ATT IPV6 Migration Guide R1 February 2012.pdf - The Cisco ...
ATT IPV6 Migration Guide R1 February 2012.pdf - The Cisco ...
ATT IPV6 Migration Guide R1 February 2012.pdf - The Cisco ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
AT&T<br />
IPv6<br />
<strong>Migration</strong> <strong>Guide</strong><br />
Release 1.0<br />
<strong>February</strong> 29, 2012<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 1<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
Technical Assistance<br />
This is an AT&T proprietary document developed for use by AT&T customers. For additional technical<br />
assistance contact your AT&T sales team. (This document was prepared by AT&T Solution Center—<br />
Network Design and Consulting Division.)<br />
Legal Disclaimer<br />
This document does not constitute a contract between AT&T and a customer and may be withdrawn or<br />
changed by AT&T at any time without notice. Any contractual relationship between AT&T and a<br />
customer is contingent upon AT&T and a customer entering into a written agreement signed by<br />
authorized representatives of both parties and which sets forth the applicable prices, terms and<br />
conditions relating to specified AT&T products and services, and/or, to the extent required by law, AT&T<br />
filing a tariff with federal and/or state regulatory agencies and such tariff becoming effective. Such<br />
contract and/or tariff, as applicable, will be the sole agreement between the parties and will supersede all<br />
prior agreements, proposals, representations, statements or understandings, whether written or oral,<br />
between the parties relating to the subject matter of such contract and/or tariff.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 2<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
Table of Contents<br />
1 Introduction ............................................................................................................................................ 5<br />
2 <strong>Migration</strong> Scenarios Overview ............................................................................................................... 6<br />
2.1 End-User Connections .................................................................................................................. 6<br />
2.2 Internet Content ............................................................................................................................ 7<br />
2.3 Remote Access ............................................................................................................................. 7<br />
2.4 Mobility ........................................................................................................................................ 7<br />
2.5 Corporate Internet Access............................................................................................................. 8<br />
3 IPv6 Strategy ........................................................................................................................................ 10<br />
3.1 IPv6 Addressing ......................................................................................................................... 10<br />
3.2 Planning ...................................................................................................................................... 12<br />
3.2.1 Assess Corporate Network Requirements ........................................................................ 12<br />
3.2.2 Provider Assigned or Provider Independent Addresses .................................................... 13<br />
3.2.3 Develop an Addressing Strategy ....................................................................................... 14<br />
3.3 Implementation ........................................................................................................................... 15<br />
3.4 Multi-Homing ............................................................................................................................. 16<br />
3.4.1 Single Carrier Multi-homing............................................................................................. 17<br />
3.4.2 Multi-Carrier Multi-homing.............................................................................................. 17<br />
3.4.3 Multi-Region Multi-homing ............................................................................................. 17<br />
4 Establish IPv6 Enabled Connectivity ................................................................................................... 19<br />
5 Access Router Configuration ............................................................................................................... 20<br />
5.1 BGP ............................................................................................................................................ 20<br />
5.2 Static ........................................................................................................................................... 21<br />
5.3 Access-List Formats ................................................................................................................... 22<br />
6 Security ................................................................................................................................................. 24<br />
6.1 Perimeter Security (Firewall) ..................................................................................................... 24<br />
6.1.1 Traffic Filters .................................................................................................................... 25<br />
6.1.2 Proxy and Translation ....................................................................................................... 26<br />
6.2 Internal Security ......................................................................................................................... 27<br />
6.2.1 Router Solicitation and Router Advertisement ................................................................. 27<br />
6.2.2 Automatic Tunneling ........................................................................................................ 27<br />
6.3 Candidate Best Practices............................................................................................................. 28<br />
7 Servers/Endpoints ................................................................................................................................. 29<br />
8 Domain Name System (DNS) .............................................................................................................. 31<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 3<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
9 Testing/Verification .............................................................................................................................. 35<br />
10 Conclusion ............................................................................................................................................ 36<br />
Appendix A ................................................................................................................................................. 37<br />
A-1 Establishing a Teredo Tunnel ........................................................................................................ 37<br />
A-2 IPv6 Address Example .................................................................................................................. 38<br />
A-3 Frequently Asked Questions: ........................................................................................................ 39<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 4<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
1 Introduction<br />
<strong>The</strong> purpose of this document is to provide guidance for customers adopting IPv6 into existing network<br />
environments. <strong>The</strong> information provided assumes an existing network environment based on IPv4 with<br />
the goal of adding IPv6 capabilities into the existing infrastructure to create what is referred to as “dualstack”.<br />
<strong>The</strong>re are a number of potential network environments that might need to adopt IPv6 (as outlined in<br />
<strong>Migration</strong> Scenarios Overview). <strong>The</strong> initial focus of this document is to address the public facing<br />
corporate infrastructure (i.e. web, mail, public application servers, etc). <strong>The</strong> secondary focus of this guide<br />
will be for migration of internal corporate networks. Future releases of this document will continue the<br />
process into the back-end for migration of corporate intranet applications and the private Wide Area<br />
Network (WAN).<br />
As IPv4 address space is exhausted, end-user services will be provided via IPv6. Most of these services<br />
will initially be structured to maintain connectivity to the IPv4 Internet via various transition mechanisms.<br />
As this process proceeds, an increasingly larger portion of the end-user population will have IPv6<br />
capabilities. For DMZs of corporate networks, this trend will drive the need to have public facing content<br />
reachable through IPv6 as well as the current IPv4.<br />
<strong>The</strong> broad use of private (RFC 1918) addressing in corporate networks helps lessen the urgency of IPv6<br />
migration for the ‘internal’ corporate network. For a limited base of internal users, IPv6 requirements can<br />
be addressed through transition mechanisms.<br />
IPv6 technology adoption is a moving target. This guide provides current best practices and<br />
recommendations. In addition, there are some areas highlighted where there may still be open technical<br />
issues, or best practices are still evolving. An initial focus on the public facing corporate infrastructure<br />
allows the organization to begin adopting the technology in a limited fashion. This provides a means for<br />
developing experience with IPv6 technology and addressing the more immediate emerging needs, while<br />
minimizing the technical risks associated with early adoption. As the technology matures and technical<br />
issues are resolved, broader based adoption can be pursued.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 5<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
2 <strong>Migration</strong> Scenarios Overview<br />
This section outlines some of the primary areas that might be faced during IPv6 adoption in the near<br />
future. <strong>The</strong> current release of this document focuses on Corporate Internet Access along with some initial<br />
guidance and open issues on Corporate Intranet Access.<br />
Corporations typically deploy one or more Internet access facilities to support the enterprise. <strong>The</strong><br />
facilities are used to provide employees access to web-based content and applications, as well as to<br />
support Internet facing corporate resources such as web content, email servers, extranet applications, and<br />
remote user (e.g. IPSec) access. Additionally, DMZ based DNS servers, load balancers, and security<br />
appliances are common to this environment.<br />
<strong>The</strong> initial drivers for IPv6 deployment are most apparent in the consumer end-user space. IPv4 address<br />
exhaustion is prompting service providers to leverage IPv6 in consumer-based offers. Businesses with<br />
online consumer business models (search, social, retailing, gaming, etc) will need to add IPv6 to support<br />
Internet-based access to a migrating consumer customer base.<br />
For these enterprise networks, the initial IPv6 focus should be on external facing resources. An initial<br />
focus on web content, extranet apps, etc, allows the enterprise to gain experience and presence in the IPv6<br />
space. <strong>The</strong> technical issues for this level of migration are much less challenging and the reduced scope<br />
greatly reduces the negative implications if the approach needs to be modified as the technology matures.<br />
Most non-web centric enterprises make extensive use of private addressing and IPv4 NAT for internal<br />
resources and intranet connectivity. This greatly lessens the concern associated with IPv4 exhaustion for<br />
enterprise networks. Overall, this is a good thing because there are some unique technical challenges for<br />
migration of enterprise networks. If IPv6 deployment is required, there are a number of potential<br />
solutions; however this is still a very fluid area for IPv6 technology. For most enterprises, full migration<br />
to IPv6 throughout the enterprise is best deferred until best practices are more fully developed and<br />
accepted.<br />
<strong>The</strong> following paragraphs provide a brief context for some of the non-enterprise IPv6 adoption issues<br />
along with our description of a specific enterprise migration scenario as defined in the remainder of this<br />
guide.<br />
2.1 End-User Connections<br />
End-user refers to the consumer broadband Internet market, typically homes served by broadband (U-<br />
Verse, DSL, cable, etc). This segment of the market is the most active area in the adoption of IPv6.<br />
Adoption in this space is being driven largely by public IPv4 address exhaustion. While most active, this<br />
space is the least technically savvy. <strong>The</strong>re are a number of approaches being explored in the end-user<br />
access space.<br />
Many of these approaches involve assigning an IPv6 address to the customer’s connection while<br />
maintaining their existing in-house networks as-is (e.g. 192.168.x.x). This minimizes the impact on<br />
customers while allowing the service provider to provision new customers using IPv6 rather than IPv4.<br />
<strong>The</strong>se tunneling/gateway approaches are viewed as transitional, with a more comprehensive migration to<br />
follow. Movement toward dual-stack (IPv4 and IPv6) models allows connectivity to both domains.<br />
<strong>The</strong>se will typically attempt to use IPv6 as the first choice and fall back to IPv4 for resources that are not<br />
available via IPv6. This approach will facilitate the gradual phasing out of IPv4 content and connectivity.<br />
For the enterprise network architect, it is important to understand the movement in this space as it will be<br />
the predominant driver for the migration to IPv6. However, the approaches and technologies are largely a<br />
