Internet Edge IPv6 Deployment

Start at your Internet edge when deploying IPv6

We are at an awkward point in the history of the Internet. IPv4 address depletion has occurred, yet we expect to use IPv4 for the next 15 to 20 years. Organizations see two paths before them. One alternative is to continue to use IPv4 and expect to use multiple layers of NAT for many years to come. The other alternative is to start to use IPv6; however, the majority of enterprise organizations and content providers have not embraced the protocol.

U.S. Federal organizations should be working on meeting the September 2012 Office of Management and Budget (OMB) mandate to IPv6-enable all government Internet-facing web applications. The glacial speed of the federal government combined with government budget issues makes it difficult for them to meet "yet another unfunded IPv6 mandate".

Most enterprises have ignored IPv6. They believe they have plenty of IPv4 addresses for their own needs, so they do not see a need for IPv6. The global economic downturn has caused IT organizations to "do more with less" and they have less time to learn and deploy new-fangled technologies like IPv6. Even though IPv6 has been standardized for many years, there is a general lack of knowledge and experience with IPv6, and now many enterprises are starting to realize the position they are in. Furthermore, the vast majority of organizations are confused about how to start planning for IPv6.

Many organizations get stalled with their IPv6 deployments. They feel they must plan for a full transition to IPv6, which requires all devices that use an IPv4 address to migrate to using IPv6. This is not practical, and it is more likely that organizations will gradually deploy dual-protocol configurations to various portions of their environment over the course of many years. There will be legacy systems in network environments that will only use IPv4 until they are decommissioned. For example, the computer-room Uninterruptible Power Supply has a network interface that only works with IPv4. It is not feasible to replace the UPS just to gain IPv6-management capabilities.

IPv6 has had time to "mature" and now it comes standard in many products. The good news is that much of the network infrastructure, operating systems and applications already contain IPv6 capabilities. DNS Servers and most of the Internet root name servers now support IPv6. Internet Service Providers now offer IPv6 Internet connectivity options. Routers, firewalls, and other systems already have robust IPv6 functionality.

Organizations should strive to use the dual-stack migration strategy. This is where you add IPv6 to your existing systems to make them function using both IP versions simultaneously. Tunneling and translation techniques should be used when dual-protocol configuration is not possible. The mantra of "dual stack where you can, tunnel where you must" is the order of the day.

For many years, IPv6 experts have been urging organizations to IPv6-enable their Internet perimeter systems. The thought was that it is the logical first step and focused on the enterprise getting upstream IPv6 Internet connectivity. It makes sense that perimeter DNS systems, web applications and e-mail servers would be the first zones of the network topology to get IPv6. Through the process of migrating the perimeter to IPv6, an organization would learn most of what they needed to know about IPv6. Too many organizations try to "boil the ocean" and get overwhelmed thinking about everything in the enterprise that needs to migrate to IPv6. The "Internet-edge" deployment method defines a finite scope that helps an organization focus their efforts.

Organizations will need to IPv6-enable the Internet-edge before they deploy IPv6 further into their internal backbone network. Native IPv6 connectivity must be deployed one layer-3-hop at a time to maintain contiguous IPv6 routing. Stepwise deployment of IPv6 is required to prevent discontiguous networks that would need to be bridged with a manually configured tunnel.

The first step in this plan is to establish IPv6 Internet connectivity. Your current ISP may already have native IPv6 Internet connectivity available for no additional cost. Organizations might contact their existing ISP to find that they do not offer native IPv6 Internet connectivity. In this situation, an organization could use a manually-configured tunnel on their Internet router to quickly get IPv6 Internet connectivity. Organizations may also start to search for other carriers who offer native IPv6 connectivity in their service area. Starting out with a tunnel to the IPv6 Internet is better than doing nothing. Another option is to use Locator/ID Separation Protocol (LISP) on the Internet router to create a LISP tunnel for reaching the IPv6 Internet. However, tunnels can add complexity and administrative burdens, and they reduce the effective MTU size. This is why many consider tunneled IPv6 Internet connectivity less preferable than operating both protocols natively and simultaneously. However, the organization could continue to strive for dual-stack upstream Internet connectivity and then decommission the tunnel.

Both commercial enterprises and federal organizations need a streamlined approach to establish IPv6 communications to their Internet web applications. Virtually all of an organization's web applications run on dual-protocol-capable operating systems but they are on IPv4-only networks. Therefore, most of these applications are accessible by clients using only IPv4. These perimeter servers and services may remain IPv4-only for some time but organizations need an easy way to make them IPv6-reachable.

Organizations should focus on their Internet edge as their first step in transitioning their environment to IPv6. Starting from the Internet and then moving inward is the logical step-wise method for adopting IPv6. Start with your upstream Internet connectivity, then IPv6-enable your Internet routers and your firewalls, then add IPv6 addresses to your authoritative DNS. After that you can IPv6-enable SLB/ADC appliances and go ahead and natively IPv6-enable your perimeter application servers. As you IPv6-enable the perimeter you will learn about IPv6, and that experience can be leveraged as you deploy IPv6 further into your organization's internal environment.
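The hop-by-hop contiguity rule and the outside-in order described above can be checked against a topology inventory. The following is an added example, not part of the original article; the hop names and the enabled set are constructed sample data.

```python
from collections import deque

# Constructed sample topology (hypothetical names): each layer-3 hop lists the
# hops directly behind it, starting at the upstream ISP and moving inward.
LINKS = {
    "isp": ["edge-router"],
    "edge-router": ["firewall"],
    "firewall": ["dmz-adc", "core-switch"],
    "dmz-adc": ["web-server"],
    "core-switch": ["lab-router"],
    "web-server": [],
    "lab-router": [],
}
# Hops that currently have IPv6 configured (constructed).
V6_ENABLED = {"isp", "edge-router", "firewall", "dmz-adc", "lab-router"}


def native_reach(links, enabled, root="isp"):
    """Hops reachable from the upstream over an unbroken chain of IPv6 hops."""
    if root not in enabled:
        return set()
    seen, queue = {root}, deque([root])
    while queue:
        for nxt in links.get(queue.popleft(), []):
            if nxt in enabled and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def islands(links, enabled, root="isp"):
    """IPv6-enabled hops cut off by an IPv4-only hop; these would need a tunnel."""
    return set(enabled) - native_reach(links, enabled, root)


def next_hops_to_enable(links, enabled, root="isp"):
    """IPv4-only hops directly behind the contiguous IPv6 region."""
    reach = native_reach(links, enabled, root)
    if not reach:
        return {root}  # nothing works until upstream connectivity exists
    return {n for hop in reach for n in links.get(hop, []) if n not in enabled}


if __name__ == "__main__":
    print("native:", sorted(native_reach(LINKS, V6_ENABLED)))
    print("islands:", sorted(islands(LINKS, V6_ENABLED)))
    print("enable next:", sorted(next_hops_to_enable(LINKS, V6_ENABLED)))
```

In the sample, lab-router was enabled ahead of core-switch, so it shows up as a discontiguous island, while core-switch and web-server are the next hops to enable.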

Many people have been advocating the Internet-edge IPv6 deployment model for many years. John Curran, President and CEO of ARIN, has been advocating that organizations start their IPv6 deployments by connecting their web and e-mail servers to the IPv6 Internet. Cisco has recently published their "Cisco Enterprise Internet Edge Design Guide", which provides some great examples of how to go about this type of deployment. On December 13, 2011, in New York at the Network World event "The Critical Path to IPv6", I gave a presentation titled "Strategies for Getting Started with IPV6".

I have also written a couple of articles (Network World Clear Choice Test) that give more information about specific products that can aid organizations with their IPv6 deployment in their DMZs.

IPv6 deployment starts at the network edge

Six ADCs deliver IPv6 capabilities to apps hosted on IPv4 Web servers

How to shop for Application Delivery Controllers

Scott
