Moving to IPv6

Started by LynK, January 21, 2021, 02:07:43 PM


LynK

Hey guys/gals!

I hope you are all doing well. We are going to be dual-stacking our ISPs soon and starting the migration to IPv6! Do you have any good design guides/books you recommend? Also, for those of you who deployed IPv6 Did you use ULA or GUA addresses for your internal network? I do not see why we would not just use our GUA addresses and let the firewall control what can talk to them.

Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

deanwebb

Good luck with that. I'm still in a 100% IPv4 world. If IPv6 is going on, nooooooooooooobody wants to talk about it.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

I find stuff like NANOG presentations (conference recordings as well) excellent for seeing what people IRL are saying/doing. Like there's all sorts of crazy stuff because the protocol is simply way too non-prescriptive, e.g. you can literally set all default GW link-local addresses to ::1 and have every host on the network using ::1 as the default route. Confusing or convenient?

As for books, I read IPv6 fundamentals and IPv6 for Enterprise Networks. However you'll want to take the current pulse re: client behaviour (i.e. WTF is modern android or Win10 doing with various IPv6 behaviours?)
I'm with you, I'd just use GUA, however there is a large faction that believes in 'dual routing' using ULA for all internal purposes and GUA for all external purposes. The excuse is security and also if you don't have PI space.
I find this simply confusing and unnecessary, you have a FW and PI addressing, right?

https://www.ausnog.net/sites/default/files/ausnog-2019/presentations/2.3_Mark_Smith_AusNOG2019.pdf
Unfortunately I'm with Dean, I've read all the theory and done a ton of labs (well a few years ago anyway) but IRL nobody is talking to me about it.

Otanx

Same as Dean, and Wintermute000. NANOG, and I have the IPv6 fundamentals book as well. We started working on IPv6, and got a /48 from ARIN, but there was no real driver for us to do anything so it never gets done. Just keep NATing and everything keeps working.

As for GUA vs ULA I don't see a use for ULA. It is almost no effort or cost to get PI space. Off the top of my head I think it was $1,300USD for a /48. Then 100 a year for ARIN registration. We were already paying the 100 a year for our AS and IPv4 so that shouldn't really count.

Some stuff from what I remember of our design docs that we had planned;
1. Starting with our /48 we are using 8 bits for an area designation. So external is 1, DMZ 2, clients 3, etc. This gives us 256 areas, of which I think we are using about 60.
2. After the area we used another 8 bits for subnet/vlan. Each area gets 256 vlans with the largest area only having 15 or 20.
3. Every subnet gets a /64 so all the auto addressing stuff works.
4. For backbone L3 links use sub-interfaces to separate the IPv4 and IPv6. The reason for this was we wanted to be able to graph the IPv6 vs IPv4 traffic. One of our ISPs suggested this.
5. One of our areas (I think 0) was reserved for network stuff. Loopbacks/point to points, etc.

A note on items 1 and 2. You will be seeing the addresses in hex so make sure you split on 4 bit boundaries so it is easy to identify when looking at the IP. We used 8 so two hex digits each.

Also IPv6 has more security items you have to think about. RA suppression, multiple IPs on a box. Duplicate link local addresses across the network will be a thing, and servers will use link local. If I remember correctly OSPFv3 uses link local to build neighbors.

-Otanx
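The addressing plan Otanx describes (a /48 site prefix, 8 bits of area, 8 bits of VLAN, a /64 per subnet, fields kept on 4-bit boundaries so they read straight off the hex) is mechanical enough to encode. The following is an added example, not code from the thread or from any of the posters; it uses the RFC 3849 documentation prefix 2001:db8:1234::/48 as a stand-in for a real ARIN assignment, and the area numbers are the ones given in the post (0 network infrastructure, 1 external, 2 DMZ, 3 clients). It also shows the per-area /56 aggregate, which is what you would match in a firewall rule or ACL so that one line covers every VLAN in an area.

```python
import ipaddress

# Constructed site prefix (documentation range, RFC 3849). A real deployment
# substitutes its own registry-assigned /48 here.
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:1234::/48")

# Area numbers from the post; the names are illustrative labels only.
AREAS = {0: "network-infra", 1: "external", 2: "dmz", 3: "clients"}

# Bit layout under a /48, counting from the left of the 128-bit address:
#   bits  0-47  site /48 (fixed)
#   bits 48-55  area   (8 bits -> shift 128-56 = 72)
#   bits 56-63  vlan   (8 bits -> shift 128-64 = 64)
#   bits 64-127 interface identifier (SLAAC / DHCPv6 / static)
AREA_SHIFT = 72
VLAN_SHIFT = 64


def _check_site(site: ipaddress.IPv6Network) -> None:
    if site.prefixlen != 48:
        raise ValueError("this plan assumes a /48 site prefix")


def subnet_for(site: ipaddress.IPv6Network, area: int, vlan: int) -> ipaddress.IPv6Network:
    """Return the /64 assigned to (area, vlan) under the site /48."""
    _check_site(site)
    if not 0 <= area <= 0xFF or not 0 <= vlan <= 0xFF:
        raise ValueError("area and vlan are 8-bit fields (0-255)")
    base = int(site.network_address)
    return ipaddress.IPv6Network((base | (area << AREA_SHIFT) | (vlan << VLAN_SHIFT), 64))


def area_aggregate(site: ipaddress.IPv6Network, area: int) -> ipaddress.IPv6Network:
    """Return the /56 covering every VLAN in one area (handy for one-line ACLs)."""
    _check_site(site)
    if not 0 <= area <= 0xFF:
        raise ValueError("area is an 8-bit field (0-255)")
    base = int(site.network_address)
    return ipaddress.IPv6Network((base | (area << AREA_SHIFT), 56))


def decode(addr: str) -> tuple[int, int]:
    """Recover (area, vlan) from any address in the plan by masking the fields."""
    a = int(ipaddress.IPv6Address(addr))
    return (a >> AREA_SHIFT) & 0xFF, (a >> VLAN_SHIFT) & 0xFF


def hex_fields(addr: str) -> tuple[str, str]:
    """Show why nibble alignment matters: the fourth hextet is literally 'AAVV'.

    Because both fields are exactly two hex digits, an operator can read the
    area and VLAN off the address without doing any binary arithmetic.
    """
    fourth = ipaddress.IPv6Address(addr).exploded.split(":")[3]
    return fourth[:2], fourth[2:]


def plan_table(site: ipaddress.IPv6Network, vlans_per_area: dict[int, list[int]]) -> list[str]:
    """Render a simple allocation table for documentation."""
    rows = []
    for area, vlans in sorted(vlans_per_area.items()):
        rows.append(f"area {area:3d} {AREAS.get(area, '?'):14s} aggregate {area_aggregate(site, area)}")
        for vlan in vlans:
            rows.append(f"    vlan {vlan:3d} -> {subnet_for(site, area, vlan)}")
    return rows


if __name__ == "__main__":
    # Constructed sample allocation: a few VLANs in the DMZ and client areas.
    for line in plan_table(SITE_PREFIX, {0: [0, 1], 2: [1, 0x15], 3: [10, 11]}):
        print(line)
    print("2001:db8:1234:215::1 is in area/vlan", decode("2001:db8:1234:215::1"))
```

With the constructed prefix, area 2 VLAN 0x15 becomes 2001:db8:1234:215::/64, and the exploded fourth hextet 0215 reads as area 02, VLAN 15, which is the readability point made in the post about splitting on 4-bit boundaries.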

Dieselboy

Conceptually, think about your ipv6 deployment as a complete other network that you need to manage. You will have ipv6 firewall rules and ACLs to think about. You have doubled the size of your network by implementing ipv6 across it.

icecream-guy

we use public assigned IPv6 addresses throughout
/64 for networks
/112 for transits.

I hear there are plenty of IPv6 addresses
:professorcat:

My Moral Fibers have been cut.

deanwebb

Quote from: ristau5741 on January 22, 2021, 08:25:21 AM
we use public assigned IPv6 addresses throughout
/64 for networks
/112 for transits.

I hear there are plenty of IPv6 addresses

Watch us run out in 2034... :smug:

wintermute000

TIL /112s are RFC compliant. Makes more sense even than /126 or 127 once you look at the subnetting.

Still, if it were up to me I'd simply go /64 everywhere, decimal-trained human brain no likey hex.

icecream-guy

Quote from: wintermute000 on January 22, 2021, 06:09:27 PM
TIL /112s are RFC compliant. Makes more sense even than /126 or 127 once you look at the subnetting.

Still, If it were up to me I'd simply go /64 everywhere, decimal trained human brain no likey hex.
see above
Quote from: deanwebb on January 22, 2021, 09:08:08 AM

Watch us run out in 2034... :smug:

The problem becomes when you want to scan your nets for vulnerabilities.
If you don't limit, e.g. to DHCP reserved IP addresses, your Tenable/RedSeal scans will run for days,
so you would need to limit the DHCP assignment range and then block everything else from going anywhere using ACLs.


LynK

Wow... thanks for the info ristau & otanx. I was building out my transports with /127's. The more you know.


We are unfortunately being pushed to IPv6. I recently moved to a new company which has been using provider-owned IPs since the dawn of man. Obviously getting multiple /24s from ARIN is near impossible right now, but there is a plethora of IPv6. They currently use two full /24s, so we would need at least 3 /24s to make it work, and I do not see us getting those additional two /24s any time soon.

So we are kind of being pushed to move IPv6 because we were given a /32.

We will be doing /64 networks, like you had mentioned, for all of our internal infrastructure. The good news (I guess) is we have a lot of siloed DMZs, so it should make the transition for those smooth (in theory).

Thanks for the info, the recommendations of the books, and the wisdom. It is appreciated.

jprins

Hi,

I dualstacked my network about 10 years ago, and at the moment the majority of my network is IPv6 only.
Everywhere I don't need IPv4 I drop it and go IPv6 only.
I don't think it will be long before I only have IPv4 on the edge of my network. Some proxies and a few servers delivering content to the outside world.

More space.
No headaches about having assigned a /24 to a VLAN and realizing it should have been a /22 to begin with.

Love it.
Jan Hugo

deanwebb

How long did it take to transition to majority IPv6?

luispolanco

IPv6 is implemented in very few countries.