Thursday, May 2, 2013

My Experiences with IPv6

I finally cleared enough time on my calendar to start thinking about IPv6 for my corporate network. It’s been quite a while since I last considered implementing IPv6. Fortunately we haven’t had a reason to move forward, so my procrastination has not caused us any grief.
I spent a couple of hours reviewing Ivan Pepelnjak’s Enterprise IPv6 First Steps webinar. Great stuff! It hit on many of the topics I was interested in, including end host address assignments, native IPv6 DNS servers and transition techniques. Armed with a bit of knowledge (always dangerous), I decided to activate IPv6 on my home LAN.
At first I thought my ISP, Comcast, did not support IPv6. I looked for a while on Comcast’s website to find a rollout schedule, but every link took me back to www.comcast6.net, which was not helpful. I finally broke down and called Comcast support. I was told that IPv6 is enabled in my area, and pretty much everywhere in the Comcast network. My issue turned out to be an old Comcast-provided cable modem. The key to figuring this out is to visit the following web page - http://mydeviceinfo.comcast.net/. This page has an easy-to-use chart of approved devices and whether they support IPv6. I printed this out and took it to my local Comcast office, where they fortunately had a replacement modem available. Be warned, the folks at the Comcast office had never heard of IPv6, but they were able to find a modem on my printed-out list. So if you are going to try this yourself, bring the list!
Basic IPv6 Configuration
At home I use a Cisco 1811W router, currently running IOS Advanced IP Services 15.1(4)M6. The following configuration got me up and running on the IPv6 Internet:
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0
 description ISP Link
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd comcast-ipv6 rapid-commit
!
interface BVI254
 description Home
 ipv6 address FE80::1 link-local
 ipv6 address comcast-ipv6 ::1/64
 ipv6 enable

Adding Security
Of course, the above configuration is wide open to the Internet, which is unlikely to be your preferred configuration. I chose to implement Cisco’s Zone-Based Firewall, using the following configuration (hat tip to Jeremy Stretch for a fine overview):
zone security Trusted
zone security Internet
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect Trusted_to_Internet
zone-pair security Internet->Trusted source Internet destination Trusted
 service-policy type inspect Internet_to_Trusted
!
! Inside to Outside
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
class-map type inspect match-any Specific_Protocols
 match protocol icmp
 match protocol http
 match protocol https
 match protocol ftp
 match protocol dns
 match protocol ntp
policy-map type inspect Trusted_to_Internet
 class type inspect Specific_Protocols
  inspect
 class type inspect All_Protocols
  inspect
 class class-default
  drop
!
interface BVI254
 zone-member security Trusted
interface FastEthernet0
 zone-member security Internet
!
! Outside to Inside
! (I only allow DNS resolution from the OpenDNS servers, for content filtering. I added specific
! 'denies' for domain so I can see if anyone locally is trying to circumvent my security.)
ip access-list extended ISP_IN
 permit udp host 208.67.222.222 eq domain any
 permit udp host 208.67.220.220 eq domain any
 deny   udp any eq domain any
ipv6 access-list ISPv6_IN
 sequence 21 permit udp host 2620:0:CCD::2 eq domain any
 deny udp any eq domain any
class-map type inspect match-any From_Internet
 match access-group name ISP_IN
 match access-group name ISPv6_IN
policy-map type inspect Internet_to_Trusted
 class type inspect From_Internet
  inspect
 class class-default
  drop

Overall Thoughts
It’s really not too difficult to get this working, if your ISP supports it. I ran into a lot of trouble trying to implement IPv6 on an unsupported modem, and then working to determine if this was worthwhile. If your ISP does not support IPv6, you can register with Hurricane Electric’s tunnelbroker.net service and use their templates to configure your router. I went down this path briefly, with good results, but I ultimately didn’t need to use this service.
Whether this is worthwhile or not depends on your perspective. Enabling IPv6 does not get you any new features or Internet capabilities at this time. I wish that were not the case. I’d love to see companies like Netflix release certain shows earlier on IPv6 servers or something similar. It would drive user adoption and increase pressure on the ISPs to provide this service. The business case for doing something like this is unclear, so it is unlikely to happen.
I was surprised to discover that when the kids are home we have somewhere between 8 and 12 active IPv6 devices on the home network. All of the iPods, iPhones, Kindles, home PCs, etc. are IPv6-enabled. The site http://test-ipv6.com/ confirms that each of these devices is fully IPv6 ready (10/10 rating).
So what is out there on the IPv6 Internet? Not too much, in terms of distinct sites. The big ones (Facebook, Google/Youtube, Microsoft) are ready though. Surprisingly, while www.cisco.com is enabled, most of the other Cisco.com URLs do not seem to work. I am also disappointed to learn that OpenDNS’s IPv6 resolvers do not support content filtering. This makes them basically unusable for me, as I count on that service to keep the younger kids out of inappropriate web content.
One final technical issue I found is that it is practically impossible to host a server on IPv6 without opening up that port in your firewall for all IPv6 hosts. For example, if I want to host a web server on 2001:db8::1, I must add an entry in my screening ACL for ::/0 port 80. This is necessary because I cannot guarantee that my provider-assigned prefix will always be 2001:db8::/64. This could be solved with one of two enhancements to IOS:
  1. Allowing address wildcards in IPv6 (such as *::1/128, which could be implemented using a bitmask, as in ‘permit tcp ::1 FF:FF:FF:FF:FF:00:00:00:00 eq 80’)
  2. Allowing the delegated-prefix to be used in ACLs (such as ‘permit tcp comcast-prefix::1/128 eq 80’)
This is a nice-to-have, and not a necessity for my personal usage.
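As an added example (my own script, not code from this post or from Cisco), here is a small Python program that shows both halves of the prefix problem: `compose_address` does what `ipv6 address comcast-ipv6 ::1/64` does on the router (delegated prefix bits plus a fixed host suffix), `render_acl_entry` regenerates a one-host ACL line from the current prefix so the inbound entry can stay host-specific instead of ::/0, and `suffix_matches` emulates the wildcard match proposed in enhancement 1 by comparing only the low 64 bits of an address. The prefix 2001:db8:ffff::/64 is a constructed "renumbered" value to simulate the ISP handing out a different prefix; the function names and the ACL line format are my own choices.

```python
import ipaddress

# Constructed sample values: the documentation prefix the post uses, plus a
# made-up "renumbered" prefix to simulate the ISP delegating a new one.
CURRENT_PREFIX = "2001:db8::/64"
RENUMBERED_PREFIX = "2001:db8:ffff::/64"
WEB_SERVER_SUFFIX = "::1"  # the host part the router keeps fixed


def compose_address(delegated_prefix: str, suffix: str) -> ipaddress.IPv6Address:
    """Combine a delegated prefix with a fixed host suffix.

    Mirrors what `ipv6 address <pd-name> ::1/64` does: the prefix bits come
    from DHCPv6 prefix delegation, the low bits from the suffix. A suffix that
    sets bits inside the prefix portion is rejected rather than silently merged.
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=False)
    suffix_int = int(ipaddress.IPv6Address(suffix))
    host_mask = (1 << (128 - net.prefixlen)) - 1
    if suffix_int & ~host_mask:
        raise ValueError(f"suffix {suffix} overlaps the /{net.prefixlen} prefix bits")
    return ipaddress.IPv6Address(int(net.network_address) | suffix_int)


def suffix_matches(address: str, suffix: str, match_bits: int = 64) -> bool:
    """Emulate the wildcard ACL entry proposed in the post.

    Only the low `match_bits` bits are compared, so the entry keeps matching
    the intended host after the ISP changes the prefix, while still excluding
    every other host (unlike a `permit tcp any any eq 80` entry).
    """
    mask = (1 << match_bits) - 1
    addr_int = int(ipaddress.IPv6Address(address))
    suffix_int = int(ipaddress.IPv6Address(suffix))
    return (addr_int & mask) == (suffix_int & mask)


def render_acl_entry(delegated_prefix: str, suffix: str, port: int = 80) -> str:
    """Render an IOS-style inbound IPv6 ACL line for exactly one host.

    Re-running this whenever the delegated prefix changes is the workaround
    available today: the entry stays host-specific instead of opening the
    port to ::/0. The `permit tcp any host <addr> eq <port>` form follows the
    IPv6 ACL syntax used elsewhere in the post.
    """
    host = compose_address(delegated_prefix, suffix)
    return f"permit tcp any host {host} eq {port}"


if __name__ == "__main__":
    for prefix in (CURRENT_PREFIX, RENUMBERED_PREFIX):
        print(render_acl_entry(prefix, WEB_SERVER_SUFFIX))
    # The fixed-suffix match admits the web server under the new prefix...
    print(suffix_matches("2001:db8:ffff::1", WEB_SERVER_SUFFIX))  # True
    # ...but not a neighbour that merely shares that prefix.
    print(suffix_matches("2001:db8:ffff::2", WEB_SERVER_SUFFIX))  # False
```

Run it as-is to see the ACL line for both prefixes; in practice you would feed it the prefix currently shown by `show ipv6 dhcp interface` and push the resulting line to the router each time the delegation changes.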