Monday, October 21, 2013

I am speaking at the IT Roadmap event in San Jose Oct 24

I will be doing a presentation on IPv6 at the Network World IT Roadmap event at the San Jose Convention Center on Thursday, Oct 24. If you are interested there is still time and room to register for the event. My presentation is "IPv6, Now is the Time" and my long time friend and colleague John Hoffman from Oracle will be presenting with me, talking about how Oracle is doing their IPv6 deployment and some of the challenges and issues they have run into over time.
If you are in the area I encourage you to come attend the event. There is a wonderful line-up of topics and presenters, so it will be worth your time.
- Ed

Thursday, October 17, 2013

Network Field Day 6 - Post Mortem

It has been close to a month since I participated in Network Field Day 6 and I am finally getting a chance to write up my thoughts and feelings about the experience overall, and also about the companies that participated and hosted all the delegates to show us what they are doing.

First, a quick perspective on what Stephen Foskett is doing with Tech Field Day (and all the related events he is involved with) - simply amazing. I can't say enough about how impressed I was with the event. The engagement and quality of the delegates was fantastic and the overall experience of interacting and meeting folks of that caliber was really special. For that alone I give a tip of the hat to Stephen, Tom and Claire for all their hard work in pulling together such a unique opportunity and event.

Second, I have a slightly different perspective on things, being a first time delegate and perhaps not as prolific a blogger as some of the other delegates. Since I have had some time to think about who I saw at NFD6, I thought I would give you my impressions of the companies who presented and which one has had a lasting impact by still being top of mind for me.


With that, I would say the lasting impact company has to be ThousandEyes. ThousandEyes has an IT performance management platform that I can see a ton of different customers using to solve all sorts of unique problems that until now have been relatively difficult to solve.

First of all, the easiest way to see how their product works is to check out their videos that give the overview. What struck me right away with what they were doing is how obvious it was, and then I wondered why no one had done that before! To me, that is the sign of a great product, when it just clicks and makes sense.

So what is unique about what they are doing? It is the marriage of a good graphical monitoring solution with public and private agents, but designed for monitoring SaaS applications. They aggregate information from both private agents (that you can run from any location you control) and public agent sites that they maintain. In addition, their service and design work so well that major SaaS providers are using it themselves to measure their performance. If you are responsible for measuring and reporting on SaaS SLAs at all then you should be seriously looking at what they are doing. That really is how they are unique. There are lots of performance monitoring tools out in the market, but this is the first that marries these functions together in an elegant way that is very intuitive.

To be fair, I was impressed with many of the other manufacturers that participated in NFD6 and I will likely take a moment to put a blog article together on them also, but of all the companies ThousandEyes really stood out. So there you have it, a company you should really go check out.
- Ed


Disclosure and Disclaimer:
ThousandEyes (and other manufacturers) participated in the Networking Field Day 6 event, thus indirectly covering some of my travel expenses. At no time did they ask for, nor were they promised, any kind of consideration in the writing of this review. The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone unless I specifically blame someone else for my mistakes, which is uncool but might happen.




Wednesday, September 25, 2013

I am speaking at TechMentor in Las Vegas Sept. 30 - Oct. 4 on IPv6


For those of you who are Windows admins and interested in learning about IPv6, I am doing a 3 hour session at TechMentor in Las Vegas next week, September 30th through October 4th. You can still sign up for the event. The conference overall is an excellent chance to learn from some of the best in the community: Greg Shields, Don Jones, Mark Minasi and many others. The exciting part is the change that TechMentor has put in place for their format: it is all hands-on labs and deep dive sessions, so you really get to learn a lot. The presenters aren't trying to sprint through content and can take the time to explain things and have much more engaging discussions about topics of interest.

My session is Mastering IPv6 for the Inspiring Windows Server Administrator and I will be taking you from the basics of IPv6 through to some practical advice and a demo or two. So please join me in Las Vegas, perhaps we can chat all about IPv6 and what is happening with it. If not, we can always talk PowerShell, Hyper-V, System Center and Azure!

My session description:
Have you been scratching your head wondering what this IPv6 thing is all about and how it might impact you? Have you seen an IPv6 address and wondered how in the world do I subnet that? The first part of the session is focused on explaining the basics of IPv6 and how it is both different and similar to IPv4. The second part is how to set up a basic working configuration, best practices and common problems you may run into in deploying IPv6. We also cover the default assumptions Microsoft has in place for IPv6 and how that impacts your decisions and how you should manage your environment.

Hope to see you in Vegas!
- Ed



Friday, September 20, 2013

IPv6 Unique Local Address or ULA - what are they and why you shouldn't use them

I am often asked interesting questions by fellow IT professionals about IPv6. Some are worthy of a blog post or two, so here it is. The subject of IPv6 Unique Local Addresses or ULA (which is one of the unicast IPv6 address types) seems to be getting more attention now that IT professionals are actually looking at how to deploy IPv6. I thought I would share some brief information about ULA and follow up with my thoughts about it.

ULA is a unicast address type and is limited to the fc00::/7 prefix. This means the prefix has a fixed binary value of 1111 110x, where ULA defines the 8th bit (x) as the local flag, L. This splits the block into fc00::/8 (L=0) and fd00::/8 (L=1). The local flag value of 0 hasn't been defined and therefore should not be used at all, which eliminates the fc00::/8 prefix from being used. The local flag value of 1 indicates that the prefix is locally assigned. That means the only valid ULA addresses to use today are from the fd00::/8 prefix.

There have been a few interesting efforts to coordinate ULA prefix allocations. I have no idea why you would do this but you can check it out at SixXS's site. The reality is, fd00::/8 by definition is locally assigned, and RFC 4193 defines an algorithm that generates a pseudo-random /48 prefix out of that range so that collisions between independently chosen prefixes are very unlikely (useful later if two organizations merge or connect their networks over a VPN). Alternatively you can put your MAC address into the SixXS site and it will generate a prefix for you. You can find how the algorithm works in Section 3.2.2 if you want more details.
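To make the RFC 4193 Section 3.2.2 procedure concrete, here is an added worked example (mine, not code from the post, from the RFC or from the SixXS generator) that carries out the steps: build a modified EUI-64 from a MAC address, concatenate a 64-bit NTP timestamp with it, SHA-1 the result, keep the least significant 40 bits as the Global ID, and put it behind fd00::/8 to form a /48. It also classifies an address as usable ULA (fd00::/8), reserved ULA (fc00::/8, the undefined L=0 half) or not ULA, which is the check the previous paragraph describes. The MAC address and timestamp in the demo are constructed values, not anything from the post.

```python
"""RFC 4193 section 3.2.2 ULA prefix generation, plus a classifier for the
fc00::/8 (reserved, L=0) versus fd00::/8 (locally assigned, L=1) split."""
import hashlib
import ipaddress
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800

FC00_8 = ipaddress.IPv6Network("fc00::/8")  # L=0: undefined by RFC 4193, do not use
FD00_8 = ipaddress.IPv6Network("fd00::/8")  # L=1: locally assigned, the usable half


def mac_to_modified_eui64(mac):
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 Appendix A): insert ff:fe
    between the OUI and the device part and flip the universal/local bit."""
    octets = bytes(int(o, 16) for o in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address, got %r" % mac)
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def ntp_timestamp(unix_time):
    """64-bit NTP timestamp: 32-bit seconds since 1900, then a 32-bit fraction."""
    whole = int(unix_time)
    fraction = int((unix_time - whole) * (1 << 32))
    return struct.pack(">II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF,
                       fraction & 0xFFFFFFFF)


def ula_global_id(mac, unix_time):
    """Steps 3-5 of RFC 4193 3.2.2: SHA-1 over (time || EUI-64) and keep the
    least significant 40 bits as the Global ID."""
    key = ntp_timestamp(unix_time) + mac_to_modified_eui64(mac)
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def generate_ula_prefix(mac, unix_time=None):
    """Step 6: fd (fc00::/7 with L=1) || 40-bit Global ID gives a /48 prefix."""
    if unix_time is None:
        unix_time = time.time()
    gid = ula_global_id(mac, unix_time)
    prefix_int = (0xFD << 120) | (gid << 80)  # subnet and interface bits stay zero
    return ipaddress.IPv6Network((prefix_int, 48))


def classify_ula(address):
    """'assigned' for fd00::/8, 'reserved' for fc00::/8 (L=0), else 'not-ula'."""
    addr = ipaddress.ip_address(address)
    if addr.version != 6:
        return "not-ula"
    if addr in FD00_8:
        return "assigned"
    if addr in FC00_8:
        return "reserved"
    return "not-ula"


if __name__ == "__main__":
    # Constructed inputs: a made-up MAC and a fixed timestamp so the run repeats.
    net = generate_ula_prefix("00:11:22:33:44:55", unix_time=1379635200)
    print("ULA /48 prefix:", net)
    for a in (str(net.network_address), "fc00::1", "2001:db8::1"):
        print(a, "->", classify_ula(a))
```

Because the Global ID is 40 bits of a hash over the current time and a node identifier, two sites that each run this independently are very unlikely to pick the same /48; that is the whole point of the algorithm, and it is why hand-picking something memorable like fd00:1::/48 defeats it. The classifier is the check to run on any fc00::/7 address you find in a config: anything in fc00::/8 is not valid ULA today.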

So what has sparked all this interest in ULA? I think it is happening because many IT organizations think deploying IPv6 should be done in the same manner as IPv4. If you spend any time around IPv6 professionals you will quickly learn that IPv4 thinking doesn't apply when designing IPv6 networks. As an example, the role of NAT and address conservation are entirely thrown out the window. I think there is still a lot of confusion around the role of NAT and many IT professionals still consider NAT a security feature. NAT never was intended to be (and never functionally was) a security solution. The "unsolicited inbound traffic is dropped" behavior people credit to NAT comes from the stateful connection tracking that sits next to the translation, and a stateful firewall gives you exactly that without translating anything. All NAT itself provides is a way to conserve the use of public IPv4 addresses. If you disagree, I'm sorry, you are wrong.

Getting back on track, the analogy is often given that ULA is like IPv4 RFC 1918 address space. I believe this triggers people to think they should use ULA in the same way they are using RFC 1918 today. In other words, assign ULA everywhere on their internal network and run a NAT solution at their edge via a firewall or router. This looks exactly like what they do in IPv4. It also turns out that this is completely WRONG for IPv6.

It actually isn't accurate to say that ULA is like RFC 1918 address space. RFC 1918 address space was specifically set aside for the purpose of running NAT because of the shortage of public IPv4 addresses. There is no shortage of IPv6 address space and there will not be any within your lifetime, your children's lifetime or your grandchildren's lifetime or, well, you get the picture. So how is ULA like RFC 1918? The design of ULA was to have an IPv6 address space that would not route on the public IPv6 Internet - ever. In that capacity, ULA and RFC 1918 addresses are the same, neither was intended to be used on the public Internet at all. ULA was designed for labs or other resources (think secure military uses or maybe internal networks at power plants for example) that NEVER need to (or should ever) talk to the global Internet.

Let me repeat that: you use ULA when you never want to talk to anything on the Internet. I have seen many IT professionals say there should be NAT solutions in IPv6. There are some limited corner cases where solutions like NPTv6 (network prefix translation for IPv6, a stateless one-to-one mapping of one /48 onto another) might solve some problems, however I am not aware of any production ready implementations of NPTv6. In fact, the NPTv6 RFC is still in Experimental status (see RFC 6296) and the former solution, NAT-PT, has been moved to Historic status (see RFC 4966), so really you have no robust NAT solution to date outside of server load balancing solutions like SLB66.

So what do you do? Simple, you reject your IPv4 ways of thinking and adopt the IPv6 way of thinking. You deploy global unicast IPv6 addresses throughout your network and use a stateful packet inspection firewall to control traffic and enforce security rules (default deny inbound, allow established and related state outbound, and explicit permits for the services you actually expose). You build good routing policies and leverage host based firewalls to enhance your security posture. In fact, you do all the same security measures you do for IPv4, you just happen to be using global unicast IPv6 addresses. Why? Because we have enough IPv6 addresses that we don't need NAT anymore.

What advantage do you gain by doing this? First, you don't break protocols that embed address information in their session setup (FTP's PORT/EPRT commands and the SDP body of a SIP call are the classic examples). NPTv6 will still break those protocols, requiring firewalls and other network devices to run application layer gateways that try to do "fixups" or intelligent repairs on the fly to sessions. Why waste time on that when, if you simply use global unicast addresses with no network address translation, the protocol doesn't require any special handling?

Finally, it is easier to manage, complies with every design recommendation you will find out there on deploying IPv6 and reduces the chance you will have breakage for a service later (assuming your firewalls aren’t blowing it up – but at least you only have to look in one place for that issue).

So there you have it. In summary, ULA is appropriate for a lab, a proof of concept, a highly isolated network and maybe an out-of-band control network. Even then, I would still argue you could do all of those functions with global unicast addresses and simply put the correct routing and firewall rules in place. ULA is designed to never be routed on the public IPv6 Internet and as a result you should not be assigning ULA to hosts in your network unless you have the correct use case. Otherwise, stick with global unicast IPv6 addresses. Do IPv6 right the first time so you don't have to go back and do it again. As a final thought I give you Andrew Yourtchenko's fun NAT YouTube video.


- Ed

Tuesday, September 17, 2013

Cricket Liu presenting on IPv6 at Dyn Geek Summer Camp

Cricket Liu, who is the VP of Technology and Architecture at Infoblox, recently gave a wonderful IPv6 presentation at Dyn's Geek Summer Camp that I encourage you to watch. I have embedded it in this post for your viewing pleasure. He has some great points about the issues with IPv4 depletion and what will be happening long term with IPv6 adoption.


- Ed