IPv6 Deployment: Developing an IPv6 Address Plan and Deploying IPv6
Jim Bailey, Solution Architect
BRKRST-2619

Source: https://imgur.com/HyCwObF

BRKRST-2619 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKXXX-xxxx

Agenda

• Introduction

• Why are we doing this?

• What is an IPv6 Address?

• How do you break it down?

• How do I integrate IPv6?

• Conclusion

Why are we doing this?

IPv4 Address Exhaustion

http://www.potaroo.net/tools/ipv4/

% of IPv6 users as seen by Google in the U.S.

https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption&tab=ipv6-adoption
Native IPv6 Traffic to Google.

% of IPv6 users as seen by Facebook

https://www.facebook.com/ipv6/?tab=ipv6

Why Bother?

• Continuity of Business
  – To ensure services are available to customers and partners
  – New products and enhanced service delivery
  – Government/Partner/Corporate mandates or regulations
• Cost
  – Avoid the risk and cost associated with unplanned and uncontrolled implementation of IPv6
  – Avoid the increased cost of moving to IPv6 when the industry and suppliers are driving the market

[Chart: cost over time; the size of the IPv4 free pool shrinks while IPv6 deployment grows, with "Today" marked on the time axis]

What is an IPv6 Address?

IPv6 Addresses

• IPv6 addresses are 128 bits long
• Segmented into 8 groups of four HEX characters (called HEXtets)
• Separated by a colon (:)
• Default is 50% for network ID, 50% for interface ID

Global Unicast Identifier example:
  Network portion: gggg:gggg:gggg:ssss (Global Routing Prefix, n <= 48 bits; Subnet ID, 64 - n bits)
  Interface ID: xxxx:xxxx:xxxx:xxxx (host, 64 bits)
  Full format: 2001:0000:0000:00A1:0000:0000:0000:1E2A
  Abbreviated format: 2001:0:0:A1::1E2A

Types of Unicast IPv6 Addresses

• RFC 4291 IP Version 6 Addressing Architecture
• Link-Local Address (LLA)
• Unique Local Address (ULA) (RFC 4193)
  – Site-Local Address has been deprecated by IETF (RFC 3879, September 2004)
• Global Unicast Address

[Figure: scope of Link-Local Address, Unique Local Address and Global Address]

How Do We Build an IPv6 Address Plan?

Addressing Plan Requirements and Considerations

Requirements:
• Clear addressing for different parts of the network
  – WAN/Core, Campus, Branch, DC, Internet Edge, etc.
• Different locations
• Different services
• Encoding of information
• Ease of aggregation
• Leaving space for growth
• Involvement of other teams
  – E.g. Information Security

Considerations:
• Length of prefix and bits to work with
  – Enterprises usually multiple /48 (≥ 16 bits)
  – SPs should get /29 (≥ 35 bits)
• Avoid breaking the nibble boundary
• Think of # of prefixes at each level
• Templates will be your friends
• Internal policy for using the Addressing Plan

IPv6 Address Considerations

• Many ways of building an IPv6 Address Plan
  – Regional breakdown, purpose-built or generic buckets, separate per business function
  – Hierarchy is key
  – Don't worry too much about potential inefficiencies
• Prefix length selection
  – Network infrastructure links, host/end-system LAN
• Addressing hosts
  – SLAAC, DHCP (stateful), DHCP (stateless), manually assigned
• Building the IPv6 Address Plan
  – Cisco IPv6 Addressing White Paper: http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_BN_IPv6AddressingGuide-Feb2013.pdf

IPv6 Address Space - PI vs PA

• Do I get PI or PA?
  – PI space is great for organizations who want to multihome to different SPs
  – PA if you are single-homed or you plan to NAT/Proxy everything with IPv6 (not likely)
• Possible options for PI
  – Get one large global block from the local RIR and subnet out per region
  – Get a separate block from each of the RIRs you have presence in
• Most organizations are going down the PI path
  – Getting assignments across regional registries provides "insurance" against changing policies
  – Traffic engineering

Addressing Recommendations

• Link Local Address
  – First 64 bits are fixed
  – Interface Identifier can be modified
  – Encoding external identifiers for troubleshooting: VLAN number, Router IDs, IPv4 address
  – Possible to leverage for IGP routing
• Unique Local Address
  – Not for end-point addressing
  – Unless in a closed system
  – Needs translation (NPTv6 or NAT66) on the Internet Edge
• Global Unicast Address
  – Vast number of prefixes
  – Manage just one address space

[Figure: scope of Link-Local Address, Unique Local Address and Global Address]

What about NAT?

A couple of versions of address translation related to IPv6:
• NAT-PT: original specification, deprecated
• NPTv6: stateless translation method, only manipulates the prefix
• NAT66: stateful translation, not specified in an RFC
• NAT64: translation between the IPv6 and IPv4 address families; stateless and stateful methods available

Where should NAT be applied?
• NAT66
  – Address hiding???
  – That's the way we do IPv4???
  – It provides security???
  – Multi-homing
• NAT64
  – Boundaries between IPv4-only and IPv6
  – Highly successful in getting quick IPv6 access
  – Cannot be the final state
  – Must move towards full IPv6 integration

http://www.potaroo.net/ispcol/2017-09/natdefence.html

NAT64

Stateless NAT64:
• 1:1 translation
• No conservation of IPv4 addresses
• Assures end-to-end address transparency and scalability
• No state or bindings created on the translation
• Requires IPv4-translatable IPv6 address assignment
• Requires either manual or DHCPv6-based address assignment for IPv6 hosts

Stateful NAT64:
• 1:N translation
• Conserves IPv4 addresses
• Uses address overloading, hence lacks end-to-end address transparency
• State or bindings are created on every unique translation
• No requirement on the nature of IPv6 address assignment
• Free to choose any mode of IPv6 address assignment: manual, DHCPv6, SLAAC

Stateless NAT64

Hosts receive (via static or DHCPv6) consistent, predictable IPv4-embedded IPv6 addresses.

interface GigabitEthernet0/2.112
 nat64 enable
interface Vlan70
 nat64 enable
nat64 prefix stateless 2001:DB8:FACE::/64
nat64 route 10.6.4.0/24 Vlan70

[Diagram: IPv6 network (Switch 1) – NAT64 – IPv4 network (Switch 2)]
2001:DB8:FACE::A:604:A00:0 <-> 10.6.4.10
2001:DB8:FACE::4:404:400:0 <-> 4.4.4.4

IPv6-Only Data Center: https://toreanderson.github.io/2016/02/22/ipv6-only-data-centre-rfcs-published.html

Stateful NAT64

interface GigabitEthernet0/2.112
 nat64 enable
interface Vlan70
 nat64 enable
ipv6 access-list IPv6LIST
 permit ipv6 2001:DB8:FACE:0:A:604::/96 any
nat64 prefix stateful 2001:DB8:FACE::4:404/96
nat64 v4 pool POOL 10.6.4.10 10.6.4.49
nat64 v6v4 list IPv6LIST pool POOL overload

[Lab diagram: Client A (IPv6, 2001:db8:cafe::200/64 on data VLAN 70) and Client B, behind a 3560X/3750X, reach Server D (IPv4 10.6.4.10/24) and Server C (IPv4/IPv6, 4.4.4.4/24) through the NAT64 on an ASR1002; on the IPv6 side the servers appear under the /96 prefix as 2001:DB8:FACE::A06:40A and 2001:DB8:FACE::404:404 (dynamic)]

IPv6 network | IPv4 network

NPTv6
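Added example (mine, not from the deck or from Cisco): the RFC 6052 IPv4-embedded IPv6 address synthesis that both NAT64 slides rely on, for every prefix length the RFC allows, plus the reverse extraction with its layout checks. It uses the slides' own prefixes and hosts (2001:DB8:FACE::/64, 2001:DB8:FACE::4:404/96, 10.6.4.10, 4.4.4.4) and reproduces the addresses shown on the diagrams.

```python
import ipaddress

# RFC 6052 allows these NAT64 prefix lengths. For /32../64 the octet at
# bits 64..71 ("u") must be zero, so the IPv4 address is split around it;
# for /96 the IPv4 address simply occupies the last 32 bits.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _layout(prefixlen):
    """Return (IPv4 bits placed before the u octet, shift of that high part, shift of the low part)."""
    before = 64 - prefixlen                 # IPv4 bits that fit between prefix end and bit 64
    high_shift = 128 - prefixlen - before   # high part sits right after the prefix
    low_shift = 128 - 72 - (32 - before)    # low part sits right after the u octet (bit 72)
    return before, high_shift, low_shift


def embed_ipv4(prefix, ipv4):
    """Synthesize the IPv6 address that represents ipv4 under a NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"NAT64 prefix length must be one of {RFC6052_PREFIX_LENGTHS}")
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = int(net.network_address)         # host bits of the prefix are already zero
    if net.prefixlen == 96:
        return ipaddress.IPv6Address(base | v4)
    before, high_shift, low_shift = _layout(net.prefixlen)
    high = v4 >> (32 - before)              # top 'before' bits of the IPv4 address
    low = v4 & ((1 << (32 - before)) - 1)   # the remaining IPv4 bits
    return ipaddress.IPv6Address(base | (high << high_shift) | (low << low_shift))


def extract_ipv4(prefix, ipv6):
    """Recover the IPv4 address embedded in ipv6, validating the RFC 6052 layout."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS or addr not in net:
        raise ValueError(f"{addr} is not an IPv4-embedded address under {net}")
    a = int(addr)
    if net.prefixlen == 96:
        return ipaddress.IPv4Address(a & 0xFFFFFFFF)
    if (a >> 56) & 0xFF:                    # bits 64..71 counted from the top
        raise ValueError("bits 64..71 (the u octet) must be zero")
    before, high_shift, low_shift = _layout(net.prefixlen)
    high = (a >> high_shift) & ((1 << before) - 1)
    low = (a >> low_shift) & ((1 << (32 - before)) - 1)
    return ipaddress.IPv4Address((high << (32 - before)) | low)


if __name__ == "__main__":
    for prefix, host in (("2001:DB8:FACE::/64", "10.6.4.10"),
                         ("2001:DB8:FACE::/64", "4.4.4.4"),
                         ("2001:DB8:FACE::4:404/96", "4.4.4.4")):
        v6 = embed_ipv4(prefix, host)
        print(f"{host:>10} under {prefix:<24} -> {v6}  (back: {extract_ipv4(prefix, v6)})")
```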

NPTv6 is a stateless 1:1 translation of an internal IPv6 prefix to an external IPv6 prefix

ASR1k, CSR1k, ISR4k: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book/iadnat-asr1k-nptv6.html

NAT66

IPv6-to-IPv6 stateful translation

FW(config)# object network inside_v6
FW(config-network-object)# subnet 2001:db8:122:2091::/96
FW(config-network-object)# nat (inside,outside) dynamic interface ipv6

The configuration above allows for 1:N translation using PAT.

Sourcefire: https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-nat.html#concept_5FBE69B32F8E4A499276904DF6A2BB21
ASA: https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli//asa-94-firewall-config/nat-reference.html#concept_5FBE69B32F8E4A499276904DF6A2BB21

Methodology for writing an IPv6 Addressing Plan

The 4 Rules (Remember Rule #1)

1. Simple
  • You don't want to spend weeks explaining/building it!
2. Embed Information
  • To help troubleshooting and operation of the network
  • Examples: location, country, PIN, VLAN, IPv4 addresses in Link Local and/or Global Addresses
3. Build-in Reserve
  • Cater for future growth, mergers & acquisitions, new locations
  • Reserved vs. assigned
4. Aggregatable
  • Good aggregation is essential; with just one address block (per location) we can take advantage of this (unlike in IPv4!)
  • Ensures scalability and stability

Methodology (1) – Structure

• Analyze: where will IPv6 be deployed? EVERYWHERE
  – Addressing plan needs to be designed globally
• Identify the structure of the addressing plan
  – Based on requirements and considerations discussed earlier
  – Top-down approach (this might be different from the IPv4 days when #hosts/subnet was important)
• Where and how many locations
  – Countries, regions, locations, buildings, etc.
  – Needs to map onto the physical / logical network topology
• Which services, applications and systems are connected in each location
  – E.g. fixed networks, mobile networks, end-users, ERP, CRM, R&D, etc.

Methodology (2) – # Prefixes per Level

• How many prefixes will you need at each level of the addressing plan
  – Example: a BNG can handle 64000 subscribers = 64000 IPv6 prefixes
  – Example: the number of interconnects (P2P) in your network
  – As always, put aside a reserve!
• How many /64 prefixes (subnets) you need to deploy at a location
  – Example: desktops, WiFi, guestnet, sensors, CCTV, network infrastructure, etc.
  – As always, put aside a reserve!
• Don't worry about the number of hosts
  – We have 2^64 IPv6 addresses for hosts!

Methodology (3) – Information Encoding

• Remember transition mechanisms: these will have specific address format requirements
  – ISATAP, NAT64 (/96), 6rd, MAP
• Possible encoding of information in particular portions of the IPv6 prefix
  – VLANs in the prefix
  – VLAN 4096 => 2001:db8:1234:4096::/64 (alternatively in hex)
• The whole IPv4 address or just a portion: consider this carefully, it is a trade-off between linkage vs. independence
  – IPv4 address 10.0.13.1 => 2001:db8:1234:100::10:0:13:1
• Router IDs in the Interface Identifier / IPv4 in Link-Local
• Consider security implications!

Methodology (4) – Infrastructure Addressing

• How about router interconnects / point-to-point links?
  – First recommendations: configured /64, /112 or /126
  – RFC 3627 (Sept. 2003, /127 considered harmful) moved to historic by RFC 6547 (Feb. 2012)
  – Since April 2011, RFC 6164 recommends /127 on inter-router links
  – Current recommendation: /64, /126 or /127 (/127 mitigates ND exhaustion attacks)
  – Allocate a /64 from a block (e.g. /54) for infrastructure links but configure /127
  – Example: 2001:420:1234:1:1::0/127 and 2001:420:1234:1:1::1/127
• Loopbacks
  – E.g. dedicate a /64 for Loopback addresses
  – Allocate a /64 per Loopback but configure /128
  – Example: 2001:420:1234:100:1::1/128 and 2001:420:1234:101:1::1/128
  – Avoid a potential overlap with Embedded RP addresses

Prefix Length Considerations

• Anywhere a host exists: /64
• Point to point: /127
• Loopback or anycast: /128
• RFC 7421: /64 is here
• RFC 6164: /127, cache exhaustion

[Diagram: Hosts /64; Servers /64; Core /64 or /127; Pt 2 Pt /127; Loopback /128; WAN]

Link Local Only?

• Exclusively use Link Local Addresses on network infrastructure
• Prefix lengths don't matter anymore
• Network infrastructure is unreachable from outside of the network
• Will impact your network management: ping, traceroute, SNMP, TACACS, RADIUS
• See RFC 7404, Using Only Link-Local Addressing inside an IPv6 Network

[Diagram: R101 --- Ethernet0/0 --- R111]

R111#sh run int eth0/0
interface Ethernet0/0
 ip address 10.112.0.111 255.255.255.0
 ipv6 address FE80::111 link-local
 ipv6 enable
 ospfv3 1 ipv6 area 0
end

R111#sh ipv6 route
IPv6 Routing Table - default - 2 entries
O   1::1/128 [110/10]
     via FE80::101, Ethernet0/0
L   FF00::/8 [0/0]
     via Null0, receive

R111#sh ospfv3 neigh
OSPFv3 1 address-family ipv6 (router-id 1.1.1.111)
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
77.1.1.1          1   FULL/DR         00:00:36    3               Ethernet0/0

For Your Reference: Example - How Many Subnets in a Location?

/48 per location
• /52 Infrastructure (2^4 = 16 /52s in a /48)
  – /54 Interconnects: 1024x /64, /127 per P2P link (2^2 = 4 /54s in a /52)
  – /54 Loopbacks: 1024x /64, /128 per Loopback
  – /54 reserve
  – /54 reserve
• /52 Desktops: 2^12 = 4096 /64 subnets
• /52 Wireless: 2^12 = 4096 /64 subnets

Allocated: 2^10 = 1024 /64s per /54, i.e. 1024 /127 p-t-p links and 1024 /128 loopbacks

• Follow the logical flow
• How many subnets in each location? /52 etc.
• What sits under infrastructure?
• How many point-to-point links?
• Where is the reserve?
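Added example (mine, not from the deck or from Cisco) that carves one /48 per location exactly as the table above: 16 x /52 (infrastructure, desktops, wireless, the rest reserve), the infrastructure /52 into 4 x /54, and a /64 per point-to-point link or loopback from which the configured /127 or /128 is derived, as the "Infrastructure Addressing" slide recommends. The location prefix 2001:db8:1234::/48 is a constructed documentation value.

```python
import ipaddress

# Constructed location prefix for this example (documentation space, not the deck's lab).
LOCATION = ipaddress.IPv6Network("2001:db8:1234::/48")


def build_location_plan(location):
    """Carve one /48 per location into the deck's hierarchy of /52 and /54 blocks."""
    if location.prefixlen != 48:
        raise ValueError("the plan allocates one /48 per location")
    # /48 -> 2^4 = 16 x /52: infrastructure, desktops, wireless, 13 x reserve
    blocks52 = list(location.subnets(new_prefix=52))
    # /52 infrastructure -> 2^2 = 4 x /54: interconnects, loopbacks, 2 x reserve
    blocks54 = list(blocks52[0].subnets(new_prefix=54))
    return {
        "infrastructure": blocks52[0],
        "interconnects": blocks54[0],
        "loopbacks": blocks54[1],
        "infrastructure_reserve": blocks54[2:],
        "desktops": blocks52[1],
        "wireless": blocks52[2],
        "reserve": blocks52[3:],
    }


def nth_64(block, n):
    """Return the n-th /64 inside block without enumerating all of them (a /54 holds 1024)."""
    count = 1 << (64 - block.prefixlen)
    if not 0 <= n < count:
        raise IndexError(f"block {block} holds only {count} /64s")
    base = int(block.network_address) + (n << 64)
    return ipaddress.IPv6Network((base, 64))


def p2p_link(plan, n):
    """Allocate the n-th /64 of the interconnect block but configure it as a /127 (RFC 6164).

    Returns the /127 and the two interface addresses to configure on each end."""
    net64 = nth_64(plan["interconnects"], n)
    link = ipaddress.IPv6Network((net64.network_address, 127))
    side_a = ipaddress.IPv6Interface((link.network_address, 127))
    side_b = ipaddress.IPv6Interface((link.network_address + 1, 127))
    return link, side_a, side_b


def loopback(plan, n):
    """Allocate the n-th /64 of the loopback block but configure a single /128 (::1 of that /64)."""
    net64 = nth_64(plan["loopbacks"], n)
    return ipaddress.IPv6Interface((net64.network_address + 1, 128))


def same_127(a, b):
    """True when two addresses fall in the same /127, i.e. form a valid point-to-point pair."""
    return (ipaddress.IPv6Network((a, 127), strict=False)
            == ipaddress.IPv6Network((b, 127), strict=False))


if __name__ == "__main__":
    plan = build_location_plan(LOCATION)
    for name in ("infrastructure", "interconnects", "loopbacks", "desktops", "wireless"):
        print(f"{name:<15} {plan[name]}")
    print(f"reserve: {len(plan['reserve'])} x /52, {len(plan['infrastructure_reserve'])} x /54")
    link, a, b = p2p_link(plan, 1)
    print(f"P2P link #1: {link} -> {a} and {b}")
    print(f"Loopback #0: {loopback(plan, 0)}")
```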

For Your Reference: Example of an IPv6 Prefix Break-down (ISP)

/29 from RIPE
• /30 Internal
  – /32 for Private Addressing (Internal Services)
    – /40 for Core Network (/64 for Loopbacks, /128s)
    – /40 for Enterprise DC
    – /40 for Enterprise Campus
  – /32 for Internal Addressing
  – /32 for External Addressing (External Services)
    – /40 for Core Network External
    – /40 for Enterprise DC (non-Subscribers) External
    – /40 for Enterprise Infrastructure External
    – /40 for Enterprise Campus External
  – /32 as a reserve
• /30 for Subscribers
  – /36 per PoP
  – /40 per BNG
  – /56 per Subscriber

Tools for Managing IPv6 Addressing Plan

• Not just a spreadsheet, please! Prone to error
• There are many IP Address Management tools on the market
  – Cisco Prime Network Registrar: http://www.cisco.com/en/US/products/ps11808/index.html
• Work with an IPv6 prefix calculator
  – Example: http://www.gestioip.net/cgi-bin/subnet_calculator.cgi

Recommendations

• Link-Local Address
  – Normally, first 64 bits are fixed
  – Interface Identifier can be modified
  – Encoding e.g. VLAN number, router IDs, IPv4 address may make troubleshooting easier
  – Keep it simple
  – Restrict it to Network Infrastructure
  – Default is EUI-64

Example 1: EUI-64 FE80::ABDC:12FF:FE34:5678
Example 2: Router ID 1.1.1.1 => FE80::1:1:1:1 (identifies the device rather than a link; all interfaces on one device have the same LLA)
Example 3: VLAN number 1006 => FE80::1006 (VLAN to which a server is connected)
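Added example (mine, not from the deck or from Cisco) implementing the encodings from "Methodology (3) – Information Encoding" and the three link-local examples above: a VLAN number written as decimal digits into the subnet ID (and the hex alternative), the IPv4 octets written into the interface identifier, router-ID and VLAN link-local addresses, and the default EUI-64 form for comparison. The MAC address a9:dc:12:34:56:78 is constructed to reproduce Example 1; note that Python prints the IPv4-in-IID address without a "::" because no run of two or more zero groups remains.

```python
import ipaddress

LINK_LOCAL = 0xFE80 << 112   # fe80::/64 with a zero subnet ID, as in the slide's examples


def _decimal_as_hex(number):
    """Read decimal digits as hex digits: the trick behind VLAN 4096 -> :4096: and 1006 -> ::1006."""
    if not 0 <= number <= 9999:
        raise ValueError("only up to four decimal digits fit in one 16-bit group")
    return int(str(number), 16)


def _octets_as_groups(ipv4):
    """Pack the four dotted-decimal octets, each read as hex, into a 64-bit interface ID."""
    iid = 0
    for octet in str(ipaddress.IPv4Address(ipv4)).split("."):
        iid = (iid << 16) | int(octet, 16)
    return iid


def vlan_prefix(site_prefix, vlan, as_hex=False):
    """Encode a VLAN number in the subnet ID of a /48 site prefix and return the /64."""
    site = ipaddress.IPv6Network(site_prefix)
    if site.prefixlen != 48:
        raise ValueError("expects a /48 site prefix so the subnet ID is exactly one 16-bit group")
    subnet_id = vlan if as_hex else _decimal_as_hex(vlan)
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def vlan_from_prefix(prefix64):
    """Decode a decimal-encoded VLAN from the subnet ID; hex letters mean it was not encoded that way.

    Note the inherent ambiguity: a subnet ID of 1000 could be decimal 1000 or hex-encoded 4096."""
    net = ipaddress.IPv6Network(prefix64)
    digits = f"{(int(net.network_address) >> 64) & 0xFFFF:x}"
    if not digits.isdigit():
        raise ValueError(f"subnet ID {digits} is not a decimal-encoded VLAN")
    return int(digits)


def ipv4_in_iid(prefix64, ipv4):
    """Write the IPv4 octets into the last four groups of a /64 (10.0.13.1 -> :10:0:13:1)."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("expects a /64 so the whole interface ID is free for the encoding")
    return ipaddress.IPv6Address(int(net.network_address) | _octets_as_groups(ipv4))


def router_id_lla(router_id):
    """Router ID 1.1.1.1 -> fe80::1:1:1:1; the same LLA is meant for every interface of the device."""
    return ipaddress.IPv6Address(LINK_LOCAL | _octets_as_groups(router_id))


def vlan_lla(vlan):
    """VLAN 1006 -> fe80::1006, naming the VLAN a server is connected to."""
    return ipaddress.IPv6Address(LINK_LOCAL | _decimal_as_hex(vlan))


def eui64_lla(mac):
    """Default link-local (modified EUI-64): flip the U/L bit, insert ff:fe; the MAC stays visible."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expects a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return ipaddress.IPv6Address(LINK_LOCAL | int.from_bytes(eui, "big"))


if __name__ == "__main__":
    print("VLAN 4096 in prefix   :", vlan_prefix("2001:db8:1234::/48", 4096))
    print("VLAN 4096 in hex      :", vlan_prefix("2001:db8:1234::/48", 4096, as_hex=True))
    print("IPv4 10.0.13.1 in IID :", ipv4_in_iid("2001:db8:1234:100::/64", "10.0.13.1"))
    print("Router ID 1.1.1.1 LLA :", router_id_lla("1.1.1.1"))
    print("VLAN 1006 LLA         :", vlan_lla(1006))
    print("EUI-64 LLA (constructed MAC a9:dc:12:34:56:78):", eui64_lla("a9:dc:12:34:56:78"))
```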

Recommendations

• Unique Local Address
  – Don't deploy
  – Not for end-point addressing
  – Unless in a closed system
  – Needs translation for outside-of-domain communication
• Global Unicast Address
  – Take advantage of the vast number of prefixes
  – Manage just one address space
• Remember: an interface has multiple IPv6 addresses

For Your Reference: IPv6 Addresses per Interface

• Link-local

• Global unicast and/or Anycast

• All nodes multicast

• Multicast address of all groups it subscribes to

• Its own solicited-node multicast address

• Loopback (::1)
  – Per node

For Your Reference: IPv6 Addresses per Interface – Router output

Cat3750-X#show ipv6 int GigabitEthernet1/1/1
GigabitEthernet1/1/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::523D:E5FF:FE1D:4142
  Global unicast address(es):
    2001:428:E204:FD00::23, subnet is 2001:428:E204:FD00::22/127
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::5
    FF02::1:FF00:23
    FF02::1:FF1D:4142
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND RAs are suppressed (all)
  Hosts use stateless autoconfig for addresses.

IPv6 Addresses don't work well with Text messaging and Instant Messaging clients!

Source: Cisco Jabber – output of “show ipv6 cef” command

IPv6 Address Assignment

Host Address Assignment

        Manual                   Stateless                 Stateful DHCPv6
Pros    Address is stable        Scales well               Well understood process
        Controlled assignment    Time to deploy            Controlled assignment
        Well understood process  Widely implemented        Time to deploy
Cons    Does not scale           No control on             Implementation in OS
                                 assignment process
        Time to deploy           Not well understood       Must design for HA
        Lack of management       Privacy concerns

• The choice of assignment depends on the existing processes and the adaptability of that process
• Remember that the methods are not mutually exclusive: all three can be used
• Regardless of choice, you must still control stateless address assignment

Managing IPv6 Address Assignment

• Likely to use a combination of at least 2 methods
• Usage depends on the place in the network (PIN) & end-devices
• P2P/Infrastructure links/devices & "heavily" managed environment (e.g. public servers)
  – Manual assignment
  – Link-Local addresses only? Using Only Link-Local Addressing Inside an IPv6 Network
• End-user VLAN
  – Stateful DHCPv6
• Non-managed environment (e.g. Public Hotspots)
  – SLAAC + stateless DHCPv6
  – Remember: EUI-64 => MAC exposed in the address on the Internet

IPv6 Addressing Pop Quiz!!!!!

Questions

• Is fe80:1bd:8a71:145::1 a legitimate IPv6 address?

• How many addresses can you assign to an interface?

• Is 2001:db8:1234::/128 usable as a loopback address?

• Are 2001:db8:567:43ab::9 and 2001:db8:567:43ab::10 on the same /127 subnet?

• What is the air speed velocity of an unladen sparrow?

IPv6 Planning

The Scope of IPv6 Deployment

Planning and coordination is required from many across the organization, including:
• Network engineers & operators
• Security engineers
• Application developers
• Desktop / Server engineers
• Web hosting / content developers
• Business development managers
• …

Moreover, training will be required for all involved in supporting the various IPv6-based network services.

Where do I start?

• Core-to-Access – Gain experience with IPv6
• Turn up your servers – Enable the experience
• Access-to-Core – Securing and monitoring
• Internet Edge – Business continuity

[Diagram: ISPs – Internet Edge – Core – WAN / Servers – Branch – Access layer]

Common Deployment Models for Internet Edge

[Diagram: three models for the Internet, partner and branch edge (Pure Dual Stack, Conditional Dual Stack, Translation as a Service), each built from Enterprise Edge, Agg + Services, Phy/Virt. Access, Storage and Compute layers; host populations shown are IPv4-only hosts, dual stack hosts and mixed hosts; AFT and the SLB64 / NAT64 boundary mark where address family translation happens between IPv6 and IPv4, with a multi-tenant core in the translation model]

IPv6 Readiness Assessment

Readiness Assessment

• A key and mandatory step to evaluate the impact of IPv6 integration
  – Evaluate costs and define timelines
  – Define the scope of integration
• Should be split in several components
  – Network Infrastructure
  – Service Providers
  – End Systems
  – Applications
  – Operations
  – Addressing

Network Assessment

• Break the project down into phases
  – Avoids false positives and cuts back on upgrade costs
• Determine the place in the network (PIN), platforms and features that are needed in each phase
  – RIPE-554
  – IPv6 Ready Logo Program
• Work with your vendor to address the gaps
  – Applies to all of your vendors

Commonly Deployed IPv6-enabled OS/Apps

[Slide of vendor logos: Operating Systems, Virtualization & Applications]

Most commercial applications won’t be your problem – it will be the custom/home-grown apps that are difficult

What Defines an Application?

Are these applications, or just ports?
• HTTP 80
• FTP 20/21
• POP3 110
• IMAP 143
• HTTPS 443
• SMTP 25

All of them run over an IPv4/IPv6 transport.

Services Assessment

• Evaluate the organizations that are going to provide services to support your deployment
  – Internet Service
  – Application
  – Cloud Services
  – Content Management
  – DNS
• Deployment Type
  – Dual Stack
  – Native or Overlay
• What kind of services are offered
  – Are they "IPv6 Capable"?
  – If not, when will IPv6 be integrated?

Questions to ask your Internet Service Provider: http://docwiki.cisco.com/wiki/What_To_Ask_From_Your_Service_Provider_About_IPv6

Operational Assessment

• Evaluate the tools in the NMS for IPv6 capability
  – All tools across the FCAPS model
• Define what is critical and what can wait
  – Is it critical to support NetFlow or anycast DNS?
• Custom scripts
  – Updated to accommodate dual transports; override default behavior to prefer one over the other
  – Are there new scripts needed? Are both transports available? # of addresses per host, DNS queries/responses, validating summarization

IPv4 Address Assessment

• Assess how the existing IPv4 address space is used
• Useful information for
  – IPv6 integration
  – IPv4 address consolidation
  – Reclaiming unused address space
• Use existing tools
  – IPAM
  – ARP tables
  – Routing tables
  – DHCP logs

[Diagram: better visibility into how the existing address space is used -> can better answer when IPv6 is critical]

Integration Mechanisms

Transition Solution Universe!

Connecting IPv6 Sites Together

[Diagram: customer and subscriber networks connected across an IPv4, dual stack or MPLS core]
• Dual Stack IPv4/IPv6 WAN with dual stack CEs
• 6VPE service: IPv6 VPN over an MPLS IPv4 core, dual stack CE/CPEs, dual stack headquarters
• Tunnels over the IPv4 WAN: manually configured tunnels, IPv6 over GRE, IPsec tunnels, IPv6 Rapid Deployment (6rd), Dynamic Multipoint VPN (DMVPN), LISP
• Carrier Grade NAT

SP IP Network Transition options

[Diagram: subscriber networks reaching the IPv4 Internet and the IPv6 Internet through the SP core; options shown:]
• IPv4 Carrier Grade NAT (NAT444): IPv4 core, NAT at the PE and on the subscriber CE
• IPv6 Rapid Deployment (6rd): v6 over v4 across an IPv4 access network via a 6rd BR, dual stack core
• Native IPv6 connectivity: dual stack core and dual stack access network (ex: DOCSIS 3.0)
• IPv4 via an IPv6 access network (v4 over v6): dual stack core with a DS-Lite AFTR (with NAT44), an L2TP LNS, or a 4rd BR; IPv6-only subscribers with AFT64 (6<->4)
• Broadband softwires: DS-Lite, MAP-E (encapsulation), MAP-T (translates L3 and L4 headers), lw4over6, 4rd, 464XLAT
For more info see: http://www.cisco.com/go/cgv6

Coexistence Considerations

Scalability and Performance

• IPv6 Neighbor Cache = ARP for IPv4
• In dual-stack networks the first-hop routers/switches will now have more memory consumption due to IPv6 neighbor entries (can be multiple per host) + ARP entries

ARP entry for a host in the campus distribution layer:
Internet  10.120.2.200   2   000d.6084.2c7a  ARPA   Vlan2

IPv6 Neighbor Cache entries for the same host (same MAC):
2001:DB8:CAFE:2:2891:1C0C:F52A:9DF1   4   000d.6084.2c7a  STALE  Vl2
2001:DB8:CAFE:2:7DE5:E2B0:D4DF:97EC  16   000d.6084.2c7a  STALE  Vl2
FE80::7DE5:E2B0:D4DF:97EC            16   000d.6084.2c7a  STALE  Vl2

• There are some implications to managing the IPv6 neighbor cache when concentrating large numbers of end systems

Neighbor Unreachability Detection (NUD)

• The neighbor cache maintains mapping information; the neighbor's reachability state is also maintained
• Neighbors can be in one of 5 possible states
  – INCOMPLETE: address resolution is in progress and the link-layer address is not yet known
  – REACHABLE: neighbor is known to be reachable within the last reachable time interval
  – STALE: neighbor requires re-resolution; traffic may flow to the neighbor
  – DELAY: neighbor pending re-resolution; traffic might flow to the neighbor
  – PROBE: neighbor re-resolution in progress; traffic might flow to the neighbor
• Every entry that is marked STALE in the neighbor cache will need to have its state verified
  – Traffic will be forwarded using the STALE entry
  – NUD will use NS/NA to detect reachability

• How often NUD runs depends on the value of AdvReachableTime that is set in RA messages Cisco default is 30 seconds

• Consider CPU load for maintaining state for thousands to tens of thousands of entries!

#CLUS BRKRST-2619 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 64 Neighbor Unreachability Detection (NUD) Implications

• What to do?

• Don’t Panic! • Unless you forgot your towel

• New features to manage the neighbor cache • Extend the reachable time advertised in RA’s(max value is 1 hour) • Unsolicited NA glean (more to avoid traffic disruption) • ND cache timers (control how long an entry is maintained in STALE state; default is 4 hours) • ND cache refresh (run NUD before purging STALE neighbors) • NUD exponential retransmit (spread out the NS packets)

Other Coexistence Considerations

• IPv6 Router Advertisement
  – Disable when not needed
  – Still needed for default GW propagation
  – Use RA Guard whenever possible
• Over time, as new operating systems come on line, it will be harder to identify "IPv6" issues
  – Most organizations are not aware that IPv6 is running in the network
  – Need visibility for both transport protocols
• Management of SLAs and Network Management
  – Understand host behavior when multiple addresses are present
  – Saves time during testing and implementation when the expected address is not being used

Understanding Co-Existence Implications

• Resource considerations
  – Memory (storing the same amount of IPv6 routes requires less memory than might be expected)
  – CPU (insignificant increase in the case of HW platforms, additive in the case of SW platforms)
• Control plane considerations
  – Balance between IPv4/IPv6 control plane separation and scalability of the number of sessions
• Performance considerations
  – Forwarding in the presence of advanced features
  – Convergence of IPv4 routing protocols when IPv6 is enabled

[Chart: Memory (bytes, 0 to 450000) vs Number of Routes (0 to 3000), IPv4 and IPv6 with linear fits]
[Chart: Time (0 to 0.5) vs Number of Prefixes (0 to 3000), IPv4 OSPF and IPv6 OSPF with linear fits]

QoS Considerations

• IPv4 and IPv6 QoS features are mostly compatible (RFC 2460/3697)
• Both transports use DSCP (aka Traffic Class)
• Control plane queues need to now take into account IPv6 overhead too
• IPv6 classification can follow the same IP Precedence, Service Class, DSCP and EXP values already defined for IPv4
• IPv6 will utilize the same Network Control, Voice, Gold, Bronze, Silver, Best Effort classes

[Figure: IPv4 header (Version, IHL, Type of Service carrying the DSCP, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding) alongside the IPv6 header's Traffic Class field carrying the DSCP]

QoS CLI

class-map match-any Critical_Data
 match dscp af21
class-map match-any Voice
 match dscp ef
class-map match-all Scavenger
 match dscp cs1
class-map match-any Bulk_Data
 match dscp af11
!
policy-map DISTRIBUTION
 class Voice
  priority percent 10
 class Critical_Data
  bandwidth percent 25
  random-detect dscp-based
 class Bulk_Data
  bandwidth percent 4
  random-detect dscp-based
 class Scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  random-detect

• Class maps can match both IPv4 and IPv6 traffic
• Can be broken into "ip" and "ipv6" matching
• Design principles still the same
  – Mark at the edge
  – Trust boundaries still apply
  – Queue sizing

[Diagram: Data, Voice, Video and Internet traffic classes feeding the distribution policy]

Management and Operations

Don't Forget About Network Management

• Management and design strategies for IPv6 addressing policies and operation

• Introduction of extended IP services: DHCPv6, DNSv6, IPAM

• Managing security infrastructures: Firewall, IDS, AAA

• Tool visibility, insight and analysis of IPv6 traffic: NetFlow v9, IPv6 SLA

• Dual Stack Interfaces and tools
  ‒ Reporting combined v4 and v6 traffic statistics
  ‒ Requires support in:
    ‒ Instrumentation (MIB, NetFlow records, etc.)
    ‒ NMS tools and systems

IPv6 Instrumentation

[Diagram: IPv6/IPv4 dual stack hosts on an L2 campus, L3 distribution, an IPv6 over IPv4 tunnel and the Internet, with the instrumentation points listed below]

• IPv6 FHS

• Port ACL

• IPv6 MIBs

• IPv6 traffic metering with Flexible NetFlow

• Response measurement with IP SLA

• IPv6 tunnel detection with NBAR2

• Tunnel filtering with ASA

• IDS/IPS signatures

• Prefix propagation

Troubleshooting IPv6 Issues

• IPv4 or IPv6 is transparent to a user since names are used to connect to web sites or other hosts
  ‒ http://www.google.com will take us to Google

• Typically an end user will notice issues if all of the following are true:
  ‒ IPv6 is enabled on the desktop
  ‒ The DNS query returns an IPv6 AAAA record
  ‒ IPv6 is preferred over IPv4
  ‒ There are connectivity problems over IPv6

[Figure: protocol stack with TCP and UDP over IPv4 (Ethertype 0x0800) and IPv6 (Ethertype 0x86dd), both over the data link layer]

Diagnosing IPv6 Issues

• When a desktop needs to connect to a web site, the first thing it does is resolve the DNS name to an IP address.

• If the address returned contains an AAAA record and IPv6 is enabled and preferred on the host, it will use IPv6 to reach that website.

• If there are issues with IPv6 connectivity further in the network, the host may not be able to connect (or load the page in a browser)

• The host will wait for IPv6 to time out before falling back to IPv4 (this is ~30 sec for Windows), which leads to a bad user experience.

• Basic troubleshooting using ping, tracert, ipconfig should help isolate the issue
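The sequence above (resolve, prefer the AAAA answer, wait for IPv6 to time out, fall back to IPv4) is easy to model, and doing so shows why the four conditions on the previous slide together produce the slow page load. The following Python is an added example, not code from the deck: the resolver answers and the reachability table are constructed, and the connect() call is injected so the simulation runs offline. It contrasts the sequential fallback the slide describes with an RFC 6555 (Happy Eyeballs) style race, which is how modern browsers hide a broken IPv6 path from the user.

```python
"""Simulate what a dual-stack client does with the A/AAAA answers for a name
and how long a user waits when IPv6 is impaired. Added example, not from the
deck; DNS answers and reachability are constructed and connect() is injected
so the code runs without network access."""
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple

WINDOWS_IPV6_TIMEOUT = 30.0          # ~30 s per failed IPv6 attempt, as on the slide

# Constructed resolver answers: the name has both an AAAA and an A record.
ANSWERS: Dict[str, List[str]] = {
    "www.abc.test": ["2001:db8:c18:1::2", "192.168.30.1"],
}


def make_connect(reachable: Set[str]) -> Callable[[str], bool]:
    """Return a stand-in for connect() that succeeds only for listed addresses."""
    return lambda addr: addr in reachable


def candidates(name: str, ipv6_enabled: bool = True, prefer_ipv6: bool = True) -> List[str]:
    """Order the resolver's answers the way the host's address selection would:
    drop AAAA answers when the IPv6 stack is off, otherwise put the preferred
    family first (the RFC 6724 default policy prefers IPv6 for global addresses)."""
    addrs = [ipaddress.ip_address(a) for a in ANSWERS.get(name, [])]
    if not ipv6_enabled:
        addrs = [a for a in addrs if a.version == 4]
    first = 6 if prefer_ipv6 else 4
    return [str(a) for a in sorted(addrs, key=lambda a: a.version != first)]


def sequential_connect(name: str, connect: Callable[[str], bool],
                       timeout: float = WINDOWS_IPV6_TIMEOUT, **sel) -> Tuple[Optional[str], float]:
    """Legacy behaviour from the slide: try each candidate in turn and wait the
    full timeout before moving on. Returns (address used, seconds the user waited)."""
    waited = 0.0
    for addr in candidates(name, **sel):
        if connect(addr):
            return addr, waited
        waited += timeout
    return None, waited


def happy_eyeballs_connect(name: str, connect: Callable[[str], bool],
                           head_start: float = 0.25, **sel) -> Tuple[Optional[str], float]:
    """RFC 6555 style: the next candidate is started after a short head start
    instead of after a timeout, so a broken preferred family costs the user
    only head_start seconds rather than a full timeout."""
    cands = candidates(name, **sel)
    for i, addr in enumerate(cands):
        if connect(addr):
            return addr, head_start * i
    return None, head_start * len(cands)


def user_will_notice(name: str, connect: Callable[[str], bool], **sel) -> bool:
    """The slide's checklist in one test: IPv6 enabled and preferred, an AAAA
    record present (so the first candidate is IPv6), and that path broken."""
    cands = candidates(name, **sel)
    return bool(cands) and ipaddress.ip_address(cands[0]).version == 6 and not connect(cands[0])
```

Running the model with only the IPv4 address reachable reproduces the 30 second stall from the slide for the sequential client, while the Happy Eyeballs client connects after a quarter of a second; disabling IPv6 on the host or preferring IPv4 also removes the stall, which is why those two switches show up so often in troubleshooting advice.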

IPv6 Testing Considerations

• How do hosts react to auto-configuration?

• Are devices taking both a static and auto-configuration?

• Should IPv6 RAs be disabled? How do devices react to that?

• Does the application being used implement the SAS (Source Address Selection) algorithm correctly?

• How do devices react with A and AAAA DNS records?

• What happens if IPv4 is disabled?

• What happens if IPv6 is impaired?

[Figure: host exchanges exercised in testing: ARP request, RA, DHCP reply, DNS reply carrying an A record and an AAAA record]

IPv6 Testing Considerations

• Create a baseline template that should be run as part of all IPv6 solution testing
  ‒ Hosts/Servers/End Systems
  ‒ Routers/Switches
  ‒ Firewalls/IPS
  ‒ Operating Systems
  ‒ Applications

• Template should consist of basic IPv6 RFC 2460 functionality.
  ‒ IPv6 Ready Logo - http://www.ipv6ready.org
  ‒ USGv6 - http://www-x.antd.nist.gov/usgv6/index.html
  ‒ RIPE-554 - http://www.ripe.net/ripe/docs/current-ripe-documents/ripe-554

IPv6 Tools

• Different ways to check on what is happening

• Where’s my prefix?
  ‒ Route servers and looking glasses - http://www.bgp4.as/looking-glasses
  ‒ Look at your network from the outside in

• Pings, traceroutes, SSL cert and DNS queries
  ‒ https://atlas.ripe.net/results/

• IPv6 troubleshooting tools for mobile devices (iOS & Android): IPv6 toolkit, HE.net, Netalyzr, LanDroid, Netstat

IPv6 and DNS

IPv4

• Hostname to IP Address - A Record: www.abc.test. A 192.168.30.1

• IP Address to Hostname - PTR Record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.

IPv6

• Hostname to IP Address - AAAA Record: www.abc.test AAAA 2001:db8:C18:1::2

• IP Address to Hostname - PTR Record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.
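The IPv6 PTR owner name above is the fully expanded address written as 32 single-nibble labels in reverse order under ip6.arpa, which is why it is so much longer than the in-addr.arpa name. The following Python is an added example, not from the deck: it builds and parses those names for both families using only the standard library, and derives the reverse zone apex that an address plan's prefix would need. The prefix 2001:db8:c18:1::/64 is constructed from the slide's documentation address.

```python
"""Build and parse reverse-lookup (PTR) owner names for IPv4 and IPv6 and
derive the reverse zone for a prefix from an address plan.
Added example; uses only the standard library."""
import ipaddress


def ptr_name(addr: str) -> str:
    """Return the fully qualified PTR owner name for an address.

    IPv4: octets reversed under in-addr.arpa.
    IPv6: all 32 nibbles of the expanded address, reversed, one label each,
    under ip6.arpa. A '::' compressed address is expanded first, so the
    zeros elided in the AAAA record reappear as labels in the PTR name.
    """
    ip = ipaddress.ip_address(addr)
    return ip.reverse_pointer + "."


def address_from_ptr(name: str) -> str:
    """Inverse of ptr_name(): recover the address (canonical text form)."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:-2]))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = "".join(reversed(labels[:-2]))
        if len(nibbles) != 32 or any(len(l) != 1 for l in labels[:-2]):
            raise ValueError("ip6.arpa name must carry exactly 32 single-nibble labels")
        hextets = [nibbles[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(hextets)))
    raise ValueError("not a reverse-lookup name")


def reverse_zone_for(prefix: str) -> str:
    """Return the reverse zone apex that holds PTR records for a prefix.

    IPv4 zones are octet aligned (/8, /16, /24); IPv6 zones are nibble
    aligned (/4 steps), which is one reason address plans keep subnet
    boundaries on nibble boundaries.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are octet aligned")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are nibble aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."
```

ptr_name() reproduces both PTR names from the table exactly, and reverse_zone_for() on the /64 of the slide's address gives the 16-label zone that the record would live in; the alignment checks are where an address plan built on non-nibble boundaries fails.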

AAAA Records on the Wire

DNS as an Integration Tool

[Diagram, three panels (How / Who / When): end systems on the corporate network and on the Internet querying a DNS server]

• How: a remote end system on the IPv6 Internet asks "Who is www.ipv6.cisco.com?" and is answered "www.ipv6.cisco.com is AAAA 2001:420:1101:1::a"; a corporate end system asks "Who is www.cisco.com?" and is answered "www.cisco.com is A 173.37.145.84"

• Who: Internet consumers, business partners and government agencies asking "Who is www.cisco.com?" are answered "www.cisco.com is A 173.37.145.84", while the DNS server also holds AAAA 2001:420:1101:1::a

• When: "Who is www.cisco.com?" is answered with both "A 173.37.145.84" and "AAAA 2001:420:1101:1::a"

IPv6 Security

• In 5 slides or less…

• Can’t be done

• Please see the following sessions for a much more detailed treatment
  ‒ BRKSEC-2050 Firepower NGFW Internet Edge Deployment Scenarios
  ‒ BRKSEC-3200 Advanced IPv6 Security Threats and Mitigation

Security Considerations

Dual Stack increases the types and size of your attack vectors

Dual Stack Host Considerations

• Host security on a dual-stack device
  ‒ Applications can be subject to attack on both IPv6 and IPv4
  ‒ Fate sharing: as secure as the least secure stack...

• Host security controls should block and inspect traffic from both stacks
  ‒ Host intrusion prevention, personal firewalls, VPN clients, etc.

[Figure: a dual stack client with an IPv4 IPsec VPN and no split tunneling; IPv6 transport remains in the clear outside the tunnel, and an inbound IPv6 exploit (IPv6 header plus exploit payload) arrives over that path. Does the IPsec client stop an inbound IPv6 exploit?]

Securing the Edge, FW, Perimeter Router

• Address Range
  ‒ Source of 2000::/3 at minimum vs. “any”, permit assigned space

• ICMPv6
  ‒ RFC 4890 “Recommendations for Filtering ICMPv6 Messages in Firewalls”

• Extension Headers
  ‒ Allow Fragmentation, others as needed. Block HBH & RH type 0

• IPv6 ACLs
  ‒ ipv6 traffic-filter – to apply an ACL to an interface

  permit icmp any any nd-na
  permit icmp any any nd-ns
  deny ipv6 any any log

Infrastructure Security - Management Plane

• SSH, syslog, SNMP, NetFlow all work over IPv6

• Dual-stack management plane
  ‒ More resilient: works even if one stack is down
  ‒ More exposed: can be attacked over IPv4 and IPv6

• RADIUS over IPv6 is recent but IPv6 RADIUS attributes can be transported over IPv4

• As usual, infrastructure ACL is your friend as well as out-of-band management

  ipv6 access-list VTY
   permit ipv6 2001:db8:0:1::/64 any
  line vty 0 4
   ipv6 access-class VTY in

In IOS-XR the command is ‘access-class VTY ingress’, and the IPv4 and IPv6 ACL must have the same name.

Control Plane Policing

• Control Plane Policing can be applied to IPv6

• Adapt what’s in place today to accommodate IPv6
  ‒ Routing protocols
  ‒ Management protocols

• Remember the extended functionality of ICMP

• Monitor carefully to see what shows up in the logs

  policy-map COPPr
   class ICMP6_CLASS
    police 8000
   class OSPF_CLASS
    police 200000
   class class-default
    police 8000
  !
  control-plane cef-exception
   service-policy input COPPr

• Remember the default rules at the end of all IPv6 ACLs
  ‒ permit ipv6 any any nd-na
  ‒ permit ipv6 any any nd-ns
  ‒ deny ipv6 any any
  ‒ They apply to any CoPP policy that uses ACLs to match
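The implicit tail at the end of every IPv6 ACL ties the edge filtering slide and the CoPP note together: an explicit `deny ipv6 any any log` sits in front of the implicit ND permits and silently drops Neighbor Discovery unless ND is re-permitted first (which is why the edge ACL on the earlier slide lists nd-na and nd-ns before its logged deny), and an ACL used to match a CoPP class also matches ND through those same implicit permits. The following Python is an added example, not Cisco code and not from the deck: a small first-match ACL evaluator that appends the implicit entries, an inbound edge ACL built from the slide's rules (2000::/3 sources, HBH and RH0 blocked, RFC 4890 error and echo types allowed), and a CoPP classifier. The web server address 2001:db8:c18:1::2, the packets and the ACL descriptions are constructed; the descriptions are not exact IOS syntax.

```python
"""Evaluate IPv6 ACLs the way IOS does, with the implicit entries appended to
every IPv6 ACL, to show two effects from the deck: an explicit logged deny
hides the implicit ND permits unless ND is re-permitted first, and an ACL
used to match a CoPP class also matches ND through those implicit permits.
Added example; ACLs, packets and entry descriptions are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ICMPV6, OSPF, TCP = 58, 89, 6
HOP_BY_HOP, ROUTING = 0, 43
ND_NS, ND_NA = 135, 136


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                             # upper-layer protocol number
    icmp_type: Optional[int] = None
    ext_headers: tuple = ()                # extension header numbers present
    routing_type: Optional[int] = None     # set when a Routing header is present


@dataclass
class Ace:
    action: str                            # "permit" or "deny"
    src: str = "::/0"
    dst: str = "::/0"
    proto: Optional[int] = None            # None matches any protocol
    icmp_type: Optional[int] = None
    ext_header: Optional[int] = None       # match presence of this extension header
    routing_type: Optional[int] = None
    log: bool = False
    text: str = ""                         # description of the entry (not IOS syntax)


# IOS appends these three entries to every IPv6 ACL, whether typed or not.
IMPLICIT_TAIL = [
    Ace("permit", proto=ICMPV6, icmp_type=ND_NA, text="permit icmp any any nd-na (implicit)"),
    Ace("permit", proto=ICMPV6, icmp_type=ND_NS, text="permit icmp any any nd-ns (implicit)"),
    Ace("deny", text="deny ipv6 any any (implicit)"),
]


def matches(ace: Ace, pkt: Packet) -> bool:
    """True when every field the entry specifies agrees with the packet."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
        return False
    if ace.proto is not None and pkt.proto != ace.proto:
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    if ace.ext_header is not None and ace.ext_header not in pkt.ext_headers:
        return False
    if ace.routing_type is not None and pkt.routing_type != ace.routing_type:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Ace:
    """First match wins; the implicit tail guarantees a result."""
    for ace in list(acl) + IMPLICIT_TAIL:
        if matches(ace, pkt):
            return ace
    raise AssertionError("unreachable: the implicit deny matches everything")


# Inbound edge ACL after the slide: sources limited to 2000::/3, HBH and RH0
# blocked, RFC 4890 error/echo ICMPv6 types allowed, the web server reachable
# over TCP, ND re-permitted explicitly before the logged deny.
# 2001:db8:c18:1::2 is a constructed web server address in documentation space.
EDGE_IN = [
    Ace("deny", ext_header=HOP_BY_HOP, log=True, text="deny hop-by-hop header"),
    Ace("deny", ext_header=ROUTING, routing_type=0, log=True, text="deny routing-type 0"),
    *[Ace("permit", src="2000::/3", proto=ICMPV6, icmp_type=t, text=f"permit icmpv6 type {t}")
      for t in (1, 2, 3, 4, 128, 129)],
    Ace("permit", src="2000::/3", dst="2001:db8:c18:1::2/128", proto=TCP,
        text="permit tcp 2000::/3 to web server"),
    Ace("permit", proto=ICMPV6, icmp_type=ND_NA, text="permit icmp any any nd-na"),
    Ace("permit", proto=ICMPV6, icmp_type=ND_NS, text="permit icmp any any nd-ns"),
    Ace("deny", log=True, text="deny ipv6 any any log"),
]

# The same ACL with the explicit ND permits forgotten: the logged deny now sits
# in front of the implicit permits and ND on that interface is dropped.
EDGE_IN_NO_ND = EDGE_IN[:-3] + EDGE_IN[-1:]

# CoPP: OSPF_CLASS is matched with an ACL that names only protocol 89.
OSPF_ACL = [Ace("permit", proto=OSPF, text="permit 89 any any")]


def copp_class(pkt: Packet) -> str:
    """Class a control-plane packet falls into when OSPF_CLASS uses OSPF_ACL.
    A 'permit' result puts the packet in the class, so ND NS/NA also land in
    OSPF_CLASS (and under its 200000 bps policer) via the implicit permits,
    unless the ACL denies them explicitly before its end."""
    if evaluate(OSPF_ACL, pkt).action == "permit":
        return "OSPF_CLASS"
    return "class-default"
```

Two checks worth running against your own ACLs follow from this model: feed a Neighbor Solicitation through every interface ACL that ends in an explicit deny and confirm it still hits a permit, and feed ND through every ACL referenced by a CoPP class map to see which policer it actually lands under.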

IPv6 First Hop Security (FHS)

Core Features

• RA Guard - Protection: rogue or malicious RA; MiM attacks

• DHCPv6 Guard - Protection: invalid DHCP offers; DoS attacks; MiM attacks

• Source/Prefix Guard - Protection: invalid source address; invalid prefix; source address spoofing

Advanced Features

• Destination Guard - Protection: DoS attacks; scanning; invalid destination address

Scalability & Performance

• RA Throttler - Facilitates: scale

• ND Multicast Suppress - Reduces: control traffic necessary for proper link operations, converting multicast traffic to unicast to improve performance

IPv6 Snooping (common base for the features above)

What Next?

State of IPv6 Deployment Today

• IPv4 addresses have been exhausted

• Adoption of IPv6 on the Internet is increasing

• IPv6 integration has a lengthy deployment cycle

• IPv6 integration involves all aspects of IT

http://6lab.cisco.com/stats/

Call to Arms

• Take a systematic, wide approach to IPv6 planning and execution

• Take opportunities to be IPv6 ready in technology refresh cycles

• Learn from others who have undertaken the journey

• Make the leap!

• Be the IPv6 “Nut”

Recommended Reading

• Preparing an IPv6 Addressing Plan - SurfNet white paper
  ‒ www.ripe.net/lir-services/training/material/IPv6-for-LIRs-Training-Course/IPv6_addr_plan4.pdf

• RFC 6177 IPv6 Address Assignment to End Sites

• Cisco IPv6 Addressing white paper
  ‒ http://www.cisco.com/en/US/docs/solutions/SBA/August2012/Cisco_SBA_BN_IPv6AddressingGuide-Aug2012.pdf

• ULA voluntary registry
  ‒ https://www.sixxs.net/tools/grh/ula/list/

Useful Resources

• Infoblox IPv6 CoE blog https://community.infoblox.com/t5/IPv6-CoE-Blog/bg-p/IPv6

• Facebook IPv6 Group https://www.facebook.com/groups/2234775539/?ref=bookmarks

• ARIN IPv6 Info Center https://www.arin.net/knowledge/ipv6_info_center.html

• RIPE IPv6 Info Center https://www.ripe.net/publications/ipv6-info-centre

Other IPv6 Related Sessions

• BRKRST-3302 Troubleshooting IS-IS, 11-Jun-18 8:00 AM

• PSOCOL-1001 What's new in on-premises Collaboration - Collaboration Systems Release 12.X, 11-Jun-18 8:00 AM

• BRKRST-2616 Beyond Dual-Stack: Using IPv6 like you have never imagined, 11-Jun-18 8:30 AM

• BRKRST-2301 Intermediate - Enterprise IPv6 Deployment, 11-Jun-18 1:30 PM

• BRKSEC-2050 Firepower NGFW Internet Edge Deployment Scenarios, 11-Jun-18 1:30 PM

• BRKRST-2619 IPv6 Deployment: Developing an IPv6 Addressing Plan and Deploying IPv6, 11-Jun-18 4:00 PM

• LTRRST-1179 BGP in the Enterprise for Fun and (fake) Profit: A Hands-On Lab, 12-Jun-18 1:00 PM

• BRKEWN-2010 Design and Deployment of Enterprise WLANs, 12-Jun-18 1:30 PM

• BRKSEC-2050 Firepower NGFW Internet Edge Deployment Scenarios, 12-Jun-18 1:30 PM

• FLPRST-2116 Intermediate - IPv6 The Protocol, A Technical Talk, 12-Jun-18 3:00 PM

• BRKSEC-3200 Advanced IPv6 Security Threats and Mitigation, 12-Jun-18 4:00 PM

• BRKCCIE-3000 BGP is your Friend - BGP for the CCIE Candidates, 13-Jun-18 8:00 AM

• BRKRST-2337 OSPF Deployment in Modern Networks, 13-Jun-18 10:30 AM

• FLPSPG-2602 IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers, 13-Jun-18 3:00 PM

• BRKRST-3304 Hitchhiker's Guide to Troubleshooting IPv6 - Advanced, 14-Jun-18 8:00 AM

• LTRRST-2016 IPv6 in the Enterprise for Fun and (fake) Profit: A Hands-On Lab, 14-Jun-18 8:00 AM

• BRKIPM-2249 Multicast and Segment Routing, 14-Jun-18 1:00 PM

• LABCCIE-2010 CCIE Routing and Switching - IPv6 Technologies Practice Lab, Walk-in

• LABRST-1000 Intro IPv6 Addressing and Routing Lab, Walk-in

Complete your online session evaluation

Give us your feedback to be entered into a Daily Survey Drawing. Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Continue your education

• Demos in the Cisco campus

• Walk-in self-paced labs

• Meet the engineer 1:1 meetings

• Related sessions


Thank you