service provider issue and out of scope for this guide. One notable exception is for corporate remote<br />
access solutions. Enterprise architects should be aware of residential consumer deployments in planning<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 6<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
and deploying remote access solutions for IPv6. This will be addressed more fully in subsequent releases<br />
of this document.<br />
2.2 Internet Content<br />
Internet content refers to the market segment with business models based primarily on providing Internetbased<br />
content and services. <strong>The</strong> initial migration guidance provided for enterprise migration is<br />
conceptually applicable to these environments, but the scale and diversity of technologies present<br />
additional layers of complexity well beyond the intent of this guide.<br />
To effectively serve their online consumer customer base, Internet content providers will likely be early<br />
adopters of IPv6 technology. It will be considered a competitive necessity to provide both IPv4 and IPv6<br />
access to commercial content and services. <strong>The</strong>se industries have unique challenges relative to content<br />
availability, distributed content, back-end systems, load distribution, etc. that are unique to the industry<br />
and often a key aspect of the company’s value proposition. <strong>The</strong>se businesses, together with Internet<br />
Service Providers and equipment vendors, represent the vanguard of IPv6 technology development. As<br />
mentioned, the complexity of these environments is well beyond the intended scope of this guide.<br />
By the same token, these businesses also have internal enterprise networks that face the same technology<br />
and migration challenges outlined in this guide. For the internal corporate network, this guide has some<br />
applicability for these businesses. An important caveat is that the urgency for providing IPv6 access to the<br />
internal user base may be somewhat higher due to the Internet centric nature of the business.<br />
2.3 Remote Access<br />
Remote access refers to the set of approaches that allow external users to access the corporate network,<br />
generally leveraging Internet connectivity at both the remote and the corporate site. <strong>The</strong>se capabilities<br />
may be leveraged by ‘work at home’ employees, travelling/mobile employees, and business partners.<br />
<strong>The</strong>re are many technologies and solutions currently in use for remote access. Some of the unique<br />
features of IPv6 are likely to expand the options in this space. As endpoints served by consumer services<br />
migrate to IPv6 capabilities, enterprises will need to re-evaluate and adapt their remote access<br />
mechanisms.<br />
<strong>The</strong> current version of this guide does not address Remote Access. Existing IPv4 mechanisms should<br />
continue to serve until native IPv6-only connectivity starts emerging as the norm. <strong>The</strong> guide will be<br />
amended as IPv6 Remote Access technologies are deployed and mature.<br />
2.4 Mobility<br />
Mobile cellular wireless technologies and applications are a high growth field. <strong>The</strong> mobility space is also<br />
fertile ground for “green field” or totally new kinds of network usage. Package tracking, smart grid<br />
meters, truck and rail car geo location, are just a few examples where huge numbers of endpoints need to<br />
be addressed. This would imply that mobile wireless growth should lead the way in IPv6 deployment.<br />
But cellular wireless networks are intimately tied to their end devices’ capabilities and configurations.<br />
Both networks and devices must evolve and deploy capabilities in coordination with each other. This<br />
tight coupling is largely due to the added cost of wireless spectrum and billing plans that feature usage<br />
charges and subscriptions based on types of services needed. End user devices that presume to use IPv6<br />
networking must be tested, approved, and be able to register for prearranged services. This creates a<br />
catch-22. Devices can’t support IPv6 until the network allows it, and the network development effort is<br />
complicated by huge demand for new capabilities, including VoIP, at a scale well beyond initial<br />
expectations. For now, it is expected that IPv6 cellular wireless ubiquity will lag behind wireline<br />
deployment.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 7<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
2.5 Corporate Internet Access<br />
<strong>The</strong> figure below depicts a typical (simple) enterprise network. A firewall provides security functions<br />
with appropriate policies for a DMZ and the corporate Intranet. <strong>The</strong> DMZ contains a set of external<br />
resources such as the corporate web site and external email. <strong>The</strong> Enterprise consists of corporate<br />
employees/users, internal servers/applications and the LAN/WAN infrastructure for the corporation.<br />
Enterprise<br />
Network<br />
(LAN/WAN)<br />
Public Content<br />
-Web<br />
- Email<br />
- Etc<br />
Figure 2.5-Typical Enterprise Network<br />
<strong>The</strong> scope of the DMZ and associated ‘public’ resources is typically quite small compared to the<br />
enterprise intranet. <strong>The</strong> scope of the intranet can be quite extensive with significant implications for<br />
deployment of IPv6. <strong>The</strong> use of private addressing, however, greatly reduces the urgency of migration<br />
for the intranet portion of the enterprise.<br />
Intranet Complexities<br />
DMZ<br />
Internet<br />
Access<br />
Router<br />
Internet<br />
One of the fundamental differences between IPv4 and IPv6 is in the use of private addressing. Where<br />
IPv4 allows the use of private addressing in the corporate Intranet, and can take advantage of Network<br />
Address Translation (NAT) to provide a beneficial decoupling between internal corporate networks and<br />
the Internet. In contrast, the use of NAT is currently discouraged in IPv6, with the expectation that all<br />
devices will have globally unique addresses.<br />
This approach has been rationalized in the IPv6 community due to the abundance of available IPv6<br />
addresses, coupled with the desire to eliminate stateful NAT, and erroneous prevailing perception that it<br />
provides increased security. Unfortunately, this stance fails to recognize some of the additional benefits<br />
of NAT that are specific to the corporate Intranet.<br />
Within the DMZ, IPv4 addresses are typically provided by the service provider. If a corporation wants to<br />
switch to a new service provider, some degree of re-addressing is required. With NAT, the scope of this<br />
re-addressing effort is greatly reduced, affecting only the DMZ. <strong>The</strong> internal private addressing remains<br />
intact. Similarly, if Provider Assigned (versus Provider Independent) IPv6 addresses are used for the<br />
entire enterprise, the task of re-addressing the network to switch providers is much more complex.<br />
Automated addressing mechanisms have the potential to address this problem, but there is still significant<br />
work to be done before these technologies are fully mature.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 8<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
Many enterprises use multiple internet access connections from diverse corporate locations and/or diverse<br />
carriers. With IPv4 it is quite common to have separate blocks of provider assigned addressing for each<br />
of these connections. Internal users will appear as the appropriate source address on the Internet based on<br />
passing through an independent NAT/Firewall function for each connection. This assures appropriate<br />
routing and session symmetry to maintain firewall state.<br />
<strong>The</strong>se multi-homing scenarios are much more complicated for IPv6. Given that IPv6 does not have a<br />
supported NAT equivalent, the enterprise must either deploy Provider Independent IPv6 addressing or<br />
assign multiple IPv6 host addresses to each end device. Even then, the issue of session symmetry must<br />
also be addressed, or a means of sharing state across diverse firewalls must be deployed.<br />
<strong>The</strong> issues surrounding NAT elimination, multi-homing, and automatic address assignment coupled with<br />
the scope and risk of unduly early intranet deployment warrant significant deliberation prior to IPv6<br />
deployment. Many of these issues are being addressed in current work. Best practice approaches will<br />
emerge going forward.<br />
Public Resource <strong>Migration</strong><br />
Accordingly, the initial focus for the enterprise should be on the public facing aspects of the network.<br />
<strong>The</strong>se represent a much smaller scope greatly reducing the negative implications of an initial misstep.<br />
This allows the enterprise architect a prudent learning curve in IPv6 technologies while allowing some of<br />
the emerging technologies and approaches to mature before wide scale deployment in the intranet.<br />
<strong>Migration</strong> of the public facing enterprise resources is a nicely bounded project that allows the business<br />
early participation in the IPv6 space while avoiding undue risk. It is this initial migration that is discussed<br />
in the remainder of the current version of this guide.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 9<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
3 IPv6 Strategy<br />
With a goal of establishing dual-stack (simultaneous IPv4 and IPv6) internet access, the following<br />
fundamental sequence occurs:<br />
1. Establish an addressing plan<br />
2. Procure Dual-Stack Internet Service<br />
3. Configure the Access Router<br />
4. Configure the firewall<br />
5. Configure IPv6 on DMZ Resources<br />
6. Augment DNS<br />
7. Testing & Verification<br />
Steps for IPv6 Internet <strong>Migration</strong><br />
<strong>The</strong>se steps are covered directly in the subsequent sections of this document.<br />
Although it is not listed in the steps above, it is very important to conduct a thorough infrastructure<br />
assessment of current hardware and software’s ability to support IPv6. This goes beyond simply<br />
verifying that “<strong>IPV6</strong> networking support” is included in firewalls, routers, switches, application servers,<br />
name servers, user PCs, reporting tools, etc. IPv6 addresses are significantly larger and require more<br />
memory and additional processing. This creates an incremental burden on equipment that must,<br />
presumably, continue to support IPv4 networking. Running both protocols in a dual-stack scenario will<br />
be more than twice as complicated and require significant additional capacity from any hardware that<br />
participates in this transition. This document primarily addresses an early phase of IPv6 migration where<br />
one focuses on public facing elements (web, email, etc). We might also suggest that a serious assessment<br />
of the enterprise’s ability to handle the additional complexity and capacity demand of running two<br />
simultaneous protocols should be done in the early phases of migration. This allows for adjustment of<br />
capital expense budgets to cover the deficiencies that will be discovered.<br />
3.1 IPv6 Addressing<br />
This section provides an overview of considerations and implications for establishing an IPv6 addressing<br />
plan. <strong>The</strong> current version of this guide only addresses migration of the ‘public’ facing side of the<br />
enterprise, while counseling a more deliberate stance toward migration of the private side. <strong>The</strong> IPv6<br />
addressing plan, however, does not lend itself to the same level of private/public separation as there is for<br />
IPv4. Accordingly, some thought should be given to the IPv6 allocation plan for the entire enterprise<br />
even at this initial step. That said, the implications of a mis-step for the initial ‘public’ migration are not<br />
severe. If the addressing plan needs to be redone or re-worked the scope of changes required for public<br />
facing devices is fairly limited.<br />
One of the main differences between IPv4 and IPv6 is the size of the IPv6 address space. IPv6 provides<br />
significantly more IP addresses than IPv4. IPv4 uses 32-bit addressing which limits the number of IP<br />
addresses to 2 32 or about 4.3 billion addresses. In comparison, IPv6 provides 2 128 , or in the longer<br />
notation, that’s 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion,<br />
463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456 addresses.<br />
Every conceivable device in the world could be assigned an IPv6 address, and there would still be plenty<br />
of addresses left over. With so many addresses, many IPv6 advocates believe there is no need for IPv6<br />
Network Address Translation. In fact, the industry best practice advocates the use of a public (or globalunique)<br />
IPv6 address on every device that requires connectivity to the IPv6 Internet. This applies not<br />
only to the public facing servers but also to the private internal devices inside a corporate network. This<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 10<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
may be a strange concept for network and security administrators who have viewed NAT as a security<br />
mechanism to hide internal devices from the outside world.<br />
Does this mean IPv6 networks are less secure than IPv4 networks? It can be argued that the private IPv6<br />
networks with publicly-assigned addresses are just as secure as IPv4 privately-addressed networks. First,<br />
the smallest subnet that is expected to be used in IPv6 networks is a 64-bit prefix. This means even the<br />
smallest IPv6 subnets will have significantly more addresses than the entire IPv4 Internet. Moreover, the<br />
smallest address space that should be allocated by an Internet Service Provider (ISP) to an enterprise<br />
customer is a 56-bit prefix and a 48-bit prefix if allocated directly by a Regional Internet Registrar (RIR).<br />
<strong>The</strong>refore, it would take a potential hacker a long time to completely probe the combination of 2 72 (128<br />
bits minus 56-bit prefix) addresses and all potential TCP/UDP ports in an attempt to enumerate a network.<br />
