ipv6 planning, deployment and operation...
TRANSCRIPT
Agenda
• IPv6 Market Trends
• IPv6 Planning Steps
• IPv6 Addressing
• Transition Mechanisms
• IPv6 Co-existence Considerations
• Management, Operations Troubleshooting • IPv6 DNS
• IPv6 Security
• Summary
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv4 Address Exhaustion
http://www.potaroo.net/tools/ipv4/
BRKRST-2312 6
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
% of IPv6 users as seen by Google in the U.S.
Data: Google, Forecasting: Eric Vyncke, Cisco
https://www.vyncke.org/ipv6status/project.php
% of IPv6 Enabled Web Browsers in the US https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-
adoption&tab=ipv6-adoption
Native IPv6 Traffic to Google.
IPv6 Routes
29000
IPv4 Routes
582000
http://6lab.cisco.com/stats/ BRKRST-2312 7
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Measuring Cisco IPv6 Deployment
http://www.worldipv6launch.org/measurements/
BRKRST-2312 8
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Cisco IT Situation (Public Facing) • ARIN pool exhausted on 24th Sep 2015
• Available free space on the market is fragmented
• DC Growth for 2016 driving IPv6 requirements.
Internet User – Global View
Public IPv4 address space only
Source Google
BRKRST-2312 9
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why Bother?
• Continuity of Business
• To ensure services are available to customers and partners
• New products and enhanced service delivery
• Government/Partner/Corporate mandates or regulations
• Cost
• Avoid the risk and cost associated with unplanned and uncontrolled implementation of IPv6
• Avoid the increased cost of moving to IPv6 when the industry and suppliers are driving the market
Time
IPv4 Free Pool
Size of the Internet
IPv6 Deployment
Today
?
BRKRST-2312 10
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Scope of IPv6 DeploymentPlanning and coordination is
required from many across the
organization, including …
Network engineers & operators
Security engineers
Application developers
Desktop / Server engineers
Web hosting / content
developers
Business development
managers
…
Moreover, training will be required
for all involved in supporting the
various IPv6 based network services
BRKRST-2312 12
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6 Planning Steps
Evaluate effect
on business
model1
Establish IPv6
project team 2
Assess network
hardware and
software readiness6
Establish IPv6
training strategy 3
Obtain IPv6
prefixes 7
Decide IPv6
architectural
solution4
Test application
software and
services9
Develop
procurement
plan10
Develop
exception
strategy5
Develop security
policy 8
Execute BRKRST-2312 13
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6 deployment phases – The associated metrics
1 – PlanningPrefixes (allocated, routed, traffic)Sources: RIR db, routeview.org, BitTorrent agent
2 – The NetworkIPv6 Transit AS’s
BGP tablesSource: routeview.org, RIPE Lab
4 – User adoptionGoogle users/browsers stats
APNIC Ad’s embedded http probesSources: google stats, apnic lab
3 – Content enablementAlexa top sites / country
+ 6lab http probesSources: Alexa.com, 6lab.cisco
BRKRST-2312 14
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco IT Lessons Learned IPv6 impact to service providers and external partners
– Internet service providers
– CDN providers
– 3rd party application providers
Security – Firewalls
– IDS/IPS
– Security event management and forensics logging
Application visibility – Netflow V9 not supported on all platforms including collectors
– Had to shift Netflow collection into DMZ to deal with constraints above
– Use of Netflow reflectors can bring some relief
Geo-Location and Web analytics – Use of the X-Forwarded For header
Take advantage of prescheduled release windows when possible
Lessons
BRKRST-2312 15
• Core-to-Access – Gain experience with IPv6
• Turn up your servers – Enable the experience
• Access-to-Core – Securing and monitoring
• Internet Edge – Business continuity
Where do I start?
Servers
Branch Access
WAN
Core
AccessLayer
ISP ISP
InternetEdge
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Common Deployment Models for Internet EdgeInternet, Partner, Branch
Enterprise
Edge
Agg +
Services
Phy/Virt.
Access
ComputeStorage
IPv4/IPv6
Host
Dual Stack
Hosts
Enterprise
Edge
Agg +
Services
Phy/Virt.
Access
ComputeStorage
IPv4/IPv6
Host
Mixed Hosts
IPv6 IPv4
SLB
64
/ N
AT
64 B
oun
dary
Multi-Tenant
Core
Agg +
Services
Phy/Virt.
