Deploying IPv6 Networks

By Ciprian Popoviciu, Eric Levy-Abegnoli, Patrick Grossetete

... Publisher: Cisco Press

Pub Date: February 10, 2006

Print ISBN-10: 1-58-705210-5

Print ISBN-13: 978-1-58705-210-1

Pages: 672

Table of Contents | Index

An essential guide to IPv6 concepts, service implementation, and interoperability in existing IPv4 environments.

Learn about IPv6 services and the relevant IPv6 features that make them possible

Plan, deploy, and manage IPv6 services at the production level in existent IPv4 networks

Configure and troubleshoot IPv6 networks

IPv6 scales up to support new services that require a very large addressing space; it is positioned to provide the infrastructure for a world where mobile devices, home

Deploying IPv6 Networks

By Ciprian Popoviciu, Eric Levy-Abegnoli, Patrick Grossetete

... Publisher: Cisco Press

Pub Date: February 10, 2006

Print ISBN-10: 1-58-705210-5

Print ISBN-13: 978-1-58705-210-1

Pages: 672

Table of Contents | Index

Copyright

About the Authors

About the Contributor

About the Technical Reviewers

Acknowledgments

Icons Used in This Book

Command Syntax Conventions

IPv6 Packet Format

Internet Control Message Protocol for IPv6

Neighbor Discovery Protocol

IPv6 Multicast Deployment Examples

Chapter 7. VPN IPv6 Architecture and Services

Security Threats and Best Practices to Protect Against Them

Summary of Best Practices for Securing IPv6 Deployments

Chapter 10. Managing IPv6 Networks

IPv6 Network Management: The Challenges

Network-Management Architecture

Retrieving Information from Routers and Switches

Fault Management

Performance Management

Configuration and Provisioning Management

Management Platforms

IPv6 Network Management Services and Tools at a Glance

_IPv6 Chapter 11. Network Performance Considerations: Coexistence of IPv4 and Aspects of Router IPv6 Performance

Measuring Forwarding Performance

The Right Router for the Job

IPv6 Router Performance Evaluation Checklist

Part II: Deployment Case Studies

Chapter 12. Generic Deployment Planning Guidelines

Cost Analysis

Address Policies and Registration Process

Education

Chapter 13. Deploying IPv6 in an MPLS Service Provider Network

Network Environment

Network Design Objectives

Network Design

Basic Services Design and Implementation

Quality of Service Design

Operating and Troubleshooting the Network

Design Lessons

Chapter 14. Deploying IPv6 in an IP Service Provider Network

Network Environment and IPv4 Services

IPv6 Deployment Plans

Basic Services Design and Implementation

Advanced Services Design and Implementation

Operating and Troubleshooting the Network

Deployment Lessons

Chapter 15. Deploying IPv6 in an Enterprise Network

AC Network Environment

Business Drivers to Integrate IPv6 on the AC Network

Learning the Technology Moving IPv6 to Production

Design and Setup

Troubleshooting

Future Evolutions

Copyright

Deploying IPv6 Networks

Ciprian Popoviciu, Eric Levy-Abegnoli, Patrick Grossetete

Copyright © 2006 Cisco Systems, Inc.

Published by:

Cisco Press

800 East 96th Street

Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or

mechanical, including photocopying, recording, or by any information storage and retrieval system, without written

permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing February 2006

Library of Congress Cataloging-in-Publication Number: 2004108530

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately

the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any

trademark or service mark.

Warning and Disclaimer

This book is designed to provide information about the

deployment of IPv6. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may

accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.

For more information please contact: U.S. Corporate and Government Sales 1-800-382-3419

corpsales@pearsontechgroup.com

For sales outside the U.S. please contact: International Sales international@pearsoned.com

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional

technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at

feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Publisher John Wait

Editor-in-Chief John Kane

Cisco Representative Anthony Wolfenden

Cisco Press Program

Manager Jeff Brady

Production Manager Patrick Kanouse

Development Editor Deadline Driven Publishing

Project/Copy Editor Interactive Composition Corporation

Technical Editors Blair Buchanan, Gunter Van de Velde, Dan Williston

Team Coordinator Raina Han

Compositor Interactive Composition Corporation

Indexer Interactive Composition Corporation

Corporate Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA

www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387) Fax: 408 526-4100

European Headquarters

Cisco Systems International BV Haarlerbergpark

Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands

www-europe.cisco.com

Tel: 31 0 20 357 1000 Fax: 31 0 20 357 1100

Americas Headquarters

www.cisco.com

Tel: +65 6317 7777 Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at

www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea •

Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain •

Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam •

Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me

Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet

Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)

Printed in the USA

Dedications

Ciprian dedicates this book to Nicole and Simon.

Eric dedicates this book to Marine, Julie, and Quentin.

About the Authors

Ciprian Popoviciu, CCIE No. 4499, is a technical leader at Cisco Systems with more than eight years of experience

designing, testing, and troubleshooting large IP networks. As part of the Cisco Network Solution Integration Test Engineering (NSITE) organization, he currently focuses on the architecture, design, and test of large IPv6 network deployments in direct collaboration with service providers worldwide. He contributed to various publications and the IETF. Ciprian holds a bachelor of science degree from Babes-Bolyai University, a master of

science degree and a doctorate degree in physics from the University of Miami.

Eric Levy-Abegnoli is a technical leader in the IP Technologies Engineering group at Cisco Systems, where he is the technical lead for IPv6 development in IOS. Eric has worked with the

Cisco IPv6 implementation since 2001, and has been involved in some of the biggest IPv6 deployments. Before joining Cisco, Eric worked for IBM, where he successively led a development team in the Networking Hardware Division and a research team at the Thomas J. Watson Research Center, focusing on

networking and content-delivery platforms. Eric received the

Diplome d'Ingenieur from the Ecole Centrale de Lyon, France.

Patrick Grossetete, manager of product management at Cisco Systems, is responsible for a suite of Cisco IOS software

technologies including IPv6 and IP Mobility. He is a member of the IPv6 Forum Technical Directorate and manages Cisco's participation in the forum. In June 2003, he received the "IPv6 Forum Internet Pioneer Award" at the San Diego summit.