In effect due to such large address allocation, the publicly-addressed IPv6 devices could be as tough if not<br />
tougher to discover than the privately addressed IPv4 devices. It is like a hacker trying to probe the entire<br />
IPv4 Internet address space a trillion times repeatedly—not practical. Although NAT provides a clean<br />
delineation between private and public networks, it should not be viewed as a security mechanism. It<br />
does not provide a corporate network any meaningful security mechanisms from outside attackers.<br />
Network security is the implementation of a security policy and is provided by network firewalls,<br />
intrusion prevention systems, and other security software and appliances. Similar precautions and<br />
protection must be deployed in IPv6 networks.<br />
<strong>The</strong> drawbacks to using public addresses inside a corporate intranet include:<br />
• NAT based IPv4 networks segregate the task of internal addressing from<br />
external/public addressing. If there is a need to change public addresses the internal<br />
private addressing is unaffected.<br />
• Geographically dispersed networks with multiple Internet connections and/or<br />
providers can use separate NAT functions to the public addressing allocated for each<br />
individual ISP connection. This maintains symmetric routing in the enterprise which<br />
simplifies stateful firewall implementation. This also avoids the need for exception<br />
routes in the global Internet and/or the need for multiple host address assignments to<br />
end devices in the enterprise.<br />
• Private addressing in IPv4 lends itself to the use of relatively simple address<br />
assignments (x.x.x.1 or x.x.x.254 for instance). While it is possible to simply overlay<br />
this approach within specific IPv6 subnets, it is not advised. Best practice is to use<br />
the full hexadecimal range afforded in the IPv6 format. This helps maintain the<br />
difficulty of potential hackers enumerating a corporate network.<br />
• Finally network administrators must be more careful about allocating IPv6 addresses<br />
to the rest of the corporate network and not just the public facing servers. Network<br />
administrators no longer have NAT to rely on to mask overlapping or<br />
misappropriated addresses.<br />
<strong>The</strong>se drawbacks are significant, and much of the current work in the IPv6 community is aimed at<br />
addressing these inherent drawbacks. Among the work in progress in support of NAT features for IPv6,<br />
there may be some hope for proponents of NAT. Recently, more and more network equipment vendors<br />
have been warming up to IPv6 NAT. One vendor reported it will have its first release of IPv6 NAT<br />
sometime in 2012, though the adoption rate of this future technology has to be proven. One of the<br />
perceived benefits of IPv6 (i.e. public addressing) is providing a network environment to foster direct<br />
(peer to peer) communication between endpoints without the aid of intermediate gateways. If a killer<br />
application emerges that does not work over NAT, then corporations may be forced to maintain a NATless<br />
network environment. For IPv6, RFC 6296 proposes the use of stateless NAT where the internal<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 11<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
prefix is replaced with the public prefix. <strong>The</strong> RFC proposes a prefix replacement while maintaining most<br />
of the host bits 1<br />
. This is significantly different from today’s IPv4 NAT that is stateful. Many of the<br />
complexities and application issues associated with IPv4 NAT can be traced to its stateful<br />
implementation. A stateless implementation for IPv6 would avoid most of these issues while maintaining<br />
the advantages / avoiding the drawbacks of not having NAT. For more details on IPv6 NAT, please refer<br />
to RFC6296—“IPv6-to-IPv6 Network Prefix Translation”.<br />
<strong>The</strong> rest of this section primarily focuses on planning and implementation of IPv6 addresses without the<br />
use of NAT. NAT was covered to highlight the present issues and potential impacts in outlining a<br />
corporate addressing plan. <strong>The</strong> following sections place more emphasis on the public-facing network<br />
infrastructure.<br />
In addition to this document, please review Section 2 of the AT&T’s “IPv6 Fundamentals <strong>Guide</strong>” for<br />
more information on IPv6 addressing.<br />
3.2 Planning<br />
<strong>The</strong>re are three key steps in developing an IPv6 addressing plan.<br />
1. Assess corporate network requirements<br />
2. Determine the type of public address<br />
3. Develop an addressing strategy<br />
It is very important to understand the overall corporate network requirements. Does the enterprise operate<br />
only in the US market or in other countries? Is the Enterprise divided into different Lines of Business<br />
(LoB)? Are there multiple corporate Internet connections? Is the Internet service with one or more ISPs?<br />
<strong>The</strong>se are only some of the questions that should be considered before moving forward.<br />
A second step is to decide on the type of global-unique address that is right for the corporate network.<br />
This step is just as important as the first step. If a poor decision is made in this step, then the network<br />
may need to be completely readdressed later—a major undertaking. <strong>The</strong> final step is to craft an<br />
addressing strategy that will be assigned to the public facing network.<br />
Referring to Figure 2.5, there are three network segments that are public facing: customer router to ISP<br />
router, customer router to firewall, and the DMZ. What IPv6 prefix boundary should be used for point to<br />
point connections? How about segments with small, medium, large number of devices? What specific<br />
addresses will be assigned to actual devices? Some of these questions will be addressed in the following<br />
sections, and readers should use the information to determine the appropriate strategy that is right for<br />
them.<br />
3.2.1 Assess Corporate Network Requirements<br />
It will be very rare to see an enterprise upgrading their entire corporate network to IPv6 all at once. Most<br />
enterprises will take a phased approach over a course of several years with the initial focus on the public<br />
facing network. In fact, the U.S. federal agencies are mandated to make their Internet services available<br />
to support IPv6 users by the end of 2012. By 2014, these agencies must upgrade their internal networks<br />
to IPv6. Many enterprises may not have this tight timeline but will likely follow a similar path to IPv6 by<br />
initially starting at the Internet edge and then into the core corporate network.<br />
However, this does not mean the corporate network requirements should be collected in phases.<br />
Enterprises should conduct some level of assessment of the entire corporate network before migrating the<br />
1 <strong>The</strong> stateless NAT approach is a bit more complex than a 1:1 mapping of the subnet bits, but this description<br />
captures the concept, and it represents a much simpler approach than stateful IPv4 NAT.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 12<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
public network. Why is it important to identify requirements for internal networks during this phase? It is<br />
not critical to have a fully developed plan incorporating all aspects of the corporate infrastructure, but<br />
some up front attention can avoid pitfalls and rework later.<br />
For instance, a network administrator may choose a 64-bit IPv6 prefix to assign to the Internet servers<br />
because it spells a recognizable address such as 2001:DB8:ACE::/64, but later finds out that this address<br />
space conflicts with the corporate addressing plan that was later developed to allocate a contiguous 56-bit<br />
prefix to each branch office. One acceptable solution could be to ignore the issue and to simply skip over<br />
the entire /56 prefix that the hex “ACE” prefix resides within. This results in underutilization of IPv6<br />
addresses--255 unused 64-bit prefixes. <strong>The</strong> other option might be to readdress the Internet devices to a<br />
different 64-bit prefix, but this option will interrupt Internet services while the devices are being updated.<br />
Some may argue the first option is probably the best approach in tackling this issue since there are plenty<br />
of IPv6 addresses go around. However if this action is taken too frequently, then it will lead to<br />
fragmented addressing that could place more burden on network routers in maintaining and processing<br />
additional IPv6 routes.<br />
Once the overall corporate network requirements are understood, the attention can now be given to the<br />
Internet network segments referenced in Figure 2.5. What IPv6 prefix and prefix length will be allocated<br />
to each network segment? What IPv6 services will be allowed through the Internet router and the<br />
corporate firewall? What is the approach for making the corporate services available to IPv6 Internet<br />
users? Will the servers be dual-stacked? Or will there be physically separate servers to support IPv6<br />
users? <strong>The</strong>se are some of the probing questions that must be answered during this first step. <strong>The</strong>y are<br />
listed here to give readers some ideas of the types of questions that must be addressed in documenting the<br />
overall corporate network requirements.<br />
Whatever the approach, nothing should be taken for granted. IPv6 should not be treated as just another<br />
protocol, or one may overlook important requirements or dependencies.<br />
3.2.2 Provider Assigned or Provider Independent Addresses<br />
<strong>The</strong>re are two types of IPv6 global-unique addresses: Provider-Assigned (PA) and Provider-Independent<br />
(PI). Either PA or PI addresses must be used in order to access content on the IPv6 Internet. <strong>The</strong> terms<br />
represent two avenues an enterprise can use to obtain public addresses. <strong>The</strong> PA addresses are allocated<br />
by the ISP, and the PI addresses are allocated directly by the RIR such as ARIN. One of the main<br />
advantages of using the PA address is it helps to control the amount of routes maintained by Internet<br />
routers. By using a PA address, an enterprise loses the ability to advertise their allocated space into the<br />
global routing table. Instead, an enterprise’s PA routes are aggregated by the ISP who owns the larger PA<br />
prefix. Potentially, an ISP with over 10,000 customers could be represented on the Internet by a single<br />
IPv6 route. <strong>The</strong>re are obvious benefits for the ISP and the global Internet community in conserving<br />
memory, processor, and other resources, but why should the end-users care? Better performance. Endusers<br />
may not be able to perceive the performance improvement, but a smaller global routing table<br />
translates to better performing and more efficient Internet especially when routers are expected to<br />
maintain both IPv4 and IPv6 routes with an IPv6 route taking up more memory space and resources. A<br />
more streamlined global Internet also translates to reduced costs for infrastructure equipment and peering<br />
facilities.<br />
<strong>The</strong> number of individual IPv4 subnets in the global routing table has been steadily increasing for many<br />
years. This is partly due to the fact that IPv4 addresses owned by one ISP are accepted by another ISP.<br />
Typically if an IPv4 block is /24 or shorter (i.e. /8 to /24), then most ISPs will accept another provider’s<br />
address into their network. IPv6 will change the size of the network block that an ISP accepts. At the<br />
time of this writing, ISPs will not accept another provider’s PA address. In addition, PA addresses are<br />
more or less owned by the ISP. If a company changes service providers, then it would have to forfeit the<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 13<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
PA address back to the ISP. This means the entire corporate network must be re-addressed using a new<br />
PA block from the new ISP.<br />
<strong>The</strong>refore, many enterprises are electing to apply for PI addresses that are directly allocated by RIRs and<br />
provide the flexibility to take the addresses to any provider without the concern of network readdressing.<br />
<strong>The</strong> PI address may also be a required element when developing a multi-homing network solution. Most<br />
ISPs will not accept PI prefixes longer than a 48-bit prefix. Subsequently, /48 is the longest prefix<br />
handed out by RIRs. (Please note: <strong>The</strong>re is an annual maintenance fee associated with PI addresses.<br />
Please visit the RIR’s website for the pricing list.) Some ISPs may accept longer prefixes (i.e. /49<br />
through /64). However it is unlikely that these longer prefixes will be announced to Internet peering<br />
partners. Longer prefixes may be supported by the directly connected ISP, but they will likely be filtered<br />
across peering connections either by the ISP, peering partners, or both. Depending on the corporate<br />
requirements and the Internet routing policies, enterprises may need to request prefixes larger than 48-bits<br />
from RIRs.<br />
Please consult with your ISP about their routing policies and determine if PA is sufficient to satisfy the<br />
corporate network requirements. However for larger enterprises, a PI prefix may be the most prudent<br />
option to avoid network readdressing in the future and to get around routing policy restrictions.<br />
3.2.3 Develop an Addressing Strategy<br />
This step is perhaps the toughest. It is overwhelming to develop an overall addressing strategy that<br />
satisfies immediate and future network needs. It is made even more challenging with the understanding<br />
that Industry best practices are still being formulated and RFCs are being updated based on real-world<br />
deployments and lessons learned.<br />
For instance, IPv6 does not promote the use of variable subnetting. <strong>The</strong> industry standard advocates the<br />
use of a 64-bit prefix on every network segment regardless of its size. This is even true across a point to<br />
