IPv6 Foundation Part 13: IPv6 Internet Connection Planning

IPv6 Foundation Part 13 - IPv6 Internet Connection
How to design your IPv6 Inter­net Con­nec­tion, IPv6 Net­work Plan­ning, Mul­ti Homed / Dual Homed, need PI Space? Find all your answers and more right here!

Table of Con­tents

About this course

So you are inter­est­ed in IPv6, which is absolute­ly great!

IPv6 is not only the future of net­work­ing, it is already here today! All the big play­ers on the Inter­net are already IPv6 enabled and it is now time for you to join the par­ty!

This course cov­ers all major aspects of the new Inter­net Pro­to­col and what changed, com­pared to IPv4. You will under­stand the fun­da­men­tals and be ahead of your peers that are still on the sink­ing ship of IPv4! As of today, there are no IPv4 address­es left and we have no oth­er option but to go ahead and deploy IPv6.

IPv6 Act Now

IPv6 Foun­da­tion Part 13: IPv6 Inter­net Con­nec­tion Plan­ning & Address Plan­ning

This is the final chap­ter of the IPv6 Mas­ter Class. Now you know all the tech­ni­cal details and you are able to do real-world plan­ning of your Inter­net con­nec­tion and local net­work using state of the art best-prac­tice approach­es.

How to do Net­work Address Plan­ning for IPv6

The IPv6 address space is vast and has to be planned with cau­tion to not waste space and ruin your chances of hav­ing a clean and best-prac­tice design. Remem­ber, more than the whole cur­rent IPv4 address space fits in a sin­gle /64 IPv6 net­work, which some of us use as a tran­sit link. Think about installing an IPv6 address man­age­ment solu­tion, such as phpi­pam. See Chap­ter IPv6 Address Man­age­ment for more infor­ma­tion.

Hav­ing so much space at your dis­pos­al means you have to plan extra super accu­rate­ly, before you are in the mid­dle of the roll­out and find our you have made a big mis­take and have to start from scratch. We have all been there!

How to chose the right IPv6 Net­work Sizes

There are the fol­low­ing best prac­tices for IPv6 Net­work Sizes:

  1. The min­i­mum allo­ca­tion of Region­al Inter­net Reg­istries (RIRs) to LIRs (providers) is /32.
  2. The allo­ca­tion from Local Inter­net Reg­istries (LIRs) to end users is most­ly /48.
  3. Client net­works should always use /64 to make State­less Address Auto­con­fig­u­ra­tion (SLAAC) pos­si­ble, if need­ed
  4. Trans­fer net­works should always use /127 - or larg­er, if Next Hop Redun­dan­cy Pro­to­cols (NHRPs) or mul­ti­ple nodes are required in the same seg­ment -> then you should use /126 or sim­i­lar). Don’t use /64 for tran­sit links, see below why!

Why you should always use /127 Tran­sit Links in IPv6 instead of /64

The net­work­ing com­min­i­ty had a very long dis­cus­sion about the cor­rect size of trans­fer net­works. It con­tin­ued for years. The two sides of the sto­ry were:

Opin­ion A: all IPv6 net­works are /64, no mat­ter how many hosts they have
“we have enough address­es, we don’t need to save them”

Opin­ion B:  “let’s not waste address­es, but instead maybe use a sin­gle /64 for all the trans­fer net­works we need in one orga­ni­za­tion”

Final­ly we have a stan­dard with RFC6164,
“Using 127-Bit IPv6 Pre­fix­es on Inter-Router Links”. I ful­ly sup­port this RFC and deci­sion!

By the way: Sub­net Router Any­cast is deac­ti­vat­ed on /127-Links, so the usage of the first (::) address is indeed pos­si­ble.

Should you use Link-Local/U­nique Local (ULA) or Glob­al Address­es for Address­ing your IPv6 Infra­struc­ture?


I rec­om­mend using only Glob­al address­es for all infra­struc­ture but let’s look at the issue from an objec­tive per­spec­tive:

Advan­tages of using Link-Local/U­nique Local (ULA) for address­ing your infra­struc­ture:

  1. Rout­ing pro­to­cols use Link-Local address­es any­way.
  2. The Infra­struc­ture is not reach­able (thus not attack­able) from the out­side.