About the Contributor

About the Technical Reviewers

Blair Buchanan, CCIE No. 1427, is a senior technical architect and convergence strategist with Sherwood Cameron Associates Limited, in Ottawa, Canada. He has 30 years experience in the communications business. He began his career as a software developer for real-time data communications in process-control applications. Blair has participated in ISO standards

development and has taken lead roles in internetwork design for large enterprise and service provider businesses in Canada and the United States. He is currently involved in planning and designing internetworks for converged services over metro Ethernet and IP VPN infrastructures. Blair holds a bachelor degree in computer science and mathematics from the University of Western Ontario (1975). His involvement with Cisco began in 1992 as a Cisco instructor and in 1995 as a CCIE.

Gunter Van de Velde is a senior network consulting engineer on the Cisco System's Advanced Services team, and has been working in the field of core network design, and the

implementation of IPv6, since early 2001. Gunter received his master's degree in electronics in 1993. After graduating, his first professional activities were based on TDMs, modems, and L2 bridges. He joined Cisco Systems in 1997, initially providing reactive worldwide support as part of the Technical Assistance Center, specializing in IP routing protocol technologies. In 1999, he joined the Advanced Services organization as a network

consulting engineer, where he has been active in designing large backbone ISP networks and services.

Since 2001, Gunter has been working as a design architect for the European Commissionsponsored 6NET IPv6 project, and this year has become involved with the IETF, for which he is

speaker at IPv6 conferences and events.

Dan Williston is a technical leader at Cisco Systems in Ottawa. He was a key member of the software development team

responsible for IPv6 on the Cisco 12000 series router. Prior to joining Cisco, he worked at Nortel Networks as a senior

Acknowledgments

This book benefited from the efforts of all Cisco engineers who share our enthusiasm for the next generation of IP and work tirelessly to implement, test, and deploy it. Among them, there are a few to whom we are particularly grateful: Ole Troan, for his encouragement and support of this work, along with his contribution to Chapters 3 and 7; Pascal Thubert, for his key contribution to Chapter 8; Sean Convery and Darrin Miller, for their guidance and contribution to Chapter 9; and Benoit

Lourdelet, for his contribution to Chapter 11. We also want to acknowledge the support of Gunter Van De Velde, Jean-Marc Barozet, Faycal Hadj, Gilles Clugnac, Floris Granvarlet, Tim Gleeson, Stan Yates, Luc Revardel, Vincent Ribiere, Richard Gayraud, Francois Le Faucheur, Alun Evans, Tom Kiely, Kevin Miles, Tin Phan, and Min Li.

We want to thank our technical reviewersDan Williston, Gunter Van de Velde, and Blair Buchananfor their thorough review and their valuable suggestions.

Special thanks go to our extraordinary editorial team, particularly Grant Munroe, Raina Han, and John Kane.

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as

follows:

Boldface indicates commands and keywords that are entered literally as shown.

Italics indicate arguments for which you supply actual values.

Vertical bars (|) separate alternative, mutually exclusive elements.

Square brackets [ ] indicate optional elements.

Braces { } indicate a required choice.

Introduction

There is no doubt that information technologies have become a significant part of our lives, shaping in great measure the way people work, learn, and play. Their rise to prominence was

accelerated over the past decade by computer communications. Networked computing devices have proven to be much more than their sum. This concept led to tremendous productivity increases and a plethora of new services that expanded its scope from research communities, to offices, to large

corporations, and to the World Wide Web.

Unprecedented engineering innovation rapidly improved

networking technologies in lockstep with the fast adoption of computer communications (which naturally require larger,

faster, and feature-rich infrastructures). On the other hand, the trend of converging all communications, data, voice, and video to a single networking protocol revealed a resource constraint to the further adoption of computer-communication-based services. IPv4's address space cannot meet the needs of an ever-increasing demand for globally reachable IP devices. New services make address preservation a futile pursuit, with

mechanisms such as Network Address Translation becoming anachronisms that block further innovation.

With the looming exhaustion of the global IPv4 address space and with the private address space proving inadequate for today's networks, service providers, enterprises, IP appliances manufacturers, application developers, and governments are now looking at the evolution of IP: IPv6. The foreseen address exhaustion has been the trigger and the driver for moving into a new addressing dimension. IPv6, however, is more than just an extension of the address space. Significant reengineering efforts were applied to solving protocol, deployment, and

than IPv4. IPv6 is IPv4's future, happening now!

Goals and Methods

The most important goal of this book is to show that IPv6 is a mature technology and it is ready for deployment. It goes beyond discussing the basics of the protocol while remaining accessible to those unfamiliar with IPv6. With this book in hand, you will not only understand IPv6 but, most important, will

know how to plan, design, and deploy IPv6 services.

Countless books document and explain the vast set of protocols and features known under the name of IPv4. Although its

evolutionary nature allows IPv6 to back reference many of its protocols and features, detailing all the changes and

improvements made would require more than this book. On the other hand, IPv6 has yet to enter the mainstream and is

outpacing many of the reference books on the market. This creates the risk of making any pure deployment case study discussion difficult to follow. These considerations shaped the methodology employed in this book.

The most important changes in the foundation of IP, such as addressing architecture, packet format, and layer 2-to-layer 3 address resolution, are reviewed in detail. All the other

protocols and features are discussed in the context of a service such as unicast, multicast, virtual private networks, quality of service, and security. The goal is to provide the reader with the understanding and tools needed to deploy the respective

services. This approach gives a practical dimension to the information presented. This knowledge is reinforced in the

second part of the book, where the reader can see it applied to concrete, complete deployment case studies. Deployment

planning, deployment costs, performance, and IPv4IPv6 coexistence topics are also covered to further anchor the discussion into real-life deployment challenges.

examples as well as debug outputs wherever useful. The case studies start with a description of the existent IPv4 network environment. They go through planning and design

considerations and present in the end configuration of key network elements. You can leverage this knowledge

immediately in a real, Cisco IOS-based network infrastructure.

In summary, this book's goals are to:

Provide relevant, advanced IPv6 information from a deployment perspective.

Help you plan IPv6 deployments by offering guidelines and references to relevant resources.

Provide you the opportunity to practice the acquired knowledge on complete case studies.

Who Should Read This Book?

This book will be of interest to a rather large audience,

How This Book Is Organized

Although each chapter of this book can be used independently to learn a certain aspect of IPv6, the book's structure has a clear didactic dimension. It intends to build the knowledge layer by layer, or IP service by IP service, and in closing to offer a set of exercises in the form of case studies.

Part I provides the technology tools needed to approach the design and deployment of an IPv6 network. The knowledge is grouped around IP services, each mapped to a chapter. It starts with enabling unicast connectivity, the foundation of any

network, and follows with QoS, multicast, VPNs, IP mobility, security, and network management. The second part of the book, ushered in by a discussion of deployment planning, covers three complete case studies that map to three distinct environments: MPLS-based service provider, IP-based service provider, and enterprise.

