NETWizz
Well, I have been strongly considering the migration to IPv6 in a dual-protocol stack at work, where we have at least 5,000 computers. I know what you are thinking... Windows Vista, 7, 8, 8.1, 10, Mac, etc. ALL have IPv6 turned on and an IP address. IPv6 is NOT a replacement... it is a completely new protocol to run alongside IPv4 for probably the rest of our lives.
Well, you are correct, but the IP addresses they all have are Link-Local addresses, which are roughly equivalent to the 169.254.x.x addresses Windows boxes automatically generate. Simply put, they work on a Local Area Network because the network portions match and the host portions are unique.
***************
For those of you unaware, IPv4 is 0.0.0.0 through 255.255.255.255, though admittedly there are plenty of other rules and tricks for classless interdomain routing, variable-length subnet masks, NATing, etc. They are 32-bit addresses.
IPv6 Addresses are NOT simply six octets... No, they are 128 bits; hence, if they were expressed in dotted decimal it would be 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 to 255.255.255.255.255.255.255.255.255.255.255.255.255.255.255.255
But instead we use Hex and colons
Hence: 0000:0000:0000:0000:0000:0000:0000:0000 to FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
Now, leading 0's are removed, so if you had 0000:0000:0000:0000:0000:0000:0000:0001 you could write it as 0:0:0:0:0:0:0:1
Now, anytime you have multiple groups of 0's, you can collapse this exactly once into a ::
Hence 0:0:0:0:0:0:0:1 could be most succinctly written as ::1
************************
Now, I want you to keep in mind why IPv6 is great is that it runs TCP, UDP and virtually every other Layer-4 protocol that worked on IPv4. What we will have are applications that support both for a long, long time... and antiquated applications should be straight-forward for developers to add in IPv6 support to carry out all of its network tasks.
Now, the vast majority of you know how to subnet, where you are basically specifying the network portion and host portion of a network. Many of you are probably used to the infamous 255.0.0.0, 255.255.0.0, and the 255.255.255.0 masks used on most common public/private networks... though the vast majority of network admins balk at masks like 255.255.128.0, 255.255.192.0, 255.255.224.0... After a while these become second nature for those who deal with this crap every day... they eventually just recognize their 128, 192, 224, 240, 248, 252, 254, and 255 without thinking about it, and the wildcard masks and CIDR notation become second nature too.
Suffice it to say we would rather represent 10.1.2.3/255.255.240.0 as 10.1.2.3/20 and we are well aware of quick mental tricks that if 255.255.240.0 is /20 then 255.240.0.0 would be /12 (you subtract 8)
*********************
The reason I bring this up is that IPv4 has a LOT of design flaws that bother me like the WAY DHCP can assign different IP addresses necessitating reservations OR static IP addresses on servers. How much of a PITA it is to change a subnet scheme or merge two organizations together with overlapping address space (i.e. if both use 10.x.x.x... it's a real blast combining the networks). Then you have NAT, which is a life-saver to IPv4... It is allowing us to have one (1) Internet IP at home or at work. Heck, we have 5,000 computers at work on the same Internet IP, BUT it breaks true end-to-end connectivity. I otherwise have to setup translation addresses, port forwarding, etc. to make stuff work. Basically, everything is a Band-Aid for poor design.
Meanwhile you have Sliding-window, Checksums, Broadcasts, ARP poisoning, etc... cannot find the default-gateway unless someone sets it or DHCP configures it, and the list grows. Ultimately, IPv6 addresses ALL of these shortcomings and more!
Alright, so I mentioned CIDR masks. With IPv6, even the delineators (/'s) are /16, /32, /48, /56, /64 ... /128
What I like:
1. The ISP provides an organization a /48 which is the first three sets. Hence, they may give you something like 201:DB8:ACAD... From here you are recommended to subnet to /64. Hence you have 201:DB8:ACAD:0::/64 through 201:DB8:ACAD:FFFF::/64 to specify your networks!
2. This leaves you with /64 less to address on every LAN! You may ask, "Why do I need an address space 4-billion times bigger than the entire IPv4 Internet?" Simple answer is DHCP has been revamped to not only be a two-way communication like it already is, but it ONLY provides the network/subnet information. The HOST generates its own HOST portion based on its MAC address and reports that back to DHCP, which records the lease and can dynamically update DNS with a new AAAA record.
If your MAC address is 11-22-33-44-55-66 it adds FFFE in the middle, hence 1122:33FF:FE44:5566 is the rest of the IP, so the computer above on the 1st subnet would become 201:DB8:ACAD:1:1122:33FF:FE44:5566. No matter how long you have it offline, or lock it in a closet, when you set it up, it again gets the SAME IP. No more static IPs or reservations really needed unless you really want to create extra work overriding this.
3. ARP has been replaced with Neighbor Discovery Protocol, which is built into the protocol. It is more efficient and more secure. Switches will NOT have to work so hard to find LAN neighbors.
4. Now what's really awesome is the way there is a Gateway or Router discovery protocol. Think of it like a routing protocol similar to OSPF that simply advertises the presence of the network's default-gateway!
5. IPv6 no longer has CRC check sequences in the header but leaves the error checking to Ethernet and higher protocols such as TCP. Simply put, networks are more reliable than ever and not having routers verifying checksum vastly reduces latency!
6. IPv6 summarizes much nicer in routing tables, keeping them much smaller and therefore more efficient and easier to troubleshoot.
7. NAT in IPv4 more or less MUST be used to reserve IP addresses. It is what we all use to convert our 192.168/16, 172.16/12 or 10.0.0.0/8 networks to the Internet. Looking above, this is completely unique: 201:DB8:ACAD:1:1122:33FF:FE44:5566... it is perfect for both inside and external use to the Internet.
8. I know everyone balks saying NAT is for security, but it really is not. A firewall can just as easily control traffic and security with or without a NAT.
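As an added example that is not part of the post, this builds the address the way the RFC 4291 modified EUI-64 rule does: FF:FE goes between the two MAC halves and the universal/local bit (0x02) of the first octet is inverted, so 11-22-33-44-55-66 yields 1322:33FF:FE44:5566 rather than 1122:...; the ipaddress module then applies the leading-zero and :: compression rules from earlier in the post. It uses the post's example prefix 201:DB8:ACAD::/48 and adds a reverse helper showing how an EUI-64 address leaks the hardware MAC, which is why current hosts default to RFC 7217 or privacy-extension identifiers instead.

```python
import ipaddress


def eui64_iid(mac: str) -> str:
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A) from a MAC.

    Split the 48-bit MAC in half, insert FF:FE between the halves, and invert
    the universal/local bit (0x02) of the first octet.
    """
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal <-> local bit flip
    return ":".join(f"{eui[i] << 8 | eui[i + 1]:x}" for i in range(0, 8, 2))


def slaac_address(prefix48: str, subnet_id: int, mac: str) -> str:
    """<48-bit site prefix>:<16-bit subnet id>:<EUI-64 IID>, compressed form."""
    site = ipaddress.IPv6Network(prefix48, strict=True)
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits (0..FFFF)")
    # Subnet id occupies bits 64..79, i.e. the fourth hextet.
    subnet = ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))
    iid = int(ipaddress.IPv6Address("::" + eui64_iid(mac)))
    # str() applies the leading-zero removal and single :: compression rules.
    return str(ipaddress.IPv6Address(int(subnet.network_address) | iid))


def mac_from_eui64_address(addr: str):
    """Recover the MAC embedded in an EUI-64 address, or None if the low 64
    bits do not carry the FF:FE marker. A non-None result means the host is
    advertising its hardware address to every peer it talks to."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = bytearray(iid.to_bytes(8, "big"))
    if raw[3:5] != b"\xff\xfe":
        return None
    raw[0] ^= 0x02  # undo the u/l bit flip
    return "-".join(f"{b:02X}" for b in raw[:3] + raw[5:])


if __name__ == "__main__":
    # Constructed inputs: the post's example prefix and MAC.
    addr = slaac_address("201:db8:acad::/48", 1, "11-22-33-44-55-66")
    print(addr)                          # 201:db8:acad:1:1322:33ff:fe44:5566
    print(mac_from_eui64_address(addr))  # 11-22-33-44-55-66
```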
*****************************************************************
What I am doing is petitioning our ISP, AT&T we use at work for an Internet Routable /48... Then I am just going to subnet with 0, 1, 2, 3, 4 etc up to /64 and leave the rest for hosts. While this is a HUGE waste of space, it is best practice. I think I will use the "0" subnet for the WAN-side of our network. Hence the entire backbone can be connected on one subnet... and AT&T can do our mesh routing between all our sites.
I need only tie some IPv6 IPs to our firewall interfaces and set each Gateway (LAN SIDE) with a different subnet such as 1, 2, 3, 4 ... all the way to FFFF not that we will need 65k subnets, ever!
Then I simply need to enable DHCPv6 and populate the scopes... need to set the IPv6 helpers on the routers, and that should do it. Every computer should then have a unique Internet Routable IPv6 as well as a Link-Local IPv6.
Then I need only make a default rule on the firewall that allows our DNS servers to query via IPv6 to others... and allows our computers to talk outside on IPv6 at least for HTTP & HTTPS.
I think it will REALLY set us up thinking forward for the future.