Enterprise IPv6 Deployment

Tim Martin, CCIE #2020

BRKRST-2301, @bckcntryskr

Agenda

• General Design

• Host Configuration

• Campus Design

• Data Center

• Translation Techniques

• Internet Edge

• Conclusion

General Design

Project Planning for IPv6 Deployment

• Create a project team, assign a PM

• Identify business value & impacts

• Assess equipment & applications for IPv6

• Begin training & develop training plan

• Develop the architectural solution

• Obtain a prefix and build the address plan

• Define an exception process for legacy systems

• Update the security policy

• Deploy IPv6 trials in the network

• Test and monitor your deployment

Enterprise IPv6 Guidance

• Updated White Paper – Cisco.com

• RFC 7381 Enterprise IPv6 Guidelines

• No Major change to 2/3 Tier Architecture

[Figure: 2/3-tier architecture: Access, Distribution, Core, Distribution, Access, with WAN, Data Center and Internet blocks]

Global Address Assignment

• /32 given to ISP (/29 in some geo's)

• ISP assigns /48 to customers

• 65,536 customers could receive /48

• /48 is the smallest route advertised in DFZ

• 2001:db8:4646:xxxx::/64

• xxxx = subnets in your domain

[Figure: allocation hierarchy for PA and PI space: IANA 2000::/3, Registries (RIR) /12, LIR/ISP /32, ORG /48, then Entity Level and Four Subordinate levels below the /48]

Multi-national Model

• PA or PI from each region you operate in

• Coordination of advertised space within each RIR, policy will vary

• Most run PI from primary region

Building the IPv6 Address Plan

• Methods

• Follow IPv4 (/24 only), Organizational, Location, Function based

• Hierarchy is key (A /48 example)

• Bit twiddler's dream (16 bit subnet strategy)

• 4 or 8 bits = (16 or 256) Regions (states, counties, agencies, etc..)

• 4 or 8 more bits = (16 or 256) Sub Levels within those Regions

• 4 more bits = (16) Traffic Types (Admin, Guest, Telephony, Video, etc..)

• Cisco IPv6 Addressing White Paper

• www.cisco.com/go/ipv6

• Avoid Monotonical Assignments

• (1000, 2000, 3000, etc.) vs. Sparse (0000, 4000, 8000, c000)

Prefix Length Considerations

• Hosts – Anywhere a host exists: /64

• Core – /64 or /127

• Point to Point – /127

• Should not use all 0's or 1's in the host portion

• Nodes 1 & 2 are not in the same subnet

• Servers – /64

• Loopback or Anycast – /128

• RFC 7421 – /64 is here

• RFC 6164 – /127 cache exhaust

[Figure: prefix lengths by role: Hosts /64, Core /64 or /127, Pt 2 Pt /127, Servers /64, Loopback /128, WAN]

Where do I start?

• Core-to-Access – Gain experience with v6

• Access-to-Core – Securing and monitoring

• Internet Edge – Business continuity

[Figure: enterprise topology: Access Layer, Campus Core, Internet Edge with two ISPs, WAN, Servers, Branch Access]

Dual Stack Mode

• Preferred Method, Versatile, Scalable and Highest Performance

• No Dependency on IPv4, runs in parallel on dedicated HW

• No tunneling, MTU, NAT or performance degrading technologies

• Does require IPv6 support on all devices

[Figure: IPv6/IPv4 dual-stack hosts through the Access, Distribution and Core layers to the Aggregation and Access layers (DC) and IPv6/IPv4 dual-stack servers]

IPv4 & IPv6 Combined

• Should we use both on the same link at Layer 3?

• Separate links, possibly to collect protocol specific statistics

• Routing protocols OSPFv3, EIGRP combined or separate?

• Fate sharing between the data and control planes per protocol

[Figure: Internet edge running IPv4 & IPv6: OSPFv3 for 2001:db8:1:1::/64 and 2001:db8:6:6::/64, EIGRP for 198.51.100.0/24 and 192.168.4.0/24]

Infrastructure using Link Local Addressing

• Topology hiding, Interfaces cannot be seen by off link devices

• Reduces routing table prefix count, less configuration

• Need to use ULA or GUA for generating ICMPv6 messages

• What about DNS?, Traceroute, WAN Connections, etc..

• RFC 7404 – Details pros and cons

[Figure: Internet, WAN/MAN and campus links addressed from fe80::/64 only, with ULA/GUA on the edge devices]

Unique Local Address (ULA)

• Automatic Prefix Generation (RFC 4193) non sequential /48, M&A challenges

• To be avoided in most cases, draft-ietf-v6ops-ula-usage-recommendations-05

• Caution with older OS’s (RFC 3484) using ULA & IPv4

• Multiple policies to maintain (ACL, QoS, Routing, etc..)

[Figure: Corporate Backbone with Global 2001:db8:cafe::/48 toward the Internet and ULA Space fd9c:58ed:7d73::/48; Branch 2 uses fd9c:58ed:7d73:3000::/64 and 2001:db8:cafe:3000::/64]

To NAT or NOT

• NAT allows for client/server model, difficult to deploy peer-to-peer

• UDP/TCP only, ALG’s & protocol fixups, what about SCTP & DCCP..

• IETF does NOT recommend the use of NAT66 w/IPv6

• NAT ≠ Firewall – RFC 4864 (Local Network Protection)

• Wait, who did what – RFC 6269 (Issues with IP address sharing)

NAT-PT, NAT66, NPTv6, NAT64

[Figure: Internet behind Firewall+NAT]

Host Configuration & Behavior

IPv6 Host Portion Address Assignment

Similar to IPv4:

• Manually configured

• Assigned via DHCPv6

New in IPv6:

• State Less Address Auto Configuration (SLAAC) EUI64

• SLAAC Privacy Addressing

• * Secure Neighbor Discovery (SeND)

Address, Which Address?

• Link Local (fe80::/10) is required for any device with IPv6 enabled

• At least 2 addresses per interface for global connectivity

• Majority of access layer devices will have LL as their Default Gateway

[Figure: host and its default gateway (DfGW)]

Host Addresses: Ethernet B8:E8:56:1A:2B:3C, IPv6 Link Local fe80::b8e8:56ff:fe1a:2b3c, IPv6 Global 2001:db8:1:46:a1b2:c:3:d4e5, Default Gwy. fe80::46:1

Router Addresses: Ethernet 02:00:0C:3A:8B:18, IPv6 Link Local fe80::46:1, IPv6 Global 2001:db8:1:46::1, RA Prefix 2001:db8:1:46::/64

RA Provisioning

• M-Flag – Stateful DHCPv6 to acquire IPv6 address

• O-Flag – Stateless DHCPv6 in addition to SLAAC

• Preference Bits – Low, Med, High

• Router Lifetime – Must be >0 for Default

• Options - Prefix Information, Length, Flags

• L bit – Host installs the prefix as On Link

• A bit – Set to 0 for DHCP to work properly

RA decode:

    Type: 134 (RA)
    Code: 0
    Checksum: 0xff78 [correct]
    Cur hop limit: 64
    Flags: 0x84
        1... .... = Managed (M flag)
        .0.. .... = Not other (O flag)
        ..0. .... = Not Home (H flag)
        ...0 1... = Router pref: High
    Router lifetime (s): 1800
    Reachable time (ms): 3600000
    Retrans timer (ms): 1000
    ICMPv6 Option 3 (Prefix Info)
        Prefix length: 64
        Flags: 0x80
            1... .... = On link (L Bit)
            .1.. .... = No Auto (A Bit)
        Prefix: 2001:0db8:4646:1234::/64

Host Address Acquisition

    C:\Documents and Settings\>netsh
    netsh>interface
    netsh interface ipv6>show address
    Querying active state...

    Interface 5: Local Area Connection

    Addr Type  DAD State  Valid Life    Pref. Life   Address
    ---------  ---------  ------------  -----------  ------------------------------------
    Public     Preferred  29d23h58m25s  6d23h58m25s  2001:0db8:2301:1:202:8a49:41ad:a136
    Temporary  Preferred  6d21h48m47s   21h46m       2001:0db8:2301:1:bd86:eac2:f5f1:39c1
    Link       Preferred  infinite      infinite     fe80::202:8a49:41ad:a136

    netsh interface ipv6>show route
    Querying active state...

    Publish  Type      Met  Prefix                 Idx  Gateway/Interface Name
    -------  --------  ---  ---------------------  ---  -------------------------
    no       Autoconf  8    2001:0db8:2301:1::/64  5    Local Area Connection
    no       Autoconf  256  ::/0                   5    fe80::20d:bdff:fe87:f6f9

DHCPv6

• Source – FE80::1234, Destination - FF02::1:2

• Client UDP 546, Server UDP 547

• DUID – Different from v4, used to identify clients

• ipv6 dhcp relay destination 2001:db8::feed:1

Exchange: SOLICIT (any servers?) → ADVERTISE (want this address?) → REQUEST (I want that address) → REPLY (It's yours)

[Figure: client sends a DHCPv6 Solicit; the DHCPv6 Relay forwards it to DHCPv6 Server 2001:db8::feed:1]

Client Provisioning DHCPv6 & SLAAC

• How about both.. Reality for the foreseeable future

• SLAAC address tracking, Radius Accounting, Syslog, CAM table Scrapes

• DHCPv6 Challenges, MAC Address for Reservations, Inventory, Tracking

• Understand the Implications of Switching Methods

• Microsoft won't support RDNSS in RA's

• Android doesn't support DHCPv6

• Inconsistent amongst the OS's

[Figure: hosts A, B and C on one access link with a DHCPv6 Server and the Internet]

Disabling Privacy Addresses

• Enable DHCPv6 via the M flag

• Disable auto configuration via the A bit in the Prefix Info option

• Enable Router preference to high

• Enable DHCPv6 relay
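As an added example (not part of the deck), here is Python that decodes the RA fields listed under RA Provisioning above (M/O flags, router preference, lifetime, and the Prefix Information L/A bits) and works out what a host does with them: stateful DHCPv6 when M=1, or an EUI-64 SLAAC address when A=1. The RA bytes and the MAC 00:1b:21:aa:bb:cc are constructed, and the valid/preferred prefix lifetimes are assumed values.

```python
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3      # ND option type: Prefix Information
# RA flag byte layout (RFC 4861 / RFC 4191): M=0x80, O=0x40, H=0x20, Prf=bits 4-3
FLAG_M, FLAG_O, PRF_HIGH = 0x80, 0x40, 0x08
# Prefix Information flags: L (on-link) = 0x80, A (autonomous, i.e. SLAAC) = 0x40
PFX_L, PFX_A = 0x80, 0x40
PREF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}


def build_ra(flags, prefix, pfx_flags, lifetime=1800, reachable_ms=3600000,
             retrans_ms=1000, valid=2592000, preferred=604800):
    """Constructed RA (checksum left as 0): 16-byte header + one Prefix Info option."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, lifetime,
                      reachable_ms, retrans_ms)
    # option: type, length (in 8-octet units), prefix length, flags,
    #         valid lifetime, preferred lifetime, reserved, 16-byte prefix
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pfx_flags,
                      valid, preferred, 0) + net.network_address.packed
    return hdr + opt


def parse_ra(data):
    """Decode the RA header and every Prefix Information option it carries."""
    if len(data) < 16 or data[0] != ICMPV6_RA or data[1] != 0:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _, _, _, hop, flags, lifetime, reach, retrans = struct.unpack("!BBHBBHII", data[:16])
    ra = {
        "managed": bool(flags & FLAG_M),      # M: get addresses from stateful DHCPv6
        "other": bool(flags & FLAG_O),        # O: other config from stateless DHCPv6
        "router_pref": PREF_NAMES[(flags >> 3) & 0x3],
        "router_lifetime": lifetime,
        "default_router": lifetime > 0,       # lifetime 0 = not a default router
        "hop_limit": hop, "reachable_ms": reach, "retrans_ms": retrans,
        "prefixes": [],
    }
    off = 16
    while off + 2 <= len(data):
        typ, ln = data[off], data[off + 1]
        if ln == 0:
            raise ValueError("zero-length ND option")      # RFC 4861: discard the RA
        body = data[off:off + ln * 8]
        if len(body) < ln * 8:
            raise ValueError("truncated ND option")
        if typ == OPT_PREFIX_INFO and ln == 4:
            plen, pflags, valid, pref = struct.unpack("!BBII", body[2:12])
            pfx = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network(f"{pfx}/{plen}", strict=False),
                "on_link": bool(pflags & PFX_L),
                "autonomous": bool(pflags & PFX_A),
                "valid": valid, "preferred": pref,
            })
        off += ln * 8
    return ra


def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291 App. A): flip the U/L bit, insert ff:fe in the middle."""
    b = bytes(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError("MAC must be six octets")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]


def host_plan(ra_bytes, mac):
    """What a host does with this RA: DHCPv6 mode, default router, SLAAC addresses."""
    ra = parse_ra(ra_bytes)
    if ra["managed"]:
        mode = "dhcpv6-stateful"
    elif ra["other"]:
        mode = "dhcpv6-stateless"
    else:
        mode = "none"
    slaac = []
    for p in ra["prefixes"]:
        # SLAAC happens only when A=1 and the prefix leaves 64 bits for the interface ID
        if p["autonomous"] and p["prefix"].prefixlen == 64:
            iid = int.from_bytes(eui64_interface_id(mac), "big")
            slaac.append(str(ipaddress.IPv6Address(int(p["prefix"].network_address) | iid)))
    return {"dhcpv6": mode, "slaac": slaac, "router_pref": ra["router_pref"],
            "default_router": ra["default_router"]}


# Constructed sample input: the "disable privacy addresses" RA (M=1, A=0, pref high)
# and a plain SLAAC RA (M=0, A=1) for the same prefix; the MAC is made up.
MAC = "00:1b:21:aa:bb:cc"
RA_DHCPV6 = build_ra(FLAG_M | PRF_HIGH, "2001:db8:4646:1234::/64", PFX_L)
RA_SLAAC = build_ra(PRF_HIGH, "2001:db8:4646:1234::/64", PFX_L | PFX_A)

if __name__ == "__main__":
    print(host_plan(RA_DHCPV6, MAC))
    print(host_plan(RA_SLAAC, MAC))
```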

    interface fastEthernet 0/0
     ipv6 address 2001:db8:1122:acc1::/64 eui-64
     ipv6 nd managed-config-flag
     ipv6 nd prefix default no-autoconfig
     ipv6 nd router-preference high
     ipv6 dhcp relay destination 2001:db8:add:cafe::1

Campus Design

First Hop Router Redundancy

• Neighbor Unreachability Detection

• Rudimentary HA at the first HOP, that is slow to detect failures

• Hosts use "reachable time" to cycle next known default

• HSRP for IPv6

• Modification to NA, RA and ICMPv6 redirects

• Virtual MAC derived from HSRP group # and virtual IPv6 LLA

• GLBP for IPv6

• Default Gateway is announced via RA's from Virtual MAC

• Responds to NDP, directs hosts to Active Virtual Forwarder

• VRRP for IPv6

• Multi-vendor interoperability

[Figure: RA with Reach-time; HSRP Active/Standby pair; GLBP AVG/AVF pair]

IPv6 QoS Policy & Syntax

• IPv4 syntax has used "ip" following match/set statements

• Example: match ip dscp, set ip dscp

• New match criteria: match dscp, match precedence

• New set criteria: set dscp, set precedence

• Supports both versions

Zeroconf over IPv6

• ff02::fb – Multicast DNS – mDNS (Apple Bonjour) (Chromecast)

• ff02::2:ff/104 – Node Information Query (FreeBSD)

• ff02::c – Simple Service Discovery Protocol – SSDP, UPnP (Microsoft)

• ff02::1:3 – Link Local Multicast Name Resolution – LLMNR (File Sharing)

Devices using Zeroconf: Personal Computer Operating Systems (Windows, Mac OS X, Linux); Appliances & AV Equipment (Speakers, Printers, Cameras, Displays, AV Receivers); Networking (Access Points, Switches, Routers)

IPv4 vulnerabilities & Countermeasures

• Catalyst Integrated Security Features (CISF) Port Security

• Dug Song - dsniff

IPv6 Hacking Tools

• ARP is replaced by Neighbor Discovery Protocol

• Nothing authenticated

• Static entries overwritten by dynamic ones

• Stateless Address Autoconfiguration

• rogue RA (malicious or not)

• Attack tools are real! Parasit6, Fakerouter6, Alive6, Scapy6, …

IPv6 First Hop Security (FHS)

RA Guard – Protection: Rogue or malicious RA; MiM attacks; DoS attacks

DHCPv6 Guard – Protection: Invalid DHCP Offers; Invalid prefix; MiM attacks

Source/Prefix Guard – Protection: Invalid source address; Source address spoofing

Destination Guard – Protection: DoS attacks; Scanning; Invalid destination address

RA Throttler – Facilitates: Scale, converting multicast traffic to unicast to improve performance

ND Multicast Suppress – Reduces: Control traffic necessary for proper link operations

Groupings: Core Features (RA Guard, DHCPv6 Guard), Advance Features (Source/Prefix Guard, Destination Guard), Scalability & Performance (RA Throttler, ND Multicast Suppress); all built on IPv6 Snooping

IPv6 FHS RA Guard – RFC 6105

• Port ACL

    ipv6 access-list ACCESS_PORT
     deny icmp any any router-advertisement
     permit ipv6 any any
    !
    interface FastEthernet0/2
     ipv6 traffic-filter ACCESS_PORT in

• Feature Based

    interface FastEthernet0/2
     ipv6 nd raguard

• Policy Based

    ipv6 snooping policy HOST
     security-level guard
     limit address-count 2
     device-role node
    !
    interface GigabitEthernet1/0/2
     ipv6 snooping attach-policy HOST

[Figure: an RA arriving on a port with device-role ROUTER is forwarded; an RA arriving on a port with device-role HOST is dropped]

IPv6 FHS – DHCPv6 Guard

• Prevent Rogue DHCP responses from misleading the client

[Figure: DHCP Client sends a DHCP Req.; the legitimate DHCP Server and a host claiming "I am a DHCP Server" both answer, and DHCPv6 Guard drops the rogue answer]

IPv6 FHS – Snooping

• Source Address Validation Improvement (SAVI) link security feature

• Analyzes control or data traffic, detect IP address and switch port

• Stores and updates a Binding Table to ensure rogue users cannot spoof

• Deep control packet Inspection

• Address Glean (ND, DHCP, data)

• Address watch, Binding Guard

IPv6 Binding Table (RFC 6620):

    Intf     IPv6    MAC   VLAN  State
    g1/0/10  ::000A  001A  110   Active
    g1/0/11  ::001C  001C  110   Stale
    g1/0/16  ::001E  001E  200   Verifying

[Figure: Device Tracking feeds IPv6 Source Guard and IPv6 Destination Guard]

IPv6 FHS – IPv6 Source Guard

• Mitigates Address Hijacking, Ensures Proper Prefix

    Intf     IPv6    MAC   VLAN  State
    g1/0/10  ::000A  001A  110   Active
    g1/0/11  ::001C  001C  110   Stale
    g1/0/16  ::001E  001E  200   Verifying
    g1/0/21  ::0021  0021  200   Active

[Figure: Host A sends an NA to the First Hop Switch and is forwarded; a second host (~Host A) sends an NA claiming Host A's address and is dropped because it does not match the binding table]

IPv6 Destination Guard

• Mitigate prefix-scanning attacks and Protect ND cache

• Drops packets for destinations without a binding entry

[Figure: pings to 2001:db8::1, 2001:db8::2, 2001:db8::3 and 2001:db8::4 arrive; the switch looks each destination up in the binding table: found → forward packet (an NS for 2001:db8::1 is sent), not found → drop]

    Intf     IPv6    MAC   VLAN  State
    g1/0/10  ::0001  001A  110   Active
    g1/0/11  ::001C  001C  110   Stale
    g1/0/16  ::001E  001E  200   Verifying

Private VLAN's

• Prevent Node-Node Layer-2 communication

• Promiscuous (router port) talks to all other port types

• Isolated port can only contact a promiscuous port/s

• Community ports can contact their group and promiscuous port/s

• DAD ND Proxy

• Prevents address conflicts

• Internet Edge, Data Center

• Reducing attack surface, malware propagation

• Service Provider

• Client/customer isolation

[Figure: Promiscuous Port, Community Ports, Isolated Port]

WiFi

Wireless LAN Controller BCP's

• WLC version 8.x increases support of IPv6

• CAPWAP, SNMP, NTP, Radius, Syslog, CDP, WebAuth

• Interface groups, same SSID over multiple VLAN's

• IPv6 binding table supports FHS & ND Multicast suppression

See BRKEWN-2006

Wi-Fi Multicast Background

• Radio is a shared media

• Hosts must "awaken" to see if Multicast is for them

• Multicast packets are not acknowledged or retransmitted

• AP transmits bcast/mcast frames at the lowest possible rate

• Broadcast/Multicast up to 10x more time in air

• IEEE 802.11a mcast: 6 Mbps, ucast up to 54 Mbps

• IEEE 802.11n mcast: 15 Mbps, ucast up to 150 Mbps

• 802.11 Header: Protected Frame Field delineates acknowledged frames

Neighbor Discovery Multicast Suppression

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

2

4 Neighbor Discovery Multicast Suppression

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

2

4 (NS) Neighbor Discovery Multicast Suppression

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

2

4 (NS) Neighbor Discovery Multicast Suppression

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

00:24:56:75:44:33 2001:db8:0:20::2 00:24:56:11:93:28 2001:db8:0:20::4 2

4 (NS) Neighbor Discovery Multicast Suppression

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

00:24:56:75:44:33 2001:db8:0:20::2 00:24:56:11:93:28 2001:db8:0:20::4 2

(Unicast NA) 4 (NS) Router Advertisement Throttler

• Scaling the mobility access environment

• NDP process is multicast "chatty", consumes airtime

• Rate limit RA's from the legitimate router

• Inspect the RS, convert the responding RA to L2 Unicast

[Figure: Periodic RA's from the router are rate limited; a Router Solicitation (RS) from a client triggers an RA that is delivered as unicast]

Routing Protocols

Routing Considerations

• Enable IPv6 routing

• "ipv6 unicast-routing"

• "no switchport"

• IPv6 Next Hop

• Link local addresses

• Router ID

• Unique 32-bit number that identifies the router

• Happens to be written in dotted decimal notation

• Resource Utilization: Management, Routing, Switching, Services

See BRKRST-2022

Static Routing

• IGP's use Link Local Address's

• Redistribution needs GUA or ULA

• May need "Multi-Hop"

• Static can be tragic, no auto update

    ipv6 unicast-routing
    !
    ! direct
    ipv6 route 2001:db8:2::/48 ethernet 1/0
    !
    ! recursive
    ipv6 route 2001:db8:5::/48 2001:db8:4::1

EIGRP (IP 88)

• fe80::/64 Source → ff02::A Destination

• 2 New TLV's – internal-type & external-type

• No Split Horizon, Auto Summary Disabled

• Stub reduces topology & queries

• Large scale hub and spoke environments

    ipv6 unicast-routing
    !
    interface loopback0
     ipv6 address 2001:db8:1000::1/128
     ipv6 eigrp 11
    !
    interface ethernet 0/0
     ipv6 address 2001:db8:5000:31::1/64
     ipv6 eigrp 11
    !
    ipv6 router eigrp 11
     passive-interface loopback0
     eigrp router-id 10.10.10.10

OSPFv3 (IP 89)

• fe80::/64 Source → ff02::5, ff02::6 (DR's)

• Link-LSA (8) – Local Scope, NH

• Intra-Area-LSA (9) – Routers Prefix's

• Use Inter-Area-Prefix (3) – Between ABR's

• Full mesh environments, if tuned correctly

• RFC 5838 (AF), RFC 7166 (AT)

    ipv6 unicast-routing
    !
    interface loopback0
     ipv6 address 2001:db8:1000::1/128
     ipv6 ospf 8 area 0
    !
    interface ethernet 0/0
     ipv6 address 2001:db8:5000:31::1/64
     ipv6 ospf 8 area 0
    !
    ipv6 router ospf 8
     router-id 10.10.10.10
     passive-interface loopback0

Wide Area Network

WAN Branch

• Private Circuit – Business as usual, Routing Protocols

• Internet Circuit – DMVPN for scalability and resiliency

• Local Internet “hop off” is Multi homing

[Figure: Branch and Main Site connected over the WAN, interfaces numbered ::1 through ::5]

DMVPN with IPv6

• Scaling IPSec VPN's

• Simple GRE tunneling

• NHRP for dynamic site discovery

[Figure: hubs HE1 and HE2 with spokes BR1-1 and BR1-2 over an IPv6 Transport WAN]

    interface Tunnel2
     description to HUB
     no ip address
     ipv6 address 2001:DB8:CAFE:C5C0::B/127
     ipv6 mtu 1400
     no ipv6 redirects
     ipv6 nhrp authentication CISCO
     ipv6 nhrp network-id 100
     ipv6 nhrp holdtime 300
     ipv6 nhrp nhs 2001:DB8:CAFE:C5C0::A nbma 2001:DB8:CAFE:37::B multicast
     ipv6 nhrp shortcut
     ipv6 eigrp 10
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint ipv6
     tunnel key 100
     tunnel protection ipsec profile SPOKE

IPv6 & MPLS

• 6PE (RFC 4798)

• Utilizes Existing IPv4 Transport

• MP-BGP Next Hop ::ffff:A.B.C.D/96

• 6PE (RFC 4659)

• Utilizes Address Family (AF) in VRF Context

• Allows for VPN Functionality

• LDPv6 (RFC 7552)

• LDP session over IPv6

• Peer discovery

• TTL security

[Figure: VRF to VRF across the MPLS core]

Segment Routing over IPv6

• The notion of a "segment" is not new in IPv6

• Segments can be used for service chaining or forwarding

• Segment Routing leverages RFC 2460 Routing Header by defining a new type

• Improves Routing Header

• Enhance the source routing model

• Introduces security

• Segment Routing does NOT require a forklift upgrade of the network

• SR and non-SR nodes can co-exist

• Gradual deployment

• Full interoperability

• Backward compatibility

[Figure: SR-IPv6 packet (IPv6 Hdr, SR Header with Segments: C,F,H, PAYLOAD) forwarded from A through nodes B–H]

Data Center

IPv6 Transition Stages in the Data Center

• IPv4 Only Data Center

• IPv6 Translation on the Front End

• Dual Stack

• Both IPv4 & IPv6 Into the Data Center

• IPv6 Only Data Center

• IPv4 Translation on the Front End

• What is the Cost of Each Stage?

Traditional IPv4 Only

• Legacy

• Load Balancer inline

• No translation in this design

• Services are Firewalled

[Figure: IPv4 from the Internet through Edge Router, Firewall, Load Balancer, Switch to Web, Email, Etc.]

IPv4 Only Data Center

• Dual Stack Front End

• Translation via NAT/Proxy/SLB

• Easy to Turn Up

• Hard to Move Forward

• False Sense of Accomplishment

[Figure: IPv4/IPv6 from the Internet to NAT/Proxy/SLB, then IPv4 only through Edge Router, Firewall, Load Balancer, Switch to Web, Email, Etc.]

Dual Stacked

• IPv4 & IPv6 Addressing on All Devices

• Incremental Operational Cost (~20%)

• Double Everything (ACL’s, SLA’s, etc.)

• Two Data Planes, Two Control Planes

• Recommended Approach

[Figure: IPv4/IPv6 end to end from the Internet through Edge Router, Firewall, Load Balancer, Switch to Web, Email, Etc.]

IPv6 Only Data Center

• Dual Stack Front End

• Translation via NAT/Proxy/SLB

• Forces Developers to use IPv6

• Reduces Operational Costs

• Eliminates Complexity within the DC

[Figure: IPv4/IPv6 at NAT/Proxy/SLB, then IPv6 only through Load Balancer, Switch to Web, Email, Etc.]

Migrating Applications to IPv6

• Inconsistent API's use of IPv6 Addresses

• Data types, Headers, Structures, Sockets, oh my

• Home grown App's may only support IPv4

• Pressure vendors to move to protocol agnostic framework

198.51.100.44:8080 → [2001:db8:cafe:64::26]:8080

• RFC 3493 – Open Socket Call, 64 bit structure align to HW

• RFC 3542 – Raw Socket, ping, Traceroute, r commands

IPv6 Application Porting

• RFC 4038 - http://tools.ietf.org/html/rfc4038 – Covers Application Aspects of IPv6 Transition

• RFC 5014 - http://tools.ietf.org/html/rfc5014 – Covers IPv6 Socket API for Source Address Selection

• If you have developers trying to figure out how to port their applications

• https://www.arin.net/knowledge/preparing_apps_for_v6.pdf

• https://www.getipv6.info/display/IPv6/Porting+Applications

Translation Techniques

Translation Techniques: Proxy Server, Load Balancer, Stateful NAT64 (SW = Poor Performance); compared on Application Support and Client Visibility

[Figure: each technique placed between the IPv6 side and the IPv4 side of the Internet]

[Figure: IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address) beside IPv4 header (Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address)]

Framework for Translation

• RFC 6144

• 8 Total Scenarios (4, 7, 8 are NA)

• 1, 2, 3 Involve Internet Connectivity

• 5 & 6 Are Focused on Intranet Connectivity

• Stateless Translation

• Algorithmic Mapping

• Initiation from IPv4 or IPv6

• Stateful Translation

• Uses a State Table for Translation

• Generally Initiation is from IPv6

[Figure: scenario 1 IPv6 Network → IPv4 Internet; 2 IPv4 Internet → IPv6 Network; 3 IPv6 Internet → IPv4 Network; 5 IPv6 Network → IPv4 Network; 6 IPv4 Network → IPv6 Network]

DNS64

[Figure: DNS64/DNS46 translator with Network-Specific Prefix 3001::/96; IPv6 PC 2001:db8:122:344::6 on 2001:db8:122:344::/64 (translator ::2); IPv4 side 192.0.2.0/24 (translator .1); DNS Server 192.168.90.101]

Step 1: IPv6 PC queries AAAA Record for v4 Server

Step 2: DNS responds "empty" AAAA Record

Step 3: Translator sends A Record query for v4 Server

Step 4: DNS Server responds A Record for IPv4 Server

Step 5: Translator translates it to a AAAA Record and returns it to the IPv6 PC

NAT64

• Static NAT46 / Dynamic NAT64

[Figure: NAT64 with Network-Specific Prefix 3001::/96; IPv6 PC 2001:db8:122:344::6 on 2001:db8:122:344::/64 (translator ::2); IPv4 Server 192.0.2.33 on 192.0.2.0/24 (translator .1)]

Step 1: IPv6 PC → NAT64: Source IPv6 2001:db8:122:344::6, Dest. IPv6 3001::c000:221

Step 2: NAT64 → IPv4 Server: Source IPv4 192.0.2.1, Dest. IPv4 192.0.2.33

Step 3: IPv4 Server → NAT64: Source IPv4 192.0.2.33, Dest. IPv4 192.0.2.1

Step 4: NAT64 → IPv6 PC: Source IPv6 3001::c000:221, Dest. IPv6 2001:db8:122:344::6

SLB64 Translation Technique

• Virtual IP (VIP), SNAT Pool

• Publish Appropriate AAAA Record

• IPv6 to IPv4, Similar to NAT64

• OS/App dictate design parameters

• Rapid Time to Deploy

[Figure: ISP-A and ISP-B feed a Dual Stack front end; SLB64 in front of IPv4 Only UCS Servers and WWW servers]

X-Forwarded-For (XFF)

• Web Server Logging for Geo Location, Analytics, Security, etc..

• Source IP of client requests will be logged as the SNAT or other NAT’d address

• Packet may go through multiple proxies: X-Forwarded-For: client, proxy1, proxy2
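As an added example (not part of the deck), the Python below extracts the client address from X-Forwarded-For the way a log or geo-location pipeline behind the SNAT pool should: walk the chain from the right, discard only addresses that belong to your own proxies, and ignore the header entirely when the TCP peer is not one of them, since anything further left can be supplied by whoever sent the request. The request text (with the header name spelled as on the slide) and the SNAT pool 192.0.2.16/28 are constructed/assumed.

```python
import ipaddress


def parse_xff(value):
    """Split an X-Forwarded-For value 'client, proxy1, proxy2' into its hops."""
    return [h.strip().strip("[]") for h in value.split(",") if h.strip()]


def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def client_address(xff_value, peer_addr, trusted_proxies):
    """Pick the client address to log.

    Walk the chain from the right (the hop nearest us) and drop every address that
    belongs to one of our own proxies / SNAT pools; the first address that is not
    ours is the client. Anything further left was appended by an untrusted party
    and is ignored. If the TCP peer itself is not a trusted proxy, the header is
    ignored entirely and the peer address is returned.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def ours(addr):
        return addr is not None and any(addr in n for n in trusted)

    peer = _ip(peer_addr)
    if not ours(peer):
        return str(peer) if peer else None
    for hop in reversed(parse_xff(xff_value)):
        addr = _ip(hop)
        if addr is None:
            return None            # malformed hop: trust nothing to the left of it
        if not ours(addr):
            return str(addr)       # canonical text form (IPv6 compressed, lowercase)
    return str(peer)               # every hop was ours: request originated at a proxy


def header_value(raw_request, name):
    """Case-insensitive header lookup over raw HTTP/1.1 request text."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break                  # end of headers
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


# Constructed request modelled on the slide; 192.0.2.16/28 is an assumed SNAT pool
# used by the translator in front of the web servers.
SNAT_POOL = ["192.0.2.16/28"]
REQUEST = ("GET / HTTP/1.1\r\nHost: www.foo.org\r\n"
           "x-forward-for: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5\r\n"
           "Connection: keep-alive\r\n\r\n")


def logged_client(raw_request, peer_addr, header="X-Forwarded-For"):
    """Address a web server behind the SNAT pool should record for this request."""
    xff = header_value(raw_request, header) or ""
    return client_address(xff, peer_addr, SNAT_POOL)


if __name__ == "__main__":
    print(logged_client(REQUEST, "192.0.2.17", header="x-forward-for"))
```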

    GET / HTTP/1.1
    Host: www.foo.org
    User-Agent: Mozilla Firefox/3.0.3
    Accept: text/html,application/xhtml+xml,application/xml
    Accept-Language: en-us,en
    Keep-Alive: 300
    x-forward-for: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5
    Connection: keep-alive

[Figure: client with a Global IPv6 Address → Translation (Source NAT Pool) → WWW Servers]

Internet Edge

Web Cache Control Protocol (WCCPv2)

• Need WCCPv2 for IPv6 support

• Configure separate group instances for dual stack operation

    ipv6 wccp 91 redirect-list lookat6
    !
    interface vlan10
     ipv6 address 2001:db8:babe:10::1/64
     ipv6 wccp 91 redirect in
    !
    ipv6 access-list lookat6
     permit tcp 2001:db8:babe:10::/64 any eq www
     permit tcp 2001:db8:babe:10::/64 any eq 443

[Figure: VLAN 10 (2001:db8:babe:10::/64) traffic redirected to the cache on its way to the Internet]

Internet Edge to ISP

• Single Link, Single ISP: ISP 1 with a Default Route to the Enterprise

• Dual Links, Single ISP: ISP 1 POP1 and POP2 with a Default Route

• Multi-Homed, Multi-Prefix: ISP 1 and ISP 2 (USA), ISP 3 and ISP 4 (Europe), using BGP

Checking in with the ISP

• Do you support dual stack peering?

• Do you have a separate (SLA) for IPv6? Routing

• Do you support BGP peering over IPv6? Switching • Do you have a FULL IPV6 route table?

• What is the maximum prefix length? Services

• What about DNS… Hosted Cloud Service • Maximum prefix length offered by the cloud provider? • Access to provisioning and billing portal over IPv6? • Global IPv6 addressing for VM’s in your environment? Multi Homed, Multi Prefix (BGP)

• Peer over IPv6 for IPv6 prefixes

• Solve for Ingress & Egress separately

• MD5 shared secrets; IPsec could be used

• Controlling TTL, accepting >254 only (allow -1): GTSM, ttl-security

• Prefix Size Filtering, /32 - /48

(Figure: Internet, ISP A and ISP B)

    router bgp 200
     bgp router-id 4.6.4.6
     neighbor 2001:db8:cafe:102::2 remote-as 2014
     neighbor 2001:db8:cafe:102::2 ttl-security hops 1
     neighbor 2001:db8:cafe:102::2 password cisco4646

Common Deployment Scenarios

• Avoid Over Tuning BGP: Longest Match, Highest Local-Pref, Shortest AS-Path

• Peer with IPv6, "no bgp default ipv4-unicast"

• Split Your Allocation: /44 = (2) /45's

• AS Path prepend to prefer one ISP over the other

• iBGP link between Edge Routers is required, to avoid a black hole: GRE, L3 VPN, MAN/WAN

• Dynamic Routing Protocol or HSRP at FW when more than one Edge Router is used

• eBGP Multi-hop to Core thru FW

• Increase Metrics so that the DCI Link is not preferred

(Figure: Internet via ISP A and ISP B; AS 64498, AS 65535, AS 65534; EIGRP 10 inside; subnets X,Y,Z and A,B,C)

Multi Homed – NPTv6 (RFC 6296)

• Small to Medium Enterprise

• Swaps Left Most Bits of Address

• Equal length Prefixes

• Modification of RFC 6724 API or RFC 7078

• Site scoped ULA connecting to GUA

• No Protocol "fixups", Unless ALGs are Supported

• "IETF does not recommend NAT technology for IPv6"

(Figure: ISP-A 2001:db8:11::/48, ISP-B 2001:db8:55::/48)
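The prefix swap NPTv6 performs, worked through as an added example (not code from the deck or from any Cisco product) with the slide's prefixes, inside ULA fd07:18:403e::/48 and ISP-A's 2001:db8:11::/48; RFC 6296 keeps the mapping checksum-neutral by folding a constant adjustment into the subnet word, which is why no transport-layer "fixups" are needed.

```python
# Added example, not from the BRKRST-2301 deck: an RFC 6296 NPTv6 mapping for
# equal-length prefixes of /48 or shorter, using the slide's prefixes
# (inside ULA fd07:18:403e::/48, outside PA 2001:db8:11::/48 from ISP-A).
# NPTv6 swaps the prefix bits and then adds a constant one's complement
# "adjustment" to the 16-bit word at bits 48..63, so the one's complement sum
# of the address (and hence every TCP/UDP/ICMPv6 checksum) is unchanged.
import ipaddress
import struct


def address_words(addr):
    """16-bit words of an IPv6 address, network byte order."""
    return list(struct.unpack("!8H", ipaddress.IPv6Address(addr).packed))


def ones_sum(words):
    """One's complement sum, folded to 16 bits."""
    s = sum(words)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def _ones_add(a, b):
    s = a + b
    s = (s & 0xFFFF) + (s >> 16)
    return 0 if s == 0xFFFF else s  # 0xFFFF and 0 are equal in one's complement


def nptv6_adjustment(from_prefix, to_prefix):
    """Constant per prefix pair: sum(from prefix) - sum(to prefix) in one's complement."""
    f = ipaddress.IPv6Network(from_prefix)
    t = ipaddress.IPv6Network(to_prefix)
    if f.prefixlen != t.prefixlen or f.prefixlen > 48:
        raise ValueError("equal-length prefixes of /48 or shorter expected")
    fsum = ones_sum(address_words(f.network_address)[:3])
    tsum = ones_sum(address_words(t.network_address)[:3])
    return _ones_add(fsum, (~tsum) & 0xFFFF)  # one's complement subtraction


def nptv6_translate(addr, from_prefix, to_prefix):
    """Rewrite addr out of from_prefix into to_prefix, checksum-neutrally."""
    f = ipaddress.IPv6Network(from_prefix)
    t = ipaddress.IPv6Network(to_prefix)
    a = ipaddress.IPv6Address(addr)
    if a not in f:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    host_bits = int(a) & ((1 << (128 - f.prefixlen)) - 1)
    w = list(struct.unpack("!8H", (int(t.network_address) | host_bits).to_bytes(16, "big")))
    if w[3] == 0xFFFF:
        raise ValueError("subnet word 0xFFFF cannot be mapped unambiguously; RFC 6296 drops it")
    w[3] = _ones_add(w[3], nptv6_adjustment(from_prefix, to_prefix))
    return str(ipaddress.IPv6Address(struct.pack("!8H", *w)))
```

Translating in the opposite direction with the prefixes swapped recovers the original address, which is the stateless, algorithmic property the slide contrasts with NAT.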

(NPTv6 figure, continued: inside ULA prefix fd07:18:403e::/48, client 172.16.99.100)

Multi Homed (LISP)

• Small to Medium Enterprise

• Tunneling the PA IPv6 over LISP

• Provider Allocated /48

• Hosted by PxTR Provider

• Avoids Multi Prefix PA Issues

• Possibly an ISP that is IPv4 Only

(Figure: dual-stack Internet with MR/MS and PxTR pairs advertising 2001:db8:cafe::/48; site xTRs reached over 192.168.1.x/30; site subnets 2001:db8:ea5e:1::/64 and 2001:db8:cafe:103::/64)

• SHIM6, HIP, ILNP etc.

• OS Mods, Code Change

IPv6 Bogon and Anti-Spoofing Filtering

• Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt

• Anti-spoofing (RFC 2827, BCP 38), Multi homed filtering (RFC 3704, BCP 84)

• uRPF – Unicast Reverse Path Forwarding

(Figure: Enterprise, Internet, B2B)

Securing the Edge, FW and/or Perimeter Router

• Address Range - Source of 2000::/3 at minimum vs. "any"; permit assigned space

• ICMPv6 - Error types thru, NDP to the device; see RFC 4890

• Extension Headers - Allow Fragmentation, others as needed. Block HBH & RH type 0

• IPv6 ACLs - ipv6 traffic-filter applies an ACL to an interface

    permit icmp any any nd-na
    permit icmp any any nd-ns
    deny ipv6 any any log

Operations & Management

IPv6 and DNS

• Add an IPv6 address to a host, create AAAA record in DNS zone

• Repeat for every name server from sub zones to parent zone

• Glue records: add an entry in DNS for the IPv6 address of your name servers

• Inbound SMTP mail transfer agents (MTA) require reverse lookup (PTR)
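Building the forward and reverse records for a dual-stack host and checking the MTA requirement above, as an added example that is not part of the deck: the zone is an in-memory dict rather than a real DNS server, and the host www.abc.test with its two addresses is the one from the slide's table.

```python
# Added example, not from the BRKRST-2301 deck: build the AAAA and ip6.arpa PTR
# records for a dual-stack host and check what the slide calls the MTA
# requirement, that an address's PTR name points back to it (forward-confirmed
# reverse DNS). The zone is an in-memory dict built here, not a real DNS query.
import ipaddress


def reverse_name(addr):
    """Reverse-lookup owner name: nibbles (v6) or octets (v4), least significant first."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        nibbles = ip.exploded.replace(":", "")          # 32 hex digits, zero-padded
        return ".".join(reversed(nibbles)) + ".ip6.arpa."
    return ".".join(reversed(ip.exploded.split("."))) + ".in-addr.arpa."


def _absolute(name):
    return name.rstrip(".") + "."


def build_zone(hosts):
    """hosts: {fqdn: [addresses]} -> {owner name: set of (type, rdata)}, both directions."""
    zone = {}
    for fqdn, addrs in hosts.items():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            rtype = "AAAA" if ip.version == 6 else "A"
            zone.setdefault(_absolute(fqdn), set()).add((rtype, str(ip)))
            zone.setdefault(reverse_name(a), set()).add(("PTR", _absolute(fqdn)))
    return zone


def zone_lines(zone):
    """Render the zone as sorted presentation-format lines."""
    return sorted(f"{owner} {rtype} {rdata}" for owner, rrs in zone.items() for rtype, rdata in rrs)


def fcrdns_ok(zone, addr):
    """True if some PTR target for addr has an A/AAAA record resolving back to addr."""
    ip = ipaddress.ip_address(addr)
    for rtype, target in zone.get(reverse_name(addr), ()):
        if rtype != "PTR":
            continue
        for t, rdata in zone.get(target, ()):
            if t in ("A", "AAAA") and ipaddress.ip_address(rdata) == ip:
                return True
    return False
```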

Function: Hostname to IP Address
  IPv4: A Record                 www.abc.test. A 192.168.30.1
  IPv6: AAAA Record (Quad A)     www.abc.test. AAAA 2001:db8:C18:1::2

Function: IP Address to Hostname
  IPv4: PTR Record               1.30.168.192.in-addr.arpa. PTR www.abc.test.
  IPv6: PTR Record               2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.

Resilient DDI Design

• Anycast Address for Client Access to DHCP/DNS

• Uses the same address in multiple locations (2001:db8:aa::21)

• Simple, Scalable and Reliable Solution

• Global Unicast Address (GUA) for Service Uptime

• DNS server injects /128 via OSPF

(Figure: DDI1 to DDI4 all answer on the anycast address 2001:db8:aa::21, each with its own GUA in 2001:db8:aa::; OSPF costs 10, 30 and 20 from the client, which picks DNS1 as the closest metric; command & control reaches each server on its GUA)

IPv6 In-band Operation & Management (iOAM6)

• A trip-recorder for your traffic, inline at rate performance

• Uses Destination Option extension header

Simplify Operations: Debug ECMP Networks

Optimize Planning: Derive IPv6 Traffic Matrix

Enhance Visibility: Delay Trend Analysis

Enhance Applications: Always on app visibility

• Stop probing the wrong path with "ping"

• Trace the live traffic: Detect the flaky link!

• Charge level for battery-operated devices (sensors) included in data traffic: No need to drain battery for OAM

(Figure: ECMP topology R1 to R6)

IPv6 SP Troubleshooting Guide RIPE-631

Conclusion

Key Take Away

• Gain Operational Experience now

• IPv6 is already here and running well

• Control IPv6 traffic as you would IPv4

• "Poke" your Providers

• Lead your OT/LOBs into the Internet

Recommended Reading

Complete Your Online Session Evaluation

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Thank you