Right now, we have a rack of servers. Every server right now has at least 2 IP addresses, one for the public interface, another for the private. The servers that have SSL websites on them have more IP addresses. We also have virtual servers that are configured similarly.
Private Network
The private range is currently just used for backups and monitoring. It's a gigabit port; the interface usage does not usually get very high. There are other technologies we're considering using that would use this port:
- iSCSI (implementations usually recommend dedicating an interface to it, which would be yet another IP network),
- VPN to get access to the private range (something I'd rather avoid)
- dedicated database servers
- LDAP
- centralized configuration (like puppet)
- centralized logging
We don't have any private addresses in our DNS records (only public addresses). For our servers to utilize the correct IP address for the right interface (and not hard code the IP address) probably requires setting up a private DNS server (so now we add 2 different DNS entries to 2 different systems).
Public Network
Our public range has a variety of services including web, email, and FTP. There is a hardware firewall between our network and the "public" network. We have a (relatively secure) method to instruct the firewall to open and close administrative access (web interfaces, SSH, etc.) for our current IP address. With either solution discussed, the host-based firewalls will be configured as well.
The public network currently runs at a dedicated 20Mbps link. There are a couple of legacy servers with fast-ethernet ports, but they are scheduled for decommissioning. All of the other production boxes have at least 2 Gigabit Ethernet ports. The more traffic-heavy servers have 4-6 available (none is using more than the 2 Gigabit ports right now).
IPv6
I want to get an IPv6 prefix from our ISP, so that at least every "server" has at least one IPv6 interface. We'll still need to keep the IPv4 addresses up and available for legacy clients (web servers and email at the very least).
We have two IP networks right now. Adding the public IPv6 address would make it three.
Just use IPv6?
I'm thinking about just dumping the private IPv4 range and using the IPv6 range as the primary means of all communications. If an interface starts reaching its capacity, utilize the newly free interfaces to create a trunk.
It has the advantage of handling the case where either the public or private traffic needs to exceed 1Gbps. The traffic for each interface is already analyzed on a regular basis to predict future bandwidth use. In the rare instances where bandwidth unexpectedly peaks, utilize QoS to ensure traffic (like our limited SSH access) is prioritized correctly so the problem can be corrected (if possible; our WAN is the bottleneck right now).
It also has the advantage of not needing to make an entry for every private address. We may have private DNS (or just LDAP), but it'll be much more limited in scope with fewer entries to duplicate.
Summary
I'm trying to make this network as "simple" as possible. At the same time, I want to make sure it's reliable, upgradeable, scalable, and (eventually) redundant. Having one IPv6 network and a legacy IPv4 network seems to be the best solution to me.
Regarding using assigned IPv6 addresses for both networks, sharing the available bandwidth on one (more trunked if needed):
- Are there any technical disadvantages (limitations, buffers, scalability)?
- Are there any other security considerations (aside from the firewalls mentioned above) to consider?
- Are there regulations or other security requirements (like PCI-DSS) that this doesn't meet?
- Is there typical software for setting up a Linux network that doesn't have IPv6 support yet? (logging, ldap, puppet)
- Some other thing I didn't consider?
Answer
Alright, let's reply by parts
1) Private addresses
IPv6 has different "scopes", so you can have a local scope and a global scope. IPv6 is smart enough to know who's what and to regulate traffic accordingly, so you can have a local non-routable network on IPv6 without any problem at all; actually it comes by default as that.
2) Dump ipv4 and run only ipv6
All IPv6 implementations so far are dual stack, so you can comfortably run both, and I would definitely recommend you to run both. There's no damage in doing that, and IPv4 is not going away for a long time. Although IPv6 is very cool, completely dropping IPv4 is not something I would do.
3) Short questions
a) No technical disadvantages, on the contrary! Lots of cool stuff: automatic assignment of addresses, anycast, native IPsec. It's quite cool.
b) Firewalls should be good, but there are some specific firewall rules that you should pay attention to, like allowing link-local scope traffic, allowing multicast on IPv6 and disabling processing of RH0 packets. Also have in mind that ICMPv6 is a completely new protocol and IPv6 is a lot more dependent on it than IPv4 is on ICMP, so filtering it is not a good idea.
c) As far as I know most Linux services support IPv6 without any problem, dual stack FTW!
Also it's not bad to get yourself familiar with all the ipv6 new specs, have a look at http://en.wikipedia.org/wiki/IPv6 for starters
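The two points the answer makes in 1) and 3b), address scopes and the firewall rules that must stay open, as an added example that is not part of the original question or answer. It classifies IPv6 addresses by scope (RFC 4291 ranges), then applies a minimal inbound host policy in the spirit of the answer: link-local and multicast traffic stay open, the ICMPv6 types that Neighbor Discovery and path MTU discovery depend on (the RFC 4890 "must not filter" list) are never dropped, and any packet carrying a Routing Header type 0 (deprecated by RFC 5095) is dropped first. The packet model, the sample packets and the assumption that the host publishes TCP ports 22, 80 and 443 are all constructed for the example; it uses only the standard library.

```python
"""Added example (not from the original post): IPv6 scope classification plus a
minimal inbound policy that keeps the traffic IPv6 itself depends on.
Address ranges: RFC 4291.  RH0 deprecation: RFC 5095.  ICMPv6 list: RFC 4890.
Every packet below is constructed; the allowed ports are a hypothetical host's."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
MULTICAST = ipaddress.IPv6Network("ff00::/8")

# Multicast scope lives in the low nibble of the second address byte (RFC 4291 s2.7)
MCAST_SCOPES = {1: "interface-local", 2: "link-local", 3: "realm-local",
                4: "admin-local", 5: "site-local", 8: "organization-local", 14: "global"}

# ICMPv6 types a host must not filter (RFC 4890): the error messages path MTU
# discovery needs (routers never fragment in IPv6) and Neighbor Discovery.
ICMPV6_MUST_ALLOW = {
    1,    # destination unreachable
    2,    # packet too big
    3,    # time exceeded
    4,    # parameter problem
    133,  # router solicitation
    134,  # router advertisement
    135,  # neighbor solicitation
    136,  # neighbor advertisement
}
ICMPV6_OPTIONAL = {128, 129}  # echo request/reply, kept here for diagnostics

# Services this hypothetical host exposes on its global address (assumption)
ALLOWED_TCP_PORTS = {22, 80, 443}


def scope_of(addr: str) -> str:
    """Return the scope name of a unicast or multicast IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip in MULTICAST:
        nibble = ip.packed[1] & 0x0F
        return "multicast-" + MCAST_SCOPES.get(nibble, f"scope-{nibble}")
    if ip.is_loopback:
        return "loopback"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    return "global"


@dataclass
class Packet:
    """Simplified view of an inbound IPv6 packet (constructed for the example)."""
    src: str
    dst: str
    next_header: str                           # "icmpv6", "tcp" or "udp"
    icmpv6_type: Optional[int] = None
    dport: Optional[int] = None
    routing_header_type: Optional[int] = None  # set only if an RH extension header is present


def decide(pkt: Packet) -> Tuple[str, str]:
    """Inbound verdict ('accept' or 'drop') plus the rule that produced it."""
    # 1. RH0 (RFC 5095) is refused before anything else is inspected: the
    #    deprecated header let one packet be bounced between two hosts repeatedly.
    if pkt.routing_header_type == 0:
        return "drop", "rh0-deprecated"
    # 2. ICMPv6 carries NDP and PMTUD; filtering these breaks IPv6 itself.
    if pkt.next_header == "icmpv6":
        if pkt.icmpv6_type in ICMPV6_MUST_ALLOW or pkt.icmpv6_type in ICMPV6_OPTIONAL:
            return "accept", f"icmpv6-type-{pkt.icmpv6_type}"
        if scope_of(pkt.src) == "link-local":
            return "accept", "link-local-icmpv6"   # MLD reports, redirects: on-link only
        return "drop", "icmpv6-unlisted"
    # 3. Link-local sources never cross a router; DHCPv6 and mDNS use them.
    if scope_of(pkt.src) == "link-local":
        return "accept", "link-local-source"
    # 4. Multicast destinations (all-nodes, solicited-node, ...) stay open.
    if scope_of(pkt.dst).startswith("multicast-"):
        return "accept", "multicast-destination"
    # 5. Ordinary unicast reaches only the published services.
    if pkt.next_header == "tcp" and pkt.dport in ALLOWED_TCP_PORTS:
        return "accept", f"tcp-port-{pkt.dport}"
    return "drop", "default-deny"


if __name__ == "__main__":
    samples = [
        Packet("fe80::1", "ff02::1", "icmpv6", icmpv6_type=134),            # router advertisement
        Packet("2001:db8:1::9", "2001:db8:2::1", "icmpv6", icmpv6_type=2),  # packet too big
        Packet("2001:db8:1::9", "2001:db8:2::1", "tcp", dport=443),
        Packet("2001:db8:1::9", "2001:db8:2::1", "tcp", dport=25),
        Packet("2001:db8:1::9", "2001:db8:2::1", "tcp", dport=22, routing_header_type=0),
    ]
    for p in samples:
        print(f"{p.src:>14} -> {p.dst:<14} {p.next_header:7} {decide(p)}")
```

The ordering is the point: the RH0 check runs before any accept rule so that a packet cannot use a permitted port to smuggle the header past the filter, and the ICMPv6 allow-list sits above the default deny so that tightening the port list later never silently breaks neighbor discovery or path MTU discovery. A real host policy would be written in ip6tables or nftables; this model is only meant to make the rule ordering explicit.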