nanog mailing list archives

Re: IPV6 in enterprise best practices/white papers
From: Sander Steffann <sander () steffann nl>
Date: Sat, 26 Jan 2013 17:41:31 +0100

Hi,

> I have read many of those ipv6 documents and they are great but I
> still luck to find something like "real world" scenario.

Keep an eye on Deploy360: http://www.internetsociety.org/deploy360/ipv6/

> What I mean is that for example I want to start implementation of ipv6
> in my enterprise according to my knowledge so far
> my first step is to create address plan

Yes. I wrote a document on that for SURFnet a couple of years ago (in Dutch). The RIPE NCC translated it to English: 
http://www.ripe.net/lir-services/training/material/IPv6-for-LIRs-Training-Course/IPv6_addr_plan4.pdf

> , then implement security on routers/switches then on hosts,

You'll at least have to think about security at this point. Think about how you do security for IPv4. If you do DHCP 
snooping for IPv4 then you might want to do it for IPv6. One thing to pay attention to is Router Advertisements (RA). 
Most operating systems these days listen to RA packets and will auto-configure their IPv6 stack based on the 
information in them. Someone (accidentally or on purpose) sending wrong RAs on your LAN can cause problems. But then: 
anybody who can access your LAN can cause trouble. This is a risk you already have, but still something to think about.

> and after that I can start to create AAAA record and PTR records in DNS

Well, first you'll have to configure your systems and services to be available over IPv6. So you'll have to check the 
configurations of your web servers, DNS servers, mail servers, etc. Once you are confident that the service will work 
just as well over IPv6 as over IPv4 then add the DNS records.

First make it work, and only then add the DNS records to advertise it.

> and after that I should configure my dhcp servers

Think about whether you want a stateful DHCPv6 server (to keep track of every IPv6 address used by a system, to be able 
to do DHCP snooping on switches, etc.) or a stateless DHCPv6 server (only supplying DNS information and other 
configuration parameters, but not managing the client's addresses). If you don't do DHCP snooping now and you don't 
really care which IPv6 addresses a PC gets then stateless DHCP is fine.

> and after all has been done I can test ipv6 in LAN and

Once you start sending RAs and deploying DHCPv6 you will already have IPv6 in those LANs...

> after that I can start configure bgp with ISP.

No. *First* talk to your ISP, get address space (either from your ISP or provider independent), make an addressing 
plan, configure your firewalls and configure your backbone, then connect to your ISP, then deploy IPv6 on servers and 
clients (first on small test networks in your lab if possible), then advertise it in DNS.

> Is this correct procedure? Any thoughts? If all is correct I have a
> few questions..

> Regarding DNS, if I give a /64 to host

You give a /64 subnet to a LAN, and the systems on that LAN get addresses from that subnet.

> using SLAAC or DHCP how do I maintain PTR for this /64? I should use DDNS?

That depends. I know many organisations that don't care about reverse DNS for workstations, only for servers. Servers 
you usually give a static address, so you can configure the PTR records manually. When you use SLAAC (with optionally 
stateless DHCPv6) and you want to maintain the PTR records then you might use DDNS. If you use stateful DHCPv6 then let 
the DHCPv6 server handle the DNS updates.

> What do you use in your enterprise SLAAC or DHCP? If SLAAC why not DHCP?

I think I already answered this question above somewhere :-)

> Any other hints/tips?

Deploy on test networks first. From your questions it seems that you have little hands-on experience with IPv6. Get 
that experience first before working on your production networks. Maybe even get an IPv6 tunnel with a /48 of IPv6 
addresses from HE / tunnelbroker.net to play with in your lab. It's free and works very well, especially for getting 
experience!

Cheers,
Sander
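
The reply above singles out wrong Router Advertisements as something to watch for on the LAN. The following is an added example, not part of the original message: a Python check that parses a captured RA body and compares its source, advertised prefixes and M flag against the addressing plan. The router address, the prefixes and the `build_ra` sample generator are constructed assumptions.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3     # Prefix Information option

def parse_ra(icmp6: bytes) -> dict:
    """Parse an RA body (ICMPv6 message, IPv6 header already removed)."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40), "prefixes": []}
    pos = 16
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            packed, plen = icmp6[pos + 16:pos + 32], icmp6[pos + 2]
            ra["prefixes"].append(ipaddress.IPv6Network((packed, plen), strict=False))
        pos += opt_len
    return ra

def check_ra(src, icmp6, routers, prefixes, expect_managed):
    """Return findings for one RA; an empty list means it matches the plan."""
    ra = parse_ra(icmp6)
    findings = []
    if ipaddress.IPv6Address(src) not in routers:
        findings.append(f"RA from unexpected source {src}")
    findings += [f"unplanned prefix {n}" for n in ra["prefixes"] if n not in prefixes]
    if ra["managed"] != expect_managed:
        findings.append(f"M flag is {ra['managed']}, plan says {expect_managed}")
    return findings

def build_ra(prefix: str, managed: bool) -> bytes:
    """Construct a sample RA body for the demo (checksum left at zero)."""
    net = ipaddress.IPv6Network(prefix)
    flags = 0x80 if managed else 0x40  # M = stateful DHCPv6, O = stateless DHCPv6
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + opt + net.network_address.packed

# Assumed site plan (documentation prefix, constructed values)
ROUTERS = {ipaddress.IPv6Address("fe80::1")}
PREFIXES = {ipaddress.IPv6Network("2001:db8:10:20::/64")}

if __name__ == "__main__":
    print(check_ra("fe80::1", build_ra("2001:db8:10:20::/64", False), ROUTERS, PREFIXES, False))
    print(check_ra("fe80::bad", build_ra("2001:db8:ffff::/64", True), ROUTERS, PREFIXES, False))
```
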