point connection where /30 is typically used in IPv4 networks. Recently, RFC 6164 was created to<br />
introduce a new standard that advocates the use of 127-bit prefixes for point-to-point links. At the time of<br />
this writing it is uncertain whether RFC6164 will be readily adopted by the industry. RFC 5375 points<br />
out several drawbacks of using variable subnetting such as misuse of reserved address space. However<br />
the main disadvantage of variable subnetting is that autoconfiguration does not work if the subnet<br />
boundary is not exactly 64-bits. It can not be 65-bits, 127-bits, or 63-bits. <strong>The</strong> subnet must be exactly<br />
64-bit network prefix in order for autoconfiguration to work properly. This should not be a major issue<br />
for a point-to-point or small network like a DMZ since devices on these networks are manually<br />
configured. For a small branch office, autoconfiguration may be appropriate to avoid manual<br />
configuration or to deploy a DHCP infrastructure. If the present best practice of 64-bit subnet is<br />
deployed, then about 18.4 quintillion IPv6 addresses would go unused for a small network.<br />
Since there are plenty of IPv6 addresses, underutilization of IP address space is not much of a concern for<br />
IPv6 advocates. In fact, the present best practice is to allocate 48-bit prefix to an enterprise and 56-bit<br />
prefix to a site. This translates to 256 sites and 256 64-bit subnets per site. This seems to be an overallocation<br />
for a branch office that perhaps has just three subnets for a data network, a voice network, and<br />
a special application network.<br />
Ultimately, it comes down to individual companies to determine what addressing scheme is appropriate<br />
for their environment. 56-bit prefix boundary should be used as a guide and not as a strict standard. Use<br />
the appropriate boundary prefix for each site that satisfies the present and the future requirements. Best<br />
practices will continue to evolve and develop in this space. <strong>The</strong> details of the corporate LAN and WAN<br />
addressing will be covered in future releases of this guide.<br />
For the public facing networks, companies must select a group of 64-bit prefixes from their overall IPv6<br />
address pool to assign to the public network segments such as the DMZ, CE-Firewall LAN, etc. This<br />
group of prefixes should be chosen from either the upper or the lower bounds of the IPv6 address pool.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 14<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
For instance if the assigned address pool is 2001:DB:1234::/48, then choose the prefixes from the<br />
2001:DB:1234:: or the 2001:DB:FFFF::. This approach will aid in avoiding address conflicts as prefixes<br />
are allocated to the corporate LAN in the next phase of IPv6 implementation. <strong>The</strong> actual number of<br />
required 64-bit prefixes will be determined by whether the Industry best practice is followed. As<br />
mentioned previously, the Industry standard dictates that a 64-bit prefix is allocated to any network<br />
segment regardless of size. Recall that even if there may only be three devices on a network, a 64-bit<br />
prefix is expected to be used. Technically, companies can elect to depart from this standard by<br />
incorporating variable subnetting and use longer prefixes to accommodate smaller number of devices.<br />
However, it is advised that careful research and tests are conducted to ensure non-standard deployment<br />
doesn’t cause issues within the public infrastructure.<br />
Please see Appendix A-2 for an example of IPv6 address allocation to the public facing infrastructure.<br />
3.3 Implementation<br />
While most of the corporate LAN may use DHCPv6 or autoconfiguration, network devices shown in<br />
Figure 2.5 will likely be manually configured with an address. Even with manual configuration, IPv6<br />
devices may also assign autoconfigured addresses if the subnet is on a 64-bit boundary. In order to avoid<br />
this, administrators can disable router advertisement on the default gateway devices such as the Internet<br />
router or the firewall. Otherwise, the Internet servers may assume multiple IPv6 addresses and potentially<br />
cause issues if the server responds with a different address than the addresses used to setup the session.<br />
<strong>The</strong>re are also other considerations when using manual address configuration. According to RFC 3627,<br />
all zeros and all ones should be avoided since they are reserved anycast address. <strong>The</strong> RFC claims the<br />
addresses will fail Duplicate Address Detection queries. However, according to RFC 5375, this is not<br />
true. In the real world operations, these anycast addresses can be assigned much like any unicast<br />
addresses without limitations. Even so, these addresses should be avoided as a best practice to minimize<br />
issues in the future if these anycast addresses are treated differently<br />
Administrators should also pay attention to their choice of variable subnet prefix or manually configured<br />
address that defines bits 71 and 72 bits of the address. Bit 71 is used to identify whether the address is<br />
universally or locally administered. For instance, if the host address is based on an industry standard such<br />
as a MAC address then it is considered universally administered. <strong>The</strong> 71 st bit should be set. Bit 72<br />
defines whether the address is a unicast or multicast address. By setting this bit, it tells the world that the<br />
address is used for multicast services. In today’s implementation, these bits are ignored by most IPv6<br />
devices, but it may be utilized in the future. <strong>The</strong>refore, network administrators should be mindful and<br />
choose addresses wisely.<br />
A common IPv4 practice is to use either the lowest or highest number (x.x.x.1 or x.x.x.254) for the<br />
default gateways. Many enterprises may attempt to continue this practice in IPv6. <strong>The</strong>re are no technical<br />
issues with this approach. However one must consider that there are 0:0:0:0 to FFFF:FFFF:FFFF:FFFF<br />
number of addresses to choose from in a 64 bit prefix boundary. One could choose 0:0:0:1 as the host<br />
address for a default gateway or servers. This approach makes it easier for potential hackers to map your<br />
network. So it may be best to choose an IPv6 address that is not easily guessed. Internet address for the<br />
corporate servers will be well known to potential hackers via DNS lookup. This does not mean that the<br />
corporate firewalls or other Internet devices need to be made easy to discover. One way to “hide” them<br />
from the Internet is to assign a more complex and unrecognizable IPv6 address with access filtering<br />
enabled. However this is prone to human errors. With a more complex hexadecimal addressing scheme,<br />
administrators are more prone to mistakes in configuring the IPv6 addresses. Enterprises should always<br />
test the final configuration to ensure devices are configured and working correctly. Please see Section 9<br />
Testing & Verification for test options.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 15<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
3.4 Multi-Homing<br />
Deploying a multi-homed Internet solution can be very challenging whether it is over an IPv4 or IPv6<br />
network. However, IPv6 is further complicated by the fact that IPv6 deployment is in its infancy. <strong>The</strong>re<br />
are simply not enough enterprises that have fully deployed an IPv6 Internet solution to share lessonslearned<br />
or establish best practices. Many enterprises claim they have migrated their services to dual-stack<br />
environment, but if you look under the covers, it would be apparent that most are partial deployments.<br />
Most enterprises are doing just enough to make their Internet services available to potential IPv6 users,<br />
without the level of redundancy or advanced functionality that has been established to provide highly<br />
available, high performance and secure IPv4 networks. IPv6 is brand new territory for the networking<br />
Industry. Most enterprises may maintain a simple IPv6 Internet network until IPv6 multi-homing issues<br />
are better understood and addressed by the Industry. In short, enterprises should be cautious in rolling out<br />
an IPv6 multi-homing solution and should expect to run into obstacles along the way.<br />
Figure 3.4—IPv6 Multi-homing<br />
As an example, one of the biggest challenges of designing a multi-homing network solution is addressing<br />
the asymmetric routing issue. Without IPv6 NAT, global-unique addresses will be assigned to internal<br />
corporate network devices. <strong>The</strong>refore enterprises must pay closer attention to the internal corporate<br />
routing in ensuring that internal hosts are routed correctly out through the appropriate Internet PoP that is<br />
advertising the aggregate address of the host’s prefix. Otherwise, asymmetric routing may occur where<br />
the inbound traffic is not forwarded to the same Internet PoP that it originated from. For instance in<br />
Figure 3.4, it depicts an enterprise that has an active/active Corporate Internet requirement. This scenario<br />
assumes the enterprise has obtained a /47 PI prefix from RIRs and has divided it up to two /48 prefix.<br />
Each /48 are advertised as the primary route through ISP#1 and ISP#2. One host is assigned out of the<br />
“2001:DB8:1235:ffff::/56” prefix. In order for this host to receive packets from the Internet, it must be<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 16<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
outed out through the Internet service connecting to ISP#2. This is because the aggregate address<br />
“2001:DB8:1235::/48” encompassing the host’s prefix (2001:DB8:1235:FFFF::/56) is advertised out of<br />
this connection. If for some reason the host was routed out through ISP#1, then the return traffic would<br />
be returned through ISP#2 since it’s advertising a more specific /48 prefix. This is not the desired result<br />
since the firewall will not have a matching session in its state table. If there isn’t a match, then the packet<br />
is dropped. This is one of the key examples as to why enterprises should not have a myopic view of<br />
focusing just on the public-facing infrastructure. <strong>The</strong>re must be some investment made in reviewing the<br />
overall corporate network requirements during initial Internet deployment.<br />
3.4.1 Single Carrier Multi-homing<br />
Single provider multi-homing is typically deployed by small to midsize corporations that require<br />
redundant Internet services. This can be in the form of multiple Internet connections at a single location<br />
or a geographically separated location. When multi-homing with a single provider, an enterprise can elect<br />
to use either the PA or the PI addresses. <strong>The</strong> benefit of using the PA addresses is that the enterprise does<br />
not need to apply for the PI addresses which could take time and money. Another benefit may be that<br />
some ISPs may allow longer IPv6 prefixes into the network. An ISP may allow 64-bit prefix to be<br />
advertised into their network. This may give enterprises flexibility to implement a better load-distribution<br />
solution based on granular prefixes or subnets. However the main drawback of PA addresses is that ISPs<br />
do not allow enterprises to take PA addresses to another ISP. This means enterprises will be forced to<br />
readdress their corporate network whenever they decide to change providers. It may be advantageous<br />
even for single provider enterprises to use PI addresses to allow flexibility to move to another ISP but<br />
also to implement multi-provider solution if the corporate requirements change in the future.<br />
3.4.2 Multi-Carrier Multi-homing<br />
Multi-provider multi-homing is the most popular solution for regional or global enterprises that operate<br />
within a single continent. By using multiple ISPs, enterprises can have the peace of mind that a major<br />
outage on one provider’s network will not grossly impact their business. Some of the enterprises today<br />
use the ISP’s allocated address space to develop an IPv4 multi-homing solution. In today’s IPv4<br />
networks, ISPs allow enterprises to advertise another ISP’s address into their network. However this<br />
practice is forbidden in IPv6 networks. Most if not all ISPs will not accept another ISP’s PA addresses.<br />
In order to achieve a resilient multi-provider solution, enterprises will likely need to use PI addresses to<br />
be able to failover a prefix block from one provider to another. As a general rule, an ISP will not<br />
advertise across its peering connections a prefix longer than a /48. <strong>The</strong> ISP may accept a longer prefix<br />
such as 64-bit prefix into the network, but the enterprise will need to also advertise a summary prefix 48bits<br />
or shorter. Otherwise, the enterprise’s prefix will not be visible beyond the ISP’s network.<br />
Another important point to consider in a multi-provider solution is the size of the prefix that may be<br />
required to satisfy the network requirements. If the Internet connections are used as primary and backup,<br />
then a single 48-bit prefix may be sufficient. 48-bit prefix can be advertised via eBGP with a shorter or<br />
longer ASN hop to prefer one carrier’s Internet over another. However if multiple Internet connections<br />
are actively utilized simultaneously, then multiple 48-bit prefixes may be required since ISPs will not<br />
forward routes longer than a 48-bit prefix. A minimum of /48 for each Internet connection is required as<br />
shown above in Figure 3.4. Each connection can advertise a /48 as the primary address and a summary<br />
route for failover. If one of the Internet connections fails, then the surviving Internet connection will<br />
receive traffic that was destined for the other connection following the summary route similar to a typical<br />
IPv4 multi-homing implementation.<br />
3.4.3 Multi-Region Multi-homing<br />
<strong>The</strong> present best practice dictates that enterprises that operate in multiple continents acquire addresses<br />
