Deploying IPv6 in Enterprise Networks

I was invited to present my views on the IPv6 deployment in enterprise networks during the local IPv6 summit. Instead of joining the cheering few or the dubious crowds, I’m trying to present a realistic view answering questions like “what do I have to do”, “when should I start” and “where should I focus my efforts”.

Here’s the outline of my presentation, any feedback, additional thoughts or insightful critique is most welcome.

Background information

Scenario: Enterprise network connected to the Internet. No need for internal IPv6 (RFC 1918 is good enough).

Question: where shall I focus my IPv6 efforts?

Facts of life:

  • IPv6 is a reality, get used to it.
  • Migration is supposed to be easy, but you will get stuck on details.
  • Start small, but start now.

Phases of public IPv6 deployment:

Phase#1: Dual stack content (starting now)

Phase#2: IPv6-only Internet clients (in a few years)

Phase#3: IPv6-only major content providers (10+ years from now)

Obviously this is just my perception of the critical milestones, as they apply to enterprise network deployment.

Proposed action plan

Phase#1 has already started, get ready for it:

  • Establish IPv6 connectivity with all the upstream providers
  • Deploy IPv6 on your public servers. Start with small, non-critical applications to get hands-on experience.
  • Change your whole DMZ into dual-stack DMZ.

As an enterprise network, you don't care about Phase #2:

  • Your content is reachable over IPv4 and IPv6
  • Interesting content is reachable over IPv4.
  • Use this time to plan your internal IPv6 deployment.

When the public content becomes available only over IPv6 (phase #3) you might be in a morass if your internal network is not yet dual-stack (you’ll have to face ugly 4to6 NAT). Deploy dual-stack throughout your network:

  • RFC1918 + 4to4 NAT
  • Public IPv6 address space

2 comments:

  1. I've have some things to think about prior to any of the above. How do I subnet and allocate a shiny new /32 without doing something that I'll regret a decade from now?

    --Mike

    ReplyDelete
  2. RFC 5375 gives guidelines for subnet allocations. But as I understand it, it boils down to this: you receive your new /48 from the provider (or bigger if you deserve). The /48 will be carved out so each site is assigned a /56 which is 256 /64 subnets. Physical subnets and VLANs within sites should be assigned /64 regardless if they deserved smaller or point-to-point /126 or /127, which might save you the future headaches. So, I guess the task at hand is figuring out how this integrates in the various DMZs.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.