What to Expect When Expecting IPv6
Tim Helming, Director of Product Management
Corey Nachreiner, CISSP, Sr. Network Security Strategist
Welcome to WatchGuard’s IPv6 Webinar Series!
What To Expect from IPv6
You’re here because v6 matters to you.
Remember this? Hasn’t changed much! Source: Elise Gerich, IANA/ICANN
WIPv6D: Native v6 traffic nearly doubled! …to… Source: http://asert.arbornetworks.com/2011/06/world-ipv6-day-final-look-and-wagons-ho/
Bottom Line: More Detail in Part 2 today!
The State of IPv6 Among ISPs Migration to IPv6 is possible in all of these scenarios… only the “how” changes. Your ISP is your gateway to the Internet. As such, the IPv6 migration strategies available to you depend heavily on what IPv6 services your ISP offers today.
Real-World IPv6 Readiness: An ISP Survey • RFC 6036: Emerging Service Provider Scenarios for IPv6 Deployment
ISP Survey Trends and Highlights
• Estimated IPv4 depletion 2015
• 93% plan Dual-stack backbone
• 40% run or plan to run 6to4 relay
• CPE often doesn’t support IPv6
• Prefixes offered:
  • /48 most common
  • /64 (especially among mobile)
  • /56
  • /52, /60 sometimes
Hurricane Electric is a global Internet backbone provider (and transit ISP), with a specific focus on IPv6
RECAP: IPv6 Hierarchical Addressing
[Diagram labels: Global Routing Prefix, Prefix, SLA ID, Interface ID, RIR, NIR/LIR; example address 2561:1900:4545:0003:0200:F8FF:FE21:67CF]
IPv6 Subnetting
• CIDR only (slash notation)
• No concept of subnet masks
• / followed by prefix size (decimal number 1-128)
2001:1900:4545:0003:0200:F8FF:FE21:67CF (boundaries marked at /16, /32, /48)
2001:1900:4545::/48 = 2001:1900:4545:0000:0000:0000:0000:0000 - 2001:1900:4545:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR to range tool: http://www.ultratools.com/tools/ipv6CIDRToRange
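The CIDR-to-range calculation on this slide, worked with Python's standard `ipaddress` module; this is an added example, not part of the original slides. It also counts the /64 subnets inside the prefix sizes the ISP survey lists and carves a delegated prefix into per-segment /64s (the segment names `core`, `lan`, `dmz` are assumptions taken from the deck's network diagrams).

```python
import ipaddress

def describe_prefix(cidr):
    """First/last address of a prefix and how many /64 subnets it holds."""
    net = ipaddress.IPv6Network(cidr, strict=True)  # rejects stray host bits
    return {
        "first": net.network_address.exploded.upper(),
        "last": net.broadcast_address.exploded.upper(),  # highest address in the prefix
        "subnets_64": 2 ** (64 - net.prefixlen) if net.prefixlen <= 64 else 0,
    }

def contains(cidr, address):
    """True when the address falls inside the prefix (no subnet mask involved)."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(cidr)

def carve_64s(cidr, segments):
    """Assign consecutive /64 subnets of a delegated prefix to named segments."""
    net = ipaddress.IPv6Network(cidr, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{cidr} is longer than /64")
    available = 2 ** (64 - net.prefixlen)
    if len(segments) > available:
        raise ValueError(f"{cidr} holds only {available} /64 subnets")
    subnets = net.subnets(new_prefix=64)  # lazy generator, safe even for a /48
    return {name: str(next(subnets)) for name in segments}

if __name__ == "__main__":
    print(describe_prefix("2001:1900:4545::/48"))
    print(contains("2001:1900:4545::/48",
                   "2001:1900:4545:0003:0200:F8FF:FE21:67CF"))
    # /48, /56 and /60 are delegation sizes from the ISP survey slide.
    for size in (48, 56, 60):
        print(size, describe_prefix(f"2001:1900:4545::/{size}")["subnets_64"])
    # Segment names are hypothetical.
    print(carve_64s("2001:1900:4545::/60", ["core", "lan", "dmz"]))
```

A firewall rule set written against the whole delegated prefix and one written per /64 segment can both be checked with `contains` before deployment.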
Regional Internet Registry (RIR)
• Current ARIN IPv6 Blocks:
  • 2001:0400::/23
  • 2001:1800::/23
  • 2001:4800::/23
  • 2600:0000::/12
  • 2610:0000::/23
2001:1856:4A5f::/64
Local Internet Registry (LIR)
• ARIN IPv6 Block:
  • 2001:1800::/23
• ISP IPv6 Blocks:
  • ISP A
    • 2001:1800::/32
  • ISP B
    • 2001:1801::/32
  • ISP C
    • 2001:1802::/32
[Diagram labels: ISP A, ISP B, ISP C; 2001:1800:1234::/64, 2001:1802:1234::/64]
The Multi-Homed Issue: PA vs. PI 2001:4911::/32
Map Your Network
• You should identify:
  • Your core infrastructure (routers, switches, etc.)
  • Security devices
  • Hosts and OSs on your network
  • Enumerate your DNS and DHCP servers
  • Your application servers (Public & Private)
  • Other network devices (printers, NAS, etc.)
Nmap can help!
What Needs an Upgrade?
• Place in three buckets:
  • No support
  • Partial support
  • Full support (w/dual-stack)
Devices lacking support will require eventual upgrade or transition services.
The goal of the previous network enumeration process is to figure out what supports IPv6 and what does not.
Planning and Migration Strategy This info will help you choose a migration strategy:
IPv6 Transition Technologies
• Dual-Stack: IPv4 and IPv6 run together on all/most devices. Dual-Stack routing devices can handle translation, if necessary.
• Tunneling: Allows IPv6 devices to communicate over an IPv4 network via tunnels (a lot like VPN).
  • Manual: Requires configuration. More control, thus more secure.
  • Automatic: Little setup. May sneak out of your network.
  • Tunnel Brokers: Companies that offer easy IPv6 tunneling services.
• Translation: Rewriting one protocol's packets into another protocol (IPv6 to IPv4, and vice versa).
  • Application-specific proxies: Translation only for specific services (web, email, etc.). The IPv6 client connects to the proxy server, which makes an IPv4 connection to a service…
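Automatic tunnels can be spotted from the addresses hosts hold, because each mechanism embeds its IPv4 endpoint in a recognisable pattern. The sketch below is an added example, not part of the original slides: it flags 6to4 addresses (the mechanism named in the ISP survey) and goes beyond the deck to cover Teredo and ISATAP as well. The host names and the `OBSERVED` inventory are constructed sample data.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix (RFC 3056)
TEREDO = ipaddress.IPv6Network("2001::/32")     # Teredo prefix (RFC 4380)
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)       # ISATAP interface-ID prefix (RFC 5214)

def classify(address):
    """Return (mechanism, embedded IPv4 endpoint or None) for one IPv6 address."""
    ip = ipaddress.IPv6Address(address)
    if ip in SIXTOFOUR:
        return "6to4", str(ip.sixtofour)
    if ip in TEREDO:
        _server, client = ip.teredo  # client IPv4 is stored bit-inverted
        return "teredo", str(client)
    interface_id = int(ip) & 0xFFFFFFFFFFFFFFFF
    if (interface_id >> 32) in ISATAP_MARKERS:
        return "isatap", str(ipaddress.IPv4Address(interface_id & 0xFFFFFFFF))
    return "native-or-other", None

def find_automatic_tunnels(observed):
    """Map host -> [(address, mechanism, IPv4)] for every automatic-tunnel address."""
    findings = {}
    for host, addresses in observed.items():
        for address in addresses:
            mechanism, ipv4 = classify(address)
            if mechanism != "native-or-other":
                findings.setdefault(host, []).append((address, mechanism, ipv4))
    return findings

# Constructed inventory: hypothetical host names, documentation IPv4 ranges.
OBSERVED = {
    "file-server": ["2001:1900:4545:3:200:f8ff:fe21:67cf"],
    "laptop-17": ["fe80::200:f8ff:fe21:1234", "2002:c000:20a::1"],
    "kiosk-02": ["2001:0:c000:201:0:f227:34ff:8efa"],
    "printer-5": ["fe80::5efe:c000:20a"],
}

if __name__ == "__main__":
    for host, hits in find_automatic_tunnels(OBSERVED).items():
        print(host, hits)
```

Feed it the addresses collected during the network-mapping step; any hit is a host whose IPv6 traffic may be leaving inside IPv4 packets that an IPv4-only policy never inspects.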
A Simplified Network
[Diagram labels: Internet, ISP, IPv4 Core Network, IPv4 Network (LAN), IPv4 Network (DMZ), IPv4 Network]
Core Migration
• IPv6 Routers (or Dual-stack)
• Dual-stack Routers
[Diagram labels: IPv6 Tunnel broker or endpoint, Internet, ISP, IPv6 ISP, IPv4 ISP, IPv4 Core Network, IPv6 Core Network, IPv4 Network (LAN), IPv4 Network (DMZ), IPv4 Network]
Application Server Migration
Depending on ISP capabilities, Tunneling or Translation services used for IPv6 Internet access.
[Diagram labels: Internet, ISP, IPv4 Core Network, IPv4 Network (LAN), IPv4 Network (DMZ), IPv4 Network, IPv4/IPv6 Network]
Client-side Migration
Again, Tunneling or Translation services used where needed.
[Diagram labels: Internet, ISP, IPv4 Core Network, IPv4 Network (LAN), IPv4 Network (DMZ), IPv4 Network, IPv4/IPv6 Network]
IPv6 Deployment: Eating the Elephant
“[IPv6 deployment] is very much an ‘eating the elephant’ problem, but at one mouthful at a time, it appears to be surprisingly easy. Just do it, bit by bit.”
From Islands to Oceans
Even if you converted to full IPv6 tomorrow, you will still need translation tech until everyone does IPv6.
[Diagram labels: Internet, IPv6 Network, IPv4 Ocean, IPv6 Ocean, IPv4 network, IPv6 Island, IPv4 Island, IPv4 Island]
Resources for further reading:
• “0 to IPv6 in 3 Months” Case Study (PDF): goo.gl/jpnX7
• ARIN Number Resource Policy: http://goo.gl/G5fse
• World IPv6 Day Experiences: http://goo.gl/kGeQa
• RFC 6036 - Emerging Service Provider Scenarios for IPv6 Deployment: http://goo.gl/WSMzR
• IPv4-to-IPv6 Transition Strategies: http://goo.gl/8GOzJ
• IPv6 Transition Strategies: http://goo.gl/U5iV6
• IPv6 Calculator Tools: http://goo.gl/OqDw5