Access
ComputeStorage
IPv4-onlyHosts
Pure Dual Stack Conditional Dual Stack Translation as a Service
AF
T
BRKRST-2312 17
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Readiness Assessment
• A key and mandatory step to evaluate the impact of IPv6 integration
• Evaluate costs and define timelines
• Define the scope of integration
• Answer the question of who, what, where and how will IPv6 integration impact operations
• Should be split in several components
• Network Infrastructure, Service Providers, End Systems, Applications, Operations, Addressing
BRKRST-2312 19
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Network Assessment• Break the project down into phases
• Avoids false positives and cuts back on upgrade costs
• Determine place in the network (PIN), platforms, features that are needed in each phase
• RIPE-554
• IPv6 Ready Logo Program
• Work with your vendor to address the gaps
• Applies to all of your vendors
BRKRST-2312 20
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Application Assessment
Don’t Forget the Applications
BRKRST-2312 21
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Commonly Deployed IPv6-enabled OS/Apps
Operating Systems
• Windows 7
• Windows Server 2008/R2
• Red Hat
• Ubuntu
• OSX/iOS
• Android
• And the list goes on …
Virtualization & Applications
• VMware vSphere 4.1
• Microsoft Hyper-V
• Microsoft Exchange 2007 SP1/2010
• Apache/IIS Web Services
• Windows Media Services
• Multiple Line of Business apps
Most commercial applications won’t be your problem
– it will be the custom/home-grown apps that are difficult
BRKRST-2312 22
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
What Defines an Application?
HTTP
FTP
SMTP
POP3
IMAP
HTTPS
Are these
applications?
Or just ports?
80
20/21
25
110
143
443
Are These ApplicationsWhat about these?
IPv4/IPv6 transport
BRKRST-2312 23
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Services Assessment
Questions to ask your Internet Service Provider
http://docwiki.cisco.com/wiki/What_To_Ask_From_Your_Service_Provider_About_IPv6
Evaluate the organizations that are going to provide services to support your deployment
Internet Service
Application
Cloud Services
Content Management . DNS
Deployment Type
Dual Stack,
Native or Overlay
What kind of services are offered
Are they “IPv6 Capable”?
If not, when will IPv6 be integrated?
BRKRST-2312 24
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Operational Assessment
• Evaluate the tools in the NMS for IPv6 capability
• All tools across the FCAPS model
• Define what is critical and what can wait
• Is it critical to support netflow or anycast DNS?
• Custom scripts
• Updated to accommodate dual transports
Override default behavior to prefer one over the other
• Are there new scripts needed?
Are both transports available?
# addresses per host, DNS queries/response, validating summarization
BRKRST-2312 25
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv4 Address Assessment
• Assess how the existing IPv4 address space is used
• Useful information for
• IPv6 integration
• IPv4 address consolidation
• Reclaiming unused address space
• Use existing tools
• IPAM
• ARP tables
• Routing tables
• DHCP logs
Better visibility into how the existing
Address space is used
Can better answer when IPv6 is critical
BRKRST-2312 26
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Addressing Plan Requirements and Considerations
• Clear addressing for different parts of the network
• WAN/Core, Campus, branch, DC, Internet Edge etc.
• Different Locations
• Different services
• Encoding of information
• Ease of aggregation
• Leaving space for growth
• Involvement of other teams
• E.g. Information Security
• Length of prefix and bits to work with
• Enterprises usually multiple /48 (≥ 16 bits)
• SPs should get /29 (≥ 35 bits)
• Avoid breaking the nibble boundary
• Think of # of prefixes at each level
• Templates will be your friends
• Internal policy for using the Addressing Plan
Requirements Considerations
BRKRST-2312 28
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Many ways of building an IPv6 Address Plan• Regional Breakdown, Purpose built or Generic buckets, Separate per business function
• Hierarchy is key
• Don’t worry too much about potential inefficiencies
• Prefix length selection• Network Infrastructure links, Host/End System LAN
• Addressing hosts• SLAAC, DHCP (stateful), DHCP (stateless), Manually assigned
• Building the IPv6 Address Plan• Cisco IPv6 Addressing White Paper
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_BN_IPv6AddressingGuide-Feb2013.pdf
• BRKRST-2667 How to write an IPv6 Addressing Plan
IPv6 Address Considerations
BRKRST-2312 29
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6 Address Space - PI vs PA
• Do I Get PI or PA?• PI space is great for organizations who want to multihome
to different SPs
• PA if you are single homed or you plan to NAT/Proxy everything with IPv6 (not likely)
