Networking-Forums.com

Professional Discussions => Routing and Switching => Topic started by: deanwebb on October 12, 2021, 08:16:51 AM

Title: IPv6 - Where Is It At?
Post by: deanwebb on October 12, 2021, 08:16:51 AM
C-Level Management: "We need to get serious about IPv6!"

Meeting happens, everyone agrees, yes, we need to get serious about IPv6.

Production outage happens, IPv6 discussions are put on the back burner for another year or more...

... or is IPv6 getting traction where you are? If so, where?
Title: Re: IPv6 - Where Is It At?
Post by: icecream-guy on October 12, 2021, 04:25:44 PM
Quote from: deanwebb on October 12, 2021, 08:16:51 AM
C-Level Management: "We need to get serious about IPv6!"

Meeting happens, everyone agrees, yes, we need to get serious about IPv6.

Production outage happens, IPv6 discussions are put on the back burner for another year or more...

... or is IPv6 getting traction where you are? If so, where?


Federal mandate
a. At least 20% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2023;
b. At least 50% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2024;
c. At least 80% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2025; and
d. Identify and justify Federal information systems that cannot be converted to use IPv6 and provide a schedule for replacing or retiring these systems;

We hope to be pure IPv6 by 2025, but then again, all the gung ho is all about customer-facing IPv6; getting the entire monitoring/management/backups/logging to go IPv6 native is not on everyone's hot list. It will certainly cause issues.
 
Title: Re: IPv6 - Where Is It At?
Post by: deanwebb on October 13, 2021, 08:03:48 AM
Ouch, yeah, especially if there are legacy IPv4 networks that get ignored... potential major security holes.

I'm thinking IPv4 is the COBOL of networking. It's going to be around for a lot longer than anybody expected or even wanted, and it's the oldsters that will be running it.
Title: Re: IPv6 - Where Is It At?
Post by: Otanx on October 13, 2021, 09:41:14 AM
Quote from: icecream-guy on October 12, 2021, 04:25:44 PM
Federal mandate
a. At least 20% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2023;
b. At least 50% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2024;
c. At least 80% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2025; and
d. Identify and justify Federal information systems that cannot be converted to use IPv6 and provide a schedule for replacing or retiring these systems;

We hope to be pure IPv6 by 2025, but then again, all the gung ho is all about customer-facing IPv6; getting the entire monitoring/management/backups/logging to go IPv6 native is not on everyone's hot list. It will certainly cause issues.


Same mandate we have. However, this is the 3rd or 4th time this has been extended. Nobody in leadership really cares as there is no funding to go along with the requirement. With no funding for hours or anything, we will do what we can. The last time this came around we got a /48 from ARIN so we don't need any budget there. We also have 50% of our external BGP peers set up and advertising our space. However, with everyone at about 125% utilization this isn't going to get touched much to get it extended to endpoints.

-Otanx
Title: Re: IPv6 - Where Is It At?
Post by: deanwebb on October 13, 2021, 10:49:45 AM
... and if it's been extended before, it'll be extended again. I know a guy almost 70, still doing COBOL...
Title: Re: IPv6 - Where Is It At?
Post by: icecream-guy on October 13, 2021, 12:16:27 PM
Quote from: deanwebb on October 13, 2021, 10:49:45 AM
... and if it's been extended before, it'll be extended again. I know a guy almost 70, still doing COBOL...

bet he makes BANK$ since there are very few COBOL programmers left these days.
Title: Re: IPv6 - Where Is It At?
Post by: deanwebb on October 13, 2021, 12:17:16 PM
He's comfortable, no question there.
Title: Re: IPv6 - Where Is It At?
Post by: config t on October 13, 2021, 10:15:48 PM
I've never heard a single discussion about transitioning to IPv6 with any of my past customers. It has become one of those things I re-learn whenever I need to test on it and then forget how to subnet it again afterwards.
Title: Re: IPv6 - Where Is It At?
Post by: deanwebb on October 14, 2021, 07:33:27 AM
Quote from: config t on October 13, 2021, 10:15:48 PM
I've never heard a single discussion about transitioning to IPv6 with any of my past customers. It has become one of those things I re-learn whenever I need to test on it and then forget how to subnet it again afterwards.

Even worse for me. I'm in management now, so I just pound my fists on the table and shout "Priorities! Synergies! Transformations!" until there's a major outage and I can go back to shouting about things I understand.
Title: Re: IPv6 - Where Is It At?
Post by: icecream-guy on October 15, 2021, 07:33:21 AM
Quote from: config t on October 13, 2021, 10:15:48 PM
I've never heard a single discussion about transitioning to IPv6 with any of my past customers. It has become one of those things I re-learn whenever I need to test on it and then forget how to subnet it again afterwards.

there is no need to subnet
/112 on the transit links
/64 on the hosts networks

now the problem turns into a security one,  at least for the network scanners.
then some IPv6 addresses in the /64 need to be blocked outbound.
Title: Re: IPv6 - Where Is It At?
Post by: deanwebb on October 15, 2021, 10:07:29 AM
I see /64 and think it's half a /32... I am in need of re-training on basic concepts, methinks... :rofl:
Title: Re: IPv6 - Where Is It At?
Post by: Otanx on October 15, 2021, 10:51:55 AM
Quote from: icecream-guy on October 15, 2021, 07:33:21 AM
there is no need to subnet
/112 on the transit links
/64 on the hosts networks

now the problem turns into a security one,  at least for the network scanners.
then some IPv6 addresses in the /64 need to be blocked outbound.

Any reason you use /112 instead of /127? Also don't forget /128s for loopbacks. I have not done it yet, but we are even looking at not addressing p2p links. Let it use link-local, and loopbacks have real addresses.

The cyber teams are going to have to step up their game with IPv6. No more ping or arp scanning an entire subnet to see what is there. They actually need to look at the network traffic and look for traffic to or from unexpected hosts.

-Otanx
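
An added example (not part of any post in this thread) of the passive approach described above: it shows why sweeping a /64 is impractical and instead flags site addresses seen in flow records that are missing from the inventory. The site prefix (documentation space 2001:db8:100::/48), the address plan, the inventory and the flow records are all constructed assumptions.

```python
import ipaddress

# Assumed plan: documentation space standing in for the site's /48.
SITE = ipaddress.ip_network("2001:db8:100::/48")
PLAN = {
    "hosts":    ipaddress.ip_network("2001:db8:100:10::/64"),     # /64 host network
    "transit":  ipaddress.ip_network("2001:db8:100:ffff::/112"),  # /112 transit link
    "loopback": ipaddress.ip_network("2001:db8:100::/64"),        # /128s allocated from here
}

# Constructed inventory: five transit addresses, one loopback, two hosts.
INVENTORY = {ipaddress.ip_address(a) for a in (
    "2001:db8:100:ffff::1", "2001:db8:100:ffff::2", "2001:db8:100:ffff::3",
    "2001:db8:100:ffff::4", "2001:db8:100:ffff::5", "2001:db8:100::1",
    "2001:DB8:100:10::0A", "2001:db8:100:10::b",  # text form varies; parsed form does not
)}

# Constructed flow records (src, dst), as a flow exporter might supply them.
FLOWS = [
    ("2001:db8:100:10::a", "2001:db8:200::53"),
    ("2001:db8:100:10:a1b2:c3ff:fed4:e5f6", "2001:db8:200::80"),  # not inventoried
    ("2001:db8:200::99", "2001:db8:100:ffff::6"),                 # unknown transit address
    ("2001:db8:100:77::1", "2001:db8:100:10::b"),                 # prefix not in the plan
    ("fe80::1", "ff02::1"),                                       # outside SITE, ignored
]

def sweep_seconds(prefixlen, probes_per_sec):
    """Time to probe every address in one subnet of the given prefix length."""
    return 2 ** (128 - prefixlen) / probes_per_sec

def segment(addr):
    """Plan segment for a site address, 'unallocated' if none, None if off-site."""
    if addr not in SITE:
        return None
    return next((n for n, net in PLAN.items() if addr in net), "unallocated")

def unexpected_hosts(flows, inventory):
    """Site addresses seen as source or destination that are not in the inventory."""
    seen = {ipaddress.ip_address(a) for flow in flows for a in flow}
    hits = [a for a in seen if a in SITE and a not in inventory]
    return {str(a): segment(a) for a in sorted(hits)}

if __name__ == "__main__":
    print(f"/64 sweep at 1M probes/s: {sweep_seconds(64, 1e6) / 31_557_600:,.0f} years")
    for addr, seg in unexpected_hosts(FLOWS, INVENTORY).items():
        print(f"{seg:12} {addr}")
```

An address that appears only as a destination may not exist on the wire, so treat those hits as leads to confirm against neighbor tables rather than as confirmed hosts.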
Title: Re: IPv6 - Where Is It At?
Post by: deanwebb on October 16, 2021, 02:03:53 PM
^In that case, they can just try to detect existing IPv4 and then mark a "Fail" if they do find any.
Title: Re: IPv6 - Where Is It At?
Post by: icecream-guy on October 16, 2021, 04:30:24 PM
Quote from: Otanx on October 15, 2021, 10:51:55 AM
Quote from: icecream-guy on October 15, 2021, 07:33:21 AM
there is no need to subnet
/112 on the transit links
/64 on the hosts networks

now the problem turns into a security one,  at least for the network scanners.
then some IPv6 addresses in the /64 need to be blocked outbound.

Any reason you use /112 instead of /127? Also don't forget /128s for loopbacks. I have not done it yet, but we are even looking at not addressing p2p links. Let it use link-local, and loopbacks have real addresses.

The cyber teams are going to have to step up their game with IPv6. No more ping or arp scanning an entire subnet to see what is there. They actually need to look at the network traffic and look for traffic to or from unexpected hosts.

-Otanx

yes, with dual-homed links, i.e.:
.1 HSRP
.2 Router PE1
.3 Router PE2
.4 Firewall1
.5 Firewall2

the /127 just isn't enough for the redundancy.


so HSRP runs between PE1 and PE2
and Firewall1 and Firewall2 are on active/standby failover configuration.
that builds in the redundancy so that either PE can reach either firewall.
this is our standard.
Title: Re: IPv6 - Where Is It At?
Post by: Otanx on October 18, 2021, 08:17:24 AM
That makes sense. Feel like I should have been able to figure that one out. I will have to keep that in mind when we do our address planning.

-Otanx
Title: Re: IPv6 - Where Is It At?
Post by: NetworkGroover on November 10, 2021, 12:33:19 PM
I think a somewhat hidden part of this is the undesirable extra demand IPv6 puts on both software development of vendors to support both, and the extra resource demand it puts on the hardware itself to do all the things that we're all used to with IPv4.  IPv6 ACLs for example take way more TCAM memory than IPv4.  That's just one basic function - now expand that through all the functions inside of network devices based off IP addressing - all of that needs to be stored in memory somewhere.
Title: Re: IPv6 - Where Is It At?
Post by: deanwebb on November 11, 2021, 01:18:28 PM
... so when do we get switches with more RAM?
Title: Re: IPv6 - Where Is It At?
Post by: luispolanco on November 12, 2021, 02:06:01 AM
GOOD I WAS READING THAT ONLY IN GERMANY IS IPV6 IMPLEMENTING AS A 25%

but later in Latin American countries 0.5% United States 14%
Title: Re: IPv6 - Where Is It At?
Post by: deanwebb on November 12, 2021, 08:43:05 AM
Quote from: luispolanco on November 12, 2021, 02:06:01 AM
GOOD I WAS READING THAT ONLY IN GERMANY IS IPV6 IMPLEMENTING AS A 25%

but later in Latin American countries 0.5% United States 14%

The major IPv6 drivers in the USA are mobile phone providers and US Government facilities.