from each RIR where they operate. Most Tier-1 ISPs will likely allow enterprises with PI addresses from<br />
one region to use them in another region. However, routing policies are still being finalized, and it is<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 17<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
uncertain how non-regional addresses will be treated by smaller ISPs in a particular region. For instance,<br />
ARIN-obtained address is accepted by AT&T in other regions like Europe and Asia, but it is unclear<br />
whether other European ISPs (that AT&T peers with) will honor the advertised address into their<br />
network. In an effort to minimize the number of IPv6 routes in the core, an ISP may decide to filter<br />
longer non-regional prefixes from entering its Internet. <strong>The</strong> longest IPv6 prefix that is allocated to RIRs<br />
is 23-bits long. (Please visit the following link to see other regional allocations --<br />
http://www.iana.org/assignments/IPv6-unicast-address-assignments/IPv6-unicast-addressassignments.xml.)<br />
An ISP may decide to filter based on this 23-bit prefix boundary. Since Tier-1 ISPs<br />
have no control over the policies of smaller ISPs, it is recommended that regional address space is used in<br />
multi-region solution at this time. It also provides a clean delineation between each region, and WAN<br />
routing can be further simplified through summarization based on regional addresses.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 18<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
4 Establish IPv6 Enabled Connectivity<br />
Establishing IPv6 connectivity is a simple matter of procuring an Internet connection with Dual-Stack<br />
functionality. Ideally, this would be a simple logical change to the existing connection, with no outages<br />
and no changes required to the existing environment. Due to functional differences across hardware<br />
platforms and availability of dual-stack service, this may not be feasible. At a minimum a minor outage<br />
should be planned to allow reconfiguration of carrier equipment and/or re-homing to alternate carrier<br />
facilities.<br />
As part of the procurement process, AT&T provides an IPv6 address to be used for the Internet WAN<br />
connection. This is used on the customer access router for the Internet interface. If BGP peering is<br />
specified, this address is used to establish the IPv6 BGP session with AT&T. Additional provider<br />
assigned addressing may also be provided by AT&T, or a customer may choose to use their own<br />
(Provider Independent) addressing (refer to IPv6 Addressing).<br />
Once provisioned, the connection continues to provide IPv4 connectivity as before. When ready, the<br />
customer can configure the Internet access router with the appropriate IPv6 elements to begin using the<br />
Dual-Stack capabilities of the connection.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 19<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
5 Access Router Configuration<br />
This section provides sample router configurations that can be applied on the Internet edge routers. It<br />
includes examples of IPv6 BGP configurations to establish IPv4 and IPv6 BGP neighbor relationships<br />
with the ISP’s router. It also provides sample configurations for static routes for those who may not be<br />
comfortable with BGP. <strong>The</strong> last section provides information on applying IPv6 access lists. For the most<br />
part, the IPv6 commands are very similar to IPv4 commands but with slight differences.<br />
5.1 BGP<br />
BGP router configuration for a dual-stack Internet service requires the use of address families to define<br />
IPv4 and IPv6 peers and corresponding advertisement of routes. Note: IPv4 address family is not<br />
required in order for an IPv4 BGP relationship to be established. BGP (for IPv4) can be initiated under<br />
the main BGP process without defining the IPv4 address family. As such, some customers may choose to<br />
only create the IPv6 address family and maintain the IPv4 relationship under the main BGP process.<br />
However there is no harm in creating the IPv4 address family. It does not reset the BGP session. It also<br />
may be an easier way to manage the BGP configuration by organizing IPv4 and IPv6 BGP configurations<br />
under their respective address family. Listed below are some guidelines for configuring BGP on the<br />
customer’s router.<br />
BGP configuration steps:<br />
• Create a BGP router-id<br />
• Configure IPv4 and IPv6 BGP neighbors<br />
• Create IPv4 and IPv6 address families<br />
• Advertise BGP network routes within each address family<br />
<strong>The</strong> first step is to define the BGP router-id under the BGP process. When the router-id is not defined,<br />
<strong>Cisco</strong> routers will default to using the highest loopback IPv4 address. If no IPv4 addresses are present on<br />
the router, the IPv6 BGP session will not be established with its peer. <strong>The</strong>refore as a best practice, the<br />
router-id should be specifically defined under the BGP process.<br />
<strong>The</strong> IPv4 and IPv6 BGP neighbors must be defined under the main BGP process with the corresponding<br />
Autonomous System Number (ASN) of its peer. <strong>The</strong> IPv4 and IPv6 address families need to be<br />
configured via address-family [ipv4/IPv6]. By default when an IPv4 address family is defined, both the<br />
IPv4 and IPv6 neighbors that were created in the first step will appear automatically under the IPv4<br />
address family. <strong>The</strong> IPv6 neighbor should only be defined under the IPv6 address family. To do this, the<br />
IPv6 neighbor must be disabled under the IPv4 address family by issuing the no neighbor activate command and added under the IPv6 address family.<br />
Since the IPv4 and IPv6 neighbors have been defined with the remote-as of the peer under the main BGP<br />
process, there is no need to redefine the remote AS under the address family. Instead the neighbors are<br />
activated to establish a BGP relationship with the peer by including the activate keyword with the<br />
neighbor command as shown below. Customers can then advertise IPv4/IPv6 BGP routes through the use<br />
of the familiar network command. Note there is a slight difference in the syntax<br />
of the IPv6 network command in that it allows the use of the /nn subnet instead of the mask keyword<br />
used with IPv4 prefixes.<br />
BGP Configuration:<br />
router bgp 65000<br />
bgp router-id 192.168.10.2<br />
neighbor 192.168.10.2 remote-as 7018<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 20<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
neighbor 2001:DB8::2 remote-as 7018 !configure IPv6 neighbor<br />
address/ASN<br />
address-family ipv4 !define ipv4 address family<br />
neighbor 192.168.10.2 activate !enable BGP for neighbor<br />
(enabled by default)<br />
no neighbor 2001:DB8::2 activate !disable IPv6 neighbor<br />
relationship<br />
network 192.168.100.0 mask 255.255.255.0 !network address to be<br />
advertised<br />
address-family IPv6 !define IPv6 address family<br />
neighbor 2001:DB8::2 activate !enable BGP for IPv6 neighbor<br />
network 2001:DB8:F::/56 !define network address to be<br />
advertised<br />
Table 5.1-BGP Configuration<br />
In the above table, the /56 prefix under the IPv6 address family was used only as an example. Most<br />
customers with Provider-Independent (PI) addresses will be allocated /48 or shorter prefixes. A /56 prefix<br />
will likely be assigned by the ISP from the Provider Assigned (PA) block. <strong>The</strong>se longer /56 PA prefixes<br />
are typically filtered by the ISP and are summarized into the aggregate PA prefix for the ISP. Even<br />
though /56 is announced into an ISP, the /56 route will not appear in the global routing table because most<br />
ISPs will not advertise the longer PA prefixes to their peering partners. ISPs will however allow<br />
customers to advertise PI blocks as long as they are /48 or shorter. <strong>The</strong>se PI blocks will be forwarded to<br />
their peering partners. However ISPs will implement a policy to prevent longer prefixes (ranging from<br />
/48 to /128) from being advertised. <strong>The</strong> longer prefixes may be allowed within the ISP network but will<br />
be filtered and not allowed beyond the ISP’s network. This policy may vary between service providers.<br />
5.2 Static<br />
This section briefly describes how to configure IPv6 static routes. If readers are familiar with configuring<br />
IPv4 static routes on <strong>Cisco</strong> routers, then configuring IPv6 static routes will appear to be very similar but<br />
with some slight differences. <strong>The</strong> configuration of IPv6 static routes requires the following format:<br />
IPv6 route IPv6-network/prefix next-hop<br />
Below is an example of a static route command for IPv6:<br />
IPv6 route 2001:DB8:124F:1::/64 2001:DB8:124F::2<br />
Note (as with most IPv6 commands), the static route command begins with the key word “IPv6”. <strong>The</strong><br />
word “route” indicates this to be a static route. <strong>The</strong> next argument is the IPv6 network. So,<br />
2001:DB8:124F:1::/64 is the network with a /64 prefix. <strong>The</strong> last argument is the next-hop and is shown<br />
in the above example as 2001:DB8:124F::2<br />
An IPv6 static route that will be commonly used is the default route. <strong>The</strong> example below shows how the<br />
<strong>IPV6</strong> static default route is expressed:<br />
IPv6 route ::/0 2001:DB8:C00:4F00::EEF6:A0EA<br />
<strong>The</strong> syntax for the IPv6 default route is very different from IPv4. <strong>The</strong> “::/0” is short hand for:<br />
0000:0000:0000:0000:0000:0000:0000:0000/0<br />
One would agree that “::/0” is much easier to type and less prone to typographic mistakes.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 21<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
5.3 Access-List Formats<br />
This section will briefly describes ACL formats as used on <strong>Cisco</strong> routers.<br />
Using <strong>Cisco</strong> IOS ACLs has changed slightly in IPv6. <strong>The</strong> standard ACL functionality in IPv6 is similar to<br />
standard ACLs in IPv4. An access list determines what traffic is blocked and what traffic is forwarded at<br />
router interfaces, and allows filtering based on source, destination, protocol type, port number, and<br />
inbound/outbound directions on a specific interface. Each access list has an implicit deny statement at the<br />
end.<br />
When deploying ACLs in IPv6, there are some subtleties to consider. For instance, all IPv4 IOS ACLs<br />
have an implicit “deny ip any any” at the end of the ACL. With IPv6, the IOS ACLs have the following 2<br />
implicit permit statements along with a deny statement, as shown below:<br />
permit icmp any any nd-na<br />
permit icmp any any nd-ns<br />
deny IPv6 any any<br />
<strong>The</strong> permit statements are added so that Neighbor Discovery (which performs the equivalent functionality<br />
of ARP in IPv4) is not disabled when an ACL is applied to an interface. This can lead to problems if one<br />
wants to enable the log option on the ACLs. Adding the statement “deny IPv6 any any log” will override<br />
the implicit permits, and neighbor discovery traffic will be denied. So be careful when using the log<br />
option.<br />
IPv6 IOS ACLs only use “named” ACLs. <strong>The</strong> format is shown below:<br />
IPv6 access-list access-list-name<br />
permit protocol source-IPv6-prefix/prefix-length destination-IPv6prefix/prefix-length,<br />
or<br />
deny protocol source-IPv6-prefix/prefix-length destination-IPv6prefix/prefix-length<br />
Below is an example of an IPv6 ACL:<br />
IPv6 access-list RFC4890-in-partial<br />
permit icmp any any echo-reply<br />
permit icmp any any echo-request<br />
permit icmp any any 1 3<br />
permit icmp any any 1 4<br />
permit icmp any any packet-too-big<br />
permit icmp any any time-exceeded<br />
permit icmp any any parameter-problem<br />
deny icmp any any router-advertisement<br />
<strong>The</strong> above IPv6 ACL is named “RFC4890-in-partial”. <strong>The</strong>re are seven permits and one deny statements.<br />
What is not shown is the implicit permit and deny statements mentioned earlier.<br />
Applying an IPv6 ACL to an interface is not the same as it was in IPv4.<br />
Format in IPv6:<br />
IPv6 traffic-filter access-list-name in<br />
IPv6 traffic-filter access-list-name out<br />
Example:<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 22<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
interface FastEthernet0/1<br />
IPv6 traffic-filter RFC4890-in-partial in<br />
<strong>The</strong> following section on security contains additional information on traffic filters and examples of router<br />
and switch configurations.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 23<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
6 Security<br />
<strong>The</strong> long view of security in an IPv6 world may include dramatic enhancements over the current set of<br />
IPv4 best practices. Some have envisioned an abandonment of classical perimeter security as currently<br />
implemented by firewalls, in favor of end-to-end security models for each TCP/IP session. Use of NAT in<br />
a security model has become a common discussion point in the migration to IPv6 networking. A<br />
common best practice in IPv4 perimeter security models includes network address translation (NAT).<br />
NAT alone is not comprehensive protection but it does identify where the fence is. Presumably other<br />
constructs of good perimeter security (stateful inspection, rule imposition, blanket inbound blocking, etc)<br />
are implemented at this same juncture. “If it’s not a private address, it hasn’t been scrubbed by a<br />
firewall.” “If it is a private address it won’t be allowed outside the fence without first being scrubbed.”<br />
<strong>The</strong>se are typical sentiments of current firewall strategies. But idealistic views of IPv6 consider NAT as a<br />
roadblock to a future of creative and innovative end to end communications. That same idealism might<br />
want the firewall to give way to per-session based authentication and authorization.<br />
But those are notions for the future. This section will presume to build from existing IPv4 best practices<br />
