tony hain cisco systems ahain@ciscoprearranged addresses for both ipv4 & ipv6, manually...

1© 2003 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_ID

IPv6 Transition

Tony HainCisco [email protected]


OutlineBusiness CaseDeployment Tool SetEnvironmentsStrategy

333© 2003 Cisco Systems, Inc. All rights reserved.Presentation_ID

Transition Variables• Business Requirements

Time frame required to meet a set of business requirements

Need for applications to communicate between administrative domains

New functions that can exist without extensive access to legacy IPv4 nodes

Mission critical applications that must interoperate with legacy nodes

• Network Security RequirementsFirewall support for both IPv4 & IPv6

Telecommuters and Mobile Node access methods

• Availability of software & hardware upgrades for existing nodesSource code availability for custom applications

• Order and rate for IPv6 deployment within a networkCurrent use of IPv4 private addresses and NAT

Provider support for IPv6


IPv4-IPv6 Transition / Co-Existence

A wide range of techniques have been identified and implemented, basically falling into three categories:

(1) Dual-stack techniques, to allow IPv4 and IPv6 toco-exist in the same devices and networks

(2) Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions

(3) Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices

Expect all of these to be used, in combination


Tools – Dual Stack

• Primary tool

• Allows continued 'normal' operation with IPv4-only nodes

• Address selection rules generally prefer IPv6

• DSTM variant allows temporary use of IPv4 pool

IPv6 Enabled

IPv6 Enabled IPv4-Only

Internet


Dual Stack Approach

• Dual stack node means:Both IPv4 and IPv6 stacks enabledApplications can talk to bothChoice of the IP version is based on name lookup and applicationpreference

TCP UDP

IPv4 IPv6

IPv6-enable Application

Data Link (Ethernet)

0x0800 0x86dd FrameProtocol ID

Preferred method on

Application’s servers

TCP UDP

IPv4 IPv6

Legacy Application

Data Link (Ethernet)

0x0800 0x86dd


Dual-Stack Approach

• When adding IPv6 to a system, do not delete IPv4this multi-protocol approach is familiar and

well-understood (e.g., for AppleTalk, IPX, etc.)note: in most cases, IPv6 will be bundled with

new OS releases, not an extra-cost add-on

• Applications (or libraries) choose IP version to usewhen initiating, based on DNS response:

prefer scope match first, when equal scope IPv6 over IPv4when responding, based on version of initiating packet

• This allows indefinite co-existence of IPv4 and IPv6, and gradual app-by-app upgrades to IPv6 usage


Dual Stack Approach & DNS

DNS Server

IPv4

IPv6

www.a.com= * ?

3ffe:b00::1

3ffe:b00::110.1.1.1

• In a dual stack case, an application that:Is IPv4 and IPv6-enabled

Asks the DNS for all types of addresses

Chooses one address and, for example, connects to the IPv6 address


Cisco IOS Dual Stack Configuration

IPv6 and IPv4 Network

Dual-StackRouter

IPv4: 192.168.99.1

IPv6: 2001:410:213:1::/64 eui-64

router#ipv6 unicast-routing

interface Ethernet0ip address 192.168.99.1 255.255.255.0ipv6 address 2001:410:213:1::/64 eui-64

• Cisco IOS is IPv6-enable:If IPv4 and IPv6 are configured on one interface, the router is dual-stacked

Telnet, Ping, Traceroute, SSH, DNS client, TFTP,…


Tools – Tunneling

• Nodes view IPv4 network as a logical NBMA link-layer

• May be used in conjunction with dual-stack

IPv6 Enabled

IPv6 Enabled

IPv4-Only

Internet

Note: Tunnels may be end to middle as shown, or middle to middle, or end to end.


IPv6 over IPv4 Tunnels

IPv4IPv6 Network

IPv6 Network

Tunnel: IPv6 in IPv4 packet

IPv6 Host

Dual-StackRouter

Dual-StackRouter

IPv6 Host

IPv6 HeaderIPv6 HeaderIPv4 HeaderIPv4 Header

IPv6 HeaderIPv6 Header Transport Header

Transport Header DataData

DataDataTransport Header

Transport Header

• Tunneling is encapsulating the IPv6 packet in the IPv4 packet

• Tunneling can be used by routers and hosts


Tunneling Mechanisms (operationally challenging)

• ConfiguredPrearranged addresses for both IPv4 & IPv6, manually configured

• Tunnel BrokerBuilds on configured tunnel via IPv4 auth scheme to establish mapping ; typically default route

