Slide 1: IPv6 Transition
Tony Hain, Cisco Systems, [email protected]
© 2003 Cisco Systems, Inc. All rights reserved.
Slide 2: Outline
• Business Case
• Deployment Tool Set
• Environments
• Strategy
Slide 3: Transition Variables
• Business Requirements
  Time frame required to meet a set of business requirements
  Need for applications to communicate between administrative domains
  New functions that can exist without extensive access to legacy IPv4 nodes
  Mission-critical applications that must interoperate with legacy nodes
• Network Security Requirements
  Firewall support for both IPv4 & IPv6
  Telecommuter and Mobile Node access methods
• Availability of software & hardware upgrades for existing nodes
  Source code availability for custom applications
• Order and rate for IPv6 deployment within a network
  Current use of IPv4 private addresses and NAT
  Provider support for IPv6
Slide 4: Outline
• Business Case
• Deployment Tool Set
• Environments
• Strategy
Slide 5: IPv4-IPv6 Transition / Co-Existence
A wide range of techniques have been identified and implemented, basically falling into three categories:
(1) Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
(2) Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
(3) Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
Expect all of these to be used, in combination
Slide 6: Tools – Dual Stack
• Primary tool
• Allows continued 'normal' operation with IPv4-only nodes
• Address selection rules generally prefer IPv6
• DSTM variant allows temporary use of IPv4 pool
[Figure: two IPv6-enabled networks on either side of the IPv4-only Internet]
Slide 7: Dual Stack Approach
• Dual stack node means:
  Both IPv4 and IPv6 stacks enabled
  Applications can talk to both
  Choice of the IP version is based on name lookup and application preference
[Figure: two protocol stacks, each with TCP/UDP over IPv4 and IPv6 over Data Link (Ethernet), with Ethernet frame protocol IDs 0x0800 (IPv4) and 0x86dd (IPv6). Left: IPv6-enabled Application (preferred method on an application's servers). Right: Legacy Application]
Slide 8: Dual-Stack Approach
• When adding IPv6 to a system, do not delete IPv4
  This multi-protocol approach is familiar and well-understood (e.g., for AppleTalk, IPX, etc.)
  Note: in most cases, IPv6 will be bundled with new OS releases, not an extra-cost add-on
• Applications (or libraries) choose the IP version to use
  When initiating, based on DNS response: prefer scope match first; when equal scope, IPv6 over IPv4
  When responding, based on the version of the initiating packet
• This allows indefinite co-existence of IPv4 and IPv6, and gradual app-by-app upgrades to IPv6 usage
Slide 9: Dual Stack Approach & DNS
[Figure: a dual-stack host asks the DNS Server "www.a.com = * ?" and receives both an IPv6 answer (3ffe:b00::1) and an IPv4 answer (10.1.1.1)]
• In a dual stack case, an application that:
  Is IPv4 and IPv6-enabled
  Asks the DNS for all types of addresses
  Chooses one address and, for example, connects to the IPv6 address
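The selection rule stated on slides 8 and 9 (ask for every address type, prefer a scope match, then IPv6 over IPv4) as an added worked example. This is not code from the presentation or from any Cisco product; the DNS answer table is constructed for the example (www.a.com carries the two addresses on the slide, legacy.a.com is an added IPv4-only name), and the three-level scope classification is a simplification of the RFC 3484-style rules, not a full implementation of them.

```python
import ipaddress

# Constructed DNS answers (no real hosts): www.a.com carries the two addresses
# shown on the slide; legacy.a.com is an added IPv4-only name for contrast.
DNS_ANSWERS = {
    "www.a.com":    {"AAAA": ["3ffe:b00::1"], "A": ["10.1.1.1"]},
    "legacy.a.com": {"AAAA": [],              "A": ["10.1.1.2"]},
}


def scope_of(addr):
    """Address scope as a small integer: 1 link-local, 2 site/private, 3 global."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        return 1
    if ip.version == 6 and ip.is_site_local:      # fec0::/10, site-local as used in 2003
        return 2
    if ip.version == 4 and ip.is_private:         # RFC 1918 space, typically behind NAT
        return 2
    return 3


def lookup_all(name):
    """Ask 'the DNS' for all address types (AAAA and A) and return every answer."""
    rr = DNS_ANSWERS.get(name, {})
    return list(rr.get("AAAA", [])) + list(rr.get("A", []))


def select_destination(name, local_addrs):
    """Choose one destination for an initiating dual-stack application.

    Rule from the slide: prefer a destination whose scope matches one of our own
    addresses of the same IP version; among equal scope matches prefer IPv6.
    Returns None when the name has no address of either type.
    """
    candidates = lookup_all(name)
    if not candidates:
        return None
    local_scopes = {}
    for a in local_addrs:
        ip = ipaddress.ip_address(a)
        local_scopes.setdefault(ip.version, set()).add(scope_of(a))

    def rank(addr):
        ip = ipaddress.ip_address(addr)
        scope_match = scope_of(addr) in local_scopes.get(ip.version, set())
        return (scope_match, ip.version == 6)   # scope match first, then IPv6 over IPv4

    return max(candidates, key=rank)


if __name__ == "__main__":
    # Host with a global IPv6 address: the IPv6 answer wins.
    print(select_destination("www.a.com", ["3ffe:b00::2", "10.1.1.5"]))
    # Host whose only IPv6 address is link-local: the scope match (IPv4) wins.
    print(select_destination("www.a.com", ["fe80::1", "10.1.1.5"]))
```

The second call is the case worth noticing operationally: a host that has only a link-local IPv6 address (no router advertisement reached it, or IPv6 is enabled but not routed) still resolves AAAA records, and without the scope-match rule it would try the unreachable IPv6 destination first.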
Slide 10: Cisco IOS Dual Stack Configuration
[Figure: Dual-Stack Router attached to an IPv6 and IPv4 network; IPv4: 192.168.99.1, IPv6: 2001:410:213:1::/64 eui-64]
router#
  ipv6 unicast-routing
  interface Ethernet0
   ip address 192.168.99.1 255.255.255.0
   ipv6 address 2001:410:213:1::/64 eui-64
• Cisco IOS is IPv6-enabled:
  If IPv4 and IPv6 are configured on one interface, the router is dual-stacked
  Telnet, Ping, Traceroute, SSH, DNS client, TFTP, …
Slide 11: Tools – Tunneling
• Nodes view the IPv4 network as a logical NBMA link-layer
• May be used in conjunction with dual-stack
[Figure: two IPv6-enabled networks tunneling across the IPv4-only Internet]
Note: Tunnels may be end to middle as shown, or middle to middle, or end to end.
Slide 12: IPv6 over IPv4 Tunnels
[Figure: IPv6 Host – Dual-Stack Router – IPv4 network – Dual-Stack Router – IPv6 Host, with an IPv6 network at each end. Tunnel: IPv6 in IPv4 packet. Packet layout at the hosts: IPv6 Header | Transport Header | Data; inside the tunnel: IPv4 Header | IPv6 Header | Transport Header | Data]
• Tunneling is encapsulating the IPv6 packet in the IPv4 packet
• Tunneling can be used by routers and hosts
Slide 13: Tunneling Mechanisms (operationally challenging)
• Configured
  Prearranged addresses for both IPv4 & IPv6, manually configured
• Tunnel Broker
  Builds on configured tunnel via IPv4 auth scheme to establish mapping; typically default route
• 6over4
  Any address, but requires IPv4 multicast for ND
• Automatic
  Host-to-host; IPv4 address embedded in low 32 bits with prefix ::/96
  Deprecated as it requires injecting the IPv4 BGP table into IPv6 routing
Slide 14: Tunneling Mechanisms (primary set)
• 6to4
  Automatic prefix allocation based on public IPv4
• ISATAP
  Intra-site automatic tunneling with any prefix
• Teredo
  IPv6 over UDP/IPv4 to traverse NAT
Slide 15: Manually Configured Tunnel (RFC 2893)
[Figure: Dual-Stack Router1 (IPv4: 192.168.99.1, IPv6: 3ffe:b00:c18:1::3) and Dual-Stack Router2 (IPv4: 192.168.30.1, IPv6: 3ffe:b00:c18:1::2), each fronting an IPv6 network, joined by a tunnel across the IPv4 network]
router1#
  interface Tunnel0
   ipv6 address 3ffe:b00:c18:1::3/64
   tunnel source 192.168.99.1
   tunnel destination 192.168.30.1
   tunnel mode ipv6ip
router2#
  interface Tunnel0
   ipv6 address 3ffe:b00:c18:1::2/64
   tunnel source 192.168.30.1
   tunnel destination 192.168.99.1
   tunnel mode ipv6ip
• Manually configured tunnels require:
  Dual stack end points
  Both IPv4 and IPv6 addresses configured at each end
Slide 16: IPv4 Compatible Tunnel (RFC 2893)
• IPv4-compatible addresses are an easy way to autotunnel, but they:
  May be deprecated soon
[Figure: two Dual-Stack Routers across an IPv4 network; left: IPv4 192.168.99.1, IPv6 ::192.168.99.1; right: IPv4 192.168.30.1, IPv6 ::192.168.30.1]
Slide 17: 6to4 Tunnel (RFC 3056)
[Figure: 6to4 Router1 (E0 192.168.99.1 = network prefix 2002:c0a8:6301::/48) and 6to4 Router2 (E0 192.168.30.1 = network prefix 2002:c0a8:1e01::/48), each fronting an IPv6 network, connected across the IPv4 network]
router2#
  interface Loopback0
   ip address 192.168.30.1 255.255.255.0
   ipv6 address 2002:c0a8:1e01:1::/64 eui-64
  interface Tunnel0
   no ip address
   ipv6 unnumbered Ethernet0
   tunnel source Loopback0
   tunnel mode ipv6ip 6to4
  ipv6 route 2002::/16 Tunnel0
• 6to4 Tunnel:
  Is an automatic tunnel method
  Gives a prefix to the attached IPv6 network
  2002::/16 assigned to 6to4
  Requires one global IPv4 address on each Ingress/Egress site
[Figure: 6to4 address format – 2002 (/16) | Public IPv4 address (/48) | SLA (/64) | Interface ID]
Slide 18: 6to4 Relay
[Figure: 6to4 Router1 (192.168.99.1, network prefix 2002:c0a8:6301::/48) fronting an IPv6 network, reaching a 6to4 Relay (IPv6 address 2002:c0a8:1e01::1) across the IPv4 network; the relay connects to the IPv6 Internet]
router1#
  interface Loopback0
   ip address 192.168.99.1 255.255.255.0
   ipv6 address 2002:c0a8:6301:1::/64 eui-64
  interface Tunnel0
   no ip address
   ipv6 unnumbered Ethernet0
   tunnel source Loopback0
   tunnel mode ipv6ip 6to4
  ipv6 route 2002::/16 Tunnel0
  ipv6 route ::/0 2002:c0a8:1e01::1
• 6to4 relay:
  Is a gateway to the rest of the IPv6 Internet
  Default router
  Anycast address (RFC 3068) for multiple 6to4 Relays
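An added worked example for slides 13, 17 and 18 (not code from the presentation or from Cisco IOS): it derives the 6to4 /48 from the public IPv4 address as the slide's figures do (192.168.99.1 gives 2002:c0a8:6301::/48), picks the outer IPv4 destination the way the `ipv6 route 2002::/16 Tunnel0` plus default-route configuration does, builds the deprecated IPv4-compatible form from slide 13 for comparison, and applies the decapsulation consistency checks a 6to4 router should make on received packets (RFC 3964 describes the spoofing risk they address). The relay anycast address 192.88.99.1 is the RFC 3068 value and is not on the slide; the packet addresses in the usage are constructed from the slide's example networks.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = "192.88.99.1"     # RFC 3068 well-known 6to4 relay anycast address (assumed default)


def sixto4_prefix(public_ipv4):
    """Site /48 derived from the site's public IPv4 address: 2002:WWXX:YYZZ::/48."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(addr6):
    """IPv4 address carried in bits 16-47 of a 2002::/16 address, or None if not 6to4."""
    ip = ipaddress.IPv6Address(addr6)
    if ip not in SIXTO4:
        return None
    return str(ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF))


def tunnel_destination(dst6, relay=RELAY_ANYCAST):
    """Outer IPv4 destination chosen by a 6to4 router: the embedded address for a
    2002::/16 destination (the 'ipv6 route 2002::/16 Tunnel0' case), otherwise the
    relay reached through the default route."""
    return embedded_ipv4(dst6) or relay


def ipv4_compatible(addr4):
    """Deprecated IPv4-compatible form ::a.b.c.d (IPv4 in the low 32 bits under ::/96)."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(addr4)))


def accept_6to4_packet(outer_src4, inner_src6, inner_dst6, site_prefix):
    """Decapsulation checks for a 6to4 site router: an inner 6to4 source must embed the
    outer IPv4 source, and the inner destination must belong to this site.
    Returns False for packets that should be dropped."""
    src6 = ipaddress.IPv6Address(inner_src6)
    if src6 in SIXTO4 and embedded_ipv4(inner_src6) != outer_src4:
        return False            # outer and inner addresses disagree: spoofed or misrouted
    if ipaddress.IPv6Address(inner_dst6) not in site_prefix:
        return False            # not addressed to this site; a site router is not a relay
    return True


if __name__ == "__main__":
    site = sixto4_prefix("192.168.99.1")                     # Router1's prefix on the slide
    print(site)                                              # 2002:c0a8:6301::/48
    print(tunnel_destination("2002:c0a8:1e01:1::1"))         # Router2 reached directly
    print(tunnel_destination("2001:410:213:1::1"))           # native destination via relay
    # Constructed packet from Router2's site: outer source 192.168.30.1 matches the
    # inner 6to4 source, and the inner destination is inside Router1's /48.
    print(accept_6to4_packet("192.168.30.1", "2002:c0a8:1e01:1::1",
                             "2002:c0a8:6301:1::1", site))
```

The first check in accept_6to4_packet is the one that matters for a site router: because anyone on the IPv4 Internet can send protocol-41 packets to the router's public address, the embedded IPv4 address in the inner source is the only thing tying the IPv6 packet to the IPv4 host that actually sent it.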
Slide 19: Tunneling issues
• IPv4 fragments need to be reassembled at the tunnel endpoint.
• No translation of Path MTU messages between IPv4 & IPv6.
• IPv4 ICMP messages must be translated and passed back to the IPv6 originator.
• May result in an inefficient topology.
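An added worked example for slides 12 and 19 (not code from the presentation or from Cisco IOS): it builds the IPv4-in-front-of-IPv6 layout from the slide 12 figure using IP protocol number 41, decapsulates it with the checks a tunnel endpoint should make (header checksum, protocol, expected peer, inner version), and shows the MTU arithmetic behind the Path MTU bullet: the tunnel offers 20 bytes less than the IPv4 path MTU, and because the encapsulator sets DF, an oversize packet has to be refused with an ICMPv6 Packet Too Big rather than forwarded. The packets and addresses are constructed from the slide 15 tunnel example; the ICMPv6 reply itself is not built here.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41        # IANA protocol number: IPv6 carried inside IPv4 (IOS "tunnel mode ipv6ip")
IPV4_HDR_LEN = 20        # encapsulation overhead with no IPv4 options


def ipv4_checksum(header):
    """One's-complement checksum over an IPv4 header; returns 0 for a header whose field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv6_packet(src6, dst6, payload, next_header=59):
    """Constructed IPv6 packet: 40-byte header (next header 59 = no next header) plus payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed)
    return hdr + payload


def tunnel_ipv6_mtu(ipv4_path_mtu):
    """IPv6 MTU the tunnel can offer: the IPv4 path MTU less the outer header."""
    return ipv4_path_mtu - IPV4_HDR_LEN


def fits_tunnel(ipv6_packet, ipv4_path_mtu):
    """True if the packet can be encapsulated without IPv4 fragmentation.

    The encapsulator sets DF, so an oversize packet must be answered with an ICMPv6
    Packet Too Big carrying tunnel_ipv6_mtu(); an IPv4 'fragmentation needed' message
    generated inside the tunnel would never reach the IPv6 originator by itself.
    """
    return len(ipv6_packet) <= tunnel_ipv6_mtu(ipv4_path_mtu)


def encapsulate(ipv6_packet, src4, dst4, ttl=64):
    """Prepend an IPv4 header with protocol 41 and DF set, as a configured tunnel endpoint does."""
    total_len = IPV4_HDR_LEN + len(ipv6_packet)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate(ipv4_packet, expected_peer):
    """Return the inner IPv6 packet, or raise ValueError if this is not a well-formed
    protocol-41 packet from the configured tunnel peer (the 'tunnel destination')."""
    if len(ipv4_packet) < IPV4_HDR_LEN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", ipv4_packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HDR_LEN or len(ipv4_packet) < total_len:
        raise ValueError("not a complete IPv4 packet")
    if ipv4_checksum(ipv4_packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum failure")
    if proto != IPPROTO_IPV6:
        raise ValueError("not protocol 41")
    if str(ipaddress.IPv4Address(src)) != expected_peer:
        raise ValueError("outer source is not the configured tunnel peer")
    inner = ipv4_packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


def accepts(ipv4_packet, expected_peer):
    """Boolean wrapper around decapsulate() for filtering decisions."""
    try:
        decapsulate(ipv4_packet, expected_peer)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Router1 -> Router2 over the slide 15 tunnel (constructed addresses from that slide).
    inner = make_ipv6_packet("3ffe:b00:c18:1::3", "3ffe:b00:c18:1::2", b"hello")
    outer = encapsulate(inner, "192.168.99.1", "192.168.30.1")
    print(len(outer), outer[9], decapsulate(outer, "192.168.99.1") == inner)
    print(tunnel_ipv6_mtu(1500), fits_tunnel(inner, 1500))
```

The peer check in decapsulate is why slide 20's warning about sharing one IPv4 source address across several tunnel mechanisms matters: with a manually configured tunnel the endpoint knows exactly which IPv4 peer is allowed to send it protocol-41 traffic, and a packet from anyone else is dropped before its IPv6 contents are looked at.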
Slide 20: Tunneling issues II
• Tunnel interface is always up. Use a routing protocol to determine link failures.
• Be careful with using the same IPv4 source address for several tunneling mechanisms. Demultiplexing incoming packets is difficult.
Slide 21: Tools – BGP tunnel
[Figure: two IPv6 islands connected across an IPv4-only core]
• Service provider can incrementally upgrade PE routers with active customers
• Sites are connected to a Dual Stack MP-BGP-speaking edge router
• Transport across the IPv4 core can be any tunneling mechanism
Slide 22: IPv6 Provider Edge Router (6PE) over MPLS
[Figure: an IPv4/MPLS core of P routers surrounded by dual-stack IPv4-IPv6 6PE routers with MP-iBGP sessions between them; CE routers attach IPv4 sites (192.254.10.0, 192.76.10.0, 145.95.0.0) and IPv6 sites (2001:0421::, 2001:0420::, 2001:0621::, 2001:0620::)]
• IPv4 or MPLS Core Infrastructure is IPv6-unaware
• PEs are updated to support Dual Stack/6PE
• IPv6 reachability exchanged among 6PEs via iBGP (MP-BGP)
• IPv6 packets transported from 6PE to 6PE inside MPLS
Slide 23: Tools – Translation
[Figure: an IPv6-enabled network reaching the IPv4-only Internet through a translator]
• Tool of last resort
• Allows for the case where some components are IPv6-only while others are IPv4-only
• Pay attention to scaling properties
• Same application issues as IPv4/IPv4 translation
Slide 24: IPv6-IPv4 Translation Mechanisms
• Stateless
  SIIT: Address & protocol translation
  BIS (Bump-In-the-Stack): Augmentation between IPv4 stack & device driver (RFC 2767)
  BIA (Bump-In-the-API): Supports IPv4 apps over IPv6 stack
• Stateful
  NAT-PT (RFC 2766): requires an ALG for each application
  TRT – TCP-UDP Relay (RFC 3142)
  SOCKS-based Gateway (RFC 3089)
  IGMP / MLD proxy: Joins opposing groups & maps addresses
Slide 25: NAT-PT Overview
[Figure: IPv6 Host (2001:0420:1987:0:2E0:B0FF:FE6A:412C) on an IPv6-only network, NAT-PT device configured with "ipv6 nat prefix 2010::/96", IPv4 Host (172.16.1.1) on an IPv4-only network. Packet flow:
1. IPv6 Host -> NAT-PT: Src 2001:0420:1987:0:2E0:B0FF:FE6A:412C, Dst PREFIX::1
2. NAT-PT -> IPv4 Host: Src 172.17.1.1, Dst 172.16.1.1
3. IPv4 Host -> NAT-PT: Src 172.16.1.1, Dst 172.17.1.1
4. NAT-PT -> IPv6 Host: Src PREFIX::1, Dst 2001:0420:1987:0:2E0:B0FF:FE6A:412C]
PREFIX is a 96-bit field that allows routing back to the NAT-PT device
Slide 26: Translation
• May prefer to use IPv6-IPv4 protocol translation for:
  New kinds of Internet devices (e.g., cell phones, cars, appliances)
  Benefits of shedding the IPv4 stack (e.g., serverless autoconfig)
• This is a simple extension to NAT techniques, to translate header format as well as addresses
  IPv6 nodes behind a translator get full IPv6 functionality when talking to other IPv6 nodes located anywhere
  They get the normal (i.e., degraded) NAT functionality when talking to IPv4 devices
  Drawback: minimal gain over the IPv4/IPv4 NAT approach
Slide 27: Configuring Cisco IOS NAT-PT
[Figure: LAN1 2001:2::/64 on Ethernet-1 (IPv6 host 2001:2::1), NAT-PT router, LAN2 192.168.1.0/24 on Ethernet-2 with hosts .100 and .200 and a DNS server; NATed prefix 2010::/96]
interface ethernet-1
 ipv6 address 2001:2::10/64
 ipv6 nat prefix 2010::/96
 ipv6 nat
!
interface ethernet-2
 ip address 192.168.1.1 255.255.255.0
 ipv6 nat
!
ipv6 nat v4v6 source 192.168.1.100 2010::1
!
ipv6 nat v6v4 source route-map map1 pool v4pool1
ipv6 nat v6v4 pool v4pool1 192.168.2.1 192.168.2.10 prefix-length 24
!
route-map map1 permit 10
 match interface Ethernet-1
Network Address Translation-Protocol Translation, RFC 2766
• IP Header and Address translation
• Support for ICMP and DNS embedded translation
• Auto-aliasing of NAT-PT IPv4 Pool Addresses
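An added worked example for slides 25 and 27 (not code from the presentation and not how Cisco IOS implements NAT-PT internally): a small stateful translator model using the values from the slide 27 configuration, the 2010::/96 NAT prefix, the static v4v6 mapping 192.168.1.100 <-> 2010::1, and the v6v4 pool 192.168.2.1-192.168.2.10. Addresses inside the prefix without a static entry are mapped by carrying the IPv4 address in the low 32 bits, which is the RFC 2766 convention; the session table, the exhaustion behaviour and the hosts used in the usage are constructed for the example. Only address mapping is modelled: header format conversion, checksums and the per-application ALGs the slide mentions are out of scope.

```python
import ipaddress

# Values from the slide 27 configuration.
NAT_PREFIX = ipaddress.IPv6Network("2010::/96")                      # ipv6 nat prefix 2010::/96
V4_POOL = [str(ipaddress.IPv4Address("192.168.2.1") + i) for i in range(10)]  # v4pool1
STATIC_V4V6 = {"192.168.1.100": "2010::1"}                            # ipv6 nat v4v6 source ...


class NatPT:
    """Minimal stateful NAT-PT address mapper: IPv6 hosts reach IPv4 hosts through
    PREFIX::/96 destinations; each IPv6 source borrows one IPv4 pool address."""

    def __init__(self, prefix=NAT_PREFIX, pool=V4_POOL, static=STATIC_V4V6):
        self.prefix = prefix
        self.free = list(pool)
        self.v4_to_v6_static = dict(static)
        self.v6_to_v4_static = {v6: v4 for v4, v6 in static.items()}
        self.sessions = {}      # pool IPv4 address -> inside IPv6 host (the state)
        self.by_v6 = {}         # inside IPv6 host -> pool IPv4 address

    def is_translatable(self, addr6):
        """Only destinations inside the NAT prefix are routed to the translator."""
        return ipaddress.IPv6Address(addr6) in self.prefix

    def to_ipv4(self, addr6):
        """PREFIX::/96 destination -> IPv4: static entry first, else the low 32 bits (RFC 2766)."""
        a = ipaddress.IPv6Address(addr6)
        if a not in self.prefix:
            raise ValueError("destination is not in the NAT-PT prefix")
        if str(a) in self.v6_to_v4_static:
            return self.v6_to_v4_static[str(a)]
        return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))

    def to_ipv6(self, addr4):
        """IPv4 source -> PREFIX::/96 form seen by the IPv6 host (static entry first)."""
        if addr4 in self.v4_to_v6_static:
            return self.v4_to_v6_static[addr4]
        return str(ipaddress.IPv6Address(int(self.prefix.network_address)
                                         | int(ipaddress.IPv4Address(addr4))))

    def outbound(self, src6, dst6):
        """IPv6 -> IPv4 (steps 1-2 on slide 25): returns (pool IPv4 source, IPv4 destination)."""
        dst4 = self.to_ipv4(dst6)
        if src6 not in self.by_v6:
            if not self.free:
                raise RuntimeError("v4 pool exhausted")      # the scaling limit of slide 23
            pool4 = self.free.pop(0)
            self.by_v6[src6] = pool4
            self.sessions[pool4] = src6
        return self.by_v6[src6], dst4

    def inbound(self, src4, dst4):
        """IPv4 -> IPv6 (steps 3-4 on slide 25): returns (PREFIX form of source, IPv6 host),
        or None when no session owns the pool address, so unsolicited packets are dropped."""
        if dst4 not in self.sessions:
            return None
        return self.to_ipv6(src4), self.sessions[dst4]

    def pool_free(self):
        """Number of pool addresses still available."""
        return len(self.free)


if __name__ == "__main__":
    nat = NatPT()
    # Constructed flow: IPv6 host 2001:2::1 (LAN1) talks to the statically mapped 192.168.1.100.
    print(nat.outbound("2001:2::1", "2010::1"))              # ('192.168.2.1', '192.168.1.100')
    print(nat.inbound("192.168.1.100", "192.168.2.1"))       # ('2010::1', '2001:2::1')
    print(nat.inbound("192.168.1.100", "192.168.2.2"))       # None: no session for that address
    print(nat.to_ipv6("192.168.1.200"))                      # 2010::c0a8:1c8 (embedded form)
```

The inbound lookup is the stateful half the slide's "tool of last resort" warning is about: the pool of ten addresses bounds the number of simultaneously active IPv6 hosts, and every return packet depends on the session table, which is exactly what makes NAT-PT a single point of failure and a scaling concern in a way stateless SIIT is not.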
Slide 28: Outline
• Business Case
• Deployment Tool Set
• Environments
• Strategy
Slide 29: Transition environments
[Figure: the environments and the mechanisms shown for each:
Telecommuter / Residential (Cable; DSL, FTTH, Dial): IPv6 over IPv4 tunnels
Aggregation: IPv6 over IPv4 tunnels or Dual stack
ISP's: Dual Stack or MPLS & 6PE; IPv6 over IPv4 tunnels or dedicated data link layers; 6to4 Relay
IPv6 IX and 6Bone: IPv6 over IPv4 tunnels or dedicated data link layers
Enterprise: Dual Stack, ISATAP; WAN: 6to4, IPv6 over IPv4, Dual Stack]
Slide 30: Environments
• Service Provider
• Enterprise
• Unmanaged
Slide 31: Environments – Unmanaged
• No administrative staff to manage configuration or policies
• Devices need to be plug-n-play appliances
• Network & hosts share administrative policies
• Tool automation a primary concern
Slide 32: Issues
• ISP offers IPv6 service
  Edge device acquires a prefix to redistribute
• ISP still IPv4-only service (may be due to device limitations like DOCSIS modems)
  Tunneling required
  Prefix from tunnel broker or automated 6to4/Teredo
• If no auto-tunnel to native relays, may need both
Slide 33: Environments – Managed Enterprise
• Dedicated management staff & tools
• Network & hosts share administrative policies
• Applications will likely require recertification
[Figure: two Campus Networks with servers, joined by a WAN]
Slide 34: Managed networks differentiation
1. Single geographic region, single administration & policy
2. Multiple geographic regions, single administration & policy
3. Multiple geographic regions, multiple administrations & policy
4. Use of public network for transit service
   Simple routed case looks like multi-multi above
   VPN tunneled case would look like multi-single with circuit setup
5. New enterprise, looking to avoid a transition
   Deployment order: all at once by definition
For each of the 5 categories consider:
  Deployment order: Hosts & Apps first vs. Network first
  ISP offering: IPv4-only, IPv4 & IPv6, IPv6-only
Slide 35: Infrastructure concerns
• Critical Applications
• Addressing: Dynamic vs. controlled
• DNS: Dynamic vs. controlled
  Public visibility of name space
• AAA: Internal & external
  Mobility of road warriors & telecommuters
  Mobility of nodes within the enterprise
• ICMP: PMTU & neighbor discovery
• Management tools
  Trust between host & network management teams
Slide 36: Multiple Address Issues
• Renumbering simplified as old & new can overlap
• Privacy addresses reduce attack profile
• Preferred vs. valid lifetimes
• Improper configuration could lead to 100's per interface
• Diagnostics require more effort
• TE via addressing limits multi-homing flexibility
• Site-local allows internal stability
Slide 37: Routing Issues
• Allocations of ::/48 should allow self-aggregation by organizations with multiple IPv4 prefixes
• Tunneling
  Decouples network from end system deployment
  Multicast less efficient
• Native service
  May require hardware upgrades
Slide 38: Environments – Managed Service Provider
• Dedicated management staff & tools
• Network has different administrative policies than connected hosts or networks
• Interaction with Peer networks may require translation
• Services as Dual-stack
• Distributed tunnel relay service minimizes overhead
[Figure: provider Backbone with servers, offering AAA, DNS, SMTP, NAT-PT and Tunnel Relay services, connected to a Peer SP]
Slide 39: Address Allocation Issues
• From Regional Registries: ::/32 minimum
  HD ratio based on .8 utilization of ::/48s
• To Customers: ::/48 Prefix delegation via DHCPv6 (normal customer allocation)
  ::/64 Prefix delegation via RA or DHCPv6 (for single subnet sites, i.e., 802.11 hotspots)
• RFC 3041 addresses allow end system anonymity as they move between networks, but the allocated prefix still allows customer identification for LI conformance
Slide 40: Routing Issues
• Allocations should allow massive aggregation
  Current allocation policy is all PA based, so the global BGP table should approach the number of origin AS's
• Multi-homed sites still an unsolved problem
Slide 41: DNS Issues
• Dual-stack servers
• Consistency of the client and referral chain
• IPv6 glue records
• Sub-domain delegation to consumer customers?
Slide 42: SMTP Issues
• Dual-stack MTAs
• Consistency of clients and MX to A/AAAA mappings
• Broken DNS servers return 'nxdomain' for missing AAAA
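An added worked example for the last bullet (not code from the presentation): a dual-stack MTA resolving MX targets against a constructed set of DNS answers in which one server answers NXDOMAIN to the AAAA query for a host that does have an A record. The naive resolver takes NXDOMAIN at face value and loses the primary MX; the robust one queries both types for every host and only gives up on a name when both answers say it does not exist. The domain, hosts and addresses are constructed; no real DNS is queried.

```python
# Constructed resolver answers (no real hosts). mx1's AAAA query gets NXDOMAIN from a
# broken server, although its A query succeeds for the same name.
RESPONSES = {
    ("example.net", "MX"):       ("NOERROR", ["10 mx1.example.net", "20 mx2.example.net"]),
    ("mx1.example.net", "AAAA"): ("NXDOMAIN", []),          # should have been NOERROR with no data
    ("mx1.example.net", "A"):    ("NOERROR", ["10.1.1.25"]),
    ("mx2.example.net", "AAAA"): ("NOERROR", ["3ffe:b00::25"]),
    ("mx2.example.net", "A"):    ("NOERROR", ["10.1.1.26"]),
}


def query(name, qtype):
    """Stand-in for a DNS lookup: returns (rcode, records)."""
    return RESPONSES.get((name, qtype), ("NXDOMAIN", []))


def mx_hosts(domain):
    """MX target hosts in preference order (lowest preference value first)."""
    rcode, records = query(domain, "MX")
    if rcode != "NOERROR":
        return []
    return [r.split()[1] for r in sorted(records, key=lambda r: int(r.split()[0]))]


def naive_targets(domain):
    """MTA that believes NXDOMAIN literally: an NXDOMAIN on the AAAA query is taken to
    mean the host does not exist, so its A record is never asked for."""
    targets = []
    for host in mx_hosts(domain):
        rc6, aaaa = query(host, "AAAA")
        if rc6 == "NXDOMAIN":
            continue                      # wrongly drops mx1 and all mail routes through mx2
        rc4, a = query(host, "A")
        targets += [(host, x) for x in aaaa + (a if rc4 == "NOERROR" else [])]
    return targets


def robust_targets(domain, prefer_ipv6=True):
    """Query both types for every MX host; a name counts as missing only when the AAAA
    and the A query both fail, so a bogus NXDOMAIN on AAAA costs only the IPv6 path."""
    targets = []
    for host in mx_hosts(domain):
        rc6, aaaa = query(host, "AAAA")
        rc4, a = query(host, "A")
        if rc6 != "NOERROR" and rc4 != "NOERROR":
            continue                      # genuinely unresolvable host
        addrs = aaaa + a if prefer_ipv6 else a + aaaa
        targets += [(host, x) for x in addrs]
    return targets


if __name__ == "__main__":
    print(naive_targets("example.net"))     # mx1 missing
    print(robust_targets("example.net"))    # mx1 over IPv4, then mx2 over IPv6 and IPv4
```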
Slide 43: Outline
• Business Case
• Deployment Tool Set
• Environments
• Strategy
Slide 44: How Do We Get There from Here?
• Network managers must include IPv6 as a core element of their deployment strategy.
  Applications must become protocol agnostic
• IPv4 & IPv6 will coexist for the foreseeable future
  No network-wide Flag Day
• Education & Careful Planning are crucial.
  How long does it take to make changes in the environment?
• IPv4 & IPv6 implementations must be scalable, reliable, secure and feature rich.
Strategy that reflects this …
Starting with Edge upgrades enables IPv6 service offerings now
Slide 45: Strategy – Value in early deployment
• Allows early customer needs to help shape vendor priorities
• Enables smooth interaction with global economic partners motivated by limited IPv4 allocations
• Allows managing the pace of local action before the inevitable urgency arises
Slide 46: Strategy – Value in caution
• Allows others to work through early implementation inconsistencies
• Allows extended development and testing time for custom applications
• Allows normal life-cycle replacements to establish a capability baseline before turning on IPv6
Slide 47: Strategy – Value in transition tools
• Primary approach of dual-stack enables independent deployment of applications in line with local business need
• Tunneling tools decouple decisions about application & end system deployment from infrastructure deployment
• Transition tools allow timing upgrades as part of a normal life-cycle plan, or to optimize investments
Slide 48: Impediments to IPv6 deployment
Applications, Applications, Applications
The time to move to the new APIs is NOW
The most interesting applications will address business models that are not possible (or costly due to escalating operational complexity) using IPv4.
Slide 49: Summary
• Audit for business requirements and impacts
• Multiple transition technologies enable a wide variety of situations
  Dual-stack is the primary approach
  Tunneling decouples end-system & infrastructure timing
  Translation as last resort: only when absolutely necessary
• Environment characteristics will dictate technology
• Production use of IPv6 is controlled by applications that are using the new APIs.
Slide 50: Questions?