[159870] in North American Network Operators' Group
Re: IPV6 in enterprise best practices/white papers
daemon@ATHENA.MIT.EDU (Sander Steffann)
Sat Jan 26 11:41:50 2013
From: Sander Steffann <sander@steffann.nl>
In-Reply-To: <CAKb_Nupf4GAY4cFnyyb3hewFCWk6Vp4zLyyKnc4ct-0T4K356A@mail.gmail.com>
Date: Sat, 26 Jan 2013 17:41:31 +0100
To: Pavel Dimow <paveldimow@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi,
> I have read many of those ipv6 documents and they are great but I
> still lack to find something like a "real world" scenario.
Keep an eye on Deploy360: http://www.internetsociety.org/deploy360/ipv6/
> What I mean is that for example I want to start implementation of ipv6
> in my enterprise according to my knowledge so far
> my first step is to create address plan
Yes. I wrote a document on that for SURFnet a couple of years ago (in Dutch). The RIPE NCC translated it to English:
http://www.ripe.net/lir-services/training/material/IPv6-for-LIRs-Training-Course/IPv6_addr_plan4.pdf
> , then implement security on routers/switches then on hosts,
You'll at least have to think about security at this point. Think about how you do security for IPv4. If you do DHCP snooping for IPv4 then you might want to do it for IPv6. One thing to pay attention to is Router Advertisements (RA). Most operating systems these days listen to RA packets and will auto-configure their IPv6 stack based on the information in them. Someone (accidentally or on purpose) sending wrong RAs on your LAN can cause problems. But then: anybody who can access your LAN can cause trouble. This is a risk you already have, but still something to think about.
> and after that I can start to create AAAA record and PTR records in DNS
Well, first you'll have to configure your systems and services to be available over IPv6. So you'll have to check the configurations of your web servers, DNS servers, mail servers, etc. Once you are confident that the service will work just as well over IPv6 as over IPv4 then add the DNS records.
First make it work, and only then add the DNS records to advertise it.
> and after that I should configure my dhcp servers
Think about whether you want a stateful DHCPv6 server (to keep track of every IPv6 address used by a system, to be able to do DHCP snooping on switches, etc) or whether a stateless DHCPv6 server (only supply DNS information and other configuration parameters, but not managing the client's addresses). If you don't do DHCP snooping now and you don't really care which IPv6 addresses a PC gets then stateless DHCP is fine.
> and after all has been done I can test ipv6 in LAN and
Once you start sending RAs and deploying DHCPv6 you will already have IPv6 in those LANs...
> after that I can start configure bgp with ISP.
No. *First* talk to your ISP, get address space (either from your ISP or provider independent), make an addressing plan, configure your firewalls and configure your back bone, then connect to your ISP, then deploy IPv6 on servers and clients (first on small test networks in your lab if possible), then advertise it in DNS.
> Is this correct procedure? Any thoughts? If all is correct I have a
> few questions..
>
> Regarding DNS, if I give a /64 to host
You give a /64 subnet to a LAN, and the systems on that LAN get addresses from that subnet.
> using SLAAC or DHCP how do I maintain PTR for this /64? I should use DDNS?
That depends. I know many organisations that don't care about reverse DNS for workstations, only for servers. Servers you usually give a static address, so you can configure the PTR records manually. When you use SLAAC (with optionally stateless DHCPv6) and you want to maintain the PTR records then you might use DDNS. If you use stateful DHCPv6 then let the DHCPv6 server handle the DNS updates.
> What do you use in your enterprise SLAAC or DHCP? If SLAAC why not DHCP?
I think I already answered this question above somewhere :-)
> Any other hints/tips?
Deploy on test networks first. From your questions it seems that you have little hands-on experience with IPv6. Get that experience first before working on your production networks. Maybe even get an IPv6 tunnel with a /48 of IPv6 addresses from HE / tunnerbroker.net to play with in your lab. It's free and works very well, especially for getting experience!
Cheers,
Sander
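The rogue-RA risk Sander raises above can be monitored for. As an added example (not part of the thread, not Sander's code), this Python script parses raw IPv6/ICMPv6 Router Advertisement packets and flags any RA whose source is not the LAN's known router, or which advertises a prefix outside the addressing plan. The trusted router address, the planned /64, and the sample packets are all constructed here for illustration; ICMPv6 checksums are not validated.

```python
import ipaddress
import struct

# Constructed LAN configuration: the one legitimate router's link-local address
# and the /64 the address plan assigns to this LAN (documentation prefix).
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
PLANNED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1:10::/64")}

def parse_ra(pkt: bytes):
    """Return (source, [advertised prefixes]) if pkt is an ICMPv6 RA, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6 or pkt[6] != 58:  # IPv6, next header ICMPv6
        return None
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp = pkt[40:]
    if len(icmp) < 16 or icmp[0] != 134:  # ICMPv6 type 134 = Router Advertisement
        return None
    prefixes, off = [], 16  # RA options follow the 16-byte RA header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8  # option length is in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            break  # malformed option: stop rather than loop forever
        if otype == 3 and olen == 32:  # Prefix Information option (RFC 4861)
            plen = icmp[off + 2]
            prefixes.append(ipaddress.IPv6Network((icmp[off + 16:off + 32], plen), strict=False))
        off += olen
    return src, prefixes

def classify_ra(pkt: bytes) -> str:
    """Label an RA as ok / rogue against the trusted router and planned prefixes."""
    parsed = parse_ra(pkt)
    if parsed is None:
        return "not-an-RA"
    src, prefixes = parsed
    if src not in TRUSTED_ROUTERS:
        return f"ROGUE: RA from untrusted router {src}"
    bad = [str(p) for p in prefixes if p not in PLANNED_PREFIXES]
    if bad:
        return f"ROGUE: trusted router {src} advertised unplanned prefix {','.join(bad)}"
    return "ok"

def build_ra(src: str, prefix: str) -> bytes:
    """Build a minimal RA packet in memory as a test fixture for the parser (nothing is sent)."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + opt
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp

if __name__ == "__main__":
    for s, p in [("fe80::1", "2001:db8:1:10::/64"), ("fe80::bad", "2001:db8:1:10::/64")]:
        print(s, p, "->", classify_ra(build_ra(s, p)))
```

The same check can be fed packets captured from a monitoring port; a switch feature such as RA Guard, where available, blocks the rogue RAs rather than only reporting them.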