• Possible Options for PI• Get one large global block from local RIR and subnet out
per region
• Get a separate block from each of the RIR you have presence in
• Most organizations are going down the PI path• Getting assignments across regional registries provides
“insurance” against changing policies
• Traffic Engineering
BRKRST-2312 30
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Addressing Recommendations
• Link Local Address
• Normally, first 64 bits are fixed
• Usually the Interface Identifier is modified
• Encoding external identifiers for troubleshooting
• VLAN number• Router IDs
• IPv4 address
• Possible to leverage for IGP routing
• Unique Local Address
• Not for end-point addressing
• Unless in a closed system
• Possible for infrastructure addressing
• Needs IPv6-to-IPv6 Network Prefix
Translation (NPTv6) on Internet Edge
• Global Unicast Address
• Vast number of prefixes
• Manage just one address spaceGlobal Address
Unique Local Address
Link-Local Address
BRKRST-2312 31
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Prefix Length Considerations
• Anywhere a host exists /64
• Point to Point /127
• Should not use all 0’s or 1’s
• in the host portion
• Nodes 1&2 are not in the
• same subnet
• Loopback or Anycast /128
• RFC 7421 /64 is here
• RFC 6164 /127 cache exhaust
Pt 2 Pt /127
WAN
Core/64 or /127
Servers/64
Hosts/64
Loopback/128
BRKRST-2312 32
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Point-to-Point Routed Links
• Suppress RA’s for global assigned addressing
• Disable ICMPv6 redirects
• Don’t send ICMPv6 “unreachables”
interface FastEthernet0/1
ipv6 address 2001:db8:66:67::2/127
ipv6 nd ra suppress
no ipv6 redirects
no ipv6 unreachables
BRKRST-2312 33
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Longest Prefix Match (LPM) Sizing
• Recommendation is stick with /64 prefixes as the longest prefix that will have attached hosts
• What about prefixes that are longer than a /64?• Most platforms consume 2 slots for every IPv6 route and 1 slot for IPv4
• LPM can consume a greater amount of HW switching resources• Greatly limits the scalability of the platform for prefix lengths in the /64 - /127 range
• May be appropriate based on location of the device
• See first point 2001:db8:4646::/48
2001:db8:4646:5::/64
2001:db8:4646:5::aa03/127
BRKRST-2312 34
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Host Address AssignmentManual Stateless Stateful DHCPv6
Pros Address is stable
Controlled assignment
Well understood process
Scales well
Time to deploy
Widely implemented
Well understood process
Controlled assignment
Time to deploy
Cons Does not scale
Time to deploy
No control on assignment process
Not well understood
Lack of management
Privacy concerns
Implementation in OS
Must design for HA
• The choice of assignment depends on the existing processes and the adaptability of that process
• Remember that the methods are not mutually exclusive - all three can be used
• Regardless of choice must still control the stateless address assignment of addresses
BRKRST-2312 35
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Address Plan Example
2001:db8:1a00000000:0000000000000000::/40
24 bits for organizational subnets
4 bits to define regional prefix
8 bits to define site prefix
4 bits for subnet function
8 bits for subnets
2001:db8:1a10:1110::/64
0 = Infra
1 = Desktop
2 = Lab
3 = Guest
D = Building DC
... etc
0 = Reserved
1 = North America
2 = Europe
3 = APAC
... etc
0 = Reserved
1 = New York
2 = Atlanta
3 = Chicago
... etc
0 = Infra
XX Functional
Prefixes
BRKRST-2312 36
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Link Local Only?
- Exclusively use Link Local Addresses on network infrastructure
Prefix Lengths don’t matter anymore
Network Infrastructure is un-reachable from outside of the network
- Will impact your network management system
Ping, traceroute, SNMP, TACACS, RADIUS
- See RFC 7404
BRKRST-2312 37
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
What about NAT
A couple of versions of address translation related to IPv6
NAT-PTOriginal specification
Deprecated
NPTv6 Stateless translation method
Only manipulate the prefix
NAT66Stateful translation
Not specified in RFC
NAT64Translation between IPv6 and IPv4 address families
Stateless and stateful methods available
Where should NAT be applied?
NAT66Address hiding ???
That’s the way we do IPv4???
It provides security???
Multi-homing
NAT64Boundaries between IPv4 only and IPv6
Highly successful in getting quick IPv6 access
Cannot be the final state
Must move towards full IPv6 integration
BRKRST-2312 38
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IP Address Management
• It is normal for a single host to have 3 or more IPv6 addresses
• Each /64 subnet can have 18 million trillion addresses
• Managing a spreadsheet with 18 million trillion fields for 128 bit long addresses in HEX is not practical
• If you don’t want to do that use an IPAM solution!
