IPv6 Enterprise Case Study
Tim Chown tjc@ecs.soton.ac.uk
School of Electronics and Computer Science, University of Southampton (UK)
IEC 21st Century Conference, 27th March 2006, London
Case Study
• In this slot we look at an IPv6 deployment in a small-medium enterprise network
  • Electronics and Computer Science @ Southampton
• Philosophy is dual-stack
  • Consider IPv6-only elements at a later date
• A production deployment
  • Aim to make key network services IPv6 enabled
  • Facilitate deployment of IPv6-only nodes if desired
  • Must therefore be robust; introducing IPv6 must not adversely affect IPv4 service
  • Academic setting, but services still critical
ECS specifics
• Medium sized department network
  • Around 1,000 hosts in around 16 IPv4 subnets
  • Mixed Win 2000/XP, MacOS/X, Linux, Solaris, Irix
• New Cisco switch-routers
  • Cisco 6509 (1) and 3750 (30+)
• Run all own infrastructure Internet services
  • DNS, SMTP (MX servers), web, NTP, …
• IPv4 connectivity supplied by LeNSE and JANET
  • Regional and backbone academic providers
  • Includes IPv4 multicast
• Limited but good IPv6 knowledge in staff
  • Ran a training course for JANET community in 2005
Deployment scenario
• Goal to deploy pervasively in ECS
• We decided to deploy dual-stack
  • Enable IPv6 in all host and router platforms where possible
  • Enable all key applications and services
• Support teaching and research
  • Facilitate IPv6 access for potential overseas students
• Need to also consider offering remote IPv6 access
  • Some form of tunnelling considered
  • But those services provided at JANET level now
    • 6to4 relay and IPv6 tunnel broker
• Thus focused here on internal ECS deployment
IETF documents
• Considered (and co-authored) during the process
• Enterprise Scenarios
  • Issues to consider for the transition
  • RFC4057
• Enterprise Analysis
  • Considers applicability of the transition tools
  • draft-ietf-v6ops-ent-analysis-04
• Campus Transition
  • A specific case study (discussed here today)
  • draft-chown-v6ops-campus-transition-02
Phase 1: Advanced planning
• Introduce IPv6 requirements into all tenders
  • Ensure you have ability to turn IPv6 on when ready
• Obtain IPv6 address block allocation from ISP
  • Enterprise allocation by default a /48
  • Includes DNS forward and reverse delegation
• Establish IPv6 training programme
  • Determine ‘hands-on’ trial requirements for operational staff, perhaps via a tunnel broker
• Review IPv6 security issues
  • Review and revise security policies
Phase 2a: testbeds/trials
• Assign and deploy IPv6 capable access router(s) and security devices (firewall)
  • Isolated dual-stack environment, e.g. IPv4 DMZ
• Establish IPv6 connectivity to provider
  • Configure desired routing protocols, if required
• Connect testbed hosts on internal network
  • For an initial testbed a single /64 subnet should suffice
• Deploy IPv6 DNS
  • e.g. using BIND9 on a Unix platform
• Enable IPv6 on the host systems
• Configure applications and services
Phase 2b: Preparation
• Survey systems, applications and services for IPv6 capability
  • Includes management/monitoring/OSS components
  • Assess porting options for IPv4-only elements
  • Consider alternative solutions if no IPv6 capability available
• Formulate an IPv6 site addressing plan
  • How to allocate your /48
  • May administratively overlap with existing IPv4 plan
• Document IPv6 related policies
  • e.g. Stateless vs Stateful address assignment, use of IPv6 privacy addresses
Phase 3: Deployment
• Configure IPv6 on dual-stack routing equipment
  • Access router and firewall(s)
• Enable IPv6 on the wire on chosen links
  • e.g. Server subnet(s) and selected client subnets
• Add IPv6 addresses to DNS servers and configure servers to respond over IPv6
• Enable IPv6 on management elements
• Enable IPv6 on selected production services
  • e.g. Web, DNS, mail MXes
• Include IPv6 in all ongoing security tests
  • Periodic penetration tests, etc.
Address allocations
• JANET is academic ISP in the UK
  • Assigned 2001:630::/32 by the RIPE RIR
• Southampton requested a prefix
  • Assigned 2001:630:d0::/48
  • University has 15-20 Schools
• ECS allocated a /56 prefix
  • Allows 256 subnets of size /64
  • Allocated in a way that allows us to go back for more
  • Allocated to be congruent with existing IPv4 subnets
• Address management
  • Using manual/SLAAC, with early DHCPv6 trials
Service enabling
• DNS
  • BIND9 running on three primary DNS servers
• Mail MX
  • IPv6 running on three sendmail-based MX systems
  • (No IPv6 for MS Exchange yet, server side)
• Web
  • IPv6 integral to Apache 2
  • Running around 200 domains
• NTP
  • Using Meinberg and RIPE TT systems (roof GPS-based)
DNS
• Two aspects to consider
• IPv6 records for hosts in DNS
  • Use new AAAA record for IPv6:
    ns0.ecs.soton.ac.uk. 1800 IN A 152.78.70.1
    ns0.ecs.soton.ac.uk. 1800 IN AAAA 2001:630:d0:f116::53
• IPv6 transport for the lookups
  • Nominet support IPv6 transport to .uk
  • JANET supports IPv6 transport to .ac.uk
  • Some root servers now support IPv6 transport
  • Supported out of the box in BIND9
• General advice to deploy local dual-stack DNS resolver
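The addressing-plan slides (allocate the /48 congruently with the IPv4 subnets, 256 /64s in the school's /56) and the DNS slide (every host gets an AAAA beside its A) describe checks an operator will want to automate. The script below is an added example, not code from the talk or from ECS: it keeps a constructed IPv4-subnet to IPv6-/64 plan, verifies that every planned /64 sits inside the school /56 and the site /48, counts the /64s still free, and then walks a small constructed zone excerpt to flag hosts that are still IPv4-only or whose AAAA lands in a /64 that is not the one paired with their IPv4 subnet. Assumptions: the /56 is taken as 2001:630:d0:f100::/56 (consistent with the ns0 AAAA record on the slide, but not stated there), and all names other than ns0 are sample data.

```python
import ipaddress

# From the slides: the site's /48.
SITE_PREFIX = ipaddress.IPv6Network("2001:630:d0::/48")
# Assumption: ECS's /56 taken as 2001:630:d0:f100::/56 (the slide does not give it).
SCHOOL_PREFIX = ipaddress.IPv6Network("2001:630:d0:f100::/56")

# Constructed addressing plan: each IPv4 subnet paired with its congruent /64.
PLAN = {
    "152.78.70.0/24": "2001:630:d0:f116::/64",
    "152.78.71.0/24": "2001:630:d0:f117::/64",
}

# Constructed zone excerpt; the two ns0 records are the ones on the slide,
# the example-ecs.test names are sample data with deliberate mistakes.
ZONE = """\
ns0.ecs.soton.ac.uk. 1800 IN A 152.78.70.1
ns0.ecs.soton.ac.uk. 1800 IN AAAA 2001:630:d0:f116::53
www.example-ecs.test. 1800 IN A 152.78.71.80
www.example-ecs.test. 1800 IN AAAA 2001:630:d0:f116::80
mail.example-ecs.test. 1800 IN A 152.78.70.25
"""


def parse_zone(text):
    """Collect A and AAAA rdata per owner name from one-record-per-line text."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] not in ("A", "AAAA"):
            continue  # skip blank lines and other record types (SOA, NS, MX, ...)
        name, _ttl, _cls, rtype, rdata = parts
        hosts.setdefault(name, {"A": [], "AAAA": []})[rtype].append(
            ipaddress.ip_address(rdata))
    return hosts


def check_plan(plan, school_prefix, site_prefix):
    """Every planned IPv6 subnet must be a /64 inside the school's /56 (which
    itself sits in the site /48) and must be assigned only once."""
    problems = []
    if not school_prefix.subnet_of(site_prefix):
        problems.append(f"{school_prefix} is outside {site_prefix}")
    seen = set()
    for v6 in plan.values():
        net6 = ipaddress.IPv6Network(v6)
        if net6.prefixlen != 64 or not net6.subnet_of(school_prefix):
            problems.append(f"{v6} is not a /64 inside {school_prefix}")
        if net6 in seen:
            problems.append(f"{v6} assigned to more than one IPv4 subnet")
        seen.add(net6)
    return problems


def free_subnets(plan, school_prefix):
    """Number of /64s in the /56 not yet used by the plan (256 minus used)."""
    used = {ipaddress.IPv6Network(v) for v in plan.values()}
    return sum(1 for s in school_prefix.subnets(new_prefix=64) if s not in used)


def check_hosts(hosts, plan):
    """Flag IPv4-only hosts and AAAA records outside the /64 paired with the
    host's IPv4 subnet (the 'congruent' plan on the slides)."""
    pairs = {ipaddress.IPv4Network(k): ipaddress.IPv6Network(v)
             for k, v in plan.items()}
    problems = []
    for name, recs in sorted(hosts.items()):
        if recs["A"] and not recs["AAAA"]:
            problems.append(f"{name}: has A but no AAAA (still IPv4-only)")
            continue
        for a in recs["A"]:
            expected = next((v6 for v4, v6 in pairs.items() if a in v4), None)
            if expected is None:
                problems.append(f"{name}: {a} is in no planned IPv4 subnet")
                continue
            for aaaa in recs["AAAA"]:
                if aaaa not in expected:
                    problems.append(
                        f"{name}: {aaaa} is not in {expected}, "
                        f"the /64 paired with {a}'s subnet")
    return problems


if __name__ == "__main__":
    for p in (check_plan(PLAN, SCHOOL_PREFIX, SITE_PREFIX)
              + check_hosts(parse_zone(ZONE), PLAN)):
        print("PROBLEM:", p)
    print(free_subnets(PLAN, SCHOOL_PREFIX), "/64 subnets still free")
```

Run against the constructed data it reports two problems (mail.example-ecs.test. has no AAAA; the www AAAA is in the wrong /64) and 254 free /64s. Pointing `ZONE` at a real zone export and `PLAN` at the real plan turns this into the "survey services for IPv6 capability" step of Phase 2b, run continuously rather than once.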
Client enabling
• IPv6 availability good on all systems
• Windows XP
  • Turn on with ‘netsh ipv6 install’
• Mac OS/X
  • On by default
• Linux
  • Varies by flavour; often on by default
• Solaris
  • Enable at install or subsequently
• Available on some ‘unexpected’ systems
  • e.g. Symbian-based Nokia 9500 via WLAN interface
Microsoft future
• Windows Vista and Server “Longhorn”
  • Two good feature articles:
    http://www.microsoft.com/technet/itsolutions/network/evaluate/new_network.mspx
    http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx
• Both have integrated IP stack
  • Most importantly IPv6 is on by default
• Strong IPv6 support, including:
  • IPsec support
  • Teredo (IPv6 tunneling through IPv4 NATs)
  • IPv6 over PPP
  • MLDv2 (for IPv6 source-specific multicast)
  • DHCPv6 client (for stateful configuration)
Routing
• Recently procured internal routing equipment
• Included IPv6 requirements in tender
  • Included IETF IPv6 RFC specifications
  • IPv6 network management and monitoring capability
  • Some advanced services
    • IPv6 Multicast
    • MLD (IPv6 multicast) snooping in Layer 2 devices
  • Plus many IPv4 features!
• Ultimately chose Cisco 6509 and 3750 solution
  • Deployed from Day 1 with IPv6 enabled
Improved IP Multicast
• IPv6 offers streamlined multicast deployment
  • Multicast is base part of the IPv6 protocol
• No MSDP for IPv6
  • Instead use Embedded RP (RFC3956)
  • RP address included in IPv6 multicast group address
  • Thus no need for protocol to interconnect RPs
  • Developed in 6NET project (www.6net.org)
• Also strong interest in IPv6 SSM multicast model
  • Alternative simplified multicast architecture - no RPs
• Has led to two student-led innovations
  • ECS-TV and Surge Radio
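The slide's point that the RP address is carried inside the group address is easiest to see by decoding one. The following is an added example, not code from the talk or from 6NET: it implements the RFC 3956 layout (ff | flags:scope | rsvd:RIID | plen | 64-bit network prefix | 32-bit group ID, with the R, P and T flags all set) in both directions, deriving the RP from a group address and building the group address for a given RP, and rejects addresses that are not embedded-RP groups (an SSM ff3x:: address, for instance) or that have malformed fields. The RP 2001:db8:f00d:1::7, scope value 0xE and group ID 0x1234 are constructed sample values.

```python
import ipaddress


def embedded_rp(group):
    """Derive the RP address from an RFC 3956 embedded-RP group address.

    Field layout: byte 0 = 0xff, byte 1 = flags:scope, byte 2 = rsvd:RIID,
    byte 3 = plen, bytes 4..11 = network prefix, bytes 12..15 = group ID.
    """
    b = ipaddress.IPv6Address(group).packed
    if b[0] != 0xFF:
        raise ValueError(f"{group} is not a multicast address")
    flags = b[1] >> 4
    if flags & 0x7 != 0x7:  # R, P and T must all be set (ff7x::/12)
        raise ValueError(f"{group}: R/P/T flags not all set, no embedded RP")
    rsvd, riid = b[2] >> 4, b[2] & 0xF
    plen = b[3]
    if rsvd != 0 or riid == 0 or plen == 0 or plen > 64:
        raise ValueError(f"{group}: malformed rsvd/RIID/plen fields")
    prefix = int.from_bytes(b[4:12], "big")
    prefix &= ~((1 << (64 - plen)) - 1)  # keep only the plen prefix bits
    # RP = network prefix, zeros, RIID in the low-order 4 bits.
    return ipaddress.IPv6Address((prefix << 64) | riid)


def embed_rp(rp, plen, scope, group_id):
    """Inverse: build the group address embedding RP `rp` (prefix length
    plen, interface ID 1..15), multicast scope `scope` and a 32-bit group ID."""
    rp_int = int(ipaddress.IPv6Address(rp))
    riid = rp_int & 0xF
    if not 0 < plen <= 64 or not 0 <= scope <= 0xF:
        raise ValueError("plen must be 1..64 and scope 0..15")
    if riid == 0:
        raise ValueError("RP interface ID must be 1..15")
    # Every bit between the network prefix and the RIID must be zero,
    # otherwise the RP cannot be reconstructed from the group address.
    if (rp_int >> 4) & ((1 << (124 - plen)) - 1):
        raise ValueError("RP address has bits set outside prefix and RIID")
    packed = (bytes([0xFF, 0x70 | scope, riid, plen])
              + (rp_int >> 64).to_bytes(8, "big")
              + (group_id & 0xFFFFFFFF).to_bytes(4, "big"))
    return ipaddress.IPv6Address(packed)


if __name__ == "__main__":
    # Constructed sample: RP 2001:db8:f00d:1::7 in a /64, global scope.
    g = embed_rp("2001:db8:f00d:1::7", 64, 0xE, 0x1234)
    print(g, "->", embedded_rp(g))
```

Because the RP is recoverable from the group address alone, any PIM router in any domain that sees a join for ff7e:740:2001:db8:f00d:1:0:1234 knows to send it towards 2001:db8:f00d:1::7, which is why no MSDP-style RP interconnection protocol is needed. The same decoder also gives an operator a quick way to audit which RPs the groups seen in MLD snooping tables actually point at.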
Monitoring tools
• Use several tools, including
  • Cisco Netflow for IPv6
  • SNMP with MRTG
  • RIPE NCC Test Traffic measurement server
• Example below shows IPv6 traffic to/from a DMZ link
  • Sun-Sun 19th-26th March 2006
Summary
• IPv6 has been deployed dual-stack
  • Enabled on all links
  • Many hosts IPv6 enabled
• Key (external facing) services IPv6 enabled
  • DNS, Mail MXs, web
• No adverse impact on IPv4 service
• Seeing some student innovation
  • Also (CS) students using IPv6 in home networks
• Positive experience to date
• Next steps: Mobile IPv6 trials, IPv6-only trials
  • Also dual-stack firewall and IDS trials