IPV6 in enterprise best practices/white papers

Owen DeLong owen at delong.com
Tue Jan 29 21:55:36 UTC 2013


> 
>>> Whereas, with IPv6 you have most, if not all of the same factors
>>> to consider, but there is some marginal added complexity around
>>> things like SLAAC/RA, some different terminology, binary math in
>>> hex instead of octal, network sizes are many orders of magnitude
>>> larger, etc. So the net effect is that even though "under the hood"
>>> it's not all that different, it all feels new and strange. And we
>>> all know how humans react to things that are new and strange. :)
>> 
>> I think "marginal added complexity" is probably a polite
>> understatement;
> 
> No, it really isn't. I realize that the IPv6 zealots hate it when I say
> this, but in many ways you can treat IPv6 just like IPv4 with bigger
> addresses.
> 

I'm a pretty well known IPv6 zealot and I completely agree with you.

> 1. Don't filter ICMPv6.
> 2. Treat a /64 roughly the way you'd treat a /24 in IPv4.

Actually, I'd say treat a /64 roughly the way you'd treat any sized subnet
in IPv4, whether it's a /24, a /31, or something in between or even a really
large IPv4 single network such as a /22.

If it's an IPv4 /32, then think IPv6 /128.

> 3. Put SLAAC on the networks you have DHCPv4 on.
> 4. Statically assign addresses and networks for v6 on the systems you
> statically assign them on v4 (servers, etc.)
> 5. Neighbor Discovery (ND) replaces arp, but mostly you don't ever need
> to worry about it (just like you hardly ever need to worry about arp).
> 
> Voila! You've just learned 80% of what you need to know to be successful
> with IPv6.

Agreed. The remainder has to do with:

1. Understanding and configuring RDNSS support if you're going to use SLAAC.
2. Understanding and configuring DHCPv6 if you want to use that.
3. Managing AAAA records and dealing with ip6.arpa (nearly identical to A and in-addr.arpa)
4. IPv6 routing protocols (if you are in a larger environment)
5. Security policies that are more complex than simply default-deny-all-inbound/permit-outbound.

There's really not a whole lot else one needs to learn for most environments.

> No, quite the opposite. What I'm saying is that if you already
> understand how to run a network with v4 that learning the v6 terminology
> and equivalent concepts, plus the few extra things that you actually do
> need to manage for v6, is not that difficult. It just *seems* hard
> because before you tackle it, it's all new and strange.
> 

I 100% agree with this summary.

Owen
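A host policy that follows points 1 and 5 of the lists above (don't filter ICMPv6; an inbound policy slightly richer than plain default-deny), added here as an illustration rather than taken from the thread. It assumes Linux nftables on a dual-stack host that serves only SSH and HTTPS; change the port set to match the host's role.

```nftables
# Added example (not from the thread): nftables policy for a dual-stack host.
# Default-deny inbound / permit outbound, but ICMPv6 is never blanket-dropped:
# Neighbor Discovery (the ND that replaces ARP) and Path MTU Discovery are
# both carried in ICMPv6. Assumed open services: SSH (22) and HTTPS (443).
table inet host_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 error and diagnostic messages. Dropping packet-too-big
        # silently breaks PMTUD for every IPv6 flow through this host.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } accept

        # Neighbor Discovery (RFC 4861). Legitimate ND is link-local and is
        # always sent with hop limit 255, so anything routed in is not ND.
        # RAs must be accepted for SLAAC (point 3); rogue RAs are a problem
        # to control on the switch (RA Guard), not something a host can fix.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 accept

        # Multicast Listener Discovery, which ND's solicited-node groups rely on.
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction } ip6 saddr fe80::/10 accept

        # IPv4 side of the same rule, so v4 PMTUD keeps working too.
        icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept

        # Services this host actually offers (assumed).
        tcp dport { 22, 443 } ct state new accept

        # Everything else inbound: log a sample, then fall through to drop.
        limit rate 5/minute log prefix "inbound-drop: "
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load with `nft -f` and check with `nft list ruleset`; the rate-limited log line is what makes an unexpected ND or PMTUD failure visible instead of silent.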




More information about the NANOG mailing list