Enterprise Ipv6 Deployment Tim Martin CCIE #2020 BRKRST-2301

Enterprise IPv6 Deployment Tim Martin CCIE #2020 BRKRST-2301

@bckcntryskr Agenda

• General Design

• Host Configuration

• Campus Design

• Data Center

• Translation Techniques

• Internet Edge

• Conclusion General Design Project Planning for IPv6 Deployment

Create a project team, assign a PM Identify business value & impacts Assess equipment & applications for IPv6 Begin training & develop training plan Develop the architectural solution Obtain a prefix and build the address plan Define an exception process for legacy systems Update the security policy Deploy IPv6 trials in the network Test and monitor your deployment Enterprise IPv6 Guidance

• Updated White Paper – Cisco.com

• RFC 7381 Enterprise IPv6 Guidlines

• No Major change to 2/3 Tier Architecture

Access

Distribution Si

Core

Distribution

Access WAN Data Center Internet Global Address Assignment

• /32 given to ISP (/29 in some geo’s)

• ISP assigns /48 to customers IANA • 65,536 customers could receive /48

• /48 is the smallest route advertised in DFZ Registries RIR • 2001:db8:4646:xxxx::/64 • xxxx = subnets in your domain LIR ISP ORG

EntityLevel FourSubordinate Global Address Assignment • /32 given to ISP (/29 in some geo’s) PA • ISP assigns /48 to customers 2000::/3 IANA • 65,536 customers could receive /48

• /48 is the smallest route advertised in DFZ Registries /12 RIR • 2001:db8:4646:xxxx::/64 • xxxx = subnets in your domain LIR ISP /32 ORG

EntityLevel FourSubordinate /48 Global Address Assignment • /32 given to ISP (/29 in some geo’s) PA PI • ISP assigns /48 to customers 2000::/3 IANA 2000::/3 • 65,536 customers could receive /48

• /48 is the smallest route advertised in DFZ Registries /12 /12 RIR • 2001:db8:4646:xxxx::/64 /32 • xxxx = subnets in your domain LIR ISP /32 ORG /48

EntityLevel FourSubordinate /48 /48 Multi-national Model

• PA or PI from each region you operate in

• Coordination of advertised space within each RIR, policy will vary

• Most run PI from primary region Building the IPv6 Address Plan • Methods • Follow IPv4 (/24 only), Organizational, Location, Function based

• Hierarchy is key (A /48 example) • Bit twiddle's dream (16 bit subnet strategy) • 4 or 8 bits = (16 or 256) Regions (states, counties, agencies, etc..) • 4 or 8 more bits = (16 or 256) Sub Levels within those Regions • 4 more bits = (16) Traffic Types (Admin, Guest, Telephony, Video, etc..)

• Cisco IPv6 Addressing White Paper • www.cisco.com/go/ipv6

• Avoid Monotonical Assignments • (1000, 2000, 3000, etc.) vs. Sparse (0000, 4000, 8000, c000 ) Prefix Length Considerations

Hosts • Anywhere a host exists /64 /64 Core /64 or /127 • Point to Point /127 • Should not use all 0’s or 1’s in the host portion Pt 2 Pt • Nodes 1&2 are not in the /127 same subnet Servers • Loopback or Anycast /128 /64 Loopback WAN /128 • RFC 7421 /64 is here

• RFC 6164 /127 cache exhaust Where do I start? Access • Core-to-Access – Gain experience with v6 Layer

• Access-to-Core – Securing and monitoring Internet • Internet Edge – Business continuity Edge

ISP ISP

Campus Core

WAN

Servers

Branch Access Where do I start? Access • Core-to-Access – Gain experience with v6 Layer

• Access-to-Core – Securing and monitoring Internet • Internet Edge – Business continuity Edge

ISP ISP

Campus Core

WAN

Servers

Branch Access Where do I start? Access • Core-to-Access – Gain experience with v6 Layer

• Access-to-Core – Securing and monitoring Internet • Internet Edge – Business continuity Edge

ISP ISP

Campus Core

WAN

Servers

Branch Access Where do I start? Access • Core-to-Access – Gain experience with v6 Layer

• Access-to-Core – Securing and monitoring Internet • Internet Edge – Business continuity Edge

ISP ISP

Campus Core

WAN

Servers

Branch Access Dual Stack Mode

• Preferred Method, Versatile, Scalable and Highest Performance

• No Dependency on IPv4, runs in parallel on dedicated HW

• No tunneling, MTU, NAT or performance degrading technologies

• Does require IPv6 support on all devices

Access Distribution Core Aggregation Access Layer Layer Layer Layer (DC) Layer (DC)

IPv6/IPv4 Dual-stack Hosts

IPv6/IPv4 Dual-stack Server IPv4 & IPv6 Combined

• Should we use both on the same link at Layer 3?

