
CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Jun 21, 2015


Christian Elsen

California IPv6 Task Force
Meeting from May 27th, 2014
IPv6@ VMware Integration Engineering
Transcript
Page 1: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

1 Confidential

IPv6 @ VMware Integration Engineering

Christian Elsen

May 2014

Page 2: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering


Agenda

Who is VMware Integration Engineering?

Why IPv6 @ Integration Engineering?

Physical Infrastructure

Virtual Testbeds (vPods)

What worked well

Unresolved questions

Conclusion

Page 3: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Who is VMware Integration Engineering?

Customer[0]

• Run IT like a customer would do:

• Racks in 3 global Colocation Facilities (US West, US East, Europe)

• Provide feedback on VMware products:

• Improve operational aspects of VMware products

Global Infrastructure

Page 4: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Why IPv6 @ Integration Engineering?

What do we do?

• Run VMware products like a real customer would do

• This includes IPv6!

What’s needed?

• Ability to provide feedback on IPv6 effort

• Knowledge and expertise around migrating to and operating with IPv6

• IPv6 enabled infrastructure to validate and test VMware products

Page 5: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Implementation Phases: Physical Infrastructure

• Network Audit: What can run IPv6 today, and what needs to be upgraded?

• Procuring IPv6 address space: Get IPv6 addresses and transit for them

• Enable Mgmt. Services: This includes Active Directory, DNS, NTP, ...

• Network Optimization: Is the IPv4 network the best it can be?

• Deploying IPv6 in network: Roll-Out IPv6 addressing and routing in the network

• Connect End-Users: Procedures for onboarding end-users with IPv6 connectivity

Page 6: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Virtual Testbeds (vPods) – What is it?

Virtual Construct in internal vCloud Director deployment

• Provide container with network for multiple VMs

• Complete Isolation (IP addresses, MAC addresses, UUIDs, …) of content

• Lifecycle of vPod can be managed in content catalog

• Used internally for training and Dev/Test

vPods at VMWorld

• Underlying technology of VMWorld

• Today: Fully enabled for IPv6

• VMWorld 2014 HoL will use IPv6 vPods

Very successful!

Page 7: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Virtual Testbeds (vPods) – Example

Base vPod

• Multiple L2 network segments

• Linux-based Router (vPodRouter) for L3 and basic network services

• SLAAC, DHCPv6, NTP, much more if you want to

• ControlCenter as Jump Host and to offer Data Center services

• Active Directory, DNS

Page 8: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Virtual Testbeds (vPods) – Examples

Simple vSphere Setup

• Multiple ESXi hosts + vCenter

• Network-based storage (NFS/iSCSI)

• Isolated (non-routed) networks: NFS/iSCSI + VMotion

Diagram: vPod containing ControlCenter (Jump Host, Active Directory, DNS) and vPodRouter; external network IPv4 only; internal networks (fenced) IPv4/IPv6 dual stack; ESXi hosts esx-01a and esx-02a, vCenter vc-01a, NAS stga-01a

Page 9: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Virtual Testbeds (vPods) – Examples

Network Equipment Setup

• VM-based Router / L3 switches / firewalls / load balancer

• Interconnected via various L2 links

• Simulate, experiment, learn various complex network scenarios

• This includes IPv6!

Diagram: vPod containing ControlCenter (Jump Host, Active Directory, DNS) and vPodRouter; external network IPv4 only; internal networks (fenced) IPv4/IPv6 dual stack; routers R1, R2, R3 and R4 interconnected via L2 links

Page 10: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

What worked well

Addressing plan

• Read RIPE’s document on “Preparing an IPv6 address plan”

• Lots of good info! No need to re-invent the wheel

• ULA address range for internal only infrastructure components (IPSEC VPN, Router to Router links)

• ULA address range fd53::/64 for DNS Anycast

• Our DNS Resolvers: fd53::11 and fd53::12, everywhere!

• Use Link Local addresses as default gateway for static addressing

• Our IPv6 Def. Gateway is fe80::1, everywhere!

• Point-to-Point links: Reserve /64 for the link, but address it as a /127 for 2 member addresses or /126 for 4 member addresses (VRRP/HSRP)

• Number all loopbacks out of one /64. /128 per loopback

• Only subnet on nibble boundaries (network mask which aligns on a 4-bit boundary).
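The addressing rules on this slide as a small plan checker (an added example, not code from the presentation; the fd53::/64 anycast range, fd53::11/12 resolvers and fe80::1 gateway are the slide's values, the /64 pools fed to the functions are constructed):

```python
import ipaddress

# Constructed values following the slide's plan (not VMware's real allocation):
# the fd53::/64 ULA range for DNS anycast with resolvers fd53::11 and fd53::12,
# and fe80::1 as the link-local default gateway on every segment.
DNS_ANYCAST = ipaddress.IPv6Network("fd53::/64")
DNS_RESOLVERS = [ipaddress.IPv6Address("fd53::11"), ipaddress.IPv6Address("fd53::12")]
DEFAULT_GATEWAY = ipaddress.IPv6Address("fe80::1")


def on_nibble_boundary(net: ipaddress.IPv6Network) -> bool:
    """A prefix length that is a multiple of 4 aligns on one hex digit, so
    ip6.arpa reverse zones delegate cleanly and prefixes stay readable."""
    return net.prefixlen % 4 == 0


def p2p_link(reserved: str, members: int = 2):
    """Reserve a whole /64 per point-to-point link, but address it as a /127
    (2 members) or /126 (4 members, leaving room for VRRP/HSRP addresses)."""
    net = ipaddress.IPv6Network(reserved)
    if net.prefixlen != 64:
        raise ValueError("reserve a /64 per link, got /%d" % net.prefixlen)
    plen = {2: 127, 4: 126}[members]
    link = ipaddress.IPv6Network((net.network_address, plen))
    return [str(ipaddress.IPv6Interface((a, plen))) for a in link]


def loopbacks(pool: str, count: int):
    """Number all router loopbacks as /128s out of one shared /64."""
    net = ipaddress.IPv6Network(pool)
    if net.prefixlen != 64:
        raise ValueError("loopback pool must be a /64")
    base = int(net.network_address)
    return [str(ipaddress.IPv6Interface((base + i, 128))) for i in range(1, count + 1)]


def plan_violations(subnets):
    """Return every subnet that is not cut on a nibble boundary."""
    return [s for s in subnets if not on_nibble_boundary(ipaddress.IPv6Network(s))]


def resolvers_ok() -> bool:
    """Both anycast resolvers must sit inside the reserved anycast /64 and the
    gateway must be link-local, so the same values work on every segment."""
    return all(r in DNS_ANYCAST for r in DNS_RESOLVERS) and DEFAULT_GATEWAY.is_link_local
```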

Page 11: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

What worked well

DHCP

• Address Management: Stateful DHCPv6 only

• O(ther) + M(anaged) flag set; (A)utonomous flag unset

• No clients support RDNSS (RFC 6106) today. Don’t bother.

• Provide DHCP + DHCPv6 via DHCP relay

• IPv4: Hosts .10-.250 for dynamic with reverse DNS entry

• IPv6: Hosts :00 - :FF for dynamic with reverse DNS entry
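A way to verify that the Router Advertisements seen on a segment actually carry the flag policy described above (M and O set, A unset), as an added example that is not part of the presentation; the RA bytes are constructed per RFC 4861, and the 2001:abcd:1::/64 prefix is a placeholder taken from the slide's ACL:

```python
import struct

# Constructed RA bytes, not a capture. Layout per RFC 4861: ICMPv6 type 134,
# flags byte with M (0x80) and O (0x40); Prefix Information option (type 3)
# whose flags byte carries L (0x80) and A (0x40). The slide's policy is
# stateful DHCPv6 only: M and O set, A unset. RDNSS (RFC 6106) is option 25.
M_FLAG, O_FLAG = 0x80, 0x40
PIO_L, PIO_A = 0x80, 0x40
OPT_PREFIX_INFO, OPT_RDNSS = 3, 25
PREFIX = bytes.fromhex("2001abcd00010000") + bytes(8)  # 2001:abcd:1::/64 placeholder


def build_ra(managed=True, other=True, autonomous=False) -> bytes:
    """Assemble a minimal RA (no checksum, no link-layer option) for testing."""
    flags = (M_FLAG if managed else 0) | (O_FLAG if other else 0)
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    pio_flags = PIO_L | (PIO_A if autonomous else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, pio_flags,
                      2592000, 604800, 0) + PREFIX
    return header + pio


def parse_ra(pkt: bytes) -> dict:
    """Extract the M/O flags, the A flag of every prefix option, and whether
    an RDNSS option is present."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not a Router Advertisement")
    result = {"managed": bool(pkt[5] & M_FLAG), "other": bool(pkt[5] & O_FLAG),
              "autonomous": [], "rdnss": False}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("malformed option")  # RFC 4861: discard zero-length options
        if otype == OPT_PREFIX_INFO:
            result["autonomous"].append(bool(pkt[off + 3] & PIO_A))
        elif otype == OPT_RDNSS:
            result["rdnss"] = True
        off += olen
    return result


def conforms(pkt: bytes) -> bool:
    """True when the RA matches the slide's policy: M and O set, A unset on every prefix."""
    r = parse_ra(pkt)
    return r["managed"] and r["other"] and not any(r["autonomous"])
```

Running parse_ra over RAs captured on a segment (e.g. with a packet library) flags any router, expected or not, that advertises a prefix with A set and would pull hosts away from stateful DHCPv6.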

Network Edge

• No more NAT: Be happy and don’t try to revive it with NPT or NAT66

• Tried both NPT with ULA as well as Global Address space

• No benefits with NPT and ULA. Only more work and hassles.

• Use Global Address space along with proper access lists

Page 12: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Unresolved questions

How to handle DNS?

• Idea: 3 DNS zones:

• corp.local (forward via CNAMEs to A and AAAA for services)

• ipv4.corp.local (forward and reverse for IPv4 including DHCP)

• ipv6.corp.local (forward and reverse for IPv6 including DHCPv6)

• Example:

• ads.corp.local -> ads.ipv4.corp.local + ads.ipv6.corp.local

• ads.ipv4.corp.local -> 192.168.123.11; 192.168.123.11 -> ads.ipv4.corp.local

• ads.ipv6.corp.local -> fdba:dd06:f00d:ab12::11; fdba:dd06:f00d:ab12::11 -> ads.ipv6.corp.local

• Challenge: Dualstack host acquires IPv4 via DHCP and IPv6 via DHCPv6. Associated DNS names don’t match.

• RFC 4361 should fix this, but vendor support missing.

• Right now:

• IPv4: 10-11-12-13-dyn.ipv4.corp.local

• IPv6: abcd-1234-dyn.ipv6.corp.local
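The per-family zone records, the dynamic naming scheme and the RFC 4361 lease correlation that would resolve the name mismatch, as an added example that is not from the presentation; the ipv4/ipv6.corp.local zone names and the ads host values are the slide's, the lease data is constructed, and using the last two hextets for the IPv6 dynamic label is an assumption:

```python
import ipaddress

# Constructed example of the slide's three-zone idea: ipv4.corp.local and
# ipv6.corp.local carry the family-specific forward and reverse records, and
# dynamic hosts get address-derived names. The RFC 4361 client-id format
# (type 0xff, 4-byte IAID, DUID) lets DHCPv4 and DHCPv6 leases of one host
# be tied together once DHCP server and client support it.
ZONE4, ZONE6 = "ipv4.corp.local", "ipv6.corp.local"
DUID = bytes.fromhex("0001000112345678001122334455")  # constructed DUID-LLT
SAMPLE_V4 = [("192.168.123.50", b"\xff\x00\x00\x00\x01" + DUID),   # RFC 4361 id
             ("192.168.123.51", bytes.fromhex("01001122334466"))]  # legacy MAC id
SAMPLE_V6 = [("fdba:dd06:f00d:ab12::abcd:1234", DUID)]


def dyn_name(addr: str) -> str:
    """Name for a dynamically leased address, e.g. 10-11-12-13-dyn.ipv4.corp.local."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "%s-dyn.%s" % (str(ip).replace(".", "-"), ZONE4)
    hextets = ip.exploded.split(":")[6:]  # assumption: last 32 bits form the label
    return "%s-dyn.%s" % ("-".join("%x" % int(h, 16) for h in hextets), ZONE6)


def ptr_name(addr: str) -> str:
    """Reverse-zone owner name (in-addr.arpa or nibble-reversed ip6.arpa)."""
    return ipaddress.ip_address(addr).reverse_pointer


def records(host: str, v4: str, v6: str):
    """Forward A/AAAA in the per-family zones plus matching PTRs for a static host."""
    n4, n6 = "%s.%s." % (host, ZONE4), "%s.%s." % (host, ZONE6)
    return [(n4, "A", v4), (n6, "AAAA", v6),
            (ptr_name(v4) + ".", "PTR", n4), (ptr_name(v6) + ".", "PTR", n6)]


def duid_from_client_id(client_id: bytes):
    """RFC 4361 DHCPv4 client identifier -> DUID; None for legacy MAC-based ids."""
    if len(client_id) < 6 or client_id[0] != 0xFF:
        return None
    return client_id[5:]


def correlate(v4_leases=SAMPLE_V4, v6_leases=SAMPLE_V6) -> dict:
    """Map each DHCPv4 lease to the DHCPv6 lease of the same host via the DUID,
    so one name can cover both families. Hosts without an RFC 4361 id map to None."""
    by_duid = {duid: addr for addr, duid in v6_leases}
    out = {}
    for addr, client_id in v4_leases:
        duid = duid_from_client_id(client_id)
        out[addr] = by_duid.get(duid) if duid is not None else None
    return out
```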

Page 13: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Unresolved questions

Network Edge

• Security: Don’t be fooled, NAT is not for security. Don’t pretend it is!

• Use proper access lists to keep internal hosts secure

• Watch out for ICMPv6 and Extension Headers

• Use best practices (BCP38) on filtering traffic and prevent address spoofing

• Don’t send out traffic that didn’t originate in your address space

• Don’t accept inbound traffic that supposedly originated in your address space

• Filter out bogon networks

• Big question: What does a good common IPv6 ACL for the edge look like?


ipv6 access-list egress6

permit ipv6 2001:abcd::/32 any

deny ipv6 any any log
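The BCP38 and bogon rules from this slide, applied to constructed sample flows so the logged denials can be inspected (an added example, not the presentation's own; the 2001:abcd::/32 site prefix is the placeholder from the egress6 ACL above, the bogon list is a small illustrative subset, and the sample addresses are made up):

```python
import ipaddress

# Constructed example. Address-level checks only: ICMPv6 types and extension
# headers, which the slide flags separately, need their own rules. A real
# deployment would take the bogon list from a maintained feed.
OWN_PREFIX = ipaddress.IPv6Network("2001:abcd::/32")  # placeholder from the slide's ACL
BOGONS = [ipaddress.IPv6Network(p) for p in (
    "::/8",           # unspecified, loopback, IPv4-mapped and other reserved space
    "2001:db8::/32",  # documentation prefix
    "fc00::/7",       # ULA must never cross the edge in either direction
    "fe80::/10",      # link-local is not routable
    "ff00::/8",       # multicast is never a valid source
)]


def classify(src: str, dst: str, direction: str):
    """Decide one flow at the edge. direction is 'egress' (leaving the site)
    or 'ingress' (arriving from upstream). Returns (action, reason)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if any(s in b for b in BOGONS):
        return "deny", "bogon source"
    if direction == "egress":
        if s not in OWN_PREFIX:
            return "deny", "BCP38: source is not in our address space"
        return "permit", "egress from our prefix"
    if direction == "ingress":
        if s in OWN_PREFIX:
            return "deny", "spoofed: source claims our address space"
        if d not in OWN_PREFIX:
            return "deny", "destination is not ours"
        return "permit", "ingress to our prefix"
    raise ValueError("direction must be 'egress' or 'ingress'")


SAMPLE_FLOWS = [  # constructed, not captured traffic
    ("2001:abcd:1::10", "2001:4860:4860::8888", "egress"),          # normal outbound
    ("fdba:dd06:f00d:ab12::11", "2001:4860:4860::8888", "egress"),  # ULA leaking out
    ("2001:abcd:1::10", "2001:abcd:2::20", "ingress"),              # our prefix from outside
    ("2001:db8::1", "2001:abcd:2::20", "ingress"),                  # bogon source
    ("2001:1234::1", "2001:abcd:2::20", "ingress"),                 # ordinary inbound
]


def audit(flows=SAMPLE_FLOWS):
    """Return only the flows the edge would log as denied, with the reason."""
    return [(s, d, dirn, why) for s, d, dirn in flows
            for act, why in [classify(s, d, dirn)] if act == "deny"]
```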

Page 14: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Conclusion

Mindset

• IPv6 is not a bolt-on to IPv4. It will replace IPv4, eventually

• Someone who gives you “ping6” besides “ping” just doesn’t get it

Network Audit

• IPv6 Readiness: Products from all vendors have IPv6 bugs and issues

• Unrealistic to just “move” an Enterprise network to IPv6 today

• Test required IPv6 functionality yourself! Don’t believe vendor specs

• Get rid of vendors who don’t have a roadmap to support IPv6: It’s 2014!

Optimization

• Clean Up: IPv6 rollout is your perfect chance to cleanup your current mess

• Simplify – Reduce complexity

• Unify – More coherence, less headaches

• Amplify – Plan big, really big this time!

Page 15: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Conclusion

IPv6 Address Space

• Today: Easy to acquire address space and get transit

Deploying IPv6

• Configuration: Very easy to implement if you’ve done all your homework

Soft Factors

• Training and exposure: Absolute key to success!

• Sad example: Ops Team “ripped out” IPv6 after stumbling over non-IPv6 related (DNS propagation time) issues. Blame game.

• Hard to put arms around IPv6: Very similar to IPv4, yet different enough to stumble at times

• Work on the Mindset: IPv4 is the past, IPv6 is the future; know your history, but put your energy into the future.

Page 16: CAv6TF Meeting - 2014-05-27 - IPv6@ VMware Integration Engineering

Questions?

Feedback!
