Re: Cost of IPv6 for IT operations team
Op 27 mrt. 2015, om 00:23 heeft Brian E Carpenter brian.e.carpen...@gmail.com het volgende geschreven: On 26/03/2015 22:04, BERENGUER Christophe wrote: Hello everybody, I work for a consulting firm. For a client, I would like to estimate the work overload for IT operations team to deploy IPv6 dual stack and for day to day operations. On the internet, I have found an estimation around 20% of work overload for the run phase. Is that evidence-based, or a hand-waving guess? I would expect a bit of extra workload at the beginning of the run phase but in the steady state are there really 20% more incidents? We use pfSense at work and I’m using hostnames and other DNS names in the firewall rules to great lengths so that they automatically adjust when a host changes IPs, be that 4 or 6. I can select IPv4 and IPv6 in the rule so the same rule applies to both. Ofcourse, there is a security tradeoff, but considering the sheer amount of CDN hosting today it’s becoming harder to just assign a IP to the rule and have it work for over a week :) Firewalling by (prefixes from) ASN would be something useful to have too, for abuse purposes. I’m mostly talking about outbound firewall rules, the LAN is pretty much closed off. Proxy or bust. Cheers, Seth Brian But if you have operational feedback it would be the best! Thanks in advance for your answers, Have a nice day. Best regards, Christophe BERENGUER Consultant Fixe : +33 (0)1 49 03 85 86 christophe.bereng...@solucom.frmailto:christophe.bereng...@solucom.fr solucom Tour Franklin : 100 - 101 terrasse Boieldieu 92042 Paris La Défense Cedex
Re: Cost of IPv6 for IT operations team
Without a detailed look at the client this kind of question falls in the realm of my kid's story problems in her mathematics book - pretty sounding things that are utterly divorced from reality. I will just say this, however: If you do NOT deploy IPv6 then yes it will save labor. Depending on how disorganized the clients network is, that could be a lot of time or a little. But as for operations costs, I would say, zero The reason is if you don't deploy sooner or later you will have a problem related to IPv6. Then you will spends lots of time finding and correcting. That time is roughly equal to the extremely small amount of additional time that the techs deal with IPv6 on a network that has had it properly setup. Ted On 3/26/2015 2:04 AM, BERENGUER Christophe wrote: Hello everybody, I work for a consulting firm. For a client, I would like to estimate the work overload for IT operations team to deploy IPv6 dual stack and for day to day operations. On the internet, I have found an estimation around 20% of work overload for the run phase. But if you have operational feedback it would be the best! Thanks in advance for your answers, Have a nice day. Best regards, *Christophe BERENGUER** *Consultant Fixe : +33 (0)1 49 03 85 86 christophe.bereng...@solucom.fr mailto:christophe.bereng...@solucom.fr solucom Tour Franklin : 100 - 101 terrasse Boieldieu 92042 Paris La Défense Cedex
RE: Cost of IPv6 for IT operations team
Thanks everyone for your answers. We already have raise the point that at some point IPv6 will need to be deploy and the sooner is the better to have time to fix problems and let time for teams to master the technology. The 20% figure is based on an IETF document and SRI presentation. I think it is not limited to the amount of incident but also the time to duplicate firewall rules, configure all the interfaces, etc. for both v4 and v6. For the build phase, I agree that it depends on my clients architecture. It has a good overview of it but the impact on application is not clear and hard to estimate. Thanks again for your answers! -- Christophe BERENGUER Consultant Fixe : +33 (0)1 49 03 85 86 christophe.bereng...@solucom.fr solucom Tour Franklin : 100 - 101 terrasse Boieldieu 92042 Paris La Défense Cedex De : ipv6-ops-bounces+christophe.berenguer=solucom...