• Separate links, possibly to collect protocol specific statistics

• Routing protocols OSPFv3, EIGRP combined or separate?

• Fate sharing between the data and control planes per protocol Internet

IPv4 & IPv6

OSPFv3 IPv4 & IPv6 2001:db8:1:1::/64 2001:db8:6:6::/64 EIGRP 198.51.100.0/24 192.168.4.0/24 Infrastructure using Link Local Addressing

• Topology hiding, Interfaces cannot be seen by off link devices

• Reduces routing table prefix count, less configuration

• Need to use ULA or GUA for generating ICMPv6 messages

• What about DNS?, Traceroute, WAN Connections, etc..

• RFC7404 – Details pros and cons ULA/GUA Internet fe80::/64 ULA/GUA

fe80::/64 ULA/GUA WAN/MAN ULA/GUA fe80::/64 ULA/GUA Unique Local Address (ULA)

• Automatic Prefix Generation (RFC 4193) non sequential /48, M&A challenges

• To be avoided in most cases, draft-ietf-v6ops-ula-usage-recommendations-05

• Caution with older OS’s (RFC 3484) using ULA & IPv4

• Multiple policies to maintain (ACL, QoS, Routing, etc..) Global Internet 2001:db8:cafe::/48

Corporate Backbone Branch 2

ULA Space fd9c:58ed:7d73::/48 Global – 2001:db8:cafe::/48 fd9c:58ed:7d73:3000::/64 fd9c:58ed:7d73::2::/64 2001:db8:cafe:3000::/64 To NAT or NOT

• NAT allows for client/server model, difficult to deploy peer-to-peer

• UDP/TCP only, ALG’s & protocol fixups, what about SCTP & DCCP..

• IETF does NOT recommend the use of NAT66 w/IPv6

• NAT ≠ Firewall – RFC 4864 (Local Network Protection)

• Wait, who did what – RFC 6269 (Issues with IP address sharing)

NAT-PT, NAT66, NPTv6, NAT64

Firewall+NAT Internet Host Configuration & Behavior IPv6 Host Portion Address Assignment Similar to IPv4 New in IPv6

Manually configured State Less Address Auto Configuration SLAAC EUI64

Assigned via DHCPv6 SLAAC Privacy Addressing

* Secure Neighbor Discovery (SeND) Address, Which Address?

• Link Local (fe80::/10) is required for any device with IPv6 enabled

• At least 2 addresses per interface for global connectivity

• Majority of access layer devices will have LL as their Default Gateway

DfG W

Host Addresses Router Addresses Ethernet B8:E8:56:1A:2B:3C Ethernet 02:00:0C:3A:8B:18 IPv6 Link Local fe80::b8e8:56ff:fe1a:2b3c IPv6 Link Local fe80::46:1 IPv6 Global 2001:db8:1:46:a1b2:c:3:d4e5 IPv6 Global 2001:db8:1:46::1 Default Gwy. fe80::46:1 RA Prefix 2001:db8:1:46::/64 RA Provisioning Type: 134 (RA) Code: 0 • M-Flag – Stateful DHCPv6 to acquire IPv6 address Checksum: 0xff78 [correct] • O-Flag – Stateless DHCPv6 in addition to SLAAC Cur hop limit: 64 ∞ Flags: 0x84 • Preference Bits – Low, Med, High 1… …. = Managed (M flag) .0.. …. = Not other (O flag) • Router Lifetime – Must be >0 for Default ..0. …. = Not Home (H flag) …0 1… = Router pref: High • Options - Prefix Information, Length, Flags Router lifetime: (s)1800 Reachable time: (ms) 3600000 • L bit –Host installs the prefix as On Link Retrans timer: (ms) 1000 ICMPv6 Option 3 (Prefix Info) • A bit – Set to 0 for DHCP to work properly Prefix length: 64 ∞ Flags: 0x80 1… …. = On link (L Bit) RA .1.. …. = No Auto (A Bit) Prefix: 2001:0db8:4646:1234::/64 Host Address Acquisition C:\Documents and Settings\>netsh netsh>interface ipv6 netsh interface ipv6>show address Querying active state... Interface 5: Local Area Connection Addr Type DAD State Valid Life Pref. Life Address ------Public Preferred 29d23h58m25s 6d23h58m25s 2001:0db8:2301:1:202:8a49:41ad:a136 Temporary Preferred 6d21h48m47s 21h46m 2001:0db8:2301:1:bd86:eac2:f5f1:39c1 Link Preferred infinite infinite fe80::202:8a49:41ad:a136 netsh interface ipv6>show route Querying active state... Publish Type Met Prefix Idx Gateway/Interface Name ------no Autoconf 8 2001:0db8:2301:1::/64 5 Local Area Connection no Autoconf 256 ::/0 5 fe80::20d:bdff:fe87:f6f9 DHCPv6

