An Enterprise IPv6 Address Planning Case-Study

Captions
I work with Ed in the Infoblox IPv6 Center of Excellence; he's a technical advisory board member for us, along with Scott Hogg, and we've been doing what we can to drag the enterprise mule to adopt IPv6. It's been a long, thankless road, but I think we're seeing some progress. In the presentation that I have today, hopefully there's enough IPv6 knowledge in the room that a lot of what you're going to be seeing is information that you're already familiar with. I'm going to try to present it in the context of how an enterprise sees address planning, both in terms of how we recommend address planning as a first step that enterprises can take, and then the principles that go along with address planning that enterprises have to become comfortable with in order to make sure that their address plan is something that's going to work for them longer term.

In addition to that I have a number of, well, at least one digression that hopefully isn't too distracting. I have to apologize to Ed and Scott; they've seen many of these slides over and over again, and so I try to throw something new in to make it a little more interesting for my closest colleagues. As we go through it, if you have questions related to anything that I talk about in the presentation, please feel free to ask later or offline. It's really coming from a place of: what's the best way to inspire enterprises to move forward with IPv6 adoption, to commit to an IPv6 adoption initiative? One of the biggest feet in the door, as it were, is the IPv6 address plan, something that every organization, whether it's an enterprise or a service provider or anyone else, is going to need when they start thinking about how to adopt IPv6. Again, these are, I'm confident, not controversial ideas for the folks in this room, I certainly hope not, but if we have any contrarians in here I'd love to have that discussion around
this basic idea. I kind of want to just give a shout-out to Jeff Doyle. It was the Texas IPv6 Task Force meeting a few years back, I think in the 2013 range, actually before I wrote the book, and Jeff was talking about the amount of IPv6 address space that we have at our disposal to assign to organizations. We've all seen a lot of analogies to compare IPv4 to IPv6, and I'll be putting one up on the screen here in a moment, but Jeff had a statistic related to the consumption of /48s, which is a pretty good metric for how we're consuming IPv6, since we can't really think in terms of host addresses, as we'll see in a moment. The idea was that even with the consumption metric of the /48, out of the existing global unicast allocation, by the year 2100 (and Jeff, you can correct me if I get this wrong) there would still be enough /48s to give the population of planet Earth, which at that point should be somewhere around 15 billion people, 2,200 /48s each, out of the existing /3 global unicast allocation, which of course is only 12.5 percent of the overall IPv6 address space.

That statistic made a light go on over my head. I've been talking to a lot of enterprises about IPv6 adoption, getting them inspired to try to tackle what they need to tackle that's explicitly going to affect their business, and some of the arguments that we make to enterprises are very much about risk management: you're already running IPv6 internally, you're not really managing it effectively, it's running on all your desktops and all the mobile devices that people bring in, it's preferred by default, you need to manage that, you need to get your arms around IPv6 running on the network, have some visibility into it, and effectively manage it. The
second, sort of implicit, argument is that you probably have folks that are trying to access your content coming from IPv6 devices. You can't prove a negative; you can't show, for instance, that somebody is not experiencing a limit to their user experience accessing your content if you've made it available over IPv6. But you can infer that if you have a competitor who has made their content available over IPv6, then that competitor has removed from the equation the possibility that an IPv6 device attempting to connect to IPv4-only content might experience some degradation of the user experience, and therefore a competitive advantage accrues to your competitor who's making their content available over IPv6 at the same time as IPv4.

As you can imagine, these aren't super compelling arguments for enterprises. It's not a situation where if you don't adopt IPv6 tomorrow you're going to show up at work and the network's just going to be down and offline, but they are compelling enough that we have a significant number of enterprises, based on those types of implicit arguments related to the value of v6 adoption, thinking: okay, what are the best first steps? One of the first things that they run up against is: well, I've got to go out and get IPv6 address space, obviously, if I'm going to run IPv6 in the network. They start to get their minds around the fact that they're going to be running a global unicast allocation, that they may be running publicly addressable, publicly available addresses within the corporate LAN, that sort of thing. Those are longer-term issues for them to look at, but the very first thing that they'll need to be able to do is go get an IPv6 allocation and start to figure out how they're going to carve it up, and right away, this is the moment where they almost
inevitably, at least in the early days, would make a fatal error, based on this concept right here: there is no practical equivalent to address conservation in IPv6 as there is with IPv4, and when I say address conservation I'm speaking specifically of host address conservation.

So here's the de rigueur IPv4-to-IPv6 analogy: the limits of the adjective "astronomical." Somebody says, well, how big is the IPv6 address space? You say, it's astronomical, dude. It's an easy adjective to toss out there, but it's not sufficient for the purposes of describing the size of the IPv6 address space, as we'll see. If you do the calculation, you start with an average-size galaxy such as the Milky Way. We've been told that it's average size; I think our new dear leader will insist that this is the best galaxy, and it's huge, and we're going to be the best galaxy that we can be with our 400 billion odd stars. Then the number of galaxies that we have estimated in the universe, I don't imagine that somebody's actually gone out and counted this, but it's somewhere in the neighborhood of two trillion. This was actually revised upward recently, so it's a big fat error in my IPv6 address planning book, where I think I have a different number of galaxies in the universe, which affects the calculation, as we'll see. Doing a little bit of division here, I'm going to take the total size of the IPv6 address space, 3.4 times 10 to the 38th, the total number of host addresses that are available, and I'm just going to divide that by the number of what would appear, by this estimate, to be stars in the universe, and as you can see you're left with 430 trillion times more addresses than there are estimated stars in the universe. So "astronomical" as an adjective to describe the IPv6 address space doesn't really work, but this is incredibly impactful when enterprises start thinking about getting an IPv6
allocation and start thinking about how they're going to carve up that space. They immediately are thinking in terms of how they've done everything in the world of v4 in the past, and we'll see some specific examples of that going forward. But here's the early enterprise IPv6 adopter. He shows up at one of the regional Internet registries, or Bob's ISP and Lawnmower Repair, and he's really excited because he's beat the rush. This is like 2010 or 2011, back when we were deploying IPv6 at Limelight, trying to figure out how to get enterprises excited about connecting to IPv6; nobody really cared except for a few. But the early enterprise adopter gets his /48 and he's off to the races, right, because, man, that's a huge amount of address space. So it's a non-controversial fact that a /48 is certainly more than enough address space to number your enterprise, but then so is a /64, right, or a /80, or even a /96. You can have an entire Internet for your enterprise with a /96. But of course the rule is we're not supposed to subnet to the right of the 64 bits, right? So as much as we make a fuss about an analogy showing the comparison of IPv4 to IPv6 in terms of number of host addresses, the reality is with v6 we're cutting the address space right in half, and in terms of routing, in terms of numbering, we're just going to take half of those addresses and consider them; we're going to think in terms of the prefixes rather than the host addresses.

Here's a quote on the UNIX philosophy that I dug up on the Internet, and if that's true, then if you're used to making do with a /8 in your enterprise, or multiple private address ranges, a /48 gives you enough rope to get to the moon a billion times. It's quite a bit of address space. But here's the problem: we can assert all day long that you've got more than enough address space to address your enterprise, and
clearly that would be the case; if somebody just handed you a /96 you'd be off to the races. But this pernicious fear of wasting host addresses comes out of the survival mechanism that we had to deploy back in the '90s. John was talking about coming up with IP Next Generation; what are we going to do in the meantime? Well, we've got this VLSM hack, we've got CIDR, instead of just handing out /8s and /16s and /24s, which, if you think about it from a routing standpoint, from an address planning standpoint, from an operational standpoint, is actually pretty cool. If I have a block of addresses that represents a particular location or function, if I can just throw a /16 at a particular site and know that in perpetuity that site is always going to be reachable through that /16, there's a relative amount of power there, and of course back then router CPUs were expensive, and so it made it a lot easier and cheaper to route those blocks if you could keep everything on those octet boundaries. But of course the horse left the barn, because we were just running out of v4 space; we needed VLSM and we needed to make sure that we weren't using IP addresses inefficiently. When we use the word "inefficient" in the context of IPv4 addressing, we're thinking in terms of efficiency as represented by the number of addresses that we're consuming, and that's the IPv4 thinking problem.

So the single biggest risk to an enterprise that's coming to IPv6 for the first time and doesn't necessarily know what they're looking at is the IPv4 thinking: I can't waste host addresses. There's really no host address conservation; it's not an operable concept in IPv6, and we'll see why here in a moment. I have to allocate by single bit: I'm so used to doing VLSM, I'm going to just peel off a single bit and make sure that I carve down my subnets to a size where I don't waste any addresses.
Well, in v4 we have that; in v6 we have the concept of nibble boundaries, which allow us to do some organizationally and operationally powerful things when we're dealing with managing the network IP space and managing the network that it's actually addressing. And then of course: I must make do with whatever initial allocation size I got from the ISP or the regional Internet registry. Most enterprises, and we'll see this later in the presentation, don't have a history of interacting with the RIRs directly. The larger enterprises do; they may have gone out and gotten IPv4 blocks in the past, in many cases if the organization is big enough. But if you're not a service provider, usually, from my experience with enterprises, they just don't have a solid background of working with the regional Internet registries, and so as a result they're more inclined to just think in terms of the quantity of IP addresses that they got, either from the ISP or the RIRs, as this non-fungible quantity: I have to work with what I have. You want an allocation large enough to fit your best design, to fit a design in IPv6 that operationally makes sense for what your network looks like and what you're trying to accomplish with operational efficiencies in the network. If you realize that you don't have an IPv6 allocation that's large enough to be able to do that, then you simply go back to the regional Internet registry and you get a larger allocation. This is not something that you can really do with IPv4, right? In most cases enterprises are using private address space; they can start doing strange things with VRFs in the data center, do things like VXLAN, stitch things together, all sorts of NATting and bizarre things to try to extend the life of the private addressing, but it doesn't typically work very well.

Probably the best example of how IPv4 thinking is impactful to the enterprise admin who's come to the IPv6 address planning part of IPv6
adoption has to do with what we do with interfaces in IPv4. If I have a data center and I've got some servers that are running on a segment and I can just throw a /24 at that segment, that makes me pretty happy, because I've got a consistently sized block and I've got 254 available host addresses, and I know I can number up to about 192 of those, and then I'm at 75 percent utilization and I have to start thinking about: okay, am I going to expand the assignment that I've made on that interface, am I going to peel off another bit, allocate a /23 for instance? Usually it's the opposite of that, where I've got a smaller number of servers and I want to carve that subnet down to the point where I'm not wasting any address space. But assuming that I could consistently use /24s, that's pretty operationally efficient, because I've got a tidy boundary for ACLs or any routing summarization that I might need to do (that's not as much of an issue today as it has been in the past) and I've got some room for growth on the segment. Of course, that's not how things work in the real world. One segment might have eight hosts, and then I'm left with this exercise: what do I do? Okay, I'm going to use VLSM, because I don't want to waste host addresses. The efficiency of IPv4 addressing is measured in terms of how many host addresses I don't waste, so that's 57 percent utilization if I put a /28 on that segment. With 30 hosts, option one is I can do a /27; I've got no room for growth on that segment, but that's quote-unquote maximally efficient for that segment. Now I've used all of the addresses available in that particular subnet; of course, if I want to add additional servers I have to do a secondary address scenario or I have to renumber the segment. Option two would be I give myself a little more
room for growth, but then theoretically I'm not as quote-unquote efficient, because now I'm setting aside a large number of host addresses that are just not going to be used. Same exercise with 119 hosts, but you get the idea. VLSM: this is what we've had to do for 20 years, right? Because we haven't had the address resources to be able to number the network in the way that makes the most operational sense, we've had to do this constant exercise of carving down subnets to make sure that we don't over-consume IPv4 addresses that are in scarce supply.

Well, what happens in IPv6? Everything just gets a /64, far beyond the limit of what I'm allowed to do in terms of mapping layer 2 to layer 3 addresses based on the amount of memory that I have on the routing device or the switching device. So in this IPv6 interface assignment exercise, every LAN or VLAN gets a /64. But this is the other point that's worth making about abundance again: it doesn't matter whether I use 8 hosts or 30 hosts or 2,000 hosts or 10,000 hosts or a million. If I could somehow put a million servers on a segment and know that the layer 2 to layer 3 mapping wouldn't fall over on the hardware side (I can't do that, but if I could), is there really any numerical difference between having 8 hosts on a segment, dividing that number by 1.8 times 10 to the 19th, versus having 10 million hosts on a segment and dividing that same number by 1.8 times 10 to the 19th? Because that's how many host addresses I have available on a /64. There's no difference; you're talking about a long string of zeros to the right of the decimal place before you get to the interesting numbers.

This is keenly felt, and the first time I noticed it was deploying IPv6 at Limelight, when it came time to do the point-to-point links. The point-to-point links caused a great deal of
consternation, because at the time there was still some debate about whether or not we should be using a /127 or /126 versus a /64 on a point-to-point link. That debate had nothing to do, and still has nothing to do, with this; if anyone wants to have that discussion about whether or not to use a /127 versus a /64, I'll be somewhere else having a drink while you're having that discussion. It's still a debate, apparently; it still gets brought up occasionally. But the reality is, when I had to deal with it in addressing a large, globally sized IP backbone, the vendor that we were using at the time had come up with a fix for the security risk of running a /64 on a point-to-point link, which is basically that there are a couple of different attacks that you can do: you can exhaust the neighbor discovery cache and cause the interface to go down. Of course we don't want that in our big beautiful IP backbone; we can't have interfaces going down. But at the time Brocade had fixed that particular problem, so I was perfectly able to configure a /64 on a point-to-point link. Setting aside a /64 on a point-to-point link, in the context of wasting addresses, this is break-into-a-cold-sweat time if you're used to only configuring, say, a /30 or a /31, if you could support that in your hardware. It's very nerve-wracking to think about putting a /64 on a point-to-point link, and the loopback interfaces get a /128.

So the limits of IPv4 address planning that enterprises are bringing with them as they move into IPv6: there's never enough addresses, right? You never have enough host addresses, you never really have enough prefixes or network bits in order to be able to do some interesting things, like track your network from an operational standpoint in terms of where prefixes are assigned. When I first got
into doing the address planning for v6, I had to think back about where I was working when I realized, oh cool, I've got this 10/8 and I've got the second octet and I can map some location into there, right? I've got 8 bits to play around with, and I'm like, that's pretty cool, I can take that second octet and I can make it so that this is data center 1 or data center 2. So you start off down that path, and then I've only got the 8 bits, only got 254 possible values in that location, and the same thing goes for the third octet, and so before you know it you're painted into a corner where you just don't have enough bits, you don't have enough prefixes, unless you want to peel off an additional 10/8, and then of course you've got overlapping space. You certainly can't do it with public address space; most enterprises, unless you're like an old-school HP or whatever sitting on a couple of /8s back in the day, couldn't really pull that off, and even then you're still only dealing with the number of network bits that you get out of a /8. What that then prevents you from being able to do is easily mapping hierarchy into your address plan. As we'll see, it's easy to get carried away with that; you can definitely do too much of that kind of assignment of function and location into the network prefix, which then causes your address plan to become very rigid and not necessarily scale very well. But it's not even possible in v4 in most instances where you have the standard complement of IPv4 addresses to play with. With v6, however, you've got unlimited host addresses and sufficient bits on the network side of the address to accommodate whatever network structure you want to represent for operational purposes, so that should be a very powerful tool to apply to your network operations, whatever they happen to look like.

So then, some basic principles that come
out of that in terms of planning, that we try to relate to enterprises as they start off with their v6 address plan. I don't know if I mention it later in the presentation, but I'll just go ahead and throw it out there now: you've got a chicken-and-egg problem with the initial IPv6 address plan that an enterprise is going to use, because they need to have enough information about how big their network is, and how to think about the size of their network in the context of IPv6, in order to be able to make some decisions about how large of an allocation they need. If they don't do that properly they end up with too small of an allocation and then they have to redo the address plan. It's pretty normal to have to redo a v6 address plan, from my experience, a couple of times. Part of the reason I wrote the book was to try to help enterprises reduce the amount of iteration that they had to do when they did the address plan, but they will still need some basic principles to do the initial address plan, to determine the size of allocation that they should really be asking for, because a proper v6 address plan requires a sufficiently large IPv6 allocation.

So the most important v6 subnet sizes when you're doing this assessment up front: first, the organizational allocation, which is the overall size of the largest v6 block that you're going to get. Then the site assignment, which would be: how many sites do I have in my enterprise? When we say sites, in general we're thinking in terms of sites that are maybe connected together over MPLS, sites that are geographically dispersed, and I'm going to have to determine an address plan that, just to make a routing protocol analogy, would be the inter-area address plan versus the intra-area address plan: how those sites connect together and how many
v6 network prefixes I'll need in order to address those sites. And then interface subnets within each site: I've got some block of interface subnets that I can assign, and I can still do hierarchical planning using that range, from where I assign the site (the inter-area plan versus the intra-area plan), with the number of bits that I have left over once I've assigned a block to a particular site. And then of course the allocation type, right? Provider-assigned, you get it from an ISP; typically best for single-homed networks, and this is a block of address space that you do not own and would have to give back if you were to change ISPs. So we've got the provider, we've got the customer that decides that they're going to switch, and then they have to turn over their provider-assigned address space, unless they want to use something like NPTv6 and use ULA on the inside of the network, and for a small single-homed enterprise that's okay; they can get away with it. If you have more than one site, in general the recommendation is that provider-aggregatable addresses, provider-assigned addresses rather, are not going to work; you need provider-independent, which you get from a regional Internet registry. These are portable, so no matter where you decide to connect, what ISP you decide to connect to, you'll always have that block of addresses. And so of course we're recommending to enterprises: get a provider-independent allocation from the regional Internet registry. In general these are medium to large size enterprises, and if they haven't already done it (because many have, and in some cases gotten too small of an allocation) we recommend: make sure that that address space is portable, so that no matter what happens down the road, the address plan that you're doing today, you can guarantee that it's going to endure through whoever
you decide to use as a provider down the road.

So how big should an organizational allocation be then? For most enterprises, between a /32 and a /44, and that's just based on the simplest assessment of how many sites I have: if I have more than one, a /48 is not a large enough allocation, just on that basic metric. Then if I think in terms of nibble boundaries, right, I'm thinking in terms of these certain ungranular buckets of 16, 256, 4096 and 65,000, and so if I think in terms of getting an allocation based on the number of sites that I have, I can use that guideline of the nibble boundary. If I have more than one site, well, I'll need at least a /44; that gets me up to 16 /48s, so I can play around with it. Then I can think in terms of the way ARIN thinks in terms of utilization, which as a rule of thumb works well enough: 75% utilization is around the time that I want to start thinking about getting more space. If that's the case, then if I have more than 12 sites I should immediately be jumping up to the next nibble boundary, which is the /40, which gives me 256 /48s; if I have more than 200, more than 192 sites rather, then I'm up to a /36, which is 4096, and so on up to 65K. So if you are looking at your network as an enterprise and you're thinking in terms of the total number of sites you have, and you're applying this basic logic, you have to be comfortable with the idea that a /48 is assigned per site within the organization as a sort of minimum allocated size. Now you could certainly use a prefix between a /48 and a /64 to assign to a site, but there's a reason why, in general, a /48 per site is what I generally recommend to enterprises, especially for inter-site address planning where I'm looking at sites that are geographically dispersed: I might have a data center that today goes through,
goes over an MPLS WAN to an Internet head-end point that's in another location, but tomorrow I might want to take that same data center and plumb it directly to the Internet. I can only do that if I've assigned a /48 to that site; I can only directly route to the Internet because the /48 is the smallest routable prefix in v6 land. So in general I make that recommendation, and again these are rules of thumb: there's no law that says you can't assign something smaller than a /48, and as we'll see in the case study that I'll show later with an actual enterprise, you can certainly assign larger than a /48 to a site.

Yeah, you had a question? [inaudible audience question] Exactly. And the revolution in thinking shouldn't be understated there, right, because it's very nerve-wracking to be like, oh crap, I don't have enough bits here, so I just need to do more subnetting. That's just the automatic impulse that we have from v4: well, I'll just carve it up into a smaller block. And that's fine, it works, but as we'll see in a moment, you lose the tremendous operational visibility into the network that you get out of having these prefixes that are assigned on nibble boundaries.

So what constitutes a site in IPv6? It's a logical construct; you need a definition that makes operational sense for your organization, for your enterprise. You could have asked John when he was up here, hey, what's ARIN's take on what is a site? Silence, right? As far as the regional Internet registry is concerned, they're not going to define a site for you. You're going to define a site as whatever makes operational sense for your network, and it can be based on network topology, routing, security policy, whatever you would like it to represent. In fact, networks seem to be flattening out in some instances, where there isn't necessarily a whole lot of routing hierarchy necessary
anymore, because of the processing power that's available now in routers. So you may not be concerned about something like routing summarization; your network may be relatively flat, but that doesn't mean that you still can't take advantage of the idea of having a prefix represent a certain location. From an operational standpoint that's really powerful, because if DNS goes away for some reason or somebody misconfigures it, if you have an operational background troubleshooting networks at the IP layer, then you're used to looking at prefixes and used to asking the question: where does that prefix live? Well, in v6 I can assign a prefix to a particular location, and with the capacity of that prefix I know that that's the last assignment that anyone will ever make on that network for that particular location or that segment, because there's no reason I'll ever have to renumber into a larger prefix; I'm giving myself a large enough prefix up front. So it's based on what maximizes operational efficiency.

So the site /48 concept: you can get a larger or smaller allocation depending on what makes operational sense, but again, address conservation in the form of host addresses is not a consideration, and if you don't have enough /48s for the plan that you've come up with for your enterprise network, then you just go back to the regional Internet registry and you get a larger block. The story is that the RIR is holding contiguous bits in reserve, so if I went and got a /32 then there's a /31 waiting for me, or potentially a /28, and that's a contiguous range, so then I'm not having to have a block that potentially has... Not that, in some cases, that wouldn't work, depending on how your network is configured, but in some cases you want that contiguous space.

So here are some examples of IPv6 sites. That's an actual German fire truck in the lower right-hand corner, and that's based on the fact that, I don't remember which canton it is
in Germany, but they have, it might actually even be nationwide, I'd have to go back and look, but they use mobile IPv6 and they're using a /48 per fire truck, which I think is pretty cool. But the most ridiculous example of course is the one above that: you get your Hurricane Electric tunnel, have your /48 routed over the tunnel to your laptop, so you have your, whatever that is, 1.2 times 10 to the 24th addresses routed to your laptop over a single connection. That's how Hurricane Electric decided to define how they were going to consume a /48 per user, and they got a large enough address allocation to be able to support that without any pushback from the RIR. So if we do subnetting strictly on nibble boundaries, then again here's this example of the very sort of granular buckets that we get, and then we have to think in terms of how, whatever we're assigning prefixes to in terms of the entities that represent our network, whether it's geographical sites in the form of, you know, campus headquarters or corporate LANs or regional offices or data centers or whatever that might be, whatever those entities are that we've identified and that we want to uniquely identify with a prefix, a network prefix in v6, as long as I stick to that nibble boundary I have an unambiguous representation of where that particular function or location, that entity, is on the network, and then I just think in terms of how many of those entities do I have. For inter-region planning, then, typically this is the assessment that we would use, and as I described earlier, depending on the consumption, the number of sites that you have, you would make your allocation assessment based on that. And then within the site, so this would be the intra-area planning, and this is, as we'll see in the case study, some organizations are really concerned about laying out the hierarchy, other ones aren't, so you might have a site and you might just monotonically start
assigning /64s out of the /48 that you have available. That might be likely in a data center scenario, or you might have a multi-tenancy data center where you want to actually have some hierarchy based on the tenants that you have, and being able to separate out that space both from an operational standpoint and from a configuration standpoint. But they make the prefix more legible: so if I have a subnet that's in a multiple of 4 in v6, then it's very clear that I have a range that starts, as you can see there, with those final five hextets; it's very consistent and I can look at that prefix and know what /48 I'm looking at. As soon as I peel off another bit and move away from that nibble boundary, I end up... well, that didn't... why not? So you should be looking at the first character to the right of the colon, and you can see that I could have a /49 and I would have to expand out the rest of the network address in order to know which half I was looking at, which /48 I was looking at, and that becomes operationally somewhat more ambiguous, so not as advantageous. So then I can take location and function and map it into my site, into my prefix at my site, and so here's just a simple example of, say, take the first nibble, break it into /52s. I have 16 /52s, and then in each of those /52s I can jump immediately to the interface level and give myself 4096 /64s that I can assign. Of course I could carve it up differently if I wanted to: I could have 16 /52s and each of those 16 /52s would give me 16 /56s, so depending on what the security policy looks like within my site, you know, maybe I'm carving things up according to what will make the tidiest ACL entries, but I've got the ability to do that as long as I stick to the nibble boundary. I mean, clearly I can do it if I don't, but it just makes it easier to read and easier to track in v6 land. So that's mapping function and location based on, say, within the site I've got a
different building here; I assign a /52 to each of the buildings and then I'm off to the races with 4096 VLANs per building. That would be one way to do it; it's just one example. Well, at the end of this exercise, for most enterprises when they first start off with v6, if they start learning about these principles, generally what happens is they realize that /64 per interface, /48 per site, nibble boundaries, using PI space, and it's like, oh crap, and a large enough allocation: the guy that got the, the early adopter that got the /48 is like, I don't have enough address space to make my IPv6 address plan operationally effective. I could certainly make do with the space that I have, but I can't leverage this ability to map function and location into the prefix, and I may have done strange things with the subnetting just because I'm paranoid about using too much IP address space. So enterprises, as I mentioned before, they don't have a history of going directly to the RIR to get address space; it's not something that they're necessarily comfortable with doing. So when I have this conversation with enterprises to talk about IPv6 adoption and the address plan, there's generally a lot of hand-holding related to, say, reaching out to ARIN, and there's a lot of fear and uncertainty about the block that they'll be able to get: oh, I'm afraid to ask for, you know, I can't ask for a /36, that's crazy, that's so much address space, and they're going to give it to me? I have to, like, guide them to the point where they're comfortable with the idea that ARIN doesn't have a vested interest in denying them the amount of space that they need to make their network addressing plan operationally efficient, quite the opposite. And in fact, you know, John is very assiduous about saying it's the community, it's the ARIN community, that's setting these policies, but there's a lot of leadership that comes from folks like John who have
insisted that the goal is to help grow the internet, help make the internet, you know, the promise of v6 of having, you know, essentially unlimited addressing, and to be able to leverage that to whatever the internet looks like tomorrow, setting aside whether that's a horror show for security reasons, just getting everything online. ARIN's done a really good job of making sure that they're not the bottleneck in terms of providing the IPv6 address allocation that enterprises need. So here's the digression that I mentioned earlier. Related to v6 address planning, there's a peculiar... anybody know who this is? Do they recognize this character, either based on the snippet of the proof that's up there or the photo? Cantor, who said that? Yeah, if I had a copy of my book, maybe I'll give you a copy of my book as a prize. Yeah, Georg Cantor, the Swiss mathematician. So I like to look at IPv6 address planning as a very special case, a corner case of numeracy in the realm of STEM, right? So we all pride ourselves on being relatively facile with technology and science, engineering and math, and math in particular, but this v6 address planning thing, when you're used to doing VLSM and used to carving up subnets ad infinitum, ad nauseam, to prevent the waste of address space, you sort of, you end up with the sort of Stockholm syndrome where somebody comes and takes your cage away. You're in a cage with these before they take the cage away, and then you're still, like, you know, just walking around in a tight circle because that's what you're used to. So it's a very sort of specific form of numeracy, and this, it made me think of this early form of what I would call educated and high-level numeracy on the part of somebody that literally redefined the way in which we look at very large numbers, and in fact infinite numbers. So that proof that's over on the left, the snippet of the proof, is Cantor's proof of what he calls the uncountability of the
irrational numbers. So he had this, and I can show this to you on a cocktail napkin later on, while other folks are having the debate over /64 versus /127 on a point-to-point link, but it's really cool because even as a layperson, if you don't have a math background, you can still understand the way that Cantor lays it out. So he goes through this exercise of: take an infinite set, which he just calls the counting integers, and he says, hey, if I can map the counting integers to these other number sets then they're the same size. And so he shows that it's possible, but it produces these very strange and non-intuitive results, in that the counting set of infinity is the same size whether I'm looking at all the counting integers or whether I'm only just looking at the odd counting integers or the even counting integers or the primes; there's a one-to-one correspondence I can make between the counting integers and the non-counting integers. And he does this with the real... he does this with the counting integers, he does it with the rational numbers. He does this really clever thing where he takes the rational numbers and lays them out as a huge graph of fractions that just extends infinitely to the right and infinitely down, and then he just takes an arrow and he draws it through all of the fractions in a way to cover them all, to show that there's a one-to-one correspondence between the counting integers and the rational numbers. Then he tries to do the same thing for the irrational numbers and he gets this result, and I can show it to you later if you're interested, but the gist of it is that he says, I see it but I don't believe it, because it's totally counterintuitive to say I've got this infinitely large set and then somehow the irrational numbers are larger than an infinitely large set. And then he shows the same thing with the real numbers, well, actually it gets complicated after that, he doesn't have to show this with any of the real numbers, but so
this sort of very weird high-level form of numeracy that we're sort of labouring with, and then, but you know, we shouldn't feel bad about it. I mean, this shows you why. Now, I don't know, so now I'm going to digress even further away from Cantor's math. And by the way, Cantor, for those who don't know, was hounded into an insane asylum by a colleague who said that infinity is the realm of God and doesn't belong in the realm of mathematics, that it's a philosophical concept, and if you're trying to put infinity on solid mathematical axiomatic ground then you're a tool of Satan and you belong in an insane asylum, and that's actually where Cantor ended up and died. So I don't know, there's some lesson to be learned there; I'm not sure what it is. So I looked at this picture and immediately I was freaked out, because I'm thinking about using this TI calculator here after a cat has been pawing at the keyboard, right? Everybody know about Toxoplasma gondii? You heard of this? If you have a wife and she's pregnant, she's not allowed to touch the litter box because of this parasite, a single-celled parasite. So this cat's saying, hmm... actually it's not the cat, it's the Toxoplasma gondii that the cat is infected with. This single-celled parasite loves mammalian intestinal tracts; that's where it reproduces, and it does everything that it can to get back into, as one writer on the internet put it, the hot dayglo sex lounge of the mammalian intestinal tract, right? So it's doing everything that it can to be able to do that. It doesn't care what the mammal is, but cats are uniquely a useful host to Toxoplasma gondii, and so something happens when a mammal becomes infected with Toxoplasma gondii: the parasite actually rewires the mammalian brain, and in rats, the rats will do this crazy thing where not only do they become not afraid of cats, they seek out, when they detect the
aroma of cat urine, they seek it out, they go find it: where's that cat urine smell coming from? I can't wait to find out the source. And of course they get to the source and it's a cat, and then they get eaten, and that's the purpose, that's the point, right? Then the Toxoplasma gondii gets back into the intestines of the cat and the whole beautiful cycle of life starts over again. Well, the internet exists primarily to propagate cat videos. You see where I'm going with this, right? Not only is it all the things that John talked about, I mean, jeez, you can't get any darker than the internet being just like Cthulhu's lair, like we're waiting for the Dark Gods to reappear on the internet. Well, that's way more grim, I guess, but there are not only the virtual infections on the internet; it appears there may actually be a real infection, Toxoplasma gondii cybernetic malware, and for those who haven't seen Toxoplasma gondii cysts, there they are. Now they're fun. Okay, so here's my case study. This is an amalgam; it's based on a number of enterprises that I've worked with who've done address plans. There's actually a couple of corporations in particular, so this is a fictional corporation that's sort of eliding who the actual victims are here that I've picked on. But the business, it's a very large enterprise, based on a very large, very real enterprise based in the US, manufacturing, quite old, Fortune 500, 150 field facilities on six continents and 65,000 employees, and then the network looks something like this: headquarters campus in the US, 18 data centers, 60 manufacturing plants, 300 regional offices, all stitched together over an MPLS enterprise WAN, and some regional internet connectivity per region. So right away the enterprise goes out and does the right thing and gets a large enough allocation for each of the locations: Africa, Asia, from APNIC, from APNIC rather, AfriNIC and LACNIC, and in particular the local internet registry in Brazil, and LACNIC, a /32 from each
of those, a /31 here in North America from ARIN and a /29 in Europe. So they did the right thing: they went out and got a sufficiently large block to support wherever their operations are. So there's some discussion and confusion about what routing policy will end up looking like for the internet at large going forward, whether or not we'll continue to honor /48s as the smallest routable prefix, whether that's going to result in prefix disaggregation that causes the issue of the routing table growing too large. These are certainly concerns, but they're not going to be solved by the enterprise that's doing its address plan, and so in general the recommendation to get a large block and to get PI space is the one that led this particular enterprise to get this complement of IPv6 address space. So they did this exercise of sort of breaking things down using the nibble boundaries here, very clearly: the regional block, followed by a large site block in the form of a /40, a normal-sized block, and then flattened, in the form of a /48, and then jumping all the way down to the interface level. And then what that ended up looking like, just in terms of breaking it out: regional /32; several sites, like maybe, say, not several, two or three, fewer than ten, extra-large sites that get /40s, and in each of those you can map /48 functions, although they hadn't actually done that in their address plan at this point, they left that as future work; and then smaller sites with the /48, jumping immediately to the /64 level for the interfaces, and then the actual addresses that get plugged in there. So a campus allocation of the /44, one of those extra-large sites, and that site contains a manufacturing plant, or one or more manufacturing plants, one or more data centers, and the corporate LAN, and each of those is getting in this case a /44 that can be further broken down, say with the data centers into /48s for each of the data centers.

Now, what they did from there was, once they have the high-level sort of map, they just did a site template. So again the idea is not that you have a unique address plan for every possible site and every possible way in which that site ends up being deployed in terms of the hardware and the software that's deployed at that particular location. The idea, and so in other words, you'd be back to that exercise of sort of shrinking and growing the size of the site allocation based on the size of the site that you have, and a little bit of that's okay: if I have, you know, three sites in the network that are extremely large and I need them to have a larger allocation, maybe I don't want to give every site down to a regional office a /40, and there's some, that makes some sense, because you're thinking in terms of consuming a total number of /48s, which you have either 16 or 256 of, so that's a very different calculation than a v4 address plan where you're looking at the number of host addresses that are consumed. So within the site allocation there's a data center site template that basically says: I've got a /48 for the data center, I'm going to go ahead and peel off, where I need some hierarchy for application pods or tenants, I'm going to peel off at /60 and I'm going to hold a bunch of address space in reserve, and then in each of my /60s I'm going to go ahead and have 16 /64s to number the VLANs. So the number of /60s I'd have to play around with within each data center site would be 4096, and maybe that makes sense for that particular enterprise; it's not a one-size-fits-all model. So we're able to articulate at a very high level just the allocation that was received from the RIRs, what an extra-large site would get, and these are extra-large sites that have multiple functions, corporate campus, data center, manufacturing facilities; standard sites, which could be a standalone campus, a standalone data center, a regional office or a
standalone manufacturing facility, would get a /48, and then site templates are going to provide the hierarchy for campuses, data centers, regional offices and manufacturing facilities. And again, with the site template it's sort of a one-size-fits-all notion, but the idea is that the largest entity, the largest network component, the largest site that has a particular network complement, that's going to sort of set the bar for where that assignment is. If I make it a /48, that's future-proof to me in terms of making sure I can always connect that site to the internet. A /52 will be reserved at locations not using a site template, and /64s may be assigned monotonically until later, when they decide they want to add some hierarchy within that site. So it's very straightforward operationally; the network relies on well-defined organizational entities that are tied to location and role, and in this case they're going to use either a /40 or a /48, and the larger allocation for the largest of the network entities drove the need to go back and get, or initially, I think they said when they started out they had a single /40 from ARIN, and then they had to go back and get a /29 from ARIN, along with allocations from each of the regional internet registries. And again, that's the opposite of choosing a smaller prefix to accommodate a smaller initial allocation. So some things that will impact this: IoT deployments, clearly; IPv6 addressing for containers; and I don't know what this, you know, in terms of the basic calculation of the number of /48s that are being consumed, that approach, that methodology can be plugged in to whatever we end up with in the future in terms of IoT or hybrid data center, private data... sorry, hybrid cloud or private cloud for enterprise, container networking, etc. And there's this IPv6 address planning book on O'Reilly if you're interested in reading even
more. I don't have the Toxoplasma gondii digression in there, though. So anyway, that's all I had for today. Any questions based on what I've talked about so far? And, oh yeah, sure, good question: it's a Pander's ground jay that's native to Kazakhstan, and that was my question when I went with O'Reilly, when O'Reilly accepted my proposal, like what kind of animal am I going to get? What kind of, you know, they're very sort of, you know, like they don't care anymore; it's like every one of their books has an animal on it, so they're just like, you know, first of all they're like, you get what you get, you are long past the time when you can pick the animal that you want on the cover of your book, because we've already gone through the entire, you know, Linnaeus table of taxonomy classification for all the animals that are available. So I said, well, will it be a, will it be a mammal, will it be a bird, will it be like a slug, you know, what is it? Actually no, because Silvia has, she's got the snail on the IPv6 Essentials, yeah. Will it be from the kingdom Insecta, will it be from the kingdom Mammalia? It's going to be a bird. Okay, bird. What will it be? Pander's ground jay, native to Kazakhstan. Good question.

Hey, Owen, how you doing? Doing good. Owen DeLong, Akamai. You must have gotten that allocation from ARIN, or that assignment rather, from ARIN quite a while ago in order to get a /29 or a /31 out of them, because they're doing strictly nibble boundaries nowadays. And a bad thing? Yeah, exactly. Yeah, so Owen brings up a good point. So if I started off with a /40 and realized it wasn't large enough and I needed a /32, if I realized that /32 wasn't large enough, I really should be jumping to a /28, and my understanding is that they are holding that nibble boundary in reserve, so then if I decided the /32 wasn't going to meet my needs operationally, then I could go back and get a /28 from ARIN.

My question is, is stopping at /64 because of the simplicity, or are there some cultural and social limitations going, so they're, like, subnetting, why is it... Yeah, it's a hardware limitation, right, because it's defined in the protocol. If it wasn't defined explicitly in the protocol, and I'm sure you can hack around this if you're crazy, but you need the limit in terms of how the logic gets deployed and how the interface is handling the addressing, and I'm not a software engineer so I can't go into the details of that, but you just end up breaking things, you end up breaking things like SLAAC and stateless DHCPv6, etc. So that limit is an actual functional limit. Yeah, but having said that, there are instances, and I've run into instances, where folks are peeling off those smaller subnets for reasons of security, for reasons of, they're doing something very specific within a contained environment and they want to use that smaller subnet for a particular purpose, but then of course they have to think in terms of the logic that the interface is going to support and whether or not that's going to break something. So I couldn't take a bunch of off-the-shelf gear that's conforming to the IPv6 RFCs, plug it in, start subnetting to the right of the /64 and reasonably expect consistent behavior. I might get it, but that might be accidental, and I would never know when that particular limitation would bite me in the behind. So, yeah, any other questions? I was going to add a comment that there are several different protocols that that breaks, so these days it's very dangerous. That was something, probably, I don't know, eight years ago, seven, eight years ago, is when they really made that decision to be really firm with the /64. You know, one more question: so I was just reading the literature that says that you should use /127 on a point-to-point link, after saying that you should use /64. So, well, ladies and gentlemen, that was a troll. We so rarely get
to see one in meatspace; we know them online. That could be Cthulhu himself, or herself, I don't know. Yeah, well, we can argue about it later. I have no, I'd seriously have no opinion, I don't care, so beyond caring. Any other questions? All right, on that cheerful note, thanks again for everyone's attention, and I look forward to chatting with you offline. [Applause]
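As an added example, not from the talk or the speaker: the Python below builds a nibble-boundary plan along the lines of the case study (region /32, extra-large site /40 holding /48 functions, standard site /48, /52 per campus building with 4096 /64s, /60 per data-center pod with 16 /64s) and then does the operational lookup the speaker describes, mapping an address back to its region, site and role by prefix alone, with no DNS. The prefixes, site names and counts are constructed illustrations under the RFC 3849 documentation block 2001:db8::/32, not the enterprise's real allocations. The carve() helper refuses any prefix that leaves a nibble boundary (the /49 case, where you have to expand the address to know which half you are in) or goes past /64, which is the check that keeps the plan legible and keeps SLAAC and stateless DHCPv6 working.

```python
"""Nibble-boundary IPv6 address plan: build it, then map an address back to
site and role the way an operator would when DNS is unavailable.

All prefixes here are constructed for illustration and use the RFC 3849
documentation block 2001:db8::/32; they are not the case study's real plan.
"""
import ipaddress
from typing import Dict, List

IPv6Net = ipaddress.IPv6Network


def on_nibble_boundary(net: IPv6Net) -> bool:
    """A prefix length that is a multiple of 4 ends on a hex digit, so the
    whole prefix can be read off the textual address without expansion."""
    return net.prefixlen % 4 == 0


def children_count(parent: IPv6Net, new_prefix: int) -> int:
    """How many /new_prefix blocks fit in parent (a /52 holds 4096 /64s)."""
    if new_prefix < parent.prefixlen:
        raise ValueError("child prefix must not be shorter than the parent")
    return 1 << (new_prefix - parent.prefixlen)


def carve(parent: IPv6Net, new_prefix: int, index: int) -> IPv6Net:
    """Return the index-th /new_prefix inside parent.

    Refuses anything off a nibble boundary (a /49 forces you to expand the
    address to know which half you are in) and anything longer than /64,
    which SLAAC and other per-link mechanisms assume.
    """
    if not on_nibble_boundary(parent) or new_prefix % 4 != 0:
        raise ValueError(f"/{new_prefix} is not on a nibble boundary")
    if new_prefix > 64:
        raise ValueError("do not subnet to the right of /64")
    count = children_count(parent, new_prefix)
    if not 0 <= index < count:
        raise IndexError(f"index {index} out of range, only {count} /{new_prefix}s")
    base = int(parent.network_address) + (index << (128 - new_prefix))
    return IPv6Net((base, new_prefix))


def build_plan(region: IPv6Net = IPv6Net("2001:db8::/32")) -> Dict[IPv6Net, str]:
    """Constructed plan following the talk's hierarchy: region /32,
    extra-large site /40 holding /48 functions, standard site /48,
    campus template /52 per building, data-center template /60 per pod."""
    plan: Dict[IPv6Net, str] = {region: "region: North America"}
    xl = carve(region, 40, 0)                 # 2001:db8::/40
    plan[xl] = "extra-large site: HQ"
    campus = carve(xl, 48, 0)                 # 2001:db8::/48
    plan[campus] = "HQ campus"
    dc = carve(xl, 48, 1)                     # 2001:db8:1::/48
    plan[dc] = "HQ data center 1"
    for b in range(3):                        # /52 per building, 4096 VLAN /64s each
        plan[carve(campus, 52, b)] = f"campus building {b}"
    for pod in range(4):                      # /60 per pod, 16 /64s each; rest reserved
        plan[carve(dc, 60, pod)] = f"DC1 pod {pod}"
    for s in range(2):                        # standard sites: a /48 each, no template yet
        plan[carve(region, 48, 0x100 + s)] = f"regional office {s}"
    return plan


def locate(plan: Dict[IPv6Net, str], address: str) -> List[str]:
    """Labels of every plan entry containing address, widest prefix first:
    the 'where does that prefix live' lookup that needs no DNS."""
    addr = ipaddress.IPv6Address(address)
    hits = [(net.prefixlen, label) for net, label in plan.items() if addr in net]
    return [label for _, label in sorted(hits)]


if __name__ == "__main__":
    plan = build_plan()
    for net, label in sorted(plan.items(), key=lambda kv: (kv[0].prefixlen, kv[0])):
        print(f"{str(net):28} {label}")
    # A host seen in a log resolves to region, site and pod from the prefix alone.
    print(locate(plan, "2001:db8:1:2a:5054:ff:fe12:3456"))
```

Running it prints the plan ordered by prefix length and then resolves the sample address to region, extra-large site, data center and pod 2 (the fourth hextet 002a begins with 002). Because every allocation lands on a nibble boundary, each label corresponds to a fixed run of hex digits in the printed address, which is the legibility the speaker is after; feeding an incident responder's list of addresses through locate() gives site and role without a DNS lookup.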
Info
Channel: Rocky Mountain IPv6 Taskforce
Views: 1,967
Keywords: IPv6, Infoblox, IoT, containerization, microservices, cloud
Id: 7Tnh4upTOC4
Length: 54min 45sec (3285 seconds)
Published: Wed May 31 2017