Cisco's IPv6 Support and the Dilemma
Hiroyuki Kodama, 13 Mar 2009
© 2009 Cisco Systems, Inc. All rights reserved.
Remaining IANA IPv4 pool
IPv4 Address Fractal Map Jan-2011
Fractal map: Layout by Randall Munroe, Time Sequence by Tony Hain, Highlighted by Jeff Apcar
[Figure: fractal map of the IPv4 /8 blocks, each cell labelled with its number and holder (RIRs, legacy holders, Multicast, Class E, Reserved, Private, Loopback, or marked "Next")]
2008 IPv4 Address Use Report
[Chart: Addresses free [Million] by Date]
2006/01/01: 1468.61
2007/01/01: 1300.65
2008/01/01: 1122.85
2009/01/01: 925.58
IPv4 addresses consumed
197.27 million consumed (utilization 69.7% → 75.3%)
http://www.bgpexpert.com/addrspace2008.php
2008 IPv4 Address Use Report (3)
• Top 3 countries = China, Brazil, Russia (BRICs)
http://www.bgpexpert.com/addrspace2008.php
Monitoring Market Drivers
Address depletion
National IT Strategy
MSFT Vista & Server 2008
IPv6 “on” & “preferred” by default
Applications that run only over IPv6 (P2P framework)
IPv6 Task Force and promotion councils: Africa, India, Japan, Korea,…
U.S. Federal Mandate
China Next Generation Internet (CNGI) project
European Commission sponsored projects
Infrastructure Evolution
IP NGN
DOCSIS 3.0, FTTH, HDTV, Quad Play
Mobile SP – 3G, WiMax, PWLAN
Networks in Motion
Networked Sensors, ie: AIRS
NAT Overlap – M&A
http://www.potaroo.net/tools/ipv4/
Impact
- Slowing of Internet growth
- Effect on companies' business expansion into emerging countries
- Hurdles for new entrants
Other Governments
• The EU also has a target: 25% by 2010
http://ec.europa.eu/information_society/policy/ipv6/docs/european_day/communication_final_27052008_en.pdf
• China is similar: a mandatory requirement (BRICs?)
• US Fed: mandatory, especially for DoD. Thanks to that, Ready Logo-2 is ...
Deployment Scenario
The Scope of IPv6 Deployment
Basic Network Infrastructure
Hardware Support
IP Addressing
Routing Protocols
Networked Infrastructure Services
DNS & DHCP
Load Balancing & Content Switching
Security (Firewalls & IDS/IPS)
Content Distribution
Instrumentation
Optimization (WAAS, SSL acceleration)
Staff Training and Operations
VPN Access
Networked Device Support
Data Center Servers
Client Access (PC’s)
Printers
Collaboration Devices & Gateways
Sensors & Controllers
Applications & Application Suites
Web Content Management
Connectivity
Roll-out Releases & Planning
IP Services (QoS, Multicast, Mobility, Translation)
IPv6 over MPLS (6PE/6VPE)
IPv6 over IPv4 Tunnels (Configured, 6to4, ISATAP, GRE)
Dual-Stack
IPv6 Support in Intel Ethernet NICs
OS Support
• Almost all commonly used OSes support IPv6
• Top-to-bottom TCP/IP stack re-design
• IPv6 is on by default and preferred over IPv4 (considering network/DNS/application support)
• Tunnels will be used before IPv4 if required by IPv6-enabled application
  ISATAP, Teredo, 6to4, Configured
• Vista/Server 2008 support IPv4 and IPv6 (IPv6-only is supported)
  Active Directory, IIS, File/Print/Fax, WINS/DNS/DHCP/LDAP, Windows Media Services, Terminal Services, Network Access Services – Remote Access (VPN/Dial-up), Network Access Protection (NAP), Windows Deployment Service, Certificate Services, SharePoint services, Network Load-Balancing, Internet Authentication Server, Server Clustering, etc…
• http://www.microsoft.com/technet/network/ipv6/default.mspx
Content sites are taking initial steps
ipv6.google.com: On May 13, 2008, US-based Google announced on its official blog that its search function now supports IPv6. The address of the IPv6 version of Google Search is "http://ipv6.google.com/".
Google Maps too: http://ipv6.google.com/maps
Cisco's Contributions to IPv6
• Long standing support for IPv6 by Cisco
IETF Working Group Chairs: IPv6; ngtrans; v6ops; dhcpv6; mipv6; roll; softwire
Cisco engineers originated many IETF proposals
IPv6, MP-BGP4, NAT-PT, 6PE/6VPE, DHCPv6 PD, …
Founding member of the IPv6 Forum
Founding partner of 6Net
IPv6 Ready Logo
Mobile Networking demo – IPv6 Promotion council
“Jun Murai award”
IPv6-Capable Products (Router-1)
| Product | IPv6 | H/W | Comments |
|---|---|---|---|
| Cisco 7200 Series | Now | - | |
| Cisco 7301 | Now | - | |
| Cisco 7304 | Now | - | |
| Cisco 7600 Series | Now | Yes | With Supervisor Engine 720, 720-3BXL, and 32W, RSP720, as well as 10Gb/s support (10GE and OC-192) |
| Cisco 10000 Series | Now | Yes | With PRE2, PRE3 and PRE4 |
| Cisco ASR 1000 Series | Now | Yes | |
| Cisco 10720 Series | Now | Yes | |
| Cisco 12000 Series | Now | Yes | HW Performance up to 10 Gb/s (Engine 5) |
| Cisco CRS-1 | Now | Yes | HW Performance up to 40Gb/s (OC-768 line card) |
IPv6-Capable Products (Router-2)
| Product | IPv6 | H/W | Comments |
|---|---|---|---|
| Cisco 830 Series | Now | - | Beginning on Release 12.3(4)XG |
| Cisco 850 series | No | - | No IPv6 support |
| Cisco 860 series | Now | - | |
| Cisco 870 series | Now | - | |
| Cisco 1800 Series | Now | - | |
| Cisco 2800 Series | Now | - | |
| Cisco 3200 Series | Now | - | |
| Cisco 3800 Series | Now | - | |
IPv6-Capable Products (Router-3)
| Product | IPv6 | H/W | Comments |
|---|---|---|---|
| Cisco 1700 Series | Now | - | |
| Cisco 2500 Series | Now | - | End of Life. Limited support from Cisco IOS Software Release 12.2T |
| Cisco 2600 Series | Now | - | Refer to Product Bulletin #1975 for non-XM Cisco 2600 (except 2691) |
| Cisco 3600 Series | Now | - | Refer to Product Bulletin #1975 on Cisco 3620 |
| Cisco 3700 Series | Now | - | |
| Cisco AS5350 | Now | - | |
| Cisco AS5400 | Now | - | |
| Cisco AS5850 | Now | - | |
| Cisco 4000 Series | - | - | End of Life |
| Cisco 7500 Series | Now | - | End of Life |
IPv6-Capable Products (Catalyst Switch)
| Product | IPv6 | H/W | Comments |
|---|---|---|---|
| Cisco Catalyst 3560 and 3560-E Series | Now | Yes | |
| Cisco Catalyst 3750 and 3750-E Series | Now | Yes | |
| Cisco Catalyst 4500 Series | Now | Yes | With Supervisor Engine 6E |
| Cisco Catalyst 6500 Series | Now | Yes | With Supervisor Engine 720 and 720-3BXL, and 32W as well as 10Gb/s support (10GE and OC-192) |
IPv6-Capable Datacenter
• Nexus 7000
- supports IPv6 addressing
  MLD v2 / PIM SSM / PIM BIDR / EIGRP
- features support IPv6
  QoS / uRPF / ACLs-PACLs / VACLs / RACLs
  CoPP matching packets / NetFlow
• Cisco MDS 9000 with SAN-OS rel 3.x
  MDS 95xx, 92xx, 91xx
IPv6-Capable Security
| Feature Set | Solution/Product | Status |
|---|---|---|
| Firewall | Cisco Catalyst 6500/7600 Series Firewall Services Module (FWSM) | Now |
| Firewall | Cisco ASA 5500 | Now |
| Firewall | Cisco PIX Firewall | Now |
| Firewall | Cisco IOS Software IPv6 firewall | Now |
| IPv6 IPsec | IPv6 hardware encryption modules - NM-AIM/VPN, VAM2+ | Now |
| IPv6 IPsec | Site-to-site tunnel | Now |
| IPv6 IPsec | OSPFv3 authentication on Cisco IOS Software | Now |
AnyConnect 2.x—SSL VPN
Dual-Stack Host
AnyConnect Client
Cisco ASA
asa-edge-1#show vpn-sessiondb svc
Session Type: SVC
Username : ciscoese Index : 14
Assigned IP : 10.123.2.200 Public IP : 10.124.2.18
Assigned IPv6: 2001:db8:cafe:101::101
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : SSL VPN
Encryption : RC4 AES128 Hashing : SHA1
Bytes Tx : 79763 Bytes Rx : 176080
Group Policy : AnyGrpPolicy Tunnel Group: ANYCONNECT
Login Time : 14:09:25 MST Mon Dec 17 2007
Duration : 0h:47m:48s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
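Added example (not part of the original slides, and not Cisco tooling): a Python parser for the `show vpn-sessiondb svc` output above that reports whether a session carries both address families and whether RC4 was negotiated. It assumes the field names seen on this slide and that each session block opens with its Username line; the RC4 check reflects RFC 7465, which postdates the slides.

```python
import ipaddress
import re

# Field names from the slide's output; longer names precede their prefixes.
KEYS = ["Session Type", "Username", "Index", "Assigned IPv6", "Assigned IP",
        "Public IP", "Protocol", "License", "Encryption", "Hashing",
        "Bytes Tx", "Bytes Rx", "Group Policy", "Tunnel Group", "Login Time",
        "Duration", "NAC Result", "VLAN Mapping", "VLAN"]
KEY_RE = re.compile(r"(?:^|(?<=\s))(%s)\s*:(?=\s)" % "|".join(KEYS))

# Excerpt of the session shown on the slide, whitespace as extracted.
SAMPLE = """\
Session Type: SVC
Username : ciscoese Index : 14
Assigned IP : 10.123.2.200 Public IP : 10.124.2.18
Assigned IPv6: 2001:db8:cafe:101::101
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
Encryption : RC4 AES128 Hashing : SHA1
Group Policy : AnyGrpPolicy Tunnel Group: ANYCONNECT
Login Time : 14:09:25 MST Mon Dec 17 2007
VLAN Mapping : N/A VLAN : none
"""

def parse_sessions(text):
    """Split 'Key : value Key : value' lines into one dict per session."""
    sessions, session_type = [], None
    for line in text.splitlines():
        hits = list(KEY_RE.finditer(line))
        for cur, nxt in zip(hits, hits[1:] + [None]):
            key = cur.group(1)
            value = line[cur.end():nxt.start() if nxt else len(line)].strip()
            if key == "Session Type":
                session_type = value
            elif key == "Username":  # assumption: opens each session block
                sessions.append({"Session Type": session_type, key: value})
            elif sessions:
                sessions[-1][key] = value
    return sessions

def audit(session):
    """Report address families carried by the tunnel and any RC4 use."""
    families = {ipaddress.ip_address(session[f]).version
                for f in ("Assigned IP", "Assigned IPv6") if session.get(f)}
    findings = []
    if families == {4, 6}:
        findings.append("dual-stack: apply IPv4 and IPv6 policy at the hub")
    if "RC4" in session.get("Encryption", "").split():
        findings.append("RC4 negotiated: prohibited for TLS by RFC 7465")
    return findings
```

Calling `audit()` on each dict returned by `parse_sessions(SAMPLE)` yields both findings for the session on the slide.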
Cisco IPv6 Security
• Cisco VPN Client 4.x
  IPv4 IPSec Termination (PIX/ASA/IOS VPN/Concentrator)
  IPv6 Tunnel Termination (IOS ISATAP or Configured Tunnels)
• AnyConnect Client 2.x
  SSL/TLS or DTLS (datagram TLS = TLS over UDP)
  Tunnel transports both IPv4 and IPv6 and the packets exit the tunnel at the hub ASA as native IPv4 and IPv6.
Internet
• IPv6 IPSec Tunnels
• IOS 12.4(4)T
• IPv6 HW Encryption
• 7200 VAM2+ SPA
• ISR AIM VPN
• IPv6 Firewall
• IOS Firewall 12.3T, 12.4, 12.4T
• FWSM 3.x
• PIX 7.x +, including ASA 5500 series
Client-based IPsec VPN
Client-based SSL
• IOS 12.4(9)T - RFC 4552 - OSPFv3 Authentication
• All IOS: packet filtering e-ACL
• IPv6 over DMVPN
Information Available on Cisco.com
• IPv6 in general
http://www.cisco.com/en/US/technologies/collateral/tk648/tk872/tk373/technologies_white_paper_09186a00802219bc.html
• IPv4/IPv6 router performance
http://www.cisco.com/web/strategy/docs/gov/IPv6perf_wp1f.pdf
• Others: IPv6 design guides, etc.
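IPv6 for Telecom Carriers: Current State
IPv4 address depletion is recognized
IPv4 address depletion is approaching, but there is no capacity to get as far as migration planning
Migrating to IPv6 incurs cost but is unlikely to generate profit
Supporting IPv6 does not translate directly into convenience or benefit for users
The configuration becomes more complex, and quality may drop
IPv6 support is being considered while watching what other ISPs do
Not that they actively want to introduce NAT, but it will be too late once they are in trouble, so
Server-related systems are made IPv6-capable wherever possible
Ministry of Internal Affairs and Communications: Results of the Survey on the Provision of IPv6 Connection Services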
http://www.soumu.go.jp/menu_02/ictseisaku/ipv6/pdf/080328_1_a1.pdf
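Challenges
• There is no compelling need for IPv6 connectivity, so users have no incentive
• Corporations using IPv6 services are 1% of the total (about 100 companies)
  Introducing an access service alone is unlikely to become a new revenue source
  The question of cost sharing (who pays, and how much? ISP, user?)
  Consider the added value of IPv6 migration that ISPs can offer users?
  IPv6 support (cost) + IPv4 depletion = collapse of the current business model
• IPv6 operations skills (IPv6 support is needed in services and operations)
• Right now, the most important thing is Security!
• Before that, the traffic growth that has to be solved!
  Infrastructure build-out costs are rising but are not leading to higher revenue
• Business expansion into other layers (SIers/NIers, content providers, data centers)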
At Cisco, We Get All Kinds of Requests
• IPv4 and IPv6 for the same OS license fee
• Security, NMS, redundancy, related servers: all IPv6-capable
• No performance drop when running IPv6!
• ...
Emergency Alert
Sensor arrays
• Sensors on aging infrastructure.
• Adhoc networks of fire sensors.
6LoWPAN (RFC 4919 & 4944) based networks
Routing Over Low power and Lossy networks http://www.ietf.org/html.charters/roll-charter.html
accelerometer laser LVDT strain gauge crack gauge tilt gauge AE detector
Innovative Opportunity –Agriculture
• Wireless Sensor Network Research Group, Institute of Computing Technology, Chinese Academy of Sciences
CNGI: IPv6 Based Sensor network Application Demonstration
By cooperating with Chinese University of Sciences and Technology, we are going to develop a sensor application system by integrating wireless sensor network technology, control technology and precision agriculture technology. The applications of the integrated system are two-folded: accurate watering of farmland and water/soil pollution monitoring.
http://www.sixxs.net/misc/toys/
Opportunities exist beyond farming in smaller scale uses.
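Effective(?) Use of IPv6
• IPv4 depletion is different from oil depletion. But it is coming soon.
  The IPv4 addresses currently assigned will not disappear
  The problem is that new assignments cannot be made
  Does it really need to be global? (BBR)
  A situation reminiscent of Y2K: will there be panic just before IPv4 runs out?
• Is IPv6 a higher-level protocol than IPv4?
  How is this different from the era when IP, IPX and DECnet coexisted?
  Reproduce today's IPv4 environment, immediately and entirely, in IPv6?
• IPv4 address designs carried over from the Yellow Cable era
  Introducing applications such as UC and DC that cannot be added under the current IPv4 address design
  Change the design before virtualizing with VMware?
• Will connection demand rise once users get used to IPv6?
• What users want is services, not protocols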