• Source – FE80::1234, Destination - FF02::1:2 SOLICIT (any servers)

• Client UDP 546, Server UDP 547 ADVERTISE (want this address)

• DUID – Different from v4, used to identify clients REQUEST (I want that address) • ipv6 dhcp relay destination 2001:db8::feed:1 REPLY (It’s yours)

DHCPv6 Server 2001:db8::feed:1 DHCPv6

• Source – FE80::1234, Destination - FF02::1:2 SOLICIT (any servers)

• Client UDP 546, Server UDP 547 ADVERTISE (want this address)

• DUID – Different from v4, used to identify clients REQUEST (I want that address) • ipv6 dhcp relay destination 2001:db8::feed:1 REPLY (It’s yours)

DHCPv6 Relay

DHCPv6 Solicit DHCPv6 Server 2001:db8::feed:1 Client Provisioning DHCPv6 & SLAAC

• How about both.. Reality for the foreseeable future

• SLAAC address tracking, Radius Accounting, Syslog, CAM table Scrapes • Microsoft wont support RDNSS in RA’s

• DHCPv6 Challenges, MAC Address for Reservations, Inventory, Tracking • Android doesn’t support DHCPv6

• Understand the Implications of Switching Methods DHCPv6 • Inconsistent amongst the OS’s Server Internet

A B C Disabling Privacy Addresses

• Enable DHCPv6 via the M flag • Disable auto configuration via the A bit in the Prefix Info option • Enable Router preference to high • Enable DHCPv6 relay

interface fastEthernet 0/0 ipv6 address 2001:db8:1122:acc1::/64 eui-64 ipv6 nd managed-config-flag ipv6 nd prefix default no-autoconfig ipv6 nd router-preference high ipv6 dhcp relay destination 2001:db8:add:café::1 Campus Design First Hop Router Redundancy RA • Neighbor Unreachability Detection Reach-time • Rudimentary HA at the first HOP, that is slow to detect failures • Hosts use “reachable time” to cycle next known default • HSRP for IPv6 • Modification to NA, RA and ICMPv6 redirects • Virtual MAC derived from HSRP group # and virtual IPv6 LLA HSRP HSRP Active Standby • GLBP for IPv6 • Default Gateway is announced via RA’s from Virtual MAC • Responds to NDP, directs hosts to Active Virtual Forwarder • VRRP for IPv6 GLBP GLBP AVG AVG • Multi-vendor interoperabilty AVF AVF IPv6 QoS Policy & Syntax

• IPv4 syntax has used “ip” following match/set statements • Example: match ip dscp, set ip dscp • New match criteria • match dscp • match precedence • New set criteria • set dscp • set precedence

• Supports both versions Zeroconf over IPv6

• ff02::fb – Multicast DNS – mDNS (Apple Bonjour) (Chromecast)

• ff02::2:ff/104 – Node Information Query (FreeBSD)

• ff02::c – Simple Service Discovery Protocol – SSDP, UPnP (Microsoft)

• ff02::1:3 – Link Local Multicast Name Resolution – LLMNR (File Sharing)

Personal Computer Appliances & AV Equipment Operating Systems Networking • Speakers • Windows • Printers • Cameras • Mac OS X • Access Points • Displays • Linux • Switches • AV Receivers • Routers IPv4 vulnerabilities & Countermeasures