• Cisco Prime Network Registrar
• Infoblox
• Bluecat
• BT Diamond
BRKRST-2312 39
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Transition Solution Universe!
BRKRST-2312 41
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Customer Network
Customer Network
Carrier Grade NAT IPv6 Rapid Deployment
CE CE
Using Tunnels
Manually configured tunnels
IPv6 over GRE
LISP
IPSec Tunnels
Dynamic Multipoint VPN (DMVPN)
Dual Stack
WAN
Dual Stack IPv4/IPv6
Dual Stack CPEs
Dual Stack Headquarters
Dual Stack WAN
Subscriber Network
Subscriber Network
MPLS IPv4 Core
Customer Network
Customer Network
6VPE Service
Dual Stack IPv4 / IPv6
6VPE VPN Service
Connecting IPv6 Sites Together
IPv4
WAN
6VPE
6VPE
BRKRST-2312 42
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SP IP Network Transition options
IPv6
InternetIPv4
Internet
IPv4
IPv4 Core
Subscriber Network
NAT
IPv4 Carrier Grade NAT
NAT
IPv6 Access
Network
Dual Stack Core
Subscriber
Network
CE
IPv6-Only Subscriber
6↔4
Dual Stack Core
v6over
v4
Subscriber Network
IPv6 Rapid Deployment
6rd
or L
2T
P
6rd BR
SubscriberNetwork
v4
over
v6
Dual Stack Core
4rd
or D
S-L
ite
IPv6-Only Access Network
NAT
Dual Stack
Core+
Access (ex: DOCSIS 3.0)
Subscriber Network
PE
Native
Dual Stack
For more info see: http://www.cisco.com/go/cgv6
PE
CE CE
4rd BRAFTR
CE
LNS
IPv4 via IPv6
Using DS-Lite (w/NAT44)
MAP-E – Encap All
MAP-T - L3 and L4 in header
Lw4over6
4rd
464Xlat
6 Rapid Deployment (6rd
L2TP
Softwires
Broad Band Connectivity
Dual Stack Core
DOCSIS Access
AFT64NAT444
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6 and Cloud Adoption Consideration Contiguous large blocks of IPv4 not available
– Impact traffic engineering
– Introduces complexities of NAT once again
– Impacts end to end authentication
Platform and Designs built around IPv4 including scale, management and visibility
Cloud Consumption offers and tools are typically looking at IPv4 – What is being missed from a risk perspective ?
A very large percentage of DNS queries are also handing out A and AAAA records – What is being consumed?
– What happens when a work load moves?
Incorporate IPv6 into your cloud strategy– Better scalability, address aggregation
– Portolio for NFV and Service Chaining should include IPv6
– Keep an eye out for Open Stack functions and IPv6 support.
– Read the Fine Print – I.e First /64 included $ 10-20 for additional Global Address
Source: Nephos6
Action: Drive IPv6 as a firm requirement with ALL of your private/public cloud vendors and providers
BRKRST-2312 44
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Recommended Approach for IPv6
• Dual-Stack to the hosts
• Hosts support dual stack• Windows, OSX, iOS, Linux, BSD
• Network support dual stack
• But…IPv4 exhaustion is underway
• Every host CANNOT be assigned an IPv4 address
Dual-Stack Deployment (RFC 4213)
IPv4+IPv6 Hosts (Dual Stack)
IPv4+IPv6
Network
BRKRST-2312 45
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Dual StackProblem: IPv6 is Broken to a certain website?
BRKRST-2312 46
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Dual StackSolution – Happy Eyeballs
BRKRST-2312 47
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Dual StackSolution – Happy Eyeballs Optimization
BRKRST-2312 48
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Scalability and Performance
• IPv6 Neighbor Cache = ARP for IPv4• In dual-stack networks the first hop routers/switches will now have more memory
consumption due to IPv6 neighbor entries (can be multiple per host) + ARP entries
ARP entry for host in the campus distribution layer:
Internet 10.120.2.200 2 000d.6084.2c7a ARPA Vlan2
IPv6 Neighbor Cache entry:
2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1 4 000d.6084.2c7a STALE Vl2
2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2
FE80::7DE5:E2B0:D4DF:97EC 16 000d.6084.2c7a STALE Vl2
• There are some implications to managing the IPv6 neighbor cache when concentrating large numbers of end systems
BRKRST-2312 50
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Coexistence
IPv6 Router Advertisement
– Disable when not needed
– Still needed for default GW propagation
– Use RA Guard whenever possible
Over time as new operating systems come on line it will be harder to identify “IPv6” issues.