 

The dis­ad­van­tages:

  1. No tracer­oute (vis­i­bil­i­ty) and no Path MTU Dis­cov­ery is pos­si­ble, because nobody from the out­side can reach your local address­es. This makes trou­bleshoot­ing and vis­i­bil­i­ty very hard.
  2. Your Infra­struc­ture is not man­age­able from the out­side. This might not be a prob­lem. Maybe it is even an advan­tage instead of a dis­ad­van­tage for you.

 

I do pre­fer full IP reach­a­bil­i­ty and then reg­u­lat­ing access with fire­walls. Pri­vate IPv6 Address­ing for the pur­pose of “secu­ri­ty by obscu­ri­ty” feels an awful lot like using NAT with IPv4 to secure your pri­vate net­work. I’m glad the NAT times are over, let’s do IPv6 the right way and not make the same mis­takes again.

How to get your IPv6 Inter­net Con­nec­tion run­ning

All the dif­fer­ent IPv6 Inter­net Con­nec­tion Types explained

Let’s look at the dif­fer­ent options how you can con­nect to the native IPv6 Inter­net with­out using tun­neled tech­nolo­gies.

In my detailed post Wie erhält man IPv6-Adressen? (cur­rent­ly only avail­able in Ger­man) I describe the dif­fer­ent ways how you can request your own per­ma­nent IPv6 address space.

How to Design a Sin­gle Homed, Native IPv6 Inter­net Con­nec­tion via one ISP

Your IPv6 address­es will be assigned out of the Provider Aggre­gat­able (PA) Space of your upstream Inter­net Ser­vice Provider.

This IPv6 Inter­net con­nec­tion is sin­gle homed and has no redun­dan­cy.

IPv6 Connection Single ISP Single Homed

How to Design a Dual Homed, Native IPv6 Inter­net Con­nec­tion via one ISP

Your IPv6 address­es will also be assigned out of the Provider Aggre­gat­able (PA) Space of your upstream Inter­net Ser­vice Provider.

This IPv6 Inter­net con­nec­tion is dual homed and has lim­it­ed redun­dan­cy.

There are two options how you can imple­ment this:

Option A uses a redun­dant path between the same hard­ware, this is the least pre­ferred option.

Option B has hard­ware redun­dan­cy, but is still reliant on one sin­gle ISP. If the ISP fails, your con­nec­tion will be bro­ken regard­less of redun­dant hard­ware path.

IPv6 Connection Single ISP Dual Homed

How to Design a Dual Homed, Native IPv6 Inter­net Con­nec­tion via one ISP using your own PI Space and have your ISP announce it via BGP

Your IPv6 address­es are out of your own Provider Inde­pen­dent (PI) IP address pre­fix that you have request­ed and received.

In this case, to keep con­fig­u­ra­tion low, you ask your (sin­gle) Inter­net Ser­vice Provider to announce your PI Pre­fix via BGP to the Inter­net for you.

This IPv6 Inter­net con­nec­tion is dual homed and has lim­it­ed redun­dan­cy, because you still have only one ISP and if it fails, you fail.

IPv6 Connection Dual Homed

How to Design a Dual Homed, Native IPv6 Inter­net Con­nec­tion via one ISP using your own PI Space and announc­ing it your­self with BGP

Your IPv6 address­es are out of your own Provider Inde­pen­dent (PI) pre­fix.

With this option you choose to imple­ment BGP on your own routers and announce your IP address pre­fix via BGP to your provider routers. With this option you have full con­trol over what you announce, how rout­ing is han­dled and how the Inter­net sees your net­work.

This IPv6 Inter­net con­nec­tion is dual homed and has lim­it­ed redun­dan­cy, because you still have only one ISP and if it fails, your busi­ness does so too.

IPv6 Connection Dual Homed BGP

How to Design a ful­ly redun­dant Mul­ti Homed, Native IPv6 Inter­net Con­nec­tion via two ISPs using your own PI Space and announc­ing it with BGP

Your IPv6 address­es are out of your own Provider Inde­pen­dent (PI) pre­fix.