• Catalyst Integrated Security Features (CISF) Port • Dug Song - dsniff Security IPv6 Hacking Tool’s

• ARP is replaced by Neighbor Discovery Protocol • Nothing authenticated • Static entries overwritten by dynamic ones

• Stateless Address Autoconfiguration • rogue RA (malicious or not)

• Attack tools are real! • Parasit6 • Fakerouter6 • Alive6 • Scapy6 • … IPv6 First Hop Security (FHS)

RA DHCPv6 Source/Prefix Destination RA ND Guard Guard Guard Guard Throttler Multicast Suppress

Protection: Protection: Protection: Protection: Facilitates: Reduces: • Rogue or • Invalid DHCP • Invalid source • DoS attacks • Scale • Control traffic malicious RA Offers address • Scanning converting necessary for • MiM attacks • DoS attacks • Invalid prefix • Invalid destination multicast traffic proper link • MiM attacks • Source address address to unicast operations to spoofing improve performance

Core Features Advance Features Scalability & Performance IPv6 Snooping IPv6 FHS RA Guard – RFC 6105

• Port ACL interface FastEthernet0/2 ipv6 traffic-filter ACCESS_PORT in deny icmp any any router-advertisement

• Feature Based interface FastEthernet0/2 ipv6 nd raguard

• Policy Based ipv6 snooping policy HOST security-level guard limit address-count 2 device-role node interface GigabitEthernet1/0/2 ipv6 snooping attach-policy HOST IPv6 FHS RA Guard – RFC 6105

• Port ACL RA interface FastEthernet0/2 ipv6 traffic-filter ACCESS_PORT in ROUTER deny icmp any any router-advertisement Device-role • Feature Based RA interface FastEthernet0/2 ipv6 nd raguard

• Policy Based ipv6 snooping policy HOST

security-level guard RA limit address-count 2 device-role node interface GigabitEthernet1/0/2 ipv6 snooping attach-policy HOST RA IPv6 FHS RA Guard – RFC 6105

• Port ACL interface FastEthernet0/2 ipv6 traffic-filter ACCESS_PORT in deny icmp any any router-advertisement

• Feature Based interface FastEthernet0/2 ipv6 nd raguard HOST Device-role • Policy Based

ipv6 snooping policy HOST RA security-level guard limit address-count 2 device-role node interface GigabitEthernet1/0/2 ipv6 snooping attach-policy HOST IPv6 FHS RA Guard – RFC 6105

• Port ACL interface FastEthernet0/2 ipv6 traffic-filter ACCESS_PORT in deny icmp any any router-advertisement

• Feature Based interface FastEthernet0/2 ipv6 nd raguard

• Policy Based

ipv6 snooping policy HOST RA security-level guard limit address-count 2 device-role node interface GigabitEthernet1/0/2 ipv6 snooping attach-policy HOST IPv6 FHS – DHCPv6 Guard

• Prevent Rogue DHCP responses from misleading the client

DHCP Server

DHCP Client IPv6 FHS – DHCPv6 Guard

• Prevent Rogue DHCP responses from misleading the client

DHCP Server

DHCP Client

DHCP Req. IPv6 FHS – DHCPv6 Guard

• Prevent Rogue DHCP responses from misleading the client

DHCP Server

DHCP Client

DHCP Req.

I am a DHCP Server IPv6 FHS – DHCPv6 Guard

• Prevent Rogue DHCP responses from misleading the client

DHCP Server

DHCP Client

DHCP Req.

I am a DHCP Server IPv6 FHS – Snooping

• Source Address Validation Improvement (SAVI) link security feature • Analyzes control or data traffic, detect IP address and switch port • Stores and updates a Binding Table to ensure rogue users cannot spoof

IPv6 Binding Table (RFC6620) • Deep control packet Inspection

Intf IPv6 MAC VLAN State • Address Glean (ND , DHCP, data) • Address watch, Binding Guard g1/0/10 ::000A 001A 110 Active g1/0/11 ::001C 001C 110 Stale g1/0/16 ::001E 001E 200 Verifying

IPv6 Source IPv6 Destination Device Tracking Guard Guard IPv6 FHS – IPv6 Source Guard

