Microsoft IT's IPv6 Killer App
2 likes4,458 views
The document discusses the company's IPv6 evolution over time. It began IPv6 trials in 2006 and worked towards a full corporate deployment. Key steps included enabling IPv6 in operating systems, transition technologies, routing protocols, security tools, and datacenters. Challenges included address scaling, control plane traffic increases, and routing between IPv4 and IPv6. The company now has full IPv6 backbone and 63% of hosts enabled, with a goal of full dual-stack by end of year. It is piloting an IPv6-only network using NAT64 and has found most applications and services work but some do not. Future plans include expanding DNS64 and testing NAT64 redundancy.
Microsoft IT's IPv6 Killer App
- 3. Agenda
- 4. IPv6 Evolution • ISATAP tunneling for IPv6 enablement for development and research started in 2006. • Operating Systems IPv6 capable • Client and Server OS’s on the corporate network IPv6 capable and prefer v6 by default • Transition Technologies • ISATAP deployed and then deprecated in favour of dual-stack • Initial IPv6 only pilot • Native deployed in selected locations
- 5. IPv6 Evolution continued… • World IPv6 Day June 8, 2011 • Corporate wide interest and excitement leading up to World IPv6 launch day!! • World IPv6 Launch June 6, 2012…..YAY!
- 6. Enabling IPv6 • Routing Protocols • IGP • VPNv6 • Security infrastructure v6 aware • Firewalls v6 enabled • Other security components (AMA, APT, DLP, IDS) v6 capable • NetFlow v9 deployed • Corporate on-prem datacenters IPv6 enabled • Includes hardware load balancers • Internet Peering • IPv6 internet peering enabled • Enabling direct v6 internet into labs on request
- 7. Internet Routing Challenges • Initial announcement of ARIN /32 from HQ in Seattle • Lack of certainty about advertising space from one regional RIR in another region • Questions about geolocation • Considered PI /48s • Proceeded to procure one /32 per region • No IPv6 NAT for first implementation – Therefore could only announce in one location in the region – E.g. Tokyo in Asia and Dublin in EMEA
- 8. IPv6 Challenges • Enabling dual-stack at the user edge created some scaling issues • ARP and ND timers – much increased traffic • Increased control plane traffic – SSDP, LLMNR • Challenges with introducing IPv6 into MPLS • Issues with OSPFv2/v3 taking different paths through the network. Mostly solved by IS-IS J • Extension Headers – quickly fixed by vendor • Quirks introduced by IPv6 – eg DAD on WAN links • Staff training • IPv6 addressing seems to be hard • Ensuring consistency between IPv4 and IPv6 during new deployment • Operational issues with IPv6
- 9. IPv6 current status • Current Stats – 100% of WAN and Backbone is v6 enabled; IS-IS backbone (OSPFv2/v3 campus) – 63% of managed hosts are v6 enabled – Dual stack on 20% of corporate access network – 6,400 internal v6 routes, 20,000 internal v4 routes – DNS AAAA to A record comparison – Expect to have complete network dual stack by end of year Europe Redmond A – 34,545 A – 410,679 AAAA – 31,946 AAAA - 321,113 FarEast Development A – 67,115 A – 147,633 AAAA- 32,039 AAAA – 131,402
- 10. IPv6 Killer App… • I know you have more v4 addresses…
- 11. Vanishing RFC1918 space – Options • Start looking at internal NAT44 OR NAT64 • We are piloting v6-only using NAT64 (with DNS64). • For wired we are using DNS64 via Direct Access* deployment • DHCPv6 stateful on existing DHCP server • Cisco ASR1K for NAT64 • Wireless Guest Network • BIND9 on Windows Server 2012 • DHCPv6 stateless on Windows Server 2016 • Cisco ASR1K for NAT64 *Microsoft VPN solution
- 13. IPv6-only Pilot Results – what works • Native IPv6 • Office 365 • Xbox.com • Microsoft.com • Windows update (test) • Skype for Business • Applications via NAT64; no noticeable performance degradation • SharePoint • Yammer • Bing search • Windows RPC/SMB • Windows RDP • Xbox VOD, video playback
- 14. IPv6-only Pilot Results– what doesn’t work • Applications • Skype • Other applications with IPv4 embedded addresses • X-Windows applications • Microsoft homegrown applications • Non-client devices • IP phones • Conference room schedule monitor • Security cameras
- 15. IPv6 w/NAT64 Pilot Results • Switching between v6-only wired and dual-stack wireless • Had to disable Ethernet when switch to dual-stack wireless (Ethernet preferred over Wi-Fi) • Without Stateful DHCPv6, no “release6, renew6” had to issue PowerShell “restart-netadapter” • Still have to figure out IPv4 embedded • 464xlat for mobile, what about wired • Operations and Troubleshooting • Issues when one troubleshooting step is to turn off IPv6 Generally things just worked
- 16. Future Thoughts § DHCPv6 or SLAAC or both? § DNS64 deployed globally § IPv6 Multicast § NAT64 redundancy testing § TE - Segment Routing? § Management
- 18. 2 0 0 1 : 4 8 9 8 : 0 0 0 0: 0 0 0 0 :0:0:0:0 0010 0000 0000 0001 0100 1000 1001 1000 0 000 0000 0000 0000 0000 0000 0000 … 0000 32 bit prefix 8 site bits 64 bit IID “I” bit 6 block bits /40 /48 /64 16 subnet bits “D” bit 0000 0000 1) Bit 33 0=Corpnet 1=Internet 2) Bit 34 0=Corpnet 1=Delegations 3) Bits 35-40 Regional Blocks Puget Sound, Canada, Americas EMEA APJ 4) Bits 41-48 Site Bits Site = Hub location ROW PS core aggregation pair First /48 reserved for infastructure 5) Bits 49-64 User Subnets 6) Bits 65-128 Host identifiers
- 19. AMA - Advanced Malware Analysis DLP - Data Loss Prevention IDS - Intrusion Detection System APT - Advanced Persistent Threats Appendix: Acronyms
- 20. Disclaimer § This presentation and the content therein cannot be, duplicated, modified or excerpted without the express written approval of Marcus Keane marcus.keane@microsoft.com 20