and augment them based on new features and new mechanisms occurring in IPv6.<br />
New features and mechanisms introduced in an IPv6 enabled world that can become problematic in a<br />
security discussion, particularly during a migration phase, include<br />
• Automatic assignment of endpoint addressing<br />
• Automatic identification of routers and gateways<br />
• Lack of standard support for IPv6 private addressing (IPv6 NAT).<br />
• New constructs, including Extension Headers at the IP layer<br />
• Numerous dual-stack and v4v6 translation scenarios that will likely be embraced<br />
in typical migration scenarios.<br />
<strong>The</strong> remainder of this section will identify new elements of good security practices aimed at reinforcing<br />
public interfaces to preclude new IPv6 based attacks, and general guidelines to adopt inside the enterprise<br />
to prevent unauthorized tunneling through the firewall. It is critical to denote that a current Security<br />
Policy must be the strategy that drives the security policies. Further, software deficiencies are very<br />
commonly found in IPv4 enabled network elements, and it is anticipated that IPv6 enabled network<br />
elements will also have a range of deficiencies that will require patching, upgrades, or work-arounds to<br />
address.<br />
6.1 Perimeter Security (Firewall)<br />
An IPv6 firewall is not just an IPv4 firewall with extra rules. <strong>The</strong> IPv6 IP header is very different,<br />
includes additional header extensions, and needs specific consideration for analysis of potential<br />
vulnerabilities. Analyzing an IPv6 packet as if it were an IPv4 packet could give unpredictable results.<br />
This is a critical issue for securing the perimeter and will remain an enduring issue even if IPv6 firewalls<br />
are largely relegated to passing IPSec tunnels to an ultimate destination for authentication. <strong>The</strong> concept<br />
of a perimeter still remains and must be guarded.<br />
An important first step in migrating to an IPv6 presence, even on the outside of the perimeter, is to<br />
carefully consider the firewall’s ability to support and analyze IPv6 packets. <strong>The</strong> firewall must be able to<br />
support IPv6 and meet the internal certification of both the hardware and software for your enterprise.<br />
Typical enterprise connections to the public Internet allow for a DMZ to host public facing web services<br />
and file servers. Below we show a configuration that accommodates both IPv4 and IPv6 connectivity to<br />
the Internet.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 24<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
IPv6 can initially be used to enable IPv6 web, email, and ftp servers as a set of publicly available services,<br />
while IPv4 continues to provide two way (firewalled) traffic from the enterprise to the IPv4 Internet. <strong>The</strong><br />
two networks (IPv4 and IPv6) operate independently but both use the same physical links. Being<br />
independent of each other, the treatment of specific traffic flows may differ. We focus here on DMZ<br />
access for IPv6 based services while presuming to preclude IPv6 access into the larger enterprise.<br />
6.1.1 Traffic Filters<br />
One of primary differences between IPv4 and IPv6 firewall filters has to do with ICMP traffic. In IPv4,<br />
firewalls largely treat ICMP traffic as a potential security problem for denial-of-service flood attacks.<br />
ICMP is frequently blocked altogether. <strong>The</strong>re are some instances in IPv4 where ICMP packets provide<br />
useful information, such as path MTU detection (packet-too-big replies), or in testing reachability. But<br />
even these are often viewed as not worth the exposure to ICMP based attacks, and it is not uncommon for<br />
firewalls and border routers to block all ICMP traffic.<br />
In IPv6, however, ICMP packets are used in new ways that become critical to discovering layer-two<br />
reachability information. IPv6 neighbors and routers discover reachability details to each other using<br />
solicitations and advertisements over automatically defined link local subnets. <strong>The</strong>se are all part of a new<br />
Neighbor Discovery Protocol (NDP). Blocking all ICMPv6 traffic would disable NDP and be equivalent<br />
to blocking ARP traffic in IPv4.<br />
With the increased role of ICMP in IPv6, blocking all ICMP messages is not recommended.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 25<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
But allowing all ICMPv6 traffic still carries the risk of certain denial of service flood attacks, so a specific<br />
strategy should be devised based on what ICMP traffic is deemed appropriate for needed functions. RFC<br />
4890 describes ICMPv6 filtering recommendations for firewalls. <strong>The</strong> table below shows typical ICMP<br />
treatments in both IPv4 and IPv6. <strong>The</strong>se are examples and should not be taken as hard recommendations.<br />
Each firewall policy needs to consider these carefully.<br />
Another new element in IPv6 networking involves header extensions. <strong>The</strong>se are used for various<br />
functions including supporting IPSec definitions, Fragmentation, Mobility, and Routing options.<br />
Intended to add functionality for specific purposes, extension headers complicate IPv6 and present<br />
problems for firewalls to effectively analyze. One specific extension header that has been deprecated in<br />
IPv6 is the routing extension header type 0 because of its similarity to the IPv4 source routing option.<br />
Firewalls are typically configured to drop such packets in both IPv4 and IPv6. Other extension headers<br />
need specific consideration in IPv6.<br />
6.1.2 Proxy and Translation<br />
A possible option in early phases of migration to IPv6 might be to use a firewall that performs proxy and<br />
translation functions for outbound requests that resolve to IPv6-only endpoints. A proxy firewall<br />
essentially terminates outbound requests and initiates a new request from the outside boundary of the<br />
firewall. Adding IPv6 translation allows the firewall to communicate with IPv6 destinations on the public<br />
side and translate return packets into IPv4 for reply back to internal IPv4-only hosts.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 26<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
6.2 Internal Security<br />
6.2.1 Router Solicitation and Router Advertisement<br />
As discussed above, NDP uses ICMPv6 to determine link layer reachability between nodes on a common<br />
subnet. In addition to neighbor solicitations and advertisements, NDP also includes router solicitations<br />
and advertisements to determine default routing gateways. This can automate the process of discovering<br />
router gateways and network prefix assignments. But this can also present the risk of a rogue entity on<br />
the subnet announcing itself as the priority gateway and hijacking traffic.<br />
All IPv6 devices on a LAN segment will receive the announcement and discover the priority of any<br />
advertising router (low, medium and high). <strong>The</strong> router with high priority will be the primary default router<br />
for the LAN and become the default gateway for LAN devices. To prevent this from occurring filters<br />
need to be applied at the port level. <strong>Cisco</strong> and other vendors have features on their switches to allow layer<br />
3 filters to be applied to a layer 2 port. Below is a snippet from a <strong>Cisco</strong> switch:<br />
IPv6 access-list ACCESS_PORT<br />
remark **Block all traffic DHCP server -> client**<br />
deny udp any eq 547 any eq 546<br />
remark **Block Router Advertisements**<br />
deny icmp any any router-advertisement<br />
permit any any<br />
Interface GigabitEthernet 1/0/1<br />
switchport<br />
IPv6 traffic-filter ACCESS_PORT in<br />
<strong>The</strong> filter above will deny any router advertisements for a particular port on the switch (the filter also<br />
shows how to deny DHCP server packets). Since you can filter router advertisement on a workstation and<br />
you don’t want to deny router advertisements from an actual router, this is the only way to prevent a<br />
rogue device from becoming a router on the LAN. Also, not all switches support this feature. <strong>The</strong><br />
administrator responsible for device configuration should contact the appropriate network equipment<br />
vendor to get a list of supported switches. This guide is primarily focused on the firewall and DMZ.<br />
Default routing behaviors should be defined on servers and router gateways in the DMZ to avoid the risk<br />
of rogue router advertisements.<br />
6.2.2 Automatic Tunneling<br />
Even though we have defined this early phase of IPv6 migration to consist of an Internet connection and<br />
public servers in a DMZ with the internal enterprise remaining IPv4, there is still a risk of internal hosts<br />
attempting to automatically launch IPv4 based tunnels to Internet based tunnel gateways. Security<br />
policies should be defined and host configurations administered to prevent this (assuming it is an<br />
unwanted behavior). <strong>The</strong> table below offers help in blocking automatic tunnels at the perimeter firewall.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 27<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
6.3 Candidate Best Practices<br />
<strong>The</strong> bullet point list below is taken from a <strong>Cisco</strong> presentation and offers consideration points for possible<br />
best practice security steps to consider.<br />
• Implement privacy extensions carefully<br />
• Filter internal-use IPv6 addresses at the enterprise border routers<br />
• Filter unneeded services at the firewall<br />
• Selectively filter ICMP<br />
• Maintain host and application security<br />
• Determine what extension headers will be allowed through the access control device<br />
• Determine which ICMPv6 messages are required<br />
• Deny IPv6 fragments destined to an internetworking device when possible<br />
• Ensure adequate IPv6 fragmentation filtering capabilities<br />
• Drop all fragments with less than 1280 octets (except the last one)<br />
• Implement RFC 2827-like filtering and encourage your ISP to do the same<br />
• Document procedures for last-hop traceback<br />
• Use cryptographic protections where critical<br />
• Use static neighbor entries for critical systems<br />
• Implement ingress filtering of packets with IPv6 multicast source addresses<br />
• Use traditional authentication mechanisms on BGP and IS-IS<br />
• Use IPsec to secure protocols such as OSPFv3 and RIPng<br />
• Use IPv6 hop limits to protect network devices<br />
• Use static tunneling rather than dynamic tunneling<br />
• Implement outbound filtering on firewall devices to allow only authorized tunneling<br />
endpoints<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 28<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
7 Servers/Endpoints<br />
<strong>The</strong>re is not a single right approach to making the corporate public facing application services available to<br />
IPv6 end users. Most enterprises will likely deploy a dual-stack infrastructure where an IPv6 address is<br />
added to the same interface that an IPv4 address is already assigned. This approach eliminates the need<br />
for a separate server which minimizes the capital cost. However, some enterprises may feel uneasy about<br />
supporting an immature IPv6 service on a stable IPv4 server. IPv4 has been around for many years. IPv4<br />
applications have been thoroughly tested as can be. <strong>The</strong>re are newly found flaws that come to light from<br />
time to time, but software vendors and customers are quick to remediate these issues. With IPv6, there is<br />
not an industry-wide support for it at the time being. If the customer base is not pushing on Vendors for<br />
IPv6, vendors will not invest the resources to support it. Like most software, vendors can make their<br />
attempts to thoroughly test their applications for problems, but it is not until the greater user community<br />
gets their hands on the applications that unexpected issues and flaws are discovered. While vendors may<br />
state their application is IPv6 ready, it may take several iterations or releases before some issues are<br />
identified and resolved. For this reason, some enterprises may elect to deploy a separate physical server<br />
for IPv6. Or as an alternative, they could also consider using Network Address Translation (NAT64) or<br />
load-balancers to intercept IPv6 sessions and present it to the corporate servers as IPv4. In Figure 7.1, it<br />
illustrates how an enterprise can use NAT64 to service IPv6 users while keeping their Internet servers<br />
IPv4 only.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 29<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
Figure 7.1—NAT64<br />
Note in the above example, the enterprise Webserver www.abccompany.com is only assigned an IPv4<br />
address of 12.1.1.1. When an IPv6 user attempts to access this site, the user is given the IPv6 address<br />
(2001:DB8:8400::C1:101) in the DNS response. <strong>The</strong> packets follow the appropriate routing path to the<br />
destination site. At the site, a NAT’ing device translates the IPv6 address to IPv4. <strong>The</strong> destination<br />
address 2001:DB8:8400::C1:101 is replaced with 12.1.1.1. <strong>The</strong> source address is also translated to an<br />
IPv4 address. As far as the Webserver is concerned, it is processing an IPv4 request and is not aware of<br />
the initial IPv6 request. <strong>The</strong>re are some drawbacks with this approach. AT&T encourages readers to<br />
conduct their own research and test the solution thoroughly before rolling them out in your production<br />
environment.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 30<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
8 Domain Name System (DNS)<br />
Before moving forward with this section, please make sure the corporate Internet gateways/servers are<br />
accessible over both IPv4 and IPv6 Internet. Premature announcement of domain name may result in<br />
black-holing traffic sometimes referred to as “internet brokenness”. In a typical IPv4 network<br />
environment depicted in Figure 8.1, an IPv4 user enters an easily recognizable or memorable domain<br />
