Saturday, August 1, 2015

IPv6 without NAT, but what about an ISP change?

I haven't worked with IPv6 outside of 4to6 tunneling on my home PC with stuff like GoGoNet. I've read about how it works in a general way: no NAT required (or suggested), each client uses a public IPv6 address, and I understand the continued use of firewalls. From my understanding, without the use of NAT, ULA and getting ARIN to give you your own global range, the IPv6 addresses on all the systems on your LAN would be from a range provided by your ISP. What would happen in the case you change your ISP? Would that mean you have to change your whole LAN address range?



In a typical IPv4 Windows shop I might have a situation like this:



Site1 LAN IPs: 192.168.1.0/24
Site2 LAN IPs: 10.0.0.0/24
Site1 Public IP: 11.12.13.1/29 (11.12.13.1 - 11.12.13.5 usable)
Site2 Public IP: 20.30.40.1/29 (20.30.40.1 - 20.30.40.5 usable)
Site-to-site VPN via firewalls

Site1: LAN IP, Public IP:Port
Hardware firewall/router - 192.168.1.1, 11.12.13.1
Windows AD DC server (AD DNS server) - 192.168.1.10
Windows Exchange (email) - 192.168.1.11, 11.12.13.2:25+443
Windows RDS (term server) - 192.168.1.12, 11.12.13.3:3389
Workstations (via DHCP) - 192.168.1.100+


Site2:
Hardware firewall/router - 10.0.0.1, 20.30.40.1
Windows AD DC server (AD DNS server) - 10.0.0.10
Windows IIS (webserver) - 10.0.0.11, 20.30.40.2:80
Workstations (via DHCP) - 10.0.0.100+


The servers have statically assigned LAN IPs. The DNS servers have to, and the others do as well, since the firewall does port forwarding to servers via IP addresses you type in (vs. hostnames).

Now, if I wanted to set this up as an IPv6-only environment, would everything still be the same, with statically assigned servers and DHCPv6 to workstations?

But then if I switch to another ISP, would that mean I need to change the IP address for all the servers? What if I have 100 servers? I guess I can use DHCPv6 on the servers, but I haven't seen a biz-class firewall that allowed port forwarding via hostname or internal DNS (SonicWall, Juniper, Cisco, etc.), just local IP (at least for IPv4). And DNS servers still need static IPs either way.

Also, wouldn't that mean that during the transition of changing LAN IPv6 IPs, my servers might be sending LAN traffic over the internet to my old block, since it's no longer the local LAN? At least in technical terms; I understand it's unlikely someone would use the old block that quickly, and that it can be blocked on the firewall.

It sounds like it would be great for everyone to get their own permanently assigned IPv6 block, but I understand it would make the global routing table unusably large.



Update
Based on the answers below, I updated the example above, so would this be the IPv6 equivalent?




Site1 ULA: fd80::192:/64
Site2 ULA: fd80::10:/64
Site1 Public IP: 2000:1112:1301::/48
Site2 Public IP: 2000:2030:4001::/48
Site-to-site VPN via firewalls

Site1: Link-Local, ULA, Public
Hardware firewall/router - fe80::1, fd80::ABCD:1, 2000:1112:1301::1
Windows AD DC server (DNS) - fe80::10, fd80::ABCD:10, 2000:1112:1301::A
Windows Exchange (email) - fe80::11, fd80::ABCD:11, 2000:1112:1301::B
Windows RDS (term server) - fe80::12, fd80::ABCD:12, 2000:1112:1301::C
Workstations (via DHCP) - fe80::100+, fd80::ABCD:1xx, 2000:1112:1301::10+

Site2: Link-Local, ULA, Public
Hardware firewall/router - fe80::1, fd80::ABCD:2, 2000:2030:4001::1
Windows AD DC server (DNS) - fe80::10, fd80::ABCD:20, 2000:2030:4001::A
Windows IIS (webserver) - fe80::11, fd80::ABCD:21, 2000:2030:4001::B
Workstations (via DHCP) - fe80::100+, fd80::ABCD:2xx, 2000:2030:4001::10+



Each site's own systems would talk via link-local, site-to-site would talk to each other via ULA (encrypted by the VPN), and the world (including services) would talk via public IPs?


Answer

There are definitely some mechanisms in place to help you out here.

For internal LAN traffic, between systems on your network, there are Unique Local Addresses. Think of them like RFC 1918 addresses; they'll only work within your network. You'll be able to use these addresses for any communication within your network borders; just carve off some nets from fd00::/8 and have your routers start advertising them.

In a normal deployment, this will mean that your nodes all possess (at least) three IPv6 addresses: a link-local fe80::/64 address (which can only talk to other nodes on its broadcast domain), a unique local fd00::/8 address (which can talk to everything in your LAN), and a public address.

Now, this still means you're renumbering everything when you change ISPs (which you're doing now anyway for publicly addressable nodes, assuming you don't own IPv4 space), just that you don't need to worry about all of the internal communication, which can stay on the Unique Local range.

That might cover your concerns, but there's also the NPTv6 proposal, for which there is currently an experimental RFC. This would allow you to translate the public prefixes to the private ranges at the network edge, meaning no renumbering internally when you change ISPs, and the ability to utilize multiple ISPs with disparate assigned addresses seamlessly (either permanently or during a transition period for a provider change).
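The three mechanisms the answer leans on (a ULA prefix carved from fd00::/8, the three address scopes a node ends up with, and NPTv6 prefix translation at the edge) can be demonstrated offline. The script below is an added example written for this page; it is not code from the question, the answer or any firewall vendor. It assumes an internal ULA /48 of fd00:abcd:1234::/48 (made up here; the RFC 4193 generator in the script shows how a real one should be derived), reuses the question's 2000:1112:1301::/48 as "ISP A" and its 2000:2030:4001::/48 as a hypothetical "ISP B", and implements only the /48-to-/48 case of RFC 6296's checksum-neutral mapping. The point worth seeing is that a host keeps one internal address across the ISP change while only the translator's external prefix moves, and that the subnet word is rewritten so transport checksums covering the address stay valid without the translator touching every packet's checksum.

```python
"""Added example: RFC 4193 ULA generation, address scope classification and
RFC 6296 (NPTv6) checksum-neutral prefix translation for a /48 <-> /48 pair.
Prefixes below are assumed for illustration, not taken from a real deployment."""
import hashlib
import ipaddress
import os
import struct
import time

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")      # RFC 4193; fd00::/8 is the locally assigned half
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

INTERNAL = ipaddress.IPv6Network("fd00:abcd:1234::/48")  # assumed site ULA /48
ISP_A = ipaddress.IPv6Network("2000:1112:1301::/48")     # Site1 public prefix from the post
ISP_B = ipaddress.IPv6Network("2000:2030:4001::/48")     # hypothetical replacement ISP prefix


def ula_global_id(eui64: bytes, ntp_time: int) -> bytes:
    """RFC 4193 s3.2.2: global ID = low-order 40 bits of SHA-1(64-bit NTP time || EUI-64)."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    return hashlib.sha1(struct.pack(">Q", ntp_time) + eui64).digest()[-5:]


def ula_prefix(global_id: bytes, subnet_id: int) -> ipaddress.IPv6Network:
    """fd + 40-bit global ID + 16-bit subnet ID -> one /64 of the site's /48."""
    if len(global_id) != 5 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("global ID is 40 bits, subnet ID is 16 bits")
    raw = b"\xfd" + global_id + struct.pack(">H", subnet_id) + bytes(8)
    return ipaddress.IPv6Network((int.from_bytes(raw, "big"), 64))


def random_ula_prefix(subnet_id: int = 0) -> ipaddress.IPv6Network:
    """Pseudo-random site prefix; os.urandom stands in for a real EUI-64 here."""
    return ula_prefix(ula_global_id(os.urandom(8), int(time.time())), subnet_id)


def scope(addr: str) -> str:
    """Classify one of the (at least) three addresses a node carries."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ULA_RANGE:
        return "unique-local"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"


def ones_complement_sum(words) -> int:
    """16-bit one's complement sum as used by the TCP/UDP/ICMPv6 pseudo-header checksum."""
    s = 0
    for w in words:
        s += w
        while s > 0xFFFF:
            s = (s & 0xFFFF) + (s >> 16)
    return s


def nptv6_translate(addr: str, from_prefix: ipaddress.IPv6Network,
                    to_prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """RFC 6296 mapping for a /48 pair: swap the first three words and adjust
    word 3 (the subnet word) so the address's one's complement sum, and hence
    every transport checksum covering it, is unchanged."""
    if from_prefix.prefixlen != 48 or to_prefix.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    a = ipaddress.IPv6Address(addr)
    if a not in from_prefix:
        raise ValueError(f"{a} is not inside {from_prefix}")
    words = list(struct.unpack(">8H", a.packed))
    old = struct.unpack(">8H", from_prefix.network_address.packed)[:3]
    new = struct.unpack(">8H", to_prefix.network_address.packed)[:3]
    # word3' = word3 + sum(old) - sum(new); in one's complement arithmetic -x == ~x
    adj = ones_complement_sum([words[3], *old, *((~w) & 0xFFFF for w in new)])
    if adj == 0xFFFF:
        adj = 0  # 0xFFFF and 0x0000 are the same one's complement value; pick the canonical one
    words[0:3] = new
    words[3] = adj
    return ipaddress.IPv6Address(struct.pack(">8H", *words))


def checksum_neutral(a: str, b: str) -> bool:
    """True when both addresses contribute the same value to a pseudo-header checksum."""
    sa = ones_complement_sum(struct.unpack(">8H", ipaddress.IPv6Address(a).packed))
    sb = ones_complement_sum(struct.unpack(">8H", ipaddress.IPv6Address(b).packed))
    return sa % 0xFFFF == sb % 0xFFFF


if __name__ == "__main__":
    dc = "fd00:abcd:1234:1::a"  # Site1 DC on internal subnet 1, stays fixed across ISPs
    print("fresh random ULA /64:", random_ula_prefix(1))
    for isp in (ISP_A, ISP_B):
        ext = nptv6_translate(dc, INTERNAL, isp)
        back = nptv6_translate(str(ext), isp, INTERNAL)
        print(f"{dc} -> {ext} (neutral={checksum_neutral(dc, str(ext))}) -> {back}")
```

Running it shows the same internal address appearing as 2000:1112:1301:76f0::a behind ISP A and 2000:2030:4001:3ad2::a behind ISP B; the fourth word differs because it absorbs the checksum difference between the two prefixes, which is why NPTv6 is defined on the subnet word and why the mapping is algorithmic and stateless rather than a per-connection table like IPv4 NAT.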