Chapters 1 through 15 cover the following topics:

Part I

Chapter 1, "The Case for IPv6An Updated

Perspective" This chapter builds the case for IPv6 from a technical perspective. It summarizes the differences

between IPv4 and IPv6, and in the process of drawing a parallel between the two versions of IP, this chapter reviews the major concepts and challenges that people manage in their current network. Thus, it provides a framework for the IPv6 discussion in the rest of the book.

significant changes from IPv4. It covers the new addressing architecture, the new header format and structure, the

enhanced functions of ICMP, and the layer 2

address-resolution mechanisms. These are concepts fundamental to understanding any IPv6-related topic. For this reason, they are presented in detail here.

Chapter 3, "Delivering IPv6 Unicast Services" This chapter discusses the elements necessary for establishing unicast IPv6 connectivity, the foundation of all other IPv6 services. It covers the relevant protocols at the access, edge, and core of the network. The mechanisms enabling the transition from IPv4 to IPv6 are discussed along with recommendations on what IPv6 deployment approach to follow in relation to the existent IPv4 infrastructure that will have to host the deployment.

Chapter 4, "IPv6 Routing Protocols" This chapter covers the routing protocols available in IPv6. It parallels their

implementation and operation to their IPv4 counterparts.

Chapter 5, "Implementing QoS" This chapter reviews, from the perspective of IPv6, the concepts relevant to implementing quality of service in IP- and MPLS-based networks. It also discusses deployment considerations relevant to the coexistence of IPv4 and IPv6.

Chapter 6, "Providing IPv6 Multicast Services" This chapter reviews the IP multicast concepts and protocols. It draws a parallel between IPv4 and IPv6 features, it explains the new mechanisms available in IPv6, and it provides

examples that capture the various deployment options. Multicast deployment in conjunction with the various transition mechanisms is also discussed.

chapter covers the topic of deploying VPN services in an IPv6 network. It reviews the VPN-related concepts and the deployment models. In closing, the chapter shows several topology examples with relevant configuration examples.

Chapter 8, "Advanced ServicesIPv6 Mobility" This chapter covers the concepts of IP mobility and their implementation in IPv6. It discusses the improvements made, the remaining open issues, and various examples of applying the protocol to novel services.

Chapter 9, "Securing IPv6 Networks" This chapter

starts with an analysis of the security threats faced by IPv6, the ones specific to the new protocol, and the ones shared with IPv4. The dual perspective is critical because the

coexistence of the two protocols can provide new attack vectors on the IPv6-enabled network. The chapter also presents the tools and best practices available to secure IPv6 networks.

Chapter 10, "Managing IPv6 Networks" This chapter discusses the challenges faced in managing IPv6 networks; some challenges are rooted in the protocol specifics,

whereas others stem from the availability of tools. It covers the applications and management systems that can be

leveraged today to operate IPv6 infrastructures and services.

Part II

Chapter 12, "Generic Deployment Planning

Guidelines" This chapter is intended to assist the reader in planning the deployment of IPv6 services. It provides

guidelines on estimating the cost of deployment. It also provides references to resources relevant to planning the deployment, such as getting IPv6 address space. The chapter also discusses the important aspect of education and training.

Chapter 13, "Deploying IPv6 in an MPLS Service Provider Network" This chapter covers the planning, designing, and deployment of IPv6 in an MPLS service provider network. Internet access and VPN services are rolled out in stages, and configuration examples are provided for each one of them. The chapter closes with examples on troubleshooting the IPv6 network and the services supported.

Chapter 14, "Deploying IPv6 in an IP Service Provider Network" This chapter covers the planning, designing, and deployment of IPv6 in an IP service provider network. The ensuing infrastructure is dual stack, end to end. The various services are built in stages, and configuration examples are provided for each one of them. The chapter closes with examples on troubleshooting the IPv6 network and the services supported.

Chapter 15, "Deploying IPv6 in an Enterprise

Network" This chapter starts by presenting the steps taken by an enterprise to evaluate IPv6 at both network and host level. It shows the development of a few services

Part I: Implementing IPv6 Services

Chapter 1 The Case for IPv6An Updated Perspective

Chapter 2 An IPv6 Refresher

Chapter 3 Delivering IPv6 Unicast Services

Chapter 4 IPv6 Routing Protocols

Chapter 5 Implementing QoS

Chapter 6 Providing IPv6 Multicast Services

Chapter 7 VPN IPv6 Architecture and Services

Chapter 8 Advanced ServicesIPv6 Mobility

Chapter 9 Securing IPv6 Networks

Chapter 10 Managing IPv6 Networks

Chapter 1. The Case for IPv6An Updated

Perspective

It is not only accepted but almost expected that an IPv6 book will try, often hard, to persuade the reader of IPv6's importance and benefits. Countless pages have been written describing business models that would financially justify the deployment of IPv6. Sometimes innovative, other times controversial, the job of selling IPv6 has its role in challenging today's tactical

approach to planning network-related capital expenditures. But despite all these efforts, it might just be that the accelerated depletion of the IPv4 address space will remain the trigger for a massive upgrade of existing networks to IPv6.

The authors decided to steer clear of selling IPv6, and to avoid providing business models for IPv6 services. Instead, we intend to present to the reader the IPv6's value through technical

arguments. We intend to provide a realistic perspective of IPv6, revealing its positives and negatives. This exercise, however, cannot be performed in absolute terms. For this reason, "the case for IPv6" is presented relative to the familiar frame of reference called IPv4. This approach is not original. It is in fact the title of an Internet Architecture Board (IAB) document (http://www.6bone.net/misc/case-for-ipv6.html). Some things have changed since that document was completed, so "an

updated perspective" is seen as useful.

A deployment perspective is maintained while discussing the various IPv6 topics throughout the book. The technology is presented in the context of each network service layer:

Unicast connectivity

Multicast service

Virtual private networks (VPNs)

Security

Mobility

This chapter follows the same structure. Each service is briefly reviewed in the context of the IPv4 world. The protocol

limitations and deployment issues are singled out along with pointers to IPv6 solutions or improvements, with further pointers to the chapters of this book where these topics are detailed. This chapter prepares the reader for an IPv6

Unicast Connectivity

The delivery of IP services relies on an infrastructure that

provides unicast connectivity between IP hosts. The foundation of such an infrastructure consists of three elements:

addressing, routing, and forwarding.

