IPv6 and reality

I’ve been doing quite a bit of research lately regarding the practicality of implementing IPv6 into production networks and I’ve got to say that at this point there are still some pretty big questions to be answered.  I’ve reached out to a few other blogs and vendors and have yet to really get a straight answer.  So here I’ll attempt to outline IPv6 the way a “boots on the ground” network admin would, and I hope someone out there reading has some input.

First let’s cover the basics as I understand them.

There are private address ranges in IPv6 just like in IPv4, however it isn’t recommended they actually be used in production.  IPv6 marks the death of NAT and all of the problems that NAT bring.  Ie..  port starvation, NAT rules to forward particular traffic from the WAN to LAN, etc..  However, I would argue that there are actually some benefits delivered by NAT.  A topic I will cover below..  So three types of IPv6 addresses:

2000::/3 through E000::/3 – Global unicast, public registered IP.  Internet routable addresses.
FC00::/7 – private routable IP addresses. Local unicast.
FE80::/10 – link local, none internet routable IP address.  Only unique within your network.

Throw everything you know about DHCP away with IPv6.  The default gateway is not set using DHCP like with IPv4, it’s done with a “router advertisement”.  The concept of IP addressing is a little different than with IPv4 too..  not just because the IP addresses are now 128 bits, but you actually have more options than “dynamic” or “static” like wth IPv4.  The router advertisement can be configured with one of the following 3 flags which changes the behavior of your client:

A: Auto-stateless
M: DHCPv6
O: Stateless DHCPv6

So with flag “A”, the DNS server is actually handed out by the router advertisement and there is no need for DHCP at all.  The client looks at the router advertisement, sees the “A” flag and says “oh, I need to create my own address using the advertised prefix”..  2001::1/64 for example is the advertised prefix.  The client uses it’s own 48 bit MAC address to generate the rest of the host portion of the IPv6 address.  However, the IP address is still short on bits..  The Router gave us 64 and the network adapter MAC gave us 48, so we still need to make up for a missing 16 bits to make the full 128 bit IPv6 address.  So the client pads the 48 bit MAC address with “FF:FE” right in the middle.  For example, a MAC address of 00:14:D1:B0:17:70 becomes 0014:D1FF:FEB0:1770 creating a full 64 bit host IP address that can be added to the 64 bit prefix that was given out by the router.  Then the DNS servers are also obtained by the router advertisement.

The “M” flag works a little more traditionally as to my understanding.  Once the client sees the “M” flag on a router advertisement it already knows the prefix and the default gateway, however it actually pulls the host address from the DHCPv6 server as well as other settings like domain name, DNS, and other options.

The “O” flag confused me at first.  Let me know if I am off base, but my understanding is that the “O” flag functions very similarly to the “A” flag, with the exception that DHCP options like DNS, Domain Name, etc. can still be set by a DHCPv6 server.  However the address is still automatically generated.  So in this method the DHCPv6 server isn’t actually handing out addresses.  So you couldn’t do a reservation for example with this flag.

Now for my practical integration questions (the heat of the meat)

So any admin that has been responsible for administering IPv4 based networks will have some immediate questions that come up before they’ll consider integrating this into their environment.  The day is coming when it isn’t really something you can put off, but at the time of writing this post (Feb 2017) there are still ISP’s I run into that don’t even offer native IPv6 support.  Here is my “beef” with IPv6 and I am hoping someone out there with more experience can comment.

Failover
With IPv4 it was pretty trivial to use a gateway/NAT router and connect multiple ISPs with different IPv4 networks given out by that ISP and failover between them.  If ISP one goes down, no big deal, the router is probing out that interface and will just dynamically change the NAT policy/zero route to push all traffic through the ISP that is up and running.  This doesn’t address inbound services, but I will get to that.

Now with IPv6 the entire internal network is addressed by your ISP.  So now the process of failing between circuits requires that your entire internal network and all subnets get readdressed.  It sounds like you can do this pretty quickly by changing router advertisements, but yikes this sounds like a mess.

A couple of ideas I have had about dealing with this:
1. Use private IPv6 addressing and still do NAT.  But is this really recommended?  Everything I read says to avoid this config like the plague.  But it is technically possible.  To deal with port mapping and public services that break with NAT, you could even consider doing like a 1:1 translation to your internal network assuming they used the same prefix length…

2. Buy IP space from ARIN so that you own your IPv6 space and it isn’t tied to the ISP circuit.  Ya, because the traditional gateway failover method was exactly the same as running BGP and purchasing IP space right?  NOT.  The skill set necessary to accomplish this configuration is significantly different.  As well as time and monetary investment.  This is the best option if you have publicly accessible internal resources that need 100% uptime, but wasn’t always necessary for just ensuring redundant outbound access to the internet.

3. Run both private and public addresses on your network?  This one is a long shot and I couldn’t get it to work myself.  I can’t find any information confirming that it should function..  Basically the thought was that you have two different IPv6 address schemes on your network.  One that gets you access to the internet and that can change at any time and the other was a static private address scheme for internal communication only.  It means double router advertisements for the same network segment and what address ends up getting registered in your internal DNS servers?  I could only ever get a client to obtain one or the other address in the lab, never both.

IPv6 isn’t available!
What do you do with this?  You’ve decided to go all in IPv6 and boom, half your sites have an ISP that don’t even offer it.  Do you wait?  Or do you get your Popsicle sticks and bubble gum out and start using IPv6 over IPv4 tunnel providers?  Ya, that sounds like fun.  Perhaps there are SDN WAN solutions that can help with this?  For circuit failover too for that matter?

Talking with folks in the industry, IPv6 is still really just not implemented.  With how long the technology has been out I really am astounded at the lack of real life implementations at the level of network that I administer (approx 400 endpoints and below).  Most people just ignore it and are looking for someone else to come up with an easier solution before jumping in.  Wonder what will happen on the day that you can’t get to an internet resource because you don’t have IPv6 connectivity?  Guess it depends if it’s a destination that the CEO wants or the guy in accounting…

Thanks for reading, look forward to some feedback!

Regards,
Adam Tyler

 

***Edit 20180406

I just discovered an IPv6 RFC that may be an option 4 to my list above.  1:1 NAT for the entire public subnet to your internal IPv6 network.  Nice!

https://tools.ietf.org/html/rfc6296#section-1.1

Leave a Reply