
AT&T IPv6 Migration Guide

Release 1.0

February 29, 2012

NDC Release 1.0

© 2012 AT&T Knowledge Ventures. All rights reserved. AT&T is a registered trademark of AT&T Knowledge Ventures.


Technical Assistance

This is an AT&T proprietary document developed for use by AT&T customers. For additional technical assistance contact your AT&T sales team. (This document was prepared by AT&T Solution Center, Network Design and Consulting Division.)

Legal Disclaimer

This document does not constitute a contract between AT&T and a customer and may be withdrawn or changed by AT&T at any time without notice. Any contractual relationship between AT&T and a customer is contingent upon AT&T and a customer entering into a written agreement signed by authorized representatives of both parties and which sets forth the applicable prices, terms and conditions relating to specified AT&T products and services, and/or, to the extent required by law, AT&T filing a tariff with federal and/or state regulatory agencies and such tariff becoming effective. Such contract and/or tariff, as applicable, will be the sole agreement between the parties and will supersede all prior agreements, proposals, representations, statements or understandings, whether written or oral, between the parties relating to the subject matter of such contract and/or tariff.


Table of Contents

1 Introduction ..... 5
2 Migration Scenarios Overview ..... 6
  2.1 End-User Connections ..... 6
  2.2 Internet Content ..... 7
  2.3 Remote Access ..... 7
  2.4 Mobility ..... 7
  2.5 Corporate Internet Access ..... 8
3 IPv6 Strategy ..... 10
  3.1 IPv6 Addressing ..... 10
  3.2 Planning ..... 12
    3.2.1 Assess Corporate Network Requirements ..... 12
    3.2.2 Provider Assigned or Provider Independent Addresses ..... 13
    3.2.3 Develop an Addressing Strategy ..... 14
  3.3 Implementation ..... 15
  3.4 Multi-Homing ..... 16
    3.4.1 Single Carrier Multi-homing ..... 17
    3.4.2 Multi-Carrier Multi-homing ..... 17
    3.4.3 Multi-Region Multi-homing ..... 17
4 Establish IPv6 Enabled Connectivity ..... 19
5 Access Router Configuration ..... 20
  5.1 BGP ..... 20
  5.2 Static ..... 21
  5.3 Access-List Formats ..... 22
6 Security ..... 24
  6.1 Perimeter Security (Firewall) ..... 24
    6.1.1 Traffic Filters ..... 25
    6.1.2 Proxy and Translation ..... 26
  6.2 Internal Security ..... 27
    6.2.1 Router Solicitation and Router Advertisement ..... 27
    6.2.2 Automatic Tunneling ..... 27
  6.3 Candidate Best Practices ..... 28
7 Servers/Endpoints ..... 29
8 Domain Name System (DNS) ..... 31
9 Testing/Verification ..... 35
10 Conclusion ..... 36
Appendix A ..... 37
  A-1 Establishing a Teredo Tunnel ..... 37
  A-2 IPv6 Address Example ..... 38
  A-3 Frequently Asked Questions ..... 39


1 Introduction

The purpose of this document is to provide guidance for customers adopting IPv6 into existing network environments. The information provided assumes an existing network environment based on IPv4 with the goal of adding IPv6 capabilities into the existing infrastructure to create what is referred to as "dual-stack". There are a number of potential network environments that might need to adopt IPv6 (as outlined in Migration Scenarios Overview). The initial focus of this document is to address the public facing corporate infrastructure (i.e. web, mail, public application servers, etc). The secondary focus of this guide will be for migration of internal corporate networks. Future releases of this document will continue the process into the back-end for migration of corporate intranet applications and the private Wide Area Network (WAN).

As IPv4 address space is exhausted, end-user services will be provided via IPv6. Most of these services will initially be structured to maintain connectivity to the IPv4 Internet via various transition mechanisms. As this process proceeds, an increasingly larger portion of the end-user population will have IPv6 capabilities. For DMZs of corporate networks, this trend will drive the need to have public facing content reachable through IPv6 as well as the current IPv4. The broad use of private (RFC 1918) addressing in corporate networks helps lessen the urgency of IPv6 migration for the 'internal' corporate network. In addition, for a limited base of internal users, IPv6 requirements can be addressed through transition mechanisms.

An initial focus on the public facing corporate infrastructure allows the organization to begin adopting the technology in a limited fashion, while minimizing the technical risks associated with early adoption. This provides a means for developing experience with IPv6 technology and addressing the more immediate emerging needs. As the technology matures and technical issues are resolved, broader based adoption can be pursued.

IPv6 technology adoption is a moving target. This guide provides current best practices and recommendations; there are some areas highlighted where there may still be open technical issues, or best practices are still evolving.

2 Migration Scenarios Overview

This section outlines some of the primary areas that might be faced during IPv6 adoption in the near future.

Corporations typically deploy one or more Internet access facilities to support the enterprise. The facilities are used to provide employees access to web-based content and applications, as well as to support Internet facing corporate resources such as web content, extranet applications, and remote user (e.g. IPSec) access. DMZ based DNS servers, load balancers, and security appliances are common to this environment. For these enterprise networks, there are a number of potential solutions. If IPv6 deployment is required, the initial IPv6 focus should be on external facing resources, with a more comprehensive migration to follow. Overall, this is a good thing because there are some unique technical challenges for migration of enterprise networks. For most enterprises, full migration to IPv6 throughout the enterprise is best deferred until best practices are more fully developed and accepted. An initial focus on web content, email servers, extranet apps, etc. allows the enterprise to gain experience and presence in the IPv6 space. Additionally, the technical issues for this level of migration are much less challenging and the reduced scope greatly reduces the negative implications if the approach needs to be modified as the technology matures.

The current release of this document focuses on Corporate Internet Access along with some initial guidance and open issues on Corporate Intranet Access. The following paragraphs provide a brief context for some of the non-enterprise IPv6 adoption issues along with our description of a specific enterprise migration scenario as defined in the remainder of this guide.

2.1 End-User Connections

End-user refers to the consumer broadband Internet market, typically homes served by broadband (UVerse, DSL, cable, etc). The initial drivers for IPv6 deployment are most apparent in the consumer end-user space. Adoption in this space is being driven largely by public IPv4 address exhaustion. This segment of the market is the most active area in the adoption of IPv6. While most active, this space is the least technically savvy. IPv4 address exhaustion is prompting service providers to leverage IPv6 in consumer-based offers. There are a number of approaches being explored in the end-user access space. Many of these approaches involve assigning an IPv6 address to the customer's connection while maintaining their existing in-house networks as-is (e.g. 192.168.x.x). This minimizes the impact on customers while allowing the service provider to provision new customers using IPv6 rather than IPv4. These tunneling/gateway approaches are viewed as transitional, however this is still a very fluid area for IPv6 technology. Movement toward dual-stack (IPv4 and IPv6) models allows connectivity to both domains. These will typically attempt to use IPv6 as the first choice and fall back to IPv4 for resources that are not available via IPv6. This approach will facilitate the gradual phasing out of IPv4 content and connectivity.

For the enterprise network architect, the approaches and technologies are largely a service provider issue and out of scope for this guide. However, it is important to understand the movement in this space as it will be the predominant driver for the migration to IPv6. Businesses with online consumer business models (search, social, gaming, retailing, etc) will need to add IPv6 to support Internet-based access to a migrating consumer customer base. Most non-web centric enterprises make extensive use of private addressing and IPv4 NAT for internal resources and intranet connectivity. This greatly lessens the concern associated with IPv4 exhaustion for enterprise networks. One notable exception is for corporate remote access solutions. Enterprise architects should be aware of residential consumer deployments in planning and deploying remote access solutions for IPv6.

2.2 Internet Content

Internet content refers to the market segment with business models based primarily on providing Internet-based content and services. It will be considered a competitive necessity to provide both IPv4 and IPv6 access to commercial content and services. To effectively serve their online consumer customer base, Internet content providers will likely be early adopters of IPv6 technology. These businesses, together with Internet Service Providers and equipment vendors, represent the vanguard of IPv6 technology development. These industries have unique challenges relative to content availability, load distribution, distributed content, back-end systems, etc. that are unique to the industry and often a key aspect of the company's value proposition. As mentioned, the complexity of these environments is well beyond the intended scope of this guide. For the internal corporate network, this guide has some applicability for these businesses. These businesses also have internal enterprise networks that face the same technology and migration challenges outlined in this guide. An important caveat is that the urgency for providing IPv6 access to the internal user base may be somewhat higher due to the Internet centric nature of the business.

2.3 Remote Access

Remote access refers to the set of approaches that allow external users to access the corporate network, generally leveraging Internet connectivity at both the remote and the corporate site. These capabilities may be leveraged by 'work at home' employees, travelling/mobile employees, and business partners. There are many technologies and solutions currently in use for remote access, including VoIP. Some of the unique features of IPv6 are likely to expand the options in this space. As endpoints served by consumer services migrate to IPv6 capabilities, enterprises will need to re-evaluate and adapt their remote access mechanisms. The current version of this guide does not address Remote Access. For now, existing IPv4 mechanisms should continue to serve until native IPv6-only connectivity starts emerging as the norm. This will be addressed more fully in subsequent releases of this document. The guide will be amended as IPv6 Remote Access technologies are deployed and mature.

2.4 Mobility

Mobile cellular wireless technologies and applications are a high growth field, at a scale well beyond initial expectations. This would imply that mobile wireless growth should lead the way in IPv6 deployment. But cellular wireless networks are intimately tied to their end devices' capabilities and configurations. This tight coupling is largely due to the added cost of wireless spectrum and billing plans that feature usage charges and subscriptions based on types of services needed. End user devices that presume to use IPv6 networking must be tested, approved, and be able to register for prearranged services. This creates a catch-22. Devices can't support IPv6 until the network allows it. By the same token, the network development effort is complicated by huge demand for new capabilities. Both networks and devices must evolve and deploy capabilities in coordination with each other. It is expected that IPv6 cellular wireless ubiquity will lag behind wireline deployment.

The mobility space is also fertile ground for "green field" or totally new kinds of network usage. Package tracking, truck and rail car geo location, smart grid meters are just a few examples where huge numbers of endpoints need to be addressed. The initial migration guidance provided for enterprise migration is conceptually applicable to these environments, but the scale and diversity of technologies present additional layers of complexity well beyond the intent of this guide.

2.5 Corporate Internet Access

The figure below depicts a typical (simple) enterprise network.

Figure 2.5 - Typical Enterprise Network (diagram: Enterprise Network (LAN/WAN), Internet Access Router, Internet, and a DMZ holding Public Content: Web, Email, Etc.)

The Enterprise consists of corporate employees/users, internal servers/applications and the LAN/WAN infrastructure for the corporation. The DMZ contains a set of external resources such as the corporate web site and external email. A firewall provides security functions with appropriate policies for a DMZ and the corporate Intranet. The scope of the DMZ and associated 'public' resources is typically quite small compared to the enterprise intranet. The scope of the intranet can be quite extensive with significant implications for deployment of IPv6.

Intranet Complexities

One of the fundamental differences between IPv4 and IPv6 is in the use of private addressing. Where IPv4 allows the use of private addressing in the corporate Intranet, and can take advantage of Network Address Translation (NAT) to provide a beneficial decoupling between internal corporate networks and the Internet, the use of NAT is currently discouraged in IPv6, with the expectation that all devices will have globally unique addresses. This approach has been rationalized in the IPv6 community due to the abundance of available IPv6 addresses, coupled with the desire to eliminate stateful NAT, and an erroneous prevailing perception that it provides increased security. Unfortunately, this stance fails to recognize some of the additional benefits of NAT that are specific to the corporate Intranet.

Within the DMZ, IPv4 addresses are typically provided by the service provider. If a corporation wants to switch to a new service provider, some degree of re-addressing is required. With NAT, however, the scope of this re-addressing effort is greatly reduced, affecting only the DMZ. The internal private addressing remains intact. In contrast, if Provider Assigned (versus Provider Independent) IPv6 addresses are used for the entire enterprise, the task of re-addressing the network to switch providers is much more complex. Automated addressing mechanisms have the potential to address this problem, but there is still significant work to be done before these technologies are fully mature. Similarly, the use of private addressing greatly reduces the urgency of migration for the intranet portion of the enterprise.

Many enterprises use multiple internet access connections from diverse corporate locations and/or diverse carriers. With IPv4 it is quite common to have separate blocks of provider assigned addressing for each of these connections. Internal users will appear as the appropriate source address on the Internet based on passing through an independent NAT/Firewall function for each connection. This assures appropriate routing and session symmetry to maintain firewall state. These multi-homing scenarios are much more complicated for IPv6. Given that IPv6 does not have a supported NAT equivalent, the enterprise must either deploy Provider Independent IPv6 addressing or assign multiple IPv6 host addresses to each end device. Even then, the issue of session symmetry must also be addressed, or a means of sharing state across diverse firewalls must be deployed.

The issues surrounding NAT elimination, multi-homing, and automatic address assignment coupled with the scope and risk of unduly early intranet deployment warrant significant deliberation prior to IPv6 deployment. Many of these issues are being addressed in current work. Best practice approaches will emerge going forward.

Public Resource Migration

Accordingly, the initial focus for the enterprise should be on the public facing aspects of the network. These represent a much smaller scope greatly reducing the negative implications of an initial misstep. Migration of the public facing enterprise resources is a nicely bounded project that allows the business early participation in the IPv6 space while avoiding undue risk. This allows the enterprise architect a prudent learning curve in IPv6 technologies while allowing some of the emerging technologies and approaches to mature before wide scale deployment in the intranet. It is this initial migration that is discussed in the remainder of the current version of this guide.

3 IPv6 Strategy

With a goal of establishing dual-stack (simultaneous IPv4 and IPv6) internet access, the following fundamental sequence occurs:

1. Establish an addressing plan
2. Procure Dual-Stack Internet Service
3. Configure the Access Router
4. Configure the firewall
5. Configure IPv6 on DMZ Resources
6. Augment DNS
7. Testing & Verification

Steps for IPv6 Internet Migration

These steps are covered directly in the subsequent sections of this document. Although it is not listed in the steps above, it is very important to conduct a thorough infrastructure assessment of current hardware and software's ability to support IPv6. This goes beyond simply verifying that "IPv6 networking support" is included in firewalls, routers, switches, user PCs, application servers, name servers, reporting tools, etc. IPv6 addresses are significantly larger and require more memory and additional processing. This creates an incremental burden on equipment that must, presumably, continue to support IPv4 networking. Running both protocols in a dual-stack scenario will be more than twice as complicated and require significant additional capacity from any hardware that participates in this transition. That said, we might also suggest that a serious assessment of the enterprise's ability to handle the additional complexity and capacity demand of running two simultaneous protocols should be done in the early phases of migration. This allows for adjustment of capital expense budgets to cover the deficiencies that will be discovered.

This document primarily addresses an early phase of IPv6 migration where one focuses on public facing elements (web, email, etc), while counseling a more deliberate stance toward migration of the private side. Accordingly, the implications of a mis-step for the initial 'public' migration are not severe. If the addressing plan needs to be redone or re-worked, the scope of changes required for public facing devices is fairly limited. That said, some thought should be given to the IPv6 allocation plan for the entire enterprise even at this initial step. The IPv6 addressing plan does not lend itself to the same level of private/public separation as there is for IPv4.

3.1 IPv6 Addressing

This section provides an overview of considerations and implications for establishing an IPv6 addressing plan. The current version of this guide only addresses migration of the 'public' facing side of the enterprise.

One of the main differences between IPv4 and IPv6 is the size of the IPv6 address space. IPv6 provides significantly more IP addresses than IPv4. IPv4 uses 32-bit addressing which limits the number of IP addresses to 2^32 or about 4.3 billion addresses. In comparison, IPv6 provides 2^128, or in the longer notation, that's 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456 addresses. Every conceivable device in the world could be assigned an IPv6 address, and there would still be plenty of addresses left over. With so many addresses, many IPv6 advocates believe there is no need for IPv6 Network Address Translation. In fact, the industry best practice advocates the use of a public (or global-unique) IPv6 address on every device that requires connectivity to the IPv6 Internet. This applies not only to the public facing servers but also to the private internal devices inside a corporate network. This

may be a strange concept for network and security administrators who have viewed NAT as a security mechanism to hide internal devices from the outside world. Although NAT provides a clean delineation between private and public networks, it should not be viewed as a security mechanism. It does not provide a corporate network any meaningful security mechanisms from outside attackers. Network security is the implementation of a security policy and is provided by network firewalls, intrusion prevention systems, and other security software and appliances. Similar precautions and protection must be deployed in IPv6 networks.

Does this mean IPv6 networks are less secure than IPv4 networks? It can be argued that the private IPv6 networks with publicly-assigned addresses are just as secure as IPv4 privately-addressed networks. For IPv6, the smallest address space that should be allocated by an Internet Service Provider (ISP) to an enterprise customer is a 56-bit prefix and a 48-bit prefix if allocated directly by a Regional Internet Registrar (RIR). Moreover, the smallest subnet that is expected to be used in IPv6 networks is a 64-bit prefix. This means even the smallest IPv6 subnets will have significantly more addresses than the entire IPv4 Internet. In effect, due to such large address allocation, it would take a potential hacker a long time to completely probe the combination of 2^72 (128 bits minus 56-bit prefix) addresses and all potential TCP/UDP ports in an attempt to enumerate a network. It is like a hacker trying to probe the entire IPv4 Internet address space a trillion times repeatedly: not practical. Therefore, the publicly-addressed IPv6 devices could be as tough if not tougher to discover than the privately addressed IPv4 devices.

Private addressing in IPv4 lends itself to the use of relatively simple address assignments (x.x.x.1 or x.x.x.254 for instance). While it is possible to simply overlay this approach within specific IPv6 subnets, it is not advised. Best practice is to use the full hexadecimal range afforded in the IPv6 format. This helps maintain the difficulty of potential hackers enumerating a corporate network.

One of the perceived benefits of IPv6 (i.e. public addressing) is providing a network environment to foster direct (peer to peer) communication between endpoints without the aid of intermediate gateways. If a killer application emerges that does not work over NAT, then corporations may be forced to maintain a NATless network environment. The drawbacks to using public addresses inside a corporate intranet include:

• First, NAT based IPv4 networks segregate the task of internal addressing from external/public addressing. If there is a need to change public addresses the internal private addressing is unaffected.
• Geographically dispersed networks with multiple Internet connections and/or providers can use separate NAT functions to the public addressing allocated for each individual ISP connection. This maintains symmetric routing in the enterprise which simplifies stateful firewall implementation. This also avoids the need for exception routes in the global Internet and/or the need for multiple host address assignments to end devices in the enterprise.
• Network administrators no longer have NAT to rely on to mask overlapping or misappropriated addresses.
• Finally, network administrators must be more careful about allocating IPv6 addresses to the rest of the corporate network and not just the public facing servers.

These drawbacks are significant, and much of the current work in the IPv6 community is aimed at addressing these inherent drawbacks. Recently, more and more network equipment vendors have been warming up to IPv6 NAT. One vendor reported it will have its first release of IPv6 NAT sometime in 2012, though the adoption rate of this future technology has to be proven. Among the work in progress in support of NAT features for IPv6, there may be some hope for proponents of NAT. RFC 6296 proposes the use of stateless NAT where the internal prefix is replaced with the public prefix.
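As an added illustration of the enumeration argument and the "full hexadecimal range" advice above (example code written for this edit, not part of the AT&T guide), the Python below computes how many IPv4-Internet-sized spaces a /56 contains and how long a complete sweep would take at an assumed probe rate, flags addresses in a constructed sample plan whose interface identifiers are small and guessable, and generates a host address with a random 64-bit interface identifier. The probe rate, the 32-bit threshold and the sample addresses are assumptions, not figures from the guide.

```python
import ipaddress
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample of an addressing plan: two "simple" assignments of the
# x.x.x.1 / x.x.x.254 style carried over to IPv6, and one using the full range.
SAMPLE_PLAN = [
    "2001:db8:1:1::1",
    "2001:db8:1:1::254",
    "2001:db8:1:1:3f6a:9c2b:d10e:7b45",
]


def ipv4_internet_multiples(prefix_len: int) -> int:
    """How many copies of the 2^32 IPv4 address space fit under a prefix of
    the given length (a /56 holds 2^40 of them, about a trillion)."""
    return 2 ** (128 - prefix_len) // 2 ** 32


def enumeration_years(prefix_len: int, probes_per_second: float) -> float:
    """Years needed to probe every address under a prefix of the given length
    at a fixed probe rate. Ports are ignored, so this is a lower bound."""
    addresses = 2 ** (128 - prefix_len)
    return addresses / probes_per_second / SECONDS_PER_YEAR


def interface_id_bits(addr: str) -> int:
    """Number of significant bits in the low 64 bits (the interface identifier)."""
    return (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).bit_length()


def audit_guessable(addrs, min_bits: int = 32) -> list:
    """Return the addresses whose interface identifier uses fewer than min_bits
    significant bits. Such hosts sit in a tiny, predictable corner of the /64,
    which is exactly what the guide advises against. The threshold is an
    assumption chosen for this example."""
    return [a for a in addrs if interface_id_bits(a) < min_bits]


def random_host(subnet: str) -> str:
    """Assign a host in a /64 a random 64-bit interface identifier, using the
    full hexadecimal range rather than a small, guessable suffix."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 subnet")
    iid = secrets.randbits(64)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    print("/56 = %d IPv4 Internets" % ipv4_internet_multiples(56))
    # 1e9 probes/second is an assumed, generous scanner rate
    print("years to sweep a /56 at 1e9 probes/s: %.0f" % enumeration_years(56, 1e9))
    print("years to sweep a /64 at 1e9 probes/s: %.0f" % enumeration_years(64, 1e9))
    print("guessable addresses in sample plan:", audit_guessable(SAMPLE_PLAN))
    print("random host in 2001:db8:1:1::/64:", random_host("2001:db8:1:1::/64"))
```

The sweep-time figures are what the "trillion times the IPv4 Internet" sentence above means in practice: 2^72 addresses at a billion probes per second is on the order of 150,000 years, and a single /64 still takes centuries. The audit function is the defender-side check to run over an addressing plan before it is deployed; anything it returns has thrown that protection away.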

The RFC proposes a prefix replacement while maintaining most of the host bits [1]. This is significantly different from today's IPv4 NAT that is stateful. Many of the complexities and application issues associated with IPv4 NAT can be traced to its stateful implementation. A stateless implementation for IPv6 would avoid most of these issues while maintaining the advantages / avoiding the drawbacks of not having NAT, and it represents a much simpler approach than stateful IPv4 NAT. For more details on IPv6 NAT, please refer to RFC 6296, "IPv6-to-IPv6 Network Prefix Translation". NAT was covered to highlight the present issues and potential impacts in outlining a corporate addressing plan. The rest of this section primarily focuses on planning and implementation of IPv6 addresses without the use of NAT. In addition to this document, please review Section 2 of the AT&T "IPv6 Fundamentals Guide" for more information on IPv6 addressing.

[1] The stateless NAT approach is a bit more complex than a 1:1 mapping of the subnet bits, but this description captures the concept.

3.2 Planning

There are three key steps in developing an IPv6 addressing plan:

1. Assess corporate network requirements
2. Determine the type of public address
3. Develop an addressing strategy

It is very important to understand the overall corporate network requirements. A second step is to decide on the type of global-unique address that is right for the corporate network. This step is just as important as the first step. If a poor decision is made in this step, then the network may need to be completely readdressed later, a major undertaking. The final step is to craft an addressing strategy that will be assigned to the public facing network. What IPv6 prefix boundary should be used for point to point connections? How about segments with small, medium, large number of devices? What specific addresses will be assigned to actual devices? Some of these questions will be addressed in the following sections, and readers should use the information to determine the appropriate strategy that is right for them.

3.2.1 Assess Corporate Network Requirements

It will be very rare to see an enterprise upgrading their entire corporate network to IPv6 all at once. Most enterprises will take a phased approach over a course of several years with the initial focus on the public facing network. In fact, the U.S. federal agencies are mandated to make their Internet services available to support IPv6 users by the end of 2012. By 2014, these agencies must upgrade their internal networks to IPv6. Many enterprises may not have this tight timeline but will likely follow a similar path to IPv6 by initially starting at the Internet edge and then into the core corporate network. However, this does not mean the corporate network requirements should be collected in phases. Enterprises should conduct some level of assessment of the entire corporate network before migrating the … Does the enterprise operate only in the US market or in other countries? Is the Enterprise divided into different Lines of Business (LoB)? Are there multiple corporate Internet connections? Is the Internet service with one or more ISPs? These are only some of the questions that should be considered before moving forward.

Referring to Figure 2.5, there are three network segments that are public facing: customer router to ISP router, customer router to firewall, and the DMZ. The following sections place more emphasis on the public-facing network infrastructure.

They are listed here to give readers some ideas of the types of questions that must be addressed in documenting the overall corporate network requirements. Why is it important to identify requirements for internal networks during this phase? For instance, a network administrator may choose a 64-bit IPv6 prefix to assign to the Internet servers because it spells a recognizable address such as 2001:DB8:ACE::/64, but later finds out that this address space conflicts with the corporate addressing plan that was later developed to allocate a contiguous 56-bit prefix to each branch office. One acceptable solution could be to ignore the issue and to simply skip over the entire /56 prefix that the hex “ACE” prefix resides within. This results in underutilization of IPv6 addresses: 255 unused 64-bit prefixes. Some may argue the first option is probably the best approach in tackling this issue since there are plenty of IPv6 addresses to go around. However, if this action is taken too frequently, then it will lead to fragmented addressing that could place more burden on network routers in maintaining and processing additional IPv6 routes. The other option might be to readdress the Internet devices to a different 64-bit prefix, but this option will interrupt Internet services while the devices are being updated. It is not critical to have a fully developed plan incorporating all aspects of the corporate infrastructure, but some up front attention can avoid pitfalls and rework later. IPv6 should not be treated as just another protocol. Whatever the approach, nothing should be taken for granted.

Once the overall corporate network requirements are understood, the attention can now be given to the Internet network segments referenced in Figure 2.5. What IPv6 prefix and prefix length will be allocated to each network segment? What IPv6 services will be allowed through the Internet router and the corporate firewall? What is the approach for making the corporate services available to IPv6 Internet users? Will the servers be dual-stacked? Or will there be physically separate servers to support IPv6 users? These are some of the probing questions that must be answered during this first step.

3.2.2 Provider Assigned or Provider Independent Addresses

There are two types of IPv6 global-unique addresses: Provider-Assigned (PA) and Provider-Independent (PI). The terms represent two avenues an enterprise can use to obtain public addresses. The PA addresses are allocated by the ISP, and the PI addresses are allocated directly by the RIR such as ARIN. Either PA or PI addresses must be used in order to access content on the IPv6 Internet.

One of the main advantages of using the PA address is that it helps to control the amount of routes maintained by Internet routers. The number of individual IPv4 subnets in the global routing table has been steadily increasing for many years. This is partly due to the fact that IPv4 addresses owned by one ISP are accepted by another ISP. Typically, if an IPv4 block is /24 or shorter (i.e. /8 to /24), then most ISPs will accept another provider’s address into their network. IPv6 will change the size of the network block that an ISP accepts. At the time of this writing, ISPs will not accept another provider’s PA address. By using a PA address, an enterprise loses the ability to advertise their allocated space into the global routing table. Instead, an enterprise’s PA routes are aggregated by the ISP who owns the larger PA prefix. For instance, an ISP with over 10,000 customers could be represented on the Internet by a single IPv6 route. There are obvious benefits for the ISP and the global Internet community in conserving memory, processor, and other resources, but why should the end-users care? Better performance. End-users may not be able to perceive the performance improvement, but a smaller global routing table translates to a better performing and more efficient Internet, especially when routers are expected to maintain both IPv4 and IPv6 routes, with an IPv6 route taking up more memory space and resources. A more streamlined global Internet also translates to reduced costs for infrastructure equipment and peering facilities.

PA addresses are more or less owned by the ISP. If a company changes service providers, then it would have to forfeit the

PA address back to the ISP. This means the entire corporate network must be re-addressed using a new PA block from the new ISP. Subsequently, many enterprises are electing to apply for PI addresses that are directly allocated by RIRs and provide the flexibility to take the addresses to any provider without the concern of network readdressing. (Please note: There is an annual maintenance fee associated with PI addresses. Please visit the RIR’s website for the pricing list.) The PI address may also be a required element when developing a multi-homing network solution. Most ISPs will not accept PI prefixes longer than a 48-bit prefix. Some ISPs may accept longer prefixes (i.e. /49 through /64), but they will likely be filtered across peering connections either by the ISP, peering partners, or both. In fact, /48 is the longest prefix handed out by RIRs. However, for larger enterprises, prefixes larger than 48-bits may need to be requested from RIRs.

Please consult with your ISP about their routing policies and determine if PA is sufficient to satisfy the corporate network requirements. Longer prefixes may be supported by the directly connected ISP. However, it is unlikely that these longer prefixes will be announced to Internet peering partners. Depending on the corporate requirements and the Internet routing policies, a PI prefix may be the most prudent option to avoid network readdressing in the future and to get around routing policy restrictions. Ultimately, it comes down to individual companies to determine what addressing scheme is appropriate for their environment.

3.2.3 Develop an Addressing Strategy

This step is perhaps the toughest. It is overwhelming to develop an overall addressing strategy that satisfies immediate and future network needs. It is made even more challenging with the understanding that industry best practices are still being formulated and RFCs are being updated based on real-world deployments and lessons learned. Best practices will continue to evolve and develop in this space.

The present best practice is to allocate a 48-bit prefix to an enterprise and a 56-bit prefix to a site. This translates to 256 sites and 256 64-bit subnets per site. This seems to be an overallocation for a branch office that perhaps has just three subnets for a data network, a voice network, and a special application network. If the present best practice of a 64-bit subnet is deployed, then about 18.4 quintillion IPv6 addresses would go unused for a small network. Since there are plenty of IPv6 addresses, underutilization of IP address space is not much of a concern for IPv6 advocates. The 56-bit prefix boundary should be used as a guide and not as a strict standard. Use the appropriate boundary prefix for each site that satisfies the present and the future requirements. The details of the corporate LAN and WAN addressing will be covered in future releases of this guide.

The industry standard advocates the use of a 64-bit prefix on every network segment regardless of its size. This is even true across a point-to-point connection where /30 is typically used in IPv4 networks. IPv6 does not promote the use of variable subnetting. RFC 5375 points out several drawbacks of using variable subnetting such as misuse of reserved address space, etc. However, the main disadvantage of variable subnetting is that autoconfiguration does not work if the subnet bo
undary is not exactly 64-bits. The subnet must be exactly a 64-bit network prefix in order for autoconfiguration to work properly. For instance, it can not be 65-bits, 127-bits, or 63-bits. This should not be a major issue for a point-to-point or small network like a DMZ since devices on these networks are manually configured. For a small branch office, autoconfiguration may be appropriate to avoid manual configuration or to deploy a DHCP infrastructure. Recently, RFC 6164 was created to introduce a new standard that advocates the use of 127-bit prefixes for point-to-point links. At the time of this writing it is uncertain whether RFC 6164 will be readily adopted by the industry.

For the public facing networks, companies must select a group of 64-bit prefixes from their overall IPv6 address pool to assign to the public network segments such as the DMZ, CE-Firewall LAN, etc. This group of prefixes should be chosen from either the upper or the lower bounds of the IPv6 address pool.

For instance, if the assigned address pool is 2001:DB:1234::/48, then choose the prefixes from the 2001:DB:1234:: or the 2001:DB:FFFF::. This approach will aid in avoiding address conflicts as prefixes are allocated to the corporate LAN in the next phase of IPv6 implementation. The actual number of required 64-bit prefixes will be determined by whether the industry best practice is followed. As mentioned previously, the industry standard dictates that a 64-bit prefix is allocated to any network segment regardless of size. Recall that even if there may only be three devices on a network, a 64-bit prefix is expected to be used. In real world operations, companies can elect to depart from this standard by incorporating variable subnetting and using longer prefixes to accommodate a smaller number of devices. However, it is advised that careful research and tests are conducted to ensure a non-standard deployment doesn’t cause issues within the public infrastructure. Please see Appendix A-2 for an example of IPv6 address allocation to the public facing infrastructure.

3.3 Implementation

While most of the corporate LAN may use DHCPv6 or autoconfiguration, network devices shown in Figure 2.5 will likely be manually configured with an address. A common IPv4 practice is to use either the lowest or highest number (x.x.x.1 or x.x.x.254) for the default gateways. Many enterprises may attempt to continue this practice in IPv6. One could choose 0:0:0:1 as the host address for a default gateway or servers. There are no technical issues with this approach. However, this approach makes it easier for potential hackers to map your network. Internet addresses for the corporate servers will be well known to potential hackers via DNS lookup. This does not mean that the corporate firewalls or other Internet devices need to be made easy to discover. One way to “hide” them from the Internet is to assign a more complex and unrecognizable IPv6 address with access filtering enabled. So it may be best to choose an IPv6 address that is not easily guessed. However, one must consider that there are 0:0:0:0 to FFFF:FFFF:FFFF:FFFF addresses to choose from in a 64-bit prefix boundary. With a more complex hexadecimal addressing scheme, administrators are more prone to mistakes in configuring the IPv6 addresses. However, this is prone to human errors. Therefore, network administrators should be mindful and choose addresses wisely.

There are also other considerations when using manual address configuration. According to RFC 3627, all zeros and all ones should be avoided since they are reserved anycast addresses. The RFC claims the addresses will fail Duplicate Address Detection queries. Technically, this is not true. These anycast addresses can be assigned much like any unicast addresses without limitations. Even so, these addresses should be avoided as a best practice to minimize issues in the future if these anycast addresses are treated differently. Administrators should also pay attention to their choice of variable subnet prefix or manually configured address that defines bits 71 and 72 of the address. Bit 71 is used to identify whether the address is universally or locally administered. For instance, if the host address is based on an industry standard such as a MAC address, then it is considered universally administered. The 71st bit should be set. Bit 72 defines whether the address is a unicast or multicast address. By setting this bit, it tells the world that the address is used for multicast services. In today’s implementation, these bits are ignored by most IPv6 devices, but they may be utilized in the future.

Even with manual configuration, IPv6 devices may also assign autoconfigured addresses if the subnet is on a 64-bit boundary. In order to avoid this, administrators can disable router advertisement on the default gateway devices such as the Internet router or the firewall. Otherwise, the Internet servers may assume multiple IPv6 addresses and potentially cause issues if the server responds with a different address than the address used to set up the session. Enterprises should always test the final configuration to ensure devices are configured and working correctly. Please see Section 9 Testing & Verification for test options.
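As an added example, not part of this guide, the following Python function applies the checks above to a manually chosen host address: the segment must be a /64 for autoconfiguration, the all-zeros and all-ones interface identifiers are reserved, bit 71 (the universal/local bit, counted from the left as in the text) should only be set for a MAC-derived identifier, bit 72 (the individual/group bit) should be clear, and a very low host number is the easily guessed IPv4 “.1” habit carried over. The issue codes and the mac_derived flag are the example’s own; the addresses in the usage block are constructed from the documentation prefix.

```python
import ipaddress

# Explanations for each issue code; bit numbers follow the guide's convention
# (bit 71 = U/L bit and bit 72 = I/G bit of the 64-bit interface identifier).
MESSAGES = {
    "not-64": "prefix is not /64: autoconfiguration will not work on this segment",
    "anycast-zeros": "all-zeros interface ID is the subnet-router anycast address; avoid it",
    "anycast-ones": "all-ones interface ID is reserved; avoid it",
    "ul-bit-set": "bit 71 (U/L) set claims a MAC-derived, universally administered ID",
    "group-bit-set": "bit 72 (I/G) set marks the ID as a group (multicast-style) ID",
    "low-numbered": "low-numbered host part (the IPv4 .1/.254 habit) is easy to guess",
}


def interface_id(addr):
    """Low 64 bits of the address: the host (interface identifier) part on a /64."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def check_manual_address(addr, prefixlen=64, mac_derived=False):
    """Return the list of issue codes for a manually configured address.
    mac_derived=True means the ID was built from a MAC (EUI-64), so bit 71 is
    expected to be set."""
    issues = []
    if prefixlen != 64:
        issues.append("not-64")
    iid = interface_id(addr)
    if iid == 0:
        issues.append("anycast-zeros")
    if iid == (1 << 64) - 1:
        issues.append("anycast-ones")
    first_octet = iid >> 56                       # octet that carries bits 71 and 72
    if (first_octet & 0x02) and not mac_derived:  # 0x02 is bit 71 of the address
        issues.append("ul-bit-set")
    if first_octet & 0x01:                        # 0x01 is bit 72 of the address
        issues.append("group-bit-set")
    if 0 < iid < 256:
        issues.append("low-numbered")
    return issues


def explain(addr, **kwargs):
    """Human-readable version of check_manual_address()."""
    return [MESSAGES[code] for code in check_manual_address(addr, **kwargs)]


if __name__ == "__main__":
    # Constructed sample addresses on a documentation-prefix segment.
    for sample in ("2001:db8:ace::1", "2001:db8:ace::",
                   "2001:db8:ace:0:200:5eff:fe00:5301", "2001:db8:ace::1a2b:3c4d:5e6f"):
        print(sample, "->", explain(sample) or ["ok"])
```

The first sample reports only the guessable low host number (no technical problem, as the text says), the all-zeros identifier is flagged as the subnet-router anycast address, the third sample looks MAC-derived and so is only acceptable when called with mac_derived=True, and the last, an unremarkable locally chosen identifier with bits 71 and 72 clear, passes.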

3.4 Multi-Homing

Deploying a multi-homed Internet solution can be very challenging whether it is over an IPv4 or IPv6 network. IPv6 is further complicated by the fact that IPv6 deployment is in its infancy. Many enterprises claim they have migrated their services to a dual-stack environment, but if you look under the covers, it would be apparent that most are partial deployments, without the level of redundancy or advanced functionality that has been established to provide highly available, high performance and secure IPv4 networks. Most enterprises are doing just enough to make their Internet services available to potential IPv6 users. There are simply not enough enterprises that have fully deployed an IPv6 Internet solution to share lessons learned or establish best practices. In short, IPv6 is brand new territory for the networking industry. Therefore, enterprises should be cautious in rolling out an IPv6 multi-homing solution and should expect to run into obstacles along the way. Most enterprises may maintain a simple IPv6 Internet network until IPv6 multi-homing issues are better understood and addressed by the industry.

However, one of the biggest challenges of designing a multi-homing network solution is addressing the asymmetric routing issue. Without IPv6 NAT, global-unique addresses will be assigned to internal corporate network devices. Therefore, enterprises must pay closer attention to the internal corporate routing in ensuring that internal hosts are routed correctly out through the appropriate Internet PoP that is advertising the aggregate address of the host’s prefix. Otherwise, asymmetric routing may occur where the inbound traffic is not forwarded to the same Internet PoP that it originated from.

Figure 3.4—IPv6 Multi-homing

As an example, the figure depicts an enterprise that has an active/active Corporate Internet requirement. This scenario assumes the enterprise has obtained a /47 PI prefix from RIRs and has divided it up into two /48 prefixes. Each /48 is advertised as the primary route through ISP#1 and ISP#2. For instance, in Figure 3.4 one host is assigned out of the “2001:DB8:1235:ffff::/56” prefix. In order for this host to receive packets from the Internet, it must be

routed out through the Internet service connecting to ISP#2. This is because the aggregate address “2001:DB8:1235::/48” encompassing the host’s prefix (2001:DB8:1235:FFFF::/56) is advertised out of this connection. If for some reason the host was routed out through ISP#1, then the return traffic would be returned through ISP#2 since it’s advertising a more specific /48 prefix. This is not the desired result since the firewall will not have a matching session in its state table. If there isn’t a match, then the packet is dropped. This is one of the key examples as to why enterprises should not have a myopic view of focusing just on the public-facing infrastructure. There must be some investment made in reviewing the overall corporate network requirements during initial Internet deployment.

3.4.1 Single Carrier Multi-homing

Single provider multi-homing is typically deployed by small to midsize corporations that require redundant Internet services. This can be in the form of multiple Internet connections at a single location or a geographically separated location. When multi-homing with a single provider, an enterprise can elect to use either the PA or the PI addresses. The benefit of using the PA addresses is that the enterprise does not need to apply for the PI addresses, which could take time and money. Another benefit may be that some ISPs may allow longer IPv6 prefixes into the network. This may give enterprises flexibility to implement a better load-distribution solution based on granular prefixes or subnets. However, the main drawback of PA addresses is that ISPs do not allow enterprises to take PA addresses to another ISP. This means enterprises will be forced to readdress their corporate network whenever they decide to change providers. It may be advantageous even for single provider enterprises to use PI addresses to allow flexibility to move to another ISP but also to implement a multi-provider solution if the corporate requirements change in the future.

An ISP may allow a 64-bit prefix to be advertised into their network, but the enterprise will need to also advertise a summary prefix 48 bits or shorter. Otherwise, the enterprise’s prefix will not be visible beyond the ISP’s network. If one of the Internet connections fails, then the surviving Internet connection will receive traffic that was destined for the other connection following the summary route, similar to a typical IPv4 multi-homing implementation.

3.4.2 Multi-Carrier Multi-homing

Multi-provider multi-homing is the most popular solution for regional or global enterprises that operate within a single continent. By using multiple ISPs, enterprises can have the peace of mind that a major outage on one provider’s network will not grossly impact their business. Some of the enterprises today use the ISP’s allocated address space to develop an IPv4 multi-homing solution. In today’s IPv4 networks, ISPs allow enterprises to advertise another ISP’s address into their network. However, this practice is forbidden in IPv6 networks. Most if not all ISPs will not accept another ISP’s PA addresses. In order to achieve a resilient multi-provider solution, enterprises will likely need to use PI addresses to be able to fail over a prefix block from one provider to another.

Another important point to consider in a multi-provider solution is the size of the prefix that may be required to satisfy the network requirements. As a general rule, an ISP will not advertise across its peering connections a prefix longer than a /48. The ISP may accept a longer prefix such as a 64-bit prefix into the network. If the Internet connections are used as primary and backup, then a single 48-bit prefix may be sufficient. A 48-bit prefix can be advertised via eBGP with a shorter or longer ASN hop to prefer one carrier’s Internet over another. However, if multiple Internet connections are actively utilized simultaneously, then multiple 48-bit prefixes may be required since ISPs will not forward routes longer than a 48-bit prefix. A minimum of /48 for each Internet connection is required as shown above in Figure 3.4. Each connection can advertise a /48 as the primary address and a summary route for failover.

3.4.3 Multi-Region Multi-homing

The present best practice dictates that enterprises that operate in multiple continents acquire addresses from each RIR where they operate. Most Tier-1 ISPs will likely allow enterprises with PI addresses from one region to use them in another region. However, routing policies are still being finalized, and it is

iana. The longest IPv6 prefix that is allocated to RIRs is 23-bits long. Since Tier-1 ISPs have no control over the policies of smaller ISPs. but it is unclear whether other European ISPs (that AT&T peers with) will honor the advertised address into their network. AT&T is a registered trademark of AT&T Knowledge Ventures. and WAN routing can be further simplified through summarization based on regional addresses.xml. For instance. it is recommended that regional address space is used in multi-region solution at this time. (Please visit the following link to see other regional allocations -http://www.) An ISP may decide to filter based on this 23-bit prefix boundary. NDC Release 1.0 © 2012 AT&T Knowledge Ventures.uncertain how non-regional addresses will be treated by smaller ISPs in a particular region. ARIN-obtained address is accepted by AT&T in other regions like Europe and Asia.org/assignments/IPv6-unicast-address-assignments/IPv6-unicast-addressassignments. 18 . In an effort to minimize the number of IPv6 routes in the core. It also provides a clean delineation between each region. an ISP may decide to filter longer non-regional prefixes from entering its Internet. All rights reserved.

4 Establish IPv6 Enabled Connectivity

Establishing IPv6 connectivity is a simple matter of procuring an Internet connection with Dual-Stack functionality. Ideally, this would be a simple logical change to the existing connection, with no outages and no changes required to the existing environment. Due to functional differences across hardware platforms and availability of dual-stack service, this may not be feasible. At a minimum, a minor outage should be planned to allow reconfiguration of carrier equipment and/or re-homing to alternate carrier facilities. Once provisioned, the connection continues to provide IPv4 connectivity as before. When ready, the customer can configure the Internet access router with the appropriate IPv6 elements to begin using the Dual-Stack capabilities of the connection.

As part of the procurement process, AT&T provides an IPv6 address to be used for the Internet WAN connection. This is used on the customer access router for the Internet interface. If BGP peering is specified, this address is used to establish the IPv6 BGP session with AT&T. Additional provider assigned addressing may also be provided by AT&T, or a customer may choose to use their own (Provider Independent) addressing (refer to IPv6 Addressing).

5 Access Router Configuration

This section provides sample router configurations that can be applied on the Internet edge routers. It includes examples of IPv6 BGP configurations to establish IPv4 and IPv6 BGP neighbor relationships with the ISP’s router. It also provides sample configurations for static routes for those who may not be comfortable with BGP. The last section provides information on applying IPv6 access lists. For the most part, the IPv6 commands are very similar to IPv4 commands but with slight differences.

5.1 BGP

BGP router configuration for a dual-stack Internet service requires the use of address families to define IPv4 and IPv6 peers and the corresponding advertisement of routes. Listed below are some guidelines for configuring BGP on the customer’s router.

BGP configuration steps:
• Create a BGP router-id
• Configure IPv4 and IPv6 BGP neighbors
• Create IPv4 and IPv6 address families
• Advertise BGP network routes within each address family

The first step is to define the BGP router-id under the BGP process. When the router-id is not defined, Cisco routers will default to using the highest loopback IPv4 address. If no IPv4 addresses are present on the router, the IPv6 BGP session will not be established with its peer. Therefore, as a best practice, the router-id should be specifically defined under the BGP process.

The IPv4 and IPv6 BGP neighbors must be defined under the main BGP process with the corresponding Autonomous System Number (ASN) of its peer. The IPv4 and IPv6 address families need to be configured via address-family [ipv4/IPv6]. Since the IPv4 and IPv6 neighbors have been defined with the remote-as of the peer under the main BGP process, there is no need to redefine the remote AS under the address family. Instead, the neighbors are activated to establish a BGP relationship with the peer by including the activate keyword with the neighbor command as shown below. By default, when an IPv4 address family is defined, both the IPv4 and IPv6 neighbors that were created in the first step will appear automatically under the IPv4 address family. The IPv6 neighbor should only be defined under the IPv6 address family. To do this, the IPv6 neighbor must be disabled under the IPv4 address family by issuing the no neighbor <IPv6 address> activate command and added under the IPv6 address family.

Note: The IPv4 address family is not required in order for an IPv4 BGP relationship to be established. BGP (for IPv4) can be initiated under the main BGP process without defining the IPv4 address family. As such, some customers may choose to only create the IPv6 address family and maintain the IPv4 relationship under the main BGP process. However, there is no harm in creating the IPv4 address family. It does not reset the BGP session. It also may be an easier way to manage the BGP configuration by organizing IPv4 and IPv6 BGP configurations under their respective address family.

Customers can then advertise IPv4/IPv6 BGP routes through the use of the familiar network <ipv4/IPv6 addresses> command. Note there is a slight difference in the syntax of the IPv6 network command in that it allows the use of the /nn subnet instead of the mask keyword used with IPv4 prefixes.

BGP Configuration:

router bgp 65000
 bgp router-id 192.168.10.2
 neighbor 192.168.10.2 remote-as 7018

255. The “::/0” is short hand for: 0000:0000:0000:0000:0000:0000:0000:0000/0 One would agree that “::/0” is much easier to type and less prone to typographic mistakes. the /56 route will not appear in the global routing table because most ISPs will not advertise the longer PA prefixes to their peering partners. So. 5.10.255. These longer /56 PA prefixes are typically filtered by the ISP and are summarized into the aggregate PA prefix for the ISP. The last argument is the next-hop and is shown in the above example as 2001:DB8:124F::2 An IPv6 static route that will be commonly used is the default route. then configuring IPv6 static routes will appear to be very similar but with some slight differences. A /56 prefix will likely be assigned by the ISP from the Provider Assigned (PA) block.1-BGP Configuration In the above table. These PI blocks will be forwarded to their peering partners. All rights reserved. Even though /56 is announced into an ISP. If readers are familiar with configuring IPv4 static routes on Cisco routers. The next argument is the IPv6 network. The configuration of IPv6 static routes requires the following format: IPv6 route IPv6-network/prefix next-hop Below is an example of a static route command for IPv6: IPv6 route 2001:DB8:124F:1::/64 2001:DB8:124F::2 Note (as with most IPv6 commands).168. Most customers with Provider-Independent (PI) addresses will be allocated /48 or shorter prefixes. The example below shows how the IPV6 static default route is expressed: IPv6 route ::/0 2001:DB8:C00:4F00::EEF6:A0EA The syntax for the IPv6 default route is very different from IPv4. 2001:DB8:124F:1::/64 is the network with a /64 prefix.100.0 © 2012 AT&T Knowledge Ventures.2 activate !enable BGP for neighbor (enabled by default) no neighbor 2001:DB8::2 activate !disable IPv6 neighbor relationship network 192. However ISPs will implement a policy to prevent longer prefixes (ranging from /48 to /128) from being advertised. 
The word “route” indicates this to be a static route. 21 .168. the static route command begins with the key word “IPv6”.0 mask 255. ISPs will however allow customers to advertise PI blocks as long as they are /48 or shorter. AT&T is a registered trademark of AT&T Knowledge Ventures. NDC Release 1. The longer prefixes may be allowed within the ISP network but will be filtered and not allowed beyond the ISP’s network.neighbor 2001:DB8::2 remote-as 7018 !configure IPv6 neighbor address/ASN address-family ipv4 !define ipv4 address family neighbor 192.2 Static This section briefly describes how to configure IPv6 static routes. This policy may vary between service providers. the /56 prefix under the IPv6 address family was used only as an example.0 !network address to be advertised address-family IPv6 !define IPv6 address family neighbor 2001:DB8::2 activate !enable BGP for IPv6 neighbor network 2001:DB8:F::/56 !define network address to be advertised Table 5.
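The guidelines in Section 5.1 can be turned into a quick audit of a router’s BGP block before it is pushed. The following Python script is an added example and is not part of this guide or of any AT&T or Cisco tool; it understands only the handful of IOS-style commands used in Table 5.1 and checks that the router-id is explicit, that the IPv6 neighbor is deactivated under address-family ipv4 (where it is active by default) and activated under address-family ipv6, and that each network statement sits in the matching address family. GOOD_CONFIG reproduces Table 5.1; BAD_CONFIG is a constructed variant with the mistakes the text warns about.

```python
# Table 5.1 from the guide, as one string (comments after '!' are ignored).
GOOD_CONFIG = """
router bgp 65000
 bgp router-id 192.168.10.2
 neighbor 192.168.10.2 remote-as 7018
 neighbor 2001:DB8::2 remote-as 7018          !configure IPv6 neighbor address/ASN
 address-family ipv4                           !define ipv4 address family
  neighbor 192.168.10.2 activate               !enable BGP for neighbor (enabled by default)
  no neighbor 2001:DB8::2 activate             !disable IPv6 neighbor relationship
  network 192.168.100.0 mask 255.255.255.0     !network address to be advertised
 address-family ipv6                           !define IPv6 address family
  neighbor 2001:DB8::2 activate                !enable BGP for IPv6 neighbor
  network 2001:DB8:F::/56                      !define network address to be advertised
"""

# Constructed variant: no router-id, IPv6 neighbor left active under ipv4,
# and the IPv6 network advertised from the wrong address family.
BAD_CONFIG = """
router bgp 65000
 neighbor 192.168.10.2 remote-as 7018
 neighbor 2001:DB8::2 remote-as 7018
 address-family ipv4
  neighbor 192.168.10.2 activate
  network 192.168.100.0 mask 255.255.255.0
  network 2001:DB8:F::/56
 address-family ipv6
  neighbor 2001:DB8::2 activate
"""


def _new_af():
    return {"active": set(), "inactive": set(), "networks": []}


def parse_bgp(config):
    """Reduce a 'router bgp' block to router-id, neighbors and the activate /
    no activate / network statements of each scope ('global' before any
    address-family line, then 'ipv4' or 'ipv6')."""
    state = {"router_id": None, "neighbors": {}, "af": {}}
    scope = "global"
    for raw in config.splitlines():
        tok = raw.split("!", 1)[0].split()        # drop trailing comment
        if not tok:
            continue
        if tok[0] == "address-family":
            scope = tok[1].lower()
            state["af"].setdefault(scope, _new_af())
            continue
        bucket = state["af"].setdefault(scope, _new_af())
        if tok[:2] == ["bgp", "router-id"]:
            state["router_id"] = tok[2]
        elif tok[0] == "neighbor" and len(tok) >= 4 and tok[2] == "remote-as":
            state["neighbors"][tok[1]] = tok[3]
        elif tok[:2] == ["no", "neighbor"] and len(tok) >= 4 and tok[3] == "activate":
            bucket["inactive"].add(tok[2])
        elif tok[0] == "neighbor" and len(tok) >= 3 and tok[2] == "activate":
            bucket["active"].add(tok[1])
        elif tok[0] == "network":
            bucket["networks"].append(tok[1])
    return state


def lint_bgp(config):
    """Return issue codes; an empty list means the block follows the guidelines."""
    st = parse_bgp(config)
    issues = []
    if not st["router_id"]:
        issues.append("missing-router-id")
    af4, af6 = st["af"].get("ipv4"), st["af"].get("ipv6")
    for nbr in sorted(n for n in st["neighbors"] if ":" in n):
        # under address-family ipv4 every neighbor is active unless switched off
        if af4 is not None and nbr not in af4["inactive"]:
            issues.append("ipv6-neighbor-active-in-ipv4-af:" + nbr)
        if af6 is None or nbr not in af6["active"]:
            issues.append("ipv6-neighbor-not-activated-in-ipv6-af:" + nbr)
    for scope, af in st["af"].items():
        for net in af["networks"]:
            if (":" in net) != (scope == "ipv6"):   # global scope counts as ipv4
                issues.append("network-in-wrong-af:" + net)
    return issues


if __name__ == "__main__":
    print("Table 5.1:", lint_bgp(GOOD_CONFIG) or "no issues")
    print("bad variant:", lint_bgp(BAD_CONFIG))
```

Table 5.1 passes cleanly; the constructed variant reports the missing router-id, the IPv6 neighbor still active under the IPv4 address family and the IPv6 network placed under address-family ipv4.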

5.3 Access-List Formats

This section briefly describes ACL formats as used on Cisco routers. An access list determines what traffic is blocked and what traffic is forwarded at router interfaces. The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4, and allows filtering based on source, destination, protocol type, port number, and inbound/outbound direction on a specific interface. Using Cisco IOS ACLs has changed slightly in IPv6. IPv6 IOS ACLs only use “named” ACLs. The format is shown below:

IPv6 access-list access-list-name
 permit protocol source-IPv6-prefix/prefix-length destination-IPv6-prefix/prefix-length
 or
 deny protocol source-IPv6-prefix/prefix-length destination-IPv6-prefix/prefix-length

When deploying ACLs in IPv6, there are some subtleties to consider. Each access list has an implicit deny statement at the end. For instance, all IPv4 IOS ACLs have an implicit “deny ip any any” at the end of the ACL. With IPv6, the IOS ACLs have the following 2 implicit permit statements along with a deny statement, as shown below:

permit icmp any any nd-na
permit icmp any any nd-ns
deny IPv6 any any

The permit statements are added so that Neighbor Discovery (which performs the equivalent functionality of ARP in IPv4) is not disabled when an ACL is applied to an interface. This can lead to problems if one wants to enable the log option on the ACLs. Adding the statement “deny IPv6 any any log” will override the implicit permits, and neighbor discovery traffic will be denied. So be careful when using the log option.

Below is an example of an IPv6 ACL:

IPv6 access-list RFC4890-in-partial
 permit icmp any any echo-reply
 permit icmp any any echo-request
 permit icmp any any 1 3
 permit icmp any any 1 4
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 deny icmp any any router-advertisement

The above IPv6 ACL is named “RFC4890-in-partial”. There are seven permit and one deny statements. What is not shown are the implicit permit and deny statements mentioned earlier.

Applying an IPv6 ACL to an interface is not the same as it was in IPv4. Format in IPv6:

IPv6 traffic-filter access-list-name in
IPv6 traffic-filter access-list-name out

Example:

All rights reserved. NDC Release 1.0 © 2012 AT&T Knowledge Ventures. AT&T is a registered trademark of AT&T Knowledge Ventures. 23 .interface FastEthernet0/1 IPv6 traffic-filter RFC4890-in-partial in The following section on security contains additional information on traffic filters and examples of router and switch configurations.
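The two caveats above (an explicit logged catch-all deny silently removing the implicit Neighbor Discovery permits, and the ICMPv6 error messages RFC 4890 says must survive a transit filter) are easy to check mechanically. The following is an added example written for this guide, not Cisco code: a small lint for IOS-style IPv6 access lists. The first sample ACL is the guide's own "RFC4890-in-partial"; the other two are constructed to show the broken and corrected forms of a logged deny.

```python
"""Lint a Cisco IOS IPv6 access list for the pitfalls described in section 5.3.

Added example for this guide; not Cisco code. Two things are checked:
  1. An explicit catch-all "deny ipv6 any any" (typically added to get the "log"
     keyword) replaces the implicit "permit icmp any any nd-ns/nd-na" entries, so
     Neighbor Discovery breaks unless those permits appear explicitly before it.
  2. The ICMPv6 error messages RFC 4890 says a transit filter must not drop
     (destination-unreachable, packet-too-big, time-exceeded, parameter-problem)
     are permitted somewhere before any catch-all deny.
Sample ACLs below are constructed for the example; the first is the guide's own.
"""
import re

ENTRY = re.compile(r"^(permit|deny)\s+(\S+)\s+(.+)$", re.IGNORECASE)

# ND messages IOS permits implicitly, and only while no explicit catch-all deny exists
ND_REQUIRED = {"nd-ns", "nd-na"}
# RFC 4890 section 4.3.1: error messages that must not be dropped in transit
RFC4890_REQUIRED = {"unreachable", "packet-too-big", "time-exceeded", "parameter-problem"}
# numeric ICMPv6 types as IOS accepts them, mapped onto the keyword form
NUMERIC_TYPES = {"1": "unreachable", "2": "packet-too-big", "3": "time-exceeded", "4": "parameter-problem"}


def _split_addr(tokens):
    """Consume one source/destination spec ("any", "host X" or "prefix/len")."""
    if not tokens:
        return "", []
    if tokens[0].lower() == "host" and len(tokens) > 1:
        return " ".join(tokens[:2]), tokens[2:]
    return tokens[0], tokens[1:]


def parse_acl(text):
    """Return (acl_name, entries); each entry is a dict with action/proto/src/dst/qual/log."""
    name, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("ipv6 access-list"):
            name = line.split()[2]
            continue
        m = ENTRY.match(line)
        if not m:                      # blank lines, "remark", "!" and anything else
            continue
        action, proto, rest = m.group(1).lower(), m.group(2).lower(), m.group(3).split()
        log = any(t.lower() in ("log", "log-input") for t in rest)
        rest = [t for t in rest if t.lower() not in ("log", "log-input")]
        src, rest = _split_addr(rest)
        dst, qual = _split_addr(rest)
        qual = [q.lower() for q in qual]
        if proto == "icmp" and qual and qual[0] in NUMERIC_TYPES:
            qual = [NUMERIC_TYPES[qual[0]]] + qual[1:]
        entries.append({"action": action, "proto": proto, "src": src.lower(),
                        "dst": dst.lower(), "qual": qual, "log": log})
    return name, entries


def audit(text):
    """Return (acl_name, findings). An empty findings list means the ACL passes."""
    name, entries = parse_acl(text)
    findings, permitted_icmp = [], set()
    for i, e in enumerate(entries):
        if e["action"] == "permit" and e["proto"] == "icmp" and e["qual"]:
            permitted_icmp.add(e["qual"][0])
        if e["action"] == "deny" and e["proto"] == "ipv6" and e["src"] == "any" and e["dst"] == "any":
            missing = ND_REQUIRED - permitted_icmp
            if missing:
                findings.append("explicit catch-all deny overrides the implicit ND permits; add "
                                "'permit icmp any any %s' before it" % " / ".join(sorted(missing)))
            if i + 1 < len(entries):
                findings.append("%d entries after the catch-all deny are unreachable" % (len(entries) - i - 1))
            break                      # nothing after the catch-all is ever evaluated
    for t in sorted(RFC4890_REQUIRED - permitted_icmp):
        findings.append("RFC 4890 transit message not permitted: %s" % t)
    return name, findings


# The guide's own example: no explicit catch-all, so the implicit ND permits still apply
ACL_GUIDE = """\
ipv6 access-list RFC4890-in-partial
 permit icmp any any echo-reply
 permit icmp any any echo-request
 permit icmp any any 1 3
 permit icmp any any 1 4
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 deny icmp any any router-advertisement
"""

# Constructed: logging was wanted, a catch-all deny was appended, ND was forgotten
ACL_LOGGED = """\
ipv6 access-list EDGE-IN-LOGGED
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 deny ipv6 any any log
"""

# Constructed: the corrected version, ND permits placed before the logged deny
ACL_FIXED = """\
ipv6 access-list EDGE-IN-FIXED
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 deny ipv6 any any log
"""

if __name__ == "__main__":
    for acl in (ACL_GUIDE, ACL_LOGGED, ACL_FIXED):
        acl_name, problems = audit(acl)
        print(acl_name, "->", problems or "OK")
```

Run it against a configuration dump ("show ipv6 access-list" output pasted into a file works after stripping match counters); the ND finding is the one that takes down a segment, the RFC 4890 findings explain broken path MTU discovery and slow failure detection.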

6 Security

The long view of security in an IPv6 world may include dramatic enhancements over the current set of IPv4 best practices. Some have envisioned an abandonment of classical perimeter security as currently implemented by firewalls, in favor of end-to-end security models for each TCP/IP session. That same idealism might want the firewall to give way to per-session authentication and authorization. But those are notions for the future. The concept of a perimeter still remains and must be guarded. This section builds from existing IPv4 best practices and augments them based on new features and new mechanisms occurring in IPv6.

It is critical to note that a current Security Policy must be the strategy that drives the security configuration. New features and mechanisms introduced in an IPv6-enabled world that can become problematic in a security discussion include:

• Automatic assignment of endpoint addressing
• Automatic identification of routers and gateways
• Lack of standard support for IPv6 private addressing (IPv6 NAT)
• New constructs, including Extension Headers at the IP layer
• Numerous dual-stack and v4<->v6 translation scenarios that will likely be embraced in typical migration scenarios

Further, software deficiencies are very commonly found in IPv4-enabled network elements, and it is anticipated that IPv6-enabled network elements will also have a range of deficiencies that will require patching, upgrades, or work-arounds to address, particularly during a migration phase. The remainder of this section identifies new elements of good security practice aimed at reinforcing public interfaces to preclude new IPv6-based attacks, and general guidelines to adopt inside the enterprise to prevent unauthorized tunneling through the firewall.

6.1 Perimeter Security (Firewall)

An IPv6 firewall is not just an IPv4 firewall with extra rules. The IPv6 header is very different, includes additional extension headers, and needs specific consideration for analysis of potential vulnerabilities. Analyzing an IPv6 packet as if it were an IPv4 packet could give unpredictable results. An important first step in migrating to an IPv6 presence is to carefully consider the firewall's ability to support and analyze IPv6 packets. The firewall must be able to support IPv6 and meet the internal certification of both the hardware and software for your enterprise. This is a critical issue for securing the perimeter and will remain an enduring issue even if IPv6 firewalls are largely relegated to passing IPsec tunnels to an ultimate destination for authentication.

A common best practice in IPv4 perimeter security models includes network address translation (NAT). Use of NAT in a security model has become a common discussion point in the migration to IPv6 networking. "If it's not a private address, it hasn't been scrubbed by a firewall." "If it is a private address it won't be allowed outside the fence without first being scrubbed." These are typical sentiments of current firewall strategies. NAT alone is not comprehensive protection, but it does identify where the fence is. Presumably other constructs of good perimeter security (stateful inspection, rule imposition, blanket inbound blocking, etc.) are implemented at this same juncture. But idealistic views of IPv6 consider NAT a roadblock to a future of creative and innovative end-to-end communications.

Typical enterprise connections to the public Internet allow for a DMZ to host public-facing web services and file servers. Below we show a configuration that accommodates both IPv4 and IPv6 connectivity to the Internet.

IPv6 can initially be used to enable IPv6 web, email, and ftp servers as a set of publicly available services, while IPv4 continues to provide two-way (firewalled) traffic from the enterprise to the IPv4 Internet. The two networks (IPv4 and IPv6) operate independently but both use the same physical links. Being independent of each other, the treatment of specific traffic flows may differ. We focus here on DMZ access for IPv6-based services while presuming to preclude IPv6 access into the larger enterprise.

6.1.1 Traffic Filters

One of the primary differences between IPv4 and IPv6 firewall filters has to do with ICMP traffic. In IPv4, firewalls largely treat ICMP traffic as a potential security problem for denial-of-service flood attacks, and it is not uncommon for firewalls and border routers to block all ICMP traffic. There are some instances in IPv4 where ICMP packets provide useful information, such as path MTU discovery (packet-too-big replies) or testing reachability. But even these are often viewed as not worth the exposure to ICMP-based attacks, and ICMP is frequently blocked altogether.

In IPv6, ICMP packets are used in new ways that become critical to discovering layer-two reachability information. IPv6 neighbors and routers discover reachability details about each other using solicitations and advertisements over automatically defined link-local subnets. These are all part of the Neighbor Discovery Protocol (NDP). Blocking all ICMPv6 traffic would disable NDP and be equivalent to blocking ARP traffic in IPv4. Path MTU discovery also changes character: IPv6 routers never fragment packets in transit, so the Packet Too Big message (ICMPv6 type 2) is the only way a sender learns that a path has a smaller MTU, and blocking it breaks connectivity across any such path. With the increased role of ICMP in IPv6, blocking all ICMP messages is not recommended.

But allowing all ICMPv6 traffic still carries the risk of certain denial-of-service flood attacks, so a specific strategy should be devised based on what ICMP traffic is deemed appropriate for needed functions. RFC 4890 describes ICMPv6 filtering recommendations for firewalls. The table below shows typical ICMP treatments in both IPv4 and IPv6. These are examples and should not be taken as hard recommendations. Each firewall policy needs to consider these carefully.

Another new element in IPv6 networking involves extension headers. Intended to add functionality for specific purposes, extension headers complicate IPv6 and present problems for firewalls to analyze effectively, because the transport header is no longer at a fixed offset and can only be found by walking the header chain. They are used for various functions including supporting IPsec (AH and ESP), Fragmentation, Mobility, and Routing options. One specific extension header that has been deprecated in IPv6 is the Routing header type 0 (RFC 5095), because of its similarity to the IPv4 source routing option. Firewalls are typically configured to drop such packets in both IPv4 and IPv6. Other extension headers need specific consideration in IPv6; a firewall should be tested with packets that carry several extension headers in a row, not only with plain TCP and UDP.

6.1.2 Proxy and Translation

A possible option in early phases of migration to IPv6 might be to use a firewall that performs proxy and translation functions for outbound requests that resolve to IPv6-only endpoints. A proxy firewall essentially terminates outbound requests and initiates a new request from the outside boundary of the firewall. Adding IPv6 translation allows the firewall to communicate with IPv6 destinations on the public side and translate return packets into IPv4 for reply back to internal IPv4-only hosts.

NDC Release 1. Since you can filter router advertisement on a workstation and you don’t want to deny router advertisements from an actual router.0 © 2012 AT&T Knowledge Ventures. To prevent this from occurring filters need to be applied at the port level. 6. this is the only way to prevent a rogue device from becoming a router on the LAN.1 Internal Security Router Solicitation and Router Advertisement As discussed above. All rights reserved. 27 . Cisco and other vendors have features on their switches to allow layer 3 filters to be applied to a layer 2 port. NDP uses ICMPv6 to determine link layer reachability between nodes on a common subnet. The router with high priority will be the primary default router for the LAN and become the default gateway for LAN devices. Also. there is still a risk of internal hosts attempting to automatically launch IPv4 based tunnels to Internet based tunnel gateways.2.6. This can automate the process of discovering router gateways and network prefix assignments. But this can also present the risk of a rogue entity on the subnet announcing itself as the priority gateway and hijacking traffic.2 Automatic Tunneling Even though we have defined this early phase of IPv6 migration to consist of an Internet connection and public servers in a DMZ with the internal enterprise remaining IPv4. not all switches support this feature. Below is a snippet from a Cisco switch: IPv6 access-list ACCESS_PORT remark **Block all traffic DHCP server -> client** deny udp any eq 547 any eq 546 remark **Block Router Advertisements** deny icmp any any router-advertisement permit any any Interface GigabitEthernet 1/0/1 switchport IPv6 traffic-filter ACCESS_PORT in The filter above will deny any router advertisements for a particular port on the switch (the filter also shows how to deny DHCP server packets). This guide is primarily focused on the firewall and DMZ. In addition to neighbor solicitations and advertisements. 
AT&T is a registered trademark of AT&T Knowledge Ventures. NDP also includes router solicitations and advertisements to determine default routing gateways. The table below offers help in blocking automatic tunnels at the perimeter firewall.2 6. The administrator responsible for device configuration should contact the appropriate network equipment vendor to get a list of supported switches. All IPv6 devices on a LAN segment will receive the announcement and discover the priority of any advertising router (low. Default routing behaviors should be defined on servers and router gateways in the DMZ to avoid the risk of rogue router advertisements. medium and high). Security policies should be defined and host configurations administered to prevent this (assuming it is an unwanted behavior).2.
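Two of the filtering problems raised above, extension-header chains in 6.1.1 and rogue Router Advertisements in 6.2.1, come down to the same packet-level work a firewall or switch feature must perform before any rule can match. The following is an added example written for this guide, not vendor firewall code: it walks an IPv6 extension-header chain, refuses Routing Header type 0 and undersized non-final fragments, stops at ESP, and for Router Advertisements decodes the default router preference and checks the source against an allow-list of known router link-local addresses. All packets are constructed inline from documentation addresses (2001:DB8::/32 and fe80::/10); checksums are left at zero because nothing here verifies them.

```python
"""Walk an IPv6 extension-header chain and apply the perimeter checks from 6.1.1 and 6.2.1.

Added example for this guide, not vendor firewall code. Constructed packets only.
"""
import ipaddress
import struct

# Next Header values (RFC 8200, RFC 4302/4303, RFC 6275)
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
TCP, ICMPV6 = 6, 58
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY}
MIN_MTU = 1280                                       # IPv6 minimum link MTU (RFC 8200)
ROUTER_ADVERTISEMENT = 134                           # ICMPv6 type (RFC 4861)
RA_PREFERENCE = {1: "high", 0: "medium", 3: "low"}   # RFC 4191 Prf bits; 2 is reserved


def walk_headers(pkt):
    """Return (chain, upper_proto, upper_offset) for a raw IPv6 packet.

    chain lists (next_header_value, offset, length) for each extension header in order.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXTENSION_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        if nxt == FRAGMENT:
            length = 8                               # fixed-size header
        elif nxt == AH:
            length = (pkt[off + 1] + 2) * 4          # AH length is in 4-octet units minus 2
        else:
            length = (pkt[off + 1] + 1) * 8          # others: 8-octet units, excluding the first 8
        chain.append((nxt, off, length))
        nxt, off = pkt[off], off + length            # first octet of every ext header is Next Header
    return chain, nxt, off


def inspect(pkt, allowed_ra_sources=frozenset()):
    """Return a list of short verdict tags; an empty list means the packet passes."""
    findings = []
    chain, upper, off = walk_headers(pkt)
    for nxt, hoff, _ in chain:
        if nxt == ROUTING and pkt[hoff + 2] == 0 and pkt[hoff + 3] > 0:
            findings.append("rh0")                   # Routing Header type 0, deprecated by RFC 5095
        if nxt == FRAGMENT:
            frag_field = struct.unpack("!H", pkt[hoff + 2:hoff + 4])[0]
            more_fragments = frag_field & 1          # offset is the upper 13 bits, M flag the low bit
            if more_fragments and len(pkt) < MIN_MTU:
                findings.append("small-fragment")    # every non-final fragment should fill the min MTU
    if upper == ESP:
        findings.append("esp-opaque")                # cannot inspect further; a site policy decision
    if upper == ICMPV6 and off + 8 <= len(pkt) and pkt[off] == ROUTER_ADVERTISEMENT:
        src = ipaddress.IPv6Address(pkt[8:24])
        prf = RA_PREFERENCE.get((pkt[off + 5] >> 3) & 0x3, "reserved")   # flags byte: M O H Prf Prf ...
        if not src.is_link_local or src not in allowed_ra_sources:
            findings.append("rogue-ra:" + prf)
    return findings


def ipv6(src, dst, nxt, payload, hop_limit=64):
    """Build a raw IPv6 packet: 40-byte fixed header followed by payload."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), nxt, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


# --- constructed sample packets -------------------------------------------------------
TCP_STUB = bytes(20)                                            # placeholder transport header
GOOD_TCP = ipv6("2001:db8::10", "2001:db8:f::80", TCP, TCP_STUB)

# Routing header type 0 with one waypoint: next=TCP, ext len=2 (24 bytes), type=0, segments left=1
RH0_HDR = struct.pack("!BBBB4x", TCP, 2, 0, 1) + ipaddress.IPv6Address("2001:db8:f::1").packed
RH0_PKT = ipv6("2001:db8::10", "2001:db8:f::80", ROUTING, RH0_HDR + TCP_STUB)

# First fragment (offset 0, M=1) that carries only 100 payload octets
FRAG_HDR = struct.pack("!BBHI", TCP, 0, (0 << 3) | 1, 0x1234)
SMALL_FRAG_PKT = ipv6("2001:db8::10", "2001:db8:f::80", FRAGMENT, FRAG_HDR + bytes(100))


def router_advertisement(src, prf_bits):
    """RA to all-nodes: type 134, code 0, checksum 0, hop limit 64, flags, lifetime, reachable, retrans."""
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, prf_bits << 3, 1800, 0, 0)
    return ipv6(src, "ff02::1", ICMPV6, icmp, hop_limit=255)


LEGIT_ROUTER = ipaddress.IPv6Address("fe80::1")
GOOD_RA = router_advertisement("fe80::1", 0)                    # medium preference, known router
ROGUE_RA = router_advertisement("fe80::bad", 1)                 # high preference, unknown source

if __name__ == "__main__":
    for label, pkt in [("tcp", GOOD_TCP), ("rh0", RH0_PKT), ("frag", SMALL_FRAG_PKT),
                       ("ra-good", GOOD_RA), ("ra-rogue", ROGUE_RA)]:
        print(label, inspect(pkt, {LEGIT_ROUTER}) or "pass")
```

The rogue RA in the sample announces itself with high preference, which is exactly how a host would win the default-gateway election described above; feeding captured frames from a monitor port into inspect() with the real router's link-local address in the allow-list turns this into a simple rogue-router detector.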

6.3 Candidate Best Practices

The bullet point list below is taken from a Cisco presentation and offers consideration points for possible best practice security steps.

• Implement privacy extensions carefully
• Filter internal-use IPv6 addresses at the enterprise border routers
• Filter unneeded services at the firewall
• Selectively filter ICMP
• Maintain host and application security
• Determine what extension headers will be allowed through the access control device
• Determine which ICMPv6 messages are required
• Deny IPv6 fragments destined to an internetworking device when possible
• Ensure adequate IPv6 fragmentation filtering capabilities
• Drop all fragments with less than 1280 octets (except the last one)
• Implement RFC 2827-like filtering and encourage your ISP to do the same
• Document procedures for last-hop traceback
• Use cryptographic protections where critical
• Use static neighbor entries for critical systems
• Implement ingress filtering of packets with IPv6 multicast source addresses
• Use traditional authentication mechanisms on BGP and IS-IS
• Use IPsec to secure protocols such as OSPFv3 and RIPng
• Use IPv6 hop limits to protect network devices
• Use static tunneling rather than dynamic tunneling
• Implement outbound filtering on firewall devices to allow only authorized tunneling endpoints

7 Servers/Endpoints

There is not a single right approach to making the corporate public-facing application services available to IPv6 end users. Most enterprises will likely deploy a dual-stack infrastructure where an IPv6 address is added to the same interface to which an IPv4 address is already assigned. This approach eliminates the need for a separate server, which minimizes the capital cost. However, some enterprises may feel uneasy about supporting an immature IPv6 service on a stable IPv4 server. IPv4 has been around for many years. Like most software, IPv4 applications have been tested as thoroughly as they can be. Newly found flaws come to light from time to time, but software vendors and customers are quick to remediate them. With IPv6, there is not industry-wide support at the time being. If the customer base is not pushing vendors for IPv6, vendors will not invest the resources to support it. While vendors may state their application is IPv6 ready, it may take several iterations or releases before some issues are identified and resolved. Vendors can make their attempts to thoroughly test their applications for problems, but it is not until the greater user community gets their hands on the applications that unexpected issues and flaws are discovered. For this reason, some enterprises may elect to deploy a separate physical server for IPv6. As an alternative, they could also consider using Network Address Translation (NAT64) or load-balancers to intercept IPv6 sessions and present them to the corporate servers as IPv4. Figure 7.1 illustrates how an enterprise can use NAT64 to service IPv6 users while keeping their Internet servers IPv4-only.

Figure 7.1—NAT64

Note in the above example, the enterprise Webserver www.abccompany.com is only assigned an IPv4 address of 12.1.1.1. When an IPv6 user attempts to access this site, the user is given the IPv6 address (2001:DB8:8400::C1:101) in the DNS response. The packets follow the appropriate routing path to the destination site. At the site, a NAT'ing device translates the IPv6 address to IPv4: the destination address 2001:DB8:8400::C1:101 is replaced with 12.1.1.1, and the source address is also translated to an IPv4 address. As far as the Webserver is concerned, it is processing an IPv4 request and is not aware of the initial IPv6 request. There are some drawbacks with this approach. One consequence of the source translation is that the web server's logs record the translator's IPv4 pool address rather than the client's real IPv6 address, which matters for abuse handling, rate limiting and forensics unless the translator's own logs are retained and correlated. AT&T encourages readers to conduct their own research and test the solution thoroughly before rolling it out in your production environment.

8 Domain Name System (DNS)

Before moving forward with this section, please make sure the corporate Internet gateways/servers are accessible over both the IPv4 and IPv6 Internet. Premature announcement of a domain name may result in black-holing traffic, sometimes referred to as "Internet brokenness".

In a typical IPv4 network environment depicted in Figure 8.1, an IPv4 user enters an easily recognizable or memorable domain name into an application such as a web browser. The application uses the underlying operating system to issue a DNS query to resolve the domain name to an IPv4 address. These requests are referred to as "Standard A" record requests. Upon receiving a "Standard A" request, a DNS server will respond with an answer containing the IPv4 address associated with the requested domain name. Standard-A is an IPv4 address record associated with a domain name; Quad-A, or AAAA, is the record associated with an IPv6 address. In this example, the user is configured to support IPv4-only addressing and will likely request just a "Standard A" or IPv4 address from the DNS server. It will receive only the IPv4 address corresponding to www.abccompany.com. This is the default behavior of most operating systems.

Figure 8.1—Standard-A DNS Request

If the end-user is dual-stacked as shown in Figure 8.2, it will send two DNS requests to its DNS server: one for Standard-A and a second for Quad-A. Notice in the figure below, the DNS server is IPv4-only and does not have an IPv6 address assigned. Therefore, the dual-stack end-user is pointing only to an IPv4 DNS server and will use its IPv4 address to request both a Standard-A and a Quad-A record. This is fine since both the Standard-A and Quad-A requests are made using IPv4 source/destination addresses. As long as the DNS server has the Quad-A record for the requested domain name, it will provide the IPv6 address back to the end-user in its response. In this example, www.abccompany.com is associated with both an IPv4 and an IPv6 address, with a DNS entry for each. If the end-user has a choice between IPv4 and IPv6 destination addresses, then most operating systems will prefer IPv6 over IPv4. Note: this default behavior can be changed by modifying the "prefixpolicy" table of the operating system. If the DNS server were also dual-stacked, then the client would likely issue DNS requests using its IPv6 address instead of IPv4.

Figure 8.2—Quad-A DNS Request

Before a Quad-A record can be provided by any DNS server, it must first exist in an authoritative DNS server for the requested domain name. The DNS server does not need to be IPv6 capable. As mentioned above, "Quad-A" record requests can be made using either the IPv4 or IPv6 protocol. Conversely, an IPv6-only host can request a "Standard A" record (i.e. an IPv4 address). A dual-stack user will typically request and receive both a Standard-A and a Quad-A record from its upstream DNS servers, assuming both records exist. In most situations, the requested domain name may not be cached on the initial DNS server an end-user is pointing to. If the entry does not exist, the DNS server will query its upstream DNS servers and may contact the root DNS servers and the servers for the requested top-level domain such as .com, .net, .edu, etc. The top-level domain servers hold the IPv4 (A) and IPv6 (AAAA) glue addresses of the authoritative DNS servers for the requested domain. This information is supplied to the registry by the domain name registrars. Therefore, it is very important to update the corporate profile with the domain registrar. The corporate profile will include at minimum the primary domain name and an IP address of the DNS servers. If the authoritative DNS servers are reachable by an IPv6 address, then the profile must be updated to include the new IPv6 address. Otherwise, other non-authoritative DNS servers will not know whom to contact to access the DNS information via IPv6.

In the near term, enterprises can choose to migrate their Internet gateways or servers to IPv6 while keeping their DNS servers IPv4-only with very little drawback. It is an acceptable migration approach since most end-users are expected to be dual-stacked for many years, so the Quad-A records can be obtained from an IPv4-only addressed DNS server. However, if service providers operate IPv6-only DNS servers or do not share domain information between IPv4, IPv6, and dual-stacked DNS servers, then there is a chance some end-users may not receive a DNS response. To eliminate this uncertainty, enterprises can decide to dual-stack their DNS servers and make their domains accessible by IPv4 or IPv6 users. Moreover, most service providers should exchange domain information across both IPv4 and dual-stacked DNS servers, so www.abccompany.com should also appear on the dual-stack DNS servers even though the authoritative DNS server is only available via an IPv4 address.

However, dual-stacked DNS servers do not completely resolve connectivity issues. As mentioned earlier, many dual-stack end-users have experienced "Internet brokenness". "Brokenness" occurs when a dual-stack end-user is not able to access content via the IPv6 address, but the destination is accessible via the IPv4 address. Upon receiving both records, a dual-stack user will use its IPv6 address to connect to the remote server via IPv6, because operating systems by default prefer IPv6 over IPv4. If the destination is not reachable via IPv6, then the session may time out without trying to access the destination via IPv4. This will give most users the impression that the content server is down, but in reality it is available via its IPv4 address. Why isn't this server reachable

via IPv6? One reason may be that IPv6 Internet service is not supported by all ISPs. Presently, IPv6 peering relationships are still being established between providers. ISPs may have an IPv4 peering relationship with another provider but no IPv6 connection between them. As shown below, three ISPs have a fully-meshed IPv4 peering relationship with each other, but a hub/spoke IPv6 relationship between ISP(A) and the other two providers. In most peering relationships, ISPs tag routes learned from their peers as non-transit routes. This means that ISP(A) will not pass routes learned from its peers to another peering partner. For instance, ISP(A) will not advertise routes learned from ISP(B) to ISP(C). Therefore ISP(C) will not have an IPv6 route to www.abccompany.com, which is hosted on ISP(B)'s network. Even though the end-user on ISP(C)'s network has IPv6 connectivity, this user does not have access to all content on the IPv6 Internet. This creates the situation depicted in Figure 8.3, where a destination is reachable via IPv4 but not via IPv6. This issue may persist for some time until the peering or network relationships become more mature.

Figure 8.3--Internet Brokenness and IPv6 Peering

Because of the "brokenness" issue, many enterprises have chosen to set up a secondary domain name to host their IPv6 web servers. For instance, instead of www.abccompany.com, the enterprise would use IPv6.abccompany.com to cater to IPv6 users and maintain www.abccompany.com for IPv4 users. The main benefit of this approach is that it eliminates the "brokenness" issue, but it also introduces other challenges. One of the questions it raises is how IPv6 users would know to use IPv6.abccompany.com to access the web server via IPv6. If the end-user is dual-stacked, then a company could place a link on the IPv4 homepage to redirect these users to the IPv6 site. Unfortunately, this approach does not help IPv6-only addressed end-users, but it is highly unlikely that such users would be provided IPv6-only addresses without the ISP providing some type of translation service to give them access to IPv4 sites.

Some vendors have begun to address the "brokenness" issue. In previous Windows versions, the browser timed out without attempting the IPv4 addresses of the destination server. However, in recent lab tests, Windows 7 clients are now falling back to the IPv4 website when an IPv6 connection isn't available. This is quite promising, but more work is needed in this area: it is taking some time to fail over to the IPv4 site due to retries and timeouts. For some impatient users, the long delay may not be acceptable, and the users may click away from the site before it has an opportunity to retrieve the data. The enterprise may then lose out on potential customers and revenue. Therefore a faster discovery and failover solution must be incorporated to make the transition seamless to the end-user, as documented in the Internet Draft "Happy Eyeballs: Success with Dual-Stack Hosts" (draft-ietf-v6ops-happy-eyeballs-04). Eventually these connectivity issues will be addressed by vendors, ISPs, enterprises, and/or end-users. In the meantime, some users may struggle with inconsistent IPv6 service.
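The difference between the time-out behaviour described above and the Happy Eyeballs approach is easiest to see when the two are run side by side against the same broken path. The following is an added example written for this guide (not the guide's own material or any vendor's implementation) of connection racing in the spirit of that draft, which later became RFC 6555. The network is injected as a callable so the example runs offline: the constructed fake models the "brokenness" case, an AAAA address that is routed but black-holed while the A address works. The two addresses are the ones used in the guide's figures.

```python
"""Dual-stack connection racing in the spirit of Happy Eyeballs (draft-ietf-v6ops-happy-eyeballs,
later RFC 6555). Added example for this guide; not code from the guide or from any vendor.

`connect(family, address, timeout)` is any callable that returns on success or raises OSError,
so the example runs offline against the constructed fake network below.
"""
import concurrent.futures
import socket
import time

V6_ADDR = "2001:db8:8400::c1:101"
V4_ADDR = "12.1.1.1"
ADDRESSES = [(socket.AF_INET6, V6_ADDR), (socket.AF_INET, V4_ADDR)]   # resolver order: AAAA first


def naive_connect(addresses, connect, timeout):
    """Pre-Happy-Eyeballs behaviour: try each address in order, waiting out every failure."""
    last_error = None
    for family, addr in addresses:
        try:
            return connect(family, addr, timeout)
        except OSError as exc:
            last_error = exc
    raise OSError("no address reachable") from last_error


def _first_success(futures, wait):
    """Wait up to `wait` seconds for any future to succeed; return its result or None."""
    deadline = time.monotonic() + wait
    outstanding = set(futures)
    while outstanding:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        done, outstanding = concurrent.futures.wait(
            outstanding, timeout=remaining, return_when=concurrent.futures.FIRST_COMPLETED)
        for f in done:
            if f.exception() is None:
                return f.result()
    return None


def happy_eyeballs(addresses, connect, head_start=0.25, timeout=2.0):
    """Start IPv6 first; if it has not connected within head_start, start IPv4 in parallel.

    Whichever attempt succeeds first wins; the loser keeps running in the background and is
    discarded, which is why failover takes about head_start rather than a full timeout.
    """
    ordered = [a for a in addresses if a[0] == socket.AF_INET6] + \
              [a for a in addresses if a[0] != socket.AF_INET6]
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=max(1, len(ordered)))
    pending = []
    try:
        for family, addr in ordered:
            pending.append(pool.submit(connect, family, addr, timeout))
            winner = _first_success(pending, head_start)
            if winner is not None:
                return winner
        winner = _first_success(pending, timeout)        # everything started; wait for a success
        if winner is None:
            raise OSError("no address reachable")
        return winner
    finally:
        pool.shutdown(wait=False)


def fake_network(v6_blackholed):
    """Constructed stand-in for connect(): IPv6 hangs until timeout when black-holed; IPv4 works."""
    def connect(family, addr, timeout):
        if family == socket.AF_INET6 and v6_blackholed:
            time.sleep(timeout)                            # SYNs vanish; the client waits out its timer
            raise OSError("connect to %s timed out" % addr)
        time.sleep(0.05)                                   # one round trip for the handshake
        return addr
    return connect


def timed(fn, *args, **kwargs):
    """Run fn; return (connected_address or None, elapsed_seconds)."""
    start = time.monotonic()
    try:
        result = fn(*args, **kwargs)
    except OSError:
        result = None
    return result, time.monotonic() - start


if __name__ == "__main__":
    broken = fake_network(v6_blackholed=True)
    print("naive    :", timed(naive_connect, ADDRESSES, broken, 2.0))
    print("eyeballs :", timed(happy_eyeballs, ADDRESSES, broken, head_start=0.25, timeout=2.0))
    print("healthy  :", timed(happy_eyeballs, ADDRESSES, fake_network(False)))
```

On the broken path the naive client only reaches 12.1.1.1 after the full IPv6 timeout, whereas the racing client reaches it after roughly the head start plus one round trip; on a healthy path IPv6 still wins, so the preference for IPv6 described earlier in this section is preserved.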

9 Testing/Verification

This is perhaps the most important step in the IPv6 migration process. One must determine if the following questions can be answered with a firm yes:

1) Do you have access to the corporate Internet router from the IPv6 Internet?
2) Are the security rule-sets implemented correctly?
3) Are you receiving Quad-A DNS responses?
4) And ultimately, can you access the corporate Internet servers from the IPv6 Internet?

Before tackling the above questions, the testing personnel must first connect to the IPv6 Internet. This Internet connection must not be the same IPv6 connection that the corporate servers are on; otherwise the test never exercises the upstream routing, peering and perimeter filtering it is meant to verify. It can be a third-party transition service such as an IPv6 tunnel broker or the Teredo tunnel service. There are free tunnel brokers like Hurricane Electric that may require user registration. Alternatively, one can use the Teredo service that is readily supported on most Windows and Linux operating systems. The Teredo service can be used by any user with an IPv4 Internet connection and may be a quick and easy way to connect to the IPv6 Internet.

Once connected to the IPv6 Internet, the tester can use the typical network troubleshooting tools like "ping" or "tracert" to test connectivity to IPv6 destination addresses. One may need to use the option "-6" for IPv6 along with these commands. This should allow testers to confirm there is IPv6 connectivity to the corporate Internet and key servers/gateways. For DNS, the tester can use "nslookup" to perform a DNS query against its DNS server. The tester may need to go into the "nslookup" interactive mode and issue "set type=aaaa" to force the "nslookup" application to request a Quad-A record. As another option, the tester can issue either "ping" or "tracert" with the "-6" option using the domain name as the destination; the "-6" option will force the client's operating system to issue a Quad-A request for the domain name. There are some security tools for IPv6 that can be used to verify that the implemented rule-sets are working properly. These can also be used to conduct preliminary security tests of the firewall.

Now the tester is ready to test the application by typing the URL for the server into the application. If the application is able to retrieve the information, it is likely the data was retrieved via IPv6. However, if the tester is using the Teredo service, then the Windows 7 client will use the IPv4 address to access the data: by default, the Windows prefix policy ranks Teredo addresses below IPv4, so a Teredo-connected client prefers the IPv4 destination address even though native IPv6 is normally preferred. So if the domain name resolves to both IPv4 and IPv6 addresses, the tester may need to modify the "prefixpolicy". Therefore, it is highly recommended that Wireshark is used to determine whether the client is actually using IPv6 or IPv4 addresses to access the destination.

10 Conclusion

The migration to dual-stack capabilities will bring a lot of change, from security policy reviews to equipment upgrades to application testing to legal review. Organizations must engage an IPv6 adoption team now that, similar to the Year 2000 effort, delivers a holistic approach to dual-stack support. Unlike Year 2000, dual-stack services will be needed at a point of demand, versus a date on the calendar. Given the lack of maturity of the IPv6 software stack from many vendors, it is strongly urged that enterprises carefully evaluate and test the IPv6 functionality of the devices they choose to manage, or look to a service provider to deliver the managed capabilities.

This is not what we want since this will black-hole the IPv6 traffic. So now. Then go to Local Computer Policy> Admin Templates> Network> TCPIP Settings> IPv6 Transition Tech> Teredo Default Qualified. When this is done. In this "active" state. At a quick glance. IPv6. This will force all IPv6 traffic to this default gateway. In the “ipconfig /all” results. a) By default. This address is a legitimate IPv6 address reserved for Teredo service and can give users the wrong impression that they are connected to a Teredo Tunnel server. This command will provide a report of all IP addresses (IPv4 and IPv6) assigned to the system’s interfaces. They are actually in a dormant mode and not connected to a live Tunnel server. Since most enterprises are planning to migrate to Windows 7 Operating System in the next few years. So this means most Teredo clients will not be able to get to any IPv6 websites since the IPv6 domain name will not resolve to an IPv6 address or Quad-A response. If the Teredo client attempts to surf to IPv6. However this is not the case. an IPv6 default route (::/0) will be added pointing to the default gateway address that was manually entered. It’s simple to verify that a Windows system is running IPv6 by issuing a very familiar DOS command “ipconfig /all”. Since Teredo service is a tunneling protocol. Windows XP users must manually install the IPv6 protocol stack. IPv4 users can send IPv6 packets inside the tunnel. Change it to Enabled. AT&T is a registered trademark of AT&T Knowledge Ventures. It is actually in an "active" state. This shows that IPv6 protocol is running on the system. the Teredo interface may appear to be up and running. 37 . users must manually enable the Teredo protocol using the following steps: 1) Open up the Group Policy Manager console (gpedit. the Wireshark trace shows that the Teredo client only requests a standard A record. b) Workaround is to assign an IPv6 address and a default gateway manually to an active interface. 
an IPv6 address (2001::/32) is assigned to the Interface. there should be an IPv6 link-local address that starts with FE80::/64. Vista. Teredo can be used as a quick way to connect to the IPv6 Internet to test connectivity as discussed in Section 9. IPv6 protocol stack is enabled by default on Windows 7. Once the tunnel is established. Unlike Windows XP.google.google. Under each interface. Windows Vista and 7 will not request a Quad-A record if there is no non-link local address assigned to the interface. For instance. it bypassed most conventional firewalls and intrusion detection systems because these systems were not capable of reading deeper into the encapsulated packets. this section will mainly focus on enabling Teredo service on Windows 7 clients and does not cover instructions for other Windows platforms. However you must follow the directions below to force Windows to perform Quad-A record request. etc. So NDC Release 1.com is only reachable via IPv6 address. Some principles discussed in this section may also apply to Windows XP. these two Windows operating system will not ask for a Quad-A record for a domain name. Teredo Interface is ignored by the operating system. All rights reserved. 2) Now the Teredo service should be up and running.0 © 2012 AT&T Knowledge Ventures. one should also see a pseudo interface for the Teredo Tunnel service. Even if a global unique address out of the (2001::/32) range is assigned to the Teredo interface.Appendix A Appendix A A-1 Establishing a Teredo Tunnel Teredo is an IPv4 tunneling protocol that enables IPv4 users to access IPv6 resources. IPv4 users build an IPv4 tunnel across their existing IPv4 WAN and Internet to a publicly available Teredo Tunnel server.com.msc). This is likely to address the criticism of the previous Windows releases that automatically connected to a tunnel server.

A-2 IPv6 Address Example

The figure below illustrates an approach for allocating IPv6 prefixes within an enterprise network. This is just an example; there is no one correct method. Each enterprise must carefully evaluate its corporate requirements and determine the addressing strategy that is right for it.

In this example, an enterprise has been allocated a 48-bit prefix. The diagram depicts four network segments that require IPv6 addresses: CE-PE WAN, CE-Firewall LAN, DMZ LAN, and Corporate LAN. The CE-PE link addresses are typically provided by the ISP, so there isn't much a customer needs to do for this link. Next is the CE-Firewall LAN subnet. If the present industry standard is followed, a 64-bit prefix should be allocated to this LAN even though there are just two devices in it. In this example, a 60-bit prefix is carved out of the aggregate 48-bit prefix for point-to-point connections, from which a 64-bit prefix was allocated to the CE-Firewall LAN. This gives sixteen 64-bit prefixes that can be used for other point-to-point connections. If longer prefixes such as 127-bit prefixes are used, a greater number of point-to-point connections can be supported. Similarly, the DMZ LAN segment is assigned a 64-bit prefix from a larger 60-bit prefix that was taken from the aggregate 48-bit prefix; that takes another sixteen 64-bit prefixes. Between the DMZ and CE-Firewall network segments, a total of thirty-two 64-bit prefixes have been allocated. That leaves a total of 254 contiguous 56-bit prefixes to be assigned to the rest of the enterprise network.

If possible, IPv6 prefixes should be allocated on double-octet, octet, or half-octet boundaries. This will help to avoid overlapping prefixes. An octet is a byte, or 8 bits, and takes up two hex digits. A double-octet is 16 bits wide and is represented by the four hex digits between two colons (:0000:) in an IPv6 address. A half-octet is 4 bits, or one hex digit.

In this example, the CE-Firewall and DMZ prefixes were chosen from the upper bound of the 48-bit aggregate prefix. With this approach, network administrators do not have to be concerned about prefix overlaps or address conflicts: it will be clearly understood that the upper bound is reserved for special purposes. The actual prefix boundary will be determined by the enterprise addressing strategy.
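The carve-up described above, as an added Python example that is not from this guide: it takes the two special-purpose /60s from the upper bound of a /48 aggregate, assigns the CE-Firewall and DMZ /64s from them, and verifies that nothing overlaps and that every prefix sits on a half-octet boundary. The aggregate is a constructed documentation prefix, and reserving the upper two /56s for the special-purpose blocks is an assumption chosen to match the 254 /56s the text says remain.

```python
# Added example, not from the AT&T guide: carve a /48 aggregate the way the
# figure above describes. The aggregate is a constructed documentation prefix;
# reserving the upper two /56s for the special-purpose blocks is an assumption
# consistent with the 254 /56s the text says remain.
import ipaddress
from itertools import combinations

def on_nibble_boundary(net):
    """True if the prefix length ends on a half-octet (one hex digit) boundary;
    octet and double-octet boundaries satisfy this as well."""
    return net.prefixlen % 4 == 0

def no_overlaps(nets):
    """True if no two prefixes in the plan overlap."""
    return not any(a.overlaps(b) for a, b in combinations(nets, 2))

def plan_enterprise(aggregate):
    """Return the named prefixes of the example plan for a /48 aggregate."""
    agg = ipaddress.IPv6Network(aggregate)
    if agg.prefixlen != 48:
        raise ValueError("expected a /48 aggregate")
    fifty_sixes = list(agg.subnets(new_prefix=56))           # 256 x /56
    dmz_block, p2p_block = fifty_sixes[-2], fifty_sixes[-1]  # upper bound
    p2p_60 = next(p2p_block.subnets(new_prefix=60))          # /60 for links
    dmz_60 = next(dmz_block.subnets(new_prefix=60))          # /60 for the DMZ
    p2p_64s = list(p2p_60.subnets(new_prefix=64))            # sixteen /64s
    return {
        "ce_firewall_lan": p2p_64s[0],      # a full /64 even for two devices
        "spare_p2p": p2p_64s[1:],           # fifteen more /64s for other links
        "dmz_lan": next(dmz_60.subnets(new_prefix=64)),
        "corporate_56s": fifty_sixes[:-2],  # 254 contiguous /56s remain
    }

def all_prefixes(plan):
    """Flatten the plan into one list of networks for the checks."""
    return ([plan["ce_firewall_lan"], plan["dmz_lan"]]
            + plan["spare_p2p"] + plan["corporate_56s"])

if __name__ == "__main__":
    plan = plan_enterprise("2001:db8:100::/48")
    nets = all_prefixes(plan)
    print(plan["ce_firewall_lan"], plan["dmz_lan"], len(plan["corporate_56s"]))
    print("no overlaps:", no_overlaps(nets),
          "nibble-aligned:", all(on_nibble_boundary(n) for n in nets))
```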

A-3 Frequently Asked Questions:

Why do we need IPv6?
With huge growth in wireless technology/devices and the expansion of IP networks, many network service providers are expecting to run out of IPv4 addresses soon. Although IPv4 networks will continue to be supported for many years to come, it's wise for organizations to begin thinking about IPv6 and planning for the future. Many ISPs such as AT&T will likely offer IPv6 as a dual-stack service that supports both IPv4 and IPv6 addresses, to enable organizations to adopt IPv6 gradually.

How can I track exhaust of IPv4?
There are several sites that provide information about IPv4 address allocation and exhaust predictions. The date when IANA will exhaust is the most widely quoted and predicted date. Other dates include when each RIR will exhaust, when all RIRs will exhaust, and then when ISPs and enterprises will exhaust their addresses. Here are the links of interest:
• IANA: http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
• NRO: http://www.nro.net/statistics/
• Geoff Huston: http://www.potaroo.net/tools/ipv4/index.html
• Tony Hain: http://www.tndh.net/~tony/ietf/ipv4-pool.html
• ARIN: https://www.arin.net/knowledge/statistics/index.html and https://www.arin.net/participate/meetings/ARIN-XXVI/

What are the main use cases (applications) of these v6 customers? E.g. Web surfing, consumer apps, etc.
Individual motivation to migrate to IPv6 varies for each customer. Some customers are interested in IPv6 to make sure they don't lose out on potential IPv6-only customers. Others may be pushed to support IPv6 by business requirements levied on them by extranet partners who are migrating to IPv6. Some may be deploying devices that require large blocks of addresses for inventory/tracking purposes.

What's the process for requesting IPv6 addresses?
Organizations must meet certain minimum requirements to receive IPv6 addresses directly from ARIN, APNIC, or RIPE. If not, they will need to request IPv6 addresses from their ISP. Customers should review the policies listed below to determine if they qualify for IPv6 addresses. Most ISPs will be assigned a /32 network. Non-ISPs will typically be assigned a minimum of a /48 network address. ISPs and non-ISPs can request a larger block if they can provide legitimate justification for more addresses.
• For ISPs in the US, follow the instructions listed in the following link: https://www.arin.net/resources/request/IPv6_initial_alloc.html
• For non-ISPs in the US, use the following link: https://www.arin.net/resources/request/IPv6_initial_assign.html

• For organizations in Asia-Pacific, please read the IPv6 policies listed in the link: http://ftp.apnic.net/apnic/docs/IPv6-address-policy
• For EMEA organizations, IPv6 policies are listed in the following link: http://www.ripe.net/ripe/docs/IPv6policy.html
Here's a link to the IANA website listing the IPv6 blocks that have been allocated to the Regional Internet Registries: http://iana.org/assignments/IPv6-unicast-address-assignments/IPv6-unicast-address-assignments.xml

What IPv6 address assignment options are available?
There are 3 addressing options: manual, DHCP, or auto-configuration. Manual addressing allows users to statically assign an IPv6 address on clients. DHCP allocates addresses dynamically to clients. However, there is a slight difference in DHCPv6 compared to DHCPv4: there are two parameter options that must be enabled to turn on DHCP and to allocate other DHCP information to clients. Auto-configuration allows IPv6 clients to assign themselves an IPv6 address based on Neighbor Discovery Protocol Router Advertisement packets. Please see the attached charts for a summary of the information about DHCPv6 and auto-configuration.

Do you have any v6-only customers? If so, why? Because no more v4 addressing or for some other reason?
There are very few customers who are considering a complete migration to an IPv6 network. Most customers are electing to deploy a dual-stack infrastructure to support both IPv4 and IPv6 services. Those who are considering a complete migration have the added challenge of providing their IPv6 users access to internet/intranet resources that remain on the IPv4 network.

Do you accept v6 blocks from other RIRs? E.g. accept a RIPE block from a NY peering?
AT&T will only accept PI (Provider Independent) addresses and AT&T-assigned PA (Provider Assigned) addresses from a customer. AT&T will not accept IPv6 addresses that are owned by another provider.

Do you SWIP the PA IPv6 address space that is assigned to a customer?
The answer is yes. There should not be any difference in the information provided with the SWIP (Shared WHOIS Project, the process used to submit, maintain and update information in WHOIS records per RFC 1491) for IPv4 and IPv6.

What's AT&T's policy regarding IPv6 Internet multi-homing?
If a customer is interested in a multi-homing internet solution (i.e., a connection to AT&T and another ISP), the customer must own the desired IPv6 address they want to advertise. The IPv6 address must be directly assigned to the customer by their regional internet registry organization, such as ARIN. It cannot be an address provided by another service provider. In addition, the IPv6 address block must be a minimum of a /48 subnet. AT&T will not advertise anything longer than a /48 subnet to the Internet.

How many IPv6 routes does AT&T dual-stack MIS support?
BGP route advertisement is done on an exception basis. AT&T will not advertise a prefix longer than a /48 subnet. However, within the AT&T network, the customer can advertise a longer subnet. For each route, AT&T will add the route to the allowed filter list on the PE router to allow the route to be accepted into the network.

What 6-4/4-6 translation methods do you use?
AT&T is actively testing 2 transition technologies: 1) NAT64, to allow IPv6-only MIS customers to access IPv4 internet resources, and 2) a T6 gateway, to allow IPv4-only internet users to access MIS customers' IPv6-only internet servers. This requires software to be installed on the user's PC.

How is v6 DNS handled for Web sites that are both v6 and v4 capable using the same domain name? E.g. what if www.gs.com were both v6 & v4 capable? How would you send v6 customers AAAA records while v4 customers get regular A records?
DNS servers will provide a standard A or Quad-A record to any client that requests the information. IPv4-only clients can request a Quad-A record, and IPv6-only clients can ask for a standard A record. The actual request may vary depending on the client operating system. Customers should test their applications and systems to better understand DNS behavior.

Is there any impact on encrypted VPN tunnels with IPv6?
If it's native IPv6 end-to-end, then the VPN tunnel will be fine. In the dual-stack offer, customers should be able to establish native IPv4-IPv4 and IPv6-IPv6 IPSec sessions without issues. If you are trying to establish a tunnel via v4/v6 NAT, then you will run into issues. This is because IPv6 utilizes the extension headers for IPSec; if NAT is performed in the path, the extension headers are stripped and you lose the IPSec session information.

What does AT&T see in 2012 and beyond in terms of v6 deployment and the number of v6 customers?
We expect a significant increase in interest and in actual adoption of IPv6 network services in 2012. We are actively engaged with many customers in discussing and strategizing the best approach to migrating to IPv6.