David

IPv6 - updates and topics

David — Sat, 09 Jun 2007 02:36:00 GMT

Sorry for the long gap in time, but many other pressing issues came up, not the least of which were medical in nature... But, back to the topic at hand…

I finally managed to get the financing for the public IPv6 address space taken care of at work (it wasn't the amount mind you, just the paperwork which is the real pain as anyone in a large corporation will tell you). I'm currently working on an education plan for our Network Engineering and Network Management group to get things rolling. I've written a reasonable overview doc (see my earlier post for a link to a generic version of it), but I need to present it in a classroom format so that they can ask questions and get a discussion going. Plus I need a bit more time on the 4 to 6 transition mechanisms like Teredo and ISATAP as I have not had much opportunity to work with them.

One of the most important items is coming up with the allocation scheme. IPv6 subnets are, for all practical purposes, infinitely large, so you don’t need multiple subnets for sizing reasons, but for segregating traffic, it’s important to lay them out carefully. My company has separate networks for VoIP, Wireless, Wired, Industrial equipment, etc. So we have at least 7 subnets in most sites today. We do break things up on reasonable boundaries so that we don’t have too many routes being advertised at a given site, but with v6 we can bring it down to a single summarized route per site. We’re looking at about 16 network ranges per site which will include the previously mentioned networks, plus the serial link network and a single network range for loopback addresses (broken into /128 host addresses). This will make it a bit cleaner for route advertisements than we are able to accomplish today.

BTW - For those of you who are interested, especially in larger organizations, you can receive a /48 allocation direct from ARIN (North America) IF you already have a direct IPv4 allocation. A /48 is a no questions asked allocation if you already have a IPv4 direct allocation of any size; if you want a larger block, you'll have to justify it. They are currently waiving the annual fees (nothing new for you more recent allocation recipients, but for those who have had their v4 allocation since "dirt" you may have to pay a fee, see www.arin.net ) since you already pay them for your current v4 allocation. You will, unfortunately, have to cough up $500 US for the "registration" fee. Seems rather petty to me since they're really trying to encourage v6 adoption, but for the moment, at least, that's the deal. Most folks will probably get their allocation from the upstream ISP which is the better way to go if you aren't multi-homing. If you are multi-homing, you'll definitely want to look into a PI allocation (provider independent a.k.a. portable address range like direct v4 allocations from ARIN) as it makes multi-homing significantly less complicated to deal with.

I would like to emphasize the importance of setting up a lab and playing with IPv6 before even thinking of deploying it. I have been tinkering about with IPv6 for over a year now, and I’m just now getting a real comfort level with the details (I’m not a slow learner, mind, but as this is personal time stolen out of 50-60 hr work weeks, so it’s sometimes hard to explain to the wife about the extra couple of hours spent in the lab especially in my home lab).

I posted the contents of my home network in a prior entry, a few changes have happened since then (gee that never happens in a lab :), so I figured I’d post an update to the inventory (and yes, I’m a big B5 fan if you couldn’t tell from the system names):

HomeLab

Servers:
7 Win 2003 R2 Servers
2 Win 2003 Servers
2 SuSE 10 Servers
1 SPLAT Firewall manager
1 Nokia IPSO Firewall

Workstations:
2 Win XP Desktops
1 Win XP Laptop
1 Vista Ultimate Laptop

Network:
1 Cisco 3640 router
1 Cisco 3620 router
1 Cisco 3750 POE switch
2 Extreme Summit 200-48 switches
1 TrendNet Wireless AP
1 3Com TR Hub

Other:
Avaya VoIP Phone

WorkLab

3 HP DL380 servers (scratch boxes at the moment)
2 WinXP desktops
1 Nokia IPSO Firewall
1 Nortel 1750 Contivity VPN Router
1 Cisco 3620 router
4 Cisco 3750 (2 x 2 switch stacks)
1 Cisco 3750 POE switch
1 Extreme Summit 200-48 switch
Avaya VoIP Phone

