ipv6 planning, deployment and operation...

IPv6 Planning, Deployment and Operation Considerations

Jim Bailey , Technical Leader

BRKRST-2312

Source - https://imgur.com/HyCwObF

https://imgur.com/HyCwObF

Agenda

• IPv6 Market Trends

• IPv6 Planning Steps

• IPv6 Addressing

• Transition Mechanisms

• IPv6 Co-existence Considerations

• Management, Operations Troubleshooting • IPv6 DNS

• IPv6 Security

• Summary

IPv6 Market Trends

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

IPv4 Address Exhaustion

http://www.potaroo.net/tools/ipv4/

BRKRST-2312 6

http://www.potaroo.net/tools/ipv4/


% of IPv6 users as seen by Google in the U.S.

Data: Google, Forecasting: Eric Vyncke, Cisco

https://www.vyncke.org/ipv6status/project.php

% of IPv6 Enabled Web Browsers in the US https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-

adoption&tab=ipv6-adoption

Native IPv6 Traffic to Google.

IPv6 Routes

29000

IPv4 Routes

582000

http://6lab.cisco.com/stats/ BRKRST-2312 7

https://www.vyncke.org/ipv6status/project.php

https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption&tab=ipv6-adoption


Measuring Cisco IPv6 Deployment

http://www.worldipv6launch.org/measurements/

BRKRST-2312 8


• Cisco IT Situation (Public Facing) • ARIN pool exhausted on 24th Sep 2015

• Available free space on the market is fragmented

• DC Growth for 2016 driving IPv6 requirements.

Internet User – Global View

Public IPv4 address space only

Source Google

BRKRST-2312 9


Why Bother?

• Continuity of Business

• To ensure services are available to customers and partners

• New products and enhanced service delivery

• Government/Partner/Corporate mandates or regulations

• Cost

• Avoid the risk and cost associated with unplanned and uncontrolled implementation of IPv6

• Avoid the increased cost of moving to IPv6 when the industry and suppliers are driving the market

Time

IPv4 Free Pool

Size of the Internet

IPv6 Deployment

Today

?

BRKRST-2312 10

IPv6 Planning


The Scope of IPv6 DeploymentPlanning and coordination is

required from many across the

organization, including …

Network engineers & operators

Security engineers

Application developers

Desktop / Server engineers

Web hosting / content

developers

Business development

managers

…

Moreover, training will be required

for all involved in supporting the

various IPv6 based network services

BRKRST-2312 12


IPv6 Planning Steps

Evaluate effect

on business

model1

Establish IPv6

project team 2

Assess network

hardware and

software readiness6

Establish IPv6

training strategy 3

Obtain IPv6

prefixes 7

Decide IPv6

architectural

solution4

Test application

software and

services9

Develop

procurement

plan10

Develop

exception

strategy5

Develop security

policy 8

Execute BRKRST-2312 13


IPv6 deployment phases – The associated metrics

1 – PlanningPrefixes (allocated, routed, traffic)Sources: RIR db, routeview.org, BitTorrent agent

2 – The NetworkIPv6 Transit AS’s

BGP tablesSource: routeview.org, RIPE Lab

4 – User adoptionGoogle users/browsers stats

APNIC Ad’s embedded http probesSources: google stats, apnic lab

3 – Content enablementAlexa top sites / country

+ 6lab http probesSources: Alexa.com, 6lab.cisco

BRKRST-2312 14


Cisco IT Lessons Learned IPv6 impact to service providers and external partners

– Internet service providers

– CDN providers

– 3rd party application providers

Security – Firewalls

– IDS/IPS

– Security event management and forensics logging

Application visibility – Netflow V9 not supported on all platforms including collectors

– Had to shift Netflow collection into DMZ to deal with constraints above

– Use of Netflow reflectors can bring some relief

Geo-Location and Web analytics – Use of the X-Forwarded For header

Take advantage of prescheduled release windows when possible

Lessons

BRKRST-2312 15

• Core-to-Access – Gain experience with IPv6

• Turn up your servers – Enable the experience

• Access-to-Core – Securing and monitoring

• Internet Edge – Business continuity

Where do I start?

Servers

Branch Access

WAN

Core

AccessLayer

ISP ISP

InternetEdge


Common Deployment Models for Internet EdgeInternet, Partner, Branch

Enterprise

Edge

Agg +

Services

Phy/Virt.

Access

ComputeStorage

IPv4/IPv6

Host

Dual Stack

Hosts

Enterprise

Edge

Agg +

Services

Phy/Virt.

