Phillip Remaker
Cisco Employee

Introduction

 


 

 

World IPv6 Day is coming on June 8, 2011. For 24 hours, some of the world’s most popular websites, such as Google, Yahoo, and Facebook, will activate IPv6 connectivity for their main websites. What are the implications of this event? How might it affect you or your customers? How should you prepare? Should your own site activate IPv6 on that day?

 

Phil Remaker is a distinguished support engineer at Cisco and is recognized for his wide range of knowledge and skills in Cisco products, networking protocols, and systems. He currently works as a technical leader in the Cisco Services Technical Services organization focusing on vexing problems around security, software release, and product manageability. He holds a CCIE certification number 1034.

 

This document contains all the questions that were put to Phil during the CSC Expert Series Live Webcast.

 

In the live webcast, Phil provided a simple overview of a dual-stacked IPv4 and IPv6 environment and explained typical failure modes in IPv6 transport and DNS that might be experienced. He introduced some websites you can use to test your IPv6 connectivity in advance of World IPv6 Day and talked about IPv6 connectivity options for websites and end users. The links are in the Related Information section at the bottom of this document.

 

The following Cisco experts were helping Phil to answer many of the questions asked during the session: Escalation support engineer Wen Zhang, architect Yenu Gobena, distinguished support engineer Salman Asadullah, technical leader Andrew Yourtchenko, distinguished support engineer Carlos Pignataro, and architect Jim Bailey. All these experts have vast knowledge in routing topics including IPv6.

 

The related "Ask The Expert" session is available here. The complete recording of this live webcast can be accessed here.

 

The presentation provided during the live event is attached to this document. Scroll down to the bottom to be able to download it.

 

Guidelines

Q. Can you suggest any comprehensive books on understanding / deploying IPv6?

A. There are 3 good deployment books: Deploying IPv6 in Broadband Access Networks by Adeel Ahmed and Salman Asadullah, John Wiley & Sons Publications. There are a few great books depending on what you are looking for. Two good Cisco Press books on this topic are: Global IPv6 Strategies: From Business Analysis to Operational Planning, and Deploying IPv6 Networks.

Q. Are there DNS IPv6 test tools? It appears that DNS will be the biggest transition problem to IPv6.

A. The test-ipv6.com site does a series of DNS tests, and it depends on what type of DNS issue you are talking about. The biggest DNS problems are if a host deals up bad information through DNS. There are researchers at Cisco testing the various DNS issues. There are some crazy situations where people return link local addresses to DNS queries over the global Internet. For example: if I make a request for www.example.com and it comes back as 192.168.1.5, which is wrong. The DNS itself is not going to be the problem. It's more people misconfiguring their DNS that is going to be the problem. DNS can work over IPv4 or IPv6. It turns out that if you run your DNS protocol over IPv4, you can still learn IPv6 addresses over the IPv4 protocol, so that won't be a problem. There weren't many public servers at one point doing DNS over IPv6, but now there are more and more public servers appearing that speak IPv6 and do the DNS protocol over IPv6. Testing tools like the test-ipv6.com website will test to make sure that your DNS client is configured correctly. In terms of your DNS server being configured correctly, that's a little tricky. I need to check on whether there is any particular test tool to make sure that you have the same DNS configuration on your server side. It's a good question since more people look for it in support forums!!!

Q. Any datasheet from Cisco to show IPv6 capable products in one page?

A. Please visit http://www.cisco.com/en/US/technologies/collateral/tk648/tk872/tk373/technologies_white_paper_09186a00802219bc_ps6553_Products_White_Paper.html

Q. Is there a good example of a best practices ACL for Internet facing interfaces?

A. Check out the Cisco Press IPv6 Security book by Eric Vyncke and Scott Hogg. It is a comprehensive IPv6 security resource and does have a suggested perimeter ACL for IPv6 traffic. Please take a look at table 4.1 for the perimeter ACLs: http://212.50.14.233/Nikon/Books/Computing%20&%20Games/Networking/IPv6%20Security.pdf

 

Q. What about CCNA certification? Does this mean that there will be a new CCNA Certification version after June 9?

A. CCNA is IPv6 Forum Gold Education Certified, see https://learningnetwork.cisco.com/docs/DOC-10327 and http://www.cisco.com/web/learning/le3/le2/le0/le9/learning_certification_type_home.html

 

Q. Are there any guidelines on how to develop an IPv6 addressing plan for enterprises that have locations worldwide (where different RIRs are responsible for handing out prefixes)? E.g., if a company gets address space from RIPE, but has locations in the U.S.

A. Please look at RFC 5375 (the appendix has an enterprise case study). Also: IPv6 for Enterprise Networks - Shannon McFarland, Muninder Sambi, Nikhil Sharma, Sanjay Hooda, Cisco Press®.

Q. Isn't there a RFC out where DHCPv6 provide 6rd configuration options?

A. RFC5969 - though it is relatively recent (and I assume you meant DHCP on v4, since if you already have IPv6, then there is no need for 6rd).

Q. Any advantage for IPv6 for voice and video communication over IPv4?

A. There are more QoS bits available to play with in IPv6. If we are using video multicast, there is a larger number of multicast channels to be used in IPv6. But I don't see any specific advantage to running multi video over IPv6.

Q. I have seen a demo by Spirent where a router (vendor unknown) drastically lost IPv4 performance after enabling IPv6 and having only little IPv6 traffic. Can this happen to Cisco routers?

A. Cisco is the IPv6 leader and has the largest IPv6 product support.

 

Basic Functionality

Q. Which operating systems support IPv6?

A. Almost all of them these days, including Android and iPhone/iPad.

 

Q. How will my devices get IPv6 addresses assigned to my devices? Do I need a DHCP server?

A. SLAAC – if there is an IPv6 capable router, they WILL get an address! No DHCP needed except to pick up DNS server information, but it will share that information as learned from DHCPv4.

 

Q. Can I run an internal IPv6 network and just have it get translated to IPv4 rather than getting an IPv6 connection?

A. Well, the deprecated NAT-PT and the new NAT64 will let you do that, but you lose the end-to-end promises of IPv6 connectivity and still have a stateful NAT box no better than your current NAT44. However, NAT64 can be a useful stepping stone to make your IPv4 infrastructure visible to the IPv6 Internet.

 

Q. What is the easiest way to get IPv6 connectivity set up for my company?

A. Use your ISP if they have it, otherwise a free tunnel from a tunnel broker. LISP is also an option. See the note on the support forums.

 

Q. How widely adopted is IPv6?

A. Across the whole Internet, though it's not adopted very much, but in certain technical communities it has leaped up, like the Interop story here. Also, more trade shows do IPv6 and more networks support IPv6. Latent IPv6 stacks will light up when the network is enabled.

 

Q. What precautions do I need to take on my firewall if I allow IPv6?

A. Refer to RFC4980. Also make sure NOT to block ICMPv6; host firewalls are pretty good.

 

Q. How do I access Google/YouTube/Facebook using IPv6?

A. Use the URL reference, DNS whitelist or use whitelisted server or go to the special sites when set up.

 

Q. I hear the US Government is requiring the use of IPv6. Does this mean we will need IPv6 to reach Government sites?

A. Not at all. You will need dual stack. However, increasingly they will demand suppliers provide websites/content and connections via IPv6.

 

Q. How to ping IPv6?

A. Use the command "ping IPv6 address". Typically you can also use "ping -6" or "ping6" if you are pinging a FQDN or domain name and want to choose IPv6.

 

Q. Does it mean that the ping in IPv6 is in the same format of IPv4? Does this DOS command support IPv6?

A. Use the "ping6" command in DOS to test IPv6 connectivity. For more information about ping6 refer to http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ip_v6_pro_diag_ping6_conn.mspx?mfr=true

Q. If the translation of IPv6 to IPv4 is done on the router, does it mean that the end user will receive an IPv4 address?

A. If you are running NAT64 on the router, the clients of the router will get IPv6 addresses and the router does the translation to reach the IPv4-only hosts in the networks. So the idea is, with NAT64 you can run an IPv6-only network inside the enterprise and have IPv6 addresses that can still reach out to IPv4 hosts.

In the reverse situation, where an IPv4 host needs to reach an IPv6-only device, we recommend implementing IPv6 on the network and using NAT64 to reach IPv4-only hosts.

Q. I have Win7 clients that are dual-stacked. I only route IPv4 internally and externally. Will my dual-stacked clients have issues on World IPv6 day?

A. That's a great question!!! If you are a dual stack client, you can run IPv6 link-locally on the wire until you get assigned a global IPv6 address through stateless address autoconfiguration or through DHCPv6. Your dual stack clients will not have a problem until they get a global IP address. The only way they would pick up a global address is if there is a router that will assign them a global IP address. If you have a router, configure it to run IPv6, which will let them get a global address. In turn, it communicates with the global IPv6 Internet. A quick check can be done if you run ipconfig on the Windows 7 device. Take a look at the IPv6 address, and if it starts with the letter F, then it is a link local address. If your IPv6 address starts with 2, then it is a global IPv6 address. You do want to visit one of the test sites. The site test-ipv6.com is my personal favorite. It will do a quick analysis and tell you if there are problems.

If you have a dual stack client, but your routers are running IPv6, until you get a global IPv6 address, your device will not attempt to connect to the IPv6 Internet. There are certain home routers that will automatically build an IPv6 tunnel using an automatic configuration tunneling protocol called "6to4". This is another issue and you need to be careful about it. It may be doing that quietly in the background without your knowledge and then in turn sending IPv6 router advertisements which give your hosts IPv6 addresses. In that case, you will be running IPv6 and you don't know it. The quick test site test-ipv6.com will tell you whether you are running IPv4 or IPv6. If it is IPv6, it will tell you your IPv6 address and also give you a good estimate of whether you have problems or not.
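
Added example (not part of the original webcast Q&A): a Python version of the quick ipconfig check described above, extended beyond the "starts with F or 2" rule to also recognize 6to4 (2002::/16) and Teredo (2001::/32) addresses, which indicate a tunnel that came up without being planned. The ipconfig excerpt is constructed sample data using documentation addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample resembling Windows ipconfig output (documentation addresses).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Link-local IPv6 Address . . . . . : fe80::1c2b:3d4e:5f60:7182%11
   IPv4 Address. . . . . . . . . . . : 192.0.2.50
Tunnel adapter 6TO4 Adapter:
   IPv6 Address. . . . . . . . . . . : 2002:c000:232::c000:232(Preferred)
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   IPv6 Address. . . . . . . . . . . : 2001:0:c000:201:8000:f227:34ff:8ef6
"""

ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify(addr: str) -> dict:
    """Classify one IPv6 address; recover the IPv4 address hidden in tunnel formats."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop the zone id, e.g. %11
    info = {"address": str(ip), "kind": "other", "embedded_ipv4": None}
    if ip.is_link_local:                 # fe80::/10, the "starts with F" case
        info["kind"] = "link-local"
    elif ip.sixtofour is not None:       # 2002:V4ADDR::/48
        info["kind"] = "6to4"
        info["embedded_ipv4"] = str(ip.sixtofour)
    elif ip.teredo is not None:          # 2001:0000:/32, client IPv4 stored inverted
        _server, client = ip.teredo
        info["kind"] = "teredo"
        info["embedded_ipv4"] = str(client)
    elif ip in ULA:
        info["kind"] = "unique-local"
    elif ip in GLOBAL_UNICAST:           # the "starts with 2" (or 3) case
        info["kind"] = "global"
    return info


def ipv6_addresses(ipconfig_text: str) -> list:
    """Pull the values of every 'IPv6 Address' line out of ipconfig-style text."""
    found = []
    for line in ipconfig_text.splitlines():
        if "IPv6 Address" in line and ": " in line:
            value = line.split(": ", 1)[1].split("(")[0].strip()
            try:
                found.append(classify(value))
            except ValueError:
                continue  # not an address after all
    return found


def find_tunnels(ipconfig_text: str) -> list:
    """Return only the addresses that come from automatic tunnels."""
    return [a for a in ipv6_addresses(ipconfig_text) if a["kind"] in ("6to4", "teredo")]


if __name__ == "__main__":
    for entry in ipv6_addresses(SAMPLE_IPCONFIG):
        print(entry)
```

A host that shows only a link-local address will not try the IPv6 Internet; a host that reports a 6to4 or Teredo address is already tunneling IPv6 through the IPv4 network.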

Q. What is the format of IPv6? Is it hexadecimal or decimal?

A. The format of IPv6 is hexadecimal (example: 2001:0db8::). For the rules on textual representation of IPv6 addresses, refer to RFC 5952.

Q. How to be connected to IPv6 if the ISP gives me a /64 to my router?

A. You need to ask the ISP. Maybe they could allocate some more address space. Giving out just a /64 sounds incorrect. This is the cleanest solution to this problem. There are of course other less nice ones, but they are not practical beyond a small network.

 

Q. If I buy an IPv6 address from my ISP, can I still use my NAT router for my network, or do I need to add some additional configuration?

A. If you are looking for IPv6 to IPv4, then you need a feature called NAT64, and it comes in two flavors - NAT64 stateless and stateful. It comes about in newer releases of code and on a certain platform.

 

Q. Is Subnetting in IPv6 a different procedure than in IPv4?

A. Subnetting in IPv6 is quite different from IPv4. The recommended prefix length for host/server segments is /64. There is no need to properly size those segments with the expanded address space. Network infrastructure links can support longer prefix lengths, such as /96, /112, /126 or /127. The choice comes down to how you want to manage the space.

 

Q. We have seen issues with a /32 prefix. Can we subdivide this across the globe or do we need to get a block of addresses from each registrar?

A. You can divide it across the globe, but only if the providers at each part of the globe will accept the prefix. Most large companies get a prefix from each region where their devices are to ensure that the local carrier will carry that prefix.


Q. What's the smallest subnet being used on private networks for IPv6? My thought here is regarding the impact of viruses that use broadcast to discover hosts to attack.

A. It can be as small as a /127. By the way, there is no longer the concept of broadcast with IPv6; there is only multicast. As far as protecting against scanning attacks, some of the best practices include using link local addresses and infrastructure ACLs when applied.

Q. If my company has plenty of 1918 address space left to cover us and we only have one IPv4 block of space to the Internet, what benefits would implementing IPv6 have vs. the cost to implement?

A. There are multiple reasons for deploying IPv6 depending on needs. Some verticals will go to IPv6 later than others. You seem like an enterprise. Please read this: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-586154.html

Q. If I am a software vendor that sells a distributed product that uses TCP for connecting between its various servers, should I check that my product works well with IPv6? Our customers install our product within their organization on their IT infrastructure.

A. Yes. It would be worthwhile to verify that your application works well with IPv6 because IPv6 is coming and can take advantage of IPv6 based transport.

 

Q. What are the top three differences between IPv6 and IPv4?

A.

  1. The big difference is the 128 bits for the address used in IPv6 vs. 32 bits used in IPv4.
  2. The IPv6 base header is also a fixed length at 40 bytes vs. a variable length IPv4 header.
  3. The concept of extension headers is also new to IPv6. Extension headers allow for a fixed base header.

You can also check differences at http://en.wikipedia.org/wiki/IPv6#Comparison_to_IPv4

 

Q. Will IPv6 have its own limitations requiring further updates in the future? Any forecast when this might occur?

A. All protocols are expected to evolve, based on limitations, new deployment models, etc. The design of IPv6 is such that address space is not a limitation.


Q. What is the best way to implement IPv6 if we have IPv6 address block from our Internet provider? We cannot yet route IPv6 over our WAN provider?

A. There are several ways that you can do this. Phil mentioned a couple of tunnel service providers. Any one of these providers could allow you to route IPv6 to the internet. Similarly you could do an internal tunnel overlay if you wanted to support IPv6 on your internal network. At some point, this overlay is not scalable, but it does give an interim step for IPv6 integration and allows your provider to catch up on IPv6 integration.

 

Q. Are there any problems with the size of MTU while using IPv6?

A. Yes, there can be problems. One of the issues in IPv4 is that packet fragmentation can happen in the network. So any router in the network, if it gets a packet that is too big, can fragment it and send it on its way. In the case of IPv6, there will be no fragmentation at the router. Only the host will do the fragmentation if it needs to be done. So that relies on the host reliably learning the MTU of the entire path from end to end. The built-in mechanism is path MTU discovery, called PMTUD, whereby a router that receives a packet that is too big to carry will send back an ICMPv6 type 2 packet called a PTB (Packet Too Big) message. As long as there is no firewall that blocks the ICMPv6 packet, it can pass through and MTU works fine. There are many misguided network designs which block all ICMP packets, and in such a network, if a packet sent to a router is too big, the message gets dropped on the way back to the sender and the connection hangs forever. In this case, you need to lower the MTU to 1280 or lower the TCP MSS to 1240. There are many service providers providing MTU 1280 in order to avoid the MTU problems, saying that PMTUD is unreliable. But one of the largest service providers decided to send 1500 so that they can debug the MTU issues if people are facing problems in reaching the ISP. So when you have a misconfigured network that handles IPv6 wrong, there will be MTU issues. Cisco is one of the organizations that decided to send 1500-byte packets and will dig into the PMTU issues.
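
Added example (not part of the original webcast Q&A): a small Python model of the PMTUD behavior described above, showing the same path working when Packet Too Big messages reach the sender, hanging when a firewall drops them, and working again when the sender starts at 1280. The function name and the sample path MTUs are assumptions; no packets are sent.

```python
IPV6_MIN_MTU = 1280  # smallest MTU any IPv6 link is allowed to have


def send_with_pmtud(link_mtus, packet_size=1500, ptb_blocked=False, max_tries=4):
    """Model a sender pushing one packet size across a path of links.

    link_mtus   : MTU of each link, in path order (constructed values)
    ptb_blocked : True models a firewall that drops ICMPv6 Packet Too Big
                  messages on their way back to the sender
    Routers never fragment in IPv6: an oversized packet is dropped and the
    router answers with Packet Too Big carrying its next-hop MTU.
    """
    size = packet_size
    log = []
    for attempt in range(1, max_tries + 1):
        # First link on the path that cannot carry the current packet size.
        bottleneck = next(
            ((hop, mtu) for hop, mtu in enumerate(link_mtus) if size > mtu), None
        )
        if bottleneck is None:
            log.append(f"try {attempt}: {size} bytes delivered")
            return {"delivered": True, "size": size, "attempts": attempt, "log": log}
        hop, mtu = bottleneck
        if ptb_blocked:
            # The sender hears nothing back, so it retransmits the same size.
            log.append(f"try {attempt}: {size} bytes dropped at hop {hop}, PTB filtered")
            continue
        # The sender learns the smaller MTU and retries with it.
        size = max(mtu, IPV6_MIN_MTU)
        log.append(f"try {attempt}: dropped at hop {hop}, PTB says MTU {mtu}")
    return {"delivered": False, "size": size, "attempts": max_tries, "log": log}


# Constructed path: a 1480-byte link in the middle, as with an IPv6-in-IPv4 tunnel.
SAMPLE_PATH = [1500, 1480, 1500]

if __name__ == "__main__":
    for label, kwargs in [
        ("ICMPv6 allowed", {}),
        ("ICMPv6 blocked", {"ptb_blocked": True}),
        ("ICMPv6 blocked, sender uses 1280", {"ptb_blocked": True, "packet_size": 1280}),
    ]:
        result = send_with_pmtud(SAMPLE_PATH, **kwargs)
        print(label, "->", "delivered" if result["delivered"] else "black hole")
        for line in result["log"]:
            print("   ", line)
```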

 

World IPv6 Day

Q. On World IPv6 Day, will the websites be available on IPv6 only, or on both IPv6 and IPv4? If IPv6 only, will this mean that translation takes place for end users on IPv4 only?

A. They will be available on both IPv4 and IPv6.

Q. For IPv6 day, if my network is IPv4 only, what are the problems I may face on the day? The only form of IPv6 on my network may be from automatic tunnels like 6to4.

A. Please check out: http://getipv6.info/index.php/Customer_problems_that_could_occur which provides great information.

Q. Will I need to have IPv6 in order to access sites participating in World IPv6 Day?

A. No, you will fall back to use IPv4.

 

Q. What should I do if I can't get to Cisco/Google/etc on World IPv6 Day?

A. In most cases, you either just fix your IPv6 issue or disable IPv6 to fix it; the troubleshooting sites (especially the ARIN wiki) can help.

 

Q. Does IPv4 reach a limit where it needs to use IPv6? Does IPv6 provide other benefits over IPv4 rather than just scalability?

A. Most people say that they don't have a use for IPv6 addresses because IPv6 does the same thing as IPv4 except that it provides more addresses. But there are other benefits to IPv6 because of the way IPv6 works. One of the interesting benefits that you get out of IPv6 is a management benefit. For example, Google runs IPv6 almost exclusively in their internal networks. The transition from one subnet to another is extremely easy because you can have multiple IPv6 addresses on the interface, where you can take your old address and new address and run them at the same time. So subnetting becomes a very easy process with IPv6. In terms of enterprise management, changing subnets and subnets remembering becomes very easy.

One of the other advantages is that if you cut a stateful device out of your network, if you communicate from IPv6 to IPv6, you cut the network address translator out of your discussion, which prevents network address translator timeouts and prevents having additional state, and there is one less device that can go wrong in the path.

Another interesting fact is that World of Warcraft has adopted IPv6 addresses. The newest World of Warcraft client has IPv6. In the gaming scenarios, instead of going to some meet-me point that could do the translation. One of the problems in gaming is that if two persons in the game are going through NAT, it's tricky to make sure that I send my packets directly through my NAT and to your NAT to you. If you are running IPv6, direct peer-to-peer connectivity is a lot simpler. In gaming situations it reduces latency, since it has a more direct path, and it also cuts out the additional box which acts as a relay to tell you how to pass through, i.e. NAT devices. So using IPv6 we get enhanced peer-to-peer connectivity, some administrative advantages, and additional address space.

One other advantage: BitTorrent is very popular in IPv6 as well because it's a peer-to-peer application. Any kind of peer-to-peer application that can cut out a NAT device and cut out the meet-me center has much more efficient communication.

Those are some of the additional advantages other than space and scalability of running IPv6.

Features

Q. I am an IPv4 only broadband ISP, so the only IPv6 on my network is from users doing 6to4 or Teredo automatically on their OS. What are the risks or known issues in such a case?

A. With unmanaged 6->4 transition techniques such as 6to4 and Teredo, there are certainly security implications. For example, your FW / IPS will no longer have visibility into the payload information to do the proper stateful inspection. There's probably not much impact if you are a provider that provides IPv4 transport. The security implication is more relevant to the end host stack than the transit IPv4 transport. Also, as an ISP, refer to http://tools.ietf.org/html/draft-ietf-v6ops-6to4-advisory-01

Q. Does Catalyst 3550 support IPv6 on layer 3?

A. On the 3550, no layer 3 for IPv6. However, on layer 2 it is just an Ethernet frame, so it works with no issues.

Q. Do you expect stateless auto-config or DHCPv6 to be more popular?

A. I love stateless auto address configuration because it doesn't require any additional configuration, except for the fact that stateless auto address configuration only gives you the address. It doesn't tell you anything about your DNS server or any other information that you need to know in your network. It just tells you your address. I think stateless auto address configuration is going to win in places where there is low overhead and a need for simplicity, particularly in small networks. Large enterprise networks need to maintain a lot more authoritative and administrative control over the desktops. In places where greater administrative control is needed, DHCPv6 is going to have a lot more attraction. It gives a lot more control over the client parameters, nodes and network. The needs are not uniform throughout the entire user community on the Internet. I think different people will be using SLAAC and DHCPv6 for different purposes. Since they serve different purposes, I think we will be using both of them.

 

Q. As an IPv6 client, how can I prevent being tracked by my IPv6 address over days? NAT?

A. Privacy Extensions for Stateless Address Autoconfiguration (SLAAC), RFC 4941, gives you an option.

Q. Would it be a possible threat to have a malicious host inside my network handing out global IPv6 addresses to my Windows 7 clients? Would it be possible for this malicious host to tunnel v6 traffic from my hosts to and from the Internet?

A. That's actually a more realistic threat than most people would think. Check out www.thc.org for some pretty cool (depending on your point of view) hacker tools. One of them will launch a rogue RA type of attack, which does exactly what you asked. It is possible that a host could be sending out rogue router announcements and providing IPv6 services, including tunneling. The key here is to be aware of what is happening and make sure that your operations staff knows about IPv6 and how to detect it.
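
Added example (not part of the original webcast Q&A): one way operations staff could detect the rogue router advertisements discussed above, by parsing captured ICMPv6 Router Advertisement bytes and comparing the sender and advertised prefixes against what the network is supposed to announce. The router address, prefixes, MAC addresses and function names are assumptions, and the sample messages are constructed in the code rather than captured.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement
OPT_SRC_LLADDR = 1       # Source Link-Layer Address option
OPT_PREFIX_INFO = 3      # Prefix Information option


def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (ICMPv6 header onward)."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _type, _code, _cksum, _hop, _flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmp[:16]
    )
    ra = {"router_lifetime": lifetime, "prefixes": [], "src_mac": None}
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8   # length is in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed option")
        body = icmp[off:off + olen]
        if otype == OPT_SRC_LLADDR and olen == 8:
            ra["src_mac"] = body[2:8].hex(":")
        elif otype == OPT_PREFIX_INFO and olen == 32:
            ra["prefixes"].append(
                ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            )
        off += olen
    return ra


def check_ra(src: str, icmp: bytes, allowed_routers, expected_prefixes) -> list:
    """Return a list of findings; an empty list means the RA matches policy."""
    ra = parse_ra(icmp)
    findings = []
    sender = ipaddress.IPv6Address(src)
    if not sender.is_link_local:
        findings.append(f"RA source {src} is not link-local")
    if sender not in allowed_routers:
        findings.append(f"RA from unknown router {src} (mac {ra['src_mac']})")
    for prefix in ra["prefixes"]:
        if prefix not in expected_prefixes:
            findings.append(f"unexpected prefix {prefix} advertised by {src}")
    return findings


def sample_ra(prefix: str, mac: str) -> bytes:
    """Build a constructed RA body for testing the checker (nothing is sent)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    lladdr = bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    return header + lladdr + pio


# Assumed policy for this example: one legitimate router, one site prefix.
ALLOWED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:10::/64")}

GOOD_RA = sample_ra("2001:db8:10::/64", "00:00:5e:00:53:01")
ROGUE_RA = sample_ra("2002:c000:204::/64", "00:00:5e:00:53:99")  # 6to4 prefix

if __name__ == "__main__":
    for src, msg in [("fe80::1", GOOD_RA), ("fe80::bad:cafe", ROGUE_RA)]:
        print(src, check_ra(src, msg, ALLOWED_ROUTERS, EXPECTED_PREFIXES) or "ok")
```

The same check catches a home-style router that quietly builds a 6to4 tunnel and starts advertising a 2002::/16 prefix on the LAN.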

 

Q. When will Cisco routers support Global IPs as the HSRP address instead of Link Local?

A. On the latest 6500 code we support HSRP on the global IP.

Q. Is there a best practice for an IPv6 ACL to put at the public IPv6 border router to filter all IPv6 bogus traffic at the perimeter (like private IPv6 space) so the firewall is only filtering normal traffic like web traffic?

A. You can review the Cisco Press IPv6 security book by Eric Vyncke and Scott Hogg. It is a comprehensive book on IPv6 security and does have a suggested ACL to apply at the perimeter.


Q. In terms of IPv6 management, what does it mean compared to IPv4?

A. If you have a dual-stack network (IPv4 / IPv6), then it could be simple. You could use IPv4 as a transport and use IPv6 MIBs on top of it to poll the IPv6 information. However, you have to have an NMS strategy to support IPv6.

Q. I am from Saudi Arabia, a customer company. I don't think we have any ISP who has BGPv6. Suppose I got my provider independent IPv6 subnet and an Autonomous System. Now I want to have BGPv6 relationship over Internet for IPv6 subnet to be available for IPv6.

A. Additionally, consider using a tunnel provider like Tunnelbroker.net. You might want to look at http://www.ipv6.org.sa/, the Saudi Arabia IPv6 Task Force.

 

Q. I am running IPv4 only right now with no specific plans to move to IPv6 in the near future. I am trying to experiment with it using a tunnelbroker service. What is the best way to get this through my NAT firewall?

A. Most of the 6to4 tunneling techniques use raw IP protocol 41 (6to4, 6in4, 6rd, etc.), or UDP encap in the case of Teredo tunnels. So as long as you allow those, you should be fine.


Q. I see a lot of emphasis on the network impact, but is the same effort being made in the apps world? I just heard something from Windows 7!

A. A lot of folks are starting to focus on application assessments and trying to understand which ones are address family independent. In regards to operating systems, new OSes like Windows 7 are starting to ship with IPv6 on by default and preferred over IPv6.

Q. The ISP free.fr is on the first to use 6rd and actually gives us /64 to be used. Can we bridge IPv6 Packet when my router speaks only IPv6?

A. I think the best in the case of free.fr would be to look around/ask in the forums like www.aduf.org and universfreebox.com


Q. Are there any experiences with IPv6 client subnets with prefix >/64 without regard to stateless autoconfiguration?

A. If you are using stateless auto configuration then you will need a /64 prefix length for client subnets. Otherwise the prefix length is dependent on the host operating system. It is recommended to use a /64 prefix for client subnets.

Q. Without stateful NAT do you expect providers to offer several IPv6 addresses to home consumers when today they were only able to get one IPv4 address and have to NAT all their home devices.

A. Providers will be giving out big blocks for home networking and you can break it up as you see fit within your home network.

Q. Is there any way for a Cisco ASA devices to terminate a tunnelbroker IPv6 tunnel or other transition technologies?

A. Not at this moment in time.


Q. NAT66 is not possible on Cisco equipment?

A. NAT66 is still going through the IETF standardization process. NAT66 is not currently supported on Cisco products. Please follow up with your account for the roadmap of this feature.

Q. Does the FWSM on the 6500 switch support IPv6?

A. The FWSM does support IPv6. However, IPv6 traffic is handled in the software path. Because of that, IPv6 performance on the FWSM is not good. The recommended security appliance is the ASA.

Q. Do you have a solution for the IPv6 performance on the FWSM?

A. FWSM IPv6 performance is a platform limitation; there are no changes around this.

 

Q. Any test done with SIP and H.323 protocol for IPv6?

A. You can refer to http://www.tahi.org/sip-ipv6/ua6/index.html


Q. I have an ASA at the edge, but in the LAN I have an FWSM in a 6500. This is a problem for my migration. What do you recommend?

A. Please take the ASA route.

Q. What is a good IPv6 calc site or tool?

A. http://www.subnetonline.com/pages/subnet-calculators/ipv6-subnet-calculator.php

Q. Explain DS-Lite?

A. Some basic info at http://en.wikipedia.org/wiki/IPv6_transition_mechanisms#Dual-Stack_Lite_.28DS-Lite.29

Q. How long will this IPV6 process take in the world and how does this impact the QOS process?

A. IPv4 and IPv6 will co-exist for many years. There is no flag day for transition. There should be minimal impact to QoS other than the added traffic. Video traffic is still video traffic regardless of the underlying transport. Video traffic will still have the same service requirements from the network. Same is true for voice. The application is independent of the transport.

Q. If I dual stack my router, are there any potential issues for IPv4 traffic transiting the router, or is IPv4 totally unaffected if I dual stack the router?

A. Dual stack acts as ships in the night.


Q. How can I use IPv6 multihome at different ISP without my own IPv6 space (think about small business.) In IPv4 we used NAT to translate to the correct ISP addresses, in IPv6 there is no NAT, now what to do?

A. You can request another block from the provider or work with the provider to allow you to advertise more specific routes out of your peering points.

Q. Wouldn't the possible lack of NAT be a video conference benefit? Direct point to point connectivity!

A. Yes, the end-to-end addressing capability would definitely help.

Q. My ISP uses IPv6 and I get a global IPv6 address from them to use on my NAT router. In my internal network I use IPv4. Do I have to reconfigure my NAT router?

A. Yes, you will need to have a feature like NAT64 for that scenario to work.

Service Providers

Q. What are the best practices to implement IPv6 on the access networks? We don't see ADSL, or cable modems, or router vendors that have come up with the stable IPv6 code on the CPE devices and it seems like they are running pretty slow on enabling IPv6 features.

A. There are a lot of providers who have enormous investments in IPv4 DSLAMs (Digital Subscriber Line Access Multiplexers). These subscriber multiplexers probably cannot be expanded in software/hardware to support IPv6.

The provider called Free.fr in France pioneered a technique whereby they provided IPv6 tunneling inside IPv4. This required an absolutely minimum amount of code in the CPE and had a fully stateless connection that could scale to very large numbers. This standard eventually developed into 6rd, or 6 rapid deployment.

The best practice to implement IPv6 on a legacy access network that already has IPv4 is 6rd. In order for 6rd to work, the ISP has to have control of the code of the CPEs. In the case of free.fr, they had customized the CPEs and can control them. If the users have a broad mix of CPEs, it would be a problem to control all devices. The easy way to bring up IPv6 without disturbing the IPv4 infrastructure is to use 6rd.

In inverse situations, you could use the protocol Dual Stack-Lite, where in an IPv6 capable access network, IPv4 is tunneled inside IPv6 to the NAT devices inside the core. So there are different ways of doing it, and the 6rd technique is one of the common ones among the US carriers, whereby with tunneling they maintain the tunnel translation point.

In terms of cable vendors coming up with stable IPv6 code, there is a lot of work happening around native and tunneling IPv6 capabilities on the CPE.

Q. What is a recommended solution to make an IPv4 only server visible on the IPv6 Internet? NAT64/load balancer, reverse proxy, others? Let's assume that AAAA DNS record for this server is populated correctly.

A. All the solutions that you mention will work and we've seen organizations use them. It comes down to what you are trying to accomplish with your implementation and how you are trying to deliver services to your customers.

Q. I see my 6to4 address, which starts with 2002:, but when I go to one of your IPv6 test sites I get: "Your internet connection is not IPv6 capable". Why is that?

A. I am not sure what is happening in this case. You can try to do a traceroute using IPv6 to see where the path is breaking down.

 

Q. How would I buy an IPv6 address block for my company?

A. The best way to buy an IPv6 address block is to start by talking to your ISP. You can get the IPv6 address block from ARIN (American Registry for Internet Numbers). ARIN is the authority that hands out blocks of addresses. Once you have the block of addresses, you have to find the service provider that would carry the block of addresses. Even if you get a block independent of the service provider from ARIN, you still need to search for an IPv6 service provider to advertise those blocks. So it's better to start with your service provider to ask for a block of IPv6 addresses. It also depends on where you sit in the hierarchy. You could either get an address range from your local SP or get it directly from your local registry: https://www.arin.net/knowledge/v4-v6.html

 

Q. Is it true that NAT goes away with IPv6?

A. The answer is no. If you look into the IPF, there is a NAT 66 working group which translates NAT to NAT. The good news is that although NAT does not go away, the stateful NAT can go away. One of the biggest problems with NAT is overloading port numbers on the IP addresses, trying to pile more users on a single IP address, and maintaining all that state and its timeouts. So maintaining all those stateful mappings makes it more difficult to work with NAT. The good news here is that almost all the NAT 66 proposals are about translating one address to the other for administrative purposes. For example, say I have a provider independent IPv6 address space inside my network and I have 2 or 3 different carriers that provide provider dependent space. For this I would use NAT 66, so that I could maintain my address pool but then project it out to provider dependent address space seamlessly to my end users and external users. Almost all the IPv6 NAT will be one to one because the address space is so big, which means it will be a completely stateless situation where once the mapping is done, the mapping can effectively stay there forever. The good news is IPv6 will reduce the need for NAT if it's done right, but I don't think NAT will ever go away.

There are standards by these working on IPv6 to IPv6 NAT translation, and there's also a whole separate discussion about NAT 64, which is allowing IPv6 network addresses to be network translated into IPv4. There are still different users who use NAT for different purposes other than address overloading, so those people will still have a NAT standard to work with IPv6.

 

Related Information

 

 