– Most organizations not aware that IPv6 is running in the network
– Need visibility for both transport protocols
Management of SLAs and Network Management
– Understand host behavior when multiple addresses are present.
– Saves time during testing and implementation at time expected address is not being used.
Coexistence
BRKRST-2312 51
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Understanding Co-Existence Implications
Resources considerations
‒ Memory (storing the same amount of IPv6 routes
requires less memory than might be expected)
‒ CPU (insignificant increase in the case of HW
platforms, additive in the case of SW platforms)
Control plane considerations
‒ Balance between IPv4/IPv6 control plane separation
and scalability of the number of sessions
Performance considerations
‒ Forwarding in the presence of advanced features
‒ Convergence of IPv4 routing protocols when IPv6 is
enabled
0
50000
100000
150000
200000
250000
300000
350000
400000
450000
0 500 1000 1500 2000 2500 3000
Number of Routes
Mem
ory
(b
yte
s)
IPv4
IPv6
Linear
(IPv6)Linear
(IPv4)
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0.45
0.5
0 500 1000 1500 2000 2500 3000
Number of Perfixes
Tim
e
IPv4 OSPF
IPv4 OSPF
IPv6 OSPF
Linear (IPv4
OSPF IPv6
OSPF)Linear (IPv4
OSPF)
BRKRST-2312 52
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Coexistence Twist
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0.45
0.5
0 500 1000 1500 2000 2500 3000
Number of Prefixes
Tim
e
IPv4 OSPF
IPv4 OSPF w/
IPv6 OSPF
Linear (IPv4
OSPF w/ IPv6
OSPF)Linear (IPv4
OSPF)
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0 500 1000 1500 2000 2500 3000
Number of Prefixes
Tim
e
IPv4 OSPF
IPv4 OSPF w/
IPv6 OSPF
Linear (IPv4
OSPF w/ IPv6
OSPF)Linear (IPv4
OSPF)
IPv6 IGP impact on the IPv4 IGP
convergence
Aggressive timers on both IGPs will highlight
competition for resources
Is parity necessary from day 1? Tuned IPv4 OSPF, Tuned IPv6 OSPF
Tuned IPv4 OSPF, Untuned IPv6 OSPF
BRKRST-2312 53
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6 and IPv4 Routing Protocols
OSPF
OSPFv2 for IPv4
OSPFv3 for IPv6
Distinct but similar protocols with OSPFv3 being a cleaner implementation that takes advantage of
IPv6 specificities
IS-ISExtended to support IPv6
Natural fit to some of the IPv6 foundational concepts
Supports Single and Multi Topology operation
EIGRPExtended to support IPv6
Some changes reflecting IPv6 characteristics
BGP Extended to support IPv6 through multi-protocol extensions
BRKRST-2022 Introduction to IPv6 Routing
BRKRST-2312 54
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
QoS Considerations
• IPv4 and IPv6 QoS features are mostly compatible (RFC 2460/3697)
• Both Transport uses DSCP (aka Traffic Class)
• Control plane Queues need to now take into account IPv6 Overhead too
• IPv6 classification can follow the same IP Precedence, Service Class, DSCP and EXP QOS Taxonomy values already defined for IPv4.
• CE devices will need additional configuration to set appropriate values on the IPv6 traffic class field.
• IPv6 will utilize the same Network Control, Voice,, Gold, Bronze, Silver, Best Effort classes
IPv6
DSCP
Fragment Offset
Flags
Total LengthType of Service
IHL
PaddingOptions
Destination Address
Source Address
Header ChecksumProtocolTime to Live
Identification
Version
IPv4
DSCP
BRKRST-2312 55
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
QoS CLI
• Class maps can match both IPv4 and IPv6 traffic
• Can be broken into “ip” and “ipv6” matching
• Design principles still the same
• Mark at the edge
• Trust boundaries still apply
• Queue sizing
class-map match-any Critical_Data
match dscp af21
class-map match-any Voice
match dscp ef
class-map match-all Scavenger
match dscp cs1
class-map match-any Bulk_Data
match dscp af11
!
policy-map DISTRIBUTION
class Voice
priority percent 10
class Critical_Data
bandwidth percent 25
random-detect dscp-based
class Bulk_Data
bandwidth percent 4
random-detect dscp-based
class Scavenger
bandwidth percent 1
class class-default
bandwidth percent 25
random-detect
DataVoice
VideoInternet
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Don’t Forget About Network Management
• Management and design strategies for IPv6 addressing policies and operation
• Introduction of extended IP services: DHCPv6, DNSv6, IPAM
• Managing security infrastructures: Firewall, IDS, AAA
• Tool visibility, insight and analysis of IPv6 traffic Netflowv9, IPv6 SLA
• Dual Stack Interfaces and tools
• Reporting combined v4 and V6 traffic statistics.
