Enterprise IPv6 Deployment Strategies: The NAT is back

Transcription

1 Enterprise IPv6 Deployment Strategies: The NAT is back IPv6 Forum (Singapore Chapter) Sanjeev Gupta 0-1 IPv6 Forum (Singapore Chapter). CC-BY-SA

2 IPv6 Forum (Singapore Chapter). CC-BY-SA Agenda What is IPv6? Why deploy IPv6? Deploying in Enterprises.

3 IPv6 Forum (Singapore Chapter). CC-BY-SA What is IPv6? You are in the wrong session We will assume you all know this It has been 10 years since deployment started.

4 IPv6 Forum (Singapore Chapter). CC-BY-SA What is IPv6? Latest revision of the Internet Protocol (IP). Developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion.

5 IPv6 Forum (Singapore Chapter). CC-BY-SA

6 IPv6 Forum (Singapore Chapter). CC-BY-SA Why deploy IPv6? Because the market demands it Imagine trying to convince a business in 1998 to get Or, in 2005, that they should have a web page Or, in 2012, that they need a social media strategy For IPv6, the time has come.

7 IPv6 Forum (Singapore Chapter). CC-BY-SA IPv6 Deployment

8 IPv6 Forum (Singapore Chapter). CC-BY-SA IPv6 Deployment (Weekly cycles)

9 IPv6 Forum (Singapore Chapter). CC-BY-SA Deploying IPv6 in Enterprises What is an Enterprise? For this talk, End-user Has an IT Department Runs servers Possibly multi-locational Relies on IT to run its business But not a Fortune 500.

10 IPv6 Forum (Singapore Chapter). CC-BY-SA After the test labs, what? By now, most of you have attended training You are familiar with the theory Many of you have implemented small test labs Set up tunnels, played with your routers Some of you have actual IPv6 service from your ISPs So now, how do you roll out?

11 IPv6 Forum (Singapore Chapter). CC-BY-SA Quick Primer: IPv6 addressing Your ISP will give you enough IPv6 to address your network Smallest allocation you can get is: 18,446,744,073,709,551,616 addresses All globally routable Most will get 16 times more Should be enough for you But how do you actually deploy this?

12 IPv6 Forum (Singapore Chapter). CC-BY-SA Enterprise IPv6 Addressing: Option 1 You are connected to one ISP only and receiving your public IP address from your upstream ISP. You are not a member of APNIC yet.

13 IPv6 Forum (Singapore Chapter). CC-BY-SA Enterprise IPv6 Addressing: Option 2 You are connected to one ISP only and receiving your public IP address from and Internet Number Registry i.e. APNIC Member

14 IPv6 Forum (Singapore Chapter). CC-BY-SA Enterprise IPv6 Addressing: Option 3 You are connected to more then one ISP and receiving your public IP address from any ONE of your upstream ISP

15 IPv6 Forum (Singapore Chapter). CC-BY-SA Enterprise IPv6 Addressing: Option 4 You are connected to more then one ISP and receiving your public IP address from an Internet Number Registry

16 IPv6 Forum (Singapore Chapter). CC-BY-SA Comparing the four options Advantages 1 Single home, non-portable Simplest to implement. Low costs Disadvantages Tied to your ISP 2 Single home, portable Simple to implement Annual membership costs 3 Multi-home, non-portable Redundancy Tied to the primary ISP, can change secondary ISPs 4 Multi-home, portable Very flexible, can shop for new ISP every year Annual membership costs

17 IPv6 Forum (Singapore Chapter). CC-BY-SA Is there an Option 5? What we want is: No NAT Clean addressing Smart subnets (by department, floor, etc) Yet, changing my upstream ISP should not mean IP address of the printer changes And no need to pay address ownership costs (ie, APNIC membership).

18 IPv6 Forum (Singapore Chapter). CC-BY-SA A digression: What is wrong with NAT? Much maligned technology Yet, it kept the Internet running for 20 years and still does Why do we hate it?

19 IPv6 Forum (Singapore Chapter). CC-BY-SA A digression: What is wrong with NAT? Because we are hiding many nodes behind one IP address, we need to maintain state Rebooting the NAT device means transactions break No logs, so no audit of who was using Facebook The NAT administrator becomes the de facto Firewall admin Opening and closing ports, and keeping track, is a fulltime job Routing and Firewalling are mixed up.

20 IPv6 Forum (Singapore Chapter). CC-BY-SA A digression: What is wrong with NAT? But these are not disadvantages of NAT, these are disadvantages of the way we have been forced to do NAT in an address-scarce world There is nothing basically evil about NAT.

