What to Expect When Expecting IPv6

Tim Helming, Director of Product Management
Corey Nachreiner, CISSP, Sr. Network Security Strategist

Welcome to WatchGuard’s IPv6 Webinar Series!

What To Expect from IPv6
You’re here because v6 matters to you. We’re here to help!
Things we’ll answer:
• What ISPs are doing today with IPv6
• How to prepare your own network

Part 1: Current IPv6 Readiness

IPv6 Readiness
Growing daily…
…but still a drop in the bucket

Remember this? Hasn’t changed much!

Breadth, not depth
• All regions are participating
• Traffic volumes low
Source: Elise Gerich, IANA/ICANN

WIPv6D: Native v6 traffic nearly doubled!
From .025% of all traffic …to… .041% of all traffic
Source: http://asert.arbornetworks.com/2011/06/world-ipv6-day-final-look-and-wagons-ho/

ISP IPv6 Readiness Varies Greatly
• A few are 100% ready
• Many are getting close
• A few are just not there at all—still planning

Bottom Line:
Your ISP may not have all the answers, yet…
…but they are eager to talk v6
More detail in Part 2 today!

Part 2: Three Steps to IPv6

Three Steps to Implementing IPv6
• Research and Discovery
• Planning & Migration Strategies
• Implementation & Transition

Research and Discovery

Find the Answer to Three Questions
• Does your ISP support IPv6?
• What’s your network look like today?
• What needs an upgrade? (or a transition technology)

The State of IPv6 Among ISPs
Your ISP is your gateway to the Internet. As such, the IPv6 migration strategies available to you depend heavily on what IPv6 services your ISP offers today.
• Native IPv6 support
• IPv6 transition services
• IPv4 only (v6 is your problem)

Real-World IPv6 Readiness: An ISP Survey
RFC 6036: Emerging Service Provider Scenarios for IPv6 Deployment
• 30 ISPs participated
• Served from 30 customers to 40 million
• 66% EMEA, 20% N.Amer, 4% APAC
• Published 2010

ISP Survey Trends and Highlights
[Charts: Big Customers Requesting IPv6 / Current IPv6 Customers / Support. Segment labels: Yes 60%, No 40%; Use IPv6 1%, Use IPv4 99%]
•Estimated IPv4 depletion 2015
•93% plan Dual-stack backbone
•40% run or plan to run 6to4 relay
•CPE often doesn’t support IPv6
•Prefixes offered:
  •/48 most common
  •/64 (especially among mobile)
  •/56
  •/52, /60 sometimes

A Quick Look at N. American ISPs
• Testing internally w/FIOS network April 2010
• IPv6 running on back end
• Offer transition service for businesses
• Have started public trials
• Offered Tunneling in Phase 1
• Moving to Dual stack CPE
• One of the best US options for residential IPv6 today
• Supports dual-stack
• Limited customer trials during 2011.
• Will offer businesses IPv6 DIA Sept. 2011
• Expects full support 1H 2012.
[Slide labels: Comcast, Time Warner]
• No clear time frame for IPv6 support
• (but they say they’ve been working on it)
• IPv6 trials with Business Customers
• IPv6 at core
• Says they will extend trials soon.
• IPv6 in core
• Offers IPv6 trials to business customers
• MPLS supports IPv6
[Slide labels: Rogers, Cox, Qwest/CenturyLink, Verizon]

Hurricane Electric is a global Internet backbone provider (and transit ISP), with a specific focus on IPv6
• The largest IPv6 backbone in the world
• First to connect 1000 IPv6 networks
• Offers a free IPv6 tunnel broker service
• Offers a free IPv6 certification service
• Offers a free, IPv6 capable DNS service

RECAP: IPv6 Hierarchical Addressing
[Diagram labels: Global Routing Prefix, Prefix, SLA ID, Interface ID, RIR, NIR/LIR]
2561:1900:4545:0003:0200:F8FF:FE21:67CF

IPv6 Subnetting
•CIDR only (slash notation)
•No concept of subnet masks
•/ followed by prefix size (decimal number 1-128)

2001:1900:4545:0003:0200:F8FF:FE21:67CF
[Diagram markers: /16, /32, /48]

2001:1900:4545::/48 =
2001:1900:4545:0000:0000:0000:0000:0000 through
2001:1900:4545:FFFF:FFFF:FFFF:FFFF:FFFF

CIDR to range tool: http://www.ultratools.com/tools/ipv6CIDRToRange

Regional Internet Registry (RIR)
Current ARIN IPv6 Blocks:
•2001:0400::/23
•2001:1800::/23
•2001:4800::/23
•2600:0000::/12
•2610:0000::/23
[Diagram label: 2001:1856:4A5f::/64]

Local Internet Registry (LIR)
ARIN IPv6 Block: 2001:1800::/23
ISP IPv6 Blocks:
•ISP A
  •2001:1800::/32
•ISP B
  •2001:1801::/32
•ISP C
  •2001:1802::/32
[Diagram labels: ISP A, ISP C, 2001:1800:1234::/64, ISP B, 2001:1802:1234::/64]

The Multi-Homed Issue: PA vs. PI

Provider Aggregated Addressing (PA)
• Temporary address block provided by ISP/LIR.
• Follows prefix hierarchy.
• Readily available addresses
• You lose the address block when you leave the ISP

Provider Independent Addressing (PI)
• Permanent address block provided by RIR (sometimes through LIR)
• May break prefix hierarchy and require interdomain routes
• Not as readily available
• You keep the address block forever.

Map Your Network
You should identify:
•Your core infrastructure (routers, switches, etc.)
•Security devices
•Hosts and OSs on your network
•Your DNS and DHCP servers
•Your application servers (Public & Private)
•Other network devices (printers, NAS, etc.)
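
The addressing recap above (CIDR ranges, the RIR to ISP to customer hierarchy, and what losing a PA block means in practice) worked through in Python. This is an added example, not part of the original slides; the /48 site prefixes passed to `renumber` are constructed for illustration, the other prefixes are the ones shown on the slides.

```python
import ipaddress

def cidr_range(prefix):
    """Return the first and last address covered by an IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix)
    return net[0].exploded, net[-1].exploded

def split_fields(addr, site_len=48):
    """Split an address into (global routing prefix, SLA ID, interface ID).

    Assumes a site prefix of site_len bits and a 64-bit interface ID.
    """
    ip = int(ipaddress.IPv6Address(addr))
    shift = 128 - site_len
    routing = ipaddress.IPv6Network(((ip >> shift) << shift, site_len))
    sla_id = (ip >> 64) & ((1 << (64 - site_len)) - 1)
    interface_id = ip & ((1 << 64) - 1)
    return routing, sla_id, interface_id

def is_nested(chain):
    """True if every prefix in chain (RIR, ISP, customer...) lies inside the previous one."""
    nets = [ipaddress.IPv6Network(p) for p in chain]
    return all(child.subnet_of(parent) for parent, child in zip(nets, nets[1:]))

def renumber(addr, old_site, new_site):
    """Move a host from one PA site prefix to another, keeping its SLA ID and
    interface ID. This is the renumbering a PA customer faces when changing ISP."""
    old = ipaddress.IPv6Network(old_site)
    new = ipaddress.IPv6Network(new_site)
    ip = ipaddress.IPv6Address(addr)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new site prefixes must have the same length")
    if ip not in old:
        raise ValueError(f"{ip} is not inside {old}")
    return ipaddress.IPv6Address(int(new.network_address) | (int(ip) & int(old.hostmask)))

if __name__ == "__main__":
    print(cidr_range("2001:1900:4545::/48"))
    print(split_fields("2001:1900:4545:0003:0200:F8FF:FE21:67CF"))
    # ARIN block -> ISP A block -> customer subnet, as on the LIR slide
    print(is_nested(["2001:1800::/23", "2001:1800::/32", "2001:1800:1234::/64"]))
    # Constructed /48 site prefixes: leaving ISP A for ISP C
    print(renumber("2001:1800:1234:3:200:f8ff:fe21:67cf",
                   "2001:1800:1234::/48", "2001:1802:1234::/48"))
```
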
What Needs an Upgrade?
The goal of the previous network enumeration process is to figure out what supports IPv6 and what does not. Place each device in one of three buckets:
•No support
•Partial support
•Full support (w/dual-stack)
Devices lacking support will eventually require an upgrade or transition services.

Planning and Migration Strategies

Planning and Migration Strategy
By now, you should know:
• If your ISP supports native IPv6, tunnels, or only IPv4
• How many devices are ready for IPv6
• Which devices support dual-stack
• What mission critical applications you serve

IPv6 Transition Technologies
•Dual-Stack: IPv4 and IPv6 run together on all/most devices. Dual-stack routing devices can handle translation, if necessary
•Tunneling: Allow IPv6 devices to communicate over an IPv4 network via tunnels (a lot like VPN)
  • Manual: Require configuration. More control, thus more secure
  • Automatic: Little setup. May sneak out of your network
  • Tunnel Brokers: Companies that offer easy IPv6 tunneling services
•Translation: Re-writing one protocol’s packets to another protocol (IPv6 to IPv4, and vice versa).
•Application-specific proxies: Translation only for specific services (web, email, etc).
  The IPv6 client connects to a proxy server, which makes the IPv4 connection to a service…

Common Tunneling and Translation Protocols

Tunnel Protocols
• 6to4 (Auto)
• Teredo (Auto)
• ISATAP (Auto)
• 6rd (Auto)
• 4in6 (Configured)
• 6in4 (Configured)

Translation Protocols
• Stateless IP/ICMP Translation (SIIT)
• NAT64
• DNS 64
• Dual-stack Lite (DSLite)
• NAT-PT (deprecated)

Three Migration Strategies
• Core Migration
• Application/Server Migration
• Client-Side Migration

A Simplified Network
[Diagram: Internet, ISP, IPv4 Core Network, IPv4 Network (LAN), IPv4 Network, IPv4 Network (DMZ)]

Core Migration
[Diagram: Internet (IPv6, IPv4), ISP, IPv6 Tunnel broker or endpoint, IPv6 Routers (or Dual-stack), IPv6/IPv4 Core Network, Dual-stack Routers, IPv4 Network (LAN), IPv4 Network, IPv4 Network (DMZ)]

Application Server Migration
Depending on ISP capabilities, Tunneling or Translation services used for IPv6 Internet access.
[Diagram: Internet, ISP, IPv4 Core Network, IPv4 Network (LAN), IPv4 Network, IPv4/IPv6 Network (DMZ)]

Client-side Migration
Again, Tunneling or Translation services used where needed
[Diagram: Internet, ISP, IPv4 Core Network, IPv4/IPv6 Network (LAN), IPv4 Network, IPv4 Network (DMZ)]

Implementation and Transition

IPv6 Deployment: Eating the Elephant
“[IPv6 deployment] is very much an ‘eating the elephant’ problem, but at one mouthful at a time, it appears to be surprisingly easy. Just do it, bit by bit.”

From Islands to Oceans
Even if you converted to full IPv6 tomorrow, you will still need translation tech until everyone does
[Diagram labels: IPv4 Island, Internet, IPv4 Ocean, IPv6 Ocean, IPv6 Island, IPv6 Network, IPv4 network]

Expect a Long-term Transition Phase
Plan at least a 10 year IPv6 Transition phase
• It will actually take some organizations years to fully convert to IPv6
• More importantly, even if you convert your entire network to IPv6-only tomorrow, you will still need to leverage 4to6 translation technologies to allow the rest of the world to connect to you until they catch up!
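
Three of the automatic tunnel protocols listed above (6to4, Teredo, ISATAP) embed an IPv4 address in the IPv6 address, so a host inventory from the network-mapping step can be checked for tunnels nobody configured. This is an added example, not part of the original slides; the prefixes and markers come from the protocols' specifications rather than from the page, and the host names and addresses are constructed from documentation ranges.

```python
import ipaddress

# Upper 32 bits of an ISATAP interface ID (RFC 5214); the lower 32 bits are the IPv4 address.
ISATAP_MARKERS = {0x00005EFE, 0x02005EFE}

def classify(addr):
    """Return (mechanism, embedded IPv4 detail) for one IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip.sixtofour is not None:                      # 6to4 lives in 2002::/16
        return "6to4", str(ip.sixtofour)
    if ip.teredo is not None:                         # Teredo lives in 2001::/32
        server, client = ip.teredo                    # client address is stored inverted
        return "teredo", f"server {server}, client {client}"
    if ((int(ip) >> 32) & 0xFFFFFFFF) in ISATAP_MARKERS:
        return "isatap", str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))
    # Native addresses land here, and so does 6rd: it uses the ISP's own
    # prefix, so it cannot be recognised from the address alone.
    return "native-or-unknown", None

def find_auto_tunnels(inventory):
    """inventory: {host: [ipv6 address, ...]} -> sorted findings for tunnelled addresses."""
    findings = []
    for host, addrs in inventory.items():
        for addr in addrs:
            kind, detail = classify(addr)
            if detail is not None:
                findings.append((host, addr, kind, detail))
    return sorted(findings)

# Constructed inventory: hypothetical host names, documentation-range addresses.
SAMPLE_INVENTORY = {
    "laptop-17": ["2001:db8:10::25", "2002:c633:6410::1"],
    "kiosk-03": ["2001:0:c000:201:8000:63bf:34ff:8ef8"],
    "fileserver": ["2001:db8:10::5", "fe80::5efe:c000:20a"],
}

if __name__ == "__main__":
    for finding in find_auto_tunnels(SAMPLE_INVENTORY):
        print(*finding, sep="  ")
```
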
Wrapping Up

It’s Up To You!
• ISPs are responding to customer demand (somewhat unevenly)
• You have choices (ISPs, internal network configuration)
• Your transition can start today, and can happen swiftly

Resources for further reading:
• “0 to IPv6 in 3 Months” Case Study (PDF): goo.gl/jpnX7
• ARIN Number Resource Policy: http://goo.gl/G5fse
• World IPv6 Day Experiences: http://goo.gl/kGeQa
• RFC 6036 - Emerging Service Provider Scenarios for IPv6 Deployment: http://goo.gl/WSMzR
• IPv4-to-IPv6 Transition Strategies: http://goo.gl/8GOzJ
• IPv6 Transition Strategies: http://goo.gl/U5iV6
• IPv6 Calculator Tools: http://goo.gl/OqDw5

Thank You!