IPv6 Are we there yet?
Problem The Internet keeps growing Running out of IPv4 addresses Running out of time!
Original Design Network of networks Packet-based network Unique addresses End-to-end connectivity Layered design
Quick fixes Address Resource Management CIDR NAT Rethinking IP, start in 1992
Extending IPv4 lifetime NAT – CPE NAT – Carrier-grade CIDR
Internet Resources Addresses (IPv4/IPv6) + ASN Hierarchical manner (top-down) Goals of the Internet Registry System – Uniqueness – Aggregation – Conservation – Registration
IPv4 depletion How many IPv4 addresses? 2^32 = ~4.3 billion IPv4 addresses
What is left? IANA allocates /8s to RIRs 256 /8s is the entire IPv4 Internet Beginning of 2010, IANA had 26 /8s left In February 2011, IANA allocated the last /8 Even RIRs are running out… – APNIC handed out last /8 in April 2012 – Microsoft – Nortel trade of IPv4 blocks – Asking legacy holders to become LIR or sponsorship – RIPE is exhausting rapidly
IPv6 Islands…
IPv6 to the rescue It is clear that we need a better solution IPv6 to solve address exhaustion Extra features built in IPv6 has existed for 16 years Time to act now!
Improved features Better support for mobility Security, IPSec Auto-configuration Routing (simpler header, flexible extensions, aggregation) IPv6 Multicast, more addresses
More… …IP addresses !!!!! 128-bit instead of 32-bit addresses, 3.4×10^38 addresses 340 undecillion addresses Let’s just say … a lot of addresses Restore end-to-end connectivity Internet as it was meant to be!
IPv6 subnetting
IPv6 addresses 2001:6a8:3c80:8000:222:19ff:fe14:a617/ :06a8:3c80:0000:0000:0000:0000: :6a8:3c80:: Network ID | Host ID
IPv6 interoperability / /24 0/0 2001:6a8:2400:8003::/64 ::1 ::2 2001:6a8:24c0::/48 ::/0
Differences Different types and scope of addresses No broadcast, thus no ARP Relies heavily on multicasting Auto-configuration instead of DHCP? Common to have multiple addresses on an interface. What IP will be used to source traffic?
Belnet 2001:6a8::/32 Native, dual-stack since Jan 2003 Multiple IPv6 peerings – Geant – Transit – BNIX – Other IXes Various services already available on IPv6 FTP, DNS, Jabber, NTP, WWW, SMTP, Antispam Pro…
IPv6 assignments
24 Belnet: active use of IPv6 (live traffic) % of the Belnet customer base IPv6: current status
Why you should run IPv6 Belnet: active use of IPv6 (live traffic) /09/2015
IPv6 elsewhere Equipment vendors (routers, firewall, …) Software (OS, applications, …) Networks – Content: Google, Facebook (IPv6 day 8/06/2011) – IXes – ISPs: Comcast (US), XS4ALL (NL) – CDNs: Akamai (end of 2010)
Why you should run IPv6 Experimental users Power users Global audience Get your content available over IPv6
Interesting Sites 9/09/
Enabling IPv6 on your network
Your action plan Equipment inventory Raise awareness Get your assignment Prepare your address plan Get IPv6 on your DMZ Get IPv6 on your LAN
Equipment inventory Routers and firewalls Does it support IPv6? At full performance? Server & Desktop OS Should be a no-brainer for recent OSes Application software Does it depend on hard-coded IPv4 addresses/ranges? If built on Apache or IIS no other problems expected... Other networked gear Printers? Switches? RA guard, PACL; RA snooping…
Raise awareness Your ICT colleagues/Management Awareness of network changes No surprises End users Migration should be transparent to them Only warn when deployed on LAN and/or Wi-Fi Via Intranets?
Prepare your address plan (1) 2001:6a8:3c80:8004:ca2a:14ff:fe15:9cb6 Belnet /32 Customer /48 Host address assignable /64 ranges L V A A azerty
Prepare your address plan (2) Map your IPv4 address plan into your IPv6 prefix /24 -> 2001:6a8:1234:5060::/64 Easy, but not always a good idea Large networks need a decent IPv6 address plan Use location / VLAN id / type of service :6a8:1234: ::/64 e.g. 2001:6a8:1234:0165::/64 (site 0, vlan 165) 16 bits to play with
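The site / VLAN scheme from this slide, worked through as an added example (not part of the original slides). It assumes the 16-bit subnet field is read as four hex digits, one for the site and three for the VLAN id written in decimal, which reproduces the slide's 0165 for site 0, vlan 165; the function names and the sample LAN list are hypothetical.

```python
import ipaddress

def plan_subnet(customer_prefix: str, site: int, vlan: int) -> ipaddress.IPv6Network:
    """Return the /64 for (site, vlan) inside a customer /48."""
    net = ipaddress.IPv6Network(customer_prefix)
    if net.prefixlen != 48:
        raise ValueError("expected a /48 customer prefix")
    if not 0 <= site <= 0xF:
        raise ValueError("site must fit in one hex digit (0-15)")
    # VLAN ids go up to 4094, but only 0-999 fit the three readable digits
    # this scheme leaves after the site digit.
    if not 0 <= vlan <= 999:
        raise ValueError("vlan must be 0-999 for this encoding")
    # Decimal VLAN digits are reused as hex digits so the address reads "0165".
    subnet_id = int(f"{site:x}{vlan:03d}", 16)
    base = int(net.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))

def build_plan(customer_prefix: str, lans):
    """Map LAN name -> /64 and refuse two LANs landing on the same subnet."""
    plan, owner = {}, {}
    for name, site, vlan in lans:
        subnet = plan_subnet(customer_prefix, site, vlan)
        if subnet in owner:
            raise ValueError(f"{name} collides with {owner[subnet]} on {subnet}")
        owner[subnet] = name
        plan[name] = subnet
    return plan

# Constructed sample: LAN names from the deck, site/VLAN numbers made up.
SAMPLE_LANS = [
    ("admin", 0, 165),
    ("students", 0, 200),
    ("guests", 1, 200),
    ("eduroam", 1, 300),
]

if __name__ == "__main__":
    for name, subnet in build_plan("2001:6a8:1234::/48", SAMPLE_LANS).items():
        print(f"{name:10} {subnet}")
```

Keeping the plan in one table like this also gives the firewall team a single source for per-LAN IPv6 policy objects.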
Get IPv6 on your DMZ (1) Requirement: firewall support! Use a separate zone if you want to test in advance Use firewall policies similar to IPv4 policies ICMP! Enable IPv6 on your public servers OS + Applications Publish AAAA records in your DNS for IPv6- enabled services
Get IPv6 on your DMZ (2) Sample interface config for JunOS devices:
    ge-0/0/0 {
        unit 0 {
            family inet {
                address /24;
            }
            family inet6 {
                address 2001:6a8:3d00:8000::1/64;
            }
        }
    }
Get IPv6 on your DMZ (3) Sample default route for JunOS devices:
    routing-options {
        rib inet6.0 {
            static {
                route 0::/0 next-hop 2001:6a8:3d00:8001::2;
            }
        }
    }
Get IPv6 on your DMZ (4) Sample config for Cisco IOS devices:
    Router(config)# interface ethernet 0/0
    Router(config-if)# ipv6 address 2001:6a8:3d00:8000::1/64
  or:
    Router(config-if)# ipv6 address 2001:6a8:3d00:8000::/64 eui-64
  static default route:
    Router(config)# ipv6 unicast-routing
    Router(config)# ipv6 route 0::/0 2001:6a8:3d00:8000::2
Get IPv6 on your servers (1) Web servers IIS and Apache: no problem Application-specific, legacy, unknown,… Use reverse-proxy HTTPS: One domain per IP DNS servers Windows 2008’s DNS, BIND: no problem Windows 2003: support very limited But IPv6 DNS server not mandatory to serve AAAA records
Get IPv6 on your servers (2) Mail servers Very few MTAs supported Even fewer antispam software packages IPv6 blacklisting still experimental Our advice: do not port MTA now Get Belnet Antispam Pro (Fully IPv6 compliant)!
Get IPv6 on your LAN(s) Use a separate zone if you want to test in advance One LAN at a time admin, students, guests, eduroam,... Use firewall policies similar to IPv4 policies Do not forget inbound connections as there is no more NAT! Filtering inbound ports <1024 is good practice Filter everything incoming if you want a perfect match between policies Warn your power users about network changes You want to know if something is no longer working…
Get IPv6 on your LAN (cont'd) Distribution of IPv6 addresses Router advertisement Widely supported Limited autoconfiguration options (only DNS server, if at all) Perfect for dual stack: DHCPv4 + RAdvd DHCPv6 Not widely supported yet (only recent MS products) Can coexist with router advertisement (DNS servers etc) Our advice : go DHCPv4 + RA
Transitioning technologies Tunneling technologies Tunnel broker Belnet hosts a SixXS.net PoP server Native addresses Specific software on routers/stations 6to4 Built into Windows, OS X, Apple AirPort & other home routers Teredo Built into Windows, Miredo Teredo port for Unix/Linux
Transitioning technologies Native connectivity Dual stack IPv6 and IPv4 on same wire/lan/frames Advantages Easier to put on desktops, routers Control/inspect your traffic Stability, ISP support Our advice : go dual stack
Transitioning technologies (cont'd) NAT64 & DNS64
Briefly Follow the steps Inventory Awareness Network plan DMZ + LAN Go Dual stack On the WAN On the LAN Belnet is a partner Ask us questions !
Thank You
NAT64 + DNS64