IP addresses represent a finite resource used in identifying hosts within private or global networks. The structure and allocation mechanisms of IP addresses are relevant in

designing, deploying, and operating IP networks. A review of this topic is compelling; especially under the circumstances of a depleting IPv4 address space. After all, at the time of this

writing, addressing is one of the main reasons for deploying IPv6.

Routing and forwarding provide the mechanisms to move traffic between IP hosts. Whereas forwarding's dependency on IP

version is relatively straightforward, routing has multiple

dependencies on addressing. For this reason, it is important to see whether any of the IPv4 routing challenges were resolved in IPv6.

Addressing

IP addressing is a vast topic that influences most of the protocol layers and most of the services. It also represents a critical

resource. This section briefly discusses address architecture and address allocation. For a complete and detailed presentation, the following books are helpful references:

Internet Routing Architectures by Sam Halabi and Danny McPherson

Routing in the Internet by Christian Huitema

IPv4 Address Architecture

A little bit of history is necessary to understand the debate

around the IPv4 address space depletion. An address is used to uniquely identify hosts within the network. Even in a flat

nonhierarchical simple world, some minimum requirements on the address structure enable network elements to operate

efficiently. In IPv4, the address has a fixed size of 32 bits. That would allow in theory up to 232 addresses or somewhere

around four billion. It is important to note that at the time of its specification, these four billion possible addresses appeared to be more than adequate for years if not centuries to come. As soon as early 1990s, however, the Internet community had to introduce a number of changes in the address architecture and the address-allocation scheme to accommodate growing

address needs. IPv6, which is based on 128-bit-long addresses, appears to be safe for centuries to come, but who says that history cannot repeat itself?

A considerable waste of IPv4 addresses was generated by two factors:

The unwise allocation of classful addresses; often entities with just a little over 255 hosts asked for a Class B, capable of accommodating 65,000 hosts.

The increasing number of hosts challenged the address space resources and led to the formalization of private addressing and Network Address Translation (NAT) as an address-conservation solution. The increase in the number of hosts is also matched by an increase in the number of networks and this leads to scalability problems for the routers. In 1994, the core routers had approximately 34,000 routes, doubling every year. By 2004, it was expected to reach millions routes. Variable-length subnet mask (VLSM), Classless Inter-Domain Routing (CIDR), and a new IP address-allocation strategy was the response to the routing table explosion.

Although the core routing table size was predicted to grow from 34,000 to 80,000 between 1994 and 1995, in fact it reached 76,000 routes only in 2000 and about 160,000 in mid 2004.

With IPv6 and its larger address space, one could fear that routing tables will further expand. Bigger addressing space might logically lead to more hosts followed by more networks. In reality, past experience has shown that the "number of hosts" and the "number of networks" are loosely related. With the proper aggregation mechanisms, partly driven by the right address-allocation strategy, the latter have been well under control. Assuming the same mechanisms are maintained and further enforced with IPv6, it is reasonable to believe that routing table size will remain within manageable limits.

Note

The address-conservation mechanisms cannot stave off for long the need for global IP addresses. Past and current Internet

growth rates (source BGP table

statisticshttp://bgp.potaroo.net/) can be extrapolated to predict the time left before the complete exhaustion of all available IPv4 address space. Conservative studies estimate the IPv4 address-space exhaustion by February 2041, and the

exhaustion of the IPv4 unallocated address pool by April 2020. More aggressive models predict even earlier dates such as 2009. These predictions are based on the underlying

assumption that the current growth models will remain

applicable for years to come, which is not necessarily accurate.

IPv6 might change these assumptions. With the combination of the Internet as an attractive and accessible communications medium, and the emergence of communicating gadgets and devices of all kind (even the most unexpected ones such as phones, home appliances, cars, and so on) you must be ready to see them proliferate and stimulate a growth in Internet usage that cannot be extrapolated from past patterns.

Private Versus Public Addresses

Public addresses are registered, globally unique, and can be used to provide reachability over the Internet. By contrast, private addresses are meaningful only within a closed, physical or virtual domain. In IPv4, private addresses have been always associated with unregistered addresses, which in return have been associated with nonunique addresses.

Increase the addressable space used internally

Avoid address registration pains

Decorrelate from public addressing changes (for instance, at peering points) to save the renumbering hassle

Protect the internal network from the public domain by preventing private addressing/topology exposure

RFC 1918 identifies two categories of hosts that could deal with private addresses:

Hosts that do not require access to hosts in other enterprises or the Internet

Hosts that need access to a limited set of outside services (e-mail, FTP, and so on) that can be handled by

intermediate gateways

For these two categories, RFC 1918 further defines three blocks of private addresses that should not be routed over the

Internet, and therefore free to replicate.

10.0.0.0/8 A Class A block

172.16.0.0/12 A Class B block

192.168.0.0/16 A Class C block

In an ideal world, privately addressed hosts would be confined to the private network, whereas only hosts with public

some point. Usually, there are not enough public addresses for all hosts in the private network, so further mechanisms are necessary to interface them with the public domain. The

simplest one is NAT, discussed in the section "Network Address Translation."

One of the benefits of the private address space is the large number of addresses available at the discretion of an

enterprise. It was, however, only logical to expect that the private address space will face depletion similar to the overall IPv4 address space. In 2005, multiple-systems operators (MSOs; or cable operators) reported the fact that they are running out of private address space. This is due to the

proliferation of cable modems, Voice over IP (VoIP) phones, and set-top boxes they have to manage over IP. This realization

accelerated their plans to deploy IPv6 if not to provide services at least to manage their devices.

Some of the reasons to use private addresses become obsolete with IPv6 (there are now plenty of public addresses for

everyone) although others will remain. VPN solutions exist for IPv6, too, and that could be sufficient to safeguard the privacy of addressing used within a network. The plethora of IPv6

addresses had suggested some different paradigms for private addressing, in particular the concept of unique yet private address. These concepts are presented in Chapter 2, "An IPv6 Refresher." The concepts and issues that arose when crossing the boundary between private and public domains are

presented in Chapter 7, "VPN IPv6 Architecture and Services."

Static Versus Dynamic Addresses

Addresses can be assigned to IP nodes either statically or

time it connects to a network. This process enables multiple users to overload the use of a pool of dynamically assigned addresses. DHCP also enables mobile hosts to attach to visited subnets without requiring manual reconfiguration. In reality, dynamically allocated addresses might not change often either. In large networks, DHCP servers tend to allocate the same address to the same host over time, unless there is some

shortage. For the home environment, there are two categories of users:

Users with dialup connections will change their address often. Most Internet service providers (ISPs) make use of DHCP to assign an IP address to each user for the length of time they are connected, and reuse it for another customer after the dialup connection from the previous customer has been terminated.

