Construction of Native IPv6 LAN for Enterprise Network
Takahiro KUBO
KDDI R&D Laboratories Inc.
Purpose
To gain know-how on migrating an office network from IPv4 to IPv6
To clarify the issues that arise during the shift from IPv4 to IPv6
To establish a basis for IPv6 solution business
First sample case in the world
– Scale: a 200 personnel office (R&D Labs)
– OS: Windows XP rather than Mac OS or Linux
NW Structure before Migration
[Figure: network diagram. Labels: IPv4, IPv6, DMZ IPv4/v6, DNS/Mail/WWW, Common SV NW IPv4/v6, Client NW IPv4/v6 (two), DNS/Mail, Client PC, Local WWW, VPN]
NW Structure before Migration - Continued
NW: IPv4/v6 dual stack
– DMZ: IPv4/v6 dual stack
  DNS Server: IPv4/v6 dual stack
  Mail Gateway: IPv4/v6 dual stack
  WWW Server: IPv4/v6 dual stack
– Common Server NW: IPv4/v6
  DNS Server: IPv4/v6 dual stack
  Mail Server: IPv4/v6 dual stack
– Client NW: IPv4/v6 dual stack
  DNS Server: IPv4
  Mail Server: IPv4
  Terminals for researchers: IPv4/v6 dual stack
  Terminals for supporting staff: IPv4
Policy for Migration to Native IPv6
Terminals for native IPv6
– All terminals for both the researching and the supporting staff
– Isolate terminals that cannot feasibly be migrated to native IPv6 in a native IPv4 segment
– Target OS: Windows XP
Target applications
– Web browser, mail client and FTP client
– Printing by LPR to external IPv6-ready printers outside any Client NW
*Windows file sharing with the external Client NWs is excluded
Policy for Migration to Native IPv6 - Continued
Routing
– Forbid IPv4 forwarding to any Client NW
– Allow internal IPv4 communication within a Client NW
– Set up an isolated IPv4 segment and allow traffic with IPv6 NWs via NATPT translator
Cost
– Low cost migration with the least additional equipment and the least manpower
– No additional cabling for smooth migration
NW Structure after Migration
[Figure: network diagram. Labels: IPv4, IPv6, DMZ IPv4/v6, DNS/Mail/WWW, Common SV NW IPv4/v6, Client NW IPv6 (two), DNS/Mail, Client PC, Local WWW, IPv4/IPv6 translator, VPN, ISATAP router, PC, IPv4 NW]
NW Structure after Migration
NW: IPv4/v6 dual stack
– DMZ: IPv4/v6 dual stack
  DNS Server: IPv4/v6 dual stack
  Mail Gateway: IPv4/v6 dual stack
  WWW Server: IPv4/v6 dual stack
– Set up an IPv4 segment
– Common Server NW: IPv4/v6
  DNS Server: IPv4/v6 dual stack
  Mail Server: IPv4/v6 dual stack
  Additional NATPT IPv4/v6 translator
  Additional ISATAP router for VPN
– Client NW: IPv6
  DNS Server: IPv6
  Mail Server: IPv6
  Client PC: IPv6
Issues and Solutions - Server 1/2
SPAM check processing of MTA
Mail from a server without an A record is refused, even though an AAAA record is set for the host name, in an environment where check_mail is enabled in sendmail. It is caught in the checking process of “From: …”.
- Solution: An A record with a temporary IPv4 address was added.
IPv4 WWW server search
Some Web servers are invisible due to a DNS problem (DNS server Fail / no AAAA response). The time-out of the NATPT entry makes form input impossible.
- Solution: Modify the setting of the translator so that the “DNS server Fail” message after an AAAA search is ignored. However, this does not solve the problem for servers with “no AAAA response”.
Literal IPv4 address of a WWW server
A literal IPv4 address, e.g. <img src="http://64.4.55.45/spacer.gif" height=1 width=115>, cannot be used.
- Solution: Write the FQDN at the server manually / use a Web proxy server.
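The literal IPv4 address issue can be found on the server side before clients move to an IPv6-only segment. The scanner below is an added example, not part of the original slides; the function names and the sample page are constructed for illustration, apart from the `<img>` tag quoted on the slide.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value is a URL the browser will fetch or submit to.
URL_ATTRS = {"src", "href", "action", "background", "codebase", "data"}

def literal_ipv4_host(url):
    """Return the host part if it is a literal IPv4 address, else None."""
    try:
        host = urlsplit(url).hostname
        if host is None:          # relative URL, no host to translate
            return None
        ipaddress.IPv4Address(host)
    except ValueError:            # unparsable URL, host name, or IPv6 literal
        return None
    return host

class LiteralV4Finder(HTMLParser):
    """Collect (line, tag, attribute, url) for URLs with a literal IPv4 host."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:
            if name in URL_ATTRS and value and literal_ipv4_host(value):
                self.findings.append((line, tag, name, value))

def scan_html(text):
    finder = LiteralV4Finder()
    finder.feed(text)
    finder.close()
    return finder.findings

# Constructed sample page; the first <img> is the tag quoted on the slide.
SAMPLE = """<html><body>
<img src="http://64.4.55.45/spacer.gif" height=1 width=115>
<a href="http://www.example.com/">named host</a>
<a href="http://[2001:db8::10]/">literal IPv6</a>
<form action="//192.0.2.7:8080/post"></form>
<img src="/local/logo.gif">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in scan_html(SAMPLE):
        print("line %d: <%s %s=%r> needs an FQDN" % (line, tag, attr, url))
```

Each reported URL has no name for the translator to resolve through AAAA, so it is a candidate for the manual FQDN rewrite or the proxy route named in the solution.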
Issues and solutions - Server 2/2
CISCO VPN/ISATAP
When ISATAP is used together with Cisco VPN for IPv6 remote access, the connection is unsuccessful because of an MTU mismatch.
– Solution: Set up RA so that MTU=1280 at the ISATAP router.
DNS server to support IPv4 query
If the DNS server is set on an IPv6 segment, it cannot reply to queries from DNS servers on the IPv4 network.
– Solution: Install the DNS server on a dual stack network.
Issues and solutions - Client 1/6
A DNS query of Windows XP does not support IPv6
– Solution: use NameServerProxy
RA of Windows XP
If there are two or more effective interfaces and either of them is (Internet) shared, the latter may issue RA and may affect the existing networks.
– Solution: Disable the shared interface
Windows XP SP2
The starting of Windows takes up to 5 minutes. RS is issued/delegated and RA is received, but an address is not given. Disabling the IPv6 ICF has no effect.
– Solution: Activate/inactivate the interface, or use the “ipv6 renew” command.
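Both RA items above, the MTU=1280 setting on the ISATAP router and the stray RAs issued by a Windows XP host with a shared interface, can be verified from captured Router Advertisements. The parser and check below are an added example, not part of the original slides; the addresses, prefixes, policy format and function names are constructed assumptions.

```python
import ipaddress
import struct
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5

def parse_ra(icmp):
    """Parse an ICMPv6 Router Advertisement (type 134, RFC 4861 section 4.2)."""
    if len(icmp) < 16 or icmp[0] != 134 or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"lifetime": struct.unpack_from("!H", icmp, 6)[0],
          "mtu": None, "lladdr": None, "prefixes": []}
    off = 16  # options follow the fixed 16-byte header
    while off < len(icmp):
        # Option length is counted in units of 8 bytes; zero is invalid.
        size = icmp[off + 1] * 8 if off + 1 < len(icmp) else 0
        if size == 0 or off + size > len(icmp):
            raise ValueError("malformed option at offset %d" % off)
        otype, body = icmp[off], icmp[off + 2:off + size]
        if otype == OPT_SRC_LLADDR and size == 8:
            ra["lladdr"] = ":".join("%02x" % b for b in body)
        elif otype == OPT_MTU and size == 8:
            ra["mtu"] = struct.unpack_from("!I", body, 2)[0]
        elif otype == OPT_PREFIX_INFO and size == 32:
            net = ipaddress.IPv6Network((body[14:30], body[0]), strict=False)
            ra["prefixes"].append(str(net))
        off += size
    return ra

def audit_ra(icmp, src_ip, routers):
    """routers maps each authorised router's link-local address to the MTU it
    must advertise (None if no MTU option is required). Returns findings."""
    ra, src = parse_ra(icmp), ipaddress.IPv6Address(src_ip)
    policy = {ipaddress.IPv6Address(k): v for k, v in routers.items()}
    if src not in policy:
        return ["unauthorised RA from %s (lladdr %s) advertising %s"
                % (src, ra["lladdr"], ", ".join(ra["prefixes"]) or "no prefix")]
    want = policy[src]
    if want is not None and ra["mtu"] != want:
        return ["RA from %s carries MTU %s, expected %d" % (src, ra["mtu"], want)]
    return []

def sample_ra(mtu=None, prefix="2001:db8:1::", mac=None):
    """Constructed input: RA bytes for the checks (checksum left as zero)."""
    ra = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    if mac is not None:
        ra += bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    if mtu is not None:
        ra += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
    return ra + ipaddress.IPv6Address(prefix).packed
```

Fed with the ICMPv6 payloads of captured RAs, `audit_ra` returns an empty list for an authorised router advertising the required MTU and a finding for any other sender, which is how an RA from a shared Windows XP interface would show up.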
Issues and solutions - Client 2/6
Windows File Sharing
Windows File Sharing (IPv4) is an essential tool for research activity, but is not available in an IPv6 environment.
– Solution: An alternative application, e.g., WebDAV, is recommended.
IPv6 incompatible LDAP of Mail Client
No commercial mail client software has IPv6 compatible LDAP.
– Solution: Wait until the mailer software vendor solves the problem.
Issues and solutions - Client 3/6
Heavy work load of data transferring with the migration of e-mail client
It is necessary to change the e-mail client from an IPv6 incompatible one, such as Eudora, to an IPv6 enabled one, such as Mozilla. There are complaints about the migration, especially that an attached file cannot be migrated together with its corresponding message after the e-mail data transfer.
– Solution: Wait until the e-mail client is IPv6 enabled
Terminals with built-in wireless LAN
Some terminals with a built-in wireless LAN interface using Intel® Centrino™ mobile technology cannot obtain an IPv6 address automatically, i.e., Let'sNote CF-W2 DW6AXS.
– Solution: use the “ipv6 renew” command manually.
Issues and solutions - Client 4/6
Virus scan software
Current commercial virus scan software cannot detect a virus at the time of mail reception; however, some usable products can discover the virus at the stage when the mail software saves/creates the received file.
Pattern files of virus scan software that uses the communication component of IE can be updated.
– Solution: Wait for the release of commercial IPv6 enabled virus scan software.
Issues and solutions - Client 5/6
JAVA applet
Even if the web browser is IPv6 enabled, a JAVA application using an IPv6 incompatible JAVA applet fails to work.
– Solution: make the JAVA applet IPv6 compatible.
Existing familiar IPv4 applications
Someone may not want to change to new mailer software, or someone may want to use the LDAP function.
– Solution: use portproxy of Windows XP / use the port forwarding functions of ssh
Issues and solutions - Client 6/6
Application
IPv6 enabled TV conference system
A TV conference by QualityMeeting between native IPv4 and native IPv6 NWs via the translator was carried out, and connection tests completed successfully.
QualityMeeting is a high quality IPv6 enabled two-way audio/video live transmission system developed by KDDI R&D Labs.
Automatic registration to DNS
An IPv6 address generated by RA etc. makes it difficult for the terminal address to be registered to the DNS server. To make it easier, an automatic DNS registration tool is under development.
Equipments
The equipment
– IPv4/IPv6 translator: Hitachi AG8100S-T
– ISATAP router: Cisco 2600 (IOS12.3(8)T3)
– Core router SW: Foundry BigIron8000
– PrintServer: Silex PRICOM 3100
Network construction
Wiring work was reduced as much as possible by using VLAN and the information wall socket.
Conclusion
The first case study of enterprise NW migration from IPv4/v6 dual stack to IPv6 single stack
- on office LAN with several hundred Client PCs
- with feasible economical cost
  - cost can be minimized if Windows XP is preinstalled.
- in a short period