IPv6 deployment at the departmental level

Introduction

This document presents a strategy for deploying an IPv6 network alongside a pre-existing IPv4 departmental network. While this strategy has been tested only at a departmental network at our university, the hope is that it's applicable to any similar type of local area network.

We try to give a step-by-step procedure from no IPv6 at all to a fully functional IPv6 network alongside the preexisting IPv4 network.

Our network topology is simple: the department has a single flat Ethernet network. Connectivity to the university backbone network and the Internet is provided by the university network services, who employ Cisco routers for the networking infrastructure.

Many technical details of IPv6 network protocols have been described in the accompanying page IPv6_configuration. To learn about IPv6 in general you should first consult that page. In particular, you need to understand the new 128-bit IPv6_addressing.

The IPv6 deployment steps are presented below and may be summarized as:

  • Allocate your IPv6 address range.
  • Design IPv6 firewall rules.
  • Manually configure IPv6 on two or more hosts for testing.
  • In your DNS server configure IPv6 AAAA records for the testing hosts.
  • Define your DHCPv6 address allocation strategy.
  • Configure a DHCPv6 server on your network.
  • Enable Router_Advertisements.

At this point the IPv6 deployment has been completed.

Documentation for DTU departmental network administrators

As a prerequisite to the deployment process described below, the IT-forum group's file-sharing area on Campusnet contains IPv6 deployment documents written by Hugo Connery which provide much more technical detail, in particular defining the allocation of IPv6 addresses and the security considerations within a department. DTU's standard IPv6 firewall rules will probably be all you need to begin with.

Define your IPv6 addressing standard

You must consult your upstream/central networking people to obtain an IPv6 "subnet". Usually a /64 (64 bits out of 128) subnet is allocated to the departmental level, for example:

2001:0878:0200::/48       (university level)
2001:0878:0200:xxxx::/64  (department level)

Note that an IPv6 address consists of exactly 8 quartets (groups of 4 hexadecimal digits) separated by : characters. The notation :: stands for one or more consecutive quartets containing only zeroes and can be used only once in an address. Read more about IPv6_addressing.

This document assumes that you have chosen appropriate addresses for any fixed-address host in the form:

2001:0878:0200:xxxx:yyyy::zzzz

where xxxx, yyyy, and zzzz take specific values for each host on your network. Note how :: means one or more quartets containing zeroes.

Firewall standards

Your network people must configure firewall rules to protect your IPv6 network. At DTU we have defined standard firewall rules as described in the above mentioned Campusnet documentation (see the document DTU IPv6 Addressing Standard).

The main purpose is to expose only your designated servers (for example, web and mail servers) to the Internet, whereas PCs, printers, etc. should be fully shielded against access from the outside Internet.

At this stage the firewall rules should be planned, but since no IPv6 traffic is permitted yet, applying them belongs to a later stage.

Manual IPv6 address testing

You want to familiarize yourself with manually configuring IPv6 on (at least) two hosts on your network. See IPv6_configuration for some examples of how to configure IPv6 on various types of operating systems.

You should select computers which do not provide any kind of services, for example, some PCs. Select addresses such as 2001:0878:0200:xxxx:yyyy::zzzz with different values for zzzz for each host.

First make sure that your testing hosts have IPv6 enabled in the OS: They should already have Link_Local addresses (network fe80::/10, see IPv6_addressing) which are non-routable, i.e., confined to your local network. Check the status of the network interfaces:

ifconfig -a    (Linux)
ipconfig /all  (Windows)

For any pairs of hosts, try to ping from one IPv6 address to the other:

hostA> ping 2001:0878:0200:xxxx:yyyy::zzzz  (hostB)

On Linux you must use the ping6 command instead. Make sure the host firewall permits IPv6 communication.

Domain Name Service (DNS) setup

The next step is to define IPv6 addresses in your authoritative DNS server. At DTU this may either be a DNS server controlled by the department, or a central DNS server (in which case you must contact the DTU networking people). The DNS server software must not be too ancient, otherwise IPv6 may be poorly implemented.

If you have two hosts, hostA and hostB, with manual IPv6 configuration, add IPv6 AAAA records (pronounced quad A) in DNS for the testing hosts alongside the current IPv4 A records.

For example, the host ns1.fysik.dtu.dk has been configured with these A and AAAA DNS records:

ns1 IN A    130.225.86.6
    IN AAAA 2001:878:200:2010::6

Test your DNS setup by pinging the DNS host names:

hostA> ping hostB

On Linux use ping6.

Reverse-DNS IPv6 setup

You will certainly want IPv6 Reverse_DNS_lookup for your servers, and this requires additional configuration of your DNS server. It is a bit more involved than the simple forward DNS lookups.

Whereas IPv4 uses the special DNS domain in-addr.arpa. for reverse DNS, IPv6 uses the special domain ip6.arpa. As with IPv4, you also need to contact your upstream (university) network administrator to delegate authority of your reverse-DNS domain to your DNS server.

For example, reverse DNS for the network 2001:878:200:2010::/64 must be delegated to this DNS domain:

0.1.0.2.0.0.2.0.8.7.8.0.1.0.0.2.ip6.arpa.

where the order of the hexadecimal characters has been reversed and . characters separate the hexadecimal digits (read this from right to left).

Sample configurations for the ISC BIND DNS server are shown in http://www.zytrax.com/books/dns/ch3/#ipv6

Your DNS server must serve reverse DNS lookups for your ip6.arpa subdomain. An example reverse DNS record for the domain 0.1.0.2.0.0.2.0.8.7.8.0.1.0.0.2.ip6.arpa. may be configured in an ISC BIND DNS server like:

; Server machines 2001:878:200:2010:0:0:0:x
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.2.0.0.2.0.8.7.8.0.1.0.0.2.ip6.arpa.
6.0.0.0 PTR     ns1.fysik.dtu.dk.
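The nibble reversal described above is easy to get wrong by hand, so here is an added example (not from the original page) that derives the ip6.arpa zone to be delegated and generates matching AAAA and PTR records for a list of hosts. The host inventory is constructed from the page's ns1 record; the $ORIGIN prefix 2001:878:200:2010::/112 is chosen so that the output reproduces the zone fragment shown above.

```python
import ipaddress

# Constructed inventory for the example; the address is the page's ns1 record.
HOSTS = {"ns1.fysik.dtu.dk.": "2001:878:200:2010::6"}

def _nibbles_reversed(addr):
    """The 32 hex nibbles of addr, least significant first (ip6.arpa order)."""
    return list(addr.exploded.replace(":", ""))[::-1]

def reverse_zone(prefix):
    """ip6.arpa zone name to be delegated for a nibble-aligned prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegation needs a prefix length divisible by 4")
    labels = _nibbles_reversed(net.network_address)[32 - net.prefixlen // 4:]
    return ".".join(labels) + ".ip6.arpa."

def ptr_owner(address, origin_prefix):
    """PTR owner name relative to $ORIGIN reverse_zone(origin_prefix)."""
    addr, net = ipaddress.IPv6Address(address), ipaddress.IPv6Network(origin_prefix)
    if addr not in net:
        raise ValueError(f"{addr} lies outside {net}")
    return ".".join(_nibbles_reversed(addr)[: 32 - net.prefixlen // 4])

def zone_records(dept_prefix, hosts, origin_prefix=None):
    """Return (forward AAAA lines, reverse PTR lines) for hosts in dept_prefix."""
    origin_prefix = origin_prefix or dept_prefix
    dept = ipaddress.IPv6Network(dept_prefix)
    forward, reverse = [], [f"$ORIGIN {reverse_zone(origin_prefix)}"]
    for fqdn, text in hosts.items():
        addr = ipaddress.IPv6Address(text)
        if addr not in dept:
            raise ValueError(f"{addr} is not in the department prefix {dept}")
        # Forward record uses the host label only, as in the page's zone file.
        forward.append(f"{fqdn.split('.')[0]} IN AAAA {addr.compressed}")
        reverse.append(f"{ptr_owner(text, origin_prefix)} PTR {fqdn}")
    return forward, reverse

if __name__ == "__main__":
    # $ORIGIN at /112 reproduces the page's reverse zone fragment exactly.
    fwd, rev = zone_records("2001:878:200:2010::/64", HOSTS, "2001:878:200:2010::/112")
    print("\n".join(fwd + rev))
```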

Strategies for DHCPv6 address allocations

At this stage strategic choices must be made about client authorization and address selection according to your organization's IT security policies.

The Router_Advertisement_flags determine how hosts on your local network will configure their IPv6 addresses:

  • RA flag M=off: Clients are unmanaged and will form IPv6 addresses automatically on their own.
  • RA flag M=on: Clients are managed and must request their IPv6 addresses from the local DHCPv6 server.

The managed strategy may be required by your organization's IT security policy because it enables the following features:

  • Only authorized clients will receive a routable IPv6 address.
  • Unknown clients may be configured to use a local, unroutable IPv6 address space.
  • Ability to track clients whose network traffic violates your IT security policy.

The unmanaged strategy does not provide the IT security features listed above. This may be acceptable in a public area network, for example.

For further information read the dhcpv6-service page.

Setting up a DHCPv6 server

Your local network must have a DHCPv6 server. At a minimum the DHCPv6 service has the following function:

  • Inform DHCPv6 clients about the addresses of their local recursive DNS_resolvers.

Optionally, other information may be offered by the DHCPv6 server, for example:

  • Your own DNS domain name.
  • DNS domain search list.

For further information read the dhcpv6-service page.

Testing the DHCPv6 service

Even in the absence of Router_Advertisements, you can start the dhcpv6-service and test it. The DHCPv6 server will be listening on port 547 and offer DHCPv6 address leases to all IPv6-enabled clients. You should monitor the server's log to see if things are working correctly.

The client machines' IPv6 address setup should be monitored at this stage to make sure the correct IPv6 addresses have been assigned by the DHCPv6 server. Any additional automatically formed IPv6 addresses (besides the required fe80:: Link_Local addresses) outside the scope of the DHCPv6 server should be investigated, as they may point to an incorrect configuration.

See the above section Manual IPv6 address testing. Further information is in the OS-specific subsections in IPv6_configuration for various operating systems (Windows, Linux) which we have tested.
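An added check (not part of the original page) for the monitoring step above, written for the managed strategy (RA flag M=on): it parses a constructed "ip -6 addr show" listing from a Linux test host and flags every address that is neither link-local nor a lease from the DHCPv6 pool. The pool range 2001:878:200:2010::1000/116 and the interface identifiers are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample of "ip -6 addr show" output on a Linux test host
# (hypothetical interface IDs; the /64 is the page's department prefix).
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:878:200:2010::1042/128 scope global dynamic noprefixroute
       valid_lft 3599sec preferred_lft 3599sec
    inet6 2001:878:200:2010:1c3a:9ab2:77f0:2d1e/64 scope global temporary dynamic
    inet6 2001:db8:ffff:1::7/64 scope global
    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""

DEPARTMENT_PREFIX = ipaddress.IPv6Network("2001:878:200:2010::/64")
# Assumed DHCPv6 lease range for this example: ::1000 up to ::1fff.
DHCPV6_POOL = ipaddress.IPv6Network("2001:878:200:2010::1000/116")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Matches the "inet6 ADDRESS/PREFIXLEN scope SCOPE ..." lines of ip(8).
INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-f:]+)/(\d+)\s+scope\s+(\w+)", re.I | re.M)

def classify(addr_text):
    """Return a verdict for one configured IPv6 address."""
    addr = ipaddress.IPv6Address(addr_text)
    if addr in LINK_LOCAL:
        return "ok: link-local"
    if addr in DHCPV6_POOL:
        return "ok: DHCPv6 lease"
    if addr in DEPARTMENT_PREFIX:
        # In the department /64 but not leased: SLAAC formed it, so check the
        # RA prefix option and its A flag (see the Router Advertisements section).
        return "investigate: autoconfigured address outside DHCPv6 scope"
    # Not even in our /64: find out which router advertises this prefix.
    return "investigate: address in unexpected prefix"

def audit(ip6_addr_output):
    """Map every inet6 address found in the output to its verdict."""
    return {m.group(1): classify(m.group(1)) for m in INET6_RE.finditer(ip6_addr_output)}

if __name__ == "__main__":
    for address, verdict in audit(SAMPLE_IP6_ADDR).items():
        print(f"{address:45} {verdict}")
```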

Enabling IPv6: Router Advertisements

Hosts on your network will not configure routable IPv6 addresses until Router_Advertisements (RA) are being sent on the Link_Local (see IPv6_addressing) IPv6 local network.

The following steps are required:

  1. Router firewall rules must be enabled at this stage! From an external network, try to access some internal IPv6 hosts to make sure your firewall is working correctly!
  2. Open your router for IPv6 traffic flowing between your local network and the Internet.
  3. Now comes the final turning point, where IPv6 will be activated on all IPv6-enabled hosts on your network. Be very careful that all of the above prerequisites have been successfully configured and tested before proceeding!
  4. Router_Advertisements must be configured differently depending on your DHCPv6 addressing standard:

    • Auto-configured unmanaged IPv6 addresses: The RA prefix length must be included in the RAs.
    • DHCPv6 managed addresses: The RA prefix length must not be included in the RAs or, alternatively, the Router_Advertisement_flags field "A" (Address Configuration Flag) must be set to off.

Testing IPv6

Test IPv6 connectivity from inside your network to external IPv6 hosts. For example:

ping www.google.com

On Linux use ping6.

At this stage IPv6 is fully functional in your network.

Using DNS to define servers and hosts accessible by IPv6

No internal servers or hosts are offering IPv6 services at this stage because you haven't yet configured their IPv6 addresses in DNS (except possibly for the above mentioned testing hosts)!

The continued IPv6 deployment strategy is now:

  • Configure IPv6 manually or through DHCPv6 on the servers and other hosts which you want to provide services via IPv6.
  • Check the IPv6 firewall rules in the hosts offering services (for example, a web-server must permit access to ports 80 and 443).
  • Test access to the host's services through its IPv6 address (for example, 2001:878:200:2010::6).
  • When the service is working correctly, add an AAAA DNS record to the pre-existing IPv4 A record. Do not forget to add also reverse DNS records as described above!

At this point client machines will become aware of the server's IPv6 address by means of its AAAA DNS record. Most operating systems will preferentially use IPv6, and only if this fails attempt communication by IPv4 (after some timeout period).

Of course, clients may not yet be configured to use IPv6 at this stage. Therefore you must continue to provide services to both IPv4 and IPv6 clients!

You can now use DNS AAAA records to control client usage of IPv6 in a normal mode of operations, just as you have done in the past using IPv4.

IT-wiki: IPv6_deployment (last edited 2016-02-16 13:31:51 by OleHolmNielsen)