What to Expect When Expecting IPv6
Tim Helming, Director of Product Management
Corey Nachreiner, CISSP, Sr. Network Security Strategist
Jan 31, 2016
Welcome to WatchGuard’s IPv6 Webinar Series!
What To Expect from IPv6
You’re here because v6 matters to you
Part 1: Current IPv6 Readiness
IPv6 Readiness
Remember this? Hasn’t changed much!
Source: Elise Gerich, IANA/ICANN
WIPv6D: Native v6 traffic nearly doubled!
…to…
Source: http://asert.arbornetworks.com/2011/06/world-ipv6-day-final-look-and-wagons-ho/
ISP IPv6 Readiness Varies Greatly
Bottom Line:
More Detail in Part 2 today!
Part 2: Three Steps to IPv6
Three Steps to Implementing IPv6
Research and Discovery
Find the Answer to Three Questions
The State of IPv6 Among ISPs
Your ISP is your gateway to the Internet. As such, the IPv6 migration strategies
available to you depend heavily on what IPv6 services your ISP offers today.
Real-World IPv6 Readiness: An ISP Survey
RFC 6036: Emerging Service Provider Scenarios for IPv6 Deployment
ISP Survey Trends and Highlights
•Estimated IPv4 depletion 2015
•93% plan Dual-stack backbone
•40% run or plan to run 6to4 relay
•CPE often doesn’t support IPv6
•Prefixes offered:
  • /48 most common
  • /64 (especially among mobile)
  • /56
  • /52, /60 sometimes
A Quick Look at N. American ISPs
Hurricane Electric is a global Internet backbone provider (and transit ISP), with a
specific focus on IPv6
RECAP: IPv6 Hierarchical Addressing
2561:1900:4545:0003:0200:F8FF:FE21:67CF
Global Routing Prefix | SLA ID | Interface ID
RIR NIR/LIR
Prefix
IPv6 Subnetting
•CIDR only (slash notation)
•No concept of subnet masks
•/ followed by prefix size (decimal number 1-128)
2001:1900:4545:0003:0200:F8FF:FE21:67CF
2001:1900:4545::/48 = 2001:1900:4545:0000:0000:0000:0000:0000 -
                      2001:1900:4545:FFFF:FFFF:FFFF:FFFF:FFFF
/16 /32 /48
CIDR to range tool: http://www.ultratools.com/tools/ipv6CIDRToRange
Regional Internet Registry (RIR)
Current ARIN IPv6 Blocks:
•2001:0400::/23
•2001:1800::/23
•2001:4800::/23
•2600:0000::/12
•2610:0000::/23
2001:1856:4A5f::/64
Local Internet Registry (LIR)
ISP A ISP C
ISP B
ARIN IPv6 Block:2001:1800::/23
ISP IPv6 Blocks:
•ISP A: 2001:1800::/32
•ISP B: 2001:1801::/32
•ISP C: 2001:1802::/32
2001:1800:1234::/64
2001:1802:1234::/64
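The subnetting and registry slides above can be checked in code. This added example (not part of the original deck) uses Python's standard `ipaddress` module to turn a prefix into its address range and to split the deck's sample address along the RIR, ISP, site and subnet boundaries. The /32-per-ISP and /48-per-site layout and all function names are assumptions for illustration.

```python
import ipaddress

# Blocks copied from the slides: ARIN's IPv6 allocations and the example ISPs.
ARIN_BLOCKS = ["2001:400::/23", "2001:1800::/23", "2001:4800::/23",
               "2600::/12", "2610::/23"]
ISP_BLOCKS = {"ISP A": "2001:1800::/32", "ISP B": "2001:1801::/32",
              "ISP C": "2001:1802::/32"}


def cidr_to_range(cidr):
    """First and last address covered by a prefix, fully expanded."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    return net.network_address.exploded, net.broadcast_address.exploded


def containing(prefix, candidates):
    """Return the candidate block that contains `prefix`, or None."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    for block in candidates:
        if net.subnet_of(ipaddress.IPv6Network(block)):
            return block
    return None


def decompose(addr):
    """Split an address into the fields from the addressing recap.

    Assumed layout (illustrative): /32 per ISP, /48 per site,
    16-bit SLA ID, 64-bit interface ID.
    """
    ip = ipaddress.IPv6Address(addr)
    value = int(ip)
    iid = f"{value & (2**64 - 1):016x}"
    return {
        "rir_block": containing(f"{ip}/128", ARIN_BLOCKS),
        "isp": str(ipaddress.IPv6Network(f"{ip}/32", strict=False)),
        "site": str(ipaddress.IPv6Network(f"{ip}/48", strict=False)),
        "subnet": str(ipaddress.IPv6Network(f"{ip}/64", strict=False)),
        "sla_id": (value >> 64) & 0xFFFF,
        "interface_id": ":".join(iid[i:i + 4] for i in range(0, 16, 4)),
    }


def isp_for(customer_prefix):
    """Name of the example ISP whose /32 contains a customer prefix."""
    block = containing(customer_prefix, ISP_BLOCKS.values())
    return next((n for n, b in ISP_BLOCKS.items() if b == block), None)


if __name__ == "__main__":
    print(cidr_to_range("2001:1900:4545::/48"))
    print(decompose("2001:1900:4545:0003:0200:F8FF:FE21:67CF"))
```

The same containment check is what a prefix-based firewall rule or ACL does, which is why filtering on the provider-assigned /48 or /64 matters more in IPv6 than filtering on single host addresses.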
The Multi-Homed Issue: PA vs. PI
Map Your Network
You should identify:
•Your core infrastructure (routers, switches, etc.)
•Security devices
•Hosts and OSs on your network
•Your DNS and DHCP servers
•Your application servers (public and private)
•Other network devices (printers, NAS, etc.)
What Needs an Upgrade?
The goal of the previous network enumeration process is to figure out what supports
IPv6 and what does not.
Place in three buckets:
•No support
•Partial support
•Full support (w/dual-stack)
Devices lacking support will require eventual upgrade or transition
services
Planning and Migration Strategies
Planning and Migration Strategy
IPv6 Transition Technologies
•Dual-Stack: IPv4 and IPv6 run together on all/most devices. Dual-Stack routing devices can handle translation, if necessary
•Tunneling: Allow IPv6 devices to communicate over an IPv4 network via tunnels (a lot like VPN)
  • Manual: Requires configuration. More control, thus more secure
  • Automatic: Little setup. May sneak out of your network
  • Tunnel Brokers: Companies that offer easy IPv6 tunneling services
•Translation: Rewriting one protocol's packets into another protocol (IPv6 to IPv4, and vice versa).
•Application-specific proxies: Translation only for specific services (web, email, etc). An IPv6 client connects to the proxy server, which makes an IPv4 connection to a service…
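Because automatic tunnels need little setup and can leave the network unnoticed, it helps to look for their fingerprints in flow logs. This added example (not from the original deck) flags flow records that carry IPv6-in-IPv4 encapsulation (IP protocol 41, used by 6to4), Teredo's UDP port 3544, or addresses in the 6to4 (2002::/16) and Teredo (2001::/32) ranges. Teredo is not named in the deck and is included here as a second well-known automatic tunneling mechanism; the record format, function names and sample flows are constructed.

```python
import ipaddress

PROTO_IPV6_IN_IPV4 = 41   # IP protocol number for IPv6 encapsulated in IPv4
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544    # well-known Teredo service port


def classify_address(addr):
    """Label an IPv6 address that embeds an automatic-tunnel IPv4 endpoint."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    if ip.sixtofour is not None:          # address inside 2002::/16
        return ("6to4", str(ip.sixtofour))
    if ip.teredo is not None:             # address inside 2001::/32
        _server, client = ip.teredo
        return ("teredo", str(client))
    return None


def flag_flow(flow):
    """Return the reasons a flow record looks like automatic tunneling."""
    reasons = []
    if flow["proto"] == PROTO_IPV6_IN_IPV4:
        reasons.append("protocol 41 (IPv6-in-IPv4)")
    if flow["proto"] == PROTO_UDP and flow.get("dport") == TEREDO_UDP_PORT:
        reasons.append("UDP/3544 (Teredo)")
    for side in ("src", "dst"):
        hit = classify_address(flow[side])
        if hit:
            reasons.append(f"{side} is {hit[0]} address for {hit[1]}")
    return reasons


# Constructed flow records using documentation address ranges only.
FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.1", "proto": 17, "dport": 3544},
    {"src": "192.0.2.11", "dst": "203.0.113.1", "proto": 41},
    {"src": "2002:c000:204::1", "dst": "2001:db8::5", "proto": 6, "dport": 443},
    {"src": "2001:db8::9", "dst": "2001:db8::5", "proto": 6, "dport": 443},
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow["src"], "->", flow["dst"], flag_flow(flow) or "ok")
```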
Common Tunneling and Translation Protocols
Three Migration Strategies
A Simplified Network
[Diagram: Internet, ISP, IPv4 Core Network, IPv4 Network (DMZ), IPv4 Network (LAN), IPv4 Network]
Core Migration
[Diagram: Internet, IPv4 ISP, IPv6 ISP, IPv6 Tunnel broker or endpoint, IPv4 Core Network, IPv6 Core Network, IPv6 Routers (or Dual-stack), Dual-stack Routers, IPv4 Network (DMZ), IPv4 Network (LAN), IPv4 Network]
Application Server Migration
[Diagram: Internet, ISP, IPv4 Core Network, IPv4 Network (LAN), IPv4 Network, IPv4 Network (DMZ), IPv4/IPv6 Network]
Depending on ISP capabilities, Tunneling or Translation services used for IPv6 Internet access.
Client-side Migration
[Diagram: Internet, ISP, IPv4 Core Network, IPv4 Network (DMZ), IPv4 Network, IPv4 Network (LAN), IPv4/IPv6 Network]
Again, Tunneling or Translation services used where needed
Implementation and Transition
IPv6 Deployment: Eating the Elephant
“[IPv6 deployment] is very much an ‘eating the elephant’ problem, but at one mouthful at a time, it appears to be surprisingly easy. Just do it, bit by bit.”
From Islands to Oceans
[Diagram: Internet, IPv4 Ocean, IPv6 Ocean, IPv4 Island, IPv6 Island, IPv4 Network, IPv6 Network]
Even if you converted to full IPv6 tomorrow,
you will still need translation tech until everyone does IPv6
Expect a Long-term Transition Phase
Wrapping Up
It’s Up To You!
Resources for further reading:
•“0 to IPv6 in 3 Months” Case Study (PDF): goo.gl/jpnX7
•ARIN Number Resource Policy: http://goo.gl/G5fse
•World IPv6 Day Experiences: http://goo.gl/kGeQa
•RFC 6036 - Emerging Service Provider Scenarios for IPv6 Deployment: http://goo.gl/WSMzR
•IPv4-to-IPv6 Transition Strategies: http://goo.gl/8GOzJ
•IPv6 Transition Strategies: http://goo.gl/U5iV6
•IPv6 Calculator Tools: http://goo.gl/OqDw5
Thank You!