
IPv6 Enterprise Case Study

IPv6 Enterprise Case Study. Tim Chown tjc@ecs.soton.ac.uk School of Electronics and Computer Science University of Southampton (UK) IEC 21st Century Conference, 27th March 2006, London. Case Study. In this slot we look at an IPv6 deployment in a small-medium enterprise network


Presentation Transcript


  1. IPv6 Enterprise Case Study Tim Chown tjc@ecs.soton.ac.uk School of Electronics and Computer Science University of Southampton (UK) IEC 21st Century Conference, 27th March 2006, London

  2. Case Study • In this slot we look at an IPv6 deployment in a small-medium enterprise network • Electronics and Computer Science @ Southampton • Philosophy is dual-stack • Consider IPv6-only elements at a later date • A production deployment • Aim to make key network services IPv6 enabled • Facilitate deployment of IPv6-only nodes if desired • Must therefore be robust; introducing IPv6 must not adversely affect IPv4 service • Academic setting, but services still critical

  3. ECS specifics • Medium sized department network • Around 1,000 hosts in around 16 IPv4 subnets • Mixed Win 2000/XP, MacOS/X, Linux, Solaris, Irix • New Cisco switch-routers • Cisco 6509 (1) and 3750 (30+) • Run all own infrastructure Internet services • DNS, SMTP (MX servers), web, NTP, … • IPv4 connectivity supplied by LeNSE and JANET • Regional and backbone academic providers • Includes IPv4 multicast • Limited but good IPv6 knowledge in staff • Ran a training course for JANET community in 2005

  4. Deployment scenario • Goal to deploy pervasively in ECS • We decided to deploy dual-stack • Enable IPv6 in all host and router platforms where possible • Enable all key applications and services • Support teaching and research • Facilitate IPv6 access for potential overseas students • Need to also consider offering remote IPv6 access • Some form of tunnelling considered • But those services provided at JANET level now • 6to4 relay and IPv6 tunnel broker • Thus focused here on internal ECS deployment

  5. ECS IPv4 topology

  6. IETF documents • Considered (and co-authored) during the process • Enterprise Scenarios • Issues to consider for the transition • RFC4057 • Enterprise Analysis • Considers applicability of the transition tools • draft-ietf-v6ops-ent-analysis-04 • Campus Transition • A specific case study (discussed here today) • draft-chown-v6ops-campus-transition-02

  7. Phase 1: Advanced planning • Introduce IPv6 requirements into all tenders • Ensure you have ability to turn IPv6 on when ready • Obtain IPv6 address block allocation from ISP • Enterprise allocation by default a /48 • Includes DNS forward and reverse delegation • Establish IPv6 training programme • Determine ‘hands-on’ trial requirements for operational staff, perhaps via a tunnel broker • Review IPv6 security issues • Review and revise security policies

  8. Phase 2a: testbeds/trials • Assign and deploy IPv6 capable access router(s) and security devices (firewall) • Isolated dual-stack environment, e.g. IPv4 DMZ • Establish IPv6 connectivity to provider • Configure desired routing protocols, if required • Connect testbed hosts on internal network • For an initial testbed a single /64 subnet should suffice • Deploy IPv6 DNS • e.g. using BIND9 on a Unix platform • Enable IPv6 on the host systems • Configure applications and services

  9. Phase 2b: Preparation • Survey systems, applications and services for IPv6 capability • Includes management/monitoring/OSS components • Assess porting options for IPv4-only elements • Consider alternative solutions if no IPv6 capability available • Formulate an IPv6 site addressing plan • How to allocate your /48 • May administratively overlap with existing IPv4 plan • Document IPv6 related policies • e.g. Stateless vs Stateful address assignment, use of IPv6 privacy addresses

  10. Phase 3: Deployment • Configure IPv6 on dual-stack routing equipment • Access router and firewall(s) • Enable IPv6 on the wire on chosen links • e.g. Server subnet(s) and selected client subnets • Add IPv6 addresses to DNS servers and configure servers to respond over IPv6 • Enable IPv6 on management elements • Enable IPv6 on selected production services • e.g. Web, DNS, mail MXes • Include IPv6 in all ongoing security tests • Periodic penetration tests, etc.

  11. Address allocations • JANET is academic ISP in the UK • Assigned 2001:630::/32 by the RIPE RIR • Southampton requested a prefix • Assigned 2001:630:d0::/48 • University has 15-20 Schools • ECS allocated a /56 prefix • Allows 256 subnets of size /64 • Allocated in a way that allows us to go back for more • Allocated to be congruent with existing IPv4 subnets • Address management • Using manual/SLAAC, with early DHCPv6 trials

  12. Service enabling • DNS • BIND9 running on three primary DNS servers • Mail MX • IPv6 running on three sendmail-based MX systems • (No IPv6 for MS Exchange yet, server side) • Web • IPv6 integral to Apache 2 • Running around 200 domains • NTP • Using Meinberg and RIPE TT systems (roof GPS-based)

  13. DNS • Two aspects to consider • IPv6 records for hosts in DNS • Use new AAAA record for IPv6: • ns0.ecs.soton.ac.uk. 1800 IN A 152.78.70.1 • ns0.ecs.soton.ac.uk. 1800 IN AAAA 2001:630:d0:f116::53 • IPv6 transport for the lookups • Nominet support IPv6 transport to .uk • JANET supports IPv6 transport to .ac.uk • Some root servers now support IPv6 transport • Supported out of the box in BIND9 • General advice to deploy local dual-stack DNS resolver

  14. Client enabling • IPv6 availability good on all systems • Windows XP • Turn on with ‘netsh ipv6 install’ • Mac OS/X • On by default • Linux • Varies by flavour; often on by default • Solaris • Enable at install or subsequently • Available on some ‘unexpected’ systems • e.g. Symbian-based Nokia 9500 via WLAN interface

  15. Microsoft future • Windows Vista and Server “Longhorn” • Two good feature articles: • http://www.microsoft.com/technet/itsolutions/network/evaluate/new_network.mspx • http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx • Both have integrated IP stack • Most importantly IPv6 is on by default • Strong IPv6 support, including: • IPsec support • Teredo (IPv6 tunneling through IPv4 NATs) • IPv6 over PPP • MLDv2 (for IPv6 source-specific multicast) • DHCPv6 client (for stateful configuration)

  16. Routing • Recently procured internal routing equipment • Included IPv6 requirements in tender • Included IETF IPv6 RFC specifications • IPv6 network management and monitoring capability • Some advanced services • IPv6 Multicast • MLD (IPv6 multicast) snooping in Layer 2 devices • Plus many IPv4 features! • Ultimately chose Cisco 6509 and 3750 solution • Deployed from Day 1 with IPv6 enabled

  17. ECS dual-stack topology

  18. Improved IP Multicast • IPv6 offers streamlined multicast deployment • Multicast is base part of the IPv6 protocol • No MSDP for IPv6 • Instead use Embedded RP (RFC3956) • RP address included in IPv6 multicast group address • Thus no need for protocol to interconnect RPs • Developed in 6NET project (www.6net.org) • Also strong interest in IPv6 SSM multicast model • Alternative simplified multicast architecture - no RPs • Has led to two student-led innovations • ECS-TV and Surge Radio

  19. Monitoring tools • Use several tools, including • Cisco Netflow for IPv6 • SNMP with MRTG • RIPE NCC Test Traffic measurement server • Example below shows IPv6 traffic to/from a DMZ link • Sun-Sun 19th-26th March 2006

  20. Summary • IPv6 has been deployed dual-stack • Enabled on all links • Many hosts IPv6 enabled • Key (external facing) services IPv6 enabled • DNS, Mail MXs, web • No adverse impact on IPv4 service • Seeing some student innovation • Also (CS) students using IPv6 in home networks • Positive experience to date • Next steps: Mobile IPv6 trials, IPv6-only trials • Also dual-stack firewall and IDS trials
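Slide 18 notes that with Embedded RP (RFC3956) the RP address is carried inside the IPv6 multicast group address. The following is an added example, not part of the original presentation: it decodes the RP from a group address and checks whether that RP falls inside the site prefix from slide 11. The function names and the sample group addresses are constructed for illustration; only 2001:630:d0::/48 comes from the slides.

```python
import ipaddress

def embedded_rp(group):
    """Return the RP address embedded in an IPv6 multicast group (RFC 3956),
    or None when the group does not use Embedded RP."""
    g = int(ipaddress.IPv6Address(group))
    if g >> 120 != 0xFF:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    # Layout: ff | flgs(4) | scop(4) | rsvd(4) | RIID(4) | plen(8) | prefix(64) | group ID(32)
    if (g >> 116) & 0xF != 0x7:          # flags must be 0111 (R, P, T), i.e. ff70::/12
        return None
    riid = (g >> 104) & 0xF              # becomes the RP's interface ID (1..15)
    plen = (g >> 96) & 0xFF              # significant bits of the prefix field
    # RIID 0 and plen outside 1..64 are not valid Embedded-RP encodings.
    if riid == 0 or not 1 <= plen <= 64:
        raise ValueError(f"{group}: invalid RIID/plen ({riid}/{plen})")
    prefix = (g >> 32) & (2**64 - 1)
    prefix &= ~((1 << (64 - plen)) - 1)  # zero the prefix bits beyond plen
    return ipaddress.IPv6Address((prefix << 64) | riid)

def classify_group(group, allowed_prefixes):
    """Verdict a group filter could apply before accepting state for a group."""
    try:
        rp = embedded_rp(group)
    except ValueError:
        return "malformed"
    if rp is None:
        return "no-embedded-rp"
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]
    return "rp-in-site" if any(rp in n for n in nets) else "rp-outside-site"

SITE = ["2001:630:d0::/48"]              # Southampton prefix from slide 11

# Constructed sample groups (subnet f000/f1ff and group IDs are made up).
SAMPLES = [
    "ff7e:140:2001:630:d0:f000:0:1234",  # RIID 1, plen 64, RP inside the site
    "ff7e:138:2001:630:d0:f1ff:0:1",     # plen 56: low prefix bits are masked off
    "ff7e:240:2001:db8:beef:feed:0:1",   # RP in someone else's prefix
    "ff7e:40:2001:630:d0::1",            # RIID 0: not a valid encoding
    "ff3e::1234",                        # SSM-style group, no RP embedded
]

if __name__ == "__main__":
    for grp in SAMPLES:
        print(f"{grp:36} {classify_group(grp, SITE)}")
```

A group whose embedded RP lies outside the site's own prefixes is the case worth logging at the border, since accepting it means building multicast state towards an RP the site does not operate.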
