Cisco IPv6 Solutions Integration & Co-Existence Benoit Lourdelet Technology Product Management, NSSTG blourdel@cisco.com
Agenda • IPv6 Rationales • IPv6 Protocol overview • General Deployment Concepts • Enterprise Deployment • Service Provider Deployment
What is IPv6? Basic Perspectives
• The Network Manager Perspective: Infrastructure focus; Stable specifications, commercial implementations; Cost of deployment and operation
• The End-User Perspective: Applications & Services focus; Integration per application model; IP Agnostic
Key Aspects Reminder • IPv6 is NOT a feature. It is about the fundamental IP network layer model developed for end-to-end services and network transparency • Deployments of production IPv6 infrastructures are under way, the time has come to move our focus to edge, access and usage • 6Bone is phasing out, 6NET is closed,… • Today’s IPv6 deployment drivers do not rely on uncovering the “future killer application” anymore, they focus instead on: • Performing the same as on IPv4 but on a larger scale • Operational cost savings or simpler network models when deploying applications • Leading the innovation
Breaking news: ARIN Board of Trustees resolution, 7 May 2007
WHEREAS, community access to Internet Protocol (IP) numbering Resources has proved essential to the successful growth of the Internet; and,
WHEREAS, ongoing community access to Internet Protocol version 4 (IPv4) numbering resources can not be assured indefinitely; and,
WHEREAS, Internet Protocol version 6 (IPv6) numbering resources are available and suitable for many Internet applications,
BE IT RESOLVED, that this Board of Trustees hereby advises the Internet community that migration to IPv6 numbering resources is necessary for any applications which require ongoing availability from ARIN of contiguous IP numbering resources; and,
BE IT ORDERED, that this Board of Trustees hereby directs ARIN staff to take any and all measures necessary to assure veracity of applications to ARIN for IPv4 numbering resources; and,
BE IT RESOLVED, that this Board of Trustees hereby requests the ARIN Advisory Council to consider Internet Numbering Resource Policy changes advisable to encourage migration to IPv6 numbering resources where possible.
Market Drivers • IPv4 address pool exhaustion – 2010-2015? • National IT strategy • U.S. Federal – OMB memo called for IPv6 infra in June 2008 • Japan, Korea,… • China Next Generation Internet (CNGI) project • European Commission sponsored projects • Emerging countries IPv6 Task Force, ie: India, Africa,… • Microsoft Windows Vista & Longhorn releases • And other O.S. or applications • Next Gen. Broadband: DOCSIS 3.0, Quad Play with HDTV,… • Mobile SP – 3G/4G/WiMax, IP NGN IMS, IP/TV on Mobiles • Networks in Motion • Networked Sensors,…
IPv6 Integration – Per Application Model Today, all O.S. are Dual-Stack • As soon as the infrastructure is IPv6 capable…IPv6 integration can follow a non-disruptive “per application” model New Generation of Internet Appliances
U-2010 – IPv6 Public Safety Framework
(figure: fixed network infrastructures (public, broadband, private, government) and wireless network infrastructures (WiFi, GPRS/3G, satellite, radio, WiMax, DVB-H) feeding risk profiles (bio-ecological, transportation disaster, health, terrorism, rescue, natural disaster) and applications (sensors, instant messenger, video, data, voice, first responders, public information, crisis management, localization, time synch, directory services))
IPv6 - Common Networking Infrastructure Enabler
• Secure environment
• Bi-directional communications
• IP Mobility
• Ad-Hoc Networks
• Traceability
• Community of Interest
IPv4 & IPv6 Header Comparison
(figure: IPv4 header beside IPv6 header; the legend distinguishes fields whose name is kept from IPv4 to IPv6, fields not kept in IPv6, fields whose name and position changed in IPv6, and fields new in IPv6)
IPv6 Packet Structure – RFC 2460
Example 1: IPv6 Header (Next Header = 6, TCP) | TCP header & payload
Example 2: IPv6 Header (Next Header = 43, Routing) | Routing Header (Next Header = 6, TCP) | TCP header & payload
Example 3: IPv6 Header (Next Header = 43, Routing) | Routing Header (Next Header = 51, AH) | Authentication Header (Next Header = 6, TCP) | TCP header & payload
• IPv6 hardware forwarding must be able to parse all fields, following the Next Header chain through every extension header, to reach the L4 details needed for packet filtering and monitoring
• Ref. http://www.cisco.com/en/US/products/ps6553/products_white_paper0900aecd8054d37d.shtml
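The chain walk the bullet above calls for, as an added Python example that is not from the Cisco deck: it follows each Next Header link through the Routing and Authentication headers of the third layout to reach TCP, and flags a Type 0 Routing Header on the way, which is what the "filtering on Routing Type" ACL capability listed later in the deck acts on. The packet bytes, the 2001:db8::/32 addresses and the toy permit/deny policy are constructed for the example.

```python
"""Walking an IPv6 extension-header chain to reach the L4 header.

Added example for this deck (not Cisco's code): a filter or monitor cannot
match on TCP/UDP ports until it has followed every Next Header link in the
chain defined by RFC 2460; along the way it can spot a Type 0 Routing
Header (RH0). Packet bytes below are constructed here, not captured.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 51, 59, 60
TCP = 6
EXT_NAMES = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
             AH: "AH", DEST_OPTS: "Destination"}


def walk_chain(pkt):
    """Return (ext_header_names, l4_protocol, l4_offset, findings).

    l4_protocol is None when the chain ends with No Next Header (59).
    findings lists anomalies a filter should act on (here only "RH0").
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    end = IPV6_HDR_LEN + struct.unpack("!H", pkt[4:6])[0]
    if end > len(pkt):
        raise ValueError("payload length exceeds captured bytes")
    nh, off = pkt[6], IPV6_HDR_LEN
    chain, findings = [], []
    while nh in EXT_NAMES:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        next_nh = pkt[off]
        if nh == FRAGMENT:
            hdr_len = 8                       # fixed size; byte 1 is reserved
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4  # AH length is in 4-octet units
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # other ext headers: 8-octet units
        if off + hdr_len > end:
            raise ValueError("extension header runs past payload")
        if nh == ROUTING and pkt[off + 2] == 0:
            findings.append("RH0")            # Type 0 routing header present
        chain.append(EXT_NAMES[nh])
        off += hdr_len
        nh = next_nh
    return chain, (None if nh == NO_NEXT else nh), off, findings


def acl_decision(pkt):
    """Toy policy: drop RH0, permit TCP to port 22, deny everything else."""
    chain, l4, off, findings = walk_chain(pkt)
    if "RH0" in findings:
        return "deny routing-type 0"
    if l4 == TCP and off + 4 <= len(pkt):
        dport = struct.unpack("!H", pkt[off + 2:off + 4])[0]
        if dport == 22:
            return "permit tcp eq 22"
    return "deny implicit"


# --- constructed packet builders (test data for the example) ---------------
def ipv6_packet(next_header, src, dst, payload, hop_limit=64):
    head = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def routing_header(next_header, rtype, addrs):
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    # next header, hdr ext len (8-octet units, excl. first 8), type, segments left, reserved
    return struct.pack("!BBBB", next_header, len(body) // 8, rtype, len(addrs)) + b"\x00" * 4 + body


def auth_header(next_header, icv=b"\x00" * 12):
    total = 12 + len(icv)                     # fixed part + ICV = 24 octets
    return struct.pack("!BBHII", next_header, total // 4 - 2, 0, 0x1234, 1) + icv


def tcp_header(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def sample_rh0_then_ah_then_tcp():
    """IPv6 | Routing (type 0) | AH | TCP dport 22: the deck's third layout."""
    payload = routing_header(AH, 0, ["2001:db8::2"]) + auth_header(TCP) + tcp_header(40000, 22)
    return ipv6_packet(ROUTING, "2001:db8::1", "2001:db8::3", payload)


def sample_plain_tcp():
    """IPv6 | TCP dport 22: the deck's first layout."""
    return ipv6_packet(TCP, "2001:db8::1", "2001:db8::3", tcp_header(40000, 22))
```

The port-based permit only fires once the walk has reached the TCP header at offset 88 in the constructed packet; a filter that looked at a fixed offset after the 40-byte base header would match on bytes of the Routing Header instead.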
Address Allocation
Example layout: 2001:0DB8 = ISP prefix (/32), next 16 bits = site prefix (/48), next 16 bits = LAN prefix (/64), low 64 bits = Interface ID
• The allocation process is defined by the 5 Registries:
• IANA allocates 2000::/3 as Global Unicast [RFC 4291]
• Registries get /12 prefix(es) from IANA [formerly /23] under new policy - http://www.icann.org/announcements/announcement-12oct06.htm
• Registry allocates a /32 prefix [formerly /35] to IPv6 ISP and others
• Then policies recommend that the ISP allocates a /48 prefix to each customer (or potentially /64)
• http://www.ripe.net/ripe/docs/ipv6policy.html
• http://www.icann.org/announcements/ipv6-report-06sep05.htm
• New Policy to assign PI and IX prefixes as /48
IPv6 Technology Scope
IP Service            IPv4 Solution                                 IPv6 Solution
Addressing Range      32-bit, Network Address Translation           128-bit, Multiple Scopes
Autoconfiguration     DHCP                                          Serverless, Reconfiguration, DHCP
Security              IPSec                                         IPSec Mandated, works End-to-End
Mobility              Mobile IP                                     Mobile IP with Direct Routing
Quality-of-Service    Differentiated Service, Integrated Service    Differentiated Service, Integrated Service
IP Multicast          IGMP/PIM/Multicast BGP                        MLD/PIM/Multicast BGP, Scope Identifier
Introducing Local Network Protection for IPv6
(figure: site using IPv6 global & ULA address space, DHCPv6 Prefix Delegation from the ISP, and explicit context-based access control at the Internet access point)
• IPv4 Network Address Translation (NAT) is widely deployed and its success is due to the fact that today’s Internet is primarily running Client/Server applications.
• No reason to treat NAT as evil, better to analyze “Market’s perceived benefits of IPv4 NAT”, then educate how similar benefits can be achieved with IPv6
• Topology hiding, addressing autonomy, simple security,…
• Local Network Protection for IPv6: A set of IPv6 techniques that may be combined on an IPv6 site to simplify and protect the integrity of its network architecture, without the need for Address Translation
• http://www.ietf.org/internet-drafts/draft-ietf-v6ops-nap-06.txt
IPv6 – Planning Steps
(figure: quarterly timeline from 2005 through 2009 and 201x)
Phases, in order: Identifying the business case, Network Assessment, Cost Analysis, Training, Address planning, Testing, Deploying, Production
How long is needed for each phase of an IPv6 deployment project?
The Scope of IPv6 Deployment
• Applications: Server to Client Information Services; Multimedia (Video Conf); Peer to Peer (ie: Instant Messenger)
• Operations and Training; Provisioning & Monitoring
• Network segments: Campus, Enterprise WAN, Provider Edge, Provider Core, Broadband Networks
• Integration & Co-Existence: IPv6 over IPv4 Tunnels (Configured, 6to4, ISATAP, GRE); Native IPv4 & IPv6 (Cisco IOS is Multi-Protocol Since Day 1); IPv6 over MPLS (AToM, 6PE/6VPE); IPv4-IPv6 Translation
• IPv6 Services – The Cisco IOS Emphasis: QoS, Mobility, Multicast, Security, Instrumentation
• IPv6 Forwarding & Routing protocols (RIPng, EIGRP, OSPFv3, IS-ISv6, MP-BGP4)
• Link layers: Frame Relay, PPP, HDLC, POS, ATM, FE, GE, 10GE, Wireless, xDSL, Cable, FTTH
Network Assessment • A key and mandatory step to evaluate the impact of IPv6 integration • May be split in several phases • Infrastructure – networking devices • Hosts, Servers and applications • Must be as complete as possible to allow upgrade cost evaluation and planning • Hardware type, memory size, interfaces, CPU load,… • Software version, features enabled, license type,… • Difficult to complete if a set of features is not defined per device category for a specific environment • IPv6-capable definition, knowledge of the environment and applications, design goals
IPv6 Addressing Considerations • Understand the IPv6 addressing model • Several IETF related documents (RFC 4291 (3513), 3041, 3056, 3879, 4007, 4193, 4214…) • IANA and Registries policies and prefix allocation rules • http://www.arin.net/policy/nrpm.html#ipv6 • Internal rules • Develop an addressing plan • Leverage hierarchical addressing within the network, for route aggregation and consolidation at the core • Addresses are assigned to interfaces as in IPv4, but interfaces are expected to have multiple addresses • Address type, scope and lifetime • Unicast, Anycast, Multicast • Valid and preferred lifetime – RFC 4192 on Renumbering
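An added Python example (not from the deck) for the addressing plan above: it carves an ISP /32 into /48 site prefixes and /64 LAN prefixes as the Address Allocation slide's registry policy recommends, checks that all sites aggregate into one core summary route, classifies prefixes by scope (global unicast, ULA, link-local), and derives a modified EUI-64 interface ID from a MAC address. The /32 used is the RFC 3849 documentation prefix 2001:db8::/32 and the MAC address is made up.

```python
"""Hierarchical IPv6 address plan and interface-ID derivation.

Added example (not Cisco's): ISP /32 -> site /48 -> LAN /64, scope
classification, and modified EUI-64 interface IDs (RFC 4291). The embedded
MAC address is leaked verbatim into the EUI-64 address, which is the reason
the RFC 3041 privacy addresses listed on the slide exist.
"""
import ipaddress
import itertools

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # RFC 4291
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")     # RFC 4193
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def classify(prefix):
    """Return the scope a prefix belongs to, for routing and filtering policy."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.subnet_of(GLOBAL_UNICAST):
        return "global"
    if net.subnet_of(UNIQUE_LOCAL):
        return "ula"
    if net.subnet_of(LINK_LOCAL):
        return "link-local"
    return "other"


def build_plan(isp_prefix, site_count, lans_per_site):
    """ISP /32 -> site /48s -> LAN /64s, as the registry policy recommends."""
    isp = ipaddress.IPv6Network(isp_prefix)
    if isp.prefixlen != 32:
        raise ValueError("expected an ISP-sized /32 allocation")
    plan = {}
    for site in itertools.islice(isp.subnets(new_prefix=48), site_count):
        lans = itertools.islice(site.subnets(new_prefix=64), lans_per_site)
        plan[str(site)] = [str(lan) for lan in lans]
    return plan


def aggregates_to(plan, summary):
    """True when every site prefix in the plan is covered by one summary route."""
    net = ipaddress.IPv6Network(summary)
    return all(ipaddress.IPv6Network(site).subnet_of(net) for site in plan)


def eui64_address(lan_prefix, mac):
    """Modified EUI-64: flip the U/L bit, insert ff:fe, append to the /64."""
    net = ipaddress.IPv6Network(lan_prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64")
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))
```

Because the plan keeps every /48 inside the /32, the core only needs the summary route; an interface ID such as 20c:29ff:feab:cdef also shows why an audit of SLAAC hosts can recover hardware addresses from IPv6 logs unless privacy addresses are in use.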
Education
It is a very important aspect of planning. Knowledgeable staff would make better decisions in planning the deployment. The sooner it is initiated the less expensive and more valuable it is.
Many education options:
• Formalized training used to train-the-trainer.
• Global resources: 6Bone (http://www.6bone.net); IPv6 Forum (http://www.ipv6forum.com); IPv6 Task Force (http://www.ipv6tf.org); North America (http://www.nav6tf.org); Europe (http://www.ipv6tf.org/meet/tf/eutf.php); Japan (http://www.v6pc.jp/en/index.html)
Education (cont.)
Many education options:
• Reference Projects: 6DISS (http://www.6diss.org); 6NET (http://www.6net.org); Euro6IX (http://www.euro6ix.org); Moonv6 (http://moonv6.sr.unh.edu)
• Cisco resources: Partner e-Learning Connection: http://www.cisco.com/warp/public/10/wwtraining/pec/peclogin.html; Cisco Learning Connection: http://www.cisco.com/en/US/learning/le31/le46/learning_customer_e-learning_connection_tool_launch.shtml
Campus IPv6 Deployment Options – Dual-stack IPv4/IPv6
(figure: Access Layer (L2/L3), Distribution Layer, Core Layer, Aggregation Layer (DC) and Access Layer (DC) all v6-enabled and dual stack, down to an IPv6 server)
• Requires switching/routing platforms to support hardware based forwarding for IPv4 and IPv6
• IPv6 is transparent on L2 switches except for multicast - MLD snooping
• IPv6 management—Telnet/SSH/HTTP/SNMP
• Requires robust control plane for both IPv4 and IPv6
• Variety of routing protocols—The same ones in use today with IPv4
• Requires support for IPv6 multicast, QoS, infrastructure security, etc…
• IPv4 and IPv6 control planes and data planes must not impact each other (See RST-3301)
Campus IPv6 Deployment Options – Hybrid Model
(figure: ISATAP tunnel from access-layer hosts and a configured tunnel between L3 devices reach a dual-stack core, aggregation layer (DC) and dual-stack server; the access and distribution layers are not v6-enabled)
• Offers IPv6 connectivity via multiple options: Dual-stack; Configured tunnels – L3-to-L3; ISATAP – Host-to-L3
• Leverages existing network
• Offers natural progression to full dual-stack design
• May require tunneling to less-than-optimal layers (i.e. Core layer)
• ISATAP creates a flat network (all hosts on same tunnel are peers); create tunnels per VLAN/subnet to keep same segregation as existing design (not clean today)
• Provides basic HA of ISATAP tunnels via old Anycast-RP idea
• ISATAP does not support IPv6 Multicast; configured tunnels do support IPv6 Multicast
Campus IPv6 Deployment Options – IPv6 Service Block – An Interim Approach
(figure: IPv4-only campus block (access, distribution, core, aggregation and data center layers) with Red and Blue VLANs; primary and secondary ISATAP tunnels from access-layer PCs to the IPv6 service block; an equal-cost configured tunnel mesh from the data center block; Internet access either through the WAN/ISP block with IOS FW (1) or through a dedicated firewall on a dedicated IPv6 connection (2))
• Provides ability to rapidly deploy IPv6 services without touching existing network
• Provides tight control of where IPv6 is deployed and where the traffic flows (maintain separation of groups/locations)
• Provides basic HA of ISATAP
• ISATAP tunnels from PCs in Access layer to service block switches
• In this example configured tunnels are used from Data Center to Service Block
• Dependency on ISATAP alienates IPv6 multicast applications
• Internet access options: 1) Leverage existing ISP block for both IPv4 and IPv6 access; 2) Use dedicated ISP connection just for IPv6 – Can use IOS FW or PIX/ASA appliance
IPv6 Enabled Branch – Take Your Pick – Mix-and-Match
(figure: three branch designs, Branch Single Tier, Branch Dual Tier and Branch Multi-Tier, each connected to HQ over the Internet, MPLS or Frame Relay)
• Dual-Stack IPSec VPN (IPv4/IPv6) over the Internet; IOS Firewall (IPv4/IPv6); Integrated Switch (MLD-snooping)
• Dual-Stack IPSec VPN or MPLS (6PE/6VPE); Firewall (IPv4/IPv6); Switches (MLD-snooping)
• Dual-Stack IPSec VPN or Frame Relay; IOS Firewall (IPv4/IPv6); Switches (MLD-snooping)
Cisco VPN Client in IPv6 environment
(figure: a remote user sends IPv6 and IPv4 traffic over the Internet; the IPv6 traffic rides an IPv6-in-IPv4 tunnel inside the IPv4 IPsec VPN; in the corporate network the firewall and IPv4 IPsec termination (PIX/ASA/IOS VPN/Concentrator) sit in front of the IPv6 tunnel termination and a dual-stack server)
• Requirement: Cisco IOS release with either Configured or ISATAP tunnels; Cisco VPN Client 4.x
Cisco IPv6 Security Solutions
• IPv6 Firewall: IOS Firewall 12.3T, 12.4, 12.4T; PIX 7.x; ASA 5500 series; FWSM 3.x
• IPv6 IPSec HW Encryption: 7200 VAM2+ SPA; ISR AIM VPN; next gen. 5G IPsec VPN SPA
• IPsec – Secure Connectivity: IPv6 over IPv4 IPsec tunnels; IPv4 dynamic IPSec to protect IPv6 over IPv4 tunnels with dynamic IPv4 end point; IPv6 IPSec Authentication for OSPFv3; IPv6 IPsec Tunnel Router-to-Router
• Packet filtering – Threat protection: Standard, reflexive, extended access control list; Enhanced extended ACL – filtering on Routing Type; Hardware e-ACL filtering capabilities (CRS-1, C12K, C7600, C6500,…) including parsing option headers
Looking at IPv6 Network Management • Network Management evolution needs to be integrated in the IPv6 deployment strategy • In a dual-stack network, both IPv4 and IPv6 environments must be managed with the best optimization to decrease the cost of operations • 3 areas to consider • Instrumentation (MIBs, Netflow record, IP SLA,…) • New IP MIBs, RFC 4001 compliance • Network Protocol (SNMP, TFTP, Syslog, Telnet, SSH,…over IPv6) • NMS & Applications for IPv6 • DNS/DHCP server (CNR 6.2), Netflow Collector 5.x, Ciscoworks LMS 2.5 (Topology, User Tracking,…)
Cisco IT IPv6 Deployment
(figure: Cisco global network with the Cisco SJC internal net and Cisco SJC DMZ; the IPv4 Internet is reached through an IPv4 Internet access router and IPv4 firewall; the IPv6 Internet is reached through an IPv6 firewall & tunnel termination router (incl. ISATAP); a DMZ tunnel router, network monitoring host, address management & DNS, and development labs sit behind the DMZ)
Service Provider Deployment – ISP’s Aggregation
(figure: dual-stack core with peering to an IPv6 IX; dual-stack IPv4-IPv6 enterprises attached over dual-stack or dedicated L2 circuits; IPv6 broadband users over DSL, cable, FTTH and 802.11 hot-spots; a 6to4 relay courtesy service)
• IPv6 IX Peering
• IPv6 Transit services
• IPv6 enabled on Core Routers
• IPv6 services to Enterprise customers
• IPv6 services to Home Users
• Additional Services: 6to4 relay courtesy service; IPv6 Multicast for streaming (Triple Play)
IPv6 over MPLS Infrastructure • Service Providers have already deployed MPLS in their IPv4 backbone for various reasons • MPLS/VPN, MPLS/QoS, MPLS/TE, ATM + IP switching • Several IPv6 over MPLS scenarios • IPv6 Tunnels configured on CE (no impact on MPLS) • IPv6 over Circuit_over_MPLS (no impact on IPv6) • IPv6 Provider Edge Router (6PE) over MPLS & IPv6 VPN over MPLS (6VPE) with no impact on MPLS core • Native IPv6 MPLS (requires full network upgrade) • Upgrading software to IPv6 Provider Edge Router (6PE) • Low cost and risk as only the required Edge routers are upgraded or installed • Allows IPv6 Prefix delegation by ISP
Minimum Infrastructure Upgrade for 6PE
(figure: IPv6-only segments at a POP (DSL, FTTH) and in a data center attach through 6PE routers (Cisco 7600 Sup.720 as 6PE) to an MPLS/IPv4 core running up to OC-192; an MP-iBGP session links the 6PE routers; a NAT-PT box connects an IPv4 server to the IPv6 network next to an IPv6 server)
• 6PE – RFC 4798 – defined by Cisco and available from IOS
• MPLS/IPv4 Core Infrastructure is IPv6-unaware
• PEs are updated to support Dual Stack/6PE
• IPv6 reachability exchanged among 6PEs via iBGP (MP-BGP)
• IPv6 packets transported from 6PE to 6PE inside MPLS
IPv6 Integration on MPLS VPN infrastructure
(figure: Site-1 (CE1) and Site-2 (CE2) are dual-stack networks using the prefixes 10.101/16 with 2001:101::/64 and 10.201/16 with 2001:201::/64; a dual-stack server uses 10.100/16 and 2001:100::/64; both sites are in VRF red on PE1 and PE2; CE-PE links run MP-eBGP sessions with address-family IPv4 and IPv6; PE1-PE2 run an MP-iBGP session with address-family VPNv4 and VPNv6 across P1 and P2 in the core, which runs an IPv4 IGP (OSPF, ISIS) and LDP-v4)
• MPLS/IPv4 Core Infrastructure is IPv6-unaware
• PEs are updated to support Dual Stack/6VPE
• IPv6 VPN can co-exist with IPv4 VPN – same scope and policies
• 6VPE – RFC 4659 – Cisco authored for IPv6 VPN over MPLS/IPv4 infrastructure
• Cisco IOS 12.2(33)SRB on 7600, IOS-XR 3.5 on C12000
PE configuration for the dual-stack VRF (from the slide):
    vrf definition site1
     rd 100:1
     route-target import 100:1
     route-target export 100:1
     address-family ipv4
     address-family ipv6
    !
    interface ethernet0/0
     vrf forwarding site1
     ip address 10.100.1.2 255.255.0.0
     ipv6 address 2001:100::72b/64
Cisco IOS IPv6 Broadband Access Solutions
(figure: PSTN dial NAS, DSL (DSLAM, BAS), cable head-end (DOCSIS 3.0 proposal), access Ethernet, 802.11 and mobile RAN access into ISP A with a dual-stack or MPLS (6PE) core; an IPv4/IPv6 firewall (PIX, IOS FW) towards the Internet and the enterprise; services shown include video, IPv6 multicast, distributed computing (GRID) and Mobile IPv4/IPv6)
• Layer 2 Encapsulation(s): ATM RFC 1483 Routed or Bridged (RBE); PPP, PPPoA, PPPoE, Tunnel (Cable)
• IPv6 Prefix Pools
• IPv6 Radius (Cisco VSA and RFC 3162)
• DHCPv6 Prefix Delegation, Stateless DHCPv6, DHCPv6 Relay, Generic Prefix
Prefix/Options Assignment
(figure: Host – CPE (DHCP client, ND/DHCP towards the host) – PE (DHCP server, AAA) – ISP provisioning system)
(1) CPE sends DHCP SOLICIT with ORO = PD
(2) PE sends RADIUS request for the user
(3) RADIUS responds with user’s prefix(es)
(4) PE sends DHCP REPLY with Prefix Delegation options
(5) CPE configures addresses from the prefix on its downstream interfaces, and sends an RA with the O-bit set
(6) Host configures addresses based on the prefixes received in the RA. As the O-bit is on, it sends a DHCP INFORMATION-REQUEST message with ORO = DNS
(7) CPE sends a DHCP REPLY containing the requested options
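The provisioning sequence above as an added Python example (not Cisco code): it builds and parses the on-wire DHCPv6 messages (RFC 3315, RFC 3633) for steps (1), (4), (5), (6) and (7), with both the CPE and PE sides present. The RADIUS lookup of steps (2) and (3) is replaced by a constructed user-to-prefix table; the PE answers the SOLICIT directly with a REPLY as the slide draws it, which on a real server needs the Rapid Commit option; DUIDs, relay encapsulation and the user's prefix 2001:db8:1000::/48 are assumptions of the example.

```python
"""DHCPv6 prefix delegation and stateless DNS option exchange.

Added example for this deck (not Cisco's). Simplifications, all assumed:
no client/server DUIDs, no Rapid Commit option even though SOLICIT is
answered with REPLY directly, and a constructed table instead of RADIUS.
"""
import ipaddress
import itertools
import struct

SOLICIT, REPLY, INFORMATION_REQUEST = 1, 7, 11
OPT_ORO, OPT_DNS_SERVERS, OPT_IA_PD, OPT_IAPREFIX = 6, 23, 25, 26
# Stand-in for the RADIUS answer in steps (2)/(3): user -> delegated prefix.
USER_PREFIXES = {"cpe1@example.net": ipaddress.IPv6Network("2001:db8:1000::/48")}


def option(code, data):
    """DHCPv6 option TLV: 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    opts = []
    while len(buf) >= 4:
        code, length = struct.unpack("!HH", buf[:4])
        opts.append((code, buf[4:4 + length]))
        buf = buf[4 + length:]
    return opts


def message(msg_type, xid, options):
    """msg-type (1 byte) + transaction-id (3 bytes) + options."""
    return struct.pack("!I", (msg_type << 24) | (xid & 0xFFFFFF)) + b"".join(options)


def parse_message(buf):
    head = struct.unpack("!I", buf[:4])[0]
    return head >> 24, head & 0xFFFFFF, parse_options(buf[4:])


def cpe_solicit(xid, iaid):
    """(1) CPE asks for prefix delegation: ORO listing IA_PD plus an empty IA_PD."""
    return message(SOLICIT, xid, [option(OPT_ORO, struct.pack("!H", OPT_IA_PD)),
                                  option(OPT_IA_PD, struct.pack("!III", iaid, 0, 0))])


def pe_reply(solicit, user):
    """(2)-(4) PE looks the user up and returns IA_PD carrying an IA_PREFIX."""
    msg_type, xid, opts = parse_message(solicit)
    if msg_type != SOLICIT or OPT_IA_PD not in dict(opts):
        raise ValueError("not a prefix-delegation SOLICIT")
    iaid = struct.unpack("!I", dict(opts)[OPT_IA_PD][:4])[0]
    prefix = USER_PREFIXES[user]
    # IA_PREFIX: preferred lifetime, valid lifetime, prefix length, 16-byte prefix
    ia_prefix = option(OPT_IAPREFIX, struct.pack("!IIB", 3600, 7200, prefix.prefixlen)
                       + prefix.network_address.packed)
    # IA_PD: IAID, T1, T2, then sub-options
    ia_pd = option(OPT_IA_PD, struct.pack("!III", iaid, 1800, 2880) + ia_prefix)
    return message(REPLY, xid, [ia_pd])


def cpe_delegated_prefix(reply):
    """(5) CPE extracts the delegated prefix from IA_PD / IA_PREFIX."""
    msg_type, _, opts = parse_message(reply)
    if msg_type != REPLY or OPT_IA_PD not in dict(opts):
        raise ValueError("expected a REPLY with IA_PD")
    for code, data in parse_options(dict(opts)[OPT_IA_PD][12:]):
        if code == OPT_IAPREFIX:
            return ipaddress.IPv6Network((ipaddress.IPv6Address(data[9:25]), data[8]))
    raise ValueError("REPLY carried no IA_PREFIX")


def cpe_lan_prefixes(prefix, count):
    """(5) The /64s the CPE announces in RAs on its downstream interfaces."""
    return [str(n) for n in itertools.islice(prefix.subnets(new_prefix=64), count)]


def host_information_request(xid):
    """(6) Host saw the O-bit: ask for DNS only, no address."""
    return message(INFORMATION_REQUEST, xid,
                   [option(OPT_ORO, struct.pack("!H", OPT_DNS_SERVERS))])


def cpe_dns_reply(request, servers):
    """(7) CPE answers only the options the host listed in its ORO."""
    msg_type, xid, opts = parse_message(request)
    oro = dict(opts).get(OPT_ORO, b"")
    requested = struct.unpack("!%dH" % (len(oro) // 2), oro)
    replies = []
    if OPT_DNS_SERVERS in requested:
        replies.append(option(OPT_DNS_SERVERS,
                              b"".join(ipaddress.IPv6Address(s).packed for s in servers)))
    return message(REPLY, xid, replies)


def host_dns_servers(reply):
    _, _, opts = parse_message(reply)
    data = dict(opts).get(OPT_DNS_SERVERS, b"")
    return [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]
```

The transaction ID is echoed back in each REPLY so the client can match answers to its own requests; a deployment should additionally pin the PE-CPE exchange to the expected DUIDs and relay-agent interface, since anything on the access link can otherwise answer a SOLICIT.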
Summary
• Markets Perspective: IPv6 enables innovation, scalability and simplicity
• Software Developer Perspective: Applications must be “IP agnostic”
• Network Manager Perspective: Infrastructure must deliver IPv6 up to the edge/access layer
• The End-User Perspective: IP version needs to be transparent
Ensure an orderly and secured transition using Cisco IPv6 Solutions
More Information • CCO IPv6 - http://www.cisco.com/ipv6 • Cisco IPv6 Solutions • http://www.cisco.com/en/US/tech/tk872/technologies_white_paper09186a00802219bc.shtml • IPv6 Application Notes • http://www.cisco.com/warp/public/732/Tech/ipv6/ipv6_techdoc.shtml • Cisco IOS IPv6 manuals • http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_vcg.htm