Access

ComputeStorage

IPv4/IPv6

Host

Mixed Hosts

IPv6 IPv4

SLB

64

/ N

AT

64 B

oun

dary

Multi-Tenant

Core

Agg +

Services

Phy/Virt.

Access

ComputeStorage

IPv4-onlyHosts

Pure Dual Stack Conditional Dual Stack Translation as a Service

AF

T

BRKRST-2312 17

IPv6 Readiness Assessment


Readiness Assessment

• A key and mandatory step to evaluate the impact of IPv6 integration

• Evaluate costs and define timelines

• Define the scope of integration

• Answer the question of who, what, where and how will IPv6 integration impact operations

• Should be split in several components

• Network Infrastructure, Service Providers, End Systems, Applications, Operations, Addressing

BRKRST-2312 19


Network Assessment• Break the project down into phases

• Avoids false positives and cuts back on upgrade costs

• Determine place in the network (PIN), platforms, features that are needed in each phase

• RIPE-554

• IPv6 Ready Logo Program

• Work with your vendor to address the gaps

• Applies to all of your vendors

BRKRST-2312 20


Application Assessment

Don’t Forget the Applications

BRKRST-2312 21


Commonly Deployed IPv6-enabled OS/Apps

Operating Systems

• Windows 7

• Windows Server 2008/R2

• Red Hat

• Ubuntu

• OSX/iOS

• Android

• And the list goes on …

Virtualization & Applications

• VMware vSphere 4.1

• Microsoft Hyper-V

• Microsoft Exchange 2007 SP1/2010

• Apache/IIS Web Services

• Windows Media Services

• Multiple Line of Business apps

Most commercial applications won’t be your problem

– it will be the custom/home-grown apps that are difficult

BRKRST-2312 22


What Defines an Application?

HTTP

FTP

SMTP

POP3

IMAP

HTTPS

Are these

applications?

Or just ports?

80

20/21

25

110

143

443

Are These ApplicationsWhat about these?

IPv4/IPv6 transport

BRKRST-2312 23


Services Assessment

Questions to ask your Internet Service Provider

http://docwiki.cisco.com/wiki/What_To_Ask_From_Your_Service_Provider_About_IPv6

Evaluate the organizations that are going to provide services to support your deployment

Internet Service

Application

Cloud Services

Content Management . DNS

Deployment Type

Dual Stack,

Native or Overlay

What kind of services are offered

Are they “IPv6 Capable”?

If not, when will IPv6 be integrated?

BRKRST-2312 24


Operational Assessment

• Evaluate the tools in the NMS for IPv6 capability

• All tools across the FCAPS model

• Define what is critical and what can wait

• Is it critical to support netflow or anycast DNS?

• Custom scripts

• Updated to accommodate dual transports

Override default behavior to prefer one over the other

• Are there new scripts needed?

Are both transports available?

# addresses per host, DNS queries/response, validating summarization

BRKRST-2312 25


IPv4 Address Assessment

• Assess how the existing IPv4 address space is used

• Useful information for

• IPv6 integration

• IPv4 address consolidation

• Reclaiming unused address space

• Use existing tools

• IPAM

• ARP tables

• Routing tables

• DHCP logs

Better visibility into how the existing

Address space is used

Can better answer when IPv6 is critical

BRKRST-2312 26

IPv6 Addressing


Addressing Plan Requirements and Considerations

• Clear addressing for different parts of the network

• WAN/Core, Campus, branch, DC, Internet Edge etc.

• Different Locations

• Different services

• Encoding of information

• Ease of aggregation

• Leaving space for growth

• Involvement of other teams

• E.g. Information Security

• Length of prefix and bits to work with

• Enterprises usually multiple /48 (≥ 16 bits)

• SPs should get /29 (≥ 35 bits)

• Avoid breaking the nibble boundary

• Think of # of prefixes at each level

• Templates will be your friends

• Internal policy for using the Addressing Plan

Requirements Considerations

BRKRST-2312 28


• Many ways of building an IPv6 Address Plan• Regional Breakdown, Purpose built or Generic buckets, Separate per business function

• Hierarchy is key

• Don’t worry too much about potential inefficiencies

• Prefix length selection• Network Infrastructure links, Host/End System LAN

• Addressing hosts• SLAAC, DHCP (stateful), DHCP (stateless), Manually assigned

• Building the IPv6 Address Plan• Cisco IPv6 Addressing White Paper

http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_BN_IPv6AddressingGuide-Feb2013.pdf

