Re: enterprise IPv6 only client computers and IPv4 connectivity

2013-05-02 Thread Benedikt Stockebrand
Hi Mikael and list,

> If an enterprise today would decide that they're going to run IPv6
> only on their LAN, they would have recent Win7|Win8|OSX|Ubuntu clients
> on their client computers, what mechanism would they use to access
> IPv4 Internet?

that heavily depends on the kind of setup in the enterprise.  

In what I consider a "normal" enterprise, as opposed to the ISP,
hosting/housing data center or similar environment a lot of people on
this list work in, you should have a fairly high client/server ratio
and some firewall protection of your internal networks.  In that case,
consider this approach:

- Make the servers dual-stacked; and if they don't have their own
  subnets yet, move them there.  This shouldn't be too much of a
  hassle if the number of servers is reasonably small compared to the
  number of clients.

- Make the firewall you are using dual-stacked.  The application level
  gateways should serve as a proxy with minimal hassle; if they don't
  replace the firewall (and face the discussions with management).

- Now take care of the clients: With a bit of luck, most of them
  should be able to do their job being single-stacked.  Separate the
  IPv4-only clients into dedicated subnets.  Same for the IPv6-only
  clients.

- Now deal with the difficult cases: Dual-stacked clients.  In some
  cases, their number will be insignificant enough that the easiest
  way is to run them in a dual-stacked subnet until they eventually
  die anyway.

- If you have some minor IPv4-dependent application a lot of people
  occasionally use, consider using a terminal server (Citrix or such,
  not Cyclades etc.) to run that application in.

- If you still find that the majority of clients needs to be
  dual-stacked, that usually means it's either time to do a major
  overhaul of the entire environment or provide the list with some
  more detail of your particular situation.

- Continuously move clients from the dual-stacked subnets whenever
  possible.  If you need to convince management about putting
  resources into that, talk about service level agreements and
  availability improving in a single-stacked subnet, or the extra cost
  of providing dual-stacked connectivity.  (Sorry, but talking to
  management is actually part of the job.)

There's more to this, and a lot of work relates to the details of the
particular environment, but as a general outline this should set you
on the right tracks.

Obviously this won't be any good in an environment where the majority
of devices need and have direct Internet connectivity.  On this list
you will find that a lot of people work in these sorts of "abnormal"
environments, but effectively that means that the approaches and tools
they use are ill-fitting for a "normal" (for normal definitions of
"normal") environment.


Cheers,

Benedikt

-- 
 Business Grade IPv6
Consulting, Training, Projects

Benedikt Stockebrand, Dipl.-Inform.   http://www.benedikt-stockebrand.de/



Re: enterprise IPv6 only client computers and IPv4 connectivity

2013-04-30 Thread Nick Hilliard
On 30/04/2013 11:24, Bernhard Schmidt wrote:
> - Someone advertises AAAA records that fail to connect. See for example
> https://outlook.office365.com that has had broken IPv6 for weeks now.

Would megaphone diplomacy work here?  I.e. posting to nanog.

Nick




Re: enterprise IPv6 only client computers and IPv4 connectivity

2013-04-30 Thread Bernhard Schmidt
On 30.04.2013 10:07, Gert Doering wrote:
> Hi,
> 
> On Tue, Apr 30, 2013 at 09:03:37AM +0200, Mikael Abrahamsson wrote:
>> If an enterprise today would decide that they're going to run IPv6 only on 
>> their LAN, they would have recent Win7|Win8|OSX|Ubuntu clients on their 
>> client computers, what mechanism would they use to access IPv4 Internet?
> 
> NAT64/DNS64 works very well, unless
> 
>  - someone uses literal IPv4 addresses to identify a service  (like,
>    embedded references in http pages, loading some content from IPv4 
>    addresses instead of hostnames)
> 
>  - that particular machine runs an application that does not know about
>    IPv6 - most notably Skype.

- Someone advertises AAAA records that fail to connect. See for example
https://outlook.office365.com that has had broken IPv6 for weeks now.

Bernhard


Re: enterprise IPv6 only client computers and IPv4 connectivity

2013-04-30 Thread Ted Mittelstaedt

On 4/30/2013 12:03 AM, Mikael Abrahamsson wrote:

> Hi,
>
> If an enterprise today would decide that they're going to run IPv6 only
> on their LAN,

They wouldn't.

This is a self-defeating question.  In other words, if you seriously
contemplated doing this you would know whether you could do it or not.

You would start small, with ONE IPv6-only system, and find some
proprietary translator/proxy/whatever box, and test it with all your
apps.  Almost certainly many would break.  So you would work with the
developer and they would write fixes into their code and you would
try it again.  After about 6 months to a year you might have something
that would work.

Most likely you would not be able to interest someone large like Cisco
as they already have their own testers.  You would have to find some
small outfit and be willing to pay $$$ to them to get them to do it.
I can think of several of the open source/closed source firewall vendors
that might be interested if you offered enough money.

Ted

> they would have recent Win7|Win8|OSX|Ubuntu clients on
> their client computers, what mechanism would they use to access IPv4
> Internet?
>
> My thinking immediately went to DS-lite, NAT64/DNS64 and MAP-E, but I
> NAT64/DNS64 isn't "good enough" without 464XLAT, and DS-lite and MAP-E
> requires additional software on most of these operating systems, right?
> Are these kinds of client software even available?
>
> What other mechanism could be used to achieve IPv4 Internet reachability
> over IPv6 only access for end-systems? HTTP proxy or SOCKS-proxy also
> sounds too cumbersome.





Re: enterprise IPv6 only client computers and IPv4 connectivity

2013-04-30 Thread Brandon Butterworth
> > On Tue, Apr 30, 2013 at 4:03 PM, Mikael Abrahamsson 
> > wrote:
> > If an enterprise today would decide that they're going to run
> > IPv6 only on their LAN, they would have recent Win7|Win8|OSX|
> > Ubuntu clients on their client computers, what mechanism would
> > they use to access IPv4 Internet?

The sort of environment that could do that probably doesn't need to.

e.g. with proxy based firewalls we could but with proxy isolation
there's no problem with v4 internal space.

We could do it for just new clients but they communicate with the
old stuff (enterprise, there's still NT4 embedded in some plant)

> At $previousjob we used WPAD to distribute proxy information via DNS and
> DHCP to our clients in advance of a planned service outage to give a
> backup service to our 2k clients over some 1Mbps link.
> Deployed it, and requests started (flooding) in. Proxy did its job
> though.
> This was like 8 years ago.  Today support in OS'es and browsers is only
> much better, especially with the DNS method - all browsers by default
> check for it.

PAC files still in use, original server too

 10:32am  up 5048 day(s), 21:03,  1 user,  load average: 3.39, 3.39, 3.35


brandon


Re: enterprise IPv6 only client computers and IPv4 connectivity

2013-04-30 Thread Martin Millnert
On Tue, 2013-04-30 at 16:06 +0900, Lorenzo Colitti wrote:
> On Tue, Apr 30, 2013 at 4:03 PM, Mikael Abrahamsson 
> wrote:
> If an enterprise today would decide that they're going to run
> IPv6 only on their LAN, they would have recent Win7|Win8|OSX|
> Ubuntu clients on their client computers, what mechanism would
> they use to access IPv4 Internet?
> 
> 
> "None, and good luck"?

Within the "good luck" segment, you can work to cover as much ground as
possible but there is obviously no 100%-covering solution:

 - NAT64/DNS64 (or a more recent name if there is any) in the resolvers
 - dual-stacked proxy, handing out to clients either via group
policies/puppet/etc, and/or WPAD.

If "enterprise" means normal "user" VLANs, rather than all server VLANs
etc of a bank or process control environments with tons of legacy apps,
it should be generally and on average manageable to handle the odd cases
who cannot access their whatever-service.

While a proxy isn't very sexy, it would take care of literals.
Depending on admin skills, it could be configured only on client
machines with trouble.  Myself, I would have made it the default
setting.  Non-abiding clients would still get DNS64/NAT64.

At $previousjob we used WPAD to distribute proxy information via DNS and
DHCP to our clients in advance of a planned service outage, to give a
backup service to our 2k clients over some 1Mbps link.
Deployed it, and requests started (flooding) in. Proxy did its job
though.
This was like 8 years ago.  Today support in OS'es and browsers is only
much better, especially with the DNS method - all browsers by default
check for it.

/M
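As an added illustration of the "dual-stacked proxy handed out via WPAD" approach Martin describes (example code written for this page, not something posted in the thread), here is a PAC file for an IPv6-only client VLAN behind DNS64/NAT64. Hostnames go DIRECT, since DNS64 synthesizes an AAAA and NAT64 carries the flow; dotted-quad IPv4 literals, which never reach DNS64, are sent to the dual-stacked proxy; and a small list of hosts with known-broken native AAAA records (the Office 365 case Bernhard mentions) is also pushed through the proxy, because DNS64 will not synthesize for a name that already has a AAAA. The proxy name and port, the internal zone and the broken-AAAA host list are assumptions. PAC-only helpers (dnsResolve, isInNet, shExpMatch) are deliberately avoided so the same function also runs under Node.js.

```javascript
// Added example, not from the thread: WPAD/PAC file for an IPv6-only
// client VLAN sitting behind DNS64/NAT64. Proxy name/port, internal zone
// and the broken-AAAA host list below are assumed/constructed values.

var DUAL_STACK_PROXY = "PROXY proxy.corp.example:3128"; // assumed
var INTERNAL_ZONE = /\.corp\.example$/i;                // assumed

// Constructed list: names whose native AAAA is advertised but unreachable.
// DNS64 returns such a AAAA untouched, so only the proxy can reach them.
var BROKEN_AAAA_HOSTS = {
  "broken-v6.example.org": true
};

// True for a valid dotted-quad IPv4 literal such as 192.0.2.7.
function isIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false;
  }
  return true;
}

// Entry point every browser calls per request (WPAD/PAC convention).
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Dual-stacked internal servers are reachable natively over IPv6.
  if (INTERNAL_ZONE.test(host)) return "DIRECT";
  // A literal IPv4 target never hits DNS64: only the dual-stacked proxy works.
  if (isIPv4Literal(host)) return DUAL_STACK_PROXY;
  // Hosts with stale native AAAA records: DNS64 cannot help, proxy can.
  if (BROKEN_AAAA_HOSTS[host]) return DUAL_STACK_PROXY;
  // Everything else resolves through DNS64 and flows through NAT64.
  return "DIRECT";
}
```

Serve the file as wpad.dat with the MIME type application/x-ns-proxy-autoconfig and announce it the way Martin describes, via a wpad host in DNS and/or the DHCP auto-proxy option (252); clients that ignore PAC simply keep using DNS64/NAT64, which is the "non-abiding clients" case above.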




Re: enterprise IPv6 only client computers and IPv4 connectivity

2013-04-30 Thread Gert Doering
Hi,

On Tue, Apr 30, 2013 at 09:03:37AM +0200, Mikael Abrahamsson wrote:
> If an enterprise today would decide that they're going to run IPv6 only on 
> their LAN, they would have recent Win7|Win8|OSX|Ubuntu clients on their 
> client computers, what mechanism would they use to access IPv4 Internet?

NAT64/DNS64 works very well, unless

 - someone uses literal IPv4 addresses to identify a service  (like,
   embedded references in http pages, loading some content from IPv4 
   addresses instead of hostnames)

 - that particular machine runs an application that does not know about
   IPv6 - most notably Skype.

[..]
> What other mechanism could be used to achieve IPv4 Internet reachability 
> over IPv6 only access for end-systems? HTTP proxy or SOCKS-proxy also 
> sounds too cumbersome.

A dual-stacked proxy would work, of course, but won't help for those 
problematic applications that want to do UDP but don't understand IPv6...

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                    Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14      Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen               HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444        USt-IdNr.: DE813185279
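An added worked example of the behaviour Gert describes (example code written for this page, not from the thread or any particular NAT64 product): RFC 6052 address synthesis as a DNS64 resolver or a 464XLAT CLAT performs it, for all six allowed Pref64 lengths, plus a toy DNS64 lookup over a constructed zone. It shows the two failure modes raised in the thread: an IPv4 literal never reaches DNS, so nothing is synthesized for it, and a name with a native AAAA (even a broken one) is returned untouched rather than synthesized. The prefix values and zone data are constructed.

```javascript
// Added example, not from the thread: RFC 6052 synthesis plus a toy DNS64
// resolver over constructed data. Runs under Node.js, no third-party modules.

// Dotted-quad parser; returns four octets or null.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// IPv6 text (with optional "::" compression) to 16 bytes, or null.
function parseIPv6(text) {
  const halves = text.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 1 ? missing !== 0 : missing < 1) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  const bytes = [];
  for (const g of groups) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
    const v = parseInt(g, 16);
    bytes.push(v >> 8, v & 0xff);
  }
  return bytes;
}

// 16 bytes to text, compressing the longest run of two or more zero groups.
function formatIPv6(bytes) {
  const groups = [];
  for (let i = 0; i < 16; i += 2) groups.push((bytes[i] << 8) | bytes[i + 1]);
  let bestStart = -1, bestLen = 0;
  for (let i = 0; i < 8; ) {
    if (groups[i] !== 0) { i++; continue; }
    let j = i;
    while (j < 8 && groups[j] === 0) j++;
    if (j - i > bestLen) { bestStart = i; bestLen = j - i; }
    i = j;
  }
  const hex = groups.map((g) => g.toString(16));
  if (bestLen < 2) return hex.join(":");
  return hex.slice(0, bestStart).join(":") + "::" + hex.slice(bestStart + bestLen).join(":");
}

// RFC 6052 section 2.2: byte positions of the embedded IPv4 address for each
// allowed prefix length. Byte 8 (bits 64-71, the "u" octet) always stays zero.
const V4_BYTE_SLOTS = {
  32: [4, 5, 6, 7],
  40: [5, 6, 7, 9],
  48: [6, 7, 9, 10],
  56: [7, 9, 10, 11],
  64: [9, 10, 11, 12],
  96: [12, 13, 14, 15],
};

// Embed ipv4Text into the Pref64 given as "prefix/len".
function synthesize(prefixText, ipv4Text) {
  const [prefixAddr, lenText] = prefixText.split("/");
  const len = Number(lenText);
  const slots = V4_BYTE_SLOTS[len];
  const prefix = parseIPv6(prefixAddr);
  const v4 = parseIPv4(ipv4Text);
  if (!slots || !prefix || !v4) throw new Error("bad Pref64 or IPv4 address");
  const out = prefix.slice(0, len / 8);      // keep only the prefix bytes
  while (out.length < 16) out.push(0);      // zero the rest, u octet included
  slots.forEach((pos, i) => { out[pos] = v4[i]; });
  return formatIPv6(out);
}

// Constructed stand-in for the answers an upstream resolver would return.
const SAMPLE_DNS = {
  "v4only.example.net":    { A: ["192.0.2.33"],   AAAA: [] },
  "dualstack.example.net": { A: ["198.51.100.7"], AAAA: ["2001:db8::7"] },
};

// AAAA answer a DNS64 resolver hands an IPv6-only client: an IPv4 literal is
// never looked up at all; a native AAAA is returned as-is (DNS64 does not
// synthesize when one exists, even if that IPv6 path is broken); otherwise
// one synthesized AAAA per A record.
function dns64Resolve(name, pref64, dns = SAMPLE_DNS) {
  if (parseIPv4(name)) return [];
  const rr = dns[name];
  if (!rr) return [];
  if (rr.AAAA.length > 0) return rr.AAAA.slice();
  return rr.A.map((a) => synthesize(pref64, a));
}

// Stand-alone usage with the well-known prefix 64:ff9b::/96.
console.log(synthesize("64:ff9b::/96", "192.0.2.33"));            // 64:ff9b::c000:221
console.log(dns64Resolve("dualstack.example.net", "64:ff9b::/96"));
console.log(dns64Resolve("192.0.2.33", "64:ff9b::/96"));          // [] - the literal case
```

The empty answer for the literal is exactly the gap a CLAT (464XLAT) or a dual-stacked proxy fills: the CLAT does the same embedding on the client side for packets, so the literal 192.0.2.33 leaves the host as 64:ff9b::c000:221 without DNS being involved.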


Re: enterprise IPv6 only client computers and IPv4 connectivity

2013-04-30 Thread Henrik Lund Kramshøj

On 30/04/2013, at 09.03, Mikael Abrahamsson  wrote:

> 
> Hi,
> 
> If an enterprise today would decide that they're going to run IPv6 only on 
> their LAN, they would have recent Win7|Win8|OSX|Ubuntu clients on their 
> client computers, what mechanism would they use to access IPv4 Internet?
> 
> My thinking immediately went to DS-lite, NAT64/DNS64 and MAP-E, but I 
> NAT64/DNS64 isn't "good enough" without 464XLAT, and DS-lite and MAP-E 
> requires additional software on most of these operating systems, right? Are 
> these kinds of client software even available?
> 
> What other mechanism could be used to achieve IPv4 Internet reachability over 
> IPv6 only access for end-systems? HTTP proxy or SOCKS-proxy also sounds too 
> cumbersome.

Just a quick note.

NOT having direct connections from ALL systems inside an enterprise can also be 
considered a feature.

I have large enterprise customers that would love to cut SMTP connections from 
inside, but won't since some critical device might be configured to send back 
support through SMTP to vendor on the outside.

We talk a lot about direct connections, and I wholeheartedly agree, but in some 
cases having client PCs required to connect through filtering proxies and only 
sending data outside through other systems is a plus.

Best regards

Henrik
--
Henrik Lund Kramshøj, Follower of the Great Way of Unix
internet samurai cand.scient CISSP
h...@kramse.org h...@solidonetworks.com +45 2026 6000 
http://solidonetworks.com/ Network Security is a business enabler



Re: enterprise IPv6 only client computers and IPv4 connectivity

2013-04-30 Thread Mikael Abrahamsson

On Tue, 30 Apr 2013, Erik Kline wrote:

> Is NAT64/DNS64 without 464xlat really not good enough?  For Cameron's 
> mobile phones, where Skype is important, that's a clear need for IPv4. 
> But I suspect that /some/ enterprises might consider "can't run Skype" 
> more of a feature than a bug.

Most enterprises have a lot of legacy applications, so I'd imagine running 
IPv6 only without being able to do IPv4 literals just won't cut it.

> My point is simply that "not good enough" may be more subjective and 
> less objective than I think your statement implies.

When I tried running NAT64/DNS64 on a Win7 machine a year ago, not even 
MSN messenger worked. Very few applications apart from web browsing 
worked. I can imagine a lot of software for video conferencing etc won't 
work properly without being able to access things over IPv4.


I got a private pointer to  which 
might be one way to solve it.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: enterprise IPv6 only client computers and IPv4 connectivity

2013-04-30 Thread Erik Kline
> My thinking immediately went to DS-lite, NAT64/DNS64 and MAP-E, but I
> NAT64/DNS64 isn't "good enough" without 464XLAT, and DS-lite and MAP-E
> requires additional software on most of these operating systems, right? Are
> these kinds of client software even available?
>

Is NAT64/DNS64 without 464xlat really not good enough?  For Cameron's
mobile phones, where Skype is important, that's a clear need for IPv4.  But
I suspect that /some/ enterprises might consider "can't run Skype" more of
a feature than a bug.

My point is simply that "not good enough" may be more subjective and less
objective than I think your statement implies.


Re: enterprise IPv6 only client computers and IPv4 connectivity

2013-04-30 Thread Lorenzo Colitti
On Tue, Apr 30, 2013 at 4:03 PM, Mikael Abrahamsson wrote:

> If an enterprise today would decide that they're going to run IPv6 only on
> their LAN, they would have recent Win7|Win8|OSX|Ubuntu clients on their
> client computers, what mechanism would they use to access IPv4 Internet?
>

"None, and good luck"?


enterprise IPv6 only client computers and IPv4 connectivity

2013-04-30 Thread Mikael Abrahamsson


Hi,

If an enterprise today would decide that they're going to run IPv6 only on 
their LAN, they would have recent Win7|Win8|OSX|Ubuntu clients on their 
client computers, what mechanism would they use to access IPv4 Internet?


My thinking immediately went to DS-lite, NAT64/DNS64 and MAP-E, but I 
NAT64/DNS64 isn't "good enough" without 464XLAT, and DS-lite and MAP-E 
require additional software on most of these operating systems, right? 
Are these kinds of client software even available?


What other mechanism could be used to achieve IPv4 Internet reachability 
over IPv6 only access for end-systems? HTTP proxy or SOCKS-proxy also 
sounds too cumbersome.


--
Mikael Abrahamsson    email: swm...@swm.pp.se