• Mitigates Address High Jacking, Ensures Proper Prefix

Intf IPv6 MAC VLAN State Intf IPv6 MAC VLAN State g1/0/10 ::000A 001A 110 Active g1/0/10 ::000A 001A 110 Active g1/0/11 ::001C 001C 110 Stale g1/0/11 ::001C 001C 110 Stale g1/0/16 ::001E 001E 200 Verifying g1/0/16 ::001E 001E 200 Verifying g1/0/21 ::0021 0021 200 Active g1/0/21 ::0021 0021 200 Active

Host A Host A First Hop Switch

NA NA IPv6 FHS – IPv6 Source Guard

• Mitigates Address High Jacking, Ensures Proper Prefix

Host A Host A First Hop Switch

NA NA

~Host A IPv6 FHS – IPv6 Source Guard

• Mitigates Address High Jacking, Ensures Proper Prefix

Host A Host A First Hop Switch

NA NA

~Host A ~Host A IPv6 Destination Guard

• Mitigate prefix-scanning attacks and Protect ND cache

• Drops packets for destinations without a binding entry IPv6 Destination Guard

• Mitigate prefix-scanning attacks and Protect ND cache

• Drops packets for destinations without a binding entry

Ping 2001:db8::4 Ping 2001:db8::3 Ping 2001:db8::2 Ping 2001:db8::1 IPv6 Destination Guard

• Mitigate prefix-scanning attacks and Protect ND cache

• Drops packets for destinations without a binding entry

Ping 2001:db8::4 Ping 2001:db8::3 Ping 2001:db8::2 Ping 2001:db8::1

Intf IPv6 MAC VLAN State

g1/0/10 ::0001 001A 110 Active

g1/0/11 ::001C 001C 110 Stale

g1/0/16 ::001E 001E 200 Verifying IPv6 Destination Guard

• Mitigate prefix-scanning attacks and Protect ND cache

• Drops packets for destinations without a binding entry

Ping 2001:db8::4 Ping 2001:db8::3 Ping 2001:db8::2 Ping 2001:db8::1

NS 2001:db8::1

Intf IPv6 MAC VLAN State

g1/0/10 ::0001 001A 110 Active

g1/0/11 ::001C 001C 110 Stale

g1/0/16 ::001E 001E 200 Verifying IPv6 Destination Guard

• Mitigate prefix-scanning attacks and Protect ND cache

• Drops packets for destinations without a binding entry

Ping 2001:db8::4 Ping 2001:db8::3 Ping 2001:db8::2 Ping 2001:db8::1

NS 2001:db8::1

Intf IPv6 MAC VLAN State

g1/0/10 ::0001 001A 110 Active

Lookup g1/0/11 ::001C 001C 110 Stale Table No g1/0/16 ::001E 001E 200 Verifying found

Yes Forward packet Private VLAN’s

• Prevent Node-Node Layer-2 communication • Promiscuous (router port) talks to all other port types • Isolated port can only contact a promiscuous port/s • Community ports can contact their group and promiscuous port/s

• DAD ND Proxy • Prevents address conflicts

• Internet Edge, Data Center • Reducing attack surface, malware propagation

• Service Provider Promiscuous CommunityCommunity • Client/customer isolation Port PortsPorts Isolated Port WiFi Wireless LAN Controller BCP’s

• WLC version 8.x increases support of IPv6 • CAPWAP, SNMP, NTP, Radius, Syslog, CDP, WebAuth • Interface groups, same SSID over multiple VLAN’s • IPv6 binding table supports FHS & ND Multicast suppression Wireless LAN Controller BCP’s BRKEWN-2006

• Radio is a shared media • Hosts must “awaken” to see if Multicast is for them • Multicat packets are not acknowledged or retransmitted • AP transmits bcast/mcast frames at the lowest possible rate • Broadcast/Multicast up to 10x more time in air • IEEE 802.11a mcast: 6 Mbps, ucast up to 54 Mbps • IEEE 802.11n mcast: 15 Mbps, ucast up to 150 Mbps

• 802.11 Header: • Protected Frame Field delineates acknowledged frames

Neighbor Discovery Multicast Suppression

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

4 Neighbor Discovery Multicast Suppression

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

4 (NS) Neighbor Discovery Multicast Suppression

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

4 (NS) Neighbor Discovery Multicast Suppression

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

00:24:56:75:44:33 2001:db8:0:20::2 00:24:56:11:93:28 2001:db8:0:20::4 2

4 (NS) Neighbor Discovery Multicast Suppression

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

00:24:56:75:44:33 2001:db8:0:20::2 00:24:56:11:93:28 2001:db8:0:20::4 2

(Unicast NA) 4 (NS) Router Advertisement Throttler

• Scaling the mobility access environment

• NDP process is multicast “chatty”, consumes airtime

• Rate limit RA’s from the legitimate router

• Inspect the RS, convert the responding RA to L2 Unicast Router Advertisement Throttler