• BRKRST-2667 How to write an IPv6 Addressing Plan

IPv6 Address Considerations

BRKRST-2312 29

http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_BN_IPv6AddressingGuide-Feb2013.pdf


IPv6 Address Space - PI vs PA

• Do I Get PI or PA?• PI space is great for organizations who want to multihome

to different SPs

• PA if you are single homed or you plan to NAT/Proxy everything with IPv6 (not likely)

• Possible Options for PI• Get one large global block from local RIR and subnet out

per region

• Get a separate block from each of the RIR you have presence in

• Most organizations are going down the PI path• Getting assignments across regional registries provides

“insurance” against changing policies

• Traffic Engineering

BRKRST-2312 30


Addressing Recommendations

• Link Local Address

• Normally, first 64 bits are fixed

• Usually the Interface Identifier is modified

• Encoding external identifiers for troubleshooting

• VLAN number• Router IDs

• IPv4 address

• Possible to leverage for IGP routing

• Unique Local Address

• Not for end-point addressing

• Unless in a closed system

• Possible for infrastructure addressing

• Needs IPv6-to-IPv6 Network Prefix

Translation (NPTv6) on Internet Edge

• Global Unicast Address

• Vast number of prefixes

• Manage just one address spaceGlobal Address

Unique Local Address

Link-Local Address

BRKRST-2312 31


Prefix Length Considerations

• Anywhere a host exists /64

• Point to Point /127

• Should not use all 0’s or 1’s

• in the host portion

• Nodes 1&2 are not in the

• same subnet

• Loopback or Anycast /128

• RFC 7421 /64 is here

• RFC 6164 /127 cache exhaust

Pt 2 Pt /127

WAN

Core/64 or /127

Servers/64

Hosts/64

Loopback/128

BRKRST-2312 32


Point-to-Point Routed Links

• Suppress RA’s for global assigned addressing

• Disable ICMPv6 redirects

• Don’t send ICMPv6 “unreachables”

interface FastEthernet0/1

ipv6 address 2001:db8:66:67::2/127

ipv6 nd ra suppress

no ipv6 redirects

no ipv6 unreachables

BRKRST-2312 33


Longest Prefix Match (LPM) Sizing

• Recommendation is stick with /64 prefixes as the longest prefix that will have attached hosts

• What about prefixes that are longer than a /64?• Most platforms consume 2 slots for every IPv6 route and 1 slot for IPv4

• LPM can consume a greater amount of HW switching resources• Greatly limits the scalability of the platform for prefix lengths in the /64 - /127 range

• May be appropriate based on location of the device

• See first point 2001:db8:4646::/48

2001:db8:4646:5::/64

2001:db8:4646:5::aa03/127

BRKRST-2312 34


Host Address AssignmentManual Stateless Stateful DHCPv6

Pros Address is stable

Controlled assignment

Well understood process

Scales well

Time to deploy

Widely implemented

Well understood process

Controlled assignment

Time to deploy

Cons Does not scale

Time to deploy

No control on assignment process

Not well understood

Lack of management

Privacy concerns

Implementation in OS

Must design for HA

• The choice of assignment depends on the existing processes and the adaptability of that process

• Remember that the methods are not mutually exclusive - all three can be used

• Regardless of choice must still control the stateless address assignment of addresses

BRKRST-2312 35


Address Plan Example

2001:db8:1a00000000:0000000000000000::/40

24 bits for organizational subnets

4 bits to define regional prefix

8 bits to define site prefix

4 bits for subnet function

8 bits for subnets

2001:db8:1a10:1110::/64

0 = Infra

1 = Desktop

2 = Lab

3 = Guest

D = Building DC

... etc

0 = Reserved

1 = North America

2 = Europe

3 = APAC

... etc

0 = Reserved

1 = New York

2 = Atlanta

3 = Chicago

... etc

0 = Infra

XX Functional

Prefixes

BRKRST-2312 36


Link Local Only?

- Exclusively use Link Local Addresses on network infrastructure

Prefix Lengths don’t matter anymore

Network Infrastructure is un-reachable from outside of the network

- Will impact your network management system

Ping, traceroute, SNMP, TACACS, RADIUS

- See RFC 7404

BRKRST-2312 37


What about NAT

A couple of versions of address translation related to IPv6

NAT-PTOriginal specification

Deprecated

NPTv6 Stateless translation method

Only manipulate the prefix

NAT66Stateful translation

Not specified in RFC

NAT64Translation between IPv6 and IPv4 address families

Stateless and stateful methods available

Where should NAT be applied?

