A step-by-step approach to full-scale adoption of IPv6 in the enterprise

IPv6 has been gaining traction since it was developed in the late 1990s, and enterprises that are implementing it now are considered to be among the early majority – meaning widespread adoption is well underway – so if you haven’t already begun, you need to start planning IPv6 deployment.

The first step along that path is to do your homework. There are many published resources that enterprises can leverage to plan their IPv6 deployments, and some very valuable ones are linked to at the bottom of this article.

But to help get you started, here are some best practices that enterprises are encouraged to use in formulating their deployment plans.

Organize your IPv6 team

You will want to pull together a cross-functional team to lead your IPv6 planning and deployment. Having team members from the networking, security, systems, applications, desktop and helpdesk teams, along with business unit and management stakeholders, will ensure successful cooperation and collaboration.

Inventory and assess

You may elect to pull together an inventory of all the IT assets you have in your enterprise and assess if they have sufficient IPv6 capabilities to move forward. The good news for most enterprises is that they have waited to the point now where almost all routers, switches, firewalls, operating systems, applications and other systems have robust IPv6 capabilities.

Get trained on IPv6

Most enterprises have IT staff that has not spent much time learning about IPv6 and comparing it to the IPv4 protocol they are familiar with. When these teams start to learn about IPv6, they often ask many of the same basic questions. Even though there have been excellent IPv6 training materials available for years, many IT teams could use a good IPv6 tutorial to help get them started.
Any extra training will pay dividends as the IPv6 project progresses.

IPv6 planning and design

Once the teams are trained and know what is in the environment, they can create a detailed technical plan for deployment. This holistic design will take into account all aspects of your environment and the business benefits that your organization will derive from IPv6 implementation. The plan should follow the internet-inward deployment method.

IPv6 addressing plan

At this point, the team will understand IPv6 address formats and will be ready to build an IPv6 addressing plan. The first step is to determine the size of the global IPv6 prefix your organization may need, a process that can be helped along with an IPv6 address planning tool. Then you can request an IPv6 address allocation from your regional internet registry (RIR) and proceed to create the detailed prefix plan. Since this is your organization’s first IPv6 plan, it is beneficial to leverage experience contained in an excellent IPv6 addressing book, and consider using an IPv6 IP Address Management (IPAM) tool to assist with the hex math.

IPv6 proof of concept (PoC)

If your organization has a lab to test configurations, then this is where you will perfect your configuration scripts. Using your own IPv6 home lab, while a great way to learn, may not be sufficient, and you may require a PoC testbed to prepare for production implementation.

Deploying IPv6 at the internet perimeter

All the preparations up to this stage have laid a foundation for your organization to start pulling together the configuration changes you will make to network devices, servers, security systems, services and end-user devices. Moving into the deployment phase is where things get exciting for the teams who have been planning up to this point. As the IETF recommends, IPv6 deployment should start at the external region of the enterprise environment where the corporate network connects to the internet.
The great part about starting deployment at the internet perimeter is that this region of the enterprise network runs the most modern systems and software, so is more likely to be well documented and well understood. The internet perimeter is a smaller portion of the overall enterprise and is an effective way to apply agile methodologies and sprint-cycles for tactically getting IPv6 deployed quickly.

One quick-and-dirty way to get IPv6 working on your corporate web site is to simply call your friendly neighborhood Content Delivery Network (CDN) and have them turn on IPv6 for your public web sites. This gets IPv6 on public-facing web sites, but it doesn’t unlock any of IPv6’s benefits for your own networks. The real goal is to enable IPv6 on the upstream internet links and then bring IPv6 inward through the internet perimeter.

Here are the steps to follow to accomplish fully deploying IPv6 in the perimeter:

1. Obtain your global IPv6 addresses from your RIR.
2. Contact your upstream ISPs and have them enable IPv6 on your links.
3. Configure those IPv6 addresses on your router(s) and test connectivity to and from the ISP(s).
4. Configure the Border Gateway Protocol (BGP) between your routers and the ISPs’ to advertise your global IPv6 prefix.
5. Put global IPv6 addresses on the firewall interfaces and configure IPv6 static routes in your firewall.
6. Configure IPv6 addresses on perimeter devices and servers, starting with DNS servers.
7. Test IPv6 connectivity between DNS servers and firewalls.
8. Add permit/allow rules in firewall for inbound DNS over IPv6, then test from the internet by performing a lookup over IPv6.
9. Start to enable other perimeter services, such as web and e-mail servers, to be IPv6 accessible and verify internet reachability.
10. Configure IPv6 AAAA and PTR records in your public authoritative DNS to facilitate IPv6 reachability.
11. Add IPv6 to the public-facing systems behind load balancers or application delivery controllers.
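
The addressing plan and the perimeter DNS steps above both come down to hex math, so here is an added example (not from the original article) that carves /64 networks out of a global prefix, builds the ip6.arpa PTR names, and audits forward and reverse records against the allocation. The 2001:db8:1234::/48 prefix, the host names and the zone contents are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions: 2001:db8:1234::/48 (documentation space) stands in for the
# RIR allocation; host names and zone contents below are constructed.
GLOBAL_PREFIX = ipaddress.ip_network("2001:db8:1234::/48")

def plan_subnets(prefix, names):
    """Assign one /64 per named network, in order, from the allocation."""
    subnets = prefix.subnets(new_prefix=64)
    return {name: next(subnets) for name in names}

def ptr_name(addr):
    """ip6.arpa owner name: the 32 nibbles of the address, reversed."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."

def audit_zone(aaaa, ptr, prefix):
    """Return (host, problem) findings for forward/reverse DNS data."""
    findings = []
    for host, addr in sorted(aaaa.items()):
        ip = ipaddress.IPv6Address(addr)
        if ip not in prefix:
            findings.append((host, "address outside allocated prefix"))
        target = ptr.get(ptr_name(ip))
        if target is None:
            findings.append((host, "no PTR record"))
        elif target != host:
            findings.append((host, f"PTR points to {target}"))
    return findings

PLAN = plan_subnets(GLOBAL_PREFIX, ["perimeter-dns", "perimeter-web", "perimeter-mail"])

# Constructed zone data: ns1 is correct, mail has no PTR, and www has a
# transposed third hextet that puts it outside the allocation.
AAAA = {
    "ns1.example.com.": str(PLAN["perimeter-dns"][0x53]),
    "mail.example.com.": str(PLAN["perimeter-mail"][0x25]),
    "www.example.com.": "2001:db8:1243:1::80",
}
PTR = {
    ptr_name(AAAA["ns1.example.com."]): "ns1.example.com.",
    ptr_name(AAAA["www.example.com."]): "www.example.com.",
}

if __name__ == "__main__":
    for name, net in PLAN.items():
        print(f"{name:15} {net}")
    for host, problem in audit_zone(AAAA, PTR, GLOBAL_PREFIX):
        print(f"{host:20} {problem}")
```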

Deploying IPv6 across the core network

Remember that 1950s SciFi movie “The Blob” and how it slowly absorbed everything in its path? IPv6 will move much the same way across your enterprise network. IPv6 will be deployed one Layer 3 hop at a time as you add IPv6 connectivity over your entire enterprise backbone network, working from the internet perimeter inward, and eventually spread over the entire enterprise core network.

The IPv6 deployment needs to be contiguous, because gaps in IPv6 connectivity will cause end-to-end forwarding problems. The picture below shows IPv4 deployed on all the blue links, with IPv6 deployed suboptimally on the red paths. This will lead to higher end-to-end latency. Therefore, you will also want to make sure that you deploy IPv6 intelligently across your core network.

During core and wide-area network (WAN) IPv6 deployment, the networking teams can leverage their knowledge of IPv4 routing protocols, which also natively support IPv6. They can use OSPFv3, EIGRP, IS-IS or even BGP across core networks to get IPv6 deployed. It is best to use the same routing protocol that has been used for IPv4 when deploying IPv6 because the network engineers are already familiar with it.

Even though IPv6 is a completely separate protocol from IPv4, you will want to avoid configuring IPv6 in the middle of the work day; best practice dictates getting approval for a configuration-change window first to avoid impacting your production network.

As you migrate IPv6 across your corporate WAN, the changing enterprise WAN architectures will come into play. As more and more enterprises deploy software-defined WAN solutions with hybrid or direct-Internet connections, the enterprise’s IPv6 addressing strategy will be impacted. Your branches using direct-internet access will be allocated IPv6 addresses from the service provider.
You might elect to use the provider’s address space for the branch/store/remote office, or you may elect to use the global IPv6 address space that the enterprise has been allocated from an RIR.

Enabling IPv6 on access networks

In some cases, IPv6 can perform faster than IPv4 and benefit the end-user experience. For example, IPv6 connections are not subject to the lag-inducing side-effects of network-address translation (NAT), such as TCP/UDP header checksum recalculations. Today, enterprise end-users unknowingly consume native IPv6 internet resources using their mobile devices, and content providers like Facebook prefer IPv6.

Therefore, the next step in your enterprise IPv6 deployment is to enable IPv6 on the first-hop routers for the access networks. Due to “Happy Eyeballs” (RFC 6555) algorithms in end users’ mobile devices, their connections will choose whichever IP version provides the best performance.

You shouldn’t be concerned about allocating sufficient IPv6 address space for a LAN based on the number of hosts on that LAN. You will simply allocate a /64 prefix for every access network regardless of the number of end-nodes. As soon as these routers (Layer-3 interface) are configured with an IPv6 address, the router will begin to send ICMPv6 Router Advertisement (RA) messages. These messages will notify all the nodes on the access network that IPv6 is now active, that they should set their IPv6 addresses and use this router for upstream connectivity. You will also leverage your existing DHCP servers for DHCPv6 services across your enterprise to help manage address allocation.

You will want to enable IPv6 on both your wireless and wired access networks. As you are deploying modern wireless equipment with 802.11ac, you likely already possess modern WAPs and wireless controllers capable of enterprise-grade IPv6.

The final step to IPv6-only

At this point you will be operating a dual-protocol environment.
It is important to remember that dual-protocol is not the final destination of the journey; IPv6-only is the ultimate goal. The rationale is that an organization would prefer to operate an environment using a single protocol. Operating a dual-protocol environment results in increased administrative costs because many tasks would need to be performed twice, once for IPv4 and again for IPv6. So running an IPv6-only environment is more efficient. The sooner you get to this phase, the less constrained you will be by IPv4’s limitations.

Resources

There are many published articles that enterprises can leverage to plan their IPv6 deployments. The National Institute of Standards and Technology (NIST) has published documents to help U.S. Federal enterprises meet their IPv6 adoption mandates and track their progress. The Internet Society (ISOC) and its Deploy360 Programme have created a site (ipv6guide.net) to document advice for organizations. ARIN, the Regional Internet Registry (RIR) for North America, also publishes some great resources for deploying IPv6. Europe’s RIR, Réseaux IP Européens (RIPE), has formed an IPv6 for Enterprises Best Current Operational Practices (BCOP) group. And the Internet Engineering Task Force (IETF) has published RFC 7381, titled “Enterprise IPv6 Deployment Guidelines.”

(Scott Hogg is a co-founder of HexaBuild.io, an IPv6 consulting and training firm, and has over 25 years of cloud, networking and security experience.)