Confidential
IPv6 @ VMware Integration Engineering
Christian Elsen
May 2014
Jun 21, 2015
Agenda
Who is VMware Integration Engineering?
Why IPv6 @ Integration Engineering?
Physical Infrastructure
Virtual Testbeds (vPods)
What worked well
Unresolved questions
Conclusion
Who is VMware Integration Engineering?
Customer[0]
• Run IT like a customer would:
  • Racks in 3 global colocation facilities (US West, US East, Europe)
• Provide feedback on VMware products:
  • Improve operational aspects of VMware products
Global Infrastructure
Why IPv6 @ Integration Engineering?
What do we do?
• Run VMware products like a real customer would
• This includes IPv6!
What’s needed?
• Ability to provide feedback on the IPv6 effort
• Knowledge and expertise around migrating to and operating with IPv6
• IPv6-enabled infrastructure to validate and test VMware products
Implementation Phases: Physical Infrastructure
• Network Audit: What can run IPv6 today, and what needs to be upgraded?
• Procuring IPv6 address space: Get IPv6 addresses and transit for them
• Enable Management Services: This includes Active Directory, DNS, NTP, ...
• Network Optimization: Is the IPv4 network the best it can be?
• Deploying IPv6 in the network: Roll out IPv6 addressing and routing in the network
• Connect End-Users: Procedures to onboard end-users with IPv6 connectivity
Virtual Testbeds (vPods) – What is it?
Virtual Construct in internal vCloud Director deployment
• Provide container with network for multiple VMs
• Complete Isolation (IP addresses, MAC addresses, UUIDs, …) of content
• Lifecycle of vPod can be managed in content catalog
• Used internally for training and Dev/Test
vPods at VMWorld
• Underlying technology of VMWorld
• Today: Fully enabled for IPv6
• VMWorld 2014 HoL will use IPv6 vPods
Very successful!
Virtual Testbeds (vPods) – Example
Base vPod
• Multiple L2 network segments
• Linux-based Router (vPodRouter) for L3 and basic network services
• SLAAC, DHCPv6, NTP, much more if you want to
• ControlCenter as Jump Host and to offer Data Center services
• Active Directory, DNS
Virtual Testbeds (vPods) – Examples
Simple vSphere Setup
• Multiple ESXi hosts + vCenter
• Network-based storage (NFS/iSCSI)
• Isolated (non-routed) networks: NFS/iSCSI + vMotion
[Diagram: vPod with ControlCenter (Jump Host, Active Directory, DNS) and vPodRouter; External Network is IPv4 only, Internal Networks (fenced) are IPv4/IPv6 dual-stack; VMs: esx-01a and esx-02a (ESXi), vc-01a (vCenter), stga-01a (NAS)]
Virtual Testbeds (vPods) – Examples
Network Equipment Setup
• VM-based Router / L3 switches / firewalls / load balancer
• Interconnected via various L2 links
• Simulate, experiment, learn various complex network scenarios
• This includes IPv6!
[Diagram: vPod with ControlCenter (Jump Host, Active Directory, DNS) and vPodRouter; External Network is IPv4 only, Internal Networks (fenced) are IPv4/IPv6 dual-stack; Routers R1, R2, R3 and R4 interconnected inside the vPod]
What worked well
Addressing plan
• Read RIPE’s document on “Preparing an IPv6 address plan”
  • Lots of good info! No need to re-invent the wheel
• ULA address range for internal-only infrastructure components (IPsec VPN, router-to-router links)
• ULA address range fd53::/64 for DNS anycast
  • Our DNS resolvers: fd53::11 and fd53::12, everywhere!
  • Caveat: RFC 4193 expects the 40-bit global ID after the fd byte to be randomly generated; a hand-picked short prefix like fd53::/64 is readable, but risks collisions if networks are ever merged
• Use link-local addresses as default gateway for static addressing
  • Our IPv6 default gateway is fe80::1, everywhere!
• Point-to-point links: Reserve a /64 for the link, but address it as a /127 for 2 member addresses or a /126 for 4 member addresses (VRRP/HSRP)
• Number all loopbacks out of one /64, /128 per loopback
• Only subnet on nibble boundaries (network masks that align on a 4-bit boundary)
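The rules above, carved out as an address plan with Python's standard library. This is an added example, not code from the slides or from VMware: the site prefix 2001:db8:1000::/48 (a documentation prefix standing in for real global space), the /52 block layout and the LAN/link/loopback counts are assumptions; fd53::11, fd53::12 and fe80::1 are the values from the slide.

```python
"""Added example: carve an IPv6 address plan that follows the rules above.

Assumptions not in the original: SITE (documentation prefix), the /52
block layout, and the counts passed to build_plan().
"""
import ipaddress

SITE = "2001:db8:1000::/48"           # assumed site prefix
RESOLVERS = ["fd53::11", "fd53::12"]  # anycast resolvers in fd53::/64 (from the slide)
GATEWAY = "fe80::1"                   # link-local default gateway on every LAN


def on_nibble_boundary(prefix):
    """True when the prefix length is a multiple of 4 bits, so the subnet
    boundary falls on a whole hex digit and the plan stays readable."""
    return ipaddress.IPv6Network(prefix).prefixlen % 4 == 0


def carve(parent, new_prefix):
    """Split parent into subnets of new_prefix bits; refuse non-nibble cuts."""
    if new_prefix % 4:
        raise ValueError(f"/{new_prefix} is not on a nibble boundary")
    return list(ipaddress.IPv6Network(parent).subnets(new_prefix=new_prefix))


def p2p_link(link64):
    """Reserve a whole /64 per point-to-point link but configure only its
    first /127 (RFC 6164): exactly two member addresses, no ping-pong."""
    if link64.prefixlen != 64:
        raise ValueError("reserve a /64 per link")
    p127 = next(link64.subnets(new_prefix=127))
    a, b = list(p127)                 # the two addresses ::0 and ::1 of the /127
    return {"reserved": str(link64), "configured": str(p127),
            "members": [f"{a}/127", f"{b}/127"]}


def build_plan(site=SITE, n_lans=4, n_links=2, n_loopbacks=3):
    """Lay out LANs, the loopback /64 and point-to-point links inside the site."""
    blocks = carve(site, 52)          # 16 x /52: one hex digit of the 4th hextet each
    lan_block, infra_block = blocks[0], blocks[-1]   # ...:0000::/52 LANs, ...:f000::/52 infra
    lans = [str(n) for n in carve(lan_block, 64)[:n_lans]]
    infra64 = carve(infra_block, 64)  # 4096 x /64 inside the infra block
    loop64 = infra64[0]               # all loopbacks come out of this one /64
    loopbacks = [f"{loop64.network_address + i}/128" for i in range(1, n_loopbacks + 1)]
    links = [p2p_link(n) for n in infra64[1:1 + n_links]]
    return {"lans": lans, "loopback_block": str(loop64),
            "loopbacks": loopbacks, "links": links}


def static_host(lan, host_id):
    """Static addressing on a LAN: host part chosen by hand, gateway is the
    link-local fe80::1 and resolvers are the anycast ULAs, identical everywhere."""
    net = ipaddress.IPv6Network(lan)
    return {"address": f"{net.network_address + host_id}/64",
            "gateway": GATEWAY, "dns": list(RESOLVERS)}


if __name__ == "__main__":
    plan = build_plan()
    for link in plan["links"]:
        print(link["reserved"], "->", link["members"])
    print(static_host(plan["lans"][1], 0x11))
```

Because every cut is on a nibble boundary, each /52 block is visible as the first hex digit of the fourth hextet (0 for LANs, f for infrastructure), which is what makes the plan readable in ACLs and logs later.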
What worked well
DHCP
• Address management: stateful DHCPv6 only
  • O(ther) + M(anaged) flags set in the Router Advertisement; (A)utonomous flag unset on the prefix, so no SLAAC
  • No clients supported RDNSS (RFC 6106) at the time (2014). Don’t bother.
• Provide DHCP + DHCPv6 via DHCP relay
  • IPv4: hosts .10-.250 for dynamic with reverse DNS entry
  • IPv6: hosts :00 - :FF for dynamic with reverse DNS entry
Network Edge
• No more NAT: be happy and don’t try to revive it with NPTv6 (RFC 6296) or NAT66
  • Tried both NPTv6 with ULA as well as global address space
  • No benefits with NPTv6 and ULA, only more work and hassles
  • Use global address space along with proper access lists
Unresolved questions
How to handle DNS?
• Idea: 3 DNS zones:
  • corp.local (forward via CNAMEs to the A and AAAA records for services)
  • ipv4.corp.local (forward and reverse for IPv4, including DHCP)
  • ipv6.corp.local (forward and reverse for IPv6, including DHCPv6)
• Example:
  • ads.corp.local -> ads.ipv4.corp.local + ads.ipv6.corp.local
  • ads.ipv4.corp.local -> 192.168.123.11
    192.168.123.11 -> ads.ipv4.corp.local
  • ads.ipv6.corp.local -> fdba:dd06:f00d:ab12::11
    fdba:dd06:f00d:ab12::11 -> ads.ipv6.corp.local
  • Caveat: an owner name may hold only one CNAME and no other data (RFC 2181, section 10.1), so ads.corp.local cannot point at both per-family names; it has to carry the A and AAAA itself
• Challenge: A dual-stack host acquires IPv4 via DHCP and IPv6 via DHCPv6. The associated DNS names don’t match, because the two servers have no common client identifier to correlate the leases.
  • RFC 4361 (DHCPv4 client identifiers derived from the DHCPv6 DUID) should fix this, but vendor support is missing.
• Right now:
  • IPv4: 10-11-12-13-dyn.ipv4.corp.local
  • IPv6: abcd-1234-dyn.ipv6.corp.local
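The three-zone layout and the dynamic-name workaround, generated from a small inventory. This is an added example, not code from the slides: the service inventory and the lease pair are constructed (the "ads" addresses are the slide's), and the IPv6 dynamic name is assumed to come from the last two hextets of the address. It deviates from the slide in one place: corp.local carries A and AAAA directly instead of two CNAMEs, because an owner name may hold one CNAME and nothing else (RFC 2181, section 10.1).

```python
"""Added example: records for corp.local / ipv4.corp.local / ipv6.corp.local.

Assumptions not in the original: SERVICES and LEASES are constructed, and
dynamic IPv6 names use the last two (zero-padded) hextets of the address.
"""
import ipaddress

ZONE = "corp.local"
V4_ZONE = f"ipv4.{ZONE}"
V6_ZONE = f"ipv6.{ZONE}"

# Constructed inventory: service name -> (IPv4, IPv6). "ads" uses the slide's addresses.
SERVICES = {"ads": ("192.168.123.11", "fdba:dd06:f00d:ab12::11")}
# Constructed dual-stack leases: (DHCPv4 lease, DHCPv6 lease) of the same host,
# which neither DHCP server can correlate without RFC 4361 client identifiers.
LEASES = [("10.11.12.13", "fdba:dd06:f00d:ab12::abcd:1234")]


def reverse_name(addr):
    """PTR owner: in-addr.arpa for IPv4, nibble-reversed ip6.arpa for IPv6."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def dynamic_name(addr):
    """Name for a dynamic lease, derived from the address alone so the DHCP
    server can register it without knowing anything about the client."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return f"{str(ip).replace('.', '-')}-dyn.{V4_ZONE}."
    tail = ip.exploded.split(":")[-2:]   # assumption: last two hextets, zero-padded
    return f"{'-'.join(tail)}-dyn.{V6_ZONE}."


def service_records(name, v4, v6):
    """Records for one static service across the three zones."""
    v4_name, v6_name = f"{name}.{V4_ZONE}.", f"{name}.{V6_ZONE}."
    return [
        (v4_name, "A", v4), (reverse_name(v4), "PTR", v4_name),
        (v6_name, "AAAA", v6), (reverse_name(v6), "PTR", v6_name),
        (f"{name}.{ZONE}.", "A", v4),      # instead of a CNAME to v4_name
        (f"{name}.{ZONE}.", "AAAA", v6),   # instead of a CNAME to v6_name
    ]


def lease_records(v4, v6):
    """Records for a dynamic dual-stack host: the names differ per family."""
    v4_name, v6_name = dynamic_name(v4), dynamic_name(v6)
    return [
        (v4_name, "A", v4), (reverse_name(v4), "PTR", v4_name),
        (v6_name, "AAAA", v6), (reverse_name(v6), "PTR", v6_name),
    ]


def build_records(services=SERVICES, leases=LEASES):
    """All records as (owner, type, rdata) tuples, static services first."""
    records = []
    for name, (v4, v6) in services.items():
        records += service_records(name, v4, v6)
    for v4, v6 in leases:
        records += lease_records(v4, v6)
    return records


def zone_lines(records):
    """Render as zone-file lines; owner names are fully qualified."""
    return [f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in records]


if __name__ == "__main__":
    print("\n".join(zone_lines(build_records())))
```

The lease records show the unresolved part directly: the same machine ends up as 10-11-12-13-dyn.ipv4.corp.local and abcd-1234-dyn.ipv6.corp.local, and nothing in DNS links the two until the DHCPv4 side can present the same client identifier as DHCPv6.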
Unresolved questions
Network Edge
• Security: Don’t be fooled, NAT is not for security. Don’t pretend it is!
• Use proper access lists to keep internal hosts secure
• Watch out for ICMPv6 and extension headers: ICMPv6 cannot be blocked wholesale (Packet Too Big is required for path MTU discovery; RFC 4890 lists what must pass), and deprecated extension headers such as Routing Header type 0 (RFC 5095) should be dropped
• Use best practices (BCP38) on filtering traffic to prevent address spoofing
  • Don’t send out traffic that didn’t originate in your address space
  • Don’t accept inbound traffic that supposedly originated in your address space
  • Filter out bogon networks
• Big question: What does a good common IPv6 ACL for the edge look like?
ipv6 access-list egress6
 remark BCP38 egress: only packets sourced from our own prefix may leave the site
 permit ipv6 2001:abcd::/32 any
 deny ipv6 any any log
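The egress ACL above covers one direction. The service-independent part of an edge policy (BCP38 both ways, bogon sources, the ICMPv6 types that must cross the edge per RFC 4890, and Routing Header type 0 per RFC 5095) is spelled out below as a small evaluator run over constructed packets. This is an added example, not code from the slides or from VMware: the packet dictionary format, the verdict names and the sample addresses are assumptions; 2001:abcd::/32 is the prefix used in the egress ACL above, and 2001:abce::1 stands in for an arbitrary Internet host. Whatever survives these checks is handed to the service-specific rules, which the example does not model.

```python
"""Added example: the common, service-independent part of an IPv6 edge policy.

Assumptions not in the original: the packet dict format, the verdicts
'deny'/'permit'/'continue', the sample addresses, and that this is an
enterprise edge rather than a transit network.
"""
import ipaddress

OWN_PREFIX = ipaddress.IPv6Network("2001:abcd::/32")   # prefix from the egress ACL above

# Never valid as a source arriving from the Internet (RFC 6890 special-purpose
# ranges, plus multicast); ULA and link-local belong here as well.
BOGONS = [ipaddress.IPv6Network(p) for p in (
    "::/128",           # unspecified
    "::1/128",          # loopback
    "::ffff:0:0/96",    # IPv4-mapped
    "100::/64",         # discard-only
    "2001:db8::/32",    # documentation
    "fc00::/7",         # ULA: must never leave or enter a site
    "fe80::/10",        # link-local
    "ff00::/8",         # multicast is never a source
)]

# ICMPv6 types the edge must let through (RFC 4890 section 4.3.1), plus echo.
# NDP types 133-137 are link-local by nature and stay in the deny set.
SAFE_ICMPV6 = {1, 2, 3, 4, 128, 129}
ICMPV6, ROUTING_HEADER = 58, 43


def edge_policy(pkt, direction):
    """Return (verdict, reason). verdict is 'deny', 'permit' or 'continue'
    (passed on to the stateful/service ACL). pkt has 'src', 'dst', 'proto'
    (IP protocol number) and optionally 'icmp_type' and 'ext_headers' as a
    list of (header_number, routing_type) tuples."""
    src = ipaddress.IPv6Address(pkt["src"])
    dst = ipaddress.IPv6Address(pkt["dst"])
    if direction == "egress":
        if src not in OWN_PREFIX:       # BCP38 outbound: ULA leaks, spoofing from inside
            return "deny", "BCP38: source not in our prefix"
    elif direction == "ingress":
        if src in OWN_PREFIX:           # BCP38 inbound: someone claims to be us
            return "deny", "BCP38: spoofed source claims our prefix"
        if any(src in net for net in BOGONS):
            return "deny", "bogon source"
        if dst not in OWN_PREFIX:       # assumption: enterprise edge, not a transit network
            return "deny", "not destined to our prefix"
    else:
        raise ValueError(f"unknown direction {direction!r}")
    for header, routing_type in pkt.get("ext_headers", []):
        if header == ROUTING_HEADER and routing_type == 0:
            return "deny", "Routing Header type 0 is deprecated (RFC 5095)"
    if pkt["proto"] == ICMPV6:
        icmp_type = pkt.get("icmp_type")
        if icmp_type in SAFE_ICMPV6:    # Packet Too Big etc.: PMTUD breaks without them
            return "permit", f"ICMPv6 type {icmp_type} required across the edge"
        return "deny", f"ICMPv6 type {icmp_type} not allowed across the edge"
    return "continue", "hand over to service-specific rules"


# Constructed sample traffic; 2001:abce::1 stands in for an arbitrary Internet host.
SAMPLES = [
    ("egress",  {"src": "2001:abcd:1::10", "dst": "2001:abce::1", "proto": 6}),
    ("egress",  {"src": "fdba:dd06::1", "dst": "2001:abce::1", "proto": 6}),       # ULA leaking
    ("ingress", {"src": "2001:abcd:9::9", "dst": "2001:abcd:1::10", "proto": 6}),  # spoofed
    ("ingress", {"src": "2001:db8::5", "dst": "2001:abcd:1::10", "proto": 6}),     # bogon
    ("ingress", {"src": "2001:abce::1", "dst": "2001:abcd:1::10", "proto": 58, "icmp_type": 2}),
    ("ingress", {"src": "2001:abce::1", "dst": "2001:abcd:1::10", "proto": 58, "icmp_type": 135}),
    ("ingress", {"src": "2001:abce::1", "dst": "2001:abcd:1::10", "proto": 6,
                 "ext_headers": [(43, 0)]}),
]


def evaluate_samples(samples=SAMPLES):
    """Verdict per sample packet, in order."""
    return [edge_policy(pkt, direction)[0] for direction, pkt in samples]


if __name__ == "__main__":
    for (direction, pkt), verdict in zip(SAMPLES, evaluate_samples()):
        print(f"{direction:7} {pkt['src']:>18} -> {pkt['dst']:<18} {verdict}")
```

The ordering matters: anti-spoofing and bogon checks run before anything looks at the transport header, so a forged ICMPv6 Packet Too Big from a ULA or from inside your own prefix never reaches the "permit ICMPv6" branch.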
Conclusion
Mindset
• IPv6 is not a bolt-on to IPv4. It will replace IPv4, eventually
• Someone who gives you “ping6” besides “ping” just doesn’t get it
Network Audit
• IPv6 Readiness: Products from all vendors have IPv6 bugs and issues
• Unrealistic to just “move” an Enterprise network to IPv6 today
• Test required IPv6 functionality yourself! Don’t believe vendor specs
• Get rid of vendors who don’t have a roadmap to support IPv6: It’s 2014!
Optimization
• Clean up: The IPv6 rollout is your perfect chance to clean up your current mess
• Simplify – Reduce complexity
• Unify – More coherence, less headaches
• Amplify – Plan big, really big this time!
Conclusion
IPv6 Address Space
• Today: Easy to acquire address space and get transit
Deploying IPv6
• Configuration: Very easy to implement if you’ve done all your homework
Soft Factors
• Training and exposure: Absolute key to success!
  • Sad example: Ops team “ripped out” IPv6 after stumbling over non-IPv6-related (DNS propagation time) issues. Blame game.
• Hard to get your arms around IPv6: Very similar to IPv4, yet different enough to stumble at times
• Work on the mindset: IPv4 is the past, IPv6 is the future; know your history, but put your energy into the future.
Questions?
Feedback!