IPv6 Strategic Planning Details

YOUR ORG ID

Architectural Model

Planning and coordination is required from many across the organization, including …

Network engineers & operators Security engineers Application developers Desktop / Server engineers Web hosting / content developers Business development managers …

Create a project team & plan Identify business value, requirements & impacts Assess equipment & applications for IPv6 Begin training & develop training plan Develop the architectural solution Obtain a prefix and build the address plan Define an exception process for legacy systems Update the security policy Deploy IPv6 trials in the network Test and monitor your deployment

IPv6 Planning Steps

Project Manager (PM) Executive Sponsor Team Member Team Member Team Member Across IT

Security Server Admins Desktop Support Application Developers

IPv6 Project Team

Create Executive Briefing Assign key IT resources, Project Manager (PM)

Build the team Document the process

Aligned to overall IT strategy Develop timeline

Define measurable Align to lifecycle management

Include IPv6 as part of upcoming projects Vendor selection, RFP’s, cloud, SDN, etc..

IPv6 Project Plan

The adoption of IPv6 worldwide provides a practically unlimited number of device addresses

Globalization has necessitated the need to communicate with customers and branch offices in regions that had only IPv6 accessibility

ARIN, the North American address authority has exhausted its public IPv4 address allocation

As IPv6 is adopted worldwide, Public Internet resources will be transitioning to IPv6

Ability to provide IPv6 support to current and potential I-NET customers

Benefits of IPv6

"You don’t need a business case for IPv6. It’s a business continuity solution.” – IPspace.net

Communications with agencies and partners using IPv6 security framework

Our Internet providers and peers currently support IPv6 IPv6 features more efficient routing and improved data

transmission speeds Our network infrastructure is IPv6 ready

Benefits of IPv6 Cont.

8

Must be low-cost and low-risk Must co-exist with existing IPv4 infrastructure Must allow access to public IPv4 Internet Must be incrementally deployable Must understand the cost of adding a new services Must not impact existing services. Nobody should know the integration occurred

Requirements for any IPv6 Transition Strategy

Need of large volume of devices that have to be readdressed Need of security rules and functions to be addressed (IPv6 maturity in

security products) Requirement of Staff with technical knowledge of IPv6 Possibility of attack as the attackers might have more expertise with IPv6

than an organization in the early stages of deployment. Need of good understanding of addressing impact on hardware requirement Requirement of Audit of any associated services and devices that may be

impacted by IPv6 transition. Difficulty in detecting and managing unknown or unauthorized IPv6 assets

on existing IPv4 production networks.

Challenges in migration from IPv4 to IPv6

A key and mandatory step to evaluate the impact of IPv6 integration May be split in several phases

Infrastructure – networking devices and services systems Applications, servers, storage, services, clients Hardware type, memory size, interfaces, CPU load… Software version, features enabled, license type… Known limitations, best practices, etc…

Defined set of features per device’s category for a specific environment Break down into “places in the network” for a more accurate assessment

Core, data center, Internet edge, WAN, wired access, wireless access Cost analysis and time lines

Readiness Assessment

10

Core & Distribution Access Layer ISP Applications Host OS’s Security devices (FW, IPS, SEIM)

IPv6 Assessment Results

Pre architecture deployment team training Onsite Online Confernece, Cisco Live, Task Force

Security team Application developers Expertise garnered by the initial deployment team is spread

throughout the organization Server Admin’s, desktop support, operations

IPv6 Training Plan

PI vs. PA, spanning RIR geography Infrastructure addressing Dual Stack Network, subnet planning ULA vs. Global Host assignment (SLAAC or DHCPv6) Multi home, multi provider (BGP)

IPv6 Architectural Strategy

Windows XP Mainframe Printers

Exception Plan for Legacy Devices

Do you support dual stack peering? Do you have a separate (SLA) for IPv6? Do you support BGP peering over IPv6? Do you have a FULL IPV6 route table? What is the maximum prefix length?

What about DNS…

Checking in with the ISP

Similarities to IPv4 ICMPv6 (PTB, NA, NS) Extension Headers Bogons BCP38, RFC2827 Access layer (Wired & Wireless)

Update to Security Policy

Internal phase Core, Distribution Access (Wired, Wireless) WAN Data Center

External Phase Carrier, provider capabilities Web, Mail, DNS, SLB Security (FW, IPS, Edge Router)

IPv6 Deployment Phases

Security Event Incident Management (SEIM) NOC, network management tools Configuration management database Handheld Testing tools (LanDroid, IPv6 toolkit) Wireshark IPAM, DHCPv6, Radius logs Server logs

Testing & Monitoring IPv6

Legacy IP as a service Removing support for legacy IP More test and monitor

Sunsetting IPv4

CISCO

IPv6 is there already, are you?tmartin@cisco.com

@bckcntryskr tjmartin2020