IPv6 In The - NANOG

Transcription

IPv6 in the Enterprise Sector
Andy Davidson - LONAP / NetSumo
Monday June 15th, 2009
NANOG 46
Philadelphia, PA, USA
Thursday, 11 June 2009

Agenda
- Business Drivers for v6 rollout
- Process
- Problems
- Observations

Interviewed
- Fred Wettling, Bechtel
- Paul Hoogsteder, DOK Delft Library
- Rich Groves, Microsoft IT

Business Drivers
- All interviewees reported similar business drivers
- Drive to ‘everything IP’, enormous demand for addresses
- V4 exhaustion a real concern
- Maximise global routing reachability
- V6 a new customer requirement, e.g. government requirements from 2005

Drive to early rollout
- Gradual change much cheaper than ‘big bang’ rollout
- Early adoption leads to lower risk and greater continuity

Process
- Modify procurement specification to mandate v6 support
- Use existing change control process to gradually introduce v6
- Rollout has to be ‘business as usual’

Initial Observations
- Routing infrastructure, Desktop OS, all well supported
- Service infrastructure (firewalls, load balancers) & applications have relatively poor maturity

[Network diagram slide: DB / Storage ("Secrets!!!!"), Services, More Services, Load Balancer, Users, Wifi, Branch office, HQ, Partners, Control devices, VPN GW, Noc/Monitoring, Roving users, CUSTOMERS and multiple ISPs, with layer2 and ipsec links]

[Network diagram slide, labelled "Broad support"]
- Users don’t notice - this should be a design goal
- User operating systems tend to be acceptably compliant
- However, many applications which talk over the network are not v6 aware

[Network diagram slide, labelled "Broad support"]
- Server Operating Systems also appear to work
- Support in Open Source platforms now very mature

[Network diagram slide, labelled "Good"]
- Core routing infrastructure tends to be good (the stuff SPs also use!)
- Specific problems that require complex labbing (more shortly)

[Network diagram slide, labelled "Support Varies"]
- Service providers in different geographies have strongly different v6 …
- For every service provider that is extremely mature, there are many more who have not started adoption process

[Network diagram slide, labelled "Frustrating"]
- CPE poor at v6
- Complaints: hard to buy CPE that does it; Wifi kit that refuses to pass v6 frames
- Some glimmers of hope in next-gen kit
- Success with: Apple Airport, AVM Fritz!box, A&A Firebrick, Cisco 837, 1800

[Network diagram slide, labelled "Bad"]
- v6 interfaces often missing
- v6 forwarding performance lower (asic support missing)
- Inconsistent feature set in product range, e.g. Protocol41 on ASA
- Success with: ASA v7, Checkpoint (v4 mgmt), Linux ip6tables / Sun ipf, Screenos v5

[Network diagram slide, labelled "Bad"]
- e.g. Handheld devices, or control units, or cameras, etc.
- Was often serial, now driving ‘ip everywhere’ & address consumption
- RFID ethernet?
- Often cheap and old technology with no v6 support

[Network diagram slide, labelled "Bad"]
- v6 missing in many VPN feature sets

[Network diagram slide, labelled "Bad"]
- LB logic/expectations engrained in enterprise software, hard to migrate between platforms
- Urgently important to most large enterprises
- v6 support really lacking here
- Vendor interest: A10 Networks, Citrix, Apache / mod_proxy_balancer

Key Grumbles
- Infrastructure has different v4/v6 commands
- Infrastructure has no v6 in some interfaces (e.g. cisco ASA has no v6 in web GUI)
- Vendors must be more consistent!
- Availability of v6 in some regions poor, some excellent - hard to predict availability
- First Hop Redundancy protocols considered poor

More Grumbles
- “Interesting” bugs you wish you’d found in the Lab
- Various things can cause all forwarding to happen on the CPU rather than in hw, e.g. c6500/802.1ah
- Lots of platforms can’t measure v4/v6 traffic volumes independently (helps you find these bugs!)
- Enterprise v6 maturity feels a bit like routing v6 maturity did a few years ago
- Transitional technologies (will expand more)

Transitional Technology
- All wanted to avoid Transitional Tech
- Tunnels considered to provide poor service levels, native strongly preferred
- Device support for transitional tech (e.g. 41) not as good as support for native
- Partial roll followed by full roll is twice the work, and engineers prefer to party
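Added example (not from the original slides): one way to get the independent v4/v6 traffic volumes that "More Grumbles" asks for, counting IPv4 protocol 41 (6in4) from "Transitional Technology" as tunnelled v6 rather than plain v4. The flow-record layout, function names and sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

PROTO_IPV6_IN_IPV4 = 41  # IP protocol number for IPv6 encapsulated in IPv4 (6in4)

# Constructed sample flow records: (source, destination, IP protocol, bytes).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 6, 12000),       # native v4 TCP
    ("2001:db8:1::10", "2001:db8:2::5", 6, 8000),   # native v6 TCP
    ("192.0.2.10", "203.0.113.1", 41, 5000),        # v6 tunnelled over v4
    ("2001:db8:1::20", "2001:db8:2::5", 17, 700),   # native v6 UDP
    ("192.0.2.30", "198.51.100.5", 17, 300),        # native v4 UDP
]


def classify(src, dst, proto):
    """Return 'v4', 'v6-native' or 'v6-in-v4-tunnel' for one flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError(f"mixed address families in one flow: {src} -> {dst}")
    if s.version == 6:
        return "v6-native"
    if proto == PROTO_IPV6_IN_IPV4:
        # Outer header is v4, payload is v6: a v4-only counter hides this.
        return "v6-in-v4-tunnel"
    return "v4"


def volumes(flows):
    """Sum bytes per traffic class so v4 and v6 can be tracked separately."""
    totals = Counter()
    for src, dst, proto, nbytes in flows:
        totals[classify(src, dst, proto)] += nbytes
    return dict(totals)


def v6_share(flows):
    """Fraction of all bytes that are v6, native or tunnelled."""
    totals = volumes(flows)
    total = sum(totals.values())
    v6 = totals.get("v6-native", 0) + totals.get("v6-in-v4-tunnel", 0)
    return v6 / total if total else 0.0


if __name__ == "__main__":
    print(volumes(SAMPLE_FLOWS))
    print(f"v6 share of bytes: {v6_share(SAMPLE_FLOWS):.1%}")
```

Tracking the three classes separately over time makes a drop in v6 throughput, or unexpected tunnelled v6 that bypasses native v6 policy, visible in monitoring.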

Successes
- Users don’t notice the difference
- Helpdesk training not complex

Killer Apps?
- As if “more addresses” was not enough.
- Microsoft Direct Access
- Creates Always On ad-hoc VPNs that use IPSec over IPv6. Coming in Windows 7
- Is really just an extension of the end-to-end debate - this innovation is possible because v6 end-to-end is a reality today and new p2p apps will follow.

What nobody mentioned
- NAT6 - perhaps we don’t need it after all
- Good. :-)
- Though ISATAP (or ALG layers) is a necessary evil for now to get reach of v6 from v4 only world.

Questions and Comments at the end
Andy Davidson
andy.davidson@netsumo.com