Users with long-life connections such as Digital Subscriber Line (DSL), Integrated Services Digital Network (ISDN), or cable will tend to keep their address for a longer period of time.

There are now advantages and disadvantages with the trend to use more stable source addresses than there were in the past. From a network operation perspective, one could find useful that the same user stays behind the same IP address; it is easier to manage, bill, filter, authenticate, and so on. However, this operational model eliminates address reuse, which

same address used in multiple contexts (for instance, web

surfing, gaming, and so on) can be used to correlate seemingly unrelated activities. Note that with IPv6, which offers the

possibility of using addresses that embed topological

information such as link identifier, the concern will grow. The mechanisms to allocate IPv6 addresses dynamically are

reviewed in Chapter 3, "Delivering IPv6 Unicast Services."

Renumbering

Want to know a network administrator's worst nightmare? It is renumbering. Renumbering is the process of replacing existing network prefixes and host addresses considered as deprecated throughout the network with new ones.

There can be a large variety of reasons for renumbering:

The topology outside the network has changed (for

instance, because the ISP providing Internet access has changed).

The network is expanding, hence the internal topology is changing; more subnets need to interconnect; a

reorganization of the existing ones; more hosts to address; and so on. Renumbering, although not always required in these cases, could potentially improve aggregation and is sometimes highly recommended.

The network is merging with another one (for instance, in the case of two companies merging).

The complexity of the renumbering process comes from the fact that addresses are used in many different places within a

network and for many different reasons. A single address or a set of addresses may have been configured statically or

dynamically in various places such as the following:

BOOTP or DHCP servers

Applications servers of all kinds (HTTP, FTP, mail, and so on)

Routers (interfaces, routing, and access lists configuration, and so on)

Firewalls (access list)

DNS servers

Sometimes, simply changing the old address can make the new one operational; in many cases, however, the old address has been leaked in caches of all kinds (DNS caches, applications caches, routing caches, web caches, Address Resolution

Protocol [ARP] caches). Many of these caches have expiration timers, which will make them invalidate the "old" addresses, but some do not. In most cases, changing the address and network prefix requires rebooting the host. When addresses are cached throughout the network, delays (mostly "uncontrolled") will occur before the new addresses are operational.

Although some believe that renumbering issues have been entirely taken care of in IPv6, others believe that renumbering remains a problem without any good solution. The truth lies somewhere in between. The renumbering issue is

multidimensional, and IPv6 brings some innovative solutions in some areas, although it does not solve the entire problem.

mechanisms such as link-local addresses, autoconfiguration, and support for multiple addresses on the same interface that can ease aspects of network renumbering.

Network Address Translation

Network Address Translation (NAT) has brought the best and the worst to IP deployments. Per NAT RFC authors, NAT was a short-term solution to enable address reuse and solve the address-depletion issue the IP Internet community was

anticipating in 1993. That worked out well indeed, and what seemed to be a critical issue in 1993 is less critical more than 10 years later. NAT has enabled private addressing in all sorts of corporate networks, eliminating the need for publicly registered chunks of addresses. Nevertheless, NAT is a controversial

subject in the networking community, and for that reason we dedicate this section to it.

For technical background and more details on NAT principles and operations, refer to RFC 1631 and books such as the Cisco Press book Routing TCP/IP, Volume II (CCIE Professional

Development) by Jeff Doyle. Over the years, NAT has been deployed widely throughout the Internet. During this time, its use was given justifications beyond address conservation: from security to privacy, from preventing renumbering to providing high-availability mechanisms, from deployment of virtual

clusters to providing Internet access over VPNs. Each of these justifications was prompted by some deployment scenario and was meant to solve deployment issues.

want to rid the world of the evil NAT, we must make sure IPv6 offers solutions for all problems NAT resolved.

NAT comes with a number of issues, out of which the most significant is the connection model that it implies. NAT is asymmetrical. Because of the way NAT works, it is mainly

usable for client/server sessions where clients within the private network initiate the session with servers sitting in the public network. The client will typically issue a Domain Name System (DNS) query for some public server name, and get the public server address. On the way back, the server will see only the public NAT address, expectantly a globally reachable one. Going the reverse direction is more troublesome. Anybody sitting

outside the private network (either on the public network or on a different private network) would have difficulties reaching a host behind NAT.

Some proxy servers can be used as "middlemen": They can handle all necessary application signaling and enable hosts to use each others NAT addresses as the reachable public address. Session Initiation Protocol (SIP) is a good example of such a solution. However, twisting every single peer-to-peer application to make it fit the client/server model appears to be a great

limiting factor to the adoption and deployment of new applications.

Another issue with NAT is that it does not look at any

information above IP/TCP/UDP/ICMP layers. Some applications have endpoint source addresses buried within their messages, which do not get translated by NAT at the same time as the IP header addresses. This typically happens with applications such as H.323 that tend to establish multiple connections within a single session. To solve those issues, application layer gateways (ALGs) may need to perform complex application-level

translations. When an application that required an ALG is deployed, NAT devices must support this particular ALG.

based on signing or verifying part of the packet, whether header or payload including IP addresses, will have trouble when addresses are overwritten. For instance, with IPsec, both Authentication Header (AH) and Encapsulating Security Payload (ESP) have issues with NAT, although at a different order of magnitude.

Can IPv6 Eliminate NAT?

NAT is used in the networks of 70 percent of Fortune 1000 companies, for better and worse. So, either NAT is not

necessary anymore after IPv6 is deployed, and the worst is gone. Or, IPv6 does not have a proper solution for all

deployment scenarios where NAT is in use and these networks will not transition. Although the large IPv6 address space

eliminates the need for NAT, it is important to explain how IPv6 also provides similar capabilities as the "perceived" benefits of NAT. This is the main purpose of Network Architecture

Protection (NAP), an Internet Draft addressing each NAT benefit (real or perceived) and matching it with an IPv6 solution. Table 1-1 lists NAT features, and for each, it provides pointers to IPv6 documentation (RFC, Internet Drafts, and so on) and refers to chapters of this book where solutions are reviewed.

