Six Simple Steps to IPv6

It’s easy to understand how one would be perplexed by the multitude of IPv6 deployment options and approaches. And depending on the extent of your network on which you plan to deploy IPv6 as well as the state of your current IPv4 network and computing environment, the task of IPv6 deployment may range from being quite straightforward to being very complicated.
But to help you get started in determining where your environment lies on this complexity continuum, I’d propose the following steps to keep it SIMPLE! These steps may be iterative if you split your deployment into phases, but the same basic process should apply on each iteration:
  • Scope - The first step is to define the scope of your IPv6 deployment. For example, are you planning to implement IPv6 on Internet-facing infrastructure only or throughout your network? You may plan to implement IPv6 throughout your network eventually but decide to deploy in phases, starting with a small, controlled portion of your network to gain experience and test for any unanticipated side effects. It will likely also be more appealing from the perspective of resource requirements to start small then expand deployment as well.
  • Itemize – If you don’t already have complete computing and network inventory, perform network discovery of end user devices, servers, infrastructure, IP subnets and address assignments as well as address pools within your chosen scope. This should also include applications, databases, security and network management products, and those employee “bring your own devices” (BYODs).
  • Mitigate – From your itemized list of computing components, identify which are IPv6-ready and which require upgrading or replacement. The latter forms the start of your “to-do” list. Recent vintage routers, switches and device/server operating systems support IPv6 today but it is instructive to take inventory and verify this is the case. Most applications that do not embed IP addresses within screens, configuration files or packet payloads should work with IPv4 as well as IPv6 though this should be verified as well. You may also need to invest in new infrastructure; e.g., DHCPv6 servers, so identify required new items for your “to-do” list, and also consider your security and network management products.
  • Plan – Based on your defined mitigation tasks, i.e., your “to-do” list, which identifies what components need to be procured or updated, determine the respective costs and align with the budget process, phasing in any required purchases as the budget permits. Define your IPv6 address plan and identify any IPv4-IPv6 transition technologies you plan to use, such as dual-stack, tunneling and translation techniques. Update your security policy to incorporate IPv6 protection policies, as well as management and change control policies to account for IPv6. Plan for training for personnel involved in IPv6 implementation and support. Integrate all of these planning tasks into an integrated project plan and identify resources required, dependencies, and planning time frames.
  • Lab test – The plan should incorporate a testing phase prior to production deployment to verify IPv4-IPv6 operations. To the extent possible, include as many components as possible in the testing, including security and management systems. Identify any issues and update plans or work with respective vendors to resolve.
  • Execute and manage – With a solid plan in hand and successful lab testing, the probability of successful plan execution can be maximized. However, even the best plans cannot predict every possible error condition. Carefully manage the deployment in accordance with the plan, invoking contingencies as needed. Communicate feedback to all involved including management to provide status updates and issues. Monitor security logs and management systems to baseline network operation and to identify anomalous conditions.
These “simple” steps provide a broad guideline for the process of IPv6 deployment. In attempting to keep things simple, try to focus the project only on deploying IPv6, and not to “throw in” additional network initiatives at the same time. This can lead to unexpected outcomes and complexity in troubleshooting and resolving error conditions. Stay focused and keep it simple!

Comments

Post a Comment

Popular posts from this blog

Handy AAAA filter in BIND 9.8

The ISC introduced a pair of new configuration file options in BIND 9.8 to enable administrators to easily filter who may receive AAAA record type responses even if valid responses exist. For example, clients on subnets that do not have IPv6 network access can be excluded from receiving affirmative answers for AAAA queries. This feature provides simpler administration than the alternative mechanism using views. The first option, filter-aaaa-on-v4,defines whether the server will return AAAA records to certain clients. Such clients are defined by the address match list parameter of the second option, filter-aaaa. Note that BIND must be compiled with the --enable-filter-aaaa option on the configure command line to enable AAAA filtering. The syntax of these options is as follows: filter-aaaa-on-v4 (yes | no | break-dnssec) ; filter-aaaa {addr_match_list;} ; The filter-aaaa option identifies the address match list for which the filter-aaaa-on-v4 option is to be applied as described
Read more

Inglorious DDI

We all know how critical DHCP/DNS/IPAM (DDI) services are. Your network cannot function without them. But like most foundational elements of anything, they are certainly not glamorous...like good luck finding a home designer who specializes in home foundations. I would not be shocked should HGTV pass on my brilliant concept for a foundation building show. I suppose most people would find a show detailing footing depths and concrete pouring techniques rather boring.  Nevertheless, there are countless shows for redesigning and remodeling homes. On most episodes the foundation is out of sight, out of mind. If it's stable, no one wants to pay it attention, they just expect it to keep doing its job, supporting the structure. Once in a while a foundational issue is brought up that unexpectedly threatens to raise the budget to heighten the drama. All work stops until the issue is addressed. And you'll notice that the owner never denies paying the extra amount to fix the issue.
Read more

BIND 9.8.0 Adds DNS64 Support - Part 2 - How is it configured?

BIND 9.8.0 introduced a new dns64 option statement that can be configured within the server named.conf options block or within a view options block. Recall from a prior post that DNS64 configures a recursive DNS server to issue A record queries on behalf of a client requesting AAAA records, then appends the returned IPv4 address to a defined IPv6 prefix. This manufactured IPv6 address enables the querying host to connect to a NAT64 gateway which will terminate the IPv6 connection from the client and map it to an outbound IPv4 connection to the appended IPv4 address, completing the connection! Whew! BIND offers a number of useful parameters within the dns64 statement to control this process. The statement syntax is: dns64 IPv6_prefix { [clients {address_match_list };] [mapped {address_match_list };] [exclude {address_match_list };] [suffix IPv6_addr;] [recursive-only (yes|no);] [break-dnssec (yes|no);] }; The IPv6_prefix parameter is the prefix to which returned
Read more