NAT66Address hiding ???

That’s the way we do IPv4???

It provides security???

Multi-homing

NAT64Boundaries between IPv4 only and IPv6

Highly successful in getting quick IPv6 access

Cannot be the final state

Must move towards full IPv6 integration

BRKRST-2312 38


IP Address Management

• It is normal for a single host to have 3 or more IPv6 addresses

• Each /64 subnet can have 18 million trillion addresses

• Managing a spreadsheet with 18 million trillion fields for 128 bit long addresses in HEX is not practical

• If you don’t want to do that use an IPAM solution!

• Cisco Prime Network Registrar

• Infoblox

• Bluecat

• BT Diamond

BRKRST-2312 39

Transition Mechanisms


Transition Solution Universe!

BRKRST-2312 41


Customer Network

Customer Network

Carrier Grade NAT IPv6 Rapid Deployment

CE CE

Using Tunnels

Manually configured tunnels

IPv6 over GRE

LISP

IPSec Tunnels

Dynamic Multipoint VPN (DMVPN)

Dual Stack

WAN

Dual Stack IPv4/IPv6

Dual Stack CPEs

Dual Stack Headquarters

Dual Stack WAN

Subscriber Network

Subscriber Network

MPLS IPv4 Core

Customer Network

Customer Network

6VPE Service

Dual Stack IPv4 / IPv6

6VPE VPN Service

Connecting IPv6 Sites Together

IPv4

WAN

6VPE

6VPE

BRKRST-2312 42


SP IP Network Transition options

IPv6

InternetIPv4

Internet

IPv4

IPv4 Core

Subscriber Network

NAT

IPv4 Carrier Grade NAT

NAT

IPv6 Access

Network

Dual Stack Core

Subscriber

Network

CE

IPv6-Only Subscriber

6↔4

Dual Stack Core

v6over

v4

Subscriber Network

IPv6 Rapid Deployment

6rd

or L

2T

P

6rd BR

SubscriberNetwork

v4

over

v6

Dual Stack Core

4rd

or D

S-L

ite

IPv6-Only Access Network

NAT

Dual Stack

Core+

Access (ex: DOCSIS 3.0)

Subscriber Network

PE

Native

Dual Stack

For more info see: http://www.cisco.com/go/cgv6

PE

CE CE

4rd BRAFTR

CE

LNS

IPv4 via IPv6

Using DS-Lite (w/NAT44)

MAP-E – Encap All

MAP-T - L3 and L4 in header

Lw4over6

4rd

464Xlat

6 Rapid Deployment (6rd

L2TP

Softwires

Broad Band Connectivity

Dual Stack Core

DOCSIS Access

AFT64NAT444


IPv6 and Cloud Adoption Consideration Contiguous large blocks of IPv4 not available

– Impact traffic engineering

– Introduces complexities of NAT once again

– Impacts end to end authentication

Platform and Designs built around IPv4 including scale, management and visibility

Cloud Consumption offers and tools are typically looking at IPv4 – What is being missed from a risk perspective ?

A very large percentage of DNS queries are also handing out A and AAAA records – What is being consumed?

– What happens when a work load moves?

Incorporate IPv6 into your cloud strategy– Better scalability, address aggregation

– Portolio for NFV and Service Chaining should include IPv6

– Keep an eye out for Open Stack functions and IPv6 support.

– Read the Fine Print – I.e First /64 included $ 10-20 for additional Global Address

Source: Nephos6

Action: Drive IPv6 as a firm requirement with ALL of your private/public cloud vendors and providers

BRKRST-2312 44


Recommended Approach for IPv6

• Dual-Stack to the hosts

• Hosts support dual stack• Windows, OSX, iOS, Linux, BSD

• Network support dual stack

• But…IPv4 exhaustion is underway

• Every host CANNOT be assigned an IPv4 address

Dual-Stack Deployment (RFC 4213)

IPv4+IPv6 Hosts (Dual Stack)

IPv4+IPv6

Network

BRKRST-2312 45


Dual StackProblem: IPv6 is Broken to a certain website?

