AWT goes IPv6 talk @BELNET Workshop

[email protected] 5-6-7 october 2011 Belnet Workshop S. Vince – Information Systems Expert C. Zaccone – Network Systems Expert

Transcript of AWT goes IPv6 talk @BELNET Workshop


Page 2: AWT goes IPv6 talk @BELNET Workshop

Who's AWT?

Agence Wallonne des Télécommunications: ICT public actor in Wallonia

Main goals:
• Technology watch
• Advise
• Promote

Targets:
• SME
• Public sector
• Citizens

Page 3: AWT goes IPv6 talk @BELNET Workshop

AWT IPv6 History

2006:
• Get our range (2001:06a8:3880::/48)

2008:
• All external services available
• Internal IPv6 on separate VLAN/SSID

2009:
• Dissemination to the public sector (tryout)

2010:
• Dual Stack services on DMZ
• Kick off Dual Stack LAN (for Users & Guest)

2011:
• Workstation OS migration to Dual Stack

Page 4: AWT goes IPv6 talk @BELNET Workshop

Why & How AWT goes v6

• Why AWT has been interested in IPv6:
  • Demonstration & curiosity
  • Innovative provider with dual-stack support
  • European involvement in next-gen Internet
  • Since 2011, no more IPv4!

• 1st step (careful approach in 2008):
  • No impact on IPv4 production
  • Priceless deployment
  • Recycling of old equipment (with new firmware)
  • Only 1 new virtual machine (reverse proxy & relay)

• Current situation (now, evolutionary approach):
  • Dual-stack services
  • Still using reverse proxy for some old apps
  • Issues finding a good VPN alternative

Page 5: AWT goes IPv6 talk @BELNET Workshop

A Closer Look (Internal / Public)

Services, Servers, Endpoints

Internal:
• Mail
• DBMS
• IP Storage
• Classical computing

Public:
• DMZ: Web servers, DNS, FTP, Mail (SMTP, POP3, IMAP)
• VPN

Network

Internal:
• VLANs (private IPs): Users, Visitors, Management
• Inter-VLAN routing
• Inter-VLAN firewalling

Public:
• RIPE
• NPAT
• DMZ
• P-t-P routing segments

Page 6: AWT goes IPv6 talk @BELNET Workshop

Deeper view

[Network diagram. Labels: FW v4; Belnet & Internet (IPv4 & IPv6); Dual Stack; VPNC; Guest; LAN User; DMZ; FW v6; Guest IPv4; DMZ V6]

Page 7: AWT goes IPv6 talk @BELNET Workshop

Future view

[Network diagram. Labels: FW Dual Stack; VPN; DirectAccess; Belnet & Internet (IPv4 & IPv6); Dual Stack; Guest; LAN User; DMZ]

Page 8: AWT goes IPv6 talk @BELNET Workshop

Caveats & Observations

• FW & routers use 2 ACLs: the 1st for v4 and the 2nd for v6
• Don't use IP addresses when not necessary; prefer hostnames
• Application server ACLs must be adapted (subnet v4 <> v6)
• When possible, use dual-stack on the same host. Managing different machines (one on v4, the other on v6) could be a mess
• Are your management & statistics tools ready for v6 (AWStats, syslog, ...)?
• ICMP handling & role are not the same in v4 & v6
• Your end users are using v6 without knowing it: did you know?
• Appliances with a "v6 enabled" logo: do you get the same performance?
• Protocol fixup on some appliances is not v6 capable
• Dual stack is good (we think it's necessary), but v6-only is not realistic!
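
An added example, not part of the AWT slides: one way to act on the "application server ACL must be adapted" caveat, as a Python check that keeps v4 and v6 subnets in one ACL, unwraps IPv4-mapped addresses as seen on dual-stack sockets, and reports an address family the ACL does not cover. The prefixes are documentation ranges constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ACL for one application server (documentation prefixes).
ALLOWED = ["192.0.2.0/24", "2001:db8:3880:10::/64"]

def parse_acl(entries):
    """Split ACL entries into per-family lists of networks."""
    nets = {4: [], 6: []}
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=True)  # rejects host bits
        nets[net.version].append(net)
    return nets

def normalize(client):
    """Parse a client address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(client.split("%", 1)[0])  # drop zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        # A v4 client reaching a dual-stack listener shows up in this form;
        # it has to be matched against the v4 subnets, not the v6 ones.
        return addr.ipv4_mapped
    return addr

def is_allowed(client, nets):
    """True if the client falls inside a subnet of its own address family."""
    addr = normalize(client)
    return any(addr in net for net in nets[addr.version])

def missing_families(nets):
    """Families with no ACL entry at all: every such client is rejected."""
    return [f"IPv{v}" for v in (4, 6) if not nets[v]]

if __name__ == "__main__":
    nets = parse_acl(ALLOWED)
    for client in ("192.0.2.15", "::ffff:192.0.2.15",
                   "2001:db8:3880:10::25", "2001:db8:3880:11::25"):
        print(client, "->", "allow" if is_allowed(client, nets) else "deny")
    # An ACL that was never adapted for v6:
    print("not covered:", missing_families(parse_acl(["192.0.2.0/24"])))
```
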

Page 9: AWT goes IPv6 talk @BELNET Workshop

AWT Guidelines

Team work: IT & Net guys MUST be involved

Good understanding of IPv6:
• IPv6 is more than a simple upgrade of IPv4
• System migration, re-engineering, configuration must be assumed

Check compatibility issues:
• ISP readiness (Dual Stack vs 6to4, etc.)
• Equipment (FW/SW/OS upgrade, renewing)
• Applications (upgrade, turn around, new code)

Do a proof of concept (before production phase)

Get certified (IPv6 Forum)

Online resources:
• IPv6 Cookbook: awt.be/ipv6

Page 10: AWT goes IPv6 talk @BELNET Workshop

Question(s) ?

Page 11: AWT goes IPv6 talk @BELNET Workshop

Carmelo Zaccone Network Systems [email protected]/778076

Stéphane Vince Information Systems [email protected]/778071

http://www.awt.be
http://www.ipv6council.be