Tuesday, November 29, 2011

When to consider using Provider Assigned IPv6 address space

For network engineers who spend their days designing IP networks and running BGP, the thought of running Provider Assigned (PA) IPv6 address space is often met with a look of repulsion and disdain. Given the relative ease with which most enterprise network engineers can run multi-homed BGP and have redundant Internet Service Providers with a single IPv4 or IPv6 address block, this might be a justified reaction. However, there are cases where it might make sense for smaller businesses, and even smaller branch offices, to run IPv6 PA address space.

For instance, if you have a remote office that has limited service provider options, and perhaps it is not cost effective to run BGP at the remote site, you can utilize PA space to dual stack the site and simply put IPv6 ACLs in place to build corporate access policies. For small businesses it makes little sense to try to BGP multi-home, due to the hardware and engineering talent required to maintain such arrangements. Considering how infrequently a company changes ISPs for a given location, it is not inconceivable that turning up a new service provider and migrating to a new PA block is a reasonable solution for many.

The biggest outcry I hear most often is from System Administrators who seem to think changing IP addresses will break all their server configurations, printer settings and other items. My calm reply is that they can continue to utilize IPv4 RFC 1918 space as they were and that if they are not using DNS for name resolution by now then they should likely not have that SA job anymore. DNS allows for an easy migration from one PA block to a new one with minimal impact. In addition, you can utilize DHCPv6 to manage resources and the lease times, ensuring that the migration can be quick and relatively painless, like most other maintenance windows for OS upgrades or WAN service provider transitions. Hosts are also designed to have multiple IPv6 addresses in use at the same time, which theoretically means the host would control the timing of the cut-over from one PA space to a new one.

To top it off, it could be argued that for MPLS or other WAN services it might make sense to get PA space for those point-to-point links. That allows better summary aggregate routing for the Provider Independent (PI) space you do have as /48 sites, without wasting a /48 on WAN or VPN links within your network. You could even put route filtering in place to prevent the propagation of the PA space out of your network, which would control transit WAN/MPLS traffic loads. Just because the Global Unicast Address (GUA) space you get from your provider is available to route globally doesn't mean you have to advertise it, or even have the service provider advertise it.

With the recent introduction of RFC 6296 it is possible to migrate from one prefix to the other in one move, but doing this requires some downtime while the prefix replacement happens. It also introduces the problem of which IPv6 address the host actually has at any given moment (it won't have both, as it would during a migration). Realistically it breaks end-to-end transport by being yet another version of NAT. While it is a good tool to have, I don't advocate utilizing it unless the use case truly dictates needing it. Just migrate to a new IPv6 address block and things will work as expected. Hopefully your business will grow enough that the migration will be to PI address space and you only have to do the migration once!
- Ed
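
To make the RFC 6296 point concrete, here is an added example (not part of the original post) of the checksum-neutral /48 prefix translation that RFC describes. The prefixes and host address are the values from RFC 6296's own worked example; the function names are this example's own. It shows why the address in outside logs and ACLs is not the one configured on the host: the subnet field is rewritten along with the prefix.

```python
import ipaddress

def fold(total):
    """Ones' complement 16-bit addition: fold carries back in."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def ones_sum(addr):
    """Ones' complement sum of all eight words, as a checksum sees them."""
    return fold(sum(words(addr)))

def translate(addr, src_prefix, dst_prefix):
    """Rewrite addr from src_prefix to dst_prefix, checksum-neutrally."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    src_sum = fold(sum(words(src.network_address)[:3]))
    dst_sum = fold(sum(words(dst.network_address)[:3]))
    # The adjustment cancels the checksum change caused by the prefix swap.
    adjustment = fold(src_sum + (~dst_sum & 0xFFFF))
    w = words(addr)
    subnet = fold(w[3] + adjustment)
    if subnet == 0xFFFF:  # RFC 6296: 0xFFFF is written as 0x0000
        subnet = 0
    out = words(dst.network_address)[:3] + [subnet] + w[4:]
    value = 0
    for word in out:
        value = (value << 16) | word
    return ipaddress.IPv6Address(value)

if __name__ == "__main__":
    inside, outside = "fd01:203:405::/48", "2001:db8:1::/48"  # RFC 6296 example
    ext = translate("fd01:203:405:1::1234", inside, outside)
    print(ext)                              # address seen outside the translator
    print(translate(ext, outside, inside))  # mapped back for return traffic
```

The host in subnet 0x0001 appears outside as subnet 0xd550, so any firewall rule, flow record or incident timeline keyed on the internal address has to be mapped through the same function before it will match.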
