IPv6 deployment at the departmental level
- Define your IPv6 addressing standard
- Firewall standards
- Manual IPv6 address testing
- Domain Name Service (DNS) setup
- Strategies for DHCPv6 address allocations
- Setting up a DHCPv6 server
- Enabling IPv6: Router Advertisements
- Using DNS to define servers and hosts accessible by IPv6
This document presents a strategy for deploying an IPv6 network alongside a pre-existing IPv4 departmental network. While this strategy has been tested only at a departmental network at our university, the hope is that it's applicable to any similar type of local area network.
Regarding our network topology: we have a flat Ethernet network throughout the department. Connectivity to the university backbone network and the Internet is provided by the university network services, who employ Cisco routers for the networking infrastructure.
Many technical details of IPv6 network protocols have been described in the accompanying page IPv6_configuration. To learn about IPv6 in general you should first consult that page. In particular, you need to understand the new 128-bit IPv6_addressing.
The IPv6 deployment steps are presented below and may be summarized as:
- Allocate your IPv6 address range.
- Design IPv6 firewall rules.
- Manually configure IPv6 on two or more hosts for testing.
- In your DNS server configure IPv6 AAAA records for the testing hosts.
- Define your DHCPv6 address allocation strategy.
- Configure a DHCPv6 server on your network.
- Enable Router_Advertisements.
At this point the IPv6 deployment has been completed.
Some links to useful IPv6 deployment documentation:
As a prerequisite to the deployment process described below, in the IT-forum group's file sharing area (fildeling) on Campusnet you will find IPv6 deployment documents written by Hugo Connery which provide much more technical detail; in particular they define the allocation of IPv6 addresses and the security considerations within a department. DTU's standard IPv6 firewall rules will probably be all you need to begin with.
You must consult your upstream/central networking people to obtain an IPv6 "subnet". Usually a /64 (64 bits out of 128) subnet is allocated to the departmental level, for example:
2001:0878:0200::/48        (university level)
2001:0878:0200:xxxx::/64   (department level)
Note that an IPv6 address consists of exactly 8 quartets (groups of 4 hexadecimal digits) separated by : characters. The notation :: stands for one or more consecutive quartets containing only zeroes and may be used only once in an address. Read more about IPv6_addressing.
This document assumes that you have chosen appropriate addresses for any fixed-address host in the form:
2001:0878:0200:xxxx:yyyy::zzzz
where xxxx, yyyy, and zzzz have given values for each host on your network. Note how :: stands for one or more quartets containing only zeroes.
Your network people must configure firewall rules to protect your IPv6 network. At DTU we have defined standard firewall rules as described in the above mentioned Campusnet documentation (see the document DTU IPv6 Addressing Standard).
The main purpose is to expose only your designated servers (for example, web and mail servers) to the Internet, whereas PC, printers etc. should be fully shielded against access from the outside Internet.
At this stage the firewall rules should be planned, but since no IPv6 traffic is permitted yet, enabling them belongs to a later stage.
You should familiarize yourself with manually configuring IPv6 on (at least) two hosts on your network. See IPv6_configuration for examples of how to configure IPv6 on various types of operating systems.
You should select computers which do not provide any kind of services, for example, some PCs. Select addresses such as 2001:0878:0200:xxxx:yyyy::zzzz with different values for zzzz for each host.
First make sure that your testing hosts have IPv6 enabled in the OS: They should already have Link_Local addresses (network fe80::/10, see IPv6_addressing) which are non-routable, i.e., confined to your local network. Check the status of the network interfaces:
ifconfig -a      (Linux)
ipconfig /all    (Windows)
For any pairs of hosts, try to ping from one IPv6 address to the other:
hostA> ping 2001:0878:0200:xxxx:yyyy::zzzz (hostB)
On Linux you must use the ping6 command instead. Make sure the host firewall permits IPv6 communication.
The next step is to define IPv6 addresses in your authoritative DNS server. At DTU this may either be a DNS server controlled by the department, or a central DNS server (in which case you must contact the DTU networking people). The DNS server software must not be too old, otherwise its IPv6 support may be poor.
For example, the host ns1.fysik.dtu.dk has been configured with these A and AAAA DNS records:
ns1    IN A     18.104.22.168
       IN AAAA  2001:878:200:2010::6
Test your DNS setup by pinging the DNS host names:
hostA> ping hostB
On Linux use ping6.
Whereas IPv4 uses the special DNS domain in-addr.arpa. for reverse DNS, IPv6 uses the special domain ip6.arpa. As with IPv4, you also need to contact your upstream (university) network administrator to delegate authority for your reverse-DNS domain to your DNS server.
For example, reverse DNS for the network 2001:878:200:2010::/64 must be delegated to this DNS domain:
0.1.0.2.0.0.2.0.8.7.8.0.1.0.0.2.ip6.arpa.
where the order of the hexadecimal digits of the network prefix has been reversed and . characters separate the digits (read the prefix from right to left).
Sample configurations for the ISC BIND DNS server are shown at http://www.zytrax.com/books/dns/ch3/#ipv6
Your DNS server must serve reverse DNS lookups for your ip6.arpa subdomain. An example reverse DNS record for the domain 0.1.0.2.0.0.2.0.8.7.8.0.1.0.0.2.ip6.arpa. may be configured in an ISC BIND DNS server like:
; Server machines 2001:878:200:2010:0:0:0:x
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.2.0.0.2.0.8.7.8.0.1.0.0.2.ip6.arpa.
6.0.0.0 PTR ns1.fysik.dtu.dk.
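As an added example (not part of the original page), the following Python helper derives the ip6.arpa zone name and the PTR owner labels from the prefixes used above, so that the reversed-nibble names are generated rather than typed by hand. It uses only the standard library; the /112 origin mirrors the layout of the BIND snippet, whose $ORIGIN covers the 2001:878:200:2010:0:0:0:x server range.

```python
import ipaddress


def ip6_arpa_zone(prefix: str) -> str:
    """Return the ip6.arpa zone for a nibble-aligned IPv6 prefix.

    Nibble alignment (length a multiple of 4 bits) means the prefix maps
    to exactly one reverse zone, as it does for the /48 and /64 used here.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 bits")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    zone_nibbles = nibbles[: net.prefixlen // 4]
    return ".".join(reversed(zone_nibbles)) + ".ip6.arpa."


def ptr_owner(address: str, origin: str) -> str:
    """Return the PTR owner name of `address` relative to a zone $ORIGIN."""
    full = ipaddress.IPv6Address(address).reverse_pointer + "."
    suffix = "." + origin
    if not full.endswith(suffix):
        raise ValueError(f"{address} does not belong to {origin}")
    return full[: -len(suffix)]


def reverse_zone_fragment(origin_prefix: str, hosts: dict) -> list:
    """Emit a $ORIGIN line plus one PTR record per host (BIND zone style).

    `hosts` maps an IPv6 address to its fully qualified name (final dot).
    """
    origin = ip6_arpa_zone(origin_prefix)
    lines = [f"$ORIGIN {origin}"]
    for address, name in sorted(hosts.items()):
        lines.append(f"{ptr_owner(address, origin)} PTR {name}")
    return lines


if __name__ == "__main__":
    # The department /64 from the text and the zone to be delegated for it.
    print(ip6_arpa_zone("2001:878:200:2010::/64"))
    # Server range 2001:878:200:2010:0:0:0:x expressed as a /112 $ORIGIN.
    servers = {"2001:878:200:2010::6": "ns1.fysik.dtu.dk."}
    for line in reverse_zone_fragment("2001:878:200:2010::/112", servers):
        print(line)
```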
At this stage strategic choices must be made about client authorization and address selection according to your organization's IT security policies.
- RA flag M=off: Clients are unmanaged and will form IPv6 addresses automatically on their own.
- RA flag M=on: Clients are managed and must request their IPv6 addresses from the local DHCPv6 server.
The managed strategy may be required by your organization's IT security policy because it enables the following features:
- Only authorized clients will receive a routable IPv6 address.
- Unknown clients may be configured to use a local, unroutable IPv6 address space.
- Traceability of clients whose network traffic violates your IT security policy.
The unmanaged strategy forfeits the above security properties. This may be acceptable in a public area network, for example.
For further information read the dhcpv6-service page.
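The M and O flags sit in the Router Advertisement header, and the A flag of each Prefix Information option decides whether clients form addresses on their own. The following added Python example (not from the original page) decodes a Router Advertisement and compares it with the chosen strategy; the byte string is a constructed sample for the department /64, not a capture, and the ICMPv6 checksum is not verified.

```python
import struct
import ipaddress

ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFORMATION = 3

# Constructed RA (ICMPv6 message from the type byte on, checksum left zero):
# hop limit 64, flags M=1 O=0, router lifetime 1800 s, then one Prefix
# Information option for 2001:878:200:2010::/64 with L=1 and A=0.
SAMPLE_RA = bytes.fromhex(
    "86000000" "40800708" "00000000" "00000000"
    "03044080" "00278d00" "00093a80" "00000000"
    "20010878020020100000000000000000")

def parse_router_advertisement(msg: bytes) -> dict:
    """Decode the RA header flags and any Prefix Information options."""
    if len(msg) < 16 or msg[0] != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _hop_limit, flags, lifetime = struct.unpack("!BBH", msg[4:8])
    ra = {"managed": bool(flags & 0x80),       # M: addresses via DHCPv6
          "other_config": bool(flags & 0x40),  # O: DNS etc. via DHCPv6
          "router_lifetime": lifetime, "prefixes": []}
    offset = 16
    while offset + 2 <= len(msg):
        opt_type, opt_len = msg[offset], msg[offset + 1]
        if opt_len == 0:
            raise ValueError("malformed option with zero length")
        opt = msg[offset:offset + 8 * opt_len]
        if opt_type == OPT_PREFIX_INFORMATION and len(opt) == 32:
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}",
                "on_link": bool(opt[3] & 0x80),
                "autonomous": bool(opt[3] & 0x40)})  # A: SLAAC permitted
        offset += 8 * opt_len
    return ra

def policy_warnings(ra: dict, require_managed: bool) -> list:
    """Point out RA settings that contradict the chosen address strategy."""
    warnings = []
    if require_managed and not ra["managed"]:
        warnings.append("M flag off: clients will not request addresses via DHCPv6")
    if not ra["managed"] and not ra["other_config"]:
        warnings.append("M and O flags off: clients will not learn DNS resolvers via DHCPv6")
    for p in ra["prefixes"]:
        if require_managed and p["autonomous"]:
            warnings.append(f"{p['prefix']} has A flag set: clients will form "
                            "SLAAC addresses outside DHCPv6 control")
    return warnings
```

An RA captured on the wire (for example with tcpdump) can be fed to parse_router_advertisement to confirm that the router really announces the flags your strategy expects.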
A DHCPv6 server on your local network is mandatory. At a minimum the DHCPv6 service has the following function:
- Inform DHCPv6 clients about the addresses of their local recursive DNS_resolvers.
Optionally, a number of other data may be offered by the DHCPv6 server, for example:
- Your own DNS domain name.
- DNS domain search list.
For further information read the dhcpv6-service page.
Even in the absence of Router_Advertisements, you can start the dhcpv6-service and test it. The DHCPv6 server will be listening on port 547 and offer DHCPv6 address leases to all IPv6-enabled clients. You should monitor the server's log to see if things are working correctly.
Client machines' IPv6 address setup should be monitored at this stage to make sure that the correct IPv6 addresses have been assigned by the DHCPv6 server. Any additional automatically formed IPv6 addresses (besides the required fe80:: Link_Local address) outside the scope of the DHCPv6 server should be investigated, as they may point to an incorrect configuration.
See the above section Manual IPv6 address testing. Further information is in the OS-specific subsections in IPv6_configuration for various operating systems (Windows, Linux) which we have tested.
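As an added example (not part of the original page), this Python script performs the check described above on the output of "ip -6 addr show" from a Linux client: every address is classified as link-local, as lying inside the DHCPv6 server's range, or as unexpected and worth investigating. The command output embedded here is a constructed sample, and the /64 is the department prefix used elsewhere on this page.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Constructed sample of `ip -6 addr show` output (not a real host): one
# DHCPv6 lease inside the department /64, one autoconfigured address from
# an unexpected prefix, and the link-local address every interface has.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:878:200:2010:1234::42/128 scope global dynamic
       valid_lft 86327sec preferred_lft 43127sec
    inet6 2001:db8:bad:1:21c:42ff:fe00:1/64 scope global dynamic mngtmpaddr
       valid_lft 2591997sec preferred_lft 604797sec
    inet6 fe80::21c:42ff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever
"""

def audit_addresses(ip_addr_output: str, dhcpv6_pool: str) -> list:
    """Classify each inet6 address as link-local, dhcpv6 or unexpected."""
    pool = ipaddress.IPv6Network(dhcpv6_pool)
    findings = []
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "inet6":
            continue
        addr = ipaddress.IPv6Interface(fields[1]).ip
        if addr.is_loopback:          # ::1 on lo is always present
            continue
        if addr in LINK_LOCAL:
            verdict = "link-local"    # fe80::/10, expected on every interface
        elif addr in pool:
            verdict = "dhcpv6"        # inside the DHCPv6 server's range
        else:
            verdict = "unexpected"    # formed from some other prefix
        findings.append((str(addr), verdict))
    return findings

def addresses_to_investigate(findings: list) -> list:
    """Return the addresses that fall outside the DHCPv6 server's scope."""
    return [addr for addr, verdict in findings if verdict == "unexpected"]

if __name__ == "__main__":
    result = audit_addresses(SAMPLE_IP_ADDR, "2001:878:200:2010::/64")
    for addr, verdict in result:
        print(f"{verdict:11} {addr}")
    print("investigate:", addresses_to_investigate(result))
```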
The following steps are required:
- Router firewall rules must be enabled at this stage! From an external network, try to access any internal IPv6 hosts to make sure your firewall is working correctly!
- Open your router for IPv6 traffic flowing between your local network and the Internet.
Now comes the final turning point where IPv6 will be activated on all IPv6-enabled hosts on your network:
- You must be very careful that all of the above prerequisites have been successfully configured and tested before proceeding!
The continued IPv6 deployment strategy is now:
- Configure IPv6 manually or through DHCPv6 on the servers and other hosts which you want to provide services via IPv6.
- Check the IPv6 firewall rules in the hosts offering services (for example, a web-server must permit access to ports 80 and 443).
- Test access to the host's services through its IPv6 address (for example, 2001:878:200:2010::6).
- When the service is working correctly, add an AAAA DNS record to the pre-existing IPv4 A record. Do not forget to add also reverse DNS records as described above!
At this point client machines will become aware of the server's IPv6 address by means of its AAAA DNS record. Most operating systems will preferentially use IPv6, and only if this fails attempt communication by IPv4 (after some timeout period).