BRKRST-2312 46


Dual StackSolution – Happy Eyeballs

BRKRST-2312 47


Dual StackSolution – Happy Eyeballs Optimization

BRKRST-2312 48

Coexistence Considerations


Scalability and Performance

• IPv6 Neighbor Cache = ARP for IPv4• In dual-stack networks the first hop routers/switches will now have more memory

consumption due to IPv6 neighbor entries (can be multiple per host) + ARP entries

ARP entry for host in the campus distribution layer:

Internet 10.120.2.200 2 000d.6084.2c7a ARPA Vlan2

IPv6 Neighbor Cache entry:

2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1 4 000d.6084.2c7a STALE Vl2

2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2

FE80::7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2

• There are some implications to managing the IPv6 neighbor cache when concentrating large numbers of end systems

BRKRST-2312 50


Coexistence

IPv6 Router Advertisement

– Disable when not needed

– Still needed for default GW propagation

– Use RA Guard whenever possible

Over time as new operating systems come on line it will be harder to identify “IPv6” issues.

– Most organizations not aware that IPv6 is running in the network

– Need visibility for both transport protocols

Management of SLAs and Network Management

– Understand host behavior when multiple addresses are present.

– Saves time during testing and implementation at time expected address is not being used.

Coexistence

BRKRST-2312 51


Understanding Co-Existence Implications

Resources considerations

‒ Memory (storing the same amount of IPv6 routes

requires less memory than might be expected)

‒ CPU (insignificant increase in the case of HW

platforms, additive in the case of SW platforms)

Control plane considerations

‒ Balance between IPv4/IPv6 control plane separation

and scalability of the number of sessions

Performance considerations

‒ Forwarding in the presence of advanced features

‒ Convergence of IPv4 routing protocols when IPv6 is

enabled

0

50000

100000

150000

200000

250000

300000

350000

400000

450000

0 500 1000 1500 2000 2500 3000

Number of Routes

Mem

ory

(b

yte

s)

IPv4

IPv6

Linear

(IPv6)Linear

(IPv4)

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0.45

0.5

0 500 1000 1500 2000 2500 3000

Number of Perfixes

Tim

e

IPv4 OSPF

IPv4 OSPF

IPv6 OSPF

Linear (IPv4

OSPF IPv6

OSPF)Linear (IPv4

OSPF)

BRKRST-2312 52


The Coexistence Twist

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0.45

0.5

0 500 1000 1500 2000 2500 3000

Number of Prefixes

Tim

e

IPv4 OSPF

IPv4 OSPF w/

IPv6 OSPF

Linear (IPv4

OSPF w/ IPv6

OSPF)Linear (IPv4

OSPF)

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0 500 1000 1500 2000 2500 3000

Number of Prefixes

Tim

e

IPv4 OSPF

IPv4 OSPF w/

IPv6 OSPF

Linear (IPv4

OSPF w/ IPv6

OSPF)Linear (IPv4

OSPF)

IPv6 IGP impact on the IPv4 IGP

convergence

Aggressive timers on both IGPs will highlight

competition for resources

Is parity necessary from day 1? Tuned IPv4 OSPF, Tuned IPv6 OSPF

Tuned IPv4 OSPF, Untuned IPv6 OSPF

BRKRST-2312 53


IPv6 and IPv4 Routing Protocols

OSPF

OSPFv2 for IPv4

OSPFv3 for IPv6

Distinct but similar protocols with OSPFv3 being a cleaner implementation that takes advantage of

IPv6 specificities

IS-ISExtended to support IPv6

Natural fit to some of the IPv6 foundational concepts

Supports Single and Multi Topology operation

EIGRPExtended to support IPv6

Some changes reflecting IPv6 characteristics

BGP Extended to support IPv6 through multi-protocol extensions

BRKRST-2022 Introduction to IPv6 Routing

BRKRST-2312 54


QoS Considerations

• IPv4 and IPv6 QoS features are mostly compatible (RFC 2460/3697)

• Both Transport uses DSCP (aka Traffic Class)

• Control plane Queues need to now take into account IPv6 Overhead too

• IPv6 classification can follow the same IP Precedence, Service Class, DSCP and EXP QOS Taxonomy values already defined for IPv4.

• CE devices will need additional configuration to set appropriate values on the IPv6 traffic class field.

