IPv6 on the INTEROPNET Interop, Wednesday, 3 October 2012 Brandon Ross, Routing Team Lead Jeff Enters, WW IPv6 Portfolio Manager, HP Aaron Hughes, CTO, 6connect Chief Network Architect, Network Utility Force http://www.netuf.net/

IPv6 Implementation and Migration

Nov 12, 2014


Our entire IPv6 presentation on implementation and migration from Interop NYC 2012.
Transcript
Page 1: IPv6 Implementation and Migration

IPv6 on the INTEROPNET

Interop, Wednesday, 3 October 2012

Brandon Ross, Routing Team Lead

Jeff Enters, WW IPv6 Portfolio Manager, HP

Aaron Hughes, CTO, 6connect

Chief Network Architect, Network Utility Force

http://www.netuf.net/

Page 2: IPv6 Implementation and Migration

Agenda

• Background and Goals

• How IPv6 works on the InteropNET

• Subnetting and Addressing

• Challenges and Lessons Learned

• Results and Statistics

• Conclusions

Page 3: IPv6 Implementation and Migration

RFC 6540

• Are you aware of this requirement?

• Are your nodes IPv6 capable?

Page 4: IPv6 Implementation and Migration

IPv6 Support Required for All IP-Capable Nodes – RFC 6540

• “Given the global lack of available IPv4 space, and limitations in IPv4 extension and transition technologies, this document advises that IPv6 support is no longer considered optional.”

• “IPv6 support must be equivalent or better in quality and functionality when compared to IPv4 support in a new or updated IP implementation.”

Page 5: IPv6 Implementation and Migration

Background

• IPv4 depletion is already occurring

• IPv6 adoption is accelerating

• Most network hardware supports IPv6

• For the most part, dual stack Just Works

http://www.potaroo.net/tools

IPv4 Free Pool Depletion

http://www.ipv6actnow.org/info/statistics/#alloc

IPv6 Routing Table Growth

Page 6: IPv6 Implementation and Migration

US Feds Lesson Learned

The US federal government had a mandate for all public facing web services to support IPv6 by September 30, 2012. 287 of 1494 sites had IPv6 web support by the deadline.

That’s nearly 20%. Not 100%, but far ahead of most other large organizations.

Source: http://usgv6-deploymon.antd.nist.gov//

Page 7: IPv6 Implementation and Migration

Europe out of Free Pool

• Asia (APNIC) effectively ran out of free addresses in April, 2011

• Europe (RIPE) is also out of addresses as of September 14th

• ARIN predicted to run out of free space in August (Geoff Huston, http://www.potaroo.net/tools/ipv4/index.html)

Page 8: IPv6 Implementation and Migration

Goals

• Network must be fully dual stack (IPv4+IPv6)

• All IPv4 services should be reachable over IPv6

• Connections to IPv6-enabled websites should use IPv6 by default

• Nothing should break ☺

Page 9: IPv6 Implementation and Migration

Agenda

• Background and Goals

• How IPv6 works on the InteropNET

• Subnetting and Addressing

• Challenges and Lessons Learned

• Results and Statistics

• Conclusions

Page 10: IPv6 Implementation and Migration

Connectivity and Routing

Page 11: IPv6 Implementation and Migration

Autoconfiguration

• All client-facing networks use SLAAC to allow clients to auto-assign themselves an IPv6 address and default gateway on the correct subnet

– Supported by all IPv6-capable devices

[Figure labels: Auto-assigned IPv6 address; Default Gateway (Link-local from RA)]

Page 12: IPv6 Implementation and Migration

DNS

• All DNS services are provided by DynDNS and load-balanced by F5

• In order to connect to Google and Facebook over IPv6, we had to ask them to whitelist the InteropNET DNS servers

– As a result, DNS requests for google.com and facebook.com receive AAAA (IPv6) responses

Page 13: IPv6 Implementation and Migration

InteropNET NOC Services

• Goal was to provide all internal services over IPv6 as well as IPv4

• This required coordination with vendors to enable IPv6, make sure services were bound to their IPv6 ports, and publish AAAA records

• Most (but not all) services ended up reachable over IPv6

Page 14: IPv6 Implementation and Migration

Wireless

• InteropNET wireless is provided by Xirrus

• Purpose-built VLANs are shared across all APs and all are dual-stack

Page 15: IPv6 Implementation and Migration

IPAM

Page 16: IPv6 Implementation and Migration

IPv6 Attack Traffic

[Table of flow records; columns: Src. Port | Dst. Addr. | Dst. Port | Seg. Port In]


Page 17: IPv6 Implementation and Migration

Agenda

• Background and Goals

• How IPv6 works on the InteropNET

• Subnetting and Addressing

• Challenges and Lessons Learned

• Results and Statistics

• Conclusions

Page 18: IPv6 Implementation and Migration

State of Assignments

• All of the registries, for the most part, assign initial blocks for:

– Service provider /32

– Enterprise /48

Page 19: IPv6 Implementation and Migration

What makes up a good addressing plan?

• Depends on the type of network, the size of the network, and problem to be solved

• Points to consider

– Documentation

– Ease of troubleshooting

– Aggregation

– Standards compliance

– Growth

– SLAAC

– Existing IPv4 addressing plan

– Human factors

Page 20: IPv6 Implementation and Migration

Algorithmic Approach

• Encode every IPv4 address in the network in an IPv6 address

10.10.10.10 (A0A0A0A)

2001:DB8:A0A:A0A::

Page 21: IPv6 Implementation and Migration

Link Numbering Issues

• OSPFv3 masks this problem, unlike in IPv4

• Separation of addressing from the link state database means that OSPFv3 neighbor relationships will establish, even on links with mismatched addressing and/or masks

• Link-local based forwarding prevents address mismatches from being easily detected because traffic flows normally and traceroutes don’t appear too strange

Page 22: IPv6 Implementation and Migration

Link Numbering Issues

• To detect link numbering errors, look for “U-turn” routing:

$ traceroute6 2620:144:B0C::

traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets

1 2620:144:8fc:: (2620:144:8fc::) 26.747 ms 26.730 ms 26.716 ms

2 2620:144:b0c::2 (2620:144:b0c::2) 29.137 ms 29.222 ms 29.264 ms

3 2620:144:8fc:: (2620:144:8fc::) 29.355 ms 29.335 ms 29.350 ms

4 2620:144:8fc:: (2620:144:8fc::) 29.438 ms !H 29.433 ms !H 29.413 ms !H

Note hop 2 is the misnumbered address. This traceroute should have looked like this:

$ traceroute6 2620:144:B0C::

traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets

1 2620:144:8fc:: (2620:144:8fc::) 32.473 ms 32.447 ms 32.427 ms
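
The U-turn check above can be automated over saved traceroute output. The following is an added example, not part of the original slides; the function names are hypothetical and the sample is the misnumbered-link trace from this slide.

```python
import ipaddress
import re

# Traceroute output copied from the slide above (the misnumbered-link case).
SAMPLE = """\
traceroute to 2620:144:B0C:: (2620:144:b0c::), 30 hops max, 80 byte packets
 1 2620:144:8fc:: (2620:144:8fc::) 26.747 ms 26.730 ms 26.716 ms
 2 2620:144:b0c::2 (2620:144:b0c::2) 29.137 ms 29.222 ms 29.264 ms
 3 2620:144:8fc:: (2620:144:8fc::) 29.355 ms 29.335 ms 29.350 ms
 4 2620:144:8fc:: (2620:144:8fc::) 29.438 ms !H 29.433 ms !H 29.413 ms !H
"""

# Hop number, reported name, then the address in parentheses.
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\(([0-9A-Fa-f:]+)\)")

def parse_hops(text):
    """Return [(hop_number, IPv6Address)] for every hop that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line, or a hop with no reply ("* * *")
        try:
            hops.append((int(m.group(1)), ipaddress.IPv6Address(m.group(2))))
        except ValueError:
            continue  # not a valid IPv6 address; ignore the line
    return hops

def find_u_turns(text):
    """Return (hop_number, address) for each hop sandwiched between two
    replies from the same router on adjacent hop numbers: A, B, A."""
    hops = parse_hops(text)
    suspects = []
    for (n1, a1), (n2, a2), (n3, a3) in zip(hops, hops[1:], hops[2:]):
        if n3 - n1 == 2 and a1 == a3 and a2 != a1:
            suspects.append((n2, str(a2)))
    return suspects

if __name__ == "__main__":
    for hop, addr in find_u_turns(SAMPLE):
        print(f"possible misnumbered link: hop {hop} ({addr})")
```
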

Page 23: IPv6 Implementation and Migration

Link Numbering Issues

Page 24: IPv6 Implementation and Migration

Link Numbering Issues

• Should you number your links at all or just use link-local?

• Loopback interfaces usually show up so you know which routers traffic is following, so why waste address space on links?

Page 25: IPv6 Implementation and Migration

Link Numbering Issues

• Using equal cost multipath?

$ traceroute6 2001:DB8::5:2

traceroute to 2001:DB8::5:2 (2001:DB8::5:2), 30 hops max, 80 byte packets

1 2001:DB8::6:1 (2001:DB8::6:1) 22.723 ms 26.730 ms 26.716 ms

2 2001:DB8::1:1 (2001:DB8::1:1) 80.233 ms * ms 72.173 ms

3 2001:DB8::5:2 (2001:DB8::5:2) * ms 99.223 ms 29.350 ms

• Which link did it take?

Page 26: IPv6 Implementation and Migration

Link Numbering Issues

• Does your management system use link numbering for monitoring or circuit identification?

• Are you really saving any significant addressing by not assigning addresses?

Page 27: IPv6 Implementation and Migration

Link Numbering Issues

$ traceroute6 2001:DB8::5:2

traceroute to 2001:DB8::5:2 (2001:DB8::5:2), 30 hops max, 80 byte packets

1 2001:DB8::6:1 (2001:DB8::6:1) 22.723 ms 26.730 ms 26.716 ms

2 2001:DB8::4 (2001:DB8::4) * ms 88.322 ms * ms

3 2001:DB8::5:2 (2001:DB8::5:2) * ms 90.123 ms 100.110 ms

• Better, now we know which link is having issues.

Page 28: IPv6 Implementation and Migration

Standards Compliance

Networks smaller than /64 can be desirable, especially using /127s for point to point links (RFC 6164)

To avoid future breakage, allocate a /64 in your documentation but use the smaller block

Similarly, reserve /48s for EVERYTHING you can; there’s no reason to allocate densely because there’s plenty of space

If you have a complex network, allocate in a sparse way to enable easy aggregation

Page 29: IPv6 Implementation and Migration

Addressing and Subnetting Recommendations

• You can indeed add convenience and save on documentation by using an algorithmic approach

• But ONLY if you have reasonably few IPv4 blocks; if you have 100s, you’ll probably need a different approach unless you can get a large enough v6 allocation

• You DON’T want to reproduce IPv4 “cruft” into IPv6. If your IPv4 subnetting is a mess, it’s best to re-do it for IPv6.
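
The algorithmic approach from the earlier slide (10.10.10.10 to 2001:DB8:A0A:A0A::) and the allocation-size caveat above, as an added example that is not part of the original slides. It generalizes the /32 case to smaller allocations; the function names, the `v4_plan` parameter and the 2001:db8:1234::/48 prefix are assumptions made for illustration.

```python
import ipaddress

def embed_ipv4(allocation, v4_addr, v4_plan="0.0.0.0/0"):
    """Return the /64 obtained by writing v4_addr's bits just above bit 64
    of the IPv6 allocation. v4_plan is the IPv4 supernet covering every
    address to be encoded; only the bits below its prefix are copied."""
    alloc = ipaddress.IPv6Network(allocation)
    plan = ipaddress.IPv4Network(v4_plan)
    addr = ipaddress.IPv4Address(v4_addr)
    if addr not in plan:
        raise ValueError(f"{addr} is outside the IPv4 plan {plan}")
    free_bits = 64 - alloc.prefixlen    # subnet bits left above the /64 boundary
    needed_bits = 32 - plan.prefixlen   # IPv4 bits that vary across the plan
    if needed_bits > free_bits:
        raise ValueError(
            f"{alloc} leaves {free_bits} subnet bits, {plan} needs {needed_bits}")
    offset = int(addr) - int(plan.network_address)
    base = int(alloc.network_address) | (offset << 64)
    return ipaddress.IPv6Network((base, 64))

def extract_ipv4(allocation, v6_prefix, v4_plan="0.0.0.0/0"):
    """Inverse mapping: recover the IPv4 address from an encoded /64."""
    alloc = ipaddress.IPv6Network(allocation)
    plan = ipaddress.IPv4Network(v4_plan)
    net = ipaddress.IPv6Network(v6_prefix)
    offset = (int(net.network_address) - int(alloc.network_address)) >> 64
    return ipaddress.IPv4Address(int(plan.network_address) + offset)

if __name__ == "__main__":
    # Service-provider /32: the whole IPv4 address fits, as on the slide.
    print(embed_ipv4("2001:db8::/32", "10.10.10.10"))
    # Enterprise /48: only 16 subnet bits, so the IPv4 plan must fit in a /16.
    print(embed_ipv4("2001:db8:1234::/48", "10.10.10.10", "10.10.0.0/16"))
    try:
        embed_ipv4("2001:db8:1234::/48", "10.10.10.10", "10.0.0.0/8")
    except ValueError as exc:
        print("cannot encode:", exc)
```
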

Page 30: IPv6 Implementation and Migration

Agenda

• Background and Goals

• How IPv6 works on the InteropNET

• Subnetting and Addressing

• Challenges and Lessons Learned

• Results and Statistics

• Conclusions

Page 31: IPv6 Implementation and Migration

DUID

• When a Windows machine is cloned, you can get two or more machines with the same DHCPv6 Unique IDentifier (DUID)

• This DUID is used by the DHCPv6 server to identify the client, so when two clients with the same DUID request IPv6 addresses with DHCPv6, they will both be given the same address

• When the second machine receives its address from the DHCPv6 server, it does IPv6 Duplicate Address Detection, determines there is an IP address conflict, and refuses the lease
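
One way to spot cloned DUIDs before clients start refusing leases is to look for the same DUID arriving from more than one client. This is an added example, not part of the original slides; the log format, addresses and function names are constructed for illustration, and only DUID-LLT (type 1) is decoded.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed DHCPv6 Solicit observations: client link-local source and DUID (hex).
SAMPLE_SOLICITS = """\
src=fe80::a00:27ff:fe11:2201 duid=000100011810a5f2080027aabbcc
src=fe80::a00:27ff:fe11:2202 duid=000100011810a5f2080027aabbcc
src=fe80::a00:27ff:fe11:2203 duid=0001000118f3c0de0800271122ff
src=fe80::a00:27ff:fe11:2201 duid=000100011810a5f2080027aabbcc
"""

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base

def decode_duid_llt(duid_hex):
    """Decode a DUID-LLT: hardware type, creation date, link-layer address.
    The link-layer address is the one present when the DUID was generated,
    which is why a cloned image carries the original machine's value."""
    raw = bytes.fromhex(duid_hex)
    if len(raw) < 9 or int.from_bytes(raw[0:2], "big") != 1:
        return None  # some other DUID type; not decoded here
    created = DUID_EPOCH + timedelta(seconds=int.from_bytes(raw[4:8], "big"))
    return {"hw_type": int.from_bytes(raw[2:4], "big"),
            "created": created.date().isoformat(),
            "lladdr": raw[8:].hex(":")}

def find_cloned_duids(text):
    """Return {duid: sorted client sources} for DUIDs seen from more than one client."""
    seen = defaultdict(set)
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if "src" in fields and "duid" in fields:
            seen[fields["duid"].lower()].add(fields["src"])
    return {d: sorted(s) for d, s in seen.items() if len(s) > 1}

if __name__ == "__main__":
    for duid, sources in find_cloned_duids(SAMPLE_SOLICITS).items():
        print("duplicate DUID", duid, decode_duid_llt(duid), "from", sources)
```
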

Page 32: IPv6 Implementation and Migration

Rogue RAs

• When a client is configured to run 6to4 (an automatic tunneling protocol) and Internet Connection Sharing, it will advertise itself as an IPv6 router by sending out RAs on its wireless interface

• Clients receiving such RAs will auto-assign themselves an address in the wrong subnet

• Routers are generally configured with RA guard or equivalent on their wired ports

• Unfortunately there is no way to block rogue RAs over wireless APs (and some wired switches)
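
Where rogue RAs cannot be blocked, they can still be detected by comparing observed RAs against the known routers and the site prefix. This is an added example, not part of the original slides; the observation format, addresses and function name are constructed for illustration, and 2002::/16 is the 6to4 prefix.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")  # prefix used by 6to4 hosts

# Constructed observations, one per received RA: source link-local and advertised prefix.
SAMPLE_RAS = """\
src=fe80::1 prefix=2001:db8:10:20::/64
src=fe80::3c5a:11ff:fe22:9b01 prefix=2002:c000:204:1::/64
src=fe80::1 prefix=2001:db8:10:20::/64
src=fe80::a00:27ff:fe4e:66a1 prefix=2001:db8:10:20::/64
"""

def audit_ras(text, authorized_routers, site_allocation):
    """Return {source: [reasons]} for every RA source that looks rogue."""
    routers = {ipaddress.IPv6Address(r) for r in authorized_routers}
    site = ipaddress.IPv6Network(site_allocation)
    findings = {}
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if "src" not in fields or "prefix" not in fields:
            continue  # blank or malformed line
        src = ipaddress.IPv6Address(fields["src"])
        prefix = ipaddress.IPv6Network(fields["prefix"], strict=False)
        reasons = []
        if src not in routers:
            reasons.append("unauthorized source")
        if prefix.subnet_of(SIXTOFOUR):
            reasons.append("6to4 prefix")
        elif not prefix.subnet_of(site):
            reasons.append("prefix outside site allocation")
        if reasons:
            findings.setdefault(str(src), set()).update(reasons)
    return {src: sorted(r) for src, r in findings.items()}

if __name__ == "__main__":
    report = audit_ras(SAMPLE_RAS, ["fe80::1"], "2001:db8::/32")
    for src, reasons in report.items():
        print(src, "->", ", ".join(reasons))
```

The last sample line shows why the source check matters on its own: a host advertising the correct prefix is still a rogue router if it is not one of the known gateways.
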

Page 33: IPv6 Implementation and Migration

Agenda

• Background and Goals

• How IPv6 works on the InteropNET

• Subnetting and Addressing

• Challenges and Lessons Learned

• Results and Statistics

• Conclusions

Page 34: IPv6 Implementation and Migration

Usage Statistics – Internet Traffic

• IPv6 usage averaged 3% of total traffic

• That’s up from 2% of Interop’s traffic last year

Page 35: IPv6 Implementation and Migration

Usage Statistics – Internet Traffic

[Chart legend: IPv4, IPv6]

Page 36: IPv6 Implementation and Migration

Usage Statistics – By Type

Most traffic is HTTP, probably not a surprise.

How much of that is peer2peer hiding in port 80?

Page 37: IPv6 Implementation and Migration

Usage Statistics – interop.com

• Users inside the InteropNET preferred IPv4 to reach www.interop.com.

• 29 GB delivered over IPv6

• 18 GB delivered over IPv4

• Possibly lower than previously due to Happy Eyeballs

Page 38: IPv6 Implementation and Migration

Agenda

• Background and Goals

• How IPv6 works on the InteropNET

• Subnetting and Addressing

• Challenges and Lessons Learned

• Results and Statistics

• Conclusions

Page 39: IPv6 Implementation and Migration

Conclusions

• IPv6 works in the real world

• Over 60% of Interop attendees were using IPv6 to reach interop.com without even knowing it

• There are challenges to implementing IPv6, but nothing show-stopping

• About 3% of the Internet’s content is reachable over IPv6 (and growing fast)

• A much smaller percentage of Internet users have IPv6 connectivity (though this may change quickly with IPv4 depletion)

Page 40: IPv6 Implementation and Migration

World IPv6 Launch

Today’s Reality

Facts

• There is a proliferation of IPv6 enabled mobile devices, appliances, home networks, etc.

• Content is NOW served over IPv6

• More and more users are operating in an IPv6 world UNKNOWINGLY!

- AND these users are having a better Quality of Experience

• Companies that have not deployed IPv6 can’t get to these users and these users can’t get to them over IPv6

IPv6 adopters have a distinct competitive advantage!

Don’t be shut out!

IPv6 is INEVITABLE!

Page 41: IPv6 Implementation and Migration

Vote for Me!

AC – Advisory Council

“The Advisory Council serves in an advisory capacity to the Board of Trustees on Internet number resource policy and related matters. Adhering to the procedures in the Policy Development Process, the Advisory Council forwards consensus-based policy proposals to the Board for ratification.”

Voting from October 24th-November 3rd

Election HQ site:

https://www.arin.net/app/election/

Page 42: IPv6 Implementation and Migration

Learn More!

• http://www.getipv6.info/

• http://tunnelbroker.net/

• http://www.sixxs.net/

• http://www.ipv6ready.org

• https://www.arin.net/knowledge/ipv6_info_center.html

• Contact us:

– Brandon Ross,

– Chief Network Architect and CEO

– Network Utility Force

• [email protected] +1-404-635-6667