I have these two labs tied together via a VPN connection over IPv4 as mentioned earlier. I have also connected a work peer’s home network via VPN connection as well. All three lab networks are using IPv6 over IPv4 tunnels with BGP between them for peering. The work lab also has a connection to a remote Linux server using a 6over4 tunnel as well. The Cisco 3620 work lab router connects to the SIT virtual interface on the Linux system. I’m not running any routing over it, so I had to include a default route on the Linux side pointing back to the 3620 in the lab. All three lab networks can reach this remote server via IPv6. If you want to learn how to setup the SIT interface, check out the man page on ifcfg-tunnel. The Cisco side is configured just like any other 6over4 tunnel and the Linux box is configured with a static SIT tunnel using its local Ethernet IPv4 interface.

Next steps for work include the aforementioned lunch-and-learns, some high-level marketing to the technical managers, and getting the official data center lab rigged with IPv6. The data center lab has a much larger variety of hardware available including IBM P-Series servers, E-Series servers, z/OS system, Cisco chassis switches, Cisco VoIP equipment, and other expensive toys that I’m not able to “acquire” for my little test lab. My current expectations are to have a formal lab environment setup by year end, and possible pilot deployment overlaying the IPv4 environment in a small number of sites by Q2 2008. We’ll have to see…

Until next time.

The story I referenced in an earlier post...

David — Sat, 23 Sep 2006 15:26:00 GMT

I mentioned that the TR hub in my network had a story behind it... Well, here it is.

My network is made up of castoffs and other people's junk, so I don't have the most up-to-date hardware to run things on (like the TR hub :). Well I was trying to install the MS Vista Beta 2 on an old Compaq Armada E500. Unfortunately, there were no drivers for the ethernet card with the Beta2 distro. So, I looked around and found an old IBM turbo token ring PC card and yanked down an XP driver for it. I got this to work so that I could get to the MS Update page and pull down a driver for the Ethernet card in the E500. So, I had to use TR to jumpstart the Ethernet (gee that sounds historical doesn't it). At any rate, without the TR hub and such, it would have been much more difficult to do as I don't have a wireless setup at home yet.

Hope you get a chuckle out of this too.

IPv6 Presentations

David — Sat, 23 Sep 2006 15:09:00 GMT

I created two presentations for work. I've included an edited version of them here...

A technical overview and a short management presentation.

Feel free to peruse them.

IPv6 and DNS PTRs

David — Fri, 22 Sep 2006 22:00:00 GMT

Haven't posted for a while, been busy with other more pressing issues... I finally had a bit of time to figure out one of the little niggling details that I wasn't able to get around to earlier on. PTR records for v6. Unfortunately, PTR records are a bit ugly, actually a lot ugly especially the way that Microsoft's snap-in for DNS presents it. Microsoft's IPv6 stack won't post a dynamic DNS PTR record for v6 like it does for v4. If you want one, you have to do it by hand, which is a pain (so much for DHCP and DynDNS saving the day here). It's not even real consistent with forward lookup registration either. I had a few systems that did, and some that didn't.

At any rate, the documentation on Microsoft's site is pretty good, but they do lack for examples on certain things. Creating the zone for the v6 reverse can be done two ways, the recommended way is to use the dnscmd on the cmd shell to create it. If you use the snap-in you end up with this gobblygook hierarchy since it creates a sub-level for each nibble. You can use the now deprecated INT format, or the preferred and accepted ip6.arpa format. I went with the ip6.arpa format since I didn’t have anything done yet anyway. It took me a while to figure out how to create the zone since there’s not much in the way of any examples for how to use the dnscmd. A couple of things. The server wants things in nibble format. There’s supposedly a new format out that ISC BIND 9x works with that’s a bit string which is easier, but MS hasn’t gone to that (yet?)… Nibble format is simply putting dots between each of the hex characters. You can’t abbreviate here, though, it has to be the whole deal. For example: f:1:f would be equivalently 000f:0001:000f which would be 0.0.0.f.0.0.0.1.0.0.0.f in nibble format. You’d then take this address and reverse it. For the lazy (myself included) I found a site that will take an IPv6 address and put it in nibble format and reverse it for you: http://www.ipv6.logix.cz/tools.xp