• IPv6 will utilize the same Network Control, Voice,, Gold, Bronze, Silver, Best Effort classes

IPv6

DSCP

Fragment Offset

Flags

Total LengthType of Service

IHL

PaddingOptions

Destination Address

Source Address

Header ChecksumProtocolTime to Live

Identification

Version

IPv4

DSCP

BRKRST-2312 55


QoS CLI

• Class maps can match both IPv4 and IPv6 traffic

• Can be broken into “ip” and “ipv6” matching

• Design principles still the same

• Mark at the edge

• Trust boundaries still apply

• Queue sizing

class-map match-any Critical_Data

match dscp af21

class-map match-any Voice

match dscp ef

class-map match-all Scavenger

match dscp cs1

class-map match-any Bulk_Data

match dscp af11

!

policy-map DISTRIBUTION

class Voice

priority percent 10

class Critical_Data

bandwidth percent 25

random-detect dscp-based

class Bulk_Data

bandwidth percent 4

random-detect dscp-based

class Scavenger

bandwidth percent 1

class class-default

bandwidth percent 25

random-detect

DataVoice

VideoInternet

Management and Operations


Don’t Forget About Network Management

• Management and design strategies for IPv6 addressing policies and operation

• Introduction of extended IP services: DHCPv6, DNSv6, IPAM

• Managing security infrastructures: Firewall, IDS, AAA

• Tool visibility, insight and analysis of IPv6 traffic Netflowv9, IPv6 SLA

• Dual Stack Interfaces and tools

• Reporting combined v4 and V6 traffic statistics.

• Requires support in

• Instrumentation (MIB , Netflow records, etc.)

• NMS tools and systems

BRKRST-2312 58


NetFlow for IPv6

• Application Performance monitoring is a great differentiator for IPv6

• IPv6 support added as part of Flexible NetFlow (metering) and NetFlow v9 (exporting) Monitors the IPv6 traffic.

• Export is over an IPv4 Transport

• Exporting: NetFlow version 9

•Advantages: extensibility

• Integrate new technologies/data types quicker (MPLS, IPv6, BGP next hop, etc.)

• Integrate new aggregations quicker

•Note: for now, the template definitions are fixed

• Metering: Flexible NetFlow

•Advantages: cache and export content flexibility

• User selection of flow keys

• User definition of the records

BRKRST-2312 59


• Configure traffic statistics collection for IPv4 and IPv6 protocols

• IPv6 application reporting with Flexible NetFlow

Flexible NetFlowIPv6 Application Monitoring

BR

HQ

MC/B

R

MC/B

RBRMC/B

R

WAN2(IPVPN, DMVPN)

WAN1(IP-VPN)

BR

flow record RECORD-FNF-v6

match ipv6 source address

match ipv6 destination address

match application name

# sh flow monitor MONITOR-FNF-v6 cache format table

IPV6 SOURCE ADDRESS IPV6 DESTINATION ADDRESS APPL

NAME

2A01:E35:8ABF:9510:FA1E:DFFF:FEE1:E789 2A01:E35:8ABF:9510:222:55FF:FEE6:BA98 http

BRKRST-2312 60


L2

IPv6/IPv4 Dual Stack Hosts

IPv6Internet

Tunnel Filtering with ASA

Response measurement with IP SLA

IPv6 Traffic Metering with Flexible Netflow

Tunnel detection with NBAR2

L3

IPv6 Instrumentation

Campus

IPv6 FHSPort ACL

IPv6 MIBs

IPv6 over IPv4 tunnel

IDS/IPS signaturesPrefix Propagation

BRKRST-2312 61


Troubleshooting IPv6 Issues

• IPv4 or IPv6 is transparent to a user since names are used to connect to web sites or other hosts

• http://www.google.com will take us to Google

• Typically an end user will notice issues if all of the following are true:

• IPv6 is enabled on the desktop

• The DNS query returns an IPv6 AAAA record

• IPv6 is preferred over IPv4

• There are connectivity problems over IPv6

TCP UDP

IPv4 IPv6

Data Link (Ethernet)

0x0800 0x86dd

BRKRST-2312 62

http://www.google.com/


Diagnosing IPv6 Issues• When a desktop needs to connect to a web site, the

first thing it does is resolve the DNS name to an IP address.

• If the address returned contains an AAAA record and IPv6 is enabled and preferred on the host, it will use IPv6 to reach that website.

• If there are issues with IPv6 connectivity further in the network, the host may not be able to connect (or load the page in a browser)

• The host will wait for IPv6 to time out before falling back to IPv4 (this is ~30 sec for windows) and leads to bad user experience.

• Basic troubleshooting using ping, tracert, ipconfig should help isolate the issue

BRKRST-2312 63


IPv6 Testing Considerations

• How do hosts react to auto-configuration?

• Are devices taking both a static and auto-configuration ?

– Understand so that security Policy is not affected?

• Should IPv6 RA’s be disabled how do devices re-act to that?

• Does application being used implement SAS (Source address selection) algorithm correctly?

• How do devices re-act with A and AAAA DNS records?

• What happens if IPv4 is disabled?

• What happens if IPv6 is impaired?