• Requires support in
• Instrumentation (MIB , Netflow records, etc.)
• NMS tools and systems
BRKRST-2312 58
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
NetFlow for IPv6
• Application Performance monitoring is a great differentiator for IPv6
• IPv6 support added as part of Flexible NetFlow (metering) and NetFlow v9 (exporting) Monitors the IPv6 traffic.
• Export is over an IPv4 Transport
• Exporting: NetFlow version 9
•Advantages: extensibility
• Integrate new technologies/data types quicker (MPLS, IPv6, BGP next hop, etc.)
• Integrate new aggregations quicker
•Note: for now, the template definitions are fixed
• Metering: Flexible NetFlow
•Advantages: cache and export content flexibility
• User selection of flow keys
• User definition of the records
BRKRST-2312 59
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Configure traffic statistics collection for IPv4 and IPv6 protocols
• IPv6 application reporting with Flexible NetFlow
Flexible NetFlowIPv6 Application Monitoring
BR
HQ
MC/B
R
MC/B
RBRMC/B
R
WAN2(IPVPN, DMVPN)
WAN1(IP-VPN)
BR
flow record RECORD-FNF-v6
match ipv6 source address
match ipv6 destination address
match application name
# sh flow monitor MONITOR-FNF-v6 cache format table
IPV6 SOURCE ADDRESS IPV6 DESTINATION ADDRESS APPL
NAME
2A01:E35:8ABF:9510:FA1E:DFFF:FEE1:E789 2A01:E35:8ABF:9510:222:55FF:FEE6:BA98 http
BRKRST-2312 60
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
L2
IPv6/IPv4 Dual Stack Hosts
IPv6Internet
Tunnel Filtering with ASA
Response measurement with IP SLA
IPv6 Traffic Metering with Flexible Netflow
Tunnel detection with NBAR2
L3
IPv6 Instrumentation
Campus
IPv6 FHSPort ACL
IPv6 MIBs
IPv6 over IPv4 tunnel
IDS/IPS signaturesPrefix Propagation
BRKRST-2312 61
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Troubleshooting IPv6 Issues
• IPv4 or IPv6 is transparent to a user since names are used to connect to web sites or other hosts
• http://www.google.com will take us to Google
• Typically an end user will notice issues if all of the following are true:
• IPv6 is enabled on the desktop
• The DNS query returns an IPv6 AAAA record
• IPv6 is preferred over IPv4
• There are connectivity problems over IPv6
TCP UDP
IPv4 IPv6
Data Link (Ethernet)
0x0800 0x86dd
BRKRST-2312 62
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Diagnosing IPv6 Issues• When a desktop needs to connect to a web site, the
first thing it does is resolve the DNS name to an IP address.
• If the address returned contains an AAAA record and IPv6 is enabled and preferred on the host, it will use IPv6 to reach that website.
• If there are issues with IPv6 connectivity further in the network, the host may not be able to connect (or load the page in a browser)
• The host will wait for IPv6 to time out before falling back to IPv4 (this is ~30 sec for windows) and leads to bad user experience.
• Basic troubleshooting using ping, tracert, ipconfig should help isolate the issue
BRKRST-2312 63
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6 Testing Considerations
• How do hosts react to auto-configuration?
• Are devices taking both a static and auto-configuration ?
– Understand so that security Policy is not affected?
• Should IPv6 RA’s be disabled how do devices re-act to that?
• Does application being used implement SAS (Source address selection) algorithm correctly?
• How do devices re-act with A and AAAA DNS records?
• What happens if IPv4 is disabled?
• What happens if IPv6 is impaired?
A record
AAAA record
ARP request
RA
DHCP reply
DNS reply
BRKRST-2312 64
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPV6 Testing Considerations
• Create base line template that should be run as part of all IPv6 solution testing
• Hosts/Servers/End Systems
• Routers/Switches
• Firewalls/IPS
• Template should consist of basic IPv6 RFC 2460 functionality.
