
uniden9

join:2009-08-04
Birmingham, AL

IPv6 question in reference to enterprise world.

I understand that you are assigned an IPv6 block from your ISP, and then expected to hand the addresses out to your corporate network. My question is in regard to the IPv6 block you are assigned. Can you register them, or is your internal network basically held hostage by your current internet service provider? Since to change ISP would mean you would need to change the IP address for your entire network, update all your static DNS records, and god forbid if you used static IP for some purpose, fix them. How is this done in a large multi-site layout? Is it more common to use a private network range in this situation, assign a private and public IP? I can find lots of information on how to do this in small SOHO designs, but for medium to large multi-site networks the information seems more lacking. Maybe it's just not common in these environments. I also have a hard time wrapping my head around auto-assigning all your IP addresses, even for key servers that provide functionality to many, such as VoIP call servers and LDAP servers and such. DNS is great, but changes are not instant across the enterprise; seems like it would make replacing them fun. I'm guessing static addressing is still used in these situations. I would also appreciate some recommended reading on the subject of practical deployment.

Thanks


bdnhsv

join:2012-01-20
Huntsville, AL

1 recommendation

If your organization is large enough then you get your own AS number and apply to ARIN for your own direct allocation of IPs. You make arrangements with your ISP for them to advertise your address space to the rest of the Internet, and then you use your addresses in your network as you see fit. You can use some as static for servers, and you can assign the rest via DHCP to computers and such.


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

1 recommendation

reply to uniden9

IPv6 is no different from IPv4 in this respect. The address space provided from the ISP is "non-portable" -- it belongs to that ISP and does not go with you when you change providers. (I stopped counting how many times I've had to call in the corp. lawyers to "explain" this to idiot customers; it's even in their contract.)

IPv6 was supposed to eliminate the insanity of renumbering via address autoconfiguration (SLAAC) and prefix delegation (PD) -- in theory, "all you have to change is a prefix." Of course, the geniuses that designed the protocol ignored almost everything about how people actually do networking in the real world. In reality, changing prefixes is still a pain.

As has already been mentioned, if you're "big enough" (i.e. willing to pay for provider independent (PI) space), you can request a direct allocation from your regional internet registry (RIR) -- in North America, that's ARIN. You don't have to register for an AS and run BGP yourself, but it does make the process easier.



leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

1 recommendation

reply to uniden9

I fully agree with the previously given answers by bdnhsv and cramer but would like to add that we do not yet know what a typical enterprise IPv6 deployment will look like.

In the IPv4 world initially every networked computer within an organization received a public IP address regardless whether they were allowed Internet access or not. It was only much later that the practice of assigning private IPv4 numbers to internal computers became popular.

One of the possibilities with IPv6 in the enterprise would therefore be (similar to early IPv4 deployments) to give every node a public IPv6 address. Actually that is really three possibilities in one because such an enterprise could be using statically assigned addresses, stateless address autoconfiguration (SLAAC) or dynamic host configuration (DHCPv6).

There have been arguments made against having private IP addresses in IPv6 since one of the main reasons for their introduction in IPv4 (address shortage) doesn't apply to IPv6. However a similar concept (the obsolete site-local address range replaced by the unique-local address range) does exist in IPv6 and it is quite possible that enterprises will limit the use of public IPv6 addresses to the edge of the network and use some form of local addressing internally.

If enterprises use site-local/unique-local IP addresses for their internal networks any renumbering due to an ISP change would be limited to the edge of the network (routers, DMZ servers, application gateways).
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!
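The point about renumbering staying at the edge, as an added example that is not part of the original thread: a Python sketch that swaps the provider prefix on a static address inventory and leaves unique-local hosts untouched. The host names, the `2001:db8::/32` documentation prefixes standing in for ISP space, and the ULA prefix are all constructed.

```python
import ipaddress

def renumber(addr, old_prefix, new_prefix):
    """Move addr from old_prefix to new_prefix, keeping the subnet ID and
    interface ID bits. Addresses outside old_prefix come back unchanged."""
    old = ipaddress.IPv6Network(old_prefix)
    new = ipaddress.IPv6Network(new_prefix)
    if old.prefixlen != new.prefixlen:
        # A shorter or longer delegation changes how many subnet bits exist,
        # so a blind bit-copy would silently collide or truncate subnets.
        raise ValueError("prefix lengths differ; the subnet plan must be redone")
    ip = ipaddress.IPv6Address(addr)
    if ip not in old:
        return ip
    low_bits = int(ip) & int(old.hostmask)
    return ipaddress.IPv6Address(int(new.network_address) | low_bits)

def renumbering_plan(inventory, old_prefix, new_prefix):
    """Return {host: (old_addr, new_addr)} for hosts whose address changes."""
    plan = {}
    for host, addr in inventory.items():
        moved = renumber(addr, old_prefix, new_prefix)
        if moved != ipaddress.IPv6Address(addr):
            plan[host] = (addr, str(moved))
    return plan

# Constructed inventory: edge devices on provider space, internal servers on ULA.
INVENTORY = {
    "edge-rtr1": "2001:db8:a::1",
    "dmz-www": "2001:db8:a:10::80",
    "ldap1": "fd12:3456:789a:20::389",
    "voip-cm": "fd12:3456:789a:30::5060",
}
OLD_ISP = "2001:db8:a::/48"   # constructed: prefix from the old provider
NEW_ISP = "2001:db8:b::/48"   # constructed: prefix from the new provider

if __name__ == "__main__":
    for host, (old, new) in renumbering_plan(INVENTORY, OLD_ISP, NEW_ISP).items():
        print(f"{host}: {old} -> {new}")
```

Every entry in the plan is also a DNS AAAA record, firewall rule or ACL entry that has to change with it; the ULA-addressed LDAP and VoIP servers do not appear in the plan at all.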


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

1 recommendation

site-local is just that. Site. Local. They have zero reach on the global internet. And when company A buys company B, if they're both using site-local internal addressing, bringing the two networks together will be a nightmare.

NAT is forbidden in IPv6. If you start rewriting addresses (and ports), things will break and no one will care because it's your [censored] network that's broken. At best, they could be proxied to a global network -- much as secured IPv4 networks do today.



janderso1
Jim
Premium,MVM
join:2000-04-15
Saint Petersburg, FL

You indicate that NAT is forbidden in IPv6. What about NAT64 and DNS64 which may allow legacy IPv4 only hosts to access any IPv6 addresses?
--
Jim Anderson



cablegeek01

join:2003-05-13
USA
kudos:1

1 recommendation

said by janderso1:

You indicate that NAT is forbidden in IPv6. What about NAT64 and DNS64 which may allow legacy IPv4 only hosts to access any IPv6 addresses?

I believe cramer was referring to IPv6-IPv6 NAT, which is generally frowned upon. There will always be one-off scenarios however, and there are a few IETF drafts out there that cover the subject.

»tools.ietf.org/html/rfc6296


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

1 recommendation

reply to cramer

said by cramer:

And when company A buys company B, if they're both using site-local internal addressing, bringing the two networks together will be a nightmare.

An even bigger concern than company mergers is the difficulty with site-to-site VPN tunnels when both sites use the same private IP address space. This is why the site-local address schema was superseded with the unique-local address schema. If implemented properly it makes it either impossible (fc00::/8 once the IETF appoints registries) or at least very unlikely (fd00::/8) that two enterprises would use the same IPv6 addresses.

The fact that site-local and unique-local addresses cannot be routed on the Internet is unlikely to be seen as a disadvantage. On the contrary, I'm sure that there are many who will view it as an added layer of security. Internet access for hosts with local addresses can be provided with application level gateways (proxies) which allow organizations a much desired level of control (besides the performance benefits from caching proxies).
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!
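The site-local versus unique-local difference described above, as an added example that is not part of the original thread: a Python sketch that builds a locally assigned `fd00::/8` prefix with a random 40-bit Global ID, checks two sites' address plans for overlap before a VPN or merger, and estimates the collision odds. It draws the Global ID from the OS random source rather than using the sample algorithm in RFC 4193; the subnet plans are constructed.

```python
import ipaddress
import math
import secrets

SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")    # deprecated site-local range
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")   # fc00::/8 plus fd00::/8

def generate_ula_prefix(global_id=None):
    """Return a /48 under fd00::/8 built from a 40-bit Global ID.
    Pass 5 bytes to make the result reproducible; default is random."""
    gid = secrets.token_bytes(5) if global_id is None else bytes(global_id)
    if len(gid) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    value = int.from_bytes(b"\xfd" + gid, "big") << 80
    return ipaddress.IPv6Network((value, 48))

def classify(addr):
    """Label an address by the ranges discussed in the thread."""
    ip = ipaddress.IPv6Address(addr)
    if ip in SITE_LOCAL:
        return "site-local (deprecated)"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    return "other"

def overlapping(site_a, site_b):
    """Return every pair of subnets that collide between two address plans."""
    a = [ipaddress.IPv6Network(n) for n in site_a]
    b = [ipaddress.IPv6Network(n) for n in site_b]
    return [(str(x), str(y)) for x in a for y in b if x.overlaps(y)]

def collision_probability(sites):
    """Birthday approximation: chance that any two of `sites` independently
    generated 40-bit Global IDs are identical."""
    return -math.expm1(-sites * (sites - 1) / 2 ** 41)

# Constructed plans: two companies that both numbered from the start of fec0::/10.
SITE_A_OLD = ["fec0:0:0:1::/64", "fec0:0:0:2::/64"]
SITE_B_OLD = ["fec0:0:0:1::/64"]

if __name__ == "__main__":
    print("site-local clash:", overlapping(SITE_A_OLD, SITE_B_OLD))
    print("fresh ULA /48:", generate_ula_prefix())
    print("P(collision) among 1000 sites:", collision_probability(1000))
```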

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

1 recommendation

reply to janderso1

That's not NAT. That's a protocol translation. IPv6 and IPv4 hosts CAN NOT talk directly with each other. They are as alien to each other as IPX and Appletalk. Something has to turn one protocol into the other, and there's more to it than changing an address and port.


uniden9

join:2009-08-04
Birmingham, AL

I appreciate all the answers to the question. It gives me a good starting point to work from.

thanks.