Table 1-1. IPv4 NAT vs. IPv6 NAP

NAT Feature IPv6 Reference More Details In

Address

depletion IPv6 AddressingArchitecture, RFC 3513 Chapter 2Address Architecture, section "IPv6"

Address

management Preferred lifetime per prefix& multiple addresses per interface (ID)

Chapter 2, section "IPv6 Address Architecture"

IPv6 Unique Local

IPv6 auto-configuration:

RFC 2462 Chapter 3Provisioning, section "" IPv6

Procedure for Renumbering an IPv6 Network without a flag day: RFC 4192

Chapter 3, section "IPv6 Address Renumbering"

IPv6 VPNs (ID) Chapter 7 "VPN IPv6 Architecture and Services"

Site

multihoming[1]

Goals for IPv6 Site-Multi-homing Architectures: RFC 3582

IPv6 Multihoming Support at Site Exit Routers: RFC 3178

Architectural Approaches to Multi-homing for IPv6: RFC 4177

Chapter 4, section "Site Multihoming"

Server load

balancing[2] Chapter 8_{Load Balancing}, section "_" Server

Failover[3] _{Chapter 15, section}

"Enabling Cisco HSRP for IPv6"

End-system

privacy Privacy Extensions forStateless Address Auto-configuration in IPv6: RFC 3041

Chapter 2, section "IPv6 Addressing"

Topology

hiding IPv6 Network ArchitectureProtection (NAP) (ID) Chapter 2Addressing, section "" IPv6

MIPv6 tunnels: NAP (ID)

and RFC 3575 Chapter 8"Topology Hiding, section"

VPN Internet

access[4] IPv6 Unique Local_{Addresses: RFC 4193} Chapter 2_Addressing, section "_" IPv6

Recommendations on IPv6 Address Allocations to Sites: RFC 3177

Chapter 13, "Deploying IPv6 in an MPLS Service Provider Network"

Simple

gateway DHCP-PD Customer prefixupstream: NAP (ID) Chapter 3Provisioning, section "" IPv6

SLACC via RA downstream: NAP (ID)

Simple

security Context Based AccessControl (ID) Chapter 9Networks" "Securing IPv6

Local usage

tracking Address Uniqueness3513 : RFC Chapter 2Addressing, section "" IPv6

[1] A multihomed site can use NAT to translate the various provider addresses into a single set of private-use addresses.

[2] NAT can be used to load balance traffic over a set of servers by hiding their individual addresses behind a single NAT address. Other techniques can be used for the same purpose, which do not rely on NAT, and can work with IPv6.

[3] NAT is used in some high-availability scenarios by hiding active and standby hosts or routers addresses behind the same virtual address. Other techniques can be used for the same purpose, which do not rely on NAT, and can work with IPv6, such as HSRP (Hot Standby Router Protocol), VRRP (Virtual Router Redundancy Protocol), and GLBP (Gateway Load Balancing Protocol).

[4] Sites or individual hosts configured with private addresses use NAT to expose a public address (rather than their private address) when connecting to a public resource.

In addition to verifying that IPv6 deployments do not create issues in areas where NAT has a specific purpose, you will also have to examine coexistence issues. Because IPv4 and IPv6 are likely to cohabit for a significant period of time, you need to know whether there are any IPv6 deployment issues with regard to traversing IPv4 NATs. Indeed, many of the

transitioning mechanisms that Chapter 3 describes involve

NAT, and being able to properly traverse them is critical to IPv6 deployment.

Routing

The engineering community has not really touched the routing foundations of unicast services in the context of IPv6. Of

course, whenever an IPv4 routing protocol had some

dependencies on IPv4 addresses, work was done to produce an IPv6 version of it. This is the case, for instance, with OSPFv3.

Chapter 4 "IPv6 Routing Protocols," reviews these changes in the routing protocols. But besides "cosmetic differences," all IPv4 routing protocols are closely matched in IPv6, sharing the same design, often the same implementation, with the same area of applicability and the same issues. In IPv6, you will find the familiar Routing Information Protocol (RIP), Intermediate System-to-Intermediate System (IS-IS), Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).

QoS Services

Packet-switched technologies are well suited for data

communications, which, at first, did not care as much about timely delivery or resource reservation. With packet-switched technologies, the faith of packets is entrusted entirely to the best efforts and good will of the network. Although not

reassuring, the approach is more flexible and allowed these technologies to develop faster than the circuit-switched ones. Besides being capable of multiplexing the user traffic, they offer features that could easily enable new, revenue-generating

services on existing networks. The success of packet switching led to an ever-expanding set of applications leveraging IP. It was not long before time-sensitive applications were IP enabled, and they required special handling of their packets, especially under congestion conditions.

Because not all applications have the same requirements, the IP infrastructure must be enabled to offer different levels of

service for their traffic. Services can be grouped in several types depending on packet drop, delay, and delay-variation

constraints. These constraints are driven by applications such as interactive voice communications, audio, and video that are

sensitive to delay and delay variations (jitter), but they can afford to lose randomly a small percentage of the traffic. At the other end of the spectrum is the mission-critical application that needs reliable, no-loss data transfers while placing a lower

emphasis on timing requirements. The service level is an end-to-end concept that qualifies a mode of handling traffic based on its various characteristics such as type, content, source, and destination. Deploying QoS in a network enables it to support various levels of service. For some, the well-being of their

IPv4 QoS is implemented through two architectures. Integrated Services (IntServ, as in RFC 1633, was modeled based on the concept of circuit). In this case, the user, with the help of a signaling protocol called Resource Reservation Protocol (RSVP; RFC 2208), reserves the resources end to end before sending the data. Differentiated Services (DiffServ), described in RFC 2475 and RFC 3260, is the second architecture, and it relies on the information carried within each packet to make resource-allocation decisions at each network node. This approach is simpler and more dynamic; however, it requires a good understanding of the traffic profiles in the network and a

consistent end-to-end implementation of policies. DiffServ is a widely adopted QoS deployment architecture. Although the QoS concepts are reviewed in Chapter 5 "Implementing QoS," in-depth information on them and their deployment strategies can be found in various specialized books such as IP Quality of

Service, a Cisco Press book by Srinivas Vegesna.