• IPv6 Ready Logo - http://www.ipv6ready.org
• USGv6 - http://www-x.antd.nist.gov/usgv6/index.html
• RIPE-554 - http://www.ripe.net/ripe/docs/current-ripe-documents/ripe-554
BRKRST-2312 65
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6 Tools Different ways to check on what is happening
Where’s my prefix?
‒ Route servers and looking glasses - http://www.bgp4.as/looking-glasses
‒ Look at your network from the outside in
Pings, traceroutes, SSLcert and DNS queries
‒ https://atlas.ripe.net/results/
IPv6 troubleshooting tools for mobile devices (iOS & Android)
IPv6 toolkit HE.net Netalyzr LanDroid Netstat
BRKRST-2312 66
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv4 IPv6
Hostname to
IP Address
A Record:
www.abc.test. A 192.168.30.1
IPv6 and DNS
AAAA Record:
www.abc.test AAAA 2001:db8:C18:1::2
IP Address to
Hostname
PTR Record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.
8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.
PTR Record:
1.30.168.192.in-addr.arpa. PTR
www.abc.test.
BRKRST-2312 68
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
AAAA Records on the Wire
BRKRST-2312 69
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
DNS as an Integration Tool
Government Agencies
When
Who is www.cisco.com?
DNS serverwww.cisco.com is
A 173.37.145.84
AAAA 2001:420:1101:1::a
End System
Internetwww.cisco.com
Corporate
Who
Business PartnersWho is www.cisco.com?
DNS server
End System
Internetwww.cisco.com
Corporate
End System
www.cisco.com is
A 173.37.145.84
AAAA 2001:420:1101:1::a
Who is www.cisco.com?
www.cisco.com is
A 173.37.145.84
How
DNS server
www.cisco.com is
A 173.37.145.84
www.ipv6.cisco.com
IPv6
Internet consumers
Remote
Who is www.cisco.com?
End System
Internet
www.cisco.com
CorporateEnd System
Who is www.ipv6.cisco.com? www.ipv6.cisco.com is
AAAA 2001:420:1101:1::a
BRKRST-2312 70
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6 Security
In 5 slides or less…
Can’t be done
Please see the following sessions for a much more detailed treatment
BRKSEC-2003 Introduction to IPv6 Security
BRKSEC-3003 Advanced IPv6 Security in the LAN
BRKSEC-3200 Advanced IPv6 Security in the Core
BRKSEC-3772 Advanced Web Security Deployment with WSA in IPv4 & IPv6 Networks
BRKRST-2312 72
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Security Considerations
Dual Stack increases the types and size of your
attack vectors
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Dual Stack Host Considerations
Host security on a dual-stack device
Applications can be subject to attack on both IPv6 and IPv4
Fate sharing: as secure as the least secure stack...
Host security controls should block and inspect traffic from both stacks
Host intrusion prevention, personal firewalls, VPN clients, etc.
Does the IPSec Client Stop an Inbound IPv6 Exploit?Dual Stack
Client
IPv4 IPSec VPN with No Split Tunneling
IPv6 HDR IPv6 Exploit
Clear IPv6 Transport
BRKRST-2312 74
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Securing the Edge, FW, Perimeter Router
• Address Range
• Source of 2000::/3 at minimum vs. “any”, permit assigned space
• ICMPv6
• RFC 4890 “Recommendations for Filtering ICMPv6 Messages in Firewalls”
• Extension Headers
• Allow Fragmentation, others as needed. Block HBH & RH type 0
• IPv6 ACL’s
• IPv6 traffic-filter – to apply ACL to an interface
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log
BRKRST-2312 75
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Infrastructure Security - Management Plane
ipv6 access-list VTY
permit ipv6 2001:db8:0:1::/64 any
line vty 0 4
ipv6 access-class VTY in
In IOS-XR: The command is ‘access-class VTY ingress’,
And
The IPv4 and IPv6 ACL must have the same name
• SSH, syslog, SNMP, NetFlow all work over IPv6
• Dual-stack management plane
More resilient: works even if one stack is down
More exposed: can be attacked over IPv4 and IPv6
• RADIUS over IPv6 is recent but IPv6 RADIUS attributes can be transported over IPv4
• As usual, infrastructure ACL is your friend as well as out-of-band management
BRKRST-2312 76
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Control Plane Policing
Control Plane Policing can be applied to IPv6
Adapt what’s in place today to accommodate IPv6
‒ Routing protocols
‒ Management protocols
Remember the extended functionality of ICMP
Monitor carefully to see what shows up in the logs
Remember the default rules at the end of all IPv6 ACLs
permit ipv6 any any nd-na
permit ipv6 any any nd-ns
deny ipv6 any any
‒ They apply to any CoPP policy that uses ACLs to match
policy-map COPPr
class ICMP6_CLASS
police 8000
class OSPF_CLASS
police 200000
class class-default
police 8000
!
