Do I need IPv6 in my Enterprise (again)

Ethan Banks, one of the masterminds behind the Packet Pushers podcast, wrote a spot-on blog describing why enterprises don’t deploy IPv6. Unfortunately, most of the enterprise networking engineers follow the same line of reasoning, and a few of them might feel like the proverbial deer caught in the headlights once something totally unexpected happen ... like their CEO vacationing in China, getting only IPv6 address on the iPhone, and thus not being able to access a mission-critical craplication. For a longer-term perspective, read an excellent reply written by Tom Hollingsworth.

I totally agree with Ethan that there’s no reason to deploy IPv6 throughout the enterprise network today, but that’s no excuse for lack of preparation and early deployment pilots. There are a number of things you can do today that won’t cost you much:

Make IPv6 support mandatory when re-negotiating contracts with your carriers. We did this in Slovenia with marvelous results: all three biggest ISPs offer IPv6 to business customers by default at no extra charge.

Buy only IPv6-enabled gear. You don’t have to deploy IPv6 today, but if you have to deploy it in rush, it helps if you can use the existing equipment. Use RIPE-501 (or its successor, once it comes out) as the purchasing guideline and be particularly careful with the data center gear (that’s where you’ll encounter IPv6 first).

Buy only applications tested to work over IPv6. Like the previous two points, buying off-the-shelf solutions or custom-developed applications that don’t support IPv6 is utterly shortsighted. If they don’t support IPv6 today, what are the chances they’ll be able to fix their code (and potentially their database structures) when you’ll need IPv6?

If you’re extremely nasty, make sure there’s only IPv6 connectivity in the room where the vendor is demonstrating the application ;)

Educate your application developers. Unless they write C/C++ code, they’re probably not exposed to the stupidities of the socket API, but they still need to understand that the IP addresses they get in REMOTE_ADDR CGI field might get longer than 14 characters and that the (\d+\.){3}\d+ regular expression no longer parses all network addresses.

Get provider-independent IPv6 address space. You could survive with Provider-Assigned (PA) address space if needed, but it makes no sense to expose yourself to unnecessary network renumbering. Get ready today.

Plan for rapid IPv6 deployment in your DMZ. If you can’t invest in proper planning, pilots, test and production deployment, at least develop an emergency plan that you can pull off the shelf when needed. It could be as easy as establishing a tunnel to Hurricane Electric, deploying IPv6 in one segment in your DMZ, and configuring 6-to-4 load balancing on your F5 BIG-IP or Cisco’s ACE-30 ... but you have to know what needs to be done.

Get educated and get some hands-on experience. Not because your company needs it, but because it won’t hurt your career to know a bit more than what you need to know to get your daily job done.

I did a Getting ready for IPv6 in 6 days presentation in early June; you might want to revisit it to get some emergency ideas ... and don’t forget what Martin Levy said:

You can either do a planned, careful migration, or you can do it in a panic. And you should know full well that panicking is more expensive.

More information

I’m running a 2-day IPv6 seminar (October 12th and 13th) in Rome; there might still be a few places left (and it’s always nice to have a reason to go to Rome).

IPv6 deployment issues in enterprise and service provider networks are described in two introductory webinars: Enterprise IPv6 – the First Steps and Service Provider IPv6 Introduction (register).

Various IPv6 access and network configurations are described in my Building IPv6 Service Provider Core webinar (buy the recording).

For more IPv6 webinars, check the IPv6 roadmap; all of them are available as part of the yearly subscription package.

7 comments:

  1. Just FYI, "getting only IPv6 address on the iPhone" ... as far as I know the iphone doesn't support either PDPv6 or PDPv4v6, so that's unlikely to happen (just yet).

    ReplyDelete
  2. I think he meant it on wifi... hopefully Iphone5 will be able to do PDPv6 or PDPv4v6

    ReplyDelete
  3. Hi,

    Check out this presentation on CheckPoints IPv6 support;

    http://blog.lachmann.org/2011-09-06_CPUGCON2011_IPv6_on_Check_Point_Security_Gateways.pdf

    ReplyDelete
  4. Although the recommendation is for a business to purchase it's own IPv6 address space, the APNIC document titled "IPv6 Address allocation and assignment policy" has a specific section that says the following:

    5.2 Initial allocation
    5.2.1 Initial allocation criteria
    To qualify for an initial allocation of IPv6 address space, an organization must:

    a.Be an LIR
    b.Not be an end site
    c.Plan to provide IPv6 connectivity to organizations to which it will make assignments.
    d.Meet one of the two following criteria:
    ◦Have a plan for making at least 200 assignments to other organizations within two years OR
    ◦Be an existing LIR with IPv4 allocations from an APNIC or an NIR, which will make IPv6 assignments or sub-allocations to other organizations and announce the allocation in the inter-domain routing system within two years
    Private networks (those not connected to the public Internet) may also be eligible for an IPv6 address space allocation provided they meet equivalent criteria to those listed above.

    Note B and C. This would tend to indicate that it is NOT possible for a business to purchase(lease) an address space.

    Am I missing something?

    ReplyDelete
  5. See 5.9.1 Small Multihoming Assignment

    ReplyDelete
  6. It's on my roadmap for next year to get IPv6 dual-stack moving along in my world (despite my article). I want to encourage adoption, because it does seem like the world is going to end up there, CGN notwithstanding. That said, my world is still filled with the day-to-day madness of running a network. IPv6 isn't on my management's radar at all beyond something neat to read about in the trade rags. It's a hard sell, essentially impossible to prioritize.

    ReplyDelete
  7. Romans Fomicevs11 October, 2011 14:13

    Implementing dual stack within Enterprise has a lot of fun, actually.

    As for reasons, I can mention one: Direct Access. We are moving towards it. Most likely we will face some weird things on our way, but the idea to drop 3rd party VPN clients sounds great to me.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.