@lists.cluenet.de ipv6-ops-bounces+christophe.berenguer=solucom...@lists.cluenet.de de la part de Ted Mittelstaedt t...@ipinc.net Envoyé : vendredi 27 mars 2015 09:27 À : ipv6-ops@lists.cluenet.de Objet : Re: Cost of IPv6 for IT operations team Without a detailed look at the client this kind of question falls in the realm of my kid's story problems in her mathematics book - pretty sounding things that are utterly divorced from reality. I will just say this, however: If you do NOT deploy IPv6 then yes it will save labor. Depending on how disorganized the clients network is, that could be a lot of time or a little. But as for operations costs, I would say, zero The reason is if you don't deploy sooner or later you will have a problem related to IPv6. Then you will spends lots of time finding and correcting. That time is roughly equal to the extremely small amount of additional time that the techs deal with IPv6 on a network that has had it properly setup. Ted On 3/26/2015 2:04 AM, BERENGUER Christophe wrote: Hello everybody, I work for a consulting firm. For a client, I would like to estimate the work overload for IT operations team to deploy IPv6 dual stack and for day to day operations. On the internet, I have found an estimation around 20% of work overload for the run phase. But if you have operational feedback it would be the best! Thanks in advance for your answers, Have a nice day. Best regards, *Christophe BERENGUER** *Consultant Fixe : +33 (0)1 49 03 85 86 christophe.bereng...@solucom.fr mailto:christophe.bereng...@solucom.fr solucom Tour Franklin : 100 - 101 terrasse Boieldieu 92042 Paris La Défense Cedex
Re: Cost of IPv6 for IT operations team
The 20% figure is based on an IETF document Which one? We can fix that if people think it's wrong. (This comes just too late for yesterday's v6ops meeting at the IETF in Dallas.) Regards Brian
RE: Cost of IPv6 for IT operations team
Hi, I have found the figure in this document : https://tools.ietf.org/html/draft-lopez-v6ops-dc-ipv6-05#section-3.4 Regards, Christophe BERENGUER Consultant Fixe : +33 (0)1 49 03 85 86 christophe.bereng...@solucom.fr solucom Tour Franklin : 100 - 101 terrasse Boieldieu 92042 Paris La Défense Cedex De : Brian E Carpenter brian.e.carpen...@gmail.com Envoyé : vendredi 27 mars 2015 13:21 À : BERENGUER Christophe Cc : Ted Mittelstaedt; ipv6-ops@lists.cluenet.de Objet : Re: Cost of IPv6 for IT operations team The 20% figure is based on an IETF document Which one? We can fix that if people think it's wrong. (This comes just too late for yesterday's v6ops meeting at the IETF in Dallas.) Regards Brian
Re: Cost of IPv6 for IT operations team
On 26/03/15 09:04, BERENGUER Christophe wrote: Hello everybody, I work for a consulting firm. For a client, I would like to estimate the work overload for IT operations team to deploy IPv6 dual stack and for day to day operations. On the internet, I have found an estimation around 20% of work overload for the run phase. But if you have operational feedback it would be the best! I agree with others that this is a very hard thing to estimate. I will say that we run our dual-stack network (fully deployed since ca. 2012) with exactly the same staffing levels, and actually a slight reduction in our recurrent budget, as our older IPv4-only network. I don't think our network is any less reliable, or suffers a higher level of incidents. This suggests to me that, in our case, IPv6 has added a very low operational cost. Our incidence of IPv6-related problems, particularly rogue RA from machines configured for connection sharing, has actually *decreased* substantially since we deployed native IPv6. I don't believe the rollout cost was high. We used refresh cycles to upgrade to v6-capable gear, and rolled out slowly to grow our team knowledge. But we don't have detailed cost breakdowns.
