Case Study: Professional Services Firm Ensures Secure and Successful IPv6 Deployments for Customers with the OptiView XG Network Analysis Tablet

Transcription

1 CASE STUDY Case Study: Professional Services Firm Ensures Secure and Successful IPv6 Deployments for Customers with the OptiView XG Network Analysis Tablet At a Glance: Customer: Nephos6 Industry: Professional Services Location: Raleigh, NC Challenge: Quickly build a network capable of demonstrating multiple key IPv6 technologies in support of customer training and transaction programs. Result: The OptiView XG Network Analysis Tablet reduced deployment time by providing fast and accurate device discovery, identification of tunneling protocols, and easy-touse tools for troubleshooting integration issues. Product: OptiView XG Network Analysis Tablet Click to View 1 of 5

2 Overview IPv6 adoption is accelerating globally. Integrators, long bereft of adequate IPv6 support in IT infrastructure, are demanding feature parity to support nextgeneration network rollouts. In addition to routers, operating systems, and other standard IT infrastructure, network engineers and technicians need IPv6- capable monitoring and analysis tools. NETSCOUT OptiView XG Network Analysis Tablet, already a staple tool in many organizations, is ready. With capabilities for IPv6 network discovery, tunneling protocol identification, router advertisement analysis, and IPv6 services detection, OptiView XG is an invaluable aid in supporting IPv6 deployment, troubleshooting integration issues, and helping identify unintentional IPv6 deployment. The Review In February 2011, the Internet Assigned Numbers Authority (IANA) distributed the last five /8 (historically referred to as Class A ) IPv4 address blocks to the Regional Internet Registries (RIR). This event signaled the beginning of the end for the IPv4-based Internet and heralded the start of the global transition to the next generation Internet protocol, IPv6. Standardized in 1995, IPv6 is designed to enhance the Internet protocol and address the issue of IP resource exhaustion, but had never found significant purchase in the marketplace for a variety of economic and technology reasons. While some technology camps believed Network Address Translation (NAT) would suffice, Internet scalability requirements and the ever increasing complexity of multiple NATted environments make a compelling case for IPv6 adoption now. Despite a lack of widespread interest in IPv6, numerous organizations, including world governments, large IT product companies, major service providers, and some early adopters blazed the trail of IPv6 adoption. The Internet Engineering Task Force (IETF) developed mechanisms to support the co-existence of IPv4 and IPv6 and to mitigate some of the financial burden of migration. IT vendors incorporated support for IPv6 in many of their mainstream products. Emerging from this collective effort of the early adopters are methodologies and best practices for the secure and efficient deployment of IPv6. Nephos6, Inc. is an IPv6 and Cloud Computing Professional Services firm located in Raleigh, NC. The company was founded by a number of industry experts with significant deployment experience in IPv6 (and cloud computing). The company uses a five-stage methodology to manage the IPv6 integration effort for enterprises and service providers. The first four stages involve cultivating a common understanding of the current environment, aligning business and technical drivers, assessing the IT infrastructure and support systems for IPv6 support capability, and developing architectures and plans for deployment. The fifth stage, Implementation, sees the rollout of IPv6, in a controlled but progressive manner. The ultimate goal environment for any IPv6 adoption program is to enabled dual stack (both IPv4 and IPv6 running concurrently on the same device) on all devices throughout the organization. But the path to achieving a dual stack installation is rarely the same from organization to organization. Despite different approaches to the end state, all well-managed deployments embody these approaches: 1. Validate and test designs configurations and architectures are evaluated in isolated labs first and then systematically deployed in the production environment. 2. Manage and troubleshoot deployments nothing ever goes perfectly the first time. Invariably equipment malfunctions, human error, or Murphy s Law interfere during deployments and require systematic troubleshooting to correct. 3. Monitor for unauthorized/rogue IPv6 Devices IPv6 is supported in most modern IT devices and operating systems, enabled by default in some cases. Unintentional deployment is a security issue and needs to be monitored and managed. A critical element of the implementation process is effective tools to support these key activities. Nephos6 uses packet capture software and network analysis tools but wanted to see if the market offered a comprehensive, portable, and remotely accessible tool. Yurie Rich, chief operating officer of Nephos6 recalls, It was interesting. I interacted with NETSCOUT all the way back in 2000 when I started working with IPv6, then again sometime in 2007 or 2008 as their OptiView team was working towards JITC [Joint Interoperability Test Command] IPv6 certification. I guess it was kismet when they reached out to our CEO, Ciprian (Chip) Popoviciu, to see if we d be interested in evaluating the XG. After reviewing the OptiView XG s capabilities on paper, John Spence, vice president of IP Services at Nephos6, developed a series of trials to test OptiView XG s capabilities. John recalls, Chip, Yurie and I spent some time thinking about the commonality of the deployments we d been involved with. No two are the same, but generally you see testing in the lab, a controlled rollout (or prototype or pilot or all of these) into the production environment using one or more transition technologies, then testing and remediation of any problems. That process is continuously evolved until the organization ends up with the optimal target architecture that is operationally sound and dual-stack enabled. The OptiView XG contains a robust discovery capability, the ability to capture IPv6 tunnel traffic and identify the type of transition mechanism being used. It can also identify a number of IPv6 services types a node is offering, and an analysis of router advertisements. Collectively these features provided a valuable tool chest to support Nephos6 common requirements. 2 of 5