name into an application such as a web browser. <strong>The</strong> application uses the underlying operating system to<br />
issue a DNS query to resolve the domain name to an IPv4 address. <strong>The</strong>se requests are referred to as a<br />
“Standard A” record request. Upon receiving a “Standard A” request, a DNS server will respond with an<br />
answer containing the IPv4 address associated with the requested domain name. In Figure 8.1,<br />
www.abccompany.com is associated with both an IPv4 and an IPv6 address with a DNS entry for both<br />
addresses. However, the user is configured to support IPv4-only addressing and will likely request just a<br />
“Standard A” or IPv4 address from the DNS server. It will receive only the IPv4 address corresponding<br />
to www.abccompany.com.<br />
Figure 8.1—Standard-A DNS Request<br />
If the end-user is dual-stacked as shown in Figure 8.2, it will send two DNS requests to its DNS server:<br />
one for Standard-A and second for Quad-A. As mentioned above, Standard-A is an IPv4 address record<br />
associated with a domain name. Quad-A or AAAA is associated with the IPv6 address. As long as the<br />
DNS server has the Quad-A record for the requested domain name, it will provide the IPv6 address back<br />
to the end-user in its response. Notice in the figure below, the DNS server is IPv4-only and does not have<br />
an IPv6 address assigned. This is fine since both the Standard-A and Quad-A requests are made using<br />
IPv4 source/destination addresses. In this example, the dual-stack end-user is pointing only to an IPv4<br />
DNS server. <strong>The</strong>refore, it will use the IPv4 address to request both a Standard-A and a Quad-A record<br />
from the DNS server. If the DNS server was also dual-stacked, then the client will likely issue DNS<br />
requests using its IPv6 address instead of IPv4. This is the default behavior of most operating system. If<br />
the end-user has a choice between IPv4 and IPv6 destination addresses, then most operating system will<br />
prefer IPv6 over IPv4. Note: this default behavior can be changed by modifying the “prefixpolicy” table<br />
of the operating system.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 31<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
Figure 8.2—Quad-A DNS Request<br />
Before a Quad-A record can be provided by any DNS server, it must first exist in an authoritative DNS<br />
server for the requested domain name. In most situations, the requested domain name may not be cached<br />
on the initial DNS server an end-user is pointing to. If the entry does not exist, the DNS server will query<br />
its upstream DNS servers and may contact the root DNS server for the requested domain zone such as<br />
.com, .net, .edu, etc. <strong>The</strong> root server should have the IPv4 and IPv6 addresses of the authoritative DNS<br />
servers for the requested domain. This information is imported into the root server from the domain name<br />
registrars. <strong>The</strong>refore, it is very important to update the corporate profile with the domain registrar. <strong>The</strong><br />
corporate profile will include at minimum the primary domain name and an IP address of the DNS<br />
servers. If the authoritative DNS servers are available by an IPv6 address, then the profile must be<br />
updated to include the new IPv6 address. Otherwise, other non-authoritative DNS servers will not know<br />
who to contact to access the DNS information via IPv6.<br />
As mentioned above, the Quad-A records can be obtained from an IPv4-only addressed DNS server. <strong>The</strong><br />
DNS server does not need to be IPv6 capable. “Quad-A” record requests can be made using either the<br />
IPv4 or IPv6 protocol. Conversely, an IPv6-only host can request “Standard A” record (i.e. IPv4<br />
address). In the near term, enterprises can choose to migrate their internet gateways or servers to IPv6<br />
while keeping their DNS servers IPv4-only with very little drawback. It is an acceptable migration<br />
approach since most end-users are expected to be dual-stacked for many years. Moreover, most service<br />
providers should exchange domain information across both IPv4 and dual-stacked DNS servers.<br />
<strong>The</strong>refore www.abccompany.com should also appear on the dual-stack DNS servers even though the<br />
authoritative DNS server is only available via IPv4 address. However if the service providers support<br />
IPv6-only DNS servers or not share domain information between IPv4, IPv6, and dual-stacked DNS<br />
servers, then there is a chance some end-users may not receive a DNS response. To eliminate this<br />
uncertainty, enterprises can decide to dual-stack their DNS servers and make their domains accessible by<br />
IPv4 or IPv6 users.<br />
However dual-stacked DNS servers do not completely resolve connectivity issues. As mentioned earlier,<br />
many dual-stack end-users have experienced “internet brokenness”. “Brokenness” occurs when a dualstack<br />
end-user is not able to access contents via IPv6 address, but the destination is accessible via IPv4<br />
address. A dual-stack user will typically request and receive both a Standard-A and a Quad-A record<br />
from their upstream DNS servers assuming both records exist. Upon receiving these records, a dual-stack<br />
user will use its IPv6 address to connect to the remote server via IPv6 because operating systems by<br />
default prefer IPv6 over IPv4. If the destination is not reachable via IPv6, then the session may time out<br />
without trying to access the destination via IPv4. This will give most users the impression that the<br />
content server is down, but in reality, it is available via its IPv4 address. Why isn’t this server reachable<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 32<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
via IPv6? One reason may be that IPv6 Internet service is not supported by all ISPs. In addition, IPv6<br />
peering relationship is still being established between providers. ISPs may have an IPv4 peering<br />
relationship with another provider, but it may not have an IPv6 connection between the ISPs. This will<br />
create a situation depicted in Figure 8.3 where a destination is reachable via IPv4, but it is not reachable<br />
via IPv6. As shown below, three ISPs have a fully-meshed IPv4 peering relationship with each other, but<br />
a hub/spoke IPv6 relationship between ISP(A) to other two providers. In most peering relationships, ISPs<br />
will tag routes learned from its peers as non-transit routes. This means that ISP(A) will not pass routes<br />
learned from its peers to another peering partner. For instance, ISP(A) will not advertise routes learned<br />
from ISP(B) to ISP(C). <strong>The</strong>refore ISP(C) will not have an IPv6 route to www.abccompany.com that is<br />
hosted on ISP(B)’s network. Even though the end-user on ISP(C)’s network has connectivity to IPv6,<br />
this user does not have access to all contents on the IPv6 Internet. This issue may persist for some time<br />
until the peering or network relationships become more mature.<br />
Figure 8.3--Internet Brokenness and IPv6 Peering<br />
Because of the “brokenness” issue, many enterprises have chosen to setup a secondary domain name to<br />
host their IPv6 web servers. For instance instead of www.abccompany.com, the enterprise would use<br />
IPv6.abccompany.com to cater to IPv6 users and maintain www.abccompany.com for IPv4 users. <strong>The</strong><br />
main benefit of this approach is it eliminates the “brokenness” issue, but it also introduces other<br />
challenges. One of the questions it raises is how would IPv6 users know to use IPv6.abccompany.com to<br />
access the web server via IPv6? If the end-user is dual-stacked, then a company could place a link on the<br />
IPv4 homepage to redirect these users to the IPv6 site. Unfortunately, this approach does not help those<br />
IPv6-only addressed end-users, but it is highly unlikely that these users would be provided IPv6-only<br />
addresses without the ISP providing some type of translation services to give them access to IPv4 sites.<br />
Some vendors have begun to address the “brokenness” issue. In previous Windows versions, the browser<br />
timed out without attempting the IPv4 addresses of the destination server. However in recent lab tests,<br />
Windows 7 clients are now resolving to the IPv4 website when IPv6 connection isn’t available. This is<br />
quite promising, but more work is needed in this area. Presently, it is taking some time to failover to the<br />
IPv4 site due to retries and timeouts. For some impatient users, the long delay may not be acceptable, and<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 33<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
the users may click away from the site before it has an opportunity to retrieve the data. <strong>The</strong>refore a faster<br />
discovery and failover solution must be incorporated to make the transition seamless to the end-user as<br />
documented in Internet Draft—“Happy Eyeballs: Success with Dual-Stack Hosts draft-ietf-v6opshappy-eyeballs-04”.<br />
Otherwise the enterprises may lose out on potential customers and revenue.<br />
Eventually these connectivity issues will be addressed by vendors, ISPs, enterprises, and/or end-users. In<br />
the meantime, some users may struggle with inconsistent IPv6 service.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 34<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
9 Testing/Verification<br />
This is perhaps the most important step in the IPv6 migration process. One must determine if the<br />
following questions can be answered with a firm yes:<br />
1) Do you have access to the corporate Internet router from the IPv6 Internet?<br />
2) Are the security rule-sets implemented correctly?<br />
3) Are you receiving Quad-A DNS responses?<br />
4) And ultimately, can you access the corporate Internet servers from the IPv6 Internet?<br />
Before tackling the above questions, the testing personnel must first connect to the IPv6 Internet. This<br />
Internet connection must not be the same IPv6 connection that the corporate servers are on. It can be a 3 rd<br />
party transition service such as an IPv6 tunnel broker or Teredo tunnel service. <strong>The</strong>re are for-free tunnel<br />
brokers like Hurricane Electric that may require user registration. Alternatively, one can use the Teredo<br />
service that is readily supported on most Windows and Linux operating systems. <strong>The</strong> Teredo service can<br />
be used by any users with an IPv4 Internet connection. <strong>The</strong> Teredo service may be a quick and easy way<br />
to connect to the IPv6 internet.<br />
Once connected to the IPv6 Internet, the tester can use the typical network troubleshooting tools like<br />
“ping” or “tracert” to test connectivity to IPv6 destination addresses. One may need to use the option “-<br />
6” for IPv6 along with these commands. This should allow testers to confirm there is IPv6 connectivity to<br />
the Corporate Internet and key servers/gateways. It can also be used to conduct preliminary security tests<br />
of the firewall. <strong>The</strong>re are some security tools for IPv6 that can be used to verify that the implemented<br />
rule-sets are working properly. For DNS, the tester can use “nslookup” to perform DNS query against its<br />
DNS server. <strong>The</strong> test may need to go into the “nslookup” mode and issue “set type=aaaa” to force the<br />
“nslookup” application to request Quad-A request. As another option, the test can issue either “ping” or<br />
“tracert” with the “-6” option using the domain name as the destination. “-6” option will force the client’s<br />
operating system to issue a Quad-A request for the domain name. Now, the tester is ready to test the<br />
application by typing the URL for the server into the application. If the application is able to retrieve the<br />
information, it is likely the data was retrieved via IPv6. However if the tester is using Teredo service,<br />
then the tester may need to modify the “prefixpolicy”. By default, Windows Operating System prefers<br />
IPv4 over IPv6 destination address. So if the domain name resolves to both IPv4 and IPv6 addresses,<br />
then the Windows 7 client will use IPv4 address to access the data. <strong>The</strong>refore, it is highly recommended<br />
that Wireshark is used to determine if the client is using IPv6 or IPv4 addresses to access the destination.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 35<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
10 Conclusion<br />
<strong>The</strong> migration to dual stack capabilities will bring a lot of change, from security policy reviews to<br />
equipment upgrades to application testing to legal review. Organizations must be engaged in an IPv6<br />
adoption team now that, similar to the Year 2000 event, delivers a holistic approach to dual stack support.<br />
Unlike Year 2000, dual stack services will be needed at a point of demand, versus a date on the calendar.<br />
Given the lack of maturity of the IPv6 software stack on many vendors, it is strongly urged that<br />
enterprises carefully evaluate and test the IPv6 functionality from devices that they choose to manage, or<br />
look at a service provider to deliver the managed abilities.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 36<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
Appendix A<br />
Appendix A<br />
A-1 Establishing a Teredo Tunnel<br />
Teredo is an IPv4 tunneling protocol that enables IPv4 users to access IPv6 resources. IPv4 users build<br />
an IPv4 tunnel across their existing IPv4 WAN and Internet to a publicly available Teredo Tunnel server.<br />
Once the tunnel is established, IPv4 users can send IPv6 packets inside the tunnel. Teredo can be used as<br />
a quick way to connect to the IPv6 Internet to test connectivity as discussed in Section 9. Since most<br />
enterprises are planning to migrate to Windows 7 Operating System in the next few years, this section<br />
will mainly focus on enabling Teredo service on Windows 7 clients and does not cover instructions for<br />
other Windows platforms. Some principles discussed in this section may also apply to Windows XP,<br />
Vista, etc.<br />
Unlike Windows XP, IPv6 protocol stack is enabled by default on Windows 7. Windows XP users must<br />
