NANOG mailing list archives

Re: IPV6 in enterprise best practices/white papers
From: Seth Mos <seth.mos () dds nl>
Date: Sat, 26 Jan 2013 22:30:43 +0100


On 26 Jan 2013, at 18:47, William Herrin wrote:

> On Sat, Jan 26, 2013 at 4:26 AM, Pavel Dimow <paveldimow () gmail com> wrote:
>> I can start to create
>> AAAA record and PTR records in DNS and after that I should configure my
>> dhcp servers and after all has been done I can test ipv6 in LAN and
>> after that I can start configuring bgp with the ISP.
>> Is this correct procedure?
>
> Nope.
>
> In their infinite(simal) wisdom the architects of IPv6 determined that
> a host configured with both a global scope IPv6 address and an IPv4
> address will attempt IPv6 in preference to IPv4. If you configure IPv6
> on a LAN without first installing your IPv6 Internet connection, that
> LAN will break horribly.
>
> Work your way from the outside in: start with BGP, then the interior
> routers and configure the LAN last.

+3

That's what I did too, it works the best, you really need to make sure that the connectivity you turn up actually works. I started with the internet connections, and luckily HE.net also offers free BGP tunnels for PI connectivity, which will do in a pinch, and you can still maintain redundancy if only 1 ISP can actually do native yet.

From there I started with the firewalls and routers, dual stacked those first. I then did some servers, some Linux, some Windows. DNS was first, then email. I wish more ISPs dual stacked their email servers, they are prime candidates because nothing dies instantly and delivery is retried. It seems so obvious, and everybody is focusing on port 80, weird. Email for offices also seems like the prime candidate for end-to-end for businesses. More than websites.

I still see plenty of companies hosting their own email.

Oh, and if you add an IPv6 address on an AD server, do all of them at once. Because IPv6 is preferred, they will all try that single server with an IPv6 address. That is address preference for you!

So make sure that for some of the steps you deploy it just like IPv4, not a little bit, but all the way.

Add all the IPv6 addressing to your monitoring before going any further. You don't want to fly this blind. We use Nagios, it works well enough, I can't see BGP table size, but I can monitor next hop with ping6, so that worked fine.

The clients still don't have IPv6, but everybody browses the net via a dual stack squid proxy, so they didn't even notice. At some point in 2013 the clients will get an IPv6 address too, DHCPv6 only, no autoconfig for management reasons.

Not that the clients can actually get out to the internet, they can't now with IPv4, so no change there.

Regards,

Seth
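The address-preference behaviour both posters describe (a host that holds a global IPv6 address starts preferring AAAA answers whether or not the IPv6 path upstream works, and a domain controller that gets IPv6 before its peers draws all the IPv6 traffic) comes from RFC 6724 destination address selection. The following is an added illustration, not code from this thread or from any poster: a simplified Python model of the RFC 6724 default policy table and destination ordering rules 1, 2, 5, 6, 8 and 9. The sample addresses are constructed documentation ranges, and the source-selection step is a deliberate simplification of the RFC (same family, usable scope, matching label, longest common prefix).

```python
"""Simplified RFC 6724 destination address ordering (added example, not from the thread).

Shows why a host that is handed a global IPv6 address on the LAN immediately prefers
AAAA records: selection only looks at the addresses the host holds, never at whether
the upstream IPv6 path actually works. Constructed sample addresses only.
"""
import ipaddress
from ipaddress import IPv6Address, IPv6Network

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label)
POLICY_TABLE = [
    (IPv6Network("::1/128"), 50, 0),
    (IPv6Network("::/0"), 40, 1),
    (IPv6Network("::ffff:0:0/96"), 35, 4),   # IPv4-mapped, i.e. plain IPv4
    (IPv6Network("2002::/16"), 30, 2),       # 6to4
    (IPv6Network("2001::/32"), 5, 5),        # Teredo
    (IPv6Network("fc00::/7"), 3, 13),        # ULA
    (IPv6Network("::/96"), 1, 3),
    (IPv6Network("fec0::/10"), 1, 11),
    (IPv6Network("3ffe::/16"), 1, 12),
]


def to_v6(text):
    """Parse an address; IPv4 is represented as IPv4-mapped IPv6, as RFC 6724 does."""
    ip = ipaddress.ip_address(text)
    return IPv6Address(f"::ffff:{ip}") if ip.version == 4 else ip


def policy(addr):
    """Longest-prefix lookup in the policy table -> (precedence, label)."""
    matches = [(net, prec, lab) for net, prec, lab in POLICY_TABLE if addr in net]
    _, prec, lab = max(matches, key=lambda e: e[0].prefixlen)
    return prec, lab


def scope(addr):
    """Scope value as used by RFC 6724: 0x2 link-local, 0x5 site-local, 0xE global."""
    v4 = addr.ipv4_mapped
    if v4 is not None:
        return 0x2 if (v4.is_loopback or v4.is_link_local) else 0xE
    if addr.is_loopback or addr.is_link_local:
        return 0x2
    if addr.is_multicast:
        return (int(addr) >> 112) & 0xF
    if addr in IPv6Network("fec0::/10"):
        return 0x5
    return 0xE


def common_prefix_len(a, b, limit=64):
    """Leading bits shared by two IPv6 addresses, capped at 64 (a common simplification)."""
    diff = int(a) ^ int(b)
    n = 0
    for bit in range(127, 127 - limit, -1):
        if (diff >> bit) & 1:
            break
        n += 1
    return n


def choose_source(dest, sources):
    """Simplified source selection: same family, usable scope, matching label, longest prefix."""
    family = [s for s in sources if (s.ipv4_mapped is None) == (dest.ipv4_mapped is None)]
    if not family:
        return None  # no source at all -> rule 1 treats the destination as unusable

    def key(s):
        return (0 if scope(s) >= scope(dest) else 1,
                0 if policy(s)[1] == policy(dest)[1] else 1,
                -common_prefix_len(s, dest))
    return min(family, key=key)


def select_destinations(destinations, sources):
    """Order candidate destinations the way a dual-stack host would (rules 1, 2, 5, 6, 8, 9)."""
    srcs = [to_v6(s) for s in sources]

    def key(text):
        d = to_v6(text)
        s = choose_source(d, srcs)
        if s is None:
            return (1, 0, 0, 0, 0, 0)                  # rule 1: unusable destinations go last
        prec, label = policy(d)
        return (0,
                0 if scope(d) == scope(s) else 1,      # rule 2: prefer matching scope
                0 if label == policy(s)[1] else 1,     # rule 5: prefer matching label
                -prec,                                 # rule 6: prefer higher precedence
                scope(d),                              # rule 8: prefer smaller scope
                -(common_prefix_len(d, s) if d.ipv4_mapped is None else 0))  # rule 9
    return sorted(destinations, key=key)               # rule 10: stable, keeps resolver order


if __name__ == "__main__":
    answers = ["2001:db8::10", "198.51.100.10"]       # constructed AAAA + A for one name
    for label, held in [("IPv4 only", ["192.0.2.5"]),
                        ("IPv4 + link-local v6", ["192.0.2.5", "fe80::1"]),
                        ("IPv4 + ULA", ["192.0.2.5", "fd00::5"]),
                        ("IPv4 + global v6", ["192.0.2.5", "2001:db8:1::5"])]:
        print(f"{label:22s} -> tries {select_destinations(answers, held)[0]} first")
```

The last case is the one the thread warns about: nothing in the ordering asks whether a route to 2001:db8::10 exists, so the moment a LAN host acquires a global address it tries IPv6 first and waits for a timeout if the upstream is not there yet. ULA or link-local addresses alone do not flip the preference, which is why the advice is to turn up the BGP session and monitoring (ping6 to the next hop, as above) before handing out global addresses.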
