IPv6 Design and Transition Mechanisms BRKSPG-2067


Slide 1: IPv6 Design and Transition Mechanisms BRKSPG-2067

Slide 2: World IPv6 Launch
As the successor to the current Internet Protocol, IPv6 is critical to the Internet's continued growth as a platform for innovation and economic development. 6th June. Get involved.
BRKSPG-2067 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 2

Slide 3: The Prize

Slide 4: The IPv6 Buddy
- Throughout the presentation there will be 3 clues
- Answers will only be accepted at the end of the presentation
- First correct answer wins

Slide 5: The Question
What is the length of a 1500 byte packet transmitted over Gigabit Ethernet? (From first bit to last bit: ?????)

Slide 6: Agenda
- Planning Integration
- Deployment: Dual Stack, Tunnelling Techniques, MPLS Solutions, NAT Protocol Translation
- Addressing
- Security: Shared Issues with IPv4, Unique Issues to IPv6, Enforcing Policy, Best Practices
- Summary

Slide 7: Planning Integration

Slide 8: Integration or Migration?
[Diagram: application migration at the edge (CE), IPv4 + IPv6 integration across the PE and P routers of the core]
- Some applications at the edge will MIGRATE to IPv6
- Network infrastructures will INTEGRATE IPv6
- IPv4 will be around for a very long time
- Networks will support both protocols
- Many hardware components will be dual-stack capable
- IPv6 (+ IPv4) is a gradual and controlled process of INTEGRATION

Slide 9: Planning Steps
1. Evaluate effect on business model
2. Establish project team
3. Assess network hardware and software readiness
4. Establish training strategy
5. Obtain IPv6 prefixes
6. Decide architectural solution
7. Test application software and services
8. Develop procurement plan
9. Develop exception strategy
10. Develop security policy

Slide 10: Planning Integration (1)
- Evaluate effect on business operation/model
  - New applications, opportunities, threats/issues
  - To maximise the ROI effect, disruption must be minimised
  - Do you need to do it? (Most likely!)
- Establish project management team
  - Help from partners (Cisco, Microsoft, SIs)
  - Project Management Office
  - Establish goals, critical path and timelines
- Network hardware and software assessment
  - Check Cisco and 3rd party hardware for correct memory/software
  - Use the Cisco Network Assessor Tool
  - Ensure any new hardware/software is IPv6 compliant/capable
  - Establish upgrade plan

Slide 11: Planning Integration (2)
- Create training strategy and plan
  - Operations staff need to know how to manage IPv6
  - Design architects must understand IPv6 capabilities
  - Security architects must understand IPv6 risks and mitigation
- Obtain an IPv6 prefix
  - Can be Provider Assigned (PA) or Provider Independent (PI)
- Decide on architectural solution
  - Native, Dual Stack, 4to6 tunnels, 6PE, 6VPE
- Develop addressing plan
  - How will the addresses be distributed to customers?

Slide 12: Planning Integration (3)
- Test/identify application software and services
  - Establish a lab for testing applications and services
  - Check NMS and billing systems
  - Test interoperability
- Develop security policy
  - IPv6 has the same security threats as IPv4
  - Protect against threats that may arise during transition
- Develop procurement plan
  - All future hardware, software and applications should be IPv6 compliant
- Develop exception strategy
  - Identify components that will remain on IPv4
  - Could be for many reasons: technical, business or cost

Slide 13: Deployment

Slide 14: Deployment Options
[Diagram: dual-stack-aware applications over shared links; IPv6-over-IPv4/MPLS tunnels (e.g. 6to4) across the IPv4/MPLS core; dedicated IPv6 links]
- Dual Stack (in devices/hosts and networks): IPv4 and IPv6 operate in tandem over shared or dedicated links; applications are dual-stack aware
- Tunnelling: IPv6 over IPv4 or MPLS, with IPv6 confined to the edge of the IPv4/MPLS core
- IPv6 Only: IPv6 is the only protocol operating in the network
- Protocol Translation (BEHAVE IETF Working Group): allows IPv6-only devices to communicate with IPv4-only devices

Slide 15: Where do I start?
Based on timeframe/use case:
- Campus Block
- Core-to-Edge: fewer things to touch
- Edge-to-Core: challenging but doable
- Internet Edge: business continuity
[Diagram: DC Access, DC Aggregation, DC/Campus Core, Internet Edge towards the ISPs, WAN, Servers and Branches]

Slide 16: Dual Stack Technique

Slide 17: IPv6 using Dual Stack Backbone
[Diagram: dual stack application at the edge; IPv4/IPv6 configured interfaces on CE, PE and P routers across the IPv4/IPv6 core]
- All P and PE routers are IPv6 capable and support IPv6
- Two IGPs, supporting IPv4 and IPv6
- Memory considerations for larger routing tables
- Native IPv6 multicast support
- Some or all interfaces in the IPv4 cloud are dual configured
- All IPv6 traffic is routed in global space
- Good for content distribution and global services (Internet)

Slide 18: Dual Stack Configuration, The Basics
[Diagram: dual stack application at the edge; interface Ethernet0/0 on the CE facing the IPv4/IPv6 core]
    !
    ipv6 unicast-routing
    ipv6 cef
    !
    interface Ethernet0/0
     ip address
     ipv6 address 2001:db8:213:1::1/64
    !

Slide 19: Dual Stack Configuration, More Realistic
[Diagram: CE with Ethernet0/0 towards the edge and Serial1/0, Serial2/0 towards the PE routers of the IPv4/IPv6 core]
    !
    interface Ethernet0/0
     ip address
     ipv6 address 2001:db8:213:1::1/64
     ospfv3 1 area 0 ipv6
    !
    interface Serial1/0
     ip address
     ipv6 address 2001:db8:ffff:1::1/64
    !
    interface Serial2/0
     ip address
     ipv6 address 2001:db8:ffff:2::1/64
    !
    router ospfv3 1
     address-family ipv6 unicast
     exit-address-family
    !
    router bgp
     address-family ipv4
      neighbor activate
      neighbor activate
     !
     address-family ipv6
      neighbor 2001:db8:ffff:1::2 activate
      neighbor 2001:db8:ffff:2::2 activate
    ...

Slide 20: Application Dual Stack Approach
[Diagram: an IPv6-enabled application sits on TCP/UDP over both IPv4 (Ethernet frame protocol ID 0x0800) and IPv6 (0x86dd), sharing the same Ethernet data link]
- Dual stack in a device means both IPv4 and IPv6 stacks are enabled
- Applications can talk to both
- Choice of the IP version is based on DNS and application preference
- Dual stack at the edge does not necessarily mean a dual stack backbone

Slide 21: Dual Stack Approach and DNS
DNS server records for www:
    www IN A
    www IN AAAA 2001:db8:1::1
In a dual stack network an application that is IPv4- and IPv6-enabled:
- Can query the DNS for IPv4 (A) and/or IPv6 (AAAA) records
- The transport used for the lookup is not related to the resource record required, e.g. use IPv4 transport to ask for AAAA records
- Chooses one address and, for example, connects to the IPv6 address

Slide 22: DNS query in IOS
- The router first queries the DNS server with TYPE=AAAA; the response is either 2001:db8:1::1 (Type=AAAA) or NONE
- The router then queries with TYPE=A; the response is the IPv4 address (Type=A)
- The DNS resolver picks the AAAA record first
- IPv6 stacks on Windows XP, W7, Linux, FreeBSD, MacOS etc. also pick the IPv6 address before the IPv4 address if both exist

Slide 23: DNS Query on Windows 7 (Dual Stack)
Domain name with an IPv6 address only (the slide shows the msecs between packets):
- DNS Standard query A ipv6.google.com: initial query over IPv4 for the A record
- DNS Standard query response CNAME ipv6.l.google.com: the response refers to an alias/canonical name
- DNS Standard query AAAA ipv6.google.com: the host immediately sends a request for the AAAA record (original FQDN)
- DNS Standard query response CNAME ipv6.l.google.com AAAA 2404:6800:8004::68: the IPv6 address of the canonical name is returned
Domain name with both addresses:
- DNS Standard query A and response A: initial query over IPv4 for the A record, IPv4 address returned
- DNS Standard query AAAA and response AAAA 2001:dc0:2001:11::211: the host immediately sends a request for the AAAA record, IPv6 address of the FQDN returned
- ICMPv6 Echo request to 2001:dc0:2001:11::211 and Echo reply: the host prefers the IPv6 address (configurable)

Slide 24: Tunnelling Techniques

Slide 25: Clue 1
- The speed of light is 299,792,458 m/s
- Though data transmission is ~2/3 the speed of light, so let's say 200,000,000 m/s

Slide 26: Using Tunnels for IPv6 Deployment
- Tunnelling encapsulates an IPv6 packet into an IPv4 packet
- Host to Router, Router to Router, Router to Host, or Host to Host
- Manually configured tunnels: Manual Tunnel (RFC 2893), IPv6 over GRE (RFC 2473)
- Semi-automated tunnels: Tunnel broker (RFC 3053)
- Automatic tunnels: 6to4 (RFC 3056), ISATAP (RFC 5214), Dynamic Multipoint VPN, 6rd (RFC 5969), LISP (IETF Working Group and Internet Draft)

Slide 27: Tunnels Agenda
- Manual Tunnel (RFC 2893)
- IPv6 over GRE (RFC 2473)
- ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
- 6rd (IPv6 Rapid Deployment)
- LISP (Locator/ID Separation Protocol)

Slide 28: Manual Tunnel (RFC 2893)
[Diagram: dual stack CE in the customer network (2001:db8:a:b::1/64) reaches the provider PE (2001:db8:a:b::2/64) through a manual tunnel across the IPv4 access network; the IPv6 packet is carried behind an IPv4 header]
- One of the first transition mechanisms developed for IPv6
- Static point-to-point tunnel, IP protocol type = 41, no additional header; NAT breaks it
- Terminates on dual stack end points
- IPv4 end point address must be routable
- IPv6 prefix configured on the tunnel interface
- Difficult to scale and manage
- For linking a few sites in a fixed, long-term topology
- Use across an IPv4 access network to reach an IPv6 provider

Slide 29: Manual Tunnel Configuration
Customer-side end point:
    interface tunnel 100
     ipv6 address 2001:db8:a:b::1/64
     tunnel source
     tunnel destination
     tunnel mode ipv6ip
Provider-side end point:
    interface tunnel 100
     ipv6 address 2001:db8:a:b::2/64
     tunnel source
     tunnel destination
     tunnel mode ipv6ip
- Only supports routing protocols that use IP encapsulation
- ISIS is itself a network layer protocol (not dependent upon IP), therefore it will not work over IP Protocol-Type 41


Slide 31: IPv6 over GRE Tunnel
[Diagram: CE (e0/0, 2001:db8:a:b::1/64) to CE (e0/0, 2001:db8:a:b::2/64) through a GRE tunnel across the IPv4 backbone network; the IPv6 packet is carried behind an IPv4 header plus a GRE header]
- Similar to the Manual Tunnel (RFC 2893), but can transport non-IP packets
- Hence can be used to support ISIS across the tunnel
- The GRE header uses 0x86DD to identify the IPv6 payload
- Similar scale and management issues
- L2TPv3 is another tunnelling option

Slide 32: IPv6 over GRE Tunnel Configuration
First end point:
    interface tunnel 100
     ipv6 address 2001:db8:a:b::1/64
     tunnel source e0/0
     tunnel destination
     tunnel mode gre ip
     ipv6 router isis
Second end point:
    interface tunnel 100
     ipv6 address 2001:db8:a:b::2/64
     tunnel source e0/0
     tunnel destination
     tunnel mode gre ip
     ipv6 router isis


Slide 34: ISATAP Overview (RFC 5214)
- Intra-Site Automatic Tunnel Addressing Protocol
- Tunnel from a dual stack HOST PC to an IPv6 gateway
- Operates within a single administrative domain
- Primarily for corporate and academic networks
- Creates a virtual IPv6 link over an IPv4 backbone network, which is treated as an NBMA link layer
- Routers provide the ISATAP service
- DNS may hold a potential router list or ISATAP gateways
- Caveat: the DNS entry can be automatically found by hosts and used; to control access, use static configuration
- ISATAP does not currently support multicast
- NAT is not supported

Slide 35: ISATAP Address Format
- ISATAP hosts use a special IPv6 address format
- The interface ID carries IPv4 information: the rightmost 32 bits contain the IPv4 host address, the leftmost 32 bits contain 0000:5efe
- The global prefix is provided by the ISATAP router
- The interface ID portion remains static for all packets
- Link-local addresses are used for solicitation of the global address
Layout: [Unicast Prefix (link-local or global)] [ISATAP ID 0000:5efe:] [IPv4 address of host, e.g. c0a8:0201]

Slide 36: ISATAP prefix advertisement
[Diagram: dual stack host in the enterprise IPv4 network, ISATAP tunnel over IPv4 to the ISATAP router (2001:db8:face:2::5efe:c0a8:0401) at the corporate network edge; the IPv6 messages are encapsulated in IPv4]
1. The host sends a DNS query for "ISATAP"; the reply gives the IPv4 address of the ISATAP router
2. Router Solicitation from fe80::5efe:c0a8:0201 to fe80::5efe:c0a8:0401, encapsulated in IPv4 (request: ISATAP prefix?)
3. Router Advertisement from fe80::5efe:c0a8:0401 to fe80::5efe:c0a8:0201, encapsulated in IPv4 (reply: 2001:db8:face:2::/64)

Slide 37: ISATAP Nodes Use 3 Addresses
ISATAP host:
- IPv4: the host's IPv4 address (carried as c0a8:0201 in the interface ID)
- Link-local: fe80::5efe:c0a8:0201
- Global: 2001:db8:face:2::5efe:c0a8:0201
ISATAP router:
- IPv4: the router's IPv4 address (carried as c0a8:0401)
- Link-local: fe80::5efe:c0a8:0401
- Global: 2001:db8:face:2::5efe:c0a8:0401
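An added example, not from the slides, that builds the three addresses of slide 37 from an IPv4 address, recovers the IPv4 address from an ISATAP-formatted address, and checks that a Router Advertisement comes from the statically configured ISATAP router (the access control slide 34 recommends over DNS discovery). It assumes the slides' c0a8:0201 and c0a8:0401 are 192.168.2.1 and 192.168.4.1, and additionally accepts the 0200:5efe interface-ID variant RFC 5214 uses for globally unique IPv4 addresses, which the slides do not show.

```python
import ipaddress
from typing import Optional

# ISATAP interface identifier: 0000:5efe followed by the 32-bit IPv4 address (slide 35).
# RFC 5214 sets the u/l bit (0200:5efe) when the embedded IPv4 address is globally unique;
# the slides use private 192.168.0.0/16 addresses, so 0000:5efe is what they show.
ISATAP_IID_PREFIXES = (bytes.fromhex("00005efe"), bytes.fromhex("02005efe"))


def isatap_iid(ipv4: str) -> bytes:
    """Return the 8-byte ISATAP interface identifier for an IPv4 address."""
    return bytes.fromhex("00005efe") + ipaddress.IPv4Address(ipv4).packed


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (fe80::/64, or the prefix learnt from the RA) with the ISATAP IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + isatap_iid(ipv4))


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 address carried in an ISATAP address, or None if it is not ISATAP-formatted."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[8:12] not in ISATAP_IID_PREFIXES:
        return None
    return ipaddress.IPv4Address(packed[12:16])


def isatap_node_addresses(global_prefix: str, ipv4: str) -> dict:
    """The three addresses of an ISATAP node (slide 37): IPv4, link-local IPv6 and global IPv6."""
    return {
        "ipv4": ipaddress.IPv4Address(ipv4),
        "link_local": isatap_address("fe80::/64", ipv4),
        "global": isatap_address(global_prefix, ipv4),
    }


def ra_from_configured_router(ra_src: str, configured_router_ipv4: str) -> bool:
    """Accept a Router Advertisement only if its link-local source embeds the router address
    the host was statically configured with (netsh interface ipv6 isatap set router ...)."""
    src = ipaddress.IPv6Address(ra_src)
    if src not in ipaddress.IPv6Network("fe80::/64"):
        return False
    return embedded_ipv4(ra_src) == ipaddress.IPv4Address(configured_router_ipv4)


if __name__ == "__main__":
    # Host and router values assumed from the slides' c0a8:0201 and c0a8:0401.
    for name, ip in (("host", "192.168.2.1"), ("router", "192.168.4.1")):
        print(name, isatap_node_addresses("2001:db8:face:2::/64", ip))
    print("RA accepted:", ra_from_configured_router("fe80::5efe:c0a8:401", "192.168.4.1"))
```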

Slide 38: ISATAP Configuration (Windows)
Windows XP ISATAP host:
    netsh interface ipv6 install
    netsh interface ipv6 isatap set router
- The PC configuration does not use DNS
- EUI-64 allows the router to generate the link ID portion of the address
- Turn off ND message suppression
ISATAP router (2001:db8:face:2::5efe:c0a8:0401):
    interface Ethernet0
     ip address
    !
    interface Tunnel0
     ipv6 address 2001:db8:face:2::/64 eui-64
     no ipv6 nd suppress-ra
     tunnel source Ethernet0
     tunnel mode ipv6ip isatap


Slide 40: IPv6 Rapid Deployment (6rd) Overview
- 6rd is a tunnelling method specified in RFC 5969
- Superset of 6to4 tunnelling [RFC 3056]
- 6rd utilises an SP's own IPv6 address prefix and avoids the well-known prefix (2002::/16)
- Method of incrementally deploying IPv6 to end sites in an SP network
- SP access and aggregation infrastructure remains IPv4
- End site is provided a dual stack service
- Access/Aggregation between SP and end sites looks like a multipoint IPv6 network
- End sites share a common prefix allocated by the SP
- 6rd primarily supports IPv6 deployment to a customer site (residential gateway) or to an individual host acting as a CE

Slide 41: 6rd Tunnels (RFC 5969)
[Diagram: 6rd end sites (CEs with prefixes 2001:db8:0f01, 2001:db8:0f.. and 2001:db8:0d01) across the IPv4 access network of the service provider; 6rd tunnels run between CEs and from each CE to the 6rd Border Relay towards the IPv6 Internet; the IPv6 packet is carried behind an IPv4 header]
- Native dual-stack IP service to the end site
- Simple, stateless, automatic IPv6-in-IPv4 encap and decap functions
- The embedded IPv4 address needs to match the IPv4 address in the tunnel header, for security
- IPv6 traffic automatically follows IPv4 routing (the IPv4 address is used as the tunnel endpoint)
- BRs are placed at the edge and addressed via IPv4 anycast for load-balancing and resiliency

Slide 42: 6rd Logical NBMA Behaviour
[Diagram: the CEs and the 6rd Border Relay share a single multipoint tunnel interface over the service provider's IPv4 network]
- 6rd views the IPv4 network as an NBMA link layer for IPv6
- The Border Relay serves with a single multipoint interface
- No per-user state; it serves all users in the 6rd domain
- 6rd Domain: all use the same configured 6rd prefix (2001:db8::/32)

Slide 43: 6rd Delegated Prefix
- Every customer site is assigned a 6rd delegated prefix
- The delegated prefix is created by combining the SP's 6rd prefix and all or part of the CE IPv4 address
- Not all 32 bits of the IPv4 address need be carried: a common prefix and suffix can be pre-configured
IPv6 address layout: [6rd Prefix, 0-64 bits] [IPv4 Fragment, 0-32 bits] [Subnet, 0-16 bits] [Interface ID, remainder of 128]; the 6rd prefix plus the IPv4 fragment form the Delegated Prefix.
IPv4 address layout: [Common Prefix, 0-32 bits] [Fragment] [Common Suffix, 0-32 bits]; the common prefix and suffix are pre-configured on the router, and the common suffix is an optional Cisco-specific implementation.

Slide 44: Destination IPv4 Address Dynamically Computed, Example
[Diagram: 6rd end site 2001:db8:0f01::/48 (host 2001:db8:0f01::2, CE e0/1 2001:db8:0f01::1) and 6rd end site 2001:db8:0f07::/48 (CE e0/1 2001:db8:0f07::1, server 2001:db8:0f07::2) joined by a 6rd tunnel across the IPv4 backbone between the CE e0/0 interfaces]
6rd parameters:
- 6rd Prefix: 2001:db8::/32
- Common Prefix: /16
- Common Suffix: 0/0 (Cisco specific)
The server address 2001:0db8:0f07:0000:0000:0000:0000:0002 decomposes into the 6rd prefix (32 bits) 2001:0db8, the IPv4 fragment (16 bits) 0f07, the subnet (16 bits) 0000 and the interface ID 0000:0000:0000:0002.
The 6rd tunnel end point in the IPv4 network is the common prefix (16 bits) followed by the fragment 0f07. The IPv6 packet (src 2001:0db8:0f01::2, dst 2001:0db8:0f07::2) is carried in an IPv4 header whose source and destination are the two CE tunnel end points.

Slide 45: 6rd CE Configuration (IOS)
    !
    ipv6 general-prefix 6rd-prefix 6rd Tunnel1
    ipv6 unicast-routing
    ipv6 cef
    !
    interface Tunnel1
     ipv6 enable
     tunnel source Ethernet0/0
     tunnel mode ipv6ip 6rd
     tunnel 6rd prefix 2001:db8::/32
     tunnel 6rd ipv4 prefix-len 16
     ! Config to Border Relay
     tunnel 6rd br
    !
    interface Ethernet0/0
     description Shared infrastructure
     ip address
    !
    interface Ethernet1/0
     description End Site LAN
     ipv6 address 6rd-prefix ::1/64
    !
    ipv6 route 2001:db8::/32 Tunnel1
    ! Default to BR
    ipv6 route ::/0 Tunnel1 2001:db8:1::

Slide 46: Internet Access through 6rd Border Relay
[Diagram: host 2001:db8:0f01::2 behind the CE (2001:db8:0f01) with a 6rd tunnel to the closest BR; two 6rd Border Relays, each with an IPv4 /32 loopback and 2001:db8:1::/64 on e0/0 facing the IPv6 Internet]
- The 6rd Border Relay allows access to the global IPv6 Internet
- If the destination is outside of the 6rd prefix, then tunnel the packet to the border relay
- Can use a pre-provisioned tunnel IPv4 anycast address
- The 6rd CE router finds the closest 6rd BR router based on the IPv4 IGP
- Default route to the IPv6 Internet, usually pre-provisioned by the ISP
CE forwarding decision:
1. Receive the IPv6 packet at the CE from the LAN side
2. Extract the destination from the IPv6 header
3. Does DEST contain 2001:db8::? Yes: the destination is a CE, so compute its IPv4 address from the embedded fragment. No: use the 6rd Border Relay IPv4 address, the destination is the BR.
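An added example, not from the slides, of the 6rd arithmetic on slides 43 to 46: deriving the delegated prefix from the CE's IPv4 address, computing the IPv4 tunnel destination (another CE, or the Border Relay when the IPv6 destination lies outside the 6rd prefix), and the decapsulation check from slide 41 that the embedded IPv4 address must match the tunnel header. The 6rd prefix 2001:db8::/32 and the /16 IPv4 prefix length come from the slides; the IPv4 common prefix 10.0.0.0/16 and the BR anycast address 10.0.255.254 are constructed because the slides do not carry them.

```python
import ipaddress
from typing import Optional


class SixRdDomain:
    """6rd domain parameters (RFC 5969) as configured on the CE and BR in slides 45 and 47."""

    def __init__(self, sixrd_prefix: str, ipv4_prefix_len: int,
                 common_prefix_ipv4: str, br_ipv4: str) -> None:
        self.prefix = ipaddress.IPv6Network(sixrd_prefix)      # tunnel 6rd prefix 2001:db8::/32
        self.frag_bits = 32 - ipv4_prefix_len                   # tunnel 6rd ipv4 prefix-len 16
        self.frag_mask = (1 << self.frag_bits) - 1              # common suffix is 0/0 (slide 44)
        self.common = int(ipaddress.IPv4Address(common_prefix_ipv4)) & ~self.frag_mask & 0xFFFFFFFF
        self.br = ipaddress.IPv4Address(br_ipv4)                # tunnel 6rd br <anycast address>
        self.delegated_len = self.prefix.prefixlen + self.frag_bits
        self._shift = 128 - self.delegated_len                  # bit position of the IPv4 fragment

    def delegated_prefix(self, ce_ipv4: str) -> ipaddress.IPv6Network:
        """6rd prefix + IPv4 fragment = the prefix delegated to the end site (slide 43)."""
        frag = int(ipaddress.IPv4Address(ce_ipv4)) & self.frag_mask
        return ipaddress.IPv6Network(
            (int(self.prefix.network_address) | (frag << self._shift), self.delegated_len))

    def embedded_ipv4(self, ipv6: str) -> Optional[ipaddress.IPv4Address]:
        """IPv4 address encoded in an IPv6 address of this 6rd domain, or None if outside it."""
        addr = ipaddress.IPv6Address(ipv6)
        if addr not in self.prefix:
            return None
        frag = (int(addr) >> self._shift) & self.frag_mask
        return ipaddress.IPv4Address(self.common | frag)

    def tunnel_destination(self, ipv6_dst: str) -> ipaddress.IPv4Address:
        """CE forwarding decision of slide 46: inside the 6rd prefix go direct, otherwise to the BR."""
        embedded = self.embedded_ipv4(ipv6_dst)
        return self.br if embedded is None else embedded

    def accept_decap(self, outer_src_ipv4: str, inner_src_ipv6: str) -> bool:
        """Slide 41 check: an inner source inside the 6rd domain must embed the outer IPv4 source;
        any other inner source is only accepted from the Border Relay (RFC 5969 section 9)."""
        outer = ipaddress.IPv4Address(outer_src_ipv4)
        embedded = self.embedded_ipv4(inner_src_ipv6)
        if embedded is not None:
            return outer == embedded
        return outer == self.br


# Constructed domain: slide values for the prefixes, assumed values for the IPv4 side.
DOMAIN = SixRdDomain("2001:db8::/32", 16, "10.0.0.0", "10.0.255.254")


if __name__ == "__main__":
    # Slide 44 walk-through with the assumed 10.0.0.0/16 common prefix: CE 0f07 is 10.0.15.7.
    print("delegated to 10.0.15.7:", DOMAIN.delegated_prefix("10.0.15.7"))
    print("tunnel dst for 2001:db8:0f07::2:", DOMAIN.tunnel_destination("2001:db8:0f07::2"))
    print("tunnel dst for 2607:f8b0::1:", DOMAIN.tunnel_destination("2607:f8b0::1"))
    print("spoofed inner source accepted:", DOMAIN.accept_decap("10.0.15.9", "2001:db8:0f01::2"))
```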

Slide 47: 6rd Border Relay Configuration (IOS)
    !
    ipv6 unicast-routing
    ipv6 cef
    !
    interface Tunnel1
     ipv6 enable
     tunnel source Loopback0
     tunnel mode ipv6ip 6rd
     tunnel 6rd prefix 2001:db8::/32
     tunnel 6rd ipv4 prefix-len 16
    !
    interface Ethernet0/0
     description Internet
     ipv6 address 2001:db8:1::/64
    !
    interface Loopback0
     description Shared infrastructure
     ip address
    !
    ipv6 route 2001:db8::/32 Tunnel1
    ! Or use a routing protocol
    ipv6 route ::/0 2001:db8:2::
    !


Slide 49: LISP Overview
- Locator/Identity Split creates a level of indirection by using two namespaces, EID and RLOC
  - EID = Endpoint Identifier
  - RLOC = Routing Locator
- LISP creates two name spaces:
  - EID (Endpoint Identifier) is the host IP address: the same as today, it's what is used in DNS. In LISP, the EID can move independently of the RLOC.
  - RLOC (Routing Locator) is the infrastructure IP address of the LISP router: routed in the Internet just like today, globally routed and aggregated along the Internet connectivity topology
- EID packets are encapsulated inside RLOC packets and forwarded over the RLOC infrastructure (Internet / WAN cloud / Enterprise)

Slide 50: LISP Overview (continued)
- Only affects edge devices
  - LISP ITR = LISP Ingress Tunnel Router
  - LISP ETR = LISP Egress Tunnel Router
  - Devices that undertake both roles are termed LISP xTR
- Map Server (MS): ETRs register EID prefixes with the MS (just like authoritative DNS)
- Map Resolver (MR): ITRs send LISP Map Requests to the MR to be resolved (just like a DNS resolver)

Slide 51: LISP Network Topology
[Diagram: private IPv6 networks (EID space) attached through CE xTRs to the public IPv4 network (RLOC space): SPOKE1-LISP with 2001:db8:beef:1::/64, SPOKE2-LISP with 2001:db8:f00d:1::/64, the HQ-LISP hub with 2001:db8:cafe:1::/64, and an MS/MR mapping database]

Slide 52: LISP Mapping Database
MS/MR mapping database:
    vrf definition lisp
     rd 1:1
    !
    interface LISP0
    !
    lisp site HQ-LISP
     description LISP HQ Site
     authentication-key s3cr3t-hq
     eid-prefix 2001:db8:cafe:1::/48
    lisp site Spoke1-LISP
     description LISP Spoke Site 1
     authentication-key s3cr3t-1
     eid-prefix 2001:db8:beef:1::/48
    lisp site Spoke2-LISP
     description LISP Spoke Site 2
     authentication-key s3cr3t-2
     eid-prefix 2001:db8:f00d:1::/48
    !
    ipv6 lisp map-server
    ipv6 lisp map-resolver
    ipv6 lisp alt-vrf lisp
    !
HQ-LISP CE (xTR) hub, 2001:db8:cafe:1::/64:
    ipv6 lisp database-mapping 2001:db8:cafe:1::/ priority 1 weight 100
    ipv6 lisp itr map-resolver
    ipv6 lisp itr
    ipv6 lisp etr map-server key s3cr3t-hq
    ipv6 lisp etr
    !

Slide 53: LISP Spoke Setup
SPOKE1-LISP CE (xTR), 2001:db8:beef:1::/64:
    !
    ipv6 unicast-routing
    ipv6 cef
    !
    interface LISP0
    !
    ipv6 lisp database-mapping 2001:db8:beef:1::/ priority 1 weight 100
    !
    ipv6 lisp itr map-resolver
    ipv6 lisp itr
    ipv6 lisp etr map-server key s3cr3t-1
    ipv6 lisp etr
    !
    ipv6 route ::/0 Null0
- The same configuration is applied to SPOKE2-LISP, changing only the prefix and the map-server key

Slide 54: LISP Traffic Flow
[Diagram: the topology of slide 51, with a dynamic spoke-to-spoke tunnel between the SPOKE xTRs across the public IPv4 (RLOC) network]
1. DNS lookup returns an AAAA reply (2001:db8:f00d:1::ff)
2. The packet with dst 2001:db8:f00d:1::ff reaches the SPOKE1 xTR
3. The xTR asks the MR to look up the RLOC for the EID
4. MR reply: RLOC = the IPv4 address of the xTR serving 2001:db8:f00d:1::/64
5. The packet is dynamically tunnelled to that RLOC and delivered with dst 2001:db8:f00d:1::ff

Slide 55: IPv6 Solutions using MPLS

Slide 56: IPv6 over MPLS
- IPv6 over MPLS pseudowires: transparent to the service provider
- IPv6 over IPv4 tunnels over MPLS (manual tunnels): PE must be IPv6 aware, core remains IPv4
- IPv6 transit using MPLS (6PE): PE must be IPv6 aware, core remains IPv4
- IPv6 VPN using MPLS (6VPE): PEs provide VPN services for IPv6, core remains IPv4
- No LDPv6 available as yet, so the core control plane must be MPLS+LDP using an IPv4 IGP
- The previous solutions discussed can also work over MPLS: ISATAP, manual tunnels, GRE, 6to4, 6rd

Slide 57: IPv6 over MPLS Agenda
- IPv6 transit using MPLS (6PE)
- IPv6 VPN using MPLS (6VPE)

Slide 58: IPv6 Transit using MPLS, 6PE (RFC 4798)
[Diagram: IPv6 sites CE1 (2001:db8:f00d::) and CE2 (2001:db8:cafe::), plus CE3 and CE4, attached to 6PE1, 6PE2, 6PE3 and 6PE4 around an MPLS backbone of P routers; 6PE1 and 6PE2 exchange IPv6 routes over iBGP; packets carry an LDP label and a BGP label]
- 6PEs must support dual stack IPv4 + IPv6 (a 6PE acts as a normal PE)
- IPv6 packets are transported from 6PE to 6PE over the IPv4 Label Switch Path
- IPv6 addresses exist in the global table of the PE routers only
- IPv6 addresses are exchanged between 6PEs using an MP-BGP session
- The core uses an IPv4 control plane (LDPv4, TEv4, IGPv4, MP-BGP)
- Benefits from MPLS features such as FRR and TE

Slide 59: IPv6 Services using MPLS 6PE
- Connects IPv6 islands over the MPLS core (transits edge to edge)
- Transition mechanism for providing IPv6 unicast access
- Coexistence mechanism for combining IPv4 and IPv6 services
- As with other tunnel technologies, enables services such as Internet access, peer-to-peer connectivity, and access to services supplied by the SP itself

Slide 60: 6PE Notes
- LDP Label: the outer label that provides connectivity to the destination 6PE
- MP-BGP Label: the inner label used by the egress 6PE for forwarding
  - Older IOS uses a pool of 16 labels shared amongst all IPv6 prefixes
  - P routers hash this label, if the payload is not IPv4, for load balancing
  - IOS that supports the MPLS Forwarding Infrastructure (MFI) [12.4(20)T and XR] uses per-prefix labels
  - Some code also allows P routers to hash IPv6 addresses
  - This label is needed to avoid PHP dropping the packet
  - The BGP label is also referred to as the Aggregate Label; aggregate labels execute a pop label + IPv6 lookup at the egress 6PE
- The BGP next hop is a special-use IPv4-mapped IPv6 address ::ffff:A.B.C.D, where ::ffff: is a fixed value and A.B.C.D is the IPv4 loopback of the 6PE

Slide 61: 6PE Routing And Label Distribution Example
[Diagram: CE1 (2001:db8:f00d::) -eBGP- 6PE1 -P- -P- 6PE2 -eBGP- CE2 (2001:db8:cafe::) across the MPLS backbone; 6PE1 and 6PE2 exchange routes over iBGP]
- IGPv4: the 6PE1 loopback is reachable across the core
- LDPv4: label bindings for the 6PE1 loopback along the path are {Pop} nearest 6PE1, then {27}, then {48} at the 6PE2 end
- MP-eBGP: CE1 advertises 2001:db8:f00d:: to 6PE1
- MP-iBGP: 6PE1 advertises 2001:db8:f00d:: to 6PE2 with BGP next hop ::ffff: followed by the 6PE1 loopback IPv4 address, and label binding {65}
- MP-eBGP: 6PE2 advertises 2001:db8:f00d:: to CE2

Slide 62: 6PE Label Forwarding
Forwarding entry on 6PE2 for the prefix learnt from 6PE1:
- Prefix: 2001:db8:f00d::
- BGP Label: {65}
- BGP NH: ::ffff: followed by the 6PE1 loopback IPv4 address
- IPv4 NH: the 6PE1 loopback
- LDP Label: {48}
[Diagram: a packet for 2001:f00d:: leaves 6PE2 with the label stack {48}{65}; the P routers swap the outer LDP label {48} to {27} and then pop it (PHP), so 6PE1 receives the packet with only the BGP label {65} and performs the IPv6 lookup]

Slide 63: 6PE Configuration
[Diagram: CE1 (2001:db8:f00d::) - 6PE1 - P - P - 6PE2 - CE2 (2001:db8:cafe::) across the MPLS backbone, with CE3/6PE3 and CE4/6PE4 also attached; AS numbers shown include as65015]
6PE1:
    ipv6 unicast-routing
    !
    interface loopback0
     ip address
    !
    router bgp
     neighbor 2001:db8:f00d:1::1 remote-as
     neighbor remote-as
     neighbor update-source lo0
    !
     address-family ipv6
      ! 6PE2 (IPv4 loopback neighbor)
      neighbor activate
      neighbor send-label
      ! CE1
      neighbor 2001:db8:f00d:1::1 activate
6PE2:
    ipv6 unicast-routing
    !
    interface loopback0
     ip address
    !
    router bgp
     neighbor 2001:db8:cafe:1::1 remote-as
     neighbor remote-as
     neighbor update-source lo0
    !
     address-family ipv6
      ! 6PE1 (IPv4 loopback neighbor)
      neighbor activate
      neighbor send-label
      ! CE2
      neighbor 2001:db8:cafe:1::1 activate

Slide 64: 6PE Route
    6PE-2#show ipv6 route
    B 2001:db8:f00d::/48 [200/0]
      via ::ffff: , IPv6-mpls
    6PE-1#show ipv6 cef internal
    [snip]
    2001:F00D::/64, nexthop ::ffff: LDP BGP
     fast tag rewrite with F0/1, , tags imposed {48 65}


Slide 66: IPv6 VPN, 6VPE (RFC 4659)
[Diagram: CE1 (LAN 2001:db8:beef:1::/64) in VRF GREEN on 6VPE1, CE2 (LAN 2001:db8:beef:2::/64) in VRF GREEN on 6VPE2, PE-CE links 2001:db8:cafe:1::/64 and 2001:db8:cafe:3::/64, across the IPv4 MPLS backbone of P routers; packets carry an LDP label and a VPN label]
- 6VPE uses the existing MPLS infrastructure to provide IPv6 VPN
- The core uses an IPv4 control plane (LDPv4, TEv4, IGPv4)
- PEs must support dual stack IPv4 + IPv6
- Offers the same architectural features as MPLS-VPN for IPv4: RTs, VRFs
- RDs are appended to IPv6 addresses to form VPNv6 addresses
- MP-BGP distributes both VPN address families
- The BGP next hop uses the IPv4-mapped IPv6 address format ::ffff:a.b.c.d
- A VRF can contain both VPNv4 and VPNv6 routes

Slide 67: IPv6 Services Using 6VPE
- For VPN customers, the IPv6 VPN service is exactly as the IPv4 VPN service
- 6PE is like VPN but the prefixes are in the global table; 6VPE is a true VPN
- 6VPE enables services such as VPN access, Carriers Supporting Carrier, and access to services supplied by the SP itself

Slide 68: CE1 Configuration
    ipv6 unicast-routing
    ipv6 cef
    !
    interface Ethernet0/0
     description Link to PE1
     ip address
     ipv6 address 2001:db8:cafe:1::1/64
    !
    interface Ethernet1/0
     description to GREEN LAN
     ip address
     ipv6 address 2001:db8:beef:1::1/64
     ipv6 rip GREEN enable
    !
    router bgp 500
     neighbor 2001:db8:cafe:1::2 remote-as 100
     neighbor remote-as 100
    !
     address-family ipv4
      redistribute eigrp 100
      ! 6VPE1
      neighbor activate
     exit-address-family
    !
     address-family ipv6
      ! 6VPE1
      neighbor 2001:db8:cafe:1::2 activate
      redistribute rip GREEN
     exit-address-family

Slide 69: New Multi-AF VRF Configuration
    vrf definition GREEN
     rd 200:1
     ! Common RT policies go here
     address-family ipv4
      route-target export 200:1
      route-target import 200:1
     exit-address-family
    !
     address-family ipv6
      route-target export 200:1
      route-target import 200:1
     exit-address-family
- The new VRF AF definition allows IPv4 and IPv6 address-families, each with unique or common policies
- vrf upgrade-cli multi-af-mode {common-policies | non-common-policies} [vrf <name>]: this command can update existing VRF definitions

Slide 70: 6VPE1 General Configuration
    ipv6 unicast-routing
    ipv6 cef
    !
    interface Loopback0
     ip address
    !
    interface Ethernet0/0
     description Link to CE1
     vrf forwarding GREEN
     ip address
     ipv6 address 2001:db8:cafe:1::2/64
    !
    interface Ethernet2/0
     description Link to Core Network
     ip address
     mpls ip
    !
    router ospf 1
     log-adjacency-changes
     redistribute connected subnets
     passive-interface Loopback0
     network area 0

71 6VPE1 BGP Configuration
(Figure: same topology as the CE1 Configuration slide.)

router bgp 100
 neighbor <6VPE2 loopback> remote-as 100
 neighbor <6VPE2 loopback> update-source lo0
 !
 address-family ipv4
  ! Internet routes
  neighbor <6VPE2 loopback> activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  ! to 6VPE2
  neighbor <6VPE2 loopback> activate
  neighbor <6VPE2 loopback> send-community extended
 exit-address-family
 !
 address-family vpnv6
  ! to 6VPE2
  neighbor <6VPE2 loopback> activate
  neighbor <6VPE2 loopback> send-community extended
 exit-address-family
 !
 address-family ipv4 vrf GREEN
  ! to CE1
  redistribute connected
  neighbor <CE1 IPv4 address> remote-as 500
  neighbor <CE1 IPv4 address> activate
 exit-address-family
 !
 address-family ipv6 vrf GREEN
  ! to CE1
  neighbor 2001:db8:cafe:1::1 remote-as 500
  neighbor 2001:db8:cafe:1::1 activate
 exit-address-family

The VPNv6 session to 6VPE2 runs over the same IPv4 iBGP peering as VPNv4; extended communities must be sent so the route targets reach the remote PE.

72 6VPE2 VRF Routes
(Figure: same topology as the CE1 Configuration slide.)

6VPE2#show ipv6 route vrf GREEN
B   2001:db8:beef:1::/64 [200/0]
     via <IPv4-mapped next hop of 6VPE1>
B   2001:db8:beef:2::/64 [20/0]
     via FE80::A8BB:CCFF:FE01:FA00, Ethernet1/0
B   2001:db8:cafe:1::/64 [200/0]
     via <IPv4-mapped next hop of 6VPE1>
C   2001:db8:cafe:3::/64 [0/0]
     via Ethernet1/0, directly connected
L   2001:db8:cafe:3::2/128 [0/0]
     via Ethernet1/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

[200/0] marks routes learned over iBGP (the VPNv6 routes from 6VPE1); [20/0] marks the eBGP route from CE2, whose next hop is CE2's link-local address on Ethernet1/0.

73 6VPE1 BGP VPNv6 Table
(Figure: same topology as the CE1 Configuration slide. Metric, LocPrf and Weight columns were lost in transcription.)

6VPE1#show bgp vpnv6 unicast all
   Network                Next Hop                     Path
Route Distinguisher: 200:1 (default for vrf GREEN)
*> 2001:db8:beef:1::/64   2001:db8:cafe:1::1           ... ?   <- route from CE1
*>i2001:db8:beef:2::/64   ::FFFF:<6VPE2 loopback>      ... ?   <- route from CE2 via 6VPE2
*>i2001:db8:cafe:3::/64   ::FFFF:<6VPE2 loopback>      ... ?   <- PE/CE connected route from 6VPE2

Because the core is IPv4-only, the VPNv6 next hop is the remote PE's IPv4 loopback carried as an IPv4-mapped IPv6 address (::FFFF:a.b.c.d, RFC 4659). The origin "?" (incomplete) reflects redistribution from RIPng and connected routes.

74 6VPE1 LFIB
(Figure: same topology as the CE1 Configuration slide. Most labels and the IPv4 prefixes of the core entries were lost in transcription.)

6VPE1#show mpls forwarding
Local  Outgoing   Prefix                       Bytes Label  Outgoing   Next Hop
Label  Label      or Tunnel Id                 Switched     interface
16     Pop Label  <IPv4 /30>                   0            Et2/0      <P router>
...    ...        <IPv4 /30 and /32 core prefixes>          Et2/0      <P router>
...    No Label   <IPv4 /24>[V]                0            Et0/0      <CE1>
...    Aggregate  <IPv4 /24>[V]                570          GREEN
25     No Label   2001:db8:beef:1::/64[V]      570          Et0/0      FE80::A8BB:CCFF:FE01:F...
...    Aggregate  2001:db8:cafe:1::/64[V]                   GREEN

[V] marks VPN (VRF) prefixes. "No Label" means the VPN label is popped and the packet is forwarded natively to the CE; "Aggregate" means the label is popped and a second lookup is done in the VRF GREEN table. The IPv6 VPN label 25 is allocated alongside the IPv4 VPN labels in the same LFIB.

75 6VPE Summary
RFC 4659, BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN
6VPE adds IPv6 support to the MPLS VPN feature
For end-users: VPNv6 offers the same services as VPNv4 (QoS, hub and spoke, Internet access, etc.)
For providers: same configuration and operation for VPNv4 and VPNv6 VPNs; no upgrade of the MPLS core (it remains IPv6-unaware); upgrade only of the affected PE routers

76 Cisco Carrier-Grade v6

77 Clue 2
Make everything a common unit: use bits, use seconds, use metres.
There is no trick with the packet size. I'm not expecting preamble or L2 headers. It is just 1500 bytes.

78 Cisco Carrier-Grade IPv6 (CGv6)
CGv6 is a Cisco framework for moving to IPv6, consisting of a three-pronged approach: Preserve, Prepare, Prosper.
Preserve IPv4 investments and assets
 Objective: support continued use of IPv4 after address exhaustion
 Solutions: Carrier Grade NAT (millions of translations; NAT44, NAT444)
 This is a short- to medium-term solution
Prepare to deliver interoperable IPv4/IPv6 services
 Objective: upgrade to IPv6 whilst co-existing with IPv4
 Solutions: dual-stack, 6PE/6VPE, Softwire Mesh, Address Family Translation (AFT)
Prosper from accelerated IPv6 growth and innovation
 Objective: end-to-end IPv6 for most devices/things
 Solution: mostly dual-stack and standalone IPv6 clouds

79 Cisco Carrier-Grade IPv6 (CGv6)
Built on carrier-scale address translation and protocol tunnelling capability.
Preserve: by extending private IPv4 into the IP-NGN for continued growth (private IPv4 -> translation -> public IPv4)
Prepare: by enabling interoperable IPv4/IPv6 services over the existing IP-NGN infrastructure (Address Family Translation between IPv6 and public IPv4; 6over4 / 4over6 tunnelling)

80 Preserve - Double NAT
Provides additional IPv4 space for the short term.
(Figure: subscribers | provider | Internet.)
 Subscriber NAT (private -> private), then Carrier Grade NAT (private -> public): NAT444
 Subscriber NAT (private -> public): NAT44
 Carrier Grade NAT only (private -> public)
 Public IPv4 with no NAT

81 Prepare - Address Family Translation (AFT)
Allows access between IPv6 and IPv4 networks (IETF BEHAVE).
(Figure: IPv6-only subscribers | provider performing AFT | public IPv4 Internet.)
IETF BEHAVE working group on AFT: NAT64 and DNS64.

82 Prepare - IPv6 Rapid Deployment (6rd)
Tunnel IPv6 over the IPv4 access network to a 6rd gateway.
(Figure: subscribers with private IPv4 tunnel IPv6 ("6 to 4") to the provider's 6rd gateway, which forwards natively to the IPv6 Internet and through NAT to the public IPv4 Internet.)
The 6rd gateway can also perform the AFT function for IPv6/IPv4 source/destination combinations.

83 Prepare - Dual-Stack Lite (4over6, 4rd)
Tunnel IPv4 over the IPv6 access network to a DS-Lite gateway (more v6 than v4).
(Figure: subscribers with private IPv4 tunnel it ("4 to 6") across the IPv6-only access network to the provider's DS-Lite gateway, which terminates the tunnel and applies carrier-grade NAT44 before the IPv4 Internet; IPv6 traffic flows natively.)

84 Prosper - All IPv6 (some time away?)
(Figure: subscribers | provider | Internet, all IPv6.)

85 The Carrier-Grade Services Engine
CGSE: engine for massive Cisco CGv6 deployments on the Cisco CRS
 20+ million active translations
 100s of thousands of subscribers
 1+ million connections per second
 20 Gb/s of throughput per CGSE
CGN (NAT44/NAT64/6rd) also supported on the Cisco ASR1k for Cisco CGv6 deployments (assumes ESP40 and RP2)
 2+ million active translations
 200k sessions per second
 40G system throughput

86 NAT64 Summary
Translate between IPv6 and IPv4: IPv6-only hosts <-> protocol translator <-> IPv4-only hosts.
Choice of translation or tunnelling? Always choose a tunnel where you can; translation (NAT) has worse side effects.

87 NAT-PT: The Historic Way to Translate IPv6 to IPv4
NAT-PT combined all scenarios.
IPv6 to IPv4 is problematic: the IPv6 space is bigger.
It broke DNSSEC.
RFC 4966 said IPv4/IPv6 translation causes other side effects, and some are not solvable.
But: IPv4 addresses are near exhaustion; there is effectively no IPv6 Internet access and no IPv6 content anywhere in the world; and we can't tunnel everywhere.

88 IPv6/IPv4 Translation: Stateless vs. Stateful

Stateless (1:1 translation, NAT)
 Any protocol
 Helps ensure end-to-end address transparency and scalability
 No state or bindings created on the translator
 Session can be initiated from either side
 Requires IPv4-translatable IPv6 address assignment (mandatory requirement)
 Requires either manual or DHCPv6-based address assignment for IPv6 hosts (SLAAC cannot produce the required interface ID)
 No IPv4 address savings (just like IPv4 NAT)

Stateful (N:1 translation, NAPT)
 TCP, UDP, ICMP
 Uses address overloading; hence lacks end-to-end address transparency
 State or bindings created on every unique translation
 Session must be initiated from the IPv6 side
 No requirement on the characteristics of IPv6 address assignment: manual, DHCPv6, or stateless address auto-configuration (SLAAC)
 Saves IPv4 addresses

89 IPv6/IPv4 Translation Framework Scenarios (1)
(The stateful/stateless applicability marks were lost in transcription; the table follows RFC 6144, on which the slide is based.)

 Scenario                            Stateful       Stateless
 IPv6 network  -> IPv4 Internet      yes            yes
 IPv4 Internet -> IPv6 network       yes **         yes
 IPv6 Internet -> IPv4 network       yes            no (Internet hosts have no IPv4-translatable addresses)
 IPv4 network  -> IPv6 Internet      not viable because too few IPv4 addresses

** Possible with nat64 v6v4 static mappings

90 IPv6/IPv4 Translation Framework Scenarios (2)
(Marks reconstructed per RFC 6144 as on the previous slide.)

 Scenario                            Stateful       Stateless
 IPv6 network  -> IPv4 network       yes            yes
 IPv4 network  -> IPv6 network       yes **         yes
 IPv6 Internet -> IPv4 Internet      cannot be done
 IPv4 Internet -> IPv6 Internet      cannot be done

** Possible with nat64 v6v4 static mappings

91 IPv6/IPv4 Translation: Two Scenarios
Connecting an IPv6 network to the IPv4 Internet
 You built an IPv6-only network and want to access servers on the IPv4 Internet
 Example: IPv6-only LTE handsets
Connecting the IPv6 Internet to an IPv4 network
 You have IPv4 servers and want them available to the IPv6 Internet
 Example: IPv4-only data centre (HTTP servers)

92 Connecting an IPv6 Network to the IPv4 Internet
(Figure: IPv6-only clients in an IPv6-only network -> DNS64 and protocol translator (NAT64) -> dual-stack network -> dual-stack Internet.)

93 DNS64
Synthesises AAAA records when no AAAA is present in the DNS, using the prefix of the NAT64 translator.
(Figure: IPv6-only host asks the DNS64 for AAAA. DNS64 sends AAAA? and A? to the Internet simultaneously; the AAAA answer is empty, the A answer carries an IPv4 address. DNS64 returns a synthesised AAAA: 2001:db8:6464::<IPv4 address>.)

94 DNS64 flows
(Figure only.)

95 DNS64 example
Topology: an IPv6-only network (2001:db8:a:b::) and an IPv4 or dual-stack network; the DNS64 (BIND 9.8.x) sits between the IPv6-only clients and the root and authoritative name servers on the Internet.

options {
    dns64 2001:db8:6464::/96 {
        clients { any; };
        mapped  { any; };
        exclude { 64:ff9b::/96; ::ffff:0000:0000/96; };
        suffix ::;
    };
};

dns64 <prefix>: the NAT64 prefix used for synthesis. Here it is a network-specific prefix; the well-known prefix (WKP) 64:ff9b::/96 is listed under exclude instead.
clients: the addresses of the clients allowed to use DNS64.
mapped: the list of IPv4 addresses which may be mapped into synthesised AAAA records.
exclude: AAAA records falling in these ranges are treated as absent, so synthesis still occurs (they would otherwise hand the client an address it cannot use directly).
suffix: the filler after the embedded IPv4 address. Only applies where the prefix is shorter than 96 bits.

96 DNS64
Works for applications that do DNS queries: well over 80% of applications.
Breaks for applications that don't do DNS queries: SIP, RTSP, H.323, etc., and anything using IPv4 address literals.
Solutions: an application-level proxy for IPv4 address literals (HTTP proxy), or the application learns the NAT64's prefix and synthesises addresses itself.

97 NAT64 Stateless BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 97

98 Stateless NAT64 example
Topology: using CGSE on a CRS; IPv6 side 2001:db8:a:b::/64, IPv4 side address lost in transcription.

service cgn CGN
 service-location preferred-active 0/3/CPU0
 !
 service-type nat64 stateless xlat1
  ipv6-prefix 2001:db8:6464::/96
  address-family ipv4
   interface ServiceApp46
  !
  address-family ipv6
   interface ServiceApp64
!
interface ServiceApp46
 description the IPv4 side NAT64 interface
 ipv4 address <IPv4 address> <mask>
 service cgn CGN service-type nat64 stateless
!
interface ServiceApp64
 description the IPv6 side NAT64 interface
 ipv6 address 2001:db8:a:b::1/64
 service cgn CGN service-type nat64 stateless
!
router static
 address-family ipv4 unicast
  <IPv4 /24 of the IPv4-translatable hosts> ServiceApp46
 !
 address-family ipv6 unicast
  2001:db8:6464::/96 ServiceApp64 2001:db8:a:b::2
  2a01:db8:6464::/64 <LAN interface>

Traffic for the IPv4-embedded prefix is steered into the ServiceApp64 interface and comes out of ServiceApp46 as IPv4, and vice versa; no translation state is kept, so the IPv6 hosts must carry IPv4-translatable addresses.
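The DNS64 and stateless NAT64 slides above both rest on one algorithm: RFC 6052, which embeds an IPv4 address in an IPv6 prefix of length /32, /40, /48, /56, /64 or /96 (skipping bits 64-71, which must stay zero). The following Python is an added example written for this section, not code from the deck, BIND or CGSE. It implements the embedding and its inverse, a DNS64 resolver over a constructed zone that honours BIND-style exclude ranges, and the address part of a stateless translation; the host names, zone records and 198.51.100.0/24 addresses are constructed, while 2001:db8:6464::/96 and the exclude list are the deck's.

```python
"""RFC 6052 address mapping as used by DNS64 and stateless NAT64.
Added example for this section; zone data and host names are constructed."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix, v4) -> IPv6Address:
    """IPv4-embedded IPv6 address, RFC 6052 section 2.2.
    /96: the IPv4 address follows the prefix.  Shorter prefixes: the 32 IPv4
    bits straddle the 'u' octet (bits 64-71, kept zero) and a zero suffix
    fills the rest."""
    prefix, v4 = IPv6Network(prefix), IPv4Address(v4)
    plen = prefix.prefixlen
    if plen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"unsupported RFC 6052 prefix length /{plen}")
    pbits = int(prefix.network_address) >> (128 - plen)
    v4bits = int(v4)
    if plen == 96:
        return IPv6Address((pbits << 32) | v4bits)
    first_len = 64 - plen           # IPv4 bits placed before the u octet
    rest_len = plen - 32            # IPv4 bits placed after it
    suffix = 88 - plen              # trailing zero bits
    first = v4bits >> rest_len
    rest = v4bits & ((1 << rest_len) - 1)
    full = (((((pbits << first_len) | first) << 8) << rest_len) | rest) << suffix
    return IPv6Address(full)


def extract_ipv4(prefix, v6) -> IPv4Address:
    """Inverse of embed_ipv4; rejects addresses outside the prefix or with a
    non-zero u octet, as a stateless translator must."""
    prefix, v6 = IPv6Network(prefix), IPv6Address(v6)
    plen = prefix.prefixlen
    if plen not in RFC6052_PREFIX_LENGTHS or v6 not in prefix:
        raise ValueError(f"{v6} is not IPv4-embedded under {prefix}")
    bits = int(v6)
    if plen == 96:
        return IPv4Address(bits & 0xFFFFFFFF)
    first_len, rest_len, suffix = 64 - plen, plen - 32, 88 - plen
    rest = (bits >> suffix) & ((1 << rest_len) - 1)
    u_octet = (bits >> (suffix + rest_len)) & 0xFF
    first = (bits >> (suffix + rest_len + 8)) & ((1 << first_len) - 1)
    if u_octet != 0:
        raise ValueError("bits 64-71 must be zero in an RFC 6052 address")
    return IPv4Address((first << rest_len) | rest)


# Constructed zone data standing in for the authoritative servers.
ZONE = {
    "v4only.example.": {"A": ["192.0.2.10"]},
    "dual.example.":   {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
    "wkp.example.":    {"A": ["192.0.2.30"], "AAAA": ["64:ff9b::192.0.2.30"]},
    "v6only.example.": {"AAAA": ["2001:db8::40"]},
}
NAT64_PREFIX = IPv6Network("2001:db8:6464::/96")            # from the deck
# BIND 'exclude': AAAA answers in these ranges are treated as absent.
EXCLUDE = (IPv6Network("64:ff9b::/96"), IPv6Network("::ffff:0:0/96"))


def dns64_answer(name, zone=ZONE, prefix=NAT64_PREFIX, exclude=EXCLUDE):
    """Return (addresses, synthesised).  Real AAAA records win unless every
    one of them lies in an excluded range; otherwise A records are mapped
    into the NAT64 prefix (RFC 6147 behaviour)."""
    rrs = zone.get(name, {})
    real = [IPv6Address(a) for a in rrs.get("AAAA", [])]
    usable = [a for a in real if not any(a in net for net in exclude)]
    if usable:
        return [str(a) for a in usable], False
    synth = [str(embed_ipv4(prefix, a)) for a in rrs.get("A", [])]
    return synth, bool(synth)


def translate_stateless(pkt, prefix=NAT64_PREFIX):
    """Address part of a stateless NAT64 translation; no state is kept.
    IPv6 -> IPv4 needs BOTH addresses to be IPv4-embedded under the prefix,
    which is why stateless mode requires IPv4-translatable addresses on the
    IPv6 hosts; IPv4 -> IPv6 always succeeds."""
    if pkt["version"] == 6:
        return {"version": 4,
                "src": str(extract_ipv4(prefix, pkt["src"])),
                "dst": str(extract_ipv4(prefix, pkt["dst"]))}
    return {"version": 6,
            "src": str(embed_ipv4(prefix, pkt["src"])),
            "dst": str(embed_ipv4(prefix, pkt["dst"]))}
```

The `wkp.example.` entry shows why the BIND configuration excludes 64:ff9b::/96: a published AAAA inside the well-known prefix is useless to a client behind a network-specific NAT64 prefix, so the resolver synthesises instead.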

99 NAT64 Stateful BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 99

100 Stateful NAT64 example topology
(Figure: an IPv6-only network 2001:db8:cafe:5555:: and an IPv4-only network either side of the translator. IPv4 hosts appear to IPv6 as 2001:db8:cafe:beef::<IPv4 address>; the IPv6 host 2001:db8:cafe:f00d::abc is reachable from IPv4 through a static mapping. The IPv4 addresses were lost in transcription.)

interface GigabitEthernet0/0/0
 description to 6k-dmz-1 IPv6 side
 no ip address
 ipv6 address 2001:db8:1234:abcd::1/64
 nat64 enable
!
interface GigabitEthernet0/0/1
 description to 6k-dmz-1 IPv4 side
 ip address <IPv4 address> <mask>
 nat64 enable
!
ipv6 access-list EDGE_ACL
 permit ipv6 any any
!
nat64 prefix stateful 2001:db8:cafe:beef::/96
nat64 v4 pool EDGE <first IPv4 pool address> <last IPv4 pool address>
nat64 v6v4 list EDGE_ACL pool EDGE overload
!
nat64 v6v4 static 2001:db8:cafe:beef::<a> <IPv4 address a>
nat64 v6v4 static 2001:db8:cafe:beef::<b> <IPv4 address b>
!
nat64 v4v6 static <IPv4 address c> 2001:db8:cafe:f00d::abc

EDGE_ACL selects which IPv6 sources may use the dynamic pool; "overload" gives the N:1 port-multiplexed translation. In a real deployment the ACL should be narrower than permit any any.

101 Stateful NAT64 example syntax
nat64 v6v4 is used when:
 translating IPv6 source to IPv4 source (the port-overload N:1 mappings)
 translating IPv6 destination to IPv4 destination (as per the example)
!
nat64 v6v4 static 2001:db8:cafe:beef::<a> <IPv4 address a>
!
An IPv6 packet addressed to 2001:db8:cafe:beef::<a> leaves as an IPv4 packet to <IPv4 address a>; the IPv6 source is rewritten according to the binding table.

nat64 v4v6 is used when:
 translating IPv4 source to IPv6 source
 translating IPv4 destination to IPv6 destination (as per the example)
!
nat64 v4v6 static <IPv4 address c> 2001:db8:cafe:f00d::abc
!
An IPv4 packet addressed to <IPv4 address c> is delivered to 2001:db8:cafe:f00d::abc; its IPv4 source appears to the IPv6 host as 2001:db8:cafe:beef::<IPv4 source>. The static entry is what allows a session to be initiated from the IPv4 side.
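To make the stateless/stateful contrast of the earlier table concrete, here is a binding-table model of the stateful translator configured above. It is an added example for this section, not IOS XE code and not how the ASR1k implements NAT64. It reuses the deck's stateful prefix 2001:db8:cafe:beef::/96 and the static host 2001:db8:cafe:f00d::abc; the pool address 198.51.100.10, the static IPv4 address 198.51.100.20, the client addresses and the IPv4 server 192.0.2.80 are constructed because the deck's IPv4 values were lost.

```python
"""Stateful NAT64 binding table: N:1 'overload' plus static mappings.
Added example; not Cisco code.  Pool, clients and server are constructed."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

STATEFUL_PREFIX = IPv6Network("2001:db8:cafe:beef::/96")   # from the deck


def embed(v4: str, prefix=STATEFUL_PREFIX) -> str:
    """/96-style IPv4-embedded address: prefix followed by the 32 IPv4 bits."""
    return str(IPv6Address(int(prefix.network_address) | int(IPv4Address(v4))))


def extract(v6: str, prefix=STATEFUL_PREFIX) -> str:
    addr = IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{v6} is not under the NAT64 prefix {prefix}")
    return str(IPv4Address(int(addr) & 0xFFFFFFFF))


class StatefulNat64:
    """Bindings are keyed on (IPv6 source, protocol, source port); one pool
    address carries up to 64512 concurrent sessions (ports 1024-65535)."""
    PORTS_PER_ADDRESS = 65536 - 1024

    def __init__(self, pool, static=None):
        self.pool = [str(IPv4Address(a)) for a in pool]   # 'nat64 v4 pool'
        self.static = dict(static or {})                   # v6 host -> dedicated v4
        self.static_rev = {v4: v6 for v6, v4 in self.static.items()}
        self.bind = {}       # (src6, proto, sport) -> (v4, port)
        self.rev = {}        # (v4, proto, port)   -> (src6, sport)
        self.counter = 0

    def _alloc(self):
        n = self.counter
        if n >= len(self.pool) * self.PORTS_PER_ADDRESS:
            raise RuntimeError("translation table exhausted")
        self.counter += 1
        return self.pool[n // self.PORTS_PER_ADDRESS], 1024 + n % self.PORTS_PER_ADDRESS

    def v6_to_v4(self, pkt):
        """IPv6 -> IPv4: the only direction that may create state."""
        dst4, src6 = extract(pkt["dst"]), pkt["src"]
        if src6 in self.static:                          # 1:1, port preserved
            return dict(pkt, src=self.static[src6], dst=dst4)
        key = (src6, pkt["proto"], pkt["sport"])
        if key not in self.bind:
            v4, port = self._alloc()
            self.bind[key] = (v4, port)
            self.rev[(v4, pkt["proto"], port)] = (src6, pkt["sport"])
        v4, port = self.bind[key]
        return dict(pkt, src=v4, dst=dst4, sport=port)

    def v4_to_v6(self, pkt):
        """IPv4 -> IPv6: passes only with an existing binding or a static
        mapping; anything else is dropped (None), so IPv4 hosts cannot open
        sessions toward dynamically translated IPv6 hosts."""
        src6 = embed(pkt["src"])
        if pkt["dst"] in self.static_rev:
            return dict(pkt, src=src6, dst=self.static_rev[pkt["dst"]])
        hit = self.rev.get((pkt["dst"], pkt["proto"], pkt["dport"]))
        if hit is None:
            return None
        host6, hport = hit
        return dict(pkt, src=src6, dst=host6, dport=hport)


def demo():
    """Two IPv6 clients share one pool address; a reply maps back; an
    unsolicited IPv4 SYN to the pool is dropped; one to the static host passes."""
    nat = StatefulNat64(pool=["198.51.100.10"],
                        static={"2001:db8:cafe:f00d::abc": "198.51.100.20"})
    srv = embed("192.0.2.80")
    out1 = nat.v6_to_v4({"src": "2001:db8:cafe:5555::10", "dst": srv, "proto": "tcp", "sport": 40000, "dport": 80})
    out2 = nat.v6_to_v4({"src": "2001:db8:cafe:5555::11", "dst": srv, "proto": "tcp", "sport": 40000, "dport": 80})
    back = nat.v4_to_v6({"src": "192.0.2.80", "dst": out1["src"], "proto": "tcp", "sport": 80, "dport": out1["sport"]})
    unsolicited = nat.v4_to_v6({"src": "192.0.2.80", "dst": "198.51.100.10", "proto": "tcp", "sport": 12345, "dport": 22})
    to_static = nat.v4_to_v6({"src": "192.0.2.80", "dst": "198.51.100.20", "proto": "tcp", "sport": 12345, "dport": 22})
    return out1, out2, back, unsolicited, to_static
```

Both clients use source port 40000, so the translator has to rewrite the port (the "port overload" of the slide); the reverse table is what turns the reply's destination port back into the right client. The abuse-logging problem raised later in the section is visible here too: from 192.0.2.80's point of view both sessions come from 198.51.100.10.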

102 IPv6/IPv4 Translation Issues
IPv4 address literals: SIP, RTSP, etc.
Application Layer Gateway, or application proxy, needed for:
 FTP (EPSV, PASV): draft-ietf-behave-ftp64
 RTSP in mobile environments (3G)
 Other applications?

103 What if I can't Dual Stack?
Three ways to put an IPv4-only host on the IPv6 Internet:
 Server Load Balancer: IPv6 Internet -> SLB -> IPv4-only host
 Stateful NAT64: IPv6 Internet -> NAT64 -> IPv4-only host
 Proxy (Apache, Squid, Microsoft PortProxy): IPv6 Internet -> proxy -> IPv4-only host

104 NAT64 for Data Centre
Makes IPv4-only servers accessible on the IPv6 Internet.
Requires stateful translation, because the IPv6 Internet is bigger than IPv4 (you can't represent every IPv6 address in IPv4).
All connections come from the translator's IPv4 address(es): a problem for abuse logging, and there is no X-Forwarded-For: header to recover the client.
Maybe an application proxy is superior? e.g. lighttpd. But a proxy has poor TLS interaction (it must terminate the TLS session to add the header).

105 Addressing

106 PI and PA Allocation Process
Provider Assigned (PA): IANA 2000::/3 -> Registries /12 -> ISP /32 -> Org /48 -> clients (level four)
Provider Independent (PI): IANA 2000::/3 -> Registries /12 -> Org /48 directly

107 Do I Get PI or PA?
It depends.
PI space is great: it is RIR-controlled space (not all RIRs have approved PI space).
PA is great if you plan to use the same SP for a very long time, or you plan to NAT everything with IPv6 (not likely).
More important things to consider:
 Do you get a prefix for the entire company?
 Do you get one prefix per site (and what defines a site)?
 Does your company cross international boundaries?
 Do outposts each need a PI/PA?

108 Link Level Prefix Length Considerations

64 bits
 Recommended by RFC 3177 and IAB/IESG (RFC 3177 has since been obsoleted by RFC 6177)
 Consistency makes management easy
 MUST for SLAAC (Microsoft DHCPv6 also)
 Significant address space loss (18 quintillion addresses per link)

Longer than 64 bits
 Address space conservation
 Special cases: /126 valid for p2p; /127 valid for p2p if you are careful (draft-kohno-ipv6-prefixlen-p2p, later RFC 6164; contrast RFC 3627); /128 loopback
 Must avoid overlap with specific addresses: Subnet-Router Anycast (RFC 3513), Embedded RP (RFC 3956), ISATAP addresses

Options
 Allocate /64s everywhere
 /64 on host networks + /126 on P2P links
 /64 on host networks + /127 on P2P links
 Always use /128 on loopbacks

109 The /127 Issue
Originally point-to-point links were numbered with /64, /96, /112 or /126:
 /64: simplest
 /96: allowed 32 bits of IPv4 address to be used
 /112: allowed the significant 16 bits of IPv4 address to be used
 /126: emulated the IPv4 /30 behaviour
Use of ample address space opened networks up to attack (see the Prefix Exploits slide in the Security section).
Two conflicting RFCs:
 RFC 3627, Use of /127 Prefix Length Between Routers Considered Harmful
 RFC 6164, Using 127-Bit Prefixes on Inter-Router Links
/127 is not possible in some implementations due to conflict with the Subnet-Router anycast address; Cisco IOS does not implement Subnet-Router Anycast, so the issue is with multivendor support.
The industry is moving towards RFC 6164.

110 Subnets

 Prefix   /64 subnets
 /32      4,294,967,296
 /33      2,147,483,648
 /34      1,073,741,824
 /35        536,870,912
 /36        268,435,456
 /38         67,108,864
 /40         16,777,216
 /44          1,048,576
 /48             65,536
 /50             16,384
 /52              4,096

111 Subnetting references

112 /32 Addressing Scheme
High-level /32 addressing plan. Indicative only; can be modified to suit needs.
Assumes a minimum /32 allocation.
 /32 -> four /34 (1 billion /64 subnets each), one per network: Mobile Wireless (MW), Wired, Reserved, R&D
 MW /34 -> 16 x /38 (67 million /64 subnets each): Infra, UE, UE, OAM, ..., WLAN, Lab
 Infra /38 -> /42 blocks: DC, GW, IMS, LB, ...; within these, a /64 for loopbacks and a /64 per p2p link (p2p1, p2p2, p2p3, ...)
 UE allocation broken up into catchment zones (16 million /64 subnets per zone, i.e. a /40 each): UE1, UE2, UE3, UE4, ...
 Each UE will require a /64 prefix
 Infrastructure networks have access to a /56 (256 x /64 subnets)

113 /48 Addressing Scheme
High-level /48 addressing plan. Indicative only; can be modified to suit needs.
 /48 = 65,536 x /64
 Break up into functional blocks: 4 x /50 in this case (Branch, DC, WAN, Lab). Each functional block simplifies security policy.
 Branch /50 -> /56 per branch: Branch 1, Branch 2, Branch 3, Branch 4, ..., MGMT. Assumes up to 64 branch networks.
 Each branch /56 has access to 256 /64 prefixes for loopback, WAN, DMZ and VLAN use (e.g. /64 Loop, /64 WAN, /64 DMZ, /64 VLAN4, /64 VLAN5, ...).

114 Allocation vs. Masking
Allocate a /64 everywhere: this ensures simple allocation and no need to maintain /30-style spreadsheets.
Change the mask to suit the purpose:
 /64 for LAN
 /127 for p2p links
 /128 for loopbacks (all sequentially allocated from the same /64)
Don't use EUI-64 with global addresses for network infrastructure:
 The address will change with an RMA
 This will affect DNS
 Higher operational overhead

115 Security

116 Clue 3
Things you need to work out: How long does it take to transmit the packet? How far does light travel in that time? Yes, there are lots of zeros.

117 Shared Issues

118 Innocent W2k3 to W2k8 Upgrade
Windows 2003:
C:\>ping svr-01
Pinging svr-01.example.com [<IPv4 address>] with 32 bytes of data:
Reply from <IPv4 address>: bytes=32 time<1ms TTL=128
Reply from <IPv4 address>: bytes=32 time<1ms TTL=128
Reply from <IPv4 address>: bytes=32 time<1ms TTL=128
Reply from <IPv4 address>: bytes=32 time<1ms TTL=128

Host upgraded to Windows 2008:
C:\>ping svr-01
Pinging svr-01 [fe80::c4e2:f21d:d2b3:8463%15] with 32 bytes of data:
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms

Link Local Multicast Name Resolution (capture):
No.  Time  Source                      Destination  Protocol  Info
...        fe80::c4e2:f21d:d2b3:8463   ff02::1:3    UDP       Source port: ...  Destination port: llmnr
...        ...                         ...          UDP       Source port: ...  Destination port: llmnr

Can happen if the circumstances are right: the upgraded host prefers IPv6, and with no AAAA in DNS it resolves the name over LLMNR (ff02::1:3) to a link-local address, bypassing whatever IPv4 policy applied to the DNS name.

119 Reconnaissance in IPv6: Subnet Size Difference
Default subnets in IPv6 have 2^64 addresses; at 10 Mpps that is more than 58,000 years:
 18,446,744,073,709,551,616 addresses / 10,000,000 pps = 1,844,674,407,370 seconds = 21,350,398 days = 58,494 years
NMAP doesn't even support ping sweeps on IPv6 networks.
IPv6 reconnaissance attacks will NOT go away; rather, the tactics will be modified: passive techniques such as DNS name server resolution to identify victim networks for more targeted exploitation.
Neighbour Discovery-based attacks will also replace their IPv4 counterparts such as ARP spoofing.

120 Reconnaissance in IPv6
Public servers will still need to be DNS reachable, and more information is collected by Google.
Increased deployment of and reliance on dynamic DNS: more information will be in DNS.
Using peer-to-peer clients gives away the addresses of peers.
Administrators may adopt easy-to-remember addresses (::10, ::20, ::F00D, ::C5C0, or simply the IPv4 last octet for dual-stack hosts).
By compromising hosts in a network, an attacker can learn new addresses to scan.
Transition techniques (see further) derive the IPv6 address from the IPv4 address, so the IPv4 range can be scanned again.
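The point of the two reconnaissance slides is that an attacker never sweeps 2^64 addresses; the candidate list is a few hundred guesses per /64. The Python below is an added example for this section, not a tool from the deck, that builds such a list from the patterns named above (low interface IDs, readable hex words, IPv4-derived IDs for dual-stack hosts, and EUI-64 from known MACs), and shows the converse: recovering a MAC from an EUI-64 address, which is what RFC 4941 privacy addresses prevent. The prefix 2001:db8:1::/64, the IPv4 range and the MAC address are constructed.

```python
"""Target-list generation for an IPv6 /64 and EUI-64 inspection.
Added example; the prefix, IPv4 range and MAC below are constructed."""
from ipaddress import IPv4Network, IPv6Address, IPv6Network


def eui64_iid(mac: str) -> int:
    """RFC 4291 Appendix A: insert ff:fe in the middle of the MAC and flip the
    universal/local bit (0x02 of the first octet)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("need a 48-bit MAC")
    b = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(b, "big")


def mac_from_eui64(addr: str):
    """Recover the MAC if the interface ID looks EUI-64 derived, else None.
    None usually means a privacy (RFC 4941) or manually assigned address."""
    iid = (int(IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)


def candidates(prefix: str, ipv4_net: str = None, macs=(), low_max=256,
               words=(0xf00d, 0xc5c0, 0xbeef, 0xcafe, 0xdead, 0x1234)):
    """Plausible host addresses inside a /64: ::1-::ff (::0 skipped, it is
    the Subnet-Router anycast), hex 'words', IPv4-derived IDs in both the
    ::192.0.2.10 and ::10 styles, and EUI-64 for any MACs known from ARP
    tables or vendor OUIs.  Returned as strings, sorted numerically."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64")
    base = int(net.network_address)
    iids = set(range(1, low_max))
    iids.update(words)
    if ipv4_net:
        for host in IPv4Network(ipv4_net).hosts():
            iids.add(int(host))            # full IPv4 address as the IID
            iids.add(int(host) & 0xFF)     # last octet only
    for mac in macs:
        iids.add(eui64_iid(mac))
    return [str(IPv6Address(base | iid)) for iid in sorted(iids)]


def has(cands, addr: str) -> bool:
    """Membership test that ignores textual compression differences."""
    return IPv6Address(addr) in {IPv6Address(c) for c in cands}
```

Against a /64 with a known IPv4 twin of /24, this yields a few hundred probes instead of 2^64, which is why the deck recommends neither EUI-64 nor "cute" addresses on infrastructure, and privacy addresses for hosts talking to the outside.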

121 Scanning Made Bad for CPU
Potential router CPU attacks with aggressive scanning: the router will perform Neighbor Discovery for every probed address, wasting CPU and memory.
There is a built-in rate limiter, but no option to tune it.
Using a /64 on point-to-point links gives an attacker a lot of addresses to scan; using /127 could help (RFC 6164).
Using an infrastructure ACL prevents this scanning:
 iACL: an edge ACL denying packets addressed to your routers
 Easy with IPv6, because the new addressing scheme can be designed for it

122 Viruses and Worms in IPv6
Viruses and e-mail or IM worms: IPv6 brings no change.
Other worms:
 IPv4: reliance on network scanning
 IPv6: not so easy (see reconnaissance); they will use alternative techniques
Worm developers will adapt to IPv6; best practices around worm detection and mitigation remain valid.

123 Prefix Exploits
Using /127 for infrastructure point-to-point links avoids two attack vectors:
 ND cache exhaustion on ND-based media (e.g. Ethernet)
 The TTL (ping-pong) attack on non-ND media (e.g. POS)
IOS is not affected by the ping-pong attack: it implements the RFC 4443 rule that a router on a point-to-point link must not forward a packet back out the interface it arrived on.
(Figure, Ethernet: 2001:db8:1000::1/64 (e0/0) and 2001:db8:1000::2/64 (e0/0). An attacker pings 2001:db8:1000::3, an unused address in the /64; each router issues a Neighbor Solicitation and holds an INCOMPLETE entry in its cache until it times out; repeated for many addresses this exhausts the cache memory.)
(Figure, POS: 2001:db8:1000::1/64 (pos1/0) and 2001:db8:1000::2/64 (pos1/0). A ping to 2001:db8:1000::3 is forwarded back and forth between the two routers until the hop limit expires.)
Recommendation: use /127 where possible on P2P links.

124 Routing Header
An extension header processed by the listed intermediate routers.
Two types:
 Type 0: similar to IPv4 source routing (multiple intermediate routers)
 Type 2: used for Mobile IPv6
Format: the IPv6 basic header carries Next Header = 43; the Routing Header (43) consists of Next Header, Ext Hdr Length, RH Type, Segments Left and the Routing Header Data (the list of addresses).

125 Type 0 Routing Header Issue: Amplification Attack
What if an attacker sends a packet with an RH0 containing A -> B -> A -> B -> A -> B -> A -> B -> A ...?
The packet will loop multiple times on the link A-B, until the Hop Limit is exhausted: an amplification attack on that link.

126 Preventing Routing Header Attacks
Apply the same policy for IPv6 as for IPv4: block Routing Header type 0.
Prevent processing at the intermediate nodes:
 no ipv6 source-route (IOS only)
 Windows, Linux, Mac OS: default setting
At the edge: with an ACL blocking the routing header, specifically type 0.
RFC 5095 (Dec 2007): RH0 is deprecated.
Default IOS behaviour changed in 12.4(15)T to ignore and drop RH0; no need to configure no ipv6 source-route there.

127 Neighbor Discovery Issue #1: Stateless Autoconfiguration
Router Solicitations are sent by booting nodes to request Router Advertisements for stateless address auto-configuration.
RA/RS without any authentication gives exactly the same level of security as ARP for IPv4 (none).
Attack tool: fake_router6 can make any address the default router.

Router Solicitation (ICMP type 133)
 Source: A's link-local (FE80::1)
 Destination: all-routers multicast (FF02::2)
 Query: please send an RA
Router Advertisement (ICMP type 134)
 Source: the router's link-local (FE80::2)
 Destination: all-nodes multicast (FF02::1)
 Data: options, subnet prefix, lifetime, autoconfig flag

128 Neighbor Discovery Issue #2: Neighbor Solicitation
No security mechanisms are built into the discovery protocol, so it is very similar to ARP.
Attack tool: Parasite6 answers all NS, claiming to be every system on the LAN.

Neighbour Solicitation (ICMP type 135)
 Source: A unicast
 Destination: B's solicited-node multicast
 Data: A's link-layer address
 Query: what is B's link-layer address?
Neighbour Advertisement (ICMP type 136)
 Source: B unicast
 Destination: A unicast
 Data: B's link-layer address

129 ARP Spoofing is now NDP Spoofing: Mitigation
SEMI-BAD NEWS: nothing yet like Dynamic ARP Inspection for IPv6; the first phase (Port ACL and RA Guard) has been available since September.
SEMI-GOOD NEWS: Secure Neighbor Discovery (SEND) = NDP + crypto, in IOS 12.4(24)T, but not in Windows Vista, 2008 and 7. Crypto means slower.
More GOOD NEWS: Private VLANs work with IPv6; port security works with IPv6; 802.1X works with IPv6.

130 FHS Current Status

 Platform           IOS train   SEND        Port ACL        RA Guard
 Cat6k              12.2SX                  12.2(33)SXI4    12.2(33)SXI4
 Cat4k Series       12.2SG                  12.2(54)SG      12.2(54)SG
 Cat 3750 Series    12.2SE                  12.2(46)SE
 Cisco ISR          12.4T/15M   12.4(24)T

131 ICMPv4 vs. ICMPv6
Significant changes; ICMP is more relied upon in IPv6.

 ICMP Message Type                 ICMPv4   ICMPv6
 Connectivity Checks               X        X
 Informational/Error Messaging     X        X
 Fragmentation Needed Notification X        X
 Address Assignment                         X
 Address Resolution                         X
 Router Discovery                           X
 Multicast Group Management                 X
 Mobile IPv6 Support                        X

ICMP policy on firewalls needs to change to support IPv6.

132 Equivalent ICMPv6 (RFC 4890): Border Firewall Transit Policy
For your reference. Topology: Internet -> firewall (B) -> internal server (A).

 Action   Src   Dst   ICMPv6 Type   Code   Name
 Permit   Any   A     129           0      Echo Reply
 Permit   Any   A     128           0      Echo Request
 Permit   Any   A     1             0      No Route to Destination
 Permit   Any   A     2             0      Packet Too Big
 Permit   Any   A     3             0      Time Exceeded
 Permit   Any   A     4             0      Parameter Problem

133 Potential Additional ICMPv6 (RFC 4890): Border Firewall Receive Policy
For your reference. Traffic addressed to the firewall (B) itself.

 Action   Src   Dst   ICMPv6 Type   Code   Name
 Permit   Any   B     2             0      Packet Too Big          (for locally generated traffic)
 Permit   Any   B     4             0      Parameter Problem
 Permit   Any   B     130-132       0      Multicast Listener (MLD)
 Permit   Any   B     133/134       0      RS & RA
 Permit   Any   B     135/136       0      NS & NA
 Deny     Any   Any

(The original slide labelled types 133/134 as NS & NA; 133/134 are Router Solicitation/Advertisement, 135/136 are Neighbor Solicitation/Advertisement, and both pairs are link-local traffic the firewall needs to receive.)

134 Preventing IPv6 Routing Attacks: Protocol Authentication
BGP, IS-IS, EIGRP: no change; MD5 authentication of the routing updates.
OSPFv3 has changed: MD5 authentication was pulled from the protocol and it is instead supposed to rely on transport-mode IPsec (AH or ESP).
RIPng and PIM also rely on IPsec.
IPv6 routing attack best practices:
 Use traditional authentication mechanisms on BGP and IS-IS
 Use IPsec to secure protocols such as OSPFv3 and RIPng

135 OSPFv3 or EIGRP Authentication
For your reference. (Key material and key-chain dates were partly lost in transcription and are shown as placeholders.)

OSPFv3 with IPsec AH:
interface Ethernet0/0
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 500 md5 <32 hex digits>

EIGRP for IPv6 with a key chain:
interface Ethernet0/0
 ipv6 authentication mode eigrp 100 md5
 ipv6 authentication key-chain eigrp 100 MYCHAIN
!
key chain MYCHAIN
 key 1
  key-string ABCDEF
  accept-lifetime local 12:00:00 Dec <day> <year> 12:00:00 Jan <day> <year>
  send-lifetime local 00:00:00 Jan <day> <year> 23:59:59 Dec <day> <year>

The overlapping accept/send lifetimes allow a key rollover without dropping adjacencies.

136 Attacks with Strong IPv4/IPv6 Similarities
Sniffing: IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4.
Application layer attacks: the majority of vulnerabilities on the Internet today are at the application layer, something IPsec will do nothing to prevent.
Rogue devices: rogue devices will be as easy to insert into an IPv6 network as in IPv4.
Man-in-the-Middle attacks (MITM): without strong mutual authentication, any attacks utilising MITM will have the same likelihood in IPv6 as in IPv4.
Flooding: flooding attacks are identical between IPv4 and IPv6.

137 IPv6 Specific Issues

138 Privacy Extensions (RFC 3041)
Address layout: prefix + subnet (64 bits) | interface ID (64 bits).
 EUI-64 interface ID: derived from the MAC address, a known identity
 RFC 3041 (since updated by RFC 4941): a random identity
Temporary addresses for host client applications, e.g. a web browser, inhibit device/user tracking.
A random 64-bit interface ID is generated, then Duplicate Address Detection is run before using it; the rate of change is based on local policy.
Recommendation: use privacy extensions for external communication but not for internal networks (troubleshooting and attack trace-back).

139 Disabling Privacy Extensions: Windows XP, 2003, Vista, 7, 2008
For your reference.
Microsoft Windows: deploy a Group Policy Object (GPO), or disable with the netsh CLI:
 netsh interface ipv6 set global randomizeidentifiers=disabled
 netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
 netsh interface ipv6 set privacy state=disabled store=persistent
Alternatively: use DHCPv6 to assign addresses from a specific pool, with ingress filtering allowing only that pool.

140 Header Manipulation
The unlimited size of the header chain (spec-wise) can make filtering difficult.
Potential DoS with poor stack implementations: more boundary conditions to exploit. Can I overrun buffers with a lot of extension headers?
(Figure: a capture that is perfectly valid according to the sniffer, yet contains a Hop-by-Hop Options header, which should only appear once, and several Destination Options headers, which should occur twice at most and should be the last extension header.)

141 The IPsec Myth: IPsec End-to-End will Save the World
IPv6 mandates the implementation of IPsec; IPv6 does not require the use of IPsec.
Some organisations believe that IPsec should be used to secure all flows. Problems:
 Interesting scalability issue (the n^2 key-management issue with IPsec)
 Need to trust endpoints and end-users, because the network cannot secure the traffic: no IPS, no ACL and no firewall policy points can be used (IOS 12.4(20)T can at least parse the AH)
 Network telemetry is blinded: NetFlow is of little use
 Network services hindered: what about QoS?
Recommendation: do not use IPsec end to end within an administrative domain.
Suggestion: reserve IPsec for residential or hostile environments or high-profile targets.

142 IPv4 to IPv6 Transition Challenges
16+ methods, possibly in combination.
Dual stack:
 Consider security for both protocols
 Cross v4/v6 abuse
 Resiliency (shared resources)
 Security policy is only as good as the weakest protocol
Tunnels:
 Bypass firewalls (protocol 41 or UDP)
 Can cause asymmetric traffic (hence breaking stateful firewalls)

143 Enforcing a Security Policy

144 IOS IPv6 Extended ACL
Can match on:
 Upper layers: TCP, UDP, SCTP port numbers
 TCP flags: SYN, ACK, FIN, PUSH, URG, RST
 ICMPv6 code and type
 Traffic class (six of the eight bits) = DSCP
 Flow label (0-0xFFFFF)
 IPv6 extension headers:
  routing matches any RH; routing-type matches a specific RH type
  mobility matches any MH; mobility-type matches a specific MH type
  dest-option matches any Destination Options header; dest-option-type a specific option
  auth matches AH
 Can skip AH (but not ESP) to match the upper layer, since IOS 12.4(20)T
 fragments keyword matches non-initial fragments (same as IPv4), and the first fragment if the L4 protocol cannot be determined
 undetermined-transport keyword (only for deny) matches any packet whose L4 protocol cannot be determined: fragmented or unknown extension header

145 IPv6 ACL Implicit Rules (RFC 4890)
Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any
You must explicitly deny NS or NA if they are to be filtered. Conversely, an explicit deny ipv6 any any at the end of the list is matched before the implicit permits and will break neighbor discovery on the interface.

146 Rogue RA & DHCPv6: Port ACL
Switch-based port ACL to protect against rogue RAs and rogue DHCPv6 servers:

ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any
!
interface gigabitethernet 1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in

Cat6k and Cat4k have a system macro for RA Guard:
interface gigabitethernet 1/0/1
 switchport
 ipv6 nd raguard

Port ACL replaces the router ACL starting with the August 2010 releases onwards:
interface gigabitethernet 1/0/1
 switchport
 access-group mode prefer port

Platforms: Nexus 7000, Cat 3750 12.2(46)SE, Cat4k 12.2(54)SG and Cat6k 12.2(33)SXI4.
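The RFC 4890 tables, the implicit-rule slide and the port ACL above all come down to ordered first-match evaluation with three hidden entries at the end. The Python below is an added example for this section (not IOS code) that evaluates Cisco-style IPv6 ACLs over constructed packets: it reproduces the deck's ACCESS_PORT list, a variant with an explicit trailing deny that silently breaks neighbor discovery, and the ICMPv6 part of the RFC 4890 transit policy toward a server A. The server and client addresses are constructed.

```python
"""Evaluator for Cisco-style IPv6 ACLs with the implicit ND entries.
Added example, not IOS code; the packets and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

ICMPV6 = {"packet-too-big": 2, "time-exceeded": 3, "parameter-problem": 4,
          "echo-request": 128, "echo-reply": 129, "router-solicitation": 133,
          "router-advertisement": 134, "nd-ns": 135, "nd-na": 136}


@dataclass(frozen=True)
class Rule:
    action: str                 # permit | deny
    proto: str                  # ipv6 | icmp | udp | tcp
    src: str = "any"
    dst: str = "any"
    icmp_type: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt) -> bool:
        def in_net(spec, addr):
            return spec == "any" or IPv6Address(addr) in IPv6Network(spec)
        if not (in_net(self.src, pkt["src"]) and in_net(self.dst, pkt["dst"])):
            return False
        if self.proto != "ipv6" and self.proto != pkt["proto"]:
            return False
        for field, key in (("icmp_type", "icmp_type"), ("sport", "sport"), ("dport", "dport")):
            want = getattr(self, field)
            if want is not None and pkt.get(key) != want:
                return False
        return True


# IOS appends these to every IPv6 ACL so neighbor discovery keeps working.
IMPLICIT = [Rule("permit", "icmp", icmp_type=ICMPV6["nd-na"]),
            Rule("permit", "icmp", icmp_type=ICMPV6["nd-ns"]),
            Rule("deny", "ipv6")]


def evaluate(acl, pkt):
    """First match wins.  Returns (action, index); an index >= len(acl)
    means one of the implicit entries fired."""
    for i, rule in enumerate(list(acl) + IMPLICIT):
        if rule.matches(pkt):
            return rule.action, i
    raise AssertionError("unreachable: the implicit deny matches everything")


# Port ACL from the deck: block DHCPv6 server->client and RAs from hosts.
ACCESS_PORT = [Rule("deny", "udp", sport=547, dport=546),
               Rule("deny", "icmp", icmp_type=ICMPV6["router-advertisement"]),
               Rule("permit", "ipv6")]

# Same list with an explicit final deny: hit before the implicit ND permits,
# so NS/NA are dropped and hosts on the port lose their neighbours.
ACCESS_PORT_BROKEN = ACCESS_PORT[:2] + [Rule("deny", "ipv6")]

# ICMPv6 part of the RFC 4890 transit policy toward internal server A
# (constructed address); TCP/UDP would be handled by further lines.
SERVER_A = "2001:db8:0:1::10"
RFC4890_TRANSIT = [Rule("permit", "icmp", dst=SERVER_A + "/128", icmp_type=t)
                   for t in (129, 128, 1, 2, 3, 4)]

PACKETS = {   # constructed traffic samples
    "rogue_ra": {"src": "fe80::bad", "dst": "ff02::1", "proto": "icmp", "icmp_type": 134},
    "ns":       {"src": "fe80::1", "dst": "ff02::1:ff00:10", "proto": "icmp", "icmp_type": 135},
    "dhcp_adv": {"src": "fe80::bad", "dst": "fe80::1", "proto": "udp", "sport": 547, "dport": 546},
    "https":    {"src": "2001:db8:0:2::5", "dst": SERVER_A, "proto": "tcp", "sport": 50000, "dport": 443},
    "ping_a":   {"src": "2001:db8:0:2::5", "dst": SERVER_A, "proto": "icmp", "icmp_type": 128},
    "too_big":  {"src": "2001:db8:0:2::5", "dst": SERVER_A, "proto": "icmp", "icmp_type": 2},
}


def decisions(acl):
    return {name: evaluate(acl, pkt)[0] for name, pkt in PACKETS.items()}
```

Run `decisions(ACCESS_PORT_BROKEN)` against `decisions(ACCESS_PORT)` to see the single difference: the NS that the deck's version permits is denied once the implicit entries are shadowed. The same evaluator shows that the RFC 4890 list needs no explicit ND lines on a transit firewall, because the implicit permits still apply after the last configured entry.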

147 IPv6 ACL to Protect VTY (For Your Reference)
Protect VTY access to devices like you would with IPv4:
  ipv6 access-list VTY
   permit ipv6 2001:db8:0:1::/64 any
  line vty 0 4
   ipv6 access-class VTY in
- Assess if IPv6 access is required in the management plane; some NMS are still IPv4 only.
- Low priority change for existing networks.

148 Control Plane Policing for Protecting the Router CPU (For Your Reference)
Against DoS with NDP, Hop-by-Hop, Hop Limit Expiration...
Software routers (ISR, 7200): IPv6 works with CoPP (CEF exceptions):
  policy-map COPP
   class ICMP6_CLASS
    police 8000
   class OSPF_CLASS
    police
   class class-default
    police 8000
  !
  control-plane cef-exception
   service-policy input COPP
Cat 6k & 7600 share mls rate-limit with IPv4 for NDP & HL expiration:
  mls rate-limit all ttl-failure 1000
  mls rate-limit unicast cef glean 1000

149 Summary of Cisco IPv6 Security Products
- ASA Firewall
  - Since version 7.0 (released 2005)
  - Flexibility: dual stack, IPv6 only, IPv4 only
  - SSL VPN for IPv6 (ASA 8.0)
  - Stateful failover (ASA 8.2.2)
  - Cannot configure extension headers in ACL (but parsing is done)
- FWSM
  - IPv6 in software, Mbps
  - Not an option (put an IPv6-only ASA in parallel)
- IOS Firewall
  - IOS 12.3(7)T (released 2005)
  - Zone-based firewall on IOS-XE 3.6 (2012)
- Cisco Security Agent (EOS)
- IPS
  - Since version for network protection
  - Since 6.2 (released 2008), management over IPv6: Q
- Email Security Appliance (ESA): under beta testing early 2010, shipping Q
- Web Security Appliance (WSA): Q

150 Security Best Practices

151 Candidate Best Practices
- Train your network operators and security managers on IPv6
- Selectively filter ICMP (RFC 4890)
- Block Type 0 Routing Header at the edge
- Copy the IPv4 Best Common Practices:
  - Implement RFC 2827-like filtering
  - If the management plane is IPv4 only, block IPv6 to the core devices (else use an infrastructure ACL for IPv6)
  - Determine what extension headers will be allowed through the access control device
  - Deny IPv6 fragments destined to an internetworking device when possible
- Use traditional authentication mechanisms on BGP and IS-IS
- Use IPsec to secure protocols such as OSPFv3 and RIPng
- Document procedures for last-hop traceback

152 Candidate Best Practices (Cont.)
Mainly for Enterprise Customers:
- Implement privacy extensions carefully
- Filter internal-use addresses & ULA at the border routers
- Filter unneeded services at the firewall
- Maintain host and application security
- Use cryptographic protections where critical
- Implement ingress filtering of packets with multicast source addresses
- Use static tunnelling rather than dynamic tunnelling
- Implement outbound filtering on firewall devices to allow only authorised tunnelling endpoints

153 Summary

154 IPv6 Design and Deployment
- IPv6 allows you to architect a new network frugally
  - In parallel with and over existing infrastructure
  - Minimal capital outlay
  - Implement where it is needed
- Consider routing co-existence
- Consider addressing: how will you allocate your prefixes to customers?
- Consider interoperability between vendors
- Consider billing systems
- Watch the standards and policies

155 IPv6 Security
So, nothing really new in IPv6:
- Reconnaissance: address enumeration replaced by DNS enumeration
- Spoofing & bogons: uRPF is our IP-agnostic friend
- NDP spoofing: RA Guard, and more features coming
- ICMPv6: firewalls need to change policy to allow NDP
- Extension headers: firewalls & ACLs can process them
- Amplification attacks by multicast: mostly impossible
- Potential loops between tunnel endpoints: ACLs must be used
- Lack of operational experience may hinder security for a while: training is required
Security enforcement is possible:
- Control your IPv6 traffic as you do for IPv4
- Leverage IPsec to secure IPv6 when suitable

156 Recommended Reading
These books are excellent reference material.

157 Recommended Reading (Security)
Source: Cisco Press

158 World IPv6 Launch
As the successor to the current Internet Protocol, IPv4, IPv6 is critical to the Internet's continued growth as a platform for innovation and economic development.
6th June
Get involved

159 Q & A

160 The Answer
2,400 meters

161 The Math
At 1 Gbps a 1500 byte packet takes 12 microseconds to transmit:
  1500 * 8 = 12,000 bits
  1 Gbps = 1,000,000,000 bps
  12,000 / 1,000,000,000 = 0.000012 seconds
Distance travelled by light (at 2/3 of its vacuum speed, as in fibre) during this time is 2.4 km:
  200,000,000 m/s * 0.000012 s = 2400 m = 2.4 km
So on a LAN there are very few bits on the wire at any given time; on a transpacific cable system there are a few thousand packets in flight.

162 Complete Your Online Session Evaluation Complete your session evaluation: Directly from your mobile device by visiting and login by entering your username and password Visit one of the Cisco Live internet stations located throughout the venue Open a browser on your own computer to access the Cisco Live onsite portal Don t forget to activate your Cisco Live Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit

Unit 5 - IPv4/ IPv6 Transition Mechanism(8hr) BCT IV/ II Elective - Networking with IPv6 5.1 Tunneling 5.1.1 Automatic Tunneling 5.1.2 Configured Tunneling 5.2 Dual Stack 5.3 Translation 5.4 Migration Strategies for Telcos and ISPs Introduction - Transition - the process or a period of changing

More information

Agenda DUAL STACK DEPLOYMENT. IPv6 Routing Deployment IGP. MP-BGP Deployment. OSPF ISIS Which one?

Agenda DUAL STACK DEPLOYMENT. IPv6 Routing Deployment IGP. MP-BGP Deployment. OSPF ISIS Which one? DUAL STACK DEPLOYMENT Alvaro Retana (alvaro.retana@hp.com) Distinguished Technologist 2010 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

More information

Zero To Hero CCIE CCNP

Zero To Hero CCIE CCNP Zero To Hero CCIE CCNP CCIE CCNP CCIE CCNP Week 1 Simple Network Design Understanding the Host-to-Host Communications Model Understanding the TCP/IP Internet Layer Addresses in a Network Introduction to

More information

Computer Network Architectures and Multimedia. Guy Leduc. Chapter 2 MPLS networks. Chapter 2: MPLS

Computer Network Architectures and Multimedia. Guy Leduc. Chapter 2 MPLS networks. Chapter 2: MPLS Computer Network Architectures and Multimedia Guy Leduc Chapter 2 MPLS networks Chapter based on Section 5.5 of Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley,

More information

Concepts and Operation of MPLS VPNs. Francisco Bolanos

Concepts and Operation of MPLS VPNs. Francisco Bolanos Concepts and Operation of MPLS VPNs Francisco Bolanos fbolanos@cisco.com 2001, Cisco Systems, Inc. All rights reserved. 1 Agenda MPLS Concepts Label Structure Label assignment and distribution RD, RT and

More information

IPv6 Transition Strategies

IPv6 Transition Strategies IPv6 Transition Strategies Philip Smith APNIC 36 Xi an 20 th -30 th August 2013 Last updated 25 July 2013 1 Presentation Slides p Will be available on n http://thyme.apnic.net/ftp/seminars/apnic36-

More information

Implementing Cisco IP Routing (ROUTE)

Implementing Cisco IP Routing (ROUTE) Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide Foundation learning for the ROUTE 642-902 Exam Diane Teare Cisco Press 800 East 96th Street Indianapolis, IN 46240 Implementing Cisco IP

More information

Implementing Tunneling for IPv6

Implementing Tunneling for IPv6 Implementing Tunneling for IPv6 Last Updated: July 31, 2012 This module describes how to configure overlay tunneling techniques used by the Cisco IOS software to support the transition from IPv4-only networks

More information

Multiprotocol Label Switching

Multiprotocol Label Switching This module describes and how to configure it on Cisco switches. Restrictions for, page 1 Information about, page 1 How to Configure, page 3 Verifying Configuration, page 6 Restrictions for (MPLS) fragmentation

More information

Mapping of Address and Port (MAP) an ISPs Perspective. E. Jordan Gottlieb Principal Engineer Charter Communications

Mapping of Address and Port (MAP) an ISPs Perspective. E. Jordan Gottlieb Principal Engineer Charter Communications Mapping of Address and Port () an ISPs Perspective E. Jordan Gottlieb Principal Engineer Charter Communications jordan.gottlieb@charter.com Agenda What is? Benefits of in Action Algorithms in Action Deployment

More information

CCNA Questions/Answers IPv6. Select the valid IPv6 address from given ones. (Choose two) A. FE63::0043::11:21 B :2:11.1 C.

CCNA Questions/Answers IPv6. Select the valid IPv6 address from given ones. (Choose two) A. FE63::0043::11:21 B :2:11.1 C. Select the valid IPv6 address from given ones. (Choose two) A. FE63::0043::11:21 B. 191.2.1.2:2:11.1 C. 2001::98 D. 2002:c0a8:101::42 E. :2001:: F. 2002.cb0a:3cdd:1::1 Answer: C, D. 2013 1 Which method

More information

LARGE SCALE IP ROUTING

LARGE SCALE IP ROUTING Building ISP Networks Xantaro Page 1 / 18 TABLE OF CONTENTS 1. LAB ACCESS 4 1.1 Accessing the Jumphost... 4 1.2 Access to your routers... 4 1.3 Local Network Topology... 5 1.4 Global Network Topology...

More information