nanog mailing list archives

Re: IPV6 in enterprise best practices/white papers
From: Owen DeLong <owen () delong com>
Date: Tue, 29 Jan 2013 13:55:36 -0800


>>> Whereas, with IPv6 you have most, if not all of the same factors
>>> to consider, but there is some marginal added complexity around
>>> things like SLAAC/RA, some different terminology, binary math in
>>> hex instead of octal, network sizes are many orders of magnitude
>>> larger, etc. So the net effect is that even though "under the hood"
>>> it's not all that different, it all feels new and strange. And we
>>> all know how humans react to things that are new and strange. :)

>> I think "marginal added complexity" is probably a polite
>> understatement;

> No, it really isn't. I realize that the IPv6 zealots hate it when I say
> this, but in many ways you can treat IPv6 just like IPv4 with bigger
> addresses.


I'm a pretty well known IPv6 zealot and I completely agree with you.

> 1. Don't filter ICMPv6.
> 2. Treat a /64 roughly the way you'd treat a /24 in IPv4.

Actually, I'd say treat a /64 roughly the way you'd treat any sized subnet
in IPv4, whether it's a /24, a /31, or something in between or even a really
large IPv4 single network such as a /22.

If it's an IPv4 /32, then think IPv6 /128.

> 3. Put SLAAC on the networks you have DHCPv4 on.
> 4. Statically assign addresses and networks for v6 on the systems you
> statically assign them on v4 (servers, etc.)
> 5. Neighbor Discovery (ND) replaces arp, but mostly you don't ever need
> to worry about it (just like you hardly ever need to worry about arp).

> Voila! You've just learned 80% of what you need to know to be successful
> with IPv6.

Agreed. The remainder has to do with:

1. Understanding and configuring RDNSS support if you're going to use SLAAC.
2. Understanding and configuring DHCPv6 if you want to use that.
3. Managing AAAA records and dealing with ip6.arpa (nearly identical to A and in-addr.arpa)
4. IPv6 routing protocols (if you are in a larger environment)
5. Security policies that are more complex than simply default-deny-all-inbound/permit-outbound.

There's really not a whole lot else one needs to learn for most environments.

> No, quite the opposite. What I'm saying is that if you already
> understand how to run a network with v4 that learning the v6 terminology
> and equivalent concepts, plus the few extra things that you actually do
> need to manage for v6, is not that difficult. It just *seems* hard
> because before you tackle it, it's all new and strange.


I 100% agree with this summary.

Owen
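One concrete form of "don't filter ICMPv6" together with a default-deny-inbound / permit-outbound policy written the same way for both address families. This is an added example for the thread, not configuration posted by any of its participants. Assumed for illustration: a host or small edge firewall running nftables, the interface name eth0, the RFC 5737 / RFC 3849 documentation prefixes 192.0.2.0/24 and 2001:db8:1:10::/64, and a management host at .25 / ::25. The ICMPv6 allow-list follows the RFC 4890 recommendations; the hop-limit test on Neighbor Discovery follows RFC 4861.

```nft
#!/usr/sbin/nft -f
# Added example for this thread, not a participant's configuration.
# Host/edge policy: default-deny inbound, permit outbound, for IPv4 and IPv6
# alike. The only family-specific part is the ICMPv6 allow-list: IPv6 cannot
# run without Neighbor Discovery and Path MTU Discovery, and both are ICMPv6.
# Assumed for illustration: interface eth0, documentation prefixes
# 192.0.2.0/24 and 2001:db8:1:10::/64, management host .25 / ::25.

define lan_if = "eth0"
define mgmt4  = 192.0.2.25
define mgmt6  = 2001:db8:1:10::25

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # IPv4: the ICMP errors plus echo. IPv4 survives stricter filtering,
        # which is exactly why copying a "drop all ICMP" rule to v6 is the
        # classic mistake.
        icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept

        # IPv6, part 1: error and echo messages. packet-too-big is Path MTU
        # Discovery; drop it and large transfers stall while small ones work.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # IPv6, part 2: Neighbor Discovery (the ARP replacement) and Router
        # Advertisements for SLAAC. ND must arrive with hop limit 255
        # (RFC 4861), so anything else claiming to be ND is off-link and is
        # left to the drop policy. Rogue RAs on the link are a switch-level
        # problem (RA Guard), not something this host rule can solve.
        iifname $lan_if icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 accept

        # IPv6, part 3: MLD, which ND and SLAAC need for solicited-node
        # multicast. Always sourced from a link-local address.
        iifname $lan_if icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction } ip6 saddr fe80::/10 accept

        # Only if DHCPv6 is used in addition to SLAAC: the client's request goes
        # to a multicast group, so conntrack does not match the unicast reply
        # from the server's or relay's link-local address.
        iifname $lan_if ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

        # From here on the policy reads identically for both families.
        ip  saddr $mgmt4 tcp dport 22 accept
        ip6 saddr $mgmt6 tcp dport 22 accept
        tcp dport { 80, 443 } accept

        # Everything else hits the chain policy (drop); log a sample of it.
        limit rate 5/second log prefix "inet-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and inspect with `nft list ruleset`. The two ICMPv6 sets are the part that a blanket "drop ICMPv6" rule silently breaks: without the first, PMTUD fails; without the second, the host cannot resolve neighbours or learn its prefix, which is the v6 equivalent of dropping ARP.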


