Download - IPv6 in the - NANOG Archive · ISP ISP ISP Roving users Roving users CUSTOMERS ISP ISP ISP ISP ISP ISP Broad support User operating ... Killer Apps? • As if “more ... debate -


IPv6 in the Enterprise Sector

Andy Davidson - LONAP / NetSumo

NANOG 46

Monday June 15th, 2009

Philadelphia, PA, USA

Thursday, 11 June 2009


Agenda

• Business Drivers for v6 rollout

• Process

• Problems

• Observations


Interviewed

• Fred Wettling, Bechtel

• Paul Hoogsteder, DOK Delft Library

• Rich Groves, Microsoft IT


Business Drivers

• All interviewees reported similar business drivers

• Drive to ‘everything IP’ = enormous demand for addresses

• V4 exhaustion a real concern

• Maximise global routing reachability

• V6 a new customer requirement, e.g. government requirements from 2005


Drive to early rollout

• Gradual change much cheaper than ‘big bang’ rollout

• Early adoption leads to lower risk and greater continuity


Process

• Modify procurement specification to mandate v6 support

• Use existing change control process to gradually introduce v6

• Rollout has to be ‘business as usual’


Initial Observations

• Routing infrastructure, Desktop OS, all well supported

• Service infrastructure (firewalls, load balancers) & applications have relatively poor maturity


[Diagram: enterprise network, with these labelled elements: Datacentre, Branch office, HQ, Partners, ipsec encrypted tunnels, layer2, ISP, Services, Load Balancer, More Services, DB / Storage ("Secrets!!!!"), Wifi gateways, Users, Control devices, Noc/Monitoring, VPN GW, Roving users, CUSTOMERS. The same diagram is repeated on the following slides.]


Broad support

• User operating systems tend to be acceptably compliant

• Users don’t notice - this should be a design goal

• However, many applications which talk over the network are not v6 aware


Broad support

• Server Operating Systems also appear to work

• Support in Open Source platforms now very mature


Good

• Core routing infrastructure tends to be good (the stuff SPs also use!)

• Specific problems that require complex labbing (more shortly)


Support Varies

• Service providers in different geographies have strongly different v6 adoption maturity

• For every service provider that is extremely mature, there are many more who have not started adoption process


Frustrating

• CPE poor at v6

• Complaints: Hard to buy CPE that does it

• Wifi kit that refuses to pass v6 frames

• Some glimmers of hope in next-gen kit

• Success with: Apple Airport, AVM Fritz!box, A&A Firebrick, Cisco 837, 1800


Bad

• v6 forwarding performance lower (asic support missing)

• v6 interfaces often missing

• Inconsistent feature set in product range, e.g. Protocol41 on ASA

• Success with: ASA > v7, Checkpoint (v4 mgmt), Linux ip6tables / Sun ipf, Screenos > v5


Bad

• e.g. Handheld devices, or control units, or cameras, etc.

• Was often serial, now driving ‘ip everywhere’ & address consumption

• RFID ethernet?

• Often cheap and old technology with no v6 support


Bad

• v6 missing in many VPN feature sets


Bad

• Urgently important to most large enterprises

• LB logic/expectations engrained in enterprise software, hard to migrate between platforms

• v6 support really lacking here

• Vendor interest - A10 Networks, Citrix, Apache / mod_proxy_balancer


Key Grumbles

• Infrastructure has different v4/v6 commands

• Infrastructure has no v6 in some interfaces (e.g. Cisco ASA has no v6 in web GUI)

• Vendors must be more consistent!

• Availability of v6 in some regions poor, some excellent - hard to predict availability

• First Hop Redundancy protocols considered poor


More Grumbles

• “Interesting” bugs you wish you’d found in the Lab

• Various things can cause all forwarding to happen on the CPU rather than in hw, e.g. c6500/802.1ah

• Lots of platforms can’t measure v4/v6 traffic volumes independently (helps you find these bugs!)

• Enterprise v6 maturity feels a bit like routing v6 maturity did a few years ago

• Transitional technologies (will expand more)


Transitional Technology

• All wanted to avoid Transitional Tech

• Tunnels considered to provide poor service levels, native strongly preferred

• Device support for transitional tech (e.g. 41) not as good as support for native

• Partial roll followed by full roll is twice the work, and engineers prefer to party


Successes

• Users don’t notice the difference

• Helpdesk training not complex


Killer Apps?

• As if “more addresses” was not enough .......

• Microsoft Direct Access

• Creates Always On ad-hoc VPNs that use IPSec over IPv6.

• Coming in Windows 7

• Is really just an extension of the end-to-end debate - this innovation is possible because v6 end-to-end is a reality today and new p2p apps will follow.


What nobody mentioned

• NAT6 - perhaps we don’t need it after all

• Good. :-)

• Though ISATAP (or ALG layers) is a necessary evil for now to reach v6 from the v4-only world.


Questions and Comments at the end


Andy Davidson
