IPv6 is not needed?
Recently I read a note , the meaning of which comes down to what it would not hurt to check, suddenly you are already using IPv6 and do not notice anything. The result, in my opinion, is a different meaning, which for the vast majority of IPv6 will not bring anything new: the sites will also open, and the phones will also ring.
Recently, IPv6 has ceased to be new, perhaps this applies only to my communication environment, but it’s stopped to talk about IPv6 as a new protocol. To read about how great it is to raise tunnels for the sake of access to the cherished and inaccessible is not at all interesting. IPv6 has become one of ... It would seem, finally, you can shout "Hurray!", But becoming one of them, he lost his growth driver, becoming ordinary. To prove to the consumer that he needs it became more difficult, the consumer is not ready to pay for one of ...
Under the cut, the continuation of the story , about how we bought tickets for the IPv6 train and stayed on the platform, in the general sense of the failure story, I hope, is not final. This is exactly the story, how IPv6 works, I think everyone already knows, the minimum of technical details and settings, the maximum of personal impressions.
Approximately a little over a year ago, it was decided to give IPv6 to our subscribers. After the first experiments, enough time passed, we looked at the Google chart and wanted not to be late. Subscribers for us are users of the services of a regional Internet provider, classic tirple play: Internet access (without PPPoE and VPN), television (multicast) and telephony. The prerequisites, if we refer to the given graph are obvious - the tunnel protocols are almost gone, there is more native content, all large sites and hosting sites have enabled IPv6 by default, trunk operators do not charge extra for the dualstack address at the interfaces. In fact, it became possible to use the Internet in IPv6, and being the first in the region and dragging even a little more subscribers under our wing is a tempting idea.
')
First, we received addresses with the prefix / 32, completely free in the usual way for the provider via RIPE or LIR. It was supposed that at the time of the tests there would be enough of / 48, but then during the design it became clear that / 32 is the best.
It was a bit more complicated with uplinks (now, probably, no longer exists), but such a backbone provider was found, they raised BGP in IPv6 and exchanged prefixes. Currently, BGP fullview in IPv6 has about 22,000 prefixes, which is very small compared to IPv4 where there are more than 500,000. There was even a peering partner who did not mind raising an IPv6 session with us.
If you build networks for at least five years, you had to change a couple of generations of devices, if you build networks for more than 10 years, even using one vendor, some confusion of devices that work properly but which are completely inappropriate should have formed in the network under the new realities. It was definitely known that if IPv6 support is not declared on the router, then IPv6 will not be there, we did not expect any trick from the switches. The estimated coverage on pure IPv6 was approximately 30%, without replacing the hardware.
Subscriber terminals. Here, as it turned out, a completely uncharted territory. If with operating systems everything is more or less clear, then with home routers, who is in that much. It was decided to understand along the way, the main thing seemed to set up the backbone network.
Access control, billing, polishing - application software is the most problematic part if you believe the IPv6 reviews and literature that has been studied. But even here we didn’t see big problems, that it’s difficult to replace one address with another one, especially the iron cheerfully told us that all this can.
If for a moment it seems that / 32 is a lot, you should drive away these thoughts from yourself - / 32 is right next to it. With so many addresses, there is a temptation to do everything correctly and structurally and for life:
Total 256 * 4096 * 256 = 2 ^ 28 ~ about 268 million subscribers each of which, well, a lot of addresses. That's all right.
Since it was initially obvious that it would not be possible for everyone to give away native IPv6, it was decided to give those who were not lucky IPv6 in tunnels. I wanted everything to happen automatically without additional configuration. The ideal option would be teredo, but it did not have the support of our IPv6 addresses, only a reserved range. This also applies to 6to4, the implementation of which implies the presence of public IPv4 on the interface. Therefore, the main tunnel protocol was chosen as a clean tunnel, as in tunnel brokers. Although this required some adjustment, but once, and the support on the devices was much broader.
Backbone routers. It's almost all good. All that is newer than 5 years and declared as a router, or if this L3 switch is not the youngest in the line, has support for IPv6. In varying degrees of elaboration, but the basic functions of OSPFv3, ACL, ND, DHCPv6 including snooping, diagnostic utilities are usually present.
Of course, some devices are prone to childhood illnesses:
But this all passes and is repaired in the near future, as I think. The only thing that this wildcard mask suddenly missed was sometimes it would be useful, but this will never happen - IPv6 is another protocol.
