IPv6 Case Study from University of Colorado Denver in Denver, Colorado
The University of Colorado in Denver has a presence across two main campuses – the Anschutz Medical Campus in Aurora, Colorado and the Auraria Campus in Downtown Denver. Over the past year, I spearheaded the effort by the network team to complete a project of enabling IPv6 across both campuses. This involved extensive planning phases, going through project creation and approval, and finally the roll-out to our approximately 30,000 users.
We began by obtaining IPv6 space from ARIN. Lining up supporting documentation as well as approval of the contract amendment by the University purchasing team was a time-consuming portion of the planning phase. We knew we wanted to get ample space for the future, so we requested and got approval for a /40.
Make it Official
In discussion with my manager, we decided that the best way to get buy-in from the whole IT department was to make it an official project. This is key as it sets expectations for all the project members and stakeholders, and holds each team member accountable for completing their assigned tasks. We regularly hold a Project Review Board where members of the IT staff can present project frameworks. At one such meeting, I presented the benefits of implementing IPv6. Representing the network team, I argued that migrating to IPv6 is not optional, and adoption of it over the legacy IPv4 protocol is happening at other major universities and will soon become the dominant protocol on the internet. The earlier you adopt it, the easier implementation will be as networks only increase in complexity over time. We also discussed efficiency gains as complex NAT schemes would no longer be needed for pure IPv6 traffic. The project was approved by our CIO and it became an official mandate across central IT to deploy IPv6.
We felt that an important part of the rollout was to educate the technical staff outside of the central IT department. To facilitate this, we brought in an outside vendor to give a half day presentation on IPv6 and what it meant. We had a good turnout of about 150 people.
Over the past couple of years, we implemented MPLS across both of our campuses. This made implementation of IPv6 easier as we could target well-defined chunks of our network for rollout. We saw a brand new IPv6 network as an opportunity to atone for legacy protocol sins, and designed the new dual-stack network with redundancy and scalability in mind from day one. Having already rolled out MPLS also presented its own challenges, as we found that some of the features present in the IPv4 world hadn’t yet become available on the IPv6 side. It has become a running joke that IPv6, at 20-some years old, is such a young protocol that we can’t expect vendors to support it just yet.
Since our legacy network routing table was sprawling with thousands of routes, we took the opportunity to summarize our IPv6 routing table as much as possible and it is currently less than 50 routes.
We decided on DHCPv6 for our addressing scheme, and began handing out addresses from our centralized DHCP and DNS appliance. This negated the need for disabling privacy extensions and also made the client addresses a little more manageable.
One issue we’ve had for a long time is the presence of 6to4 adapters on our Windows computers. Since we still have workstations with public IPv4 addresses, they automatically create a 6to4 tunnel. While this was intended as a transition technology, we’ve found that it can cause issues by generating thousands of incorrect DNS entries, and clients will mistakenly use these 6to4 adapters, which can lead to connectivity problems. This added challenges to user buy-in because they believed this to be an IPv6 problem. As part of our implementation plan, we disable these adapters through Windows Group Policy.
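The stray DNS entries described above are AAAA records inside 2002::/16, the prefix a host derives from its own public IPv4 address (2002:WWXX:YYZZ::/48 for W.X.Y.Z). The following audit script is an added example, not code from the case study or the university; the zone export lines, host names and the 198.51.100.0/24 campus range are constructed, and it uses only the Python standard library.

```python
"""Audit exported DNS records for auto-registered 6to4 (2002::/16) AAAA entries.

A Windows host with a public IPv4 address W.X.Y.Z derives the 6to4 prefix
2002:WWXX:YYZZ::/48 and may register addresses from it in DNS. Such records
point at a tunnel adapter, not at the dual-stack address the DHCPv6 server
handed out, so they are worth finding and cleaning up after 6to4 is disabled.
"""
import ipaddress

# Constructed sample of a zone export as (name, type, rdata) tuples; not real data.
SAMPLE_RECORDS = [
    ("ws-101.example.edu", "AAAA", "2002:c633:6401::c633:6401"),        # 6to4 address
    ("ws-102.example.edu", "AAAA", "2001:db8:1:20::1a2b"),              # DHCPv6-assigned
    ("ws-103.example.edu", "AAAA", "2002:c633:6402:0:e1f0:1234:5678:9abc"),  # 6to4, random IID
    ("srv-1.example.edu", "A", "198.51.100.1"),                         # IPv4 only, ignored
]

# Constructed public IPv4 range of the workstations (assumption for the example).
CAMPUS_IPV4 = ipaddress.IPv4Network("198.51.100.0/24")


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the /48 6to4 prefix a host with this public IPv4 address would derive."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 2002 in the top 16 bits, then the 32 IPv4 bits; host bits are zero for a /48.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def find_6to4_records(records):
    """Return (name, ipv6, embedded_ipv4, from_campus) for each AAAA in 2002::/16."""
    hits = []
    for name, rtype, rdata in records:
        if rtype != "AAAA":
            continue
        addr = ipaddress.IPv6Address(rdata)
        embedded = addr.sixtofour  # stdlib property: IPv4 inside a 2002::/16 address, else None
        if embedded is None:
            continue
        hits.append((name, str(addr), str(embedded), embedded in CAMPUS_IPV4))
    return hits


if __name__ == "__main__":
    for name, v6, v4, ours in find_6to4_records(SAMPLE_RECORDS):
        origin = "campus workstation" if ours else "outside our IPv4 range"
        print(f"{name}: {v6} is a 6to4 address embedding {v4} ({origin})")
```

Records whose embedded IPv4 falls inside the campus range are the workstations' own tunnel registrations; anything else embeds an address the organization does not own and deserves a closer look.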
It is a great advantage to start as early as possible in your IPv6 deployment. This way you’re not forced to react to future requirements and you can do a controlled rollout. From a budgeting perspective, it did not require any capital expenditures to implement IPv6; however, with our MPLS project we had refreshed quite a bit of our hardware already. We did find some caveats with older supervisor modules that did not have all the IPv6 support we needed, so we had to withhold rollouts to certain segments until equipment could be replaced.
I also feel buy-in from the entire department is crucial as it creates clear expectations for the entire team and produces a cohesive message from help-desk and workstation support to system administrators and network engineers.
After the success of our IPv6 rollout, I’ve had conversations with network engineers from our sister institutions expressing interest in our IPv6 implementation. As collaboration between organizations who often have overlapping private IPv4 space increases, I see IPv6 becoming even more important.
Overall, we’ve seen no complaints from our end-users as we’ve rolled out IPv6 across both of our campuses. To be honest, very few people are even aware they have IPv6 access, which is exactly as it should be.
Read more here: teamarin.net/feed/
Please read this guest post by Enric Pujol, a network data analyst. Enric looks at potential barriers that prevent ISPs from carrying more traffic over IPv6.
Read more here: labs.ripe.net/RSS
Juniper Networks has found and mostly patched a flaw in the way the firmware on its routers processes IPv6 traffic, which allowed malicious users to simulate Direct Denial of Service attacks.
The vulnerability, which seems to be common to all devices processing IPv6 addresses, meant that purposely crafted neighbour discovery packets could be used to flood the routing engine from a remote or unauthenticated source, causing it to stop processing legitimate traffic and leading to a DDoS condition.
According to Juniper’s advisory report:
Read more here: feeds.arstechnica.com/arstechnica/index?format=xml
Cisco today released a high-level alert warning about a vulnerability in IPv6 packet processing functions of multiple Cisco products that could allow an unauthenticated, remote attacker to cause an affected device to stop processing IPv6 traffic, leading to a denial of service (DoS) condition on the device.
Cisco states: “The vulnerability is due to insufficient processing logic for crafted IPv6 packets that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 Neighbor Discovery packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to stop processing IPv6 traffic, leading to a DoS condition on the device.”
The company has also pointed out that the vulnerability is not Cisco specific and any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware is affected by this vulnerability.
There are no workarounds that address this vulnerability as of yet and customers are advised to rely on external mitigation techniques.
Read more here: feeds.circleid.com/cid_sections/news?format=xml
By Ed Tittel
The original title for this story was “Transitioning from IPv4 to IPv6,” but when we started researching, we quickly realized that most organizations are adopting an outside-in strategy, rather than moving over from all-IPv4 to all-IPv6 deployments. This means that they’re often taking steps to accommodate incoming and outgoing IPv6 traffic at the organizational boundary and translating between the two stacks, or tunneling one protocol over another, for internal access and use. The majority of internal clients and other nodes are using IPv4, with increasing use of IPv6 in dual-stack environments (environments that run IPv4 and IPv6 protocol stacks side-by-side).
Read more here: www.networkworld.com/category/lan-wan/index.rss