ipv6: we care so you don't have to
DESCRIPTION
Is it time to panic? Are we completely out of IP addresses? Do I have to learn to speak hexadecimal? What is IPv6 and should you care? In this session, we'll attempt to answer these questions and more and we're likely to have more questions than answers. IPv6 is the newest version of the IP/Internet Protocol (currently referred to as IPv4) and was created primarily to address the shortage of IP addresses across the world. However, there's a lot more going on with IPv6 than just addressing changes. This session will address just what the campus has done and still needs to do and what you need to worry about as IPv6 comes closer to your front door.TRANSCRIPT
IPv6: We Care ….So You Don’t Have To
Jim GoganDirector, ITS Comm Tech/Networking
2011 CTC Retreat
Setting the Stage
• So, if you don’t care …. why are you here?• Can you run right out after this and start using
IPv6 on campus? …… no• Are there still lots of implementation issues?
…… yep• Can you ask questions during the
presentation? …… it depends• What were YOU doing on World IPv6 Day?
What is IP?
• Do I need to ask?• Current predominant implementation: IPv4– What’s wrong with IPv4? – Addressing: 32 bits – the famous quad-dotted-
decimal notation (e.g. 152.19.145.93)– Provides for 4,294,967,296 IP addresses– Devices are statically configured for all necessary
information or use DHCP for all necessary information
IPv4 Addresses Exhausted
Solutions for Addressing Addressing
• NAT? – NO!! NAT is evil – NAT violates the end-to-end principle
that’s the foundation of the Internet – NAT sucks …..• Large business failures?
– “Microsoft has managed to purchase 666,624 IP addresses from the bankrupt Canadian company Nortel for $7.5 million.”
– Doesn’t scale unless the economy REALLY gets bad• IPv6
– Bringing you a new address plan since 1998 (13 years ago!)
IPv6 Addresses
• 128 bit addresses instead of 32 bits• Allows for
340,282,366,920,938,463,463,374,607,431,768,211,456 nodes
• 52 trillion trillion addresses per person in the world
• “Allows for scalable, simple and easily understandable addressing schemes” (pause for chuckle)
IPv6 Addressing Format• IPv6 address consists of 8 sets of 16 bit hex values, totaling 128
bits– Ex: 2610:0028:3090:5001:dddd:7a76:9e51:aacc
• 16 bit hex values separated by colons• Abbreviation is possible
– Can omit leading zeros– Consecutive zeroes in contiguous blocks can be represented by double
colons• Ex: 2610:0028:0000:3090:0000:0000:9e51:aacc becomes
2610:28:0:3090::9e51:aacc (ahhh … MUCH better …..)
• Network prefix like IPv4 CIDR – 152.19.145.0/24• IPv6 network prefix has similar notation –
2610:28:3090:5001::/64
First Impression of IPv6 Addresses
What Else Does IPv6 Offer?
• No more broadcast addresses: IPv6 uses multicast instead (oh, joy!!)
• SLAAC: Stateless Address Auto-Configuration– Router advertises itself (Router Advertisement)– Router provides IP address prefix info; host portion comes from
end station itself– Uses ICMPv6 (all those sites blocking ICMP on systems --- one
word: don’t!)– Still need DHCPv6 though and that presents other issues
• No router fragmentation (jumbo frames users take note!)• No ARP – Neighbor Discovery Protocol instead (which also
uses ICMPv6 and multicast)
IPv6 Addressing Model
• Interfaces can have multiple addresses
• Addresses have different scopes– Link-local– Unique-local– Global
Global (Unicast) Addresses
• Routable across the Internet• Structured hierarchically to allow address aggregation
– 1st 32 bits: ISP (3 high level bits set to 001)– Next 16 bits: Site Level Aggregator– Next 16 bits: LAN designation– Final 64 bits: Interface ID
• /48 network prefix allows for 65,536 LANs (subnets)• So ….. All LANs have 64 bits of network prefix vs.
variable length network prefix of IPv4• Ex: 2610:28:3090:5001:dddd:7a76:9e51:aacc
Unique-Local (Unicast) Addresses
• Analogous to RFC-1918 IPv4 private addresses• Not routable on the Internet• Represented by FD00::/8• Not recommended to use BOTH Global and
ULA– SAS (Source Address Selection) determines when
to use which address; ULA should talk to ULA and Global should talk to Global; has issues
Link-Local (Unicast) Addresses
• Mandatory addresses used between IPv6 devices on the same link
• Automatically assigned by device on startup• Not routed• Begin with FE80::/10
Multicast Addresses
• Prefix of FF00::/8• Second octet defines lifetime (permanent or
temporary) and scope (node/link/site/organization/global)
• Used for Router Advertisements, DHCP, NDP, multicast apps
So, How Much IPv6 Is Out There?
• Not much– Maybe around .04-.08% of all Internet traffic– Around 6% of all networks on the Internet advertise an IPv6
network• World IPv6 Day
– June 8th 2011– Hundreds (wow!) of web companies and industry players
enabled v6 on their main websites for 24 hours– Brought attention to the efforts; demonstrated what issues
there were; demonstrated what issues there weren’t– UNC was a participant
IPv6 Status at UNC
• Not much• Range:
– Campus: 2610:28:3090::/47• Public: 2610:28:3090::/48• On-campus only: 2610:28:3091::/48
– UNC HealthCare (Hospital): 2610:28:8000::/48• NCREN has IPv6 routing enabled locally and with relevant peers• IPv6 disabled on CCI load• Enabled on a small number of campus VLANs, but we still had a
presence on World IPv6 Day– http://www.unc.edu was accessible by IPv6-only clients but without
IPv6 running on the web servers; how’d we do that?
Implementation Strategy
• Dual-stack!!! Run BOTH IPv4 and IPv6 on critical infrastructure services, on servers that need IPv6 access and on limited number of clients that need IPv6 (helps for testing and troubleshooting)
• Implement IPv6 records on DNS servers– A records for IPv4; AAAA records for IPv6– Campus BIND DNS servers in dual-stack mode
• Use static addresses or SLAAC for now (not good long-term strategy); working on DHCPv6 deployment, but there’s ….. issues …..
Issues for Deployment
• Security • Monitoring tools• Security • Measurement tools• Security • Security • And …….
What We Learned Prepping for World IPv6 Day
• FQDN references = good; quad-dotted decimal references = bad
• Is all of your content local? (i.e. do you reference off-site URLs for content?)
• Caching servers (impacted Facebook v6 pages)• Multicast is VERY important and not trivial to
troubleshoot• Windows prefers IPv6 over IPv4 • Solaris has ….. Issues• Default RHEL ip6tables blocks DHCPv6 by default
But Wait, There’s More
• Router Advertisements• DHCPv6– Apple … finally …– DUID (DHCP Unique Identifier)• No longer required to be MAC address• Issue with imaging systems
• More tunnels than the Swiss Alps• IPv6 routing not in current “fluffy” code:
coming soon
Where Do We Go From Here?
• Slowly• Don’t see near-term requirement for IPv6 client
access (other than troubleshooting server setups)• First priorities: server resources that require access
from anywhere in the world (particularly Asia) – Talk to us first– Harden up those servers– Ask for static v6 addresses and register AAAA records– Monitor usage carefully
Resources
• http://ipv6.unc.edu• http://www.getipv6.info/index.php/Main_Page (ARIN IPv6
Wiki)• http://ndtv701ipv6.net.unc.edu:7123/