IPv6 in enterprise best practices/white papers

Sander Steffann sander at steffann.nl
Sat Jan 26 16:41:31 UTC 2013


> I have read many of those IPv6 documents and they are great, but I
> still fail to find something like a "real world" scenario.

Keep an eye on Deploy360: http://www.internetsociety.org/deploy360/ipv6/

> What I mean is that, for example, I want to start implementation of IPv6
> in my enterprise. According to my knowledge so far,
> my first step is to create an address plan

Yes. I wrote a document on that for SURFnet a couple of years ago (in Dutch). The RIPE NCC translated it to English: http://www.ripe.net/lir-services/training/material/IPv6-for-LIRs-Training-Course/IPv6_addr_plan4.pdf

> , then implement security on routers/switches, then on hosts,

You'll at least have to think about security at this point. Think about how you do security for IPv4. If you do DHCP snooping for IPv4 then you might want to do it for IPv6. One thing to pay attention to is Router Advertisements (RA). Most operating systems these days listen to RA packets and will auto-configure their IPv6 stack based on the information in them. Someone (accidentally or on purpose) sending wrong RAs on your LAN can cause problems. But then: anybody who can access your LAN can cause trouble. This is a risk you already have, but still something to think about.

> and after that I can start to create AAAA records and PTR records in DNS

Well, first you'll have to configure your systems and services to be available over IPv6. So you'll have to check the configurations of your web servers, DNS servers, mail servers, etc. Once you are confident that the service will work just as well over IPv6 as over IPv4 then add the DNS records.

First make it work, and only then add the DNS records to advertise it.

> and after that I should configure my DHCP servers

Think about whether you want a stateful DHCPv6 server (to keep track of every IPv6 address used by a system, to be able to do DHCP snooping on switches, etc.) or a stateless DHCPv6 server (only supplying DNS information and other configuration parameters, but not managing the clients' addresses). If you don't do DHCP snooping now and you don't really care which IPv6 addresses a PC gets, then stateless DHCP is fine.

> and after all has been done I can test IPv6 in the LAN and

Once you start sending RAs and deploying DHCPv6 you will already have IPv6 in those LANs...

> after that I can start configuring BGP with my ISP.

No. *First* talk to your ISP, get address space (either from your ISP or provider independent), make an addressing plan, configure your firewalls and configure your backbone, then connect to your ISP, then deploy IPv6 on servers and clients (first on small test networks in your lab if possible), then advertise it in DNS.

> Is this the correct procedure? Any thoughts? If all is correct I have a
> few questions..
> Regarding DNS, if I give a /64 to a host

You give a /64 subnet to a LAN, and the systems on that LAN get addresses from that subnet.

> using SLAAC or DHCP, how do I maintain PTR records for this /64? Should I use DDNS?

That depends. I know many organisations that don't care about reverse DNS for workstations, only for servers. Servers you usually give a static address, so you can configure the PTR records manually. When you use SLAAC (with optionally stateless DHCPv6) and you want to maintain the PTR records then you might use DDNS. If you use stateful DHCPv6 then let the DHCPv6 server handle the DNS updates.

> What do you use in your enterprise, SLAAC or DHCP? If SLAAC, why not DHCP?

I think I already answered this question above somewhere :-)

> Any other hints/tips?

Deploy on test networks first. From your questions it seems that you have little hands-on experience with IPv6. Get that experience first before working on your production networks. Maybe even get an IPv6 tunnel with a /48 of IPv6 addresses from HE / tunnelbroker.net to play with in your lab. It's free and works very well, especially for getting experience!
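
Added example, not part of Sander's reply or the original question: a Python script that parses ICMPv6 Router Advertisements, reports what the M, O and A flags instruct a host to do (SLAAC only, SLAAC plus stateless DHCPv6, or stateful DHCPv6, the choice discussed above), and flags any RA that does not match an assumed per-LAN policy, which is the check a rogue-RA detector or a verification run after enabling RA Guard would perform. The router link-local address, MAC, prefix and DNS server in the policy and the three sample RAs are constructed values, not captures.

```python
"""Rogue-RA check, constructed example (not from the original post).

Parses ICMPv6 Router Advertisements (RFC 4861; RDNSS option per RFC 8106), reports
which address-configuration mode the M/O/A flags tell hosts to use, and compares
each RA with an assumed per-LAN policy.  Sample RAs are built inline (not real
captures); checksums stay zero because the IPv6 pseudo-header is not modelled.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25


def parse_ra(payload: bytes) -> dict:
    """Decode the RA header and the options a host acts on."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHII", payload[4:16])
    ra = {"managed": bool(flags & 0x80),   # M: addresses come from stateful DHCPv6
          "other": bool(flags & 0x40),     # O: DNS etc. come from (stateless) DHCPv6
          "router_lifetime": lifetime, "src_mac": None, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option: RFC 4861 says discard the packet")
        opt = payload[off:off + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((opt[16:32], plen), strict=False),
                "onlink": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),   # A: hosts may SLAAC from it
                "valid": valid, "preferred": preferred})
        elif otype == OPT_RDNSS and olen >= 3:
            for i in range(8, olen * 8, 16):
                ra["rdnss"].append(ipaddress.IPv6Address(opt[i:i + 16]))
        off += olen * 8
    return ra


def address_mode(ra: dict) -> str:
    """What the M, O and A flags instruct a host to do (RFC 4861 section 4.2)."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "stateful DHCPv6" + (" + SLAAC" if slaac else "")
    if ra["other"]:
        return "SLAAC + stateless DHCPv6" if slaac else "stateless DHCPv6 only"
    return "SLAAC only" if slaac else "no address configuration"


def check_ra(src_ip: str, ra: dict, policy: dict) -> list:
    """Findings for one RA against the LAN policy; an empty list means it conforms."""
    findings = []
    if ipaddress.IPv6Address(src_ip) not in policy["routers"]:
        findings.append(f"RA from unexpected router {src_ip}")
    if ra["src_mac"] and ra["src_mac"] not in policy["router_macs"]:
        findings.append(f"unexpected source MAC {ra['src_mac']}")
    for p in ra["prefixes"]:
        if p["prefix"] not in policy["prefixes"]:
            findings.append(f"unexpected prefix {p['prefix']}")
    for d in ra["rdnss"]:
        if d not in policy["dns"]:
            findings.append(f"unexpected RDNSS server {d}")
    if (ra["managed"], ra["other"]) != policy["mo_flags"]:
        findings.append(f"M/O flags {int(ra['managed'])}/{int(ra['other'])} differ from policy")
    return findings


def build_ra(m: bool, o: bool, prefix: str, autonomous: bool, src_mac: str, dns=()) -> bytes:
    """Assemble a constructed RA for testing: header, SLLA, PIO, optional RDNSS."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    pkt += struct.pack("!BB", OPT_SRC_LLADDR, 1) + bytes.fromhex(src_mac.replace(":", ""))
    net = ipaddress.IPv6Network(prefix)
    pflags = 0x80 | (0x40 if autonomous else 0)
    pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                       2592000, 604800, 0) + net.network_address.packed
    if dns:
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 1800)
        pkt += b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return pkt


# Assumed policy for one LAN: SLAAC for addresses, stateless DHCPv6 for DNS (M=0, O=1).
POLICY = {"routers": {ipaddress.IPv6Address("fe80::1")},
          "router_macs": {"00:11:22:33:44:55"},
          "prefixes": {ipaddress.IPv6Network("2001:db8:1:2::/64")},
          "dns": {ipaddress.IPv6Address("2001:db8:1:1::53")},
          "mo_flags": (False, True)}

# Constructed "captures": (source link-local address, ICMPv6 payload).
LEGIT_RA = ("fe80::1", build_ra(False, True, "2001:db8:1:2::/64", True,
                                "00:11:22:33:44:55", ["2001:db8:1:1::53"]))
ROGUE_RA = ("fe80::bad", build_ra(False, True, "2001:db8:dead::/64", True,
                                  "de:ad:be:ef:00:01", ["2001:db8:dead::53"]))
STATEFUL_RA = ("fe80::1", build_ra(True, True, "2001:db8:1:2::/64", False,
                                   "00:11:22:33:44:55"))

if __name__ == "__main__":
    for name, (src, payload) in [("legit", LEGIT_RA), ("rogue", ROGUE_RA), ("stateful", STATEFUL_RA)]:
        ra = parse_ra(payload)
        print(f"{name}: mode={address_mode(ra)!r} findings={check_ra(src, ra, POLICY)}")
```

The rogue RA trips four findings (source address, source MAC, prefix and DNS server); the stateful one is from the right router but its M flag contradicts a policy that expects SLAAC, which is exactly the case where a misconfigured second router silently changes how every host on the LAN gets its addresses. Host-side detection like this complements, but does not replace, dropping unauthorised RAs at the switch port with RA Guard (RFC 6105).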

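Added example, not from the original post, for the reverse-DNS question: Python helpers that derive the ip6.arpa zone a /64 LAN needs delegated, the PTR owner name of any address in it, the EUI-64 address SLAAC derives from a MAC, and the text of an nsupdate run for the DDNS route mentioned in the reply. The prefix 2001:db8:1:2::/64, the MAC, the hostname and the name server are assumed values.

```python
"""Reverse-DNS helpers for an IPv6 /64, constructed example (not from the original post).

Builds the ip6.arpa zone name for a nibble-aligned prefix, the PTR owner name for an
address, the EUI-64 interface identifier SLAAC derives from a MAC (RFC 4291 appendix A),
and an nsupdate script body for a dynamic DNS update.  Zone, prefix and names below are
assumed values.
"""
import ipaddress


def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone for a prefix cut on a nibble boundary; a /64 gives 16 labels."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zones must be cut on a nibble (4-bit) boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_name(address: str) -> str:
    """Full 32-label PTR owner name (absolute, with trailing dot) for one address."""
    return ipaddress.IPv6Address(address).reverse_pointer + "."


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address from a /64 and a MAC: flip the U/L bit, insert ff:fe in the middle.
    Only predictable for hosts using EUI-64 IIDs; privacy (RFC 8981) or stable-random
    (RFC 7217) IIDs, the default on most current systems, cannot be derived this way."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(b) != 6:
        raise ValueError("MAC must be 48 bits")
    b[0] ^= 0x02                                   # universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def nsupdate_script(name_server: str, fqdn: str, address: str, ttl: int = 300) -> str:
    """Body for `nsupdate -k <key>` that replaces the PTR and AAAA for one host.
    PTR and AAAA live in different zones, so each gets its own `send`.  With stateful
    DHCPv6 the DHCP server usually issues these updates itself; this is the SLAAC path."""
    addr = ipaddress.IPv6Address(address)
    rev = addr.reverse_pointer + "."
    return "\n".join([
        f"server {name_server}",
        f"update delete {rev} PTR",
        f"update add {rev} {ttl} PTR {fqdn}",
        "send",
        f"update delete {fqdn} AAAA",
        f"update add {fqdn} {ttl} AAAA {addr.compressed}",
        "send",
        "",
    ])


if __name__ == "__main__":
    lan = "2001:db8:1:2::/64"                      # assumed LAN prefix
    host = eui64_address(lan, "00:11:22:33:44:55")  # assumed workstation MAC
    print("reverse zone:", reverse_zone(lan))
    print("PTR owner:   ", ptr_name(str(host)))
    print(nsupdate_script("ns1.example.com", "ws42.example.com.", str(host)))
```

The zone name is what you ask the ISP (or your own LIR-level zone) to delegate, and the PTR owner must end in it, which the test below checks; the nsupdate text is what a DDNS client or a small agent on the host would feed to `nsupdate` with a TSIG key.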

More information about the NANOG mailing list