Network Automation for IPv6 - Association G6g6.asso.fr/wp-content/uploads/2012/04/infoblox.pdf ·...
© 2011 Infoblox Inc. All Rights Reserved.
Anton Holleman, Senior Consulting Engineer, EMEA
Network Automation for IPv6
The Network and its core services
Core Network Services: DNS, DHCP, IPAM
– Glue between network and all applications
– Track and automate change
– Secure and reliable service delivery
Network:
– Discovery and inventory
– Track and automate change
– Proactive check against policy
Applications
What are the benefits?
Implementing IPv6
Drivers to IPv6
! You can’t get enough IPv4 addresses
! Your business partners are using IPv6
! Clean up your current network architecture
! Performance and security enhancements
How do we get there?
IPv6 Implementation Challenges
What do you have now?
! Make sure you know what you have:
– Current/accurate network inventory and map
– Inventory of all firewalls, NATs, load balancers, anything with ACLs
– Current/accurate desktop and server inventory
– Inventory of all software/apps and services you use
IP devices and network infra
! Do you need to:
– Replace
– Upgrade
– Buy new/additional hardware
– Reconfigure existing hardware
IPv6 Migration Challenges
! Dual infrastructure for foreseeable future
! IPv4 and IPv6 will coexist requiring infrastructure support for both
! IPv6 expertise is scarce
! Existing management tools/scripts won’t work
! IP Address Management with spreadsheets will not scale
! Subnet creation will require new diligence
! DNS management will be error prone
Why Automate?
IPv6 Deployment
Is everyone ready for that? Or, do we need new tools?
Are you ready? Old methods just don’t work.
10.34.12.5
2001:1868:ad01:1::33
2001:1868:ad01:1::c62c:3ff:fe30:16c1
Can you remember?
Traditional IP Allocation Process
! Spreadsheet tracks inventory
! To add a host
– User request starts procedure
– Help desk forwards the request to the network or server team
– Network team determines allocation
– DNS administrator:
• Edits forward-mapping zone file and adds an AAAA record, updates zone’s serial number and saves file
• Edits reverse-mapping zone file and adds a PTR record, updates zone’s serial number and saves file
• Restarts/reloads name server
! Spreadsheet gets updated with new information
! Troubleshoot if needed
Automation Use Case: Address Allocation Process
! To add a host with IPAM
– Coordinate IPv4 and IPv6 addresses
– Instant feedback
– Easy to resolve conflicts
! DNS and DHCP records are updated instantly
! Change logged and classified in audit log
– Who changed it
– What changed
– When it changed
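The coordinated allocation described above, sketched as an added example (not Infoblox code): a toy in-memory IPAM that rejects conflicting addresses, emits matching forward and reverse records, and writes a who/what/when audit entry. The `Ipam` class and the host name `host1.example.com` are hypothetical; the two addresses are the ones shown earlier in the deck.

```python
import ipaddress
from datetime import datetime, timezone

class Ipam:
    """Toy in-memory IPAM (hypothetical, for illustration only)."""

    def __init__(self):
        self.by_addr = {}   # parsed address -> FQDN that owns it
        self.audit = []     # who / what / when entries

    def add_host(self, fqdn, addrs, who):
        """Register fqdn under every address and return the DNS records.

        The whole request is rejected if any address is already taken, so
        the forward and reverse zones can never disagree.
        """
        fqdn = fqdn.rstrip(".") + "."
        # Parsing normalises the text form, so 2001:1868:AD01:1:0:0:0:33 and
        # 2001:1868:ad01:1::33 compare equal (a spreadsheet string match would not).
        ips = [ipaddress.ip_address(a) for a in addrs]
        clashes = [str(ip) for ip in ips if ip in self.by_addr]
        if clashes:
            raise ValueError("conflict: " + ", ".join(clashes) + " already allocated")
        records = []
        for ip in ips:
            rtype = "AAAA" if ip.version == 6 else "A"
            records.append((fqdn, rtype, str(ip)))
            # reverse_pointer builds the in-addr.arpa / nibble-reversed ip6.arpa name
            records.append((ip.reverse_pointer + ".", "PTR", fqdn))
            self.by_addr[ip] = fqdn
        self.audit.append({
            "who": who,
            "what": "add " + fqdn + " " + ", ".join(str(ip) for ip in ips),
            "when": datetime.now(timezone.utc).isoformat(),
        })
        return records
```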
[Screenshot labels: Name; IPv4 Address; IPv6 Address]
Automating Network Allocation
Benefits
! Shorten planning cycle
- View network
- Select available or existing
- Reduce or enlarge
! Eliminate dependencies and procedural delays
! Built-in error checking
- Closed loop update
- Synchronize changes to both DNS and DHCP configuration
- Logged and classified in the audit log
[Screenshot labels: IPv6 Containers; IPv6 Networks; Bounds of IPv6 Address Space; Quickly view available IPv6 address space]
IPAM – Knowledge is Power
Without a clear understanding of your IP assets and utilization, it is impossible to automate your network environment effectively
– Allocate address ranges for specific function or applications
– Real time decision making
– Coordinate IP allocation between different organizations/groups
– Time to determine what is available
• Ping before assign is not always accurate
• Checking spreadsheets is time intensive and difficult to manage
Network Change Control and Management
Making decisions based on outdated or inaccurate information about IP addresses, DNS and DHCP can affect the stability of the network
Discovery:
! You need to know when new assets are added to the network
! Not everything follows the right process!
Capacity planning
! As new services are to be deployed, you need to know if the address space is available.
! Tracking switch ports in use is also critical to planning
DHCPv6 – Stateful vs. Stateless
Stateless Deployments
! Client receives all required information from the router to configure default gateway and address
! Generally no DHCP options
– However, additional options provided by DHCP if available
Stateful Deployments
! Very similar to IPv4 DHCP
! Client receives address from the DHCP server
! Client receives options from the DHCP server
! Server can track which IP address is in use by which client
Which one will you use?
Infoblox solutions enable IPv6 migration
DNS/DHCP/IPAM Automation
! DNS/DNSSEC configuration automation
! IP address management automation
IPv6 Enabled Network Configuration Automation
! Network change automation
! Configuration management
! Compliance, policy enforcement & auditing
Conclusions
! IPv6 gives you the opportunity to design and build a new network
! Execution without a plan is planning for failure
! Timing is right to start to plan now
! Without automation, your plan will fail
DNS64 – The Universal Translator Needed When IPv6 Only Clients Reach IPv4 Only Hosts
[Diagram labels: IPv4; IPv6; Dual Stack Web Server; Dual Stack SMTP Server; Dual Stack External DNS; DMZ; Firewall with IPv4 NAT; Translation; Internal IPv4 Network; "I only speak IPv6"; "I only speak IPv4"]
For More Information…
! IPv6 Center of Excellence – www.infoblox.com/IPv6CoE
! Cricket IPv6 White Paper – 7 deadly traps – www.infoblox.com/en/resources/white-papers/seven-deadly-traps-of-ipv6-deployment.html
! Cricket O’Reilly book – www.infoblox.com/en/landing/dns-on-windows-server.html
Questions?
DNS64 – The Inner Workings
[Diagram labels: Internet; Recursive Name Server running DNS64; IPv4; IPv6; NAT64 Protocol Translator; www.v4only.com; ns1.v4only.com; 64:ff9b::/64]
1. Client sends query for www.v4only.com/AAAA to local recursive name server
2. Recursive name server sends www.v4only.com/AAAA query to name server, gets negative response, sends www.v4only.com/A query, gets response
3. Recursive name server synthesizes an IPv6 address to return to client in AAAA record using 64:ff9b::/64 prefix
4. Client sends packet to synthesized IPv6 address, which routes to NAT64
5. NAT64 sends packet to destination IPv4 address
6. IPv4-only web server returns response over IPv4 to NAT64
7. NAT64 converts packet to IPv6, returns to originating client
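The address handling in steps 2, 3 and 5, as an added example that is not part of the original slides. It assumes the /96 form of the 64:ff9b:: well-known prefix from RFC 6052, where the IPv4 address fills the low 32 bits; the function names and the sample address 192.0.2.33 are constructed for illustration.

```python
import ipaddress

# Assumption: RFC 6052 well-known prefix in its /96 form, so the IPv4
# address occupies the low 32 bits of the synthesized IPv6 address.
PREFIX = ipaddress.ip_network("64:ff9b::/96")

def synthesize(ipv4, prefix=PREFIX):
    """Embed an IPv4 address in the NAT64 prefix (step 3)."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding is shown here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def dns64_answer(aaaa_rrs, a_rrs, prefix=PREFIX):
    """Addresses the recursive server returns for an AAAA query (steps 2-3).

    Native AAAA records are passed through untouched; synthesis happens
    only when the AAAA lookup came back empty and A records exist.
    """
    if aaaa_rrs:
        return [ipaddress.IPv6Address(a) for a in aaaa_rrs]
    return [synthesize(a, prefix) for a in a_rrs]

def nat64_destination(ipv6, prefix=PREFIX):
    """Recover the IPv4 destination at the NAT64 (step 5).

    Returns None for addresses outside the prefix, which the translator
    should not handle.
    """
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
```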
To Learn More
Get your own tunnel
! Hurricane Electric – http://ipv6.he.net
! SIXXS - http://www.sixxs.net/main
! HE Certification:
– On the Hurricane Electric IPv6 site is a certification program. Completing the program is an excellent introduction to IPv6 in a working environment.
Books to look at
! IPv6 Essentials - Silvia Hagen
! Running IPv6 - Iljitsch van Beijnum
! IPv6 Security – Scott Hogg and Eric Vyncke
Handy Web Resources
! NIST Guidelines for the Secure Deployment of IPv6 – http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
! ARIN IPv6 Wiki – http://www.getipv6.info
! IPv6 Forum – http://ipv6forum.com