Jeff Schwab Don’t Panic! February 3, 2011 IANA (Internet Assigned Numbers Authority) hands out the last 5 available /8 address pools to ARIN, LACNIC, AFRINIC, RIPE, and APNIC Over the next several months these pools will be exhausted After that, requests will be queued until addresses are returned to the pool Address space exhaustion first discussed in the early 1990s! Three competing proposals: 64 bit SIPP (Simple Internet Protocol Plus) 128 bit SIPP Variable length address “TUBA” (ISO based) In 1994, at Toronto meeting IETF announced plans to use 128 bit SIPP 2128 = 3.40282367 * 1038 Assuming one address per cubic meter, this gives us a sphere just short of the orbit of Neptune Certainly, this will be enough After all, a PC only needs 64K of memory IPv4 addresses are usually represented as: Four period separated decimals (0-255) 128.210.11.1 Stored in DNS “A” records IPv6 addresses are usually represented as: Eight colon separated hex numbers (0-FFFF) 2001:18E8:0800:F4FF:0000:0000:0000:0001 Stored in DNS “AAAA” records Any one group of consecutive zeros can be replaced by :: 2001:18E8:800:F4FF::1 Basic Format Host Part Manually configured Mapped from EUI-48 (MAC address) Mapped rom EUI-64 (Infiniband/Firewire) Concerns about privacy/tracking if MAC address is used Many different proposals floated Two early favorites 1) Provider based addressing 13 bits at top level (8192 top level “routes”) Severely limits number of “Tier-1” providers Good for routing table 2) Geographic addressing Good for routing and aggregation Requires more cooperation among providers than we can ever expect Provider/entity based addressing Provider part comes from regional registry (ARIN, etc.) End sites customarily receive a /48 Residential users will get less But we still may be able to get rid of NAT Providers can actually get more than a /32 Almost any large enterprise can receive a /32 The current definition of enterprise is rather loosely interpreted ARIN allocated 2001:18E8::/32 to the Indiana Gigapop Indiana Gigapop allocated 2001:18E8:0800/44 to Purdue University Purdue University allocated 2001:18E8:0800/48 to the West Lafayette campus Initially, West Lafayette campus can allocate 65,536 subnets with 264 potential hosts on each Multicast Anycast Start with ff00::/8 Scoping rules used to limit propagation Highest 128 interface addresses on a subnet Broadcast Gone. Can use scoped multicast instead IPv6 Packet Headers Fixed length header to simplify processing IPv4 headers had variable length due to options Hop Limit – Analogous to IPv4 TTL Next Header – Type of Extension header (Layer 3 or Layer 4) – can be chained Payload Length – Number of octets (unless jumbo extension header follows) Replace (and augment) IPv4 options Source routing Authentication Encryption Layer-4 protocols TCP, UDP, ICMP TCP and UDP Bit for bit the same as with IPv4 ICMP Slightly modified, all IPv4 functionality is there Includes some old IGMP (multicast) functionality Adds functions for neighbor/router discovery ARP Gone! Functionality merged into ICMP RIP OSPF Still there Parallel to IPv4, but two do not interact BGP Can support both IPv4 and IPv6 in same session Static Manual Configuration Router gateway, network address/mask, DNS Just like today only numbers are larger More typing Two Network based options SLAAC DHCPv6 StateLess Automatic Address Configuration IPv6 “Plug and Play” Uses ICMP to find router and local network Host part of address comes from MAC address Some OS’s (Windows) randomize this for privacy But “Privacy addresses” may break firewalls But… No DNS info No generally accepted extensions for DNS Works similarly to DHCP for IPv4 DHCPv6 servers now available But… Currently not implemented by Apple Routers and switches will need to support IPv6 Most current generation hardware does IPv6 to some extent. Routing protocols are available for IPv6 Older hardware will need to be updated May have enough time to work into LCR plan Wireless is usually easy if just bridging Firewalls and Load Balancers Support for IPv6 mostly just starting Some upgraded code for existing hardware May require a forklift upgrade Beating up vendors can help IPv6 is supported in most modern OS’s Generally enabled by default Windows XP does not support DNS over IPv6 “Privacy addresses” on by default in Windows Apple does not support DHCPv6 Server side Many critical pieces already have IPv6 aware versions Apache, Sendmail, Bind, MySQL Client side Most services just rely on underlying OS support Major browsers are IPv6 aware Firefox, Opera, Safari Many sites are enabling IPv6 Industry does not want to lose IPv6 clientelle Facebook, Netflix, and Google are IPv6 ready Google requires whitelisting currently Eventually, IPv6 will be the only protocol Probably after most of us are retired Meanwhile, we need to work in both worlds We will start with islands of IPv6 in an IPv4 world Will transition to islands of IPv4 in an IPv6 world Tunnels will evolve to carry traffic between the islands Will need to support both protocols and forms of tunneling and NAT servers to support access Host supports and talks to both IPv6 and IPv4 Cleanest answer Future-proof Generally transparent to end user As long as everything is “working correctly” Difficult to debug when things go wrong Not enough address bits to be easy “DS-Lite” – Dual Stack Light NAT based solution Needs to play DNS tricks Rumored Comcast trial DNS Alg (DNS64) Special resolver on IPv6-only network If a AAAA record, use it Else put address from A record into bottom 32 bits of special IPv6 prefix May not work well with DNSSEC NAT64 Relay router Dual stack on outside, IPv6 only on inside State table to maintain IPv4 pool “Real” IPv6 addresses used unchanged Special addresses from DNS64 mapped back to IPv4 addresses NATs Lots of NATs Lots and lots and lots of NATs Performance suffers End to end applications fail Lose access to overseas markets/clients Lose access when travelling New remote sites may not be able to get IPv4 space Eventually lose access to domestic markets/clients “Unfunded Mandate” Replace as much hardware as possible in LCR DO NOT buy any new hardware that isn’t IPv6 ready Routers Firewalls Network Appliances Pressure your vendors for software upgrades, etc. Engineering costs to set up new address scheme Cost of running transitional appliances Work IPv6 into hardware LCR Prepare your networking infrastructure for IPv6 Your “Internet presence” (servers) will be most painful conversion Printers and other internal only appliances are lowest priority It’s the End of the World as We Know it We can’t ignore the problem We have some time Start experimenting! World IPv6 Day – June 8, 2011 Questions? Comments? Live Poultry? Acknowledgements: Michael Lambert, Pittsburg Supercomputing Center Internet2 IPv6 Working Group