Switches surprised by their selective approach. Perhaps, if you do not use multicast in your network and various options for filtering it, then everything will be fine. But if you are using, then with a high probability of multicast IPv6 traffic will be filtered as unknown. Therefore, for switches, you also need to explicitly look at IPv6 support so that there are no surprises. Coverage area after this discovery decreased slightly.
The tunnels. Oddly enough, the simplest and most effective solution. Raising servers and setting up did not take much time. We raise the sit interface and remember the routes to the connected subscribers through it. An interface for subscribers has been written to let you know if you are using a tunnel, and if not, what should be done to configure it.
Additionally raised teredo relay on miredo. Teredo is a very interesting protocol in itself, even if you only have an IPv6 network, but you do not forget about the disadvantaged ones who have to use teredo, raising teredo relay in your network will greatly improve their lives. Every 10, judging by the ping. Of course, this applies only to your servers; there will be no transit traffic through your relay.
Devices subscribers behave differently. In fact, Windows and Linux did not bring surprises. Different systems and versions have different priorities for IPv6, somewhere in the foreground of DHCPv6, somewhere, even if all IPv6 addresses are obtained, we still work through IPv4. Since they did not intend to turn off IPv4, it was decided to act on the fact, if it does not work. Many routers, in their turn, were pleased with the possibility of including tunneling mechanisms and also quite smart behavior; even without a DHCPv6-PD request, they were able to distribute the / 64 prefix assigned to them to their local network.
But the iron policier let us down. With all his brand authority and painted functionality, I could not digest our requirements, I simply refused to use the new addresses. But not always, but through time, how could I as promised, but I will not. Therefore, the strategy of allocating an address, only / 64 per subscriber, was temporarily revised.
When trunk nodes and tunnel servers were ready, we allowed subscribers to use IPv6. Allowed to use, but the subscribers themselves were not told. Thus, for whom the devices were configured to automatically receive IPv6 (all modern OS), they had to get the addresses and start using the new protocol for the intended purpose. For all those who somehow learned about IPv6, but could not configure natively, it was suggested to go to the tunnel server for configuration.
So it worked for 3 months, for which:
And then we told everyone that we have IPv6. And instead of the expected transition to explosive growth rates, got a rather strange picture. Subscribers started calling us and asking them to set everything up without understanding why it was necessary, not understanding at all, in general. And we suddenly could not explain to ourselves:
Only the server of tunnels was left to work, the last registration on which was on March 9, after 7 months, as the news about IPv6 was removed. The rest was turned off a couple of days after the announcement, realizing that the only result was more calls from those who want to do something, but do not know why, and almost complete unavailability, even in the near future, of software binding. Those who knew why, he did it himself. Now we are completing billing, updating firmware and equipment, and we come to understand that IPv6 is the same protocol as IPv4, the Internet has become ready for this and therefore the “new” protocol itself has become uninteresting. No need to hurry anywhere. No competitor offered anything during this time, although almost all reserved their IPv6 prefixes.
For all those who think that their provider does not have IPv6, try searching - maybe you already have it, you just don’t need it?
Recently, IPv6 has ceased to be new, perhaps this applies only to my communication environment, but it’s stopped to talk about IPv6 as a new protocol. To read about how great it is to raise tunnels for the sake of access to the cherished and inaccessible is not at all interesting. IPv6 has become one of ... It would seem, finally, you can shout "Hurray!", But becoming one of them, he lost his growth driver, becoming ordinary. To prove to the consumer that he needs it became more difficult, the consumer is not ready to pay for one of ...
Under the cut, the continuation of the story , about how we bought tickets for the IPv6 train and stayed on the platform, in the general sense of the failure story, I hope, is not final. This is exactly the story, how IPv6 works, I think everyone already knows, the minimum of technical details and settings, the maximum of personal impressions.
Approximately a little over a year ago, it was decided to give IPv6 to our subscribers. After the first experiments, enough time passed, we looked at the Google chart and wanted not to be late. Subscribers for us are users of the services of a regional Internet provider, classic tirple play: Internet access (without PPPoE and VPN), television (multicast) and telephony. The prerequisites, if we refer to the given graph are obvious - the tunnel protocols are almost gone, there is more native content, all large sites and hosting sites have enabled IPv6 by default, trunk operators do not charge extra for the dualstack address at the interfaces. In fact, it became possible to use the Internet in IPv6, and being the first in the region and dragging even a little more subscribers under our wing is a tempting idea.