Re: Cost of IPv6 for IT operations team
Christophe, On 28/03/2015 01:56, BERENGUER Christophe wrote: Hi, I have found the figure in this document : https://tools.ietf.org/html/draft-lopez-v6ops-dc-ipv6-05#section-3.4 That is a very old and expired personal draft, not an IETF document. Very dangerous to rely on such a document. It was eventually replaced by a working group draft http://tools.ietf.org/html/draft-ietf-v6ops-dc-ipv6-01#section-2.5.4 but that has not been accepted to become an RFC and has also expired after an unsuccessful WG Last Call. (You can always check the status of an Internet-Draft at https://datatracker.ietf.org/doc/ .) But in any case, look at the full context: Depending of the complexity of the DC network, provisioning and other factors we estimate that the extra costs (and later savings) may be around between 15 to 20%. Note the parenthesis! Regards Brian Regards, Christophe BERENGUER Consultant Fixe : +33 (0)1 49 03 85 86 christophe.bereng...@solucom.fr solucom Tour Franklin : 100 - 101 terrasse Boieldieu 92042 Paris La Défense Cedex De : Brian E Carpenter brian.e.carpen...@gmail.com Envoyé : vendredi 27 mars 2015 13:21 À : BERENGUER Christophe Cc : Ted Mittelstaedt; ipv6-ops@lists.cluenet.de Objet : Re: Cost of IPv6 for IT operations team The 20% figure is based on an IETF document Which one? We can fix that if people think it's wrong. (This comes just too late for yesterday's v6ops meeting at the IETF in Dallas.) Regards Brian
Re: Cost of IPv6 for IT operations team
I don't think that having things in the mix extends troubleshooting. My experience is that problems generally fall into 2 buckets: 1) Textbook ones (mistyped IP address, overload that's readily visible if they had looked at the reports, or like you said full hard disk) The time-suck in these are techs who aren't very experienced, or skilled or organized (or all the above) With these, adding more stuff seems like it extends troubleshooting - but the real reason troubleshooting is extended is not because you added more stuff it's because your troubleshooting staff isn't up to snuff. Kind of like you drafted Billy Joe Bob from Hayseed to troubleshoot your 2015 Chevy Volt and it extended the time troubleshooting because he's still looking for the carburetor. People only blame the car for that because they don't want to face old Billy Bob and say 'dude your incompetent, hit the books or get the F out of the business We live in a complex world that's getting more complex every day. If you want to be a tech, then deal with it, up your game. When your spending the same effort hitting the books as you are playing Warcraft then I'll have some sympathy. Otherwise go join the line of people sucking off the social services. 2) really knotty ones that take a lot of time, like intermittent failures. With those, it's very hard to draw correlations. I have seen some very simple, basic, 1-protocol setups that had really oddball problems that took a great while to track down. Just my $0.02 Ted On 3/27/2015 6:37 AM, Jens Link wrote: Ted Mittelstaedtt...@ipinc.net writes: But as for operations costs, I would say, zero I don't agree. In a dual-stacked environment there is more work to do. 1. Setting up Servers (and Services) You have at least two addresses to configure, which leads to two DNS records, two services to be monitored, more firewall rules, ... And in the end more things to document. 2. Troubleshooting When looking for problems you always have to remember that there are now two protocols and then the fun begins: Is this problem only v4? Or only v6? Or do have a completely different problem. 3. Layer 8+9 People have little or no experience with IPv6. They need more time to configure stuff and troubleshoot problems. And they will forget to configure one thing or the other and they will forget that there are two protocols to troubleshoot.And then there will always be people who don't want IPv6 an will always blame it[1]. The reason is if you don't deploy sooner or later you will have a problem related to IPv6. Ack. Then you will spends lots of time finding and correcting. That time is roughly equal to the extremely small amount of additional time that the techs deal with IPv6 on a network that has had it properly setup. It will be worse. When you start implementing IPv6 because the latest version of your critical application requires IPv6 and you need IPv6 tomorrow you'll have a real problem. You have to touch many things at once, you may have to buy hardware and you'll be looking for qualified external support. Problem is: Many other companies will do the same. I'll have to remember to buy a big stash of T-Shirts with Told you so! Jens [1] Someone told me a story about a database server which stopped working after IPv6 was deployed. The DB amdin blamed the IPv6 deployment. Of course it hat nothing to do with IPv6, the hard drive was full.