lt03 idnog04 - dewangga - ipv6 implementation for end users

IPv6 Implementation for End Users (RA) On RouterOS Device

Upload: indonesia-network-operators-group

Post on 29-Jan-2018


About Me

System Engineer

Profile: keybase.io/dewangga

[[email protected]] 0xA028CD70

Transition Problems

• IPv6 subnetting?

• Hardware or firmware support?

• Are we afraid to deploy new technology? :-)

Why IPv6?

• IPv4 NAT issues with approximately thousand(s) of device(s) connected at the same time -- no CGN :-)

• Use bandwidth on both IPv4 and IPv6 at the same time.

• End-to-end encryption and lower risk of man-in-the-middle attack(s)

Limitations

• Deployment using RouterOS (MikroTik)

• SME (Small-Medium Enterprise) Infrastructure

Net Diagram

[Diagram labels: CORE Router, CORE Switch, Branch A Router, Branch B Router, Branch A Clients, Branch B Clients]

Addresses on the diagram: 2001:6400:dead:beef::/64, 2001:6400:dead:beef::1/64, 2001:6400:dead:beef::2/64

Branch A: 2001:6400:dead:b33f::/64

Branch B: 2001:6400:dead:b055::/64

Configurations – Core Router

[[email protected]] > /ipv6 addr

add interface=ether2 address=2001:6400:dead:beef::/64 \

advertise=no

[[email protected]] > /ipv6 rou

add dst-address=2001:6400:dead:b33f::/64 \

gateway=2001:6400:dead:beef::1 check-gateway=ping

add dst-address=2001:6400:dead:b055::/64 \

gateway=2001:6400:dead:beef::2 check-gateway=ping

Configurations – Router Branch A

[[email protected]] > /ipv6 addr

add interface=ether1 \

address=2001:6400:dead:beef::1/64 advertise=no

add interface=ether2 \

address=2001:6400:dead:b33f::/64 advertise=no

[[email protected]] > /ipv6 rou

add dst-address=::/0 \

gateway=fe80::e68d:8cff:fe3f:6732%ether1 \

check-gateway=ping

Configurations – Router Branch B

[[email protected]] > /ipv6 addr

add interface=ether1 \

address=2001:6400:dead:beef::2/64 advertise=no

add interface=ether2 \

address=2001:6400:dead:b055::/64 advertise=no

[[email protected]] > /ipv6 rou

add dst-address=::/0 \

gateway=fe80::e68d:8cff:fe3f:6732%ether1 \

check-gateway=ping

Configurations – Router Advertisement (A & B)

[[email protected]] > /ipv6 nd

set [ find default=yes ] disabled=yes

add advertise-mac-address=no interface=ether2 \

managed-address-configuration=yes mtu=1500 \

other-configuration=yes reachable-time=10s \

retransmit-interval=5s

[[email protected]] > /ipv6 nd prefix

add interface=ether2 prefix=2001:6400:dead:b33f::/64

[[email protected]] > /ipv6 nd prefix \

default set autonomous=no

Clients Configuration

• Just enable IPv6 configuration on an operating system that supports IPv6 RA (the latest operating systems support IPv6 natively by default)

• The client should receive an IPv6 address from RA (e.g. 2001:6400:dead:b33f:5054:ff:fe3d:498f or 2001:6400:dead:b33f:f5a6:5d7b:6647:2bf5)
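
The two sample client addresses above differ in how the interface ID was formed: the first carries the ff:fe marker of a modified EUI-64 ID, so the client's MAC address can be read back from its global address, while the second is opaque. As an added example (not from the original slides), this Python sketch checks an address against the Branch A prefix and recovers the embedded MAC; the function names are hypothetical, and it also accepts link-local addresses such as the gateway used in the routes.

```python
import ipaddress

# Prefix advertised on Branch A's ether2, taken from the slides.
BRANCH_A = ipaddress.ip_network("2001:6400:dead:b33f::/64")

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    # Drop a zone suffix such as %ether1 before parsing.
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]  # low 64 bits
    if iid[3:5] != b"\xff\xfe":          # marker bytes inserted by EUI-64
        return None
    # Undo the universal/local bit flip, then drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def classify(addr, prefix=BRANCH_A):
    """Report prefix membership and how the interface ID was formed."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    if ip not in prefix:
        return {"address": str(ip), "in_prefix": False,
                "kind": "foreign", "mac": None}
    mac = eui64_mac(addr)
    # "opaque" covers temporary, stable-privacy, DHCPv6 and manual IDs;
    # a random ID can match ff:fe by chance (1 in 65536), so treat
    # "eui64" as a strong hint rather than proof.
    kind = "eui64" if mac else "opaque"
    return {"address": str(ip), "in_prefix": True, "kind": kind, "mac": mac}

# Addresses quoted in the slides: two clients and the default gateway.
SAMPLES = [
    "2001:6400:dead:b33f:5054:ff:fe3d:498f",
    "2001:6400:dead:b33f:f5a6:5d7b:6647:2bf5",
    "fe80::e68d:8cff:fe3f:6732%ether1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", eui64_mac(sample) or "no embedded MAC")
    for sample in SAMPLES[:2]:
        print(classify(sample))
```

A client whose address classifies as `eui64` keeps the same interface ID on every network it joins, which is why many operating systems default to temporary or stable-privacy IDs instead.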

In GUI :-)

Conclusion

• Do NOT do any deployment if you aren't ready yet. Don't leave any vulnerable system exposed to the whole world.

• By enabling IPv6 for end user(s), we help operators reduce CGN usage and the router CPU load caused by NAT.

• Ensure scalability, reachability and connectability for end user(s).

Thanks