With the dramatic increase of traffic transported over packet networks and the demands of the various services and

applications supported, it is difficult to understate the value of QoS in today's IPv4 networks. The same holds true for IPv6. Some hoped for an improved QoS in the next generation of the IP protocol, and some still believe that IPv6 is better than IPv4 in this respect. The reality is that neither evolutionary nor

revolutionary changes were made to IPv6 versus IPv4. Some claim radical QoS improvements in IPv6. These are but a myth at the time of this writing. The same concepts and architectures apply to the new protocol with few and insignificant differences that are discussed in Chapter 5 of this book. An additional

packet header field (Flow Label) is believed to hold the potential for improving the QoS mechanisms, but the means to use it are still being evaluated.

for IP transport will most definitely change the current

approaches on deploying QoS. IPv6 networks hold the potential to implement true end-to-end service level policies. But for now, IPv6 is content to follow in the footsteps of its

Multicast Services

Simply stated, the problem solved by multicast is this: allow one host to talk to several others without bothering everyone else. In a world with limitless resources, the solution is not difficultthe source would replicate the data stream into multiple unicast streams destined for all interested parties. In the real world, this obviously is not a scalable approach. On one hand, it would overburden the source, and on the other, it would have a tremendous impact on the network whenever

bandwidth-intensive traffic such as video is transmitted. A scalable

alternative is to let the network replicate the data as needed. In a "multicast-aware" network, the data stream is replicated

along the way, by the network elements, at points where paths to various destinations converge. A set of dedicated protocols ensures that this data is delivered with optimal utilization of the underlying IP infrastructure, while selecting shortest paths with minimal delay between the source and the destinations.

The demand for multicast services is on the rise, driven by the need for collaborative, real-time information sharing. A wide range of multicast-based applications made their way into both enterprise and service provider types of networks:

Enterprise networks Distribution of financial information (such as stock quotes), distribution of news,

videoconferencing, and delivering content to employees (for example, software updates or facilitate distance learning)

Despite the interest it generates, multicast took a long time and a lot of creative thinking to be developed to the level of a

reliable, manageable, and high-performance service offering. Multicast is deployed on top of an existent IP unicast

infrastructure and conceptually it deals with the same issues of addressing, routing, and forwarding, but sometimes from a radically different perspective. You can find a detailed

presentation of the IPv4 multicast operation and its deployment guidelines in Developing IP Multicast Networks, Volume 1 by Beau Williamson.

Multicast came as an afterthought in IPv4 and it had to deal with many of the limitations built in to the protocol up to that point. Some of these intrinsic constraints become more evident as productivity-enhancing applications and customer

requirements drive up the number of networks that deploy multicast services. By contrast, IPv6 multicast gained a

prominent role from the start and it was developed alongside unicast. This offers the unique opportunity to make it a

ubiquitous service from day one. The operation and benefits of IPv6 multicast are discussed in Chapter 6 "Providing IPv6

Multicast Services."

However, no dramatic changes should be expected; both implementations are built on the same principles. IPv6 took advantage of the larger addresses and larger addressing space while following a more practical approach with respect to

multicast routing protocols selection based on the lessons learned with the IPv4 multicast services. The following are some of the issues that IPv4 multicast faces:

Limited availability of MAC address for layer 2 multicast address mapping. IPv6 is facing a similar problem.

Rendezvous Point (RP) scalability problems in large

multicast domains. IPv6 provides additional mechanisms that facilitate RP to multicast group mapping.

Complex mechanisms used to contain multicast control and data traffic within multicast domains. Through address

scoping, IPv6 offers elegant new ways to mange the multicast traffic.

RP source registration information synchronization is done through the MSDP protocol, a protocol that was meant to be a temporary solution for this function. No further

development was done on the protocol for a couple of years. No mechanism is yet available in IPv6 to perform these functions.

The adoption of MPLS by most service providers and deployment of MPLS/VPN services are a challenge for multicast. Currently there is no mechanism available to support label switching of multicast. At best, multicast traffic is forwarded without leveraging the MPLS

infrastructure. An additional control mechanism is needed in order to isolate the multicast traffic within each VPN. A

stop-gap solution called Multicast VPN (MVPN) is currently offered in Cisco IOS. Nevertheless, with MPLS commonly deployed in Service Provider networks and making its way into the large Enterprise ones, a comprehensive solution to the "multicast over MPLS" problem is important not only for IPv4 but equally important for IPv6.

Note

multicast control plane within each multicast VPN routing and forwarding table (VRF). From a

forwarding perspective, the multicast traffic is

Generic Routing Encapsulation (GRE) encapsulated and IP forwarded. With MVPN, the multicast traffic is not MPLS labeled even though it might be deployed with MPLS based VPNs.

IPv6 multicast continues to evolve and develop. It adapts to practical market requirements such as Triple Play services and collaborative applications. Chapter 6 discusses the IPv6

multicast protocol set. It also covers the deployment options and improvements with respect to IPv4 multicast,

Virtual Private Networks

The Internet has become for most corporations, campuses, and other isolated networks a shared infrastructure to provide

connectivity for their mobile workers or to interconnect distributed locations. Private networks over a shared

infrastructure have been deployed since the infancy of the Internet and even before with proprietary protocols or

standards such as X.25. After all, 20 years ago, one could dial from home in to his corporate network and upload or download data. What has changed is the virtualization of the links

providing the connectivity. Furthermore, the method used for sharing these logical links has moved up from layer 1 (using Time Division Multiplexing, TDM) to layer 2 (X.25, Frame Relay, or ATM Virtual Circuits) to layer 3 (PPP IP tunnels).

While so many corporate networks started to use this shared infrastructure, they inevitably started to worry about security. Their sensitive data is being exposed to others on the shared links. Their hosts and servers, connected to a public shared network, can be reached from anywhere by anybody, including malicious hackers.

The VPN technology enables telecommuters to connect to their office network (and enterprises to connect their sites together) over a public infrastructure. It has mechanisms that offer

security and quality of service.

For a complete and detailed presentation on this topic, refer to

VPN Applications Guide by David McDysan, and MPLS and VPN Architectures by Ivan Pepelnjak and Jim Guichard.

Cost savings The Internet has become so ubiquitous, almost everybody can plug into it, potentially enabling connectivity with everybody else. Because it is

geographically spread everywhere, corporate users do not need anymore to dial long distance to reach remote

corporate resources.

Extended connectivity This is the concept of distributed and dynamic "closed user groups," where the VPN includes various networks with different privileges and excludes others. In a controlled way, this can include telecommuters and temporary users such as customers, partners, and so on.

Easy address-allocation process Addresses can be allocated from the IPv4 private address range. There is no need to coordinate the allocation through a control

organism as long as the communications stay in the VPN.

Simplification of the renumbering process Private addresses are less sensitive to external events, such as public addressing changes.

Services VPN can be used to deploy services not offered by the public network on a general scale.

