IPv6 - Where Is It At?

Started by deanwebb, October 12, 2021, 08:16:51 AM


deanwebb

C-Level Management: "We need to get serious about IPv6!"

Meeting happens, everyone agrees, yes, we need to get serious about IPv6.

Production outage happens, IPv6 discussions are put on the back burner for another year or more...

... or is IPv6 getting traction where you are? If so, where?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on October 12, 2021, 08:16:51 AM
C-Level Management: "We need to get serious about IPv6!"

Meeting happens, everyone agrees, yes, we need to get serious about IPv6.

Production outage happens, IPv6 discussions are put on the back burner for another year or more...

... or is IPv6 getting traction where you are? If so, where?


Federal mandate:
a. At least 20% of IP-enabled assets on Federal networks are operating in IPv6-only
environments by the end of FY 2023;
b. At least 50% of IP-enabled assets on Federal networks are operating in IPv6-only
environments by the end of FY 2024;
c. At least 80% of IP-enabled assets on Federal networks are operating in IPv6-only
environments by the end of FY 2025; and
d. Identify and justify Federal information systems that cannot be converted to use
IPv6 and provide a schedule for replacing or retiring these systems;

We hope to be pure IPv6 by 2025. But then again, all the gung-ho is about customer-facing IPv6; getting the entire monitoring/management/backups/logging stack to go IPv6 native is not on everyone's hot list. It will certainly cause issues.
:professorcat:

My Moral Fibers have been cut.

deanwebb

Ouch, yeah, especially if there are legacy IPv4 networks that get ignored... potential major security holes.

I'm thinking IPv4 is the COBOL of networking. It's going to be around for a lot longer than anybody expected or even wanted, and it's the oldsters that will be running it.

Otanx

Quote from: icecream-guy on October 12, 2021, 04:25:44 PM
Federal mandate:
a. At least 20% of IP-enabled assets on Federal networks are operating in IPv6-only
environments by the end of FY 2023;
b. At least 50% of IP-enabled assets on Federal networks are operating in IPv6-only
environments by the end of FY 2024;
c. At least 80% of IP-enabled assets on Federal networks are operating in IPv6-only
environments by the end of FY 2025; and
d. Identify and justify Federal information systems that cannot be converted to use
IPv6 and provide a schedule for replacing or retiring these systems;

We hope to be pure IPv6 by 2025. But then again, all the gung-ho is about customer-facing IPv6; getting the entire monitoring/management/backups/logging stack to go IPv6 native is not on everyone's hot list. It will certainly cause issues.


Same mandate we have. However, this is the 3rd or 4th time this has been extended. Nobody in leadership really cares, as there is no funding to go along with the requirement. With no funding for hours or anything else, we will do what we can. The last time this came around we got a /48 from ARIN, so we don't need any budget there. We also have 50% of our external BGP peers set up and advertising our space. However, with everyone at about 125% utilization, this isn't going to get touched much to get it extended to endpoints.

-Otanx

deanwebb

... and if it's been extended before, it'll be extended again. I know a guy almost 70, still doing COBOL...

icecream-guy

Quote from: deanwebb on October 13, 2021, 10:49:45 AM
... and if it's been extended before, it'll be extended again. I know a guy almost 70, still doing COBOL...

Bet he makes BANK$, since there are very few COBOL programmers left these days.
:professorcat:

deanwebb

He's comfortable, no question there.

config t

I've never heard a single discussion about transitioning to IPv6 with any of my past customers. It has become one of those things I re-learn whenever I need to test on it and then forget how to subnet it again afterwards.
:matrix:

Please don't mistake my experience for intelligence.

deanwebb

Quote from: config t on October 13, 2021, 10:15:48 PM
I've never heard a single discussion about transitioning to IPv6 with any of my past customers. It has become one of those things I re-learn whenever I need to test on it and then forget how to subnet it again afterwards.

Even worse for me. I'm in management now, so I just pound my fists on the table and shout "Priorities! Synergies! Transformations!" until there's a major outage and I can go back to shouting about things I understand.

icecream-guy

Quote from: config t on October 13, 2021, 10:15:48 PM
I've never heard a single discussion about transitioning to IPv6 with any of my past customers. It has become one of those things I re-learn whenever I need to test on it and then forget how to subnet it again afterwards.

There is no need to subnet:
/112 on the transit links
/64 on the host networks

Now the problem turns into a security one, at least for the network scanners.
Then some IPv6 addresses in the /64 need to be blocked outbound.
:professorcat:

deanwebb

I see /64 and think it's half a /32... I am in need of re-training on basic concepts, methinks... :rofl:

Otanx

Quote from: icecream-guy on October 15, 2021, 07:33:21 AM
There is no need to subnet:
/112 on the transit links
/64 on the host networks

Now the problem turns into a security one, at least for the network scanners.
Then some IPv6 addresses in the /64 need to be blocked outbound.

Any reason you use /112 instead of /127? Also don't forget /128s for loopbacks. I have not done it yet, but we are even looking at not addressing p2p links. Let it use link-local, and loopbacks have real addresses.

The cyber teams are going to have to step up their game with IPv6. No more ping or arp scanning an entire subnet to see what is there. They actually need to look at the network traffic and look for traffic to or from unexpected hosts.

-Otanx
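The passive approach described in the post above, as an added example (not code from the thread): instead of sweeping the /64, correlate flow records with the first-hop router's neighbour cache and flag addresses that either have no neighbour entry or map to a link-layer address the inventory does not know. It keys the inventory on MAC rather than on IPv6 address because SLAAC privacy addresses (RFC 4941) rotate. Everything here is constructed sample data; the simplified flow-record format, the `ip -6 neigh` line shape, the MAC inventory and the monitored prefix are assumptions.

```python
"""Passive IPv6 host discovery from flow records plus the router neighbour cache.
Added example, not from the thread. All inputs below are constructed."""
import ipaddress
import re

MONITORED = ipaddress.IPv6Network("2001:db8:100:1::/64")   # assumed: one host /64 (RFC 3849 space)

# Assumed inventory keyed on MAC: privacy addresses churn, the link-layer address does not.
KNOWN_MACS = {
    "00:11:22:33:44:55": "web01",
    "00:11:22:33:44:66": "db01",
}

# Constructed `ip -6 neigh show` output as seen on the first-hop router.
NEIGH_SAMPLE = """\
2001:db8:100:1::10 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:100:1:8c4e:1a2b:3c4d:5e6f dev eth1 lladdr 00:11:22:33:44:66 STALE
2001:db8:100:1:dead:beef:0:1 dev eth1 lladdr de:ad:be:ef:00:01 REACHABLE
fe80::211:22ff:fe33:4455 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
"""

# Constructed flow records: "src dst proto dport", one per line.
FLOW_SAMPLE = """\
2001:db8:100:1::10 2001:db8::53 udp 53
2001:db8:100:1:8c4e:1a2b:3c4d:5e6f 2001:db8:200::80 tcp 443
2001:db8:100:1:dead:beef:0:1 2001:db8:300::22 tcp 22
2001:db8:100:1:cafe::99 2001:db8:300::22 tcp 22
2001:db8:9::5 2001:db8:100:1::10 tcp 80
"""

# Matches "<addr> dev <if> lladdr <mac> [router] <state>"; FAILED entries carry no lladdr and are skipped.
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})(?: router)? (\S+)$")


def parse_neigh(text):
    """Map IPv6Address -> MAC from neighbour-cache lines."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[ipaddress.IPv6Address(m.group(1))] = m.group(2)
    return table


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples from the constructed flow format."""
    for line in text.splitlines():
        src, dst, proto, dport = line.split()
        yield ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), proto, int(dport)


def find_unexpected(flows, neigh, known=KNOWN_MACS, net=MONITORED):
    """Return a sorted list of (address, reason) for addresses inside `net` that appear
    in traffic but either have no neighbour entry or resolve to a MAC outside the inventory."""
    alerts = {}
    for src, dst, _proto, _dport in flows:
        for addr in (src, dst):
            if addr not in net:
                continue
            mac = neigh.get(addr)
            if mac is None:
                alerts[addr] = "no neighbour entry (spoofed, stale, or off-link?)"
            elif mac not in known:
                alerts[addr] = f"unknown MAC {mac}"
    return sorted((str(a), why) for a, why in alerts.items())


def sweep_years(prefixlen=64, pps=1_000_000):
    """Years needed to probe every address in a prefix at `pps` probes/second:
    the reason an active ping sweep of a /64 is not an inventory method."""
    return (1 << (128 - prefixlen)) / pps / (365.25 * 86400)


if __name__ == "__main__":
    print(f"sweeping a /64 at 1M pps takes about {sweep_years():,.0f} years")
    for addr, why in find_unexpected(parse_flows(FLOW_SAMPLE), parse_neigh(NEIGH_SAMPLE)):
        print(f"ALERT {addr}: {why}")
```

The neighbour cache only holds hosts that have recently talked through the router, so an address seen in flows but absent from the cache is worth a look on its own; in production the cache would be polled on a timer and the flow source would be NetFlow/IPFIX or a tap rather than a text blob.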

deanwebb

^In that case, they can just try to detect existing IPv4 and then mark a "Fail" if they do find any.

icecream-guy

Quote from: Otanx on October 15, 2021, 10:51:55 AM
Quote from: icecream-guy on October 15, 2021, 07:33:21 AM
There is no need to subnet:
/112 on the transit links
/64 on the host networks

Now the problem turns into a security one, at least for the network scanners.
Then some IPv6 addresses in the /64 need to be blocked outbound.

Any reason you use /112 instead of /127? Also don't forget /128s for loopbacks. I have not done it yet, but we are even looking at not addressing p2p links. Let it use link-local, and loopbacks have real addresses.

The cyber teams are going to have to step up their game with IPv6. No more ping or arp scanning an entire subnet to see what is there. They actually need to look at the network traffic and look for traffic to or from unexpected hosts.

-Otanx

Yes, with dual-homed links, i.e.:
.1 HSRP
.2 Router PE1
.3 Router PE2
.4 Firewall1
.5 Firewall2

The /127 just isn't enough for the redundancy.

So HSRP runs between PE1 and PE2,
and Firewall1 and Firewall2 are in an active/standby failover configuration.
That builds in the redundancy so that either PE can reach either firewall.
This is our standard.
:professorcat:
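A worked check of the address plan discussed in this post and in the earlier one (/112 on transit links, /64 on host networks, /128 loopbacks), added here as an example and not code from the thread. It uses Python's ipaddress module to carve the plan out of a /48 and to show why a /127 cannot hold the five addresses of a dual-homed link. The site prefix 2001:db8:100::/48 (RFC 3849 documentation space) and the convention of reserving the top /64s for transit and loopback space are assumptions.

```python
"""IPv6 address-plan check: /64 per host network, /112 transit links carrying an HSRP
VIP plus two PEs and two firewalls, /128 loopbacks. Added example, not from the thread;
the site prefix and the reserved-/64 convention are assumptions."""
import ipaddress

SITE = ipaddress.IPv6Network("2001:db8:100::/48")      # assumed: RFC 3849 documentation space
TRANSIT_ROLES = ("hsrp", "pe1", "pe2", "fw1", "fw2")   # the five addresses listed in the post


def nth_subnet(parent: ipaddress.IPv6Network, new_prefix: int, n: int) -> ipaddress.IPv6Network:
    """Return the n-th /new_prefix inside parent by arithmetic.

    parent.subnets() would enumerate 2**(new_prefix - parent.prefixlen) networks;
    for a /48 carved into /112s that is 2**64, so index arithmetically instead.
    """
    if not parent.prefixlen <= new_prefix <= 128:
        raise ValueError("new_prefix must lie between the parent length and 128")
    count = 1 << (new_prefix - parent.prefixlen)
    if not 0 <= n < count:
        raise ValueError(f"only {count} /{new_prefix} subnets fit in {parent}")
    base = int(parent.network_address) + n * (1 << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))


def capacity(prefixlen: int) -> int:
    """Number of addresses covered by a prefix of this length."""
    return 1 << (128 - prefixlen)


def transit_link(link: ipaddress.IPv6Network, roles=TRANSIT_ROLES) -> dict:
    """Assign ::1, ::2, ... on a transit link to the given roles, leaving ::0 unused
    (subnet-router anycast, RFC 4291). Raises when the link is too small, which is
    the post's point: a /127 holds two addresses and cannot carry an HSRP VIP,
    two routers and two firewalls."""
    needed = len(roles) + 1
    if capacity(link.prefixlen) < needed:
        raise ValueError(f"{link} holds {capacity(link.prefixlen)} addresses, {needed} needed")
    base = int(link.network_address)
    return {role: ipaddress.IPv6Address(base + i) for i, role in enumerate(roles, start=1)}


def build_plan(site=SITE, host_vlans=2, transit_links=2, loopbacks=3) -> dict:
    """Carve the thread's layout out of a /48: one /64 per host network, one /64
    reserved for /112 transit links, one /64 reserved for /128 loopbacks."""
    host_nets = [nth_subnet(site, 64, i) for i in range(host_vlans)]
    transit_parent = nth_subnet(site, 64, 0xFFF0)     # assumed convention: top /64s for infrastructure
    loopback_parent = nth_subnet(site, 64, 0xFFFF)
    transits = {}
    for i in range(transit_links):
        link = nth_subnet(transit_parent, 112, i)
        transits[str(link)] = transit_link(link)
    loops = [nth_subnet(loopback_parent, 128, i) for i in range(1, loopbacks + 1)]
    return {"hosts": host_nets, "transits": transits, "loopbacks": loops}


if __name__ == "__main__":
    plan = build_plan()
    for net in plan["hosts"]:
        print(f"host     {net}  ({capacity(64):,} addresses: not sweepable)")
    for link, addrs in plan["transits"].items():
        print(f"transit  {link}  " + ", ".join(f"{r}={a}" for r, a in addrs.items()))
    for lo in plan["loopbacks"]:
        print(f"loopback {lo}")
    try:
        transit_link(nth_subnet(SITE, 127, 0))
    except ValueError as err:
        print("rejected:", err)
```

The arithmetic indexing matters in practice: calling `subnets()` on a /48 to reach a /112 never finishes, and the same trap waits in tooling that tries to "list the hosts" of a /64.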

Otanx

That makes sense. Feel like I should have been able to figure that one out. I will have to keep that in mind when we do our address planning.

-Otanx