Nov 01, 2014
IPv6 in the Enterprise, an outsider view
The very high level view
• The outside
• The inside
Diving down
• Actual deployment approaches
January 2010© gogo6 2012 2
The Very High Level View
January 2010© gogo6 2012 3
What do I need to do to my
external resources?Nothing
• If you are 100% sure all your website (or other services)
users have good IPv4 access
• If you feel no need to be prepared for some users not
getting to your website
Make your external facing servers IPv6
• Users might be running IPv6
• If you do business in Asia some might soon be IPv6 only
• A web proxy might be all you need for now
January 2010© gogo6 2012 4
Adding IPv6 to websites can be easy
• Most webservers do support IPv6
• A simple Apache server can be used as a proxyListen [2001:db8:1000:f::3]:80
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://10.10.10.10/
ProxyPreserveHost On
• Load balancers are starting to offer IPv6 proxy
functionality
• Tracking and security likely going to be your biggest
challenges
January 2010© gogo6 2012 5
Adding IPv6 to other servers
Other externally facing servers that need IPv6:
• DNS
• Other… depending on what you service up to external users
Might not be as easy as with the websites
• DNS will likely have to be upgraded to support IPv6
• It has been supported for some time now
• Alternative is to use separate servers for IPv6
• E-mail could be done using a relay server that takes inbound IPv6 e-mail and forwards to the actual servers
• Outbound will be a completely different story
Firewall
• Whatever firewalling that was done before has to be replicated for IPv6
• Separate proxy for IPv6 might be beneficial in this case
January 2010© gogo6 2011 6
What do I need to do internally?
Nothing
• If you are 100% that no one in the company needs to
access anything IPv6
Add IPv6
• Develop a plan for having IPv6 access available to users
who might need it
• Look at path forward to an IPv6 centric network
• Roll out IPv6
January 2010© gogo6 2012 7
Deployment Approaches
January 2010© gogo6 2012 8
Deploying IPv6 in an Enterprise
Large enterprise and government face similar challenges
as small ISPs
• A small enterprise will likely have more options
• Security requirements are very different
Need to provide IPv6 to a set of users and network
segments
• Instead of enabling IPv6 throughout the network limited
access might preferable
• Access to IPv6 for remote users might also be important
In addition to internal connectivity there is a need to
provide IPv6 to outside facing servers
January 2010© gogo6 2012 9
IPv6 Deployment Using Tunneling
A large enterprise will need to connect individual users certain network segments to IPv6 in order to access external sources or to collaborate with customers/partners
• In many cases a limited deployment to certain network segments or specific users will be preferable
• Using a managed tunneling solution will provide control without requiring additional upgrades of the network
Instead of upgrading the whole infrastructure an enterprise can use managed tunneling to provide IPv6 in a controlled manner
• Even when doing a more wide deployment of IPv6 a managed tunneling solution can prove to be a viable alternative
• It offers a controlled rollout and will allow minimal changes to the existing network
January 2010© gogo6 2012 10
IPv6 Deployment Using Tunneling
January 2010© gogo6 2012 11
Servers
IPv6 only
networks
IPv4 only
networks
IPv4/IPv6
dual –stack
networks
v6 in v4 tunnels
Main office
Internet
Client Network
Dual Stack Network
Deploying IPv6 throughout keeping IPv4 gives the best
support
• Full access to both IPv4 and IPv6
But creates extra overhead in the long run
• Stuck running two network
• Having to mix reduces the possibilities of designing around
IPv6 and maximizing the use of it
• Still the same issues with IPv4 address management
January 2010© gogo6 2012 12
IPv6 Deployment Using Tunneling
January 2010© gogo6 2012 13
Servers
IPv6 only
networks
IPv4 only
networks
IPv4/IPv6
dual –stack
networks
v6 in v4 tunnels
Main office
Internet
Client Network
IPv6 Centric Network with Legacy
IPv4 SupportSome enterprise will benefit of moving to an IPv6 centric environment
• Since it is a managed environment it is possible
• Large enterprise has the most to gain from an IPv6 only network as it can remove the issue of overlapping private networks and make integrating new networks in the future easier
Even if most of the environment can be IPv6 only, support for IPv4 will be needed
• Externally facing servers will need IPv4
• Some applications and services might be costly to replace and will need IPv4 to function
• Some users and offices might need IPv4 to collaborate with the outside world
Going IPv6 internally might add the need of an external IPv6 access as well
January 2010© gogo6 2012 14
IPv6 Centric Network with legacy
IPv4 support
January 2010© gogo6 2012 15
Servers
IPv6 only
networks
IPv4 only
networks
IPv4/IPv6
dual –stack
networks
v6 in v4 tunnels
v4 in v6 tunnels
Main office
Internet
Client Network
November 2012
© gogo6 20121616
Thank you.
gogo6.com