BRKRST-2619

IPv6 Deployment Developing an IPv6 Address Plan and Deploying IPv6

Jim Bailey, Solution Architect
Source - https://imgur.com/HyCwObF

BRKRST-2619 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Introduction

• Why are we doing this?

• What is an IPv6 Address?

• How do you break it down?

• How do I integrate IPv6?

• Conclusion

Why are we doing this?

IPv4 Address Exhaustion

http://www.potaroo.net/tools/ipv4/

% of IPv6 users as seen by Google

https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption&tab=ipv6-adoption

Why Bother?

• Continuity of Business
• To ensure services are available to customers and partners
• New products and enhanced service delivery
• Government/Partner/Corporate mandates or regulations
• Avoid the risk and cost associated with unplanned and uncontrolled implementation of IPv6
• Avoid the increased cost of moving to IPv6 when the industry and suppliers are driving the market

[Chart: Cost vs. Time – the shrinking size of the IPv4 free pool against the growth of IPv6 deployment, with "Today" marked]

Cisco VNI IPv6 Traffic Forecast

https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/white-paper-c11-741490.pdf

What is an IPv6 Address?

IPv6 Addresses

• IPv6 addresses are 128 bits long
• Segmented into 8 groups of four HEX characters (called HEXtets)
• Separated by a colon (:)
• Default is 50% for network ID, 50% for interface ID

Global Unicast Identifier Example

  Network Portion                         Interface ID
  gggg:gggg:gggg:ssss                     xxxx:xxxx:xxxx:xxxx
  Global Routing Prefix    Subnet ID      Host
  n <= 48 bits             64 – n bits

  Full Format:         2001:0000:0000:00A1:0000:0000:0000:1E2A
  Abbreviated Format:  2001:0:0:A1::1E2A
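The split drawn on the slide, worked in code. This is an added example, not from the deck; it uses only the Python standard library, and the 48-bit global routing prefix is the enterprise case from the slide (n <= 48), kept as a parameter. Note that Python prints hex digits in lowercase.

```python
# Added example, not from the deck: pull an IPv6 address apart into the eight
# HEXtets and the network / interface-ID halves the slide describes.
# Standard library only; the /48 global routing prefix length is the
# enterprise case on the slide (n <= 48) and is a parameter here.
import ipaddress


def hextets(addr: str) -> list:
    """The eight four-hex-digit groups of the full (exploded) format."""
    return ipaddress.IPv6Address(addr).exploded.split(":")


def full_format(addr: str) -> str:
    """Full format: every HEXtet written with all four digits."""
    return ipaddress.IPv6Address(addr).exploded


def abbreviated(addr: str) -> str:
    """Abbreviated format (RFC 5952): leading zeros dropped and the longest
    run of all-zero HEXtets replaced by '::'. Hex digits come out lowercase."""
    return ipaddress.IPv6Address(addr).compressed


def split_address(addr: str, grp_len: int = 48) -> dict:
    """Split a global unicast address into the fields drawn on the slide:
    global routing prefix (grp_len bits), subnet ID (64 - grp_len bits) and
    interface ID (the low 64 bits)."""
    if not 0 < grp_len <= 64:
        raise ValueError("global routing prefix must be 1..64 bits")
    value = int(ipaddress.IPv6Address(addr))
    network_id = value >> 64                  # high 64 bits
    interface_id = value & ((1 << 64) - 1)    # low 64 bits
    subnet_bits = 64 - grp_len
    subnet_id = network_id & ((1 << subnet_bits) - 1)
    # Zero everything below the routing prefix so it prints as a network.
    shift = 128 - grp_len
    grp = ipaddress.IPv6Network(((value >> shift) << shift, grp_len))
    return {
        "global_routing_prefix": str(grp),
        "subnet_id": subnet_id,
        "subnet": str(ipaddress.IPv6Network((network_id << 64, 64))),
        "interface_id": f"{interface_id:016x}",
    }


if __name__ == "__main__":
    example = "2001:0:0:A1::1E2A"    # the slide's abbreviated example
    print(full_format(example))       # 2001:0000:0000:00a1:0000:0000:0000:1e2a
    print(hextets(example))
    print(split_address(example))     # subnet ID 0xA1, interface ID ...1e2a
```

With the slide's address the routing prefix comes out as 2001::/48, the subnet ID as 0xA1 (the fourth HEXtet) and the interface ID as the 64-bit value 0x1E2A.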

Types of Unicast IPv6 Addresses

• RFC 4291 IP Version 6 Addressing Architecture

• Link-Local Address (LLA)

• Unique Local Address (ULA) (RFC 4193)
  ‒ Site-Local Address has been deprecated by IETF (RFC 3879, September 2004)

• Global Unicast Address

[Diagram: Link-Local Address, Unique Local Address, Global Address]

How Do We Build an IPv6 Address Plan?

Addressing Plan Requirements and Considerations

Requirements
• Clear addressing for different parts of the network
  ‒ WAN/Core, Campus, branch, DC, Internet Edge etc.
• Different Locations
• Different services
• Encoding of information
• Ease of aggregation
• Leaving space for growth

Considerations
• Length of prefix and bits to work with
  ‒ Enterprises usually multiple /48 (≥ 16 bits)
  ‒ SPs should get /29 (≥ 35 bits)
• Avoid breaking the nibble boundary
• Think of # of prefixes at each level
• Templates will be your friends
• Internal policy for using the Addressing Plan
• Involvement of other teams
  ‒ E.g. Information Security

IPv6 Address Considerations

• Many ways of building an IPv6 Address Plan
  ‒ Regional Breakdown, Purpose built or Generic buckets, Separate per business function
• Hierarchy is key
  ‒ Don’t worry too much about potential inefficiencies
• Prefix length selection
  ‒ Network Infrastructure links, Host/End System LAN
• Addressing hosts
  ‒ SLAAC, DHCP (stateful), DHCP (stateless), Manually assigned

• Building the IPv6 Address Plan
  ‒ Cisco IPv6 Addressing White Paper http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_BN_IPv6AddressingGuide-Feb2013.pdf

IPv6 Address Space - PI vs PA

• Do I Get PI or PA?
  ‒ PI space is great for organizations who want to multihome to different SPs
  ‒ PA if you are single homed or you plan to NAT/Proxy everything with IPv6 (not likely)

• Possible Options for PI
  ‒ Get one large global block from local RIR and subnet out per region
  ‒ Get a separate block from each of the RIRs you have presence in

• Most organizations are going down the PI path
  ‒ Getting assignments across regional registries provides “insurance” against changing policies
  ‒ Traffic Engineering

Addressing Recommendations

• Link Local Address
  ‒ First 64 bits are fixed
  ‒ Interface Identifier can be modified
  ‒ Encoding external identifiers for troubleshooting
    • VLAN number
    • Router IDs
    • IPv4 address
  ‒ Possible to leverage for IGP routing

• Unique Local Address
  ‒ Not recommended for end-point addressing
  ‒ Unless in a closed system
  ‒ Needs Translation (NPTv6 or NAT66) on Internet Edge

• Global Unicast Address
  ‒ Vast number of prefixes
  ‒ Manage just one address space

What about NAT?

A couple of versions of address translation related to IPv6
• NAT-PT
  ‒ Original IPv6-to-IPv4 specification
  ‒ Deprecated
• NPTv6
  ‒ Stateless translation method
  ‒ Only manipulate the prefix
• NAT66
  ‒ Stateful translation
  ‒ Not specified in RFC
• NAT64
  ‒ Translation between IPv6 and IPv4 address families
  ‒ Stateless and stateful methods available

Where should NAT be applied?
• NAT66
  ‒ Address hiding ???
  ‒ That’s the way we do IPv4???
  ‒ It provides security???
  ‒ Multi-homing
• NAT64
  ‒ Boundaries between IPv4 only and IPv6
  ‒ Highly successful in getting quick IPv6 access
  ‒ Cannot be the final state
  ‒ Must move towards full IPv6 integration

http://www.potaroo.net/ispcol/2017-09/natdefence.html

Methodology for writing an IPv6 Addressing Plan

The 4 Rules (Remember Rule #1)
1. Simple
   • You don’t want to spend weeks explaining it!
2. Embed Information
   • To help troubleshooting and operation of the network
   • Examples: location, country, PIN, VLAN, IPv4 addresses in Link Local and/or Global Addresses
3. Build-in Reserve
   • Cater for future growth, mergers & acquisitions, new locations
   • Reserved vs. assigned
4. Aggregatable
   • Good aggregation is essential, just one address block (per location), we can take advantage of this (unlike in IPv4!)
   • Ensures scalability and stability

Methodology – Structure

• Analyze, where will IPv6 be deployed?
  ‒ Addressing plan needs to be designed globally

• Identify the structure of the addressing plan
  ‒ Based on requirements and considerations discussed earlier
  ‒ Top-down approach (this might be different from the IPv4 days when # of hosts per subnet was important)

• Where and how many locations
  ‒ Countries, regions, locations, buildings, etc…
  ‒ Needs to map onto the physical / logical network topology

• Which services, applications and systems connected in each location
  ‒ E.g. Fixed networks, mobile networks, end-users, ERP, CRM, R&D, etc…

Methodology – # Prefixes per Level

• How many prefixes will you need at each level of the addressing plan
  ‒ Example: a BNG can handle 64000 subscribers = 64000 IPv6 prefixes
  ‒ Example: the number of interconnects (P2P) in your network
  ‒ As always, put aside a reserve
• How many /64 prefixes (subnets) you need to deploy at a location
  ‒ Example: desktops, WIFI, guestnet, sensors, CCTV, network infrastructure, etc…
  ‒ As always, put aside a reserve!
• Don’t worry about the number of hosts
  ‒ We have 2^64 IPv6 addresses for hosts!

Methodology – Information Encoding

• Remember transition mechanisms – these will have specific address format requirements
  ‒ ISATAP, NAT64 (/96), 6rd, MAP

• Possible encoding of information in particular portions of the IPv6 prefix
  ‒ VLANs in the prefix
    VLAN 4096 => 2001:db8:1234:4096::/64 (alternatively in hex)
  ‒ The whole IPv4 address or just a portion – consider this carefully – trade-off between linkage vs. independence
    IPv4 address 10.0.13.1 => 2001:db8:1234:100::10:0:13:1
  ‒ Router IDs in the Interface Identifier / IPv4 in Link-Local

• Consider security implications!

Methodology – Infrastructure Addressing

• How about router interconnects / point-to-point links?
  ‒ First recommendations: configured /64, /112 or /126
  ‒ RFC 3627 (Sept. 2003 - /127 considered harmful) – moved to historic by RFC 6547 (Feb. 2012)
  ‒ Since April 2011, RFC 6164 recommends /127 on inter-router links
  ‒ Current recommendation /64, /126 or /127 – (/127 mitigates ND exhaustion attacks)
  ‒ Allocate /64 from a block (e.g. /54) for infrastructure links but configure /127
    Example: 2001:420:1234:1:1::0/127 and 2001:420:1234:1:1::1/127

• Loopbacks
  ‒ E.g. Dedicate /64 for Loopback addresses
  ‒ Allocate /64 per Loopback but configure /128
    Example: 2001:420:1234:100:1::1/128 and 2001:420:1234:101:1::1/128
  ‒ Avoid a potential overlap with reserved address space (e.g. Embedded RP address)

Prefix Length Considerations

• Anywhere a host exists /64
• Point to Point /127
• Loopback or Anycast /128
• RFC 7421 /64 is here
• RFC 6164 /127 cache exhaust

[Diagram: Hosts /64, Servers /64, Core /64 or /127, Pt 2 Pt /127, WAN /127, Loopback /128]

Link Local Only?

• Exclusively use Link Local Addresses on network infrastructure
• Prefix Lengths don’t matter anymore
• Network Infrastructure is un-reachable from outside of the network
• Smaller routing tables
• Will impact your network management system
  ‒ Ping, traceroute, SNMP, TACACS, RADIUS
• See RFC 7404 Using Only Link-Local Addressing inside an IPv6 Network

[Diagram: R101 --- R111; R111 Ethernet0/0: 10.112.0.111 255.255.255.0, FE80::111 link-local]

R111#sh run int eth0/0
!
interface Ethernet0/0
 ipv6 enable
 ospfv3 1 ipv6 area 0
end

R111#sh ipv6 route
IPv6 Routing Table - default - 2 entries
O   1::1/128 [110/10]
     via FE80::101, Ethernet0/0
L   FF00::/8 [0/0]
     via Null0, receive

R111#sh ospfv3 neigh
          OSPFv3 1 address-family ipv6 (router-id 1.1.1.111)
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
77.1.1.1          1   FULL/DR         00:00:36    3               Ethernet0/0

Example - How Many Subnets in a Location? (For Your Reference)

  /48 allocated to the location
    2^4 = 16 /52s
      2^2 = 4 /54s (infrastructure)
        2^10 = 1024 /64s -> 1024 /127 p-t-p links
        2^10 = 1024 /64s -> 1024 /128 loopbacks
    2^12 = 4096 /64 subnets

• Follow the logical flow
• How many subnets in each location?
• What does sit under infrastructure?
• How many point-to-point links?
• Where is the reserve?

Example of an IPv6 Prefix Break-down (ISP) (For Your Reference)

Tools for Managing IPv6 Addressing Plan

• Not just a spreadsheet, please! Prone to error

• There are many IP Address Management tools on the market
  ‒ Cisco Prime Network Registrar http://www.cisco.com/en/US/products/ps11808/index.html
  ‒ Other IPAM tools include Infoblox, BlueCat, BT Diamond

• Work with an IPv6 prefix calculator
  ‒ Example: http://www.gestioip.net/cgi-bin/subnet_calculator.cgi

Recommendations

• Link-Local Address
  ‒ Interface Identifier can be modified
  ‒ Encoding e.g. VLAN number, router IDs, IPv4 address, may make the troubleshooting easier
  ‒ Default is EUI-64
• Stay on the 64 bit boundary!!!
• Keep it simple
• Restrict it to Network Infrastructure

Example 1: EUI-64 FE80::ABDC:12FF:FE34:5678
Example 2: Router ID 1.1.1.1 => FE80::1:1:1:1 (identifies the device rather than a link, all interfaces on one device have the same LLA)
Example 3: VLAN number 1006 => FE80::1006 (VLAN to which a server is connected)
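The encodings from the Information Encoding slide (VLAN in the subnet ID, IPv4 address in the interface ID) and from the examples above (router ID or VLAN in a link-local address), as one added example that is not part of the deck. The site prefix 2001:db8:1234::/48 and the 0x100 subnet ID used for the IPv4 example are assumptions. One detail: the slide writes the IPv4 example as 2001:db8:1234:100::10:0:13:1, but with eight groups already present the "::" would stand for zero groups, which RFC 4291 does not allow, so the code produces 2001:db8:1234:100:10:0:13:1.

```python
# Added example, not from the deck: encoding operational identifiers into
# address fields the way the Information Encoding and Recommendations slides
# show - a VLAN number in the /64 subnet ID, an IPv4 address in the interface
# ID, and a router ID or VLAN number in a link-local address. The site prefix
# 2001:db8:1234::/48 and the 0x100 subnet ID used for the IPv4 example are
# assumptions (2001:db8::/32 is the RFC 3849 documentation prefix).
import ipaddress

SITE = ipaddress.IPv6Network("2001:db8:1234::/48")    # assumed site block
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


def _digits_as_hex(number: int) -> int:
    """Write the decimal digits of `number` so they read back as-is in the hex
    text form: 4096 -> 0x4096. Only values up to 9999 fit one HEXtet."""
    if not 0 <= number <= 9999:
        raise ValueError("only 0..9999 can be spelled in one HEXtet")
    return int(str(number), 16)


def _octets_as_iid(ipv4: str) -> int:
    """Spell each IPv4 octet as its own HEXtet in the 64-bit interface ID:
    10.0.13.1 -> 0010:0000:0013:0001."""
    octets = [int(o) for o in str(ipaddress.IPv4Address(ipv4)).split(".")]
    iid = 0
    for o in octets:
        iid = (iid << 16) | _digits_as_hex(o)
    return iid


def vlan_subnet(vlan: int, decimal_digits: bool = True) -> str:
    """The /64 for a VLAN. decimal_digits=True gives the slide's readable form
    (VLAN 4096 -> ...:4096::/64); False stores the VLAN in plain hex
    (VLAN 4096 -> ...:1000::/64, the slide's 'alternatively in hex')."""
    subnet_id = _digits_as_hex(vlan) if decimal_digits else vlan
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    return str(ipaddress.IPv6Network((int(SITE.network_address) | (subnet_id << 64), 64)))


def decode_vlan(subnet: str, decimal_digits: bool = True) -> int:
    """Read the VLAN back out of the fourth HEXtet of a /64."""
    hextet = ipaddress.IPv6Network(subnet).network_address.exploded.split(":")[3]
    return int(hextet) if decimal_digits else int(hextet, 16)


def embed_ipv4(ipv4: str, subnet_id: int = 0x100) -> str:
    """Global address whose interface ID spells the host's IPv4 address."""
    value = int(SITE.network_address) | (subnet_id << 64) | _octets_as_iid(ipv4)
    return str(ipaddress.IPv6Address(value))


def recover_ipv4(addr: str) -> str:
    """Inverse of embed_ipv4: the low four HEXtets read as decimal octets."""
    low = ipaddress.IPv6Address(addr).exploded.split(":")[4:]
    octets = [int(h) for h in low]           # ValueError if a hex letter appears
    if any(o > 255 for o in octets):
        raise ValueError("interface ID does not spell an IPv4 address")
    return ".".join(str(o) for o in octets)


def router_id_lla(router_id: str) -> str:
    """Link-local address carrying the router ID: 1.1.1.1 -> fe80::1:1:1:1.
    The same LLA can be configured on every interface of the device."""
    return str(ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | _octets_as_iid(router_id)))


def vlan_lla(vlan: int) -> str:
    """Link-local address carrying the VLAN a server sits on: 1006 -> fe80::1006."""
    return str(ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | _digits_as_hex(vlan)))


if __name__ == "__main__":
    print(vlan_subnet(4096), vlan_subnet(4096, decimal_digits=False))
    print(embed_ipv4("10.0.13.1"), recover_ipv4(embed_ipv4("10.0.13.1")))
    print(router_id_lla("1.1.1.1"), vlan_lla(1006))
```

The decimal-digits trick is what makes the encoded value readable in a show command, which is the operational point of the slide; the decode functions are the troubleshooting direction, and they refuse values that do not spell a VLAN or an IPv4 address.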

Recommendations

• Unique Local Address
  ‒ Don’t deploy
  ‒ Not for end-point addressing
  ‒ Unless in a closed system
  ‒ Needs translation for outside of domain communication

• Global Unicast Address
  ‒ Take advantage of the vast number of prefixes
  ‒ Manage just one address space

• Remember: an Interface has multiple IPv6 addresses

IPv6 Addresses per Interface (For Your Reference)

• Link-local

• Global unicast and/or Anycast

• All nodes multicast

• Multicast address of all groups it subscribes to

• Its own solicited-node multicast address

• Loopback (::1) – per node

IPv6 Addresses per Interface (For Your Reference)

• Router output

Cat3750-X#show ipv6 int GigabitEthernet1/1/1
GigabitEthernet1/1/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::523D:E5FF:FE1D:4142
  Global unicast address(es):
    2001:428:E204:FD00::23, subnet is 2001:428:E204:FD00::22/127
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::5
    FF02::1:FF00:23
    FF02::1:FF1D:4142
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND RAs are suppressed (all)
  Hosts use stateless autoconfig for addresses.

IPv6 Addresses don’t work well with Text messaging and Instant Messaging clients!

Source: Cisco Jabber – output of “show ipv6 cef” command

IPv6 Address Assignment

Host Address Assignment

        Manual                     Stateless                         Stateful DHCPv6
Pros    Address is stable          Scales well                       Well understood process
        Controlled assignment      Time to deploy                    Controlled assignment
        Well understood process    Widely implemented                Time to deploy
Cons    Does not scale             No control on assignment process  Implementation in OS
        Time to deploy             Not well understood               Must design for HA
                                   Lack of management

• The choice of assignment depends on the existing processes and the adaptability of that process
• Remember that the methods are not mutually exclusive - all three can be used
• Regardless of choice, you must still control stateless address assignment

Managing IPv6 Address Assignment

• Likely to use combination of at least 2 methods

• Usage depends on the place in the network (PIN) & end-devices

• P2P/Infrastructure links/devices & “heavily” managed environment (e.g. public servers)
  ‒ Manual assignment
  ‒ Link-Local addresses only? Using Only Link-Local Addressing Inside an IPv6 Network
• End-user VLAN
  ‒ Stateful DHCPv6
• Non-managed environment (e.g. Public Hotspots)
  ‒ SLAAC + stateless DHCPv4
• Remember: EUI-64 => MAC exposed in the address on the Internet
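The last bullet in code, from the defender's side: how the default EUI-64 interface ID is derived from the MAC, and an audit that flags EUI-64-derived addresses in neighbor-cache output so the exposure can be found and the affected hosts moved to DHCPv6 or privacy addresses. This is an added example, not from the deck; it uses only the standard library. The sample lines are constructed from addresses that appear elsewhere in this deck (the Cat3750-X link-local address and the three host entries on the coexistence slide); the MAC shown on the 3750 line is constructed to match.

```python
# Added example, not from the deck: how SLAAC's default EUI-64 interface ID
# is built from a MAC address, and an audit that flags EUI-64-derived
# addresses in neighbor-cache output so the MAC exposure the slide warns
# about can be found. Standard library only. The sample lines are the
# addresses shown elsewhere in this deck, re-typed here as constructed input.
import ipaddress
import re
from typing import Dict, Iterable, Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe in the middle of the 48-bit MAC and
    flip the universal/local bit (bit 0x02 of the first octet).
    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    b = bytearray.fromhex(digits)
    b[0] ^= 0x02
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")


def slaac_address(prefix: str, mac: str) -> str:
    """The address a host would auto-configure from a /64 RA prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def is_eui64(addr: str) -> bool:
    """True when bits 24..39 of the interface ID carry the ff:fe marker."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(addr: str) -> Optional[str]:
    """Undo the EUI-64 construction; None if the address is not EUI-64."""
    if not is_eui64(addr):
        return None
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b)


def audit_eui64(neighbor_lines: Iterable[str]) -> Dict[str, str]:
    """Map each EUI-64-derived address in `show ipv6 neighbors`-style output
    (address in the first column) to the MAC it reveals."""
    found = {}
    for line in neighbor_lines:
        fields = line.split()
        if not fields:
            continue
        try:
            addr = str(ipaddress.IPv6Address(fields[0]))
        except ipaddress.AddressValueError:
            continue            # header or non-address line
        mac = mac_from_eui64(addr)
        if mac:
            found[addr] = mac
    return found


# Constructed sample: neighbor-cache lines using addresses from this deck.
SAMPLE_NEIGHBORS = """\
IPv6 Address                              Age Link-layer Addr State Interface
FE80::523D:E5FF:FE1D:4142                   0 503d.e51d.4142  REACH Gi1/1/1
2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1         4 000d.6084.2c7a  STALE Vl2
2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC        16 000d.6084.2c7a  STALE Vl2
FE80::7DE5:E2B0:D4DF:97EC                  16 000d.6084.2c7a  STALE Vl2
""".splitlines()

if __name__ == "__main__":
    print(slaac_address("2001:db8:cafe:2::/64", "000d.6084.2c7a"))
    print(audit_eui64(SAMPLE_NEIGHBORS))
```

Only the switch's own link-local address is flagged; the two global addresses and the link-local of the host on Vl2 carry random interface IDs, which is what privacy addressing looks like in the cache.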

IPv6 Addressing Pop Quiz!!!!!

Questions

• Is fe80:1bd:8a71:145::1 a legitimate IPv6 address?

• How many addresses can you assign to an interface?

• Is 2001:db8:1234::/128 usable as a loopback address?

• Are 2001:db8:567:43ab::9 and 2001:db8:567:43ab::10 on the same /127 subnet?

• What is the air speed velocity of an unladen swallow?

IPv6 Planning

The Scope of IPv6 Deployment

Planning and coordination is required from many across the organization, including …

• Network engineers & operators
• Security engineers
• Application developers
• Desktop / Server engineers
• Web hosting / content developers
• Business development managers
• …

Moreover, training will be required for all involved in supporting the various IPv6 based network services

Where do I start?

• Core-to-Access – Gain experience with IPv6
• Turn up your servers – Enable the experience
• Access-to-Core – Securing and monitoring
• Internet Edge – Business continuity

[Diagram: Access Layer, Core, ISPs, WAN, Servers, Branch, Internet Edge]

Common Deployment Models for Internet Edge

• Pure Dual Stack
• Conditional Dual Stack
• Translation as a Service

[Diagram: Internet, Partner and Branch connections through Edge, Agg + Services, Phy/Virt. Access, Storage and Compute for each model; host types shown are IPv4-only Hosts, Dual Stack Hosts and Mixed Hosts; the translation model uses a Multi-Tenant core with an AFT (SLB64 / NAT64) boundary between IPv4 and IPv6]

IPv6 Readiness Assessment

Readiness Assessment

• A key and mandatory step to evaluate the impact of IPv6 integration
  ‒ Evaluate costs and define timelines
  ‒ Define the scope of integration

• Should be split in several components
  ‒ Network Infrastructure
  ‒ Service Providers
  ‒ End Systems
  ‒ Applications
  ‒ Operations
  ‒ Addressing

Network Assessment

• Break the project down into phases
  ‒ Avoids false positives and cuts back on upgrade costs
• Determine place in the network (PIN), platforms, features that are needed in each phase
  ‒ RIPE-554
  ‒ IPv6 Ready Logo Program
• Work with your vendor to address the gaps
  ‒ Applies to all of your vendors

Commonly Deployed IPv6-enabled OS/Apps

[Table: Operating Systems | Virtualization & Applications]

Most commercial applications won’t be your problem – it will be the custom/home-grown apps that are difficult

What Defines an Application?

Are these applications? Or just ports?
  HTTP 80, FTP 20/21, POP3 110, IMAP 143, HTTPS 443, SMTP 25
  IPv4/IPv6 transport

What about these? [application logos]

Services Assessment

• Evaluate the organizations that are going to provide services to support your deployment
  ‒ Internet Service
  ‒ Application
  ‒ Cloud Services
  ‒ Content Management
  ‒ DNS
• Deployment Type
  ‒ Dual Stack, Native or Overlay
• What kind of services are offered
  ‒ Are they “IPv6 Capable”?
  ‒ If not, when will IPv6 be integrated?

Questions to ask your Internet Service Provider
http://docwiki.cisco.com/wiki/What_To_Ask_From_Your_Service_Provider_About_IPv6

Operational Assessment

• Evaluate the tools in the NMS for IPv6 capability
  ‒ All tools across the FCAPS model

• Define what is critical and what can wait
  ‒ Is it critical to support netflow or anycast DNS?

• Custom scripts
  ‒ Updated to accommodate dual transports
    Override default behavior to prefer one over the other
  ‒ Are there new scripts needed? Are both transports available?
    # addresses per host, DNS queries/response, validating summarization

IPv4 Address Assessment

• Assess how the existing IPv4 address space is used
  ‒ Useful information for
    • IPv6 integration
    • IPv4 address consolidation
    • Reclaiming unused address space

• Use existing tools
  ‒ IPAM
  ‒ ARP tables
  ‒ Routing tables
  ‒ DHCP logs

[Diagram: Better visibility into how the existing address space is used -> Can better answer when IPv6 is critical]

Integration Mechanisms

Transition Solution Universe!

Connecting IPv6 Sites Together

• Using Tunnels – Manually configured tunnels, IPv6 over GRE, LISP, IPSec Tunnels, Dynamic Multipoint VPN (DMVPN), FlexVPN
• Dual Stack IPv4/IPv6 Service – Dual Stack CPEs over a Dual Stack WAN
• 6VPE Service – MPLS IPv4 Core with 6VPE, Dual Stack CEs

[Diagram: Customer and Subscriber Networks connected across an IPv4 WAN, a Dual Stack IPv4 / IPv6 WAN and a 6VPE MPLS IPv4 Core to a Dual Stack Headquarters; Carrier Grade NAT shown on the IPv4 path]

SP IP Network Transition options

[Diagram: SP transition options between the IPv4 Internet and the IPv6 Internet – IPv4 Carrier Grade NAT (NAT444); IPv6 Rapid Deployment (6rd) with a 6rd BR over an IPv4 access network (ex: DOCSIS 3.0); Native IPv6 Broad Band Connectivity over a Dual Stack Core; IPv4-Only Subscriber via an IPv6 Access Network using DS-Lite (AFTR, w/NAT44); IPv6-Only Access with AFT64, L2TP (LNS) and 4rd BR; Softwires: MAP-E (Encap), MAP-T (L3 and L4 in header), Lw4over6, 4rd, 464Xlat]

For more info see: http://www.cisco.com/go/cgv6

Coexistence Considerations

Scalability and Performance

• IPv6 Neighbor Cache = ARP for IPv4
• In dual-stack networks the first hop routers/switches will now have more memory consumption due to IPv6 neighbor entries (can be multiple per host) + ARP entries

ARP entry for host in the campus distribution layer:
Internet  10.120.2.200  2  000d.6084.2c7a  ARPA  Vlan2

IPv6 Neighbor Cache entry:
2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1   4  000d.6084.2c7a  STALE  Vl2
2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC  16  000d.6084.2c7a  STALE  Vl2
FE80::7DE5:E2B0:D4DF:97EC            16  000d.6084.2c7a  STALE  Vl2

• There are some implications to managing the IPv6 neighbor cache when concentrating large numbers of end systems

Neighbor Unreachability Detection (NUD)

• The neighbor cache maintains mapping information
  ‒ Neighbor’s reachability state is also maintained

• Neighbors can be in one of 5 possible states
  ‒ INCOMPLETE – Address resolution is in progress and link-layer address is not yet known.
  ‒ REACHABLE – Neighbor is known to be reachable within last reachable time interval.
  ‒ STALE – Neighbor requires re-resolution, traffic may flow to neighbor.
  ‒ DELAY – Neighbor pending re-resolution, traffic might flow to neighbor.
  ‒ PROBE – Neighbor re-resolution in progress, traffic might flow to neighbor.

• Every entry that is marked STALE in the neighbor cache will need to have its state verified
  ‒ Traffic will be forwarded using the STALE entry
  ‒ NUD will use NS/NA to detect reachability

• How often NUD runs depends on the value of AdvReachableTime that is set in RA messages
  ‒ Cisco default is 30 seconds

• Consider CPU load for maintaining state for thousands to tens of thousands of entries!

Neighbor Unreachability Detection (NUD) Implications

• What to do?
• Don’t Panic!
  ‒ Unless you forgot your towel
• New features to manage the neighbor cache
  ‒ Extend the reachable time advertised in RA’s (max value is 1 hour)
  ‒ Unsolicited NA glean (more to avoid traffic disruption)
  ‒ ND cache timers (control how long an entry is maintained in STALE state; default is 4 hours)
  ‒ ND cache refresh (run NUD before purging STALE neighbors)
  ‒ NUD exponential retransmit (spread out the NS packets)

Understanding Co-Existence Implications

• Resources considerations
  ‒ Memory (storing the same amount of IPv6 routes requires less memory than might be expected)
  ‒ CPU (insignificant increase in the case of HW platforms, additive in the case of SW platforms)
• Control plane considerations
  ‒ Balance between IPv4/IPv6 control plane separation and scalability of the number of sessions
• Performance considerations
  ‒ Forwarding in the presence of advanced features
  ‒ Convergence of IPv4 routing protocols when IPv6 is enabled

[Chart: Memory (bytes) vs. Number of Routes, IPv4 and IPv6 with linear trend lines]
[Chart: Time vs. Number of Prefixes, IPv4 OSPF and IPv6 OSPF with linear trend lines]

QoS Considerations

• IPv4 and IPv6 QoS features are mostly compatible (RFC 2460/3697)
• Both Transports use DSCP (aka Traffic Class)
• Control plane Queues need to now take into account IPv6 overhead too
• IPv6 classification can follow the same IP Precedence, Service Class, DSCP and EXP values already defined for IPv4.
• IPv6 will utilize the same Network Control, Voice, Gold, Bronze, Silver, Best Effort classes

[Diagram: IPv4 header (Version, IHL, Type of Service/DSCP, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding) alongside the IPv6 header with DSCP in the Traffic Class field]

QoS CLI

class-map match-any Critical_Data
 match dscp af21
class-map match-any Voice
 match dscp ef
class-map match-all Scavenger
 match dscp cs1
class-map match-any Bulk_Data
 match dscp af11
!
policy-map DISTRIBUTION
 class Voice
  priority percent 10
 class Critical_Data
  bandwidth percent 25
  random-detect dscp-based
 class Bulk_Data
  bandwidth percent 4
  random-detect dscp-based
 class Scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  random-detect

• Class maps can match both IPv4 and IPv6 traffic
• Can be broken into “ip” and “ipv6” matching
• Design principles still the same
  ‒ Mark at the edge
  ‒ Trust boundaries still apply
  ‒ Queue sizing

[Diagram: Data, Voice, Video and Internet traffic classes]

Management and Operations

Don’t Forget About Network Management

• Management and design strategies for IPv6 addressing policies and operation
• Introduction of extended IP services: DHCPv6, DNSv6, IPAM
• Managing security infrastructures: Firewall, IDS, AAA
• Tool visibility, insight and analysis of IPv6 traffic
  ‒ Netflowv9, IPv6 SLA
• Dual Stack Interfaces and tools
  ‒ Reporting combined v4 and V6 traffic statistics.
  ‒ Requires support in
    • Instrumentation (MIB, Netflow records, etc.)
    • NMS tools and systems

IPv6 Instrumentation

[Diagram: IPv6/IPv4 Dual Stack Hosts – L2 Campus: IPv6 FHS, Port ACL, IPv6 MIBs; L3: IPv6 Traffic Metering with Flexible Netflow, Response measurement with IP SLA, Prefix Propagation; Internet edge: IPv6 over IPv4 tunnel, IPv6 Tunnel detection with NBAR2, Tunnel Filtering with ASA, IDS/IPS signatures]

Troubleshooting IPv6 Issues

• IPv4 or IPv6 is transparent to a user since names are used to connect to web sites or other hosts
  ‒ http://www.google.com will take us to Google

• Typically an end user will notice issues if all of the following are true:
  ‒ IPv6 is enabled on the desktop
  ‒ The DNS query returns an IPv6 AAAA record
  ‒ IPv6 is preferred over IPv4
  ‒ There are connectivity problems over IPv6

[Diagram: TCP / UDP over IPv4 (Ethertype 0x0800) and IPv6 (Ethertype 0x86dd) over the Data Link (Ethernet)]

Diagnosing IPv6 Issues

• When a desktop needs to connect to a web site, the first thing it does is resolve the DNS name to an IP address.

• If the address returned contains an AAAA record and IPv6 is enabled and preferred on the host, it will use IPv6 to reach that website.

• If there are issues with IPv6 connectivity further in the network, the host may not be able to connect (or load the page in a browser)

• The host will wait for IPv6 to time out before falling back to IPv4 (this is ~30 sec for Windows), which leads to a bad user experience.

• Basic troubleshooting using ping, tracert, ipconfig should help isolate the issue

Troubleshooting

IPv6 Testing Considerations

• How do hosts react to auto-configuration?
• Are devices taking both a static and auto-configuration?
• Should IPv6 RA’s be disabled? How do devices react to that?
• Does the application being used implement the SAS (Source address selection) algorithm correctly?
• How do devices react with A and AAAA DNS records?
• What happens if IPv4 is disabled?
• What happens if IPv6 is impaired?

[Diagram: host exchanges under test – ARP request, RA, DHCP reply, DNS reply (A record, AAAA record)]

IPv6 Testing Considerations

• Create base line template that should be run as part of all IPv6 solution testing
  ‒ Hosts/Servers/End Systems
  ‒ Routers/Switches
  ‒ Firewalls/IPS
  ‒ Operating Systems
  ‒ Applications

• Template should consist of basic IPv6 RFC 2460 functionality.
  ‒ IPv6 Ready Logo - http://www.ipv6ready.org
  ‒ USGv6 - http://www-x.antd.nist.gov/usgv6/index.html
  ‒ RIPE-554 - http://www.ripe.net/ripe/docs/current-ripe-documents/ripe-554

IPv6 Tools

• Different ways to check on what is happening
• Where’s my prefix?
  ‒ Route servers and looking glasses - http://www.bgp4.as/looking-glasses
  ‒ Look at your network from the outside in
• Pings, traceroutes, SSL cert and DNS queries
  ‒ https://atlas.ripe.net/results/
• IPv6 troubleshooting tools for mobile devices (iOS & Android)
  ‒ IPv6 toolkit, HE.net, Netalyzr, LanDroid, Netstat

IPv6 and DNS

Hostname to IP Address
  IPv4 – A Record:     www.abc.test.  A     192.168.30.1
  IPv6 – AAAA Record:  www.abc.test   AAAA  2001:db8:C18:1::2

IP Address to Hostname
  IPv4 – PTR Record:   1.30.168.192.in-addr.arpa.  PTR  www.abc.test.
  IPv6 – PTR Record:   2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa  PTR  www.abc.test.
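The reverse-DNS names above, generated and checked in code. This is an added example, not from the deck; it uses only the standard library. ptr_name() produces the in-addr.arpa and ip6.arpa owner names for the slide's addresses, reverse_zone() the apex you would delegate for a prefix (which is why IPv6 reverse delegation wants prefixes on a nibble boundary), and address_from_ptr() turns an owner name back into an address so existing reverse zones can be audited against the address plan.

```python
# Added example, not from the deck: building and checking the forward and
# reverse DNS names on the slide. ptr_name() produces the in-addr.arpa /
# ip6.arpa owner names, reverse_zone() the apex you would delegate for a
# prefix, and address_from_ptr() turns a PTR owner name back into an
# address so zone files can be audited. Standard library only.
import ipaddress


def ptr_name(addr: str) -> str:
    """Owner name of the PTR record for an address (with trailing dot)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")        # 32 hex digits, one label each
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix: str) -> str:
    """Apex of the reverse zone covering a prefix. IPv4 cuts on octets,
    IPv6 on nibbles, so the prefix length must be a multiple of 8 / 4."""
    net = ipaddress.ip_network(prefix)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are cut on octet boundaries")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are cut on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_record(addr: str, hostname: str) -> str:
    """A zone-file PTR line for the address."""
    if not hostname.endswith("."):
        hostname += "."
    return f"{ptr_name(addr)} PTR {hostname}"


def address_from_ptr(owner: str) -> str:
    """Inverse of ptr_name(): the address a PTR owner name stands for."""
    name = owner.lower().rstrip(".")
    if name.endswith(".ip6.arpa"):
        labels = name[: -len(".ip6.arpa")].split(".")
        if len(labels) != 32 or any(len(l) != 1 for l in labels):
            raise ValueError("an ip6.arpa PTR owner needs 32 single-nibble labels")
        nibbles = "".join(reversed(labels))
        return str(ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4))))
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            raise ValueError("an in-addr.arpa PTR owner needs 4 labels")
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    raise ValueError("not a reverse-DNS owner name")


if __name__ == "__main__":
    print(ptr_record("192.168.30.1", "www.abc.test"))
    print(ptr_record("2001:db8:C18:1::2", "www.abc.test"))
    print(reverse_zone("2001:db8:c18:1::/64"))
    print(address_from_ptr(ptr_name("2001:db8:C18:1::2")))
```

Run on the slide's address the ip6.arpa name comes out as the 32-label string shown above; reverse_zone on the /64 it lives in gives the 16-label apex 1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa., which is what a /64 delegation looks like.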

AAAA Records on the Wire

DNS as an Integration Tool

[Diagram, three stages of using DNS to steer IPv6 adoption –
 How: the DNS server answers "Who is www.ipv6.cisco.com?" with AAAA 2001:420:1101:1::a for IPv6 Internet consumers and Remote End Systems, while "Who is www.cisco.com?" still gets A 173.37.145.84;
 Who: the DNS server answers "Who is www.cisco.com?" with A 173.37.145.84 for the Internet, and with A 173.37.145.84 plus AAAA 2001:420:1101:1::a for Corporate End Systems, Business Partners and Government Agencies;
 When: the DNS server answers "Who is www.cisco.com?" with both A 173.37.145.84 and AAAA 2001:420:1101:1::a for Internet and Corporate End Systems]

IPv6 Security

• In 5 slides or less…
• Can’t be done
• Please see the following session for a much more detailed treatment
  ‒ BRKSEC-3200 Advanced IPv6 Security Threats and Mitigation

Slide 78: Security Considerations

Dual Stack increases the types and size of your attack vectors

Dual Stack Host Considerations

• Host security on a dual-stack device
  ‒ Applications can be subject to attack on both IPv6 and IPv4
  ‒ Fate sharing: as secure as the least secure stack...
• Host security controls should block and inspect traffic from both stacks
  ‒ Host intrusion prevention, personal firewalls, VPN clients, etc.

[Diagram: a dual-stack client runs an IPv4 IPSec VPN with no split tunneling, while IPv6 transport stays in the clear; an inbound IPv6 exploit (IPv6 header plus exploit payload) reaches the client outside the tunnel. Caption: "Does the IPSec client stop an inbound IPv6 exploit?"]

Slide 80: Securing the Edge, FW, Perimeter Router

• Address range: source of 2000::/3 at minimum vs. "any"; permit assigned space
• ICMPv6: RFC 4890 "Recommendations for Filtering ICMPv6 Messages in Firewalls"
• Extension headers: allow Fragmentation, others as needed. Block HBH & RH type 0
• IPv6 ACLs:
    permit icmp any any nd-na
    permit icmp any any nd-ns
    deny ipv6 any any log
• ipv6 traffic-filter: applies the ACL to an interface
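As an added example (not from the slides), the following Python applies the edge rules above as a stateless ingress check: the source must be in 2000::/3 and not in the organisation's own space, the destination must be in assigned space, Hop-by-Hop and Routing Header type 0 are blocked while fragments pass, and ICMPv6 is limited to the RFC 4890 section 4.3.1 must-not-drop types plus the ND messages the ACL permits explicitly. The class name, the 2001:db8:c18::/48 assignment and the sample packets are assumptions.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
# RFC 4890 section 4.3.1: ICMPv6 messages a firewall must not drop (destination
# unreachable, packet too big, time exceeded, parameter problem, echo req/reply).
ICMPV6_MUST_PERMIT = {1, 2, 3, 4, 128, 129}
# Neighbor Solicitation / Advertisement, i.e. the nd-ns / nd-na lines of the ACL.
ICMPV6_ND = {135, 136}
HOP_BY_HOP, ROUTING, FRAGMENT = 0, 43, 44   # extension header next-header values
ICMPV6 = 58


class EdgeFilter:
    """Stateless ingress policy for an Internet-facing interface.

    `assigned` is the space the organisation holds (assumed values in the
    test): traffic is admitted only towards it, and an outside packet that
    claims one of those prefixes as its source is spoofed.
    """

    def __init__(self, assigned):
        self.assigned = [ipaddress.IPv6Network(p) for p in assigned]

    def _ours(self, addr):
        return any(addr in p for p in self.assigned)

    def check(self, src, dst, next_header, icmp_type=None, ext_headers=()):
        """Return 'permit' or a 'deny: <reason>' string for one packet.
        ext_headers is the header chain as (next_header, routing_type) pairs."""
        src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        # ND on the link itself stays permitted, as the explicit ACL lines do.
        if next_header == ICMPV6 and icmp_type in ICMPV6_ND:
            return "permit"
        # Address range: 2000::/3 at minimum instead of "any"; no spoofed sources.
        if src not in GLOBAL_UNICAST:
            return "deny: source outside 2000::/3"
        if self._ours(src):
            return "deny: spoofed source from our own assigned space"
        if not self._ours(dst):
            return "deny: destination not in assigned space"
        # Extension headers: fragments allowed, Hop-by-Hop and RH type 0 blocked.
        for nh, rtype in ext_headers:
            if nh == HOP_BY_HOP:
                return "deny: hop-by-hop options header"
            if nh == ROUTING and rtype == 0:
                return "deny: routing header type 0"
        # ICMPv6 restricted to the RFC 4890 must-not-drop set.
        if next_header == ICMPV6 and icmp_type not in ICMPV6_MUST_PERMIT:
            return f"deny: icmpv6 type {icmp_type} not permitted"
        return "permit"
```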

Slide 81: Infrastructure Security - Management Plane

• SSH, syslog, SNMP, NetFlow all work over IPv6
• Dual-stack management plane
  ‒ More resilient: works even if one stack is down
  ‒ More exposed: can be attacked over IPv4 and IPv6
• RADIUS over IPv6 is recent, but IPv6 RADIUS attributes can be transported over IPv4
• As usual, infrastructure ACL is your friend, as well as out-of-band management

    ipv6 access-list VTY
     permit ipv6 2001:db8:0:1::/64 any
    !
    line vty 0 4
     ipv6 access-class VTY in

In IOS-XR the command is 'access-class VTY ingress', and the IPv4 and IPv6 ACL must have the same name.

Slide 82: Control Plane Policing

• Control Plane Policing can be applied to IPv6
• Adapt what's in place today to accommodate IPv6
  ‒ Routing protocols
  ‒ Management protocols
• Remember the extended functionality of ICMP
• Monitor carefully to see what shows up in the logs

    policy-map COPPr
     class ICMP6_CLASS
      police 8000
     class OSPF_CLASS
      police 200000
     class class-default
      police 8000
    !
    control-plane cef-exception
     service-policy input COPPr

• Remember the default rules at the end of all IPv6 ACLs
  ‒ permit icmp any any nd-na
  ‒ permit icmp any any nd-ns
  ‒ deny ipv6 any any
• They apply to any CoPP policy that uses ACLs to match

Slide 83: IPv6 First Hop Security (FHS)

Feature                | Group                     | Role        | Covers
RA Guard               | Core Features             | Protection  | Rogue or malicious RA; MiM attacks
DHCPv6 Guard           | Core Features             | Protection  | Invalid DHCP offers; DoS attacks; MiM attacks
Source/Prefix Guard    | Advanced Features         | Protection  | Invalid source address; invalid prefix; source address spoofing
Destination Guard      | Advanced Features         | Protection  | DoS attacks; scanning; invalid destination address
RA Throttler           | Scalability & Performance | Facilitates | Scale
ND Multicast Suppress  | Scalability & Performance | Reduces     | Control traffic necessary for proper link operations, converting multicast traffic to unicast to improve performance

All of these build on IPv6 Snooping.
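The following Python is an added example, not Cisco code: a per-port RA Guard policy that mirrors the checks implied by the table (RAs accepted only on router-facing ports, link-local source, hop limit 255, advertised prefixes restricted to what the address plan assigns to that link). Port names, prefixes and the RA fields are constructed.

```python
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass
class RouterAdvertisement:
    """The fields of an ICMPv6 Router Advertisement that an RA Guard policy
    inspects (constructed for this example)."""
    port: str        # switch port the RA arrived on
    src: str         # RFC 4861 requires a link-local source address
    hop_limit: int   # RAs are link-scoped, so a genuine one arrives with 255
    prefixes: tuple  # prefixes carried in Prefix Information options


class RAGuard:
    """Per-port RA Guard: only router-facing ports may send RAs, and only for
    prefixes the address plan assigns to that link."""

    def __init__(self, router_ports, allowed_prefixes):
        self.router_ports = set(router_ports)
        self.allowed = [ipaddress.IPv6Network(p) for p in allowed_prefixes]

    def evaluate(self, ra):
        """Return (verdict, reason); a 'drop' is what the switch would log."""
        if ra.port not in self.router_ports:
            return "drop", f"RA on host port {ra.port} (rogue or malicious RA)"
        if ipaddress.IPv6Address(ra.src) not in LINK_LOCAL:
            return "drop", f"RA source {ra.src} is not link-local"
        if ra.hop_limit != 255:
            return "drop", f"hop limit {ra.hop_limit}: RA was not originated on-link"
        for p in ra.prefixes:
            net = ipaddress.IPv6Network(p)
            if not any(net.subnet_of(a) for a in self.allowed):
                return "drop", f"prefix {p} not in the address plan for this link"
        return "permit", "RA from authorised router"

    def audit(self, ras):
        """Apply the policy to a batch of RAs and return the drop reasons."""
        results = [self.evaluate(ra) for ra in ras]
        return [reason for verdict, reason in results if verdict == "drop"]
```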

What Next? State of IPv6 Deployment Today

• IPv4 addresses have been exhausted
• Adoption of IPv6 on the Internet is increasing
• IPv6 integration has a lengthy deployment cycle
• IPv6 integration involves all aspects of IT

http://6lab.cisco.com/stats/

Slide 86: Call to Arms

• Take a systematic, wide approach to IPv6 planning and execution
• Take opportunities to be IPv6 ready in technology refresh cycles

• Learn from others who have undertaken the journey

• Make the leap!

• Be the IPv6 “Nut”

Slide 87: Recommended Reading

• Preparing an IPv6 Addressing Plan (SurfNet white paper)
  www.ripe.net/lir-services/training/material/IPv6-for-LIRs-Training-Course/IPv6_addr_plan4.pdf
• RFC 6177, IPv6 Address Assignment to End Sites
• Cisco IPv6 Addressing white paper
  http://www.cisco.com/en/US/docs/solutions/SBA/August2012/Cisco_SBA_BN_IPv6AddressingGuide-Aug2012.pdf
• ULA voluntary registry
  https://www.sixxs.net/tools/grh/ula/list/

Slide 88: Recommended Reading

Slide 89: More IPv6 Sessions

When                 Session        Title
29 Jan 2019 / 11:00  BRKIP6-2191    IPv6: The Protocol
29 Jan 2019 / 14:15  LABSPG-3122    Advanced IPv6 Routing and services lab
29 Jan 2019 / 14:30  BRKIP6-2616    Beyond Dual-Stack: Using IPv6 like you've never imagined
30 Jan 2019 / 11:00  BRKSPG-2602    IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers
30 Jan 2019 / 14:30  BRKIP6-2301    Intermediate - Enterprise IPv6 Deployment
31 Jan 2019 / 08:30  BRKRST-3304    Hitchhiker's Guide to Troubleshooting IPv6 - Advanced
31 Jan 2019 / 11:00  BRKRST-2619    IPv6 Deployment: Developing an IPv6 Addressing Plan and Deploying IPv6
31 Jan 2019 / 11:00  BRKSEC-3200    Advanced IPv6 Security Threats and Mitigation
31 Jan 2019 / 14:00  LTRIPV-2494    IPv6 Transformation Lab
31 Jan 2019 / 14:00  LABSPG-3122    Advanced IPv6 Routing and services lab
(no time listed)     LABIPV-2261    IPv6 planning, deployment and transition
(no time listed)     LABCRS-1000    Intro IPv6 Addressing and Routing Lab

Slide 90: Useful Resources

• Infoblox IPv6 CoE blog https://community.infoblox.com/t5/IPv6-CoE-Blog/bg-p/IPv6

• Facebook IPv6 Group https://www.facebook.com/groups/2234775539/?ref=bookmarks

• ARIN IPv6 Info Center https://www.arin.net/knowledge/ipv6_info_center.html

• RIPE IPv6 Info Center https://www.ripe.net/publications/ipv6-info-centre

Slide 91: Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How:
1. Find this session in the Cisco Events Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

cs.co/ciscolivebot#BRKRST-2619

Slide 92: Complete your online session survey

• Please complete your Online Session Survey after each session

• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

Slide 93: Continue your education

• Demos in the Cisco campus
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions

Slide 94: Thank you