Now on to the DNS bit…

First, here’s one example system I want reverse entries for:
bridge.the-taylor-family.org (my dns server). It has an IPv6 address of: fd15:a9b8:480d:1:2d0:59ff:fe2d:62fe
The full PTR record for this would be: e.f.2.6.d.2.e.f.f.f.9.5.0.d.2.0.1.0.0.0.d.0.8.4.8.b.9.a.5.1.d.f.ip6.arpa

So, here we go. First, have to create the zone:

Network fd15:a9b8:480d::/48
Zone Name: d.0.8.4.8.b.9.a.5.1.d.f.ip6.arpa
Command to create it:
dnscmd bridge.the-taylor-family.org /zoneadd d.0.8.4.8.b.9.a.5.1.d.f.ip6.arpa /dsprimary

Here’s the breakdown:

bridge.the-taylor-family.org is the DNS server I’m creating the zone file on
/zoneadd – add a zone
zone name – 5.6.4.4.0.f.d.3.0.a.d.f.ip6.arpa (from first example)
/dsprimary – Directory AD enabled – you don’t have to do this, but it makes it easier for me since I’ve got an AD infrastructure and my DNS lives on it.

Next since I was already scripting things, here’s the command to add a reverse lookup:
dnscmd bridge.the-taylor-family.org /recordadd d.0.8.4.8.b.9.a.5.1.d.f.ip6.arpa e.f.2.6.d.2.e.f.f.f.9.5.0.d.2.0.1.0.0.0 PTR bridge.the-taylor-family.org.

That’s actually one long line so don’t split it when you’re doing your own. Once again:
bridge… DNS server
/recordadd – adding a record (PTR in this case)
d.0.8.4.8.b.9.a.5.1.d.f.ip6.arpa – is the zone I’m dumping it in
e.f.2.6.d.2.e.f.f.f.9.5.0.d.2.0.1.0.0.0 – this is the reversed host portion with subnet of the address in nibble format (see link above for lazy folks like me)

Unfortunately, the records get added as a long list of sub-networks in the DNS server due to the way that MS does their bit. Oh well, maybe Longhorn will fix that. Hope this helps somebody else as I would have appreciated this information the easier way rather than having to trial-n-error myself through it…

IPv6 remote connectivity...

David — Sun, 13 Aug 2006 00:32:00 GMT

I set up a remote connection over a IPv4 VPN connection to a remote lab. It took quite a bit of tinkering to get things to work correctly, so I figured I'd share the effort in case somebody else tries to do it.

I have a connection with my work lab set up so that I can do testing on remote networks across a slow speed link (as compared to the LAN). I have a Cisco 3620 on the remote side attached to the lab network with a few workstations behind it. A VPN connection gets me up to the network that the router and lab equipment is attached to (this is a IPv6 only forwarding router the way its set up). I created a tunnel interface following Cisco's documentation for a v6 over v4 tunnel and had no problems with that. Originally, I set up RIPng to make sure that the connection works, which it did, but I wanted to create a BGP connection as it was more of a challenge to do.

BTW, just a little side note, the 3620 is running 12.3 code which is the latest Cisco made for that platform. The config allows you to enter ipv6 router ospf 1, but it doesn't actually do anything. It doesn't show up in the running config and it won't let you enable it on any interface, so when running the 12.3 code, you have to run RIP or static (I don't do ISIS, so I am uncertain about setting it up with IPv6)..