• 6over4Any address, but requires IPv4 multicast for ND

• AutomaticHost-to-host – IPv4 address embedded in low 32 bits with prefix ::/96 deprecated as it requires injecting IPv4 BGP table into IPv6 routing


Tunneling Mechanisms (primary set)

• 6to4Automatic prefix allocation based on public IPv4

• ISATAPIntra-site automatic tunneling with any prefix

• TeredoIPv6 over UDP/IPv4 to traverse NAT


Manually Configured Tunnel (RFC 2893)

IPv4IPv6 Network

IPv6 Network

Dual-StackRouter2

Dual-StackRouter1

IPv4: 192.168.99.1 IPv6: 3ffe:b00:c18:1::3

IPv4: 192.168.30.1 IPv6: 3ffe:b00:c18:1::2

router1#

interface Tunnel0ipv6 address 3ffe:b00:c18:1::3/64tunnel source 192.168.99.1tunnel destination 192.168.30.1tunnel mode ipv6ip

router2#

interface Tunnel0ipv6 address 3ffe:b00:c18:1::2/64tunnel source 192.168.30.1tunnel destination 192.168.99.1tunnel mode ipv6ip

• Manually Configured tunnels require:Dual stack end points

Both IPv4 and IPv6 addresses configured at each end


IPv4 Compatible Tunnel (RFC 2893)

• IPv4-compatible addresses are easy way to autotunnel, but it:

May be deprecated soon

IPv4

Dual-StackRouter

Dual-StackRouter

IPv4: 192.168.99.1 IPv6: ::192.168.99.1 IPv4: 192.168.30.1

IPv6: ::192.168.30.1


6to4 Tunnel (RFC 3056)

IPv4IPv6 Network

IPv6 Network

6to4 6to4 Router2Router2

6to4 6to4 Router1Router1

192.168.99.1 192.168.30.1Network prefix:

2002:c0a8:6301::/48Network prefix:

2002:c0a8:1e01::/48= =

E0 E0

router2#interface Loopback0ip address 192.168.30.1 255.255.255.0ipv6 address 2002:c0a8:1e01:1::/64 eui-64

interface Tunnel0no ip addressipv6 unnumbered Ethernet0tunnel source Loopback0tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 Tunnel0

• 6to4 Tunnel: Is an automatic tunnel methodGives a prefix to the attached IPv6 network2002::/16 assigned to 6to4Requires one global IPv4 address on each Ingress/Egress site

2002 Public IPv4 address

/48 /64

Interface IDSLA

/16


6to4 Relay

IPv4IPv6 Network

IPv6 Network

6to4 Router1

192.168.99.1Network prefix:2002:c0a8:6301::/48 IPv6 address:

2002:c0a8:1e01::1=

6to4 Relay IPv6

Internet

router1#interface Loopback0ip address 192.168.99.1 255.255.255.0ipv6 address 2002:c0a8:6301:1::/64 eui-64

interface Tunnel0no ip addressipv6 unnumbered Ethernet0tunnel source Loopback0tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 Tunnel0ipv6 route ::/0 2002:c0a8:1e01::1

• 6to4 relay: Is a gateway to the rest of the IPv6 InternetDefault routerAnycast address (RFC 3068) for multiple 6to4 Relay


Tunneling issues

• IPv4 fragmentation needs to be reconstructed at tunnel endpoint.

• No translation of Path MTU messages between IPv4 & IPv6.

• Translating IPv4 ICMP messages and pass back to IPv6 originator.

• May result in an inefficient topology.


Tunneling issues II

• Tunnel interface is always up. Use routing protocol to determine link failures.

• Be careful with using the same IPv4 source address for several tunneling mechanisms. Demultiplexing incoming packets is difficult.


Tools – BGP tunnel

IPv6Island

IPv6Island

IPv4-onlycore

• Service provider can incrementally upgrade PE routers with active customers

• Sites are connected to Dual Stack MP-BGP-speaking edge router

• Transport across the IPv4 core can be any tunneling mechanism


IPv6 Provider Edge Router (6PE) over MPLS

P

P

P

Pv6

IPv4MPLSv4

v6

v4

v4

v6

v6

MP-iBGP sessions

CE

CE

6PE

6PE 6PE

6PE

192.254.10.0

2001:0421::

2001:0420::

192.76.10.0

145.95.0.0

2001:0621::

2001:0620::

Dual Stack IPv4-IPv6 routersDual Stack IPv4-IPv6 routersDual Stack IPv4-IPv6 routersDual Stack IPv4-IPv6 routers