A record

AAAA record

ARP request

RA

DHCP reply

DNS reply

BRKRST-2312 64


IPV6 Testing Considerations

• Create base line template that should be run as part of all IPv6 solution testing

• Hosts/Servers/End Systems

• Routers/Switches

• Firewalls/IPS

• Template should consist of basic IPv6 RFC 2460 functionality.

• IPv6 Ready Logo - http://www.ipv6ready.org

• USGv6 - http://www-x.antd.nist.gov/usgv6/index.html

• RIPE-554 - http://www.ripe.net/ripe/docs/current-ripe-documents/ripe-554

BRKRST-2312 65

http://www.ipv6ready.org/

http://www-x.antd.nist.gov/usgv6/index.html

http://www.ripe.net/ripe/docs/current-ripe-documents/ripe-554


IPv6 Tools Different ways to check on what is happening

Where’s my prefix?

‒ Route servers and looking glasses - http://www.bgp4.as/looking-glasses

‒ Look at your network from the outside in

Pings, traceroutes, SSLcert and DNS queries

‒ https://atlas.ripe.net/results/

IPv6 troubleshooting tools for mobile devices (iOS & Android)

IPv6 toolkit HE.net Netalyzr LanDroid Netstat

BRKRST-2312 66

http://www.bgp4.as/looking-glasses

https://atlas.ripe.net/results/

IPv6 and DNS


IPv4 IPv6

Hostname to

IP Address

A Record:

www.abc.test. A 192.168.30.1

IPv6 and DNS

AAAA Record:

www.abc.test AAAA 2001:db8:C18:1::2

IP Address to

Hostname

PTR Record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.

8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.

PTR Record:

1.30.168.192.in-addr.arpa. PTR

www.abc.test.

BRKRST-2312 68


AAAA Records on the Wire

BRKRST-2312 69


DNS as an Integration Tool

Government Agencies

When

Who is www.cisco.com?

DNS serverwww.cisco.com is

A 173.37.145.84

AAAA 2001:420:1101:1::a

End System

Internetwww.cisco.com

Corporate

Who

Business PartnersWho is www.cisco.com?

DNS server

End System

Internetwww.cisco.com

Corporate

End System

www.cisco.com is

A 173.37.145.84

AAAA 2001:420:1101:1::a


www.cisco.com is

A 173.37.145.84

How

DNS server

www.cisco.com is

A 173.37.145.84

www.ipv6.cisco.com

IPv6

Internet consumers

Remote


End System

Internet

www.cisco.com

CorporateEnd System

Who is www.ipv6.cisco.com? www.ipv6.cisco.com is

AAAA 2001:420:1101:1::a

BRKRST-2312 70

IPv6 Security


IPv6 Security

In 5 slides or less…

Can’t be done

Please see the following sessions for a much more detailed treatment

BRKSEC-2003 Introduction to IPv6 Security

BRKSEC-3003 Advanced IPv6 Security in the LAN

BRKSEC-3200 Advanced IPv6 Security in the Core

BRKSEC-3772 Advanced Web Security Deployment with WSA in IPv4 & IPv6 Networks

BRKRST-2312 72


Security Considerations

Dual Stack increases the types and size of your

attack vectors


Dual Stack Host Considerations

Host security on a dual-stack device

Applications can be subject to attack on both IPv6 and IPv4

Fate sharing: as secure as the least secure stack...

Host security controls should block and inspect traffic from both stacks

Host intrusion prevention, personal firewalls, VPN clients, etc.

Does the IPSec Client Stop an Inbound IPv6 Exploit?Dual Stack

Client

IPv4 IPSec VPN with No Split Tunneling

IPv6 HDR IPv6 Exploit

Clear IPv6 Transport

BRKRST-2312 74


Securing the Edge, FW, Perimeter Router

• Address Range

• Source of 2000::/3 at minimum vs. “any”, permit assigned space

• ICMPv6

• RFC 4890 “Recommendations for Filtering ICMPv6 Messages in Firewalls”

• Extension Headers

• Allow Fragmentation, others as needed. Block HBH & RH type 0

• IPv6 ACL’s

• IPv6 traffic-filter – to apply ACL to an interface

permit icmp any any nd-na

permit icmp any any nd-ns

deny ipv6 any any log

BRKRST-2312 75


Infrastructure Security - Management Plane

ipv6 access-list VTY

permit ipv6 2001:db8:0:1::/64 any

line vty 0 4

ipv6 access-class VTY in

In IOS-XR: The command is ‘access-class VTY ingress’,

And

The IPv4 and IPv6 ACL must have the same name

• SSH, syslog, SNMP, NetFlow all work over IPv6

• Dual-stack management plane

More resilient: works even if one stack is down

More exposed: can be attacked over IPv4 and IPv6

• RADIUS over IPv6 is recent but IPv6 RADIUS attributes can be transported over IPv4