control-plane cef-exception
service-policy input COPPr
BRKRST-2312 77
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Routing Protocol Authentication - Control Plane BGP, ISIS, EIGRP no change:
‒ MD5 authentication of the routing update
OSPFv3 has changed and pulled MD5
authentication from the protocol and instead
rely on transport mode IPsec (for
authentication and confidentiality)
Or New Alternative is Authentication trailer for
OSPFv3 (Refer to RFC 6506)
IPv6 routing attack best practices
‒ Use traditional authentication mechanisms
on BGP and IS-IS
‒ Use IPsec to secure protocols such as
OSPFv3
interface Ethernet0/0
ipv6 ospf 1 area 0
ipv6 ospf authentication ipsec spi 500 md5
1234567890ABCDEF1234567890ABCDEF
interface Ethernet0/0
ipv6 authentication mode eigrp 100 md5
ipv6 authentication key-chain eigrp 100 MYCHAIN
key chain MYCHAIN
key 1
key-string 1234567890ABCDEF1234567890ABCDEF
accept-lifetime local 12:00:00 Dec 31 2006 12:00:00 Jan
1 2008
send-lifetime local 00:00:00 Jan 1 2007 23:59:59 Dec 31
2007
No crypto maps, no ISAKMP:
transport mode with static
session keys
BRKRST-2312 78
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Perimeter Security: Anti-Spoofing and Bogon Filters
IPv6
Internet
Inter-Networking Device
with uRPF Enabled
IPv6 Unallocated
Source Address
X IPv6 Intranet /
Internet (SP)
No Route to SrcAddr => Drop
Similar to IPv4, IPv6 has Bogons
Anti-spoofing in IPv6 same as IPv4
=> Same technique for single-homed edge= uRPF
ipv6 access-list NO_BOGONS
remark Always permit ICMP unreachable (PMTUD)
permit icmp any any unreachable
remark Permit only large prefix blocks from IANA
permit ip 2001::/16 any
permit ip 2002::/16 any
permit ip 2003::/18 any
permit ip 2400::/12 any
permit ip 2600::/10 any
permit ip 2800::/12 any
permit ip 2a00::/12 any
permit ip 2c00::/12 any
Remark implicit deny at the end
http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
For Full list of Bogons:
BRKRST-2312 79
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6 Snooping
IPv6 First Hop Security (FHS)
IPv6 FHS
RA Guard
DHCPv6 Guard
Source/Prefix Guard
Destination Guard
Protection:• Rouge or
malicious RA• MiM attacks
Protection:• Invalid DHCP
Offers• DoS attacks• MiM attacks
Protection:• Invalid source
address• Invalid prefix• Source address
spoofing
Protection:• DoS attacks • Scanning• Invalid destination
address
RA Throttler
ND Multicast Suppress
Reduces:• Control traffic
necessary for proper link operations to improve performance
Core Features Advance Features Scalability & Performance
Facilitates:• Scale
converting multicast traffic to unicast
BRKRST-2312 80
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• IPv4 addresses have been exhausted
• Adoption of IPv6 on the Internet is increasing
• IPv6 integration has a lengthy deployment cycle
• IPv6 integration involves all aspects of IT
State of IPv6 Deployment Today
http://6lab.cisco.com/stats/
BRKRST-2312 82
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Call to Arms
• Take a systematic wide approach to IPv6 planning and execution
• Take opportunities to be IPv6 ready in technology refresh cycles
• Learn from others who have undertaken the journey
• Make the leap!
• Be the IPv6 “Nut”
BRKRST-2312 83
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Recommended Reading
BRKRST-2312 84
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
BRKRST-2312 85
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
BRKRST-2312 86
Please join us for the Service Provider Innovation Talk featuring:
Yvette Kanouff | Senior Vice President and General Manager, SP Business
Joe Cozzolino | Senior Vice President, Cisco Services
Thursday, July 14th, 2016
11:30 am - 12:30 pm, In the Oceanside A room
What to expect from this innovation talk
• Insights on market trends and forecasts
• Preview of key technologies and capabilities
• Innovative demonstrations of the latest and greatest products
• Better understanding of how Cisco can help you succeed
Register to attend the session live now or
watch the broadcast on cisco.com