• Scaling the mobility access environment

• NDP process is multicast “chatty”, consumes airtime

• Rate limit RA’s from the legitimate router

• Inspect the RS, convert the responding RA to L2 Unicast

Periodic (RA’s) Router Advertisement Throttler

• Scaling the mobility access environment

• NDP process is multicast “chatty”, consumes airtime

• Rate limit RA’s from the legitimate router

• Inspect the RS, convert the responding RA to L2 Unicast

Periodic (RA’s)

Triggered (RA)

Router Solicitation (RS) Routing Protocols Routing Considerations

• Enable IPv6 routing • “ipv6 unicast-routing” • “no switchport” • IPv6 Next Hop • Link local addresses • Router ID • Unique 32-bit number that identifies the router • Happens to be written in dotted decimal notation  Management Routing

• Resource Utilization Switching Services Routing Considerations BRKRST-2022

• Resource Utilization Switching Services Static Routing Ipv6 unicast-routing • IGP’s use Link Local Address’s ! • Redistribution needs GUA or ULA !direct • May need “Multi-Hop” Ipv6 route 2001:db8:2::/48 ethernet 1/0 ! • Static can be tragic, no auto update !recursive Ipv6 route 2001:db8:5::/48 2001:db8:4::1 EIGRP (IP 88) Ipv6 unicast-routing • fe80::/64 Source  ff02::A Destination ! Interface loopback0 • 2 New TLV’s – internal-type & external-type Ipv6 address 2001:db8:1000::1/128 • No Split Horizon, Auto Summary Disabled Ipv6 eigrp 11 • Stub reduces topology & queries ! Interface ethernet 0/0 • Large scale hub and spoke environments Ipv6 address 2001:db8:5000:31::1/64 Ipv6 eigrp 11 ! Ipv6 router eigrp 11 Passive-interface loopback0 Eigrp router-id 10.10.10.10 OSPFv3 (IP 89) Ipv6 unicast-routing • fe80::/64 Source  ff02::5, ff02::6 (DR’s) ! • Link-LSA (8) – Local Scope, NH Interface loopback0 • Intra-Area-LSA (9) – Routers Prefix’s Ipv6 address 2001:db8:1000::1/128 • Use Inter-Area-Prefix (3) – Between ABR’s Ipv6 ospf 8 area 0 ! • Full mesh environments, if tuned correctly Interface ethernet 0/0 • RFC 5838 (AF), RFC 7166 (AT) Ipv6 address 2001:db8:5000:31::1/64 Ipv6 ospf 8 area 0 ! Ipv6 router ospf 8 router-id 10.10.10.10 passive-interface loopback0 Wide Area Network WAN Branch

• Private Circuit – Business as usual, Routing Protocols

• Internet Circuit – DMVPN for scalability and resiliency

• Local Internet “hop off” is Multi homing

Branch Main Site ::2 ::1 ::1 ::2 ::2 ::4 WAN ::2 ::3 ::3 ::5 ::3 ::3 ::1 DMVPN with IPv6

• Scaling IPSec VPN’s BR1-1 HE1 WAN • Simple GRE tunneling HE2 BR1-2 • NHRP for dynamic site discovery interface Tunnel2 description to HUB no ip address ipv6 address 2001:DB8:CAFE:C5C0::B/127 ipv6 mtu 1400 no ipv6 redirects ipv6 nhrp authentication CISCO ipv6 nhrp network-id 100 ipv6 nhrp holdtime 300 IPv6 Transport ipv6 nhrp nhs 2001:DB8:CAFE:C5C0::A nbma 2001:DB8:CAFE:37::B multicast ipv6 nhrp shortcut ipv6 eigrp 10 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ipv6 tunnel key 100 tunnel protection ipsec profile SPOKE IPv6 & MPLS

• 6PE (RFC 4798) • Utilizes Existing IPv4 Transport • MP-BGP Next Hop ::ffff:A.B.C.D/96

