IPv6 v podnikových sítích (IPv6 in Enterprise Networks) - Cisco
Cisco Expo 2012, session T-NET5/L3
Miroslav Brzek, Systems Engineer, Cisco, [email protected]
Cisco Public. © 2012 Cisco and/or its affiliates. All rights reserved.
Document uploaded 26-Jun-2020. Transcript of the slides follows.

Page 1: IPv6 v podnikových sítích (IPv6 in Enterprise Networks), Cisco Expo 2012, T-NET5/L3
Miroslav Brzek, Systems Engineer, Cisco, [email protected]

Page 2:
• IPv6 Current status
• IPv6 Planning Steps
• IPv6 Address consideration
• Transition Mechanisms
• IPv6 Co-existence Considerations
• IPv6 Security
• Conclusion, Q&A

Page 3: (no extracted text)

Page 4:
This is accelerating! Consistently beating estimates.
Microsoft has just purchased 666,624 IP addresses for $7.5 million ($11.25/addr).
Bankrupt bookseller Borders is trying to sell its 65,000 IPv4 addresses ($12/addr).

Page 5:
• World IPv6 Day: large content providers and communication-technology vendors (Google, Facebook, Cisco, ...) made their web sites reachable over IPv6 for 24 hours to test IPv6 services
  8 June 2012
• World IPv6 Launch: major ISPs, content providers and communication-technology vendors permanently enable their services over IPv6
  6 June 2012
• 2012: the US Obama Administration Mandate takes effect
• 2014: IPv6 becomes the principal communication protocol
2012 ->

Page 6: (agenda repeated from page 2)

Page 7:
• IPv4 & IPv6 will coexist for the foreseeable future
  No D-Day / Flag Day.
• Applications will be migrated to IPv6
  with the support of dual-stack operating systems (Windows 7, Linux, BSD, ...)
• Network infrastructure will integrate the IPv6 protocol
  Both protocols, IPv4 and IPv6, will be running in the network at the same time
  Most of the devices in the network will support both protocols at the same time (dual-stack routers and L3 switches)
• Education & Careful Planning are crucial
• IPv4 & IPv6 implementations must be scalable, reliable, secure and feature rich

Page 8: Start with a Phased Plan Aligned with Your Business Strategy
1. Identify the highest priority IPv6-critical areas in your network
2. Perform IPv6 Assessment on highest-priority areas to determine scope of design
3. Develop an IPv6 design that enables IPv6 to be introduced without disrupting your IPv4 network
4. Begin IPv6 testing and implementation in pilot mode, then extend over time into production deployment
Repeat for the Next IPv6-Critical Area in Your Network

Page 9: (agenda repeated from page 2)

Page 10:
• Build on the lessons learned from how the IPv4 plan was developed and implemented
  Does it make sense to follow the current IPv4 assignment model?
• Must be proportional to current usage and expected growth
• Hierarchy is key
  Do you get a prefix for the entire company or do you get one prefix per site (what defines a site?)
• Cisco IPv6 Addressing White Paper
  http://www.cisco.com/web/strategy/docs/gov/IPv6_WP.pdf

Page 11:
• What type of addressing should I deploy internal to my network? It depends:
  ULA only
  - Not routable on the internet; basically RFC1918 for IPv6, only better: less likelihood of collisions
  - Default prefix is /48, which limits use in large organizations that will need more space
  - The semi-random generator prohibits generating sequentially 'usable' prefixes; there is no easy way to have aggregation when using multiple /48s
  - Generate your own ULA: http://www.sixxs.net/tools/grh/ula/
  ULA + Global
  - Allows for the best of both worlds but at a price: much more address management with DHCP, DNS, routing and security. SAS (source address selection) does not always work as it should
  Global-only
  - Recommended approach, but the old-school security folks who believe topology hiding is essential in security will bark at this option

Page 12:
• Everything internal runs the ULA space
• An IPv6 Prefix Translator (NPTv6) or an IPv6 proxy is required to access IPv6 hosts on the internet
  Must run filters to prevent any SA/DA in the ULA range from being forwarded
  NOTE: NPTv6 (NAT66) is still in draft status.
• Removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)
  Requires NAT for IPv6
  Not currently recommended
Figure labels: Corporate HQ; Corporate Backbone; Unique Local – fd9c:58ab:7f73::/48; fd9c:58ab:7f73:3000::/64; fd9c:58ab:7f73:0000::/56; Branch 1 – fd9c:58ab:7f73:2800::/64; Branch 2 – fd9c:58ab:7f73:1000::/56; Internet – Global 2001:db8:cafe::/48

Page 13:
• Global is used everywhere
• No requirements to have NAT for ULA-to-Global translation—but, NAT may be used for other purposes
  e.g. Printers, Data Bases etc. can be on ULA.
• Easier management of DHCP, DNS, security, etc.
• Only downside is breaking the habit of believing that topology hiding is a good security method
Recommended
Figure labels: Corporate HQ; Corporate Backbone; Global – 2001:db8:cafe::/48; 2001:db8:cafe:3000::/64; 2001:db8:cafe:0000::/56; Branch 1 – 2001:db8:cafe:2800::/64; Branch 2 – 2001:db8:cafe:1000::/56; Internet
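An added example for the ULA discussion on pages 11 to 13 (not code from the deck): it generates a /48 with the RFC 4193 algorithm that the "semi-random generator" refers to, classifies addresses by scope, and applies the edge filter a ULA-only design needs (page 12: no ULA source or destination may be forwarded to the Internet). The traffic sample is constructed; fd9c:58ab:7f73::/48 and 2001:db8:cafe::/48 are the deck's own figure prefixes.

```python
"""ULA prefix generation (RFC 4193) and the ULA edge filter.

Added example, not Cisco code.  Sample addresses are constructed; the
fd9c:58ab:7f73::/48 and 2001:db8:cafe::/48 prefixes come from the slides.
"""
import hashlib
import ipaddress
import struct
from typing import List, Tuple

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")       # RFC 4193 Unique Local
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def ntp_timestamp(unix_time: float) -> int:
    """64-bit NTP timestamp: seconds since 1900 (high 32 bits) + fraction."""
    whole = int(unix_time)
    secs = (whole + 2208988800) & 0xFFFFFFFF
    frac = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def generate_ula_prefix(eui64: int, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: fd00::/8 | low 40 bits of SHA-1(NTP time || EUI-64).

    This is why ULA /48s are not sequential: the Global ID is a hash output,
    so two /48s generated for one organisation cannot be aggregated.
    """
    key = struct.pack("!QQ", ntp_timestamp(unix_time), eui64)
    digest = hashlib.sha1(key).digest()
    global_id = int.from_bytes(digest[-5:], "big")      # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)      # fd + 40-bit Global ID + zero subnet
    return ipaddress.IPv6Network((prefix_int, 48))


def classify(addr: str) -> str:
    """Which address scope a ULA-only / Global-only design is dealing with."""
    ip = ipaddress.IPv6Address(addr)
    if ip in ULA_RANGE:
        return "ula"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def edge_filter(packets: List[Tuple[str, str]]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Internet-edge rule for a ULA-only design: drop anything whose source OR
    destination is in fc00::/7.  Without NPTv6 or a proxy in front of this
    filter, internal hosts cannot reach IPv6 Internet hosts at all, which is
    the point the slide makes.  Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for src, dst in packets:
        if classify(src) == "ula" or classify(dst) == "ula":
            dropped.append((src, dst))
        else:
            forwarded.append((src, dst))
    return forwarded, dropped


# Constructed traffic at the Internet edge of the page-12/13 designs.
SAMPLE_PACKETS = [
    ("fd9c:58ab:7f73:3000::10", "2001:db8:ffff::1"),   # ULA source leaking out: drop
    ("2001:db8:ffff::1", "fd9c:58ab:7f73:2800::5"),    # inbound to a ULA host: drop
    ("2001:db8:cafe:1000::10", "2001:db8:ffff::1"),    # Global-only design: forward
]

if __name__ == "__main__":
    # EUI-64 and time are constructed inputs for the generator.
    print(generate_ula_prefix(0x020D60FFFE842C7A, 1339000000.0))
    print(edge_filter(SAMPLE_PACKETS))
```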

Page 14:
• Mainly an Enterprise Issue
• Service Providers will get allocation direct from RIR
• PI space is great for organizations who want to multihome to different SPs
• PA is a great space if you plan to use the same SP for a very long time or you plan to NAT/Proxy everything with IPv6 (not likely)
• Other things to consider
  Do you get a prefix for the entire company or do you get one prefix per site
  Do you get a prefix per regional registry (RIPE, APNIC, LACNIC, etc.)

Page 15:
Figure: address allocation hierarchy
  Provider Assigned: IANA (2000::/3) -> Registries (/12) -> ISP Org (/32) -> Enterprise (/48, "Level Four")
  Provider Independent: IANA (2000::/3) -> Registries (/12) -> Enterprise (/48)
RIPE policy proposals:
  http://www.ripe.net/ripe/policies/proposals/2006-01.html
  http://www.ripe.net/ripe/policies/proposals/2006-05.html

Page 16:
• High Level addressing plan. Indicative only. Can be modified to suit needs
• /48 = 65536 x /64
• Break up into functional blocks (4 x /50 in this case)
• Each functional block simplifies security policy
• Assumes up to 64 Branch networks
• Each Branch has access to 256 /64 prefixes for WAN, DMZ, & VLAN use
Figure: the plan as a tree
  /48
    /50 Branch
      /56 Branch 1: Loop /64, WAN /64, DMZ /64, VLAN4 /64, ..., VLAN… /64
      /56 Branch 2
      /56 Branch 3
      /56 Branch 4
    /50 WAN
    /50 DC
    /50 Lab
  A further /56 MGMT block is drawn with the same layout: Loop /64, WAN /64, DMZ /64, VLAN4 /64, VLAN… /64

Page 17:
Prefix-length options (two columns on the slide: "64 bits" and "> 64 bits")
64 bits:
• /64 everywhere
  Recommended by RFC3177 and IAB/IESG
  Consistency makes management easy
  MUST for SLAAC (MSFT DHCPv6 also)
  Significant address space loss (18.466 Quintillion)
> 64 bits:
• /64 + /126
  64 on host networks, 126 on P2P
• /64 + /127
  64 on host networks, 127 on P2P
• Always use /128 on loopbacks
  Address space conservation
  Special cases: /126—valid for p2p; /127—valid for p2p if you are careful (draft-kohno-ipv6-prefixlen-p2p-xx / RFC3627); /128—loopback
  Must avoid overlap with specific addresses: Router Anycast (RFC3513), Embedded RP (RFC3956), ISATAP addresses

Page 18:
• Originally point-to-point links were numbered with /64, /96, /112, or /126
  /64 simplest
  /96 allowed 32 bits of IPv4 address to be used
  /112 allowed the significant 16 bits of IPv4 address to be used
  /126 emulated the /30 behaviour for IPv4
• Use of ample address space opened networks up to attack
• Two conflicting RFCs
  RFC 3627 "Use of /127 Prefix Length Between Routers Considered Harmful"
  RFC 6164 "Using 127-Bit IPv6 Prefixes on Inter-Router Links"
• /127 not possible in some implementations due to conflict with "the Subnet-router anycast address"
• Cisco IOS does not implement Subnet Router Anycast by default
• The issue is with multivendor support
• Industry is moving towards RFC 6164

Page 19:
• Allocate /64 everywhere
  Ensures simple allocation and no need to maintain /30-style spreadsheets
• Change the mask to suit purpose
  /64 for LAN
  /127 for p2p link
• Don't use EUI-64 with Global Addresses for network infrastructure
  Address will change with RMA
  Will affect DNS
  Higher Operational overhead
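An added example (not from the deck) that carves the page-16 plan out of the slides' 2001:db8:cafe::/48 and evaluates the /126, /127 and /128 choices from pages 17 to 19, including the Subnet-Router anycast collision that makes /127 depend on platform behaviour. Block names follow the figure; the "subnet_router_anycast" switch is an assumption used to model whether a platform implements that address.

```python
"""Carving the page-16 addressing plan and checking p2p/loopback prefixes.

Added example, not from the deck.  Uses the documentation prefix
2001:db8:cafe::/48 from the slides; block names follow the figure.
"""
import ipaddress
from typing import Dict, List


def carve_plan(site: str) -> Dict[str, object]:
    """/48 -> 4 x /50 functional blocks (Branch, WAN, DC, Lab); the Branch
    block -> 64 x /56, one per branch.  Returns the blocks by name."""
    net = ipaddress.IPv6Network(site)
    if net.prefixlen != 48:
        raise ValueError("the plan assumes a /48 site allocation")
    blocks = list(net.subnets(new_prefix=50))             # 2 bits -> 4 blocks
    plan: Dict[str, object] = dict(zip(["Branch", "WAN", "DC", "Lab"], blocks))
    plan["branches"] = list(blocks[0].subnets(new_prefix=56))   # 6 bits -> 64 branches
    return plan


def branch_vlans(branch: ipaddress.IPv6Network) -> List[ipaddress.IPv6Network]:
    """Each /56 gives a branch 256 /64s for Loop, WAN, DMZ and VLANs."""
    if branch.prefixlen != 56:
        raise ValueError("branch blocks are /56")
    return list(branch.subnets(new_prefix=64))


def check_link_prefix(link: str, subnet_router_anycast: bool = True) -> Dict[str, object]:
    """Evaluate a /126, /127 or /128 assignment (pages 17-19).

    The Subnet-Router anycast address (RFC 4291) is the prefix with an
    all-zero interface ID, i.e. the lowest address.  On a /127 that is one of
    the only two addresses: if the platform implements the anycast address
    the link cannot be numbered on both ends (the RFC 3627 objection); if it
    does not (the slide notes Cisco IOS does not by default) a /127 works
    (RFC 6164).  The flag models that platform behaviour; it is an assumption.
    """
    net = ipaddress.IPv6Network(link, strict=False)
    if net.prefixlen < 126:
        return {"prefixlen": net.prefixlen, "ok": True,
                "note": "host network: keep /64 so SLAAC and EUI-64 work"}
    addrs = [str(a) for a in net]
    anycast = str(net.network_address)
    if net.prefixlen == 128:
        usable = addrs                                    # loopback: the one address
    elif subnet_router_anycast:
        usable = [a for a in addrs if a != anycast]       # lowest address reserved
    else:
        usable = addrs
    needed = 1 if net.prefixlen == 128 else 2             # a p2p link needs two ends
    return {"prefixlen": net.prefixlen, "addresses": addrs, "anycast": anycast,
            "usable": usable, "ok": len(usable) >= needed}


if __name__ == "__main__":
    plan = carve_plan("2001:db8:cafe::/48")
    for name in ("Branch", "WAN", "DC", "Lab"):
        print(name, plan[name])
    first = plan["branches"][0]
    print("branch 1:", first, "->", len(branch_vlans(first)), "x /64")
    print(check_link_prefix("2001:db8:cafe:4000::/127"))
    print(check_link_prefix("2001:db8:cafe:4000::/127", subnet_router_anycast=False))
```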

Page 20:
Similar to IPv4:
• Manually configured
• Assigned via DHCP: 1 Router Solicitation (RS), 2 Router Announcement (RA), 3 DHCPv6 Request, 4 DHCPv6 Reply
New in IPv6:
• Stateless configuration: 1 Router Solicitation, 2 Router Announcement (/64 prefix, timers, etc.)
  IPv6 Address = /64 prefix + EUI64 (e.g. MAC address)
• Auto-generated pseudo-random number (rfc3041): 1 Router Solicitation, 2 Router Announcement
  IPv6 Address = /64 prefix + Random 64 bits (rfc3041)

Page 21:
• 1 – Stateless Auto Address Configuration (SLAAC) (RFC2462)
  Host autonomously configures its own Link-Local address
  Router solicitations are sent by booting nodes to request RAs for configuring the interfaces.
• 2 – Stateful DHCPv6
  Host uses DHCP to get its IPv6 address (similar to IPv4 behavior)
• 3 – Stateless DHCP
  Host uses SLAAC and also DHCP to get additional parameters such as DNS, TFTP Server, etc.
• Choice relies on RA Flags sent by the router on the LAN
  RA with "M", "A" and/or "O" Flags (figure: Router -> Host)

Page 22:
• Both SLAAC and DHCP run independently. It's perfectly valid to have both at the same time. This is the default behaviour when setting the M-Flag.

M-Flag – Managed Flag
- if the RA has the M bit set, the host should do DHCP to acquire an IPv6 address
- To enable stateful DHCP:
!
interface ethernet0/0
 ipv6 nd managed-config-flag
!

A-Flag – Autoconfiguration Flag
- if the RA has the A bit set, the host should do address autoconfiguration (SLAAC)
- To disable autoconfig and clear the A-flag:
!
interface ethernet0/0
 ipv6 nd prefix 2001:DB8:1:CAFE::/64 300 300 no-autoconfig
!

O-Flag – To enable stateless DHCP in addition to SLAAC, use the O-Flag:
!
interface ethernet0/0
 ipv6 nd other-config-flag
!
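An added example (not Cisco code) for pages 20 to 22: it decodes a constructed ICMPv6 Router Advertisement, maps the M/O header flags and the A flag of the Prefix Information option to the three host behaviours on page 21, and derives the SLAAC address from a /64 plus a modified EUI-64 as on page 20. The RA bytes are built by build_ra() with the checksum left at zero; the MAC 000d.6084.2c7a is the one shown in the page-33 neighbor cache output.

```python
"""Decode a Router Advertisement and derive the page-21/22 host behaviour.

Added example, not Cisco code.  RA bytes are constructed with build_ra() and
carry no checksum; the M/O flags and the A flag map to the three IOS
commands above (managed-config-flag, prefix ... no-autoconfig, other-config-flag).
"""
import ipaddress
import struct
from typing import Dict

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
FLAG_M, FLAG_O = 0x80, 0x40          # RA header flags (RFC 4861)
PI_FLAG_L, PI_FLAG_A = 0x80, 0x40    # Prefix Information option flags


def build_ra(m: bool, o: bool, prefix: str, autoconfig: bool, lifetime: int = 1800) -> bytes:
    """Constructed RA (checksum left 0): header + one Prefix Information option."""
    flags = (FLAG_M if m else 0) | (FLAG_O if o else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = PI_FLAG_L | (PI_FLAG_A if autoconfig else 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      300, 300, 0)                       # valid/preferred = 300 as on the slide
    return hdr + opt + net.network_address.packed


def parse_ra(data: bytes) -> Dict:
    """Parse the RA header flags and every Prefix Information option."""
    if len(data) < 16 or data[0] != ND_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHII", data[4:16])
    ra: Dict = {"M": bool(flags & FLAG_M), "O": bool(flags & FLAG_O),
                "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")       # RFC 4861 4.6: must discard
        end = off + olen * 8
        if end > len(data):
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", data[off + 2:off + 12])
            prefix = ipaddress.IPv6Address(data[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "L": bool(pflags & PI_FLAG_L), "A": bool(pflags & PI_FLAG_A),
                                   "valid": valid, "preferred": preferred})
        off = end
    return ra


def host_mode(ra: Dict) -> str:
    """What an RFC 4862 host does with these flags (page 21's three cases)."""
    slaac = any(p["A"] for p in ra["prefixes"])
    if ra["M"]:                                # stateful DHCPv6; SLAAC continues if A is set
        return "stateful-dhcpv6+slaac" if slaac else "stateful-dhcpv6"
    if slaac and ra["O"]:
        return "slaac+stateless-dhcpv6"        # address via SLAAC, DNS etc. via DHCPv6
    return "slaac" if slaac else "none"


def slaac_address(prefix: str, mac: str) -> str:
    """Page 20: IPv6 address = /64 prefix + modified EUI-64 from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", "")))
    if len(b) != 6:
        raise ValueError("MAC must be 48 bits")
    b[0] ^= 0x02                               # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


if __name__ == "__main__":
    ra = parse_ra(build_ra(m=True, o=False, prefix="2001:db8:1:cafe::/64", autoconfig=False))
    print(ra, host_mode(ra))
    print(slaac_address("2001:db8:1:cafe::/64", "000d.6084.2c7a"))
```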

Page 23: (agenda repeated from page 2)

Page 24:
Figure: three services around the enterprise IPv4/IPv6 network
• Dual Stack: Recommended Enterprise Co-Existence Strategy
• Tunneling Services: Connect Islands of IPv6 or IPv4 (IPv4 over IPv6, IPv6 over IPv4)
• Translation Services: Connect to the IPv6 Community (IPv4 <-> IPv6)
  Business Partners, Internet consumers, Remote Workers, International Sites, Government Agencies

Page 25:
• Hosts today are IPv4+IPv6: Windows Vista, MAC OSX, Linux, BSD
• Make the network IPv4+IPv6
• Support for every media/WAN type you want to use (Ethernet, leased-line, broadband, MPLS, etc.)
• When forced to deploy IPv6-only networks, they will be able to talk with other hosts
• Dual-stack should be the focus of your implementation
Figure labels: IPv4+IPv6 Network; IPv6-only Hosts or Network; IPv4+IPv6 Hosts

Page 26:
Figure labels: Servers; Branch; Branch; WAN; DC Access; DC Aggregation; DC/Campus Core; Campus Block; ISP; ISP; Internet Edge
• Based on Timeframe/Use case
• Internet Edge – Business continuity
• Core-to-Edge – Fewer things to touch
• Edge-to-Core – Challenging but doable

Page 27: Key Steps Summarized – IPv6 to IPv4 Translation using Stateful NAT64
Step 1: Enterprise registers the public-facing IPv6 address representing the enterprise, e.g. Example-v4.com as 2001:db8:cafe::101, with the authoritative AAAA DNS server
Step 2: IPv6-only host connects to the service at Example-v4.com by using the IPv6 address received in the AAAA DNS response from the authoritative server
Step 3: Enterprise edge receives IPv6 packets and performs Stateful NAT64 translation
Step 4: Post translation, the enterprise edge forwards the IPv4 packets to Example-v4.com servers as regular IPv4 packets
Step 5: The service hosted at Example-v4.com receives and processes the request, and the communication is established
Figure labels: DNS Server; Server Farm; 6:4 (NAT64); 192.0.2.0/24; 192.168.2.1/24; 2001:db8:abcd:2::1/64; IPv6; IPv4; Bi-directional IPv6 Traffic Flow; Bi-directional IPv4 Traffic Flow; IPv4-Only Network 192.0.2.0/24, also representing IPv6 Network 2001:db8:cafe::/48; Enterprise Edge; SLB44; IPv4-only network

Page 28: (For Your Reference)
Enable IPv6 Unicast Routing:
!
ipv6 unicast-routing
!
Interface Configuration:
interface GigabitEthernet2/3/1
 description Connected to IPv4_Network
 ip address 172.16.1.1 255.255.255.252
 nat64 enable
 ! Enable NAT64 processing on this interface
!
interface GigabitEthernet2/3/2
 description Connected to IPv6_Network
 ipv6 address fd00:1::1/124
 ipv6 enable
 ! Enable IPv6 processing
 nat64 enable
 ! Enable NAT64 processing on this interface
!
NAT64 Configuration:
nat64 prefix stateful 2001:db8:cafe::/96
nat64 v4 pool mypool 203.0.113.1 203.0.113.100
nat64 v6v4 list mylist pool mypool overload
ipv6 access-list mylist
 permit ipv6 2001:db8:cafe::/48 any
Figure labels: GE 2/3/2 fd00:1::1/127; GE 2/3/1 172.16.1.1/30; 6:4; IPv6-Only Network 2001:db8:cafe::/48; IPv4-Only Network 192.0.2.0/24
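An added walk-through (not Cisco code) of what the page-27 steps and the page-28 configuration do to a packet: the RFC 6052 embedding of an IPv4 destination in the 2001:db8:cafe::/96 stateful prefix, the ACL check against 2001:db8:cafe::/48, and the per-flow binding an overloaded pool of 203.0.113.1 to 203.0.113.100 creates for the IPv6 to IPv4 direction and its reply. Hosts and ports are constructed; the prefix, pool and ACL values are the ones in the configuration above.

```python
"""Stateful NAT64 walk-through for the pages 27-28 configuration.

Added example, not Cisco code.  Prefix, pool and ACL values are the ones in
the configuration above; hosts and ports are constructed.
"""
import ipaddress
from typing import Dict, Optional, Tuple

NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:cafe::/96")      # nat64 prefix stateful
ACL_MYLIST = [ipaddress.IPv6Network("2001:db8:cafe::/48")]     # permit ipv6 ... any
POOL_FIRST = ipaddress.IPv4Address("203.0.113.1")              # nat64 v4 pool mypool
POOL_LAST = ipaddress.IPv4Address("203.0.113.100")
PORT_FIRST, PORT_LAST = 1024, 65535                            # translated ports (assumed range)


def embed_ipv4(v4: str) -> str:
    """RFC 6052 /96 mapping: the IPv4 address sits in the low 32 bits.  This is
    the AAAA answer an IPv6-only host ends up using for an IPv4-only service."""
    packed = NAT64_PREFIX.network_address.packed[:12] + ipaddress.IPv4Address(v4).packed
    return str(ipaddress.IPv6Address(packed))


def extract_ipv4(v6: str) -> Optional[str]:
    """Reverse of embed_ipv4; None if the destination is not behind NAT64."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in NAT64_PREFIX:
        return None
    return str(ipaddress.IPv4Address(addr.packed[12:]))


Flow6 = Tuple[str, int, str, int]   # (v6 src, sport, v6 dst, dport)
Flow4 = Tuple[str, int, str, int]   # (v4 src, sport, v4 dst, dport)


class StatefulNat64:
    """Per-flow bindings as created by 'nat64 v6v4 list mylist pool mypool overload'."""

    def __init__(self) -> None:
        self.v6_to_v4: Dict[Flow6, Flow4] = {}
        self.v4_to_v6: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._addr, self._port = POOL_FIRST, PORT_FIRST

    def _allocate(self) -> Tuple[str, int]:
        """Overload: many IPv6 hosts share one pool address, told apart by port;
        move to the next pool address only when the port range is exhausted."""
        if self._port > PORT_LAST:
            if self._addr >= POOL_LAST:
                raise RuntimeError("NAT64 pool exhausted")
            self._addr, self._port = self._addr + 1, PORT_FIRST
        binding = (str(self._addr), self._port)
        self._port += 1
        return binding

    def translate(self, v6_src: str, sport: int, v6_dst: str, dport: int) -> Optional[Flow4]:
        """IPv6 -> IPv4 direction.  None means 'not translated': either the ACL
        denies the source or the destination is not inside the NAT64 prefix."""
        if not any(ipaddress.IPv6Address(v6_src) in n for n in ACL_MYLIST):
            return None
        v4_dst = extract_ipv4(v6_dst)
        if v4_dst is None:
            return None
        key: Flow6 = (v6_src, sport, v6_dst, dport)
        if key not in self.v6_to_v4:
            v4_src, tport = self._allocate()
            self.v6_to_v4[key] = (v4_src, tport, v4_dst, dport)
            self.v4_to_v6[(v4_src, tport)] = (v6_src, sport)
        return self.v6_to_v4[key]

    def reverse(self, v4_dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """IPv4 -> IPv6 direction for the reply: only existing bindings pass."""
        return self.v4_to_v6.get((v4_dst, dport))


if __name__ == "__main__":
    nat = StatefulNat64()
    print(embed_ipv4("192.0.2.10"))
    print(nat.translate("2001:db8:cafe:2::10", 50000, embed_ipv4("192.0.2.10"), 80))
    print(nat.reverse("203.0.113.1", 1024))
```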

Page 29:
• Dual Stack = Two protocols running at the same time (IPv4/IPv6)
• #1 requirement—switching/routing platforms must support hardware-based forwarding for IPv6
• IPv6 is transparent on L2 switches but consider:
  L2 multicast—MLD snooping
  IPv6 management—Telnet/SSH/HTTP/SNMP
• Expect to run the same IGPs as with IPv4
Figure labels: Dual-stack Server; L2/L3; v6-Enabled (at every layer); IPv6/IPv4 Dual Stack Hosts; Aggregation Layer (DC); Access Layer (DC); Access Layer; Distribution Layer; Core Layer; Dual Stack

Page 30:
• Plan "B" if a Layer 3 device can't support IPv6 but you have to get IPv6 over it
• Offers IPv6 connectivity via multiple options
  Dual-stack
  Configured tunnels—L3-to-L3
  ISATAP—Host-to-L3
• Leverages existing network
• Offers natural progression to full dual-stack design
• May require tunneling to less-than-optimal layers (i.e. core layer)
• ISATAP creates a flat network (all hosts on same tunnel are peers)
  - Create tunnels per VLAN/subnet to keep same segregation as existing design
• Provides basic HA of ISATAP tunnels via old Anycast-RP idea
Figure labels: Dual-stack Server; L2/L3; v6-Enabled; NOT v6-Enabled; v6-Enabled; NOT v6-Enabled; IPv6/IPv4 Dual Stack Hosts; v6-Enabled; v6-Enabled; ISATAP (two tunnels); Aggregation Layer (DC); Access Layer (DC); Access Layer; Distribution Layer; Core Layer; Dual Stack

Page 31:
Figure: WAN deployment options
• Dual Stack IPv4/IPv6 (Preferred): Dual Stack CPEs, Dual Stack Headquarters, Dual Stack WAN; Subscriber Network – Dual Stack WAN – Subscriber Network
• IPv6-Only Subscriber, IPv6 Rapid Deployment: CE – MPLS IPv4 Core – CE; Customer Network – Customer Network
• 6VPE Core: Dual Stack IPv4/IPv6 VPN Service; Customer Network – Customer Network
• Carrier Grade NAT
• Using Tunnels over the IPv4 WAN: Manually configured tunnels, IPv6 over GRE, LISP, IPSec Tunnels, Dynamic Multipoint VPN (DMVPN)

Page 32: (agenda repeated from page 2)

Page 33:
• IPv6 Neighbor Cache = ARP for IPv4
  In dual-stack networks the first-hop routers/switches will now have more memory consumption due to IPv6 neighbor entries (can be multiple per host) + ARP entries
  ARP entry for a host in the campus distribution layer:
    Internet 10.120.2.200 2 000d.6084.2c7a ARPA Vlan2
  IPv6 Neighbor Cache entries (same MAC address):
    2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1 4 000d.6084.2c7a STALE Vl2
    2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2
    FE80::7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2
• Full internet route tables—ensure to account for TCAM/memory requirements for both IPv4/IPv6—not all vendors can properly support both
• Multiple routing protocols—IPv4 and IPv6 will have separate routing protocols. Ensure enough CPU/Memory is present
• Control plane impact when using tunnels—terminate ISATAP/configured tunnels in HW platforms when attempting large-scale deployments (hundreds/thousands of tunnels)

Page 34:
HSRP for v6
• Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
• Virtual MAC derived from HSRP group number and virtual IPv6 link-local address
  (figure: HSRP Active, HSRP Standby)
GLBP for v6
• Modification to Neighbor Advertisement, Router Advertisement—GW is announced via RAs
• Virtual MAC derived from GLBP group number and virtual IPv6 link-local address
  (figure: GLBP AVG/AVF, GLBP AVF/SVF)
Neighbor Unreachability Detection
• For rudimentary HA at the first hop
• Hosts use NUD "reachable time" to cycle to the next known default gateway (30s by default)
  (figure: RA sent with Reach-time = 5,000 msec)

Page 35: (For Your Reference)
• HSRP for IPv4 and IPv6 have a similar state machine
• Differences between HSRP for IPv6 and IPv4:
  Host will learn the default gateway through router RA messages (no need to configure a default gateway)
  Active HSRP router will by default send an RA every 200 seconds
  Standby HSRP router will suppress its RA messages
• HSRP for IPv6 vs. IPv6 ND
  Provides predictable IPv6 Host-to-Router redundancy and faster failover – default 10 seconds vs. default 30 seconds
  Reduces ND traffic overhead (NS/NA messages) associated with reducing the ND Reachable Time timer
Configuration (figure: HSRP Active / HSRP Standby):
interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 ipv6 cef
 standby version 2
 standby 1 ipv6 autoconfig
 standby 1 timers msec 250 msec 800
 standby 1 preempt
 standby 1 preempt delay minimum 180
 standby 1 authentication md5 key-string cisco
 standby 1 track FastEthernet0/0

Page 36:
• IPv4 and IPv6 QoS features are mostly compatible (RFC 2460/3697)
• Both transports use DSCP (aka Traffic Class)
• Future use of the Flow Label will be a viable option if application differentiation is required or source-specific traffic characteristics are needed
• IPv4 syntax has used "ip" following match/set statements
  Example: match ip dscp, set ip dscp
• Modification in QoS syntax to support IPv6 and IPv4
  New match criteria
    match dscp — Match DSCP in v4/v6
    match precedence — Match Precedence in v4/v6
  New set criteria
    set dscp — Set DSCP in v4/v6
    set precedence — Set Precedence in v4/v6
• Additional support for IPv6 does not always require new Command Line Interface (CLI)
  Example—WRED

Page 37:
RIP: RIPv2 for IPv4, RIPng for IPv6. Distinct but similar protocols, with RIPng taking advantage of IPv6 specificities
OSPF: OSPFv2 for IPv4, OSPFv3 for IPv6. Distinct but similar protocols, with OSPFv3 being a cleaner implementation that takes advantage of IPv6 specificities
IS-IS: Extended to support IPv6. Natural fit to some of the IPv6 foundational concepts. Supports Single and Multi Topology operation
EIGRP: Extended to support IPv6 (IPv6_REQUEST_TYPE, IPv6_METRIC_TYPE, IPv6_EXTERIOR_TYPE). Some changes reflecting IPv6 characteristics
BGP: New MP_REACH_NLRI, MP_UNREACH_NLRI, AFI=2 with SAFI for Unicast/Multicast/Label/VPN. Peering over IPv6 or IPv4 (route maps)
For all intents and purposes, IPv6 IGPs are similar to their IPv4 counterparts
IPv6 IGPs have additional features that could lead to new designs

Page 38: (agenda repeated from page 2)

Page 39:
• Your host:
  IPv4 is protected by your favorite personal firewall...
  IPv6 is enabled by default (Windows 7, Linux, Mac OS/X, ...)
• Your network:
  Does not run IPv6
• Your assumption:
  I'm safe
• Reality
  You are not safe
  Attacker sends Router Advertisements
  Your host silently configures to IPv6
  You are now under IPv6 attack
=> Probably time to think about IPv6 in your network

Page 40

What is specific with IPv6 in the L2 domain? More addresses!

• More end-nodes allowed on the link (up to 2^64!)

• More states (neighbor cache, etc.) on hosts, routers and switches

• Creates new opportunities for DoS and MiM attacks

Attacks on Router Discovery: Fake router

Attack on Address Configuration

Attack On Address Resolution

DoS Attacks On Neighbor Cache, etc.


Page 41

[Figure legend: host, router, time server, web server, trusted end-nodes, un-trusted end-nodes, attacker, DHCP server/relay]

• Distributed: security verified between any pair of nodes

• Centralized: security verified between each node and the central switch

Page 42

• Advantages

– No central administration, no central operation

– No bottleneck, no single-point of failure

– Intrinsic part of the link-operations

– Not tied to the L2 infrastructure

– Load distribution

• Disadvantages

– Heavy provisioning of end-nodes

– Only provisioned end-nodes are protected

– Tied to node capabilities

– Bootstrapping issue

– Complexity spread all over the domain.

[Figure: provisioning infrastructure (configuration server, DHCP server, time server, certificate server), hosts, L2/link infrastructure, Internet]

Page 43

• SeND is NOT a new protocol

• SeND is "just" an extension to NDP

• Therefore ND+SeND remains a protocol operating on the link

• SeND is a distributed mitigation mechanism

• Provides Address ownership proof and Router authorization

• It does not verify other key role legitimacy (DHCP server, NTP server, etc.)

• SeND does not provide any "end-to-end" security

• SeND specified in RFC3971 and RFC3972

• Requires IOS 12.4(24)T

Page 44

• To benefit fully from SeND, nodes must:

Be provisioned with CA certificate(s)

Be time synchronized / have access to the NTP server

Have access to a CRL or OCSP server

Have a private/public key pair for CGA

• Overhead introduced

Routers have to do many public/private key calculations (some may be done in advance of use)

=> Potential DoS target

Routers need to keep more state

• Available:

Unix (DoCoMo), Cisco IOS 12.4(24)T

• Microsoft:

no support in Windows Vista, 2008 and Windows 7
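SeND's "address ownership proof" rests on Cryptographically Generated Addresses (RFC 3972): the interface identifier is a hash of the node's public key, so a peer can check that whoever sends an ND message for that address holds the key it was derived from. The Python below is an added example written for this page, not Cisco or DoCoMo code; it goes beyond the slide by carrying the RFC 3972 generation and verification steps through for Sec=0 and Sec=1. The public key is a constructed byte string standing in for the DER-encoded key, extension fields are omitted, and the RSA signature SeND adds over the ND message is out of scope.

```python
import hashlib
import os
from ipaddress import IPv6Address

PUBKEY = b"constructed-public-key-bytes"  # constructed stand-in for a DER SubjectPublicKeyInfo

def _hash1(modifier: bytes, prefix8: bytes, collision: int, pubkey: bytes) -> bytearray:
    """Leftmost 64 bits of SHA-1 over the CGA Parameters (RFC 3972 section 4, no extension fields)."""
    return bytearray(hashlib.sha1(modifier + prefix8 + bytes([collision]) + pubkey).digest()[:8])

def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2: leftmost 112 bits of SHA-1(modifier | 9 zero bytes | key); 16*Sec leading bits must be 0."""
    h = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return h >> (112 - 16 * sec) == 0

def _interface_id(h1: bytearray, sec: int) -> bytes:
    h1[0] = (h1[0] & 0x1C) | (sec << 5)   # bits 0-2 carry Sec; u/g bits (6, 7) are cleared
    return bytes(h1)

def cga_generate(prefix: str, pubkey: bytes, sec: int = 0, collision: int = 0):
    """Return (address, cga_parameters); the parameters travel in the ND CGA option for peers to verify."""
    prefix8 = IPv6Address(prefix).packed[:8]
    modifier = os.urandom(16)
    while not _hash2_ok(modifier, pubkey, sec):        # brute-force search, about 2^(16*Sec) SHA-1s
        modifier = ((int.from_bytes(modifier, "big") + 1) % 2**128).to_bytes(16, "big")
    iid = _interface_id(_hash1(modifier, prefix8, collision, pubkey), sec)
    return IPv6Address(prefix8 + iid), modifier + prefix8 + bytes([collision]) + pubkey

def cga_verify(address: str, params: bytes) -> bool:
    """Ownership check a SeND peer runs: recompute Hash1/Hash2 from the received CGA Parameters."""
    addr = IPv6Address(address).packed
    if len(params) < 25:
        return False
    modifier, prefix8, collision, pubkey = params[:16], params[16:24], params[24], params[25:]
    if collision > 2 or prefix8 != addr[:8]:           # RFC 3972 section 5, steps 1 and 2
        return False
    sec = addr[8] >> 5                                 # Sec is read back from the address itself
    if _interface_id(_hash1(modifier, prefix8, collision, pubkey), sec) != addr[8:]:
        return False
    return _hash2_ok(modifier, pubkey, sec)
```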

Page 45

• Advantages

– Central administration, central operation

– Complexity and provisioning limited to first hop

– All nodes protected

– Transitioning is a lot easier

• Disadvantages

– Applicable only to certain topologies

– Requires first-hop to learn about end-nodes

– First-hop can be a bottleneck and single-point of failure

[Figure: provisioning infrastructure (configuration server, DHCP server, time server, certificate server), hosts, L2/link infrastructure, Internet]

Page 46

• Takes care of all nodes' security, primarily from a link-operations standpoint

• Leverages information gleaned by snooping link operations

• The switch does/will integrate a set of monitoring, inspection and guard features

• Port ACL

• ACL Based RA Guard

• ACL based DHCP Guard

• RA Guard

• NDP Inspection

• Device Tracking

Page 47

ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any
!
interface gigabitethernet 1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in

For Your Reference
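The rogue-RA scenario of slide 39 and the RA-blocking port ACL above both come down to classifying Router Advertisements at the first hop. The Python below is an added example written for this page (not code from the slides or from Cisco IOS) that performs that classification in software: it walks the extension-header chain, pulls the Prefix Information options out of an RA and checks source and prefixes against an allow-list, as an RA Guard does. The router address, prefixes and frames are constructed; the one case a stateless filter cannot classify, an ICMPv6 header sitting behind a Fragment header, is reported as uninspectable rather than permitted (RFC 6980 forbids fragmented ND for this reason).

```python
import struct
from ipaddress import IPv6Address, IPv6Network

ICMPV6, RA_TYPE, FRAGMENT = 58, 134, 44
WALKABLE = {0, 43, 60}  # hop-by-hop, routing, destination options: skippable via their length field
POLICY = {IPv6Address("fe80::1"): {IPv6Network("2001:db8:1::/64")}}  # constructed: router -> prefixes

def parse_ra(pkt: bytes):
    """(src, prefixes) of a Router Advertisement; None if not an RA; ValueError if fragmented (RFC 6980)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, src, off = pkt[6], IPv6Address(pkt[8:24]), 40
    while nxt in WALKABLE and off + 2 <= len(pkt):        # skip extension headers in front of ICMPv6
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt == FRAGMENT:
        raise ValueError("fragmented packet: upper-layer header not visible to a stateless inspector")
    if nxt != ICMPV6 or off + 16 > len(pkt) or pkt[off] != RA_TYPE:
        return None
    prefixes, opt = [], off + 16                            # 16-byte fixed RA header, then TLV options
    while opt + 2 <= len(pkt):
        typ, length = pkt[opt], pkt[opt + 1] * 8
        if length == 0 or opt + length > len(pkt):          # zero-length or truncated option: stop
            break
        if typ == 3 and length == 32:                       # Prefix Information option (RFC 4861 4.6.2)
            prefixes.append(IPv6Network((IPv6Address(pkt[opt + 16:opt + 32]), pkt[opt + 2]), strict=False))
        opt += length
    return src, prefixes

def ra_guard_verdict(pkt: bytes, policy=POLICY) -> str:
    """RA Guard style decision for one frame arriving on an access port."""
    try:
        parsed = parse_ra(pkt)
    except ValueError:
        return "uninspectable"   # must not be forwarded as if it were "not an RA"
    if parsed is None:
        return "permit"          # not an RA: outside this guard's scope
    src, prefixes = parsed
    if src not in policy or any(p not in policy[src] for p in prefixes):
        return "drop-rogue-ra"
    return "permit"

def build_ra(src: str, prefix: str, ext=None) -> bytes:
    """Constructed test frame: IPv6 header, optional extension header, RA with one /64 PIO (checksum 0)."""
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0) + IPv6Address(prefix).packed
    ext_bytes, nxt = {0: (bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]), 0),             # hop-by-hop + PadN
                      FRAGMENT: (struct.pack("!BBHI", ICMPV6, 0, 0, 1), FRAGMENT)}.get(ext, (b"", ICMPV6))
    payload = ext_bytes + icmp + pio
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), nxt, 255)
    return hdr + IPv6Address(src).packed + IPv6Address("ff02::1").packed + payload
```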

Page 48

IPv6 FHS (first-hop security) features:

• IPv6 Integrity Guard

– Integrity protection for the FHS binding table

– Protection against IPv6 address theft

– Protection against MiM attacks

• IPv6 RA Guard

– Protection against rogue or malicious Router Advertisements

– Protection against MiM & DoS attacks

• IPv6 DHCP Guard

– Rejects invalid DHCP Offers

• IPv6 Source Guard

– Validates source address or prefix

– Protects against source address spoofing

• IPv6 Destination Guard

– Validates destination address of IPv6 traffic reaching the link

– Protects against scanning or DoS attacks

Page 49

• IPv6 Current status

• IPv6 Planning Steps

• IPv6 Address consideration

• Transition Mechanisms

• IPv6 Co-existence Considerations

• IPv6 Security

• Conclusion, Q&A

Page 50

• IPv6 is coming whether you want it or not! – and yes, it did take some time before that was a reality

• IPv4 & IPv6 will coexist for the foreseeable future

No D-Day / Flag Day

• IPv6 is NOT a feature.

It is about the fundamental IP network layer model developed for end-to-end services and network transparency

• "Dual stack where you can, tunnel where you must"

• IPv4/IPv6 Translation (NAT64) as transient solution

• Now is the time to build an IPv6 transition strategy for your IT infrastructure

Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network, Security and Operations/Management

• Deploy it – at least in a lab – IPv6 won't bite

Page 51

Page 52

Please rate this talk.

T-NET5