Security VPNs have some built-in mechanisms to provide secure communications over the public infrastructure. One could argue that the deployment of VPNs is creating the problem that it then claims to solve. A bit of a sophism here!

Privacy The internal addresses are private to some extent because they are not published outside the private

Growth options Using small roads to interconnect remote sites makes it difficult to transport a lot of traffic when needed. Using shared highways provides opportunities to grow and to handle peaks as needed.

Address-depletion protection Some big organization might need more addresses than the IANA is ready to give up. VPNs enable it to use private address space and not worry about exposing these addresses over the public network.

Out of these benefits provided by VPN, some are perceived

benefits, in the sense that they are not directly provided by VPN technologies. The protection against address depletion, for

instance, is in fact achieved through NAT. Nodes in a private site are likely to require public resources access and will need public addresses to do so. To limit the number of these public

addresses required, some other technology is needed, to

expose a public address on these nodes behalf (one for many). This can be NAT or an application proxy.

So, are VPNs still useful with IPv6? The question is worth asking. Why would IPv6 customers ever need to deploy VPNs when they can get all the addresses they want? Why split the global address space into smaller chunks, if it is guaranteed that none of these addresses will ever overlap? In an ideal world full of honest people, that is probably true. This is precisely what VPN technology does not assume. It does not deal with issues of overlapping address space, but rather intends to isolate address spaces, and communications, to protect against malicious users. With IPv4, address-space overlapping simply becomes a by-product of VPN and NAT.

requirements that lead to similar solutions. VPNs are still useful in IPv6 networks.

However, IPv6 differs from IPv4 for two reasons that have

consequences on IPv6 VPN deployments. First, the IPv6 address space is large enough to allow address uniqueness, even across private networks. Second, by design, IPv6 does not support NAT. These differences do not drive fundamental requirement or technology divergence. But, they do have some consequences in various deployment scenarios. Chapter 7, "VPN IPv6

Architecture and Services," reviews IPv6 VPN technologies in detail and addresses the differences with IPv4. Chapter 13,

Security

Software applications and network infrastructures are mission-critical elements in today's economy. Those who use these resources as well as those who intend to abuse them

understand their value. Security is a broad term that

encompasses all the steps taken to evaluate the risks these resources are exposed to and implement the measures to counter them. Examples of threats and countermeasures include the following:

Software application attacks, denial-of-service (DoS) attacks, virus distribution, and data security breaches

Network infrastructure attacks, attacks on the network elements

Interception of data exchanged across public domains

IP security is not only a concern for enterprise networks; it is a concern even at the smaller scale of home networks. Internet access is becoming part of our daily lives whether we use it for online banking, VoIP, or information gathering. Attackers take this window to the larger world to be their door into the privacy of our own lives.

In some contexts, security takes a network management and operational perspective, although in others it becomes a

Sean Convery's Network Security Architectures.

Cisco SAFE Blueprint is a comprehensive set of references and design guides on securing various types of IPv4 networks and the services they deploy.

One of the most common misconceptions with respect to IPv6 is that it is more secure than IPv4. It is believed that when you eliminate NATs, IPv6 enables fully secured traffic to

transparently cross the boundary between public and private domains. The peer-to-peer communications model reinstated by IPv6 enables the endpoints to secure their information

exchange. This is a good idea if implemented by all endpoints. Otherwise, it could instill a false sense of security. Without having everyone participate in this new security paradigm, some RFC-obeying users might be left with a false sense of

security. It all started with the good intentions of RFC 2401 that mandated the use of IP Security (IPsec) with IPv6. Although the mandated observance would bring without a doubt a higher level of security, its success would depend on a consistent and proper implementation of IPsec on all applications and

networked devices. Until then, IPv6 is equally secure or

insecure as its counterpart is. In fact, most IPv6 deployments to date do not leverage any encryption, and that makes them

more vulnerable. The operational lessons learned from securing IPv4 networks and applications have yet to be all applied to IPv6, and this offers attackers extra opportunities during this transitional phase.

Overestimating how secure IPv6 is could be dangerous.

However, it would be unfair not to mention the committed effort made by the networking community to anticipate and provision for protocol security holes in IPv6. For new protocols that could be built with embedded security from the start, the topic was deemed so important that it blocked the standardization

the binding-update process. For protocols already built on the structure of their IPv4 counterparts, dramatic changes were avoided for practical reasons, and only limited tweaks were implemented. An example in this category is OSPFv3, which replaced the Message Digest 5 (MD5) authentication with IPsec AH and ESP headers to provide integrity, authentication,

confidentiality, and anti-replay protection of routing information exchanges.

Because of their similarities, IPv6 inherits the vulnerabilities of IPv4. For the common threats, the same countermeasures are applied. There are, of course, security improvements as well as new threats that stem from IPv6's idiosyncrasies, and these are discussed in Chapter 9, "Securing IPv6 Networks."

It is also important to address the entire area of IPv6 transition mechanisms. In this case, the various tunnel types open the door for IPv6 attacks, but more important, they provide

opportunities to circumvent the security measures protecting the underlying IPv4 infrastructure. In addition, changes made to IPv4 security measures and devices to accommodate IPv6 migration mechanisms can weaken an IPv4's network defense. Standardization work is being done to address these security risks, but for the time being they remain a concern.

IP Mobility

The Internet has become so pervasive that no matter where you are, you can plug your computer into a wall, or attach to a wireless LAN, and, after a while, you will be able to

communicate. Is not this mobility? Well, not quite.

That type of "mobility" is achieved by getting a new IP address within the network of attachment and losing all sessions bound to the previous IP address. This might be acceptable for

corporate users moving from work to home, but can be much more cumbersome for road warriors, and it can be a

showstopper for IP telephony.

Mobile IP provides a network layer for hosts that enables them to maintain the same IP address no matter where they are in the Internet, and keep receiving traffic as they move.

In Chapter 8, "Advanced ServicesIPv6 Mobility," MIPv6 is compared to MIPv4. Even though MIPv4 is a mature and

deployable technology, it faces limitations because of the nature of IPv4. At the same time, IPv6 mobility is considered as one potential enabler for IPv6. The number of IP-enabled devices and the need for any-to-any communications among them is driving requirements that IPv4 cannot easily satisfy, and it is opening opportunities for IPv6. By integrating functionalities designed for Mobile IPv4 into standard IPv6 protocols, and by leveraging existing IPv6 capabilities, MIPv6 has built up a MIP model that is much more compelling than its IPv4 counterpart.

It must be noted that enhancements to mobility are largely taking place in IPv6 related working groups, even though a