• 6PE (RFC 4659) • Utilizes Address Family (AF) in VRF Context • Allows for VPN Functionality

• LDPv6 (RFC 7552) • LDP session ove IPv6 • Peer discovery • TTL security VRF VRF Segment Routing over IPv6

• The notion of a “segment” is not new in IPv6 • Segments can be used for service chaining or forwarding

• Segment Routing leverages RFC 2460 Routing Header by defining a new type • Improves Routing Header • Enhance the source routing model • Introduces security

• Segment Routing does NOT require a forklift upgrade of the network • SR and non-SR nodes can co-exist • Gradual deployment IPv6 Hdr

• Full interoperability B C D SR Header Segments: C,F,H • Backward compatibility A H E F G PAYLOAD

SR-IPv6 Data Center IPv6 Transition Stages in the Data Center

• IPv4 Only Data Center • IPv6 Translation on the Front End • Dual Stack • Both IPv4 & IPv6 Into the Data Center • IPv6 Only Data Center • IPv4 Translation on the Front End • What is the Cost of Each Stage? Traditional IPv4 Only

• Legacy

• Load Balancer inline

• No translation in this design

• Services are Firewalled

IPv4

Internet Edge Router Firewall Load Balancer Switch Web, Email, Etc. IPv4 Only Data Center

• Dual Stack Front End

• Translation via NAT/Proxy/SLB

• Easy to Turn Up

• Hard to Move Forward

• False Sense of Accomplishment NAT/Proxy/SLB IPv4/IPv6 IPv4

Internet

Edge Router Firewall Load Balancer Switch Web, Email, Etc. Dual Stacked

• IPv4 & IPv6 Addressing on All Devices

• Incremental Operational Cost (~20%)

• Double Everything (ACL’s, SLA’s, etc.)

• Two Data Planes, Two Control Planes

• Recommended Approach

IPv4/IPv6

Internet Edge Router Firewall Load Balancer Switch Web, Email, Etc. IPv6 Only Data Center

• Dual Stack Front End

• Translation via NAT/Proxy/SLB

• Forces Developers to use IPv6

• Reduces Operational Costs

• Eliminates Complexity within the DC NAT/Proxy/SLB IPv4/IPv6 IPv6

Load Balancer Switch Web, Email, Etc. Migrating Applications to IPv6

• Inconsistent API’s use of IPv6 Addresses • Data types, Headers, Structures, Sockets, oh my • Home grown App’s may only support IPv4 • Pressure vendors to move to protocol agnostic framework

198.51.100.44:8080  [2001:db8:café:64::26]:8080

• RFC 3493 – Open Socket Call, 64 bit structure align to HW • RFC 3542 – Raw Socket, ping, Traceroute, r commands IPv6 Application Porting

• RFC 4038 - http://tools.ietf.org/html/rfc4038 • Covers Application Aspects of IPv6 Transition

• RFC 5014 - http://tools.ietf.org/html/rfc5014 • Covers IPv6 Socket API for Source Address Selection

• If you have developers trying to figure out how to port their applications • https://www.arin.net/knowledge/preparing_apps_for_v6.pdf • https://www.getipv6.info/display/IPv6/Porting+Applications Translation Techniques Translation Techniques Proxy Server Load Balancer Stateful NAT64

IPv6 IPv6 IPv4 Internet Internet Internet IPv6 IPv6 IPv4

IPv4 IPv4 IPv6

SW = Poor Performance Application Support Client Visibility Versio Traffic Class Flow Label Version IHL Type of Service Total Length n

Identification Flags Fragment Offset Payload Length Next Header Hop Limit Framework for Translation Time to Live Protocol Header Checksum Source Address Source Address

Destination Address • RFC 6144 • 8 Total Scenarios (4, 7, 8 are NA) Destination Address • 1, 2, 3 Involve Internet Connectivity IPv6 IPv4 • 5 & 6 Are Focused on Intranet Connectivity 1 Network Internet

• Stateless Translation IPv4 IPv6 • Algorithmic Mapping 2 Internet Network • Initiation from IPv4 or IPv6 IPv6 IPv4 3 Internet Network • Stateful Translation IPv6 IPv4 • Uses a State Table for Translation 5 Network Network

• Generally Initiation is from IPv6 IPv4 IPv6 6 Network Network DNS64

DNS46