')
Start
First, we received addresses with the prefix / 32, completely free in the usual way for the provider via RIPE or LIR. It was supposed that at the time of the tests there would be enough of / 48, but then during the design it became clear that / 32 is the best.
It was a bit more complicated with uplinks (now, probably, no longer exists), but such a backbone provider was found, they raised BGP in IPv6 and exchanged prefixes. Currently, BGP fullview in IPv6 has about 22,000 prefixes, which is very small compared to IPv4 where there are more than 500,000. There was even a peering partner who did not mind raising an IPv6 session with us.
If you build networks for at least five years, you had to change a couple of generations of devices, if you build networks for more than 10 years, even using one vendor, some confusion of devices that work properly but which are completely inappropriate should have formed in the network under the new realities. It was definitely known that if IPv6 support is not declared on the router, then IPv6 will not be there, we did not expect any trick from the switches. The estimated coverage on pure IPv6 was approximately 30%, without replacing the hardware.
Subscriber terminals. Here, as it turned out, a completely uncharted territory. If with operating systems everything is more or less clear, then with home routers, who is in that much. It was decided to understand along the way, the main thing seemed to set up the backbone network.
Access control, billing, polishing - application software is the most problematic part if you believe the IPv6 reviews and literature that has been studied. But even here we didn’t see big problems, that it’s difficult to replace one address with another one, especially the iron cheerfully told us that all this can.
Project
If for a moment it seems that / 32 is a lot, you should drive away these thoughts from yourself - / 32 is right next to it. With so many addresses, there is a temptation to do everything correctly and structurally and for life:
- / 60 - to the subscriber. It is possible and / 64, of course, but / 60 is forever, and it will not be necessary to come up with something separately for those who need more;
- / 52 - per node, at the rate of 256 subscribers;
- / 40 - per area, at the rate of 4096 nodes, by the number of wilan per device;
- the rest is areas, a maximum of 256 minus service networks.
Total 256 * 4096 * 256 = 2 ^ 28 ~ about 268 million subscribers each of which, well, a lot of addresses. That's all right.
Since it was initially obvious that it would not be possible for everyone to give away native IPv6, it was decided to give those who were not lucky IPv6 in tunnels. I wanted everything to happen automatically without additional configuration. The ideal option would be teredo, but it did not have the support of our IPv6 addresses, only a reserved range. This also applies to 6to4, the implementation of which implies the presence of public IPv4 on the interface. Therefore, the main tunnel protocol was chosen as a clean tunnel, as in tunnel brokers. Although this required some adjustment, but once, and the support on the devices was much broader.
Implementation
Backbone routers. It's almost all good. All that is newer than 5 years and declared as a router, or if this L3 switch is not the youngest in the line, has support for IPv6. In varying degrees of elaboration, but the basic functions of OSPFv3, ACL, ND, DHCPv6 including snooping, diagnostic utilities are usually present.
Of course, some devices are prone to childhood illnesses:
- The increased load on the CPU (especially OSPFv3), although IPv6 should have solved the problem of lack of computing power;
- Some manufacturers come up with a completely creepy syntax to fit the IPv6 configuration into an existing interface;
- Basic diagnostic commands do not always work correctly. Even trying to check something ping can end sadly.
But this all passes and is repaired in the near future, as I think. The only thing that this wildcard mask suddenly missed was sometimes it would be useful, but this will never happen - IPv6 is another protocol.
Switches surprised by their selective approach. Perhaps, if you do not use multicast in your network and various options for filtering it, then everything will be fine. But if you are using, then with a high probability of multicast IPv6 traffic will be filtered as unknown. Therefore, for switches, you also need to explicitly look at IPv6 support so that there are no surprises. Coverage area after this discovery decreased slightly.
The tunnels. Oddly enough, the simplest and most effective solution. Raising servers and setting up did not take much time. We raise the sit interface and remember the routes to the connected subscribers through it. An interface for subscribers has been written to let you know if you are using a tunnel, and if not, what should be done to configure it.
