tablets & smart phones generally have IPv6 support
Internet service providers:
- Comcast targeting IPv6 availability to homes by end of year
Content service providers:
- Google, Facebook, Yahoo, Youtube, Wikipedia
Google IPv6 Access Monitoring

Problems with Valentine’s Day for the Person that has Everything?
IPv6-addressable light bulb (LED)
- Uses 6LoWPAN over IEEE
- $200 for the kit
- $30/light bulb
In case you were wondering why we might need an undecillion addresses…

Shadow IPv6 Networks Blue Coat: “Shadow IPv6 networks are here today”

Shadow IPv6 Networks (I) Comments: We have IDS (BRO) monitoring and blocking IPv6 traffic. We are assessing the potential impact of transitioning technology in dual stack environment. Windows clients have tight configuration control. Less so for other clients. v6 tunneling protocols (6to4, Teredo) are blocked at site border. Investigating doing same between internal subnets. Would like to do RA guard, unsure of sw licensing issues on our installed switches.

Shadow IPv6 Networks (II) Comments: We have the capability of monitoring or checking unexpected IPv6 traffic traversing our DMZ if needed. Using Wireshark to capture LAN traffic, with IPv6 filters. Structured at the border, but less so internally. Network monitors do detect native and tunneled IPv6 in some cases. IPv6 is not routed on any L3 or routing equipment.

Shadow IPv6 Networks (III) Comments: We disable UDP 3544 and protocol 41. v6 tunneling protocols (6to4, Teredo) are blocked at site border. For 6-to-4, blocking the 6-to-4 anycast address and IPv4 protocol 41. For Teredo, blocking UDP port. Block IP protocol 41 at border as well as v6 transition technology addresses. Block known ports/protocols for tunneling, add as we discover others. Tunnel is not allowed out through the firewall.

Discussion Points on Shadow IPv6 Networks
Ideas on whether/what/how to develop IPv6 visibility tools?
- Other than buy a BlueCoat PacketShaper, of course
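As an added illustration of the visibility question above (not part of the original slides): a small Python pass over flow records that flags internal hosts showing the tunneling indicators the site comments name, namely IPv4 protocol 41, Teredo on UDP 3544, the 6to4 anycast relay prefix, and the 6to4/Teredo IPv6 prefixes. The flow-record layout, function names and sample addresses are assumptions made for the example; the prefix values (192.88.99.0/24, 2002::/16, 2001::/32) are the standard ones, not values given on the slides.

```python
import ipaddress

# Indicators taken from the site comments: IPv4 protocol 41 (6to4 and other
# IPv6-in-IPv4 encapsulation), UDP 3544 (Teredo), the 6to4 relay anycast
# prefix (RFC 3068), and the transition-technology IPv6 prefixes.
SIXTO4_ANYCAST = ipaddress.ip_network("192.88.99.0/24")
TRANSITION_V6 = {"6to4": ipaddress.ip_network("2002::/16"),
                 "teredo": ipaddress.ip_network("2001::/32")}

def classify(flow):
    """Return the tunnel indicators matched by one flow record (a dict)."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    hits = []
    if src.version == 4:
        if flow["proto"] == 41:
            hits.append("proto41")
        if flow["proto"] == 17 and 3544 in (flow.get("sport"), flow.get("dport")):
            hits.append("teredo-udp3544")
        if src in SIXTO4_ANYCAST or dst in SIXTO4_ANYCAST:
            hits.append("6to4-anycast")
    else:
        for name, net in TRANSITION_V6.items():
            if src in net or dst in net:
                hits.append(name + "-prefix")
    return hits

def shadow_hosts(flows, site_nets):
    """Map each internal host to the sorted indicators seen in its flows."""
    nets = [ipaddress.ip_network(n) for n in site_nets]
    found = {}
    for flow in flows:
        hits = classify(flow)
        for ip in (flow["src"], flow["dst"]):
            addr = ipaddress.ip_address(ip)
            internal = any(addr.version == n.version and addr in n for n in nets)
            if hits and internal:
                found.setdefault(ip, set()).update(hits)
    return {host: sorted(h) for host, h in found.items()}

# Constructed sample flows (documentation address ranges), not real traffic.
SITE = ["198.51.100.0/24", "2001:db8::/32"]
FLOWS = [
    {"src": "198.51.100.10", "dst": "192.88.99.1", "proto": 41},
    {"src": "198.51.100.22", "dst": "203.0.113.5", "proto": 17, "sport": 51000, "dport": 3544},
    {"src": "198.51.100.30", "dst": "203.0.113.80", "proto": 6, "sport": 40000, "dport": 443},
    {"src": "2001:db8:1::5", "dst": "2002:c633:6401::1", "proto": 6, "sport": 40001, "dport": 80},
]
print(shadow_hosts(FLOWS, SITE))
```

Hosts that appear in the result are candidates for the border blocks described in the comments; a port-based Teredo match only catches the default server port.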

IPv6 Technology Issues

Site Expectations for SLAAC Support Comments: Definitely in guest network environments; unclear about general wireless or user LANs. Still investigating, reluctant to use on servers. SLAAC provides no capability to serve DNS server addresses. Since we must provide DHCPv6 to provide DNS addresses, it makes no sense to run both SLAAC and DHCPv6 in parallel. Would prefer a DHCP-like solution that would be more like our current management scheme.

Expectations for Auto-configuration Controls Comments: We do expect to control RA but not clear on an effective implementation. RA guard very desirable. Not sure of the feasibility on all existing access devices. Not currently, but eventually. We block it where we have the ability to in hardware. Will configure L3 network equipment to not support

SLAAC & ND Issues/Concerns/Best Practices SLAAC does provide the capability to provide DNS server information (RFC 5006, obsoleted by RFC 6106), but there is very little support for that in OS/router implementations. Is anyone using this feature? Is anyone running DHCPv6 in production? How are you handling issues like default router configuration, etc.? What about client identification?

Unique Local Addresses (ULAs) Comments: No RFC1918 and NAT support on production network. ULA might be used for site-only networks. Unclear how much advantage vs filter at site border. Don't seem to be many reasonable alternatives for RFC1918 addresses, except border blocking. Assign block of v6 space and block at border. We support IPv4 RFC1918 addresses only on closed non-routable VLANs. We have no plans to deploy ULAs on other VLANs, even in parallel with public routable IPv6. We support RFC1918, but will use assigned IPv6 addresses, but will be firewalled.

ULA Issues/Concerns/Best Practices Are there any new HPCC or massively parallel systems going into production? Will those systems use IPv6 for their internal addresses? Are there other places where ULA is being considered? Any concerns about the future of ULA?

Non-Default IPv6 Configurations Comments: Expect AD to enforce some group policy in protocol preferences or host tunneling capabilities. Would like to at least disable host tunnel capabilities. Privacy addresses are a management concern. Our machine network registration policy requires 1:1 assignment of addresses to machines. Therefore, we intend to use group policy wherever possible to disable privacy addresses. Most likely we will to avoid unwanted defaults, but not clear because of BYOD & variety of system types.

IPv6 Configuration Guidance & Best Practices Is anyone scraping their routers for NDP (or even ARP) information? Anyone using tools for this, like netdisco or netdot? (Did anyone watch the TIP presentation on netdot?) How useful is this sort of thing for us? Like it or not, privacy addresses are now becoming the default on OSes.
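An added example (not from the slides) of what scraped NDP data can tell a site with the 1:1 address registration policy mentioned in the comments: group neighbor-table entries by MAC, then flag MACs holding more than one global address or an address whose interface ID is not the MAC-derived EUI-64 value, which is what privacy addresses look like (DHCPv6 and manually set addresses also match). The input is assumed to be in Linux `ip -6 neigh` format; the function names and sample table are constructed for the example, and router CLI output would need its own parser.

```python
import ipaddress
from collections import defaultdict

def eui64_iid(mac):
    """Interface ID that SLAAC without privacy extensions derives from a MAC."""
    b = bytearray(int(octet, 16) for octet in mac.split(":"))
    b[0] ^= 0x02                      # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def parse_neighbors(text):
    """Group non-link-local IPv6 neighbors by MAC address."""
    table = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:    # FAILED/INCOMPLETE entries carry no MAC
            continue
        addr = ipaddress.IPv6Address(fields[0])
        if not addr.is_link_local:
            table[fields[fields.index("lladdr") + 1].lower()].add(addr)
    return table

def audit(table):
    """Flag MACs that break a 1:1 address registration policy."""
    findings = {}
    for mac, addrs in table.items():
        issues = []
        if len(addrs) > 1:
            issues.append("multiple-addresses")
        odd = sorted(str(a) for a in addrs
                     if int(a) & (2**64 - 1) != eui64_iid(mac))
        if odd:
            issues.append("non-eui64:" + ",".join(odd))
        if issues:
            findings[mac] = issues
    return findings

# Constructed neighbor table (documentation prefix), not output from a real router.
SAMPLE = """\
2001:db8:10::211:22ff:fe33:4455 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
fe80::211:22ff:fe33:4455 dev eth1 lladdr 00:11:22:33:44:55 STALE
2001:db8:10::a8bb:ccff:fedd:eeff dev eth1 lladdr aa:bb:cc:dd:ee:ff REACHABLE
2001:db8:10:0:5c3e:91a7:40d2:7b19 dev eth1 lladdr aa:bb:cc:dd:ee:ff STALE
2001:db8:10::99 dev eth1  FAILED
"""
print(audit(parse_neighbors(SAMPLE)))
```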