21 IPv6 Forum (Singapore Chapter). CC-BY-SA Enterprise IPv6 Addressing: Option 5 An Enterprise deployment option Use Unique Local Addresses (ULA) for all internal addressing You have a sufficient range, a /48 at the least (that is times more than the 18 billion billion number earlier).

22 IPv6 Forum (Singapore Chapter). CC-BY-SA What is a ULA? A unique local address (ULA) is an IPv6 address in the block fd00::/8, defined in RFC It is the approximate IPv6 counterpart of the IPv4 private address. Unique local addresses are available for use in private networks, e.g. inside a single site or organization or spanning a limited number of sites or organizations. They are not routable in the global IPv6 Internet.» -- Wikipedia

23 IPv6 Forum (Singapore Chapter). CC-BY-SA Enterprise IPv6 Addressing: Option 5 Use 1-to-1 NAT to map these to your ISP addresses Now each internal node has a equivalent global address, controlled by the firewall (not the NAT) Internal communication uses ULA addresses External communication is mapped onto whatever ISP range you have The trick is to use 1-to-1 NAT, symmetrical, both SNAT and DNAT.

24 IPv6 Forum (Singapore Chapter). CC-BY-SA Comparing the four options Advantages 1 Single homed, non-portable Simplest to implement. Low costs Disadvantages Tied to your ISP 2 Single homed, portable Simple to implement Annual membership costs 3 Multi-homed, non-portable Redundancy Tied to the primary ISP, can change secondary ISPs 4 Multi-homed, portable Very flexible, can shop for new ISP every year 5 Single homed, ULA No internal renumbering when you change ISPs Annual membership costs None, really.

25 IPv6 Forum (Singapore Chapter). CC-BY-SA Enterprise IPv6 Addressing: Option 5 Internet ISP 2 ISP 1 Firewall Firewall 1-to1 NAT Enterprise ULA

26 IPv6 Forum (Singapore Chapter). CC-BY-SA Example: With ISP1 Internal ULA ISP1 Range Firewall Allowed? Comment fd00:8181:9191::7 2405:fc00::7 None Printer fd00:8181:9191:: :fc00::21 Specific ports DVR fd00:8181:9191:: :fc00::80 tcp/80 and tcp/443 Web Server fd00:8181:9191::fd8 2405:fc00::fd8 ALL VIP Laptop fd00:8181:9191::a :fc00::a11 None Accounts PC fd00:8181:9191:: :fc00::1777 None Accounts PC fd00:8181:9191::21ac 2405:fc00::21ac No incoming, all outgoing Sales PC fd00:8181:9191:: :fc00::53 tcp/53 and udp/53 DNS Server fd00:8181:9191:: :fc00::321 ALL IT staff

27 IPv6 Forum (Singapore Chapter). CC-BY-SA Example: With ISP2 Internal ULA ISP2 Range Firewall Allowed? Comment fd00:8181:9191::7 2345:a111::7 None Printer fd00:8181:9191:: :a111::21 Specific ports DVR fd00:8181:9191:: :a111::80 tcp/80 and tcp/443 Web Server fd00:8181:9191::fd8 2345:a111::fd8 ALL VIP Laptop fd00:8181:9191::a :a111::a11 None Accounts PC fd00:8181:9191:: :a111::1777 None Accounts PC fd00:8181:9191::21ac 2345:a111::21ac No incoming, all outgoing Sales PC fd00:8181:9191:: :a111::53 tcp/53 and udp/53 DNS Server fd00:8181:9191:: :a111::321 ALL IT staff

28 IPv6 Forum (Singapore Chapter). CC-BY-SA What are we doing? Note that the host part of the IPv6 address remains the same No port numbers change, and no checksums have to be recalculated (unlike NAT44) Only the prefix is re-written. See RFC 6296 for an excellent example This makes forensics easier We reduce the impact of a loss of state What we are doing is not really NAT66, but NPTv6 (Network Prefix Translation).

29 IPv6 Forum (Singapore Chapter). CC-BY-SA Summary NAT is not always bad, it depends on what you use it for It can make your life easier, if you use it correctly and cleanly You can start deploying IPv6 in office today, without having to renumber when you change ISPs.

30 IPv6 Forum (Singapore Chapter). CC-BY-SA References and Citations - Nurul Islam Roman, President, bdnog, for the diagrams of options IPv6-to-IPv6 Network Prefix Translation