Additionally raised teredo relay on miredo. Teredo is a very interesting protocol in itself, even if you only have an IPv6 network, but you do not forget about the disadvantaged ones who have to use teredo, raising teredo relay in your network will greatly improve their lives. Every 10, judging by the ping. Of course, this applies only to your servers; there will be no transit traffic through your relay.
Devices subscribers behave differently. In fact, Windows and Linux did not bring surprises. Different systems and versions have different priorities for IPv6, somewhere in the foreground of DHCPv6, somewhere, even if all IPv6 addresses are obtained, we still work through IPv4. Since they did not intend to turn off IPv4, it was decided to act on the fact, if it does not work. Many routers, in their turn, were pleased with the possibility of including tunneling mechanisms and also quite smart behavior; even without a DHCPv6-PD request, they were able to distribute the / 64 prefix assigned to them to their local network.
But the iron policier let us down. With all his brand authority and painted functionality, I could not digest our requirements, I simply refused to use the new addresses. But not always, but through time, how could I as promised, but I will not. Therefore, the strategy of allocating an address, only / 64 per subscriber, was temporarily revised.
Earned
When trunk nodes and tunnel servers were ready, we allowed subscribers to use IPv6. Allowed to use, but the subscribers themselves were not told. Thus, for whom the devices were configured to automatically receive IPv6 (all modern OS), they had to get the addresses and start using the new protocol for the intended purpose. For all those who somehow learned about IPv6, but could not configure natively, it was suggested to go to the tunnel server for configuration.
So it worked for 3 months, for which:
- Native IPv6 traffic grew linearly and reached approximately 1-2% of total traffic;
- Structurally: mainly web and video via web, no torrent;
- The number of subscribers also grew linearly to about the same size;
- About 1000 subscribers registered on the tunnel server, which generated traffic comparable to the native one;
- Even traffic via teredo relay amounted to 50 Kbps.
And then we told everyone that we have IPv6. And instead of the expected transition to explosive growth rates, got a rather strange picture. Subscribers started calling us and asking them to set everything up without understanding why it was necessary, not understanding at all, in general. And we suddenly could not explain to ourselves:
- Many addresses. On average, there may be more active devices for a subscriber who needs access to the Internet 2-3, the gadgetning wins. But even now it is more than covered by a private address space without IPv6. Although each subscriber is up to 2 ^ 24, although for all subscribers 2 ^ 24 - now this is more than enough;
- Every address is public. Now we have all the addresses when accessing the Internet get a unique public address through NAT. Yes through NAT, but from the point of view of the final subscriber, NAT as the primary filter is very good. IPv6 attacks every connected device;
- IPv4 is running out. If you go from NAT to PAT (NAPT) when multiplexing 1 to 2, saving 2 times - twice the number of connected subscribers. Such multiplexing is not noticeable at all, to anyone, 1 to 10 are more realistic values. And for those who really need public addresses after such a transition, they are easy to find. This does not negate the fact that IPv4 is ending, but providers with fully understood NAT technology will be noticed by the latter. Many probably already use NAPT or already cgNAT, but IPv4 can still be bought or rented, and quite freely. Prices have risen, the list of proposals has decreased, but there is still at least a couple of years before the situation “there is nothing”;
- Automatic settings. For the provider, stateless technologies are terrible, total control is the key to success. Giant number of IPv6 addresses of different types on the same interface, huge potential error potential. If you do not follow the addresses, most of the network will turn into a botnet and it will be too late to change something;
- Multicast vs. Broadcast. Switches do not care, sometimes even badly, the logic starts to fail when using different filters. At the network level, instead of 192.168.0.255/24, the same FF02 :: 1, i.e. don't care either.
Total
Only the server of tunnels was left to work, the last registration on which was on March 9, after 7 months, as the news about IPv6 was removed. The rest was turned off a couple of days after the announcement, realizing that the only result was more calls from those who want to do something, but do not know why, and almost complete unavailability, even in the near future, of software binding. Those who knew why, he did it himself. Now we are completing billing, updating firmware and equipment, and we come to understand that IPv6 is the same protocol as IPv4, the Internet has become ready for this and therefore the “new” protocol itself has become uninteresting. No need to hurry anywhere. No competitor offered anything during this time, although almost all reserved their IPv6 prefixes.
For all those who think that their provider does not have IPv6, try searching - maybe you already have it, you just don’t need it?
Source: https://habr.com/ru/post/257147/
All Articles