Re: REVIEW NEEDED: draft-ietf-v6ops-ent-analysis-00.txt (fwd)

[Heikki Vatiainen <hessu@cs.tut.fi>]

Here are my comments on the enterprise network analysis draft.  They
are based on our experience on enabling IPv6 on a part of our
university's network.  What we have been doing falls nicely under the
wide-scale dual-stack deployment category with work-arounds to cope
with routing infrastructure that is not IPv6 capable.

Here are the comments:


  4.4.2  Deploy a parallel IPv6 infrastructure
[cut]
  Such an approach means acquiring additional hardware, but it has the
  advantage that the existing IPv4 routing platforms are not disturbed
  by the introduction of IPv6.

I think dual stack has been available long enough that the potential
for disturbance is not great enough to justify a parallel
infrasturcture for IPv6.  In fact, I would recommend that parallel
infrasturcture is only built if no other options, such as upgrading to
dual stack routers, are available.

The problems we have noticed with running a parallel infrastructure
touch many areas.  I try to enumerate our findings in the following
paragraphs.

The parallel infrastructure forces you to have two times the
documentation about the network.  If e.g. intra-organization packet
filtering is done, you have to literally think and check twice that
the filters are set up as required.  With dual stack you may need to
create two sets of filters, one for IPv4 and one for IPv6, but at
least they apply to the same interface on the same router.

If the network is built using VLANs one can extend (trunk) the VLANs
to the new IPv6-only routers.  If the new IPv6 routers are physically
and/or network topologically close to the existing IPv4 routers, this
may be easy to accomplish.  The fourth paragraph discusses the use of
one router to serve many VLANs by "collapsing" them to one router
interface.  If the VLANs are not already topologically close to the
new IPv6 router one has to grow the existing VLAN coverage.  Nobody
wants to do this since this is yet another step to a VLAN spaghetti
network.

When thinking about the routers, IPv6-only router may cause
surprisingly many problems with network and router management.  Our
IPv6 only router does not do at least SNMP, Syslog or NTP over IPv6
transport.  One may think this is only a short term problem, but the
router is only half of the problem.  The other half are the management
applications that are used to monitor and manage the routers.  If dual
stack routers are used, management applications can use IPv4 transport
making the lack of IPv6 transport a less or even a non problem.

In conclusion, I think building a parallel IPv6 infrastructure
initially looks like a non-disturbing approach but a closer looks
shows that it does contains many issues that may cause disturbance
later on.  Finally, the last paragraph of 4.4.2 mentions that the
parallel approach should be viewed only as an interim step.  The
history shows that interim tends to become Integrated or permanent or
otherwise established, so why not use the resources to do dual stack.




  7.3.1 Obtaining external connectivity
[cut]
  It is not recommended to use 6to4 [6TO4] or a tunnel broker [TBRK]
  for an enterprise deployment.  The enterprise has a requirement for
  long-term, stable IPv6 connectivity.  6to4 and the tunnel broker
  are more appropriate for SOHO or single node environments.  Use of
  6to4 also prevents the enterprise adopting aggregatable global IPv6
  addressing from the outset.

I think the stability and availability of 6to4 relays is more of a
problem than the availability of stable 6to4 prefix.  I do not see
enterprise chancing its IPv4 addressing and thus is 6to4 prefix very
often.

However, with 6to4 the enterprise is putting its reachability towards
non-6to4 IPv6 Internet into hands of the closest 6to4 relay operator.
This should not cause problems if the relay is well supported.  The
reachability from the non-6to4 IPv6 Internet back to the enterprise
depends on the relay closest to whoever someone from the enterprise
was communicating with.

I would prefer tunnel broker over 6to4 in the draft.




  7.5.2  Supporting remote access
[cut]
  Such an aid may be either a tunnel broker [TBRK], ideally one that
  supports operation through an IPv4 NAT, or a 6to4 relay [6TO4].  If
  a 6to4 relay is offered, the site should be aware of security
  issues with operating 6to4 relays [cite ref?].

I see enterprise's user working off-site as someone who establishes a
VPN connection back to the enterprise.  When the VPN connection has
been established, the user gets an IP address from the enterprise and
all or some of the traffic is tunneled back to the enterprise over the
VPN connection.

Even if the user is behind a NAT he can still access 6to4 relay over
the VPN connection. The 6to4 relay could even use the well-known
anycast address if all traffic is tunneled or the route towards the
well known address can be set to point to the tunnel.

If the user does not have VPN access and NATs and other filters and
packet manglers cause problems then the enterprise should provide VPN
service for the user.  Advanced VPN implementations may support IPv6
over IPv4 VPNs directly making the need for remote access aid
non-existent.

-- 
Heikki Vatiainen                  * hessu@cs.tut.fi
Tampere University of Technology  * Tampere, Finland