Thursday, November 29, 2012

Microsoft PowerShell IPv6 best practices notes

I just wanted to jot down some notes about some PowerShell commands to use for IPv6 best practices for servers and workstations in enterprise environments.

I recommend turning off all the transition technology solutions on Windows systems, specifically 6to4, ISATAP and Teredo (unless you have a specific use case and design that leverages them.) The following PowerShell commands can be used to address each of those.

For Windows 8 and Server 2012 PowerShell v3 use:
# - specific IPv6 PowerShell cmdlets
# - turn off 6to4
Set-Net6to4Configuration -State Disabled
#
# - turn off isatap
Set-NetIsatapConfiguration -State Disabled
#
# - turn off teredo
Set-NetTeredoConfiguration -Type Disabled
#

For Windows 7 and Server 2008R2 PowerShell v2 use:
# - specific IPv6 netsh commands - still work from PowerShell
# - turn off 6to4
netsh interface ipv6 6to4 set state disable
#
# - turn off isatap
netsh interface isatap set state disable
#
# - turn off teredo
netsh interface teredo set state type=Disabled

#

To validate the configurations use the following.
For Windows 8 and Server 2012 PowerShell v3 use:
# - check 6to4 state
Get-Net6to4Configuration
#
# - check isatap state
Get-NetIsatapConfiguration
#
# - check teredo state
Get-NetTeredoConfiguration
#

For Windows 7 and Server 2008R2 PowerShell v2 use:
# - check 6to4 state
netsh interface ipv6 6to4 show state
#
# - check isatap state
netsh interface ipv6 isatap show state
#
# - check teredo state
netsh interface teredo show state
#
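Putting the two generations of commands together, here is an added example (not part of the original notes) that disables all three transition technologies with the Net* cmdlets where they exist and falls back to netsh otherwise, then reports whether each one is actually off. It assumes an elevated session and, for the netsh path, English-language netsh output.

```powershell
# Added example: disable 6to4, ISATAP and Teredo with whichever tooling the host
# has, then verify the result. Run from an elevated (Administrator) session.

function Disable-IPv6TransitionTech {
    # Windows 8 / Server 2012 ship the Net* cmdlets; Windows 7 / 2008 R2 use netsh.
    if (Get-Command Set-Net6to4Configuration -ErrorAction SilentlyContinue) {
        Set-Net6to4Configuration   -State Disabled
        Set-NetIsatapConfiguration -State Disabled
        Set-NetTeredoConfiguration -Type  Disabled
    }
    else {
        netsh interface ipv6 6to4 set state disable
        netsh interface isatap set state disable
        netsh interface teredo set state type=Disabled
    }
}

function Get-IPv6TransitionTechState {
    # Returns one object per technology: its reported state and a Compliant flag.
    if (Get-Command Get-Net6to4Configuration -ErrorAction SilentlyContinue) {
        $states = @{
            '6to4'   = (Get-Net6to4Configuration).State
            'ISATAP' = (Get-NetIsatapConfiguration).State
            'Teredo' = (Get-NetTeredoConfiguration).Type
        }
    }
    else {
        # netsh prints a small "Name : value" table (English output assumed);
        # anchor on the line start so "Resolution State" is not picked up too.
        $states = @{
            '6to4'   = (netsh interface ipv6 6to4 show state   | Select-String '^State\s*:') -replace '.*:\s*', ''
            'ISATAP' = (netsh interface ipv6 isatap show state | Select-String '^State\s*:') -replace '.*:\s*', ''
            'Teredo' = (netsh interface teredo show state      | Select-String '^Type\s*:')  -replace '.*:\s*', ''
        }
    }
    foreach ($tech in '6to4', 'ISATAP', 'Teredo') {
        $value = ([string]$states[$tech]).Trim()
        [pscustomobject]@{
            Technology = $tech
            State      = $value
            Compliant  = $value -match '^disabled$'   # "default" or "enabled" means still on
        }
    }
}

Disable-IPv6TransitionTech
Get-IPv6TransitionTechState | Format-Table -AutoSize
```

Any row with Compliant = False means the setting did not take (for example the session was not elevated), so the table doubles as a quick audit when run on its own without the Disable call.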

I hope to be putting together some more useful cmdlets for folks to get best practice configurations pushed out en masse for platforms regarding IPv6, adding in firewall rules and protections and perhaps some extensions for routing and source address selection for enterprises to control behavior the way they want.
- Ed

Monday, November 19, 2012

gogoNETLive! 3 IPv6 Conference is a wrap


The 3rd annual gogoNETLive! IPv6 conference happened last week at San Jose State University. The line up of presenters was fantastic and all the presentations were video recorded so keep an eye out because in the next month or two those should hit the website. The content will be posted to the agenda page where the slides are already posted next to their respective presenter bios.

I'm sorry this post didn't go out prior to the event happening but work and trying to get things ready for the event itself kept me from getting a blog post up. I would personally like to thank Scott Hogg, Jeff Carrell, Sam Bowne and Mike Meyers for putting on the workshops (which are sponsored by the California IPv6 Task Force) that happened on Monday the 12th. Unfortunately these were not video recorded so if you did not attend the event then you missed out. I would also like to thank Yurie Rich for hosting the IPv6 Forum Silver and Gold certification testing at the event. It allowed a lot of folks the opportunity to get tested and certified.

If you absolutely need to attend an IPv6 event prior to the end of the year the only one left is the Texas IPv6 Task Force IPv6 Summit but it starts Nov 19th (day of this post) and is two days.

Otherwise, I suggest marking your calendar for April 17-19th, 2013 so you can attend the North American IPv6 Summit, which is hosted by the Rocky Mountain IPv6 Task Force and held in Denver, CO. It is the largest, most influential and likely the finest IPv6 event in North America and I am proud to say I am involved with that event too.

I think 2012 really has been the year of IPv6, perhaps not from the deployment standpoint but certainly from the discussion and planning perspective. It is finally something that enterprises and service providers are able to build specific plans around deployment and operations and not feel they are totally bleeding edge for doing so. With the current momentum I think 2013 will only hold more promise for widespread deployment. The biggest challenge will continue to be education and closing the knowledge gap around IPv6.

So, if you want to be part of the in crowd and are living and/or working in California or for a California company feel free to send me an email - I'll be happy to send you a CAv6TF laptop sticker! (US only shipping is on us - outside US we will let you know the cost)
Happy holidays - now go deploy IPv6!
- Ed

Wednesday, October 03, 2012

IPv6 Video

Several IPv6 friends and colleagues of mine are featured in this video along with myself. The video does a nice job of overviewing IPv6 and why you need to pay attention to it. Enjoy!


- Ed

Monday, October 01, 2012

DevOps and the impact on traditional System, Storage and Network Admins

There has been more discussion lately on DevOps and how they are able to demand higher wages, and that it should be a position that traditional System, Storage and Network Admins should be striving for long term. I have a slightly different opinion. I think the number of individuals that actually fit in the DevOps category is very small, and this is by the definition itself. It is very difficult to achieve the mastery involved in being both proficient at System/Storage/Network plus having extensive development experience in several languages. I'm not talking scripting (though those that are good at scripting can do some impressive stuff) but those that can actually open up the source code for an application and fix it or tweak it to fit their needs.

My thoughts and questions around this topic are do traditional System, Storage and Network Admins have anything to fear over this new category of Operations? My initial thoughts are no, the roles that DevOps are filling in my experience have been on more complex environments with unique need requirements. They are typically part of very small teams tasked with getting large automation or deployment done. They want very technical people supporting the operations of the environment who can work and debug any part of the stack.

So what impact is this having in the industry? I do think that System, Storage and Network Administrators are now having to learn a lot more about each others' jobs. With virtualization such a huge part of the landscape of data centers the lines are blurred. One thing has become abundantly clear to me: automation and scripting are incredibly important for admins to have as a skill. In order to take advantage of all the tools for cloud services (public, private or hybrid), all of them require understanding and effectively using automation and scripting. So my personal short list is learning PowerShell, System Center (several of the products), Hyper-V and, if time allows, Orchestrator. Did I mention I spend my time focused on networking? Those tools, along with their counterparts in VMware, are increasingly becoming important to understand to deploy data center network architectures appropriately. Additionally, Puppet, Chef or cfengine would be good skill sets to add to my tool belt soon. If only I had more time! What is on your short list to learn and why?
- Ed

Friday, September 07, 2012

Windows Server 2012 RTM and Windows 8

On September 4th, 2012 Windows Server 2012 went RTM and is available for download in MSDN and Technet. To get up to speed there are some great resources available on the product and the huge amount of changes and enhancements Microsoft has put into this release.

To get a handle on it all Microsoft Press has made the Introducing Windows Server 2012 RTM edition available for free. You can download it as a PDF, Mobi or ePub format so there is no excuse not to go over to the site right now and get your free copy!

In terms of features, the Hyper-V update, PowerShell 3.0, Storage and Network updates are really important along with the obvious "cloud" enablement that Microsoft has been touting for awhile.

On a separate note, I haven't had time to install Windows 8 RTM onto my primary work laptop and I am considering waiting until the new Windows 8 Intel specific hardware comes out after the new year, which is about when my refresh cycle is up anyway. My other option is picking up a cost effective SSD and doing a clean build. In the meantime, if I really need to test things out I have my Windows To Go stick to play with Windows 8 on my laptop with no fear of damaging my system or losing any data.
- Ed

Thursday, August 02, 2012

I am presenting at TechMentor in August on IPv6


If you are interested in visiting the Pacific Northwest in August (which is a great time of the year to visit!) then come check out the TechMentor Conference. This year it will be held at Microsoft HQ in Redmond on August 20-24, 2012.

The list of presenters is pretty impressive like Don Jones, Mark Minasi, Bruce Rougeau and Greg Shields. You will also get to hear from me on IPv6 (of course) and lots of other great speakers.

Here's a small sample of the topics that will be covered at TechMentor this year:
  • Virtualization
  • Application Delivery
  • MCITP Certification
  • PowerShell
You can register at: http://bit.ly/TMRD2012
You can use the discount code of TMRTU for a $300 discount off the 5 day value package.
- Ed

Wednesday, August 01, 2012

Windows 8 and IPv6

For those that missed the Microsoft blog post by Chris Palmer explaining the IPv6 support that Windows 8 will have, it is worth a read. It is important enough that it was posted as a guest blog entry on the Building Windows 8 blog, which is pretty cool. With Windows 8 now RTM, understanding how IPv6 works in the Windows OS environment is pretty important. This is the third client OS release from Microsoft with comprehensive IPv6 support (Vista, Windows 7 and now Windows 8) and the server side is equally impressive (Windows Server 2008, 2008R2 and now 2012), so there is no excuse not to understand and start working with IPv6. After all, you have had since 2007 (Vista's release) to start working on your IPv6 skills!

The important takeaway from the post to me was that Windows 8 will not have full RFC 6555 (Happy Eyeballs) support in the way many in the industry wanted (Dan Wing and others.) Happy Eyeballs is an important stop gap solution to resolving much of the end user experience issues that happen when IPv6 isn't working correctly. The issues happen when IPv6 is turned on but broken (routing isn't working, for example) but is still preferred over IPv4 connectivity. This situation will become more common as IPv6 is more widely deployed but not as well understood by IT Professionals and helpdesk staff. My feeling is that their lack of comprehensive understanding of troubleshooting dual stack environments will make this issue more common in the next 1-2 years. Hopefully this will change as wider adoption of IPv6 means a better understanding of the protocol and its importance.


In my conversations with many at Microsoft regarding IPv6 and RFC 6555 it came to light that they see their client OS being deployed and supported much longer than many in the industry do. One of the principal concerns with doing a full RFC 6555 implementation was that it likely won't be needed in 3-5 years, and because of how RFC 6555 works it makes it much tougher to debug application behavior on the client. This is a huge concern for Microsoft, as custom applications deployed in Enterprise environments are a large part of their business. Making client behavior different depending on the application that is running, and per session, spells disaster in the QA testing area.


There are other considerations too about why they chose the path they did for doing such a limited support of RFC 6555 but the reality is... it doesn't matter. You can't change it, Windows 8 will make use of a modified RFC 3484 solution outlined in Chris' blog post and quoted below:

"Windows 8 tests IPv6 connectivity when you connect to a new network that advertises IPv6 routability, and it will only use IPv6 if IPv6 connectivity is actually functioning. This approach is a modification of our implementation of RFC 3484. Instead of sorting addresses as a result of policy, we use the actual state of the network as input to our algorithm. On a misconfigured network, this approach improves the experience not only for browsers but also for apps that connect to dual-stack destinations using standard Windows APIs.
Windows 8 performs the network connectivity test when you first connect to a new network; it caches this information and repeats the test every 30 days. The actual test for connectivity is a simple HTTP GET to an IPv6-only server that is hosted by Microsoft. (For standards buffs, this is implemented between rules 5 and 6 of destination address sorting in our implementation of RFC 3484.) Windows performs a similar network connectivity test for IPv4 connectivity. If both IPv4 and IPv6 are functioning, IPv6 will be preferred.
To make sure that Windows 8 does not cause problems on enterprise networks, the functionality has two safeguards:
  • If the enterprise has provided specific routing information to a particular destination, then Windows 8 will honor that preference, regardless of the connectivity determined by Windows. In enterprise environments, Windows assumes that network administrators who configure such routes specifically thought it was a good idea to use those routes.
  • This change isn’t implemented on networks with web proxies. In these networks, the proxy provides connectivity to the Internet; so end-to-end testing of IPv6 connectivity is not useful. Instead, Windows 8 simply opens connections to the proxy in the most efficient manner possible.
In this way, we’ve ensured that apps and experiences on Windows 8 can remain reliably and speedily connected to the Internet throughout the IPv6 transition, even if your local network is misconfigured."

So there you have it. More details about how it all works can be found in Joseph Davies' Understanding IPv6, Third Edition, an excellent reference book on how Microsoft has implemented IPv6 in Windows. Full disclosure, I was the technical editor for the book.
- Ed

Monday, July 23, 2012

Great IPv6 Subnetting Article by Chris Grundemann

If you want a great explanation of IPv6 subnetting then head over to Chris Grundemann's article; he does an awesome job of explaining the principal differences in thinking between IPv4 and IPv6 addressing and subnetting design. It is well worth the read.
- Ed

Friday, July 20, 2012

Understanding IPv6, Third Edition is now available!

Microsoft Press has released the new book Understanding IPv6, Third Edition by my friend Joseph Davies. I was fortunate enough to be asked by Joe to be the technical editor of the book and I am very excited about it now being available. Joe has done a great job covering some pretty difficult topics around IPv6 and if you are an IT Pro and doing Microsoft infrastructure architecture, design and deployment you really need to get this book. Why?

First, it has been updated for Windows 8 and Windows Server 2012 and some of the specific IPv6 behavior those two OS's will have versus previous versions of Windows. Second, it has updated recommendations on best practices for deployment in DirectAccess environments and also updated references to RFCs. The last point isn't trivial, as the RFC landscape around IPv6 is actually changing and has been moving around a lot within the last 3 years or so.

Finally, you will need a good technical reference around the IPv6 protocol and how it is implemented in Windows and this is the ONLY book that provides that. It was written by someone who has intimate access to the Windows COSD team (they write the network stack for Windows) and I think Joe does a wonderful job making a rather difficult subject matter something that can be understood quickly. Best of all, you don't have to read it end to end, it was designed to be read in chapters as they are relevant to you and what you are trying to do.

It is available from Amazon and at the O'Reilly / Microsoft Press site. The first chapter is available as a sample download too.

The book chapters are:
Chapter 1: Introduction to IPv6
Chapter 2: IPv6 Protocol for Windows
Chapter 3: IPv6 Addressing
Chapter 4: The IPv6 Header
Chapter 5: ICMPv6
Chapter 6: Neighbor Discovery
Chapter 7: Multicast Listener Discovery and MLD Version 2
Chapter 8: Address Autoconfiguration
Chapter 9: IPv6 and Name Resolution
Chapter 10: IPv6 Routing
Chapter 11: IPv6 Transition Technologies
Chapter 12: ISATAP
Chapter 13: 6to4
Chapter 14: Teredo
Chapter 15: IP-HTTPS
Chapter 16: NAT64/DNS64
Chapter 17: IPv6 Security Considerations
Chapter 18: DirectAccess
Chapter 19: Deploying IPv6 on an Intranet
Chapter 20: IPv6 on the Microsoft Corporate Network
Appendix IPv6 RFC Index
Appendix Testing for Understanding Answers
Appendix Setting Up an IPv6 Test Lab
Appendix IPv6 Reference Tables
Appendix Link-Layer Support for IPv6
Appendix Windows Sockets Changes for IPv6
Appendix Mobile IPv6
Appendix Teredo Protocol Processes

So there you have it, my shameless book plug. Honestly, I really do believe you will get great value from Joe's book if you have to do any work around IPv6 and Windows at all. Given everything that is happening on the Internet that should be a LOT of people!
- Ed

Friday, July 06, 2012

Follow up from Microsoft TechEd Europe

There were some additional questions I got at Microsoft TechEd Europe plus some great feedback I wanted to share about my presentation.

First off, thanks to everyone who attended my session in Amsterdam, it was a thrill to present to around 500 delegates and I appreciate all the survey feedback too (and the positive survey ratings!)

For everyone asking about how to get started and reference materials, in my previous post from my Microsoft TechEd North America presentation I have references for books, websites to get IPv6 tunnel broker services and even client host agents to get IPv6 up and working on your Windows 7 machine. To avoid duplication please just pop open that blog post to get that info.

One of the requests I got was for a white paper on how to get started on planning and deployment, something that could specifically be used with management. I don't have a specific white paper to provide however there are some excellent resources out on the web that might provide enough information to help in this area.

Specifically, you can look through both ARIN and RIPE's excellent websites for materials that might match your need requirements. In addition, ARIN maintains a great WIKI on IPv6 at http://www.getipv6.info which is well worth some time to review. There are commercial companies that can provide specific planning and deployment recommendations but those services are obviously not free.

If you are interested in seeing my session but you missed it in person my TechEd North American session is posted (audio and slides only.) I don't know if they will be posting the one from TechEd Europe or not.

- Ed

Thursday, July 05, 2012

Renewed as Microsoft MVP for 2012


I'm happy to say that I was renewed as a Microsoft MVP for 2012 on July 1st. Hard to believe I was first awarded way back in 2004, I'm not the oldest MVP by any stretch but it does remind me how long I've been involved in IT Pro user groups and community.

It is always an honor to be recognized and I am definitely looking forward to the next MVP Summit as the number of product changes and announcements Microsoft has been making as of late is pretty remarkable. It should make for some interesting interaction at the Summit - plus I get to see who actually got a Surface vs. tablet vs. laptop out of all my colleagues.

Also, a quick congratulations to all my fellow renewed and the brand new MVP's on the July award cycle. Keep up the good work and I'll catch you at a community event somewhere!
- Ed

Tuesday, June 12, 2012

Microsoft TechEd North America session - IPv6 Bootcamp Session follow up

I just finished up my IPv6 session at Microsoft TechEd - thanks to everyone who attended, I really appreciate that you took the time to come hear me talk. I promised to provide some of the content references. I have to confirm with Microsoft that I can publish the deck that has the full comments in it (they were removed from the deck available for download) before I can publish anything. If you attended my session please feel free to reach out to me and I will see what I can do to get you specific information (like sample configuration files.) Please remember to fill out your evaluation for my session too!

The book references I had mentioned that you might be interested in:

Understanding IPv6 2nd Edition by Joseph Davies, Microsoft Press
IPv6 in Enterprise Networks by Shannon McFarland, Muninder Sambi, Nikhil Sharma, Sanjay Hooda, Cisco Press
IPv6 Security by Scott Hogg and Eric Vyncke, Cisco Press
Planning for IPv6 by Silvia Hagen, O’Reilly Press
IPv6 Essentials, 2nd Edition by Silvia Hagen, O’Reilly Press
DNS and BIND on IPv6 by Cricket Liu, O’Reilly Press
Day One: Exploring IPv6 by Chris Grundemann, Juniper Networking Technologies Series
IPv6 Network Administration by Niall Richard Murphy and David Malone, O’Reilly Press
Running IPv6 by Iljitsch van Beijnum, Apress
Global IPv6 Strategies: From Business Analysis to Operational Planning by Patrick Grossetete, Ciprian Popoviciu, Fred Wettling, Cisco Press
Deploying IPv6 Networks by Ciprian Popoviciu, Eric Levy-Abegnoli, Patrick Grossetete, Cisco Press

The following RFCs related to IPv6 are here for reference:
  • 2460 - IPv6
  • 3068 - 6to4
  • 3986 - URI Syntax
  • 4193 - ULA
  • 4380 - Teredo
  • 5214 - ISATAP
  • 6146 - NAT64
  • 6147 - DNS64
  • 6296 - NPT66
  • 6343 - 6to4 advisory
  • 6555 - Happy Eyeballs

If you are interested in starting to play with IPv6 there are several resources to do so. If you want to set up an IPv6 tunnel from your router then try out tunnelbroker.net, which is run by Hurricane Electric. You will need to set up an account to use the service.

If you want to try it out on your Windows 7 or Linux client use freenet6 which is a free service from gogo6. You will also need to set up an account to use freenet6 too.
- Ed

Friday, June 08, 2012

Microsoft TechEd North America - IPv6 Bootcamp

I will be heading out to Orlando on Sunday to present my IPv6 Bootcamp session at Microsoft TechEd. I'm pretty excited as this will be my first time presenting at TechEd and a chance for me to address a different audience than I typically present to. I've done plenty of IPv6 specific conferences and they have a different focus. People attending those are attending specifically because they want to learn IPv6. TechEd is different; folks are attending it because it is the biggest Microsoft event where you can hear directly from Microsoft about their products and technologies.

So this is a rare opportunity for me to broaden my reach to those who might not be as familiar with IPv6 and why it is important. I hope if you are attending Microsoft TechEd that you will swing by Tuesday morning (my session starts at 10:15am - WCL324) and come learn some IPv6, ask questions and hopefully expand your horizons about why IPv6 is going to be a critical topic to know now and in the near future.
- Ed

Wednesday, June 06, 2012

The IPv6 bandwagon

I have to admit, there are times when I get tired of watching some companies and industry folks claim IPv6 expertise when clearly they are just jumping on the bandwagon. I am grateful for the current interest in IPv6 that is pushing adoption forward and I have been impressed with lots of companies who have been waving the flag for years now and have put their money where their flag waving is.

For those who are new and trying to figure out who is legit in the IPv6 arena, I think the easy way is to see what events a company has sponsored over the years. If they have helped in regional IPv6 Task Force summits or conferences or have run their own IPv6 events for more than a year or two they are likely legit.

The same goes for speakers and industry experts. If you are talking to someone and they claim to have been working with IPv6 since 1995 or such nonsense you can call bull - the RFC (2460) didn't come out until Dec 1998. Unless they were working with Bob Hinden and Stephen Deering on the draft (not very likely) then they are full of it. To be honest, I have been slightly alarmed at recent IPv6 events I have been attending where I am chatting with folks and a new person I get introduced to claims to have years of industry experience deploying IPv6. I am far from a long timer in the IPv6 community but due to my position on the California IPv6 Task Force and my regular attendance at IPv6 events across the country I think I am relatively familiar with the majority of regular speakers and presenters who have real world IPv6 experience and relevant information to share. Often when I ask around these self proclaimed experts are not known by any of my colleagues. I ask because I'm relatively new to the IPv6 community.

I've been fortunate enough to be on panels or presented at conferences with the likes of Jeff Doyle, Scott Hogg, Shannon McFarland, Ciprian Popoviciu, Silvia Hagen, Bob Hinden, Jeremy Duncan, Yurie Rich, John Curran, Owen DeLong, Stephan Lagerholm, Shane Amante, Yanick Pouffary, Jason Fesler, Tom Coffeen, Ron Broersma, Lorenzo Colitti, John Jason Brzozowski, Dan Wing, Eric Vyncke, Andrew Yourtchenko, Mark Townsley, Dave Ward, Erik Kline, Vint Cerf, Chris Grundemann, Salman Asadullah, Elise Gerich, Bruce Sinclair, Jordi Palet, Tony Hain, Stan Barber, John Baird, Joe Klein, Joseph Davies, Chris Palmer, Dave Thaler, Martin Levy and countless others who are regular IPv6 contributors. The contribution level varies but it has been very exciting to say I've been involved in a small way with this community of impressive individuals.

Clearly my list of folks is heavily biased on individuals participating in North American conferences and events and the list would be massive if the rest of the world was included. I wish I could keep a complete list of folks who have true IPv6 expertise but I think the days of having a manageable list are over.

Am I crazy to be concerned about this? I am not sure, the reality is we want more and more folks to adopt and use IPv6 and as that happens the rising tide will lift everyone to greater IPv6 proficiency and eventually expertise. This is a good thing so I guess I will calm down and stop being concerned about too many people getting on the bandwagon, after all, that is the point of all of this!
- Ed


Thursday, May 31, 2012

North American IPv6 Summit - Advanced IPv6 design and deployment items for enterprise networks that are Microsoft technology focused

Back on April 9 through the 11th was the North American IPv6 Summit in Denver, CO. I presented on "Advanced IPv6 design and deployment items for enterprise networks that are Microsoft technology focused" and my presentation is now posted up on the site.

In addition to presenting I also had the opportunity to build out the Cisco wireless network that was used for the conference. It was an interesting experience due to the fact that the wireless was dual stacked and we made SSID's available for each of the carriers brought in for the conference. To top it off, we also made IPv6 only SSID's for each of the carriers allowing conference attendees the chance to test out what IPv6 only connectivity was like. Of course the other SSID's were dual stacked.

The Cisco Wireless LAN Controller required the newest software release of 7.2.103 in order to properly support IPv6. After a few early bumps (and reboots) everything worked as expected and we had several hundred folks up and running on wireless for the duration of the conference. Some interesting IPv6 deployment caveats came out from doing this work. First, due to older Mac OSX and Linux clients not having a DHCP client in the OS, it meant that we ended up having to run both DHCPv6 and SLAAC on the same network. Effectively we had to set the A, M and O flags all at the same time. This meant that Windows 7 client machines ended up with three global unicast IPv6 addresses plus their link local addresses: one from DHCPv6, one from the privacy address that is dynamically built (instead of EUI-64) and a temporary address built for the random privacy address to do outbound sessions. Mac OSX and Linux clients built out SLAAC EUI-64 addresses as expected but were unable to obtain DNS information unless they ran a DHCPv6 client, as we did not have RFC 6106 set up at all.

Overall, it was functional, but far from perfect. Given we had less than 8 hours to turn the whole thing up I was not disappointed, because we had a working network built by a diverse group of engineers who all came together in one day. I would consider that a pretty impressive feat.
- Ed

Wednesday, May 30, 2012

One week away from World IPv6 Launch

June 6th, 2012 is World IPv6 Launch. The goal is to get as many companies and web properties as possible to turn on IPv6 and leave it on. Some of the largest Internet content companies will be turning up IPv6 and leaving it up.

If you haven't invested time in learning IPv6 this should be a wake up call to do so. If you are a Microsoft IT Pro and attending Microsoft TechEd in June in Orlando you can attend my session - WCL324 - IPv6 Bootcamp. If you are a Cisco network sort of person and are attending Cisco Live! in San Diego (the same week as Microsoft TechEd - go figure) you can attend Shannon McFarland's presentations on IPv6, which are excellent. Either way, it is time to learn IPv6 and if you don't know it by now we might have to revoke your geek card.
- Ed

Friday, March 23, 2012

Techdays SF - VPN Session Presentation

For those that attended my VPN session at TechDays SF at Microsoft today, thank you. I am making available my handout which is a reference guide to go along with my presentation. Feel free to contact me if you have any questions and make sure to fill out your surveys about the sessions.
- Ed

Monday, March 12, 2012

Less than two weeks until TechDays SF


I am co-chairing a regional IT Professional conference in San Francisco called TechDays SF. The conference is going to have some amazing speakers (many who present at Microsoft TechEd and other major IT conferences across the US) and I encourage you to check out their bios and the session abstracts too. The conference is at Microsoft's San Francisco office and is Thursday March 22nd and Friday March 23rd from 9am to 5pm both days. The TechDays website has all the details so I won't rehash it all here but please do plan on joining us, it should be a great event!
- Ed

Tuesday, February 14, 2012

IPv6 to IPv6 Network Prefix Translation or NPTv6

I was reading through some comments on reddit about NAT66 or RFC 6296 which is really NPTv6 and I realized that universally there seems to be a misunderstanding of why NPTv6 is needed, when you would use it and that it was intended to only address the needs of those use cases and not to emulate what is happening in IPv4 today.

Credit should be given to far smarter folks than I on this topic, specifically Dan Wing with Cisco, who first explained NAT66 to a lot of folks (notice he is presenting on how to avoid having to do NAT66) and who also authored the Happy Eyeballs draft RFC, which should pop out of draft here shortly. Dan is soft spoken but I'll call out that he is the co-chair of the IETF Behave (Behavior Engineering for Hindrance Avoidance) working group along with Dave Thaler from Microsoft. Obviously credit also goes to Fred Baker and Margaret Wasserman for authoring the RFC, though I haven't been lucky enough to chat with either of them about it; I hope to do so, opportunity permitting.

Okay, on to NPTv6.

So what is NPTv6? NPTv6 is simply rewriting IPv6 prefixes. If your current IPv6 prefix is 2001:db8:cafe::/48 then using NPTv6 it would allow you to change it to 2001:db8:fea7::/48 - that is it. It is a one for one prefix rewrite - you can't overload it, have mismatching prefix allocations sizes, re-write ports or anything else. Importantly, it doesn't touch anything other than the prefix. Your network/host portion remains intact with no changes.

So what is NPTv6 not? It is not for sharing IPv6 addresses, it is not for port overloading and it is not stateful.

Now that we have the ground rules set, let's talk about the use cases that NPTv6 was brought about to address. Fundamentally, NPTv6 addresses deficiencies in current host behavior and the lack of support for source address selection, next-hop route selection and split-zone DNS. The most common use case will be fixing source address selection issues for homes and SMBs that have two providers (for whatever reason: redundancy, walled-garden services like VoIP or IPTV, etc.). For almost all enterprises this is not an issue, as they will obtain Provider Independent (PI) IPv6 space and dual-home properly. They might have to deal with split-zone DNS, but I will address that in another post.

What happens when you have two Global Unicast Addresses (GUAs) on the same interface? To clarify, that is not two interfaces each with a GUA. The host has to decide which of the two addresses to use as the source, yet it knows nothing about how routing works within the network, so it most likely falls back on RFC 3484 to determine what to do. There are already many issues with host behavior outlined in RFC 5220, so go read that to get a good idea of some of the challenges.

Let's go over a sample practical use case to show where NPTv6 might help your home dual-provider situation. This is an example: the prefixes are unnaturally large for an SMB or home user, and I will update the diagrams later to properly reflect the prefixes you would get in a real-world situation. Regardless, it is sufficient to show the issue.

Source Address Selection Diagram - the problem:

The solution for the home user or SMB is to remove the multiple-GUA configuration and use a single IPv6 GUA on the interface. Once this is done, you end up with proper traffic flow.

Source Address Selection Diagram - the fix, case 1:
In the above diagram the host only has a single GUA to source traffic from and therefore selects it to send a request to a server, in this case 2001:db8:f000::1. Notice that the host forwards the traffic to RTR A, which is its default gateway. RTR A then forwards the traffic outbound and everything works as expected.

Source Address Selection Diagram - the fix, case 2:
In the above diagram the host only has a single GUA to source traffic from and therefore selects it to send a request to a server, in this case 2001:db8:ff00::b. Notice that the host forwards the traffic to RTR A, which is its default gateway. RTR A then forwards the traffic to RTR B, because in this case a static route has been entered for a longer, more specific prefix. RTR B receives the traffic and, because it has NPTv6 set up, it realizes it has a prefix match and must do a prefix replacement before forwarding the traffic upstream. RTR B then forwards the traffic outbound and everything works as expected.
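RTR B's prefix replacement step above, together with the one-for-one /48 rewrite defined at the start of the post, as an added example in Python (not the post's own code, and not any vendor's implementation). It uses the post's two prefixes; the host address and subnet IDs are constructed. Beyond swapping the prefix, RFC 6296 also adjusts the subnet-ID word so that TCP/UDP checksums stay valid without being recomputed; the code includes that step and the inverse mapping for the reply.

```python
import ipaddress

# Prefixes are the ones from the post; host and subnet values below are constructed.
INSIDE = ipaddress.IPv6Network("2001:db8:cafe::/48")   # LAN-side prefix on RTR B
OUTSIDE = ipaddress.IPv6Network("2001:db8:fea7::/48")  # provider-side prefix on RTR B

def words(addr):
    """Eight 16-bit words of an IPv6 address, most significant first."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]

def ones_sum(values):
    """One's complement sum of 16-bit words, folded back into 16 bits."""
    total = sum(values)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def address_sum(addr):
    """Folded one's complement sum of a whole address (what a TCP/UDP checksum sees)."""
    return ones_sum(words(ipaddress.IPv6Address(addr)))

def nptv6(addr, src, dst):
    """Rewrite prefix src to prefix dst on addr (RFC 6296, /48 rule).

    Besides the three prefix words, the subnet-ID word (bits 48..63) absorbs the
    checksum difference between the two prefixes, so address_sum() is unchanged.
    """
    if src.prefixlen != 48 or dst.prefixlen != 48 or addr not in src:
        raise ValueError("expects a /48 to /48 mapping and an address inside src")
    ws = words(addr)
    # adjustment = sum(src prefix words) - sum(dst prefix words), one's complement
    neg_dst = ~ones_sum(words(dst.network_address)[:3]) & 0xFFFF
    adjustment = ones_sum([ones_sum(words(src.network_address)[:3]), neg_dst])
    subnet = ones_sum([ws[3], adjustment])
    if subnet == 0xFFFF:   # same one's complement value as 0x0000; RFC 6296 uses 0x0000
        subnet = 0x0000    # (which is why subnet ID ffff cannot be used behind NPTv6)
    new_ws = words(dst.network_address)[:3] + [subnet] + ws[4:]
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in new_ws))

def outbound(addr):
    """LAN -> provider: what RTR B does before forwarding upstream."""
    return str(nptv6(ipaddress.IPv6Address(addr), INSIDE, OUTSIDE))

def inbound(addr):
    """Provider -> LAN: applied to the reply coming back."""
    return str(nptv6(ipaddress.IPv6Address(addr), OUTSIDE, INSIDE))
```

Running outbound("2001:db8:cafe:1::10") gives 2001:db8:fea7:cc57::10, not 2001:db8:fea7:1::10, and address_sum() of both is identical, which is the checksum-neutral property.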

So realistically, how do we avoid all this in the first place? The only way is for the host to gain more intelligence in deciding which source address to select. Some sort of policy control would have to happen in the host OS. Alternatively, all hosts could participate in some sort of routing to determine proper paths and hold a forwarding table. I don't really see that as a viable alternative in many environments today.

In other words, there is little a network engineer can do to fix this problem. It really is a host OS issue, and if network engineers really want NAT to go away fully in IPv6, then we have to beg and plead to get a fix done in all the major OS platforms. It also brings to light one of the biggest changes between IPv4 and IPv6: a host can have multiple IPv6 addresses per interface. Somehow we need to get routing information onto the host.

So, is NPTv6 desirable from an IPv6 perspective? I would argue no: I would prefer that my host selected the correct source address and everything just worked. The problem is that it doesn't work that way today, and for the foreseeable future it doesn't look promising. So NPTv6 is a necessary evil to address some of these corner-case conditions of getting IPv6 deployed widely on the Internet today.
- Ed