manually install the IPv6 protocol stack. It’s simple to verify that a Windows system is running IPv6 by<br />
issuing a very familiar DOS command “ipconfig /all”. This command will provide a report of all IP<br />
addresses (IPv4 and IPv6) assigned to the system’s interfaces. Under each interface, there should be an<br />
IPv6 link-local address that starts with FE80::/64. This shows that IPv6 protocol is running on the<br />
system. In the “ipconfig /all” results, one should also see a pseudo interface for the Teredo Tunnel<br />
service. At a quick glance, the Teredo interface may appear to be up and running. However this is not<br />
the case. It is actually in an "active" state. In this "active" state, an IPv6 address (2001::/32) is assigned<br />
to the Interface. This address is a legitimate IPv6 address reserved for Teredo service and can give users<br />
the wrong impression that they are connected to a Teredo Tunnel server. <strong>The</strong>y are actually in a dormant<br />
mode and not connected to a live Tunnel server. This is likely to address the criticism of the previous<br />
Windows releases that automatically connected to a tunnel server. Since Teredo service is a tunneling<br />
protocol, it bypassed most conventional firewalls and intrusion detection systems because these systems<br />
were not capable of reading deeper into the encapsulated packets. So now, users must manually enable<br />
the Teredo protocol using the following steps:<br />
1) Open up the Group Policy Manager console (gpedit.msc). <strong>The</strong>n go to Local Computer Policy><br />
Admin Templates> Network> TCPIP Settings> IPv6 Transition Tech> Teredo Default<br />
Qualified. Change it to Enabled.<br />
2) Now the Teredo service should be up and running. However you must follow the directions<br />
below to force Windows to perform Quad-A record request.<br />
a) By default, Windows Vista and 7 will not request a Quad-A record if there is no non-link<br />
local address assigned to the interface. Teredo Interface is ignored by the operating<br />
system. Even if a global unique address out of the (2001::/32) range is assigned to the<br />
Teredo interface, these two Windows operating system will not ask for a Quad-A record for<br />
a domain name. For instance, IPv6.google.com is only reachable via IPv6 address. If the<br />
Teredo client attempts to surf to IPv6.google.com, the Wireshark trace shows that the<br />
Teredo client only requests a standard A record. So this means most Teredo clients will not<br />
be able to get to any IPv6 websites since the IPv6 domain name will not resolve to an IPv6<br />
address or Quad-A response.<br />
b) Workaround is to assign an IPv6 address and a default gateway manually to an active<br />
interface. When this is done, an IPv6 default route (::/0) will be added pointing to the<br />
default gateway address that was manually entered. This will force all IPv6 traffic to this<br />
default gateway. This is not what we want since this will black-hole the IPv6 traffic. So<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 37<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
Appendix A<br />
we must add a default gateway that points to the Teredo Interface IPv6 address with a<br />
lower metrics than the existing ::/0 route in the routing table.<br />
Once this is done, Teredo clients will be able to access some IPv6 sites.<br />
A-2 IPv6 Address Example<br />
<strong>The</strong> figure below illustrates an approach for allocating IPv6 prefixes within an enterprise network. This is<br />
just an example. <strong>The</strong>re is no one correct method. Each enterprise must carefully evaluate its corporate<br />
requirements and determine the appropriate addressing strategy that is right for them.<br />
<strong>The</strong> diagram depicts four network segments that require IPv6 addresses: CE-PE WAN, CE-Firewall<br />
LAN, DMZ LAN, and Corporate LAN. In this example, an enterprise has been allocated a 48-bit prefix.<br />
<strong>The</strong> CE-PE link addresses are typically provided by the ISP. <strong>The</strong>refore there isn’t much a customer needs<br />
to do for this link. Next is the CE-Firewall LAN subnet. If the present Industry standard is followed, a<br />
64-bit prefix should be allocated across this LAN even though there are just two devices in it. A 60-bit<br />
prefix is carved out from the aggregate 48-bit prefix for point to point connections. From which, a 64-bit<br />
was allocated to the CE-Firewall LAN. This gives sixteen 64-bit prefixes that could be used for other<br />
point to point connections. If longer prefixes such as 127-bit prefix are used, then it can support greater<br />
number of point to point connections. Similarly, the DMZ LAN segment is assigned a 64-bit prefix from<br />
a larger 60-bit that was taken from the aggregate 48-bit prefix. That takes about another sixteen 64-bit<br />
prefixes. Between the DMZ and CE-Firewall network segments, a total of thirty-two 64-bit prefixes have<br />
been allocated. That leaves a total of 254 contiguous 56-bit prefixes to be assigned to the rest of the<br />
enterprise network. If possible, IPv6 prefixes should be allocated across double-octet, octet, or half-octet<br />
boundaries. This will help to avoid overlapping prefixes. Double-octet is 16 bits wide and is represented<br />
by four hex digits within the two colons (:0000:) in IPv6. An octet is a byte or 8-bits. It takes up two hex<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 38<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
Appendix A<br />
digits. Half-octet is 4bits or one hex digit. <strong>The</strong> actual prefix boundary will be determined by the<br />
enterprise addressing strategy. In this example, the CE-Firewall and DMZ prefixes were chosen from the<br />
upper bounds of the 48-bit aggregate prefix. With this approach, network administrators do not have to<br />
be concerned about prefix overlaps or address conflicts. It will be clearly understood that upper bound is<br />
reserved for special purposes.<br />
A-3 Frequently Asked Questions:<br />
Why do we need IPv6?<br />
With huge growth in wireless technology/devices and expansion of IP networks, many network service<br />
providers are expecting to run out of IPv4 addresses soon. Although IPv4 networks will continue to be<br />
supported for many years to come, it's wise for organizations to begin thinking about IPv6 and planning<br />
for the future. Many ISP such as AT&T will likely offer IPv6 services as dual-stack service that supports<br />
both IPv4/IPv6 addresses to enable organizations to slowly adopt IPv6.<br />
How can I track exhaust of IPv4?<br />
<strong>The</strong>re are several sites that provide information about IPv4 address allocation and exhaust predictions.<br />
<strong>The</strong> date when IANA will exhaust is the most widely quoted and predicted date. Other dates include when<br />
each RIR will exhaust, when all RIRs will exhaust and then when ISPs and enterprises will exhaust their<br />
addresses.<br />
Here are the links of interest.<br />
• IANA http://www.iana.org/assignments/ipv4-address-space/ipv4-addressspace.xml<br />
• NRO http://www.nro.net/statistics/<br />
• Geoff Huston http://www.potaroo.net/tools/ipv4/index.html<br />
• Tony Hain http://www.tndh.net/~tony/ietf/ipv4-pool.htm<br />
• ARIN https://www.arin.net/knowledge/statistics/index.html<br />
https://www.arin.net/participate/meetings/ARIN-XXVI/<br />
What are the main use cases (applications) of these v6 customers? E.g., Web surfing,<br />
consumer apps, etc.<br />
Individual motivation to migrate to IPv6 varies for each customer. Some customers are interested in IPv6<br />
to make sure they don't lose out on potential IPv6 only customers. Others may be pushed to support IPv6<br />
due to business requirements levied on them by extranet partners who are migrating to IPv6. Some may<br />
be deploying devices that require large blocks of addresses for inventory/tracking purposes.<br />
What's the process for requesting IPv6 addresses?<br />
Organizations must meet certain minimum requirements to receive IPv6 addresses directly from ARIN,<br />
APNIC, or RIPE. Most ISPs will be assigned /32 network. Non-ISPs will typically be assigned minimum<br />
of /48 network address. ISPs and Non-ISPs can request larger block if they can provide legitimate<br />
justification for more addresses. Customers should review the policies listed below to determine if they<br />
qualify for IPv6 addresses. If not, they will need to request IPv6 addresses from their ISP.<br />
• For ISPs in the US, they should follow the instructions listed in the following linke:<br />
https://www.arin.net/resources/request/IPv6_initial_alloc.html<br />
• For non-ISPs in the US, use the following link:<br />
https://www.arin.net/resources/request/IPv6_initial_assign.html<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 39<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
Appendix A<br />
• For organizations in Asia-Pacific, please read the IPv6 policies listed in the link:<br />
http://ftp.apnic.net/apnic/docs/IPv6-address-policy<br />
• For EMEA organizations, IPv6 policies are listed in the following link:<br />
http://www.ripe.net/ripe/docs/IPv6policy.html<br />
Here's a link to IANA website listing the IPv6 blocks that have been allocated to the Regional Internet<br />
Registrars:<br />
http://iana.org/assignments/IPv6-unicast-address-assignments/IPv6-unicast-addressassignments.xml<br />
What IPv6 address assignment options are available?<br />
<strong>The</strong>re are 3 addressing options: manual, DHCP, or auto-configuration. Manual addressing allows users to<br />
statically assign IPv6 address on clients. DHCP allocates addresses dynamically to clients. However there<br />
is a slight difference in DHCPv6 compared to DHCPv4. <strong>The</strong>re are two parameter options that must be<br />
enabled to turn on DHCP and to allocate other DHCP information to clients. Auto-configuration allows<br />
IPv6 clients to assign themselves IPv6 address based on Neighbor Discovery Protocol called Route<br />
Advertisement packets. Please see the attached charts to see summary of the information about DHCPv6<br />
and Auto-configuration...<br />
Do you SWIP the PA IPv6 address space that is assigned to a customer?<br />
<strong>The</strong> answer is yes. <strong>The</strong>re should not be any difference in the information provided with the SWIP<br />
(Shared WHOIS Project is the process used to submit, maintain and update information of WHOIS<br />
records per RFC 1491.) information for IPv4 and IPv6.<br />
Do you accept v6 blocks from other RIRs? E.g., accept a RIPE block from a NY peering?<br />
AT&T will only accept PI (Provider Independent) addresses and AT&T assigned PA (Provider Assigned)<br />
from a customer. AT&T will not accept IPv6 addresses that are owned by another provider.<br />
What's AT&T Policy regarding IPv6 Internet multi-homing?<br />
If a customer is interested in a multi-homing internet solution (i.e. connection to AT&T and another ISP),<br />
the customer must own the desired IPv6 address they want to advertise. IPv6 address must be directly<br />
assigned to the customer by their regional internet registry organization like ARIN. It can not be an<br />
address provided by another service provider. In addition, the IPv6 address block must be a minimum of<br />
/48 subnet. AT&T will not advertise anything longer than /48 subnet to the Internet. Within the AT&T<br />
network, the customer can advertise a longer subnet. However, AT&T will not advertise a prefix longer<br />
than a /48 subnet.<br />
How many IPv6 routes does AT&T dual-stack MIS support?<br />
BGP route advertisement is done on an exception basis. For each route, AT&T will add the route into the<br />
allowed filter list on the PE router to allow the route to be accepted into the network.<br />
Do you have any v6 only customers? If so, why? Because no more v4 addressing or for some<br />
other reason?<br />
<strong>The</strong>re are very few customers who are considering a complete migration to IPv6 network. Most customers<br />
are electing to deploy a dual-stack infrastructure to support both IPv4 and IPv6 services. Those who are<br />
considering a complete migration have the added challenge of providing their IPv6 users access to<br />
internet/intranet resources that remain on IPv4 network.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 40<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.
Appendix A<br />
What 6-4/4-6 translation methods do you use?<br />
AT&T is actively testing 2 transition technologies: 1) NAT64 to allow IPv6-only MIS customers to<br />
access IPv4 internet resources and 2) T6 gateway to allow IPv4-only internet users to access MIS<br />
customers' IPv6-only internet servers. This requires software to be installed on the user's PC.<br />
Is there any impact on encrypted VPN tunnels with IPv6?<br />
If it's native IPv6 end-to-end, then VPN tunnel will be fine. If you are trying to establish a tunnel via v4v6<br />
NAT, then you will run into issues. It's because IPv6 utilizes the extended headers for IPSec. If NAT is<br />
performed in the path, then the extended headers are stripped and you lose the IPSec session information.<br />
In the dual-stack offer, customer should be able to establish native IPv4-Ipv4 and IPv6-IPv6 IPSec<br />
sessions without issues.<br />
How is v6 DNS handled for Web sites that are both v6 and v4 capable using the same domain name?<br />
E.g., what if www.gs.com were both v6 & v4 capable? How would you send v6 customers AAAA<br />
records while v4 customers regular A records?<br />
DNS servers will provide standard A or Quad-A record to any client that requests the information. IPv4<br />
only clients can request a Quad-A record, and IPv6 only client can ask for standard A record. <strong>The</strong> actual<br />
request may vary depend on client operating system. Customer should test their applications and systems<br />
to better understand DNS behavior.<br />
What does AT&T see in 2012 and beyond in terms of v6 deployment and # of v6 customers?<br />
We expect a significant increase in interest and in actual adoption of IPv6 network services in 2012. We<br />
are actively engaged with many customers in discussing and strategize the best approach to migrating to<br />
IPv6.<br />
NDC Release 1.0 © 2012 AT&T Knowledge Ventures. All rights reserved. 41<br />
AT&T is a registered trademark of AT&T Knowledge Ventures.