3 Leveraging the Network and Device Discovery Feature Figure 1 is a very simplified diagram of a typical enterprise environment. It consists of three disparate campus environments, a data center, and centralized access to the Internet. John developed a lab environment that mirrored this architecture and identified touch points to connect the OptiView XG. Most IPv6 deployments start with a prototype conducted in a lab. The first step was to leverage its discovery capability. Figure 1: Example Enterprise Architecture The lab started as IPv4-only and then IPv6 is enabled on a few devices. The OptiView XG allows both onsubnet device discovery, and through some configuration parameters, discovery of off-subnet devices as well. In IPv6 deployments, most enterprises (and service providers) will likely want a managed IPv6 address space - meaning the use of DHCPv6. Information provided by the Discovery process will verify that nodes are using properly obtained IPv6 address configuration information. The Discovery process also categorizes discovered nodes as a router, server, switch, or end node. Figure 2 is a sample screen capture of the OptiView XG Discovery user interface from the lab on one subnet. Figure 2: OptiView XG Network and Device Discovery Interface 3 of 5

4 The highlighted device is a server on this particular LAN segment. The IPv6 address space is highly diversified. In addition to having a number of address types (unicast, multicast, anycast - like IPv4), there are address scopes (such as link local - identifiable here as fe80::82c:6ff:fe55:1c2b). And, just to make things a bit more interesting, IPv6 addresses can be derived through a number of processes. Here, the upstream router is configured to use address autoconfiguration and send router advertisements to the node, which is properly configuring its IPv6 address based partly on information contained in the RA. The preference in this case is an address configured using the Extended Unique Identifier (EUI-64) process. This is verified by examining the last 64 bits, which have the hex characters FF FE placed in the middle of the MAC address. Combined with the prefix of 2001:db8:ff:70::/64,the interface created 2001:db8:ff:70:82c:6ff:fe55:1c 2b as its IPv6 address The Nephos6 team quickly recognized several benefits of the OptiView s Discovery capability: 1. Validation of on-link device IPv6 configuration recall that one of the common requirements of all IPv6 integration processes is the need to test and validate deployments. The information supplied by the OptiView XG clearly yields solid information to verify IPv6 connectivity, IPv6 address information, and, with further analysis, what specific nodes are doing in terms of open ports and service offerings. 2. Identification of rogue or unintentional IPv6 deployment certainly anytime the discovery process is run and IPv6 devices are present on the link, the OptiView XG will find and report them. 3. Remote access means remote expertise IPv6 skill sets take some time to accrue. It is not uncommon for field personnel, who do much of the heavy lifting in the IPv6 integration process, to be last on the list for IPv6 training. The remote access capability of the OptiView XG means that IPv6 savvy engineers can collaborate with field engineers to not only conduct testing and validation exercises, but also continue the IPv6 knowledge transfer process. Integrating IPv6 Once base configurations are implemented and the environment is operating as predicted, the next step is to expand the deployment to other areas of the network. In the lab example, as shown in Figure 3, IPv6 is deployed in another section of the campus and the two islands are connected with a manually configured tunnel, commonly known as a 6in4 tunnel. At each tunnel end point, the routers are dual stacked - supporting both IPv4 and IPv6 simultaneously. The IPv6-in-IPv4 tunnels are manually configured on each router. The OptiView XG is a very effective IPv6 tunneling identification tool. Figure 4 shows a screen capture of the IPv6 Tunneling Protocol user interface, which is found under the Traffic Analysis tab. In this particular example, John was able to place the OptiView XG discovery interface on a SPAN (monitor) port over which the IPv6 tunneled traffic was passing. Monitoring the traffic on that port, the OptiView XG automatically identifies the tunnel type at 6in4. The capture also identifies the tunnel end points, which is extremely important in the Figure 4: IPv6 Tunneling Protocol Screen Ca detecting and eliminating rogues scenario. With the information provided on this screen, I can identify this traffic as one of my intended deployments. If I don t recognize those endpoints, it is easy to track them down through the DDI (DHCP, DNS, IP Address Management) infrastructure and work with IT to bring those deployments under control commented John. The OptiView XG s IPv6 Discovery capability is not limited to 6in4 tunnels. It supports identification of the most widely utilized tunnels leveraged in industry today (See table below). This is exceptionally important as most modern operating systems have IPv6 enabled by default and the stacks are aggressive about obtaining IPv6 connectivity via established transition mechanisms. As an example, Windows 7 has IPv6 enabled by default and in IPv4-only environment will attempt to establish IPv6 capability via 6to4, ISATAP, and Teredo transition mechanisms. 4 of 5

5 2017 NETSCOUT. Rev: 02/02/2017 9:43 am 5 of 5