CE

• IPv4 or MPLS Core Infrastructure is IPv6-unaware• PEs are updated to support Dual Stack/6PE • IPv6 reachability exchanged among 6PEs via iBGP (MP-BGP)• IPv6 packets transported from 6PE to 6PE inside MPLS


Tools – Translation

IPv6 Enabled

IPv4-Only

Internet

• Tool of last resort

• Allows for the case where some components are IPv6-only while others are IPv4-only

• Pay attention to scaling properties

• Same application issues as IPv4/IPv4 translation


IPv6-IPv4 Translation Mechanisms

• StatelessSIIT

Address & protocol translation

BIS (Bump-In-the-Stack)

Augmentation between IPv4 stack & device driver (RFC 2767)

BIA (Bump-In-the-API

Supports IPv4 apps over IPv6 stack

• StatefulNAT-PT (RFC 2766)

requires ALG for each application

TRT TCP-UDP Relay (RFC 3142)

SOCKS-based Gateway (RFC 3089)

IGMP / MLD proxy

Joins opposing groups & maps addresses


NAT-PT Overview

ipv6 nat prefix 2010::/96

NAT-PTIPv4-onlynetwork

IPv4 Host IPv6 Host

IPv6-onlynetwork

2001:0420:1987:0:2E0:B0FF:FE6A:412C

Src: 2001:0420:1987:0:2E0:B0FF:FE6A:412CDst: PREFIX::1

1

2

Src: 172.17.1.1Dst: 172.16.1.1

3

Src: 172.16.1.1Dst: 172.17.1.1 Src: PREFIX::1

Dst: 2001:0420:1987:0:2E0:B0FF:FE6A:412C

4

172.16.1.1

PREFIX is a 96-bit field that allows routing back to the NAT-PT device


Translation

• May prefer to use IPv6-IPv4 protocol translation for:new kinds of Internet devices (e.g., cell phones, cars, appliances)

benefits of shedding IPv4 stack (e.g., serverless autoconfig)

• This is a simple extension to NAT techniques, to translate header format as well as addresses

IPv6 nodes behind a translator get full IPv6 functionality when talking to other IPv6 nodes located anywhere

they get the normal (i.e., degraded) NAT functionality when talking to IPv4 devices

drawback : minimal gain over IPv4/IPv4 NAT approach


Configuring Cisco IOS NAT-PT

LAN2: 192.168.1.0/24

LAN1: 2001:2::/64

Ethernet-2

Ethernet-1NATed prefix 2010::/96

.200interface ethernet-1

ipv6 address 2001:2::10/64ipv6 nat prefix 2010::/96ipv6 nat

!interface ethernet-2

ip address 192.168.1.1 255.255.255.0ipv6 nat

!ipv6 nat v4v6 source 192.168.1.100 2010::1!ipv6 nat v6v4 source route-map map1 pool v4pool1ipv6 nat v6v4 pool v4pool1 192.168.2.1 192.168.2.10 prefix-length 24!route-map map1 permit 10match interface Ethernet-1

DNS

.100

Network Address Translation-Protocol TranslationRFC 2766• IP Header and Address translation

• Support for ICMP and DNS embedded translation

• Auto-aliasing of NAT-PT IPv4 Pool Addresses

2001:2::1


Transition environments

Telecommuter

Residential

Dual Stack or MPLS & 6PEDual Stack or MPLS & 6PE

IPv6 over IPv4 tunnels or IPv6 over IPv4 tunnels or Dedicated data link layersDedicated data link layers

Cable

IPv6 over IPv4 TunnelsIPv6 over IPv4 Tunnels

IPv6 IX

IPv6 over IPv4 tunnels or Dedicated data link layers

DSL,FTTH,Dial

Aggregation

IPv6 over IPv4 tunnels or Dual stack

ISP’s

6Bone

6to4 Relay

Dual Stack

ISATAP

Enterprise

Enterprise

WAN: 6to4, IPv6 over IPv4, Dual Stack


Environments

Service Provider

EnterpriseUnmanaged


Environments – Unmanaged

• No administrative staff to manage configuration or policies

• Devices need to be plug-n-play appliances

• Network & hosts share administrative policies

• Tool automation a primary concern


Issues

• ISP offers IPv6 serviceEdge device acquires a prefix to redistribute

• ISP still IPv4-only service(may be due to device limitations like docsis modems)

Tunneling required

Prefix from tunnel broker or automated 6to4/Teredo

• If no auto-tunnel to native relays, may need both


Environments – Managed Enterprise

• Dedicated management staff & tools

• Network & hosts share administrative policies

• Applications will likely require recertification

Campus Network

Campus Network

WAN

SDP RO LI A NT 1 850R





Managed networks differentiation

Single geographic region, single administration & policy Multiple geographic regions, single administration & policy Multiple geographic regions, multiple administrations & policy Use of public network for transit service