• As usual, infrastructure ACL is your friend as well as out-of-band management

BRKRST-2312 76


Control Plane Policing

Control Plane Policing can be applied to IPv6

Adapt what’s in place today to accommodate IPv6

‒ Routing protocols

‒ Management protocols

Remember the extended functionality of ICMP

Monitor carefully to see what shows up in the logs

Remember the default rules at the end of all IPv6 ACLs

permit ipv6 any any nd-na

permit ipv6 any any nd-ns

deny ipv6 any any

‒ They apply to any CoPP policy that uses ACLs to match

policy-map COPPr

class ICMP6_CLASS

police 8000

class OSPF_CLASS

police 200000

class class-default

police 8000

!

control-plane cef-exception

service-policy input COPPr

BRKRST-2312 77


Routing Protocol Authentication - Control Plane BGP, ISIS, EIGRP no change:

‒ MD5 authentication of the routing update

OSPFv3 has changed and pulled MD5

authentication from the protocol and instead

rely on transport mode IPsec (for

authentication and confidentiality)

Or New Alternative is Authentication trailer for

OSPFv3 (Refer to RFC 6506)

IPv6 routing attack best practices

‒ Use traditional authentication mechanisms

on BGP and IS-IS

‒ Use IPsec to secure protocols such as

OSPFv3

interface Ethernet0/0

ipv6 ospf 1 area 0

ipv6 ospf authentication ipsec spi 500 md5

1234567890ABCDEF1234567890ABCDEF

interface Ethernet0/0

ipv6 authentication mode eigrp 100 md5

ipv6 authentication key-chain eigrp 100 MYCHAIN

key chain MYCHAIN

key 1

key-string 1234567890ABCDEF1234567890ABCDEF

accept-lifetime local 12:00:00 Dec 31 2006 12:00:00 Jan

1 2008

send-lifetime local 00:00:00 Jan 1 2007 23:59:59 Dec 31

2007

No crypto maps, no ISAKMP:

transport mode with static

session keys

BRKRST-2312 78


Perimeter Security: Anti-Spoofing and Bogon Filters

IPv6

Internet

Inter-Networking Device

with uRPF Enabled

IPv6 Unallocated

Source Address

X IPv6 Intranet /

Internet (SP)

No Route to SrcAddr => Drop

Similar to IPv4, IPv6 has Bogons

Anti-spoofing in IPv6 same as IPv4

=> Same technique for single-homed edge= uRPF

ipv6 access-list NO_BOGONS

remark Always permit ICMP unreachable (PMTUD)

permit icmp any any unreachable

remark Permit only large prefix blocks from IANA

permit ip 2001::/16 any






permit ip 2a00::/12 any

permit ip 2c00::/12 any

Remark implicit deny at the end

http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

For Full list of Bogons:

BRKRST-2312 79

http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt


IPv6 Snooping

IPv6 First Hop Security (FHS)

IPv6 FHS

RA Guard

DHCPv6 Guard

Source/Prefix Guard

Destination Guard

Protection:• Rouge or

malicious RA• MiM attacks

Protection:• Invalid DHCP

Offers• DoS attacks• MiM attacks

Protection:• Invalid source

address• Invalid prefix• Source address

spoofing

Protection:• DoS attacks • Scanning• Invalid destination

address

RA Throttler

ND Multicast Suppress

Reduces:• Control traffic

necessary for proper link operations to improve performance

Core Features Advance Features Scalability & Performance

Facilitates:• Scale

converting multicast traffic to unicast

BRKRST-2312 80

What Next?


• IPv4 addresses have been exhausted

• Adoption of IPv6 on the Internet is increasing

• IPv6 integration has a lengthy deployment cycle

• IPv6 integration involves all aspects of IT

State of IPv6 Deployment Today

http://6lab.cisco.com/stats/

BRKRST-2312 82


Call to Arms

• Take a systematic wide approach to IPv6 planning and execution

• Take opportunities to be IPv6 ready in technology refresh cycles

• Learn from others who have undertaken the journey

• Make the leap!

• Be the IPv6 “Nut”

BRKRST-2312 83

ipv6 planning, deployment and operation...

Documents