[159968] in North American Network Operators' Group
Re: IPV6 in enterprise best practices/white papers
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jan 29 16:58:57 2013
From: Owen DeLong <owen@delong.com>
In-Reply-To: <5108260A.6080603@dougbarton.us>
Date: Tue, 29 Jan 2013 13:55:36 -0800
To: Doug Barton <dougb@dougbarton.us>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
>
>>> Whereas, with IPv6 you have most, if not all of the same factors
>>> to consider, but there is some marginal added complexity around
>>> things like SLAAC/RA, some different terminology, binary math in
>>> hex instead of octal, network sizes are many orders of magnitude
>>> larger, etc. So the net effect is that even though "under the hood"
>>> it's not all that different, it all feels new and strange. And we
>>> all know how humans react to things that are new and strange. :)
>>
>> I think "marginal added complexity" is probably a polite
>> understatement;
>
> No, it really isn't. I realize that the IPv6 zealots hate it when I say
> this, but in many ways you can treat IPv6 just like IPv4 with bigger
> addresses.
>
I'm a pretty well known IPv6 zealot and I completely agree with you.
> 1. Don't filter ICMPv6.
> 2. Treat a /64 roughly the way you'd treat a /24 in IPv4.
Actually, I'd say treat a /64 roughly the way you'd treat any sized subnet
in IPv4, whether it's a /24, a /31, or something in between or even a really
large IPv4 single network such as a /22.
If it's an IPv4 /32, then think IPv6 /128.
> 3. Put SLAAC on the networks you have DHCPv4 on.
> 4. Statically assign addresses and networks for v6 on the systems you
> statically assign them on v4 (servers, etc.)
> 5. Neighbor Discovery (ND) replaces arp, but mostly you don't ever need
> to worry about it (just like you hardly ever need to worry about arp).
>
> Voila! You've just learned 80% of what you need to know to be successful
> with IPv6.
Agreed. The remainder has to do with:
1. Understanding and configuring RDNSS support if you're going to use SLAAC.
2. Understanding and configuring DHCPv6 if you want to use that.
3. Managing AAAA records and dealing with ip6.arpa (nearly identical to A and in-addr.arpa)
4. IPv6 routing protocols (if you are in a larger environment)
5. Security policies that are more complex than simply default-deny-all-inbound/permit-outbound.
There's really not a whole lot else one needs to learn for most environments.
> No, quite the opposite. What I'm saying is that if you already
> understand how to run a network with v4 that learning the v6 terminology
> and equivalent concepts, plus the few extra things that you actually do
> need to manage for v6, is not that difficult. It just *seems* hard
> need to manage for v6, is not that difficult. It just *seems* hard
> because before you tackle it, it's all new and strange.
>
I 100% agree with this summary.
Owen
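
The A/in-addr.arpa versus AAAA/ip6.arpa parallel from item 3 of the list above, as an added example that is not part of the original message. The function names, host names and the documentation-range addresses (192.0.2.0/24, 2001:db8::/32) are constructed for illustration.

```python
import ipaddress

def reverse_zone(prefix):
    """Return the reverse-DNS zone name covering `prefix`.

    in-addr.arpa is cut on 8-bit (octet) boundaries and ip6.arpa on
    4-bit (nibble) boundaries, so other prefix lengths are rejected.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        step, suffix = 8, "in-addr.arpa"
        labels = str(net.network_address).split(".")
    else:
        step, suffix = 4, "ip6.arpa"
        # Expand to all 32 hex digits; each digit becomes one DNS label.
        labels = list(net.network_address.exploded.replace(":", ""))
    if net.prefixlen % step:
        # e.g. an IPv4 /31: needs classless delegation (RFC 2317) instead.
        raise ValueError(f"{prefix}: not on a {step}-bit boundary")
    kept = labels[: net.prefixlen // step]
    return ".".join(kept[::-1] + [suffix])

def ptr_owner(address):
    """Owner name of the PTR record for a single host address."""
    return ipaddress.ip_address(address).reverse_pointer

def ptr_record(address, hostname):
    """One zone-file line mapping `address` back to `hostname`."""
    return f"{ptr_owner(address)}. IN PTR {hostname}."

# Constructed sample data: one IPv4 subnet and one IPv6 /64 with a host each.
SAMPLES = [
    ("192.0.2.0/24", "192.0.2.10", "www.example.net"),
    ("2001:db8:0:1::/64", "2001:db8:0:1::10", "www.example.net"),
]

if __name__ == "__main__":
    for prefix, host, name in SAMPLES:
        zone = reverse_zone(prefix)
        record = ptr_record(host, name)
        # The host's PTR owner name must fall inside the subnet's zone.
        assert ptr_owner(host).endswith("." + zone)
        print(f"zone   {zone}")
        print(f"record {record}\n")
```

The procedure is the same in both families; only the label width (octet versus nibble) and the length of the names differ.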