Ok, BGP is a bit trickier to set up as you have to set up the multi-protocol pieces to make it work correctly. This was a new one for me and I had to actually get the docs out to do it rather than just whipping it out from previous configs. It's pretty straightforward once you get the where things go... The first section is about normal except for the no bgp default ipv4-unicast statement for creating a pure IPv6 BGP setup. Next after configuring the main section with your neighbor statements, you have to create a section for the IPv6 address family. You actually activate your neighbor here and add your network and redistribute statements in this section rather than in the main router bgp section. Below, I've attached the config for the my core router (minus a few extraneous details like passwords :) I did leave one item in for illustration, the name server address. The DNS server is a Win2003 server and it listens on IPv6 for resolving addresses. Cisco does the DNS over IPv6 just fine too.

A couple of items. BGP, in the configuration below only talks on IPv6 (over the tunnel), but BGP v4 has a couple of limitations:

The router id is a 4 byte number. If you set up a completely IPv6 network, you'll need to give the router-id some unique IPv4 address for its identity.
The cluster id used on route reflectors is a also a4 byte number, so the same limitation applies here too.

Have fun with the configs...

Here's the local side network config
hostname Core
!
ip cef
!
ip name-server FD15:A9B8:480D:1:290:27FF:FEA1:7F81
!
ipv6 unicast-routing
ipv6 cef
!
interface Tunnel1
description Connection to RemoteNet
no ip address
ipv6 address FD15:A9B8:480D:FFF1::1/64
tunnel source FastEthernet0/0
tunnel destination 10.254.54.34
tunnel mode ipv6ip
!
interface Loopback0
ip address 10.255.1.1 255.255.255.255
ipv6 address FD15:A9B8:480D:FFFF::1/128
ipv6 enable
ipv6 rip 1 enable
!
interface FastEthernet0/0
description Primary Ethernet Network
ip address 172.30.255.1 255.255.255.224
ip route-cache flow
duplex auto
speed auto
ipv6 address FD15:A9B8:480D:1::1/64
ipv6 address autoconfig default
ipv6 enable
ipv6 rip 1 enable
!
router bgp 65011
bgp router-id 172.30.255.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor FD15:A9B8:480D:FFF1::2 remote-as 65010
!
address-family ipv6
neighbor FD15:A9B8:480D:FFF1::2 activate
neighbor FD15:A9B8:480D:FFF1::2 route-map remotev6 in
network FD15:A9B8:480D::/48
redistribute static
redistribute rip 1
no synchronization
exit-address-family
!
ipv6 route FD15:A9B8:480D::/48 Null0
ipv6 route FDA0:3DF0:4465:FFFF::1/128 FD15:A9B8:480D:FFF1::2
ipv6 router ospf 1
router-id 10.255.1.1
log-adjacency-changes
!
ipv6 router rip 1
!
ipv6 prefix-list remotev6 seq 5 permit FDA0:3DF0:4465::/48 le 128
ipv6 prefix-list remotev6 seq 10 deny ::/0
route-map remotev6 permit 10
match ipv6 address prefix-list remotev6
!

Here's the remote side network config:

hostname remotelab
!
ip cef
ip name-server FD15:A9B8:480D:1:2D0:59FF:FE2D:62FE
ip name-server FD15:A9B8:480D:1:290:27FF:FEA1:7F81
!
ipv6 unicast-routing
!
interface Loopback0
no ip address
ipv6 address FDA0:3DF0:4465:FFFF::1/128
ipv6 enable
!
interface Tunnel1
description Connection to HomeLab
no ip address
ipv6 address FD15:A9B8:480D:FFF1::2/64
tunnel source Ethernet0/1
tunnel destination 172.30.255.1
tunnel mode ipv6ip
!
interface Ethernet0/0
no ip address
full-duplex
ipv6 address FDA0:3DF0:4465:D200::1/64
ipv6 enable
ipv6 rip 1 enable
!
interface Ethernet0/1
ip address 10.254.54.34 255.255.255.224
full-duplex
!
router bgp 65010
bgp router-id 10.254.54.33
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor FD15:A9B8:480D:FFF1::1 remote-as 65011
!
address-family ipv6
neighbor FD15:A9B8:480D:FFF1::1 activate
neighbor FD15:A9B8:480D:FFF1::1 route-map homev6 in
network FDA0:3DF0:4465::/48
no synchronization
redistribute static
redistribute rip 1
exit-address-family
!
ipv6 route FD15:A9B8:480D:FFFF::1/128 FD15:A9B8:480D:FFF1::1
ipv6 route FDA0:3DF0:4465::/48 Null0
ipv6 router rip 1
!
ipv6 prefix-list homev6 seq 15 permit FD15:A9B8:480D::/48 le 128
ipv6 prefix-list homev6 seq 20 deny ::/0
route-map homev6 permit 10
match ipv6 address prefix-list homev6

