World IPv6 Day is coming on June 8, 2011. For 24 hours, some of the world’s most popular websites, such as Google, Yahoo, and Facebook, will activate IPv6 connectivity for their main websites. What are the implications of this event? How might it affect you or your customers? How should you prepare? Should your own site activate IPv6 on that day?
Phil Remaker is a distinguished support engineer at Cisco and is recognized for his wide range of knowledge and skills in Cisco products, networking protocols, and systems. He currently works as a technical leader in the Cisco Services Technical Services organization, focusing on vexing problems around security, software release, and product manageability. He holds CCIE certification number 1034.
This document contains all the questions that were asked to Phil during the CSC Expert Series Live Webcast.
In the live webcast, Phil provided a simple overview of a dual IPv4 and IPv6 stacked environment and explained typical failure modes in IPv6 transport and DNS that might be experienced. It introduced some websites you can use to test your IPv6 connectivity in advance of World IPv6 Day and talked about IPv6 connectivity options for websites and end users. The links are in the Related Information section at the bottom of this document.
The following Cisco experts helped Phil answer many of the questions asked during the session: escalation support engineer Wen Zhang, architect Yenu Gobena, distinguished support engineer Salman Asadullah, technical leader Andrew Yourtchenko, distinguished support engineer Carlos Pignataro, and architect Jim Bailey. All these experts have vast knowledge of routing topics, including IPv6.
The presentation provided during the live event is attached to this document. Scroll down to the bottom to be able to download it.
A. There are 3 good deployment books: Deploying IPv6 in Broadband Access Networks by Adeel Ahmed and Salman Asadullah, John Wiley & Sons Publications. There are a few great books depending on what you are looking for. Two good Cisco Press books on this topic are: Global IPv6 Strategies: From Business Analysis to Operational Planning and Deploying IPv6 Networks.
A. The test-ipv6.com site does a series of DNS tests, and it depends on what type of DNS issue you are talking about. The biggest DNS problems are if a host deals up bad information through DNS. There are researchers at Cisco testing the various DNS issues. There are some crazy situations where people return a link local address to DNS queries over the global Internet. For example: if I make a request for www.example.com and it comes back as 192.168.1.5, which is wrong. The DNS itself is not going to be the problem. It's more that people misconfiguring their DNS is going to be the problem. DNS can work over IPv4 or IPv6. It turns out that if you run your DNS protocol over IPv4, you can still learn IPv6 addresses over the IPv4 protocol, so that won't be a problem. There weren't many public servers at one point doing DNS over IPv6, but now there are more and more public servers appearing that speak IPv6 and do the DNS protocol over IPv6. Testing tools like the test-ipv6.com website will test to make sure that your DNS client is configured correctly. In terms of your DNS server being configured correctly, that's a little tricky. I need to check on whether there is any particular test tool to make sure that you have the same DNS configuration on your server side. It's a good question, since more people look for it in support forums!!!
A. Check out the Cisco Press IPv6 Security book by Eric Vyncke and Scott Hogg. It is a comprehensive IPv6 security resource and does have a suggested perimeter ACL for IPv6 traffic. Please take a look at table 4.1 for the perimeter ACLs: http://220.127.116.11/Nikon/Books/Computing%20&%20Games/Networking/IPv6%20Security.pdf
A. RFC5969 - though it is relatively recent, and I assume you meant DHCP on v4, since if you already have IPv6, then there is no need for 6rd.
A. There are more QoS bits available to play with in IPv6. If we are using video multicast, there is a larger number of multicast channels to be used in IPv6. But I don't see any specific advantage to running multicast video over IPv6.
A. Cisco is an IPv6 leader and has the largest IPv6 product support.
A. Almost all of them these days, including Android and iPhone/iPad.
A. SLAAC – if there is an IPv6 capable router, they WILL get an address! No DHCP needed except to pick up DNS server information, but it will share that information as learned from DHCPv4.
A. Well, the deprecated NAT-PT and the new NAT64 will let you do that, but you lose the end-to-end promises of IPv6 connectivity and still have a stateful NAT box no better than your current NAT44. However, NAT64 can be a useful stepping stone to make your IPv4 infrastructure visible to the IPv6 Internet.
A. Use your ISP if they have it, otherwise a free tunnel from a tunnel broker. LISP is also an option. See the note on the support forums.
A. Across the whole Internet. Though it is not adopted very much, in certain technical communities it has leaped up, like the Interop story here. Also, more trade shows do IPv6, and more networks support IPv6. Latent IPv6 stacks will light up when the network is enabled.
A. Refer to RFC4980. Also make sure NOT to block ICMPv6; host firewalls are pretty good.
A. Use the URL reference, DNS whitelist or use whitelisted server or go to the special sites when set up.
A. Not at all. You will need dual stack. However, increasingly they will demand suppliers provide websites/content and connections via IPv6.
A. Use the command "ping <IPv6 address>". Typically you can also use "ping -6" or "ping6" if you are pinging an FQDN or domain name and want to choose IPv6.
A. If you are running NAT64 on the router, the clients of the router will get IPv6 addresses and the router does the translation to reach the IPv4 only hosts in the networks. So the idea is, with NAT64 you can run an IPv6 only network inside the enterprise and have IPv6 addresses while still being able to reach out to IPv4 hosts.
In the case of the reverse situation, where an IPv4 host needs to reach an IPv6 only device, we recommend implementing IPv6 on the network and using NAT64 to reach IPv4 only hosts.
A. That's a great question!!! If you are a dual stack client, you can run IPv6 link locally on the wire until you get assigned a global IPv6 address through stateless address autoconfiguration or through DHCPv6. Your dual stack clients will not have a problem until they get a global IP address. The only way they would pick up a global address is if there is a router that will assign them a global IP address. If you have a router, configure it to run IPv6, which will let them get a global address. In turn, it communicates with the global IPv6 Internet. A quick check can be done if you run ipconfig on the Windows 7 device. Take a look at the IPv6 address, and if it starts with the letter F, then it is a link local address. If your IPv6 address starts with 2, then it is a global IPv6 address. You do want to visit one of the test sites. The site test-ipv6.com is my personal favorite. It will do a quick analysis and tell you if there are problems.
If you have a dual stack client, but your routers are running IPv6, until you get a global IPv6 address, your device will not attempt to connect to the IPv6 Internet. There are certain home routers that will automatically build an IPv6 tunnel using an automatic configuration tunneling protocol called "6to4". This is another issue and you need to be careful about it. It may be doing that quietly in the background without your knowledge and then in turn advertising IPv6 router advertisements which give your host IPv6 addresses. In that case, you will be running IPv6 and you don't know it. The quick test site test-ipv6.com will tell you whether you are running IPv4 or IPv6. If it is IPv6, it will tell you your IPv6 address and also give you a good estimate of whether you have problems or not.
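The quick "starts with F or 2" check above can be scripted. The following is an added example (not from the webcast) that classifies every IPv6 address in `ipconfig` output and also flags the 6to4 (2002::/16) and Teredo (2001::/32) tunnel prefixes that a home router or host may bring up silently; the sample output is constructed.

```python
"""Classify the IPv6 addresses printed by `ipconfig` (Windows) or `ip -6 addr`."""
import ipaddress
import re

# Constructed sample output; not captured from a real host.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
   IPv6 Address. . . . . . . . . . . : 2001:db8:1234:5678:1c2d:3e4f:5a6b:7c8d
   Temporary IPv6 Address. . . . . . : 2001:db8:1234:5678:a1b2:c3d4:e5f6:789a
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.5

Tunnel adapter 6TO4 Adapter:
   IPv6 Address. . . . . . . . . . . : 2002:c000:204::c000:204

Tunnel adapter Teredo Tunneling Pseudo-Interface:
   IPv6 Address. . . . . . . . . . . : 2001:0:c000:204:0:ffff:3fff:fdfb
"""

# Checked in order; the first matching prefix wins.
CATEGORIES = [
    ("link-local", ipaddress.IPv6Network("fe80::/10")),     # starts with fe80 ("F")
    ("6to4 tunnel", ipaddress.IPv6Network("2002::/16")),    # auto tunnel over IPv4
    ("Teredo tunnel", ipaddress.IPv6Network("2001::/32")),  # UDP tunnel through NAT
    ("unique local", ipaddress.IPv6Network("fc00::/7")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),  # starts with 2 or 3
]

ADDR_RE = re.compile(r"IPv6 Address[ .]*:\s*(\S+)")


def classify(text):
    """Return the category of one IPv6 address; a zone id such as %11 is ignored."""
    addr = ipaddress.IPv6Address(text.split("%", 1)[0])
    for name, net in CATEGORIES:
        if addr in net:
            return name
    return "other"


def tunnel_endpoint(text):
    """For 6to4 and Teredo addresses, return the IPv4 endpoint embedded in them."""
    addr = ipaddress.IPv6Address(text.split("%", 1)[0])
    if addr.sixtofour is not None:
        return str(addr.sixtofour)   # public IPv4 address the 6to4 tunnel rides on
    if addr.teredo is not None:
        return str(addr.teredo[0])   # Teredo server address
    return None


def parse_ipconfig(output):
    """Return [(address, category), ...] for every IPv6 address in the output."""
    return [(a, classify(a)) for a in ADDR_RE.findall(output)]


def assess(output):
    """Summarise whether the host will use IPv6 and whether a tunnel is in play."""
    cats = {c for _, c in parse_ipconfig(output)}
    return {
        "global": "global unicast" in cats,
        "tunnel": bool(cats & {"6to4 tunnel", "Teredo tunnel"}),
        "link_local_only": cats == {"link-local"},
    }


if __name__ == "__main__":
    for addr, cat in parse_ipconfig(SAMPLE_IPCONFIG):
        print(f"{addr:45} {cat:15} {tunnel_endpoint(addr) or ''}")
    print(assess(SAMPLE_IPCONFIG))
```

A host whose report shows `"tunnel": True` is reaching the IPv6 Internet through a relay it may not know about, which is exactly the case the answer warns about.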
A. The format of IPv6 is hexadecimal (example: 2001:0db8::). For the rules on textual representation of IPv6 addresses, refer to RFC 5952.
A. You need to ask the ISP. Maybe they could allocate some more address space. Giving out just a /64 sounds incorrect. This is the cleanest solution to this problem. There are of course other less nice ones, but they are not practical beyond a small network.
A. If you are looking for IPv6 to IPv4, then you need a feature called NAT64, and it comes in two flavors: NAT64 stateless and stateful. It comes about in newer releases of code and on certain platforms.
A. Subnetting in IPv6 is quite different from IPv4. The recommended prefix length for host/server segments is /64. There is no need to precisely size those segments with the expanded address space. Network infrastructure links can support longer prefix lengths, such as /96, /112, /126 or /127. The choice comes down to how you want to manage the space.
A. You can divide it across the globe, but only if the providers at each part of the globe will accept the prefix. Most large companies get a prefix from each region where their devices are to ensure that the local carrier will carry that prefix.
A. It can be as small as a /127. By the way, there is no longer the concept of broadcast with IPv6; there is only multicast. As far as protecting against scanning attacks, some of the best practices include using link local addresses and infrastructure ACLs where applicable.
A. Yes. It would be worthwhile to verify that your application works well with IPv6, because IPv6 is coming and the application can take advantage of IPv6 based transport.
A. All protocols are expected to evolve, based on limitations, new deployment models, etc. The design of IPv6 is such that address space is not a limitation.
A. There are several ways that you can do this. Phil mentioned a couple of tunnel service providers. Any one of these providers could allow you to route IPv6 to the Internet. Similarly, you could do an internal tunnel overlay if you wanted to support IPv6 on your internal network. At some point this overlay is not scalable, but it does give an interim step for IPv6 integration and allows your provider to catch up on IPv6 integration.
A. Yes, there can be problems. One of the issues in IPv4 is that packet fragmentation can happen in the network. So any router in the network, if it gets a packet that is too big, can fragment it and send it on its way. In the case of IPv6, there will be no fragmentation at the router. Only the host will do the fragmentation if it needs to be done. So that relies on the host reliably learning the MTU of the entire path from end to end. The mechanism is built-in path MTU discovery, called PMTUD, whereby a router that receives a packet that's too big to carry will echo back an ICMPv6 type 2 packet called a PTB (Packet Too Big) message. As long as there is no firewall that blocks the ICMPv6 packet, it can pass through and MTU works fine. There are many misguided network designs that block all ICMP packets, and in such a network, if a packet sent to a router is too big and the PTB gets dropped on the way back to the sender, the connection hangs forever. In this case, the MTU needs to be lowered to 1280 or the TCP MSS lowered to 1240. There are many service providers providing an MTU of 1280 in order to avoid the MTU problems, saying that PMTUD is unreliable. But one of the largest service providers decided to send 1500 so that they can debug the MTU issues if people are facing problems in reaching the ISP. So when you have a misconfigured network that handles IPv6 wrong, there will be MTU issues. Cisco is one of the organizations that decided to send 1500 byte packets and will dig in to the PMTU issues.
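The PMTUD failure mode described above, as an added example rather than code from the webcast: a small ICMPv6 Packet Too Big parser feeding a per-destination path MTU cache that enforces the 1280 byte IPv6 minimum and ignores any PTB that would raise the MTU, plus a model of what happens when a firewall drops the PTB. The packets and addresses are constructed; the MSS helper subtracts the 40 byte IPv6 and 20 byte TCP headers.

```python
"""Path MTU cache driven by ICMPv6 Packet Too Big (type 2) messages."""
import ipaddress
import struct

IPV6_MIN_MTU = 1280          # a link must carry at least this; never cache less
ICMPV6_PACKET_TOO_BIG = 2
IPV6_HEADER = 40


def parse_packet_too_big(icmp):
    """ICMPv6 PTB layout: type(1) code(1) checksum(2) MTU(4) + start of the
    invoking packet. Returns (mtu, original destination) or None if not a PTB."""
    if len(icmp) < 8 + IPV6_HEADER:
        return None
    typ, code, _csum, mtu = struct.unpack("!BBHI", icmp[:8])
    if typ != ICMPV6_PACKET_TOO_BIG or code != 0:
        return None
    # The invoking IPv6 header starts at offset 8; its destination is bytes 24..40.
    dst = ipaddress.IPv6Address(icmp[8 + 24:8 + 40])
    return mtu, str(dst)


def build_packet_too_big(mtu, src, dst):
    """Construct the PTB a router would send (checksum left zero; test data only)."""
    invoking = (struct.pack("!IHBB", 0x60000000, 1400, 6, 64)
                + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking


class PathMtuCache:
    def __init__(self, link_mtu=1500):
        self.link_mtu = link_mtu
        self.mtu = {}            # destination -> learned path MTU

    def mtu_for(self, dst):
        return self.mtu.get(dst, self.link_mtu)

    def handle(self, icmp):
        """Apply a PTB; return the new MTU for its destination, or None if ignored."""
        parsed = parse_packet_too_big(icmp)
        if parsed is None:
            return None
        mtu, dst = parsed
        mtu = max(mtu, IPV6_MIN_MTU)          # PMTUD floor
        if mtu >= self.mtu_for(dst):
            return None                       # a PTB may only shrink the path MTU
        self.mtu[dst] = mtu
        return mtu

    def tcp_mss(self, dst):
        """Largest TCP payload that fits: MTU minus IPv6 (40) and TCP (20) headers."""
        return self.mtu_for(dst) - IPV6_HEADER - 20


def simulate_send(cache, dst, size, path_mtu, ptb_blocked=False):
    """Model one oversized send across a path whose narrowest link is path_mtu.
    The router drops the packet and emits a PTB; if a firewall drops that PTB,
    the sender never learns the smaller MTU and the connection hangs."""
    if size <= path_mtu:
        return "delivered"
    if ptb_blocked:
        return "hang"
    cache.handle(build_packet_too_big(path_mtu, "2001:db8::1", dst))
    return "retry at %d" % cache.mtu_for(dst)
```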
A. They will be available on both IPv4 and IPv6.
A. No, you will fall back to use IPv4.
A. In most cases, you either just fix your IPv6 issue or disable IPv6 to fix it; the troubleshooting sites (especially the ARIN wiki) can help.
A. Most people say that they don't have a use for IPv6 addresses because IPv6 does the same thing as IPv4 except it provides more addresses. But there are other benefits from IPv6 because of the way IPv6 works. One of the interesting benefits that you get out of IPv6 is a management benefit. For example, Google runs IPv6 almost exclusively in their internal networks. The transition from one subnet to another is extremely easy because you can have multiple IPv6 addresses on an interface, where you can take your old address and new address and run them at the same time. So subnetting becomes a very easy process with IPv6. In terms of enterprise management, changing subnets and remembering subnets becomes very easy.
One of the other advantages is that you cut a stateful device out of your network: if you communicate from IPv6 to IPv6, you cut the network address translator out of your discussion, which prevents network address translator timeouts, prevents having additional state, and means there is one less device that can go wrong in the path.
Another interesting fact is that World of Warcraft has adopted IPv6 addresses. The newest World of Warcraft client has IPv6. In gaming scenarios, instead of going to some meet-me point that could do the translation, you connect directly. One of the problems in gaming is that if two persons in the game are going through NAT, it's tricky to make sure that my packets go directly through my NAT and through your NAT to you. If you are running IPv6, direct peer to peer connectivity is a lot simpler. In gaming situations it reduces latency, since it has a more direct path, and it also cuts out the additional box which acts as a relay to tell you how to pass through, i.e. NAT devices. So using IPv6 we get enhanced peer to peer connectivity, some administrative advantages, and additional address space.
One of the other advantages: BitTorrent is very popular on IPv6 as well, because it's a peer to peer application. Any kind of peer to peer application that can cut out a NAT device and cut out the meet-me center has much more efficient communication.
Those are some of the additional advantages other than space and scalability of running IPv6.
A. With unmanaged 6->4 transition techniques such as 6to4 and Teredo, there are certainly security implications. For example, your FW/IPS will no longer have visibility into the payload information to do the proper stateful inspection. There's probably not much impact if you are a provider that provides IPv4 transport. The security implication is more relevant to the end host stack than to the transit IPv4 transport. Also, as an ISP, refer to
A. On the 3550 there is no layer 3 for IPv6. However, on layer 2 it is just an Ethernet frame, so it works with no issues.
A. I love stateless auto address configuration because it doesn't require any additional configuration, except for the fact that stateless auto address configuration only gives you the address. It doesn't tell you anything about your DNS server or any other information that you need to know in your network. It just tells you your address. I think stateless auto address configuration is going to win in places where there is low overhead and a need for simplicity, particularly in small networks. Large enterprise networks need to maintain a lot more authoritative and administrative control over the desktops. In places where greater administrative control is needed, DHCPv6 is going to have a lot more attraction. It gives a lot more control over the client parameters, nodes and network. The needs are not uniform throughout the entire user community on the Internet. I think different people will be using SLAAC and DHCPv6 for different purposes. Since they serve different purposes, I think we would be using both of them.
A. Privacy Extensions for Stateless address autoconfiguration (SLAAC), RFC 4941, gives you an option.
A. That's actually a more realistic threat than most people would think. Check out www.thc.org for some pretty cool (depending on your point of view) hacker tools. One of them will launch a rogue RA type of attack, which does exactly what you asked. Is it possible that a host could be sending out rogue router announcements and providing IPv6 services, including tunneling? The key here is to be aware of what is happening and make sure that your operations staff knows about IPv6 and how to detect it.
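Detecting the rogue RA case the answer describes, as an added example (not part of the webcast): a minimal ICMPv6 Router Advertisement parser and an allowlist audit that an operations team could run over RA records pulled from a packet capture, flagging advertisements from sources that are not the known routers and prefixes that were never assigned, including the 6to4 prefix a home router brings up on its own. The capture records, link-local addresses and prefixes below are constructed.

```python
"""Spot rogue ICMPv6 Router Advertisements (type 134) in captured traffic."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3                  # Prefix Information option, 32 bytes
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def parse_ra(icmp):
    """RA header: type(1) code(1) csum(2) hoplimit(1) flags(1) router lifetime(2)
    reachable(4) retrans(4), then TLV options. Returns dict or None if not an RA."""
    if len(icmp) < 16:
        return None
    typ, code, _csum, _hops, _flags, lifetime = struct.unpack("!BBHBBH", icmp[:8])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        return None
    prefixes, pos = [], 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8   # length in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            break                                          # malformed option; stop
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen = icmp[pos + 2]
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(ipaddress.IPv6Network(f"{prefix}/{plen}", strict=False))
        pos += opt_len
    return {"lifetime": lifetime, "prefixes": prefixes}


def build_ra(lifetime, prefixes):
    """Construct an RA (checksum zero) with one Prefix Information option per prefix."""
    pkt = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    for net in prefixes:
        net = ipaddress.IPv6Network(net)
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           2592000, 604800, 0) + net.network_address.packed
    return pkt


def audit(captured, known_routers, expected_prefixes):
    """captured: [(source link-local address, icmp bytes)]. Returns (source, finding) alerts."""
    expected = [ipaddress.IPv6Network(p) for p in expected_prefixes]
    alerts = []
    for src, icmp in captured:
        ra = parse_ra(icmp)
        if ra is None:
            continue
        if src not in known_routers:
            # lifetime > 0 means hosts will install this source as a default router
            what = "default router" if ra["lifetime"] > 0 else "prefix-only"
            alerts.append((src, "RA from unknown source (%s)" % what))
        for net in ra["prefixes"]:
            if not any(net.subnet_of(e) for e in expected):
                kind = "6to4" if net.subnet_of(SIX_TO_FOUR) else "unexpected"
                alerts.append((src, "%s prefix %s" % (kind, net)))
    return alerts


# Constructed capture: the real router, a host impersonating it, and a home
# router that quietly started a 6to4 tunnel and is advertising its prefix.
CAPTURE = [
    ("fe80::1", build_ra(1800, ["2001:db8:1::/64"])),
    ("fe80::5", build_ra(1800, ["2001:db8:1::/64"])),
    ("fe80::2", build_ra(0, ["2002:c000:204::/64"])),
]
KNOWN_ROUTERS = {"fe80::1"}
EXPECTED_PREFIXES = ["2001:db8:1::/64"]

if __name__ == "__main__":
    for src, finding in audit(CAPTURE, KNOWN_ROUTERS, EXPECTED_PREFIXES):
        print(src, finding)
```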
A. On the latest 6500 code we support HSRP on the global IP.
A. You can review the Cisco Press IPv6 security book by Eric Vyncke and Scott Hogg. It is a comprehensive book on IPv6 security and does have a suggested ACL to apply at the perimeter.
A. If you have a dual-stack network (IPv4 / IPv6), then it could be simple. You could use IPv4 as a transport and use IPv6 MIBs on top of it to poll the IPv6 information. However, you have to have an NMS strategy to support IPv6.
A. Additionally, consider using a tunnel provider like Tunnelbroker.net. You might want to look at , the Saudi Arabia IPv6 Task force.
A. Most of the 6to4 tunneling techniques use raw IP protocol 41 (6to4, 6in4, 6rd, etc.), or UDP encap in the case of Teredo tunnels. So as long as you allow those, you should be fine.
A. A lot of folks are starting to focus on application assessments and trying to understand which ones are address family independent. In regards to operating systems, new OSes like Windows 7 are starting to ship with IPv6 on by default and preferred over IPv6.
A. If you are using stateless auto configuration then you will need a /64 prefix length for client subnets. Otherwise the prefix length is dependent on the host operating system. It is recommended to use a /64 prefix for client subnets.
A. Providers will be giving out big blocks for home networking and you can break it up as you see fit within your home network.
A. Not at this moment in time.
A. NAT66 is still going through the IETF standardization process. NAT66 is not currently supported on Cisco products. Please follow up with your account for the roadmap of this feature.
A. The FWSM does support IPv6. However IPv6 traffic is handled in the software path. Because of that IPv6 performance on the FWSM is not good. The recommended security appliance is the ASA.
A. FWSM IPv6 performance is a platform limitation; there are no changes around this.
A. Please take the ASA route.
A. IPv4 and IPv6 will co-exist for many years. There is no flag day for transition. There should be minimal impact to QoS other than the added traffic. Video traffic is still video traffic regardless of the underlying transport. Video traffic will still have the same service requirements from the network. The same is true for voice. The application is independent of the transport.
A. Dual stack acts as ships in the night.
A. You can request another block from the provider or work with the provider to allow you to advertise more specific routes out of your peering points.
A. Yes, the end-to-end addressing capability would definitely help.
A. Yes you will need to have a feature like NAT64 for that scenario to work.
A. There are a lot of providers who have enormous investments in IPv4 DSLAMs (Digital Subscriber Line Access Multiplexers). These subscriber multiplexers probably cannot be expanded in software/hardware to support IPv6.
The provider called Free.fr in France pioneered a technique whereby they provided IPv6 tunneling inside IPv4. This required an absolute minimum amount of code in the CPE and had a fully stateless connection that could scale to very large numbers. This standard eventually developed into 6rd, or IPv6 Rapid Deployment.
The best practice to implement IPv6 on a legacy access network that already has IPv4 is 6rd. In order for 6rd to work, the ISP has to have control of the code on the CPEs. In the case of Free.fr, they had customized the CPEs and could control them. If the users have a broad mix of CPEs, it would be a problem to control all devices. The easy way to bring up IPv6 without disturbing the IPv4 infrastructure is to use 6rd.
In the inverse situation, you could use the protocol Dual-Stack Lite, where, in an IPv6 capable access network, IPv4 is tunneled inside IPv6 to the NAT devices inside the core. So there are different ways of doing it, and the 6rd technique is one of the common ones among the US carriers, whereby through tunneling they maintain the tunnel translation point.
In terms of cable vendors coming up with stable IPv6 code, there is a lot of work happening around native and tunneled IPv6 capabilities on the CPE.
A. All the solutions that you mention will work and we've seen organizations use them. It comes down to what you are trying to accomplish with your implementation and how you are trying to deliver services to your customers.
A. I am not sure what is happening in this case. You can try to do a traceroute using IPv6 to see where the path is breaking down.
A. The best way to buy an IPv6 address block is to start by talking to your ISP. You can get an IPv6 address block from ARIN (American Registry for Internet Numbers). ARIN is the authority that hands out blocks of addresses. Once you have the block of addresses, you have to find the service provider that would carry the block of addresses. Even if you get a block independent of the service provider from ARIN, you still need to search for an IPv6 service provider to advertise those blocks. So it's better to start with your service provider to ask for a block of IPv6 addresses. It also depends on where you sit in the hierarchy. You could either get an address range from your local SP or get it directly from your local registry: https://www.arin.net/knowledge/v4-v6.html
A. The answer is no. If you look into the IETF, there is a NAT66 working group, which translates NAT to NAT. The good news is that although NAT does not go away, stateful NAT can go away. One of the biggest problems with NAT is overloading port numbers on the IP addresses, trying to pile more users on a single IP address and maintaining all that state and its timeouts. So maintaining all those stateful mappings makes it more difficult to work with NAT. The good news here is that almost all the NAT66 proposals are about translating one address to another for administrative purposes. For example, if I have a provider independent IPv6 address space inside my network and I have 2 or 3 different carriers that provide provider dependent space, for this I would use NAT66, so that I could maintain my address pool but then project it out to provider dependent address space seamlessly to my end users and external users. Almost all IPv6 NAT will be one to one because the address space is so big, which means it will be a completely stateless situation where, once the mapping is done, the mapping can effectively stay there forever. The good news is IPv6 will reduce the need for NAT if it's done right, but I don't think NAT will ever go away.
There are standards bodies working on IPv6 to IPv6 NAT translation, and there's also a whole separate discussion about NAT64, which allows IPv6 network addresses to be network translated into IPv4. There are still different users who use NAT for different purposes other than address overloading, so those people will still have a NAT standard to work with in IPv6.