IPv6 Network Design and Establishing Contiguous End-to-End Reachability
Scott Hogg
Beginning the IPv6 Network Design
Many organizations are just now starting to plan their IPv6 deployments. Whether they delayed their IPv6 plans intentionally or unintentionally, that delay may have compressed their IPv6 deployment timeline. Regardless, now is the time to start getting serious about IPv6 planning.
Some enterprises may be wondering about the best recommendations for how to start their IPv6 journey. A comprehensive IPv6 plan typically starts with an IPv6 business case and getting teams trained on IPv6. The next steps should be to create a high-level IPv6 design and document the network routing design. These two activities are the focus of this article.
High-Level Design
One of the first steps an enterprise takes is to create a high-level design for the IPv6 deployment. This design is based on the business case and prioritizes IPv6 deployment on the networks, systems, and applications that derive the most benefit from IPv6. The high-level design takes into consideration the current high-level network architecture and design and how the environment is connected.
When searching the Internet for IPv6 deployment advice, some might encounter decades-old information about tunneling IPv6 packets within IPv4 packets. The advice from nearly 20 years ago was “Dual stack where you can; tunnel where you must”. Now that static tunnels and dynamic tunneling approaches (such as 6to4, Teredo, and ISATAP) are nearly extinct, the dominant transition method is to employ dual-stack. Dual-stack means running IPv4 and IPv6 in parallel on the network and on computers side-by-side and allowing either protocol to function.
The high-level design creates an initial order of environments that will be IPv6-enabled. IPv6 deployment typically begins at the Internet perimeter and then progresses inward across the internal network. Then locations such as offices, data centers, remote sites, access networks and the like are IPv6-enabled.
Internet Edge IPv6 Deployment Model
Since IPv6 is an Internet Protocol and much of the Internet already uses IPv6, the Internet perimeter is the logical place to begin IPv6 enablement. The enterprise Internet edge is the logical area to focus initial IPv6 efforts. That is where organizations have Internet connectivity, authoritative DNS servers, E-mail systems, and Internet-facing applications. Organizations must IPv6-enable the Internet edge before they deploy IPv6 further into their internal backbone network.
This same good advice for enterprises approaching an IPv6 project has been documented and widely shared. For example, IETF RFC 7381 “Enterprise IPv6 Deployment Guidelines” is very common guidance for enterprises to start with a “Preparation and Assessment Phase”. IETF RFC 7381 provides guidance for enterprises, and Sections 3 and 4 cover deployment. The general guidance is to start with the “External Phase” and then move to the “Internal Phase”. This is clear by looking at the table of contents of this RFC.
Establishing Contiguous End-to-End Network Reachability
IPv6, just like its predecessor IPv4, is a routed protocol. This means that IPv6 connectivity must be deployed contiguously so it can grow one layer-3 hop at a time. This is a key IPv6 network design and deployment principle that guides how IPv6 implementation will proceed.
Another fun way to think about this is to draw the analogy between IPv6 deployment and something that sweeps over the landscape. You might recall the movie “The Blob” from 1958 with Steve McQueen. In the movie this fictional gelatinous mass consumes objects and people in its path. Back then this was a horror movie, but today, this is comical.
Take, for example, this extremely high-level and idealized picture of a typical enterprise network topology. It has an Internet perimeter with public-facing applications. It has a core network, a legacy on-premises data center, offices, and an intranet WAN connecting remote sites. Of course, modern enterprises have cloud environments and may have a Software-Defined WAN (SD-WAN) topology instead of this older architecture. However, for describing this concept, this diagram will suffice.
IPv6 deployment (the blue blob) starts on the Internet edge routers northbound toward the ISP(s). A larger enterprise could use the BGP routing protocol to advertise their Provider Independent (PI) global unicast IPv6 address prefix that they obtained from their friendly neighborhood Regional Internet Registry (RIR). The enterprise configures IPv6 on those routers and establishes IPv6 Internet reachability. The blue blob is coming our way. Watch Out!
The next step is to enable IPv6 inward on the perimeter security systems and on the network segments hosting public-facing applications. In this illustration we show IPv6 enablement of web servers, E-mail servers, and of course DNS servers. It is often recommended that organizations dual-stack their DNS servers early in the process.
Now at this point there is full contiguous IPv6 Internet reachability to and from the security perimeter demilitarized zone (DMZ). The blue blob has now consumed that part of the network topology and it is headed toward the rest of the enterprise. Oh My!
The next step in the establishment of contiguous IPv6 network reachability is to enable IPv6 across the core backbone network and toward the data center networks. This creates IPv6 connectivity for the shared services applications in the data center prior to configuring static IPv6 addresses on those servers. Shared services like DNS, DHCPv6, authentication, Single Sign-On (SSO), certificate authorities (CAs), IT management and monitoring, cybersecurity protection measures, patch management, and many other functions will need to be configured with IPv6 before enabling IPv6 deeper into the topology.
Once the shared services are IPv6-enabled, IPv6 connectivity can be configured one layer-3 hop at a time outward to end-user access networks and to remote sites across the WAN (or SD-WAN). At this point the IPv6 blob has fully engulfed the entire enterprise network topology. Now that wasn’t so scary, was it?
Network Routing Design
The current network topology will be in scope for IPv6 implementation. Once the high-level design is documented, the network routing design will be developed. This determines how IPv6 addressing and reachability will be facilitated using dynamic routing protocols. The organization’s current use of BGP, OSPF, IS-IS, EIGRP, RIP, and static routing will be considered in the routing design. It is common to run IPv6 dynamic routing with the same routing protocols the organization already uses for its IPv4 network reachability. The plan is to maintain contiguous routed IPv6 network connectivity as IPv6 deployment proceeds across the network infrastructure.
Moving Toward IPv6-Only
Enterprise organizations also need to make a design decision regarding when to use dual-stack versus IPv6-only. Most enterprises start by adding IPv6 to their existing Internet perimeter systems and then bringing IPv6 inward across the core. IPv6-enabling shared services in data center networks is the next logical step. This lays the dual-protocol groundwork for enabling IPv6 on end-user access networks or further into the data center. Once end-to-end IPv6 connectivity exists, then IPv6-only networks can be constructed.
Establishing IPv6 connectivity across the enterprise is a dependency before work can be done to remove IPv4 from various environments. Organizations can begin to move to IPv6-only once there is end-to-end IPv6 network connectivity and the required shared services are reachable over IPv6 transport. Unfortunately, organizations can’t remove IPv4 network connectivity while applications and systems still have IPv4 dependencies. As products and software are updated, these IPv4 dependencies will vanish and lead to more IPv6-only application environments.
In this final phase of the IPv6 transition, organizations are following the design principle of “IPv6-Only Where You Can, Dual-Stack Where You Must”.
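The two design rules above (grow IPv6 one layer-3 hop at a time outward from the Internet edge, and go IPv6-only on a segment only once its shared services are reachable over IPv6) can be checked mechanically against a deployment plan. The following is an added example, not code from the article: it models a constructed topology shaped like the idealized enterprise described earlier, finds the contiguous IPv6 region, flags IPv6-enabled islands with no IPv6 path to the Internet, and tests whether a segment is ready to drop IPv4. The segment names, adjacencies and service placements are assumptions.

```python
from collections import deque

# Constructed sample topology (not from the article) following its idealized
# enterprise: Internet edge, DMZ, core, data center, access and WAN sites.
# Each key is a layer-3 segment or router; the value lists its adjacent hops.
TOPOLOGY = {
    "internet": ["edge-router"],
    "edge-router": ["internet", "dmz-firewall"],
    "dmz-firewall": ["edge-router", "dmz", "core"],
    "dmz": ["dmz-firewall"],
    "core": ["dmz-firewall", "datacenter", "access", "wan"],
    "datacenter": ["core"],
    "access": ["core"],
    "wan": ["core", "remote-site"],
    "remote-site": ["wan"],
}

# Assumed placement of the shared services an IPv6-only segment depends on.
SHARED_SERVICES = {"dns": "dmz", "dhcpv6": "datacenter", "sso": "datacenter"}


def ipv6_reachable(topology, enabled, start="internet"):
    """Hops reachable from `start` crossing only IPv6-enabled hops: the
    contiguous IPv6 region ("the blob") grown one layer-3 hop at a time."""
    if start not in enabled:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        hop = queue.popleft()
        for nxt in topology.get(hop, []):
            if nxt in enabled and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def ipv6_islands(topology, enabled):
    """IPv6-enabled hops with no contiguous IPv6 path back to the Internet."""
    return set(enabled) - ipv6_reachable(topology, enabled)


def ipv6_only_ready(topology, enabled, segment, services=SHARED_SERVICES):
    """A segment may drop IPv4 only when it and every shared service it
    depends on sit inside the contiguous IPv6 region. Returns (ok, missing)."""
    reachable = ipv6_reachable(topology, enabled)
    missing = sorted(s for s, host in services.items() if host not in reachable)
    return segment in reachable and not missing, missing


if __name__ == "__main__":
    # Plan state: edge and DMZ done, plus a premature remote-site enablement.
    enabled = {"internet", "edge-router", "dmz-firewall", "dmz", "remote-site"}
    print("islands:", ipv6_islands(TOPOLOGY, enabled))  # {'remote-site'}
    print(ipv6_only_ready(TOPOLOGY, enabled, "dmz"))  # (False, ['dhcpv6', 'sso'])
```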
Other Information on IPv6
Hogg Networking provides other information on IPv6. This information can be accessed via the website. If you need additional information on IPv6, then please contact me (info@hoggnet.com) and I’ll share it with you.