Adventures in IPv6
Monday, 11. January 2010
Adventures in IPv6… Or how I spent my Xmas Vacation!
Whether you are a network administrator, an end user, or someone that falls in between, you are going to be hearing a lot about IPv6 in the coming years. If you’re in the business of delivering network services, then you need to get up to speed on this… Because before you know it, you will have a client or end user come up to you with a problem that IPv6 is involved in.
Over the Xmas vacation, I spent hours in the lab, and on the network edge, testing and configuring IPv6. I wanted to report on what I found regarding the “readiness” of IPv6 at all the areas of the network I deal with. This is not designed to be a tutorial on IPv6; it is a report of the state of the protocol at this time. If you are looking for a “HowTo”, there are some great ones out on the net.
IPv6 is not IPv4 with more addresses.
At first glance, IPv6 looks a lot like IPv4 with more addresses. Although knowing IPv4 is an advantage when working with IPv6, it can also be the cause of implementation mistakes. The first lesson I had to learn was “don’t assume anything about IPv6”.
Why I jumped into IPv6.
I got started with this whole project after talking to an ARIN Technical Specialist about address space for my company. I must admit, up until that conversation, I had been thinking about IPv6, but not really thinking of how I would be implementing it. After all, change is painful, and making changes can lead to unforeseen problems. But, he made some really valid points regarding the need to be ready for the exhaustion of IPv4 address space. That and the business opportunities I believe will be available to early adopters of IPv6 got me to jump into the fire. On December 15, 2009, ACT USA requested and received its initial IPv6 address allocation from ARIN.
Working from the edge in.
For most users, the starting point for IPv6 is setting up a tunnel, or using Teredo / Miredo to get a PC or small group of PCs onto the IPv6 backbone. For an ISP though, it’s a little different. An ISP needs to look at how they will advertise their address space to the net. ISPs currently use a protocol called “BGP” to advertise their IPv4 address space to both their peers and their transport providers. If IPv6 is going to be a viable global protocol, it will need to adapt into this current hierarchy to be adopted by the ISPs.
I decided to start here, and set up some routers in the lab to see how the current devices we own, and the open source software we run, supported BGP for IPv6. I was pleasantly surprised to see that pretty much all the router hardware we run, whether commercial or open source based, supported multi-protocol BGP out of the box. And, as a bonus, it wasn’t that much different to manage and configure IPv6 neighbors than it is to manage IPv4 neighbors. Even better, we can use a single BGP session with a neighbor to advertise and receive both IPv6 and IPv4 routes. Now, that’s not to say that we didn’t have to upgrade to bleeding edge releases of the software, but from everything we’ve seen so far, it’s pretty solid.
One issue that did come up was that none of my transit providers, nor my peers, support IPv6 yet. But, Hurricane Electric to the rescue! Not only do they provide IPv6 tunnels for end users, but they allow you to advertise your RIR IPv6 address space through that tunnel! For me, this was a lifesaver, and got me a huge jump on my upstreams.
From the edge to the servers.
OK, so now I have IPv6 on the edge, and I’m advertising my address space to the backbone via Hurricane Electric. Now what? Well, the next step for my testing is dual stacking the core. So, this is where I got my first taste of IPv6 Network Discovery, Router Advertisement and Auto Configuration. The IPv4 RFC really didn’t mandate how hosts learned about the network they were on. IPv6 changes all that by expecting routers to advertise information about the networks they attach to and listen for information requests from hosts on that network. Hosts also expect routers to tell them what global network they are on, and if Auto Configuration is allowed on the network. And if that wasn’t enough, IPv6 has both stateless and stateful configuration methods, and the routers are supposed to tell the hosts about that too! Combine all this with a mixed level of adoption among projects and vendors, and you get a bit of a mess.
Fortunately, this mess is saved for later, as in the case of the core, nothing is dynamic or auto-configured. Well, at least it didn’t use to be, but for IPv6, I elected to take advantage of the Router Advertisement stuff to implement hot failover. So, in the case of the core, it’s another home run with no need for core routers to run VRRP or HSRP. Thank you IPv6!
From the servers to the services.
So, I have static IP addresses on the servers, now I need to get services up on IPv6. The first on my list is DNS. Actually, Bind9 is totally IPv6 compatible! All I had to do is add the AAAA and PTR records to the respective zone files, and off we go!
Now, on to HTTP. Amazingly, Apache is totally IPv6 ready. Even NameVirtualHost works, but might be considered unnecessary considering the boggling number of IPv6 addresses available.
The email server was just as easy. A quick edit of the sendmail.mc file and the dovecot.conf file was all it took. And ProFTPD worked as well.
All in all, most services that we push to the public worked. One that didn’t was MySQL. And there were a few applications that I just didn’t bother with, like SNMP.
Securing the office network.
So, NAT has spoiled most network administrators. Why? Because if they just set up NAT on their default gateway, then they have a firewall by default. Well, guess what, there is no such thing as IPv6 NAT. So, you will need to actually learn how to configure a real firewall. I use Linux on all my firewalls, and am happy to report that ip6tables works just like its IPv4 counterpart iptables.
So, as far as security, if you run a Linux firewall, you should be able to protect your network with ip6tables!
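As an added example (not part of the original post), here is a minimal stateful, default-deny ip6tables ruleset of the kind this section calls for, giving forwarded IPv6 traffic the inbound protection that NAT used to provide as a side effect. The interface names passed in, the SSH rule and the ping rate limit are assumptions; the one place it must differ from an iptables ruleset is ICMPv6 neighbor discovery, which has to be accepted or IPv6 stops working on the link.

```shell
#!/bin/sh
# Added example: print a default-deny, stateful IPv6 ruleset in
# ip6tables-restore format. Interface names are caller-supplied assumptions.
# Usage: sh <this-script> LAN_IF WAN_IF | ip6tables-restore --test

gen_ipv6_ruleset() {
    lan_if=$1   # inside interface, e.g. eth1 (assumed name)
    wan_if=$2   # outside interface or tunnel, e.g. sit1 (assumed name)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# ---- packets addressed to the firewall itself ----
-A INPUT -i lo -j ACCEPT
# Neighbor discovery (NS=135, NA=136) replaces ARP; hop limit 255 proves
# the packet was sent on-link. ND is not connection-tracked, so these
# rules stay ahead of the INVALID drop below.
-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# Router solicitations (133) from LAN hosts asking for our advertisements.
-A INPUT -i $lan_if -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
# Replies to our own traffic, including ICMPv6 errors such as packet-too-big.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Rate-limited ping (echo-request=128) and SSH from the LAN only (assumptions).
-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 5/second -j ACCEPT
-A INPUT -i $lan_if -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ---- packets routed through the firewall ----
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Only the LAN may open new connections; nothing is admitted from the WAN.
-A FORWARD -i $lan_if -o $wan_if -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

if [ "$#" -eq 2 ]; then gen_ipv6_ruleset "$1" "$2"; fi
```

Piping the output to `ip6tables-restore --test` parses the rules without committing them, which is a safe way to check the file on the firewall before loading it.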
The end node.
So, here we are, at the computer on your desk and the network in your office. What does IPv6 mean for you and what is the current state of services that you use to make you a part of your office network? The good news is that Linux, BSD, and Mac are all pretty much IPv6 ready. I also understand that Windows 7 has full service IPv6 as well. Vista attempted to get IPv6 rolling using Teredo, but that breaks the IPv6 stack if global addresses are offered on the network already. And there are other problems. Remember auto configuration? Well, this is where it bites us. Different parts of the RFC are implemented in different ways by different vendors and projects. The only thing that seems to be a “sure thing” to work is auto address configuration and router advertisement. The current ISC DHCP Server works, but many clients don’t ask the right questions yet.
Sounds bad? Well remember, to get all the Internet, you still need IPv4 connectivity as well. It’s believed that everyone will need to run dual stack for quite a few years to have total global network access. So, for now, we can get away with just address and router configuration. But just for now…
— Stu