Enabling IPv6 in the Lab

David — Sat, 12 Aug 2006 21:29:00 GMT

I have a fairly extensive lab that I built to help me simulate a small business environment. I've rebuilt it so many times that I don't even remember the count. The network lately has been, more or less, stable as far as the systems themselves go, but I have reworked the network a couple of times recently. In fact, as I was trying to rewire the network and migrate to a upgraded firewall platform, I spent about 12 straigt hours (skipped sleep on a work night) trying to get things to work before I backed out. I finished the network redesign, but still pending on the firewall. To provide a perspective on things, here's the system count:

7 Windows 2003 Servers
2 SuSE Linux Servers
2 Windows XP desktops
3 Windows XP laptops
2 Linux based FW managers (one destined to go away soon)
1 Linux based FW (destined to go away soon)
1 IPSO based FW
1 Avaya 4620 IP Phone
1 Cisco 7960 IP Phone
2 Extreme Summit 200 48 port switches
1 Cisco 3500xl 24 port switch
1 Cisco 3750 24 port PoE switch
1 Cisco 3640 router
1 Cisco 3620 router
1 3Com TR Hub (yes, I know it's a museum piece, but it still works - there's a story here too)
1 Netgear 4 port mini switch

All this, plus associated KVM and related items, probably contributes something like $70-$80 to the power bill every month.

I've managed to get IPv6 running on most all of the equipment. The exceptions are:

The Extreme switches won't do it with the code that's available for them.
One of the XP laptops needs to be rebuilt as it won't install the v6 stack properly (and has a number of other issues).
The 3500xl isn't worth the effort to try and do.
Cisco apparently doesn't support v6 on TR, so I can't get the TR network set w/IPv6.
Both IP Phones are IPv4 only at this point, not sure when (or if on these models) they will support 6.
The Netgear switch is unmanaged, so nothing there (a remote drop for the kitchen - haven't had time to do the hardwire bit and don't have wireless rigged yet).

Other than those, everything else has a IPv6 address and works ok. The Windows DNS is a bit of a problem and I've had to figure out quite a bit about how Microsoft did their IPv6 implementation, but I'm getting there.

More on things later, including the Cisco stuff and v6 over v4 tunnels...

IPv6 - My Beginning

David — Sat, 12 Aug 2006 20:18:00 GMT

I've known about IPv6 in the back of my mind for quite some time. Every now and again I'd go out and take a look at the various sites and blogs to get an idea of where v6 stood in the world of IT, but I never spent much energy on it. Lately, I've been seeing more articles in trade rags about v6 and related items, so I figured it was about time to go take a harder look at what an implementation might look like inside my company.

I plan on putting up a number of articles on my blog about where my research goes and what I learn. If nothing else, it will give me a place to go back and see what I was thinking about, but hopefully, if anyone else reads it, they might find a helpful tidbit here or there.

Easter...

David — Sun, 16 Apr 2006 23:14:00 GMT

Took a brief moment to upload some pictures... have to finish filing the taxes, and oh, yeah, I think I have a few minutes left for some sleep before I have to go to work tomorrow.

Enough grumbling, though. I am thankful for my Lord sacrificing himself for me, unworthy as I am. May he bless my family and I and watch over us all. I hope everyone else had a good Easter Sunday. Remember, the reason for the holiday has nothing to do with cute white rabbits distributing candy to children, rather that Jesus Christ sacrificed himself for our sins and gave all of us sinners a way to come home.

Yours in Christ...