IPV6 in enterprise best practices/white papers
dougb at dougbarton.us
Tue Jan 29 19:42:02 UTC 2013
On 01/29/2013 01:09 PM, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Doug Barton" <dougb at dougbarton.us>
>>> IPv4 is mature enough that for small to medium sized networks,
>>> the answer is "you plug everything in".
>>> My appraisal of v6 is that it's an order of magnitude (or two)
>>> more complex than that, both in 'attack' surface and
>>> interoperability issues.
>>> But, I suppose, it took me a couple years to really learn IPv4
>>> That said, *having* learned IPv4 relatively well, I remain
>>> surprised that there's as much additional (perceived) complexity
>>> in v6.
>> You have perfectly illustrated one of the largest barriers to IPv6
>> adoption. You of course know that if you were to go into a
>> greenfield IPv4 deployment the answer would not be "just plug
>> everything in."
> Depends on how big your "deployment" is. For a small office -- say,
> 100 PCs or less; something that will fit in what I will catch schidt
> for referring to as a "Class C" :-) -- with a single current
> generation consumer market edge NAT router, then yes, in fact, you
> Just Plug It All In.
Well sure, but the same would be true for the equivalent IPv6 deployment.
> Yes, I realize, that approach does not apply to "being Road Runner".
>> You'd have to figure out how to split your allocated space (and/or
>> 1918 space) into reasonable networks, decide which networks get
>> DHCP, assign IP helpers, carve out p-t-p links, etc. etc. But
>> because you've done that a million times, and all the terminology
>> and factors to consider are well known to you, in effect it amounts
>> to, "just plug everything in."
> Well, no, not really. As you note, of course, most of those things
> are reflexes for most network engineering types, but certainly they
> took a while to get there.
Yes, that's precisely my point. :) No one learned IPv4 networking
overnight. But people who already know IPv4 are complaining that they
can't magically come to the same degree of competence with IPv6 without
spending any time to learn it. The irony is that people who already know
"networking" will have a much easier time learning IPv6, with a minimal
amount of extra work, but minimal != zero.
>> Whereas, with IPv6 you have most, if not all of the same factors
>> to consider, but there is some marginal added complexity around
>> things like SLAAC/RA, some different terminology, binary math in
>> hex instead of octal, network sizes are many orders of magnitude
>> larger, etc. So the net effect is that even though "under the hood"
>> it's not all that different, it all feels new and strange. And we
>> all know how humans react to things that are new and strange. :)
> I think "marginal added complexity" is probably a polite
No, it really isn't. I realize that the IPv6 zealots hate it when I say
this, but in many ways you can treat IPv6 just like IPv4 with bigger
1. Don't filter ICMPv6.
2. Treat a /64 roughly the way you'd treat a /24 in IPv4.
3. Put SLAAC on the networks you have DHCPv4 on.
4. Statically assign addresses and networks for v6 on the systems you
statically assign them on v4 (servers, etc.)
5. Neighbor Discovery (ND) replaces arp, but mostly you don't ever need
to worry about it (just like you hardly ever need to worry about arp).
Voila! You've just learned 80% of what you need to know to be successful
> my apprehension of IPv6 is that they decided they had
> to fix *lots* of problems which almost nobody actually had, *in
> addition* to fixing the one which actually was a problem: address
> In consequence of that, IPv6 feels to me like it has a bad case of
> what Fred Brooks would call Second System Syndrome.
Your assessment is correct, but the good news is that you can ignore
almost all of it. The "SLAAC vs. full-featured DHCPv6" thing is still
kind of a PITA, but it's working itself out. Beyond that, if there is a
feature of IPv6 that you're not interested in, don't use it. :)
>> My point in asking you to provide the equivalent link for IPv4 is
>> to show that there isn't one, nor could there be. You can't give
>> someone a cookie-cutter IPv4 network layout because the unique
>> factors that they have to consider will prevent that. The same is
>> true for IPv6. What you _can_ do, for both protocols, is to teach
>> people best practices around the key issues, and help and guidance
>> along the way. There are lots of lists that exist to do this with
>> v6. One of the best is ipv6-ops at lists.cluenet.de. If people are
>> interested in learning more about v6 by osmosis that's a good list
>> to lurk on. It's medium traffic, but high signal::noise, and any
>> discussions you are not interested in you can just delete.
> You seem to be suggesting, though, to drag the conversation back
> where I started it, that there is *so much new stuff* with IPv6 that
> it's difficult *even for old hats with IPv4* to learn it by analogy.
No, quite the opposite. What I'm saying is that if you already
understand how to run a network with v4 that learning the v6 terminology
and equivalent concepts, plus the few extra things that you actually do
need to manage for v6, is not that difficult. It just *seems* hard
because before you tackle it, it's all new and strange.
> If that's what you mean, then I agree with you. :-)
> (Yes, yes, I am coming late to this argument; the networks I'm
> responsible are historically relatively small. IPv6 connectivity has
> been troublesome to acquire except at the last couple.)
Roger that. Not that I'm trying to toot my own horn, but most of my
experience has been with large enterprise networks, often spanning
multiple continents, so I tend to think in those terms. The good news
for smaller shops is that if you can get it, IPv6 is pretty much "just
plug it in," very similar to how you described IPv4 for a smaller shop
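The five-point list in this message (don't filter ICMPv6, treat a /64 like a /24, static v6 addresses where v4 is static) can be turned into a small planning and audit helper. The following is an added example written for this archive page; it is not code from the original message or from NANOG. It assumes a /48 site prefix (2001:db8:1::/48, a documentation prefix) and a constructed three-VLAN IPv4 plan, and it uses one common convention for static hosts, embedding the IPv4 host octet as hex digits in the interface identifier, which is a choice, not a standard. The ICMPv6 type lists follow RFC 4890's "must not be dropped" guidance for transit and link-local traffic.

```python
import ipaddress

# Constructed sample input: one IPv4 /24 per VLAN, the way a small shop
# would already have it. The IPv6 plan gives each VLAN one /64.
V4_PLAN = {
    10: ipaddress.IPv4Network("10.0.10.0/24"),   # users, DHCPv4 -> SLAAC
    20: ipaddress.IPv4Network("10.0.20.0/24"),   # servers, static on both
    30: ipaddress.IPv4Network("10.0.30.0/24"),   # printers, DHCPv4 -> SLAAC
}

# ICMPv6 types RFC 4890 says a firewall must not drop in transit.
# Type 2 (Packet Too Big) is the one that silently breaks PMTUD when filtered.
ICMPV6_TRANSIT_REQUIRED = {
    1: "Destination Unreachable",
    2: "Packet Too Big",
    3: "Time Exceeded",
    4: "Parameter Problem",
    128: "Echo Request",
    129: "Echo Reply",
}

# Link-local types that Neighbor Discovery and MLD need on every segment.
ICMPV6_LINK_LOCAL_REQUIRED = {
    130: "Multicast Listener Query",
    131: "Multicast Listener Report",
    132: "Multicast Listener Done",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}


def plan_v6(site_prefix, vlan_ids):
    """Carve one /64 per VLAN out of a /48 site prefix (assumed size).

    The VLAN id is reused as the 16-bit subnet id, so VLAN 20 becomes
    <site>:14::/64 (0x14 == 20). That keeps the hex math legible.
    """
    site = ipaddress.IPv6Network(site_prefix)
    if site.prefixlen != 48:
        raise ValueError("this planner expects a /48 site prefix")
    base = int(site.network_address)
    plan = {}
    for vid in vlan_ids:
        if not 0 <= vid < 0x10000:
            raise ValueError("VLAN id must fit in 16 bits")
        # Subnet id occupies bits 48..63 from the top, i.e. low bits 64..79.
        plan[vid] = ipaddress.IPv6Network((base | (vid << 64), 64))
    return plan


def v6_static_for(v4_addr, v6_net):
    """Static v6 address for a host that is static on v4 (point 4 above).

    Convention used here (an assumption, not a standard): the last IPv4
    octet is written as hex digits, so 10.0.20.25 -> <net>::25.
    """
    last_octet = int(ipaddress.IPv4Address(v4_addr)) & 0xFF
    iid = int(str(last_octet), 16)
    return ipaddress.IPv6Address(int(v6_net.network_address) + iid)


def audit_icmpv6_filter(allowed_types, link_local=False):
    """Return {type: name} for required ICMPv6 types a policy fails to allow.

    `allowed_types` is the set of ICMPv6 types the firewall permits.
    With link_local=True the ND/MLD types are checked as well.
    """
    required = dict(ICMPV6_TRANSIT_REQUIRED)
    if link_local:
        required.update(ICMPV6_LINK_LOCAL_REQUIRED)
    return {t: name for t, name in required.items() if t not in allowed_types}


if __name__ == "__main__":
    plan = plan_v6("2001:db8:1::/48", V4_PLAN)
    for vid, v4 in V4_PLAN.items():
        print(f"VLAN {vid}: {v4} -> {plan[vid]}")
    print("server 10.0.20.25 ->", v6_static_for("10.0.20.25", plan[20]))
    # A policy that only lets ping through: everything else PMTUD needs is missing.
    print("missing:", audit_icmpv6_filter({128, 129}, link_local=True))
```

The audit function is the defensive check behind point 1: rather than "allow all ICMPv6", it lets you verify that a more selective policy still passes the types that IPv6 cannot work without.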