Migration to IPv6; I am Jumping In the Lake

NETWizz

Well, I have been strongly considering the migration to IPv6 in a dual-protocol stack at work, where we have at least 5,000 computers. I know what you are thinking... Windows Vista, 7, 8, 8.1, 10, Mac, etc. ALL have IPv6 turned on and an IP address. IPv6 is NOT a replacement... it is a completely new protocol to run alongside IPv4 for probably the rest of our lives.

Well, you are correct, but the IP addresses they all have are Link-Local addresses, which are roughly equivalent to the 169.254.x.x addresses Windows boxes automatically generate. Simply put, they work on a Local Area Network because the network portions match and the host portions are unique.
***************

For those of you unaware, IPv4 is 0.0.0.0 through 255.255.255.255, though admittedly there are plenty of other rules and tricks for classless interdomain routing, variable-length subnet masks, NATing, etc. They are 32-bit addresses.

IPv6 addresses are NOT simply six octets... No, they are 128 bits; hence, if they were expressed in dotted decimal it would be 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 to 255.255.255.255.255.255.255.255.255.255.255.255.255.255.255.255

But instead we use hex and colons.
Hence: 0000:0000:0000:0000:0000:0000:0000:0000 to FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

Now, leading 0's are removed, so if you had 0000:0000:0000:0000:0000:0000:0000:0001 you could write it as 0:0:0:0:0:0:0:1

Now, anytime you have multiple groups of 0's, you can collapse this exactly once into a ::

Hence 0:0:0:0:0:0:0:1 could be most succinctly written as ::1

************************

Now, I want you to keep in mind that the reason IPv6 is great is that it runs TCP, UDP and virtually every other Layer-4 protocol that worked on IPv4. What we will have are applications that support both for a long, long time... and for antiquated applications it should be straightforward for developers to add in IPv6 support to carry out all of their network tasks.

Now, the vast majority of you know how to subnet, where you are basically specifying the network portion and host portion of a network. Many of you are probably used to the infamous 255.0.0.0, 255.255.0.0, and 255.255.255.0 masks used on most common public/private networks... though the vast majority of network admins balk at masks like 255.255.128.0, 255.255.192.0, 255.255.224.0... After a while these become second nature for those who deal with this crap every day... they eventually just recognize their 128, 192, 224, 240, 248, 252, 254, and 255 without thinking about it, and the wildcard masks and CIDR notation become second nature too.

Suffice it to say we would rather represent 10.1.2.3/255.255.240.0 as 10.1.2.3/20, and we are well aware of quick mental tricks: if 255.255.240.0 is /20 then 255.240.0.0 would be /12 (you subtract 8).


*********************

The reason I bring this up is that IPv4 has a LOT of design flaws that bother me, like the WAY DHCP can assign different IP addresses, necessitating reservations OR static IP addresses on servers. How much of a PITA it is to change a subnet scheme or merge two organizations together with overlapping address space (i.e. if both use 10.x.x.x... it's a real blast combining the networks). Then you have NAT, which is a life-saver to IPv4... It is allowing us to have one (1) Internet IP at home or at work. Heck, we have 5,000 computers at work on the same Internet IP, BUT it breaks true end-to-end connectivity. I otherwise have to set up translation addresses, port forwarding, etc. to make stuff work. Basically, everything is a Band-Aid for poor design.

Meanwhile you have sliding windows, checksums, broadcasts, ARP poisoning, etc... you cannot find the default gateway unless someone sets it or DHCP configures it, and the list grows. Ultimately, IPv6 addresses ALL of these shortcomings and more!



Alright, so I mentioned CIDR masks. With IPv6, even the delineators (the colons) are /16, /32, /48, /56, /64 ... /128

What I like:
1. The ISP provides an organization a /48 which is the first three sets. Hence, they may give you something like 201:DB8:ACAD... From here you are recommended to subnet to /64 Hence you have 201:DB8:ACAD:0/64 through 201:DB8:ACAD:FFFF/64 to specify your networks!

2. This leaves you with /64 less to address on every LAN! You may ask, "Why do I need an address space 4-billion times bigger than the entire IPv4 Internet?" Simple answer is DHCP has been revamped to not only be a two-way communication like it already is, but it ONLY provides the network/subnet information. The HOST generates its own HOST portion based on its MAC address and reports that back to DHCP, which records the lease and can dynamically update DNS with a new AAAA record.

If your MAC address is 11-22-33-44-55-66 it adds FFFE in the middle, hence 1122:33FF:FE44:5566 is the rest of the IP, so the computer above on the 1st subnet would become 201:DB8:ACAD:1:1122:33FF:FE44:5566. No matter how long you have it offline, or lock it in a closet, when you set it up, it again gets the SAME IP. No more static IPs or reservations really needed unless you really want to create extra work overriding this.


3. ARP has been replaced with Neighbor Discovery Protocol, which is built into the protocol. It is more efficient and more secure. Switches will NOT have to work so hard to find LAN neighbors.

4. Now what's really awesome is the way there is a Gateway or Router discovery protocol. Think of it like a routing protocol similar to OSPF that simply advertises the presence of the network's default gateway!

5. IPv6 no longer has CRC check sequences in the header but leaves the error checking to Ethernet and higher protocols such as TCP. Simply put, networks are more reliable than ever and not having routers verifying checksum vastly reduces latency!

6. IPv6 summarizes much nicer in routing tables, keeping them much smaller and therefore more efficient and easier to troubleshoot.

7. NAT in IPv4 more or less MUST be used to reserve IP addresses. It is what we all use to convert our 192.168/16, 172.16/12 or 10.0.0.0/8 networks to the Internet. Looking above, this is completely unique: 201:DB8:ACAD:1:1122:33FF:FE44:5566... it is perfect for both inside and external use to the Internet.

8. I know everyone balks saying NAT is for security, but it really is not. A firewall can just as easily control traffic and security with or without a NAT.

*****************************************************************

What I am doing is petitioning our ISP, AT&T, which we use at work, for an Internet-routable /48... Then I am just going to subnet with 0, 1, 2, 3, 4 etc. up to /64 and leave the rest for hosts. While this is a HUGE waste of space, it is best practice. I think I will use the "0" subnet for the WAN side of our network. Hence the entire backbone can be connected on one subnet... and AT&T can do our mesh routing between all our sites.

I need only tie some IPv6 IPs to our firewall interfaces and set each Gateway (LAN SIDE) with a different subnet such as 1, 2, 3, 4 ... all the way to FFFF, not that we will need 65k subnets, ever!

Then I simply need to enable DHCPv6 and populate the scopes... I need to set the IPv6 helpers on the routers, and that should do it. Every computer should then have a unique Internet-routable IPv6 address as well as a Link-Local IPv6 address.

Then I need only make a default rule on the firewall that allows our DNS servers to query via IPv6 to others... and allows our computers to talk outside on IPv6 at least for HTTP & HTTPS.



I think it will REALLY set us up thinking forward for the future.
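As an added illustration (not code from the post), here is the address arithmetic the post describes, in Python's standard library: the ISP's /48, a 16-bit subnet ID chosen by the admin, and an interface ID built from the MAC, plus the text rules (drop leading zeros, collapse one run of zero groups to `::`). One caveat a practitioner should know: the modified EUI-64 form in RFC 4291 also flips the universal/local bit of the first MAC octet, so 11-22-33-44-55-66 yields 1322:33FF:FE44:5566 rather than 1122:...; the prefix 2001:db8:acad is the documentation prefix used in the poster's lab config.

```python
"""Added example: EUI-64 interface IDs, /48 -> /64 addressing, and the
IPv6 text-form rules.  Uses only the standard library; the prefix and MAC
below are constructed sample values, not anything from a real network."""
import ipaddress
import re


def mac_to_eui64(mac: str) -> str:
    """Modified EUI-64 (RFC 4291, Appendix A): split the 48-bit MAC, insert
    FF:FE in the middle, and toggle the universal/local bit (0x02) of the
    first octet.  Returns four hex groups, lower-case, no leading-zero trim."""
    octets = [int(x, 16) for x in re.split(r"[-:]", mac)]
    if len(octets) != 6 or not all(0 <= o <= 0xFF for o in octets):
        raise ValueError(f"bad MAC: {mac}")
    octets[0] ^= 0x02                       # flip the U/L bit
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return ":".join(f"{(eui[i] << 8) | eui[i + 1]:04x}" for i in range(0, 8, 2))


def eui64_address(prefix48: str, subnet: int, mac: str) -> ipaddress.IPv6Address:
    """prefix48 is the ISP's /48 (the first three groups); subnet is the
    16-bit fourth group the admin picks; the host part comes from the MAC."""
    if not 0 <= subnet <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    return ipaddress.IPv6Address(f"{prefix48}:{subnet:x}:{mac_to_eui64(mac)}")


def expanded(addr: str) -> str:
    """Full 8 x 4-hex-digit form, e.g. ::1 -> 0000:...:0001."""
    return ipaddress.IPv6Address(addr).exploded.upper()


def compressed(addr: str) -> str:
    """Canonical short form (RFC 5952): leading zeros dropped and the
    longest run of zero groups collapsed to '::' exactly once."""
    return str(ipaddress.IPv6Address(addr)).upper()


def same_lan(a: str, b: str, prefixlen: int = 64) -> bool:
    """True when b falls inside a's /prefixlen, i.e. the network parts match."""
    net = ipaddress.IPv6Network(f"{a}/{prefixlen}", strict=False)
    return ipaddress.IPv6Address(b) in net


if __name__ == "__main__":
    host = eui64_address("2001:db8:acad", 1, "11-22-33-44-55-66")
    print("host:", compressed(str(host)), "on LAN 1")
    print("expanded ::1 ->", expanded("::1"))
    print("same /64 as the gateway 2001:DB8:ACAD:1::1?",
          same_lan("2001:db8:acad:1::1", str(host)))
```

Because an EUI-64 interface ID embeds the hardware MAC, the same host is recognisable on every network it joins, which is why current operating systems default to randomised or stable-private interface IDs (RFC 4941/7217) and why the PC in the poster's lab shows ::10 rather than a MAC-derived host part.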
 
Here is an example, where I use three (3) subnets.

Simply put, I used 2001:DB8:ACAD as my /48 (i.e. this is the ISP part). I used Subnet 2 for the WAN connection and Subnet 1 to connect the network PCA is on and subnet 3 to connect the network PCB is on.

[Image: tracer.png]


The switches do not have any config and are really just Layer-2 stuff. They were put in out of habit.

Here is the config:
R1#sh run
Building configuration...

Current configuration : 753 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
!
!
!
!
ip cef
ipv6 unicast-routing
!
no ipv6 cef
!
!
!
!
license udi pid CISCO1941/K9 sn FTX1524ADT7
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
 description toR2
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8:ACAD:2::1/64
!
interface GigabitEthernet0/1
 description toLAN
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8:ACAD:1::1/64
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
ipv6 route ::/0 2001:DB8:ACAD:2::2
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 no login
!
!
!
end

*********************

Here is a routing table on Router 2:
Router#sh ipv6 route
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
S   ::/0 [1/0]
     via 2001:DB8:ACAD:2::1
C   2001:DB8:ACAD:2::/64 [0/0]
     via GigabitEthernet0/0, directly connected
L   2001:DB8:ACAD:2::2/128 [0/0]
     via GigabitEthernet0/0, receive
C   2001:DB8:ACAD:3::/64 [0/0]
     via GigabitEthernet0/1, directly connected
L   2001:DB8:ACAD:3::1/128 [0/0]
     via GigabitEthernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive

And on Router 1:

R1#sh ipv6 route
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
S   ::/0 [1/0]
     via 2001:DB8:ACAD:2::2
C   2001:DB8:ACAD:1::/64 [0/0]
     via GigabitEthernet0/1, directly connected
L   2001:DB8:ACAD:1::1/128 [0/0]
     via GigabitEthernet0/1, receive
C   2001:DB8:ACAD:2::/64 [0/0]
     via GigabitEthernet0/0, directly connected
L   2001:DB8:ACAD:2::1/128 [0/0]
     via GigabitEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive



Here is a ping to PC A from PC B... through the routers:

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::201:C9FF:FE54:E275
   IPv6 Address....................: 2001:DB8:ACAD:3::10/64
   Default Gateway.................: 2001:DB8:ACAD:3::1
   DHCPv6 Client DUID..............: 00-01-00-01-DC-B6-C0-36-00-01-C9-54-E2-75

PC>ping 2001:DB8:ACAD:1::10

Pinging 2001:DB8:ACAD:1::10 with 32 bytes of data:

Reply from 2001:DB8:ACAD:1::10: bytes=32 time=2ms TTL=126
Reply from 2001:DB8:ACAD:1::10: bytes=32 time=0ms TTL=126
Reply from 2001:DB8:ACAD:1::10: bytes=32 time=0ms TTL=126
Reply from 2001:DB8:ACAD:1::10: bytes=32 time=0ms TTL=126

Ping statistics for 2001:DB8:ACAD:1::10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms
 
I dread the day I have to jump in the lake. I may tie a few cement blocks to my feet.

For one... my head works pretty well with numbers; I can rip through IP4 setups without having to stop 'n think about it. Our common class C subnets are easy to pick apart and put back together in our heads... when working on clients' networks.
I can quickly tell someone the IP address of some printer or server... in a millisecond, going from memory.

...now envision trying to do this with an IP6 addy.

I am also a firm believer in hiding a network behind NAT. I know NAT is not a true firewall... as many here know, I like to put clients' networks behind a UTM... more than NAT. But NAT by itself, even though it's a "dumb" firewall... it is still a basic firewall that hides the network behind it by default. It's like a scupper on a boat... lets anything out, but blocks anything from coming in... uninvited. A totally unprotected, un-updated, Windows XP pre-Service Pack 1 computer can sit at idle (not surfing... just running at desktop) behind a NAT router, blank Administrator password... and not pick up those worms that crawl around the internet. Stick that PC outside of NAT, on a public IP... and within 15 seconds it will be stuffed to the gills with bots, worms, hacked to pieces.
 
That was a really great intro to IPv6.

I admit, I don't understand all that you've said, but your passion and knowledge of the topic is abundantly clear.

I don't (and probably never will) encounter large enough networks that require me to think outside of IPv4. I agree with @YeOldeStonecat, I can rattle off a client's network without much hesitation: access points & repeaters at the beginning of the range: .2, .3, .4, servers reserved in round numbers in the low end .10, .20, .30, NAS's at odd low numbers: .15, .25, .35, printers and print servers at .50, .51, .52, DHCP Pool at .100 - .200, and odd-ball servers, WS's held up at .225-250.

Ask me a system and I can likely tell you its IP.

But with IPv6, yikes! Your explanation was nice, though... thank you.
 
I really need an IPv6 for dummies book because my head hurts every time I try to tackle that concept. I'm gonna be the guy next to stonecat in the lake. LOL.
 
You should NOT dread the day you have to jump in the lake... I promise it is not going to be bad once you have a few turn-ups under your belt. First of all, IPv6 subnetting is way easier because there is enough address space to break on an even /16, where in IPv4, you often use all sorts of strange subnet lengths like /20, /19 etc, which leaves you doing binary math. In IPv6 where you break it is more likely to be your choice. On IPv4, it is always nice to subnet to /16 or /24, but how often do you find that is NOT what really happens in practice (except on tiny networks)?

You end up with questions like: is 10.1.11.32/21 on the same subnet as 10.1.9.21/21? ... but at first glance you don't necessarily know. i.e. /21 = 8+8+5, so are the first five (5) bits of 11 and 9 the same? YES. Or you get to the point you can do subnet masks to CIDR in your head because you recognize patterns like 128, 192, 224, 240, 248, 252, 254, 255 automatically... and you know wildcard masks in your head are simple subtraction. I.e. 255 - 255 = 0, 255 - 254 is 1, etc. At some point you know what they all are and can take a /21 and come up with a wildcard mask of 0.0.7.255... and that tells me right off the bat every 8 is a new subnet, 0, 8, 16, 24 etc... Hence you know implicitly the 11 and 21 are on the same subnet... that said, you still long for the days when people used to break on even octets.

Try giving another tech an IP address of 10.1.11.255 / 255.255.248.0 or perhaps 10.1.11.0 / 255.255.248.0... They freak out with the .0 or .255, which is NOT the broadcast or the network ID. Those would be 10.1.8.0/21 and 10.1.15.255/21; hence the aforementioned are perfectly usable, but try explaining this to other IT people!

Back on topic:

I work with NATs all the time, and they do not provide security; that is a myth. NAT is all about providing shared public IP addresses, typically to a private network. Yes, the internal network is obfuscated to the outside, but that is NOT what provides the security... I know NAT feels great though because it is what we all know. What provides the true security is a Stateful Firewall, which does NOT allow new connections inside from outside, but it does allow inside devices to set up new connections and established sessions to communicate. The way I see it, NAT causes me more pain and suffering as a network admin than about anything else... it constantly gets in the way of DNSSec, IPSec, and things I am asked to do all the time!

Let me delve in...

When I do a NAT translation I have a TON of choices. I can do a SOURCE NAT dynamic-ip-and-port (or just dynamic ip) to translate a source IP and source port to an inside IP address, an internal subnet, or a range of IPs (think of it like load balancing). Creating a rule you always look at the original packet because that is what firewall security rules apply to. Destination NATs are simple too.

What still gets the better of me sometimes are U-Turn NATs.

For example, I will let traffic from the outside get to our VPN zone and put the OUTSIDE of a Cisco ASA firewall on the VPN zone... then the Cisco can authenticate users via AnyConnect VPN and bring them to the inside. Hence, I have a firewall plugged into a firewall to use one firewall's VPN through another firewall.

Here is all about NATs:

https://live.paloaltonetworks.com/s...17-102-7-11647/Understanding_NAT-4.1-RevC.pdf


You will see the real reason is NOT security.
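The /21 arithmetic in the reply above, worked through as an added example (not the poster's code): the mask, the wildcard (the bitwise inverse, i.e. the 255 - x trick), the network and broadcast of 10.1.11.32/21, why 10.1.11.0 and 10.1.11.255 are ordinary usable hosts in it, and a cross-check against Python's `ipaddress`. All addresses are the ones quoted in the thread.

```python
"""Added example: IPv4 CIDR arithmetic done with plain integers so each
step is visible, then verified against the standard library."""
import ipaddress


def ip_to_int(ip: str) -> int:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_from_prefix(prefixlen: int) -> int:
    """/21 -> 0xFFFFF800 (255.255.248.0): prefixlen one-bits then zeros."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF


def prefix_from_mask(mask: str) -> int:
    """255.255.248.0 -> 21.  Rejects non-contiguous masks such as 255.0.255.0,
    which a device would also refuse or, worse, silently mis-apply in an ACL."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if mask_from_prefix(ones) != m:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def wildcard(prefixlen: int) -> str:
    """ACL wildcard = bitwise inverse of the mask; /21 -> 0.0.7.255."""
    return int_to_ip(~mask_from_prefix(prefixlen) & 0xFFFFFFFF)


def subnet_info(cidr: str) -> dict:
    ip, plen = cidr.split("/")
    plen = int(plen)
    m = mask_from_prefix(plen)
    host = ip_to_int(ip)
    net = host & m                      # clear the host bits
    bcast = net | (~m & 0xFFFFFFFF)     # set the host bits
    return {
        "network": int_to_ip(net),
        "broadcast": int_to_ip(bcast),
        "mask": int_to_ip(m),
        "wildcard": wildcard(plen),
        "block_size": 1 << (32 - plen),  # 2048 for /21: every 8 in the 3rd octet
        # .0 and .255 in the middle of the block are ordinary hosts
        "usable_host": plen < 31 and net < host < bcast,
    }


def same_subnet(a: str, b: str, plen: int) -> bool:
    m = mask_from_prefix(plen)
    return ip_to_int(a) & m == ip_to_int(b) & m


def matches_stdlib(cidr: str) -> bool:
    """Cross-check the hand arithmetic against ipaddress.IPv4Network."""
    info = subnet_info(cidr)
    net = ipaddress.IPv4Network(cidr, strict=False)
    return (info["network"] == str(net.network_address)
            and info["broadcast"] == str(net.broadcast_address)
            and info["wildcard"] == str(net.hostmask))
```

The same masking is what a router ACL or firewall rule performs with its wildcard, so a mask that is off by one bit silently doubles or halves the address range a rule matches; checking a candidate rule with `subnet_info` before deploying it is a cheap way to catch that.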
 
I believe some day in the future, in my lifetime, IPv6 will be the replacement of IPv4; IPv4 will be sunset in other words. It'll take awhile to get to that point though.

A couple of years ago I figured out how to set up an IPv6 tunnel on my pfSense box at home, as TWC at the time wasn't doing IPv6. I still have it running, via HE.net. Works pretty darn well most of the time. For a while I found surfing the web via IPv6 was faster (to IPv6-enabled sites like Facebook, Google, etc.) than IPv4, though that was probably my perception and not factually true.
 
Bookmarked, for reading again when this migraine has subsided...

But seriously, thank you, that is a great intro to IPv6.
 
I need to get my head around IPv6 some day. I understand enough about it to use it, but not enough to be confident that I could properly configure and secure anything more than the smallest of networks.

There's just so much to learn in this profession (even just to keep up with changing technology) that studying IPv6 networking is not at the top of my priorities right now.

In the meantime, if the need arises to configure an IPv6 network, I'm gonna hire NETWizz ;)
 
Oh, oh... please hire me... I will do it free for a round-trip to the UK... Cheers.
 