With this best in class option you choose to imple­ment BGP on your own routers and announce your IP address pre­fix via BGP to redun­dant routers of two dif­fer­ent Inter­net Ser­vice Providers. With this option you have full con­trol over what you announce, how rout­ing is han­dled and how the Inter­net sees your net­work.

This IPv6 Inter­net con­nec­tion is mul­ti homed and has full redun­dan­cy, because you have redun­dant hard­ware, redun­dant paths and redun­dant ISPs, while rely­ing on your own IP address space.

By the way, the mul­ti homed option with two ISPs is only avail­able if you have your own PI or PA address space. It is not pos­si­ble for the one provider to route address space of the oth­er provider, only if it is your own!

IPv6 Connection Dual ISP Multi Homed

What are NAT64 and DNS64?

NAT means Net­work Address Trans­la­tion and this always reminds me of IPv4. We still need to talk about this tech­nol­o­gy. If you want to read more, I found this arti­cle from Juniper Net­works about NAT64 and DNS64 help­ful.

 

NAT64 is defined in RFC6052 and RFC6146.

With IPv6 there is no NAT any­more, as there was in IPv4 (I like that).

A bridg­ing tech­nol­o­gy called NAT-PT (NAT Pro­to­col Trans­la­tion) was added to IPv6, but then removed from the stan­dard again (dep­re­cat­ed).

NAT64 is made for IPv6-only clients, to access IPv4-only servers.

To achieve this, NAT64 routers must be dual stack. Remem­ber, that means they need to have at least one IPv4 and one IPv6 address

 

DNS64 was definied in RFC6147 and works with NAT64:

The DNS64 relay serv­er inter­cepts DNS requests from clients and responds with a AAAA record, if the serv­er only has an A record. IPv6-only clients could oth­er­wise not reach an IPv4-only serv­er!

The fol­low­ing process enables this tech­nol­o­gy, that is nice to have but should not real­ly be used in pro­duc­tion if you ask me:

  1. The client sends a DNS request for a AAAA record.
  2. The DNS64 serv­er (relay) only finds an A record (IPv4)
 and cre­ates a AAAA record with the NAT64 pre­fix and the embed­ded IPv4 address.
  3. The DNS64 serv­er pro­vides the AAAA record to client.
  4. The client sends traf­fic to the NAT64 router with a tar­get pre­fix of 64:ff9b::/96 + IPv4 address.
  5. The NAT64 serv­er cre­ates a map­ping between the IPv4 and IPv6 address­es.

Thank You

Thank you for attend­ing the Orig­i­nal IPv6 Foun­da­tion Mas­ter Class! You can book­mark this site to use it as a quick ref­er­ence in case you need to re-read some­thing and you can share this page to social media and your friends and col­leagues. Stay tuned to this blog for more in-depth sto­ries like this one.

Rec­om­mend­ed Resources for addi­tion­al read­ing

Apart from the links through­out this course I rec­om­mend the fol­low­ing resources for addi­tion­al infor­ma­tion:

  1. The Inter­net Soci­ety (ISOC) IPv6 Por­tal
  2. Test your IPv6 con­nec­tiv­i­ty on test-ipv6.com
  3. The offi­cial IANA list of assigned IPv6 address space is very inter­est­ing
  4. The Google IPv6 deploy­ment sta­tis­tics
  5. The RIPE NCC IPv6 work­ing group and mail­ing list

Book rec­om­men­da­tions on IPv6

I can rec­om­mend the fol­low­ing 3 books (Ama­zon refer­ral links) which I enjoyed read­ing:

This con­cludes IPv6 Foun­da­tion Part 13: IPv6 Inter­net Con­nec­tion Plan­ning & Address Plan­ning of the orig­i­nal IPv6 Foun­da­tion Mas­ter Class and the class itself (This was the last part already!).

Pre­vi­ous Part: IPv6 Foun­da­tion Part 12: IPv6 Secu­ri­ty & Tun­nel­ing

Back to IPv6 Foun­da­tion Course Index

Con­grat­u­la­tions! You have com­plet­ed this IPv6 Foun­da­tion Mas­ter Course and your are now an IPv6 Expert!

IPv6 Certified

Share this post

Share on pocket
Share on reddit
Share on facebook
Share on twitter
Share on linkedin
Share on xing