Suggestion for an IPv6 Roll Out

IPv6 Roll-out Where do we start? Olivier MJ Crépin-Leblond PhD http://www.gih.com/ocl.html - [email protected] © 2009 Global Information Highway Ltd Version 200908.1

Upload: olivier-mj-crepin-leblond

Post on 01-Jun-2015

DESCRIPTION

With the IPv4 free address pool decreasing in size daily, it is high time for an organisation to start work on implementing IPv6. But such an important process is complex, so where does one start? This presentation proposes a novel way to roll out IPv6 in an organisation by starting with the easiest services first. Feedback is welcome.

TRANSCRIPT

Page 1: Suggestion for an IPv6 Roll Out

IPv6 Roll-out

Where do we start?

Olivier MJ Crépin-Leblond PhD http://www.gih.com/ocl.html - [email protected]

© 2009 Global Information Highway Ltd

Version 200908.1

Page 2: Suggestion for an IPv6 Roll Out

IPv4 address depletion

• How quickly are new addresses allocated?

• How soon are we running out of addresses?

• Why do I need to think about this now?

• Why has it taken so much time to get there?

• Can’t I just wait until IPv4 addresses run out?

• Isn’t this going to be costly?

• Okay – so where/how do I start?

Page 3: Suggestion for an IPv6 Roll Out

RIR IPv4 Address Assignments

Source: http://www.potaroo.net/tools/ipv4/ Figure 9

Page 4: Suggestion for an IPv6 Roll Out

IPv4 Address Depletion

Source: http://www.potaroo.net/tools/ipv4/ Figure 30

Page 5: Suggestion for an IPv6 Roll Out

IPv4 address depletion

• Pool of IANA unallocated IPv4 address blocks depleted by about mid-2011. Pool of Regional Internet Registry (RIR) IPv4 address blocks depleted 6-8 months later.

• 3 options for a new project: 100% IPv6, or using IPv4 Network Address Translation (NAT), or (after 2012) purchasing IPv4 addresses on the market. By that time, the IPv4 address market will likely make those addresses more expensive to obtain.

• The only sustainable way out of this dilemma is to start transferring services to IPv6 now!

Page 6: Suggestion for an IPv6 Roll Out

So where do we start?

• The difficulty in implementing dual stack, i.e. IPv4/IPv6 dual capability, varies from service to service.

• Since IPv6 is different to IPv4, a period of training, testing and adaptation is required for the network installers and operators.

• Start as soon as possible in order to be able to perform a tidy and natural network upgrade.

• The traditional method in rolling out new networks is to start with the backbone and then implement services.

• This leads to faster implementation but because it triggers the need to upgrade everything at once, it looks expensive to managers who will need to sign for the project.

Page 7: Suggestion for an IPv6 Roll Out

A typical corporate network

Page 8: Suggestion for an IPv6 Roll Out

Textbook roll-out in a large successful IT focused organization

• Traditionally, roll-out of a network starts in the following order:

• Access: set up access router/firewall and IPv6 access. Define a clear network numbering plan.

• Install Client Computers / Backbone / Local Offices

• Implement full dual-stack resilience in network

• Set-up DNS, Email, Web Servers, Database Servers etc.

• Draft a comprehensive IPv6 company policy

• Where are the barriers to this implementation?

Page 9: Suggestion for an IPv6 Roll Out

The textbook roll-out

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 1 | Access Router/FW | 3/5 | $$ | Test |
| 2 | Client Computers | 1/5 | $$$ | Test |
| 3 | Backbone Router | 3/5 | $$ | Test |
| 4 | Local Hubs | 2/5 | $$ | Test |
| 5 | Dual Stack Resilience | 2/5 | $$ | Test |
| 6 (*) | DNS Server | 1/5 | $ | Test |
| 7 (*) | Email Server | 1/5 | $ | Test |
| 8 (*) | Web Server | 1/5 | $ | Test |
| 9 (*) | Database Server | 3/5 | $$$ | Test |
| 10 | Write IPv6 policy | 5/5 | $$ | |

Problem: high implementation difficulty and high costs at early stages of implementation act as a barrier to entry, to which a corporation might be unwilling to commit.

(*) These stages can take place simultaneously.

Page 10: Suggestion for an IPv6 Roll Out

Order of Traditional Roll-out

Digit color: cost / Box color: difficulty

Page 11: Suggestion for an IPv6 Roll Out

So where do we start?

• Regardless of network topology (which we’ll ignore in our example diagram), start with the “easier” services first! Go for quick wins!

• Those are services already running on hosts which are naturally IPv6 compatible and can run dual stack in a stable way:

  • You will be surprised how many such hosts exist;

  • You will be surprised how easy it is to make them run IPv4 & IPv6 simultaneously.

Page 12: Suggestion for an IPv6 Roll Out

Set-up dual stack backbone test

Page 13: Suggestion for an IPv6 Roll Out

A step by step approach

• Most recent routers support IPv6 and IPv4 dual stack.

• Software upgrade required for older routers.

• If your backbone routers cannot support IPv6, it might be time to consider replacing them (except in some cases when you could run IPv6 on IPv4).

• It might be costly to upgrade front end router management software, although manufacturers are releasing new versions.

• New numbering plan is required. Design it carefully.

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 1 | Backbone Router | 3/5 | $$ | Test |

Page 14: Suggestion for an IPv6 Roll Out

Implement dual stack DNS

Page 15: Suggestion for an IPv6 Roll Out

A step by step approach

• Most DNS servers run on Unix/Linux hosts which are inherently IPv6 compatible.

• Software upgrade required for older servers.

• Can be batched with other DNS server upgrades, such as, for example, DNSSEC, DKIM text, SPF, etc.

• Custom-written Front End input software is the stumbling block here because it might be more costly to upgrade.

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 2 | DNS Server | 1/5 | $ | Test |

Page 16: Suggestion for an IPv6 Roll Out

Implement dual stack E-mail/SMTP

Page 17: Suggestion for an IPv6 Roll Out

A step by step approach

• Most Email servers run on Unix/Linux hosts which are inherently IPv6 compatible*.

• Software upgrade required for older servers.

• If IPv6 does not work, email automatically falls back to IPv4.

• Use of IPv6 for Email opens the door to IP whitelisting and possible future anti-spam & authentication methods.

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 3 | Email Server | 1/5 | $ | Test |

(*) http://smtpsurvey.stillhq.com/smtp-survey.cgi?dashboard=1

Page 18: Suggestion for an IPv6 Roll Out

Connect to outside world via IPv6

Page 19: Suggestion for an IPv6 Roll Out

A step by step approach

• Most recent Firewalls support IPv6 and IPv4 dual stack.

• Software upgrade required for older Firewalls.

• If your Firewalls cannot support IPv6, it is time to get ready to replace them.

• New numbering plan is required etc.

• New company-wide Firewall rules are required.

• Access Router/FW can access native IPv6 directly or through a tunnel.

• No more Network Address Translation (NAT) so Firewall rules need to be precise!

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 4 | Access Router/FW | 3/5 | $$ | Test |
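Without NAT, every host numbered from the new plan carries a globally routable address, so an inbound allow rule written against a whole prefix exposes everything inside it. The following is an added example, not part of the original presentation: it audits a constructed rule list against a constructed numbering plan. The rule tuple format, the `audit` function, the segment names and the 2001:db8::/32 documentation addresses are all assumptions.

```python
import ipaddress

# Constructed numbering plan: one /64 per segment from a documentation /48.
PLAN = {
    "dmz":     ipaddress.ip_network("2001:db8:10:1::/64"),
    "clients": ipaddress.ip_network("2001:db8:10:20::/64"),
    "db":      ipaddress.ip_network("2001:db8:10:30::/64"),
}
# Segments that are meant to be reachable from the Internet at all.
PUBLIC_SEGMENTS = {"dmz"}

# Constructed inbound allow rules (hypothetical format): (name, dst, proto, port)
RULES = [
    ("web",      "2001:db8:10:1::80/128", "tcp", 443),
    ("smtp",     "2001:db8:10:1::25/128", "tcp", 25),
    ("legacy",   "2001:db8:10::/48",      "tcp", 22),    # whole site
    ("db-admin", "2001:db8:10:30::5/128", "tcp", 5432),  # internal segment
    ("any-dmz",  "2001:db8:10:1::/64",    "any", None),  # whole segment, any port
]

def audit(rules, plan, public):
    """Return {rule name: [findings]} for inbound allow rules that are too broad."""
    findings = {}
    for name, dst, proto, port in rules:
        net = ipaddress.ip_network(dst)
        issues = []
        # Segments the rule touches that were never meant to be public.
        exposed = sorted(seg for seg, prefix in plan.items()
                         if net.overlaps(prefix) and seg not in public)
        if exposed:
            issues.append("reaches non-public segment(s): " + ", ".join(exposed))
        if net.prefixlen < 128:
            issues.append(f"destination is a /{net.prefixlen}, not a single host")
        if proto == "any" or port is None:
            issues.append("no protocol/port restriction")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for rule, issues in audit(RULES, PLAN, PUBLIC_SEGMENTS).items():
        for issue in issues:
            print(f"{rule}: {issue}")
```

The two single-host DMZ rules pass; the site-wide SSH rule, the rule into the database segment and the unrestricted DMZ rule are the ones a review should tighten before the access router carries IPv6 traffic.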

Page 20: Suggestion for an IPv6 Roll Out

IPv6 Internet Service Provider?

• Is your ISP IPv6 compatible?

  • Yes: no problem – you can now connect to the Internet using IPv6.

  • No: your Firewall/Access Router can access the Internet through a Tunnel to an IPv6 tunneling service:

    • This is not as hard as it sounds. Many ISPs offer IPv6 tunneling and setting up is no harder than setting up a Virtual Private Network.

    • However: when your ISP offers Native IPv6, the move from tunneled IPv6 to native IPv6 will require renumbering, so this is only advisable for smaller networks.

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 4.5 | Access Router/FW | 2/5 | $ | Test |

Page 21: Suggestion for an IPv6 Roll Out

Set-up dual stack Web Server

Page 22: Suggestion for an IPv6 Roll Out

A step by step approach

• Most Web servers run on Unix/Linux hosts + Apache which are inherently IPv6 compatible*.

• Software upgrade required for older servers.

• Load balancing software and other custom-written front end software might be the stumbling block here because it might be more costly to upgrade or rewrite. However, not all Web sites use this.

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 5 | Web Server | 1/5 | $ | Test |

(*) http://news.netcraft.com/archives/web_server_survey.html

Page 23: Suggestion for an IPv6 Roll Out

Upgrade Intranet Databases to Dual Stack

Page 24: Suggestion for an IPv6 Roll Out

A step by step approach

• Many database servers run on Unix/Linux hosts which are inherently IPv6 compatible.

• Software upgrade required for older servers.

• Older Operating Systems and custom-written software are the stumbling blocks here.

• Some of these systems might be legacy systems which cannot be upgraded. This is where investment is required for an IPv6 – IPv4 NAT implementation.

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 6 | Database Server | 3/5 | $$$ | Test |

Page 25: Suggestion for an IPv6 Roll Out

Set-up local hub dual stack tests

Page 26: Suggestion for an IPv6 Roll Out

A step by step approach

• Most recent routers support IPv6 and IPv4 dual stack.

• Software upgrade required for older routers.

• If your local routers cannot support IPv6, it is time to get ready to replace them.

• It might be costly to upgrade front end router management software, although manufacturers are releasing new versions.

• New numbering plan is required etc.

• Knowledge has already been acquired from upgrading backbone.

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 7 | Local Hubs | 2/5 | $$ | Test |

Page 27: Suggestion for an IPv6 Roll Out

Set-up dual stack clients

Page 28: Suggestion for an IPv6 Roll Out

A step by step approach

• Ease of use depends on operating system:

  • Pre-Windows XP: unlikely to upgrade.

  • Windows XP: possible to upgrade but not ideal.

  • Windows Vista: IPv6 compatible.

  • Windows 7: 100% IPv6 compatible + special added features.

  • Mac OS X: IPv6 compatible.

• Not all software compatible either.

• Consider upgrading to latest O/S + Software in next replacement cycle.

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 8 | Client Computers | 1/5 | $$$ | Test |

Page 29: Suggestion for an IPv6 Roll Out

Expand dual stack resilience

Page 30: Suggestion for an IPv6 Roll Out

A step by step approach

• Most recent routers support IPv6 and IPv4 dual stack.

• Software upgrade required for older routers.

• If your backbone routers cannot support IPv6, it is time to get ready to replace them.

• New numbering plan is required etc.

• By that time, hands-on experience has already been acquired thanks to test phase. Less time is spent testing.

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 9 | Dual Stack Resilience | 2/5 | $$ | |

Page 31: Suggestion for an IPv6 Roll Out

Full dual stack IPv6 Roll-out

Page 32: Suggestion for an IPv6 Roll Out

A step by step approach

• Includes interfacing with legacy databases.

• Includes WIFI access, as well as IP telephony.

• New numbering plan is followed etc.

• By that time, valuable hands-on experience has already been acquired thanks to test phases so costs are reduced.

• The challenge is integration of all new devices.

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 10 | Full Roll-out | 5/5 | $$ | |

Page 33: Suggestion for an IPv6 Roll Out

Summary

| Stage | Title | Difficulty | Cost | Status |
|---|---|---|---|---|
| 1 | Backbone Router | 3/5 | $$ | Test |
| 2 | DNS Server | 1/5 | $ | Test |
| 3 | Email Server | 1/5 | $ | Test |
| 4 | Access Router/FW | 3/5 | $$ | Test |
| 5 | Web Server | 1/5 | $ | Test |
| 6 | Database Server | 3/5 | $$$ | Test |
| 7 | Local Hubs | 2/5 | $$ | Test |
| 8 | Client Computers | 1/5 | $$$ | Test |
| 9 | Dual Stack Resilience | 2/5 | $$ | |
| 10 | Full Roll-out | 5/5 | $$ | |

A stage by stage roll-out of IPv6/IPv4 dual stack, leading to a migration towards IPv6 is possible and can be seamless if started today. Costs can be spread over time and training can take place in early testing stages.

Page 34: Suggestion for an IPv6 Roll Out

Graphical Summary of proposal

Page 35: Suggestion for an IPv6 Roll Out

Conclusion

• Immediately: Ensure that IPv6 compatibility is compulsory for all new purchases of IT & Telecom Equipment (whether directly or through bids).

• Do not wait for a need to push you to transition: starting this gradual process immediately will ensure a smoother transition process.

• Starting immediately, your IT personnel will more easily be introduced to IPv6.

• A more serene approach to resolve this challenge.

• Reduced Risks; Reduced costs.

Treat this as “inside information”

Page 36: Suggestion for an IPv6 Roll Out

Proprietary document.

By taking delivery of this Presentation (hereafter “Presentation”), you accept on behalf of your company or organization to comply with the following. No other property rights are granted by the delivery of this Presentation than the right to read it and reproduce it in its entirety, for the sole purpose of information. This Presentation, its content, illustrations and photos shall not be modified without prior written consent of Global Information Highway Ltd (hereafter “GIH”). It can be reproduced in part provided its source is duly acknowledged. Some parts of this Presentation (illustrations and basic Mask/Layout) are copyrighted by third parties including but not limited to Microsoft® as well as Sources quoted. This Presentation and the materials it contains shall not, in whole or in part, be sold, rented, or licensed to any third party subject to payment or not. This Presentation may contain market-sensitive or other information that is correct at the time of going to press. This information involves a number of factors which could change over time, affecting the true public representation. GIH assumes no obligation to update any information contained in this document or with respect to the information described herein. The statements made herein do not constitute an offer or form part of any contract. They are based on GIH information and are expressed in good faith but no warranty or representation is given as to their accuracy. When additional information is required, its author can be contacted to provide further details. GIH shall assume no liability for any damage in connection with the use of this Presentation and the materials it contains, even if GIH has been advised of the likelihood of such damages. 
This licence is governed by English law and exclusive jurisdiction is given to the courts and tribunals of England without prejudice to the right of GIH to bring proceedings for infringement of copyright or any other intellectual property right in any other court of competent jurisdiction. All Rights Reserved. © 2009 Global Information Highway Ltd.

Global Information Highway Ltd

7 Kensington Church Court, London W8 4SP, United Kingdom