Simple routed case looks like multi-multi aboveVPN tunneled case would look like multi-single w/circuit setup

New enterprise, looking to avoid a transition Deployment order - All at once by definition

For each of the 5 categories considerDeployment order - Hosts & Apps first vs. Network first ISP offering - IPv4-only IPv4 & IPv6 IPv6-only


Infrastructure concerns• Critical Applications• Addressing : Dynamic vs. controlled• DNS : Dynamic vs. controlled

Public visibility of name space• AAA : Internal & external

Mobility of road warrior & telecommutersMobility of nodes within the enterprise

• ICMP : PMTU & neighbor discovery• Management tools

Trust between host & network management teams


Multiple Address Issues

Renumbering simplified as old & new can overlapPrivacy addresses reduce attack profilePreferred vs. valid lifetimes

Improper configuration could lead to 100’s per interface

Diagnostics require more effortTE via addressing limits multi-homing flexibilitySite-local allows internal stability


Routing Issues

• Allocations of ::/48 should allow self aggregation by organizations with multiple IPv4 prefixes

• TunnelingDecouples network from end system deployment

Multicast less efficient

• Native serviceMay require hardware upgrades


Environments – Managed Service Provider

• Dedicated management staff & tools

• Network has different administrative policies than connected hosts or networks

• Interaction with Peer networks may require translation

• Services as Dual-stack

• Distributed tunnel relay service minimizes overhead AAA

DNSSMTP

NAT-PTTunnel Relay

Peer SP

BackboneSDP RO LI A NT 1 850R





Address Allocation Issues

• From Regional Registries::/32 minimum

HD ratio based on .8 utilization of ::/48s

• To Customers::/48 Prefix delegation via DHCPv6

(normal customer allocation)

::/64 Prefix delegation via RA or DHCPv6(for single subnet sites, ie: 802.11 hotspots)

• RFC 3041 addresses allow end system anonymity as they move between networks, but the allocated prefix still allows customer identification for LI conformance


Routing Issues

• Allocations should allow massive aggregationCurrent allocation policy all PA based, so global BGP table should approach number of origin AS’s

• Multi-homed sites still an unsolved problem


DNS Issues

• Dual-stack servers

• Consistency of the client and referral chain

• IPv6 glue records

• Sub-domain delegation to consumer customers?


SMTP Issues

• Dual-stack MTAs

• Consistency of clients and MX to A/AAAA mappings

• Broken DNS servers return 'nxdomain' for missing AAAA


How Do we Get There from Here?

• Network managers must include IPv6 as a core element of their deployment strategy.

Applications must become protocol agnostic

• IPv4 & IPv6 will coexist for the foreseeable future

No network wide Flag Day

• Education & Careful Planning are crucial.How long does it take to make changes in the environment?

• IPv4 & IPv6 implementations must be scalable, reliable, secure and feature rich.

Strategy that reflects this …

Starting with Edge upgrades enable IPv6 service offerings nowStarting with Edge upgrades enable IPv6 service offerings now


Strategy - Value to early deployment

• Allows early customer needs to help shape vendor priorities

• Enables smooth interaction with global economic partners motivated by limited IPv4 allocations

• Allows managing the pace of local action before the inevitable urgency arises


Strategy - Value in caution

• Allows others to work through early implementation inconsistencies

• Allows extended development and testing time for custom applications

• Allows normal life-cycle replacements to establish a capability baseline before turning on IPv6


Strategy - Value in transition tools

• Primary approach of dual-stack enables independent deployment of applications in line with local business need

• Tunneling tools decouple decisions about application & end system deployment from infrastructure deployment

• Transition tools allow timing upgrades as part of a normal life-cycle plan, or to optimize investments


Impediments to IPv6 deployment

Applications

Applications

Applications

The time to move to the new APIs is NOW

The most interesting applications will address business models that are not possible (or costly due to escalating operational complexity) using IPv4.


Summary

• Audit for business requirements and impacts

• Multiple transition technologies enable a wide variety of situations

Dual-stack is the primary approach

Tunneling decouples end-system & infrastructure timing

Translation as last resort - only when absolutely necessary

• Environment characteristics will dictate technology

• Production use of IPv6 is controlled by applications that are using the new APIs.

tony hain cisco systems ahain@ciscoprearranged addresses for both ipv4 & ipv6, manually...

Documents